Category Archives: Security

Correlating AOL search IDs to real people

The NY Times has picked up the AOL fiasco story and brought it home:

A Face Is Exposed for AOL Searcher No. 4417749

Buried in a list of 20 million Web search queries collected by AOL and recently released on the Internet is user No. 4417749. The number was assigned by the company to protect the searcher’s anonymity, but it was not much of a shield.

No. 4417749 conducted hundreds of searches over a three-month period on topics ranging from “numb fingers” to “60 single men” to “dog that urinates on everything.”

And search by search, click by click, the identity of AOL user No. 4417749 became easier to discern. There are queries for “landscapers in Lilburn, Ga,” several people with the last name Arnold and “homes sold in shadow lake subdivision gwinnett county georgia.”

It did not take much investigating to follow that data trail to Thelma Arnold, a 62-year-old widow who lives in Lilburn, Ga., frequently researches her friends’ medical ailments and loves her three dogs. “Those are my searches,” she said, after a reporter read part of the list to her.

I can only assume that the woman who is the subject of this story, as well as the reporter, understand the significance of personalizing the issue.

I can honestly say I am glad I have not been using AOL, although I have nothing to hide. I suppose it is the same feeling as being glad I do not drive cars with exploding tires, even though I consider myself a safe driver.

One of the lessons for AOL will probably be to have a legal, privacy and security approval for any and all data transfers with external entities. I have to believe that their lawyers and security team had no idea that someone was going to post search data for public consumption, and this will probably become a good part of the discussion going forward (if not already).

Multi-hull safety at sea and risk perception

I was asked to represent my local A-Cat fleet this evening at a club race planning meeting, to help bring us into the fold with the other approved one-design classes. It was a surprise to find most of the questions about the A-Cat, and multi-hull racing in general, related to safety concerns.

I had to explain the various risk factors and the safety measures I thought were appropriate for a high-performance ultra-light racing platform. This would have been easier if others sailed the same or even similar type boats, but you might say the difference between an A-Cat and a typical club racer is akin to the difference between a Mosler MT900s and a Toyota Camry. We’ve been sailing enough in local events, fortunately, that the issues were discussed with some real-world examples and in the end the fleet was approved.

People on sailing forums sometimes ask about A-Cat security and here are my thoughts in a nutshell:

I say a good radio, whistle, strobe, water and spare set of goggles/glasses (prescription) are most critical…a wetsuit is also typical gear for us where thicker ones give a fair amount of buoyancy. The way I look at it these basic items significantly reduce personal risk and you could still need them even if you manage to stay with the boat after a spill (torn sail, dismast, etc.). It’s bulky but to keep it nice and tidy (and reduce windage) I always wear a giant rashguard over everything.

And that just takes me back to an old Outside article on how to calculate risks during recreation:

NO WONDER, THEN, that the optimal adventure experience for many enthusiasts is one in which the perceived risk is high but the actual risk is acceptably low. Running rapids is a good example. “People look at big whitewater, and their perception is that it’s very dangerous,” says Pamela Dillon, executive director of the American Canoe Association. “But the stats tell a different tale. In sheer numbers—including canoeists, kayakers, and rafters—the most common way someone dies boating is in a canoe, on flatwater, with no PFD [personal flotation device], drinking alcohol.

“Fifty percent of people who die in canoes and kayaks are out fishing,” Dillon continues. “They’re not tuned in to the skills and information they need to participate safely.”

If there’s just one thing you could say about A-Cat sailors, I think “tuned in” might be it. Here’s Glenn doing a nice fly-by for the race committee (note the flat water):

[Image: balance]

Happy MS patch Tuesday

Well, twelve patches with nine rated as critical have been officially announced. The list of vulnerabilities is longer than the fixes, so I give MS credit for finding a way to reduce the numbers (ah, the cumulative update). Yet, at least one patch requires a reboot and several deal with exploit code in the wild, so the significance of the vulnerabilities should be reviewed:

Critical

* MS06-040 – Vulnerability in Server Service Could Allow Remote Code Execution
* MS06-041 – Vulnerability in DNS Resolution Could Allow Remote Code Execution
* MS06-042 – Cumulative Security Update for Internet Explorer
* MS06-043 – Vulnerability in Microsoft Windows Could Allow Remote Code Execution
* MS06-044 – Vulnerability in Microsoft Management Console Could Allow Remote Code Execution
* MS06-046 – Vulnerability in HTML Help Could Allow Remote Code Execution
* MS06-047 – Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution
* MS06-048 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution
* MS06-051 – Vulnerability in Windows Kernel Could Result in Remote Code Execution

Moderate

* MS06-045 – Vulnerability in Windows Explorer Could Allow Remote Code Execution
* MS06-049 – Vulnerability in Windows Kernel Could Result in Elevation of Privilege
* MS06-050 – Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution

Report slices into UK government knife amnesty

A charity has some uncharitable words with regard to the government’s actions:

Chris Eades, author of the Centre for Crime and Justice Studies (CCJS) report, said: “Not enough is known about the carrying and use of knives or why people engage in those activities.

“Consequently, the government is constructing responses without any credible evidence that they will be successful.

“Knife amnesties will have a negligible impact since knives will be available as long as there is unsliced bread.

“If the goal of criminal justice policy is to reduce the number of victims and the harm they suffer, we should look at the root causes – the inclination or desire to resort to violence.”

Official statistics show violent knife crime in England and Wales has dropped in the last 10 years.

Sharp and very pointed analysis. The drop is apparently due to an overall decline in the use of knives, rather than effectiveness of the government program. But since when does an elected or even appointed official not take credit for positive results, regardless of their involvement or the real cause? Post hoc, propter hoc