Give someone enough rope …

Today a Conservative Canadian Senator made a rather bizarre suggestion about giving convicted murderers a rope, and allowing them to hang themselves.  (No, I’m not kidding.  But he later retracted the statement.)

But, never let it be said that we couldn’t look at ideas, regardless of how they come.  Moral repugnance aside, is this a good idea?  Probably not.

Would it save money?  Only if the murderer felt really, really sorry.  And, isn’t that what we wanted out of the justice system in the first place?  So, we might have saved money and wasted a life.

Then again, what if the convicted person was not guilty?  I would think that an innocent person, unjustly convicted, would be a prime candidate for suicide.  So then we have a monetary saving at the cost of an innocent life.

And, for those who really don’t feel bad about killing people, they might welcome the option of getting out of a life sentence.  So we may be reducing the deterrent effect if we implement the rope idea.

If we’ve got a real psychopath, is it really a good idea to give him a rope, or poison, or a knife, or a gun, or anything particularly dangerous?  It isn’t too hard to start to imagine scenarios where he/she/it could do some real damage, even within the prison.

Maybe we should chip in and buy the Senator a copy of Schneier’s “Liars and Outliers.”


Certified security awareness

A vendor speaking at a conference (is there any other kind of presentation at conferences these days?) has made a call for a new standard for information security awareness training.

” … the way to do this is via a new infosecurity standard that solely focuses on training and awareness and is delivered in the work environment”

Now, I’m all for security awareness.  I’m all for more security awareness.  I’m all for better security awareness.  I’m all for infosec departments to actually TRY security awareness (since they often say, “well, if it was gonna have worked, it woulda worked by now” and never try it).

But, come on.  A new “standard”?

As the man[1] said, the wonderful thing about computer “standards” is that there are so many to choose from.

What are we going to certify?  Users?  “Sorry, you have been found to be too stupid to use a computer at work.  You are hereby issued this non-jailbroken iPad.”

No, undoubtedly he thinks we are going to “certify” the awareness materials themselves.  Good luck with that.

I’ve been a teacher for a lot of years.  I’ve also been a book reviewer for a lot of years.  And I’ve published books.  Trust me on this: a variant of Gresham’s Law is very active in the textbook and educational materials field.  Bad textbooks drive out good.  As a matter of fact, it’s even closer to Gresham: money drives out good textbooks and materials.  Publishers know there is a lot of money to be made in textbooks and training materials.  Publishers with a lot of money are going to use that money to advertise, create “exclusive” contracts, and otherwise ensure that they have the biggest share of the market.  The easiest way to do that is to publish as many titles as you can, as cheaply as you can.  “Cheaply” means you use contract writers, who can turn out 200-300 pages on anything, whether they know about it or not.

So, do you really think that, if someone starts making noise about a security awareness standard, the publishers won’t make absolutely certain that they’ve got control of the certification process?  That if someone comes up with an independent standard that they can withstand the financial pressures that large publishers can bring to bear?  That if someone creates an independent cert, and firmly holds to principles and standards, that the publishers won’t just create a competing cert, and advertise it much more than the independent cert can ever hope to?

After all, none of us can possibly think of any lousy security product with a lot of money behind it that can command a larger market share than a good, but independent, product, now can we?

[1] Well, maybe it was Andrew Tanenbaum, but maybe it was Grace Hopper.  Or Patricia Seybold.  Or Ken Olsen.


New computers – Kindle – Ebooks and education

Recently I was discussing the use of technology in education, when an odd (to me) question came up.  It was about the use of ebooks.  That wasn’t really high on my radar on the tech-in-ed landscape.  When I started (good grief, more than 30 years ago) the use of computers for textbooks was a vague, blue-sky idea that a guy named Vannevar Bush had once talked about.  (Actually, he was talking about a desk, rather than a book.)

Recently, of course, there has been a lot of discussion about ebooks.  School boards have been looking into cost savings.  Major tech corporations and publishing conglomerates are getting on the bandwagon.  So, her interest was natural.

Specifically, she wanted to know:

> Perhaps you could talk to me a bit about why (from a non-environmental
> standpoint) it’s important for students to use digital e-books?
> Is there a learning curve when it comes to learning from an ebook
> rather than a textbook? Is there a shorter attention span?
> What about eye strain?
> How would this affect the structure of learning?

This I could do, having been given a Kindle for Christmas this year.  I have just finished doing my first review for the series, using an ebook on the device.  Definite tradeoffs: it was easier to grab quotes, much harder to make notes, easier to search, and a right royal pain to try and flip back and forth to check notes, index, etc.  Also a complete pain to check references in other works.

In terms of education, and using study materials in school, it was easier to grab quotes — which would make copying and plagiarism easy and very tempting.  That’s a bad thing.  It is much harder to make notes, and makes study, or writing your own paper, more difficult.  Again, given that the purpose of many assignments is to get students to practice creating their own writing, this is a bad thing.

On the other hand, it’s easier to search, and that’s good for studying.

But it’s a right royal pain to try and flip back and forth to check notes (most books don’t have footnotes any longer; they are now endnotes, at the back of the book), the index, appendices, and other material in the book.  It is also a complete pain to check references in other works, which is definitely bad for studying and learning.

In terms of it being “important” for students to use ebooks: as a former public school teacher I don’t think it is.  The only reasons would be cost, and getting up to date materials.  Frankly, the quality of almost all school texts is absolutely appalling, so having the latest version of tripe isn’t all that important.  So, that just leaves cost.

There is a learning curve to using an e-reader, but a fairly small one.  No, I take that back.  Actual reading isn’t that hard, but you do have to learn something about filing, arranging, and accessing material on the device, particularly in a school/learning situation.

The small screen size is a bit annoying, although you generally can increase the font size.  (The book I just finished reviewing was in PDF, and the font-size options for PDFs are much more limited.)  Generally I didn’t find much eye strain, although I’m used to reading small print, but in low light it was pretty awful.

In terms of learning structure, there could be some advantages.  As a teacher, I could create notes and send them to the devices of all the students: it would help that they could not say they didn’t have the assignment  :-)


Corporate social media rules

An item for discussion:

I’ve seen this stuff in some recent reports of lawsuits.  First people started using social media, for social things.  Then corps decided that socmed was a great way to spam people without being accused of spamming.  Then corps suddenly realized, to their horror, that, on socmed, people can talk back.  And maybe alert other people to the fact that you a) don’t fulfill on your promises, b) make lousy products, c) provide lousy service, and d) so on.

Gloria ran into this today and asked me about the legalities of it.  I imagine that it has all the legality of any waiver: you can’t sign away your rights, and a waiver has slightly less value than the paper it’s printed on (or, slightly more, if a fraudster can copy your signature off it  [Sorry, I'm a professional paranoid.  My brain just works that way.]).

Anyway, what she ran into today (a Facebook page that was offering to let you in on a draw if you “liked” them) (don’t worry, we’ve already discussed the security problems of “likes”):

“We’re honoured that you’re a fan of [us], and we look forward to hearing what you have to say. To ensure a positive online experience for the entire community, we may monitor and remove certain postings. “Be kind and have fun” is the short version of our rules. What follows is the longer version of rules for posts, communications and general behaviour on [our] Facebook page:”

[fairly standard "we're nice people" marketing type bumpf - rms]

“The following should not be posted on [our] Facebook pages:”

Now, some of this is good:
“Unauthorized commercial communications (such as spam)
“Content meant to bully, intimidate or harass any user
“Content that is hateful, threatening, discriminatory, pornographic, or that
contains nudity or graphic or gratuitous violence
“Content that infringes or violates someone else’s rights or otherwise violates the law
“Personal, sensitive or financial information on this page (this includes but is not limited to email addresses, phone numbers, etc.)
“Unlawful or misleading posts”

Some of it is protecting their “brand”:
“Competitor material such as pictures, videos, or site links”

Some has to do with the fact that they are a franchise operation:
“Links to personal [agent] websites, or invitations from [agents] to connect with them privately”

But some of it limits freedom of expression:
“Unconstructive, negative or derogatory comments
“Repeat postings of unconstructive comments/statements”

And, of course, the kicker:
“[We] reserves the right to remove any postings deemed to be inappropriate or in violation of these rules.”

Now, it’s probably the case that they do have the right to manipulate the content on their site/page any way they want to.  But, how far can these “rules” go?


2nd Annual Cyber Security China 2012

It seems like nowadays China is the immediate suspect when it comes to hacking attempts or cyber espionage. It’s therefore interesting to know that they are suffering from as many internal attacks as anyone else.

The ‘Cyber Security China 2012’ is organized with ISC2, which is typically a good indicator for interesting speakers and content (at least, that’s been my past experience in other countries). The description shows that the Chinese are worried about the same things we all are:

With support from the Ministry of Public Security of China, and working with ISC2, ITU-IMPACT and ISFS Hong Kong, Cyber Security China 2011 was successfully organized on March 24-25 in Shanghai, China. The 2011 event convened 130+ delegates from global and local cyber security authorities, government, law enforcement agencies, users and security vendors, and mainly explored the solutions against evolving cyber threats and attacks, and how to fight the cyber crimes through public-private-partnership.

More information here.


Who’s Who phish

And here, I thought I was finally famous.  It’s so disappointing.

I got a “Weekly Follow-up from the National Academic Association.”  I suppose it doesn’t really matter that I’d never heard of them, let alone weekly, because it came from the “Academic Association.”

“Hello Candidate,” it starts, and goes on to tell me that “As the school year opens, the Who’s Who Among Executives and Professionals begin a global search for accomplished individuals in both faculty and administrative roles at post-secondary institutions of learning.”

Could this possibly be a job offer?  They apparently need me to “verify your contact information so that we can properly publish your updated credentials alongside 30,000 of your prestigious peers. Such a listing can only bring you increased visibility and networking opportunities within the scholastic community.”  Only 30,000!  Such a select group!

Alas, when I actually went to the site (tested with a safe browser, but it doesn’t actually seem to be feeding malware) it turned out to be the “International Association of Successful Individuals.”  Therefore, I don’t qualify, but no doubt a number of you do, so I’m letting you know  :-)


New computers – Kindle

The Girls, who have been having a grand time in recent years finding interesting high tech goodies that I never even knew existed, got me a Kindle for Christmas.  So, of course, I’m going to review the Kindle.

I had been putting off the idea of getting one for myself.  I do a lot of reading, but that’s primarily because I do a lot of reviewing, and for that you need the ability to make notes, and transfer said notes back to the computer for writing up.  So far, I haven’t seen an awful lot that convinces me the e-readers are there yet.

But, I do have to say that, right off the top, the idea of having 60 books (so far) in something that is lighter than a paperback definitely has its attractions.  So far I’ve been able to load the Bible, some tech articles, my own security dictionary, a dozen Sherlock Holmes stories, Don Quixote (both of which I have read), The Divine Comedy, War and Peace (both of which I intend to read–sometime), a fair amount of poetry, and an egalley for Bruce Schneier’s latest (sent along by his publicist).

Unfortunately, all this fun exploring has me somewhat behind in news and email, so I’ll have to start putting together my observations of the Kindle, itself, a bit later.


Easy login into Korean Point-of-Sale device

Some things are cross-cultural, it seems. Especially when it comes to trivial security mishaps.
So I’m at a PoS terminal in a large department store in Seoul and while I’m waiting for the register to ring up my order, I look at the touchscreen where I will be asked for my signature in a moment. I notice a little icon that looks like ‘settings’. How can I not click on it?

[Screenshot: Initial PoS screen]
Oh, it needs a password. Must be this PCI compliance thing everybody is raving about. And no, wiseass, 1-2-3-4-5 doesn’t work.

[Screenshot: Asking for password]

…But 1-2-3-4 does.


Yup. Unlocked.
Now I need to polish up my Korean to figure out what to do next. Suggestions?

[Screenshot: Menu Screen]

Sorry for the full disclosure guys. And that includes all of you that now need to change your luggage combination.


REVIEW: “Surviving Cyberwar”, Richard Stiennon

BKSRCYWR.RVW   20110325

“Surviving Cyberwar”, Richard Stiennon, 2010, 978-1-60590-688-1
%A   Richard Stiennon
%C   4501 Forbes Blvd, #200, Lanham, MD   20706
%D   2010
%G   978-1-60590-688-1 1-60590-674-3
%I   Government Institutes/Scarecrow Press/Rowman & Littlefield Publ.
%O   800-462-6420
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   180 p.
%T   “Surviving Cyberwar”

The introduction is the customarily (for books on currently “hot” topics) vague warning that there is danger out there.

Chapter one, according to the title, is supposed to talk about the “Titan Rain” attacks.  In reality it concentrates on Shawn Carpenter and his personal problems, and says very little either about details of the technology, or ideas for defence.  China, and various activities in espionage (and diplomatic disagreements with the US), is the topic of chapter two.  (One story is not about China.)  Although entitled “Countering Cyber Espionage,” chapter three is just about security tools and malware.  Chapter four lists random aspects of, and attacks on, email.  The Pentagon is dealt with, in similarly haphazard fashion, in chapter five.

A few wars, or tense “situations,” are mentioned in chapter six, along with some possibly related computer involvement.  Chapter seven titularly promises DDoS defence, but mostly just talks about distributed denial of service attacks, along with a mention of the error of using BGP (Border Gateway Protocol) as a routing protocol.  Aspects of social networking, mostly in support of activism, are noted in chapter eight.  Chapter nine is a not-very-useful account of the Estonian cyber-attack of 2007, ten briefly mentions some others in eastern Europe, and eleven mentions the Georgian attack.  There is a rambling dissertation on war and various computer security problems in chapter twelve.  Chapter thirteen appears to be an attempt to provide some structure to the concept of cyberwar, but establishes very little of any significance.  Preparations, by some nations, for cyberwarfare are mentioned in chapter fourteen.  Most of the detail is for the US, and there isn’t much even for them.  A final chapter says that the existence of cyberwarfare could cause troubles for lots of people.

The content and writing are rambling and disorganized.  This reads more like a collection of fifteen lengthy, but not terribly well researched, magazine articles than an actual book.  There are many more informative resources, such as Dorothy Denning’s “Information Warfare and Security” (cf. BKINWRSC.RVW) (which, despite predating this work by a dozen years, still manages to present more useful information).  Stiennon does not add anything substantial to the literature on this topic.

copyright, Robert M. Slade   2011     BKSRCYWR.RVW   20110325


REVIEW: “Good Night Old Man”, George Campbell

BKGNOM.RVW   20111128

“Good Night Old Man”, George Campbell, 2011, 978-9878319-0-3, C$19.95
%A   George Campbell
%C   PO Box 57083 RPO Eastgate, Sherwood Park, AB Canada T8A 5L7
%D   2011
%G   978-9878319-0-3
%I   Dream Write Publishing
%O   C$19.95  780-445-0991
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   342 p.
%T   “Good Night Old Man”

On page 114 the author asserts that even learning to use Morse code “bestowed on us instant acceptance into a society whose members regularly performed tasks too difficult for most others to even attempt.”  This statement will be instantly recognizable by anyone in any technical field.  This is because in the beginning was the telegraph.  And the telegraph begat teletype (and Baudot code) and the telephone.  And telephone company research labs (in large measure) begat computers.  And teletype begat the Internet.  And wireless telegraphy begat radio.  And radio and the telephone and the Internet and computers begat 4G.  (Or, at least, they will beget it once they get it right.)  But it all started with the telegraph.

As the author states, any communications textbook will mention the telegraph.  Most will tell you Morse code began on May 24th, 1844.  Some might mention that it isn’t in use anymore.  A few crypto books might let you know that commercial nomenclators were used not just for confidentiality, but to reduce word counts (and thus costs) when sending telegrams.  (The odd data representation text might relay the trivium that Morse code is not a binary code of dots and dashes, but a trinary code of dots, dashes, and silence.)
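The three-symbol point is easy to see in code.  The following is an added illustration, not code from the review or from Campbell’s book: it encodes and decodes International Morse (letters only) with explicit letter and word gaps, turns a message into key-down/key-up timings in dot units, and then counts how many readings a dot-and-dash string has once the silences are thrown away.

```python
"""Morse as a three-symbol code: dot, dash, and the silence between them.

Added illustration, not from the review or the book.  The table is the
standard International Morse alphabet, letters only, to keep it short.
"""
MORSE = {
    'A': '.-',   'B': '-...', 'C': '-.-.', 'D': '-..',  'E': '.',
    'F': '..-.', 'G': '--.',  'H': '....', 'I': '..',   'J': '.---',
    'K': '-.-',  'L': '.-..', 'M': '--',   'N': '-.',   'O': '---',
    'P': '.--.', 'Q': '--.-', 'R': '.-.',  'S': '...',  'T': '-',
    'U': '..-',  'V': '...-', 'W': '.--',  'X': '-..-', 'Y': '-.--',
    'Z': '--..',
}
REVERSE = {code: letter for letter, code in MORSE.items()}


def encode(text):
    """Encode text: one space separates letters, ' / ' separates words."""
    words = []
    for word in text.upper().split():
        words.append(' '.join(MORSE[ch] for ch in word))
    return ' / '.join(words)


def decode(code):
    """Decode a gapped Morse string; the gaps are what make this unambiguous."""
    words = []
    for word in code.split(' / '):
        words.append(''.join(REVERSE[sym] for sym in word.split()))
    return ' '.join(words)


def keying(code):
    """Translate gapped Morse into (key state, duration) pairs in dot units:
    dot 1, dash 3, gap inside a letter 1, between letters 3, between words 7.
    The 'off' entries are the third symbol: silence carries the structure."""
    timeline = []
    for wi, word in enumerate(code.split(' / ')):
        if wi:
            timeline.append(('off', 7))
        for li, letter in enumerate(word.split()):
            if li:
                timeline.append(('off', 3))
            for si, sym in enumerate(letter):
                if si:
                    timeline.append(('off', 1))
                timeline.append(('on', 1 if sym == '.' else 3))
    return timeline


def segmentations(stream):
    """Every way to read a gap-free dot/dash stream as a sequence of letters.
    With the silences removed the code is no longer uniquely decodable."""
    if stream == '':
        return ['']
    readings = []
    for code, letter in REVERSE.items():
        if stream.startswith(code):
            for rest in segmentations(stream[len(code):]):
                readings.append(letter + rest)
    return readings


if __name__ == '__main__':
    msg = encode('SOS')
    print(msg, '->', decode(msg))
    print(keying(msg))
    gapless = msg.replace(' ', '')
    print(gapless, 'has', len(segmentations(gapless)), 'readings, e.g.',
          segmentations(gapless)[:5])
```

Without the gaps, `...` alone can be read as S, EI, IE or EEE, and a nine-element stream such as `...---...` has dozens of readings; the operator’s ear resolved all of that from timing, which is exactly the information a dots-and-dashes-only representation discards.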

But they won’t tell you anything about what it was like to be a telegrapher, to actually communicate, and help other people communicate with Morse code.  How you got started, what the work was, and what your career might be like.  This book does.

I am not going to pretend to be objective with this review.  George Campbell is my wife’s (favourite) uncle.  He’s always liked telling stories, has a fund of stories to tell, and tells them well.  For example, he was the first person in North America to know about the German surrender in Europe, since he was the (Royal Canadian Naval Volunteer Reserve) telegrapher who received the message from Europe and passed it on.  Of course, the message was in code.  But everyone knew it was coming, and he knew who the message was from, and who it was going to.  You can learn a lot with simple traffic analysis.

There are lots of good stories in the book.  There are lots of funny stories in the book.  If you know technology, it is intriguing to see the beginnings of all kinds of things we use today.  Standard protocols, flow control, error correction, and data compression.  Oh, and script kiddies, too.  (Well, I don’t know what else you would call people who don’t understand what they are working with, but do know that if you follow *this* script, then *that* will happen.)  It is fascinating to see all of this being developed in an informal fashion by people who are just trying to get on with their jobs.

The title, “Good Night Old Man,” comes from a code the telegraphers themselves used.  “GN” (and a “call sign”) was sent when the telegrapher signed off his station for the night.  Morse code is no longer used commercially.  Within a few years, the last of the “native” speakers will have died off.  Morse will become a dead language, possibly studied by some hobbyists and academics, who can tease legibility out of a sample, or laboriously create a message in that form, but without anything like the facility achieved by those who had to use it day in and day out.

This is a last chance to learn a part of history.

copyright, Robert M. Slade   2011     BKGNOM.RVW   20111128


The political risks of a DDoS

In Korea, the ruling party performed a DDoS attack, and as a result the chairman and most of its officials will resign. Most likely, it will be disbanded completely.
This is probably the most severe result of a cyber attack yet. Of course, the only reason they know whom to blame is that the guy responsible for the attack admitted guilt. DDoS is all fun and games until the guy you hired to do it spills the beans.


All that, and it was just pharma spam?

Got a message yesterday.  It was immediately suspect, since it purportedly came from YouTube, and was threatening that I had sent “the maximum number of messages per day.”  It was also sent to the “-owner” of a mailing list I run on Yahoo.  Of course, I don’t send email through YouTube.

However, since I do have a YouTube account, and just in case there was a mail capability I didn’t know about, I figured I’d better check it out.  Sending through Yahoo is a good form of obfuscation.  I did, eventually, figure out that it came via ThePlanet in Houston (probably a bot infected machine).

I then suspected that it might be some kind of account phishing.  However, when I actually looked at the URL, and checked it out, it seems to have been a simple pharma spam (bounced from a site in France to one in Russia).

All that trouble and obfuscation, just to post pharma spam?  Sophisticated misdirection kits are obviously getting cheaper and easier for the script kiddie level spammers to buy.
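Tracing a message back the way the post describes means reading the Received: headers from the bottom up, since each mail server prepends its own line.  The Python below is an added example, not the message from the post or the author’s method; its sample message is constructed, with reserved `.example` hostnames and RFC 5737 documentation addresses, so it points at no real host.  It lists the hops in chronological order and flags an origin whose announced HELO name was not confirmed by the receiving server’s reverse lookup.

```python
"""Walk a message's Received: headers from the earliest hop up.

Added example, not the post's message or method.  RAW_MESSAGE is constructed:
.example hostnames and RFC 5737 documentation addresses only.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample.  Servers prepend Received: lines, so the top line is the
# last hop (our list server) and the bottom line is where the mail came in.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby list.example.org with ESMTP id abc123
\tfor <list-owner@example.org>; Tue, 20 Dec 2011 10:15:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.net with ESMTP; Tue, 20 Dec 2011 10:14:59 +0000
Received: from service.youtube.example (unknown [192.0.2.45])
\tby relay.example.net with SMTP; Tue, 20 Dec 2011 10:14:55 +0000
From: "Video Service" <service@youtube.example>
To: list-owner@example.org
Subject: You have sent the maximum number of messages per day

Click the link to verify your account.
"""

HOP_RE = re.compile(r'from (\S+)(?: \(([^)]*)\))? by (\S+)', re.IGNORECASE)
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def received_hops(raw):
    """Hops in chronological order, earliest (origin) first.

    'helo' is whatever the sending host announced, and it can say anything;
    'rdns' and 'ip' are what the receiving server recorded about its peer.
    """
    msg = email.message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all('Received', [])):
        text = re.sub(r'\s+', ' ', header)           # unfold the header
        m = HOP_RE.search(text)
        if not m:
            continue                                 # e.g. local delivery lines
        comment = m.group(2) or ''
        first = comment.split()[0] if comment else ''
        ip = IP_RE.search(comment)
        hops.append({
            'helo': m.group(1),
            'rdns': first if first and not first.startswith('[') else None,
            'ip': ip.group(1) if ip else None,
            'by': m.group(3),
        })
    return hops


def helo_is_consistent(hop):
    """True when the announced name is confirmed by the receiver's reverse lookup."""
    return hop['rdns'] is not None and hop['rdns'].lower() == hop['helo'].lower()


def from_domain(raw):
    """Domain in the From: header, which the sender chooses freely."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get('From', ''))
    return addr.rpartition('@')[2].lower()


def assess(raw):
    """Summarise the origin.  Only the lines added by servers you control are
    trustworthy; everything below them came from the sender's side."""
    hops = received_hops(raw)
    if not hops:
        return None
    origin = hops[0]
    return {
        'origin_ip': origin['ip'],
        'origin_helo': origin['helo'],
        'helo_confirmed': helo_is_consistent(origin),
        'from_domain': from_domain(raw),
        'hops': len(hops),
    }


if __name__ == '__main__':
    for hop in received_hops(RAW_MESSAGE):
        print('%15s  %s (rdns: %s) -> %s'
              % (hop['ip'], hop['helo'], hop['rdns'], hop['by']))
    print(assess(RAW_MESSAGE))
```

Run on the sample, the bottom hop claims to be `service.youtube.example` but the receiving relay could not confirm that name, and the IP it recorded is the lead to follow.  Everything below the first Received: line written by a server you control was produced by the sender’s side and could have been forged, so the origin line is a lead to be checked against its IP, not proof.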


Amex clueless about security–so what else is new?

American Express is, as far as I know, alone among major financial institutions (for large values of “major”) in sending out phish-like messages.  Pretty much every other bank has gotten the message: don’t send email to your customers, and alert them that if they receive email, it’s not from you.

(I’m still getting those messages, by the way.  Ironically, it’s because I don’t want them.  If I want to tell Amex to turn them off, the only way I can do that is to register to receive them.  Explain to me the logic underlying that process …)

Amex is also alone in not providing an email account to which you can send phishing messages.  I guess Amex doesn’t want to do any more takedowns than they absolutely have to.

As a security pro, I’ve got contacts, personal contacts, in many major banks and financial institutions.  These are people who work in phishing and malware takedowns, and I’ve encountered them in the course of my research into same over the years.  I’ve never come across anyone from Amex.  I’ve never had anyone from Amex in any of my seminars.

So, it is no great surprise that when a researcher recently found a gaping hole in Amex security, he had a very hard time letting Amex know about it.


History of crimeware?

C’mon, Infoworld, give us a break.

“There are few viable options to combat crimeware’s success in undermining today’s technologies.”

How about “don’t do dangerous stuff”?

“Crimeware: Foundation of today’s telescreens”

I’m sorry, what has “1984” to do with the use of malware by criminal elements?

“Advancement #1: Form-grabbing for PCs running IE/Windows
Form grabbing, as its name implies, is the crimeware technique for capturing web form data within browsers.”

Can you say “login trojan”?  I knew you could.  They existed even before PCs did.

“Advancement #2: Anti-detection (also termed stealth)”

Oh, no!  Stealth!  Run!  We’re all gonna die!

Possibly the first piece of malware to use some form of stealth technology to hide itself from detection was a virus.  Perhaps you might have heard of it.  It was called BRAIN, and was written in 1986.

“Advancement #5: Source code availability/release
The source codes for Zeus and SpyEye, among the most sophisticated crimeware, were publicly released in 2010 and 2011, respectively.”

And the source code for Concept, which was, at the time, the most sophisticated macro virus (since it was the only macro virus), was released in 1995, respectively.  But wait!  The source code for the CHRISTMA exec was released in 1988!  Now how terrified are you!

“Crimeware in 2010 deployed the capability to disable anti-malware products”

And malware in 1991 deployed the capability to disable CPAV and MSAV.  With only fourteen bytes of code.  As a matter of fact, that fourteen byte string came to be used as an antivirus signature for a while, since so many viruses included it.

“Advancement #7: Mobile device support (also termed man-in-the-mobile)”

We’ve got “man in the middle” and “meet in the middle.”  Nobody is using “man in the mobile” except you.

“Advancement #8: Anti-removal (also termed persistence)
As security solutions struggle to detect and remove crimeware from compromised PCs, malware authors are updating their code to permit it to re-emerge on PCs even after its supposed removal.”

I’ve got four words for you: “Robin Hood” and “Friar Tuck.”

The author “has served with the National Security Agency, the North Atlantic Treaty Organization, the U.S. Air Force, and two Federal think tanks.”

With friends like this, who needs enemies?


Nightmare on Malware Street

The Scientific American, no less, has published an article on malware.  Not that they don’t have every right, it’s just that the article is short on fact or help, and long on rather wild conjecture.

The author does have some points to make, even if he makes them very, very badly.

We, both as security professionals and as a society, don’t take malware seriously enough.  The security literature on the subject is appalling.  It is hard to find books on malware, even harder to find good ones, and well nigh impossible to find decent information in general security books.  The problem has been steadily growing since it was a vague academic topic, and has been ignored for so long that, now that it is a real problem, even most security experts have only a tenuous grasp of it.

Almost all reports do sound like paranoid thrillers.  Promoting the idea of shadowy genius figures in dark corners manipulating us at will, this engenders a kind of overall depression: we can’t possibly fight it, so we might as well not even try.  This attitude is further exacerbated by the dearth of information: we can’t even know what’s going on, so how can we even try to fight it?

It is getting more and more difficult to find malware, mostly because we are constantly creating new places for it to hide.  In the name of “user friendliness,” we are building ever more complex systems, with ever more crevices for the pumas to hide in.

Yes, then he goes off into wild speculation and gets all “Reflections on Trusting Trust” on us.  Which kind of loses the valid points.


The truth behind the Opera unpatched vulnerability

How hard is it to get facts straight? I don’t expect vendors to admit they sat on a vulnerability for months without patching: it’s human nature to blame someone else:

Opera [...] claims that it couldn’t replicate the issue at the time. According to the vendor, its attempts to obtain more information from the researcher at the time weren’t successful.

Of course, when dealing with vendors, it’s always “the dog ate my homework” and “I swear we couldn’t reproduce it until it became public”
But I’m puzzled as to why a technical reporter would just happily accept what’s being shoveled at him. For one, he could have contacted us and asked…

Here’s what really happened: We notified Opera about this vulnerability back in May. We gave them the Proof-of-Concept, disassembly, explanation and vulnerability analysis. So saying they did not have the full information is far from the truth. We didn’t ask for anything in return (we never do) but I admit we were skeptical based on previous experience with reporting vulnerabilities to Opera.
Then came the million-dollar question: we were asked if it worked on the latest version of Opera, and we said we didn’t know. Since, last time I checked, no one here worked for the Opera QA team, we didn’t feel it was our job to check it. The response was typical:
“We only fix issues that are relevant to the latest version of Opera”

Followed by the all-too-common: “the items provided only cause crashes; they have no intention to fix them”.

I guess they meant “we won’t fix them unless you drop a 0-day and we get a call from a computer magazine”. The Vendors-against-full-disclosure will continue, no doubt. Tech writers, get your spines refitted please: if you’re not a part of the solution, you’re a part of the problem.