The Quiet Earth - Meta

Never attribute to malice...

nospam@example.com (Axel Eble) — Tue, 23 Dec 2008 10:56:34 +0100

... that which can be adequately explained by stupidity.

Hanlon's Razor

Konkret: der Fall der verlorenen Kreditkartendaten der Berliner Landesbank wurde durch zwei Kurierfahrer verursacht, die Christstollen haben wollten und daher einfach zwei Pakete austauschten...

Bücher in liebevolle Hände abzugeben

nospam@example.com (Axel Eble) — Sun, 23 Dec 2007 17:23:41 +0100

Hinweis in eigener Sache: Im Zusammenhang mit unserem kurz bevorstehenden Umzug habe ich eine Latte Bücher abzugeben, die ich nicht mehr umziehen werde. Die gesamte Liste liegt unter Bücherliste. Bei Interesse bitte eine Email oder Nachricht im IRC. Ansonsten fliegen die Bücher ins Altpapier. Und ja, da blutet mein Herz.

Crisis Management

nospam@example.com (Axel Eble) — Tue, 20 Feb 2007 08:14:57 +0100

So flickr had a hiccup yesterday. Well, truth be told, it was a major problem on their side: the image caches ran amok and delivered the wrong pics - not a few of them a bit on the more adult oriented side (as a sidenote, this proves what we all knew anyway: The Internet Is All About Porn). To the emotional outcry from lotsa lotsa users came the fact that the problem was not resolved by restarting the flaky cache server(s) but instead resurfaced once again. So finally, after quite a few hours of downtime (and I bet beet red engineers working overtime to find the bug and fix it) the system is back up.

So that's the exposition, which just about gives you an idea of the dimension of this thingy. It didn't? Well, then let me summarize: It Was BIG. However, flickr not only took down their site but pointed to their blog - in which Eric Costello did keep the users informed (if only tersely, but this is better than just a few lame marketing lines stating that all is beautiful and the system is just being enhanced yaddayaddayadda). When it was apparent that flickr would solve the problem he sat down and wrote a decent explanation of the problem - in a way to satisfy both non-technical users and the somewhat tech-savvy ones. He explains the issue without emotional overtures nor does he play it down:

To be clear, we regard this as a serious problem, but it is something that goes away as soon as we restart the malfunctioning servers (tonight we found that the servers were going insane again shortly after restarting, but we have isolated the problem and believe we have a permanent fix).

And finally, he concludes with:

We shamefacedly apologize for the inconvenience and the scare. We understand that it probably seems very, very strange and we know that many people got the impression that their photos were lost forever. But they should all be back now, safe and sound. And everyone who works on Flickr's engineering and technical operations teams are working double time to ensure that it never happens again. Thanks for your understanding and patience!

Folks, this is one of the best pieces of crisis management I have ever seen! It states the problem; it states the solution; it takes the blame where necessary and it gives a promise to the future. Now, if we could set this as mandatory teaching for all companies worldwide I would feel so much better.

Der mediale Internet-Experte und die Berichterstattung

nospam@example.com (Axel Eble) — Wed, 06 Dec 2006 16:44:09 +0100

Heute erschien auf der Webseite von tagesschau.de ein Artikel namens "Wieviel Kontrolle braucht das Internet?"
In diesem Artikel zitiert der Autor Herr Zirpins einen Hamburger "Internet-Experten" namens Bert Weingart, der für mehr Filter und bessere Kontrolle des Netzes eintritt. Diese Meinung kann man vertreten, so man sie denn entsprechend verargumentiert. Der Artikel beschränkt sich jedoch weitgehend darauf, die Meinung Herrn Weingartens wiederzugeben. Ganz am Schluß des Artikels schließlich gesteht Weingarten die Problematik seiner Vorschläge ein:

"Die derzeitige Anarchie im Internet ist in Ordnung für Menschen, die eine Medienerziehung genossen haben und damit umgehen können. Wir müssen aber medienunerfahrene Personen schützen", sagt er, und gesteht ein Problem ein: "Internet-Filterung kann durch entsprechende Administration zur Zensur werden."

Aber genau das schlägt er ja letztlich vor.

Interessant hingegen die Meinung des Waffenexperten der Gewerkschaft der Polizei, Wolfgang Dicke:

"Wenn der Waffenkauf so einfach wäre, warum war Sebastian B. dann - zum Glück - so hundsmiserabel bewaffnet?"

Interessant, daß diese Meinung gerade von der GdP kommt, die ja sonst eher durch markige Sprüche ihres Vorsitzenden Konrad Freiberg auffällt, der stets für mehr Überwachung und mehr Kontrolle in allen Lebensbereichen eintritt.

Zusammengefaßt empfinde ich den Artikel als sehr tendenziös, weil er den massiven geschäftlichen Interessen des Bert Weingarten nach dem Mund redet. Hätte man mit Kristian Köhntopp gesprochen, der wohl genausogut als "Internet-Experte" klassifiziert werden kann (oder mit Andrea Wardzichowski vom DFN-Verein oder mit einem anderen alten Hasen), so hätte Herr Zirpins mit Sicherheit einen anderslautenden Artikel geschrieben - wohlgemerkt: mit Argumenten hinterlegt statt mit Panikmache (und: handfestem Geschäftsinteresse).

Aber das paßt natürlich gut zu der aktuellen Stern-Umfrage, daß ca. 59% der Bevölkerung a) einem Verbot von Egoshootern (gemeinhin "Killerspiele" genannt) und b) stärkerer Kontrolle und damit der Einschränkung bzw. dem Verlust von Bürgerrechten zustimmt. Ganze 72% sind danach der Meinung, daß Egoshooter zu dem Amoklauf von Emsdetten beigetragen haben - was auch immer das heißen mag.
Im ZDF-Politbarometer hingegen sind sogar 72% der Befragten für ein Verbot von "Killerspielen" (Frage 9 von 11); allerdings sind nur 16% der Meinung, daß durch ein solches Verbot die Zahl gewaltbereiter Jugendlicher stark zurückginge, 49% weniger stark und immerhin 32% sind der Meinung, daß ein Verbot keinen Unterschied bewirkte. Diese Umfragewerte halte ich für bedenklich, zeigen sie doch, daß für komplexe Zusammenhänge nur einfache Lösungsansätze gefragt zu sein scheinen.

Zum Abschluß zitiere ich nochmals Herrn Weingarten:

"Die derzeitige Anarchie im Internet ist in Ordnung für Menschen, die eine Medienerziehung genossen haben und damit umgehen können. Wir müssen aber medienunerfahrene Personen schützen"

Ich stimmt dieser Aussage zu - allerdings sehe ich das Heil hier nicht in technischen Lösungen: wir sehen derzeit an vielen Beispielen der USA, daß Technologie nur begrenzt helfen kann. Die eigentliche Herausforderung liegt in der Medienerziehung, insbesondere der heranwachsenden Generationen. Viele Eltern, Erzieher und Lehrer sind damit schlichtweg überfordert, weil sie selbst keine entsprechende Medienkompetenz besitzen.

Language Log: Translating leadership, creating verbiage

nospam@example.com (Axel Eble) — Tue, 22 Aug 2006 12:37:08 +0200

Language Log: Translating leadership, creating verbiage
"Translating thought leadership...creating business results"

Wonderful, just wonderful! I've nothing to add to it, actually.

Germany: Greens Urge Goverment To Force Companies To Disclose Information Breaches

nospam@example.com (Axel Eble) — Mon, 26 Jun 2006 12:12:59 +0200

The German Party Bündnis 90/Die Grünen filed an application to the legislative body (the Bundestag) to enact a law along California State Act 1836 to require companies to disclose breaches of information.
The representatives are concerned about what they call "identity theft" - however, what they mean by it is the growing number of credit card information abuse. In Germany and, with the exception of the United Kingdom, in Europe in general there is nothing that resembles what in the US is known as "identity theft". Credit card (data) abuse over here has practically no risk for the client as the credit card companies refund you for money lost. And there is no such thing as your credit rating going bonkers because you can identify yourself with an official government-issued identity document (either your identity card or your passport).

How do you in the US prove you are who you claim to be? How do you get yourself off the no-fly list? Exactly: you can't - at least not without severe hassle. So, in my eyes, the application by the Greens is a smoke screen, aimed at gaining votes. The proposed law will not be effective in reducing credit card data abuse.

WTF - Apple's OS X is NOT As Secure As a Fortress?!

nospam@example.com (Axel Eble) — Mon, 12 Jun 2006 14:18:51 +0200

Oh holy Guacamole! OS X has lots of heap and buffer overflows! Quick, buy Vista and all will be well again! Oh, right. Vista isn't out yet. You've just switched to Apple because of all the exploits and dangers of running XP or some *gasp* older version of Windows. And now you're still insecure?!

Why, yes, of course. There is no such thing as ~~a free lunch~~ 100% security. Every reasonably complex piece or suite of software will. be. buggy - to some extent at least. Granted, there's lots of talk out there about how secure OS X is - and, actually, it still is. It's just not invincible, as it's cracked up to be. But, when Apple says it's products are the best, why would you believe them when you don't believe Microsoft? All vendors are alike in that regard.

And let's not forget that OS X is a revamped version of NeXTSTEP, the OS of the famous NeXT computer. That one was said to be riddled with local exploits, so don't expect OS X to be much better. As OS X is gaining market share, it will become more and more the target of choice for malware programmers.

What is different, though, is the use of administrative accounts (like on Windows where accounts by default are administrator accounts). On OS X, the only administrator account, root, is disabled, and to run administrative tasks one has to enter the password (this is a better-working equivalent to the runas command in Windows).

Moral of this? If someone tells you they are offering perfect security, chances are they are lying and only want your money. Be careful, always - it's a dangerous world out there.

Flight Data Transmission from EU to US illegal

nospam@example.com (Axel Eble) — Mon, 12 Jun 2006 13:13:43 +0200

The European Court of Justice has declared the treaty between the European Commission and the US Federal Government for the transmission of passenger data to US officials as illegal. That sounds like a big win for data protection and privacy at a first glance - but is it really?

Well, no, it's not. The original intention of the complainants was to have the European Court of Law state that the treaty does not conform to European Data Protection Legislation. However, all the Court did was rule that there was no legal basis for the treaty at all.
The European Commission had signed the treaty because they claimed that they were responsible because the data concerned was collected by private organizations and companies. The Court in turn clarified that the EU Directive did not cover Penal uses of data and since the data would only be collected for purposes of criminal prosecution the directive does not apply. Thus, the Court carefully managed to avoid the trickier side of politics and navigated around those particular rapids.

So, what does this ruling mean? First of all: the EU has until the end of September 2006 to come up with a new treaty. So far it looks like the Commission will try to push through new legislation to create the legal grounds for the treaty with the US Administration. Mind you, this is not easy because Criminal Legislation is still in the courts of the individual States - there is nothing like a common criminal legislation in Europe. EU law would have to be changed - unanimously by 25 member States. You can bet that political issues (both European politics and local politics) will greatly influence the stance of each State. If the change does not happen, each State would have to negotiate a separate deal with the US.

Ah, so finally we have our rights back and have full control over our data! No, unfortunately not. If the airlines don't transmit the passenger data to the US, they will experience heavy sanctions by the United States of America.

The best way to keep control about your data is by not going to the USA for now.

Fachsimpler-Test

nospam@example.com (Axel Eble) — Wed, 23 Nov 2005 19:03:41 +0100

The Fachsimpler-Test is a test by one of Germany's larger political (?) magazines, Der Spiegel (or rather their online counterpart, Spiegel Online). It is a test aimed at helping school students to find out what subject they should take at University.

ToJe, Zugschlus and Thildkröte all took the test and found large differences between their field of interest/work and the suggested subject of their studies. The test should be taken with a grain of salt as we all are slightly older and experienced than we were right after school, but, well, it's quite interesting to see the discrepancies.

Thinking about it the result is not that far off: I am a generalist with a broad spectrum of interests after all.

Airline Passenger Data Transmission To US May End

nospam@example.com (Axel Eble) — Wed, 23 Nov 2005 10:28:34 +0100

In 2003 the US ordered airlines to transmit flight passenger data for all flights ending in, stopping over in or just crossing US American territory. It was made clear that all data was to be stored in raw form and would be subject to further analysis, leading to profiling of passengers, all, of course, in the name of fighting terrorism. It is completely unclear what sort of profiling will be done and what else the US government will be doing with the data (e. g. handing it over to some commercial data brokers like gasp ChoicePoint for analysis). The Washington Post has a good summary as well.

The EU Commission and the EU Council caved in instead of taking a strong position against this practice and declared the US data handling processes as equivalent to European processes and, in general, good enough. This led to a huge outcry from the EU Parliament and several Civil Rights organizations (like the European Digital Rights Initiative) but both the Commission and the Council wouldn't budge.

Now, however, things start to look a bit brighter: the Advocate General at the Court of Justice at the European Communities recommends to annul the Council decision about the agreement. The Court will have to rule about a law suit by the Parliament against the Commission and the Council decisions. The recommendation of the General Attorney are not binding but in most cases the Court will follow advisory opinions.

References:
Heise Newsticker (German)
Washington Post

Security Convergence

nospam@example.com (Axel Eble) — Thu, 17 Nov 2005 20:30:49 +0100

"Security Convergence" is the subject of The Alliance between ISACA, ISSA and ASIS. Seeing what the focus of all the three groups is it really does make sense: ISACAs main operational field is Governance, especially IT governance; ISSA is "the global voice of information security" and ASIS is primarily concerned with physical security.
It's pretty clear that those three fields do converge more and more, so The Alliance is an important step in the right direction. It will help to open the eyes of security professionals worldwide to the other fields. It will, thus, help to raise a more business oriented security program in enterprises. We shouldn't expect too much in too little time, however: I don't believe that many companies understand at the moment that security is something that needs to be considered in a (I hate to use the term, but it does fit so nicely) wholistic way.
So, at the Network Security Conference/Security Management Conference of ISACA in Amsterdam last Monday the panel discussion was just about this: "Security Convergence". I was invited to represent ISSA at the panel. It was rather interesting to see the different points of view on the panel - and in the audience. Another member of the panel, Carl Thorp, stayed on for the day (I had to get back unfortunately) and reported that there were quite a few interesting discussions about the convergence thing. However, it seems to be of prime import to define what "Convergence" really means.
It will be interesting to see the discussions around the term in the near future.

The Dangers of Inference

nospam@example.com (Axel Eble) — Thu, 03 Nov 2005 01:47:15 +0100

Here I am, taking a strong stance about government agencies that collect data and use inference to think about what it might possibly mean. There's no lack of wrong inferring to be done that way, starting from false assumptions about coherence of incoherent data or by simply interpreting too much into too little data.

And suddenly I find myself here, doing exactly the same: thinking F-Secure jumped on the bandwagon of Mark Russinovich's posting at sysinternals for their excellent work of analyzing the Sony DRM Rootkit. Independently, I should say, because that is what they did. They did not, however, manage to make it clear how they got wind of the thing (which they did earlier than Russinovich and were in contact with Sony to discuss the issue). After Mark published his findings, F-Secure thought it was now time to publish theirs, too.

Can't blame them, really. I blame myself, however, for jumping to unjustified conclusions. Ah well, as I said: inference is bad.

Ch-ch-ch-changes

nospam@example.com (Axel Eble) — Tue, 01 Nov 2005 00:03:01 +0100

Jon Toigo is annoyed at the lack of progress the information security field has made since the Medieval. I feel his pain, too. But what are the alternatives? Or rather, why are we still using the same concepts? Are we just too stupid to come up with something new or are the concepts just so basic and so sound that there is no better way? Let's take a look at the items Jon mentions.

Access Control: moats and stockades then, firewalls now. Access control is still one of the soundest principles of information security. Control who may access information when and how and you have removed several vulnerabilities and reduced your risk dramatically. However, the technologies being used for access control change considerably over time. Up until the 1980s to 1990s access control meant control of physical access. Computers were large and heavy and access to them could be controlled pretty strictly and fairly easily. Enter The Network - and things shift completely. Or, to be fair, they get expanded. Physical access control is by then pretty much a commodity: people just do it anyway. What's new is that access to the computers is not only available by physical access but by network access as well. While the Light Side had control for an enjoyable while it was only a matter of time until the Dark Side jumped on the bandwagon and started to use the Net for their sinister purposes. So well, Marcus Ranum writes the DEC SEAL and it starts to get a success quite fast: companies hire firewall administrators to take care of these arcane beasts that are tough to tame (alliteration not intended but gladly taken). Fast forward to today: every simple DSL router for home use has a NAT firewall included; the network guys do the firewalls on the side and up come web services with the nice side effect of tunneling "stuff" across HTTP (yes, and other protocols, but HTTP really is ubiquitous by now and a nice example of the ever changing technologies, thank you). So now we have web application firewalls which really are nothing else than application layer proxies. And so it goes, goes round again. (Kudos to Joe Jackson)

Signet Rings and Trusted Certificates - now there you've hit a sore spot, Jon. I don't trust the PKI model with a commercial head - much less even if said head is Verisign. The last piece in the puzzle was their Sitefinder "service" which accidentally broke half the Internet. But really, why do we trust signatures, signets or certificates at all? Chances are, the signature is illegibile anyway so a cursory glance of similarity is all we get. Same with certificates (without even the added benefit of Verisign). No solution there, I'm afraid.

Edicts and Policies - good point, Jon. However, I consider them to lay out the rules by which we play. We agree upon a set of rules to be able to note deviant behaviour and sanction it. Thus, policies and edits are rather useful tools as they prepare the ground for legal skirmishes or, in some cases, provide the opportunity to find out unwanted behaviour in the first place. I wouldn't want to live without them.

Codes and Encryption are powerful tools, too. Unfortunately, many people tend to forget that encryption is a temporary safeguard at best. Even if the encryption algorithm has no known weaknesses it still will fall given enough time. There's the rise in computing power and the change to other technologies (can you say Quantum Encryption? I knew you could!). As long as people recognize this, they are quite secure. All they have to do is select an algorithm that will possibly keep the information secure as long as it has to be classified.

Interestingly enough, the bad guys don't seem to have learned either how to circumvent the safeguards we set up. Either they are as caught in our ways of thinking or there simply Is No Better Way at the moment.

What do you think?

All of this, however, has nothing to do with vendors coming up with new products all along instead of listening to what the customers want - just like in the storage market. Thanks for the eye-opener, Jon!

Conservatives going off the deep end

nospam@example.com (Axel Eble) — Wed, 26 Oct 2005 12:52:15 +0200

heise reports that the CDU/CSU parties warn of potential terrorist threats to IT infrastructure. Yawn yawn. I just love it how terrorists are responsible for anything and dangerous for everything. And, being the conservatives, one could expect them to scream for direct data exchange between governmental, law enforcement and intelligence agencies. Why, sure enough that is exactly what they want.

"International terrorism and information technology are related in a multitude of ways," Mr. Koschyk explained today. The information infrastructure was a potential target for international terrorism, he observed.

Oh yes, bringing the Internet down will strike terror in the hearts of the people like nothing we have seen before. Tell that to the people in Pakistan, to the people in Far East caught by the Tsunami, the people in New Orleans, to the people in Florida and whoever else has been struck lately by nature's catastrophes.

Another One Bites The Dust™

nospam@example.com (Axel Eble) — Thu, 06 Oct 2005 22:42:26 +0200

Martin pointed me to Sourcefire being bought by Check Point. I'm annoyed at that because Check Point is like any big player in any field: they buy a company and suck them dry. I am very apprehensive what they are going to do to Snort and how Marty Roesch will get along.

If I were to look in the crystal ball I'd predict that Check Point will kill the GPL and open source version of Snort or at the very least will try to squash it or drop support.

Of course, we'll see what pans out. I'd really love to be wrong on this account. Oh, and for the record: I hope Marty Roesch got a good deal out of it.