7/24/04

Book Review: The Day the World Came to Town, 9/11 in Gander, Newfoundland

Yes, I've got a thing for remembering 9/11/2001 (see the picture on the bottom of my home page). And I have always been intrigued by the closing of the US airspace that day and the days following. (See this photo from Gander International Airport.)

In NetSec Letter #13 from 23 October 2001 entitled "Afterthoughts and Lessons to Learn," I said, "How do we know the good guys from the bad? ... Get the good guys out of the sky. The principle demonstrated is important. The fewer potential attack agents, the fewer avenues of attack, the easier your task of protection and detection can be."

I got this book for my birthday from my darling wife. It is a book of wonderful stories, individuals' stories describing the effects of that day on stranded travelers and the locals, and how a 10,000-person town doubled in size for a few days. Because of the subject matter, it cannot help but invoke tears in some (like me). Over and over again, my heart was touched with the stories of simple caring, one for another. This was a great birthday gift.

"... for I was hungry and you gave Me food; I was thirsty and you gave Me drink; I was a stranger and you took Me in; I was naked and you clothed Me ... Assuredly ... in as much as you did it to one of the least of these you did it to Me."
Matthew 25:35-40


7/19/04

Push to talk -- what to do?

Recently, I ranted about PTT technology on mobile phones. (Find it here.) Someone named Saso called me to task:
... it seems to me that you left a bit too much as an exercise for the reader. What am I talking about? The Push to talk service provides people with a perfect eavesdropping device. The TSCM industry will love this one. All mobiles should already be banned from meeting rooms, but since they're not, often they get used as one party's way to let more people in to the discussion than there are physically present parties. For that to work in the old days, you'd need an accomplice on the inside or physical access to the room. Now, all you need is the name of one of the parties attending a strictly confidential meeting and their direct call number. And you don't even have to be anywhere near the meeting place, like in the old times. Is the handset beeping loud enough when you establish a connection? Loud enough not to be drowned in the average office noise? Street noise?
(As a funny coincidence, someone just walked by the office I am sitting in today, talking on this annoying walkie-talkie mobile phone. :-) Or maybe they are really ubiquitous.)

These are all good points, and yes I should have made some observations and recommendations instead of just grumping. First, the open questions to answer:
  • Is it possible to turn off this feature? Almost certainly, "yes."
  • Can someone else connect with you without your knowledge? "Yes," if you miss the BEEP.
  • Can someone else listen in without your (you are the owner of the phone) knowing it? "No," you have to hold a button down when talking just like a real walkie-talkie.
  • But, can an insider broadcast a meeting to an outsider without anyone else knowing it? Sure. But, this is the case with all mobile phones. This is one reason they are prohibited in certain secure facilities. (That and the cameras that come with them. See Dave Piscitello's comments here.)
So, probably this feature on mobile phones is more of an annoyance than a security risk. But, there is a similar feature in some office telephone systems: the intercom.

To my left is a "COMDIAL Impact" telephone set connected to the office phone system where I sit today as I type this. Anyone here can "Intercom" to my phone set. There is a beep and they are expected to speak, such as, "Fred? Call from your wife." Or, "Fred? Would you stop by?" Now, the important part is the notification BEEP. What if someone does this when I am out getting a cup of coffee? What if a bad guy did something to my phone so that it did not beep? Would I know someone was listening? There is a visual indication that the phone is connected to someone else's, but would I notice it? (No, I would not.) In an office environment, that would concern me more than Push to Talk. But, PTT is still more annoying.

7/17/04

How Much is Too Much?

We in computer and network security, and those who claim to be, find ourselves talking about paranoia. Now, the definition we are talking about is the second one we find on dictionary.reference.com, "Extreme, irrational distrust of others." In computer and network security, the "extreme" part is alright, as is the "distrust of others." Of course, it is the "irrational" part that doesn't belong.

Rational distrust versus irrational is often what separates the grownups from the youngsters (darn, that is the second time I wrote that word on this blog today, and it is still a year before I turn 50!) -- in Internet parlance, the wizards from the newbies. It does not separate those who have certifications from those who do not have them (not in the direction you might think, anyway). It takes experience, and it takes risk assessment that takes into account all controls, to know what to be afraid of and what not to.
Yeah I might be a little bit loco
But it keeps me from losin' my mind
Oh but half insane that's ok
Babe a little bit crazy's alright.
-- From "Loco," by David Lee Murphy