Category Archives: Security

US surveillance to go deeper with ADVISE

The Christian Science Monitor reports that the US government is secretly developing a surveillance system called Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement (ADVISE):

The US government is developing a massive computer system that can collect huge amounts of data and, by linking far-flung information from blogs and e-mail to government records and intelligence reports, search for patterns of terrorist activity.

The article has a side-bar that, according to US Government auditors, says SecureFlight held records on 43,000 people not accused of terrorism. This points directly at the very real threat of data-mining being used for nefarious non-security related purposes.

ADVISE is apparently meant to stitch together a vast array of data points in order to more accurately understand behavior and avoid false positives. However, an analytics expert from IBM had this to say about the current capabilities of such a system:

Techniques that “look at people’s behavior to predict terrorist intent,” he said, “are so far from reaching the level of accuracy that’s necessary that I see them as nothing but civil liberty infringement engines.”

BSOD at RSA

The exhibition floor reminds me of a county fair, bristling with prize cattle and pigs. I hate to say it, but I find myself wandering among the herds of vendor logo’d sales people and entertainers, munching from troughs of mediocre food, wondering if this is really the best way to find new/interesting products and make contacts.

BDOD at RSA

Perhaps the most odd thing of the evening was when I found a Blue Screen of Death prominently displayed on a vendor system, and realized I was the only person who seemed to realize that it was a bad thing. I thought about making a big deal of it, but then just decided to help the vendor understand the error and to get the system back up again.

Someone in a PGP shirt walked up to me and said “How does anyone make a decision here”, to which I simply had to reply “Hmmm, let me think about that. I’m not sure, but it’s one of two ways.” He didn’t laugh.

An enigma

I had fun at the NSA booth where I typed out a message on an actual three-rotor German military Enigma from WWII. The keys are hard to press, but satisfying. Here is the result: QLKERMAKJDU. Pretty cool, eh?

I played some odd ping-pong ball drawing and won a lottery-ticket that won two dollars. I must have had a dour expression on my face during the process because the woman pulling the balls out said “you don’t seem very excited” to which I simply had to reply “oh, is it exciting to stand here and win other people’s money?” I guess I don’t believe in the “free” money concept.

Clearly I was missing something since I really just wanted to find the folks who could solve a few burning questions about encryption and key management for/with me, not play the lottery or place a bet on roulette, or throw bean-bags through a hole…sigh. Ten California rolls, three tiramisus, two kebabs, a slice of roast, some mozzarella balls, two salami slices, six egg-rolls, and a chocolate-covered strawberry later I finally connected with a real crypto-token vendor who gave me a demo and might actually be able to sell me some fobs (no software, no integration, no lottery tickets…).

I also discussed some anomaly and fraud detection software with the IBM engineers, but they kept saying “contact center” instead of “call center”, which started to give me the creeps, so I took one of their squishy brains and moved along. Microsoft said they could sell me software to integrate directories for just $25,000. I almost coughed up a cracker (with cheese) when they tossed that number out at me. Microsoft sells midrange software? They backpedaled a bit “you probably have a reseller who could get it to you in the teens”. It started to sound like an IBM rep talking. Apparently the cough-up your food on the sales engineer technique is handy in negotiation. They were just lucky I wasn’t drinking wine.

All in all, some good contacts, a couple interesting new products, and a fine start to the week. I just wish I had paid more attention to math when I was young.

If thou art diligent and wise, O stranger, compute the number of cattle of the Sun, who once upon a time grazed on the fields of the Thrinacian isle of Sicily, divided into four herds of different colors, one milk white, another a glossy black, a third yellow and the last dappled. In each herd were bulls, mighty in number according to these proportions: Understand, stranger, that the white bulls were equal to a half and a third of the black together with the whole of the yellow, while the black were equal to the fourth part of the dappled and a fifth, together with, once more, the whole of the yellow. Observe further that the remaining bulls, the dappled, were equal to a sixth part of the white and a seventh, together with all of the yellow.

— Archimedes

RSA Badge Challenge

Funny thing happened as I was waiting in the lobby and contemplating my badge, I ran into Bruce Schneier.

He’s a very energetic and upbeat guy in person. We discussed the return fees and a couple ideas for how to debate/blog about the badge policy. I’m getting more and more pissed about the whole situation, while he seemed playful and curious.

I started to dismantle my badge to find the chip, but realized I might actually end up paying full registration fees for a little bit of useless knowledge. Perhaps that’s the difference between a real security identity, who is paid to attend and doesn’t even need an ID, and just some nobody conference attendee who had to pay money to get access, like me. I need to be careful.

The odd thing, as Bruce put it, is that RSA is able to transfer the liability entirely to the end user. I added how unfortunate it is that we just accept it as part of the deal, and that RSA doesn’t take the opporuntity to innovate/experiment with identity cards.

Well, more on this topic later.

I also mentioned I was surprised Monterey Bay restaurants were not in his guide to eating since they have the best fresh squid, to which he replied “Japan has the best squid”. Somehow I could actually see him start to defend that position (oh yeah, well let’s just hop in our jet and pop over to Japan for dinner to decide this right now, shall we?) so I dropped the subject.

RSA Registration

I had suggested earlier that the RSA conference badge could be some kind of token with an associated revocation and replacement fee (as opposed to being forced to pay a full conference rate for a lost/stolen badge). I just realized as I navigated the swarms of vendors that the badges do, in fact, have to be linked to the vendor acquisition systems. They seem to use a proximity-reader. So a reader with revocation capabilities not only would be a trivial addition to the entrance-way, but the expo floor is covered in the things. What gives? Imagine if a company tried to manage it’s authentication/authorization system by asking users who lose their badges to repay the entire value of assets they are meant to protect…

Anybody else here?