Thursday, 12 June 2008

GPS cows

MIT has been conducting some interesting research into GPS tracking herd animals. I did some research into this area using RFID a few years back. The issues I had were battery life, range and most critically, bulls taking down fencing and bypassing the RFID readers.

The MIT team have made an Ear-A-Round (EAR) device with state-of-the-art electronics. Their latest prototype is a doughnut-shaped stereo headset worn over each ear. The headset design is based on a knowledge of range animal ecology which has been combined with the MIT scientists' electronics skills in robotics and mobile computing.

This has been conducted at the Jornada Experimental Range in the US.

The paper on virtual fencing is a good read.

Wednesday, 11 June 2008

Corporate Spies Killing The CIA

May 8, 2008

A recent article has stated that the CIA is having trouble keeping analysts.

The CIA is having a growing problem with their analysts and spies being recruited away by corporations. One unpleasant, for government intelligence agencies, development of the last few decades has been the growing popularity of "competitive intelligence" (corporate espionage.) It's a really big business, with most large (over a billion dollars of annual sales) corporations having separate intelligence operations. Spending on corporate intel work is over $5 billion a year, and is expected to more than double in the next four years.

I personally see the bigger issue as GETTING analysts into Security. Not the CIA, but into companies with Critical Infrastructure.

Let's stop measuring Perception and look at QUANTITATIVE methods!

SOX Problems

Based on recent client documents and engagements I have come to the determination that most companies do not understand that SOX requires more than compliance with §§ 302 and 404 for IT systems. Most would not even make it this far.

Two significant provisions of Sarbanes-Oxley are defined in §§ 802 and 1102 and codified, respectively, at 18 U.S.C. 1519 and 18 U.S.C. 1512(c). These provisions impose substantial criminal penalties on any individual or entity -- public or private -- for destruction of evidence or obstruction of justice regarding any actual or "contemplated" federal investigation, matter or official proceeding.

On Dec. 1, 2006, amendments to the Federal Rules of Civil Procedure were introduced to focus on retention and production of electronically stored information. Courts, government regulators, public auditors and the plaintiffs' bar require increasingly sophisticated means of electronic discovery detailing issues such as metadata, keyword searching and forensic imaging. In turn, the demands have intensified for greater transparency in companies' policies and practices.

There is supporting case law for these provisions [see U.S. v. Ionia Management S.A., No. 3:07 CR 134, 2007 U.S. Dist. Lexis 91203 (D. Conn. Dec. 12, 2007) and U.S. v. Fumo, No. Crim. A. 06-319, 2007 U.S. Dist. Lexis 79454 (E.D. Pa. Oct. 26, 2007)].

I have not seen one company with SOX requirements who has an adequate data retention policy and associated process as yet.

The Real-Time Disclosure (§ 409) reporting also requires the disclosure of legal risks. With the determination of the 2001 California case against Cisco and the subsequent introduction of security breach disclosure rules, it is legally mandated that SOX also encompasses monitoring.

Mistakes or omissions are incorporated in § 906. This requires that data handling and error testing have been conducted. It is insufficient to state that we use a vendor product, as a number of companies have done.

Non-compliance with § 802 is the simplest breach. The US courts have determined that email is a business record. Two-week backup and retention cycles (as many clients are doing) are a breach of SOX and also Australian legislation. This is attached to fines of up to $5,000,000 and imprisonment for up to 20 years (it is a criminal offence). I have not noted a current SOX client that is even considering this.

Tuesday, 10 June 2008

Prototype of machine that copies itself goes on show

I have been watching rapid prototyping for some time now. These are machines that "print" 3D components. The article below is not new, but it is now public. The machine from Bath is the first GPL self-replicating machine.

So the idea of the Star Trek replicator is getting closer.

"A University of Bath academic, who oversees a global effort to develop an open-source machine that ‘prints’ three-dimensional objects, is celebrating after the prototype machine succeeded in making a set of its own printed parts. The machine, named RepRap, will be exhibited publicly at the Cheltenham Science Festival (4-8 June 2008)."

Monday, 9 June 2008

What is Steganography?

Provos and Honeyman (2003) define steganography (aka stego) as “the art and science of hiding communication; a steganographic system thus embeds hidden content in unremarkable cover media so as not to arouse an eavesdropper’s suspicion”.

The majority of modern steganographic systems begin with discovering the redundant bits within the host media or data. The goal is to be able to modify the host data in a manner that does not obliterate the integrity of the source data. Another objective of steganography is to not be detected in the host file. It is, in effect, a means of hiding data within other data.
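To make the "redundant bits" idea concrete, the following added example (not from the original post or its cited papers) uses the least significant bit of each sample as the redundant bit, shows that the host data changes by at most 1 per sample, and goes one step further with a pairs-of-values chi-square score that a defender can use to notice the embedding. The cover samples, payload and function names are constructed for illustration.

```python
import random

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Overwrite the least significant bit of successive samples with message bits."""
    bits = [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover has too few redundant bits for this message")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes, length: int) -> bytes:
    """Read `length` bytes back out of the sample LSBs (MSB first)."""
    out = bytearray()
    for i in range(length):
        value = 0
        for sample in stego[8 * i:8 * i + 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)

def max_distortion(cover: bytes, stego: bytes) -> int:
    """Largest per-sample change: the cost to the host data's integrity."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def pov_chi_square(samples: bytes) -> float:
    """Chi-square over value pairs (2k, 2k+1); a low score means the pair
    counts are nearly equal, which is what LSB overwriting produces."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            stat += (hist[2 * k] - expected) ** 2 / expected
    return stat

# Constructed sample data: 4096 "pixel" values whose LSB is 1 only ~20% of the
# time, and a 512-byte random payload standing in for an encrypted message.
rng = random.Random(2008)
COVER = bytes(2 * rng.randrange(40, 100) + (rng.random() < 0.2) for _ in range(4096))
MESSAGE = bytes(rng.randrange(256) for _ in range(512))
STEGO = embed_lsb(COVER, MESSAGE)

if __name__ == "__main__":
    print("recovered:", extract_lsb(STEGO, len(MESSAGE)) == MESSAGE)
    print("max per-sample change:", max_distortion(COVER, STEGO))
    print("chi-square cover/stego:", pov_chi_square(COVER), pov_chi_square(STEGO))
```

The sharp drop in the chi-square score after embedding is the statistical footprint: the change is invisible sample by sample, but the histogram of value pairs becomes unnaturally even.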

Although steganography as a discipline is relatively modern, both Richmond (1998) and Johnson & Jajodia (1998) mention an ancient example of an early steganographic system. Richmond notes the practice of the ancient Athenians, where the head of a messenger was shaved and subsequently tattooed with a message that would be covered with hair, rendering it unseen if the messenger was captured. Johnson & Jajodia mention how this same system was adopted by a Roman general who shaved a slave’s head and tattooed a message on it, sending the messenger on the errand after the hair grew back.

The majority of steganographic methods that have been developed in modern times have been centered on hiding a message within images and audio files (such as BMP, GIF, JPEG, WAV and MP3 file formats). A number of other methods include hiding messages within Word documents or even within embedded macros and metadata.

Sunday, 8 June 2008

The biggest issues with Audit, Security, IT etc...

The biggest issue in both Audit and IT is a lack of strategic thought.

As one of many examples, there are plans in the SEC (and the equivalent in AU and others will follow) to make continuous audit mandatory. This is a combination of financial systems and IT. Security comes on board as these systems will “report live”. That is, changes in the company financial position will be available to analysts live. In fact, these provisions are in CLERP 9 in AU now and may become mandatory before the SEC does this.

When? 2015. This is where it all comes falling down. Being 7 years away, most people do not care. The issue here is that building these systems to the required levels will take 5-6 years to implement correctly. This means a year or two to start planning now and a 5-year project. This is what strategic thinking is all about.

What we see most in IT (even commonly at the CISO, CIO, etc. levels) remains for the most part tactical thought. What can go wrong tomorrow… today…

Without forward planning, we just go from disaster to disaster…