Category Archives: Security

Security

Cyber ShockWave Day

Leave a comment

Today a simulated cyber attack response exercise is being held in Washington D.C. The Bipartisan Policy Center is hosting:

The participants, whose mission is to advise the president and mount a response to the attack, will not know the scenario in advance. They will react to the threat in real time, as intelligence and news reports drive the simulation, shedding light on how the difficult split-second decisions must be made to respond to an unfolding and often unseen threat.

The Bipartisan Policy Center press release is peppered with traditional terms like “unprecedented” and “real-world”, “often unseen threat” and “real dangers”. There is no mention of the Chinese or international collaboration but that has to be one of the main issues on everyone’s mind. I wonder, for example, if anyone bothered to invite international participants. Why? James Fallows in the Atlantic Monthly did a nice job explaining how national security models are facing a transition from typical “bipartisan” efforts to one that is open and collaborative:

While trying to build bridges to the military, McConnell and others recommend that the U.S. work with China on international efforts to secure data networks, comparable to the Chinese role in dealing with the world financial crisis. “You could have the model of the International Civil Aviation Organization,” James Lewis said, “a body that can reduce risks for everyone by imposing common standards. It’s moving from the Wild West to the rule of law.” Why would the Chinese government want to join such an effort? McConnell’s answer was that an ever-richer China will soon have as clear a stake in secure data networks as it did in safe air travel.

An alternative to this kind of closer cooperation could be to improve the quality of education dramatically in the US including teaching computer skills and Mandarin to a high percentage of graduates, as well as the language of every other threat. The British have tried this latter model, which I am told is why the School of Oriental and African Studies (SOAS) came to exist. Perhaps compared to solving the problem of quality education, cooperation on information security seems far simpler.

Fallows warns in his article that America might have a tough time with the concept of “cooperation” given the cultural view of how to deal with “tough-guy, real-world problems”. However, the interconnected nature of Internet risk makes it almost impossible to use a bi-lateral attack/defense paradigm. This has been known since at least the first “Smurf” attacks. Multi-lateral and shared approaches have become the norm in hi-tech response centers but it will take time for established leaders in government to warm up to the idea of greater openness as a strategic advantage in national security.

Food, Security

Cheese Fraud

Leave a comment

An article by the Times Online explains a recent crackdown by authorities on cheese fraud in Italy:

[Luca Zaia, the Agriculture Minister] said there was no health risk, adding “It is not a question of food security so much as of respect for the rules of production”. However he had taken “urgent action” by placing the mozzarella consortium under “special administration” for three months while a committee of police and ministry inspectors investigated.

He said he had acted “because the situation was deteriorating. Over the past two years my zero-tolerance policy has led to the discovery of many causes of food fraud. In November, checks in major supermarkets in Italy found that 25 per cent of the cheese sold as buffalo mozzarella was fake because it contained 30 per cent cow milk.”

Great example of how compliance depends on governance. It is a good thing he has no jurisdiction over the US cheese market or almost the entire mozzarella supply would be abruptly halted. I have tried without much success to find a consistent source buffalo mozzarella in America.

This case is notably different from a security risk that is also mentioned in the article.

Two years ago sales of mozzarella fell after buffalo milk was found to be contaminated with high levels of dioxin from rotting piles of uncollected rubbish in the Naples area. Sixty-six buffalo herds were quarantined and over 100 farmers and dairy producers were investigated for alleged “fraud and food poisoning”. In April last year inspectors found that some buffalo in the Caserta area near Naples had been given somatropine, a human growth hormone, although officials said this did not pose a health risk.

Thus compliance also depends to a large degree on consumer awareness and interests. Governance is meant to be a representation of demand, so risk definition becomes one of the first steps to creating rules for compliance. Risk from dioxins, for example, is much easier to quantify and campaign against than the risk from lack of authenticity. Who is harmed when cheese is fake? Many Americans, in fact, are likely to turn a blind eye to imitation — mozzarella made from cow milk in California or cheddar from cows in Wisconsin. Risks related to the authenticity of cheese may be far less valued than appearance and price — cheap imitations (“generics”) thus build a strong following when no one close to home is hurt by the practice. Only when authenticity issues hurt a domestic source or more immediate health issues appear do calls for governance come forward.

…food for thought the next time you take a bite of mozzarella.

Energy, Security

Show me a Focus on Hybrid-Diesel

Leave a comment

Who can forget when Bill Ford explained during the great restructuring last year that his company had traditionally sold low quality cars to Americans but high quality to Europeans. He said they thought there was no market for quality cars in America until after the crisis they noticed foreign brands outselling theirs.

The European Focus will be their first step to change this, introducing a quality compact car as detailed by Wired in their “Big Bet on Small Cars” article. Naturally, I expect they will not introduce the diesel Focus in America. Why do they bet on small cars instead of efficient cars?

Mercedes has been working on the holy grail of cool engine efficiency technology: aerodynamic diesel-hybrids built out of Advanced High-Strength Steels (AHSS). The new E300 mercedes gets 52mpg (4.5 l/100km). Once again, only available outside America.

There seems to be a leadership gap in the US as conservative market followers dominate the auto industry…so sad that the executive that brought the Prius to America died. He might have been in a position to really speed up innovation and competition. It was a leading design when it was introduced, primarily as it proved there was pent-up market demand, but the Prius is too weak and compact to make sense in the American market of road-trips and hauling cargo.

Ford should take the 500/Taurus and make a high-performance diesel option to compete with the Audi and Mercedes variants. It also should bring the EuroFocus diesel and go hybrid with it by 2012.

Security

BlueTOAD (Bluetooth Travel Time Origin and Destination)

Leave a comment

BlueTooth devices have been proliferating to the point where you can make a safe bet that most vehicles have one. That’s why some clever folks are starting to monitor the highways for bluetooth in project BlueTOAD.

Rather than depend on every car carrying a toll tag in plain view, the sensors along highways can read the unique address of a BlueTooth device and then predict traffic flow times. The collection of BlueTooth information then also can be tapped by law enforcement, or at least requested by a court, to prove movement of the devices. I vaguely remember a divorce case where a husband was proved to be cheating on his wife because of his toll tag movements.

The identity of a BlueTooth device, it’s MAC address, is in no way permanently connected to an individual. This makes BlueTooth potentially less sensitive than license plates and toll tags. Likewise, a bluetooth device could in theory cycle its address or duplicate others to make tracking difficult. There are plenty of lessons from the P2P market in how to keep service alive while modifying the MAC. A big difference from P2P, however, is that the portable BlueTooth device market is highly proprietary and unfriendly to user configuration (ever try to setup a BlueTooth PIN other than 0000?)

I leave all my BlueTooth disabled these days; not because I am very worried about being tracked or even because of eavesdropping, but because battery life is so poor. I find it much less hassle and more efficient to use the cord. The extra security and privacy is a secondary benefit.

Frankly I’m more concerned about the MyLocation project and the privacy settings for APIs to Google maps. In a test to compare with BlueTOAD we’ve been able to use a simple query to the Google map traffic data API to monitor the movement of a person’s phone.

I’m not sure Google meant it to be setup this way; it’s a security flaw from a privacy perspective but then again I know departments of transportation and law enforcement investigators already interested in accessing the data.