Security Slogans: Ctrl-Alt-Del when you leave your seat


Few of us are probably lucky enough to invent something as contagious as a Security-Tubby or a Barney character. Instead, we are stuck with the task of creating “fun” posters with slogans.

One of my more successful ones so far has been based on the saying “Ctrl-Alt-Del when you leave your seat”.

People tell me that no matter how rediculous they might find security slogans at first, eventually this one grows on them and they can’t help but sing it aloud when they leave the office. You know you have won over your users when they start to beg for more effective ways to comply with the “Ctrl-Alt-Del song”.

I usually give them a tip like the following:

Although a screen lock button is already provided in most X distros, including Linux, Windows folks are usually in need of a shortcut. They’re simple to create with the following command:

%windir%\system32\rundll32.exe user32.dll,LockWorkStation

Then change the icon to something that looks like a “lock”. The orange key seems most popular among XP users (consistency helps the helpdesk) and can be found in the following library:

%SystemRoot%\system32\shell32.dll

Lock Workstation Icon

Just put the button wherever convenient (desktop, taskbar, start, etc.) Although the setup is easily scripted and deployed over the network, sometimes it is best to hand it out to all your users like a present during the holiday season — “Security wishes you a safe and secure holiday. We hope you enjoy this new button.”

And believe it or not, people who start using this button will still say “hey, I did the Ctrl-Alt-Del thing, go check my screen”, even though they no longer are touching the keyboard when they step away. Ah, the power of security slogans.

loose lipsUnfortunately not all slogans are as catchy. Messages from security easily get lost in the sea of information users have to process every day and most of the other material they hear is so polished that phrases like “don’t get hooked by phishers” tend to blend right into the wallpaper. Thus, I believe the world of security would be far better off if more wordsmiths and poets were employed to craft our message, perhaps even at the state or federal level. Nothing too fancy would be necessary as the slogans that always seem to do best are the simple ones — “loose lips might sink ships”.

Third-highest priority in the FBI

The CSI/FBI have a famous report released annually called the “Computer Crime and Security Survey”. I was surprised to read today that the FBI also has a lesser-known report called the “Computer Crime Survey”.

The difference is supposedly in the method of gathering data, although it’s not clear that either survey is truly scientific. The larger survey is done with a select group of respondants and has a huge number of paper-based questions (I’ve filled it out at least twice), whereas this “Computer Crime only, hold the Security” survey “was taken by 2,066 organizations in Iowa, Nebraska, New York, and Texas”.

The findings are not particularly surprising, and I actually could spend some time trying to debunk the article’s title “FBI says attacks succeeding despite security investments”, but instead I just want to bring attention to the part of the report I found insightful:

While some individual law enforcement officers are not trained to respond to computer security incidents, local, state, and federal law enforcement agencies have become increasingly equipped to both investigate and assist in the prosecution of such violations. Computer related crime is the third-highest priority in the FBI, above public corruption, civil rights, organized crime, white collar crime, major theft and violent crime.

Not hard to find out what the top two priories are:
1. Protect the United States from terrorist attack.
2. Protect the United States against foreign intelligence operations and espionage.

So there you have it. If you are in the US and believe you are a victim of “cyber-based attacks and high-technology crimes”, contact the FBI.

Operation Ore Continues

International law enforcement has been working on Operation Ore since 2003, when investigators uncovered an Internet child porn business in Texas with over 250,000 customer records. The Guardian reported today that one of the worst cases so far has concluded with two people going to jail.

It’s a terrifying story, but at the core is the ability of police to process data quickly to follow leads and catch criminals before they can harm innocent children. If this threat is not mitigated fast enough by the police to bring the risk levels down, parents will not have much choice beyond demanding some form of official validation/certification from anyone who claims that they should be trusted with a child’s safety.

the poetry of information security