Category Archives: Security

Security

Three Firefighters Dead. Gov Non-Compliance With Water Requirements Blamed

Leave a comment

A horrifying story is in the news, about firefighters running up 23 flights of stairs to save people’s lives and then losing their own because of a building’s non-compliance with water requirements

The building housed the departments of health, human settlements and cooperative governance and traditional affairs for Gauteng, South Africa’s wealthiest province – home to Johannesburg and the capital, Pretoria.

A government report that has surfaced in the last few days revealed that the building was only 21% compliant with occupational health and safety standards, as opposed to the expected norm of 85%.

80% non-compliance. Compliance is another way of saying a codified language exists for measuring disaster preparedness, and lack of compliance is a likelihood measure of disaster. For example America’s oldest professional safety organization, the American Society of Safety Engineers (ASSE), was founded very purposefully six months after the Triangle fire.

When I hear people say they work on safety or security and do not know compliance, or choose to not focus on it, it seems like an engineer saying they do not believe in a code of ethics or taking an engineers’ creed:

To give the utmost of performance;
To participate in none but honest enterprise;
To live and work according to the laws of man and the highest standards of professional conduct;
To place service before profit, the honor and standing of the profession before personal advantage, and the public welfare above all other considerations

Investigations into a building’s woeful non-compliance will be the start, explaining how operations allowed people into a 21% facility and who is accountable, which should lead to a broader question of why only 85% is expected and whether that’s safe.

History, Sailing, Security

Fruit Fly Movements Imitated by Giant Robot Brain Controlled by Humans

Leave a comment

They say fruit flies like a banana, and new science may now be able to prove that theory because robot brains have figured out that to the vector go the spoils.

The Micro Air Vehicle Lab (MAVLab) has just published their latest research

The manoeuvres performed by the robot closely resembled those observed in fruit flies. The robot was even able to demonstrate how fruit flies control the turn angle to maximize their escape performance. ’In contrast to animal experiments, we were in full control of what was happening in the robot’s ”brain”.

Can’t help but notice how the researchers emphasize getting away from threats with “high-agility escape manoeuvres” as a primary motivation for their work, which isn’t bananas. In my mind escape performance translates to better wind agility and therefore weather resilience.

The research also mentions the importance of rapidly deflating costs in flying machines. No guess who would really need such an affordable threat-evading flying machine.

I mean times really have changed since the 1970s when

Developed by CIA’s Office of Research and Development in the 1970s, this micro Unmanned Aerial Vehicle (UAV) was the first flight of an insect-sized aerial vehicle (Insectothopter). It was an initiative to explore the concept of intelligence collection by miniaturized platforms.

The Insectothopter was plagued by inability to fly in actual weather, as even the slightest breeze would render it useless. In terms of lessons learned, the same problems cropped up with Facebook’s (now cancelled) intelligence collection by elevated platform.

On June 28, 2016, at 0743 standard mountain time, the Facebook Aquila unmanned aircraft, N565AQ, experienced an in-flight structural failure on final approach near Yuma, Arizona. The aircraft was substantially damaged. There were no injuries and no ground damage. The flight was conducted under 14 Code of Federal Regulations Part 91 as a test flight; the aircraft did not hold an FAA certificate of airworthiness.

Instead of getting into the “airworthiness” of fruit flies, I will simply point out that “final approach” is where the winds blow and the damage occurred. If only Facebook had factored in some escape performance maximization to avoid the ground hitting them so dangerously when they landed.

Energy, Security

Police Say Man Who Stole Tesla Model 3 Charged With Battery

Leave a comment

Many moons ago you may remember this introduction to one of my car-hacking posts:

First, you need a Vehicle Identification Number (VIN). You can ask your friends or family for their VIN. You can walk into a parking lot, especially a Jeep dealer’s, and look at the VIN. Or you can search craigslist for a VIN. I used the SF bay area site but you can search anywhere using a simple URL modification…

The VIN is a token, a fairly important one, that requires manufacturers to use threat models to think about adversarial usage. Alas it sits in plain view both in person and online.

We interrupt this PSA about credential management to bring you a hot story about a brand new cutting edge technology Model 3 Tesla being stolen.

…a regular at the Trevls EV-only rent-a-car company in Minnesota was the key suspect in stealing a Model 3 rental car owned by the agency. According to the owner of Trevls, John Marino, the man simply walked up to the Model 3, opened it, got in, started it and drove off. Bloomington police are saying that “the man somehow manipulated the Tesla app to unlock and start the car, disabling the GPS before leaving town.”

The key here for the key suspect, puns intended, seems to be that this Tesla was rented before. The suspect had the VIN associated with his account and used the application, so was a temporary valid driver. A VIN has to be associated with an account to run the application, and I think most Tesla owners would not want any path for their public VINs to be “matched” to someone else’s account.

Alas, a rental company does exactly that, putting a VIN in random people’s accounts. The rental company claims they remove the VIN from a customer account after their rental, thus denying any further authorization. However, this driver likely realized since he was authenticated as a driver of that car at least once he probably could contact Tesla support and somehow convince them to add the VIN back to his account without authorization of the rental company. Or maybe the removal process wasn’t clean. Deprovisioning is notoriously hard in any credential system.

I’m going to go out on a limb here and say the Tesla application and driver support system wasn’t sufficiently threat modeled for the kind of VIN use that rental companies require, let alone social engineering talent of rental customers.

It reminds me once of sitting down with an automobile manufacturer and telling them while I enjoyed hacking cars I wasn’t about to start inserting USB into my rentals…and they interrupted me with a disgusted look on their face to say “WHY NOT?” I meekly explained I thought a lab was more appropriate as it would be dangerous for others to be renting cars I had been hacking on, especially when rental use wasn’t in the threat models (it wasn’t).

Police were scrambling for clues when this Tesla disappeared because, after the suspect reportedly disabled GPS, all the usual tracking signals (e.g. NFC/RFID scanning) on Interstate roads weren’t being helpful. The Tesla owner (rental company), on the other hand, noticed the stolen car being connected to the charging network and 1,000 miles from the scene of the crime (Minnesota to Texas in two days). Police simply went to the charging station and there they found the lazy thief, who despite noticing a loophole in authorization and means to disable GPS failed to think about other ways he could be charged.

And yes I wrote this entire thing just for the puns. You’re welcome.

Update Sept 15: Telsa has pushed an update (2018.34.1) that offers a “PIN to drive” security option to limit use of a key.

No word yet on the “forgot PIN, enter credentials to drive” flow resilience to social engineering. More to the point this update does not seem to leverage PIN to drive when using the mobile application with “keyless driving”…perhaps because if you can enter credentials for keyless driving you could start the car with the same credentials in the forgot PIN screen.

Food, Security

New Bar for Soldier Performance Readiness

Leave a comment

You might be wondering if this post is about raising the physical performance bar for a soldier, and it actually is the opposite. When I say bar I mean food. And by new bar, I mean something tasty like chocolate, which lowers the dangers from physical stress.

With that in mind, here’s a funny quote about making health improvements in military training:

“Research showed compliance was better when calcium and vitamin D were provided in a fortified bar,” said Army Maj. Kayla Ramotar, dietitian with the Army’s Training and Doctrine Command. “Trainees don’t get a lot of treats during basic training, and since this bar is made of chocolate, we know compliance won’t be an issue. It’s a lot more enticing than having to swallow a bunch of pills.”

I’m imaginging a poster now that says “Basic training. It’s no treat.”

Bottom line is that bone fractures were causing high numbers of drop-outs after strenuous physical tests. So the military has turned the sage old theory of “milk and cookies before bedtime” into a vitamin D enriched calcium bar. I suppose the tryptophan angle of this could mean people sleep better at night, which stimulates better recovery, but it’s seems like they’re going for the more direct vitamin to bone strength results.

From personal perspective I do believe a high consumption of vitamin D and calcium (I often was drinking a gallon of milk per day) prevented fractures many times over. One day, as I sat up on an examination table and my eyes involuntarily poured water, doctors repeatedly questioned me about incident details because they expected to see fractures where there were none.

This performance bar sounds more convenient than how I managed my diet, for sure, and I am going to wager right now that the study of 4,000 soldiers who eat the bar reveals positive results.