Thursday, December 14, 2006

Allow Me To Geek Out For A Moment

My day job is in Information Security. Normally, I don't talk so much about that here. I get more than enough of that topic during work and with my off-hours research.

That being said, I would like to address an article that was linked to in one of the myriad security-related mailing lists I belong to. The article in question, by Greg Meckbach in IT Business, is titled "There are only two IT network security issues."

Just from the title alone I could see I was going to have issues with this article. Some of the points are valid, such as the fact that physical security is not the domain of Information Security. Except he talks about IT managers, not specifically Information Security (which is an entirely different beast). What follows is a post I sent to the security mailing list I got the link from. I have changed it somewhat, because I am grammar impaired and because I have had more time to think on this topic. However, the primary point I was trying to make is unaltered.

I agree with some of what Mr. Meckbach said, but a couple of statements he made struck me as wrong (or perhaps mislabelled).

If a criminal could steal something as a result of hacking into a network, that again is a management problem. It's the manager's job to make sure sensitive information is not stored on accessible drives.

Wouldn't this fall under the category of "spying", which he specifically names as one of the two concerns?

Anyway, what does he recommend "management" do? (And which management? Operations, IT, HR?) Reduce the distribution of sensitive business information to sneaker-net? Create a secondary network, which would require multiple NICs and custom config to guarantee one network cannot see the other (even then, compromise a dual-homed host and that separation is useless), or require users to have a separate workstation for each isolated network?

The fifth issue - compliance with securities regulations - is supposedly one of the security problems with instant messaging, because some IM programs do not have an archiving capability, which would allow investigators to check every record of an employee's correspondence.

While this may be a problem, it's not a security problem. Letting employees communicate, without monitoring that communication, is the business manager's problem, not the IT manager's problem.

Mr. Meckbach seems to be confusing IT management with Information Security. Yes, the decision to archive and monitor IM may ultimately be an executive-level decision, but the implementation is most definitely the communications group's responsibility (which would fall under IT). The actual risk assessment and use of mitigating controls in an attempt to proactively prevent or limit the type of information transmitted using IM is, without a doubt, an IS concern.

For any business that is concerned about these things, risk assessment is a major part of the security framework. And a company's Information Security team plays a large part in risk assessment and mitigation. IS's primary function is to allow the business to conduct its day-to-day operations with no more risk than necessary. IS involves more than just securing a network and attached hosts.

Information Security is about information. While the majority of IS does involve technological systems and solutions, it also involves things like standards and practices, security policies, compliance, and risk assessment. I have seen the attitude expressed in this article before, but usually it comes from people who don't seem to understand that security is not an end in itself. It is the means by which a company can conduct its business with relative safety.

While I do believe a line has to be drawn somewhere (unless we want to drown in unnecessary work), Mr. Meckbach seems to have too strict a definition of what IS should encompass.

Wednesday, December 13, 2006

I Like Shiny Objects As Well

Perhaps it's some reflection of my innate barbarity. Maybe a revelation of how decadent our society has become.

I don't know... and I don't care!

I. Love. This. Show.

It's high-speed chases followed by absolutely brutal crashes tonight.

This is almost as good as the "Ho Ho Ho!" Christmas episodes of COPS with the all-prostitute casts. There are back-to-back "Ho Ho Ho!" episodes this Sat (Dec 16, 2006). A whole hour of drug-using hookers! Whee!

From episode #1923 (Ho Ho Ho!) that will be on this Dec 16, 2006 (emphasis mine):
Officer Ryan Cook of the Las Vegas Metropolitan Police Department detains a male and female in an area known for drug activity and prostitution. During questioning the female admits to being a former prostitute and a drug user. When the officer discovers drug paraphernalia in her purse, she’s placed under arrest. The male individual insists that after meeting the lady earlier in the evening, she asked for a ride home. He claims that he had no knowledge that she was a transsexual prostitute and thanks Officer Cook for his help.

I swear, this is the true Golden Age of television.

Tuesday, December 12, 2006

Technology Tuesday

Well, at least we in the US aren't the only ones who overreact due to shoddy science.

David Dean, 43, a councillor in Merton, South London, and the managing director of a publishing company, describes himself as a human antenna. “The moment I go into people’s houses I know whether they have wi-fi because my head starts to buzz. I had to leave my last job because I couldn’t stand up for more than ten minutes in the office and my boss would not remove the wi-fi. My heart raced, I had double vision and really bad headaches. It felt as though my head was in an arm lock. Twice I have been into homes where the children were screaming monsters. After I suggested to the parents that they turn off the network for two days, the kids were transformed.”

Oh, and how about the guy with the lobbying group trying to stir up fear about the so-called effects of WiFi radio signals? Please disregard the fact that he "runs a company selling electromagnetic radiation detectors and blockers."

But wait, you say, what about evidence from the other side?

Dr Michael Clark, of the HPA, says published research on mobile phones and masts does not add up to an indictment of wi-fi. “All the expert reviews done here and abroad indicate that there is unlikely to be a health risk from wireless networks,” he says. “The few studies on mobile phone masts that have appeared in peer-reviewed journals claiming to observe health effects are not at all conclusive. The real problem is deciding what level of precaution is appropriate.

“When we have conducted measurements in schools, typical exposures from wi-fi are around 20 millionths of the international guideline levels of exposure to radiation. As a comparison, a child on a mobile phone receives up to 50 per cent of guideline levels. So a year sitting in a classroom near a wireless network is roughly equivalent to 20 minutes on a mobile. If wi-fi should be taken out of schools, then the mobile phone network should be shut down, too — and FM radio and TV, as the strength of their signals is similar to that from wi-fi in classrooms.”

Sorry, Dr. Clark, anecdotal evidence always trumps facts and figures. Especially when we need to do it for the children.

I Hate The KKK As Well

That's not too far of a stretch; after all, I've already said I hate Nazis.

David Duke, the ex-Grand Wizard himself, is in Iran spewing hateful garbage from his pie hole.

Iranian President Mahmoud Ahmadinejad's conference questioning the Holocaust came to an end Tuesday, but not before hearing former KKK Imperial Wizard David Duke say that gas chambers were not used to kill Jews.

"The Zionists have used the Holocaust as a weapon to deny the rights of the Palestinians and cover up the crimes of Israel," Duke told a gathering of nearly 70 "researchers" in Tehran at Ahmadinejad's invitation.

What the fuck did he think those chambers were used for? Seriously, what else could they be used for? Rooms that seal hermetically. Pipes with fittings and valves for connecting to compressed gas tanks. Pipes that terminated in the above-mentioned hermetically sealed rooms. Of course, they were just there for... well, for killing millions of Jews!

God, I can't stand this kind of people. They have the same mentality as the cerebrally challenged 9/11 conspiracy kooks. It's really the same kind of paranoia operating here. Rather than imagining the government as this puppet master manipulating events for money and power, it's a world-wide cabal of Zionists (although these two groups of hidden masters seem to overlap at times). Rather than legitimizing the Jewish grievance against a pogrom on a scale never seen before in history, they seek to take it away, and with it the primary rationale for Israel's existence.

Now, I'm not going to get into the whole "is Israel legitimate" thing, because that's not really the issue. Well, OK, it is for this "conference", but only tangentially. The real issue here is these... meat sacks trying to erase the record of the systematic genocide perpetrated by the Nazis during the course of WWII.

I'm surprised and, at the same time, not surprised at David Duke's appearance at this carnival of ignorance. I am slightly surprised he's in Iran because, for all his nauseating personal philosophy, he was a state legislator and I would expect some semblance of patriotism. But it appears his hatred has a stronger appetite. He's been a busy little beaver these last few years. After looking over that list of "tour dates" linked, the fact that he showed up in Iran is really no surprise.

You know, I've said I hate Nazis, and I hate the KKK, but really it's simpler than that.

I hate ignorance.

Monday, December 11, 2006

Monday Night Football

Don't fuck up, Rex.

UPDATE (After 1st half): So far, so good, Rex. But the defense had better step up; they're letting the Rams get way too much yardage (and points).

UPDATE2 (7 mins left): Hester is incredible. Sixth return for a TD this season. A new NFL record, and he's a rookie. The Bears have slammed the door. It's now 42-20 and I really don't think the Rams can come back (unless it turns into turnover city).

Grossman did a great job and I hope this isn't a fluke (please don't let this be a fluke).

Half Of Texas Prepares To Move To Oklahoma

I guess I shouldn't be surprised about this, coming as it does from a state with drive-in liquor stores.

A bill filed for the 2007 legislative session would permit legally blind hunters to use laser sights, or lighted pointing instruments.

"This opens up the fun of hunting to additional people, and I think that's great," said Republican Rep. Edmund Kuempel, the bill's sponsor.

Isn't the key part of "laser sight" the word "sight"? (Yes, yes, I know. I read the article and they specifically mention being accompanied by a spotter.) I have this image of bullet-riddled houses, cars, and generally destroyed foliage.

It makes me shudder.

Admittedly, with suppressed laughter. Because I don't live in Texas.