Dibbler's Net


Tuesday, August 05, 2008

“Clear” Program loses data

Via Slashdot to the CBS SF web site: Security Breached At SFO Due To Stolen Laptop. So all Clear users have possibly had their data stolen; however, I doubt this is new.

There are more of these stories every day, and I think we are finally seeing critical mass on them. Bruce Schneier has covered this in his Crypto-Gram newsletter for years.

Now for my rant on this, which involves two separate issues.
Issue 1: I come from the days of mainframes: all the data in a secure location, with dumb clients that validated users before allowing them access to the data. When dealing with these large databases of users, why do they exist in standalone form on a notebook? Is there a reason for offline access? When you have offline access to this database, how do you as a company audit access to the data and verify its stability? With the proliferation of VPNs, mobile data cards, and really the ability to have a network anywhere, why does this need to be on a standalone machine? This has always been a base rule of security: if you can’t control physical access to the machine, then you have already lost.

Issue 2: The laptop has been stolen, so now people consider the data insecure and the names at risk. I assert that by the admission that the data was on the notebook in the first place, there is already a high probability that the data has been compromised. Let’s take a logical look at this. If the database exists on the notebook in standalone form, that means at a minimum it exists as an Excel spreadsheet, or maybe an Access database with a small GUI front end, or even possibly a standalone Oracle or MS SQL install that holds the data, but for 33,000 records I really doubt they have gone to that extreme yet. So if the data is an Access database or an Excel spreadsheet, how did it get there? Was it sent by cleartext email to an unknown number of accounts where it can be read or forwarded without issue? Maybe it was sent out to employees on a CD which is then used to install on the notebook, but then was the CD safely destroyed? The point here being that if they feel safe keeping the data in a standalone application on the notebook, then one can assume the data had already been disclosed prior to the notebook being stolen.

In the end this comes down to what FISMA, Sarbanes-Oxley, and every other federal regulation has been trying to establish. There are three critical areas when it comes to data storage. The first is the ability to limit access to allowed users with a need to create, view, modify, or delete. The second is to be able to validate and verify the integrity of the data so you can detect changes that make the data wrong. The third is to audit the data: you should know who looked at, changed, added, or deleted data at any time. Currently the easiest way to meet these three is to start with a safe infrastructure that holds the data. A notebook in an office is not a good start and shows a bad corporate stance. If you’re the CIO of Clear then you have a real uphill battle to get the trust back of not only your current customers but of those future customers, of which I will not be one. I also think it’s about time we stop trusting companies by default and start making companies show us that they are safe before we become customers.
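Those three controls are easier to see in code than in prose. What follows is an added example, not code from this post or from Clear: a small Python data-access layer (hypothetical names, a constructed key and a constructed sample record) that enforces a per-user permission matrix for create/view/modify/delete, tags each record with an HMAC so an edit made outside the application is detected on the next read, and writes every attempted operation, allowed or denied, to an append-only audit log. It also goes slightly beyond the paragraph by showing the whole-store integrity sweep an operator would run after a suspected exposure.

```python
"""Mediated record store: access limits, integrity tags, audit trail.

Added example; the store, users and key are hypothetical/constructed and do
not describe any real system.
"""
import hashlib
import hmac
import json
import time

# Constructed demo key. A real deployment keeps this in a KMS/HSM on the
# server side, never alongside the data on a notebook.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"

# Least-privilege permission matrix: user -> operations allowed.
PERMISSIONS = {
    "enrollment_clerk": {"create", "view"},
    "supervisor": {"create", "view", "modify", "delete"},
    "auditor": {"view"},
}


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


def _tag(record_id, payload):
    """HMAC-SHA256 over the record id and its canonical JSON."""
    msg = record_id.encode() + b"\x00" + json.dumps(payload, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


class MemberStore:
    def __init__(self):
        self._records = {}   # record id -> {"data": dict, "tag": hex string}
        self.audit_log = []  # append-only: who attempted what, and whether it was allowed

    def _check(self, user, op, record_id):
        """Log every attempt (including refusals), then enforce the matrix."""
        allowed = op in PERMISSIONS.get(user, set())
        self.audit_log.append({"ts": time.time(), "user": user, "op": op,
                               "id": record_id, "allowed": allowed})
        if not allowed:
            raise AccessDenied(f"{user} may not {op} {record_id}")

    def create(self, user, record_id, data):
        self._check(user, "create", record_id)
        self._records[record_id] = {"data": dict(data), "tag": _tag(record_id, data)}

    def view(self, user, record_id):
        self._check(user, "view", record_id)
        rec = self._records[record_id]
        # Verify before returning so a tampered row never reaches the caller.
        if not hmac.compare_digest(rec["tag"], _tag(record_id, rec["data"])):
            raise IntegrityError(f"record {record_id} failed integrity check")
        return dict(rec["data"])

    def modify(self, user, record_id, data):
        self._check(user, "modify", record_id)
        self._records[record_id] = {"data": dict(data), "tag": _tag(record_id, data)}

    def delete(self, user, record_id):
        self._check(user, "delete", record_id)
        del self._records[record_id]

    def verify_all(self):
        """Integrity sweep: ids whose stored tag no longer matches their data."""
        return [rid for rid, rec in self._records.items()
                if not hmac.compare_digest(rec["tag"], _tag(rid, rec["data"]))]

    def tamper_for_demo(self, record_id, field, value):
        """Simulate an edit made outside the application (hand-editing the file)."""
        self._records[record_id]["data"][field] = value


def demo():
    """Exercise all three controls on a constructed record."""
    store = MemberStore()
    store.create("enrollment_clerk", "m-1001",
                 {"name": "Constructed Name", "status": "active"})
    try:
        store.delete("enrollment_clerk", "m-1001")   # clerk lacks delete rights
    except AccessDenied:
        pass
    store.tamper_for_demo("m-1001", "status", "revoked")  # out-of-band change
    tampered = store.verify_all()
    denied = [(e["user"], e["op"]) for e in store.audit_log if not e["allowed"]]
    return {"tampered": tampered, "denied_ops": denied}


if __name__ == "__main__":
    print(demo())
```

The point of `_check` logging before it refuses is that a denied attempt is often more interesting to an auditor than an allowed one; and because `view` re-verifies the tag on every read, a record altered outside the application is caught on the next access rather than months later.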

D~

Posted by derrick in Blogging, Personal, Security

Sunday, July 06, 2008

Why do I hate Linux? (when really I don’t)

I have been accused of not liking Linux, mainly because I prefer to use FreeBSD or Solaris.

Now for the history part (if you don’t care about the history, skip this section).
The first Unix I touched growing up was AIX and AT&T Unix. With that and my Windows 3.1 knowledge I started to learn more about what I could learn when not at work. Back home I had Windows 3.1 machines and some OS/2, so why not find out more about Unix? It was then that I compiled and ran my first Linux kernel on a 3.5" floppy (yes, this is a long time ago). My employer at the time wasn’t going to give me an IBM server and a copy of AIX to take home and play with, so I had to find other options. For me Linux was great. I connected with it and I could use it at home. So I used Linux for a long time, compiling kernels, tweaking applications; I was a true adopter. Over time I had the opportunity to have a T1 into my company’s small office and was going to set up some servers. One server we were co-hosting was a SPARC 5 running Solaris. I was already familiar with Solaris and had set up a Linux server for basic mail and DNS and wanted to try something new. A friend of mine was running a white box router running NetBSD and a T1 card. This intrigued me, as Cisco routers were costly and this was another option. Wanting to know more and being cheap, I tried FreeBSD instead of NetBSD. So for many years I ran Linux, Solaris and FreeBSD, all very happy with each other.

What changed? In some ways OSes are like relationships. My relationship with Windows was OK; it ran most of my games and paid the bills. With Solaris I kept my skills up, and work also used it along with AIX, so I had a friend in the Unix world. Now Linux and FreeBSD I used only at my company, and they were good friends. We had moved up and were doing hosting of applications and websites. Those servers were making money and my friends didn’t require much of me. Then it happened: this OS that had been my friend, that stayed compatible when I gave it new hardware, didn’t use up all my money for memory, and ran applications with little downtime, that friend had betrayed me, opening itself up and giving away my system, bandwidth, customers’ data and everything to some cracker from another country. I had been faithful and patched, but that was not enough. A memory hole had allowed a web application to let someone in, and then they elevated to root and used my system to spam. Now that is the overly dramatic version. In reality it was 4 days of my life with no sleep and it made me very unhappy. Everything on that server moved to the FreeBSD one and I had no more issues.

Today: Well, I could say that FreeBSD has a better network stack, but I can’t find the data to prove that like in the old days. I could say that Solaris is a better commercial Unix OS than Linux, but really that would be hard to prove. In the end it comes down to preference. I stopped using OS/2 because they stopped making it. I stopped using my Amiga for the same reason. I have nothing against Linux other than that at one time in my life it scarred me. Since then I have preferred FreeBSD for small systems and shops or where cost is an issue. For anything larger or more commercial I prefer Solaris, as the customer can have full support. In the end I even agree and prefer that there are times where Windows is the right choice of OS. The difference here is that I don’t miss anything by skipping Linux and using FreeBSD or Solaris. If I did, then for that I would use Linux. I think it’s important to note that we have so many good choices, and really I don’t hate Linux; I just had a bad personal experience. Will I use Linux again? Yes, if the need is there then I will.

D~

Posted by derrick in Blogging, Personal, Security, Unix