Monthly Archives: July 2008

Poetry, Security

Poetry of Guantanamo Bay

Leave a comment

The Guardian says American security officials perceive risk from releasing any information from the prisoners, including poems:

…most of the poems, including the lament by Al Hela which first sparked Falkoff’s interest, are unlikely to ever see the light of day. Not content with imprisoning the authors, the Pentagon has refused to declassify many of their words, arguing that poetry “presents a special risk” to national security because of its “content and format”. In a memo sent on September 18 2006, the team assigned to deal with communications between lawyers and their clients explains that they do not “maintain the requisite subject matter expertise” and says that poems “should continue to be considered presumptively classified”.

Extreme conditions are said to compel prisoners to take up poetry:

According to the poet Jack Mapanje, who was imprisoned in Malawi because of his writing and now teaches a course on the poetry of incarceration at Newcastle University, prisoners often turn to writing poetry as a way of “defending themselves”.

“People are writing as a search for the dignity that has been taken away from them,” he says. “It’s the only way they can attempt to restore it, but nobody is listening to them.” He was imprisoned himself with many people who were illiterate, he says, but many of them were writing poetry, or singing songs about their captivity – “it’s the same impulse that drives people to prayer.”

Here is an example, posted by Amnesty International:

It certainly is interesting to hear that the Pentagon has a bureau of poetic security.

This strikes me in the same way as when I used to read about people such as Irina Ratushinskaya who was sentenced by Soviet courts to hard labor and exile for “dissemination of slanderous documentation in poetic form”.

While in detention in the 1980s, she was isolated from other criminals and kept among a select group of political prisoners labeled “especially dangerous”.

I hope you can see why, for me, Donald Rumsfeld’s alarmist rantings had a strange echo to them:

The Pentagon called them “among the most dangerous, best-trained, vicious killers on the face of the earth,” sweeping them up after Sept. 11 and hauling them in chains to a U.S. military prison in southeastern Cuba.

Since then, hundreds of the men have been transferred from Guantanamo Bay to other countries, many of them for “continued detention.”

And then set free.

Ratushinskaya published a book called Grey is the color of Hope while in camp, which eventually led to her release to America.

Perhaps, like her description of camp life in Barashevo, those held captive in Guantanamo Bay will also find the strength to publish uncensored memoirs and thoughts of their love for freedom. Ratushinskaya wrote:

Yes, we are behind barbed wire, they have stripped us of everything they could, they have torn us away from our friends and families, but unless we acknowledge this as their right, we remain free.

The last I heard more than 400 of the approximately 800 men detained since 2001 have been released without charge after years of detention, but their writing did not survive. The Guardian explains:

Many poems have also been lost, confiscated or destroyed. Falkoff is unable to even offer an estimate of how many poems have been written in the camp.

“To start with,” he says, “there are probably 200 detainees who either don’t have lawyers or have not been allowed to communicate with their lawyers. Even for those clients who have lawyers, I really don’t know how many poems they’ve written or whether they’ve been confiscated. Communicating back and forth with our clients is a very, very difficult process.”

Ratushinskaya was lucky enough that Bloodaxe Books could publish her poems. While she grew ill in captivity her book was handed to Ronald Reagan and Mikhail Gorbachev at the Reykjavik summit…soon after she was released.

Who will read the poetry of Guantanamo Bay?

Security

McAfee Marketing and Fear Tactics

Leave a comment

I have already started to hear a number of security professionals rebroadcast a new McAfee report about small to medium business (SMB) owners in America. McAfee is said to show that the business owners are naive and unprepared because they do not focus their time on security vulnerabilities, even after they suffer a breach.

My problem with all this is that none of it seems to come from a risk management perspective, which threatens to undermine the credibility of the whole study. For starters, McAfee sells security products, so of course they are going to try and say that more concern is needed in the market. Just last month they “pledged a renewed focus on the small-and-midsize business market, where the security firm said it’s beefing up its product line and sales support.” The more concern, the more product you buy, right? Second, what qualifies McAfee to say that an SMB’s approach to risk is incorrect? They do not make a strong case to show that SMB behavior needs to change for any truly compelling reason other than to be more secure. That argument goes over like a lead balloon in the boardroom, I can tell you for certain. I wish it were another way, but the simple fact is the SMB owners do risk management every minute of every day as a matter of survival and when they do not perceive security needs, then why does McAfee feel they are the ones who are qualified to judge behavior?

Let me try to put this in perspective. A company formerly owned by Halliburton was awarded a no-bid contract to be the electrical contractor for US facilities in Iraq. The latest news is that this giant company is accused of having such improper risk management practices that they literally kill innocent soldiers:

Although it was aware of the problems that caused the deaths of Everett and Maseth, KBR did not make repairs that could have spared the lives of US soldiers, said Crawford.

“KBR has claimed that its contract did not cover fixing potential hazards, only repairing items after they broke down,” she said.

Many security professionals who call upon their employer to plan for improvements are often faced with budget shortfalls, and must tangle with managers who will do whatever they can to avoid making changes and adding workload/cost to their project plans. The stories about Halliburton’s old subsidiary sound familiar:

Debbie Crawford, who worked as an electrician for KBR in Iraq, drew a grim picture of incompetence, lack of accountability, poor leadership and poor workmanship by KBR.

“Qualified electricians found it difficult to deal with the complacency, the lack of leadership, the lack of tools and materials, and the lack of safety… Time and again we heard, ‘You’re in a war zone, what do you expect?’ and ‘If you don’t like it you can go home,'” she said.

Indeed, what do you expect from risk management? The NYT just revealed that these electrical problems are not an isolated issue:

And while the Pentagon has previously reported that 13 Americans have been electrocuted in Iraq, many more have been injured, some seriously, by shocks, according to the documents. A log compiled earlier this year at one building complex in Baghdad disclosed that soldiers complained of receiving electrical shocks in their living quarters on an almost daily basis.

Electrical problems were the most urgent noncombat safety hazard for soldiers in Iraq, according to an Army survey issued in February 2007. It noted “a safety threat theaterwide created by the poor-quality electrical fixtures procured and installed, sometimes incorrectly, thus resulting in a significant number of fires.”

The Army report said KBR, the Houston-based company that is responsible for providing basic services for American troops in Iraq, including housing, did its own study and found a “systemic problem” with electrical work.

But the Pentagon did little to address the issue until a Green Beret, Staff Sgt. Ryan D. Maseth, was electrocuted in January while showering. His death, caused by poor electrical grounding, drew the attention of lawmakers and Pentagon leaders after his family pushed for answers. Congress and the Pentagon’s inspector general have begun investigations, and this month senior Army officials ordered electrical inspections of all buildings in Iraq maintained by KBR.

With this in mind, the fact that McAfee is making news about potential bugs in IT code at resource-constrained SMBs seems to pale into insignificance. What damage lays ahead for those SMB who do not heed the warning?

I wish it were some other reality, but that is the tough situation of managing risks in IT when compared to overall business risks. Without compliance terms, such as the Payment Card Industry Data Security Standard (PCI DSS) that calls out specific fines for mishandling cardholder data, McAfee does not appear to have a standard of due care/diligence to call upon. That unfortunately, makes security reports, while statistically significant and interesting to some degree, little more than fear-based marketing.

This opening paragraph from SC Magazine is like fingernails on the chalkboard to me:

Small and medium sized businesses (SMBs) have developed a false sense of their own security and remain naïve about impending threats.

False? What is false about the decision to spend resources on something other than McAfee SMB products? Naive? Maybe they have decided that the impending threats, and the week of recovery time, is a risk they have to run and are willing to accept. Show me the data that says they are endangering other people’s lives, or causing external harm for which they are not being held accountable…and then I would start to understand the call to attention.

Security

San Francisco Lets Identity Data Leak Into the Streets

Leave a comment

Most of the news I have seen lately about San Francisco information security has centered around a disgruntled employee who “locked” the city’s management from the network after he claimed they were not to be trusted. Now there is a new twist to the city’s troubles as a TV crew stumbled upon a physical security breach of identity information:

It’s trash day in the city and the scavengers are out rifling through the garbage bins in a San Francisco alley. A KTVU cameraman caught two individuals with pick-up trucks stopping briefly before hauling away armloads of paper. No one challenges them as they steal from the unsecured blue bins.

A closer look shows some of what they left behind: confidential documents from the San Francisco Human Services Department.

The station believes thousands of records were exposed. As the sale of personal shredders has skyrocketed in recent years city staff remain unaware of the need to secure these documents? Hard to believe. There were two individuals with pickup trucks? Did the TV crew get their license plates, even though they did not challenge them? This story raises a number of strange questions.

Perhaps the most interesting question is whether disposal bins should be open containers. Many dumpsters are locked to prevent unauthorized sources from filling them, but how many full dumpsters should be locked to prevent theft? It is, in fact, illegal to remove anything from city containers and yet there is no actual mechanism provided to secure the material. For example, what if the garbage trucks had an RFID emitter that would unlock bins upon arrival? The bins would need little more than a lock controlled by a tag. The procedure could be for buildings to leave the bins open while inside their physically secure premises, and then to close the lid (activating the lock) when they set them out on the street.

Sailing, Security

Loopholes in Indian Maritime Regs

Leave a comment

LiveMint of The Wall Street Journal points out that a shipping firm in India is finding ways to evade regulators and taxes:

Mercator Lines Ltd, India’s second biggest private shipping firm, has registered more vessels outside the country in a bid to skirt tight local regulations while trying to reap the benefits of tonnage tax, a levy based on the cargo capacity of ships that reduces maritime companies’ tax burden.

The Mumbai-based firm has registered four dredgers, which it purchased in the past year, in the Comoros, an island nation in the Indian Ocean off the eastern coast of Africa, said an official at the directorate general of shipping, the maritime regulator.

I always wonder when I see ships that have city names on them whether there is really any actual association. What is needed to authenticate a ship as genuinely from a port-of-call? Nothing, apparently.

All the ships have been registered outside India directly, without opening a subsidiary in either Marshall Islands or the Comoros.

By doing this, Mercator can hire officers and crew from any part of the world, unlike ships registered in India, which have had to employ only Indian nationals. Last week, the regulator eased the clause on hiring only Indian nationals, but ship owners say strict conditions still apply to employment of foreigners.

Easy to see why the loophole is so attractive, and the irony now of course is that Mercator has to request the authorities treat these non-Indian ships as equal to Indian ships. The question is how a regulatory body should respond when a Mercator ship arrives with an international crew and “Domoni” stenciled on its stern. Their identity profile is different, so should they be authorized?

This seems similar to the debate over yacht tax loopholes in America these days. A typical story runs like this:

Jack Darcy of Redmond paid cash for a $2.2 million yacht through a Lake Union dealership last April, but he didn’t pay a dime in Washington sales taxes.

Instead, the retired corporate executive saved $200,000 by signing papers to buy his snazzy new 73-foot yacht three miles off Washington’s coast, in international waters.

[…]

Before California state law changed last month, resident boat owners needed only to keep their craft away from California for 90 days after purchase. Then they could sail home and never pay a sales tax. Most went to Mexico and were dubbed the 90-day yacht club.

In California the regulators then passed a rule called Chapter 226 that extended the time away from 90 days to a full year. Reports showed closing the so-called “sloophole” had little negative impact.

The state’s official Legislative Analyst’s Report concluded that the temporary one-year law had not resulted “in the sharp reduction in vessel-related sales that some had feared.” According to the report, the law resulted in a $20 million increase in state and local tax revenues from yacht sales made to California residents.

Strangely enough, even though the Republican Governor called on the state to close the gap permanently, he found little support from his party. An LA Times editorial painted a disturbing picture:

Like the characters in some hippie-era pop song, many Republican lawmakers in Sacramento have decided to let this troubled world fend for itself while they sail away to some imaginary shore. On yachts. After dodging their taxes

…or like characters in maritime law who like to ply the International waters as a path to alter their identity just long enough to escape a duty before returning “home” to lay claim to local privileges.