Wednesday, June 14, 2006

Only You

The AP reports that the data pertaining to 1,500 Department of Energy employees, many of who worked on nuclear weapons, was stolen from an unclassified computer.

A computer hacker stole a file containing the names and Social Security numbers of 1,500 people working for the Energy Department's nuclear weapons agency. ... The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in New Mexico. The file contained information about contract workers throughout the agency's nuclear weapons complex, a department spokesman said.

The administrator, Linton Brooks, told a House of Representatives hearing that he learned of the security breach in late September but did not inform Energy Secretary Samuel Bodman about it. It had occurred earlier that month.

Brooks blamed a misunderstanding for the failure to inform either Bodman or Deputy Energy Secretary Clay Sell about the security breach. Brooks' NNSA is a semiautonomous agency within the department, and he said he assumed DOE's counterintelligence office would have briefed the two senior officials.

Defense Industry Daily reports that a previously reported loss of Veteran's Administration data from an analyst also contains information on active duty servicemen.


In a follow-up to the events described in DID's May 25, 2006 article, the US government has disclosed that personal data on up to 50,000 active Navy and National Guard personnel were among those stolen from a Veterans Affairs employee's home last month. An Associated Press article says that information including names, Social Security numbers and dates of birth of up to 20,000 National Guard and Reserve personnel who were on at least their second active-duty call-up were "potentially included"; the same status applies for up to 30,000 active-duty Navy personnel who completed their first enlistment term prior to 1991. ...

So how much data theft is there?  There are apparently a fair number of attempts even on banks, though the seriousness of the losses is apparently limited ("in the range of $1 million")

Deloitte's '2006 Global Security Survey' of the world's top 100 global financial institutions found that 78% of banks experienced a security breach from outside the organisation in the past 12 months, up from 26% in 2005, while 49% had experienced at least one internal security breach, up from 35% in 2005. Almost three-quarters (72%) of financial institutions that experienced a security breach indicated the estimated amount of damage, including direct and indirect costs, was in the range of $1 million.

Naturally something, once stolen has got to be fenced. There's apparently a market in stolen data. The International Herald Tribune filed this report in mid-2005.

The players come from all over the world, but most of the Web sites where they meet are run from computer servers in the former Soviet Union, making them difficult to police. ... In October, the Justice Department and the Secret Service announced the internationally coordinated arrests of 28 people in eight U.S. states and several other countries, including Sweden, England, Poland, Belarus and Bulgaria. ... But eight months later, the traders have adapted and resumed business, though they seem a bit more wary now ...

Commentary

Most of the data theft instances cited above are actually instances of identity theft. An identity token is something that stands for "you". What we use to represent us reflects the tradeoff between the usefulness of the form chosen and the danger it represents to us. Wikipedia cites the example of the USA where the use of "semi-secret" information is more commonly used to authenticate transactions than in Europe, where a physical identification card is required. The card is harder to counterfeit, but reliance on it means that "it is also less common to do business by phone as it is e.g. in the USA". Printing a high-security physical ID doesn't solve every problem. Alan Dershowitz, notes that behind every system of ID cards lies -- you guessed it -- a database which contains not only the master recordset but information that can be used to match the ID card to the record key.

The next group of issues relates not to the card itself but to the database connected to the card. The most important question in this regard is what information the database should contain. Further still, should there be a single database or separate databases, each containing different kinds of information for different purposes. Related to this is the question of sharing information on any databases. Should government agencies be permitted to share information freely? What about the private sector? Should there be a presumption in favor of sharing or in favor of separation? Prior to 11 September 2001, these important issues were decided largely by happenstance, computer connections, and intragovernmental rivalries. Following 11 September 2001 there has been greater sensitivity to the need to make principled decisions about when information should be shared and when it should be kept separate. Finally, there are the technical questions related to whether we can develop the capacity to limit access to data according to the need to know.

With respect to "what information the database should contain", the British have decided to use biometric information so identities can be checked not only by matching the ID photo with the bearer's face but by doing any further lookups necessary on the stored biometric file. Biometrics are going to be incorporated into the various forms of US IDs. But even this isn't foolproof because anyone seeking to biometrically authenticate a person against a database will in practice have to transmit a digital representation of the biometric, with allowances for an error within a specified limit, to do the lookup. "If a person's credit card number is stolen, for example, it can cause them great difficulty. If their iris scan is stolen, though, and it allows someone else to access personal information or financial accounts, the damage could be irreversible." If someone has stolen the digital representation of your iris scan it could in principle be fraudulently used to represent "you"; and unlike a credit card number there is no easy way to get a new set of irises.

If a perfect ID card could be developed, it would self-answer the question of who can collect information about "you": it is anyone who takes the trouble to.

some high-tech bars are scanning driver's licenses, presumably as a means of stopping underage drinkers, but also as a means of gathering statistics on their patrons, such as what hours certain demographic groups drink. This latter use is worrisome, and it's likely to get worse, in part because of legislation approved by Congress last year. The Real ID Act requires states to adopt uniform standards for their driver's licenses, including common machine-readable technology, presumably RFID. The idea is that a driver's license in one state can be scanned by someone in another state. Under the Real ID Act, the information will not be encrypted--a boon for identity thieves who can already scan copycat credit and debit cards at their leisure. With the Real ID Act, look for more businesses to scan driver's licenses with an eye toward selling the data to data warehouses, such as ChoicePoint, which have proven to be insecure.

A foolproof ID card with RFID would represent a tracking device of considerable power. With enough sensors available there it should be possible in principle to locate a person 24x7. The downside of carrying an object that strongly identifies you is that it identifies you in practically every conceivable situation. Do you really want to be you?

28 Comments:

Blogger 2164th said...

Your Permanent Record

We often hear about the right to "Privacy". It is railed about when discussing abortions, student lockers and sexuality issues. There was the recent guff about NSA phone surveillance. It is considered intrusive to ask if someone is legally in the country, and you hardly need identification to vote, yet the food you eat is tracked by computers in super markets. People willingly surrender all privacy for a "buy one get one free" box of ice cream with a club card. There once was the quaint threat and notion of getting information put on your "permanent record" if you were in school during the fifties and sixties.

Today it is the "Credit Score", sort of a spender’s nirvana, where lenders, insurers, landlords can dispense favors or rampant discrimination all based on the real Permanent Record. We are encouraged to check it daily as if it were your pulse and take remedial action to get your numbers up. Google recently posted satellite photos of your home, so that anyone could find your most private space.

It is time for the extreme opt out. It is time to have the choice of cloaking all your data from any source other than law enforcement and government. The outrage of ubiquitous anonymous data banks on citizens must stop.

6/14/2006 05:16:00 AM  
Blogger Cannoneer No. 4 said...

16 And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:

17 and that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name.

18 Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six.

6/14/2006 05:22:00 AM  
Blogger Cannoneer No. 4 said...

I got my letter from the VA the other day. Never got a thing from the VA, but they got info from me, which they lost.

Getting a security clearance is only going to get harder when an ever increasing number of applicants have major credit problems caused by identity theft. If I was a Red Chinese cyber war general thinking of ways to bring down the capitalist running dogs, I'd be stroking my big white cat and thinking "hmmmm".

6/14/2006 05:33:00 AM  
Blogger Papa Bear said...

2164th: at least on the supermarket "club cards", one can usually get away with filling out a bogus name/address on the application

One step in the right direction would be a "smart card" with an embedded computer chip using public key encryption and message signing. In this way, what is read from the card would be different on every query. The vendor would need to query the card company on each transaction to verify the card is not stolen.

6/14/2006 05:38:00 AM  
Blogger Cannoneer No. 4 said...

Spycips RFID Blog

6/14/2006 05:43:00 AM  
Blogger Cannoneer No. 4 said...

VeriChip Photos

VeriChip Corporation: RFID For People

6/14/2006 05:49:00 AM  
Blogger John B said...

And people wonder why I don't bank online.

6/14/2006 07:45:00 AM  
Blogger al fin said...

There is no such thing as absolute data security. But the US federal government civil service workers are sloppy, sloppy, sloppy. Get to work in time for morning coffee break, try to finish the break in time for lunch, get back from lunch for afternoon coffee break, then finish the afternoon break early to clock out for the day. The mentality of the permanently entitled civil service bureaucrat, enjoying the leisure of other people's money. Work? Why, this is government "work". There is no work in government work.

Of all US government employees, military members and forest service employees appear the most devoted. Most of the rest appear not to care if the rest of the country dropped off the map, as long as they got their paycheck. Good old nepotistic affirmative action at work, along with a fair degree of Peter Principle.

6/14/2006 08:47:00 AM  
Blogger desert rat said...

This comment has been removed by a blog administrator.

6/14/2006 08:57:00 AM  
Blogger Doug said...

Ot-Limbaugh:
FOIA-Warfare by ACLU in Courts driving war policy re Gitmo, etc MSM/McCain drive it home.
"Take No Prisoners"
- Ralph Peters
"No Prisoners, No Problem"
- Trish
(Freedom of Information Act + Activist Judges)

6/14/2006 09:21:00 AM  
Blogger Doug said...

John B said...
"And people wonder why I don't bank online."
---
People with brains and a conservative outlook should never FILE TAXES online:
Give it to the Borg vs to a lazy Govt employee to shuffle.
-we ALL Suffer as a result.

6/14/2006 09:27:00 AM  
Blogger Doug said...

Cannoneer:
"Getting a security clearance is only going to get harder when an ever increasing number of applicants have major credit problems caused by identity theft"
---
A Valid Matricula Consular Card will do just fine.
...or Immam Status.

6/14/2006 09:30:00 AM  
Blogger Doug said...

Kerry demandsUS troop pullout
Senator John F. Kerry is placing himself at the center of congressional action over the war in Iraq this week with a crisply worded resolution to require President Bush to withdraw almost all US troops by the end of this year.
---
"Hard and Fast," (Hillary.)
Says Mr. Flip Flop.

6/14/2006 09:50:00 AM  
Blogger desert rat said...

cannoneer
Take a little trip and you will see what I've meant by the Court of Public opinion.

First stop by RCP blog where the title "The Assault on Our Troops" is referencing a Steve Benson cartoon. Mr Benson is a long time AZ Republic cartoonist. If this cartoon offends, boycott Gannent, everywhere. here is a list of their newspapers. Here is a list of their TV stations

If you find Mr Benson offensive, I have for years, take the fight to his owner. He's a corporate cartoonist.

But then while visting for reference, do not miss out on THE CAMP PENDLETON 8 story and see just how innocent 'til proven guilty the THE CAMP PENDLETON 8 combat vets are being treated.

Camp Pendelton, the "new" Gitmo.
Well not really, the Gitmo boys have more freedoms, on average, then the THE CAMP PENDLETON 8.

12 hours of recreation a day at Gitmo.

6/14/2006 09:59:00 AM  
Blogger desert rat said...

So who do we as patriotic Americans support, cannoneer?
The Corps, which is holding, without charges, seven Marines and a Corpsman, in shackles, or do we believe these men innocent, 'til proven otherwise, and that they should be treated as such, even though the Corps obviously does not agree.

Obviously the CAMP PENDLETON 8 are a danger to Society, or so the Corps must believe.

6/14/2006 10:11:00 AM  
Blogger rhhardin said...

An ID mechanism has a built-in contradiction, that the token is not the person. The more you trust the token, the more damage it can do.

Going the other way, with informal identification, keeps the level of trust at about what is necessary for the transaction, and worked for years and years until, for example, credit agencies got lazy.

A credit agency using SS number has a competitive advantage because their costs are lower, so every credit agency has to use them. So long as the damage cost to them is lower than the business gained, it gets used.

Now nobody can stop using SS number without losing business, even though competitively they're back where they started.

Making the credit agency responsible for the damage to the individual damaged would change the equation a lot in favor of ``know your customer.''

The mistake is not in the token, but in thinking you can trust it.

6/14/2006 10:45:00 AM  
Blogger RWE said...

A recent article in Aviation Week said that Australia is looking at how to fight the cyber-war and also said that electronic crime "universities" in Eastern Euope have teamed up with practicioners in North Korea to conduct attacks, most recently causing a spike in that kind of crime in Japan.

Since getting a firewall for my home computer, I have been shocked at the number of unauthorized outside connection attempts. Most recently a source traced to Skiatook, OK has been very persistant.

If you do not have a firewall, get one!

Then there is Phishing. Got another one today, purporting to be my ISP. I have traced a number of these to Romania, and recently I was surprised when I complained to a Russian ISP about one and got a nice answer saying they had shut the guy down. Usually, if it is foriegn I do not bother to complain.

Personally, I look forward to some of these guys receiving the Zerqawie Kerpowie treatment.

A Smith and Wesson beats four aces. An F-16 with laser guided bombs beats an expertise in electronic crime.

6/14/2006 11:29:00 AM  
Blogger 2164th said...

Maybe it is Too Late

June 14, 2006 7:30 AM PDT
Google's secret weapon is hiding in plain sight
A New York Times article on Wednesday takes look at a sprawling new plant under construction in Oregon. Spread over a lot the size of two football fields, the compound houses two buildings, with permits ready for a third, and features "twin cooling plants protruding four stories into the sky."


But this plant isn't run by an electricity company or another utility. It belongs to Google.

The company has built a data center that is expected to house tens of thousands of inexpensive processors and disks, necessary to maintain the massive databases and power the computing needs of the search engine giant. Why a remote spot in Oregon? The attraction is cheap electricity and a large supply of fiber optic networking.

Google's not alone in the neighborhood-- Microsoft and Yahoo have announced that that they too will build data centers in the area.

6/14/2006 11:54:00 AM  
Blogger Annoy Mouse said...

I made the monumental mistake of sharing the SSN of an employee of mine with a company that I was under contract to. Someone there pinched his name and social security number which ended up in the hands of an identity theft ring in Southeast San Diego. They got a Discovery card and started racking up bills. Even paid a couple of times. The credit card company blamed me for the mishap, suggesting even that I was involved. I talked to the police… said it was a post office problem, met with the postal inspector… it was a police problem, talked with the credit card company, my problem. So I holstered my 45ACP and drove down there to talk to these people. Bad idea… not my problem. The government promotes identity theft like they promote illegal immigration. Its about time to break out the torches and pitch forks and throw the colonials out. July the forth part deux is coming sooner or later if these malignant turds don’t get their act together.

On a side note, back in the day when I was married, my wife bought weed from the postman in Arizona. When we moved to California I was relieved to know that this tie was being broken until she was able to buy weed from the new postman. In San Diego I knew a postman who sold meth. He’d give it away for free to these young ladies that I knew, and as screwed up as they were I was determined to make it stop. I told him if I found out that he was selling it or giving it away around here (Baxter’s bar) that I would personally drop the dime on him. He told me that if I did that he would kill me. I told him if I ever saw him again I would kill him. I showed up every day for a month packing a .380. Never saw Skip again. I have more identity theft and postal workers stories but will save it for a later time.

By the by… sold my gun collection.

6/14/2006 12:27:00 PM  
Blogger Doug said...

"ended up in the hands of an identity theft ring in Southeast San Diego"
---
Pretty disgusting of you to blame these new arrivals for not understanding all our restrictive rules in the first few generations:
Your Nativist, Exclusionist Prejudice has taken over your heart and soul.
Mind is next to go.

6/14/2006 12:33:00 PM  
Blogger Doug said...

Wish you would go post over at Farts in the Darkness, or whatever, where people in the rest of the country, lawyers and welfare workers and the like think you Californians should pound sand.
...and of course Buddy Larsen, who thinks the country belongs to Mexico, ...or should per GWB/Senate plan.

6/14/2006 12:36:00 PM  
Blogger Annoy Mouse said...

Note to Doug, mind already go...

My knew ketch fraze

dont no.

6/14/2006 12:38:00 PM  
Blogger desert rat said...

Like cannoneer, I got my VA letter the other day.
We regret to inform you...
We lost your name and SS#, you should be aware of idenity theft threats.
We got your address from the IRS, but do not worry about that, either.

Convert to cash, counter migrate south, hit the beach.

6/14/2006 12:45:00 PM  
Blogger Doug said...

"My husband is one of the seven Marines and one sailor that are being held without being charged over accusations about the incident in Hamandiya that has been in the news for the past few weeks. Whenever he leaves his cell, he is shackled, handcuffed, and escorted by two guards. He is kept in solitary confinement and let out for exercise only 1 hour a day.
When I visit him, he is presented to me behind a thick glass barrier and still shackled. We can’t even touch each other.
"
---
If he had any sense, he'd convert to Islam, and get the lavish glove treatment for his remaining days in service.
Catered food, spiritual counseling, free legal, medical, etc.
Nothing but the finest.

6/14/2006 01:01:00 PM  
Blogger 2164th said...

amen

6/14/2006 01:08:00 PM  
Blogger Doug said...

Mike Savage was intstumental in raising money for Mr. Pantano's defense.
Now on to the Corpsman, and the rest.
Dear Dr. Savage:

My Secretary handed me a document this evening which stunned me. It was a document from the investigation which had been scanned and e-mailed to my office by a member of the media. I don’t know who leaked the document- - whether it was an "unnamed Pentagon official," NCIS, or a politician with an agenda- - but I do know that it is an outrage that the only piece of documentary evidence I’ve seen so far in this case came from a member of the media and not from the Marine Corps. As my client sits shackled in solitary confinement in the Marine Corps Brig with charges yet to be filed, the Marine Corps has stooped to leaking portions of the investigation in order to advance their case in the media.
It is a sad day in military justice when honor on the battlefield takes a back seat to political agendas.
Thanks again for your support. You are a true American.
Jeremiah J. Sullivan, III
Law Offices of Jeremiah J. Sullivan, III

6/14/2006 01:14:00 PM  
Blogger Doug said...

Hope some will address rhhardin's points.
This sort of stuff makes my head hurt, but I'm for ANYTHING necessary to stop our rapid descent into lawlessness.
All our subtle and precious freedoms will mean nothing once a certain point is reached on that slide.

6/14/2006 01:55:00 PM  
Blogger bioqubit said...

WHY is it not obvious to anyone here that the Chinese are doing this? Or else the Russians? This pattern of getting key information on people critical to the security of this nation can only point to a potential enemy.

And, yes, to what end? You can bet your bottom dollar they are incessantly striving to match those names up with security clearances so they can key in on the really crucial people.

As a matter of history, I am willing to bet that a perfect copy of the 900 plus FBI files on government officials that were stolen under Clinton ended up in a secret library in Beijing.

So, the Feds better get jiggy with this and stop more of these types of thefts.

And these are just the ones we have been told about...

6/16/2006 08:17:00 PM  

Post a Comment

Links to this post:

Create a Link

<< Home


Powered by Blogger