Air Vest Saves Equestrians

Interesting development in horse rider safety, reported by NYTimes.com

Inflatable vests have been sold to motorcyclists for about a decade, but few equestrians used them until a British company, Point Two Air Jackets, adapted them for use on horses and began distributing them at top European competitions last year. Hit Air, a Japanese company that says it has been selling motorcycle vests since 1999, also sells an equestrian version.

They each rely on similar technology. The two-pound vest is attached by a cord to a rider’s saddle and is worn over a traditional protective vest made of high-density foam. When a rider is thrown from a horse, the cord is yanked, puncturing a cartridge of carbon dioxide and inflating the vest. The vest can be reused after the cartridge is replaced. Point Two said its vest inflates in one-tenth of a second; Hit Air said its average rate is one-quarter of a second.

I have never seen a motorcyclist wearing one. The article explains that motorcycle speeds and impacts are different, so the benefit for motorcyclists is considered controversial. The equestrians, by contrast, seem to have qualms only about minor refinements.

The vests have become so common on the competition circuit that it has become a common courtesy to warn other riders to unhook their cords before dismounting. “When you arrive, everyone says: ‘Your vest! Your vest!’” Laghouag said.

Inevitably, someone forgets.

“It’s always a source of amusement,” O’Connor said. “You hear a pop, and somebody’s looking like a marshmallow.”

Sunga Security: Staying Safe in Rio

Even before I flew to Rio de Janeiro I was getting warnings about personal safety from friends, colleagues and family. Without rehashing the usual advice (walk briskly and do not pull out a camera to take pictures, do not wear a nice watch, etc.) I thought I could add a little fresh detail.

A 2008 article in the New York Times says you must also pay attention to your clothes, especially on the beach:

..dress for the beach as the Cariocas do, the implication being that I would otherwise look like a gringo and become the target of every panhandler, pineapple salesman and potential kidney-napper

Two caveats to this kind of advice. First, tan lines also matter. If your dark tan starts below your knees, expect to stand out from the Cariocas. A short suit far above a tan line actually makes your impersonation worse. You are better off with a local pair of board shorts. Second, I have been told on very good authority that the color of a Sunga has meaning. The Times talks about a “world of sungas to be explored” but black is actually a safe bet.

SB 1411: Online Impersonation Outlawed

California Senate Bill 1411, authored by Joe Simitian, has passed the legislature unanimously and now awaits the Governor’s signature. He has only 140 days left in his term, but it seems likely to get through.

“In the age of the Internet,” said Simitian, “pretending to be someone else is as easy as using their name to create a new e-mail account. When that is done to cause harm, folks need a law on the books they can turn to.”

The current law, which Simitian says dates from 1872, apparently could not handle the latest attacks that involve impersonation online. I have not yet found the right copy of the old text (Chapter 8, Sections 528 through 539?) but apparently the language had a loophole for “electronic means” (Pony Express mail was covered) and perhaps the fine was only 10 cents. This will be changed to a whopping maximum of $10,000 or up to a year in jail. The Simitian site says the new law makes impersonation a misdemeanor under two conditions: criminal intent and lack of consent. This must expand the current tests of harm to the victim and benefit to the attacker, but I am not a lawyer.

I wonder why 1872 is relevant. Other laws from a hundred years prior (e.g. 1776) seem to be ok. Is the age of a law really important or is there something more specific that is wrong?

It also prompts me to wonder: if you have consent, can you still have criminal intent? Imagine a couple who are married or have given written full power of attorney for a transaction…perhaps that would give a situation with legal consent yet criminal intent. On the other hand, there seem to be cases where you do not have consent but that does not mean criminal intent. Consider the recent ruling on schools that monitor students at home, for example.

“Electronic means” is defined here.

This bill defines “electronic means” to include opening an e-mail account or an account or a profile on a social networking Internet Web site in another person’s name.

Although Simitian speaks of stopping pernicious attackers, the bill seems much broader. Someone who merely opens an account, without actively using it for impersonation, could already face lawsuits over their intent. I assume “opening…an account” means registering a new one and not just authenticating to an existing one.

Fortify Survey: DefCon attendees more likely to want exploits

Fortify has been doing surveys at conferences and reporting each result in isolation. I thought it made more sense to put them together, or at least compare the results. To start with, they ran a survey at the InfoSec Europe conference this past June that claimed IT Professionals Are Hacking Their Own Enterprises To Keep Intruders Out

Half of the respondents admitted to hacking, with 73% of these respondents doing so to test the strength of their own network’s defences, 13% for fun or out of curiosity, and 3% targeting their efforts at the competition.

This number of 50% was down significantly from a survey at the RSA North America conference in March

Eighty-eight percent of respondents admitted to doing some hacking themselves — mostly for work purposes, they said.

Thus, while half of the attendees at the first conference admit to hacking, the second conference has almost ninety percent. They just announced a new survey result, based on only 100 attendees at DefCon, that pushes the number higher, as you might expect.

an overwhelming 96 percent of the respondents to the Fortify Software-sponsored poll said they believed the cloud would open up more hacking opportunities for them.

This is being driven, says Barmak Meftah, chief products officer with the software assurance specialist, by the belief from the hackers, that cloud vendors are not doing enough to address the security issues of their services.

“89 percent of respondents said they believed this was the case and, when you analyze this overwhelming response in the light of the fact that 45 percent of hackers said they had already tried to exploit vulnerabilities in the cloud, you begin to see the scale of the problem,” he said.

This is a good example of how the term “cloud” gets thrown into something IT related to generate interest. I am confident that if you survey attendees at any security conference anywhere, the vast majority are going to say not enough is being done to address security issues. That is not really a cloud point. The more interesting question would be what is lacking, since this would force a more thoughtful response and give some clues into what needs to be done. Even a multiple-choice question about what in security is lacking would get a more accurate response than just “is enough being done, yes/no”.

The DefCon survey also seems to ask more about future and potential opportunities rather than the present hacking practices asked about in the first two surveys. That slight change also pushes the percentage higher and makes the results read differently.

That is why I say the headline is not so much about a giant new opportunity for hacking the cloud, given the past two surveys as reference, but instead about attendee attitudes at different conferences. More attendees at DefCon openly admit that they will hack, while attendees at other security conferences often (nearly 25%) refused to comment or to admit hacking in the past. The one problem with this theory is that only 45% at DefCon admitted to a past hack, about 5% lower than InfoSec Europe. Perhaps that gives us reason to say DefCon attendees are more hopeful about finding an exploit in the future (they call them opportunities), while attendees at other conferences are more likely to be working on finding them now.