17 March 2009

Happy St. Tornado Preparedness Day!


Seriously, to those of you celebrating St. Patrick's Day:

"Sláinte chuig na fir, agus go mairfidh na mná go deo!"

or, "health to the men, and may the women live forever"

(I do have a dog named Guinness and there is a picture of me somewhere on the internet by now under the likely title of "Guinness Fairy", so I was obliged to get that out there.) Well, on to the original purpose here. It is American Red Cross month and today is Tornado Preparedness Day here in Virginia. Disaster Preparedness season never ends or takes a holiday. Take a moment to go through the checklists to make certain your family or business is prepared. Look at the Red Cross and FEMA sites as well. Beyond tornadoes, find the resources for the disasters that fit your geographic region and the dangers you face: earthquakes, hurricanes, floods, fires (home and brush/forest), theft, crazy third-world dictatorships, you get my drift.

Do not forget, for your home and business, to make certain you have properly identified your critical assets and updated all critical disaster response processes and policies for data backup and restore. Perform a business impact analysis, and define business continuity and contingencies. For getting a risk assessment initiated at a business enterprise level, the Carnegie Mellon CERT's OCTAVE approach to Risk Assessment may assist you quite a bit. There are courses offered as well (I get no kick-back! I have taken the course and find it very worthwhile, so I am suggesting it as an option).

Again, the Red Cross has some links and documents that can help pull all this together as well.

We could go on about this stuff for weeks; but I have given you some important resources at least. You can always shoot me a comment to further discussion. I may get motivated and add a checklist of my own, or two! Send ideas. And lest I forget, I know the good folks over at SANS have papers and checklists on the subject of DR/BIA/COOP on their sites as well, so check them out (Again, I get no kick-back; but they do have classes, and I have taken many of them that are absolutely first-class - excuse the pun!).


Sláinte!

16 March 2009

Pesky Malicious Antivirus Under the Scope


I just wanted to point to another nice piece of reporting and analysis today by Washington Post columnist Brian Krebs. Having had to scrub this malware (or virus) from children's and 'friend's' computers alike, it is a story about something I find interesting as well. Please check out the link. (Photo credit: www.polyvore.com)

Massive Profits Fueling Rogue Antivirus Market

In the cyber underworld, more and more individuals are generating six-figure paychecks each month by tricking unknowing computer users into installing rogue anti-virus and security products, new data suggests.


One service, that exemplifies a very easy way these bad guys can make this kind of money is TrafficConverter.biz, one of the leading "affiliate programs" that pays people to distribute relatively worthless security software. Affiliates are given a range of links and Javascript snippets they can use to embed the software in hacked and malicious Web sites, or tainted banner advertisements online...


Full Story

09 March 2009

Common Sense has Left the Building

There is a rule in the Virginia High School League that states basically a player cannot move within a school year from one place to another and be eligible to play sports. (At the end, I am going to bring this into perspective from my job in information security and policy and former work in law enforcement and even accounting.)

Well, I understand all the cheating that has gone on for years and why the rule was put in place. Somehow the "spirit" of the rule was lost long ago. History, in case you did not know: it is to prevent a student/athlete from going to one school to play football and another to play baseball or from switching schools because of being recruited by coaches. I have through the years heard the stories of the "Aunt" having a house rented for her and the nephew coming to live with her in the new school district that just happens to need a defensive lineman. 'What, this boy plays DE and is 6'5", 270 and runs a 4.5 as a sophomore!!! And he just happens to move into the neighborhood. What great fortune!' ;-) We can see these issues and know why this rule was written:

"Transfer Rule – You must sit out of VHSL activities for 365 calendar days following a transfer to the school unless the transfer corresponded with a family move into the school attendance zone."


There is a bit more regarding Freshmen and the like; but it is not pertinent here. In the case of our son (my step-son) my wife had some medical issues and my son thought he'd like to go stay with his dad for a little while (in another school district about 15 miles away--not possible to drive him to the same school as his father also commutes to work about 50 miles in the other direction). So, at the beginning of the school year, he was enrolled at a different school in the same county of Virginia for what ended up being five weeks. He moved back to our house as his mom's condition stabilized, he was missing his family, his friends and his old school. He never participated in any sports or even meetings at the other school.

Now, keep in mind, the whole purpose of the rule is to keep schools from gaining an unfair advantage and recruiting players, etc. The rule is strictly to keep sports at level playing fields. Also, it is to the benefit of the child that they not be bounced around and used, obviously.

So, I submitted a couple letters, my wife presented a short letter, we gave two doctor's letters, a detailed account of one hospital stay (just in case some proof was ever asked I wanted to head it off), the guidance counselor at the current high school wrote a letter and I have had numerous conversations with the VHSL as has the student activities director and the principal. OH, AND, the Region in which my son plays and both schools are located OK'd the transfer and have no problem with his participation on the team. No coaches at other schools have a problem. He was not recruited nor did he play any sports or have contact with coaches at either school during his time away from the current school.

With all of this, they still want documentation that goes more in depth into the wife's medical issues and the home conditions and frame of mind of my son. My point is the VHSL rules basically have no room for any kind of looking at the spirit of the rule and seeing that this does not violate the reason for which the rule was put in place. There are twelve exceptions spelled out. We only have wiggle room under the HARDSHIP exemption. That being the home life was a hardship on my son and he had to move. And then, somehow prove why he came back is still ambiguous. I am sure that will be the hammer to drop next. You are allowed one "free move". That was when he basically went to stay at his father's. So, we show that was due to hardship and show that was relieved five weeks later. Not certain how we prove why he came back.

I am dealing with the decision maker. For the life of me, I do not know why they do not have the discretion to simply say "I see your son is not one of the people this rule was put in place for, so I will grant an exception". (Remember; he did not even play sports at the other school! He was not an all-star last Spring. He played JV ball. He is still my favorite player.) As it stands now, because his mother was ill and basically he decided to spend time at his dad's to have a bit more stable home while attending school, he will lose a year of being able to play a high school sport. Nothing like being punished because your mother was sick. But let us take it a step further and move beyond my son. This is where I want to go. Why is it that if a child and parents decide he/she should go stay with one parent and for any reason to move back (with the same parties agreeing it is the best thing for the child) that the child should be penalized?

Why, if it just did not work out for whatever reason, should things be up to a state sports board to decide the future of a child? Missing a year of eligibility in a sport may mean missing some scholarship money or even just getting into a college. Let alone just penalizing the child for no real reason. One can clearly look at the facts and see that a child moved from one parent to the other parent. The child participated in no sports at the other school; nor did he participate in any organizational meetings. The child moved back and will be playing lacrosse at the school he played for the prior year.

So, I have been in courtrooms enough to hear a judge say, 'So, you ran the stop sign but there was a bee in your car and you were only distracted trying to get the bee out the window because you are allergic and panicked. Dismissed.' (True story. Though paraphrasing.) We took an inmate to court for sentencing one time who was a walk-away from a minimum security prison who stayed out nearly a year. As I recall he faced an additional seven year sentence. While in prison originally before walking-away after transfer to the minimum security facility, he had learned to read, gotten his GED, apparently kicked drugs and alcohol and for all I remember brought peace to all the gangs in the prison (not).

In any event, he walked-away just before Christmas and his mother had fallen ill. He got a job actually somewhere in his old neighborhood making some cash in a store. Stayed out of trouble that year until he was finally found and brought back in. Well, the judge gave him two years and six months with two years suspended (or close to that) credit for his time served on the six months which was running concurrent to the time he was serving anyway finishing the original sentence. Really, I think you have a high school student who has done nothing wrong held to a higher standard than an escaped convict. Not that I disagree with the judge's decision.

I can go on and on with these types of stories most of which come down to an officer or judge's discretion and judgment.

In accounting, I do recall back when I did that for a living in the old days, if we were taking a conservative approach to something and could show why and justify it, then even if it was not to the letter of the regulation, we could still be justified in our approach. I never had an auditor disagree. You might have to walk them through it a couple times to understand; but as long as they understood there was no advantage gained or to be gained (hey, you did not even play a sport at the other school); then there was not a problem.

In information security we deal with policies. The Information Security Policy states certain things where the business will come to you and ask that an exception be granted. Let us generically talk about a firewall policy stating that only http/https (web and secure web traffic) is allowed directly outbound to the internet from workstations. The business states that there is a workstation that requires the ability to transmit encrypted data over a specific encrypted TCP port to the insurance company's new program. The business group asks for an exception to policy. You gather your information to make certain the connection will be secure as well as the data. And, you likely go ahead and approve the exception. These are fairly common situations. We do not go into who the vendor is and why we are using them, or why we are not using this insurance company because we used them before, etc. (Hopefully we had a little due diligence along the way with selection and with the software upgrade requirements). This is way beyond the scope of our job and the need for a policy exception.

So, I am moving to start or be a member of the "Common Damn Sense Political Party" or the "Start Making Sense Political Party". Something like that. Some of this stuff is just absurd. If my party gets elected to party; if you do not make sense, I am bringing back the public square and dunk tanks, stocks, floggings and cotton candy! Funny I mention politics; because we all know that enters into some of these decisions too!

08 March 2009

They said it; I didn't

How many times have we had similar thoughts:


http://sports.espn.go.com/espn/page2/story?page=simmons/090306


Q: My office is having a blood donation drive. All blood donors get two free tickets to an upcoming Clippers game. Do you think we should make clear to people that they DON'T have to actually go watch the Clips play? I would hate it if the Red Cross lost blood donors -- and innocent people died -- because they were threatened with going to see the Clippers.
-- Mike Wilner, Los Angeles

SG: Ladies and gentlemen, one more time, your 2009 Los Angeles Clippers!


A drum roll please.