Tuesday, May 29, 2007

The Red Duck


Yesterday was a tough one at work, made especially tougher by the fact that the House of Tooth is flying out on vacation tomorrow, earlier than I feel comfortable contemplating.
But if Mr. Howell is going to write about motor vehicular risk, so will I.

When I got home last night, I watched Race 1 of the WSBK at Silverstone. Nasty conditions: standing water on the track, filthy visor-coating mist flung up from rear tires, cold rain, poor visibility, and very heavy very aggressive traffic. So nasty that the second race was red flagged. Sounds like Chandler's Chicago commute, with the following exceptions:

  • Everyone is on two wheels (except for the Alfa 159, which follows only on the warm up lap, and at a discrete distance).
  • The cycles have been freshly massaged by well paid mechanics, sparing no expense in picking the fly poop from the pepper in handling, power delivery and suspension according to the desires of the rider. When the track is hot, statuesque women in high heels hold umbrellas over the motorcycles to keep them cool.
  • Everyone on the track is wearing leathers, gloves, boots, back protector and a full-face helmet.
  • No one is chatting on a cell phone or drinking coffee whilst riding round the track. The only communication is through flags waved by officials and corner workers, and the pit board with a couple of numbers hung out for the rider to read as he speeds past. None of this NASCAR-style chit chat and sippy cups.
All the WSBK machines are produced to a regulation, a formula that is more rigorously enforced than PCI, Basel II or the FFIEC guidelines. Sunday's race at Silverstone revealed the difference of how a regulation is interpreted, viz., traction control. Despite the best efforts of a well funded Ten Kate team, with full support of the mammoth Honda Racing Corporation, and a skilled and extra-dreamy rider at a home course, Mr. Toseland's CBR1000RR ended up like this after only a few laps. Nonetheless, water spewing from his radiator, and mud in the engine, he picked it up and rode on, finishing 8th. He was lapped by the pack who had figured out traction control: Xerox Ducati and Yamaha. And the Ducati bike is a year old.

Are strictly enforced regulations and technical innovation what makes for great racing? Is it all physics, themodynamics, fluid mechanics, geometry and friction?

No. What makes for great racing is the fact that these machines are piloted by the world's finest chaos generating engines, i.e., motorcycle road racers. Otherwise, why does nutso "Nori" get wear a rainbow wig on the podium, while his stoic Wollongongian team mate does not? What is to prevent a twitchy Frenchman on an equally twitchy Kawasaki from having a fleeting existential moment, resulting in a high velocity green missile smashing into a focused Texan's perfect line round Ascari? Nothing. The black swan rides the track along with the red Ducks.

Like any enterprise, you can comply with the regulations. You can follow the rules. You can become technically innovative. But the enterprise is run by chaos driven humans. All you can do is strap them in leathers and hope they don't lose any more fingers than is absolutely necessary.

Tuesday, May 22, 2007

Signals, Calls and Marches


Two stories stuck in my craw this past week. Now, I'm spitting them out, for your pre-masticated pleasure.

Firstly:
Tim Wilson's post at Dark Reading figures we shouldn't buy IBM security services because one of their contractors lost a storage tape with NPI on it. And that a public wireless company should not be patronized because they had a crooked options administrator. The TSA loses some employee data, so what..? We find some off-brand liquid & gel manhandler? The causality between the security products and services offered and the lapses in security and anti-fraud controls seems spurious. Does TJ Maxx not still shop continuously so I can find fabulous fashion bargains? That I'll pay cash for?

Segundo:
I can't believe the guy playing Punk'd with Google AdWords got so much press. The SANS dudes creamed themselves into a fit self-righeous suspender-snapping ecstacy in their newsletter over this DARING SOCIAL EXPERIMENT! The story was lame, proved nothing, but did allow the SANSabelters a chance to feel so superior to the l00zerz that would click on a link that says "Infect your computer." All that energy parsing stats THAT MEANT NOTHING! Dismissing your customers as ignoramuses, and pointing to practical jokes as proof is no way to run a "profession." If you must, at least do it behind closed doors.

Cause in the words of Mission of Burma:
So make sure that you are sure of everything I do
'Cause I'm not, not, not, not, not, not, not, not your academy.

Thursday, May 17, 2007

Motoprox


Yesterday I was barreling down the concrete slab choked with tractor-trailers and nitro-burnining funny trucks laden with oily 2x4s and spent joint compound jugs, I was engaging my left brain in random problem solving ("Resolved: The world is as random as it is not.") and engaging my right wrist in focussed throttle control on my Triumph Bonneville. I hate the road - a stretch of oversubscribed interstate that at an unfamiliar time (around 3:00 pm) and was unfamiliar with how the traffic would be flowing. The part of the brain that controls motorcycle function became increasingly engaged.

Fortunately, it didn't come out of nowhere: some set of clues were processed so I was pretty sure the black sedan was going to dart into the part of highway I was occupying. I braked as much as I could, as the pickup behind was riding my exhaust, and I moved as far to the left of the lane as I could. Just as his door was nearing my knee, the driver of the sedan spotted me, and made a panic swerve back to his lane. No harm, no foul, just a cortex soaked in adrenaline. People pay good money for that.

Which led me to my thought. Do near misses count?

UK Civilian Aviation Authority Airprox Board
thinks so. They are dealing with potential accidents, however, with an not unreasonable assumption that neither party wishes a collision. There is no attacker, so it is easier to get both sides of the story, and a clearer, truer account of the incident, and quality information to improve the process. In a security incident, you will rarely get the other side of the story, so the account is skewed to what the defender has observed, and the attacker has failed to hide.

The Risk Management and Decision Process Center at the Wharton School has this brief description of its Near Miss Management study.

It may be nothing useful, but I'm wondering how "near miss" security incidents are handled. How are the elements of "luck" and "skill" (i.e, controls, response,etc.) allocated? Since the bullet was dodged, is there a increase in comfort in the level of security, even though it may have just been luck, or the actions of the attacker, that made it a "miss"?

I don't know, but I've been hyperaware of traffic lately, and my head is encased in Shoei and my body in Tourmaster. (And for more on motorisks, see Chandler's post from last September.)


Hot Honda on Duck action courtesy PhillC.

Monday, May 14, 2007

Everyday Privacy & Security Part 2: Fear Factor Authentication, or I Won't Forget You Baby, Even Though I Should


If you are like me, or, if in fact, you are me, your online financial transacting experience has gone all Security 2.0 by the factor of WOW!

Over the weekend, I had an unpleasant experience. The clerk at our local What-Nots 'N Such franchise denied me use of my cash card. I figured my financial institution was trying to protect me whilst humiliating me, so I scurried home and logged into my financial institution's websperience.

But! Wait! My financial institution has gone all Fort Knoxy on my ass since the last time I websperienced them. They want to really get to know me before I can check out my balance. It went like this:

Dude! We're all secure and stuff now. It may be a pain in the back-end, but you will thank us because we will know you better. It's all legal. As a matter of fact, we wouldn't even be doing this unless we had to, but banking is mostly about money, and partly about pretending. So let's pretend.
Please enter your account number.

O.k.. But, no, that was your SSN.

Wait. Ooops. O.k. Let's call it an account number for now and move on.

Here are some fun disclosures for you to read. I'll wait here whilst you peruse them. Our attorneys wrote them to be concise but with a hint of whimsy, sort of P.G. Wodehouse meets Sartre.

Done already? Man, took our lawyers a bit longer, but whatever. Let us begin.

Type in some random characters.

More... More.... TOO MANY.
Did you include some numbers? Try that.
And some non-alphanumerics.

O.k.
Hope you remembered that. It could be your new password, or your new account number or what the tellers will whisper under their breaths when you come in to get a loan.

Now comes the fun part.
To your right you will see pictures of six different semi tractor trailers. We're going to use these pictures to identify you in the future.

Please pick the truck that most resembles your maternal grandmother.


Interesting choice.

Now some questions. Answer using your gut, and pretend that this is just between you and us. We'll use these questions for something in the future, probably resetting your password when you realize that your keyboard doesn't have a cent symbol on it. But pretend it's a legit reason.

Answer the following to the best of your knowledge:


Your favorite color.

The brand undergarment you are wearing right now.


Your favorite place for making whoopee (City and State only, please!)


Your favorite Poison lyric.

Interesting. You know you just qualified for a boat loan the way you answered that last one.

Now just press enter. (I hope you have Javascript, ActiveX and are typing this from a Internet Explorer 6 on Windows XP cause else I don't know what's going to happen.)


Sorry! You chose the wrong truck. Let's start again. Hit the back button. NO, NOT THAT BACK BUTTON!

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'login_id' to a column of data type int.
/index.asp, line 5

Tuesday, May 8, 2007

SSNS ON THE LOOSE! (Legacy Edition)


I'm trying to understand the newsworthiness of the latest episode of "SSNS On The L0OzE. OMG!!1!!"

Some dude in the mail room puts a bunch of computer tapes in the wrong slot, according to the AP report in the Houston Chronicle. State agency looks for 'em. Contractor looks for 'em. Then they find 'em, in the wrong slot. A problem as old as the mainframe.

My guess: the missing tape was a quarterly report (WITH SSNS!!), there was some turnover in the computer room, and the folkloric control vanished with the last operator who performed it. The article doesn't state the format of the tapes, but I'm guessing it's EBCDIC flavored, with a chewy center of either DB2, Adabas or Model204. (The New Russian mob has standardized on Unicode, leaving behind Blofeld and his "legacy" villainy.)

Solution? Document the process, develop a tracking spreadsheet. People have been exchanging tapes for decades, and there are simple ways to track it. You could even buy some bar code software, or something. (As it says on the wall in the illustration: If In Doubt ASK".)

What is the solution proposed by the contractor?

The company is now exploring transferring the data electronically to improve security, [contractor spokesman] Lightfoot said.
I think my way is cheaper. And safer. And easier to track. I only know what I read in the papers, though.



Diamonds Are Forever image courtesy Xeni.

Monday, May 7, 2007

Throwing Scorpion Out With the Frog Water


Declan McCullagh says that the federal government is unlikely to implement the National Research Council's privacy recommendations, in particular, a privacy commissioner, because it isn't in the federal government's scorpion-like nature. Ars Technica also has coverage. (And why must it always be a czar?)

The US is having the same issue with privacy legislation that it had with television resolution. We adopted early, because we needed to see our Felix the Cat on the airwaves, and 441 lines of resolution are all that NBC in 1941 could muster. Likewise, the privacy principles developed by the US government in the 1970s were developed too soon, when databases were just creeping out of the punch card era. US privacy law ends up like broadcast TV sets - an archaic lo-res standard, while other parts of the world lagged behind, but adapted a more advanced standard. Think of Europe's Privacy Directive as PAL.

From what I've read of the NRC's paper (the Executive Summary), it seems they are going for a full blown HiDef 1080p Dolby Surround sort of privacy regime. Just as the networks dragged their feet on the 441 lines of resolution until they were forced to move ahead with HD by the FCC, so will industry drag their feet on privacy until a privacy czar, prince or archbishop cajoles them into the 21st century. I'm being optimistic, but at least the frog was committed.



Lo-Res Felix from FelixtheCat.com

Friday, May 4, 2007

Waffle are Just Pancakes with Little Squares On 'Em

I've been working on something, but I don't know if it will make by race time in Shanghai.

In the meantime, the most important part of internal auditing is "production value." And we know what that means.






So, is it on spec?

Tuesday, May 1, 2007

Impacted Molars

Brighter Teeth

From Educational Security Incidents via Pogo comes this terrifying story of privacy laden scratch paper from the land of the gigantic stone Texan. Apparently Sam Houston State U. uses a student ID number that is not their SSN. Hooray! But they do sometimes print out sheets that correlate the student ID with the SSN for the math lab to use as scratch paper. Boo! But this was strictly against policy, and was surely attributable to the Soviets since:

"After a security briefing last summer, we no longer use SSN's, we only use Sam ID numbers to keep Identity Fraud down," Harris said. "It is against the University's procedures to use SSN, so if it prints off, we automatically white the information out." [emphasis all mine]
Teacher's high indeed!

Fresher Breath
From Dark Reading, a grim story of my home town, in which it is portrayed as a the hipsterest most l337 joint for the securi-hacker community. The worst part is that it mentions my coffee shop. I'll never feel safe using wi-fi again. (Actually, I usually limit myself to consumption of paper based information at coffee shops. But that's just me.) (And the coffee shop is not the one that is fully populated with jaded 21 year old grad students.) (It's the other one.)


Extra tooth
I agree with this comment to this Dark Reading article on the e-Gold dust-up. However, I believe that the phrase "going for the juggler" was an error. I've generally expressed the sentiment as "going for the juggalo." The powers that be are generally in a state of going for the juggalo.


Romanian toothpaste from Jessamyn