Incite 8/18/2010: Smokey and the Speed Gun
By Mike Rothman
What ever happened to the human touch? And personal service? Those seem to be hallmarks of days gone by. It’s too bad. Since I don’t like people, I tend not to develop relationships with my bankers or pharmacists or clergy – or pretty much anyone, come to think of it. But I guess a lot of other people did and they likely miss that person to person interaction.
Why do I bring this up? On my journey to the Northern regions earlier this summer, I passed through Washington DC on the way to the beach in Delaware. I hardly even remember that section of the journey, but evidently I left a bit of an impression – with an automated speed trap. Yes, it was a good day when I opened my mail and saw a nice little letter from the DC Government requesting $150 for violating their speed laws. The picture below is how they explain the technology.
I remember the good old days when if you got caught speeding, you knew it. You had the horror of the flashing lights in your rear view mirror. There was the thought exercise of figuring out what story would perhaps provide a warning and not a ticket. The indignity of sitting on the side of the road as the officer did whatever officers do for 20 minutes. Maybe making sure you aren’t a convicted felon, driving in a stolen vehicle, or sexting with someone. This time there was none of that. Just an Internet site requesting my money.
And that’s the reality of the situation. The way I understand it, speeding laws got enacted for safety purposes, right? It’s dangerous to go 120 mph on a highway (ask Tyreke Evans). But this has nothing to do with safety. This is a shakedown, pure and simple. DC may as well just put a toll booth on the 14th Street bridge and collect $150 from everyone who crosses.
Of course, I consulted the Google to figure out whether I could beat the citation – hoping for a precedent that the tickets don’t hold up under scrutiny. Could I claim I wasn’t driving the car, or raise vague uncertainties about the technology? Not so much. There were a few examples, but none were applicable to my situation. The faceless RoboCop got me.
I’m glad these machines weren’t around when I was a kid. Can you imagine how much fun Smokey and the Bandit would have been if Buford T. Justice used one of these automated speed traps? The Bandit would have gotten his cargo to the destination with nary a car chase. The biggest impact would have been a few traffic citations waiting in his mailbox when he returned. I suspect that wouldn’t have gotten many folks to the theaters.
Photo credits: “Police Department budget cutbacks?” originally uploaded by Brent Moore
Recent Securosis Posts
Last week we welcomed Gunnar Peterson as a Contributing Analyst and we are stoked. But we aren’t done yet, so keep an eye on the blog and Twitter toward the end of the week for more fun. Suffice it to say we’ll need to increase our beer budget for the next Securosis all-hands meeting.
- HP (Finally) Acquires Fortify
- Gunnar Peterson Joins Securosis As a Contributing Analyst
- Identity and Access Management Commoditization: A Talk of Two Cities
- Friday Summary: August 13, 2010
- Tokenization Series:
- Various NSO Quant posts:
Incite 4 U
No Control… – Shrdlu once again hits the nail right on the head with her post on Span of Control. We talking heads do have a nasty habit of assuming that logic prevails in organizations and that business people will make rational decisions (like not authorizing the off-shore partner to have full access to all intellectual property) and give us the resources we need to do our jobs. Ha! Clearly that isn’t the case, and obviously not having control over the systems we are supposed to protect makes things a wee bit harder. I also love her perspectives on Jericho and GRC. Amen, sister! We need to remember security is as much about persuading peers to do the right thing as it is about the technical aspects. If you’ve got no control, it’s time to start breaking out those Dale Carnegie books again. – MR
Sour Grapes? – I’d like you to think back to your preschool art class. Remember how sometimes the teacher would pick a few of the best pieces to hang on the class wall or for your preschool art show? Back in the days when it was legal to have “losers”? Ask yourself: were you the kid who was a little disappointed but happy for your classmate? Or did you sulk a bit but get over it? Or were you the little jerk who would kick the winners in the shins and try to steal their Twinkies? We’ve seen a fair few sour grape blog posts and press releases from competitors after acquisitions, but Veracode’s CEO might need a time out. I have a lot of friends over there, but this isn’t the way to show that you’re next in line for success. If you’re ever in that position, you’ll look a lot better being gracious and congratulatory rather than bitter and snarky. – RM
Cutting Compliance Corners – Security’s already been cut to the bone and anything that can be done must be within a compliance context. But it’s inevitable that as things remain tight, especially for small business, they’ll finally realize that compliance doesn’t really help them sell more stuff. Or spend less money doing what they already do. So it’s logical that many SMB organizations would start trying to reduce compliance costs, as our friends at 451 Group recently stated (hey, Josh and Andrew!). Of course, there will be a cost to that, because we all know compliance isn’t enough, and if they start doing compliance badly it’s not going to end well. But I guess it never does. – MR
Have Certificate, Will Trust – Every year I return from Black Hat and Defcon after somebody reminds me that each browser or operating system automatically trusts a bunch of certificates, and that some of them may not be particularly trustworthy. If a certificate authority goes rogue, they have carte blanche to cause all sorts of mayhem because many of the browsers’ built-in security features are based upon complete trust in certain certificates. But I recognize that I just don’t possess the tools and data to make an informed decision on whether TÜRKTRUST Elektronik Sertifika Hizmet is any less trustworthy than Go Daddy Secure Certificate Authority. While I have removed a couple of certificates from Firefox because I neither trust nor need them, there are a bunch I just don’t know about. So I applauded when I heard someone else is looking into these trust issues: the Electronic Frontier Foundation (EFF) sent a letter to Verizon asking them to investigate Etisalat, a United Arab Emirates Telecommunications Regulatory Authority, for issuing certificates for surveillance and potential malicious software. This is bad, but it could be a lot worse. Every time you grant certificate signing authority you are explicitly extending trust, and you trust they won’t screw you. But with this many certificates and certificate authorities, it’s tough to know who to trust, or whether they engage in unscrupulous behavior (or stupidly trust someone else who does). My intention is to compile a list of certs you should consider for removal from the browser in the coming weeks. If you have a list of certificate authorities you remove, please email me, as I would love to hear who and why. – AL
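A starting point for the audit the item above proposes, as an added example that is not part of the original post: it inventories the root CAs Python's default SSL context trusts on the local machine, groups them by organization, and flags any whose subject matches a watch-list of names you maintain yourself. The watch-list terms and the sample subjects are assumptions chosen for illustration.

```python
import ssl
import unicodedata
from collections import defaultdict

# Hypothetical watch-list: organization/CN substrings the reviewer wants to
# look at more closely before deciding whether to keep them (assumption).
WATCH_LIST = ("TURKTRUST", "ETISALAT")


def fold(text):
    """Upper-case and strip diacritics so 'TÜRKTRUST' matches 'TURKTRUST'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).upper()


def subject_field(cert, key):
    """Read one attribute (e.g. 'organizationName') from a cert dict in the
    shape SSLContext.get_ca_certs() returns: subject is a tuple of RDNs,
    each RDN a tuple of (name, value) pairs."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == key:
                return value
    return ""


def inventory(certs):
    """Map organization -> list of root common names, so you can see how
    many roots a single CA operator contributes to the store."""
    by_org = defaultdict(list)
    for cert in certs:
        org = subject_field(cert, "organizationName") or "<no O=>"
        by_org[org].append(subject_field(cert, "commonName") or "<no CN>")
    return dict(by_org)


def flagged(certs, watch_list=WATCH_LIST):
    """Return (organization, common name) pairs whose folded subject
    contains any watch-list term; these are candidates to review."""
    hits = []
    for cert in certs:
        org = subject_field(cert, "organizationName")
        cn = subject_field(cert, "commonName")
        haystack = fold(org + " " + cn)
        if any(term in haystack for term in watch_list):
            hits.append((org, cn))
    return hits


def trusted_roots():
    """Roots loaded by the default context (OpenSSL's default CA store)."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    roots = trusted_roots()
    print(f"{len(roots)} trusted roots")
    for org, cns in sorted(inventory(roots).items()):
        print(f"{len(cns):3d}  {org}")
    for org, cn in flagged(roots):
        print("REVIEW:", org, "/", cn)
```

Removing a root from a browser's own store (Firefox keeps a separate NSS database) is a separate step; this only tells you what is there and what deserves a closer look.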
Prime Delivery for a DDoS – Yup, it’s just a matter of time before some enterprising malcontents start using cloud services to blast rivals. As I’m still working through the stuff shown at Black Hat/DefCon, it seems a couple of guys (David Bryan and Michael Anderson) showed how to leverage Amazon’s EC2 to launch a distributed denial of service attack. You might assume that Amazon would have reasonably well-developed processes to handle abuse of their systems, but evidently not. I pay $70 a year for Prime delivery to make sure Amazon gets me my stuff in two days. But they can ship the DDoSes Ground. – MR
Love Ya, But Don’t Trust Ya – I love my Macs, but I admit they need service on a more regular basis than I am used to. Quite a bit actually. But Apple service is usually pretty good and I am thankful I don’t have to do the work. However, as a cynic, I know my hard drive is vulnerable when the machine goes in for service. I am betting that they make a copy. Sure it helps in case of ‘accidents’, but there is a lot of valuable information – both sensitive data as well as how the computer is used – that I am sure any marketing executive or attacker would love to have. So what’s a paranoid privacy nut to do? Protect the data on your machine before it goes in for service. Our own Chris Pepper wrote a nice outline of what to do before shipping your Mac out on his Extra Pepperoni blog. He outlines a good process for backups, a few places you should remove files from, and some places where you need to secure accounts and services. And how to set up the Apple account for their service techs to access the machine. Unless of course the motherboard dies like it did on one of my machines … which means you pull the disk and risk your warranty, or you trust the techs. Right, I didn’t think so. Check out Chris’s post! – AL
Mentor this… – I have to say I’ve been very lucky over the years. I’ve usually been around someone who I could learn from, even if they didn’t know I was doing a Vulcan mind meld at the time. That’s why I’m always happy to try to help someone looking for career advice or some perspective about their job. It’s great to see a number of security folks starting a more formal mentoring program. I’m a big fan of external mentors because they can help with skills and by providing a totally objective perspective on what’s going on. But don’t forget the need to line up mentors within your organization as well – those folks can help you navigate choppy political waters and have probably screwed up a fair bit through the years. No need to screw up the same stuff as your mentor when there is so much new territory to make a mess of. – MR
How would you change PCI? – The PCI Security Standards Council is giving us our 7 year warning that they are going to update the standards. This inspired Martin McKeay to think about how he would change them if he were in charge. We all like to complain about PCI, but when you get down to it, writing any sort of standard/framework at that scale isn’t an easy prospect. Martin’s promised to codify his thoughts into a series of posts, and it’s worth thinking about yourself. Remember – there are real hard dollar costs associated with any suggested change, which is why PCI moves at such a glacial pace. – RM
The Twitter Bomb – In my younger guy days, there was a lot of jawing between drunk, testosterone-laden adolescents thinking they were Larry Holmes or something. But usually nothing came of it besides someone getting ejected from the bar. Nowadays it seems kid fights are a little different, especially when one of the kids has a couple million Twitter followers. Evidently teen sensation Justin Bieber (thankfully my girls are immune to his, uh, music) decided to end a little conflict by posting a rival’s cell number on his Twitter stream, claiming it was his. Yes, the rival got buried with phone calls and over 10,000 texts. I’m sure that kid will be happy when he gets his cell phone bill next month. Now that is a one-punch knockout. – MR