17 May, 2007


One of the best comments I have ever seen.

"It seemed to me that on one side you had representatives of a fanatical cult trying to foist its views on the rest of the world and on the other... the Church of Scientology.

Truly, they deserve one another."

Posted by Patrick Crozier

About the BBC

On Samizdata

Via the Instapundit.

What is even more funny is that I am sure this will top Google for a while when someone looks up Scientology.


I am sorry I haven't been keeping up the posting. I am very loaded down in my day job and giving it all my bandwidth. To be honest I will probably go to a few posts a week vs the few posts a day I used to do. I will try to pick up the quality of those posts but I am not sure how much time. The good thing is that I am actually fully engaged at work and the items that are taking up my time seem likely to result in some long term benefit to me. I don't want to jinx it and honestly am not sure of the direction but it is far more positive than some of my posts from last month might lead one to believe.

14 May, 2007

Control System Cyber Security Conference Registration Information

Joe Weiss is putting on a control system cyber security conference August 13th - 16th.

Here is his announcement.

The website for the August 13-16th Annual Control System Cyber Security Conference to be held this year in Knoxville, Tennessee is ready for registrants at http://realtimeacs.com/. (Please go to www.realtimeacs.com and click on Register for the Conference on the right toolbar.) The host hotel for this exciting event is the Knoxville Marriott.

The Conference is focused on industrial control systems. There is more commonality between control systems, control system suppliers, and control system communication protocols between different industries than the IT infrastructure within a company. This was the rationale for ISA establishing SP99 to address cyber security on an industry-independent basis. Common control system policies, procedures and cyber vulnerabilities apply to electric power, water, oil/gas, chemicals, manufacturing, etc. Focusing on any one industry diminishes the value of information sharing.

The term “cyber security” is an IT artifact that does not reflect the need to assure control system reliability and availability. Generally, the term cyber security refers to protection against attackers. For this Conference, the term cyber security refers to all electronic communications that could impact the performance of control systems. This definition includes intentional events (e.g., viruses and worms), malicious events (e.g., hackers), and unintentional events (e.g., inappropriate policies and testing). Based on the data I have collected, there have been significantly more unintentional events than intentional ones. Some of these unintentional events have caused significant damage. I believe there will be significantly more unintentional events than intentional events until appropriate awareness, policies, procedures, technologies, training, and testing are in place. Consequently, the Conference will focus on the need to maintain control system reliability and availability in the age of interconnected systems and modern communications.

The draft agenda will continue to be updated. As in the past, the agenda will remain flexible enough to address recent issues of interest. Two topics that I believe will be of interest to all are:
(1) The detailed analysis of a cyber incident that directly contributed to a gasoline pipeline rupture resulting in significant environmental damage and deaths, and
(2) A discussion of a recent broadcast storm at a commercial nuclear power plant affecting plant equipment that significantly reduced power production and resulted in a manual scram of the plant.
In addition, there will be a poster session of current industry and standards organizations efforts on control system cyber security. These are just a sampling of some of this year’s instructive and enlightening topics that you won’t want to miss.

The Kingston Steam Plant Tour promises to be one of the many highlights of the Conference, but since Kingston is an operating power plant and August is a power-hungry month, we must limit the number of attendees to the first 40 interested registrants. Consequently, when you fill out your registration form, please indicate if you wish to take the tour by checking the appropriate box and filling out the corresponding TVA forms.

We would also like to get an accurate count for the Monday afternoon training session and the Thursday afternoon - Friday morning NIST workshop. Again, please check the appropriate box on the registration form to assure your space.

If you have any questions on the technical content of the Conference, please let me know. If you have questions concerning the Knoxville Marriott Hotel or other administrative questions, please contact MaryAnn Gerst at maryann@atfab.com or (505) 822-1705.

I look forward to seeing you in Knoxville,

Joe is a good guy and quite enthusiastic about the field.

09 May, 2007

Cool. I want 42 or 2112 or 8675309 or ... the possibilities are endless.

How to stomp out XSS and SQL injection at your company

Faced with a Cross Site Scripting and SQL injection problem, the following compliance-based info security process should be implemented.

After long intense thought and some discussion with colleagues, and in keeping with the successful SOX attestation control program I think the obvious solution is as follows.

Send a mail to all employees stating that for information security purposes it is a policy to remove the following keys from all company keyboards.
< >

Keys should be removed promptly and kept in a locked cabinet on the second floor. Only three people may have access to this cabinet.

If it is necessary to use one of these keys, it is possible to gain temporary access to them by filling out the appropriate Emergency Access Request ticket. Within one hour a temporary combination to the cabinet will be mailed to you and a log entry will be made so that any injected code can be traced back to the person that had the access at the time of the injection.

You can then retrieve the keys and use them for up to one day. (at your own risk)

For individuals that need to use these keys on a regular basis, it is possible to file for a SOX attestation exception so that you can be given access to a keyboard in a locked room when needed.

Yep, I think this will match the spirit and effectiveness of most SOX Compliance processes perfectly.
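For contrast with the keyboard policy above, here is an added example (not from the original post) of where the `<`, `>` and `'` characters actually get neutralized: at the SQL sink with a bound parameter and at the HTML sink with output encoding. The table, rows and hostile input are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample input (not from the page): one value that carries both an
# XSS payload and a quote-breaking fragment, i.e. exactly the keys the
# "policy" above wants pulled off the keyboard.
HOSTILE_INPUT = "<script>alert(1)</script>' OR '1'='1"


def new_db():
    # In-memory database with a constructed comments table and one benign row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(author TEXT, body TEXT)")
    conn.execute("INSERT INTO comments VALUES (?, ?)", ("bob", "hello"))
    return conn


def find_by_author_unsafe(conn, author):
    # Vulnerable: the untrusted value becomes part of the SQL grammar, so a
    # quote in the input rewrites the WHERE clause instead of being compared.
    sql = f"SELECT body FROM comments WHERE author = '{author}'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def find_by_author(conn, author):
    # Hardened: a bound parameter is always data; quotes and angle brackets
    # are compared literally, never parsed as SQL.
    rows = conn.execute("SELECT body FROM comments WHERE author = ?", (author,))
    return [r[0] for r in rows.fetchall()]


def store_comment(conn, author, body):
    conn.execute("INSERT INTO comments VALUES (?, ?)", (author, body))
    conn.commit()


def render_comment(body):
    # Output encoding at the HTML sink: <, >, &, ' and " become entities, so
    # stored text is displayed by the browser, never executed.
    return "<p>" + html.escape(body, quote=True) + "</p>"


def demo():
    conn = new_db()
    store_comment(conn, HOSTILE_INPUT, HOSTILE_INPUT)
    leaked = find_by_author_unsafe(conn, HOSTILE_INPUT)  # every row, not one
    exact = find_by_author(conn, HOSTILE_INPUT)          # only the matching row
    return leaked, exact, render_comment(exact[0])
```

The unsafe lookup returns every comment in the table, the parameterized one returns only the row that literally matches, and the rendered body contains no `<script` tag even though the user typed one.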


I Support Democracy in Iraq

I have been stewing on this post for quite a while. Everybody knows I shed my "just blogging on info security and process control" take a while ago basically because I don't need this site to support a business and I get bored talking about work even in my off time. So that hasn't stopped me. What has stopped me is that a good chunk of my readers are in a community that leans pretty liberal and the default liberal take on this stand might cost me what little patronage I have. As I thought about it though I realized that this assumption is pretty dumb. For one I am not giving everyone credit for their ability to dispassionately assess the implications and not blindly react and for another item I am overlooking the possibility that many might agree with me.

So simply put I Support Democracy in Iraq.

And at Classical Values

I probably take a bit of a different approach than the sites linked above but I still support it.

Regardless of the reason we entered the war. Regardless of whether it was right or the result of stupidity, negligence, disinformation or outright lies. What matters is that we (and several other countries) took actions that resulted in the destruction of infrastructure as well as political and social stability. One can argue whether that was good or bad all day but the end point is that

We Took Action.

Taking action and initiative results in assuming responsibility.

We have a responsibility to the people of Iraq to other countries in the region and ultimately to the world to ensure what stability and humanity that we can. Anything else is selfish and shortsighted.

So at this point the question becomes - Would stability and the human welfare of the people of Iraq be better served if we removed military presence or maintained it?

I don't think that the answer to that is as simple as either side would have you believe.

Most of the violence right now is Iraqi on Iraqi so it is naive to assume that will stop because we withdraw our troops. Likewise it is almost certain that our troops' presence in many places serves as either a source of resentment or at the least as a target of existing resentment.

There are two extreme possible results of a troop withdrawal and draw down.

One extreme is that there is an intense civil war followed by a Pol Pot type ethnic cleansing in which hundreds of thousands of people (possibly millions) are maimed, tortured and killed and certainly millions are displaced. The violence spreads into neighboring states and results in a large scale regional upheaval that results in significant unrest and possibly violence in European and Asian Muslim populations.

The other possible extreme is that now that the American (and British because I doubt they will be willing to fill a gap left by us) antagonist is gone all of the factions sit around a campfire and sing Kumbaya.

Obviously the first is far more likely than the latter.

The most likely outcome is probably an extended civil war with hundreds of thousands of casualties ending with a Balkanized Iraq with Sunni, Shia and Kurdish Quasi-States, possibly the Shia being absorbed by Iran (in effect if not in fact) and the Kurdish State causing significant problems in Turkey (for right or wrong).

I say that we have a responsibility to ensure that Iraq turns out closer to Germany than Vietnam.

We have a responsibility based on having taken action.

We choose whether we "win" or "lose" this one based on our actions. In the long run we are perfectly capable of achieving any outcome unless we choose to accept a lesser one.

As for me. I choose to support democracy in Iraq.


03 May, 2007

When the Prophet Speaks - AI


Not certain that I buy it implicitly but the timelines continue to match even after the last several years. More significantly if you go to Drexler's stuff you would almost have to be convinced that it has tracked in general terms since then.

02 May, 2007

Yahoo Music Night

Mindy Smith - Come to Jesus
Gospel inspiring amazing voice beautiful wholesome song

Seether - Remedy
Dark antagonistic energy

Fall Out Boy - A little less 16 candles
Definitely know how to make videos from a different angle

The Bravery - Time Won't let Go
It's OK, might grow on me

Seether and Amy Lee - Broken

I can't decide if Amy Lee or Mindy Smith has a more amazing voice. Two sides of a coin image wise as well.

Justin Timberlake - What Goes Around
I know I said the same thing last time but I can't believe it but it doesn't suck
I have never liked anything by him before. But this is pretty good.