Category Archives: Security

Album is to Single as Book is to Chapter

First we hear that Einstein and Darwin used rapid and succinct messaging as a foundation of their correspondence, and now Amazon has announced that you can buy chapters of books. Given Apple’s success in selling songs rather than albums…altogether it seems to me that Attention Defecit Disorder should be regarded as something of a normality for human consumption and communication rather than the exception. After all, why force yourself through 200 or more pages of nonsense when an important thought only needs twenty-five pages (or a brief blog entry)? Or, as some album-bands of the 80s pointed out, there is nothing particularly necessary about trying to tie a single brillant riff or expression into two or three hours of messy pyrotechnics and big hair costumes. In food terms, a lot of noise is being made about the “supersize” phenomenon, which shows that people are susceptible to wanting quantities of superficial chemically-enhanced filler instead of a simple and effective bite of nutrition. Or…dare I say it…poetry as a more succinct form of communication?

And the implication for security is that it could be easier to defend smaller packages with fewer attack vectors, but it may also be more difficult if it becomes necessary to extend beyond each instance and defend a dynamic relationship/network of connected material. In other words, it’s easy to secure a single workstation compared with securing a workstation’s network (perimeter-shift).

Cruise Ship fends off Pirates

The BBC reports that a Cruise Ship of the Caribbean was attacked by pirates about 100 miles off the coast of Somalia:

“At least two boats closed in on the Seabourn Spirit, firing automatic weapons and rocket-propelled grenades at the cruise liner. But crew took evasive action, repelling the attackers without returning fire.”

The ship defended itself by making a “loud acoustic bang” that apparently scared away the attackers. Wonder if the crew was trained in making noise, or something was just thrown together. No mention was made of Disney’s upcoming pro-Pirate advertising campaign.

Weapons and judging intent

I’ve been pondering this case for a while. Does it seem odd to anyone else that a poison gas ingredients merchant would claim to not be aware of the intent of the Iraqi regime?

The court found him guilty of aiding war crimes, as “his deliveries facilitated the attacks”.

“He cannot counter with the argument that this would have happened even without his contribution,” the presiding judge said.

However, the judges ruled that van Anraat was not aware of the genocidal intentions of the Iraqi regime when he sold the ingredients for poison gas.

I could see him saying he would not expect it to be used on a particular enemy…but is that not the exact problem with arms sales? Consider this recent statement in the VOA by the US State Department, for example:

“Indonesia has made significant progress in advancing its democratic institutions and practices in a relatively short time.” As a result, the department has decided to waive conditions placed on the sale of lethal military equipment to Indonesia and on U.S. financing of Indonesian military purchases.

Needless to say, some folks were critical of the announcement and wondered how the US can influence, or even know, the intentions of the buyers. Also from the VOA:

A leading U.S. human rights group concerned with Indonesian issues criticized the wavier late Tuesday. Karen Orenstein is the national coordinator of the East Timor and Indonesia Action Network. “The East Timor and Indonesia Action condemns in the strongest term possible the issuance of this national security wavier. This is just a clear abuse of executive power. You can’t press for military reform and human rights and accountability when you have no leverage to do so. We’ve just given away the store,” he said.

So does the US have preventive or detective measures in place to prevent abuse in Indonesia? Are they working towards preventing this kind of abuse elsewhere? Hindsight is 20-20, as they say, but what about preventing the Anraat of today? I mean what kind of message does the US give the world when they are the only country in the world to vote no on the UN measure against illegal arms sales?

RFDUMP

RFDUMP is a handy utility that claims to work with any RFID tags. I hope to get a chance to test early next year. A CTO from a security company just mentioned that he has perfected his T-Mobile scanner and now gets free wi-fi access at any of their hotspots. One can only imagine the incentives of gathering RFID passport information, compared to credentials for free bandwidth.

Correspondence Patterns

I like the conclusions in this study:

“Darwin and Einstein correspondence patterns: These scientists prioritized their replies to letters in the same way that people rate their e-mails today.”

Not only does it vindicate my habit of attending to some communication instantly, while letting other things wait for eons, but it also raises interesting implications for confidentiality and data retention.

Preacher killed by baptism

I know this is more about safety than security, but I just found the story somewhat shocking:

“Rev Kyle Lake, 33, was standing in a small pool used for baptisms at the University Baptist Church when he was electrocuted on Sunday morning. Rev Lake reached out to adjust a nearby microphone, which produced an electric shock, said church pastor Ben Dudley.”

Sad but true.

SCADA systems come into focus

SecurityFocus reports today that US SCADA systems are finally getting the attention they deserve:

“Wary of the increasing number of online attacks against industrial control systems, the U.S. government has begun a major push to secure the systems used to control and monitor critical infrastructure, such as power, utility and transportation networks.”

I did some consultative/audit work with a utility company in the late 1990s and was surprised that networked systems had become so commonplace with so few controls. Fail-safes were everywhere for the critical infrastructure (most of which was heavily engineered and influenced by ideas that probably went back to the beginning of utilities themselves) so disasters seemed unlikely without some knowledge or access, but simple network devices (routers) and Microsoft software were spreading like crazy to “increase efficiency” for remote management and control systems.

To be fair, that all was before the Critical Infrastructure Project (CIP) was even started. I just checked their online files and it seems that progress is slow but steady.

Bio-Diesel and the Military

I just ran across a report by Wired, published on September 28th, called “Green Berets Prefer Biodiesel“. I am thus happy to correct myself and say my earlier post on this subject, as well as the follow-up, were a bit hasty. Wired says that the military has been steadily increasing bio-diesel use for several years now.

This is great news for several reasons. The military move towards diesel motorcycles may quickly prove the viability of a robust yet small consumer engine. In addition, the fact that the Army, Navy, US Postal Service, Department of Agriculture, and NASA are all looking at bio-diesel means a more acceptable alternative to petroleum-based fuels could be on the precipice of mass adoption in a country that has been virtually blind to the importance of alternative fuels.

“That’s important to the military’s role as a public citizen, says [fleet manager for Marine Corps vehicles in Camp Pendleton] Funk. ‘We operate our vehicles on the public highways,’ he says. ‘Biodiesel sends a signal to the American public that we’re working to keep the air clean, and to reduce our dependence on foreign oil.'”

Admittedly, while it is nice to hear fleet managers give a kinder-gentler environmental message, the realist/security practitioner in me says bio-diesel is a more secure and sustainable fuel for domestic as well as foreign troop deployments. The article even mentions that waste oil from the mess halls is now used to fuel the transport vehicles. No matter how you slice it, bio-diesel is the fuel that just keeps giving — engines run longer (better lubricity) as well as cleaner (less smoke) and can take just about any fat/oil you can scrounge up, which leads to far less vulnerability in storage and transit. It stands to reason, therefore, that special forces would go this route given the obvious reduction in vulnerabilities compared to traditional petroleum supply-chain and storage.

Just imagine if consumer-grade Diesel engines today had half as much development and innovation effort put into them as other engines (like the new Corvette Z06 powerplant). I look forward to a diesel-hybrid in the (near?) future for the ultimate in efficiency and performance without the inherent security risks of petroleum.

Diesel Motorcycles

HDT USA announced that they are producing Diesel Motorcycles for the US military and they will be on sale to the general public in March 2006.

I’ve written before about the odd fact that the US military relies heavily on diesel but doesn’t seem to have domestic-diesel production strategy. The reliance on foreign oil is a conversation piece for most of us, but one would think the US military would see something like biodiesel production as a hugely influential factor in supply-chain dependence and security.

Imagine remote units converting local fats and oils into fuel rather than requiring vulnerable fueling convoys to follow them around.

I am putting a proposal together to present a domestic-fuel strategy to a VP of a logistics / distribution division for a major American company. A year ago bio-diesel production was hovering around US$3/gallon, which was a bit high for most execs to swallow and so we used to also talk about the environmental benefits for the air, landfills, etc., but those don’t incite change on their own, yet. However, today the import-oil companies charge as much if not more for their fuel, making the transition to a more secure (and cleaner and more efficient) domestic source somewhat obvious, no?

Death by Disney

I have issues with Disney for a whole number of reasons. Perhaps someday I will create a page to explain. I think it all started with a book I read as a kid about the CIA’s use of Scrooge McDuck and Huey, Louie, etc. in Latin America propaganda. Not that I disagreed with the use of comic-books, but if you read the actual comics they distributed you would know what I mean.

Bruce Schneier writes about the DMCA review by the US Congress today.

Posts on his blog seem more and more factual and less opinionated, perhaps due to time or just the general issue of dealing with the firestorm that can follow from giving any perspective. On the other hand, his links to “good information” all point to groups who oppose some aspect of the DMCA. Anyway, I read through the links that Bruce provided and this section stood out to me:

    (3) As used in this subsection-

    (A) to “circumvent a technological measure”? means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner; and

    (B) a technological measure “effectively controls access to a work”? if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.

    17 U.S.C. 1201(a)(3).

I’ll try the trackback system again instead of posting directly.