Archive - March, 2008

Presentation on anonymous surfing and anonymous emailing


I recently did a presentation on anonymous surfing and anonymous emailing for the High Technology Crime Investigation Association. HTCIA is a community that has goals to encourage, promote, aid and effect the voluntary interchange of data, information, experience, ideas and knowledge about methods, processes, and techniques relating to investigations and security in advanced technologies among its membership. The membership includes law enforcement, government, and private sector from different countries including Canada and the United States.

One thing I found challenging when creating the presentation was the technical level to target. HTCIA membership includes individuals and groups from many different disciplines. Most members have different levels of knowledge and experience within any given discipline. With that in mind, I tried to create a presentation that would be beneficial to the majority of individuals.

A PPT compressed slideshow of the presentation is here. There is also a PDF that can be found here. I’d recommend the PPT slideshow over the PDF. Animation doesn’t show well in the PDF and as a result some of the slides are covered over with different layers of the animation.

More on Bill C-10

Looks like Bill C-10 does not even have a problem it is trying to solve with respect to the ability to deny grant money to any film based on some ‘guidelines’ according to Andrew House, spokesperson for the Heritage minister. Makes me even more suspicious. The Star article is here.

Changing Blog Name

When I first set this blog up, it was just to see what blogging was like and if it was useful. I don’t just blog for the sake of blogging, but I like the idea of things I find interesting or am working on in one place that is easily accessible and I can go back and reference if necessary.

Since most of my days (and nights) over the last few years have been dealing with tier 1 service providers around the world and their security, I figured it would mainly be based on those experiences and the security research that I do. I couldn’t think of a good name, so I picked the obvious ‘security’ — not very creative.

The problem with the title ‘security’ is that the blog is turning out to encompass more than just security. It has technical papers I have written, comments on things that I feel are important such as physical security, privacy concerns and whatever else I want to write my comments on and track. I considered starting multiple blogs, but I have enough trouble keeping one blog, and oftentimes an issue in security can start with a technical paper which grows to discussions about architecture and then to politics, law etc. I want to be able to keep these things together.

With respect to technical security publishing, I am still working on what I can technically publish and what I cannot. Given the work we do and our customers, I have to be careful what I write about on the blog. Since I work for a company that relies on research to build products that assist our customers, I have to ensure that I won’t expose our systems or our customers’ systems in any way. That being said, my goal is to have either my research and articles published here, or at least comments on it and reference to a publicly available version of it.

I wrote a blog post the other day and referenced ‘Kaizen’. This seems like a good title to me, so I’ve switched the name of the blog. No big deal, but for anyone wondering why it changed, now you know. If you go to the old URL http://security.michaeldundas.com it will continue to work. That URL now goes to a web server that will issue an HTTP 301 code, which is a notification that a website has moved permanently, and redirect you to the new URL, which is http://kaizen.michaeldundas.com.

Bill C-10, Kaizen and the Frog

Kaizen is a Japanese term that means continuous improvement. I’ve heard it used in business many times and with slightly different interpretations. The most interesting business version was a particular company I consulted for that wanted to impose a new licensing scheme. The problem was that to just impose it on their customers would be bad for business. In order to reach their goal, they did it very slowly. As new features came out on new versions of their software, they started adding additional license requirements. It took them longer, but they got most of their customers converted to the new scheme, all paying effectively more, and their customer loss was negligible. The president of the company described the process to me as ‘Kaizen’ — obtain your goal in baby steps, otherwise you will not be successful.

A similar western analogy is that of a frog in water. It goes like this. If you put a frog in boiling water, it will immediately jump out. If you put the frog in room temperature water and slowly increase the temperature of the water to a boil, the frog, not sensing a big difference, will stay in the water and eventually die.

Kaizen is exactly what the governments do. To me this is the bigger picture of what some of Bill C-10 represents. Bill C-10, among other things, permits the government to decide if a particular film should get funding based on some unpublished ‘guidelines’. These ‘guidelines’ probably have a fair bit of subjectivity to them, can be changed at any time and most likely can be interpreted in many different ways. The word guideline implies a suggestion of a path to take to come to a decision, which is different than a rule, which implies you must take a specific path or a specific action.

On March 4th, The Current, a CBC Radio show, discussed Bill C-10. You can find the podcast here. Pierre Poilievre was interviewed about the bill. One of his first statements was that these ‘guidelines’ are not new and are already used for books and magazines. Bill C-10 permits these same ‘guidelines’ to be applied to film. If you listen to him, he implies that this is nothing new and there is nothing to worry about. These guidelines have obviously worked, we are just now going to apply them to film. Why all the fuss? No big deal … right? This to me is Kaizen or the frog analogy. If I want to change things and I execute the change in baby steps, people tend to not notice or not enough people notice, so the concern is not brought to the forefront for the general public to become aware. I had no idea till I heard this interview that this process was applied to books and magazines. Now that I know, it actually bothers me and it doesn’t make me worry less. His implied ‘because I didn’t know about it, it obviously didn’t affect me’ tone is crap. Maybe the book and magazine people don’t care. Or maybe they did care, but for reasons of popularity they didn’t get enough press to make people aware of it at the time. Regardless, it is not a justification for applying these guidelines to film. Nor is it a justification to imply that people are overreacting and shouldn’t be concerned.

Sam Trosow said the government should publish these ‘guidelines’ and I completely agree with him. However, I would suggest they remain published on a government website and changes cannot be applied to requests for funding unless the website is kept up-to-date. This should be a rule with penalties if it is broken. It should also include a history of all changes. What is to stop the government from changing these ‘guidelines’ in the future without any justification to the public? Since they are guidelines and not rules or law, changing them without notifying the public is probably permitted.

Kaizen, when used by governments and business, can be a bad thing. Expectation of privacy is just one of many examples. With the advances in technology and the cost of technology dropping, privacy is not the same as it was. It used to be that an employee could assume a general amount of geographical location privacy while not at work. My PDA that work provides me with has a GPS. The PDA is constantly connected to servers at my place of employment. Technically, they can know and track my whereabouts anytime they want. They don’t do this of course (I do know that); they are not that type of company, but at any point in time they could. After all, the PDA is owned by the company. It is technically their property so they have a right to track it … right?

As a fictional example, let’s say this company is an office and they started questioning why their employees were at certain places during their off hours. This would probably not be acceptable today. Now, take the same scenario and let’s pretend it is a PDA that belongs to a paramedic. The paramedic is off duty till 6:00 in the morning, but someone notices that their PDA was at a bar till 3:00 in the morning. Does the employer have a right to question the paramedic? People might say ‘yes’ they do because unlike the office scenario, the responsibilities entrusted to a paramedic by the public should allow them to be questioned and it is the responsibility of the organization to do so. Most people would naturally agree, and it becomes acceptable and maybe the company even requires them to now sign a contract giving permission for the company to track their whereabouts 24 hours a day, 7 days a week. After all, this is now perfectly normal and generally people feel this is acceptable. A year later, I could impose a similar policy on the police department. It’s in the public’s best interest, right? And really it’s not a new policy. The policy is in place for paramedics, we are just applying the same policy to the police force. What would be next? Fire fighters, construction workers, security guards …. I don’t know about you, but I see a pattern. At what point will the public start to speak up? Probably when it is too late.

Truecrypt 5.0 review

Excellent review of the latest version of Truecrypt 5.0 by Steve Gibson. Truecrypt is completely open source software. I’ve personally used it for years. This version of Truecrypt supports full system disk encryption and does this on the fly, no need to re-install your operating system. You can even decrypt the drive without re-installing or rebooting.

Audio Books are removing DRM

Another strike for Digital Rights Management! Looks like audio book publishers are now going to remove DRM from their audio books and revert to good old MP3!

Phun

Completely not security related, but physics related. I’ve always liked Physics and even managed to take a first year physics course as an option while I was in University. A colleague of mine, Mou Mukherjee, pointed me to software called Phun, a 2-D physics sandbox. A YouTube video showing it actually being demoed can be seen here. Kind of cool. I’m going to download it and play with it when I get some time.

Security checkpoints inside airport terminals

On my last three trips I have noticed a trend at our airport that I find extremely inconvenient, slightly concerning and for the life of me cannot understand what the airport security is hoping to accomplish. Within a particular terminal in the middle of seemingly nowhere, there are guards that ask you to present your boarding pass.

My family and I were taking our vacation last week. We arrived at the airport early in the morning as we had an early flight. We did the usual routine of checking in, acquiring our boarding passes, going through security and waiting at our gate. Once we were settled at the gate, we had a 2 hour wait till we were to board the plane and had not had breakfast. I decided to wander to the coffee shop to get drinks and something to snack on for everyone. In order for me to get to the coffee shop I had to present my boarding pass to a security official. I found this very odd. Intrigued, I presented my boarding pass to her. She glanced at it quickly. From what I could tell based on her eyes, she was looking at the date or terminal number. I was allowed to pass through. I purchased my items and was carrying them back to the gate where my family was, and of course I had to pull out my boarding pass and present it again. This time, I had to juggle the coffees and snacks to get my boarding pass in a position where she could glance at it to give me the okay. I passed through and went back to the gate and wondered what was the point?

After I finished my coffee, I was so curious, I wandered through the entire terminal as far as possible and returned to my gate attempting to understand why this security checkpoint was required. Was there something different about this terminal that made the checkpoint required? I couldn’t find anything. The security personnel force everyone to do it and at times the lineup was quite large with people waiting 10-15 minutes to get through. The sign above the checkpoint is a permanent sign stating that you must present your boarding pass, so I assume the checkpoint is required for some reason, yet there was another permanent sign 100m down the same hall and it was not manned.

Looking at my boarding pass, you can’t identify if it is me or not. I could be holding the wrong boarding pass, a fake boarding pass or someone else’s pass, so they can’t be checking for that. There is no way the security personnel are checking if you are on the right flights, as they were not running the boarding pass through any computer to cross reference your information with the information on the boarding pass. They could be checking that it is the right date, right terminal, and maybe that the flight time is within a given range from the current time I suppose, but all this is checked when I pass through the security screening checkpoint in order to get to the gates, and they are glancing way too quickly at the boarding pass to make that level of assessment. You move into a different ‘security zone’ when you pass through security screening. You can’t leave that zone without either boarding a plane or going through the security screening again. This ‘checkpoint’ is not a different zone, it is just in the middle of the terminal.

As far as I can tell it is just security theatre. It is a rather large inconvenience, a waste of money and time, most importantly my time. I have little to no patience for this type of thing; it just makes me angry. I’m all for making sure things are secure. But I expect a security step is necessary and by executing the step, you obtain some benefit. I suppose someone could argue that it is a secondary check to catch people who have slipped past the first screening. In which case I’d suggest you put the money towards fixing the issues with the first step, rather than waste money and people’s time on a step that is easily thwarted by someone who had reason or intent to bypass it. I don’t believe this helps people understand and accept security. It just frustrates them and makes them question it more and more.