Category Archives: Security

Cheating Ban in StarCraft

Blizzard Entertainment has raised the stakes for cheating in StarCraft II:

Playing StarCraft II legitimately means playing with an unaltered game client. Doing otherwise violates our policies for Battle.net, and it goes against the spirit of fair play that all of our games are based on. We strongly recommend that you avoid using any hacks, cheats, or exploits. Suspensions and bans of players that have used or start using cheats and hacks will begin in the near future.

A permanent ban for an account is apparently a big step. I am not familiar enough with the game to know whether someone could open multiple accounts and use them for testing cheats. This would be a simple countermeasure to an account ban — lessen the value of the account.

It seems to me an even bigger and more exciting step would be if they offered an incentive system for whistleblowers. Then players not only would engage in battle online but also could try to get ahead by reporting suspicious accounts. Or would they have to change the name to StarNarkCraft?

Come Hear Me at the HTCIA International Conference Next Week

I am honored to be presenting three topics at the High Technology Crime Investigation Association (HTCIA) International Conference next week. They just mentioned it on the conference blog:

Davi Ottenheimer, a security and PCI expert, blogs at http://www.flyingpenguin.com/ — not just about infosec, but also on a wide variety of topics including energy, food, and sailing. He’ll be presenting “Anatomy of a Breach” on Wednesday, along with “No Patch for Social Engineering” and “Cloud Investigations and Forensics,” both on Monday.

Well, I’d say it’s all just the poetry of information security :)

The HTCIA is made up of many local chapters designed for information sharing on investigations, as you might guess from who is allowed membership:

(a) Peace Officers, Investigators and Prosecuting Attorneys engaged in the investigation and/or prosecution of criminal activity associated with computers and/or advanced technologies. Each member shall be regularly employed by the Federal Government, State Government, Counties, and/or Municipal subdivisions of any state, or

(b) Management Level and Senior Staff Security Professionals in the regular employ of private business or Industry in the various states, the primary duties of which, are the control and responsibility for security and/or investigation in computer or advanced technology environments, or by virtue of his/her position or interest can provide, or have a need for information and training in the areas of computer and/or advanced technologies.

I hope the NZ security community reps will be there and able to discuss the Wilce incident.

CV Fraud Sinks NZ Security Expert

News from New Zealand is that their top military scientist quit when “lies” were found on his resume:

NEW Zealand’s top military scientist has quit, it was announced today, after allegations that his resume falsely claimed he was an ex-Marine and an Olympic bobsledder who raced against Jamaica’s “Cool Runnings” team.

Lieutenant General Jerry Mateparae said chief defence scientist Stephen Wilce had resigned, a day after TV3’s 60 Minutes made the allegations about him.

The program also accused him of claiming to have designed nuclear weapons guidance systems.

Those are highly visible and easily verifiable claims. It is an embarrassment to the country.

Was he qualified and capable? Did he do a good job? These questions no longer matter after he had to admit he knowingly misrepresented his experience — he lied. A bobsled team in the Olympics? Easy to look that one up, and not too smart for a security scientist.

This reminds me of a more common style of CV obfuscation I have found in the security industry — years of experience. When did Internet security start? It is hard to say, which makes it easy for people to move the line.

I claim sixteen years of experience on my CV because 1994 was when I was hired into a full-time job (Staminet, a subsidiary of Space Applications) after I finished my graduate degree. I worked with computer and network security before then but only as a student so I do not count it in my professional experience.

With that in mind I recently met a security expert who told me he aims to “put audit firms out of business”. He started a website called cloudaudit.org. We had a brief discussion at VMworld about it that left me feeling a bit puzzled.

He mentioned he had experience with audit, but I think he meant he has been audited before. Does being audited qualify someone to reform audit or is there a conflict? I found it hard to get a clear picture of his experience and perspective on audit in order to understand his “put audit firms out of business” comment. Later I searched online for his name.

Two years ago he had over 15 years of experience, according to the 2008 BlackHat presenter’s page.

…currently Unisys’ Chief Security Architect…over 15 years of experience in high-profile global roles in network and information security architecture, engineering, operations and management. Prior to Unisys, he served as Crossbeam Systems’ chief security strategist, was the CISO for a $25 billion financial services company and was founder/CTO of a national security consultancy.

Today, just two years later, his experience miraculously grew five years to 20:

…20 years of experience in high-profile global roles in network and information security architecture, engineering, operations, product management and marketing with a passion for virtualization and all things Cloud.

I checked BlackHat again. On their 2010 site he gave himself over 19 years of experience — four years more after only two years.

…over 19 years of experience in high-profile global roles in network and information security architecture, engineering, operations, product management and marketing with a passion for virtualization and all things Cloud.

No Olympic bobsleds yet, but it seems the jump from 15 to 20 should be reason for concern. I am not going to split hairs over a year here or there, but a four-year variance is unsettling. I did a quick search for a graduation date to double-check. Unfortunately LinkedIn only revealed another vague and potentially sliding timeline:

University of California, Berkeley
Electrical Engineering & Computer Science

1988 — 2000

Twelve years at the UC and no degree? This is not getting better, but still no Olympic bobsleds.

This person said to me he is on a mission to transform the world of audit, yet his experience ironically is hard to audit. On the positive side I see glowing recommendations and what seems to be a devoted group of business colleagues, partners and friends. Should that be sufficient? I might say yes except I also noticed that LinkedIn says his career started November 1993, five years after starting at UC Berkeley. That means it would be 17 years of experience today, versus the 19 or 20 years mentioned above. So 15 was probably accurate two years ago and 17 is the right number for today. Where did 20 come from? 19?

At the end of the day, aside from trying to make sense of any self-description or LinkedIn profile, I have not seen any audit firm experience or something to answer my original concern. Why put audit firms out of business?

I’ve done 3 start-ups (and the odd up-start,) raised venture funding, lost my ass, made it all back again, been a CEO, CISO, CTO and still haven’t figured out what I want to be when I grow up.

I wanted to get perspective but instead I pulled up more questions than answers in a quick search for a resume online. Normally I might let it go but the Stephen Wilce story suggests that a quick search probably will not be sufficient.

FL Anti-Terror Action Saves School from Stuffed Pony

It is hard not to think the Florida education system is failing on many levels. Never mind the crazy man who says he runs a church based on hate, the “story” of the day is now about a stuffed animal that quickly became an anti-terror bomb-squad playground exercise.

Authorities blew up a stuffed pony — determined to be a “suspicious device” — after it was found outside a central Florida school. The Orange County Sheriff’s Office reported that the toy was found near the Waterbridge Elementary School Tuesday morning.

No one was allowed in or out of the building while bomb disposal experts destroyed the stuffed animal. It was ultimately deemed “non-threatening.”

No injuries were reported.

Was it possible to determine it to be non-suspicious or were the options limited? I mean was there an inherent bias in the risk model? Did anyone ask teachers and the children next door, for example, if a toy was recognized? Missing? Maybe the security orders went something like this:

  • “Warning. This is the police. No one is allowed in or out of the building.”
  • School Teacher: “Um, ok, but can you tell us why we are in lockdown?”
  • “There is a stuffed toy in the playground. We find that to be suspicious.”
  • “Sally! How many times have I told you not to forget your toys?”
  • “I’m sorry Ma’am, that’s a good try, but we cannot take any more chances here. We are going to deploy a robot, which we have not had a chance to use yet. It will deploy highly toxic and destructive charges. This should only take a couple hours and totally be worth it. Have you ever blown up a stuffed toy? It’s amazing how stuff evaporates, ha ha, like…ahem, this is not for you to see. Please stay in a locked room with the children until our fun, I mean risk, has passed.”

Someone reported hanging wires and that was it for the pony?

I still remember that an innocent man, Jean Charles de Menezes, was shot in the head by UK police after hanging wires were reported from his coat in the London Tube.

That horrible tragedy of poor judgment and excessive use of force led to “new guidelines for dealing with the ‘spontaneous sighting of a suspected suicide bomber’”.

These new police and anti-terror guidelines have actually saved another man’s life, again falsely suspected to be a threat.

A security official said: “He had a very lucky escape. It’s also amazing that the member of the public who spotted him didn’t shout something out and cause a panic on the Tube.”

Interesting that the police commend the public for not overreacting. The pony was not so lucky.

Meanwhile back in Orlando real crimes go unsolved while a stuffed animal in a school playground becomes a test of certainty…

Yup, definitely just a toy pony.