Category Archives: Security

More bluetooth and auto security

Apparently someone thinks it is a good idea to require you to have your cellphone with you in order to start your car. When that is found to be easily broken (i.e. with a replay or DoS attack) I can only guess what else will be used as a key. Perhaps a special stuffed animal that will rest on the dashboard? Or maybe one of those cap tassels from graduation ceremonies? Might as well put the stuff to use.

Anyhow, I just thought I should mention that multiples of the same form of authentication do not necessarily reduce vulnerabilities. For example, “something you have” plus “something else you have” plus “something else you have” still just adds up to one-factor authentication — something you have.
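To make the factor-counting point and the replay concern concrete, here is an added Python example (written for this post, not code from Auto-txt or any vendor): a table that collapses several "possession" authenticators into a single factor class, and two toy immobilizer checks side by side, one that accepts a static device identifier and one that demands an HMAC over a fresh single-use nonce. The device identifier, shared key and authenticator names are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed mapping of authenticator types to the classic factor classes.
FACTOR_CLASS = {
    "physical_key": "something you have",
    "bluetooth_phone": "something you have",
    "pin": "something you know",
    "fingerprint": "something you are",
}


def distinct_factor_classes(authenticators):
    """Return the set of factor classes a list of authenticators actually covers.
    Several possession tokens still collapse to the one class 'something you have'."""
    return {FACTOR_CLASS[a] for a in authenticators}


class StaticPresenceImmobilizer:
    """Releases the immobilizer when the observed device identifier equals the
    enrolled one. Anything that reproduces that identifier, a recording of an
    earlier exchange included, is accepted: the check is replayable."""

    def __init__(self, enrolled_id: bytes):
        self.enrolled_id = enrolled_id

    def start_allowed(self, observed_id: bytes) -> bool:
        return hmac.compare_digest(observed_id, self.enrolled_id)


class ChallengeResponseImmobilizer:
    """Releases the immobilizer only for an HMAC over a fresh, single-use nonce,
    computed with the key shared with the enrolled device."""

    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key
        self.pending_nonce = None

    def challenge(self) -> bytes:
        self.pending_nonce = secrets.token_bytes(16)
        return self.pending_nonce

    def start_allowed(self, response: bytes) -> bool:
        if self.pending_nonce is None:
            return False  # no outstanding challenge, so nothing can be answered
        expected = hmac.new(self.shared_key, self.pending_nonce, hashlib.sha256).digest()
        self.pending_nonce = None  # each nonce is answered at most once
        return hmac.compare_digest(response, expected)


def device_answer(shared_key: bytes, nonce: bytes) -> bytes:
    """What the enrolled phone computes when it receives a challenge."""
    return hmac.new(shared_key, nonce, hashlib.sha256).digest()


def replay_defeats_static_check() -> bool:
    """A previously observed identifier, presented again, passes the static check."""
    enrolled = b"CONSTRUCTED-DEVICE-ID-00:11:22:33:44:55"
    car = StaticPresenceImmobilizer(enrolled_id=enrolled)
    recorded = bytes(enrolled)  # captured once, presented later
    return car.start_allowed(recorded)


def legitimate_challenge_response_succeeds() -> bool:
    """The enrolled device answering the current nonce is accepted."""
    key = b"constructed-shared-key"
    car = ChallengeResponseImmobilizer(shared_key=key)
    return car.start_allowed(device_answer(key, car.challenge()))


def replay_defeats_challenge_response() -> bool:
    """A recorded response to an old nonce is rejected in a later session."""
    key = b"constructed-shared-key"
    car = ChallengeResponseImmobilizer(shared_key=key)
    recorded_response = device_answer(key, car.challenge())
    car.start_allowed(recorded_response)  # first session, accepted and consumed
    car.challenge()  # a new session issues a new nonce
    return car.start_allowed(recorded_response)  # the recording no longer matches


if __name__ == "__main__":
    print(distinct_factor_classes(["physical_key", "bluetooth_phone"]))
    print("static check replayable:", replay_defeats_static_check())
    print("challenge-response replayable:", replay_defeats_challenge_response())
```

The static check models the post's worry: presence of a device is proven by a value that can be observed and repeated. The challenge-response version binds each start attempt to a nonce the car has never issued before, so a recording of one session says nothing about the next; it still provides only a single "something you have" factor, which is the separate point the paragraph makes.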

Telematics Journal describes the system in question:

A new car security system that identifies car owners through the Bluetooth element of their mobile phones is set to revolutionize the fight against car thieves. Auto-txt immediately identifies a car as stolen if the car is started with the keys but the mobile phone is not present. This unique feature allows a Bluetooth enabled device, such as a phone or PDA, to authenticate the vehicle owner, providing an enhanced level of security.

I can barely get my bluetooth headset to reliably connect to my phone, so I can’t imagine what happens when I need to start my car and bluetooth connections are spotty, or the battery dies. And when will manufacturers stop hard-coding four-digit PIN authentication as 0000? Bluetooth security has been so poorly implemented, I have a hard time understanding why anyone would want to lower their auto security to the dismal level of cell-phones.

The other part of the system seems to be some sort of sales spiel by Ford’s luxury division to provide assurance to prospective owners:

Auto-txt is the first stolen vehicle protection and tracking system to be awarded Thatcham’s Category 5 accreditation, the new insurance industry standard that is supported by the police. […] Auto-txt has been selected by Jaguar Cars and Land Rover to supply car tracking and security systems for all their vehicles from 2006. The systems, called Jaguar Watch and Land Rover Watch, will be available in the UK and across Europe. It is the first time the prestige car manufacturers will be offering a stolen vehicle tracking system in their own name.

Might be interesting to look into the formula for the Thatcham accreditation claim. In other words, is the plan for sales to go up x% due to an Auto-txt marketing blurb, or do they really believe that auto recovery (in a usable state) will be more effective?

Cheney admits error in judgement

I know, it’s a loaded title, but at some point you just have to admit that Cheney is the kind of guy who doesn’t understand that if he keeps saying “it was the other guy’s fault” that eventually the proverbial finger comes around and is pointing right at him.

I’ve written about this on Schneier’s blog numerous times, and I hope everyone remembers that Cheney was the primary reason that the Bush Administration ignored the intelligence warnings about al Qaeda before 9/11. There was no shortage of information, as Cheney would like to suggest. Quite the opposite, Bush said during his campaign that he would deal with those responsible for the USS Cole bombing if he were elected…and yet when the information clearly pointed to al Qaeda in February 2001, who decided that the CIA had better things to do than worry about terrorists? And when Clarke recommended a roll-back strategy and a very targeted attack on al Qaeda training camps in February 2001, who wasn’t willing to take decisive action?

Reuters brings us some sad news:

Vice President Dick Cheney on Wednesday strongly defended a secret domestic eavesdropping operation and said that had it been in place before the September 11 attacks the Pentagon might have been spared

Does he really expect us to believe that if the President could have used domestic wire-taps that they would have been better prepared for 9/11? Please.

Not only did they have the information necessary, but the 9/11 report itself said that the mistake was clearly NOT from a lack of intelligence, it was from a lack of coordination and leadership. Remember how Bush and Cheney ignored the Hart-Rudman recommendations, how Lynne Cheney resigned from the Hart-Rudman commission, how the FBI admitted that they had sufficient information but were procedurally constrained and under-trained? History will show that Cheney was no better than Mugabe, wrapping himself in the flag and claiming that he is protecting us from ourselves. Bush and Cheney fail to realize that it is their antiquated cold-war approach to a new era of geopolitical challenges that is damaging their country. The sooner he steps down from office, the sooner America can regain its strength.

Duan Wu and the Lament for Ying

Happy Duan Wu Festival day! Also known as the Dragon Boat Festival this Chinese holiday commemorates the death of Qu Yuan (340-278 BC), a poet from the kingdom of Chu (楚) during the Warring States Period.

May Dragon Boat Festival Print, Taipei National Palace Museum

It is celebrated each year on the fifth day of the fifth month (in the Chinese lunar calendar).

Perhaps the most interesting moral of the Duan Wu story is that the lack of accountability and integrity in leadership can lead a great state into total disaster.

Some might say the moral of the story has to do with loyalty, but that just begs the question of loyalty to what or whom?

Once upon a time there was a minister named Qu Yuan from Chu who was known and respected for his family nobility and his great political loyalty to the kingdom through truth. Some might even say he was something of a whistleblower.

He was very determined to maintain Chu’s sovereignty and he advocated for an alliance with other kingdoms to ward off the threat from the powerful state of Qin. The king, however, banished the truth-talking Qu Yuan at the behest of other corrupt and jealous ministers (you might say they called themselves the “patriots” to use today’s political parlance).

Qu Yuan then returned to his home town where he traveled the countryside and collected stories. This effort became a source of some of the most well regarded poetry in Chinese literature, known as Chu Chi, as Qu Yuan expressed love and devotion to his state and concern for its future.

Perhaps the best known poem is “Lament for Ying”, in which Qu Yuan expresses his sadness over the capture of Chu’s capital city, Ying, by General Bai Qi from the state of Qin.

Soon after he wrote his lament, Qu Yuan went to the river Miluo to kill himself in protest of the corruption in government that led to the decline and fall of the state of Chu. People gathered to try and save the poet, but to no avail.

To this day there are celebrations and recognition in China to remember a man who put the “public concern” above his own welfare and who stood for integrity and against the corrupt leaders who sacrificed the future of their country for a false sense of pride and/or to line their own pockets.

Sound familiar?

As a famous US President once said (repeating the phrase of a French dressmaker), there is nothing new to this world, just history we have not yet read:

Il n’y a de nouveau que ce qui est oublié.

山鬼 屈原 The Mountain Spirit
若有人兮山之阿 There seems to be someone deep in the mountain,
被薜荔兮带女萝 Clad in creeping vine and girded with ivy,
既含睇兮又宜笑 With a charming look and a becoming smile.
子慕予兮善窈宨 “Do you admire me for my lovely form?”
乘赤豹兮从文狸 She rides a red leopard — striped lynxes following her
辛夷车兮结桂旗 Her chariot of magnolia arrayed with banners of cassia,
被石兰兮带杜衡 Her cloak made of orchids and her girdle of azalea,
折芳馨兮遗所思 Calling sweet flowers for those dear in her heart.
余处幽篁兮终不见天 I live isolated in a bamboo grove, the sky unseen;
路险难兮独后来 The road hither is steep and dangerous.
表独立兮山之上 Alone I stand on the mountain top
云容容兮而在下 While the clouds gather beneath me.
杳冥冥兮羌昼晦 All gloomy and dark is the day;
东风飘兮神灵雨 The east wind blows and god sends rain down.
留灵修兮憺忘归 Waiting for the divine one, I forget to go home.
岁即晏兮孰华予 “It is late in the year. Who will now reward me?”
采三秀兮于山間 I pluck the larkspur on the mountain side,
石磊磊兮葛蔓蔓 The rocks are craggy; and the vines tangled.
怨公子兮怅忘归 Complaining of the young lord, I forget to go home.
君思我兮不得闲 “You, my lord, are thinking of me; but you have no time.”
山中人兮芳杜若 The woman in the mountain, fragrant with sweet herb,
饮石泉兮阴松柏 Drinks from the rocky spring, shaded by pines and firs.
君思我兮然疑作 “You, my lord, are thinking of me, but then you hesitate.”
雷填填兮雨冥冥 The thunder rumbles and the rain darkens;
猨啾啾兮又夜鸣 The gibbons mourn, howling all the night;
风飒飒兮木萧萧 The wind whistles and the trees are bare.
思公子兮徒离忧 “I am thinking of the young lord; I sorrow in vain.”

PDF With Simplified Chinese and references

US Supreme Court rules against whistleblower rights

In a case called Garcetti v. Ceballos, the US Supreme Court ruled that whistleblowers do not have a Constitutional right to free speech.

I’m no lawyer, but it seems to me that the Court has basically said that employers should be able to discipline employees for speech on the job without any regard to whether it touches on serious matters of “public concern”. So if anyone was wondering what’s ahead for America, with Alito on the bench, the answer should be clear. Alito cast the deciding vote.

Hopefully clarification will be in the news soon. Perhaps more reasonable minds will raise awareness and some sensible thinking might prevail over Alito. Jack Balkan has already posted an excellent critique called Ceballos — The Court Creates Bad Information Policy. Meanwhile Alito’s decision means employees’ speech in any “official capacity” explicitly has no constitutional protection. SCOTUSblog has a nice summary of the case background:

Los Angeles County deputy district attorney Richard Ceballos may be in trouble for one simple reason: he performed his job exactly as he was supposed to. Informed by a defense attorney in a case being prosecuted by the district attorney’s office that one of the arresting police officers may have lied in a search warrant affidavit, Ceballos vigorously investigated the charge and found evidence of wrongdoing. Respecting the chain of command, Ceballos drafted a memo raising his concerns and recommended dismissal of the case. Since Ceballos could not dismiss the case without supervisor approval, he discussed his concerns with one of his supervisors and provided him with the memo. Ceballos and his supervisors met with the Sheriff’s office to discuss their concerns, but the meeting convinced Ceballos’s superiors to pursue the case despite flaws in the affidavit. Knowing that Ceballos had legitimate concerns about the affidavit, defense counsel in the case subpoenaed Ceballos to testify at the hearing. Ceballos agreed to testify and—pursuant to what he believed were his prosecutorial obligations—provided the memo to defense counsel. When Ceballos was allegedly punished for speaking out, he responded by filing a Section 1983 action contending that he was retaliated against for engaging in speech protected by the First Amendment. Legally, however, Ceballos has one critical problem: he did exactly what his job required.

And here is Jack’s conclusion regarding today’s decision, clearly explaining why it is bad policy:

After Ceballos, employees who do know what they are talking about will retain First Amendment protection only if they make their complaints publicly without going through internal grievance procedures. Although the Court suggests that its decision will encourage the creation and use of such internal procedures, it will probably not have that effect. Note that if employees have obligations to settle disputes and make complaints within internal grievance procedures, then they are doing something that is within their job description when they make complaints and so they have no First Amendment protections in what they say. Hence employees will have incentives not to use such procedures but to speak only in public if they want First Amendment protections (note that if they speak both privately and publicly, they can be fired for their private speech). However, if they speak only publicly, they essentially forfeit their ability to stay in their jobs, first because they become pariahs, and second, because they have refused to use the employer’s internal mechanisms for complaint (mechanisms which, if they used them, would eliminate their First Amendment rights). In short, whatever they do, they are pretty much screwed. So the effect of the Court’s decision is to create very strong incentives against whistleblowing of any kind. (Another possible result of the case is that employees will have incentives to speak anonymously or leak information to reporters and hope that the reporters don’t have to reveal their sources).