I try to read the blog of Dave Hitz, one of the founders of Network Appliance, and while I don’t link all the time I found one of his entries pretty on topic.
Like my title above, Dave stole the most provocative words from his post to stir interest. His post is titled, “Beware of Cyanide Gas“.
Another fine example of security is such an arms race. I recall talking to clients just a couple of years ago and the standard was that server disks should be wiped and then destroyed. That is still the standard, but the definition of destroyed keeps moving on us. Dave points out the ridiculously small slivers of intact disk platter needed to read data and the reaction of one our our more security conscious customers was, “I guess we will have to add an acid bath after we sledge them…”.
A big part of this battle is just staying in formed on what can be done and then figuring out whether you care or not. If you have passwords and huge databases with Social Security Numbers or Credit Card numbers then letting someone read even one sliver of the platter may be disaster (though small by today’s standards as massive security blunders go).
Always think about the level of response based on the threat. If a serial killer escapes in your neighborhood then you are justified to double the locks on the doors and get a bigger dog, but if they escaped 3,000 miles away from you with no history or indication that they would come looking for you then you are overreacting. If you apply these same standards to your electronic response then you will probably come out alright.
Lastly, as always watch out for the cyanide gas!
Monthly Archives: November 2005
Physical Defense
I had a conversation with a friend of mine recently about the physical protection of his home. I have a bit of a reputation as a gun enthusiast that is somewhat earned. What surprised my friend and got him to urge me to post this entry is that my advice was a surprise to him and something he admits he had never heard before from anyone.
The issue wasn’t computer or even company security, but security at home. How do I protect my family in a world where convicts escape, kids kill and home invasion is a common occurence? I do have weapons including an AK47, but they are not ready at a moments notice. I have kids so I have bolts out and disassembled, ammo stored away from the weapons and trigger locks (in the case of the AK there is a cable locked through the barrel). I can’t just run and grab one of these weapons for the defense of my home and that works since that isn’t my plan. We have 3 dogs who average about 70 pounds each and should they alert me to a problem I am most likely to grab my paintball gun or a wooden sword to join the fray. If I confront an intruder in my house with a paintball gun then there are several advantages. I won’t be having rounds going through walls and hurting my family or pets, I won’t be causing a fire or water damage with paintballs, but if I put 20 rounds into someone at close range they will be down. Anyone who has played paintball knows what I mean, especially if they have been hit from 10 feet or less (not recommended). I live in NH which means that I am unlikely to be prosecuted should I kill someone invading my home, but why make killing the person a goal? I view it as impossible for a court to convict someone if they choose an obviously non-lethal weapon especially when given more deadly alternatives.
I know this seems to be off the topic of security as it relates to technology, but if you have been reading my posts you know that I don’t see a distinction in most cases. Security is security. I would welcome your comments on how this concept (well recieved by all I have discussed it with) might apply to technical security. I will reserve my analogies for now.
Sony writes a RootKit
Mark Russinovich is a brilliant guy and likely not so popular with the people at Sony these days. Mark was testing out some root kit detection and removal software and discovered that in their exuberance to implement Digital Rights Management Sony has created a very ham handed solution that behaves more like a rootkit than some of the very worst actual rootkits out on the Internet.
Read Mark’s Blog which details his discovery or go to theregister.co.uk article that summarizes it. Good reading about bad code!