Category Archives: Security

Culture and security: “we only set fires”.

I love this story from Peaceful Rise. It reads like a classic example of cultural differences in engineering and security. The author first describes the need for special effects in a movie:

For the burning village, the challenge would be to find someone who could manufacture the piping, and to figure out how to store and supply the set with such an absurd amount of fuel.

The author apparently left the project for other reasons, but he goes on to explain how the over-engineered solution was dismissed and how the low-cost bid played out.

Not surprisingly, the American special effects team also left the project. I read that it was because their estimate of the cost to plumb the village with gas pipes was too high, although I wouldn’t be surprised if they intentionally gave a quote they knew would be too high just as an excuse to quit the movie and hurry on back to their American beachhouses. They were replaced by a Korean team who had a much more simple solution: douse the whole set and let it burn! As the story goes, a minute after they tossed the match and set the village up in flames, it occurred to someone in the production crew to inquire how they intended to douse the blaze. Put the fire out? That’s not our job, said the special effects crew. We set fires, we don’t put them out! The fire continued to spread to surrounding areas and grow out of control until finally emergency teams from a remote military film studio were able to arrive and control the blaze.

The requirement, if I read the story correctly, was to create a fire that could be turned on repeatedly, which seems to imply some kind of dousing mechanism. My guess is that the Americans started out with an assumption of an “effect” that was very different from the Korean crew’s. Or maybe it was just a case of high/low bid engineering. Anyway, it’s a nice anecdote to share in my next presentation on culture and security.

It sounds similar to the story about American engineers who spent billions of dollars to design ink and a pen that could overcome zero gravity so astronauts could still take notes while on a mission. The Russians, asked if and when they expected to achieve an engineering feat of similar magnitude, simply pointed out “we are ok with pencils”.

Bear Jokes

This was forwarded to me. I am unaware of the original source of this image, but I could not resist posting it here.

Reminds me of the joke about a life-long city resident who visits an Alaskan gun store and asks if his pistol is enough to defend himself against bears. A weathered old trapper looks at him and tells him to file off the bead at the tip of the barrel. “Why remove the bead?” the visitor asks. “Well, for one it will hurt less when the bear shoves it up your @$#.”

Or then there’s the joke about the hikers who happen upon a bear who roars at them and starts to charge:
“What now?” asks one hiker.
“Run!” says the other.
“Can you really outrun the bear?”
“No, but I can outrun you…”

Article published in Bank InfoSecurity

An article that quotes me on GLBA has been published on Bank InfoSecurity. It is called “GLBA Compliance: Tips for Building a Successful Program Board Involvement, Documentation of Programs Key to Favorable Reviews”.

When an institution’s focus turns to compliance with the Gramm-Leach-Bliley Act (GLBA), questions always pop up — What should the institution’s core GLBA program include; who should be involved; what kind of information is needed, and what should be prepared for an assessment?

We’ve asked industry thought-leaders for their insights on GLBA program essentials, including board member involvement, key components of an information security program, as well as the keys to a successful GLBA compliance examination – and how to avoid a bad one.

You have to register to read, but registration is free.

SSN printed on mailing labels at Univ of Maryland

This is the kind of breach that makes you go “huh”? The Breach Blog tells a sad tale of mailing labels gone awry:

On July 1st, 2008, the University of Maryland Department of Transportation Services mailed an on-campus parking brochure to all students registered for Fall 2008 classes as of June 15, 2008. Recipient Social Security numbers were inadvertently exposed on the mailing labels.

I hope the regulators fine the DoT for every label. Everyone knows the DoT loves to hand out violations, so fair is fair. On the other hand, they might just cover the fine by raising parking violation fees…