Of Mutton Chops & Ranum: If you read nothing else this week, read Geer & Ranum

Earlier this week I was joking w/ a friend that we need a "Jimmy the
InfoSec Bartender" for the industry. Or maybe a duo like Chris Knight
and Lazlo Hollyfeld (Real Genius, 1985). People you can turn to for a
beer or a dram and settle your nerves and turbulent thoughts with some
succinct sage advice. Enter Daniel Geer & Marcus Ranum. Dr. Geer &
Peter Kuper released an article from an upcoming issue of IEEE
Security and Privacy about the InfoSec/NetSec investment market, or
lack thereof, metrics, and the geopolitics
(http://geer.tinho.net/ieee/ieee.sp.geer.1109.pdf). Ranum continued
his "Cyberwar: a Whole New Quagmire" series at Fabius Maximus with
"Part 4: About Stuxnet, the next generation of warfare?"
(http://fabiusmaximus.wordpress.com/2011/09/29/29291/).

If you've been reading about Stuxnet nuclear fallout, mass casualties,
and flying UN*X hosts then you need to read Ranum. He presents a much
larger picture of where we are, where we might be, and how to ~think~
about solving the problems. He isn't mucking it up with turf wars or
questionable disclosures. He is just trying to get "US" back on track.
I think he does so wonderfully.

Now, I'd like to concentrate on Dr. Geer & Kuper's paper for a bit..
what they say stands well but I'd like to season it a bit.

- The Real Cost of Facebook -- Everything they say SCREAMS that
winning the ~privacy~ debate w/ Facebook, Google, Sony, Apple, Amazon,
etc. etc. is CRITICAL to National Security. Why? Because _those_
players define the relative value of ALL data in the marketplace. I'm
going to extrapolate a long way and say that TS/SCI will become
meaningless in the coming decades if we can't get people to value
their own privacy and personal data.

- This is not blanket xenophobia, this is market economics and
geopolitics. You might be tempted to frame it as Economic Nationalism
gone awry but it's not that either. It's DATA. You have to make a
geopolitical decision w/ that data. Are we OK with a decreasing value
to our data and thus overall economy or are we willing to make a
change? And can we play nice w/ the markets to do so? "This is no
longer a game" indeed..

- The pain threshold for major data loss is too low. Wayyy too low.
And we can't mandate or over-regulate it because, as the authors say,
that becomes the ceiling instead of the floor (think PCI). As Security
Professionals how do we make our customers, family, and friends see
things differently? Ah yes, that recurring theme from prior posts.
Still a big question but where Geer & Kuper start is by figuring out
how to make the market see things differently. I say (back to bullet
one), make the Facebook and Google+ populace see it differently first.

We all knew this, right? Well.. yeah.. I think we did. However, on any
given week I'd posit that a majority of us forget to think about these
things. We're consumed with the fires burning our souls right that
moment. I get that but getting back to basics and real meaningful
metrics is always a good way to go into the next week, no? -Ali

Harold and Maude: the @Dr_Craig_Wright & @krypt3ia story

In Dr. Wright's latest entry into the mix
(http://bolt.thexfil.es/9ajuh) he says:

"I am saying more than I am allowed to here already before the launch
on the 7th of October, but we are expanding such that we will have
over 100 doctoral students in information security and digital
forensics at the school."

And

"Not naming names here and nor will I even when plied with drink, but
basically, some of the CSC guys I worked with also did the Telstra
tower and worked in TS and general systems. They needed to manage
these and the budget only allowed them to do so much.

So, they had implemented TCP 53 outgoing from anything on the
firewall. All the auditors missed this. It was simply DNS and so
nothing was ever noted in a single report."

In the first quote he is referencing an educational program at Charles
Sturt University and in the latter (and indeed the post as a whole)
issues of National and International security and collaboration,
including references to Top Secret networks and programs. Anecdotes,
changed names, resistance to drunken interrogation, etc. aside: what
is your end-game, Dr. Wright?
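The "TCP 53 outgoing from anything" rule in the second quote is the kind of egress hole that gets waved through as "just DNS". Below is an added example (mine, not from Dr. Wright's post or any real firewall) of the audit check that would have caught it: it walks a constructed rule list in a made-up tuple format and flags allow rules that let a broad source reach port 53 anywhere, unless the source is one of the assumed approved resolvers.

```python
# Added example: flag "anything may talk out on port 53" egress rules.
# Rule format is my own simplification, not a real firewall syntax:
#   (action, proto, src_cidr, dst_cidr, dport)
from ipaddress import ip_network

# Constructed sample rule set; the third rule is the anecdote's blind spot.
RULES = [
    ("allow", "udp", "10.0.0.0/8",   "10.0.0.53/32", 53),   # hosts -> internal resolver
    ("allow", "tcp", "10.0.0.53/32", "0.0.0.0/0",    53),   # resolver -> Internet
    ("allow", "tcp", "0.0.0.0/0",    "0.0.0.0/0",    53),   # anything -> anywhere on 53
    ("allow", "tcp", "10.0.0.0/8",   "0.0.0.0/0",    443),  # ordinary web egress
]

# Assumed: the only hosts that legitimately need to resolve on the Internet.
APPROVED_RESOLVERS = [ip_network("10.0.0.53/32")]


def is_broad(cidr, max_prefix=24):
    """Treat a source or destination wider than a /24 as 'anything'."""
    return ip_network(cidr).prefixlen <= max_prefix


def flag_dns_egress(rules, approved=APPROVED_RESOLVERS):
    """Return (proto, src, dst) for allow rules that let a broad source
    reach port 53 on a broad destination, skipping approved resolvers.

    Only the resolvers should need that path; any other host using it
    is indistinguishable from a DNS tunnel to an auditor who sees "DNS".
    """
    findings = []
    for action, proto, src, dst, dport in rules:
        if action != "allow" or dport != 53:
            continue
        src_net = ip_network(src)
        if any(src_net.subnet_of(a) for a in approved):
            continue  # the resolver itself is allowed out
        if is_broad(src) and is_broad(dst):
            findings.append((proto, src, dst))
    return findings


if __name__ == "__main__":
    for proto, src, dst in flag_dns_egress(RULES):
        print(f"over-broad DNS egress: {proto} {src} -> {dst}:53")
```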

The point Scot made is that what good does THIS level of attention
garner other than personal publicity? And if you really care, is this
how best to effect change? Do you think we're dullards? Heck, even if
you assume we ~don't~ know ourselves (I'm talking generically about
the InfoSec/NetSec community as a whole), can't you safely assume that
we listen to Exotic Liability?

You are proving Scot's initial post in that this level of
Fear-Uncertainty-Doubt is best used for advertisement and
self-promotion. Not creating solutions. Not one person who didn't know
these problems existed or who was in a position to ~do something~
about these problems will be affected through this tactic of release
and publicity. Not. A. Single. Person.

That's not even addressing the voracity and other implications of some
of your claims. (I'm fairly sure voracity isn't the right word?)

So let's get to the REAL issue here....

You have now moved firmly into the Whistle Blowing category. You are
claiming specific information related to incidents not in the OSINT
realm. You are going so far as to indicate personal knowledge of both
Australian and US Classified networks and breaches to said networks:

"I have seen so many kludges connecting SIPPER and NIPPER networks in
the US it is not funny and they have links to us here in Oz as well."

I assume you meant SIPRNet and NIPRNet? And you specifically call out
TS above that. In both the US and Australia there are CSIRTs,
Inspector General offices, Defense Security Service, etc. etc. Why are
you expanding your story here? Shouldn't you be in their offices now?
Even if you were before, shouldn't you be there again? And again? You
certainly write well and are well spoken. Do you think you're
influencing somebody w/ actual actionable options via these syndicated
blog posts? It's an honest question, I'm very curious.

So now you've publicly gone on record as saying you've observed said
things AND people have sent you an outpouring of support including
potentially Government or Corporate protected information. See... I'm
all about fighting over-classification. All about raising a ruckus.
However, the debate on "responsible disclosure" should be something
you're very well aware of.. as a matter of fact you wrote a nice piece
about market factors and responsible disclosure
(http://bolt.thexfil.es/9sxcr).

So I'm seriously questioning your motives here... Throwing this all
out there isn't ~helping~ actually solve anything. Especially the more
sensationalized it becomes. You either leave people with a feeling of
Chicken Little or you make them overwhelmed and let them get caught up
in their own self-pity. Are you going the WikiLeaks or Anon route and
hoping for public political pressure? If so, it certainly isn't coming
across in your approach.

And before you say it, nobody actually working these systems was
hiding anything either.. exactly the number of people well versed
enough and staffed enough to address them are working on them. It's
not like you suddenly created a ton of extra people for us to hire and
work alongside? Ohhh yeah... your University advertisement.

So full circle it appears you're proving Scot's point. Honestly Dr.
Wright, I'd love to know what you propose the outcome of your
mini-series to be here? Do you have a free course offering, new
mailing list, free labor available, etc. to help those of us already
in the trenches fighting this battle? A new way of helping us
communicate and influence in and upstream? If so, then by all means
let me buy you a keg and Wagyu beef and let's talk. Perth? Sydney?
Hobart? Your call. Cheers, -Ali


DISCLOSURE: Scot and I have worked together in the past. We've had
SERIOUS disagreements. And I disagree with a number of things and his
approach in this particular series of conversation. That didn't
influence my rant above.

Dumb & Dumber: The "life criticality" debate revisited

(This is as good a spot as any to reboot some blogging. *shrug*)

OK, back when the DigiNotar/Iran MitM mess was fresh there was a small
back-and-forth between @awilsong, @dakami, and @gregcmartin. You can
get a glimpse of it at
https://twitter.com/#!/dakami/statuses/108440352591052800. I chimed in
that @dakami was not taking this seriously enough, that he was wrong,
.. an excerpt:

---
"I understand what @dakami is trying to say but I disagree because the
difference being that this is not speculative. When a State-level
player actually uses email, web traffic, social networking, etc. to
carry out oppressive agendas against other religions, ethnic
minorities, or dissidents it's moved squarely into the arena where
"life criticality" is a valuable metric. It has a historical and
economic basis at that point.

In general the snake oil labeling in the Security field has mucked up
a lot of things. I'm sure I can share in some of the blame. However, I
think the bigger problem continues to be the security industry's
inability to relate to life in general. Whether it's usability or
priority, the consumer level concerns always seem to fall on one side
or the other. Either an existing broken system & perpetuating the same
broken system or a completely unusable one. It doesn't matter what
happens then, you can choose either path and "life criticality" is a
valid metric."
---

I take it back. I. WAS. WRONG.

Life criticality is a useless and counterproductive metric until
exactly the moment it is not. Until then it's a huge hindrance to
actually making progress in applied security and security engineering.
It's counterproductive... for the sake of discussion, let me consider
two IRL situations before moving onto ~how~ I got to this point.

1) DigiNotar/Iran -- Technology meets geopolitics and lives are very
much at stake. Should the Certificate Authority system and SSL/TLS be
designed with this sort of situation front-and-center? And if this was
the example of abuse would the system have been improved in any
notable way at the time it was designed?

2) The flu "pandemic" -- Did considering "life criticality" seriously
change the approach end-users (read: citizens) and technology enablers
(read: Doctors and Purell) took toward a potential outbreak? They were
talking double-digit percentages of human lives lost on Earth!!

If we knew that Iran was going to attack CAs from the start, do you
think it would have resulted in an engineered for resiliency system?
No, not a chance. The politics of Internet control, the geopolitics,
etc. would have derailed it so far that I'm willing to wager CAs would
have been worse off. A more fragmented system where browser vendors
would have had a harder time identifying mistakes and implementing
controls. I'd go so far as to say alternative browsers would not have
been viable in such an environment. And what was the result of massive
scare-mongering regarding the flu? Just a lot more Purell and about
nothing else. Was there even anything more that could have been
reasonably done?

So for those two examples and their respective professional
populations.. what did we accomplish? Nobody but the people who
already took it seriously, takes us seriously. Seriously. Think about
it.. did anybody who would have a gambler's chance of understanding
what the right things to do actually benefit? For (1) we had some MSM
coverage of the issue, a few patches, a lot of non-patching (I'm
looking at you Android), and it's forgotten outside of the circles
that knew it was only a matter of time anyway. And for (2) the
situation probably got worse although it would be hard to quantify it.
More abuse of sanitizing products and an increasing muting of the
voices of alarm and/or reason.

So what brought about my change of heart? Stuxnet and "mass
casualties" from nukes, water supplies, jumbo jetliners, etc.
Primarily the posts and responses between @krypt3ia
(https://twitter.com/#!/krypt3ia) and @Dr_Craig_Wright
(https://twitter.com/#!/Dr_Craig_Wright). In order from oldest to
newest:

http://packetknife.bo.lt/48kli -- Stuxnet is not going to blow up the
world post by @krypt3ia
http://packetknife.bo.lt/hjdo2 -- Stuxnet is still not going to blow
up the world or rape and pillage by @krypt3ia
http://packetknife.bo.lt/br0pk -- OMG @krypt3ia it's going to do all
that and more by @Dr_Craig_Wright

(At the time I rambled this blog rant out I had not read @krypt3ia's
latest response: http://packetknife.bo.lt/droj6 ..)

Although I really would rather not, I should post the two articles
that triggered these posts and discussion.

http://packetknife.bo.lt/22lxx -- Stuxnet will blow up the world
article referencing Tomer Teller
http://packetknife.bo.lt/e4yda -- 'Why is he getting the attention
when I did the work?' Stuxnet article referencing Ralph Langner

Don't get me wrong. There are very real problems w/ SCADA and other
supposedly secure "industrial" network practices today. I've seen them
up close and personal. Tomer Teller and Ralph Langner aren't chumps.
They most definitely know the industry and know what they're doing as
well as anybody in our (relative) infancy does. Important people will
listen to them, we'll listen to them, and that's why I've had my
change of heart and I'm ranting and raving like a sedated lunatic
right now. This is all about how we carry the message and change.

"We" sound ridiculous (circling back to @dakami's position). And if we
sound ridiculous, the people w/ the resources and influence to make
things happen WILL ignore us.

So what's the right approach?

You'd think the fear of human lives lost would be a good approach but
it's not primarily because it's already been factored into the risk
equation. Let's use Wright's example of the 747 (both Scot and I have
some experience, significant, in this area BTW).. the liability and
risk of an incident regardless of cause comes down to price per
passenger death. In other words, from the inside and from an influence
perspective, you have to talk in a language that isn't ~already~
quantified in dollars and cents (liability caps, insurance, etc.).
What does this mean? Let's face the facts, most people who are powerful
enough to make large scale shifts happen have a political motive.
Whether they are in business or in Government. You have to present an
argument, that ahead of any speculative disaster, seriously undermines
their comfort. Or seriously motivates profit.

And "life criticality" is almost the worst possible way to do that..
whether it's diabetes gear, nuclear weapons, or jumbo jets. Unless
people have already fallen over dead, they're simply not going to
care. So you either kill people (don't) or you start working within
the comfort zone of the customers. Not the press, not your peers, but
the people actually coming up w/ the monies and motivators. You need
to personalize this. Make somebody the champion and develop a
meaningful business or political platform around it. Until then,
nobody is going to listen.

Unfortunately this can take us in another dangerous direction.....
think "APT"... more marketing, more FUD, but it's Dumb and Dumber...
and we've got to keep going in the right direction after a continued
slide through snake oil and the preposterous.

Here is where I'm stuck.. we've seen when "life criticality" becomes a
metric of consequence. We all have. On September 11, 2001 it became
the _ULTIMATE_ example of such a metric. It can't be ignored, it had
hard historical data behind it, .. what do we do then? The same thing.
You dismiss it as the sole metric unless it can be quantified against
other lives, resource economics, and geopolitical posturing. Sorry,
that's just the way of it. Life criticality is just almost always
going to be the wrong metric at the wrong time for the wrong reasons.
Don't use it. Ever.

More on this later.. Cheers, -Ali