Dibbler's Net


Tuesday, August 05, 2008

“Clear” Program loses data

Via Slashdot to the CBS SF web site: Security Breached At SFO Due To Stolen Laptop. So all Clear users have possibly had all their data stolen; however, I doubt this is new.

There are more of these stories every day and I think we are finally seeing critical mass on these. This has been long covered by Bruce Schneier in his Crypto-Gram Newsletter for years.

Now for my rant on this, which involves two separate issues on this topic.

Issue 1: I come from the days of mainframes. All the data in a secure location with dumb clients that validated users before allowing them access to the data. When dealing with these large databases of users, why do they exist in a standalone form on the notebook? Is there a reason for offline access? When you have offline access to this database, how do you as a company audit access to the data and verify data stability? With the proliferation of VPNs, mobile data cards, and really the ability to have networks anywhere, why does this need to be on a standalone machine? This has always been a base rule of security: if you can't control the physical access to the machine then you have already lost.

Issue 2: The laptop has been stolen, so now people consider that the data is insecure and that places the names at risk. I assert that by admission of the data being on the notebook in the first place there is already a high probability that the data has already been compromised. Let's take a logical look at this. If the database exists on the notebook in a standalone form, that means that at a minimum it exists in the form of an Excel spreadsheet, or maybe an Access database with a small GUI frontend, or even possibly a standalone Oracle or MS SQL install that holds the data, but for 33,000 records I really doubt they have gone to that extreme yet. So if the data is an Access database or an Excel spreadsheet, how did it get there? Was it sent by cleartext email to an unknown number of accounts where it can be read or forwarded without issue? Maybe it was sent out to employees on a CD which is then used to install on the notebook, but then is the CD safely destroyed? The point here being that if they feel safe keeping the data in a standalone application on the notebook, then one can assume the data has already been disclosed prior to the notebook being stolen.

In the end this comes down to what FISMA, Sarbanes-Oxley, and every other federal regulation has been trying to establish. There are three critical areas when it comes to data storage. The first is the ability to limit access to allowed users with a need to create, view, modify, or delete. The second is to be able to validate and verify the integrity of the data so you can detect changes that make the data wrong. The third is to audit the data: you should know who looked at, changed, added, or deleted data at any time. Currently the easiest way to meet these three is to start with a safe infrastructure that holds the data. A notebook in an office is not a good start and shows a bad corporate stance. If you're the CIO of Clear then you have a real uphill battle getting the trust back of not only your current customers but of those future customers, of which I will not be one. I also think it's about time we stop trusting companies by default and start making companies show us that they are safe before we become customers.

D~

Posted by derrick in Blogging, Personal, Security

Read Only CGI Patch for Nagios 3.0.3 Updated

For many, many versions now I have maintained a patch for Nagios called the Read Only Patch. I have found in most cases that when I have a Nagios install I have some type of external user involved. Nagios is a great tool for showing what's working and not just what's wrong. But in order to allow external users to see what's working they need an account, and with that account there are all sorts of commands they can run or comments they can see. This patch removes that ability for selected users. It also removes comments, as in most Nagios installs I leave the comments as a way for techs to relay information regarding a system, and that information is not always meant for external view. If you have any questions please feel free to comment or ask them on the Nagios-Devel mailing list.

D~

Download the tar file.

# READONLY Patch for Nagios 3.0.3 Derrick Bennett Aug 4, 2008

This patch provides a new option in cgi.cfg:

authorized_for_read_only=

,

Any Nagios userid listed in the above cgi variable will be limited to read-only CGI access.
This will block any service or host commands normally shown on the extinfo pages.
This will also block any service- or host-based comments from being shown to read-only users.
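A small model of the rule above, added here as an example and not taken from the Nagios source or from the patch itself: it parses the `authorized_for_*` lines of a cgi.cfg excerpt (constructed, with placeholder user names) and shows that a user in `authorized_for_read_only` loses command links and comments even when another `authorized_for_*` line would have granted commands. Real Nagios also grants view access to the contacts of a host or service; this model only uses the `authorized_for_all_*` lists.

```python
from typing import Dict, Set

# Constructed cgi.cfg excerpt; the user names are placeholders.
SAMPLE_CGI_CFG = """
# comments and blank lines are ignored, like in the real cgi.cfg
authorized_for_all_hosts=nagiosadmin,customer1,customer2
authorized_for_all_services=nagiosadmin,customer1,customer2
authorized_for_all_host_commands=nagiosadmin,customer1
authorized_for_all_service_commands=nagiosadmin,customer1
authorized_for_read_only=customer1,customer2
"""


def parse_authorizations(cfg_text: str) -> Dict[str, Set[str]]:
    """Return {directive: set of user names} for every authorized_for_* line."""
    auth: Dict[str, Set[str]] = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if not key.startswith("authorized_for_"):
            continue
        # Values are comma separated; tolerate stray spaces and empty items.
        users = {u.strip() for u in value.split(",") if u.strip()}
        auth.setdefault(key, set()).update(users)
    return auth


def cgi_view_for(user: str, auth: Dict[str, Set[str]]) -> Dict[str, bool]:
    """What the extinfo CGI would show to `user` under the read-only rule.

    A read-only user keeps host/service status but gets no command links and
    no comments; read-only takes precedence over any command authorization.
    """
    def listed(directive: str) -> bool:
        return user in auth.get(directive, set())

    read_only = listed("authorized_for_read_only")
    can_view = listed("authorized_for_all_hosts") or listed("authorized_for_all_services")
    has_cmd = (listed("authorized_for_all_host_commands")
               or listed("authorized_for_all_service_commands"))
    return {
        "status": can_view,
        "commands": can_view and has_cmd and not read_only,
        "comments": can_view and not read_only,
    }


if __name__ == "__main__":
    auth = parse_authorizations(SAMPLE_CGI_CFG)
    for name in ("nagiosadmin", "customer1", "customer2"):
        print(name, cgi_view_for(name, auth))
```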

As shown below, instead of seeing the commands or comments they get a notice that commands are not available, and comments just don't show up at all.


Posted by derrick in Blogging, Nagios

Sunday, August 03, 2008

SlingBox Solo FTW


Finally bought a SlingBox Solo. I have a DirecTV HD DVR at the house and wanted to see what Windows Mobile can really do. I installed the Slingbox on the DVR using the component video out. I was able to set up the software pretty easily. I had one issue where my Astaro Firewall IDS was causing an issue with the last configuration wizard. Once that was resolved I tried it out. First using my notebook and a nearby Wifi I found that the SlingPlayer works really well. Good picture, and it gives you your home remote so you can watch anything on the DVR. Next I downloaded the SlingPlayer for Windows Mobile 6 for my T-Mobile Wing.

Now, on the second day I even have my Wing at work, the most Internet-connected thing happens. On one of my barely used monitors I keep the iGoogle homepage up, which has news headlines and other modules. One of the modules is a Twitter client. Around lunch time I see about 3 Twitter postings from people about an earthquake hitting lower SoCal. I am originally from the Los Angeles, CA area so I am immediately interested. I break out the Wing, hit my Slingbox player and turn on 202 (CNN). I instantly have live video in decent quality over the EDGE network and am watching CNN. This is really the type of reason to have something like this. The battery and quality are not there to watch BSG for an hour each week, but it's perfect when you need news anywhere.

Overall I like the Sling product. Setup was easy; quality and software work as expected. Downside: the PC client is free, but I need to buy the mobile client.

D~

Posted by derrick in Blogging, Personal