Category Archives: Security

The new US Assistant Secretary for Cyber Security

I am not sure what to make of the news that a former employee of the Information Technology Association of America (ITAA) has been appointed to Assistant Secretary for Cyber Security.

First of all, sourcewatch has some extremely disturbing background information on the lobbying done by the ITAA on behalf of electronic voting companies:

ITAA has also tried to help its electronic voting machine manufacturer members combat an onslaught of negative publicity from technical problems, faulty security measures, concerns raised by computer scientists and security experts, and perceived conflicts of interest of company executives (especially Diebold Election Systems). It drafted a proposed PR plan for e-voting companies to “generate positive public perception.”[12], Draft of PR plan (PDF)

ITAA has opposed one of the more modest demands of e-voting critics — a paper receipt verifying each vote. ITAA president Harris Miller was quoted in the May 2004 issue of Congressional Quarterly’s Governing Magazine: “I think that the paper verification system is kind of giving people a false sense of security… I can give you a receipt, but if I started out the day by stuffing the ballot box with 50 ballots for Bush, I haven’t actually done anything to make the system secure.” In the same article, the Election Technology Council is identified as a new trade group within ITAA for voting machine manufacturers.

This stands in contradiction to Harris’ earlier remarks at the December 2003 press conference announcing the launch of the Election Technology Council, the e-voting machine manufacturers’ trade group: “The customer is always right. If the state and local election officials want paper ballots, the industry will provide those,” he remarked.[13]

If you work in information security I highly recommend you check out the “Draft of PR Plan” for Diebold. Oh, and you probably should make sure nothing breakable is near you when you read it.

Second, who is Greg Garcia? Here is Chertoff’s perspective, perhaps released by the ITAA, published on the Government Technology site:

“Greg joins the department from the Information Technology Association of America, where he was vice president for Information Security Policy and Programs. In that capacity, Greg led the public debate on cyber security policy and national cyber readiness.”

Led the public debate? I am having a hard time finding evidence of his existence prior to this announcement, let alone an outspoken role on US cyber security. Chertoff continued:

“He has worked closely with the department over the past few years in his role on the IT Sector Coordinating Council and working with industry to found the National Cyber Security Partnership. Greg helped to draft and enact the Cyber Security Research and Development Act of 2002 during his tenure with the U.S. House of Representatives Committee on Science.

I confess I had to look up the NCSP. Even though I have been actively involved in information security in the private and public sectors for more than twelve years, I cannot say the NCSP rings any bells. News.com provides an executive summary of their work:

Some security experts criticized the proposals as a way for companies to dodge any responsibility for the morass of security issues that plague firms and people on the Internet, a charge similar to that leveled against the National Strategy to Secure Cyberspace, which recommends that each Internet participant learn to secure his or her portion of the online domain.

That seems rather harsh, but what results have we seen since 2004? And on that note, the CSRDA was an allocation of $880 million over five years for research in cyber security. Wired described it this way:

Claiming that the Internet may be terrorists’ next target, the U.S. House of Representatives voted on Thursday to create a new generation of “cyber warriors” to protect America’s critical infrastructures.

Interesting. With only one year of funding left, I wonder how the new generation of information security students will emerge. Will the “cyber warriors” actually materialize, or are they ready now? Can’t say I have heard much about them or the programs since the money was allocated, and yet there have been a number of high profile breaches during that same time. I searched through all the documentation provided by the House of Representatives on HR3394 and I also did not find mention of Greg’s name. I guess lobbyists who help draft the resolutions aren’t supposed to get the recognition, so no surprise there. Chertoff continued:

Greg has also worked to strengthen encryption control regulations while with the Americans for Computer Privacy and he was active on international trade and IT policy at the Americans Electronics Association.

As in the multi-million dollar lobbyist campaign to get Congress to relax export controls? Hm, that’s interesting. Wonder if he was working for Ed Gillespie. You may draw your own conclusions, but this all reminds me of some other “surprise” appointments by the Bush administration. They are hard to pin down on the issues because they really do not want you to discuss facts and find out something you might not agree with. PR for hackable voting machines and working papers that transfer liability from corporations to consumers? Where does he stand on the issues? Let us hope Greg is able to turn the tide on the Bush administration and rein in the corporate governance issues that precipitate security risks. But what are the odds, really.

California Prop 87

This is a rather sharp counter to the multi-million dollar campaign led by Chevron to kill Proposition 87 in California:

The full page New York Times ad run yesterday by your national political operation — the American Petroleum Institute — highlighted a messaging problem within your California campaign against Proposition 87. The ad stated: “… the global price of crude oil is the single most important factor in what you pay for fuel at the pump.” (Please see the full text of this ad, which I have attached.)

As a professional, I feel compelled to inform you that your California agents are taking your money and taking you for a ride.

The oil companies’ top flack in California, Chamber CEO Alan Zaremberg, has been saying Proposition 87 will increase gas prices at the pump. But according to the API “the global price of crude oil is the single most important factor in what you pay for fuel at the pump,” not local fees like the ones already charged in Alaska, Louisiana and Texas. Zaremberg is clearly off message and is clearly disregarding the oil industry’s talking points.

Zaremberg should be doing a better job in exchange for the $345,000 your industry has recently given to Chamber PACs. And he should remember who he works for: the California Chamber Board, on which Shell, Chevron, and Aera Energy, the Exxon/Shell joint venture, hold seats. In fact, the Immediate Past Chair of the Chamber is Aera’s CEO.

You might as well replace Zaremberg with Jack Coffey, who is currently a lobbyist for Chevron.

He at least was telling the truth when he summed up your position against Proposition 87 to the LA Times by saying:

“This is worth a lot of money to us.”

I urge you to make Mr. Coffey an offer without delay.

The level of corruption today in American politics, especially from the lure of petroleum companies, is said to be at an all-time high (a tall order, given the infamous Harding and Grant administrations). Just as disturbing is how these companies try to stoke fear in consumers by spreading disinformation about the economics of petroleum.

Edited to add (9/28/06):

I’ve noticed this post is getting a lot of traffic, even though I only provided an excerpt and a link to other sources. Some have even grouped me in with the “one-sided” list of pro-87 sites.

What I have found, essentially, is that people are intent on discussing the future cost of CA gasoline as though it is the most important consideration. In other words, some are trying to distill this measure down to a question of whether you are for or against higher prices at the pump. I find this disturbing as such a lopsided risk model has very dangerous consequences.

If we care only about the cash we hand over at the pump, and not other things at risk such as our health and welfare, then the business model for big oil is clear — manipulate pump costs with disregard for other factors.

The consequences of this are dangerous because this actually might be exactly what some consumers want. They would gladly have cheap gas at the cost of people being killed or maimed abroad or even at home.

Anyone who believes in obtaining the absolute best for themselves while feeling little or no responsibility towards others (and expects everyone else to act this way) is not going to make intentionally good decisions for the majority of people. Beware the extremists who claim they are center-right or even centrists in the political spectrum and thus advocating for improvements to the general welfare, when they are not. They will make decisions that are good only for those who share their extreme minority views.

And so, with Prop 87, you find a number of extremists coming forward to say “hey, don’t touch my gas prices!” Compare that to the ruling this week by a U.S. District Judge that the Department of Interior’s Bureau of Land Management (BLM) failed to consider the cumulative environmental impact of widespread oil and gas drilling (i.e. the big picture of risk) in the National Petroleum Reserve, Alaska (NPRA). The judge rejected the BLM’s decision and sent the matter back to the agency for further analysis.

The difference in perspective might be best explained with food as an analogy. Would someone pay $1 for a burger instead of $2, if they were told that by paying $1 today they would have to pay $50 for that same burger five years from now to survive? In other words, would they be willing to make a small investment now in order to maintain a relatively flat cost-of-living adjustment rather than face a crisis? Before you answer, extremists would try to divert the argument away from a yes or no and instead ask whether anyone should ever trust a government to invest money wisely. Their position on this issue is that you should only give your hard-earned money to the oil companies, because in some weird way they think that oil companies will be more fair, more representative and more in tune with your interests than your elected representatives.

The foundation of California Prop 87 is the economics of risk. We know that the oil companies have been given tax breaks and therefore extra margins in California. And we know that they are not using their record profits to create an alternative energy market. Many see this as mismanagement of the resources they are allowed to refine. Some see this as their discretion to do as they please. The question is whether they should continue to get giant tax breaks or should taxes be applied, just like in every other state, in order for the state to allocate funds towards new technology and emerging energy markets that will lower the future cost of living from a broad perspective.

Choose your risks and manage them wisely.

Bluegills enlisted in the war on terror(able water)

Here is a fine example of how allow-list strategies are far superior to block-list ones:

Since Sept. 11, the government has taken very seriously the threat of attacks on the U.S. water supply. Federal law requires nearly all community water systems to assess their vulnerability to terrorism.

Big cities employ a range of safeguards against chemical and biological agents, constantly monitoring, testing and treating the water. But electronic protection systems can trace only the toxins they are programmed to detect, Lawler said.

Bluegills — a hardy species about the size of a human hand — are considered more versatile. They are highly attuned to chemical disturbances in their environment, and when exposed to toxins, they experience the fish version of coughing, flexing their gills to expel unwanted particles.

Nice. The fish monitor the quality of water by living in “known good” conditions. Trying to keep up with detection of every new attack (the known-bad conditions) is usually a losing race, which is why an allow-list such as this is the preferable approach when possible.
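To make the allow-list versus block-list contrast concrete, here is an added example (not code from the original post or from the bluegill system it describes) in Python. A block-list detector checks incoming water-quality readings against a fixed set of contaminant signatures, while an allow-list detector learns an envelope of “known good” readings and flags anything that falls outside it. The readings, the parameter names (pH, conductivity, dissolved oxygen, turbidity), the two signatures and the envelope width are all constructed for illustration and are not drawn from any real monitoring system.

```python
from statistics import mean, pstdev

# Constructed "known good" readings, assumed to have been collected while the
# water was verified clean. Units are illustrative: pH, conductivity (uS/cm),
# dissolved oxygen (mg/L), turbidity (NTU). Not real measurements.
KNOWN_GOOD = [
    {"ph": 7.2, "cond": 410, "do": 8.9, "turb": 0.4},
    {"ph": 7.3, "cond": 425, "do": 9.1, "turb": 0.5},
    {"ph": 7.1, "cond": 405, "do": 8.7, "turb": 0.3},
    {"ph": 7.2, "cond": 415, "do": 9.0, "turb": 0.4},
    {"ph": 7.4, "cond": 430, "do": 8.8, "turb": 0.6},
    {"ph": 7.2, "cond": 420, "do": 9.2, "turb": 0.4},
]

# Block-list: hypothetical signatures for contaminants the operator already
# knows about. Anything that does not match one of these is invisible to it.
BLOCK_LIST = {
    "acidic_spill": lambda r: r["ph"] < 6.0,
    "saline_intrusion": lambda r: r["cond"] > 800,
}

# Three constructed test readings.
CLEAN = {"ph": 7.2, "cond": 418, "do": 9.0, "turb": 0.4}
KNOWN_SPILL = {"ph": 5.4, "cond": 600, "do": 8.9, "turb": 0.5}
# A novel event: pH and conductivity look normal, but oxygen has collapsed
# and turbidity has spiked. No block-list signature covers this pattern.
NOVEL_EVENT = {"ph": 7.2, "cond": 420, "do": 4.1, "turb": 2.8}


def blocklist_alerts(reading):
    """Return the names of every known-bad signature the reading matches."""
    return [name for name, test in BLOCK_LIST.items() if test(reading)]


def build_baseline(samples, k=3.0):
    """Learn a per-parameter [low, high] envelope of mean +/- k std-dev.

    k=3.0 is an arbitrary constructed width; a real deployment would tune it
    against false-alarm tolerance and the variance of the sensors.
    """
    baseline = {}
    for key in samples[0]:
        vals = [s[key] for s in samples]
        mu, sd = mean(vals), pstdev(vals)
        sd = max(sd, 1e-9)  # guard against a zero-variance parameter
        baseline[key] = (mu - k * sd, mu + k * sd)
    return baseline


def allowlist_alerts(reading, baseline):
    """Return the names of every parameter outside the known-good envelope.

    A missing parameter is also flagged: the allow-list only trusts readings
    it can positively confirm are within the learned envelope.
    """
    out = []
    for key, (lo, hi) in baseline.items():
        v = reading.get(key)
        if v is None or not (lo <= v <= hi):
            out.append(key)
    return out


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    for label, reading in (("clean", CLEAN),
                           ("known spill", KNOWN_SPILL),
                           ("novel event", NOVEL_EVENT)):
        print(f"{label:12s} block-list: {blocklist_alerts(reading)!s:20s} "
              f"allow-list: {allowlist_alerts(reading, baseline)}")
```

Run stand-alone, the block-list catches the acid spill it has a signature for and misses the novel event entirely, while the allow-list flags both because each violates the learned envelope. The caveat is that the allow-list is only as good as its baseline: if the “known good” samples were themselves collected from degraded water, the envelope will treat that degradation as normal and never alarm on it.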

I am reminded of fish I caught on a line when I was growing up. When I was older I returned to some of my favorite spots only to find warnings posted by the government about toxic levels of poison that had resulted from pesticide and herbicide runoff. I was told the infamous Agent Orange of Vietnam was still legal if you sprayed it on the backs of cattle to keep insects away. The rain would then wash the poison into the ground and rivers which fed our ponds and lakes. The areas had become toxic to fish and thus humans due to weak regulation of agricultural industries.

More information about the bluegill system can be found here:

The iABS monitors fish behavior using a pair of non-contact electrodes mounted above and below each of eight bluegills. As the fish move in the chamber and ventilate their gills, muscle contractions generate electrical signals in the water that are monitored by a computer. When abnormal fish behavior is identified, the iABS provides immediate alarm notification and can start an automated water sampler to permit follow-up chemical analysis.

So if local fish die as a result of weak environmental regulations, and the water quality has already been ruined by an environmentally hostile department of agriculture, the worry about terrorists putting toxins in the water and killing bluegills seems well-intentioned yet a little less pressing than the already present problems.

Should community water systems assess their vulnerability to all toxins, as I mentioned back in February, or just the ones from “terrorists”? Will homebuyers start to demand air and water quality records and tests prior to home purchase, to ensure a functioning security system that will protect their health?

F-22 Canopy Design

A few months back Flight International had an interesting story about an F-22 Raptor canopy that jammed, trapping the pilot for five hours until he could be cut out with a power saw. I have been thinking about this recently:

The Raptor stealth fighter, heralded as the most technologically-advanced fighter in the world, entered service in January after 19 years of development. Each jet costs around $134 million per unit.

The canopy became stuck in the down and locked position and could not be opened manually after the pilot cycled the mechanism several times, following a pre-flight warning that the canopy was unlocked.

The cause of the malfunction has not been determined. The cost of replacing the canopy, which belongs to an aircraft from the 27th Fighter Squadron at Langley AFB, Virginia, is estimated at more than $180,000.

This seems pretty bad at first glance, but if the pilot had to eject and the canopy was jammed shut the results would be tragic. Interesting to note the software terminology used to describe the situation:

On 10 April 2006 at approximately 08:15, aircraft 03-041 had a Red Ball for a canopy unlock indication. Attempts to clear the problems by cycling the canopy failed. The final cycling of the canopy resulted in it being in the down and locked position.

“Tower to 03-041. Please press ctrl-alt-del on your keyboard. Over.” My guess is that a manual override will be the next thing implemented.