REVIEW: “Rainbows End”, Vernor Vinge

BKRNBSND.RVW   20130525

“Rainbows End”, Vernor Vinge, 2006, 0-312-85684-9, U$25.95/C$34.95
%A   Vernor Vinge
%C   175 Fifth Avenue, New York, NY  10010
%D   2006
%G   0-312-85684-9
%I   Tor Books/Tom Doherty Assoc.
%O   U$25.95/C$34.95 pnh@tor.com www.tor.com
%O   http://www.amazon.com/exec/obidos/ASIN/0312856849/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0312856849/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0312856849/robsladesin03-20
%O   Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation)
%P   364 p.
%T   “Rainbows End”

It is always a pleasure to read something from Vinge.  His characters are interesting, his plots sufficiently convoluted, and his writing clear and flowing.  In addition, for the geek, his understanding of the technology is realistic and fundamental, which makes a change from so many who merely parrot jargon they do not comprehend.

Of course, this is future technology we are talking about, so none of it is (currently) real.  But it could be, without the wild flights of illogic that so abound in fiction.

In this book, we have a future with interconnectedness around the globe.  Of course, this means that there are dangers, in regard to identity and authentication.  The new technology protects against these dangers with a Secure Hardware Environment.  (Or SHE, and, since the DHS mandates that everyone must use it, does that make it SHE-who-must-be-obeyed?)

Encryption is, of course, vital to the operations, and so is used a lot, often in multiple layers.  It is probably a measure of the enjoyability of Vinge’s work that I really didn’t take note of the fact that two of the characters were named Alice and Bob.  Not, that is, until late in the volume, when the author also briefly introduces a character named Eve Mallory.

copyright, Robert M. Slade   2013   BKRNBSND.RVW   20130525


Outsourcing, and rebranding, (national) security

I was thinking about the recent trend, in the US, for “outsourcing” and “privatization” of security functions, in order to reduce (government) costs.  For example, we know, from the Snowden debacle, that material he, ummm, “obtained,” was accessed while he was working for a contractor that was working for the NSA.  The debacle also figured in my thinking, particularly the PR fall-out and disaster.

Considering both these trends, outsourcing and PR, I see an opportunity here.  The government needs to reduce costs (or increase revenue).  At the same time, there needs to be a rebranding effort, in order to restore tarnished images.

Sports teams looking for revenue (or cost offsets) have been allowing corporate sponsors to rename, or “rebrand,” arenas.  Why not allow corporations to sponsor national security programs, and rebrand them?

For example: PRISM has become a catch-phrase for all that is wrong with surveillance of the general public.  Why not allow someone like, say, DeBeers to step in?  For a price (which would offset the millions being paid to various tech companies for “compliance”) it could be rebranded as DIAMOND, possibly with a new slogan like “A database is forever!”

(DeBeers is an obvious sponsor, given the activities of NSA personnel in regard to love interests.)

I think the possibilities are endless, and should be explored.


Click on everything?

You clicked on that link, didn’t you?  I’m writing a posting about malicious links in postings and email, and you click on a link in my posting.  How silly is that?

(No, it wouldn’t have been dangerous, in this case.  I disabled the URL by “x”ing out the “tt” in “http” (which is pretty standard practice in malware circles), and further “x”ed out a couple of the letters in the URL.)
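The “x”ing-out the paragraph describes is usually called defanging, and the same convention is used when quoting indicators in incident reports and mailing-list posts so that nobody clicks them by accident.  The following is an added example, not code from the original post: it turns `http`/`https` into `hxxp`/`hxxps` as described above, also brackets the dots in the host part (`example[.]com`, the other common convention), and provides the inverse so an analyst can restore the original string when it is time to look the indicator up.  The URLs in the test are constructed and do not refer to any real site.

```python
"""Defang and refang URLs so they can be quoted without being clickable.

Added example (not from the original post).  Handles only http(s) URLs,
which is what the convention is used for in practice.
"""
import re
from urllib.parse import urlsplit

# Matches the scheme of a live http(s) URL, case-insensitively.
_LIVE_SCHEME_RE = re.compile(r"^https?://", re.IGNORECASE)

# Finds live http(s) URLs embedded in free text (stops at whitespace/quotes/brackets).
_URL_IN_TEXT_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Matches a defanged scheme (hxxp / hxxps) when refanging.
_DEFANGED_SCHEME_RE = re.compile(r"^hxx(ps?)://", re.IGNORECASE)

# Matches the bracketed-dot variants people use: [.] (.) {.}
_BRACKETED_DOT_RE = re.compile(r"[\[\(\{]\.[\]\)\}]")


def defang(url: str) -> str:
    """Return a non-clickable rendering of a single http(s) URL.

    - the "tt" in http/https becomes "xx"  (http -> hxxp, https -> hxxps)
    - every dot in the host part becomes "[.]"
    Path and query are left untouched so the indicator stays recognisable.
    """
    if not _LIVE_SCHEME_RE.match(url):
        raise ValueError(f"only http(s) URLs are handled: {url!r}")
    parts = urlsplit(url)
    # urlsplit lower-cases the scheme but keeps its length, so slicing by
    # length gives us everything after "scheme://netloc" verbatim.
    rest = url[len(parts.scheme) + 3 + len(parts.netloc):]
    scheme = parts.scheme.lower().replace("tt", "xx", 1)
    host = parts.netloc.replace(".", "[.]")
    return f"{scheme}://{host}{rest}"


def defang_text(text: str) -> str:
    """Defang every live http(s) URL found in a block of text (e.g. a report)."""
    return _URL_IN_TEXT_RE.sub(lambda m: defang(m.group(0)), text)


def refang(text: str) -> str:
    """Inverse of defang: hxxp(s) -> http(s), bracketed dots -> plain dots.

    Works on a single URL or on a whole block of text.
    """
    text = _DEFANGED_SCHEME_RE.sub(r"htt\1://", text)
    return _BRACKETED_DOT_RE.sub(".", text)


def is_defanged(url: str) -> bool:
    """True if the string is already in defanged form (so we don't double-defang)."""
    return bool(_DEFANGED_SCHEME_RE.match(url)) or bool(_BRACKETED_DOT_RE.search(url))


if __name__ == "__main__":
    # Constructed sample, not a real site.
    sample = "Phish seen at http://www.example.com/login.php?id=1 today."
    safe = defang_text(sample)
    print(safe)
    print(refang(safe) == sample)
```

`defang_text` is the one to run over an e-mail or report body before pasting it into a forum post; `refang` is for the analyst on the receiving end who needs the literal string back for a lookup.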


Risk analysis, traffic analysis, and unusual factors

Canadian terrorists strike again: apparently we are responsible for taking down a major piece of transportation infrastructure, viz., the I-5 bridge over the Skagit river at Mount Vernon.

A friend in Seattle assures me that, while he is disappointed in us, he holds no grudges, and is willing to warn us if he hears of any drone strikes planned for north of the border.

(Allow me, for a moment, to examine this “oversized load” on which everyone is blaming the collapse.  Image 2 in the slide deck [if they don't change it] is this “oversized load.”  You will notice that it is basically an empty box with the two sides missing, and has, relatively, zero structural rigidity.  If a ding from that kind of load brought the bridge down [and didn't even collapse the load itself], the bridge was definitely unsafe.)

I drive that route regularly, and, when I heard that a bridge had gone down, that bridge was the first one I thought of.  I have always felt unsafe crossing it.  There is a wrongness about it you can just feel.

It’s also ugly.  And I am reminded of an essay by an engineer who said that bridges were the most beautiful products of all forms of engineering.  A properly designed bridge has curves, and those curves just feel right.  They are beautiful.

So, if you ever have questions about a bridge, and you don’t have enough facts to go on, just look at it.

If it’s ugly, don’t cross it.


Memory lane …

I ordered a new computer before Christmas, and there have been delays getting it.  Today the shop called and said that the one I ordered (with 4 Gigs of RAM) was still short, but they did have one with 6 Gigs, if I was willing to pay an extra ten bucks.  So I said fine.

Got off the phone and told Gloria about it.  She asked “How many Commodores is that?” since I still have a Commodore 64 in the “computer museum” trunk.

32,000.  Give or take a few for rounding purposes.  For ten bucks, the equivalent memory of 32,000 Commodore 64 computers.

We work in a bizarre field.


Online forum rule haikus

On the CISSPforum we were discussing precepts for getting along and keeping the discussions meaningful.  Somebody started listing rules, so I started casting them as haikus.  That prompted a few more.

I wondered if these were only for that group, but then realized most of them were applicable to online discussions of whatever type.  So, herewith:


Create your own space
Meaningful content only
Comes to those who post.

Silence calls silence
Lurkers don’t disturb quiet
Sleep beckons as well.

The posts are boring?
Raise topic of interest
Thread starter lauded.

Forum like sewer:
What you get out of forum
Depends on input.

Being creative
Is much better than being
Tagged as complainer.

These are your colleagues.
Why are you so much better
That they must start first?

The forum that is
Is not what must always be.
Build a better world.

Friday is not for
Building new realities.
Your colleagues would sleep.


Then some others chimed in:

I remember trust
It disappeared so quickly
I guess we were fools

Pointing to resource
Always appreciated
Who can search the whole?

Putting platitudes
into pleasing haiku
removes sting of truth

Now you’re getting it.
Format is everything.  (Well,
And maybe context  :-)

friday gratitude
is here at last for resting
ignoring infosec

Friday at last! Time for
Bottles of overpriced wine.
Why’m I still at work???

Request not correct.
Reformat for this thread.
Please resubmit now.

UNSUBSCRPTION post
Jangles cosmic harmonies
Til balance achieved.


Secure Awareness mottoes and one-liners

From various forums, mailing lists, discussions and other sources (many of which exist only in my febrile imagination), herewith a bit of a compilation of mottoes that can be used as part of a security awareness campaign:

No-one in Africa wants to GIVE anyone their money or gold.

Microsoft/Google/a Russian oil magnate/VW/BMW/etc certainly does not want to GIVE anyone money/a car/etc.

A stunning Russian blonde DOES NOT want to marry you.

If it sounds too good to be true, IT IS.

A web site, Email message, IM or tweet that tells you you need to install security software IS LYING.

Just because it’s in a Google search result or an “ad by Google” does NOT mean it is safe.

If the options seem to be “Click OK/Run/Install” or “turn off the computer”, TURN OFF THE COMPUTER.

Did your friend really send you that message?

Is your friend really as smart about computer security as you think?
A. No    B. Not at all    C. Well and truly not    D. All the above

You didn’t win the Irish lottery.

Your bank doesn’t want you to change your password.

Don’t be Phish Phood.

Pwnly Phools Phall for Phishing.

Think, THINK every click.

Need extra money?  Want to work from home?  Getting a job from a spammer is NOT A GOOD IDEA!!!

When did you last make a backup?  Do you want to do [period of time] worth of work all over again?

Report the suspicious, not the strange.

If the bank thinks your online account has been hacked, they won’t warn you by email.

Being sociable doesn’t mean being totally open. Be careful what you disclose via social media.

If someone wants/offers to make something really easy for you, there is a way that can be used against you.

Hide your ‘cheese’ (get a router).

A patch a day keeps hackers away (keep your OS and apps up to date).

Always wear a helmet (install a firewall/antivirus package).

The great unknown ain’t so great (only use software you can trust).

Use sunscreen to prevent burns (lock down your OS and apps).

Make 007 jealous (learn to use additional security tools).

“Password” is not a password (use strong passwords).

Keep your skeletons in the closet (protect your personal data).

Don’t be a dork (be smart when you’re on-line).

Keep your dukes up (stay informed and vigilant).

Infosec is like a sewer: what you get out of it, depends on what you put into it.


Some are recently from the #InfosecMotherlyAdvice tag on Twitter:

Don’t click … it’ll get infected.

Don’t take cookies from strangers.

Idle systems are a botnet’s playground.

A backup in hand is worth two in the cloud.

While you’re connected to my network you’ll live by my firewall rule.

A backup a day keeps data loss away.

We’d better get you a bigger firewall – you’ll grow into it.

Close the security holes, you’re letting all our sensitive data out.

If your system gets compromised and crashes, don’t come emailing to me.

Always encrypt your data.  You never know when you’ll have an accident.

If everybody else clicked on links in emails, would you do that too?

Either you’re inside the firewall, or outside the firewall! Don’t leave it open!

Install your patches if you want your security to grow up big and strong.

Don’t put that in your browser, you don’t know where it’s been.

Someday your bluescreen will freeze like that!

It’s all fun and games until someone loses sensitive data.

Only you can prevent Internet meltdowns.


Beware! The “Metavirus”!

In the spirit of many infosec and antivirus company “announcements” of “new threats” in the past year:

A leading (if unemployed) information security and malware researcher, today noted startling developments (which were first mentioned in 1988, but we’ll leave out that bit) in cross-platform malware.

Dubbed the “metavirus,” this threat could completely swamp the Internet, and render literally billions of computers useless.  The chief researcher at the Vancouver Institute for Research into User Security has found that these entities can be created by almost anyone, even without programming knowledge or skills.  “This doesn’t even require a malware kit,” said Rob Slade, who has “discovered” this unregarded vulnerability.

Although the number of metavirus “families” is very small, in comparison to the millions of viruses, worms, and trojans discovered yearly, they are remarkably resistant to disinfection.  Infections tend to be clustered, and can affect almost all machines in an infected company, network or group.

“This is definitely cross-platform,” said Slade.  “It doesn’t rely on a specific operating system, program, or even virtual machine, like Java.”  Infections have jumped between Windows, Mac, Linux, iPhones, Android, and even CP/M and VMS machines.  Transmission can occur via email, sneakernet, wireless, and even phone and fax.  In all cases productivity is affected as time is lost.  In one class of the threat, machines can be rendered inoperable.

Rob Slade can be made available for presentations on how to deal with this enormous threat.  Anyone wanting to protect themselves can send first class airfare, proof of prepaid hotel accommodation, and a bank draft for $15,000 deposit.  (US or Canadian dollars, whichever is higher at the time  :-)


Airline security

Mom and my little sister were supposed to go on a cruise over Christmas.  The first leg of their flight to the embarkation port was cancelled when a door wouldn’t close.  The storm in the midwest, and the consequent meltdown of the North American air travel system, put paid to any chance of getting re-routed.  So they didn’t go.

The door that wouldn’t close on the first flight wasn’t an outside door, it was the cockpit door.  Mom was peeved.  Most people would have complained about the security policy that prevents takeoff without a locked cabin door.  Not Mom.  Her take was that there were lots of security guards around the airport, and that they could have just got one to stand in the doorway for the flight.


Risks of Risk Assessment in Multiple Small Illumination Sources During Winter Conditions

Risks of Risk Assessment in Multiple Small Illumination Sources During Winter Conditions
Robert M. Slade, version 1.0, 20121220

Testing can be used to demonstrate the presence of bugs, but never their absence.
- testing aphorism

ABSTRACT

As follow-up research to the study “Risk Assessment and Failure Analysis in Multiple Small Illumination Sources During Winter Conditions” (first published in 2003, and available in the RISKS Digest), the author has undertaken a multi-year study attempting to reduce the level and risks of failure in the illumination network required for celebration of the Northern Hemisphere Mid-Winter Party Period and Gift Giving Season.  (The nodes in this network currently stand at approximately 900 sources, and a significant portion may be noted at Twitter.)

Testing of nodes (also known as “bulbs”) and subnets (also known as “strings”) has been a major component of the risk reduction strategy.  However, recent studies have indicated that testing itself may be a contributing factor in node and subnet failures.

INTRODUCTION

In terms of risk management, it is well known that there comes a point of diminishing returns in the process.  The father of quality control, Walter Deming, noted that there was such a thing as too much quality assessment.  Despite the greater accuracy of assessment, very few enterprises engage in full quantitative risk analysis, preferring the less accurate but less costly (in terms of time and resources) qualitative risk analysis.

This study looks specifically at the testing component of the risk management process, and notes the probability that testing may contribute to total risk or failure.

TESTING IN THE LIGHT CYCLE

For details of the light sources and portions of the process, we refer readers to the earlier study.  A brief outline of the light source cycle is in order at this point.

Towards the end of September, the female members of the household, in preparation for upcoming events, start to ask the male members of the household whether any purchases or other preparation is necessary.  (This generally corresponds to the initiation phase of the cycle.)  The male members of the household point out that Canadian Tire does not start selling Christmas lights or decorations until November.  (This portion of the communication protocol is not, as many suppose, for information purposes, but to deflect discussion from the fact that the notes on necessary purchases and replacements, made last year, are packed away with the Christmas decorations, and are therefore inaccessible.  Students of security may note that this is a good illustration of the importance of all three pillars of security: the confidentiality and integrity of the information is maintained, but availability is not.)  Testing at this point in the cycle might be useful, but is, unfortunately, impossible.

At some point in November, the male members of the household will have run out of excuses for not retrieving the Christmas decorations from storage.  At this point there is usually a mass retrieval of the decorations, and assessment of any items requiring replacement or supplement, or any perishable items which must be purchased each year.  (This corresponds to the requirements phase.)  Testing of light nodes and subnets may be done at this point.

This retrieval/requirements phase is generally followed by a design/planning phase.  To many researchers, it would appear that the ultimate result varies little from year to year, and that the design and planning is not necessary.  However, mature researchers will note that, as one becomes, well, “more experienced” in these matters, one notes a failing of memory as to the exact process from previous years, and sometimes even more recent events are difficult to …

I’m sorry, where was I?

Oh, yes.

Testing and failure rectification can be undertaken during the design phase.  Some researchers feel that this assessment point can be skipped, but experienced researchers know that failed nodes will inevitably be discovered on the back of the tree in such cases.

During the implementation phase, testing tends to be somewhat informal.  Since the light nodes are being placed individually, failure of a node is generally obvious.  However, if testing and rectification is not planned into the process, researchers inevitably find themselves balanced precariously on a stool at the back of the tree, with no replacement nodes, when a dead node or subnet is discovered.

The maintenance phase of the cycle generally runs from the first Sunday of Advent until January 6th (Feast of the Epiphany, last of the twelve days of Christmas).  Testing at this period is by observation.  Unfortunately, very much like testing, observation can usually tell you which nodes are shining, but not which ones are not.  As per the earlier study, it should be noted that a single node failure does not generally result in subnet failure, but that cumulative failures do.  Therefore, failure to observe and rectify individual node failures frequently results in subnet failures at some point during this phase.  Rectification following subnet failure at this point is extremely difficult, and usually impossible.

The termination phase of the cycle involves “undecorationing,” and return of items to storage.  Testing is possible at this point of the cycle, but is made problematic by a) fatigue, and b) haste in returning items to storage in order to allow for “spring cleaning.”

RESULTS OF TESTING AT DIFFERENT CYCLE PHASES

Initially, this study looked at testing by observation during the maintenance phase.  It was felt that by observation and ongoing rectification, nodes and subnets could be maintained, and would therefore be in good order upon retrieval the following year.

Unfortunately, the following year some nodes and subnets were found to be dead.  Therefore, testing at the termination phase was added.  This had the advantage of allowing notes to be taken during rectification, so that replacements could be purchased in advance, the year after.  As previously noted, this information was maintained, but was not available at a time when it would be useful.

Therefore, testing was added during the requirements phase.  All subnets were tested upon retrieval, replacements were purchased (if one could fight through the crowds at Canadian Tire), and rectification was done prior to implementation.  During implementation phase on that study, it was found that nodes and even subnets were still showing as failed.  This led to the addition of an additional testing point during the design/planning phase.

During this past cycle, all nodes and subnets were tested and rectified during the termination phase.  Upon retrieval, subnets were tested and any failures rectified.  During planning, subnets were again tested and failures rectified.  During implementation, provision was made for rectification within the process.  So far, in the maintenance phase, failures have been rectified as soon as observed.  (One subnet failure was noted.  The attempt to rectify it was successful, but this is considered anomalous.)  Failure rates between testing points have been observed as high as 14% of total nodes.

CONCLUSION

The results of the data collected are inescapable.  Testing results in failure.

ACKNOWLEDGEMENT

This study would not have been undertaken without the encouragement and support of Gloria J. Slade.


Blatant much?

So a friend of mine posts (on Twitter) a great shot of a clueless phishing spammer:

So I reply:
@crankypotato Were only all such phishing spammers so clueless. (Were only all users clueful enough to notice …)

So some other scammer tries it out on me:
Max Dubberly  @Maxt4dxsviida
@rslade http://t.co/(dangerous URL that I’m not going to include, obviously)

I don’t know exactly where that URL redirects, but when I tried it, in a safe browser, Avast immediately objected …


I *thought* “Gangnam style” looked familiar …

Remember “Monty Python and the Holy Grail”?


Security Transcends Slogans … or not …

I have just got off the phone with a marketroid.  In the course of our conversation (no, I usually don’t talk to them, but this turned out to be a special case), I was explaining to her about ISC2 and the CISSP.  She was puzzled by an annotation on my file with her company, and it wasn’t making sense in terms of what I did, and what their ERM/CRM system was saying about me.

When she looked at the ISC2 Website, during our conversation, she immediately noted the “Security Transcends Technology” slogan.  I dimly recall the great fanfare when this was introduced about nine or ten years back: our (marketing department’s) proud statement that we were not mere technologists, but covered the whole realm of security.

Well, apparently that’s not what it says to some people.  The simple existence of the “technology” word in our slogan seems to trigger an immediate pegging of us as mere techies.  All of us CISSPs are just basic firewall admins.  We are not transcendent.

Back to the marketing board … ?


Biblical epics return!

(Sorry, nothing to do with security in this one.)

Hollywood has rediscovered the Bible as movie source material.  (Probably because it’s in the public domain, and saves costs.)

In production is “Noah,” which stars Russell Crowe as someone mumbling about God telling him to build a boat, and then beating up his neighbours when they make fun of him for it.

Steven Spielberg is supposed to direct “Gods and Kings,” about Moses.  Therefore it will star special effects, and probably have the tagline “I(sraels) C(hildren) Go Home!”

“The Redemption of Cain” is supposed to be Will Smith’s directorial debut, so Cain will probably turn Black and therefore become cool.

“Mary, Mother of Christ,” is being billed as a prequel to “The Passion of the Christ,” so will probably have the most violent Madonna ever.

Fox and Ridley Scott are working on “Exodus,” so it will probably be the most inaccurate Biblical epic ever filmed, and may star alien monsters.

(Just in case you think I’m making all of this up, it’s based on a report in the WSJ.)


Linded-Indiots in the stock market

OK, as some of you may be aware, LinkeDin had a semi-massive leak of passwords that came to light yesterday.

How are the markets taking it?

Well, today the stock is up, slightly.

That’s because ad revenues are up.  Since everyone is logging on today, in order to change passwords …

Sometimes I wonder why we bother …


Transit of Venus safety tip

Many people around the world are hoping for clear skies to view the transit of Venus across the face of the sun, an event which will not occur again for more than a century. [1]

However, public safety officials are concerned that people may endanger their eyes by looking directly at the sun without eye protection.  Not only will they not be able to see any indications of the transit, but this can, of course, burn the retina of the eye, causing permanent damage, and possibly complete blindness.

However, I have confirmed that ordinary sunglasses are sufficient protection, as long as used correctly. [2]

And the great thing is, this works no matter what “Venus transit” webcam you view, and no matter how brightly you have your monitor cranked up.

(In the spring, generally we would have at least some clear skies for viewing.  However, typically Vancouver, it’s pretty much completely overcast here for the entire run of the transit.)

So, thank goodness for NASA.

[1] It’s rather interesting that the transits occur in pairs, eight years apart, and then more than a century between the eight year pairs.

[2] I hope I don’t have to point out that this is just a joke, and that staring into the sun with only sunglasses as protection is no protection at all.  If anyone doesn’t get it, at least I have a hundred and five years before I get sued.
