SCADA security references

NIST published their Critical Infrastructure Protection guidelines and I also noted the National Information Assurance Program (NIAP) Process Control Security Requirements Forum (PCSRF). Wish I had these references about four years ago. This is an especially interesting paper, which I think was done for the PCSRF and ISO/IEC 15408:

http://www.isd.mel.nist.gov/documents/falco/ITSecurityProcess.pdf

The Gas Technology Institute/American Gas Association Encryption page also has some good pointers and here’s the Department of Energy (DoE) guide to CyberSecurity.

Drinking Alone Under The Moon

by Li Bai

Among the flowers from a pot of wine
I drink alone beneath the bright moonshine.
I raise my cup to invite the moon, who blends
Her light with my shadow and we’re three friends.
The moon does not know how to drink her share;
In vain my shadow follows me here and there.
Together with them for the time I stay
And make merry before spring’s spend away.
I sing the moon to linger with my song;
My shadow disperses as I dance along.
Sober, we three remain cheerful and gay;
Drunken, we part and each goes his way.
Our friendship will outshine all earthly love;
Next time we’ll meet beyond the stars above.

Gopher eats Microsoft

Once upon a time, Georgi Guninski wrote AIX buffer overflows. Aleph One provided shellcodes. Now everyone hammers on Microsoft vulnerabilities and Bill Gates is retraining his employees for security awareness. That seems like a good idea as UNIX gopher servers could suddenly gain popularity again. Think your “internal” network is safe? Think again as one of your users might connect to a gopher site…oh, and all versions of IE are vulnerable. Go Minnesota!

Would you like Web Services with that?

So let’s get one thing straight, the “web services” (WS) revolution is a new term for standards-based communication between networked applications. Does this change anything for anyone? Not really, not yet. An executive at a small software company asked me to help them decide what to do about WS, so it’s been on my mind lately. The rather sharp-witted Register points out a clear case where not even Microsoft or Sun can figure out how to turn the WS hype into real value for customers.

Packet Trap

There’s something really nice about a good pasta sauce. There are so many recipes on the web, it’s hard to know where to begin. My favorite, of course, is the easiest: a bit of your favorite oil, add some basil, pine nuts, and garlic in the blender. Just press a button and…pesto!

There’s something really suspicious about a product called the White Glove, but there’s no doubt that Fred Cohen has a unique view. In light of this, I think when I build a DMZ for a client tomorrow I will try to convince them to call it a “Packet Trap.”

In Salutation to the Eternal Peace

by Sarojini Naidu

Men say the world is full of fear and hate,
And all life’s ripening harvest-fields await
The restless sickle of relentless fate.

But I, sweet Soul, rejoice that I was born,
When from the climbing terraces of corn
I watch the golden orioles of Thy morn.

What care I for the world’s desire and pride,
Who know the silver wings that gleam and glide,
The homing pigeons of Thine eventide?

What care I for the world’s loud weariness,
Who dream in twilight granaries Thou dost bless
With delicate sheaves of mellow silences?

Say, shall I heed dull presages of doom,
Or dread the rumoured loneliness and gloom,
The mute and mythic terror of the tomb?

For my glad heart is drunk and drenched with Thee,
O inmost wind of living ecstasy!
O intimate essence of eternity!

Death and Sailing

Happy Birthday A Team! It’s been far too long since I last wrote an entry. Hello to everyone out in Internet land. Have you heard the story of Dan Eldon? I am not fond of the site, but you can get an idea of what an amazing photographer and artist he was before his untimely death.

Racing my cat in the Kickoff regatta was great. Rob Howe took a photo of me outpacing a Prindle 19 in flat water and a stiff breeze (that’s me on the right). You can see the BIG version of the photo here. I also found a photo that shows me preparing to round the leeward mark. In the end, the race committee was smoking crack and robbed Julian of a first place, but the conditions were ideal. Division Three [used to have] more information online.

I sent a message to Sailing Anarchy asking if they had any articles on the A-Class cats…they responded by asking me if I wanted to write one for them. They MUST be anarchists.

A blustery day on the water

Do you care what the weather is up to o’er ‘ere? Check out the local met station webpage. Julian and I discovered yesterday that it is fairly easy to handle the cats in fierce conditions, although I confess we had the sails completely de-powered. The wind was similar to today’s reading:

   $ finger met@sealion.ucsc.edu 
        Wind Speed:             +14.592 m/s     (+32.642 mph)
        Maximum Wind Gust:      +16.376 m/s     (+36.633 mph)

Whoa Bessie!

The cost of VPN deployment

Had an interesting talk with some folks from Nortel and IBM this morning about managing VPNs. I was told that an insurance company in Northern CA recently spent $1.1 million, more than double their investment in hardware and software, installing remote VPN clients and pushing out updates.

The IBM rep also told a funny story. He said someone had to drive all the way to a branch office to receive the new VPN software. The person became very annoyed, however, when they found out they were expected to bring their PC with them for the update. Apparently they said “Someone should have told me I needed to bring my computer here to have the software installed!”

Push software was tried, but it was inconvenient to end users. Since many of them relied on V.90 dial-up connections, they did not appreciate a 3MB push to their computer, especially when they were trying to upload files to meet critical deadlines. They also complained about having to leave their computers running overnight. Clearly any push solution that claims to be efficient, easy, and nonintrusive has to take into account the behavior of recipients, and not just the needs of IT management.

Also discovered that the W3C allows me to easily validate my cascading style sheets.

This Old Weblog

I have setup my webcam to be able to prove that Euclid sits in the window all day watching the ocean and the birds.

It is hard not to notice bloggers are taking over the web. They are easy and fun, but I do not think I could put it in perspective any better than This Old Weblog. Speaking of links, SecurityFocus has a radio interview with Jennifer Granick regarding digital forensics and the law. She explains why investigating computer crime is different from regular forensics and gives some basic legal advice for companies. Digital evidence is more “fragile” she says. This is definitely not rocket science.

Salon ran a story called “The price of milk (and sex) in Cuba” and I had to write a somewhat prosaic letter to the editor in response. This letter, as well as the constant urging of friends and family, has led me to create a writing section where I will put my own travel stories.

the poetry of information security