OT

Off Topic

User interface

The food fair area of one of the local mall had a facelift recently.  Now, as you walk down the hall towards the washrooms, the first thing you see is a lighted sign stating “WOMEN” on the first hallway that takes off to the right.

Trouble is, that hallway is where the men’s washroom is located.  Unless you know the layout of the mall (and, in this season of the annual Northern-Hemisphere-Mid-Winter-Gift-and-Party-Period, there are lots of guys around who aren’t normally in the mall), you don’t really notice that the triangle next to the word “WOMEN” is actually an arrow, presumably directing you further down the hall, where the hallway to the women’s washroom is actually located.  You have to be closer, and still looking up high, to notice that the word “MEN” is printed above the word “WOMEN,” but is, for some weird design reason, right justified, so that it starts about a foot past the beginning of the word “WOMEN.”

This explains why there are lots of guys coming back up the hall looking for the men’s washroom that they passed on the way down.

User interface is important.

Sandy and BCP

The flooding of New York City was, once again, an example of known threats not being addressed.

It would have been too expensive to do anything about the issues.  (Flood costs currently $50B and rising as more damage is found.)

Of course, nobody could have predicted Sandy, because this was a storm produced by changing conditions.  Brought on by global warming/climate change.  Which is another issue that is too expensive to address …

(Why do I have this old oil filter ad tagline running through my head?  “You can pay me now … or pay me later …”)

Budget and the chain of evidence

Go Public, a consumer advocacy show on CBC, has produced a show on Budget Rent-A-Car overcharging customers for minor repairs.

This rang a bell with me.

In May of 2009, I rented a car from Budget, in order to travel to give a seminar.  Having had troubles with various car rental companies before, I did my own “walk around” and made sure I got a copy of the damage report before I left.  There were two marks on the driver’s door (a small dent, and a scratch), but the Budget employee refused to make two marks in that spot of the form: he said that the one tick covered both.

When I turned in the car, I was told that the tick was only good for the one scratch, and that I would be charged $400 for the dent.  I was also told that, since I had rented the car using my American Express card, I was automatically covered, by American Express, for minor damage, so I should get them to pay for it.

Since I was neither interested in paying myself, nor in assisting in defrauding Amex, I referred to the earlier statement by the employee who had checked the car.  (I had a witness to his statement, as well.)

Thus started a months-long series of phone calls from Budget.  They kept trying to get me to agree to pay the extra $400, and get Amex to reimburse me.  I wasn’t interested.

The phone calls finally stopped when, on one call, I informed the caller (by now identifying himself as someone in the provincial head office for Budget) that I had kept the copy of the original damage report form.  The caller told me that it clearly stated that there was a scratch on the door.  When I asked him how he interpreted the tick mark as a scratch, rather than a dent, he said that the word “scratch” was written on the form.

Well, of course, it hadn’t been written on the form originally.  I guess the caller must have been reasonable high up in the corporate food chain, because he knew what that meant.  I had the original, and it proved that they had messed with their copy.  That breaks the chain of evidence: they had no case at all.

(I still have a scan of that form.  Just in case …)

Hazardous materials and balancing risks

This goes back a bit, but I was reminded of it this morning:

Amazing where you can get inspiration.  I went to an electronics manufacturing trade show, just to keep up with what’s happening over in that sector.  Nothing particularly new that anyone was selling particularly relevant to security.

However, I sat in on a seminar on the new EU “Restriction of (certain) Hazardous Substances” directive.  (This comes into effect in nine days, and there is all kinds of concern over the fact that the specific regulations for compliance haven’t been promulgated yet.  Remember HIPAA, you lot?  :-)

RoHS (variously pronounced “rows,” “row-hoss,” or “rosh”) is intended to reduce or eliminate the use of various toxic materials, notably lead and mercury, from the manufacture of electronic equipment.  This would reduce the toxic waste involved in manufacturing of said equipment, and particularly the toxic materials involved in recycling (or not) old digital junk.  EU countries all have to produce legislation matching the standard, and it affects imports as well.  In addition, other countries are producing similar legislation.  (Somewhat the same as the EU privacy directive, although without the “equivalent protection” clause.)  Korea is getting something very close to RoHS, California somewhat less.  Japan is going after informational labelling only.  China, interestingly, is producing more restrictive laws, but only for items and devices for sale within China.  If you want to manufacture lead, mercury, and hexavalent chromium computers in China for sale to other countries, that is just fine with them.

There are points relevant to various domains.  In terms of Physical security, and particularly life safety, there are issues of the environmental hazards of toxic materials in the electronic devices that we use.  (This is especially true in regard to BCP: lead, for example, vaporizes at temperatures seem in building fires.)

There is a certification process for ensuring compliance with the regulations.  Unfortunately, a number of manufacturers are carefully considering whether it is worth complying with the regulations.  Even if the products are compliant in terms of hazardous materials, the documentation required for compliance certificates requires details of materials used that could, to educated engineers and others in competing businesses, give away trade secrets involved in manufacturing processes.

The certification and due diligence processes are, like SOX, recursive.  In order to prove that your products are compliant, you also have to demonstrate that your suppliers, and their products, are also compliant.

There is also an interesting possibility of unintended consequences.  Outside of the glass for CRTs, the major use of lead is in solder.  Increasing the proportion of tin in the solder increases the temperature at which it melts, which is one factor.  However, another is that tin-only solder has a tendency to grow “whiskers.”  (The conditions and time for growing whiskers is not fully understood.)  Therefore, in an attempt to reduce the health risk of toxic materials, RoHS may be forcing manufacturers to produce electronic goods with shorter lifetimes, since the whiskers may become long enough to produce short circuits within electronic devices.  Indeed, these devices may have an additional risk of fire …

This is [phishing] news?!?

We seem to be missing the boat on security awareness of phishing attacks: it’s not just for bank and credit card accounts anymore.  This article notes the “DHL,” “tax refund,” and similar queries.  I would have thought these were obvious, but they seem to be the most successful ways to get spear phishing and APT information.

Malformed input?

Came back to the computer after some time away, to find the sun shining full on the desk and part of the screen.  And, of course, the screen has blanked from lack of input during that time.

So, I pull the drapes forward to shade the screen–and the screen pops up, even though I haven’t touched the keyboard or the mouse.

Considering this, I realize that a) it’s an optical mouse, and b) it was on the part of the desk that was in the sun, and is now shaded when I pulled the drapes.

So, being a security geek, I start to wonder:

a) how the system interpretted that light?
b) how hard it would be to figure out how to get a laser to create specific “actions” on the computer?  (And if the optical sensor’s range is wide enough that you can do it with an IR laser, so the user doesn’t realize what you are doing?)

Unintended consequences

I’m not sure how far back to go, to get to the beginning.

Could be the time, a few years back, when the townhouse complex’s main water supply, after 30 years of flawless operation, was “upgraded.”  This, of course, inevitably resulted, a couple of years later, in some very odd variations in water pressure.  Some of the time we had little more than a trickle of water in the taps, and occasionally the washing machine took forever to fill.  (The “upgrade” may also have been responsible for the Great Flood of Aught-Nine, out on the main road.  But I digress.)

This year the main pressure regulator for the complex was replaced, and water was back to full pressure.  As a matter of fact, it was back to significantly higher than full pressure.  Filling the washer (or sink) is much quicker than it used to be.  You have to be careful not to turn the kitchen sink on full blast, or much of the counter around it gets sprayed.

A couple of day ago, the upstairs toilet stopped working.  Well, it would still flush, if the tank was full, but refilling slowed to a stream of drips.  (Hypothesis: the intake valve in the tank has blown from the higher water pressure.)  The manager happens to be away this weekend (of course), so we’ve been muddling through.

This morning, while attempting to refill the tank manually, I discovered that, if the tank was in the process of filling itself, and you turned on the bath tap full blast, the toilet would start filling normally.  Further experimentation determined that it had to be full blast: half or even three quarters wasn’t good enough.  (Revised hypothesis: the valve is partly damaged, and reducing the pressure allows it to function, temporarily.)

Weird.

Anyway, it reminded me: if a system as simple as a toilet, and household plumbing, can have these sorts of effects, what makes you think your incredibly complicated IT system, and its protective elements, is working as you think it should be?

Security group fees …

The Cyber Security Research Alliance has just announced it’s formation.

If you want to join, it’s $60,000 for a founding membership, but a mere $15,000 if you want to be an affiliate member.

I think I’ll stick with my membership in the Vancouver Security Special Interest Group (or SecSIG).  We actually celebrate our thirtieth anniversary in January, and, for all of that time, we’ve managed to keep the annual fees to $0.