Reed Me : security

Yeah, I know I said I’d never run for office again...

reedme — Tue, 31 Mar 2009 19:07:43 GMT

But then I went and put my name in the hat once more... because it’s for a good cause!

No, it’s not April Fool’s. That’s tomorrow.

Personally, I’d like to thank L.D. Kirshenbaum (the author of the article below) for giving us a fair shake. I’m sure that there were some embarrassing quotes among all the hours that we chatted which she could’ve taken out of context, but she was very professional.

The Gun Club at Microsoft

March 31st, 2009 | Posted in American Bulletin

Right now, the Gun Club has 756 members.
At left, new President David Reed celebrated his wedding anniversary with his wife, Samia, at the shooting range.

Photos by Andrew McDonald.

We’re having a big get-together for Second Amendment Day on Saturday, if anybody wants to come out and celebrate with us.

Yeah, I’m a month overdue on a fitness duel update, a bike update and all that. I’ve been busy (and not necessarily in a fun way). Now that everyone @ Fort Reed is reasonably healthy again, I’ll have more time to goof off.

Legal use of social network websites

reedme — Tue, 16 Dec 2008 20:45:39 GMT

A long time ago, in a life far, far away, I was a deputy constable and I had to physically locate people and hand them court documents (or haul them off to jail). As much fun as it was to run around with a badge and a gun, it would’ve made life much easier if I could’ve just sent them an email! I guess I’m old: “You’ve been served... via Facebook!” just seems odd.

This case took place in Oz, but I suspect that it’s not too far off from becoming the order of the day in other parts of the world, too. Email is pretty common already, and I think SMS (aka text) messages aren’t used only because they can’t carry attachments. As a database-oriented person, I have to wonder whether I could testify to the reliability of Facebook or Myspace as a delivery mechanism. Since the process server got permission from the judge in advance, I guess it’s a moot point.

The court decided Facebook was a legally viable way to communicate.

But, in granting permission to use the social networking site, the judge stipulated that the papers be sent via a private email so that other people visiting the page could not read their contents.

Courts have previously allowed judgements to be delivered by email, but it is not known if Facebook or other social networking sites have been used in the same way.

Australian couple served with legal documents via Facebook - Telegraph

I do feel for people who are having their homes taken away for non-payment of their mortgages. A lot of people are having a rough time out there. One of the hardest things a constable ever has to do is an eviction, especially if there are children involved.

This story would be funnier if the property being foreclosed was in Second Life or WoW. Heh.

Voice Command: FORMAT C: [ENTER]

reedme — Tue, 11 Nov 2008 20:40:55 GMT

Well, that’s how the joke used to go about Vista voice command... Apparently somebody thought it would be fun to actually implement something similar in their mobile o/s. On purpose or not. Heh.

The bug can hardly be called a security problem, given it requires access to the handset, but the fact that until the fix was issued today any G1 user typing a text message containing the word "reboot" would see their phone resetting is truly stunning... Google fixes world's most stupid bug • The Register

It’s hard to imagine why one would use the same editor/parser for text messages that is used for phone commands, or have a text sink that hooks in at the system level and parses commands out of all input, but... it’s funny either way. I love the Law of Unintended Consequences™.

As often as I have to reboot my own mobile phone, a voice command for doing this would save me from having to pop the battery off so often. <envy />

Get your beta on! SQL Server 2005 SP3 Beta

reedme — Wed, 29 Oct 2008 21:07:31 GMT

No new features. Lots of good fixes rolled up in one package.

Download details: SQL Server 2005 SP3 Beta

We don’t call them “service packs” inside SQL Server anymore, but it would seem that a lot of people have a Linus’ blanket reaction to the term, so we’ll call it SP3 to make everyone happy.

Enjoy!

We don‘t need yet another database security czar.

reedme — Thu, 23 Oct 2008 19:29:42 GMT

I was reading this article about recent data breaches that was recommending Yet Another Government Agency® and (no surprise) I started getting mad:

A program to share best practices among agencies at all levels of government and create cybersecurity templates, even if they are not mandated, would be a big step forward in data security, Kleinfeld said. Data Breaches at State, Local Agencies Expose Data about Millions (redmondmag.com)

We already have one! It’s part of DHS!! Just because the appointee hired to run it lacks experience that most security professionals would consider requisite… Why not? We might be electing a president without any meaningful executive experience in a couple weeks. Government is never the answer to a domestic problem. The fact that we have government agencies collecting and storing so much sensitive data IS the problem!

In the meantime, we’ve already got more public resources on data security than the average DBA will ever read. Here are just a few:

http://www.schneier.com/

http://www.cert.org/

http://iase.disa.mil/stigs/checklist/index.html (The 182-page database security checklist is interesting. It was updated in January 2008.)

I know that there are strict DOD guidelines which ought to serve as a template, and I’m pretty sure that I have bookmarks somewhere for NSA security resources, too. The information is out there! The problem is that the people being hired to be responsible for the data aren’t reading it and implementing it. That’s what happens when you (the taxpayer) are only willing to pay half of the market rate for government database management positions… and hiring your cousin’s nephew to be the county DBA is probably not a wise idea, either.

There are “industry standard” practices which were violated in nearly all of the data breaches cited above or publicly acknowledged in recent years. Another government agency won’t help the situation. Part of the problem is that everybody wants to “solve” the data security problem, but it’s not a "problem” which can be “solved”. It’s a risk that has to be managed. Constantly and continuously.

Here’s an example hypothetical situation to demonstrate the continuous problem (we’ll leave simple software security patching for later):

Steve the DBA has been conscientious and has encrypted his database backups made in 2008 and following with a strong a algorithm (AES-256).
Steve works in a moderately regulated industry (not to mention at a company that gets sued from time to time), hence the corporate data governance strategy requires that he has to maintain backups for a minimum of three years.
Because he has to maintain a disaster recovery strategy, too, his backups are taken offsite on a regular schedule by a 3rd-party vendor.
In 2010 (that’s in our hypothetical future), an advance in mathematics related to encryption demonstrates a heretofore unknown but readily exploitable flaw in AES-256.
If Steve isn’t constantly learning and monitoring trade magazines, especially in the realm of information security, he won’t even know that he now has TWO YEARS OF BACKUPS @ RISK!
What’s the solution to this problem?
Will Cousin Bob’s nephew known how to solve it?

Another part of the problem is employers which hire inexperienced people to manage their data. Companies and government agencies should be held liable for breaches, but ultimately the only thing which will “solve” this problem is individual data professionals insisting upon best practices for data handling and application security.

That means you.

You're doing it wrong!

reedme — Wed, 27 Aug 2008 21:25:37 GMT

I always hear Randall's comic voice in my head now shouting "You're doing it wrong!" when I see things like this:

"This is believed to be the first reported case of a space station computer getting a virus, but a Nasa spokesman said there had been previous instances."
Computer virus infects International Space Station laptops

Um. I guess we're supposed to feel better because the infected computers aren't plugged into the C&C network… but they're sharing an unsafe flash drive, so… Isn't the cliché supposed to be "It's ain't rocket science?"

Read this and you'll hear the same voice in your head: Voting Machines (xkcd.com)

Edgar said to tell you that he would like to add, "Nevermore."

Big brother (or SkyNet) is coming... to a PC near you.

reedme — Thu, 17 Jan 2008 04:18:24 GMT

I loved the book 1984, even though it was almost 1984 by the time I read it. The fact that the date was around the corner and technology wasn't anywhere close kind of took the punch out of the story. I guess it didn't scare me the way it scared "previous generations" (to put it politely). Perhaps being able to fool a lie detector later in life clinched it for me... Any system can be beaten; you just have to figure out how.

Labor unions said they fear that employees could be dismissed on the basis of a computer's assessment of their physiological state.
Microsoft System May Monitor Workers' Brains, Bodies (FOXNews.com)

I'm not concerned about the automated dismissal so much as I am about where and how we're going to store all of that telemetry data. Wow! Imagine how much sensor data would have to be collected every polling period (1 second?), centralized and sanitized to make it useful... Multiply that times 100,000 employees over the course of a couple years and you've got a serious data warehousing problem. Not to mention the AI for alerting someone in HR that a pink slip cannon needs to be activated.

Watching Terminator: The Sarah Connor Chronicles this past two evenings did make me starting knoodling about the complexities of the database systems required for SkyNet's C3 systems (command, control and communications). Wouldn't that be a fun database to model on SQL Server 2008? Wish I had more free time!

Fiction is rapidly becoming science. Brought to you by Microsoft.

Mr. Jobs, welcome to the slightly bigger time...

reedme — Thu, 06 Dec 2007 16:07:54 GMT

Not a whole lot here to say, just entertainment value. After all the Mac v. PC commercials, I will laugh my considerable posterior off if Apple winds up creating a UAC-style prompt to warn their customers that an application is attempting to access critical system components...

Apple declined to discuss specific steps it was taking to counter the growing number of attacks. However, Apple said: “We take security very seriously and have a great track record for addressing vulnerabilities before they can affect users.”
Apple’s rising popularity lures hackers (FT.com)

Transparency and disclosure, anyone? Nah, why would Apple want to do that?

The article doesn't mention whether specific versions of the Mac o/s were targeted, but I will speculate wildly that perhaps it's easier to "hack the Mac" now that it has Linux Inside®? Heh.

Data mining from casinos to counterterrorism...

reedme — Mon, 22 Oct 2007 17:42:48 GMT

I guess DHS has figured out that bad guys are bad guys and existing expertise and technology probably will translate from fraud prevention to terrorism prevention.

Casinos have tried to use facial-recognition software to identify known cheats in real time, but with little success. Casino lighting is often dim, and a player who wants to conceal his identity can hide behind a hat, sunglasses or a false beard.

But in a few years, some say, iris-scan technology will be mature enough to use in gaming. Casinos might ask people to sit for a scan of the iris, which, like a fingerprint, has a unique pattern. That pattern would be transformed into a template to be matched against a database.
From Casinos to Counterterrorism (washingtonpost.com)

Data mining retinal scans and RFID flow to track betting sounds like a rather cool gig!