Category Archives: Security

Police Solve Stolen Lamborghini and Related Cases

The SF Chronicle has reported an interesting case of a teenager arrested by police for a string of bank robberies and an attempted homicide. Although the 17-year-old suspect went to great lengths to jam electronic signals while in a stolen luxury car, he apparently did not take very much precaution against simple video surveillance. It might be fair to say an obsession with avoiding capture did not mix well with what sounds like vanity and jealousy.

The detectives started only with reports from witnesses that a black-clad motorcyclist had been seen waiting at a nearby gas station before five shots were fired into a pickup truck parked on Evergreen Avenue in Mill Valley. Landon Wahlstrom and his 17-year-old girlfriend were sitting inside and ducked, according to the report.

Surveillance video at two gas stations where witnesses said they had seen the motorcyclist showed the apparent suspect. The helmet had “Bilt” written on it. That led investigators to a Cycle Gear retail store in San Francisco, which sells that model helmet. Surveillance video and transaction records showed the suspect buying not only the helmet but a dark visor, a black cloth face and neck protector, a black leather vest and black gloves.

The female victim was shown the video and identified Wade, from whom she had admitted buying fake identification cards and counterfeit driver’s licenses.

Americans are so used to labels being displayed on the outside of everything that the suspect probably did not even notice the BiLT sticker or realize it’s a unique form of identification. Cracking the case is related to the luxury car, which was stolen from a dealership last year. Ironically it had been stored with the dealer by its owner, a celebrity chef who was concerned it might end up in a chop-shop in San Francisco. Ok, pun intended. Once police identified the suspect on the motorcycle and realized the connection with the car they engineered the suspect into revealing the location of a 2008 bright yellow Lamborghini Gallardo. They simply used the girl’s identity to ask for a date in the car. He fell for it and invited police to a storage locker in Richmond where they found everything they could want stored together.

The cache in the steel locker was a potpourri of gadgetry, disguises and guns. Investigators found a dismantled AK-47 assault weapon, an assault-type shotgun, electronics that can interfere with cell phone frequencies and a list of scanner codes for a variety of California law enforcement agencies. Inside the Lamborghini were three UHF signal jammers for cell phones and two radio signal jammers.

Most troubling of all, though, was the discovery of a full San Francisco Police Department uniform, including a badge and duty belt and some bags, containers and a mask.

“The mask resembled one which was reportedly worn by a suspect or suspects in a series of recent, unsolved bank robberies in Northern California,” stated the report, which was prepared by Marin Sheriff’s Detective Greg Garrett.

The uniform is definitely troubling and likely will bring charges of impersonation. The mask, however, is an odd detail. I leave it to you to figure out why he would store a used mask instead of destroying it, let alone put it with the evidence from other unrelated crimes to make it easy to link them all together.

VMware Security Update: Accelerated Release of Patches

VMware Security has posted an announcement that patches are being made available immediately.

VMware has accelerated the delivery of a set of software patches for specific product releases that may be exposed to increased risk. We encourage all customers to view the following links to determine if appropriate patches are available for products in their environment: http://kb.vmware.com/kb/2019941 and http://www.vmware.com/security/advisories/VMSA-2012-0009.html.

For example, ESXi 5.0 P3 has a Security Patch Needed.

Apply security patch available at http://www.vmware.com/patchmgr/download.portal under Bulletin ESXi500-201205401-SG.

That patch has the following explanations:

Due to a flaw in the handling of NFS traffic, it is possible to overwrite memory. This vulnerability may allow a user with access to the network to execute code on the ESXi/ESX host without authentication. The issue is not present in cases where there is no NFS traffic.

[…]

Due to a flaw in the virtual floppy configuration it is possible to perform an out-of-bounds memory write. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

[…]

Due to a flaw in the SCSI device registration it is possible to perform an unchecked write into memory. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host.

Their announcement also has a FAQ with reference to recent events:

In light of the current circumstances, we have accelerated our most recent security patches and applied them to all affected currently supported products.

500px Terms of Service

500px is a photo sharing site with an interesting approach to a terms of service (TOS) page. On the left side they have a bunch of legal language.

Content Submitted Or Made Available For Inclusion On The Service

Please read this section carefully before posting, uploading, or otherwise submitting any Content to the site. By submitting content to the site you are granting 500px a worldwide, non exclusive license to use the content and are representing and warranting to 500px that the content is owned or duly licensed by you, and that 500px is free to publish, distribute and use the content as hereinafter provided for without obtaining permission or license from any third party…

Yada, yada, and then on the right they say this:

Basically, Your photos will preserve whatever copyright they had before uploading to this site. We will protect the copyright and will not sell your photos without your permission.

Under the store section they give this concluding sentence:

Your photos will be kept safe.

Safe? That is bold. I would understand if they said they would do their best or practice diligence but this statement is absolute. Then again, note their summary under Release and Indemnity.

Basically, We are not liable if something goes really wrong.

Uh, ok, really safe.

Survey: 70% Still See Security Barrier to Cloud

A new social network company by Sarah Gates called Wisegate, which bills itself as “a private invitation-only community of senior information technology professionals,” has released survey results that suggest security and compliance remain a barrier to cloud adoption for IT across industries.

When asked if they were moving protected class data into the public cloud, 53% of senior IT practitioners from leading companies in financial services, healthcare, consumer products, automotive, and government agencies said that the “cloud was too risky and they have no near term plans” to adopt cloud for such applications. Quite a few members reported that government or industry regulations (such as HIPAA or Sarbanes-Oxley) prevent them from adopting cloud-based applications.

Quite a few? What percentage is that?

A survey brief is available online from Wisegate but it has few of the usual details like sample size. It also shows some inconsistencies with the press release.

When it comes to moving to cloud-based applications and services, Wisegate members are most concerned about security. Scott’s first poll shows that 73% of Wisegate members have security as their biggest reservation about moving to cloud-based applications. A second poll from Scott shows that 53% of Wisegate members are addressing this security concern by requiring data classification, virtualization security, and encryption as a key control for moving to cloud.

Encryption as a key control? Funny. That pun was probably unintentional.

The paper from Wisegate emphasises using information from peers to move into cloud. That’s positive. Yet the news, even without the 73% data point, seems to get the opposite story spin. I’d like to see more detail on the 73% breakdown and how the questions were asked. Virtualization security is not mutually exclusive from data classification and encryption. Maybe the obfuscation of data is a sales tactic to get people to join Wisegate.