Memory lane …

I ordered a new computer before Christmas, and there have been delays getting it.  Today the shop called and said that the one I ordered (with 4 Gigs of RAM) was still short, but they did have one with 6 Gigs, if I was willing to pay an extra ten bucks.  So I said fine.

Got off the phone and told Gloria about it.  She asked “How many Commodores is that?” since I still have a Commodore 64 in the “computer museum” trunk.

32,000.  Give or take a few for rounding purposes.  For ten bucks, the equivalent memory of 32,000 Commodore 64 computers.

We work in a bizarre field.

Share

Online forum rule haikus

On the CISSPforum we were discussing precepts for getting along and keeping the discussions meaningful.  Somebody started listing rules, so I started casting them as haikus.  That prompted a few more.

I wondered if these were only for that group, but then realized most of them were applicable to online discussions of whatever type.  So, herewith:

 

Create your own space
Meaningful content only
Comes to those who post.

Silence calls silence
Lurkers don’t disturb quiet
Sleep beckons as well.

The posts are boring?
Raise topic of interest
Thread starter lauded.

Forum like sewer:
What you get out of forum
Depends on input.

Being creative
Is much better than being
Tagged as complainer.

These are your colleagues.
Why are you so much  better
That they must start first?

The forum that is
Is not what must always be.
Build a better world.

Friday is not for
Building new realities.
Your colleagues would sleep.

 

Then some other chimed in:

I remember trust
It disappeared so quickly
I guess we were fools

Pointing to resource
Always appreciated
Who can search the whole?

Putting platitudes
into pleasing haiku
removes sting of truth

Now you’re getting it.
Format is everything.  (Well,
And maybe context  :-)

friday gratitude
is here at last for resting
ignoring infosec

Friday at last! Time for
Bottles of overpriced wine.
Why’m I still at work???

Request not correct.
Reformat for this thread.
Please resubmit now.

UNSUBSCRPTION post
Jangles cosmic harmonies
Til balance achieved.

Share

Official (ISC)2 Guide to the CISSP CBK

Recently, on the CISSPforum, there was some discussion of the new, third edition of the Official (ISC)2 Guide to the CISSP CBK (which, I note, is pretending to be available as an ebook for only ten bucks).  At the end of one post, one of the correspondents stated that he was “leaning towards buying the new book.”

First, lemme say that, for those who haven’t yet got the cert, I do recommend the “Official Guide” as my first choice.  (Harris is easier to read, but does contain *lots* of errors, and I tell my seminar candidates that I refuse to answer any question that starts out “Shon Harris says …”   :-)

However, on the other hand … why would anyone who has the cert buy the guide?  Of course, I am speaking from the perspective of someone who does read the source literature (and I am aware that all too many of my colleagues do not).

I also recall at least two seminar attendees who actually did have the cert.  Furthermore, they were consultants, and thus going on their own dime for the course.  The reason given was the same: they charged by the hour, so any time spent upgrading was time they could not charge.  Therefore, regularly attending the seminar was the fastest, and therefore, in their situation cheapest, way to ensure they were current.

So, yes, I can see that some people would want to get the guide as a quick check.  (In that regard, I would tend to recommend ISMH instead of the guide, but …)  But I still find it kind of odd …

Share

Beware! The “Metavirus”!

In the spirit of many infosec and antivirus company “announcements” of “new threats” in the past year:

A leading (if unemployed) information security and malware researcher, today noted startling developments (which were first mentioned in 1988, but we’ll leave out that bit) in cross-platform malware.

Dubbed the “metavirus,” this threat could completely swamp the Internet, and render literally billions of computers useless.  The chief researcher at the Vancouver Institute for Research into User Security has found that these entities can be created by almost anyone, even without programming knowledge or skills.  “This doesn’t even require a malware kit,” said Rob Slade, who has “discovered” this unregarded vulnerability.

Although the number of metavirus “families” are very small, in comparison to the millions of viruses, worms, and trojans discovered yearly, they are remarkably resistant to disinfection.  Infections tend to be clustered, and can affect almost all machines in an infected company, network or group.

“This is definitely cross-platform,” said Slade.  “It doesn’t rely on a specific operating system, program, or even virtual machine, like Java.”  Infections have jumped between Windows, Mac, Linux, iPhones, Android, and even CP/M and VMS machines.  Transmission can occur via email, sneakernet, wireless, and even phone and fax.  In all cases productivity is affected as time is lost.  In one class of the threat machines can be rendered inoperable.

Rob Slade can be made available for presentations on how to deal with this enormous threat.  Anyone wanting to protect themselves can send first class airfare, proof of prepaid hotel accommodation, and a bank draft for $15,000 deposit.  (US or Canadian dollars, whichever is higher at the time  :-)

Share

Bell bull

I recently re-upped with Bell Canada for cell phone service.  I bought new phones and upgraded the plan to include “unlimited” text messaging (since that’s how the grandkids mostly communicate).  The plan I got  is supposed to include picture and video messaging.

In order to use the picture messaging I am told, by both the kiosk and telephone personnel, to turn on the cellular data (not wifi: I’ve been a communications specialist for 30 years and I know the difference) connection on the phone.  Every time I do that I am charged $5.00 for “Pay per use flex data Data Usage.”

Each time I can get it reversed, but I have to spend 20 minutes getting through to an agent on the phone in order to do so.  (All the telephone agents initially insist that this is a “mobile browsing” charge, and I have to point out that I have turned off every app on the phone every time I try this.)

I am not being given the services it stipulates on my contract.

Right now I’m on the phone with Bell’s telephone “support.”  She’s already tried to get rid of me once by claiming to call “technical support.”  When I asked to speak to a supervisor, the agent did the same thing, but eventually put me through to “Puneet.”

I have spoken with supervisor “Puneet.”  She will not answer the simple question of how to access the services I am paying for.  Her only answer is that I upgrade to a data plan.

Therefore Bell is lying in it’s contract stating that I have access to picture and video messages.

Puneet has also just told me that Bell will no longer reverse or adjust any charges for using the picture messaging.

(Puneet did make one rather damaging admission late in the call: she did admit that, actually, Bell has no way to tell what the “Pay per use flex data Data Usage” is.  It could be updating.  It could be mobile browsing.  It could be Twitter.  It could, also, be the picture and video messaging for which I’m not supposed to be charged …)

Share

Airline security

Mom and my little sister were supposed to go on a cruise over Christmas.  The first leg of their flight to the embarkation port was cancelled when a door wouldn’t close.  The storm in the midwest, and the consequent meltdown of the North American air travel system, put paid to any chance of getting re-routed.  So they didn’t go.

The door that wouldn’t close on the first flight wasn’t an outside door, it was the cockpit door.  Mom was peeved.  Most people would have complained about the security policy that prevents takeoff without a locked cabin door.  Not Mom.  Her take was that there were lots of security guards around the airport, and that they could have just got one to stand in the doorway for the flight.

Share

Risks of Risk Assessment in Multiple Small Illumination Sources During Winter Conditions

Risks of Risk Assessment in Multiple Small Illumination Sources During Winter Conditions
Robert M. Slade, version 1.0, 20121220

Testing can be used to demonstrate the presence of bugs, but never their absence.
- testing aphorism

ABSTRACT

As follow-up research to the study “Risk Assessment and Failure Analysis in Multiple Small Illumination Sources During Winter Conditions” (first published in 2003, and available in the RISKS Digest), the author has undertaken a multi-year study attempting to reduce the level and risks of failure in the illumination network required for celebration of the Northern Hemisphere Mid-Winter Party Period and Gift Giving Season.  (The nodes in this network currently stand at approximately 900 sources, and a significant portion may be noted at Twitter.)

Testing of nodes (also known as “bulbs”) and subnets (also known as “strings”) has been a major component of the risk reduction strategy.  However, recent studies have indicated that testing itself may be a contributing factor in node and subnet failures.

INTRODUCTION

In terms of risk management, it is well known that there comes a point of diminishing returns in the process.  The father of quality control, Walter Deming, noted that there was such a thing as too much quality assessment.  Despite the greater accuracy of assessment, very few enterprises engage in full quantitative risk analysis, preferring the less accurate but less costly (in terms of time and resources) qualitative risk analysis.

This study looks specifically at the testing component of the risk management process, and notes the probability that testing may contribute to total risk or failure.

TESTING IN THE LIGHT CYCLE

For details of the light sources and portions of the process, we refer readers to the earlier study.  A brief outline of the light source cycle is in order at this point.

Towards the end of September, the female members of the household, in preparation for upcoming events, start to ask the male members of the household whether any purchases or other preparation is necessary.  (This generally corresponds to the initiation phase of the cycle.)  The male members of the household point out that Canadian Tire does not start selling Christmas lights or decorations until November.  (This portion of the communication protocol is not, as many suppose, for information purposes, but to deflect discussion from the fact that the notes on necessary purchases and replacements, made last year, are packed away with the Christmas decorations, and are therefore inaccessible.  Students of security may note that this is a good illustration of the importance of all three pillars of security: the confidentiality and integrity of the information is maintained, but availability is not.)  Testing at this point in the cycle might be useful, but is, unfortunately, impossible.

At some point in November, the male members of the household will have run out of excuses for not retrieving the Christmas decorations from storage.  At this point there is usually a mass retrieval of the decorations, and assessment of any items requiring replacement or supplement, or any perishable items which must be purchased each year.  (This corresponds to the requirements phase.)  Testing of light nodes and subnets may be done at this point.

This retrieval/requirements phase is generally followed by a design/planning phase.  To many researchers, it would appear that the ultimate result varies little from year to year, and that the design and planning is not necessary.  However, mature researchers will note that, as one becomes, well, “more experienced” in these matters, one notes a failing of memory as to the exact process from previous years, and sometimes even more recent events are difficult to …

I’m sorry, where was I?

Oh, yes.

Testing and failure rectification can be undertaken during the design phase.  Some researchers feel that this assessment point can be skipped, but experienced researchers know that failed nodes will inevitably be discovered on the back of the tree in such cases.

During the implementation phase, testing tends to be somewhat informal.  Since the light nodes are being placed individually, failure of a node is generally obvious.  However, if testing and rectification is not planned into the process, researchers inevitably find themselves balanced precariously on a stool at the back of the tree, with no replacement nodes, when a dead node or subnet is discovered.

The maintenance phase of the cycle generally runs from the first Sunday of Advent until January 6th (Feast of the Epiphany, last of the twelve days of Christmas).  Testing at this period is by observation.  Unfortunately, very much like testing, observation can usually tell you which nodes are shining, but not which ones are not.  As per the earlier study, it should be noted that a single node failure does not generally result in subnet failure, but that cumulative failures do.  Therefore, failure to observe and rectify individual node failures frequently result in subnet failures at some point during this phase.  Rectification following subnet failure at this point is extremely difficult, and usually impossible.

The termination phase of the cycle involves “undecorationing,” and return of items to storage.  Testing is possible at this point of the cycle, but is made problematic by a) fatigue, and b) haste in returning items to storage in order to allow for “spring cleaning.”

RESULTS OF TESTING AT DIFFERENT CYCLE PHASES

Initially, this study looked at testing by observation during the maintenance phase.  It was felt that by observation and ongoing rectification, nodes and subnets could be maintained, and would therefore be in good order upon retrieval the following year.

Unfortunately, the following year some nodes and subnets were found to be dead.  Therefore, testing at the termination phase was added.  This had the advantage of allowing notes to be taken during rectification, so that replacements could be purchased in advance, the year after.  As previously noted, this information was maintained, but was not available at a time when it would be useful.

Therefore, testing was added during the requirements phase.  All subnets were tested upon retrieval, replacements were purchased (if one could fight through the crowds at Canadian Tire), and rectification was done prior to implementation.  During implementation phase on that study, it was found that nodes and even subnets were still showing as failed.  This led to the addition of an additional testing point during the design/planning phase.

During this past cycle, all nodes and subnets were tested and rectified during the termination phase.  Upon retrieval, subnets were tested and any failures rectified.  During planning, subnets were again tested and failures rectified.  During implemenation, provision was made for rectification within the process.  So far, in the maintenance phase, failures have been rectified as soon as observed.  (One subnet failure was noted.  The attempt to rectify it was successful, but this is considered anomalous.)  Failure rates between testing points have been observed as high as 14% of total nodes.)

CONCLUSION

The results of the data collected are inescapable.  Testing results in failure.

ACKNOWLEDGEMENT

This study would not have been undertaken without the encouragement and support of Gloria J. Slade.

Share

“Feudal” and the young employee

In respect of Schneier’s article on “feudalism” in security (pledging “fealty” to a company/platform, and relying on the manufacturer/vendor to keep you safe), I’m sitting in a seminar for an ERP product from one of the “giants.”  The speaker has stressed that you need an “easy to use” system, since your young employees won’t attend or pay attention to training (on either systems or your business): they expect things to “just work.”

We’ve also just had a promo video from a company that uses the product.  Close to the ideal of a “virtual” company: head office is in one country, manufacturing in two more, and most of the user base shops online.  It is easy for the security professional to see that this is a situation fraught with peril: online access to vital business, manufacturing, and customer information, privacy issues with a diverse customer base, legal and privacy issues with multiple jurisdictions, and the list goes on.  This is not a situation where “plug and play” and turnkey systems are going to be able to address all the problems.

But, of course, the vendor position is just “Trust us.”

Share

Why can’t my laptop figure out what time zone I’m in, like my cell phone does?

We got new cell phones (mobiles, for you non-North Americans) recently.  In the time since we last bought phones they have added lots of new features, like texting, cameras, email and Google Maps.

This, plus the fact that I am away on a trip right now, and Gloria has to calculate what time it is for me when we communicate (exacerbated by the fact that I never change the time zone on the laptops to local time), prompted her to ask the question above.  (She knows that I have an NTP client that updates the time on a regular basis.  She’s even got the associated clocks, on her desktop, in pink.)

Cell phones, of course, have to know where they are (or, at least, the cellular system has to know where they are) very precisely, so they can be told, by the nearest cell tower, what time it is (or, at least, what time it is for that tower).

Computers, however, have no way of knowing where they are, I explained.  And then realized that I had made an untrue statement.

Computers can find out (or somebody can find out) where a specific computer is when they are on the net.  (And you have to be on the net to get time updates.)  Some Websites use this (sometimes startlingly accurate) information in a variety of amusing (and sometimes annoying or frightening) ways.  So it is quite possible for a laptop to find out what time zone it is in, when it updates the time.

Well, if it is possible, then, in these days of open source, surely someone has done it.  Except that a quick couple of checks (with AltaVista and Google) didn’t find anything like that.  There does seem to be some interest:

http://stackoverflow.com/questions/8049912/how-can-i-get-the-network-time-from-the-automatic-setting-called-use-netw

and there seems to be an app for an Android phone:

https://play.google.com/store/apps/details?id=ru.org.amip.ClockSync&hl=en

(which seems silly since you can already get that from the phone side), but I couldn’t find an actual client or system for a computer or laptop.

So, any suggestions?

Or, anybody interested in a project?

Share

I *thought* “Gangnam style” looked familiar …

REmember “Monty Python and the Holy Grail“?

Share

Still think “climate change” is just an academic curiosity?

A study conducted by scientists at the Royal Botanic Gardens, Kew (UK), in collaboration with scientists in Ethiopia, reports that climate change alone could lead to the extinction of wild Arabica coffee (Coffea arabica) well before the end of this century.”

Not so smug now, are you?

(I trust I do not have to explain the importance of coffee to information security …)

Share

REVIEW: “The Quantum Thief”, Hannu Rajaniemi

BKQNTTHF.RVW   20120724

“The Quantum Thief”, Hannu Rajaniemi, 2010, 978-1-4104-3970-3
%A   Hannu Rajaniemi
%C   175 Fifth Avenue, New York, NY  10010
%D   2010
%G   978-1-4104-3970-3 0765367661
%I   Tor Books/Tom Doherty Assoc.
%O   pnh@tor.com www.tor.com
%O  http://www.amazon.com/exec/obidos/ASIN/0765367661/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0765367661/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0765367661/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   466 p.
%T   “The Quantum Thief”

This is the type of space opera that creates whole worlds, technologies, and languages behind it.  The language or jargon makes it hard to read.  The worlds are confusing, especially since some are real, and some aren’t.  The technologies make it way too easy to pull huge numbers of deuses ex way too many machinas, which strain the ability to follow, or even care about, the plot.  In this situation, the plot can be random, so the impetus for continued reading tends to rely on the reader’s sympathy for the characters.  Unfortunately, in this work, the characters can also have real or imagined aspects, and can change radically after an event.  It was hard to keep going.

Some of the jargon terms can be figured out fairly easily.  An agora, as it was in Greece, is a public meeting place.  Gogol wrote a book called “Dead Peasants,” so gogols are slaves.  Gevulot is the Hebrew word for borders, and has to deal with agreed-upon privacy deals.  But all of them have quirks, and a number of other terms come out of nowhere.

I was prompted to review this book since it was recommended as a piece of fiction that accurately represented some interesting aspects of information security.  Having read it, I can agree that there are some cute descriptions of significant points.  There is mention of a massive public/asymmetric key infrastructure (PKI) system.  There is reference to the importance of social engineering in breaking technical protection.  There is allusion to the increased fragility of overly complex systems.  But these are mentions only.  The asymmetric crypto system has no mention of a base algorithm, of course, but doesn’t even begin to describe the factors in the PKI itself.

If you know infosec you will recognize some of the mentions.  If you don’t, you won’t learn them.  (A specific reference to social engineering actually relates to an implementation fault.)  Otherwise, you may or may not enjoy being baffled by the pseudo-creativity of the story.

copyright, Robert M. Slade   2012     BKQNTTHF.RVW   20120724

Share

Apple Now “Owns” the Page Turn

A blog posting at the New York Times:

“Yes, that’s right. Apple now owns the page turn. You know, as when you
turn a page with your hand. An “interface” that has been around for
hundreds of years in physical form. I swear I’ve seen similar
animation in Disney or Warner Brothers cartoons.  (This is where
readers are probably checking the URL of this article to make sure
it’s The New York Times and not The Onion.)”

Yet more proof that the US patent system, and possibly the whole concept of intellectual property law, is well and truly insane.

What’s even funnier is that, when I read the New York Times blog page that carries this story, I noticed that NYT may be in grave danger of having their pants sued off by Apple (which is, after all, a much larger and more litigious corporation).  At least two of the animated graphical ads on the page feature a little character that rolls down a corner of the ad, inviting you to “Click to see more.”  If you click or even mouseover the ad, then the little figure “turns a page” to let you see the rest of the ad.

(This interface appears to be a standard for either the NYT or Google Ads, since refreshing the page a few times gave me the same display for two different auto manufacturers and, somewhat ironically, for Microsoft.)

(In discussing this with Gloria, she mentioned an online magazine based in Australia which uses a graphical page turning interface for the electronic version of the magazine.  Prior art?  Or are they in danger of getting sued by Apple as well?)

Share

Border (relative) difficulties

I have experienced all kinds of difficulties travelling down to the US to teach.

It used to be a lot easier, in the old days.
Border agent: “Business or pleasure?”
Me: “Business.”
BA: “What are you doing?”
Me: “Teaching.”
BA: “OK.”
Then The-Conservative-Government-Before-The-New-Harperite-Government-Of-Canada decided, in it’s infinite wisdom, to bring in something called the North American Free Trade Agreement, which had provisions to make it “easier” to trade and travel.  Now it’s a royal pain.

(I’ve travelled and taught elsewhere, of course.  Some places I’ve had to get visas.  Nigeria was a nusiance.  Australia was a $20 charge, online, no problem at all.  Last time I taught in Ireland it was “Business or pleasure?”  “Business.”  “Welcome to Ireland!”  Last time I taught in Norway there wasn’t even anyone at the immigration desk.)

Occasionally Americans have complained that they have had troubles coming to work in Canada.  So far I have never heard anything like what I’ve had to go
through.

At the moment I’ve been dealing with American lawyers again.  This has generally been OK, since I usually don’t have to travel for that.  However, this time the other side wants to depose me.  (I suspect they are just doing this for the nusiance value.  As usuall, I’m not doing this as an “expert” witness, just as the only guy who still has the materials.)  So, the origianl plan was for me to fly down to California, spend a day with the lawyers on one side “prepping” me, and spend an hour or two with the other side for the deposition.  They’d have to pay for my fare and travel expenses, as well as my time during prep.

During the call I mentioned that, since he was a lawyer, and presumably had access to other lawyers in their firm who knew something about immigration, they should check on that point, and see if they wanted/needed to do anything about a visa for me.  He didn’t think it was an issue.  I said that, according to the official rules he was right, but that I had seen plenty of cases where the border agents interpretted the rules in idiosyncratic ways, and maybe he should just check.

Today the plan has entirely changed.  At least three lawyers (possibly more), from at least two firms (and possibly more) are flying up from California, renting a boardroom here in Vancouver, renting a court reporter, and staying at least two days (more likely three) to do the prep and deposition.  With all the extra associated costs.  (And all this on behalf of a company that has very stringent travel cost policies: I had to sign off on them for the original contract.)

I think I’ve proved the point: it’s *way* harder to go to the US than to Canada.

Share

User interface

The food fair area of one of the local mall had a facelift recently.  Now, as you walk down the hall towards the washrooms, the first thing you see is a lighted sign stating “WOMEN” on the first hallway that takes off to the right.

Trouble is, that hallway is where the men’s washroom is located.  Unless you know the layout of the mall (and, in this season of the annual Northern-Hemisphere-Mid-Winter-Gift-and-Party-Period, there are lots of guys around who aren’t normally in the mall), you don’t really notice that the triangle next to the word “WOMEN” is actually an arrow, presumably directing you further down the hall, where the hallway to the women’s washroom is actually located.  You have to be closer, and still looking up high, to notice that the word “MEN” is printed above the word “WOMEN,” but is, for some weird design reason, right justified, so that it starts about a foot past the beginning of the word “WOMEN.”

This explains why there are lots of guys coming back up the hall looking for the men’s washroom that they passed on the way down.

User interface is important.

Share

Sandy and BCP

The flooding of New York City was, once again, an example of known threats not being addressed.

It would have been too expensive to do anything about the issues.  (Flood costs currently $50B and rising as more damage is found.)

Of course, nobody could have predicted Sandy, because this was a storm produced by changing conditions.  Brought on by global warming/climate change.  Which is another issue that is too expensive to address …

(Why do I have this old oil filter ad tagline running through my head?  “You can pay me now … or pay me later …”)

Share