Results tagged “stupidity”

Unless you were off-planet last week, you've probably heard about President Obama's latest Executive Order, directing various agencies to step up their game on "critical infrastructure" cyber security. As part of this directive, NIST will be building a new framework oriented toward critical infrastructure that will help document processes, standards, best practices, etc, etc, etc. Gah!

The 1980s called and they want their lousy idea back. The 1990s also called, but they just repeated the prior point. The 2000s called and said "What is this, the '80s?!"

If frameworks were going to get the job done, then the job would be done. If securing data and operations was really such a simple task, then we would not be having this conversation, nor would we be reading reports, like Mandiant's big "APT1" blow-out from yesterday (you know, the big shocker that revealed that China is, in fact, hacking everyone... ok, not a shocker... or even really news... since we pretty much already know all that, right?).

The Great TSA Debacle: Groping for Success

There's been a veritable metric ton of coverage this past week over the TSA and their ham-fisted approach to security. This week's controversy is around the combination of back-scatter X-Ray scans and the introduction of "enhanced" pat-down techniques that, in some states, literally amounts to definitive sexual battery. There are an increasing number of anecdotes from people about abuses of the system, and a whole lot of attention placed on privacy issues. I'll provide some thoughts on those aspects, but before I do so, I want to hit what I think is the #1 reason why the TSA is wholly deficient in the area of airport security.

First, a word on terrorism: By abandoning the principles upon which this country is founded, and which make the US unique and special, the terrorists have won. Every time the bureaucratic geniuses here in DC make another idiotic and irrefutably clueless decision like this latest round of lunacy, the objectives of the terrorists are achieved in ways the terrorists could never have accomplished on their own. It is our patriotic duty to refuse to be terrorized (http://www.schneier.com/essay-124.html)!

I've been mulling over writing a "cyber war" piece for several months - ever since Bejtlich started a series of posts last July on the topic, coupled with my reading of Richard Clarke's book, Cyber War. However, I've held off, mainly because I've been somewhat on the fence with the whole topic. On the one hand, yes, nation-states are conducting operations online, though they primarily fall under the heading of "espionage" and are not "attacks" per se. On the other hand, we have some suspicious situations (e.g., Georgia, Estonia, Google's "Operation Aurora," Stuxnet, Israel's bombing of the Syrian nuclear facility) that seem to clearly lean in the direction of being "cyber warfare" (or, offensive) operations.

Part of the problem I face in thinking about this topic is trying to separate the FUD-driven rhetoric from the realities of the current threat landscape. Those generals and politicians (one and the same?) behind the creation of the US Cyber Command provide a good example of hype and noise intended to generate false concern in order to further a clearly political agenda: formation and funding of Cyber Command. Ironically, all of this FUD highlights what is a clear problem: that the US Military is largely focused on offensive operations, neglecting the home front where we're most vulnerable (see my prior post "Missing the "Defense" In DoD?").

Dave Navetta of InfoLaw Group posted a review of the "EMI v. Comerica: Comerica's Motion for Summary Judgment" a few weeks ago. Part of the case revolved around the use of one-time code tokens for providing a second authentication factor. The argument, which seems to have succeeded, was that these tokens do not provide a reasonable level of protection for accounts. I couldn't agree more!

Folks, as much as one-time code tokens seem like a good idea, and can have a useful place in authentication schemes, they are also not foolproof. In fact, worse than that, organizations that have deployed these tokens in the foolish belief that they will magically halt all phishing and account hacking attempts are laboring under a delusion.

*sigh* Unhelpful PCI Advice

In scanning through my morning reading, I ran across this gem of a piece from Help Net Security. I'm really starting to wonder what is going on in the industry. This is seriously some of the worst advice I've seen regarding PCI DSS compliance in recent months.

"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." -Albert Einstein

The subtitle for this piece could easily be "a whole lotta stupid goin' on." Is it something about summertime, or have we really gotten to a place in our civilization where we just can't progress any farther? It really seems like regression is the only option to which most people will avail themselves today. Attack the science, attack that which isn't understood, and let's just rely on supposition (or, so it seems).

I've been mulling this piece over for more than a week now as all the drama has played out in Congress around building up a better "cyberwar" capability (as if that's something well-defined and understood). At the same time there has been an up-tick in mindless rhetoric railing against risk assessment, analysis, and management. Quite frankly, it all betrays woeful ignorance and a wanton disregard for the sane. In both cases we see people making wild claims about things they clearly do not understand. Risk management is more than qualitative risk assessment, and "cyberwar" is a delusion perpetrated by those who desire to FUD us into ceding yet more power to the Executive Branch.

FACTA Red Flags and Credit

The latest compliance deadline for the FACTA Red Flag rules is quickly approaching, and you should be afraid (very afraid). Well, okay, maybe not afraid afraid, but you should be concerned. Sure, about compliance, but also about a larger slippery-slope issue that is escalating. See, the government wants us to believe that every business that invoices for services rendered is extending credit, and is thus subject to the new rules. This argument is dangerous and represents a serious, unwarranted overreach of authority.

Work Hard to Avoid Stupidity

I was reading this CSM summary of this year's Warren Buffett shareholder meeting and loved the closing comment about working hard to avoid stupidity. This sounds like an excellent goal for infosec, too. In fact, I'd go so far as to say that, if ever we should have a goal, it should be this.

Specifically, this goal of "working hard to avoid stupidity" seems to tie in very nicely with the legal defensibility doctrine, in that one of the stupid things we see time and again throughout the enterprise is decision-making that does everything but avoid stupidity, putting our respective organizations into a world of hurt.

Much Adieu: MS Search Data

Hold onto your hats, folks, cuz there's a PR/marketing storm sweeping the lands! It seems that Microsoft has decided to take the "bold" step of removing the IP address associated with a search query starting now at the 6-month mark. Ooooo how exciting. (that was cynicism) Actually, I couldn't care less. Well, ok, I think this is a good thing, but let's be honest here, it's so minor and trivial that it is just the thing for PR/marketing, not really the thing for actual meaningful privacy improvements.

So, what's with all my cynicism on the topic? Allow me to draw your attention to the AOL search data leak of August 2006. For a quick background on that story, check out these links (don't worry, I'll wait):
* Wikipedia
* TechCrunch
* EFF

DIRECTV's Billing System of Doom

Help me out, folks, cuz I'm at a loss here... I think there's something seriously wrong with DIRECTV's billing system... or maybe it's billing systems? The past couple months I received summary statements by email that said I owed $0.00. This was great - free TV, who wouldn't like that? So, just to be sure, I go online, and sure enough, the online statements say that I owe $0.00.

Then I get my credit card bill (yeah yeah misconfigured payment method sue me - actually, check that, it wasn't my fault, but anyway)... I have charges for the months of Nov and Dec - the very same months where the statements said I owed $0.00. ?!?!?!?!?! So, I start digging further and I find that, yes, the statements do in fact reflect a payment made in conjunction with the billing cycle. As a matter of fact, it turns out that the reason my bills said I owed $0.00 was because they were charging me on the same day that the statements were generated, which meant that my summary would zero out even though I'd just made a payment.

BeFUDdled by Risk

"You keep using that word. I do not think it means what you think it means." -Inigo Montoya in The Princess Bride

In the past couple months I've come to hate the word "risk" and its associated phrase "risk management." It's not because risk itself is inherently bad or wrong, or that the need for good, quality risk management has changed. Rather, it's the overuse and misuse of the term that is really grating on me. Despite a lot more talk about risk, it seems that it's even less understood and even more poorly defined than ever before.

Perhaps the most egregious "risk" annoyance is its constant use as a FUD hammer for pushing products or agendas. It seems that every time we turn around, somebody is proclaiming that something is a HIGH RISK (bold, all caps, exclamation, exclamation, exclamation, omg we're all gonna die!). Unless, of course, we buy their product or support their agenda.

Who? Farhad is a writer for Slate.com

Why? Because he's apparently a total moron.

Uh, why is that? Well, he had a piece published today, "Unchain the Office Computers! Why corporate IT should let us browse any way we want." that is so ill-conceived and imbecilic that nobody can actually believe this guy is a paid author for a major online publication.

What's the problem? There are several problems, but the most obvious one is that he's clearly unqualified for the topic. He apparently thinks end-users should have full unfettered access to run anything they want on their work computers, and to be able to go anywhere they want on the Internet. He clearly does not have the first clue about IT management, and his article is a blatant insult not only to IT professionals, but also to security professionals.

Rather than rant a lot, check out these responses in the comments:
"Clueless Idiots Shouldn't Write IT Articles."
"You clearly have zero IT experience"

I've tried to be patient, I really have. I've now booked hotels 6 times with hotels.com. Of those times, only 2 worked out correctly. The final straw came in the last 24 hours as I tried to book my last hotel for the vacation that starts, well, today. The web site had a major fault last night, and the primary customer care office was completely unable to find the reservation anywhere in their system. They sent me to the "other" customer care office (other one?), which last night told me to give them a couple of hours, since that system was down.

Update: Jules Polonetsky at The Future of Privacy Forum wonders "Could Bozeman Montana city officials be prosecuted for Facebook snooping?"

Well, well, well. My adopted home state is in the news late this week, and for good reason. Apparently the geniuses at town hall in Bozeman decided that, as part of their "background check," they would not only ask what sites people were on, but also what their usernames AND passwords were (see good aggregation of media coverage here). While I can certainly understand and appreciate a desire to compel full disclosure of online activities that may negatively impact the city, this is clearly a case of people just not understanding fundamental privacy practices.

Controlling the Bacon Fever Frenzy

As I noted about a week ago, there seems to be a lot of insanity surrounding the current "Swine Flu pandemic" ("swine flu" being the colloquial name for the H1N1 virus). In a continuing goal to fight FUD, replacing it with rational, logical, and intelligent thought, allow me to pull out a few definitions and suggestions to help you cope with the mass hysteria.

1) pandemic: "(of a disease) prevalent throughout an entire country, continent, or the whole world; epidemic over a large area." Now, this sounds a bit scary, but then let's look at what the World Health Organization (WHO) actually says about a pandemic, since they've raised the alert to Phase 5. From http://www.who.int/csr/disease/avian_influenza/phase/en/:

Phase 5 is characterized by human-to-human spread of the virus into at least two countries in one WHO region. While most countries will not be affected at this stage, the declaration of Phase 5 is a strong signal that a pandemic is imminent and that the time to finalize the organization, communication, and implementation of the planned mitigation measures is short.

2) Better context from WHO:
http://www.who.int/csr/don/2009_05_04/en/index.html:
* "As of 06:00 GMT, 4 May 2009, 20 countries have officially reported 985 cases of influenza A (H1N1) infection."
* "There is no risk of infection from this virus from consumption of well-cooked pork and pork products."
* 19 countries have lab-confirmed cases with no deaths.

http://www.who.int/csr/disease/swineflu/guidance/public_health/travel_advice/en/index.html:
* "1 May 2009 -- WHO is not recommending travel restrictions related to the outbreak of the influenza A(H1N1) virus."

3) Better context for the U.S. from the Center for Disease Control (CDC):
http://www.cdc.gov/h1n1flu/: In the US - 36 states with confirmed cases, a total of 286 confirmed cases in the country, and only 1 death reported attributable to H1N1.

The primary recommendations from the CDC? Wash your hands, stay home when sick, rest, recover, recuperate.

4) Comparing H1N1 to avian flu (H5N1).
http://www.who.int/csr/don/2009_04_23a/en/index.html:
"23 April 2009 - Of the 67 cases confirmed to date in Egypt, 23 have been fatal."

So, yeah, the strength and danger of swine flu pales in comparison with avian flu.

5) Opportunity to introduce common sense to HR policies. One of my biggest pet peeves is with paid time off. Many companies lump sick leave in with vacation time, mainly because of some misguided big brother nanny culture idea that people might fake being sick, and thus should not be trusted. The problem with this philosophy is that limiting sick leave discourages people from staying home when they are sick, thus greatly increasing the likelihood that one sick person will infect most of an office. Such policies are lunatic and need to be brought into the modern age.

Similarly, work from home policies are often quite backward despite significant advances in technology. Want to know how to deal with a pandemic? Make sure your workers can work from home, and encourage them to do so. Oh, and btw, guess what? Work-from-home policies also are good for the environment in that they help reduce the number of cars on the road, and thus help reduce emissions. Can't get much more green than that.

6) Skip the FUD, use your brain. If the mainstream media is covering it at a frenzied pitch, it's usually safe to assume that the actual risk represented is low. More people die in car accidents each day than have died from the swine flu (see http://www.car-accidents.com/pages/stats.html). "About 115 people die every day in vehicle crashes in the United States -- one death every 13 minutes." So, let's put things into perspective a bit here. 1 death from swine flu in the US, less than 300 confirmed infections, versus 115 deaths per day from traffic accidents.

If you really want to reduce deaths, I highly recommend investing in feasible mass transit. There's really no good reason why there aren't high-speed and light-rail trains connecting major cities and regional areas. For example, here in Arizona, there should be rail service from Phoenix to Tucson, Flagstaff, and Albuquerque, NM, as well as to LA, San Diego, Denver, Vegas, and SLC. Use airplanes for long-haul trips, but then use electric-based rail for the rest. If I didn't have to drive to work every day, I would not be sad. If I didn't have to drive to my favorite hiking and camping spots, even better.

Apply a modicum of common sense in the face of blatant hysteria. A little perspective is worth a lifetime of stress-inducing FUD.

Stupidity at BestBuy.com

Just a quick quip on an interesting interaction with BestBuy.com support. I received a call from "Restricted" on which I was advised by someone purporting to be from BestBuy.com that my back-ordered purchase was not successfully receiving a credit card authorization. It turns out that BestBuy.com re-authorizes the credit card transaction every 5 days. When an item is back-ordered for a long time, this eventually results in the issuing bank blocking further transactions. BestBuy.com support then called me to request that I call my card issuing bank and ask them to approve the authorization. SERIOUSLY?!? Quite literally, by following a stupid practice that they know causes problems, they've chosen to make it the customer's problem rather than fix their process.

What I find interesting here is that, really, there should only ever be 2 transactions. At the time of purchase there should be an authorization check, and then nothing further should happen until the product is ready to ship. At the ship time, the card should be run and charged, and if that fails, then and only then should BestBuy.com support be triggered to call the person. And, at that, a phone call shouldn't even be necessary. A simple "We're ready to ship, but your credit card declined." email would be more than adequate. Provide a contact number if more information is needed, but that's about it.

Of course, in either case there's a significant fraud risk. My example reads like a possible phish. *sigh* But the phone call wasn't much better. And, what's really weird is that they asked me to call my bank. Imagine running a scam where you're trying to make a false charge and it's being blocked. Just call the consumer and ask them to unblock it? Really? *sigh* Maybe it would be better simply to cancel the order if the credit card fails, requiring the user to go purchase it again? I'm sure business would love to hear that solution... of course, I wonder how much money they're spending on these phone calls asking people to unblock their repetitive authorization charge?

Oppose Merit-Based Pay for Teachers

Pardon the political rant... this is an issue near and dear to me. Please join me in openly opposing merit-based pay for teachers. This is the dumbest idea in education reform since Bush's No Child Left Behind (or educated or funded). That Obama has proposed such a plan makes me even more annoyed with the president I helped elect (this is not change I can believe in!). For more on his push, see here and here.

So, to keep this short and to the point... the problem with merit-based pay is that there's no reasonable, rational, consistent way to measure performance... teaching is more art than science. Every student is different, with a unique perspective, background, learning style, and, more importantly, pace of development. To penalize a teacher for having a group of students who develop more slowly than others is absurd. No matter how good the teacher is, there's no way to force a child to develop faster than they're capable of doing.

One might then respond by pointing at standardized tests. Surely those could be used, right? The problem, of course, is that when you put all the emphasis on standardized tests (as has been done the last several years thanks to Bush and NCLB), then the teacher is only incentivized to teach to the test. Instead of education and learning, you get rote memorization. Rote memorization is NOT education. Teaching to the test, and the resultant rote memorization technique, means that students are graduating without the ability to think for themselves (no critical thinking skills). Regurgitating facts is an almost completely useless ability if you don't know what to do with the facts. Just because you can recall constants and equations does not mean you know when and how to use them. This is a major problem.

And before you get off on the tangent about how our poor US students just don't compare with students in China or India, let's bear in mind some basic statistics... if you look at the top 10% of China and India (total populations of 1.3B and 1B), you're looking at 130m and 100m people, respectively. According to the US Census Bureau, the current US population is only 305,979,379. So, let's compare, then... the top 10% of China and India is approximately 230 million people, which is about 75% of the total US population... now consider that the best and the brightest are the ones who typically get to take standardized tests in those countries... while all students in the US take those tests... this is not, then, an apples to apples comparison, right? So, don't get off on those misleading reports about how the US is lagging behind... if you want to know the real cause of the US decline in education, it's the combination of requiring a focus on standardized tests (rote memorization instead of critical thinking) and the development of an entitlement generation that thinks everything should come easily to them with little or no effort (since mommy and daddy have always provided).

Ummm... Squeeze Me?

Alright, time for a snarky request for public intervention... :) If anybody out there knows anybody in the State of Colorado's Office of Technology, you might want to perform your public service act of kindness of the month and go kindly inform them that, no, IE6 (!!!) is not more secure than Mozilla Firefox. As noted on Slashdot, making such assertions to the contrary (that IE6 is, like, the most securest-est browser ever, man) really undermines the credibility of the agency.

Source: Slashdot: "State of Colorado Calls Firefox Insecure, IE6 Safe"

Why We Hate the Insurance Industry

If you've ever heard people complain about their insurance provider, either for medical or dental or vision, but never quite understood why that might be, then I'm here to provide you an explanation.

My wife recently had a crown made and installed into her mouth. We had to pay our estimated portion at the outset - a few hundred dollars. The insurance specified that it would cover 60% of the cost of the work ("major restorative" is covered at 60% while repair is 90% - the crown was to repair a tooth cracked by an old filling). We thought the price was rather absurd, but paid it because the alternative was not particularly appealing.

Last week, then, I received a bill from my dentist's office. I called today and inquired about the additional charge. The answer? Apparently there is a cheaper type of crown (gold) that could have been installed instead of the high-quality one my wife got (the high-quality one will last longer, not to mention that it won't look ducky). The insurance company (MetLife) apparently has fine print in their coverage that they will only reimburse at the cheaper rate if such an alternative exists. Thus, though the crown was already ordered and installed, the insurance company has said after the fact "sorry, we'll only pay for the cheaper crown, you customer get to pay the difference."

The dentist's office went on to explain that they have this problem with fillings all the time, too. They use a non-toxic filling that blends with the tooth instead of a metal amalgam that may contain mercury, which is toxic and has been found to poison people with mercury gas over time. Nonetheless, because the amalgam filling is available, the insurance companies will only reimburse at that rate and the customer is, once again, left paying the difference.

This is a perfect example of what is wrong with the insurance industry today. I'm sure you have your own stories, too.

Prime Example of Extremist Wackos

A possible top answer to the rhetorical question "what the heck is wrong with people?!?" Glad to know we're not short of complete wackos in this country (as if you had to look farther than the White House to see that).

ATF says it has disrupted plot to assassinate Obama, kill 102 black people

Creative Commons License
This blog is licensed under a Creative Commons License.