Comments on TaoSecurity Blog: Minneapolis Bridge Lessons for Digital Security
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed last updated 2023-10-16. 13 comments, newest first.

----------------------------------------------------------------------

Anonymous, 2011-09-25 02:36

Nice post

----------------------------------------------------------------------

Tom Pick (https://www.blogger.com/profile/04619907810304128318), 2007-08-31 15:21

As a resident of the city who lives on the north end and often works on the south end, that could have been me. It did however take the life of an information security expert at one of my client companies: Peter Hausmann at Assurity River (http://www.assurityriver.com). There's a piece on him here:

http://minnesota.publicradio.org/display/web/2007/08/07/hausmannobit/

So, the tragedy had a more direct link to network and information security than even Richard's post imagined.

----------------------------------------------------------------------

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2007-08-14 18:17

Anonymous,

Are you talking to me? If yes, what part about "Dedicated to FreeBSD, network security monitoring, incident response, and network forensics. Email taosecurity at gmail dot com." at the top of my blog did you miss?

And why the need to mention anyone "better than me?"

----------------------------------------------------------------------

Anonymous, 2007-08-14 17:40

Actually, as JB said above, you really should have a way to contact yourself directly.

Most other security researchers do ... even ones that are better than you.

----------------------------------------------------------------------

jbmoore (https://www.blogger.com/profile/09751110750712243573), 2007-08-07 19:15

Yes, it comes down to risk, but $300 million and some proper oversight of the Corps of Engineers and its contractors would have been a lot cheaper insurance than the $30 billion US taxpayers are paying for Katrina's mess. Another example with Katrina is the insurance companies contesting storm claims. If they don't pay your insurance claim when your mission-critical app goes down due to a datacenter accident, then your premiums were money down the drain.

----------------------------------------------------------------------

Unknown (https://www.blogger.com/profile/15357840241031190415), 2007-08-07 16:05

If my server gets pwned at work, do we really need to call in an oversight board? Eventually we would have to figure out how big is big enough to invoke some oversight review... It would help with bridges because bridges are built publicly and used publicly, whereas companies are not always so public. Liability is a whole new ballgame, I guess.

What about the costs of upgrading the bridge? Maybe it was outdated and new discoveries and technologies could have dramatically improved it?

Then we get into talks about costs and risks, which isn't really fair in comparison to digital security because of the human life factor. The same with Katrina and the levees not being good enough for that 500-year storm. Risk was taken and they failed on those odds...

I don't think there is any right answer unless you can answer the question: Do you work under the assumption that you need perfect security (craftsmanship/safety) or do you work on some gradient of risk?

I read in one place that they were working on the bridge in recent weeks. It might be possible that work interrupted the integrity of the bridge, maybe maintenance or perhaps upgrades? Even Blackberry can tell us about the possibilities for upgrades taking something offline for a moment...

(Sorry I'm not more cohesive in my response, sitting in a coffee shop at the moment...)

----------------------------------------------------------------------

Anonymous, 2007-08-07 14:58

http://p068.ezboard.com/bminnesotabridgecollapse

A board to discuss the collapse

----------------------------------------------------------------------

jbmoore (https://www.blogger.com/profile/09751110750712243573), 2007-08-07 13:40

There may be no negligence involved, or the negligence may be with the bureaucrats and politicians who cut upkeep. The bridge failed completely and suddenly from looking at the video. According to wikipedia.org, it had no redundancy. The failure could have been due to natural resonance. The contractors on the bridge who were removing concrete and resurfacing noticed the harmonics. Then too, the bridge is in Minnesota. It underwent over 40 years of thermal cycling and salt corrosion. Couple that with visual inspections that may have easily missed damage and you have what we've seen.

You can't rule out number two though, because a contractor might have used substandard steel, which would be criminal and not negligence.

----------------------------------------------------------------------

Dan Weber (https://www.blogger.com/profile/06626675217693199470), 2007-08-07 13:35

Going after the perpetrator doesn't always work, especially if they are dead.

The US has pretty much avoided suicide attackers so far (outside of 9/11), but deterrence is hard to do against them.

I'm not sure what the response is, because hardening a bridge seems nearly impossible. I think we need to just live with an attack every N years, like we deal with M thousand driving deaths every 1 year.

----------------------------------------------------------------------

Anonymous, 2007-08-07 13:22

Going to your point of "everyone blames the victim," I would venture to guess that unlike a bank robbery, which would make local news, most companies don't report many security breaches that involve the loss of confidential and valuable data. That's where hopefully efforts like Infragard facilitate the reporting and handling of cybercrime in a sensitive manner.

At this point, after the data theft has taken place, my guess is that no one knows the company is a victim because the party is too afraid or too ashamed to come forward. What do you think of laws that compel companies to report data theft or security breaches? Do they work well? Also, do you think that these crimes are more widespread than reported, or has vendor hype in an attempt to sell security tools caused reporters to sensationalize the issue?

Thanks.

----------------------------------------------------------------------

Anonymous, 2007-08-07 12:04

Hi Richard,

It's JB - making a comment on your bridge post just to try to figure out how to get in touch with you. Remember me, I'm the Alt-F4 guy...?

Hope you're doing well and would like a way to contact you directly. Email me at jabesnyder@hotmail.com and I'll reply.

Best,

JB

----------------------------------------------------------------------

yoshi (https://www.blogger.com/profile/00081974018229308110), 2007-08-07 11:12

It's #1. I work a mile away from it and my boyfriend witnessed the collapse. I also know one person in the hospital. Now that I am back from defcon I'll be walking over and checking it out myself.

It's not a cement bridge. It was a steel bridge. In fact it had many construction qualities about it that made it unique, including one of the longer steel beam spans so they could avoid putting the piers in the water. So, imho, it's a bad example.

But to your point - I was at defcon over the weekend and it continues to amaze me how many people avoid using the network because "it's hostile" (I fail to see how it's more hostile than an airport's wifi, but I digress). Both my peers and I happily plugged in and even vpn'ed to our respective companies' networks to grab e-mail. Why did we do this? Simply because our defenses are sound. You can build sound, stable, and secure infrastructure that can withstand attacks.

The problem is many don't.

----------------------------------------------------------------------

hogfly (https://www.blogger.com/profile/00741773109962883616), 2007-08-07 10:44

Richard,
I think if #1, they understated the "minor things that needed attention". The bridge was reported to be about 40 years old and was last inspected in 2006.

Could this be a case of set it and forget it, based on the assumption that concrete construction couldn't fail in only 40 years because the designers claimed it would have to be replaced in 2020?

Sounds a lot like security companies and the misgivings of management when the security folks say "it's a minor risk if we leave it". Ooops.

It is an awful tragedy.