Windshield washer fluid and privacy

I attended a panel discussion yesterday on identity management and privacy. One of the pundits made the observation, in a rather ostentatious manner, that he had been asked for his address when he tried to buy windshield washer fluid at a store. “Kragen shall remain nameless…they had no business reason for this information,” he thundered.

Unfortunately, this is the kind of uninformed position that is all too common in information security. People get their shorts up in a bunch about privacy, which is all fine and good, but then they seem to think that everything must be an invasion of their personal rights even though they do not take even the most basic step to confirm/review the risks in their entirety.

Call it the uninformed consumer, if you will, but this guy had all the hallmarks of an American cultural tradition of shoot first, ask questions later. Not the sort of thing I would have expected from a panel at RSA. In fact, the presenter said he was forced to exit the store without his washer fluid — the business was plain wrong and they lost his business. Good for him, but did he try to find out why a business might be forced by the authorities to treat windshield washer fluid as a controlled substance (as opposed to just a random opportunity for marketing data)?

Anyone familiar with engine tuning or meth lab investigations knows the market dynamics of windshield washer fluid (about 30% methanol), not to mention the market for the bottles themselves. Moreover, anyone familiar with the properties of methanol knows the environmental and health impact of its widespread use for illegal purposes.

This begs the question of how effective the control might be (e.g. compared to removing the methanol from the fluid, since even in normal/legal use it’s a toxic substance that is being sprayed into the air and all over the roads that people live on), but in this instance I just wanted to point out that a store is unlikely to let the employees know why they have to ask for the address/information, but at the same time the consumers might be happy to know that the police are trying to cut down on highly-toxic uses of meth in their neighborhood.

This reminds me of Cory Doctorow’s explosive reaction to an American Airlines screener (for now I’ll skip the more well-known example of the hunt for WMD). Profiling is a critical component of our everyday lives and people need to learn to seek and sufficiently understand an “other” perspective before they rush into action and demand reform/justice. There are few things more counterproductive in security than reacting to the symptoms and causing widespread outages. In fact, if more people just did a little bit of “root cause” analysis, we might find a more informed and democratic path of resolution for real and present dangers to their livelihood. This would actually help law enforcement by taking the burden of ad hoc policy creation away so they can get back to their proper focus on enforcement.

EFF sues AT&T over wiretap

I wonder if this case will go better than their others…

The Electronic Frontier Foundation (EFF), based in San Francisco, filed the suit against AT&T for giving the NSA direct access to its databases of communications records, including whom their customers had phoned or sent e-mail to in the past. The suit was filed Tuesday in the United States District Court of the Northern District of California. […] The EFF alleges that this behavior on the part of AT&T violates several federal laws, including the Electronic Communications Privacy Act (ECPA), he said. It also violates the first and fourth amendments, which protect U.S. citizens’ right to speak freely and not to be subject to unreasonable searches, Bankston said.

US surveillance to go deeper with ADVISE

The Christian Science Monitor reports that the US government is secretly developing a surveillance system called Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement (ADVISE):

The US government is developing a massive computer system that can collect huge amounts of data and, by linking far-flung information from blogs and e-mail to government records and intelligence reports, search for patterns of terrorist activity.

The article has a side-bar which says that, according to US Government auditors, SecureFlight held records on 43,000 people not accused of terrorism. This points directly at the very real threat of data-mining being used for nefarious non-security related purposes.

ADVISE is apparently meant to stitch together a vast array of data points in order to more accurately understand behavior and avoid false positives. However, an analytics expert from IBM had this to say about the current capabilities of such a system:

Techniques that “look at people’s behavior to predict terrorist intent,” he said, “are so far from reaching the level of accuracy that’s necessary that I see them as nothing but civil liberty infringement engines.”

BSOD at RSA

The exhibition floor reminds me of a county fair, bristling with prize cattle and pigs. I hate to say it, but I find myself wandering among the herds of vendor logo’d sales people and entertainers, munching from troughs of mediocre food, wondering if this is really the best way to find new/interesting products and make contacts.

BSOD at RSA

Perhaps the most odd thing of the evening was when I found a Blue Screen of Death prominently displayed on a vendor system, and realized I was the only person who seemed to realize that it was a bad thing. I thought about making a big deal of it, but then just decided to help the vendor understand the error and to get the system back up again.

Someone in a PGP shirt walked up to me and said “How does anyone make a decision here?”, to which I simply had to reply “Hmmm, let me think about that. I’m not sure, but it’s one of two ways.” He didn’t laugh.

An enigma

I had fun at the NSA booth where I typed out a message on an actual three-rotor German military Enigma from WWII. The keys are hard to press, but satisfying. Here is the result: QLKERMAKJDU. Pretty cool, eh?
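For readers who want to see what the machine at the booth was actually doing, here is a simulator for the three-rotor Wehrmacht Enigma I, added as an example and not part of the original post. It uses the historical wirings of rotors I, II and III and reflector B (with ring settings, start positions and an optional plugboard), and implements the rotor stepping including the middle rotor’s double step. The settings used on the booth machine are not known, so the result QLKERMAKJDU above cannot be reproduced here; the sample message and settings in the block are constructed for illustration.

```python
"""Three-rotor Enigma I simulator (rotors I-III, reflector B), added example."""
from string import ascii_uppercase as ALPHA

# Historical wirings of Enigma I rotors (wiring string, turnover notch letter).
ROTORS = {
    "I":   ("EKMFLGDQVZNTOWYHXUSPAIBRCJ", "Q"),
    "II":  ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"


class Rotor:
    def __init__(self, name, ring="A", position="A"):
        wiring, notch = ROTORS[name]
        self.fwd = [ALPHA.index(c) for c in wiring]          # right-to-left path
        self.inv = [self.fwd.index(i) for i in range(26)]    # left-to-right path
        self.notch = ALPHA.index(notch)
        self.ring = ALPHA.index(ring)
        self.pos = ALPHA.index(position)

    def at_notch(self):
        return self.pos == self.notch

    def step(self):
        self.pos = (self.pos + 1) % 26

    def _offset(self):
        # Rotation relative to the fixed entry wheel, corrected by the ring setting.
        return (self.pos - self.ring) % 26

    def forward(self, c):
        off = self._offset()
        return (self.fwd[(c + off) % 26] - off) % 26

    def backward(self, c):
        off = self._offset()
        return (self.inv[(c + off) % 26] - off) % 26


class Enigma:
    def __init__(self, rotors=("I", "II", "III"), rings="AAA",
                 positions="AAA", plugboard=""):
        self.left, self.middle, self.right = (
            Rotor(n, r, p) for n, r, p in zip(rotors, rings, positions))
        self.plug = list(range(26))
        for pair in plugboard.split():          # e.g. "AB CD" swaps A<->B and C<->D
            a, b = (ALPHA.index(x) for x in pair)
            self.plug[a], self.plug[b] = b, a
        self.refl = [ALPHA.index(c) for c in REFLECTOR_B]

    def _advance(self):
        # Rotors move before each key is encoded.  Double stepping: the middle
        # rotor steps when the right rotor sits at its notch, and also when the
        # middle rotor itself sits at its notch (carrying the left rotor with it).
        if self.middle.at_notch():
            self.middle.step()
            self.left.step()
        elif self.right.at_notch():
            self.middle.step()
        self.right.step()

    def _encode_char(self, ch):
        self._advance()
        c = self.plug[ALPHA.index(ch)]
        for r in (self.right, self.middle, self.left):
            c = r.forward(c)
        c = self.refl[c]                     # reflector: no letter maps to itself
        for r in (self.left, self.middle, self.right):
            c = r.backward(c)
        return ALPHA[self.plug[c]]

    def encode(self, text):
        """Encrypt or decrypt (the machine is reciprocal); non-letters are dropped."""
        return "".join(self._encode_char(ch) for ch in text.upper() if ch in ALPHA)


def roundtrip(message, **settings):
    """Encrypt with one machine and decrypt with an identically set second machine."""
    cipher = Enigma(**settings).encode(message)
    plain = Enigma(**settings).encode(cipher)
    return cipher, plain


if __name__ == "__main__":
    # Constructed sample: settings and message chosen for illustration only.
    ct, pt = roundtrip("ATTACK AT DAWN", positions="QLK", plugboard="AB CD")
    print(ct, pt)
```

Two properties worth checking with it: the machine is reciprocal (the same settings decrypt what they encrypted), and because of the reflector a letter never encrypts to itself, which is the weakness the Bletchley Park cribs exploited.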

I played some odd ping-pong ball drawing and won a lottery-ticket that won two dollars. I must have had a dour expression on my face during the process because the woman pulling the balls out said “you don’t seem very excited” to which I simply had to reply “oh, is it exciting to stand here and win other people’s money?” I guess I don’t believe in the “free” money concept.

Clearly I was missing something since I really just wanted to find the folks who could solve a few burning questions about encryption and key management for/with me, not play the lottery or place a bet on roulette, or throw bean-bags through a hole…sigh. Ten California rolls, three tiramisus, two kebabs, a slice of roast, some mozzarella balls, two salami slices, six egg-rolls, and a chocolate-covered strawberry later I finally connected with a real crypto-token vendor who gave me a demo and might actually be able to sell me some fobs (no software, no integration, no lottery tickets…).

I also discussed some anomaly and fraud detection software with the IBM engineers, but they kept saying “contact center” instead of “call center”, which started to give me the creeps, so I took one of their squishy brains and moved along. Microsoft said they could sell me software to integrate directories for just $25,000. I almost coughed up a cracker (with cheese) when they tossed that number out at me. Microsoft sells midrange software? They backpedaled a bit: “you probably have a reseller who could get it to you in the teens”. It started to sound like an IBM rep talking. Apparently the cough-up your food on the sales engineer technique is handy in negotiation. They were just lucky I wasn’t drinking wine.

All in all, some good contacts, a couple interesting new products, and a fine start to the week. I just wish I had paid more attention to math when I was young.

If thou art diligent and wise, O stranger, compute the number of cattle of the Sun, who once upon a time grazed on the fields of the Thrinacian isle of Sicily, divided into four herds of different colors, one milk white, another a glossy black, a third yellow and the last dappled. In each herd were bulls, mighty in number according to these proportions: Understand, stranger, that the white bulls were equal to a half and a third of the black together with the whole of the yellow, while the black were equal to the fourth part of the dappled and a fifth, together with, once more, the whole of the yellow. Observe further that the remaining bulls, the dappled, were equal to a sixth part of the white and a seventh, together with all of the yellow.

— Archimedes
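The part of the cattle problem quoted above (the bulls only) is a system of three linear equations in four unknowns, so its solutions form a one-parameter family and the puzzle asks for the smallest one in whole cattle. The following solver, added here as an example and not part of the original post, writes the three conditions over exact rationals with the yellow bulls fixed at 1, solves by Gaussian elimination, and then scales by the least common denominator to get the smallest integer herd. It covers only the bulls conditions quoted on this page, not the later conditions on the cows or the famous Pell-equation part of the full problem.

```python
"""Smallest integer solution to the bulls part of Archimedes' cattle problem."""
from fractions import Fraction as F
from math import lcm


def solve(matrix, rhs):
    """Gauss-Jordan elimination over exact rationals for a square system."""
    n = len(matrix)
    a = [[F(x) for x in row] + [F(b)] for row, b in zip(matrix, rhs)]
    for col in range(n):
        piv = next(r for r in range(col, n) if a[r][col] != 0)
        a[col], a[piv] = a[piv], a[col]
        pivot = a[col][col]
        a[col] = [x / pivot for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n] for row in a]


def cattle_bulls():
    """Return the smallest whole-number herd satisfying the three bull conditions.

    With Y (yellow) fixed to 1 the conditions read, in unknowns W, B, D:
        W - (1/2 + 1/3) B            = Y    white = half + third of black, plus yellow
            B        - (1/4 + 1/5) D = Y    black = fourth + fifth of dappled, plus yellow
       -(1/6 + 1/7) W            + D = Y    dappled = sixth + seventh of white, plus yellow
    """
    m = [
        [1, -(F(1, 2) + F(1, 3)), 0],
        [0, 1, -(F(1, 4) + F(1, 5))],
        [-(F(1, 6) + F(1, 7)), 0, 1],
    ]
    w, b, d = solve(m, [1, 1, 1])
    # Scale the rational solution by the least common denominator to reach integers.
    scale = lcm(w.denominator, b.denominator, d.denominator)
    return {"white": int(w * scale), "black": int(b * scale),
            "yellow": scale, "dappled": int(d * scale)}


def check(herd):
    """Verify the three conditions hold exactly for a candidate herd."""
    w, b, y, d = (F(herd[k]) for k in ("white", "black", "yellow", "dappled"))
    return (w == (F(1, 2) + F(1, 3)) * b + y
            and b == (F(1, 4) + F(1, 5)) * d + y
            and d == (F(1, 6) + F(1, 7)) * w + y)


if __name__ == "__main__":
    herd = cattle_bulls()
    print(herd, check(herd))
```

The same elimination routine works unchanged if the four cow conditions of the full problem are appended, which is how the linear half of the puzzle is normally dispatched before the much harder square-and-triangular-number constraints.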