The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

April 25th, 2008

Visio in Ascii

http://search.cpan.org/dist/App-Asciio/lib/App/Asciio.pm

This gtk2-perl application allows you to draw ASCII diagrams in a modern
(but simple) graphical application. The ASCII graphs can be saved as
ASCII or in a format that allows you to modify them later.

So what does this have to do with security?

Well, one of the security risks we face is that Microsoft Office applications (among others) have embedded Visual Basic, often with extensions. These have been susceptible to macro viruses.

Yes, I’m aware that there are mechanisms for defending against this, but they are software, and we know that in the long run errors will be introduced in upgrades or patches and the bad guys will find alternative avenues of attack. The real problem is that VB is embedded in the application.

So this is a solution. We go back to the “data is data” era, when data was not executable. See also all the “why HTML mail is evil” articles - go Google for them.

Happy Friday.

April 25th, 2008

How not to hire a security executive who’s on parole

http://www.networkworld.com/news/2008/042308-how-not-to-hire-a.html?page=1

One of the first questions to ask during an audit is “Do you have Policy?” (which is part of the ISMS - see ISO-27001)

Then, after checking that for completeness and sufficiency, start checking if it’s communicated to staff and if it’s followed.

Since policy defines how an organization is to be run, this is the top-down approach. It’s why bottom-up things like pen testing are a waste of time. The policy-driven approach ensures that there are processes and procedures in place, and it allows for metrics and for improvement of both compliance and the detailed processes themselves (CMM etc.).

See also “Who Ya Gonna Call?”

April 25th, 2008

Are these “Top 10” dumb things or not?

In “10 dumb things users do that can mess up their computers”, Debra Littlejohn Shinder brings up some interesting common failings. Let’s look at her list, because I have a different take.

#1: Plug into the wall without surge protection
#2: Surf the Internet without a firewall
#3: Neglect to run or update antivirus and anti-spyware programs
#4: Install and uninstall lots of programs, especially betas
#5: Keep disks full and fragmented
#6: Open all attachments
#7: Click on everything
#8: Share and share alike
#9: Pick the wrong passwords
#10: Ignore the need for a backup and recovery plan

Well, they seem interesting, but …
The big “but” gets back to one of my favourite phrases:

Context Is Everything

Very simply, in my own context most of this is meaningless. It may well be in yours as well.

Let’s first look at the stated and unstated context, which should have been made clear up front.

The author mentions Windows XP a couple of times without making it clear which version, and makes only a passing reference to other versions of Windows. There is no mention of any other operating system: Mac OS X, Linux, BSD, OLPC, or even the embedded systems in PDAs. I can surf the net with Trusty Old Newton. More on that in a moment.

She also fails to mention the context in which the computer is being used. Is this a home personal system, a home office system, a small business or a larger commercial enterprise with its own IT and InfoSec departments? This matters not only from the point of view of meeting these points but of legal ramifications.

Many of us in InfoSec use the terms “diligence” and “care”. We usually omit the word “due” so as to avoid the legal meaning and the gunnysack of baggage that gets dragged in. ‘Diligence’ means a constant and earnest effort and application. ‘Care’ means the effort is serious and devoted. Neither of these terms is used in the article. However, one would reasonably expect these to be part of the approach in business of any kind, or even in a home setting where personal assets need to be protected and perhaps children to be cared for. The author fails to mention this too.

Plug into the wall without surge protection.

I’d rate this as ‘necessary but not sufficient’ for a number of reasons.
First and foremost the author does not make it clear that a UPS and a surge protector are not the same thing. Yes, many UPSs include surge protection, but think about these two things for a moment.

  1. You can have surge protection but still lose data when the power fails.
    This isn’t just about the work that you’ve done since the last ‘save’, although losing that can be serious. That loss of power may occur at a critical point for the hardware, causing corruption of the file system (disk drive, networked or USB). It is almost certainly going to cause a loss of your train of thought, and that may be very serious.
  2. Surge protection wears out.
    Most people are unaware that surge protectors have a limited life, and it’s not measured in time but in how much energy (aka surges) they have to absorb. So one day your surge protector isn’t going to protect you any more. FINIS. Game Over. The surge gets through and your machine is toasted.
    How do you know when your protector has used up its surge capacity? Generally you don’t, though some newer ones do have an indicator.
    What can you do about it? Not a lot, except buy a new one.

That’s why I like using a high-end laptop as a workstation. The power-brick and the battery do protect against surges and the battery acts as UPS. Sort of.

But please note that not all UPSs are created equally. It’s not just about battery power. I’ll save that for another article.

Surf the Internet without a firewall.

While this is good advice in general, the specifics are the killer.

My firewall is a separate machine, an old HP Vectra P1 with 256Meg of RAM, a 30Meg drive and a CD reader. If you feel so inclined you could probably pick up something like this from the Salvation Army for about $10.
I run the IP-COP firewall on it. I’ve run other firewalls including the Mandriva MDF with its sophisticated GUI. I loved playing with Shorewall, which is one of the most flexible open source firewalls I’ve met. But IP-COP is small, fast and reliable. It has plugins for caching and for handling Dynamic DNS, as well as many other functions if you choose to install the plugins.

Why have I chosen to run a separate firewall rather than the software or modem based approach that the author of the article suggests? There are many reasons, but prime among them is the principle of Separation of Duties. I’m a firm believer in the idea that each thing should do just one thing and do it well, and the idea of a ‘security appliance’ or of running the firewall on the host (i.e. the target) doesn’t appeal to me.

Perhaps there should be a “solely” in there.

Neglect to run or update antivirus and anti-spyware programs

This is another “Context is Everything” situation.

At home, even though I have an ‘always on’ broadband connection, I have a Linux based firewall and all my servers and laptops run Linux. It’s not that Linux is guaranteed 100% protection against all forms of malware, but at least it’s not the highly vulnerable situation of Windows that necessitates running AV software.

And let’s face it, as Bob Bergener at VMyths points out, AV software is getting less and less effective and the cycles of malware are getting more capable and more aggressive and more insidious.

But it’s not just me and it’s not just Linux. I have a number of high profile clients who put AV software on their corporate laptops and workstations … but it is disabled. It’s there, I’m forced to conclude, to satisfy the auditors. However, these organizations don’t suffer from malware attacks for other reasons, most notably that they have strict control over outside access. For the most part, there is none. Internal users are not allowed to use the Internet except under special conditions. Incoming and outgoing mail is aggressively filtered.

We’re beginning to see this kind of access control with products from Ironport (Cisco) and Proofpoint. These are “appliances” more available to smaller sites. In all probability most users of these products aren’t going to use their full capability and will still want another layer of protection against malware.

Sadly, the most effective one is the one that is weakest and is also the most easily subverted. It’s user awareness and discipline. Don’t open unexpected attachments, download and run strange programs, or visit dubious sites. See below.

Please don’t think that I’m saying having a firewall is an excuse for not keeping your software well maintained. There are many reasons for keeping up to date quite apart from making the software attack-proof. The mantra “If it ain’t broke, don’t fix it” is not a reasonable stance with something as complex as software. It may be broken in ways that you don’t see or haven’t seen yet. This is quite different from choosing not to apply a change because you’ve analyzed it and determined that it is not appropriate.

And let’s not forget that a firewall has lots of limitations - most are designed to protect the internal network from the outside world and assume that the internal network is trustworthy. Hence it’s no use at all if an internal machine is infected by some other means.

Install and uninstall lots of programs, especially betas

I was at IT360 and heard David Rice, the author of “Geekonomics” speak on software quality. One point he made was that the large software vendors treat all users as the “beta testers” for their products. He says:

“Software buyers are literally crash test dummies for an industry that is remarkably insulated against liability, accountability, and responsibility for any harm, damages or loss that should occur because of manufacturing defects or weaknesses that allow cyber attackers to break into and hijack our computer systems.”

So while this point may be a good one, we are all on the roundabout and can’t get off.

Keep disks full and fragmented

This is a meaningless and unhelpful generalization.

Firstly, I see an amazing amount of nonsense published about de-fragmentation. It warrants a posting and discussion in its own right, but please, don’t buy into this myth.

The second thing is that I DO keep a disk full and never run de-fragmentation on it. But then I have my hard drives partitioned. One contains the operating system, just what is needed to boot; another contains the system and libraries. These are pretty full and, apart from the upgrades and occasional patches (which are less frequent and less extensive with Linux than Windows), there is very little “churn” on these partitions. I can leave them almost full. This includes auxiliary programs where I keep on-line documentation (“manual pages”) and things like icons, wallpaper, themes and so on.

Next up is the temporary partition - /tmp in Linux parlance. It’s the scratch workspace. It is cleaned out on every reboot and by a script that runs every night, but most programs clean up their temporary files after themselves. This partition looks empty most of the time. There’s no point de-fragmenting it and no point backing it up.

Another few partitions deal with what can be termed “archives”. These may be PDFs of interest or archived e-mail. Backup of these is important but they are in effect ‘incremental’ storage so there is no ‘churn’, just growth, so de-fragmentation is completely irrelevant.

So what’s left? Partitions that deal with “current stuff”, development, writing, so forth. These are on fast drives, aggressively backed up, and use journaled file systems for integrity.

But overall I simply don’t do ANY de-fragmentation. I think it’s a waste of time for a number of reasons.

The first is that it simply makes no sense in any of the contexts above. The second is that given high speed disks and head activity and good allocation strategies in the first place, it’s not going to help.

The third and most significant is that since I use volume management software it can’t possibly help.

I use LVM on all my Linux platforms to manage disk allocation. If you read up on it you’ll see that it means that a contiguous logical volume may not correspond to a contiguous physical allocation on the disk. Since LVM subsumes RAID as well, it may not even be on a single physical drive.

Remember:

Now, after reading that article, speculate about how I do backups :-)

Open all attachments

Good advice at last! Sadly, human nature seems perverse. People seem to be sucked in to reading attachments and visiting dubious web sites (see below) and admonitions don’t seem enough to change their behaviour.

Perhaps evolution has failed us; perhaps we need a Darwinian imperative so that people foolish enough to do this can no longer contribute to the gene (or is it meme?) pool.

Click on everything

More good advice, more efforts to overcome human stupidity.

Share and share alike

Context is everything

Oh dear. This doesn’t make sense any more. To be effective in business you do need to share data. I don’t need to go into detail, but I will mention that most businesses need a web site to share information with customers, prospects and investors.

There are now many web-based businesses based on sharing: Flickr, Facebook, LinkedIn and the like.

And let’s not forget that the whole “Open Source” model is about sharing.

Pick the wrong passwords

There are two things I object to here.
The first is the hang-up with passwords. They are, to coin a phrase, “so twentieth century”.

The problem isn’t dreaming up passwords - we get nonsense like this:

Help users create complex passwords that are easy to remember

Let’s face it, there’s no real problem dreaming up passwords.
Certainly not for me. I had to learn by heart poems and passages from famous works, chunks of Shakespeare and that kind of thing at school. I can always pull out something, take first letters, mangle them however.

But the real problem, whether you have this repertoire or whether you use password generator software, is remembering them. Oh, and forgetting them when you have to change them. Oh, and knowing which one applies where.

This is the point that Rick Smith makes in his book, “Authentication”, and is why people write down passwords or use passwords that are essentially mnemonics or use the same password for many situations.

Twenty years ago I only had to deal with a few passwords; now I have to deal with hundreds. Almost every web site I visit demands that I log in.

We have reached a point now where using ‘strong’ password technology is becoming a liability and using passwords is, in and of itself, an increasing risk. The likelihood that a new employee will re-use a password he’s used on a public web site for his corporate login is high. The load on his memory is just too great. This is why there is a market for software that remembers your passwords. But how portable is it? USB drives, you say? I seem to lose USB drives with alarming frequency.

So, how happy are you with doing financial transactions over the Internet using just a password as authentication, even if it is over an SSL connection? I’m not very happy. This is a subject that deserves a long blog article in its own right, but let’s just point out that banks in Canada and the US have chosen not to use the more secure “two factor” and “one time pad” authentication systems that are normal for European and Scandinavian banks, and so have put their customers at risk. Not all the risks have to do with the Internet connection.

Some banks have moved to what they call “two factor” authentication. Well, it certainly isn’t really what the security industry calls “two factor”. At best it might be called ‘two passwords’ - instead of asking you just your password they will ask for the password and then one of a set of previously agreed questions like “what was the colour of your first car”. It gives the illusion of security, but it’s just a double-password. Compare it to having a lock on your screen door and your front door. If the thief comes in by breaking a window or by stealing your keys (or the book you have your passwords written down in since you have so many of them!) then this doesn’t help.

Real “Two-Factor” authentication has two different things. A password is “something you know”. The colour of your first car is also something you know. It’s also something other people can know.

A real second factor would be “something you have”, like your bank Client Card that you use with your personal identification number (P.I.N.), which is “something you know”. Both have to be used together. Someone might know - or guess - your PIN without you knowing about it, but if you lose possession of the card you do know about it.

Another factor is “something you are” - biometrics. Recognition of your fingerprint or iris along with a password.

Of course these more secure methods require more technology which is why most web sites fall back to the only thing they are sure you have - a keyboard.

Rick Smith’s book is …
“Authentication: From Passwords to Public Keys” ISBN 0201615991

See his home page at http://www.smat.us/crypto/index.html
He refers there to ..

A companion site, The Center for Password Sanity, examines the
fundamental flaws one finds in typical password security policies
and recommends more sane approaches.
http://www.smat.us/sanity/index.html

See also ‘The Strong password dilemma’ at http://www.smat.us/sanity/pwdilemma.html

And not least of all the cartoon at http://www.smat.us/sanity/index.html

Seriously: go read Rick Smith’s book.

There is a lot of nonsense out there about passwords and a lot of it is
promulgated by auditors and security-wannabes.

Ignore the need for a backup and recovery plan

As you can see above, I’ve made things easy for backups.

One reason for this is that the real problem is not having a backup and recovery plan; it is the doing of it, making it a habit, a regular part of operations.

That is one reason most larger organizations use centralized services, so that the IT department takes care of backups. It’s a major incentive for “thin clients” where there is no storage at the workstation that needs to be backed up.

It’s also one reason that I partition my drives so I can identify what is ‘static’ and what is ‘dynamic’.

One of my great complaints about Microsoft Windows is that everything is on the C: drive. I very strongly recommend partitioning your drives. Having a D: drive and remapping your desktop and local storage there makes things so much easier. It also helps to have a separate partition for the swap area and for temporary files. Sadly, while this is possible and is documented (search Google for details), it’s not straightforward. Which is sad, because it is a very simple and effective way of dealing with many problems. Not the least of which is that you can re-install Windows without over-writing all your data.

April 24th, 2008

History’s 5 Best Interface Designs

http://blog.wired.com/gadgets/2008/04/historys-five-b.html

There’s an important point here in the sub-text about manual controls.
Well, many actually.

One point is that of “being in control” vs “transparency”.
If all I want to do is listen to music or drive, then dropping a CD in a player or moving the selector past P, R and N makes more sense. If I want fine control in any one of many ways then the manual controls make sense.

So what has this to do with Security?

Bruce Schneier has pointed out that security needs to be transparent and intuitive, but that means different things to different people.

To an end user it means no spam, no malware, no intrusive pop-up adverts and no corruption, crashes or slowdowns. The ordinary user doesn’t want to be told to install patches or configure his personal firewall. He wants to write letters, balance his check-book, play games, watch videos or do the work he’s paid for. At many of my larger client sites the IT department does its job well enough that the end users see nothing whatsoever of the security process - I’ve discussed before how they don’t even have their AV enabled - it’s only there to satisfy the eternal auditors.

But there are people who do need the fine control, either professionally or as a self indulgence for their ego. For some people the array of knobs and sliders on their hi-fi, the ability to hit 6,000 RPM before moving out of first or having a menu interface that takes their attention off the job and has them fiddle around for a few critical seconds is very important.

In “The Inmates are Running the Asylum” (ISBN 0-672-31649-8) Alan Cooper talks about the way adding a computer to a previously established device can make it more like a computer than what it is supposed to be. The book is about user interface modelling and is a recommended read.

My first cell phone had a simple menu. The numbers, an ‘up/down’ lever and a “go” button. I could operate it “blind”. Every phone I’ve had since then has a complicated multi-level menu that I have to look at in order to do even simple things.

It’s the same with cameras. My favourite is my old Canon A-1. It was one of the first generation of fully automatic cameras and only had automatic exposure control, which could be easily turned into manual without taking one’s eye from the viewfinder or being distracted from the job at hand - composing and taking the photograph.

We keep saying that security is everyone’s responsibility, but really it’s not, not in the sense that everyone has to be encumbered by clunky user interfaces that get in the way of doing the real job. And for most people, the details of security have nothing to do with their job.

January 22nd, 2008

Once its out of your control ..

There’s this idiot …

http://www.timesonline.co.uk/tol/sport/formula_1/article3221830.ece

Nigel Stepney, the former Ferrari mechanic who sparked the Ferrari/
McLaren Mercedes espionage scandal last year, has admitted that he
handed information to McLaren, but did not imagine that it would be used
by the Woking-based team to the degree that it was.

Why ever not?
Once he handed the information over it was outside his control.
What people do with it then is up to them, not up to him. It’s not as if there was some binding contract and he can sue them for misuse of the information.

This boy is a fool to think he retains any control over the use of the information. Heck, by giving it away he’s shown that his employers don’t have control over the use to which it’s put, so why is he spouting nonsense like this:-

“I don’t feel responsible in anyway for what happened at McLaren,”
Stepney said in an interview due to be transmitted on Sky Sports World
Motor Sport show this evening.

This boy is a fool! Does he imagine everyone in the world is honest, is happy to abide by his agenda?

Or perhaps he’s a fool in a different way. Perhaps that’s all a smoke screen that he’s throwing up, hoping we’ll think him an innocent fool. Perhaps he’s fully aware of what he did and hopes we’ll think he’s just a naive and gullible idiot.

“Obviously it got a bit sensitive and somebody used information more
than I actually thought it [should have been] or not more than it should
have been, it should never have been used . . . to that extreme.”

And of course any leaked information could be put together with information from other sources, used to verify information obtained elsewhere, lead to other stuff … Anyone who has read things like David Kahn’s “The Codebreakers” or, perhaps more relevant to this guy, the BBC documentary in May of last year.

This boy’s a fool on many levels. How is any employer going to trust him ever again? It doesn’t matter if his intentions were as he claims or if this patter is a smokescreen; he’s shown that he can’t be trusted and that is what matters.

January 18th, 2008

Wake-up Business! The cybercriminals have embraced the open source

http://www.theregister.co.uk/2008/01/17/globalization_of_crimeware/

… In many respects, malware creation mimics open
source communities, in which legions of programmers spanning the globe
tweak one another’s code to add new features and fix bugs.

So what happened to the proverbial socially maladjusted hacker in the back room eating Twinkies and drinking Jolt?

“It seems somewhat different than the standard way of thinking of a
hacker,” says Thomas Holt, a professor of criminal justice at
the University of North Carolina at Charlotte, who presented his
findings Thursday to military and law enforcement officials at the US
Department of Defense’s Cyber Crime Conference. Crime groups “are
looking to one another for assistance. It’s no longer just a single
person distributing malware. Now there
appear to be groups and there appears to be a distribution of labor.”

And this when so many ‘mainstream’ companies are finding reasons to avoid using open source. No doubt they will misunderstand and use this as another reason.

January 16th, 2008

What did I say about buffer overflow?

http://aluigi.altervista.org/adv/quicktimebof-adv.txt

You’d think by now … after all, SC Magazine, at least in the print edition, lists the “top 5 attacks” used by US and foreign hackers, and ‘overflow’ attacks have been in the number 1 or number 2 slot for as far back as I can remember.

I keep going on about how the Morris Worm brought this to the public attention TWENTY years ago. I keep going on about how I continue to meet programmers of varying maturity, not just the ones fresh out of college, who are unaware of this kind of programming flaw - along with many other flaws and egregious habits.

I suspect what we have is the old phenomenon of assigning junior (aka inexperienced) coders to doing the maintenance programming. Why else would this kind of bug be introduced into a mature product?

Did I say ‘introduced’? Perhaps it was there all along, which is even worse, since it means it took this long to discover it.

January 16th, 2008

Many Oracle Users Don’t Apply Security Patches

Perhaps this applies to more than Oracle users?
Sybase? MySQL?
Windows?
Perhaps even Linux!

http://www.informationweek.com/news/showArticle.jhtml?articleID=205603104

Slavik Markovich, chief technology officer of Sentrigo, a database
security firm, said he’s been making presentations at Oracle Users
Groups around the U.S. since August, and at each one he asks for a show
of hands on how many attendees have adopted one of the two most recent
Oracle Critical Patch Updates. He also asks how many have adopted at
least one update since Oracle started issuing them.

Starting with the Capital Area Oracle User Group in Reston, Va., the
answers that he’s gotten have surprised him. At that meeting last
August, two out of 40 attendees said they had installed one of the two
latest patches; 15 said they had installed at least one patch in the
four years of the program. That left 62.5% who had not installed any
patches since the program began in November 2004.

And the effect of this?

“That leaves many databases vulnerable to what are now publicly known vulnerabilities.”

I think we could have guessed that.
The issue is whether the people in the organizations that run un-patched systems thought about that, thought about the consequences of that.

Probably not.
All the studies I’ve read indicate that the ‘high performers’ not only follow through on security procedures like this, but have proactive monitoring (e.g. IDS, log file scanning) and proactive response procedures. The people who don’t bother to patch will in all likelihood not even know if they have been hacked unless the hack has catastrophic results. If the hacker was subtle and just did some identity theft, small-but-many financial theft, then the database owner might never know.

So: When did you …

  • last update
    • your OS
    • your browser
    • your database
  • last scan your logs

Enquiring minds want to know, and many of them belong to malicious hackers.

December 28th, 2007

What do these have in common?

Please read these two news articles:

Passenger Says He Hacked Windows In New York Taxi Display Screen

and

Porn industry frets over security breach

Back already? That was fast.

What do they have in common? Not just a security breach, but that the spokesman takes a particular attitude towards the risk and the PII:

The VeriFone spokesman, however, said Chasen had merely accessed media
files, and passengers could not gain control of sensitive information.

“It’s a Windows-based system, so I could never say never,” he said. “But
there is no credit card information stored in the system.”

and

According to industry chat boards that have been buzzing about the
problem, the violation so far appears to be limited to e-mail addresses,
with an avalanche of spam e-mail hitting Web site customers’ inboxes -
including unique addresses created for joining specific porn sites.

John Albright, owner of the Too Much Media Corp., said in a statement
Wednesday that no credit-card information was affected by the October
incident.

The latter report adds some interesting observations:

Firstly:

“The adult industry has worked for a long time to become an industry
that can be trusted with personal information,” said Kathee Brewer,
former editor of AVN Online, the trade journal of the digital
adult-entertainment industry.

It then goes on to say:

When customer information is leaked - even if it is only e-mail
addresses - Brewer said, “consumers begin to back away because they
don’t trust the industry any more. All it takes is one issue like this.”

I don’t think that’s fair. I don’t think it’s fair for a few basic reasons.

Let’s look at the case of the taxis. If you feel their InfoSec is compromised, what alternatives do you have, as the average New Yorker? Bus? Limo? Drive your own car? In downtown NYC? It’s a monopoly, and the New York City Taxi and Limousine Commission mandates it. I suspect that they also mandate a specific implementation.

The porn industry may or may not be a monopoly; you can always visit another site, but what do they have in common? The same authentication software? The article seems to imply that software from Too Much Media Corp. is the norm.

But this just illustrates a point about such sites being an oligopoly.

In reality, how is this different from Amazon’s on-line services? Yes, there is Chapters here in Canukistaniland, and you have a few other book-sores (typo intended) on-line down in the USA, but have you tried comparing prices?

How is this different from gas stations? A few blocks from here there is an intersection with a different gas station on each corner (and a few blocks from that an intersection with three different donut stores and one gas station). They all display the same price and they all change prices at the same time. Well, almost: the independent is about 0.2 cents cheaper (as if it matters!). But who do you think he buys his gas from and how do you think he can manage to cut his margin?

You might look at Martin Fowler’s article “Catastrophic Failover” and think about “common failure mode” and the risks of a monopoly. I pointed this article out to a friend in operations and he commented that the cost of running a diversely heterogeneous site would be difficult to defend against the risk of a “domino effect”.

But in the InfoSec business we’re very aware of common failure mode.

Aren’t we?

But that wasn’t the point I was hoping to make with those two articles.

Look again at the quotes; look at the focus on credit card information, as if that was the only PII that was significant. As if harvesting e-mail addresses or other information wasn’t of value to spammers.

Bah!

December 7th, 2007

Green at home

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9045738&pageNumber=1

The computer magazines are full of “green” and IBM is running adverts about green that are painting the server room walls green. Green is obviously one of the hot IT buzzwords.

But what about home computing?

With the advent of DSL and cable internet many homes are running “always on” internet. This is a big “multiplier”.

Those of us who are smart have a firewall at the CPE doing the ‘always on’ part. I also have a server that uses fetchmail to fetch the mail from all the mailboxes I have around the world, so limiting my exposure.

While there are very low energy consumption machines like the Asus or solar powered laptops or very low power hacks, this is all leading edge stuff. Many homes are running “legacy” equipment.

My firewall, for example, is an old HP Vectra desktop. It also makes a nice support for my monitor. The monitor is ‘Energy Star’ compliant and powers itself down. My server and laptop are more modern and have energy saving features. Since I run Linux I make use of ‘powersave’ to use the BIOS to throttle the CPU and shut down disk activity.
Similar features exist for Windows.

The issue is “how many people use them?”

It would be nice for the green advocates if machines shipped with powersave features turned on, but it’s also easy to imagine grandma at her PC pecking out the letters while sending e-mail, pausing to think what to say next and seeing her screen go blank. Panic sets in.

Ah, awareness. Always an issue.

So what does this have to do with security?
Well, apart from grandma panicking, this is one more thing that can affect issues such as availability. While a battery-conserving road-warrior will tolerate the delay of disk start-up, it’s not appropriate in many other settings. Certainly not in a server farm!

Often the IT world can become obsessed with issues that are tangential to its main focus. Being Green should be a corporate strategy, one that is systemic. There are many other ways that a corporation can cause energy to be consumed other than its own electrical demands.

Telecommuting might seem a good idea but do work out the details. Is it more energy efficient for workers to come to an office and turn their own home energy demands down? Crunch the numbers. It may be less expensive for the company, allow it to have smaller premises and energy demands, but all it’s doing is offloading its energy demands onto its telecommuters. Good for its own profits but short-sighted with respect to the community at large.

And “going green” by telecommuting has its own InfoSec risks!