Category Archives: Security

History, Security

Honoring Steven P. Daugherty

Leave a comment

A Cryptologist named Steven P. Daugherty has been eulogized on the National Security Agency site:

One of the most important functions of any “special operations” team is to gather critical intelligence with the aim of discerning future enemy intentions. Daugherty’s role in this important process was to provide timely and effective cryptologic support to his team. By providing and protecting his unit’s most precious communications he not only contributed to coalition success on the battlefield but also saved countless lives.

Two Days after the 231st anniversary of the nation he had sworn to defend Petty Officer Daugherty was returning from a important mission with his team when their vehicle struck an improvised explosive device killing him and two other members of his unit. Daugherty would leave behind a loving family and young son but his efforts would not be in vain. Later it was confirmed that the work he and his team performed earlier that day had played a decisive role in thwarting a dangerous group of insurgents in their efforts to kill coalition forces.

Tragic news. I wonder what his real views on the war were. Some friends in the Air Force told me the other day that although they all disagreed with the war, and thought it obvious as to why, it was not their job to question authority.

The interesting thing about the Daugherty eulogy, however, is the absolutist emphasis on seeking the truth:

The famous philosopher Thomas Hobbes once noted “Hell is truth seen too late.”” Throughout his time in the United States Navy both on the sea and on land Petty Officer Steven Phillip Daugherty devoted his life to determining truth with the aim of defeating the enemies of freedom throughout the world. His work and accomplishments as a Sailor, cryptologist, father and friend will forever stand as testament to his own personal character and his devotion to his country.

John Stewart put forward a question to the biographer of Cheney that was right on target. If Cheney knew in 1994 that a quagmire would result from invasion, and there was risk of great loss of American lives in the chaos, why did he not openly discuss this, plan for it, or even allow others to raise the issue? Was Daugherty truly allowed to assess the truth to defeat enemies of freedom, or penned into a predictable disaster and a casualty of dishonesty.

Security

Telecoms Sans Frontieres MySQL errors

Leave a comment

I was going to say how impressed I am that the Telecoms Sans Frontieres (TSF) was already rushing to restore connectivity in Peru, but then I noticed some troubling issues on the default page of their website:

Warning: mysql_connect() [function.mysql-connect]: Access denied for user: ‘tsfi@10.0.70.8’ (Using password: YES) in /home.10.4/tsfi/www/html_e/index_gb.php on line 1

Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home.10.4/tsfi/www/html_e/index_gb.php on line 2

Warning: mysql_query() [function.mysql-query]: Can’t connect to local MySQL server through socket ‘/var/run/mysqld/mysqld.sock’ (2) in /home.10.4/tsfi/www/html_e/index_gb.php on line 9

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in /home.10.4/tsfi/www/html_e/index_gb.php on line 9

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home.10.4/tsfi/www/html_e/index_gb.php on line 10

First, the errors should not go to the browser, especially with IP addresses, directory paths and usernames. There’s no need for the general user to see those details.

Second, it must be embarassing for an IT crisis group trying to restore services to have a website crisis of their own, no?

Perhaps it is time someone created an Information Security Sans Frontieres group to help ensure the availability of systems and perhaps even privacy of data for disaster areas and the teams working there…

Security

Robots Won’t Do the Plumbing

Leave a comment

Interesting perspectives in the BBC on the demand for plumbers. Do we need more plumbers because the quality of the field is so low, or because of new growth? They suggest it is the latter.

Plumbing, like being a waiter or taxi driver, hasn’t become cheaper or more efficient over time because it can’t, says Tim Harford, a columnist at the Financial Times.

“In 50 years we won’t get robots doing the plumbing so what we find is if we looked at the economy 50 years ago, something like plumbing wouldn’t have really stood out. People didn’t really have much money.

“But now you can buy amazing televisions and cars that are cheaper and better than 20 years ago.

“All this amazing stuff and yet plumbing has not really changed and so it looms large as a problem, as something expensive.”

I disagree.

Taxi drivers are actually capable of being far more efficient now with GPS and if the automobile manufacturers would pull their heads out of their tailpipes taxis could be significantly cheaper (more fuel efficient).

While I really don’t get his “cars that are cheaper” evidence, the point about lowering costs through technology seems correct.

Plumbing has actually become cheaper and more efficient with plastic tubes that are connected with heat and instant glue like the Pex system. So if more plumbers aren’t needed because of quality problems, and the technology has improved, then why aren’t costs going down?

I think the real problem is the overhead of being a plumber has gone up and so plumbers tend to have to charge more to make a decent living. In other words, cars are in fact more expensive.

If they could lower their overhead, not just in terms of code and regulations but also the costs of materials, fuel and waste disposal, then there would be room for a more competitive (and secure) environment. Robots might never be cost-effective for the final fit and finish, but they certainly could help with the manufacturing and supply-chain costs.

Overall a very useful example for Information Security…

History, Security

Will it Work?

Leave a comment

Wikipedia reports that Philip Crosby is considered the forefather of the Capability Maturity Model.

I have been using this model extensively for over ten years when consulting on security controls. It is a far better way of documenting and illustrating control status rather than pass/fail, as it shows a continuum of improvement.

In other words, rather than telling a company they “failed” the security test, you can say they have achieved a initial step and only have a couple more to go.

With that in mind, I just ran into a rather funny illustration. It comes from “one of the first publications” by Crosby, meant to help reduce defects in guided missle design and manufacture.

Bendix

The Control Maturity Levels, just for handy reference, are these:

0 Control is not documented

1 Control is documented

2 Control is consistently applied (implemented)

3 Control is working (tested)

4 Control is measured

Companies often mistakenly rest on their laurels after achieving level 1, documentation of controls. This is the equivalent of trust, without verification, and rarely accurate. Meanwhile security firms often look for evidence of level 3. The gap is where the friction of compliance comes from.

Tests quickly prove vulnerabilities exist, but the real challenge is to find management that is able to move a company solidly into level 2 (implementation). In other words, do they have someone who can reliably answer the question “Will it work?”