Dead Prez on Government

People often ask how to simplify compliance in information security and governance. They want to know if it can all be boiled together. I remember one CIO who said “just give me one list!”

I had put together a couple of slides on why this is an 80/20 question, never a perfect fit, but I like how the Dead Prez rhyme a similar answer:

“Crack is like a Democrat; Cocaine Republican; Marijuana Independent Party. Same government…”

I guess I’m intentionally being opaque on this to protect my own rhymes, besides the fact that theirs are probably better anyway. Imagine a board room where a security consultant performs a poetic recital of risks. Yeah, that’s what I’m talking about. It will be subtle, trust me.

Similarities and differences. Analysis is not synthesis.

Acrylamide battle – potato chip makers pay $3mil

I had no idea this was even an issue, but apparently the lawsuit has been going on for three years and that is after a prior settlement with fast-food companies over the same violations. The Associated Press reports:

California sued H.J. Heinz Co., Frito-Lay, Kettle Foods Inc., and Lance Inc. in 2005, alleging they violated a state requirement that companies post warning labels on products with carcinogens.

The companies avoided trial by agreeing to pay a combined $3 million in fines and reduce the levels of acrylamide in their products over three years, officials said.

The FDA says the dangers of high doses of acrylamide in food were only just discovered in 2002. Here are the top five food types documented in 2006, with a mean AA intake greater than 0.027 kgbw-day:

  1. French Fries
  2. Potato Chips
  3. Breakfast Cereal
  4. Cookies
  5. Brewed Coffee

Interesting that the lawsuit started when the data seems to have first become available. Must be more to the story. Also interesting that most employers in America provide chips and coffee to staff. Do they know they are killing them slowly with carcinogens?

I often go to a place now that keeps unlimited amounts of cheap processed breakfast cereal out in plastic tubs, and serves trans-fat products in baskets. I tried to explain the risk to facilities, but they said they had to buy whatever was cheapest. Sadly, I found it impossible to explain the irony of this insecure perspective. Until the harm is real and present, staring them in the face and threatening their pocketbook, they play dumb.

The lack of warning or information from the FDA has been noticed elsewhere. A CSPI story from 2002 highlights a more global view of health and safety:

Today is the first day of a three-day closed meeting in Geneva of experts convened by the World Health Organization (WHO) to discuss the health ramifications of the acrylamide discovery, which has since been confirmed by the British, Swiss, and Norwegian governments. The United States Food and Drug Administration (FDA) though, has been standing on the sidelines of what is fast becoming a major global debate, according to CSPI, which today called on the agency to treat acrylamide with greater seriousness.

“The FDA has been strangely silent about acrylamide,” CSPI executive director Michael F. Jacobson said. “It should be advising consumers to avoid or cut back on the most contaminated and least nutritious foods while more testing is done across the food supply. The FDA also should be intensively investigating ways of preventing the formation of this carcinogen.”

California is suing, not the federal agencies. The story from 2002 did not make the big news, as far as I can tell, despite the impact to American national security as explained in 2002:

The amount of acrylamide in a large order of fast-food French fries is at least 300 times more than what the U.S. Environmental Protection Agency allows in a glass of water. Acrylamide is sometimes used in water-treatment facilities.

“I estimate that acrylamide causes several thousand cancers per year in Americans,” said Clark University research professor Dale Hattis. Hattis, an expert in risk analysis, based his estimate on standard EPA projections of risks from animal studies and limited sampling of acrylamide levels in Swedish and American foods.

With the EPA backing down from protection of consumers and wildlife, to favor industrial self-regulation, one can only presume states and citizens are on their own here to battle with those who would do them harm. Cheers to California for taking a stand on an important issue, just like breach notification laws.

H.R. 5938 changes cybercrime laws in the US

The US Senate just unanimously approved a bill “(H.R. 5938) entitled ‘An Act to amend title 18, United States Code, to provide secret service protection to former Vice Presidents,… (Engrossed Amendment as Agreed to by Senate)[H.R.5938.EAS]”

Pay special attention to the “Engrossed Amendment” part, since there is an exciting twist to this bill.

One of the major problems with fighting CyberCrime has been that prosecutors will not follow up on anything under $5K. I’d actually peg the number higher, from personal experience on cases, but that’s the official number given. So 10,000 $1000 incidents would never be reported/investigated under the current system when investigators are unable/unwilling to tie events together or show some kind of aggregate harm data.

The new legislation makes it a felony to install malicious software on 10 or more computers regardless of damage amount. This could open the door to individuals claiming harm on every actual computer itself, including impact to their data, in addition to use of the computer as a proxy for other attacks — under the new rules a victim can claim damages/restitution for time and money spent restoring identity/credit. The changes from existing law also include anti-cyber-extortion provisions, and the bill would allow the feds to prosecute regardless of whether communication crossed state borders.

Since this modifies an existing House resolution, it needs to be reconsidered and the changes reconciled by the House.

Aha!

Probably not what you would expect from the bill that is expected to cost every American family $0.05 to pay for the personal protection of Vice President Cheney. The Budget Report gives a quick summary:

H.R. 5938 would provide permanent authority for the Secret Service to protect former Vice Presidents, their spouses, and their children under the age of 16 for a period of not more than six months after the Vice President leaves office. The Secret Service has protected former Vice Presidents and their families, but authority to do so was provided by temporary legislation or by executive order. The bill’s provisions would apply to Vice Presidents holding office on or after the date of enactment.

Based on information provided by the Secret Service, CBO estimates that implementing H.R. 5938 would cost about $4 million in fiscal year 2009, subject to the availability of appropriated funds.

Something tells me that the Secret Service might be subcontracting the deal in the usual no-bid fashion of recent years to a subsidiary of Halliburton, which actually would make this a kind of $4 million/yr parachute for the Cheney family…but I digress.

The changes to the CyberCrime laws in the US are significant and will mean the data recorded on harm and presence should probably skyrocket.