FCC sued over IP wiretap rules

The Associated Press reports that “Privacy and technology groups asked the federal appeals court in Washington on Tuesday to overturn a Federal Communications Commission rule that expands wiretapping laws to cover Internet calls — or Voice over Internet Protocol (VoIP).

Law enforcement agencies already can obtain a subpoena for the contents of VoIP calls from Internet access providers. But the FBI and others want the ability to capture the technology live and they want systems designed so it would be easy to do that.”

BBC halts Blackberry use

The Guardian reported today that RIM (of Blackberry fame) had to resolve an “obscure bug”, which caused the BBC to suspend use of the mobile devices due to security concerns:

“Siemens, which provides the IT backbone for the BBC’s email system, was asked to close the Blackberry network last week after a Creative Futures senior management awayday at which users compared emails and discovered they were receiving messages not intended for them. The decision left around 300 BBC executives and programme makers frantically checking their ‘sent’ folders to make sure they had not inadvertently betrayed any confidences or criticised colleagues. Insiders said that while some of the rogue emails were potentially embarrassing, there were no serious leaks.”

Security flaw gets prisoners early parole

Here’s an interesting case of errors in an unchecked data-input process, discovered by the Michigan State Auditor General. The story appeared on The Register, which was kind enough to link to the original news story posted by WLNS.com:

“A flaw in computer programming caused State jails to release 8 prisoners anywhere from 39-161 days early, prisoners who were doing time for everything from embezzlement and drugs to bad check writing…A followup study by the Department of Corrections found 15 more prisoners who were either let out early or late.”

From there I found the actual audit document itself at the Michigan Office of the Auditor General, available as Report Number 47-591-04.

As it turns out, Michigan’s Auditors are on a roll. A BNA report published earlier this year noted that Michigan voter and drivers’ license databases were improperly secured for seven years:

“The Michigan Auditor General found, in a report issued March 18, that the state’s security methods were not effective in protecting voting and driver’s license databases from potential hackers between 1997 and June 30, 2004 (Mich. Aud. Gen. Report No. 23-591-04)”

McDonald’s posts fat facts

Why would McDonald’s bother?

The Chief Exec is quoted by the BBC: “We’ve given them what they asked for and then people take responsibility about whether they add it up or not add it up.”

Did consumers demand this information prior to “Fast Food Nation” and “Supersize Me”, or more importantly prior to the lawsuit that claimed fast food companies are liable for customers with eating disorders? Does the corporation perceive more risk now (from not providing the information) compared to when they first adopted the current recipes/ingredients?

Little black helicopters from space

It might seem overly tongue-in-cheek at first glance, but the Register’s ongoing coverage of Google satellite imagery has some interesting implications for privacy and information control. In general I think it good that we have better navigational aids, but clearly there will be some issues for anyone who is trying to fly below radar, so to speak. It actually reminds me of sand dunes in Baja that do a poor job of hiding Mexican military equipment from ground view, yet from the sky…

On a slightly related note, the flashearth site has a nice view of what future interfaces could look like. I wonder if anyone at Google is working on (or cares about) flat map distortion characteristics?

Shared secret exposes CA sensitive data

Weak algorithms (e.g. your name and a shared secret) used to “seed” new systems are another area where two-factor authentication (TFA) can really help improve security.

Here’s a story from the San Francisco Chronicle that illustrates what can happen if unique and random passwords, let alone TFA, are not planned for the system launch:

“The personal information of tens of thousands of California children — including their names, state achievement test scores, identification numbers and status in gifted or special-needs programs — is open to public view through a security loophole in dozens of school districts statewide that use a popular education software system.

Teacher names and employee identification numbers are also visible to anyone logging onto the system, which is used locally by school districts including San Francisco, San Jose and Hayward.

The problem occurs when the districts issue a generic password to teachers using the system. Until the teacher changes to a unique password, anyone can type in a teacher’s user name and generic password and gain access to information about students that is supposed to be guarded as closely as the gold in Fort Knox.”
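To make the generic-password problem concrete, here is an added example (not from the Chronicle article or the software vendor) that provisions accounts both ways and audits which ones still accept the launch password. The account names, the `Welcome2005` password and the record layout are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def hash_password(password, salt=None):
    """Return (salt, digest) for a salted PBKDF2-SHA256 password hash."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Check a candidate password against one stored account record."""
    salt, digest = record["cred"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def provision_generic(usernames, generic):
    """Weak launch: every account starts with the same password, no forced change."""
    return {u: {"cred": hash_password(generic), "must_change": False} for u in usernames}


def provision_unique(usernames):
    """Safer launch: a random one-time password per account, change forced at first login."""
    accounts, handouts = {}, {}
    for u in usernames:
        handouts[u] = secrets.token_urlsafe(12)
        accounts[u] = {"cred": hash_password(handouts[u]), "must_change": True}
    return accounts, handouts


def audit_generic(accounts, generic):
    """List accounts that still accept the generic launch password."""
    return sorted(u for u, rec in accounts.items() if verify(generic, rec))


# Constructed sample data: three teacher accounts and a made-up launch password.
TEACHERS = ["teacher_a", "teacher_b", "teacher_c"]
GENERIC = "Welcome2005"


def demo():
    weak = provision_generic(TEACHERS, GENERIC)
    weak["teacher_b"]["cred"] = hash_password(secrets.token_urlsafe(12))  # one teacher changed it
    strong, _ = provision_unique(TEACHERS)
    return audit_generic(weak, GENERIC), audit_generic(strong, GENERIC)


if __name__ == "__main__":
    print(demo())
```

Because the hashes are salted, the audit has to test the known launch password against each record rather than look for duplicate hashes.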

The last photo album

I remember people in the movie theater laughing during a particular scene in “The Last Starfighter”. One of the “alien” pilots has a digital device that shows pictures of his family — like an album on a screen — and the human starfighter is incredulous.

Fast-forward to earth today and a myriad of devices are on the market that might fit the bill, but the latest Garmin product seems especially like something a starfighter might stow on his/her ship. It’s called the nuvi and, of course, it’s only available to Europeans right now.

No announcements yet from Garmin on a Star Wars-like holo-imaging display included with a robot travel-companion…

Schneier on the ATM story

Bruce Schneier picked up the ATM story today on his blog, with an interesting perspective. He says “how lucky everyone was”…I posted something in his comments section about the liability issues raised in the article, which is where I felt I would have been headed anyway.

Bruce also has added an excellent link to Ross Anderson’s page regarding phantom withdrawals.

Time to give this trackback thingy a try…
