Monthly Archives: March 2009

Energy, Security

A car that can fly

Leave a comment

CNET News has reported that a start-up is really taking off. March 6th saw the maiden voyage of a car that can actually fly:

Terrafugia describes its Transition vehicle as a “roadable aircraft” and is pitching it in part as giving private pilots an easy travel alternative when bad weather makes flying a bad idea, or simply to avoid having to take a separate car to the airport. Also, in the eyes of the Federal Aviation Administration, the vehicle falls into the light sport aircraft category.

Delivery could start as early as 2011. It will be interesting to see how regulators figure out the safety standards for these vehicles, since they seem to struggle over things like the number of doors and seats in conventional cars. Unfortunately it’s a gasoline engine, but otherwise seems like yet another reason to finish my pilot’s license this summer.

Security

PodCast: Cyber Security and NERC CIP 002 through 009

Leave a comment

My second podcast has been posted, discussing security and compliance in the context of North American Bulk Power Cyber Security Standards.

In related news, the cover story in the April 2009 Popular Mechanics is “Cyber Attack: Weapon of Mass Disruption”

Hackers could use the very computer systems that keep America’s infrastructure running to bring down key utilities and industries. Just how worried should we be?

[…]

The next world war might not start with a bang, but with a blackout.

Hope you enjoy the podcast.

History, Poetry, Security

Wizard of Oz Secrets

Leave a comment

The BBC has picked up the “secret” story of the Wizard of Oz:

Baum published the book in 1900, just after the US emerged from a period of deflation and depression. Prices had fallen by about 22% over the previous 16 years, causing huge debt.

Farmers were among those badly affected, and the Populist political party was set up to represent their interests and those of industrial labourers.

The US was then operating on the gold standard – a monetary system which valued the dollar according to the quantity of gold. The Populists wanted silver, along with gold, to be used for money. This would have increased the US money supply, raised price levels and reduced farmers’ debt burdens.

Since originally I am from Kansas, and enjoy reading history, I have always been fascinated by the code and how few people were able (willing?) to crack it, even with a publicly available reference.

This is how I always knew the story. So whenever someone brings up the 1939 film version with those strange red slippers I feel compelled to explain to them why a ruby standard makes no sense.

…Littlefield’s theory has been hotly debated. He believed the characters could represent the personalities and themes of the late 1800s, with Dorothy embodying the everyman American spirit.

US political historian Quentin Taylor, who supports this interpretation, says: “There are too many instances of parallels with the political events of the time.

“The Tin Woodman represents the industrial worker, the Scarecrow is the farmer and the Cowardly Lion is William Jennings Bryan.”

Great stuff. Perhaps the strangest chapter of all is more recent. Bob Dole, the son of staunch populists in rural Kansas, ran for President as a conservative Republican who favored corporate wealth and trickle-down economics, the opposite of his roots.

Update: the ruby slippers from the film are going to be auctioned for a lot of money to someone who probably doesn’t know and/or doesn’t care that they are meant to be silver.

Security

Visa tackles PCI myths

Leave a comment

There is so much useless chatter on the Internet about Heartland, it is nice to see a well researched and written article by Bank Info Security. They report on a security road-show by Visa:

In tackling facts and myths about data compromises, as presented in the news media, Visa says:

  • No compromised entity has been found to be PCI compliant at the time of the breach;
  • Visa does support encryption for both online and batch files.

The presentation goes on to cover common compromise vulnerabilities, including:

  • Failure to secure and monitor connected non-payment environment;
  • Unprotected systems vulnerable to SQL injection attacks;
  • Corporate websites targeted to gain access to network;
  • Malware installed to capture passwords and cardholder data.

Perhaps most interesting is that Visa is estimating that each check card with track and PIN has a $1000 market value.

The first bullet in the second list should not be missed. Although many people are banging the drum on SQL vulnerabilities and web application vulnerabilities, as well as malware, the “it’s all connected” message is a tough one. I know this well because it was the basis of a campaign I ran a few years ago at a financial institution. Fortunately there is some help in publications like the FIPS 200 from 2006 (Minimum Security Requirements for Federal Information and Information Systems). It suggests that everything connected to a critical system should have same or higher levels of security.

This message is not an easy one to deliver because it is based upon the options of either raising enterprise-wide baseline security or building security on critical systems to the point where they are truly isolated. Either way, it’s a security project with costs determined by how the business wants to operate around risk.

Thus, the difference from the other three bullet points is that it is a question for management, rather than a strictly technical gap. You can patch and monitor to fix SQL, web applications, and malware but making a decision about information flow and minimum security requirements across the enterprise is a complex business decision. Incidentally, no pun intended, the utilities are currently dealing with this very same issue as corporate systems and control centers appear to be increasingly connected to critical assets and critical cyber assets throughout their infrastructure.