Hahahaha…..

Apparently, “HashKeeper is available free of charge.” Contact the National Drug Intelligence Center for more information.

National Drug Intelligence Center
c/o Mr. Steve Gironda
Telephone: 814-532-4987
E-mail: ndic.domex.request@usdoj.gov

Hat tip to John Masterson.

The coupon is similar to a credit card, with a serial number and expiration date printed on the front (as well as a nifty hologram that reads “Security”). It also has a magnetic stripe. Curious, I borrowed a coupon and swiped it through my trusty mag-stripe reader. The output was as follows (name/number have been changed for privacy):

%B5897320630985200^SMITH/FRANK ^0903121000000000000000798000000?
;5897320630985200=09031210000079800000?

Much to my surprise, the applicant’s name was encoded on the coupon, in addition to the serial number and expiration date.

Consumers are clearly not aware that their names are encoded on the cards. Although National Telecommunications and Information Administration (NTIA) documents refer to “identifying serial numbers,” (NTIA 2006) there is no mention of the fact that names themselves are encoded on the cards. Since the name is not printed on the face of the card itself, there’s no way for recipients to tell it is there without special card-reader equipment.

As a result, over 24 million Americans have now unknowingly submitted their names into the tracking systems of nationwide corporate retailers such as Wal-Mart and Best Buy. “There are federal privacy laws that say what the government can do with your information, but once that information is given to private industry, it’s theirs,” commented senior security consultant Jonathan Ham.

What’s more, the NTIA itself tracks the location, date and time of each purchase. Retailers are required to “provide NTIA electronically with redemption information and payment receipts related to coupons used in the purchase of converter boxes, specifically tracking each serialized coupon by number with a corresponding [certified converter box] purchase.” (NTIA retailer site.) Each week, the NTIA publishes statistics indicating the number of cards used in each zip code.

Consumers are not explicitly informed of the coupon tracking on the TV Converter Coupon Program web site or application. Buried in the NTIA’s web site is the statement that “to keep track of the number of coupons issued, used and redeemed, as well as to minimize fraud and counterfeiting, NTIA intends to place identifying serial numbers on the coupons.” (NTIA 2006)

I went to Best Buy to get a retailer’s perspective on the TV Converter Coupon Program. Like most retailers, Best Buy likes to track their customers. With cash or check, this is difficult, but with credit cards and similar systems (such as the DTV coupons), customers can be automatically added to their database.

Rob Hooper, the helpful manager on duty, explained, “[The DTV coupon] would probably have their name, a number, and they probably have to put in their phone number for us to ring out the remainder of the transaction. As soon as that number gets rung through a Best Buy retailer or a Wal-Mart retailer or anywhere else, [NTIA can] probably break it down underneath the ID of the retailer, and then also the ID of the individual who applied for that particular card number. Not only do they have demographics, they also have geographics– where each card is used.”

In other words, the government receives detailed information about precisely where and when each card is used, and each card is explicitly linked to a name. What’s more, since the names are stored on the coupon’s magnetic stripe itself, the retailer also receives and can store personal information about the consumer. The consumer may never even be aware that his or her name has been given to the retailer.

My mother, who applied for the program by phone, was shocked to learn that her name was encoded on the card and her purchases were tracked. “The government should have made me aware of the information they would be collecting about me if I used the card,” she said. “They’re taking away my freedom. If they decide they need to collect information, they should do so with the people they are collecting the information from volunteering to give it, not being forced.”

Presumably the names encoded on the coupon’s magnetic stripe can be used to prevent fraud, but in practice this has not been occurring. Even if the name on the coupon doesn’t match the consumer, retailers still accept the coupons.

“We generally don’t check IDs against the card,” said Rob. “If someone’s out there stealing digital converter box cards and they’re just hoarding boxes of those cards, that’s not on the top priority list for Best Buy’s loss prevention.”

“We haven’t really seen too much fraud whatsoever with these coupon cards,” he added. “It would be a really interesting thing to try to steal $40 converter box cards, because you’re basically getting paid off in technology that will be antiquated.”
 
Millions of Americans using the DTV converter coupons have unknowingly had their shopping habits tracked and names given to third parties such as Best Buy and Wal-Mart. What is the value of our privacy? Is watered-down “fraud protection” really worth giving away millions of American’s names to retailers? Would my mother really want her shopping habits recorded in an obscure government database, even to save $40?

“I like to shop for a product without Big Brother watching over me,” said Mom.

Cleartext Passwords in Linux Memory

Given the recent developments with cold boot memory dumping, the risk associated with cleartext passwords and other sensitive data in memory has significantly increased. Last week at HOPE Jacob Appelbaum released some of the cold boot tools which the Princeton, EFF and Wind River team used to dump and analyze memory.

My hope is that detailed information about cleartext passwords will be useful to forensic examiners and the Linux development community. For folks who would like to examine the data for themselves, below are a some snippets of process memory that I collected from my Ubuntu test system.

Each zipfile contains a pcat capture of process memory, as well as files containing the Ascii and Unicode strings. In the GDM process memory, you’ll find the login username, password, and shadow file information. In the Truecrypt process memory, you’ll find the volume location, password, and the command used to mount it. There’s other interesting stuff in there as well.

GDM process memory (.zip, 6.0M)
  login username: myname1
  password: !1MyPwd1!

Truecrypt process memory (.zip, 7.5M)
  volume location: /home/myname1/Desktop/tcvol
  password: !mytcvol!
  shell command: truecrypt Desktop/tcvol)

For others such as myself who were not aware of it, 2257 is part of the Child Protection and Obscenity Enforcement Act of 1988, which “places stringent record-keeping requirements on the producers of actual, sexually explicit materials” and requires “producers of sexually explicit material to obtain proof of age for every model they shoot, and retain those records. Federal inspectors may at any time launch inspections of these records and prosecute any infraction.” (Wikipedia) Failure to do this is punishable with up to 5 years of jail time and fines.

Now, there is a lot of fallout from this seemingly straightforward requirement. For starters, this means that producers of pornographic material are collecting and permanently storing sensitive information about their actors and actresses, including name, social security number, maiden name, all other names they’ve ever performed under, address, etc. Many people star in pornographic films under pseudonyms for a reason– ie. they value their privacy, and pornography is a sensitive topic in our society. There are many legitimate reasons that an actor might not want their art to be associated with their real name.

Furthermore, consider the current state of information security in industry. It’s a mess. Large companies at least have full-time staff to devote to the problem of securing data, but not small businesses. The creators of pornography, especially small enterprises, are not likely to have the specialized security skills necessary to properly store this information. The best defense is probably to keep it off the network entirely, but actors have little control over how producers manage their data, and no good way to verify that it’s being carefully managed. Even if companies do store their actors’ information carefully today, how can the actors be sure that that will continue to be the case for the next ten, twenty or thirty years? In the current environment, giving sensitive personal information to a company and asking them to store it forever, with no verification of their security procedures, is pretty much equivalent to making it public. Section 2257 forces actors to choose between their work and their safety of their personal information.

In 2007, the courts “ruled that the record keeping requirements were facially invalid because they imposed an overbroad burden on legitimate, constitutionally protected speech.” (Wikipedia) However, the Department of Justice requested an en banc review of that decision, which is still unscheduled. Due to this legal limbo, the law still stands.

I’m guessing that one supposed purpose of this law is to thwart child exploitation, by ensuring that all producers verify the age of their actors and maintain records that they have done so. However, requiring them to actually store detailed identification information places their actors– free American citizens and consenting adults– at undue risk of privacy breach.

The same purpose could be accomplished with far less risk by having producers record other information, such as the actor’s age and manner in which it was verified, rather than store the actual identification data itself. I think it’s unlikely that the law actually protects children at all– if a minor wants to be in a sexually explicit film, they can always get a fake ID. If they’re being forced into it, then Section 2257 is not going to stop the producers (although I suppose it could extend their jail sentences).

Actors in sexually explicit films are free citizens and consenting adults. They should have the right to perform without being forced to give detailed identification information to companies that may or may not secure it properly. At the very least, companies which store this data should be required to provide verification that the data is being properly secured. In my opinion, as consenting adults actors should have the right to perform anonymously if they so choose. Section 2257 may have been created to “protect” minors from exploitation, but in reality it is ineffective, and places many Americans at real, immediate risk of personal data loss.
 
 

In lieu of the FISA Amendments Act which passed in Congress this week and legitimizes warrantless wiretapping, I’d like an open-source (hardware or software) voice encryption product which I can use to encrypt my own phone conversations end-to-end. Features would include:

• Based on public key encryption.
• Fully open source. I want to be able to review the design, and install it myself.
• Small enough to be attached to my cell phone without being a pain. (Bergey suggested using Bluetooth, which is an interesting idea.) Bonus points if it actually fits inside my cell phone.
• Cheap, so that it is widely accessible.

If scientists can conduct heart surgery through someone’s leg, surely we can collectively create a convenient, cheap, open-source, public-key-based voice encryption product.

For some relevant prior work, check out the Secure Telephone Unit III (STU-III), introduced by the NSA in 1987 NSA for US government communications:

From Wikipedia:
STU-III – These telephone sets operated over ordinary telephone lines and featured the use of security tokens and public key cryptography, making them much more user friendly. They were very popular as a result.

That was later replaced by the Secure Terminal Equipment. Again, from Wikipedia:

Secure Terminal Equipment (STE) – This system is intended to replace STU-III. It uses wide-bandwidth voice transmitted over ISDN lines. It can communicate with STU-III phones and can be upgraded for FNBDT compatibility.

It can be done!
 
 

http://prebys.org/Africa/

These two guys went to Africa in 2004 and decided to scan in their driver’s licenses, passports, yellow cards and put them on the Internet, along with their credit card and bank account numbers. That way if they lost anything, they could look it up really easily from anywhere in Africa. Convenient!

What nearly made me fall over, though, was that as it happens both these guys are good friends and former roommates of mine. (Apparently paranoia doesn’t rub off.) Eric was in our living room at the time, so I went downstairs and asked him if he had ever suffered any ill effects from having all of his personal data on the Internet for the past four years. He said nope! No stolen credit card, no financial problems, no identity theft to date.

Stephanie commented that stealing the identity of a man with his driver’s license photo probably wouldn’t be very helpful. Still, I have to wonder if my work as a security consultant actually has any purpose.