<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4138788</id><updated>2011-10-12T21:56:03.856-05:00</updated><category term='economic security'/><title type='text'>Mostly Security Stories</title><subtitle type='html'>An occasional blog of interesting stories and factoids, mostly about information security in the dark ages of cyberspace -- the present.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://mostlysecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default?start-index=101&amp;max-results=100'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>101</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4138788.post-5725219950303229736</id><published>2011-10-12T21:56:00.000-05:00</published><updated>2011-10-12T21:56:03.927-05:00</updated><title type='text'>Most realistic sci-fi film scene ever</title><content 
type='html'>Watching a rerun on TV and once again marveling at&amp;nbsp;&lt;a href="http://youtu.be/gww3mJoT3hY"&gt;Dr. Floyd's speech&lt;/a&gt; at Clavius in &lt;i&gt;2001: A Space Odyssey&lt;/i&gt;. &amp;nbsp; Classic, timeless bureaucratic detachment. &amp;nbsp;It takes a director with Stanley Kubrick's genius to put something so monstrously boring on the screen.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-5725219950303229736?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5725219950303229736'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5725219950303229736'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#5725219950303229736' title='Most realistic sci-fi film scene ever'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-2970866425001395090</id><published>2011-08-21T01:06:00.000-05:00</published><updated>2011-08-21T01:06:42.609-05:00</updated><title type='text'>The Law of Political Necessity</title><content type='html'>Saw this somewhere, not sure where, but it explains a huge amount of nonsensical political behavior and budget bloat. 
&amp;nbsp;Given an arbitrary crisis:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Something must be done&lt;/li&gt;&lt;li&gt;This is something&lt;/li&gt;&lt;li&gt;Therefore, it must be done&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;See also, "security theater"&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-2970866425001395090?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2970866425001395090'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2970866425001395090'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#2970866425001395090' title='The Law of Political Necessity'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-3025216928779389048</id><published>2011-07-08T19:49:00.000-05:00</published><updated>2011-07-08T19:49:41.091-05:00</updated><title type='text'>Who won the space race?</title><content type='html'>&lt;a href="http://www.foreignpolicy.com/articles/2011/07/07/houston_we_have_a_problem?page=full#.ThekHytrkSY.blogger"&gt;Houston, We Have a Problem - By Joshua E. Keating | Foreign Policy&lt;/a&gt; suggests that Russia "... appears to have prevailed."  But what really catches my attention is the size of the budget numbers.   About $4 billion each for Russia and Europe, about $1.5 billion each for China and India.   Even the private arm of NASA is only about $6 billion.   One of the comments mentions a US military budget of $640 billion.   
In the large company that I work for, it takes a billion dollars just to get an appointment with an Executive VP.    As critical as it is to the national imagination, space is really just a hobby for everyone.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-3025216928779389048?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.foreignpolicy.com/articles/2011/07/07/houston_we_have_a_problem?page=full#.ThekHytrkSY.blogger' title='Who won the space race?'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/3025216928779389048'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/3025216928779389048'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#3025216928779389048' title='Who won the space race?'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-7016333954580879116</id><published>2011-06-29T22:23:00.000-05:00</published><updated>2011-06-29T22:23:53.443-05:00</updated><title type='text'>Whatever happened to stability analysis?</title><content type='html'>&lt;span class="Apple-style-span"&gt;Alejandro Nadal has a very interesting post titled &lt;a href="http://triplecrisis.com/whatever-happened-to-stability-analysis/"&gt;Whatever happened to stability analysis?&lt;/a&gt; which points up the limitations of economic theory.  
"&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 22px; "&gt;Stability is one of the most important aspects of neoclassical theory because it addresses the question of just how the mechanism of free competition in the marketplace actually leads to the formation of equilibrium prices. ... &lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 22px; "&gt;Maintaining ignorance about the limitations of stability theory comes in handy when perpetuating the mythology of market theory.  &lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 22px; "&gt;As Mundell once remarked, stability analysis is the most successful failure of general economic theory. It is also the best example of how an academic community pushes the most serious problems of mainstream theory under the rug and gets away with it. Students should learn to look under the rug. 
&lt;/span&gt;&lt;span class="Apple-style-span"&gt;"&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;Nadal's article includes references to online copies of key papers in the development of stability theory, but access to nearly every one of them is blocked to anyone who doesn't have an academic affiliation or isn't willing to pay more than $30 for a 37-year-old paper that probably cost $0.50 to scan.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-7016333954580879116?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://triplecrisis.com/whatever-happened-to-stability-analysis/' title='Whatever happened to stability analysis?'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7016333954580879116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7016333954580879116'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#7016333954580879116' title='Whatever happened to stability analysis?'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-5639930507799946824</id><published>2011-05-30T14:35:00.000-05:00</published><updated>2011-05-30T14:35:41.576-05:00</updated><title type='text'>Loss Equilibrium</title><content type='html'>The fundamental question of security management is "how much should I spend on security?"&amp;nbsp; There are several approaches to this.&lt;br /&gt;&lt;br /&gt;There's the paranoid approach: "however much security 
you have, it's not enough."&amp;nbsp; This is encouraged by vendors of security products and services, who want you to buy, buy, buy, and don't care if you're spending your money effectively.&amp;nbsp;&amp;nbsp; It's functionally equivalent to the "priceless assets" approach: "if your assets are infinitely&amp;nbsp;valuable, anything less than an infinite amount of spending on security is inadequate."&amp;nbsp; This approach is deeply baked into the security industry due to its origins in military security, where the asset value is the entire country.&lt;br /&gt;&lt;br /&gt;There's the auditor's approach: "for every vulnerability, a control".&amp;nbsp; It assumes that controls are 100% effective, and that breaches can be identified and rolled back if detected.&amp;nbsp; This also creates an ongoing market for security products, since a system with human components and computationally universal inputs (that is, one that accepts documents with macros, JavaScript and active plugins, not to mention stack overflows and command injection vulnerabilities) has an unbounded supply of vulnerabilities for pattern-matching and blocking technologies to protect against.&lt;br /&gt;&lt;br /&gt;Then there's the loss-management approach.&amp;nbsp; This is based on the notion that losses can be predicted, and controls can be assessed for their effectiveness in mitigating those losses.&amp;nbsp; This is the only approach that provides a principled basis for a budget less than "all the money you have".&amp;nbsp; But how do you manage effectiveness in a principled way, when vendors are motivated to tell you "trust me, it really works great!" 
and hide any weaknesses that their product or service may have until it's too late for you?&amp;nbsp; Third party certifications such as Common Criteria protection profiles ensure a baseline of effectiveness, but the CC certification hierarchy doesn't distinguish levels of effectiveness - it distinguishes how much assurance there is that the baseline was achieved.&amp;nbsp; A product certified at EAL4 may be no more effective than one certified at EAL2.&lt;br /&gt;&lt;br /&gt;Assessment of effectiveness is problematic prospectively, but it can be assessed retrospectively: simply add up the losses actually experienced with a given configuration of controls.&amp;nbsp; That is, if you are unable to develop a credible estimate of annual loss expectancy (ALE), use historical data for measured annual losses (MAL): ALE = MAL.&lt;br /&gt;&lt;br /&gt;Now apply the principle of not spending more than the value of the asset to your annual budget.&amp;nbsp; You have observed MAL, so annual security expenses (SE) shouldn't exceed that value: SE &amp;lt;= MAL.&lt;br /&gt;&lt;br /&gt;In an environment where threats &amp;amp; assets cannot be effectively and reliably&amp;nbsp;estimated, security expenses will approach an equilibrium with security losses.&amp;nbsp; This is not good news for participants whose assets are protected only by the laws of macroeconomics, such as consumers in a free-market economy whose personally identifiable information is somewhere out there in the cloud.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-5639930507799946824?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5639930507799946824'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5639930507799946824'/><link rel='alternate' 
type='text/html' href='http://mostlysecurity.blogspot.com/index.html#5639930507799946824' title='Loss Equilibrium'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-60769856884676350</id><published>2011-05-28T12:24:00.000-05:00</published><updated>2011-05-28T12:24:23.046-05:00</updated><title type='text'>Buffalo</title><content type='html'>Thanks to a commenter on Brad Delong's blog.&amp;nbsp;&lt;span class="Apple-style-span" style="color: #000090; font-family: sans-serif; font-size: 12px; line-height: 19px;"&gt;&lt;a href="http://delong.typepad.com/sdj/2011/05/buffalo-buffalo-and-mathematical-induction.html"&gt;Any sequence of the word "buffalo" of length n&amp;gt;1 is a grammatical sentence of English&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="color: #000090; font-family: sans-serif; font-size: 12px; line-height: 19px;"&gt;. 
&amp;nbsp;&amp;nbsp;&lt;/span&gt;I am obligated as a former Oklahoman, where the &lt;a href="https://woolaroc.org/pages/wildlife-preserve"&gt;buffalo&lt;/a&gt; &lt;a href="http://www.nature.org/ourinitiatives/regions/northamerica/unitedstates/oklahoma/explore/bison,-fire-and-the-tallgrass-prairie-preserve.xml"&gt;still&lt;/a&gt; &lt;a href="http://www.okprairie.com/Bison.htm"&gt;roam&lt;/a&gt; in a few places, to point out that they are actually American Bison.&lt;span class="Apple-style-span" style="font-family: sans-serif; font-size: small;"&gt;&lt;span class="Apple-style-span" style="font-size: 12px; line-height: 19px;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-60769856884676350?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/60769856884676350'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/60769856884676350'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#60769856884676350' title='Buffalo'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-3570458994611527104</id><published>2011-05-18T22:03:00.000-05:00</published><updated>2011-05-18T22:03:46.784-05:00</updated><title type='text'>The Paranoid Style in American Politics</title><content type='html'>The Paranoid Style in American Politics&lt;br /&gt;By Richard Hofstadter&lt;br /&gt;Harper’s Magazine, November 1964, pp. 
77-86.&lt;br /&gt;&lt;br /&gt;Hofstadter was a famous professor of political science at the school where I was an undergraduate, though I never took any of his courses.&amp;nbsp; &lt;a href="http://karws.gso.uri.edu/jfk/conspiracy_theory/the_paranoid_mentality/the_paranoid_style.html"&gt;This article&lt;/a&gt; is one of the reasons for his fame.&amp;nbsp; The paranoid style is evident to any careful observer of politics, but this puts it in a broader context.&amp;nbsp;&amp;nbsp; No, you're not imagining it, they really are crazy, and they've been that way for a long time.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-3570458994611527104?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/3570458994611527104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/3570458994611527104'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#3570458994611527104' title='The Paranoid Style in American Politics'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-5522079549600150216</id><published>2011-04-22T16:55:00.000-05:00</published><updated>2011-04-22T16:55:43.012-05:00</updated><title type='text'>Ballistic Risk Management</title><content type='html'>Also known as "manage first, assess someday". &amp;nbsp; Compliance-based paradigms do this -- they just make you do whatever their requirements are, regardless of the actual threats or any unique vulnerabilities or immunities your systems may have. 
&amp;nbsp;So do best-practice or good-practice risk management frameworks. &amp;nbsp;If you do what everybody else is doing, you don't have to look at your own threat or vulnerability environment.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Everyone wants to be special. &amp;nbsp;Except when being special means you might have to do more work to account for those special characteristics. &amp;nbsp; Then you're just like everyone else, right?&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-5522079549600150216?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5522079549600150216'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5522079549600150216'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#5522079549600150216' title='Ballistic Risk Management'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-1908989997697605479</id><published>2011-03-27T13:33:00.000-05:00</published><updated>2011-03-27T13:33:55.134-05:00</updated><title type='text'>Mechanical Universal Turing Machine at last!</title><content type='html'>I don't think this guy Jim in Lancashire fully understands the magnitude  of his accomplishment.&amp;nbsp;&amp;nbsp; As far as I know, nobody has ever built a  finished, functioning, completely mechanical&lt;a href="http://plato.stanford.edu/entries/turing-machine/"&gt; Universal Turing Machine&lt;/a&gt;  before.&amp;nbsp; The math and the plans are part of every computer science  textbook, 
and there have been a number of more or less mechanical Turing  Machines built, often cheating by using a microprocessor or other  electronic components, but they've always been basic TMs, without the  programmability that makes a true computer.&amp;nbsp;&amp;nbsp; And for extra coolness, he  created the state transition table using CNC at the &lt;a href="http://www.fablabmanchester.org/"&gt;Manchester Fab  Lab&lt;/a&gt;.&amp;nbsp;&amp;nbsp;&lt;br /&gt;&lt;br /&gt;Not to mention his fully fabbed &lt;a href="http://en.wikipedia.org/wiki/Rule_110"&gt;Rule 110 cellular automaton&lt;/a&gt;, with  a few parts missing, oops.&amp;nbsp; Rule 110 CA's are also universal, with a nice scandal to go along with their discovery. &lt;br /&gt;&lt;br /&gt;&lt;a class="moz-txt-link-freetext" href="http://srimech.blogspot.com/search/label/turingmachine"&gt;http://srimech.blogspot.com/search/label/turingmachine&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;Reminds me of one of those naive geniuses that pop up regularly in the SF literature.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-1908989997697605479?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1908989997697605479'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1908989997697605479'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#1908989997697605479' title='Mechanical Universal Turing Machine at last!'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-6833089338426051722</id><published>2011-02-21T22:55:00.002-06:00</published><updated>2011-02-21T23:54:51.610-06:00</updated><title type='text'>The road to sustainability: finding it with DE4 models</title><content type='html'>DE4 models are a new paradigm in sustainability modeling; they try to put everything together all at once.  DE4 stands for Dynamic Energy, Economic, Ecological, and Environmental.  The 4 should really be a superscript, but we don't always have that typographical convenience available.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The overall research program is to view sustainability as a giant problem in nonlinear programming.  Nonlinear programming is of course the hard version of linear programming: a mathematical method for maximizing or minimizing a goal, called the "objective function", subject to a set of constraints.  "Objective" in this usage is not in contrast with "subjective", but is used in the sense of "where we're trying to get to".  It's a noun, not an adjective.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The objective function we're interested in achieving is this:&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;sustainable in the sense of lasting at least as long into the future as civilization has extended into the past, some 3000-5000 years.&lt;/li&gt;&lt;li&gt;stopping the decline in biological species diversity.  This can occur either by forestalling the extinction of existing species, or by increasing the rate of appearance of new ones.  Currently we're out of equilibrium by at least 10,000 to one.&lt;/li&gt;&lt;li&gt;Stopping the increase of carbon dioxide in the atmosphere, and secondarily of other pollutants.   The days of "the solution to pollution is dilution" are long gone.  &lt;a href="http://www.stanford.edu/group/efmh/jacobson/"&gt;Mark Z. 
Jacobson&lt;/a&gt;'s GATOR model is an example of the state of the art in this area.&lt;/li&gt;&lt;li&gt;Transformation of the global energy economy to sustainable sources.  Jacobson and Mark Delucci have concluded that it is technically feasible to transform global energy sources to wind, water and solar within 20-40 years.  They are of course wildly optimistic since neither the political will nor the economic resources are available.&lt;/li&gt;&lt;li&gt;Thus integrating economic models into this transformation is necessary.  Things are unlikely to change in ways that are unprofitable; causing economies to collapse by raising taxes to unsustainable levels in order to fund energy projects doesn't do anyone any good.  Cyclic booms and collapses don't count as "sustainable" even if their long-term average is nonzero.&lt;/li&gt;&lt;li&gt;We suspect that it will somehow be necessary to decouple the material economy from the nonmaterial value chain.   Many material resources are bounded, but billionaires cannot personally consume all their wealth; it's just places they don't have time to go to and money they don't have time to spend.   We would like to know whether a level of health and comfort equivalent to a first-world country in the year 2000 is achievable for most everyone in the world using market economies.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Clearly, a brute-force search through this kind of parameter space is computationally infeasible.  So are bottom-up detailed models such as GATOR.   We will need to use top-down approaches based on high level theories and summary data such as that found in David MacKay's "&lt;a href="http://www.withouthotair.com/"&gt;Without Hot Air"&lt;/a&gt; studies.&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Lastly, we don't have time or resources to track all the trends in scientific data management consortia or modeling environments -- that path easily leads to unproductive thrashing.  
We'll use &lt;a href="http://www.scipy.org/"&gt;SciPy&lt;/a&gt; and &lt;a href="http://www.json.org/"&gt;JSON&lt;/a&gt;, and see where that takes us.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-6833089338426051722?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/6833089338426051722'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/6833089338426051722'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#6833089338426051722' title='The road to sustainability: finding it with DE4 models'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-3605826774528293789</id><published>2011-02-21T22:33:00.001-06:00</published><updated>2011-02-21T22:36:46.337-06:00</updated><title type='text'>dead media: the uncensored internet</title><content type='html'>Stealing Bruce Sterling's&lt;a href="http://www.wired.com/beyond_the_beyond/"&gt; journalistic beat&lt;/a&gt; for a moment -- noticing once again how the walled gardens seem to be winning.  
Not only the national enclaves in the Mideast, which simply shut down the state-run ISP if the rulers don't have the sophistication shown by the Great Firewall of China (Arbor Networks has a neat chart at &lt;a href="http://asert.arbornetworks.com/2011/02/middle-east-internet-scorecard-february-12-%E2%80%93-20/"&gt;http://asert.arbornetworks.com/2011/02/middle-east-internet-scorecard-february-12-%E2%80%93-20/&lt;/a&gt;), anonymizing proxies notwithstanding, but also the corporate enclaves that were always there in dumb cellphones, now expanding to smartphones with Apple not allowing any apps that don't use Apple's subscription service, and other app store censoring incidents.  Not to mention the RIAA lawsuits, the demise of Pirate Bay, and the net neutrality debate.  Whatever happened to Gilmore's Law ("the Net interprets censorship as damage and routes around it")?  Gilmore himself seems to be on both sides of the fence, see &lt;a href="http://www.newswireless.net/index.cfm/article/8811"&gt;http://www.newswireless.net/index.cfm/article/8811&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-3605826774528293789?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/3605826774528293789'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/3605826774528293789'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#3605826774528293789' title='dead media: the uncensored internet'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-1456358311306258427</id><published>2010-12-20T16:43:00.002-06:00</published><updated>2010-12-20T16:54:16.522-06:00</updated><title type='text'>Bozo the Clown's telephone number</title><content type='html'>For some unaccountable reason, while I was reading the comment thread for &lt;a href="http://www.wunderground.com/blog/JeffMasters/article.html"&gt;Jeff Masters' blog&lt;/a&gt; at the Weather Underground, this number came to me:&lt;br /&gt;&lt;br /&gt;Fiddledeedee 555-5555-55555-5552.   That's fifteen 5's and a two.&lt;br /&gt;&lt;br /&gt;I think it must be related to an observation that many weather prognosticators' and climate change skeptics' declarations cannot be distinguished from the results of numerological computations on facts about clowns.&lt;br /&gt;&lt;br /&gt;Masters' writings of course are the very antithesis of this approach -- they're as scientific, coherent and data-based as it is possible to get.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-1456358311306258427?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1456358311306258427'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1456358311306258427'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#1456358311306258427' title='Bozo the Clown&apos;s telephone number'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-9144962280706300503</id><published>2010-10-15T21:53:00.003-05:00</published><updated>2010-10-17T10:59:21.662-05:00</updated><title type='text'>Analogy of the day...</title><content type='html'>Macroeconomics is like climatology. A discipline with a core of practitioners who are seriously trying to be scientific, but which is profoundly hampered by the impact of its predictions on public policy. To the politically-minded, whether the prediction is true or not doesn't matter, only whether it agrees with the party line. That is, the political approach is to use "outcomes-based reasoning" which doesn't need to be self-consistent or significantly reality-based. Believe it or don't.&lt;br /&gt;&lt;br /&gt;The New York Times doesn't.  &lt;a href="http://www.nytimes.com/2010/10/17/weekinreview/17segal.html"&gt;An article by David Segal &lt;/a&gt;concludes that economics isn't really trying to be successful -- people are just too complicated.  He quotes Duke University professor and specialist in behavioral economics Dan Ariely, who says "...the economy is a hugely complex problem. 
So we either simplify the problem and offer a solution, or embrace the complexity and do nothing.”   Or as I say sarcastically, "if at first you don't succeed, give up."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-9144962280706300503?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/9144962280706300503'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/9144962280706300503'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#9144962280706300503' title='Analogy of the day...'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-2547797733522245826</id><published>2010-10-10T20:57:00.003-05:00</published><updated>2011-04-22T16:58:32.758-05:00</updated><title type='text'>Amateurs study cryptography, professionals study economics -- true experts study accounting</title><content type='html'>The original slogan is "amateurs study cryptography, professionals study economics" -- it is the security version of the "amateurs study X, professionals study Y" pattern.   
The most famous one is "when amateur generals talk about military affairs over a few drinks, they discuss strategy and tactics; when real generals talk about military affairs over a few drinks, they discuss doctrine and logistics", but that topic is for a different post.&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Adam Shostack and Andrew Stewart, in their valuable book &lt;i&gt;&lt;a href="http://www.amazon.com/New-School-Information-Security/dp/0321502787/ref=sr_1_1?ie=UTF8&amp;amp;qid=1286763066&amp;amp;sr=8-1"&gt;The New School of Information Security&lt;/a&gt;&lt;/i&gt;, tracked the original version down to a short &lt;a href="http://webpages.charter.net/allanms/2004/07/instant-immortality.html"&gt;blog post&lt;/a&gt; by Alan Schiffman in 2004.  But the economics of security, which is now a well-established subfield, is a topic for a different post, too.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It should be self-evident that it doesn't make sense to spend more money securing an asset than the asset itself is worth.  But how do you know how much an asset is worth?  That's accounting.  Accounting for information assets is hard, not least because information security professionals often sit in a part of the organization that has no access to the business information that ostensibly captures the value of each company asset.  If the company is a public one, its regular shareholder statements contain a balance sheet that lists the totals, but the breakdown of the components that go into those totals is often a closely held executive secret.  
It's also hard because a company's information systems are deeply involved in the creation and securing of intangible values like intellectual property and brand value.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The folks at Risk Management Insight, one of the most experienced, insightful and methodical teams of risk analysts around, have posted a &lt;a href="http://riskmanagementinsight.com/riskanalysis/?p=817"&gt;blog entry&lt;/a&gt; on how they still are pretty clueless after all these years.  They know that looking at losses is one way to force people to think carefully about value, but they haven't yet gotten to the point of relating these losses to &lt;a href="http://www.fasab.gov/accepted.html"&gt;Generally Accepted Accounting Principles&lt;/a&gt; that their management is obligated to use to compute the balance sheet.  Lots of opportunity for research remaining...&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-2547797733522245826?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2547797733522245826'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2547797733522245826'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#2547797733522245826' title='Amateurs study cryptography, professionals study economics -- true experts study accounting'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-4619267108828099300</id><published>2010-10-02T22:28:00.002-05:00</published><updated>2010-10-02T22:35:47.180-05:00</updated><title type='text'>Cyber Attack Threat Map</title><content type='html'>I'm only 4 months late mentioning it, but SANS has published the 2010 edition of &lt;a href="http://www.sans.org/whatworks/20-critical-controls-poster-062010.pdf"&gt;their threat taxonomy&lt;/a&gt; poster.  Now, how do you add them all up to find out the magnitude, intensity, and skill level of the total threat barrage that's being thrown at your systems?   As far as I know, nobody has any method that's even internally self-consistent, much less capable of encompassing the complexity of the combinations that these pose against an enterprise of any significance.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-4619267108828099300?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/4619267108828099300'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/4619267108828099300'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#4619267108828099300' title='Cyber Attack Threat Map'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-8274178346999760533</id><published>2010-09-28T21:49:00.002-05:00</published><updated>2010-09-28T22:06:04.955-05:00</updated><title type='text'>Security is a wicked problem</title><content 
type='html'>Tractable, intractable; easy, hard; well-posed, ill-posed; &lt;i&gt;tame, wicked&lt;/i&gt;.  A classic paper by Horst Rittel and Melvin Webber (1973), titled &lt;i&gt;&lt;a href="http://www.uctc.net/mwebber/Rittel+Webber+Dilemmas+General_Theory_of_Planning.pdf"&gt;Dilemmas in a general theory of planning&lt;/a&gt;&lt;/i&gt; first articulated the distinction. Tame problems have a clear, singular goal, and they have answers that can be recognized definitively when they appear.  Nobody may know how to prove P ~= NP, but it will be very clear when the answer is known.  Wicked problems don't have either of these properties.  Nobody can give a good answer to the perennial question "is my organization secure?" or even its more realistic formulation "is my organization secure &lt;i&gt;enough&lt;/i&gt;?"  But we keep plugging away, because the alternative is to accept chaos and destruction.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-8274178346999760533?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8274178346999760533'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8274178346999760533'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#8274178346999760533' title='Security is a wicked problem'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-2970282047096251876</id><published>2010-09-06T21:01:00.002-05:00</published><updated>2010-09-06T21:57:58.493-05:00</updated><title type='text'>Atlas Shrugged 
- nothing happened</title><content type='html'>That's because the world is holding itself up, and Atlas was under delusions of essentiality.  I recently reread Ayn Rand's famous novel, and found myself remarking how empty all these characters really are.  The essential observation is that all the "heroic" characters are basically childless orphans.  This is only possible because they have a philosophy of life that is disconnected from the fact that they are biological organisms descended from ancestors who took care of their children without regard for the payback those children might provide to them.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;These characters' philosophy of money is also defective.  Money has no intrinsic value; it only acquires value when it is used as an intermediary in transactions.  They scorn people who obtain wealth without earning it, yet the miner who picked gold up out of a stream in California or Alaska had done nothing to earn it.   The acquisition of gold without work is of course why there were gold rushes in 1849 and 1889.   Money whose value is based on some material object is subject to supply and demand just like any other commodity.  The whole point of money is that it can be used to buy anything, and in order to make it applicable to anything, money has to be a virtual object whose value is kept constant by fiat.   In normal times, when people's work adds value to a product, it creates more value in the world, and that value has to be matched by the creation of an equivalent amount of money.  If no new money is created, there is less money to go around than the value in circulation, and the money itself becomes more valuable, i.e. deflation occurs.  
When a very productive society creates value faster than some material carrier such as gold or silver can be dug out of the ground and refined, people who have stored the accumulated value of their past work in that carrier lose some of their value, which is unfair to them and bad for society as a whole.   "Gold bugs" who insist that "fiat money" is somehow evil cannot follow this logic.   My best explanation for them is that they have not fully advanced to a stage of cognitive development that is able to understand abstract concepts.  If they can't hold it in their hands, it's not real.  Unfortunately this class of people constitutes a very large fraction of mankind, including of course Ayn Rand and all the characters in her novels.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The third conceit in&lt;i&gt; Atlas Shrugged&lt;/i&gt; is that there are just a few honest, productive people in the world.  This is not a new concept; we've had it around since the Greek myth of Diogenes wandering the land with a lantern trying to find someone, anyone with an honest face.  It only works in Rand's novel because John Galt is literally a &lt;i&gt;deus ex machina&lt;/i&gt;, whose magical motor could solve the world's problems if only he could be convinced of the worthiness of the people upon whom his beneficence would be bestowed.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The fundamental fact of systems governed by natural selection, including economic systems, is that &lt;i&gt;they grow by themselves&lt;/i&gt;.  There aren't any secret cabals of rulers, financial or engineering, who can be taken away and the system will suddenly and catastrophically collapse.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Nobody is in charge of the global economy.  This is very hard for some people to take.  
If it's not their own father who was in charge of the family's lives for many years, it's their paternalistic boss, or their governmental head, or a heavenly father who guides all things.   &lt;i&gt;Atlas Shrugged&lt;/i&gt; asserts that it's a few competent industrialists in a 1930's era economy: a miner, an oilman, a steel mill owner, a railroad manager, a banker (what?  Bankers count as productive citizens?), a judge, a philosopher, and over them all, a superhuman inventor who disdainfully repairs the very electronic torture machine that is being used to coerce him into running the country.   It's an entertaining, if tortuously lengthy story.  Woe betide him who takes it seriously.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-2970282047096251876?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2970282047096251876'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2970282047096251876'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#2970282047096251876' title='Atlas Shrugged - nothing happened'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-949461185814972949</id><published>2010-09-04T10:55:00.002-05:00</published><updated>2010-09-04T11:16:51.422-05:00</updated><title type='text'>The logic of denialism</title><content type='html'>I was discussing climate change denialism with some colleagues at work and realized the following list of excuses works for about any topic.  
It's commonly used by defense lawyers in cases of corporate wrongdoing, but I've never seen it briefly summarized.&lt;br /&gt;&lt;div&gt;&lt;ol&gt;&lt;li&gt;it never happened&lt;/li&gt;&lt;li&gt;even if it happened in the past, it's not happening now&lt;/li&gt;&lt;li&gt;even if it's happening now, it's not due to anything we did&lt;/li&gt;&lt;li&gt;even if it is due to something we did there's nothing that can be done about it&lt;/li&gt;&lt;li&gt;even if there's something that can be done about it, it shouldn't be done for other reasons&lt;/li&gt;&lt;li&gt;even if it is due to something we did, it wasn't with malicious intentions and we shouldn't be held responsible&lt;/li&gt;&lt;li&gt;even if something should be done, we shouldn't have to pay, somebody else should&lt;/li&gt;&lt;li&gt;even if we ought to pay for the fix, paying will consume all of our profits and we'll go bankrupt and then somebody else will have to pay anyway&lt;/li&gt;&lt;li&gt;even if we won't go bankrupt, our profits will be reduced, and this is bad for the country if not for the world&lt;/li&gt;&lt;li&gt;solving the problem is revenue-neutral, we could get a lot of good press and "brand reputation" if we fixed it&lt;/li&gt;&lt;li&gt;hey, we could increase our profits if we really fixed this problem&lt;/li&gt;&lt;/ol&gt;&lt;div&gt;My perception is that the denialist side of the global climate change argument is at stage 3 or 4, while the environmentalist side is mostly at stage 10, and thinks that's good enough.  
It leads to a value of perception over reality and  a lot of "greenwashing" marketing of cosmetic changes that don't actually affect the real problem.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-949461185814972949?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/949461185814972949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/949461185814972949'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#949461185814972949' title='The logic of denialism'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-6851480678364109658</id><published>2010-07-24T11:12:00.005-05:00</published><updated>2010-07-31T00:00:02.153-05:00</updated><title type='text'>The pending carbon regulations</title><content type='html'>Environmental politics pundits are all sad about how&lt;a href="http://thebreakthrough.org/blog/2010/07/time_to_bury_cap_and_trade_and.shtml"&gt; Congress isn't going to work on CO2-limitation legislation&lt;/a&gt; for awhile.  I think they need to go back to their childhood fables and reread the story of &lt;a href="http://americanfolklore.net/folklore/2010/07/brer_rabbit_meets_a_tar_baby.html"&gt;Brer Rabbit and the Tar Baby&lt;/a&gt;.  Republicans think they've caught this legislation in a Tar Baby of obstruction and filibusters.  Now the Obama Administration is getting thrown into the briar patch of EPA regulations.  
&lt;span style="font-style:italic;"&gt;Foreign Policy's&lt;/span&gt; Steve Levine has gotten an administration official to &lt;a href="http://oilandglory.foreignpolicy.com/posts/2010/07/23/so_whats_plan_b_an_obama_official_explains"&gt;explain the bureaucratic strategy&lt;/a&gt;, but he doesn't make the connection.&lt;br /&gt;&lt;br /&gt;When the EPA first made its finding that the climate impact of anthropogenic CO2 and 5 other greenhouse gases endangers the health of U.S. citizens (the "CAA endangerment finding"), the Obama administration made it clear that if Congress didn't produce legislation, the EPA would act unilaterally.  No deficit-reducing taxes, no free-market cap and trade framework, simply a flat limit on emissions, just like benzene, ozone and other pollutants.  "Please don't throw me into the briar patch!"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-6851480678364109658?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/6851480678364109658'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/6851480678364109658'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#6851480678364109658' title='The pending carbon regulations'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-7229001784412947300</id><published>2009-12-11T00:15:00.002-06:00</published><updated>2009-12-11T00:49:52.643-06:00</updated><title type='text'>ODBC password encryption</title><content type='html'>A colleague recently reminded me 
of a fact that shows once again how dark these cybersecurity ages are.  &lt;a href="http://en.wikipedia.org/wiki/Odbc"&gt;ODBC &lt;/a&gt;password encryption is an oxymoron -- the ODBC specification defines an API, not a wire protocol, so it mandates no encryption at all, and whatever protection a password gets on the network comes from the individual driver and the DBMS's native protocol, if it comes at all.  Here's what a widely reprinted FAQ answer states:&lt;br /&gt;&lt;blockquote&gt;How secure is ODBC?&lt;br /&gt;&lt;br /&gt;Any ODBC sniffer will be able to trace everything from an ODBC perspective. This includes data, usernames, passwords etc. However, if you are using an ODBC driver that provides encryption, you can increase your level of security.&lt;br /&gt;&lt;br /&gt;Since any front-end tool can effectively connect to and modify your databases, you need to enforce security at the server level.&lt;br /&gt;&lt;br /&gt;On the other hand, if you use TCP/IP, ODBC security should be the least of your concerns! &lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;It should be massively embarrassing to every security professional that the basic rule of never transmitting or storing passwords in clear text still has no standard, default implementation even now, many years after the first ODBC specification was published in 1992.  That ODBC is really an API and not a network protocol, and that it was created for a non-networked environment where communication between the client process and the DBMS took place inside the system's interprocess communication framework, via OS traps using shared memory or intrasystem messages where security can be rigorously enforced, rather than the modern environment where database client and server processes run on different computers with an open, possibly hostile network in between, is not really an excuse.  Vendors have had seventeen years to work this out!&lt;br /&gt;&lt;br /&gt;Some ODBC drivers do support SSL/TLS session encryption, and if you encrypt the whole session, the password is encrypted along with everything else.  But that protection exists only when the connection string or DSN actually asks for it, and it only stops an interposed attacker when the driver also verifies the server's certificate.  Passwords should never travel or rest in the clear: in transit they belong inside an encrypted channel or a challenge-response exchange, and at rest they belong in a salted hash rather than an "encrypted" field that the server can decrypt.  
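&lt;br /&gt;&lt;br /&gt;Here is an added example, not code from this post or from any ODBC vendor, that parses ODBC connection strings and flags the ones whose login would be exposed: a password embedded in the string at all, a string that requests no transport encryption, or one that encrypts the channel but skips checking the server's certificate.  The driver keywords it understands (Encrypt and TrustServerCertificate for the Microsoft SQL Server driver, SSLmode for psqlODBC and MySQL Connector/ODBC) are assumptions taken from those drivers' documentation, and the sample strings, hosts and credentials are constructed for the example.&lt;br /&gt;

```python
"""Audit ODBC connection strings for logins that would be exposed.
Added example for this post, not code from the page or any ODBC vendor; the
driver keyword tables are assumptions from vendor docs, verify them locally."""

SECRET_KEYS = {"pwd", "password"}        # ODBC keywords are case-insensitive
# Assumed encryption keywords: Encrypt=yes|true|strict (Microsoft ODBC Driver
# for SQL Server), SSLmode=require|verify-ca|verify-full (psqlODBC),
# SSLMODE=REQUIRED|VERIFY_CA|VERIFY_IDENTITY (MySQL Connector/ODBC 8).
ENCRYPT_VALUES = {"yes", "true", "strict"}
SSLMODE_ENCRYPTED = {"require", "required", "verify-ca", "verify_ca",
                     "verify-full", "verify_identity"}
SSLMODE_VERIFIED = {"verify-full", "verify_identity"}   # also checks the host name


def parse_connection_string(conn_str):
    """Parse 'key=value;key={v;alue};...' into a dict with lower-cased keys.
    A brace-quoted value may contain ';'; a literal '}' inside braces is '}}'."""
    pairs = {}
    i, n = 0, len(conn_str)
    while n > i:
        while n > i and conn_str[i] in "; \t\r\n":          # skip separators
            i += 1
        if i >= n:
            break
        eq = conn_str.find("=", i)
        if eq == -1:
            raise ValueError("keyword without '=' at offset %d" % i)
        key = conn_str[i:eq].strip().lower()
        i = eq + 1
        while n > i and conn_str[i] == " ":
            i += 1
        if n > i and conn_str[i] == "{":                     # brace-quoted value
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError("unterminated '{' in value of %r" % key)
                ch = conn_str[i]
                if ch == "}" and n > i + 1 and conn_str[i + 1] == "}":
                    buf.append("}")                          # escaped close brace
                    i += 2
                elif ch == "}":
                    i += 1                                   # real close brace
                    break
                else:
                    buf.append(ch)
                    i += 1
            value = "".join(buf)
            semi = conn_str.find(";", i)
        else:                                                # bare value up to ';'
            semi = conn_str.find(";", i)
            value = conn_str[i:(n if semi == -1 else semi)].strip()
        i = n if semi == -1 else semi + 1
        pairs[key] = value
    return pairs


def audit(conn_str):
    """Report what a connection string exposes about the login credential."""
    kv = parse_connection_string(conn_str)
    has_secret = any(kv.get(k, "") != "" for k in SECRET_KEYS)
    integrated = kv.get("trusted_connection", "").lower() in {"yes", "true"}
    encrypted = verifies = False
    enc = kv.get("encrypt", "").lower()
    if enc in ENCRYPT_VALUES:
        encrypted = True
        trust_any = kv.get("trustservercertificate", "no").lower() in {"yes", "true"}
        verifies = enc == "strict" or not trust_any        # strict always validates
    ssl = kv.get("sslmode", "").lower()
    if ssl in SSLMODE_ENCRYPTED:
        encrypted, verifies = True, ssl in SSLMODE_VERIFIED
    findings = []
    if has_secret:
        findings.append("password embedded in the string: readable by anyone who can read the DSN or config")
    if has_secret and not encrypted:
        findings.append("no transport encryption requested: whether the password crosses the wire in the clear depends entirely on the driver's protocol")
    if encrypted and not verifies:
        findings.append("channel encrypted but server not authenticated: an interposed host can terminate TLS and read the login")
    if not has_secret and not integrated:
        findings.append("no credential in the string: confirm it is supplied at runtime, not hard-coded elsewhere")
    return {"cleartext_password": has_secret, "encrypted": encrypted,
            "verifies_server": verifies, "findings": findings}


# Constructed samples; hosts and credentials are made up for this example.
MSSQL = "Driver={ODBC Driver 17 for SQL Server};Server=db.example.internal;Database=payroll;"
SAMPLES = {
    "sqlserver_plain": MSSQL + "UID=app;PWD=hunter2",
    "sqlserver_trust_any": MSSQL + "UID=app;PWD=hunter2;Encrypt=yes;TrustServerCertificate=yes",
    "sqlserver_verified": MSSQL + "UID=app;PWD=hunter2;Encrypt=yes;TrustServerCertificate=no",
    "sqlserver_integrated": MSSQL + "Trusted_Connection=yes;Encrypt=yes",
    "postgres_verified": "Driver={PostgreSQL Unicode};Servername=pg.example.internal;"
                         "Database=payroll;UID=app;PWD={p;ss}}word};SSLmode=verify-full",
}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        r = audit(s)
        print(name, r["cleartext_password"], r["encrypted"], r["verifies_server"], r["findings"])
```

A connection string can only tell you what was requested, not what the driver actually does on the wire.  The check that settles the question raised in this post is a packet capture of the login from a client using the weak string, and then again with Encrypt=yes and TrustServerCertificate=no; the audit just tells you which DSNs to capture first.&lt;br /&gt;&lt;br /&gt;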
If every OS was able to figure this out decades ago, DBMS products should be able to figure it out, too.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-7229001784412947300?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7229001784412947300'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7229001784412947300'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#7229001784412947300' title='ODBC password encryption'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-8252327971408005715</id><published>2009-12-07T00:06:00.002-06:00</published><updated>2009-12-07T00:18:01.561-06:00</updated><title type='text'>Hydrogen-compressed natural gas blends</title><content type='html'>It turns out that the name for blends of hydrogen and methane that I used in a previous post is already trademarked by &lt;a href="http://www.hythane.com/index.php"&gt;The Hythane Company LLC&lt;/a&gt;, and is specific to a blend of 20% hydrogen and 80% methane.&lt;br /&gt;&lt;br /&gt;While ownership of the name is good for that company, it's bad for the industry, which has to use some other, less felicitous term, such as &lt;a href="http://www.afdc.energy.gov/afdc/fuels/hydrogen_blends.html"&gt;HCNG&lt;/a&gt;, which is used by NREL.  
DOE’s &lt;a href="http://avt.inel.gov/"&gt;Advanced Vehicle Testing Activity&lt;/a&gt; (AVTA) spells it &lt;a href="http://avt.inel.gov/hydrogen.html"&gt;H/CNG&lt;/a&gt;, and has vehicles using 15%, 30%, 50% and 100% hydrogen.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-8252327971408005715?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8252327971408005715'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8252327971408005715'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#8252327971408005715' title='Hydrogen-compressed natural gas blends'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-3192651214837714621</id><published>2009-11-29T19:09:00.002-06:00</published><updated>2009-11-29T19:51:24.121-06:00</updated><title type='text'>Academic research in security - misguided again</title><content type='html'>&lt;p&gt;A few weeks ago, &lt;i&gt;Science&lt;/i&gt; magazine, one of the most prestigious general-readership journals (if you can call a polymath scientist a "general reader") published a short article in its perspective section by two of the most eminent computer engineering researchers in the US, William Wulf and Anita Jones, about computer security, titled "&lt;a href="http://www.sciencemag.org/cgi/content/summary/sci;326/5955/943?maxtoshow=&amp;amp;HITS=10&amp;amp;hits=10&amp;amp;RESULTFORMAT=&amp;amp;fulltext=wulf&amp;amp;searchid=1&amp;amp;FIRSTINDEX=0&amp;amp;resourcetype=HWCIT"&gt;Reflections 
on Cybersecurity&lt;/a&gt;".  Their summary is almost accurate: "Cyberspace is less secure than it was 40 years ago. That is not to say that no progress has been made—cryptography is much better, for example. But more vital information is accessible on networked computers, and the consequences of intrusion can therefore be much higher. A fresh approach is needed if the situation is to improve materially."  And their discussion, behind a membership barrier or a typically outrageous $15.00/day per article pay-per-view fee, is generally correct.  They list a number of ways that security goes wrong even with the best designs and the best methods.&lt;/p&gt;&lt;p&gt;Their error is in their conclusion, that public key cryptography is the miracle cure: "we conjecture that by providing just a way of accessing the public key of an object, one could build an arbitrary end-to-end security policy."  Yes, you can probably build an arbitrary end-to-end security policy, but in my experience with public key infrastructures, it will be intractably complex, in the technical sense of being NP-hard to administer in all but trivial usage structures.  This is the same kind of error that occurs in real life with &lt;a href="http://csrc.nist.gov/rbac/"&gt;role-based access control&lt;/a&gt; schemes: for naturally occurring organizations rather than artificial examples, you quickly end up with more roles than people, and the system, though elegant, costs more to operate and administer than the messy environment that you started with.&lt;/p&gt;&lt;p&gt;Any system with crystalline simplicity such as the one that Wulf and Jones are looking for will have the brittleness of crystals, too.  Strike it at just the right angle and it will fail disastrously. They have failed to recognize the key design decision by Tim Berners-Lee that made the World Wide Web scale so remarkably.   
Unlike nearly all previous hypertext systems, the WWW does not automatically create backlinks with every forward link, and it doesn't automatically update links when their targets change or go away completely.   The Web expects errors and deals with them routinely.   Even the very advanced semantic web, which is otherwise little more than a type system for XML objects, expects to see uncomputable type specifications and deals with them routinely.&lt;/p&gt;&lt;p&gt;If academic researchers want to make significant advances in security, they need to come to grips with the notion of "robustness" and not confuse it with "simplicity".  The two are related, in that simple systems are often easy to make robust, but they are not the same.   Two of the most robust systems we understand, the immune system and the behavioral programming of the nervous system, are also among the most complex systems known.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-3192651214837714621?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/3192651214837714621'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/3192651214837714621'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#3192651214837714621' title='Academic research in security - misguided again'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-7840183252551277454</id><published>2009-10-23T12:02:00.003-05:00</published><updated>2009-10-24T14:52:17.618-05:00</updated><title type='text'>Why economists should be opposed to nuclear power</title><content type='html'>Because the external costs are outrageously high.  Not only for nuclear, but for lots of other energy technologies, too.&lt;br /&gt;&lt;p&gt;No principled economist should be for nuclear energy, because its costs are dominated by serious aspects with &lt;span style="font-style: italic;"&gt;extremely&lt;/span&gt; long tailed statistical distributions. Unlike chemicals such as PCBs where the cost of projects such as the cleanup of sediments in the Hudson River is merely unimaginably huge, there has never been a cleanup of a nuclear site so successful that it’s now suitable for residential use. &lt;/p&gt; &lt;p&gt;Other chemical disasters also have infinite costs — consider the permanent loss of the entire town of Times Beach, Missouri due to dioxin contamination. It’s also true that the costs associated with coal tailings and other mining wastes have equally long tails. Picher, Oklahoma is being abandoned due to mountains of toxic lead and zinc mine tailings that cannot be cleaned up at a cost less than the total value of the town.&lt;/p&gt; &lt;p&gt;We cannot base a permanent energy economy on extraction-based activities that cause progressive, permanent damage to the environment — sooner or later we’ll end up with &lt;span style="font-style: italic;"&gt;all &lt;/span&gt;of the environment contaminated, and we’ll have no good places left for ourselves. If you like nuclear energy, we already have a wonderful source of fusion energy that produces far more power than we’ve been able to capture so far, and it keeps its waste to itself, at a safe distance of 93 million miles. 
Photovoltaic, solar thermal, wind, hydro, and wave energy produce no toxic waste needing cleanup after the plants have completed their lifespans. Not to mention photolysis of water to produce hydrogen, which holds the promise of a chemical fuel made in home power plants for people who have an emotional need for a viciously roaring internal combustion engine in their car rather than a meekly quiet electric motor. But solar hydrogen technology is much less far along than the other renewables.&lt;/p&gt; &lt;p&gt;Natural gas is a useful low-carbon fuel, but it can only be a transitional stage to a fully sustainable energy economy.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-7840183252551277454?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7840183252551277454'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7840183252551277454'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#7840183252551277454' title='Why economists should be opposed to nuclear power'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-123529647561323831</id><published>2009-09-15T08:09:00.003-05:00</published><updated>2009-09-15T08:35:05.299-05:00</updated><title type='text'>Path to a hydrogen-based energy economy</title><content type='html'>It's all about aligning supply and demand.&lt;br /&gt;&lt;br /&gt;The U.S. 
Energy Secretary, Steven Chu, has put the government on a path to a renewable, carbon-free energy ecosystem that is based on electricity and battery storage for stationary and short-distance transportation, and biofuels for long-distance transportation.  This is a perfectly valid path but it's not the only one.&lt;br /&gt;&lt;br /&gt;H.R.1622 was passed unanimously by the House and referred to the Senate Energy Committee on July 21.  This bill directs the Energy Secretary to implement a 5-year program to enhance the capabilities of Natural Gas Vehicles (NGV) in 12 areas, including fuel storage, fueling stations and NGV-electric hybrids.  These capabilities are a necessary next step, but they don't provide the big picture that gets us to where we need to go.   Here's a sketch of a path that does.  There's a lot more to this picture than there is space for here.  The &lt;a href="http://nrel.gov/"&gt;National Renewable Energy Laboratory&lt;/a&gt; has done a lot of heavy lifting in this area.&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;Expand interstate infrastructure for Compressed Natural Gas (CNG) transportation, driven by demand from long-haul truck lines and by supply pressure from natural gas producing companies&lt;/li&gt;&lt;li&gt;Develop the capability of CNG motors, based on demand from trucking companies&lt;/li&gt;&lt;li&gt;Provide CNG motors in autos, based on fuel-management technology developed for trucks.  Just like diesel cars, CNG cars can drive up to the truck pumps at the fuel station.  Home fuel stations become viable for those homes that have gas heat.&lt;/li&gt;&lt;li&gt;Deploy hydrogen-enhanced "Hythane" fuel.  Hydrogen can be obtained by steam reforming of methane with carbon capture, or by direct production of hydrogen from water&lt;/li&gt;&lt;li&gt;Develop "Hy-flex" engines that can run on any blend of hydrogen and methane from 100% CNG to 100% hydrogen. 
At this point pure hydrogen fuel stations become a technically viable proposition.&lt;/li&gt;&lt;li&gt;Prohibit pure CNG&lt;/li&gt;&lt;li&gt;Progressively reduce the allowed proportion of methane in Hythane fuel.&lt;/li&gt;&lt;li&gt;The allowed proportion reaches 0%, prohibiting methane in compressed-gas fuel.  Done!&lt;/li&gt;&lt;/ol&gt;We need to use the compressed-gas path rather than the liquefied natural gas path, because of the vast difference between the boiling points of hydrogen and methane.   Liquid hydrogen in cars and trucks will probably never happen.   Nor will exotic solid-state hydrogen storage systems, until we get to the pure-hydrogen stage; they do not offer the flex-fuel capability needed to bootstrap their technology into large-scale use.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-123529647561323831?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/123529647561323831'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/123529647561323831'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#123529647561323831' title='Path to a hydrogen-based energy economy'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-8618998010119006172</id><published>2009-08-08T18:37:00.002-05:00</published><updated>2009-08-08T19:02:24.342-05:00</updated><title type='text'>Too complex to exist</title><content type='html'>I just ran across &lt;a 
href="http://www.boston.com/bostonglobe/ideas/articles/2009/06/14/too_complex_to_exist/?page=full"&gt;this excellent article&lt;/a&gt; from mid-June by Duncan Watts at Yahoo Research, summarizing the arguments for breaking up financial institutions whose failure would cause major disruptions in the national or international economy.   The comments are unusually good as well, including one from Bob Metcalfe, who professes not to be aware of how enamored social media entrepreneurs are of his eponymous law.&lt;br /&gt;&lt;br /&gt;Interesting on its own, the argument also applies to IT risk management.  CIOs like to simplify their systems, for many good reasons, including security reasons.  The farther a system gets from being analyzable by the security staff, the more likely it is to contain a critical vulnerability that isn't being adequately addressed.&lt;br /&gt;&lt;br /&gt;But they need to be sure that they don't simplify too much.  We all know the maxim about not "putting all your eggs in one basket."  CIOs like to say "we're an XX shop", where XX is IBM or Windows or SAP, but whenever they do this they're admitting that they're not only at the mercy of that vendor but also at the mercy of any cybercriminal who holds an undisclosed zero-day exploit for that vendor's products.  In a monoculture, one exploitable flaw is a flaw in every system the business runs, and redundant instances of the same product give no protection against it.  
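The monoculture point is easy to check mechanically once the architecture is written down as a dependency model. The following is an added example, not code from the original post or from any product discussed here; the service names, the dependency groups and the vendor assignments are all constructed for illustration. A service is up only if, for each of its requirement groups, at least one member of the group is up, so a two-node cluster is a group of two. The first function asks which single component can take the order-entry service down; the second asks which single vendor can, by treating one zero-day against that vendor as the simultaneous failure of every product it supplies.

```python
"""Single points of failure in a service dependency model, by component and by vendor.

Added example, not code from the original post. The architecture, component names
and vendor assignments below are constructed for illustration.
"""

# Each service lists requirement groups. The service is up only if, for every
# group, at least one member of that group is up. A one-element group is a hard
# dependency; a larger group is a redundant pair or cluster.
REQUIREMENTS = {
    "order-entry": [{"web-tier"}, {"app-tier"}, {"payments"}],
    "web-tier":    [{"lb-1", "lb-2"}],                    # two load balancers
    "app-tier":    [{"app-1", "app-2", "app-3"}, {"db"}],  # three app nodes, one db service
    "payments":    [{"pay-gw"}],                          # a single payment gateway
    "db":          [{"db-primary", "db-replica"}],        # primary/replica pair
}

# Which vendor's product each leaf component runs on (constructed). Both load
# balancers and both database nodes come from a single vendor each.
VENDOR = {
    "lb-1": "LBVendor", "lb-2": "LBVendor",
    "app-1": "OS-A", "app-2": "OS-A", "app-3": "OS-B",
    "db-primary": "DBVendor", "db-replica": "DBVendor",
    "pay-gw": "PayVendor",
}


def is_up(node, failed, requirements=REQUIREMENTS):
    """Return True if node is operational given the set of failed components."""
    if node in failed:
        return False
    for group in requirements.get(node, []):
        # every group needs at least one surviving member
        if not any(is_up(member, failed, requirements) for member in group):
            return False
    return True


def leaf_components(requirements=REQUIREMENTS):
    """Components with no requirements of their own, i.e. the actual products."""
    referenced = set()
    for groups in requirements.values():
        for group in groups:
            referenced.update(group)
    return referenced.difference(requirements)


def single_points_of_failure(target, requirements=REQUIREMENTS):
    """Leaf components whose individual failure takes target down."""
    return sorted(component for component in leaf_components(requirements)
                  if not is_up(target, {component}, requirements))


def vendor_points_of_failure(target, vendor=VENDOR, requirements=REQUIREMENTS):
    """Vendors whose products, failing all at once (one zero-day, one bad update),
    take target down even where those products are deployed redundantly."""
    products_by_vendor = {}
    for component, name in vendor.items():
        products_by_vendor.setdefault(name, set()).add(component)
    return sorted(name for name, products in products_by_vendor.items()
                  if not is_up(target, products, requirements))


if __name__ == "__main__":
    print("single components:", single_points_of_failure("order-entry"))
    print("single vendors:   ", vendor_points_of_failure("order-entry"))
```

On the constructed model only the payment gateway is a single-component point of failure, yet three vendors are single points of failure, because the load-balancer pair and the database pair are each a monoculture. Swapping one node of each pair to a different vendor removes them from the second list without touching the first.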
If an application or infrastructure component is so essential that the business cannot operate without it, then that application or component probably needs to be partitioned, modularized, and diversified so that no single failure is catastrophic.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-8618998010119006172?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8618998010119006172'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8618998010119006172'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#8618998010119006172' title='Too complex to exist'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-745782700696237035</id><published>2009-07-26T10:35:00.002-05:00</published><updated>2009-07-26T11:06:49.863-05:00</updated><title type='text'>Health destruction systems</title><content type='html'>At last, someone explains the perversity of "market-based" health care systems.  And it's Paul Krugman, in his New York Times blog at &lt;a href="http://krugman.blogs.nytimes.com/2009/07/25/why-markets-cant-cure-healthcare/"&gt;http://krugman.blogs.nytimes.com/2009/07/25/why-markets-cant-cure-healthcare/&lt;/a&gt;.  
If you've ever tried to shop around for a better price on blood tests or X-rays, you'll recognize what he's talking about.&lt;br /&gt;&lt;br /&gt;It's shocking, although I have to say not really surprising, that so much of the discussion in the debate about restructuring our healthcare system is about how to maintain the profits of the insurance companies at the expense of the health of U.S. citizens.&lt;br /&gt;&lt;br /&gt;The other perversity of the current system is the fee-for-service model, which pays more for delivery of more procedures, regardless of whether they actually do any good for the patient.&lt;br /&gt;&lt;br /&gt;The original vision for Health Maintenance Organizations was that they could reduce costs by keeping their subscribers healthy.  Healthy people don't need treatment as often, so by providing programs that keep subscribers from getting sick, HMOs could reduce the amount of money they would spend on treatments.  But they discovered that prevention programs have overhead -- they actually had to engage with their subscribers regularly, and convincing subscribers to stop doing unhealthy things and start doing healthy things was complicated and took work.  It was much easier to simply deny care when subscribers got ill, or better yet exclude people who were likely to get sick in the first place.   If your HMO only accepts healthy subscribers, payments for treatments are low and subscriber fees are mostly profit.  So HMOs became care-denial organizations.  
This acted to counterbalance the motivations for unnecessary treatments, but it didn't do anything to keep patients healthy.&lt;br /&gt;&lt;br /&gt;In order for the United States to have a healthcare system that &lt;span style="font-style: italic;"&gt;promotes &lt;/span&gt;the health of citizens instead of working against them, we have to identify those portions of the system that are incentivized to work against the interests of the end-users and either reverse those incentives or eliminate those portions entirely.  I don't know of a structure that does that other than a government-administered single-payer system.  Yes, government is inefficient, but it could hardly be more inefficient than the current system, which is full of middlemen, where every insurance company has its own unique set of forms for doctors to struggle with when they should be focusing on their patients, and where the "statement of benefits" from the insurance company has three different prices for every line item.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-745782700696237035?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/745782700696237035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/745782700696237035'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#745782700696237035' title='Health destruction systems'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-4055090976943954524</id><published>2009-06-02T08:48:00.003-05:00</published><updated>2009-06-13T18:48:01.231-05:00</updated><title type='text'>PCI "death penalty"</title><content type='html'>The &lt;a href="https://www.pcisecuritystandards.org/"&gt;Payment Card Industry Security Standards Council&lt;/a&gt; publishes the Data Security Standard, and the card brands and acquiring banks have a framework of penalties for violations of it.   Some of these are explicit, while some are less obvious.  Most obviously, if a merchant fails a DSS audit, fines can be imposed.  But "merchant banks" have other ways to impose penalties.  They can raise the per-transaction charges that occur every time they process a use of a card.   They can raise the fraud management charges that come along with the privilege to accept credit cards.   Merchants would much prefer to pay the hidden charges since they don't involve the public shame of having a fine imposed.  If customers hear that you've been fined for security problems, many of them will take their business elsewhere.&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The most serious penalties are the "death penalty" class that will cause the company to go out of business.  The accounting firm Arthur Andersen might well have survived the scandal of its malfeasance with Enron, until the State of Texas withdrew its license to practice accounting.  Death penalties for credit card security violations have been imposed very rarely.  One of them was CardSystems Solutions, which had its card-processing permission withdrawn by Visa and other card brands, and consequently went bankrupt.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Trying to recover money from any conceivable source, the "merchant bank" that CardSystems worked with has now sued the company that audited its security and certified that it was compliant with the DSS.   
Wired's Threat Level blog has more &lt;a href="http://www.wired.com/threatlevel/2009/06/auditor_sued/"&gt;details on this story&lt;/a&gt;.  Being compliant with the DSS doesn't guarantee that you are secure; there are many loopholes in the standard that can be exploited by someone who's trying to pass its audit rather than secure their customers' data.   A DSS assessment is also a point-in-time snapshot of the controls in scope: a passing report says nothing about what happened to those systems the day after the assessor left, or about the systems that were scoped out.   It will be interesting to see how this plays out.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-4055090976943954524?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/4055090976943954524'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/4055090976943954524'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#4055090976943954524' title='PCI &quot;death penalty&quot;'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-8855717886190471361</id><published>2009-05-19T11:45:00.002-05:00</published><updated>2009-05-19T12:37:12.277-05:00</updated><title type='text'>Threat taxonomies</title><content type='html'>The Open Group has recently released a &lt;a href="http://www.opengroup.org/bookstore/catalog/c081.htm"&gt;Risk Taxonomy&lt;/a&gt;.  
Taxonomies are important because they let you keep track of all the different variants of situations that may be encountered, making sure that any "generic" solution really covers all of the bases, and they let you base your analysis on lessons learned from similar situations, refining your response rather than reinventing it from scratch every time.  Most importantly, they give the big picture, counteracting the tendency of technical people to dive into the details and never look up.&lt;br /&gt;&lt;br /&gt;Other risk or threat taxonomies can be found in:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;U.S. NIST &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf"&gt;SP 800-30&lt;/a&gt; "Risk Management Guide for Information Technology Systems"&lt;/li&gt;&lt;li&gt;SANS has a "What Works" poster series that was organized by threat a few years ago.  Unfortunately that perspective is gone from the &lt;a href="http://www.sans.org/whatworks/"&gt;latest version&lt;/a&gt;.&lt;/li&gt;&lt;/ol&gt;The threat taxonomy that I use is organized by the class of goals the attacker has:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;recreational vandals: generally low skill level, looking for notoriety; will attack public-facing services but not destroy the ability of the site to show off his "greatness".&lt;/li&gt;&lt;li&gt;cyber-thieves: looking for money; will extract credit card and other information that can be sold or used directly to generate cash.   Will generally not do permanent damage, so that he can come back later for more.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;cyber-extortionists: looking for weaknesses that can stop the service from fulfilling its function, so that he can threaten to do it again if the victim doesn't pay up&lt;/li&gt;&lt;li&gt;cyber-spies: looking to get in and out without discovery.  
May be supported by governments and may have high skill levels and large amounts of resources available for cracking passwords and encryption keys&lt;br /&gt;&lt;/li&gt;&lt;li&gt;cyber-warriors: attempting to do as much damage as possible.  Will attack the infrastructure that supports business continuity and data integrity.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-8855717886190471361?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8855717886190471361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8855717886190471361'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#8855717886190471361' title='Threat taxonomies'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-8557656130823955905</id><published>2009-04-18T22:28:00.002-05:00</published><updated>2009-04-18T22:51:12.624-05:00</updated><title type='text'>Surprise-resistant</title><content type='html'>The Financial Times has a story by Nassim Nicholas Taleb on &lt;a href="http://www.ft.com/cms/s/5d5aa24e-23a4-11de-996a-00144feabdc0,dwp_uuid=73adc504-2ffa-11da-ba9f-00000e2511c8,print=yes.html"&gt;Ten Principles for a Black Swan Proof World&lt;/a&gt;.  These have a lot of implications for information security.&lt;br /&gt;&lt;ol&gt;&lt;li&gt;&lt;em&gt;What is fragile should break early while it is still small&lt;/em&gt;.  
Computerized systems always break; they need to be built so that the failure of every instance of any one component type, &lt;em&gt;including the hardware and the OS&lt;/em&gt;, does not bring the whole system down.&lt;/li&gt;&lt;li&gt;&lt;em&gt;No socialisation of losses and privatisation of gains&lt;/em&gt;.  We haven't had a case where a computer system needed a government bailout.  Let's hope we never do.&lt;/li&gt;&lt;li&gt;&lt;em&gt;People who were driving a school bus blindfolded (and crashed it) should never be given a new bus&lt;/em&gt;.  PCI and HIPAA penalties for data breaches need to be much more severe than the slaps on the wrist that are given these days.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Do not let someone making an “incentive” bonus manage a nuclear plant – or your financial risks&lt;/em&gt;.  CISOs should never report to the CIO.  CIOs are paid to reduce IT costs; if they can do so by ignoring risks, they will.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Counter-balance complexity with simplicity&lt;/em&gt;.  Information systems are the most complex systems in any enterprise.  Every time some local solution is added because it's too hard to make a global change, risk increases.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Do not give children sticks of dynamite, even if they come with a warning&lt;/em&gt;.  While IT users may be system administrators of their PCs at home, they should not be given that privilege over the systems they use at work.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Only Ponzi schemes should depend on confidence. 
Governments should never need to “restore confidence”.&lt;/em&gt; If your IT systems are so complex that two members of your security staff analyzing the same system cannot arrive at the same risk result, you can't manage that risk consistently.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Do not give an addict more drugs if he has withdrawal pains.&lt;/em&gt;   Buying more security products does not often produce greater security.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Citizens should not depend on financial assets or fallible “expert” advice for their retirement&lt;/em&gt;.  If a security "consultant" uses some proprietary method that he can't teach to a company's security staff, he's likely to be making it up as he goes along.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Make an omelette with the broken eggs&lt;/em&gt;.  Don't remediate security weaknesses by patching on more controls; redesign the systems so that they are naturally secure.&lt;/li&gt;&lt;/ol&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-8557656130823955905?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8557656130823955905'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8557656130823955905'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#8557656130823955905' title='Surprise-resistant'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-1934191975283591922</id><published>2009-03-28T17:53:00.003-05:00</published><updated>2009-03-30T21:17:13.237-05:00</updated><title type='text'>Laws of evolution</title><content type='html'>The Texas Board of Education has adopted language on the teaching of science that isn't as anti-science as many had feared, reports Garry Scharrer of the San Antonio Express-News in a story titled "&lt;a href="http://www.mysanantonio.com/news/education/Evolution_standards_for_draw_a_mixed_reaction.html"&gt;Teaching evolution now protected&lt;/a&gt;".  But scientists still are not communicating the principles of evolution in such a way that they are self-evident.   Let's give it a try here...&lt;br /&gt;&lt;br /&gt;Evolution by natural selection is a natural phenomenon with the same status as heat flow, which has its own &lt;a href="http://en.wikipedia.org/wiki/Laws_of_thermodynamics"&gt;Laws of Thermodynamics&lt;/a&gt;.  It's a statistical statement about aggregate properties of groups of individuals, which in the case of thermodynamics are atoms, and in the case of evolution are biological organisms.  
Once it's understood clearly and carefully, what was originally an empirical generalization turns out to be a mathematical truth as incontrovertible as the fact that 2+3 is greater than either 2 or 3.&lt;br /&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;The first law of evolution&lt;/strong&gt;: when entities that have inheritable traits exist in an environment where some of those traits make them less effective at reproducing themselves than entities with other traits, then evolution occurs.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The second law of evolution&lt;/strong&gt;: when one subgroup, or population, of evolving entities becomes separated from another subgroup of what was that same population, they will evolve into varieties that cannot interbreed with each other, creating different species.&lt;/li&gt;&lt;li&gt;&lt;strong&gt;The third law of evolution&lt;/strong&gt;: the complexity of organisms in an ecosystem tends to increase, because complexity has a lower bound, while it has no upper bound.  That is, "there's always room at the top" of the complexity spectrum.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The laws of evolution apply to any entity that follows the first law, whether they are biological organisms, cultural memes, or data structures in an evolutionary algorithm in a computer.&lt;/p&gt;&lt;p&gt;Charles Darwin's great achievement was the discovery of the principles of evolution by examination of the fossil record and other sources.  To the politically-minded,  &lt;em&gt;Darwinism&lt;/em&gt; is the recognition that the fossil record shows how evolution occurred in biological organisms.&lt;/p&gt;&lt;p&gt;In the 150 years since the publication of The Origin of Species, the theory of evolution has itself evolved, into a "&lt;a href="http://students.washington.edu/gw0/modernsynthesis/"&gt;modern synthesis&lt;/a&gt;" that is 60 years old now, incorporating molecular biology and population genetics.  
This theory (&lt;em&gt;Huxleyism&lt;/em&gt; if you have to ideologize) recognizes that errors in DNA replication and recombination will lead to evolution, regardless of any evidence in the fossil record.&lt;/p&gt;&lt;p&gt;The latest features of evolutionary theory, still in progress under the banner of a weird name, &lt;em&gt;evo-devo&lt;/em&gt;, are the incorporation of developmental lifecycles into the organization of the traits that natural selection acts upon.&lt;/p&gt;&lt;p&gt;&lt;span style="font-weight: bold;"&gt;Update&lt;/span&gt;: I probably ought to mention, since I cite the laws of thermodynamics, that life occurs in an open system, on the slopes of entropy gradients, not in the closed system that the second law of thermodynamics applies to.&lt;/p&gt;&lt;p&gt;Also, Christopher Hitchens has a &lt;a href="http://www.newsweek.com/id/191400"&gt;commentary &lt;/a&gt;about the Texas Board of Education decision.  Although always entertaining, Hitchens doesn't actually add much light to the debate.&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-1934191975283591922?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1934191975283591922'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1934191975283591922'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#1934191975283591922' title='Laws of evolution'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-1118259631085959255</id><published>2009-03-15T13:28:00.006-05:00</published><updated>2009-03-15T14:23:07.749-05:00</updated><title type='text'>Foundations of (sustainable) economies</title><content type='html'>Ecologists seem to know a few things that economists haven't discovered.  They partition the species that make up ecosystems into two classes, the components of "primary production", called &lt;span style="font-style: italic;"&gt;autotrophs&lt;/span&gt;, which take their nourishment directly from the physical world, and all the rest, called &lt;span style="font-style: italic;"&gt;heterotrophs&lt;/span&gt;, which live on other organisms.  Ecosystems are then organized into a hierarchy of &lt;span style="font-style: italic;"&gt;trophic levels&lt;/span&gt;, with for example, a base of plants, eaten by herbivores, which are eaten by middle predators, which are eaten by top predators.   These "food webs" get very complicated if you look at them carefully and include photosynthetic algae and other microorganisms, insects and other bugs, and the animals that eat them and each other, not to mention parasites, symbionts, and cannibalism.&lt;br /&gt;&lt;br /&gt;You can look at economic systems in the same way.  There are a few industries that constitute primary production, and the rest of us in other industries are all standing on their shoulders.  Only primary industries produce real value that exists independently of some subjective judgement.  
If you are trying to design a monetary system that is immune to speculative fluctuations, you want the currency to be tied to a value that is as objectively constant as possible.&lt;br /&gt;&lt;br /&gt;The primary economic sectors are&lt;br /&gt;&lt;ul&gt;&lt;li&gt;mining&lt;/li&gt;&lt;li&gt;agriculture&lt;/li&gt;&lt;li&gt;energy&lt;/li&gt;&lt;li&gt;information technology&lt;/li&gt;&lt;/ul&gt;You can argue about whether information technology is primary production or higher-order production, but the others are fairly indisputable. We want to distinguish basic information technology from the information systems and e-commerce businesses that are built with it.  E-commerce is clearly riding on top of primary sectors, but the underlying technology has a foundational role in every other industry.   If you consider information technology in a broad sense that includes mechanical cash registers and double-entry accounting ledger books, or even cuneiform records on clay tablets, you may be able to recognize the difference between the technology itself and the economic enterprises that use the technology.&lt;br /&gt;&lt;br /&gt;Many people would want to include real estate in that list, since other than waterfront landfills, &lt;span style="font-style: italic;"&gt;they ain't makin' any more of it&lt;/span&gt;, as Will Rogers said.  But we have seen a real estate bubble collapse recently, and there's no reason that it can't happen again.  Real estate has a stable value only if you use it yourself.  Real estate that is not owner-occupied free and clear is speculative for somebody.&lt;br /&gt;&lt;br /&gt;Nevertheless, parts of the energy sector are set up for an investment bubble, as Eric Janszen wrote in an article for Harper's titled &lt;a href="http://www.harpers.org/archive/2008/02/0081908"&gt;The next bubble: Priming the markets for tomorrow's big crash&lt;/a&gt;.  Once we're out of that bubble, we should have a sustainable economic foundation.   
There will be other bubbles, but they will be riding on that foundation, and investors who confine their focus to foundational sectors should be able to ride them out without too much damage.&lt;br /&gt;&lt;br /&gt;We may discuss the sustainability of each of the primary sectors in future posts.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-1118259631085959255?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1118259631085959255'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1118259631085959255'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#1118259631085959255' title='Foundations of (sustainable) economies'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-1296678818400368265</id><published>2009-03-14T10:32:00.002-05:00</published><updated>2009-03-14T11:17:42.715-05:00</updated><title type='text'>Doing your own dentistry</title><content type='html'>The NY Times has captured a quote that summarizes one of the root problems with the financial system and the laissez-faire capitalism that has developed over the past few decades. 
In a story about Bernard Madoff's Ponzi scheme titled "&lt;a href="http://www.nytimes.com/2009/03/14/business/14nocera.html?adxnnl=1&amp;amp;ref=business&amp;amp;adxnnlx=1237046458-bmEDsFK87jv9Lv7XgBmyUw"&gt;Madoff had accomplices -- his victims&lt;/a&gt;", &lt;span class="Apple-style-span" style="color: rgb(170, 170, 170); font-family: arial; font-size: 11px; line-height: 15px; "&gt;[A version of this article appeared in print on March 14, 2009, on page B1 of the New York edition]&lt;/span&gt; columnist Joe Nocera quotes "&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px; "&gt;James R. Hedges IV, who runs an advisory firm called LJH Global Investments, [who] says that in 1997 he spent two hours asking Mr. Madoff basic questions about his operation. “The explanation of his strategy, the consistency of his returns, the way he withheld information — it was a very clear set of warning signs,” said Mr. Hedges."  ..." “It’s like trying to do your own dentistry.” Mr. Hedges said, “It is a real lesson that people cannot abdicate personal responsibility when it comes to their personal finances.” "&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;It is exactly like doing your own dentistry, but Mr. Hedges doesn't understand his own analogy. In dentistry and medicine, the average person can tell where it hurts, but when it comes to treatment your ability to distinguish between flu and tuberculosis and determine the correct course of action is pretty minimal.   Likewise, for most people the choice of a fund that includes hedged investments of one kind or another is essentially a shot in the dark.  
In medicine, the patient's personal responsibility is to ensure that the doctor is certified and licensed, but it's the government's responsibility to ensure that unlicensed and incompetent practitioners are identified and penalized -- driven out of business or imprisoned.  The SEC utterly failed in its responsibility to discover and stop Madoff's scheme.   &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-size: 15px; line-height: 22px;"&gt;Unregulated hedge funds and similar firms are practicing finance without a license.  In medicine and dentistry, the introduction of new, untried drugs and treatments is subject to a strict regime of preclinical and clinical trials before they may be released to the broader community of practitioners.  Anyone can build a new medical instrument, but using it on a patient without testing or qualifications is a crime.  
We need similar regulatory controls for financial instruments.&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-1296678818400368265?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1296678818400368265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1296678818400368265'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#1296678818400368265' title='Doing your own dentistry'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-7186819917999745714</id><published>2009-02-28T14:17:00.004-06:00</published><updated>2009-03-01T23:52:56.310-06:00</updated><title type='text'>Conditions for a unified consciousness</title><content type='html'>Kevin Kelly &lt;a href="http://www.kk.org/thetechnium/archives/2009/02/many_species_on.php"&gt;blogs &lt;/a&gt;about the visionary future of mankind in which we all share a single consciousness, and George Dyson's matrix of possibilities of number of species vs number of minds.  While Kelly's comment system's CAPTCHA is tuned up so high that it can't even be solved by humans sometimes, here's my thought:&lt;br /&gt;&lt;br /&gt;In his book "&lt;a href="http://www.amazon.com/Consciousness-Explained-Daniel-C-Dennett/dp/0316180661/ref=pd_bbs_sr_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1235852725&amp;amp;sr=8-1"&gt;Consciousness Explained&lt;/a&gt;", philosopher Daniel Dennett (do we have to wait until he's dead to call him a "great philosopher"?) 
argues that the notion of "one mind" is an illusion, and that even as individual persons we have many minds.  I think this goes a bit far, but it underscores that there's no neurologically justified way to look inside the box of our heads and tell how many minds are really there, as long as the mind that does the talking mistakenly says "I'm the only one".  Nobody has a clue as to how to look at a neural circuit diagram and tell whether it can or does sustain consciousness.&lt;br /&gt;&lt;br /&gt;Well, okay, here's what may be a clue: a unified consciousness is possible only in a system where the interconnect bandwidth between the processing elements exceeds the sensory bandwidth between the respective processing elements and the external world.&lt;br /&gt;&lt;br /&gt;Short of magic, ESP and telepathy, the one-mind options are physically impossible.&lt;br /&gt;&lt;br /&gt;The condition bites even in science fiction.  One of the most creatively designed alien characters ever, in &lt;a href="http://www.amazon.com/Fire-Upon-Deep-Zones-Thought/dp/0812515285/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1235888953&amp;amp;sr=8-1"&gt;Vernor Vinge's &lt;span style="font-style: italic;"&gt;A Fire Upon the Deep&lt;/span&gt;&lt;/a&gt;, is a group mind whose component elements look like puppies but create a unified consciousness joined by ultrasonic sensors on their backs.   Even with holographic multiplexing akin to the principles of phased-array radars, which doesn't seem to be what Vinge was thinking of, the bandwidth obtainable from atmospherically transmitted ultrasound doesn't compare to the bandwidth obtainable in even a small fiber tract of neuronal axons and dendrites.   
Consider a simpler argument for bandwidth limitation: birdsong has much of its information in ultrasonic frequencies -- why are birds not telepathic with other birds of the same species?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-7186819917999745714?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7186819917999745714'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7186819917999745714'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#7186819917999745714' title='Conditions for a unified consciousness'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-8751049603405843664</id><published>2009-02-13T23:44:00.003-06:00</published><updated>2009-03-01T23:53:26.980-06:00</updated><title type='text'>Transparency is profitable</title><content type='html'>In studies reported in January in the Proceedings of the National Academy of Sciences, a team of researchers found that publishing records of economic transactions significantly increased the output of an economic game.  In the arcane language of the report, "Recordkeeping enables better recall of past outcomes, promotes reputation formation, and encourages spontaneous coordination of economic decisions. 
The ultimate effect is that recordkeeping alters an economy's history and encourages exchange by reducing the risk of loss from transacting with strangers."&lt;br /&gt;&lt;br /&gt;This effect is well known to users of eBay, Amazon, and other online marketplaces that incorporate reputation systems.&lt;br /&gt;&lt;br /&gt;Sudipta Basu, John Dickhaut, Gary Hecht, Kristy Towry and Gregory Waymire (2009). Recordkeeping alters economic history by promoting reciprocity. PNAS, January 27, 2009, vol. 106, no. 4, pp. 1009-1014.   Open Access article at &lt;a href="http://www.pnas.org/content/106/4/1009.full"&gt;http://www.pnas.org/content/106/4/1009.full&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-8751049603405843664?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8751049603405843664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8751049603405843664'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#8751049603405843664' title='Transparency is profitable'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-5401355907893801879</id><published>2009-01-31T13:02:00.003-06:00</published><updated>2009-03-01T23:54:51.278-06:00</updated><title type='text'>Automated vs manual code inspections</title><content type='html'>Steve McConnell provides plenty of evidence for the efficacy of code reviews in  &lt;a href="http://www.amazon.com/Code-Complete-Practical-Handbook-Construction/dp/0735619670/"&gt;Code  
Complete&lt;/a&gt;:  &lt;div&gt;&lt;p&gt; &lt;/p&gt;&lt;blockquote&gt;.. software testing alone has limited effectiveness -- the average  defect detection rate is only 25 percent for unit testing, 35 percent for  function testing, and 45 percent for integration testing. In contrast, &lt;b&gt;the  average effectiveness of design and code inspections are 55 and 60 percent&lt;/b&gt;.  Case studies of review results have been impressive:  &lt;ul&gt;&lt;li&gt;In a software-maintenance organization, 55 percent of one-line maintenance  changes were in error before code reviews were introduced. After reviews were  introduced, only 2 percent of the changes were in error. When all changes were  considered, 95 percent were correct the first time after reviews were  introduced. Before reviews were introduced, under 20 percent were correct the  first time.  &lt;/li&gt;&lt;li&gt;In a group of 11 programs developed by the same group of people, the first 5  were developed without reviews. The remaining 6 were developed with reviews.  After all the programs were released to production, the first 5 had an average  of 4.5 errors per 100 lines of code. The 6 that had been inspected had an  average of only 0.82 errors per 100. Reviews cut the errors by over 80 percent.  &lt;/li&gt;&lt;li&gt;The Aetna Insurance Company found 82 percent of the errors in a program by  using inspections and was able to decrease its development resources by 20  percent.  &lt;/li&gt;&lt;li&gt;IBM's 500,000 line Orbit project used 11 levels of inspections. It was  delivered early and had only about 1 percent of the errors that would normally  be expected.  &lt;/li&gt;&lt;li&gt;A study of an organization at AT&amp;amp;T with more than 200 people reported a  14 percent increase in productivity and a 90 percent decrease in defects after  the organization introduced reviews.  
&lt;/li&gt;&lt;li&gt;Jet Propulsion Laboratories estimates that it saves about $25,000 per  inspection by finding and fixing defects at an early stage.  &lt;/li&gt;&lt;/ul&gt;&lt;/blockquote&gt;&lt;/div&gt; &lt;div&gt;Now, McConnell's book, even the second edition, was published in 2004, and automated systems are improving at a rapid rate, while manual review techniques are not developing nearly as fast.  So automated inspections will probably surpass manual reviews someday.  But that day isn't here yet.&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-5401355907893801879?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5401355907893801879'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5401355907893801879'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#5401355907893801879' title='Automated vs manual code inspections'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-676795567058933222</id><published>2009-01-24T12:05:00.003-06:00</published><updated>2009-03-14T11:19:04.280-05:00</updated><title type='text'>How science works</title><content type='html'>In Texas, the State Board of Education continues its war against the teaching of evolution, turning to a strategy of attrition, looking to insert doubts when it has been prevented from actively inserting anti-evolution statements into the curriculum, reports the Houston Chronicle in a story headlined "&lt;a 
href="http://www.chron.com/disp/story.mpl/front/6227807.html"&gt;Scientists: Board proposals undermine evolution teaching&lt;/a&gt;".  While they have abandoned a mandate to discuss the "strengths and weaknesses" of evolution, they now propose to create a module where students evaluate an array of fossils and conduct a discussion about whether they lead to the conclusion of a common ancestor.  This introduces huge opportunities for misleading "artificial selection" of the set of fossils to be examined and maliciously directed discussions.&lt;br /&gt;&lt;br /&gt;This action is inevitably controversial and led to the story being one of the "most commented" on the Chronicle's website.   While they present the spectrum of good, bad, and ugly views that one would expect in the newspaper of a large southern city, one of the commenters made a very good summary of the scientific method.  [I've added some formatting to improve the clarity.]&lt;br /&gt;&lt;blockquote&gt;&lt;/blockquote&gt;&lt;blockquote&gt;Scientists often get so caught up in the marvelous organization of nature that they forget the basics. Science is simple:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;look at some facts&lt;br /&gt;&lt;/li&gt;&lt;li&gt;create a model of the facts&lt;/li&gt;&lt;li&gt;use the model to make a prediction&lt;/li&gt;&lt;li&gt;test the prediction&lt;/li&gt;&lt;li&gt;revise the model to account for the differences between the model and the facts&lt;/li&gt;&lt;li&gt;repeat&lt;/li&gt;&lt;/ol&gt;Anything else isn't science, it's fiction or religion and should be taught in those classes, not science classes.&lt;br /&gt;&lt;br /&gt;Evolution is the best model we have for the organization and development of biological organisms. All the others are losers in the scientific contest. I have no problems with teaching the weaknesses in evolution as long as the weaknesses of all the competitors are taught, too.&lt;br /&gt;&lt;br /&gt;Consider "creation science" or "intelligent design". 
All their so-called "facts" have been shown to be mistakes or frauds. Their advocates' theories are full of logical errors, they don't make predictions that aren't obviously wrong, and they don't ever go out into the field and test anything against what their God is actually doing right now. It ain't science, it's propaganda.&lt;/blockquote&gt;Hey, that's five steps plus "repeat", one fewer than six days of creation and rest on the seventh.  Which method is simpler?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-676795567058933222?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/676795567058933222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/676795567058933222'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#676795567058933222' title='How science works'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-2857602861112463247</id><published>2009-01-21T22:34:00.003-06:00</published><updated>2009-03-14T11:19:48.755-05:00</updated><title type='text'>The mirage of risk management</title><content type='html'>&lt;p&gt;Arthur at the &lt;a href="http://www.emergentchaos.com/archives/2009/01/rethinking_risk.html"&gt;Emergent Chaos&lt;/a&gt; blog attempts to continue the debate on the viability of "risk management" as an approach to computer system security, based on the comment from &lt;a href="https://financialcryptography.com/cgi-bin/mt/mt-tb.cgi?__mode=view&amp;amp;entry_id=1129"&gt;Financial 
Cryptography&lt;/a&gt; that "risk management is a dead duck".  [FC's home link is to itself in SSL, but uses a self-signed certificate that neither Firefox nor IE7 wants to trust.  And with good reason.  If a so-called security website can't get its own security set up correctly, can you take its content seriously?]  In any case, the basic point, that risk management is an illusion which practitioners should stop pretending to follow seriously, is a good one.   Here are some of the reasons why risk management is more like the city floating in the sky in the distance across the blazing desert.&lt;br /&gt;&lt;/p&gt;&lt;div class="comments-body"&gt;  &lt;p&gt;1. Our so-called "theories of risk" are nonsense. We don't know how to attach credible numbers to threats, exposures, losses, or assets (unless those loss and asset values are money in current accounts). Do the basic physicist's step of "dimensional analysis" and your units don't match.&lt;/p&gt;  &lt;p&gt;2. Our data are worthless. Tons of worthless data are still worthless. Security "analyst" companies that purport to compile attack data, like the number of spam messages per day, keep their coverage and methods secret so that they can't be validated or falsified. US-CERT notwithstanding, there is no government agency for computer security corresponding to the Centers for Disease Control, with the legal basis that the CDC has for collecting decent data.&lt;/p&gt;  &lt;p&gt;3. Many "risks" are intrinsically unmanageable. Nassim Taleb writes about black swans, but computer systems are even worse. There are fundamental theorems in computer science (the halting problem and Rice's theorem) that say that for any computer system powerful enough to be useful, there is no general procedure to prove that it is free of catastrophic defects. The hacker's job is to find those defects and exploit them.&lt;/p&gt;  &lt;p&gt;4. Our systems are too complex for us to understand. 
The vulnerabilities that we know about number in the tens and hundreds of thousands, and we don't have any tools that tell us how to assess their impact on enterprise-class systems comprising dozens of servers (not to mention "cloud computing" platforms of tens of thousands of servers), even if our theories made sense.&lt;/p&gt;  &lt;p&gt;Computer security is much more like military defense or public health than it is like managing an electric power grid. And even the grid has blackouts.&lt;/p&gt;                               &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-2857602861112463247?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2857602861112463247'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2857602861112463247'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#2857602861112463247' title='The mirage of risk management'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-667679515534963962</id><published>2009-01-18T14:00:00.003-06:00</published><updated>2009-03-14T11:20:59.469-05:00</updated><title type='text'>Fundamental error in urban designs</title><content type='html'>The error is that they are urban. Cities are not unconditionally good for your mental health.  
Jonah Lehrer writes in the Boston Globe &lt;a href="http://www.boston.com/bostonglobe/ideas/articles/2009/01/04/how_the_city_hurts_your_brain/"&gt;How the City Hurts Your Brain (http://www.boston.com/bostonglobe/ideas/articles/2009/01/04/how_the_city_hurts_your_brain/)&lt;/a&gt;.  A number of studies have recently demonstrated convincingly how the noise and chaos deplete your mental capacity.  "After spending a few minutes on a crowded city street, the brain is less able to hold things in memory, and suffers from reduced self-control."&lt;br /&gt;&lt;br /&gt;This is really an intrinsic property of concentrations of humans, and the correct answer is not simply to design less stressful city plans with good transportation infrastructures so that you have fewer traffic jams, and mixed-use complexes so that you don't have to carry your groceries on the subway.  These are stopgaps that make a bad situation less bad. The right answer is to&lt;span style="font-style: italic;"&gt; get out of town&lt;/span&gt;, i.e. suburbia.  
People know this, even if architects don't.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-667679515534963962?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/667679515534963962'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/667679515534963962'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#667679515534963962' title='Fundamental error in urban designs'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-7783135361621433149</id><published>2009-01-11T11:13:00.005-06:00</published><updated>2009-03-14T11:21:42.780-05:00</updated><title type='text'>Why pure electric cars are no good</title><content type='html'>&lt;div&gt;Jeremy Clarkson of the &lt;a href="http://www.topgear.com/"&gt;Top Gear&lt;/a&gt; TV show on BBC (including BBC America) also has a column in The Times of London.  In an article at &lt;a href="http://www.timesonline.co.uk/tol/driving/jeremy_clarkson/article5483422.ece"&gt;http://www.timesonline.co.uk/tol/driving/jeremy_clarkson/article5483422.ece&lt;/a&gt; he describes his experience testing the Tesla Roadster for the show.  Things did not go at all well.  Clarkson, not a prisoner to advertisers as are most auto magazines and TV shows, does not pull punches.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Clarkson's conclusions are spot on.  The "Tesla works only at dinner parties. Tell someone you have one and in minutes you will be having sex.  ... 
but we are left with the simple fact that it takes a long time to charge it up and the charge doesn't take you very far."&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The comments to the article have some useful suggestions.  Use electricity to make chemical fuel such as methanol or hydrogen (although I have my doubts about the energy density of hydrogen, i.e. miles per fill-up), and build hybrid fuel-electric cars, and we should have something vastly more efficient, sustainable, and most importantly, usable away from home, than the gasoline internal combustion machines we have now.  &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-7783135361621433149?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7783135361621433149'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7783135361621433149'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#7783135361621433149' title='Why pure electric cars are no good'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-4906763320648309072</id><published>2009-01-04T23:21:00.003-06:00</published><updated>2009-03-14T11:24:24.067-05:00</updated><title type='text'>Risk mismanagement according to the NY Times</title><content type='html'>Recent editions on the website have two interesting articles:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Risk Mismanagement &lt;/span&gt;by Joe Nocera is about the Value at Risk method for assigning a 
single number to a large collection of financial situations, at &lt;a href="http://www.nytimes.com/2009/01/04/magazine/04risk-t.html?em"&gt;http://www.nytimes.com/2009/01/04/magazine/04risk-t.html?em&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;The End of the Financial World as We Know It&lt;/span&gt; is actually a two-parter by Michael Lewis and David Einhorn, first at &lt;a href="http://www.nytimes.com/2009/01/04/opinion/04lewiseinhorn.html?em"&gt;http://www.nytimes.com/2009/01/04/opinion/04lewiseinhorn.html?em&lt;/a&gt; and then, titled &lt;span style="font-style: italic;"&gt;How to Repair a Broken Financial World&lt;/span&gt;, at &lt;a href="http://www.nytimes.com/2009/01/04/opinion/04lewiseinhornb.html?em"&gt;http://www.nytimes.com/2009/01/04/opinion/04lewiseinhornb.html?em&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I especially like the suggestion "Another good solution to the too-big-to-fail problem is to break up any institution that becomes too big to fail."   When an enterprise is subject to catastrophic risks that put its existence in jeopardy, the only real remedy is to restructure the enterprise so that those risks are not catastrophic.  
That goes for the enterprises that are national and international financial systems, too.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-4906763320648309072?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/4906763320648309072'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/4906763320648309072'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#4906763320648309072' title='Risk mismanagement according to the NY Times'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-1229504652974632544</id><published>2008-12-28T12:37:00.003-06:00</published><updated>2009-03-14T11:25:23.484-05:00</updated><title type='text'>Not keeping score</title><content type='html'>The "bible" of best practices for IT management is a series of books published by the British Government called ITIL.  According to their Best Practices for Security Management volume, "&lt;span style="font-style: italic;"&gt;There is no frame of reference for management to defend the investments made in security.&lt;/span&gt;"  (sec. 2.3.1.6)   This quote is from the 1999 edition; I don't have access to more recent versions, but I'm unaware that much has changed in the past 10 years.&lt;br /&gt;&lt;br /&gt;This is really the most important question in security: how much security is enough?   If we're ever to get beyond the self-serving answer "you can never have too much security", this has to change.  
There has to be a framework able to distinguish "too much" from "not enough".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-1229504652974632544?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1229504652974632544'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1229504652974632544'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#1229504652974632544' title='Not keeping score'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-250367719715892562</id><published>2008-12-07T12:53:00.003-06:00</published><updated>2009-03-15T13:19:12.375-05:00</updated><title type='text'>Small-scale water power</title><content type='html'>The Houston Chronicle reprints an AP story about how "&lt;a href="http://www.chron.com/disp/story.mpl/business/6150347.html"&gt;More [regions are] taking the plunge into water power&lt;/a&gt;", explaining how turbines can be put across low-water dams or even in free flowing rivers to extract some of their power at low upfront costs and no cost for fuel.  The story doesn't mention that the reason we put big dams on rivers is because the natural flow is irregular and stops during droughts and is overwhelming in floods.  This isn't necessarily the kind of stability you want in an electric power source.&lt;br /&gt;&lt;br /&gt;There are other environmental consequences in store if these small power sources become pervasive.  
Before Edison and Tesla invented electricity there were thousands of little dams all over New England producing power to run the mills -- their traces can still be seen today. The environmental effects were serious, not some tiny meaningless snail. Among other effects, they destroyed the Atlantic salmon industry, put fishermen out of business and eliminated a source of healthy food.&lt;br /&gt;&lt;br /&gt;But there are many rivers that already have many small dams to provide flat water for barge transportation. The McClellan-Kerr Arkansas River navigation system is one example, extending for 445 miles from Oklahoma to the Mississippi River, with 18 locks and dams. Power turbines could easily be added onto them without further damage to the environment.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-250367719715892562?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/250367719715892562'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/250367719715892562'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#250367719715892562' title='Small-scale water power'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-7453636464245966079</id><published>2008-10-13T10:09:00.003-05:00</published><updated>2009-03-15T13:20:01.437-05:00</updated><title type='text'>The Black Swan</title><content type='html'>A colleague of mine pointed out a very nice review from April '07 in the &lt;a 
href="http://www.opinionjournal.com/la/?id=110009979"&gt;WSJ Opinion Online&lt;/a&gt; section at http://www.opinionjournal.com/la/?id=110009979.  Its author, David Shaywitz, insightfully captures the key explanations for why we don't pay as much attention to these events as we should.&lt;br /&gt;&lt;blockquote&gt;We eagerly romp with [Taleb] through the follies of confirmation bias (our tendency to reaffirm our beliefs rather than contradict them), narrative fallacy (our weakness for compelling stories), silent evidence (our failure to account for what we don't see), ludic fallacy (our willingness to oversimplify and take games or models too seriously), and epistemic arrogance (our habit of overestimating our knowledge and underestimating our ignorance).&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-7453636464245966079?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7453636464245966079'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7453636464245966079'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#7453636464245966079' title='The Black Swan'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-2644274440692674361</id><published>2008-08-16T17:57:00.004-05:00</published><updated>2009-03-15T13:20:37.691-05:00</updated><title type='text'>We don't explain the news, we just report it...</title><content type='html'>In a complicated world, in order to react effectively to the news you often 
need to have substantial background information.  But the institutions for giving people that background information are shockingly weak.   Jay Rosen's PressThink has an article "&lt;a href="http://journalism.nyu.edu/pubzone/weblogs/pressthink/2008/08/13/national_explain.html"&gt;National Explainer: A Job for Journalists on the Demand Side of News&lt;/a&gt;" where he identifies the problem.&lt;br /&gt;&lt;br /&gt;In science we have the convention of the review article, which takes a whole bunch of more focused, technical reports and ties them together so that they form a coherent picture. General journals such as Science and Nature have a standard section in each weekly issue where they always publish two or three reviews. There's even a specialty publisher, &lt;a href="http://www.annualreviews.org/"&gt;Annual Reviews&lt;/a&gt;, who produce highly influential books containing nothing but review articles in each of 37 different subject areas.  &lt;p&gt;When a scientist wants to investigate research in some new area of knowledge, the obvious approach is to look at the latest textbooks in the area, then find the review articles, then use them to look at the in-depth monograph volumes, followed by the specialized, polished journal articles, the less polished but more current conference proceedings, and finally the cutting edge but not fully vetted preprint archives and tech reports on personal websites. At each level you get less background explanation and stronger assumptions that the reader is fully up to speed on the concepts and issues. But each article also has references back to other articles for more context. The phrase "for reviews, see (ref1,ref2, etc.)" is practically obligatory.&lt;/p&gt;  &lt;p&gt;Why doesn't journalism have a similar structure? 
Is the news review article an empty ecological niche waiting for an entrepreneur to fill it?&lt;/p&gt;Rosen suggests that &lt;a href="http://www.propublica.org/"&gt;Pro Publica&lt;/a&gt; might be one candidate to fill that niche.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-2644274440692674361?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2644274440692674361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/2644274440692674361'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#2644274440692674361' title='We don&apos;t explain the news, we just report it...'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-7619403907478667884</id><published>2008-08-06T21:15:00.003-05:00</published><updated>2009-03-15T13:22:38.981-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='economic security'/><title type='text'>Economics Does Not Lie -- sez you!</title><content type='html'>&lt;div style="font-style: italic;" class="story_dek"&gt;"The dismal science is at last a &lt;span style="font-style: normal;"&gt;science&lt;/span&gt;—and the world is the beneficiary."&lt;/div&gt;&lt;br /&gt;In this article at &lt;a href="http://www.city-journal.org/2008/18_3_economics.html"&gt;http://www.city-journal.org/2008/18_3_economics.html&lt;/a&gt;, Guy Sorman proposes 10 laws of economics that he believes qualify it as an authentic science.  
In his relentlessly pro-capitalist discussion, he fails to mention an important consequence of information asymmetry: Unrestricted markets destroy themselves. The rich get richer faster than the poor, because the rich can afford better advice on how to invest their money.  Without strong regulation, this leads inevitably to monopoly or oligopoly in which the number of participants falls below that needed to function as a market.  Stable pricing solutions do not exist when this kind of positive feedback occurs.&lt;br /&gt;&lt;br /&gt;Of course there are as many rich fools who can't distinguish good advice from bad as there are poor fools, and there are a lot of fools giving investment advice, but not even the internet and exchange-traded funds have eliminated this asymmetry.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-7619403907478667884?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7619403907478667884'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7619403907478667884'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#7619403907478667884' title='Economics Does Not Lie -- sez you!'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-1259446136034243917</id><published>2008-08-02T12:33:00.004-05:00</published><updated>2009-03-15T13:23:31.311-05:00</updated><title type='text'>Sinclair's Law of Perverse Educational Incentives</title><content type='html'>"It is difficult to get a man to understand something
when his salary depends on his not understanding it."&lt;br /&gt;&lt;br /&gt;- Upton Sinclair (1935) &lt;span style="font-style: italic;"&gt;I, Candidate for Governor: And How I Got Licked&lt;/span&gt;, ISBN 0-520-08198-6&lt;br /&gt;&lt;br /&gt;Many of the paradoxes of why computer security is so bad can be attributed to perverse incentives, where doing bad things is more profitable than doing good things.  Sinclair's law is one of the reasons that it is so difficult to teach people good security practices.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-1259446136034243917?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1259446136034243917'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1259446136034243917'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#1259446136034243917' title='Sinclair&apos;s Law of Perverse Educational Incentives'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-5249382339255524395</id><published>2008-06-03T21:02:00.003-05:00</published><updated>2009-03-15T13:24:28.732-05:00</updated><title type='text'>Evolution is "only a theory". Yeah, right.</title><content type='html'>&lt;span style="font-family:arial;"&gt;"The fact that biological populations evolve is not in question," he said. "Evolution is an easily observable phenomenon, and has been documented beyond any reasonable doubt. 
The 'theory' part of evolutionary theory concerns the experiments, observations, and models that explain how populations evolve."&lt;br /&gt;-- David Hillis, a biology professor at the University of Texas at Austin, quoted in a Houston Chronicle story today, titled &lt;/span&gt;&lt;a style="font-family: arial;" href="http://www.chron.com/disp/story.mpl/metropolitan/5815344.html"&gt;&lt;span class="storyheading3"&gt;Debate brewing over how to teach science&lt;/span&gt;&lt;br /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;Couldn't have said it better myself.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-5249382339255524395?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5249382339255524395'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5249382339255524395'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#5249382339255524395' title='Evolution is &quot;only a theory&quot;. 
Yeah, right.'/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-8558506632685518647</id><published>2007-09-16T22:59:00.000-05:00</published><updated>2007-09-16T23:05:57.323-05:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight: bold;"&gt;Entrust Identity Guard&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Treasury Direct appears to be using the &lt;a href="http://www.entrust.com/strong-authentication/mutual-authentication/methods.htm"&gt;IdentityGuard&lt;/a&gt; product from Entrust, with the Entrust logo removed.  Entrust &lt;a href="http://www.gridtoday.com/grid/588637.html"&gt;owns&lt;/a&gt; patent &lt;a href="http://www.google.com/patents?id=nUYeAAAAEBAJ&amp;amp;dq=5,712,627"&gt;5,712,627&lt;/a&gt;, which claims to cover all forms of grid-based authentication.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-8558506632685518647?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8558506632685518647'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8558506632685518647'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#8558506632685518647' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-7212116541345773657</id><published>2007-09-15T10:20:00.000-05:00</published><updated>2007-09-15T10:45:26.275-05:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight: bold;"&gt;Card-based authentication&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;One of the most secure websites I know of is operated by the U.S. Government, which has received much deserved scorn for its weak security in other areas.  &lt;a href="http://www.treasurydirect.gov/"&gt;Treasury Direct&lt;/a&gt; is in the process of introducing a multifactor authentication system based on a lookup card.&lt;br /&gt;&lt;br /&gt;The website already uses a virtual keyboard that foils simple keystroke loggers (though not malware that captures the screen or the mouse); their Access Card adds a further level of authentication by requiring a 3-character one-time PIN that can only be obtained from the layout of characters on a grid printed on the card, a layout that is unique to each card and known only to the Treasury and to the holder of the card. Details of Treasury Direct authentication are on their security page at &lt;a href="http://www.treasurydirect.gov/indiv/help/TDHelp/help_ug_274-SecFeaturesProtectAcctLearnMore.htm"&gt;http://www.treasurydirect.gov/indiv/help/TDHelp/help_ug_274-SecFeaturesProtectAcctLearnMore.htm&lt;/a&gt;. The page includes a demo of the Access Card system.&lt;br /&gt;&lt;br /&gt;Most OTP systems also produce a short code, typically six digits, but there the computation is performed by electronics in a token issued to the user.  While prices of these tokens are very low for an electronic device, the price of a passive laminated card is far lower.&lt;br /&gt;&lt;br /&gt;The security of the card is not as great as that of a token, since the keyspace produced by a six-digit token consists of 1,000,000 values, while the keyspace produced by the card is three of (26 letters + 10 digits), i.e. 36&lt;sup&gt;3&lt;/sup&gt;=46,656 possible keys. What matters in practice is the chance of a lucky guess per attempt, 1 in 46,656 versus 1 in 1,000,000, combined with how few attempts the server allows before locking the account. A passive card also has a weakness a token does not: every challenge an attacker watches being answered, for example through a phishing page that relays the genuine site's challenge, reveals the grid cells it asked for, and after enough observed logins the attacker effectively holds a copy of the card.
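&lt;br /&gt;&lt;br /&gt;As an added illustration, not code from Treasury Direct and not part of the original post, the Python below models a grid card of the kind described above: the server keeps a copy of the card, challenges the user with a few cell coordinates, and checks the symbols the user reads back. The 5-by-10 layout, the three-cell challenge and the sample numbers are assumptions made for the example, since the real card's dimensions are not given here; the last two functions put numbers on the two caveats above, the per-attempt guessing probability and how quickly observed logins expose the card.

```python
import hmac
import random
import string

# Added example (not Treasury Direct's code). A grid card is a passive table of
# symbols; the server stores a copy, challenges the user with a few cell
# coordinates, and expects the symbols found there. Dimensions are an assumption.
ALPHABET = string.ascii_uppercase + string.digits   # 26 letters + 10 digits = 36
ROWS, COLS = 5, 10                                   # hypothetical card layout
CHALLENGE_LEN = 3                                    # cells asked for per login


def make_card(rng=None):
    """Issue one card: a mapping from (row, col) to symbol, drawn from the OS CSPRNG."""
    rng = rng or random.SystemRandom()
    return {(r, c): rng.choice(ALPHABET) for r in range(ROWS) for c in range(COLS)}


def make_challenge(card, n=CHALLENGE_LEN, rng=None):
    """Pick n distinct cells for the user to look up, e.g. [(1, 3), (4, 0), (0, 7)]."""
    rng = rng or random.SystemRandom()
    return rng.sample(sorted(card), n)


def expected_response(card, challenge):
    """What the legitimate card holder reads off the card for this challenge."""
    return "".join(card[cell] for cell in challenge)


def verify(card, challenge, response):
    """Server-side check. Normalise case, then compare in constant time so that a
    wrong first character fails no faster than a wrong last one."""
    expected = expected_response(card, challenge).encode()
    return hmac.compare_digest(expected, response.strip().upper().encode())


def keyspace(n_chars, alphabet=ALPHABET):
    """Number of possible responses: 36**3 = 46,656 for the card, 10**6 for a token."""
    return len(alphabet) ** n_chars


def guess_success_probability(n_chars, attempts, alphabet=ALPHABET):
    """Chance that a blind guesser succeeds within `attempts` tries before lockout,
    assuming the server issues a fresh random challenge for every attempt."""
    p = 1 / keyspace(n_chars, alphabet)
    return 1 - (1 - p) ** attempts


def cells_exposed(observed_challenges):
    """Cells an eavesdropper has learned after seeing these challenges answered
    (e.g. via a phishing page that relays the genuine site's challenge)."""
    seen = set()
    for challenge in observed_challenges:
        seen.update(challenge)
    return len(seen)


def expected_cells_exposed(k, n=CHALLENGE_LEN, total=ROWS * COLS):
    """Expected number of distinct cells revealed by k answered challenges.
    Each challenge includes any given cell with probability n/total."""
    return total * (1 - (1 - n / total) ** k)


if __name__ == "__main__":
    rng = random.Random(2007)           # seeded only so the demo is reproducible
    card = make_card(rng)
    challenge = make_challenge(card, rng=rng)
    answer = expected_response(card, challenge)
    print("challenge:", challenge, "response:", answer, "verified:", verify(card, challenge, answer))
    print("keyspace 3 chars:", keyspace(3), " 4 chars:", keyspace(4))
    print("P(guess within 3 tries):", guess_success_probability(3, 3))
    print("cells known after 12 observed logins:", round(expected_cells_exposed(12), 1))
```

Run it directly for one challenge/response round. With three cells revealed per login, the expected-exposure formula says about half of a 50-cell card is known after a dozen observed logins, which is why a passive card should be replaced periodically and why its holder must answer challenges only on the genuine site.&lt;br /&gt;&lt;br /&gt;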
 Adding a fourth character to the card would create a keyspace  of  1,679,616 possibilities, but this was apparently  determined to be  too much of an imposition on the user.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-7212116541345773657?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7212116541345773657'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7212116541345773657'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#7212116541345773657' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-8730191033077804820</id><published>2007-09-10T00:33:00.000-05:00</published><updated>2007-09-10T00:36:06.295-05:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight: bold;"&gt;Mass-market one-time passwords&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;div id="idOWAReplyText50730" dir="ltr"&gt; &lt;div dir="ltr"&gt;&lt;span style="font-size:85%;"&gt;Bank of America has recently introduced a program called SafePass that uses a phone or  token to provide a 6-digit one-time password that can be used for large amount  transactions, registration of a new PC with their SiteKey system and other  high-risk situations.  The OTP can be sent to a phone as a text message, or  created by a token that costs $14.95.  
But it requires JavaScript and Flash on the browser to work, which seems to me to be introducing unneeded sources of vulnerability.&lt;/span&gt;&lt;/div&gt;&lt;/div&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;Anyway, one more step in the evolution of best common practice...&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-8730191033077804820?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8730191033077804820'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8730191033077804820'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#8730191033077804820' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-5353364510601519123</id><published>2007-08-12T21:03:00.000-05:00</published><updated>2007-08-12T21:15:26.356-05:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight: bold;"&gt;Asset management&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;How should your organization react when an employee loses a PC?  The reaction should vary depending on the nature of the information stored on it.  If the information includes a database with personally identifiable information about employees, customers or other persons, you may have to notify every person in the database.  But before you can understand what's on those PCs, you have to know who has them.  Maybe some of them are lost?
How do you know?&lt;br /&gt;&lt;br /&gt;We hope you're not in the sad situation of NASA, which received this response to a request to confirm possession of one:&lt;br /&gt;&lt;blockquote&gt;This computer, although assigned to me, was being used on board the International Space Station.  I was informed that it was tossed overboard to be burned up in the atmosphere when it failed.&lt;/blockquote&gt;The Government Accountability Office documented more than $94 million in equipment losses by the agency over the past 10 years.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-5353364510601519123?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5353364510601519123'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/5353364510601519123'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#5353364510601519123' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-8054832666846681671</id><published>2007-06-11T19:01:00.000-05:00</published><updated>2007-06-11T19:11:41.244-05:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight: bold;"&gt;Flawed Symantec update cripples Chinese PCs&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;From the Risks Digest,&lt;br /&gt;&lt;a href="http://catless.ncl.ac.uk/Risks/24.68.html#subj6.1"&gt;http://catless.ncl.ac.uk/Risks/24.68.html#subj6.1&lt;/a&gt;.
This isn't quite cyberAIDS; it's more like an &lt;a href="http://en.wikipedia.org/wiki/Iatrogenic"&gt;iatrogenic&lt;/a&gt; disorder.&lt;br /&gt;&lt;br /&gt;&lt;address&gt;"Peter G. Neumann" &amp;lt;neumann@csl.sri.com&amp;gt;&lt;/address&gt; &lt;i&gt;Thu, 24 May 2007 12:58:05 PDT&lt;/i&gt;  [TNX to Keith A Rhodes.  PGN]&lt;br /&gt;&lt;br /&gt;An erroneous Symantec antivirus signature update caused Norton Internet Security 2007 and Norton 360 antivirus software to identify two critical system files (netapi32.dll and lsasrv.dll) as the Backdoor.Haxdoor Trojan in the Simplified Chinese version of Windows XP (with Service Pack 2 and a particular patch), resulting in those files being quarantined.  As a result, millions of PCs throughout China were crippled, unable to be rebooted. "According to Symantec, the problem was caused when Symantec made a change to the automated process used by the company's security response team to detect malicious software."  [Source: Article by Aaron Tan, CNET News.com; PGN-ed]&lt;br /&gt;&lt;a href="http://news.com.com/Flawed+Symantec+update+cripples+Chinese+PCs/2100-1002_3-6186271.html?tag=st.ref.goo"&gt;http://news.com.com/Flawed+Symantec+update+cripples+Chinese+PCs/2100-1002_3-6186271.html?tag=st.ref.goo&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.cctv.com/program/bizchina/20070524/103599.shtml"&gt;http://www.cctv.com/program/bizchina/20070524/103599.shtml&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-8054832666846681671?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/8054832666846681671'/><link rel='self' type='application/atom+xml'
href='http://www.blogger.com/feeds/4138788/posts/default/8054832666846681671'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#8054832666846681671' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-7540322450859078894</id><published>2007-06-09T21:04:00.000-05:00</published><updated>2007-06-09T21:39:03.566-05:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight: bold;font-size:100%;"&gt;The Myth of Provable Correctness as a Security Solution&lt;/span&gt;&lt;br /&gt;&lt;p&gt;I actually wrote this in January 2002.  I was reorganizing some old files and rediscovered it.  It's never been published anywhere:&lt;/p&gt;&lt;p class="MsoNormal"&gt;Computer Science departments teach courses in program verification based on the thesis that algorithms are mathematical objects, so that statements about their properties can be proven correct with the same absolute assurance that applies to the statement that “the prime factors of 330 (base ten) are 2, 3, 5 and 11”. If we would only take the trouble to prove our programs correct, we would save ourselves worlds of trouble in the long run [Note 1]. What does it take to prove that a small program written in a high-level language will execute as intended? If you believe the textbooks, just a knowledge of logic. In reality, you need proofs of the correctness of several objects:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;The small target program&lt;/li&gt;&lt;li&gt;The compiler for the language that the target program is written in&lt;/li&gt;&lt;li&gt;The source code for the runtime
library modules for the language the target program is written in&lt;/li&gt;&lt;li&gt;The compiler(s) for the language(s) the runtime library modules are written in&lt;/li&gt;&lt;li&gt;The source code for the operating system the target program will run on&lt;/li&gt;&lt;li&gt;The compiler(s) for the language(s) the operating system is written in [Note 2]&lt;/li&gt;&lt;li&gt;The compilers and OS are enormous programs that cannot be proved correct by hand, so theorem-proving tools must be used. These must be proven correct, too:&lt;/li&gt;&lt;li&gt;The theorem-proving tools&lt;/li&gt;&lt;li&gt;The language processor(s) for the language(s) that the proof tools are written in&lt;/li&gt;&lt;li&gt;The processor, memory and I/O logic of the computer the OS and program run on all need to function correctly; they need proofs, too.&lt;/li&gt;&lt;li&gt;Almost nobody has designed and built a computer completely by hand since the 1950s, so all the design tools need to be proven correct:&lt;/li&gt;&lt;li&gt;The VLSI design tools&lt;/li&gt;&lt;li&gt;The PC board layout tools&lt;/li&gt;&lt;li&gt;The language processors for the language(s) that the tools were written in&lt;/li&gt;&lt;li&gt;The OS that the tools run on&lt;/li&gt;&lt;li&gt;The hardware design of the computer that the tools run on&lt;/li&gt;&lt;/ul&gt;&lt;p class="MsoNormal" style="margin-left: 21pt;"&gt;Remember, these are tools that were used to design the computer that we’re actually interested in, so we have a bootstrap situation that requires proofs of correctness all the way back to the stage when the entire system actually was completely designed and assembled by hand from primitive parts and machine language instructions toggled in by hand.&lt;/p&gt;&lt;p class="MsoNormal"&gt;Last of all, you need a proof that your model
of the physics of the hardware your computer is built out of is correct. Current consensus in the philosophy of science is that, regardless of the fact that the doped silicon that integrated circuits are made from is perhaps the most accurately characterized material known to man, no scientific theory can be proven correct; it can only be falsified [Note 3].&lt;/p&gt;&lt;p class="MsoNormal"&gt;You might consider the specific hardware used to implement your system’s security irrelevant – after all, a bit is a bit – but consider these two examples. First, certain types of scanning electron microscopes can detect the set or reset state of the memory cells of ROMs or EPROMs without reading them via the normal data access ports [Note 4]. Second, in 1998 Paul Kocher, Joshua Jaffe, and Benjamin Jun discovered Differential Power Analysis, which uses variations in the amount of power a cryptographic module consumes when it performs the same operation (e.g. a multiply) on different values to vastly reduce the number of trials needed to guess a secret key [Note 5].
Smartcards and cryptographic modules have been redesigned since then to reduce the effectiveness of this class of attack, but without that redesign it would be possible to recover the secret key that protects the information in a card or module without opening it and triggering its tamper-response self-destruct.&lt;/p&gt;&lt;h4&gt;&lt;i&gt;A Foundation of Trust&lt;/i&gt;&lt;/h4&gt;&lt;p class="MsoNormal"&gt;Not only do you need proofs for every element and every step of the design, elaboration, and execution platforms, but you also need to be assured that the process has not been tampered with in any of the transitions between stages.&lt;/p&gt;&lt;p class="MsoNormal"&gt;Ken Thompson, in his 1984 Turing Award Lecture [Note 6], showed how Trojan Horse code could be created that not only did not appear in the source code for the host program, but would also not appear in the source code for the compiler of the program: the compiler binary recognized when it was compiling itself and re-inserted the Trojan, so rebuilding the compiler from clean source did not remove it. It is not known whether Thompson’s technique has ever been exploited, but it stands as a warning that if you haven’t done every single one of the proofs listed in the previous section yourself, you can’t really be absolutely sure that nobody has inserted a Trojan Horse into one of the intermediate files and invalidated all your careful work.&lt;/p&gt;&lt;p class="MsoNormal"&gt;“Trust no one” is unfeasible; you have to trust somebody, and you have to decide who to trust, how much to trust them, and why to trust them.
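&lt;/p&gt;&lt;p class="MsoNormal"&gt;To make Thompson’s construction concrete, here is a toy model of it in Python. It is an added example, not Thompson’s code and not part of the 2002 essay: both “source” and “binary” are plain Python text, an honest compiler is the identity function, and running a binary means handing it to exec(). The login program, its master password and the compiler sources are constructed for the example. The tampered compiler recognizes the compiler’s own source and re-emits itself, and recognizes the login program and splices in a master password, so the Trojan survives any number of rebuilds from clean, audited source. The last function goes one step beyond the essay: it is the diverse double-compiling check described by David A. Wheeler (2005), which compiles the same source with an independent, trusted compiler and compares the two outputs.&lt;/p&gt;

```python
import textwrap

# Added example: a toy model of the compiler attack in Thompson's "Reflections on
# Trusting Trust". Not Thompson's code and not from the essay above. To keep it
# small, "source" and "binary" are both Python text and an honest compiler is
# the identity function; a binary is "run" by handing it to exec().

CLEAN_COMPILER_SRC = "def compile(src):\n    return src\n"

# Constructed sample program. Nothing in this source mentions a master password.
LOGIN_SRC = textwrap.dedent('''
    USERS = {"alice": "correct horse"}

    def login(user, password):
        return USERS.get(user) == password
''')

# Template for the trojaned compiler binary. The %r slot is filled with the
# template's own text (a quine), so the binary can re-emit itself whenever it is
# asked to compile a compiler, even one built from perfectly clean source.
TROJAN_TEMPLATE = textwrap.dedent('''
    TEMPLATE = %r

    def compile(src):
        if "def compile(" in src:
            # compiling a compiler: ignore the honest source, emit a copy of me
            return TEMPLATE %% TEMPLATE
        if "def login(" in src:
            # compiling login: splice a master password in after the def line
            out = []
            for line in src.splitlines(keepends=True):
                out.append(line)
                if line.lstrip().startswith("def login("):
                    out.append('    if password == "letmein": return True\\n')
            return "".join(out)
        return src
''')
TROJAN_COMPILER_BIN = TROJAN_TEMPLATE % TROJAN_TEMPLATE


def load(binary):
    """'Run' a binary: execute its text and return the names it defines."""
    namespace = {}
    exec(binary, namespace)
    return namespace


def compile_with(compiler_bin, src):
    """Use an existing compiler binary to compile some source text."""
    return load(compiler_bin)["compile"](src)


def rebuild_compiler(compiler_bin):
    """Rebuild the compiler from its clean, audited source using an existing binary.
    This is the step people assume removes any tampering from the binary."""
    return compile_with(compiler_bin, CLEAN_COMPILER_SRC)


def build_login(compiler_bin):
    """Compile the login program and return the resulting login() function."""
    return load(compile_with(compiler_bin, LOGIN_SRC))["login"]


def ddc_mismatch(suspect_bin, trusted_bin, src=CLEAN_COMPILER_SRC):
    """Diverse double-compiling (Wheeler): compile the same source with a suspect
    compiler and an independent trusted one; differing output exposes tampering.
    In this toy the clean source text doubles as a trusted compiler binary."""
    return compile_with(suspect_bin, src) != compile_with(trusted_bin, src)


if __name__ == "__main__":
    # One tampered binary, then generations rebuilt from clean source only.
    gen = TROJAN_COMPILER_BIN
    for generation in range(3):
        gen = rebuild_compiler(gen)
    login = build_login(gen)
    print("trojan survived 3 clean rebuilds:", gen == TROJAN_COMPILER_BIN)
    print("login('alice', 'letmein') with rebuilt compiler:", login("alice", "letmein"))
    print("DDC flags the rebuilt compiler:", ddc_mismatch(gen, CLEAN_COMPILER_SRC))
```

&lt;p class="MsoNormal"&gt;Run it directly and the compiler rebuilt three times from clean source still produces a login that accepts the master password for any user, while neither the compiler source nor the login source contains a trace of it; only comparison against an independently built compiler reveals the difference, which is exactly the question of whom to trust that the essay turns to next.&lt;/p&gt;&lt;p class="MsoNormal"&gt;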
The highest level of trust comes from a deep, longstanding relationship based on shared goals and experiences, but because computer systems are so complex and the industry is so dynamic, that’s also unfeasible for most of us. You will often have to trust people and organizations that you don’t know personally.&lt;/p&gt;&lt;h4&gt;&lt;i&gt;Who Must You Trust?&lt;/i&gt;&lt;/h4&gt;&lt;p class="MsoNormal"&gt;Most users of computer systems are unaware of the multiplicity of organizations that participate in the development and operation of those systems. Not only are there hardware, OS, application and network providers, but each of these is a huge organization that uses not only permanent employees but individual contract and temporary workers, and subcontracts significant elements of its products and production processes to third-party organizations. Those subcontractors often obtain major portions of their capacity from further sub-subcontractors. If you really must have a secure system, you have to verify the integrity of the “transitive closure” of all organizations involved in the system’s design, integration, and operation.&lt;/p&gt;&lt;p class="MsoNormal"&gt;Last of all, and most important, you have to trust your users. Information security has three ultimate goals: prevention of malicious denial of service, prevention of unauthorized data modification, and prevention of unauthorized information leakage. If your organization does not have sound business practices with effective management of who is authorized to modify any particular piece of information, then all your efforts to secure the system and network are worthless.&lt;/p&gt;&lt;p class="MsoNormal"&gt;All of these factors lead to an inescapable conclusion: it is impossible to be absolutely, incontrovertibly sure that there are no security holes in any activity that uses a modern computer.
There is always some risk that the hole is there; the task of the security analyst is to estimate how big that risk is, and to make sure that the controls on the risk are appropriate to the magnitude of the value that’s being protected.&lt;/p&gt;&lt;h2&gt;Notes&lt;/h2&gt;&lt;p class="MsoNormal"&gt;[Note 1] e.g. David Gries (1981) &lt;i&gt;The Science of Programming&lt;/i&gt;. Springer-Verlag, New York.&lt;/p&gt;&lt;p class="MsoNormal"&gt;[Note 2] Most OSes are written in at least two languages. Early versions of Unix, for example, were written in C and the &lt;i&gt;as&lt;/i&gt; assembler.&lt;/p&gt;&lt;p class="MsoNormal"&gt;[Note 3] This view originated with Karl Popper (1959) &lt;i&gt;The Logic of Scientific Discovery&lt;/i&gt;. Harper &amp;amp; Row, New York.&lt;/p&gt;&lt;p class="MsoNormal"&gt;[Note 4] This is the reason that the U.S. government has specified requirements for making cryptographic modules tamper-resistant, so that they will clear their memories if physically opened to provide access to the silicon chips they contain. Federal Information Processing Standards Publication 140-2 (2001) &lt;i&gt;Security Requirements for Cryptographic Modules&lt;/i&gt;. Available online at &lt;a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf"&gt;http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf&lt;/a&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;[Note 5] See, for example, &lt;a href="http://cryptography.com/dpa/"&gt;http://cryptography.com/dpa/&lt;/a&gt;&lt;/p&gt;&lt;p class="MsoNormal"&gt;[Note 6] Ken Thompson, “Reflections on Trusting Trust”, &lt;i&gt;Communications of the ACM&lt;/i&gt;, Vol. 27, No. 8, August 1984, pp. 761-763.
Available online at &lt;a href="http://www.acm.org/classics/sep95/"&gt;http://www.acm.org/classics/sep95/&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-7540322450859078894?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7540322450859078894'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/7540322450859078894'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#7540322450859078894' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-1297858994779484261</id><published>2007-06-06T13:31:00.000-05:00</published><updated>2007-06-06T13:43:31.667-05:00</updated><title type='text'></title><content type='html'>&lt;font style="font-weight: bold;"&gt;Security is like quality, only more so&lt;/font&gt;&lt;br /&gt;&lt;br /&gt;Quality ensures that the system behaves as expected when used in intended or unintended ways with good intentions.&lt;br /&gt;&lt;br /&gt;Security ensures that the system behaves as expected when misused with bad intentions.&lt;br /&gt;&lt;br /&gt;This is a corollary of the well-known slogan: "it is difficult to make systems foolproof, because fools are so clever."  Hackers and crackers function as probability amplifiers for vulnerabilities in two ways.  Foolish users will encounter vulnerabilities simply due to random chance, but hackers search for vulnerabilities systematically.  
Benign users will attempt to avoid revisiting vulnerabilities, but malicious hackers and crackers will revisit vulnerabilities again and again until they are drained of all value to them.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-1297858994779484261?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1297858994779484261'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/1297858994779484261'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#1297858994779484261' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-116977829747882494</id><published>2007-01-25T20:19:00.000-06:00</published><updated>2007-01-25T20:24:57.490-06:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight:bold;"&gt;Lincoln's law of governmental confabulation:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;You can fool some of the people all of the time.  You can fool all of the people some of the time.  
But you can't fool all of the people all of the time.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Rove's corollary to Lincoln's Law&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;If you can fool 51% of the people all of the time, in a democracy you can rule forever.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;Political pundits who don't understand how President Bush can act as if he has a "mandate" when his approval ratings are so low, don't understand this.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-116977829747882494?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/116977829747882494'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/116977829747882494'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#116977829747882494' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-116752551271299827</id><published>2006-12-30T18:25:00.000-06:00</published><updated>2006-12-30T18:42:17.256-06:00</updated><title type='text'></title><content type='html'>&lt;p&gt;&lt;strong&gt;Iris scans for everyone&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;With all the paranoia about RFID, we can't forget that there are other remote-identity techniques out there. 
For example, the Sheriff of Galveston County, Texas has announced a &lt;a href="http://www.chron.com/disp/story.mpl/headline/metro/4432083.html"&gt;campaign to get a computer-readable signature of the iris pattern of every child and old person &lt;/a&gt;into a national database. He's one of more than 1800 sheriffs in 47 states who's on board with this. Who needs implantable verichips or bar-code tattoos when your eyes identify you? One more step towards the scenario in the film Minority Report.&lt;/p&gt;&lt;p&gt;Unlike RFIDs which radiate omnidirectionally, remote iris scanners don't work if you're not facing them, and they can of course be defeated by sunglasses or &lt;a href="http://www.preventblindness.org/Ohio/contactrels1005.pdf"&gt;contact lenses with fake irises&lt;/a&gt;. "The future's so bright, gotta wear shades."&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-116752551271299827?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/116752551271299827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/116752551271299827'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#116752551271299827' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-116560858469968927</id><published>2006-12-08T14:01:00.000-06:00</published><updated>2006-12-08T14:12:31.350-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;&lt;span style="font-family:arial;"&gt;More computer 
AIDS&lt;/span&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:arial;"&gt;AIDS stands for Acquired Immune Deficiency Syndrome. Computer AIDS is when a computer has some part of its "immune system" defenses against malware disabled by other malicious software. The first case of computer AIDS that I heard of was not malicious except to conspiracy theorists -- it involved a pre-release, beta version of Microsoft AntiSpyware that removed Symantec AntiVirus. Technically, it's an easy error to make in the signature base that searches for spyware, so I'm not in with the conspiracy fans. The problem was fixed in the production release.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:Arial;"&gt;There have been others since then that I'll catalog later. Today's case appeared in SANS NewsBites vol.8 no.97. It says&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;--Complaint Alleges Site Downloads Malware Surreptitiously&lt;br /&gt;(7 &amp;amp; 6 December 2006)&lt;br /&gt;The Center for Democracy and Technology (CDT) and StopBadware.org plan to file a complaint with the Federal Trade Commission (FTC) alleging that FastMP3Search.com.ar installs malware on people's computers when they believe they are installing a plug-in to download MP3 files. The complaint alleges the download disables the Windows Firewall, changes homepage settings and otherwise affects users' computers. 
The downloads are made without users' consent and are difficult to remove.&lt;br /&gt;&lt;a href="http://www.scmagazine.com/uk/news/article/608841/anti-spyware-groups-target-sham-music-website/"&gt;http://www.scmagazine.com/uk/news/article/608841/anti-spyware-groups-target-sham-music-website/&lt;/a&gt;&lt;br /&gt;&lt;a href="http://news.com.com/2102-7348_3-6141621.html?tag=st.util.print"&gt;http://news.com.com/2102-7348_3-6141621.html?tag=st.util.print&lt;/a&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-116560858469968927?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/116560858469968927'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/116560858469968927'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#116560858469968927' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-116144188450262506</id><published>2006-10-21T09:38:00.000-05:00</published><updated>2006-10-21T09:44:44.520-05:00</updated><title type='text'></title><content type='html'>The October 20 issue of the  &lt;a href="http://www.sans.org/newsletters/newsbites/newsbites.php?vol=8&amp;issue=83"&gt;SANS NewsBites&lt;/a&gt; contains this item:&lt;br /&gt;&lt;blockquote&gt;BEST RESPONSE TO THE CISO SURVIVAL NOTE&lt;br /&gt;&lt;br /&gt;I am currently serving as a contractor for the US Army as the Technical Chief Information Security Officer for several military networks in Stuttgart Germany. 
Three years ago, I was appointed to my current position, replacing an individual who treated the position as one of 'cop', 'you will do as I say'. I was appointed to the position, with the promise on my part, and orders on my boss's part, to turn information assurance into a service. My job, as I see it, is not to enforce standards, that is really the CIO's job, but to provide technical advice to the CIO, advice which would match his own risk acceptance profile. I'm responsible for security, he is responsible for providing services, and security impacts that in a very significant way. Faced with security problems, my office doesn't direct, we don't have the authority. We provide alternatives and recommendations. The people responsible for operations and maintenance of systems also must satisfy the needs of the CIO, and know full well that operations include security, and the CIO here has made that clear. So rather than working in opposition to the systems administrators, we are really working with them, toward the goal of meeting the CIO's expectations, though sometimes looking at the problem from different angles. Sometimes I must adjust, sometimes they must adjust. We rarely go before the CIO with a disagreement. When I first took this job, I received a lot of help, advice, from more experienced information assurance professionals in the Department of Defense. I was warned that it is a big mistake to try to think of security as a service. My experience has been that it is certainly more difficult, but my shop has been more successful. I have just been awarded the President's Award (essentially, employee of the year - 114 out of over 15,000 employees) for my efforts. I guess that was positive feedback.&lt;br /&gt;&lt;br /&gt;David M. 
Funk, CISSP, CISA Technical Chief of Information Security Computer Sciences Corp HQ USEUCOM&lt;/blockquote&gt;&lt;br /&gt;While avoiding responsibility is a useful survival tactic, it's an offense to the notion of "chief officer" over any business function.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-116144188450262506?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/116144188450262506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/116144188450262506'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#116144188450262506' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-114833542929681608</id><published>2006-05-22T16:47:00.000-05:00</published><updated>2006-05-22T17:03:49.306-05:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight: bold;"&gt;Cost of privacy breaches&lt;/span&gt;&lt;br /&gt;"According to Edward McNicholas, a partner in the law firm Sidley Austin, if you experience a security breach, 20 percent of your affected customer base will no longer do business with you, 40 percent will consider ending the relationship, and 5 percent will be hiring lawyers!  
"&lt;br /&gt;&lt;br /&gt;As reported by Michael Friedenberg, President and CEO of CIO.com, at &lt;a href="http://www.cio.com/archive/051506/ceo.html"&gt;http://www.cio.com/archive/051506/ceo.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-114833542929681608?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/114833542929681608'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/114833542929681608'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#114833542929681608' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-114727756370422104</id><published>2006-05-10T11:05:00.000-05:00</published><updated>2006-05-10T11:12:43.713-05:00</updated><title type='text'></title><content type='html'>Token-based authentication continues its slow migration into the mass-market environment. 
Citibank is now issuing tokens to its small and medium business customers in the US.&lt;br /&gt;&lt;br /&gt;But they're not the only one:&lt;br /&gt;"Citibank is one of the first US banks to take similar steps, with other American financial services firms opting for different approaches, such as PassMark a technology used by Bank of America and Alliance &amp;amp; Leicester in the UK."&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.vnunet.com/computing/news/2155249/citibank-introduces-anti"&gt;http://www.vnunet.com/computing/news/2155249/citibank-introduces-anti&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-114727756370422104?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/114727756370422104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/114727756370422104'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#114727756370422104' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-114685481448463866</id><published>2006-05-05T13:44:00.000-05:00</published><updated>2006-05-05T13:47:32.890-05:00</updated><title type='text'></title><content type='html'>Auto thieves are getting incredibly sophisticated in breaking through high-tech anti-theft measures, as &lt;a href="http://www.latimes.com/classified/automotive/highway1/yourwheels/la-hy-wheels8feb08,0,2648213.story?coll=la-class-highway1-yourwheels"&gt;this article &lt;/a&gt;in the LA Times describes.&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://www.latimes.com/classified/automotive/highway1/yourwheels/la-hy-wheels8feb08,0,2648213.story?coll=la-class-highway1-yourwheels"&gt;http://www.latimes.com/classified/automotive/highway1/yourwheels/la-hy-wheels8feb08,0,2648213.story?coll=la-class-highway1-yourwheels&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-114685481448463866?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/114685481448463866'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/114685481448463866'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#114685481448463866' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-113518876378632952</id><published>2005-12-21T12:12:00.000-06:00</published><updated>2005-12-21T12:21:58.030-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Why is Internet security broken?  Bad Economics&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;David Clark, who gained the title of The Internet Architect for his work on the original network protocols that we now live with, has argued that the Internet is broken, and it needs a complete redesign from the ground up. 
His views are reported in an article in Technology Review magazine, online in three parts at&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.technologyreview.com/InfoTech-Networks/wtr_16051,258,p1.html"&gt;http://www.technologyreview.com/InfoTech-Networks/wtr_16051,258,p1.html&lt;/a&gt;,&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.technologyreview.com/InfoTech-Networks/wtr_16055,258,p1.html"&gt;http://www.technologyreview.com/InfoTech-Networks/wtr_16055,258,p1.html&lt;/a&gt;,&lt;br /&gt;&lt;br /&gt;and &lt;a href="http://www.technologyreview.com/InfoTech-Networks/wtr_16056,258,p1.html"&gt;http://www.technologyreview.com/InfoTech-Networks/wtr_16056,258,p1.html&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Let's think about how Clark's reasoning would work in other networks that are already in existence. It's like saying that the road network is broken because bank robbers use it to get to the sites of their crimes, and they use roads to get away before the police can respond to capture them. So let's abandon roads, and replace them by an access-controlled system like railroads, where your train is allowed on the tracks only with the permission of the railroad owner.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;It's like what we already do for commercial passenger airlines, where you are allowed beyond the network gateway (the airport) only after passing invasive security checks. It's like the proposal that was raised after 9/11 to ban all "visual flight rules" private airplane usage, and require all aircraft to be under the strict management of the FAA Air Traffic Control system. Goodbye to your neighborhood light plane airport.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;Of course, as we find out later in the article, what's being proposed isn't actually a ground-up redesign of the Internet at all. What the National Science Foundation is actually spending hundreds of millions of dollars on is yet another overlay of patches and incremental improvements. 
This is good because the Internet already has been rearchitected for security -- there are fixes for all the complaints that people like Clark have that have already been approved, standardized, and incorporated into existing products, except for the most serious problem: implementations with security vulnerabilities.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The next version of TCP/IP, IPv6, has been around for over ten years, and includes end-to-end authentication and encryption, called IPSEC. IPSEC has been back-engineered into IPv4, and is available in every major OS, including Microsoft Windows XP and Symbian smartphones. Spam has three or four proposals that can have major impact on the problem. Fraudulent websites linked to by unauthenticated spam can be detected by simple browser plugins or in the browsers themselves. (For instance the &lt;a href="http://www.fraudeliminator.com/"&gt;FraudEliminator plugin&lt;/a&gt; or the latest &lt;a href="http://browser.netscape.com/ns8/"&gt;Netscape Browser&lt;/a&gt;.) DNS hijacking could be eliminated with authenticated lookup and transfer protocols that were approved years ago, but sites that have deployed them are incredibly rare.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;The problem of vulnerable implementations is symptomatic of a truly fundamental problem with the Internet: bad economic incentives. In the current architecture, the victim pays for security problems, and the cause of the problems, the provider who failed to implement well-known existing security measures adequately, gets off free. It's exemplified by the standard shrink-wrap verbiage that states this software is not good for anything and that the supplier is not responsible for any "indirect or consequential" damage due to defects.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;This is the classic problem that was famously addressed for automobiles in Ralph Nader's book "Unsafe at Any Speed", and is the reason for the existence of the U.S. Consumer Product Safety Commission. 
As long as software developers are exempt from the responsibilities applied to every other product sold to the public, they will continue to release software products that are insecure and dangerous to the financial health of their users.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;In my view, Clark's proposal is really a well-disguised pitch for funding of fun projects by techno-geeks. Research money that wants to be really effective in combating Internet security problems should be directed at making the economic incentives obvious, well-known, and well-documented, and the effectiveness of economic changes well-understood. The Computer and Information Sciences Directorate of the NSF isn't used to funding law professors and economists, but this is what is really needed.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-113518876378632952?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/113518876378632952'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/113518876378632952'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#113518876378632952' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-113440874851168709</id><published>2005-12-12T11:32:00.000-06:00</published><updated>2005-12-12T11:32:28.533-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Why enumeration-based antivirus tools don't work.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Marcus Ranum has criticized signature-based 
antivirus tools for "enumerating badness" in his recent article The Six Dumbest Ideas in Computer Security:  &lt;a href="http://www.ranum.com/security/computer_security/editorials/dumb/"&gt;http://www.ranum.com/security/computer_security/editorials/dumb/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Enumerating goodness doesn't work either.  A recent review of their Sygate Security Agent data by a large enterprise I work with found over 75,000 unique application names that have been run or are running on desktop systems.  Some fraction are malicious, but most are not.  My own Windows XP notebook PC logged 144,988 files on its most recent full-disk scan.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-113440874851168709?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/113440874851168709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/113440874851168709'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#113440874851168709' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-113414282529564202</id><published>2005-12-09T09:40:00.000-06:00</published><updated>2005-12-09T09:41:12.423-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Economic incentives to fight identity theft&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.finextra.com/fullstory.asp?id=14634"&gt;Korean banks forced to compensate hacking victims&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Making the enabler 
pay, rather than the victim, starting in September 2006.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-113414282529564202?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/113414282529564202'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/113414282529564202'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#113414282529564202' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-113105169426294637</id><published>2005-11-03T15:01:00.000-06:00</published><updated>2005-11-03T15:01:34.310-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Unintended Consequences of Rights Management with insecure technology&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;Someday computers will support trustworthy administrative frameworks that make this kind of shenanigans unnecessary.  
They won't necessarily stop, but at least they'll be unnecessary.&lt;/p&gt;&lt;br /&gt;&lt;p&gt;Sony CD protection &lt;a href="http://news.com.com/2100-7355_3-5926657.html"&gt;subverts the OS and installs hidden files&lt;/a&gt;&lt;/p&gt;&lt;br /&gt;&lt;p&gt;The file hiding capability is being &lt;a href="http://shorl.com/fidrumubrybydri"&gt;used by gamers to avoid anti-cheating features&lt;/a&gt; in their game.&lt;/p&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-113105169426294637?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/113105169426294637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/113105169426294637'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#113105169426294637' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-111543133753311836</id><published>2005-05-06T20:20:00.000-05:00</published><updated>2005-05-06T21:02:17.546-05:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight:bold;"&gt;Two-factor authentication for consumers&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;E*Trade Digital Security ID&lt;br&gt;&lt;br /&gt;&lt;a href="http://www.etrade.com/onlinesecurity"&gt;http://www.etrade.com/onlinesecurity&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;AOL PassCode&lt;br&gt;&lt;br /&gt;&lt;a 
href="http://www.corp.aol.com/products/brands_passcode.shtml"&gt;http://www.corp.aol.com/products/brands_passcode.shtml&lt;/a&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Unconfirmed:&lt;br /&gt;Commerce Bank commercial accounts.&lt;br /&gt;U.S.Bank - press release promising Verisign Go Security for 10,000 commercial accounts, no evidence of deployment.&lt;br /&gt;HSBC piloted SMS in Singapore and tokens in Brazil, but did not pursue broader uses.&lt;br /&gt;Bendigo Bank in Australia.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-111543133753311836?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/111543133753311836'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/111543133753311836'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#111543133753311836' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-111535678938954996</id><published>2005-05-06T00:15:00.000-05:00</published><updated>2005-05-06T00:19:49.406-05:00</updated><title type='text'></title><content type='html'>&lt;span style="font-weight:bold;"&gt;Secure Deletion of Data from Magnetic and Solid-State Memory &lt;/span&gt;&lt;br /&gt;&lt;p&gt; Peter Gutmann&lt;br /&gt; &lt;p&gt; This paper was first published in the Sixth USENIX Security Symposium Proceedings, San Jose, California, July 22-25, 1996&lt;br /&gt;&lt;/p&gt; &lt;p&gt;&lt;a 
href="http://www.cs.auckland.ac.nz/%7Epgut001/pubs/secure_del.html"&gt;http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-111535678938954996?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/111535678938954996'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/111535678938954996'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#111535678938954996' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-108618731209001361</id><published>2004-06-02T09:41:00.000-05:00</published><updated>2004-06-02T09:41:52.090-05:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;It's not your father's phone system.&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;Here is some guidance on what to do if you're thinking of running your own Internet-based phone system.  If you're using a "public" VoIP system like Vonage, they don't even pretend to be secure!&lt;br /&gt;&lt;br&gt;&lt;a href="http://www.securityfocus.com/infocus/1782"&gt;SecurityFocus HOME Infocus: H.323 Mediated Voice over IP: Protocols, Vulnerab&lt;/a&gt;: "Voice over IP (VoIP) can be a complex subject. Network security professionals may find the terminology foreign, and VoIP vulnerabilities are often misunderstood. 
This paper provides an overview of the H.323 protocol suite, its known vulnerabilities, and then suggests twenty rules for securing an H.323-based network. "&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-108618731209001361?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/108618731209001361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/108618731209001361'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#108618731209001361' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-108497888826202457</id><published>2004-05-19T10:01:00.000-05:00</published><updated>2004-05-19T10:01:28.263-05:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Cost of information leak: $5.00 - $1000 per person&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;This story from Japan's Mainichi Interactive titled &lt;a href="http://mdn.mainichi.co.jp/news/20040517p2a00m0dm009000c.html"&gt;Internet customers sue Yahoo BB operator over info leak&lt;br /&gt;&lt;/a&gt; provides two data points on the cost of losing control of customer information.   Yahoo's leak, alleged to have been committed by a Yahoo employee, involved something between 3.8 million and 4.6 million customers -- at $1000 each, their liability could be equal to two years worth of revenue.   
A subcontractor of Yahoo Japan, Softbank Corp., has taken responsibility for the incident and promised to send about $5 to each one, for a total of about $40 million.&lt;br /&gt;&lt;p&gt;The really expensive security incidents always seem to involve insiders.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-108497888826202457?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/108497888826202457'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/108497888826202457'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#108497888826202457' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-108377243741455276</id><published>2004-05-05T10:53:00.000-05:00</published><updated>2004-05-05T10:58:15.983-05:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;How to write really secure code&lt;/strong&gt;&lt;p&gt;Many security professionals have never heard the phrase "safety critical system".  Working in commercial information technology, we think that "mission critical" is as sensitive as it gets, forgetting that there are computer controlled systems where a software failure may cause injury or loss of life.  The International Electrotechnical Commission (&lt;a href="http://www.iec.ch/"&gt;IEC&lt;/a&gt;) has been around since before there were computers, and its standard 61508 specifies how to design safety-critical systems.  
A recent article, &lt;a href="http://www.embedded.com/showArticle.jhtml?articleID=19201765"&gt;Embedded.com - Software safety by the numbers&lt;/a&gt; gives a nice introduction to the topic.  No C++ for you!&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-108377243741455276?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/108377243741455276'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/108377243741455276'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#108377243741455276' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-108103469226592445</id><published>2004-04-03T17:24:00.000-06:00</published><updated>2004-04-04T10:58:45.780-05:00</updated><title type='text'></title><content type='html'>CAIDA,the Cooperative Association for Internet Data Analysis, has a thorough analysis of the spread of the "Witty" worm at &lt;a href="http://www.caida.org/analysis/security/witty/"&gt;http://www.caida.org/analysis/security/witty/&lt;/a&gt;.  Witty was the first flash worm to carry a destructive payload.&lt;br /&gt;&lt;blockquote&gt;"After the sharp rise in initial coordinated activity, the Witty worm followed a normal exponential growth curve for a pathogen spreading in a fixed population. Witty reached its peak &lt;em&gt;after approximately 45 minutes&lt;/em&gt;, at which point &lt;em&gt;the majority of vulnerable hosts had been infected&lt;/em&gt;. 
After that time, the churn caused by dynamic addressing causes the IP address count to inflate without any additional Witty infections. At the peak of the infection, Witty hosts flooded the Internet with more than 90Gbits/second of traffic (more than 11 million packets per second)." (italics mine)&lt;/blockquote&gt;&lt;br /&gt;Witty proves that the visionaries who believe that network-based security is impossible, so we should rely on host-based security (IPv6 and "edge-to-edge" people, you know who you are) are as misguided as those who believe that firewalls can protect us all.&lt;br /&gt;&lt;p&gt;If you're at home, get yourself a hardware-based home firewall.  If you're an organization, make sure your firewalls are based on different OS's than your systems, and make sure your backups are up-to-date. &lt;br /&gt;&lt;p&gt;Best of all, start duplicating your critical data onto multiple different OS and hardware platforms.   No single platform is invulnerable to attack -- the more diversity you have, the more resistance you will have to catastrophic disaster.&lt;br /&gt;&lt;p&gt;And don't forget that there are other OS's than Windows and GNU/Linux/Unix.  Both HP and IBM have mainframes that are radically different in both hardware and software from mainstream systems.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-108103469226592445?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/108103469226592445'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/108103469226592445'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#108103469226592445' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-107955560371918098</id><published>2004-03-17T14:33:00.000-06:00</published><updated>2004-03-17T14:40:36.653-06:00</updated><title type='text'></title><content type='html'>On February 24, the &lt;a href="http://www.dhs.gov/dhspublic/theme_home1.jsp"&gt;Department of Homeland Security&lt;/a&gt; published its &lt;a href="http://www.dhs.gov/interweb/assetlibrary/DHS_StratPlan_FINAL_spread.pdf"&gt;Strategic Plan&lt;/a&gt;.  It includes information systems in two of its objectives. (italics mine)&lt;br /&gt;&lt;p&gt;Objective 3.3&lt;br /&gt;Protect against financial and &lt;em&gt;electronic crimes&lt;/em&gt;, counterfeit currency, illegal bulk currency movement and identity theft.&lt;br&gt;&lt;br /&gt;A principal component of homeland security is economic security, including protection of the Nation’s currency and financial payment systems. 
The Department of Homeland Security participates in task forces and other joint operations with the financial community and with federal, state, local and tribal law enforcement partners to investigate crimes targeting the stability, reliability and security of financial systems. &lt;em&gt;To prevent, detect and investigate various forms of electronic crimes, we will operate a nationwide network of Electronic Crimes Task Forces.&lt;/em&gt; We will maintain an overseas investigative presence where criminal groups engage in the counterfeiting of United States currency and other financial crimes targeting our homeland. International drug traffickers steal $20 to $30 billion annually from the United States economy. Much of these illegal funds are shipped out of the United States as bulk currency. This weakens our economy and strengthens the ability of the international drug traffickers to destabilize the governments of their countries by bribery or to finance terrorist activities. We will investigate, identify and seize out-bound shipments to take away this ability to fund illegal activities.&lt;br /&gt;&lt;p&gt;Objective 7.1&lt;br /&gt;Protect confidentiality and data integrity to ensure privacy and security.&lt;br&gt;&lt;br /&gt;Protecting vital and sensitive information, thus ensuring the privacy of American citizens, is important to the safety of the Nation. We will ensure the technologies employed sustain, and do not erode, privacy protections relating to the collection, use and disclosure of personal information. We will eliminate inappropriate access to confidential data to preserve the privacy of Americans. 
We will maintain an appropriate balance between freedom and safety consistent with the values of our society.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-107955560371918098?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107955560371918098'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107955560371918098'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#107955560371918098' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-107799579308114692</id><published>2004-02-28T13:16:00.000-06:00</published><updated>2004-02-28T13:19:23.076-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Parasitic ATM card scanners&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;We've heard of the thieves who install fake ATM machines in malls to capture cards and PINs.  We've heard of the thieves who use jackhammers to rip ATM machines out of banks and load them onto pickup trucks to crack later.  (An "offline" attack in computer parlance.) &lt;br /&gt;&lt;p&gt;Now we find that some very resourceful thieves have built an &lt;a href="http://www.utexas.edu/admin/utpd/atm.html"&gt;add-on module for ATM &lt;/a&gt;machines that scans the card in the same swipe that is used to feed the legitimate machine, and captures a video recording of the PIN entry.  The entire transaction is transmitted wirelessly to recorders in a nearby van.   
Diabolical is the only appropriate word.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-107799579308114692?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107799579308114692'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107799579308114692'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#107799579308114692' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-107565334300123430</id><published>2004-02-01T10:35:00.000-06:00</published><updated>2004-02-01T10:49:31.403-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Signed images&lt;/strong&gt;&lt;br&gt;&lt;br /&gt;These days, everyone knows how easy it is to modify a digital image to show something that never happened.  The slogan "pictures don't lie" is just a fond memory.  Now, &lt;a href="http://www.canon.com/"&gt;Canon&lt;/a&gt; has introduced a step back towards that confidence, with the &lt;a href="http://www.dpreview.com/news/0401/04012903canondvke2.asp"&gt;Canon Data Verification Kit&lt;/a&gt;.  This provides proof that if any faking occurred, it was done upstream of the camera in the chain of processing between the actual scene and the file of image data.  It will be especially helpful in situations where the camera is triggered automatically, and there is no human nearby to testify under oath that the image represents what was actually in view at the time of capture.
&lt;br /&gt;&lt;p&gt;Strictly speaking, we want &lt;a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf"&gt;FIPS-140-2&lt;/a&gt; assurance that the camera is difficult to tamper with internally, but this is a step in the right direction.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-107565334300123430?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107565334300123430'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107565334300123430'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#107565334300123430' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-107534228188817421</id><published>2004-01-28T20:11:00.000-06:00</published><updated>2004-01-28T20:23:02.890-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Privacy Nightmare&lt;/strong&gt;&lt;br&gt;&lt;br /&gt;&lt;a href="http://www.business2.com/b2/web/dumbest/winners/0,19265,,00.html"&gt;Business 2.0 - 101 Dumbest Moments in Business: Grand Prize Winners&lt;/a&gt;: "In October, a Pakistani woman doing cut-rate clerical work for the University of California at San Francisco Medical Center threatens to post patients' confidential files on the Internet unless she's paid money she says she's owed for her transcription work. 
Lubna Baloch claims she hasn't been paid the 3 cents a line promised by Tom Spires, a Texas man who got the assignment from Sonya Newburn, a Florida woman who got the job from Transcription Stat, a firm in Sausalito, Calif., that contracted to transcribe UCSF's records for 18 cents a line. "&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-107534228188817421?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107534228188817421'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107534228188817421'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#107534228188817421' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-107084110957727407</id><published>2003-12-07T17:51:00.000-06:00</published><updated>2003-12-07T17:52:50.466-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Was your electronic vote really counted?&lt;/strong&gt;  Or: ballot boxes will never go away.&lt;br /&gt;&lt;p&gt;It used to be that ballot-box stuffing was a purely local affair.  That's why in many precincts there are representatives from all the major political parties and independent poll-watchers, to make sure that no shenanigans were being pulled.  In developing democracies there are delegations of international representatives, like Jimmy Carter.
&lt;br /&gt;&lt;p&gt;Now if you used an electronic voting machine, there could be traps in the software that shade the counts in ways undetectable to anyone in the polling place.  Diebold Corporation, which makes voting machines used in many places, has come under attack for doing exactly this, possibly maliciously, possibly by accident.  Voters will never know, unless the machine prints a paper trail that can be used as an independent means of verifying the vote.&lt;br /&gt;&lt;p&gt;Our best, and possibly only, opportunity to require a voter-verifiable paper trail everywhere in the U.S. for the November 2004 election is "The Voter Confidence and Increased Accessibility Act of 2003 (H.R. 2239)" which was introduced earlier this year by Rep. Rush Holt. &lt;br /&gt;&lt;p&gt;VerifiedVoting.org is in the midst of a campaign to contact every Representative and Senator as many times as possible to let them know how much we care about passing this bill. All our representatives in Congress have been called many times in the last weeks by over 100 volunteers. You can view the results here: http://www.verifiedvoting.org/houseofreps.asp. &lt;br /&gt;&lt;p&gt;Since this effort started, THIRTY-NINE new co-sponsors have signed on. But the bill still sits in the House Administration Committee. &lt;br /&gt;&lt;p&gt;Clearly, 100 volunteers is not enough. Our Congresspeople need to know that many, many of us really care. It is very important not to lose the momentum we now have!! PLEASE take a moment to use the 1-800-839-5276 number and: &lt;br /&gt;&lt;p&gt;1) Call your Representative and ask their position on this bill. Tell them you support it. &lt;br /&gt;&lt;p&gt;2) Call your Senators and ask them to introduce a companion bill into the Senate. &lt;br /&gt;&lt;p&gt;3) Report the results of your calls to pass2239@verifiedvoting.org so they can update the data. 
&lt;br /&gt;&lt;p&gt;&lt;br /&gt;If you need information on the voting issue or HR2239, go to &lt;a href="http://www.verifiedvoting.org"&gt;http://www.verifiedvoting.org&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-107084110957727407?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107084110957727407'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107084110957727407'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#107084110957727407' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-107048320532582004</id><published>2003-12-03T14:26:00.000-06:00</published><updated>2003-12-03T14:27:41.280-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;references on the economics of security&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Security is worthless if it costs so much that you can't afford to use it.  Ross Anderson has a very good page of reaearch articles and books on the topic.
&lt;br /&gt;&lt;p&gt;&lt;br /&gt;&lt;a href="http://www.cl.cam.ac.uk/users/rja14/econsec.html"&gt;http://www.cl.cam.ac.uk/users/rja14/econsec.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-107048320532582004?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107048320532582004'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/107048320532582004'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#107048320532582004' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-106754429560612603</id><published>2003-10-30T15:09:00.000-06:00</published><updated>2003-10-30T15:09:00.356-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;return on security investment -- it's not impossible&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;&lt;br /&gt;The M.D. Anderson Cancer Center of the University of Texas is one organization that is actually making ROSI calculations produce useful results.   The accuracy of those numbers can be improved, but any numbers are far better than none at all.
&lt;br /&gt;&lt;p&gt;&lt;br /&gt;A more extensive writeup is at InternetWeek.com, &lt;a href="http://www.internetweek.com/shared/printableArticle.jhtml?articleID=15600902"&gt;http://www.internetweek.com/shared/printableArticle.jhtml?articleID=15600902&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-106754429560612603?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/106754429560612603'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/106754429560612603'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#106754429560612603' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-105807205067643403</id><published>2003-07-12T23:54:00.000-05:00</published><updated>2003-07-13T00:16:57.863-05:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;phone security?  what phone security?&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;The security of a multi-link data communications system is only as strong as its weakest link.  The phone system has some weak links that you may not know about.   The government, in order to accomplish legal wiretaps, attaches computer systems to all telephone switches, implementing a law called CALEA, the Communications Assistance for Law Enforcement Act, which was enacted  On Oct. 25, 1994.  But those computers are standard Sun Solaris workstations, and are not competently secured, according to Bob Cringely.  
Makes worrying about the cryptography in your digital cellular system seem like a waste of time.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Bob's column is at &lt;a href="http://www.pbs.org/cringely/pulpit/pulpit20030710.html"&gt;http://www.pbs.org/cringely/pulpit/pulpit20030710.html&lt;/a&gt;&lt;br&gt;&lt;br /&gt;Bob is also concerned about the DARPA proposal requesting development of a Terrorist Information Awareness (TIA) system.  The TIA has received a lot of frightened press coverage.   It's really a "star wars" kind of vision -- too complex to succeed as described.  But that doesn't mean it's not scary.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-105807205067643403?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/105807205067643403'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/105807205067643403'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#105807205067643403' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-95924401</id><published>2003-06-22T16:25:00.000-05:00</published><updated>2003-06-22T16:57:32.000-05:00</updated><title type='text'></title><content type='html'>&lt;b&gt;facts about IPv6 they don't want you to know&lt;/b&gt;&lt;br /&gt;&lt;p&gt;&lt;a href="http://www.isoc.org/"&gt;The Internet Society's&lt;/a&gt; latest Member Briefing continues the disinformation program from IPv6 advocates about the role of NAT in security.  Here's our brief response.  Beware of sarcasm.
&lt;br /&gt;&lt;ul&gt;&lt;br /&gt;&lt;li&gt;Legacy systems and applications don't exist.  IPv6 architects have no need to offer any network-level transition mechanisms.   Legacy systems can easily be discarded and replaced by dual-stack updates.  Legacy applications don't exist.  Every application that uses IPv4 must be rewritten.  "This is easy," they say.  Except if you don't have source code.  Sorry.&lt;br /&gt;&lt;li&gt;ISP's don't suffer meltdowns.  ATT's Frame Relay meltdown never happened.  Enron Broadband Services never went out of business.  Web hosting organizations don't need to have any way to support multiple ISP's in case they do.  Even if you want to contract with multiple ISP's the IPv6 address allocation authorities won't give you portable addresses.  Your carrier goes away, you'll have to readdress every host.  You thought getting telephone carriers to provide number portability was hard, just try dealing with the ICANN anarcho-fascists.  Sorry.&lt;br /&gt;&lt;li&gt;Network Address Translation (NAT) has no place in a network architecture.  They made a mistake when they allowed IPv6 site-local addresses (2&lt;sup&gt;80&lt;/sup&gt; per site), which are equivalent to IPv4 RFC1918 private 10.0.0.0/24 addresses.  Site-local addressing violates the end-to-end peer-to-peer principle that anyone who every used the terms "client" and "server" in other than a low-level technical sense is confused.   Nobody will ever think of using site-local addresses with NAT to achieve ISP independence.  Sorry.&lt;br /&gt;&lt;li&gt;NAT has no place in a network security architecture.  All IPv6-capable hosts will have perfect security designed in from the outset.  They will never have buffer overflow or misconfiguration vulnerabilities and can be placed into the hostile Internet with impunity.  Firewalls that recognize dynamic port assignment protocols are misdesigned, too.  
Analogies citing houses with locks on the doors and items inside that are not glued to the walls, and buildings with security desks in the lobby, not to mention customs and immigration inspection at national borders, are invalid.   IPSEC is a magic panacea that trumps all security concerns.  Sorry.&lt;br /&gt;&lt;/ul&gt;&lt;br /&gt;The offending article, just the straw that broke my security camel's back, is at &lt;a href="http://www.isoc.org/briefings/014/index.html"&gt;http://www.isoc.org/briefings/014/index.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-95924401?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/95924401'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/95924401'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#95924401' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-95380094</id><published>2003-06-06T13:20:00.000-05:00</published><updated>2003-06-08T17:36:51.000-05:00</updated><title type='text'></title><content type='html'>&lt;b&gt;more flash worms to come&lt;/b&gt;&lt;br /&gt;&lt;p&gt;Now that "how to" source code has been published in a mass market magazine, &lt;a href="http://www.wired.com/wired/archive/11.07/slammer.html?pg=1&amp;topic=&amp;topic_set="&gt;&lt;i&gt;Wired&lt;/i&gt;&lt;/a&gt;, everyone and his dog will know how to do it.  
Well, they'll have to do just a tad of research to find out the code has been out on &lt;a href="http://www.eeye.com/html/Research/Flash/AL20030125.html"&gt;Eeye's website &lt;/a&gt;for months...&lt;br /&gt;&lt;p&gt;"We believe in selling magazines, regardless of the impact on society", the magazine's editors are undoubtedly thinking to themselves.  This at least is a coherent capitalist philosophy.  Eeye's motives are just confused.&lt;br&gt;&lt;br /&gt;The Wired article: &lt;a href="http://www.wired.com/wired/archive/11.07/slammer.html?pg=1&amp;topic=&amp;topic_set="&gt;http://www.wired.com/wired/archive/11.07/slammer.html?pg=1&amp;topic=&amp;topic_set=&lt;/a&gt;&lt;br&gt;&lt;br /&gt;Articles about the article: &lt;a href="http://www.nypost.com/technology/443.htm"&gt;http://www.nypost.com/technology/443.htm&lt;/a&gt;&lt;br&gt;&lt;br /&gt;&lt;a href="http://news.com.com/2100-1002_3-1013974.html?tag=fd_top"&gt;http://news.com.com/2100-1002_3-1013974.html?tag=fd_top&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-95380094?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/95380094'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/95380094'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#95380094' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-94559993</id><published>2003-05-18T21:42:00.000-05:00</published><updated>2003-05-18T21:42:46.283-05:00</updated><title 
type='text'></title><content type='html'>&lt;b&gt;identity theft insurance&lt;/b&gt;&lt;br /&gt;&lt;p&gt; According to the FTC, more than 160,000 cases of identity fraud were reported in 2002. &lt;br /&gt;Now you can get insurance in case it happens to you.&lt;br&gt;&lt;br /&gt;&lt;a href="http://www.iii.org/individuals/other/insurance/identitytheft/"&gt;http://www.iii.org/individuals/other/insurance/identitytheft/&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-94559993?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/94559993'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/94559993'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#94559993' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-92722104</id><published>2003-04-16T11:10:00.000-05:00</published><updated>2003-04-16T11:11:37.000-05:00</updated><title type='text'></title><content type='html'>&lt;b&gt;spam, spam, spam, spam, spam, spam, baked beans, spam, spam and spam&lt;/b&gt;&lt;br /&gt;&lt;p&gt;The Center for Democracy and Technology has done controlled research on how email addresses get into the hands of spammers.  Their report, "Why Am I Getting All This Spam?", shows that a number of common myths about how to prevent your address from being captured are just that -- myths.
&lt;br /&gt;&lt;blockquote&gt;In six months of operation, our project received over 10,000 e-mail messages to the more than 250 single-use e-mail addresses we created. About 1,600 of these were legitimate e-mail communications that we'd requested from various online services. Another 62 were unclassifiable due to incomplete e-mail headers or other missing data. And 16 messages were received after we'd opted-out of future communications from a business we'd given an e-mail address to, but were received within a two-week grace period that our methodology allowed. We classified the remaining 8,842 as unsolicited, a.k.a. spam, e-mail.&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://www.cdt.org/speech/spam/"&gt;http://www.cdt.org/speech/spam/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-92722104?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/92722104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/92722104'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#92722104' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-92657814</id><published>2003-04-15T11:23:00.000-05:00</published><updated>2003-04-15T11:25:11.000-05:00</updated><title type='text'></title><content type='html'>&lt;b&gt;the myth of security at Canada's airports&lt;/b&gt;&lt;br /&gt;&lt;p&gt;The Standing Committee on National Security and Defence of the Canadian Senate has asked hard questions and obtained unpleasant 
answers.  They should be applauded for their courage.  U.S. airports have the same problems, but the Department of Homeland Security doesn't seem to have the same clarity of vision.&lt;br /&gt;&lt;blockquote&gt;Are Canadian air travellers getting good value for their money?&lt;br&gt;&lt;br /&gt;Should Canadian air travellers feel comfortable that the new security measures that they are paying for are making air travel in Canada significantly more secure than it was before September 11, 2001?&lt;br&gt;&lt;br /&gt;...&lt;br&gt;Essentially, the Committee sees the front door of air security as now being fairly well secured, with the side and back doors wide open.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://www.parl.gc.ca/37/2/parlbus/commbus/senate/com-e/defe-e/rep-e/rep05jan03-e.pdf"&gt;http://www.parl.gc.ca/37/2/parlbus/commbus/senate/com-e/defe-e/rep-e/rep05jan03-e.pdf&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-92657814?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/92657814'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/92657814'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#92657814' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-92402147</id><published>2003-04-10T21:58:00.000-05:00</published><updated>2003-04-10T21:59:50.000-05:00</updated><title type='text'></title><content type='html'>&lt;b&gt;putting the cat back into the bag&lt;/b&gt;&lt;br 
/&gt;Or: why "shared secret" cryptographic keys must have a predefined lifetime.&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;subscribers to Microsoft's volume-licensing program are issued [license] keys that do not need activation. ... Should a code leak onto the Internet, as it has with Windows Server 2003, the single code can be used to install an unlimited number of copies of the software.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://news.com.com/2100-1009-995879.html"&gt;http://news.com.com/2100-1009-995879.html&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.msnbc.com/news/897384.asp?0dm=N226T"&gt;http://www.msnbc.com/news/897384.asp?0dm=N226T&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Or they could have used a public-key cryptosystem, provided that they are willing and able to maintain a live certificate revocation list.  Better luck next time...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-92402147?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/92402147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/92402147'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#92402147' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-92159047</id><published>2003-04-07T11:58:00.000-05:00</published><updated>2003-04-08T18:36:11.000-05:00</updated><title type='text'></title><content type='html'>&lt;b&gt;What's wrong with this picture?&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;According to Forrester 
Research, 74% of users don't trust Microsoft security.&lt;br /&gt;Nine out of 10 users deploy sensitive applications on Windows, anyway.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.forrester.com/ER/Research/Report/Summary/0,1338,16275,00.html"&gt;http://www.forrester.com/ER/Research/Report/Summary/0,1338,16275,00.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The full report costs $349, but the 4-minute video summary (with slides) is free, and says all the important things.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Answer&lt;/b&gt;: Managers think that Total Cost of Ownership and complexity issues are more important than security.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-92159047?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/92159047'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/92159047'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#92159047' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-90780448</id><published>2003-03-15T17:07:00.000-06:00</published><updated>2003-03-15T22:23:23.000-06:00</updated><title type='text'></title><content type='html'>&lt;b&gt;is your security vendor ethical?&lt;/b&gt;&lt;br /&gt;&lt;p&gt;Nearly all of them are, nearly all of the time, but lapses occur.  What's worrisome about this incident is that ArcSight claims that it did nothing wrong when it exploited information that had been provided to a customer under a non-disclosure agreement.  
Technically it was the customer who was bound by the NDA and not ArcSight, but taking advantage of someone else's improper behavior in order to obtain information about your competitors should be obviously wrong in anyone's eyes, even if it's not actually fraud.&lt;br /&gt;&lt;blockquote&gt;On Jan. 20, the security engineers at Addamark Technologies Inc. noticed the problem immediately: Someone had accessed a confidential, password-protected document on the company's Web server that contained technical product details.&lt;br /&gt;&lt;p&gt;After studying the traffic logs more carefully, San Francisco-based Addamark officials discovered it was no random hack. The intrusion had come from a competitor, ArcSight Inc.&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://www.eweek.com/article2/0,3959,892578,00.asp"&gt;http://www.eweek.com/article2/0,3959,892578,00.asp&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-90780448?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/90780448'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/90780448'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#90780448' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-90573116</id><published>2003-03-12T00:53:00.000-06:00</published><updated>2003-03-15T23:09:25.000-06:00</updated><title type='text'></title><content type='html'>&lt;b&gt;Cellphones in Pakistan are insecure&lt;/b&gt;&lt;br 
/&gt;&lt;p&gt;Ever since former Speaker of the House Newt Gingrich's conversations were recorded and leaked to the press in 1996, we all knew that analog cellphones are easily eavesdropped upon.  Digital phones use encryption, but it's known that the cipher used by the GSM system has been cracked. Now we have more evidence that eavesdropping really works.&lt;br /&gt;&lt;blockquote&gt;In Washington, the national security agency used Echelon, an intelligence system coordinated by the United States but involving several of its allies, including the UK, to monitor more than 10 mobile phones used by [al-Qaeda leader Khalid Sheikh] Mohammed. &lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://www.guardian.co.uk/alqaida/story/0,12469,911860,00.html"&gt;http://www.guardian.co.uk/alqaida/story/0,12469,911860,00.html&lt;/a&gt;&lt;br /&gt;&lt;p&gt;More details indicating a less systematic program than the mythically powerful Echelon, but nevertheless obviously effective, are at &lt;a href="http://www.jang.com.pk/thenews/nov2002-daily/18-11-2002/main/main7.htm"&gt;http://www.jang.com.pk/thenews/nov2002-daily/18-11-2002/main/main7.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-90573116?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/90573116'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/90573116'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#90573116' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-90386373</id><published>2003-03-08T23:01:00.000-06:00</published><updated>2003-03-08T23:27:56.000-06:00</updated><title type='text'></title><content type='html'>&lt;b&gt;A strategy for curing global instability that actually makes sense&lt;/b&gt;&lt;br /&gt;&lt;p&gt;Many people have observed that we will never be free from the threat of global terrorism until the social conditions are eliminated that lead to terrorists' beliefs that suicidal destruction is preferable to continued life in a marginalized society.  This leads to an "epidemiology of terrorism" that looks much like the medical epidemiology that has successfully eradicated smallpox from the planet and is near to eradicating polio.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;Thomas P.M. Barnett, writing in the March 2003 issue of Esquire (not a typical source for such analyses) and reprinted online at &lt;a href="http://www.nwc.navy.mil/newrulesets/ThePentagonsNewMap.htm"&gt;http://www.nwc.navy.mil/newrulesets/ThePentagonsNewMap.htm&lt;/a&gt;, has mapped out those portions of the world where reservoirs of threats to the U.S. and the developed world can fester, and suggests that we are already pursuing a strategy to "drain the swamps" in those areas, one by one.&lt;br /&gt;&lt;blockquote&gt;Since the end of the cold war, the United States has been trying to come up with an operating theory of the world -- and a military strategy to accompany it.  Now there's a leading contender.  It involves identifying the problem parts of the world and aggressively shrinking them. &lt;/blockquote&gt;&lt;br /&gt;Or more colorfully, if the U.S. has never been to war with a country where there is a McDonalds, the way for us to stop needing to go to war is to change those countries where there aren't any McDonalds so that fast-food restaurants can flourish there -- changing them by force if necessary.  
This doesn't necessarily mean the destruction of their indigenous cultures -- only those parts of their cultures that insist on the exclusion or destruction of our own.&lt;br /&gt;&lt;p&gt;&lt;br /&gt;p.s. Thanks to &lt;a href="http://www.daypop.com/top/"&gt;DayPop&lt;/a&gt; for providing a direct link into the blogging world's attentional focus bypassing the biases of any particular editor, and exposing Barnett's article.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-90386373?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/90386373'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/90386373'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#90386373' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-90253751</id><published>2003-03-06T13:28:00.000-06:00</published><updated>2003-03-15T22:16:57.000-06:00</updated><title type='text'></title><content type='html'>&lt;b&gt;Identity theft resources&lt;/b&gt;&lt;br /&gt;&lt;p&gt;The University of Texas has a good list, at &lt;a href="http://www.utexas.edu/datatheft/resources.html"&gt;http://www.utexas.edu/datatheft/resources.html&lt;/a&gt;.&lt;br /&gt;&lt;p&gt;Unfortunately they were recently embarrassed (like today!) by a misdesigned public webpage that allowed anyone to enter a social security number and get lots of information on the holder.   
Then someone wrote a small script that started at 000-00-0000 and counted through 999-99-9999 and captured the output of the hits.  [Later: A UT computer science student was arrested on March 15 and charged with unauthorized access to a protected computer and using someone else's identification with intent to commit a federal crime.]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-90253751?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/90253751'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/90253751'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#90253751' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-89972647</id><published>2003-03-01T17:31:00.000-06:00</published><updated>2003-03-15T22:17:36.000-06:00</updated><title type='text'></title><content type='html'>&lt;b&gt;New home for London Symphony Orchestra&lt;/b&gt;&lt;br /&gt;&lt;p&gt;This group is certainly not a "musical museum"...
&lt;br /&gt;&lt;blockquote&gt;The LSO's new base-cum-education centre in a converted Hawksmoor church shows the way ahead for symphony orchestras, says Martin Kettle&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://www.guardian.co.uk/arts/fridayreview/story/0,12102,904021,00.html"&gt;http://www.guardian.co.uk/arts/fridayreview/story/0,12102,904021,00.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-89972647?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/89972647'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/89972647'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#89972647' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-89652176</id><published>2003-02-24T11:07:00.000-06:00</published><updated>2003-02-24T11:08:36.000-06:00</updated><title type='text'></title><content type='html'>&lt;b&gt;Final HIPAA Information Security Rule&lt;/b&gt;&lt;br /&gt;A good summary from SANS.&lt;br /&gt;&lt;blockquote&gt;Thousands of US health-care organizations have been waiting for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to be finalized. First proposed nearly five years ago, the rule has now been issued in final form. The Security Rule is just one part of HIPAA - federal legislation that was passed into law in August 1996. The act is meant to provide better access to health insurance, limit fraud and abuse, and reduce the overall cost of health care. 
This article will provide a detailed overview of the final HIPAA Security Rule. &lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://www.sans.org/projects/hipaa.php"&gt;http://www.sans.org/projects/hipaa.php&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-89652176?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/89652176'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/89652176'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#89652176' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-89647334</id><published>2003-02-24T09:38:00.000-06:00</published><updated>2003-02-24T09:38:27.936-06:00</updated><title type='text'></title><content type='html'>&lt;b&gt;why instant messaging is dangerous&lt;/b&gt;&lt;br /&gt;&lt;blockquote&gt;[This famous] hack involves tricking an ...employee into accepting a file using Instant Messenger or uploading a Trojan horse to a...file library. When the file is executed, the Trojan horse connects the user who launched it to an Internet relay chat server, which the hacker can use to issue commands on the targeted machine. This allows the hacker to enter the internal ...network.
&lt;br /&gt;&lt;/blockquote&gt; &lt;br /&gt;&lt;a href="http://neowin.net/comments.php?id=9582&amp;category=main"&gt;http://neowin.net/comments.php?id=9582&amp;category=main&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-89647334?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/89647334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/89647334'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#89647334' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-89102409</id><published>2003-02-14T12:00:00.000-06:00</published><updated>2003-02-24T09:27:29.000-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;U.S. Strategy to Secure Cyberspace&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;has just been released -- 76 pages long; a narrative white paper rather than a bunch of slides like the previous draft.  Even less forceful than before.&lt;br /&gt;It's rumored that Richard Clarke resigned from his post as White info security czar due to frustration over his inability to get anything substantive into the proposal -- but Clarke isn't talking. 
&lt;br /&gt;&lt;br&gt;&lt;a href="http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf"&gt;&lt;br /&gt;http://www.dhs.gov/interweb/assetlibrary/National_Cyberspace_Strategy.pdf&lt;/a&gt;&lt;br /&gt;&lt;br&gt;&lt;a href="http://www2.cio.com/research/security/edit/a02032003.html"&gt;http://www2.cio.com/research/security/edit/a02032003.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-89102409?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/89102409'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/89102409'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#89102409' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-88880571</id><published>2003-02-10T18:26:00.000-06:00</published><updated>2003-02-10T18:26:56.000-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;lost drive found&lt;/strong&gt;&lt;br /&gt;&lt;br&gt;Here's the latest on it... Apparently an ISM employee stole the disk drive.&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;The Regina police announced Tuesday that the hard drive had been found and they were investigating to determine whether any information had been accessed.&lt;br /&gt;&lt;br /&gt;Government information on the hard drive included about 60,000 government employee pension statements, bulk fuel rebate programs for about 56,000 applicants and 4,669 personal records for Workers' Compensation Board clients.
&lt;br /&gt;&lt;br /&gt;More than 10,000 SaskPower customers may also have had personal and banking information compromised. Customers were receiving letters this week notifying them whether their information was on the hard drive.&lt;br /&gt;....&lt;br /&gt;Other organizations which had information stored on the hard drive include the Manitoba government, the Investors Group and the Co-operators Life Insurance Company.&lt;br /&gt;&lt;/blockquote&gt; &lt;br /&gt;&lt;a href="http://www.canada.com/search/story.aspx?id=685c0cb3-43d2-44c6-aed3-c937ed77eaa5"&gt;http://www.canada.com/search/story.aspx?id=685c0cb3-43d2-44c6-aed3-c937ed77eaa5&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-88880571?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88880571'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88880571'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#88880571' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-88878895</id><published>2003-02-10T17:54:00.000-06:00</published><updated>2003-02-10T17:55:42.000-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Customer data lost from IBM datacenter&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;Another case of "locked in a vault" not being sufficient.&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;IBM has lost a hard drive containing the records of 180,000 clients of an insurance company. 
Details include "names, addresses, beneficiaries, social insurance numbers, pension values, pre-authorized checking information and mothers' maiden names", according to wire reports. Anything else? Oh yes, their bank account details. &lt;br /&gt;&lt;br /&gt;But is it carelessness, or is it theft? No-one knows yet, but the hard-drive was stored in a supposedly secure facility in Regina, SK, at ISM Canada, an IBM subsidiary. &lt;br /&gt;&lt;br /&gt;Local police and the RCMP (the Mounties) are investigating. &lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://www.theregister.co.uk/content/55/29117.html"&gt;http://www.theregister.co.uk/content/55/29117.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-88878895?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88878895'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88878895'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#88878895' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-88595605</id><published>2003-02-05T10:23:00.000-06:00</published><updated>2003-02-05T10:24:19.000-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Dartmouth Institute for Security Technology Studies&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;High quality reports on security news&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Security in the News provides security professionals, and government and law enforcement officials with 
timely and salient information on cybercrime, cyberterrorism, malware and other information-security issues at the strategic level.&lt;/blockquote&gt;&lt;br /&gt;&lt;a href="http://news.ists.dartmouth.edu/todaysnews.html"&gt;http://news.ists.dartmouth.edu/todaysnews.html&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-88595605?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88595605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88595605'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#88595605' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-88215409</id><published>2003-01-29T11:37:00.000-06:00</published><updated>2003-01-29T11:38:43.000-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Powered off in a safe...&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;The old slogan goes "the only secure computer is one that's powered down and locked in a safe."   Not any more.  This is the second time an incident like this at LANL has reached the press.   The first time, the missing drive contained secrets describing how to disarm nuclear warheads.&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;A computer hard drive containing classified information may be missing from the Los Alamos National Laboratory, but because of an inventory mistake, officials say they may never know.
&lt;br /&gt;&lt;br&gt;...&lt;br&gt;&lt;br /&gt;&lt;p&gt;The computer was used only for security work, and while it might have held classified data, there was never information about weaponry stored on it, [a lab spokesman] added.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;More details in Federal Computer Week magazine: &lt;a href="http://www.fcw.com/fcw/articles/2003/0113/web-alamos-01-17-03.asp"&gt;http://www.fcw.com/fcw/articles/2003/0113/web-alamos-01-17-03.asp&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-88215409?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88215409'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88215409'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#88215409' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-88109914</id><published>2003-01-27T13:07:00.000-06:00</published><updated>2003-01-27T15:35:55.000-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;SQL Slammer worm&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;Large parts of the Internet were effectively shut down by a malicious worm that exploited a bug in Microsoft SQL Server that had been known and repairable for at least six months.  Many organizations' internal networks, including the one that manages automated teller machines for the Bank of America, were affected, too.
&lt;br /&gt;&lt;br /&gt;&lt;p&gt;A good report of the impact on the Internet as a whole is at &lt;a href="http://www.matrixnetsystems.com/ea/index.jsp"&gt;Matrix NetSystems&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;p&gt;So far the Internet has survived without significant or lasting damage two of the three worst-case classes of attack.  An attack on the DNS root servers was hardly even noticed.  The third class is an attack on the BGP routing infrastructure used by the core backbone providers.  Stay tuned...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-88109914?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88109914'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/88109914'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#88109914' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-4138788.post-87962647</id><published>2003-01-24T10:36:00.000-06:00</published><updated>2003-01-24T10:49:07.000-06:00</updated><title type='text'></title><content type='html'>&lt;strong&gt;Wi-Fi Speed Spray&lt;/strong&gt;&lt;br /&gt;&lt;p&gt;I can't wait for the &lt;i&gt;New and Improved&lt;/i&gt; version with extra security!
&lt;br /&gt;&lt;br&gt;&lt;br /&gt;&lt;a href="http://www.j-walk.com/blog/docs/wifispray.htm"&gt;http://www.j-walk.com/blog/docs/wifispray.htm&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4138788-87962647?l=mostlysecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/87962647'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4138788/posts/default/87962647'/><link rel='alternate' type='text/html' href='http://mostlysecurity.blogspot.com/index.html#87962647' title=''/><author><name>Algosome</name><uri>http://www.blogger.com/profile/12400245912315158196</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
