How Much Privacy Are You Willing To Give Up For A Job?
Sep 10, 2007 12:51 perm link Readers: 1623

I just turned down being interviewed for a contract position due to the client's demands for an invasive examination of my life which even exceeded what I had to do for a Secret security clearance.

Here's what they wanted me to fill out before a phone screen was even done:

  • The usual employment stuff
  • Detailed job history
  • Authorization for investigative consumer report (salaries, lifestyle, friends, etc)
  • Authorization for credit check
  • Authorization for drug testing
  • Authorization for fingerprint and criminal background check

Every form had my address/social security number/birth date on it and would likely be faxed to some subcontractor. There were no assurances of protecting my privacy on any form. Faxing these forms to the recruiter would open me to all sorts of identity theft since I have no way to measure the honesty of everyone in the chain (or even know who they might be).

I can understand an employer/contractee's need to verify that I am not a crook or likely to steal something after making a tentative agreement to hire me, and then where I have at least some idea of who is in charge of the information (like an HR department).

In the early 80's I qualified for a Secret Security Clearance from the DOD, and it actually had fewer requirements than this simple contract (which is not a defense company, just a financial services company like ones I have worked for in the past). In that defense job I was hired and then began the clearance process (although I had the clearance I never actually needed it). The FBI did all the work; whatever you might think of the government, at least they already had all the info I gave them.

So I've said no to this one. Unless they decide to change their tune (sometimes people make demands they are willing to negotiate on), I will continue to work with other contract options that are less invasive.

I have nothing to hide that would concern anyone, but defending your privacy and personal information is all about avoiding giving others the opportunity to rip you off. You have to balance giving out enough to satisfy a reasonable request against the risk of losing your identity.

I'm not willing to risk all for a chance at a job.

  • Riccardo: Sep 11, 2007 07:51

    You're absolutely right!

    Those requests were simply put INSANE! No way I'm gonna give all this info to one I don't even know before (!) having even a phone screen!

    Regards,

    Riccardo

  • Jason: Sep 11, 2007 07:58

    Good for you for sticking to your guns.

    I had a similar experience recently with a large financial institution. The worst part was that it was only for a two-week contract engagement. It would have taken longer to get the results back than to complete the work! But they were unwilling to budge and I walked away the same as you did.

  • NoLiveTv: Sep 11, 2007 08:33

    Invasive? Insane? You can't know. It is the company's choice to ask for it and it is your choice to refuse to submit it. The reason why they have the policy is unknown to you, but may be very reasonable from their perspective. For instance, the company I work for once hired a subcontractor who had 7 outstanding warrants for his arrest. When he was fired for blatantly violating software license in a way that would have exposed the company to nasty lawsuits, he social-engineered his way back into the office after hours and stole a bunch of company and personal property. My company successfully sued the subcontracting company for damages+. So I imagine the subcontractor now does background checks on whomever it hires.

    They are probably willing to lose a few potential employees to it. I would expect that if so many interviewees refused like you did, then they might change their policy, or even change their salaries so that the trepidation over potential identity theft is overcome by the actual rewards of submitting oneself to that potential. That's how the market works.

  • codist: Sep 11, 2007 09:28

    I do understand why they do this for hiring, the objection is having to give out this information before any contact is made. Once a contract is in place you at least have some fallback if they screw up.

  • Danno Ferrin: Sep 11, 2007 11:10

    Secret clearance is nothing. They basically check to see that you are not a paroled felon and do a credit check to see that you don't have crushing debt that can be used to blackmail you. And secret basically gets you on base and allows you to clean the toilets.

    To do most anything worth getting cleared for requires Top Secret, and at the lowest background check levels they ask for more than you listed, such as medical histories (for mental illness) and such.

  • Stephen: Sep 11, 2007 13:02

    Does that mean there's still an opening?

  • JGM: Sep 11, 2007 14:05

    Good for you. I can see that portions of this would be fine in and of themselves once you were hired, but just to do a phone interview? I'd hate to think about what it would be like actually working for them. Daily frisking and body cavity searches? Unfortunately for many of us, there is no real incentive for companies to be realistic about their expectations in situations like this. There is always someone who is desperate enough to just submit.

    @Danno Ferrin - I don't know about what kind of bases you've been on that need a secret clearance to clean the toilets, but as someone who at different times has held confidential through top secret clearances, there is a lot going on even at the confidential and secret levels, and the background wasn't nearly as invasive as described in this article.

Will Industry Ever Learn, Copy Protection Never Works
May 01, 2007 13:21 perm link Readers: 708

All the storms today about the infamous HD DVD key seem like old news to me. Copy protection has never worked, and as far as I know, never will.

In the olden days (early 80's) game manufacturers first started putting weird hacks on the floppy disks that their games came on. Usually they would take advantage of odd hardware features to try and subvert the ability to duplicate and run the disk. One scheme would work for a while until someone found a way to defeat it, and then a new one would appear. That too would be defeated, and so on it went.

The problem with any such scheme was that the software at some point would have to actually run in the computer. You couldn't really hide it all that well. Sometimes people would have simple code in their games to check for passing the complex copy protection.

if (pass)
{
  playgame();
}

This of course was a laughable bit of code to circumvent.

Over the years companies have tried virtually every kind of scheme since then, and without exception all have eventually fallen. As long as you have to (or it can be forced to) run the code on a computer it will be found. The whole idea of having a single key for all HD DVDs is itself laughable; it's like having a single key to all the houses in the country; lose it once and everyone's unsafe.

Only a complete fool would expect this to be kept secret.

Then again we are talking about the MPAA and their good buddies the RIAA, for whom bad sense would be an improvement. Today their lawyers are trying to deliver cease-and-desist letters to every site that even points to an article with the key in it (i.e. Digg, Google, etc.). Yet the more they try the wider spread the key gets. The more they try the funnier it gets as well. This is the best kind of security theater.

You can't order the internet and its users to cease-and-desist and expect it to happen. Even governments try and fail.

Maybe these folks should check out a little history and discover the title to this article is old hat.

  • somedude: May 01, 2007 13:24

    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  • : May 01, 2007 16:38

    Know what? Bank safes never worked either. Laughable against oxyacetylene torches and nitroglycerine.

    Yet banks still use them. Beats leaving the money out on the streets, protected solely by laws against taking it.

  • damian.nikodem: May 01, 2007 17:21

    Lol.. If there's money left on the street there's no law against taking it...

    I'd consider the HD DVD Key (and to a lesser extent CSS) to be a step or 2 up from something that you can circumvent with 1 well placed 'no-op' and a hex editor...

    As for creating unbreakable copy protection.. it's not really that hard, it's just expensive. All you have to do is make sure the end user (or a determined hacker) cannot run any executable code on your 'player'.. Then embed all the logic of your entire player on a single microcontroller and if there is a 'programming interface' still left for it then it should be disabled in the factory or have those pins 'removed' before it reaches a customer..

    so... You would need to stream 'raw' data directly from an HD-DVD directly to an IC that could then drive a TV or monitor... All the actual decoding happening away from the PC's CPU/RAM block would make it mighty difficult to reverse engineer the algorithm, but because it can be played in some form then it's still rather trivial to dump a movie out in analogue form and re-digitize it on its way back in, but it would make it difficult to get the 'perfect digital' copy as it would have to go through a D-->A and then an A-->D before being compressed and considered 'copied'....

  • Paul: May 02, 2007 08:07

    The bank vault is a poor analogy. If a bank vault was broken into and emptied, the bank would replace the door and instigate extra security. Only that vault would be compromised, and only once. You wouldn't have to upgrade every vault in the world, and once repaired, the cracked vault would be at least as secure as it was, requiring a completely new effort to break it a second time. Even if you were stupid and left the keys or access code lying around beside the door, only that one vault would be vulnerable, and once the break-in was discovered, the lock could be changed.

    Compare that to DRM and software protection schemes, where one out of the millions of copies or players is compromised, causing EVERY copy of that product, or every single player, to be compromised too. You can't just "change the locks" because every copy or player in circulation would have to be replaced or upgraded. Even after doing all that, the cracked copy is still available; it will have been stored somewhere, and put online all over the place (and trying to track down, let alone shut down, all the warez sites and stored copies would be nigh-on impossible). With DRM and copy protection, once broken means forever broken.

    The only thing copy protection achieves is to delay the inevitable, and seldom for very long. The harder you make it to break, the more intrusive it becomes to the legitimate purchaser, but eventually it will still be broken.

    For something like a DVD movie, a music album or a software package, the protection will be broken long before the product's lifecycle ends, unless it's made so intrusive that your customers leave in droves anyway. Current DRM schemes are a hair's breadth away from "too intrusive" for the average consumer.

  • c: May 03, 2007 09:27

    Actually Damian, there is a law against taking money left on the street especially if you know it belongs to the bank - it's still theft (at least in the UK it is).

    It only becomes OK to take it if you can't take reasonable steps to find out who owns it and return it to the rightful owner otherwise it's dishonest appropriation.

  • Kevin: May 04, 2007 09:07

    Isn't it obvious to everyone that they WANTED the key leaked?

    In order to go to congress and ask for legislation protecting them, they have to be able to show the only way they can protect themselves is through legislation -- having exhausted all other alternatives.

    It's a win-win for them.

TJX - Insecurity Through Stupidity [CARTOON]
Mar 30, 2007 09:49 perm link Readers: 1435

The news from TJX (Parent of TJMaxx and Marshalls Stores) keeps getting worse. Not only were records from 45 million people stolen, it apparently went unnoticed for 18 months and was only found by accident.

Pardon my humble drawing skills, but I felt like drawing a cartoon, given the cartoonish nature of their security practices. (Yes I misspelled TJ Maxx).

Apparently the hackers were highly organized and were able to install software onto their transaction systems in order to capture the unencrypted information being sent to the card processor (I would guess by stealing or intercepting the logs which appear to have been left undeleted). There is also a mention of them getting access to whatever system they were using to decrypt the data that was encrypted.

How is it possible that someone can install software on your transaction systems and no one notice it? Did these people have any data security people? Did they routinely hire a security auditing firm to check up on their systems? I can understand home users having no security but this is a 16 billion revenue per year company. "Cmon in ya'll help yourself" is great for a store but not for a data center.

I can understand this a bit more after working at a financial services company; although it didn't really process card transactions (the bank outsourced this) the bank did offer credit and debit cards and that side of the house did have to track them. During my stay card numbers that did move in the network were finally chopped before transit (for display in the customer portal). However other personal financial information resided unencrypted in the AS/400 and also moved around into various other systems. There was a great deal of talk about data security but at the point I left there were still many questions on how to actually implement it. They did, however, spend an inordinate amount of time protecting the PC's against viruses.

I never put my money in the company's investments or the bank.

An interesting comment from a cio.com post:

I worked there for three years. During that time it was made clear to me, more than once and by Paul Butka (now CIO), among others, that while TJX was writing policies regarding data security, the policies were not to interfere with the speed of any software rollouts. Repeated suggestions that we hire QA people to test our security were ignored.

This mirrors the kind of thinking I have seen in my previous job. Security is very important, but not as important as business as usual. Maybe now people will take it seriously?

How can you ensure your company won't wind up in the same discussions as TJX? For one thing, security is not an isolated concept; you have to consider it over the entire organization. If your organization touches sensitive customer data, you must not only look at security practices before, during and after development projects, but also hire competent outside security auditors on a regular basis to test everything. It's not rocket science but it is hard work, and not cheap.

I once worked briefly at a university where the web single sign-on system exposed users' passwords in the URL, which no one noticed until I showed up. Another thing they were doing was to expose database ids unencrypted in URLs (and using GET for write operations). The system in question was used by all parts of the university to verify that state money was correctly spent and was a requirement for the university to be paid. With the naked database ids I could sit there in the browser and delete the entire database. Lovely. I tried to convince them to hire an outside auditor to look for other problems, but it was a short contract and after I left I never heard if they did.

Of course the university example was obvious (to me anyway) and easy to fix (I encrypted the id's shown based on the session and rejected non-matching ids, a quick way to fix the problem).
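
One way to get the effect of the fix described above, as an added example that is not the code used at the university: instead of encrypting ids, it swaps in a per-session table of random tokens, so URLs carry no database id and any value the session did not issue is rejected. `Session`, `handle_delete`, `demo` and the sample records are hypothetical names and constructed data.

```python
import secrets

# Constructed sample rows standing in for the application's table.
RECORDS = {101: "expense report A", 102: "expense report B", 103: "expense report C"}


class Session:
    """Server-side session state holding this user's opaque record references."""

    def __init__(self, allowed_ids):
        self.allowed_ids = set(allowed_ids)  # records this user is authorized to touch
        self._token_to_id = {}
        self._id_to_token = {}

    def ref_for(self, record_id):
        """Return the opaque token to place in a URL or form for record_id."""
        if record_id not in self.allowed_ids:
            raise PermissionError("record is not visible to this session")
        token = self._id_to_token.get(record_id)
        if token is None:
            token = secrets.token_urlsafe(16)  # 128 random bits, valid only in this session
            self._id_to_token[record_id] = token
            self._token_to_id[token] = record_id
        return token

    def resolve(self, token):
        """Map a token back to a record id, or None if this session never issued it."""
        return self._token_to_id.get(token)


def handle_delete(session, method, ref, records):
    """Process a delete request and return an HTTP-style status code."""
    if method != "POST":
        return 405  # write operations are not served over GET
    record_id = session.resolve(ref)
    if record_id is None or record_id not in records:
        return 404  # raw ids, guesses and other sessions' tokens end up here
    if record_id not in session.allowed_ids:
        return 403  # authorization is still checked; the token only hides the id
    del records[record_id]
    return 200


def demo():
    """Run the rejected and accepted cases against a copy of the sample data."""
    records = dict(RECORDS)
    alice, bob = Session([101, 102]), Session([103])
    ref = alice.ref_for(101)
    return [
        handle_delete(alice, "GET", ref, records),     # write attempted over GET
        handle_delete(alice, "POST", "101", records),  # naked database id
        handle_delete(bob, "POST", ref, records),      # token from another session
        handle_delete(alice, "POST", ref, records),    # token issued to this session
        handle_delete(alice, "POST", ref, records),    # replay after the row is gone
    ]


if __name__ == "__main__":
    print(demo())
```
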

You look at TJX and it just is amazing to me how this went on for 18 months! Imagine how many other companies may be in the same boat and either don't know it or refuse to tell anyone.

PT Barnum's famous saying (which he apparently never said) was "There's a sucker born every minute...and two to take 'em." Whatever you are, don't be a sucker because there are two hackers out there to take you out.

  • Masiosare: Mar 30, 2007 13:58

    Sending variables using Get or Post is not really different in security terms. You can fake post variables almost as easily as Get variables.

    For example, if you use this one line in your browser, in this page, it will change the hidden input which contains the post number to 1 in the comments form

    Javascript:alert(document.forms[0].postid.value = 1);

    You should point that out in your article. Post or get makes no difference security wise. To HTTP, everything is just text :)

  • codist: Mar 30, 2007 15:48

    Of course, in the university case either one was bad no matter the HTTP method. It's just the GET is so obvious.

WTF Stories #2: Here Little Virus, Virus
Feb 22, 2007 08:14 perm link Readers: 16319

What could be worse than a computer virus infection? How about a mother-of-all-virus-checkers infection? Note that this story is true despite its unbelievable details.

The day known as Black Wednesday started innocently enough, 600 employees' PCs humming away, running McAfee version 7 which, although occasionally irritating, was not causing much trouble. The company had had no virus infections since I started working there so our internal security seemed to be working. Then at 12 noon our dear beloved Network Operations group (please note the sarcasm intended) without any warning turned on the Windows XP automatic update and simultaneously auto-updated McAfee to version 8 for all non-production computers and servers.

The whole company ground to a halt.

Every PC tried to collect and install around 70 updates to Windows (requiring multiple restarts) and install the new version of McAfee (with all of its various parts) all at the same time. The network was overwhelmed; even our external web presence stopped working (our internal and external network traffic shared the same bottlenecks, don't ask). The lunch people were unable to supply lunch (their POS PC froze). Customers couldn't be served and our field staff was unable to create orders; basically the whole company went dormant for the rest of the day.

The rest of the Java team and I went home that evening assuming things would work themselves out by the next day. We were wrong; the hell of the coming months started the next day.

Our Java team used the usual Java tools such as Eclipse, IntelliJ, Weblogic Workshop, DBVisualizer, and Weblogic. In Java, every piece of code (and often associated data) is packaged in JAR, WAR and EAR files, which are specialized versions of ZIP files. Everything you do in Java involves reading and writing these files, both when running Java applications and building applications. In all cases these files are read by the Sun Java runtime, and executable code is limited to valid and secure Java bytecode, not native code.

The Network Operations folks had turned on every feature in the new McAfee, including the dreadful "Uncompress compressed files" setting. All of our Java development was stopped virtually dead in its tracks. Every access of a JAR, WAR or EAR file now caused the computer to freeze as McAfee opened the file, uncompressed its contents, scanned each file inside, and then only returned control to the application once it was complete. During this time the CPU was entirely utilized by McAfee, which was set to high priority. Launching your IDE usually took a few seconds; now it took 20 minutes. Some application builds took hours (especially with the weblogic.jar file, which was enormous) instead of minutes. Just typing in your IDE was type type type, wait 2 minutes, type type type. It turned your PC into a single-tasking computer circa 1979 running the full Windows XP.

At first we thought it was simply a configuration error, and reported it as such. Network Operations said it was working as intended. We had to blink; this made no sense. Every Java developer was getting about 1 hour of work done per day at best. Being engineers we figured out what feature of McAfee was causing the trouble. We couldn't turn it off; it was locked. We complained to our management, but Network Operations was more highly regarded in the company pecking order, and they simply said we were whining and the company's safety versus virus attacks (even though we had never had one before) was more important. We argued that native code viruses hiding in Java JAR files couldn't be executed by the Sun runtime and that there were no such viruses.

So they said (to everyone) we know of many Java viruses in the wild. Given that we had done an exhaustive search and found nothing, this was unbelievable so we demanded a meeting. The head of the NO department said (to a roomful of Java engineers) that he had a list of 500 Java viruses and that was the basis of why this was being done. No matter what we said he said the same thing over and over.

After the meeting I challenged him to turn over the list to us but he passed it off saying the head of Security was assembling the list. This guy never returned any messages (what could he say, he really worked for NO). Later one of the NO employees said that they had typed Java into a virus checker company search form and found 500 hits. Really. We looked and the only actual viruses were in the ancient Microsoft Java runtime, which only ran in IE, and only for applets. Pointing this out to everyone made no difference. The NO had spoken.

This went on for about 3 months (I had just started a project that should have taken a couple weeks and it dragged out over the whole 3 months) before we finally got our manager to suggest that we hire an "expert" to come in and suggest some kind of improvement. NO agreed but only if we paid for it, and they were allowed to pick the vendor. This was approved and so they hired an "expert" who turned out to be the vendor whose main customer was the NO group. His "analysis" said to turn off the compressed file option, but only for those employees who would run their PCs as ordinary users and give up their administration rights. Say what?

For those who don't do development on Windows XP, everyone runs as admin since ordinary users don't have enough rights to make any changes in their environment. It can be (painfully) made to work for simple Word users, but for programmers it's impossible. So now we had paid for the "expert" and it would look like we were just whiners who didn't want to get any work done if we didn't acquiesce to this. So we had no choice. First they wanted to test the choice so a few Java developers (and the QA team) lost their admin privileges.

Let me also add that this was not just affecting the Java team, though much worse. Our DBAs used DBVisualizer which is a Java application, and even they had trouble getting anything done. It didn't help that people like our "Enterprise Architect" said he didn't understand why we were whining, since it didn't make his computer any slower (he only used Word and Powerpoint). Some ordinary users reported virus infections as their computers were sluggish and stalled at times (no one ever told them about the changes) but were told it was nothing.

Upper management didn't seem to care or understand why the Java team had so much trouble getting any work done. After all, the production servers still ran as fast as usual (still running McAfee version 7, yes our production servers ran virus checkers!) and their PCs seemed OK. The web systems folks were also in pain, as builds took all day (and often they turned off the virus checker, despite warnings of firing). Many of our test and QA systems were built with multiple copies of VMWare, thus they ran terribly slow as each virtualized system ran a copy of McAfee 8.

Anyway the admin rights turned out to be a disaster as well, as we could no longer install software, even a Java runtime upgrade was impossible. The QA team would not even install our C++ applications to test them. Every install required filing a ticket, waiting for someone to get around and do it. The support staff was overworked now as well.

It didn't matter, viruses were everywhere, security was more important!

The "test period" went on for months as well, nearly a year later not everyone was even "upgraded" to the new option, which itself was terrible. However by that time I was gone, and a flood of other senior people left as well. Eventually the departure of so many valuable people was enough that upper management finally told the NO team to start caring.

Of course I no longer cared.

In this entire time not a single virus was ever caught anywhere in the entire software development area. I never heard of any computer actually spreading a virus anywhere in the company. And of course our production servers still ran McAfee 7, so the argument that McAfee 8 was necessary was itself silly.

The real irony of this whole story is that it's the same company in WTF #1:It's Not The Database Stupid.

  • Michael Chermside: Feb 22, 2007 09:29

    I'd just like to say that my company has the same stupid policy. They too insisted on scanning every jar file that was touched by any program. And it did indeed make it nearly impossible to get work done. The first solution was to buy *very* powerful (and expensive) PCs for all developers... but that didn't really help. The next solution was to switch to Windows XP (previously we were using Win2000). Apparently somehow Symantec (that's what we use) didn't behave the same way running on Windows XP. I believe it is still out there trying to scan every .jar file, but it doesn't take over the whole PC to do so.

    Unbelievable, but true.

  • Tristram Brelstaff: Feb 22, 2007 12:41

    I've often thought that McAfee was one of the best arguments in favour of Linux.

  • Iain Delaney: Feb 22, 2007 14:44

    Please, please! submit this story, (or a version of it) to www.theDailyWTF.com. More people need to hear this.

  • Saskia: Feb 22, 2007 15:45

    Isn't it easier to just use Linux and do (Java) development on that? If you aren't allowed to install it directly, just install VMWare and run Linux with all your Java tooling inside that. Alternatively, boot from a live CD and keep all your settings and installs in a virtual HD file that you store on your windows filesystem.

  • codist: Feb 22, 2007 16:33

    That would have made sense, but that's not the way NO worked.

  • Scared..: Feb 22, 2007 16:54

    Wow. Can you PLEASE at least give us a HINT as to which company this is, so I never even consider working for them?

  • Matt: Feb 22, 2007 19:30

    I've been in similar shoes before re: Admin rights. At one company we were told they were going to use our department as the Guinea pigs to test no admin. Thankfully they gave us that warning... we immediately added a DB2ADMIN user (with Admin rights of course) to each developer machine. I was the only person actually using DB2 for testing, but the Network guys didn't need to know that. ;)

    Unfortunately I've been in other shops that had also blocked admin, and I could not fall back on my old tricks. In fact the machine I got was once used by someone who DID have admin, and had somehow secured just about every file under his user, causing me all sorts of pain. I had to make a request every time I found a file that was secured improperly... it was weeks before I had things set right.

  • GUI Junkie: Feb 22, 2007 23:31

    Same thing happened here. We were using Eclipse and the whole build cycle came to a halt. Somebody told me Eclipse uses some overflow mechanism to optimize the compile process which triggers the antivirus to check.

    We tried to convince the IT department to change the virus settings. Very similar to your story: ‘No problem here’ reactions.

    Up until this day, I go to the Services, select McAfee and stop the virus checker. I repeat this every hour as the virus checker starts again, and again...

  • Nuri: Feb 23, 2007 06:48

    GUI Junkie - you could write a service of your own that watches McAfee and shuts that service down if it's ever active. You can even have this new McAfee-watcher run using your credentials.

  • martin: Feb 23, 2007 08:49

    I don't believe that a bunch of developers with local administrator rights are not able to get rid of something like McAfee.

    Stop the service

    Change registry settings

    Fake network traffic

    You have so much time to find a creative solution.

    *shaking head*

  • codist: Feb 23, 2007 09:28

    Believe me we tried every creative solution. We wrote services, we wrote applications to drop the priority, etc. Everything worked for a while before they caught on and deleted the applications remotely or threatened us with firing. Every action on our PCs was logged. We had no rights to terminate the services involved. 12 people devoted a lot of time spent watching the computer spin to finding a way around this. Once we lost admin rights there was no hope at all.

  • Masiosare: Feb 23, 2007 13:27

    For other people with the same situation... you can change file permissions so not even McAfee can read it, so it can disable the antivirus even if the interface says otherwise.

    Stealth enough so you don't have to run new processes and don't get caught by admins...

    Just don't tell my network admins =P

  • FostWare: Feb 23, 2007 17:29

    Ask politely to have your machines VLANed and firewalled off from the rest of the network...

    While the admin for a NOC, I separated and firewalled each department and gave certain groups (like devs) a little more autonomy.

    I had to... the CSRs took laptops to mine sites for week long stints. Even after a quarantine virus scan, we could not guarantee the machine would not do something stupid on the network (Internet Connection Sharing or alternate AD domains were always favorites).

    Network segregation was also necessary, as we had managed accounting systems for clients on servers in our NOC.

  • codist: Feb 23, 2007 20:24

    Our network had no internal firewalls, although it could be partitioned in some fashion, it would then allow no access to any of the databases needed for development (such as the AS/400). Again, we went through every gyration you can think of but none worked.

  • AdrienMerridiah: Feb 25, 2007 10:57

    Wow. That's really crap. I feel sorry for you. That would drive me insane. I would have quit months earlier.

  • Fab: Mar 09, 2007 09:02

    Honestly I don't know what to think about that - I have been confronted with unreasonable IT policies and sub-competent people, but at some point someone should be able to stand up and be a little bit confrontational. Something that upper management understands very well is cost; if your manager is not willing to plead your case, go over his head and do the same thing until you find someone who listens and understands you.

The Codist Confronts a Burglar Breaking Down His Door
Feb 20, 2007 16:16 perm link Readers: 1077

I happened to be home today when a burglar kicked in my front door (the usual mode of entry for home burglars in the US). As I came running out of my bedroom I yelled in my best imitation of a police officer's command voice something unoriginal like "get the hell out of here". He slammed the door shut, ran to his car and peeled off.

My home does not have good front vision, so I could tell the car's make and approximate description but no license. I did get a glimpse of the culprit but not good enough to ID him. The police dusted my door for prints (finger and shoe) but I doubt it will lead to any arrests.

My home has the neighborhood watch sign out front, signs indicating a security system everywhere (and I do have one). Even with all I know about computer security, I should have been more aware of the vulnerability of my front door to brute force. Sometimes the most obvious issue in securing a system is not stopping the clever hacker but the guy who steals a laptop or breaks into a server room. I have read many stories of ATM machines being dynamited to gain access but a recent discussion led to the realization that many ATMs still have default passwords and can be broken in the easy way.

Of course if I had had a loaded gun the guy might be bleeding away on my front porch so I'm sure he was shocked I was home (he knocked but I didn't get out of the bathroom for a bit) and he got away. In Texas we have the total right to defend our homes with deadly force (not true in every reader's country) although I'm not much on firearms.

The lesson learned is that security begins at home (!). Or maybe the real lesson is that security has to be a total effort in any system, you can't just defend against a few things and leave other access points open. It's the one you didn't consider or ignored that will get you.

  • IT: Feb 21, 2007 15:17

    Congrats on being able to keep your cool.

    Have you seen the new bill proposed in your state making it easier to defend yourself?

    Texas just keeps getting better and better.

    http://www.libertypost.org/cgi-bin/readart.cgi?ArtNum=177662

  • vloxy: Feb 22, 2007 19:30

    The only security you need is insurance. Buy some.

  • Ray: Feb 23, 2007 11:03

    Hadn't this happened before?


Copyright © 2007 By Andrew Wulf