I’m not sure how far back to go, to get to the beginning.

Could be the time, a few years back, when the townhouse complex’s main water supply, after 30 years of flawless operation, was “upgraded.”  This, of course, inevitably resulted, a couple of years later, in some very odd variations in water pressure.  Some of the time we had little more than a trickle of water in the taps, and occasionally the washing machine took forever to fill.  (The “upgrade” may also have been responsible for the Great Flood of Aught-Nine, out on the main road.  But I digress.)

This year the main pressure regulator for the complex was replaced, and water was back to full pressure.  As a matter of fact, it was back to significantly higher than full pressure.  Filling the washer (or sink) is much quicker than it used to be.  You have to be careful not to turn the kitchen sink on full blast, or much of the counter around it gets sprayed.

A couple of day ago, the upstairs toilet stopped working.  Well, it would still flush, if the tank was full, but refilling slowed to a stream of drips.  (Hypothesis: the intake valve in the tank has blown from the higher water pressure.)  The manager happens to be away this weekend (of course), so we’ve been muddling through.

This morning, while attempting to refill the tank manually, I discovered that, if the tank was in the process of filling itself, and you turned on the bath tap full blast, the toilet would start filling normally.  Further experimentation determined that it had to be full blast: half or even three quarters wasn’t good enough.  (Revised hypothesis: the valve is partly damaged, and reducing the pressure allows it to function, temporarily.)

Weird.

Anyway, it reminded me: if a system as simple as a toilet, and household plumbing, can have these sorts of effects, what makes you think your incredibly complicated IT system, and its protective elements, is working as you think it should be?

The Cyber Security Research Alliance has just announced it’s formation.

If you want to join, it’s $60,000 for a founding membership, but a mere $15,000 if you want to be an affiliate member.

I think I’ll stick with my membership in the Vancouver Security Special Interest Group (or SecSIG).  We actually celebrate our thirtieth anniversary in January, and, for all of that time, we’ve managed to keep the annual fees to $0.

“Media artist” creates a form of spyware using Macbook webcams.  Runs it on computers in Apple Stores.  Apple calls Secret Service about the artist.  Lots more.  Some interesting and provocative concepts in the article, covering privacy, legality, search and seizure, and the fact that people show little affect when working with/on computers:

http://www.wired.com/threatlevel/2012/07/people-staring-at-computers/all/

Or: One Of The Reasons Why I’ve Never Actually Bought Any Kindle Books from Amazon, And Only Install Free Books:

Amazon closes account and wipes Kindle. Without notice. Without explanation.

Overconfidence makes you successful in business.

Not just confidence, mind you, overconfidence.

Add in the Dunning-Kruger effect, and the Peter Principle, and you start to realize why all those huge banks keep failing …

BKLNFOCT.RVW   20120714

“Learning from the Octopus”, Rafe Sagarin, 2012, 978-0-465-02183-3, U$26.99/C$30.00
%A   Rafe Sagarin
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02183-3 0-465-02183-2
%I   Basic Books/Perseus Books Group
%O   U$26.99/C$30.00 800-810-4145 www.basicbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0465021832/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0465021832/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465021832/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   284 p.
%T   “Learning from the Octopus”

The subtitle promises that we will learn “how secrets from nature can help us fight terrorist attacks, natural disasters, and disease.”  The book does fulfill that aim.  However, what it doesn’t say (up front) is that it isn’t an easy task.

The overall tone of the book is almost angry, as Sagarin takes the entire security community to task for not paying sufficient attention to the lessons of biology.  The text and examples in the work, however, do not present the reader with particularly useful insights.  The prologue drives home the fact that 350 years of fighting nation-state wars did not prepare either society or the military for the guerilla-type terrorist situations current today.  No particular surprise: it has long been known that the military is always prepared to fight the previous war, not this one.

Chapter one looks to the origins of “natural” security.  In this regard, the reader is inescapably reminded of Bruce Schneier’s “Liars and Outliers” (cf. BKLRSOTL.RVW), and Schneier’s review of evolution, sociobiology, and related factors.  But whereas Schneier built a structure and framework for examining security systems, Sagarin simply retails examples and stories, with almost no structure at all.   (Sagarin does mention a potentially interesting biology/security working group, but then is strangely reticent about it.)  In chapter two, “Tide Pool Security,” we are told that the octopus is very fit and functional, and that the US military and government did not listen to biologists in World War II.

Learning is a force of nature, we are told in chapter three, but only in regard to one type of learning (and there is no mention at all of education).  The learning force that the author lauds is that of evolution, which does tend to modify behaviours for the population over time, but tends to be rather hard on individuals.  Sagarin is also opposed to “super efficiency” (and I can agree that it leaves little margin for error), but mostly tells us to be smart and adaptable, without being too specific about how to achieve that.  Chapter four tells us that decentralization is better than centralization, but it is interesting to note that one of the examples given in the text demonstrates that over-decentralization is pretty bad, too.  Chapter five again denigrates security people for not understanding biology, but that gets a bit hard to take when so much of the material betrays a lack of understanding of security.  For example, passwords do not protect against computer viruses.  As the topics flip and change it is hard to see whether there is any central thread.  It is not clear what we are supposed to learn about Mutual Assured Destruction or fiddler crabs in chapter six.

Chapter seven is about bluffing, use  and misuse of information, and alarm systems.  Yes, we already know about false positives and false negatives, but this material does not help to find a balance.  The shared values of salmon and suicide bombers, religion, bacterial addicts, and group identity are discussed in chapter eight.  Chapter nine says that cooperation can be helpful.  We are told, in chapter ten, that “natural is better,” therefore it is ironic to note that the examples seem to pit different natural systems against each other.  Also, while Sagarin says that a natural and complex system is flexible and resilient, he fails to mention that it is difficult to verify and tune.

This book is interesting, readable, erudite, and contains many interesting and thought-provoking points.  For those in security, it may be good bedtime reading material, but it won’t be helpful on the job.  In the conclusion, the author states that his goal was to develop a framework for dealing with security problems, of whatever type.  He didn’t.  (Schneier did.)

copyright, Robert M. Slade   2012     BKLNFOCT.RVW   20120714

Recently one of the bridges in my area was replaced by a new one.  The new Port Mann Bridge is, at the moment, apparently the widest in the world, and will relieve congestion on the existing bridge, which has been a huge bottleneck for years.  (Why do I keep flashing on an old saying about “traffic expands to fill anything made available for it …”?)

In order to pay for it, our currently right-wing) provincial government has formed a “public/private partnership” with a shell corporation (Treo) which gets to “lease” the bridge for about fifity years and put tolls on it.

I’m not sure I’ll have a lot of use for the Port Mann Bridge when it gets tolled (except to get out to the Olive Garden, until they build one closer in).  It’s been such a bottleneck for so long that I’ve found all kinds of ways to avoid it.  (There is another tolled bridge in the area, and I’ve only traveled over it once, in the first “free” week, just to find out where it was and went.)  But I figured I’d get the decal anyway, especially since it gets you a discount, and some extra bucks (equivalent to about 20 free trips) to start off.

You’ll have heard about the debacle in regard to the phone registration, where some of the clerks were in business for themselves, and stole credit card numbers.  So I figured I’d register via the Website.  The process wasn’t too arduous, although I found it odd that American Express, which I use for most of my pre-authorized charges, wasn’t acceptable.  (I also found out that my password algorithm, while it is long, complex, and uses mixed case and non-alphabetic characters, doesn’t generate a number in all cases.  Apparently you have to have a number.)

I didn’t realize that I didn’t get a confirmation email until this morning, when I checked the spam filters.  There it was.

And, I have to agree.  If I was a spam filter, I’d have said it was spam, too.  It’s a mess.  Looking at the body, I can’t make out anything it is trying to do (other than create all kinds of buttons).  The spam report says:
0.00 NO_REAL_NAME           From: does not include a real name
0.00 BSF_SC0_MISMATCH_TO    Envelope rcpt doesn’t match header
0.00 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.00 URI_TRUNCATED          BODY: Message contained a URI which was truncated
0.00 HTML_MESSAGE           BODY: HTML included in message

Treo itself seems to use a system called Barracuda, and this system also scores the message as spam.  (It also seems to have an AV scanner, which appears to be turned off.  Apparently Treo is not concerned about sending viruses out to infect other people.)

So, the Treo people don’t seem to be very concerned about information security.  Which gets me thinking:

Is the bridge safe?

I have just got off the phone with a marketroid.  In the course of our conversation (no, I usually don’t talk to them, but this turned our to be a special case), I was explaining to her about ISC2 and the CISSP.  She was puzzled by an annotation on my file with her company, and it wasn’t making sense in terms of what I did, and what their ERM/CRM system was saying about me.

When she looked at the ISC2 Website, during our conversation, she immediately noted the “Security Transcends Technology” slogan.  I dimly recall the great fanfare when this was introduced about 9 or ten years back: our (marketing department’s) proud statement that we were not mere technologists, but covered the whole realm of security.

Well, apparently that’s not what it says to some people.  The simple existence of the “technology” word in our slogan seems to trigger an immediate pegging of us as mere techies.  All of us CISSPs are just basic firewall admins.  We are not
transcendant.

Back to the marketing board … ?

Keyless Entry Using Your Phone.

1) I keep telling people, the next security risk is the next technology that is there solely for “convenience.”

2) So, your credit cards are going to be in your cell, your bank access is going to be in your cell, your car keys are going to be in your cell, your house keys are going to be in your cell …  All your eggs in one basket–that gets dropped in the toilet, left in coats, drops between couch cushions, gets picked up in bars …

3) You can even unlock it remotely, so social engineering is on the table (“Hey, Mr. iPhone User, we’re from the gas company, and your neighbours are reporting a strong smell from your place, any way you could come back here from your conference on the other coast we found out about from your Facebook account and let us in?”)

4) You could use Wifi at close range, but for remote it probably has to have a unit that hooks up to your phone.  (I suppose another option is to have the locking device be a cellular device, but that seems excessive.)  So, as was mentioned, you have to worry about power outages.  Also interference from other Wifi devices, portable phones, cell phones, microwave ovens …

There are always two sides (and maybe more) to every story, but:

Police called to a scene where children were reportedly abandoned.  Police arrive to find children on a suburban street, and the mother watching from the porch.

So the police take the mother to jail.

(Sorry, nothing to do with security in this one.)

Hollywood has rediscovered the Bible as movie source material.  (Probably because it’s in the public domain, and saves costs.)

In production is “Noah,” which stars Russell Crowe as someone mumbling about God telling him to build a boat, and then beating up his neighbours when they make fun of him for it.

Steven Spielberg is supposed to direct “Gods and Kings,” about Moses.  Therefore it will star special effects, and probably have the tagline “I(sraels) C(hildren) Go Home!”

“The Redemption of Cain” is supposed to be Will Smith’s directorial debut, so Cain will probably turn Black and therefore become cool.

“Mary, Mother of Christ,” is being billed as a prequel to “The Passion of the Christ,” so will probably have the most violent Madonna ever.

Fox and Ridley Scott are working on “Exodus,” so it will probably be the most inaccurate Biblical epic ever filmed, and may star alien monsters.

(Just in case you think I’m making all of this up, it’s based on a report in the WSJ.)

“The 2012 Norton Cybercrime Report, released Wednesday, says more than 46 per cent of Canadians have reported attempts by hackers to try to obtain personal data over the past 12 months,” according to the Vancouver Sun.

Well, since I see phishing every single day, and malware a few times times per week, what this survey is *really* saying is that 54% of Canadians don’t know what phishing and malware looks like.

(And you others don’t need to gloat: apparently the same figure holds globally …)

Kinda depressing …

What is true of teachers is also true for recruiters.

I am old enough to have gone through group interviews, hostile interviews, video interviews, multi-part phone interviews, questionnaire interviews, weird question interviews, “waht do you want to be when you grow up” interviews, and all the other “latest and greatest” ideas that swept through HR-land at one time or another.  I understand the intents of the various processes, and what they will and won’t tell you.  (When I do recruiting myself, I use the “prepared” interview model–know what it is you want, and how to find out if the candidate has it.)

So, apparently the next big thing in recruiting is to use technology.  Use robots.  (Well, actually just avatars and virtual game worlds.)  Use computerized questionnaires.  (They work just as well, and as badly, as paper ones.)  Use video.  (Wait.  We did that already.  Oh, I see, use videotape.)

It doesn’t take too long to see what the intent is here.  To save time and money.

And, doing it cheaper will work out just as well as doing it cheaper always has.

“There is hardly anything in the world that some man cannot make a little worse and sell a little cheaper, and the people who consider price only are this man’s lawful prey.        – John Ruskin

Someone has made yet another prediction that teachers will shortly be replaced by technology.  Teacherless classrooms are, apparently, the way of the future.

I recall this prediction being made, to great fanfare, thirty years ago.  I was, at the time, a public school teacher, and at a conference on science education.  The first speaker of the day took a bit of time out from his presentation to discuss the issue, and stated that any teacher who *could* be replaced by a computer, *should* be replaced by a computer.  His point was that teaching is a profession, not the push button assembly line job that many people seem to mistake it for.  Any teacher who is so repetitive, so lacking in imagination, so single dimensional, so robotic that they can be replaced by a machine or a process, should be replaced.  A teacher should be able to handle more than “do you want a diploma with that?”

(Go ahead.  Make my day.  Ask me if this is going to be on the final.)

One way or another I have been teaching for more than forty years.  I have taught (in the public school system) every grade level from kindergarten to grade twelve.  I have taught in two-year colleges, and at the post graduate level in academia.  I have taught for business and in commercial training.

I also have a rather broad experience in “distance education.”  I have participated as both director and teacher in video and audio production of teaching materials.  I have created online tutorials for computer-based courses.  I have designed and programmed interactive computer-based training.  Over twenty-five years ago I ran the telecommujnications component of the World Logo Conference, which was the first (and possibly still only) event to fully integrate onsite with online participation.  (And which also, since Logo is a “teaching” language, involved many teachers and computer educators.)

I have mentioned that I don’t like Webinars.  That isn’t because I inherently object to the very idea.  I think a good Webinar might be an interesting experience.  But, so far, nobody has figured out that that good distance education requires more work, not less.  (In the same way, publishers of textbooks haven’t yet understood that a good textbook requires better writing, not worse.)  We figured this out at the WLC more than two decades ago.  The developers of debuggy figured it out about programmed learning more than three decades ago.

There are some, few, isolated examples of individual lessons that have been done well using video, or the Web, or programmed learning, or various other forms of technology.  But they are, still, few and isolated, and drowned out in the vast sea of mediocre and wretched attempts.  Technology has uses, and good teachers know that.  It’s great for drill and practice in some areas.  The Web is a great place for discovery and research.  Letting a kid loose on the Internet without guidance is a recipe for disaster.  We are a long way, a very, VERY long way, from the use of technology to create entirely teacherless classrooms.

Yes, we can certainly use extra training for a number, possibly a very large number, of teachers who are afraid of the technology and don’t use it well.  But don’t tell me that you can replace them with droids until you can show me that you understand what teaching is all about.

I’ve mentioned before that I use Shaw as my ISP at home.  Right at the moment, they have an advertising campaign that claims they are, or have, Canada’s fastest network.

Now, I’m willing to believe that Shaw is not being deliberately mendacious or misleading.  There is probably someplace, or some part of Shaw’s network, that transfers data faster than other vendors in that area or for that component.

And, I have to admit that, since I am not, generally, a high volume user, even the basic service I have for them is usually sufficient.  In the afternoon and most evenings.

But, right where I am, Shaw can’t seem to get any data moving in the morning.

I first noticed this a few months ago, and spent quite a bit of time contacting Shaw’s generally unhelpful help staff.  This involved them asking me to try a different network cable to the router, or a different computer, or bypassing the router, and checking their speedtest.  (None of which made any difference.)  They finally sent someone around.  The next day.  Of course, by that time the problem had resolved.  But by that time I’d noticed that traffic was only slow in the morning.

So, over the past few months there have been numerous mornings when it has been slow.  I don’t mean just “they promised me speeds up to 5 Mbps and I’m only getting 1.39″ slow, I mean “they promise a minimum of 1 Mbps and their own speedtest is showing 0.02 Mbps and that’s only when it actually completes” slow.  It doesn’t happen every morning, but often enough to see that the pattern is extremely regular, starting about 8:30 am, and trailing off (as in, network speeds start working again) around 11:30 am.

I’ve reported this to Shaw’s technical support, mostly through Twitter, since it takes less time than fighting your way through their phone voice menu tree and it doesn’t matter what reporting method you use, they never do anything anyway.  (Along the way I have learned that the ShawHelp Twitter people have a “Hello $username. If you follow and DM your account info and phone number we can look into it for you” macro, and that, if you submit details about the speeds and the fact that you have tried various configurations, you will receive a “No issues in your area, modem signal is good. Is computer direct to modem or are you using router?” message about 3 or 4 hours later.

It’s been annoying, but I’ve lived with it for a while.  Except that, for the past week and a half, this has now happened every single day.  It is pretty much impossible to do anything in the morning.  This morning was particularly bad: I couldn’t even get the speedtest to run, for the most part.

So, if I suddenly stop posting, you’ll kn()^(*%(&*(&*(&^ NO CARRIER

BKMHFIIS.RVW   20120216

“Managing the Human Factor in Information Security”, David Lacey, 2009, 978-0-470-72199-5, U$50.00/C$55.00/UK#29.99
%A   David Lacey
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2009
%G   978-0-470-72199-5 0-470-72199-5
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$55.00/UK#29.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0470721995/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0470721995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0470721995/robsladesin03-20
%O   Audience n- Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   374 p.
%T   “Managing the Human Factor in Information Security”

The preface states that the intent of the book is to identify and explain the range of human, organizational, and social challenges when trying to manage security in the current information and communications environment.  It is hoped this material will help manage incidents, risks, and design, and assist with promoting security systems to employees and management.  A subsidiary aim is to leverage the use of social networking.

Some aspects of security are mentioned among the indiscriminate stories in chapter one.  Chapter two has more tales, with emphasis on risks, and different people you encounter.  Generic incident response and business continuity material is in chapter three.  When you know the risk management literature, you can see where the arguments in chapter four come from.  (Yes, Donn, we know quantitative risk analysis is impossible.)  The trouble is, Lacey makes all of them, and therefore comes to no conclusion.  Chapter five has some points to make about different types of people, and dealing with them.  Unfortunately, it’s hard to extract the useful bits from the larding of stories and verbiage.  (Given the haphazard nature of the content, making practical application would be even more difficult.)  Aspects of corporate culture are discussed, in an unstructured fashion, in chapter six.  Chapter seven notes a number of factors that have appeared in successful security awareness programs, but doesn’t fulfill the promise of helping the reader design them.  Chapter eight is about changing organizational attitudes, so it’s an (equally random) extension of chapter six.  It also adds some more items on training programs.  Chapter nine is about building business cases.  Generic advice on creating systems is provided in chapter ten.  Some even broader advice on management is in chapter eleven.  A collection of some points from throughout the book forms a “conclusion.”

There are good points in the book.  There are points that would be good in one situation, and bad in another.  There is little structure in the work to help you find useful material.  There are stories about people, but not a survey of human factors.  Lacey uses lots of aphorisms throughout the text.  I am reminded of the proverb that if you can tell good advice from bad advice, you don’t need any advice.

copyright, Robert M. Slade   2012     BKMHFIIS.RVW   20120216