Eleventh circuit says password is 5th, not 4th amendment subject matter

From the Eleventh Circuit's opinion in In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011 (decided February 2012), holding that compelled decryption of a drive is testimonial:

We hold that the act of Doe’s decryption and production of the
contents of the hard drives would sufficiently implicate the Fifth
Amendment privilege. We reach this holding by concluding that (1)
Doe’s decryption and production of the contents of the drives would be
testimonial, not merely a physical act; and (2) the explicit and
implicit factual communications associated with the decryption and
production are not foregone conclusions.

First, the decryption and production of the hard drives would require
the use of the contents of Doe’s mind and could not be fairly
characterized as a physical act that would be nontestimonial in
nature. We conclude that the decryption and production would be
tantamount to testimony by Doe of his knowledge of the existence and
location of potentially incriminating files; of his possession,
control, and access to the encrypted portions of the drives; and of
his capability to decrypt the files.

We are unpersuaded by the Government’s derivation of the
key/combination analogy in arguing that Doe’s production of the
unencrypted files would be nothing more than a physical nontestimonial
transfer. The Government attempts to avoid the analogy by arguing that
it does not seek the combination or the key,
but rather the contents. This argument badly misses the mark. In
Fisher, where the analogy was born, and again in Hubbell, the
Government never sought the “key” or the “combination” to the safe for
its own sake; rather, the Government sought the files being withheld,
just as the Government does here. Hubbell, 530 U.S. at 38, 120 S. Ct.
at 2044 (trying to compel production of documents); Fisher v. United
States, 425 U.S. at 394–95, 96 S. Ct. at 1572–73 (seeking to access
contents possessed by attorneys).

Requiring Doe to use a decryption password is most certainly more akin
to requiring the production of a combination because both demand the
use of the contents of the mind, and the production is accompanied by
the implied factual statements noted above that could prove to be
incriminatory. See Hubbell, 530 U.S. at 43, 120 S. Ct. at 2047. Hence,
we conclude that what the Government seeks to compel in this case, the
decryption and production of the contents of the hard drives, is
testimonial in character.

Great Onion Video

The mock news site "The Onion" has a video that skewers Facebook
privacy. Well worth watching, and thinking about from a security
perspective.

understanding the discontent

Lauren Weinstein is a prolific writer on issues of trust, privacy and
open government. His blog is well worth reading, and he's certainly
worth following on Google+. The entry linked here is one of the best
analyses of the discontent that's fueling "Occupy Wall Street" and a
congressional approval rating of under 10% (the first time ever).

Stop what you're doing. Go read this. Now.

http://lauren.vortex.com/archive/000907.html

which social engineering technique works best

The folks at www.social-engineer.org have published the results of a
poll that addresses the title question. Worth a look.

Also, it's a good site to follow and has a newsletter worth reading.

http://www.social-engineer.org/polls/social-engineering-poll-endearment-vs-au...

Typo-squatting and doppelganger domains

Great article at Wired about typosquatting email domain names to grab
corporate email. The variant the researchers focused on is the
"doppelganger domain": drop the dot between a subdomain and its parent
(us.example.com becomes usexample.com), register the result, and wait
for mistyped mail to arrive.

Researchers found that about a third of Fortune 500 firms have
legitimate subdomain-qualified mail domains that are easily
typosquatted this way, and that some of the doppelgangers had already
been registered by someone else.

They registered a few themselves and collected about 20GB of mail in
six months, with plenty of confidential reports, usernames, passwords,
configurations, etc.

More details here:
http://www.wired.com/threatlevel/2011/09/doppelganger-domains/
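The practical counterpart for a defender is to generate the doppelganger and typo variants of your own mail domains and flag outbound messages addressed to one of them before they leave the gateway. The script below is an added example, not code from the Wired article or from the researchers it describes; the protected domain list, the block of outbound recipients and the `.example`/`.test` names are all constructed for illustration. It goes slightly beyond the article by also covering single-character typos of the registrable part, since the same index serves both.

```python
"""Build an index of doppelganger and typo lookalikes for an organisation's
mail domains, then flag outbound recipients that hit one of them.

Added example (not from the Wired article or the researchers' tooling).
All domains and addresses below are constructed for illustration."""

# Constructed: the subdomain-qualified mail domains an organisation really uses.
PROTECTED_DOMAINS = ["us.example.com", "eu.example.com", "mail.corp.example.com"]

# Constructed: a batch of outbound recipient addresses seen at the mail gateway.
OUTBOUND = [
    "alice@us.example.com",   # legitimate
    "bob@usexample.com",      # doppelganger of us.example.com
    "carol@exmaple.com",      # transposition typo of example.com
    "dave@partner.test",      # unrelated third party
]


def doppelgangers(domain):
    """Doppelganger domains: fuse one subdomain with its parent by dropping the
    dot between them, e.g. us.example.com -> usexample.com. The dot before the
    TLD is never dropped, since 'examplecom' is not a registrable name."""
    labels = domain.lower().split(".")
    out = set()
    for i in range(len(labels) - 2):
        fused = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        out.add(".".join(fused))
    return out


def typo_variants(domain):
    """Single-character typos of the second-level label: omission, doubled
    character and adjacent transposition. Returns full names under the same TLD."""
    labels = domain.lower().split(".")
    sld, tld = labels[-2], labels[-1]
    variants = set()
    for i in range(len(sld)):
        variants.add(sld[:i] + sld[i + 1:])                    # omitted character
        variants.add(sld[:i] + sld[i] + sld[i:])               # doubled character
        if i + 1 < len(sld):
            variants.add(sld[:i] + sld[i + 1] + sld[i] + sld[i + 2:])  # transposition
    variants.discard(sld)   # the real name is not a lookalike of itself
    variants.discard("")
    return {v + "." + tld for v in variants}


def lookalike_index(domains):
    """Map each lookalike to the legitimate name it imitates. Doppelgangers map
    to the subdomain-qualified name; typo variants map to the registrable domain.
    First domain to claim a variant wins, so the result is deterministic."""
    index = {}
    for d in domains:
        for v in doppelgangers(d):
            index.setdefault(v, d)
        registrable = ".".join(d.lower().split(".")[-2:])
        for v in typo_variants(registrable):
            index.setdefault(v, registrable)
    return index


def flag_recipients(addresses, index):
    """Return (address, imitated_domain) for every recipient whose domain is a
    known lookalike. Suitable as a gateway policy hook: hold or bounce the hits."""
    hits = []
    for addr in addresses:
        _, _, domain = addr.rpartition("@")
        domain = domain.lower()
        if domain in index:
            hits.append((addr, index[domain]))
    return hits


if __name__ == "__main__":
    idx = lookalike_index(PROTECTED_DOMAINS)
    for addr, target in flag_recipients(OUTBOUND, idx):
        print("HOLD %-25s looks like %s" % (addr, target))
```

Registering the generated names yourself, where they are still free, is the other half of the defence; the index is also a useful watch list against new-domain feeds, since a lookalike that appears in DNS with an MX record is exactly the setup the article describes.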

Steve Jobs: three stories

This link will take you to Steve Jobs' commencement address at
Stanford. In it, he tells the graduates three stories of his life that
apply to all of them and to all of us (at any age). It is well worth
the 18 minutes.

http://www.ted.com/talks/steve_jobs_how_to_live_before_you_die.html

Fall Foliage Workshop

Completely off topic, but just to let you all know that I signed up
for a very inexpensive photo workshop in one of my two favorite
national parks (and we might hit the other one if the weather holds).
This tour goes to Zion and maybe Bryce. It is during fall foliage time
there (it starts Oct 30). Details at
http://www.ddnlw.com/pdf_itinerary.pdf

The two enclosed photos are mine, from Bryce and Zion, taken many
years ago on slide film and scanned to digital. Much better examples
can be found on the workshop leaders' website.

Risk and blame: prioritizing real risk vs personal risk

This is a quote lifted directly from Bruce Schneier's blog. He quotes
the article cited below, and the TSA comment at the end is his own.

"A. Peter McGraw, Alexander Todorov, and Howard Kunreuther, "A Policy
Maker's Dilemma: Preventing Terrorism or Preventing Blame,"
Organizational Behavior and Human Decision Processes, 115 (May 2011):
25-34.
Abstract: Although anti-terrorism policy should be based on a
normative treatment of risk that incorporates likelihoods of attack,
policy makers' anti-terror decisions may be influenced by the blame
they expect from failing to prevent attacks. We show that people's
anti-terror budget priorities before a perceived attack and blame
judgments after a perceived attack are associated with the attack's
severity and how upsetting it is but largely independent of its
likelihood. We also show that anti-terror budget priorities are
influenced by directly highlighting the likelihood of the attack, but
because of outcome biases, highlighting the attack's prior likelihood
has no influence on judgments of blame, severity, or emotion after an
attack is perceived to have occurred. Thus, because of accountability
effects, we propose policy makers face a dilemma: prevent terrorism
using normative methods that incorporate the likelihood of attack or
prevent blame by preventing terrorist attacks the public find most
blameworthy.
Think about this with respect to the TSA. Are they doing their best to
mitigate terrorism, or are they doing their best to ensure that if
there's a terrorist attack the public doesn't blame the TSA for
missing it?"

Bruce's excellent, must-read blog is at: http://www.schneier.com/

Future references to his work will merely include the link and a short
description.

Un-erasable cookie

Browsers cache downloaded resources together with a validator the
server attaches to them, the ETag header. On a later request the
browser sends that value back in an If-None-Match header; if the
resource is unchanged the server answers 304 Not Modified and the
cached copy is reused instead of being downloaded again. So far, so
good.

This is built-in HTTP behavior, and it is very difficult, if not
impossible, to turn off in a business environment without losing the
caching it exists for.

However, some advertisers are now issuing a unique ETag to each visitor
and reading it back from If-None-Match on later requests, which tells
them whether you have been to their site or have ordered certain
products. Deleting cookies does not remove it, because the value lives
in the browser cache rather than the cookie jar; only clearing the
cache, or blocking the tracking host, gets rid of it. This is certainly
not the use ETags were intended for, but that's beside the point. It
exists and it is being used to thwart users' privacy expectations.

The solution is legislation, fines and maybe jail (extension of
anti-hacking laws).
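To make the mechanism concrete, the simulation below is an added example, not code from the blog post or from any advertiser: a constructed tracking origin that mints a per-visitor ETag, a minimal browser cache that echoes it in If-None-Match, and an egress-proxy policy that strips conditional-request headers for a constructed block list of tracker hosts. It shows what the post states: clearing cookies changes nothing, clearing the cache (or stripping the validator at a proxy) does.

```python
"""Simulate the ETag 'supercookie' and the two things that actually defeat it.

Added example; the tracking server, browser cache, proxy policy and the
tracker.example host are constructed stand-ins, not real products."""

import secrets

PIXEL = b"GIF89a\x01\x00\x01\x00"          # constructed stand-in for a 1x1 tracking image
TRACKER_HOSTS = {"tracker.example"}       # constructed block list used by the proxy policy


class TrackingServer:
    """Origin that gives every unknown browser a fresh, unique ETag and
    recognises returning browsers by the value they echo in If-None-Match."""

    def __init__(self):
        self.visits = {}   # etag -> how many times that browser has come back

    def handle(self, request_headers):
        tag = request_headers.get("If-None-Match")
        if tag in self.visits:
            self.visits[tag] += 1
            return 304, {"ETag": tag}, b""          # recognised: identity recovered, no body
        tag = '"%s"' % secrets.token_hex(8)         # random identifier, not a content hash
        self.visits[tag] = 1
        # no-cache forces revalidation on every use, so the tag comes back each visit
        return 200, {"ETag": tag, "Cache-Control": "no-cache"}, PIXEL


class Browser:
    """Minimal cache that stores the validator per URL and sends it back on
    revalidation. Cookies are kept separately to show they are irrelevant."""

    def __init__(self, proxy=None):
        self.cache = {}
        self.cookies = {}
        self.proxy = proxy          # optional header-rewriting policy on the way out

    def fetch(self, url, server):
        headers = {"Host": url.split("/")[2]}
        if url in self.cache:
            headers["If-None-Match"] = self.cache[url]
        if self.proxy:
            headers = self.proxy(headers)
        status, resp, _ = server.handle(headers)
        if status == 200:
            self.cache[url] = resp["ETag"]
        return status

    def clear_cookies(self):
        self.cookies.clear()       # leaves the cache, and therefore the ETag, intact

    def clear_cache(self):
        self.cache.clear()         # the only client-side action that drops the identifier


def strip_validators(headers):
    """Egress-proxy policy: remove conditional-request headers for known tracker
    hosts, so the origin never sees a returning identifier and can only mint
    new ones. Ordinary caching for every other host is untouched."""
    if headers.get("Host") in TRACKER_HOSTS:
        return {k: v for k, v in headers.items()
                if k not in ("If-None-Match", "If-Modified-Since")}
    return headers


def run_scenario(proxy=None):
    """Four fetches of the tracking pixel with a cookie wipe after the first
    and a cache wipe before the last. Returns how many distinct identifiers
    the tracker issued and the most visits it could tie to one of them."""
    server = TrackingServer()
    browser = Browser(proxy)
    url = "http://tracker.example/pixel.gif"
    browser.fetch(url, server)     # first visit: 200, identifier minted
    browser.clear_cookies()
    browser.fetch(url, server)     # 304: recognised despite the cookie wipe
    browser.fetch(url, server)     # 304 again
    browser.clear_cache()
    browser.fetch(url, server)     # 200: a new identifier only after the cache wipe
    return {"identifiers": len(server.visits),
            "max_visits_per_id": max(server.visits.values())}


if __name__ == "__main__":
    print("no mitigation:   ", run_scenario())
    print("proxy strips tag:", run_scenario(strip_validators))
```

Without mitigation the tracker links three visits to one identifier across the cookie wipe; with the proxy policy every visit looks like a new browser. The policy has a cost, which is why it is scoped to a block list: stripping If-None-Match for all hosts would turn every revalidation into a full download.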

Defending the Net, A TED Talk by F-Secure's Mikko Hyppönen

Many of the blog posts here reference F-Secure materials. Here's one
of the best, a talk in July 2011 by Mikko Hyppönen, Chief Research
Officer of F-Secure. He got a standing ovation at TED, which is quite
an accomplishment. Highly recommended.

http://blog.ted.com/2011/07/19/fighting-viruses-defending-the-net-mikko-hyppo...