Category Archives: Security

Poems from K

Jack Prelutsky has a site with a list of poems by students, including some from Angola, Afghanistan and Iraq. I found the Kindergarten (K) list especially fun, although I find it surprising that a K-level student would be able to write this:

My mind is like a shadow,
you can see it, but it isn’t really there.
My mind is like a sieve,
losing bits here and there.

Sounds like a budding security analyst…

Security Sauce and Airports

The premier authority on intrusion detection theory, Martin Roesch, has posted some excellent insights, as well as humorous anecdotes, on his newly minted blog:

If the set of things that need to be detected (signatures) is constrained to guns, knives and bomb materials, I’d say grudgingly that a motivated screener could maintain alertness through their entire period manning the machine to have a reasonable probability of detection of the things in the set of threats. Once you extend that signature set to, well, pretty much everything that’s not paper or cloth you’re going to have an analyst’s nightmare because you just did the equivalent of “alert ip any any -> any any (msg:"Something bad may have happened!!";)” in Snort.

True, but that is probably not an accurate depiction of current events. There is a period of re-tuning the sensor, rather than de-tuning, and in this case the current detection technology is unable to detect the threat regardless of the rules you give it. In other words, you can tell it “find liquids” but the scanner isn’t capable (since they are x-ray instead of ultrasound), so you have little choice but to take extra precautions and re-tune until you get something that can process the new rules and speed up again.

As an aside, “security sauce” and “meatspace”, found in Roesch’s blog, keep making me think of spaghetti. I wonder if he’s a Pastafarian, or maybe I am just hungry. Here’s my suggestion for an official Security Sauce site poem:

On top of spaghetti,
All covered with cheese,
I lost my poor meatball,
When somebody sneezed.

It rolled off the table,
And on to the floor,
And then my poor meatball,
Rolled out of the door.

It rolled in the garden,
And under a bush,
And then my poor meatball,
Was nothing but mush.

The mush was as tasty
As tasty could be,
And then the next summer,
It grew into a tree.

The tree was all covered,
All covered with moss,
And on it grew meatballs,
And tomato sauce.

So if you eat spaghetti,
All covered with cheese,
Hold on to your meatball,
Whenever you sneeze.

Security Sauce: Hold on to your meatspace.

Maybe if I have time I’ll try to do a full parody.

Centrelink fires 19 for privacy breaches

Just on the heels of my earlier post about UK plans to dissolve privacy protections, Australia sends a stark warning about the damage that can be done by staff entrusted with your data.

Centrelink is the federal agency for welfare and social security in Australia. Thus, their staff have access to a huge amount of information about Australians. News about the privacy violations they are dealing with was reported by ABC:

Hundreds of Centrelink staff have been caught inappropriately looking up the records of friends and ex-lovers.

The privacy breaches were uncovered using specially designed spyware software.

As a result of a two-year investigation, Centrelink has uncovered nearly 800 cases of what it has described as inappropriate access by staff to customer records.

Nineteen staff have been sacked and nearly 100 resigned when they were confronted with the allegations.

Administration and customer care tools carry big risks with them. On the one hand, companies want to give their staff simple and easy access to customer data to ensure support is smooth; on the other hand, companies have an obligation to protect customer data from exposure.

It can be expensive to do thorough background checks and develop specific role-based controls, so many organizations try to get around these preventive measures to save money. In this case, detective controls were able to catch the abuse, but the “friends and ex-lovers” comment gives a big hint about the personal motives that companies often overlook when they assess how safe their data is from internal attacks.
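One way to implement the kind of detective control the post describes, as an added example that is not code from Centrelink or the ABC article: an audit-log review that flags record lookups outside an officer's assigned caseload, plus lookups where the customer shares the officer's surname or street address (a heuristic for the "friends and ex-lovers" pattern). The log fields, the staff directory, the caseload table and the sample entries are all constructed assumptions.

```python
"""Detective control for customer-record lookups: flag staff access that falls
outside an assigned caseload or that looks personally motivated.

Added example, not Centrelink's or ABC's code. The log format, field names and
the relationship heuristics (shared surname or street address) are assumptions.
"""
from collections import namedtuple

Lookup = namedtuple("Lookup", "staff_id record_id customer_surname customer_street")
Staff = namedtuple("Staff", "surname street")

# Constructed sample data: a tiny staff directory, case assignments and audit trail.
STAFF = {
    "s100": Staff("nguyen", "12 wattle st"),
    "s200": Staff("smith", "7 banksia ave"),
}
ASSIGNED = {  # records each officer is currently allowed to work on
    "s100": {"r1", "r2"},
    "s200": {"r3"},
}
AUDIT_LOG = [
    Lookup("s100", "r1", "jones", "3 acacia rd"),      # legitimate
    Lookup("s100", "r9", "nguyen", "12 wattle st"),    # own household, not assigned
    Lookup("s200", "r3", "brown", "5 grevillea ct"),   # legitimate
    Lookup("s200", "r8", "lee", "7 banksia ave"),      # same address, not assigned
    Lookup("s200", "r3", "brown", "5 grevillea ct"),   # repeat, still legitimate
]

def review_lookup(lookup, staff=STAFF, assigned=ASSIGNED):
    """Return the list of reasons a single lookup deserves review (empty if none)."""
    reasons = []
    if lookup.record_id not in assigned.get(lookup.staff_id, set()):
        reasons.append("outside_caseload")
    officer = staff.get(lookup.staff_id)
    if officer is not None:
        if lookup.customer_surname.lower() == officer.surname:
            reasons.append("shares_surname")
        if lookup.customer_street.lower() == officer.street:
            reasons.append("shares_address")
    return reasons

def review_log(log=AUDIT_LOG, staff=STAFF, assigned=ASSIGNED):
    """Map each flagged (staff_id, record_id) pair to its reasons; clean lookups are omitted."""
    findings = {}
    for entry in log:
        reasons = review_lookup(entry, staff, assigned)
        if reasons:
            findings[(entry.staff_id, entry.record_id)] = reasons
    return findings

if __name__ == "__main__":
    for (staff_id, record_id), reasons in review_log().items():
        print(f"{staff_id} -> {record_id}: {', '.join(reasons)}")
```

In practice the caseload table would come from the case-management system and the findings would feed a human review queue, since a shared surname alone is only a lead, not proof of misuse.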