VW Diesel Crushes Fuel Consumption

It has been a while since I last waxed poetic about the amazing virtues of diesel. It is the obvious choice to me for independence from petroleum today. The new Volkswagen Lupo 3L TDI not only proves this is reality, but has some nice marketing language to boot:

It wasn’t long ago the European community thought the idea of a regular production vehicle that consumes 3 liters of fuel for every 100 kilometers was a mere pipe dream. A challenge was put out to European car manufacturers to produce such a vehicle and former VWAG Chairman Dr. Piech stepped up to the plate and swung hard – he usually didn’t miss too many pitches when it comes to engineering feats. What resulted is the Volkswagen Lupo 3L TDI, the world’s first 3-liter consumption production car.

Considering that the 2010 VW Golf will give 170hp at 44mpg, we’re talking real cars with really efficient engines today. This is not to say small engines are not a good idea, but the fact is that today’s typical American driver will purchase based on performance and status first, efficiency second. The fact that BMW has started pumping up the 3-series diesel is proof of this performance-orientation taking hold. Not too long ago they were carrying on about some sort of hydrogen 7-series, which will probably be a reality in like…never. Today they too see the American diesel market heating up. Next step, biodiesel blends of 5% or more. Landfills, get your conversion systems running. You don’t have to be a total veggiebus to make a significant impact. Imagine reducing dependence on foreign oil by just 10% and the positive impact to air quality and health.

Biofuels are carbon dioxide (CO2) neutral. Unlike petroleum fuels, they do not add new carbon to the atmosphere [since they come from renewable plants which consume CO2]. Sulphur dioxide (SO2) and sulfates (major contributors to acid rain) are completely eliminated due to the fact that sulfur does not exist in veggie oil. Carbon monoxide (CO) emissions are reduced by 40-60% and carcinogens by 90%. Hydrocarbon emissions are reduced by 50% which reduces photochemical smog (ozone) by 50% as well. Particulate matter, a major contributor to increased asthma cases, is reduced by 45%.

Car Scrap Plan Abuse

The BBC reports on fraud in the German car scrap

According to police, the owners had already received the government subsidy under the scrappage scheme, but instead of being destroyed the cars ended up in the hands of criminal gangs who sold them on.

This is not an isolated case and police say a number of factors are to blame.

Thanks to the global downturn the scrap metal market has crashed, so many scrapyard dealers are sitting on a mountain of old cars they need to get rid of.

There are lax controls and criminal gangs are becoming more savvy.

The government now estimates around 10 percent of the plan, as many as 50,000 cars, have been diverted by criminals. It seems that it would not be terribly hard to track the scrapped automobiles but apparently no one noticed until a Hamburg port cargo check revealed 40 old cars headed to Africa.

Kenyan Birth Certificate and ASS

Well, why not? Here’s a quick attempt to generate one of my own:

This is much more fun than the latest “ASS certification” joke seal.

Given all the hype about application security expertise, those guys so far have only generated a boring generic image file.

A certified ASS hat is funny, but not that funny. The members of the ASS movement should also reject all forms of training. They do not explain whether, for example, they can support a high school diploma and university or college degree but not other forms of education and testing. Is it a total rejection of any form of achievement and measure, or are they targeting certain certificates for specific reasons? Would they even reject certificates of birth, like this one?

PCI DSS Scope

Trey Ford raises some good questions that are very much the same as asking about systems that may have (or do not have) cardholder data but are important enough to beg scope creep analysis.

Of course it’s easy for us to say “test all of them” when we sell security testing services. However, in my experience, explaining ways to reduce scope without increasing risk is far more popular. :)

Security managers are not always blessed with a budget that can afford a “test all” approach. They usually only get support to build a keep smaller than the entire castle, if you will. Although you hinted at it, I would add that PCI DSS compliance should come from a risk-based approach. This is how to safely reduce scope as well as costs for validation.

Note that DSS 1.2 changed Requirement 6 to say “a risk-based approach may be used to prioritize patch installation”. Can the same be said for selecting sites and systems to be in scope? If cardholder data is transmitted, processed or stored, then it’s for sure in scope; if it doesn’t exist, then the asset value, frequency and likelihood of compromise related to the non-CHD could bring them into scope. Know your sites, but more importantly know your processes.

Back to my cheesy castle example, this is like saying if you are someone within the walls who has access or potential access to the king, then you also should be within scope of a keep security assessment. Your identity and your possessions are important to know, but your routine (processes) is also a key to understand (pun intended). The king’s security should assess the risk from this perspective and consider changing to a more isolated routine, which would thus reduce the scope/cost of protection.

All that being said, I noted a curious mistake in Trey’s writing:

Four good questions ome

Don’t you just hate when that happens? Automated checks, visual cues (e.g. code highlight)…and yet bugs still creep into web sites, even those of web security experts.