Everyone a Cyber Security Expert?

There seems to be some sort of confusion about who exactly should be considered an expert on cyber security.

Take for example a post by the ITAC (Identity Theft Assistance Center) that boasts:

Michael Brown was a “former Director of FEMA. Mr. Brown is an expert on cyber security and provides excellent insights into what our nation can do to better protect itself in this new era of cyber warfare.”

Remember how he was disgracefully removed from his position as FEMA Director after Hurricane Katrina?

CNN posted a more critical view of him; the sort of information that makes me wonder why the ITAC portrays him so favorably and whether we should really expect any “excellent insights”.

The e-mails Melancon posted, a sampling of more than 1,000 provided to the House committee now assessing responses to Katrina by all levels of government, also show Brown making flippant remarks about his responsibilities.

“Can I quit now? Can I come home?” Brown wrote to Cindy Taylor, FEMA’s deputy director of public affairs, the morning of the hurricane.

A few days later, Brown wrote to an acquaintance, “I’m trapped now, please rescue me.”

Sounds like Mr. Brown was trying to pull a Palin, and “former Director of FEMA” is an understatement.

The truth seems to be that this man doctored his resume and worked friends and connections to get into positions of authority. This unfortunately put people’s lives at unnecessary risk as Time has detailed.

Brown’s lack of experience in emergency management isn’t the only apparent bit of padding on his resume, which raises questions about how rigorously the White House vetted him before putting him in charge of FEMA. Under the “honors and awards” section of his profile at FindLaw.com — which is information on the legal website provided by lawyers or their offices—he lists “Outstanding Political Science Professor, Central State University”. However, Brown “wasn’t a professor here, he was only a student here,” says Charles Johnson, News Bureau Director in the University Relations office at the University of Central Oklahoma (formerly named Central State University).

[…]

According to FEMA’s Andrews, Brown said “he’s never claimed to be the director of the home. He was on the board of directors, or governors of the nursing home.” However, a veteran employee at the center since 1981 says Brown “was never director here, was never on the board of directors, was never executive director. He was never here in any capacity. I never heard his name mentioned here.”

The FindLaw profile for Brown was amended on Thursday to remove a reference to his tenure at the International Arabian Horse Association, which has become a contested point.

Brown’s FindLaw profile lists a wide range of areas of legal practice, from estate planning to family law to sports. However, one former colleague does not remember Brown’s work as sterling. Stephen Jones, a prominent Oklahoma lawyer who was lead defense attorney on the Timothy McVeigh case, was Brown’s boss for two-and-a-half years in the early ’80s. “He did mainly transactional work, not litigation,” says Jones. “There was a feeling that he was not serious and somewhat shallow.”

Why would anyone think today that he suddenly has become an expert with regard to technology, let alone anything to do with cyber security?

I read a few of his blog entries and once I got past his Palinesque trash talk about Obama, I found a few examples of his supposedly “excellent insights”. Here is his analysis of a recent disc reported missing:

We live in an electronic world of ones and zeroes. That data represents national security interests, personal interests, our lives and our safety. There has to be a better way to secure and protect this from human error. Why, for instance, isn’t the data archived on site at the White House Data Center (a secret location not yet revealed by Joe Biden insofar as I know – it is a cool place, though.) Why couldn’t that disc been archived or “processed” (whatever the National Archives was doing to it) at the White House data center and then transferred electronically to the archives. Seems a little archaic to actually deliver a hard drive from either the White House or the data center to the archives.

But then I’m a Mac person. What do I know?

Nothing, apparently. Ones and zeros? Sorry, but we do not live in a binary world although we make use of binary. Decisions are often vague and have shades.

He asks why the disc could not have been archived at a data center and then transferred electronically. What? A disc with data, almost certainly a duplicate of what is already in the archives, disappears. The failure is a physical copy going missing, not data failing to arrive. Sending yet another copy over a network does nothing to prevent that; it only adds a second path that has to be protected. Bzzzt. Fail.

And what kind of conclusion is his personal choice of an operating system? A Mac has nothing to do with this topic.

I say without hesitation this is *not* an expert on cyber security.

Death by Strawberry

A US state is facing the decision whether to allow a dangerous pesticide into strawberry production. Gourmet.com calls this Politics of the Plate: Toxic Strawberries?

California strawberry farms could soon become toxic sites, if governor Arnold Schwarzenegger succumbs to industry pressure to bypass scientific review by the state’s Department of Pesticide Regulation and allows growers to apply methyl iodide, a potent fumigant that kills every living organism in the soil. He is expected to make a decision in the next two weeks.

I find it strange to see this decision even raised for consideration, given the kind of criticism and documented harm that comes with methyl iodide. The EPA received a letter in 2007 from fifty-four concerned scientists and doctors including five Nobel Laureates, which gave a stark warning.

We are writing to urgently request your assistance in preventing the registration of methyl iodide for use as a soil fumigant. As chemists and physicians familiar with the effects of this chemical, we are concerned that pregnant women and the fetus, children, the elderly, farm workers, and other people living near application sites would be at serious risk if methyl iodide is permitted for use in agriculture (80-275 pounds per acre).

The same letter suggests there is real danger from using a flawed model for toxicity tests.

…U.S. EPA has actually decreased the size of the safety factors that typically add some level of protection from exposures to pesticides.

The EPA did not forestall approval or alter its testing model. Instead it rushed to register the “Midas” products. California has already classified methyl iodide as a carcinogen, but New York state has completely refused to register the pesticide. Will California follow?

The bottom line is that as the US debates health care reform, it really should also consider eliminating threats such as poison gas that drifts from agricultural sites into neighborhoods and neighboring fields with workers, and settles into groundwater.

Blueberry Pie

Yes, it’s true. Blueberry season is here and that means PIE. Here is what has worked best for me:

Crust Ingredients:

2 1/2 cups whole wheat flour
2 sticks of unsalted frozen butter cut to 1/2 inch cubes
Pinch salt
Pinch sugar
4 to 8 Spoonfuls of ice water

Why make a crust? To be honest I went to a local store and looked for the pre-made variety. No luck. I asked and was told “it’s not in season”. Thank you not-very-much. Crust not in season? What is crust season? Blueberries everywhere and it’s not the season for pie crust?

So, without further hesitation:

Cut the sticks of frozen butter into 1/2-inch cubes. I suppose you could also just grate the butter. Combine flour, salt, and sugar in a bowl.

I chose to use a fork for the mixing, but that’s not recommended unless you really feel like you can crush butter into the mix by hand. The end result should be something that looks like a coarse meal with bean-sized pieces of butter.

Then add water 1 spoonful at a time, mixing until it all starts to clump. Pinch the dough and see if it holds together to test if it’s ready. If it still crumbles, add water.

Pull the dough out and separate it into two disks, sprinkle them with flour on all sides, wrap in plastic and chill in the fridge for an hour or more. Do not knead or roll yet. The butter bits should still be visible.

At this point you are almost ready to make pie.

Pull one dough disc from the fridge and put on a floured surface. Let it thaw for five or ten minutes. Give it a sprinkle of flour on top. Roll it out to a 12 inch circle and about 1/8 inch thick. Add flour to the surfaces if the dough starts to stick. Test with a spatula.

When the 12 inch disc is ready, fold it in half, place it into a 9 inch pie plate, and put it in the fridge for about half an hour.

The other one goes on top, unless you are really hungry, don’t mind starting again and like to eat pie dough.

Now for the filling:

8 cups of blueberries (about four pints)
Spoonful of lemon juice
1/4 cup whole wheat flour
1/2 cup sugar
Pinch of cinnamon
Two tablespoons of unsalted butter
One egg
Spoonful of milk

Eat two cups of blueberries. Seriously, this helps. Then mix the remaining six cups of blueberries in a bowl with the sugar, flour, cinnamon, lemon juice. Once mixed thoroughly so all the berries are covered, pour into the chilled pie crust. See what I mean about the first two cups? No temptation to just eat the whole thing on the spot.

Sprinkle the top with pieces of butter.

Pull the other dough disc from the fridge and put on a floured surface. Let it thaw for five or ten minutes. Give it a sprinkle of flour on top. Roll it out to a 12 inch circle and about 1/8 inch thick. Add flour to the surfaces if the dough starts to stick. Test with a spatula.

Place on top of the berry filled crust. Tuck the top crust under the edge of the bottom crust. Press down with a fork to seal them together. Put the whole thing in the fridge for about 30 minutes.

Whisk together the egg and milk. Pull the pie out and brush the top with the egg and milk.

Cut a big X or several slits in the crust to let steam escape when baking. Place on the middle rack in the oven.

Bake for 20 minutes at 425°F, then 30 to 40 minutes at 350°F until the juice is bubbling and thick.

Try to let it cool before serving, unless you like eating hot blueberry soup in a crust.

Serves one, maybe two.

What does this have to do with security? Did you eat the two cups of blueberries as I suggested? That’s a preventive measure. It helps ensure the pie will be completed. The blue stuff all over your hands and lips normally would be a detective measure, but by eating the two cups you have defeated the control mechanism. A much more serious look at security can be found in the National Sustainable Agriculture Information Service guide to Blueberries: Organic Production.

23 Quadrillion Mistake

WMUR, a local station in Manchester, reports that a simple card swipe has gone awry: Debit Card Charged $23 Quadrillion

Muszynski swiped his debit card at a local Mobil gas station to buy a pack of cigarettes for a few bucks. Instead, his Bank of America account indicated he spent $23,148,855,308,184,500 at the gas station — an amount he probably could have used to buy the entire company.

The punch line is that the Bank then charged him a $15 overdraft fee. No, wait, the punch line is that nobody wanted to even attempt to explain.

WMUR News 9 contacted Bank of America about the statement mishap, but representatives said the card issuer, Visa, could only answer questions. Visa, in turn, recommended that WMUR News 9 contact the bank.

This goes back to my presentation on the Top 10 Breaches, and podcast on RBS Worldpay, where I explained in detail how bank controls can be defeated such that unlimited funds can be pulled from cards in a very short period of time. Banks need no new technology to prevent this, just better security engineering in the applications they already run.
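The posted figure is worth a closer look, because it is consistent with a very ordinary engineering defect rather than a bank account that somehow held $23 quadrillion. $23,148,855,308,184,500.00 is 2,314,885,530,818,450,000 cents, and that integer written as eight big-endian bytes is 0x2020202020201250: six ASCII spaces followed by 0x12 0x50. That is exactly what a fixed-width, space-padded, digit-encoded amount field looks like when something downstream reads it as a raw binary integer. The code below is an added example, not anything from the WMUR story, the bank, or Visa; the arithmetic is verifiable, but the reading of the tail bytes as packed BCD (1250 cents, $12.50) and the per-transaction ceiling are assumptions made for illustration, since no root cause was ever published.

```python
"""
Added example (not from the original post): re-read the reported
$23 quadrillion charge as a field-encoding mismatch, and show the
kind of check an authorization application should apply to an amount
field before posting it.

Assumptions, labelled as such:
  * the amount field is 8 bytes, left-padded with ASCII spaces (0x20)
  * the non-padding bytes are packed BCD (two decimal digits per byte)
  * a per-transaction ceiling of $100,000 is a reasonable business rule
"""
from decimal import Decimal

REPORTED_DOLLARS = "23148855308184500.00"   # figure quoted from the WMUR story

# Hypothetical business ceiling; real values depend on merchant and card type.
MAX_SINGLE_CHARGE_CENTS = 100_000 * 100


def dollars_to_cents(text: str) -> int:
    """Exact conversion of a decimal dollar string to integer cents."""
    return int((Decimal(text) * 100).to_integral_value())


def as_u64_bytes(cents: int) -> bytes:
    """Big-endian 8-byte image of the amount, as a binary field would hold it."""
    return cents.to_bytes(8, "big")


def decode_space_padded_bcd(field: bytes) -> int:
    """Read a fixed-width field as space-padded packed BCD (assumed format).

    Leading 0x20 bytes are padding; each remaining byte holds two decimal
    digits. Any nibble above 9 means the bytes are not digits at all, which
    is the case that should never be silently turned into a number.
    """
    digits = field.lstrip(b"\x20")
    value = 0
    for b in digits:
        hi, lo = b >> 4, b & 0x0F
        if hi > 9 or lo > 9:
            raise ValueError(f"non-BCD nibble in amount field: {b:#04x}")
        value = value * 100 + hi * 10 + lo
    return value


def validate_amount_field(field: bytes) -> int:
    """Defensive decode: enforce width, digit-only content and a ceiling.

    Returns the amount in cents, or raises ValueError. The point is that
    the application refuses the transaction instead of posting whatever
    integer the bytes happen to form.
    """
    if len(field) != 8:
        raise ValueError("amount field must be 8 bytes")
    cents = decode_space_padded_bcd(field)
    if cents > MAX_SINGLE_CHARGE_CENTS:
        raise ValueError(f"amount {cents} cents exceeds per-transaction ceiling")
    return cents


def is_valid_amount_field(field: bytes) -> bool:
    """Boolean wrapper around validate_amount_field for callers and tests."""
    try:
        validate_amount_field(field)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cents = dollars_to_cents(REPORTED_DOLLARS)
    raw = as_u64_bytes(cents)
    print(f"{cents:,} cents as a 64-bit integer -> 0x{raw.hex()}")
    print("same bytes read as space-padded BCD ->", decode_space_padded_bcd(raw), "cents")
    print("accepted by validate_amount_field? ", is_valid_amount_field(raw))
```

The two readings of the same eight bytes are the whole lesson: one layer of the system treated the field as text, another as a binary integer, and nothing in between asserted that an amount must be made of digits and must fall inside a sane range. That assertion costs nothing and needs no new technology.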