Category Archives: Security

Voltaire Day

There should be one if there isn’t already. And unless someone objects, today seems like as good a day as any to celebrate the brilliance of his words, most of which I find useful in meetings about risk:

    “No snowflake in an avalanche ever feels responsible.”

    “Doubt is uncomfortable, certainty is ridiculous.”

    “Judge a man by his questions rather than by his answers”

    “The more I read, the more I meditate; and the more I acquire, the more I am enabled to affirm that I know nothing”

    “It is forbidden to kill; therefore all murderers are punished unless they kill in large numbers and to the sound of trumpets” (a softer variation is that some think it’s ok to write buggy code if you write so much of it that your pride and profit keep it going in spite of inefficiency and harm)

    and finally, with regard to today’s news that the FTC has fined ChoicePoint $15 million…

    “Every man is guilty of all the good he didn’t do.”

Here’s to Voltaire and to his role in the age of Enlightenment!

He was a poet’s poet:

Understand idleness better. It is either folly or wisdom; it is virtue in wealth and vice in poverty. In the winter of our life, we can enjoy in peace the fruits which in its spring our industry planted. Courtiers of glory, writers or warriors, slumber is permitted you, but only upon laurels.

Perhaps Rousseau Day will be next?

Spam Poets

Obviously spam is annoying and costly, but today I received a clever spam message that had somehow morphed itself into a simple poem:

awake need teach
from swim have
He reply change
on live want
As tell know
Or fit explain
That turnoff allow
night need think
school sit understand
Which fall finish
The give know

Deep, no? I’m almost glad it made it to my inbox. Should the spammers decide that they need to resort to including poetry in their email in order to get through the filters, the sting of their messages and hostility towards them might all but subside and people could welcome spam as literary marketing. Or that might be like saying used car salesmen would be more popular if they could sing when they lied.

Assessment of US Tap Water Quality

General Ripper in the movie “Dr. Strangelove” said he was afraid “precious bodily fluids” could be contaminated by the Communists, so he drank only distilled water or rainwater. He might have sounded a bit nutty at the time, but the latest report on US tap water might make the movie seem less comical. The Environmental Working Group released a report last month that had some disturbing data:

In an analysis of more than 22 million tap water quality tests, most of which were required under the federal Safe Drinking Water Act, EWG found that water suppliers across the U.S. detected 260 contaminants in water served to the public. One hundred forty-one (141) of these detected chemicals — more than half — are unregulated; public health officials have not set safety standards for these chemicals, even though millions drink them every day.
Our investigation reveals major gaps in our system of public health protections when it comes to tap water safety. Federal programs that allocate grants and low-cost loans to prevent water pollution and protect the rivers, streams, and groundwater that we drink are sorely underfunded.

When you consider how important clean water is to the national infrastructure, the data suggests serious shortcomings that threaten to undermine US security.

EPA Administrator Stephen Johnson, as quoted by Salon, called clean drinking water “a key ingredient to keeping people healthy and our economy strong.”

EWG TapWater Database

Hot Lawns

Just read an amusing article in the Guardian about using your lawn to heat your home, based on the concept of heat pumps.

With fossil fuels becoming alarmingly expensive, this environmentally friendly and low-cost alternative to gas central heating is finally coming into its own in the UK. It is incredibly effective, capable of achieving 400% efficiency – giving out more energy (typically 3 to 4 kilowatts) than the householder puts in to run it (typically 1KW). By comparison, an average gas boiler works at 90% efficiency at best.

According to Professor David Reay, of Heriot-Watt University, an expert on heat pumps, little can be said against them. Variants that extract heat from outside air perform less well in cold weather, just when the heat is needed most.

I thought the close of the article was insightful:

So if heat pumps are such a great idea, why haven’t they caught on before? “Gas has been cheap, and the British are capital-averse,” sighs Tony Bowen [president of the Heat Pumps Association, the UK trade body]. “As a nation, we are bad at investing in low long-term running costs.”

It goes far beyond the nation…but it is good to see the UK seeking less dependence on oil as well as more distributed/resilient sources of energy.

InfoSec a hot US political topic in 2006

According to the Electronic Privacy Information Center, nine US bills are pending that are related to information/data/privacy security:

  1. HR. 3140 Consumer Data Security and Notification Act (Bean)
  2. S. 1789 Personal Data Privacy and Security Act (Specter)
  3. S. 751 Notification of Risk to Personal Data Act (Feinstein)
  4. HR. 1069 Notification of Risk to Personal Data Act (Bean)
  5. S. 500 Information Protection and Security Act (Nelson)
  6. S. 768 Comprehensive Identity Theft Prevention Act (Schumer)
  7. S. 1336 Consumer Identity Protection Act (Pryor)
  8. S. 1408 Identity Theft Protection Act (Smith)
  9. HR. 1745 Social Security Number Privacy and Identity Theft Prevention Act (Shaw)


Himawari Light

I think this is brilliant (pun intended). It reminds me of the concept of armored spaces that protect the inhabitants while retaining visual/light capabilities, but this adds in a component of also powering itself. Plain glass windows have been ok, but they clearly have drawbacks (ok, sometimes the puns just jump out). In this case the UV is blocked by walls, while a solar panel collects energy and glass fibers distribute the light. So, fiberlight (plus video) should provide a radical reduction in risks while maintaining many benefits from windows.

Wonder what Milton would have said about this fine use of talent to produce technology that might protect those who speak out in favor of a republic and against the supreme executive (e.g. he feared he “lost his light” because of writings like “the Tenure of Kings and Magistrates” and his support of Cromwell)…

When I Consider How My Light Is Spent
by John Milton (1608-1674)

    When I consider how my light is spent
         Ere half my days in this dark world and wide,
         And that one talent which is death to hide
         Lodged with me useless, though my soul more bent
    To serve therewith my Maker, and present
         My true account, lest he returning chide,
         "Doth God exact day-labour, light denied?"
         I fondly ask. But Patience, to prevent
    That murmur, soon replies: "God doth not need
         Either man's work or his own gifts: who best
         Bear his mild yoke, they serve him best. His state
    Is kingly; thousands at his bidding speed
         And post o'er land and ocean without rest:
         They also serve who only stand and wait."

Alito described as threat to liberty

Senator Feinstein had some pretty clear warnings about the appointment of Alito, in her Judiciary Committee statement today. Apparently she feels the best thing for America is to vote against his nomination to the bench:

I listened carefully to the testimony of many legal specialists, including professors in constitutional law. I listened to Professor Tribe. And something he said really struck me.

This is what he said: ‘The court will cut back on Roe v. Wade step by step, not just to the point where, as the moderate American center has it, abortion is cautiously restricted, but to the point where the fundamental underlying right to liberty becomes a hollow shell.’

And then I began to think about all of the things the fundamental right to liberty in this country encompasses such as: end of life decisions, privacy of medical records, privacy from unwarranted government intrusion.

On February 6 we begin the discussion and hearings on an interpretation of the use of force resolution to countenance something that none of us ever thought it would countenance – a threat to this liberty interest.

And I came to the conclusion that the fundamental right to liberty is at issue with this nominee.

It has nothing to do with his qualifications and his credentials. But it does have something to do with how far we are willing to see this Court move to the right and out of the mainstream of legal thinking in this great country.

And I, for one, really believe that there comes a time when you just have to stand up, particularly when you know that the majority of people think as you do.

And I truly believe that. I really believe the majority of people in America believe that a woman should have certain rights of privacy, modified the state, but a certain right to privacy. And if you know that this person is not going to respect those rights, but holds to a different theory, then you have to stand up.

And so all of this is in answer to Senator Kyl, because this is a hard vote. But it is a vote that is made with the belief that legal thinking and personal views, especially at times of crisis, at times of conflict, and at times of controversy do mean something. And those of us that don’t agree with the view have to stand up and vote no.

And so I am one of those.


Several people have asked me what’s new and different about the latest release of the Control Objectives for Information and related Technology (CObIT4). I have not read the official release yet from the Information Systems Audit and Control Foundation and IT Governance Institute (the primary backers) but here are some of the things that have stood out so far:

The framework has some basic rewording and reorganization that is intended to be more consistent with other standards, such as ITIL (convergence is good). For example Plan and Organize 8 (PO8) “Ensure compliance with external requirements” has been completely removed and the text transferred to a new Monitor and Evaluate 4 (ME4) “Ensure regulatory compliance”, which replaces the old ME4 “Provide for independent audit” since that was considered outside the scope of IT. Deliver and Support 8 (DS8) was renamed “Manage service desk and incidents” with Deliver and Support 10 (DS10) being renamed to “Manage problems”, which means problems will be handled separately. You get the idea…

There is also a shift from five resources to four:
– People
– Information (instead of “Data”)
– Applications
– Infrastructure (to replace both “Technology” and “Facilities”)

And the overall structure has been changed to
– Control over IT processes of…
– to satisfy the business requirement of…
– is achieved by…
– is managed by…
– and is measured by…

Protecting your trail

A recent decision of the Bankruptcy Appeals Panel of the 9th Circuit (VEE VINHNEE v. AMEX: Dec 16, 2005) seems to suggest that adequate controls to protect audit logs must be in place in order to prove the authenticity of digital information.

I have heard some conclude that this leads directly towards cryptographic protections, but it seems plausible to me that proper access controls and strong identity management might also be argued to be sufficient, if not compensatory.

The testimony by AMEX employees who routinely accessed the data was non-expert, and it suggests that they could only assume controls were in place but did not know/verify. This appears to have opened up the possibility that the data could not be proven to be authentic.

The decision explores the issue of authenticity and has some interesting citations such as “George L. Paul, The ‘Authenticity Crisis’ in Real Evidence, 15 PRAC. LITIGATOR No. 6, at 45-49 (2004)”. It also calls out a specific “scientific” methodology to help examine the “validity of the theory underlying computers and of their general reliability”:

Professor Imwinkelried perceives electronic records as a form of scientific evidence and discerns an eleven-step foundation for computer records:
1. The business uses a computer.
2. The computer is reliable.
3. The business has developed a procedure for inserting data into the computer.
4. The procedure has built-in safeguards to ensure accuracy and identify errors.
5. The business keeps the computer in a good state of repair.
6. The witness had the computer readout certain data.
7. The witness used the proper procedures to obtain the readout.
8. The computer was in working order at the time the witness obtained the readout.
9. The witness recognizes the exhibit as the readout.
10. The witness explains how he or she recognizes the readout.
11. If the readout contains strange symbols or terms, the witness explains the meaning of the symbols or terms for the trier of fact.

The decision then suggests that step four is of particular importance, given the lack of proof that controls existed to ensure the accuracy of data:

The testimony of the records custodian at trial regarding the computer equipment used by American Express was vague, conclusory, and, in light of the assertion that “[t]here’s no way that the computer changes numbers,” unpersuasive.

If you read the testimony yourself, you can see the issue the decision is referring to…

I couldn’t testify to exactly what – what the model is or anything like that. It’s – you know, our computer system that we’ve used for, you know, quite some time to produce the documents, to gather the information, to store the information and then, you know, produce the statements to the card members. And we – you know, it’s highly accurate. It’s based on the fees that go in. There’s no way that the computer changes numbers or so.

I can imagine a million ways to be more convincing/prepared with regard to the controls used to protect the data in question. But the real question, I guess, is whether cryptographic controls should now be considered a minimum requirement?
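One shape the cryptographic control debated above can take, as an added example that is not part of the original post or of the decision: a hash-chained log where each entry carries an HMAC over its own record and the previous entry's digest, so a record edited after the fact, deleted or reordered fails verification. The key, the sample billing events and every name here are constructed for this illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; a real key lives with a separate log-signing service
GENESIS = "0" * 64

def entry_digest(key: bytes, seq: int, prev: str, record: dict) -> str:
    """HMAC over sequence number, previous digest and canonical JSON payload."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, f"{seq}|{prev}|{canonical}".encode(), hashlib.sha256).hexdigest()

def append_entry(log: list, key: bytes, record: dict) -> None:
    """Append a record whose digest chains to the previous entry (or GENESIS)."""
    seq = len(log)
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"seq": seq, "prev": prev, "record": record,
                "digest": entry_digest(key, seq, prev, record)})

def first_bad_entry(log: list, key: bytes) -> "int | None":
    """Index of the first entry failing verification, or None if the chain is intact.
    Detects edited payloads, deleted/reordered entries and entries forged without the key."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return i
        if not hmac.compare_digest(entry_digest(key, i, prev, e["record"]), e["digest"]):
            return i
        prev = e["digest"]
    return None

# Constructed sample: billing events of the kind at issue in the case.
SAMPLE = [
    {"account": "ACCT-0001", "event": "fee_posted", "amount": "35.00"},
    {"account": "ACCT-0001", "event": "payment", "amount": "-35.00"},
    {"account": "ACCT-0002", "event": "fee_posted", "amount": "12.50"},
]

def build_log(key: bytes = KEY) -> list:
    log: list = []
    for rec in SAMPLE:
        append_entry(log, key, rec)
    return log

def tamper_demo(key: bytes = KEY) -> "int | None":
    """Quietly change the amount in entry 1 after the fact; verification should flag index 1."""
    log = build_log(key)
    log[1]["record"]["amount"] = "-3.50"
    return first_bad_entry(log, key)
```

Truncating the tail of the log is the one edit the chain alone cannot see; that needs the latest digest anchored somewhere the log writer cannot reach (a separate system, or a periodic signed checkpoint).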

Controls Map

With the recent release of ISO17799:2005 and CObIT4 I guess I need to rewrite my controls map (not to mention the long list of privacy laws debated in California during 2005). I really like the ISO revision, but am still catching up with CObIT. One of the challenges of helping organizations stay on top of their controls is choosing the right blend of guidance and frameworks. I’m not saying you have to use a blend, but since they are never a perfect fit and different groups have their favorites (Auditors love COSO/CObIT, Engineers go for ISO, Ex-gov bring up the NSA and NIST, etc.) I find it helps to pull it all together into a shared map. For example:

SYSTEM INTEGRITY – Controls that ensure the integrity of the environment by utilizing proactive measures to prevent and detect unauthorized changes.

  • Gateway Filtering
  • Anti-virus
  • Encryption
  • Access Controls

  • ISO.17799 (8)(3) – Protection against malicious software
  • ISO.17799 (8)(7) – Exchange of information & software
  • ISO.17799 (10)(3) – Cryptographic controls
  • ISO.17799 (10)(5) – Security of system files
  • NIST.800-14 (3)(14) – Cryptography
  • NSA IAM (9) – Virus protection
  • AB 1950 (Wiggins) – California State Personal Information Security