Category Archives: Security

Food-Defense Shutters Factory Tours

A reader at Apple forwarded me a Vermont Press Bureau story reporting that a popular factory tour has been shuttered over terrorism concerns.

The story centers on establishing role-based access to production: only trusted people with a business need should be allowed in. The example given is an industrial maple syrup facility in Vermont that supplies chain stores and big-box retailers.

Their dilemma was whether to spend money on role-based access controls that could constrain visitors inside the production area, or rely on the existing perimeter controls that simply keep visitors out. They chose to cancel their tours rather than upgrade their security controls.

“One of fallouts of those guidelines was to restrict access to food plants a lot more than they ever have been in past,” says Dave Fusaro, editor-in-chief at Food Processing, an industry trade magazine. “Maybe the biggest loss was the plant tour. Used to be you could bring a Boy Scout troop in and walk right through. That ain’t going to happen anymore.”

Maple Grove, which bottles about 12 million pounds of maple syrup a year, is a mainstay on tour-bus itineraries. Jones says the company welcomes close to 120,000 people annually to its St. Johnsbury factory. But access to major retailers like Walmart and chain grocery stores, Jones says, outweighs the benefits of the company’s popular tour.

Unsubstantiated fear tactics unfortunately appear to be behind this decision.

Frank Busta, director emeritus of the National Center for Food Protection and Defense, says the new guidelines aren’t an overreaction.

“Let me paint you a scenario,” he says. “If someone got to a vulnerable location and got something into 1,000 gallons of maple syrup that went out in six-ounce bottles, and that got distributed rapidly in some big supermarket chain — wow. What a catastrophe.”

That makes maple syrup sound like an essential food that everyone eats three times a day. I can more easily imagine those 1,000 gallons of maple syrup sitting unused in pantries and closets all over America. Even one incident would be tragic, but hyperbole about the vulnerability and the threat does not help.

Let us take as an assumption that industrialized additives such as high-fructose corn syrup and trans fats are controversial at best and proven harmful at worst. How much of that “something” is being “distributed rapidly in some big supermarket chain” right now?

That is a real catastrophe happening today, as opposed to a theoretical one from potential terrorists: tens of millions of seriously unhealthy people suffering from a lack of security control. Where does the National Center for Food Protection and Defense stand on this issue?

Here is another scenario: meat. There are small-batch catering incidents:

…the June 13, 2009 nuptials were part of a notorious trio of salmonella outbreaks caused by an unlicensed caterer who served tainted beef and noodle salad at two weddings and a family reunion.

The three incidents sickened 180 people, hospitalized 10 — and now serve as a warning about the dangers of foodborne illness from catered events.

There are also big-batch meat poisoning cases. One of just nine major beef recalls in 2009 was the Christmas Eve E. coli O157:H7 incident, which involved 248,000 pounds of beef:

At least 21 people in 16 states have fallen ill after eating contaminated meat pulled from restaurants last month as part of a beef recall.

The U.S. Department of Agriculture (USDA) reports that recalled National Steak and Poultry beef products have been linked to 21 E. coli food poisoning cases, which have resulted in at least nine people being hospitalized.

According to the CDC, foodborne illness hospitalizes 371,000 people and kills 5,700 each year, almost twice the number of people killed on 9/11. Are food security experts taking this into account when they say we should worry about terrorism in the food supply?

Consider that 143 million pounds of beef was recalled in 2008 alone!

A quick scan of the Current Recalls and Alerts list from the USDA’s FSIS shows a long list of beef, chicken and pork products. It seems fairly normal for a plant to operate with unsanitary and unsafe production until inspectors eventually trace harm back to it; only then is the plant shut down and a warning sent out to tens of millions of consumers.

Thus, although the “post 9/11” terror scenario grabs people’s attention, it does not reflect the reality of risk and food security in America.

Consumers regularly eat products laced with “something” seriously harmful to their health, and meat products continue to be recalled, with thousands killed every year.

Maple Grove reported 120,000 visitors annually, yet how many food poisoning incidents, let alone terrorism incidents, did they have? Enforcing role-based access makes sense to counter an outsider threat such as a terrorist if that threat is real, but what is the actual likelihood of this outsider threat?

The evidence actually points to insider threats (e.g. chemists trying to maximize shelf life with non-food additives, and industrialized and catered meat) as the far greater and more immediate threat to health and safety.

PCI DSS 2.0 Summary of Changes

The PCI Security Standards Council released a Summary of Changes document this morning without any fanfare. It gives a very high-level review of which Requirements will be modified and how. Here are the ones to watch:

1 Clarification of DMZ
3.2 Issuers and Authentication Data
3.6 Key Management
4.4 Centralized Logging for Payment Applications
6.2 Risk-based approach to Vulnerability Management
6.5 OWASP no longer the only standard for Web Security
10 and 11 (now combined)
12.3.10 Business justification for copy/move/store of CHD (cardholder data)

Police Fail to See Flaws in iPhone

CIO has a sweet-sounding report titled “The Policeman’s New Partner: iPhone”. They fawn over a concept they call “one of the coolest apps never to appear on the App Store”.

Not in the store? That suggests a kind of exclusiveness to the reader. Should we want it more now? On the other hand, it also suggests a lack of market validation, such as user feedback. My guess is that CIO wants to imply the former rather than the latter. Take this quote, for example:

During his three-decade police career, [retired assistant chief] Bostic wore many hats at the LAPD, including overseeing some IT functions and communications. “In police work, we’re probably 20 years behind in technological capability,” he says. “We’re using the same handheld radio that costs many thousands of dollars but has a thousand times less capability than the cell phone that I have on my hip.”

Define capability. If we are talking about availability, such as sending and receiving messages when required, then that handheld radio has the iPhone beat by a mile. If we are talking about availability in terms of resistance to physical damage and failure, then that handheld radio has the iPhone beat by two miles.

I suppose if being a police officer only involved wearing cashmere turtlenecks and nobby slippers while driving around tucked safely into calfskin Porsche seats, then the iPhone would be an excellent option. At the first little bump in the road or distance from a cell tower, however, the venerable radio would be the more capable choice. It seems clear (pun not intended) that a glass-faced touch screen loosely cabled in an unsealed box does not meet the basic level of capability.

Another clue to bias in the CIO article is this quote:

Imagine undercover officers milling around with an iPhone or Droid (One Force Tracker also has a Droid version) and earbuds, while secretly communicating with each other and knowing the locations of other officers. “Everyone has an iPhone so you don’t stick out,” Bostic says.

Everyone has an iPhone? Last time I checked, Android, BlackBerry and Symbian were all far more popular, and by a large margin; the iPhone only outsold Microsoft. Granted, a cell phone is less conspicuous than a police radio, but that is not a reason to develop a specialized application for the iPhone alone. A police application that runs only on the iPhone would actually make officers easier to spot, just like a specialized radio does.

The reasons for a police iPhone do not stack up for me. This article could have been written from a far more realistic (i.e. taxpayer) perspective instead of reading like Apple marketing. Perhaps a title like “Smart phones found capable for police work” would make the most sense, given all the examples of Sprint and Android devices already in use.

Secret US Gov kill command for Cloud

The Daily Cloud reports on a controversial takedown action initiated by the US government related to reported IP abuse:

After complying with a secret order from U.S. authorities, hosting provider BurstNet shut down Blogetery.com with no warning and no way to get the blog provider’s servers back up and running. According to Blogetery, BurstNet is under a gag order, so Blogetery has no way of knowing the specifics of the complaint, the basis for legal action, or even whether the order was legal.

On a blog forum, Blogetery further complained that BurstNet would not even specify which agency or government authority ordered the shutdown.

The secrecy of both the order and the provider’s response is what most distinguishes this from a takedown dispute over in-house hosting. A customer of a hosting provider under a gag order cannot even see the complaint, let alone contest it.

Losing Poker Player Sentenced to Play Poker

Here is a strange story from ABC, “New Mexico man sentenced to playing poker in order to avoid prison”, which says a man in New Mexico with a gambling problem has been sentenced to…gamble.

He allegedly owes more than $400,000.

Prosecutors say the deal is not a get out of jail free card.

McMaster’s sentencing will be delayed for six months while he participates in tournaments.

He must make payments of $7,500 a month.

If he misses two payments he will face immediate sentencing of up to 12 years in prison.

He has already stolen from his clients to support his gambling habit. One can only presume he now has even more motive to try extreme and illegal measures (take big gambles, if you will) to keep up with the payment plan rather than go to prison.