Sex Offender Database Outage

BI Incorporated runs a Microsoft-based database of registered sex offenders in the US. They suffered a major outage when they hit more than 2.1 billion records. Apparently no one saw it coming.

An explanation is posted on their website:

“At 7:29 a.m. Mountain Time on Oct. 5, BI Incorporated experienced a problem with one of its offender monitoring servers that caused this server’s automatic notification system to be temporarily disabled, resulting in delayed notifications to customers. The issue was resolved approximately 12 hours later at 7:25 p.m. MT. The issue was confined to the BI TotalAccess Server when its database exceeded its 2.1 billion record threshold. The BI system notified administrators and technical staff of the issue immediately and a team was immediately assembled to diagnose and plan for recovery.

“Importantly, the monitoring system continued to operate and gather information, but transmissions were delayed until the system was restored. Offender activity logged while the server was being worked on was effectively processed at 7:25 p.m. MT when the system was restored. Alerts that may have occurred during this period were transmitted to our customers at that time.”

The database ran “out of values in a column in a table”. It now has been expanded, they say, to 1 trillion records. They did not explain the rate of change to records over time. Was it getting exponentially larger lately or has it been slowly creeping? An expert is cited in their press release saying no one could have predicted running out of space.

The irony of the story, and that expert testimony, is that an alerting system for this alerting system is said to now be a priority for BI.

…we are working with Microsoft to develop a warning system on database thresholds so we can anticipate these issues in the future
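A threshold warning of the kind BI describes comes down to sampling the highest value in use in the column and projecting when the ceiling will be reached. The following is an added example, not BI's or Microsoft's code; it assumes the exhausted column was a signed 32-bit integer (which matches the 2.1 billion figure), and the sample readings and the 180/30-day alert windows are constructed for illustration.

```python
from datetime import date

INT32_MAX = 2**31 - 1  # 2,147,483,647: the "2.1 billion" ceiling of a signed 32-bit column

def daily_rate(samples):
    """Average number of values consumed per day between first and last sample."""
    (d0, v0), (d1, v1) = samples[0], samples[-1]
    days = (d1 - d0).days
    return (v1 - v0) / days if days > 0 else 0.0

def assess(samples, limit=INT32_MAX, warn_days=180, crit_days=30):
    """samples: chronological list of (date, highest value in use in the column)."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to estimate growth")
    _, last_value = samples[-1]
    remaining = limit - last_value
    mid = len(samples) // 2
    early = daily_rate(samples[:mid + 1])   # older half of the history
    recent = daily_rate(samples[mid:])      # newer half of the history
    # Project with the faster rate so accelerating growth is not averaged away.
    rate = max(early, recent)
    days_left = float("inf") if rate <= 0 else remaining / rate
    if remaining <= 0 or days_left <= crit_days:
        level = "CRITICAL"
    elif days_left <= warn_days:
        level = "WARNING"
    else:
        level = "OK"
    return {
        "level": level,
        "percent_used": round(100 * last_value / limit, 1),
        "days_left": days_left,
        "accelerating": recent > 1.5 * early,  # "exponential lately" vs "slowly creeping"
    }

# Constructed readings (not BI data): growth speeds up as the ceiling approaches.
SAMPLES = [
    (date(2010, 1, 1), 1_500_000_000),
    (date(2010, 4, 1), 1_590_000_000),
    (date(2010, 7, 1), 1_772_000_000),
    (date(2010, 9, 1), 2_020_000_000),
]

if __name__ == "__main__":
    print(assess(SAMPLES))
```
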

New California Driver License Security Features

The State of California has added a list of security features (some public, some secret) to its driver's license. The LA Times says it was designed to thwart counterfeiters.

Among the new features, licenses for drivers under age 21 will be printed vertically, making them easier to identify for police and shopkeepers. The cardholder’s signature and birthday will be raised, allowing them to be felt by touch.

Hidden images can be seen only with the use of ultraviolet light, and a laser perforation outline of the California brown bear will be visible when a flashlight is pressed against the back of the card.

The back of the card will still have a magnetic stripe but will also have a 2D barcode; both store information from the front of the card.

The new license was only just released but already I hear licenses from Nevada and Oregon are more common. California says they issue about 8 million licenses and ID cards a year. Will a change in that rate be linked to these security measures?

On the flip side, inside jobs are usually the most dangerous; the new CA license will definitely carry more weight, but will it have the appropriate protection of the source? A certificate authority’s certificates are only as good as…

I am excited to know my signature will soon be easily copied with a piece of paper, some charcoal and a little pressure.


Updated 2019: So many people are coming to this post I wrote in 2010 to find out about the “Real ID” cards that have been available since January 22, 2018, due to a deadline of October 2010 for federal security. A valid U.S. passport will be required after October 2020 if you don’t have a Real ID card. The California DMV has a Real ID portal site.

Compliance and Mixed Mode Virtualization

I often get asked about PCI compliance and multi-mode, mixed-mode or multi-tenant systems. I generally find it easy to explain how the measure of controls in the virtual environment is really not far from traditional IT.

When you have a firewall that can host virtual firewalls, what is the highest security level possible for that firewall? Is it the least common denominator, where the most secure virtual instance can only be given the trust level of the least secure virtual instance on the same base system or hypervisor? The answer is that you can have different levels of trust on the same hypervisor, provided that you apply appropriate controls.

Yes, I am giving the diaper answer — it depends — but that is better than just saying no way, no virtualization.

Although you could take my word for it, an excellent example comes from the NSA, which worked with VMware to create a Trusted Virtual Environment (TVE) to address this issue. It allows two mixed modes: unclassified through secret and secret through top secret/SCI.

Fannie Mae Hacker Convicted

Most of the story, about a programmer who abused his access to plant a “server bomb” in Fannie Mae’s servers, is straightforward.

The lessons are the usual ones. Remove access immediately upon terminating an employee, including remote access. Make sure you get their equipment, such as laptops and mobile devices, back before they have left the premises. Review all code before it is pushed to production.

Nothing jumps out as hard to handle with security management…except for this part:

Makwana’s employment record was a matter of some confusion last year, with various contractors denying that he worked for them, but was instead a “pass-through” employee paid by another company.

IonIdea, an IT contractor with offices in the Washington D.C. area, acknowledged that it had billed Fannie Mae for Makwana’s work, but argued that Makwana was actually employed by yet another firm, N.J.-based Marlabs.

I remember how Dvorak questioned why Makwana was ever hired in the first place. It still is a compelling question and probably not one answered by security (yet).