Friday, March 14, 2014

Friday Musings - happy times under the spotlight

Taking a break from the daily gloomy tidings about UID misuse, foot-in-the-mouth pronouncements and government system breaches, let us look at some silver linings and keep the weekend cheery!

A recent analyst report says that the Information Security business is worth $102 billion - happy days for all! Who cares if this spend secures enterprises or governments so long as we can invoice them and get our payment! I can see the India Infosec group members coming together for an all India F2F to discuss the bulk purchase of high end Mercs, BMWs in the near future. God, give us one billion :)

Tim Berners-Lee was answering questions on reddit and there are some great quotes - this is a must read on the weekend. He talks about Snowden and that whistleblowers may be all that will save society and that he favors surveillance for fighting crime (but there must be oversight). Incidentally, he had considered alternate names like The Mesh, The Information Mine before he finalized on WWW.

An extract from the reddit post:
[Question] Did you ever think that the internet would get this big?
[TBL] Yes, I more or less had it nailed down when it comes to the growth curve. I didn't get it completely right --- 25 years ago I was predicting I'd be asked to do an AMA on reddit next week, but it turned out to be this week. Well, we all make mistakes. (no of course not)

Closer home and elsewhere, IMS, CMS, NETRA, NSA, PRISM are a few terms that bring visions of a surveillance state intruding into every facet of your life. However, this is not the start of surveillance as it has been around even before Biblical times. Every ruler and his statesmen have engaged in some form of surveillance on their populace - the level of intrusion depends on the case.

In the Internet age, there has been great debate on the extent of surveillance and the fear of misuse, or loss, of data collected.

So say all the wise people outside the establishment. 
So says Tim Berners-Lee too.
Has anyone heard any government say this convincingly? We shall rest our case here and learn to live with it. The debate will continue and the government will do what they have to do against the raving and ranting of the privacy and human rights activists.

There is a lot not happening in the InfoSec domain - good, bad and ugly! Some ugly stuff - I was with a client who had 'obtained' an ISO27001 certificate. They paid Rs. X for the certificate and then another Rs. 150 for framing it :) .. of course they felt bad that this agency gave them the certificate without the photoframe. And now they were scrambling because a client wanted to do an audit and they did not have a single policy. Of course they did not have a hope in hell and flunked the audit.

InfoSec advisories warn about the insider threat and this may be the biggest example: It is being alleged that Princess Diana leaked royal family phone numbers to get back at her husband - disgruntled wife causing a data breach! Another one was about the daughter of Michael Dell who was regularly posting details about her father's travel plans on her FB page while he was spending a few millions on protecting his privacy and security!

BTW - one of the fans on the TBL AMA commented that Berners-Lee does not use a browser! He just pulls on an ethernet cable like a hookah :)

How many of us can claim this power ;-)
However, with dollar dreams I should no longer care about surveillance or insiders - I have the power! (of the ISO certificate!)

With that thought... have a great weekend. 

The world is full of great surprises & the uncommon shortage of common sense is one of them. 

Notice: this is my post on the India InfoSec Mailing list on Yahoo!, a private closed group of information security professionals from India.

Monday, March 10, 2014

Sadly MH370 is lost and no thanks to the aircraft manufacturers

 Malaysian Airlines MH370 loss

This is not the first time an aircraft has been lost over sea and we are replaying the same scenario - MH370 loses contact and is feared lost. Now there is a search operation involving about 30+ aircraft and an equal number of ships.

The question that nags me is that after so many years of technology advances in aviation we struggle to find missing aircraft and when we find the debris there is big time trouble to locate the 'black box'. By now this should be child's play. I have a few childish suggestions...
- Why can't Boeing and other companies just embed homing beacons all over the body of an aircraft (it should not add more than $1000 to the cost)
- Why can't these guys put reflective paint on the body
- Why not have more than one black box OR keep a voice channel open to the ground where they can keep recording the cockpit activities
- Why not have a 'call home' transmitter embedded across different parts of the aircraft

Then when you think about all the issues reported by the Boeing Dreamliner you realize that this is not happening because these guys have yet to get their act together in the flying section so how can we expect them to be good in the security segment!

It is the same story being replayed when precious lives are lost and the relatives are clueless about their loved ones and how they died!

As I write this there is a massive search operation underway and in the end we will have a monument somewhere in the middle of nowhere. Security checks have addressed many risks, however, when we think about the hardships which could have been avoided with a swifter search (in the event of an unfortunate mishap) there is no excuse. 

Someone from the design teams or from the FAA in USA or DGCA in India or equivalent bodies across the world should exert pressure on the aircraft manufacturers to do something!