Security Musings

Security Musings

Information Security Travel Guide

Stephen Northcutt, an Information Security Researcher, United Airlines 1k, Writer and Instructor, documents the struggles of the travel and hospitality industries as we all face continually increasing energy costs. He and his peers share their travel experiences and give you quick tips and short reviews of the companies they do business with as they travel. If you came across this article because of a Google search, what you want is probably here, just use find with your browser (CTRL - F), it is easier than reading from top to bottom; however, you may get some useful tips if you stick around and read. Each major cluster of trips is documented in a separate file.

Other Related Articles in Information Security Travel Guide

Information Security Travel Guide: October 2008, Kauai to Monterey CA and Richmond VA

By Stephen Northcutt
Version 1.4

[November 8, 2008] Richmond to Lihue. First flight was United 8006 to Dulles (IAD), a puddle jumper, slept the entire flight. Next 301, from Dulles to Denver. Great flight, but had to really hustle to get to the gate, unable to purchase water and I had left my empty water bottle in the hotel. However, the flight crew came by with plenty of liquid. It was a 767, so you got to choose between movies, I did not choose well, chose Journey to the Center of the Earth. However, after it was over, Mama Mia was still running; the ending is great, I plan to buy that DVD. Only food on the flight were those snackboxes, I am starting to get really tired of those snackboxes. Final flight was UA 1041, again I had to race to the gate, I had been told I was first on the list and there were still seats, but when I got there, the gate agent said first class had checked in full. Translation, you got here after we started boarding and lost your chance. Once again, because I raced through the airport, I didn't get water, but once again, the crew did a great job of serving water, and to Economy class yet. Very long flight, we were late because they had not stocked enough blankets and pillows and the return flight was a red eye. The plane was a 757, for some reason I thought it was going to be a 777; anyway, it was tolerable, not great. Right now, United has changed the price of snackboxes to $6 and the fresh pick to $9, and, of course, the crew doesn't carry $1 bills. Fortunately, I keep ten or so singles in my carry-on, so I was able to help them out. The fresh pick was a turkey asparagus wrap, that was edible, but certainly not great. Anyway, I am back home, so Nov 8 ends this installment of the Security Travel Guide; we will be on the ground for about seven days then off on a major trip to Europe, so that should be an exciting time.

I am going to end with an off-topic discussion: I read an interesting blog by Andy Martin suggesting GM should file for bankrupcy: "GM managers did not want to file in 2005 because they probably foresaw that bankruptcy could come some day, and they wanted to protect their executive pensions by insulating them from future creditor claims. In addition, GM's astronomical executive salaries could not survive a bankruptcy proceeding. Fair enough. But GM's labor costs would be slashed as well in bankruptcy. In the long run, there is no way the existing labor cost structure can be preserved in the automobile industry. If GM and others move quickly, they can still save tens of thousands of good jobs and preserve good pay and good benefits. But every day's delay will cost the economy future jobs. This weekend auto industry executives were in Washington seeking a bailout. Congress and the president should say no. The executives' demands place Barack Obama in a quandary. Michigan voted for Obama and the Democrats. Labor unions will claim that they want a bailout instead of a handout. But the Democrats and union leaders are living in a dream world. Repeat: every day that bankruptcy is delayed will cost every American economic security." I certainly lack the wisdom to know if GM should file for bankrupcy, but they remind me of United Airlines before their bankrupcy experience. A sense of entitlement and a lack of customer focus. United certainly is not perfect today, but just the other day I was on a plane in Economy class with no water bottle, and the flight attendants were working hard enough that I did not get dehydrated; that speaks volumes.

[November 7, 2008] Trying to change my reservation with United. Well, it looks like we will be in good shape to make an offer on a house in Richmond so getting back to Hawaii is now job one. I called United (like a fool, I lost the 1k desk number, so I got treated like a regular Joe which is eye opening). Made it through the automated help line pre-screen system which promised to pass my information to the agent. That did not happen. She was able to change my reservation. I asked that a copy be sent to my email so Kathy and Diane could know what I am up to. That didn't happen, also I asked to upgrade the last leg with miles, no comment, she just said goodbye and then of all things I got a customer satisfaction survey. Since I got my flight change and that is the most important thing, I gave all neutrals on the survey which was a tad generous. Hey, though, no major complaints, it looks like I am getting home, what else matters? Still, I went online to try to upgrade the last jump myself. The only option was to do it on the website was with 500 mile certificates (according to the website I have 44 of those). I tried and got the following error message: "One or more of your flight upgrade requests could not be confirmed.Please contact United reservations at 1-800-UNITED-1 (1-800-864-8331)." So, I called, went through the automated pre-screen system (takes about five minutes each time), it said it would put me through to an agent, then the call failed on United's end. Yikes! OK, no more time to play around with that, have work to do. Note to self, write down the 1K desk phone number and keep it in my wallet.

Reflections on the Downtown Richmond DoubleTree hotel. They have a note in the room that says to call 4402 if anything is not a "10". My room was not vacummed before I got to it, the same pieces of plastic are still on the floor today, one is .5" x .5" dark flimsy film of some sort, another is clear filament. So, it probably was not vacummed yesterday either. Right next to the clear filament is a staple. The shampoo, lotion and soap were not replaced. I am not going to tip today. However, I don't think I should call 4402 before I am ready to leave, who knows what would happen to my room if I make them mad. I was able to order eggs over medium at the breakfast buffet ( I get very tired of scrambled eggs being on the road so much), but they were not cooked, still runny whites. Salmonella on the road would really be bad. I would stay here again, nothing is past my pain point, and the price is right, but these are indicators that they need to tighten up; will try to call them when I get back from house hunting.

My real estate agent today is Matt Smith. (804) 366-0200, an independent Long & Foster realtor. Here is how we found our agents. We went to Craigslist and clicked on some reasonable homes. As people responded, we responded back. We tried to see who was serious and knowledable. Then when I was teaching in Monterey, Kathy started on a priority list. We pared down pretty quickly to Matt and Kay. I wish we could have pared down to one, but since we are out-of-town buyers, we needed the odds to work in our favor. Speaking of Craigslist, I read in the USA today, Craigslist has been selling prostitution services and have agreed to stop, what an amazing world. Apparently you can still advertise, but have to provide a phone number and a credit card. USA today really is an amazing newspaper if you read the tidbits, I saw SANS was quoted yesterday, wow!

[November 06, 2008] House hunting in Richmond. We have been doing Internet research, the market is on a low and we think it may be wise to make an investment; we also have family here and Hunter is considering going to school here.Our agent today is Kay Shobe, Remax. The woman is a real estate machine, well connected, knows her stuff, and works hard. To be honest, she started to give me a headache; she overdrives the system, but would I use her again? Heck yes. The west side, Henrico county seems like the best choice so far; we have family there and it would give me a place to layover on the mainland when I am in between gigs. For lunch, we ate at the Sakura Japanese Steak House on Broad Street. I don't usually eat sushi while on travel, so we opted for the hibachi table. Good show, mediocre food. For supper, I ate at the Popkin Tavern on Broad Street and I may go back, it is only two blocks from the hotel. I had the Shrimp and Spicy Sausage Pasta Diablo, spicy red sauce served over cavatappi $12.95 (full price). It was spiced exactly right, the pasta was not overcooked, what is not to like. They were having a number of specials including parent-child night, and an India Pale Ale was $2.00 (yummy) and all pasta dishes were half off. I had two beers and my meal was still cheaper than the breakfast buffet at the Richmond DoubleTree (which was fine, your standard hotel scrambled egg breakfast buffet, I am going down early this morning to see if I can order a couple eggs over medium from the back ).

[November 5-6, 2008]
Monterey to Richmond. I called the hotel before falling asleep and asked if I needed to book a cab; they said no. Next morning, no cabs, 20 minutes to get one, fortunately I got up early enough to still make my flight. Monterey to Richmond. UA 6732 to Denver was on time, the folks did a good job checking people in, and I slept on the plane. UA 902 to IAD was a 777 and I scored the upgrade to business class, that was nice. These were not the new lay-flat seats, haven't yet experienced those, but this was just good enough; also, the service was good and the plane was on time. UA 7987 was overbooked by five seats. How can a puddle jumper be oversold by five seats? Anyway, made the 22 minute flight to Richmond, got my car without incident, made it to the Downtown Richmond DoubleTree hotel.

[November 4, 2008]
Problems with the Portola Hotel. I like the Portola, formerly DoubleTree, been going there for over ten years, like the location. However, it is not clear we are going back and that is sad. My room was great, the majority of the staff was very friendly and helpful. However, their conference side of things is just a mess, no customer service focus, food was shorted, or brought out and then taken back immediately, time and time again. There were serious Internet problems, we had contracted Internet and the first day we kept getting blocked. The Internet guy kept insisting it was happening automatically, but it only happened the first day, so how do explain why it changed? He was so rude, my students noticed and remarked on that more than once. And the students noticed the problems, one said he was going to take his business elsewhere. Again, great facility, however, if you want to run an event there you better make sure the performance part of your contract is very, very, tight. Specify your expectations for Food and Beverage and Internet. To try to recover, we put out a gift for all of our students and attached a letter of apology to the gift. We did talk with the Portola folks, and to their credit, they fired the Convention Services Manager, but the damage is done. I just finished reading another note from another attendee, so we will probably lose some repeat business; ouch.

You can see the current economic conditions on the Monterey Pier. The restaurants are not full, people just aren't spending money.

[November 2, 2008] Still teaching in Monterey. Mostly eating fast food.

Read a great new file by Lenny Zeltser. It is a cheat sheet captures tips for examining a suspect server to decide whether to escalate for formal incident response. If you run a security team, you might want to take a look at it.

[October 31, 2008]
Halloween in Monterey. The Portola hotel departments have a pumpkin carving contest and the results are in the lobby, pretty creative.

I see Kauai made the news in backpacker magazine. Kalalau Trail made the list of the ten most dangerous hikes in America. ""The trail bed is narrow and crumbly, and I've talked with many people who have either fallen off the trail or seen it happen." The footing is twice as treacherous after the island's abundant rainfall turns the track into a greasy slip 'n slide–not amusing when you're edging along a 300-foot cliff that spills straight into a rocky surf." The article goes on to say nearly 100 people have drowned at the beach people make the hike for, Hanakapi'ai. I'm not certain the 100 number is correct, it is based on a sign at the beach, but not sure it was validated. In any case we just lost another visitor, so if you visit Kauai, please be cautious, "The 25-year-old visitor who drowned Monday morning while swimming at Hanakapi‘ai Beach was identified yesterday by the Kaua‘i Police Department as Klaudiusz Piotr Dragun, of Poland. Dragun hiked two miles in to Hanakapi‘ai Valley and decided to jump in the water upon his arrival at the North Shore beach, according to witnesses. Within minutes, he was reportedly overcome by the strong current and swept out to sea."

Register for Charity - Hackers for Charity (Johnny Long) & The Academy (Peter Giannoulis) have partnered up to raise money for the people of Uganda. The Academy, a security site, has offered to donate $1 to Hackers for Charity for every user that registers for a free account at for the entire month of November. If you’re a registered user already, please forward this email or post it on a blog. Anything you can do to spread the word would be greatly appreciated. Let’s try to make a substantial donation to charity this month. Thanks everybody!

I know both of these guys and they are for real; you will note Peter has written some of the documents on the security laboratory, such as this and that.

[Ocober 29, 2008] LIH to Monterey Peninsula Airport. Flight 68 from Lihue to Los Angeles left on time. I diidn't get upgraded, but had an aisle in Economy Plus and it was fine. When you get 1k status they send you some free drink tickets and I burned one of those. There was no fresh choice of food, only the snack boxes, but that was not bad either. I had the MiniMeal; the pepperoni was a bit too greasy, but otherwise enjoyable. The movie was Kit Kitridge American Girl; I watched it on a previous flight so I slept, but if you haven't seen the movie, I think it is worth watching. My next flight was UA5515; it was over an hour late, but I got to watch the sunrise in Los Angeles. There is something very special about the light in California, you can see it in the artwork. I enjoyed the flight to Monterey, this must be the tenth time I have come here to teach and it is where I got my start, teaching intrusion detection in the Steinbeck Forum, what an awesome facility. My room at the Portola Plaza hotel was not ready when I arrived; I don't mind, I checked my bag with the bell desk and, as usual, settled into one of those comfortable chairs by Jacks. Jacks is named for David Jacks a major landowner in Monterey history and dairyman. He had so much milk, he needed to process it to preserve it and invented Monterey Jack cheese. Anyway, for the whole eleven years I have been coming to the Portola, they have had comfortable chairs located in the atrium; yup, I am indoors surrounded by trees. The heat of my laptop on my legs is enough to keep me warm, it is 54 degrees right now; well, at least the heat is enough to keep me from being too, too, cold (after all, I am a tropical product.) And, they just got a room for me - yippee! I will go drop my bags off and then help set up the conference; Barrington's plane got scrambled and the hotel has not released our conference rooms yet, so this may be a long night.

I took a few minutes to watch a Gunnar Peterson video (no, not the workout guy, the sofware guy from Fortify). His major points are that software is about improving the quality of life and vulnerabilies in software keep us from improving the quality of life. He then correctly reasoned that security people like me will not be able to help him. He feels that developers need to innovate out of this problem. Now, he does overdo the security people depend on firewalls for everything line, but it is deserved to some extent. He also points out that security should be a business enabler, in the same way brakes, seatbelts and other safety features allow you to drive fast and live.

Next, Mr. Peterson began to focus on SOA. One of his points is that attackers don't break standards, they break implementations. Boy, do I agree with that. One thing that he suggests for security people is to help with threat modeling and helping the developers focus on the failure modes. Then he points back to research done by Saltzer and Schroeder, in their seminal paper The Protection of Information in Computer Systems. Three of their principles that have always made a lot of sense to me are (taken from the Matt Bishop course page referenced above):
  • The protection mechanism should have a simple and small design.
  • The protection mechanism should deny access by default, and grant access only when explicit permission exists.
  • The protection mechanism should check every access to every object.
Mr. Peterson does not feel this can really be done by the XML gateways for SOA, that they have more of a role of enforcing standards. It has to be built into the apps and I certainly agree with that. Anyway, I am going to try to get my mind around all of this, I certainly do not want to become an expert in software security, but it is important, and security people need to understand where we can and cannot help.

As I was reading my email, I caught a story from Government Computer News that said a bi-partisan team was getting ready to give cyber-security advice to whomever wins the presidential election. I hope they give some good advice, I think the current presidency has made some poor choices as does this commission: "Bush put DHS in charge of the country’s cybersecurity in the initiative launched in January with Homeland Security Presidential Directive 23. “The commission strongly disagrees with that,” Langevin said in an interview with Government Computer News. “This needs to be directed out of the Executive Office of the President,” in close cooperation with the National Security Council. Langevin called the president’s Cyber Initiative a good first step, but said DHS is not yet up to the task. “DHS will not be able to handle it at this point,” he said. “It is still a young, immature agency trying to stand itself up.”

I just read that Alan Paller was added to the SAFECODE Advisory board. "Included on the board is William C. Barker, Chief Cyber Security Advisor, National Institute of Standards and Technology, Dr. Paul Dorey, Chairman of the Institute of Information Security Professionals, Claudia Eckert, Professor, Fraunhofer Institute for Secure Information Technology and Alan Paller, Director of Research, SANS Institute. “SAFECode has brought together this group of renowned information security experts to help guide and inform our efforts to improve the security and integrity of software.” said Paul Kurtz, executive director of SAFECode."

Since insecure sofware is the cause of so many problems, it makes sense for organizations to start really paying attention to this topic. They are starting to publish guidance; for instance, they suggest you avoid functions like strcpy, strcat, scanf, sprint and, of course, gets. All very wise, although those are C/C++ specific and I'm not sure if anyone is using that much anymore. There is a paper I find useful on the top three programming errors, they are:
Error 1. Accepting input from users without validating and sanitizing the input.
Error 2. Allowing data placed in buffers to exceed the length of the buffer
Error 3. Handling Integers Incorrectly

I certainly agree with one and two. If you code and have an opinion, drop me a note if you think 3 is correct or incorrect (

[October 27, 2008] Hitting the wall. Three more days to Monterey and then off to Richmond VA. I woke up tired today, just not motivated right now for the next trip but looking forward to teaching my students, so I tried to have some quiet time. We worked hard on the farm yesterday, even my muscles have sore muscles.

[October 25, 2008] Getting ready for the weekend. I received a letter yesterday from Rachel F. McCarthy of the United Contact Center-Customer Solutions apologizing for the mechanical delay flying from San Francisco to Kauai October 20th. No problem Rachel, that actually worked out well for me; my friend Dileep G. Bal, the Public Health Officer of Kauai, was on the flight and it gave us a chance to catch up, we have both been running pretty hard. We are headed up to Growing Greens in a few minutes to pick up some more fruit trees for planting; light rains today, perfect for planting.

I see Government Computer News has released the "Coolest Security Jobs" study they have been working on with SANS. Here is a sample:

"1. Information security crime investigator/forensics expert
Why it’s cool: “The thrill of the hunt! You never encounter the same crime twice!”

2. System, network and/or Web penetration tester
Why it’s cool: “You can be a hacker, but do it legally and get paid a lot of money!” “The power to understand how systems can be penetrated and misused is something less than 1 percent of people in the entire security industry know, let alone the average citizen.”

3. Forensics analyst
Why it’s cool: “It’s CSI for cyber geeks!” “It's like being one of the good spies on James Bond.” “Trying to find evidence without altering the system and maintaining the chain of evidence is challenging.”"

I have a special place in my heart for Government Computer News, that was my first paid security writing gig. And, at the time, they were owned by the Washington Post; imagine getting your first check as a writer from the Washington Post. They also have a bit of a scary story about Twitter tracking the national debt, seems we have run out of digitts.

[October 22, 2008] Still on Kauai. Kathy is out at the farm meeting with a Kauai county official. Our agricultural status was originally based on cattle, but while I was teaching SANS Security Leadership Essentials For Managers in Vegas, we were sent a certified letter from John Herring dated August 26 saying we had to update our plan by September 15 or we would lose our agricultural dedication (and pay a lot more tax). Of course, since we were teaching in Vegas, we had our mail stopped and did not get the letter until September 17. Anyway, the head of the Kauai Real Property Assessment Division was on vacation, so we finally had this opportunity to show him the farm and let him see we are actually producing food for local consumption in a sustainable manner.

I was spot checking the quotes for our courses today from the Vegas event. All in all pretty good, almost every course scored 9 or higher overall, on a 10 point scale. This one quote from SEC 504 Hacker Techniques, Exploits and Incident Handling really stood out for me:
Arm yourself with the latest knowledge to defend against the relentless attacks on your organizations. Learn to defend your assets by recognizing your attackers tools, techniques, and methods” (Jeff Warson, Symantec Corp.)

Got a Google alert for the SANS Institute and they plugged SCORE, "The SANS Institute, in conjunction with the Center for Internet Security, offers the Security Consensus Operational Readiness Evaluation, which seeks to provide a minimum standard for information security procedures and checklists. ISO 17799, which provides guidelines for security management, also covers incident management."

From the mailbox, I got a note from one of my Security Heros, William Murray. He was commenting on my most recent editoral for NewsBites:
Court Says Pair Must Turn Over Encryption Keys (October 16, 2008)
A British Court of Appeals has ruled that two men must divulge their encryption keys to law enforcement authorities. The men maintained that turning over the keys would be tantamount to self-incrimination and therefore a violation of their rights. The court said that the right not to incriminate oneself is not absolute; the password itself is not incriminating and the keys and the computers' contents exist as separate entities from the men. "In the eyes of the law, the information on the computers is already in the possession of the police." One of the men had been charged with offenses under the Terrorism Act for allegedly helping a third individual move to a new location, despite an order that required said individual to obtain permission from authorities before moving. Both men had received notices under the Regulation of Investigatory Powers Act (RIPA) ordering the keys' disclosure.
[Editor's Note (Northcutt): Establishing this sort of case law is important, the US just decided slightly differently (that you would have to give up crypto keys, but giving up the pin that protects those keys violates 5th amendment). My guess is that it will take a few more cases like this to find the legal center. There are also concerns about forcing travelers to decrypt data when entering customs, a particularly interesting question since you are between two countries.

Here is Bill's Comment (used with permission):
Stephen, I am going to argue that the issue should never be how the citizen has elected to protect his data but whether or not a court has determined that there is probable cause to believe that a crime has been or is being committed and whether or not the legislature has granted the official the authority to look at the data. There are issues of abuse, torture or coercion, fishing expeditions, and the presumption of innocence here. However, the courts have been dealing with these issues since Magna Carta. This should not be an issue of the cost or effectiveness of the technology. Courts have held for generations that one cannot use a vault to conceal evidence. One must produce the combination on demand.

Borders become an issue because customs officials have broad authority. However, the DHS policy that permits ICE to exploit what it finds by sharing it with any other agency of government that it chooses goes far beyond what is contemplated by that authority. DHS admits that this authority is not explicitly granted by the legislature and asserts that it does not require judicial authorization. That comes very close to the definition of tyranny. In the absence of cheap portable storage, one would never carry so much information. In the absence of cheap crypto one might protect whatever data one carries with a locked brief case. ICE does search brief cases and does demand the key or the combination to the lock. While it might confiscate contraband, it does not take whatever it finds and share it with other agencies. RIPA is an act of Parliament. One might argue that it is so broad as to invite abuse. However, again, the issue should be one of judicial consent, not technology.


Bill is probably correct that which is true for paper should be true for digital information, but I was just reading a court case that decided otherwise:
Zubulake, the seven step standard for transferring cost in eDiscovery only applies to electronic discovery. In a case involving Rite Aid, a judge ruled that Rite Aid would need to bear the cost of photocopying employment records, about $100k and Rite Aid appealed and won as photocopy is different than electronic discovery.

And Bill writes back:
Stephen, permit me to clarify my position.
My reading of the history of the law is that changes in technology impact rules and procedures. For example, first public records and then business records became preferred to the memory of the village elders. Just a hundred years ago typescript replaced manuscript as the preferred means of recording. Now digital records are replacing analog records. One impact of technology is to shift the burden of discovery between the parties.

However, the changes should be limited to rules and procedures; in the absence of legislation, they should not alter the law. We must be alert to instances where the state attempts to use changes in technology to erode the rights of citizens. Similarly, we should not permit the citizen to use cheap technology to resist the state in the exercise of its legitimate authority.

The DHS policy on searching laptops at the border raises alarms. Customs officials have been granted a general exception to the Fourth Amendment that provides that searching luggage for contraband at the borders is “reasonable” even in the absence of judicial review, cause to believe that a crime has been committed, or a warrant. One might well argue that the exception did not contemplate that the citizen might carry all of his “papers” in his luggage. One might well argue that law that permits customs official to seize contraband did not contemplate that it be used to seize all of a citizen’s papers, deny the citizen access to them, and provide them to other agencies of the state to use for purposes for which in other circumstances they would clearly require a warrant.

Similarly, the citizen should not be able to use cheap technology, for example, cryptography, to resist his responsibility under the law, warrant, or subpoena, as applicable, to provide evidence. If a court can order that a vault be opened to provide access to evidence, then the court should be able to order that encrypted evidence be provided in the clear. In the absence of law, the penalty for resisting such an order should not be contingent upon the cost to the state of obtaining the evidence by brute force, clearly higher in the case of cryptography than In that of the vault.

Changes in technology may impact rules and procedures but we must be able to look to stable law to mediate that impact. We must be able to look to courts and legislatures to check the zealotry natural to the executive.

[October 21, 2008] Looking forward to Monterey. I am on the ground for a while (one week) on Kauai, and it is a beatiful day, so I think Kathy and I will get our bicycles out in ten minutes.