September 29, 2007

Sheep outsmart Britons

(Posted by adam)

The BBC reports that in Yorkshire, crafty sheep conquer cattle grids:

Hungry sheep on the Yorkshire moors have taught themselves to roll 8ft (3m) across hoof-proof metal cattle grids - and raid villagers' valley gardens.

...

A National Farmers' Union spokeswoman in York said: "We have never seen anything like it. We have looked at ways of improving the situation but it is very difficult. The grids are substantial bits of kit."

If these were Boston sheep, they'd be lucky to be alive after pulling a stunt like that.

Photo: "2005 05 Northumberland 019" by Marjia.

Posted by adam on September 29, 2007 at 2:18 PM in Amusements.

September 27, 2007

What Secure Flight Really thinks about you

(Posted by adam)
You can find out, by making a request under the privacy act. "Read Your Own DHS Travel Dossier."

Good commentary and context at Threat Level, "Howto: Check Your Homeland Security Travel File."

Posted by adam on September 27, 2007 at 11:51 AM in Air Travel, Privacy.

SmartHippo Launches

(Posted by adam)
Have you ever wondered how banks make so much money in the mortgage business? If you stop to think about it, mortgages are the ultimate commodity product these days. The bank collects information from you, gives you a loan, outsources the customer service to a loan servicing company, and securitizes your loan.

So how do banks make money? It's 'easy.' They sell you a loan at a higher rate than they'd be willing to settle for. A mortgage is a big, unpleasant, complex process that includes some stranger pawing through your financial life. Making a bad choice is worrisome. Most people apparently get very few quotes, and are told that their rate depends on their credit score.

There's a strong imbalance in the information that each side has, and my friends at SmartHippo have just launched a site to help correct that imbalance.

If you're getting a mortgage, or just want to compare, check these folks out. I really like what they're doing and where they're going.

What would it be like if buying lemonade was as complicated as shopping for mortgage rates? See what happens when little Jenna opens a lemonade stand and tries to maximize profit at the expense of her customers.

Posted by adam on September 27, 2007 at 10:48 AM in startups.

September 26, 2007

Making a Positive Impression With The Business

(Posted by arthur)

Larry Hughes has a great post over on Riskbloggers with tips on how to demonstrate that security is invested in the success of the business. There's some really good stuff here. Especially these two:

Say “no” by saying “yes.” Somebody wants to uncork that remote access bottle, and let a thousand new contractors VPN into the corporate net from anywhere in the world with their own laptops? Of course you’d like to help them explore how they can meet their objectives in a way that’s neutral to the business’ security posture.

I can't agree with this one more. The only thing I've seen that gets more traction and people playing nice with us is a major security event. All saying no does is to make things more confrontational and put everyone in a resistant mood. So you want to avoid that, unless of course you like being called "Dr. No". By saying "How can I help?", you are putting yourself in a position where you are making things happen, not being a roadblock.

Learn when to say “That’s good enough for now.” Scratching and clawing for every inch of ground this time, because you know how hard it’ll be next time, only leaves you with bloody fingernails. Nobody wants to buy things from people with bloody fingernails.

As Ken van Wyk and Mark Graff remind us in Secure Coding, it's not about being secure. It's about being secure enough. It's never going to be perfect, so the question is whether there is enough protection from threats for the foreseeable future.

This is similar to how we need to understand how businesses work. But we also need to understand how people work and learn how to interact with them better. As usual the people are indeed the weakest link, but in this case, it is us.

Posted by arthur on September 26, 2007 at 8:54 AM in information security.

September 25, 2007

Bayesian battlefield

(Posted by cwalsh)

According to court papers referenced in this VOA report, U.S. sniper teams in Iraq are using an interesting tactic:

[A] so-called baiting program developed at the Pentagon by the Asymmetrical Warfare Group....the baiting was described as putting items, including plastic explosives, ammunition and detonation cords on the battlefield then killing suspected insurgents who picked up the objects.

These claims are being made by men accused of murder, so bear that in mind. If true, however, this technique would seem very likely to suffer from a large number of false positives. Assuming the process was designed by someone intelligent, that either means they do not care about false positives, or that (contrary to my prior belief as asserted above) the likelihood of a curious true bad guy happening by is so large that the false positive rate is tolerably low.

Scary either way, I'd say.

Posted by cwalsh on September 25, 2007 at 11:08 PM in Current Events, Terrorism.

Once more into the Ameritrade Breach

(Posted by adam)
Last week, I wrote:

It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they're shaping the news by sending out a press release.

On further reading, both from readers commenting on that article, and things like Network World, "Ameritrade customers vent about data breach:"

The Ameritrade spokeswoman says the company believes no Social Security numbers have been taken because the only known illicit activity traceable to the breaches is spam, not identity theft.

Well, with a little more skepticism, words like "known" and "traceable" start to sound a lot less forthright. So perhaps my initial comment, that they're shaping the news, was entirely on target, but in the wrong context.

There's also this, from Information Week:

An attorney launching a class-action lawsuit against TD Ameritrade Holding alleges the online brokerage knew a hacker had access to a customer database as far back as a year ago.

As Rich Mogull says:

This is all Crisis Communications 101 - as history has shown, the best way to defend your reputations in a major incident is to admit the failing, spare nothing to protect your customers, and act as openly and honestly as possible. Otherwise we wouldn't have seen a bottle of Tylenol on a store shelf since the 1980's.

It's too bad Ameritrade won't be the first company to really come clean in a major breach. Which means there's still an opportunity for the CEO of another firm to get ahead of the problem and be remembered for their vision.

You'll read about whoever it is here.

Posted by adam on September 25, 2007 at 11:38 AM in breach analysis.

September 24, 2007

MIT, Logan, the Chilling Effect and Emergent Chaos

(Posted by adam)
If you're not hidden under a rock, you know about the latest bomb scare in Boston. Some MIT kid forgot that Boston cops think anything with an LED on it is a bomb.

A lot of people are saying she got what she deserved, or that she's lucky to be alive. These people probably think that Jean Charles de Menezes should have worn different clothing before getting on the London Metro, and that Andrew Meyer should have never asked a question of John Kerry.

I think this is a tremendously dangerous trend for society, and not just the creative or strange types. Should we give police such broad license to use force that everyone needs to consider, first and foremost, if their actions, their legal actions, might freak out a policeman?

If we do so, there are substantial costs. They're not visible. A few moments of time every day, considering how the police feel about you. A little less bizarre or risqué public art. A little less creativity and verve in life, as we all ask "what if a cop shoots me?"

What would have happened to the first people designing and testing cell phones, if homemade electronics with a battery had been cause for concern? How would we test keyless car entry systems, if a police officer had shot people walking up to cars without unlocking them? Even Dave Maynor would be in trouble. Just look at his art:

When I was a kid, Radio Shack sold breadboards (like the one the student was wearing.) Tinkering with electronics was a key part of what launched the Homebrew computer club. Tinkering with dangerous chemicals was an important part of the development of modern photography.

Do we want everyone who tinkers, invents, hacks or makes projects to have to worry that cops with submachine guns are going to show up and ask agitated questions? Are those filters good for society?

Here at Emergent Chaos, we're fans of, well, emergent chaos that happens when those filters go away.

Photos: Lisa Poole, AP, and Dave Maynor, Errata, respectively.

[Update: Chris Soghoian makes the useful point that lots of bombs have no visible wires at all, being hidden inside other things. And while protecting against dumb terrorists is useful, it's not worth giving up our ability to tinker, build or innovate.]

Posted by adam on September 24, 2007 at 1:06 AM in Liberty, Terrorism.

September 22, 2007

Family Guy Does Usability

(Posted by adam)

A funny clip for Saturday. I can't figure out how to embed the video here, so click on the picture to be taken to Gizmodo.

Posted by adam on September 22, 2007 at 1:54 PM in Amusements, Star Wars, Usability.

September 21, 2007

How unladylike

(Posted by cwalsh)

Like most EC readers, I have been following the story of the MIT student with the breadboard and Duracell fashion accessory who nearly got ventilated at Logan airport in the most LED-hostile city in the US, Boston.

The Associated Press was quick to repeat the claim that the student was wearing a "fake bomb", when this is at best a very debatable point. Well, now they've outdone themselves with the latest headline on this story:

MIT Coed With Fake Bomb 'Art' Arrested

This is the greatest example of linguistic economy I have seen this year. It bundles three horrendously poor word choices into a seven-word sentence. The Bulwer-Lytton people need to make a special award.

1. We do not know that this was a "fake bomb". That depends on the intent of the student, who says it was just art. Who the heck are the Associated Press to draw conclusions so early in the story?

2. "Art" or art? The AP "editors" need to read up on the different uses of quotation marks.

3. "Coed"? The appropriate term is "student". I literally cannot find the words to express how....erm...'quaint' this word choice is. I hope the AP editors are sitting down when they learn that the woman in question was not in a home economics, English literature, or library studies program.

Sheesh.

I have no idea what the motives (if any) this person had for her choice of attire. She may be a publicity-seeking ninny, some kind of art activist, an EE geek with poor situational awareness, or -- like Miss Teen South Carolina or whatever -- somebody who let off a rather noticeable brain fart which got caught in Panopticon 2.0. She could also be none of the above. One thing for sure is that the Associated Press isn't helping us arrive at the truth by using loaded terms (no pun intended) and taking us on a painful trip down memory lane.

Posted by cwalsh on September 21, 2007 at 8:49 PM in Current Events.

September 20, 2007

Transparency in Government

(Posted by adam)
The Privacy Commissioner of Canada is blogging. Welcome to the blogosphere!

In unrelated news, the Canadian dollar reached parity with the US dollar for the first time in thirty years. See the Canadian Broadcasting Company, "$1 Cdn = $1 US."

Posted by adam on September 20, 2007 at 10:53 PM in blogging.

TSA knows what you read

(Posted by adam)
Privacy advocates obtained database records showing that the government routinely records the race of people pulled aside for extra screening as they enter the country, along with cursory answers given to U.S. border inspectors about their purpose in traveling. In one case, the records note Electronic Frontier Foundation co-founder John Gilmore's choice of reading material, and worry over the number of small flashlights he'd packed for the trip.

The breadth of the information obtained by the Gilmore-funded Identity Project (using a Privacy Act request) shows the government's screening program at the border is actually a "surveillance dragnet," according to the group's spokesman Bill Scannell.

"There is so much sensitive information in the documents that it is clear that Homeland Security is not playing straight with the American people," Scannell said. (Wired News, "U.S. Airport Screeners Are Watching What You Read.")

In related lying news, last week it came out that Director of National Intelligence McConnell lied to the Senate about wiretaps.

If this was a political blog, we'd analyze the trend. Since we're all about information security, and pirates, I'll just say that in an environment where the security measures are unclear and scary, you can expect users to behave in strange ways.

Posted by adam on September 20, 2007 at 12:53 PM in Liberty, national security.

September 19, 2007

Free, as in milk

(Posted by cwalsh)

What the hell are the idiots at Facebook thinking?

If there's anything stupider than banning a woman from breastfeeding in public, it is banning a picture of a woman breastfeeding on the grounds that it is "obscene", which is what the morons at Facebook have done, as reported (for example) by the Toronto Star.

Attention Facebook idiots:

"Obscene" is a legal term. If your lawyers tell you that something like this is obscene, you need lawyers who didn't go the Springfield Upstairs School of Law. It sure as hell looks like it has redeeming social value to me.

Much is being made about the hypocrisy of Facebook allowing umpteen pro-anorexia groups, when anorexia is itself demonstrably damaging to women and when such web content (according to recently-published research) is as well. I think this is a foolish argument.

Facebook's position isn't wrong because it does more harm than good, or because it is inconsistent. It is bad because being able to advocate controversial things is an essential element of freedom.

Posted by cwalsh on September 19, 2007 at 10:52 PM in Current Events, Liberty.

Those scurvy dogs!

(Posted by adam)

The scurvy dogs at TD Ameritrade may have tricked us!

Well, maybe. The comments on "Analyzing the TD Ameritrade Disclosure" and articles like "Lawsuit Raises Questions on TD Ameritrade Breach" and "Ameritrade Customers' contact information hacked" have been demanding a re-think of what I want to think on the subject. But less importantly, today is International Talk Like a Pirate Day! We at Emergent Chaos love pirates far more than we love ninjas. No one has any fun on talk like a ninja day.

We celebrated in 2005 by reminding you that more pirates, less global warming.

We stand by that a lot more than we stand by me Ameritrade post. If there be any justice, I'd be scraping the bottom o' barnacles. But there's no justice this side of the Atlantic, thanks be.

Image plundered from amphion27.

Posted by adam on September 19, 2007 at 12:05 AM in Amusements.

September 18, 2007

Motley Fool on SAIC

(Posted by adam)
Case in point: SAIC confessed in July that "information ... stored on a single, SAIC-owned, non-secure server at a small SAIC location, and in some cases ... transmitted over the Internet in an unencrypted form ... was placed at risk for potential compromise." In the context of other firms having actual knowledge of miscreants accessing their data, and in some cases using it in actual identity theft schemes, SAIC's warning of "risk for potential compromise" sounds pretty tame. Still, the company has hired Marsh & McLennan (NYSE: MMC) subsidiary Kroll to help patch its security, and it would take at least $7 million to $9 million in charges in its second fiscal quarter to fix the breach.

What management does: That won't do any good for the trend of declining gross, operating, and net margins at SAIC. But to put things in perspective, the midpoint of the range SAIC posited, $8 million, represents just one-tenth of one percent of the firm's cost of goods sold over the last 12 months. For a company this big, the financial cost of the breach isn't a tragedy, folks. It's a rounding error. (Motley Fool, "Foolish Forecast: SAIC's Chance to Shine")

I've been predicting this sort of response from the market for a long time. It's nice to see it arrive at a respected consumer-oriented site.

Posted by adam on September 18, 2007 at 11:48 AM in breach analysis.

September 16, 2007

Trendspotting?

(Posted by cwalsh)

Adam mentioned the recently-announced Ameritrade incident. One thing I found interesting is their decision to hire ID Analytics to determine whether ID theft follows this data breach.

According to an ID Analytics press release, the US Veterans' Administration did something similar when several million veterans' information was revealed. At a cost of $25,000 (according to Fedspending.org) in the VA case, this sort of approach would almost certainly be much less costly than services like Equifax's CreditWatch, which are often offered to those whose information has been revealed by a breach.

I think what we're seeing here is the leading edge of a trend. Firms are applying (what they think is a) risk-based approach to determining what level of post-breach response they provide (if any) to individuals whose information is involved. This is similar to the risk-based notification triggers which some think wise. I would look for more of this; as firms become more knowledgeable about their options, they will become more discriminating in their responses.

Posted by cwalsh on September 16, 2007 at 11:42 PM in breach analysis.

Analyzing The TD Ameritrade Disclosure

(Posted by adam)
In a press release, TD Ameritrade this morning confirmed reports that it has been informing customers of a potential security breach. The release does not confirm the figure of 6.3 million customers, but a company spokesperson did give that number to reporters in interviews. (Dark Reading, "TD Ameritrade Breach Affects 6.3M Customers.")

It appeared that no SSNs, account numbers, or other information was stolen. So why is Ameritrade announcing it, and what can information security professionals learn from this?

It appears that Ameritrade is getting ahead of the story. Rather than have it dribble out by accident, they're shaping the news by sending out a press release.

Second, they're shaping their customer response. Rather than have customers hear about this from someone in a state with a broad disclosure notice, and worry "was I affected, too?", they're telling everyone. That allows them to appear proactive and caring, rather than reactive and hiding.

Third, they've probably kept costs way down by not paying a law firm to analyze their requirement to disclose under a variety of laws.

Finally, they were smart early, and separated their customer data from the deeply sensitive stuff which was in a different database.

So what can someone who's just been breached learn from this?

First, segment your data now. It pays off, probably more than a lot of products you might buy.

Second, when you encounter an incident, think about taking control of the situation, rather than letting the situation control you. Spending time planning for a variety of breaches will pay off, both for the companies that are ready, and for the leader who initiated the process.

Posted by adam on September 16, 2007 at 7:50 PM in breach analysis.

No word on the lupins

(Posted by cwalsh)

NSW Police are investigating the possible compromise of an online florist's database and theft of customers' credit card details.

The Fraud Squad has set up Strike Force Parkview to investigate the case that involves the retailer Roses Only.

There are unconfirmed reports that the details were used to make a string of luxury purchases in South-East Asia.

"A strike force has been set up by the State Crime Command Fraud Squad to investigate the possible compromise of an internet-based business' database and subsequent fraudulent transactions," a police spokesman said.

She said the investigation was in its earliest stages and no further information was available.

Roses Only later released a statement saying that it had been recently advised that their computer systems "may have been" compromised through an unauthorised intrusion earlier in the year.

"We moved quickly to address the situation and engaged a leading international technology security firm to enhance the security of our system," the statement said.

(Sydney Morning Herald)

(Image grab via YouTube)

Posted by cwalsh on September 16, 2007 at 7:40 PM in Amusements, breaches.

September 15, 2007

Who Likes a Cheater?

(Posted by adam)
If you don't follow sports news, the New England Patriots and their coach have been fined about three quarters of a million dollars and a draft pick. This is reported in articles like "Belichick given record fine for video cheating." (Times Online, UK) That may seem like a lot, until you realize that that's less than 1% of the fine assessed against the McLaren F1 racing team.

The case broke open in July when a 780-page technical dossier on Ferrari cars was found at the home of McLaren's chief designer, Mike Coughlan, who later was suspended. Ferrari mechanic Nigel Stepney, who allegedly supplied the documents, was fired. (Detroit Free Press, "Formula One team McLaren fined $100 million in spying scandal.")

So why was the fine for the Patriots so low? Apparently that's the league maximum.

So who likes a cheater? Apparently, the National Football League, who has set their maximum fines low enough that cheating was an irresistible temptation.

We now return to your regularly scheduled security blogging.

Photo: Sabine, "A fine city."

[Update: My friend Jeff, who is much more into football than I am, asks how the fines are proportioned to team budgets, and points out that this is the stiffest penalty given in NFL history. ("Penalizing the Patriots.") Proportionally, the McLaren fine seems to be roughly 25% of an F1 budget, assuming that McLaren spends as much as the $400MM that Ferrari spends [1]. The Patriots' financial penalty is less than 1% of the team's $100MM share of NFL revenue [2]. It's not clear to me how to compare a draft pick to points, which are the non-financial aspects of the penalties.

[1] Formula 1: The Business of Money
[2] NFL's Economic Model Shows Signs of Strain]

Posted by adam on September 15, 2007 at 5:45 PM in Current Events.