Re: [funsec] Colorado Supreme Court: Using a Stolen Social Security Number is Not Identity Theft
> Here’s an amazing fact: some individual Social Security numbers are in use right now by up to 3,000 people and it isn’t at all unusual for a borrowed number to be used by 200-1,000 people at the same time . . .

Well, that turned out a more nuanced answer than I expected. SSNs are nonrandom, but unique. Interestingly, that means, given a working SSN, all the numbers nearby are working SSNs as well. In fact, technically, a random sequence of digits is 50% likely to be a working SSN, actually of somebody born approximately at the same time and place as the first one. This argues fairly strongly that the number alone isn't an identity, and that the (number, name) pair is. In fact, that seems to be how businesses are setting up their databases. Thus making the ruling... right.

___ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Re: [funsec] Colorado Supreme Court: Using a Stolen Social Security Number is Not Identity Theft
On Fri, Nov 19, 2010 at 7:27 AM, Dan Kaminsky d...@doxpara.com wrote:

> > Here’s an amazing fact: some individual Social Security numbers are in use right now by up to 3,000 people and it isn’t at all unusual for a borrowed number to be used by 200-1,000 people at the same time . . .
>
> Well, that turned out a more nuanced answer than I expected. SSNs are nonrandom, but unique.

When I think of SSNs, it reminds me of SSL, and SSL's attempts at making the IV secure. An SSN turns out to be roughly equivalent to SSL v3 (some hand waving):

> This field [the IV] is first initialized by the SSL handshake protocol. Thereafter the final ciphertext block from each record is preserved for use with the following record.

Unique, but not random.

> Interestingly, that means, given a working SSN, all the numbers nearby are working SSNs as well. In fact, technically, a random sequence of digits is 50% likely to be a working SSN, actually of somebody born approximately at the same time and place as the first one. This argues fairly strongly that the number alone isn't an identity, and that the (number, name) pair is. In fact, that seems to be how businesses are setting up their databases. Thus making the ruling... right.

As with SSL v3, it's still not quite right.
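The SSL v3 record-layer behaviour quoted in the reply above (next IV = last ciphertext block of the previous record) is exactly the "unique, but not random" property that makes a chosen-plaintext guess check possible; the BEAST attack against TLS 1.0 later exploited it. The following is an added example written for this thread, not code from any of the posters. Assumptions: the block function is a stand-in keyed PRF built from SHA-256 rather than a real cipher (showing the IV problem only needs a deterministic, key-dependent block map), and the record contents and candidate passwords are constructed sample data.

```python
"""Chained-IV CBC (SSL 3.0 / TLS 1.0 record layer style) versus a fresh
random IV per record.

Added example for this thread, not code from the original posts. The block
function is a stand-in keyed PRF built from SHA-256 (assumption: showing the
IV problem only needs a deterministic, key-dependent block map, not a real
cipher). Record plaintexts and candidate passwords are constructed samples.
"""
import hashlib
import os

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k(block): deterministic and key-dependent, 16 bytes out."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C_i = E_k(P_i XOR C_{i-1}), with C_0 = iv."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedIVRecordLayer:
    """SSL 3.0 style: the IV for record n+1 is the last ciphertext block of
    record n, which anyone watching the wire can read."""

    def __init__(self, key: bytes, handshake_iv: bytes):
        self.key, self.iv = key, handshake_iv

    def send(self, plaintext: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.iv, plaintext)
        self.iv = ct[-BLOCK:]
        return ct


class RandomIVRecordLayer:
    """TLS 1.1+ style: a fresh random IV per record, sent explicitly."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, plaintext: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)


def guess_secret_chained(secret: bytes, candidates) -> list:
    """Attacker who sees the wire and can inject chosen-plaintext records
    verifies guesses for a secret block.

    Target block C_t = E_k(secret XOR IV_t). Because the next IV is C_t itself,
    sending probe = guess XOR IV_t XOR C_t yields E_k(guess XOR IV_t), which
    equals C_t exactly when guess == secret."""
    assert len(secret) == BLOCK
    victim = ChainedIVRecordLayer(os.urandom(16), os.urandom(BLOCK))
    first = victim.send(b"GET /login HTTP/")      # constructed 16-byte record
    iv_t = first[-BLOCK:]                          # IV of the next record, public
    c_t = victim.send(secret)                      # the secret record
    next_iv = c_t[-BLOCK:]                         # also public: last block of c_t
    hits = []
    for guess in candidates:
        probe = xor(xor(guess, iv_t), next_iv)
        ct = victim.send(probe)                    # attacker-injected record
        if ct == c_t:
            hits.append(guess)
        next_iv = ct[-BLOCK:]
    return hits


def guess_secret_random_iv(secret: bytes, candidates) -> list:
    """Same probing strategy against per-record random IVs: the attacker has
    to assume a next IV (here, the SSL 3.0 chaining rule) and is always wrong."""
    assert len(secret) == BLOCK
    victim = RandomIVRecordLayer(os.urandom(16))
    rec = victim.send(secret)
    iv_t, c_t = rec[:BLOCK], rec[BLOCK:]
    hits = []
    for guess in candidates:
        probe = xor(xor(guess, iv_t), c_t)         # assumes next IV == c_t
        if victim.send(probe)[BLOCK:] == c_t:
            hits.append(guess)
    return hits


if __name__ == "__main__":
    cands = [b"password=letmein", b"password=hunter2", b"password=qwerty1"]
    print(guess_secret_chained(b"password=hunter2", cands))    # [b'password=hunter2']
    print(guess_secret_random_iv(b"password=hunter2", cands))  # []
```

The chained layer leaks one bit per injected record ("was my guess right?"), which is enough to confirm a short secret block by enumeration; the random-IV layer gives the attacker no way to cancel the unknown IV, so the same probes never match. Uniqueness of the IV is not the property that matters; unpredictability to the attacker is.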
[funsec] Academic Cyberbully Is Sentenced to Jail in Dead Sea Scrolls Case
http://chronicle.com/blogs/wiredcampus/academic-cyberbully-sentenced-to-jail-in-dead-sea-scrolls-case/28269 The Dead Sea Scrolls cyberbully is being sent to jail. A judge in New York State’s main trial court sentenced Raphael Golb, a lawyer, to six months in prison for using false online identities to harass and discredit academics in a debate over the origin of the Dead Sea Scrolls, the Associated Press reported. ... Update: Raphael Golb has been granted bail and will be released from prison tomorrow, pending the outcome of his appeal.
[funsec] China would *never* do that ...
A U.S. report to Congress that suggests there is Chinese state support for internet network hacking activities is full of Cold War thinking and political bias, China's Foreign Ministry said Friday. http://www.cbc.ca/technology/story/2010/11/19/china-hacking-.html (You will notice they never said it wasn't true ...) == (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org *Microsoft* is going to write the software that spies on me? I feel better already. - John D. Goulden victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://www.infosecbc.org/links http://twitter.com/rslade
[funsec] Feeling sheepish at the airport?
http://tumblr.com/xu8qnwow2 == (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org The Tao of network protocols: If all you see is IP, you see nothing. - Greg Minshall victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://www.infosecbc.org/links http://twitter.com/rslade
Re: [funsec] China would *never* do that ...
On Fri, Nov 19, 2010 at 10:24 AM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:

> A U.S. report to Congress that suggests there is Chinese state support for internet network hacking activities is full of Cold War thinking and political bias, China's Foreign Ministry said Friday.
>
> http://www.cbc.ca/technology/story/2010/11/19/china-hacking-.html

For a more balanced perspective, please read:

http://www.renesys.com/blog/2010/11/chinas-18-minute-mystery.shtml
http://asert.arbornetworks.com/2010/11/china-hijacks-15-of-internet-traffic/

FYI,

- ferg

-- 
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
[funsec] Collection of TSA groping URLs from Schneier
http://www.schneier.com/blog/archives/2010/11/tsa_backscatter.html == (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org Why should I care about posterity? What's posterity ever done for me? - Groucho Marx victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://www.infosecbc.org/links http://twitter.com/rslade
Re: [funsec] China would *never* do that ...
Imagine you're the Chinese. They think we can pull that off? This could be useful...

Of course misconfiguring your router is not hard to do. About 6 years ago a Turkish ISP tried (accidentally I'm sure) to jack the entire Internet this way. (http://www.renesys.com/blog/2005/12/internetwide-nearcatastrophela.shtml)

But if you're expecting to take advantage of the rerouting in order to co-opt a network it's a lot harder, and I can't imagine you could pull it off in 18 minutes. Assuming the traffic wasn't encrypted, in which case you're probably screwed, you'd need substantial information on the workings of the network and it would all have to be set up correctly from the get-go or it would be obvious that something was wrong.

(me on all this: http://blogs.pcmag.com/securitywatch/2010/11/did_china_hijack_the_internet.php)

LJS

-----Original Message-----
From: funsec-boun...@linuxbox.org [mailto:funsec-boun...@linuxbox.org] On Behalf Of Rob, grandpa of Ryan, Trevor, Devon Hannah
Sent: Friday, November 19, 2010 1:25 PM
To: funsec@linuxbox.org
Subject: [funsec] China would *never* do that ...

> A U.S. report to Congress that suggests there is Chinese state support for internet network hacking activities is full of Cold War thinking and political bias, China's Foreign Ministry said Friday.
>
> http://www.cbc.ca/technology/story/2010/11/19/china-hacking-.html
>
> (You will notice they never said it wasn't true ...)
[funsec] Anybody in Minneapolis?
Up for coffee week of Nov. 28-Dec.4? (And, yes I *did* just ask about Milwaukee. Two seminars, back to back.) == (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org As the length of the thread increases, the chances of someone making a pointless and completely off-the-wall comment (purely in the hope of having his/her/its name in the mailing list) approaches one. - rms, named Markwin's Law by MW, 20100615 victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://www.infosecbc.org/links http://twitter.com/rslade
[funsec] From the folks who brought you the TSA: infosec directives
Tech firms, meet your new cybersecurity boss: DHS http://bit.ly/b77nNH+ http://news.cnet.com/8301-13578_3-20023464-38.html Politicians are proposing a novel approach to cybersecurity: fine technology companies $100,000 a day unless they comply with directives imposed by the U.S. Department of Homeland Security. == (quote inserted randomly by Pegasus Mailer) rsl...@vcn.bc.ca sl...@victoria.tc.ca rsl...@computercrime.org Take my advice. I'm not using it. victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html http://blogs.securiteam.com/index.php/archives/author/p1/ http://www.infosecbc.org/links http://twitter.com/rslade
Re: [funsec] From the folks who brought you the TSA: infosec directives
Right. Like that's going to happen in a million years.

- ferg

On Fri, Nov 19, 2010 at 6:49 PM, Rob, grandpa of Ryan, Trevor, Devon Hannah rmsl...@shaw.ca wrote:

> Tech firms, meet your new cybersecurity boss: DHS
> http://bit.ly/b77nNH+
> http://news.cnet.com/8301-13578_3-20023464-38.html
>
> Politicians are proposing a novel approach to cybersecurity: fine technology companies $100,000 a day unless they comply with directives imposed by the U.S. Department of Homeland Security.

-- 
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/