The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

August 22nd, 2008

All I Need To Know About Project Management I Learnt From My Cats

  • The most interesting, creative, fun and innovative people don’t run
    with the pack.
  • You’re a leader because your team believes you are worth following,
    not because you are appointed leader.
  • You don’t lead by giving orders, you lead by motivation.
  • Don’t expect to generate consensus easily, and be very suspicious when it occurs other than spontaneously.
  • ‘Who’s to blame’ is the last question anyone should ask.
  • You can’t make cats or programmers do something they don’t want to do.
  • Avoid the dogs.
  • It’s important to have a plan, but also to have interesting things happen along the way.
  • Curiosity never killed anything except maybe a few hours.
  • Always focus on the goal and the results, not the inconsequentials.
  • Don’t shout at them at all the time, only the once when it really matters.
  • One can only force someone to act against their true nature for so long.
  • No matter how hard you try, you can’t baptise cats, and trying to convert some people to The One True Faith is equally difficult.
  • You can’t trust dogs to watch your food.
  • Never hold a dustbuster and a cat at the same time. Never try to hold a debugging session with the original programmer present.
  • Cats, like programmers, pretty much do as they please.
  • Cats, like programmers, make a mistake, and by sheer luck they land on their feet. The next comment from them? “I planned it that way…”.
  • They conveniently “forget” the big rule when it suits them.
  • They are major egoists.
  • They are always sitting in the “command” seat (i.e. the seat you sit in), figuring they are real designers and architects and planners as well.
  • Don’t take it personally, they’re like that with everyone.
  • They are always pouncing on their favourite ‘toy’ and ‘killing’ it.
  • They take highly risky chances just because they can.
  • An understanding cat is better than a therapist; and cheaper too.
  • It’s important to make time to do ‘Cat things.’
  • If it’s not fun, why are we doing it?

In Memoria, Ulla

August 22nd, 2008

Are Mission Statements High Entropy?

My friend and fellow security droid Gary Hinson asked why so many corporate mission statements end up being utter gibberish, with more meanings than bits.

Hmm.
A ‘bit’ being, according to /usr/share/units.dat, a measure of entropy.

No Gary, I think that corporate mission statements, like political party policies, are high entropy, and with a high negative correlation with observable reality.

Perhaps one of the stochastic/Markov-chaining text generators was used – what were they called? “Racter” or something like that?

As it says at http://en.wikipedia.org/wiki/Nonsense

The problem is important in cryptography and other intelligence fields,
where it is important to distinguish signal from noise. Cryptanalysts
have devised algorithms for this purpose, to determine whether a given
text is in fact nonsense or not. These algorithms typically analyse the
presence of repetitions and redundancy in a text; in meaningful texts,
certain frequently used words—for example, the, is, and and in a text in
the English language—will occur over and over again.

However the Racter (?) programs, corporate PR and political speech writers seem to know this – heck, if you can test for it algorithmically you can generate it algorithmically – so they manage to make ‘nonsense’ have the necessary redundancy to pass these tests, sucker-punch our cognitive processes and perform memetic subversion.
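An added illustration of the point above (not code from the post or from Wikipedia): the crude redundancy test the quoted passage describes, run over the passage itself, over random letters, and over a constructed mission statement, plus a bigram chain in the Racter/MegaHAL spirit showing that text built to satisfy the test passes it. The function-word list and thresholds are my own choices.

```python
import math
import random
import re
from collections import Counter

# Ten very frequent English function words (a constructed short list).
FUNCTION_WORDS = {"the", "is", "and", "in", "of", "to", "a", "that", "it", "for"}
WORD_RE = re.compile(r"[a-z]+")


def bits_per_char(text):
    """Zeroth-order Shannon entropy of the character distribution, in bits."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def function_word_ratio(text):
    """Share of word tokens that are common function words."""
    words = WORD_RE.findall(text.lower())
    return sum(w in FUNCTION_WORDS for w in words) / len(words) if words else 0.0


def repetition_ratio(text):
    """Share of word tokens that repeat an earlier token: the text's redundancy."""
    words = WORD_RE.findall(text.lower())
    return 1 - len(set(words)) / len(words) if words else 0.0


def passes_redundancy_test(text, min_fw=0.15, min_rep=0.10):
    """The 'frequent words recur' check the quoted passage describes."""
    return function_word_ratio(text) >= min_fw and repetition_ratio(text) >= min_rep


def markov_nonsense(seed_text, n_words, rng):
    """Bigram chain over the seed text: 'generate it algorithmically'."""
    words = WORD_RE.findall(seed_text.lower())
    nxt = {}
    for a, b in zip(words, words[1:]):
        nxt.setdefault(a, []).append(b)
    out = [rng.choice(words)]
    while len(out) < n_words:
        # A word with no successor (the last one) restarts the chain anywhere.
        out.append(rng.choice(nxt.get(out[-1]) or words))
    return " ".join(out)


def generated_sample(n_words=60, seed=7):
    """Deterministic sample from the chain seeded with the prose below."""
    return markov_nonsense(PROSE, n_words, random.Random(seed))


# Sample 1: the first two sentences of the passage quoted in the post.
PROSE = ("The problem is important in cryptography and other intelligence fields, "
         "where it is important to distinguish signal from noise. Cryptanalysts have "
         "devised algorithms for this purpose, to determine whether a given text is "
         "in fact nonsense or not.")
# Sample 2: constructed random letter groups, no English structure at all.
RANDOM = "xq vjk zrb wlp fmdt yhc goqn usi ewa ldkr tzo bmvp xyc hnu wqe"
# Sample 3: a constructed mission statement, redundant enough to pass.
MISSION = ("It is the mission of the team to leverage the synergies of the enterprise "
           "and to empower the stakeholders in the value chain, and it is the goal of "
           "the organization to deliver the excellence that is the standard in the industry.")

if __name__ == "__main__":
    for name, text in (("prose", PROSE), ("random", RANDOM),
                       ("mission", MISSION), ("markov", generated_sample())):
        print(f"{name:8} bits/char={bits_per_char(text):.2f} "
              f"fw={function_word_ratio(text):.2f} rep={repetition_ratio(text):.2f} "
              f"passes={passes_redundancy_test(text)}")
```

The point the run makes is that bits per character barely separates the samples; the mission statement and the Markov output pass the redundancy test as comfortably as the real prose does.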

If reading parts of http://megahal.alioth.debian.org/Classic.html reminds you of conversations with your boss or of televised political debates or radio phone-in shows with politicians, then you’ll understand.


(As a sidebar, I’ll mention that my local talk radio, CFRB, has a show late Sunday where ‘saucerites’ and the like are given a platform. They answer phone-in questions more rationally than the politicians, in fact they actually answer the questions the callers ask instead of sounding off on their own agenda. Perhaps this is why people believe the politicians and not the saucerites.)

Perhaps, as Neal Stephenson speculated in ‘Snow Crash’, there is some Deep Language of our brains and some politicians know fragments of it.

August 22nd, 2008

Billions and Billions.

No, not a Google, it’s a Sagan!

I’m sure that like me you get mails that read something like

From:Mr.John Lewis
Phone No: 44-702 409 9061

This is to inform you that your funds of US$15 Million
has been approved for immediate delivery to you.

For the purpose of clarification,you are advised to
reconfirm your Full Names,Direct Telephone
Numbers,Physical Address with Zip Code so that there
will be no error during the delivery of the funds to
you in your country of residence.

Your quick response will be highly appreciated.
Congratulations in advance.your mail to this email address .
johnlewis477@yahoo.com.hk
Please Try and call me now Phone No: 44-702 409 9061.
It is very Urgent.
Mr.John Lewis

The Cardsharps

It’s always struck me as illogical that these are rarely addressed to me personally, they are usually to ‘undisclosed recipients’. That’s plural.
Lots of people have been sent this offer for $15M then.

The second thing that is illogical is that if there is this much money surely they could do the background check on me so they don’t need to ask for my name, address and all the other stuff. I’m in the phone book. And the on-line phone book.

Some of these even give physical addresses and phone numbers in countries – is that ‘44’ UK and not HK? – which may look convincing but is a bit stupid in this day and age when so many people travel and have relatives and friends in other countries. I do recall reading on the net of someone who did scam one of these people by having friends in that country following up.

But that ‘lots of $15M’ raises an interesting question.
Presumably the scam artist is appealing to greed.
The trouble is that it’s unrealistic.

What would be realistic?
Would $15,000 sound more reasonable for some long lost relative?
After all what if I am the eldest son of an eldest son of an eldest son, so some collateral branch of the family we lost contact with during the war leaves a legacy part of which follows that path?

Yes, I know it’s more than most scammers would think worthwhile, but just as the ‘Net has pushed down the cost of unsolicited mail, so too has it pushed down the cost and effort of genealogical research.

Does being sucked in by the smaller but more reasonable amount make more sense than the obviously impossible millions?

Because let’s face it, pitches like

We happily announce to you the draw (#1106) of the UK
INTERNATIONAL LOTTERY,online Sweepstakes International program
held on 12th May, 2007.

Your e-mail address attached to ticket number:56475600545 188
with Serial number 5368/06 drew the lucky numbers:
04-05-16-19-21-49 (bonus no.20), which subsequently won you the
lottery in the 2nd category i.e match 5 plus bonus. You have
therefore been approved to claim a total sum of £500,000 (Five
hundred thousand pounds sterling) in cash credited to file
KTU/9023118308/03.

That went out to ‘undisclosed recipients’ as well.
But since when do these jackpots get disbursed in cash rather than cheques with lots of publicity. And why should the cash be credited to a file and not the winner?
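The tells listed above (undisclosed recipients, implausible sums, a ‘44’ phone number beside a ‘.hk’ mailbox, urgency, cash ‘credited to a file’) can be turned into a simple mail scorer. This is an added example, not code from the post; the headers on the sample messages and the country lookup tables are constructed, the bodies are the two mails quoted above.

```python
import re

# Constructed lookup tables: just enough entries for the sample mails.
PHONE_CC = {"44": "GB", "852": "HK", "234": "NG", "1": "US"}
TLD_CC = {"hk": "HK", "uk": "GB", "ng": "NG", "us": "US"}
MULT = {"million": 1_000_000, "m": 1_000_000, "thousand": 1_000, "k": 1_000}

AMOUNT_RE = re.compile(
    r"(?:US\$|\$|£|GBP|USD)\s*([\d,]+(?:\.\d+)?)\s*(million|thousand|m|k)?\b", re.I)
URGENCY_RE = re.compile(r"\burgent\b|\bimmediate\b|\bquick response\b", re.I)
CASH_RE = re.compile(r"\bin cash\b|credited to (?:a )?file", re.I)
UNDISCLOSED_RE = re.compile(r"undisclosed[- ]recipients", re.I)


def amounts(text):
    """Every monetary amount in the text, in whole currency units."""
    found = []
    for m in AMOUNT_RE.finditer(text):
        value = float(m.group(1).replace(",", ""))
        found.append(value * MULT.get((m.group(2) or "").lower(), 1))
    return found


def phone_country(text):
    """Country of the first 'Phone No:' line, from its dialling prefix."""
    m = re.search(r"Phone No:\s*([\d\- ]+)", text)
    if not m:
        return None
    digits = re.sub(r"\D", "", m.group(1))
    for n in (3, 2, 1):  # longest known prefix wins
        if digits[:n] in PHONE_CC:
            return PHONE_CC[digits[:n]]
    return None


def email_country(text):
    """Country implied by the top-level domain of the first e-mail address."""
    m = re.search(r"[\w.+-]+@([\w.-]+)", text)
    return TLD_CC.get(m.group(1).rsplit(".", 1)[-1].lower()) if m else None


def score_mail(text, big_sum=100_000):
    """Count the red flags the post lists; a higher score is more suspicious."""
    pc, ec = phone_country(text), email_country(text)
    signals = {
        "undisclosed_recipients": bool(UNDISCLOSED_RE.search(text)),
        "implausible_sum": any(a >= big_sum for a in amounts(text)),
        "geo_mismatch": pc is not None and ec is not None and pc != ec,
        "urgency": bool(URGENCY_RE.search(text)),
        "cash_or_file": bool(CASH_RE.search(text)),
    }
    signals["score"] = sum(signals.values())
    return signals


# Constructed headers; bodies are the mails quoted in the post.
MAIL_FUNDS = """From: Mr.John Lewis <johnlewis477@yahoo.com.hk>
To: undisclosed-recipients:;

This is to inform you that your funds of US$15 Million
has been approved for immediate delivery to you.
Please Try and call me now Phone No: 44-702 409 9061.
It is very Urgent."""
MAIL_LOTTERY = """From: UK INTERNATIONAL LOTTERY <claims@example.invalid>
To: undisclosed-recipients:;

You have therefore been approved to claim a total sum of £500,000 (Five
hundred thousand pounds sterling) in cash credited to file KTU/9023118308/03."""
MAIL_OK = """From: Jane <jane@example.org>
To: anton@example.org

Hi, the invoice for last week is attached. Could you confirm the PO number
when you get a chance? Thanks."""
```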

So what it comes down to is that these scams are targeted to people who are dazzled by big numbers and don’t have a lot in the way of critical thinking and scepticism. Scott Adams, the author of the Dilbert cartoon strip, would call them “In-duh-viduals”.

I’m tempted to say that there’s a lot of that about in the western world today for a number of reasons, religious fanaticism, lack of education in statistics, believing that you have a right to gobs of money with no effort … One school of thought is that civilization needs the Marching Morons to act as consumers and keep the machinery of society working, but we don’t want them to be too smart or they might rebel. Fred Pohl and Cyril Kornbluth explored this idea in their short story “The Marching Morons”. (I recall the false speedometers in cars that gave the impression you were doing the Ton when you were only just doing a bit over 60. This too has come to pass.) It’s been explored in other utopian/dystopian novels such as Ira Levin’s “This Perfect Day” or the sex slaves of Charles Fourier’s (yes THAT Fourier) Utopian vision.
Utopia for some.

If you want to see it applied to our society – yes Virginia, we do have sex slaves and a ‘conspiracy’ (or at least an emergent property) to dumb us down. While John Gatto has written about how our school system is rigged for this (See

http://antonaylward.com/articles/2006/12/01/dumbing-us-down)

he omits that in many ways the society we have NEEDS the Marching Morons. Large scale questioning of roles and existence would be too disruptive. Isaac Asimov touches on this in his stories, for example ‘Strikebreaker’ (someone has to do the dirty jobs like garbage collection and build and maintain the sewers…) and “Profession”.

But doesn’t that in and of itself mean that the under-educated classes must exist and must therefore be susceptible to scams like the ones I describe above?

It’s a sad, sad world.

August 22nd, 2008

A sign of the times

It seems that many people in HR don’t realise that the interview is a two-way street. Not only are they trying to find out if the candidate is suitable, but the candidate wants to know about the position, the firm, the job and the people he will be working with. The most successful interviews are when both parties realise this and work accordingly.

Thirty plus years ago the company I worked for out of university assumed that the hires were there for their career. As such they invested in them. Training for middle management and beyond began quite early.

One of the first things we got was interviewing skills, that is DOING the interviewing. You might wonder why this was so early on. I was told that part of interviewing was determining if the candidate would fit in with the team. (How different from the attitude where hiring ‘gurus’ and ‘whiz-kids’ for their individual excellence is the only criterion.) Hence the candidate needed to meet the team and so the team had to understand how to interview.

But today? How many companies invest in training in that strategic manner?
The last couple of decades have been ones where job-hopping is the norm, so why should a company invest in training someone who will shortly be gone? Most people look to their own training, hence the rise of the training companies.

Hence also the rise of evaluating applications by their training record, and in some cultures the attitude that training is a ticket and certification is a ticket to a job. Many of us have seen on other forums people posting

“I want to get into security – which should I take first,
a CISSP, CISA or CISM?”

It’s really hard, I’ve found, to convince people with this cultural background and set of assumptions that it’s experience that counts.

I wonder if the same applies to HH/HR/screeners?

I ask because I’m one of those people who isn’t good at classroom learning. I’m better off taking things apart and experimenting. In the classroom I’m a pest, I ask questions as my mind races ahead and “off on irrelevant tangents” – which amounts to next week’s lesson! You’re never going to see a long list of courses taken and certifications earned on any of my resumes.

I’m off doing the “I wonder what if ..”. I think in terms of ‘ability’ rather than skills with specific pieces of equipment and software. I’m more like the guy in Asimov’s short story “Profession”.

Well, it takes all sorts.

August 20th, 2008

Why would anyone choose Linux when they already have Windows?

http://blogs.techrepublic.com.com/window-on-windows/?p=760&tag=nl.e101

I could go through a litany of complaints I have about Linux. I could
complain about the confusing number of distributions. I could complain
about the propensity of Linux proponents to cause unnecessary confusion
by abbreviating or using acronyms for Linux-only functions. I could
complain about the silly confusing names they give applications.

How come Linux gets berated for this?
There’s a plethora, a confusing plethora, of Microsoft products, since, compared to Linux, that world is unbundled.

But Microsoft aside, look at the auto industry; it was once said that you could order over a quarter of a million different variations given the options on some Chrysler models. There are still many distributor/vendors, and different dealers/outlets offer different deals, trade-ins, offers and options. The auto industry has more acronyms than the computer industry and lots of special functions and tools.

For example, the spring inside my seat-belt buckle slipped out of place so that the buckle won’t lock the clip in place. The way the buckle is built you can’t take it apart, so the whole assembly has to be replaced. The bolt that fastens it into the seat assembly (remember, the seat has to be able to gyre and gimble without altering the tension of the belt, so the belt is bolted to the seat, not the frame of the car) is a special one, the only one (except for the other seat belt) in the car. Of course it takes a special tool. As it turns out, the tool costs more than the over-priced replacement seat-belt assembly. And since it is for that purpose only on that model series (apparently it was changed for another equally unique bolt and matching tool in later models) my mechanic did not have that tool in his toolbox. He tells me that this is normal, that the auto manufacturers have many twists and turns like this that serve to lock out the independent mechanic by forcing up the cost of operations.

I look at the computer industry and think how easy it actually is to move between vendors of hardware and software. I really can’t see why if you are an office worker familiar with MS-Word you will be unable to do any work if faced with OpenOffice – or WordPerfect or WordPro. Once upon a time both Apple and Microsoft “sold” the GUI interface as being something that was “obvious” and wouldn’t need training and thick documentation. Whether or not that’s so, moving from one word processor to another, one mail user interface to another, has nothing to do with the underlying OS or the names and acronyms used.

As the article says:

An operating system exists only to create an environment for
applications; nothing more, nothing less. Most people sit down at a
computer and just start using it without worrying about what operating
system it is running.

So why the fuss? Gnome and KDE have “skins” that can make them look like OSX or any of the Microsoft Operating systems. The various distributions of Linux are more like the various offerings of the auto industry, they mostly resemble each other and copy ideas from one another. If you can drive a Ford – sorry, SUSE – you can drive a Chrysler – sorry, Mandriva. Or even a Volvo/BSD. And since I’ve seen Americans cope in England after just a few minutes, I’ll add MGB/LinOS.

So Why Linux?

The article has a theme about moving from Windows to Linux. What it doesn’t touch on is why one might want to move.

The reason for most people is that they get a new computer. They are probably going to have to change OS – from W/95 or W/XP to Vista. This is likely to be even more traumatic than if they changed to Linux with an appropriate skin. I’ve certainly seen many reports of application-only users who had their system “regressed” from a Vista they didn’t like to their “old” system which was actually Linux looking like XP. The reality is that most users see the applications and neither see nor want to see the OS. The same applies for most car drivers. They just want to drive.

When Mark Kaelin says that John Sheesley can crash Linux over and over – so what? The issue isn’t that someone with John’s background and expertise can crash Linux, it’s how stable Linux is for an ordinary user. And compared to Windows, it seems to be about 15 years further down the road. Windows seems to emphasise ‘dressing’. Perhaps that’s why Mark Shuttleworth wants to address the image of the desktop.
It’s worth reading some of John’s articles – he’s not rabidly anti-Linux. Or rabidly anti-Microsoft.

When Mark points out that viruses and malware exist for Linux he omits to note that these are ‘proof of concept’ things that neither exist nor could exist in the wild. The underlying architecture of Linux makes it more resilient to whole classes of malware. The idea that it’s ‘immune’ because it doesn’t have the market share is a myth.

I’ve asked many people in the business world why they don’t use Linux, and all in all their reasons tend to be emotional not logical.

But to be fair, if security and reliability are deciding issues, as many Linux enthusiasts claim, then why aren’t they using BSD? I ask that of them and I get an emotional response similar to the one I see when I ask Windows enthusiasts about Linux.

August 14th, 2008

Passwords Suck!

http://techbuddha.wordpress.com/2008/08/13/passwords-suck/

Indeed they do.
It’s beginning to look like the point I’ve been trying to make for years, here and with clients, is finally getting some notice. That the sad real truth is that passwords are security theatre. They provide the illusion that you’re securing something.

For those new here, I’ve long recommended Rick Smith’s excellent book on this matter:
“Authentication: From Passwords to Public Keys” ISBN 0201615991
See his home page at http://www.smat.us/crypto/index.html

Grandpa Rob Slade reviewed this, rather more kindly than some books he’s reviewed.
The author of the article recommends passphrases – a passphrase is easy to remember.
In “Password Expiration Considered Harmful” Rick makes the case that the overhead of periodically creating and remembering new but obscure passwords is actually a greater risk than conventional wisdom would lead one to think.

See also ‘The Strong Password Dilemma’ and not least of all this cartoon.

I use SSH and a 40+ character passphrase which is a line from a poem I wrote in my youth (and as the bard said, “But that was in another country and besides, the wench is dead”). I fat finger one time in four.

Some of it is practice. If you make people change their passphrases or passwords they won’t flow from their fingers so readily.

My home machine, where no-one can get in from the net and where no-one looks over my shoulder except my cats, I’ve used the same passphrase for over a decade. I can type it a LOT faster than a shoulder-surfer could see and my fat-finger rate is down around 1 in 300+. I don’t even have to ‘say’ the passphrase in my mind so even a telepath couldn’t “sniff” it.

Yes, this is a unique setting. My hardware, my home, no-one else comes near (not even to clean out the dust bunnies).

My error rate at client sites is, though, very high. They have these rules that Rick Smith points out are user-unfriendly and demand that I change the password just about the time I’m getting used to it. In the week after the mandatory password change I probably make 2-3 calls to support. AND I have to dream up more and more forgettable passwords.

If you ask me, it’s crazy, unproductive and expensive.

To debunk the myth that frequent password rotation is a good idea, see Gene Spafford’s blog entry on this. But many regulations require it, no matter how counter-productive it is and no matter how much it has been shown to weaken security.

Tell me, how often do you change the lock on your front door?

August 8th, 2008

‘Fakeproof’ e-passport

The fingerprint created by that friction ridge...
My colleague Sami O. Koskinen said “I always felt like the new biometric passport is just a show” and I have to agree with him. He also has reservations about the idea of building a national fingerprint database covering all citizens, and I would think visitors to a country. He points out that the justification for this in his home country of Finland is that fingerprints are already taken for ID and passports.

The normal justification for such a policy, which seems to exceed those of even the most repressive times of Stalinist Russia, is that it would ease solving crimes and help in crime prevention.

Well, for a start, I see from discussions in other forums that many people in IT and security don’t understand the difference between preventive and detective controls, or even that detective controls are part of an effective security profile, so why should tech-ignorant (and proud of it) politicians see that point.

Fingerprinting is a baseline detective method in law enforcement, at least with serious crimes of violence. But then again, this has been well publicized and is only really of use in impulsive crimes where the perpetrator has not had the time or foresight to wear gloves.

A few years ago I went through a stage of reading a lot of detective novels. Let’s face it, these are ‘entertainment’, not ‘true crime’. As such, twisted plots are common. Nevertheless, there is no shortage of plots whereby fingerprint and DNA evidence is spoofed and subverted. There are no laws or controls that prevent criminals or potential criminals from reading these books, and nothing whatsoever to stop them from coming up with even more creative and ingenious methods.

We’ve had references here to Schneier’s “security as a state of mind” and how we security professionals have “twisted minds”. That “twisted minds” designation has historically been applied to ingenious and inventive criminals.
According to my database of quotes, John Tandervold said:

“Each new law makes only a single guarantee. It will create new
criminals.”

A similar thing can be said about security controls in general. Each will have people who will find ways to bypass or subvert it.
