Category Archives: Security

Phishing for poems

The New Yorker often has good poetry. This one reminds me of how far we have come from the old meaning of fishing:

And now he feels he’s in his element,

Baiting a hook and casting forth the line,

And through clear water sees a heaven-sent

Swift flash of silver rise into air and shine.

Ah, let it go-go, dart back to the deep.

A lovely thing, but much too small to keep.

Does a phisher ever say “nah, this one is much too small”? Not enough data, or maybe too poor to steal from?

Probably not. The modern phisher is about as unlikely to follow catch-and-release rules as a greedy seagull. Or, as Henry Wadsworth Longfellow put it in Hiawatha’s Fishing:

Three whole days and nights alternate
Old Nokomis and the seagulls
Stripped the oily flesh of Nahma,
Till the waves washed through the rib-bones,
Till the sea-gulls came no longer,
And upon the sands lay nothing
But the skeleton of Nahma.

And upon the silicon lay nothing but the skeleton of users.

Utah offers $1,000 reward for 2.2 million missing billing records

My math skills must be waning. If I read this article correctly, the University of Utah Hospitals & Clinics is offering $1 for every 2200 billing records that were lost by Perpetual Storage Inc.:

A metal box containing the backup tapes, which contained billing records for approximately 2.2 million patients and guarantors, was stolen on Monday, June 2, from a car belonging to a driver who worked for an independent storage company contracted by the health-care system. The driver violated the protocols his company had established to ensure secure data transportation.

[…]

The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked.

The numbers just do not make sense to me. Another report explains that 1.3 million Social Security numbers were on those tapes.

Here is the recap of how the driver violated his protocol:

The courier picked up the records on June 1. Instead of taking them to a storage center, he worked a second job and then went home, said Shane Manwaring, Salt Lake County deputy sheriff.

The next day, he discovered that someone had broken into his vehicle outside his Kearns home and taken the box, Manwaring said.

The key question, no pun intended, is why the trip was able to include this insecure detour. The obvious answer seems to be that the employee needed a second job, needed a stop at home, and that the storage company had no way of detecting that the box was overdue for “direct route” delivery to a safe spot. All three could easily be fixed, and I consider them a failure of security management rather than solely the fault of an operator who made a predictable error. With only $1,000 offered as a reward, I have to wonder how seriously anyone takes security when they transport tapes.

Finally, even if the tapes are returned, they were still stolen and may have been copied; getting the media back does not undo the exposure.

Incidentally, no pun intended again, Kearns Utah seems to be a dangerous neighborhood. The Salt Lake Tribune reported a man was shot with his own gun while trying to fight off a “high-dollar merchandise” burglar in his home on May 10th, 2008.

Updated to add (June 12, 2008): Vincent Arnold has been kind enough to post Symantec’s chart of the value of compromised information.

It does not take a rocket scientist to read this and see that a person holding the University of Utah tape data could be looking at a minimum of $1 per identity, and up to $1,000 per identity for bank account details. Compare that to the $1,000 total offered for the return of the tapes to their owners…

Subaru Diesel Test Drive

Be still my heart. Subaru has created a turbo diesel boxer Legacy

Subaru finally has a diesel, and it’s the first boxer turbodiesel in a passenger car. Ever. The diesel option not only gives the company a real presence in Europe, but the engine’s excellent fuel economy, near an estimated 50 mpg on the highway, will make it easier to comply with the upcoming CAFE legislation.

YES! YES! YES! 258-lb-ft turbodiesel DOHC 16-valve flat-4 at 50mpg and AWD. Woohoo! Better yet, it meets the Euro4 emission standard with 148 g/km of CO2 thanks to technology enhancements like common rail, oxidation catalytic converters, particulate filters, and Exhaust Gas Recirculation.

Sadly, like most consumer technology these days, it will be introduced to the US at least two years after being sold in Europe and Asia. WTF?

I bought my diesel VW at a far lower cost than the gasoline variant. In fact, it used to be one of the cheapest engine options in the VW line; the dealers barely wanted to carry them on the lot. Now, given the clear performance and efficiency advantages of diesel in foreign markets, Americans are not only still waiting, but the story is that there might be a surcharge:

It would make perfect sense in the Forester, and perhaps the Impreza. However, when it comes to sales, the success of this engine in the U.S. is going to depend on the cost factor. Pricing hasn’t yet been announced, not even for European markets, but this engine option could add $2000 or more to the bottom line for America.

Why does this upside-down and backward situation not surprise me? Who loves the “market”? Come on America, stop pissing around with all the hydrogen mumbo-jumbo and let in the diesel revolution. What is gained by delaying this kind of innovation from reaching our shores? Car manufacturers should be given incentives to bring 50 mpg full-size, full-power automobiles to us.

Safety on Escalators and Crocs

This story should get filed under the “if only I had known” category:

At first, Rory’s mother had no idea what caused the boy’s foot to get caught. It was only later, when someone at the hospital remarked on Rory’s shoes, that she began to suspect the Crocs and did an Internet search.

“I came home and typed in ‘Croc’ and ‘escalator,’ and all these stories came up,” said Jodi McDermott, of Vienna, Va. “If I had known, those would never have been worn.”

Informed consent? Should we all be searching the Internet for safety information before a purchase, and can we trust the data that we find? These are deep questions that tug at the roots of compliance and safety regulations.

The first question that comes to my mind is whether Crocs should be held liable. Consider what comes from a “consumer rights” perspective:

“These injuries are horrendous,” reports Early Show ConsumerWatch Correspondent Susan Koeppen. “They look like shark bites. This is a six-ton piece of machinery and if your foot, your finger or something gets caught in there, we’re talking a serious, serious injury.”

Scary! What is being done about these six-ton sharks with giant metal teeth ready to tear pedestrian toes into ribbons? Nothing, apparently. Instead, consumer advocates are going after a soft-shoe manufacturer. Consumer Reports highlights the frequency of the risk as well as the target group. It seems the escalator monsters prefer children:

In Japan, where 3.9 million pairs of Crocs were sold last year, the Trade Ministry asked the Colorado-based maker of Crocs to change the design of its shoes after receiving 65 complaints of Crocs and Crocs knockoffs becoming stuck in escalators between June and November of 2007. Most of the cases involved young children.

Call me crazy, but what was the rate of other soft-shoe complaints on escalators over the same period? Perhaps the problem is that escalator designers assumed steel-toed safety boots for passengers, in the way that motorcycles now require helmets? Is a soft-shoe-friendly escalator too much to ask? What about a child-safe escalator design? Child-safety designs are exploding in every other area of the market these days, so should the blame for the dangers of six-ton monsters be laid at the feet of soft-shoe-wearing children?

In NY, the answer is yes. An attorney filed a USD$7 million (that’s about ten euros) lawsuit that claims the Croc manufacturer is misleading consumers:

“It’s not everyday footwear. It’s especially dangerous on escalators, and this is something (Crocs has) known about for quite some time,” Laskin said. “And they just don’t seem to be doing anything about it.”

[…]

“It’s somewhat ironic that kid after kid keeps getting the same kind of injury,” Laskin said. “And Crocs keeps on saying it’s a fluke.”

Again, I have to ask whether there is something clearly wrong with the escalators if they are maiming children…but I guess the shoe company makes a juicier or more colorful target? The EESF (Elevator Escalator Safety Foundation) was formed in 1991, long before Crocs, and claims it has “reached over 4 million children, parents and teachers since inception”. That tells me the Crocs situation is just a new chapter in a long-standing concern that really should be driving us towards better escalators. Maybe I’m just not seeing the Crocs threat properly, but here is an alternative approach that also saves energy: shut down any escalator that cannot pass a Crocs test.