Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Uncategorized’ Category

Textures by sugar

without comments

So summer is here and that makes it a great time to write about ice cream, and particularly about the sugar content in ice creams. Sugar is not merely important to ice cream. IMHO, sugar is ice cream. Without sugar, we’d be eating vanilla-scented sludge.

So how much sugar? Well, the main effect sugar has on ice cream is on texture. Yes, the texture of ice cream is determined by its sugar content. Now since it is summer, and since I’d like to make a point I can later eat happily with a spoon, it is time to experiment by making a blueberry sorbet.

I opted for a simple sorbet to test the effect sugar concentration has on the texture of the sorbet. I took a Costco bag of frozen blueberries, defrosted and blended them to create the ice cream base mixture. I then created a syrup: 33% sucrose, 33% Trimoline – an invert sugar (sucrose that has been split into its two monosaccharides, glucose and fructose) – and 33% water (all by weight).

I poured the base into 3 Pacojet beakers, and adjusted the sugar content of each (using the syrup) to obtain the following Brix readings: 16 Brix, 20 Brix and 25 Brix. I used an Atago Pen-Pro refractometer to measure the refractive index of the base mixture (Note: Brix represents the exact sugar percentage ONLY for a pure sucrose-in-water solution; in this case, since we have other solubles, the reading is a qualitative assessment and should not be assumed to be an accurate percentage of sugar).

I froze the beakers for 48 hours to a measured -24.1C, and processed 1 portion of each beaker. Here is the result:

Pacojet beakers - one portion processed - 16, 20 and 25 brix

Textures - fluffy ice powder (16 brix), moist dirt (20 brix) and classic sorbet (25 brix)

From left to right, the Brix levels are: 16, 20 and 25. The results show a direct correlation between sugar content and the texture of the sorbet. When sugar levels are low, the sample exhibited a powdery texture not unlike finely ground coffee. This was similar to snow, or frozen shaved water. The 20 Brix sample exhibited the texture of fine, moist dirt, while the 25 Brix sample had a smooth sorbet texture.

A taste test showed that the three samples gave completely different mouthfeels and taste sensations. The 16 Brix sample was a light powder, sort of like eating talc. The 20 Brix sample reconstituted into a paste sensation (actually pretty unique and enjoyable), while the 25 Brix sample was a true sorbet experience.

Written by assafl

July 2nd, 2010 at 7:22 pm

Posted in Uncategorized

The young and the shareful

with 2 comments

So it is becoming an epidemic: Youngsters around the world, who have access to highly classified documents, share them.

In Israel, we had the well-publicized case of Anat Kam, now 23, an army secretary who had decided, of her own accord, to release classified documents to a reporter. http://www.nytimes.com/2010/04/09/world/middleeast/09israel.html

And, as AB loves to say, what happens in Israel will always happen elsewhere. So the US now has an information “spy” of its own, one Specialist Bradley Manning, 22, who released secret documents to Wikileaks. See http://www.theregister.co.uk/2010/06/07/wikileaks_arrest/.

Both were young, both were not “spies” in the sense that they were not “operatives” of a state, but were still at an age where “correctness of action” and “ideology” and “duty” are mixed up. IMHO, these immature individuals were unable to identify the severity of their action. Sure, they intentionally released data they thought warranted public scrutiny; they wanted to promote transparency since they were brought up on the notion that sunlight disinfects; and they believed that their democracy was strong. They thought they were “doing the right thing”.

They were unable, however, to fathom the risk that their actions would create. What does a secretary know about international diplomacy and politics? What does she know about combat operations? Can she anticipate how many deaths she would directly cause by the disclosure of the data? Having sat through some complex classification exercises, I can safely say that she had no clue. As for Bradley Manning, the fact that he boasted of his “accomplishments” to fellow hackers and over Facebook reveals his lack of understanding of the severity of what he did.

So we expect youngsters to handle confidential data: data they are severely ill-equipped to grasp, let alone to understand the consequences of exposing. We assume it is their sense of duty: it worked in the past. But now these youngsters have laptops, smartphones, USB keys and other devices.

Now, governance controls are important. Neither of these occurrences was detected by some sort of data governance scheme; both came to light some time after the leaks had occurred. Really, shame on our security forces!

However, governance controls, while important, are not enough. It is now even more important for HR to step up to the plate and separate the mature, responsible adults (even at age 18) from the rest. Easy access to distribution mechanisms makes silly leaks possible, and likely. Immature individuals like Anat Kam and Bradley Manning should never have been allowed near sensitive data.

/al

Written by assafl

June 7th, 2010 at 1:14 pm

Posted in Uncategorized

Some thoughts on Google’s decision to ditch Windows OS

with 3 comments

Google has decided that “due to security concerns” it will phase out Windows on its endpoints. See http://www.ft.com/cms/s/2/d2f3f04e-6ccf-11df-91c8-00144feab49a.html.

A few thoughts:
1. Understandably, Google is repositioning its own Chrome OS, along with Mac OS, as an alternative to Windows as part of its competitive struggle with Microsoft.
2. Google’s CIO is attempting to pass off Google’s proven incompetence in securing the email accounts of Chinese activists as a by-product of Microsoft’s OS. This method was used 12 months earlier by bank executives claiming “we weren’t at fault; it was those damn credit default swaps and collateralized debt obligations”. Google is incompetent. Microsoft might also be incompetent, but that is beside the point.
3. Google is implying that replacing all endpoints is a security strategy. It is not. Google should invest in understanding security: an endpoint should not be the only line of defense. I recommend developing a comprehensive security strategy based on the risks to their (and my) data and executing against that strategy. As part of that strategy, a compromised endpoint should NEVER be allowed to poke holes in their infrastructure.
4. If there was a culprit, it was Internet Explorer. Perhaps Google should use a different browser? Also, Google’s CIO should read about Windows 7. It has a much better security model.
5. The Mac is more successful in the workplace anyway. Anyone who has gone to a meeting and counted the number of Macs knows this, and it started long before Aurora came along (in fact, I think it happened when Apple moved away from silly white plastic to the me-too Sony VAIO aluminium/magnesium look).
6. Is Bing crawling under Google’s skin?
7. Google should keep at least a few Microsoft endpoints for the sake of product quality, at least to do compatibility and QA for Google products running on Internet Explorer and Windows. I can foresee Google’s CIO being busy for the next few years signing waivers for Microsoft OS. I suggest e-signatures.

/al

Written by assafl

June 3rd, 2010 at 9:45 am

Posted in Uncategorized

Facebook bites

with one comment

So email bites. Today an associate sent an email they shouldn’t have. Not to worry, it will be taken care of; just one extra recipient to call and ameliorate.

Facebook bites. Not on privacy. CEO Zuckerberg told us all that we don’t expect privacy, and he is probably correct. Now, I don’t think that we all necessarily want to voluntarily give up our right to privacy, but we all put our status up on Facebook, pictures of spouse, kids, etc. Pretty soon we become an open book.

The recent debacle over privacy settings and the “turn Facebook off” day reminded me of the scene in Monty Python’s Life of Brian where Stan wants to have a baby, so I paraphrase:
Judith: Why do you want to be Loretta, Stan?
Stan: I want to have privacy.
Reg: You want to have privacy?!?!?!
Stan: It’s every man’s right to have privacy if he wants it.
Reg: But you can’t have privacy.
Stan: Don’t you oppress me.
Reg: I’m not oppressing you, Stan — you haven’t got a womb. Where’s the privacy going to gestate? You going to keep it in a box?
(Stan starts crying.)
Judith: Here! I’ve got an idea. Suppose you agree that he can’t actually have privacy, not having a womb, which is nobody’s fault, not even the Romans’, but that he can have the *right* to have privacy.
Francis: Good idea, Judith. We shall fight the oppressors for your right to have privacy, brother. Sister, sorry.
Reg: (pissed) What’s the *point*?
Francis: What?
Reg: What’s the point of fighting for his right to have privacy, when he can’t have privacy?
Francis: It is symbolic of our struggle against oppression.
Reg: It’s symbolic of his struggle against reality.

So assume the right to have privacy is there, while privacy itself, well, is nigh dead. Nada. Kaput. Gone. To paraphrase the famous Python Dead Parrot sketch:
‘E’s not pinin’! ‘E’s passed on! This privacy is no more! It has ceased to be! ‘E’s expired and gone to meet ‘is maker! ‘E’s a stiff! Bereft of life, ‘e rests in peace! If you hadn’t nailed ‘im to the perch ‘e’d be pushing up the daisies! ‘Is metabolic processes are now ‘istory! ‘E’s off the twig! ‘E’s kicked the bucket, ‘e’s shuffled off ‘is mortal coil, run down the curtain and joined the bleedin’ choir invisible!! THIS IS AN EX-PRIVACY!!

Where Facebook should be investing is in teaching youngsters how to position themselves for the future. An elephant never forgets. But elephants do die. Databases never forget and never die (or perhaps it is their backups that live forever).

Indiscretions, pictures with a bong, proclivities: all live forever. Get used to it. Children must learn to manage their online image if they are to have a chance in their 20s.

What is Facebook doing to teach them how to manage their online presence?

Written by assafl

June 2nd, 2010 at 1:50 pm

Posted in Uncategorized

Pediatric medicine recall – or why you should commit to Fruit of the Loom or Gillette but not Tylenol or Tyson

without comments

So it happened yet again. A pharmaceutical company is under attack for having sold children adulterated over-the-counter medication. See the recall notice http://www.fda.gov/Safety/Recalls/ucm210443.htm and the committee response http://news.yahoo.com/s/hsn/20100528/hl_hsn/johnsonampjohnsoncriticizedoverdrugrecall.

This is not new. Dysfunctional safety practices in manufacturing have a long history of sickening, and in some cases killing, people.

What is left out of food might be as dangerous as what is put in. In 2003, babies died as a result of missing vitamin B1 in a batch of baby formula marketed by Remedia. See http://www.haaretz.com/news/remedia-execs-to-be-tried-for-allegedly-causing-infants-death-1.196950.

From my perspective, being even slightly partial to a brand of edible or pharmaceutical products is just plain ignorance. Drugs and food are routinely adulterated, expired, or simply mislabelled. If we are to reduce the risk due to contamination, or due to a lack of proper formulation, our sources of drugs, as well as of food, must be religiously varied.

For bacteria to cause disease, a certain exposure (the infectious dose, which varies among individuals) is required. Varying the source of a particular food item – as in eating a salad in which only two spinach leaves come from a salmonella-infected bunch – just might keep you under that threshold.

For babies to die from a lack of a nutrient in baby food, the baby must be raised solely on that food source. Having two products used alternately will result in better nutrition (not perfect: in the Remedia case the baby would get 50% of the daily amount of B1 needed, but that is dramatically better than getting 0% of the daily value).

In security, we are taught (or experience tells us) that we need to vary our AV vendors. We need the same for ourselves and our families.

As for partiality to other products – e.g. computer vendors (like Apple), or cosmetics (like Gillette or RoC) – the worst outcome there is NOT death, but disappointment; so have fun becoming a follower (Steve Jobs and the reign of Apples)!

Written by assafl

May 28th, 2010 at 1:17 pm

Posted in Uncategorized

IRS evaders: Think your tax haven in Swiss HSBC is safe? Think again!

without comments

So last month HSBC apologized for selling the information of over 24,000 customers.

http://www.irishtimes.com/newspaper/breaking/2010/0311/breaking43.html

Okay. So HSBC likes to state it differently: it was not willingly or knowingly done by HSBC. Just that an ex-staffer copied the list of (at least) 24,000 private banking (read: wealthy) customers to a private computer and tried to sell it. The way HSBC states it, the bank was the victim in this case (http://www.hsbc.com/1/PA_1_1_S5/content/assets/investor_relations/sea/2010/sea_100311_private_bank.pdf). Hmm… And here I thought the people whose identities are being sold to mafias and governments would be the victims…

Amusingly, the thief was trying to sell the data to governments for use in tax-evasion investigations. Germany, it seems, is willing to pay to expose tax evaders. LOL.

At first the bank thought it was “less than 10 customers”. Then it slowly went up to 24,000 customers. Some governance… What are their security/audit teams up to (if not governance) anyway?


Quote: “The bank believes the stolen data will not allow unauthorised people to access those accounts, despite the fact that the incident could mean that some of the account holders affected could be risking prosecution by tax authorities.”
“The bank believes?” – Believes is not a word I expect my bank to use. “Validated”, “verified”, “ensured”, “put measures in place”, etc. are better words. Call me old fashioned: I like my banks secure, with big safes and rigorous pen registries; not flimsy, uncommitted, ungoverned entities.

But HSBC unreservedly apologized, which I assume means all is well….

BTW – HSBC has previously starred as “most prone to ID theft” in a report analyzing susceptibility to data theft among large banks. More information at: http://www.wired.com/threatlevel/2008/02/bank-of-america/

Perhaps HSBC should stop apologizing and start governing?

Written by assafl

April 19th, 2010 at 6:05 pm

Posted in Uncategorized

Word games for (Californian) children

without comments

Can you tell which of the following is a name for Marijuana (5), which is a name of a rollercoaster (6), and which is both (5)?

1. Tennessee Twister
2. Déjà vu
3. Cincinnati Cyclone
4. Afterburn
5. Pineapple Express
6. California Screaming
7. Brain Teaser
8. Blazing Fury
9. Flashback
10. Humbolt Scorcher
11. Great White
12. Hypersonic XLC
13. Hyperponic XLC
14. Invertigo
15. Woodstock’s Express
16. Bug Out

By Lockie Hunter. Answers at McSweeney’s (http://www.mcsweeneys.net/links/lists/4hunter.html).

/al

Written by assafl

February 16th, 2010 at 8:13 pm

Posted in Uncategorized

Why???

with 6 comments

Why do we work so hard to protect user data and privacy when it seems users are very happy to place their credit card info online and broadcast their shopping? The concept of blippy.com was shocking to me. It still is. Do users understand that all this information is amassed and can be used at any time by anyone?

What makes Blippy trustworthy enough to be given access to a bank account? Are they audited? Are they PCI compliant? They are not even public and (unlike TJX) have nothing to lose by compromising the security of their users’ data…

Yesterday, while analyzing business processes at a DLP account, we ran across a user who had sent their entire password list as an unencrypted CSV file: access to bank accounts, investment accounts, healthcare, Web 2.0 sites, etc.

Perhaps privacy, by 2020, will be replaced by identity insurance…

Written by assafl

February 11th, 2010 at 12:14 pm

Posted in Uncategorized

“High End” Security

without comments

So I periodically dabble with my hi-fi setup. I rearrange stuff, recalibrate my reference levels at the seating positions using an inexpensive sound pressure level (SPL) meter, and measure the distances using a cool laser distance meter.

I ignore my acoustics-engineer self (the one left in place by 10 years of sonar system engineering) that is screaming (Edvard Munch style) at the banality of my exercise.

My engineer self does have a point: my SPL meter, for example, is a cheapo Radio Shack SPL meter. It measures signal in decibels. But a decibel expresses a ratio between two numbers: a reference figure and a measured value. For example, a good measurement would be 12 dB re 1 µPa @ 1 m, which would mean that my signal was 12 decibels relative to a pressure wave of 1 micropascal, as measured 1 meter from the source. My practical self dismissed my engineer self by saying “it is all relative anyway, so the exact parameter of the measurement is not important”; to which my engineer self scoffs with a resounding “idiot! If you don’t understand what you are measuring then anything that you measure is suspect. For example, your rear speakers naturally have a different frequency response than your front speakers. Hence if you try to balance them using the SPL meter, and you don’t *really* understand how it sums the SPL throughout the frequency range, you might get inconsistent results. This will also be true due to differences in the vertical response of the speakers vis-à-vis your sitting position”. Now once in a while my engineer self nearly gets a sure footing and I trend precipitously close to acquiring a Bruel & Kjaer measurement system so I can start measuring with aplomb. I usually luck out by ending up reading some article I find somewhere instead of paying the requisite megabucks for B&K Über-Geräte.
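The decibel bookkeeping above, as an added Python example (this is not code from the post, and it contains no real measurements): it computes SPL against a stated reference pressure, combines octave-band levels on a power basis rather than by adding decibels, and then pushes two constructed speaker spectra with identical unweighted broadband levels through the A- and C-weighting tables a meter applies. The two band spectra are made up for illustration; the weighting offsets are the standard octave-band values, rounded to 0.1 dB.

```python
import math

# Reference pressures. A decibel figure is meaningless until the reference
# (and, for a source, the distance) is stated: "dB re 20 µPa" in air,
# "dB re 1 µPa @ 1 m" in the sonar convention mentioned in the post.
P_REF_AIR_PA = 20e-6
P_REF_WATER_PA = 1e-6

# Nominal octave-band centre frequencies and the standard A- and C-weighting
# offsets at those frequencies (IEC 61672 table values, rounded to 0.1 dB).
OCTAVE_BANDS_HZ = [31.5, 63, 125, 250, 500, 1000, 2000, 4000, 8000, 16000]
A_WEIGHTING_DB = [-39.4, -26.2, -16.1, -8.6, -3.2, 0.0, 1.2, 1.0, -1.1, -6.6]
C_WEIGHTING_DB = [-3.0, -0.8, -0.2, 0.0, 0.0, 0.0, -0.2, -0.8, -3.0, -8.5]
FLAT_DB = [0.0] * len(OCTAVE_BANDS_HZ)


def spl_db(p_rms_pa, p_ref_pa=P_REF_AIR_PA):
    """Sound pressure level L = 20*log10(p / p_ref); pressure is a field quantity."""
    return 20.0 * math.log10(p_rms_pa / p_ref_pa)


def sum_levels_db(levels_db):
    """Combine uncorrelated band levels: add the powers, then take 10*log10.
    Adding the dB figures directly is the classic mistake (60 dB + 60 dB = 63 dB)."""
    return 10.0 * math.log10(sum(10.0 ** (level / 10.0) for level in levels_db))


def meter_reading_db(band_levels_db, weighting_db):
    """What a broadband meter reports: each band offset by the weighting curve,
    then summed on a power basis."""
    return sum_levels_db([l + w for l, w in zip(band_levels_db, weighting_db)])


def normalize_to_total(band_levels_db, target_total_db):
    """Shift a spectrum uniformly so its unweighted broadband level equals target."""
    offset = target_total_db - sum_levels_db(band_levels_db)
    return [level + offset for level in band_levels_db]


def compare_speakers():
    """Two constructed octave spectra (illustrative, not measured): a flat 'front'
    speaker and a bass-light 'rear' speaker forced to the same unweighted level.
    Returns the flat, C-weighted and A-weighted readings for each."""
    front = [75.0] * len(OCTAVE_BANDS_HZ)
    rear = normalize_to_total([55, 60, 65, 70, 75, 78, 78, 78, 76, 72],
                              sum_levels_db(front))
    return {
        name: {"flat": meter_reading_db(spec, FLAT_DB),
               "C": meter_reading_db(spec, C_WEIGHTING_DB),
               "A": meter_reading_db(spec, A_WEIGHTING_DB)}
        for name, spec in (("front", front), ("rear", rear))
    }


if __name__ == "__main__":
    print(f"0.2 Pa = {spl_db(0.2):.1f} dB re 20 µPa "
          f"= {spl_db(0.2, P_REF_WATER_PA):.1f} dB re 1 µPa")
    print(f"60 dB + 60 dB = {sum_levels_db([60, 60]):.2f} dB")
    for name, r in compare_speakers().items():
        print(f"{name}: flat {r['flat']:.2f}  C {r['C']:.2f}  A {r['A']:.2f}")
```

The point of the last function is the one the engineer self makes: two speakers that an ideal flat meter would call identical read about 0.4 dB apart on a C-weighted meter and more than 2 dB apart on an A-weighted one, so "balancing" the rear channel to the front with an unknown weighting silently applies a tilt.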

Bruel & Kjaer 2230

So here is a question: most of us know that there is a hi-fi market denoted as “audiophile”. There is also a market called “professional audio”. There are very few brands that cater to both (I can only think of Dynaudio, Bryston, JBL, ADAM Audio, PMC, JMlab and a few others) and many of the products are so labelled (pro audio vs. home audio). Now audio is audio – why is there such a distinct separation between the two markets?

Is this home audio or pro? ADAM HM3 in Black

Is this for home or pro use? P33A (Hint: the room acoustics controls and the technical designation of near/midfield monitor should make the intended audience clear)

Here are my opinions:
1. It isn’t looks (the so-called Wife Acceptance Factor – WAF) – some home audio stuff is as horrid looking as the most functional of pro audio devices, and some pro audio stuff is drop-dead gorgeous.
2. It isn’t pricing – some pro audio stuff is as expensive as audiophile stuff. Even though it is easier to justify the really upper-end stuff for home use (the justification is based on disposable income, just like an ultra high-end stovetop for people who only cook steaks, more than on any value statement), it isn’t really necessary for a recording studio.
3. Objective vs. subjective sensibilities – by far the biggest differentiator. Audiophile makers differentiate themselves by ratings, by reviews, and mostly by subjective assessments. Audio professionals look for objective assessments (impossible to do perfectly, but possible to try to achieve). In fact many audiophiles disregard objective assessments (like measurements) as secondary to subjective assessments (like listening to their favorite CDs). Meanwhile pros (like audio designers) measure first, and then validate the measurement with listening tests (to ensure they haven’t got a “lemon”).
Note: The audio engineering market is exceptionally mature, so I have to accept the fact that both approaches have their merit. Audiophiles indeed have to rationalize their choices, and subjective assessments are the easiest way to rationalize a choice, especially when there is no consensus on “state-of-the-art”. Meanwhile, audio pros have to make rational choices – for example, unlike an audiophile, they must have a perfectly flat frequency response, otherwise their recordings will be equalized to compensate and will tend to sound “off” on other equipment. This might be interpreted by their customers as a quality deficiency, resulting in fewer, lower-paying projects. So both approaches are the correct approaches for their market segments.

What has this got to do with security? Well, security is just like any other market. It has the customers that rationalize their decision, and it has customers that make rational decisions. Now here is the funny fact-of-life: customers in the latter group tend to be assured with their decision and can defend it reasonably well, while customers in the former group tend to hem-and-haw and sort themselves into religious-like user camps. Just like the Audiophiles who flock to like-minded rationalization groups (like the sound-of-wire vs. all wires are identical camp, the Single Ended Triode vs. push-pull camp, the record player vs. CD or BD camps, the solid state vs. vacuum tube camps etc.).

The rational-thinking “objective” group (typically early adopters) works like entrepreneurs: they identify a problem, create a list of parameters for their problem, and search for solutions. The decision-rationalizing “subjective” group works in other ways, for example by stating top-level decision criteria inconsistent with the problem scenarios.

As an example, to compensate for their inability to reach a sensible technical decision – or even a sensible description of the problem they are trying to solve – they will choose on other parameters, like integration with other products (whether those integrations make sense or not), or based on analyst opinion, past relationships, a reference list, or even past lust (or a current bedroom relationship).

This is the “high end” model, based on perceived applicability vs. measured applicability to the problem. Security folk are especially prone to this style of analysis since their role is multidisciplinary. The DLP market is becoming the best example of how this multidisciplinary responsibility serves to undermine the decision process, eventually resulting in an alarming number of failed projects. For example, assume a security person who came from networking. Their background is reviewing logs and identifying the patterns of malware, and they have a keen understanding of exploits. Being the best on their team, they are invited to participate in a DLP project selection committee. What, within their experience, allows them to understand the nature of risk due to information exposure? Not much… For the majority of technical security experts, the meaning of risk (and the methodologies to assess and minimize it) is opaque. What is worse, risk is the sort of variable that everyone thinks they understand and very few actually do. Even banking risk departments, who are supposed to be the leaders in risk class assessment, proved that they had no clue a year or so ago when they piled high-risk products into lower-risk bundles – just ask any jet airliner designer how wrong that assumption is.
Similarly, consider a CISO. CISO is predominantly a business title; how is a CISO to assess the technical capabilities of a DLP solution and its applicability to the network? A good CISO is ill equipped to provide a concrete technical answer to the question of technical suitability.
Add to this equation the fact that business folk and technical folk might as well speak different languages altogether, and you are left with dire prospects for your selection committee.

This is where the analogy between the audio market and the security market ends. An amplifier is an amplifier. It might amplify differently. But all amplifiers, and especially those at the high-end side of the market, do a reasonable job of amplification. Almost all pro models are identical. That is the safety of a mature market. But the security market, by its nature, will never mature. Hackers and thieves will ensure that whatever we purchase today will be outdated quickly (as quickly as they can write the scripts to make it outdated). The results of emotional decisions in an immature market can be disastrous. Remember the sods who bought the original early-day $15-25k hi-def plasma displays only to have them become obsolete within 2 years due to the emergence of copy protection (HDCP)?

So two years later the committee finally realizes that while they really needed the equivalent of a pickup truck, they had mistakenly acquired a dragster. It couldn’t pull the weight of the problem, it was hard to control and it tended to periodically veer off into the ditch. They hired a team of 100 to rebuild the engine every Tuesday and Thursday. And you needed a semi-trailer to haul the damn thing around.

But at least they purchased “high end”. Colorful, shiny, heavy and what a guilt trip (as well as sometimes career limiting). As one CISO put it to me, it is “the cost of a maturing security organization”.

Back to my speakers. The Radio Shack SPL meter is useless for calibrating the subwoofer level (due to inconsistencies in its frequency response). Damn it. Perhaps it is time for a B&K measurement station? Gotta love those Danes for their perfect measurement stuff. $5k – eh? Nah. ETF 5 and a somewhat calibrated Behringer mic ($50) is all I really need.

Happy measuring!

Written by assafl

January 31st, 2010 at 11:11 am

Posted in Uncategorized

Ipodus Giganticus

without comments

While Sharon is busy waddling knee-deep through PHY (layer 1) terminology, another hardware/lifestyle company has released the gigantic equivalent of its iPod product, named iPad.

Somehow the glitter of lower-tech color LCD screens has been noisier than Sharon’s über-technology switches. Go figure.

Written by assafl

January 27th, 2010 at 6:07 pm

Posted in Uncategorized