Category Archives: Security

What’s the Matter with IT in Kansas: Brownback Edition

Earlier this month the Kansas governor joked with reporters about the qualifications necessary to run the state’s IT environment. He was defending his recent appointment.

The governor, a Kansas agriculture secretary from 1986 to 1993, said his technology specialist at that agency did a fine job without a diploma.

“My IT guy was a former meat cutter,” the governor said.

Kansas IT Guys at Work
Gov. Brownback’s “IT guys” prepare the new state backbone

Something tells me his department needs from ’86 to ’93 consisted of two 486s, a shared modem and a dot-matrix printer. I guess what he means is back in the day when a PC would go down his IT guy would shoot a bolt through its CPU, throw it in the grinder, make silicon sandwiches and then order a new one from Compaq. Best IT guy ever.

But seriously, this has been a bad month for Brownback to show he has a clue about technology. First he hires a guy with a dubious resume and then has to accept his resignation. Then he steps into a huge steaming pile of controversy over freedom of expression by trying to shut down the speech of a student his office considered “disrespectful”.

Gov. Sam Brownback apologized Monday for his office’s reaction to a Kansas high school senior’s disparaging tweet about the Republican during a visit to the Statehouse.

I think the flap about control over speech and Twitter is far more illustrative than many people might realize. As a former Kansan I see shades of what has plagued the state in the recent past. This governor looks set to dismantle programs that create long-term value and jobs in order to garner some sweet short-term investments from his business associates and campaign friends. He is in the process of a big sell-out of the state for personal and selfish gain.

Note, for example, the urgency to dismantle public support of the arts and shift it to private interests who will control content, as described in this reader comment in the Topeka Capital-Journal.

Funding the arts in Kansas was a mere 29 cents per person, with a HUGE return on investment. See kansasarts.org for more information. Now we get nothing and our money goes to other states. […] Koch is partly responsible for this agenda item, as they are against public arts funding and donate a lot of private money to the arts. As donors they get to select on what they consider “art”. Don’t forget the David H. Koch Theater (formerly the New York State Theater) in New York. The City Opera now has to move because it can’t afford to stay in such an elaborate building that was created just to have the Koch name on it. Businesses WANT to move to cities that are vibrant and have arts communities. Look at Mars and their criteria for moving to Topeka.

Brownback’s extreme position of zeroing out the arts programs and reinventing them as corporate-backed programs doesn’t make a lot of sense as a move to save money. It mainly impacts avenues of dissent and puts a chill over the state: it drops the quality of education and initiates a brain drain to other states.

If I put Brownback’s public comments together from the three stories I get the image of a leader set to auction public interests to a corporate bidder and shut down what he considers wasteful pursuits, such as quality education and free expression. That’s the real story here. It seems to me that a leader who valued the potential of IT to bring freedom and prosperity to the residents of a state would be far less likely to make such rash decisions.

Alas, for those who think I may be reading too much into the news I submit to you a description by Pat Roberts of Brownback’s Chief of Staff:

The true Machiavelli of Kansas, David Kensinger, our pitbull without lipstick, whose expertise in this new and very different world of political campaigns is unrivaled. David mounted the parapets, waved the flag, fired the first and last shots and led our troops to victory.

There is a good chance that Brownback’s ignorance is a mistake, but there is also a very good chance that it has been very carefully and consciously allowed. I remember well the good-humored but extreme right-wing views of David Kensinger. When I defeated him the one and only time we faced each other in competition I learned he will attempt every subtle trick imaginable; if he intends (or helps) to expand corporate control of government and the dismantling of freedom in Kansas then it will be very hard to stop him.

DK on the job
“Should have played baseball. Too many liberals in politics”

Legal Threats to Security Research

Attrition.org has a list of 23 security researchers who have faced legal threats from vendors since 2000. They offer this analysis/message:

Companies: embrace researchers who are trying to improve the security of your products. Work with them, fix vulnerabilities, and coordinate disclosure. This will go a lot farther toward building customer confidence and help avoid negative publicity.

That number surprises me. Only 23? Given the thousands of security bugs reported each year, and nearly 50,000 catalogued in NIST’s National Vulnerability Database, there must be more threats than that, no?

The Attrition.org site also includes a few counter-examples of “incidents where it was not ‘security research’, but rather activity that was considered a crime by current laws (at the time)” such as installing a keylogger.

BayThreat 2011: Sharpening the Axe

I will be presenting “Sharpening the Axe – How to Chop Down a Cloud” at BayThreat 2011

…the 2nd annual information security conference in the South Bay at The Hacker Dojo, December 9th, 10th & 11th.

My title is in reference to President Abraham Lincoln who was said to have once quipped:

If I had eight hours to chop down a tree, I’d spend six hours sharpening my axe.

The runner-up quote from Lincoln was

If this is coffee, please bring me some tea; but if this is tea, please bring me some coffee

…but I couldn’t figure out how to make it into a full presentation, let alone a title. Perhaps “if this is cloud, please bring me on-premise; but if this is on-premise, please bring me cloud”?

The axe title works fine, though, and also is in reference to Theseus’ paradox, sometimes known as the Ship of Theseus or my grandfather’s axe, which seems appropriate given this year’s badge.

At BayThreat this year, we’re giving attendees circuit board badges. These badges are plain boards to start, but on Sunday we will have a soldering workshop where everyone can work on their badges. We will have kits available for the badge.

The presentation is based on some of the material you will find in my new book soon to be published by Wiley on security in virtual environments. Hope to see you there.


Facebook FAIL: ID mixup leads to lawsuit

In the 1880s an established German company named Merck sent one of its chemists to New York to import its drugs and capitalize on the fast-growing American market. Things went so well that just ten years later the company began looking for ways to avoid high import tariffs by manufacturing drugs in America, and around the turn of the century it expanded operations into the remote and open space of New Jersey.

The company was then caught up in the divisiveness of WWI. German-owned companies on U.S. soil, including Merck, were confiscated and auctioned to American owners. German Merck became a completely separate and distinct entity from the Merck operations in America under the terms of the post-war settlement and the 1919 Treaty of Versailles. After the forced split the American company eventually grew to be much larger than the German Merck.

Fast forward to today’s news. Facebook staff made the extremely awkward, if not completely ignorant, decision to hand the American Merck control over a page set up by the German Merck.

Facebook Inc said on Monday that it made a mistake in letting Merck & Co take over a page on the social networking website from its German rival Merck KGaA.

The takeover prompted an unusual November 21 filing by Merck KGaA with a New York state court.

In it, Merck KGaA sought to force Facebook to explain how it lost the page, www.facebook.com/merck, and the ability to administer it to Merck & Co, a separate company.

[…]

“The transfer of the vanity URL Facebook.com/Merck from Merck KGaA to Merck & Co was due to an administrative error,” Facebook said in a statement. “We apologize for any inconvenience this may have caused.”

To be fair, this issue of impersonation and name collision is one of the most difficult problems in identity management: two distinct parties can each have a legitimate claim to the same name. How many John Smiths are there on Facebook, and what can Facebook really depend upon to distinguish them as unique users? For that matter, which Budweiser brewer is the real one?

More to the point, how can a provider tell a husband’s access from a wife’s, or a parent’s from a child’s? The courts are usually the best answer. If a divorce court rules that the wife gets the shared Facebook account, then Facebook has some justification to act.

This case is odd because Facebook apparently made the decision on its own, without any such authority, to favor the American company over the German one.

Users need assurance that a company like Facebook, entrusted with sensitive data, can handle this kind of situation without making a historic blunder. Merck is lucky to have the legal team and resources to file a formal complaint, but it raises the question of how many similar mistakes are being made at a lower profile. It also raises the question of whether Facebook staff do even the most basic review, or follow a transparent and monitored process, before taking action.
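To make the “basic review” concrete, here is an added example in Python of the control this post is asking for. It is a constructed sketch, not Facebook’s code and not from the original post; the registry, the `Page` and `TransferRequest` types, the account ids and the scenario are all hypothetical. The rule it enforces is simple: a vanity URL changes hands only on consent from an account that currently administers the page or on a recorded court order, a matching company name counts for nothing, and every attempt, granted or refused, lands in an append-only audit trail a reviewer can replay.

```python
"""Hypothetical page-handle transfer check with an audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class Page:
    """A page reachable at a vanity URL such as facebook.com/<handle>."""
    handle: str
    owner_org: str
    admins: Set[str]  # account ids currently allowed to administer the page


@dataclass
class TransferRequest:
    """A request to hand a handle to another organisation."""
    handle: str
    requester: str                      # account id asking for the transfer
    to_org: str
    consent_from: Optional[str] = None  # current admin who signed off, if any
    court_order: Optional[str] = None   # docket reference, if a court ruled


class TransferRefused(Exception):
    pass


class PageRegistry:
    """Handles are reassigned only with authority, and every decision is logged."""

    def __init__(self, pages: List[Page]):
        self.pages: Dict[str, Page] = {p.handle.lower(): p for p in pages}
        self.audit: List[dict] = []  # append-only; never edited or pruned

    def _record(self, req: TransferRequest, decision: str, reason: str) -> None:
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "handle": req.handle.lower(),
            "requester": req.requester,
            "to_org": req.to_org,
            "decision": decision,
            "reason": reason,
        })

    def transfer(self, req: TransferRequest) -> Page:
        page = self.pages.get(req.handle.lower())
        if page is None:
            self._record(req, "refused", "no such handle")
            raise TransferRefused("no such handle")

        # Authority, in order of strength: a court order, or consent from an
        # account that administers the page today. The requesting company's
        # name is never consulted: "Merck" asking for /merck proves nothing.
        if req.court_order:
            reason = "court order " + req.court_order
        elif req.consent_from in page.admins:
            reason = "consent from current admin " + req.consent_from
        else:
            self._record(req, "refused",
                         "no court order and no consent from a current admin")
            raise TransferRefused("requester has no authority over this handle")

        page.owner_org = req.to_org
        page.admins = {req.requester}
        self._record(req, "granted", reason)
        return page

    def refusals(self) -> List[dict]:
        """Refused attempts are what a reviewer should look at first."""
        return [e for e in self.audit if e["decision"] == "refused"]


def demo() -> PageRegistry:
    """Constructed scenario mirroring the post: two unrelated companies, one name."""
    reg = PageRegistry([Page("merck", "Merck KGaA", {"kgaa-admin"})])
    try:  # the American company asks for the handle on the strength of its name
        reg.transfer(TransferRequest("Merck", requester="mrk-admin", to_org="Merck & Co"))
    except TransferRefused:
        pass  # refused, and the attempt is now on record
    # the same request with sign-off from the German company's admin succeeds
    reg.transfer(TransferRequest("merck", requester="mrk-admin", to_org="Merck & Co",
                                 consent_from="kgaa-admin"))
    return reg
```

The point of `refusals()` is that an administrative error of the kind Facebook admitted to should be impossible to make silently: either the request carried authority, in which case the log says whose, or it was refused and the attempt itself is evidence.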