Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Risk Management’ Category

I Didn’t Do It!

with 2 comments

The below is a true story. Some of the names were changed to protect the innocent. Yes, there is a moral to this true story, but you’ll have to read all the way…

It was a typical day. Jose Arcadio was at his office in Los Gatos CA, probably planning the next perfect restaurant visit. Consuela Martinez was (as always) at a random hotel, this time in Manila, the Philippines, just before bedtime. In Sunnyvale CA Porky Leibowitz was Blackberry-ing.

9:34 AM | Los Gatos CA | Jose: What the heck is wrong with Security Pie? It came up all jumbled.

1:46 AM +1 day | Manila, Philippines | Consuela: Looks fine to me. What exactly do you see, Jose?

9:48 AM | Sunnyvale CA | Porky: See how we see it here in the US: Chrome and FF (screenshot added)

1:50 AM +1 day | Manila, Philippines | Consuela: Did anyone touch the style or the sidebar plugin recently?

10:51 AM | Sunnyvale CA | Porky: Not me…

10:52 AM | Los Gatos CA | Jose: Ok. So this morning it looked okay. But then I posted my post as a page (by mistake). I then reposted it as a post. It happened somewhere there. But I did not knowingly make any changes anywhere. Just wrote a blog item. But I can hear Silvester saying “did you touch it?” So it was probably me…

1:55 AM +1 day | Manila, Philippines | Consuela: Okay, let’s backtrack. What is the sequence of operations that you did, precisely?

10:52 AM | Los Gatos CA | Jose: I think I did the following:

1. Clicked new page.

2. Wrote.

3. Clicked save and then post.

4. Couldn’t find it on front page.

5. Went back, looked around, found Hong Sin’s remark under moderation and allowed it, and then figured out it was a page and not post.

6. Copied the page to a post, named it the same and posted it. It posted corruptly.

7. Deleted the page (but not the post).

2:10 AM +1 day | Manila, Philippines | Consuela: Okay, fixed. The culprit was a <div class="main"> tag that was somehow transferred with your post when you cut and pasted it. It isn’t visible in the “visual” view, only when you switch to “HTML” view. I suggest you style-edit your post, it contains this ugly link in the middle; I think you can have some text instead where the link is just the target.

What’s the moral?

There is always one more bug. There is always something that can go wrong, and you can bet your pie that it will. Paraphrasing Assaf, I have an interest in PCI section 6.6 (don’t sue me). As I wrote in another place, things will go wrong. The above example takes place every day in different places: innocent mistakes that turn into broken pages. This time nothing serious happened, and our colleague in Manila was able to take care of it and fix the problem. Is your organization as lucky as Security Pie?

Written by sharon

November 18th, 2008 at 6:54 pm

101 Uses for Data Leak Prevention

with one comment

Ok – So I have a vested interest in DLP. Sue me.

But here is a really cool use of DLP to detect plagiarizing of dissertations:
http://ondlp.com/?p=9#respond

Notes:
1. Really cool use of the fingerprinting technology
2. I did not know that Dave’s wife was a professor :)

/al

Written by assafl

October 21st, 2008 at 2:45 pm
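An added illustration of what “fingerprinting” means in this context (editor’s example; not code from Security Pie or from the ondlp.com post linked above). It shows how a DLP-style document fingerprint flags a passage copied from a known source even after reformatting and light editing, while leaving unrelated text with zero matches. The algorithm (k-gram hashing with winnowing), the parameters K and W, and the three sample texts are all my assumptions; the page does not say which scheme the product uses.

```python
import hashlib
import re

# Parameters are assumptions for this illustration, not values from the page.
K = 5  # k-gram length in words: a shared run shorter than K words is ignored (noise threshold)
W = 4  # winnowing window: any shared run of at least W + K - 1 words is guaranteed to be found


def normalize(text: str) -> list[str]:
    """Lowercase and keep only alphanumeric tokens, so case, punctuation and
    line-break changes do not evade the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def kgram_hashes(words: list[str], k: int = K) -> list[tuple[int, int]]:
    """(position, hash) for every window of k consecutive words."""
    out = []
    for i in range(len(words) - k + 1):
        gram = " ".join(words[i:i + k])
        h = int.from_bytes(hashlib.sha256(gram.encode()).digest()[:8], "big")
        out.append((i, h))
    return out


def winnow(hashes: list[tuple[int, int]], w: int = W) -> set[tuple[int, int]]:
    """Winnowing: from each window of w consecutive k-gram hashes keep the minimum
    (ties -> rightmost). Both documents pick the same k-gram inside any shared run,
    so their fingerprint sets overlap whenever the copied run is at least
    w + k - 1 words long, while only a fraction of all hashes is stored."""
    if not hashes:
        return set()
    if len(hashes) < w:
        return {min(hashes, key=lambda ph: (ph[1], -ph[0]))}
    return {
        min(hashes[i:i + w], key=lambda ph: (ph[1], -ph[0]))
        for i in range(len(hashes) - w + 1)
    }


def fingerprint(text: str) -> dict[int, int]:
    """Map each selected fingerprint hash to the word position where it first occurs."""
    fps: dict[int, int] = {}
    for pos, h in sorted(winnow(kgram_hashes(normalize(text)))):
        fps.setdefault(h, pos)
    return fps


def overlap(suspect: str, source: str) -> tuple[float, list[str]]:
    """Fraction of the suspect's fingerprints also present in the source, plus the
    matching k-grams so a reviewer can see exactly what was reused."""
    words = normalize(suspect)
    s_fps, src_fps = fingerprint(suspect), fingerprint(source)
    shared = [h for h in s_fps if h in src_fps]
    matches = [" ".join(words[s_fps[h]:s_fps[h] + K]) for h in shared]
    ratio = len(shared) / len(s_fps) if s_fps else 0.0
    return ratio, matches


# Constructed sample texts (not taken from any real dissertation or paper).
SOURCE = (
    "Data leak prevention systems fingerprint sensitive documents by hashing "
    "overlapping word sequences and keeping a small sample of those hashes, so a "
    "copied paragraph can be recognized even after it is reformatted or lightly edited."
)
COPIED = (
    "My dissertation argues that modern DLP systems FINGERPRINT sensitive documents, "
    "by hashing overlapping word-sequences and keeping a small sample of those hashes; "
    "which is why reformatting a copied paragraph does not help."
)
CLEAN = (
    "The thesis surveys firewall logging practices across three universities "
    "and proposes a metric for alert fatigue."
)

if __name__ == "__main__":
    for name, doc in (("copied", COPIED), ("clean", CLEAN)):
        ratio, matches = overlap(doc, SOURCE)
        print(f"{name}: {ratio:.0%} of fingerprints found in source, "
              f"{len(matches)} matching {K}-grams")
        for m in matches:
            print("   ", m)
```

The ratio is what a DLP policy would threshold on; the matched k-grams are what a reviewer (or a professor) would look at before accusing anyone, since a few shared phrases can be coincidence or a properly cited quotation.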

Cisco’s Greatest Hit

without comments

Cisco is promoting Diego Rivas

Dave, a developer from Melbourne, Australia, brings an interesting story. He was installing a newly purchased VPN product. When he loaded the VPN client software, he discovered that in place of the usual boring software was an audio disk with 12 tracks of Spanish music (see Cisco’s Hit). A lively discussion on Dave’s blog eventually managed to identify the musician. You can watch the video below.

Beyond the anecdote there are a few things we can learn from this incident. I’m not picking on Cisco specifically: in the past, one of the products I was managing was built by a very large OEM partner that was responsible for building, packaging and shipping the appliance. Though it was very rare, we had a few incidents where customer X received parts of a printer with his order (inside the appliance package), while another customer received the wrong CDs, and so on. Errors do occur, and I believe that Cisco will do everything it can to learn from this manufacturing snafu and improve its quality assurance process. However, from a security risk management point of view, this incident is a reminder to trust no one:

Every CD should be considered suspicious, even if it arrived inside a box that has the Cisco logo. Due to the popularity of Cisco’s gear there is a second-hand market and also some fake devices. Softpedia reports that even the United States government is reportedly using some 3,500 fake Cisco-branded network devices, including routers, network switches and hubs. “According to the investigation results, the fake devices are worth up to $3.5 million.”

Trust no one is the moral of this story: verify what is actually on the media against a checksum or signature the vendor publishes out of band, rather than trusting the logo on the box. On a side note, this story also explains why the DoD is investing so much money looking for the kill switch.

Enjoy the music!

(Arik, what’s going on down there in Australia? We’re getting a steady stream of weird reports recently :-)

Written by sharon

October 17th, 2008 at 9:40 am

What is all this about lie and other detectors?

with one comment

In his latest posting (http://securitypie.com/workers-more-prone-to-lie-in-email-so-what/), Sharon refers to a hypothetical detector for lying over email. Such things exist, and have existed for quite some time: plotters connected to sensors have been used as lie detectors since the lie detector’s gradual invention, spanning some 40 years and multiple devices around the turn of the last century. Every so often a handheld lie detector would appear in the classified ads of some local newspaper, an inflight magazine or SkyMall.

Now everyone knows (or should know) that the jury is still out on the accuracy of lie detectors. Why is that significant?

There are 4 possible outcomes of a lie detector test, written below as (lied, caught):

                 Not caught                        Caught
Did not lie      Not lied and not caught (0,0)     Not lied but caught (0,1)
Lied             Lied and not caught (1,0)         Lied and caught (1,1)

Read the rest of this entry »

Written by assafl

October 14th, 2008 at 6:38 pm

My expert opinion on the nature of experts

with 4 comments

I have recently completed a book called “The Billionaire’s Vinegar: … “. In this book Benjamin Wallace spins a fascinating tale of how a group of very rich Americans spent hundreds of thousands of dollars on a select cache of wine bottles that were allegedly linked to Thomas Jefferson and were found in an undisclosed location in Paris. Very soon questions of provenance started to emerge, culminating in a very expensive lawsuit waged by Bill Koch against the purveyor of the wines, a German collector named Hardy Rodenstock. The book is well written and is a highly recommended read.

Thomas Jefferson’s bottle or a really expensive counterfeit?

If we can't ask Mr. Jefferson, perhaps we can hire an expert?

Read the rest of this entry »

Written by assafl

October 3rd, 2008 at 12:45 pm

The unprecedented use of the term unprecedented in the current crisis is terrifying

with one comment

‘An unprecedented crisis’ said Hank Paulson. http://www.politico.com/news/stories/0908/13590.html

‘American economy is facing unprecedented challenges’ added a concerned George W. Bush http://www.foxnews.com/story/0,2933,425261,00.html

“The Secretary of the Treasury, Henry Paulson, will be granted unprecedented authority in the financial bailout plan” http://www.lockergnome.com/forsythe/2008/09/29/unprecedented-authority-granted-to-henry-paulson/

In a series of moves culminating overnight, Washington took an unprecedented step into the financial sector in a bid to steady an ailing housing market and ease a global credit crunch, analysts said. http://www.theaustralian.news.com.au/story/0,25197,24310593-20142,00.html

Tuesday, Paulson is spearheading an unprecedented global change as the Bush administration point man for the proposed $700 billion bailout of the U.S. financial industry as the economy reels from the credit crisis sparked by the national real estate slump and spiraling mortgage failure rates. http://www.usatoday.com/money/economy/2008-09-22-paulson-treasury_N.htm

But the $700bn (€480bn, £380bn) bail-out marks an unprecedented test of both the Democratic and Republican leadership in Congress, who are seeking to pass a proposal that they know will be unpopular among voters in an important election year and is opposed for ideological reasons by factions within both political parties. http://www.ft.com/cms/s/0/2c86b58a-89a4-11dd-8371-0000779fd18c.html

Bush: ‘unprecedented challenges’ call for ‘unprecedented action’ http://network.nationalpost.com/np/blogs/fpposted/archive/2008/09/19/bush-unprecedented-challenges-call-for-unprecedented-action.aspx

Why terrifying?
Because after all these exciting ‘unprecedented firsts’ everything will be ‘precedented seconds’ or, in other words, bland.

Meanwhile, while things are still interesting, have you placed your bets on September Madness?

Written by assafl

September 30th, 2008 at 4:58 pm