Observations Along the Road

Roadkill Along the Information Superhighway

Category Archive: 'security'

History, Art, and Science

Written By: cahwyguy - Sat Apr 06, 2013 @ 9:17 pm PDT

Today I spent the day with my daughter, and got to meet two of her three roommates for her sophomore semester: Varsha and Hayden. We spent the day with Varsha and Erin visiting the Legion of Honor Fine Art Museum (for one of their Art History projects), and had dinner with Erin and Hayden. I’ll note that at the Legion of Honor, we saw one of the most moving holocaust memorials I have ever seen. So art and history are on my mind, plus a little bit of science and security…

In the history department, I have a few deaths (or potential deaths) of interest:

  • Yvonne Brill. The LA Times has an interesting writeup on Yvonne Brill, who died March 27 at age 88. Brill was a very important woman rocket scientist and engineer who developed a revolutionary propulsion system that remains the industry standard for keeping unmanned spacecraft in constant, stationary orbit. Later in her career, she became the director of the space shuttle’s solid rocket motor program for NASA. In the last quarter-century of her life, she strove to help others pursue careers in science and math and especially pushed for women to achieve scientific recognition. Still, at one point, she moved to the East Coast to support her husband’s career, noting “good jobs are easier to find than good husbands.”
  • Martyl Langsdorf. The St. Louis Post Dispatch is reporting the death last month of Martyl Langsdorf, who designed what has been called the world’s scariest logo — the Doomsday Clock of the Bulletin of the Atomic Scientists. Since its introduction in 1947, the drawing of the Doomsday Clock has kept watch as international incidents flared. The clock is a symbol of the nuclear age, whose minute hand moves closer to midnight — and presumed annihilation — with each major immediate danger. The clock hands can also move backward, if tensions cool. The hand has moved only 20 times during the past 65 years. It currently stands at five minutes to midnight.
  • CPI Corporation. You probably haven’t heard of CPI Corporation, which abruptly shut down last week. CPI Corporation is better known as the provider of photo studios in Sears and some Wal-Mart stores, and their shutdown deprives parents of an old-fashioned way of taking awkward photos of their children. Of course, there is always the cell phone.
  • Time Magazine. The Atlantic has an interesting article on how the death of Time Magazine may be soon, as they haven’t managed the Internet transition well.

Turning to the science side: a number of interesting computer security articles. First, Israeli hackers have started attacking back at anti-Israel groups that have vowed to wipe Israel off the Internet. Next, researchers at Washington University in St. Louis have uncovered a way to fingerprint credit cards to address credit card fraud. Lastly, a data breach at a St. Louis supermarket chain has alerted a large number of people to the risks of how data is handled.

Finally, a PS: To my friends who are involved with Northern Faire: Erin is interested in going this year, so I’ll be glad to forward to her any information on how to get discount tickets &c. (and how to coordinate transportation). She’s also likely interested in Dickets. She’s at UC Berkeley.

Music: Alive Alive-O (Jose Feliciano): “The Comedy Bit”

--- *** ---

Remembering the 4 Es

Written By: cahwyguy - Thu Mar 21, 2013 @ 5:10 am PDT

Bruce Schneier has come out saying that Security Awareness training isn’t worth the money, and I couldn’t disagree more. Specifically, Schneier has said:

I personally believe that training users in security is generally a waste of time and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.

Bruce’s statement and belief reflect the fallacy and overconfidence of the engineer. I saw this discussed once in a seminar on highway safety, where the highway engineers talked about how they once believed that they could eliminate traffic fatalities solely by engineering better highways and better cars. They soon learned that wasn’t enough — they needed the four Es:

  1. Engineering
  2. Enforcement
  3. Education
  4. Emergency Response

Engineering highways — or security — is only part of the picture. You still need to have policies and enforce them. You still need to teach users to be aware of threats and to know how to respond. And you need emergency response to ensure your systems are not killed by the attacks — that they are resilient and can recover.

Awareness training is a vital part of this. Yes, you can engineer away some of the problems. But you can’t get rid of them all, and you certainly need to educate about social engineering attacks.

Bruce — I’m surprised at you for this statement.

(and now it is off to the shower before I go to work….)

--- *** ---

Impacts of Technology: Movies, Radio, Lectures, and Powerstrips

Written By: cahwyguy - Fri Feb 15, 2013 @ 11:22 am PDT

Earlier this week, I wrote about the negative impacts of the Internet on society. Today’s news chum deals with a similar subject: the impacts of the Internet and technologies on industry and academia:


--- *** ---

Friday News Chum (a day early): Blood Types, Zombies, Santa, Christian Radio, UP Maps, and old Jails

Written By: cahwyguy - Thu Dec 20, 2012 @ 11:17 am PDT

Well, it’s Friday, and you know what… what do you mean it is Thursday… to me, it is virtual Friday, as starting tomorrow I’m taking off to the end of the year. So as I said… well, it’s Friday, and you know what that means… Time to clear out the accumulated links:

  • Blood Types. We’re all aware of different blood types for people (and some of us even know our blood types, but not me). Have you ever thought about whether humans are unique with blood types? We’re not, and this article from Mental Floss looks at the different blood types of Dogs and Cats. A co-worker basically said what one of the comments said: For dogs, they often are universal until the first transfusion.
  • End of the World. Tomorrow, or is it Saturday (I guess it depends on your time zone) is the end of the world. What? You didn’t know? In any case, you can be prepared. Evidently, the Zombie Apocalypse Store in Las Vegas is doing thriving business.
  • The Mail Will Get Through. Even if the world ends, the mail will still get through. I know, because Tom Paxton told me. It will certainly get through to Santa. In fact, an enterprising teacher in a Missouri school district is having her students write paper letters to Santa Claus. This bothers me quite a bit. I have no problem with the exercise and having students write letters. That’s good. The problem is that they are to Santa… seemingly irrespective of the student’s beliefs… and being imposed by a public school district.
  • A Word from Our Sponsor. I noticed in the Ventura County Star today a report that a Christian radio network has bought 92.7 FM in Thousand Oaks. This is worrisome to me, as 92.7 used to be Jill-FM, and was a sponsor of Cabrillo Music Theatre.
  • Password Generation. One of my favorite tricks that I recommend to generate passwords is to take a map — the older, the better — and use names from that map to give you a series of words (you connect with special characters) that can create a password (I normally take the first 2-4 letters of each and do some substitutions). Old transit maps are great for this, so when I saw on the big map blog the 1900 map of the Union Pacific railroads and steamships I figured it was worth highlighting (and no, I don’t use this map).
  • Jail vs. Prison. Lastly, an article that highlights an interesting language distinction: jail vs. prison. The article is about Iron County Missouri’s 145-year-old ‘dungeon’. This is an incredibly old jail, constructed two years after Lincoln was elected and still in use, un-remodeled.


--- *** ---

Training in the Modern Era

Written By: cahwyguy - Wed Nov 14, 2012 @ 7:43 am PDT

I’ve been the training chair for the Annual Computer Security Applications Conference since 1990. In my over 20 years in this position, I’ve seen what was a very popular training program decrease in attendance. Whereas in the past we regularly had attendance for courses in the 15-35 student range, of late the attendance has been in the single digits (of course, there are always a few exceptional courses). That’s true again this year, even with (what I believe to be) one of our strongest training programs in years (look at Monday and Tuesday). [I certainly encourage all of my readers to attend the conference, and to encourage your friends to attend and take training courses.]

I’ve been trying to figure out the reasons for the decline in the program, and what to do about it. This post is part of that effort: I’d love comments that might help me figure out how to move the program forward in the future. Here’s what I think are some of the problems:

  • Publicity. As always, our publicity for the courses is poor. They tend to be subsumed into the technical program, and it is difficult to figure out what is a tutorial/training course and what is not. Part of this is due to how the Advance Program has changed: there used to be a separate section highlighting the training program and the courses, and it’s not there anymore. Part of this is due to a change in format: I’m of the strong belief that our move to electronic notification methods makes publicity in general less effective. People ignore email blasts and web pages except when they are seeking information. At least with mailed advance programs, if the target wasn’t interested, they could put it on a board or hand it to a colleague.
  • Growth of the Field. When ACSAC started back in the late 1980s, it was one of three major computer security conferences: ACSAC, IEEE (Oakland), and the NCSC. Today? There are hundreds and hundreds of conferences, each providing their own aspect of training. There are also online webinars, courses at local universities, and such. People don’t need to go to ACSAC to get their training, especially in a short course format for which they pay $$$.
  • Changing Budgets. Related to the last point is the change in budget. It is harder and harder for commercial contractors, defense contractors, and government to get funds to go to conferences. When they do, they need to be able to get something they can’t get elsewhere. That’s certainly true for the technical program–you only get the papers at the conference. That’s also true for workshops, where there is interaction with others in the field. Training courses? As noted above, those are increasingly available. With tighter budgets, it is harder to justify travel dollars for courses, even with CISSP requirements.
  • Changing Audience. One problem the conference has had is a changing audience. We’re working to fix that, but right now, the conference has become more academic. Contractors and government need tutorials to keep abreast of a changing field (and to maintain their CISSPs). Academics? Much less so. As the conference has become more academic, I believe the interest of that side for tutorials has gone down.

So what should the conference do about the situation? I haven’t fully worked that out yet. We already have an effort underway to restore the mix of the conference. Hopefully, this will increase the participation of industry and government. Doing that should help out the training courses some. Beyond that, however, what should we do? Here are some ideas:

  • Reduce Tutorial Days. If we reduce the number of paid tutorials, we can ensure that what we do present are the strongest and most attractive. I’m thinking right now of experimenting with only a single tutorial day (3 tracks), and using the second day for something training-related in a different way. Perhaps this might be more workshops related to the conference theme; perhaps this might be more interactive seminars.
  • Integrate Tutorials Into The Conference. Right now, we have two training approaches. We have our formal tutorials, for which attendees pay separately, and our government track, which has training sessions during the conference and is included in the conference fee. We could eliminate the training as a separate gated event, and just have a training track across all the days of the conference. This would provide more space for technical papers and discussions, and may increase attendance at the training courses.
  • Fix the Topics. I’ve begun to realize that general introductory topics are not good draws, even though they may be good courses. If I could get the material at a local university course, why have it at the conference? Our topics need to either be unique or something that clearly cannot be easily gotten elsewhere. Looking at our top draws this year, they are topics you are not seeing elsewhere. In past years, a regular strong draw was a tutorial on botnets. We need ACSAC-unique topics… and I need to find presenters to propose them.

Right now, I’m just at the musing stage on how to fix things. I’d welcome your ideas.

--- *** ---

Opening a Can of …

Written By: cahwyguy - Thu Oct 25, 2012 @ 11:15 am PDT

Ah, lunchtime. The time of day when a person’s thoughts turn to… tasty canned meat products. Oh, perhaps, they turn to the other kind of…

I mention this because I happened to look at my WordPress Dashboard, and saw the little note: “Akismet has protected your site from 23,482 spam comments already.” Over 23,000 spam messages since I moved to WordPress in January. Wow.

Seeing all this, I thought I would write a little post for the spammers with some advice on how to get comments on this blog accepted:

  1. First and foremost: Make the content of your comment relate to the post. If it has absolutely no connection with the post, it stays as spam. For example, if in response to a post on politics, you write “Hey cheers! I apply earbuds abroad because health of their portability, even though I favor over all the ear”…. it ain’t gonna fly.
  2. Don’t just compliment my blog. I know my blog is great; I don’t need comments saying it. I want an intelligent dialogue with my readers, not sycophants. Thus, a comment like “Very interesting info!Perfect just what I was looking for!” won’t fly on its lonesome (especially if the link for the poster is a site selling designer handbags… more on that later).
  3. Don’t tell me you’ve bookmarked my site (“Hi there, I found your web site via Google while searching for a related topic, your site came up, it looks great. I’ve bookmarked it in my google bookmarks.”). I don’t care. Comment on the specific post.
  4. Make your post grammatically correct (e.g., not “You are my aspiration , I have few web logs and occasionally run out from to post .”). If you don’t know how to compose proper English sentences, you will not be posted.
  5. For that matter, make your posts in English. If I can’t read your post, I won’t approve it. Russian spam (“фото звезд”)… I’m looking at you.
  6. Comment on a recent post. I’m still getting spam comments on posts I made last January; just a few minutes ago, I received a comment (“Hi my family member! I wish to say that this post is awesome, nice written and come with almost all vital infos.”) on a post about the iPod I made back in June. If you are commenting on something more than a week or two old, especially when it is not on topic, you’re a canned meat product.
  7. I look at the sites you claim to be from. If your comment has as its authors link a site clearly selling something, be it designer-knockoff purses, sex, viagra, or anything else, potted meat you are. Yes, this includes the purveyors of “ugg boots uk cheap”.
  8. I also look at your email address. What, you won’t give me an email address? Sorry, Charlie.
  9. If you are attempting linkbacks, the article from which you are linking had better relate to the linked article. For example, on a post regarding the musical “Justin Love”, I just received a linkback from a site with the web address “xamthonedistributor(dot)net/harga-xamthone/4570035123″. Somehow, I can’t believe this site has anything to do with a musical about a gay celebrity coming out of the closet.
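The nine rules above are, in effect, a hand-written comment-spam classifier. As an added illustration (this is not the blog’s code and says nothing about how Akismet itself works), the Python below turns the rules that can be checked mechanically into a scoring function: vocabulary overlap with the post (rule 1), content-free praise and “I bookmarked you” (rules 2 and 3), non-Latin script as a proxy for “not in English” (rule 5), comment age (rule 6), a sales-looking author link (rule 7), and a missing email (rule 8). The `Comment` class, the keyword lists, the weights and the threshold are all constructed assumptions; the sample comments are quoted from the rules above.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
from urllib.parse import urlparse

# Fragments of the spam quoted in the post (lower-cased). Constructed list.
PRAISE_PHRASES = (
    "very interesting info",
    "just what i was looking for",
    "bookmarked it",
    "your site came up",
    "this post is awesome",
    "nice written",
)
# Terms that mark the author link as a storefront rather than a person's blog.
SHADY_LINK_TERMS = ("handbag", "ugg", "cheap", "viagra", "distributor", "harga")
MAX_COMMENT_AGE = timedelta(days=14)   # rule 6: "a week or two old"
WORD_RE = re.compile(r"[a-z]{3,}")     # crude tokenizer for English words


@dataclass
class Comment:
    body: str
    post_keywords: set          # hypothetical: words describing the post
    post_date: date
    comment_date: date
    author_email: Optional[str] = None
    author_url: Optional[str] = None


def score_comment(c: Comment):
    """Return (spam score, triggered rules). Higher score means spammier."""
    score, reasons = 0, []
    text = c.body.lower()
    words = set(WORD_RE.findall(text))

    # Rule 1: the comment shares no vocabulary with the post it is attached to.
    if not words & {k.lower() for k in c.post_keywords}:
        score += 2; reasons.append("unrelated to post")
    # Rules 2 and 3: generic praise or "I bookmarked your site".
    if any(p in text for p in PRAISE_PHRASES):
        score += 2; reasons.append("generic praise")
    # Rule 5: more than half of the letters are outside ASCII (e.g. Cyrillic).
    letters = [ch for ch in c.body if ch.isalpha()]
    if letters and sum(ord(ch) > 127 for ch in letters) > len(letters) / 2:
        score += 3; reasons.append("non-Latin script")
    # Rule 6: the comment lands on a post older than a couple of weeks.
    if c.comment_date - c.post_date > MAX_COMMENT_AGE:
        score += 1; reasons.append("stale post")
    # Rule 7: the author link points at a site selling something.
    if c.author_url:
        u = urlparse(c.author_url)
        target = (u.netloc + u.path).lower()
        if any(t in target for t in SHADY_LINK_TERMS):
            score += 3; reasons.append("commercial author link")
    # Rule 8: no email address supplied at all.
    if not c.author_email:
        score += 2; reasons.append("no email")
    return score, reasons


def is_spam(c: Comment, threshold: int = 4) -> bool:
    return score_comment(c)[0] >= threshold


# Constructed samples: the earbud comment on a politics post, the Russian
# comment, and a plausible on-topic reply to an iPod post.
EARBUDS = Comment(
    body="Hey cheers! I apply earbuds abroad because health of their "
         "portability, even though I favor over all the ear",
    post_keywords={"election", "politics", "candidate"},
    post_date=date(2012, 1, 15), comment_date=date(2012, 10, 25),
    author_url="http://designer-handbags.example/shop",
)
RUSSIAN = Comment(
    body="фото звезд", post_keywords={"ipod"},
    post_date=date(2012, 6, 10), comment_date=date(2012, 6, 12),
    author_email="someone@example.org",
)
ON_TOPIC = Comment(
    body="I agree the iPod battery replacement was worth it; did the new one last longer?",
    post_keywords={"ipod", "battery"},
    post_date=date(2012, 6, 10), comment_date=date(2012, 6, 12),
    author_email="reader@example.org",
)

if __name__ == "__main__":
    for c in (EARBUDS, RUSSIAN, ON_TOPIC):
        print(is_spam(c), score_comment(c))
```

Rule 1 is the weakest check here: a keyword-overlap test only approximates “relates to the post”, which is why it carries a low weight and why a threshold rather than any single rule decides. Rule 4 (grammar) and rule 9 (does the linking article relate) are left out because neither reduces to a cheap check.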

I think, in all the time I’ve been using Akismet, I’ve had two false positives. I’ve gotten pretty trusting of its results. Of course, it will be interesting to see what spam gets attached to this post.

Of course, what I really want is non-spam comments. That’s where you come in. I encourage you to comment and interact with me on the subjects of my posts, and turn this into a conversation.


--- *** ---

Broadsides on the Plank

Written By: cahwyguy - Wed Sep 19, 2012 @ 11:23 am PDT

Ahoy mateys. Today be humpday, as well as International Talk Like a Pirate Day, and so your Captain thought he would share some broadsides that me parrot done brought me. So while we chow down on our hearty lunch n’ grog, let’s throw these overboard and see what sharks they attract. Aye.

Music: Wichita Lineman (Glen Campbell): “You Better Sit Down Kids”

--- *** ---

Drive By Post: You Know You’ve Been Doing Security Too Long When…

Written By: cahwyguy - Wed Feb 29, 2012 @ 7:25 pm PDT

You know you’ve been doing security too long when you see an article about a restaurant called “A1 Cucina Italiana” opening… and you wonder who did the Orange Book evaluation.

(ducks and runs)


--- *** ---