A few days ago I called my good friend Michael Miora, president of information assurance and business continuity specialists ContingenZ. I dialed his office number but reached him on his cell phone even though he was in the office. The reason? A system error at Verizon had disrupted voicemail services for Michael--and about 740,000 other land-line customers--for several days. He had diverted his office phone to his cell to avoid missed calls, which can translate into missed business.
Michael's an enterprising guy, so he decided to turn this problem into a lesson in incident management, putting a story on the wire and also offering a discount on ContingenZ's incident management product, IMCD. That was this morning. By this afternoon his words of advice were looking quite prophetic as the wires lit up with this story: a critical Blackberry outage.
The message was clear: even if you are a relatively small company you need plans in place for such contingencies. Furthermore, the greater your dependency on a particular service, product, or supplier, the greater the need to plan for its demise, damage, disruption.
Now I would be the first to admit that preparing and documenting an incident management plan is far from exciting, but that is no reason to put it off. And if you want a reason to get on with it, consider the situation faced by one of the first companies to purchase IMCD, a small but growing shipping company that specialized in transporting art work. A much bigger company was looking to sub-contract them, creating a great new source of revenue. However, the big company wanted to see the smaller company's incident management plan before it signed the contract, a simple matter of due diligence.
Not so simple for the smaller company. Although management had a clear idea of what they would do in a variety of disaster scenarios, and some good lists of people to call, assets to protect, and so on, they didn't have this stuff formally documented. Enter IMCD, which automates and facilitates the process of pulling all that documentation together. Result? Contract signed.
[Disclaimer: For a while I was involved in the development of IMCD. However, I do not have a financial stake in the product.]
Satellite Internet: When broadband isn't
For millions of Americans today the Internet is not what it could be, or should be. While they can watch television adverts show depicting an Internet rich in video, streaming media, and cheap phone calls, the virtual reality for many rural Americans is virtually dead. They are still on dialup. They have no broadband.Despite the fact that big, fat, high-speed pipes criss-cross rural America to deliver thick, juicy broadband to major metropolitan areas, the locals too often lack a steak in this pie (sorry about the twisted allusions, but these folks that are being short-changed raise the steaks and many of the ingredients for our pies).
Sadly, as urban Internet access speeds soar beyond 1 Megabits per second on stable, 7x24 connections, for under $30 a month, too many country folk are still measuring their web page load times in minutes and their access speeds in baud rates. They can't telecommute over intranets. They can't get Vonage or any other VoIP.
Baud rates? You remember baud rates. Back in the eighties we went from 300 baud to 1200 and then we started talking bit rates, like 19,200 bits per second or 19.2Kbps (the difference between bauds and bit rates being somewhat symbolic, nudge, nudge). Then came the nineties. That's where a lot of people out in the country on dialup still reside, getting about 48Kbps. That's 125 times slower than the city dweller's 6 Mbps. You are not going to watch much video at 48Kbps.
So, why have our agrarian bethren been left behind, despite the fact that their stewardship of the land helps keep fiber optic lines alight? Greed, pure and simple. What profiteth it a communications company to install a switch in a valley or a village where only 300 souls reside? Apparently not enough. And whenever a state thinks about making "universal service" a prerequisite of doing communication business therein, the lobbyists come forth in great number.
Consider New York state, a prime example of a state that is essentially rural, apart from a huge great population center in the lower right. Despite Manhattan, New York State is, for the most part, farm country and timber country (and also hunting country, home to over a million deer, and more than 4,000 Black Bear.) And despite the fact that the state is criss-crossed by broadband infrastructure to feed Manhattan and the other high density population centers, a lot of farms and rural residences do not have broadband.
Or do they? There is one technology that can claim to deliver broadband to just about anywhere, without wires: satellite. But let me tell you folks, satellite is not broadband. It is more like broad bucket. (Note: opinions expressed herein are derived from my ongoing experience with HughesNet in upstate New York, dating back to when it was DirecPC).
Wachovia the Wicked? Yikes what a stunningly bad way to run a bank
Okay, this post will probably reduce to nil my chances of getting hired as a computer security or data privacy consultant to Wachovia Bank, but it's hard to let this story pass without comment. According to a report in the New York Times, Wachovia Bank kept doing business with rip-off artists long after it was clear that doing so was aiding and abetting them. In short, Wachovia:"solicited business from companies it knew had been accused of telemarketing crimes....high-ranking employees at the nation’s fourth-largest bank frequently warned colleagues about telemarketing frauds routed through its accounts.... Documents also show that Wachovia was alerted by other banks and federal agencies about ongoing deceptions, but that it continued to provide banking services to multiple companies that helped steal as much as $400 million from unsuspecting victims."
Now, obviously I don't have the time and resources to watch all the news that appears on television, but I haven't seen this latest development in the story on either CNN or NBC. True, it doesn't have the same urgency as an election or a killer storm. But right now the blogosphere is the only place it seems to be kept alive, by bloggers who are making sure it doesn't get swept under the rug (along by some good old-fashioned, old-media leg work).
Consider the words I italicised. A major American bank, a Main Street retail bank, provided banking services to multiple companies that helped steal as much as $400 million from unsuspecting victims.
Shouldn't that be a major, ongoing news story until justice is served? The fourth largest US bank deeply-entangled in a $400 million consumer rip-off?
3 Smart Choices in One Cute Picture
As some of my friends already know, we are in beta mode at our place in the hills between the Adirondacks and the Catskills, testing the feasibility of year-round residence.The Arctic Cat ATV you see here was an early purchase, mainly for pleasure, but also for utility (the miniature pickup-bed behind the driver actually tilts--very useful for hauling and dumping firewood, dirt, etc.). The rack on the front is a handy place to strap tools, axe, chainsaw, shotgun, and so on.
We have had great use of this 4x4 on the trails around the property, but in terms of mileage the main use has been dog walking: our Springer Spaniel loves to run ahead of it.
But we don't just drive the ATV around to exercise the dog while we conserve human calories sitting in the driver's seat. No-o-o. We drive to previously unexplored locations, park, then head off on our own two feet, weather permitting.
And speaking of weather, smart choice number two in this picture is the Warn snow plow. Installed by Dan Beebe, a.k.a. "Dan the ATV Man," of Performance Recreation, this plow really gets the job done. Following Dan's advice, we installed chains on the rear tires and we always plow in Low gear with 4-wheel drive engaged. Haven't got stuck yet. Raising and lowering the plow is handled by the Warn winch (barely visible just above the plow). The winch came pre-installed on the ATV and the fingertip controls are fully integrated on the handlebar.
Thanks to a simple but effective design the winch can still be used with the plow installed, like when I had to haul a fallen tree off the trail to get back to base camp (in fact the plow worked well as an anchor when the winch started to exert serious tension on the dead weight of the tree trunk).
And of course the third smart choice in the picture is the lady at the controls, my amazing partner Chey (as in: I chose her and she, thankfully, chose me). Who knew she would be a talented and enthusiastic plower of snow. That simply wasn't on my radar when I spotted her, over twenty years ago, amid San Francisco's ultra-cool coffee-house scene.
The Happiness Life Cycle: An Open Letter to NBC's Brian Williams
Dude...I just wanted to have a few words with you about the Happiness Life Cycle that you featured on NBC Nightly News last night.
(I'm assuming you're cool with the whole "Dude" salutation, what with you being a frequent and much applauded guest on The Daily Show and now heading up a very slick, video-rich, blog-enabled web site.)
And the first word I want to have is Dude! As in Dude! Did you look at this thing? It's going to drive people crazy.
Take me, for example. I'm a 55-year old guy and the chart is right! I am unhappy. Very unhappy. About rock bottom in fact, just like the chart says I should be. The thing is, Dude, I thought it was because the real estate crash just wiped out most of my net worth.
So much that I worked for has gone, poof, disappeared! Talk about depressing! But no, the real reason I'm unhappy, according to the chart, is because I'm at the bottom of the happiness curve.
Furthermore it looks like I'm about to start heading back up to happiness. This is great news, but so confusing. Does it mean I'm going to come to terms with being poorer than I was eight years ago? Eight years of hard toil, all for nought, yet I'm going to be happy? Maybe I am going to win the lottery just like the lady with the crystal ball said. Or perhaps an up-turn in the housing market is just around the corner (maybe you could start talking about it, pretty much like you talked us into bursting the bubble?). The thing is...
(I'm assuming you're cool with the whole "Dude" salutation, what with you being a frequent and much applauded guest on The Daily Show and now heading up a very slick, video-rich, blog-enabled web site.)
And the first word I want to have is Dude! As in Dude! Did you look at this thing? It's going to drive people crazy.Take me, for example. I'm a 55-year old guy and the chart is right! I am unhappy. Very unhappy. About rock bottom in fact, just like the chart says I should be. The thing is, Dude, I thought it was because the real estate crash just wiped out most of my net worth.
So much that I worked for has gone, poof, disappeared! Talk about depressing! But no, the real reason I'm unhappy, according to the chart, is because I'm at the bottom of the happiness curve.
Furthermore it looks like I'm about to start heading back up to happiness. This is great news, but so confusing. Does it mean I'm going to come to terms with being poorer than I was eight years ago? Eight years of hard toil, all for nought, yet I'm going to be happy? Maybe I am going to win the lottery just like the lady with the crystal ball said. Or perhaps an up-turn in the housing market is just around the corner (maybe you could start talking about it, pretty much like you talked us into bursting the bubble?). The thing is...
On IP and PII: Merely the Location of a Computer? Non!
A recent AP article entitled "EU Official: IP Is Personal" shows that some people still don't understand, or are prepared to willfully misconstrue, one of the basic privacy concepts: personally identifiable information or PII.
On the one hand you have the head of the European Union's group of data privacy regulators stating that "IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information." He is correct.
On the other hand you have Google insisting that "an IP address merely identifies the location of a computer, not who the individual user is." Google is incorrect.
An IP address does not merely identify the location of a computer, just as your street address does not merely identify a physical location and your year of birth does not not merely identify a year. All someone needs is a few 'mere' facts about you and your identity can be established. That's why it is called personally identifiable information.
There are plenty of simple experiments you can conduct to prove this.
On the one hand you have the head of the European Union's group of data privacy regulators stating that "IP addresses, string of numbers that identify computers on the Internet, should generally be regarded as personal information." He is correct.On the other hand you have Google insisting that "an IP address merely identifies the location of a computer, not who the individual user is." Google is incorrect.
An IP address does not merely identify the location of a computer, just as your street address does not merely identify a physical location and your year of birth does not not merely identify a year. All someone needs is a few 'mere' facts about you and your identity can be established. That's why it is called personally identifiable information.
There are plenty of simple experiments you can conduct to prove this.
Once More Unto the Breach Dear Friends?
I think that I speak for a number of my colleagues in the information security and data privacy communities when I say that "breach burn-out" is a recurring occupational hazard.Here's how it goes. After some period of time spent working on projects to improve security and privacy you hear about a rash of incidents, a string of security breaches, that elicit weary groans. You find yourself asking, "Why do I bother?"
Sometimes the still small voice of calm will answer, "For the money." You remind yourself of the payments that are due, the mortgage, the doctor bills and the health insurance (which may well be bigger than the mortgage). And you decide to keep going.
Sometimes you find yourself in a position to ease back on the earnings and take some time to smell the roses, and you say to yourself "Them roses, they sure smell good." But then you hear about a rash of breaches that elicit groans of a different kind, groans of anger and frustration, tinged with regret. And sometimes you decide it's time to rejoin the fray.
Speaking for myself, I've been groaning a lot lately. There was Facebook, valued at billions, either failing to get a clue about privacy or arrogantly flaunting privacy conventions to see if it could make a buck. There was the year-end count of private data exposures that topped 160 million records. There was Boeing and its hackable Dreamliner (after the FAA intimated the 787 could be hacked because "it allows new kinds of passenger connectivity to previously isolated data networks," Boeing said that "the plane's networks don't completely connect" as though partial connection was somehow not connection). Now we have CIA statements at SANS about hacking utilities and other SCADA systems, reminding everyone that folks in several sectors have continued to develop and deploy mission critical systems under various false assumptions about security.
(Which part of War Games did these people sleep through? BTW, there is a good primer on SCADA on Wikipedia and here is a well-balanced set of slides--in .pdf--put together by D. Maynor and R. Graham at ISS. Their experience parallels what my colleagues found in the nineties: zero systems they could not penetrate, and many that could be hacked with skills rated 3 or less on a scale of 1 to 5.)
Even cool companies like Aptera seem to be forgetting simple things, like not letting other people sign you up for their email. Hardly on the same scale as diddling with the spent fuel rods at a nuclear power plant, but one more reminder that when it comes to security and privacy, most people just forget this stuff. Which is not so much a criticism of "most people" but a reminder that most people don't have an innate talent for "security-think."
Indeed, this truism is so well-established that the folks in charge should have put well-established mechanism in place to compensate some time ago, like security input at the design stage and security review during development and deployment. With all the other problems the world faces, it would be nice to think that by now we had routed the insecurity dragon or at least chained it up in its cave. Apparently we have not. Darn it!
[Exeunt. Alarum, and chambers go off]
Natural Beauty
Sometimes I find nature more beautiful than any art.This is the view down the trail from my house right now. Layla, our Springer Spaniel, is looking back at me, encouraging me to take a walk.
The snow on the branches of the birch trees and maples creates a sort of cathedral over the trail. The silence is wonderful and the air is fresh and clear.
A walk down this trail seldom fails to cheer me up. Layla ventures off to the left and the right, bouncing through snow cover, following deer tracks and turkey tracks, but looking back every fifty feet or so to get my nod to continue or return.
I now have a wider shot of this scene as the wallpaper on my laptop (1280x800). That way I can see it long after the snow melts. If you'd like to try it you can download it here (it is free, licensed under Creative Commons Share Alike 3.0, attribute: Stephen Cobb).
Data Exposure Stats Exposed
When I picked the top three privacy/security stories of 2007, the annual toll of privacy breaches was not included. My intention was not to belittle the ongoing plague of personal data exposures. However, this is a plague in progress and in that sense it is not new, thus arguably less newsworthy than some other developments.
That said, the year-on-year increase in exposures is worth noting, as Mark Jewell, did recently, writing for the Associated Press. He cites Linda Foley of the San Diego-based Identity Theft Resource Center who says "more than 79 million records" were reported compromised in the United States through Dec. 18 2007. That is almost a fourfold increase from the nearly 20 million records reported compromised in all of 2006.
Another source is Attrition.org, which reckons more than 162 million records were compromised through Dec. 21 of 2007, but that was worldwide and not just the US. The comparable 2006 figure from Attrition was 49 million, so they are suggesting a year-on-year increase of more than 3X.
Jewell points out that the biggest difference between the record-loss counts of the two organizations is Attrition’s estimate that 94 million records were exposed in the TJX case (T.J. Maxx, Marshalls, etc.). Attrition’s figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit banks filed against TJX whereas the Identity Theft Resource Center counts about 46 million, which is the number of records TJX acknowledged in March were potentially compromised.
Strangely, Jewell states that Attrition.org and the Identity Theft Resource Center are the only groups, government included, maintaining databases on breaches and trends each year. That's a [hopefully unintentional] slight to the Privacy Rights Clearinghouse where Beth Givens has been keeping track of numbers for several years. The PRC site documents 217,118,526 records exposed from 2005 through 2007. I think a lot of the PRC data is sourced from Attrition, but PRC reviews it and sometimes modifies it. David Shettler has developed a Web site that provides statistical analysis of security breach data, at www.etiolated.org.
When you consider this chart, based on Attrition numbers, the scale of the problem is apparent. While some of the steepness of the curve is probably due to increased reporting of incidents following disclosure laws passed in California and other states, those laws are not creating the exposures, which are all real, real people, for whom exposure causes real problems. Clearly, companies and governments need to do a much better job.
That said, the year-on-year increase in exposures is worth noting, as Mark Jewell, did recently, writing for the Associated Press. He cites Linda Foley of the San Diego-based Identity Theft Resource Center who says "more than 79 million records" were reported compromised in the United States through Dec. 18 2007. That is almost a fourfold increase from the nearly 20 million records reported compromised in all of 2006.
Another source is Attrition.org, which reckons more than 162 million records were compromised through Dec. 21 of 2007, but that was worldwide and not just the US. The comparable 2006 figure from Attrition was 49 million, so they are suggesting a year-on-year increase of more than 3X.
Jewell points out that the biggest difference between the record-loss counts of the two organizations is Attrition’s estimate that 94 million records were exposed in the TJX case (T.J. Maxx, Marshalls, etc.). Attrition’s figure is based on estimates from Visa and MasterCard officials who were deposed in a lawsuit banks filed against TJX whereas the Identity Theft Resource Center counts about 46 million, which is the number of records TJX acknowledged in March were potentially compromised.
Strangely, Jewell states that Attrition.org and the Identity Theft Resource Center are the only groups, government included, maintaining databases on breaches and trends each year. That's a [hopefully unintentional] slight to the Privacy Rights Clearinghouse where Beth Givens has been keeping track of numbers for several years. The PRC site documents 217,118,526 records exposed from 2005 through 2007. I think a lot of the PRC data is sourced from Attrition, but PRC reviews it and sometimes modifies it. David Shettler has developed a Web site that provides statistical analysis of security breach data, at www.etiolated.org.When you consider this chart, based on Attrition numbers, the scale of the problem is apparent. While some of the steepness of the curve is probably due to increased reporting of incidents following disclosure laws passed in California and other states, those laws are not creating the exposures, which are all real, real people, for whom exposure causes real problems. Clearly, companies and governments need to do a much better job.
Firewalls 1996 to 2008
January is aptly named after the two-faced god of gates and doors. It's a good month for looking both forwards and backwards. For example, if you look back 12 years in network security you might notice FireWallCon '96, an event orchestrated by the National Computer Security Association (NCSA later became ISCA Labs, was bought by Cybertrust, and is now part of Verizon, so ncsa.com no longer exists; but here is the conference listing in Risks Digest).
It is fairly safe to say that this was the first full-scale, commercial conference dedicated to firewalls and Internet security. Heck, it even had t-shirts, darned good ones at that; after 12 years I'm still wearing mine, shown at left.
And it is amazing to think it was that long ago. These days a sizable percentage of the population has at least an inkling of what the term firewall means in a computer context (as opposed to a building code context). Blockbuster movies and popular TV dramas use the phrase "getting through the firewall" in the expectation that most of the audience will know what it means.
Yet 12 years ago it was not unusual for IT professionals from big companies to be asking "What is a firewall?" and "Do we need one?" The buzz about firewalls built very rapidly from 1995 through 1996 and sales were brisk. I met several people at FireWallCon '96 who had bought a firewall for their company but weren't yet sure where they should put it.
Some organizations took a long time to figure that one out. I recall my colleagues and I putting on a firewall seminar for a very secret government agency three years later, during which it became clear that many of their IT people thought a router with access control lists was the same thing as a firewall. This was somewhat worrying, and puzzling when you consider the fact that one of the best early documents on firewalls was written by two gifted federal employees, John Wack and Lisa Carnahan (NIST Special Publication 800-10: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, December 1994). We drew on that document to create the NCSA Firewall Policy Guide, which enjoyed extensive world-wide distribution (NIST SP800-10 does not seem to appear anywhere in its original form, partly because it was superseded by the more complete SP800-41).
We now have firewalls everywhere, even on our personal computers. They haven't made us as comfortably secure as we'd like, but when properly configured and managed they are considerably more difficult to get through than some movies would have you believe.
It is fairly safe to say that this was the first full-scale, commercial conference dedicated to firewalls and Internet security. Heck, it even had t-shirts, darned good ones at that; after 12 years I'm still wearing mine, shown at left.And it is amazing to think it was that long ago. These days a sizable percentage of the population has at least an inkling of what the term firewall means in a computer context (as opposed to a building code context). Blockbuster movies and popular TV dramas use the phrase "getting through the firewall" in the expectation that most of the audience will know what it means.
Yet 12 years ago it was not unusual for IT professionals from big companies to be asking "What is a firewall?" and "Do we need one?" The buzz about firewalls built very rapidly from 1995 through 1996 and sales were brisk. I met several people at FireWallCon '96 who had bought a firewall for their company but weren't yet sure where they should put it.
Some organizations took a long time to figure that one out. I recall my colleagues and I putting on a firewall seminar for a very secret government agency three years later, during which it became clear that many of their IT people thought a router with access control lists was the same thing as a firewall. This was somewhat worrying, and puzzling when you consider the fact that one of the best early documents on firewalls was written by two gifted federal employees, John Wack and Lisa Carnahan (NIST Special Publication 800-10: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, December 1994). We drew on that document to create the NCSA Firewall Policy Guide, which enjoyed extensive world-wide distribution (NIST SP800-10 does not seem to appear anywhere in its original form, partly because it was superseded by the more complete SP800-41).
We now have firewalls everywhere, even on our personal computers. They haven't made us as comfortably secure as we'd like, but when properly configured and managed they are considerably more difficult to get through than some movies would have you believe.
Subscribe to:
Posts (Atom)