OT

Off Topic

REVIEW – “The Florentine Deception”, Carey Nachenberg

BKFLODEC.RVW   20150609

“The Florentine Deception”, Carey Nachenberg, 2015, 978-1-5040-0924-9,
U$13.49/C$18.91
%A   Carey Nachenberg http://florentinedeception.com
%C   345 Hudson Street, New York, NY   10014
%D   2015
%G   978-1-5040-0924-9 150400924X
%I   Open Road Distribution
%O   U$13.49/C$18.91 www.openroadmedia.com
%O  http://www.amazon.com/exec/obidos/ASIN/150400924X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/150400924X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/150400924X/robsladesin03-20
%O   Audience n+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   321 p.
%T   “The Florentine Deception”

It gets depressing, after a while.  When you review a bunch of books on the basis of the quality of the technical information, books of fiction are disappointing.  No author seems interested in making sure that the technology is in any way realistic.  For every John Camp, who pays attention to the facts, there are a dozen Dan Browns who just make it up as they go along.  For every Toni Dwiggins, who knows what she is talking about, there are a hundred who don’t.

So, when someone like Carey Nachenberg, who actually works in malware research, decides to write a story using malicious software as a major plot device, you have to be interested.  (And besides, both Mikko Hypponen and Eugene Spafford, who know what they are talking about, say it is technically accurate.)

I will definitely grant that the overall “attack” is technically sound.  The forensics and anti-forensics makes sense.  I can even see young geeks with more dollars than sense continuing to play “Nancy Drew” in the face of mounting odds and attackers.  That a vulnerability can continue to go undetected for more than a decade would ordinarily raise a red flag, but Nachenberg’s premise is realistic (especially since I know of a vulnerability at that very company that went unfixed for seven years after they had been warned about it).  That a geek goes rock-climbing with a supermodel we can put down to poetic licence (although it may increase the licence rates).  I can’t find any flaws in the denouement.

But.  I *cannot* believe that, in this day and age, *anyone* with a background in malware research would knowingly stick a thumb/jump/flash/USB drive labelled “Florentine Controller” into his, her, or its computer.  (This really isn’t an objection: it would only take a couple of pages to have someone run up a test to make sure the thing was safe, but …)

Other than that, it’s a joy to read.  It’s a decent thriller, with some breaks to make it relaxing rather than exhausting (too much “one damn thing after another” gets tiring), good dialogue, and sympathetic characters.  The fact that you can trust the technology aids in the “willing suspension of disbelief.”

While it doesn’t make any difference to the quality of the book, I should mention that Carey is donating all author profits from sales of the book to charity:
http://florentinedeception.weebly.com/charities.html

copyright, Robert M. Slade   2015   BKFLODEC.RVW   20150609

REVIEW: “The Social Life of Information”, John Seely Brown/Paul Duguid

BKSCLFIN.RVW   20130124

“The Social Life of Information”, John Seely Brown/Paul Duguid, 2000,
0-87584-762-5, U$24.95
%A   John Seely Brown
%A   Paul Duguid
%C   60 Harvard Way, Boston MA   02163
%D   2000
%G   0-87584-762-5
%I   Harvard Business School Press
%O   U$25.95 617-495-6947 617-495-6700 617-495-6117 800-545-7685
%O  http://www.amazon.com/exec/obidos/ASIN/0875847625/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0875847625/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0875847625/robsladesin03-20
%O   Audience n+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   320 p.
%T   “The Social Life of Information”

The introduction is vague, but basically notes that those who approach information in a strictly technical or business sense risk failure by ignoring the social context in which information resides.  Information does not exist of itself, but is produced and consumed by people, and thus is a construct and artifact of our social environment.

Chapter one talks about information overload.  Bots are discussed in chapter two: not the botnets (simple programs distributed over multiple computers) that everyone agrees should be eliminated, but the range of software agents that we use without thinking.  The authors note that the interactions between these bots are inherently impossible to control, and the material prophecies the recent problems in content blocking such as affected the Hugo awards and Michelle Obama.  Chapter three examines various social issues of home (or non-office) -based work.  The difference between our processes, and the way people actually work, are addressed in chapter four.  A number of interesting ideas are raised, but it is (ironically) difficult to see how to put these into practice (rather than discussion of what we should do).  Chapter five turns to learning and knowledge management.  The authors assert that learning is primarily social, and note negative effects on business if this aspect is ignored, but actually say very little about learning or information.  Chapter six explores innovation in respect to the Internet and a global economy, noting that information is difficult to control in that it is both “sticky” (resistant to change) and “leaky” (incidental disclosures of “confidential” information abound).  The “background” of information is noted in chapter seven, with the authors examining the resilience of paper in the face of a determined effort to create the “paperless” office.  They note studies showing that “printing” out email seemed to automatically give the data greater weight.  (I wonder if this might have changed in today’s marketplace: sadly, a rather large proportion of people now seem to hold that *anything* found on the Internet, regardless of how silly, must be true.)  Chapter eight, entitled “Re-education,” discusses the changing nature of universities.

There is an afterword, “Beyond Information,” touching on miscellaneous points, particularly to do with copyright.

Despite a certain lack of structure or purpose to some of the sections, the writing is both clear and entertaining.  It also has that ineffable quality of readability, meaning that the reading is enjoyable even when the authors are not delivering specifically interesting information, or making a vital point in an argument.  It’s a joy simply to consume the text.

copyright, Robert M. Slade   2013   BKSCLFIN.RVW   20130124

Big Government vs Big Corp – which is worse?

A programmer has been banned from Google for life.

This appears to be kind of like those Kafka-esque errors that big government sometimes make [1] (and which reinforce the arguments against the “if you’re not doing anything wrong you don’t need privacy” position), with the added factor that there is absolutely nothing that can be done about it.

I suppose an individual programmer could bring civil suit against Google (and its undoubtedly huge population of lawyers) citing material damages for being forbidden from participating in the Google/Play/app store, but I wouldn’t be too sanguine about his chances of succeeding …

 

[1] – since the foreign workers program seems to be being used primarily to bring in workers for the oil and gas sector right now, do you think it would help if she offered to mount a production of “Grease”?

New computers – Windows 8 Phone

I was given a Win8Phone recently.  I suppose it may seem like looking a gift horse in the mouth to review it, but:

I must say, first off, that the Nokia Lumia has a lot of power compared to my other phone (and Android tablets), so I like the responsiveness using Twitter.  The antenna is decent, so I can connect to hotspots, even at a bit of a distance.  Also, this camera is a lot better than those on the three Android machines.

I’m finding the lack of functionality annoying.  There isn’t any file access on the phone itself, although the ability to access it via Windows Explorer (when you plug the USB cable into a Windows 7 or 8 computer) is handy.

I find the huge buttons annoying, and the interface for most apps takes up a lot of space.  This doesn’t seem to be adjustable: I can change the size of the font, but only for the content of an app, not for the frame or surround.

http://www.windowsphone.com/en-us/how-to/wp8 is useful: that’s how I found out how to switch between apps (hold down the back key and it gives you a set of
icons of running/active apps).

The range of apps is pathetic.  Security aside (yes, I know a closed system is supposed to be more secure), you are stuck with a) Microsoft, or b) completely unknown software shops.  You are stuck with Bing for search and maps: no Google, no Gmail.  You are stuck with IE: no Firefox, Chrome, or Safari.  Oh, sorry, yes you *can* get Firefox, Chrome, and Safari, but not from Mozilla, Google, or Apple: from developers you’ve never heard of.  (Progpack, maker(s) of the Windows Phone store version of Safari, admits it is not the real Safari, it just “looks like it.”)  You can’t get YouTube at all.  No Pinterest, although there is a LinkedIn app from LinkedIn, and a Facebook app–from Microsoft.

It’s a bit hard to compare the interface.  I’m comparing a Nokia Lumia 920 which has lots of power against a) the cheapest Android cell phone Bell had when I had to upgrade my account (ver 2.2), b) an Android 4.3 tablet which is really good but not quite “jacket” portable, and c) a Digital2 Android 4.1 mini-tablet which is probably meant for children and is *seriously* underpowered.

Don’t know whether this is the fault of Windows or the Nokia, but the battery indicators/indications are a major shortcoming.  I have yet to see any indication that the phone has been fully charged.  To get any accurate reading you have to go to the battery page under settings, and even that doesn’t tell you a heck of a lot.  (Last night when I turned it off it said the battery was at 46% which should be good for 18 hours.  After using it four times this morning for a total of about an hour screen time and two hours standby it is at 29%.)

(When I installed the Windows Phone app on my desktop, and did some file transfers while charging the phone through USB I found that the app has a battery level indicator on most pages, so that’s helpful.)

Firewalled

Full details are not out yet, but there was a “police incident” today in NorthVancouver, which resulted in the closure of two bridges from the North Shore.

(No, the cops aren’t looking for me.  Although this is fairly near our home, and only a few blocks up the street from where embroidery and quilting guilds meet.)

If you look at the map, you will see that a) the bridges aren’t that close to each other, and b) the incident was close to neither.

By closing both bridges, the police can completely isolate the North Shore from the rest of the world.  (I assume they put checks out at the Seabus and the road up to Squamish, although whoever they were looking for would have to be pretty stupid to head that way.)  Also, by closing the bridges, the police have probably tied up all traffic everywhere on the North Shore as well, preventing the perp from going very far in any case  :-)

Although we don’t know what happened, IHT indicates a homicide, and the response indicates someone may have been kidnapped, as well.

BadBIOS

In recent days there has been much interest in the “BadBIOS” infection being reported by Dragos Ruiu.  (The best overview I’ve seen has been from Naked Security.)  But to someone who has lived through several viral myths and legends, parts of it sound strange.

  • It is said to infect the low-level system firmware of your computer, so it can’t be removed or disabled simply by rebooting.

These things, of course, have been around for a while, so that isn’t necessarily wrong.  However, BIOS infectors never became a major vector.

  • It is said to include components that work at the operating system level, so it affects the high-level operation of your computer, too.
  • It is said to be multi-platform, affecting at least Windows, OS X, and OpenBSD systems.

This sounds bit odd, but we’ve had cross-platform stuff before.  But they never became major problems either.

  • It is said to prevent infected systems being booted from CD drives.

Possible: we’ve seen similar effects over the years, both intentionally and un.

  • It is said to spread itself to new victim computers using Software Defined Radio (SDR) program code, even with all wireless hardware removed.

OK, it’s dangerous to go out on a limb when you haven’t seen details and say something can’t happen, but I’m calling bullshit on this one.  Not that I don’t think someone couldn’t create a communications channel without the hardware: anything the hardware guys can do the software guys can emulate, and vice versa.  However, I can’t see getting an infection channel this way, at least without some kind of minimal infection first.  (It is, of course, possible that the person doing the analysis may have made a mistake in what they observed, or in the reporting of it.)

  • It is said to spread itself to new victim computers using the speakers on an infected device to talk to the microphone on an uninfected one.

As above.

  • It is said to infect simply by plugging in a USB key, with no other action required.

We’ve seen that before.

  • It is said to infect the firmware on USB sticks.

Well, a friend has built a device to blow off dangerous firmware on USB sticks, so I don’t see that this would present any problem.

  • It is said to render USB sticks unusable if they aren’t ejected cleanly; these sticks work properly again if inserted into an infected computer.

Reminds me somewhat of the old “fast infectors” of the early 90s.  They had unintended effects that actually made the infections easy to remove.

  • It is said to use TTF (font) files, apparently in large numbers, as a vector when spreading.

Don’t know details of the internals of TTF files, but they should certainly have enough space.

  • It is said to block access to Russian websites that deal with reflashing software.

Possible, and irrelevant unless we find out what is actually true.

  • It is said to render any hardware used in researching the threat useless for further testing.

Well, anything that gets reflashed is likely to become unreliable and untrustworthy …

  • It is said to have first been seen more than three years ago on a Macbook.

And it’s taken three years to get these details?  Or get a sample to competent researchers?  Or ask for help?  This I find most unbelievable.

In sum, then, I think this might be possible, but I strongly suspect that it is either a promotion for PacSec, or a promo for some presentation on social engineering.

 

Risk management and security theatre

Bruce Schneier is often outrageous, these days, but generally worth reading.  In a piece for Forbes in late August, he made the point that, due to fear and the extra trouble casued by TSA regulations, more people were driving rather than flying, and, thus, more people were dying.

“The inconvenience of extra passenger screening and added costs at airports after 9/11 cause many short-haul passengers to drive to their destination instead, and, since airline travel is far safer than car travel, this has led to an increase of 500 U.S. traffic fatalities per year.”

So, by six years after the event, the TSA had killed more US citizens than had the terrorists.  And continues to kill them.

Given the recent NSA revelations, I suppose this will sound like more US-bashing, but I don’t see it that way.  It’s another example of the importance of *real* risk management, taking all factors into account.

“Poor” decisions in management?

I started reading this article just for the social significance.  You’ve probably seen reports of it: it’s been much in the media.

However, I wasn’t very far in before I came across a statement that seems to have a direct implication to all business management, and, in particular, the CISSP:

“The authors gathered evidence … and found that just contemplating a projected financial decision impacted performance on … reasoning tests.”

As soon as I read that, I flashed on the huge stress we place on cost/benefit analysis in the CISSP exam.  And, of course, that extends to all business decisions: everything is based on “the bottom line.”  Which would seem to imply that hugely important corporate and public policy decisions are made on the worst possible basis and in the worst possible situation.

(That *would* explain a lot about modern business, policy, and economics.  And maybe the recent insanity in the US Congress.)

Other results seem to temper that statement, and, unfortunately, seem to support wage inequality and the practice of paying obscene wages to CEOs and directors: “… low-income people asked to ponder an expensive car repair did worse on cognitive-function tests than low-income people asked to consider cheaper repairs or than higher-income people faced with either scenario.”

But it does make you think …