[SecurityRatty] tag: safeguards

E-voting report: Several states still vulnerable

Thu, 16 Oct 2008 00:00:00 +0000

Several states still do not have adequate election safeguards in place, according to a new report.

E-voting report: Several states still vulnerable

Wed, 15 Oct 2008 20:00:00 +0000

Several U.S. states still are not doing all they can to ensure the accuracy of votes over electronic voting machines and 10 states received inadequate grades in three of four categories of safeguards, a report from three voting security advocacy groups said.

Data Mining for Terrorists Doesn't Work

Fri, 10 Oct 2008 02:35:43 +0000

According to a massive report from the National Research Council, data mining for terrorists doesn't work. Here's a good summary:

The report was written by a committee whose members include William Perry, a professor at Stanford University; Charles Vest, the former president of MIT; W. Earl Boebert, a retired senior scientist at Sandia National Laboratories; Cynthia Dwork of Microsoft Research; R. Gil Kerlikowske, Seattle's police chief; and Daryl Pregibon, a research scientist at Google.
They admit that far more Americans live their lives online, using everything from VoIP phones to Facebook to RFID tags in automobiles, than a decade ago, and the databases created by those activities are tempting targets for federal agencies. And they draw a distinction between subject-based data mining (starting with one individual and looking for connections) compared with pattern-based data mining (looking for anomalous activities that could show illegal activities).

But the authors conclude the type of data mining that government bureaucrats would like to do--perhaps inspired by watching too many episodes of the Fox series 24--can't work. "If it were possible to automatically find the digital tracks of terrorists and automatically monitor only the communications of terrorists, public policy choices in this domain would be much simpler. But it is not possible to do so."

A summary of the recommendations:

U.S. government agencies should be required to follow a systematic process to evaluate the effectiveness, lawfulness, and consistency with U.S. values of every information-based program, whether classified or unclassified, for detecting and countering terrorists before it can be deployed, and periodically thereafter.
Periodically after a program has been operationally deployed, and in particular before a program enters a new phase in its life cycle, policy makers should (carefully review) the program before allowing it to continue operations or to proceed to the next phase.

To protect the privacy of innocent people, the research and development of any information-based counterterrorism program should be conducted with synthetic population data... At all stages of a phased deployment, data about individuals should be rigorously subjected to the full safeguards of the framework.

Any information-based counterterrorism program of the U.S. government should be subjected to robust, independent oversight of the operations of that program, a part of which would entail a practice of using the same data mining technologies to "mine the miners and track the trackers."

Counterterrorism programs should provide meaningful redress to any individuals inappropriately harmed by their operation.

The U.S. government should periodically review the nation's laws, policies, and procedures that protect individuals' private information for relevance and effectiveness in light of changing technologies and circumstances. In particular, Congress should re-examine existing law to consider how privacy should be protected in the context of information-based programs (e.g., data mining) for counterterrorism.

Here are more news articles on the report. I explained why data mining wouldn't find terrorists back in 2005.

XTM? YAUSA, or Yet Another Useless Security Acronym

Mon, 11 Aug 2008 13:06:29 +0000

Sometimes, two negatives do make a positive. Gartner has avoided using the term UTM (that is, unified threat management) in our research because:

1. You can't (and wouldn't want to) manage threats.
2. UTM originally applied to products for small and midsize businesses (SMBs), but UTM has been recently co-opted by some enterprise security vendors under the guise of fresh marketing.
3. There is little evidence that many of the components in these platforms are integrated, much less "unified." Now, there is some promotion of the new acronym XTM (that is, eXtensible threat management) as a new generation of UTM. We're not referring to any product name, but the attempt to create a new and confusing acronym, and create another artificial market to size and make predictions about.

No matter what you call it, the arc of advancement of network security products for the SMB will continue: New threats will drive the development of new safeguards that will be included as an option in that same appliance. This is not true for the enterprise, where best-of-breed buying of point solutions will continue, with consolidation of products occurring in three places, aligned by buying center and safeguard profile (see "Introducing the Secure Web Gateway").

The next-generation firewall (NGFW) will serve the enterprise and combine firewall and IPS,; however, there will be no UTM for the enterprise (see "Magic Quadrant for Enterprise Network Firewalls, 2H07"). We are already seeing SMB multifunction firewall vendors optimizing performance by assigning separate ASICs, emphasizing that the inspection tasks on content and network processing are very different (see "MarketScope for Multifunction Firewalls for Small and Midsize Businesses"). Even among SMBs, we are seeing little evidence that many are deploying network, content and e-mail processing in the same platform, usually leaving e-mail security to a separate product or service.

Bypassing Microsoft Vista's Memory Protection

Mon, 11 Aug 2008 12:26:11 +0000

This is huge:

Two security researchers have developed a new technique that essentially bypasses all of the memory protection safeguards in the Windows Vista operating system, an advance that many in the security community say will have far-reaching implications not only for Microsoft, but also on how the entire technology industry thinks about attacks.
In a presentation at the Black Hat briefings, Mark Dowd of IBM Internet Security Systems (ISS) and Alexander Sotirov, of VMware Inc. will discuss the new methods they've found to get around Vista protections such as Address Space Layout Randomization(ASLR), Data Execution Prevention (DEP) and others by using Java, ActiveX controls and .NET objects to load arbitrary content into Web browsers.

By taking advantage of the way that browsers, specifically Internet Explorer, handle active scripting and .NET objects, the pair have been able to load essentially whatever content they want into a location of their choice on a user's machine.

Paper here.

Very few details are available for Missouri National Guard breach

Tue, 15 Jul 2008 10:15:48 +0000

Technorati Tag: Security Breach

Date Reported:
7/15/08

Organization:
National Guard Bureau

Contractor/Consultant/Branch:
Missouri National Guard ("MOGUARD")

Victims:
"Citizen-Soldier and employee"s

Number Affected:
"approximately 2,000"

Types of Data:
"some personal information"

Breach Description:
"The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised. Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation."

Reference URL:
Missouri National Guard Press Release
St. Louis Post-Dispatch

Report Credit:
Missouri National Guard

Response:
From the online sources cited above:

The Missouri National Guard learned on Monday, July 14, 2008, that some personal information was compromised.

Details of how this information was compromised are being withheld at this time, so as not to interfere with the ongoing law enforcement investigation.
[Evan] Sounds like a good excuse to not reveal details.

It is important to note that we have no reason to believe that the information that was compromised was for the purpose of gaining Citizen-Soldier or employee information or that the information has been or will be used inappropriately.
[Evan] It's nice that MOGUARD can make this judgment call on behalf of the victims. Its too bad the victims are not allowed to make a determination themselves based on the facts surrounding this breach.

The Missouri National Guard has a list of those Citizen-Soldiers or employees whose information was compromised.
[Evan] Keyword is "was", and not the phrase "may have been".

Letters are being sent to these individuals and/or their Families.

The list includes approximately 2,000 individuals.

At this time we have no confirmation of misuse of Citizen-Soldier or employee information resulting from the loss.

"I am distressed that sensitive information has been compromised," Major General King Sidwell
[Evan] I am impressed when a leader of an organization steps forward and speaks about a breach. In my opinion it demonstrates strong leadership and the understanding that the "buck" ultimately stops with him.

"I am especially concerned about the problems and inconveniences this may cause for our Missouri National Guard Citizen-Soldiers and their families," King said.

Because Social Security Numbers may have been contained within the missing information, we advise individuals to monitor financial accounts continuously for suspicious activity as a matter of good practice.
[Evan] This statement provide a clue as to what "some personal information" may be.

The Missouri National Guard has safeguards in place to protect private information.

We provide ongoing privacy training to all employees.

The Missouri National Guard has taken action to rectify this unfortunate situation, and is working to insure our Citizen-Soldier’s or employee’s information receives the highest standard of security and privacy protection.

Any soldier or family member with questions should call a hotline number at 1-888-526-6664 extension 7888.

If the soldier is deployed overseas, the soldier may use the Defense Switching Network and call 312-555-9500 extension. 7888.

Commentary:
We have no idea as to what the cause of this breach may have been. Anyone want to guess? If so, post a comment.

It’s a little ironic. I was just typing an email response to an information security friend of mine about military breaches and the way the military has a completely different way of disclosing details (if any). This breach is proof positive. We'll have to see if further details emerge over time.

I sincerely hope that the owners of the "personal information" (the victims) get all of the answers that they require in order to evaluate risk themselves and make educated decisions on how they will proceed.

Past Breaches:
Unknown

Kill Switches and Remote Control

Tue, 01 Jul 2008 02:48:37 +0000

It used to be that just the entertainment industries wanted to control your computers -- and televisions and iPods and everything else -- to ensure that you didn't violate any copyright rules. But now everyone else wants to get their hooks into your gear. OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed. The Pentagon wants a kill switch installed on airplanes, and is worried about potential enemies installing kill switches on their own equipment. Microsoft is doing some of the most creative thinking along these lines, with something it's calling "Digital Manners Policies." According to its patent application, DMP-enabled devices would accept broadcast "orders" limiting capabilities. Cellphones could be remotely set to vibrate mode in restaurants and concert halls, and be turned off on airplanes and in hospitals. Cameras could be prohibited from taking pictures in locker rooms and museums, and recording equipment could be disabled in theaters. Professors finally could prevent students from texting one another during class. The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That's a difficult security problem even in its simplest form. Distributing that system among a variety of different devices -- computers, phones, PDAs, cameras, recorders -- with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards. Once we go down this path -- giving one device authority over other devices -- the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override? How do we prevent this from being abused? Can a burglar, for example, enforce a "no photography" rule and prevent security cameras from working? Can the police enforce the same rule to avoid another Rodney King incident? Do the police get "superuser" devices that cannot be limited, and do they get "supercontroller" devices that can limit anything? How do we ensure that only they get them, and what do we do when the devices inevitably fall into the wrong hands? It's comparatively easy to make this work in closed specialized systems -- OnStar, airplane avionics, military hardware -- but much more difficult in open-ended systems. If you think Microsoft's vision could possibly be securely designed, all you have to do is look at the dismal effectiveness of the various copy-protection and digital-rights-management systems we've seen over the years. That's a similar capabilities-enforcement mechanism, albeit simpler than these more general systems. And that's the key to understanding this system. Don't be fooled by the scare stories of wireless devices on airplanes and in hospitals, or visions of a world where no one is yammering loudly on their cellphones in posh restaurants. This is really about media companies wanting to exert their control further over your electronics. They not only want to prevent you from surreptitiously recording movies and concerts, they want your new television to enforce good "manners" on your computer, and not allow it to record any programs. They want your iPod to politely refuse to copy music to a computer other than your own. They want to enforce their legislated definition of manners: to control what you do and when you do it, and to charge you repeatedly for the privilege whenever possible. "Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure -- or more polite. This essay originally appeared in Wired.com.

Security Matters: I've Seen the Future, and It Has a Kill Switch

Thu, 26 Jun 2008 00:00:00 +0000

OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed. The Pentagon wants a kill switch installed on airplanes, and is worried about potential enemies installing kill switches on their own equipment.

Microsoft is doing some of the most creative thinking along these lines, with something it's calling "Digital Manners Policies." According to its patent application, DMP-enabled devices would accept broadcast "orders" limiting capabilities. Cellphones could be remotely set to vibrate mode in restaurants and concert halls, and be turned off on airplanes and in hospitals. Cameras could be prohibited from taking pictures in locker rooms and museums, and recording equipment could be disabled in theaters. Professors finally could prevent students from texting one another during class.

The possibilities are endless, and very dangerous. Making this work involves building a nearly flawless hierarchical system of authority. That's a difficult security problem even in its simplest form. Distributing that system among a variety of different devices -- computers, phones, PDAs, cameras, recorders -- with different firmware and manufacturers, is even more difficult. Not to mention delegating different levels of authority to various agencies, enterprises, industries and individuals, and then enforcing the necessary safeguards.

Once we go down this path -- giving one device authority over other devices -- the security problems start piling up. Who has the authority to limit functionality of my devices, and how do they get that authority? What prevents them from abusing that power? Do I get the ability to override their limitations? In what circumstances, and how? Can they override my override?

How do we prevent this from being abused? Can a burglar, for example, enforce a "no photography" rule and prevent security cameras from working? Can the police enforce the same rule to avoid another Rodney King incident? Do the police get "superuser" devices that cannot be limited, and do they get "supercontroller" devices that can limit anything? How do we ensure that only they get them, and what do we do when the devices inevitably fall into the wrong hands?

It's comparatively easy to make this work in closed specialized systems -- OnStar, airplane avionics, military hardware -- but much more difficult in open-ended systems. If you think Microsoft's vision could possibly be securely designed, all you have to do is look at the dismal effectiveness of the various copy-protection and digital-rights-management systems we've seen over the years. That's a similar capabilities-enforcement mechanism, albeit simpler than these more general systems.

And that's the key to understanding this system. Don't be fooled by the scare stories of wireless devices on airplanes and in hospitals, or visions of a world where no one is yammering loudly on their cellphones in posh restaurants. This is really about media companies wanting to exert their control further over your electronics. They not only want to prevent you from surreptitiously recording movies and concerts, they want your new television to enforce good "manners" on your computer, and not allow it to record any programs. They want your iPod to politely refuse to copy music a computer other than your own. They want to enforce their legislated definition of manners: to control what you do and when you do it, and to charge you repeatedly for the privilege whenever possible.

"Digital Manners Policies" is a marketing term. Let's call this what it really is: Selective Device Jamming. It's not polite, it's dangerous. It won't make anyone more secure -- or more polite.

---

Bruce Schneier is chief security technology officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

Mashup of the Titans

Wed, 25 Jun 2008 13:29:25 +0000

Information Security - an Oxymoron for the information age

“Always the beautiful answer who asks a more beautiful question.” e. e. cummings

...or why i am with Gelernter

This is a mashup of Saltzer & Schroeder's famous information security principles with David Gelernter's Manifesto.

The premise of this mashup is to examine the paper by Saltzer and Schroeder which was written in 1975 and serves as the basis for most information security programs against the Gelernter's manifesto as to where computing is actually going. Each of the eight principles in Saltzer and Schroeder's paper is listed in order, and followed by select excerpts of Gelernter's manifesto. This comparison is to examine theoretical information security principles vis a vis the actual utility of modern information systems. I will not make an attempt to reconcile theory and practice, but will point out where the two schools of thought agree. In fairness, Saltzer and Schroeder's paper was written 25 years before Gelernter's, however Saltzer and Schroeder's principles dominate the thinking about information security to this day and so its important to view them side by side with Gelernter's thinking on the direction of computing.

Saltzer and Schroeder:

"a) Economy of mechanism: Keep the design as simple and small as possible. This well-known principle applies to any aspect of a system, but it deserves emphasis for protection mechanisms for this reason: design and implementation errors that result in unwanted access paths will not be noticed during normal use (since normal use usually does not include attempts to exercise improper access paths). As a result, techniques such as line-by-line inspection of software and physical examination of hardware that implements protection mechanisms are necessary. For such techniques to be successful, a small and simple design is essential."

Gelernter:

"9. The computing future is based on "cyberbodies" — self-contained, neatly-ordered, beautifully-laid-out collections of information, like immaculate giant gardens."

Conclusion(gp): So far, so good

Saltzer and Schroeder:

"b) Fail-safe defaults: Base access decisions on permission rather than exclusion. This principle, suggested by E. Glaser in 1965,8 means that the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted. The alternative, in which mechanisms attempt to identify conditions under which access should be refused, presents the wrong psychological base for secure system design. A conservative design must be based on arguments why objects should be accessible, rather than why they should not. In a large system some objects will be inadequately considered, so a default of lack of permission is safer. A design or implementation mistake in a mechanism that gives explicit permission tends to fail by refusing permission, a safe situation, since it will be quickly detected. On the other hand, a design or implementation mistake in a mechanism that explicitly excludes access tends to fail by allowing access, a failure which may go unnoticed in normal use. This principle applies both to the outward appearance of the protection mechanism and to its underlying implementation."

Conclusion(gp): A conservative design principle that puts the object's owner in control of permissions. This makes a lot of sense from the object point of view, but does little to address the use case in which it executes.

Saltzer and Schroeder:

"c) Complete mediation: Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes initialization, recovery, shutdown, and maintenance. It implies that a foolproof method of identifying the source of every request must be devised. It also requires that proposals to gain performance by remembering the result of an authority check be examined skeptically. If a change in authority occurs, such remembered results must be systematically updated."

Gelernter:

"8. The software systems we depend on most today are operating systems (Unix, the Macintosh OS, Windows et. al.) and browsers (Internet Explorer, Netscape Communicator...). Operating systems are connectors that fasten users to computers; they attach to the computer at one end, the user at the other. Browsers fasten users to remote computers, to "servers" on the internet.

Today's operating systems and browsers are obsolete because people no longer want to be connected to computers — near ones OR remote ones. (They probably never did). They want to be connected to information. In the future, people are connected to cyberbodies; cyberbodies drift in the computational cosmos — also known as the Swarm, the Cybersphere.

13. Any well-designed next-generation electronic gadget will come with a ``Disable Omniscience'' button.

17. A cyberbody can be replicated or distributed over many computers; can inhabit many computers at the same time. If the Cybersphere's computers are tiles in a paved courtyard, a cyberbody is a cloud's drifting shadow covering many tiles simultaneously.

20. If a million people use a Web site simultaneously, doesn't that mean that we must have a heavy-duty remote server to keep them all happy? No; we could move the site onto a million desktops and use the internet for coordination. The "site" is like a military unit in the field, the general moving with his troops (or like a hockey team in constant swarming motion). (We used essentially this technique to build the first tuple space implementations. They seemed to depend on a shared server, but the server was an illusion; there was no server, just a swarm of clients.) Could Amazon.com be an itinerant horde instead of a fixed Central Command Post? Yes."

Conclusion(gp): Complete mediation provides the underpinning for Saltzer and Schroeder's system, but does not appear to scale to the desired itinerant horde at least in common interpretation.

Saltzer and Schroeder:

"d) Open design: The design should not be secret. The mechanisms should not depend on the ignorance of potential attackers, but rather on the possession of specific, more easily protected, keys or passwords. This decoupling of protection mechanisms from protection keys permits the mechanisms to be examined by many reviewers without concern that the review may itself compromise the safeguards. In addition, any skeptical user may be allowed to convince himself that the system he is about to use is adequate for his purpose. Finally, it is simply not realistic to attempt to maintain secrecy for any system which receives wide distribution."

Conclusion(gp): both seem to agree, hard to get the itinerant horde moving in a swarm without open standards.

Saltzer and Schroeder:

"e) Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key. The relevance of this observation to computer systems was pointed out by R. Needham in 1973. The reason is that, once the mechanism is locked, the two keys can be physically separated and distinct programs, organizations, or individuals made responsible for them. From then on, no single accident, deception, or breach of trust is sufficient to compromise the protected information. This principle is often used in bank safe-deposit boxes. It is also at work in the defense system that fires a nuclear weapon only if two different people both give the correct command. In a computer system, separated keys apply to any situation in which two or more conditions must be met before access should be permitted. For example, systems providing user-extendible protected data types usually depend on separation of privilege for their implementation."

Gelernter:

"37. Elements stored in a mind do not have names and are not organized into folders; are retrieved not by name or folder but by contents. (Hear a voice, think of a face: you've retrieved a memory that contains the voice as one component.) You can see everything in your memory from the standpoint of past, present and future. Using a file cabinet, you classify information when you put it in; minds classify information when it is taken out. (Yesterday afternoon at four you stood with Natasha on Fifth Avenue in the rain — as you might recall when you are thinking about "Fifth Avenue," "rain," "Natasha" or many other things. But you attached no such labels to the memory when you acquired it. The classification happened retrospectively.)"

Conclusion(gp): Information Security models tend to look at things statically through information classification lenses, but its how information is used that makes it valuable. In practice this is how information security theory breaks down in the face of reality - what does an access control matrix look like for a mashup? What does it look like for a data mining app?

Saltzer and Schroeder:

"f) Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized. Put another way, if a mechanism can provide "firewalls," the principle of least privilege provides a rationale for where to install the firewalls. The military security rule of "need-to-know" is an example of this principle."

Gelernter:

"28. Metaphors have a profound effect on computing: the file-cabinet metaphor traps us in a "passive" instead of "active" view of information management that is fundamentally wrong for computers.

29. The rigid file and directory system you are stuck with on your Mac or PC was designed by programmers for programmers — and is still a good system for programmers. It is no good for non-programmers. It never was, and was never intended to be.

30. If you have three pet dogs, give them names. If you have 10,000 head of cattle, don't bother. Nowadays the idea of giving a name to every file on your computer is ridiculous."

Conclusion(gp): Least Privilege is the point where the practical matter of applying Saltzer and Schroeder's principles breaks down in modern systems. Its a deployment issue, and a matter of insufficient models and modes.

Saltzer and Schroeder:

"g) Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28]. Every shared mechanism (especially one involving shared variables) represents a potential information path between users and must be designed with great care to be sure it does not unintentionally compromise security. Further, any mechanism serving all users must be certified to the satisfaction of every user, a job presumably harder than satisfying only one or a few users. For example, given the choice of implementing a new function as a supervisor procedure shared by all users or as a library procedure that can be handled as though it were the user's own, choose the latter course. Then, if one or a few users are not satisfied with the level of certification of the function, they can provide a substitute or not use it at all. Either way, they can avoid being harmed by a mistake in it."

Gelernter:

"6. Miniaturization was the big theme in the first age of computers: rising power, falling prices, computers for everybody. Theme of the Second Age now approaching: computing transcends computers. Information travels through a sea of anonymous, interchangeable computers like a breeze through tall grass. A dekstop computer is a scooped-out hole in the beach where information from the Cybersphere wells up like seawater.

16. The future is dense with computers. They will hang around everywhere in lush growths like Spanish moss. They will swarm like locusts. But a swarm is not merely a big crowd. The individuals in the swarm lose their identities. The computers that make up this global swarm will blend together into the seamless substance of the Cybersphere. Within the swarm, individual computers will be as anonymous as molecules of air.

55. Software can solve hard problems in two ways: by algorithm or by making connections — by delivering the problem to exactly the right human problem-solver. The second technique is just as powerful as the first, but so far we have ignored it.

56. Lifestreams and microcosms are the two most important cyberbody types; they relate to each other as a single musical line relates to a single chord. The stream is a "moment in space," the microcosm a moment in time."

Saltzer and Schroeder:

"h) Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors."

Gelernter:

"7. "The network is the computer" — yes; but we're less interested in computers all the time. The real topic in astronomy is the cosmos, not telescopes. The real topic in computing is the Cybersphere and the cyberstructures in it, not the computers we use as telescopes and tuners.

27. Modern computing is based on an analogy between computers and file cabinets that is fundamentally wrong and affects nearly every move we make. (We store "files" on disks, write "records," organize files into "folders" — file-cabinet language.) Computers are fundamentally unlike file cabinets because they can take action.

31. Our standard policy on file names has far-reaching consequences: doesn't merely force us to make up names where no name is called for; also imposes strong limits on our handling of an important class of documents — ones that arrive from the outside world. A newly-arrived email message (for example) can't stand on its own as a separate document — can't show up alongside other files in searches, sit by itself on the desktop, be opened or printed independently; it has no name, so it must be buried on arrival inside some existing file (the mail file) that does have a name. The same holds for incoming photos and faxes, Web bookmarks, scanned images...

32. You shouldn't have to put files in directories. The directories should reach out and take them. If a file belongs in six directories, all six should reach out and grab it automatically, simultaneously.

33. A file should be allowed to have no name, one name or many names. Many files should be allowed to share one name. A file should be allowed to be in no directory, one directory, or many directories. Many files should be allowed to share one directory. Of these eight possibilities, only three are legal and the other five are banned — for no good reason.

53. Your car, your school, your company and yourself are all one-track vehicles moving forward through time, and they will each leave a stream-shaped cyberbody (like an aircraft's contrail) behind them as they go. These vapor-trails of crystallized experience will represent our first concrete answer to a hard question: what is a company, a university, any sort of ongoing organization or institution, if its staff and customers and owners can all change, its buildings be bulldozed, its site relocated — what's left? What is it? The answer: a lifestream in cyberspace."

Conclusion(gp):

The Saltzer and Schroeder principles of Open Design and Economy of Mechanism hold up well in the face of modern computing realities, and to a certain extent Fail Safe Defaults does as well; however if we information security people are to be effective we need to re-think the other principles.

Last word: Gelernter:

We'll know the system is working when a butterfly wanders into the in-box and (a few wingbeats later) flutters out — and in that brief interval the system has transcribed the creature's appearance and analyzed its way of moving, and the real butterfly leaves a shadow-butterfly behind. Some time soon afterward you'll be examining some tedious electronic document and a cyber-butterfly will appear at the bottom left corner of your screen (maybe a Hamearis lucina) and pause there, briefly hiding the text (and showing its neatly-folded rusty-chocolate wings like Victorian paisley, with orange eyespots) — and moments later will have crossed the screen and be gone.

NHTI loses thumb drive that may have contained student information

Tue, 24 Jun 2008 13:21:39 +0000

Technorati Tag: Security Breach

Date Reported:
5/30/08

Organization:
NHTI, Concord's Community College

Contractor/Consultant/Branch:
None

Victims:
Nursing program graduates form the classes of 2006 and 2007

Number Affected:
128

Types of Data:
"names, social security numbers, addresses, phone numbers, and email addresses"

Breach Description:
NHTI has notified the New Hampshire State Attorney General of a lost flash drive that may have contained sensitive personal information belonging to nursing program 2006 and 2007 graduates.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to notify you that NHTI, Concord's Community College recently learned of a data security incident involving personal information of individuals who have graduated from the College.

On April 23, 2008, it was discovered that a data storage device, or flash drive, was missing.
[Evan] Are unsecured flash drives allowed for use with NHTI information resources? There is no mention in the breach notification.

The flash drive may have contained the names, social security numbers, addresses, phone numbers, and email addresses of our nursing program graduates from the classes of 2006 and 2007.

Our Campus Safety Department conducted a thorough investigation to locate the flash drive.

The investigation concluded that we cannot determine whether a security breach has occurred.
[Evan] What is the school's definition of a security breach? Was the Campus Safety Department unable to confirm that personal information was stored on the lost flash drive? If not a breach, then poor information management at the least.

The potential security breach involved personal identification information of 128 former students.

While we do not believe the flash drive was taken for purposes of identity theft, we have recommended that the affected individuals take steps to protect themselves from the possible misuse of personal information.
[Evan] Really, at the end of the day I don't think it matters how many steps people take to protect themselves if the custodians of confidential information do not take proper care of the information entrusted to them. Everyone needs to play their role. Owner, custodians and users.

There is no indication that the disappearance of the device, a USB flash drive, was motivated by identity theft.

We do not have any evidence that your information has been misused, and we believe the likelihood of such misuse is low.
[Evan] "Low" is subjective and hard to measure. This reminds me of some informal research we conducted a while back. We were curious. We found a left-over box of unused flash drives that a marketing department had been giving away (s.w.a.g.) at a trade show. We wanted to find out #1, how many people pick-up a flash drive if they find one lying around, and #2, how many people plug them in and peruse the contents/use them. We had 40 flash drives. 29% of people picked them up (meaning it took 137 people walking by to nab 40 flash drives). We tried to vary the locations of the flash drives both out in the open and semi-private. Of the 40 people that picked up the flash drives, all 40 used them. I suppose that this particular flash drive could have ended up in the garbage or destroyed somehow, but if someone found it, I think chances are pretty good that someone will find the information. The difficult part is trying to determine what someone will do with the information once they have it, I suppose.

However, out of an abundance of caution, we are informing everyone who may be affected by this incident so that they may properly evaluate what actions -if any -they wish to take in this matter.
[Evan] The "abundance of caution" phrase is quickly becoming my pet peeve. An abundance of caution would have gone a long way towards preventing the breach. Storing confidential information on an insecure flash drive certainly does not demonstrate an abundance of caution.

We have obtained the services of a credit monitoring organization to provide free credit monitoring for one year to the affected individuals.

NHTI takes the protection of confidential information very seriously.

We sincerely regret that this incident occurred and are taking steps to prevent this type of breach from occurring again.

The College has instituted safeguards to prevent such incidents in the future.
[Evan] Like?

If you have any questions or concerns, please contact NHTI's Director of Communications, Alan Blake, at (603) 271-8904.

Commentary:
Most of my commentary is included above. Flash drives are very convenient, but sometimes the thought of them sends a slight shiver down my spine. If their use cannot be properly controlled, their use can be disastrous. So, if you can't control their use, then prohibit their use. I know of quite a few companies that have banned flash drives and disabled USB and FireWire ports.

I was a little tardy in finding this breach. I thought is was still good information for readers though.

Past Breaches:
Unknown