Mom and my little sister were supposed to go on a cruise over Christmas.  The first leg of their flight to the embarkation port was cancelled when a door wouldn’t close.  The storm in the midwest, and the consequent meltdown of the North American air travel system, put paid to any chance of getting re-routed.  So they didn’t go.

The door that wouldn’t close on the first flight wasn’t an outside door, it was the cockpit door.  Mom was peeved.  Most people would have complained about the security policy that prevents takeoff without a locked cabin door.  Not Mom.  Her take was that there were lots of security guards around the airport, and that they could have just got one to stand in the doorway for the flight.

The flooding of New York City was, once again, an example of known threats not being addressed.

It would have been too expensive to do anything about the issues.  (Flood costs currently $50B and rising as more damage is found.)

Of course, nobody could have predicted Sandy, because this was a storm produced by changing conditions.  Brought on by global warming/climate change.  Which is another issue that is too expensive to address …

(Why do I have this old oil filter ad tagline running through my head?  “You can pay me now … or pay me later …”)

This goes back a bit, but I was reminded of it this morning:

Amazing where you can get inspiration.  I went to an electronics manufacturing trade show, just to keep up with what’s happening over in that sector.  Nothing particularly new that anyone was selling particularly relevant to security.

However, I sat in on a seminar on the new EU “Restriction of (certain) Hazardous Substances” directive.  (This comes into effect in nine days, and there is all kinds of concern over the fact that the specific regulations for compliance haven’t been promulgated yet.  Remember HIPAA, you lot? 

RoHS (variously pronounced “rows,” “row-hoss,” or “rosh”) is intended to reduce or eliminate the use of various toxic materials, notably lead and mercury, from the manufacture of electronic equipment.  This would reduce the toxic waste involved in manufacturing of said equipment, and particularly the toxic materials involved in recycling (or not) old digital junk.  EU countries all have to produce legislation matching the standard, and it affects imports as well.  In addition, other countries are producing similar legislation.  (Somewhat the same as the EU privacy directive, although without the “equivalent protection” clause.)  Korea is getting something very close to RoHS, California somewhat less.  Japan is going after informational labelling only.  China, interestingly, is producing more restrictive laws, but only for items and devices for sale within China.  If you want to manufacture lead, mercury, and hexavalent chromium computers in China for sale to other countries, that is just fine with them.

There are points relevant to various domains.  In terms of Physical security, and particularly life safety, there are issues of the environmental hazards of toxic materials in the electronic devices that we use.  (This is especially true in regard to BCP: lead, for example, vaporizes at temperatures seem in building fires.)

There is a certification process for ensuring compliance with the regulations.  Unfortunately, a number of manufacturers are carefully considering whether it is worth complying with the regulations.  Even if the products are compliant in terms of hazardous materials, the documentation required for compliance certificates requires details of materials used that could, to educated engineers and others in competing businesses, give away trade secrets involved in manufacturing processes.

The certification and due diligence processes are, like SOX, recursive.  In order to prove that your products are compliant, you also have to demonstrate that your suppliers, and their products, are also compliant.

There is also an interesting possibility of unintended consequences.  Outside of the glass for CRTs, the major use of lead is in solder.  Increasing the proportion of tin in the solder increases the temperature at which it melts, which is one factor.  However, another is that tin-only solder has a tendency to grow “whiskers.”  (The conditions and time for growing whiskers is not fully understood.)  Therefore, in an attempt to reduce the health risk of toxic materials, RoHS may be forcing manufacturers to produce electronic goods with shorter lifetimes, since the whiskers may become long enough to produce short circuits within electronic devices.  Indeed, these devices may have an additional risk of fire …

BKLNFOCT.RVW   20120714

“Learning from the Octopus”, Rafe Sagarin, 2012, 978-0-465-02183-3, U$26.99/C$30.00
%A   Rafe Sagarin
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02183-3 0-465-02183-2
%I   Basic Books/Perseus Books Group
%O   U$26.99/C$30.00 800-810-4145 www.basicbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0465021832/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0465021832/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465021832/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   284 p.
%T   “Learning from the Octopus”

The subtitle promises that we will learn “how secrets from nature can help us fight terrorist attacks, natural disasters, and disease.”  The book does fulfill that aim.  However, what it doesn’t say (up front) is that it isn’t an easy task.

The overall tone of the book is almost angry, as Sagarin takes the entire security community to task for not paying sufficient attention to the lessons of biology.  The text and examples in the work, however, do not present the reader with particularly useful insights.  The prologue drives home the fact that 350 years of fighting nation-state wars did not prepare either society or the military for the guerilla-type terrorist situations current today.  No particular surprise: it has long been known that the military is always prepared to fight the previous war, not this one.

Chapter one looks to the origins of “natural” security.  In this regard, the reader is inescapably reminded of Bruce Schneier’s “Liars and Outliers” (cf. BKLRSOTL.RVW), and Schneier’s review of evolution, sociobiology, and related factors.  But whereas Schneier built a structure and framework for examining security systems, Sagarin simply retails examples and stories, with almost no structure at all.   (Sagarin does mention a potentially interesting biology/security working group, but then is strangely reticent about it.)  In chapter two, “Tide Pool Security,” we are told that the octopus is very fit and functional, and that the US military and government did not listen to biologists in World War II.

Learning is a force of nature, we are told in chapter three, but only in regard to one type of learning (and there is no mention at all of education).  The learning force that the author lauds is that of evolution, which does tend to modify behaviours for the population over time, but tends to be rather hard on individuals.  Sagarin is also opposed to “super efficiency” (and I can agree that it leaves little margin for error), but mostly tells us to be smart and adaptable, without being too specific about how to achieve that.  Chapter four tells us that decentralization is better than centralization, but it is interesting to note that one of the examples given in the text demonstrates that over-decentralization is pretty bad, too.  Chapter five again denigrates security people for not understanding biology, but that gets a bit hard to take when so much of the material betrays a lack of understanding of security.  For example, passwords do not protect against computer viruses.  As the topics flip and change it is hard to see whether there is any central thread.  It is not clear what we are supposed to learn about Mutual Assured Destruction or fiddler crabs in chapter six.

Chapter seven is about bluffing, use  and misuse of information, and alarm systems.  Yes, we already know about false positives and false negatives, but this material does not help to find a balance.  The shared values of salmon and suicide bombers, religion, bacterial addicts, and group identity are discussed in chapter eight.  Chapter nine says that cooperation can be helpful.  We are told, in chapter ten, that “natural is better,” therefore it is ironic to note that the examples seem to pit different natural systems against each other.  Also, while Sagarin says that a natural and complex system is flexible and resilient, he fails to mention that it is difficult to verify and tune.

This book is interesting, readable, erudite, and contains many interesting and thought-provoking points.  For those in security, it may be good bedtime reading material, but it won’t be helpful on the job.  In the conclusion, the author states that his goal was to develop a framework for dealing with security problems, of whatever type.  He didn’t.  (Schneier did.)

copyright, Robert M. Slade   2012     BKLNFOCT.RVW   20120714

Keyless Entry Using Your Phone.

1) I keep telling people, the next security risk is the next technology that is there solely for “convenience.”

2) So, your credit cards are going to be in your cell, your bank access is going to be in your cell, your car keys are going to be in your cell, your house keys are going to be in your cell …  All your eggs in one basket–that gets dropped in the toilet, left in coats, drops between couch cushions, gets picked up in bars …

3) You can even unlock it remotely, so social engineering is on the table (“Hey, Mr. iPhone User, we’re from the gas company, and your neighbours are reporting a strong smell from your place, any way you could come back here from your conference on the other coast we found out about from your Facebook account and let us in?”)

4) You could use Wifi at close range, but for remote it probably has to have a unit that hooks up to your phone.  (I suppose another option is to have the locking device be a cellular device, but that seems excessive.)  So, as was mentioned, you have to worry about power outages.  Also interference from other Wifi devices, portable phones, cell phones, microwave ovens …

There are always two sides (and maybe more) to every story, but:

Police called to a scene where children were reportedly abandoned.  Police arrive to find children on a suburban street, and the mother watching from the porch.

So the police take the mother to jail.

Marc Goodman (who I believe is FutureCrimes on Twitter and the Web) gave a recent TED talk on trends in the use of high technology in crime.

The 20 minute talk is frightening, with very little in the way of comfort for the protection or security side.  He ends with a call for crowdsourcing of protection.

Now as a transparent society/open source/full disclosure kind of guy, I like the general idea.  But, as someone who has been involved in education, security awareness, and professional security training for some time, I see a few problems.  For crowdsourcing to work, you need a critical mass of at least minimally capable people.  When you are talking about a weather reporting app, that minimal capability isn’t much. When you are talking about detecting cyberwar or bioweapons, the capability levels are a bit different.

Just yesterday the PNWER (Pacific NorthWest Economic Region) conference became the latest to bemoan the lack of trained employees.  I rather suspect these constant complaints, since I see lots of people out of work.  But the people who are whining about employees are just looking for network admins and such.  We need people with more depth and more breadth in their backgrounds.  I get CISSP candidates in my seminars who are network admins who simply want to know a few ACLS for firewalls.  I have to keep telling them that security professionals need to know more than that.

Yes, I am privileged to be able to meet a number who *are* interested in learning everything possible in order to meet any need or problem.  But, relatively speaking, those are few.  And my sample set tends to be abnormal, in that these are people who have already shown some interest in training (even if only job related).  What Goodman is talking about is the general public.  And those of us who have actually tried security awareness know how little conceptual awareness we have to build on, let alone advanced technical knowledge.

I think awareness, self-protection, and crowdsourcing is probably the only good way to approach the problems Goodman outlines.  I just worry that we have a long way to go.

‘Lying eyes’ are a myth – looking to the right DOESN’T mean you are fibbing.

“Many psychologists believe that when a person looks up to their right they are
likely to be telling a lie.  Glancing up to the left, on the other hand, is said to
indicate honesty.

“Co-author Dr Caroline Watt, from the University of Edinburgh, said: ‘A large
percentage of the public believes that certain eye movements are a sign of lying,
and this idea is even taught in organisational training courses. … The claimed link
between lying and eye movements is a key element of neuro-linguistic
programming.

“According to the theory, when right-handed people look up to their right they
are likely to be visualising a ‘constructed’ or imagined event.  In contrast when
they look to their left they are likely to be visualising a ‘remembered’ memory.
For this reason, when liars are constructing their own version of the truth, they
tend to look to the right.”

“Psychologist Prof Wiseman, from the University of Hertfordshire, said: ‘The
results of the first study revealed no relationship between lying and eye
movements, and the second showed that telling people about the claims made by
NLP practitioners did not improve their lie detection skills.’

However, this study raises a much more serious question.  These types of “skills” are being extensively taught (and sought) by law enforcement and other agencies.  How many investigations are being misdirected and delayed by false suppositions based on NLP “techniques”?  More disturbingly, how many people are being falsely accused, dismissed, or charged due to the same questionable “information”?  (As I keep telling my seminars, when you get sidetracked into pursuing the wrong suspect, the real culprit is getting away free.)

(I guess we’ll have to stop watching “The Mentalist” now …)

Many people around the world are hoping for clear skies to view the transit of Venus across the face of the sun, an event which will not occur again for more than a century. [1]

However, public safety officials are concerned that people may endanger their eyes by looking directly at the sun without eye protection.  Not only will they not be able to see any indications of the transit, but this can, of course, burn the retina of the eye, causing permanent damage, and possibly complete blindness.

However, I have confirmed that ordinary sunglasses are sufficient protection, as long as used correctly. [2]

And the great thing is, this works no matter what “Venus transit” webcam you view, and no matter how brightly you have your monitor cranked up.

(In the spring, generally we would have at least some clear skies for viewing.  However, typically Vancouver, it’s pretty much completely overcast here for the entire run of the transit.)

So, thank goodness for NASA …

[1] It’s rather interesting that the transits occur in pairs, eight years apart, and then more than a century between the eight year pairs.

[2] I hope I don’t have to point out that this is just a joke, and that staring into the sun with only sunglasses as protection is no protection at all.  If anyone doesn’t get it, at least I have a hundred and five years before I get sued.

I suppose I really can’t let this one … pass …

Last weekend a young woman fell to her death while on a tandem hang glider ride with an experienced pilot.  The pilot, owner of a company that takes people on hang gliding rides for kicks, promises video of the event: the hang glider is equipped with some kind of boom-mounted camera pointed at the riders.

Somehow the police investigating the incident suspected that the pilot had swallowed the memory card from the video camera.  (Presumably the video was running, and presumably the pilot knew it would show something unfortunate.)  This was later confirmed by x-rays.

So, this week we have all been on “memory card movement” watch.

And it has cr… I mean, come out all right.

Following the explosions in two BC sawmills, which experts are speculating may have been caused by fine sawdust caused by excessively dry wood, the TSA has banned any particulate materials, such as sawdust, flour, and icing sugar, to be banned from all flights.

Also included in the ban are any objects made from particulate materials, such as particleboard, bread, and icing sugar dusted donuts.  (The union representing TSA workers had argued, unsuccessfully, against this last item.)  The TSA’s Director Of Really Dangerous Stuff also noted that materials with larger particle sizes, such as table salt and sand, were also being included in the ban.

At press time, we were still awaiting word on whether computer equipment was to be included in the ban, since silicon chips are commonly said to be made of sand.

(Yeah, yeah, I know, don’t give the TSA ideas …)

I first saw this, appropriately enough, on Improbable Research.  It’s appropriate, because, when you see it, first it makes you laugh.  Then it makes you think.

This guy has created a paper safe.  Yeah, you got that right.  A safe, made out of paper.  No, not special paper: plain, ordinary paper, the kind you have in your recycling bin.  He’s even posted a video on YouTube showing how it works.

Right, so everyone’s going to have a good laugh, yes?  Paper isn’t going to provide any protection, right?  It’s a useless oddity, of interest only to those with an interest in origami, and more free time on their hands than any security professional is likely to get.

Except, then you start thinking about it (if you are any kind of security pro.)  First off, it’s a nice illustration of at least one form of combination lock.  And then you realize that the lock is going to be useless unless it’s obscured.  So that brings up the topic of maybe security-by-obscurity does have a function sometimes.

Then you start thinking that maybe it isn’t great as a preventive control, but it sure works as a detective control.  Yeah, it’s easy to smash and get out whatever was in there.  But it’ll sure be obvious if you do.

So that brings up different types of controls, and the reasons you might want different controls in different situations, and whether some perfectly adequate controls may be a) overkill, or b) useless under certain conditions.

It’s not just a cute toy.  It’s pretty educational, too.  No, I’m not going to keep my money in it.  But it makes you think …

Some things are cross-culture it seems. Especially when it comes to trivial security mishaps.
So I’m at a PoS terminal in a large department store in Seoul and while I’m waiting for the register to ring up my order, I look at the touchscreen where I will be asked for my signature in a moment. I notice a little icon that looks like ‘settings’. How can I not click on it?

Oh, it needs a password. Must be this PCI compliance thing everybody is raving about. And no, wiseass, 1-2-3-4-5 doesn’t work.

…But 1-2-3-4 does.

Yup. Unlocked.
Now I need to polish up my Korean to figure out what to do next. Suggestions?

Sorry for the full disclosure guys. And that includes all of you that now need to change your luggage combination.

I’ve mentioned this before.

We seem to have had a number of disasters this year: earthquakes, tsunami, a few hurricanes (with one currently sweeping Japan, and another building right now off the east coast of the US), wildfires, you name it.  In the US, this is National Preparedness Month.

So this is a good time to get trained.  It gets you CPEs, usually for free.

And, in a disaster, it makes you part of the solution, not part of the problem.

Once upon a time, somebody at Microsoft wrote an article on the “10 Immutable Laws of Security.”  (I can’t recall how long ago: it’s now listed as “Archived content.”  And I like the disclaimer that “No warranty is made as to technical accuracy.”)  Now these “laws” are all true, and they are helpful reminders.  But I’m not sure they deserve the iconic status they have achieved.

In terms of significance to security, you have to remember that security depends on situation.  As it is frequently put, one (security) size does not fit all.  Therefore, these laws (which lean heavily towards malware) may not be the most important for all users (or companies).

In terms of coverage, there is little or nothing about management, risk management, classification, continuity, secure development, architecture, telecom and networking, personnel, incidents, or a whole host of other topics.

As a quick recap, the laws are:

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

(Avoid malware.)

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

(Avoid malware, same as #1.)

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

(Quite true, and often ignored.  As I tell my students, I don’t care what technical protections you put on your systems, if I have physical access, I’ve got you.)

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

(Sort of a mix of access control and avoiding malware, same as #1.)

Law #5: Weak passwords trump strong security

(You’d think this relates to access control, like #4, but the more important point is that you need to view security holistically.  Security is like a bridge, not a road.  A road halfway is still partly useful.  A bridge half-built is a joke.  In security, any shortcoming can void the whole system.)

Law #6: A computer is only as secure as the administrator is trustworthy

(OK, there’s a little bit about people.  But it’s not just administrators.  Security is a people problem: never forget that.)

Law #7: Encrypted data is only as secure as the decryption key

(This is known as “Kerckhoffs’ Law.”  It’s been known for 130 years.  More significantly, it is a special case of the fact that security-by-obscurity [SBO] does not work.)

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

(I’m not sure that I’d even go along with “marginally.”  As a malware expert, I frequently run without a virus scanner: a lot of scanners [including MSE] impede my work.  But, if I were worried, I’d never rely on an out-of-date scanner, or one that I considered questionable in terms of accuracy [and there are lots of those around].)

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

(True.  But risk management is a little more complex than that.)

Law #10: Technology is not a panacea

(Or, as (ISC)² says, security transcends technology.  And, as #5 implies, management is the basic foundation of security, not any specific technology.)

Security wanted to open up my suitcase and look at the bag of chargers, USB sticks, etc, and was concerned about the laser pointers.  He decided they were pens, and I didn’t disabuse him of the notion.  Why disturb the tranquility of his ignorance?