Homeland Insecurity

Congress is investigating Homeland Security’s internal insecurity:

…hearing, the GAO witnesses will also describe an investigation they conducted on a specific DHS network that is "riddled with significant information security control weaknesses that place sensitive and personally identifiable information at increased risk of unauthorized disclosure."

The subcommittee also plans to air some of its concerns with the DHS OneNet project, which is aimed at consolidating all of the agency’s information networks under one roof, and to question a perceived lack of IT security funding by Charbo.

Homeland Security to detail IT attacks: Hearing will reveal findings of agency’s internal investigation into risk of system attacks and other online threats, by Matt Hines, InfoWorld, June 15, 2007

Who could have predicted that putting all information networks under one roof would make them vulnerable to attack? That would have been like predicting that making all DHS and DoD computers run one operating system would make them vulnerable to attack.

-jsq

PS: Seen via Fergie’s Tech Blog

WS-Anasazi

Gunnar usually says it better than I did:
Coordinated detection and response is the logical conclusion to defense in depth security architecture. I think the reason that we have standards for authentication, authorization, and encryption is because these are the things that people typically focus on at design time. Monitoring and auditing are seen as runtime operational activities, but if there were standards based ways to communicate security information and events, then there would be an opportunity for the tooling and processes to improve, which is ultimately what we need.

Building Coordinated Response In – Learning from the Anasazis, Gunnar Peterson, 1 Raindrop, 14 June 2007

Security shouldn’t be a bag of uncoordinated aftermarket tricks. It should be a process that starts with design and continues through operations.

-jsq

Breach Discovery

If people know about security breaches, maybe there’s incentive for the companies whose customers they are or the governments whose constituents they are to do something about them, so this is good news:

New Hampshire, one of a handful of U.S. states that require breaches involving personal information to be reported to the state as well as to affected individuals, has made at least some breach notices it has received available on the net.

New Hampshire gets it, Chris Walsh, Emergent Chaos, 13 June 2007

Or at least if we know what’s really going on, maybe unfounded scare


Liberty vs. Control

Bruce Schneier reviews a paper about data mining, which unfortunately includes the phrase “the Security-Liberty Debate” in its title. He reiterates that liberty is security. It’s a liberty vs. control debate.

Data Mining and the Security-Liberty Debate, by Bruce Schneier, Schneier on Security, June 12, 2007

Remember, this opinion is backed up by research.

Salvage Logging


While the federal government tries to dump the costs of wildfires onto local governments, a new study indicates that federal policies have been making things worse:

"It was the conventional wisdom that salvage logging and planting could reduce the risk of high-severity fires," said Jonathan R. Thompson, a doctoral candidate in forest science at Oregon State, who was lead author of the study appearing this week in Proceedings of the National Academy of Sciences. "Our data suggest otherwise."

They suggested that the large stands of closely packed young trees created by replanting are a much more volatile source of fuel for decades to come than the large dead trees that are cut down and hauled away in salvage logging operations.

Scientists find logging dead trees after wildfire and replanting makes next year’s fire worse, by Jeff Barnard, AP, 11 June 2007

Salvage logging is the removal of dead trees after a fire. It turns out that doing so doesn’t reduce the risk of fire, and the close-packed, newly planted trees that follow it increase that risk.


Public Public Domain


In March, Carl Malamud finished organizing release on the Internet of videos of Congressional subcommittee hearings. Back in November 2006 Malamud was lobbying the Smithsonian Institution to rescind its exclusive contract with Showtime. Now he’s teamed up with others to multiplex such projects and get more done:

When you buy content, we get the material from the U.S. government and then upload the data to places like the Internet Archive, Google Video, and other fine content sources. Because this data is public domain, anybody can use the material without restriction!

How Do We Do It? public.resource.org, accessed 9 June 2007

Already he says:

Per Lessig’s agreement with CNN, we’ve uploaded both Presidential Debates to the Internet Archive:


Wildfires: Who Should Pay?

The New York Times asked:
The steeply rising cost of preventing and suppressing wildfires, which burned more of the American landscape in 2006 than in any other year since at least 1960, is creating a rift between Washington and state and local governments over how the burden ought to be shouldered.

As Costs of Wildfires Grow, So Does a Question, by Kirk Johnson, New York Times, January 3, 2007

Basically, wildfire costs have increased greatly in recent years, and the current federal administration wants to dump the costs onto states.

Terrorism, Lightning, and Bloomberg

Sometimes a politician says something so sensible you wonder why everybody doesn’t say it:

There are lots of threats to you in the world. There’s the threat of a heart attack for genetic reasons. You can’t sit there and worry about everything. Get a life.

You have a much greater danger of being hit by lightning than being struck by a terrorist.

In terms of what you as individual on the streets should worry about is not whether the person sitting next to you on the subway is a terrorist. The likelihood of that is so small it is not something you should worry about.

Buzz Over Mayor’s ‘Get a Life’ Remark, By Sewell Chan, Empire Zone, June 6, 2007,  9:46 am

The outlet that originally quoted Bloomberg, wcbstv.com, quotes several people as saying terrorism is a big threat. However, it also points out that New York City is the safest city in America, with violent crime in general low and decreasing. Maybe if that TV station and others reported that more often, instead of constant, irrational fear, more people would understand what Bloomberg is saying.


Norms-Based iTunes?

Ben Hyde dug up a paper about Norms-Based Intellectual Property Systems: The Case of French Chefs, which discusses the issues involved in the recent case of the French chefs, even though it was published before that foofaraw. This paper makes me wonder if that’s what Apple is doing:
With great power comes great responsibility, and apparently with DRM-free music comes files embedded with identifying information. Such is the situation with Apple’s new DRM-free music: songs sold without DRM still have a user’s full name and account e-mail embedded in them, which means that dropping that new DRM-free song on your favorite P2P network could come back to bite you.

We started examining the files this morning and noticed our names and e-mail addresses in the files, and we’ve found corroboration of the find at TUAW, as well. But there’s more to the story: Apple embeds your account information in all songs sold on the store, not just DRM-free songs. Previously it wasn’t much of a big deal, since no one could imagine users sharing encrypted, DRMed content. But now that DRM-free music from Apple is on the loose, the hidden data is more significant since it could theoretically be used to trace shared tunes back to the original owner. It must also be kept in mind that this kind of information could be spoofed.

Apple hides account info in DRM-free music, too, By Ken Fisher, ars technica, May 30, 2007 – 01:39PM CT

The ars technica article goes on to recommend a trivial way to keep the music and ditch the identifiers, and points out that the presence of such an identifier on somebody else’s disk doesn’t necessarily prove copyright infringement. But maybe that’s not what Apple is really after. Maybe it’s so people will know that Apple could know, and other people could know, where you got your music. Like French chefs know where other chefs got certain recipes. Norms-based iTunes?
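To make the point concrete, here is an added example, not code from the ars technica article or from Apple, of the kind of check a practitioner would run before sharing a purchased track: a small MP4 atom walker that reports the identifying items in the iTunes metadata list and, separately, writes a copy without them. The atom names apID (store account) and ownr (purchaser name) are assumed from publicly documented iTunes tagging; the file it parses is constructed inline rather than a real purchased track, so it carries metadata only and no audio.

```python
import struct

# iTunes stores purchaser identity as items in the 'ilst' metadata list.
# Atom names assumed from public iTunes tagging documentation.
IDENTIFYING_ATOMS = {
    b"apID": "apple_id",     # store account, normally an e-mail address
    b"ownr": "owner_name",   # purchaser's full name
}
# Boxes whose payload is a list of child boxes. 'meta' is a FullBox:
# four bytes of version/flags precede its children.
CONTAINERS = {b"moov", b"udta", b"meta", b"ilst"}


def _box(typ, payload):
    """Serialize one MP4 box with a 32-bit size header."""
    return struct.pack(">I", 8 + len(payload)) + typ + payload


def _ilst_item(typ, text):
    """An ilst item: the named atom wrapping a 'data' box whose payload is
    a 4-byte type indicator (1 = UTF-8 text), 4 reserved bytes, then text."""
    return _box(typ, _box(b"data", struct.pack(">II", 1, 0) + text.encode("utf-8")))


def build_sample_m4a(owner, apple_id):
    """Constructed stand-in for a purchased track: metadata only, no audio."""
    ilst = _box(b"ilst",
                _ilst_item(b"\xa9nam", "Some Song")
                + _ilst_item(b"ownr", owner)
                + _ilst_item(b"apID", apple_id))
    meta = _box(b"meta", b"\x00\x00\x00\x00" + _box(b"hdlr", b"\x00" * 24) + ilst)
    moov = _box(b"moov", _box(b"mvhd", b"\x00" * 100) + _box(b"udta", meta))
    ftyp = _box(b"ftyp", b"M4A \x00\x00\x00\x00M4A mp42isom")
    return ftyp + moov


def iter_boxes(buf, start, end):
    """Yield (type, box_start, body_start, box_end) for each box in buf[start:end]."""
    pos = start
    while pos + 8 <= end:
        size, typ = struct.unpack(">I4s", buf[pos:pos + 8])
        header = 8
        if size == 1:                      # 64-bit 'largesize' follows the type
            size = struct.unpack(">Q", buf[pos + 8:pos + 16])[0]
            header = 16
        elif size == 0:                    # box runs to end of file
            size = end - pos
        if size < header or pos + size > end:
            raise ValueError("malformed box %r at offset %d" % (typ, pos))
        yield typ, pos, pos + header, pos + size
        pos += size


def find_identifying_atoms(buf):
    """Return {label: value} for every identifying ilst item in the file."""
    found = {}

    def walk(start, end):
        for typ, _, body, box_end in iter_boxes(buf, start, end):
            if typ == b"meta":
                walk(body + 4, box_end)
            elif typ in CONTAINERS:
                walk(body, box_end)
            elif typ in IDENTIFYING_ATOMS:
                for dtyp, _, dbody, dend in iter_boxes(buf, body, box_end):
                    if dtyp == b"data" and dend - dbody >= 8:
                        kind = struct.unpack(">I", buf[dbody:dbody + 4])[0]
                        payload = buf[dbody + 8:dend]
                        found[IDENTIFYING_ATOMS[typ]] = (
                            payload.decode("utf-8", "replace") if kind == 1 else payload.hex())

    walk(0, len(buf))
    return found


def strip_identifying_atoms(buf):
    """Copy buf without the identifying items, recomputing ancestor box sizes."""

    def rebuild(start, end, fullbox=False):
        out = b""
        if fullbox:                        # keep meta's version/flags
            out, start = buf[start:start + 4], start + 4
        for typ, box_start, body, box_end in iter_boxes(buf, start, end):
            if typ in IDENTIFYING_ATOMS:
                continue
            if typ in CONTAINERS:
                out += _box(typ, rebuild(body, box_end, fullbox=(typ == b"meta")))
            else:
                out += buf[box_start:box_end]
        return out

    return rebuild(0, len(buf))


if __name__ == "__main__":
    track = build_sample_m4a("Alice Example", "alice@example.com")
    print(find_identifying_atoms(track))
    print(find_identifying_atoms(strip_identifying_atoms(track)))
```

Two caveats before pointing this at a real file. First, in a real M4A the moov box usually precedes the audio data in mdat, and the sample-table chunk offsets (stco or co64) inside moov are absolute file offsets; shrinking moov without rewriting them leaves a file players cannot seek in, which is why dedicated taggers handle that step. Second, as the ars technica piece notes, these strings are plain metadata, so they can be edited to anything: finding a name in a file says who the store wrote into it, not who put the file where you found it.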

-jsq

Cooking Property?

What happens when one famous chef copies another’s recipe?

The place is agog at the effrontery of Vigneron, since they believe he has brazenly ripped off one of chef Wylie Dufresne’s best-known dishes. By the looks of a feature in the current issue of Wired, Vigneron has created a showpiece dish of a “cyber egg,” the yolk of which is made of carrot-cardamom purée, surrounded by a white of hardened coconut milk. Very interesting, given that almost the exact same dish (minus a garnish of foam and carrot) has been served often at wd-50, is featured on the restaurant’s website, and, we are told by members of the staff, has been eaten by Vigneron at least twice. “It’s one thing to be inspired by a dish and to change the flavors to make it your own,” says line cook John Bignelli. “But to just steal everything? How can you do that?” Dufresne, staying above the fray, declined to comment.

Did Marcel From ‘Top Chef’ Really Just Rip Off Wylie Dufresne? Grub Street, New York Magazine, 15 May 2007

You get a lot of commentary.
