Thursday, February 25, 2010

Headed to RSA next week?

If you are headed to RSA next week, here are a few references you should check out:

I'll be at the Moscone occasionally, but most of my time will be spent over at pariSoma for B-Sides.  If you are wandering the conference hall, say hello to my co-workers from Astaro at booth 1855.



Saturday, February 20, 2010

Last post on SchoolSpyGate

This is exploding, as well it should, so I'll drop the story after this post and we can all follow it in the news- but there are a couple more things I'll point you to first: Martin McKeay has a good post on his blog, and there's a fairly damning interview on a local TV station with the family involved.  After watching the interview, it is really hard to see how the school district comes out of this alive.  The Superintendent of Schools has a new statement up on their site; compare that to the family's statements in the interview.  Someone is flat out lying; I don't know who, but for now the school district has not done a good job of earning my trust.  The school claims everything is logged; if that's true, why are the numbers changing?  Yesterday the schools said 28 laptops had been recovered with the software, today they say 18.  Maybe they just suck at PR.  Alright, not "maybe".

If you are competent, respectful of privacy, and have IT or educational experience, and are looking for your next job, I would suggest keeping an eye on this site:



Friday, February 19, 2010

Another quick update

The Washington Post has an article with more details on SchoolSpyGate.  Looks like the FBI is investigating, and there are a few more interesting tidbits- such as the cameras having been activated 42 times in the past 14 months.  With 2,300 laptops in the hands of students, 42 is about 2%, not an outrageous number if the uses were indeed for missing laptops, and the school district says that 28 laptops were recovered through the monitoring system.  But the more I read about this mess, the more questions I have.  I am glad the FBI is involved, but I am not certain they will help us get the truth.  The FBI is tasked with investigating potential federal crimes, and that's what they're looking for- they aren't doing (or authorized to do) a full forensic investigation and analysis of the situation and how it got to this point; they are looking for evidence of specific crimes.  The good news is the FBI does have plenty of competent agents who can process the case without spoiling evidence for state and civil investigations.  There is also the danger that if the FBI says there is no evidence of a federal crime, that will give the school district cover for their behavior.

What a mess.



More information, more questions.

Additional information has been posted on ZDNet, from the article:

"In an FAQ document, Dr. Christopher McGinley, Superintendent of the Lower Merion School District, tried to clear the air. The key points include:

   * The district has disabled the tracking system and won’t reactivate it without permission;
   * The tracking feature was included on the roughly 1,800 Apple PCs provided to high school students.
   * And the tracking feature “has only been used for the limited purpose of locating a lost, stolen or missing laptop. The District has not used the tracking feature or web cam for any other purpose or in any other manner whatsoever.”

And these messages are posted at the school district's web site:

So, we have some more information, but still a lot of unanswered questions- and maybe a bit of a contradiction.  The Superintendent claims that the monitoring software was never used for any purpose other than lost or stolen laptop recovery, but the suit alleges that an image from the laptop was used to prove a student's "inappropriate behavior"- so, how was the image captured and retrieved?  Did the student take incriminating photos of himself?

The Superintendent's letter states that

"This feature was only used for the narrow purpose of locating a lost, stolen or missing laptop."

If this is true, how about some stats to back that up- tell us how many systems have been reported missing and how many have been recovered by use of the system.  It may either prove the value of the system, or (more likely in my opinion) prove it relatively useless, compounding the problem.

Let's see the logs, and I don't want to see them from the school district- an independent team needs to grab the data and audit it for the sake of transparency.



Thursday, February 18, 2010

They've gone too far. Waaaay too far.

I get it, kids these days, they just can't be trusted. Just like kids for all of eternity couldn't be trusted (especially me).  So, do the best we can, set an example, hope for the best and deal with the worst.  Or maybe we should spy on the little guttersnipes, use technology to surreptitiously monitor them and take incriminating photos without informing them or their parents that it is happening.  Let's issue them bugged laptops and monitor them everywhere, even at home, even in their bedrooms, what a great idea.  So what if it is unconscionable and likely criminal?

OK, Jack, did they give you a Magic Mushroom Latte at Starbucks this morning?  Latest copy of Conspiracy Theory Digest just arrive?  Sadly, no- the Lower Merion School District (PA) has implemented just such a plan.  This boingboing article outlines the story and there is more detail in this Courthouse News article.

I think the administrators responsible are very lucky people- our current legal system is not allowed to deal with this kind of behavior appropriately, because nothing the law can do to these school administrators comes close to what a righteously outraged parent would like to do.



Tuesday, February 16, 2010

Shmoocon 6 and the Shmoobus II

It has been a week, and I've almost recovered.  Shmoocon was great as it always is, in spite of a blizzard- something the DC area is not prepared to deal with.

The Shmoobus was another great adventure, many thanks to Astaro for sponsoring the RV again this year.  It was a real adventure trying to get home through the horrific streets of DC, and the total mess of the beltway and I-95 between DC and Baltimore- but I piloted the Shmoobus home with no physical scars to rig or riders.  Emotional scars are another story.  Travel with us through the magic of the Internet:

Shmoobus Tumblr

My Flickr Set

A Twitter Search

There will be video at the Hacker News Network, but you are already watching HNN, right?

A good wrap-up of the con from Anton Chuvakin

Our panel discussion was on Sunday morning (Anton's thoughts on the panel) and it was good, even if Josh Corman had to play the part of Max Headroom and come to us via video stream since he could not get to DC because of the weather.  We had a lively discussion, and I am confident that everyone present disagreed with something said during the hour- and some good conversations were started from the panel.  I can tell you that black Shmooballs flying through a darkened room make moderating a panel much more interesting than it would otherwise be.  Thanks again to my co-conspirators Mike Dahn, Josh Corman, and Anton Chuvakin for making it possible.



Sunday, February 14, 2010

Singing Pigs and End Users

This started life as a post to the Pauldotcom mailing list, but has morphed into a blog post because I think it is a topic we need to explore.  Larry Pesce wrote a good post over at fudsec; if you haven't read it, go now, and make sure you read the comments.  I think it is a good starting point for a conversation we need to have in InfoSec.  I generally line up with the detractors like Ranum in my skepticism of the value of user education, but I have tried many times anyway.  I almost always come back to Robert Heinlein's pig quote: "Never try to teach a pig to sing; it wastes your time and it annoys the pig."  We do get some successes, but at what cost?  What else could we do with those resources that might yield better results?

An informed look at the education we give end users, and the reasons that they should reject the advice, is found in a paper Cormac Herley delivered last year.  I read it when it came out, and keep going back to it.  It isn't very long, but it isn't really a light read, either.  PDF is at

You should notice that this is focused on the home user, not the corporate end user- that is on purpose; there just isn't enough data to extrapolate conclusions with the level of detail he wanted.  Herley has observed that end users in business are rejecting the advice anyway.  I do think the numbers have to shift significantly when we factor in the costs of breaches to organizations and the fact that many fraud protections offered to individuals do not apply to businesses.  My gut feeling is that rejecting a lot of "security advice" still makes economic sense, at least from the corporate end-user perspective, but the margins are slimmer.

There is also the issue of the true cost of breaches; if I have a fraudulent charge on a card I am not out any money directly, but we're all paying double-digit interest rates on credit cards when the prime is below a percent, partly to cover fraud expenses (yes, costs, profits, the burden of PCI, etc. are also in there)- and the price of goods includes an added margin to cover "shrinkage" (theft, loss, fraud, etc.).  We are all paying for the fraud, but the true costs are so obfuscated that we don't know what the real numbers are.

I'm not sure where we go from here, but I do believe we need to be able to honestly answer the question "is it worth it" before we hand out security advice and education, especially if it is the same stuff we've been saying for years.

I am sure that it makes sense to use this information to justify some lockdown of corporate assets; if the users can't be relied on to protect the assets (and arguably shouldn't have to), then we need to secure them before letting people loose to do their jobs.  As always, the balance is in enabling people to do their jobs without undue burden- but few people need unrestricted access to internal or Internet resources to do their jobs.



Monday, February 1, 2010

Finally, 201 CMR 17.00 is coming, ready or not

It looks like the last time OCABR said they "really mean it this time" about the last round of emasculations to Mass. 201 CMR 17.00, they really meant it.  Ready or not, it becomes effective on March 1, 2010.  OK, poor phrasing there- let's say "goes into effect" instead, because I'm not that hopeful that it will actually be very effective.

If 201CMR17.00 applies to you, I hope you are well on your way to complying, because you only have a month (and a stubby little month at that) to be compliant.

I do have one piece of advice, regardless of your current level of preparedness:

Do not be the test case, the first prosecuted.

Yeah, not really "actionable", but bulletproof advice nonetheless.  Even if Massachusetts' Attorney General Martha Coakley hadn't just had her head handed to her in the Senate race it would be a bad idea.  But she did, and I bet she's bitter.  Do not get in her line of fire.

A second bit of advice, regardless of your current level of preparedness:

Re-read the regulations.

Another lame one, really- but important and easy.  If you are ready and sure you are compliant, this will make you more comfortable.  If you are "getting there", it should help you focus your efforts.  If you haven't even started, it will help you find the ambition to polish up that resume.  Actually, the goal is to step back and make sure that you measure success against the correct benchmarks- before, during, and after the project.  "Completing" your compliance project and not being compliant isn't really success.

PDF of the regs: and of course you can ask the Blogger search box in the upper left or the Lijit search in the lower right of this page to show you a multitude of my posts on the topic.