Will Another President Call?

I read with interest the New York Times article Lose the BlackBerry? Yes He Can, Maybe. It mentions how “like legions of other professionals, Mr. Obama has been all but addicted to his BlackBerry. The device has rarely been far from his side…” It brought to mind another new administration, and another set of requirements.

Late in 1992, DARPA contacted one of its contractors, Trusted Information Systems, Incorporated, in Glenwood, MD. TIS had previously, and was at the time, working on DARPA projects, as well as projects for NSA and NIST. DARPA basically wanted to know if anyone at TIS knew anything about Internet Firewalls. Well, it just so happened that both Marcus Ranum and I had recently left DEC for TIS, bringing our experience with the DEC SEAL (Digital Equipment Corporation Secure External Access Link) to TIS.

It seems that the incoming (Clinton) team was used to using laptops and Internet email, and found in the Bush (George H. W.) “IBM Selectric Typewriters.” The question from DARPA was basially, could we propose a way to secure the administration’s laptops and desktops, and could we put the White House on the Internet? (I know this seems quaint now, but Intenet Firewalls were relatively unknown in 1992 except for the handful of places and people actually playing with and developing them.)

A very small team of us drew up the design and achitecture and very small band of programmers coded it (originally 1, Marcus, and then 2-3 others were added). The design for the whole system proposed is in the February 1994 paper, A Network Perimeter With Secure External Access. As with all good research, after it was done the operational customer—the White House—only made use of the firewall gateway.

Reading the above-cited NYT article, I cannot help but think that some of what President-elect Obama wants (I almost wrote “needs”) is able to be done. Organizations like DISA and DARPA know what COTS solutions would be required. But, I suspect that it will never come about. Too much government in the way, I suppose. It is not a technical problem that will require President Obama to hand over his Blackberry®.
Further reading:

There is still a boarding-pass loophole

Three years ago, I blogged about the uproar when someone actually used a home printer to fake a boarding pass. I was dismayed that in the uproar, it was clear that this was news to lawmakers and the TSA. I wrote, “Only the computer illiterate will be surprised that the boarding passes you print out on your home printer can be faked. I don’t expect members of Congress to be computer or technology experts, but even if their eyes and brains don’t tell them this, don’t any of them have smart, computer-savvy aids with a clue?”

Well, apparently they are close to Closing that Boarding-Pass Loophole.

Three years. A lifetime in government programs.


More on Phishing from Dave Piscitello

Previously, I’ve “promoted” work by my friend and colleague, Dave Piscitello. I mentioned both him and Radio Free Security in Router Rooter

Recently, in Dave’s blog, Security Skeptic, he has talked about phishing in Making Waves in the Phishers’ Safest Harbors and Phlavors of Phishing


The world is shocked! The Washington Post was biased towards the Democrat!

I just found this amusing in a “no duh, Sherlock” kind of way. (Yes, I know that’s not really the phrase.) The Post’s Ombudsman, Deborah Howell, just reported, “An Obama Tilt in Campaign Coverage during the period November 11, 2007 through November 11, 2008.

I look forward to reading what they intend to do about it going forward, but it is kind of like someone noticing that NPR is biased towards liberal, Democratic candidates.

“Risk” defined

In the network and computer security field, we frequently discuss threats, vulnerabilities, and risks. (I have always liked Dr. Peter Tippett’s “Risk Equation,” which I lay out in NetSec Letter #33.)

In its Special Publication 800-39, NIST defines risk thusly:
A measure of the extent to which an entity is threatened by a potential circumstance or event. This extent is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
The definition is in the current drafts of SP 800-39 and SP 800-30 Rev 1. What do you think of it?