Category Archives: Security

Gait Systems De-Feated by Flip-Flops

Pun intended. I can see how normal gait analysis helps people with ailments, and thus justifies the expense of development. Mitigating health risks makes sense to me so I expect more gait analysis in medical research.

However, an example of satellite gait analysis posted on Bruce’s blog sounds like a westernized solution still looking for a problem. Perhaps someone wants to be able to find and recognize people from far, far away?

It seems to me that anyone who does not want to be recognized still can easily avoid a radar and camera gait analysis system from hundreds of feet away, let alone hundreds of miles away from space.

Shadows of a long dress, a tunic (e.g. a shalwar kameez) or a long coat, for example, would render a shadow analysis system useless, no? What about from shoes with wheels in the heels? Terrain also matters. The systems probably assume a hard surface like pavement. Also, it has been mentioned many times here and elsewhere that a simple change in shoes can alter gait.

I wonder if Auburn University scientists realized their research into orthopedic problems from flip-flops was also documenting a major flaw in gait analysis systems.

Shroyer’s team, under the direction of Dr. Wendi Weimar, associate professor of biomechanics and director of the department’s Biomechanics Laboratory, found that flip-flop wearers took shorter steps and that their heels hit the ground with less vertical force than when the same walkers wore athletic shoes. When wearing flip-flops, the study participants did not bring their toes up as much during the leg’s swing phase, resulting in a larger ankle angle and shorter stride length, possibly because they tended to grip the flip-flops with their toes.

Did I mention walking under trees? Perhaps the satellite system assumes there soon will be no vegetation. I would say it is more useful in arid regions, but walking on sand goes right back to the issue of terrain.

“Startling” Gaps in US Bank Security

The San Francisco Chronicle notes that you can easily fool American bank employees with a uniform and a webpage:

With a startling success rate, security researchers disguised as fire inspectors, exterminators or government safety monitors were able to slip past tellers in nearly 1,000 bank branches and steal confidential data about customers, according to a study being released Tuesday.

Startling indeed. It begs the question of why tellers are so unaware or unconcerned.

Using little more than simple disguises, basic e-mail trickery and smooth talking, the researchers from Baton Rouge, La.-based TraceSecurity Inc. walked off with loan applications, laptops, backup tapes of customer databases and even big computer servers that they simply carried out the front door.

The bottom line is that there is an education and training issue here. I disagree with the following conclusion:

But it illustrates something provocative about the way security has changed with the rise of the Internet, which has shifted so much of the attention and dollars spent on security toward computer networks and threats from hackers. That has in many cases led to less training for employees on how to prevent physical breaches, Stickley said.

False correlation. The change is not directly a result of the Internet but more likely from a shift in American business and banking culture. Tellers used to be far more vested in the welfare of their company and were far more qualified for the job. The cost of education was undervalued by banks, which led them to cut corners and hire more temporary, unskilled and contract/outsourced workers. The new model appears to be based on an assumption that no one will exploit frail (not to be confused with inexpensive) defenses, or if they do that the cost of liability transfer will still be below the cost of maintaining skilled and security-aware employees.

Stickley said the easiest disguise to pull off was the fire inspector, because with just a uniform and a badge, researchers were often given deep access to a facility even without an appointment beforehand. The other ruses were harder, requiring more advance planning with fake Web domain name registration and phony e-mails alerting employees that an exterminator would be coming by.

What this really shows is a much greater problem than physical security. In the coming years far more scrutiny will be paid by regulators to the trust model that financial institutions have set up for partners, vendors, and other service providers. Outsourcing might have solved a financial riddle, but that was before the cost of security and compliance was factored in properly.

CIS Guidelines for Security Metrics

Dark Reading seems to be an advertising site. Every time I read an article there it feels more like a vendor press release than anything insightful or balanced. That being said, I have not found mention of this anywhere else (yet):

The first set of metrics that the CIS will release tomorrow for download are: mean time between security incidents; mean time to recover from security incidents; percentage of systems configured to approved standards; percentage of systems patched to policy; percentage of systems with anti-virus; percentage of business applications that had a risk assessment; percentage of business applications that had a penetration or vulnerability assessment; and percentage of application code that had a security assessment, threat model analysis, or code review prior to production deployment.

This would be a very useful set of data, indeed. In fact, it mirrors a set of questions I proposed for the survey at the Protect ’08 conference in Washington DC. My questions were not chosen for the survey, unfortunately, or they would have coincided with this CIS press release. Oh well.
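As an added illustration (not part of the original post, nor CIS material), here is how the metrics in that list could be computed from an organization's own incident log and asset inventory; the records, hostnames and field names below are constructed assumptions.

```python
from datetime import datetime
from statistics import mean

# Constructed sample data (an assumption, not CIS data): incident records with
# detection/recovery timestamps, plus system and application inventories.
INCIDENTS = [
    {"id": "INC-1", "detected": "2008-03-01T08:00", "recovered": "2008-03-01T20:00"},
    {"id": "INC-2", "detected": "2008-03-11T08:00", "recovered": "2008-03-12T08:00"},
    {"id": "INC-3", "detected": "2008-03-31T08:00", "recovered": "2008-03-31T14:00"},
]
SYSTEMS = [
    {"host": "web01", "baseline": True,  "patched": True,  "antivirus": True},
    {"host": "web02", "baseline": True,  "patched": False, "antivirus": True},
    {"host": "db01",  "baseline": False, "patched": True,  "antivirus": False},
    {"host": "app01", "baseline": True,  "patched": True,  "antivirus": True},
]
APPLICATIONS = [
    {"name": "online-banking", "risk_assessed": True,  "pentested": True},
    {"name": "loan-portal",    "risk_assessed": True,  "pentested": False},
    {"name": "hr-intranet",    "risk_assessed": False, "pentested": False},
]

def mean_time_between_incidents_days(incidents):
    """MTBSI: average gap in days between consecutive incident detections."""
    starts = sorted(datetime.fromisoformat(i["detected"]) for i in incidents)
    gaps = [(b - a).total_seconds() / 86400 for a, b in zip(starts, starts[1:])]
    return mean(gaps) if gaps else None  # undefined with fewer than two incidents

def mean_time_to_recover_hours(incidents):
    """MTTR: average hours from detection to recovery."""
    durations = [(datetime.fromisoformat(i["recovered"])
                  - datetime.fromisoformat(i["detected"])).total_seconds() / 3600
                 for i in incidents]
    return mean(durations) if durations else None

def percentage(records, flag):
    """Share (0-100) of records whose boolean attribute `flag` is set."""
    return 100.0 * sum(1 for r in records if r[flag]) / len(records) if records else 0.0

def scorecard(incidents, systems, applications):
    """Assemble the metrics named in the CIS list into one dictionary."""
    return {
        "mtbsi_days": mean_time_between_incidents_days(incidents),
        "mttr_hours": mean_time_to_recover_hours(incidents),
        "pct_systems_to_baseline": percentage(systems, "baseline"),
        "pct_systems_patched": percentage(systems, "patched"),
        "pct_systems_antivirus": percentage(systems, "antivirus"),
        "pct_apps_risk_assessed": percentage(applications, "risk_assessed"),
        "pct_apps_pentested": percentage(applications, "pentested"),
    }
```

Note that the two time-based metrics depend entirely on consistent incident timestamps, so the quality of the incident log sets an upper bound on how meaningful the scorecard is.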

A universal grading system is a bit pie-in-the-sky for me. How many schools have how many interpretations of grading after how many years and yet CIS believes they will crack the code of a common security grading system?