"The rigorous studies clearly show red-light cameras don't work," said lead author Barbara Langland-Orban, professor and chair of health policy and management at the USF College of Public Health. "Instead, they increase crashes and injuries as drivers attempt to abruptly stop at camera intersections."

Comprehensive studies from North Carolina, Virginia, and Ontario have all reported cameras are associated with increases in crashes. The study by the Virginia Transportation Research Council also found that cameras were linked to increased crash costs. The only studies that conclude cameras reduced crashes or injuries contained "major research design flaws," such as incomplete data or inadequate analyses, and were always conducted by researchers with links to the Insurance Institute for Highway Safety. The IIHS, funded by automobile insurance companies, is the leading advocate for red-light cameras since insurance companies can profit from red-light cameras by way of higher premiums due to increased crashes and citations.

And, of course, the agenda of the government is to increase revenue due to fines:

A 2001 paper by the Office of the Majority Leader of the U.S. House of Representatives reported that red-light cameras are "a hidden tax levied on motorists." The report came to the same conclusions that all of the other valid studies have, that red-light cameras are associated with increased crashes and that the timings at yellow lights are often set too short to increase tickets for red-light running. That's right, the state actually tampers with the yellow light settings to make them shorter, and more likely to turn red as you're driving through them.

In fact, six U.S. cities have been found guilty of shortening the yellow light cycles below what is allowed by law on intersections equipped with cameras meant to catch red-light runners. Those local governments have completely ignored the safety benefit of increasing the yellow light time and decided to install red-light cameras, shorten the yellow light duration, and collect the profits instead.

The cities in question include Union City, CA, Dallas and Lubbock, TX, Nashville and Chattanooga, TN, and Springfield, MO, according to Motorists.org, which collected information from reports from around the country.

The baaad folks who were listed up on this “Wall of Sheep” consisted largely of security professionals who should know better, though many of them were using iPhones or other types of mobile devices instead of traditional laptops. Apparently, users were warned ahead of time that this could happen, and this type of passive hacking was done good naturedly, as a lesson and a point of humor.

But the event turned a bit sour when some reporters set out to actively hack credentials and passwords from other well known press representatives (like eWeek and CNET), in order to post them on the Wall of Sheep, too. It’s a credit to the Black Hat organizers that they showed their commitment to security and confidentiality, and threw the reporter-hackers out of the conference for their “active” hack:

With thousands of hackers milling around the Black Hat convention here, and widespread snooping on the public WiFi network, one place was supposed to be off limits: the press room.

But in a case of reporters spying on other reporters, three journalists working for the French publication Global Security Magazine were booted Thursday from the hackers’ conference after they were allegedly caught hacking into the private computer network set up for the media.

Read the full article here.

The HANG UP Act (Halting Airplane Noise to Give Us Peace, cute) will make the regulatory actions statutory. Oregon Rep. Peter DeFazio has been pushing such a move to prevent airlines from moving forward on such services despite the overwhelming distaste by American travelers. In Europe, Asia, and the Middle East, there appears to be less concern, and we'll see how it works out when calling starts to become widely available on RyanAir and other airlines by year's end.

AirCell's near-term launch with American Airlines of its GoGo Internet service will use various measures, including crew involvement, to prevent in-flight VoIP.

To enable in-flight calling, OnAir and others place a low-power picocell in an aircraft which handles all the frequencies that could be used by mobile phones. The phones associate with the picocell, keeping their power output low. The picocell could be used to prevent calls entirely, too.

Formalize your Final Security Review (FSR) Process

A Final Security Review is your final security audit to ensure your software is secure enough to deliver to your customers. I will assume the idea of an FSR is a new concept and try to provide some FAQ-style detail on this topic.

Who is the FSR team? An FSR Team usually consists of a non-product-team security expert (for impartial perspective), a security representative from the product team, and individual representatives from the separate disciplines. However, that size team may not scale to your company. If that is the case, at a minimum, you should have an impartial “outsider” separate from the product team who understands the security requirements as well as the measurements used to validate them. This person along with a project manager can probably perform the bulk of the FSR with development or test leadership providing input as needed.

What is needed to do an FSR? All threat models should be revised to reflect the final product, the code should be complete, and all security-related testing should be completed and documented. In addition, everyone involved in the FSR should have full access to the bug database to review status or exceptions to security bugs.

What does an FSR team do?

1. Re-review threat models to verify all mitigations identified in those exercises were fixed or went through an exception process.
2. Verify that all security issues uncovered during the development process were fixed or granted exceptions by the appropriate people. This is where you verify whether the state of your security bugs meets the “bug bar” requirements you have defined for your products.
3. If there is any output from security tools that you have used to define requirements, the FSR team would verify that the results of the tools meet the security requirements.
4. Review all exceptions to verify that they approve these decisions in the context of the final product. If they identify risks associated with the exceptions, they should communicate those to the business ownership for a final decision before signoff. Any decisions related to known risks should also be reflected in the response plan for future reference.
5. Finally, there should be a final signoff exercise where all security people and project leadership jointly approve the decision of the Final Security Review.

How long does an FSR take? If done correctly, the FSR will likely take some time. You should schedule this review well in advance of your release date to give your FSR team some time to complete the review, push issues back to the product team, and respond to any serious issues that may be discovered.

Final security reviews are a crucial piece to your Security Development Lifecycle. It would be easy to encourage secure development in your team, but as you expand your process to include formal security requirements and begin enforcing those requirements, it is necessary to perform a final audit of your product before it is released. Your customers will thank you for taking the time to add this layer of quality control to your operations and you will likely save yourself some security embarrassment down the road by adding a FSR to the end of your product cycle.

Document security work for reference

After the FSR is complete, there is still work for the security team. The final FSR documentation should be archived along with the symbols and code that represents the finished project. This becomes the time-stamped “snapshot” of your product. Your post-release process should include archiving the following documents in an easily accessible location:

·         All final threat models for future reference.

·         Bug bars, tool settings, and test results related to your project and the supporting tools used to validate. These will be referenced and reused in the next product cycle.

·         All documented security bug exceptions. These need to be rolled into your next product cycle to ensure they are addressed.

·         The final symbols that reflect the product shipped should be archived.

·         The Final Security Report and project signoffs to validate your security audit activity

·         Your Incident Response Plan (discussed in the Crawl post). This must be accessible for quick reference if security incidents occur.

Archiving this evidence serves a few critical purposes: it shows historic evidence of the work you did to ensure a secure product, allows you to postmortem the results and improves your process each time, and reduces the amount of time your team will have to spend next time around by making the existing resources reusable.

In closing…

I hope this long series has provided some practical steps you can take to move your Security Development Lifecycle practices to the next level. At Microsoft, creating a lifecycle to match security development practices has faced a fair share of challenges. However, the investment and time has resulted in more secure products. We’ll continue refining how we execute the Security Development Lifecycle and hope to share those ideas with you along the way. We welcome your thoughts and questions as you start “Walking” with the SDL in your own company and look forward to seeing more secure products and customers as a result.

I’ve created a unique tag on the SDL Blog to cover this series. To get a full list of the related posts, click the “Crawl Walk Run” tag on the left column. I’ll post a Word document version of the full “Walk” series sometime in the next week.