[SecurityRatty] tag: construction

Reviewing the New MacBook Pro

Tue, 14 Oct 2008 09:18:41 +0000

I just read the Ars Technica update of the new Macbook Pro, announced by Apple yesterday:

Up first is a new MacBook Pro, with a buttonless trackpad, full glass screen (like the iMac), and all ports migrated to one side of the machine. The new buttonless trackpad adopts the iPhone’s multitouch functionality, offering a glass surface area that is both 39 percent larger than previous trackpads and allows for gestures involving up to four fingers. The new construction features an LED-backlit display, next-gen Nvidia GeForce 9400M and 9600M graphics with 512MB of GDDR3 RAM (and the ability to run them in Hybrid SLI mode), and a “precision aluminum unibody enclosure” that cuts down on parts costs while offering a much more rigid construction than the current aluminum design.

Some of the changes are great — more surface area on the trackpad and stronger construction–who can fault them for that? However, why on earth would they want to move all ports to one side? It’s really useful to bea ble to plug some things (like USB ports) from both sides, and honestly they need more than just 2 USB ports, so I’m sad to see that wasn’t updated.

The other great ergonomic change that could be made on the large MacBooks would be to move the speakers (currently at either side of the keyboard) to the center, and separate the keyboard sections to allow some space between your hands. But Apple might anticipate that this is a change that would be badly received by some users and that it can easily be corrected using a special ergonomic keyboard–everyone with a laptop should be using an external keyboard regularly anyway.

Mark Curphey On Builders and Breakers

Fri, 19 Sep 2008 08:02:10 +0000

Superb post by Mark on what I think is the biggest problem we have in security. One thing you learn in consulting is that no matter what anyone tells you when you start a project about what problem you are trying to solve, it is always a people problem. The single biggest problem in security is too many breakers not enough builders. Please understand I am not saying that breakers are not useful, we need them, and we need them to continue to get better so we can build more resilient systems. But the industry is about 90% breaking and 10% building and thats plain bad.

It’s still predominantly made up of an army of skilled hackers focused on better ways to break systems apart and find new ways to exploit vulnerabilities than “security architects” who are designing secure components, protocols and ultimately secure systems. If you don’t believe me go have a conversation with a so called application security consultant about SAML or security issues in Enterprise Message Buses and you’ll almost definitely draw blank stares. Ask application security consultants if they know about the latest HTTP or HTML spec and they’ll likely say yes (and want to demonstrate the latest issues) but if you ask them about the latest WS-x spec you’ll likely draw more blank stares. When was the last time you saw an attack drawn out as a UML sequence diagram? This is worrying and somewhat sad. I don’t think we are culturing, encouraging and nurturing people with the right skills to make a positive difference.

This is exactly my experience as well. Not only that, we have too much destruction and not enough construction, this is a big enough problem all by itself. I would go one step further and say we need creative destruction, breakers breaking things that lead to better systems over time. Maybe we need an OWASP Builders project?

In any case, for my small part I am builder. I teach a class (and will at OWASP) that is 100% focused on building secure Web services, identity management, distribut authN, authZ, message security and so on. I can tell you first hand there are not a lot of people approaching the problem from a builder mindset.

Employee Fraud Spiralling Out of Control in the UK

Tue, 09 Sep 2008 06:08:00 +0000

You have read it before on TheBulletProofBlog - the tougher times get, the more likelihood that people will resort to criminal measures.

We reported it regarding the theft of copper from Churches, Hospitals, Schools - even from new homes still under construction. We brought to your attention the fact that thieves have become bolder, evidenced by the theft of manhole covers in public streets and drilling into fuel tanks on vehicles as petrol and diesel prices rise.

In "Personneltoday", it is reported that employers have been put on "red alert" as the downturn in the economy is prompting employees to make ends meet by dishonest means. One figure that employers every where are bound to find shocking is the fact that employee fraud has cost UK companies more than 77 Million Pounds Sterling (approx. $150,000,000.00),just in the first half of this year alone.

The most disturbing aspect of this figure is the fact that it is up from 10 Million Pounds Sterling (approx. $18,000,000.00)in the same period last year. This represents more than an 8 fold increase in employee fraud in a 12 month period.

The report was conducted by the accountancy firm BDO Stoy Hayward. Mr. Simon Bevan, the head of fraud services there attributes the escalation in criminal activity amongst employees to; "spiralling personal debt as a result of mortgage,food and fuel price hike". Sound familiar?

The population of the UK is one sixth that of the United States. It is frightening to imagine what the figures will look like from U.S. businesses at the end of this year and beyond. In 2002, employee fraud and abuse cost U.S. businesses $6 Billion Dollars (independently reported by the "Association of Certified Fraud Examiners" of which SEXTON is a member).

What would be the outcome to U.S, businesses if fraud costs escalated 8 fold to $48 Billion Dollars by year's end? How many would go under? How much further damage would that inflict on the already struggling economy? The economic circumstances in the U.S. are certainly similar to those of the UK.

U.S. businesses beware. Be proactive and fight fraud and abuse before it is too late. Your very survival just may depend upon it.

Thieves Target Homeowners and Builders

Fri, 29 Aug 2008 15:51:00 +0000

We have written about thefts of copper wire and even street manhole covers in the past. It appears that new homes and those being foreclosed upon are ripe targets for unscrupulous thieves.

Thankfully, there are many more solutions than in days past. Global Positioning Systems can now be hidden in materials and the thieves can be tracked in real time and the Police notified by the security consultant who has been hired to monitor their movements.

The highlighted link from "The New York Times", tells the sad story of a young couple and their 7 month old child who had to live onsite at their new house for many months in order to deter thieves.

We have spoken with home builders in the past regarding supplying security officers to monitor unfinished homes. One of the hurdles has been the cost of security. The escalating cost of these thefts may now make Home Builders think twice though.

The National Association of Home Builders claims that $5 BILLION a year is being stolen nationally by theives from homes under construction. That would purchase a lot of security services. Not to mention the cost of labor to replace that missing copper wire, plumbing fittings, doors & windows, etc.

Like we always say, thieves are opportunists. If you give them an opportunity such as leaving valuable building supplies unprotected, they will take them. On the other hand, if you put an obstacle in their path such as a site that is monitored by security cameras (with somebody on the other end of the camera - you'd be surprised how many businesses put in cameras but have nobody to monitor them)or a roving security vehicle, they will move along and ply their trade elsewhere.

That is called "target hardening". Quite literally, you make yourself (or your property) a harder, more difficult target. They then move along to some other target. Bad for someone else, but good for you.

Apple on Fire!

Wed, 13 Aug 2008 10:45:49 +0000

It’s not just sales burning in Apple’s pockets — one of the Apple buildings in Cupertino caught fire today and burned for 3 hours before being extinguished — there was considerable damage.

The incident appeared to be connected to a construction crew working in the area where the blaze started, Darron Pisciotta, captain of operations for the Santa Clara County Fire Department, told InformationWeek. The work crew was the first to report the fire. More than 60 firefighters responded to the alarms.

I have a friend who’s been contracting down there, so glad to hear that no one was hurt!
I hope this doesn’t set development on the iTablet back;)

Hey, if you have construction workers in your area, tell them to be careful, okay?

Kaspersky says hacking attack did no damage

Mon, 21 Jul 2008 20:00:00 +0000

The defacement of one of Kaspersky Lab's partner Web sites over the weekend occurred while the site was under construction and offered no data to steal, a senior company official said Tuesday.

Do we need a farm system in the security industry?

Mon, 21 Jul 2008 12:17:30 +0000

Just read a good article by Lisa Vaas on Computerworld titles "When security staffers fail up". The article talks about some of the challenges that are faced by companies trying to provide proper security. While one of the issues is "bundled badness" which I will talk about later, the bigger problem that Lisa writes about is the profile of our security administrators. It is a familiar story I am afraid. Security people don't do a good job of "humanizing" themselves. Their peers don't understand what they are trying to accomplish and too often we speak in geek terms and try to dictate how people conduct business. As a result we are the "people in the way".

The next thing Lisa hits on is the obsession with certifications. Too many people think having a CISSP is the be all and end all of security. First of all, you can't hire enough of them and many of them don't have the practical business experience to take it to the next level. Than there is the security "prima donna". They just think they are smarter than everyone else and too many tasks are below them as to elementary. We have all met these types before as well.

Quickly on the "bundled badness" thing. Lisa rightfully points out that in spite of Mike Rothman's feelings to the contrary, though CIO and CFO types like to buy the bundle and get the jack of all trades suite cheaper than buying best of breeds individually, at the end of the day it is hurting our security. If you are really serious about securing the environment there is a world of difference between buying the bundle of goodness versus best in class tools.

Ultimately though, what are we to do about getting better security pros in the workplace? Do we need to change the certification process? Should companies have a different profile of who they hire for security positions. Do we need to develop some sort of farm system where security pros can cut their teeth and learn their craft, like the guilds and apprentices of yesteryear? The construction industry used to work like that. Maybe we should consider it too?

Follow the Yellow Brick Road

Sat, 19 Jul 2008 15:57:20 +0000

Marc Adler follows on from Muddy Waters to The First Annual Fluffies for CEP where Marc also calls into question the transparency, credibility and accuracy of the various fluffy “awards” we see from time-to-time.

When I discussed this openly with Waters in Muddy Waters comments they kindly replied that “customers are loath to be a reference client for a vendor,” like this fact somehow justifies having 600 people, most who have never actually used the software in practice, vote on how great it is.

Follow the Yellow Brick Road.

Or, as Mark Adler pointed out in his well written blog post The First Annual Fluffies for CEP , a secretive “panel of renowned judge” is going to tell us, via Jolt, who has the better solution? Holy Cow Batman! Let me buy a nice layout in your magazine or web site, please, so “my software company” will be on the short list for the “the awards”.

Follow the Yellow Brick Road.

All this smoke-and-mirrors. share-the-love, marketing reminds me of The Matrix a bit, where the world as we observe it, is a complete artificial construction, where most people in the Matrix believe they are “real” because they do not know that they really just a computer generated program designed to keep humans happy as they sleep in some cold goop with electrodes stuck up their you-know-what, really just bio-batteries insuring the light bill is paid.

Follow the Yellow Brick Road.

Or better yet, these fluffies are similar to most of the Webinars we see where there are questions from “the audience” but we know that most of these questions did not come from the “audience” - yet we all seem to continue ”the audience” myth just like Santa Claus and the Easter Bunny!

Follow the Yellow Brick Road.

The Easter Bunny, Santa Claus, the Tooth Fairy and the Fluffy Awards are real, if you want them to be real. Just close your eyes and click your heels three times….

Follow the Yellow Brick Road. Follow the Yellow Brick Road.
Follow, follow, follow, follow,
Follow the Yellow Brick Road.
Follow the Yellow Brick, Follow the Yellow Brick,
Follow the Yellow Brick Road.

We’re off to see the Wizard, The Wonderful Wizard of Oz.
You’ll find he is a whiz of a Wiz! If ever a Wiz! there was.
If ever oh ever a Wiz! there was The Wizard of Oz is one because,
Because, because, because, because, because.
Because of the wonderful things he does.
We’re off to see the Wizard. The Wonderful Wizard of Oz

Random Stupidity in the Name of Terrorism

Thu, 03 Jul 2008 08:57:04 +0000

An air traveller in Canada is first told by an airline employee that it is "illegal" to say certain words, and then that if he raised a fuss he would be falsely accused:

When we boarded a little later, I asked for the ninny's name. He refused and hissed, "If you make a scene, I'll call the pilot and you won't be flying tonight."

More on the British war on photographers. A British man is forced to give up his hobby of photographing busses due to harrassment.

The credit controller, from Gloucester, says he now suffers "appalling" abuse from the authorities and public who doubt his motives. The bus-spotter, officially known as an omnibologist, said: "Since the 9/11 attacks there has been a crackdown. "The past two years have absolutely been the worst. I have had the most appalling abuse from the public, drivers and police over-exercising their authority. Mr McCaffery, who is married, added: "We just want to enjoy our hobby without harassment. "I can deal with the fact someone might think I'm a terrorist, but when they start saying you're a paedophile it really hurts."

Is everything illegal and damaging now terrorism?

Israeli authorities are investigating why a Palestinian resident of Jerusalem rammed his bulldozer into several cars and buses Wednesday, killing three people before Israeli police shot him dead. Israeli authorities are labeling it a terrorist attack, although they say there is no clear motive and the man -- a construction worker -- acted alone. It is not known if he had links to any terrorist organization.

Boston public school locked down after someone saw a ninja:

Turns out the ninja was actually a camp counselor dressed in black karate garb and carrying a plastic sword. Police tell the Asbury Park Press the man was late to a costume-themed day at a nearby middle school.

And finally, not terrorism-related but a fine newspaper headline: "Giraffe helps camels, zebras escape from circus":

Amsterdam police say 15 camels, two zebras and an undetermined number of llamas and potbellied swine briefly escaped from a traveling Dutch circus after a giraffe kicked a hole in their cage.

Are llamas really that hard to count?

Clever Museum Theft

Fri, 06 Jun 2008 01:04:38 +0000

Some expensive and impressive stuff was stolen from the University of British Columbia's Museum of Anthropology:

A dozen pieces of gold jewelry designed by prominent Canadian artist Bill Reid were stolen from the museum sometime on May 23, along with three pieces of gold-plated Mexican jewelry. The pieces that were taken are estimated to be worth close to $2 million.

Of course, it's not the museum's fault:

But museum director Anthony Shelton said that elaborate computer program printouts have determined that the museum's security system did not fail during the heist and that the construction of the building's layout did not compromise security.

Um, isn't having stuff get stolen the very definition of security failing? And does anyone have any idea how "elaborate computer program printouts" can determine that security didn't fail? What in the world is this guy talking about?

A few days later, we learned that security did indeed fail:

Four hours before the break-in on May 23, two or three key surveillance cameras at the Museum of Anthropology mysteriously went off-line.
Around the same time, a caller claiming to be from the alarm company phoned campus security, telling them there was a problem with the system and to ignore any alarms that might go off.

Campus security fell for the ruse and ignored an automated computer alert sent to them, police sources told CBC News.

Meanwhile surveillance cameras that were still operating captured poor pictures of what was going on inside the museum because of a policy to turn the lights off at night.

Then, as the lone guard working overnight in the museum that night left for a smoke break, the thief or thieves broke in, wearing gas masks and spraying bear spray to slow down anyone who might stumble across them.

It's a particular kind of security failure, but it's definitely a failure.