Category Archives: Security

Security vendors and trust

RSA 2006 is coming soon and so I am being literally barraged by security vendors hawking their wares. How do we sort the chaff from the wheat?

Here’s a hint: there is nothing more annoying than someone dangling an iPod in front of my face and asking me to tell them whether I am able to comply with some regulation. “Tell us if you violate the GLBA and we’ll give you an mp3 player” is downright insulting. It baffles me that someone who is basically anonymous would even ask that question and expect to get accurate data. And putting a picture of some cute person in front of me doesn’t improve things. Appropriate response: ignore or, if pressured, present bad data and walk away.

If you represent a security company, please help stop the madness. Random drawings for popular electronics, based on contact information alone, are one thing. Overtly saying “we’ll pay you to give us dirt on your employer” without establishing any modicum of trust should be grounds for being barred from security conferences.

Spy Rock

Come here my sweet pet

You’ve heard of the pet rock? Russian intelligence is accusing the British of using one to spy on them, according to the BBC. The article has a fun Q&A format, with answers like this:

from what we know it appears that those who allegedly stole the confidential information walked close to the rock and then uploaded data to the device beneath it. Later, others came and downloaded the data and walked off with it

“Sir, can I help you?”
“No, thanks, just taking my pet rock for a walk.”

Update: the Russians reportedly claim the rock cost “several tens of millions of dollars” to develop. Funny.

Pirates and Terrorists

US Warship tracks Somali Pirates

Recent events in the waters off the Somali coast are probably a sign of things to come. Pirates there have been a serious problem for many years (although historically dwarfed by the waters near Indonesia or even Nigeria), and the modern Navy has tended to only intervene and respond to civilian vessels after a mayday. This means that the pirates are essentially taking the opportunity to attack highly vulnerable and ill-prepared victims.

The main difference between pirates and terrorists seems to be that the latter are motivated by some political mission, whereas the former are just hoping to increase their wealth by force (motivated by greed). When we heard about the cruise ship that was hit with an RPG, but managed to repel the attackers with a loud noise, we were led to believe there were just pirates afoot (and not internationally funded criminal syndicates with a political agenda).

While that’s likely, one has to wonder at what (economic) point does the market for pirates give way to the politics of terrorists? Al Qaeda, of course, has been rumored to be discussing the use of vessels, including large fuel tankers, at sea in the same fashion as they had used airplanes on 9/11. Makes sense that they would discuss any vehicle under the sun given the nature of suicide bombing and the need to rapidly and discreetly “insert” themselves into a civilian zone.

Relative spatial density of reported pirate incidents in the Gulf of Aden for 2008

Therefore, if the threat of pirates increases far enough and ships remain vulnerable, eventually terrorists will make the glaringly obvious connection. The question then becomes whether countermeasures will be able to detect and prevent sufficient numbers of attacks to catch all those that might be linked to terror motives, and whether the root cause should/can be addressed rather than the symptoms.

I picked up a morsel of news several months ago that SEALs were actively training to rescue a large ship that had been commandeered in the Indian Ocean. The shipping company decided to pay a ransom (i.e. the pirates’ motives were satisfied) rather than have the US military take it back by force. It’s hard to say more without the full details, but it seems lucky to me that all those attackers wanted was money. My guess is the Navy was thinking the same thing, and the SEALs were probably extremely disappointed to have their mission cancelled, so it’s no surprise to now hear in the mainstream press that US warships have started engaging the threat more and more proactively. The AP report regarding the latest Somali case notes that:

The Churchill is part of a multinational task force patrolling the western Indian Ocean and Horn of Africa region to thwart terrorist activity and other lawlessness during the U.S.-led war in Iraq

“Thwart terrorist activity and other lawlessness” is exactly what I am talking about. Does this mean the US Navy is now set to enforce the law in International waters? And do they need to mention multinational forces and the Iraq war in order to justify enforcing the law? The article also mentions “The Navy said it captured the dhow in response to a report from the International Maritime Bureau in Kuala Lumpur on Friday…” but it remains to be seen why this pirate ship in particular was of interest to the US Navy and why this is making mainstream news.

Beyond the threats of lawlessness, we still must face the general issue of vulnerability of ships. Although I’ve seen some improvements, I have to say that things like electrified fences have serious drawbacks. Aside from falling into one yourself, it is a single control point and rather prone to failure (electricity is not plentiful or reliable at sea) as well as somewhat easy to work around (attackers might just move on to the next vessel, but if they are everywhere what would stop them from just developing insulation/shorting equipment?). While naval engineering has made great strides in making boats more seaworthy, this has not translated into innovation in private boating anti-piracy measures. When you think of the boating industry in general, do consumers want to spend money on teak fittings, extra shipping capacity, or surveillance cameras and ammunition? Thus, I think the best answer today actually is a reduction in threats, which means that (multi)national forces will have to find ways to cooperatively police the international waterways before the path of the pirates is joined by terrorists. I hate to say it, but it reminds me of the “great Naval powers”…what would Admiral Nelson do?

Attacks by country


2019: Updated to add UNOSAT maps to replace deprecated secure-marine.com links

Ika wa ikaga

Comments on Bruce’s blog got me thinking about the word for squid, which turns out to be “ika”. It’s possible it could sound like a cuckoo if the seller is yelling. And if they have a dry sense of humor they might throw in a phrase like “Ika wa ikaga?” Roughly translated I think it means “how’s the squid” or “how about some squid”. Puns in a native tongue are funny, but foreign puns are absolutely fascinating — they are like keys to unlock the treasure of another culture.

I also found a visual connection with squid and birds in Japan mentioned on the japantimes.co.jp site:

Ika is generally written with phonetic kana characters, most likely because of the unusual kanji characters it has been assigned. It is written “thieving crow,” because the bird has been known to swoop down and grab squid as they float lazily on the ocean’s surface or hang on the massive drying racks used to make the jerky-like surume-ika.

Here’s another attempt at a haiku for Bruce…

Trawler nets glide by
Mother squid caresses eggs
in obscurity

Squid Security

A repeat of my comment on Bruce’s blog…

Interesting that he started bringing poetry into his blog about security. :)

—————————————

Bruce, you’re too modest. I suspect you could wax poetic about the squid and security…perhaps something like:

The squid grabs its eggs
caressing and washing them
as the trawlers trawl

Speaking of interpretation, Marilyn Chin’s poem “The Floral Apron” has an interesting take on squid and Chinese culture, the family, etc.

http://www.math.buffalo.edu/~sww/poetry2/chin_marilyn.html

The poem ends with:

And although we have traveled far
we would never forget that primal lesson
-on patience, courage, forbearance,
on how to love squid despite squid,
how to honor the village, the tribe,
the floral apron.

Alito takes the stand

Three significant issues stand out after the Alito hearings:

1) He clearly does not think the Constitution protects a woman’s choice (the right to choose, as some might call it), and he indicated that Roe v. Wade is not settled law.

2) He clearly believes in an even more powerful executive branch. In fact he supports the notion of a “unitary executive” in order to give the President broad powers that are not subject to control by Congress. And he even refused to rule out the right of the President, in the absence of an imminent threat, to invade another country without first getting congressional authorization.

3) He clearly does not believe Congress has the authority under the Constitution to make laws meant to protect families from harm. Even though the Supreme Court ultimately said he was wrong, Alito stood fast by his opinion in the Rybar case that Congress couldn’t ban machine guns. Incidentally, this has provoked the Brady Center to announce their opposition to Alito, the first candidate that they have ever opposed. I believe they referred to his opinions as “right-wing judicial activism”. Pretty harsh stuff coming from a center named after President Reagan’s Press Secretary. Moreover, Alito stood by his opinion that seriously narrowed the Family and Medical Leave Act. I’m sure we all remember when he said there was no evidence for the notion that women are disadvantaged in the workplace when they are not allowed to take family leave. The Supreme Court trounced all over that one as well. Even Rehnquist said in the majority opinion that Alito’s position relative to women in the workplace defies common sense.

So it looks like if you hate women, like automatic weapons, and think executives should be able to operate without oversight…Alito’s your man.

Go big BlueFuel

After all the hubbub this past year about the great advances in Bosch fuel injection technology, it is no surprise to hear about “BLUETEC diesel technology, which will make its U.S. debut this fall on the 2007 Mercedes E 320 sedan. DaimlerChrysler says BLUETEC is so clean it can meet emissions regulations in all 50 states, including the five states where diesels aren’t currently sold because they can’t meet emissions standards: California, Massachusetts, Maine, New York and Vermont.”

That’s encouraging, but of course Mercedes has some of the most advanced diesel engineering in the world. This isn’t your grandma’s grumbling, smelly clunker we’re talking about. Personally, I’m curious whether the 2.5L V6 turbo-diesel quattro Audi Allroad will finally be imported — talk about the ultimate active-lifestyle, high-mpg, comfortable road-warrior vehicle, it’s almost enough to make you want to move to Canada, eh? Ok, ok, I never said I was good at marketing. Back to engineering, the article explains “diesels are 30 percent more efficient than gas engines, and unlike gas-electric hybrids, which get better fuel economy in city driving, diesels are equally efficient on the highway.”

Silent but deadly

And diesel-electric hybrid? Even the HumVee is going to DEH (rebranded the Shadow RST-V), according to military.com. They wax poetic about “going green”, but let’s face it, dependence on fuel is a giant security vulnerability issue — the more efficient a vehicle, the less risk to soldiers from its supply chain. Special Forces are about the only group that bothers with any real concept of environmental friendliness, since it plays to their favor, whereas the Army is about mowing down and establishing control, Sherman style, but I digress.

The AP article about the Mercedes and new diesel technology also mentions “a big boost this October, when U.S. diesel retailers are required to begin selling low-sulfur diesel. In the past, diesel could have a sulfur level of up to 500 parts per million; low-sulfur diesel has no more than 15 parts per million.”

The real question for the future is whether car manufacturers will start allowing pure-veg-oil to run in their vehicles rather than whether someone can improve petro production by reducing a toxic additive. The additive was introduced in the first place to get rid of the inherent shortcomings of petro diesel versus the bio alternative. Of course less sulfur is better and should have been forced years ago, but the real solution is to move away from overly centralized distribution and refinement and proprietary assets that have artificially high (protected) value. When information started being pushed around on workstations and PCs it exploded the processing market. When fuel creation can be localized in a similar fashion then we will really see advances in energy technology and a drop in risk. It’s like the shift from mainframes (petroleum production) to the PC (bio-diesel refinement), which again creates a whole new set of security issues (more resilience, but need for managing decentralized controls).

Security Slogans


Few of us are probably lucky enough to invent something as contagious as a Security-Tubby or a Barney character. Instead, we are stuck with the task of creating “fun” posters with slogans.

One of my more successful ones so far has been based on the saying “Ctrl-Alt-Del when you leave your seat”.

People tell me that no matter how ridiculous they might find security slogans at first, eventually this one grows on them and they can’t help but sing it aloud when they leave the office. You know you have won over your users when they start to beg for more effective ways to comply with the “Ctrl-Alt-Del song”.

I usually give them a tip like the following:

Although a screen lock button is already provided by most X desktop environments, including those on Linux, Windows folks are usually in need of a shortcut. It is simple to create one with the following command as the shortcut target:

%windir%\system32\rundll32.exe user32.dll,LockWorkStation

Then change the icon to something that looks like a “lock”. The orange key seems most popular among XP users (consistency helps the helpdesk) and can be found in the following library:

%SystemRoot%\system32\shell32.dll

Lock Workstation Icon

Just put the button wherever convenient (desktop, taskbar, start menu, etc.). Although the setup is easily scripted and deployed over the network, sometimes it is best to hand it out to all your users like a present during the holiday season — “Security wishes you a safe and secure holiday. We hope you enjoy this new button.”
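The scripted version of the setup above, as an added example (not from the original post): it writes a “Lock Workstation” shortcut to the user’s desktop with the rundll32 LockWorkStation target and a shell32.dll icon, then reads the .lnk back to confirm it was written correctly. The shortcut name and the icon index are assumptions; the index of the key icon differs between Windows versions, so check it in the shortcut’s “Change Icon” dialog and adjust.

```powershell
# Added example: create the Ctrl-Alt-Del shortcut described above.
# Run as the user who should receive the shortcut (e.g. from a logon script).
param(
    [string]$ShortcutName = "Lock Workstation",   # assumed name; change to taste
    [int]$IconIndex = 47                           # PLACEHOLDER: index of the key/lock icon in shell32.dll for your Windows build
)

$system32 = Join-Path $env:windir "system32"
$desktop  = [Environment]::GetFolderPath("Desktop")
$lnkPath  = Join-Path $desktop "$ShortcutName.lnk"

# WScript.Shell is the standard COM object for writing .lnk files.
$shell    = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut($lnkPath)

# Same target as the command in the post: rundll32 calling user32!LockWorkStation.
$shortcut.TargetPath       = Join-Path $system32 "rundll32.exe"
$shortcut.Arguments        = "user32.dll,LockWorkStation"
$shortcut.WorkingDirectory = $system32
# IconLocation takes "path,index"; shell32.dll is where the post's orange key lives.
$shortcut.IconLocation     = "$(Join-Path $system32 'shell32.dll'),$IconIndex"
$shortcut.Description      = "Ctrl-Alt-Del when you leave your seat"
$shortcut.Save()

# Sanity check: re-open the .lnk and make sure the target and arguments survived.
$check = $shell.CreateShortcut($lnkPath)
if ($check.TargetPath -notlike "*\rundll32.exe" -or
    $check.Arguments -ne "user32.dll,LockWorkStation") {
    throw "Shortcut at $lnkPath was not written as expected"
}
Write-Host "Created $lnkPath (icon: shell32.dll index $IconIndex)"
```

To push it out over the network, drop the same script into a logon script or GPO so each user gets the button at next sign-in.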

And believe it or not, people who start using this button will still say “hey, I did the Ctrl-Alt-Del thing, go check my screen”, even though they no longer are touching the keyboard when they step away. Ah, the power of security slogans.

Loose lips

Unfortunately not all slogans are as catchy. Messages from security easily get lost in the sea of information users have to process every day, and most of the other material they hear is so polished that phrases like “don’t get hooked by phishers” tend to blend right into the wallpaper. Thus, I believe the world of security would be far better off if more wordsmiths and poets were employed to craft our message, perhaps even at the state or federal level. Nothing too fancy would be necessary, as the slogans that always seem to do best are the simple ones — “loose lips might sink ships”.

Third-highest priority in the FBI

CSI/FBI publish a famous report annually called the “Computer Crime and Security Survey”. I was surprised to read today that the FBI also has a lesser-known report called the “Computer Crime Survey”.

The difference is supposedly in the method of gathering data, although it’s not clear that either survey is truly scientific. The larger survey is done with a select group of respondents and has a huge number of paper-based questions (I’ve filled it out at least twice), whereas this “Computer Crime only, hold the Security” survey “was taken by 2,066 organizations in Iowa, Nebraska, New York, and Texas”.

The findings are not particularly surprising, and I actually could spend some time trying to debunk the article’s title “FBI says attacks succeeding despite security investments”, but instead I just want to bring attention to the part of the report I found insightful:

While some individual law enforcement officers are not trained to respond to computer security incidents, local, state, and federal law enforcement agencies have become increasingly equipped to both investigate and assist in the prosecution of such violations. Computer related crime is the third-highest priority in the FBI, above public corruption, civil rights, organized crime, white collar crime, major theft and violent crime.

Not hard to find out what the top two priorities are:
1. Protect the United States from terrorist attack.
2. Protect the United States against foreign intelligence operations and espionage.

So there you have it. If you are in the US and believe you are a victim of “cyber-based attacks and high-technology crimes”, contact the FBI.