Amazing Coincidence

In yesterday's post I remarked on the need for CIOs and CSOs to raise the INFOrmation SECurity threat level. (Okay, I didn't actually say that, but that was the implication of what I did say.) Why? Because times are tight and that puts a fresh edge on computer crime, data leakage, and plain old data theft.

I also made the point that data theft was nothing new, something you can see for yourself if you Google the words data and theft and a year of your choosing. Serendipitously I chose 1985, and one of the results was this headline: "F-4 Design Data Taken in Theft at Parts Firm" from the Los Angeles Times, January 6, 1985:
"Computer cards containing sketches and design specifications for the F-4 Phantom jet fighter have been stolen from the Camarillo offices of a firm under investigation for alleged illegal shipment of F-4 parts to Iran, authorities said."

And wouldn't you know it, about an hour after yesterday's post I saw this story: Joint Strike Fighter secrets possibly compromised. Now, I should point out that this story does not say secrets were compromised, but it describes some less than stellar goings-on at the Pentagon's Defense Security Service, which is apparently underfunded (like our soldiers in Iraq and Afghanistan and Walter Reed and Fort Bragg). There are three main points to note here...

Tough Times and Threat Levels: New wave of infosec issues:

Protecting information, and the systems that process it, is part science, part art. There is no scientifically established correlation [that I know of] between economic conditions and security breaches, but common sense tells us that the temptation to steal, cheat, defraud, or simply fudge a little, can be greater when times are tough. Witness the LendingTree case. "Several former employees of LendingTree are believed to have taken company passwords and given them to a handful of lenders who then accessed LendingTree customer data files."

Do such things happen in good times as well as bad? Sure, but I think the human mind is better able to justify certain acts, like data theft, when people are haunted by fears of foreclosure, bankruptcy, gas lines and food lines. And make no mistake, while stealing a loaf of bread might seem the most direct answer to the threat of hunger, data theft is an increasingly viable alternative when a desperate person needs money. Indeed, from an INFOrmation SECurity perspective, one thing that makes the current economic downturn different from previous cycles is the existence of a thriving underground market for purloined data, on top of the ever-present market of unethical employees and employers.

When I was researching my first computer security book in the 1980s there was no shortage of examples of bad behavior involving data (e.g. "2 Arrested in Theft of DMV, Credit Data by Alleged Ring" LA Times, December 11, 1985; "Alleged Data Theft by AT&T Probed" Dallas Morning News, November 19, 1985; "Two Arrested in Theft of Customs Computer Data" Miami Herald, July 20, 1986, etc.). Two decades later there is a lot more data stored on computers, a lot more ways of stealing it, and a lot more ways of selling it. Consider:

New SQL attack methods are discovered.
New SQL attacks launched.
New methods of defeating disk encryption publicized.

These threats are real. These are not security experts crying wolf to drum up business. The need to batten down the hatches is greater than ever.

Let Them Eat Watermelon! Congress and the Many Crises

Oil crisis! Food crisis! Mortgage crisis! Healthcare crisis! Watch Nightly News these days and it's Nothing But Crisis. And what are our elected officials in Washington doing about it? A whole lot of nothing. A lot of talk, precious few results. Today, the American people are struggling with tough decisions, like whether to spend their shrinking earnings on the mortgage or health insurance or food. Meanwhile Congress is hunkered down under a nice dry roof, on full stomachs, with full medical and dental, and apparently unable to make tough decisions. Instead it's going for the easy options, the low-hanging legislative fruit as it were, like declaring Watermelon Month.

That's right, all these crises to deal with and their message seems to be: Let them eat watermelon! For many Americans aged 50 to 65 the cost of health insurance now exceeds the median monthly mortgage payment and it's time to promote fruit? I mean, no offense to farmers who grow them, or the lovely Watermelon Queen, but is the following really the kind of stuff we want to pay our politicians for?
"Whereas watermelon has been a nutritious summer favorite from generation to generation; Whereas it is important to educate citizens of the United States regarding the health benefits of watermelon and other fruits and vegetables; and Whereas July would be an appropriate month to establish as National Watermelon Month: Now, therefore, be it Resolved, That it is the sense of the House of Representatives that there should be established a National Watermelon Month to recognize the health benefits of watermelon and the importance of watermelon to the agriculture industry of the United States."

At least we know at whom we should be spitting the seeds come Summer recess (and it won't be the Watermelon Queen).

The Price of Voting Rights

The fact that you need money to vote has always been democracy's dirty little secret, from the early experiments in England to the great experiment in these United States.

Over the centuries people with few means have had to pry concessions from those with many; the vote was extended from male landowners of a certain class, with a certain size of landholding, to all landowners, to all males regardless of wealth, to all men and women of a certain race, and so on.

Until yesterday's Supreme Court decision on Indiana's photo ID requirement, the direction was pretty much all one way, to encompass more and more members of society. Now it seems the tide is turning. Now you must be able to get your hands on enough money to obtain a photo ID or you can't vote.

The state of Indiana is providing free photo ID cards you say? But they are not making house calls. Read the Secretary of State's web site and you will see it is no easy matter to get one of these cards if you have no car and no phone (let alone access to the web site). There are people in every state for whom getting to the Bureau of Motor Vehicles is a major challenge. After all, why have neighborhood polling places if a precondition of voting is the ability to get out of the neighborhood? Any politician or Supreme Court judge who thinks getting a photo ID is no burden is out of touch.

Roseboom Antique Power Days

Not all traction technology is new. We can always learn from past technological achievements. That's why I'm looking forward already to the Tenth Annual Roseboom Antique Power Days. August 16-17, 2008.

This gathering of old tractors and other antique machinery has become quite the event in the Cherry Valley and Cooperstown area. If you can make it, expect to see over 100 antique tractors and farm machines as well as a bunch of parallel activities, like eating pancakes. Click here for the general location.

The Roseboom Antique Power Days are a great complement to your trip to the Baseball Hall of Fame and Farmers' Museum in Cooperstown. I will post more details as they become available.

Early Word: Roseboom Antique Power Days

Not all cool technology is new. We can always learn from past technological achievements. That's why I'm looking forward already to the Tenth Annual Roseboom Antique Power Days. August 16-17, 2008.

This gathering of old tractors and other antique machinery has become quite the event in the Cherry Valley and Cooperstown area. If you can make it, expect to see dozens of antique tractors and farm machines as well as a bunch of parallel activities, like eating pancakes. Click here for the general location.

The Roseboom Antique Power Days are a great complement to your trip to the Baseball Hall of Fame and Farmers' Museum in Cooperstown. I will post more details as they become available.

Wachovia Gets Fined: Yikes or no yikes?

News of a big fine levied against Wachovia may, or may not, satisfy those who lost money thanks to the bank turning a blind eye to activity other banks said was clearly fraudulent (as blogged here a while back).

The word 'Yikes' is in play here because of its use in a Wachovia email that came to light. Here's how the NYT reported it:

"“YIKES!!!!” wrote one Wachovia executive in 2005, warning colleagues that an account used by telemarketers had drawn 4,500 complaints. “DOUBLE YIKES!!!!” But Wachovia continued processing fraudulent transactions for that account and others."

Why? Because the fraudsters paid, presumably with money stolen from victims, huge fees to Wachovia so that the money would keep flowing. And you thought the sub-prime mortgage market was the only thing your bank's cupidity was screwing up.

Dare Not Walk Alone Opens in LA

Couldn't resist some shameless cross-posting to boost the civil rights doc I've been involved with. Check out the show times here. We open April 25. Wish us luck!

Navy Needs Information Security Staff: But HR web site is down

If the world economy is headed downhill as fast as some pundits claim, a job with the US federal government might be a safer option than trusting one's future to free enterprise. Or so I was musing this morning when I decided to peruse usajobs.gov.

I found numerous Department of the Navy openings for something labeled "Information Technology Specialist (Security)." These openings were spread across the country so there was bound to be one nearby. And the listings suggest some urgency: "This notice is issued under the direct-hire authority to recruit new talent to occupations for which Department of the Navy has a severe shortage of candidates or a critical hiring need. As such, this notice is targeted to qualified United States citizens who are not current permanent Federal employees."

Bingo! I'm a citizen. There's a critical hiring need OR severe shortage of candidates, let's check it out. I was told to visit https://chart.donhr.navy.mil/. I boldly clicked and, well, nothing. Turns out that server has been off the grid for the past three hours and counting.

Okay, it's a Saturday and these are government jobs. Maybe Information Technology Specialists don't work weekends. I can dig that. So I decided to do a little more digging. What could I expect to earn in one of these jobs? Oh let's say, roughly, something between about $28,862 and oh, how about in the region of around $152,670 per year. That's about as useful as a prospective employer answering "Money" when a job applicant asks "What does the job pay?"

In the private sector a good IT security specialist can earn $150K. But it is hard to imagine an IT security job starting at $29K (that's less than $14 an hour). So the government has an employment web site that urgently seeks information security specialists who could start at a pay level most people with the necessary skills would rate as "not worth it," rising to an upper pay level that is a whopping 5X the low end, applications for which cannot be accepted right now because the server is down.

People used to ask themselves "Who's running this country?" The question now seems to be "Is anyone running this country?"