So another week, another travel nightmare.  This week I am in the DC area for a few days, than flying over to Ohio and then back home.  Staying in the DC/Northern Va area I made hotel reservations through our corporate Expedia account (which is now called Egencia BTW). Though it is fine for airline reservations, I regret it every time I make a hotel reservation on Expedia.  This time I reserved a room at the Virginian Suites. I had never heard of it, but it was only $158, which is really cheap for around here.  It had 3 stars and sounded good, so I booked it.

I arrived tonight and as I pulled up I have to say that I thought I made a good choice. It is a converted apartment building and every room is actually a studio type of apartment. It has free parking and is located near where I have meetings in Arlington. I gave my name at the desk and they had my reservation, looking good!  I was given keys to room 707 and headed on up.  I got to room 707 and tried to open the door.  No luck, the keys didn???t work. After a moment or two of trying to make the keys work, the door opens and the guy who is staying in the room wants to know what I am doing trying to get in. Well I was reminded of an old Robert Schimmel comedy routine and ran away from there as fast as I could. 

I went back down to the desk and told them what happened.  The woman at the desk apologized, she meant to write room 700, not 707.  While I am waiting for her to correct this and issue new keys, I am looking at the schedule of events at the hotel today.  That is when I notice that one of the main events of the day was a someone???s funeral!  Thats right, it seems the hotel is used for funerals in the area.  That just freaked me out.  Now I am getting Six Feet Under deja vu here.  I don???t know, call me squeamish, but I just don???t feel good about staying at a hotel that doubles as a funeral home. To top it off, the Internet access here sucks. It is so slow that I am watching the paint dry.  Maybe I should go down and catch a funeral or two while I wait for a page to load.  In any event, I think this will be the last time I stay here.  I just can???t wait for what the rest of this week brings!

So another week, another travel nightmare.  This week I am in the DC area for a few days, than flying over to Ohio and then back home.  Staying in the DC/Northern Va area I made hotel reservations through our corporate Expedia account (which is now called Egencia BTW). Though it is fine for airline reservations, I regret it every time I make a hotel reservation on Expedia.  This time I reserved a room at the Virginian Suites. I had never heard of it, but it was only $158, which is really cheap for around here.  It had 3 stars and sounded good, so I booked it.

I arrived tonight and as I pulled up I have to say that I thought I made a good choice. It is a converted apartment building and every room is actually a studio type of apartment. It has free parking and is located near where I have meetings in Arlington. I gave my name at the desk and they had my reservation, looking good!  I was given keys to room 707 and headed on up.  I got to room 707 and tried to open the door.  No luck, the keys didn’t work. After a moment or two of trying to make the keys work, the door opens and the guy who is staying in the room wants to know what I am doing trying to get in. Well I was reminded of an old Robert Schimmel comedy routine and ran away from there as fast as I could. 

I went back down to the desk and told them what happened.  The woman at the desk apologized, she meant to write room 700, not 707.  While I am waiting for her to correct this and issue new keys, I am looking at the schedule of events at the hotel today.  That is when I notice that one of the main events of the day was a someone’s funeral!  Thats right, it seems the hotel is used for funerals in the area.  That just freaked me out.  Now I am getting Six Feet Under deja vu here.  I don’t know, call me squeamish, but I just don’t feel good about staying at a hotel that doubles as a funeral home. To top it off, the Internet access here sucks. It is so slow that I am watching the paint dry.  Maybe I should go down and catch a funeral or two while I wait for a page to load.  In any event, I think this will be the last time I stay here.  I just can’t wait for what the rest of this week brings!

Well, no, security dweebs, we’re on a public policy kick, probably will be until the end of the year (more on that to follow, stay tuned), so you wouldn’t be so lucky.

The Plum Book’s official title is Government Policy and Supporting Positions and basically it’s a huge staffing chart for the Senior Executive Service–the political appointees.  Congress publishes the Plum Book after each presidential election, so for those of us who remember our civics lessons in high school, that would be every 4 years, and the last one was published in 2004.

In fact, you can see the last edition here.  Caveat:  it’s dry, like the uber-trocken Franken white wine that grows in the fields around where I used to live in Germany–so dry that it sucks the moisture right out of you.

Plum Pickin photo by Secret Tenerife

Now why do we care about the Plum Book?  Well, that’s a good question.  Have a look at some of the staffing plans in the plum book, and you’ll see something missing:  Agency CISOs.

Now, I’m not a rocket scientist on org charts, but it seems to me that unless you put CISOs up to where they’re answerable to the agency head, they’re just a cost center inside the IT department with no visibility to the decision-makers.  Once again, we’ve crippled our security staffs like the old-school way of doing things.

On another note, taking a quick straw poll of the agency CISOs that I know, I think about half of them are political appointees, and half of them are GS-15s.  So what’s the difference?

Well, political appointees (SES) are appointed by the President.  They make a better target because they have much more visibility from the higher-ups they are more political in nature.

GS-scale employees are civil service careerists.  Usually these are the guys who have moved up the ranks in the various agencies and know quite a bit of things.

Which is better?  Well, if you want survivability, then GS-scale is the way to go.  If you want to make the most difference, SES is the ticket.

Most of us will never get the choice. =)

Bookmark to:

AEP had been a victim of the NAC fallout.  They made a bad bet on an OEM partner to provide them with NAC technology.  When that NAC vendor went belly up, so did AEPs NAC product as a result.  Now Tim Greene reports that AEP has come out with a new device that while not strictly a NAC product, does more identity access control and does not seem to do any admission control.

AEP which makes a SSL VPN type of appliance has a new appliance that delivers an agent to an endpoint and authenticates the user.  It than according to the article inserts an identifier in the payload of every packet that shows where and who that packet is from which then allows it to either pass or not pass through, only to its allowed base.  I don’t know that seems a bit of a chokepoint/bottleneck to me, but I don’t know enough about it, only what I read in the article.

The appliance is not cheap with a price tag of over 50k for just 99 users.  It seems like an awful lot of money for what it does.  An important lesson I think on picking the right OEM partner.  Pick the wrong one and your product goes down as collateral damage to the OEM partners demise.

The writer says that air-to-ground service is like Wi-Fi in the sky, but it's using cellular data standards, and so it's much more like mobile broadband in the sky. He also writes that there's 3 Mbps, which is the combined up-and-down estimated throughput of AirCell, the only firm that can operate such service in the U.S. for commercial flights. The next graf mentions that satellite-based Internet access is coupled with, uh, 802.11b (yes, B) access points. I think that's an error, innit?

And the analysis of JetBlue's move is incorrect. The purchase of Verizon's Airfone network is about positioning equipment, not using out-of-date gear that can't be employed for phone calls on commercial airliners.

I'd suggest a more appropriate metaphor be used than the one in this sentence: "[Lufthansa] hopes the experience is more fruitful than its ill-fated 2004 deal with Boeing's Connexion service, which crashed and burned when Boeing shut it down two years later." Beyond the distasteful reference, Connexion was shut down in an orderly fashion, and Lufthansa was one carrier that loved it, and tried to get it to stay in operation, and, failing that, to build a consortium to revive it.

The article finishes with a set of incorrect conclusions:

"There hasn't been much news about how airlines plan to charge for these services." In fact, we know pretty much that it will cost roughly $6 an hour, $10 for a 3-hour flight or less, and $13 for a flight longer than 3 hours. That's from Aircell in various statements, and it appears to be roughly the charges expected from its competitors in the US. In Europe, mobile calls and texting prices are also known: about US$2.50 per minute for calls, and something like 25 to 50 cents for text messages, not much more than the egregious ground pricing.

"If the industry's cash crunch gets much worse, in-flight broadband might be mothballed before it even gets off the ground." It's unclear what part of the expense the airlines are bearing. In my discussions with firms over the last five years, it's clear to me that this round involves the providers bearing more of the cost--and hence the lower installation cost involved--but also retaining more of the revenue.

Wi-Fi a-go-go onboard buses: The New York Daily News checks in on the trend to put Internet access via Wi-Fi on board East Coast buses. The article notes that Greyhound's new sidewalk-pickup BoltBus service among corridor cities has provoked the long-running Chinatown buses to bolt on Wi-Fi as well. The Chinatown Bus Association says here that their bus tickets are cheaper and thus more competitive--but one of their members has already added Wi-Fi, and others are considering it. MegaBus also serves the coast and has Internet access, as well as DC2NY. The biggest problem, though? Passengers demand AC outlets, and only BoltBus has them on every bus. LimoLiner (New York to Boston) isn't mentioned here, but is one of the earliest firms I'm aware of with on-board Internet, starting in 2004, and they also have power to every seat.

William Trogler and his team at the University of California, San Diego, made a silafluorene-fluorene copolymer to identify nitrogen-containing explosives. It is the first of its kind to act as a switchable sensor with picogram (10-15g) detection limits, and is reported in the Royal Society of Chemistry's Journal of Materials Chemistry.

Trogler's polymer can detect explosives at much lower levels than existing systems because it detects particles instead of explosive vapours. In the team's new method one simply sprays the polymer solution over the test area, let it dry, and shine UV light on it. Spots of explosive quench the fluorescent polymer and turn blue....

I know, I know- it’s late- but better late than never, right?

I really tried my best to take photos as much as possible. A quick note on the photography- because of the size of the rooms, it didn’t make sense to have the flash on, unfortunately it slowed the shutter speed, making some images blurry (sorry).

So Day 2 already felt like day 5 somehow. I had flown in early to be a tourist for a day or so but caught up with partners and other event-goers early, making it an especially long week. Wednesday was an eventful day. I have a great  Sins of Our Fathers session to share with you, a day with the Enigmas, and the Security Bloggers Party.

The highlight of the day’s sessions had to be the ‘Sins of Our Fathers’ breakout with an amazingly hilarious geek-filled panel including Daniel Houser, Ben Jun and Hugh Thompson. (Hugh unquestionably won the Most Entertaining Geek Award for the day). I was tweeting live from the session and took some photos of the interactive polls they intertwined in the discussion. They drew some interesting correlations between current security issues, such as SQL injections an ‘previous sins’, likening it to phone whistling. There were random notes about the inherent security risk of mixing data and coding together. View photos from session.

Then they talked about using good technology in a way that made it vulnerable. Examples, the Enigma code machines from WWII. (It was actually broken by the known plain-text gathered from repetition in contact initiation, and the mis-use of one-time-pads). They drew the line from Enigma to WEP and other algorithms that were okay, but mis-implemented.

There were a variety of other anecdotes, accompanied by audience-wide snickers, snorts and laughter. One story of tape backups, encrypted, with the key dutifully stick-noted to the case. Another of the secretary who type-writered all the 5.25” floppies. The story of the unmanned Predator aircraft flying unattended for about 5 minutes during a PC reboot. They were all tied into the topic nicely, and the guys did an outstanding job interacting and playing off one another.

One a more serious note- well, sorta- Hugh showed a clip from his participation in the documentary “Hacking Democracy” about the lack of security of electronic voting.

Here was something amusing… Their crypto list of
If you hear any of these, RUN!

1. Cryptography is expensive.
2. We have this guy that’s reallllly smart…
3. Wired EQUIVALENT encryption… . 
4. It’s “proprietary” security
5. It’s revolutionary NEW cryptography technology!
6. It uses DES- so its FIPS 140 compliant 

Some of the sins from the session…

• Engineering, Development & Management sins
• Using a good technology in a bad implementation
• Lack of metrics to indicate misuse
• Feature/mission creep - using item A for solution B
• Not teaching people how to use security
• Teaching them, but teaching bad habits
• Normalization of deviancy

I’ve spent long enough on that, there’s plenty more to share, but that session was so good, I thought it deserved some special attention. I did stay for the Cyber Storm II Panel, but that left more than ‘a little’ to be desired. I would have liked more anecdotal stories and a little more personality. The panel participants were knowledgeable, and I’m sure they were doing what they had been told, but it made for a very dry session, little content of interest, and much repetition. There’s a little live Tweeting from that session too.

Playing with the Enigma
At the Sins of Our Fathers sessions, I believe it was Ben that mentioned we had at our disposal not one- but TWO Enigma machines on the expo floor here are RSA. And BOTH were for our playing! They had it set so we could set the key and encode a message at the NSA booth, then take the encrypted message to the Cryptographic Research booth and use that Enigma to decypher the message. HOLY COW!!!!!! If their session hadn’t been so great I would have left right then. The only time I’ve seen these beautiful little pieces of crypto history, they’ve been fully encased in glass, and not for the touching. They actually let you set the rotors and punch the code in yourself so my buddy Eric and I ran right over to take full geek advantage of the situation. 

YES, that’s me with an Enigma, and I have more photos of the two Engimas.

The big highlight of the evening? The Security Bloggers Party of course! You get a whole post just for this topic, so stay tuned for that. I didn’t take photos here, because I felt pretty sure someone would be walking around with a camera. I need to find @ajolly (Apneet Jolly) and see if he has any- he’s usually fully equipped with a very nice camera…

# # #

In 1993, Internet pioneer John Gilmore said "the net interprets censorship as damage and routes around it", and we believed him. In 1996, cyberlibertarian John Perry Barlow issued his 'Declaration of the Independence of Cyberspace' at the World Economic Forum at Davos, Switzerland, and online. He told governments: "You have no moral right to rule us, nor do you possess any methods of enforcement that we have true reason to fear."

At the time, many shared Barlow's sentiments. The Internet empowered people. It gave them access to information and couldn't be stopped, blocked or filtered. Give someone access to the Internet, and they have access to everything. Governments that relied on censorship to control their citizens were doomed.

Today, things are very different. Internet censorship is flourishing. Organizations selectively block employees' access to the Internet. At least 26 countries -- mainly in the Middle East, North Africa, Asia, the Pacific and the former Soviet Union -- selectively block their citizens' Internet access. Even more countries legislate to control what can and cannot be said, downloaded or linked to. "You have no sovereignty where we gather," said Barlow. Oh yes we do, the governments of the world have replied.

Access Denied is a survey of the practice of Internet filtering, and a sourcebook of details about the countries that engage in the practice. It is written by researchers of the OpenNet Initiative (ONI), an organization that is dedicated to documenting global Internet filtering around the world.

The first half of the book comprises essays written by ONI researchers on the politics, practice, technology, legality and social effects of Internet filtering. There are three basic rationales for Internet censorship: politics and power; social norms, morals and religion; and security concerns.

Some countries, such as India, filter only a few sites; others, such as Iran, extensively filter the Internet. Saudi Arabia tries to block all pornography (social norms and morals). Syria blocks everything from the Israeli domain ".il" (politics and power). Some countries filter only at certain times. During the 2006 elections in Belarus, for example, the website of the main opposition candidate disappeared from the Internet.

The effectiveness of Internet filtering is mixed; it depends on the tools used and the granularity of filtering. It is much easier to block particular URLs or entire domains than it is to block information on a particular topic. Some countries block specific sites or URLs based on some predefined list but new URLs with similar content appear all the time. Other countries -- notably China -- try to filter on the basis of keywords in the actual web pages. A halfway measure is to filter on the basis of URL keywords: names of dissidents or political parties, or sexual words.

Much of the technology has other applications. Software for filtering is a legitimate product category, purchased by schools to limit access by children to objectionable material and by corporations trying to prevent their employees from being distracted at work. One chapter discusses the ethical implications of companies selling products, services and technologies that enable Internet censorship.

Some censorship is legal, not technical. Countries have laws against publishing certain content, registration requirements that prevent anonymous Internet use, liability laws that force Internet service providers to filter themselves, or surveillance. Egypt does not engage in technical Internet filtering; instead, its laws discourage the publishing and reading of certain content -- it has even jailed people for their online activities.

The second half of Access Denied consists of detailed descriptions of Internet use, regulations and censorship in eight regions of the world, and in each of 40 different countries. The ONI found evidence of censorship in 26 of those 40. For the other 14 countries, it summarizes the legal and regulatory framework surrounding Internet use, and tests the results that indicated no censorship. This leads to 200 pages of rather dry reading, but it is vitally important to have this information well-documented and easily accessible. The book's data are from 2006, but the authors promise frequent updates on the ONI website.

No set of Internet censorship measures is perfect. It is often easy to find the same information on uncensored URLs, and relatively easy to get around the filtering mechanisms and to view prohibited web pages if you know what you're doing. But most people don't have the computer skills to bypass controls, and in a country where doing so is punishable by jail -- or worse -- few take the risk. So even porous and ineffective attempts at censorship can become very effective socially and politically.

In 1996, Barlow said: "You are trying to ward off the virus of liberty by erecting guard posts at the frontiers of cyberspace. These may keep out the contagion for some time, but they will not work in a world that will soon be blanketed in bit-bearing media."

Brave words, but premature. Certainly, there is much more information available to many more people today than there was in 1996. But the Internet is made up of physical computers and connections that exist within national boundaries. Today's Internet still has borders and, increasingly, countries want to control what passes through them. In documenting this control, the ONI has performed an invaluable service.

This was originally published in Nature.

France's National Museum of Natural History on Tuesday unveiled the world's first "plastinated" squid -- a 6.5-metre-long (21.25-feet) deep-sea beast donated by New Zealand and named in honour of a creature featuring in Maori legend.

Plastination entails replacing the animal's water, fat and other liquids with a polymer that hardens.

It means the specimen can be appreciated in three dimensions in a dry, solid state, rather than in a jar filled with formalin or alcohol, whose glass distorts the view.

The squid was hauled up in January 2000 at a depth of 615 metres (2,000 feet) by fishermen off New Zealand.

[...]

The 65,000-euro (100,000-dollar) plastination, carried out by Italian lab VisDocta Research, took two and a half years, during which the specimen of Architeuthis sanctipauli lost 2.5 metres (seven feet) of its length through drying out.

Wheke is being given pride of place in the Paris museum's Great Gallery of Evolution, its centrepiece exhibit on biodiversity.

The giant squid, Architeuthis, of which there are three sub-species, is a potent source of maritime tales of tentacled monsters able to grab a ship and pull it down to its doom. The critter memorably featured in Jules Vernes' "20,000 Leagues Under the Sea," trying to engulf the submarine Nautilus.

In real life, though, the species is rather less gigantic -- about 13 metres (42.25 feet) from the caudal fin to the tip of its suckered tentacles. Females are larger than males.