Security Snake Oil, Squared

Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.
— Albert Einstein

I’ve written here from time to time about some of the questionable expenditures made in the name of security; in one case, the US government paid several million dollars for software that, if it ever existed at all, did not produce anything like the promised results.  In some cases, I think that the buyers are so focused on the security outcomes that they want that they lose sight of the need to verify extravagant claims for a product, or at least to ensure that the claimed performance is realistically plausible.

I’ve just been reminded of another instance of a large purchase of security snake oil.  According to the C-Net news site, a British businessman named James McCormick is on trial at the Old Bailey (the Central Criminal Court) in London, on charges of fraud connected to the sale of supposed bomb-detecting equipment to a variety of government agencies.  The prosecution alleges that McCormick sold a large number of his ADE detection devices for use in Iraq, at a price of approximately £ 27,000 [about $41,000] each.  Units were also allegedly sold to the governments of Niger and Georgia, the former Soviet republic.

The claims that McCormick is alleged to have made for the devices, which supposedly worked by static electricity, are close to miraculous.  According to an article in the Daily Mail,

He produced glossy brochures to trick potential investors into believing the devices could detect tiny amounts of explosive from three miles away, the Old Bailey heard.

He claimed they could detect explosives, drugs and ivory through walls, up to 30ft underground and 100ft underwater, jurors were told. They could also detect fluids and human beings.

Some skepticism has been expressed about these devices before.  A 2009 article in the New York Times discusses the use by Iraqi forces of bomb detectors described by the US military as “useless”.  According to the article, at least some parts of the Iraqi government paid considerably more than the going rate for these gadgets.

Mr. Turaihi [Inspector General of the Interior Ministry] said Iraqi officials paid up to $60,000 apiece, when the wands could be purchased for as little as $18,500. He said he had begun an investigation into the no-bid contracts with ATSC.

Jim McCormick, the head of ATSC, based in London, did not return calls for comment.

That these devices did not entirely live up the the claims made for them will probably not surprise too many readers.  But the aspect of this story that I find really remarkable is the original source of the devices.   It appears that they are a slightly modified, and re-badged, version of a product sold in the US as a golf ball finder.

Mr Whittam [Prosecutor Richard Whittam, QC] showed the jury pictures of a golf ball finder and one of the devices the defendant allegedly sold. He told jurors they were practically identical ‘in terms of shape, size, weight and construction’.

He said: ‘In reality, save for the stickers, they were indistinguishable. What that means is that they came from the same mould. The golf ball finder had been rebadged as an ADE 101.’

Now you may well ask yourself how experienced military and security personnel could be taken in by this sort of (seemingly) obvious scam.  I’m afraid I don’t have a good answer.

However, I think the most darkly amusing part of the whole story is this: the device, in its original incarnation as a golf ball finder, was pure snake oil.  It was, apparently, sold on the Web at mnglobal.com. That site is no longer around, but the Internet Archive‘s Wayback Machine has a version of the page from 2006.  The claims for its abilities in this sphere are also fairly extravagant (the UPPER CASE and spelling is from the original):

IT IS NOT COMUPTER DRIVEN, CONTAINS NO CHIPS OR ELECTRONICS. IT USES YOUR NATIVE ENERGY TO ENERGIZE ITS ACTION. PLEASE DON’T ASK US FOR THE THEORY OF ITS OPERATION THAT’S OUR BUSINESS AND THE MAIN REASON WE HAVE NOT APPLIED FOR PATENTS WHICH WOULD EXPOSE THE TECHNOLOGY.

The page also assures the prospective purchaser that the finder has “no moving parts to wear out”.  And (I particularly like this), it “can be used by right or left-handed people.”  After all, you wouldn’t want something that could just find right-handed golf balls.

Obviously, P.T. Barnum’s Law of Applied Economics is still in effect.  I guess it’s good to know there are some things you can depend on.

Expired Certificate Hoses Microsoft’s Cloud Service

Yesterday, at around 3:45 PM EST, users of Microsoft’s Azure cloud computing platform began to experience problems world-wide.   The    problem apparently stemmed from an SSL certificate that had expired.  The certificate was used by Azure storage service, and the problem had knock-on effects on other Azure services as well.   The following message was posted on the Windows Azure Service Dashboard:

On Friday, February 22 at 12:44 PM PST, Storage experienced a worldwide outage impacting HTTPS traffic due to an expired SSL certificate. This did not impact HTTP traffic.

At the time I’m writing this, about 14:25 EST on Saturday, February 23, the Dashboard is still showing “Storage service degradation” across all regions.   The most recent status update says:

We have executed repair steps to update SSL certificate on the impacted clusters and have recovered to over 99% availability across all sub-regions. We will continue monitoring the health of the Storage service and SSL traffic for the next 24 hrs. Customers may experience intermittent failures during this period.

Although there are many systems that have enviable records of reliability, occasional service outages are still something to be expected and planned for.  In some cases, such as a natural disaster, it is possible to have considerable sympathy for the systems’ operators; forecasting rare events is difficult almost by definition (we assume the future will be like the past, because in the past, the future has been like the past).

It’s difficult for me to work up a lot of sympathy in this case, however.  SSL cryptographic certificates have a well-defined expiration date.  In addition, the certificate in question appears to have been issued by “Microsoft Secure Server Authority”; in other words, Microsoft was unable to get a timely renewal of the certificate from itself.  If I were a customer of the Azure service, I would not be too happy right now.

Legislative Lunacy, Revisited

Glendower:   I can call spirits from the vasty deep.
Hotspur:       Why, so can I, or so can any man;
But will they come when you do call for them?
— Wm. Shakespeare, Henry IV Part I, III:1

From time to time, I have posted here about some of the more exotic efforts of some US state legislatures, such as the statute in South Carolina (since repealed) that required subversive organizations to pay a $5 fee to register with the state, or the Louisiana legislation which would require additional penalties if a crime involved the use of maps.  It sometimes seems that at least some of these legislative bodies are engaged in a contest to see which can produce the most ridiculous legislation.  Of course, Indiana has long had a strong position in this contest, with its attempt in 1897 to set the value of the mathematical constant, pi [π], by legislation.

Blog posts at The Economist‘s site report a couple of new entries to the contest.   The first entry, reported on the “Babbage” science and technology blog, is from North Carolina.  It seems that a state scientific commission released a report saying that, based on climate change predictions, the sea level  at the state’s Atlantic coast might rise by more than three feet.

Aghast at a state commission’s scientific findings about the local sea level rising 39 inches (or one metre, as it is known to the rest of the world) by 2100, coastal business leaders and property developers pressured the state’s legislators into banning all sea-level projections based on climate-change data. As a result, House Bill 819 would require future projections to use only historical data.

Now it is certainly true that a one-meter rise in sea level would have a grave economic effect on the state.  It derives a good deal of tourism income from vacationers that visit the coast, especially along the chain of barrier islands called the Outer Banks.   (The Wright brothers made their famous first flight there, near Kitty Hawk.)   I’ve visited there; it is a very pleasant place, and there is no doubt that a good deal of it would be decidedly damp if the sea level rose by three feet.  I guess the legislature can forbid the state’s agencies from publishing studies.  But do they think that they can legislate a higher sea level out of existence?

The second entry, from the “Democracy in America” blog, is from Georgia.  It seems that the state’s voters are to be asked to approve an increase in the sales tax, in order to fund transportation projects.

On July 31st, Georgia’s voters will decide whether to impose upon themselves a one-cent sales tax for the next ten years to fund transportation projects. Voters in each of Georgia’s 12 regions will have seen (or at least, will have had the opportunity to see) the list of projects their tax will fund; money collected in that region will be spent in that region.

There are, as one might expect, a variety of projects that are proposed under this initiative; there is also debate about the merits of the various proposals.  Most of this debate is relatively rational, but unfortunately some of it is not.

It also raises an insane question: are Atlanta’s Democratic mayor, Kasim Reed, and Republican attorney-general, Sam Olens, both agents of the United Nations determined to advance the cause of one-world government and outlaw private property?

The issue apparently arises because some of the proposed plans include provision of paths for pedestrians and cyclists alongside highways.   According to some local politicians, this is the thin edge of the wedge for an attempt, known as Agenda 21,  by the United Nations to take away Georgians’ freedoms.

That’s Agenda 21. Bicycles and pedestrian traffic as an alternative form of transportation to the automobile.

The scope of this UN conspiracy is breathtaking.  Just think, back when our distant ancestors first walked upright on the African savannah, they were preparing for this dastardly plot.   And everyone knows that people who ride bicycles are bound to be socialist atheist terrorists.  (There might even be a connection with the events in North Carolina.  After all, the Wright brothers were bicycle mechanics — what more do you want?)

My grandfather was fond of saying, “Most people are dumber than average.”  I am beginning to be convinced that he was right.

High-Value Recycling

Bruce Schneier has a post at his Schneier on Security blog (link in the side bar) that refers to another instance of a security problem created by good old-fashioned human error.  As is the case with virtually every currency, the monetary authorities responsible for the Euro, the official currency of the Euro-zone (the majority but not all of the members of the European Union), have a process in place to remove worn-out or damaged coins from circulation.  The coins are then “destroyed” (as coins), and the materials sold to scrap metal dealers.  (This of course assumes that the materials are worth less than the face value of the coin; this is usually, but not always, the case.)

This is fine in principle; however, as the linked article from Der Spiegel relates, the implementation of the process left something to be desired in terms of security.  The problem stems, in the first instance, from the design of the €1 and €2 coins.   As you can see in the photo below, these coins are bimetallic, made up of an inner disc, surrounded by an outer ring.  (The photo shows the side of the coins that is common to all issues, regardless of nationality.)

 

Apparently the “destruction” procedure used for these coins sometimes just separated the inner disc from the outer ring.  The resulting pieces were then sold to dealers in China for recycling.   Apparently some of the Chinese firms carried out the recycling by putting the pieces back together (Krazy Glue, anyone?), and then sending them back to Germany via accomplices among Lufthansa flight crews.  The accomplices would then turn in the reconstructed coins at the German Bundesbank, in exchange for new ones.  The Bundesbank was not chosen as a redemption point at random.

According to a Thursday statement by the Frankfurt public prosecutors, the German Bundesbank is the only place in Europe which exchanges damaged coins for free. The bank accepts such coins in bags containing up to €1,000 worth of coins. They are weighed rather than counted and only periodically checked.

Apparently, the scam was finally uncovered when a German customs officer noticed an airline employee struggling with a very heavy suitcase, which, when opened, turned out to contain thousands of re-assembled coins.

 

Texas Data Breach

Down in Texas, they like to talk about doing things big.  Apparently, that extends to security screw-ups, too.  According to an article at the ThreatPost security blog, published by Kaspersky Labs, the Texas Comptroller’s office apparently lost track of some individuals’ data.

The Texas Comptroller’s Office is issuing letters Wednesday to some 3.5 million citizens after personally identifiable data was left exposed to the public on a state server for more than a year, according to a published statement. The exposed data included the names, addresses and Social Security Numbers and driver’s license numbers of citizens, many of them current and former State employees.

Apparently the data, which was intended for use in a system to track unclaimed property, had been transferred from other state agencies, put on a server at the Comptroller’s Office, and then forgotten.   The bulk of the data came from the Texas Workforce Commission, the Teacher Retirement System of Texas, and the Texas Employees’ Retirement System.   According to the article, the state’s administrative rules specify that any data to be transferred like this should first be encrypted, but that rule was apparently ignored, along with other unspecified internal procedures.

The agency is, of course, playing down the importance of the incident, although they have set up a mechanism for citizen inquiries.

The Texas Comptroller’s Office said it has no evidence the data was stolen or misused. Still, the agency has set up a website has and toll free phone line (1-855-474-2065) to provide additional details and recommended steps and resources for protecting identity information.

All of us that are involved in security issues spend a good deal of time talking about technical issues, software flaws, and other esoterica.  We all need to remember that good old-fashioned, garden-variety incompetence and stupidity are the biggest security threats of all.

Yes, Virginia, It’s Still Down

According to a press release issued late yesterday by the Virginia Department of Motor Vehicles, the ongoing saga of the systems failures at the Virginia Information Technologies Agency [VITA] is, well, ongoing.  It will not be possible again today for citizens to renew their driver’s licenses or state ID cards at any DMV facility.  Quoting from the press release:

An estimated recovery time for the computer system is not known, so customers are encouraged to visit the DMV website at http://www.dmvNOW.com or call (804) 497-7100 before visiting a DMV office this week

(Other transactions, such as vehicle registrations, are possible.)

Meanwhile, back at the VITA site, the first page I saw displayed a blurb for the Commonwealth of Virginia Innovative Technology Symposium 2010 [COVITS], which is to occur in Richmond on September 8.   Information about the service failure is not exactly prominent on the site, but the latest update has the usual self-congratulatory tone.

Significant progress has been made and we have reached high confidence that all services will be restored soon.

Real soon now.   Do you suppose everything will be fixed in time to talk about “innovative technology”?