Category Archives: Security

Labor Identity, Controls and Exploitation

A movie called James’ Journey to Jerusalem centers around issues of identity as they relate to economic prosperity and security. The lead actor does a great job bringing the viewer on a path of evolution from missionary to mercenary. Here is the Rotten Tomatoes synopsis.

In the imaginary village of Entshongweni, very far from western civilization, the young James is chosen to undertake a mission–a pilgrimage to holy Jerusalem. But Israel is no longer the Holy Land that James and his people imagined. At the airport, James is suspected of trying to infiltrate the country in order to work illegally. He is jailed and destined for deportation. Inside the dark cell, as James prays to God to allow him to complete his mission, a miracle occurs. A mysterious stranger posts bail for him. But it soon becomes clear that James’ freedom has come at a price–his savior is a manpower agent, who rescues illegal migrant workers in exchange for employing them in hard labor jobs. From then on, James’ journey to Jerusalem turns into an unpredictable journey through the cruel heart of its economic system. With good teachers, a bit of luck and some lateral thinking, James learns the tricks of the game and plays it towards an inevitable end.

A human trafficking story in Al Jazeera just brought this to mind because the accused is an Israeli national.

Last year, Mordechai Orian, the head of the labour firm that had recruited the Thai farm labourers, was arrested and charged in a federal court with forced labour conspiracy.

In lawsuits filed on Tuesday, the EEOC said that Global Horizons Inc, Orian’s Beverly Hills-based company, had recruited the labourers to work on six farms in Hawaii and two in Washington state between 2003 and 2007.

[…]

The EEOC says that the workers were being subjected to fees until they had almost no income left at all.

“They were nickeled and dimed to the point where they really didn’t have any pay,” said Anna Park, regional attorney for the EEOC Los Angeles office.

The EEOC says that some of the workers were forced to live in crowded conditions, and their quarters were infested with rats and insects.

Workers of other nationalities on the same farms were not subject to the same conditions, Park said.

Officials also said that the workers had their passports taken from them, and were threatened with deportation if they complained.

It sounds just like the movie, but with a very different ending.

Exploit Intelligence

Dan Guido’s SOURCE Boston presentation is called Exploit Intelligence.

He suggests that over-emphasis on vulnerabilities, combined with a failure to assess threats, results in poor risk management. With so many vulnerabilities, it is best to prioritize based on threats and focus on the most likely exploits. Put another way, spend your defensive resources on making the known attacks less likely to work, which might mean using controls other than just patching.

This is an old song but still a good one. PCI DSS has tried to push the same message for a couple of years now. But Dan has put some nice data together to illustrate his point and he seems very adamant about change. I particularly liked the part when he said

This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.

They should have started a long time ago. But we also should be careful what we demand from vendors.

If service definitions are left fairly open to interpretation and AV vendors are then forced to offer attacker-capability evaluation (threat analysis, or “kill chain models” if you must call it that), it will probably show up as a new $30/year premium subscription upgrade option with not much else changed.

Oh, wait, he included a “data should be…used effectively” clause. That always works.

UK Surveillance of WWII German POWs Reveals Private Beliefs

There is a fascinating new twist for historians interested in German culture during the Second World War.

When German historian Sönke Neitzel ran across a bundle of documents in Britain’s National Archives in 2001, he could hardly believe his eyes: He had found transcripts of conversations between German soldiers secretly recorded while they were being held as prisoners of war during World War II. These were private conversations between soldiers who didn’t know that a third party was listening to and transcribing their every word.

Their British and American captors had hoped these conversations would provide them with militarily useful information. But they learned little about weapons depots or secret weapons. Most of what the transcripts reveal is what everyday life is like for the foot soldiers in a war, as they fight, kill, and die.

“I’ve developed the need to throw bombs,” reads one passage. “It sends tingles up your spine, it’s an awesome feeling. It’s just as good as shooting someone.”

I am curious if any poetry was found in these transcripts. So far I have not found any mention of it.

The real twist in this story comes when the historian and a psychoanalyst try to portray all war as equally criminal due to the requirement to kill.

According to Neitzel and Welzer, there were without a doubt some committed Nazis among German soldiers during World War II, whose convictions told them that killing Jews was the right thing to do. But these, they say, were in the minority.

They also argue that the acts of violence committed under the Nazi regime were no more violent than those committed anywhere else. They believe that an ideology, such as Nazism, is not the biggest factor that leads to atrocities. Instead, they say, it is a military values system that turns men into murderers.

It sounds like an anti-war argument. Regardless of motive, it fails a simple philosophy sniff test.

First of all, they use the term “minority” to call out “committed Nazis”, so they obviously apply some criterion that distinguishes those soldiers’ values from the others’. This alone shows that not all soldiers are equal-minded in war. From there it is just a matter of finding the right test pattern to identify exceptions to the rule.

Second, they say an ideology is separate and distinct from a military values system. They equate the latter to a job. While it is tempting to accept this analogy, and think of soldiers simply as professional killers, that would be an overly simplistic view of management ethics.

Take butchers, for example. Kosher butchers, Halal butchers…they too are professional killers but their ideology and their value system are not so easily separated. They use concepts and definitions of humane killing. Remove the religious foundation and replace it with health codes or even family traditions and you still will find ideology mixed with values and regulated by management.

Third, military values systems are not all historically equal. Historic comparisons often bring up stark differences in treatment of prisoners, to name one obvious example. The British definitely did not have the most humane military value system in their conflicts but the fact that we can differentiate them at all proves the point.

So Neitzel and Welzer can claim that all killing in war is equally criminal, but that seems to me to be a hypothesis built upon their own views and personal definition(s) of atrocity. Others may approach the topic with the philosophy of finding the differences between self-defense and aggression, for example.

And I suspect that German soldiers serving in Afghanistan today probably resent being linked to the military values system under Nazi rule. Military values across different eras have some things in common but that does not make them equal.

iPhone keeps a database of all your movements

I recently wrote about a German politician who successfully fought to get location data from his mobile provider.

A commenter said mobile devices have to be in constant contact with the provider, so there is bound to be location data. Fair enough, but my hope was to focus on why data is stored and why users are not made aware so they can opt-in or out.

Perhaps the following example will be more clear, as it removes the network and service-model entirely. Last year it was publicly disclosed that the Apple iPhone keeps a record of movement in a local database.

iPhoneTracker is an application that can read the database of locations stored on your iPhone as well as the backups made with iTunes.

You should see something like this:

-rw-r--r-- 00000000 00000000 28082176 1297319654 1297319654 1282888290 (4096c9ec676f2847dc283405900e284a7c815836)RootDomain::Library/Caches/locationd/consolidated.db

That text in brackets just before ‘RootDomain::’ is the name of the actual file on disk that holds the location data. Since it’s an SQLite database file, you can use any standard SQLite browser, I’m using this Firefox plugin:

https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/

Open up the file, choose the ‘CellLocation’ table, and you can browse the tens of thousands of points that it has collected. The most interesting data is the latitude, longitude location and the timestamp. The timestamp shows the time in seconds since January 1st 2001.

Apple is not a provider, and there is no known use of this information (yet). Yet their mobile devices by default store a detailed database of your locations. They even back it up, so anyone can monitor an Apple iPhone user’s movements just by reviewing their iTunes sync data.

Why is Apple collecting this information?

It’s unclear. One guess might be that they have new features in mind that require a history of your location, but that’s pure speculation. The fact that it’s transferred across devices when you restore or migrate is evidence the data-gathering isn’t accidental.

[…]

By passively logging your location without your permission, Apple have made it possible for anyone from a jealous spouse to a private investigator to get a detailed picture of your movements.

I guess the advantage over the German politician is that you don’t have to sue Apple to see your data. The disadvantage is that the privacy laws directed at providers do not apply. You have been tracking yourself, but just didn’t know it.

Apple conveniently left the database unencrypted, for anyone (e.g. a provider) to read and sell. Some of the points may be off because they come from cell-tower triangulation rather than GPS, but I would wager Apple could easily upgrade the accuracy.

I recommend anyone with an iPhone (or iPad) download the application and create their own “What six months of your life looks like to Apple” web page. Even more fun could be to write an application that pollutes the database with exotic location data to show an iPhone going on virtual vacations.

Updated to add: Apple’s name for the location tracking file is “consolidated.db”, the same name as a radical anti-fascist industrial band from the late 1980s. Hat tip to Jeremy Allaire for mentioning them to me. Ha, how far Apple has come since then, when we used to consider ourselves so alternative and secure on a Mac. I’m sure it’s total coincidence; that and the fact that disposableheroesofhiphoprisy.db was far too obvious.