StorageMojo

In last week’s episode of Privacy Carve Out, Vaporstream promised to allow us to create, send and receive untrackable, unforwardable and disappearing email. This week the mavens at Xerox PARC announce they’ve developed a prototype technology that ensures that printed content diasappears within 24 hours. Just like thermal paper, except you don’t have to leave it out in the sun or in a parked car.

The immortal words of the Bard vs. the mortal words of you
Here’s an excerpt of the announcement, which shows just how wrong very smart people can get the implications of their creativity.

TORONTO and PALO ALTO, Calif., Nov. 27, 2006 — Xerox Corporation (NYSE:XRX) scientists have invented a way to make prints whose images last only a day, so that the paper can be used again and again. The technology, which is still in a preliminary state, blurs the line between paper documents and digital displays and could ultimately lead to a significant reduction in paper use.

The experimental printing technology, a collaboration between the Xerox Research Centre of Canada and PARC (Palo Alto Research Center Inc.), could someday replace printed pages that are used for just a brief time before being discarded. . . .

Xerox has filed for patents on the technology, which it calls “erasable paper.” It is currently part of a laboratory project that focuses on the concept of future dynamic documents.

Folks, who is going to bother to feed wrinked, dog-eared paper back into a printer to guarantee a paper jam? The real benefit here is privacy, that increasingly scarce commodity in a world of ever cheaper storage.

You will have privacy when we want you to have privacy
Authoritarians drool at the thought of ransacking every nook and cranny of our lives in search of illegal, embarrassing or déclassé behavior. Even America, Home of the Free, has several Supreme Court justices who believe that privacy is a gift of government, not an inherent right. “Sure, you have liberty. We’ll just make sure everyone knows what you do with it. Bwa-ha-ha!”

Until the Government needs privacy
Of course, in matters of national security, the government sees the need for all kinds of privacy, especially when disclosure reveals stupid, corrupt or morally repugnant behavior. Or, the software powering our very expensive defense systems (see Quick Disk Erase: Harder Than You Think).

The StorageMojo.com take
Two data points don’t make a trend, yet in a world with cheap massive storage and public network-based behavior, meaningful privacy will cease to exist unless we take pains to preserve it. Human frailty and hypocrisy being what they are, this means a high-growth privacy industry for the next several decades. Ultimately we all face governments, companies, competitors and acquaintances who may want to use information to hurt us or our families. Carving out privacy in our brave new digital world will take decades of controversy and pain.

Comments welcome, of course. Moderation turned on to keep comment spam at bay.

I had a colleague once whose emails seethed with such exquisite vituperation that new ones would get passed around the office so we could admire her wordcraft. She wasn’t the happiest woman in the world and when she got behind the keyboard, look out!

If you just can’t resist saying what is better left unsaid
Persistent storage enables civilization, so what are we to make of an application that disables persistance? Barbarity enabling? Reasoning by analogy has its limits and we may have just found one. I can see why one might want recordless communication for reasons both good and ill.

Introducing Vaporstream recordless communication
Combining chat and email, Vaporstream is a web-based communications system designed to ensure privacy and “eyes-only” security. Logging into Vaporstream through a browser, you type in a recipient’s email address and then start typing your message.

As soon as you start typing the message, the recipient’s name disappears, so you need a better memory than I have to complete the message. The process is reversed on the receiving end, where the sender’s name shows up until the message appears. Since the names are divorced from the content there is no record of who sent what to who.

Great for chatting up the hottie in marcom?
Both sender and receiver need subscriptions to the Vaporstream service, about $40 a year, so unless the marcom hottie is a subscriber you’ll have to choose less secure communications.

Confidential electronic communication
Vaporstream quotes security guru Bruce Schneier

The right to do things while not being watched is very fundamental to humanity, whether we sing in the shower or have private conversations with friends. If we are constantly under gaze, we can’t experiment as human beings. When we know we’re being watched, our lives are altered, even if we’re doing nothing wrong.
- Bruce Schneier, Security expert and author of Crypto-Gram
Dig. Boston’s Weekly, Issue 8.24, June 14, 2006

Bruce has a point. There are times and topics that don’t need a need a record, where a permanent record has a chilling effect on free and open discussion. HR, corporate strategy and investment and budget discussions are all sensitive area that benefit from a full airing without threat of a half-complete thought being used against a participant.

The StorageMojo take
Vaporstream is a product whose anti-storage message reminds us why massive storage is both a blessing and a curse. Records management professionals are rightly concerned with its potential for abuse and the loss of what could be valuable business records. Yet the fact that it is a subscription service and not available to all helps ensure it will be used primarily for business purposes.

Just because it might be used for, say, anti-trust conspiracies, is no reason to outlaw it for everyone. If there are problems with Vaporstream they are PEBCAK (Problem Exists Between Chair And Keyboard) in origin, like so many others in life.

Comments welcome, as always. Moderation turned on to deter, in part, the huge wave of Italian language spam coming in.

The new Federal Rules of Civil Procedure (FRCP) on electronic information discovery (e-discovery) is serving as an excuse for some scary marketing. So how scared should you be? If your company is under $100 million in sales, not very. Over $1 billion, you need to make yourself aware of policies and procedures that probably exist and that you haven’t been trained on. In between, things are a little murky.

There are three critical areas to e-discovery:

1. Finding the electronic documents, graphics, emails or whatever needed for litigation, which is what we all think when we hear “e-discovery”
2. Litigation hold policies
3. Record retention policies

IT is responsible for performing #1, and must be aware of and following #2 and #3. The policies are not IT’s responsibility, but complying with them certainly is.

Scary Marketing
Fear, Uncertainty and Doubt (FUD) are usually used to stop people from buying. In this case the FUD is to get you to buy. Email archiving seems to be a popular choice if you listen to the folks who sell email archiving. Email archiving is probably worth doing in many companies, but not necessarily for e-discovery reasons.

Two sides to every story but only one set of facts
The international law firm of Fulbright and Jaworski does an annual Litigation Trends Survey, which is the source of some of the numbers being bandied about. So let’s look at those numbers.

Sample size
F&J surveyed 422 companies, a healthy sample size. The size is healthy in another way: fully 53% were $1 billion or larger companies. Only 20% were under $100 million in sales.

Litigation IS on the rise
Despite arbitration, lawsuits are increasing. In the US, labor/employment, contracts and personal injury are big items, while folks in the UK are more concerned about regulatory proceedings.

Insurance, engineering/construction, manufacturing and energy companies spend the most on litigation, followed by health care, tech and financial services.

Size matters: companies under $100M only averaged $190,000 on litigation spending. Big companies commonly spend millions every year. And that isn’t counting awards or penalties - just costs.

E-discovery
In the section on e-discovery in the survey, F&J notes that this is a new area and subject to further litigation:

Most companies surveyed have not yet had their e-discovery protocols and procedures tested in the courts. However, with the amended [FRCP] concerning electronic discovery, companies may face more court tests of their e-discovery preparedness where the meet-and-confer process does not effectively resolove e-discovery disputes. Amendments in the Civil Procedure Rules in England and Wales are likely to have a similar effect.

Naturally, since the e-discovery rules aren’t in effect yet, how could they be tested?

Only 19% of those surveyed thought their companies are well-prepared for e-discovery.

Who ya gonna call?
Now, remember, those surveyed are corporate attorneys. When asked where they go for assistance, 61% said “general IT resources”. Just 31% supplement them with outside e-discovery vendors, while 25% use law firms with e-discovery expertise and 13% rely to some extent on in-house e-discovery teams.

Respondents reported their statisfaction with all of these exceeded 50%, with the notable exception of the e-discovery vendors, at 44%. These numbers all seem low to me, so the lawyers must have some itch that hasn’t yet been scratched. My guess: cost, speed and completeness are the lawyer’s worries.

Hold everything
Another piece of the e-discovery is are litigation hold policies. When a company becomes aware that they may be getting sued or suing someone else, it is important that all relevant documents, including electronic ones, be preserved. Most of F&J’s US respondents have policies in place, while it is much less common among European companies.

Record retention
Over 80% of the US $1 billion+ respondents had written record retention policies, with particularly strong compliance in financial, manufacturing, retail/wholesale and tech sectors. Small companies are much less likely to have written policies.

Oh by the way, we haven’t bothered to train you
So what else is new? The survey notes that training on these issues is just about nil:

. . . nearly two-thirds of respondents (64%) say their company has not conducted employee training for records retention or litigation holds.

Ouch!

The StorageMojo take
If you work for a $1 billion + company, your company probably has

• Significant legal exposure
• Written litigation hold and record retention policies
• Not trained you on them

If you are an in-the-trenches worker, I’d make a written request for training on these topics to my supervisor. If it doesn’t happen at least you tried and your supervisor will get fired, not you, if there is a fiasco.

If you are in IT management, I’d figure out who in IT-land is responsible for working with legal and RM and talk to them. Maybe it’s you. It may be that their policies and IT procedures don’t mesh and that is a problem you’ll want to fix

What I would NOT do is go running to my friendly local storage salesman asking for help. Your company legal professionals and record management folks are responsible for policy. You need to understand those policies first. Then you can design a solution with the right requirements and put it out to bid.

Comments welcome as always. Moderation turned on to control comment spam.

State-supported industrial espionage has an important ally in the Bush administration. The Department of Homeland Security Theatre has decided it needs to be able rifle through notebook hard drives at the US border. A boon to all online storage providers.

Hey, maybe you can buy it back on Ebay!
In the continuing parade of the wildly unpopular Bush administration’s Stupid Government Tricks, (”We had to destroy American liberty to save it”) this is relatively minor: US customs agents snooping through your laptop, and even seizing it. No warrants, no probably cause, none of those legal quibbles that are so dear to limp-wristed Defeatocrats and the ACLU. Just another underpaid government employee taking your notebook and all its data, forever, for any reason at all.

As reported in the New York Times

One e-mail correspondent told me that at Dulles International Airport several months ago as he returned from a business trip to Europe his laptop was seized in what he said he was told was a random search.

“After giving me and my shoes a thorough search, they moved on to my laptop,” he wrote. “On the desktop I had a folder named ‘Blueprints’ which contained, as labeled, blueprints for several potential designs for our company’s expansion in Madrid and Houston.”

He added, “My laptop was initially searched by one person, but he called for backup” when he saw the blueprints. “It seemed they were convinced I was sent to plant bombs in those nonexistent buildings.” He said he hasn’t seen the laptop since.

The The Association of Corporate Travel Executives (ACTE) is warning members

. . . that under U.S. law, government agents may seize and search a person´s laptop computer, computer discs, and other electronic media when that person arrives in the U.S. from abroad or departs from the U.S for a foreign country. The law applies equally to U.S. passport holders and non-U.S. passport holders. The association is advising business travellers to be cautious in carrying proprietary information across U.S. borders.

Some hope
In a modest victory for American liberty and the US Constitution (that musty old thing the President swore to “protect and defend”) Clinton-appointed 9th Circuit US District Court Judge Dean Pregerson ruled that customs agents must have a reasonable suspicion to search a computer.

However, the 4th Circuit has ruled otherwise, setting up a potential visit to the Supreme Court. This is bad news since the Supremes are well-stocked with liberty-hating justices like Antonine Scalia, Clarence Thomas and Samuel “strip-search a 10 year old girl? Yum!” Alito. So if you are flying into LA, SF or Seattle, your private data is less likely to be seized at government whim. Flying into the east coast your data is at risk of arbitrary search and seizure.

The StorageMojo take
Other than the unjustified monetary loss customs agents can inflict through notebook seizure, the big concern for companies has to be state-supported industrial espionage. Customs agents have been bribed before and the value of commercial data can be much greater than 440 lbs. of cocaine. A couple of strategies:

• Use an encrypted on-line storage service and *do not* have any reference to encryption stored on your notebook. This requires you have pretty fast internet access where ever you are going, but it beats not having any access thanks to over-zealous customs agents.
• Use an encrypted flash drive packed in your suitcase to store sensitive data. Less likely to get searched or confiscated and a lot cheaper than a notebook.
• Leave the laptop at home and use an encrypted thumb drive loaded with your critical data and portable apps instead (see Build A Portable Opposable Thumb Drive).

And let’s hope my favorite country, the US of A, steps back from its unreasoning fear and reinvigorates its faith in the power of a free people.

Companies and practitioners spend billions of dollars a year on RAID to protect against disk drive failure. Yet all the research I’ve seen shows that the most common reasons for data loss are, and always have been, caused by people: accidental file deletion and operator error. Why don’t we spend billions on those problems instead of disk drive failure? We aren’t rational about risk.

Bruce Schneier is the founder and CTO of BT Counterpane security. He is a witty and smart writer about security and security technology and is highly recommended. While reading his recent post Perceived Risk vs. Actual Risk it flashed on me that much of what I find goofy about the storage industry might be explained by Schneier.

Now, I could have done the obvious and called him up and asked him to actually explain it, but what fun is that? Instead, I’m going to apply some of his ideas to storage practice and marketing. Just for the record, many of these are actually the ideas of Daniel Gilbert, a psych prof at Harvard, (but I’m not holding that against him) whose book Stumbling on Happiness talks about why we are bad at predicting the future. A short intro to his work is this charming article If only gay sex caused global warming.

Schneier quotes himself from his book Beyond Fear on some of the common misperceptions:

People exaggerate spectacular but rare risks and downplay common risks. They worry more about earthquakes than they do about slipping on the bathroom floor, even though the latter kills far more people than the former. Similarly, terrorism causes far more anxiety than common street crime, even though the latter claims many more lives. Many people believe that their children are at risk of being given poisoned candy by strangers at Halloween, even though there has been no documented case of this ever happening.

File deletion is equivalent to slipping on the bathroom floor. Why not, for example, put deleted files into the trash for 10 days so you’ll have time to reconsider?

People have trouble estimating risks for anything not exactly like their normal situation. Americans worry more about the risk of mugging in a foreign city, no matter how much safer it might be than where they live back home. . . .

It is difficult to pick out the most likely occurrence from several unlikely choices, or even rank them. Perhaps this explains why so many firms have problems after an incident. They prepared, but not for the incident that actually occurred.

People underestimate risks they willingly take and overestimate risks in situations they can’t control. When people voluntarily take a risk, they tend to underestimate it. When they have no choice but to take the risk, they tend to overestimate it. Terrorists are scary because they attack arbitrarily, and from nowhere. Commercial airplanes are perceived as riskier than automobiles, because the controls are in someone else’s hands — even though they’re much safer per passenger mile. . . .

Back up our precious data to good old tape, where the failure rates range as high as 40%? No problem. Outsource our data archive to Cleversafe or Amazon? A scary thought.

Last, people overestimate risks that are being talked about and remain an object of public scrutiny. News, by definition, is about anomalies. Endless numbers of automobile crashes hardly make news like one airplane crash does. . . . If a lunatic goes back to the office after being fired and kills his boss and two coworkers, it’s national news for days. If the same lunatic shoots his ex-wife and two kids instead, it’s local news…maybe not even the lead story.

Gosh, so what is being talked about these days? Hmm-m. Disk error rates: you need RAID 6! Power density: you need to buy low-power chips! Pick your favorite. It isn’t that these aren’t issues, but we all got along last year without knowing or worrying about them and yet, somehow, now we are. Why?

Comments welcome as usual. Go ahead, take a chance!

A fine article in the latest Macworld describes how to create a thumb drive loaded with portable apps - including some that work with Windows - for use on the road. It is the first I’ve seen how-to article that actually describes the process in sufficient detail for mere mortals.

No matter what platform you use
When you are out and about you never know what platform might present itself, so it pays to be prepared. That’s why the article discusses more than just Mac.

Some pointers:

• Use a 2-4 GB thumb drive to ensure space for Mac/Windows/Linux versions of needed programs, like browsers and email clients
• Built-in security is a good idea as thumb drives are small and losable - and fingerprint-based authentication means you don’t have to rely on a cross-platform utility
• Format the drive with Microsoft’s FAT32 file system for cross platform compatibility - both Mac and recent versions of Linux recognize it
• Pick your apps. For me cross platform versions of
• Firefox for web browsing
• Thunderbird for an email client
• OpenOffice for productivity
• Anything else, like image editors, media players, FTP clients, chat
• I’d also want an on-screen keyboard for entering passwords to defeat hardware keyloggers

I don’t travel nearly as much as I used to, so lugging my laptop isn’t bad. Yet on a vacation to Europe or the third world - Kuala Lampur is quite the bargain these days - it would be nice to leave it at home. With three versions of my main apps (Windows, Mac & Linux) I’d be good to go anywhere.

Comments welcome, of course.

Fear mongering over the new Federal Rules of Civil Procedure (FRCP) requirements for electronic discovery has already begun with an article Storage Goes to Law School. As December 1, 2006 implementation date approaches expect the hype to rise. The “buy my widget or go to jail” line is well-nigh irresistible to sales and marketing folks, but way overstates the case. I’ve looked at the rule changes in some depth and they just aren’t that difficult. It is easy to fear the unknown. So let me give you the lay of the land. In less than 3 minutes.

FRCP: flow control for lawyers
The FRCP “govern the conduct of all civil actions brought in Federal district courts”. Federal district court judges don’t like their time wasted, so these rules are designed to ensure that by the time people get to court they are ready to rumble. These rules are binding only on the Federal courts, but many states model their rules on the FRCP, so expect to see these changes reflected in many state rules over time.

Because the Supreme Court says so, that’s why
The FRCP is produced by the federal judiciary as authorized by Congress. The rules process is long and involved with ample time for public comment and several review layers. Finally the Supreme Court approves the change and unless Congress intervenes, the rule becomes binding. It usually takes 2-3 years to change a rule, but the electronic discovery process changes have taken almost 6 years. They took their time and the result is, IMHO, fair and reasonable.

The nitty-gritty
Most of these rules changes are mostly technical (legally-speaking) in nature. Quoting from the uscourts.gov summary

• Civil Rule 16 (Pretrial Conferences; Scheduling; Management) (establishes process for the parties and court to address early issues pertaining to the disclosure and discovery of electronic information)
• Civil Rule 26(a) & (f) (General Provisions Governing Discovery; Duty of Disclosure) (requires parties to discuss during the discovery-planning conference issues relating to the disclosure and discovery of electronically stored information)
• Civil Rule 33 (Interrogatories to Parties) (expressly provides that an answer to an interrogatory involving review of business records should involve a search of electronically stored information)
• Civil Rule 34 (Production of Documents and Things and Entry Upon Land for Inspection and Other Purposes) (distinguishes between electronically stored information and “documents”)
• Civil Rule 37 (Failure to Make Disclosure or Cooperate in Discovery; Sanctions) (creates a “safe harbor” that protects a party from sanctions for failing to provide electronically stored information lost because of the routine operation of the party’s computer system)
• Civil Rule 45 (Subpoena) (technical amendments that conform to other proposed amendments regarding discovery of electronically stored information)

OK, stop yawning, here’s the good stuff
The drafting committee’s report on the rule changes called out a couple of interesting points.

• Rule 34 acknowledges that “electronically stored information is explicitly recognized as a category . . . distinct from “documents” and “things.” The courts recognize that computer information differs in three major ways from traditional documents:
  • Volume is often enormous
  • The information is dynamic - easily overwritten, deleted or changed, often without anyone’s specific direction or knowledge (BSOD, anyone?)
  • The information may be incomprehensible apart from the system that created or stored it
• Rule 37(f) is the IT department’s friend. It offers “limited protection against sanctions . . . for a party’s failure to provide electronically stored information in discovery.” The limits are:
  • The data must be lost in the routine operation of an information system
  • The operation of the system must be in good faith - which may mean modifying IT operations to preserve data that might be needed for pending or reasonably anticipated litigation

The StorageMojo.com take
The new FRCP rules are not, primarily, an IT problem. Your company’s record managers and legal advisors are responsible for figuring out company policy on record retention. IT should state clearly that they are ready and willing to help formulate cost-effective means of supporting discovery requirements, but under no circumstances should IT take responsibility for defining those standards. By this process IT will have the support of the firm’s legal advisors if any expenditures are required.

These policies will have to be documented and IT folks trained on them. You’ll need know that when the VP of sales storms in, demanding that his emails to a competitor be deleted right now! that you are on safe ground refusing until the proper process has been followed.

Federal Computer Week is reporting that the US Army is starting a pilot program to encrypt all data on all mobile devices. But that’s not all:

In the coming weeks, the secretary of the Army will release a new policy on data encryption mandating that each Army laptop PC be designated and clearly tagged as travel or stationary. All travel computers must use commercially available encryption software until an enterprisewide tool is chosen. . . .

The Good News: They Can’t Read The Data. The Bad News: Neither Can We.
Both Windows XP and Mac OS X have encryption options: XP has Encrypting File System; OS X has FileVault. I’m not familiar with the details of EFS, but FileVault is pretty secure - if you lose your password it is all over - you’ve got to wipe all your data. Which is one of the reasons I’ve never used it. Nor have most XP and OS X users. When we think of all the stupid and embarrassing reasons one can lose all data, forgetting the password has to be near the top of the list.

Apple’s FileVault has a Master Password option that will unlock any FileVault account, so a wily admin can set up a way to save forgetful users.

Yet this whole effort is back to relying on passwords, which are usually hackable, to secure data. Not to mention the organizational angst required to manage tens of thousands of passwords. It seems to be a choice among several sub-optimal solutions.

Go Army!
Despite the issues I applaud the Army for mandating encryption. There is nothing like a massive customer spending money to get ingenious people working on better solutions. A large scale test of those solutions will shake out the bugs faster than any beta program. With the Army’s action perhaps we will see more secure and usable encryption options on the market sooner rather than later.

8/24 Update: Alert reader Tom Maddox pointed me to Bruce Schneier’s (CTO of Counterpane Security) blog post on TrackMeNot - and why it won’t work. Good read. However it appears that Bruce is tackling one problem - protecting one’s privacy on the web - and TrackMeNot is also attacking the search engine’s practice of keeping your searches forever. Bruce doesn’t comment on that piece of it, and I suspect he isn’t impressed with that argument either. It will take one of the underdog engines declaring they will dump everything every 10 days to put pressure on the others. Which search engine will be first?

Nice post in Tom Foremski’s Silicon Valley Watcher called The future transparency of our lives and poisoning the database.

Tom is reacting to the stupid AOL search info release. His first point is that we are what we search, that is, we can be identified by the information that interests us.

His second point is:

Another response is to poison the database, to create a smokescreen, to use aliases/avatars, to make sure that the data collected online contains only a sliver of the real person.

As it happens there is a Firefox plug-in called TrackMeNot that does just that, automatically. As they explain:

TrackMeNot runs in Firefox as a low-priority background process that periodically issues randomized search-queries to popular search engines, e.g., AOL, Yahoo!, Google, and MSN. It hides users’ actual search trails in a cloud of indistinguishable ‘ghost’ queries, significantly increasing the difficulty of aggregating such data into accurate or identifying user profiles. TrackMeNot integrates into the Firefox ‘Tools’ menu and includes a variety of user-configurable options.

Developed by two NYU professors, TrackMeNot is designed to pollute the databases of the big search engines. They argue:

We are disturbed by the idea that search inquiries are systematically monitored and stored by corporations like AOL, Yahoo!, Google, etc. and may even be available to third parties. Because the Web has grown into such a crucial repository of information and our search behaviors profoundly reflect who we are, what we care about, and how we live our lives, there is reason to feel they should be off-limits to arbitrary surveillance. But what can be done?

TrackMeNot is their answer to that last question.

Your Employment Contract, On-Line
Diane, an old friend of mine from DEC, has a unique last name. Google her name and the number one hit is her employment contract from a Valley software company, posted on a website that mines SEC filings for legal documents that you and I might want to use - like Diane’s $50k signing bonus, $100k relo package, $250k salary, 25% bonus and 150,000 stock options - if we get lucky. For Diane, and her rare last name, there is significantly less privacy than those of us with common names have.

Will Everyone NOT Named John or Mary Smith Please Stand Up
Several thousand years ago many tribal cultures believed that one’s true name was so powerful that it was kept secret. Instead you had a public name, like “Wally” and your deep secret name: “Conan”. One remnant of this belief is the use of an abbreviation for God’s name in the Old Testament, the Tetragrammaton, or four letters: YHVH. Having forgotten the vowels left out of the name we can no longer be sure what God’s true name is. But He is much better at covering his tracks than most of us, especially Diane.

So do your kids a favor and name them something common. Give them nicknames, and then use those nicknames for school and medical records. Teach them to use TrackMeNot on Firefox. Don’t give out their Social Security Numbers, most likely candidate for the 21st century’s secret name. Use nonsense email user names. Create a fog of identity instead of a sharply etched one. In the Google world of never-overwrite-data this will be one of the few ways to maintain a modicum of privacy.

Oh, And One More Thing
Not only is Eric Schmidt a lousy marketer, but his reluctance to do right by users by destroying search records is a deeply stupid decision. It will, I’m sure, bite Google and, more importantly, many users, before it gets sorted out.

Should Impersonating a Human Be a Crime?
Fascinating Wall Street Journal article about a YouTube video that satirizes Al Gore’s global warming documentary, An Inconvenient Truth. The two-minute video is called Al Gore’s Penguin Army.

I haven’t seen either. What is interesting is that the video’s maker is listed as a 29 year old from Beverly Hills, but when the WSJ traded emails with “him” they found that:

. . . the email originated from a computer registered to DCI Group, a Washington, D.C., public relations and lobbying firm whose clients include oil company Exxon Mobil Corp.

Oops!

Stop Tux Abuse!
In the article’s illustration it looks like they are using Tux, the Linux mascot and symbol, as the penguin. Is Tux copyrighted? Is the open-source community going to let the very cute Tux be abused for crass political purposes?

Everything That Will Fit
The New York Times’ front page slogan is “All the News That’s Fit To Print”. With the internet and its massive storage capacity everything fits - and remains forever. Just another reminder that it’s reader beware 7×24. On the internet, and in life.

The Canadian Flag On Your Backpack Will Fool No One
That’s right, the US State Department loves wireless storage so much they are putting it in your passport, according to CNN Money, in the form of a 64 KB RFID chip. That’s four times the memory of my first computer. The chip can be easily read with non-standard equipment from as far away as 160 feet.

Just How Stupid Is It?
I give it a Threat Level: Red. Passports have a 10 year life, so the bad guys who want your info - or your scalp - will have 10 years of technology advances to refine their technique. Expect RFID scanners built into briefcases to be on sale next year at spy shops. They’ll get smaller and cheaper. You’ll get older and slower.

But The Data Is Encrypted
Heh. Encryption works best on unstructured data. Back during WWII, the Bletchley Park wizards broke the German Naval Enigma code - which they’d suddenly changed when someone suspected it had been broken - when they realized that each submarine’s transmission contained an unchanged weather code. What’s in a passport: name, birthdate, birthplace, date of issue, height, weight, eye color, photo. Gosh, who could figure that out? It took security pros using a PC two hours to crack the Dutch version last year.

Then: Z-Hunting. Now: RFID Crack & Track
Criminals in Florida used the Z plates on rental cars to target tourists for mugging, theft, abduction and occasionally murder. Organized criminals, like the ones commit cyber-crimes like identity theft and website extortion DOS attacks clearly have the Mojo to crack and track RFID passports.

Solution 1
The easiest solution would be for State to drop the whole stupid idea. That won’t happen, since most of elected officials, when not flat-out auctioning themselves for campaign contributions, are painfully ignorant about science and technology.

Solution 2: Use A Hammer
Use a hammer to crush the chip. We’ve all heard that sticking an RFID chip in a microwave will kill it - but not without risk. According to the Spychips FAQ:

Q: Can I microwave products to kill any hidden RFID tags they might contain?
A: While microwaving an RFID tag will destroy it (a microwave emits high frequency electromagnetic energy that overloads the antenna, eventually blowing out the chip), there is a good chance the the tag will burst into flames first. The difficulty of destroying a hidden RFID chip is one reason we need legislation making it illegal to hide a chip in an item in the first place.

They recommend either disconnecting the antenna - which would likely be a problem since the cutting would look like tampering - or physically crunching the chip. With some care the crunch job shouldn’t have to leave any marks.

Solution 3
A Frito’s corn chip bag. Anti-static bags don’t work, but informal tests suggest the aluminized corn chip bags block RFID effectively.

Stay Tuned
I’m sure Passport RFID destruction techniques will be explored and documented on the web in the next few months. Sadly, some courageous individuals will likely be prosecuted for “tampering” with their passport.

State could have used either smart cards or laser cards. Instead some fast-talking salesman and (probably) semi-corrupt congressmen gave us a poor solution that we’ll all be living with for years to come.

I love what cheap massive storage will do for business, culture and research. Yet every so often I have second thoughts about how storage and other technologies might be misused - with the very best of intentions.

This isn’t a Left or Right issue: folks from both extremes think of “good” reasons to spy on Americans. With the combination of GPS automobile speed and location tracking, cell phone GPS, credit card transactions, personal RFID and cheap massive storage, a massive behavioral database on every citizen is just a few billion dollars away. (See MyLifeBits, NIMD, NSA and You.)

In just 10 years any American could receive a letter like this one:

Department of Family Security
Behavioral Analysis Division
Prediction and Notification Program
Washington, DC

April 1, 2016

Dear Mr Harris,

Pursuant to the provisions of the Defense of Family Act, the Super-PATRIOT Act, the Safe Driving Act, the American Family Self-Reliance Act and the Personal RFID Security Act, we are pleased to send you this Notice of Significant Family Behavior Change (NSFBC).

The NSFBC is designed to alert you to changes in the behavior of family members. You are asked to use this information for a caring discussion with the affected family member(s).

Family Member Name: CHRISTINE FORD HARRIS
Family Member Relationship: Wife

Summary of Behavioral Change(s):

• Financial:
  • 6 instances of afternoon drinks at the Black Rock Bar and Grill
• Transportation:
  • 4 MPH Average Urban Speed Increase during afternoon drive times, resulting in $214 in Excess Speed Charges.
• Communications:
  • Afternoon cell phones calls received at the Sleepy Bear Motel 1/22/16, 1/29/16, 2/04/16 and 2/11/16.
• Association:
  • Mr. STEVEN D. CLARK, a tennis instructor at the Oak Valley Country Club, is the only individual whose financial, travel and communications patterns are known to match those of CHRISTINE FORD HARRIS at this time.
• Terrorist Plot Threat Rating:
  • LOW.

DFS/BAD reminds you that this information only suggests significant behavioral change(s). You are encouraged to open a respectful dialogue with the family member(s) to understand the the reasons for change(s). Work-related behavior changes are common and no cause for alarm. Please remember that it is highly unlikely your wife is a terrorist.

Based on DFS statistical profiling a Notice of Potential Domestic Dispute has been filed with local law enforcement. A list of faith-based and secular counseling services has been attached for your convenience.

Our goal at the Department of Family Security is to help you build a strong family unit. For more information please see our website at DEFSEC.GOV.

Sincerely,

(s)Elden Ebbish
Family Security Officer
“DFS - Helping Make America Strong - One Family At A Time”

IT is like any other technology: it can be used for good or ill. It is ironic that today the only thing standing between us and massive personal databases - besides the “quaint” U.S. Constitution - is the cost of Big Iron storage. Keep up the high prices, and preserve our liberty!

EMC, the world’s largest independent storage firm, paid a 45% premium for RSA Security, a firm with stagnant sales. Its stock promptly tanked, dropping 4%.

Expect more tanking
RSA products are primarily authentication (you are who you say you are) and access management (the authentic you is allowed to see this data). What does this have to do with data storage? Not much. Certainly EMC could have OEM’d security products for a lot less than $2.1 billion. From a financial perspective, EMC just paid $2.1 billion for $42 million in RSA earnings: a 2% return.

Hope Is Not A Plan
EMC is hoping that their strong grip on CIO wallets will enable them to dramatically increase RSA sales. To do so EMC’s crack commission sales force will have to step out of the corporate data centers they know so well into the business units they don’t. I can’t think of one IT firm that has done that successfully, but hey, maybe EMC will be the one to break the code.

Consumers Are The Big Win In Security
As with most markets in America and IT, consumers drive volume. I’ve used hardware security authenticators and know that consumers won’t use them. IT can mandate them for corporate use, but only with business unit buy-in. The jury is still out on which consumer security solution will win, but IMHO it isn’t going to be a set of solutions that have been around in various forms for 10 years.

EMC’s Strategy Is Broken
If ever a company cried out for inspired re-invention, it is EMC. They have tremendous resources, a strong brand, and the ear of every F5000 CIO. The signs of a hard landing in enterprise data storage are growing every day, just as in the mainframe and minicomputer markets of the late ’80s. EMC could re-invent data storage using modern design paradigms. Instead they appear intent on following their Rt. 128 minicomputer brethern into oblivion.

How Hard?
After a US spy plane was forced to land in China and the plane’s disks gave up military secrets, researchers worked to figure out how to quickly and securely erase the disk. Even when the people snooping it had unlimited time and money. Crushing, drilling or explosives would not do the job as fast and as safely as scientists hoped.

According to Dark Reading this proved possible only with permanent magnets - and not the kind decorating your refrigerator.

To create a magnetic field strong enough to penetrate the metal housing around a disk drive and erase the magnetic media inside, the researchers designed a neodymium iron-boron magnet with special pole pieces made of esoteric cobalt alloys. A motorized mechanism pushed disk drives past the magnets; a back up twist-knob allows operators to manually pull drives through the magnetic field.

How did they determine it really worked? By using the same techniques a serious disk recovery effort might use

The team verified that it was impossible to recover information from disk drives erased with the permanent magnets. They used a magnetic force microscope to map even the smallest magnetic domains on the surface of an erased disk drive to ensure that the patterns found there were completely random.

Disposing of disk drives that contained important information? Be even more paranoid than you are now.

Chilling story about a security firm’s successful infiltration of a credit union’s infrastructure using old USB flash drives. They wrote a Trojan that would collect “. . . passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us,” put it on the thumb drives and scattered them around the employee parking lot.

The bottom line:

Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience. We never broke a sweat. Everything that needed to happen did, and in a way it was completely transparent to the users, the network, and credit union management.

Of all the social engineering efforts we have performed over the years, I always had to worry about being caught, getting detained by the police, or not getting anything of value. The USB route is really the way to go. With the exception of possibly getting caught when seeding the facility, my chances of having a problem are reduced significantly.

Business Opportunity: Software or Epoxy?”
Do I sense a product opportunity? Software that erases everything on a flash drive that doesn’t have a security certificate? Or how else could one do it?

Or you could sell epoxy glue guns to seal off the USB ports. “Secure Goo” anyone?