Hong Kong Police DB leaked

This report suggests some serious issues are afoot with security in Hong Kong:

The database contained complaints made from 1996 to 2004. As you would expect in such a database, it wasn’t just information on the complainant that was compromised, but also the name, age, gender, rank and station of the police officers against whom the complaints were made, and specifics of the complaint and the outcome, including any action taken against the officer, up to dismissal. Other index tables seemed to record the occupation of the complainant, their educational attainment, and whether they had a criminal record. Also, if the complainant had been charged with an offence, then the type of offence was recorded, and the outcome of the prosecution, including the type of sentence.

One table seemed to classify nationality into either Chinese, Mainlander, Vietnamese, Filipino, Pakistani or Others. Complaints were also categorised into causes (presumably the cause was concluded after investigation), including “tactical complaints” and “political complaints” – imagine who gets that category.

[…]

In our view, the Government will not escape blame in this episode. The IPCC secretariat apparently allowed its data to be taken off-site by a consultant, reportedly for the purpose of conversion of the database from one format used by COPA to another used by the IPCC. The person who worked for the consultant then reportedly left the consultancy, and took the data with him, storing it on the commercial server. An alternative explanation might be that the consultancy outsourced the work to him.

Ouch. Do you suppose people might just be afraid to complain about exposure of complaints?

Default Page Mishap

The Register reported a funny story about a man who mistook a simple hosting mistake, which left a default web server page in place of his site, for a malicious attack:

The heartland turned vicious this week when an Oklahoma town threatened to call in the FBI because its web site was hacked by Linux maker Cent OS. Problem is CentOS didn’t hack Tuttle’s web site at all. The city’s hosting provider had simply botched a web server.

This tale kicked off yesterday when Tuttle’s city manager Jerry Taylor fired off an angry message to the CentOS staff. Taylor had popped onto the city’s web site and found the standard Apache server configuration boilerplate that appears with a new web server installation. Taylor seemed to confuse this with a potential hack attack on the bustling town’s IT infrastructure.

“Who gave you permission to invade my website and block me and anyone else from accessing it???,” Taylor wrote to CentOS. “Please remove your software immediately before I report it to government officials!! I am the City Manager of Tuttle, Oklahoma.”

It just gets better from there. Definitely worth a read. And then there is a complaint from Tuttle to The Register for reporting on the story, and a slew of related reader comments.

Farming, Water, and Security

Compare and contrast:

1) Israelis bring high-tech food to Angola

An Israeli company is using the latest water-saving technology to grow fruit and vegetables in Angola, which imports much of its food after 27 years of civil war. […] The farm was set up at the end of the war in 2002 and has been harvesting tomatoes, peppers, cucumber, mangoes, melons and grapes for three years. In fact, the farm produces 35 tonnes of vegetables every week of the year, selling most of this food to supermarkets and restaurants in Luanda.

2) Farms ‘big threat’ to fresh water

Farming poses the biggest threat to fresh water supplies, according to a major United Nations report. Agriculture is consuming more water as the world population increases and as people turn to a Western diet, one of the scientists on the report said. Farms use two-thirds of fresh water taken from aquifers and other sources. The UN concludes that ending subsidies on pesticides and fertilisers, and realistic pricing on water, would reduce demand and pollution.

So, artificially low prices on water are creating demand that far outstrips supply, leading the earth towards a security disaster. Only when water becomes a highly valuable commodity does innovation occur, leading to more appropriate controls designed for long-term availability and scalability.

Yes, madam, I am drunk. But in the morning I will be sober…

…and you will still be ugly.

That’s one of my favorite quotes by Churchill, apparently in response to Lady Astor’s comment ‘Sir, you’re drunk!’. Churchill is famous for his sharp wit, in spite of his love of drink. W Bush, on the other hand, seems to be famous for brashness (and lack of wit), perhaps due to his love of lying (about his drink, among other things).

In both cases it’s tempting to find fault in vice, but it seems more useful to me if you can get close to the actual personality of a person and assess their aptitude to think rationally under stress. I’m obviously no psychiatrist, but I found this entry in Wikipedia insightful:

In Addiction, Brain Damage and the President: “Dry Drunk” Syndrome and George W. Bush (Katherine van Wormer, CounterPunch, October 11, 2002), van Wormer goes on to speculate over whether Bush is an example of a “dry drunk”, a slang term used by Alcoholics Anonymous and substance abuse counselors to describe a recovering alcoholic who is no longer drinking, but who has not confronted the dysfunctional basic cognitive patterns that led to addiction; they use the term because they feel that such an individual is someone “who is no longer drinking . . . but whose thinking is clouded,” not truly “sober”. In her opinion, Bush displays the telltale characteristics of grandiose behavior, rigid, judgmental outlook, impatience, childish and irresponsible behavior, irrational rationalization, projection, and overreaction. She concluded that Bush displays “all the classic patterns of addictive thinking”. More specifically, she argued that Bush exhibits “the tendency to go to extremes,” a “kill or be killed mentality,” incoherence while speaking away from script, impatience, irritability in the face of disagreement, and a rigid, judgmental outlook. She added that the 2003 invasion of Iraq was primarily a result of his relationship with his father: “the targeting of Iraq had become one man’s personal crusade.”

To be frank, I didn’t really follow the “relationship with his father” theory until I read a recap of the younger Bush’s history of reckless behavior and inability to handle confrontation over his mistakes:

The most notorious episode, reported in numerous diverse sources including U.S. News & World Report, November 1, 1999, Secrecy & Privilege: Rise of the Bush Dynasty from Watergate to Iraq by Robert Parry, First Son: George W. Bush and the Bush Family Dynasty by Bill Minutaglio, and W: Revenge of the Bush Dynasty by Elizabeth Mitchell, has 26 year old George W. Bush, visiting his parents in Washington, D. C. over the Christmas vacation in 1972 shortly after the death of his grandfather, taking his 16 year old brother Marvin out drinking. On the way home, George lost control of the car and ran over a garbage can, but continued home with the can wedged noisily under the car. When his father, George H. W. Bush, called him on the carpet for not only his own behavior but for exposing his younger brother to risk, George W., still under the influence, retorted angrily, “I hear you’re looking for me. You wanna go mano a mano right here?” Before the elder Bush could reply, the situation was defused by brother Jeb, who took the opportunity to surprise his father with the happy news that George W. had been accepted to Harvard Business School.

Makes you think twice when you read today’s news by the BBC titled Bush denies Iraq is in civil war, eh? I’m starting to wonder if Air Force One has a garbage can stuck under the landing gear…

To paraphrase an old Chinese saying, if the top rafters are not level, the lower ones are probably crooked too:

Tuesday’s news conference came as US military investigators flew to Iraq to study reports that marines shot dead at least 15 civilians, including seven women and three children [including a 3-yr old], in Haditha in November 2005. The military’s initial claim that the civilians died in a roadside blast was disproved by an earlier investigation.

Corruption is one of the hardest things to deal with in security, since the enforcement mechanisms end up undermining their own credibility; the response is an escalation to overly harsh tactics, which undermines credibility further, and so forth.

Secure Voice over IP

Phil Zimmermann announced yesterday that he has released “Zfone, a new product that takes a new approach to make a secure telephone for the Internet.”

The source is open, beta versions are available for Mac OS X and Linux, and it uses Phil’s new ZRTP protocol:

I think it’s better than the other approaches to secure VoIP, because it achieves security without reliance on a PKI, key certification, trust models, certificate authorities, or key management complexity that bedevils the email encryption world. It also does not rely on SIP signaling for the key management, and in fact does not rely on any servers at all. It performs its key agreements and key management in a purely peer-to-peer manner over the RTP packet stream. It interoperates with any standard SIP phone, but naturally only encrypts the call if you are calling another Zfone client. This new protocol has been submitted to the IETF as a proposal for a public standard, to enable interoperability of SIP endpoints from different vendors.

Way to go Phil! We’re all still pulling our hair out over email key management and he announces a PKI-less (server-less!) communication client for voice. This definitely lowers the bar for adoption of a secure system while increasing trust.
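To make the “no PKI, no servers, key agreement in the media stream” claim concrete, here is an added sketch (not Zfone or ZRTP code) of the idea in Python: each endpoint does an ephemeral Diffie-Hellman exchange in-band, and instead of a certificate the two callers compare a short authentication string (SAS) derived from the agreed key, which is how ZRTP detects an active relay in practice. The `Peer` class, the demo modulus and the 4-character SAS format are assumptions for this illustration.

```python
import hashlib
import secrets

# Demo modulus: the Mersenne prime 2^521 - 1 with generator 2, chosen so the
# script runs with the standard library only. It is NOT a standardized DH
# group; a real implementation uses large MODP or elliptic-curve groups.
P = 2**521 - 1
G = 2
SAS_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"  # 32 symbols, 5 bits each


class Peer:
    """One Zfone-style endpoint holding an ephemeral DH secret for this call."""

    def __init__(self, name):
        self.name = name
        self._x = secrets.randbelow(P - 2) + 1  # fresh private value per call
        self.public = pow(G, self._x, P)        # sent in-band, no certificate
        self.key = None

    def agree(self, peer_public):
        """Derive the media key from the other side's public value."""
        if not 1 < peer_public < P - 1:         # reject degenerate values
            raise ValueError("bad DH public value")
        shared = pow(peer_public, self._x, P)
        self.key = hashlib.sha256(shared.to_bytes(66, "big")).digest()
        return self.key

    def sas(self):
        """Short authentication string the two users read aloud to each other."""
        h = hashlib.sha256(b"SAS" + self.key).digest()
        return "".join(SAS_ALPHABET[b % 32] for b in h[:4])


def honest_call():
    """Public values cross the RTP path untouched: keys and SAS values match."""
    a, b = Peer("alice"), Peer("bob")
    a.agree(b.public)
    b.agree(a.public)
    return a.key == b.key and a.sas() == b.sas()


def relayed_call():
    """A relay substitutes its own DH values on each leg. Both legs 'work',
    but Alice and Bob now hold different keys, so their spoken SAS differ:
    this mismatch is the signal the verbal check exists to catch."""
    a, b = Peer("alice"), Peer("bob")
    ra, rb = Peer("relay-a"), Peer("relay-b")  # the relay's two DH halves
    a.agree(ra.public); ra.agree(a.public)
    b.agree(rb.public); rb.agree(b.public)
    return a.key != b.key and a.sas() != b.sas()
```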

Me, Myself and I

Bruce Schneier started the Individual I campaign last year with an interesting idea. All you have to do is adopt the logo to show that you are in favor of:


  • Freedom from surveillance
  • Personal privacy
  • Anonymity
  • Equal protection
  • Due process
  • Freedom to read, write, think, speak, associate, and travel
  • The right to make your own choices about sex, reproduction, marriage, and death
  • The right to dissent

All noble causes, but I’m not so sure of the logo concept. The current logo looks like something you might find at a construction site. Contractors always seem to have some giant letter and a globe or world image. Or maybe it’s just too similar to the international symbol for tourist information. Imagine when people who display the logo suddenly find all the tourists asking them for help — “but your button means you are to give me a map of the local area, no? Can you at least point me to the hostel?” Might be a good conversation starter, but it could also start to annoy the legitimate information booths.

And what is the split down the middle of the “I” supposed to represent? Brackets?

Maybe I’m the wrong kind of person to comment on button and sticker design (having little/no experience myself). But it seems to me that a campaign for human rights based on privacy needs something a little more iconic and unique. I propose some variation of the following as an alternative:

    Eye for an I

Or does that infringe on the “cats” trademark?

More seriously, I’m kind of curious how an “Individual I” concept might merge or overlap with the “Army of One” campaign. Anyone else notice the very similar themes of ontology? For some reason I would have expected Bruce to have more in common with Martin Buber’s I and Thou than a US military advertising campaign.

Speaking of the US military, here’s another idea: the famous logo from the 1st Armored Division could be transformed into an I, in order to achieve a good mix, like saying “an army of I”:

From this: Big Red 1 to this: Big Red I

Although you wouldn’t be allowed to call it the “big red i”, or “red bone”…

Update for Windows XP (KB912475)

Some updates are critical and deserve immediate attention, such as today’s announcement (Microsoft Security Bulletin MS06-001 and MS06-012) that Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413).

However, other updates provide little more than amusement (in between the remote code execution crises). Take KB912475 for example, which was officially published on 2/28/2006:

Australia has changed the regularly scheduled end of Daylight Saving Time in five Australian states from March 2006 to the first Sunday of April 2006 due to the 2006 Commonwealth Games. Install this update to enable your computer to automatically adjust the computer clock on the correct date. After you install this item, you may have to restart your computer.

I’m not sure which issue is more strange, that Australia is trying to cheat time for the games or that you may have to restart your OS when you adjust the clock. I guess the bigger issue becomes whether the time changes will cause any kind of application outages among systems that are not patched in time for the games to begin. Imagine a contestant using an unpatched version of the Windows OS while assuming that the time-change will happen automatically and failing to make it to their event on time.

And speaking of changing the system time, when will Microsoft release a patch that pushes back the IRS filing deadline…?

Poetry is like making Beer

The Economist has an amusing review of the economic and social impact of blogging:

JOURNALISM is like making beer. Or so Glenn Reynolds says in his engaging new book. Without formal training and using cheap equipment, almost anyone can do it. The quality may be variable, but the best home-brews are tastier than the stuff you see advertised during the Super Bowl. This is because big brewers, particularly in America, have long aimed to reach the largest market by pushing bland brands that offend no one. The rise of home-brewing, however, has forced them to create “micro-brews” that actually taste of something. In the same way, argues Mr Reynolds, bloggers—individuals who publish their thoughts on the internet—have shaken up the mainstream media (or MSM, in blogger parlance).

Funny metaphysical questions. Can journalism be said to exist even if it is not printed in the New York Times? Does poetry exist outside literature? I say absolutely and thankfully, yes, as long as existence is a matter of good taste rather than income alone.

As the metaphysicists might say, we should be forbidden from mourning the loss of macro brews…

Holy Sonnet X
by John Donne

    Death, be not proud, though some have called thee
    Mighty and dreadful, for thou art not so ;
    For those, whom thou think’st thou dost overthrow,
    Die not, poor Death, nor yet canst thou kill me.
    From rest and sleep, which but thy picture[s] be,
    Much pleasure, then from thee much more must flow,
    And soonest our best men with thee do go,
    Rest of their bones, and soul’s delivery.
    Thou’rt slave to Fate, chance, kings, and desperate men,
    And dost with poison, war, and sickness dwell,
    And poppy, or charms can make us sleep as well,
    And better than thy stroke ; why swell’st thou then ?
    One short sleep past, we wake eternally,
    And Death shall be no more ; Death, thou shalt die.

Cybercrime worse than physical crime?

IBM did a survey, and it was just published here on iTWire. Interesting perspective:

According to the IT executives surveyed, 49% of local businesses now perceive cybercrime to be a greater threat than physical crime to their business. At the same time, the perception is that perpetrators of cybercrime are becoming increasingly sophisticated; 80% of Australian CIOs (84% globally) believe that lone hackers are increasingly being replaced by organised and technically proficient criminal groups.

[…]

When it comes to relative costs, Australian CIOs think that cybercrime has a more detrimental financial impact on their business than physical crime. They are most concerned about the loss of current customers as a result of cybercrime (71%), followed by loss of revenue (68%) and loss of prospective customers (67%). Just 38% of their global peers identified loss of prospective customers as a major concern, possibly reflecting the smaller size of the Australian market and relative importance of each customer.
