When I first set this blog up, it was just to see what blogging was like and if it was useful. I don’t just blog for the sake of blogging, but I like the idea of things I find interesting or am working on in one place that is easily accessible and I can go back and reference if necessary.
Since most of my days (and nights) over the last few years have been dealing with tier 1 service providers around the world and their security, I figured it would mainly be based on those experiences and the security research that I do. I couldn’t think of a good name, so I picked the obvious ‘security’ — not very creative.
The problem with the title ‘security’ is that the blog is turning out to encompass more than just security. It has technical papers I have written, comments on things that I feel are important such as physical security, privacy concerns and whatever else I want to write my comments on and track. I considered starting multiple blogs but I have enough trouble keeping one blog, and oftentimes an issue in security can start with a technical paper which grows to discussions about architecture and then to politics, law etc. I want to be able to keep these things together.
With respect to technical security publishing, I am still working out what I can technically publish and what I cannot. Given the work we do and our customers, I have to be careful what I write about on the blog. Since I work for a company that relies on research to build products that assist our customers, I have to ensure that I won’t expose our systems or our customers’ systems in any way. That being said, my goal is to have either my research and articles published here, or at least comments on it and a reference to a publicly available version of it.
I wrote a blog post the other day and referenced ‘Kaizen’. This seems like a good title to me, so I’ve switched the name of the blog. No big deal, but for anyone wondering why it changed, now you know. If you go to the old URL http://security.michaeldundas.com it will continue to work. That URL now goes to a web server that will issue an HTTP 301 code, which is a notification that a website has moved permanently, and redirect you to the new URL, which is http://kaizen.michaeldundas.com.
Kaizen is a Japanese term that means continuous improvement. I’ve heard it used in business many times and with slightly different interpretations. The most interesting business version was a particular company I consulted for that wanted to impose a new licensing scheme. The problem was that to just impose it on their customers would be bad for business. In order to reach their goal, they did it very slowly. As new features came out on new versions of their software, they started adding additional license requirements. It took them longer, but they got most of their customers converted to the new scheme, all paying effectively more, and their customer loss was negligible. The president of the company described the process to me as ‘Kaizen’ — obtain your goal in baby steps, otherwise you will not be successful.
A similar western analogy is that of a frog in water. It goes like this. If you put a frog in boiling water, it will immediately jump out. If you put the frog in room temperature water and slowly increase the temperature of the water to a boil, the frog, not sensing a big difference, will stay in the water and eventually die.
Kaizen is exactly what governments do. To me this is the bigger picture of what some of Bill C-10 represents. Bill C-10, among other things, permits the government to decide if a particular film should get funding based on some unpublished ‘guidelines’. These ‘guidelines’ probably have a fair bit of subjectivity to them, can be changed at any time and most likely can be interpreted in many different ways. The word guideline implies a suggestion of a path to take to come to a decision, which is different from a rule, which implies you must take a specific path or a specific action.
On March 4th, The Current, a CBC Radio show, discussed Bill C-10. You can find the podcast here. Pierre Poilievre was interviewed about the bill. One of his first statements was that these ‘guidelines’ are not new and are already used for books and magazines. Bill C-10 permits these same ‘guidelines’ to be applied to film. If you listen to him, he implies that this is nothing new and there is nothing to worry about. These guidelines have obviously worked; we are just now going to apply them to film. Why all the fuss? No big deal … right? This to me is Kaizen or the frog analogy. If I want to change things and I execute the change in baby steps, people tend not to notice, or not enough people notice, so the concern is not brought to the forefront for the general public to become aware. I had no idea until I heard this interview that this process was applied to books and magazines. Now that I know, it actually bothers me and it doesn’t make me worry less. His implication that, because I didn’t know about it, it obviously didn’t affect me is crap. Maybe the book and magazine people don’t care. Or maybe they did care, but for reasons of popularity they didn’t get enough press to make people aware of it at the time. Regardless, it is not a justification for applying these guidelines to film. Nor is it a justification to imply that people are overreacting and shouldn’t be concerned.
Sam Trosow said the government should publish these ‘guidelines’ and I completely agree with him. However, I would suggest they remain published on a government website and that changes cannot be applied to requests for funding unless the website is kept up-to-date. This should be a rule with penalties if it is broken. It should also include a history of all changes. What is to stop the government from changing these ‘guidelines’ in the future without any justification to the public? Since they are guidelines and not rules or law, changing them without notifying the public is probably permitted.
Kaizen, when used by governments and business, can be a bad thing. Expectation of privacy is just one of many examples. With the advances in technology and the cost of technology dropping, privacy is not the same as it was. It used to be that an employee could assume a general amount of geographical location privacy while not at work. The PDA that work provides me with has a GPS. The PDA is constantly connected to servers at my place of employment. Technically, they can know and track my whereabouts anytime they want. They don’t do this of course (I do know that); they are not that type of company, but at any point in time they could. After all, the PDA is owned by the company. It is technically their property so they have a right to track it … right?
As a fictional example, let’s say this company is an office and they started questioning why their employees were at certain places during their off hours. This would probably not be acceptable today. Now, take the same scenario and let’s pretend it is a PDA that belongs to a paramedic. The paramedic is off duty until 6:00 in the morning, but someone notices that their PDA was at a bar until 3:00 in the morning. Does the employer have a right to question the paramedic? People might say ‘yes’ they do because, unlike the office scenario, the responsibilities entrusted to a paramedic by the public should allow them to be questioned and it is the responsibility of the organization to do so. Most people would naturally agree, and it becomes acceptable, and maybe the company even requires them to now sign a contract giving permission for the company to track their whereabouts 24 hours a day, 7 days a week. After all, this is now perfectly normal and generally people feel this is acceptable. A year later, I could impose a similar policy on the police department. It’s in the public’s best interest, right? And really it’s not a new policy. The policy is in place for paramedics; we are just applying the same policy to the police force. What would be next? Fire fighters, construction workers, security guards … I don’t know about you, but I see a pattern. At what point will the public start to speak up? Probably when it is too late.
Excellent review of the latest version of Truecrypt 5.0 by Steve Gibson. Truecrypt is completely open source software. I’ve personally used it for years. This version of Truecrypt supports full system disk encryption and does this on the fly, with no need to re-install your operating system. You can even decrypt the drive without re-installing or rebooting.
Another strike for Digital Rights Management! Looks like audio book publishers are now going to remove DRM from their audio books and revert to good old MP3!
Completely not security related, but physics related. I’ve always liked physics and even managed to take a first year physics course as an option while I was in university. A colleague of mine, Mou Mukherjee, pointed me to software called Phun, a 2-D physics sandbox. A YouTube video showing it actually being demoed can be seen here. Kind of cool. I’m going to download it and play with it when I get some time.
On my last three trips I have noticed a trend at our airport that I find extremely inconvenient, slightly concerning, and for the life of me I cannot understand what the airport security is hoping to accomplish. Within a particular terminal, in the middle of seemingly nowhere, there are guards that ask you to present your boarding pass.
My family and I were taking our vacation last week. We arrived at the airport early in the morning as we had an early flight. We did the usual routine of checking in, acquiring our boarding passes, going through security and waiting at our gate. Once we were settled at the gate, we had a two-hour wait until we were to board the plane and had not had breakfast. I decided to wander to the coffee shop to get drinks and something to snack on for everyone. In order for me to get to the coffee shop I had to present my boarding pass to a security official. I found this very odd. Intrigued, I presented my boarding pass to her. She glanced at it quickly. From what I could tell based on her eyes, she was looking at the date or terminal number. I was allowed to pass through. I purchased my items and was carrying them back to the gate where my family was, and of course I had to pull out my boarding pass and present it again. This time, I had to juggle the coffees and snacks to get my boarding pass in a position where she could glance at it to give me the okay. I passed through, went back to the gate and wondered what the point was.
After I finished my coffee, I was so curious that I wandered through the entire terminal as far as possible and returned to my gate attempting to understand why this security checkpoint was required. Was there something different about this terminal that made the checkpoint required? I couldn’t find anything. The security personnel force everyone to do it and at times the lineup was quite large, with people waiting 10-15 minutes to get through. The sign above the checkpoint is a permanent sign stating that you must present your boarding pass, so I assume the checkpoint is required for some reason, yet there was another permanent sign 100m down the same hall and it was not manned.
Looking at my boarding pass, you can’t identify if it is me or not. I could be holding the wrong boarding pass, a fake boarding pass or someone else’s pass, so they can’t be checking for that. There is no way the security personnel are checking if you are on the right flight, as they were not running the boarding pass through any computer to cross reference your information with the information on the boarding pass. They could be checking that it is the right date, right terminal, and maybe that the flight time is within a given range from the current time, I suppose, but all this is checked when I pass through the security screening checkpoint in order to get to the gates, and they are glancing way too quickly at the boarding pass to make that level of assessment. You move into a different ‘security zone’ when you pass through security screening. You can’t leave that zone without either boarding a plane or going through the security screening again. This ‘checkpoint’ is not a different zone; it is just in the middle of the terminal.
As far as I can tell it is just security theatre. It is a rather large inconvenience, a waste of money and time, most importantly my time. I have little to no patience for this type of thing; it just makes me angry. I’m all for making sure things are secure. But I expect a security step to be necessary and that by executing the step, you obtain some benefit. I suppose someone could argue that it is a secondary check to catch people who have slipped past the first screening. In which case I’d suggest you put the money towards fixing the issues with the first step, rather than waste money and people’s time on a step that is easily thwarted by someone who had reason or intent to bypass it. I don’t believe this helps people understand and accept security. It just frustrates them and makes them question it more and more.
Good article forwarded to me by a colleague. It was written by Harvey Schachter. It highlights some quick ways to differentiate between good and bad managers. The article is here, but I’m copying it here in case it ‘disappears’ for some reason in the future.
Some managers are competent while others are not. Here are 10 ways that serial entrepreneur Margaret Heffernan says she spots the incompetents. If a manager displays any one of these behaviours, she writes on FastCompany.com, it should ring a warning bell and more than two means you should sound the alarm:
Bias against actions
There are always many reasons not to take a decision. Real leaders display a constant bias for action while the incompetents wait for more information, more options and more opinions.
Beware of a manager who always fights against telling staff about what’s happening, worrying it will distract or confuse employees. Very few matters in business must remain confidential and good managers can identify those easily.
Managers must see a problem, address it head on, and move on. If the manager is afraid to raise issues with employees because it might hurt their feelings, problems won’t be resolved.
Love of procedure
Managers who cling to the rulebook have forgotten that rules and processes are meant to expedite business not ritualize it. “Love of procedure often masks a fatal inability to prioritize – a tendency to polish the silver while the house is burning,” she says.
Preference for weak candidates
When a choice has to be made between candidates, an incompetent manager will often avoid super-competent recruits in favour of junior or weaker alternatives. Good managers know you must hire people smarter than yourself but weak managers can feel threatened by such folk.
Focus on small tasks
Unable to handle their actual job, they get lost in preparing perfect spreadsheets and making sure data is completely up-to-date.
Allergy to deadlines
A deadline is a commitment, but some managers cannot set and stick to deadlines or honour commitments.
Inability to hire former employees
If you hire a new manager who doesn’t attract new recruits from the previous company, it’s a sign that manager hasn’t mentored others or won their respect.
Addiction to consultants
A good way to put off making decisions is to hire consultants, and so often this is a route a weak manager will take. When the consultant’s report comes in, it also can chew up time.
Bad managers work long hours. “They think this is a brand of heroism but it is probably the single biggest hallmark of incompetence. To work effectively, you must prioritize and you must pace yourself. The manager who boasts of late nights and no time off cannot manage himself so you’d better not let him manage anyone else,” she writes.
Credit card companies a few years ago were dealing with the problem of stolen credit cards and expiry dates. If you have a bunch of these and an Internet connection you can get a lot of things and do a lot of damage. Attempting to mitigate this problem, credit card companies came out with the idea of a CVC (Card Verification Check) number on the back of the card. The idea being that if you are not swiping the card, you would have to give this number as well in order for the transaction to proceed. This would prove that you physically have the card in your possession. But the key to this working is that no one ever stores the CVC. You enter the CVC during the transaction, it is transmitted for verification and it is NOT stored. Of course you are relying on businesses not to store this number. Nothing stops them from actually doing it. This is what happened at Geeks.com. Geeks.com sent a letter to their affected customers basically stating they are sorry for the breach, but it is now the customer’s problem to deal with. Does anyone see a problem with this? A business fails in the security measures that it decided on to protect customer data and it is now the customer’s problem.
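The storage mistake the post describes, shown next to the fix, as an added example (this is not code from the post or from any merchant mentioned in it). The processor call is a stand-in function, and every card number, expiry and CVC below is a constructed test value, not a real card.

```python
"""Added example, not code from the post: an order-storage routine that
persists the CVC beside one that uses it only for the authorization call.
All card data here is constructed test data."""
import re
from typing import Callable, Dict, List

# Constructed checkout form, as a merchant backend would receive it.
SAMPLE_CHECKOUT: Dict[str, object] = {
    "pan": "4111111111111111",   # well-known test PAN, not a live card
    "expiry": "12/29",
    "cvc": "123",
    "amount_cents": 4999,
}

# Field names that must never appear in a persisted order record.
CVC_FIELD_NAMES = {"cvc", "cvv", "cvv2", "cvc2", "csc", "security_code"}


def fake_processor_authorize(pan: str, expiry: str, cvc: str, amount_cents: int) -> bool:
    """Stand-in for the card processor (assumption: the real one is reached over TLS).
    It only checks that a PAN and a CVC of the right shape came with the request."""
    return (bool(re.fullmatch(r"\d{13,19}", pan))
            and bool(re.fullmatch(r"\d{3,4}", cvc))
            and amount_cents > 0)


def store_order_insecure(checkout: Dict[str, object], db: List[Dict[str, object]]) -> None:
    """The mistake the post describes: the whole form, CVC and full PAN included,
    is written to the orders table and stays there."""
    db.append(dict(checkout))


def store_order_secure(checkout: Dict[str, object], db: List[Dict[str, object]],
                       authorize: Callable[[str, str, str, int], bool] = fake_processor_authorize
                       ) -> Dict[str, object]:
    """Use the CVC once, for the authorization request, then persist a record
    that holds neither the CVC nor the full card number."""
    pan = str(checkout["pan"])
    authorized = authorize(pan, str(checkout["expiry"]),
                           str(checkout["cvc"]), int(checkout["amount_cents"]))
    record = {
        "pan_last4": pan[-4:],
        "expiry": checkout["expiry"],
        "amount_cents": checkout["amount_cents"],
        "authorized": authorized,
    }
    db.append(record)
    return record


def find_stored_cvc(db: List[Dict[str, object]]) -> List[int]:
    """Audit: indexes of persisted records that still carry a CVC-like field."""
    return [i for i, rec in enumerate(db) if CVC_FIELD_NAMES & {k.lower() for k in rec}]


def find_stored_full_pan(db: List[Dict[str, object]]) -> List[int]:
    """Audit: indexes of persisted records holding an unmasked card number."""
    return [i for i, rec in enumerate(db)
            if any(isinstance(v, str) and re.fullmatch(r"\d{13,19}", v) for v in rec.values())]


if __name__ == "__main__":
    bad_db: List[Dict[str, object]] = []
    good_db: List[Dict[str, object]] = []
    store_order_insecure(SAMPLE_CHECKOUT, bad_db)
    store_order_secure(SAMPLE_CHECKOUT, good_db)
    print("records leaking CVC (insecure store):", find_stored_cvc(bad_db))
    print("records leaking CVC (secure store):  ", find_stored_cvc(good_db))
```

The two audit helpers are the useful part for a defender: run them over whatever the order table, backups and request logs actually contain, because the post's point is that the CVC scheme only works if the field never survives the transaction anywhere.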
The answer here to me is obvious. Businesses cannot be trusted to do the right thing. They can be trusted to do what makes the most financial sense and they always will take this path. We have seen this time and time again and there are way too many examples to list. People like Bruce Schneier have commented on this over and over again for years. Lauren Weinstein has an excellent example of this.
The answer to this is easy. Put the burden on the companies, financial institutions and anyone that stores third party financial information. I’m not a lawyer and this would have to be legally worded, but something like this:
“If for any reason you in any way use or store for any period of time third party financial or personal information for any purpose, you are completely and totally responsible for any breach of this information, directly or indirectly, for as long as you in any way have possession of the data. You are legally and financially responsible for any misuse resulting from the breach of this information.”
We need to make it the businesses’ problem. I think this is fair. The businesses decide their security measures. The businesses decide how to protect the data. The businesses decide what level of competent experts to hire to design, monitor, and secure their systems. As a consumer, I have no say or control in these matters. I am forced to trust them. Trust that they are secure. Trust that they are competent. When that trust, which has been imposed on me, is breached, they should be responsible. If the businesses are financially and legally responsible they will fix the problem. Business will fix the problem because, as we have historically seen over and over again, they do this by nature. They do what makes the most financial sense for them. By making them legally and financially responsible it becomes in their best interest to do what makes the most financial sense for them: protect customer data.
The only right thing geeks.com did here was to contact law enforcement.
I just finished the show Unseen Connections: New ways that objects and people are linked.
Great show. They discuss RFID tags, how they work and examples of their uses today: casinos use them in chips to stop forgery, and they can be used in consumer products to store information such as the product lot number, when and where it was manufactured, and other information that can be extracted.
Smart homes were discussed. In the interview they discussed that, up until recently, the hold back to the adoption of smart homes has been compatibility. This has now been overcome by the Amigo Project, an open source project that is supported by most vendors. One of the issues currently being researched by this project is privacy. With your home all connected, privacy is naturally a big concern. Lots of information can be generated by a smart home and the devices in your home: what you purchase, how often you cook, what you watch, what items you take with you, prescription information. This type of personal information is valuable and wanted by marketing and research firms. Privacy is becoming one of the hottest issues on the internet and it only makes sense that this issue is of even more concern in your home as it becomes more and more connected to the outside world. I look forward to the results of their research. Although a smart home is something that really intrigues me, I worry about both security and privacy. If my thermostat was connected to my smart home, for example, would it be possible for an external entity to keep tabs on what I set my thermostat temperature at? This doesn’t seem like a big deal, but it is one step towards government stepping in and legislating that everyone must keep their dwellings at x degrees for the sake of the nation, betterment of the greater population, or something to that effect. You might think I am paranoid and spreading fear, but this was tried recently (although unsuccessfully).
Personally, I think any smart home should have an override for the homeowner. A switch or detailed configuration screens where under no circumstances can data be extracted or removed without prior authorization — a default ‘deny’ on ingress and/or egress connections. No individual device should be able to override the master control of the house. Even the government should not be able to do it in any circumstance. On the positive side, the project is open-source, so even if this is discovered to be possible, someone will patch it quickly.
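What that master control looks like as a policy engine, as an added example: this is not code from the post or from the Amigo Project. It assumes a single homeowner principal holds the policy, that every device connection is checked against it in both directions, and that a device asking to widen the policy for itself is refused and logged. Device names and peer hostnames are constructed for the example.

```python
"""Added example, not from the post or the Amigo Project: a homeowner-held
master policy for a connected home. Default deny on ingress and egress;
only the homeowner can add a grant; devices cannot widen it themselves."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

HOMEOWNER = "homeowner"   # the only principal allowed to change the policy (assumption)


@dataclass
class HomePolicy:
    """Grants are (device, peer) pairs kept per direction; anything absent is denied.
    'egress' means the device opens a connection to peer; 'ingress' means peer opens one to the device."""
    egress_allow: Set[Tuple[str, str]] = field(default_factory=set)
    ingress_allow: Set[Tuple[str, str]] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)

    def _table(self, direction: str) -> Set[Tuple[str, str]]:
        if direction == "egress":
            return self.egress_allow
        if direction == "ingress":
            return self.ingress_allow
        raise ValueError(f"unknown direction {direction!r}")

    def grant(self, direction: str, device: str, peer: str, authorized_by: str) -> None:
        """Add a rule. Only the homeowner may do this; a device (or any other
        principal) requesting a grant is refused and the attempt is recorded."""
        if authorized_by != HOMEOWNER:
            self.audit.append(f"REFUSED grant {direction} {device}->{peer} requested by {authorized_by}")
            raise PermissionError(f"{authorized_by} may not change the house policy")
        self._table(direction).add((device, peer))
        self.audit.append(f"GRANT {direction} {device}->{peer} by {authorized_by}")

    def revoke(self, direction: str, device: str, peer: str, authorized_by: str) -> None:
        """Remove a rule; same homeowner-only check as grant()."""
        if authorized_by != HOMEOWNER:
            self.audit.append(f"REFUSED revoke {direction} {device}->{peer} requested by {authorized_by}")
            raise PermissionError(f"{authorized_by} may not change the house policy")
        self._table(direction).discard((device, peer))
        self.audit.append(f"REVOKE {direction} {device}->{peer} by {authorized_by}")

    def decide(self, direction: str, device: str, peer: str) -> str:
        """Return 'allow' only for an explicit grant; everything else is 'deny'."""
        verdict = "allow" if (device, peer) in self._table(direction) else "deny"
        self.audit.append(f"{verdict.upper()} {direction} {device}->{peer}")
        return verdict


def evaluate_connections(policy: HomePolicy,
                         attempts: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Run a batch of (direction, device, peer) attempts through the policy."""
    return [(d, dev, peer, policy.decide(d, dev, peer)) for d, dev, peer in attempts]


# Constructed connection attempts, as a home gateway might see them.
SAMPLE_ATTEMPTS = [
    ("egress", "thermostat", "weather.example"),        # device fetching a forecast
    ("egress", "thermostat", "vendor-cloud.example"),   # device reporting set temperature upstream
    ("ingress", "thermostat", "vendor-cloud.example"),  # vendor trying to reach the device
    ("egress", "fridge", "grocery-ads.example"),        # appliance phoning a marketing service
]

if __name__ == "__main__":
    policy = HomePolicy()
    policy.grant("egress", "thermostat", "weather.example", authorized_by=HOMEOWNER)
    try:
        policy.grant("egress", "thermostat", "vendor-cloud.example", authorized_by="thermostat")
    except PermissionError as exc:
        print("device self-grant refused:", exc)
    for direction, device, peer, verdict in evaluate_connections(policy, SAMPLE_ATTEMPTS):
        print(f"{verdict:5} {direction:7} {device} -> {peer}")
```

With only the forecast grant in place, the thermostat's report to the vendor, the vendor's inbound connection and the fridge's marketing call are all denied, and the audit list records both the verdicts and the refused self-grant, which is the trail a homeowner would want to review.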