US Sailing Report on Farallones Tragedy

A US Sailing Farallones Panel Report has been posted with detailed analysis of the Low Speed Chase Capsize on 14 April 2012.

Four safety issues are explained. The first is that the crew sailed too close to shore.

As a result of the panel’s investigation, it became clear that the cause of the capsize was that Low Speed Chase sailed a course which took them across a shoal area over which breaking waves could be expected to occur several times per hour (see Appendix D) and encountered a breaking wave, which capsized the boat.

[…]

With a forecast for swells up to 15 feet, a maximum wave height of 30 feet would be expected, and 1% of waves (two or three per hour) would be expected to average 25 feet in height. The forecast wind waves would add two or three feet to the maximum wave. (See Appendix D)

The remaining three issues relate to adequate safety gear, communication and incident response procedures. Other sailors are also called out in the report for their decision not to assist.

Of the seven other race boat crews interviewed who witnessed the incident, all deemed the conditions too dangerous to physically stand by and attempt to render assistance. All continued racing.

[…]

22 boats heard the radio traffic concerning the LSC incident and five respondents saw Low Speed Chase on the shore, while one actually saw the capsize.

AT&T Announces End of 2G

AT&T just filed a 10-Q with the SEC and publicly confirmed what the company has been warning in private for the past two years:

Also as part of our ongoing efforts to improve our network performance and help address the need for additional spectrum capacity, we intend to redeploy spectrum currently used for basic 2G services to support more advanced mobile Internet services on our 3G and 4G networks.

[…]

We expect to fully discontinue service on our 2G networks by approximately January 1, 2017.

[…]

As of June 30, 2012, approximately 12 percent of our postpaid customers were using 2G handsets.

A 5-year sunset plan seems like a long time to those of us who would argue that 2G should be described as a terribly weak and dated protocol.

Any further delay is especially bad news for Apple customers who are unable to choose 3G-only (i.e. iPhone and iPad). (Another reason I recommend the Nokia N9 is the option to disable 2G communication).

2G, or 2nd Generation, was launched in Finland in 1991. How many electronic devices are you using today that are 22 years old? More to the point, 2G is older than the web and pre-dates the “data” revolution in communication. It also relied on a security-through-obscurity method, which became untenable by the mid 1990s. Although some of 2G’s functional limitations were fixed through extensions (2.5G), the security problems were never really fixed. Instead a 3G network was started in 1992 and by 2001 was launched in Japan. The path to far better performance and security should be crystal clear.

Yet AT&T doesn’t mention security in their filing as one of the reasons for ending their old network. Perhaps they don’t want to draw attention to the fact that it is trivial to impersonate a GSM base transceiver station (BTS). Or maybe they don’t want to mention that the fixed network is unprotected, encryption is weak (the COMP128 implementation of the A3 and A8 algorithms can be broken in less than a minute), encryption is often disabled and/or completely useless (keys sent in the clear), there is no integrity protection and no network authentication (the handset cannot verify the network’s identity)…and so forth.

The AT&T filing says they have just over 100 million customers. So the end of service for 2G, which they say is 12%, must be around 12 million customers. That sounds like a lot of vulnerable end-users until you take a closer look at usage profiles. It is tempting to think of the numbers in terms of consumer handhelds. In fact this announcement has more relevance to appliance-like devices such as ATMs, Point-of-Sale and security alarms.

So the problem of 2G is not really about people who refuse to buy a new phone. There might be a few of those but most humans tend to frequently update their phones for a number of simple functionality reasons from dead batteries to better signal while moving around. Users also tend to absorb some of the replacement procedure costs.

The embedded device market however has a harder time discontinuing deployed assets and dealing with the cost of re-provisioning. Embedded devices tend to have an if-it-ain’t-broke-don’t-fix-it mentality for upgrades. Embedded devices also may drop down to 2G to provide service continuity. A message getting through often gets higher priority than a message being kept secret; instead of demanding better service/coverage from AT&T, 2G may be given as an availability option. Unfortunately, embedded devices tend to be used for applications that are security-related and need confidentiality to be a priority.

In other words, AT&T could probably greatly accelerate the adoption of 3G and newer networks for millions of remaining devices if they admitted or otherwise raised awareness of serious security issues in 2G. In the meantime I suspect some may continue selling 2G as a deceptively “inexpensive” and “reliable” option right up to the end of service in 2017.

Shanghai Roadway Breach and Identity Protection in China

The WSJ reported in March that a company in Beijing had been accused of identity theft at a very large scale.

Commercial information provider Dun & Bradstreet Corp. said it suspended the operations of a China-based business pending an investigation into whether it violated local consumer-privacy laws, and it is also looking into whether employees there violated the U.S. Foreign Corrupt Practices Act.

The business involved, Shanghai Roadway D&B Marketing Services Co., is a direct marketer that helps marketers reach customers through its database.

[…]

Dun & Bradstreet’s disclosure follows a report last week by state-controlled China Central Television that alleged the operation improperly collected private data on 150 million consumers. The report couldn’t be independently confirmed. It was broadcast on Thursday as part of China’s observance of World Consumer-Rights Day.

According to Paul McKenzie, managing partner at law firm Morrison & Foerster’s Beijing office, Chinese law provides its citizens with a broad right to privacy, even though “relative to other countries China has a relatively undeveloped privacy law infrastructure.”

According to Chinese criminal law, it is illegal for employees of government institutions or any private agency in a sector specified by the law with access to personal data, such as health care, education or telecommunications, to sell that data to a third party. Depending on the circumstances, the person buying the data could also be criminally liable.

You might think of this as a great sign. Identity information is being protected in China, which should help the market by reducing fraud.

CNN, however, takes a completely different perspective in a report. They say outsiders are uncomfortable with privacy for the Chinese because it makes investment more risky.

Beijing has clamped down on information once publicly available on listed and state-owned companies, hurting the effort of Western investors and companies to gauge whether to invest in — or short-sell — Chinese firms.

[…]

“This is a handicap to people investing in China right now. It is linked to the political atmosphere of this year’s leadership transition period, which has made China more tense, and the gathering of legitimate business information more sensitive” [said Peter Humphrey, managing director of ChinaWhys, an international business risk advisory firm in Beijing]

The move to limit public information on companies comes after the April arrest of 1,700 suspects in a widespread crackdown on the illegal selling of personal information, the Shanghai Daily reported, including an official in Baoding who sold large amounts of registered company information.

This is an interesting angle on the topic of transparency. The question that CNN does not bring up or try to answer is when and how people should trust their identity information to foreign investors and, more importantly, whether they should be able to decide how their identity information is collected and shared. They skirt around the central issue: at what point does “gathering of legitimate business information” become “improperly collected private data”?

Death Threat Fraud SMS in Australia

Newspapers in Australia, such as the Sunshine Coast Daily, are reporting a massive fraud scheme using SMS messages.

The Federal Government’s SCAMwatch sent out a national warning.

“These hoax death threats typically involve SMS text arriving out of the blue from what appears to be an international number. In some cases the number appears to be blocked,” SCAMwatch said.

“A typical message reads: ‘Someone paid me to kill you. If you want me to spare you, I’ll give you two days to pay $5000. If you inform the police or anybody, you will die, I am monitoring you’.

“Some of the messages are long and contain all the text, while others are broken up into shorter messages.”

The Daily understands the scam started spreading over the weekend and was sent out again yesterday morning.

Reports indicate the requested amount varied from $1000 to $50,000.

Police urged members of the public not to be alarmed and not to respond in any way to the message.

The police should instead urge the public to forward the messages, for free, to an official abuse desk.

Phone providers can assign an SMS abuse reporting number (e.g. 8888) so it functions like reporting email abuse (e.g. abuse@providername.com). The SCAMwatch form for reporting abuse is so big I doubt most people could fill it out in less than five minutes, which means it won’t be used.

Providers also could be a lot smarter about their blocking services. If the official response were to forward fraud messages for free to the providers, then providers would feel far more pressure to stop fraud and SMS abuse.

Bike-cams Help Catch Hit-and-Run Drivers

As many of you know I’ve ridden cycles most of my life including racing, commuting every day in large cities and long tours. It wasn’t until I moved to San Francisco that I personally experienced a hit-and-run accident.

A van exceeding the speed limit crossed the white line, side-swiped me and knocked me over. It amazed me that despite many people standing nearby watching traffic, no one could describe anything other than a white van. I was hit at the corner of Pacific and Hyde where people were waiting at the bus stop, sitting outside at the cafe, standing on the corner waiting to cross…plenty of witnesses but no help. In fact, they just stood and watched while I picked myself up, checked my bleeding injuries and moved my bike off the street.

StreetView on Google, strangely enough, shows a white van speeding away from the scene where I was hit.


The NYT writes that this risk equation is changing with the use of cameras on bicycles.

“It’s a fact of life on American roads that you get punked, cut off purposely, harassed, not once but on a regular basis,” said Bob Mionske, a former Olympic cyclist who is now a lawyer representing bicyclists in Portland, Ore. “If motorists start to hear about bikes having cameras, they’re going to think twice about running you off the road.”

A video by Berkeley cyclists, mentioned in the NYT article, provides a good example of how this can work. At 2:35 a black Acura Integra suddenly side-swipes two cyclists and then speeds away, exactly as it happened to me.

The video, which shows the Integra’s license plate, led police to the owner. The owner then apparently claimed the car was stolen at the time of the accident.

Of course the police should ask the car owner “do you have video to prove that it was stolen?”

A recent decision on “undisclosed recording” (Maryland v. Graber) suggests “video taping of public events is protected under the First Amendment.”

Here is a year of video by a cyclist, as presented by CNN:

PFGBest and Audit Red Flags

The bankruptcy of PFGBest and attempted suicide of its founder have reporters writing some interesting stories. New York Magazine says there were obvious red flags such as this detail posted by Reuters:

Jeannie Veraja-Snelling has been certified in the state of Illinois since 1999.

However, she does not list having any public company clients in her 2011 annual filing with the PCAOB.

On Tuesday night, she came to the door wearing a green sleeveless shirt and blue denim shorts. A stack of cardboard filing boxes was sitting just inside the door.

Why should we accept that the size of an audit firm or the clothes of an auditor are red flag signs?

I mean you always have to account for (pun not intended) the Enron fraud fiasco taking down the entire 85,000 employees of Arthur Andersen. And you also have to consider applying the same logic about size to other professionals such as doctors or dentists. An exit from large headquarters and staff to run a small practice is not necessarily a step down.

The future, ever more fueled by social network tools, could be argued to be headed towards umbrella firms of peer relationships between independent but small practitioners. Lower overhead yet more personalized service is a trend. Peer respect or presence in the market is not set by size alone. The age of “giant” corporations made sense when you were talking about smelting iron but in the information age a small firm may be superior to large ones in many ways.

Large firms, meanwhile, tend to face pressure to make money to cover their overhead. That pressure can often lead to fraud. PFGBest, for example, was very large. We know that the founder of the firm confessed to fraud and was known for excessive displays of wealth. The external auditor’s appearance pales in comparison, in terms of signs of fraud, to the corporate jets, giant gifts and large construction projects of the PFGBest founder.

That being said, the true worry in the story is the independent auditor’s lack of records and lack of awareness. Also of concern, although I haven’t seen anyone report on it, is the lack of a peer network with other auditors or professionals in her area of expertise. Regulators definitely could have picked up on that, especially if they tested her annually. Did her skill and reputation match her responsibilities?

The PCI SSC regulates its assessors closely through regular tests and by reviewing their reports on compliance. It’s a decent model for other regulators to follow. The quality assurance program for assessments and assessors is one of the primary factors that makes PCI DSS so much more rigorous than other regulations.

Another aspect of the PFGBest story is how the founder managed to hide his crime, as revealed by New York Magazine.

“I was able to conceal my crime of forgery by being the sole individual with access to the US Bank accounts held by PFG. No one else in the company ever saw an actual US Bank statement. The Bank statements were always delivered directly to me when they arrived in the mail. I made counterfeit statements within a few hours of receiving the actual statements and gave the forgeries to the accounting department.”

[…]

Later in the note, Wasendorf detailed how he had falsified bank documents “using a combination of Photo Shop, Excel, scanners, and both laser and ink jet printers” in order to fool regulators into believing that his firm, which is now bankrupt, had adequate money in its accounts.

Sole control? Financial companies usually force annual vacation, as explained by businessfinancemag.com, to let others run the numbers and verify controls.

Job rotation/mandatory vacation ranked second in effectiveness; companies with this control in place experienced a median loss 61 percent lower than the median loss incurred by the other organizations in the sample.

Source: Association of Certified Fraud Examiners

How did PFGBest avoid that time-honored practice? The excessive displays of wealth coupled with dictatorial control — accumulation of wealth coupled with lack of transparency — are the common red flags for corruption. Denim shorts and low overhead may not inspire confidence on their own but they tend not to show up in anti-fraud research.

2012 BSidesLV: Big Data’s Fourth V

I will be presenting at the 2012 BSidesLV conference:

Big Data’s Fourth V: Or Why We’ll Never Find the Loch Ness Monster

When: 1400, Wednesday, July 25, 2012
Where: Breaking Ground
Cost: Free (as always!)
Link: http://bsideslv.com/talks.php#bg104

Variety, Volume, Velocity and Vulnerability. We know many different types of data are being generated at high speed but how much do we know about the new weakness they introduce? Security is often an issue in Big Data but rarely understood or discussed openly. This presentation brings forward the giant elephant in the room and offers the audience some real-world puzzles of big data to solve. Examples of humorous failures as well as some success are presented as examples. You might think your security problems are big until you are asked to help find some solutions for Big Data’s Fourth V.

Video of the presentation:

Some of my other BSides presentations:

USCG Arctic Shield Operation

After the end of WWII hostilities, the U.S. Navy deployed “task forces” all over the world. From the South Pole to the North Pole there were military teams mapping territory, assessing risk and seeking out remnants of opposition.

At least a dozen ships with double that many aircraft were assigned to study “techniques” for operation in extreme conditions and remote locations, as well as gather information the military considered “interesting”. Whether fueled by fear, suspicion or curiosity, the missions and their findings kicked off a huge body of knowledge about survival and risk management.

One way to get a sense of the number and types of teams is to look at photographs from aviation archives. Here’s a 1947 photo from LogBookMag of a Navy Douglas R4D-5 Skytrain (Air Force C-47A) launching from an aircraft carrier in Operation Highjump. Note the snow skis and the use of jet assistance (JATO bottles).

R4D-5 Skytrain Launches

JATO was effective not only for small carrier runways but apparently also came in handy after skis froze to the ground.

By 1951 some believed that the U.S. was at risk of attack by the U.S.S.R. from the north. The CIA Factbook map makes it pretty obvious why; the distance straight over the pole is far shorter than following a latitude.

North Pole

The threat of increased traffic warranted understanding the region, establishing forward bases and learning to operate there. The American military stepped up research on extreme temperature survival, early-warning systems and rapid-response above the Arctic Circle.

Innovations like the “flying laboratory” were developed and used in Project Skijump, although it had a landing-gear failure in 1952 and was lost to the Soviets.

Fast forward to today. The U.S. Coast Guard has announced a massive expansion of operations above the Arctic Circle and a forward base at the northernmost city in America. The Fairbanks Daily News gives its perspective on the need for assistance.

Barrow is surrounded by open tundra and the Arctic Ocean. As sea ice continues to disappear, the city will begin to experience increasing boat traffic, both from companies planning to drill for oil and travelers looking for a shortcut from the Atlantic to the Pacific.

That is why the Coast Guard sent an aviation team more than 900 miles from its home in Kodiak to Barrow: It needs to be prepared if something goes wrong.

I wonder how much of the preparation from the past is useful for future incidents. The NYT makes it sound like the USCG is starting from scratch.

“The Arctic has been identified as a priority,” said Cmdr. Frank McConnell, the operations coordinator for Arctic Shield, which includes in its initial phase two Coast Guard cutters and two smaller ships, in addition to the two helicopters that will be stationed here in Barrow. The first of 25 pilots, along with support crews, mechanics and communications personnel, began rotating through Barrow this month on three-week tours. “There’s a lot to learn,” Commander McConnell said.

That’s what they said in 1947.

Chinatown Sues over Shark Fin Ban

Chinese sentiment last year clearly turned against shark fin, as reported in xinhuanet.

A Chinese lawmaker has proposed that the country’s top legislature ban the trade of shark fin, a high-end delicacy consumed by wealthy people in China and East Asia.

Shark-fin trading generates enormous profits, but encourages overfishing and brutal slaughter of sharks, of which some 30 species are near extinction, said Ding Liguo, deputy to the National People’s Congress, the top legislature.

Just a few days ago, in a logical next step, China announced a shark fin ban at official receptions.

China’s Government Offices Administration of the State Council (GOASC) is to issue guidelines to ban serving shark fins at official receptions, according to a report by news website CNTV.cn on Monday.

An official with the GOASC said the guidelines, instructing all levels of government agencies to stop serving the delicacy at such events, will come out within one to three years, the report said.

Meanwhile, back in San Francisco the Chinatown Neighborhood Association (CNA) has filed a lawsuit against AB 376, the state law set to ban shark fins in California by July 2013: Chinatown Neighborhood Association et al., v. Edmund Brown, et al.

CBS News points out that the lawsuit centers on racial bias.

Two Asian-American groups have challenged the state’s shark fin ban in a federal lawsuit in San Francisco, claiming it discriminates against Chinese Americans because it blocks cultural uses of shark fin soup.

“It discriminates against people of Chinese national origin by targeting and suppressing ancient cultural practices unique to people of Chinese national origin,” the lawsuit alleges.

[…]

Its use dates back to the Ming Dynasty in the 14th century, the lawsuit says.

The CNA arguments are not very convincing. First, as Chuck Thompson explains perfectly, the lawsuit fails rudimentary logic and simple historical checks.

“Shark fin soup is popular because it was learned from Hong Kong twenty years ago,” [Clement Yui-Wah] Lee told me. “And even if 500 years ago some Chinese were eating it, this doesn’t mean it’s a tradition we have to follow. Chinese people don’t bind women’s feet anymore because we know it’s wrong.”

Lee is right. The Chinese don’t bind women’s feet anymore. It is just as true that the menu for the wedding feast of the Guangxu emperor in 1889 included no shark product of any kind.

Eating shark fin is to Chinese what eating caviar is to Americans. Refusing to eat shark fin soup because of documented harm does not make anyone less Chinese. It might actually be the opposite: a more traditional Chinese custom is to study, respect and honor nature. Here’s another perspective on this same issue from Chinese NBA star Yao Ming.

While shark fins have been used to make soup for hundreds of years, until recently consumption was limited to a small elite, said Yao, who gave up eating shark fin in 2006 and says he avoids events where it is served.

Perhaps the California law should have been written to say “shark fin soup is prohibited unless you are the Ming Dynasty Emperor of China.” Since there just isn’t much chance of that happening, it might as well just say it is prohibited.

Second, how does the race card play if the Chinese are officially banning and publicly avoiding shark fin soup? At this point we could say the California law supports and honors Chinese culture by calling for a ban. Kudos to California for supporting Chinese conservationists and trying to help prevent shark extinction.

Photo by me...swimming with friendly blacktip reef sharks.

Updated to add: A 2011 Pew report called “The Future of Sharks: A Review of Action and Inaction” gives some detailed market data and analysis.

Sharks are particularly vulnerable to overexploitation because of their biological characteristics of maturing late, having few young and being long-lived.

Inside the report you can find who is killing the most sharks and who is buying fins.

Given that the Top 20 account for about 80% of global reported shark catch, the future sustainability of shark populations is effectively in their hands.

The future of sharks?

Here is some of the data on U.S. shark kills, which emphasizes that fins are not well tracked but that the exports primarily go to Hong Kong.

Frozen shark fin is not identified separately in U.S. trade data. However, Hong Kong import data indicate that in 2008, 251 t of dried and frozen shark fins were imported from the United States in 2008 (Oceana 2010). Given that only 8 t of dried fin were identified in the U.S. export data as exported to Hong Kong that year, it is assumed that the majority of fins is exported as frozen product and is included in the U.S. data as “sharks, frozen, nei.”

[…]

In 2008, the U.S. reported that of its 35 identified shark stock/complexes, four were subject to overfishing and four were overfished, and the status of about 20 others was unknown or unidentified (NMFS 2009). Shark finning was banned in U.S. Atlantic fisheries in 1993, and this ban was extended nationally in 2000. As of 2008, all sharks in the Atlantic Highly Migratory Species Fishery must be offloaded with fins naturally attached.
