
June 30, 2006


Zipcar just showed up in the new parking garage at work. Interesting to note that they've now added the Scions (xA and xB), the Element, and the Matrix to their line-up.

I assume that means they're seeing demand for more cargo space, which seems to me to be the big gap for people who rely on public transportation.

Social Engineering Self-training

Most security systems have the annoying property that a rising volume of attacks degrades them: either the defenses get tuned down to cut the noise, or the people watching them become desensitized (yes, this is a generalization). Social engineering, on the other hand, has the nice feature that the more often someone tries to social-engineer you, the less likely the next person is to succeed, even if the first attack is incompetent and the second one highly competent.

That's because every failed attempt is a training exercise for the target, at least when the target notices it was an attempt; an attack that fails without being recognized teaches nothing.

June 8, 2006

Policy and Practice - a Talmudic distinction

It's hip, of course, to be able to use "Talmudic" in a description of a regulatory environment, but this post is actually going to use the Talmud as a source. Policy is what we write down; practice is what we do. The relationship between them is nicely covered in the first tractate of the Talmud.

Mishna. From what time can the Shma be recited in the evening? From the hour when the priests go in to eat their tithes until the end of the first watch - the words of Rabbi Eliezer. And the Sages say: Until midnight. Rabban Gamliel says: Until the break of day (Brokhos 2a).
There is a good deal of esoteric discussion of the start point, but what about the end point? Why are both midnight and daybreak listed?
Mishna. Whenever the Sages say "until midnight," the obligation extends until the break of day.... Then why did the Sages say "until midnight"? In order to keep people from transgressing (Brokhos 2a).
And that is the difference between policy and practice. The actual obligation (the policy) runs until daybreak; the rule the Sages taught (the practice) stops at midnight, so that someone who slips past the practical limit is still within the policy. A well-written policy should never be broken, and one way to ensure that is to make practice more stringent than policy, leaving a margin between what you do and what you are allowed to do.

Note that I except from this rule CYA policies, of the sort lawyers tend to write to protect organizations from liability.

(Thanks to Born to Kvetch by Michael Wex for the inspiration).

June 1, 2006


We're all so paranoid about phishing, but it seems like we only really care about banking. I wonder whether, if the banking industry ever gets its act together, identity thieves will start going after other sites.

Like LinkedIn. I've been playing with it lately (more on my observations later), and it sends HTML email to your new contacts inviting them to link to you. If you receive one at an address you haven't already given LinkedIn, the link lets you log in and register that address as well.

It would be pretty trivial to phish that login: the email is HTML, the recipient is expecting a link that asks for credentials, and the invitation appears to come from someone they know. At the least, I bet most people don't use a unique password there, so the harvested credentials would work elsewhere. It would also let you build up a map of who trusts whom, and if you're trying to get people to read your fraudulent email, it's all about getting them to trust the putative sender.
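One check a recipient's mail client or a gateway can apply to an invitation like this, added here as an example and not LinkedIn's code: parse the HTML, and flag every link whose destination is not the domain the mail claims to come from, including lookalike hosts that bury the trusted name inside an attacker's domain, and links whose visible text names a different site than the href. The sample message, the trusted-domain list and the crude registrable-domain comparison are constructed assumptions for illustration.

```python
"""Flag links in an HTML invitation that do not lead where the mail claims.
Added example, not LinkedIn's code; the sample message and TRUSTED_DOMAINS
are constructed assumptions for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only domain a genuine invitation from this sender links to.
TRUSTED_DOMAINS = ("linkedin.com",)

# Constructed sample: one genuine-looking link, one lookalike host that buries
# the trusted name inside an attacker's domain, one unrelated host, one help link.
SAMPLE_INVITE = """<html><body>
<p>Bob has invited you to connect.</p>
<p><a href="https://www.linkedin.com/e/invite/abc">Accept invitation</a></p>
<p><a href="http://www.linkedin.com.account-verify.example/login">https://www.linkedin.com/login</a></p>
<p><a href="https://linkedin-login.example/">Sign in with a different email address</a></p>
<p><a href="https://www.linkedin.com/help">Help Center</a></p>
</body></html>"""


def host_matches(host, domain):
    """True only if host is domain itself or a subdomain of it.
    Compare on label boundaries so 'linkedin.com.evil.example' does not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def same_site(a, b):
    """Crude registrable-domain test on the last two labels (assumption: good
    enough here; a public-suffix list is the proper tool)."""
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def displayed_host(text):
    """Host named in the visible link text, or '' if the text is not URL-like."""
    candidate = text if "://" in text else "//" + text
    try:
        host = urlsplit(candidate).hostname or ""
    except ValueError:
        return ""
    return host if "." in host and " " not in host else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, text, reason) for each link a recipient should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        url = urlsplit(href)
        if url.scheme == "mailto":
            continue  # out of scope for this check
        host = url.hostname or ""
        if url.scheme not in ("http", "https") or not host:
            findings.append((href, text, "not an absolute http(s) link"))
        elif not any(host_matches(host, d) for d in trusted):
            findings.append((href, text, "host %s is not a trusted domain" % host))
        else:
            # Visible text that names a different site than the href is the
            # classic trick; check it even when the real destination is trusted.
            shown = displayed_host(text)
            if shown and not same_site(shown, host):
                findings.append((href, text, "displayed host %s differs from %s" % (shown, host)))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_INVITE):
        print("SUSPICIOUS: %-40s -> %s (%s)" % (text, href, reason))
```

Run against the constructed sample, the check flags the two hostile links and passes the two genuine ones. Note that the trusted-domain test is deliberately anchored on label boundaries: a plain substring match would accept `www.linkedin.com.account-verify.example`, which is exactly the kind of host a phisher registers.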

It's a lot of work to go after something like LinkedIn, or Evite, and I wouldn't expect to see it happen any time soon. But I really thought about it when my father-in-law called me this morning to verify that I had, in fact, generated the LinkedIn email he hadn't yet opened. Maybe we all need to be a bit more paranoid.