Lake Michigan Storm at U20 Championships

Macatawa Bay Yacht Club has posted a video of the Ultimate 20 North American Championship racers caught yesterday in a squall on Lake Michigan. A race was shortened and boats were sent to shore, but not in time to avoid the challenge of rough seas, rain, lightning and heavy winds from the west.

Within minutes this storm came in on Lake Michigan, endangering many boaters… Wind gusts of up to 53 miles an hour quickly made it impossible to even see all the boaters. Fortunately no boaters were lost, although there was damage done to some boats including a broken mast and rudder.

One of the competitors captured a first-person view. Sailors heading for the safety of shore who were able to keep their 20 ft boat under way saw 14 knots of speed under mainsail alone (205 sq ft):

And here is the view from shore posted by the yacht club, which shows visibility drop to near zero as the rain and wind roll in.

Gonder (አስቴር አወቀ – ጎንደር)

A song from a former capital city (the 4th) of Ethiopia, as performed by Aster Aweke on her new album Checheho.

Gonder is known for preserving tradition and custom like the iskista dance, as opposed to the more diverse and modern capital city Addis Ababa.

Gonder also was the city where Italian forces made their last stand. The British 12th (African) Division led by Major-General “Fluffy”, along with the Kenya Armoured Car Regiment and Emperor Haile Selassie’s patriots, ended the occupation of Ethiopia when they seized Gonder in 1941.

Visa brings EMV to US; PCI DSS Waived for Merchants

From the Visa media center:

Visa’s plan includes merchant incentives to upgrade to EMV chip-enabled terminals, requirements for acquirer processors to support chip acceptance and the introduction of U.S. liability shift policies.

Specifically, Visa will waive Payment Card Industry Data Security Standard (PCI DSS) compliance validation requirements to encourage merchant investment in contact and contactless chip payment terminals. Visa will also require acquirer processors to ensure that their systems support dynamic data acceptance (i.e., chip) and will institute a domestic and cross-border counterfeit liability shift.

This comes not long after Operation Night Clone, which pointed out ongoing weaknesses and loopholes of EMV. I also wrote about it earlier.

Update: Hat tip to Christofer Hoff for pointing to the InversePath presentation on EMV implementation flaws and recommendations.

IDLELO 5 Conference to be in Nigeria

The Free Software and Open Source Foundation for Africa is planning its 5th African Conference on FOSS (Free and Open Source Software), to be held in Abuja, Nigeria.

IDLELO 5 will consist of hackathons, awards, tutorials, hands-on training, demos, field visits and presentations on key FOSS and information technology areas. It will welcome a diverse number of parallel events, an exhibition and a business round table. The conference will welcome FOSS and IT keynote speakers, projects, companies, solutions and innovations, not just from Africa but from across the global FOSS community. IDLELO 5 will mark 10 years of the Free Software and Open Source Foundation for Africa (FOSSFA).

IDLELO is a Southern African word meaning “Common Grazing Ground”.

The maddog keynote from IDLELO 4 is reprinted in Linux magazine

People sometimes have a problem understanding “software freedom”, so I use the term “software slavery” to show the opposite:

Software slaves are told:

  • when to upgrade their software
  • how many computers they can put their software on
  • how many users can use the software
  • how the software will or will not work
  • what languages the software will support
  • when they will receive needed bug fixes or enhancements

Ironically only the richest peoples can afford software slavery. Poor people are persecuted as “software pirates”.

This is obviously far too broad a definition. Maybe it’s meant to be provocative rather than useful. After all, it’s a keynote speech in Africa.

The first thing that comes to mind is that software as a service (SaaS) could easily be defined as slavery even if it runs on FOSS. Even FOSS users in their own environment are told what to do and when (e.g. ubuntu-security-announce).

The difference between freedom and slavery does not seem to be just about being given instructions. It is about a user becoming a property of the software company — penalized for any attempts at liberty.

Security in the Cloud: Data Sovereignty, Open Source and Multi-Tenancy

A recording of today’s Focus round table discussion is now available:

Security continues to be a top concern as the enterprise looks to shift workloads from the traditional data center to the cloud. Applications rarely work in isolation – and as such need to share data back and forth between them. IT is being taxed with understanding and securing this approach to utilizing the cloud. In this roundtable we will discuss what is at the heart of these security concerns and some different approaches to the problem. Focus Experts discussed multi-tenancy, private vs. public cloud computing, data sovereignty, open source, and more.

Patrick Pushor

Davi Ottenheimer

Robert Taylor
Rackspace Hosting

Simon Crosby
Bromium, Inc.

Ben Goodman
VMware, Inc.

Cloud Security Different, Says Okta

Okta has announced their series B financing today. It includes a recap of security in the cloud that reveals how they pitched it for money, and why it’s different:

The concepts of security, single sign on, user management and auditing are not new. They’ve existed since the first user logged into the first mainframe. Why is the problem different or the potential solutions better in the cloud?

  • There are more services and applications available to users within an enterprise than ever before.
  • The cost to build, deliver and sell the services is dramatically lower leading to more services available in the market. Literally, thousands of new SaaS start ups have spawned in the last 10 years.
  • Companies aren’t limited by their ability to build infrastructure to deploy and maintain as many applications as they want.
  • In addition to more services, there are more users. Each generation of technology, from mainframe to mini computers to client server to cloud has seen a 10X increase in the number of users. And each of these users is accessing the services in a variety of ways. Gone are the days of one desktop per employee. There are desktops, laptops, virtual desktops, tablets and smart phones…
  • Finally, companies need to support a mobile workforce. They can no longer rely on securing the physical network perimeter with a firewall and selectively permitting VPN access. They need to have the same kind of rich authentication, authorization, auditing and logging for all their critical services.

Call me anal, or haiku-obsessed, but it looks like that list boils down to the following:

  • More services are available
  • It costs less to build services
  • Infrastructure costs are lower
  • There are more users
  • Users are mobile

Wait, let me try that again.

  • More services now
  • Can’t stop the mobile access
  • Deployed for less dough

Coming up with definitions and finding differences is fun. Who doesn’t love isomorphism? When is a muscle-car a muscle-car? I mean if a Toyota Camry races a Pontiac GTO and wins, do we still get to call the GTO a muscle-car or does the Camry get the title? More to the point, if we accept the Okta explanation, clouds do not seem far ahead of traditional IT departments. What really stops on-premise IT from providing more services at less cost to more users who are mobile?

But there’s more to a muscle-car than just measuring horsepower (the 268 horsepower Camry LE is still a second slower than a goat BTW. Efficiency is another story). Okta could have highlighted the new cloud use-cases and security issues from cloud behavior.

Many more roles/identities, with far more relationships and yet less permanence, are cloud specific. Tracking identities and meta-directory data when it’s not clear who exactly should be the one to track identities is a different problem than on premise, where accounts are doled out more carefully by a clear authority.

They also could have highlighted the tall and wide shadows of data created and then “destroyed” when accounts and services are spun up and down on short cycles because “owners” come and go. You thought keeping track of hires and terminations was hard before, try managing it for systems you can’t see or touch and only get a utilization report from. That’s another difference.
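The two problems above, accounts whose owners have come and gone and services you only ever see through a utilization report, are what an identity reconciliation job is for. The following is an added example written for this post, not code from Okta or from any product: it checks constructed per-service account reports against a constructed HR roster (the authority for who is still employed) and flags accounts with a departed owner, no recorded owner, an owner the roster has never heard of, or no recent activity. The service names, account names and dates are all made up.

```python
"""
Reconcile cloud service account reports against an HR roster to find the
"data shadows" left behind when accounts outlive their owners.
All data here is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster: the source of record for who is employed.
HR_ROSTER = {
    "alice": {"status": "active", "end": None},
    "bob":   {"status": "terminated", "end": date(2011, 6, 30)},
    "carol": {"status": "active", "end": None},
}

# Constructed utilization reports from three SaaS services.
# Each row: (service, account, recorded owner, last activity).
# owner=None means the service never captured who requested the account.
USAGE_REPORTS = [
    ("crm",     "alice",       "alice", date(2011, 8, 10)),
    ("crm",     "bob",         "bob",   date(2011, 8, 9)),
    ("crm",     "svc-export",  None,    date(2011, 8, 11)),
    ("wiki",    "carol",       "carol", date(2011, 2, 1)),
    ("wiki",    "dave",        "dave",  date(2011, 8, 1)),
    ("storage", "bob-archive", "bob",   date(2011, 7, 15)),
]

# Constructed "today" so the example is reproducible offline.
AS_OF = date(2011, 8, 12)


@dataclass(frozen=True)
class Finding:
    service: str
    account: str
    reason: str


def reconcile(roster, reports, today, dormant_after_days=90):
    """Return one Finding per problem seen in the service reports.

    An account can produce two findings (for example a departed owner
    and no recent activity); both are worth knowing about.
    """
    findings = []
    for service, account, owner, last_seen in reports:
        if owner is None:
            findings.append(Finding(service, account, "no-owner"))
        elif owner not in roster:
            findings.append(Finding(service, account, "owner-unknown"))
        elif roster[owner]["status"] != "active":
            findings.append(Finding(service, account, "owner-departed"))
        if today - last_seen > timedelta(days=dormant_after_days):
            findings.append(Finding(service, account, "dormant"))
    return findings


def summarize(findings):
    """Count findings by reason, which is what a weekly report would carry."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


def run_example():
    """Run the reconciliation over the constructed data."""
    return reconcile(HR_ROSTER, USAGE_REPORTS, AS_OF)


if __name__ == "__main__":
    results = run_example()
    for f in results:
        print(f"{f.service:8} {f.account:12} {f.reason}")
    print(summarize(results))
```

The point of keeping the roster and the reports separate is that neither side can be trusted alone: the service report is the only evidence the account exists, and the roster is the only evidence the owner still should.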

Maybe it’s all coming in their next installment and I’m just jumping the gun. For now, congrats go to them for round B. Perhaps it’s best to end by saying they are in a great market space — cloud providers clearly need identity management solutions like a GTO needs seat belts, air bags and a catalytic converter to control behavior-induced risk.

Microphone Fiend

by Eric B. and Rakim, Follow the Leader

I was a fiend before I became a teen
I melted microphones instead of cones of ice cream
Music orientated so when hip-hop was originated
Fitted like pieces of puzzles, complicated

’cause I grabbed the mic and try to say, yes y’all
They tried to take it, and say that I’m too small
Cool, ’cause I don’t get upset
I kick a hole in the speaker, pull the plug, then I jet

Back to the lab without a mic to grab
So then I add all the rhymes I had
One after the other one, then I make another one
To dis the opposite then ask if the brother’s done

X9.125 Cloud Services Compliance Data

The Accredited Standards Committee (ASC) X9, Data and Information Security Subcommittee X9F has assigned a new project to Cryptographic Protocol and Application Security standards working group X9F4. It is now open and calling for participation in the new work item (NWI) X9.125 Cloud Services Compliance Data (CSCD). It intends to “describe a common set of data needed for automating internal control and compliance testing of cloud service infrastructures” to support standard control frameworks. Contributors are sought “from the financial community with expertise in compliance, audit, and information security”.

IR 7756 and SCAP meetings scheduled

NIST had a Continuous Monitoring (CM) workshop several months ago to solicit feedback and discuss a technical reference model, as described in draft Internal Report (IR) 7756: An Enterprise Continuous Monitoring Technical Reference Architecture.

The outcome was for NIST to propose technical workflows, subsystems, interfaces, and bindings to SCAP (asset, configuration, and vulnerability management).

NIST has just announced that the requested content is ready for review. They have set up weekly meetings for Thursdays at 10 am Pacific, starting August 18th with a general model discussion. A specific workflow or subsystem will be the subject of each following meeting. Details for the meetings will be communicated to the Emerging Specification Development List. The results of these meetings will be presented at the 7th IT Security Automation Conference.

DARPA RA-11-52

Peiter Zatko says DARPA RA-11-52 CTF (Cyber Fast Track) was “launched about 18 hours ago”, which confirms a couple of things:

  1. Cyber is a term not going away anytime soon
  2. The US government is going to try being a more overt and transparent supporter of Blackhat researchers (i.e. friends and colleagues of Peiter Zatko — “guys in my address book”)

Details on how to apply are online. Given that money is being pulled out of US education, this may offer an alternative path or a softer landing for students who hope to create software.

We need help and we have money
