(Photo) Copyist’s error?

Students of the classics and ancient documents are used to checking for copyist errors, but a photocopier?

And, of course, you can’t trust the machine to check the copy against the original, since it will probably make the same mistake every time.

Actually, with absolutely everything in the world going digital, this type of problem is becoming inevitable, and endemic.  Analogue systems have problems, but digital systems are subject to catastrophic collapse.


Thoughts at the library drop slot

A couple of days ago, I happened to walk over to the library in order to return some items.  When I got there, as all too often is the case, a parent was allowing two of his children to put their returns back into the (single) drop slot.  He noticed me, and offered to take my stuff and return it when they were done.  (Parenthetically [as it were], I should note that, in the five years since the new system was put in place, this is only the second time that a parent, in such a situation, has taken any notice of the fact that they were delaying matters.  The previous one, about a year ago, asked her children to stand aside and let me through.  I digress, but not completely.)

I immediately handed over my pile (which included a recent bestseller, and a recent movie).  (We are all creatures of social convention, and social engineering is a powerful force.)  But, being a professional paranoid, as soon as I walked away I started berating myself for being so trusting.

I was also thinking that his actions were pedagogically unsound.  While he was, at least, assisting me in avoiding delay, he was, just as much as the majority of the parents at that slot, teaching his children that they need have no regard for anyone else.

(And, yes, before I left the library, I checked my account, and determined that he had, in fact, returned my items.  Auditing, you know.)


REVIEW: “Intelligent Internal Control and Risk Management”, Matthew Leitch

BKIICARM.RVW   20121210

“Intelligent Internal Control and Risk Management”, Matthew Leitch, 2008, 978-0-566-08799-8, U$144.95
%A   Matthew Leitch
%C   Gower House, Croft Rd, Aldershot, Hampshire, GU11 3HR, England
%D   2008
%G   978-0-566-08799-8 0-566-08799-5
%I   Gower Publishing Limited
%O   U$114.95 www.gowerpub.com
%O  http://www.amazon.com/exec/obidos/ASIN/0566087995/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0566087995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0566087995/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   253 p.
%T   “Intelligent Internal Control and Risk Management”

The introduction indicates that this book is written from the risk management perspective of the financial services industry, with a concentration on Sarbanes-Oxley, COSO, and related frameworks.  There is an implication that the emphasis is on designing new controls.

Part one, “The Bigger Picture,” provides a history of risk management and internal controls.  Chapter one asks how much improvement is possible through additional controls.  The author’s statement that “[w]hen an auditor, especially an external auditor, recommends an improvement control it is usually with little concern for the cost of implementing or operating that control [or improved value].  The auditor wants to feel ‘covered’ by having recommended something in the face of a risk that exists, at least in theory” is one that is familiar to anyone in the security field.  Leitch goes on to note that there is a disparity between providing real value and revenue assurance, and the intent of this work is increasing the value of business risk controls.  The benefits of trying quality management techniques, as well as those of quantitative risk management, are promoted in chapter two.  Chapter three appears to be a collection of somewhat random thoughts on risk.  Psychological factors in assessing risk, and the fact that controls have to be stark enough to make people aware of upcoming dangers, are discussed in chapter four.

Part two turns to a large set of controls, and examines when to use, and not to use, them.  Chapter five introduces the list, arrangement, and structure.  Controls that generate other controls (frequently management processes) are reviewed in chapter six.  For each control there is a title, example, statement of need, opening thesis, discussion, closing recommendation, and summary relating to other controls.  Most are one to three pages in length.  Audit and monitoring controls are dealt with in chapter seven.  Adaptation is the topic of chapter eight.  (There is a longer lead-in discussion to these controls, since, inherently, they deal with change, to which people, business, and control processes are highly resistant.)  Chapter nine notes issues of protection and reliability.  The corrective controls in chapter ten are conceptually related to those in chapter seven.

Part three looks at change for improvement, rather than just for the sake of change.  Chapter eleven suggests means of promoting good behaviours.  A Risk and Uncertainty Management Assessment (RUMA) tool is presented in chapter twelve, but, frankly, I can’t see that it goes beyond thinking out alternative courses of action.  Barriers to improvement are noted in chapter thirteen.  Roles in the organization, and their relation to risk management, are outlined in chapter fourteen.  Chapter fifteen examines the special needs for innovative projects.  Ways to address restrictive ideology are mentioned in chapter sixteen.  Seven areas that Leitch advises should be explored conclude the book in chapter seventeen.

A number of interesting ideas are presented for consideration in regard to the choice and design of controls.  However, the text is not a guidebook for producing actual control systems.

copyright, Robert M. Slade   2013   BKIICARM.RVW   20121210


A virus too big to fail?

Once upon a time, many years ago, a school refused to take my advice (mediated through my brother) as to what to do about a very simple computer virus infection.  The infection in question was Stoned, which was a boot sector infector.   BSIs generally do not affect data, and (and this is the important point) are not eliminated by deleting files on the computer, and often not even by reformatting the hard disk.  (At the time there were at least a dozen simple utilities for removing Stoned, most of them free.)
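The point about boot sector infectors surviving file deletion and even a reformat is easiest to see on a toy disk image. The following is an added example, not code from the original post: it models a disk as sector 0 (the MBR: 446 bytes of boot code, a partition table, and the 0x55AA signature) plus a handful of “filesystem” sectors, shows that wiping or reformatting the volume never touches sector 0, and shows the defender’s alternative to shipping hardware back to the store: hash the boot code against a known-good copy and rewrite only those 446 bytes. All byte patterns (the clean code, the infector marker, the partition entry) are constructed placeholders, not real Stoned or MBR code.

```python
"""Added example (not from the original post): why a boot-sector infector
survives file deletion and a partition reformat, and how to verify and
restore the sector instead of destroying equipment.  All byte patterns are
constructed for illustration; none is a real boot-sector virus or real MBR."""
import hashlib

SECTOR = 512

# Constructed stand-in for clean boot code: 446 bytes (placeholder, not a real MBR).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 438
# Constructed marker standing in for an infector's code (not a real signature).
FAKE_INFECTOR_CODE = b"\xeb\x10" + b"FAKE-BSI-MARKER" + b"\x00" * 429
# Constructed partition entry: bootable flag, three CHS bytes, type 0x0c (FAT32 LBA).
PARTITION_ENTRY = bytes([0x80, 0, 0, 0, 0x0c])


def make_mbr(boot_code: bytes) -> bytes:
    """Build a 512-byte MBR: 446 bytes of code, 64-byte partition table, 0x55AA."""
    assert len(boot_code) == 446
    partition_table = PARTITION_ENTRY + b"\x00" * 59
    return boot_code + partition_table + b"\x55\xaa"


def make_disk(mbr: bytes, n_sectors: int = 8) -> bytearray:
    """Disk image: MBR at sector 0, constructed 'file data' in the other sectors."""
    disk = bytearray(mbr)
    for i in range(1, n_sectors):
        disk += f"file-data-{i}".encode().ljust(SECTOR, b"\x00")
    return disk


def model_infection(disk: bytearray) -> None:
    """Model a boot-sector infector: it replaces the code bytes of sector 0 and
    leaves the partition table and signature alone, so the disk still boots."""
    disk[0:446] = FAKE_INFECTOR_CODE


def delete_all_files(disk: bytearray) -> None:
    """Zero every sector except sector 0: deleting files never touches the MBR."""
    disk[SECTOR:] = b"\x00" * (len(disk) - SECTOR)


def reformat_partition(disk: bytearray) -> None:
    """A partition format rewrites the volume, which on this toy image is the same
    region file deletion touched; sector 0 is still not part of the volume."""
    delete_all_files(disk)


def boot_code_hash(disk: bytearray) -> str:
    """SHA-256 of the 446 code bytes, the value a defender keeps a known-good copy of."""
    return hashlib.sha256(bytes(disk[0:446])).hexdigest()


def mbr_is_clean(disk: bytearray) -> bool:
    """Compare the boot code to the known-good copy and check the 0x55AA signature."""
    return bytes(disk[0:446]) == CLEAN_BOOT_CODE and bytes(disk[510:512]) == b"\x55\xaa"


def restore_boot_code(disk: bytearray) -> None:
    """Rewrite only the 446 code bytes; partition table and user data are untouched."""
    disk[0:446] = CLEAN_BOOT_CODE


if __name__ == "__main__":
    disk = make_disk(make_mbr(CLEAN_BOOT_CODE))
    model_infection(disk)
    before = boot_code_hash(disk)
    delete_all_files(disk)
    reformat_partition(disk)
    print("boot code unchanged by delete+reformat:", boot_code_hash(disk) == before)
    print("clean before restore:", mbr_is_clean(disk))
    restore_boot_code(disk)
    print("clean after restore:", mbr_is_clean(disk))
```

The lesson is the one the post makes: the infector lives outside the filesystem, so filesystem-level remedies (deleting, reformatting) cannot reach it, while a sector-level check plus a rewrite of the boot code removes it without losing the partition table or the data.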

The school decided to cleanse its entire computer network by boxing it up, shipping it back to the store, and having the store reformat everything.  Which the store did.  The school lost its entire database of student records, and all databases for the library.  Everything had to be re-entered.  By hand.

I’ve always thought this was the height of computer virus stupidity, and that the days when anyone would be so foolish were long gone.

I was wrong.  On both counts.

“In December 2011 the Economic Development Administration (an agency under the US Department of Commerce) was notified by the Department of Homeland Security that it had a malware infection spreading around its network.

“They isolated their department’s hardware from other government networks, cut off employee email, hired an outside security contractor, and started systematically destroying $170,000 worth of computers, cameras, mice, etc.”

The only reason they *stopped* destroying computer equipment and devices was because they ran out of money.  For the destruction process.

Malware is my field, and so I often sound like a bit of a nut, pointing out issues that most people consider minor.  However, malware, while now recognized as a threat, is a field that extremely few people, even in the information security field, study in any depth.  Most general security texts (and, believe me, I know almost all of them) touch on it only tangentially, and often provide advice that is long out of date.

With that sort of background, I can, unfortunately, see this sort of thing happening again.


Lest you think I exaggerate any of this, you can read the actual report.


Fuzzing Samsung Kies

Android fuzzing is always fun – seems that whenever we fuzz an Android app it crashes within seconds.

Samsung Kies was no different. With the help of the talented Juan Yacubian (who built the Kies module in no time) we launched beSTORM against Kies… And saw it crash in a record 23 seconds (just over 1,100 attack combinations).

Next on the agenda: install gdb for Android and build the proper payload.

Samsung Kies Crash



REVIEW: “The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski

BKTNGWEB.RVW   20121207

“The Tangled Web: A Guide to Securing Modern Web Applications”, Michael Zalewski, 2012, 978-1-59327-388-0, U$49.95/C$52.95
%A   Michael Zalewski
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2012
%G   978-1-59327-388-0 1-59327-388-6
%I   No Starch Press
%O   U$49.95/C$52.95 415-863-9900 fax 415-863-9950 info@nostarch.com
%O  http://www.amazon.com/exec/obidos/ASIN/1593273886/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1593273886/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593273886/robsladesin03-20
%O   Audience a Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   299 p.
%T   “The Tangled Web: A Guide to Securing Modern Web Applications”

In the preface, the author dismisses security experts as academic, ineffectually worried, and unaware of the importance of the Web.  (Zalewski makes reference to a “confused deputy problem” being “regularly” referred to in academic security literature.  I’ve never heard of it.)  He blames them for the current insecure state of Web applications.  I suspect this is a bit unfair, given the “citizen programmer” status of huge numbers of Web projects, and the time and feature pressure this places on the rest.  It is unfortunate that some security specialists have not regarded the Web as significant, but it is critical that most security specialists don’t know how to program, and most programmers don’t care anything about security.

He also says the book is about repentance, and a step towards normalcy.  (Normalcy is not defined.)

Chapter one is an introduction, both to information security, and to Web application development.  Starting off by misattributing one of Gene Spafford’s quotes, the author complains about any and all attempts to structure or define security.  (Rather inconsistently, while he derides taxonomies, he does recommend designing systems so as to deal with “classes” of bugs.  The difference between a class and a taxon is not explained.)

Part one outlines the principal concepts of the Web.  Chapter two starts us off with the URL (Uniform Resource Locator), noting some of the problems with different types of encoding.  From this point in the book, each chapter concludes with a “Security Engineering Cheat Sheet,” listing potential problems, and suggesting broad approaches (without details) to dealing with those issues.  HTTP (the HyperText Transfer Protocol) is the subject of chapter three, primarily concerning the handling of user data.  (Since the author is fond of quotes, I’ll give him one from Tony Buckland, several years before the invention of the Web: “The client interface is the boundary of trustworthiness.”)  Chapters four to eight cover HTML (HyperText Markup Language), CSS (Cascading Style Sheets), browser scripting (concentrating exclusively on JavaScript), non-HTML data (mostly XML), and plug-ins.

Part two turns to browser security features.  Chapter nine talks about isolating content, so that different sites or documents don’t interfere with each other.  Determining where and to whom a page belongs is addressed in chapter ten.  Chapter eleven expands the details of problems caused by allowing disparate documents to interact.  Other security boundaries, such as local storage, networks, ports, and cookies, are reviewed in chapter twelve.  Recognizing content, when the “Content-Type” description may be problematic, is in chapter thirteen.  Chapter fourteen suggests ways to deal with malicious scripts.  Specifically setting or raising permissions is discussed in chapter fifteen.

Part three looks ahead to Web application security issues as they may develop in the future.  New and coming security features are noted in chapters sixteen and seventeen.  Chapter eighteen reviews the all-too-common Web vulnerabilities (such as cross-site scripting and “Referer” leakage).

Absent the complaints about the rest of the security field, this is a decent and technical guide to problems which should be considered for any Web application project.  It’s not a cookbook, but provides solid advice for designers and developers.

copyright, Robert M. Slade   2013   BKTNGWEB.RVW   20121207


Hiding in Plain Sight

“Charity, dear Miss Prism, charity! None of us are perfect. I myself am peculiarly susceptible to draughts.” (Dr. Chasuble, in The Importance of Being Earnest)

Not long ago, I was – inevitably – asked a number of questions about NSA and Prism, one of which was “Can you protect yourself against it somehow?”

To which I responded: “I suspect that effective self-concealment from SIGINT functionality like ECHELON is probably not only out of reach of the average person, but might also actually attract more active investigation.”

And it seems I wasn’t far wrong. Subsequent revelations indicate that – as Lisa Vaas of Sophos (among many others) observed – Using Tor and other means to hide your location piques NSA’s interest in you. That works because people who hide their location will be assumed to be non-Americans, and those of us outside the US are considered fair game even if we’re communicating with Americans. Still, there’s a sufficiency of loopholes that make USians talking to USians almost equally justifiable as targets.

In particular, it turns out that “all communications that are enciphered or reasonably believed to contain secret meaning” are also fair game, even if they’re known to be domestic. But the grounds for hanging onto harvested information apparently include communications containing “significant foreign intelligence information”, “evidence of a crime”, “technical data base information” (such as encrypted communications), or “information pertaining to a threat of serious harm to life or property”. You might wonder how many electronic communications aren’t encrypted these days at some stage during their transmission… But I suppose it doesn’t really matter whether the NSA is exceeding its brief by paying too much attention to too many all-American transactions, since apparently the UK’s GCHQ is tapping every fibre-optic cable it can lay hands on and sharing its data with our Transatlantic cousins.

It might seem strange that the security community isn’t getting more worked up about all this, but that’s probably because none of us really believe that government and law enforcement agencies worldwide aren’t carrying out information gathering and analysis to the fullest extent that their resources permit. The problem with establishing a balance between the right to privacy of the individual and the right to security of the majority is not really about the gathering of information. Not that there’s much likelihood of the forty-niners (I’m thinking Gold Rush, not football) of the world’s intelligence agencies giving up panning the gravel beds of the world’s data streams.

What really matters is (a) what they do with the nuggets and (b) what they do with stuff that isn’t nuggets. It would be nice to think that where legislation limiting the State’s right to surveillance fails because of the sheer volume of data, legislation limiting the use that can be made of information gathered collaterally would at least partly compensate. However, it’s none too clear that this is the case right now in the Five Eyes community, far less among states with less of a tradition of observing democratic and libertarian principles. In the meantime, if you’re at all concerned about the privacy of your data, you might want to consider John Leyden’s suggestion of a combination of carrier pigeon and one-time pad. Bearing in mind that if an out-of-band communication does come to the attention of the authorities, it’s likely to attract attention rather than deflect it. Which is where I came in.

“The good ended happily, and the bad unhappily. That is what fiction means.” (Miss Prism, in The Importance of Being Earnest)


REVIEW: “Consent of the Networked”, Rebecca MacKinnon

BKCNSNTW.RVW   20121205

“Consent of the Networked”, Rebecca MacKinnon, 2012, 978-0-465-02442-1, U$26.99/C$30.00
%A   Rebecca MacKinnon
%C   387 Park Ave. South, New York, NY   10016-8810
%D   2012
%G   978-0-465-02442-1 0-465-02442-1
%I   Basic Books
%O   U$26.99/C$30.00 special.markets@perseusbooks.com
%O  http://www.amazon.com/exec/obidos/ASIN/0465024421/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0465024421/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0465024421/robsladesin03-20
%O   Audience n Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   294 p.
%T   “Consent of the Networked: The Worldwide Struggle for Internet Freedom”

In neither the preface nor the introduction is there a clear statement of the intent of this work.  The closest comes buried towards the end of the introduction, in a sentence which states “This book is about the new realities of power, freedom, and control in the Internet Age.”  Alongside other assertions in the opening segments, one can surmise that MacKinnon is trying to point out the complexities of the use, by countries or corporations, of technologies which enhance either democracy or control, and the desirability of a vague concept which she refers to as “Internet Freedom.”

Readers may think I am opposed to the author’s ideas.  That is not the case.  However, it is very difficult to critique a text, and suggest whether it is good or bad, when there is no clear statement of intent, thesis, or terminology.

Part one is entitled “Disruptions.”  Chapter one outlines a number of stories dealing with nations or companies promising freedom, but actually censoring or taking data without informing citizens or users.  The “digital commons,” conceptually akin to open source but somewhat more nebulous (the author does, in fact, confuse open source and open systems), is promoted in chapter two.

Part two turns more directly to issues of control.  Chapter three concentrates on factors the Republic of China uses to strengthen state censorship.  Variations on this theme are mentioned in chapter four.

Part three examines challenges to democracy.  Chapter five lists recent US laws and decisions related to surveillance and repression of speech.  The tricky issue of making a distinction between repression of offensive speech on the one hand, and censorship on the other, is discussed in chapter six.  The argument made about strengthening censorship by taking actions against intellectual property infringement, in chapter seven, is weak, and particularly in light of more recent events.

Part four emphasizes the role that corporations play in aiding national censorship and surveillance activities.  Chapter eight starts with some instances of corporations aiding censorship, but devolves into a review of companies opposed to “network neutrality.”  Similarly, chapter nine notes corporations aiding surveillance.  Facebook and Google are big, states chapter ten, but the evil done in stories given does not inherently relate to size.

Part five asks what is to be done.  Trust but verify, says (ironically) chapter eleven: hold companies accountable.  MacKinnon mentions that this may be difficult.   Chapter twelve asks for an Internet Freedom Policy, but, since the author admits the term can have multiple meanings, the discussion is fuzzy.  Global Information Governance is a topic that makes chapter thirteen apposite in terms of the current ITU (International Telecommunications Union) summit, but the focus in the book is on the ICANN (Internet Committee on Assigned Names and Numbers) top level domain sale scandals.  The concluding chapter fourteen, on building a netizen-centric Internet is not just fuzzy, but full of warm fuzzies.

There are a great many interesting news reports, stories, and anecdotes in the book.  There is a great deal of passion, but not much structure.  This can make it difficult to follow topical threads.  This book really adds very little to the debates on these topics.

copyright, Robert M. Slade   2013   BKCNSNTW.RVW   20121205


Nopcon 2013 is here

Douglas Adams is still right: No language has the phrase “As pretty as an airport”. But in my humble opinion, airports have come a long way in the last 10 years. Or maybe my expectations have become so low, I can’t be disappointed. Either way, it seems to me going through an airport isn’t as bad or boring or inconvenient as it used to be.
I’m not just talking about the East-Asian airports (Hong Kong, Seoul, Singapore) which have always been stellar. Even the infamous American airports are newer, and more convenient.

I’m giving you this airport cheer-leading chant because if you live in Europe, you should go and check out how much your airport has improved since you’ve last seen it. Then, take a flight to Istanbul. Not just because Istanbul is one of the nicest cities in Europe but also because Nopcon is taking place June 6, and has a very interesting and incredibly original speaker lineup: Moti Joseph, Nikita Tarakanov, Gökhan Alkan, Svetlana Gaivoronski, Canberk Bolat and Ahmet Cihan (aka Hurby). Nice!

More info here: http://www.nopcon.org/


Risk analysis, traffic analysis, and unusual factors

Canadian terrorists strike again: apparently we are responsible for taking down a major piece of transportation infrastructure, viz., the I-5 bridge over the Skagit river at Mount Vernon.

A friend in Seattle assures me that, while he is disappointed in us, he holds no grudges, and is willing to warn us if he hears of any drone strikes planned for north of the border.

(Allow me, for a moment, to examine this “oversized load” on which everyone is blaming the collapse.  Image 2 in the slide deck [if they don't change it] is this “oversized load.”  You will notice that it is basically an empty box with the two sides missing, and has, relatively, zero structural rigidity.  If a ding from that kind of load brought the bridge down [and didn't even collapse the load itself], the bridge was definitely unsafe.)

I drive that route regularly, and, when I heard that a bridge had gone down, that bridge was the first one I thought of.  I have always felt unsafe crossing it.  There is a wrongness about it you can just feel.

It’s also ugly.  And I am reminded of an essay by an engineer who said that bridges were the most beautiful products of all forms of engineering.  A properly designed bridge has curves, and those curves just feel right.  They are beautiful.

So, if you ever have questions about a bridge, and you don’t have enough facts to go on, just look at it.

If it’s ugly, don’t cross it.


REVIEW: “Cloud Crash”, Phil Edwards

BKCLDCRS.RVW   20101009

“Cloud Crash”, Phil Edwards, 2011, 978-1466408425, U$9.99
%A   Phil Edwards PhilEdwardsInc.com philipjedwards@gmail.com
%C   Seattle, WA
%D   2011
%G   978-1466408425 1466408421
%I   CreateSpace Independent Publishing Platform/Amazon
%O   U$9.99
%O  http://www.amazon.com/exec/obidos/ASIN/1466408421/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1466408421/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1466408421/robsladesin03-20
%O   Audience n Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   386 p.
%T   “Cloud Crash”

To a background of the Internet crashing, and opposed by a conspiracy that has penetrated the highest levels of government, two (no, make that three … err … four … better say five …) groups of individuals race to save the world from … a stock market fraud?  hostile takeover? aliens?  (No, I’m pretty sure the aliens were a red herring.)

The story and inconsistent characterizations could use some work, and the plot twists don’t make it very easy to follow what is going on.  It’s fairly easy to tell who the good and bad guys are: the politics and philosophy of the book are fairly simple, and one is reminded of the scifi and comics of the 30s and 40s, with heavily anti-fascist and (ironically) right-wing rhetoric.

It would be tempting to dismiss the work as a simple “jump on the latest buzzword” potboiler, were it not for the fact that the technology is fairly realistic.  Yes, right now everyone is jumping on the cloud bandwagon without much regard for real security.  Yes, if you wanted to make a big (and public) splash on the Internet, without doing too much permanent damage, taking down power supplies would still leave the data intact.  (Of course, an axe would do just as good a job as bombs …)

So, while the story isn’t great, at least the technology is less annoying than is normally the case …

copyright, Robert M. Slade   2012     BKCLDCRS.RVW   20101009


REVIEW: “Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch

BKSCPRO2.RVW   20121122

“Security and Privacy for Microsoft Office 2010 Users”, Mitch Tulloch, 2012, 0735668833, U$9.99
%A   Mitch Tulloch info@mtit.com www.mtit.com
%C   1 Microsoft Way, Redmond, WA   98052-6399
%D   2012
%G   0735668833
%I   Microsoft Press
%O   U$9.99 800-MSPRESS fax: 206-936-7329 mspinput@microsoft.com
%O  http://www.amazon.com/exec/obidos/ASIN/0735668833/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0735668833/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0735668833/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   100 p.
%T   “Security and Privacy for Microsoft Office 2010 Users”

Reducing the complex jargon in the introduction to its simplest terms, this book is intended to allow anyone who uses the Microsoft Office 2010 suite, or the online Office 365, to effectively employ the security functions built into the software.  Chapter one purports to present the “why” of security, but does a very poor job of it.  Company policy is presented as a kind of threat to the employee, and this does nothing to ameliorate the all-too-common perception that security is there simply to make life easier for the IT department, while it makes work harder for everyone else.

Chapter two examines the first security function, called “Protected View.”  The text addresses issues of whether or not you can trust a document created by someone else, and mentions trusted locations.  (Trusted locations seem simply to be defined as a specified directory on your hard drive, and the text does not discuss whether merely moving an unknown document into this directory will magically render it trustworthy.  Also, the reader is told how to set a trusted location, but not an area for designating untrusted files.)  Supposedly “Protected View” will automatically restrict access to, and danger from, documents you receive from unknown sources.  Unfortunately, having used Microsoft Office 2010 for a couple of years, and having received, in that time, hundreds of documents via email and from Web sources, I’ve never yet seen “Protected View,” so I’m not sure how far I can trust what the author is telling me.  (In addition, Tulloch’s discussion of viruses had numerous errors: Concept came along five years before Melissa, and some of the functions he attributes to Melissa are, in fact, from the CHRISTMA exec over a decade earlier.)

Preparation of policy is promised in chapter three, but this isn’t what most managers or security professionals would think of as policy: it is just the provision of a function for change detection or digital signatures.  It also becomes obvious, at this point, that Microsoft Office 2010 and Office 365 can have significantly different operations.  The material is quite confusing with references to a great many programs which are not part of the two (2010 and 365) MS Office suites.

Chapter four notes the possibility of encryption with a password, but the discussion of rights is unclear, and a number of steps are missing.

An appendix lists pointers to a number of references at Microsoft’s Website.

The utility of this work is compromised by the fact that it provides instructions for functions, but doesn’t really explain how, and in what situations, the functions can assist and protect the user.  Any employee using Microsoft Office will be able to access the operations, but without understanding the concepts they won’t be able to take advantage of what protection they offer.

copyright, Robert M. Slade   2012     BKSCPRO2.RVW   20121122


Fake security can hurt you …

“Fraudster James McCormick has been jailed for 10 years for selling fake bomb detectors. … One invoice showed sales of £38m over three years to Iraq, the judge said.”

http://www.bbc.co.uk/news/uk-22380368

Closer to our technical field, we know about the pure fraud of fake AV, of course.  And there are plenty of companies out there selling shoddy products.  But there are also the “consultants” out there doing desultory work, and spending more time on building a client base than doing any research or analysis.  (I recently ran into a monitoring and surveillance “expert” who had no idea about the problems with IP-connected video cameras.)  Some of them even hold CISSP certificates.

This is basically the whole reason behind the certificate: to have a standard that allows people to expect a minimal level of competence.  It’s not perfect, never will be, and there are other attempts (so far seemingly even less successful) at doing the same thing.  We need to assist the process, where we can, even if we don’t feel like pushing the ISC2 “brand.”

Do what you can to help.  Even if it is just pointing out fixable errors.

(When was the last time you submitted a question to the exam committee?)


Why BC holds the record for “World’s Weirdest Politicians”

Whenever political pundits get together, they all start the competition for “our politicians are more corrupt/venal/just plain weird than yours.”  Whenever anyone from BC enters the fray, everyone else concedes.

Herewith our latest saga.

The ruling “Today’s BC Liberal Party” is finding itself polling behind the NDP.  (Do not let the word “liberal” in the party name fool you.  Whereas pretty much every other liberal party would be centre-left, the BC Liberals are, politically, somewhat to the right of Attila the Hun.)  The Liberals are running attack ads stating that, twelve years ago, the leader of the NDP backdated a memo.

(No, I’m not making this up.)

The Liberals have just released another version of the same attack ad, this time using a snippet of footage from the recent leaders debate.  Trouble is, the media consortium that ran the debate has copyright on the video of the debate, and all parties agreed that none of the material would be used for political purposes.

The Liberals, called on their use of the video, have refused to take it down.

(How old do you have to be to understand the meaning of “copyright infringement?”)

(I am eagerly awaiting the next installment of this story.  I assume the lawyers paid for by Today’s BC Liberals [or possibly by public money: that's happened before] will argue the provisions of “fair use,” and claim that the attack ads are commentary, or even educational …)


REVIEW: “World War Hack”, Ethan Bull/Tsubasa Yozora

BKWWHACK.RVW   20121009

“World War Hack”, Ethan Bull/Tsubasa Yozora, 2012, 978-0-9833670-8-6
%A   Ethan Bull
%A   Tsubasa Yozora
%C   9400 N. MacArthur Blvd., Suite 124-215, Irving, TX   75063
%D   2012
%E   Gwendolyn Borgen
%G   978-0-9833670-8-6 0-9833670-8-6
%I   Viper Entertainment Inc./Viper Comics
%O   U$7.95 wyatt@worldwarhack.com www.worldwarhack.com
%O   http://www.amazon.com/exec/obidos/ASIN/0983367086/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0983367086/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0983367086/robsladesin03-20
%O   Audience n- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   72 p.
%T   “World War Hack”

Someone (eventually we find out they are backed by the Chinese) has hacked into the United States military and government control systems.  Fortunately, despite being in complete control and untraceable, all they seem to want to do is make one military drone act up.

The US government immediately swings into action, and sponsors a hacking contest, to try and identify suitably talented young geniuses (genii?) to find out what is going on.

It’s hard to follow what is going on, since the artwork makes it difficult to differentiate between characters.  There are young people with bad haircuts, and there are other people with suits.  Some people are female.  After that, it gets hard to tell who’s who.  One of the hackers is a government agent, another one has a criminal record but seems to be a son of a suited government agent.

Some of the technical and hacking activity is somewhat realistic, but other aspects are bizarre, and betray a complete lack of understanding of basic technology.  For example, at one point a programming language gets “hacked” (in the sense of being broken into), and at another a government administrator can’t tell what computer language a specific program has been written in.  In the real world of programming and hacking neither of these scenarios makes any sense.  Absent Ken Thompson’s famous “Reflections on Trusting Trust” speech (where it is the compiler, not the language, that is subverted) nobody “hacks” a language, and generally nobody cares what language has been used to write a utility once it is operating.  (By the way, no programmer ever said LISP was a concise language, and there is no way that even a “skin” on top of LISP would look like C.)  At another point two devices “piggyback” on the same IP address, which simply does not work in networking terms.

There are aspects of this story that are realistic.  One is that, if you are not careful with your systems, someone can penetrate them and mess with you.  If there are any other useful factors in this story, I can’t think of them offhand.

(As usual, the draft of this review was submitted to the author/publisher for comment prior to publication.  I often get rude email in response, sometimes threats of physical harm, and once even a death threat.  [Yes, really.]  In this case the publisher has threatened unspecified legal action “to protect the copyright on our work.”  I would be interested to see the publisher’s reaction to counsel explaining the “commentary” aspect of the concept of “fair use.”)

copyright, Robert M. Slade   2012     BKWWHACK.RVW   20121009

Share

Password reset questions

Recently there was some discussion about “self-service” password resets.  The standard option, of course, is to have some sort of “secret question” that the true account holder should be able to answer.  You know: super-secret stuff like your pet’s name.  (Yes, Paris Hilton, I’m talking about you.)

The discussion was more detailed, turning to policy and options, and asked whether you should turn off “custom” questions, and stick to a list of prepared questions.

I would definitely allow custom questions.  The standard lists never seem to give me options that a) I can remember, and b) wouldn’t be immediately obvious to anyone who was able to find out some minimal information about me.

If I can make up my own question, I can ask myself what my favourite burial option would be.  The answer, “encryption,” is something I will remember to my dying day, and nobody else is ever going to guess.  (Well, those who have read the “Dictionary of Information Security” might guess that one, so I guess I won’t actually use it.)

Go ahead: try and guess what is the only pain reliever that works for me.

What sits under my desk and keeps the computers running in the case of a power failure?

What is Gloria’s favourite ice cream flavour?

Finish the following sentence: Don’t treat Rob as your _______ ___.  (This is a two-factor authentication: you also have to fill in the standard response to that statement.)

The thing is, all of these oddball questions have special meaning for Gloria and me, but for very few other people in the world.  They rely on mistakes or quirks that have become “family phrases.”  For example, what do you need before bed to get to sleep?  Answer: “warum melek,” coming from an elderly lady of our acquaintance from a northern European background.

Yeah, I like “custom questions” a lot.

(OK, yes, you do have to do a bit of security awareness training to indicate that “who is my sweetie poo” may not be as secret as some people seem to think …)
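Whichever way the policy question is decided, the answers to reset questions deserve the same handling as passwords, and the awareness-training point above can be backed up with a little enforcement.  The following is an added example, not code from the original post or from any product discussed in it: it stores only a salted hash of each answer, normalizes case and spacing before hashing, refuses answers that are blocklisted or merely repeat a word from the (possibly custom) question, and locks the question after repeated wrong guesses.  The function names, the tiny WEAK_ANSWERS list and the lockout threshold are assumptions made for the example.

```python
# Added example, not from the original post: store and check the answers
# to self-service reset questions the way you would store passwords, and
# refuse answers that are guessable from minimal research.  Names such as
# enroll/verify, the WEAK_ANSWERS list and MAX_FAILURES are assumptions.
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed, deliberately tiny blocklist of "pet's name" style answers.
# A real deployment would use a much larger list of common answers.
WEAK_ANSWERS = {"fluffy", "fido", "rover", "tinkerbell", "password", "123456"}

PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5          # lock the question after this many wrong answers


def normalize(answer: str) -> str:
    """Canonicalise an answer so that 'Fido ' and 'fido' still match.
    Normalisation happens before hashing, so it does not weaken the
    comparison itself."""
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.casefold().split())


def is_weak(question: str, answer: str) -> bool:
    """True if the answer is too short, blocklisted, or simply repeats a
    word that already appears in the (possibly custom) question."""
    norm = normalize(answer)
    if len(norm) < 4 or norm in WEAK_ANSWERS:
        return True
    question_words = set(re.findall(r"\w+", normalize(question)))
    return norm in question_words


def _digest(answer: str, salt: bytes) -> bytes:
    """Salted, slow hash of the normalised answer (same as for a password)."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def enroll(question: str, answer: str) -> dict:
    """Record a question; only a salted hash of the answer is kept."""
    if is_weak(question, answer):
        raise ValueError("answer is too easy to guess")
    salt = os.urandom(16)
    return {"question": question, "salt": salt,
            "hash": _digest(answer, salt), "failures": 0}


def verify(record: dict, answer: str) -> bool:
    """Constant-time check, with a failure counter so the reset path
    cannot be brute-forced any more freely than the login itself."""
    if record["failures"] >= MAX_FAILURES:
        return False
    ok = hmac.compare_digest(_digest(answer, record["salt"]), record["hash"])
    if ok:
        record["failures"] = 0
    else:
        record["failures"] += 1
    return ok


if __name__ == "__main__":
    rec = enroll("What sits under my desk?", "the UPS")
    print(verify(rec, "The  ups"))   # normalisation absorbs case and spacing
    print(verify(rec, "my desk"))    # wrong answer, increments the counter
```

The normalization step is the one part that deserves thought in practice: folding case and whitespace makes the family-phrase answers above usable without exact recall, but every transformation you apply also shrinks the space an attacker has to search, so keep it to the minimum that real users need.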

Share