Thursday, October 16, 2008

Encryption Keys Please

Now, in the UK, you must surrender the encryption keys to any encrypted data you have on your hard drive, and somebody has already surrendered theirs to the authorities.

Why these jokers didn't just say "I forgot", I will never know.

I mean, how hard is it to NOT incriminate yourself? Say you forgot. Just like every other government official does after losing a laptop full of Witness Protection persons or intelligence officers, etc.

They can't compel you to recall something you don't remember.
Simply say, "I am sorry, I can't remember: my memory is a bit hazy from all the manhandling the cops did, your honor." What's the worst? Gitmo? I don't think so (although Britain has a track record of rendering suspects to the US).

At a time when the courts and the government make a combined assault on our privacy and rights, while being more secretive themselves, it is up to us to protect ourselves. Call me paranoid, but I am the Burt Gummer type.

The Government has NO right to force me to divulge my own secrets, just as I can't force a government of the people, by the people and for the people to divulge its dirty secrets. I can't be transparent when the Government wants to be opaque.

After all, it has been proven time and time again that the Government cannot be trusted even with the most basic secrets. What is the criminal penalty for the jokers who lost various laptops holding government secrets and OUR data? NONE.


What is the financial and criminal penalty the Government will pay if it causes me harm by leaking my secrets? NONE.

Until the Government pays for its mistakes (and heavily), I am not going to divulge anything more to it. After all, the Government doesn't consider me trustworthy enough to know its secrets, so why should I trust the Government?

Ben Franklin, Hamilton and Mark Twain were absolutely right: you CANNOT and SHOULD NOT trust the government if it doesn't trust you.

You can take my keys from my cold dead hands.

Wednesday, July 23, 2008

The name of the FICO game.

The FICO score is intimately tied to a person's Social Security Number, their name and their date of birth; those three key pieces of information are the cornerstone of a person's modern-day ID. To the new breed of criminal, ID theft is the new and easier way to rob banks without all that mucking about with guns, strong-arm tactics and the traditional shouting of "get on the floor, this is a robbery" and such.

The system is clearly flawed, since, no doubt, too much emphasis is placed on a person's Social Security Number, and the FICO score is intimately attached to everything a Social Security Number is attached to.
Once this critical piece of information is obtained by an ID thief it is effectively compromised, and it leaves a permanent opening to a plethora of opportunistic attack vectors for an ID thief to take advantage of.

The counter-tactics used by the banks are weak, since they involve asking for some detailed information about a person's past addresses, car loans and who the loans were with, etc., which a savvy ID thief is already aware of.
So what IS a person "to do" about this dilemma and still live like a "normal" modern person? Well, in short, you have to redefine, or at least modify, the methods by which you identify yourself to the world. This is hard to accomplish, as most of the damage is already done if the identity has "in fact" been stolen. Many such identities have already been compromised and are already in an ID thief's virtual Rolodex: students, the military, medical patients, and much more. These people unwittingly have their dossiers at many an ID thief's fingertips, and in the vast majority of cases the thief is given a 30-day head start, a typical billing cycle, to apply for credit cards, loans, etc. before the victim is even aware of the transgression.

The onus is on the actual owner of that ID to be vigilant and to inspect and monitor his/her data.
It literally took an act of Congress to even allow the owner of a FICO score to peek at his/her score, just to get one's bearings on where he/she stands on this arbitrary scale of creditworthiness. But to make matters worse, independent commercial entities have unrestricted access to check and pre-select people to send junk mail to. By default everybody is opted in, unless they register with a do-not-call list and purposely elect to opt out. New "services" have arisen in recent years to monitor and better inspect who has access to your FICO score and, subsequently, the cursory personal data held in the databases of the credit trinity (Transunion, Experian, Equifax).

They are basically yet another 3rd party that will require you to submit all your personal information to them in order to put a fraud alert on that personal data (forcing everybody to first call the person and obtain his/her personal authorization before probing this very sensitive data). Any citizen, of course, could do this on his/her own, but many are intimidated to do so, mostly because of the relative obscurity of these private databanks and the typical difficulty private citizens have in reviewing their own data within them.
This is truly a sad state of affairs in regard to the credit game: private citizens, if they want to deal on any level with obtaining credit, a loan or purchasing a car, are forced in some manner to deal with this hypocrisy. The Patriot Act, and society's lean toward forcing its citizens to surrender this data to 3rd parties, will make protecting their data a more complex feature of modern life.

Thursday, June 5, 2008

Fuck You Wamu

Wamu has the shittiest customer service department. I just got word from a customer who is trying to build up his credit and opted for one of their secured credit cards from Providian.

Now, the subject has had a few run-ins with the credit trap and wanted to build up his credit. He got one...count them, one card, for which he had to pay $300 into a savings account to secure the "loan" and play the credit game all over again.

His score started at 519, then went to 535 the next month, then to 555 the month after, and then it dropped to 508. This shocked the hell out of him, and he immediately checked his score (with Transunion, Experian and Equifax) to make sure that all was on the level.

Well, he got his FICO score and to his relief it was 565; it was going up as would be expected. But Wamu had recorded it as 508. He sent a message explaining the discrepancy. Wamu wrote back asking him to prove their error, which he did, faxing AND mailing the documents they requested.

When he was finally able to talk with one of their customer service reps, he was told that the score reflected was based on a bank card enhanced FICO score and not the conventional FICO score consumers are privy to. He was able to get a correspondence from Transunion (not a trivial feat in the least), who told him that the score that was delivered was the only score they had.

So, angry, he called Wamu on this and they insisted that the information about the bank card enhanced FICO score was correct and that he was incorrect.

When he asked for more information about this bank card enhanced FICO score, and for a link online or at least a phone number where he could verify this information, Wamu just gave him the cold shoulder, told him that they did not have to provide their sources to him, and adamantly refused to do so.

For two weeks he went back and forth with the Wamu customer service representatives and ultimately wasted his time and energy just trying to get a straight and forthright answer concerning this bank card enhanced FICO score.

Well, I was able to shed some light on the subject of the elusive bank card enhanced FICO score. It does in fact exist. My research suggests that it is a new type of score, similar to, but not quite like, the conventional FICO score a consumer would be aware of. Further investigation revealed that Transunion and Providian have collaborated to issue this bank card enhanced FICO score to Wamu, to be reflected on the online credit card reports that are available to their customers.

Well, he was livid that the customer service department just didn't tell him the details that he directly asked for. It got him so angry and riled up that he started to talk to lawyers who knew less about the subject than he did (but charged him just the same).

My advice to him was very simple: swallow your pride, pay the balance down to $0 and sit on it for a month or so. Then check your FICO (and the bank card enhanced FICO score), give Wamu the finger and take you and your money elsewhere.

To anybody else in a similar situation, check out this link and this link.

Commentary

Wamu is clearly in the wrong for putting my associate on a wild goose chase, when they could have just come clean and shown him the details of the mysterious bank card enhanced FICO score. But they did not; in fact, they deliberately refused to help him understand anything about the bank card enhanced FICO score versus the conventional consumer FICO.

Banks are just making enemies of their customers by doing this, but they really don't seem to care. With the state of the economy and the sensitivity around credit and credit reporting, they should have been more empathetic to their customer. They get a wag of the finger and free coverage of their customer service shenanigans.

Wednesday, April 16, 2008

The living ID (who are you?)

We are living in a time of changes. A time when information, or to be very specific, particular information, will be the new currency of the underworld. Databases of personal data sit on simple machines that are too stupid to configure themselves, leaving the job to us, who are just too lazy, and giving job opportunities to black-hat merchants.

Many universities have already been hit and compromised: the social security numbers, their corresponding names and most likely driver's license data or car registration.


Talk about the cost of an education. I cannot even say for sure whether my own SSN was somewhere in that loop. In the school system, in the world system. It is now the Achilles' heel of identifying citizens.

Our world will no doubt run the gamut of attempts to find the "perfect" way to ID you, only to find that the best was always the first solution.


From passwords to biometrics to...passwords, again?

Why passwords? Well, for several reasons. First being that I am scared as hell of letting just *any* monkey handle my DNA information. In the game of life, fuck it if somebody knows my fucking social security number; if there is a problem with ID theft using just the ancillary information about a particular entity, just re-assign a new social security number, with NO ATTACHMENTS, to the original identity: hit the reset button, no harm no foul.


But make DNA or anything biometric the standard, and if something is compromised from your person, like a few strands of hair for DNA or lifted fingerprints, and there is a decent lab nearby, then presto: a new ID that cannot be...disputed?


At least passwords are in your head, and if yours is not too alphabetical, has some numbers and/or symbols thrown in for fun, is at least 6 characters, and you make it a mnemonic you will never forget and never tell a soul (yes, I said everyone), then, assuming reality is on an even keel with you, your ID should be safe...at least until quantum computers make the scene.

Sunday, March 23, 2008

Electric Safe Cracking 101

This was an image snap of an NKL INTELLISAFE; this is a Google search of the product. Bypassing it can come in two ways: a real brute-force attack on the physical safe itself and/or controlling the digital interface to the device.

Bypassing the device electronically is probably the most uber; if you have to cut it with a physical blowtorch or laser cutter it may take more time than if you can seize control of the digital interface to the safe.

Here is a link to the details of the NKL AuditLok XLV. Could be a phun blackhat project.

Sunday, February 24, 2008

Criminals Attacking Myspace, Facebook via IE attack plug-ins

We all know the new method of black-hat attack is to attack the operating system the majority of users run, and like it or not Microsoft is a victim of its own success, by being the most popular "user friendly" operating system. It is the system most targeted for compromise by the professional...and not so professional blackhats.

Let's face it, IE is a blackhat's dream: a browser where just visiting a web site can compromise the host system and gain root (or administrator) access. I have several virtual partitions for all the different versions of Windows: one each for Windows 95, 98, 2000, NT, XP, Vista. Only 2 operating systems, Linux and Mac OS X (BSD), escape this.

This slashdot.org story tells more.

Friday, February 22, 2008

Cell Phone Encryption Exploit

Here is another exploit, for cell phones, direct from slashdot.org. Of course, encryption is only one of the methods of security. The details seem to be a re-discovery of prior methods of bypassing encryption, but you be the judge.

Quote:
Undetectable, 'passive' systems like the one that Muller and Hulton have created aren't new either, though previous technologies required about a million dollars worth of hardware and used a "brute force" tactic that tried 33 million times as many passwords to decrypt a cell signal. All of that means, Hulton and Muller argue, that their cheaper technique is simply drawing needed attention to a problem that mobile carriers have long ignored--one that well-financed eavesdroppers may have been exploiting for years. 'If governments or other people with millions of dollars can listen to your conversations right now, why shouldn't your next-door neighbor?' Muller says.


How is it that it caught on for the web (credit card payments over SSL), but still barely for personal communications (gpg, encrypted IM)?

That's a very good question.


One idea I've heard is that when SSL was first developed, the web was in its infancy and nobody really felt happy about the idea of sending their credit card details over it. The fact that it was relatively easy to eavesdrop on a computer network was fairly well known. This was no good to anyone who wanted to do business (OK, porn sites) over the web, and so SSL solved that problem by providing reassurance that nobody was eavesdropping.

The telephone system, on the other hand - that's been around so long that it's familiar technology and relatively few people are aware of how insecure it is. If you think GSM is bad (it's actually not that poor, and 3G introduces AES encryption), consider your land line. No encryption whatsoever and an analogue signal (so no computer equipment or specialised unusual codecs required to tap) between you and the telephone exchange.

That's a very good answer.