Save us from the other people

We are the other people
You’re the other people too

“Mother People” – Frank Zappa

So just who is it that messes up great security plans and policies? You know, those folks whose boneheaded stunts compromise even the best security efforts? The people who use webmail accounts for company business. The people who write their login credentials on little yellow stickies taped to their displays. After extensive research I have found incontrovertible evidence that it’s the other people.

That’s right. The other people. But here’s the bad news, pilgrim. Frank Zappa had it exactly right – we are the other people and you’re the other people too.

Sometimes the other people are those pesky end users, such as the guy described in this article from Nicholson Security who logs on to his company’s VPN remotely from Starbucks and then proceeds to the rest room for 15 minutes, leaving his laptop unattended and unsecured. Sure, it’s easy to conclude that the guy in question is an idiot who should be spanked. But consider this – he’s just a guy trying to get his job (in this case a realtor) done. Like all other people. Like you. Like me.

My goodness, we’re being mighty understanding here. Does this herald a kinder, gentler Security for all? You wish! Seriously, why would you expect a realtor to understand why it’s important to not leave the company LAN wide open to anyone including roving security pros? Okay so this is a particularly bad example since the guy left his laptop completely unattended in a Starbucks, so in all likelihood he is an idiot. But forgetting that for a second, didn’t he get the standard education about his company’s security policy? I’m guessing that what he got was a quick “this is how you access Outlook from the new Citrix system” either from the office admin or from the IT guy who installed the new Citrix system. And armed with that information set out to sell some houses.

Sure, it’s easy to find numerous examples of ignorant end users who bypass security policy just so they can get their jobs done as efficiently as possible. But what about the guys who create and enforce those policies? Sorry to say, they are other people too. Other people tend to take too much for granted with respect to the skill level and “tech savviness” of their constituent users. For the next example, I submit my own experience. In fact, the very experience that prompted me to write this.

My brother is developmentally delayed. That’s the currently PC version of mentally handicapped. For his birthday this year I got him an iMac. I set it up, got him on the internet, signed him up for a webmail account and showed him how to get started. Since all he wanted to do was take pictures with his digital camera, load them into iPhoto, send them to our Mom and surf the web, it wasn’t a very difficult training session. After about a week, he discovered that his email wasn’t working. Turns out I hadn’t set up his outgoing SMTP server correctly and consequently no one was responding to his emails since he wasn’t able to send them. So I went over to fix it and discovered a number of unsent messages responding to phishing sites that were attempting to steal his information. Yikes! But all he knew was that these sites had some cute picture or swell program that he wanted, and he had to join so he could get it. My epiphany happened at this point. It had not even occurred to me to warn him about these kinds of sites, since I just automatically assumed that everybody knew about that. Bad assumption. We are the other people.

So let’s kick it up to a different level. What about the software project manager who cuts the QA time in order to get the product out the door in the (unrealistic) timeframe imposed by senior management in response to marketing intel with respect to market windows? It’s easy to say that the project manager is wrong because scrimping on QA will certainly lead to a lower quality product, which translates to more bugs and vulnerabilities in the product. But the schedule was imposed by senior management, so it’s their fault. But senior management has reason to believe that if this schedule isn’t met, the product’s revenue will be substantially negatively affected because the marketing window will be missed. And then the shareholders will not be happy (read: heads will roll). Yep, other people just trying to do their jobs.

So the premise in the Nicholson Security article is borne out: people will always be the weakest link in security. I suspect that this sad fact comes from everyone trying to do too much with too little time and resources to do it correctly. Because that’s what it takes to compete in a global economy. We are the other people. You’re the other people too.

If it’s on the web it must be true. Or not.

Just in time for Halloween is this article by Alice LaPlante in InformationWeek, 7 Fantastic Internet Hoaxes. The really scary thing about this list of hoaxes is that I remember almost all of them. You can read Alice’s original article to get the details but a summary list is provided for your convenience.

Test your internet savviness or suckerness (just like in the women’s magazines!). How many do you remember? Variants count.

7. Bigfoot Captured!
Last August a Bigfoot hunting group lit up the Internet with claims it had found the 500-lb. body of Sasquatch in the woods of northern Georgia.

6. Snowball, the Giant Mutant Cat of Ontario
This photo of a man holding a giant (supposedly 87 pounds) cat first appeared on the Internet in April 2000. An e-mail that wove a story around the photo began circulating a year later. The cat’s purported owner, a Roger Degagne, supposedly found Snowball as a kitten near a nuclear power plant in Chalk River, Ontario, Canada — the implication being that toxic waste had caused its grotesque size.

5. The Last Tourist
Within a month of Sept. 11, a photograph began circulating the Internet that supposedly showed a tourist on top of the World Trade Center right before one of the terrorist-piloted planes hit.

4. Good Times Virus
This is just one example of a whole category of hoaxes, known as “virus hoaxes,” which warn about the dangers of a particular piece of malware with the potential to wreak irreparable damage on users’ computers. This particular virus was supposed to be attached to an e-mail message with the subject heading “Good Times,” that if opened, would rewrite the recipient’s hard drive and result in other disastrous scenarios, many of which were technically unfeasible.

3. Bill Gates’ Millions Giveaway
This hoax, which appeared in early 2001, claimed that Bill Gates of Microsoft was conducting a beta test of new software and would send money to all those who forwarded the message to others.

2. Petition to Ban Religious Broadcasting
This, like so many chain-letter hoaxes, has mutated over the years. It started out in 1996 claiming that the atheist Madalyn Murray O’Hair, who brought the lawsuit that led to the Supreme Court decision to ban prayer from public schools, was petitioning the FCC to ban all religious programming. It then spawned other chain letters asserting that atheists were attempting to forbid Christmas music in public places and remove references to God from popular television shows like Touched by an Angel.

1. Save Amanda Bundy
This chain letter has been in circulation since as early as 1997, and falls into a general category of “sympathy” hoaxes. There are a large number of variations of this letter in circulation, and many of them reference a sentimental poem “Slow Dance,” supposedly written by this young girl who is dying of cancer.

So how did you do? Check out your score for fantastic prizes! Okay so there’s no prizes, but check anyway.

If you can recall:

0: Newcomer. I’m surprised that you found your way to this blog post. Let me be the first to welcome you to the internet.

1 – 3: Experienced. Just wait, you’ll get to see them all. Probably before this time next year. This stuff just keeps getting recycled over and over again.

7: Cynical. Clearly you are mistaken since everyone knows that #3 is true. I’m waiting for my money right now.

If you know of any clever hoaxes – or want to start one – feel free to comment here. We’ll see what we can do to get into Snopes without litigation or prosecution.

And if you know Bill Gates – or if you are Bill Gates (hey, it could happen) – could you find out what happened to my money? I forwarded that email to 100 people just like the message said to do. I’ll bet those darn atheists took it to finance their effort to ban religious broadcasting.

Happy Birthday VMS

I just can’t help myself
I’m feeling like I’m going out of my head
Uncanny, strange deja vu
But I don’t mind

“Strange Deja Vu” Dream Theater

Michael Janke at Last In – First Out has this great article entitled “There are some things about computers I really don’t miss…“. It’s a trip down memory lane designed to evoke that “what were we thinking” kind of reaction. Well, it certainly had that effect on me, but it also made me recall some really outstanding engineering that was going on at the same time. Since October 25th marks the birthday of one of those enormously influential, but incredibly underrated, technologies, I decided to write about it here. Now see what you’ve started, Michael.

Way back in 1977 (October 25, 1977 to be exact) Digital Equipment Corporation released V1.0 of Virtual Memory System (VMS). To set the stage consider the following:

The Commodore PET and Apple II have just been released, the Atari 8-bit family won’t debut until 1979 and the IBM Personal Computer (PC) won’t be released until 1981. And Unix is an interesting toy in universities until it is enabled by the VAX11 architecture in 1978 when by that time there will be a whopping 600 machines running Unix in some form.

VMS or VAX11/VMS as it was initially released, was code named “Starlet” as it was the software companion project to the “Star” project, a 32-bit virtual address extension to DEC’s PDP-11 which ultimately culminated in the VAX 11/780. VMS programmers will recognize the STARLET.OLB and STARLET.MLB system libraries. Now you know where the name comes from. Throughout the years the name and platforms supported have evolved from the original VAX11/VMS V1.0 running on VAX 11/780 to OpenVMS V8.3 running on Alpha and Itanium systems. So what, OpenVMS was cool. What is the big deal? Well, it turns out that along the way VMS pioneered these features:

The upshot is that VMS was doing mission critical, highly available and secure computing while Unix was an interesting research topic and Windows NT (which was developed by Dave Cutler a Starlet project alum) was still vaporware. And doesn’t that list above give you some strange deja vu? How about “integrated database features”? Wait – isn’t that like the WinFS feature that was supposed to be in Vista but was shelved until (at least) Windows 7? And I’ve got to tell you that the first time I fired up Windows PowerShell it was definitely deja vu all over again. The irony is that while many nubes are whining that PowerShell is harder to use than a CMD shell, I totally get it. It’s just like a crippled, verbose DCL.

Sure there are some annoying things about VMS. At first. Like automatic file versioning. What VMS programming newbie hasn’t run out of disk space with only two small source files before they realized that the system actually saved every version of those files by default? But what experienced VMS frog stomper hasn’t had their bacon saved by a judicious application of that same versioning feature (you just have to set it up right with DCL)?

And then there are the stories and legends (at least one of which I know to be absolutely true), that go something like this:

Data center is being upgraded. In the course of cleaning up, the IT guys discover an old VAX happily humming away in a closet. Nobody has any idea how long it’s been there or what possible use it could ever have served, since a quick look at the console shows it running something called VMS, which few of the IT guys have even heard of. So they unceremoniously power it down. A short time later the help desk gets panicked calls from payroll: the main payroll system has gone off line for the first time ever.

Note: Blatant fishing for comments will ensue.

If you have any great VMS stories I’d love to hear them. Please comment away. I’d prefer that you have actual first-hand knowledge of the veracity of the tale – but hey, if it’s good enough, what the heck.

So anyway, to get back to the point, a fair portion of our “new and improved” features – particularly security and fault tolerance features – are in reality not so “new” as incremental improvements of, or directly borrowed from earlier systems like VMS. I think it’s a shame that OpenVMS never caught on the way that Unix, and later Linux did. Sure there are some obvious reasons for that, the high end hardware required, and the fact that OpenVMS has always been completely proprietary and very expensive. But you have to admit it’s certainly some excellent engineering.

To end on a high note, OpenVMS is not only still available, but still being actively developed (as far as I know). And you can get a development system to mess around with for a very low cost. Check out the OpenVMS Hobbyist Program.

So Happy 31st birthday VMS! I think I’ll celebrate by trolling the OpenVMS hobbyist site and contacting some of my old buddies in HP in Nashua to see if I can get OpenVMS 8.3 running on my Itanium box.

Security ideas for your mom revisited

Information security for everyone is a big deal with me. I even have a weblog devoted to that very ideal. So Julie Seedorf’s Something About Nothing article, “Be careful of what you store on computers”, definitely resonated with me.

I read an article from PC Magazine recently. It was titled “Day in the Life of A Web 2.0 Hacker.” Because many of my days consist of repairing damage done by viruses and hackers to people’s computers, this article was of interest to me.

I like the Internet. I remember years ago my first experience with the Internet. It was exciting to be able to read Web pages created by people many miles and countries away from my home. It was exciting to be able to connect with new people. The Internet was a new information highway that would revolutionize our life.

There is no question that the Internet has changed the way we receive our news, the way we do business and the way we are in touch with people. However, reading this article confirmed what I have been feeling recently. I am frustrated with the dangers that the Internet has invoked upon our society. I am frustrated with the controls we need on our computer to keep our information safe. I am frustrated by the lack of security enforcement by law officials.

While I completely concur with Julie’s sentiments, isn’t everybody aware of the risks of our Web 2.0 lives? Aren’t there plenty of wise and erudite security experts providing all of the information that everyone needs to know about being secure? And what about all the excellent and ubiquitous security suite software packages available? Surely a tech savvy person like Julie has nothing to be concerned about. And clearly if you are a Republican VP candidate the Feds are quick to enforce even the most trivial security breaches at least as long as the Feds are Republicans. Sorry couldn’t resist.

Unfortunately all of the preceding rhetorical questions are pure irony. Phillip Hallam-Baker’s Web Security Blog article “Zero Overhead Security” sums it up this way.

Folk tell me that if you take 60 confused users, split them into three groups of 20 and show them different security interfaces they are all still confused. Well what did they expect?

A good part of the problem can be laid at our door, fellow security professionals. We can certainly build brilliant complex software and our marketing and sales brethren can sell the heck out of it. But there is something very wrong when at the end of the day someone like Julie is left with this anemic solution.

The new security programs are good. The problem with many of the new programs is that they put blocks and watch everything we do on the computer and sometimes they make it difficult for us to understand how they work. These programs sometimes block sites that we want to use. These programs sometimes warn us more than we want.

Why am I writing this column? There is no fun in this column. I don’t feel funny about the Internet right now. I am here to tell you to put a good security suite on your computer and learn what it does and what you need to do to keep your computer and information safe. Make sure you update your virus signatures, keep your firewall on and be careful what you open.

Be careful of the personal information you share with others. Create strong passwords that contain a mix of numbers and letters and don’t use the same one for all Web sites. Watch what your kids and teenagers are doing on the Web.

All of these precautions may not protect you completely but they will help.

So why do I say this is anemic? Isn’t this exactly what we’ve been telling Julie to do? Hasn’t she hit on every “best practice” point? Enough with the ironic rhetorical questions. How about some concrete ideas that Julie or you can give your mom on security that will make a difference? In three earlier articles here, here and here I attempted to build a framework of ideas that mom should consider when getting a new computer and going online. What’s missing from those articles are specific details. So without further ado:

Security Ideas for Mom – Revisited

  1. Get a good firewall. Most of the popular security suites available will come with a desktop firewall, but not all of these are created equal and some are not even created well. Specifically several of the most popular include predefined exceptions for their “partners”. Now I don’t know about you, but just because someone has finances to partner with a security vendor does not imply that I should trust them. Note to vendors – transitive trust is not a desirable feature of a firewall. What I would suggest here is to think outside the software box a little (I know, heresy for a software geek, but I’m also an EE). Why not buy a hardware firewall? Like the ones that come with decent wireless access points. Even if you aren’t interested in running wireless (yet) and only have a single computer (so far) this is still a great idea, not to mention a bargain. Given that the annual subscription fee for the most popular security suite is $60, you can get a very nice wireless router for that price. And you only have to pay for it once. Furthermore, setting up the firewall, and other features on a consumer NAT router is simple. They really aren’t that smart. Which is a good thing. The only caveats are do not keep any of the defaults (i.e. SSID and passwords) and if you actually use wireless, lock it down to the specific hardware (MAC) addresses of the devices you want to allow on your network and turn off any broadcast or UPNP. Also turn off any remote maintenance. You can also use desktop firewall software along with a hardware firewall and NAT router, if you are paranoid (and you should be). Just be sure and get a good bidirectional firewall that watches outgoing as well as incoming traffic so it can stop spyware and adware that wants to phone home. Once you get your NAT router/firewall system in place, you need to go to Gibson Research web site and run ShieldsUP!. You should be completely stealth. A ghost on the internet. 
In my opinion, a hardware NAT router and firewall, coupled with a bidirectional software firewall, eliminates most of the need for anti-virus software (more heresy, I know). But I like the idea of cutting off the malware at the pass, as it were.
  2. If your computer is portable use full disk encryption. Period. No exceptions. Essentially full disk encryption converts the entire contents of your hard disk to random noise that cannot be deciphered without a key (passphrase or hardware key). There have been rumors over the years of groups like the NSA having the capability to break strong encryption, but trust me, you, me and mom are not worth the effort. The most widely known full disk encryption package is Microsoft Bitlocker, which is available with Vista Ultimate. For most average users, it’s probably not worth the $300 upgrade to Vista Ultimate, but business users who are running Vista Ultimate on their mobile workstations should definitely contact their IT folks and get it set up. Fortunately there are some great (some would argue superior) alternatives to Bitlocker. I use the open source TrueCrypt package, because it runs on all of the platforms I use (Windows, Mac and Linux) and it’s free. The point is that when you lose your portable computer and the disk is encrypted, all that is really lost is the hardware (assuming you have backups), which is far less valuable than your data and personal information.
  3. Get a good password manager. Certainly you can try to create and remember 50 odd strong passwords, but it’s a whole lot easier to create and remember one strong password that can be used to access hundreds of your insanely strong and impossible to remember passwords. I’ve already written an article about this, so you can read all about it. There are some very good password managers, both open source and commercial. An important feature of the password manager you choose should be the ability to set up expirations on your passwords – i.e. something that reminds you to change passwords. For email accounts you should change the password every 6 months and financial services every 3 months. Since with a good password manager this is easy to do, feel free to do it more often.
  4. Get different email addresses for different purposes. When you sign up with your ISP you get an email address that is your primary. If you intend to do Web 2.0 stuff, like say a weblog or social networking like facebook or MySpace, you should get a free online email address from Google (GMail), Yahoo (Yahoo Mail) or Microsoft (Windows Live Hotmail). Use this online account when you register for social networking sites. Then you can have your friends and casual acquaintances contact you via the social network site. Only use your primary email account (the one from your ISP) for banking and other communication where there is a risk of Personally Identifiable Information (PII) leakage. Do not give out your primary email address to anyone but those sensitive accounts. This can be a problem if you’ve already let the horse out of the barn, so to speak. Fortunately you can still get around it by sending out change of email address notices to everyone who has your primary, asking that they use the new email address or contact you through your social network. If they don’t, just ignore them. They’ll figure it out. Or not. If you are involved in a legal or highly sensitive situation where privacy and confidentiality are crucial, then you should check out a secure email service like VaultletSuite 2 Go. This service includes a minimal, but extremely secure, email environment. For everyday use it’s overkill, but if you are sending sensitive messages to your lawyer, it is definitely worth considering.
  5. Use different web browsers for different purposes. Let me be specific here: use Internet Explorer for your banking and financial sites, and no other sites. Use Firefox, Opera, Safari, Chrome or even another copy of IE for your social networking and casual surfing. The reason I recommend IE for banking and insurance sites is that they tend to work best (or only) with IE. Social sites, on the other hand tend to favor Mozilla (Firefox) or Webkit (Safari and Chrome) browsers. Now wait, isn’t it really inconvenient to share bookmarks between browsers? Yes. Exactly. Which is why you don’t want to do that. Your banking browser should only have bookmarks for your banks. Actually sharing bookmarks is not hard and if you really want to share between multiple social browsers, get a del.icio.us account. With your public email from #4.
  6. If you download software get a disposable virtual environment. Downloading anything from the web and installing it on your PC is risky business, even if it is from a reputable site, but it can be catastrophic if your tastes run to the wild side. The problem is that even decent shareware (of which I’m a huge fan) rarely uninstalls cleanly from Windows. And much of the stuff available for free download isn’t decent. In fact a fair portion of it is infected with malware, malicious or just plain bad. What you need is a virtual environment where you can download this stuff, install it and try it out before you commit it to your real environment. This can be done a number of ways. Virtualization software like VMware and Parallels allow you to create virtual machines that are exactly that. If you trash one, you just delete it and move on. The downside, as you can well imagine, is that virtualization software requires a lot of resources (i.e. a very powerful computer) and it’s not trivial. There is another kind of software that you can use to accomplish this: sandbox software. Basically a sandbox sets aside a place on your computer where programs can play nicely, isolated from everything else. Just like naughty children. The best known of these packages is Sandboxie. Using this kind of software, you can run any program “sandboxed”. Then if it blows up, or simply turns out not to be what you wanted, you just clean out the sandbox. If you do happen to decide that you want to keep your changes for real, you can recover everything to your computer. Trust me, this will save your bacon.
  7. Keep your professional and personal stuff separate. By stuff, I mean everything: email accounts, social networking sites, computers and software. Everything. That means, don’t play games or have personal email on your work computer. It also means don’t copy that spreadsheet from work to your home machine. Now hold on, I can see not doing personal stuff on my work PC, but what’s wrong with working on my personal PC? Ask your IT folks which is worse. They’ll tell you most emphatically that taking company data into an unsecured environment is way worse than stealing some CPU cycles, hard disk space and time playing games. Either way it’s bad for you and bad for business. If you really must check your personal email at work, then use one of your web mail accounts (see #4). Also be aware that if you are using your employer’s computer equipment you have no reasonable expectation of privacy. Think about that before you fire off a note to that hottie you met last night. But what about connecting to the office VPN from my home machine? Well okay, but just be aware that if you have a home network where you share stuff like photos, music and files, you could be sharing them with everyone on your company VPN. I’d think about that for a while. Finally, if you work for the government, you may have safeguards and accountability requirements on your email. So don’t be like Sarah. Nuff said.
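Item 3 above says a password manager should remind you to rotate passwords (email every 6 months, financial services every 3 months), and Julie’s column warns against reusing one password across sites. The script below is an added example, not code from this blog or from any password manager product, showing how those two checks can be run over an exported vault: a rotation report with an early-warning window, a reuse check, and a generator for the kind of long random passwords a manager stores for you. The vault entries, site names, passwords, the reference date and the 12-month default interval for uncategorised sites are all constructed assumptions for the example.

```python
"""Rotation and reuse checks over a constructed password-manager export."""
from datetime import date, timedelta
import secrets
import string

# Rotation intervals from the post: email every 6 months, financial every 3.
ROTATION_DAYS = {"email": 182, "financial": 91}
# Assumed default for everything else (this example's choice, not the post's).
DEFAULT_ROTATION_DAYS = 365

# Constructed sample export: placeholder sites and passwords, not real data.
SAMPLE_VAULT = [
    {"site": "mail.example", "category": "email",
     "password": "correct-horse-1", "last_changed": date(2008, 3, 1)},
    {"site": "bank.example", "category": "financial",
     "password": "T7#kq!Lz9$wRp2Vx", "last_changed": date(2008, 9, 15)},
    {"site": "broker.example", "category": "financial",
     "password": "m4%Gd&Qs8*Yh1Nb^", "last_changed": date(2008, 5, 1)},
    {"site": "social.example", "category": "other",
     "password": "correct-horse-1", "last_changed": date(2007, 10, 1)},
    {"site": "shop.example", "category": "other",
     "password": "Zq3@Wf7(Ht5)Kr0+", "last_changed": date(2007, 11, 5)},
]

# Assumed "today" so the report is reproducible offline.
REFERENCE_DATE = date(2008, 10, 27)


def rotation_due(vault, today=REFERENCE_DATE, warn_days=14):
    """Return (site, status, days) for every entry that is overdue for a
    password change or falls due within warn_days, in vault order."""
    report = []
    for entry in vault:
        limit = ROTATION_DAYS.get(entry["category"], DEFAULT_ROTATION_DAYS)
        due_on = entry["last_changed"] + timedelta(days=limit)
        days_left = (due_on - today).days
        if days_left < 0:
            report.append((entry["site"], "overdue", -days_left))
        elif days_left <= warn_days:
            report.append((entry["site"], "due soon", days_left))
    return report


def reused_passwords(vault):
    """Return a set of site tuples that share the same password."""
    sites_by_password = {}
    for entry in vault:
        sites_by_password.setdefault(entry["password"], []).append(entry["site"])
    return {tuple(sorted(sites))
            for sites in sites_by_password.values() if len(sites) > 1}


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Generate a random password from the OS CSPRNG (secrets module) that
    contains at least one lower-case letter, upper-case letter, digit and
    punctuation character. Rejection sampling keeps the distribution uniform
    over the accepted strings."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    for site, status, days in rotation_due(SAMPLE_VAULT):
        print(f"{site:16} {status:9} {days:3} days")
    for sites in reused_passwords(SAMPLE_VAULT):
        print("same password reused on:", ", ".join(sites))
    print("replacement suggestion:", generate_password())
```

Run against the constructed vault, the report flags the email and both stale financial entries as overdue, the one-year-old social site as overdue and the shop account as due within two weeks, and the reuse check pairs the mail and social accounts that share a password. Swap the constructed vault for your manager’s CSV or JSON export and the reference date for `date.today()` to use it for real.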

I’m sure there are other good, and straightforward ideas for securing mom’s computer. I would love to know about them. I would also love to hear about problems with the ideas I’ve put forth here [note - blatant pandering for comments]. Maybe we can make things a bit nicer for Julie and mom. Or convince them that the internet is funny again.

Energizer Bunny OS

The coveted Security for All “Energizer Bunny” award goes to Microsoft Windows XP for its ability to just keep going and going… Yep, the rumors of XP’s impending demise, ostensibly to be replaced by the exciting new Windows Mojave er… Vista, are still somewhat premature. Undoubtedly to Microsoft’s chagrin. Check out this announcement as reported in InfoWorld.

Microsoft will provide hardware partners with media to let their customers downgrade from Windows Vista to Windows XP for six months longer than it originally planned, the company confirmed Friday.

The move comes even as Microsoft has just launched a $300 million marketing and advertising campaign to encourage people to buy Windows Vista. The company is also prepping Windows 7, the next client version of the OS, for release in the next 12 to 18 months.

Microsoft will give OS disks to OEMs and system builders so customers that purchase Windows Vista Ultimate and Business editions can downgrade to XP Professional if they so choose until July 31, 2009, Microsoft said through its public relations firm.

Previously, Microsoft planned to provide the XP recovery disks to partners until Jan. 31, 2009, although there is no deadline for downgrade rights, the company said. If a customer wants to downgrade from Vista to XP after the new deadline, they can contact Microsoft for a disk, the company said.

Competition with oneself issues aside, hats off to Windows XP for winning this prestigious award.

Over the top copyright enforcement insanity

Regular readers of this blog know that as a Software Engineer and music composer I’m all about getting paid for the intellectual property that I create and develop. The mechanism, flawed though it may be, that protects most of the work I do is copyright, which is typically held by my employer. If my company doesn’t get paid for the products I develop, they in turn can’t pay me. So I’m all for copyright enforcement.

I am most assuredly not for the kind of asinine, over-the-top enforcement that is the focus of this article from Make:.

Keene Valley resident Jerilea Zempel was detained at the U.S. border this summer because she had a drawing of a sport-utility vehicle in her sketchbook.

U.S. Customs and Border Protection officers told Zempel they suspected her of copyright infringement.

She was released after more than an hour in custody at the Houlton, Maine, port of entry from New Brunswick, Canada.

Her release came only after she persuaded border guards she was an artist doing a project that involved a crocheted SUV as a statement against America’s dependence on oil and love for big vehicles.

“After going through my (laptop) computer, digital camera, cell phone, business cards, suitcase, reading materials, boxes of yarn and crochet tools, she returned with my sketchbook.

Zempel had drawn an SUV covered by a cozy, with its mirrors marked as “ears.”

“My sketchbook puzzled her,” Zempel said. “It was a cartoon sketch. They couldn’t understand what I was doing. She said, “Just what were you doing in Canada? We think you’re engaged in some kind of copyright infringement.”

Aside from the clear moronic “copyright infringement” excuse, what really chaps my hide is the idea that these brain donors from U.S. Customs and Border Protection were concerned with copyright enforcement in the first place. Such an egregious violation of common sense, not to mention personal liberties, is surely not an actual CBP policy or directive. Is it? So I did a little digging and discovered this information about Intellectual Property Rights on the CBP web site.

CBP protects businesses and consumers every day by combating the trade in counterfeit and pirated goods through an aggressive IPR enforcement program. CBP targets and seizes imports of counterfeit and pirated goods, and enforces exclusion orders on patent-infringing and other IPR violative goods issued by the U.S. International Trade Commission.

So exactly what kinds of “counterfeit and pirated goods” and “patent-infringing and other IPR violative goods” are we talking about here? Well, there’s also this report posted on the CBP web site that details exactly that.

Executive Summary

  • The domestic value of goods seized for intellectual property rights (IPR) violations at the mid-year point of Fiscal Year (FY) 2008 increased by 2.7% to $113.2 million (M) from $110.1M at the mid-year point of FY 2007.
  • The number of IPR seizures decreased by 1%, from 7,245 to 7,166.
  • China was the top trading partner for IPR seizures at mid-year FY 2008 with a domestic value of $96.7M, accounting for 85% of the total value seized. In FY 07, China accounted for 80% of seizure value.
  • Footwear was the top commodity seized at mid-year FY 2008 with a domestic value of $40.3M, which accounted for 36% of the entire value of infringing goods.
  • The categories of Handbags/Wallets/Backpacks, Cigarettes, and Sunglasses had significant increases in domestic value at mid-year FY 2008 over mid-year FY 2007 values.

OK I guess I can see that. It’s the CBP’s job to protect the interest of American businesses. So a drawing of a SUV cozy would fall into the “All Other Commodities” category – which does, in fact, account for 9% ($6,576,378 US) of the commodities seized. Golly, I’m glad we’ve got the CBP watching our (businesses) backs to protect us from dangerous (to our wallets) IPR violators like Ms. Zempel. Are you kidding me? I’m starting to get the sneaking suspicion that this episode is only tangentially, through creative bending of overly broad policy (now where have we seen that before?), related to IPR enforcement. Could it be that CBP can now detain, harass, and otherwise violate the rights of anyone coming into the U.S. based on specious suspicions of “Intellectual Property Rights violations”? I sincerely hope not, but this episode is clearly evidence of exactly that.

I guess my next trip abroad I will have to make certain that I’m not in possession of such heinous “IPR violative” items as a hand sketched SUV cozy. Thanks CBP for your stellar vigilance. NOT.

Even you can be Elvis

Recently I came across this amazing hack in Make:. It shows you how to back up an RFID passport. Actually it goes way beyond that – you can actually alter the information on the RFID chip.

THC/vonJeek proudly presents an ePassport emulator. This emulator applet allows you to create a backup of your own passport chip(s).

The government plans to use ePassports at Immigration and Border Control. The information is electronically read from the Passport and displayed to a Border Control Officer or used by an automated setup. THC has discovered weaknesses in the system to (by)pass the security checks. The detection of fake passport chips does not work. Test setups do not raise alerts when a modified chip is used. This enables an attacker to create a Passport with an altered Picture, Name, DoB, Nationality and other credentials.

The manipulated information is displayed without any alarms going off. The exploitation of this loophole is trivial and can be verified using thc-epassport.

Yikes! You mean to tell me that I could be anyone I want to be on my ePassport? Including Elvis? Cool. Actually totally UNcool. According to the U.S. State Department, the purpose of the RFID chips is as follows.

The U.S. Electronic Passport (e-passport) is the same as a regular passport with the addition of a small contactless integrated circuit (computer chip) embedded in the back cover. The chip securely stores the same data visually displayed on the photo page of the passport, and additionally includes a digital photograph. The inclusion of the digital photograph enables biometric comparison, through the use of facial recognition technology, at international borders. The U.S. e-passport also has a new look, incorporating additional anti-fraud and security features.

So I’m wondering how exactly all this “biometric comparison through the use of facial recognition” and all these “anti-fraud and security features” are supposed to accomplish anything when I can alter the information to be whoever I want to be and the mechanism that is supposed to authenticate and validate those credentials cannot detect the alteration. I guess the bright side is that we only have to pay $25 more than we did before this swell technology was implemented. Given the events of recent weeks that’s a bargain!
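To make the failure mode concrete, here is an added example (not code from this post, from Make:, from THC or from the State Department) that models the two kinds of reader. It follows the passive-authentication layout an ePassport chip actually uses: the data groups (DG1 holds the machine-readable zone text, DG2 the photo) sit next to a Document Security Object (SOD) that carries a hash of each data group and the issuing country’s signature over those hashes. A cloning tool can copy the chip, edit a data group and recompute the hashes so the chip is self-consistent, but it cannot produce a fresh signature without the issuer’s private key. A reader that only checks the chip’s own hashes accepts the forgery; a reader that also verifies the SOD signature against a trusted issuer key rejects it. Ed25519, the function names and the sample MRZ strings are stand-ins chosen for illustration; real passports use X.509 Document Signer certificates and a CMS-signed SOD, but the logic of the check is the same.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SOD models the Document Security Object: one hash per data group plus the
// issuer's signature over the concatenated hash list.
type SOD struct {
	HashDG1   [32]byte
	HashDG2   [32]byte
	Signature []byte
}

// hashList is the exact byte string the issuer signs.
func (s SOD) hashList() []byte {
	return append(append([]byte{}, s.HashDG1[:]...), s.HashDG2[:]...)
}

// Chip models the logical contents of an ePassport chip (simplified to two
// data groups). Assumed layout for illustration, not a real chip image.
type Chip struct {
	DG1 []byte // machine-readable zone text: name, DoB, nationality, ...
	DG2 []byte // encoded facial image
	SOD SOD
}

// Issue personalises a chip: hash each data group and sign the hash list
// with the issuer's (Document Signer) private key.
func Issue(priv ed25519.PrivateKey, dg1, dg2 []byte) Chip {
	sod := SOD{HashDG1: sha256.Sum256(dg1), HashDG2: sha256.Sum256(dg2)}
	sod.Signature = ed25519.Sign(priv, sod.hashList())
	return Chip{DG1: dg1, DG2: dg2, SOD: sod}
}

// CloneAndAlter is what a chip emulator lets an attacker do: copy the chip,
// change a data group and recompute its hash so the chip stays self-consistent.
// Without the issuer's key the old signature is simply carried over.
func CloneAndAlter(c Chip, newDG1 []byte) Chip {
	alt := c
	alt.DG1 = newDG1
	alt.SOD.HashDG1 = sha256.Sum256(newDG1)
	return alt
}

// NaiveReaderAccepts checks only that each data group matches the hash the
// chip itself presents. That proves nothing about who wrote the chip.
func NaiveReaderAccepts(c Chip) bool {
	return sha256.Sum256(c.DG1) == c.SOD.HashDG1 &&
		sha256.Sum256(c.DG2) == c.SOD.HashDG2
}

// VerifyingReaderAccepts performs passive authentication: the same hash check,
// plus verification of the SOD signature against an issuer key the reader trusts.
func VerifyingReaderAccepts(c Chip, issuerPub ed25519.PublicKey) bool {
	if !NaiveReaderAccepts(c) {
		return false
	}
	return ed25519.Verify(issuerPub, c.SOD.hashList(), c.SOD.Signature)
}

// Demo runs the scenario end to end and returns
// (naive reader accepts forgery, verifying reader accepts genuine, verifying reader accepts forgery).
func Demo() (bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data, not taken from any real document.
	genuine := Issue(priv,
		[]byte("P<USADOE<<JANE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"),
		[]byte("jpeg-bytes-of-jane"))
	forged := CloneAndAlter(genuine,
		[]byte("P<USAPRESLEY<<ELVIS<<<<<<<<<<<<<<<<<<<<<<<<"))
	return NaiveReaderAccepts(forged),
		VerifyingReaderAccepts(genuine, pub),
		VerifyingReaderAccepts(forged, pub)
}

func main() {
	naiveForged, verGenuine, verForged := Demo()
	fmt.Printf("naive reader accepts forged chip:      %v\n", naiveForged)
	fmt.Printf("verifying reader accepts genuine chip: %v\n", verGenuine)
	fmt.Printf("verifying reader accepts forged chip:  %v\n", verForged)
}
```

The point the model makes is that the chip is not the trust anchor; the issuer’s signature is. A test setup that reads the data groups and displays them, as THC describes, behaves like NaiveReaderAccepts and will happily show Elvis. The fix is entirely on the reader side: ship the issuer certificates and refuse any chip whose SOD signature does not verify.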

So I guess that I’ll just give the ePassport the consideration it deserves when someone suggests using it as a secure credential. Unless it’s Elvis – and then I’ll definitely ask for help with a cool weekend project I read about in Make:.

The dark side of post startup innovation

Todd at the Napera blog has two great articles here and here about how most of the innovation in network security comes from startups.

Breakthrough products like security appliances and virtualization were not pioneered by established industry behemoths, but originated with smaller companies willing to pioneer new product ideas and disrupt the status quo.

Startups are clearly much more agile than “established industry behemoths” and most of their mid sized brethren. The passion, drive and commitment of the small team offsets the capital, expertise and experience of the larger, older outfits.

startups spend an order of magnitude more time talking to customers and thinking about the challenges customers face. Ideally, interacting with and thinking about customers should happen at every level of a company. To add to that focus, a product team in a startup has a lot more autonomy in making product decisions.

Having worked across the entire spectrum in my career as a software engineer – from a small “mom and pop” DoD contractor (literally: Mom was the Controller and Pop was the CTO) all the way to a Fortune 50 computer manufacturer (truly one of those “established industry behemoths”) – I have definitely seen this in action. In a small startup everyone is intimately familiar with the customers, whereas large corporations have to make concerted efforts to allow a design engineer to even have marginal contact with a customer – and that’s usually second hand through either a sales or marketing initiative.

So being a startup is swell and you can innovate the pants off the big boys. The force is strong with startups. But there is a dark side. You didn’t really expect anything else now did you?

The conundrum faced by all startups (at least those that don’t get snatched up immediately after their initial product release by one of those big fish) is how to get new customers and still keep existing customers happy by providing a stable, value-added upgrade path. It’s really hard to innovate your way out of this one. But you have to in order to make that next step from being a startup to being an established concern that is in it for the long haul. From some things I’ve witnessed on the engineering side, where this innovation actually happens, I present this cautionary tale.

Startup creates first product – brilliant idea, incredibly fast time to market. The chief engineer is now the CTO, but spends a fair amount of time addressing customer concerns (i.e. putting out fires). As a result the CTO is well loved and well rewarded by customers and executive staff alike. So now it’s time for the next big release of the product. The CTO has very precise ideas about what new features are important and what failings must be addressed. In fact the CTO knows that the largest customer is poised for a huge purchase when that killer feature is added. Unfortunately the CTO is way too busy and valuable an asset to the business to focus on the mundane tasks of development any longer so developers are hired to get the next version and next product out to the breathlessly waiting customers and potential customers.

So let’s pause here and take stock of the new developers’ situation. They have to update an existing code base which has been field patched (remember those firefighting drills) with a technical lead (our CTO) who doesn’t have time to spend mentoring anyone. And they have to do it quickly. The CEO recalls that the first release came after 6 months and the following 2 releases came on 3 month cycles. Now granted, the CEO knows that the now-CTO is a bona fide savant, a true code ninja, but surely these new mere mortal programmers can get the next rev out in 6 months. 9 months tops. Besides, they’ve promised customers and there are some big deals riding on this next release. So the show must go on.

Fast forward 9 months and the vaunted next release is dangerously close to slipping the release date. The executive staff is not too worried as they recall the 160 hour weeks that the now-CTO put in to get the product out. So the pep-talks begin to motivate the new programmers to “take one for the team” and get this release done on time no matter what.

We’ll stop this tale here. The aforementioned allegorical startup can still make a happy ending, but not without recognizing the realities of the dark side.

  1. Brilliant innovative engineers are rare. The dark side of being brilliant is that they rarely value mundane necessities like documentation. They know the code inside and out, so from their point of view it’s self-documenting.
  2. Competent engineers are not so rare. They are also not so expensive. Or fast. They need mundane stuff like documentation to accomplish their job.
  3. The ramp up time it takes to come up to speed on a new product such that you can enhance and maintain it always takes at least twice as many engineering hours as it took to develop it in the first place. Don’t believe me? No problem, you can find out on your own.
  4. All engineers come to the realization (usually sooner rather than later) that firefighters get rewarded. So they look for fires to put out rather than doing the critical but boring and largely unnoticed jobs like configuration management or refactoring for maintainability.
  5. Executive management is always willing to oblige firefighters. They like it when the customer’s problem is solved quickly. That’s in the job description.
  6. The original founding members of the startup usually have an equity position in the company. So they know that at least the potential is there to be very well rewarded if the company is successful. So they are willing to work insane hours and make huge sacrifices for the company because of the potential rewards. Later members are employees or contractors with no real equity stake in the company. When they work insane hours and make huge sacrifices they get to keep their jobs. And have a party. Until they burn out.
  7. Customers who have your product expect to get new features before they are willing to pony up for the next version. They also expect a smooth and painless upgrade path – even when they decide to skip 3 or 4 releases. This is probably the most difficult part of software development. And one that most of us don’t consider until it steps up to brazenly bite our backsides.
  8. Customers really want the features they want. For them. Not for the entire customer base or potential markets. For them. And they are happy to drive your product strategy – where they want it to go.

Can a startup successfully address these dark side issues? Absolutely. To be successful you have to. Will you fall victim to most of these at least once? Of course. I’ve never heard of any company that survived the transition to post-startup unscathed. But the one edge that a startup can never afford to relinquish is that customer focus that Todd describes in his articles.

May the force be with you.

Eating your own dog food

Photo from AP Photo by BERNAT ARMANGUE

Every so often you see something that is just so elegant and ironic that, well, you’ve just got to pause and admire it. Pete Finnigan has an article on Full Disclosure about an Oracle password cracker he has written completely in PL/SQL. That’s right – in PL/SQL.

I often suggest to people to download binary based crackers but there is often a reticence to do this. Hence I decided to create a PL/SQL based one. This way there is no excuse, it’s a SQL script that can be run in SQL*Plus and also it’s going to find the core issues anyway before you need a faster cracker.

You can download Pete’s tool here.

Talk about eating your own dog food. Or picking your own poison. Great idea. Get it. Use it.