I have experienced all kinds of difficulties travelling down to the US to teach.

It used to be a lot easier, in the old days.
Border agent: “Business or pleasure?”
Me: “Business.”
BA: “What are you doing?”
Me: “Teaching.”
BA: “OK.”
Then The-Conservative-Government-Before-The-New-Harperite-Government-Of-Canada decided, in it’s infinite wisdom, to bring in something called the North American Free Trade Agreement, which had provisions to make it “easier” to trade and travel.  Now it’s a royal pain.

(I’ve travelled and taught elsewhere, of course.  Some places I’ve had to get visas.  Nigeria was a nusiance.  Australia was a $20 charge, online, no problem at all.  Last time I taught in Ireland it was “Business or pleasure?”  “Business.”  “Welcome to Ireland!”  Last time I taught in Norway there wasn’t even anyone at the immigration desk.)

Occasionally Americans have complained that they have had troubles coming to work in Canada.  So far I have never heard anything like what I’ve had to go
through.

At the moment I’ve been dealing with American lawyers again.  This has generally been OK, since I usually don’t have to travel for that.  However, this time the other side wants to depose me.  (I suspect they are just doing this for the nusiance value.  As usuall, I’m not doing this as an “expert” witness, just as the only guy who still has the materials.)  So, the origianl plan was for me to fly down to California, spend a day with the lawyers on one side “prepping” me, and spend an hour or two with the other side for the deposition.  They’d have to pay for my fare and travel expenses, as well as my time during prep.

During the call I mentioned that, since he was a lawyer, and presumably had access to other lawyers in their firm who knew something about immigration, they should check on that point, and see if they wanted/needed to do anything about a visa for me.  He didn’t think it was an issue.  I said that, according to the official rules he was right, but that I had seen plenty of cases where the border agents interpretted the rules in idiosyncratic ways, and maybe he should just check.

Today the plan has entirely changed.  At least three lawyers (possibly more), from at least two firms (and possibly more) are flying up from California, renting a boardroom here in Vancouver, renting a court reporter, and staying at least two days (more likely three) to do the prep and deposition.  With all the extra associated costs.  (And all this on behalf of a company that has very stringent travel cost policies: I had to sign off on them for the original contract.)

I think I’ve proved the point: it’s *way* harder to go to the US than to Canada.

The food fair area of one of the local mall had a facelift recently.  Now, as you walk down the hall towards the washrooms, the first thing you see is a lighted sign stating “WOMEN” on the first hallway that takes off to the right.

Trouble is, that hallway is where the men’s washroom is located.  Unless you know the layout of the mall (and, in this season of the annual Northern-Hemisphere-Mid-Winter-Gift-and-Party-Period, there are lots of guys around who aren’t normally in the mall), you don’t really notice that the triangle next to the word “WOMEN” is actually an arrow, presumably directing you further down the hall, where the hallway to the women’s washroom is actually located.  You have to be closer, and still looking up high, to notice that the word “MEN” is printed above the word “WOMEN,” but is, for some weird design reason, right justified, so that it starts about a foot past the beginning of the word “WOMEN.”

This explains why there are lots of guys coming back up the hall looking for the men’s washroom that they passed on the way down.

User interface is important.

The flooding of New York City was, once again, an example of known threats not being addressed.

It would have been too expensive to do anything about the issues.  (Flood costs currently $50B and rising as more damage is found.)

Of course, nobody could have predicted Sandy, because this was a storm produced by changing conditions.  Brought on by global warming/climate change.  Which is another issue that is too expensive to address …

(Why do I have this old oil filter ad tagline running through my head?  “You can pay me now … or pay me later …”)

Go Public, a consumer advocacy show on CBC, has produced a show on Budget Rent-A-Car overcharging customers for minor repairs.

This rang a bell with me.

In May of 2009, I rented a car from Budget, in order to travel to give a seminar.  Having had troubles with various car rental companies before, I did my own “walk around” and made sure I got a copy of the damage report before I left.  There were two marks on the driver’s door (a small dent, and a scratch), but the Budget employee refused to make two marks in that spot of the form: he said that the one tick covered both.

When I turned in the car, I was told that the tick was only good for the one scratch, and that I would be charged $400 for the dent.  I was also told that, since I had rented the car using my American Express card, I was automatically covered, by American Express, for minor damage, so I should get them to pay for it.

Since I was neither interested in paying myself, nor in assisting in defrauding Amex, I referred to the earlier statement by the employee who had checked the car.  (I had a witness to his statement, as well.)

Thus started a months-long series of phone calls from Budget.  They kept trying to get me to agree to pay the extra $400, and get Amex to reimburse me.  I wasn’t interested.

The phone calls finally stopped when, on one call, I informed the caller (by now identifying himself as someone in the provincial head office for Budget) that I had kept the copy of the original damage report form.  The caller told me that it clearly stated that there was a scratch on the door.  When I asked him how he interpreted the tick mark as a scratch, rather than a dent, he said that the word “scratch” was written on the form.

Well, of course, it hadn’t been written on the form originally.  I guess the caller must have been reasonable high up in the corporate food chain, because he knew what that meant.  I had the original, and it proved that they had messed with their copy.  That breaks the chain of evidence: they had no case at all.

(I still have a scan of that form.  Just in case …)

This goes back a bit, but I was reminded of it this morning:

Amazing where you can get inspiration.  I went to an electronics manufacturing trade show, just to keep up with what’s happening over in that sector.  Nothing particularly new that anyone was selling particularly relevant to security.

However, I sat in on a seminar on the new EU “Restriction of (certain) Hazardous Substances” directive.  (This comes into effect in nine days, and there is all kinds of concern over the fact that the specific regulations for compliance haven’t been promulgated yet.  Remember HIPAA, you lot? 

RoHS (variously pronounced “rows,” “row-hoss,” or “rosh”) is intended to reduce or eliminate the use of various toxic materials, notably lead and mercury, from the manufacture of electronic equipment.  This would reduce the toxic waste involved in manufacturing of said equipment, and particularly the toxic materials involved in recycling (or not) old digital junk.  EU countries all have to produce legislation matching the standard, and it affects imports as well.  In addition, other countries are producing similar legislation.  (Somewhat the same as the EU privacy directive, although without the “equivalent protection” clause.)  Korea is getting something very close to RoHS, California somewhat less.  Japan is going after informational labelling only.  China, interestingly, is producing more restrictive laws, but only for items and devices for sale within China.  If you want to manufacture lead, mercury, and hexavalent chromium computers in China for sale to other countries, that is just fine with them.

There are points relevant to various domains.  In terms of Physical security, and particularly life safety, there are issues of the environmental hazards of toxic materials in the electronic devices that we use.  (This is especially true in regard to BCP: lead, for example, vaporizes at temperatures seem in building fires.)

There is a certification process for ensuring compliance with the regulations.  Unfortunately, a number of manufacturers are carefully considering whether it is worth complying with the regulations.  Even if the products are compliant in terms of hazardous materials, the documentation required for compliance certificates requires details of materials used that could, to educated engineers and others in competing businesses, give away trade secrets involved in manufacturing processes.

The certification and due diligence processes are, like SOX, recursive.  In order to prove that your products are compliant, you also have to demonstrate that your suppliers, and their products, are also compliant.

There is also an interesting possibility of unintended consequences.  Outside of the glass for CRTs, the major use of lead is in solder.  Increasing the proportion of tin in the solder increases the temperature at which it melts, which is one factor.  However, another is that tin-only solder has a tendency to grow “whiskers.”  (The conditions and time for growing whiskers is not fully understood.)  Therefore, in an attempt to reduce the health risk of toxic materials, RoHS may be forcing manufacturers to produce electronic goods with shorter lifetimes, since the whiskers may become long enough to produce short circuits within electronic devices.  Indeed, these devices may have an additional risk of fire …

We seem to be missing the boat on security awareness of phishing attacks: it’s not just for bank and credit card accounts anymore.  This article notes the “DHL,” “tax refund,” and similar queries.  I would have thought these were obvious, but they seem to be the most successful ways to get spear phishing and APT information.

Came back to the computer after some time away, to find the sun shining full on the desk and part of the screen.  And, of course, the screen has blanked from lack of input during that time.

So, I pull the drapes forward to shade the screen–and the screen pops up, even though I haven’t touched the keyboard or the mouse.

Considering this, I realize that a) it’s an optical mouse, and b) it was on the part of the desk that was in the sun, and is now shaded when I pulled the drapes.

So, being a security geek, I start to wonder:

a) how the system interpretted that light?
b) how hard it would be to figure out how to get a laser to create specific “actions” on the computer?  (And if the optical sensor’s range is wide enough that you can do it with an IR laser, so the user doesn’t realize what you are doing?)

I’m not sure how far back to go, to get to the beginning.

Could be the time, a few years back, when the townhouse complex’s main water supply, after 30 years of flawless operation, was “upgraded.”  This, of course, inevitably resulted, a couple of years later, in some very odd variations in water pressure.  Some of the time we had little more than a trickle of water in the taps, and occasionally the washing machine took forever to fill.  (The “upgrade” may also have been responsible for the Great Flood of Aught-Nine, out on the main road.  But I digress.)

This year the main pressure regulator for the complex was replaced, and water was back to full pressure.  As a matter of fact, it was back to significantly higher than full pressure.  Filling the washer (or sink) is much quicker than it used to be.  You have to be careful not to turn the kitchen sink on full blast, or much of the counter around it gets sprayed.

A couple of day ago, the upstairs toilet stopped working.  Well, it would still flush, if the tank was full, but refilling slowed to a stream of drips.  (Hypothesis: the intake valve in the tank has blown from the higher water pressure.)  The manager happens to be away this weekend (of course), so we’ve been muddling through.

This morning, while attempting to refill the tank manually, I discovered that, if the tank was in the process of filling itself, and you turned on the bath tap full blast, the toilet would start filling normally.  Further experimentation determined that it had to be full blast: half or even three quarters wasn’t good enough.  (Revised hypothesis: the valve is partly damaged, and reducing the pressure allows it to function, temporarily.)

Weird.

Anyway, it reminded me: if a system as simple as a toilet, and household plumbing, can have these sorts of effects, what makes you think your incredibly complicated IT system, and its protective elements, is working as you think it should be?

The Cyber Security Research Alliance has just announced it’s formation.

If you want to join, it’s $60,000 for a founding membership, but a mere $15,000 if you want to be an affiliate member.

I think I’ll stick with my membership in the Vancouver Security Special Interest Group (or SecSIG).  We actually celebrate our thirtieth anniversary in January, and, for all of that time, we’ve managed to keep the annual fees to $0.

“Media artist” creates a form of spyware using Macbook webcams.  Runs it on computers in Apple Stores.  Apple calls Secret Service about the artist.  Lots more.  Some interesting and provocative concepts in the article, covering privacy, legality, search and seizure, and the fact that people show little affect when working with/on computers:

http://www.wired.com/threatlevel/2012/07/people-staring-at-computers/all/

Or: One Of The Reasons Why I’ve Never Actually Bought Any Kindle Books from Amazon, And Only Install Free Books:

Amazon closes account and wipes Kindle. Without notice. Without explanation.

Overconfidence makes you successful in business.

Not just confidence, mind you, overconfidence.

Add in the Dunning-Kruger effect, and the Peter Principle, and you start to realize why all those huge banks keep failing …

BKLNFOCT.RVW   20120714

“Learning from the Octopus”, Rafe Sagarin, 2012, 978-0-465-02183-3, U$26.99/C$30.00
%A   Rafe Sagarin
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02183-3 0-465-02183-2
%I   Basic Books/Perseus Books Group
%O   U$26.99/C$30.00 800-810-4145 www.basicbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0465021832/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0465021832/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465021832/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   284 p.
%T   “Learning from the Octopus”

The subtitle promises that we will learn “how secrets from nature can help us fight terrorist attacks, natural disasters, and disease.”  The book does fulfill that aim.  However, what it doesn’t say (up front) is that it isn’t an easy task.

The overall tone of the book is almost angry, as Sagarin takes the entire security community to task for not paying sufficient attention to the lessons of biology.  The text and examples in the work, however, do not present the reader with particularly useful insights.  The prologue drives home the fact that 350 years of fighting nation-state wars did not prepare either society or the military for the guerilla-type terrorist situations current today.  No particular surprise: it has long been known that the military is always prepared to fight the previous war, not this one.

Chapter one looks to the origins of “natural” security.  In this regard, the reader is inescapably reminded of Bruce Schneier’s “Liars and Outliers” (cf. BKLRSOTL.RVW), and Schneier’s review of evolution, sociobiology, and related factors.  But whereas Schneier built a structure and framework for examining security systems, Sagarin simply retails examples and stories, with almost no structure at all.   (Sagarin does mention a potentially interesting biology/security working group, but then is strangely reticent about it.)  In chapter two, “Tide Pool Security,” we are told that the octopus is very fit and functional, and that the US military and government did not listen to biologists in World War II.

Learning is a force of nature, we are told in chapter three, but only in regard to one type of learning (and there is no mention at all of education).  The learning force that the author lauds is that of evolution, which does tend to modify behaviours for the population over time, but tends to be rather hard on individuals.  Sagarin is also opposed to “super efficiency” (and I can agree that it leaves little margin for error), but mostly tells us to be smart and adaptable, without being too specific about how to achieve that.  Chapter four tells us that decentralization is better than centralization, but it is interesting to note that one of the examples given in the text demonstrates that over-decentralization is pretty bad, too.  Chapter five again denigrates security people for not understanding biology, but that gets a bit hard to take when so much of the material betrays a lack of understanding of security.  For example, passwords do not protect against computer viruses.  As the topics flip and change it is hard to see whether there is any central thread.  It is not clear what we are supposed to learn about Mutual Assured Destruction or fiddler crabs in chapter six.

Chapter seven is about bluffing, use  and misuse of information, and alarm systems.  Yes, we already know about false positives and false negatives, but this material does not help to find a balance.  The shared values of salmon and suicide bombers, religion, bacterial addicts, and group identity are discussed in chapter eight.  Chapter nine says that cooperation can be helpful.  We are told, in chapter ten, that “natural is better,” therefore it is ironic to note that the examples seem to pit different natural systems against each other.  Also, while Sagarin says that a natural and complex system is flexible and resilient, he fails to mention that it is difficult to verify and tune.

This book is interesting, readable, erudite, and contains many interesting and thought-provoking points.  For those in security, it may be good bedtime reading material, but it won’t be helpful on the job.  In the conclusion, the author states that his goal was to develop a framework for dealing with security problems, of whatever type.  He didn’t.  (Schneier did.)

copyright, Robert M. Slade   2012     BKLNFOCT.RVW   20120714

Recently one of the bridges in my area was replaced by a new one.  The new Port Mann Bridge is, at the moment, apparently the widest in the world, and will relieve congestion on the existing bridge, which has been a huge bottleneck for years.  (Why do I keep flashing on an old saying about “traffic expands to fill anything made available for it …”?)

In order to pay for it, our currently right-wing) provincial government has formed a “public/private partnership” with a shell corporation (Treo) which gets to “lease” the bridge for about fifity years and put tolls on it.

I’m not sure I’ll have a lot of use for the Port Mann Bridge when it gets tolled (except to get out to the Olive Garden, until they build one closer in).  It’s been such a bottleneck for so long that I’ve found all kinds of ways to avoid it.  (There is another tolled bridge in the area, and I’ve only traveled over it once, in the first “free” week, just to find out where it was and went.)  But I figured I’d get the decal anyway, especially since it gets you a discount, and some extra bucks (equivalent to about 20 free trips) to start off.

You’ll have heard about the debacle in regard to the phone registration, where some of the clerks were in business for themselves, and stole credit card numbers.  So I figured I’d register via the Website.  The process wasn’t too arduous, although I found it odd that American Express, which I use for most of my pre-authorized charges, wasn’t acceptable.  (I also found out that my password algorithm, while it is long, complex, and uses mixed case and non-alphabetic characters, doesn’t generate a number in all cases.  Apparently you have to have a number.)

I didn’t realize that I didn’t get a confirmation email until this morning, when I checked the spam filters.  There it was.

And, I have to agree.  If I was a spam filter, I’d have said it was spam, too.  It’s a mess.  Looking at the body, I can’t make out anything it is trying to do (other than create all kinds of buttons).  The spam report says:
0.00 NO_REAL_NAME           From: does not include a real name
0.00 BSF_SC0_MISMATCH_TO    Envelope rcpt doesn’t match header
0.00 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
0.00 URI_TRUNCATED          BODY: Message contained a URI which was truncated
0.00 HTML_MESSAGE           BODY: HTML included in message

Treo itself seems to use a system called Barracuda, and this system also scores the message as spam.  (It also seems to have an AV scanner, which appears to be turned off.  Apparently Treo is not concerned about sending viruses out to infect other people.)

So, the Treo people don’t seem to be very concerned about information security.  Which gets me thinking:

Is the bridge safe?

I have just got off the phone with a marketroid.  In the course of our conversation (no, I usually don’t talk to them, but this turned our to be a special case), I was explaining to her about ISC2 and the CISSP.  She was puzzled by an annotation on my file with her company, and it wasn’t making sense in terms of what I did, and what their ERM/CRM system was saying about me.

When she looked at the ISC2 Website, during our conversation, she immediately noted the “Security Transcends Technology” slogan.  I dimly recall the great fanfare when this was introduced about 9 or ten years back: our (marketing department’s) proud statement that we were not mere technologists, but covered the whole realm of security.

Well, apparently that’s not what it says to some people.  The simple existence of the “technology” word in our slogan seems to trigger an immediate pegging of us as mere techies.  All of us CISSPs are just basic firewall admins.  We are not
transcendant.

Back to the marketing board … ?

There are always two sides (and maybe more) to every story, but:

Police called to a scene where children were reportedly abandoned.  Police arrive to find children on a suburban street, and the mother watching from the porch.

So the police take the mother to jail.