Thursday, April 16, 2009

Not an email I was expecting...

This landed in one of my inboxes today. I don't know what maillist I got myself on, but I don't really consider the Director of National Intelligence one of my pen-pals.  This topic is outside of my normal infosec focus, and I don't want to get into the politics of it or any related debates- but it involves the intelligence community, a group closely involved in information security. I am copying it, complete and intact, below for those who may not have seen it.

Please direct you flames and/or accolades to Director Blair, I am just sharing the memo.

Statement by the Director of National Intelligence
Dennis C. Blair

April 16, 2009

The Department of Justice released today four previous Office of Legal Counsel opinions which concluded certain harsh interrogation techniques used by CIA officers on suspected al Qa’ida terrorists were legal. The opinions spell out in graphic detail techniques used in questioning high value detainees suspected of involvement in, and plans for, terrorist activity against the United States and its allies.

As the leader of the Intelligence Community, I am trying to put these issues into perspective. We cannot undo the events of the past; we must understand them and use this understanding as we move into the future.

It is important to remember the context of these past events. All of us remember the horror of 9/11. For months afterwards we did not have a clear understanding of the enemy we were dealing with, and our every effort was focused on preventing further attacks that would kill more Americans. It was during these months that the CIA was struggling to obtain critical information from captured al Qa’ida leaders, and requested permission to use harsher interrogation methods. The OLC memos make clear that senior legal officials judged the harsher methods to be legal.

Those methods, read on a bright, sunny, safe day in April 2009, appear graphic and disturbing. As the President has made clear, and as both CIA Director Panetta and I have stated, we will not use those techniques in the future. But we will absolutely defend those who relied on these memos and those guidelines.

As a young Navy officer during the Vietnam years, I experienced public scorn for those of us who served in the Armed Forces during an unpopular war. Challenging and debating the wisdom and policies linked to wars and warfighting is important and legitimate; however disrespect for those who serve honorably within legal guidelines is not. I remember well the pain of those of us who served our country even when the policies we were carrying out were unpopular or could be second-guessed.

We in the Intelligence Community should not be subjected to similar pain. Let the debate focus on the law and our national security. Let us be thankful that we have public servants who seek to do the difficult work of protecting our country under the explicit assurance that their actions are both necessary and legal.

There will almost certainly be more public attention about the actions of intelligence agencies in the past. What we must do is make it absolutely clear to the American people that our ethos is to act legally, in as transparent a manner as we can, and in a way that they would be proud of if we could tell them the full story.

Compliance made simple, part 2

"Compliance made simple" is still a lie, but I do have a rock-solid suggestion for easing the pain and getting started (after taking the first step): read the law/regulation/guidelines/Pirates Code for yourself. Print it out, scribble on it and mark it up with a highlighter if you need to (I prefer "printing" to Windows Journal and virtually scribbling on a Tablet, but whatever works for you...)

After reading the appropriate regulations, then look for official supporting documents, but don't be surprised if they don't quite agree, they will still help.  Only after this homework is it safe to start listening to the "experts".

Many regulations are long-winded and difficult to comprehend on the first pass, but even if you only pick a few details out of the original material you'll be ahead of many people facing the same compliance challenges as you.  And "ahead" is where you want to be.



Monday, April 13, 2009

What's so bad about it?

In a couple of posts and presentations I have taken shots at one of the supporting documents the Commonwealth of Massachusetts has published to assist in complying with 201CMR17.00, the "Small Business Guide For Formulating A Comprehensive Written Information Security Program ".  Maybe it is time to elaborate (emphasis below is mine):

On page three there is a section which begins "Employment contracts must be amended immediately..." Amending contracts "immediately" seems problematic and potentially burdensome- unless 201CMR17.00 somehow invalidates employment contracts, both parties will need to agree to renegotiate and re-sign the contract.

On page four, there is a section which states "Electronic access to user identification after multiple unsuccessful attempts to gain access must be blocked."  As good an idea as this is, there are many systems which do not support this, it may not always be practical or even possible.

Later on page four, in the section beginning with "A terminated employee’s physical...", the end of the section states "The Data Security Coordinator shall maintain a highly secured master list of all lock combinations, passwords and keys."  Maintaining a list of combinations and keys is a great idea, maintaining a list of passwords is a very bad idea.

And the really stupid one, on page five, the seventh bullet point begins "Visitors’ access must be restricted to one entry point for each building in which personal information is stored, and visitors shall be required to present a photo ID, sign-in and wear a plainly visible “GUEST” badge or tag."  Where to start- how about building codes, possibly fire codes (although they are generally more interested in egress), simple feasibility, or maybe common sense.  Any mall is a "building in which PI is stored", and even in the small businesses this guide is designed to assist there are similar issues. I would hate to see the AG use the same interpretation for enforcement.



Saturday, April 11, 2009

SNENUG (not a Dr. Seuss character) and 201CMR17.00

The first user group I found when I landed in IT was SNENUG (sounds like a Dr. Seuss character, but it isn't), the Southern New England Network Users Group. Not a big group, but an very active and helpful bunch of IT folks who welcomed me into the fraternity of admins. SNENUG meets in the Providence, RI area, their current meeting place is New England Institute of Technology. I don't get to their meetings as often as I would like anymore, but I will be there on Wednesday night...

I'll be giving my presentation on Mass 201 CMR 17.00, updated a bit to reflect the final changes to the regulations. Here are a few updated links for 201 CMR 17.00 information:

The Massachusetts Office of Consumer Affairs and Business Regulation's site is and their Businesses Identity Theft page is the hub for official information on the topic:

PDF reference documents:

The current (amended) 201CMR17.00 regulations [Please read this yourself before listening to any "experts", even especially me]

Three-page Compliance Checklist [Not comprehensive, but really pretty good]

Small Business Guide [This one is still a bit problematic, doesn't quite line up with common sense or the regulations in some places- but still worth a look]


What's happening, and where

I'll be at the RSA conference in San Francisco on April 20th through 24th- during most of the days, I'll be working the booth for the nice folks who routinely give me a paycheck, otherwise I'll be catching some talks and checking out some vendors.  In the evenings I plan on crashing as many parties as possible- I am especially looking forward to this year's Security Blogger's Meetup- last year's was great and I expect this year's to be even better.  Track me down if you'll be at RSA, I'm pretty easy to find.  The corporate overlords may have a reception thingie, if they do I'll put the word out via Twitter so interested folks can come and drink their booze.

Before RSA, I will not be at Notacon.  But if you have the chance, you should go, Notacon sounds great and has a solid reputation, but it is just too close to RSA to work into my schedule for this year.  Maybe I'll get there next year.

I think I'll stay close to home for a few weeks after that, then maybe a blacksmith event or two and then the Catalyst Camping Conversations.

Yes, there will be more road trips...



Monday, April 6, 2009


Since you can't always count on bloggers (especially ones like me) to keep you updated on the latest security news, it is good to have consistent, reliable sources of security news and commentary available.  There's a relatively new site, Threatpost, which is worth checking out.  It is sponsored by Kaspersky Labs, but it is an aggregation site with plenty of original content, not a "vendor blog".  There are Big K ads on the site, (including some mildly annoying Flash ads) but the content is independent and worthwhile, with a wide array of contributors.

The guys driving Threatpost are Ryan Naraine and Dennis Fisher, their bylines alone should be enough to get you to give it a look.