Bruce Schneier

A blog covering security and security technology.

Wanted: Trust Detector


It's good to dream:

IARPA's five-year plan aims to design experiments that can measure trust with high certainty -- a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions.

A second part of the IARPA proposal might involve using new types of sensors and software to gauge human facial, language or body signals that might help predict trustworthiness. Perhaps facial recognition technology that could deduce emotions or facial tics might help, not to mention better lie detectors.

IARPA is the Intelligence Advanced Research Projects Activity, the U.S. intelligence community's answer to DARPA.

Categories: Blogroll

Nose Biometrics

Wed, 2010/03/10 - 20:47

Really:

Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance.

The researchers say noses have been overlooked in the growing field of biometrics, studies into ways of identifying distinguishing traits in people.

"Noses are prominent facial features and yet their use as a biometric has been largely unexplored," said the University of Bath's Dr Adrian Evans.

"Ears have been looked at in detail, eyes have been looked at in terms of iris recognition but the nose has been neglected."

The researchers used a system called PhotoFace, developed by researchers at the University of the West of England, Bristol and Imperial College, London, for the 3D scans.


The Limits of Identity Cards

Wed, 2010/03/10 - 14:09

Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, "Identity and its Verification," in Computer Law & Security Review, Volume 26, Number 1, Jan 2010.

Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question, 'Identity with what?' An enquirer equipped with the answer to this question is in a position to tackle, on a rational basis, the task of deciding what evidence will be useful for the purpose. Without the answer to the question, the verification of identity becomes a sadly familiar exercise in blind compliance with arbitrary rules.

Marc Rotenberg on Google's Italian Privacy Case

Tue, 2010/03/09 - 19:36

Interesting commentary:

I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established in the United States.

The video at the center of this case was very popular in Italy and drove lots of users to the Google Video site. This boosted advertising and support for other Google services. As a consequence, Google actually had an incentive not to respond to the many requests it received before it actually took down the video.

Back in the U.S., here is the relevant history: after Brandeis and Warren published their famous article on the right to privacy in 1890, state courts struggled with its application. In a New York state case in 1902, a court rejected the newly proposed right. In a second case, a Georgia state court in 1905 endorsed it.

What is striking is that both cases involved the use of a person's image without their consent. In New York, it was a young girl, whose image was drawn and placed on an oatmeal box for advertising purposes. In Georgia, a man's image was placed in a newspaper, without his consent, to sell insurance.

Also important is the fact that the New York judge who rejected the privacy claim suggested that the state assembly could simply pass a law to create the right. The New York legislature did exactly that, and in 1903 New York enacted the first privacy law in the United States to protect a person's "name or likeness" for commercial use.

The whole thing is worth reading.


Guide to Microsoft Police Forensic Services

Tue, 2010/03/09 - 13:59

The "Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)" (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here's a good summary of what's in it:

The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also provides sample language for subpoenas and diagrams on how to understand server logs.

I call it "quasi-comprehensive" because, at a mere 22 pages, it doesn't explore the nitty-gritty of Microsoft's systems; it's more like a data-hunting guide for dummies.

When it was first leaked, Microsoft tried to scrub it from the Internet. But they quickly realized that it was futile and relented.

Lots more information.


Google in The Onion

Mon, 2010/03/08 - 21:24

Funny:

MOUNTAIN VIEW, CA—Responding to recent public outcries over its handling of private data, search giant Google offered a wide-ranging and eerily well-informed apology to its millions of users Monday.

"We would like to extend our deepest apologies to each and every one of you," announced CEO Eric Schmidt, speaking from the company's Googleplex headquarters. "Clearly there have been some privacy concerns as of late, and judging by some of the search terms we've seen, along with the tens of thousands of personal e-mail exchanges and Google Chat conversations we've carefully examined, it looks as though it might be a while before we regain your trust."

Google expressed regret to some of its third-generation Irish-American users on Smithwood between Barlow and Lake.

Added Schmidt, "Whether you're Michael Paulson who lives at 3425 Longview Terrace and makes $86,400 a year, or Jessica Goldblatt from Lynnwood, WA, who already has well-established trust issues, we at Google would just like to say how very, truly sorry we are."


Eating a Flash Drive

Mon, 2010/03/08 - 18:00

How not to destroy evidence:

In a bold and bizarre attempt to destroy evidence seized during a federal raid, a New York City man grabbed a flash drive and swallowed the data storage device while in the custody of Secret Service agents, records show.

The article wasn't explicit about this -- odd, as it's the main question any reader would have -- but it seems that the man's digestive tract did not destroy the evidence.


De-Anonymizing Social Network Users

Mon, 2010/03/08 - 13:13

Interesting paper: "A Practical Attack to De-Anonymize Social Network Users."

Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data.

In this paper, we introduce a novel de-anonymization attack that exploits group membership information that is available on social networking sites. More precisely, we show that information about the group memberships of a user (i.e., the groups of a social network to which a user belongs) is often sufficient to uniquely identify this user, or, at least, to significantly reduce the set of possible candidates. To determine the group membership of a user, we leverage well-known web browser history stealing attacks. Thus, whenever a social network user visits a malicious website, this website can launch our de-anonymization attack and learn the identity of its visitors.

The implications of our attack are manifold, since it requires a low effort and has the potential to affect millions of social networking users. We perform both a theoretical analysis and empirical measurements to demonstrate the feasibility of our attack against Xing, a medium-sized social network with more than eight million members that is mainly used for business relationships. Our analysis suggests that about 42% of the users that use groups can be uniquely identified, while for 90%, we can reduce the candidate set to less than 2,912 persons. Furthermore, we explored other, larger social networks and performed experiments that suggest that users of Facebook and LinkedIn are equally vulnerable (although attacks would require more resources on the side of the attacker). An analysis of an additional five social networks indicates that they are also prone to our attack.

News article. Moral: anonymity is really, really hard -- but we knew that already.
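The paper's core measurement is how small a user's "anonymity set" becomes once the groups they belong to are known. The following is an added example (not code from the paper or from the post) that a site operator could run over its own membership table to measure that: it groups users by their full set of group memberships, reports the fraction with a unique fingerprint and the largest remaining anonymity set, and shows how the candidate set shrinks under both complete and partial observation. The membership table is constructed toy data.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Set

# Constructed toy membership table (user -> ids of groups joined); not data from the paper.
USERS: Dict[str, Set[int]] = {
    "u1": {1, 2, 3}, "u2": {1, 2}, "u3": {1, 2}, "u4": {2, 4}, "u5": {1, 2, 3},
    "u6": {5}, "u7": {5}, "u8": {5}, "u9": {1, 4, 5}, "u10": {3},
}


def fingerprints(users: Dict[str, Set[int]]) -> Dict[FrozenSet[int], List[str]]:
    """Group users by their complete membership set; each value is one anonymity set."""
    table: Dict[FrozenSet[int], List[str]] = defaultdict(list)
    for user, groups in users.items():
        table[frozenset(groups)].append(user)
    return dict(table)


def candidates(users: Dict[str, Set[int]], observed: Set[int], complete: bool = True) -> List[str]:
    """Users consistent with an observed set of memberships (the paper's candidate set).

    complete=True: the observer learned the user's whole membership list, so only exact
    matches remain. complete=False: only some groups were observed, so every user whose
    memberships include the observed ones stays a candidate.
    """
    if complete:
        return sorted(u for u, g in users.items() if g == observed)
    return sorted(u for u, g in users.items() if observed <= g)


def uniqueness_report(users: Dict[str, Set[int]]):
    """Fraction of users with a unique fingerprint and the size of the largest anonymity
    set: the two numbers an operator would track to judge how identifying public group
    lists are (the paper reports about 42% unique for Xing)."""
    sets = fingerprints(users)
    unique = sum(1 for members in sets.values() if len(members) == 1)
    largest = max(len(members) for members in sets.values())
    return unique / len(users), largest


if __name__ == "__main__":
    frac, largest = uniqueness_report(USERS)
    print(f"{frac:.0%} of users uniquely identified; largest anonymity set = {largest}")
    print("exact match for {2, 4}:", candidates(USERS, {2, 4}))
    print("partial observation {1, 2}:", candidates(USERS, {1, 2}, complete=False))
```

The same report run over real membership data tells an operator which users would be exposed by a public group list, and whether hiding membership lists or enforcing a minimum anonymity-set size would help.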


Friday Squid Blogging: Squid Teapot

Fri, 2010/03/05 - 23:32

Squid teapot. Could be squiddier.


Another Interview with Me

Fri, 2010/03/05 - 19:53

I gave this one two days ago, at the RSA Conference.


Mariposa Botnet Shut Down

Fri, 2010/03/05 - 13:02

The Spanish police arrested three people in connection with the 13-million-computer Mariposa botnet.


Comprehensive National Cybersecurity Initiative

Thu, 2010/03/04 - 19:55

On Tuesday, the White House published an unclassified summary of its Comprehensive National Cybersecurity Initiative (CNCI). Howard Schmidt made the announcement at the RSA Conference. These are the 12 initiatives in the plan:

  • Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet.
  • Initiative #2. Deploy an intrusion detection system of sensors across the Federal enterprise.
  • Initiative #3. Pursue deployment of intrusion prevention systems across the Federal enterprise.
  • Initiative #4. Coordinate and redirect research and development (R&D) efforts.
  • Initiative #5. Connect current cyber ops centers to enhance situational awareness.
  • Initiative #6. Develop and implement a government-wide cyber counterintelligence (CI) plan.
  • Initiative #7. Increase the security of our classified networks.
  • Initiative #8. Expand cyber education.
  • Initiative #9. Define and develop enduring "leap-ahead" technology, strategies, and programs.
  • Initiative #10. Define and develop enduring deterrence strategies and programs.
  • Initiative #11. Develop a multi-pronged approach for global supply chain risk management.
  • Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains.

While this transparency is good, in this sort of thing the devil is in the details -- and we don't have any details. We also don't have any information about the legal authority for cybersecurity, or about how much the NSA is, and should be, involved. Good commentary on that here. EPIC is suing the NSA to learn more about its involvement.


Crypto Implementation Failure

Thu, 2010/03/04 - 13:05

Look at this new AES-encrypted USB memory stick. You enter the key directly into the stick via the keypad, thereby bypassing any eavesdropping software on the computer.

The problem is that in order to get full 256-bit entropy in the key, you need to enter 77 decimal digits using the keypad. I can't imagine anyone doing that; they'll enter an eight- or ten-digit key and call it done. (Likely, the password encrypts a random key that encrypts the actual data: not that it matters.) And even if you wanted to, is it reasonable to expect someone to enter 77 digits without making an error?

Nice idea, complete implementation failure.

EDITED TO ADD (3/4): According to the manual, the drive locks for two minutes after five unsuccessful attempts. This delay is enough to make brute-force attacks infeasible, even with only ten-digit keys.

So, not nearly as bad as I thought it was. Better would be a much longer delay after 100 or so unsuccessful attempts. Yes, there's a denial-of-service attack against the thing, but stealing it is an even more effective denial-of-service attack.
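The arithmetic behind the post, as an added example (not from the post or from the product's manual): how many bits a decimal keypad PIN actually carries, and a simple model of how long an attacker at the keypad needs to guess one under the five-failures/two-minute lockout, with and without the longer lockout after 100 failures suggested above. The one-second cost per try and the escalating-lockout tier are assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def key_bits(digits: int) -> float:
    """Entropy, in bits, of a uniformly random PIN of `digits` decimal digits."""
    return digits * math.log2(10)


def digits_for_bits(bits: int) -> int:
    """Smallest decimal PIN length that carries at least `bits` of entropy."""
    return math.ceil(bits / math.log2(10))


def expected_guess_years(digits: int, seconds_per_try: float = 1.0,
                         lock_after: int = 5, lock_seconds: float = 120.0,
                         hard_lock_after: int = 0, hard_lock_seconds: float = 0.0) -> float:
    """Expected wall-clock time, in years, to guess a `digits`-digit PIN at the keypad.

    Assumed model (not from the manual): each try costs seconds_per_try; after every
    lock_after failures the device locks for lock_seconds (the manual's 5 / 2 min);
    optionally, after every hard_lock_after failures it locks for hard_lock_seconds
    (the escalating policy the post suggests). On average half the keyspace is tried.
    lock_after=0 disables the lockout entirely.
    """
    tries = 10 ** digits // 2
    total = tries * seconds_per_try
    if lock_after:
        total += (tries // lock_after) * lock_seconds
    if hard_lock_after:
        total += (tries // hard_lock_after) * hard_lock_seconds
    return total / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"77 digits -> {key_bits(77):.1f} bits; 256 bits need {digits_for_bits(256)} digits")
    for n in (8, 10):
        print(f"{n}-digit PIN: no lockout {expected_guess_years(n, lock_after=0):.1f} y, "
              f"5/2min lockout {expected_guess_years(n):.0f} y, "
              f"plus 24h lock per 100 failures "
              f"{expected_guess_years(n, hard_lock_after=100, hard_lock_seconds=86400):.0f} y")
```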


Tom Engelhardt on Fear of Terrorism

Wed, 2010/03/03 - 13:12

Nice essay.

Similar sentiment from Newsweek.


More on the Al-Mabhouh Assassination

Tue, 2010/03/02 - 12:55

Interesting essay by a former CIA field officer on the al-Mabhouh assassination:

The truth is that Mr. Mabhouh's assassination was conducted according to the book -- a military operation in which the environment is completely controlled by the assassins. At least 25 people are needed to carry off something like this. You need "eyes on" the target 24 hours a day to ensure that when the time comes he is alone. You need coverage of the police -- assassinations go very wrong when the police stumble into the middle of one. You need coverage of the hotel security staff, the maids, the outside of the hotel. You even need people in back-up accommodations in the event the team needs a place to hide.

I found this conclusion incredible:

I can only speculate about where exactly the hit went wrong. But I would guess the assassins failed to account for the marked advance in technology.

[...]

Not completely understanding advances in technology may be one explanation for the assassins nonchalantly exposing their faces to the closed-circuit TV cameras, one female assassin even smiling at one.... The other explanation -- the assassins didn't care whether their faces were identified -- doesn't seem plausible at all.

Does he really think that this professional a team simply didn't realize that there were security cameras in airports and hotels? I think that the "other explanation" is not only plausible, it's obvious.

The number of suspects is now at 27, by the way. And:

Also Monday, the sources said the UAE central bank is working with other nations to track funding and 14 credit cards -- issued mostly by a United States bank -- used by the suspects in different places, including the United States.

We'll see how well these people covered their tracks.

EDITED TO ADD (3/3): Speculation that it's Egypt or Jordan. I don't believe it.

EDITED TO ADD (3/5): More commentary on the tactics. Speculation that it was Mossad.


Breaking in to Hotel Rooms

Mon, 2010/03/01 - 14:18

Is this how the al-Mabhouh assassins got in?


Friday Squid Blogging: Squid Homophone Lessons

Fri, 2010/02/26 - 23:21

Squids make great examples.


Me on Surveillance Cameras

Fri, 2010/02/26 - 13:22

My fourth essay for CNN.com, on surveillance cameras. The Al-Mabhouh assassination made a nice news hook.


Hitler and Cloud Computing

Thu, 2010/02/25 - 19:59

Funny video by Marcus Ranum and Gunnar Peterson.


Small Planes and Lone Terrorist Nutcases

Thu, 2010/02/25 - 12:46

A Washington Post article concludes that small planes are not the next terror threat:

Pilots of private planes fly about 200,000 small and medium-size aircraft in the United States, using 19,000 airports, most of them small. The planes' owners say the aircraft have little in common with airliners.

"I don't see a gaping security hole here," said Tom Walsh, an aviation security consultant. "In terms of aviation security, there are much bigger fish to fry than worrying [about] small aircraft."

He said most would-be terrorists would draw the same conclusion -- that tiny aircraft don't pack a big enough punch. Planes like the one Stack flew weigh just a few thousand pounds and carry no more than 100 gallons of fuel. A Boeing 767 weighs 400,000 pounds and carries up to 25,000 gallons.

Richard L. Skinner, inspector general of the Department of Homeland Security, reviewed security at several general-aviation airports last year and concluded that general aviation "presents only limited and mostly hypothetical threats to security."

What this analysis misses is our ability to terrorize ourselves. After all, who thought that a failed terrorist incident -- nobody hurt, no plane crash, terrorist in custody -- could cause so much terror?

On the face of it, Joseph Stack flying a private plane into the Austin, TX IRS office is no different than Nidal Hasan shooting up Ft. Hood: a lone extremist nutcase. If one is a terrorist and the other is a criminal, the difference is more political or religious than anything else.

Personally, I wouldn't call either a terrorist. Nor would I call Amy Bishop, who opened fire on her department after she was denied tenure, a terrorist.

I consider both Theodore Kaczynski (the Unabomber) and Bruce Ivins (the anthrax mailer) to be terrorists, but John Muhammad and Lee Malvo (the DC snipers) to be criminals. Clearly there is a grey area.

I note that the primary counterterrorist measures I advocate -- investigation and intelligence -- can't possibly make a difference against any of these people. Lone nuts are pretty much impossible to detect in advance, and thus pretty much impossible to defend against: a point Cato's Jim Harper made in a smart series of posts. And once they attack, conventional police work is how we capture those that simply don't care if they're caught or killed.
