<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Security by Eric Jacksch &#187; News</title>
	<atom:link href="http://jacksch.com/category/news/feed/" rel="self" type="application/rss+xml" />
	<link>http://jacksch.com</link>
	<description>Infosec and cyber security news and viewpoints from a security professional with over 15 years in the trenches.</description>
	<lastBuildDate>Fri, 03 Feb 2012 13:59:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Thank you Chris Dodd</title>
		<link>http://jacksch.com/2012/01/thank-you-chris-dodd/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=thank-you-chris-dodd</link>
		<comments>http://jacksch.com/2012/01/thank-you-chris-dodd/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 15:00:38 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Stupidity]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4560</guid>
		<description><![CDATA[The web is buzzing with contempt over a statement by Motion Picture Association of America (MPAA) Chairman and CEO Chris Dodd to Fox last Thursday: &#8220;Those who count on quote &#8216;Hollywood&#8217; for support need to understand that this industry is watching very carefully who&#8217;s going to stand up for them when their job is at [...]]]></description>
			<content:encoded><![CDATA[<p>The web is buzzing with contempt over a statement by Motion Picture Association of America (MPAA) Chairman and CEO Chris Dodd to Fox last Thursday:</p>
<blockquote><p>&#8220;Those who count on quote &#8216;Hollywood&#8217; for support need to understand that this industry is watching very carefully who&#8217;s going to stand up for them when their job is at stake. Don&#8217;t ask me to write a check for you when you think your job is at risk and then don&#8217;t pay any attention to me when my job is at stake.&#8221;</p></blockquote>
<p>As pointed out on the <a href="http://www.mpaa.org/about/ceo" target="_blank">MPAA web site</a>, Dodd is also a former US Senator from Connecticut. Surely he understood the implications of publicly confirming what we have always expected &#8212; that Hollywood spends a lot of money on politicians and expects a return on their investments. Rather than condemn him, perhaps we should be thanking him for putting this out in the open.</p>
<p>The movie industry, like many others, is facing a harsh new reality &#8212; one that, for the most part, they appear to be in denial about. Pushing for draconian, ill-informed legislation such as the Stop Online Piracy Act (SOPA) and the Protect IP Act isn&#8217;t the solution. Perhaps it&#8217;s time that Hollywood stop trying to purchase politicians and apply some creativity to their business model instead.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2012/01/thank-you-chris-dodd/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PayPal dispute ends in destruction of violin</title>
		<link>http://jacksch.com/2012/01/paypal-dispute-ends-in-destruction-of-violin/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=paypal-dispute-ends-in-destruction-of-violin</link>
		<comments>http://jacksch.com/2012/01/paypal-dispute-ends-in-destruction-of-violin/#comments</comments>
		<pubDate>Fri, 06 Jan 2012 01:55:53 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4515</guid>
		<description><![CDATA[CNET ran an interesting article yesterday on how a PayPal dispute ended in the destruction of a violin. In summary, the allegation is that the purchaser disputed the authenticity of his $2,500 purchase, PayPal agreed, and they instructed the purchaser to destroy the violin in order to obtain a refund. People are asking a [...]]]></description>
			<content:encoded><![CDATA[<p>CNET ran an interesting article yesterday on how a <a href="http://news.cnet.com/8301-1023_3-57352627-93/paypal-dispute-ends-in-destruction-of-violin" target="_blank">PayPal dispute ended in the destruction of a violin</a>. In summary, the allegation is that the purchaser disputed the authenticity of his $2,500 purchase, PayPal agreed, and they instructed the purchaser to destroy the violin in order to obtain a refund.</p>
<p>People are asking a lot of questions about this one, and while I haven&#8217;t heard directly from the seller, her letter is posted on <a href="http://www.regretsy.com/2012/01/03/from-the-mailbag-27/" target="_blank">Regretsy</a>. (The buyer&#8217;s identity has not been disclosed.)  The dispute appears to focus on the violin label. I&#8217;m certainly not qualified to discuss violin labels and associated traditions, but these folks are and <a href="http://www.abcviolins.com/labels.html" target="_blank">have something interesting to say</a>.</p>
<p>I was a bit surprised to hear that PayPal had the instrument destroyed rather than returned to the vendor, but I found this in <a href="https://cms.paypal.com/us/cgi-bin/marketingweb?cmd=_render-content&amp;content_ID=ua/UserAgreement_full&amp;locale.x=en_US" target="_blank">PayPal&#8217;s user agreement</a>:</p>
<blockquote><p>If a buyer files a Significantly Not as Described (SNAD) Claim for an item they purchased from you, you will generally be required to accept the item back and refund the buyer the full purchase price plus original shipping costs. You will not receive a refund on your PayPal fees. Further, if you lose a SNAD Claim because we, in our sole discretion, reasonably believe the item you sold is counterfeit, you will be required to provide a full refund to the buyer and you will not receive the item back (it will be destroyed). PayPal Seller protection will not cover your liability.</p></blockquote>
<p>Merchants take heed &#8212; &#8220;in our sole discretion&#8221; gives PayPal a lot of power.</p>
<p>In response to my query, a PayPal spokesperson replied via email,</p>
<blockquote><p>&#8220;While we cannot talk about this particular case due to PayPal&#8217;s privacy policy, we carefully review each case, and in general we may ask a buyer to destroy counterfeit goods if they supply signed evidence from a knowledgeable third party that the goods are indeed counterfeit.  The reason why we reserve the option to ask the buyer to destroy the goods is that in many countries, including the US,  it is a criminal offense to mail counterfeit goods back to a seller.&#8221;</p></blockquote>
<p>A lot of small businesses rely upon PayPal, and this type of incident causes concern among merchants.  For example, one commenter on Regretsy pointed out,</p>
<blockquote><p>This scheme of PayPal’s makes a great way to perpetuate fraud. Want to swap the fake Vuitton bag you bought on Canal Street for a real one? Just buy that real one on eBay, pay through PayPal and report the ‘fake’!</p></blockquote>
<p>Credit card transactions in general place the burden of proof on the merchant. For example, if I ordered goods and subsequently advised the credit card issuer that the product didn&#8217;t arrive, the merchant would face a chargeback unless they were able to provide strong evidence to the contrary. PayPal adds an additional layer. If a buyer who has purchased through PayPal using a credit card is not satisfied and disputes the charge through their credit card issuer, the burden of proof falls to PayPal.</p>
<p>My point is not to excuse PayPal of their responsibilities.  They&#8217;re in the payment game and need to treat all parties fairly as well as manage their own risk. However, it&#8217;s also not fair to assume that these types of disputes or the potential for merchant losses are specific to PayPal. It&#8217;s also not realistic for sellers to assume that PayPal will protect them from all potential fraud scenarios.</p>
<p>I&#8217;m happy to see PayPal take a strong stand against counterfeit goods, but I just wonder if destroying a violin &#8212; even if the label was wrong &#8212; was the right answer in this case. I suspect executives at PayPal are asking that same question.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2012/01/paypal-dispute-ends-in-destruction-of-violin/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SCADA Security</title>
		<link>http://jacksch.com/2011/11/scada-security/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=scada-security</link>
		<comments>http://jacksch.com/2011/11/scada-security/#comments</comments>
		<pubDate>Fri, 18 Nov 2011 21:11:51 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://jacksch.com/2011/11/scada-security/</guid>
		<description><![CDATA[Brian Krebs has a great article on his blog about the recent cyber attack on a city water utility in Illinois.&#160; Wired and others have also been covering the story as it evolves. I’m not going to rehash the news. Who did it might perhaps be marginally interesting, as might be their motive.&#160; While I’m [...]]]></description>
			<content:encoded><![CDATA[<p>Brian Krebs has <a href="http://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/" target="_blank">a great article on his blog</a> about the recent cyber attack on a city water utility in Illinois.&#160; <a href="http://www.wired.com/threatlevel/2011/11/hackers-destroy-water-pump/" target="_blank">Wired</a> and others have also been covering the story as it evolves. I’m not going to rehash the news. Who did it might perhaps be marginally interesting, as might be their motive.&#160; While I’m not suggesting we excuse criminal behaviour, burning out a water pump by turning it on and off is most certainly not the worst thing one could do upon seizing remote control of a water facility.</p>
<p>For those new to the topic, the security of Supervisory Control and Data Acquisition (SCADA) systems has been a concern for years. For example, Andrew Hildick-Smith’s 2005 paper discusses <a href="http://www.sans.org/reading_room/whitepapers/warfare/security-critical-infrastructure-scada-systems_1644" target="_blank">Security for Critical Infrastructure SCADA systems</a>.&#160; I’m not convinced that I completely agree with Mr. Hildick-Smith’s approach, but the fact that he wrote this paper as a practical assignment for a security certification back in 2005 illustrates that this problem is certainly not unknown.</p>
<p>Assuming reports are correct and that an intruder was able to hack into a SCADA system from outside, this incident is another example of how basic security fundamentals are being ignored in the critical infrastructure sectors.&#160; Given the current state of SCADA systems, neither the devices nor the computers that control them should be accessible from <strong>any</strong> other network, and they also require protection against insider threats. The risk is simply too high.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/11/scada-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stuxnet and duqu in perspective.</title>
		<link>http://jacksch.com/2011/10/stuxnet-and-duqu-in-perspective/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=stuxnet-and-duqu-in-perspective</link>
		<comments>http://jacksch.com/2011/10/stuxnet-and-duqu-in-perspective/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 22:00:08 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4415</guid>
		<description><![CDATA[The net is buzzing about Stuxnet variant &#8216;duqu&#8217;. Let&#8217;s put it in perspective. Stuxnet received a lot of attention because it was the first publicized case of malware targeting a physical control system, and anything that touches a nuclear reactor is a big deal. But this type of threat certainly wasn&#8217;t unforeseen. The potential for [...]]]></description>
			<content:encoded><![CDATA[<p>The net is buzzing about Stuxnet variant &#8216;duqu&#8217;.  Let&#8217;s put it in perspective.</p>
<p>Stuxnet received a lot of attention because it was the first publicized case of malware targeting a physical control system, and anything that touches a nuclear reactor is a big deal.  But this type of threat certainly wasn&#8217;t unforeseen. The potential for malware and other network-centric threats to impact SCADA systems has been discussed within the security community for years.  Stuxnet was simply the first to capture the spotlight.</p>
<p>The source code has been widely available online since July, so it&#8217;s no surprise that derivatives are starting to appear.  Cyber criminals of all sorts have undoubtedly downloaded, modified, and experimented with it.  The vast majority of malware created today is simply a derivative of existing malware; those capable of creating something completely new are few and far between. This new variant, code-named &#8216;duqu&#8217;, is probably the work of an individual or small group. A government or large criminal organization would not rework the Stuxnet code.  They&#8217;d study it, learn from it, and then create something completely different to avoid detection.</p>
<p>Organizations with SCADA systems should be concerned about a much broader range of threats rather than focusing on Stuxnet or duqu. They need to ensure that their systems are adequately protected against malware and a long list of other insider and outsider threats.</p>
<p>More generally, rather than focusing on specific pieces of malware, we should be asking why we continue to build systems that, from a security perspective, are fundamentally flawed.  We continue to make the same mistakes over and over again, and then we&#8217;re surprised when a security breach occurs.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/10/stuxnet-and-duqu-in-perspective/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Patch Tuesday</title>
		<link>http://jacksch.com/2011/08/patch-tuesday/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=patch-tuesday</link>
		<comments>http://jacksch.com/2011/08/patch-tuesday/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 21:00:39 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4349</guid>
		<description><![CDATA[Microsoft issued 13 security bulletins that address 22 vulnerabilities. Out of these vulnerabilities, three are rated critical by Microsoft. “The DNS vulnerability could result in a complete system compromise,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Because no user interaction is needed, a vulnerable service simply needs to be up and running for [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft <a href="http://www.microsoft.com/technet/security/bulletin/ms11-jul.mspx" target="_blank">issued 13 security bulletins</a> that address 22 vulnerabilities. Out of these vulnerabilities, three are rated critical by Microsoft.</p>
<p>“The DNS vulnerability could result in a complete system compromise,” said Joshua Talbot, security intelligence manager, Symantec Security Response. “Because no user interaction is needed, a vulnerable service simply needs to be up and running for the vulnerability to be exploited.”</p>
<p>“Internet Explorer is affected by two critical vulnerabilities being patched, both of which can be exploited by a drive-by download,” Talbot added. “The fact that vulnerabilities such as these continue to be so common is one reason why web-based attacks are so prevalent. There is a very large attack surface.”</p>
<p>“We haven’t seen nearly this many low profile patches – ones that primarily result in information-disclosure or cause denial-of-service conditions – in quite some time,” Talbot concluded. “Half of all the vulnerabilities patched this month are of that type, which is rare.”</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/08/patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Android handsets leak personal data</title>
		<link>http://jacksch.com/2011/06/android-handsets-leak-personal-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=android-handsets-leak-personal-data</link>
		<comments>http://jacksch.com/2011/06/android-handsets-leak-personal-data/#comments</comments>
		<pubDate>Sun, 12 Jun 2011 17:28:08 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4225</guid>
		<description><![CDATA[According to the BBC, &#8220;Android phones are potentially leaking data that, if stolen, could be used to get the information they store online.&#8221; Researchers have discovered that the authentication tokens used to access Google services are sent in the clear and are subject to theft and unauthorized use. Google has apparently made changes to fix [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.bbc.co.uk/news/technology-13422308" target="_blank">According to the BBC</a>, &#8220;Android phones are potentially leaking data that, if stolen, could be used to get the information they store online.&#8221; Researchers have discovered that the authentication tokens used to access Google services are sent in the clear and are subject to theft and unauthorized use.</p>
<p>Google has apparently made changes to fix part of the problem.  Android users should update their phones as soon as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/06/android-handsets-leak-personal-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Skype encryption flawed</title>
		<link>http://jacksch.com/2011/05/skype-encryption-flawed/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=skype-encryption-flawed</link>
		<comments>http://jacksch.com/2011/05/skype-encryption-flawed/#comments</comments>
		<pubDate>Mon, 30 May 2011 13:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4222</guid>
		<description><![CDATA[University of North Carolina researchers have demonstrated that the encryption system used by Skype – and presumably other VoIP products – is flawed and leaks data.&#160; In summary, patterns in packet sizes appear to be sufficient to perform linguistic analysis.&#160; According to New Scientist, the researchers were able to decrypt 2.3 percent of conversations and [...]]]></description>
			<content:encoded><![CDATA[<p>University of North Carolina researchers have demonstrated that the encryption system used by Skype – and presumably other VoIP products – is flawed and leaks data.&#160; In summary, patterns in packet sizes appear to be sufficient to perform linguistic analysis.&#160; According to <a href="http://www.newscientist.com/blogs/onepercent/2011/05/words-leak-from-encrypted-onli.html" target="_blank">New Scientist</a>, the researchers were able to decrypt 2.3 percent of conversations and accuracy is expected to increase.</p>
<p>There is good reason that high-end cryptographic devices offer features such as maintaining a constant data rate independent of the data being encrypted. It sounds like Skype might want to also incorporate some of those features.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/05/skype-encryption-flawed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blame it on Amazon?</title>
		<link>http://jacksch.com/2011/05/blame-it-on-amazon/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=blame-it-on-amazon</link>
		<comments>http://jacksch.com/2011/05/blame-it-on-amazon/#comments</comments>
		<pubDate>Mon, 16 May 2011 16:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jacksch.com/2011/05/16/blame-it-on-amazon/</guid>
		<description><![CDATA[With Sony’s PlayStation Network offline since April 20 following what is being called the second largest breach in history, there has been plenty of time for rumours, speculation, and red herrings.  The latest is Bloomberg’s report, “Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from [...]]]></description>
			<content:encoded><![CDATA[<p>With Sony’s PlayStation Network offline since April 20 following what is being called the second largest breach in history, there has been plenty of time for rumours, speculation, and red herrings.  The latest is <a href="http://www.bloomberg.com/news/2011-05-13/sony-network-said-to-have-been-invaded-by-hackers-using-amazon-com-server.html" target="_blank">Bloomberg’s report</a>,</p>
<blockquote><p>“Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said.”</p></blockquote>
<p><span style="color: #555555;">While it’s mildly interesting that criminals choose to use Amazon servers, it’s not really surprising.  Amazon Web Services offers great services at good prices, and attracts a wide range of customers – individuals, small business, and large enterprise all leverage their services.  Given the alleged sophistication of the attack, EC2 is simply an obvious choice.</span></p>
<p><span style="color: #555555;">While a shift in attention to Amazon might be good for Sony, we should expect criminals to use EC2 like everyone else.  Criminals also use rental vehicles, disposable mobile phones, and WiFi hotspots.  They probably even purchase their computers the same places we do.</span></p>
<p><span style="color: #555555;">The Sony PlayStation Network data exposure has two causes:</span></p>
<ul>
<li><span style="color: #555555;">Security deficiencies at Sony. While we don’t know what the specific weaknesses were, the fact that information on PlayStation Network customers – including credit card information &#8212; was stolen across the Internet would make it pretty difficult for Sony to convince us that they had appropriate security controls in place.</span></li>
<li><span style="color: #555555;">The criminals. Let us not forget that Sony was the victim of a crime.</span></li>
</ul>
<p><span style="color: #555555;">Like TJ Maxx, the Sony security breach should be a wake-up call.  Consumers often feel safer dealing with larger, more established companies.  But it appears that some of them don’t have security right yet.</span></p>
<p><span style="color: #555555;">We also need to understand that tracking down cyber criminals is becoming increasingly difficult.  Cloud-based services aren’t anonymous – while false identities can be used, criminals still need to connect to the cloud-based service from somewhere.  However, with the widespread proliferation of free WiFi hotspots and disposable mobile phones and data devices, we need to accept the fact that tracing an attack back to the source may not be possible and that more traditional investigation methods – like following the money trail – remain important and techniques must be constantly updated.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/05/blame-it-on-amazon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Best Facebook status update ever</title>
		<link>http://jacksch.com/2011/05/best-facebook-status-update-ever/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=best-facebook-status-update-ever</link>
		<comments>http://jacksch.com/2011/05/best-facebook-status-update-ever/#comments</comments>
		<pubDate>Sat, 07 May 2011 12:25:57 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Humour]]></category>
		<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://jacksch.com/2011/05/07/best-facebook-status-update-ever/</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><a href="http://jacksch.com/wp-content/uploads/20110507-082444.jpg"><img src="http://jacksch.com/wp-content/uploads/20110507-082444.jpg" alt="20110507-082444.jpg" class="alignnone size-full" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/05/best-facebook-status-update-ever/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Apple responds on location data</title>
		<link>http://jacksch.com/2011/04/apple-responds-on-location-data/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=apple-responds-on-location-data</link>
		<comments>http://jacksch.com/2011/04/apple-responds-on-location-data/#comments</comments>
		<pubDate>Wed, 27 Apr 2011 21:49:40 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4202</guid>
		<description><![CDATA[There has been a lot of discussion and speculation lately about the iPhone, how it uses location information, and the privacy implications. Apple released this information today &#8212; I&#8217;m presenting it verbatim to preserve the context.  I found the bit about collecting anonymous traffic data quite interesting! April 27, 2011 Apple Q&#38;A on Location Data [...]]]></description>
			<content:encoded><![CDATA[<p>There has been a lot of discussion and speculation lately about the iPhone, how it uses location information, and the privacy implications. Apple released this information today &#8212; I&#8217;m presenting it verbatim to preserve the context.  I found the bit about collecting anonymous traffic data quite interesting!</p>
<p>April 27, 2011</p>
<p>Apple Q&amp;A on Location Data</p>
<p>Apple would like to respond to the questions we have recently received about the gathering and use of location information by our devices.</p>
<p>1. Why is Apple tracking the location of my iPhone?<br />
Apple is not tracking the location of your iPhone. Apple has never done so and has no plans to ever do so.</p>
<p>2. Then why is everyone so concerned about this?<br />
Providing mobile users with fast and accurate location information while preserving their security and privacy has raised some very complex technical issues which are hard to communicate in a soundbite. Users are confused, partly because the creators of this new technology (including Apple) have not provided enough education about these issues to date.</p>
<p>3. Why is my iPhone logging my location?<br />
The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested. Calculating a phone’s location using just GPS satellite data can take up to several minutes. iPhone can reduce this time to just a few seconds by using Wi-Fi hotspot and cell tower data to quickly find GPS satellites, and even triangulate its location using just Wi-Fi hotspot and cell tower data when GPS is not available (such as indoors or in basements). These calculations are performed live on the iPhone using a crowd-sourced database of Wi-Fi hotspot and cell tower data that is generated by tens of millions of iPhones sending the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple.</p>
<p>4. Is this crowd-sourced database stored on the iPhone?<br />
The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone. This cache is protected but not encrypted, and is backed up in iTunes whenever you back up your iPhone. The backup is encrypted or not, depending on the user settings in iTunes. The location data that researchers are seeing on the iPhone is not the past or present location of the iPhone, but rather the locations of Wi-Fi hotspots and cell towers surrounding the iPhone’s location, which can be more than one hundred miles away from the iPhone. We plan to cease backing up this cache in a software update coming soon (see Software Update section below).</p>
<p>5. Can Apple locate me based on my geo-tagged Wi-Fi hotspot and cell tower data?<br />
No. This data is sent to Apple in an anonymous and encrypted form. Apple cannot identify the source of this data.</p>
<p>6. People have identified up to a year’s worth of location data being stored on the iPhone. Why does my iPhone need so much data in order to assist it in finding my location today?<br />
This data is not the iPhone’s location data—it is a subset (cache) of the crowd-sourced Wi-Fi hotspot and cell tower database which is downloaded from Apple into the iPhone to assist the iPhone in rapidly and accurately calculating location. The reason the iPhone stores so much data is a bug we uncovered and plan to fix shortly (see Software Update section below). We don’t think the iPhone needs to store more than seven days of this data.</p>
<p>7. When I turn off Location Services, why does my iPhone sometimes continue updating its Wi-Fi and cell tower data from Apple’s crowd-sourced database?<br />
It shouldn’t. This is a bug, which we plan to fix shortly (see Software Update section below).</p>
<p>8. What other location data is Apple collecting from the iPhone besides crowd-sourced Wi-Fi hotspot and cell tower data?<br />
Apple is now collecting anonymous traffic data to build a crowd-sourced traffic database with the goal of providing iPhone users an improved traffic service in the next couple of years.</p>
<p>9. Does Apple currently provide any data collected from iPhones to third parties?<br />
We provide anonymous crash logs from users that have opted in to third-party developers to help them debug their apps. Our iAds advertising system can use location as a factor in targeting ads. Location is not shared with any third party or ad unless the user explicitly approves giving the current location to the current ad (for example, to request the ad locate the Target store nearest them).</p>
<p>10. Does Apple believe that personal information security and privacy are important?<br />
Yes, we strongly do. For example, iPhone was the first to ask users to give their permission for each and every app that wanted to use location. Apple will continue to be one of the leaders in strengthening personal information security and privacy.</p>
<p>Software Update<br />
Sometime in the next few weeks Apple will release a free iOS software update that:</p>
<p>• reduces the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,<br />
• ceases backing up this cache, and<br />
• deletes this cache entirely when Location Services is turned off.</p>
<p>In the next major iOS software release the cache will also be encrypted on the iPhone.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/04/apple-responds-on-location-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I&#8217;m sick of HBGary</title>
		<link>http://jacksch.com/2011/03/im-sick-of-hbgary/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=im-sick-of-hbgary</link>
		<comments>http://jacksch.com/2011/03/im-sick-of-hbgary/#comments</comments>
		<pubDate>Wed, 16 Mar 2011 16:00:35 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Stupidity]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4195</guid>
		<description><![CDATA[I&#8217;ll admit it.  I spoke about the HBGary hacks during a guest lecture I gave at Carleton University last week. But in all honesty I&#8217;m getting sick and tired of hearing about them.  Journalists keep focusing on the wrong issues and people need to understand that many decisions  &#8211; even in so-called security companies &#8212; [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ll admit it.  I spoke about the <a href="http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars">HBGary hacks</a> during a guest lecture I gave at Carleton University last week. But in all honesty I&#8217;m getting sick and tired of hearing about them.  Journalists keep focusing on the wrong issues and people need to understand that many decisions  &#8211; even in so-called security companies &#8212; are often not made by security professionals.  Just because the company employs &#8220;security experts&#8221; doesn&#8217;t mean they consult them on internal matters.  In my experience the opposite is often the case and the shoemaker&#8217;s children proverb applies.</p>
<p>From a technical perspective, the root cause of the initial security breach was poor software design, poor implementation, and inadequate testing.  It&#8217;s an industry-wide problem that won&#8217;t change until customers demand better software and are willing to pay for it.  Things got worse because the folks at HBGary appear to have ignored basic and well understood best practices with regard to passwords.</p>
<p>However, let&#8217;s not ignore the other root cause.  While it doesn&#8217;t justify criminal behaviour, let us not forget that HBGary, in an apparent attempt to obtain publicity for themselves, allegedly did the cyber equivalent of visiting the nearest biker hangout to announce, &#8220;Just want to let you know we&#8217;re going to screw with you in the media tomorrow, but don&#8217;t worry, we&#8217;re only going to screw with you a bit.&#8221; Or, if you prefer a different analogy, they kicked the hornet&#8217;s nest without wearing the customary protective equipment.</p>
<p>As security pros dealing with people allegedly responsible for hacking and denial of service attacks on major companies, HBGary must have expected probes of their systems and at minimum a distributed denial of service attack.  They reportedly kicked the hornet&#8217;s nest deliberately and intentionally. It leaves me wondering if becoming a victim was part of their publicity strategy. Getting yourself hacked would certainly be a bold publicity stunt for a security company, but it wouldn&#8217;t be the stupidest thing I&#8217;ve seen either.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2011/03/im-sick-of-hbgary/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TSA a disgrace to the security profession</title>
		<link>http://jacksch.com/2010/11/tsa-a-disgrace-to-the-security-profession/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=tsa-a-disgrace-to-the-security-profession</link>
		<comments>http://jacksch.com/2010/11/tsa-a-disgrace-to-the-security-profession/#comments</comments>
		<pubDate>Wed, 24 Nov 2010 02:00:29 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4119</guid>
		<description><![CDATA[The great lexicographer Samuel Johnson, on the evening of April 7, 1775, told us, &#8220;Patriotism is the last refuge of the scoundrel.&#8221; We&#8217;ve seen quite a bit of this behaviour since the 9/11 incidents as right wing politicians try to finesse the lifting of our liberties in the interests of being a &#8220;good citizen&#8221; and [...]]]></description>
<content:encoded><![CDATA[<p>The great lexicographer Samuel Johnson, on the evening of April 7, 1775, told us, &#8220;Patriotism is the last refuge of the scoundrel.&#8221; We&#8217;ve seen quite a bit of this behaviour since the 9/11 incidents as right wing politicians try to finesse the lifting of our liberties in the interests of being a &#8220;good citizen&#8221; and &#8220;fighting terrorism.&#8221; Perhaps today Johnson would have modernized his words by saying, &#8220;The Transportation Safety Administration is now the last refuge of the scoundrel,&#8221; as they continue to abuse the public in the false name of &#8220;security&#8221; and prove themselves a disgrace to the security profession.</p>
<p>In case you’ve missed the latest developments in the United States, many passengers over the past few weeks have found themselves in the uncomfortable position of having to choose between two intrusive and dehumanizing alternatives: submitting to a virtual strip search courtesy of a “body scanning” machine, or being subjected to an “<a href="http://travel.usatoday.com/flights/2010-10-29-tsa-pat-downs_N.htm" target="_blank">enhanced pat-down</a>” of their entire body including breasts and genitals.</p>
<p>As a security professional one thing that makes my blood boil is when “security” is used as an excuse. I cringe when I hear the phrase, “for your comfort and security&#8230;” which is usually followed by words that have little – if anything – to do with comfort or security. But in more than fifteen years as a security professional I have seldom witnessed anything as disgraceful as TSA officials using “security” as an excuse to abuse passengers.</p>
<p>Preventing the introduction of weapons, explosives, and other dangerous items onto passenger aircraft has been a security concern since the <a href="http://en.wikipedia.org/wiki/Aircraft_hijacking" target="_blank">first recorded aircraft hijacking</a> in 1931. In 2001 the game changed when multiple aircraft were hijacked and flown into ground targets as improvised missiles. Additional threats, including the introduction of small amounts of explosives onto passenger aircraft, have further complicated the threat landscape.</p>
<p>There is no doubt that the nature of the threat against passenger aircraft has changed dramatically in the past decade. The era of hijackings in which crew and passengers passively cooperated with hijackers – and were usually released – has been replaced with a set of new scenarios in which immediate action by passengers and crew against anyone threatening the aircraft appears justifiable and the best chance for survival.</p>
<p>There is also no doubt that all aspects of aviation security, including passenger screening, need to be regularly reviewed and appropriate changes made to manage risks. However, there is a world of difference between imposing realistic security controls and using the threat of terrorism as an excuse to impose draconian, unnecessarily invasive, and abusive processes in the name of “security”.</p>
<p>It is true that there is a terrorist threat against aircraft, and passengers are one of many vectors that could facilitate the threat. But in passenger screening, as in most areas of security, the law of diminishing returns applies. X-ray machines for carry-on luggage, explosive residue detection equipment, metal detectors, and skilled security professionals are capable of detecting the vast majority of weapons and explosives. Perfection is simply not possible. Adding strip-search machines and intrusive “pat downs” adds little – if any – additional security, and the marginal gain is grossly outweighed by the negative impact of the security measure on the very people it is designed to protect. It is a dramatic example of an exceptionally poor security management decision.</p>
<p>Let’s also not forget that the threat of terrorism is not limited to aircraft. Around the globe buses, trains, schools, public buildings, restaurants, bars, hotels, and marketplaces have all been targeted by terrorists and other criminals. As security professionals we have an obligation to set aside knee-jerk, “increased security at all cost” reactions and seek out security controls that are both effective and acceptable to the population they impact. Nobody would consent to body scans or intrusive personal searches to get into a taxi, bus, shopping plaza or nightclub. So why should we tolerate it at an airport?</p>
<p>I’m sure the TSA will argue that their employees are not committing sexual assault (or whatever the crime is called in the airport’s jurisdiction) because they have “consent”. But do they really? What choice does a person whose job requires them to travel have? Much of the United States has “at will” employment – employers need no reason to dismiss an employee. Let the TSA view their naked image, let the TSA grope them, or risk losing their job. Not much of a choice. Parents also have a difficult choice to make.  Do they subject their children to TSA “searches” that would land anyone else in jail, or do they cancel the trip to Disney this winter?</p>
<p>The TSA’s new ‘scope or grope’ policy does not meaningfully improve security. No technology can compensate for poorly paid, poorly trained, and increasingly disenchanted front-line security staff. The fact that the TSA even considered this ineffective and unethical nonsense highlights the fecklessness of TSA leadership and the spineless politicians that support them.</p>
<p>Law abiding citizens and airport security staff should see each other as partners in security – both cooperating to ensure the security of their flights.  But that won’t work until the TSA stops abusing those it is supposed to protect. It’s time for TSA chief John Pistole to pack his bags and for the American Government to put a real security professional in charge.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2010/11/tsa-a-disgrace-to-the-security-profession/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twelve Scams of Christmas</title>
		<link>http://jacksch.com/2010/11/twelve-scams-of-christmas/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=twelve-scams-of-christmas</link>
		<comments>http://jacksch.com/2010/11/twelve-scams-of-christmas/#comments</comments>
		<pubDate>Fri, 19 Nov 2010 14:00:23 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4108</guid>
		<description><![CDATA[The twelve scams of Christmas courtesy of McAfee: 1. iPad Offer Scams With Apple products topping most shopping lists this holiday season, scammers are busy distributing bogus offers for free iPads. McAfee Labs found that in the spam version of the scam consumers are asked to purchase other products and provide their credit card number [...]]]></description>
			<content:encoded><![CDATA[<p>The twelve scams of Christmas courtesy of <a href="http://www.mcafee.com/cru" target="_blank">McAfee</a>:</p>
<p><strong>1. iPad Offer Scams</strong></p>
<p>With Apple products topping most shopping lists this holiday season, scammers are busy distributing bogus offers for free iPads. McAfee Labs found that in the spam version of the scam consumers are asked to purchase other products and provide their credit card number to get the free iPad. Of course, victims never receive the iPad or the other items, just the headache of reporting a stolen credit card number.</p>
<p>In the social media version of the scam, users take a quiz to win a free iPad and must supply their cell phone number to receive the results. In actuality they are signed up for a cell phone scam that costs $10 a week.</p>
<p><strong> 2. “Help! I’ve Been Robbed” Scam</strong></p>
<p>This travel scam sends phony distress messages to family and friends requesting that money be wired or transferred so that they can get home. McAfee Labs has seen an increase in this scam and predicts its rise during the busy travel season.</p>
<p><strong> 3. Fake Gift Cards</strong></p>
<p>Cybercrooks use social media to promote fake gift card offers with the goal of stealing consumers’ information and money, which is then sold to marketers or used for ID theft.</p>
<p>One recent Facebook scam offered a “free US$1,000 Best Buy gift card” to the first 20,000 people who signed up for a Best Buy fan page, which was a look-alike. To apply for the gift card they had to provide personal information and take a series of quizzes.</p>
<p><strong> 4. Holiday Job Offers</strong></p>
<p>As people seek extra cash for gifts this holiday season, Twitter scams offer dangerous links to high-paying, work-at-home jobs. Users are asked to supply personal information such as their email address, home address and Social Security number to apply for the fake job.</p>
<p><strong>5. “Smishing”</strong></p>
<p>Cybercrooks are now “smishing,” or sending phishing SMS texts. These texts appear to come from your bank or an online retailer, saying that there is something wrong with an account and you must call to verify your information. In reality, these efforts are merely a ruse to extract valuable personal information from the targets.  Cybercrooks know that people are more vulnerable to this scam during the holiday season when consumers are doing more online shopping and checking bank balances frequently.</p>
<p><strong> 6. Suspicious Holiday Rentals</strong></p>
<p>During peak travel times when consumers often look online for affordable holiday rentals, cybercrooks post fake holiday rental sites that ask for down payments on properties by credit card or wire transfer.</p>
<p><strong> 7. Recession Scams Continue</strong></p>
<p>Scammers target vulnerable consumers with recession related scams such as pay-in-advance credit schemes. McAfee Labs has seen a significant number of spam emails advertising prequalified, low-interest loans and credit cards if the recipient pays a processing fee, which goes directly into the scammer’s pocket.</p>
<p><strong> 8. Grinch-like Greetings</strong></p>
<p>E-cards are a convenient and earth-friendly way to send greetings to friends and family, but cybercriminals load fake versions with links that spread computer viruses and other malware instead of cheer. According to McAfee Labs, computers may start displaying obscene images, pop-up ads or even start sending cards to contacts that appear to come from you.</p>
<p><strong> 9. Low Price Traps</strong></p>
<p>Shoppers should be cautious of products offered at prices far below competitors. Cyber scammers use auction sites and fake websites to offer too-good-to-be-true deals with the goal of stealing your money and information.</p>
<p><strong> 10. Charity Scams</strong></p>
<p>The holidays have historically been a prime time for charity scams since it’s a traditional time for giving, and McAfee Labs predicts that this year is no exception. Common ploys include phone calls and spam e-mails asking you to donate to veterans’ charities, children&#8217;s causes and relief funds for the latest catastrophe.</p>
<p><strong> 11. Dangerous Holiday Downloads</strong></p>
<p>Holiday-themed screensavers, jingles and animations are an easy way for scammers to spread viruses and other computer threats, especially when links come from an email or IM that appears to be from a friend.</p>
<p><strong> 12. Hotel and Airport Wi-fi</strong></p>
<p>During the holidays many people travel and use free wi-fi in places like hotels and airports. This is a tempting time for thieves to hack into networks hoping to find opportunities for theft.</p>
<p>McAfee advises Internet users to follow these five tips to protect their computers and personal information:</p>
<ul>
<li>Stick to well-established and trusted sites that include trust marks (icons or seals from third parties verifying that the site is safe), user reviews and customer support. A reputable trust mark provider will have a live link attached to its trust mark icon, which will take visitors to a verification Web site of the trust mark provider.</li>
<li>Do not respond to offers that arrive in a spam email, text or instant message.</li>
<li>Preview a link’s web address before you click on it to make sure it is going to an established site. To check a link, move your mouse pointer over it &#8211; but don&#8217;t click it &#8211; and the address should appear on the bottom bar of your web browser. Never download or click anything from an unknown source.</li>
<li>Stay away from vendors that offer prices well below the norm. Don’t believe anything that’s too good to be true.</li>
<li>Make sure to use trusted wi-fi networks. Don’t check bank accounts or shop online if you’re not sure the network is safe.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2010/11/twelve-scams-of-christmas/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Self-Serve Emergency Room</title>
		<link>http://jacksch.com/2010/09/the-self-serve-emergency-room/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-self-serve-emergency-room</link>
		<comments>http://jacksch.com/2010/09/the-self-serve-emergency-room/#comments</comments>
		<pubDate>Thu, 23 Sep 2010 23:00:11 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4081</guid>
		<description><![CDATA[itBusiness.ca has an interesting article and video on the Self-Serve ER Kiosk. It&#8217;s an interesting concept, and it makes some sense.  But it also begs a question:  Why aren&#8217;t we allowing pharmacists to deal with non-urgent issues? It makes little sense, especially for someone without a GP, to go to an Emergency Room or wait [...]]]></description>
			<content:encoded><![CDATA[<p>itBusiness.ca has an <a href="http://www.itbusiness.ca/IT/client/en/CDN/News.asp?id=59330" target="_blank">interesting article and video on the Self-Serve ER Kiosk</a>.</p>
<p>It&#8217;s an interesting concept, and it makes some sense.  But it also begs a question:  Why aren&#8217;t we allowing pharmacists to deal with non-urgent issues?</p>
<p>It makes little sense, especially for someone without a GP, to go to an Emergency Room or wait for hours at a walk-in clinic for a condition such as a simple infection.  We have experts at our local pharmacy counter with years of training and a knowledge of drugs that far exceeds most physicians.  In many countries they&#8217;re allowed to write prescriptions.  Why not in Canada?</p>
<p>Kiosks are cool, and they have a role, but let&#8217;s leverage the professionals already out there first.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2010/09/the-self-serve-emergency-room/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>H1N1: A case study in poor risk decisions</title>
		<link>http://jacksch.com/2009/11/managing-ph1n1-riskpoorly/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=managing-ph1n1-riskpoorly</link>
		<comments>http://jacksch.com/2009/11/managing-ph1n1-riskpoorly/#comments</comments>
		<pubDate>Sat, 28 Nov 2009 15:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Children]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3843</guid>
		<description><![CDATA[In security circles we often discuss why some individuals and businesses find themselves in a perpetual state of high risk. While there can be complex factors, the bottom line is that many of us make poor risk management decisions in our business and personal lives. Sometimes a high risk position results because we don’t correctly [...]]]></description>
			<content:encoded><![CDATA[<p>In security circles we often discuss why some individuals and businesses find themselves in a perpetual state of high risk. While there can be complex factors, the bottom line is that many of us make poor risk management decisions in our business and personal lives.</p>
<p>Sometimes a high risk position results because we don’t correctly assess asset values, threats or vulnerabilities. Sometimes the cost of implementing a safeguard exceeds the expected loss, and the decision to accept risk is a logical one. And sometimes we simply make mistakes.</p>
<p>But there are other reasons that we Canadians are often too polite to point out: Laziness, denial, rationalization and risk decisions based upon emotion rather than logic.  The H1N1 &#8216;flu gives us plenty of examples.</p>
<p>We’re in the midst of an influenza pandemic.  Fortunately we know how to create ‘flu vaccines &#8212; we do it every year to combat the seasonal flu. So we have a vaccine, and every credible organization from the World Health Organization down to our local medical officers are recommending that we vaccinate ourselves and our families.</p>
<p>The risk is clear: pH1N1 is a nasty virus that, at best, will make you sick for a week or two.  At worst, it could kill you. The threat is real and much of resulting risk can be mitigated by a simple vaccination.  The Public Health Agency of Canada advises that, “without interventions like a vaccine and antivirals, close to 25 to 35 percent of the population could become ill over the period of a few months.”  Other health organizations have released similar estimates. The vaccine has been tested in Canada as well as other countries, and we know that approximately 1 in 100,000 people will have a serious reaction to it, as with any other vaccine.  (Source: <a title="http://www.phac-aspc.gc.ca/alert-alerte/h1n1/vacc/options-eng.php" href="http://www.phac-aspc.gc.ca/alert-alerte/h1n1/vacc/options-eng.php">http://www.phac-aspc.gc.ca/alert-alerte/h1n1/vacc/options-eng.php</a>)</p>
<p>From a risk management perspective it doesn’t get much simpler than this. The benefits of the vaccine clearly outweigh the risks, and the cost (a few hours of our time at most) is minimal compared to the potential loss.  And that doesn’t take ethics and social responsibility into account.   Those who choose not to be vaccinated not only may become ill, but could also pass H1N1 on to more vulnerable family, friends and colleagues &#8212; including those who can&#8217;t be vaccinated due to allergies.</p>
<p>As a result, we continue to see people announce on the Internet that they’re not getting vaccinated. Some quote “facts” that are uninformed myths at best.  Some focus on the 1 in 100,000 serious reaction rate and completely lose perspective.  Others ignore a century or so of medical science and proclaim that they don’t need a vaccination because they are &#8220;healthy and take their herbs and vitamins.”</p>
<p>Chances are that you’ve already seen the writings of otherwise intelligent parents who are incapable of making good risk management decisions. Their blog posts usually start with how much they love their kids.  Then they latch on to the one quack that charges people $50 each to attend a seminar to learn “the truth” and rationalize that “the medical community don’t all agree”.  They focus on the danger of mercury in vaccines, even though the exposure is less than you’d get from eating a can of tuna.  Or they repeat silly claims like suggesting that the vaccine is “untested”.</p>
<p>Some of these people obviously have other agendas.  It&#8217;s clear from their writing that they&#8217;re simply anti-vaccination shills. They write clever &#8220;balanced&#8221; articles pitting fact against laughable fiction and seek to &#8220;support&#8221; others who share their defective logic.</p>
<p>Some see themselves as rebels, not &#8220;giving in&#8221; to the experts who tell them they should be vaccinated.  The old phrase, &#8220;Rebels without a clue&#8221; comes to mind.</p>
<p>In others, the barrage of H1N1 information creates neurotic behaviour and they operate on a completely emotional level. They &#8220;agonize&#8221; (often at length and in writing) about how &#8220;difficult&#8221; the decision was.  They lose all perspective, and should you dare point out the flaws in their reasoning their feelings are hurt. How dare you suggest that they don’t know what’s best. They behave as if the act of conceiving a child instantly made them more knowledgeable on vaccines than the WHO, CDC, and the medical experts of countless countries, including their own. They have “the right” not to vaccinate themselves and their children, and as emotional people often do, they confuse having a right with it being the right thing to do.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/11/managing-ph1n1-riskpoorly/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>20 years of freedom</title>
		<link>http://jacksch.com/2009/11/20-years-of-freedom/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=20-years-of-freedom</link>
		<comments>http://jacksch.com/2009/11/20-years-of-freedom/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 17:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://techlifepost.com/2009/11/09/20-years-of-freedom/</guid>
		<description><![CDATA[  (The Berlin Wall, December 1985.  Photo by Eric Jacksch) Twenty years ago today the Berlin Wall fell, uniting East and West Germany. Celebrations today include fireworks, concerts, and the toppling of foam dominoes painted by school children. Spiegel Online International has a great collection of historic images and coverage of the 20th anniversary celebration.  [...]]]></description>
<content:encoded><![CDATA[
<p><em><a href="http://techlifepost.com/wp-content/uploads/19851200Berlin.jpg"><img class="alignnone size-full wp-image-3838" title="19851200Berlin" src="http://techlifepost.com/wp-content/uploads/19851200Berlin.jpg" alt="19851200Berlin" width="400" height="261" /></a></em></p>
<p><em>(The Berlin Wall, December 1985.  Photo by Eric Jacksch)</em></p>
<p>Twenty years ago today the Berlin Wall fell, uniting East and West Germany. Celebrations today include fireworks, concerts, and the toppling of foam dominoes painted by school children. <a href="http://www.spiegel.de/international/" target="_blank">Spiegel Online International</a> has a great collection of historic images and coverage of the 20th anniversary celebration.  They also have published their interview with Lieutenant-Colonel Harald Jäger, <a href="http://www.spiegel.de/international/germany/0,1518,660128,00.html" target="_blank">The Guard Who Opened the Berlin Wall</a> (in English).</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/11/20-years-of-freedom/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Adobe vulnerability — In perspective</title>
		<link>http://jacksch.com/2009/03/latest-adobe-vulnerability-%e2%80%94-in-perspective/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=latest-adobe-vulnerability-%25e2%2580%2594-in-perspective</link>
		<comments>http://jacksch.com/2009/03/latest-adobe-vulnerability-%e2%80%94-in-perspective/#comments</comments>
		<pubDate>Wed, 11 Mar 2009 10:00:36 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3272</guid>
		<description><![CDATA[I use a lot of Adobe products. Lightroom, Photoshop, Premiere and Acrobat to name some. So, when blogs started buzzing about an Acrobat vulnerability, they grabbed my attention. And, when my distinguished colleague Larry Seltzer at eWeek.com wrote that “It May Be Time to Abandon Adobe”, I began to wonder if the sky was falling. [...]]]></description>
			<content:encoded><![CDATA[<p>I use a lot of Adobe products. Lightroom, Photoshop, Premiere and Acrobat to name some. So, when <a href="http://blog.didierstevens.com/2009/03/09/quickpost-jbig2decode-look-mommy-no-hands/" target="_blank">blogs started buzzing</a> about an Acrobat vulnerability, they grabbed my attention. And, when my distinguished colleague Larry Seltzer at eWeek.com wrote that “<a href="http://www.eweek.com/c/a/Security/It-May-Be-Time-to-Abandon-Adobe/" target="_blank">It May Be Time to Abandon Adobe</a>”, I began to wonder if the sky was falling.</p>
<p>Adobe deserves a Colbert-style wag of the finger and I can understand why Seltzer is frustrated by the delay in obtaining a patch. But his suggestion that companies consider dumping Adobe in favour of other third-party pdf readers — that he himself admits also have a track record of security issues — just doesn’t make sense.</p>
<p>Let’s take a look at what happened.</p>
<p>In February, a vulnerability in several versions of Acrobat was discovered.  In summary, it is possible to manipulate a pdf document so that your system becomes infected when you open it or, under certain circumstances, when your computer indexes it (more on that later).</p>
<p>Things appear to have been quiet until Feb 19th, when various security researchers and vulnerability databases picked it up.  Adobe <a href="http://www.adobe.com/support/security/advisories/apsa09-01.html" target="_blank">released an advisory</a> the same day and updated it on Feb 24th.  The advisory stated that a patch would be available on March 11th.  They worked with antivirus vendors to protect customers, <a href="http://www.adobe.com/support/security/bulletins/apsb09-03.html" target="_blank">released a patch</a> and have information <a href="http://blogs.adobe.com/psirt/" target="_blank">on their blog</a>.</p>
<p>Yes, Adobe had a security defect in their code and took a few weeks to release a patch.  Yes they need to be more careful and respond faster.  But that’s only part of the story.</p>
<p>Aside from the overly sensationalistic and unbalanced journalism, much of the buzz had to do with the fact that, as <a href="http://blog.didierstevens.com/2009/03/09/quickpost-jbig2decode-look-mommy-no-hands/" target="_blank">Stevens points out in his blog post</a>, infection can occur, “&#8230;on a Windows XP SP2 machine with Windows Indexing Services started and Adobe Acrobat Reader 9.0 installed…And the bug happens in a process running with Local System rights!”  Nasty indeed, but that is only partially Adobe’s fault.</p>
<p>No process interacting with user data, including an indexing service, should be running with system privileges.  It’s the type of stupidity that should cause first year computer science students — and experienced IT writers — to point their finger and laugh.  No process indexing a user’s files should have the right to change operating system files. Ideally, the process also should not be able to write to any of the files it is indexing.  It doesn’t need those privileges to do the job and it shouldn’t have them. It’s called the Principle of Least Privilege.  If the operating system was properly designed, the impact of this code defect would have been significantly decreased.</p>
<p>If we really want to see fewer security vulnerabilities, we need to start better architecting software and operating systems and building-in security, rather than considering it as an afterthought.  We need to design systems to tolerate code mistakes without breaching security.  It can be done but software developers won’t do it until the market demands it.</p>
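<p>To make the point concrete, here is an added example (mine, not Adobe&#8217;s, Microsoft&#8217;s or the post&#8217;s code) of the design the previous two paragraphs call for: the parser that touches untrusted bytes runs in a disposable child that has been stripped of every file descriptor and forbidden to open another, so a hijacked parser can modify neither the files it indexes nor anything else, and the parent receives nothing but a JSON result. The parser is a constructed stand-in with a deliberate defect (a document whose first line is the made-up marker <code>%%WRITE%%&lt;path&gt;</code> makes it try to append to that file, which is what a hijacked parser with excess privilege could do). The confinement uses POSIX resource limits, so the example is Linux/macOS only; a production indexer would add a dedicated unprivileged account and a seccomp or AppArmor profile on top.</p>

```python
import json
import os
import resource
import tempfile


def extract_words(doc: bytes) -> dict:
    """Toy parser standing in for something like a JBIG2 decoder.

    Deliberate defect (constructed for the example): a first line of
    "%%WRITE%%<path>" makes the parser append to <path>.
    """
    text = doc.decode("utf-8", errors="replace")
    first_line, _, rest = text.partition("\n")
    if first_line.startswith("%%WRITE%%"):
        with open(first_line[len("%%WRITE%%"):], "ab") as f:   # simulated hijack
            f.write(b"owned\n")
        text = rest
    counts: dict = {}
    for word in text.split():
        counts[word] = counts.get(word, 0) + 1
    return counts


def _confine(result_fd: int) -> None:
    """Strip the child down before it touches untrusted bytes.

    Afterwards the child owns exactly one descriptor (the result pipe, at 0)
    and may not open another, so it cannot read, create or modify any file,
    indexed or otherwise, however badly the parser misbehaves.
    """
    os.dup2(result_fd, 0)
    highest = resource.getrlimit(resource.RLIMIT_NOFILE)[0]
    os.closerange(1, highest)                            # stdout, stderr, every inherited fd
    resource.setrlimit(resource.RLIMIT_NOFILE, (1, 1))   # any open() now fails with EMFILE
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))    # belt and braces: no file may grow
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))      # a runaway parse is killed, not the host


def _write_all(fd: int, data: bytes) -> None:
    while data:
        data = data[os.write(fd, data):]


def index_untrusted(doc: bytes) -> dict:
    """Parse doc in a confined, disposable child; the parent only sees the JSON result.

    JSON, not pickle, on purpose: the child is the untrusted side of the boundary,
    and unpickling its output would hand a hijacked child code execution here.
    """
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:                                         # child
        os.close(read_end)
        try:
            _confine(write_end)
            payload = json.dumps({"ok": True, "words": extract_words(doc)})
        except BaseException as exc:                     # MemoryError, OSError, anything
            payload = json.dumps({"ok": False, "error": {
                "type": type(exc).__name__,
                "errno": getattr(exc, "errno", None),
                "message": str(exc)}})
        _write_all(0, payload.encode())
        os._exit(0)
    os.close(write_end)                                  # parent
    chunks = []
    while True:
        chunk = os.read(read_end, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_end)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return {"ok": False, "error": {"type": "signal", "errno": None,
                                       "message": f"parser killed by signal {os.WTERMSIG(status)}"}}
    try:
        result = json.loads(b"".join(chunks))
    except ValueError:
        result = None
    if not isinstance(result, dict) or "ok" not in result:
        return {"ok": False, "error": {"type": "protocol", "errno": None,
                                       "message": "malformed result from parser"}}
    return result


def demo_hijack_attempt() -> tuple:
    """Constructed scenario: a document that makes the parser try to modify a file.
    Returns (indexer result, contents of that file afterwards)."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"original\n")
        path = f.name
    try:
        result = index_untrusted(b"%%WRITE%%" + path.encode() + b"\nsome words here")
        with open(path, "rb") as f:
            contents = f.read()
    finally:
        os.unlink(path)
    return result, contents


if __name__ == "__main__":
    print(index_untrusted(b"the quick brown the fox"))
    print(demo_hijack_attempt())
```

<p>The benign document comes back as word counts; the hostile one comes back as a structured error (the open fails with EMFILE) and the target file is untouched, which is exactly the outcome the indexing service in the story could not offer. The parent never runs the parser itself, so a crash in the child costs one parse, not the machine.</p>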
<p>Or, I guess you could just take Seltzer’s advice. Dump Adobe and move to Foxit. That product hasn’t had a <a href="http://secunia.com/advisories/34036/" target="_blank">security vulnerability announced in two days</a>. And look, it’s the same issue as Adobe’s. Or take Seltzer&#8217;s other suggestion and try Sumatra PDF, an open source solution that has <a href="http://code.google.com/p/sumatrapdf/issues/list" target="_blank">about 200 open defects</a>, some of which date from 2007.</p>
<p>Adobe may not be perfect and the company could have reacted faster. But put away the pitchforks. Or, at least, aim them in the right direction.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/03/latest-adobe-vulnerability-%e2%80%94-in-perspective/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Evidence from a Black Box</title>
		<link>http://jacksch.com/2009/02/evidence-from-a-black-box-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=evidence-from-a-black-box-2</link>
		<comments>http://jacksch.com/2009/02/evidence-from-a-black-box-2/#comments</comments>
		<pubDate>Mon, 09 Feb 2009 11:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Law]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=2879</guid>
		<description><![CDATA[A recent court case in Minnesota poses an interesting question. In summary, a man accused of impaired driving says he should be able to review the source code of the breathalyzer used to gather the evidence against him. On the surface, the man’s request seems reasonable. As I understand it, the primary evidence against him [...]]]></description>
			<content:encoded><![CDATA[<p>A recent court case in Minnesota poses an interesting question. In summary, a man accused of impaired driving says he should be able to review the source code of the breathalyzer used to gather the evidence against him.</p>
<p>On the surface, the man’s request seems reasonable. As I understand it, the primary evidence against him is that he exhaled into a box and it displayed a number. And that number was too big.  In fact, everyone who drives, impaired or not, presumably has an interest in the accuracy of the device.</p>
<p>But the manufacturer, CMI, Inc., and the State of Minnesota apparently disagree, and they have convinced both the trial and appeal judges that handing over the source code would be “unreasonably burdensome.” So unless the defendant launches another appeal — or perhaps buys one and sends it to a lab for analysis — he appears to be out of luck.</p>
<p>I’m inclined to believe that the accused is simply looking for any possible way to have the evidence against him excluded. But that’s the way the system works. To be convicted, the accused must be proven guilty beyond a reasonable doubt. He has the right to cross examine human witnesses, so it simply doesn’t make sense that he’s not allowed to examine the functioning of the machine that says he was over the legal limit.</p>
<p><strong>What could go wrong</strong></p>
<p>There are a number of things that could go wrong with an electronic breathalyzer.  Presumably, aging or failing components that change the readings would be picked up during calibration, so there are likely some procedural safeguards. But what if the developer made a mistake or took shortcuts?  Converting the output of an optical sensor into a breath alcohol concentration, and then into a blood alcohol level, must involve some math. What if there is a bug in the math libraries that hasn’t been discovered?</p>
<p>Then there are issues such as version control. Did the right software get loaded onto the device? Has it been upgraded? Can the vendor reproduce the exact code loaded onto devices sold several years ago? Has it been modified?</p>
<p>The last question should send shivers down a judge’s spine. The device is in the custody of the same person who laid the charges and who, therefore, has an interest in seeing a conviction. While the vast majority of police officers play by the rules, we are obliged to ask the question: What checks and balances are in place to stop that one bad apple from tampering with the device? Without appropriate safeguards, you too could be just one firmware mod away from a criminal conviction.</p>
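<p>As an added illustration (not part of the original column, and not how CMI or any other vendor actually does it), here is the minimum a vendor or an independent examiner would need in order to answer the last three questions for a given device: a signed release manifest recording the exact build, and a check that the image read back from the device matches it. The image bytes and the signing key are constructed stand-ins. The manifest is signed with an HMAC only because that needs nothing beyond the standard library; a real deployment would use an asymmetric signature (Ed25519, for instance) so the examiner can verify without being able to forge.</p>

```python
import hashlib
import hmac
import json

# Constructed stand-ins for this example: not real firmware, not a real key.
FIRMWARE_V2_1 = (
    b"BREATH-ANALYSER-FW 2.1\n"
    b"sensor_gain=1.024\n"
    b"breath_to_blood_ratio=2100\n"      # the kind of constant a defect or an edit would change
    b"legal_limit_mg_per_100ml=80\n"
)
SIGNING_KEY = b"release-signing-key-for-this-example-only"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(fields: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(version: str, image: bytes, key: bytes) -> dict:
    """Record what was actually built and loaded (version, size, hash), then sign the record."""
    fields = {"version": version, "size": len(image), "sha256": sha256_hex(image)}
    signature = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "signature": signature}


def verify_device_image(image: bytes, manifest: dict, key: bytes) -> dict:
    """Check an image read back from a device against its signed manifest.

    Two failures are kept distinct: the record itself was edited (or signed with
    the wrong key), or the record is genuine but the device runs something else.
    """
    claimed = dict(manifest)
    signature = claimed.pop("signature", "")
    expected = hmac.new(key, _canonical(claimed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signature, expected):
        return {"trusted": False, "reason": "manifest signature invalid"}
    if len(image) != claimed["size"] or not hmac.compare_digest(sha256_hex(image), claimed["sha256"]):
        return {"trusted": False, "reason": "image hash mismatch"}
    return {"trusted": True, "version": claimed["version"]}


def demo() -> dict:
    """Constructed scenarios: the shipped build, a same-length edit to one constant,
    and a manifest whose version field was altered after signing."""
    manifest = make_manifest("2.1", FIRMWARE_V2_1, SIGNING_KEY)
    edited_image = FIRMWARE_V2_1.replace(b"ratio=2100", b"ratio=2000")
    edited_manifest = {**manifest, "version": "2.2"}
    return {
        "shipped": verify_device_image(FIRMWARE_V2_1, manifest, SIGNING_KEY),
        "edited_image": verify_device_image(edited_image, manifest, SIGNING_KEY),
        "edited_manifest": verify_device_image(FIRMWARE_V2_1, edited_manifest, SIGNING_KEY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

<p>The hash alone answers &#8220;has it been modified?&#8221; only if the recorded hash itself cannot be quietly replaced, which is why the record is signed; the same manifest, kept for every unit and every field update, is what lets a vendor show years later exactly which code a given device was running.</p>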
<p><strong>What should be done</strong></p>
<p>An objective third party can examine all aspects of the software development life cycle, the software, the hardware, field maintenance and related security controls. If the manufacturer has done its job, the third party report will depict a reliable and trustworthy device. In fact, if the manufacturer has done its job, it should welcome the notion of an objective third party doing just that. On the other hand, if the manufacturer hasn’t done its job, we’ll all know that, as well.</p>
<p>According to Bill Collins, sales manager at CMI, the product was thoroughly tested by the National Highway Traffic Safety Administration, part of the United States Department of Transportation, prior to sale to law enforcement agencies. Individual states also test the device and it has been subject to other third party examinations prior to being generally accepted by the courts.  He made another very good point: Source code is only one part of the device and, to draw a meaningful conclusion, one would have to examine the entire device including both hardware and software.</p>
<p><strong>Preserving defendant rights</strong></p>
<p>While I sympathize with the company and understand its desire to keep the proprietary source code confidential, impaired driving is a crime and a conviction can have major implications, including restrictions on employment and travel. Criminal defendants must be allowed to examine the evidence against them. Intellectual property concerns are a red herring – courts have long had procedures in place to allow the examination of sensitive information in a controlled manner.</p>
<p>If a defendant wants to retain an expert to conduct such an analysis, he or she must be allowed to do so. If the product is solid, defendants will quickly find out that they are simply throwing their money away. Some American states including Florida agree and have upheld the defendant’s right to examine the code.</p>
<p>In the words of English jurist William Blackstone, “Better that ten guilty persons escape than that one innocent suffer.”  Allowing any black box to produce evidence is a slippery slope that we can’t afford, and product vendors should take note. It won’t be long until other devices like digital recorders are subject to the same scrutiny. Until we illuminate inside, outside and around the box there is no justice.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/02/evidence-from-a-black-box-2/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Bus Strike? Bad Weather? Work at home!</title>
		<link>http://jacksch.com/2009/02/bus-strike-pandemic-bad-weather-work-at-home/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=bus-strike-pandemic-bad-weather-work-at-home</link>
		<comments>http://jacksch.com/2009/02/bus-strike-pandemic-bad-weather-work-at-home/#comments</comments>
		<pubDate>Mon, 02 Feb 2009 10:00:00 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Products]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=2654</guid>
		<description><![CDATA[Businesses, transit users and those of us who drive to work all suffered during Ottawa’s transit strike.  However, we can learn valuable lessons about business continuity planning that are equally applicable to an influenza pandemic, severe storm or even a terrorist attack. There is a segment of our population who simply must get to work: [...]]]></description>
			<content:encoded><![CDATA[<p>Businesses, transit users and those of us who drive to work all suffered during Ottawa’s transit strike.  However, we can learn valuable lessons about business continuity planning that are equally applicable to an influenza pandemic, severe storm or even a terrorist attack.</p>
<p>There is a segment of our population who simply <strong><em>must</em></strong> get to work: Police officers, fire fighters, teachers, bankers, assembly line workers and those in the health care, retail and hospitality sectors. But many of us can — or could, with the right solution — work from anywhere we have access to a computer and telephone rather than sitting in traffic.</p>
<p>Now, before I give you the wrong impression, I do live in the real world.  Face-to-face meetings are often more desirable than teleconferences, and some companies aren’t set up to support remote workers.  Some corporate cultures are such that working from home is seen as a euphemism for a day off and having one’s buttocks pressing upon a chair for the requisite number of hours is considered far more important than actually getting work done.  As a result modern day office martyrs drag themselves to the office when ill and consider sprinkling their viral load amongst colleagues a badge of honour.</p>
<p>When we step back and look at the issues from a broader point of view, it’s clear that during a transit strike we would all benefit by keeping the roads clear for those who must go to work and spending our time working instead of sitting in the car.</p>
<p>From a business perspective, not only are there advantages during transit strikes and severe storms, but the capability also allows the organization to function despite other emergencies such as fires, building evacuations and localized power failures.  Enabling employees to work at home also helps to retain top talent by promoting a better work-life balance. And fewer commuters is better for the environment as well.</p>
<p>Enabling remote work — like any other infrastructure change — does have security implications.  Some organizations already have fundamental components in place such as laptops with VPN connectivity and the ability to forward phone lines.  For those who don’t, products are available to specifically address the issues.</p>
<p>One company seeing increased interest in their products is Route1, the Toronto-based firm that developed the MobiKEY product. &#8220;The user simply plugs MobiKEY into any computer with Internet access and within seconds they are able to access their home or office computer through the TruOFFICE service,&#8221; explained Tanieu Tan, Director of Marketing.  &#8220;With MobiKEY, all information remains behind the corporate firewall and no footprint of the work session is left on the guest computer. In the event that there is malware on the guest computer, it can not be introduced into the corporate network, making this a very secure solution.&#8221;</p>
<p style="text-align: center;"><a href="http://techlifepost.com/wp-content/uploads/mobikey1.jpg"><img class="aligncenter" style="border: 0pt none; display: inline;" title="MobiKEY1" src="http://techlifepost.com/wp-content/uploads/mobikey1-thumb.jpg" border="0" alt="MobiKEY1" width="444" height="162" /></a></p>
<p>The product also offers other features to facilitate secure access to Web portals or specific applications instead of an entire remote desktop environment.  These solutions also tout a high level of security by eliminating dependence upon applications on the user’s local computer.</p>
<p>So, whether you blamed the City, OCTranspo workers or, perhaps, both, we did get a great lesson in business continuity planning.  Acting now can better enable you and your company to cope with similar events in the future.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/02/bus-strike-pandemic-bad-weather-work-at-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internet censorship</title>
		<link>http://jacksch.com/2009/01/on-internet-censorship/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=on-internet-censorship</link>
		<comments>http://jacksch.com/2009/01/on-internet-censorship/#comments</comments>
		<pubDate>Mon, 26 Jan 2009 12:00:01 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=2488</guid>
		<description><![CDATA[What would you think if you searched the Internet after the Canadian federal budget is presented tomorrow and every article you could find about it was positive? How would you feel if you attempted to visit the blog of an outspoken critic and the site was suddenly gone? More than 2000 years ago the ancient [...]]]></description>
			<content:encoded><![CDATA[<p>What would you think if you searched the Internet after the Canadian federal budget is presented tomorrow and every article you could find about it was positive? How would you feel if you attempted to visit the blog of an outspoken critic and the site was suddenly gone?</p>
<p>More than 2000 years ago the ancient Chinese strategist Sun Tzu wrote about controlling and manipulating information. Politicians, military leaders and advertising agencies (to name just a few) have spent much of the time since refining their techniques. For example, during the cold war, nations such as the Soviet Union and East Germany used high-power transmitters to jam western radio and television broadcasts to prevent their citizens from watching and listening to them. At the same time, western countries used shortwave radio stations to broadcast programming specifically intended for the eastern audiences.</p>
<p>While radio frequency jamming continues in some parts of the world, the battle is now mostly online. Canadians can fairly expect to read all sorts of opinions on the budget but citizens of some other countries, notably China, aren&#8217;t so fortunate: Their government operates extensive filters in an ongoing attempt to suppress opposing viewpoints.</p>
<p>Other countries are more subtle. For example, at last report Australia was still moving forward with its &#8220;Clean Feed&#8221; project, which would require Australian Internet Service Providers to implement mandatory filtering. The filter was initially touted as a &#8220;cyber-safety&#8221; measure for homes with children. However, according to Electronic Frontiers Australia, &#8220;Recent comments by experts have revealed the existence of a second, secret black list that would apply even to homes that managed to opt out of the child-safe filtering scheme.&#8221;</p>
<p>The problem with all these schemes is who gets to decide what content is filtered and how the decision is made. Child pornography is universally unacceptable and proponents of filtering thus often use it as an example and a justification. Material such as hardcore pornography, information on how to make bombs and the words of those who propose policies such as genocide also have few public defenders. Then there&#8217;s nudity and violence. Some people find nudity offensive in itself, while others perceive the human body as beautiful. Some parents allow their young children to watch violent cartoons while others hope to <em>never</em> expose them to Elmer Fudd, the madman with the shotgun, or Wile E. Coyote and his nasty dynamite habit.</p>
<p>Government-imposed or Government-controlled Internet censorship is extremely dangerous. Once filters are implemented, politicians and bureaucrats will be under constant pressure by special interest groups to block additional content. Adding a Web site to the blacklist will always be a safer political decision than not adding it. Pornography will be first because very few people are willing to publicly support it, followed shortly by any form of nudity. Religious groups will quickly organize and apply massive pressure to censor Web sites about abortion, contraception, homosexuality or that dare question the existence of God. You might disagree, and perhaps you personally might have the courage to stand fast against such groups. Now put the same decision into the hands of a group of people concerned about being re-elected and see how quickly the blacklist grows.</p>
<p>Of course once the filters are in place, there will be other uses for them. Fighting with terrorists? Block their Web sites to protect your citizens. Find complaints about the goings on in Gaza politically costly? Just flip the switch. Let there be no misunderstanding: These filters allow Governments to choose what we can and cannot read, to curb discussion and to silence dissent. And, no matter how noble the initial intent may be, they will be abused.</p>
<p>On December 10, 1948, the General Assembly of the United Nations proclaimed the Universal Declaration of Human Rights. Article 19 reads:</p>
<blockquote><p>&#8220;Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.&#8221;</p></blockquote>
<p>Whatever we think of the UN&#8217;s effectiveness today, the fact remains that, a few years after the end of the Second World War, a majority of the countries around the world saw fit to include this principle alongside other fundamental human rights. We must not allow short-sighted politicians to take this right away.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/01/on-internet-censorship/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Obama and his BlackBerry</title>
		<link>http://jacksch.com/2009/01/obama-and-his-blackberry/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=obama-and-his-blackberry</link>
		<comments>http://jacksch.com/2009/01/obama-and-his-blackberry/#comments</comments>
		<pubDate>Tue, 20 Jan 2009 10:00:29 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Opinion]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=2363</guid>
		<description><![CDATA[The Messaging and Mobile Media division of VeriSign is estimating  a record 1.4 billion mobile messages will be sent on Inauguration Day. But President Barack Obama probably won&#8217;t be sending or receiving any of them. At least, not on Inauguration Day. Obama and his Blackberry on the campaign trail. There has been an onslaught of [...]]]></description>
			<content:encoded><![CDATA[<p>The Messaging and Mobile Media division of VeriSign is estimating  a record 1.4 billion mobile messages will be sent on Inauguration Day. But President Barack Obama probably won&#8217;t be sending or receiving any of them. At least, not on Inauguration Day.</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-2217" title="obama_bberry_sml" src="http://techlifepost.com/wp-content/uploads/obama_bberry_sml.jpg" alt="obama_bberry_sml" width="358" height="288" /></p>
<p style="text-align: center;"><em>Obama and his Blackberry on the campaign trail.</em></p>
<p>There has been an onslaught of articles posing questions such as, &#8220;Is the BlackBerry secure?&#8221; and probing issues like access to the President&#8217;s email.  But there are much larger issues here.</p>
<p>As a Canadian, I have only a passing familiarity with the American legal system, so I won&#8217;t pretend to understand issues related to congressional access to Presidential email.  However, if the President of the United States doesn&#8217;t have the right to exchange private personal emails with friends and family, something is seriously wrong and it is not a technical problem.</p>
<p>In attempts to explain the security properties of most email, many have written that email is like sending a postcard. In reality, it&#8217;s worse.  It is unlikely that someone working at a postal sorting facility could automatically copy every postcard flowing through the system and walk out with it at the end of the day. Sadly, that&#8217;s all too easy with email. While larger ISPs have internal security and privacy processes in place, it still remains trivial to intercept copies of email, especially in the case of smaller Internet service providers. Email also leaves another trail: Virtually every mail server maintains a log file that shows the source and destination of every email message that passed through it.</p>
<p>The impact of this issue depends largely upon who you are. I, for one, would be flattered to hear that thousands of system administrators across the world searched their mail logs for my email address. However, such searches are guaranteed to happen within minutes of President Obama&#8217;s email address becoming known and the mere fact that Obama sent someone an email makes them interesting. Interesting enough that at least some system administrators will open the mailbox to have a look. And interesting enough that a number of organizations, both domestic and foreign, would be happy to pay for it.</p>
<p>The underlying issue is that, while the technology required to secure our email has existed for almost two decades, we don&#8217;t use it. Tools like PGP and the S/MIME capability built into Outlook are relatively easy to use, but only an infinitesimally small number of people use them. Ask them what percentage of their total email is protected and you&#8217;ll quickly hear that most of their friends don&#8217;t have the capability to exchange encrypted email.</p>
<p>Yes, there are some issues with the BlackBerry, most notably that the encryption technology used in the device should be improved. But we need to keep the vulnerabilities in perspective. For most of us, our BlackBerry is not the weak link because intercepting the data and decrypting it is expensive, complicated and illegal. On the other hand, I would expect at least a dozen countries to spare no expense to monitor the President&#8217;s personal email. Put in security terms, few of us face a threat agent with sufficient resources and motivation to intercept the radio communications to and from our BlackBerry and break the cryptography. But the President does and the beauty of intercepting radio waves is that nobody can see you do it.  While personal emails may be benign, they can give some insight into what a leader is thinking, what other people are telling him and who his friends are.</p>
<p>Other issues exist, including the fact that any mobile phone, BlackBerry or otherwise, can be used to tell where someone is located when it is turned on. I won&#8217;t repeat the countless scenarios that people are posting to the net. They don&#8217;t matter. We already know where the President is. Anyone who needs his BlackBerry signal to find the Presidential motorcade isn&#8217;t much of a threat. And, after all, the devices do have an off switch.</p>
<p>But there&#8217;s another force at play that has nothing to do with security. Obama&#8217;s BlackBerry provides him with a direct path to the Internet that bypasses his advisors. Email, web, and telephone that they don&#8217;t screen or control. Just imagine the President asking a friend, former senate colleague, or anyone else for their opinion via email or instant messenger. This type of connectivity has the potential to change the White House and I&#8217;m sure that at least some people don&#8217;t like that.</p>
<p>I hope that President Obama keeps his BlackBerry. Ensuring that the President remains plugged in is a good thing. I also hope he assigns someone a new job: Fix email security. While few of us face the same threats as the President, given the economic climate and widespread economic and industrial espionage facing virtually all developed countries, we would all benefit from more secure email. I also hope that Canadian-based Research In Motion, maker of the BlackBerry, seizes the opportunity to increase the security provided by their products. We&#8217;ll all benefit from that, as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/01/obama-and-his-blackberry/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Contact Crime Stoppers using SMS!</title>
		<link>http://jacksch.com/2008/04/contact-crime-stoppers-using-sms/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=contact-crime-stoppers-using-sms</link>
		<comments>http://jacksch.com/2008/04/contact-crime-stoppers-using-sms/#comments</comments>
		<pubDate>Thu, 24 Apr 2008 13:08:11 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://test.jacksch.com/?p=174</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.canada.com/ottawacitizen/news/city/story.html?id=20f4e7fc-76b1-43a4-84ab-e497b146b3a9">Ottawa Citizen</a> and <a href="http://ottsun.canoe.ca/News/OttawaAndRegion/2008/04/24/5370581-sun.html">Ottawa Sun</a> both ran articles today on the <a href="http://crimestoppers.ca/2008/04/crime-stoppers-now-accepts-tex.html">Crime Stoppers SMS launch</a>.</p>
<p>Monitor Today also ran a <a href="http://www.monitortoday.com/index.php?page=~~newsitems_171173">more detailed article</a> on how the system works.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2008/04/contact-crime-stoppers-using-sms/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ottawa Sun Column</title>
		<link>http://jacksch.com/2007/03/ottawa-sun-column/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=ottawa-sun-column</link>
		<comments>http://jacksch.com/2007/03/ottawa-sun-column/#comments</comments>
		<pubDate>Tue, 13 Mar 2007 13:22:05 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://test.jacksch.com/?p=88</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p>My piece on Notre Dame High School banning the use of personal electronic devices on school property is on page 15 of today&#8217;s Ottawa Sun.&nbsp; If you don&#8217;t have a paper copy, you can <a href="http://www.ottawasun.com/Comment/2007/03/13/3741932-sun.html">read it online</a>.</p>
<p>In summary, our schools need to do more educating and less banning.&nbsp; Pushing a social problem off school property by banning technology may be easier for the school, but it benefits neither society nor students.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2007/03/ottawa-sun-column/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Firearms in the Sun</title>
		<link>http://jacksch.com/2006/01/firearms-in-the-sun/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=firearms-in-the-sun</link>
		<comments>http://jacksch.com/2006/01/firearms-in-the-sun/#comments</comments>
		<pubDate>Mon, 09 Jan 2006 19:12:28 +0000</pubDate>
		<dc:creator>Eric Jacksch</dc:creator>
				<category><![CDATA[News]]></category>

		<guid isPermaLink="false">http://test.jacksch.com/?p=14</guid>
		<description><![CDATA[
]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m out of town on business for a few days, so I haven&#8217;t seen it yet, but I&#8217;m told that my article on firearms appears in today&#8217;s Ottawa Sun.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2006/01/firearms-in-the-sun/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

