If you tell enough stories, perhaps the moral will show up.


Spam Counter - 2009 May: 1358

That's bad.

I'm seeing Acai Berry among other approaches to the size of my waist and a renewed emphasis on the size and stiffness of my male member. There are fewer fake watches -- the SS Submariner -- and a very few swine flu.


Obvious Really

I'm not interested in concealing my identity, exactly, but I don't put my real name on these because any security writing that uses real-life examples will sometimes be about Fail, even if it's Fail rectified, and who wants to go public about their own employer's Fail?

Even so, I've always been circumspect about what I say because I've felt that the intersection of the things I talk about -- Kent, Finance, Computer Security, Old man -- is going to be a pretty sparse set. Anyone who cares could find out who I am.

So it's interesting to see Schneier blogging about some research from PARC. Apparently the end-points of a regular commute are sufficient to identify a huge proportion of people. Pretty much all that's required is that the granularity is fine enough for people to be working in a different zip, county or whatever from the one they live in.

I'll be more careful in future. I have a plan.

Classic Fail

Went to pick up my printout from the printer and there it was: the biggest secret in the firm, and one from which I am firmly excluded. Ninety colour pages which someone had collected, collated and left prominently displayed to be picked up.

A few minutes in the event log of the print server gave the answer -- the same document printed twice in succession: the signature of a user losing track of what they've done. He's back on track now.

The report had been out on display for thirty minutes when I found it. I imagine the person who tidied it up will be one of the three people who used that printer between me and the inadvertent leak. But who else saw it is much harder to tell.
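As an added illustration, not part of the original post: the check that pulls the "same document, same user, twice in succession" signature out of a print server log, plus the follow-up question of who else used that printer during the exposure window. Python; the log line format, user names, document names and printer name are constructed for the example and are not any real print server's native format.

```python
"""Spot resubmitted print jobs (the same user sending the same document
twice within a short window) and list who else used the printer while the
first copy was sitting in the output tray.

Added example, not the blog's own code. Log format is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the first two lines are the "lost track, sent it
# again" pattern; bob's two jobs are hours apart and should not be flagged.
SAMPLE_LOG = """\
2009-05-12 09:02:11 user=alice doc="Q2 board pack.pdf" pages=90 printer=FLOOR3-COLOUR
2009-05-12 09:04:53 user=alice doc="Q2 board pack.pdf" pages=90 printer=FLOOR3-COLOUR
2009-05-12 09:10:02 user=bob doc="expenses.xls" pages=2 printer=FLOOR3-COLOUR
2009-05-12 09:31:40 user=carol doc="memo.doc" pages=1 printer=FLOOR3-COLOUR
2009-05-12 13:15:00 user=bob doc="expenses.xls" pages=2 printer=FLOOR3-COLOUR
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user=(?P<user>\S+) '
    r'doc="(?P<doc>[^"]*)" pages=(?P<pages>\d+) printer=(?P<printer>\S+)$'
)


def parse_log(text):
    """Turn the constructed log format into a time-ordered list of job dicts."""
    jobs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        jobs.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "doc": m["doc"],
            "pages": int(m["pages"]),
            "printer": m["printer"],
        })
    return sorted(jobs, key=lambda j: j["ts"])


def find_resubmissions(jobs, window=timedelta(minutes=15)):
    """Consecutive jobs with the same user, document and printer inside the window."""
    by_key = defaultdict(list)
    for j in jobs:
        by_key[(j["user"], j["doc"], j["printer"])].append(j)
    hits = []
    for (user, doc, printer), runs in by_key.items():
        for first, second in zip(runs, runs[1:]):
            if second["ts"] - first["ts"] <= window:
                hits.append({"user": user, "doc": doc, "printer": printer,
                             "pages": first["pages"],
                             "first": first["ts"], "second": second["ts"]})
    return hits


def users_on_printer(jobs, printer, start, end):
    """Everyone who collected output from that printer after `start` up to `end`."""
    return sorted({j["user"] for j in jobs
                   if j["printer"] == printer and start < j["ts"] <= end})


if __name__ == "__main__":
    jobs = parse_log(SAMPLE_LOG)
    for hit in find_resubmissions(jobs):
        print(f'{hit["user"]} printed "{hit["doc"]}" ({hit["pages"]} pages) twice: '
              f'{hit["first"]:%H:%M:%S} and {hit["second"]:%H:%M:%S}')
        exposed_until = hit["second"] + timedelta(minutes=30)
        print("  also used that printer:",
              users_on_printer(jobs, hit["printer"], hit["second"], exposed_until))
```

The window is the only tuning knob: a genuine reprint of a one-page memo ten minutes later looks the same, so in practice the page count is what decides whether the hit is worth chasing.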


Contactpoint Security Misses the Point

ContactPoint, the government list of children, is live today in test areas. When it's complete, it will hold contact details for every child in the UK, with a NIN and a list of the agencies dealing with the subject.

The rights and wrongs of this are one thing, but there's a gap at the heart of the published security policy (pdf) -- they've left one point out, and it's the hard part that makes the rest work.

They're proud of the access control -- it'll be two-factor and the web access won't work from just anywhere (I hope it'll be limited to registered IP addresses). Users will need to be in a role that requires access and have passed CRB checks.

But it fails: it misses the point. Apparently the designers expect there will be three hundred thousand users across the NHS, education authorities, LA social work departments, the police, courts and probation service. It seems on the low side, but just that number gives us around a thousand retirements a month. Add in all the role changes where users no longer need the access, or change employer or reporting line enough to change the origin of their entitlement, and I call that around five thousand leaver events a month.

No doubt ContactPoint has the staff to do it, but however will they hear about the leavers? We have enough difficulty finding the leavers in a few hundred users, and we have access to the payroll. It looks as though ContactPoint is going to be dependent on users or managers volunteering that they no longer need the access. With all the good will in the world -- and social work departments are often replete with ill-will -- that's never going to be anyone's top priority.

I'm not surprised they left it out. I wonder when it's going to bite.
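Added here as an illustration, not anything from the post or from ContactPoint: the reconciliation that finds leavers without waiting for anyone to volunteer them. It joins the service's own account register (the role and employer that justified each grant, plus last login) against a payroll extract from the employing bodies, and reports each account whose entitlement no longer holds. Python; the roles, user ids, employers and both CSV feeds are constructed for the example.

```python
"""Leaver reconciliation: compare the access register against today's payroll
feed and name every account whose basis for access has gone away.

Added example, not the blog's or ContactPoint's code. All data is constructed.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Roles whose holders are entitled to access at all (constructed set).
ENTITLED_ROLES = {"social_worker", "school_nurse", "probation_officer"}

# Constructed: the service's account register, recording the role and employer
# that justified each grant and the last successful login.
ACCOUNTS_CSV = """\
user_id,role_at_grant,employer_at_grant,last_login
u001,social_worker,Kent LA,2009-05-20
u002,social_worker,Kent LA,2009-05-18
u003,school_nurse,NHS Trust A,2009-01-03
u004,probation_officer,Probation Service,2009-05-21
u005,social_worker,Kent LA,2009-05-19
"""

# Constructed: today's HR/payroll extract from the employing bodies.
# u004 is absent entirely: left, and nobody told the service.
PAYROLL_CSV = """\
user_id,employer,role
u001,Kent LA,social_worker
u002,Kent LA,team_admin
u003,NHS Trust A,school_nurse
u005,Medway LA,social_worker
"""


def load_rows(text, key="user_id"):
    """CSV text -> {user_id: row dict}."""
    return {row[key]: row for row in csv.DictReader(StringIO(text))}


def find_leaver_events(accounts_csv, payroll_csv, today,
                       stale_after=timedelta(days=90)):
    """Return {user_id: reason} for every account that should be reviewed.

    Checks run in order of certainty: gone from payroll, moved employer,
    changed role (or into a role that carries no entitlement), then simply
    unused for longer than `stale_after`.
    """
    accounts = load_rows(accounts_csv)
    payroll = load_rows(payroll_csv)
    events = {}
    for uid, acct in accounts.items():
        current = payroll.get(uid)
        if current is None:
            events[uid] = "left"
        elif current["employer"] != acct["employer_at_grant"]:
            events[uid] = "employer_changed"
        elif (current["role"] != acct["role_at_grant"]
              or current["role"] not in ENTITLED_ROLES):
            events[uid] = "role_changed"
        else:
            last_login = date.fromisoformat(acct["last_login"])
            if today - last_login > stale_after:
                events[uid] = "stale"
    return events


def count_by_reason(events):
    """Monthly-report style summary: how many of each kind of leaver event."""
    counts = {}
    for reason in events.values():
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_leaver_events(ACCOUNTS_CSV, PAYROLL_CSV, date(2009, 5, 31))
    for uid, reason in sorted(found.items()):
        print(f"{uid}: {reason}")
    print(count_by_reason(found))
```

The stale-login check is the fallback for the employers whose payroll feed you never manage to get: it catches nothing promptly, but it bounds how long an orphaned account survives.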


Password-Stealing Spam

Big current spam trick: The stolen webmail account.

Hotmail etc. make it hard to register accounts for spamming, so a lot of mail out of their relays isn't spam. And that means that spam detectors mod up mail coming through those gateways -- if it's truly from Hotmail, it's much less likely to be spam. So we're seeing a resurgence -- it feels like 1998 -- of spam from public webmail services. Examined, it turns out:

  • To be from a real MSN/Hotmail/Yahoo account (they're not just spoofing addresses -- that wouldn't work)
  • To be pushing Chinese electrical goods (if it was stiffy lollies, the language would push the spam balance back to "block")
  • To be sent from Chinese IP addresses. Whether it's .fr, .co.uk or whatever, it's all pirated from China.

I wrote about this, from the other side, last year. But this is more sophisticated, going to big lists, not just address books.

Just another penalty of being spywared.
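An added example of the scoring the post describes, not code from the post: a genuine webmail relay pulls the score down (the "mod up"), but a client IP in a country the account's own address doesn't suggest, bulk recipients and an electrical-goods pitch push it back over the line. Python; it assumes the client address is available in an X-Originating-IP header as the webmail services of the time added, and the prefix-to-country table, product word list, webmail domain list, weights and sample messages are all constructed for the example rather than taken from any real filter.

```python
"""Score webmail-originated mail: trust the relay, but not the account.

Added example, not the blog's code. Lookup tables and samples are constructed.
"""
import ipaddress
import re

# Constructed stand-in for a GeoIP database (documentation prefixes only).
PREFIX_COUNTRY = {
    "203.0.113.0/24": "CN",
    "198.51.100.0/24": "FR",
    "192.0.2.0/24": "GB",
}
# Country an address implies from its domain's TLD; .com implies nothing.
TLD_COUNTRY = {"co.uk": "GB", "fr": "FR", "de": "DE"}
WEBMAIL_DOMAINS = {"hotmail.com", "hotmail.fr", "hotmail.co.uk", "msn.com",
                   "yahoo.com", "yahoo.co.uk"}
# Constructed lexicon for the electrical-goods pitch the post describes.
PRODUCT_WORDS = ("wholesale", "lcd", "laptop", "factory price", "electronics")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")
BLOCK_THRESHOLD = 2.0


def parse_headers(raw):
    """Minimal 'Name: value' header parser; no folding, no MIME."""
    hdrs = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs


def country_of(ip):
    """Country for an IP, or None if it is outside the constructed table."""
    addr = ipaddress.ip_address(ip.strip("[] "))
    for prefix, cc in PREFIX_COUNTRY.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None


def expected_country(address):
    """Country the sender address implies, or None for .com and friends."""
    domain = address.rsplit("@", 1)[-1].lower()
    for tld, cc in sorted(TLD_COUNTRY.items(), key=lambda kv: -len(kv[0])):
        if domain.endswith("." + tld):
            return cc
    return None


def score_message(raw, relay_is_genuine_webmail):
    """Return score, verdict and the individual signals that produced them.

    `relay_is_genuine_webmail` is the result of checking the connecting relay
    against the provider's published servers, done outside this function.
    """
    h = parse_headers(raw)
    signals = []
    m = ADDR_RE.search(h.get("from", ""))
    sender = m.group(0) if m else ""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in WEBMAIL_DOMAINS:
        if relay_is_genuine_webmail:
            signals.append(("genuine_webmail_relay", -2.0))   # the "mod up"
        else:
            signals.append(("webmail_address_spoofed", 2.0))  # not via their relay
    origin = h.get("x-originating-ip")
    if origin and sender:
        got, want = country_of(origin), expected_country(sender)
        if got and want and got != want:
            signals.append((f"origin_{got}_vs_address_{want}", 3.0))
    if len(ADDR_RE.findall(h.get("to", ""))) >= 10:
        signals.append(("bulk_recipients", 1.5))
    hits = sum(1 for w in PRODUCT_WORDS if w in h.get("subject", "").lower())
    if hits:
        signals.append((f"product_words_{min(hits, 2)}", float(min(hits, 2))))
    score = sum(weight for _, weight in signals)
    return {"score": score,
            "verdict": "block" if score >= BLOCK_THRESHOLD else "deliver",
            "signals": signals}


# Constructed samples: a stolen French account used from a Chinese client,
# an ordinary message from a UK account, and a plain address spoof.
STOLEN_ACCOUNT = f"""\
From: Pierre <pierre@hotmail.fr>
To: {", ".join(f"r{i}@example.net" for i in range(25))}
X-Originating-IP: [203.0.113.7]
Subject: Wholesale LCD TV and laptop, factory price
"""
LEGIT = """\
From: Alice <alice@hotmail.co.uk>
To: bob@example.net
X-Originating-IP: [192.0.2.10]
Subject: Lunch on Friday?
"""
SPOOFED = """\
From: bob@hotmail.com
To: carol@example.net
Subject: Cheap laptop wholesale
"""

if __name__ == "__main__":
    for name, raw, genuine in (("stolen", STOLEN_ACCOUNT, True),
                               ("legit", LEGIT, True),
                               ("spoofed", SPOOFED, False)):
        print(name, score_message(raw, genuine))
```

The country mismatch carries the most weight because it is the one signal the spammer cannot cheaply remove: the relay really is Hotmail's and the account really is the victim's, but the login came from somewhere the victim never is.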