Monday Jan 28, 2008

"Authenticate the endpoints, as well as the transactions"

As I'm sure you're aware, Société Générale just had their Nick Leeson moment, on an even grander scale.

Reading Friday's Telegraph and Saturday's Times on the matter (my home local is less right of centre than my office local, in terms of newspaper choice), it would appear that Jérôme Kerviel's activities wouldn't have been curtailed by technology as currently deployed. The three standard controls deployed at SocGen are:

  • cash flow monitoring - all transactions are monitored and the flow of cash traced
  • "straight-through" automated processing - every trade is performed on a central infrastructure which distributes the details to the accounting, cash management and risk control groups
  • the "middle office", where the risk controllers act as gatekeepers, monitoring the flow of cash and mediating any trades or requests for trades from the dealers
What Kerviel did was set up his own, far more elaborate answer to Leeson's infamous 88888 account; the risk controllers would have believed that Kerviel was trading with real customers (Kerviel had been a risk controller for a while, so knew in detail what patterns of trades and requests were typical), so he wasn't challenged.

As far as I can tell, there are two ways in which this can be prevented from happening again.

1. Fix the human factors, by ensuring that no risk controller or former risk controller can ever get a job as a trader. You'd have to have some sort of central database of risk controllers maintained by the banking industry as a whole, and the risk controllers would likely be annoyed by such an initiative, since good traders are paid significantly better than good risk controllers; it may be necessary to even this up a bit...

2. Actually authenticate the endpoints, as well as the transactions. Suppose a signed trade request is sent and comes back countersigned with an acknowledgement, and that before any funds are transferred the settlement system checks that both certificates carry organisation names matching the organisation names on the trade-to-be, chain back to "known good" root CAs and don't appear on those CAs' CRLs. Then you have to have parties in both organisations collaborating in order to achieve anything underhand: a lone trader can't invent a counterparty, because the acknowledgement has to be signed with a certificate bearing the counterparty's name.

Of course, how a CA or CRL is determined to be "known good" is left as an exercise for the reader...
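The gate described in point 2, written out as an added example in Go (it is not code from the original post, and certainly not SocGen's; the trade fields, the bank names and the clearing-house root are made up, and the CRL is modelled as a set of revoked serial numbers rather than a parsed CRL). It builds a toy PKI with the standard library's crypto/x509, has the buyer sign the trade and the seller countersign it, and only "releases funds" when both certificates chain to the known-good root, are not revoked and carry organisation names matching the trade. It then shows the gate rejecting a trade whose counterparty an insider renamed after the fact, and one whose counterparty's certificate has since been revoked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Trade is the settlement instruction both organisations sign; the field names are assumptions.
type Trade struct {
	Buyer, Seller string // organisation names, exactly as they appear in the parties' certificates
	Amount        int64
	Ref           string
}

// Digest is what each side signs: a hash over the canonical trade fields.
func (t Trade) Digest() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%s", t.Buyer, t.Seller, t.Amount, t.Ref)))
	return h[:]
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // demo-only helper

// Issue mints a certificate whose Organization is org; with isCA set it is self-signed.
func Issue(org string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{Organization: []string{org}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyEndpoint makes the three checks on one certificate: known-good root, not revoked, organisation matches the trade.
func VerifyEndpoint(cert *x509.Certificate, wantOrg string, roots *x509.CertPool, revoked map[string]bool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if revoked[cert.SerialNumber.String()] {
		return errors.New("certificate is revoked")
	}
	if len(cert.Subject.Organization) != 1 || cert.Subject.Organization[0] != wantOrg {
		return fmt.Errorf("certificate organisation %v does not match trade party %q", cert.Subject.Organization, wantOrg)
	}
	return nil
}

// ReleaseFunds is the gate in front of the cash transfer: both endpoints and both signatures must check out.
func ReleaseFunds(t Trade, reqCert, ackCert *x509.Certificate, reqSig, ackSig []byte, roots *x509.CertPool, revoked map[string]bool) error {
	if err := VerifyEndpoint(reqCert, t.Buyer, roots, revoked); err != nil {
		return fmt.Errorf("request endpoint: %w", err)
	}
	if err := VerifyEndpoint(ackCert, t.Seller, roots, revoked); err != nil {
		return fmt.Errorf("acknowledgement endpoint: %w", err)
	}
	d := t.Digest()
	if !ecdsa.VerifyASN1(reqCert.PublicKey.(*ecdsa.PublicKey), d, reqSig) {
		return errors.New("request signature does not verify")
	}
	if !ecdsa.VerifyASN1(ackCert.PublicKey.(*ecdsa.PublicKey), d, ackSig) {
		return errors.New("countersignature does not verify")
	}
	return nil
}

// Demo builds a made-up PKI (one clearing-house root, two member banks) and returns the gate's
// verdict for a genuine trade, a trade whose seller was renamed after signing, and a revoked seller.
func Demo() (genuine, fictitious, revokedParty error) {
	root, rootKey := Issue("Example Clearing CA", 1, true, nil, nil)
	bankA, keyA := Issue("Bank A", 2, false, root, rootKey)
	bankB, keyB := Issue("Bank B", 3, false, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	crl := map[string]bool{}
	t := Trade{Buyer: "Bank A", Seller: "Bank B", Amount: 1000000, Ref: "T-0001"}
	reqSig := must(ecdsa.SignASN1(rand.Reader, keyA, t.Digest()))
	ackSig := must(ecdsa.SignASN1(rand.Reader, keyB, t.Digest()))
	genuine = ReleaseFunds(t, bankA, bankB, reqSig, ackSig, roots, crl)
	bad := t // the acknowledgement still carries Bank B's certificate, so a renamed seller cannot match it
	bad.Seller = "Phantom Fund"
	fictitious = ReleaseFunds(bad, bankA, bankB, reqSig, ackSig, roots, crl)
	crl[bankB.SerialNumber.String()] = true
	revokedParty = ReleaseFunds(t, bankA, bankB, reqSig, ackSig, roots, crl)
	return
}

func main() { fmt.Println(Demo()) }
```

Run with `go run`; the first verdict is nil and the other two are errors naming the failed check. In a real deployment the set of revoked serials would come from parsing the CA's published CRL, and the "known good" root pool is exactly the exercise left to the reader above.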


Steve Bellovin cast his net wider, for source material, and found information to the effect that Kerviel was "using other people's passwords".

Anyone for smartcards and Sun Rays, SocGen?

Monday Jan 21, 2008

On Tech Republic's "The 6 Consumer Technologies that are Destroying IT" article...

A copy of this article arrived as part of our internal weekly e-newsletter the week before last (and yes, I have been that busy); I would provide a pointer to it, but for some reason I can't seem to find it on Nonetheless, I believe it merits comment; I hope TechRepublic don't mind me quoting the article (with HTML blockquote tags) in full.

Consumerization: The IT Civil War.

If this really is a war, I think it’s fair to say that IT is losing. Many users are circumventing IT by using widely available technologies such as Yahoo Messenger, Gmail, USB drives, and BlackBerry phones to help them accomplish their tasks at work. The practice is so common that The Wall Street Journal has even published an entire article aimed at helping business users circumvent their own IT departments. I wrote a diatribe about how irresponsible it was for WSJ to publish that article, but that does not diminish the fact that this is happening everywhere and IT has become virtually powerless to stop it.

“It’s almost become a sport for users to vilify IT.” – Jeff Comport

Gartner Analyst Jeff Comport said, “There’s a reason people are trying to use this kind of technology and very often it’s to do their jobs better… We have IT very often coming from a world of budgets, controls, and projects, and they have spent their lives keeping this kind of stuff out.” As a result, “It’s almost become a sport for users to vilify IT,” said Comport.

Let’s take a look at the six consumer technologies that are causing IT the most trouble and then consider what IT can do to turn around a situation that is quickly going from bad to worse in many places.

6. Instant messaging software

Whether it is Yahoo Messenger, Windows Live Messenger, AOL Instant Messenger, Skype, Google Talk, or a variety of other IM clients, the fact is that instant messaging has spread to the point that as many as 20% of business users or more are now running it at work. Those are U.S. stats. The percentage is higher in Asia and far higher among younger workers everywhere. Users typically install the software themselves, often against IT policy. Most of the IM clients send data unencrypted so even two workers in the same company and on the same network can end up sending corporate secrets out onto the Internet for any hacker to sniff. There’s also the issue of IM file transfers that can introduce files that have not been scanned by antivirus software. However,  IM can also be a good thing. It can relieve e-mail inboxes from worthless chatter and it can help users quickly locate colleagues to solve timely problems. And there are enterprise options from Skype, Microsoft, and others that are making IM much easier for IT to regulate and standardize.
I also believe IM is A Good Thing; I use it myself, on a regular basis (invariably with OTR, when discussing interesting security things with colleagues, even when such discussions are over our internal network).

Granted, IM can be a double-edged sword; having both internal and external contacts available through the same IM interface, is a security risk; it's all too easy to accidentally paste something into a chat session with someone outside the company, which should instead have been pasted to somewhere inside the company. Here's where Trusted Extensions ("TX") comes into its own; even if, as an organisation, you're not up for doing a major data classification exercise, you could nonetheless have just two labels (call them PUBLIC and INTERNAL, or EXTERNAL and INTERNAL, it makes no difference) such that INTERNAL strictly dominates EXTERNAL (or PUBLIC). If you then - as the norm - run an internal IM instance for internal contacts and an external one for external contacts, give users the privilege in /etc/user_attr to copy and paste data "upwards" in sensitivity but not "downwards", then they can still bring data in from the world at large, but data inside the organisation, stays there. Where internal communications prompt the need to look for something out in the world at large, Glenn Faden has an elegant solution prototyped.

For folk who have legitimate need to move data from INTERNAL to PUBLIC - a corporate press officer would need to do this as part of the process of making a press release, for example - then a role could be created in RBAC such that the officer would assume the role,

5. Personal smartphones

Now that BlackBerry phones, Palm Treos, and Windows-based phones are priced as low as $200 by many of the big cellular carriers, lots of users who don’t have a spiffy company smartphone are just going out and buying one of their own. Many of them have figured out how to forward their business e-mail to their personal smartphones, which opens up a ton of privacy, regulatory, and security issues. There are secure ways for IT departments to handle this. Turning a blind eye or trying to block it are not valid options.

Owing to BlackBerry's data propagation mechanism (via RIM's servers, with a state machine such that a man-in-the-middle attack could be perpetrated), their use is rightly prohibited within Sun.

TX comes in use here, too; as the INTERNAL-labelled network isn't connected to the Internet, from its perspective, forwarding email from it to smartphones is going to be "very much less than straightforward" :-). For email on the PUBLIC network, email forwarding to mobile devices is a technology which could potentially be embraced within both policy and practice.

Of course, the world is not usually this straightforward and may require some finessing within the labelling scheme; PARTNER and (potentially) CUSTOMER could be inserted as labels between PUBLIC and INTERNAL, such that data associated with these classes of organisation may be forwarded where policy permits.
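Putting the label rule from the last few paragraphs into code, as an added example that is not from the original post and not Trusted Extensions' own logic: the label names are the post's, but the strict ordering PUBLIC < PARTNER < CUSTOMER < INTERNAL, the user names and the `DowngradeRole` flag (standing in for having assumed the RBAC role) are assumptions. The single check `MayTransfer` is what an IM paste, a mail forward to a smartphone or, later in the post, a copy to a USB stick all reduce to: the user must be cleared for both labels, upward flow is free, downward flow needs the role. TX enforces this in the kernel and window system; this is only the decision logic.

```go
package main

import "fmt"

// Label is a sensitivity label. The names are the post's; the strict ordering
// PUBLIC < PARTNER < CUSTOMER < INTERNAL is an assumption (the post only says the two
// middle ones sit between PUBLIC and INTERNAL).
type Label int

const (
	PUBLIC Label = iota
	PARTNER
	CUSTOMER
	INTERNAL
)

func (l Label) String() string { return [...]string{"PUBLIC", "PARTNER", "CUSTOMER", "INTERNAL"}[l] }

// Dominates reports whether l is at least as sensitive as other.
func (l Label) Dominates(other Label) bool { return l >= other }

// User is a TX-style account: a clearance, plus whether the user is currently acting in the
// declassification role (the press officer's role in the post). The flag name is an assumption.
type User struct {
	Name          string
	Clearance     Label
	DowngradeRole bool
}

// MayTransfer is the one decision behind every flow in the post: an IM paste, an e-mail forward
// to a smartphone or a copy to a USB stick is data labelled src landing somewhere labelled dst.
// The user must be cleared for both; upward flow (dst dominates src) is always allowed; downward
// flow only while the user has assumed the downgrade role.
func MayTransfer(u User, src, dst Label) error {
	for _, l := range []Label{src, dst} {
		if !u.Clearance.Dominates(l) {
			return fmt.Errorf("%s (cleared to %s) may not touch %s data", u.Name, u.Clearance, l)
		}
	}
	if dst.Dominates(src) {
		return nil // upward or same level: e.g. paste from the PUBLIC IM window into the INTERNAL one
	}
	if u.DowngradeRole {
		return nil // explicit declassification: e.g. the press officer releasing an approved text
	}
	return fmt.Errorf("%s may not move %s data to %s without the downgrade role", u.Name, src, dst)
}

// Matrix lists every src->dst flow and whether u may perform it; handy when reviewing a policy.
func Matrix(u User) map[string]bool {
	out := map[string]bool{}
	for src := PUBLIC; src <= INTERNAL; src++ {
		for dst := PUBLIC; dst <= INTERNAL; dst++ {
			out[src.String()+"->"+dst.String()] = MayTransfer(u, src, dst) == nil
		}
	}
	return out
}

func main() {
	alice := User{Name: "alice", Clearance: INTERNAL}
	press := User{Name: "press-officer", Clearance: INTERNAL, DowngradeRole: true}
	fmt.Println("alice pastes PUBLIC IM -> INTERNAL IM:       ", MayTransfer(alice, PUBLIC, INTERNAL))
	fmt.Println("alice forwards INTERNAL mail -> PUBLIC phone:", MayTransfer(alice, INTERNAL, PUBLIC))
	fmt.Println("alice copies PARTNER doc -> CUSTOMER share:  ", MayTransfer(alice, PARTNER, CUSTOMER))
	fmt.Println("press officer INTERNAL -> PUBLIC:            ", MayTransfer(press, INTERNAL, PUBLIC))
}
```

The accidental-paste case from above is the second line: the INTERNAL window's contents simply cannot land in the PUBLIC one, whoever the contact on the other end is. If PARTNER and CUSTOMER should not flow into each other, they would need to be incomparable compartments rather than points on one chain, which is a two-line change to `Dominates`.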

4. BitTorrent and P2P

Transferring big files is very difficult for most users. E-mail policies usually restrict it. FTP is too slow and often too difficult to configure (and sometimes even blocked by firewalls). IM clients are clunky and often fail at file transfers (usually blocked by firewalls). That’s why some users will turn to P2P programs such as BitTorrent, because they are much more effective. Unfortunately, these programs can also have a lot baggage since they are regularly used for hosting and transferring illegal music and video files. That doesn’t mean IT should necessarily abandon P2P software altogether. It can often prove extremely useful and efficient. For example, Collanos software can be used for sharing and collaborating on documents between various users in a team or workgroup.

I've had the "email thresholds too low, ftp (and sftp, as part of ssh) blocked, IM file xfer fail" issue before now, and my normal approach in these circumstances is either to use split to divide data into small enough chunks that they can be emailed as several parts, or to burn stuff to CDs and either put them in the post, or take them to the customer by hand.

If folk need to transfer stuff which takes more than 5 such emails, then they either have an overly-Draconian email policy, or excessively low bandwidth or absolute transfer size limits from their network service provider.

Of course, TX also prevents folk sharing stuff via these mechanisms, that they shouldn't :-).

3. Web mail with GB of storage

Another method that users often employ to transfer large company files is with a consumer e-mail account, such as Gmail, Yahoo Mail, and Hotmail, which all have much larger storage capacity and allow larger file attachments than most corporate mail accounts. The problem is that not only are these systems far less secure than corporate mail servers, but many of them thoroughly index messages and files and so sensitive corporate data transferred through these mail systems can get spread throughout lots of different servers and search indexes. New Windows storage technologies that do not save multiple copies of the same file can help IT deal with the e-mail storage issue and allow IT administrators to expand storage limits for users. There are also new Exchange plug-ins, such as Mimosa, that offload all attachments from messages and store them separately to streamline inboxes and allow IT to increase quotas.

Hear, Hear, TechRepublic; if you haven't already seen my pal Alec's recent talk incorporating his thoughts on this and other subjects, it's worth a watch. For folk in my position, who find it useful to be able to make VMware images of Solaris with Trusted Extensions configured available for internal download, a home directory of anything less than 20 gigabytes just doesn't cut it.

Also, for what it's worth, our messaging server hasn't been saving multiple copies of the same file, for as long as I can remember; it looks like Exchange just hit on something we've been doing for nigh on a decade ;-).

Naturally, TX will stop people putting internal stuff on external systems, as above...

2. Rogue wireless access points

It’s a wireless world in home networking now. Users who see how easy it is to connect a router to their DSL or cable modem and roam the house wonder why they can’t just do the same thing when they take their laptop from their cubicle to the conference room. If the company doesn’t offer wireless LAN access in their office, many of them just get sub-$100 wireless access points, plug into their Ethernet jack at work, and start roaming the building. Of course, if their desk is at the window next to the parking lot, they don’t realize that they just provided anyone who drives up with a free Internet connection and easy access to the corporate network. IT departments can follow best practices (see TechRepublic’s ultimate guide to enterprise wireless LAN security) to establish their own secure wireless LAN, or they can use products like Xirrus to simplify secure wireless deployments. They can also educate users and use intrusion prevention software to scan for rogue access points.

Not in my home, it isn't.

The best way to do campus / office wireless is to provide encrypted access direct to the Internet; if folk need to access the intranet they can VPN back in (ensure the VPN keys live only in the INTERNAL keystore), and encryption (even something as trivial to crack as WEP) at least inconveniences a Bad Guy and ensures that anyone who busts in for general access actually is, provably, a Bad Guy rather than a passer-by who joined an open network.

Of course, the best way to prevent rogue access points springing up, is to install sufficient non-rogue ones that the users feel no need to install access points of their own :-).

1. USB flash drives

Portable storage is nothing new. Twenty years ago, users were carrying around floppy discs full of files. However, the size of those old floppy discs limited the amount of data that users could take out of the company. Today, with 4-GB USB flash drives costing $40 or less (and flash drives as large as 64 GB now on the market), users can copy all of their My Documents files to a flash drive and walk out the door with them. Or a user could copy a huge chunk of a file server and walk out with it on an unencrypted USB drive.

As a Geek Of A Certain Age, I consider personal email and occasional personal web browsing (, various security sites and blogs, occasional oddities), via the corporate network to be "perks of the job". Having a nice hosted blog is a perk, too.

If Alec (and the originator of this idea, JP Rangaswami) are to be believed, the geeks who are entering the job market now will consider it a perk of the job to be able to plug their iPods into their office desktops and fire up iTunes. In fact, if they can't do this, it's reckoned they'll be reluctant to work for you.

So, let them - at PUBLIC. In fact, ensure that there's a little bit of infrastructure at PUBLIC for them to get to and run iTunes on, use as their temporary file springboard to get stuff to Flickr, etc. Of course, it may be necessary to have this bit of infrastructure automagically rebuild itself from time to time, so ensure the users know to download stuff to their iPods, etc in safe time windows. Let them mount USB sticks, digital cameras, etc at PUBLIC, deny them the privilege to do so at INTERNAL, and pragmatically, you're doing OK.

Users need to be able to easily transport their files in order to work from home or on the road, transfer documents to partners, etc. IT has to find ways to make it simple for users to do this while also protecting sensitive corporate data. For example, an IT department could educate users about flash drive security, provide encryption software for those who need to use flash drives, or simply provide company-sanctioned flash drives that are preconfigured with encryption and other security standards. The cost of the flash drives would be much cheaper than the legal fees and/or fines of dealing with customer data that slipped into the wrong hands.
Cue Flagstone and T10000 tape drives for really sensitive stuff (or large aggregations of notionally less sensitive stuff), and the likes of ZFS crypto and FileVault for more general day-to-day things.

What will come of all this?

Gartner Analyst Stephen Prentice said, “The critical thing to understand is that your employees are not doing any of these things … to be awkward. They’re not doing it because they’re trying to break security. They’re simply trying to get their job done… The approach has to be to not go in there and stop them from doing it. Go in there and find what constraint have you put in their way that’s forcing them to do something that is out of your control, and then fix your problem. If you gave people the option of using an in-house, secure, controlled environment that meets all of their needs, they simply aren’t going to have the need to go outside. If you fail to give them that — if you give them restrictions that are unreasonable or stop them doing their job effectively — then they will find another way.”

Gartner Fellow David Mitchell Smith added, “If rogue users start to see some flexibility on the part of the IT department — some genuine interest in wanting to provide what they need — they may be more open to go to them first and say ‘Can you help us provide this,’ as opposed to just going out and doing it. [They could] be part of the solution, instead of part of the problem. But long term, there’s this unstoppable force which is demographics. New people are coming into the workforce, in IT and in non-IT functions, and they are becoming more open-minded and having more and more of an impact. Over time it’s pretty inevitable that the trend is moving toward the more open way of doing things. It’s just a matter of how long it takes and how well it fits into the culture of each organization.”

Ultimately, this “civil war” is merely a sign of two larger problems that IT must address:

1.) There are a lot of IT departments that have policies and attitudes that are stuck in a time warp. The procedures that allowed IT to deploy important technologies while protecting users from themselves are no longer valid in a world where individual users often have newer and more advanced technologies in their homes than the IT department has in the office. IT is now entering into more of a partnership with users, and policies and attitudes need to reflect that.

2.) There’s a general disconnect and lack of constructive communications between many IT departments and their users. IT departments need to view themselves as customer service organizations, with their users being their primary customers. IT departments have got to lose their paternalistic approach to users and focus their efforts around serving users and enabling them to become more productive. The IT departments that make these changes will thrive. The ones that don’t will see their role within the organization diminished and become prime targets for outsourcing.

This isn't the first place I've seen this - Alec hit it first, AFAIK - but it's worth commenting on.

Monday Dec 31, 2007

A little research request for UK GPs...

Following the recent NHS regional authority data leaks, and taking advantage of the lull in workload associated with the festive season, I've been thinking about whether care record centralisation or decentralisation is the better idea.

Currently, I'm in favour of centralisation; this is mostly down to human factors. If a centralised infrastructure needs fewer but more capable sysadmins than the regional authorities currently have, such sysadmins can be found, and measures can be put in place (codes of connection, etc) such that any data which is legitimately accessed by a regional authority cannot be cached outside the central infrastructure, then centralisation is pragmatically the best bet.

However, I'm open to other opinions and lines of argument.

I've also had a careful re-read of some standards I tend to refer to, from a healthcare-oriented perspective, and doing so raises a number of questions; I was originally planning to blog about what changes might be needed in an end-to-end, centralised electronic patient and care record system in order to maintain compliance with these standards, until I realised that I don't have current and detailed knowledge of what various health authorities are actually using, today.

So, I have a request. If you are a UK-based GP, or know one who wouldn't mind answering a few questions for a security geek, please let me know (either by email - usual Sun format - or in this posting's comments):

  • for a typical PC in a GP's surgery, who owns it?
  • for ditto, who maintains it, from the perspective of patching, AV, etc?
  • what OS and apps does it run?
  • what is the nature of the data connection between the GP's surgery and the local trust - who owns it, and who provides it?
  • what authentication does a GP have to provide, to access online records or services?
  • does said typical PC have internet connectivity, and if so, is this direct or via some relay / proxy in the local authority?
  • what does the computer do, when you put a CD or USB stick in it?
I thought I'd make the request here, since different regional healthcare trusts may have different approaches, and I suspect my own GP might well take a dim view of me trying to make an appointment with him for something not related to my health ;-) .

If you would like to email me about this (being my preferred means of communication on the subject), please use your NHSnet or email address; I'll drop you a quick line back with my thoughts, and this will also serve to verify that the email comes from a valid address...

Some silliness with analogies

It's sometimes amusing to see what conversational threads start at the local, especially after a few beers :-).

For instance, the old adage about optimists, pessimists and whether glasses are half-empty or half-full can almost take on a life of its own:

  • Optimist: the glass is half full.
  • Pessimist: the glass is half empty.
  • High-availability engineer: half the liquid is in a redundant glass.
  • Performance engineer: the glass is performing at 50 percent capacity.
  • Accountant: the glass is twice the size it needs to be; if we don't get more liquid before the end of the quarter, we need to downsize it.
  • Auditor: who owns the glass?
  • Compliance officer: are the glass and the liquid owned by the same organisation? What do their industry regulators have to say about liquid management?
  • Consolidation engineer: you can put the liquid from those other, smaller glasses into this big one.
  • Virtualisation engineer: ...and when you do, you don't have to worry about whether the liquids are the same or not, as they won't mix.
  • Security engineer: now prove that last statement, and show how multiple people can drink only their liquid from the same glass, hygienically.

Monday Dec 24, 2007

"PII as a Controlled Substance"

As he frequently does, Robin set me thinking with a couple of items in one of his recent posts.

Robin reckons that PII should be "treated as a controlled substance", and makes a convincing argument to this effect. However, there's an even deeper truth in his statement that PII should be considered to be like "fissile material, or the kinds of materiel covered by arms limitation agreements during the Cold War".

Just like fissile material, PII has a half-life.

If the infamous HMRC CDs have fallen into the hands of a ne'er-do-well, said ne'er-do-well would be wise to sit on them until the media brouhaha has died down, but not so long that much of the data is no longer accurate.

People die, move house, change their names on getting married and divorced - in short, PII changes. For the amount of PII disclosed by HMRC, the analogy can just about be drawn between loss of accuracy over time, and radioactive decay.

In a hundred years' time, the misplaced HMRC data will be entirely useless to someone who wants to try faking identity. In fact, if you look at it from the perspective of the disclosure state machine I put together, if someone was to try to fake an identity based on a piece of "naturally expired" PII in a few years' time, the "expired" PII could serve as a strong indicator of suspicion that they were in possession of the misplaced HMRC data. I sincerely hope that HMRC has realised this, and has made a reference copy of the as-misplaced database such that a "watch-for" list will come into being inside HMRC and slowly grow, based on updates to the live database resulting in increasing discrepancies with the misplaced records.

Potentially, HMRC could even offer a service to other UK Government departments, to check offered identity information against this watch-for list...
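The watch-for list and the check against it, as an added example in Go (it is not from the original post, and certainly not HMRC's code); the record fields, the reference numbers and every value in it are made up. The reference copy of the leaked data is diffed against the live database; every record that has since changed goes on the list, which is why the list starts empty and grows; and an offered identity that matches the stale version but not the live one is the tell the post describes.

```go
package main

import "fmt"

// Record holds the fields an impostor would present; the fields and every value are made up.
type Record struct {
	Name, Address, SortCode, Account string
}

// Verdict is the state the post's "disclosure state machine" assigns to an offered identity.
type Verdict string

const (
	MatchesLive   Verdict = "consistent with the live record"
	MatchesLeaked Verdict = "matches the as-misplaced record but not the live one: treat as suspect"
	NoMatch       Verdict = "matches neither"
)

// WatchList diffs the reference copy of the leaked data against the live database and returns
// every reference whose record has since changed (or been removed). It is empty on the day of
// the loss and grows as people move, marry, change banks or die: the half-life in action.
func WatchList(leaked, live map[string]Record) map[string]Record {
	w := map[string]Record{}
	for ref, old := range leaked {
		if cur, ok := live[ref]; !ok || cur != old {
			w[ref] = old
		}
	}
	return w
}

// StaleFraction is how much of the leaked data no longer matches reality.
func StaleFraction(leaked, live map[string]Record) float64 {
	if len(leaked) == 0 {
		return 0
	}
	return float64(len(WatchList(leaked, live))) / float64(len(leaked))
}

// Check is the service the post imagines HMRC offering other departments: does an offered
// identity match the live record, or only the stale one that the misplaced discs carried?
func Check(ref string, offered Record, live, watch map[string]Record) Verdict {
	if cur, ok := live[ref]; ok && cur == offered {
		return MatchesLive
	}
	if old, ok := watch[ref]; ok && old == offered {
		return MatchesLeaked
	}
	return NoMatch
}

// Demo plays the timeline: a snapshot is lost, time passes and one family moves and changes
// bank, then identities are offered. All data is constructed.
func Demo() map[string]Verdict {
	leaked := map[string]Record{
		"CB-0001": {"A. Parent", "1 Old Street", "12-34-56", "00000001"},
		"CB-0002": {"B. Parent", "2 Old Street", "12-34-56", "00000002"},
	}
	live := map[string]Record{}
	for k, v := range leaked {
		live[k] = v
	}
	live["CB-0002"] = Record{"B. Parent", "7 New Road", "65-43-21", "00000099"}
	watch := WatchList(leaked, live)
	return map[string]Verdict{
		"CB-0001 as on disc": Check("CB-0001", leaked["CB-0001"], live, watch),
		"CB-0002 as on disc": Check("CB-0002", leaked["CB-0002"], live, watch),
		"CB-0002 as today":   Check("CB-0002", live["CB-0002"], live, watch),
	}
}

func main() {
	for who, v := range Demo() {
		fmt.Printf("%-20s %s\n", who, v)
	}
}
```

Note the order of the two lookups in `Check`: a record that hasn't changed since the loss matches both copies and says nothing either way, which is why the list is only useful once it has had time to grow.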

Oh, and a happy Newtonmas to all my readers :-)

Wednesday Dec 19, 2007

Reward for missing HMRC disks - why?

I'm scratching my head over the news that HMRC is offering a substantial reward for the return of their missing child benefit data CDs.

As has been said elsewhere (see posting dated November 24th, 2007), the data hasn't been so much "lost" as "published". If the CDs genuinely have fallen into the hands of a ne'er-do-well, they would certainly have the sense to take a copy of the contents, before attempting to claim the reward - in fact, I idly wonder if the reward is a hook such that, if return is attempted, the returnee will immediately be arrested, have their home thoroughly searched for backup media, and have their computer equipment seized for forensic examination to determine whether such a backup exists on hard disk.

I also idly wonder what HMRC's response would be, if they were to receive multiple, identical copies of the discs, from multiple sources? After all, this is quite possibly the distribution status of the data, by now...

Wednesday Dec 12, 2007

"Password-protected, but not encrypted": a follow-up

While further examples of questionable media handling security within Government are now starting to come out of the woodwork (DWP, DVLA Northern Ireland), I'm also seeing some interesting comments on my previous posting about the HMRC data leak.

While I don't believe everything I read in my blog comments, the enigmatic "wigwam" has kindly pointed me at this - the minutes of evidence presented to the Treasury sub-committee on the breach.

Take a look at Q389 - Q393.

Monday Nov 26, 2007

"Password-protected, but not encrypted"

While I'm happy that my own details haven't been leaked as part of the HMRC data leak (not having children is good for my privacy as well as my bank balance and my carbon footprint, it would seem), I'm following the news closely, as more information about the leak is disclosed.

The Chancellor of the Exchequer was interviewed on Radio 4's "Today" programme on Tuesday morning last week, and said something which particularly surprised me. Specifically, he referred to the way in which the data was stored on the missing discs as "password-protected, but not encrypted".

I conjecture that you can't actually have password protection, without encryption.

Consider one of these missing disks. If it was to turn up and you put it in your DVD-ROM drive, you could dd the blocks off it, to get yourself a file of anything up to 4-and-a-bit GB in size. If you then grep through it for known cleartext (such as the names of folk you know who are parents), you'll get matches unless the data is either compressed or encrypted; it's fair to assume that the files on the disks will have been generated by fresh extraction from a database of some sort, so you're going to be looking at a reasonably sequential set of blocks, without much fragmentation or indirection.

This neatly bypasses any application-layer password system.

If the files on the disks are simply compressed, you could either reconstruct the compressed data sets from the dd'ed blocks using forensic tools, or simply mount the disks, copy the files to scratch space and decompress them.

Here's where you're likely to hit password protection - at the application layer.
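The dd-then-grep triage from the paragraphs above, as an added example in Go (not from the original post, and not any forensic tool's code): it constructs a small extract in the shape of the missing data, writes it out three ways (as-is, deflated as a zip would store it, and under AES-256-CTR with a made-up key and a fixed IV), then classifies each run of blocks by grepping for names known to be in the set, inflating and grepping again, and otherwise calling it opaque; byte entropy is printed alongside as the supporting evidence a forensic tool would show. The record contents, the passphrase and the IV are all constructed for the demo.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
	"io"
	"math"
)

// Entropy returns the Shannon entropy of b in bits per byte (0 for empty input, at most 8).
// A CSV-style extract sits well below 5; compressed data is high; ciphertext is very close to 8.
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// containsAny is the grep step: does any name we know must be in the extract appear verbatim?
func containsAny(data []byte, known []string) bool {
	for _, k := range known {
		if bytes.Contains(data, []byte(k)) {
			return true
		}
	}
	return false
}

// Classify applies the post's reasoning to one run of blocks carved out of the dd image:
// grep the raw bytes; failing that, try to inflate the run (raw DEFLATE, as zip stores entries)
// and grep the result; anything else is opaque, i.e. encrypted or a format this check ignores.
func Classify(region []byte, known []string) string {
	if containsAny(region, known) {
		return "cleartext"
	}
	inflated, err := io.ReadAll(io.LimitReader(flate.NewReader(bytes.NewReader(region)), 1<<24))
	if err == nil && containsAny(inflated, known) {
		return "compressed"
	}
	return "opaque"
}

// Records builds a constructed extract in the rough shape of a benefits database dump.
func Records(n int) []byte {
	var b bytes.Buffer
	for i := 0; i < n; i++ {
		fmt.Fprintf(&b, "%06d,Parent %d,Child %d,NI AB%06dC,Sort 12-34-56\n", i, i, i, i)
	}
	return b.Bytes()
}

// BuildImage returns the extract as three regions as they might appear on a disc: written as-is,
// deflated, and encrypted with AES-256-CTR. The key comes from a made-up passphrase and the IV
// is all zeros, which is acceptable only because this is throwaway demo data.
func BuildImage() (plain, compressed, encrypted []byte) {
	plain = Records(200)
	var cbuf bytes.Buffer
	w, _ := flate.NewWriter(&cbuf, flate.BestCompression)
	w.Write(plain)
	w.Close()
	compressed = cbuf.Bytes()
	key := sha256.Sum256([]byte("constructed passphrase"))
	block, _ := aes.NewCipher(key[:])
	encrypted = make([]byte, len(plain))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(encrypted, plain)
	return
}

func main() {
	plain, compressed, encrypted := BuildImage()
	known := []string{"Parent 42", "Parent 137"} // names we know are in the data set
	for _, r := range []struct {
		name string
		data []byte
	}{{"raw extract", plain}, {"deflated", compressed}, {"aes-256-ctr", encrypted}} {
		fmt.Printf("%-12s %.2f bits/byte  -> %s\n", r.name, Entropy(r.data), Classify(r.data, known))
	}
}
```

On a real image the deflate streams sit at offsets inside zip local file headers rather than at the start of a region, so the "inflate" step in practice means carving at the `PK` signatures first; the decision logic is the same. Entropy alone does not separate compressed from encrypted data reliably, which is why the example decompresses rather than guessing from the number.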

Thinking about what is likely to have been done when marshalling the files to burn onto the disks, it's rather probable that whatever raw data was required was put into a password-protected zip archive (in fact, suggests this is the case).

Where password protection is applied, the zip format doesn't store the password or gate access to the archive behind a mere check: the password is used to derive a symmetric key (a soft keystore unlocked by the password, in effect; the traditional PKZIP scheme stirs the password bytes into a three-word cipher state, and WinZip's AES scheme derives an AES key from the password and a per-entry salt with PBKDF2), and that key then decrypts the body of each entry before the usual decompression takes place.

Please note the use of the word "decrypts", Chancellor :-).

Apparently, WinZip 9.x introduced AES encryption, so depending on what version of what zipping app is in use at HMRC, it may even be using a US-formally-approved algorithm.

Granted, the soft keystore needs to be bound up with the data in the file (and it's usually advisable to keep your keys somewhere where your data isn't), but encryption is still encryption. However, for earlier versions of Zip, I'm reliably informed that the PC1 encryption algorithm it uses is rather straightforward to break.
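What the zip format actually does with the password, as an added example that is not from the original post or from any zip implementation: the traditional PKZIP stream cipher (the one in pre-AES archives), written out from the published APPNOTE description, together with the 12-byte encryption header whose last byte is the one-byte "password check" a reader performs before it tries to decrypt the body. The sample data and passwords are made up. It shows that there is no password check separate from the encryption: the check is itself a decryption, and a wrong password yields garbage rather than a refusal (about one wrong guess in 256 passes the one-byte check and still yields garbage). Weak cipher, but still a cipher: Biham and Kocher's 1994 known-plaintext attack recovers the key state from about a dozen bytes of known plaintext, which is the "straightforward to break" point above.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"hash/crc32"
)

// keys is the state of the traditional PKZIP ("ZipCrypto") stream cipher: three 32-bit words
// initialised to fixed constants and then stirred with each byte of the password.
type keys struct{ k0, k1, k2 uint32 }

func newKeys(password []byte) *keys {
	k := &keys{0x12345678, 0x23456789, 0x34567890}
	for _, b := range password {
		k.update(b)
	}
	return k
}

// update mixes one plaintext byte into the state (CRC-32 steps on k0 and k2, an LCG on k1).
func (k *keys) update(b byte) {
	k.k0 = crc32.IEEETable[byte(k.k0)^b] ^ (k.k0 >> 8)
	k.k1 = (k.k1+(k.k0&0xff))*134775813 + 1
	k.k2 = crc32.IEEETable[byte(k.k2)^byte(k.k1>>24)] ^ (k.k2 >> 8)
}

// stream returns the next keystream byte; only the low 16 bits of k2 take part.
func (k *keys) stream() byte {
	t := k.k2 | 2
	return byte((t * (t ^ 1)) >> 8)
}

// Seal produces what a zip writer stores for one entry: a 12-byte header (11 random bytes, then
// the high byte of the entry's CRC-32, which is the "password check") followed by the data, all
// under the keystream. Real zip deflates the data first; the cipher does not care.
func Seal(password, data []byte) ([]byte, error) {
	hdr := make([]byte, 12)
	if _, err := rand.Read(hdr[:11]); err != nil {
		return nil, err
	}
	hdr[11] = byte(crc32.ChecksumIEEE(data) >> 24)
	k := newKeys(password)
	out := make([]byte, 0, len(hdr)+len(data))
	for _, p := range append(hdr, data...) {
		out = append(out, p^k.stream())
		k.update(p)
	}
	return out, nil
}

// Open is what a zip reader does with a password: decrypt, compare the header's last byte with
// the CRC recorded in the central directory (crc), and only then hand back the body.
func Open(password, sealed []byte, crc uint32) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("short entry")
	}
	k := newKeys(password)
	plain := make([]byte, len(sealed))
	for i, c := range sealed {
		plain[i] = c ^ k.stream()
		k.update(plain[i])
	}
	if plain[11] != byte(crc>>24) {
		return nil, errors.New("wrong password (header check failed)")
	}
	return plain[12:], nil
}

func main() {
	data := []byte("constructed extract: 000001,Parent 1,Child 1\n")
	crc := crc32.ChecksumIEEE(data)
	sealed, _ := Seal([]byte("hmrc-password"), data)
	good, err := Open([]byte("hmrc-password"), sealed, crc)
	fmt.Printf("right password: %q %v\n", good, err)
	bad, err := Open([]byte("guess"), sealed, crc)
	fmt.Printf("wrong password: %q %v\n", bad, err)
	fmt.Println("cleartext greppable in sealed entry:", bytes.Contains(sealed, []byte("Parent")))
}
```

The header check is a convenience, not a control: the one bit of "protection" it adds is a 1-in-256 chance of rejecting a wrong password early, and the only thing standing between an attacker and the data is the (weak) cipher.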

It's also possible that, rather than password-protect a zip archive, HMRC sent the data in some password-protected spreadsheet form; let's look at what happens with StarOffice Spreadsheet and Microsoft Excel, in this regard...

From the OASIS standard for ODF 1.0...

The encryption process takes place in the following multiple stages:

1. A 20-byte SHA1 digest of the user entered password is created and passed to the package component.

2. The package component initializes a random number generator with the current time.

3. The random number generator is used to generate a random 8-byte initialization vector and 16-byte salt for each file.

4. This salt is used together with the 20-byte SHA1 digest of the password to derive a unique 128-bit key for each file. The algorithm used to derive the key is PBKDF2 using HMAC-SHA-1 (see [RFC2898]) with an iteration count of 1024.

5. The derived key is used together with the initialization vector to encrypt the file using the Blowfish algorithm in cipher-feedback (CFB) mode.

...nice :-).

For Excel, here's the appropriate quote directly from Microsoft's support site:

"You can use a strong password with the Password to Open feature in conjunction with RC4 level advanced encryption to require a user to enter a password to open an Office file."

Not as explicitly defined as the ODF standard, but then, that's Microsoft for you.

Nonetheless, RC4, if correctly implemented, is Plenty Good Enough to count as "encryption" (though the default "Office 97/2000 Compatible" setting uses a 40-bit RC4 key, so "correctly implemented" includes choosing one of the longer key lengths the same dialogue offers).

Of course, if the HMRC infrastructure had been built on top of Trusted Extensions, the "junior employee" (noting the rumours forming, that more senior staff may have been complicit) would probably not have had the label at which all this data was stored within his clearance range, or the clearance range of a role that he was allowed to assume without passing through a two-person rule; he certainly wouldn't have had the privilege to mount or burn media at that label...


Actually, it looks like "password protection without encryption" has been implemented as a feature, as "Password to modify" in Microsoft Office - but, as you might expect, it doesn't work...

Tuesday Nov 13, 2007

Another Sun security geek joins the ranks of the Blognoscenti...

Welcome, Efi :-).

I'll grab your application security stuff, in a mo.

Wednesday Nov 07, 2007

(Feeling at) Home on the Range

(Aside; composing blog articles for my "to post" queue isn't a bad way to spend time on a train into London...)

As you've already seen, Las Vegas and I don't see eye to eye. However, the same permissive Nevada laws which cause Vegas to be what it is in the first place, also resulted in one of the very few pleasant non-conference experiences I had (other than catching up with many of my pals from Sun's worldwide security community, and sinking large quantities of overpriced beer with them).

There's a place a little way off the Strip called "The Gun Store". It does exactly what it says on the tin - ie, sells guns, ammunition, holsters etc - however it also has its own little arsenal which, for a reasonable fee plus ammunition, can be hired out to shoot on the range they have at the back of the store. Now, I used to be on my University Rifle Team's "B" string back in the days when firearms were still legal in the UK; we'd shoot .22 long, prone, at targets maybe 2.5 inches across (this being the diameter of the 5 ring) with iron sights at 30 yards. I used to shoot around the high 80s - low 90s pretty much all the time; I still have the card, somewhere, on which I shot my best score of 96, sometime in 1991.

So, this place had some appeal - even more so, when I found out that Nevada law permits fully automatic weapons :-).

Steve (Nelson), Joel and I headed over there on the Tuesday lunchtime; here's some notes on what I shot, and what I thought of it.

MP40 "Schmeisser": I was really pleasantly surprised to find that they had one of these (a Mk2); having heard stories of them when I was a small boy, from a few aged great-uncles who had fought in World War II and "liberated" MP40s to use in preference to their UK-issued Stens, "it had to be done". Cyclic rate was maybe 65 per minute; it was easy to squeeze off controlled 3-round bursts. Barrel rise wasn't a huge issue, probably as a result of overall good balance and the good forward grip. Nice single-blade-in-tunnel foresight; if the backsight hadn't gone (probably a casualty of history), I reckon I'd have got my groups rather tighter. I put 40 rounds through it, and enjoyed it.

Heckler & Koch MP5: The SMG of choice for British Special Forces and police armed response units, though to be honest, I can't see why; barrel rise was much more of an issue on this than the other two SMGs I shot, and I think it would benefit from a forward grip redesign. Cyclic rate is about 70 per minute, so it's easy to get 3-round bursts off even when set to full auto. Unusual trident-in-tunnel foresight; I suspect this may be a ranging aid of sorts. Nice integrated backsight. I put 60 rounds through it, and wasn't displeased to hand it back.
Extra note: I gather that the slings that such units carry their MP5s in, are rigged such that when shooting, they exert a force on the gun to keep the barrel down (in the manner that the "across the chest, under the forward hand and onto the end of the forward grip" sling I used to use when shooting .22 rifle, would stabilise it). It's a shame that such a sling wasn't available at the Gun Store; I'd have liked to have used it...

Colt M16 9mm compact: Clearly a derivative of the Colt Commando, with the same gas-cylinder recoil compensator in the short stock. The sweetest-shooting SMG of the lot, in terms of low barrel rise; however barrel control still needs care, given the 100 round per minute cyclic rate! I was usually getting 4-5 round bursts out of it, although I did manage to loose off a 10-round (out of sheer curiosity) and still get everything on the target, although naturally not in anything which could be called a decent grouping. Nice single blade-in-tunnel foresight and integrated backsight, really good forward grip. I put 100 rounds through it, and thoroughly enjoyed it.

Glock 17: It's been even longer since I've shot pistol, but Joel, bless him, persuaded me to hire this out and see what I remembered. I put two clips of 10 rounds through it; the first clip was "on target" inasmuch as all the rounds actually hit the target, but with a little advice from my instructor, my hands remembered how to shoot pistol and the second clip went in a reasonable group. A very nice, well-balanced little 9mm.

Magnum Research / IMI Desert Eagle: I've been wanting to put a few rounds through one of these, since I first heard of their existence :-). Having gained a bit of confidence with the Glock, I just had to give it a go. Hire and ammo cost was somewhat steeper than for the other pistols available, as you'd expect - nonetheless, it's now on my "been there, done that" list, even though I only got 5 rounds for my money. The Eagle is not the wrist-snapper I was expecting (although I found out afterwards, that the piece I was shooting was chambered for .44 Magnum rather than the .50 Action Express I was expecting... interchangeable barrels, etc); it still packs a considerable recoil, certainly, and you wouldn't want to try any sort of rapid-fire semi-auto shooting with it, but if you shoot two-handed and have the luxury of taking 5 seconds or so between shots, you can let your shoulders take the strain and it doesn't hurt. To really put the perfect finish on my shooting session, I managed to put the last 3 of my 5 rounds into a 2-inch diameter headshot grouping :-).

There's something about the Eagle, which "simply works" for me. It's a hardcore sniper's pistol, if there could be considered to be such a thing. Somehow, it feels "spot on" in my hands, heavy though it is. I so want to see what it can do, target-wise, with the optional 10" barrel on - in such a configuration, it would be the Walker Whitney Colt for the era of the self-contained, cased round...

The shop and range are very well-managed; the guns-for-hire are on two racks well behind the counter, one rack being for fully automatic and the other for semi; you indicate the gun you're interested in and name your number of rounds in multiples of clip capacity ("bulk discount" deals are available, see the labels next to the guns); the clips are given to you pre-loaded; you take them to the till, where you choose your target sheets and pay for everything. Then, you go to the back of the store, collecting eye protection and ear defenders on the way, and meet up with your instructor, who picks up your chosen weapons. You are then led through a door into a short corridor, at the end of which is another door - only one of the doors can be open at a time, although this is managed by a human rather than electronic process. Beyond the second door, you're on the range. You and your instructor find a free booth, you put your clips on the booth's shelf, your chosen target sheet is run out on the wire, your instructor (un)locks and loads for you, and you either put the gun down on the shelf or hand it across to your instructor once it's empty (your instructor decides how they want to run things).

If you are ever in Vegas and fancy having some responsible fun with firearms, I highly recommend this place; it's well-managed, has a good selection of guns available, and the instructors are polite and informative (at least, as polite and informative as you can be while both of you are wearing ear defenders). My little session above cost me the modest sum of a hundred pounds, and to my mind, it's much better-value fun than gambling or glitzy shows - even though it's expensive in absolute terms, compared with usual ammunition prices, IMHO it's worth it for the experience. The range is only really long enough for pistols and SMGs, though - if you want to see what you can do with a sniping rifle, you need to go elsewhere (and most likely, outdoors), to put some serious distance between you and your target.

Fear and Loathing of Las Vegas

While CEC itself was good and very worthwhile attending, Las Vegas does rather more than "put my teeth on edge". If it wasn't for my presentation obligations, getting to see so many of my old pals and wanting to see other folks' breakouts, I'd have been close to rearranging my flights to be out of there within the first 24 hours.

If you want to know why, read on. If not, skip to the next article, which is far more positive and involves guns :-).

From the air, Vegas is very spread-out - it's very unlike most American cities, and if it wasn't for the sheer garishness of the illumination of the Strip and the fairly rigorous geometry of the street patterns, what you see from above at night could almost be mistaken for London.

The first warning bell rang in my head, when I had to walk past ranks of slot machines at the airport. Some of these were even air-side.

When I landed, rather than being bussed to the Paris / Bally where the conference was being hosted, with the rest of the CEC folk, I was picked up by Steve Nelson (Head of the Security Ambassador Board), and he, Luc Wijns (who was on the same 'plane) and I went for dinner and beer at the Crown and Anchor, a "British" pub a little way off the Strip. It's nice to feel welcomed :-).

About the only way in which the place could be described as British in atmosphere involves lots of Union Jacks and regimental colours around the place - British pubs tend not to do neon. Fortunately, some of the beer also came from home, and even though the Americans do a fair amount of damage to a pint of Hen by serving it chilled from a nitro pump, at the end of the day, it's still Hen :-). There were also some British-inspired dishes on the menu (Steve enjoyed a steak and ale pie), however my metabolism was still out of kilter having just spent the better part of half a day travelling a third of the way around the planet, so I contented myself with some bacon and cheese potato skins.

We drove to the Strip via some back roads and went into the hotel via a side door, so we didn't see the full horror of the place immediately - however, it took a stroll of some 200 metres through the massed ranks of slot machines and card tables to find Reception. In fact:

Vegas Rule #1: If either your starting point or destination are on the Strip, you have to walk through at least 200 metres of slot machines and card tables to get between points A and B. If points A and B are both on the Strip - even if they are in the same hotel - you can make that 400 metres.

There's an almost-constant beeping in the ears, like tinnitus, when doing anything on the ground floor of a hotel on the Strip.

Then, there's the people sat at these machines and card tables - but it's the ones at the machines which get to you if you look closely. Glazed of eye, they feed money into flashing and beeping contraptions while hitting a very few buttons, for hours and hours at a time; I walked past a little old lady one evening on my way to my room, and she was still there when I came down for breakfast the next morning. The Wachowski Brothers must have been in Vegas, or thinking about Vegas, when they came up with the idea in "The Matrix" that the purpose of humanity is to power the machines.

Vegas Rule #2: You are trapped in the Matrix. Take the blue pill (or the red-eye, the hell out of there). You need to wear shades at night; my photochromatics darkened, when on the Strip after sunset.

Surprisingly, smoking in unsegregated areas of indoor public places is entirely permitted.

Anyway, I checked in - which took 20 minutes of queuing - and headed off to bed; on drawing my curtains back, I was confronted with a replica Eiffel tower. In retrospect, I think the one in Blackpool is taller.

With the effects of several pints of Hen to help me sleep, I managed about 5 hours of shut-eye; not bad, for me, for a first night on a day in which I travelled from BST to PDT with a 2-hour stopover in EDT. One serious soak in the bath in the morning (why is it that American baths, to my view, always seem to be slightly countersunk into the floor?) and I was ready to take an extended stroll to see what Vegas looked like from the ground, while working up an appetite for breakfast.

Vegas Rule #3: Hotel exits are hard to find. Interior lighting is kept to a perpetual early twilight, and exit signs are placed no further than 100 feet before an actual exit. I regularly bumped into colleagues who were looking lost, asked them what they were looking for, and was told "daylight". I hate to think what would happen in the event of a fire; maybe the casinos have emergency floor lighting, like passenger aircraft...

The Strip looks like Second Life. Actually, that's not true; I suspect a bunch of Second Life was modelled on Vegas. One thing's for sure, all the hallucinogens left over at the end of the '60s must have been force-fed to the architects tasked with designing the place. There's a life-size castle which looks like it was built from 30-foot-a-side Lego bricks, a 3-storey high Coke bottle, a bike shop with half of a 1-storey high Harley coming out of the wall above the door, a scaled-down New York skyline (interestingly, minus the Twin Towers), a pyramid (incongruous in black, and with a many-storey high Vodka advert on it) with an upward-pointing light source which the FAA must still be complaining about, and everywhere, slot machines and card tables in seemingly-endless rows. In the middle of "New York New York"'s main slot machine floor, stands one of the most outstanding products of a diseased mind I've seen; render Marilyn Monroe in classic "Seven Year Itch" skirt-blowing pose in stone, and modify it by raising her right arm, putting a torch in her right hand and planting the Statue of Liberty's crown on her head.

If Vegas looks like this to a clean and sober security geek, I can begin to understand what Hunter S. Thompson used to see there.

Vegas Rule #4: Read "Fear and Loathing in Las Vegas" before you go. What's there today, isn't what St. Hunter was seeing in the '70s, but it's a helluva lot weirder than what was actually there when he was, and almost as weird as what he was seeing.

Indoors, it's hard to get away from the beeping without going to a presentation, or your room. Outdoors, it's hard to get away from the flicking of cardboard on cardboard, as though there's always someone within a few feet of you doing a riffle shuffle on a card deck. What the folk (usually appearing to be of Mexican or other Central / South American origin) doing this are actually doing, is propagating "tart cards", advertising the personal services of "ladies of negotiable affection", as Mr Nelson and I like to refer to them (with a tip of the hat to Pratchett). Even though I'm given to understand that prostitution, while legal in most of the rest of Nevada, is actually illegal in the county in which Vegas sits, it nonetheless goes on openly. Actually, it must be a really hellish job to be a Vegas cop; not only are most residents likely to have fully-automatic ordnance at their disposal, but in order to have anyone notice the roof lights on your car at night on the Strip, you'd have to replace them with at least Class III lasers...

Anyway, on the Sunday (being the day after I landed), there were a few things I needed to do; among these was "mandatory speaker training", which I went to with an open mind, and came out of with some useful new ideas on presentation technique. There was a huge dinner laid on for Sun folk, in the evening; the food wasn't bad, and I welcomed the opportunity to catch up with a big bunch of friends. Bumping into Wolfgang Ley, I found that he'd already done a bunch of research into where the local microbreweries were, and marked them on his map; with Steve Gaul also on hand (we needed to discuss the finer points of what we were going to cover in our presentation and workshop on the Monday - plus, Steve also likes his beer), Wolfie and I decamped to one in yet another nearby hotel / casino complex, which - even though it no longer brewed on the premises - carried "Sin City Stout". I'm not much of a Stout drinker at the best of times, but this stuff did a good job of converting me to the chocolate-malt cause :-).

Vegas Rule #5: You can still find a good locally-brewed pint, if you know where to look :-).

Waking up at a sane hour on Monday morning after a good night's stout-induced sleep (whew), my agenda read: "Breakfast, general sessions, breakout setup and test, breakout, deep-dive, try not to panic during any of the previous two entries, dinner". I'm pleased to say (as in the CEC posting previously) that the breakout and deep-dive were both well-received; no CEC dinner was organised in the evening, so a bunch of us found a nice Italian restaurant tucked away in the back of another hotel / casino complex (restaurants are always at the back, see Rule #1) and had a really rather good dinner. It always helps to have Italians (principally Domenico) on hand to choose the wine at such occasions, of course!

Tuesday, I've mostly covered in the CEC article (with the major exception of the fun had at lunchtime, but that's the next post); about the only other point worth mentioning is to agree with Tim Bray about Vegas not being set up for pedestrians (although Joel and I took the first bus back from the party; Tim did better than us, by actually managing to get 3 kebabs). I was in the mood for dining Oriental, but anything Oriental seems to be ridiculously overpriced in Vegas; when steaks are on a financial par with Singapore noodles, Something is Very Wrong. In the end, we ended up dining pseudo-French, back at our own hotel, hours later.

Wednesday was a "general sessions, and get out of Vegas" day. I was disappointed to miss the post-wrap-up Security Ambassador get-together, but that's flight times for you. The views of the Nevada desert from the window, heading out to LA, were spectacular; I've never seen anywhere quite so seemingly untouched by Man. Quite the welcome contrast to Vegas.

Terrorism gets the Salem treatment

I've been wondering for a little while, when this would happen.

I also wonder what crimes the perpetrator committed. Let's start with libel (which he's been charged with), defamation and - probably - wasting police time.

None of these crimes are subject to extradition arrangements, so unless a prosecution is brought in Sweden or the perpetrator ever visits the US, chances are he'll get away scot-free.

Even then, libel charges against individuals tend not to result in major punishments.

I hope the FBI and TSA are able to remove whatever "suspected terrorist, watch for" flags from the son-in-law's records...

Monday Nov 05, 2007

CEC 2007

Well, what with the various pressures of "the day job", it's taken me an age (nigh on a month, ouch!) to get round to posting my thoughts on this year's Customer Engineering Conference (aka "CEC"), which was set in the madness of Las Vegas (more about which, later).

I flew in on the Saturday, as I needed to attend mandatory speaker training on the Sunday (which I went into with an open mind, even though I've spoken at numerous CECs and STSes before them; I came out with a couple of useful new techniques, so it was worthwhile), had a lazy Sunday de-jetlagging, wandering around, catching up with old friends and being trained, and then hit the conference with my legs running, on the Monday.

Other than the general sessions, I didn't see anything more than a little bit of the CEC Pavilion on the Monday; the reason being, that I was presenting two sessions myself on Solaris 10 Trusted Extensions ("TX"), written and delivered jointly with Steve Gaul (a very capable and affable "opposite-number" in Sun Federal). We did a 1-hour "regular" breakout (attendance about 20 folk, about half of whom were TX users; some good questions in the Q&A piece at the end, which showed that folk were being attentive) and a 3-hour "deep dive" workshop, courtesy of Brad Blumenthal's SE deep-dive programme (6 attendees, lots of questions, some relating to real-world deployments; two of the attendees, who I bumped into on the bus back to the airport, said the latter session was "the best session they'd attended at this year's CEC").

It's always nice to be appreciated :-).

Regarding the breakout sessions I attended, on the Tuesday:

  • Achim Reckeweg spoke a lot of sense around IDM projects; he's clearly "been there, done that and got the scars as well as the T-shirt", in terms of some of the issues that a customer's business processes can raise when trying to automate them.
  • Giuseppe Russo and Domenico Minchella are really on to something with their new business partner's token card; great to see that the duress situation is finally likely to be addressed. This was probably my favourite breakout, as an attendee.
  • Efi Batchev was handicapped by issues with the system showing his slides, but the content was good. Kernel forensics is a fascinating topic, especially how Efi covers it.
  • I need to get my hands on Peter Charpentier's imminently-released patch management book.
Unfortunately I wasn't able to get to Gilles Gravier's session on the Monday, as it clashed with the TX deep-dive; this is a real shame, as I gather it was hugely entertaining, in terms of showing how far Solaris' compatibility capabilities can be stretched in new and unexpected directions (Skype in a Linux BrandZ Zone, for example :-) ).

I'm not going to blog my thoughts on the General sessions; other folk have already covered the content, and some of my opinions may be just a bit too controversial for public airing ;-).

In the Pavilion, I found the HBA vendor (got the guy's business card somewhere, company name begins with a V...) and had a chat; they have just launched an HBA with built-in encryption, which is deeply cool if they've done it right...

Chatting with an informative guy on the VMware stand, the next cut of VMware ESX is expected to drop the embedded Linux, and be an entirely VMware code production.

Oh, and the Tuesday night Party sucked; I left with my pal Joel after about 45 minutes, as it was clear that there was no way we were going to get food and the place wasn't so much "packed" as "London Underground at rush hour". A place twice the size, with twice the staff and twice the food was clearly required.

On the Wednesday, Steve Nelson and I had a little bit of a brainstorming session in one of the breaks; we came up with a useful "application testing extension" initiative which we hope will get appropriate buy-in, and run. Unfortunately I'd arranged my flights before I found out about the Security Ambassador poster session after the main conference wrapped-up; it takes a lot to drag me away from a gathering of many of my pals, but missing my 'plane home, is one of the things which will succeed...

It's a point worth making, that much of the best value I get from CECs is to be had over dinners, drinks - even breakfasts - with security-focussed colleagues from around the world, as well as from attending the sessions. This is why I keep submitting papers every year, as the best way to guarantee "being there" is by presenting :-).

I've nearly finished the next posting, giving my thoughts on Vegas itself. Watch this space!

Tuesday Oct 30, 2007

Visa payWave

Much of the London Underground is plastered with advertisements for this new card, right now; it has various taglines, the one which particularly springs to my mind being "in the future, nobody queues".

Am I the only one thinking it needs a new one, along the lines of "in the future, all transactions are 'cardholder not present', as nobody authenticates"?

Tuesday Sep 18, 2007

Bedtime Reading

CSI's 12th annual Computer Crime and Security Survey came out, yesterday.


I decided to read it over lunch, instead :-).

Salient points which jumped off the page, at me:

  • Financial losses are up
  • Directed attacks are up
  • "Fraud" has displaced "viruses" as the primary cause of financial loss
  • More than half of all security spend is on antivirus (hey, just call it "Solaris" ;-) )
  • There's still an uncomfortably-large number of "Don't know"s when it comes to compromise, SB1386 and all its clones notwithstanding
  • There's a lot of folk who appreciate that many, many things which have been done in the name of Sarbanes-Oxley are Just Plain Silly
Make of it, what you will.
