Sunday, May 25, 2008

Grant is Gone

Who would be a football manager? It seems that coming second in the Premier League and making the final of the Champions League (something Mourinho didn't manage for Chelsea) isn't good enough if you're a manager for a club that's owned by a billionaire.

Sadly, it looks like the top clubs in the EPL are going to start suffering the same fate as Real Madrid and Barcelona, with a constantly revolving door ushering in a new Manager each season. It pains me to say it being a Liverpool supporter, but you've got to admire Manchester United. Alex Ferguson achieved tremendous success in the 90's but in the last few years when Man Utd played second fiddle to Chelsea and Arsenal the board at Man Utd kept faith with their manager. It makes you wonder how many more seasons Wenger could last in the current climate if he doesn't deliver the Premiership trophy for Arsenal again.

I'd be embarrassed to be a Chelsea fan right now. Where is the heart and soul of the club? How can you support a club whose formula for success is to pour hundreds of millions of pounds into the club and then sack the Manager if he doesn't achieve miracles within months of joining?

It's a sad state of affairs.

Saturday, May 24, 2008

A Year Down Under

Yesterday was the 1st anniversary of our arrival in Australia. I was going to do a big blog post to mark the occasion but I can't be arsed - too busy working on my website. Suffice to say it's been a fantastic first year - everything we hoped for and more. There are lots of positives and very few negatives.

We do miss everyone but there's definitely no going back!

Thursday, May 22, 2008

AusCERT 2008

On Wednesday I attended AusCERT 2008. AusCERT is an annual conference for the IT Security industry organised by the Australian Computer Emergency Response Team. Held at the plush surroundings of the Crowne Plaza Royal Pines Resort on the Gold Coast, the event is a chance for vendors such as Check Point, Microsoft, Symantec, CA and the like to show off their wares, and also a chance to hear presentations from industry leaders, as well as get some free training to boot (although it's not free). Representatives from such luminaries as the US Department of Homeland Security and the NSA were also in attendance.

The event is similar to an annual event I used to attend in the UK, InfoSecurity Europe, which is held at London Olympia, although AusCERT is nowhere near the size of InfoSecurity Europe.

I was pretty disappointed by AusCERT 2008. I thought I might have made a bad choice with the presentations I attended, but after speaking to others the general consensus was that it was pretty crappy all round. There were a couple of gems in there, but mostly it was presenters telling me stuff I already knew. A lot of the presentations were too high-level to be of any value.

Every year you find that there's a new theme - a new subject which is getting the industry in a flap. This year it was web 2.0 security. This is not surprising really with the amount of stories you hear about privacy issues around Facebook, MySpace and other similar social networks that are able to harvest vast amounts of personal data. I advise everyone to be very careful about what information they put on social networks. Even if you set up your privacy settings properly it doesn't necessarily mean that your data is safe.

A combination of factors means that your data could still be at risk. The look and feel of Facebook is slick because it is built on AJAX, a technique for running JavaScript in the browser that fetches data from the server in the background. AJAX is not a language in itself, but all that extra client-side code, and the extra server endpoints it talks to, give hackers more places to keep finding new vulnerabilities. Also, many of the applications that you may add to your Facebook, such as FunWall, aren't built by Facebook, they are built by third parties. This means that these third party applications, which Facebook has little control over, are also accessing your private data and could be doing anything with it, as this BBC article explains.

The one presentation that I did find interesting was presented by Standard Chartered Bank and was an overview of their project to roll out two-factor authentication for their customers across 15 countries. I know many banks have been trialling this for a while now, but not many banks have actually implemented it due to the cost and administration issues around issuing and managing tokens. However, this is set to change as they slowly get over the issues; and as the take-up of internet banking continues to increase, so does the risk of internet fraud.

So if you use internet banking you'll probably find that the way you log on is set to change in the next couple of years.

Two-factor authentication means that when you use internet banking, instead of just presenting your username and password, and maybe some secondary information like the 1st and 4th characters of your PIN (all of which still counts as a single factor: something you know), you will also require a second factor of authentication, such as something you have, or less commonly, something you are (biometric identification such as a fingerprint, face scan, retina scan, etc). The most common implementation of two-factor authentication is a token that generates a One-Time Password. The bank issues you a token that displays a number derived from a secret key stored inside the token. The number is either produced when you press a button (a counter inside the token advances with each press), or it is derived from the current time, so it changes every 60 seconds or so. By entering the number shown on the token's display, you're proving that the person authenticating to internet banking has the token that was issued to you, i.e. you, or so the theory goes. Obviously it's not fool-proof (a phishing site that simply relays your code to the real bank within the same minute still gets in), but it does add another level of security to the process.

Many companies use two-factor authentication for employee remote access to their networks. One of the big issues with token-based two-factor authentication is the cost of the tokens and the management of them. This is particularly a problem when you're using it in a business-to-customer (B2C) environment like a bank, where you may have to issue tokens to 1 or 2 million customers.

To get around this, another option is to use the customer's mobile phone as the 'something you have' device. So for instance, when logging on to internet banking a text message could be sent to your mobile phone with a one-time code that you would enter into the internet banking login screen. Alternatively, there's a thing called IVR callback, which basically means that you would receive an automated phone call from your bank which would say something like 'Someone is attempting to log on to your internet banking account, if this is you, press 1'.

None of these methods are fool-proof - they all have an element of risk. For instance, when you use a mobile phone for two-factor authentication you're relying on a third party, the telecommunications provider, as part of the process: a text message is only as trustworthy as the network that carries it and the handset that receives it.

Anyway, the findings from the bank's surveys were quite interesting, as was the story the presenter told about banking fraud in Malaysia.

Some of the other presentations were dire though.

One presenter, who was doing a presentation about the security risk management lifecycle, I swear must have based her presentation skills on David Brent in The Office. At one point, to the amazement of all of us, she actually picked up a bag full of some stupid plastic keys that they were handing out to everyone with their branding on it, and dramatically threw them across the stage. As they scattered everywhere across the stage she shouted 'You see people, how on earth can you get a grip of your network if you're having to manage that many applications' or something like that. I was gobsmacked and had to stop myself from laughing out loud. What did she think she was proving by that display? Didn't she feel a bit stupid that she now had to go and pick all of those keys up?

The good points about the day were 1) we got served a really nice meal at lunch time, and 2) I came home with some freebies, although one of these was a Microsoft t-shirt which has the words 'Microsoft: Our Security Rocks' printed on it, which I thought was a bit ironic given the awful reputation of Microsoft's security.

End of Recorded Programme


As the Champions League Final was on in the middle of the night our time I recorded it on Foxtel IQ (same as Sky+ in the UK) to watch when I got home from work tonight. What a game. The first 20 minutes were cagey but the rest of the game was gripping. When it entered extra time I knew this game was heading for a penalty shoot-out - it was just too close to call. I was on the edge of my seat in extra time - both teams had a number of chances and you could see they were giving it all they had even though cramp was setting in and they were all struggling with the awful pitch, made worse by the weather conditions. Then in the 114th minute it all kicked off, a big fracas erupted but there was so much going on you couldn't really see who was doing what. And then... 'End of recorded programme'. God, Foxtel pisses me off!

It kind of took the excitement out of the penalty shoot-out when I had to turn to the Internet to find out what happened.

Sunday, May 18, 2008

The Commission


I've just finished reading 'The Commission: The Uncensored History of the 9/11 Investigation' by New York Times reporter Philip Shenon. This fascinating book gives a behind the scenes insight into the 9/11 commission's investigation, and provides a context for the well-documented omissions and distortions in the final report that continue to fire the 9/11 conspiracy theories.

The book itself is a gripping read. Many of the chapters read like a novel; particularly in the first chapter which tells the story of how Sandy Berger, former National Security Advisor to President Clinton, stole classified documents from the National Archives.

The main point you get from the book is that because of the bi-partisan make-up of the commission, and the determination of the Commission's Republican Chairman and Democrat Vice-Chairman to produce a report that rises above partisan politics and does not assign blame, some of the significant facts found during the investigation, which would certainly have damaged Bush and his top echelon, were merely assigned to footnotes in the final report.

The chapter that amazed me the most was the one that covered the emergency response to the World Trade Centre attacks in New York and in particular the acts of Rudy Giuliani - the Mayor of New York on Sept 11th 2001.

If you remember, Rudy Giuliani became a local and national hero after 9/11. He was seen by the public as the great leader who led New York, and America, through the tragedy of 9/11 while George Bush fled to the skies in the safety of Air Force One.

As it turns out, according to Philip Shenon, Rudy Giuliani's hero status was a fortunate consequence of his own inept actions. In 1998 Mayor Giuliani was building a forty-six-thousand-square-foot Emergency Command Centre for himself and his senior staff, dubbed "The Bunker". The press at the time had a field day lambasting the project, criticising the cost of the construction as an example of Giuliani's oversized ego. The press also criticised the planned location of "The Bunker". The command centre was going to be built in, of all places, the World Trade Centre complex - the site of a terrorist bombing only 5 years earlier and still regarded as being at the top of many terrorists' target lists. It would be housed in WTC building 7, directly across from the twin towers. Not only that, even though it was dubbed "The Bunker", the command centre was actually to be situated on the 23rd floor, with panoramic views out over lower Manhattan.

So as Philip Shenon points out in the book, what was to happen on September 11th was all too predictable:

"Giuliani never managed to get to the command center in the chaos of the attacks that morning. By about 9:30am, before either of the twin towers collapsed, everyone in the command center was ordered to evacuate to the street because of fears that more hijacked planes were heading for Manhattan. The crisis center was shut down because there was a crisis. In a final bit of irony, it was determined that a fire that later destroyed WTC 7 on September 11 was probably caused by the rupture of the building's special diesel fuel tanks; the tanks that had been installed to provide emergency power to the mayor's command center.

On September 11, with the command center shut down, Giuliani and his top aides were left with no obvious place to gather away from City Hall. That left the mayor on the street, resulting in the heroically iconic image of the soot-covered Giuliani leading hundreds of other New Yorkers to safety as he walked north through the gray clouds of debris unleashed by the collapse of the Twin Towers."

On May 19th 2004, the Commission had the opportunity to tackle Giuliani about this in the Commission's public hearing which interviewed Giuliani and the chiefs of the emergency services. However, the commissioners wimped out because of what happened the day before. On the 18th of May the commissioners interviewed the chiefs of the emergency services and heavily criticised them for the disastrous crisis plan and mismanagement on the day of the attacks. The overt criticisms galvanised the press and public, as the hearings were being held in New York, to lambast the Commission. How dare they criticise 'our heroes of 9/11'. So after the scathing attacks back at them, when it came to interviewing Giuliani in the public hearing on May 19th, instead of criticising Giuliani and challenging him, the Commission heaped praise on him for being a great leader.

That response on May 19th was characteristic of the entire handling of the investigation and the final report: no one was to be assigned blame.

The area that the book focuses on most, though, and the story which I believe has attracted the most criticism since Philip Shenon published this book, is his portrayal of Philip Zelikow, the Executive Director of the Commission: his obvious conflicts of interest and his attempts, in Shenon's view, to manipulate the investigation and the final report into avoiding any criticism of the Bush presidency and his senior staff.

The conflicts of interest are obvious and, according to Shenon, it was due to a lack of proper background checks on Zelikow by the Commission's chairman and vice-chairman that his conflicts of interest were unknown to the Commission when they appointed him as Executive Director. The conflicts of interest were made even more significant by the way Zelikow ran the investigation. As much as the 10 commissioners (5 Republican, 5 Democrat) were the public face of the Commission, it was ultimately Zelikow who ran the investigation; deciding who was to be interviewed, what line the investigation would take, and ultimately what was to be included in the final report.

It comes as no surprise then that the final report lacked any criticism of Bush and particularly Condoleezza Rice, when you learn that not only was Zelikow a close friend of Condoleezza Rice, but he was also on the transition team when Bush took office in the White House, and was the main contributor to the paper that changed America's National Security Strategy, which for the first time introduced the doctrine of pre-emptive attacks. These facts are significant and, according to Shenon, help explain why Zelikow:
  • Broke the Commission's rules and repeatedly telephoned both Rice and Karl Rove, Bush's chief advisor, behind the back of the Commission.
  • Attempted to steer the Commission into making links between the 9/11 attacks and Saddam Hussein even though there was no evidence to support the links.
  • Managed to shield Rice from criticism in the final report even though there was clear evidence that, as Bush's National Security Advisor, Rice received clear warnings from the CIA in the months leading up to 9/11 about an imminent attack by Al Qaeda against America, yet did absolutely nothing to act on those warnings. This includes the now famous August 6th PDB (President's Daily Brief), which warned of possible terrorist hijackings of commercial airliners and of intelligence that terrorists were carrying out surveillance on buildings in Manhattan.
Other revelations in the book included: the fact that the Commission left the investigation of the NSA's vast archives until the last minute and therefore only managed to read a fraction of the intelligence; how Dick Cheney, as the Vice-President, gave a shoot-down order on the morning of 9/11 which was unconstitutional (Dick Cheney claims that he was acting on behalf of Bush but there was no evidence to corroborate Cheney's assertion); and how the final report failed to fully emphasise the abysmal failings of the FBI, largely because the new FBI Director managed to schmooze the commissioners into believing that he could change the FBI for the better and that there was no reason to break it up, which was certainly in the minds of the commissioners when they first learned of the FBI's bumblings.

All in all the book is a fascinating read and I highly recommend it if, like me, you're intrigued by everything surrounding 9/11.