Michael N. Dundas

A place to record my thoughts and musings.

Archive for August, 2008

I, like most in Canada, have been following Maple Leaf Foods and the listeriosis outbreak. I drive approximately an hour for work 3 or 4 times per week and usually listen to CBC. That, along with reading a few news articles on the web, has allowed me to keep up with the public version of events.

Michael McCain really impressed me. His public apology was probably the most genuine and sincere I have ever seen from a CEO. I think a lot of businesses could learn from him. I suppose that it could all be staged, but regardless it was a nice change from what a business typically does when it is at the center of an issue with negative overtones.

I was reading about a press conference Michael McCain gave on August 27th and suddenly something didn’t make sense. Michael McCain said that Maple Leaf should bear all the costs and responsibilities of the outbreak. Specifically:

“I absolutely do not believe this is a failure of the Canadian food safety system or the regulators,” he said at a news conference in Toronto on Wednesday afternoon. “Certainly knowing there is a desire to assign blame, I want to reiterate that the buck stops here.”

Contrast McCain’s statement with an interview on CBC (podcast of the interview is here) on August 25th with Linda Smith, a spokesperson for Maple Leaf Foods. Throughout her interview Linda Smith assured the public that Maple Leaf Foods followed the protocols of the Canadian Food Inspection Agency and Health Canada exactly and never deviated from them. Comments in the interview included:

  • manage exactly to the CFIA protocol
  • manage to absolute exactitude
  • We live and breathe those protocols and have never deviated from those protocols
  • All facilities follow to an exactitude Health Canada’s management protocols
  • We did everything that we are supposed to do
  • Moving forward, going beyond protocols and testing all products, with a hold and release procedure
  • Followed the food safety standards to the letter or exceeded those requirements.

I am not a food services expert, but common sense dictates that either Michael McCain or Linda Smith must be mistaken. If Maple Leaf Foods did follow all the protocols, then there is obviously a problem with the protocols and they need to be reviewed at a government level. If Maple Leaf Foods didn’t follow the protocols, then Linda Smith is mistaken. So which one is correct?

UPDATE:
Post on how the CFIA is continuing with a plan to lower inspection requirements for domestic meat products.

In a previous post I commented about the MIT students being blocked from presenting their vulnerability findings on the Massachusetts Bay Transit Authority. Bruce Schneier summarizes the history of full disclosure and why blocking the students was wrong in an article on wired.com. He also references a post by Matt Blaze which has similar comments, both more elegantly worded than mine.

Of course, attacks like these are becoming more and more prevalent lately. Here is an attack on the California Bay Area road toll system. The part that worries me is not the fraud, but the idea that you could use the toll system to create a false alibi, or use it to frame someone else. Lawyers and law enforcement will have to dig deep into anyone using the technology as evidence.

I came across this article. It is a great synopsis of how easy it is to track the location of someone using their own mobile phone. Third party companies are popping up to offer services like this. How do they do it? It is easy, since some service providers are selling location data to anyone that wants it. What interested me about the article is that it highlights how security analysis is changing. If you look at many of the current research papers and projects, they involve using statistical data to determine patterns and what a particular user or group of users is up to. This removes the need for signatures, and can also yield useful information even if encryption is present.

Some key statements in the article that caught my attention:

  • Anyone can, for instance, sign up – at £29.99 a year – to mapAmobile.com (‘you’ll always know where your loved ones are’), which allows you to follow the movements of your ‘family and friends’ on a computer screen
  • That this sort of enterprising solution is possible is the result of the major networks – in the UK, Vodafone, Orange, O2 and T-Mobile – having decided, in around 2002, to sell their location data to any company willing to pay for it.
  • the information your phone provides is out there anyway. It doesn’t belong to you, and anyone with the required resources can do with it what they will.
  • Everyone on a network, he said, is part of a group; most groups talk to other groups, creating a spider’s web of interactions.
  • The remaining groups ranged in size from two to 142 subscribers. Members of these groups only ever called each other – clear evidence of antisocial behaviour – and, in one extreme case, a group was identified in which all the subscribers only ever called a single number at the centre of the web. This section of the ThorpeGlen presentation ended with one word: ‘WHY??’
  • It also sells ‘profiling’ systems, which measure the behaviour pattern of an individual subscriber and, using statistical analysis, determine whether that same pattern is now appearing from another source.

A recent example of this type of research is the Switzerland project, which was in alpha at the time of this post. This is an open source project designed to detect when service providers modify or change subscriber packets before letting them continue on in the network.
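The core idea behind a tool like Switzerland, as an added illustration that is not the project's own code: both ends of a connection record a digest of each packet, and comparing the two records reveals packets that were altered, dropped or injected in transit. The packets below are constructed, the `(src, dst, ip_id)` key is an assumed stand-in for how the real tool pairs up packets, and the digest deliberately skips fields (like TTL) that routers change legitimately.

```python
"""Added example: detect in-flight packet modification by comparing
per-packet digests recorded at the sender and at the receiver.
Not the Switzerland project's code; all packets are constructed."""
import hashlib


def digest(pkt):
    """Fingerprint only the fields an intermediary must not change.
    TTL is left out on purpose: every hop decrements it, so including
    it would flag every packet as modified."""
    return hashlib.sha256(pkt["payload"]).hexdigest()


def compare(sent, received):
    """Classify each packet as ok / modified / dropped / injected.
    Packets are matched by an assumed (src, dst, ip_id) key."""
    key = lambda p: (p["src"], p["dst"], p["ip_id"])
    sent_by_key = {key(p): digest(p) for p in sent}
    recv_by_key = {key(p): digest(p) for p in received}
    report = {"ok": [], "modified": [], "dropped": [], "injected": []}
    for k, d in sent_by_key.items():
        if k not in recv_by_key:
            report["dropped"].append(k)        # never arrived
        elif recv_by_key[k] != d:
            report["modified"].append(k)       # arrived with different bytes
        else:
            report["ok"].append(k)
    for k in recv_by_key:
        if k not in sent_by_key:
            report["injected"].append(k)       # receiver saw it, sender never sent it
    return report


# Constructed traffic: four packets sent; en route one is altered, one is
# dropped, and one packet appears at the receiver that was never sent.
# TTL differs at both ends (64 vs 60), which must NOT count as modification.
SENT = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 1, "ttl": 64, "payload": b"GET /a"},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 2, "ttl": 64, "payload": b"GET /b"},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 3, "ttl": 64, "payload": b"GET /c"},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 4, "ttl": 64, "payload": b"GET /d"},
]
RECEIVED = [
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 1, "ttl": 60, "payload": b"GET /a"},
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 2, "ttl": 60, "payload": b"GET /x"},  # altered
    {"src": "10.0.0.1", "dst": "10.0.0.2", "ip_id": 4, "ttl": 60, "payload": b"GET /d"},
    {"src": "10.0.0.2", "dst": "10.0.0.1", "ip_id": 99, "ttl": 60, "payload": b"RST"},    # never sent
]

if __name__ == "__main__":
    for kind, keys in compare(SENT, RECEIVED).items():
        print(f"{kind:9s} {keys}")
```

The interesting design decision is what goes into the digest: too much (TTL, checksums, anything NAT rewrites) and every packet looks modified; too little and real tampering is missed.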

Another research project was able to detect what movie you were watching via a Slingbox even though it was encrypted.
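Both the Slingbox result and the "useful information even if encryption is present" point above rest on the same observation: encryption hides the payload but not the packet sizes, and a size histogram is a fingerprint. The following is an added example, not code from that research or from this post; the "title" traces and the observed stream are invented numbers, and the cosine-similarity classifier is an assumed, deliberately simple stand-in for whatever the researchers actually used. It also shows the usual mitigation, padding every packet to a fixed size, collapsing the fingerprint.

```python
"""Added example: fingerprint an encrypted stream by packet-size
histogram, then show that padding removes the signal.
All traces are constructed; the method is illustrative."""
from collections import Counter
import math

# Constructed packet-size traces (bytes per packet) for two "titles".
PROFILES = {
    "title_A": [1400, 1400, 320, 1400, 1400, 1400, 180, 1400, 320, 1400],
    "title_B": [600, 600, 600, 900, 600, 200, 600, 600, 900, 600],
}

# Constructed observed stream: title_A with one packet size perturbed.
OBSERVED = [1400, 1400, 320, 1400, 1300, 1400, 180, 1400, 320, 1400]


def size_histogram(sizes, bucket=100):
    """Bucket packet sizes and normalize: the stream's fingerprint."""
    counts = Counter(s // bucket * bucket for s in sizes)
    total = sum(counts.values())
    return {b: c / total for b, c in counts.items()}


def cosine(h1, h2):
    """Cosine similarity between two sparse histograms (0.0 .. 1.0)."""
    keys = set(h1) | set(h2)
    dot = sum(h1.get(k, 0) * h2.get(k, 0) for k in keys)
    n1 = math.sqrt(sum(v * v for v in h1.values()))
    n2 = math.sqrt(sum(v * v for v in h2.values()))
    return dot / (n1 * n2) if n1 and n2 else 0.0


def classify(observed, profiles=PROFILES, bucket=100, threshold=0.5):
    """Return (best_match, score); 'unknown' when nothing scores above threshold."""
    h = size_histogram(observed, bucket)
    scored = {name: cosine(h, size_histogram(trace, bucket))
              for name, trace in profiles.items()}
    best = max(scored, key=scored.get)
    if scored[best] < threshold:
        return "unknown", scored[best]
    return best, scored[best]


def pad_to(sizes, block=1500):
    """Mitigation: pad every packet to one fixed size so the histogram
    has a single bucket and carries no information about the content."""
    return [block for _ in sizes]


if __name__ == "__main__":
    print("raw stream   ->", classify(OBSERVED))
    print("padded stream->", classify(pad_to(OBSERVED)))
```

The unpadded stream matches `title_A` with a similarity close to 1 even though one packet size differs; after padding, every profile scores 0 and the classifier returns `unknown`. Padding costs bandwidth, which is exactly why most streaming protocols do not do it.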

I attended DefCon 16 this year. A presentation by 3 MIT students Zack Anderson, RJ Ryan, and Alessandro Chiesa on the last day of the conference was stopped by a federal court judge. The order is here, and more details can be found here. The slides to their presentation had already been published on the Defcon CD that is distributed to all attendees.

Defcon issued a twitter notification to all attendees immediately this morning to disseminate the news. The EFF in their scheduled time slot preempted what they had originally been presenting to first discuss this in a press release. The EFF will be representing the students. What disappointed me the most, and the main reason I am blogging this, was that during the press release it was discovered that the students did everything right. They had met with the Massachusetts Bay Transportation Authority (MBTA) at their convenience prior to Defcon and discussed the vulnerability in detail with them. The impression was that the meeting was friendly, went well and there were no issues. Then on Friday and Saturday (the presentation was to be on Sunday), the MBTA managed to secure a temporary restraining order at the last minute. This makes me sad. It suggests that properly informing companies of the vulnerability before releasing the details may not be the right thing to do. Researchers in the future may very well look at this example and decide to just publish without bothering to inform companies. Everyone needs to play by the rules for responsible disclosure to work.

Vulnerabilities such as these are not new either. There was a presentation at Blackhat last week as well. The company Mifare chooses to try and cover these vulnerabilities up and stop them from being published rather than fix the issues and learn to design secure software.

I have been fortunate to attend Blackhat USA 2008 this year. I don’t usually pay too much attention to the vendors present as I am much more interested in the training, the researchers and their presentations and papers, but I usually peruse the vendor booths at some point during the conference.

I stopped at Splunk’s booth for two reasons. The first was that Alex Bewley mentioned them on his blog. I used to work for Alex at a previous company. Alex is a smart guy (in my opinion anyway), so the fact that he took the time to mention them is worth noting. The second reason was I knew they had something to do with log management, analysis and forensics. Analysis and forensics are a big part of my job and a natural interest I have always had. It is why I like working in security.

One of the first things that struck me was that the staff were genuinely nice. You could tell they were enjoying themselves and for the most part enjoyed their jobs and liked working for Splunk. It wasn’t just one or two of them either, it was all of them. They were all open, honest people and this was readily apparent. It was like you were talking to real people, not a facade. Even the demo they gave didn’t feel like a sales presentation. It is really great when a company lets employees be themselves and trusts they will do the right thing. This is all part of a company’s corporate culture, which is very important. Lately in talking to others, especially at this conference, I get the sense that corporate culture is getting worse instead of better. One of the main reasons I enjoy working at Sandvine and have been at Sandvine as long as I have is their corporate culture. I have no doubt our culture is very similar to Splunk’s. Alex also wrote a blog entry on corporate culture recently. If you are interested it can be found here.

The Splunk staff gave me a detailed tour of their software. In simple terms, it can take anything in ASCII and index it. But it does so much more. You can search, create events, correlate different events, and produce graphs and alerts. It is extremely configurable and easy to use. Anyone who has logs or events from any system and needs to analyze them, forensically, proactively or for any other reason, should give Splunk a try.

Splunk has taken a problem (log management) which has been around for a very long time and made it easy. No need to write custom code and scripts and have people maintaining them through changes and upgrades. My first job out of school was a firewall administrator for a large financial institution. One of my tasks was to automate the processing of the firewall logs, create alerts, automated responses etc. I used perl and did a pretty good job I think. However, I wish back then I had something like Splunk. It is a really well thought out piece of software. I was impressed and I don’t impress easily.
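To make the "index it, search it, correlate it, alert on it" pipeline concrete, here is an added example of the kind of firewall-log automation described above; it is neither the perl from that first job nor anything from Splunk. The log lines are constructed in an assumed iptables-like format, the `LINE_RE` pattern, the port-scan threshold (5 distinct ports in 60 seconds) and the 5-minute escalation window are all assumptions, and the last sample line is deliberately garbage to show that one bad line must not stop the run.

```python
"""Added example: parse firewall log lines, build a field index, and
raise alerts from two rules (port scan; scan followed by an ACCEPT).
Log format, thresholds and sample lines are constructed/assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed iptables-like line layout; real formats vary and need their own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) fw kernel: (?P<action>ACCEPT|DROP) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

# Constructed sample log: one source probes five ports then gets an
# accepted SSH connection; a second source is ordinary traffic.
SAMPLE_LOG = """\
2008-08-11T09:00:01 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=21
2008-08-11T09:00:02 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
2008-08-11T09:00:02 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=25
2008-08-11T09:00:03 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
2008-08-11T09:00:04 fw kernel: DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=110
2008-08-11T09:00:09 fw kernel: ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
2008-08-11T09:01:00 fw kernel: ACCEPT SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
2008-08-11T09:01:30 fw kernel: DROP SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP DPT=161
this line is garbage and must not crash the parser
"""


def parse(log_text):
    """Turn raw lines into event dicts. Unparseable lines are counted, not fatal."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dpt"] = int(ev["dpt"])
        events.append(ev)
    return events, skipped


def index_by(events, field):
    """Inverted index: field value -> events. This is what lets a log tool
    answer 'everything from SRC=x' without rescanning the raw text."""
    idx = defaultdict(list)
    for ev in events:
        idx[ev[field]].append(ev)
    return idx


def scan_alerts(events, threshold=5, window=timedelta(seconds=60)):
    """Rule 1: one source has DROPs to >= threshold distinct ports inside window."""
    alerts = []
    for src, evs in index_by(events, "src").items():
        drops = sorted((e for e in evs if e["action"] == "DROP"), key=lambda e: e["ts"])
        for i, first in enumerate(drops):
            in_window = [e for e in drops[i:] if e["ts"] - first["ts"] <= window]
            ports = {e["dpt"] for e in in_window}
            if len(ports) >= threshold:
                alerts.append({"rule": "port-scan", "src": src,
                               "start": first["ts"], "ports": sorted(ports)})
                break  # one alert per source is enough
    return alerts


def correlate_scan_then_accept(events, alerts, window=timedelta(minutes=5)):
    """Rule 2: a source that triggered a port-scan alert later gets an ACCEPT.
    A scan that turns into an accepted session is worth escalating."""
    by_src = index_by(events, "src")
    escalated = []
    for a in alerts:
        if a["rule"] != "port-scan":
            continue
        accepted = sorted(e["dpt"] for e in by_src[a["src"]]
                          if e["action"] == "ACCEPT"
                          and timedelta(0) <= e["ts"] - a["start"] <= window)
        if accepted:
            escalated.append({"rule": "scan-then-accept", "src": a["src"],
                              "accepted_ports": accepted})
    return escalated


if __name__ == "__main__":
    events, skipped = parse(SAMPLE_LOG)
    print(f"{len(events)} events indexed, {skipped} line(s) skipped")
    alerts = scan_alerts(events)
    for a in alerts + correlate_scan_then_accept(events, alerts):
        print(a)
```

The two rules are the point: the first is a plain threshold over an index, the second joins the output of the first back against the index, which is the "correlate different events" step that separates a log indexer from `grep`.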

“See what happens when you put a bunch of guys together that work hard and like what they do. Things get done.” — Mike Holmes

I honestly believe there is a direct correlation between Corporate Culture and good software.