Privacy is a Technological Imperative


My seasonal July funk has been working on me and my attitude, but not so much that I can’t find some perverse humor in the slashdot discussion on privacy as a biological imperative.

Ms. Sweeney’s correlation of privacy to the stealth a predator requires to stalk and consume prey was latched onto by the /.ers like an antelope at a watering hole. I don’t see it myself. There is a fundamental difference between the biological need to eat and the personal need for privacy. The development of information technologies creates the need for personal identity, and creates the tools to destroy it. Examples include the portable camera (which drove Warren & Brandeis to define the right to privacy in the context of the US Constitution), the telephone, punch-cards and TCP/IP.

These aren’t new or original thoughts, but just how I see it.

Lion enjoying a private moment courtesy hannes.steyn.


The Easy No


From Concurring Opinions, this commentary on a recent New York Times article on Hypercompliance on the HIPAA front. Health care folks have been intimidated into denying access to PHI to people who have legitimate inquiries and a legal right to it.

This type of behavior is born out of fear and a poor understanding of rules filtered through complicated reports written by obfuscating contractors. It seems reactionary and unreasonable, but it is a means to the safety only a well-covered ass provides. As Mr. McGeveran points out, “it is always easier to say ‘no’ than to figure out how to say ‘yes.’” I believe mistaken “safe” attitudes like this are often how security policies end up being implemented, and they are difficult to purge once they become corporate folklore.

The “easy no” is not uncommon in security management, and enables ten thousand wannabe Kip Hawleys to exercise passive aggressive nonsense in its name.

Beats thinking.


Dog of War or McGriff the Crime Dog?


So, soldier or cop? War or Crime? Or both?

I ask this question of my own self after reading (and enjoying) Michael C. W. Research’s recent posts on security framed in the context of Clausewitz. Thinking it through, though, I began to wonder if war is the context in which information security should frame itself. After all, as an info security practitioner, you are denied both first strike and retaliation with like force. Hampered by a bureaucracy, limited by budget and laden with metrics of questionable value, you perform awareness and outreach to a resistant, often resentful community that harbors potential adversaries. When the adversary attacks, your response is defensive, forensic, and heavily regulated. In the initial analysis, it sounds more like a cop than a soldier.

Like Mr. Peterson, I recently finished reading Robb’s Brave New War. Robb describes the decline of wars between states or their proxies and the rise of the global guerrilla. The global guerrilla uses system disruption and open source warfare to break down the brittle security systems of organized and highly interdependent states. Mobile and rapidly adapting to changing tactics, this adversary is usually hidden in the state it is trying to hollow out, cooperating with or participating in transnational organized crime. Now that threat sounds more familiar; Robb describes the phishing marketplace as an example of open source warfare.

Is War now Crime? Is the infosec defense model Clear Hold Build or Broken Windows?


New Concepts in Data, Compliance and Marketing or The Overly Dramatic Truth


Like the rest of the world, I read J. Cline’s article on the upcoming data eclipse while listening to El P’s I’ll Sleep When You’re Dead, which is the best way to read it.

J. Cline is prophesyin’ the impending darkness where all corporations will crumble ‘neath the cleated boot of data governance.

Mr. Cline identifies the signs of the data eclipse endtimes: Ford has abandoned autos to focus on quality improvement. Wal Mart has unburdened themselves of the lucrative Chinese tube sock trade for supply chain management. In the post-eclipse world, we must surrender control of our enterprises to the wanton desires of regulators, lawyers and audit chimps such as myself. We no longer make the decisions, but wait for them to be passed down from these distant parties who ponder our fate far from the red meat and hot breath of corporate operations. It’s not the moon, after all, but the pointing finger of compliance and legality we should focus on.

I may have been born yesterday, sir, but I’ve been up all night. Like a diamond bullet between the eyes, I was struck with an aces-on Notion (with a little backing I think I could turn it into an Idea) which will make me the fortune I frankly deserve. A methodology that will empower the document generating wherewithal of ten thousand legions of certified information control professionals.

I will call it the Compliance Legal Object Audit Client Architecture: CLOACA. Look for my booth at a tradeshow near you.

CLOACA: You’ll Be Surprised What Can Come Out Of It!


Vulnerability v. Threat

Jeremiah Grossman’s analysis of the MSNBC stock contest cheat.

It seems to me that this sort of flaw would rise to the surface quickly from a threat perspective, but slower from a vulnerability perspective. I’m not sure why though.


The Italian Job


An oddball kidnapping heist documented at MCN and Roadracing World illustrates the danger of the insider beyond the pilfered laptop or the unexpired system credentials.

Apparently the Alto Evolution World Superbike team “reduced the responsibilities” of Sergio Bertocchi, their erstwhile manager, after the race at Monza a while back.

On the way back to Italy from the most recent race at Silverstone, UK, the Alto truck gets hijacked at a border crossing. According to the Alto Evolution press release:

The driver was kidnapped for more than six hours and the truck diverted. The driver was able to escape in Bruxelles – Belgium, where he alerted the police and confirmed the names of the people of the gang which had kidnapped him and stolen the truck. Amongst the members of the gang, four people have been recognised: one of them was Mr. Sergio Bertocchi.

Policemen from Belgium have immediately started investigations and, at the same time, Carabinieri in Italy have been alerted. Investigations have gone on strenuously and with the utmost secrecy. On the 6th a van of ours was sent to Trieste to recover other spare parts and accessories still in Trieste’s warehouse. On the way back, in the first rest/service area out of Trieste, the same criminals stole the van and its contents. Unluckily for them, following a great effort of electronic interception and lots of tailing, law-enforcement personnel have had the opportunity to see the criminals in action in first person. Carabinieri have been on the van’s tail for a couple of hours and at last they have recovered the vehicle and its contents and put them under sequestration.

Meanwhile the subjects liable for the theft have been blocked. On Friday the 8th Carabinieri have given us communication that the truck has been found and is now in a safe place in Trieste; again the judges have disposed sequestration of the goods.

Although it reads as if they got Alto’s rider Muggas to do the translating directly from Italian to Tweed Headsian blindfolded, at first blush it appears to be a story of justice served. The former manager plays the archetypal role of the disgruntled employee who turns against his employer by hacking, vandalizing, stealing office supplies, truck hijacking and/or kidnapping. His fiendish plot is foiled due to surveillance and electronic tracking. Chalk one up to the gallant carabinieri and their high tech tracking equipment!

An interesting question regarding identity, though. Did former manager Sergio use his identity to gain confidence and access to the truck? That seems like an enormously boneheaded maneuver for a hijacker. I’ve got issues trying to correlate the motivation of the attacker with his techniques.

Maybe it was just a denial of service attack. Check that word “sequestration” in the above quote, on which the Alto Evolution team elaborates:

This, and only this, is the reason for which we will not be able to participate in the race in Misano on the 17th of June.

Not too difficult to imagine Sergio in his Italian jail cell rubbing his hands together, mumbling about how they’ll never race in Misano… never in Misano…


Sufficiency, Competence, Relevance


I returned to work after a refreshing and invigorating vacation in Wisconsin and greater Chicagoland. After marking random e-mails as “Read,” I looked over some notes I took in a prefreshed state, most particularly this line:

“Reality vs. ????”

I figure I was on track to bust my epistemological crisis wide open, and instead I caved into some ontological audit chasm. Not quite a zombie, but brains are starting to smell real good.

“Reality vs. ????” I think I was getting into a Rashomon fugue state, with folks skating around conflicting stories, but nodding in agreement. I wanted to know: When evaluating perception, what evidence is more reliable than testimonial evidence? Is the written word as important as the thought which drives the action? Can or should the common testimony of a dozen individuals be sufficient to assert a common perception, and be used to predict a likely action?

I searched the Red Book and Yellow Book for the answer. To make sure I didn’t miss anything, I checked the Blue Book, too. (Man, that Mazdaspeed3 looks SWEET!) Their answers rang as hollow as a Sturtevant kringle, just not as tasty. “Sufficient and appropriate,” “competent and relevant,” “better if supported by documentary evidence,” “yada yada yada.” Not helping me out.

I was looking in the wrong places, of course. In my backpack was the unfinished beach reading: King of the Jews by Nick Tosches. I dig Tosches in a serious way; he is a relentless researcher with a full appreciation of the negative case. From the Book of Esther to Abe Lincoln to Mayor Bloomberg, Tosches makes clear that evidence – competent, appropriate, sufficient or otherwise – winds up as whatever is said most often, and what is said most often is often enough wrong. Still not much of an answer. Really sort of grim.

Nonetheless, with that cryptic fugue out of my system, I’ll go back to work. Less episteme, more hax0rme.


The Red Duck


Yesterday was a tough one at work, made especially tougher by the fact that the House of Tooth is flying out on vacation tomorrow, earlier than I feel comfortable contemplating.
But if Mr. Howell is going to write about motor vehicular risk, so will I.

When I got home last night, I watched Race 1 of the WSBK at Silverstone. Nasty conditions: standing water on the track, filthy visor-coating mist flung up from rear tires, cold rain, poor visibility, and very heavy, very aggressive traffic. So nasty that the second race was red flagged. Sounds like Chandler’s Chicago commute, with the following exceptions:

  • Everyone is on two wheels (except for the Alfa 159, which follows only on the warm up lap, and at a discreet distance).
  • The cycles have been freshly massaged by well paid mechanics, sparing no expense in picking the fly poop from the pepper in handling, power delivery and suspension according to the desires of the rider. When the track is hot, statuesque women in high heels hold umbrellas over the motorcycles to keep them cool.
  • Everyone on the track is wearing leathers, gloves, boots, back protector and a full-face helmet.
  • No one is chatting on a cell phone or drinking coffee whilst riding round the track. The only communication is through flags waved by officials and corner workers, and the pit board with a couple of numbers hung out for the rider to read as he speeds past. None of this NASCAR-style chit chat and sippy cups.

All the WSBK machines are produced to a regulation, a formula that is more rigorously enforced than PCI, Basel II or the FFIEC guidelines. Sunday’s race at Silverstone revealed the difference of how a regulation is interpreted, viz., traction control. Despite the best efforts of a well funded Ten Kate team, with full support of the mammoth Honda Racing Corporation, and a skilled and extra-dreamy rider at a home course, Mr. Toseland’s CBR1000RR ended up like this after only a few laps. Nonetheless, water spewing from his radiator, and mud in the engine, he picked it up and rode on, finishing 8th. He was lapped by the pack who had figured out traction control: Xerox Ducati and Yamaha. And the Ducati bike is a year old.

Are strictly enforced regulations and technical innovation what make for great racing? Is it all physics, thermodynamics, fluid mechanics, geometry and friction?

No. What makes for great racing is the fact that these machines are piloted by the world’s finest chaos generating engines, i.e., motorcycle road racers. Otherwise, why does nutso “Nori” get to wear a rainbow wig on the podium, while his stoic Wollongongian team mate does not? What is to prevent a twitchy Frenchman on an equally twitchy Kawasaki from having a fleeting existential moment, resulting in a high velocity green missile smashing into a focused Texan’s perfect line round Ascari? Nothing. The black swan rides the track along with the red Ducks.

Like any enterprise, you can comply with the regulations. You can follow the rules. You can become technically innovative. But the enterprise is run by chaos driven humans. All you can do is strap them in leathers and hope they don’t lose any more fingers than is absolutely necessary.


Signals, Calls and Marches


Two stories stuck in my craw this past week. Now, I’m spitting them out, for your pre-masticated pleasure.

Firstly:
Tim Wilson’s post at Dark Reading figures we shouldn’t buy IBM security services because one of their contractors lost a storage tape with NPI on it. And that a public wireless company should not be patronized because they had a crooked options administrator. The TSA loses some employee data, so what..? We find some off-brand liquid & gel manhandler? The causality between the security products and services offered and the lapses in security and anti-fraud controls seems spurious. Does TJ Maxx not still shop continuously so I can find fabulous fashion bargains? That I’ll pay cash for?

Segundo:
I can’t believe the guy playing Punk’d with Google AdWords got so much press. The SANS dudes creamed themselves into a fit of self-righteous suspender-snapping ecstasy in their newsletter over this DARING SOCIAL EXPERIMENT! The story was lame and proved nothing, but it did allow the SANSabelters a chance to feel so superior to the l00zerz that would click on a link that says “Infect your computer.” All that energy parsing stats THAT MEANT NOTHING! Dismissing your customers as ignoramuses, and pointing to practical jokes as proof, is no way to run a “profession.” If you must, at least do it behind closed doors.

’Cause, in the words of Mission of Burma:
So make sure that you are sure of everything I do
‘Cause I’m not, not, not, not, not, not, not, not your academy.


Motoprox


Yesterday, barreling down the concrete slab choked with tractor-trailers and nitro-burning funny trucks laden with oily 2x4s and spent joint compound jugs, I was engaging my left brain in random problem solving (“Resolved: The world is as random as it is not.”) and engaging my right wrist in focused throttle control on my Triumph Bonneville. I hate that road, a stretch of oversubscribed interstate, and I was on it at an unfamiliar time (around 3:00 pm), unfamiliar with how the traffic would be flowing. The part of the brain that controls motorcycle function became increasingly engaged.

Fortunately, it didn’t come out of nowhere: some set of clues were processed so I was pretty sure the black sedan was going to dart into the part of highway I was occupying. I braked as much as I could, as the pickup behind was riding my exhaust, and I moved as far to the left of the lane as I could. Just as his door was nearing my knee, the driver of the sedan spotted me, and made a panic swerve back to his lane. No harm, no foul, just a cortex soaked in adrenaline. People pay good money for that.

Which led me to my thought. Do near misses count?

The UK Civil Aviation Authority Airprox Board thinks so. They are dealing with potential accidents, however, with the not unreasonable assumption that neither party wishes a collision. There is no attacker, so it is easier to get both sides of the story, and a clearer, truer account of the incident, and quality information to improve the process. In a security incident, you will rarely get the other side of the story, so the account is skewed to what the defender has observed, and what the attacker has failed to hide.

The Risk Management and Decision Process Center at the Wharton School has this brief description of its Near Miss Management study.

It may be nothing useful, but I’m wondering how “near miss” security incidents are handled. How are the elements of “luck” and “skill” (i.e., controls, response, etc.) allocated? Since the bullet was dodged, is there an increase in comfort in the level of security, even though it may have just been luck, or the actions of the attacker, that made it a “miss”?

I don’t know, but I’ve been hyperaware of traffic lately, and my head is encased in Shoei and my body in Tourmaster. (And for more on motorisks, see Chandler’s post from last September.)

Hot Honda on Duck action courtesy PhillC.
