Medical Marijuana Vending Machines

I have been reading about the new medical marijuana vending machines in Los Angeles that are meant to go-live today.

The security discussion has been amazingly sparse. So here is a quick review of what I have noted:

  1. Anytime Vending Machines (AVM) have been deployed to meet a requirement for 24/7 secure and automated dispensaries of medical marijuana
  2. AVM locations will approve a prescription, take your fingerprint, and provide a prepaid credit card loaded with dosage (3.5 or 7 grams, with a max of 1oz a week) and one of five strain options

AVMWatching the video by a CBS station revealed many of the physical security measures, but also shows a cord running across the floor from the vending machine (look at the bottom left of the machine). That made me wonder about data transmission from this thing. Where is it going to/from and how often? Does it fail to vend if it can not connect to a database, and then what integrity controls are in place…?

That would be a more interesting attack vector than the usual tubular lock weakness. The fact that a human guard is said to be deployed at all times with the vending machine makes me think there is implicit recognition of weakness. I also wonder about the paper trail and whether video is integrated into the box.

The pin pad sure looks exposed, doesn’t it? Must be hard to hide your key-code when it’s setup in such a big spread open to plain view. Maybe only one person can be in the room at a time with the machine.

And finally, I have to say this definitely “high” security. Sorry, couldn’t resist.

Massive Insider Investment Fraud

The article by the Associated Press is written so well, it is hard to add much comment. I will do my best to keep the quotes brief, but I recommend reading the full article.

This highlights the ever-present insider issue. My first concern is that there is a lot of emphasis on motive, and most conclusions suggest none “rational”:

“This is a bad time for banks and the industry in general. But detecting the fraud over the weekend was problematic because world stock markets on Monday and Tuesday fell hugely around the world. When the positions had to be unwound, the bank did that in a terrible market of falling equities,” said Janine Dow, senior director at Fitch Ratings financial institution group in Paris

“In hindsight, it was this guy’s superior knowledge of the control system of every aspect of trading at the bank that allowed him to build up fraudulent positions and hide them,” she said.

The bank said the trader had misled investors in 2007 and 2008 through a “scheme of elaborate fictitious transactions.” The trader, who was not named, used his knowledge of the group’s security systems to conceal his fraudulent positions, the statement said.

The man admitted to the fraud, the bank said, and was being dismissed. Four or five of his supervisors were to leave the group. Bouton offered to resign but the board rejected that.

So motive is unclear, but method and consequences are easy to document.

Axel Pierron, senior analyst at Celent, an international financial research and consulting firm, was stunned that 13 years after the Barings collapse, something similar has happened.

“The situation reveals that banks, despite the implementation of sophisticated risk management solutions, are still under the threat that an employee with a good understanding of the risk management processes can getting round them to hide his losses,” he said.

If the controls are easy to circumvent without detection, why should we assume that they will not be circumvented without detection? Implicit in the article is that the trader was given a lot of leeway and trust, which seems the opposite of what an effective control system is meant to do. Bottom line, one introduces extreme social, cultural, and psychological (to name a few) risks/unpredictable results by basing controls on motives of users.

Illinois shops still selling lead-based toys

One might think the news of lead in toys would prompt a manufacturer to recall them immediately. Not so in Illinois, where a toy company has questioned the validity of state authority to determine safety. The disagreement seems to hinge on whether state or federal regulations should determine acceptable exposure to lead:

llinois authorities thought they had reached an amicable agreement late last year with Ty Inc. to have the company voluntarily remove its Jammin’ Jenna dolls from retailers because the toys contained high amounts of lead.

But a few days later, the state attorney general’s point person on the issue was surprised to see Jammin’ Jenna for sale in a candy store near her office. The next morning, the official spotted another one at a grocery store near her home.

When the attorney general’s office confronted Ty, best known for its Beanie Babies, the Westmont-based company said it would no longer sell new versions of Jammin’ Jenna to Illinois retailers. But it refused to recall dolls already in stores, according to the state.

Note the detection method. An official went to a store and saw the toy was still being sold. Could there be a more automated method? Will checkout tills soon have the ability to detect harmful substances? Probably too costly, compared with spot-checks, but I am reminded of airport security. If the risk is high-enough, even just from a public perception/fear perspective, then maybe toy retailers will have safety-enabled checkout scanners.

Speaking of retailers, I wonder why they could not get the retailer to refuse to sell the toy. Later in the same article, another similar story comes to light, but it does not target the manufacturer.

State authorities also are upset at national retailer Party City, which told investigators and the Tribune in the fall that it had stopped selling a pirate skull ring found by the newspaper to contain high lead levels. A spot check by the Tribune later found the ring still for sale.

The newspaper bought and tested the ring again. It exceeded safety limits for lead.

A Party City spokeswoman said the chain had instructed its 500 stores across the country to pull the rings and thought the order had been carried out. The firm said it re-issued the order earlier this month after the Tribune informed the company that the tainted product was still on some shelves.

The retailer also said it has instructed its stores to withdraw a similar pirate necklace, which the Tribune found in a follow-up test contained lead levels more than 200 times the state limit.

This story puts into perspective the hassle of chasing down NT4 and Windows 2000 servers and getting them off the network.

One last thought. Remember the robot in Buck Rogers? I think it said “Eat Lead, Suckers!” Ty should consider licensing that little guy for their beanie baby line…

Sun Ray IPSec VPN

I have been asked to work on some Sun Sun Ray (yes, it’s a redundant name).

They seem very much a throw-back to X terminal days, and in particular they remind me of a Sun Java Thin Client box I had to work on in 1997. My conclusion on the Java terminal at the time was DOA. There were literally no apps. Can’t believe it has been ten years already…anyway, the issue I am looking at relates to VPN connectivity.

Sun promises great new security functionality in their Sun Ray Software 4, as described in this beta release page:

…great new features such as the VPN/IPsec client in the Sun Ray firmware. This allows customers to simply plug their Sun Ray clients into nearly any network and connect back to their corporate desktop. Please note that the VPN/IPsec client only works initally with Cisco gateways that support the Cisco EasyVPN protocol.

Grammar check. Should that be “client initially only works with Cisco”? Hmmm, only Cisco? This looks like a not-so-easy EasyVPN protocol.

Why did Sun, a self-proclaimed champion of open standards, grab onto such a proprietary/rare IPSec configuration? Is Cisco a big consumer of the Sun Ray?

So that is what I have been researching lately. I love the X terminal concept, but it surprises me to hear there is no alternative to Cisco’s IKE implementation. That and the fact that Sun Ray documentation only points to IKE-DES3-MD5, rather than more contemporary options like IKE-AES-SHA1.