Thoughts on Haiti, Olympics, and other disasters

Absent those who have gone gaga over the iPad, the top news for the past two weeks has been the earthquake and disaster in Haiti.  The concern, the outpourings of support (and, yes, the malware and phishing sites that have been attempting to capitalize on the crisis) are all reminiscent of the tsunami, Katrina, and other events stretching back in time.

Haiti has been different.  The major factor has been the total breakdown of infrastructure, and the consequent difficulty in getting the help to those who need it most.

Those of us in the security communities are always interested in disasters.  We are forever dealing with crises, both large and small, assessing risks, planning and comparing mitigation strategies, and looking at the management of it all.  So, I recall that, when Katrina struck, there were endless discussions of the latest details, the structures, the organization (and lack thereof) in the follow-up efforts.  One person made a donation to a charity, and challenged the group to match his gift.  I upped the stakes.  I challenged everyone to get trained for disasters.

Unfortunately for the point I’m trying to make, I am speaking from a position of privilege.  Canada has the best emergency structure in the world.  (Our disaster response team is in Haiti at the moment, and is always one of the first on the ground whenever there is a major incident, anywhere.)  British Columbia has the best emergency response management system in Canada.  (No, I’m not volunteering at the Olympics.  But for the past year, I’ve been working with a group that has been planning for the fact that, with the big event in town, even a minor crisis is probably going to mean that we may have to provide emergency lodging for a few hundred people.)  And the North Shore, where I live, has the best disaster training regime in BC.  (The group lodging thing isn’t done by VANOC: it’s an effort by the ESS volunteers from the North Shore, Vancouver, and Richmond.)

Emergency response, in a major disaster, is not simply a matter of having water, generators, blankets, and rescue dogs.  It has to do with organization, co-ordination, management, and, particularly, trained people.  Most of them volunteers, since nobody can afford to pay for a full-time staff of all those you need to have ready in an emergency.

That’s where you come in.

Get trained.

There is some emergency measures organization that covers your area, regardless of where you live.  Your local municipality probably has an office.  And they probably need volunteers.  And they provide training.

If you volunteer, you will probably get trained.  For free.  (You may also get additional perks.  I get my flu shots paid for every year, since I’m an emergency worker.)

First of all, you’ll probably get trained on what you need for you and your family.  What do you need to survive the first 72 hours following a disaster?  Do you know how much water, what type of food, etc, you need, in the event of a total failure of utilities and other factors we rely on?

Then there are the skills you need to help other people.  Sometimes this might relate to first aid, or structural assessment of buildings after an earthquake, etc.  However, there are many necessary skills that are not quite so dramatic.  Most emergency response, believe it or not, has to do with paperwork.  Who is safe?  Who needs care?  Do families need to be reunited?  Documentation of all of this is a huge effort, which goes on long after the bottles of water and hot meals have been distributed.

Then there are management skills, to co-ordinate all of the other skills.  An awful lot of “charity” gets wasted because some people get too much help, and others don’t get enough.  Someone needs to oversee the efforts.

Training in all of this is available.  And, in an emergency, having trained people is probably more important than having stockpiles of tents.  Trained people can make or improvise shelter.

Maybe your municipality or county doesn’t have a formal emergency structure.  In that case, there are organizations covering the gap.  In Canada, the government doesn’t do it all.  The Red Cross and Salvation Army are two of the groups that have been working on this for years, and have specialists.  In BC we have courses provided by the Justice Institute in a number of areas.  The provincial government has created a marvelous structure, ensuring consistent organizational layout for all sizes and types of disasters, and all types of response.  But we don’t bother reinventing the wheel.  In our formal training curriculum, a number of the courses are prepared, provided and run by the groups that have been doing it for years, and know it best.  If your government doesn’t have the courses available, go to those who do.  They are around.

(For those who have security related certifications, like the CISSP, ongoing professional education is a requirement.  A constant complaint is that training is expensive, and getting the credits costs too much.  I get all kinds of training related to business continuity and disaster recovery.  I get almost all of it free.)

Get trained.  Volunteer.  You’ll get a wealth of experience that will help you plan for all kinds of events, not just for major disasters, but for the minor incidents that plague us and our companies every day.  You’ll be ready for the big stuff, too.  You’ll be able to keep yourself and those near to you safe.  You’ll be able to make a difference to others, certainly reducing suffering, and possibly saving lives.  If and when something major happens, you will be a part of the infrastructure necessary for the response to be effective.  You’ll be part of the solution, rather than part of the problem.


Signs of the (end) times …

Rev. 6:6, OCD [1]

“Then it was as if I heard a voice saying: And they shalt go into the storehouses, and look there for the snack foods made from corn [2] which the hands of men have made into hollow cones or cornets [3].  And they shall go unto the Save-On, and unto the Shoppers Drug Mart, and unto the Safeway, and even unto the Zellers, which is the store of last resort when old stock is being cleared out.  And they shall find them not.  And, having no proper snack foods for the parties of the new year, the new year shall come not, and thus shall be the end of times.”

[1] Old Canadian Deviant translation, as opposed to the New American Standard

[2] Some ancient manuscripts add: “And this is not that barleycorn which was known even in Ur of the Chaldees, but that which came from the land newly found by him who gave his name unto a seventies TV detective show, but of whom we may not, at this time, speak”

[3] Scholars debate the meaning of this word.  Most believe that it is simply a reference to “little objects made from corn.”  However, some feel that it is similar to the word for “trumpets,” or, possibly “bugles.”


Robert Who?

As part of some research into the security risks of social networking, I did an ego search on myself.  (Hey, it’s legitimate research, all right?)

On Altavista, the first hit was the Wikipedia page someone created about me.  The second result was http://www.robertslade.com/ which I hadn’t known existed.  As well as correctly listing my published books, this page informed me that I was mentioned on the Wikipedia entry for the RISKS-Forum Digest (which is a definite ego boost).  It also provides a photograph of someone else, as well as two pictures I didn’t take, and three videos I have nothing to do with.  Two different boxes provide links to buy books, some of which are mine, and most of which aren’t.

I expected to find entries that weren’t me: I know there are a lot of Robert Slades on the net.  But it’s a bit weird to find out that there is a domain about me that I didn’t know about.
I also found the church I’m buried in, so currently I’m not feeling too great …


Happy anniversary, Apollo 11

On Monday, it’ll be 40 years since a man first walked on the moon.

Big deal, some of you will say.  I imagine that most of the people who read this weren’t even born then, so all your lives were lived after man walked on the moon.

And, really, it wasn’t a big deal.  We came, we walked around a bit, we left.  We never went back.  This week we sent an unmanned spacecraft back, and it took some pictures of the places we once landed.  Big, brave us.

In the 40 years since then, what did we do?  We spent money on wars (and rumours of wars).  “Greed is good” became an acceptable business motto.  We had innumerable economic crashes (mostly due to greed).  Science has become a political football (with politicians and business telling scientists that facts aren’t facts because we can’t afford them).

We did invent the Internet, and personal computers.  We mostly use them now for porn.
So, to all of you kids who don’t remember the great event, accept this as a video clip of ancient history:

You’re right.  Big deal.


Privacy and transparency: cost benefit analysis

Gloria pointed out an article in the Vancouver Sun and, just in case it disappears in a few days, I found the author’s blog.

The main thrust of the article is on the risk/benefit of a lack of privacy, as practiced in social networking.  This (absent the social networking) reminded me of David Brin’s “The Transparent Society,” and if you haven’t read it, I recommend it.


All your ancestors are belong to us …

Over the past few days, both the Vancouver Sun and the Ottawa Citizen have published (basically the same) story about “Toronto-based Ancestry.ca.”  From the articles, this appears to be related to such public institutions as the national archive and Library and Archives Canada.  And the price is right: “A two-week free trial period that began June 10 allows users to search for and download documents at no charge.”

I tried it out.  Giving minimal information about him brought up over 6,000 hits, the second of which was my grandparents’ marriage certificate.  Pretty good.

Unfortunately, that is not the whole story.  If you want to actually see anything that the search finds, you have to register.  And, if you pay attention, and actually read the “Terms and Conditions” (and look at the full screen, not the portion that shows when the box first pops up), you find that you are registering with “an Internet service (the “Service”) owned and operated by The Generations Network, Inc, an American company incorporated in Delaware, USA, and whose registered address is 360 W 4800 N Provo, UT 84604, USA.”  In order to register you have to provide a credit card.  After 14 days (and it isn’t clear whether that is 14 days after June 10, or 14 days after you register) “[i]f you wish to terminate your subscription you must notify us at least two (2) days before the Renewal Date by calling (800) 958-9073 Member service is available from Monday to Friday 7:00 am to 4:00 pm MST, or by sending an email to cancel@ancestry.ca providing the following information: Given name and surname, Username, Subscription type (UK/Ireland collection, etc.), Email address used when subscribing, Phone number including country code, Country.  If you fail to respond to the notice, your subscription will be automatically renewed,” and, of course, your credit card will be charged.

So, read carefully, people.  Are you dealing with a public institution, or a private company?  Are you dealing with a company in your country, or another?  And, is your “free trial” an “opt-out” contract for the company to start billing your credit card?


Liability for “cavalier disregard”

OK, this has got nothing to do with computers (except that the SkyTrain is completely automated).

For the past three years, Cambie Street, a major thoroughfare with at least four different shopping and business areas on it, has been almost completely shut down for the construction of the RAV (Richmond-Airport-Vancouver) SkyTrain line (aka Canada Line).  (Since it is located almost dead centre in Vancouver, the city has been pretty much bisected for that time, and the traffic hassles have been enormous.)  Originally the line was supposed to be a tunnel, but that was going to take too long and cost too much, so they dug up the entire street.  For three years.

Most of the businesses along Cambie have gone bankrupt in that time: others have moved.

Now a lawsuit for damages has been won by a business owner.

This will, of course be a precedent, and will undoubtedly lead to more judgements (I think other cases are already before the courts) and more lawsuits.

I’ve got to admit to an uncharitable glee over this turn of events.  The RAV line was not prompted, but the decision to actually build it was undoubtedly influenced, by the 2010 Olympics.  The provincial government has been absolutely gaga over having the games here, and has launched a number of “vanity” projects and other measures.  (Latest on the list: for the games, security personnel won’t have to undergo the minimal training and licencing that already exists.  They can get a special certificate which seems to merely verify that they are breathing.)


C-level execs ignorant of Web 2.0 dangers

According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.

In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.


Hiring Hackers - as speakers (part 1)

By the time you read this, CIO magazine will probably have already done its “In Cloud We Trust” Webcast.

The ISSA, ready to provide links to any security related activities, inadvisedly advertised the Webcast.  I say inadvisedly, because the Webcast, or at least the promotional material, features Kevin Mitnick.  This juxtaposition created a bit of a furor over the fact that a prestigious security institution was promoting a former computer criminal.  (It is entirely possible that Kevin Mitnick rather enjoyed the discomfiture of ISSA, since ISSA had the effrontery, in 2003, to turn down Kevin Mitnick’s application for membership.)

All of which sparked yet another debate, in at least one venue, over the advisability of hiring or attending to (for the purposes of security), those formerly convicted of computer crimes.

Feelings are strong, and tempers rather short, when this topic comes up for discussion.  Passions are surprisingly high on both sides of the debate.  However, I would like to attempt to present some opinions on the matter.

(I’m not going to speak about the Webcast itself.  As chance would have it, I’ll have to be getting on a bus at about that time in order to go downtown.  To speak to an ISSA meeting.)

Those who feel that hackers can and should be hired suggest that those best qualified to protect systems are those who have broken into them.  We, in defence of our systems, should not let foolish moral quibbles stand in the way of gaining the best information and advantage that we can.

I am on the side that opposes the use of former criminals.  I do not disagree with the risk management analysis of those on the pro side, but I feel that it is based on faulty assumptions.  My objections to the hiring of hackers are practical as well as moral, and, in terms of ethical analysis, lie in the area of practical morality.

In order to address the practical issues, I have to clarify, and separate, the different types of help we think we are going to get from cybercriminals.  Do we employ them for security management and administration?  Do we hire them for penetration testing?  Do we use them as security consultants?  Or do we just listen to them in seminars, webcasts, and conferences?

This last is the most difficult to oppose.  What is the harm in listening?  Should we not take every opportunity to learn all that we can about security?  Why block ourselves off from an important source of information?

So, I’ll address this first.

What is the harm in listening?  Well, we aren’t just listening, are we?  First off, most “reformed hackers” aren’t exactly doing this out of the goodness of their hearts.  Those who are on the lecture circuit generally make pretty good money out of it.  A lot of them make more than most legitimate security researchers, analysts, and consultants.  Then there are the spin-off benefits in books, workshops, and just plain advertising for John Q. Hacker’s Security Consulting.

Money isn’t the only benefit, though.  I’ve always been interested in the social side of technology, and for more than twenty years I’ve been studying those on the dark side.  Most of these people are charter members of Egos-backwardsR-Us.  Not all of them, but certainly enough to make it pretty much a defining characteristic.  Given a choice between money and a chance to grab the limelight, they might have to stop and think about it.

Regardless of whether we are paying cash or just stroking egos, one thing we are definitely doing is tacitly promoting the importance of what they have done.  We are saying that it is better, in the sense of obtaining security information, to break into systems than to study in other ways.

And I’ll address that later.


To tinyurl or to tr.im, that is the question …

Dinosaur that I am, it never occurred to me that long URLs were a major problem.  Sure, I’d gotten lots that were broken, particularly after going through Web-based mailing lists.  But you could generally put them back together again with a few mouse clicks.  So what?

So the fact that there were actually sites that would allow you to proactively pre-empt the problem, by shortening the URL, came as a surprise.  What was even more of a surprise was that there were lots of them.  Go ahead.  Do a search on “+shorten +url” and see what you get.  Thousands.  http://bit.ly/ http://tubeurl.com/ http://www.shortenurl.com/index.php http://urlzoom.org/ http://ayuurl.com/ http://urlsnip.com/ http://url.co.uk/ http://metamark.net/ http://8ez.com/ http://notlong.com/ http://shorten.ws/ http://myurl.si/ http://dwindle.me/ http://nuurl.us/ http://myurlpro.com/ http://2url.org/ http://tiny.cc/

I would not, by the way, advise visiting that last.  .cc is a domain used by those on the dark side.  In fact, I wouldn’t recommend visiting many of those: I have no idea where they came from, except that a search pops them up.  Which is part of the point.

Are URL shorteners a good thing?  Joshua Schachter says no.  Therefore, in opposition, Ben Parr says yes.  There are legitimate points to be made on both sides.  They add complexity to the process.  (Shorteners aren’t shorteners: they are redirectors.)  They make it easier to tweet (and marginally easier to email).  They disguise spam.  Some of the sites give you link use data.  They create another failure point.  They hide the fact that most Twitter users are, in fact, posting exactly the same link as 49,000 other Twitter users.

URL shorteners/redirectors are going to be used: that is a given.  Now that they are here, they are not going away.  Those of pure heart and altruistic (or, at least, monetary only) motive will provide the services, have reasonable respect for privacy, and add functions such as those providing link use data to the originator (and, possibly, user).  A number of the sites will be set up to install malware on the originator’s machine, to preferentially try to break the Websites identified, to mine and cross-correlate URL and use data, and to redirect users to malicious sites.

If you are going to use them (and you are, I can tell), then choose wisely, grasshopper.  There are lots to choose from.  Choose sites that offer preview capabilities.  If someone doesn’t use the preview options, you can still add them.  http://tinyurl.com/a-short-url-that-expands is the same as http://preview.tinyurl.com/a-short-url-that-expands : you just have to add the “preview.” part.  http://is.gd/ is even easier: just add a hyphen to the end of the shortened URL.  I’m hoping that one of the sites will start checking the database for already existing links, and returning the same “short form”: it’d make it easier to identify all the identical tweets.  (With the increasing use of the sites, it will also ensure that the hash space doesn’t expand too quickly, which would be to the advantage of the shortening sites.)
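The two preview conventions named above (the “preview.” host for tinyurl.com and the trailing hyphen for is.gd) and the “shorteners are really redirectors” point can be put into working form.  The following is an added example, not code from this post or from any of the shortening services: `preview_url` rewrites a short link into its preview form, `http_location` asks a server for a single redirect hop without following it, and `resolve_chain` walks the hops one at a time with a loop check and a hop limit (the “another failure point” from above).  The `FAKE_REDIRECTS` table is constructed so the example runs offline; the hostnames and paths in it are made up.

```python
"""Added example: handling shortened URLs defensively (not code from the post)."""
from __future__ import annotations

import urllib.error
import urllib.request
from collections.abc import Callable
from urllib.parse import urljoin, urlsplit, urlunsplit


def preview_url(url: str) -> str | None:
    """Rewrite a tinyurl.com or is.gd link to the preview form described in the post.

    Returns None for services whose preview convention this example does not know.
    """
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host == "tinyurl.com":
        return urlunsplit(parts._replace(netloc="preview.tinyurl.com"))
    if host == "is.gd":
        return urlunsplit(parts._replace(path=parts.path + "-"))
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first redirect instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url: str, timeout: float = 5.0) -> str | None:
    """Return the Location header of a 3xx response without fetching the target (needs network)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None  # a 2xx answer means this is the final page
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def resolve_chain(url: str, fetch_location: Callable[[str], str | None],
                  max_hops: int = 5) -> list[str]:
    """Follow redirects one hop at a time, recording every URL, with loop and hop-count limits."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
        seen.add(nxt)
    raise ValueError(f"gave up after {max_hops} hops")


# Constructed redirect table standing in for the network, so the example runs offline.
FAKE_REDIRECTS = {
    "http://tinyurl.com/example-short": "http://bit.ly/example-hop",
    "http://bit.ly/example-hop": "https://example.com/landing-page",
    "http://tinyurl.com/example-loop": "http://is.gd/example-loop",
    "http://is.gd/example-loop": "http://tinyurl.com/example-loop",
}


def fake_location(url: str) -> str | None:
    """Offline stand-in for http_location, backed by the constructed table."""
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    print(preview_url("http://tinyurl.com/a-short-url-that-expands"))
    print(resolve_chain("http://tinyurl.com/example-short", fake_location))
    try:
        resolve_chain("http://tinyurl.com/example-loop", fake_location)
    except ValueError as exc:
        print("refused:", exc)
```

Against a live service you would pass `http_location` instead of `fake_location`; the chain it returns shows every redirector in the path, which is exactly what a single shortened link hides.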


US Congress PCI hearings

What could be worse: a vague and hastily thrown together mashup of security protections masquerading as a security framework or standard, or having the government get into the act?  Now you don’t have to choose: you can have the worst of both worlds!  Follow the US Congress hearings on PCI!  Or, follow the commentary into the hearings on Twitter (which is fairly random and noisy, but probably makes just as much sense).


Exploiting our security models?

I’m sitting in CanSecWest.  We’ve just had a talk on platform-independent static binary code analysis.  (It isn’t really platform independent: just translating from specific instruction sets.  Not that it isn’t cool: REIL is a sort of RISC version of an assembly version of pseudocode.)  The presentation, and what they’ve done so far, is fairly abstract.  They are approaching the analysis with a type of Turing machine, and, with a sort of lattice-based state machine model, hoping that the transforms they can see with their model are close enough to what the actual program will do in an actual machine in order to tell you if there is the possibility of a bug or an exploit.

So, it’s kind of complex.  We are applying some highly abstract, theoretical stuff, pretty directly to the real world.

Now, in the abstract world, it’s been more than 25 years since Fred Cohen proved that this type of thing will never completely work.  Either you are going to get an infinite number of false positives (false alarms, where you spend time chasing down problems that aren’t problems), or an infinite number of false negatives (which is our current situation with security: our tools aren’t telling us about the problems that do exist), or both.

(One of the authors responded to this point that he chose to err on the side of false positives.  A reasonable position if you are doing research.)

However, this system is so complex that it got me thinking: they are hoping that the model and transforms they have put together are close enough to reality that it will give them useful results and help, but they really don’t know.  What if we are now to the point where our security tools and models, themselves, have gaps that can hide problems, and be exploited?

(There was a reason the original security models were so simple …)
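To make the false-positive/false-negative point concrete, here is an added example (my own toy, not the analysis from the CanSecWest talk, and not REIL): a tiny lattice-based abstract interpreter over a made-up three-address code, using intervals as the abstract domain.  It is sound, so it never misses a reachable division by zero, but because the domain forgets relationships between variables it warns about a division that can never fail.  A brute-force concrete interpreter supplies the ground truth so the two can be compared.  The instruction format and the three sample programs are constructed for the example.

```python
"""Added example: a toy interval-based abstract interpreter (not from the talk).

Each instruction is a tuple:
  ("input", dst, lo, hi)   value is unknown but lies in [lo, hi]
  ("const", dst, value)
  ("add", dst, a, b)       a and b are variable names or int literals
  ("sub", dst, a, b)
  ("div", dst, a, b)       flagged if the abstract divisor may be zero
"""
from __future__ import annotations

import itertools
import math
from typing import NamedTuple

INF = math.inf
Program = list[tuple]


class Interval(NamedTuple):
    lo: float
    hi: float


def _abstract(env: dict[str, Interval], x) -> Interval:
    # Literals become point intervals; names are looked up in the abstract environment.
    return Interval(x, x) if isinstance(x, int) else env[x]


def analyze(program: Program) -> list[int]:
    """Interval analysis; returns indices of 'div' instructions whose divisor may be 0."""
    env: dict[str, Interval] = {}
    flagged: list[int] = []
    for i, ins in enumerate(program):
        op, dst = ins[0], ins[1]
        if op == "input":
            env[dst] = Interval(ins[2], ins[3])
        elif op == "const":
            env[dst] = Interval(ins[2], ins[2])
        elif op in ("add", "sub", "div"):
            a, b = _abstract(env, ins[2]), _abstract(env, ins[3])
            if op == "add":
                env[dst] = Interval(a.lo + b.lo, a.hi + b.hi)
            elif op == "sub":
                # Sound but relation-blind: x - x becomes [lo-hi, hi-lo], not [0, 0].
                env[dst] = Interval(a.lo - b.hi, a.hi - b.lo)
            else:
                if b.lo <= 0 <= b.hi:
                    flagged.append(i)
                env[dst] = Interval(-INF, INF)  # over-approximate the quotient as "anything"
        else:
            raise ValueError(f"unknown op {op!r}")
    return flagged


def concrete_run(program: Program, inputs: dict[str, int]) -> dict[str, int]:
    """Execute with concrete inputs; raises ZeroDivisionError like a real machine would fault."""
    env: dict[str, int] = {}

    def val(x):
        return x if isinstance(x, int) else env[x]

    for ins in program:
        op, dst = ins[0], ins[1]
        if op == "input":
            env[dst] = inputs[dst]
        elif op == "const":
            env[dst] = ins[2]
        elif op == "add":
            env[dst] = val(ins[2]) + val(ins[3])
        elif op == "sub":
            env[dst] = val(ins[2]) - val(ins[3])
        elif op == "div":
            env[dst] = val(ins[2]) // val(ins[3])
    return env


def division_by_zero_reachable(program: Program) -> bool:
    """Ground truth by enumerating every input combination (inputs must be bounded)."""
    names = [ins[1] for ins in program if ins[0] == "input"]
    ranges = [range(ins[2], ins[3] + 1) for ins in program if ins[0] == "input"]
    for values in itertools.product(*ranges):
        try:
            concrete_run(program, dict(zip(names, values)))
        except ZeroDivisionError:
            return True
    return False


def classify(program: Program) -> str:
    """Compare what the model says with what actually happens."""
    warned = bool(analyze(program))
    real = division_by_zero_reachable(program)
    if warned:
        return "true positive" if real else "false positive"
    return "false negative" if real else "safe"  # false negative cannot occur: the analysis is sound


# Constructed sample programs.
# c = (a + 1) - a is always 1, but the interval for c is [-199, 201], so the model warns.
FALSE_POSITIVE: Program = [
    ("input", "a", -100, 100),
    ("add", "b", "a", 1),
    ("sub", "c", "b", "a"),
    ("div", "d", 10, "c"),
]
# m really can be 0, so this warning is genuine.
TRUE_POSITIVE: Program = [("input", "m", -1, 1), ("div", "n", 10, "m")]
# h lies in [3, 7], so the model proves the division safe without enumerating anything.
SAFE: Program = [("input", "g", 1, 5), ("add", "h", "g", 2), ("div", "k", 10, "h")]

if __name__ == "__main__":
    for name, prog in [("FALSE_POSITIVE", FALSE_POSITIVE),
                       ("TRUE_POSITIVE", TRUE_POSITIVE), ("SAFE", SAFE)]:
        print(f"{name}: flagged={analyze(prog)} -> {classify(prog)}")
```

The interesting case is `FALSE_POSITIVE`: the warning is not a bug in the analyzer, it is the price of a domain that is simple enough to always terminate.  Choosing a richer domain that tracks `c = b - a` exactly would remove this particular false alarm, at the cost of the complexity the post is worried about; the brute-force enumeration in `division_by_zero_reachable` shows the other extreme, exact but only feasible for tiny input ranges.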


How to spot the next big thing that spots next big things

A new company is telling everyone which new companies are worth investing in.  Is this something we should get into?

http://news.bbc.co.uk/go/em/-/2/hi/technology/7900463.stm

“The software measures the “buzz” surrounding a company via blogs and media reports along with a variety of factors including website traffic.”

We should all blog and Twitter about this.

Then we should all blog about how blogging is so last year.


Is Your Son a Computer Hacker?

This would be hilarious, except for the fact that I think the guy who wrote it (some years back, but still) was serious.

I don’t know if that makes it more funny, or less …

Even the domain name is funny, as in “delusions of adequacy” …


Common sense and separation of systems

Somebody recently asked, on the CISSPforum, for some kind of reference supporting the concept that it was a good idea not to do development or testing on production systems.

I think Mim Britt said it best:

“Separation of test and production environments is one of those things that is such basic common sense that it wouldn’t occur to me to have to point to something that says to do it. The first time you test something on your production network and it breaks something else which breaks something else, etc etc etc is the LAST time they will ask you why it has to be done on a separate network.”

Somebody said we should make that into a sigquote, or blog it.  Mim said she’d be flattered if anyone did.  I think it’s a great idea.


Everything new is old again - VDI

Argh!  YASMA!  (Yet Another Stupid Marketing Acronym.)  VDI pops up in my email.  And when I search for it (using two kettles’ worth of carbon emissions), what do I find?  “Virtual desktop infrastructure.”  In other words, thin client, or cloud computing, or just plain virtualization.

It is to weep.


Vulnerability Scanner