Steve Riley on Security : public policy

Reading list from “How IT will change in the next 10 years”

Steve Riley — Mon, 24 Nov 2008 22:39:10 GMT

At Windows Connections two weeks ago, during my keynote speech “How IT will change in the next 10 years and why you should care,” I mentioned several books worth reading. Many of you have asked for the list; here it is:

The Cathedral and the Bazaar by Eric S. Raymond
The Wisdom of Crowds by James Surowiecki
We Are Smarter Than Me by Barry Libert, Jon Spector, Don Tapscott
The World Is Flat by Thomas L. Friedman
The Innovator's Dilemma by Clayton M. Christensen
The Long Tail by Chris Anderson
The Speed of Trust by Stephen M. R. Covey
What Got You Here Won't Get You There by Marshall Goldsmith
Outsourced (the movie)

Also remember that I mildly panned Digital Economy by Harbhajan Kehal and Varinder P. Singh; my assertion was that the next 10 years will bring about a social economy instead, one that includes the digital natives you’ll all be hiring and selling to now or very soon. They’re the ones who are building it, so you might as well adapt.

The opt-out from hell

Steve Riley — Tue, 16 Sep 2008 22:22:03 GMT

One problem with making your email address available (which I will continue to do, don't worry) is that folks with something to sell assume you're interested in their stuff. To wit, let's consider an email I received today (copied, headers and all, after my griping).

Note that if I want to opt out of further communications, I have to do two separate things -- which actually becomes three things.

First I have to click the last link to opt out of future TechTarget spam. (Yes, I deleted the actual links. But certainly none of my trustworthy readers would attempt to re-subscribe me, right...? <g>
But that isn't enough -- I also have to separately opt out of future Avaya spam! (Why does the no-more-from-Avaya link live on a techtargetmail.com server? Whatever.) Clicking on that link eventually does land me on an avaya.com page, where I have to confirm my email address and indicate they don't have my permission to send me spam. Hmm, too difficult to embed my email in that link, when the other techtargetmail.com link did embed my email?
Then after submitting it, another page pops up telling me that I'll soon receive an email with additional instructions! In this email there's a link -- to avaya.com with my email address embedded -- that I must click, I guess to double plus confirm that yes, I really really really do wish never to hear from you again. Clicking that link takes me to a page that promises my "permissions have successfully been set. Thank you."

A pox on both your houses, TechTarget and Avaya. I never asked for your stuff. Go away.

Spam, my friends, is only going to get worse. It was so easy to ban junk faxes in 1991. But even those regulations were weakened in 2005. So do you really think we'll see anything even remotely logical for outlawing spam? I doubt it, unless we the citizens foment a revolt. Let's get cracking!

Received: from SVC-EXGWY-E801.partners.extranet.microsoft.com (10.251.24.242)
by tk5-exhub-c102.redmond.corp.microsoft.com (157.54.18.53) with Microsoft
SMTP Server (TLS) id 8.1.291.1; Tue, 16 Sep 2008 11:27:56 -0700
Received: from mail139-wa4-R.bigfish.com (216.32.181.113) by
mail04.microsoft.com (10.253.160.184) with Microsoft SMTP Server (TLS) id
8.1.291.1; Tue, 16 Sep 2008 11:27:55 -0700
Received: from mail139-wa4 (localhost.localdomain [127.0.0.1])    by
mail139-wa4-R.bigfish.com (Postfix) with ESMTP id 018C11184C2    for
<steriley@microsoft.com>; Tue, 16 Sep 2008 18:27:50 +0000 (UTC)
X-BigFish: ps16(zz18c1K1936K2b7wcak69jzzzz2af1jz2fh6bh5eh65h)
X-Spam-TCS-SCL: 4:0
Received: by mail139-wa4 (MessageSwitch) id 1221589667478982_28100; Tue, 16
Sep 2008 18:27:47 +0000 (UCT)
Received: from pp.techtargetmail.com (pp.techtargetmail.com [65.211.80.227])
    by mail139-wa4.bigfish.com (Postfix) with SMTP id 46566978071    for
<steriley@microsoft.com>; Tue, 16 Sep 2008 18:27:47 +0000 (UTC)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=pp.techtargetmail.com; b=iOmibOrM91/1Ugy2gj3QbWo74T2m3GuhmwxZCXJQpFT+nwRES8QKg+4vjt48SNp7WWJExG61Ge+DtnKD3KVI3KwqTKzkPRVrEBF0DCHhYot6VAG/EyEr5vb5RhBz+91yvNhbIqITzGnuQ+uBDJzyc6gU0FHfBl0Fa3S/phcPELM=;
Message-ID: <a818b044.724694.236c8ee748f7dd97.1.n.4.2971370188@pp.techtargetmail.com>
Date: Tue, 16 Sep 2008 14:27:47 -0400
thread-index: a818b044.724694.236c8ee748f7dd97.1.n.4
Reply-To: Avaya <a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com>
From: Avaya <Avaya@pp.techtargetmail.com>
To: Steve Riley <steriley@microsoft.com>
Subject: 7 Tips to Ensure Readiness for UC Deployment
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4133
Return-Path: a818b044.724694.236c8ee748f7dd97.1.n.4@pp.techtargetmail.com
X-MS-Exchange-Organization-PRD: pp.techtargetmail.com
Received-SPF: Pass (SVC-EXGWY-E801.partners.extranet.microsoft.com: domain
of Avaya@pp.techtargetmail.com designates 65.211.80.227 as permitted sender)
receiver=SVC-EXGWY-E801.partners.extranet.microsoft.com;
client-ip=65.211.80.227; helo=mail139-wa4-R.bigfish.com;
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.6916.600;SV:3.3.6916.813;SID:SenderIDStatus Pass;OrigIP:65.211.80.227
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-SenderIdResult: PASS

The following message was sent to you as a subscriber to third party offers from a TechTarget property, including our network of Search sites, Bitpipe.com, CIO Decisions Magazine, Information Security Magazine, Storage Magazine, KnowledgeStorm, TheServerSide.com and/or TheServerSide.NET. To unsubscribe, see below.
____________________________________________________________

How should you evaluate the move to unified communications (UC)? Who within which parts of an organization will benefit? Will UC reduce the time to market? Read this E-Guide for answers to these questions and a better look at how the value of UC will, at first, be less of a financial issue and more of a productivity improvement issue that translates into financial benefits. Download this white paper now: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

When implementing unified communications, there are a number of important issues to think about and questions to ask. This E-Guide analyzes seven phases to ensure you reap the full benefits of UC in each. If you're ready to take the plunge but you're not sure your business or your infrastructure is - download this E-Guide now.

Click here to learn more: http://pp.techtargetmail.com/c.asp?724694&236c8ee748f7dd97&1

"If you do not wish to receive future promotions directly from Avaya please forward this e-mail to {link removed} ; please note that there is a separate opt-out procedure below to be removed from the list from which this email originated."
____________________________________________________________

Please do not reply to this email. To unsubscribe from all future third party offers from all TechTarget properties, simply click here: {link removed}

TechTarget | 117 Kendrick Street, Suite 800 | Needham, MA 02494

Blamestorming

Steve Riley — Fri, 12 Sep 2008 09:03:42 GMT

So, let's recap the sequence of events:

The Sun-Sentinel newspaper in Fort Lauderdale accidentally republishes a six-year-old news story about the bankruptcy of UAL. It wasn't on the home page, but instead buried somewhere inside the web site.
Google's news crawler (an automated thing, remember) finds the story and incorporates it as part of its news feed.
Investors see the story, and immediately react. When UAL's stock plunged 76% to a low of $3, Nasdaq shut down trading. Eventually trading resumed, and the stock closed at just under $11, losing about 11%.
United blamed Tribune Company (the owner of the Sun-Sentinel) for "irresponsibly" changing the date on the story and demanded a retraction.
Tribune Company blamed Google, claiming they've had issues with Google's crawler "for months."

Who will blame be shifted to next?

Look -- if people haven't realized by now that the Internet pretty much lacks a delete function, then (IMNSHO) it becomes the requirement of each and every one of us to pay close attention to what we're reading, to use our own big brains and fine-tuned bullshit detectors to suss out whether something makes sense.

Since this is my blog, I'm going to parcel out blame the way I see it:

United: 0%. If the concept of "negative blame" made any sense, then I'd actually write −∞ (that's a negative infinity, in case your character set is different than mine).
Google: 5%. How can an automated crawler know that a newly-dated story isn't really new? Well, those folks over there at Google are smart. Certainly it shouldn't be that difficult to compare a "new" article against existing ones. Content hashes won't work as a comparison tool, because the date would be included in the hash computation, thus making the hashes different anyway. Full-text comparisons? Sure, it would take a lot of horsepower. Perhaps not every "new" story needs comparison, but at least the crawler could submit to the comparator any stories that ought to be verified (say those with the word "bankruptcy" in them).
Tribune Company: 30%. Hey guys, you changed the date on the article. Don't go blaming someone else for your screw-up.
Investors: 65%. If you're using an automated news aggregator (remember, an aggregator is not a source of news) to make major financial decisions -- decisions that affect the livelihoods of thousands (maybe millions) of people -- well, you're a moron. You should know that incorrect information can be just as instantly available as correct information. Verify potentially damaging claims before engaging in reckless behavior.

What's this got to do with security? I don't know, maybe nothing directly related. But it certainly raises the question -- what if someone intentionally wanted to cause nearly permanent damage to a person or a corporation? Malicious content, disguised as "news," certainly seems to have become a potentially successful attack vector this week.

Worried about a social engineering attack on a massive scale? I suspect that what happened Monday (8 September) was the largest social engineering attack in history -- although I wouldn't classify it as intentionally malicious. Just you wait until the idea spreads.

The bad guys will use BitLocker, too

Steve Riley — Fri, 13 Jul 2007 21:03:36 GMT

Got an email today from a customer asking about how BitLocker will affect the ability of law enforcement to conduct forensic analysis of a protected hard drive. Specifically, the person was asking about any back doors that law enforcement could use to bypass the encryption.

The answer is very simple, and I'm sure not what he wanted to hear: there are no back doors. Period.

Think about it for a moment: if there were a back door, would you trust the technology? Of course not. If Microsoft incorporated a mechanism to bypass the encryption, then we'd be weakening the technology for 99.9% of the population to favor the needs of 0.1%. And, surely, the bad guys would find out how to exploit the bypass -- meaning that BitLocker becomes completely useless for you.

Here's a similar example: some people have advocated that cell phones be disabled in certain public places (movie theaters, tunnels, sports stadiums, and so on) because terrorists might use them to remotely trigger bombs. What a bunch of nonsense this is. Communications tools are far more beneficial to the millions of good guys who use them every day (perhaps to save lives?) than to the few bad guys who also use them. Why destroy beneficial utility for everyone just because someone might misuse the technology?

Encryption is amoral. Good guys will use it, and bad guys will use it. We've got to accept that fact. It does no one any good to render beneficial technology useless just because there's the potential that someone might misuse it.

America, wake up: stop being "security sheep"

Steve Riley — Tue, 02 Jan 2007 21:49:00 GMT

OK, I need to complain a bit here.

Yesterday I went to Best Buy to get a new digital camera. I already knew which one I wanted, so I found a sales guy, pointed to the display unit, and said, "I'd like one of these."

"Sure," he replied. He found the keys, unlocked the cabinet, pulled out a box, and said, "I'll meet you at register four."

"Eh?" I asked. "Can't I just carry it?"

"No, the policy is that I have to carry it."

"What a stupid policy," I grumbled, "treating all of your customers as if they're thieves."

Then when making the purchase with a credit card, the cashier demanded to see my ID. "Why?" I asked.

"To verify your identity."

I walked out of the store, with my camera, but not in a good mood at all. I spend a lot of money at Best Buy and I don't appreciate the assumption that I'm there to steal something. Furthermore, asking for ID during a credit card purchase is just dumb. Credit card companies really don't care who you are. Once the authorization is received, the transaction has already been processed, which includes a serious amount of "transaction authentication" to detect and reduce fraud. This is far more reliable than some clerk comparing names or -- worse -- signatures. And how come it never seems to dawn on the policy-making folk at these stores that online purchases don't require ID?

How did we get into this mess of distrust by default? My thinking followed this process:

First I blamed the September 11th terrorists. You bastards, if you hadn't done what you did, then Americans wouldn't be so afraid of strangers and so quick to assume that anyone who doesn't "look right" is a rapacious murderer.
No, it isn't the terrorists. It's the media. Owned by money-grubbing conglomerates with their lips pressed firmly against the wrinkled white flesh of the other Washington's (that's D.C.) buttocks, the media assists the politicians in their drive to keep America terrified. For when the people are terrified, they can be controlled, and even have their civil liberties illegally stripped away without nary a peep.
Finally, I realized: it's our own fault. We as free citizens have the solemn responsibility not to allow ourselves to be manipulated by those who would benefit from our sheepishness. While we citizens have no control over the media (this is a good thing) and little control over our current government (this is a bad thing), we have complete control over how we react to the tactics of both -- as well as the tactics of those who would do us physical harm.

America is paralyzed by fear, and this fear has caused us to regard with great suspicion those whom we necessarily interact with every day. The only way to move beyond this is to refuse to allow yourself to be manipulated. While you can't just refuse to show your ID if you want to buy something with a credit card or get on an airplane tomorrow, you can begin having conversations with your friends and neighbors -- help people understand that only when we all rise against the backlash will there be change. And chat up a stranger, too. In my travels around the world I've met hundreds of folks; I'm convinced that the overwhelming majority of people are kind and decent and simply looking for someone to listen to their stories. Be a listener -- it's amazing what you can learn. And little by little, we can undo the paralysis that defines life in the 21st century.

Yes, everyone knows you're a dog

Steve Riley — Thu, 07 Sep 2006 18:17:00 GMT

Amazing how long the legs are on the AOL search debacle. Of course, we in the online community often beat such storeis to death, if only because they deserve it!

Recently Kim Cameron posted the search history of user 16006693, which flits "from politics, to retirement, to politics, to religion, to sex, quickly back to religion (repent!), to food, and finally to heartburn." Why is it interesting? Probably because each and every one of us can find a bit of ourselves in user 16006693 (well, OK, not all of us; I know I'm not anywhere close!).

Check it out; don't hurt yourself too much from laughing:

16006693 nak
16006693 nack
16006693 sharona
16006693 knack
16006693 knack downloads
16006693 oakrige boys
16006693 oakridge boys
16006693 oakridge boys downloads free
16006693 jokes about dick cheney
16006693 jokes about dick cheney but not george bush
16006693 dick cheney creep
16006693 dick cheney dickhead
16006693 rummy dickhead
16006693 where is iraq
16006693 where is lebenon
16006693 his bullets
16006693 his bullies
16006693 shiits
16006693 shee-ites
16006693 bush appruval
16006693 bush approvel
16006693 bush drops below
16006693 dead reporters
16006693 dead reporters fotos
16006693 dead reporters pix
16006693 disembowled reporters pix
16006693 disembowled new york times
16006693 love thine enemas
16006693 love thine enemies
16006693 bible quote of the day
16006693 insperation from bible
16006693 george bush great president
16006693 george w bush great president
16006693 dream on
16006693 oakridge boys lyrics dream on
16006693 how to run country
16006693 how to run country when not really inerested
16006693 people to run country for you
16006693 over work
16006693 overwork
16006693 stress
16006693 best place to retire
16006693 places like crawford but without cindy sheehan
16006693 crawford the town not cindy crawford
16006693 crawford tx
16006693 like crawford tx but not so hot
16006693 best places to retire not hot
16006693 best places to retire global warming
16006693 global warming mith
16006693 global warming myth
16006693 crawford hot
16006693 cindy crawford hot
16006693 rice hot
16006693 rice hot not recipes
16006693 rice naked
16006693 rice nude
16006693 bible quotes resisting temptation
16006693 oakridge boys i’ll be true to you
16006693 oakridge boys trying to love two women
16006693 rice and beans
16006693 tex mex
16006693 tex mex not music
16006693 tex mex takeout
16006693 tex mex takeout dc
16006693 heart burn
16006693 heartburn

The Internet routes around outages -- and censorship, too

Steve Riley — Tue, 27 Sep 2005 12:28:00 GMT

Have you seen this yet? "Grokster ruling begins the good fight" If you haven't, it's worth your time to read -- it's a terrible shibboleth for a U.S. "national firewall."

Coursey is promoting the idea that all U.S. Internet access should pass through a firewall that will block file-sharing and gambling sites. Since most of these sites have moved off-shore, Coursey claims that this isn't censorship, but it's the only way to ensure that "when the Internet is being used on American soil, it should comply with American law." Later in the article he chides the Chinese government "for filtering the Internet as delivered to residents of the communist dictatorship." He contrasts this with file-sharing and gambling and says that "since [these] are not accepted as universal human rights," it's OK to "stop illegal content from reaching American citizens."

Does Coursey lack a sense of irony? It seems so. In one swell foop he maintains that America should be allowed to filter what America has declared illegal -- file-sharing and gambling -- while denying that China should be allowed to filter what China has declared illegal -- political and religious content that's counter to and threatens the government.

Am I the only one who sees a problem with this? Now of course China's actions completely violate all sense of human rights, but adopting their solution -- censorship -- will be no better in this country. If we establish a precedent of censoring illegal content, what's to stop various interest groups from galvanizing politicians to declare illegal anything that the groups don't like? Where will it end?

(Post script: I'm writing this from Taiwan! Also, last week in China, their "national firewall" was pretty useless...)

Airport security silliness

Steve Riley — Fri, 22 Jul 2005 06:23:00 GMT

So today (Thursday 21 July 2005) I flew from Seattle to Dallas for a customer meeting. Since it's a short one-day affair, I packed my small carry-on size suitcase. In it was a pair of shoes, one pants, one shorts, two shirts, a toiletry bag, and my collection of wall warts (AC adpaters). Seems normal, so far.

As the suitcase passes through the x-ray machine, the TSA droid's brows begin to furrow. "Oh crap," thought I. They run the bag a second time. More furrowing.

"Is this your bag?" they ask. There seemed to be a bit of trepidation combined with glee in their attitude -- or maybe I was just imagining it.

"Yeah, can you tell me what's wrong?"

"There's something that we can't figure out what it is. We'll need to do a secondary screening."

So then they carry it to one of those infernal explosive detection machines. You know, where another doughnut-gorged TSA droid sticks a little chamois pad on the end of a wand and lovingly caresses your bag's zippers, then inserts the chamois pad into the detection machine. There was nothing, of course. As far as I can tell from my research, none of these machines in any airport in the United States has ever actually found an explosive. What an absolute waste of time, money, and resources.

Then -- get this -- Mr. Doughnut hands me my bag! So let me get this straight. The supposedly highly-trained x-ray operator can't figure out something inside my bag, and so they inspect the exterior zipper? What are these people smoking, and why don't they share? Sheesh! Security theater, indeed.