Disasters in BC

The auditor general has weighed in, and, surprise, surprise, we are not ready for an earthquake.

On the one hand, I’m not entirely sure that the auditor general completely understands disaster planning, and she hasn’t read Kenneth Myers and so doesn’t know that it can be counter-productive to produce plans for every single possibility.

On the other hand, I’m definitely with Vaughn Palmer in that we definitely need more public education.  We are seeing money diverted from disaster planning to other areas, regardless of a supposed five-fold increase in emergency budget.  In the past five years, the professional association has been defunded, training is very limited in local municipalities, and even recruitment and “thank you” events for volunteers have almost disappeared.  Emergency planning funds shouldn’t be used to pay for capital projects.

(And the province should have been prepared for an audit in this area, since they got a warning shot last year.)

So, once again, and even more importantly, I’d recommend you all get emergency training.  I’ve said it before, I keep saying it, I will keep on saying it.

(Stephen Hume agrees with me, although he doesn’t know the half of it.)


Access vulnerability on Android tablet

I made my first ever “Black Friday” purchase last week.  Staples (for those outside North America, this is a “big box” office supplies store with a large computer and tech section) had a door-crasher special of a Digital2 brand 7″ tablet, running Android 4.1, marked down from $250 to $70.  We had to go past a Staples on an errand, so I stopped in and got it.

I don’t quite regret getting it: particularly at that price it is probably worth it.  I may do a review of its shortcomings at some point.  (Low memory, poor storage management, slow performance, limited battery, incompatible with some apps, poor file management options, many functions irregular.)  However, I came across something this morning that indicates a weakness.

One of the oddities is that there is no indication of charging or battery unless the tablet is on.  So, while charging, I had the tablet on to check the battery level.  The indicator icons are on the lower right of the screen on this model, and, in order to get more details on the charge, I touched that area.  But I had forgotten to unlock the device.

Lo and behold, it brought up the quick indicator list anyway, and, along with it, the notifications.  Prodding at this, I found that I couldn’t get into the settings menu proper, but I could access any of the notification messages.  And, once into any of those apps, I had full access.

(This sounds similar to a number of lock-screen vulnerabilities that I’ve heard of on various Android and iOS versions and devices, but it seemed to be simpler and more direct than most.)



Full details are not out yet, but there was a “police incident” today in North Vancouver, which resulted in the closure of two bridges from the North Shore.

(No, the cops aren’t looking for me.  Although this is fairly near our home, and only a few blocks up the street from where embroidery and quilting guilds meet.)

If you look at the map, you will see that a) the bridges aren’t that close to each other, and b) the incident was close to neither.

By closing both bridges, the police can completely isolate the North Shore from the rest of the world.  (I assume they put checks out at the Seabus and the road up to Squamish, although whoever they were looking for would have to be pretty stupid to head that way.)  Also, by closing the bridges, the police have probably tied up all traffic everywhere on the North Shore as well, preventing the perp from going very far in any case  :-)

Although we don’t know what happened, IHIT indicates a homicide, and the response indicates someone may have been kidnapped, as well.


Risk analysis, traffic analysis, and unusual factors

Canadian terrorists strike again: apparently we are responsible for taking down a major piece of transportation infrastructure, viz., the I-5 bridge over the Skagit River at Mount Vernon.

A friend in Seattle assures me that, while he is disappointed in us, he holds no grudges, and is willing to warn us if he hears of any drone strikes planned for north of the border.

(Allow me, for a moment, to examine this “oversized load” on which everyone is blaming the collapse.  Image 2 in the slide deck [if they don't change it] is this “oversized load.”  You will notice that it is basically an empty box with the two sides missing, and has, relatively, zero structural rigidity.  If a ding from that kind of load brought the bridge down [and didn't even collapse the load itself], the bridge was definitely unsafe.)

I drive that route regularly, and, when I heard that a bridge had gone down, that bridge was the first one I thought of.  I have always felt unsafe crossing it.  There is a wrongness about it you can just feel.

It’s also ugly.  And I am reminded of an essay by an engineer who said that bridges were the most beautiful products of all forms of engineering.  A properly designed bridge has curves, and those curves just feel right.  They are beautiful.

So, if you ever have questions about a bridge, and you don’t have enough facts to go on, just look at it.

If it’s ugly, don’t cross it.


Airline security

Mom and my little sister were supposed to go on a cruise over Christmas.  The first leg of their flight to the embarkation port was cancelled when a door wouldn’t close.  The storm in the midwest, and the consequent meltdown of the North American air travel system, put paid to any chance of getting re-routed.  So they didn’t go.

The door that wouldn’t close on the first flight wasn’t an outside door, it was the cockpit door.  Mom was peeved.  Most people would have complained about the security policy that prevents takeoff without a locked cabin door.  Not Mom.  Her take was that there were lots of security guards around the airport, and that they could have just got one to stand in the doorway for the flight.


Sandy and BCP

The flooding of New York City was, once again, an example of known threats not being addressed.

It would have been too expensive to do anything about the issues.  (Flood costs currently $50B and rising as more damage is found.)

Of course, nobody could have predicted Sandy, because this was a storm produced by changing conditions.  Brought on by global warming/climate change.  Which is another issue that is too expensive to address …

(Why do I have this old oil filter ad tagline running through my head?  “You can pay me now … or pay me later …”)


Hazardous materials and balancing risks

This goes back a bit, but I was reminded of it this morning:

Amazing where you can get inspiration.  I went to an electronics manufacturing trade show, just to keep up with what’s happening over in that sector.  Nothing particularly new that anyone was selling particularly relevant to security.

However, I sat in on a seminar on the new EU “Restriction of (certain) Hazardous Substances” directive.  (This comes into effect in nine days, and there is all kinds of concern over the fact that the specific regulations for compliance haven’t been promulgated yet.  Remember HIPAA, you lot?  :-)

RoHS (variously pronounced “rows,” “row-hoss,” or “rosh”) is intended to reduce or eliminate the use of various toxic materials, notably lead and mercury, from the manufacture of electronic equipment.  This would reduce the toxic waste involved in manufacturing of said equipment, and particularly the toxic materials involved in recycling (or not) old digital junk.  EU countries all have to produce legislation matching the standard, and it affects imports as well.  In addition, other countries are producing similar legislation.  (Somewhat the same as the EU privacy directive, although without the “equivalent protection” clause.)  Korea is getting something very close to RoHS, California somewhat less.  Japan is going after informational labelling only.  China, interestingly, is producing more restrictive laws, but only for items and devices for sale within China.  If you want to manufacture lead, mercury, and hexavalent chromium computers in China for sale to other countries, that is just fine with them.

There are points relevant to various domains.  In terms of physical security, and particularly life safety, there are issues of the environmental hazards of toxic materials in the electronic devices that we use.  (This is especially true in regard to BCP: lead, for example, vaporizes at temperatures seen in building fires.)

There is a certification process for ensuring compliance with the regulations.  Unfortunately, a number of manufacturers are carefully considering whether it is worth complying with the regulations.  Even if the products are compliant in terms of hazardous materials, the documentation required for compliance certificates requires details of materials used that could, to educated engineers and others in competing businesses, give away trade secrets involved in manufacturing processes.

The certification and due diligence processes are, like SOX, recursive.  In order to prove that your products are compliant, you also have to demonstrate that your suppliers, and their products, are also compliant.

There is also an interesting possibility of unintended consequences.  Outside of the glass for CRTs, the major use of lead is in solder.  Increasing the proportion of tin in the solder increases the temperature at which it melts, which is one factor.  However, another is that tin-only solder has a tendency to grow “whiskers.”  (The conditions and time for growing whiskers is not fully understood.)  Therefore, in an attempt to reduce the health risk of toxic materials, RoHS may be forcing manufacturers to produce electronic goods with shorter lifetimes, since the whiskers may become long enough to produce short circuits within electronic devices.  Indeed, these devices may have an additional risk of fire …


REVIEW: “Learning from the Octopus”, Rafe Sagarin

BKLNFOCT.RVW   20120714

“Learning from the Octopus”, Rafe Sagarin, 2012, 978-0-465-02183-3, U$26.99/C$30.00
%A   Rafe Sagarin
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02183-3 0-465-02183-2
%I   Basic Books/Perseus Books Group
%O   U$26.99/C$30.00 800-810-4145 www.basicbooks.com
%O   http://www.amazon.com/exec/obidos/ASIN/0465021832/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/0465021832/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   284 p.
%T   “Learning from the Octopus”

The subtitle promises that we will learn “how secrets from nature can help us fight terrorist attacks, natural disasters, and disease.”  The book does fulfill that aim.  However, what it doesn’t say (up front) is that it isn’t an easy task.

The overall tone of the book is almost angry, as Sagarin takes the entire security community to task for not paying sufficient attention to the lessons of biology.  The text and examples in the work, however, do not present the reader with particularly useful insights.  The prologue drives home the fact that 350 years of fighting nation-state wars did not prepare either society or the military for the guerilla-type terrorist situations current today.  No particular surprise: it has long been known that the military is always prepared to fight the previous war, not this one.

Chapter one looks to the origins of “natural” security.  In this regard, the reader is inescapably reminded of Bruce Schneier’s “Liars and Outliers” (cf. BKLRSOTL.RVW), and Schneier’s review of evolution, sociobiology, and related factors.  But whereas Schneier built a structure and framework for examining security systems, Sagarin simply retails examples and stories, with almost no structure at all.   (Sagarin does mention a potentially interesting biology/security working group, but then is strangely reticent about it.)  In chapter two, “Tide Pool Security,” we are told that the octopus is very fit and functional, and that the US military and government did not listen to biologists in World War II.

Learning is a force of nature, we are told in chapter three, but only in regard to one type of learning (and there is no mention at all of education).  The learning force that the author lauds is that of evolution, which does tend to modify behaviours for the population over time, but tends to be rather hard on individuals.  Sagarin is also opposed to “super efficiency” (and I can agree that it leaves little margin for error), but mostly tells us to be smart and adaptable, without being too specific about how to achieve that.  Chapter four tells us that decentralization is better than centralization, but it is interesting to note that one of the examples given in the text demonstrates that over-decentralization is pretty bad, too.  Chapter five again denigrates security people for not understanding biology, but that gets a bit hard to take when so much of the material betrays a lack of understanding of security.  For example, passwords do not protect against computer viruses.  As the topics flip and change it is hard to see whether there is any central thread.  It is not clear what we are supposed to learn about Mutual Assured Destruction or fiddler crabs in chapter six.

Chapter seven is about bluffing, use and misuse of information, and alarm systems.  Yes, we already know about false positives and false negatives, but this material does not help to find a balance.  The shared values of salmon and suicide bombers, religion, bacterial addicts, and group identity are discussed in chapter eight.  Chapter nine says that cooperation can be helpful.  We are told, in chapter ten, that “natural is better,” therefore it is ironic to note that the examples seem to pit different natural systems against each other.  Also, while Sagarin says that a natural and complex system is flexible and resilient, he fails to mention that it is difficult to verify and tune.

This book is interesting, readable, erudite, and contains many interesting and thought-provoking points.  For those in security, it may be good bedtime reading material, but it won’t be helpful on the job.  In the conclusion, the author states that his goal was to develop a framework for dealing with security problems, of whatever type.  He didn’t.  (Schneier did.)

copyright, Robert M. Slade   2012     BKLNFOCT.RVW   20120714



Keyless Entry Using Your Phone.

1) I keep telling people, the next security risk is the next technology that is there solely for “convenience.”

2) So, your credit cards are going to be in your cell, your bank access is going to be in your cell, your car keys are going to be in your cell, your house keys are going to be in your cell …  All your eggs in one basket–that gets dropped in the toilet, left in coats, drops between couch cushions, gets picked up in bars …

3) You can even unlock it remotely, so social engineering is on the table (“Hey, Mr. iPhone User, we’re from the gas company, and your neighbours are reporting a strong smell from your place, any way you could come back here from your conference on the other coast we found out about from your Facebook account and let us in?”)

4) You could use Wifi at close range, but for remote it probably has to have a unit that hooks up to your phone.  (I suppose another option is to have the locking device be a cellular device, but that seems excessive.)  So, as was mentioned, you have to worry about power outages.  Also interference from other Wifi devices, portable phones, cell phones, microwave ovens …


Child abandonment

There are always two sides (and maybe more) to every story, but:

Police called to a scene where children were reportedly abandoned.  Police arrive to find children on a suburban street, and the mother watching from the porch.

So the police take the mother to jail.


Citizen cyber-protectors?

Marc Goodman (who I believe is FutureCrimes on Twitter and the Web) gave a recent TED talk on trends in the use of high technology in crime.

The 20 minute talk is frightening, with very little in the way of comfort for the protection or security side.  He ends with a call for crowdsourcing of protection.

Now as a transparent society/open source/full disclosure kind of guy, I like the general idea.  But, as someone who has been involved in education, security awareness, and professional security training for some time, I see a few problems.  For crowdsourcing to work, you need a critical mass of at least minimally capable people.  When you are talking about a weather reporting app, that minimal capability isn’t much. When you are talking about detecting cyberwar or bioweapons, the capability levels are a bit different.

Just yesterday the PNWER (Pacific NorthWest Economic Region) conference became the latest to bemoan the lack of trained employees.  I rather suspect these constant complaints, since I see lots of people out of work.  But the people who are whining about employees are just looking for network admins and such.  We need people with more depth and more breadth in their backgrounds.  I get CISSP candidates in my seminars who are network admins who simply want to know a few ACLs for firewalls.  I have to keep telling them that security professionals need to know more than that.

Yes, I am privileged to be able to meet a number who *are* interested in learning everything possible in order to meet any need or problem.  But, relatively speaking, those are few.  And my sample set tends to be abnormal, in that these are people who have already shown some interest in training (even if only job related).  What Goodman is talking about is the general public.  And those of us who have actually tried security awareness know how little conceptual awareness we have to build on, let alone advanced technical knowledge.

I think awareness, self-protection, and crowdsourcing is probably the only good way to approach the problems Goodman outlines.  I just worry that we have a long way to go.


Trust me, I didn’t look right as I typed this …

‘Lying eyes’ are a myth – looking to the right DOESN’T mean you are fibbing.

“Many psychologists believe that when a person looks up to their right they are likely to be telling a lie.  Glancing up to the left, on the other hand, is said to indicate honesty.

“Co-author Dr Caroline Watt, from the University of Edinburgh, said: ‘A large percentage of the public believes that certain eye movements are a sign of lying, and this idea is even taught in organisational training courses. … The claimed link between lying and eye movements is a key element of neuro-linguistic

“According to the theory, when right-handed people look up to their right they are likely to be visualising a ‘constructed’ or imagined event.  In contrast when they look to their left they are likely to be visualising a ‘remembered’ memory.  For this reason, when liars are constructing their own version of the truth, they tend to look to the right.”

“Psychologist Prof Wiseman, from the University of Hertfordshire, said: ‘The results of the first study revealed no relationship between lying and eye movements, and the second showed that telling people about the claims made by NLP practitioners did not improve their lie detection skills.’

However, this study raises a much more serious question.  These types of “skills” are being extensively taught (and sought) by law enforcement and other agencies.  How many investigations are being misdirected and delayed by false suppositions based on NLP “techniques”?  More disturbingly, how many people are being falsely accused, dismissed, or charged due to the same questionable “information”?  (As I keep telling my seminars, when you get sidetracked into pursuing the wrong suspect, the real culprit is getting away free.)

(I guess we’ll have to stop watching “The Mentalist” now …)


Transit of Venus safety tip

Many people around the world are hoping for clear skies to view the transit of Venus across the face of the sun, an event which will not occur again for more than a century. [1]

However, public safety officials are concerned that people may endanger their eyes by looking directly at the sun without eye protection.  Not only will they not be able to see any indications of the transit, but this can, of course, burn the retina of the eye, causing permanent damage, and possibly complete blindness.

However, I have confirmed that ordinary sunglasses are sufficient protection, as long as used correctly. [2]

And the great thing is, this works no matter what “Venus transit” webcam you view, and no matter how brightly you have your monitor cranked up.

(In the spring, generally we would have at least some clear skies for viewing.  However, typically Vancouver, it’s pretty much completely overcast here for the entire run of the transit.)

So, thank goodness for NASA.

[1] It’s rather interesting that the transits occur in pairs, eight years apart, and then more than a century between the eight year pairs.

[2] I hope I don’t have to point out that this is just a joke, and that staring into the sun with only sunglasses as protection is no protection at all.  If anyone doesn’t get it, at least I have a hundred and five years before I get sued.


Phecal photo phorensics

I suppose I really can’t let this one … pass …

Last weekend a young woman fell to her death while on a tandem hang glider ride with an experienced pilot.  The pilot, owner of a company that takes people on hang gliding rides for kicks, promises video of the event: the hang glider is equipped with some kind of boom-mounted camera pointed at the riders.

Somehow the police investigating the incident suspected that the pilot had swallowed the memory card from the video camera.  (Presumably the video was running, and presumably the pilot knew it would show something unfortunate.)  This was later confirmed by x-rays.

So, this week we have all been on “memory card movement” watch.

And it has cr… I mean, come out all right.


Flash! TSA bans bread!

Following the explosions in two BC sawmills, which experts are speculating may have been caused by fine sawdust from excessively dry wood, the TSA has ordered any particulate materials, such as sawdust, flour, and icing sugar, to be banned from all flights.

Also included in the ban are any objects made from particulate materials, such as particleboard, bread, and icing sugar dusted donuts.  (The union representing TSA workers had argued, unsuccessfully, against this last item.)  The TSA’s Director Of Really Dangerous Stuff also noted that materials with larger particle sizes, such as table salt and sand, were also being included in the ban.

At press time, we were still awaiting word on whether computer equipment was to be included in the ban, since silicon chips are commonly said to be made of sand.

(Yeah, yeah, I know, don’t give the TSA ideas …)


Paper safe

I first saw this, appropriately enough, on Improbable Research.  It’s appropriate, because, when you see it, first it makes you laugh.  Then it makes you think.

This guy has created a paper safe.  Yeah, you got that right.  A safe, made out of paper.  No, not special paper: plain, ordinary paper, the kind you have in your recycling bin.  He’s even posted a video on YouTube showing how it works.

Right, so everyone’s going to have a good laugh, yes?  Paper isn’t going to provide any protection, right?  It’s a useless oddity, of interest only to those with an interest in origami, and more free time on their hands than any security professional is likely to get.

Except, then you start thinking about it (if you are any kind of security pro).  First off, it’s a nice illustration of at least one form of combination lock.  And then you realize that the lock is going to be useless unless it’s obscured.  So that brings up the topic of maybe security-by-obscurity does have a function sometimes.

Then you start thinking that maybe it isn’t great as a preventive control, but it sure works as a detective control.  Yeah, it’s easy to smash and get out whatever was in there.  But it’ll sure be obvious if you do.

So that brings up different types of controls, and the reasons you might want different controls in different situations, and whether some perfectly adequate controls may be a) overkill, or b) useless under certain conditions.

It’s not just a cute toy.  It’s pretty educational, too.  No, I’m not going to keep my money in it.  But it makes you think …