Research

I just read over at Computerworld that the TSA will start requiring gender and date of birth when we buy plane tickets. This is part of Secure Flight, and meant to increase the accuracy of matches to the terrorist watch list(s). As brought up by Bruce and many others over the years, the TSA has yet to identify a single case where this list… umm… you know… actually caught a terrorist. Yes, they’ve snagged some people with warrants, but this is supposedly the terrorist watch list, not the random dumb-ass criminal watch list. They’ve even been questioned about it in their blog comments multiple times, and have yet to answer. Thus, I think we all know the answer. (A special request to the TSA- when you add the colonoscopies, can we get copies to give to our physicians? I’m almost 40 and that would be a cool way to save on health care costs). Note: I don’t blame the people working hard at the checkpoints (other than the few bad eggs common in all workplaces). They are in a crappy position and we shouldn’t blame them for the idiocy of their superiors. Share:

Holy 0day Batman! What started as a quiet week definitely got a little more interesting yesterday as Microsoft released an out-of-band patch for a critical vulnerability affecting most versions of Windows. It’s been a while since MS had to push out an emergency fix like this, and boy was it a whacky vulnerability. For those of you who haven’t kept up on it, it is a flaw in the RPC service that allows remote code execution without authentication. What’s really interesting is that this flaw is in a part of the code base that was patched already for a very similar problem. What’s even more interesting is that this was discovered due to active exploits in the wild. I’ve been known to be a little persnickety about definitions, and I’ve never liked that we call all unpatched vulnerabilities zero-days. In my book, a true 0day is a vulnerability that is being actively exploited but we don’t know about it. The bad guys have information we don’t and are using it against us. When the details are public, but no patch is available, I just consider that an unpatched vulnerability. But who am I to say- I still consider hackers good guys. On a totally different note, I think I found a minor security flaw in the RSA Conference session submission system. It appears that if you submit a session and add a speaker, you can overwrite some of the attributes of that speaker if they are already in the system. Minor, but annoying since I was submitted for something like 10 sessions and part of my bio kept changing while I was submitting my own stuff. On that note, it’s time to head off and start decorating for our annual Evilsquirrel Halloween Party. We have about 13 tubs of decorations we’ve collected since my old roommates and I started holding parties around 1995 or so. I even have homemade animatronics I built using microcontrollers and other geeky stuff. Yeah, I fear for my impending children too, but the neighborhood kids love us. At least the ones who don’t pee themselves when the motion sensor kicks off. Webcasts, Podcasts, and Conferences: The Network Security Podcast, Episode 124. Jacob West from Fortify joined us to rail against electronic voting. If Dick Cheney wins the election, we’ll all know why. I participated in a virtual conference put on by InformationWeek and Dark Reading. I was on Ten Security Threats Your Organization May Be Unable to Prevent, with H D Moore of Metasploit and BreakingPoint and Trey Ford of WhiteHat Security. I felt a little weird talking about XSS and SQL Injection with H D following me, but it was a pretty good panel. Favorite Securosis Posts: Rich: Your Simple Guide to Endpoint Encryption. I’ve been writing a lot about market issues lately, and I really enjoy it when I can give out practical advice. Adrian: WAF vs. Secure Code vs. Dead Fish. Look folks, we’re far too polarized politically in this country to fight out over which of these things solves our problem better, when both are equally good and bad. Favorite Outside Posts: Adrian: Rsnake captures the everyman experience and puts the fun back into Internet browsing. I mean, can’t we all just get along? Rich: Andy reminds us what it’s like to work in the real world. Researchers, analysts, and vendors often forget what it’s like to be in the trenches, even though most of us have been there. I think it’s refreshing to read about Andy’s pain. Er… maybe that wasn’t the best way to say that. Top News: Microsoft Security Patch was released this week. We covered it a bit ourselves. Princeton posts a guide to hacking Sequoia voting machines. Jimmy Buffett for President! FTW! Australian government massively censoring the Internet. I love that country and have spent a lot of time down there, but the government is really whacky. Did you know that hard core pornography is illegal everywhere except the Australian Capital Territory (you know, where all the politicians are). Guess writing censorship bills is boring work. Voting machines flipping votes. Notice a trend? (Thanks to Dave at Liquidmatrix, who does a great daily summary). Blog Comment of the Week: Windexh8er’s comment on the Microsoft vulnerability post: So even though this sort of thing is less common as SDLs mature further (honestly Microsoft is doing a much better job in this space — but legacy code that’s in the OS is still there). This just goes back to the position wherein do corporations really need client side processing? Some may have valid reasoning (i.e. graphics / architecture / modeling / etc), but for the majority of the end users out there in corporate America they really don’t need a fully functional end system. In a Microsoft environment I’d like to see the next iteration of OS go to stripped down systems like you can leverage in Server2k8 – obviously most “work” today from a variety of different locations and the laptop has overwhelmingly displaced the standard desktop workstation for day to day business. With that respect the standard installation should be minimalistic at best. Stripped stack, host based filtering (in and out), no user rights with the exception of approved applications and then strictly managed socket / protocol connections to approved devices. Give them what they need through established connections. At that rate client processing goes way down and visibility and control sky rockets. It’s far too much for any given internal IT / IS departments to manage numerous deployed apps and multiple desktop configurations in the state business as usual is running today. Everyone I know has a corporate laptop (these are big businesses right) but all of these users can pretty much all connect to outside networks and do casual computing – even if it’s restricted, it’s still wide open enough to let the user infect themselves unknowingly. I’d love to do a formal PoC, like this, with one of my large clients. Cost savings

If you don’t already know, Microsoft is releasing an out of band critical update today. Rumor is it is not related to the TCP DoS issue, and may involve an 0day with remote code execution. Here’s the link to the webcast where they will detail what’s going on. We don’t normally jump on a bandwagon like this, but it sounds like a big one you’ll want to fix ASAP. UPDATE: Woops- literally 2 minutes after I posted this, Ryan Naraine posted details and a link to the official advisory. It’s a nasty vulnerability in the Server service that allows remote code execution without authentication. You should already be blocking TCP ports 139 and 445 at the perimeter, so nothing unusual to change on the firewall. But this is totally wormable, requires no authentication, and allows arbitrary code execution. It’s the evil trinity of vulnerabilities. You should pay extra attention to your mobile users and friends and family- have them update ASAP since the odds are they aren’t blocking those ports. Don’t get too cocky if you have a firewall- like Slammer it will only take one infected sales dude to plug back in at the office and ruin your day. These are the kinds of vulns NAC is made for. Also, don’t forget about those virtual versions of Windows running on your Mac. It looks so easy to exploit, that by the time you read this it’s probably too late 🙂 Share:

I’ve been slowly catching up on my reading after months of near-nonstop travel, and this post over at Imperviews caught my eye. Ignoring the product promotion angle, it raises one of my major pet peeves these days. I’m really tired of the Web Application Firewall vs. secure coding debate, never mind using PCI 6.6 to justify one over the other for security effectiveness. It’s like two drunk cajuns arguing over the relative value of shrimp or pork in gumbo- you need both, and if either is spoiled the entire thing tastes like sh&t. You also can’t dress up the family dog and fish in a pinch, use them as substitutes, and expect your kids to appreciate either the results or use of resources (resulting gumbo or the loss of Rover). Here’s the real deal- Secure coding is awesome and you need to adopt a formal process if you produce any meaningful volume of code. But it takes a ton of resources to get to the old code (which you should still try to do), and can’t account for new vulnerability classes. Also, people screw up… even when there are multiple layers to detect or prevent them from screwing up. On the other hand, WAFs need to get a hell of a lot better. We’re seeing some positive advancements, as I’ve written about before, but they still can’t stop all vulnerabilities, can’t stop logic flaws and certain other categories of attack, can’t deal with the browser end, and I hear a lot of complaints about tuning (while I think liking WAFs with Vulnerability Assessment is a great start on this problem, we’re just at the start of that race). I absolutely hate to tell you to buy more than you need, but if you have a major web presence you likely need both these days, in the right combination (plus a few other things). If you don’t have the resources for both, I suggest two options. First, if you are really on the low end of resources, use hosted applications and standard platforms as much as possible to limit your custom coding. Then, make sure you have kick ass backups. Finally, absolutely minimize the kinds of information and transaction you expose to the risk of web attacks- drop those ad banners, minimize collecting private information, and validate transactions on the back end as much as possible. If you do have some more resources available, I suggest starting with a vulnerability assessment (not a cheap ass bare-bones PCI scan, but something deeper), and using that to figure out where to go next. Yes- we are eating our own dog food on this one. The blog is hosted using a standard platform. We know it’s vulnerable, so we’ve minimized the attack surface as best we can and make sure we have backups of all the content. I’ve been pleasantly surprised we haven’t been nailed yet, but I expect it to happen eventually. None of our sensitive operations are on that server, and we’ve pulled email and our other important stuff in house. Early next year we’re going to be launching some new things, and we will again go with remote hosting (on a more powerful platform). This time, we are switching to a more secure platform than WordPress (Expression Engine) and will pay for a full vulnerability assessment and penetration test (at least annually, or when any major new components come online). We may perform some financial transactions, and we’ll use an external provider for that. A WAF is out of budget for us, so we’ll focus on minimizing our exposure and manually fixing problems discovered by ongoing assessments. We also plan on using as little custom code as possible. But seriously- I’m tired of this debate. Both options have value, they aren’t exclusionary, and which you need depends on what you are doing and how many resources you have. Eventually we’ll get a better lock on this problem, but that’s a few years out. Share:

Want to talk about electronic voting? We did. So we invited Jacob West from Fortify to talk with us about a paper he just published with a couple of engineers at Fortify. Guess what- they found electronic voting using DRE voting machines are the least secure way to vote. Makes me feel good going into the election. It’s a good thing we’re fairly self-policing when it comes to time; this is a conversation that could have gone on for a couple of hours. We had a number of technical issues tonight, so be glad we’ve got a podcast up at all. Network Security Podcast, Episode 124, October 21, 2008 Show Notes: Dear Mr. President: Let’s talk tech – We desparately need a geek in the Cabinet! Miley Cyrus Hacker Raided by FBI – Don’t brag to the press when you’re already in the cross-hairs! Flash Suckage: Eat your cookies – Now you can be tracked through Flash too. VeriSign and ICANN square off over the DNS root – Let’s just give it to Dan K. and let him manage it. Judge Suppresses Report on Voting Machine Security – Which brings us to why we’re really here Fortify’s paper on e-voting Share:

On the surface endpoint encryption is pretty straightforward these days (WAY better than when I first covered it 8 years ago), but when you start matching all the options to your requirements it can be a tad confusing. I like to break things out into some simple categories/use cases when I’m helping people figure out the best approach. While this could end up as one of those huge blog posts that ends up as a whitepaper, for today I’ll stick with the basics. Here are the major endpoint encryption options and the most common use cases for them: Full Drive Encryption (FDE): To protect data when you lose a laptop/desktop (but usually laptop). Your system boots up to a mini-operating system where you authenticate, then the rest of the drive is decrypted/encrypted on the fly as you use it. There are a ton of options, including McAfee, CheckPoint, WinMagic, Utimaco, GuardianEdge, PGP, BitArmor, BitLocker, TrueCrypt, and SafeNet. Partial Drive Encryption: To protect data when you lose a laptop/desktop. Similar to whole drive, with some differences for dealing with system updates and such. There’s only one vendor doing this today (Credent), and the effect is equivalent to FDE except in limited circumstances. Volume/Home Directory Encryption: For protecting all of a user’s or group’s data on a shared system. Either the users home directory or a specific volume is encrypted. Offers some of the protection of FDE, but there is a greater chance data may end up in shared spaces and be potentially recovered. FileVault and TrueCrypt are examples. Media Encryption: For encrypting an entire CD, memory stick, etc. Most of the FDE vendors support this. File/Folder Encryption: To protect data on a shared system- including protecting sensitive data from administrators. FDE and file folder encryption are not mutually exclusive- FDE protects against physical loss, while file/folder protects against other individuals with access to a system. Imagine the CEO with an encrypted laptop that still wants to protect the financials from a system administrator. Also useful for encrypting a folder on a shared drive. Again, a ton of options, including PGP (and the free GPG), WinMagic, Utimaco, PKWare, SafeNet, McAfee, WinZip, and many of the other FDE vendors (I just listed the ones I know for sure). Distributed Encryption: This is a special form of file/folder encryption where keys are centrally managed with the encryption engine distributed. It’s used to encrypt files/folders for groups or individuals that move around different systems. There are a bunch of different technical approaches, but basically as long as the product is on the system you are using, and has access to the central server, you don’t need to manually manage keys. Ideally, to encrypt you can right-click the file and select the group/key you’d like to use (or this is handled transparently). Options include Vormetric, BitArmor, PGP, Utimaco, and WinMagic (I think some others are adding it). Email Encryption: To encrypt email messages and attachments. A ton of vendors that are fodder for another post. Hardware Encrypted Drives: Keys are managed by software, and the drive is encrypted using special hardware built-in. The equivalent of FDE with slightly better performance (unless you are using it in a high-activity environment) and better security. Downside is cost, and I only recommend it for high security situations until prices (including the software) drop to what you’d pay for software. Seagate is first out of the gate, with laptop, portable, and full size options. Here’s how I break out my advice: If you have a laptop, use FDE. If you want to protect files locally from admins or other users, add file/folder. Ideally you want to use the same vendor for both, although there are free/open source options depending on your platform (for those of you on a budget). If you exchange stuff using portable media, encrypt it, preferably using the same tool as the two above. If you are in an enterprise and exchange a lot of sensitive data, especially on things like group projects, use distributed encryption over regular file/folder. It will save a ton of headaches. There aren’t free options, so this is really an enterprise-only thing. Email encryption is a separate beast- odds are you won’t link it to your other encryption efforts (yet) but this will likely change in the next couple years. Enterprise options are linked up on the email server vs. handling it all on the client, thus why you may manage it separately. I generally recommend keeping it simple- FDE is pretty much mandatory, but many of you don’t quite need file/folder yet. Email is really nice to have, but for a single user you are often better off with a free option since the commercial advantages mostly come into play on the server. Personally I used to use FileVault on my Mac for home directory encryption, and GPG for email. I then temporarily switched to a beta of PGP for whole drive encryption (and everything else; but as a single user the mail.app plugin worked better than the service option). My license expired and my drive decrypted, so I’m starting to look at other options (PGP worked very well, but I prefer a perpetual license; odds are I will end up back on it since there aren’t many Mac options for FDE- just them, CheckPoint, and WinMagic if you have a Seagate encrypting drive). FileVault worked well for a while, but I did encounter some problems during a system migration and we still get problem reports on our earlier blog entry about it. Oh- and don’t forget about the Three Laws. And if there were products I missed, please drop them in the comments. Share:

Yesterday, Adrian posted his take on a conversation we had last week. We were headed over to happy hour, talking about the usual dribble us analyst types get all hot and bothered about, when he dropped the bombshell that one of our favorite groups of products could be in serious trouble. For the record, we hadn’t started happy hour yet. Although everyone on the vendor side is challenged with such a screwed up economy, I believe the forces affecting the database security market place it in particular jeopardy. This bothers me, because I consider these to be some of the highest value tools in our information-centric security arsenal. Since I’m about to head off to San Diego for a Jimmy Buffett concert, I’ll try and keep this concise. Database security is more a collection of markets and tools than a single market. We have encryption, Database Activity Monitoring, vulnerability assessment, data masking, and a few other pieces. Each of these bits has different buying cycles, and in some cases, different buying centers. Users aren’t happy with the complexity, yet when they go shopping the tend to want to put their own car together (due to internal issues) than buy the full product. Buying cycles are long and complex due to the mix of database and security. Average cycles are 9-12 months for many products, unless there’s a short term compliance mandate. Long cycles are hard to manage in a tight economy. It isn’t a threat driven market. Sure, the threats are bad, but as I’ve talked about before they don’t keep people from checking their email or playing solitaire, thus they are perceived as less. The tools are too technical. I’m sorry to my friends on the vendor side, but most of the tools are very technical and take a lot of training. These aren’t drop in boxes, and that’s another reason buying cycles are long. I’ve been talking with some people who have gone through vendor product training in the last 6 months, and they all said the tools required DBA skills, but not many on the security side have them. They are compliance driven, but not compliance mandated. These tools can seriously help with a plethora of compliance initiatives, but there is rarely a checkbox requiring them. Going back to my economics post, if you don’t hit that checkbox or clearly save money, getting a sale will be rough. Big vendors want to own the market, and think they have the pieces. Oracle and IBM have clearly stepped into the space, even when products aren’t as directly competitive (or capable) as the smaller vendors. Better or not, as we continue to drive towards “good enough” many clients will stop with their big vendor first (especially since the DBAs are so familiar with the product line). There are more short-term acquisition targets than acquirers. The Symantecs and McAfees of the world aren’t looking too strongly at the database security market, mostly leaving the database vendors themselves. Only IBM seems to be pursuing any sort of acquisition strategy. Oracle is building their own, and we haven’t heard much in this area out of Microsoft. Sybase is partnered with a company that seems to be exiting the market, and none of the other database companies are worth talking about. The database tools vendors have hovered around this area, but outside of data masking (which they do themselves) don’t seem overly interested. It’s all down to the numbers and investor patience. Few of the startups are in the black yet, and some have fairly large amounts of investment behind them. If run rates are too high, and sales cycles too low, I won’t be surprised to see some companies dumped below their value. IPLocks, for example, didn’t sell for nearly it’s value (based on the numbers alone, I’m not even talking product). There are a few ways to navigate through this, and the companies that haven’t aggressively adjusted their strategies in the past few weeks are headed for trouble. I’m not kidding, I really hated writing this post. This isn’t a “X is Dead” stir the pot kind of thing, but a concern that one of the most important linchpins of information centric security is in probable trouble. To use Adrian’s words: But the evolutionary cycle coincides with a very nasty economic downturn, which will be long enough that venture investment will probably not be available to bail out those who cannot maintain profitability. Those that earn most of their revenue from other products or services may be immune, but the DB Security vendors who are not yet profitable are candidates for acquisition under semi-controlled circumstances, fire-sale or bankruptcy, depending upon how and when they act. Share:

There was some great hype in the wireless security world this weekend thanks to an article that made it on to Slashdot, and some FUD pumping so-called security consultants. Elcomsoft issued a press release that they can now crack WPA keys WAY faster using the GPUs (Graphics Processing Units) on the latest video cards. It’s kind of cool, and for wireless pen testing the tool sounds useful, but some of the quotes in the article from the security firm GSS (who I never heard of) are the typical garbage: “This breakthrough in brute force decryption of Wi-Fi signals by Elcomsoft confirms our observations that firms can no longer rely on standards-based security to protect their data,” said GSS managing director David Hobson. “As a result, we now advise clients using Wi-Fi in their offices to move on up to a VPN encryption system as well.” … Hobson added that the development could spur a step back from wireless to wired network connection in sensitive installation, such as financial services organisations, particularly concerned about data privacy. Idiots. These guys are forgetting two things- first, this method doesn’t work AT ALL against an enterprise installation (RADIUS) of WPA. George Ou has more on this. Second, as the original article added as an update, this attack only speeds up brute forcing. Use a long, strong passphrase for your WPA key and you’re fine. Rob Graham also has more on this. WPA-PSK still sucks to manage, and keys go stale, but use a good one and you’re fine. GCC should go back to playing Team Fortress or something with those video cards, because they were either misquoted, or clueless. Share:

What a wild, wacky, crazy week. I have a funny suspicion a lot of stock brokers and investors are scraping together their spare change for some major liquid escapes this weekend. As a small business we haven’t felt the impact yet, but we are keeping a close eye on things and preparing to adjust our strategy as needed. Security deals are definitely slowing- we sense an impending rush of acquisitions, and a general feeling of nervousness. The need for security never goes away, but if you aren’t making plans to protect yourself through this crisis, you might go away. Someone responded to a Twitter post of mine that this will be over before the next president takes office; I can’t possibly imagine that happening. Meanwhile, we watched the usual spectacle of the Presidential debate. Since I already know who I’m voting for, I’m not sure why I watch them at all. Like NASCAR, I suppose I don’t want to miss out when someone smashes into the wall and bursts into flames. On the security front, this week we saw more clickjacking details emerge, Apple release a security update, the World Bank get totally pwned, and Symantec make a major acquisition at a good multiple. But don’t get too excited; we also know a lot of investors pushing early exits at low multiples to save what they can. I don’t mean to focus so much on the finance side of the security world, but I think we’re going to see it bleed into our daily operations as the vendor landscape shifts around. Over here at Securosis central I continued to geek out and work on our infrastructure. We may be small, but we’re trying to set up some cool collaboration tools to support us as we grow. For you other small business types, the wiki/blog/calendar/mail group integration of OS X Server works surprisingly well, although I don’t think it would be my first choice for an external web server. I just wish it would index documents attached to the wiki. I also ordered a Drobo for our backups and I’ll let you all know how it works. Oh- and on my run yesterday I saw two coyotes in the park near our house watching me. Very cool. Webcasts, Podcasts, and Conferences: Martin and I have started broadcasting the Network Security Podcast live as we record it. In episode 123 (my luggage combination!) we talk about electronic voting, China spying, and clickjacking. If you didn’t catch it in the October print edition of Macworld, here’s the online version of the firewall article I coauthored with Chris Pepper. I wrote an article on mobile phone networks for TidBITS that made the front page of Slashdot. I think it’s about the 6th time I’ve hit the front page this year, which is pretty wacky. The TidBITS server had a massive failure unrelated to the Slashdot load right after the article was linked (oops). I was quoted over at Dark Reading on the license changes to Metasploit 3.2. I know I wrote that quote, but reading it now it comes off strangely ambiguous. For the record, I think it’s a great change that will really drive some interesting things in the pen testing software world. Adrian and I were invited by Jeremiah Grossman to a lunch event here in Phoenix with his company (WhiteHat Security) and F5. It was nice to finally get a demo of the F5/WhiteHat integration (WhiteHat generates dynamic WAF rules on the F5 box to block validated vulnerabilities; it’s pretty cool). Jeremiah also showed us his clickjacking code/demo. I almost wondered if I downplayed it too much after seeing it at work. On the bad side, some slimeballs from a local ISP decided to show up, enjoy a free lunch, and proceed to hit up every single one of us there as their personal sales prospects. I pretended I was out of business cards, but they snagged one of Adrian’s so he’ll get the call. Talk about low. Favorite Securosis Posts: Rich: Clickjacking Details, Analysis, and Advice. I tried to put some context around it, and talk about the overall impact. Direct from Rsnake is some advice on limiting the exploit. Adrian: Symantec Buys MessageLabs. Symantec pays a hefty price, but they land a leader in SaaS email security and fill out their messaging security portfolio. Favorite Outside Posts: Adrian: I had trouble naming any single post my favorite for the week. There was a most shocking, a scariest, a most depressing and a most sadly illuminating. I am going with the illuminating look into the minds of Sequoia Capital and their reactions to the current financial crisis. This should look a lot like the tech crash of 2001, and frankly, I hope this information was conveyed to their portfolio companies 9-12 months ago as the window to react has passed. Rich: Gunnar Peterson’s Innovators, Imitators, and Idiots. Just a great post that I need to blog about more fully later. Top News: The World Bank is seriously compromised. We need a new word for pwn. Apple releases a big OS X security update. Asus ships EEE PCs infected with a virus. Good job guys. ATM skimmers now include a wireless modem for SMS messages. The bad guys increase their embedded devices skills. Blog Comment of the Week: Christophe’s comment on My “Policies, Plans, and Procedures” post: Alas, I work in a former communist country where people were used to signing awful things, and hide whatever they did from upper eyes. I sure have an agreement, signed by all users, stating their responsibility, but that means almost nothing to them. Time for happy hour with some of out local financial analyst friends. Smart guys who are doing well through this mess, so we plan on getting them loaded and sucking up the advice. Share:

I don’t remember the exact quote from King of the Hill (an animated series here in the US), but it went something like this. Bobby: But how come you don’t want Luanne to go out with guys but you want me to date girls? Dad: It’s called the double standard, Bobby. Don’t knock it – we got the long end of the stick on that one. Alan Shimel clearly got the short end of the stick when his account was hacked. Heck, he got the short end of the nub, and so would pretty much all of us. Odds are high you’ve heard that the college kid that hacked Palin’s account is being indicted and could face jail time. Twitter was all aflutter yesterday with concerns that the potential punishment exceeds the crime. Personally, I believe if you break the law, you face the consequences. I also harbor no illusions that our justice system is blind. It’s clear if you mess with a popular politician, they will frack you as hard as possible, in every way possible Then bury you. Then pee on your grave. Then pee on your dog before they bury it next to you. Your family and friends? You really don’t want to think about that. And when you mess with a maverick Republican? Well, let’s better hope they can’t track down anyone that ever bothered to smile in your general direction. Had the perpetrator broke into a government account I would expect a different set of consequences. But a personal account should be treated the same as Joe Six Pack’s. Heck, Alan’s break in involved documented financial fraud, unlike Palin. Not that I think we should destroy the lives of every college kid that virtually shoplifts a virtual candy bar (punishment should suit the crime), but over-tolerance only breeds contempt. Just call me a dreamer, but as a realist I know I’m just wasting my words on this particular topic. Still, I’ve heard from businesses that unless credit cards or other hard financial losses are clearly involved it is essentially impossible to get law enforcement to take action; they just don’t have the resources. As such we need to focus on our own monitoring and incident response. If you can’t prove someone really stole your cash, you won’t get the attention of law enforcement. If you can’t give them a description, don’t expect the case to go very far. It’s really no different in the physical world. A few years ago, when I moved to Phoenix, we screwed up and left the garage door open at night. One of those silly mistakes when you think the other person took care of it. Neighborhoods are routinely cruised out here, and when I woke up and noticed it was too late. There went my road bicycle, most of my climbing gear, and, worst of all, a small pack containing my original Star Wars figures I’d saved since I was a kid and some other very personal mementos. We filled out a police report but never expected any action (no, they won’t take fingerprints if someone steals your bike), and after our deductible it wasn’t even worth filing an insurance claim. I made the rounds of the local pawn shops, but no joy. Society accepts a certain level of losses, since we don’t have the resources to continue otherwise. That doesn’t, of course, apply when something gets the press attention of the Palin hack. Sometimes it’s about the losses, and other times it’s about looking good in the press. Share: