Friday, October 30, 2009

More evidence that it is not only me advocating well-known, old-time security procedures.

http://broadcast.oreilly.com/2009/10/top-log-fail.html

Top Log FAIL

By Anton Chuvakin October 29, 2009

A recent Wal-Mart intrusion story inspired me to summarize the most egregious, reckless, painful, negligent, sad, idiotic examples of failures with logs and logging - "Top Log FAIL." I am pretty sure that esteemed readers of SysAdmin Blog would never, ever do anything of that sort :-)
Here they are:

  1. Logging disabled: if you got a system which had operational logging enabled by default and then you turned it off before deploying in production - congratulations! You truly earn your title of a Log Idiot! :-)

  2. Logging not enabled: this is more sad than anything else ... and the person who will suffer the most from this is likely the one who has caused it. After all, you'd need those logs at some point yourself. There is nothing sadder than seeing a person having to explain to management, police, FBI, press, QSA, SEC, whoever: "Well, logging ... was ... never ... enabled!" (check out this motivational horror story)

  3. No log centralization: Windows admins, read this one - logs on the machine that crashed, was 0wned or even stolen will do you absolutely no good. It used to be that only Unix administrators could do this (via the magic of the /etc/syslog.conf line "*.* @loghost.example.com"), but you, on the Windows side, could not. Please notice that the world is different now! (check out this deck on benefits and tips related to log centralization)

  4. Log retention period too short: the picture on the right should make this item (as well as the one above) painfully clear: doing "the right thing" and building the centralized logging infrastructure and then limiting the retention to 30 days is still "log FAIL." Many, many scenarios today require logs from the past - for the juiciest examples check all the recent "compromised in 2006 - discovered in 2008" stories (see some here in this deck)

  5. No logging of "Granted", "Accepted", "Allowed", etc: I don't even know where to start on this one - maybe thus: logging firewall "connection blocked" events simply means that the firewall was doing its job, logging "connection allowed" shows that somebody is now in your network... The same idea applies to logging "login failed" and missing "login successful" - please make really sure to always log both (read this tip for more examples, instructions and ideas)

  6. Bad logs: if you are in operations, this is truly not your fault. But if you are in development - it probably is. Creating such logging classics as "failed successfully" and "login failed" [with no actual user name recorded] is a fine example of this "log FAIL." Be aware that our work on CEE will fix it eventually, but more hilarity will have to transpire before it happens (see this deck for some ideas on how not to engineer logging and how to do it - and for some examples of hilarity, of course)

  7. No log review or nobody is looking at logs: I am saving this "log FAIL" for last; logs are created to be reviewed, monitored, searched, investigated, etc and NOT - I assure you! - to simply use up disk space (check my famous "Top 11 Reasons to Look at Logs" as well as the classic "Top Logging Mistakes" for more info on this one)

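To make items 5, 6 and 7 concrete, here is a small review script I added; it is not from Chuvakin's post. It runs the kind of log review item 7 asks for over a handful of constructed syslog lines (iptables-style kernel ACCEPT/DROP lines, OpenSSH "Accepted"/"Failed password" lines, and a made-up "webapp" application log; the hostnames, usernames and 203.0.113.x/198.51.100.x addresses are invented for the example). The detection it implements is the classic one: a successful login from a source that had already failed several times. Run against the same lines with the "Accepted"/"ACCEPT" events stripped out, as a site that logs only failures would have them, the detection has nothing to fire on, which is item 5's point; the "login failed" line with no user or source is item 6.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines for this example (not from the original post).
# Hosts, users and addresses (RFC 5737 documentation ranges) are made up.
SAMPLE_LOGS = """\
Oct 30 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Oct 30 10:00:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Oct 30 10:00:03 fw1 kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=22
Oct 30 10:00:05 srv1 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Oct 30 10:00:06 srv1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Oct 30 10:00:07 srv1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Oct 30 10:00:09 srv1 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51004 ssh2
Oct 30 10:05:00 app1 webapp: login failed
Oct 30 10:05:01 app1 webapp: login successful for user=bob from 198.51.100.5
"""

# One regex per log format in the sample. The "webapp" format is hypothetical.
FW_RE = re.compile(r"kernel: (?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<src>\S+)")
APP_RE = re.compile(r"webapp: login (?P<result>successful|failed)"
                    r"(?: for user=(?P<user>\S+) from (?P<src>\S+))?")


def parse_line(line):
    """Normalize one syslog line into a dict. kind is one of
    fw_accept, fw_drop, auth_success, auth_fail or unknown."""
    ev = {"raw": line, "kind": "unknown", "src": None, "user": None}
    if m := FW_RE.search(line):
        ev.update(kind="fw_accept" if m["action"] == "ACCEPT" else "fw_drop", src=m["src"])
    elif m := SSH_RE.search(line):
        ev.update(kind="auth_success" if m["result"] == "Accepted" else "auth_fail",
                  user=m["user"], src=m["src"])
    elif m := APP_RE.search(line):
        # Optional groups are None when the line carries no user/source (item 6).
        ev.update(kind="auth_success" if m["result"] == "successful" else "auth_fail",
                  user=m["user"], src=m["src"])
    return ev


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def allowed_inbound(events):
    """Firewall ACCEPTs: the lines that show somebody is now inside (item 5)."""
    return [ev["src"] for ev in events if ev["kind"] == "fw_accept"]


def successes_after_failures(events, threshold=3):
    """(src, user) pairs where a login succeeded from a source that had already
    failed `threshold` or more times. Needs the success events to exist."""
    failures = defaultdict(int)
    hits = []
    for ev in events:  # events are assumed to be in time order
        if ev["kind"] == "auth_fail" and ev["src"]:
            failures[ev["src"]] += 1
        elif ev["kind"] == "auth_success" and ev["src"] and failures[ev["src"]] >= threshold:
            hits.append((ev["src"], ev["user"]))
    return hits


def unusable_entries(events):
    """Auth events with no user or source recorded: a 'login failed' line
    nobody can act on (item 6)."""
    return [ev["raw"] for ev in events
            if ev["kind"] in ("auth_fail", "auth_success") and not (ev["user"] and ev["src"])]


def without_success_events(events):
    """Simulate a site that logs only denials and failures, as item 5 warns against."""
    return [ev for ev in events if ev["kind"] not in ("auth_success", "fw_accept")]


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    print("allowed inbound from:", allowed_inbound(evs))
    print("success after repeated failures:", successes_after_failures(evs))
    print("unusable entries:", unusable_entries(evs))
    print("same detection with successes not logged:",
          successes_after_failures(without_success_events(evs)))
```

On the sample, the only ACCEPT and the admin login that follows three failures both come from 203.0.113.7, so the review surfaces one source to chase; with the success events dropped the same review returns nothing, even though the compromise still happened.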



Is there provision for an “anonymous client?”

http://www.pogowasright.org/?p=4855

Judge: FTC Cannot Make Lawyers Comply With Identity Theft Laws

October 29, 2009 by Dissent Filed under Breaches, Court, Featured Headlines

The Federal Trade Commission cannot force practicing lawyers to comply with new regulations aimed at curbing identity theft, a federal judge ruled today at the U.S. District Court for the District of Columbia.

The decision offers a reprieve to law firms across the country, which faced a deadline this weekend to put in place programs to meet so-called “Red Flags Rule” requirements. The rules would have forced firms to verify the identities of potential clients.

The American Bar Association, represented by a Proskauer Rose team led by partner Steven Krane, argued that the rules would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers were not covered by the rule. The FTC contended that lawyers should be covered, because many of their billing practices, such as charging clients on a monthly basis rather than up front, made them “creditors.”

Read more on BLT: The Blog of Legal Times.



Dilbert addresses both Cloud Computing and Identity Theft!

http://dilbert.com/strips/comic/2009-10-30/



When you have a terrorist in those “snap a nude image” scanners, you can turn up the juice and fry them where they stand.

http://science.slashdot.org/story/09/10/30/1216230/How-Terahertz-Waves-Tear-Apart-DNA?from=rss

How Terahertz Waves Tear Apart DNA

Posted by kdawson on Friday October 30, @08:55AM from the tear-a-cell dept.

KentuckyFC writes

"Great things are expected of terahertz waves, the radiation in the electromagnetic spectrum between microwaves and the infrared. Terahertz waves pass through non-conducting materials such as clothes, paper, wood and brick and so cameras sensitive to them can peer inside envelopes, into living rooms and 'frisk' people at distance. That's not to mention the great potential they have in medical imaging. Because terahertz photons are not energetic enough to break chemical bonds or ionize electrons, it's easy to dismiss fears over their health effects. And yet the evidence is mixed: some studies have reported significant genetic damage while others, although similar, have reported none. Now a team led by Los Alamos National Labs thinks it knows why. They say that although the forces that terahertz waves exert on double-stranded DNA are tiny, in certain circumstances resonant effects can unzip the DNA strands, tearing them apart. This creates bubbles in the strands that can significantly interfere with processes such as gene expression and DNA replication. With terahertz scanners already appearing in airports and hospitals, the question that now urgently needs answering is what level of exposure is safe."



Could this be why states are gathering DNA? They plan to make our highways safer? Anything to keep them from selling this to insurance companies? Perhaps defective genes explain all anti-social behavior?

http://science.slashdot.org/story/09/10/29/1615214/Bad-Driving-May-Have-Genetic-Basis?from=rss

Bad Driving May Have Genetic Basis

Posted by samzenpus on Thursday October 29, @01:11PM from the born-to-run-off-the-road dept.

Serenissima writes

"Bad drivers may in part have their genes to blame, suggests a new study by UC Irvine neuroscientists. People with a particular gene variant performed more than 20 percent worse on a driving test than people without it — and a follow-up test a few days later yielded similar results. About 30 percent of Americans have the variant. 'These people make more errors from the get-go, and they forget more of what they learned after time away,' said Dr. Steven Cramer, neurology associate professor and senior author of the study published recently in the journal Cerebral Cortex."



One of my favorite judges gets to slam government lawyers again and again. Why they keep trying tactics that the judge has rejected many times before is one of those “I'll never understand lawyers” questions. Since Clinton has admitted guilt, why are they fighting so hard?

http://www.pogowasright.org/?p=4862

Privacy Act Does Not Apply to White House?

October 29, 2009 by Dissent Filed under Govt, U.S.

From their press release:

Judicial Watch, the public interest group that investigates and prosecutes government corruption, announced today that the Obama administration argued in a recent court filing that the Privacy Act does not apply to the Executive Office of the President (EOP). This court filing came in a Judicial Watch lawsuit filed in 1996 against the Clinton White House related to a scandal known as “Filegate,” where the Clinton White House obtained and maintained the private FBI files of hundreds of former Reagan and Bush officials [Alexander v. Federal Bureau of Investigation, Civil Action No. 96-2123/97-1288 (RCL)].

In the Obama administration’s “Renewed Motion for Summary Judgment,” filed with the U.S. District Court for the District of Columbia on September 17, the Obama Justice Department stated the following: “The White House is not an agency under the Freedom of Information Act (FOIA), and it necessarily follows that it is not an agency subject to the Privacy Act.” However, the Privacy Act specifically lists the “Executive Office of the President” as an agency subject to the Act’s provisions.

U.S. District Court Judge Royce Lamberth had repeatedly rejected this same legal argument, most recently in 2008 when the court ruled against a government motion that would have dismissed the lawsuit: “…this court holds that under the Privacy Act, the word ‘agency’ includes the Executive Office of the President, just as the Privacy Act says.”

While the Obama administration continues to advance the legal and political argument that the White House and the FBI should not be held accountable for the Filegate scandal, former President Bill Clinton apparently disagrees. Clinton told historian Taylor Branch in preparation for a recently published book, “those files did not belong at The White House,” and that they “should have been isolated and returned immediately.” According to Branch, Clinton also said “[h]is administration should and would be held accountable.”

“What the Obama administration is effectively saying here is that if the White House decides to illegally compile FBI files and violate your privacy rights, tough luck,” said Judicial Watch President Tom Fitton. “It is disturbing that the Obama administration has taken the legal position that the Privacy Act does not apply to the White House and the Clinton FBI files scandal was not a scandal. It is worrying to those of us concerned about the Obama White House’s collecting ‘fishy’ emails and compiling an enemies list of news organizations, radio hosts, businesses, and industry associations to attack and smear. Is the Obama defense of the FBI files scandal less about that Clinton scandal and more about what his White House is up to now?” [Are you listening Fox News? Bob]

Documents related to Judicial Watch’s Filegate lawsuit can be found on their web site.



How else can you have a really effective (and scary) Secret Police? (Would the courts reach the same opinion if emails were encrypted?)

http://www.pogowasright.org/?p=4878

On Gmail and the Constitution

October 30, 2009 by Dissent Filed under Court, Featured Headlines, Internet

Ashby Jones writes:

Here’s a question: Is it kosher for a law enforcement agency to, pursuant to a lawfully granted search warrant, search your Gmail account without telling you?

According to an opinion handed down earlier this year and currently making the rounds on legal blogs (here and here), the answer is yes.

The opinion, handed down by Portland, Ore., federal judge Michael Mosman, doesn’t really delve into the case’s facts. It cuts right to the legal issue: whether the government must notify the subscriber to an email service before the government undertakes a search. [...]

Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.

Read more on the WSJ Law Blog.

Over on FourthAmendment.com, John Wesley Hall comments:

The sad fact is that an amendment will be required to put a notice provision into the Stored Communications Act. People think e-mail is private like letters in transit, but “[t]he blunt fact is, they are not.” Technology is steadily overcoming the Fourth Amendment. From GPS to e-mail, our privacy is slipping away, and older notions of the meaning of the reasonable expectation of privacy no longer seem to apply. If people think that e-mail is private, then why cannot they have a subjective expectation of privacy “that society is prepared to recognize as ‘reasonable.’” Katz, infra, at 361 (Harlan, J., concurring).

The case is In the Matter of an Application of the United States for a Search Warrant on the Contents of Electronic Mail and for an Order Directing a Provider of Electronic Communication Services to not Disclose the Existence of the Search Warrant, 2009 WL 3416240 (No. 08-9131-MC, D. Ore.


(Related) Slightly different perspective

http://yro.slashdot.org/story/09/10/29/2257209/Federal-Judge-Says-E-mail-Not-Protected-By-4th-Amendment?from=rss

Federal Judge Says E-mail Not Protected By 4th Amendment

Posted by timothy on Thursday October 29, @07:58PM from the persons-papers-and-effects dept.

DustyShadow writes

"In the case In re United States, Judge Mosman ruled that there is no constitutional requirement of notice to the account holder because the Fourth Amendment does not apply to e-mails under the third-party doctrine. 'When a person uses the Internet, the user's actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus 'private' information is actually being held by third-party private companies."" Updated 2:50 GMT by timothy: Orin Kerr, on whose blog post of yesterday this story was founded, has issued an important correction. He writes, at the above-linked Volokh Conspiracy, "In the course of re-reading the opinion to post it, I recognized that I was misreading a key part of the opinion. As I read it now, Judge Mosman does not conclude that e-mails are not protected by the Fourth Amendment. Rather, he assumes for the sake of argument that the e-mails are protected (see bottom of page 12), but then concludes that the third party context negates an argument for Fourth Amendment notice to the subscribers."


(Related) Could Oceania have slipped some spies onto Big Brother's court?

http://www.pogowasright.org/?p=4892

UK: Criminal record checks gone too far

October 30, 2009 by Dissent Filed under Court, Featured Headlines, Non-U.S., Workplace

Tom Whitehead reports:

The system of investigating people’s backgrounds for employment vetting must be overhauled because it is wrongly “tilted” in favour of protecting the public, the Supreme Court concluded.

It said this meant that individual rights could be damaged by “unreliable” or “out of date” details, especially with the use of so-called soft intelligence held by police, such as allegations or suspicions, in enhanced Criminal Record Bureau (CRB) checks.

In a victory against the growing Big Brother state, the justices, in their first judgment since the Supreme Court opened in Britain earlier this month, said there should no longer be a “presumption for disclosure” of such information, which could be “even mere suspicion or hints of matters which are disputed by the applicant”. [...]

In a second significant development, the Supreme judges said in cases where the disclosure of information is “borderline”, individuals should be given the opportunity to make representations to the police before it is passed on to employers.

Police chiefs said they would now “actively consider” allowing people to make representations.

Read more in the Telegraph.



Strange, it seems the court wants to hold the government to the same standards as the private sector. What could they be thinking?

http://www.pogowasright.org/?p=4865

Arizona public records law applies to metadata

October 29, 2009 by Dissent Filed under Court

In a decision that will be welcomed by transparency advocates but may induce handwringing in others, the Supreme Court of Arizona ruled that:

Arizona law provides that “[p]ublic records and other matters in the custody of any officer shall be open to inspection by any person at all times during office hours.” Ariz. Rev. Stat. (“A.R.S.”) § 39-121 (2001). The City of Phoenix denied a public records request for metadata in the electronic version of a public record. We today hold that if a public entity maintains a public record in an electronic format, then the electronic version, including any embedded metadata, is subject to disclosure under our public records laws.

The case is Lake v. City of Phoenix. The full decision is here (pdf). Hat-tip, How Appealing blog.


(Related) They should have read this.

http://www.bespacific.com/mt/archives/022688.html

October 29, 2009

A Call to Action for State Government: Guidance for Opening the Doors to State Data

"States and local governments should increase citizens' access to raw, machine-readable data through sites similar to the federal government's Data.gov. Data democratization will lead to greater citizen engagement and government accountability, according to the National Association of State CIOs' latest brief on transparency. In A Call to Action for State Government: Guidance for Opening the Doors to State Data, state and local CIOs are advised to populate these portals with data that is already currently available, and develop agreements with the data owners and custodians to supply ongoing data to the portal." [Dotgov Buzz]

[From the guidance:

Metadata Model

Datasets that are made available should include additional information about the dataset in order to present the context for the data



Background for the debate? How government agencies grab power?

http://news.cnet.com/8301-1035_3-10385865-94.html

The case against the FCC's Net neutrality plan

by Larry Downes October 29, 2009 10:00 AM PDT

… The comment process, which runs until March 2010, is open to anyone. The FCC is clearly expecting lots of comment. The document itself asks more than 100 questions, including whether the new rules are necessary, whether the commission should enforce them without detailed regulations but instead on a "case by case" basis, and even whether the commission has the legal authority to enact new rules in the first place.



Should we twitter them?

http://www.pogowasright.org/?p=4868

Facebook calls for feedback on proposed privacy changes

October 30, 2009 by Dissent Filed under Businesses, Featured Headlines, Internet

Facebook’s privacy policy will be changing — partly in response to changes requested by the Canadian government — and Facebook is seeking responses to the proposed changes. Yesterday, Vice President of Communications and Public Policy Elliot Schrage invited users to comment about the proposed changes. Members have until November 5 to submit comments.

Our primary goals remain transparency and readability, which is why we’ve used plain language and included numerous examples to help illustrate our points. For example, here is how we explain users’ options for modifying or deleting information or content in the current privacy policy on the site:

When you update information, we usually keep a backup copy of the prior version for a reasonable period of time to enable reversion to the prior version of that information. …

… Even after removal, copies of User Content may remain viewable in cached and archived pages or if other Users have copied or stored your User Content. …

Access and control over most personal information on Facebook is readily available through the profile editing tools. Facebook users may modify or delete any of their profile information at any time by logging into their account. Information will be updated immediately. Individuals who wish to deactivate their Facebook account may do so on the My Account page. Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.

Here is the clearer and more comprehensive version from the new proposed policy:

Viewing and editing your profile. You may change or delete your profile information at any time by going to your profile page and clicking “Edit My Profile.” Information will be updated immediately. While you cannot delete your date of birth, you can use the setting on the info tab of your profile information page to hide all or part of it from other users. …

Deactivating or deleting your account. If you want to stop using your account you may deactivate it or delete it. When you deactivate an account, no user will be able to see it, but it will not be deleted. We save your profile information (friends, photos, interests, etc.) in case you later decide to reactivate your account. Many users deactivate their accounts for temporary reasons and in doing so are asking us to maintain their information until they return to Facebook. You will still have the ability to reactivate your account and restore your profile in its entirety. When you delete an account, it is permanently deleted. You should only delete your account if you are certain you never want to reactivate it. You may deactivate your account on your account settings page or delete your account on this help page.

Limitations on removal. Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users. However, your name will no longer be associated with that information on Facebook. (For example, if you post something to another user’s profile, and then you delete your account, that post may remain, but be attributed to an “Anonymous Facebook User.”) Additionally, we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested.

Backup copies. Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others.

Read more on Facebook.


(Related) Should the government have 'friends' on Facebook? Is that what we mean when we say lawyers are friends of the court?

http://www.bespacific.com/mt/archives/022687.html

October 29, 2009

Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0

Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0 Issued By: ISIMC [Information Security and Identity Management Committee] - Effective Date: 09.17.2009

  • Abstract: "The use of social media for federal services and interactions is growing tremendously, supported by initiatives from the administration, directives from government leaders, and demands from the public. This situation presents both opportunity and risk. Guidelines and recommendations for using social media technologies in a manner that minimizes the risk are analyzed and presented in this document. This document is intended as guidance for any federal agency that uses social media services to collaborate and communicate among employees, partners, other federal agencies, and the public."



Interesting use of technology. Perhaps I could become a “partner” and require my students to subscribe?

http://www.nonotes.com/index.htm

NoNotes.com

The mechanics of the site involve recording a class and its subsequent upload to the site in order to be transcribed and sent back to you.
