Category Archives: Security

Order Integrity

Data integrity is such a broad category of security that it tends to pop up all over. When ordering from a website, for example, do you rely on just the part number on your order, or also on the description and photo? The more information we gather about the thing we are ordering, the more likely there will be no surprises when it arrives. On the other hand, large quantities of orders require efficiency in managing the related information. What’s the balance or trade-off?

Some companies cleverly use a simple algorithm to encode a description in their part numbers (e.g. an eight-port hub might be part #DL06-hub8). I like that method, personally, as it usually makes it very simple and convenient to see when a part number doesn’t match its description.
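As an added example (not code from the original post), here is a small checker for the self-describing part-number idea above. The encoding scheme is an assumption modelled on the page’s single example “DL06-hub8” (a series prefix, a device family, then a port count); the family vocabulary, the `OrderLine` record and the sample order are all constructed for illustration. It flags order lines where the description contradicts what the part number encodes, which is exactly the mismatch the post says such numbers make easy to spot.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Assumed, hypothetical scheme based on the page's one example "DL06-hub8":
#   <two letters + two digits series>-<lowercase device family><port count>
PART_RE = re.compile(r"^(?P<series>[A-Z]{2}\d{2})-(?P<family>[a-z]+)(?P<ports>\d+)$")

# Constructed vocabulary: words a human-written description should contain
# for each encoded device family.
FAMILY_WORDS = {
    "hub": ("hub",),
    "sw": ("switch",),
}

# Matches "8 port", "8-port", "16 ports" etc. inside a description.
PORTS_IN_DESC_RE = re.compile(r"(\d+)\s*-?\s*port")


@dataclass
class OrderLine:
    part_number: str
    description: str
    quantity: int


def parse_part_number(pn: str) -> Optional[dict]:
    """Decode a self-describing part number, or return None if it is not one."""
    m = PART_RE.match(pn)
    if not m:
        return None
    return {"series": m["series"], "family": m["family"], "ports": int(m["ports"])}


def check_order_line(line: OrderLine) -> list[str]:
    """Return integrity problems for one order line (empty list means consistent)."""
    problems: list[str] = []
    parsed = parse_part_number(line.part_number)
    if parsed is None:
        # Nothing to cross-check against; the buyer must verify by other means.
        return [f"{line.part_number}: not a self-describing part number"]

    desc = line.description.lower()
    words = FAMILY_WORDS.get(parsed["family"])
    if words is None:
        problems.append(f"{line.part_number}: unknown device family '{parsed['family']}'")
    elif not any(w in desc for w in words):
        problems.append(
            f"{line.part_number}: description '{line.description}' does not mention a {words[0]}"
        )

    port_match = PORTS_IN_DESC_RE.search(desc)
    if port_match is None:
        problems.append(
            f"{line.part_number}: description gives no port count to compare against {parsed['ports']}"
        )
    elif int(port_match.group(1)) != parsed["ports"]:
        problems.append(
            f"{line.part_number}: part number encodes {parsed['ports']} ports "
            f"but description says {port_match.group(1)}"
        )
    return problems


def check_order(lines: list[OrderLine]) -> list[tuple[str, list[str]]]:
    """Check every line; returns (part_number, problems) pairs in order."""
    return [(line.part_number, check_order_line(line)) for line in lines]


# Constructed sample order: one consistent line and three kinds of mismatch.
SAMPLE_ORDER = [
    OrderLine("DL06-hub8", "8 port hub", 2),             # consistent
    OrderLine("DL06-hub8", "16-port hub", 1),            # port count disagrees
    OrderLine("DL06-sw24", "24 port managed hub", 1),    # family disagrees
    OrderLine("XYZ123", "rack mounting rails", 4),       # cannot be cross-checked
]

if __name__ == "__main__":
    for pn, problems in check_order(SAMPLE_ORDER):
        print(pn, "OK" if not problems else "; ".join(problems))
```

The point of the design is that the check is cheap enough to run over every line of a large order, so the efficiency trade-off in the post is eased: only lines that fail get a human second look.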

The next time you see a part number, ask yourself how you know that’s the right number for the part and how you verify the items you’re ordering are what can be expected to arrive.

Move on from Enron?

The BBC takes a look at the impact of Enron on the city of Houston. Beyond all the corruption, fraud, sad stories and bankruptcy of the company, their report concludes with a comment of hope:

“But again, this is a city that doesn’t want to remember. They’re not introspective – they just pick themselves up and start over again. That’s what they’ve done.”

And that’s fine, unless it takes you right into the next Enron. The whole point of the Freudian revolution in psychology, I thought, was to actually deal with the issues in a frank and open manner in order to avoid repeating mistakes. I still remember when companies in California were told to completely shut down operations during rolling brown-outs, only to find out that Enron manufactured the shortages.

Not wanting to remember might make it easier to start anew, but if the US does not address energy market corruption the citizens/companies will suffer the same or even worse pain in the future. If you listen to Cheney, you might start to think that the “broken-window fallacy” could become a major policy platform for economic success:

“You’ll thank me for rebuilding your house”
— But my house is still standing
“You’ll thank me for renting you a demolition crew when you have to clear the rubble from your lot”
— What rubble? The house is still standing
“You’ll thank me for burning your house down when the police have to take it over”
— What? Why would the police take it over?
“You’ll thank me for sending the police to get rid of the problem with your neighbors”
— But there’s nothing wrong with the neighbors
“You’ll thank me for buying the properties next door and renting them out to people of my choosing”
— Wait a minute…

Success for the Cheney companies that run energy and reconstruction projects, that is. Failure for the economy.

Cloud Appreciation

Kansas Evening
I really like the Cloud Appreciation Society manifesto.

WE BELIEVE that clouds are unjustly maligned
and that life would be immeasurably poorer without them.

We think that they are Nature’s poetry,
and the most egalitarian of her displays, since
everyone can have a fantastic view of them.

We pledge to fight ‘blue-sky thinking’ wherever we find it.
Life would be dull if we had to look up at
cloudless monotony day after day.

We seek to remind people that clouds are expressions of the
atmosphere’s moods, and can be read like those of
a person’s countenance.

Clouds are so commonplace that their beauty is often overlooked.
They are for dreamers and their contemplation benefits the soul.
Indeed, all who consider the shapes they see in them will save
on psychoanalysis bills.

And so we say to all who’ll listen:
Look up, marvel at the ephemeral beauty, and live life with your head in the clouds!

“I love the clouds… the clouds that pass… up there… up there… the wonderful clouds!”
[The Stranger, Charles Baudelaire]

Inspiring. I especially appreciate the “blue-sky” reference, as that is very true in information security and risk management. When you lose focus on the actual data and see only the spots of blue, you end up missing the big picture and getting rained on “without warning”.

I’ll have to see about posting more of my cloud photos.

Nyxem made by crooks?

The mystery surrounding the Nyxem worm is starting to rattle the system. F-Secure was again first on the scene, with a warning on January 20th that the growth and destructive payload of the worm were alarming. A week later all of the other large anti-malware firms are reporting the same thing, and security folks all seem to be looking at each other and wondering about the significance of February 3rd (the day it activates and deletes all your data — docs, spreadsheets, and databases), and whether this is the level of attack sophistication we should expect going forward. The shift from quantity to “quality” of malware is happening right now. Who’s to blame?

Incidentally, just as we’re starting to get comfortable with using software to control the computer BIOS (very handy in the enterprise), someone points out that controls are lacking to prevent BIOS attacks:

The firmware on most modern motherboards has tables associating commands in the ACPI Machine Language (AML) to hardware commands. New functionality can be programmed in a higher level ACPI Source Language (ASL) and compiled into machine language and then flashed into the tables.

Canada to expand surveillance as water warms

While the earth gets warmer, the politics seem to get colder. According to the BBC, Canada is vigorously staking its claim to the Arctic, perhaps in anticipation of a waterway opening up:

The Conservative plans include the construction and deployment of three new armed heavy ice-breaking ships and an underground network of listening posts.

Listening posts, eh? It’s not clear what the US ambassador was hoping to achieve by telling Canada that they have no claim to the territory. He’s certainly given the Canadian conservatives more ammunition for the argument that they must stake a claim. Pot, kettle, black, no?

Voltaire Day

There should be one if there isn’t already. And unless someone objects, today seems like as good a day as any to celebrate the brilliance of his words, most of which I find useful in meetings about risk:

    “No snowflake in an avalanche ever feels responsible.”

    “Doubt is uncomfortable, certainty is ridiculous.”

    “Judge a man by his questions rather than by his answers”

    “The more I read, the more I meditate; and the more I acquire, the more I am enabled to affirm that I know nothing”

    “It is forbidden to kill; therefore all murderers are punished unless they kill in large numbers and to the sound of trumpets” (a softer variation is that some think it’s ok to write buggy code if you write so much of it that your pride and profit keep it going in spite of inefficiency and harm)

    and finally, with regard to today’s news that the FTC has fined ChoicePoint $15 million…

    “Every man is guilty of all the good he didn’t do.”

Here’s to Voltaire and to his role in the age of Enlightenment!

He was a poet’s poet:

Understand idleness better. It is either folly or wisdom; it is virtue in wealth and vice in poverty. In the winter of our life, we can enjoy in peace the fruits which in its spring our industry planted. Courtiers of glory, writers or warriors, slumber is permitted you, but only upon laurels.

Perhaps Rousseau Day will be next?

Spam Poets

Obviously spam is annoying and costly, but today I received a clever spam message that had somehow morphed itself into a simple poem:

awake need teach
from swim have
He reply change
on live want
As tell know
Or fit explain
That turnoff allow
night need think
school sit understand
Which fall finish
The give know

Deep, no? I’m almost glad it made it to my inbox. Should the spammers decide that they need to resort to including poetry in their email in order to get through the filters, the sting of their messages and hostility towards them might all but subside and people could welcome spam as literary marketing. Or that might be like saying used car salesmen would be more popular if they could sing when they lied.

Assessment of US Tap Water Quality

General Ripper in the movie “Dr. Strangelove” said he was afraid “precious bodily fluids” could be contaminated by the Communists, so he drank only distilled water or rainwater. He might have sounded a bit nutty at the time, but the latest report on US tap water might make the movie seem less comical. The Environmental Working Group released a report last month that had some disturbing data:

In an analysis of more than 22 million tap water quality tests, most of which were required under the federal Safe Drinking Water Act, EWG found that water suppliers across the U.S. detected 260 contaminants in water served to the public. One hundred forty-one (141) of these detected chemicals — more than half — are unregulated; public health officials have not set safety standards for these chemicals, even though millions drink them every day.
Our investigation reveals major gaps in our system of public health protections when it comes to tap water safety. Federal programs that allocate grants and low-cost loans to prevent water pollution and protect the rivers, streams, and groundwater that we drink are sorely underfunded.

When you consider how important clean water is to the national infrastructure, the data suggests serious shortcomings that threaten to undermine US security.

EPA Administrator Stephen Johnson, as quoted by Salon, called clean drinking water “a key ingredient to keeping people healthy and our economy strong.”

EWG TapWater Database

Hot Lawns

Just read an amusing article in the Guardian about using your lawn to heat your home, based on the concept of heat pumps.

With fossil fuels becoming alarmingly expensive, this environmentally friendly and low-cost alternative to gas central heating is finally coming into its own in the UK. It is incredibly effective, capable of achieving 400% efficiency – giving out more energy (typically 3 to 4 kilowatts) than the householder puts in to run it (typically 1KW). By comparison, an average gas boiler works at 90% efficiency at best.

According to Professor David Reay, of Heriot-Watt University, an expert on heat pumps, little can be said against them. Variants that extract heat from outside air perform less well in cold weather, just when the heat is needed most.

I thought the close of the article was insightful:

So if heat pumps are such a great idea, why haven’t they caught on before? “Gas has been cheap, and the British are capital-averse,” sighs Tony Bowen [president of the Heat Pumps Association, the UK trade body]. “As a nation, we are bad at investing in low long-term running costs.”

It goes far beyond the nation… but it is good to see the UK seeking less dependence on oil as well as more distributed/resilient sources of energy.

InfoSec a hot US political topic in 2006

According to the Electronic Privacy Information Center, nine US bills are pending that are related to information/data/privacy security:

  1. HR. 3140 Consumer Data Security and Notification Act (Bean)
  2. S. 1789 Personal Data Privacy and Security Act (Specter)
  3. S. 751 Notification of Risk to Personal Data Act (Feinstein)
  4. HR. 1069 Notification of Risk to Personal Data Act (Bean)
  5. S. 500 Information Protection and Security Act (Nelson)
  6. S. 768 Comprehensive Identity Theft Prevention Act (Schumer)
  7. S. 1336 Consumer Identity Protection Act (Pryor)
  8. S. 1408 Identity Theft Protection Act (Smith)
  9. HR. 1745 Social Security Number Privacy and Identity Theft Prevention Act (Shaw)