San Bruno Pipe: Ticking Time Bomb

The San Francisco Chronicle says five families sue PG&E after the San Bruno fire:

The suits say the pipe was a “ticking time bomb” that PG&E ignored. They attack the utility for not having automatic shutoff valves on the line, which could have reduced the time it took to cut off the flow of gas that fed the inferno.

“This wasn’t an accident. This was a foreseeable consequence of ignoring safety measures,” said Frank Pitre, a Burlingame attorney representing the families. He said he would file cases on behalf of about two dozen more families in the next two weeks.

Richard Clarke cited this disaster in his keynote at RSA Europe last week. Here is my problem with his use of it as an example: he first said how simple it is to blow up a gas line and cause massive destruction, then he said how complicated it is to design and deploy an attack on a utility (e.g. Stuxnet).

I asked him afterward about this apparent contradiction — easy to cause a disaster yet hard to cause a disaster. He said the sophisticated nature of “what they were trying to do” is what made Stuxnet different from the San Bruno explosion.

Ok, regardless of motive, which we cannot really know anyway, let’s talk consequences.

Can we honestly say we are far more at risk from a “highly targeted” and “weaponized” and “highly sophisticated” attack like Stuxnet when it has had literally zero impact?

It seems to me that Clarke’s message about cybersecurity is weakened when he brings up examples of actual disasters and how easy they are — like a “ticking time bomb” instead of a bumbling virus.

His speech made me think that non-cyber environmental disasters (especially those caused by energy companies) pose a more present danger (more likely, more severe) than anything he has to say about security. This is not to diminish the importance of security, but to keep it in perspective relative to the things the five families are describing in their lawsuit.

Beer Thief Caught In Job Interview

A man who stole beer from a grocery store applied for a job at the same store.

The Telegraph says the lager thief showed up for an interview, but it did not go well:

When he was invited in for an interview, the local manager recognised his face, Burnley Crown Court heard.

The unnamed manager then checked CCTV footage from earlier that week and identified Holden stealing four boxes of lager worth £40 from the same store.

When confronted during the interview, he fled – and stole two more boxes of beer as he ran through the front door.

This is a surveillance success story, as much as it is a case (pun not intended) of a really stupid thief. Although the cameras did not prevent the theft, they aided in identification, which clearly helped the manager avoid hiring someone who had stolen from the store. It would have been much worse to hire and then “can” the thief. The footage also helped with prosecution.

Computer Thief Returns Data

An amusing story comes from Sweden, where a thief returned stolen laptop contents on a USB stick:

The professor, who teaches at Umeå University in northern Sweden, was devastated when ten years of work stored on his laptop was stolen.

But to his surprise, a week after the theft, the entire contents of his laptop were posted to him on a USB stick.

I hate to say it, but this is a great example of why encryption can be worse than no encryption — recovery of data. A backup is a better answer to the problem of recovery, but this professor says he has not made a backup in ten years.

I find that impossible to believe, since no thief would want a laptop that is ten years old. I will assume therefore that the laptop is only a few years old and at some point the professor must have made a copy or migrated the data. Encryption with a backup would be the best option.

PaaS Bashing and Dashboards

William Vambenepe explains his frustration with PaaS Cloud infrastructure — “can you handle the truth?”

…the instance monitoring console Google just rolled out is seriously lacking. As is too often the case with IT monitoring systems, it reports what is convenient to collect, not what is useful. I’m sure they’ll fix it over time. What this console does well (and really the main point of this blog) is illustrate the challenge of how much information about the underlying infrastructure should be surfaced.

Hard not to notice that his vent includes the phrase “as is too often the case with IT monitoring systems”, which indicates he is getting annoyed by something that is not specifically a cloud issue. Consoles and dashboards are rarely up to snuff, so you would expect this to be the same no matter what you call your IT environment. Then again, everything in the cloud is a cloud issue. The problem becomes that in the cloud you ONLY get a dashboard, nothing more. Options are limited when you do not get to decide what they will be; you just accept them as they are delivered to you.