Security Pie

The ramblings of three security curmudgeons

Archive for the ‘Uncategorized’ Category

Identity: The 100 Point Check

with 2 comments

Credit Cards by "s e v i n" at flickr.com

Here in Australia, in order to perform a certain set of transactions (for example, opening a bank account) there is a government-mandated identification process called the 100 Point Check (PDF), codified in the Financial Transaction Reports Act 1988.

The short version is this: when you come to identify yourself, you need to reach 100 points. To get there you supply documentary proof of your identity, with each document worth a set number of points, until the total adds up to 100. Let's see what counts as an identifier:


Written by arikb

October 1st, 2008 at 6:40 pm

Posted in Uncategorized

On trust and faith (or where should I put my gold?)

with one comment

After 6 days of riding my mountain bike through 300km of Mongolian steppes, I came back to learn that the US government had to bail out Merrill Lynch and AIG, meanwhile letting Lehman Brothers go belly up. The SEC had banned short calls on most of the financial institutions in the United States. This boosted confidence in other SHODDILY run financial institutions (like Wamu), who saw a sunny day for the first time in months. Wamu's spring was short lived, and now it is a part of JP Morgan. Now they plan to give away $700b of our hard-earned money to Wall Street.

Having been completely without cell or Wifi coverage, I was oblivious to all this throughout my journey.

I met people who did not care what the heck Lehman Brothers' CEO Dick Fuld did with THEIR hard-earned money. Or who Merrill Lynch decided to give THEIR money to. These people had trust in their own stash of food supplies: milk products (cheese curds, butter, condensed milk and other products) and meat (yak/cow, sheep, horse or goat), and they had faith that the sky would be kind to them.

Sheep stomachs sewn into sacks maintain the freshness of the home made butter for the brutally cold winter


Written by assafl

September 28th, 2008 at 10:15 pm

Posted in Uncategorized

Why I hate my robot(s)

without comments

A few years ago I bought a backup robot for the business. I had lost one of my messaging servers, which upset most of the company's employees (the CEO can't email the board, the CFO can't track the investors, the VP BD can't negotiate deals with partners, the secretary can't arrange a vacation with her boyfriend).

My robot hated me. I hated it. Veritas and it would cough up excuses for not performing a backup. They would collude to send me email messages, syslog entries and other interruptions. There was always an open file that would not behave. There was always a tape that was full. There was always a cartridge that was out of sequence.

All in all, the robot needed a babysitter to keep it company. A babysitter that would feed it clean power, wipe its heads clean and replace the DAT tapes we love so much. And once in a while change the channel on the Veritas application.

So we got the most reliable thing available to look after automated infrastructure: an IT guy. Life was as simple as before the robot, but with the additional comfort of knowing there was a backup. I still cannot understand why the robot architects, HP and Veritas, could not fit an IT guy into the packaging.

A week ago I bought a Windows Home Server preinstalled on a $700 small form factor PC from HP. I hooked it up and I turned it on. It did my backup for me. It told me it was successful. The only failure it had was when I shut down my machine: it was inaccessible, my server notified me in a nice-looking alert.

I was offended. I had prepared my expert troubleshooting capabilities. I had prepared to resolve a routing issue. I was ready to resolve Access Control issues. I was gravely disappointed. It just worked.

Simple is nice. Simple makes security easier by making my data more available at home. Simple makes my training obsolete.

More than that: security does not have to be complex. Simplicity showed me that my expertise can be replaced by a well thought out script. Ahem. Perhaps it is time to learn a new trick?

Way to go Microsoft!

NB: My Roomba robot hates me as well. It gets stuck on any piece of paper or rubber band or even while climbing that 1/2″ to the short haired carpet. Does this mean that all robots hate me?

Written by assafl

September 5th, 2008 at 4:15 pm

Posted in Uncategorized

About counting SSNs

without comments

NEW YORK (Associated Press) – The Bank of New York Mellon said Thursday that a security breach involving the loss of backup data storage tapes affects about 8 million more individuals than originally thought.

When the breach was first disclosed in May, the bank estimated about 4.2 million people were affected, said Kevin Heine, a spokesman for the New York-based company. But a third-party re-examination of the analysis applied to the lost tapes has revealed that the affected number of individuals is actually about 12 million, Heine said. The company is in the process of notifying the additional consumers…

Can’t these people count?

How lucky we are that money and data are no longer physical goods but reside in digital systems that are easily hacked into or lost. Imagine a world where bartering still lives and money is represented by sheep. What would 12 million "lost" or "stolen" sheep look like roaming the streets of South Manhattan?

Residents of Turin, Italy know very well. About 700 sheep have now been employed by Turin officials to keep the grass verges and lawns in city parks trimmed.

I am not sure the drivers agree.

BTW – Silicon Valley has its very own sheep-as-lawnmower stories, one of the more famous being about Robert Widlar, an engineer at National Semiconductor (and creator of the IC op-amp), who was irritated that Charlie Spork had decided to cut back on the cost of gardening. Widlar drove down to Gilroy and brought a sheep back to Santa Clara in the back of his Mercedes convertible. He then tethered the sheep out on the lawn.

And the count continues…

Written by assafl

September 2nd, 2008 at 4:53 pm

Posted in Uncategorized

What can nature teach us about hacking?

with one comment

We often find ourselves discussing the evolution of threats on the Internet. What initially began as a nuisance from resource-wasting websites evolved into mischievous server-crashing hacking, which evolved into real theft of data and resources. What started as scripts sent over email has evolved today into a complex ecosystem of insiders who get lured by emails into installing backdoors, zombies and keyloggers. It is always interesting for me to see how nature resolves such issues in other systems, naturally (I apologize, I had to).

Why is it important? Perhaps it isn’t. But it always seems to me that nature tends to find the best (most cost effective) steady state that is achievable. Seek a better solution? Okay, but you will have to change the rules!

A recent Animal Planet special got me thinking about hacking in wildlife. Specifically, it was a story about the cane toad (Bufo marinus), which was introduced to Australia in the 1930s to help combat a beetle that was eating the crops. As usual in such cases, the toads had no natural predators and the population grew out of control. It is a problem of grand proportions that is sometimes referred to as the bane of Queensland.

Cane Toad (nice picture from frogwatch)

The cane toad is poisonous. The toad has glands on its back that secrete bufotoxin, a very potent poison that can kill or cause severe irritation in humans. Since it was newly introduced to Australia, it should take evolution many generations to develop an animal that can withstand the poison. Shouldn’t it?

Enter the crow. In Queensland, it has been observed that some crows have figured out the answer. Since the poison is on the toad's back, the crows carefully position themselves behind the toad and use the toad's legs to flip it onto its back. At that point they can use their beak to puncture the soft underbelly and eat the tasty toad insides. As long as they stay away from the toad's back, they are safe.

Crow and Raven

Who the hacker crow that figured it out was we'll probably never know. How it worked out the trick we will also never know. But once that first crow figured it out, other crows watched and learned. And now word has passed into other crow communities across Australia. Australians now have a natural way to fight the menace of the cane toad (in addition to cane toad golf, cane toad cricket and other human inventions).

We build defenses and hackers find ways around them. Toads build defenses and crows find ways around them. Perhaps the term “cat and mouse” should be reevaluated to “toad and crow”.

Cheers.

BTW – in 2007 a group of crows in Australia's Northern Territory (NT) were spotted eating cane toads using another method: picking them up carefully by the leg, flying up with them and killing them by dropping them to the ground. Cane toad vulnerability #2 discovered. Seems like hackers in the natural world are everywhere. Toads beware!

Written by assafl

August 30th, 2008 at 10:04 pm

Posted in Uncategorized

Welcome to the Security Pie blog

without comments

Please stay tuned for more from the three curmudgeons.

Written by assafl

August 26th, 2008 at 12:04 am

Posted in Uncategorized