Friday, August 25, 2006

Air Marshals Can Dress Like Us Now

Air Marshal Dress Code Changed Aug 24th - 7:23pm By LESLIE MILLER Associated Press Writer WASHINGTON (AP) - Air marshals were told Thursday they will be allowed to dress the way they want and choose their own hotels in order to protect their anonymity while on missions. (WTOP News)

Wow! Now this is a good thing. There is no question that security (if you want to call it that) was more of a joke when you could play pick the Air Marshal out of a crowd. That some people actually were taken in for questioning for doing this in days past is even more satirical of the entire process. The Air Marshals have a job to do and to be effective, they have to be anonymous. Being forced to conform with some arbitrary dress code that did not conform to what was actually being worn by the traveling public was just another example of the bumbling attempts to implement security, not to mention possibly jeopardizing the lives of the marshals.

That they can now do their job without additional, unnecessary risk is a good thing. Let us hope that it continues this way.

Thursday, August 24, 2006

No laptop? Big problems

That won’t fly: How new airplane rules could affect you By M. E. Kabay Network World's Security Strategies Newsletter, 08/22/06 Not having your computer with you on a transatlantic flight may change your perspective on the productivity costs of international travel. I recommend you bring a good book, because you sure aren't going to be answering e-mail, writing that management report you intended to finish, or even watching DVDs or listening to CDs or your iPod. And forget the sound-suppressing earphones: I don't see those on the approved list, either.

This insightful article came out early this week and I thought it put rather a fine point on the current and potential future security decisions being made by those who are trying to secure air travel and the dangerous slope we are now standing on. Hop down two entries to see my major objections, but let us investigate this for just a moment.

If you think that the costs of air travel are borne on the backs of tourists, you are dead wrong. In fact, the touring public almost gets a free ride (the current price of airline tickets notwithstanding). While Mr. Kabay is highlighting the issues associated with international travel, I would argue that, if restrictions, both those currently in effect and the potential restrictions of limiting or eliminating all carry-on baggage, regardless of content, remain, then airline travel as we know it today will cease to exist because businesses will not check laptops in checked baggage without some guarantee that they will arrive at their destination. And that is not likely to happen. Why? In case you have not been paying attention:

- you can no longer secure your bags. Oh, sure if you have a TSA approved lock, you can slap that on. And for 10 bucks on-line I can buy a set of keys for those "secure" locks. But TSA also says that they cannot guarantee the contents of your bags, nor will they.

- TSA fires more people every day for failing the criminal background check.

- Baggage handlers are hardly an upstanding group, with a churn of over 50%, many never staying long enough to even have a criminal background check completed.

- LCD screens do not travel well in suitcases.

Businesses might return to the days of private aircraft to shuttle those that have to be there in person, but by and large, most meetings that took place face-to-face will now be virtual, especially with the declining costs in bandwidth and video capture and file sharing solutions.

And, of course, this does not even touch on the issues related to airline companies that now will have to start providing amenities that they long ago cut out to save on costs.

Pandemic access

IT can help fight pandemic, Thompson says BY Nancy Ferris Published on Aug. 22, 2006 Tommy Thompson, former secretary of the Department of Health and Human Services, today urged American businesses to beef up their information systems in preparation for a potential influenza pandemic. (FCW)

Every time I read about some official or another warning of this disaster or another, I chuckle to myself. It is not that they are idiots or that they do not have a clue what they are talking about (even though in a vast majority of the cases they are and do not) but usually because, occasionally, they are making a very valid point that is almost 90 or 180 degrees in opposition to how the world really works, rather than the "in a perfect world" model that they seem to live in. Case in point, again, is the issue of remote access, in this case because of pandemic flu, but we could be talking about snowstorms, bad traffic or business continuity and still be discussing the same basic issues. And again, one more time, the same basic obstacles are presented.

Now, the case of a pandemic is purported to be different because of the amount of time that it is supposed to involve before things get back to normal (whatever normal is defined as). And the devastation is supposed to be more widespread (as if we are not still talking about recovery from Hurricane Katrina a year later). Planning numbers, put forth by those who know, estimate that up to 40% of individuals (as compared to the 30% Thompson cited) could be out of action for anywhere from one week to months either because they are directly afflicted (sick) or are caring for a family member or group of family members that are sick. The argument, therefore, goes that during their downtime caring for these people, they will hop on the family computer and dial in and do work.

For a moment, let us suspend the reality that not every company and not every employee can do their job this way and focus on the issue at hand at home. If the individual is sick, they are most likely out of the picture for the duration of the illness and recovery period as directed by the medical community. Whether that is voluntary or mandatory is beside the point, but a mandatory sick period introduces some interesting wrinkles which I will get to in a moment. If, on the other hand, the employee is caring for someone, they are just as likely to be out of the picture because the needs of the stricken family member will (and should) take priority and we all know what happens when you get tired. You become more susceptible to the illness yourself. But let us suppose that you are a super person and do not have to worry about the getting sick part. Is your home machine compatible with the corporate system? Do you have access to all the phone lists and access codes that you will need to reach your mythical corporation? What do you do for support if you are not natively intelligent in computers? These are not new questions. In fact, if you are not already asking and getting answers to these sorts of questions now and practicing, then you are not likely to be in any condition to remotely access your systems.

And of course, this assumes you have remote capability to begin with. Remember that 40% of the population I mentioned earlier? This is not 40% of the population of California or the DC Metroplex. This is likely 40% of the population of the continent, if not the world. How much of this population has access to the bandwidth that is likely to be required? If your head is starting to hurt, then you are beginning to comprehend the nature of the issue. Factor in the following just to see what is being wrestled with:

- most companies only offer two weeks paid vacation. How many, unless forced, will stay home when they are sick? A better question - how many do now? Will Congress be forced to mandate "sick leave?" Who will pay for it? Most short term disability policies (assuming your company offers it and you took it) do not start until after you are out more than two weeks, which is nice, but how many have a full two weeks of vacation to start with? Better start saving now.

- most companies do not and cannot afford 100% employee remote access. This includes, but is not limited to:

  - bandwidth
  - remote control hosts (at the corporate side)
  - access security
  - data security (something the Department of Veterans Affairs is wrestling with)
  - training (how many cover even the most basic training requirements?)

- most individual systems are not configured to do any sort of remote access, whether because of OS issues or age of system or network connectivity.

- most companies do not see it as a serious problem and even if they did, where do they get the funds and the people to build the infrastructure to support it? Most consider internal IT a necessary evil, even at companies that deal in technology, so why would they spend more than they have to when the risk factors are not that high?

Personally, I think there are more business interruptions caused by fantasy football and school breaks than there will be caused by a pandemic flu. I also believe that unless there is a mandatory "you must stay home" issued, people will come to work. They do now, with things that are more contagious. What makes a pandemic flu any different than the one you had last week? So go drink your orange juice and get back to work.

Tuesday, August 22, 2006

You cannot win fighting yesterday's war

I am beginning to think that the best commentary on the state of the United States is being expressed by the editorial cartoonists. Now, lest you think that cartoons are supposed to be happy and joyful, let me remind you that they have always been more about satire than about silly bubble-headed caricatures. Today, Toles (who appears in the Washington Post) points out yet again why the Transportation Security Administration just cannot get it right.

However, it raises a serious issue. I have documented, several times, the joke that the TSA is and their lack of direction in implementing any sort of security for the traveling public beyond the window dressing and feel-good measures that they have implemented thus far. As pointed out (finally) by several members of Congress, if you put unscreened packages in the cargo hold of a commercial jetliner, then you might just as well put unscreened travelers in the passenger compartment - there is no benefit and only an increase in cost. Unfortunately, the TSA does not see it this way, saying it is impractical to screen 100% of all packages. Impractical? It is impractical to expect that the airlines can afford to feed the traveling public (which they will have to start doing as long as this stupid ban on liquid is in place). It is impractical to ground airline travel in a futile bid to win the war on terrorism (no, you cannot defeat an ism...I have said this before and I have not changed my stand).

I bring two wise old owl sayings to you (again). The first is from Bruce Cockburn, in his song, The Trouble With Normal, written back in 1983:

Suddenly it's repression, moratorium on rights
What did they think the politics of panic would invite?
Person in the street shrugs -- "Security comes first"
But the trouble with normal is it always gets worse

The second is from Frank Herbert in his book Dune, written in the 1960s - Paul is talking with his old friend Gurney Halleck, just after Paul has captured Gurney and his men in the deep bled where they should not be. Paul asks Gurney what the talk is about Rabban in the villages:

"They say they've fortified the graben villages to the point where you cannot harm them. They say they need only sit inside their defenses while you wear yourself out in futile attack." [Gurney]

"In a word," Paul said, "they are immobilized."

"While you can go where you will," Gurney said.

"It is a tactic I learned from you," Paul said. "They've lost the initiative, which means they have lost the war." (Dune, Ace Imprint, pg. 414)

One has to wonder, how close is the United States government to adopting the plans of the Beast Rabban?

We knew this, right?

CIO warns many IT workers face dangerous stress: At Share conference, William Cross says on-the-job IT stress is a problem Patrick Thibodeau August 15, 2006 (Computerworld) -- BALTIMORE -- When it comes to testing an IT system, William Cross, the CIO of Seminole Electric Cooperative Inc. in Tampa, Fla., uses an approach that his staff describes as "brutal." But it's a system Cross hopes will avoid sleep-disturbing middle-of-the-night production failures -- part of a larger effort to keep his staff from getting stressed out. (ComputerWorld)

At the risk of stating the obvious: Duh! He goes on to say the reason people make mistakes is because they are working in the middle of the night. I have a much more important question - Why were they working in the middle of the night?

If the project does not require full support (7/24/365) and most initial projects do not, then no one (in general - I know there are those that work better at night, but then they sleep during the day) should be working in the middle of the night. I am constantly reminded about the horror stories during the release of Windows NT and Windows 95 where developers were essentially sleeping in their offices in order to meet unrealistic marketing goals signed off by development and project managers that did not know how to say no to CIOs and others at the C level that were more worried about their image than they were about either the quality of the code or the state of their employees' health.

In this day, if you do not pull the long hours your job could wind up overseas. Fine. Send it there. For the past few months I have been dealing with these overseas programmers and while I am sure there are some that are doing a fantastic job, most do not seem to even grasp the basics of design and coding standards that have been in place for close to a generation because they are just starting to learn the job. Most of the overseas code is currently what has us in the mess of increased security issues.

Perhaps, instead of stating the obvious, CIOs (and others) should think less about what could be and more about what should be, achieve what can be and then be surprised when something rises out of process, rather than trying to drive yet another square peg into a round hole and asking why it is not performing, why it is leaking data, or why it does not do what was overpromised.

Friday, August 18, 2006

Now for something completely different

Over the last few years, my parents have been joking about their "condo", a slab of granite at the local cemetery where they want to be buried. I appreciate their planning (they are getting on in years) and it made me start to think about my own mortality (sorry, if you are expecting me to check out anytime soon, you have another think coming).

I have decided that I want to be cremated (and you can put the ashes in the garbage for all I really care) but if you have some burning desire for a memorial, find an empty bottle of scotch (single malt preferably) and a Post-It® Note and put a pithy Monty Python saying on it. Something like He's not dead (Dead Parrot Sketch) or It's just a flesh wound (Holy Grail). Feel free to select several for when the glue gives out and you have to replace it.

Remember, life is limited, but death is an eternity :-)

Monday, August 07, 2006

RFID not secure...big surprise

Expert Issues Warning About E-Passports By DAN GOODIN AP Technology Writer LAS VEGAS (AP) - Electronic passports being introduced in the U.S. and other countries have a major vulnerability that could allow criminals to clone embedded secret code and enter countries illegally, an expert warned. [Federal News Radio]

So, you have one of those shiny new U.S. passports with an RFID chip in it. The one the government swears up and down is "secure" and none of your data is at risk? And you believe them? NIST still has not got a standard for reading them and you are sure they are safe? If I could cut the chip out of mine, I would in a minute.