Bell bull

I recently re-upped with Bell Canada for cell phone service.  I bought new phones and upgraded the plan to include “unlimited” text messaging (since that’s how the grandkids mostly communicate).  The plan I got  is supposed to include picture and video messaging.

In order to use the picture messaging I am told, by both the kiosk and telephone personnel, to turn on the cellular data (not wifi: I’ve been a communications specialist for 30 years and I know the difference) connection on the phone.  Every time I do that I am charged $5.00 for “Pay per use flex data Data Usage.”

Each time I can get it reversed, but I have to spend 20 minutes getting through to an agent on the phone in order to do so.  (All the telephone agents initially insist that this is a “mobile browsing” charge, and I have to point out that I have turned off every app on the phone every time I try this.)

I am not being given the services it stipulates on my contract.

Right now I’m on the phone with Bell’s telephone “support.”  She’s already tried to get rid of me once by claiming to call “technical support.”  When I asked to speak to a supervisor, the agent did the same thing, but eventually put me through to “Puneet.”

I have spoken with supervisor “Puneet.”  She will not answer the simple question of how to access the services I am paying for.  Her only answer is that I upgrade to a data plan.

Therefore Bell is lying in it’s contract stating that I have access to picture and video messages.

Puneet has also just told me that Bell will no longer reverse or adjust any charges for using the picture messaging.

(Puneet did make one rather damaging admission late in the call: she did admit that, actually, Bell has no way to tell what the “Pay per use flex data Data Usage” is.  It could be updating.  It could be mobile browsing.  It could be Twitter.  It could, also, be the picture and video messaging for which I’m not supposed to be charged …)

Share

Airline security

Mom and my little sister were supposed to go on a cruise over Christmas.  The first leg of their flight to the embarkation port was cancelled when a door wouldn’t close.  The storm in the midwest, and the consequent meltdown of the North American air travel system, put paid to any chance of getting re-routed.  So they didn’t go.

The door that wouldn’t close on the first flight wasn’t an outside door, it was the cockpit door.  Mom was peeved.  Most people would have complained about the security policy that prevents takeoff without a locked cabin door.  Not Mom.  Her take was that there were lots of security guards around the airport, and that they could have just got one to stand in the doorway for the flight.

Share

“Feudal” and the young employee

In respect of Schneier’s article on “feudalism” in security (pledging “fealty” to a company/platform, and relying on the manufacturer/vendor to keep you safe), I’m sitting in a seminar for an ERP product from one of the “giants.”  The speaker has stressed that you need an “easy to use” system, since your young employees won’t attend or pay attention to training (on either systems or your business): they expect things to “just work.”

We’ve also just had a promo video from a company that uses the product.  Close to the ideal of a “virtual” company: head office is in one country, manufacturing in two more, and most of the user base shops online.  It is easy for the security professional to see that this is a situation fraught with peril: online access to vital business, manufacturing, and customer information, privacy issues with a diverse customer base, legal and privacy issues with multiple jurisdictions, and the list goes on.  This is not a situation where “plug and play” and turnkey systems are going to be able to address all the problems.

But, of course, the vendor position is just “Trust us.”

Share

Blatant much?

So a friend of mine posts (on Twitter) a great shot of a clueless phishing spammer:

So I reply:
@crankypotato Were only all such phishing spammers so clueless. (Were only all users clueful enough to notice …)

So some other scammer tries it out on me:
Max Dubberly  @Maxt4dxsviida
@rslade http://t.co/(dangerous URL that I’m not going to include, obviously)

I don’t know exactly where that URL redirects, but when I tried it, in a safe browser, Avast immediately objected …

Share

REVIEW: “The Quantum Thief”, Hannu Rajaniemi

BKQNTTHF.RVW   20120724

“The Quantum Thief”, Hannu Rajaniemi, 2010, 978-1-4104-3970-3
%A   Hannu Rajaniemi
%C   175 Fifth Avenue, New York, NY  10010
%D   2010
%G   978-1-4104-3970-3 0765367661
%I   Tor Books/Tom Doherty Assoc.
%O   pnh@tor.com www.tor.com
%O  http://www.amazon.com/exec/obidos/ASIN/0765367661/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0765367661/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0765367661/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   466 p.
%T   “The Quantum Thief”

This is the type of space opera that creates whole worlds, technologies, and languages behind it.  The language or jargon makes it hard to read.  The worlds are confusing, especially since some are real, and some aren’t.  The technologies make it way too easy to pull huge numbers of deuses ex way too many machinas, which strain the ability to follow, or even care about, the plot.  In this situation, the plot can be random, so the impetus for continued reading tends to rely on the reader’s sympathy for the characters.  Unfortunately, in this work, the characters can also have real or imagined aspects, and can change radically after an event.  It was hard to keep going.

Some of the jargon terms can be figured out fairly easily.  An agora, as it was in Greece, is a public meeting place.  Gogol wrote a book called “Dead Peasants,” so gogols are slaves.  Gevulot is the Hebrew word for borders, and has to deal with agreed-upon privacy deals.  But all of them have quirks, and a number of other terms come out of nowhere.

I was prompted to review this book since it was recommended as a piece of fiction that accurately represented some interesting aspects of information security.  Having read it, I can agree that there are some cute descriptions of significant points.  There is mention of a massive public/asymmetric key infrastructure (PKI) system.  There is reference to the importance of social engineering in breaking technical protection.  There is allusion to the increased fragility of overly complex systems.  But these are mentions only.  The asymmetric crypto system has no mention of a base algorithm, of course, but doesn’t even begin to describe the factors in the PKI itself.

If you know infosec you will recognize some of the mentions.  If you don’t, you won’t learn them.  (A specific reference to social engineering actually relates to an implementation fault.)  Otherwise, you may or may not enjoy being baffled by the pseudo-creativity of the story.

copyright, Robert M. Slade   2012     BKQNTTHF.RVW   20120724

Share

Apple Now “Owns” the Page Turn

A blog posting at the New York Times:

“Yes, that’s right. Apple now owns the page turn. You know, as when you
turn a page with your hand. An “interface” that has been around for
hundreds of years in physical form. I swear I’ve seen similar
animation in Disney or Warner Brothers cartoons.  (This is where
readers are probably checking the URL of this article to make sure
it’s The New York Times and not The Onion.)”

Yet more proof that the US patent system, and possibly the whole concept of intellectual property law, is well and truly insane.

What’s even funnier is that, when I read the New York Times blog page that carries this story, I noticed that NYT may be in grave danger of having their pants sued off by Apple (which is, after all, a much larger and more litigious corporation).  At least two of the animated graphical ads on the page feature a little character that rolls down a corner of the ad, inviting you to “Click to see more.”  If you click or even mouseover the ad, then the little figure “turns a page” to let you see the rest of the ad.

(This interface appears to be a standard for either the NYT or Google Ads, since refreshing the page a few times gave me the same display for two different auto manufacturers and, somewhat ironically, for Microsoft.)

(In discussing this with Gloria, she mentioned an online magazine based in Australia which uses a graphical page turning interface for the electronic version of the magazine.  Prior art?  Or are they in danger of getting sued by Apple as well?)

Share

Border (relative) difficulties

I have experienced all kinds of difficulties travelling down to the US to teach.

It used to be a lot easier, in the old days.
Border agent: “Business or pleasure?”
Me: “Business.”
BA: “What are you doing?”
Me: “Teaching.”
BA: “OK.”
Then The-Conservative-Government-Before-The-New-Harperite-Government-Of-Canada decided, in it’s infinite wisdom, to bring in something called the North American Free Trade Agreement, which had provisions to make it “easier” to trade and travel.  Now it’s a royal pain.

(I’ve travelled and taught elsewhere, of course.  Some places I’ve had to get visas.  Nigeria was a nusiance.  Australia was a $20 charge, online, no problem at all.  Last time I taught in Ireland it was “Business or pleasure?”  “Business.”  “Welcome to Ireland!”  Last time I taught in Norway there wasn’t even anyone at the immigration desk.)

Occasionally Americans have complained that they have had troubles coming to work in Canada.  So far I have never heard anything like what I’ve had to go
through.

At the moment I’ve been dealing with American lawyers again.  This has generally been OK, since I usually don’t have to travel for that.  However, this time the other side wants to depose me.  (I suspect they are just doing this for the nusiance value.  As usuall, I’m not doing this as an “expert” witness, just as the only guy who still has the materials.)  So, the origianl plan was for me to fly down to California, spend a day with the lawyers on one side “prepping” me, and spend an hour or two with the other side for the deposition.  They’d have to pay for my fare and travel expenses, as well as my time during prep.

During the call I mentioned that, since he was a lawyer, and presumably had access to other lawyers in their firm who knew something about immigration, they should check on that point, and see if they wanted/needed to do anything about a visa for me.  He didn’t think it was an issue.  I said that, according to the official rules he was right, but that I had seen plenty of cases where the border agents interpretted the rules in idiosyncratic ways, and maybe he should just check.

Today the plan has entirely changed.  At least three lawyers (possibly more), from at least two firms (and possibly more) are flying up from California, renting a boardroom here in Vancouver, renting a court reporter, and staying at least two days (more likely three) to do the prep and deposition.  With all the extra associated costs.  (And all this on behalf of a company that has very stringent travel cost policies: I had to sign off on them for the original contract.)

I think I’ve proved the point: it’s *way* harder to go to the US than to Canada.

Share

User interface

The food fair area of one of the local mall had a facelift recently.  Now, as you walk down the hall towards the washrooms, the first thing you see is a lighted sign stating “WOMEN” on the first hallway that takes off to the right.

Trouble is, that hallway is where the men’s washroom is located.  Unless you know the layout of the mall (and, in this season of the annual Northern-Hemisphere-Mid-Winter-Gift-and-Party-Period, there are lots of guys around who aren’t normally in the mall), you don’t really notice that the triangle next to the word “WOMEN” is actually an arrow, presumably directing you further down the hall, where the hallway to the women’s washroom is actually located.  You have to be closer, and still looking up high, to notice that the word “MEN” is printed above the word “WOMEN,” but is, for some weird design reason, right justified, so that it starts about a foot past the beginning of the word “WOMEN.”

This explains why there are lots of guys coming back up the hall looking for the men’s washroom that they passed on the way down.

User interface is important.

Share

Sandy and BCP

The flooding of New York City was, once again, an example of known threats not being addressed.

It would have been too expensive to do anything about the issues.  (Flood costs currently $50B and rising as more damage is found.)

Of course, nobody could have predicted Sandy, because this was a storm produced by changing conditions.  Brought on by global warming/climate change.  Which is another issue that is too expensive to address …

(Why do I have this old oil filter ad tagline running through my head?  “You can pay me now … or pay me later …”)

Share

What happens when your user changes his password?

You just forced the user to change his password; periodic password changing is good policy, right?

Now lets see what happens next:

  • The user sends the password to himself by email, in plaintext, so he won’t forget. Now it’s in his inbox, viewable on the email ‘preview’ section to anyone shoulder surfing
  • He then writes it on a post-it note. The cleaning person threw out the previous password (but that’s ok, he finally remembered it). Now there’s a post it with the password in the top right drawer
  • He then sends it to his wife/friend/colleague who also uses the account sometimes. Now it’s in another person’s inbox, again in a preview pane. He might have typed their email wrong and sent it to someone else by mistake, or maybe they put it on a post-it note too
  • The next time he tries to login he will use the old password (that he remembers) and fail. Your system will lock him out, and he will call to have it released. Another false positive that makes the person auditing the log for lock outs not pay attention to the warnings
  • He will then sign up to the new and cool social web site and use this last password as his password there. It’s already on the post-it note: Why write another? This new social web site will soon be cracked and your user’s password will be available online

Remind me again why changing passwords periodically is good for security? Oh, I get it. You were just living up to the bad reputation and preventing ease of use.

 

Share

Budget and the chain of evidence

Go Public, a consumer advocacy show on CBC, has produced a show on Budget Rent-A-Car overcharging customers for minor repairs.

This rang a bell with me.

In May of 2009, I rented a car from Budget, in order to travel to give a seminar.  Having had troubles with various car rental companies before, I did my own “walk around” and made sure I got a copy of the damage report before I left.  There were two marks on the driver’s door (a small dent, and a scratch), but the Budget employee refused to make two marks in that spot of the form: he said that the one tick covered both.

When I turned in the car, I was told that the tick was only good for the one scratch, and that I would be charged $400 for the dent.  I was also told that, since I had rented the car using my American Express card, I was automatically covered, by American Express, for minor damage, so I should get them to pay for it.

Since I was neither interested in paying myself, nor in assisting in defrauding Amex, I referred to the earlier statement by the employee who had checked the car.  (I had a witness to his statement, as well.)

Thus started a months-long series of phone calls from Budget.  They kept trying to get me to agree to pay the extra $400, and get Amex to reimburse me.  I wasn’t interested.

The phone calls finally stopped when, on one call, I informed the caller (by now identifying himself as someone in the provincial head office for Budget) that I had kept the copy of the original damage report form.  The caller told me that it clearly stated that there was a scratch on the door.  When I asked him how he interpreted the tick mark as a scratch, rather than a dent, he said that the word “scratch” was written on the form.

Well, of course, it hadn’t been written on the form originally.  I guess the caller must have been reasonable high up in the corporate food chain, because he knew what that meant.  I had the original, and it proved that they had messed with their copy.  That breaks the chain of evidence: they had no case at all.

(I still have a scan of that form.  Just in case …)

Share

Hazardous materials and balancing risks

This goes back a bit, but I was reminded of it this morning:

Amazing where you can get inspiration.  I went to an electronics manufacturing trade show, just to keep up with what’s happening over in that sector.  Nothing particularly new that anyone was selling particularly relevant to security.

However, I sat in on a seminar on the new EU “Restriction of (certain) Hazardous Substances” directive.  (This comes into effect in nine days, and there is all kinds of concern over the fact that the specific regulations for compliance haven’t been promulgated yet.  Remember HIPAA, you lot?  :-)

RoHS (variously pronounced “rows,” “row-hoss,” or “rosh”) is intended to reduce or eliminate the use of various toxic materials, notably lead and mercury, from the manufacture of electronic equipment.  This would reduce the toxic waste involved in manufacturing of said equipment, and particularly the toxic materials involved in recycling (or not) old digital junk.  EU countries all have to produce legislation matching the standard, and it affects imports as well.  In addition, other countries are producing similar legislation.  (Somewhat the same as the EU privacy directive, although without the “equivalent protection” clause.)  Korea is getting something very close to RoHS, California somewhat less.  Japan is going after informational labelling only.  China, interestingly, is producing more restrictive laws, but only for items and devices for sale within China.  If you want to manufacture lead, mercury, and hexavalent chromium computers in China for sale to other countries, that is just fine with them.

There are points relevant to various domains.  In terms of Physical security, and particularly life safety, there are issues of the environmental hazards of toxic materials in the electronic devices that we use.  (This is especially true in regard to BCP: lead, for example, vaporizes at temperatures seem in building fires.)

There is a certification process for ensuring compliance with the regulations.  Unfortunately, a number of manufacturers are carefully considering whether it is worth complying with the regulations.  Even if the products are compliant in terms of hazardous materials, the documentation required for compliance certificates requires details of materials used that could, to educated engineers and others in competing businesses, give away trade secrets involved in manufacturing processes.

The certification and due diligence processes are, like SOX, recursive.  In order to prove that your products are compliant, you also have to demonstrate that your suppliers, and their products, are also compliant.

There is also an interesting possibility of unintended consequences.  Outside of the glass for CRTs, the major use of lead is in solder.  Increasing the proportion of tin in the solder increases the temperature at which it melts, which is one factor.  However, another is that tin-only solder has a tendency to grow “whiskers.”  (The conditions and time for growing whiskers is not fully understood.)  Therefore, in an attempt to reduce the health risk of toxic materials, RoHS may be forcing manufacturers to produce electronic goods with shorter lifetimes, since the whiskers may become long enough to produce short circuits within electronic devices.  Indeed, these devices may have an additional risk of fire …

Share

This is [phishing] news?!?

We seem to be missing the boat on security awareness of phishing attacks: it’s not just for bank and credit card accounts anymore.  This article notes the “DHL,” “tax refund,” and similar queries.  I would have thought these were obvious, but they seem to be the most successful ways to get spear phishing and APT information.

Share

Unintended consequences

I’m not sure how far back to go, to get to the beginning.

Could be the time, a few years back, when the townhouse complex’s main water supply, after 30 years of flawless operation, was “upgraded.”  This, of course, inevitably resulted, a couple of years later, in some very odd variations in water pressure.  Some of the time we had little more than a trickle of water in the taps, and occasionally the washing machine took forever to fill.  (The “upgrade” may also have been responsible for the Great Flood of Aught-Nine, out on the main road.  But I digress.)

This year the main pressure regulator for the complex was replaced, and water was back to full pressure.  As a matter of fact, it was back to significantly higher than full pressure.  Filling the washer (or sink) is much quicker than it used to be.  You have to be careful not to turn the kitchen sink on full blast, or much of the counter around it gets sprayed.

A couple of day ago, the upstairs toilet stopped working.  Well, it would still flush, if the tank was full, but refilling slowed to a stream of drips.  (Hypothesis: the intake valve in the tank has blown from the higher water pressure.)  The manager happens to be away this weekend (of course), so we’ve been muddling through.

This morning, while attempting to refill the tank manually, I discovered that, if the tank was in the process of filling itself, and you turned on the bath tap full blast, the toilet would start filling normally.  Further experimentation determined that it had to be full blast: half or even three quarters wasn’t good enough.  (Revised hypothesis: the valve is partly damaged, and reducing the pressure allows it to function, temporarily.)

Weird.

Anyway, it reminded me: if a system as simple as a toilet, and household plumbing, can have these sorts of effects, what makes you think your incredibly complicated IT system, and its protective elements, is working as you think it should be?

Share

Art, hacking, privacy, and the US Secret Service

“Media artist” creates a form of spyware using Macbook webcams.  Runs it on computers in Apple Stores.  Apple calls Secret Service about the artist.  Lots more.  Some interesting and provocative concepts in the article, covering privacy, legality, search and seizure, and the fact that people show little affect when working with/on computers:

http://www.wired.com/threatlevel/2012/07/people-staring-at-computers/all/

Share

Why PS3 Encryption Key Leak is not an End Game

A lot of people a speculating that since the PS3 LV0 encryption key has leaked, that all bets are off and piracy for the PS3 is now a fact and there is nothing Sony can do to resolve. They further claim, even if Sony releases a patch, with the availability of this LV0 encryption key, hackers would just need to decrypt the update and snatch from it the new LV0 keys if those are updated using a patch.

This reminds me of a story about a Satellite Broadcaster a few years ago that has lost similar encryption keys that were part of its update mechanism for enabling/disabling your subscription card. Once you had this encryption key you could enable your card without needing to pay anything to the broadcaster.

When this news got out, it seemed to be an obvious bet that the company would go bankrupt in a few months as piracy would ruin them.

But the broadcaster didn’t lose hope and devised a plan that was quite ingenuous. They knew that updating the encryption key in one “bang” would be blunt and very easy to track down. So instead, over the course of a year they sent “junk” data as part of their updates, gradually sending out more and more chunks of indecipherable data. Then one day, they “executed” this “junk” data, and voila! the “junk” wasn’t junk at all. It was self decrypting pieces of code.

There were two very clever parts to their plan. First, they data they sent just hid there until it got executed. In fact, only in retrospect it was noticed that there was even “junk” data there. The second part was that it was not executable on anywhere but on their specific platform. You couldn’t decrypt that data as it used inherit functionality of the hardware on which it ran – you couldn’t easily disassemble it without knowing some of the secret ASM code that ran on their hardware.

The moral of this story  is, even when all is lost, as long as your true customers are updating, and your thieves need to upgrade too in order to enjoy the full benefits of the system, you can always regain control over you hardware – in essence having “code execution” on your system allows you full control over it, even if someone else is watching and tracking what you are doing – it is just a tad harder to do so in a way that will mask from guy who controls the system what you are doing.

Share