Tuesday, July 15, 2008

Putting the brakes on software rollout

The New York Times reports that the latest hitch in getting the 787 "Dreamliner" out the door is validation of the software that runs the brakes. The general manager for the 787 program is quoted as saying "It's not that the brakes don't work, it's the traceability of the software," and notes that the subcontractor had to "go back and rewrite certain parts of the brake control software to verify it for the certification process".

This is a good thing for two reasons:

(1) They're really paying attention to the software in the verification process, and not just rubber stamping it. That's something that the safety community has always done much more effectively than the security community.

(2) Because this is showing up in the popular press, perhaps we'll get people to ask "if they go to that much trouble for brake systems, why don't they go to that much trouble for voting systems". We know that if any modern voting system underwent the same level of scrutiny as the 787 brakes, we'd have much more trustworthy elections.

Thursday, July 10, 2008

The greatest public speaker in decades?

I went this afternoon to hear Barack Obama speak at Robinson Secondary School in Fairfax, just a few miles from home. My motivation was two-fold: I'm a supporter (and have spent some weekend time knocking on doors for him), and his reputation as a great speaker. When I was a kid, my mother took my younger brother to see Robert F. Kennedy speak at a campaign rally, and I've regretted that I never saw him (or JFK or MLK - probably the two greatest speakers of the second half of the twentieth century).

It was exciting to be there - newspaper reports say there were 2800 people there (including a few McCain supporters chanting outside). There's certainly a lot of enthusiasm you can't ignore.

Perhaps it was the town hall format - Obama spoke for about 20 minutes, and then answered audience questions for another hour, but he didn't seem to be at his best. There was a certain rhythm to his answers - each one started in a halting way to answer the question, and then he suddenly seemed to remember his talking points, and went into a canned speech, and wound up the answer with a big applause line.

I'm glad I went, but disappointed that I wasn't wowed by his speaking. I'm no less committed to him - I agree with him on nearly everything. Just disappointed that I didn't hear a once-in-a-lifetime speech.

Two questions he was asked (out of roughly a dozen) that I found particularly interesting: one about his commitment to science (he promised to double science research funding and bring commitment to science back to the White House - both of which would be a good start given the impact on science during the Bush administration), and one where he defended his vote for the get-out-of-jail-free card for the telecom companies on the grounds that he believes that monitoring is important and that the Inspector General report required by the law will tell us about Bush's violations of FISA. I'm thrilled about the science part, and disappointed about the domestic surveillance bill. But I guess that one out of two is better than none.

Maybe not surprising, given the locale (Fairfax County is one of the most educated and wealthiest places in the country) - but the fact that two of the questions focused on science & technology is interesting.

I hope that twenty years from now I'll think back on this afternoon, and remember that I saw America's first African-American president. And with luck, the president who brings science back into the White House.

Wednesday, July 09, 2008

How many laptops are lost - lies, damn lies, and statistics

A Ponemon Institute survey (sponsored by Dell) says that about 12,000 laptops are lost at US airports every week. But when Computerworld magazine called some of the airports cited in the study, the numbers they gave differed dramatically from the study reports. For example, in Miami Ponemon said 1000 laptops/week while TSA said that there were 68 stolen and 480 turned in - for all of 2007. At Washington National airport (*) Ponemon claims 450/week, but TSA says 276 laptops were turned in for the whole year.

So what's the truth here? Is TSA underestimating, or is Ponemon exaggerating for effect? As usual, the truth is probably somewhere in between. But if I had to make a bet, I'd guess it's a lot closer to the TSA's numbers than Ponemon's.

Let's try some round numbers. Miami airport had 33 million passengers in 2007. (I don't know if that includes people changing planes, and whether that includes both departures and arrivals.) But let's assume that's only departing passengers, which comes out to about 650,000/week. Let's assume that half of the lost laptops are at security checkpoints, since that's the place where things tend to get misplaced the most. So let's take half of Ponemon's numbers, or 500/week. In very round numbers, that means 1 out of 1000 passengers loses their laptop going through security. So if you're flying on a 747 (which seats about 400 people), the odds are roughly 50% that someone on that flight lost their laptop on the way to the plane.

I find that hard to believe - you'd think that if it happened that frequently, there would be panicked people running around airports on a regular basis looking for their laptops... and we'd all hear horror stories from our friends and relatives.

This is all back of the envelope calculation, so even if I'm off on some of these numbers, it's not going to change the overall answer.

Back of the envelope calculation is a useful technique to sniff out the unlikely in statistics. I'm surprised that Ponemon didn't ask "do these numbers really seem likely?"

(*) Out-of-towners call it "Reagan", but to locals, it's always National.
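The back-of-the-envelope check above, carried through in code so the claimed and reported figures can be compared side by side. This is an added example, not part of the original post; the inputs are the numbers the post quotes (Ponemon's 1000/week for Miami, TSA's 68 stolen plus 480 turned in for all of 2007, 33 million Miami passengers in 2007), and the 50% checkpoint share, the 400-seat 747 and the departing-passengers-only simplification are the post's own assumptions. It uses the exact "at least one passenger" probability, 1 - (1 - p)^n, rather than the post's linear rounding.

```python
"""Sanity-check a claimed laptop-loss rate against passenger volume.

Added example for the post above; figures are the ones quoted there.
"""
from dataclasses import dataclass

WEEKS_PER_YEAR = 52
SEATS_747 = 400                      # the post's round number for a 747
MIAMI_PASSENGERS_2007 = 33_000_000   # annual passengers quoted in the post


@dataclass
class LossEstimate:
    per_passenger_rate: float  # fraction of departing passengers losing a laptop at security
    one_in: float              # the same rate expressed as "1 in N passengers"
    p_any_on_flight: float     # P(at least one passenger on a 747 lost a laptop)


def p_at_least_one(rate: float, seats: int = SEATS_747) -> float:
    """Exact probability that at least one of `seats` passengers lost a laptop."""
    return 1.0 - (1.0 - rate) ** seats


def estimate(annual_passengers: int, lost_per_week: float,
             checkpoint_share: float = 0.5, seats: int = SEATS_747) -> LossEstimate:
    """Turn a weekly loss figure into a per-passenger rate and a per-flight probability.

    checkpoint_share: fraction of the losses assumed to happen at security (the post's 0.5).
    """
    weekly_passengers = annual_passengers / WEEKS_PER_YEAR   # ~650,000 for Miami
    rate = lost_per_week * checkpoint_share / weekly_passengers
    return LossEstimate(rate, 1.0 / rate, p_at_least_one(rate, seats))


# Ponemon's claim: 1000 laptops/week, half of them at checkpoints (post's assumption).
ponemon = estimate(MIAMI_PASSENGERS_2007, lost_per_week=1000)

# TSA's figure is an actual count for the year, so it is spread over 52 weeks
# and not halved again (checkpoint_share=1.0).
tsa = estimate(MIAMI_PASSENGERS_2007,
               lost_per_week=(68 + 480) / WEEKS_PER_YEAR, checkpoint_share=1.0)

if __name__ == "__main__":
    for label, est in (("Ponemon", ponemon), ("TSA", tsa)):
        print(f"{label:8s} 1 in {est.one_in:,.0f} passengers; "
              f"P(someone on a 747 lost one) = {est.p_any_on_flight:.1%}")
    # The post's rounded "1 in 1000" rate gives about a one-in-three chance per 747.
    print(f"1 in 1000 rate -> {p_at_least_one(1 / 1000):.1%}")
```

With the post's rounded 1-in-1000 rate, the exact figure comes out near 33% per 747 rather than 50%, which does not change the conclusion: the Ponemon numbers imply roughly one loss on every third or fourth jumbo-jet load, while the TSA numbers imply well under one in a hundred flights.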

Thursday, July 03, 2008

Free & open source security testing tools

HP recently released its free Scrawlr tool, a dumbed-down version of the former SPI Dynamics tools that can find some forms of SQL injection. Google released the source code for their RatProxy tool that can "pick up cross-site scripting flaws and incomplete cross-site defence mechanisms, as well as potential data leak sources and risky code that retrieves data from outside domains".

Making tools freely available is a Good Thing(TM). But the real question is - will they get used by companies and individuals to find vulnerabilities in their sites, and even more critically, will they fix the problems identified? Like almost any security tool, Scrawlr and RatProxy are dual-use technologies - they can be used by defenders to find problems (and verify that the fixes work), but they can also be used by adversaries to figure out the most promising avenues for attack.

No one should rely on these tools as the sole measure of a web site's security, but they're ignored at your own peril.

Put another way: any web site owner who has dynamic content and is NOT using these free tools (or something better) AND fixing the problems they identify is taking a big risk - if you don't use them yourself, the bad guys will!

Wednesday, July 02, 2008

New attacks, and taking risk measurement personally

Today, a terrorist used a bulldozer as an attack weapon, running over several cars in Jerusalem, and killing at least three people and wounding many others. It's a novel attack method - the Israeli police and army have gotten quite good at stopping car bombs by preventing them from getting into Israel, but this is a weapon that's already present (and the terrorist was an authorized user of the vehicle, although obviously not for that purpose).

While not taking away from the tragedy of the people killed, or the crime by the terrorists (including their sponsors who are perversely cheering these murders), it's important that, as security engineers, we're always aware of attacks that don't follow our "script". That's as true for real-world ("kinetic") attacks as for cyber attacks.

More to the point, this attack made me think about risk. My son is in Israel, and his plans are to go to Jerusalem tomorrow - probably even going past the very place where the attack occurred. Should I let him? What are the risks of another terrorist attack? How do those risks compare with the risks that would ordinarily be present in a city - the risk of getting hit by a car while crossing the street? Ultimately, I decided that the risk of another terrorist attack is fairly small in comparison with other risks.

(Incidentally, there's very little non-terrorist violent crime in Israel, so I don't worry about him getting mugged walking around the streets even at night - something I might be more cautious of in an American city.)

Like all parents, I worry when my kids are out driving late at night (even though I don't believe they drink, there are always other drivers to worry about, as well as the fact that they're not very experienced drivers), when they travel, etc. My older daughter is spending the summer in Pittsburgh - and like any big city, there's some amount of street crime there. How much should I try to protect her? (Both my son and older daughter are old enough that I have no legal control, just a parent's moral influence.) Figuring out which risks to allow them to take and which to prohibit is one of the hardest things about being the parent of young adults.