Archive for July, 2005

Quis custodiet ipsos custodes?

Friday, July 29th, 2005

Juvenal is credited with asking the question (“Who will watch the watchers?” for those of you who didn’t know or couldn’t be bothered to Google for it) over 2,000 years ago.

Today at the Los Angeles Police Department, the answer is a $35,000,000 data mining system from Sierra Systems Group and BearingPoint. Wired has the details:

This month, the agency began using a $35 million computer system that tracks complaints and other telling data about officers — then alerts top supervisors to possible signs of misconduct.

The system is central to a federal oversight program ordered by the U.S. Justice Department after a wave of abuse allegations in the 1990s cast doubt on the LAPD’s ability — and willingness — to police itself.

“There definitely needs to be computerized management” of officers, said Andre Birotte, the LAPD’s inspector general. “There have been concerns with all the scandals that have gone on within the department.”

Community leaders hope the tracking system can help restore public confidence shaken by high-profile shootings and scandals involving the LAPD.

Basically, the system looks for anomalies against an officer’s peers and flags them for some sort of intervention.

In the past, much of that data existed only on paper spread across various bureaus. That made it difficult to compile detailed performance profiles of officers and spot potential abusers.

Now, anyone whose conduct differs sharply from their peers’ automatically gets flagged. That could mean a vice detective who fires significantly more shots than other investigators or anti-gang cops with a high number of excessive force complaints.

Safeguards have been built in to catch abuse that might be widespread within certain peer groups.

If the system pinpoints unusual conduct, it triggers an electronic message to direct supervisors, who must take a second look. The notices also travel up the command chain to a deputy chief as an extra level of oversight. Managers can access the system anywhere in the department through an internal website.

Other troubled police departments, including New Orleans and Miami-Dade County, have turned to such tracking systems. New Orleans recorded a drop in citizen complaints, and Miami-Dade saw a decrease in use of force reports in the first years after systems were implemented, according to a 2001 study by the Justice Department.

LAPD justifies the expected success by pointing to the fact that officer abuse went down when a similar system was implemented in New Orleans. Personally, I don’t think the logic holds up. If the computer’s detective controls were the reason abuse went down, then there should have been a corresponding rise in the number of disciplinary actions in those departments.

Given that there does not seem to have been an increase in discipline, it would appear that the decrease was due to one of two factors:
1) The presence of some sort of Big Brother monitoring solution produced a “chilling effect” with regards to officer misbehavior. If “bad” officers now believed they would get caught, they self-limited their abusive practices.
2) Some other change was made which reduced the officers’ abuse (and corresponding complaint) rates.

A little bit more searching finds that #2 seems to be the big winner. Apparently, New Orleans did a lot more than just install a very expensive technological Big Brother. They created a training program for complaint-prone officers:

An early warning system to detect officers with repeated complaints, called the Professional Performance Enhancement Program (PPEP), was initiated in mid-1995. Major Loicano of PID considers the PPEP the division’s “best success story.” Officers selected for the program are picked by collecting information about complaints filed against them, use of force and shooting incidents, and other relevant information that may show that the officer requires additional training, supervision, or counseling. The PID selects groups of officers once or twice a year, and the officers’ commanders receive a report from PID about the officers picked. The commander is allowed two weeks to agree to placing the officer in the six-month PPEP program or objecting to the officer’s inclusion.

According to Loicano, the first group of twenty-five officers selected for the PPEP program were collectively the subject of ninety-seven complaints during a twelve-month period ending in mid-1995. During the two years following their participation in the PPEP monitoring program (during which two of the officers were dismissed and one retired), the twenty-two remaining officers received thirty-seven complaints. The subsequent groups of officers placed in the program have shown similar reductions in complaints according to Loicano.

So a program of counseling and conflict resolution training produced a reduction in complaints against 25 problem officers from 97 per year to ~20 per year: an 80% reduction!

The computer may or may not have been involved in funneling officers into the counseling program, but to claim that IT alone is going to solve officer abuse is just flat-out wrong.
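As an added illustration (not code from the LAPD system or its vendors), here is how the peer-comparison flagging and the “widespread within a peer group” safeguard quoted above could work; officer names, unit names and complaint counts are constructed.

```python
"""Peer-comparison early-warning logic of the kind the article describes.
Added illustration, not the LAPD's system; all officers and counts below are
constructed sample data."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed sample: excessive-force complaints per officer over one period.
OFFICERS = [
    ("V1", "vice", 1), ("V2", "vice", 0), ("V3", "vice", 2),
    ("V4", "vice", 1), ("V5", "vice", 9),
    ("G1", "gang", 6), ("G2", "gang", 7), ("G3", "gang", 6),
    ("G4", "gang", 7), ("G5", "gang", 6),
    ("P1", "patrol", 0), ("P2", "patrol", 1), ("P3", "patrol", 0),
    ("P4", "patrol", 2), ("P5", "patrol", 0), ("P6", "patrol", 1),
]

def by_unit(records):
    groups = defaultdict(list)
    for name, unit, count in records:
        groups[unit].append((name, count))
    return groups

def flag_individuals(records, z_threshold=2.0, min_count=3):
    """Flag an officer whose count sits more than z_threshold standard
    deviations above the rest of their own peer group (leave-one-out, so the
    outlier does not inflate the baseline it is compared against). min_count
    stops one extra complaint in a quiet unit from raising an alert."""
    flagged = []
    for unit, members in by_unit(records).items():
        for name, count in members:
            others = [c for n, c in members if n != name]
            if len(others) < 3 or count < min_count:
                continue
            mu, sigma = mean(others), pstdev(others)
            if sigma == 0:
                if count > mu:          # peers identical, this one higher
                    flagged.append((name, unit, float("inf")))
                continue
            z = (count - mu) / sigma
            if z > z_threshold:
                flagged.append((name, unit, round(z, 2)))
    return flagged

def flag_units(records, ratio=2.0, min_count=3):
    """Safeguard for abuse that is widespread within a peer group: comparing
    members to each other never flags a unit that is uniformly high, so
    compare each unit's median against the department-wide median instead."""
    dept_median = median(c for _, _, c in records)
    flagged = []
    for unit, members in by_unit(records).items():
        unit_median = median(c for _, c in members)
        if unit_median >= min_count and unit_median > ratio * dept_median:
            flagged.append((unit, unit_median, dept_median))
    return flagged

def build_alerts(records):
    """Route each flag to the direct supervisor and up to the deputy chief."""
    alerts = []
    for name, unit, z in flag_individuals(records):
        alerts.append({"subject": name, "reason": f"z={z} vs peers",
                       "notify": [f"{unit} supervisor", "deputy chief"]})
    for unit, um, dm in flag_units(records):
        alerts.append({"subject": unit,
                       "reason": f"unit median {um} vs department median {dm}",
                       "notify": [f"{unit} supervisor", "deputy chief"]})
    return alerts

if __name__ == "__main__":
    for alert in build_alerts(OFFICERS):
        print(alert)
```

In the constructed data the vice outlier is caught by peer comparison, while nobody in the uniformly high gang unit is; only the unit-level check surfaces that group.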

Just shoot me

Thursday, July 28th, 2005

A couple of guys over at NetworkWorld pondered the question of How much encryption is ‘enough’ for VoIP? back in June:

“In fact, we’ll argue here that if anything, there is too much encryption of VoIP traffic. Why? It’s easy to encrypt IP traffic using techniques like IPSec and SSL, so any IP-based traffic - like VoIP - can be encrypted with minimal effort. In fact, many free or almost-free VoIP applications even encrypt traffic by default. Our concern here is that this readily available encryption makes lawful and appropriate monitoring of traffic for national security and law enforcement much more difficult than it should be.”

(emphasis mine)

That’s the same thing as saying, “We shouldn’t wear bulletproof vests in case the police decide they need to shoot us.”

Their core argument is, basically, that you never had crypto before, therefore you must not need it now, especially since it might be inconvenient to anyone who actually wanted to eavesdrop on your calls. Umm… Earth to NetworkWorld… that’s the whole point of encrypting: if they have to eavesdrop rather than just being able to ask me about it, then I don’t want them to know! And the risk of Bad Things happening to me or my Right to Privacy due to abusive use of eavesdropping far outweighs any potential, amorphous benefit that Law Enforcement will potentially gain by being able to easily spy on my voice traffic.

In a corporate setting, to deliberately avoid a safeguard, especially if it’s on-by-default (as is the case with many consumer VoIP implementations), on the off chance that someone might “need” to intercept (attack) your voice traffic is absurd.

To make matters worse, if your employer suffered any sort of significant incident after explicitly disabling a safeguard, you’re looking at a world of hurt which will probably start with unemployment and could possibly go as far as a civil negligence case if the company winds up in the press and feels the need to “look tough.”

While I wouldn’t go so far as to call the PSTN a well-manicured neighborhood, I still prefer Phil Zimmermann’s (creator of PGP) assessment of the situation in a recent Wired article about his new encrypted VoIP start-up:

“The PSTN is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum,” Zimmermann said. “To move all of our phone calls from the PSTN to the internet seems foolish without protecting it.”

I tend to agree with the person who wrote in to NetworkWorld (no link, unfortunately) about the original article and said:

“My view is that VoIP is in fact ‘inherently unsecure’ because so many people have access to the LAN infrastructure before it goes across the WAN.”

My approach to VoIP security has been to start from a similar assumption. It is inevitable that some risks must be accepted in the course of a deployment. What I’ve done, though, is look at the currently-understood threats within the context of our environment and provide recommendations to mitigate the risks which are either cheaply and easily mitigated (like encrypting calls for certain key staff members) or which are significant, like the loss or unavailability of some or all of the VoIP infrastructure.

Network integrity and Layer 2 security top my list as being essential to ensuring Availability and QoS as well as reducing the risk of eavesdropping. I’m much more concerned about someone or something, either accidentally or deliberately, taking down the VoIP infrastructure with a worm, an exploit, or a poorly-implemented third-party tool or device than anything else. If we can secure the integrity of the switch fabric, the nature of switched Ethernet will mitigate against many of the currently-identified network attack vectors as well as many other yet-unknown threats.

In certain situations, however, where privileged conversations may reasonably take place with some frequency, such as between senior staff, Legal or HR, enabling call encryption seems a reasonable precaution, given that most of these people will probably already have the capable hardware (nicer handsets which coincidentally also have the CPU power to do encryption). It simply becomes a matter of enabling it in those cases and accounting for the incremental memory and CPU increases on the VoIP servers.

This approach gives us redundant security in the places where a breach would have the greatest impact, provides some degree of future-proofing against vulnerabilities we are not currently aware of, and costs very little to implement.

A note: There’s a lot more to securing VoIP than just what I’ve listed here, but there are plenty of places you can look for more information.

Adjusting to shifts in the Risk landscape

Wednesday, July 27th, 2005

Over at the Internet Storm Center, Kyle Haugsness is the Handler-du-jour and he has some good advice for people attending Def-Con:

My first suggestion: if you absolutely don’t need to connect, then don’t take the risk. Just keep your laptop in your hotel room for emergencies and you won’t have to deal with the inevitable frustration of the wireless network going down. Yes, you may have some envy as you see everyone else geeking out in the hallways. But you will have the added advantage of being unencumbered as you head to the bar/pool/casino tables later.

This assumes that you have a way of ensuring the physical security of your laptop/data when it’s protected by nothing more than an electronic hotel room lock. So plan on mitigating the Second-Order risk that just bringing your laptop to a place like Def-Con creates.

Most laptops these days make it pretty easy to remove the hard drive. Bring along a protective sleeve for it and take it with you. That way, even if someone does break into your room, the best they’re going to get is an easily-replaced piece of commodity hardware. If you’re really worried about your data, install full disk encryption software. That way, even if something happens to the drive itself, all they’ve obtained from a data perspective is a paperweight.

Assuming that you feel confident that you can adequately manage the risks associated with bringing a laptop to the conference, there is another key point to keep in mind: You’re not in Kansas any more.

Finally, try to recall all of the attacks you have seen in the last year and dismissed because the attacker needed to be local to your network. Then realize that you are about to connect to that network.

Connecting to the network at DefCon is one of the riskier things a person can do with a computer. You are pretty much guaranteed that you’re going to be interacting, whether you want to or not, with a wide mix of personalities, pretty much all of them well versed in the art of making computers behave in manners the owners and designers never intended.

Keep that in mind and make sure that when you accept that risk, it’s for a good reason.

Wednesday, July 27th, 2005

Over at Educated Guesswork, EKR has a nice analysis of the potential effectiveness of random bag searches on the subway:

If searches are conducted randomly, then on average each additional officer devoted to searching will increase the chance of detecting a terrorist by 480/5 million, or about 10^-4.

Of course, this depends on some pretty charitable assumptions, namely:

1. The rate of attempted attacks will be substantially higher
2. People don’t blow themselves up when detected.
3. That people who are detected don’t just come back later and try again.
4. That you can do a reasonable search in a minute. The TSA secondary screenings I’ve been on seem to take more like five.
5. That the terrorists won’t shift to some new target. Railway stations are good, but so are airports (outside the security perimeter), shopping malls, etc.

I’m not sure I believe any of these.

Me neither.

More likely the attackers will deliberately target the queued up lines of people, which would seem a logical response and a nice judo move on the attackers’ part. By making the countermeasure the target, it will make everyone in the line at least as jumpy, nervous and generally suspicious-looking as the average “hinky” acting terrorist.

Understanding the Risk of Terrorism

Tuesday, July 26th, 2005

In comments on my thoughts regarding Risk and Terrorism, IanG said that, “Your list of tactics lacks one: to Understand the Risk.”

This started as just a comment, but then took on a life of its own. That happens to me a lot…

Unfortunately, I think that the real issue here is the gap between reality and what too many people think is The Risk: The likelihood that people will blow things up on trains and buses, crash airplanes into buildings and eventually figure out how to either blow up an LNG terminal or set off a nuclear weapon in a Major Metropolitan Area is currently at or approaching one.

In general, though, given the number of people who die annually due to terrorism compared to cigarette smoking or travelling by automobile in the US and Western Europe, we are dramatically overreacting to the real scope of the problem. It’s like my favorite Schneier quote says, “You are more likely to be eaten by a pig than by a shark, but how much thought have you ever given to avoiding being eaten by a pig?”

Thus, it’s not so much that we don’t Understand the Risk as that it’s not suitably satisfying to the Fox News-fed masses who think that this problem should be no more complex than a First-, Second-, or Third-Generation war where Might Makes Right and the only things blowing up are Their tanks when being shot at by Our tanks (and helicopters, and airplanes, and artillery, etc.). This is probably because everyone agrees that in a conflict between State Actors, the United States Military would pretty much dominate everyone except Mainland China. Unfortunately, to steal a line from someone who’s Part of the Problem, You go to war against the enemy you have, not the enemy you want.

Which brings us back to where this whole discussion started. What we don’t understand is what to do from here. I include the current administration, their political base, the anti-war movement and myself in this list. I think that the questions that haven’t yet been asked, in part because they’re too scary and in part because it’s too easy to attack anyone who’s this honest about it, are: Is it even possible at this point to de-escalate the current situation in Iraq? What strategy has the best chance of de-escalating the current high level of global violence the US has fuelled by invading Iraq?

I don’t think that most of us have a clue because we’re outsiders looking in. Anyone who has the cultural background which might allow them to Have a Clue on the subject is automatically disqualified by the current US regime under the assumption that they’re One of Them. Well, duh. That’s why their opinion might matter.

While I agree that de-escalation back to the realm of propaganda and rhetoric is really the only way to “win” a Fourth Generation War, what the US has done at this point is play completely into the hands of the non-state actors and do our best to live up to the low expectations of the most fiery rhetoric regarding US dreams of dominating or destroying the Arab/Islamic World.

What we do know, though, is that the key to winning a conflict against Non-State Actors and other extra-legal entities is de-escalation and conflict avoidance. Less fancily put, to figure out how to make people not hate strongly enough to take up arms. The timeline for getting to that point is indeterminate but can be summed up as, Before “The Terrorists” either get their hands on a working nuclear weapon or put “liquid natural gas terminal” into maps.google.com and take a little road trip.

Quagmire

Monday, July 25th, 2005

This picture is, in and of itself, pretty funny, so long as you’re either
1) Not one of those guys standing by the tree trying to figure out what to do about it; or
2) One of the guys standing by the tree re-telling the story in a bar at any point afterwards.

But then I noticed the name of the tank…

You can’t make this stuff up.

If they felt any better, they’d be dead

Wednesday, July 20th, 2005

As Mish points out, some analysts think that laying off 14,500 people is A Real Morale Booster:

“They’ve gotten themselves in fighting shape here,” said Caris & Co. analyst Mark Stahlman, adding that it dispels uncertainty, which had been frustrating for some in HP’s engineering culture. “I think this is going to give a big boost to morale internally,” he said.

Yeah, nothing dispels uncertainty like a bullet to the head, either, but

Of course, Mish follows with some more relevant thoughts, including this:

Enquiring minds might be asking some of the following questions:

1. When was the last time firing 14,500 people boosted morale?
2. Would firing 20,000 have boosted morale even more?
3. Is there a “Laffer Curve” on firing people to boost morale?

Excuse me for a moment, but I feel a rant coming on…yup…there it goes.

Unfortunately, I’ve had more experience with the morale boosting effects of layoffs than I’d really care to, and while I’ve only been on the receiving end once (My boss had to end my laying off before we were “finished” because it had run into his time to go get laid off and we were all supposed to be On A Schedule), I’ve had to both do the hatchet work and preside over trying to secure all the physical and intellectual property during and after the festivities. Nothing about it boosted morale. Nothing. Let me say that one more time in case I was unclear: Nothing.

In fact, I can’t think of much worse that I’ve had to do in my career than having to be the corporate Grim Reaper, descending on people’s cubes to ferry them to HR’s Land of the Dead. I used to come home after those sorts of days physically and emotionally wrecked, usually not knowing if my name was on some list I just hadn’t seen yet and they were just waiting for me to finish sweeping out all of the lesser staff before they did me.

For months and even years after the fact, people were jumpy, paranoid and defensive. All the really good employees decided that the best way to avoid the risk of a layoff was to proactively go on a job hunt and succeed. Most of the rest would at least try, meaning that by the time layoffs were finished, most of the really bad ones were gone but pretty much everyone you wanted to keep had probably left of their own accord.

About the only reason that this might not happen to HP is that so many professionals are already out of work that without a direct personal point-of-contact, it’s hard to even get an interview, much less actually find a job. Which means that job searching needs to be a full-time endeavor. Which means that no one at HP is going to be keeping the lights on. Think about that, then tell me how much those R&D workers are going to get done with no one thinking about setting up, paying for or administering their offices and computers.

If Mark Stahlman actually believes what he said, then he’s so far out of touch with reality that he probably shouldn’t be allowed to analyze what color socks to put on in the morning, much less be paid for his analysis.

Thank you. I feel better now.

Skimming Illustrated

Tuesday, July 19th, 2005

Courtesy of verparacreer.net:

Much has been made of ATM Skimming, but this is a nice picture of what the devices actually look like.

You know a crime is becoming mainstream when it shows up somewhere like Boise, Idaho. Of course, in Boise, the skimmers are even smaller:

Also interesting is the quote from the Boise Police:

“It was actually just stuck to the ATM machine with double sided tape, so it wasn’t high tech as you can see,” said detective Wade Spain, Boise Police.

I’m lucky that I haven’t had to use an ATM that wasn’t visually familiar and situated inside a secure area in months. It requires careful planning and some increased assumption of risk related to carrying more cash than I otherwise might, but the risk of losing my wallet or getting mugged for a couple hundred US Dollars instead of $50 (which is fixed, regardless of how much cash I’m actually carrying) is worth assuming to me personally compared to the pain and stress of having my bank account cleared out.

Getting started protecting PII, Part 1

Wednesday, July 13th, 2005

Privacy has taken on new importance here of late. I mean “here” both in terms of at work and in my personal life. Yesterday, I got a letter from my bank to let me know that my credit card was one of the 41 million card details stolen from CardSystems, Inc.

Around the office, recent events have also brought identifying and securing Personally Identifying Information (PII) back into the spotlight, which is good for obvious reasons, but also bad because it really makes you realize how much work it is to securely keep and handle PII.

So here’s how we’re going about it. This is far from a comprehensive discussion of how to go about performing each step, but for anyone who’s suddenly finding themselves being asked what they’re doing to make sure that a privacy breach doesn’t happen on their watch, this might help organize their thinking.

I’m going to ignore the issue of how broad this effort should be. Basically, assume that whoever gives the mandate can only ensure compliance from people in their management chain. If it’s a department head, then just focus on the department. If it’s supposed to be for the whole company, then it probably needs to come with a public declaration directly from the CEO or her designate on the matter.

So whatever the scope, here’s how I’m going about it where I work. I’m breaking this up into four parts. Today is Part 1. Right now, I expect the full series will comprise:

  1. Define the PII Perimeter
  2. Tighten The PII Perimeter
  3. Encrypt PII at-rest
  4. Encrypt PII in-transit

So without further ado…

1) Define the PII Perimeter
Things that aren’t known about can’t be protected. When we start looking for PII, we’re often horrified by how much of it there is and how indiscriminately it’s transferred and stored.

The other reason to define the perimeter is that if we need to conduct this exercise at all, our normal level of data protection is probably not adequate for protecting PII. This means tighter controls, which means increased costs, directly for security technology like PGP or full-disk encryption software.

Don’t be scared off at this point. Too many people still equate Ignoring Risk with Avoiding Risk. In reality, Ignoring Risk equates to Accepting Risk, only without checking if it’s a good idea first.

So where to begin? If there’s an inventory of applications, this can provide a good starting point for tracking down official PII stores. To really track down all the high-risk PII stores, however, we have to leave IT and go talk to the Functional side. That’s where the people who use the PII live. They’re also the ones who are performing the activities that create unofficial PII stores.

Think the company email server isn’t a PII store? Think again. People email the stuff around all the time, and when they do, it winds up in server-side message stores and on backup tapes.

Think that laptops and workstations aren’t storing PII? People save those emails in client-side archive files, unzip Excel sheets of employee salary data into temp directories to read the attachment, or save a local copy “so it doesn’t get lost.”

Next, we’ve got to figure out where this stuff is used and where it’s shared. That means it’s time to find the data feeds. Track down processes which involve PII. If it’s in a database, it had to get there from somewhere. Find the flatfile, replication process, EAI link, or whatever other mechanism populates that data. Now go to that system and repeat the process.

We repeat this process until we encounter a link that extends beyond our Mandate. This might be another department internally, or it might be a third party to whom we outsource some business function involving PII. Either way, we’ll mark this as an External Interface, define exactly what PII we’re exchanging with this party, and go on.

Eventually, we’ll find all the official and unofficial PII data stores that are within our mandate. It’s probably going to be a list of servers, workstations, laptops, tape libraries, storerooms, floppy disks, USB thumb drives, CD-ROMs, and who knows what else.

Additionally, a second list should identify the organizations and processes which handle PII: Payroll (everything), Human Resources (everything again), Accounts Payable (T&E Payment distribution), Internal Audit (Payroll work papers, HR work papers), etc.

Finally, there will be that list of External Interfaces: Payroll data to ADP. SSNs and more to Fidelity for 401k. Customer warranty data to Marketing (assuming that the Privacy Policy allows it).
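Here’s an added sketch (not a tool from this post) of the feed-tracing walk above: start from the stores you already know about, follow every feed in and out, stop at the first hop outside the mandate and record it as an External Interface. The systems, owners, feeds and field names are all constructed.

```python
"""Trace PII feeds outward from known stores until the mandate boundary.
Added illustration of the walk described in the post, not a tool from it;
every system, owner, feed and field below is constructed sample data."""
from collections import deque

# Constructed inventory. in_mandate=False marks anything whoever gave the
# mandate cannot compel: another department or a third party.
SYSTEMS = {
    "hr_db":         {"owner": "Human Resources",  "in_mandate": True},
    "payroll_db":    {"owner": "Payroll",          "in_mandate": True},
    "ap_system":     {"owner": "Accounts Payable", "in_mandate": True},
    "mail_server":   {"owner": "IT",               "in_mandate": True},
    "audit_share":   {"owner": "Internal Audit",   "in_mandate": True},
    "warranty_db":   {"owner": "Customer Service", "in_mandate": True},
    "adp_sftp":      {"owner": "ADP",              "in_mandate": False},
    "fidelity_link": {"owner": "Fidelity",         "in_mandate": False},
    "marketing_crm": {"owner": "Marketing",        "in_mandate": False},
}

# Constructed feeds: (source, target, mechanism, PII fields carried).
FEEDS = [
    ("hr_db", "payroll_db", "nightly flat file", {"name", "ssn", "salary"}),
    ("ap_system", "payroll_db", "T&E reimbursement import", {"name", "bank_account"}),
    ("payroll_db", "adp_sftp", "SFTP batch", {"name", "ssn", "salary", "bank_account"}),
    ("payroll_db", "fidelity_link", "EAI link", {"name", "ssn", "401k_contribution"}),
    ("payroll_db", "mail_server", "Excel work papers emailed", {"name", "salary"}),
    ("mail_server", "audit_share", "attachments saved locally", {"name", "salary"}),
    ("warranty_db", "marketing_crm", "weekly extract", {"name", "email", "address"}),
]

def trace_perimeter(seeds, systems=SYSTEMS, feeds=FEEDS):
    """Breadth-first walk over feeds in both directions from the seed stores.
    Returns (stores, handlers, external_interfaces): stores and handling
    organizations inside the mandate, plus each boundary crossing with the
    party, direction, mechanism and exact fields exchanged."""
    stores, handlers, external = set(), set(), []
    queue, seen = deque(seeds), set()
    while queue:
        system = queue.popleft()
        if system in seen:
            continue
        seen.add(system)
        stores.add(system)
        handlers.add(systems[system]["owner"])
        for src, dst, mechanism, fields in feeds:
            if system not in (src, dst):
                continue
            other = dst if src == system else src
            if systems[other]["in_mandate"]:
                queue.append(other)          # inside the mandate: keep walking
            else:                            # first hop outside: record, stop
                external.append({
                    "party": systems[other]["owner"],
                    "direction": "outbound" if src == system else "inbound",
                    "from": system, "via": mechanism, "fields": sorted(fields),
                })
    return sorted(stores), sorted(handlers), external

if __name__ == "__main__":
    stores, handlers, external = trace_perimeter(["payroll_db", "warranty_db"])
    print("PII stores:", stores)
    print("Handlers:", handlers)
    for iface in external:
        print("External Interface:", iface)
```

Note that the mail server and the audit share, neither of which is in the application inventory, are picked up only because the walk follows the feeds rather than the inventory.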

Tired yet? Well the fun is just beginning.

In part 2, I’ll discuss Tightening The PII Perimeter. We’ll explore some strategies for avoiding the risk of an incident and reducing the work (and cost) associated with protecting PII by minimizing the amount that’s kept around. But that’s another post for another day.

They’ll let anyone in Wikipedia…

Wednesday, July 13th, 2005

Wikipedia now has an entry for one of my favorite Web comics, Alien Loves Predator.

That’s just too cool.