On Saturday my wife and I went with another couple to the Nine Inch Nails / Jane’s Addiction concert. (No Matt, I don’t know when the PIR/ATE concert comes to town.) It’s been a long time since I’ve gone to a large outdoor show, like back in the cell-phones-didn’t-have-cameras era. It turns out Trent is pretty cool about the whole recording the show thing. Probably since he’s thrown off the chains of a record company and struck out on his own he’s willing to let the fans get the word out via flickr and youtube. That and he’s a big nerd, he did the sounds for Quake for crying out loud.
After we sat down in our seats waiting for Street Sweeper Social Club to take the stage we started talking about the trek to get to that point. I thought it was surprisingly laid back, but maybe that’s because I’ve flown a lot more times than gone to shows in the last few years. The sun was going down and there was a chill in the air so everyone except for Shawn had jackets. (He eventually wore the purchased JA t-shirt over his other t-shirt. He didn’t want to be “that guy” but at a certain point comfort overrode cool.)
In order to get in we got the usual line-up security search which involved a weak pat down on the sides and belt with my arms up holding my keys and phone. I was asked if I had anything else in my jacket and I automatically said no, but there was no confirmation. I could have had anything lightweight in the pockets.
Then I handed the four barcoded tickets to the next guy. He beeped the top sheet and handed it back to me. I showed him the other three sheets underneath but all I got was a blank stare. We proceeded to check out the $35 t-shirts and grabbed $12 cups of beer (no lids so there’s a better chance of spilling and requiring refill) and then proceeded to our seats. The final check was to make sure we were in the right section, all 4 tickets confirmed.
It was then that I realized the security was all about “guns & money”. The pat down was for any obvious weapons like a gun in the belt or shoulder holster, but every bag was thoroughly checked for any drinks that were dumped before entry. It’s tough to sell an $8 cup of wine if you can bring it in yourself. They’d let pretty much anyone into the “outer ring” of the amphitheater to buy those drinks, food and t-shirts. The actual ticket check was in the sections to make sure you didn’t try to sneak in an upgrade to the price you paid.
P.S. I will post about all three performances later this week. Waiting for the pics from Shawn to prove that it did happen. Feel free to check out the pics and youtubed vids over at NIN’s site in the meantime.
Sometimes it’s tough to explain to non-security people and especially non-IT people what my job is about. Bruce Schneier has a pretty good anecdote for this problem in his latest essay for Wired.
Imagine if the inventor of antilock brakes — or any automobile safety or security feature — had to sell them directly to the consumer. It would be an uphill battle convincing the average driver that he needed to buy them; maybe that technology would have succeeded and maybe it wouldn’t. But that’s not what happens. Antilock brakes, airbags, and that annoying sensor that beeps when you’re backing up too close to another object are sold to automobile companies, and those companies bundle them together into cars that are sold to consumers. This doesn’t mean that automobile safety isn’t important, and often these new features are touted by the car manufacturers.
In the essay the context is security vendors selling products to companies, but it holds with my job. I don’t directly provide any services to my company. I make sure the company’s services strike a balance between feasibility and security. That’s not a zero-sum game with good security meaning an impractical service. With the number of security methods and technologies you can use, you can probably find the right balance of good security and still focus on the business side. But when you get down to it, businesses don’t really want security, they want to do business. My job is to show the value of security and provide solutions that enable business.
Don Parker has an interesting take on my job that was reported on in Information Security Magazine at the beginning of this year. Information Security has been all about managing risk. He contends that the objective of reducing risk isn’t measurable so it’s better to focus on some new objectives for security:
- Compliance – making sure that your business follows the laws, rules, and regulations required to do business
- Benchmarking – compare your capabilities with your peers and the industry as a whole
- Differentiation – make security a reason to choose your business over another
Information Security is changing. It’s becoming more mature and more of a commodity (like electricity or water) and less of being its own specialized industry. I’m excited about the direction and looking forward to the change as long as I can keep in front of it.
I must brag. My so smart husband has been put up with some pretty impressive names for the Western Information Security Executive of the Year Award. See the bottom right hand corner of the page.
And quoted in another article.
Securityfocus has an account of groups of game griefers acquiring access to Xbox Live accounts (and the associated credit cards) through a social attack called pretexting. Pretexting became more well known after HP hired a private security firm to pretext journalists’ ISP and phone accounts to find a leak in the board. It resulted in the ouster of the Chairwoman of the board and she just narrowly missed felony charges.
Pretexting is a social attack. You call up the help line and pose as the person in order to get access to their account information. You may not have enough personal data in the first try to get past the help desk screening, but through searching the Internet and weaseling bits of information out of the help desk you can eventually pose as that person. Then you can get the password changed, access billing statements online, etc. etc.
[Edit: Xbox is responding, but they're missing the point that this attack is against the people at the service centers and not the network security of the Xbox Live service.]
Here’s an awesome “Successories” style poster. (LJ and RSS friends need to view the site to see the pic.)
Two things everyone needs to understand about the recent Boston Terror Scare:
- The signs were posted in 9 cities without incident
- The signs had been up in some cases for the last 3 weeks
Where did things go wrong? It wasn’t the concerned citizen who called it in. It wasn’t the first responders who honored the potential threat and took careful action. No, the problem happened somewhere between the first responders and the city leadership. Once the threat was found to be non-existent they needed to back off and be practical about it. Instead they overreacted and made fools of themselves. Now those leaders are attempting to cover up their overreaction by going after the promoters, and Cartoon Network and Turner Broadcasting.
We’ll see how successfully the Boston city leaders can play on people’s fear to shift blame away from them. I hope they don’t get away with it, but the precedent isn’t good.
RFID is the concept of putting a little wireless chip into pretty much everything allowing you to track and identify items with a computer and an antenna. Chances are your credit card has one in it, and there’s one in your passport if you’ve gotten it in the last few months. There’s the potential for some interesting things with RFID, (you may remember the commercial of the person walking through the grocery checkout without stopping) but the control is lost to the user since anyone with a reader nearby can check all your RFID tags at will.
So three researchers from the Netherlands submitted a paper about an RFID firewall. It queries all your currently held RFID chips and proxies answers to any other readers, including giving no answer at all. It gives the fine-grained control back to the user and is a very, very interesting development in personal privacy in a world where everything has a chip and is wireless.
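To make the proxying idea concrete, here is an added example (written for this post, not the researchers’ design or code) that models a personal RFID proxy as a policy engine: it sits between the tags you carry and any reader that asks, and for each tag decides to relay the real answer, stay silent, or hand back a decoy. The tags, reader names and rules are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ANSWER = "answer"  # relay the tag's real response to the reader
    SILENT = "silent"  # give no answer at all (the reader sees no tag)
    DECOY = "decoy"    # answer with a substitute value instead of the real one


@dataclass(frozen=True)
class Tag:
    uid: str
    kind: str      # e.g. "passport", "credit_card", "grocery"
    payload: str   # what the tag would normally hand to any reader


@dataclass(frozen=True)
class Rule:
    tag_kind: str   # "*" matches every kind of tag
    reader_id: str  # "*" matches every reader
    action: Action


@dataclass
class RfidGuardian:
    """Personal proxy between the tags you carry and outside readers (constructed model)."""
    tags: list
    rules: list
    default: Action = Action.SILENT      # unknown reader, unlisted tag: stay quiet
    log: list = field(default_factory=list)

    def decide(self, tag, reader_id):
        # First matching rule wins; otherwise the default policy applies.
        for rule in self.rules:
            if rule.tag_kind in ("*", tag.kind) and rule.reader_id in ("*", reader_id):
                return rule.action
        return self.default

    def query(self, reader_id):
        """Simulate a reader's inventory request arriving at the proxy instead of the tags."""
        answers = []
        for tag in self.tags:
            action = self.decide(tag, reader_id)
            # The proxy keeps an audit trail of who asked for what, which the
            # bare tags could never give the user.
            self.log.append((reader_id, tag.uid, action.value))
            if action is Action.ANSWER:
                answers.append((tag.uid, tag.payload))
            elif action is Action.DECOY:
                answers.append((tag.uid, "<decoy>"))
        return answers


# Constructed tags and policy: only named readers get the sensitive tags,
# the credit card lies to everyone else, and the grocery tag is public.
MY_TAGS = [
    Tag("tag-01", "passport", "passport-data"),
    Tag("tag-02", "credit_card", "card-data"),
    Tag("tag-03", "grocery", "item-4711"),
]
MY_RULES = [
    Rule("passport", "border-control", Action.ANSWER),
    Rule("credit_card", "pos-terminal", Action.ANSWER),
    Rule("credit_card", "*", Action.DECOY),
    Rule("grocery", "*", Action.ANSWER),
]


def build_guardian():
    return RfidGuardian(list(MY_TAGS), list(MY_RULES))


if __name__ == "__main__":
    guardian = build_guardian()
    for reader in ("border-control", "pos-terminal", "unknown-reader"):
        print(reader, "sees:", guardian.query(reader))
    print("audit log:", guardian.log)
```

The point of the model is the default: a reader the user has never heard of gets nothing for the passport, a decoy for the card, and only the harmless grocery tag, which is the reverse of what bare tags do today.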
A few months ago the then-chair of the board of HP was attempting to find out which board member was leaking sensitive information to which journalist. They hired a private detective agency which proceeded to make claims that they were the targets of the investigation to the phone companies so they could access the phone records. Falsely claiming someone else’s identity is fraud but since it’s online they had to come up with a new term called pretexting.
Although fraud is illegal already the California legislature decided in wake of the HP scandal to create a specific law leaving no distinction on the illegality of pretexting. But the law was shot down once the lobbying power of the MPAA got involved. Why? Because the MPAA and RIAA are using pretexting to find out who is stealing music and movies online.
I learned very early on in my life that two wrongs don’t make a right. Illegal actions to capture illegal actions should not be allowed. Down that path leads the end of the rule of law for certain classes of society (i.e. corporations or the government).
AOL released search records for over 600k users through a 3 month period. Although they randomized the user ID you can still get a good picture of who they are and, worse, what they do by linking together all of their searches.
This is the exact type of data that Google went to court for a few months ago to prevent it from being released to the government. So, what have you typed into a search engine lately?
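The reason a randomized ID is not enough is that it is random only once: every query from the same person carries the same number, so one identifying search exposes all the others. The added example below (written for this post, with a constructed log that is not from the AOL data) contrasts that release style with one that issues a fresh token per record, and goes one step beyond the post by showing the per-record alternative that breaks the linkage.

```python
import random
from collections import defaultdict

# Constructed sample log of (true_user, query) pairs, invented for this example.
RAW_LOG = [
    ("alice", "flower shop near 12345"),
    ("alice", "Alice Smith high school reunion"),
    ("alice", "second mortgage rates"),
    ("alice", "used minivan dealer"),
    ("bob", "sports scores"),
    ("bob", "best pizza downtown"),
    ("bob", "resume tips"),
    ("carol", "weather this weekend"),
    ("carol", "hiking trails nearby"),
]


def _shuffled_pool(size, seed):
    rng = random.Random(seed)
    pool = list(range(100000, 100000 + size))
    rng.shuffle(pool)
    return pool


def pseudonymize(log, seed=0):
    """AOL-style release: each real user becomes a random number that stays the
    SAME for every one of that user's queries."""
    pool = _shuffled_pool(len(log), seed)
    ids = {}
    out = []
    for user, query in log:
        if user not in ids:
            ids[user] = pool.pop()
        out.append((ids[user], query))
    return out


def tokenize(log, seed=0):
    """Alternative release: a fresh random token per record, so no two queries
    can be tied to the same person."""
    pool = _shuffled_pool(len(log), seed)
    return [(pool.pop(), query) for _, query in log]


def profiles(anon_log):
    """Group queries by whatever identifier the release carries."""
    groups = defaultdict(list)
    for ident, query in anon_log:
        groups[ident].append(query)
    return dict(groups)


def largest_profile(anon_log):
    """Size of the biggest set of queries that can be linked to one identifier."""
    return max(len(queries) for queries in profiles(anon_log).values())


def linked_queries(anon_log, revealing_query):
    """Everything else a reader learns once a single query (a name, a postcode)
    pins the identifier to a real person."""
    for queries in profiles(anon_log).values():
        if revealing_query in queries:
            return [q for q in queries if q != revealing_query]
    return []


if __name__ == "__main__":
    for name, release in (("pseudonymized", pseudonymize(RAW_LOG)),
                          ("tokenized", tokenize(RAW_LOG))):
        print(name, "- largest linkable profile:", largest_profile(release))
        print("  exposed by the name search:",
              linked_queries(release, "Alice Smith high school reunion"))
```

With the consistent pseudonym the name search drags the mortgage and postcode searches along with it; with per-record tokens the same query stands alone, at the cost of losing per-user analysis, which is exactly the trade-off a data release has to make on purpose rather than by accident.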
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. - Benjamin Franklin in 1755
None of your civil liberties matter much after you’re dead. – U.S. Senator John Cornyn in 2006