Security Sauce and Airports

The premier authority on intrusion detection theory Martin Roesch has posted some excellent insights, as well as humorous anecdotes, on his newly minted blog:

If the set of things that need to be detected (signatures) is constrained to guns, knives and bomb materials, I’d say grudgingly that a motivated screener could maintain alertness through their entire period manning the machine to have a reasonable probability of detection of the things in the set of threats. Once you extend that signature set to, well, pretty much everything that’s not paper or cloth you’re going to have an analyst’s nightmare because you just did the equivalent of “alert ip any any -> any any (msg: “Something bad may have happened!!”;)” in Snort.

True, but that is probably not an accurate depiction of current events. What is happening is a period of re-tuning the sensor rather than de-tuning it, and in this case the current detection technology cannot detect the threat regardless of the rules you give it. In other words, you can tell it “find liquids”, but the scanner isn’t capable of that (since it is x-ray rather than ultrasound), so you have little choice but to take extra precautions and keep re-tuning until you have something that can process the new rules and then speed up again.

As an aside, “security sauce” and “meatspace”, found in Roesch’s blog, keep making me think of spaghetti. I wonder if he’s a Pastafarian, or maybe I am just hungry. Here’s my suggestion for an official Security Sauce site poem:

On top of spaghetti,
All covered with cheese,
I lost my poor meatball,
When somebody sneezed.

It rolled off the table,
And on to the floor,
And then my poor meatball,
Rolled out of the door.

It rolled in the garden,
And under a bush,
And then my poor meatball,
Was nothing but mush.

The mush was as tasty
As tasty could be,
And then the next summer,
It grew into a tree.

The tree was all covered,
All covered with moss,
And on it grew meatballs,
And tomato sauce.

So if you eat spaghetti,
All covered with cheese,
Hold on to your meatball,
Whenever you sneeze.

Security Sauce: Hold on to your meatspace.

Maybe if I have time I’ll try to do a full parody.

Centrelink fires 19 for privacy breaches

Just on the heels of my earlier post about UK plans to dissolve privacy protections, Australia sends a stark warning about the damage that can be done by staff entrusted with your data.

Centrelink is the federal agency for welfare and social security in Australia, so its staff have access to a huge amount of information about Australians. The ABC reported on the privacy violations the agency is now dealing with:

Hundreds of Centrelink staff have been caught inappropriately looking up the records of friends and ex-lovers.

The privacy breaches were uncovered using specially designed spyware software.

As a result of a two-year investigation, Centrelink has uncovered nearly 800 cases of what it has described as inappropriate access by staff to customer records.

Nineteen staff have been sacked and nearly 100 resigned when they were confronted with the allegations.

Administration and customer care tools carry big risks with them. On the one hand companies want to give their staff simple and easy access to customer data to ensure support is smooth, but on the other hand companies have an obligation to protect customer data from exposure.

It can be expensive to do thorough background checks and to develop specific role-based access controls, so many organizations skip these preventive measures to save money. In this case, detective controls were able to catch the abuse, but the “friends and ex-lovers” comment is a big hint about the personal motives that companies often overlook when they assess the risk of internal attacks on their data.
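As an added example (not from the post, the ABC report or Centrelink), here is a small audit-log check in the spirit of the detective controls described above: it flags record lookups that carry no case reference or that target a customer sharing personal details with the staff member doing the lookup. The staff table, customer table, log lines and matching rules are all constructed for illustration.

```python
# Constructed sample data; any resemblance to real people is accidental.
STAFF = {
    "s100": {"surname": "Nguyen", "postcode": "3000"},
    "s200": {"surname": "Smith", "postcode": "2000"},
}
CUSTOMERS = {
    "c1": {"surname": "Nguyen", "postcode": "3000"},  # same name and postcode as s100
    "c2": {"surname": "Brown", "postcode": "4000"},
    "c3": {"surname": "Smith", "postcode": "6000"},   # same surname as s200
}

# Constructed audit log, one lookup per line: timestamp,staff,customer,case
# (an empty case field means the lookup was not tied to any open case).
AUDIT_LOG = """\
2006-08-20T09:01:00,s100,c1,
2006-08-20T09:05:00,s100,c2,CASE-17
2006-08-20T09:06:00,s200,c3,CASE-18
2006-08-20T09:07:00,s200,c2,
"""


def parse_log(text):
    """Turn the CSV-style audit log into a list of lookup events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, staff, customer, case = line.split(",")
        events.append({"ts": ts, "staff": staff, "customer": customer,
                       "case": case or None})
    return events


def flag_lookups(events, staff=STAFF, customers=CUSTOMERS):
    """Return (timestamp, staff, customer, reasons) for every suspicious lookup.

    A lookup is suspicious when it has no case reference (no business need
    on record) or when the customer shares a surname or postcode with the
    staff member, a crude proxy for the friends-and-relatives pattern.
    """
    findings = []
    for e in events:
        s, c = staff[e["staff"]], customers[e["customer"]]
        reasons = []
        if e["case"] is None:
            reasons.append("no case reference")
        if s["surname"] == c["surname"]:
            reasons.append("shares surname with staff member")
        if s["postcode"] == c["postcode"]:
            reasons.append("shares postcode with staff member")
        if reasons:
            findings.append((e["ts"], e["staff"], e["customer"], reasons))
    return findings
```

Run over the four constructed lines, three lookups are flagged; in practice the rules would be fed from HR and case-management systems rather than inline tables.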

UK Data Sharing Plan Panned

This sounds like an absolutely horrible idea:

Ministers are preparing to overturn a fundamental principle of data protection in government, the Guardian has learned. They will announce next month that public bodies can assume they are free to share citizens’ personal data with other arms of the state, so long as it is in the public interest.

Oh, imagine someone appointed to decide that “public interest” means…sharing data. Wouldn’t that be a convenient position to defend?

The new policy appears to contravene a key principle of the data protection act, which is that “personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”. Ministers are likely to argue that efficient public administration is not incompatible with other purposes.

“Efficient” administration is certainly one value, but never the supreme and only value. In fact, I believe most if not all people would happily give up efficiency to preserve their liberties if the real consequences were portrayed openly and clearly. I can’t even count the number of companies that have asked me to help them ensure their data is safe from sharing. If a plan like this is passed, the demand for information security will absolutely explode, as every citizen will need a professional/specialist even just to help them protect themselves from simple mistakes.

Nazi restaurant opens in Mumbai

The BBC reports that a man in Mumbai will keep the name of his restaurant “Hitler’s Cross” despite protests from the local Jewish community.

“My customers are not complaining about the name, they are very amused by it,” he said. “Just like Hitler wanted to conquer the world, I want to conquer at least my area through the food served in my restaurant.”

Great. Now you know where to find all the Nazi sympathizers, conveniently collected into a restaurant in India. Clearly this man thinks a genocidal maniac is someone to idolize. Or does he…

Mr Sabhlok also said he was not promoting Hitler in any manner as he did not have any pictures of the German Nazi leader or decor related to him.

When questioned about press photographs of a huge Hitler poster at the front door, Mr Sabhlok said it was put up by one of the 700 invitees who attended the opening. “We pulled it off later,” he said.

I can just imagine him saying “Oh, you mean that picture? That’s someone else’s.” Of course it is, because restaurant guests always bring a giant picture of Hitler with them to dinner and post it on the front door.

So he’s saying he wants to be just like Hitler, but not like Hitler in any way. Hmmm, that sort of double-speak sounds strangely similar to something Hitler would have said. So the big question is whether the officials will have the sense to shut this place down before it becomes a serious safety issue (please note I have avoided any tasteless “to die for” jokes), and whether/how restaurant laws in India will be forced to change as a result.

Edited to add (8/29/2006): Looks like the BBC report may have been a few days stale. NewKerala.com reported that the protests began August 18th when the restaurant opened and by the 24th the restaurant announced it would give up the name:

“We, the owners and operators of the restaurant opened at Kharghar, Navi Mumbai, acknowledge that the name adopted by us for our restaurant was most inappropriate.

“We have decided to change the name of our restaurant and remove all signs and articles associated with Hitler and Nazism in and around the restaurant,” the statement said.

It will now be called The Pol Pot. No, not really. But you never know.