Bright Stove

Reflecting information risk journey

Archive for August 2008

Who should be doing what for Cybersecurity


The Los Angeles Times reported yesterday that "Public, private sectors at odds over cyber security". It seems that there are high expectations in the US that the government should play a central role in Cybersecurity, and that if the current and/or incumbent US President gives focus to this topic, and government regulations and laws are in place, organizations and people will do the "right" things. On the other hand, according to the newspaper report, businesses do not wish to tackle the problem until the government steps up. While both sides seem to have valid points, the issues involved in Cybersecurity are more complex than just a tussle over priorities and budgets between the public and private sectors. It is something that has a much broader audience, and involves more than just the US or any specific country per se (as in this other report from Network World that "Cybersecurity lacking in Africa"). Partnership, cooperation, and collaboration are key among the stakeholders, including individual users of the Cyberspace.

Cyberspace does not exist in just a particular country per se. Even if the entire US industry and government put all their resources into doing their individual parts and march off to "secure the Cyberspace" (if there’s such a thing that can be done once and for all), the problem will still not be solved. There are many other countries, businesses and individuals outside of the US that do not play their roles, or are simply ignorant of their roles for Cybersecurity, given the other priorities that they have on hand, and also weaknesses in Cyberspace that they could possibly leverage for certain economic or political advantages. At the same time, Cyberspace is a constantly changing thing. It evolves every moment someone plugs a computing device into the Internet, introduces a new piece of program on it, uploads certain information (such as vulnerability or exploit code), and whenever someone gets connected and starts to learn about the space and do all kinds of things in it, for good or otherwise. Security is only as strong as the weakest link. This applies to Cybersecurity as well. If we look at the recent DNS security issue, all it takes for an attacker to succeed is to have one DNS server poisoned, and he/she is on the way to making many other people suffer; that particular DNS server does not need to be in the US to inflict losses or cause inconveniences to Netizens in the US or anywhere around the world, as long as they are connected.

Yes, the government (in all countries, not just the US) needs to give priority to the security problems in the Cyberspace. There must be laws in each sovereignty and programs initiated to protect their citizens and assets on the Cyberspace, and to deter, if not stop, the conduct of fraudulent, criminal, and other undesirable activities in Cyberspace. More importantly, every organization and individual on the Cyberspace must also recognize their roles and responsibilities for Cybersecurity, and do the right things when they use the Cyberspace.

The challenge we have today, however, is answering the question of what the right things are that organizations (including businesses and governments) and individuals should be doing, over and above those things that they are already doing for information security, computer security, network security, and Internet security. That’s what WG 4 in ISO/IEC JTC 1/SC 27 has set out to develop in the ISO/IEC 27032 project — "Guidelines for Cybersecurity". I think fundamentally, the question of "What is Cybersecurity" needs to be agreed upon before we can have a useful guideline as a standard to improve practices and systems in the Cyberspace. The draft document for ISO/IEC 27032 therefore works on the basis of the "working definition" and understanding described in my earlier blog entry on this question of "What is Cybersecurity". I would love to hear your views on this working definition, and on what should be in the guidelines as well.

Written by mengchow

August 27, 2008 at 2:18 pm

Posted in Security Standards

Read and run


I was browsing thru’ Amazon Kindle’s catalogue of e-books about 3 or 4 weeks ago and stumbled upon "What I talk about when I talk about running" by Haruki Murakami, a Japanese novelist whose novels all seem interesting but I just couldn’t prioritize them into my reading list somehow. The title and abstract of this book about running somehow aroused my interest and led me to click the buy button. Within a couple of days (between busy times, on the plane, in the cab, in the Thinking Room, and so on) I managed to read it. I must say that it is an inspiring book in a number of ways. Besides providing the motivation for me to strive for longer distances than the usual 4 km that I do in the gym, it shares many ideas about what Murakami thinks about during long runs and training for marathons, and also how such activities relate to novel writing. Another interesting thing is how he decided to change his career from a pub owner to a novelist, and how he changed his lifestyle from that of a night owl to a day-time person. I have no intention to write a review of the book here. If you are interested in finding out more without reading the book, I would suggest the reviews available at the Amazon site where the book can be found. One reason I write this blog entry is to provide a link and a short brief of what I think about the book, as whenever I talk about my running, people ask me why I run, and when I talk about the book, they want to find out more about the book. I do share a number of the thoughts and experiences about running that Murakami wrote about.
 
In fact, I don’t run just because of reading Murakami’s running logs and reflections. Reading them gives the extra boost, but fundamentally, I like to run and have been running all these years. The difference is that I go for quick runs, in a gym, with the simple idea of just keeping fit, and getting some extra benefits in the outcomes. After reading about Murakami’s quests involved in running, I think there is more to discover and experience thru’ running than just keeping fit.
 
My place in Beijing overlooks the Chaoyang Park, a theme park which, as I learned from a colleague, was modeled after the New York Central Park, and has a circumference of about 8.5 km (or slightly more or less). Over the past 18 months here, I had only run towards the park once, but turned back after about 1.5 km as it was just too cold during the winter then. Despite that, I have been thinking very much about taking a shot at it, to go round the park in its entirety one day. I know that I can do it, since I had on a few occasions run beyond my usual 4 km outside of the gym back in Singapore. With Murakami’s motivation, I finally took the plunge on Sunday, Aug 16, 2008, and successfully completed the circuit. Since then, I have completed another run on Monday and Wednesday, all around the roads circling the Chaoyang Park, and when I was in Singapore after which, I did a run around the Botanic Gardens area as well (about 6 km according to my Nike+ sensor). When I returned to Beijing, I did another round at Chaoyang Park on Sunday, and again yesterday. So Chaoyang Park is now done 🙂 The challenge now is to maintain the frequency of runs, and accumulate the distances.
 
Yes, as I mentioned earlier, I bought a Nike+ sensor to plug into my iPod Nano to track my runs. The device didn’t work as smoothly as I had anticipated, even though it did what it was supposed to do during the run–tracking the distance and timing. The not-so-ideal thing was the upload of the workout data to the Nike+ web site, which did not have all my workout data collected except for the run on Aug 25, even though iTunes reported that it had successfully uploaded all the data. So I have only one of the many results to show off here 🙂 But I’m now discovering new things (and challenges) at the Nike+ site that are designed to motivate runners further (and of course also for them to sell more Nike products). The chart below is indeed a feature supported by the Nike+ site. There are always new things to learn when you explore technology. Combined with lifestyle needs, it is getting more interesting every time as well–provided it works reliably, and of course, securely.

[Nike+ run detail widget: http://nikeplus.nike.com/nikeplus/v1/swf/scrapablewidget/rundetail.swf]

All in all, I think the book (perhaps the author) is such a powerful influence!

Written by mengchow

August 26, 2008 at 2:11 pm

Posted in Running

Why standards matter


I was at the SPRING Singapore’s Quality and Standards 2008 (QS2008) conference on Aug 20, 2008, and the keynote was given by Mr John Wilson, Lead Economist of the World Bank. Mr Wilson spoke about the importance and benefits of standards, in terms of their contributions to the economy. The talk provided new insights on the importance of standards and why countries, in particular developing economies, should pay attention. I think some of the points mentioned are worth reiterating (and documenting) here.
 
Mr Wilson’s main assertion is that "standards contribute to productivity, and productivity contributes to economic growth". From the perspective of developing the economy, standards also play a critical role in enhancing human development. How this happens is that standards result in an increase in trade (in particular, exports), which helps to bring about growth in the nation’s GDP, and this helps to improve people’s livelihoods and standard of living. The correlation between standards and trade is such that trade, in particular export, depends on, among other things, the quality of products [and services], and standards are fundamental for improving product quality.
 
However, poorly institutionalized or ineffective standard implementation, in particular non-transparent technical regulation and misuse of standards, could also affect the economy’s efficiency and increase the cost of production. According to Mr Wilson, the results of studies conducted in Europe showed that in general, the implementation of standards would incur a one-time setup cost that is approximately 2.2% of the total sales involved, and tightening standards by 1% would result in a 0.06% increase in production cost. Duplicative testing procedures cut exports by as much as 9%, and multiple testing procedures reduce the likelihood of exporting to multiple markets by 3%. This shows the importance of harmonization of standards. Similarly, the productivity of firms in developing countries entering the export market is 52.3% higher if a Mutual Recognition Agreement (MRA) is in place.
 
Mr Wilson’s conclusion was that "standards do matter to trade and development, and growth, wealth creation, and poverty reduction are all tied to standards". He added that Asia’s economic future depends on trade expansion, and economies should therefore adopt international standards to lower their barriers to trade.
 
In Asia, in particular South East Asia, not many economies are, however, giving much attention (or perhaps I should say high priority) to standards. In the area of IT security, only Singapore and Malaysia are active participants in ISO/IEC JTC 1/SC 27 ("Security Techniques"), even though the RAISE Forum has been established since 2004 to promote such efforts purely from the information security perspective. A clearer view of the economic implications could perhaps help to drive participation in security standards activities and the adoption of related ISO/IEC and ITU-T security standards in the region. With so many technical committees developing IT related standards in ISO/IEC, the participation rate across the South-East Asia region is even worse, and the potential impact could be even greater should they be involved. This is perhaps something that ASEAN and/or APEC ministers should think about improving as part of their agenda for the region, especially given the clear link that Mr Wilson has presented between standards and economic growth.
 
 

Written by mengchow

August 24, 2008 at 7:23 am

Posted in Security Standards

Less is more


If you travel a lot like me, you will probably be one of the readers of inflight magazines, which are the most freely available magazines you can get hold of on any flight, regardless of which class of travel you are in. It is the same magazine from Suite, First, Business, to Coach (or Economy). Nothing else is more equal in the airplane than the inflight magazine available.
 
An interesting thing about inflight magazines is that they are all different for every airline, since that’s the publication that the airlines use as one of the means to highlight their specialities, what they represent, which country, state, or city they come from, and what they strive to do for the passengers. So you get to read about places of interest, beautiful cities, and at times, interesting articles about those places, histories, people, etc. Accompanying the inflight magazine is often another magazine, which is the inflight sales catalogue. Again, it differs from airline to airline. I like those from the Japanese airlines such as ANA and Japan Airlines, as well as the US airlines, like UA, which are very comprehensive catalogues. I’ve never ordered anything from the Japanese or US airlines’ inflight catalogues before though, but like browsing through them when I am onboard. Those catalogues give me a sense of their lifestyles and culture, the unique things they use in their countries, such as the furniture, gardenware, gadgets, etc., that you don’t normally find in shopping malls, or other off-flight catalogues. The items listed seem endless as well. They are therefore a good means for passing time, like when waiting for the flight to take off, or during landing, when all electronic equipment has to be turned off. One thing about the design and physical aspects of those US and Japanese magazines is that no matter how many items are in them, they don’t seem to be bulky or heavy at all. The papers are thin, and flip through easily. The layout, color, etc., seem to be well coordinated as well, which therefore makes for easy reading. I just realized yesterday, when I flew back to Beijing from Hong Kong on Air China, that there’s something different in these characteristics. There’s a difference not just in terms of their services, but also in such things as their inflight magazines and catalogues, as compared with many other international airlines.
 
As I didn’t bring along any physical book this round (I was carrying an Amazon Kindle), I didn’t have anything else to read after browsing the newspaper before the take off, and also during landing. So I looked for the inflight magazines and sales catalogue. I saw two magazines in the seat pocket, but no sales catalogue. The thickness of the two put me off a little, but I proceeded to try to take one out, the thicker one, and it was so heavy, nearly 1 kg (maybe slightly less), that I placed it back, and took out the newspaper instead. During landing, I thought, why does the airline allow such thick and heavy magazines in-flight? Let’s say each copy is 500g; with say 300 seats, they weigh 150 kg in total. That’s a lot of additional but useless weight on the plane. Given the weight (and thickness), most passengers would be put off by it and not read or browse it. So all the effort of putting up that magazine goes to waste! That’s a big waste of resources, and also energy, paper, etc., on the flight.
 
I took a closer look at the makeup of the magazines. They contained at least 70% advertisements, in more than 260 pages, on very colorful and glossy paper–hence the weight. With the energy crisis going on today, and also the Green movement, perhaps it is time for Air China, and many other airlines, to re-examine such simple things that they are carrying around, up and down the plane, across cities and countries every day. Do they really need to carry two magazines (one Air China branded, and another CAAS branded magazine in this case), totalling nearly 500 pages, and more than 1 kg in each seat pocket? Perhaps the monetary gains they receive from those advertisements in the magazines outweigh the cost of carrying them around even without passengers reading them. Advertisers should perhaps also consider whether it makes sense for them to advertise in such a heavy and bulky chunk, which immediately puts off the passengers. It would probably make more sense, for the sake of Green and energy savings, and at the same time to enhance readership for the effort put into this stuff, to establish some boundaries such as paper quality, number of pages, efficient use of space on each page, etc. Perhaps the idea of less is more often takes more for it to be realized.
 

Written by mengchow

August 16, 2008 at 6:05 am

Posted in Travel

Superwomen at the Beijing Olympic 2008


After watching the super long celebration of the Beijing Olympic 2008 opening last night — four hours on the couch, accompanied by three pots of Pu Er tea — I was exhausted. The first hour of the event was fresh and touching though. It depicted the path of the Chinese culture, from past to present. The final strike, which led to the lighting of the Olympic torch at the stadium, although interesting, didn’t seem significant or inspiring, unlike the torching at Barcelona (with the archer shooting a lighted arrow to the torch) and the one involving Mohammad Ali. It just looked like one of those movie feats.
 
This morning, first thing, I went to the gym to have a jog to recharge. The air outside was still not good, gloomy and hazy; it’s been nearly two months since I have seen a clear blue sky day. The temperature is rather high as well, at around 30 degrees Celsius. Can’t run out there.
 
At the gym, while on the treadmill, trying not to run like a lab rat, I had my MP3 player on, and also the TV tuned to the Olympic broadcast channel — yes, it is channel eight (the "auspicious" channel). The TV was broadcasting the women’s 48 kg category weightlifting competition. The women participating weigh around 48 kg (in fact, 47+ kg in general). The event started with the Snatch technique competition, with Nicaragua’s Karla Moreno taking the first attempt at 65 kg, and she dropped it. She looked nervous, and it was certainly a blow. At the second attempt, she made the mark at 65 kg, and I was happy for her, and still running. Then she tried 71 kg, and dropped again. That was it for her. Next came Canada’s Marilou Dozois-Prevost. Her first attempt was 73 kg. Hmm, that’s courageous, I thought. The previous one had just dropped dead at 71 kg, and now she was setting a new bar, and she made it, and carried on to pass 76 kg (happy for her), but dropped at 78 kg in her third attempt (oops!). Next came France’s Melanie Noel, who successfully lifted 75 kg, 78 kg, and 80 kg in her three attempts, respectively, interjected by Poland’s Marzena Karpinska and Japan’s Misaki Oshiro, in quite a close fight. Wow, I thought, since this is the first time I have ever watched such a competition. Poland’s Karpinska started at 79 kg but didn’t make the 82 kg bar she set for her later two attempts. Japan’s Oshiro started with 77 kg and completed at 80 kg successfully. At that moment, I thought the bar of 80 kg was pretty much set and whoever could beat that by a few kg would win the gold. Then came Korea’s Jyounghwa Im, who started with 83 kg and made it, setting a new bar for the rest! Next, more surprisingly, Taipei’s Chen Weiling came and set another bar at 84 kg. But that was not the end yet. Turkey’s Sibel Oskan came in fresh — with a small frame, unlike a weightlifter if you saw her on the street — and set another new bar at 86 kg in her first attempt, and 88 kg in her third attempt. That looked like it then. But wait, where was China’s rep? There was some documentary footage about her before the event started; how come she didn’t appear? And up onto the stage came China’s Chen Xiexia. Amazingly, she started at 90 kg, followed by 93 kg, and completed at 95 kg, beating every Superwoman in the race, flat! That’s truly "a mountain taller than another mountain", as the Chinese saying goes (一山还比一山高).
 
When I reflected on this amazing competition (after stepping off the treadmill), I thought, this truly reflects the arms race we experience in information security. Just when I thought Canada’s Dozois-Prevost had set the bar, Japan and Poland tried to break it, and Korea’s Im broke it. And shortly after, Taipei’s Chen set another one, then Turkey set the next, and finally, China’s Chen set it straight. Isn’t this the same as the vulnerability-exploit-countermeasure arms race in the information security arena? There’s no ending. Even for Chen Xiexia, she has to watch the next Olympics, and the next, and so on. Another Superwoman will pop up one day to set the next bar higher.
 
That’s not over yet. When I got back home, the second round, known as the "Clean and Jerk" technique, had just started. This, unlike the Snatch (and lift) technique, is somewhat more involved: the lifter first lifts the weights to her upper chest at shoulder level, then pushes them up from there. With a change of technique, interestingly, I saw new results.
 
Recall earlier that Nicaragua’s Moreno could not go beyond her 65 kg mark with the snatch, but with this technique, she returned and completed 83 kg, then 85 kg (in her third attempt). That’s another 20 kg more! Amazing. The same went for Canada’s Dozois-Prevost, who reached 90 kg, Japan’s Oshiro at 105 kg, Chinese Taipei’s Chen Weiling at 112 kg, and finally, China’s Chen Xiexia at 117 kg, who broke the Olympic record with a gold medal — the first gold medal for China in this Olympics. You can read more about this in the various news broadcasts. What I think the lesson from these Superwomen is, is that with just a switch of technique, the results are so different. It just showed the importance of looking for and using alternative approaches to solve problems, i.e., innovation.
 
Another important point is that the Superwomen were carrying weights that are more than twice their own body weight. It is pure energy that they are exerting. Where did they get all that strength? The limit of what humans can do is actually quite unknown indeed. While they may be gifted with certain attributes or characteristics, a lot of their achievements are really the results of training and practicing. I guess the gold medalist Chen Xiexia will also say the same if you have a chance to talk to her (I haven’t had one though) 🙂
 
Enjoy the 2008 Olympics!
 

Written by mengchow

August 9, 2008 at 7:42 am

Posted in Risk Management
