Mangle those cell phones?

OK. Right off I am *not* advocating physical destruction of old recycled cell phones. This post (Mangle those hard drives!) at my primary security blog, ThreatChaos, got a lot of reactions when I suggested that physical destruction of hard drives was the best policy in lieu of a well managed data wiping process. That was sparked by the news that computers being re-sold in Nigeria were being used to harvest bank account information which was then sold to attackers.
Now, Trust Digital has demonstrated that most phones are not properly scrubbed before being offered for sale on eBay. They purchased ten cell phones and proceeded to extract all sorts of data from them. Read the whole story from the Associated Press article. There is a great quote from Howard Schmidt who types his password incorrectly 11 times to cause his cell phone to self destruct. Of course Trust Digital was demonstrating the need for their products which are justified in the corporate world.
For personal protection? I would mangle the flash memory of all unneeded cell phones. Incinerate? Acid bath? Microwave? All good. But unless you are worried about the NSA recovering your info I would just take it out to the garage and whack it with a hammer on your anvil. Don’t have an anvil? I can lend you one of mine. :-)
Can’t get the flash memory out of the phone? Hit the phone with a hammer until you can find the chip. Then whack the chip as above. (Always wear safety goggles when hitting things with hammers.)
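To make concrete why “deleting” a file is not the same as wiping it, here is an added Python example (mine, not Trust Digital’s tooling and not anything from the ThreatChaos post). It simulates a tiny FAT-style flash image: deleting a file flips one flag byte in the directory and leaves the data blocks untouched, a raw scan of the image still finds the “deleted” secret, and only an explicit overwrite of every unreferenced block removes it. The image layout, the file names and the sample secret are all constructed for the demo.

```python
"""Toy FAT-style flash image, constructed for this example: a directory of
fixed-size entries followed by N_BLOCKS data blocks. As in FAT, deleting a
file only rewrites a flag byte in its directory entry."""
import struct

BLOCK_SIZE = 64
N_BLOCKS = 8
DIR_ENTRIES = 4
ENTRY_FMT = "<B11sHH"              # flag, name, first block, length in bytes
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)
DIR_BYTES = DIR_ENTRIES * ENTRY_SIZE
FLAG_FREE, FLAG_USED, FLAG_DELETED = 0x00, 0x01, 0xE5   # 0xE5 as in FAT


def new_image() -> bytearray:
    """An erased image: empty directory, zero-filled data blocks."""
    return bytearray(DIR_BYTES + N_BLOCKS * BLOCK_SIZE)

def _entries(img):
    """Yield (entry_offset, flag, name, first_block, length) per slot."""
    for i in range(DIR_ENTRIES):
        off = i * ENTRY_SIZE
        yield (off,) + struct.unpack_from(ENTRY_FMT, img, off)

def _live_blocks(img) -> set:
    """Blocks referenced by a non-deleted directory entry."""
    live = set()
    for _, flag, _, first, length in _entries(img):
        if flag == FLAG_USED:
            live.update(range(first, first + -(-length // BLOCK_SIZE)))
    return live

def _padded(name: str) -> bytes:
    return name.encode()[:11].ljust(11, b"\0")

def write_file(img: bytearray, name: str, data: bytes) -> None:
    """Store data in the first free slot and first free contiguous block run."""
    need = -(-len(data) // BLOCK_SIZE)              # ceiling division
    live = _live_blocks(img)
    first = next((s for s in range(N_BLOCKS - need + 1)
                  if not live.intersection(range(s, s + need))), None)
    if first is None:
        raise ValueError("no contiguous free space")
    for off, flag, *_ in _entries(img):
        if flag != FLAG_USED:                       # free or deleted slot
            struct.pack_into(ENTRY_FMT, img, off, FLAG_USED,
                             _padded(name), first, len(data))
            break
    else:
        raise ValueError("directory full")
    start = DIR_BYTES + first * BLOCK_SIZE
    img[start:start + len(data)] = data

def delete_file(img: bytearray, name: str) -> bool:
    """What an ordinary 'delete' does: flip the flag, keep every data byte."""
    for off, flag, ename, _, _ in _entries(img):
        if flag == FLAG_USED and ename == _padded(name):
            img[off] = FLAG_DELETED
            return True
    return False

def list_files(img) -> list:
    """The names a normal directory listing would show."""
    return [ename.rstrip(b"\0").decode()
            for _, flag, ename, _, _ in _entries(img) if flag == FLAG_USED]

def carve(img, needle: bytes) -> int:
    """What a recovery tool does: ignore the directory and scan the raw image.
    Returns the offset of needle, or -1 if it is really gone."""
    return bytes(img).find(needle)

def wipe_free_space(img: bytearray, fill: bytes = b"\0") -> int:
    """The 'well managed wiping' step: overwrite every block that no live file
    references and clear deleted directory entries. Returns blocks overwritten."""
    if len(fill) != 1:
        raise ValueError("fill must be a single byte")
    live = _live_blocks(img)
    wiped = 0
    for blk in range(N_BLOCKS):
        if blk not in live:
            start = DIR_BYTES + blk * BLOCK_SIZE
            img[start:start + BLOCK_SIZE] = fill * BLOCK_SIZE
            wiped += 1
    for off, flag, *_ in _entries(img):
        if flag == FLAG_DELETED:
            img[off:off + ENTRY_SIZE] = bytes(ENTRY_SIZE)
    return wiped

def demo() -> tuple:
    """Returns (secret offset after delete, offset after wipe, blocks wiped)."""
    img = new_image()
    secret = b"bank PIN 4711 acct 12345678"          # constructed sample data
    write_file(img, "NOTES.TXT", b"shopping list\n" + secret)
    delete_file(img, "NOTES.TXT")
    assert "NOTES.TXT" not in list_files(img)       # gone from the listing...
    after_delete = carve(img, secret)                # ...but still on the chip
    wiped = wipe_free_space(img)
    after_wipe = carve(img, secret)                  # -1 only after overwrite
    return after_delete, after_wipe, wiped

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the offset at which the secret is still found after the delete, -1 after the wipe, and the number of blocks overwritten. The caveat for real phones: NAND flash controllers do wear levelling, so a logical overwrite issued from the host may land on a different physical page and leave the old copy readable to a chip-off reader. That gap between “the file system says it is wiped” and “the silicon no longer holds it” is why a hammer remains a defensible option for a phone nobody needs back.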

Several On MS Software

First, don’t miss the great series of posts on the “Excel 2007 Trust Center.” There’s some really good thought on security and usability in there. (While I’m at it, after two months of using ribbons, the idea of going back pains me. It really does. I had that “WTF did you do to my screen space?” reaction at first, now I love them.)

Next, check out “Lightweight Data Exploration in Excel” at the excellent Juice Analytics blog:

For instance, REPT("X",10) gives you “XXXXXXXXXX”. REPT can also repeat a phrase; REPT("Oh my goodness! ",3) gives “Oh my goodness! Oh my goodness! Oh my goodness! ” (my daughter’s an Annie fan).


For in-cell bar charts, the trick is to repeat a single bar “|”. When formatted in 8 point Arial font, single bars look like bar graphs.

Cool!

On a less complimentary note, see “Death By Powerpoint:”

The Iraq disaster did not happen because someone in the JTF-IV planning group or the Office of the Secretary of Defense (OSD) couldn’t write a good PowerPoint presentation. The problem was that anyone used PowerPoint to plan a war.

Via Marty Lederman’s “The Evil That Is PowerPoint (or, How We Lost the War),” which concludes:

Exception that proves the rule: I must concede that Yochai Benkler’s PowerPoint presentation last year at the Yale Constitution-in-2020 Conference was really engaging and fun — informative, even. So there is hope.

This “evil” actually pre-dates the current Secretary of Defense, and it even pre-dates PowerPoint. The Army has long had a tradition of briefings in which foils replaced well-reasoned essays. For example, all of the work of John Boyd was done as sets of foils, which were available as scanned photocopies. Those were manually redone as PowerPoint slides. The issue isn’t the tool, it’s the culture that expects a presentation can replace other forms of communication.

This is particularly disappointing in Boyd’s case, because I’m really interested in how to apply his work to information security, and all we have is sentence fragments. It’s tough to blame that on a tool which didn’t exist when he did his work.


Also, last week, Presentation Zen had a really good roundup on presentations, entitled “Is it Broken,” which touches on a lot of these issues. Finally, I should mention, MS PR had a chance to look at this post, because, well, I’m discussing our software, and it seemed like the right plan.

[Update: For some reason this post has become a spam magnet; I’ve closed comments, but will happily take them for publication, via email.]

On Terror and Terrorism

“Is There Still a Terrorist Threat?” asks Foreign Affairs. Bruce Schneier considers “What the Terrorists Want,” and also offers up a useful roundup of “Details on The British Terrorist Alert.” In that details space, Phil offers up thoughts on what a “Temporary Flight Restriction” meant to his travel. Meanwhile Kung-Fu Monkey asks “Wait, Aren’t You Scared?” while Moshe Yudkowsly thinks that “Fear Is a Healthy Reaction to Terrorism.”

John Quarterman doesn’t think you should be scared, even if it makes sense to think of “Terrorism as Theater.”
I think John’s point that terrorism is theater is often forgotten, and not giving the terrorists extended ovations for their performances is an important part of the solution.

Outsiders! Insiders! Let’s call the whole thing off.


I have no idea whether outsiders or insiders are responsible for more losses, and while the topic is somewhat interesting, it seems to me to be something of a marketing-generated distraction.
I’ve worked in environments where I am absolutely certain that insiders were the predominant threat, in environments where they probably were, and in environments where they probably were not. In no case would I have been able to conclude this from criminal prosecution data, which is what one report relies on to support its conclusions.
My point is that regardless of what the aggregate “threat landscape” looks like, there is no substitute for knowing your own environment, and for proper threat modeling and countermeasures.
[The image is part of a screenshot from infosecdaily.net, circa February 22, 2005]

Are Things Out of Whack?


In North Dakota, the state agricultural commissioner, Roger Johnson, has proposed allowing () farming, and has been working with federal drug regulators on stringent regulations that would include fingerprinting farmers and requiring G.P.S. coordinates of () fields.

“We’ve done our level best to convince them we’re not a bunch of wackos,” Mr. Johnson said.

The quotes, with a single word replaced by (), are from the New York Times story, “California Seeks to Clear Hemp of a Bad Name.” Whatever you happen to think about the criminalization of plants and their products, I hope it’s clear that when we’re talking about fingerprinting farmers in order to convince someone that “we’re not wackos,” something is out of whack.

Photo: “Picking Stuff” by Lynt.

Air Safety: Terrorism and Crashes

There have been two fatal air accidents this week, one in Ukraine in which 170 people died, and one in Kentucky, in which 50 people died. In neither case is terrorism being blamed as I write this.

The safety engineering that makes air travel so safe is astounding. The primary activities, from pilot training to maintenance to operations, are all excellent, and they’ve gotten there through a well designed feedback loop that analyzes every error. (Oh, to have such a thing in information security! Errors being made public!)

Given that the air safety loop is so good already, and given the enormous resources being put into measures of dubious effectiveness, I’m curious: Would those resources be better spent further improving aviation safety in general, or are they relatively well deployed in the areas of passenger and luggage screening?

PS: I know I have readers who are deeply interested in aviation safety. Can I ask you to provide some good links for further reading?

Poll: 58% approval rating for Bush among voting machines


WASHINGTON – Despite mounting public criticism of his administration’s handling of Iraq and the war on terror, 58 percent of voting machines approve of the way Bush is handling his job according to the latest poll by Shamby and Associates. This is in contrast to the 42% approval rating he has among human beings from polls conducted in the same time period.

“We’re very encouraged by these numbers,” said Karl Rove, Bush’s chief political advisor. “Voting machines across America, especially in the contested Congressional districts, are likely to stand with Bush against the forces of terrorism and extremism this election cycle.”

From Democratic Underground.

Hamming it Up

(or “The New York Times Gets Self-Referentially Ironic”)

… he recognizes that plenty of people must think that rounding up friends and family members to go in on a thousand-dollar ham that he envisions hanging in his living room is crazy. But food lovers like him understand, he says. And in the end, the elaborate narrative of the ham (the way it is produced, his advance payment, the visit to the picturesque town in western Spain where it’s made) is a thing to be savored almost as much as the meat itself. “I must say,” Saltzman adds, “I’ve gotten incredible mileage out of the whole ham story.”

Indeed you have, Mr. Saltzman, indeed you have.

The image is from La Tienda, who are charging $1200 for a (roughly) 15 pound ham, or roughly $80 per pound, which, frankly, doesn’t sound nearly so bad. It’s in range with foie gras, and it’s even legal in Chicago.