crypto comic greatness:

(click for the whole thing)

A little bit of thought food from DamnInteresting about Rogue Waves :

Over the years experienced captains have made very credible reports of meeting behemoth waves which appear spontaneously, cause extensive damage to their ships, and shrug back into the sea just as mysteriously as they had appeared. One account describes the appearance of a giant wave trough which onlookers likened to a “hole in the sea”, followed by a twelve-story-tall “wall of water.” To further compound the mystery, some such waves have been said to appear mid-ocean, and often in calm weather.

Wow, very scary. But not to worry, the computer models say that while rogue waves are an extremely high impact event, they’re also extremely unlikely.

Despite these and other encounters with rogue waves, scientists long rejected such claims as unlikely. Anecdotal evidence is often unreliable, so researchers used computer modelling to predict the likelihood of such massive waves. Oceanographers’ findings indicated that waves higher than fifteen meters were probably very rare events, occurring perhaps once in 10,000 years.

Unfortunately, reality would beg to differ.

More recently, satellite photos and radar imagery have documented the existence of numerous rogue waves, and it turns out that they are far more common than previously thought. During a three-week study in 2001, radar scanning detected ten monster waves in a 1.5 million square kilometer area. Satellites and direct observations have also established that rogue waves can happen anywhere, but they are most numerous in the North Atlantic and off the western shore of South Africa. In spite of their frequency, monster waves rarely meet with sea vessels because they are so short-lived.

How do you manage this risk? Well, so long as you’re not the actual guy on the ship, you transfer it with insurance. But which data set are the insurance rates being set on? If it’s the computer models, then the risk is being underpriced, which is good for the ship owner protecting his investment, but bad for the insurance company which is writing the policy. If the two data sets were significantly enough different, then the ship owner might find that the default risk on the part of the insurance company had now replaced the rogue wave risk, such that he might now find himself effectively paying to accept the original risk.

In the IT Security world, people play these games all the time. We like to think that we’re the shipowner, managing our risk based on the information from our Security Event Management Systems or based on models that we adjust over time. In reality, though, we’re that guy on the ship, looking out across the horizon and hoping for yet another day when we don’t meet the “hole in the sea.”

They say that the right to vote is priceless. As a registered Chicago voter, I’ll could now have to decide if it’s worth credit monitoring at $20/year or so.

For 1.3 million of my fellow Chicagoans, it’s being at risk of identity theft fraud-by-impersonation.

As if there weren’t enough concerns about the integrity of the vote, a non-partisan civic organization today claimed it had hacked into the voter database for the 1.35 million voters in the city of Chicago.

Bob Wilson, an official with the Illinois Ballot Integrity Project — which bills itself as a not-for-profit civic organization dedicated to the correction of election system deficiencies — tells ABC News that last week his organization hacked the database, which contains detailed information about hundreds of thousands of Chicago voters, including their Social Security numbers, and dates of birth.

I wonder how many dead people, dogs and cats will have their identities stolen because of this?

Updated: Note that this is a vulnerability announcement, not an actual theft

From an article on Diebold and Sequoia voting machines and Edward Felton’s efforts to challenge the problems:

Want to shake confidence in democracy? All you need, according to the Princeton team, is some common programming skills, a key widely available for $2, and a moment alone with an unattended machine.

Unlock a lid, briefly insert a memory card infected with The Virus, and the machine is ready to infect other Diebold machines that get programmed by shared cards.

The virus can be designed to fool pre-election testers. It can awaken on some future election day. And it can destroy itself afterward. In mock elections conducted by the Princeton team, no matter how the votes were cast, Benedict Arnold beat George Washington every time on an infected machine, with no evidence of his treachery left behind.

Computer scientists have sounded the loudest warnings about electronic voting machines, which have been dogged by anecdotal reports of vote-switching and other glitches. Because so little is known about the inner workings of these devices, critics say, it’s virtually impossible to detect errors or sabotage.

Manufacturers’ political ties have not inspired trust. Walden O’Dell, for example, raised money for President Bush in 2004 while serving as Diebold’s chief executive.

What I find most despicable about this is that Diebold, manufacturer of horribly insecure voting machines is the same company as Diebold, major manufacturer of rock-solid ATM machines. This selective incompetence indicates to me that Diebold cares about money, but not democracy.

From the Streetlight:

Or think of it another way: a single province in India (Uttar Pradesh) has nearly two-thirds the population of the entire United States, with over 180 million people - all in an area about the size of Oregon.

So, if you live in the US, enjoy your elbow room.

Cnet has an article on the topic of “The future of Malware” and basically, it’s all about the 0days.

Widespread worms, viruses or Trojan horses spammed to millions of mailboxes are typically not a grave concern anymore, security experts said at the Virus Bulletin conference here Thursday. Instead, especially for organizations, targeted Trojan horses have become the nightmare scenario, they said.

I lose sleep over a lot of things, but this is not one of them. Fortunately (for me, at least), the article puts it in perspective:

Targeted attacks are, at most, a blip on the radar in the big scheme of security problems, researchers said. MessageLabs pulls about 3 million pieces of malicious software out of e-mail messages every day. Only seven of those can be classified as a targeted Trojan attack, said Alex Shipp, a senior antivirus technologist at the e-mail security company.

Seven emails out of 3 million pieces of malware blocked per day across the entire messagelabs customer base (More than 13,000 businesses around the world, with 5 million users, according to their Web site). That’d need to be a damn high impact (like infecting the CEO’s PC and actually stealing something valuable) to be an unacceptable risk, and the likelihood (assuming randomness, which may be a bad bet) is lower than the odds that he’ll lose his hard drive on any given day.

Even so, the odds that your CEO will even be targeted are still pretty damn low–basically 1 in 2000. I don’t know about you, but I’ve got a lot more to worry about than a one-in-five year chance that my CEO is going to receive targeted malware.

Security is like an analogy. It only works up until the point that someone considers an angle or aspect that you haven’t previously considered and accounted for.

Yes, (bad) security analogies are a pet peeve of mine. Analogies are defended as a mechanism to help people begin to understand a concept. Mostly, however, they seem to be used as an alternative to understanding a concept.

The Jericho Forum has eleven “Commandments”, the third of which is “Assume context at your peril.”

For example, The Concorde doesn’t have locks on its doors. Nor does the modified Boeing 707 which served as JFK’s Air Force One. Neither plane needed them since, it was assumed, they would always be surrounded by the protective perimeter of airport security and/or the US Secret Service.

Today, however, both of these jets are protected by nothing more than a low chain link fence, security cameras and the guards across the street in the Museum of Flight. The vast majority of the protections which once ensured the integrity (and to a lesser extent, the confidentiality and availability) of these two airplanes are gone. Sure, they’re decommissioned so the pure asset value is reduced (and the cost of protecting them should decrease as well), but both planes still posess significant intangible value as pieces of avaiation history.

I can think of any reasons why the designers wouldn’t have put locks on the plane, such as ensuring that the doors couldn’t be accidentally locked during an emergency, but it still doesn’t change the fact that the plane assumes its environment will protect it from a breach.

Assume context at your peril, indeed.

I have to say that I think last week’s open meeting of the Jericho Forum was the best one yet. I’d like to claim some small credit for that, since I led the first morning’s discussion session on Client Security in a Deperimeterized World (my my slides), but the reality of it was that we had a room full of smart, eloquent people consistently challenged themselves and each other to extend and refine their thinking. Ian Dobson, the forum’s Director, asked for “stimulating” and I told him that I was aiming for “lively.” I think I succeeded and the momentum carried over into the the rest of the sessions as well as the breaks, meals, and drinks.

The official notes aren’t out yet, but the key take-aways that I observed from the participants were. Please correct any mis-perceptions or items I overlooked in the comments. I wasn’t able to take notes since I was busy working the room.

1. Users do not feel that loss of control/functionality for enhanced protection of (corporate) information/resources is an acceptable trade-off. They still want to have their cake and eat it too.
2. People are not sold on DRM. People almost universally felt that it’s still extremely immature and will only be applicable for limited use cases for some time to come. Still, people are not giving up on it, but rather taking a wait-and-see approach There was agreement that data needs to be able to “defend itself” and we can’t count on the client to provide a secure environment, including TPM. There was also some discussion (but no clear agreement) as to how much this is a People Problem and how much is a Technology Problem, and where the point of diminishing returns on efforts to tackle either problem will eventually settle.
3. NAC is not the answer. If anything, it’s the anti-deperimeterization.
4. Microsoft-y protocols are sill hard (Domain traffic, NetBIOS, etc). Some of the MS people disputed this, but about half of the MS people in attendance agreed that, even if it’s possible (with lots of ISA servers & effort), protecting the traffic is still too hard for general IT use.

In general, I’m seeing a growing awareness of deperimeterization in both the IT and business worlds today. With growing frequency, when I talk to people about their information security issues, they’re now aware that those issues are often related to the eroding perimeter, they just didn’t know it had a name. This is a big change from a year ago, when most people I spoke with still weren’t even aware there was a problem.