Friday, October 22, 2010

Information Classification Like Creative Commons [Part 3]

So it seems that at least one person reads this blog.

I got email from Andrew Yeomans from Commerzbank AG about my ideas in my recent Blog posts - Information Classification Like Creative Commons. (Part 1 and Part 2)

I came up with the idea myself but it seems that I was beaten to it by a group called SPIDER in a document available on the 'net here [pdf]. 

They discuss using graphics as opposed to words to describe what classification a document is. I just took it a bit further by using "creative commons" for icons. But my idea is a bit more important than that. For this to be truly useful the icons used must be instantly recognizable. Anyone who uses the Internet for some time and is involved in publishing even non-professionally will be able to spot creative commons icons, know what they mean and know what it means to them. And then abide by them. It would be useful for us to have icons that can do the same for sensitive documents.

I also took it one step further. I proposed the idea of including direction of what technology could be used with documents. So, if it is a "top secret financial document" then you may/may not email the document and there will be an "email permitted/not permitted" icon as the case may be. 

Andrew commented that this may be a problem given the way that technology moves forward, but I believe it to be a good start. It may be better (in future) to have some "meta-mechanism" that automatically adds the icons in as technology is adopted or documents change levels of confidentiality.

It is nice to get some serious comments and I hope to hear more. It makes me think through my posts and tweak them. Hopefully, somewhere down the line it will add to the world's knowledge. 

Monday, September 13, 2010

I bought a Kreepy Krauly BullShark...

[... and the documentation came on CD-ROM.]

I think this is totally missing the whole point. Why not just give me paper?

It can't be more environmentally friendly to make a CD, copy the information onto it and then print a pretty design onto the CD.

So my story is that on Sunday, I opened the box, took everything out. I decided to do the installation by the book. And there was no book. Just a CD.

So, I had to go inside, boot up my PC, load the CD, run the software, click through the options.

Then run outside, do some installation.

Run back inside read up some more, run outside, run inside.

Still no luck so I have to take some of the wet pieces of the unit inside, put them quite close to my PC. Run outside.

This is not a major complaint (unlike my last post) but it just shows how someone decided to use technology because it was cool but really it just makes life difficult.

Tuesday, September 7, 2010

Why #nokia gets a #brandfail from me

It is with great sadness that I write this post. I love Nokia. Loved. When something that you really like so much disappoints you so badly then it takes a lot to gain that respect back.

The short story is that my Nokia E71 stopped working a few weeks back and I took it into Nokia to be fixed. They refuse to fix it alleging that it is "liquid-damaged". I refuse to believe that the cause is liquid damage. And they refuse to listen to me and fix the device.

I have had a very long history with Nokia. The first cellphone I ever used was a Nokia 2110 (The Brick). I have had many different Nokia "candybar" phones of differing features and costs. My last one was a 6233 which I really, really enjoyed using even though it was a Symbian S40 device. It got stolen and I moved onto a phone I coveted for ages - the E71.

The E71 was everything I wanted in a phone and I used all of its features. When my car radio was stolen, my phone became my music player. It was my diary. It was my watch. It was my browser. It was my mail. My connection to my world. I downloaded all the Google services that I could and all the Ovi services. I even signed up for Nokia Music. The only issue I had with my phone was the expensive Maps software but when Ovi Maps became free for the E71 then my phone was completely perfect.

I actually talked 2 people into buying E71s, 1 person to get an E72 and 2 people into buying E62s.

Then my phone started flaking out.

One day it just started switching off. Strange, because usually the battery life is great. But that was fine, I charged it and it came back again.

Then one day it just would not switch on.

I took it to a shop and tried a different battery and no luck. We tried another battery and still no luck. I took it to another shop and we tried another battery. Finally I borrowed a battery from a friend who also had an E71 and still no luck. It wasn't the battery.

So I took my phone into two MTN shops and they both said it would take about a month to fix my phone. I should have gone for it but the one lady did mention that a Nokia shop would be able to look at my phone within one hour and "probably fix it" right then.

I was sold so I drove to the Nokia shop with my E71.

This is where the wheels fell off the cart.

I spoke to a lady who told me that if a non-Nokia-approved technician had worked on the phone then the warranty would be void and I would have to pay for their time. No worries there. She also told me that if the phone had suffered any liquid damage then the same would apply. No worries there.

Or so I thought.

At this point let me get it clear:

I have NEVER dropped my phone in water or any other liquid.
I have NEVER spilt coffee or any other drink on my phone.
I have NEVER lent my phone to anyone who wasn't in my general vicinity.

I would swear to the above in a court of law and sign an affidavit that says as much. I have even offered to do so for Nokia.

What I can't promise is that my phone has never come into contact with water. There is water in the air. I can't promise that I have never walked in the rain with my phone in my pocket although it hasn't rained for a long time in Johannesburg.

So, knowing the above, I handed in my phone. Signed the documents. The E71 has a known issue in that it picks up pocket fluff and some of that can get into the area between the screen and the glass over the screen so I asked that they clean that. I then went for a walk around the shopping centre for about an hour.

When I returned I was informed that the phone could not be fixed because the motherboard was no longer working and it is too expensive to replace the motherboard. Apparently it's actually cheaper just to replace the whole phone.

I was also told that there was "liquid damage".

The blood drained from my face. How could there be?! It was like I had walked into an alternate reality like a Lewis Carroll novel.

They pulled up a screenshot of the inside of the back of my phone, where the battery lives. They showed me the damage and told me that it looks like "liquid damage". The picture was taken very zoomed in and close up; it seems that two places on the motherboard have something that looks like rust.

The one thing they confirmed is that they were not able to find any moisture in the phone itself at all - not in the speakers (which are usually the worst parts for water damage) and not in the screen (which has dry fluff in it). But tucked away behind the battery is some sort of "rust" that "proves" liquid damage and hence according to Nokia this lets them off the hook from their warranty and they are therefore not liable to repair the phone.

When the shop people started telling me that my phone could have gotten the damage from water in the air or "sometimes you sweat and your phone in your pocket could have absorbed it" was when I decided that I should leave.

Nokia phones.

So, I left the store fuming. I left my phone there because now, not only did I not get my phone fixed and not only would they not fix it but I had to pay a "consulting fee" for them trying to fix a phone that was not fixable and they would be keeping my phone until they got that money.

I did sign that I would pay the consulting fee if there was water damage. I don't debate that. But I was shocked to find out that there was allegedly liquid damage. Two shops had swapped out batteries without noticing anything wrong with the motherboard but then they didn't have a magnifying glass to hunt for signs of possible "liquid damage" and I *knew* that I had never caused liquid to get into the phone.

I was cross but I figured that a simple call to Nokia head office would sort everything out. They are a very switched on firm and would like to help me out once they hear my story. So I spoke to a very kind, sweet woman and told her the whole story above including the bit about being willing to sign an affidavit and the "water in the air". To her credit she told me the water in the air story is junk. However, the Policy is the Policy and if the shop said it was "liquid damage" then there is nothing that Nokia can do. Can do or would do?

She suggested that I take it to another Nokia shop and get a second opinion. This means I risk another "consulting fee" of R250 in the hopes that another Nokia store may decide that the damage is not water damage. She suggested that I take it to MTN which means she is just passing the buck.

WTF?! Can she not just admit that the phone is defective and get it sorted out? No - there is the Policy.

Can I get someone independent to check the phone out? No, only a Nokia authorised repair person can open the phone or the warranty is gone anyway.

So here I am without a phone and feeling totally let down. My insurance will cover my phone for water damage and I'll be able to replace it but I guess I just wanted Nokia to come to the party.

Actually, I guess I had too much respect for the Nokia brand and wanted reality to reflect my perception.

I'm not an Apple person but I'm surrounded by happy Blackberry users. I guess my next phone will be a Blackberry ... something I've been fighting for a while now but I've been let down.

Friday, August 27, 2010

Information Classification Like Creative Commons [Part 2]

[Part 2 - A picture is worth a thousand words]


Following on from my last post on Information Classification - I think that this concept would be better shown by using examples. I guess that the irony of the last Blog is that I was trying to say "Using pretty pictures is better than using text" but I tried to do that in a Blog post which lacked pictures totally. Still, I did get some good feedback on the post even though my comments don't work.


I have done a little bit more research and tried to find some pictures to show what I am aiming toward. 


These pictures are all from an icon pack I found here but I'm not sure what pack I would use when it is finished or even if I should make my own. These are just for demonstration purposes. Please don't steal these graphics (they are free so just follow the link). 


*deep breath* Here goes:


If a document contains anything to do with someone's medical condition or some such - it gets labeled "Medical" and has the following graphic printed on it:

If a document is confidential - it gets labeled "Confidential" and has the following graphic:


Then what you can do with the document is listed - so you can copy it to CD, email it, move it on the network and take it home:




If you are not allowed to do any of these things then a little circle with a cross through it will be added to the image. 

Putting it all together again - you have a piece in the footer of the document that says:


This document is classified as "Medical-Confidential". You may do the following: burn to cd, transmit internally, email outside of the network, take the document home. 
Then under that, you have the images to reinforce it. The important thing is that the images must be a standard set so that users across companies, regions, businesses, etc. can all look at them and at a glance know what is expected from them regarding the document.


For bonus marks it would be nice to have a tool that can automate this process. 
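As an added illustration of the "tool that can automate this process" (and of the "meta-mechanism" from Part 3 above), here is a small Python sketch that is not from the post or from any icon pack: it derives a document's handling permissions from a per-category policy table (most restrictive category wins), renders the footer sentence and the icon list the post describes, and parses that footer back into a machine-readable label so a mail gateway or DLP tool can read the same label a human sees. The category names, the policy table and the icon base names are constructed assumptions for this example.

```python
"""Added example (not the post's own code): machine-readable classification
labels rendered as the footer text plus icon list described in the post."""

import re
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    """The four handling actions listed in the post, in the order they appear."""
    BURN_TO_CD = "burn to cd"
    TRANSMIT_INTERNALLY = "transmit internally"
    EMAIL_EXTERNALLY = "email outside of the network"
    TAKE_HOME = "take the document home"


# Hypothetical icon base names. A real deployment would use one standard icon
# set shared across companies so the pictures mean the same thing everywhere.
ICON = {
    Action.BURN_TO_CD: "cd",
    Action.TRANSMIT_INTERNALLY: "network",
    Action.EMAIL_EXTERNALLY: "email",
    Action.TAKE_HOME: "home",
}

ALL_ACTIONS = frozenset(Action)

# Constructed policy table: what each category permits on its own.
# A combined label takes the intersection, so the most restrictive category wins.
POLICY = {
    "Medical": ALL_ACTIONS,
    "Confidential": ALL_ACTIONS,
    "Financial": ALL_ACTIONS - {Action.BURN_TO_CD},
    "Top Secret": frozenset({Action.TRANSMIT_INTERNALLY}),
}


@dataclass(frozen=True)
class Label:
    categories: tuple      # e.g. ("Medical", "Confidential")
    permitted: frozenset   # subset of Action

    @property
    def name(self):
        return "-".join(self.categories)


def classify(*categories):
    """Build a Label by intersecting the policies of every named category."""
    unknown = [c for c in categories if c not in POLICY]
    if unknown:
        raise ValueError(f"unknown categories: {unknown}")
    permitted = ALL_ACTIONS
    for c in categories:
        permitted &= POLICY[c]
    return Label(tuple(categories), frozenset(permitted))


def footer(label):
    """Render the plain-text footer sentence from the post."""
    allowed = [a.value for a in Action if a in label.permitted]
    denied = [a.value for a in Action if a not in label.permitted]
    text = f'This document is classified as "{label.name}".'
    if allowed:
        text += " You may do the following: " + ", ".join(allowed) + "."
    if denied:
        text += " You may NOT do the following: " + ", ".join(denied) + "."
    return text


def icons(label):
    """Icon names printed under the footer. A forbidden action keeps its icon
    but gets the 'circle with a cross' overlay, written here as a suffix."""
    return [ICON[a] if a in label.permitted else ICON[a] + "-forbidden"
            for a in Action]


FOOTER_RE = re.compile(
    r'^This document is classified as "(?P<name>[^"]+)"\.'
    r'(?: You may do the following: (?P<allowed>[^.]+)\.)?'
    r'(?: You may NOT do the following: (?P<denied>[^.]+)\.)?$'
)


def parse_footer(text):
    """Recover the Label from a rendered footer; None if the footer is malformed
    or names an action that is not in the standard set."""
    m = FOOTER_RE.match(text)
    if not m:
        return None
    by_value = {a.value: a for a in Action}
    allowed = m.group("allowed")
    names = [] if allowed is None else [s.strip() for s in allowed.split(",")]
    try:
        permitted = frozenset(by_value[n] for n in names)
    except KeyError:
        return None
    return Label(tuple(m.group("name").split("-")), permitted)


if __name__ == "__main__":
    for label in (classify("Medical", "Confidential"), classify("Top Secret", "Financial")):
        print(footer(label))
        print("  icons:", " ".join(icons(label)))
```

The round trip through `parse_footer` is the point: once the footer has a fixed grammar, the same text that tells a person what they may do can be checked by software at the point where the action happens (the mail gateway, the CD burner, the VPN), which is what stops the scheme from being only decoration.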



Monday, June 21, 2010

Quick Thought: Information Classification Like Creative Commons

[Stealing the CC Ease of Use Icons for Info Classification]

When something is complicated then it usually is quite wrong. I learnt this lesson with Firewall Rules. Usually when something was twisted around and not easy to understand it was because the Firewall was being used for a purpose it was not designed for.

Information Classification is usually pretty easy to understand. It is logical. There is stuff you want the public to know about, stuff you don't mind them knowing about, stuff that you don't quite want them to know about and stuff they most certainly shouldn't know about.

There is also stuff that can't be shared outside of the company without breaking the law or some "governance" and stuff that can't be shared overseas.

Finally, there is stuff that shouldn't be shared outside of a department such as "strategy stuff" or "HR stuff".

What you call these is just semantics and what you do to keep these where they should be is where the fun comes in.

Information Security is accused of being overly complex and it really shouldn't be. Much like copyright is (generally) complex. So, the good people of the Creative Commons worked out just how to separate the tricky-to-understand bits from the easy-to-understand stuff and get people using CC without having to read law at Harvard or some such. You choose the pretty pictures that show you what you want and voila.

So, can we do the same with Information Classification?

Friday, May 21, 2010

I'm Cool Like That...

So, it seems that I am following the trend with Blogging which is somewhere I am not proud to be but it is interesting just how closely I have followed this trend.

Statistics (when they are not manipulated) are ugly things. Sometimes they tell the truth like a little kid with no idea of how to be "nice". So here goes - my statistics of Blogs published on my site:

2007 - 78
2008 - 32
2009 - 34
2010 - er... 3

I had a lot to say in 2007 and a lot of time to say it. I accept that. 32 posts a year is not great, but it is not bad... 3 is pathetic. 

It's not that I have been busy... I have been busy, but not way, way, way more busy than in 2008/2009. I haven't moved my online conversations onto Twitter either. Twitter has impacted on my time a bit... but not so much that 1 blog post a week would break me.

I just haven't blogged. And other people have stopped too. Rich of Securosis seems to think that Twitter is the reason but I think it is more about two other things - 

  1. I believe Information Security Bloggers (maybe other blogs too) have just emerged from the Trough of Disillusionment (go, go Gartner, go).
  2. Blogs tend to be mostly a one-way conversation but really are about gathering the ideas of what is floating about in the world and forming an opinion about it then writing about it. So technically it's like a general conversation and if everyone has left the conversation then there really is not very much to discuss.
But we are coming back and most of us (me included) are just really blogging about how we have stopped blogging and are now back. But we'll get there... it has been a bit of an awkward silence but it's ended.

Monday, May 17, 2010

I am a hacker - whether I like it or not

[... and not the bad cyber criminal type.]

For the latest ITWeb Security Summit (which was amazing) I was chosen as a speaker.

I had the following challenge -

  • talk about the different InfoSec Standards available
  • do it at 3:40pm 
  • do it straight after the tea break
  • make sure that the attendees don't fall asleep
Needless to say - it took a lot of thought but I eventually managed to keep them interested according to some positive reports I got after the talk.

I'm not going to go into the details of the talk here but after quite a bit of re-assessment I realised that I had basically "hacked" the standards. Hacked - in the good sense. There was no "piracy" involved (me maytee) and everything was above board. (and above plank.) 

But to keep the attendees interested in the talk I basically took the standards and applied them in ways they were just not designed to be used. And that is the true definition of hacking. 

In the past 4-ish years or so I have tried to model myself as a serious Information Security Professional. I have tried to put away the "hacking" part of me and concentrate on "working for the Man" but it seems that, without me trying, that part of my brain will find a way out. 

So, I will set my aim for the next year to nurture the "hacking" side of my brain and mold it into something I can use as an Information Security Professional. 

Friday, May 14, 2010

Back.

Someone (who shall remain anonymous) took me to task about not blogging. Which is fair enough since I haven't done a blog post since the end of last year - nearly 6 months ago. And it was my aim for the last few years to be the most prolific Information Security Blogger in South Africa (which really means writing more posts than that particular person). And I have been losing the race quite badly recently.

On the other hand that person fell asleep while chatting with me. Which is actually more a comment on how much sleep he had had the night before rather than how exciting the conversation was. I hope.

But.... that someone had an interesting point which I think is quite right - my excuse that I have nothing to blog about is wrong - I should blog and things to write about will come to me. That sounds very Zen. Or Xen.

So, I am starting up the blogging again and I hope that all my faithful readers will forgive the lack of posts and come back to be challenged again. (I'm watching you - both of you!)

So, see you soon.