Category Archives: Government

Count ‘Em All By Hand

I admire Matt Blaze, and I only hope he was being sarcastic in the entire post in which, after pointing out that California just decertified three major voting machine manufacturers due to massive security problems, he wrote:
How to build secure systems out of insecure components is a tough problem in general, but of huge practical importance here, since we can’t exactly stop holding elections until the technology is ready.

The best defense: Ad hominem security engineering. Matt Blaze, Exhaustive Search, 6 August 2007

Well, yes, yes we can.

Liability Waiver?

Speciality Insurance Blog points out that liability waivers, while increasingly popular, may not protect governmental entities from gross negligence claims.

That doesn’t stop governmental entities from using them even in the grossest cases:

Sec. 5. For those persons whose property and interests in property are blocked pursuant to this order who might have a constitutional presence in the United States, I find that, because of the ability to transfer funds or other assets instantaneously, prior notice to such persons of measures to be taken pursuant to this order would render these measures ineffectual. I therefore determine that for these measures to be effective in addressing the national emergency declared in Executive Order 13303 and expanded in Executive Order 13315, there need be no prior notice of a listing or determination made pursuant to section 1(a) of this order.

Sec. 8. This order is not intended to, and does not, create any right, benefit, or privilege, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, instrumentalities, or entities, its officers or employees, or any other person.

Executive Order: Blocking Property of Certain Persons Who Threaten Stabilization Efforts in Iraq, by George W. Bush, The White House, 17 July 2007

You’ve got to admire the chutzpah of promulgating a blatantly unconstitutional directive (see Fourth Amendment) and ending it with a liability waiver.

And there’s always suppressing the evidence, as in FEMA trailers outgassing formaldehyde.

Risk management includes watching what’s going on.

-jsq

Negligence and Breaches

Banks, shops and government departments have exposed thousands in Britain to the risk of fraud through “horrifying” breaches of data protection laws, a watchdog said on Wednesday.

In his annual report, Information Commissioner Richard Thomas, whose office enforces the Data Protection Act, said firms must do more to secure people’s private details.

“The roll-call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying,” he said in the report.

Privacy watchdog warns of “horrifying” breaches, The Scotsman, Reuters, 11 July 2007

He’s not talking terrorism, so we can hope this is not just more FUD.

Connectivity: Engulf or Participate?

Can’t pass up an article with “Peril” in its title:

“I don’t think it’s a good thing, because it’s a threat to our culture,” said Tsereptse, who carries a bow and arrow with him at all times as a symbol of his position.

Some of the tribe’s younger members have been trying to convince Tsereptse that computers will have the exact opposite effect — that they can be tools to record and preserve Xavante folklore and traditions, and to disseminate them all over the world.

Awaiting Internet Access, Remote Brazilian Tribes Debate Its Promise, Peril, by Monte Reel, Washington Post Foreign Service, Friday, July 6, 2007; Page A08

These are members of the Xavante tribe in Mato Grosso state in Brazil. They don’t have electricity yet, but they’ve decided to get Internet access. Why?

Wildfire Myopia

It looks like technological security isn’t the only kind disorganized in government. The latest GAO report about wildfires seems like more smoke than fire:

This testimony summarizes several key actions that federal agencies need to complete or take to strengthen their management of the wildland fire program, including the need to (1) develop a long-term, cohesive strategy to reduce fuels and address wildland fire problems and (2) improve the management of their efforts to contain the costs of preparing for and responding to wildland fires.

For cost-containment efforts to be effective, the agencies need to integrate cost-containment goals with the other goals of the wildland fire program–such as protecting life, resources, and property–and to recognize that trade-offs will be needed to meet desired goals within the context of fiscal constraints.

Wildland Fire Management: A Cohesive Strategy and Clear Cost-Containment Goals Are Needed for Federal Agencies to Manage Wildland Fire Activities Effectively, GAO-07-1017T, U.S. General Accounting Office, June 19, 2007

How about a strategy for integrating wildfire planning into subdivision planning, or cost allocations from homeowner wildfire insurance?

FISMA Failing

Shades of SOX complaints: the U.S. GAO reports that the Federal Information Security Management Act (FISMA) is failing:

When we go out and conduct our security control reviews at federal agencies, we often find serious and significant vulnerabilities in systems that have been certified and accredited. Part of it, I think, is just that agencies may be focusing on just trying to get the systems certified and accredited but not effectively implementing the processes that the certification and accreditation is supposed to reflect.

Q&A: Federal info security isn’t just about FISMA compliance, auditor says. Most agencies still have security gaps, according to Gregory Wilshusen, by Jaikumar Vijayan, Computerworld, June 14, 2007

Sounds like they haven’t implemented numerous simple security measures that were known before FISMA, they don’t have processes to do so, and they don’t adequately report what they’re doing, even with FISMA. What to do?

TSA Transparency?

Bruce Schneier examines the notorious sippy cup incident, in which a mother was told she couldn’t take a cup of water for her infant through airport security, and gets right to the point:

Why is it that we all — myself included — believe these stories? Why are we so quick to assume that the TSA is a bunch of jack-booted thugs, officious and arbitrary and drunk with power?

TSA and the Sippy Cup Incident, Bruce Schneier, Schneier on Security, 18 June 2007

Yes, why is that?

Homeland Insecurity

Congress is investigating Homeland Security’s internal insecurity:

…hearing, the GAO witnesses will also describe an investigation they conducted on a specific DHS network that is "riddled with significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized disclosure."

The subcommittee also plans to air some of its concerns with the DHS OneNet project, which is aimed at consolidating all of the agency’s information networks under one roof, and to question a perceived lack of IT security funding by Charbo.

Homeland Security to detail IT attacks: Hearing will reveal findings of agency’s internal investigation into risk of system attacks and other online threats, by Matt Hines, InfoWorld, June 15, 2007

Who could have predicted that putting all information networks under one roof would make them vulnerable to attack? That would have been like predicting that making all DHS and DoD computers run one operating system would make them vulnerable to attack.

-jsq

PS: Seen via Fergie’s Tech Blog

Breach Discovery

If people know about security breaches, maybe there’s incentive for the companies whose customers they are or the governments whose constituents they are to do something about them, so this is good news:

New Hampshire, one of a handful of U.S. states that require breaches involving personal information to be reported to the state as well as to affected individuals, has made at least some breach notices it has received available on the net.

New Hampshire gets it, Chris Walsh, Emergent Chaos, 13 June 2007

Or at least if we know what’s really going on, maybe unfounded scare

Liberty vs. Control

Bruce Schneier reviews a paper about data mining, which unfortunately includes the phrase “the Security-Liberty Debate” in its title. He reiterates that liberty is security.

It’s a liberty vs. control debate.

Data Mining and the Security-Liberty Debate, by Bruce Schneier, Schneier on Security, June 12, 2007

Remember, this opinion is backed up by research.