
Security and the election

Monday, September 29, 2008
I'm going to try to look at the presidential election fairly often over the next month for clues about how each candidate will perform for the security industry. There is, on one hand, the simple fact of how they'll perform for the economy in general, and small businesses especially, since the vast majority of security companies are simply small businesses trying to get by in what are increasingly uncertain economic times. But what of the candidates' views on actually keeping people safe? Sure, from terrorism and the like, but also from crime in general. I think this article from the Arizona Republic raises some interesting points about how security has been pushed to the side as the economy dominates presidential discussion. The candidates hardly discussed national and domestic security in Friday's debate. Why? Recent polls suggest that voters have relegated terrorism to a secondary concern, though it remains a major unresolved issue for the next president. Congressional and non-partisan reports lay out a list of 9/11 Commission mandates that remain unfinished, such as tighter transit security to better efforts to interdict weapons of mass destruction. The two candidates have staked out similar positions on bolstering border security, hunting Osama Bin Laden and closing Guantanamo Bay prison. But in the dozen times the two senators cast votes together on homeland-security bills, they agreed only twice. So how are voters supposed to figure out where they really differ? Well, you can try the candidates' web sites. For McCain, go here, here, here, and here. I'm not 100 percent sure what the difference between "National Security" and "Homeland Security" is, but maybe you can figure it out. For Obama, go here, here, and here. It looks like "Defense" is for fighting overseas and "Homeland Security" is more defending the borders, but there's some bleed. Also, Iraq is separated out for Obama. 
But if you read all of that, you'll see scant mention of the private security industry. I think this is a well-made point: Domestically, "we are obsessing about securing the border, but there are lots of other things out there to be concerned about: protecting the food supply, water supply, nuclear plants, natural-gas supplies and so on," said Courtney Banks, chief executive officer of National Security Analysis Worldwide. Is anyone reaching out to the security industry? The NBFAA, especially, has a presence on Capitol Hill, but despite their lobbying efforts, there's never much of a mention at all of the private security industry in the public discourse. Everyone's just talking about military and government efforts, but there's no way publicly funded efforts can keep everything safe. It's up to private water companies to protect their water supplies, up to private food manufacturers to make sure their products aren't tainted, up to private natural-gas facilities to make sure their plants aren't attacked and destroyed. CFATS and other government regulations dictate how some of these places must secure themselves, but they are largely unfunded mandates and it's up to the private security industry to figure out how to solve the problems as efficiently as possible. Has anyone suggested tax breaks for private businesses who invest in security? Has any candidate suggested a nationwide private information gathering service, a linking of IP-based surveillance systems? I haven't heard it if they have. Please send anything you see along and I'll take a look and make it widely available.

ASIS, day 3

Saturday, September 27, 2008
Much of today's discussion was dominated by standards, especially video standards and the seemingly competing PSIA and Sony-Axis-Bosch video standards groups. I say seemingly because there's a lot that can be misconstrued in the "standards" discussion. First and foremost, it's not even standards we're talking about. As has been noted often today, anything either group releases will really just be a specification. Without the verification of a standards body like SIA or ANSI, they don't quite reach the level of "standards," even if people talk about the specifications they hope to release in that way. Second, there's the perception on the show floor that the two groups are competing, and that both groups are competing with SIA in some way, but most conversations I've had with the interested players have seemed to indicate that everyone would ideally like to play together. As evidence, SIA treasurer Rob Hile was named PSIA chairman today, and as for creating a good relationship with SIA, he said today, "I'm personally going to take that on my shoulders." Are standards a big deal anyway? They are and they aren't. On one hand, just about every major camera company works with every major video management software company, so what's the big deal? Well, both David Bunzel, an originator of the PSIA, and Fredrik Nilsson, general manager at Axis, made the point that software makers like Milestone, Genetec, OnSSI, etc., spend way too much time and energy integrating cameras. What if they never had to spend that money again? Wouldn't that allow those companies to spend much more time and energy on improving functionality and adding features? Seems like a no-brainer. So, no, the industry isn't being dragged down by a lack of standards, but, yes, the industry could be made much more efficient with a solid group of interoperability standards. I'll have more on this in the next paper.

Fake security signs in vogue, again

Friday, September 26, 2008
Apparently, faux security signs are back in vogue. A news outlet near Norfolk, Va., randomly checked seven homes that had security signs, and found out that four of the homes didn't have the security system to go along with the sign. One woman said she got the sign from her brother 15 years before. At least—judging by the photo in the story anyway—her sign is for an authentic security company (the one and only ADT). Faux security signs were fashionable at my house when I was growing up way back in the 1970s, but we didn't have a sign from a real security company. Here's what happened: Our house was broken into and the thief stole a TV or two, and not much else. (We were away, and I think there was about a week's worth of Boston Globes piled up on the front walk, no lights on in the house, and other tell-tale signs announcing that the Entwistles were on vacation.) To increase security, my thrifty father sent away for these little green stickers that had lightning rod decorations and proclaimed: "Warning! This home protected by Electronic Automatic Alarm System." I think he thought they looked pretty fake, but we put them on all of our doors and a bunch of windows. There were other new security measures implemented as well after the break-in: For added protection when we went away, my father used to cover up the TV in our family room—which was plainly visible through sliding glass doors—with newspapers. (This prompted one of my brothers to put a sign on the newspaper-covered television set--also visible from the glass doors--that said, "This is not a TV!") The newspapers and accompanying sign became a security tradition in my family when we went away. Maybe the stickers and newspapers deterred criminal activity; maybe thieves just never showed up again. At any rate: We were never broken into again.

Ghost story makes it to Australia

Friday, September 26, 2008
Okay, some people prefer to suspend disbelief more than I do. The ghost-in-the-gym story has made it to Australia. I love how every story about this makes sure to mention that bugs, dust, and headlights have been ruled out. Those, of course, are the only possibilities. If it's none of those things, it must be a ghost. Clearly.

Security cameras capture ghost?

Thursday, September 25, 2008
If this were a Sherlock Holmes story, it might be "The Case of the Floating Orb." Let's use our deductive powers: Unexplained Orb Floating Around Dumbbells Baffles Gym Owners Security Company Rules Out Bug, Dust, Car Lights Why do I get the feeling that this story involves lots and lots of "dumbbells?" OVERLAND PARK, Kan. -- A white orb repeatedly seen on motion-detecting cameras inside a Kansas gym has baffled owners and a security company. Yes, this is another one of those stories involving "a security company." They name the gym, but not the security company. Why is that? Security cams at the Overland Park gym videotaped the image hovering and lingering around dumbbells between 2 a.m. and 4:30 a.m. "Cams." That's a technical term. The motion-detecting system has been activated nine times at the business. By these same orbs? Always at the same time? It's unclear. Gym owner Kim Peterson said she's sure there is a logical explanation but her security company is unable to explain the events. Representatives from the security company said the system is activated by motion but a bug would not activate the model of cameras used at the gym. They also ruled out dust or headlights passing by from outside the gym. "I called my security company and said, 'Is there a lightbulb going out or do I need to get up and clean the lens?'" Peterson said. "They reviewed it and said, 'We have no idea what that is.'" The security representative said 600 other clients have the same system and had problems. I, Sherlock Holmes, will now solve this mystery: The system ... is CRAPPY! Now I know why the security company didn't want to be named. If this situation were unusual, maybe it would be interesting. But 600 other clients are having similar problems? Shouldn't that have been a bit higher up in this non-story? [[ Edit: Okay, someone pointed out another version of this story where the above sentence is "600 other clients have the same system but none of them have ever recorded a mystery."
That version also contains camera being made plural as "camera's" and a fundamental lack of understanding about comma use, but is much more clear about this: "It leaves the frame, then comes back and kicked the motion sensors into action a total of 9 times between 2 and 4:30 in the morning." Interesting that two stories can be so similar and so different, no? ]] This could also be the solution to the mystery, though: "My 8-year-old said, 'Maybe Grandpa is just making sure you are OK in your new business, mom,'" Peterson said. "It could be a spirit," a woman at the gym said. "Nothing is impossible." "Woman at the gym" makes a good argument. Holmes is now going with this conclusion: It's the ghost of Captain Lou Albano! (Huh? What's that? Lou Albano's not dead? Hmmm. Back to the drawing board.)

Now the IT guys are paying attention (is that a good thing?)

Wednesday, September 24, 2008
Cisco's increasing activity in the physical security space is, predictably, drawing the attention of traditional IT media. Sometimes they have something interesting to offer on a story; sometimes they muddy the waters. With this story, I think they muddy the waters. The actual content of the IT World Canada story is mostly fine; it's the title that's dead wrong: "New standard to unite physical and IT security." Wowzer! That would be awesome! But they're just talking about the PSIA (see discussion below and details here) and their device discovery API. How does something that lets video cameras integrate with video management systems "unite physical and IT security"? It doesn't, and I suspect the author of the story knows that, since it's not mentioned in the story at all, and some editor just slapped on an incendiary headline. Oh well. That'll happen. Still, this is the kind of confusion that can be created when industries that have long been separate start to come together, and it's important to define terminology and nomenclature early. By my definition, IT security is making sure no one messes with your network - firewalls, passwords, content filtering, network access, etc. There's no way that Cisco's cameras easily integrating with Genetec's video management software is going to have anything to do with someone hacking your network and stealing your data (or, for that matter, making sure someone doesn't hack your network and look through your cameras). Also, by the way, even the PSIA will tell you that what they've got to offer is a specification, and not a standard. There's a difference. Jeez.

Access Control Source Book/ISC East

Wednesday, September 24, 2008
Hey, if you're a manufacturer of products that can be used for access control, you can get in our upcoming access control source book by going here. Also, if you're going to ISC East and you've got a new product to push, go here. That's all the housekeeping for today.

Hold your hosses!

Tuesday, September 23, 2008
Nervous about this Wall Street bailout? Me too. On today’s Times op-ed page, columnist Bob Herbert said we should seek a second opinion on treasury secretary Henry Paulson’s bailout recommendation. (Herbert is hardly alone; plenty of pundits of all political stripes, economists, not to mention plain old taxpayers, agree.) Something needs to be done, and soon, but we’re talking about $700 billion. Read that slowly: seven hundred billion dollars. That’s a staggering amount of money, and this bailout’s got to work, the first time. As Herbert says, it just makes sense to take a couple days to explore “the weak points, the loopholes, the potential unintended consequences of a bailout of this magnitude.” Herbert points out “Lobbyists, bankers and Wall Street types are already hopping up and down like over-excited children, ready to burst into the government’s $700 billion piñata. This widespread eagerness is itself an indication that there is something too sweet about the Paulson plan.” He notes a very important point--that the bailout is not supposed to be a good deal for business, and quotes economist Dean Baker: “The idea is that you’re coming here because you would be going bankrupt otherwise,” said Mr. Baker. “You’re coming here because you have no alternative. You’re getting a bad deal, but it’s better than going out of business. That’s how it should be structured.” So, how should it be structured? I'm not sure, but let's at least talk about it a little. There's an interesting story in the Times business section about a successful early ’90s bailout in Sweden, which had managed to get itself into big problems because of "imprudent regulation, short-sighted economic policy and the end of its property boom." From the story: Sweden did not just bail out its financial institutions by having the government take over the bad debts. It extracted pounds of flesh from bank shareholders before writing checks.
Banks had to write down losses and issue warrants to the government. That strategy held banks responsible and turned the government into an owner. When distressed assets were sold, the profits flowed to taxpayers, and the government was able to recoup more money later by selling its shares in the companies as well. “If I go into a bank,” said Bo Lundgren, who was Sweden’s finance minister at the time, “I’d rather get equity so that there is some upside for the taxpayer.” So what happened? According to this story, Sweden spent 4 percent of its GDP to rescue the banks. (The $700 billion bailout represents roughly 5 percent of the American GDP, the story says.) The final cost to Sweden, the story says, was 2 percent of GDP (though some say it was closer to zero) and Sweden seems to have survived very well, thank you, since that time. When my five brothers and sisters and I were kids, things from time to time got a little crazy in my house. When it was time to slow down and take a breather, my mother used to say (OK, she used to yell), "Hold your hosses!" (That's horses, for those of you who didn't grow up near Boston.) That's what Congress needs to do. This is a big deal. Let's get it right. We've got time to debate these issues. We don't have time to get it wrong.

What can we learn from IT standards processes?

Tuesday, September 23, 2008
I found an interesting article in today's Times about IBM throwing a bit of a hissy fit because a standards discussion was not going its way. Essentially, IBM is threatening to bail out of certain standards bodies unless they change the way they go about their business. For example, Microsoft submitted OOXML to the ISO under a so-called Fast Track process, which some opponents believed was too rushed and resulted in a poor-quality standard. Many countries and technical experts questioned the need for another standard document format. Similarly, people are labeling the PSIA (no, not the Professional Ski Instructors of America; the Physical Security Interoperability Alliance. Geez) the "Cisco Group," and expressing similar concerns, because the essentials of its first recommended specification (I'm going to get to the difference between a specification and a standard) came from a document supplied by Cisco. And this is why this standards discussion can get so murky. First, the difference between standards and specifications: A specification is a way of doing something issued by an industry group or manufacturer that's kind of like a recommendation or a theory on the best way of doing things. That specification only becomes a standard when an accredited body, like an IEEE or ANSI, vets that specification, puts it through its paces, and then issues it as an accredited standard. Second, the murkiness: Say you're a big manufacturer who'd like to get on this whole "open standards" wave, but would still like to retain its dominance in the marketplace, which was attained through a semi-proprietary way of doing things. Wouldn't you submit your specification for a way of doing things to a standards body and try to fast-track it through, so your way of doing things became the standard and all of your competitors had to play catch-up? And if your competitor did that, wouldn't you, like IBM, cry foul and threaten to take your ball and go home? 
So, here are some of the questions: Is Cisco using the PSIA as a puppet, knowing that it's done so much heavy lifting on creating the specification for device discovery that the PSIA member companies would be unlikely to change much and just generally be happy with it? Is the Sony-Axis-Bosch alliance (sorry, I mean the ONVIF) similar to IBM's fuss-making, or are they really the more "open" discussion? Here's the essence of the IBM position: IBM's guidelines are based on its belief that open standards increase the range of software products that are interchangeable. Standards prevent one software vendor from capturing a large part of a market by locking users into a proprietary format and limiting their ability to easily switch to another product. Microsoft has long been accused of dominating the market for office productivity programs due to its use of closed file formats. Microsoft changed course, however, and submitted its OOXML format to become an international standard, which means other vendors could implement OOXML in their products. But OOXML was criticized for being unnecessarily complex. Also, Microsoft was accused of pressuring countries to support the standard, which left companies such as IBM fuming. IBM is a long-time backer of ODF. The analogy to security is less than perfect, since the standards are much more developed in IT and security is really just beginning to iron things out, but the potential political situation seems kind of similar to me. Long-time backers of standards are going to resent new positions by old vanguards that, no, really, we're totally into this open standards thing. But that doesn't mean that the old vanguards don't have an ability to write good specifications that would actually be of benefit to the industry. 
What's going to be important is that people actually look at the documents being created by the PSIA and Sony-Axis-Bosch (and hopefully it won't come to the point where they're issuing competing specs for device discovery, because that would just seem wasteful) and actually figure out which makes more sense for the security community, and not just side with whomever they're friendliest. That would simply be counter-productive in the long run. We've talked here not too long ago about the benefits of standards, and they seem legion, but no one said the process was enjoyable.

Okay, I'm on Twitter now

Monday, September 22, 2008
I can't imagine how often I'm going to use this yet, but I am now on Twitter if you want to be my Twitter follower (I believe that's the right terminology) or want me to follow you: http://twitter.com/Sam_Pfeifle. I've also got a LinkedIn page, which you can find in the sidebar on the lower right, and a Facebook page, which I'm keeping for personal stuff right now, and a Myspace page, which is for my band, the Grassholes. Plus, I've got online identities in half a dozen online forums. All of this is getting time consuming...
