Packetknife's Space - http://www.packetknife.com
Most recent posts at Packetknife's Space (posterous.com)

Sun, 19 Feb 2012 01:09:00 -0800
Capturing more of a rant, trying to distill it..
http://www.packetknife.com/capturing-more-of-a-rant-trying-to-distill-it

- This is not an attack on security vulnerability researchers. The
market of "bug bounties" and paid exploits for use in security
products has been generally well developed these past seven/eight
years.

- I say generally because boutique shops like FinFisher and VUPEN
indeed pay, and then keep secret, their vulnerabilities from upstream
development shoppes unless there is another customer agreement in
place. And it's somewhat suspect if even in those cases there is not
another agreement, with a Nation-State, that trumps that concern in
the name of National Security.

- When the likes of Charlie Miller, one of the most respected and
successful vulnerability researchers (and a good guy by all accounts),
takes $50k USD payouts from the United States Government for 0-days
and then also pleads poverty - something is seriously wrong with the
perceptions of what the market can bear. Even if he wasn't entirely
serious he defends his position by saying if he was a billionaire
software shoppe it'd be equal game against him.

- So as an industry security just points the finger of blame at
programmers and business people. Business and programmers say security
is too hard. And as a security professional myself I actually believe
they're right, BUT they aren't right because they've actually tried and
failed. They just happen to be right, and they haven't come any closer
to a middle ground than "we" (the collective security industry) have to
providing easier failsafe pathways to security.

- So the landscape has, at least:
-- Poor architectural choices with protocols and systems developed as
Turing complete in the worst possible places - document formats,
network management protocols, etc.
-- Poor software engineering practices on top of potentially naively
developed programming languages. Or languages developed well before
the scope of problems were understood with installed bases entirely
too huge to undo/address comprehensively in any reasonable timeframe.
-- An installed base of legacy systems at all levels of society that
are hard to replace, are sometimes undocumented, and increasingly
connected to the Internet.
-- Ongoing business and political drivers that favor expedient
distractions and movement over long-term strategic security.
-- (Really simplifying to save pages.)

- Then you have a World with the same old problems and dynamics.
Lesser developed economies look for the fastest, most expedient way to
expand and in turn make Faustian bargains at all levels. And as their
ICT infrastructure comes into play they find a world of easy-money
cybercrime waiting for them. They also in turn host already capable
actors of questionable ethical beliefs. The hot-beds of cybercrime,
and not spam or other junk, are indeed the economies which developed
the ICT the fastest while everything else lagged behind. It's popular
to say the US is still the biggest exporter of cybercrime but that's
been counting installed base infections (not malice per se) and spam.
Even with current Anonymous related activities it's not even
comparable to the actual underground black market of cybercriminal
wares overseas.

- Western powers respond in more traditional means to little overall
effect. Even the biggest busts have effective lifespans of days - if
that. And the politics kicks into high gear with FUD and ineffectual
grand strategies that usually involve more surveillance, more control
over the Internet, less Privacy, more hardware and software ingrained
requirements, etc. etc. that increase costs, don't get adopted by the
Nation-States acting as cybercrime safe-havens, and are usually
technically impotent anyway.

- So in the end the Western responses create two beastly bodies to
deal with: One) They actually just further burden the Western
economies and development while developing tools that are being used
elsewhere to actually further disconnect the rest of the world (RE:
Wikileaks Spy Files). And the activist response is ineffective because
as the cat's out of the bag the alternative providers, from Russia and
the Far East right now, step in to take over. And Two) They erect
barriers and strange ideas of more control and isolation over an
ecosystem that can't afford to be, and really isn't going to be
easily, fragmented.

- This fragmentation and a drive toward National Intranets again loops
back into rising costs, less information freedom, fewer educational
resources, isolationism, etc. and creates a negative feedback loop for
all participants. And it further legitimizes the efforts of already
oppressive censorship regimes. So, in effect, the West has just
dramatically improved the market for this undesirable pathway
regardless. Even if they're not directly enabling troubling regimes.

- The Actors most hurt by this continued slide are those at the lowest
end of the ICT development spectrum. They now have reduced information
resources, reduced investment from the West (sometimes in direct
response to "not enabling" cybercrime), and then less integration with
the Core. And as most people understand now, that lack of integration
is the single greatest threat to International Security today (e.g.
breeds extremism).

- So, looping back full bore to the topic at hand, you've now got
serious five and six digit sums being paid for 0-day exploits by
*Governments*. They may be single fire opportunities, or even if they
last a while they will be discovered and, even if you release details
and patches are generated, a large swath of systems will remain
vulnerable for years to come. And even if the cyber weapon (I hate the
nomenclature but it is what it is) is sufficiently unique not to be
readily applicable elsewhere, the techniques and tactical processes
behind it are still exploitable by another adversary. This will, it
absolutely will, cause situations where you're likely facing your own
medicine.

- And as a response to that, like cybercrime response, there is more
isolationism and protectionism. Instead of open standards systems you
end up with larger scale conspiracy and grandiose edicts.

Ali-Reza Anghaie (packetknife) - http://posterous.com/users/hgWbDEKqxIXBU

Mon, 13 Feb 2012 15:23:00 -0800
Wait - What? @TrailOfBits
http://www.packetknife.com/wait-what-trailofbits

@chriseng - Chris Eng
I find it interesting and refreshing that @trailofbits is focusing on
*defensive* services. Breakers do make the best defenders, IMHO.

@taosecurity - Richard Bejtlich
@chriseng Cool to see @trailofbits Tho, IMHO, breakers aren't great
defenders b/c they don't appreciate how operationally tough defense
is.

@taosecurity - Richard Bejtlich
In my experience, breakers can't handle the political, legal, org,
etc. straightjackets in a biz; much tighter than rules governing
offense.

@taosecurity - Richard Bejtlich
@dguido No disrespect, but have either of you been a CSO, or run a sec
team w/operational responsibilities at a company? It's different.

----

I found this (growing) exchange somewhat bizarre.

1) Now that we've drawn the C-level line between Breakers and
Defenders... exactly what is the body of huge massive successes the
Defender CSO can stand behind? And exactly how much (and what source!)
pot was smoked to come to that delusion? Seriously, have we
"Defenders" that have run all sorts of teams to date had massive
success? Do we really truly believe we haven't had leaks out the kazoo
and incidents we responded to "perfectly" that still dribbled bits
onto the floor?

2) Have you READ what Dan, Dino, and Alexander have done? Even the
most cursory review would tell you they have PATIENCE, are POLITICALLY
AWARE, have dealt with LEGAL issues, .. to do what they've published
publicly takes a particularly insightful, well researched, hard
working, patient, agonizingly detailed, and aware person.

3) Have you written a reliable exploit that works across millions of
disparate installs, networks, languages, eras, .. fsck? Even when you
try to trace the exact steps Alexander has laid out at times, you just
fsckin' piss yourself. I repeat: Even AFTER they give you the SOLUTION
it's still non-trivial to try to reproduce and understand the steps
and do something new with it at remotely close to the same scales.

Let's say for a moment you completely disregard their collective
Defensive abilities (read the rest of the timelines). What they've
brought to the table in sheer Engineering, Motivation, and Process
capabilities should be enough to go Whoa. WHOA. Yeah, they're bringing
something new to the table.

Most importantly this is about respect in an industry which seems to
have none for itself, peers amongst us, and a tendency to "eat its
young".. w/ all the charlatans running around we sure could use a bit
more recognition when serious collaborations like this come together.
And yes, I was being a bit disrespectful above myself. And we all need
to cut it the fsck out. -Ali

Fri, 10 Feb 2012 23:11:00 -0800
Programming Note
http://www.packetknife.com/programming-note

Writing will return after a side-project matures to announcement.
Hopefully before Q1 ends. In the meantime check out the Cloak &
Swagger podcast at http://mixlr.com/packetknife or RSS and
alternative downloads at https://packetknife.minus.com/. Cheers, -Ali

Wed, 28 Dec 2011 00:24:29 -0800
A quick note about Stratfor "sources"..
http://www.packetknife.com/a-quick-note-about-stratfor-sources

Why is it people think ~everything~ has to be spelled out to be
exposed? There seems to be a large population that believes that
Stratfor's various sources, collaborators, etc. will be spelled out in
email and that will be that. That's a gross oversimplification of how
sources get exposed, their awareness, complicity or lack thereof, etc.
Agencies and organizations all over the world will not only be looking
at email addresses and names but they'll be checking their logs to see
who has been talking to these newly exposed email addresses. They'll
be doing basic OSINT to find area codes and check if there is some
correlation between suspect subversives and long-distance calls.
Harvesting Skype information or nyms, etc. etc. That's not even
addressing the contents of the emails, just the bloody headers. So it
annoys me, the hypocrisy, when people FREAK OUT (rightly so) about
Blue Coats in Syria but are a-OK with Anon/Anti/Lulz perhaps
indirectly exposing Syrian activists by providing a who's-who of who
they might be passing information to on the outside. Anyhow, just a
quick rant... -Ali

Sun, 27 Nov 2011 20:05:03 -0800
#InfoSec: Homer Simpson or George Washington?
http://www.packetknife.com/infosec-homer-simpson-or-george-washington

Take your pick of great strategic thinkers: George Washington, Carl
von Clausewitz, Garry Kasparov, Lord Nelson, Napoleon Bonaparte, Sun
Tzu, Herman Kahn, etc. Now, sit them at a table and have them look
over reams of InfoSec incident responses. Assuming you’ve accomplished
this time and culture travel they’ll already be well familiar with
Homer Simpson and, if we’re lucky, they’ll compare us favorably to
Homer’s professional accomplishments.

Mmmm… more blinky lights…

I find it’s useful to consider three contemporary fields in particular
when pondering InfoSec strategies and our future: Defense, Economics,
and Healthcare. And all three fields have grasped nonlinear
preventative and swarm tactics in a way InfoSec would be wise to
consider. And, like InfoSec, all three also have their snake oil
salesmen and demons to satiate.

Recently Meredith Patterson (@maradydd) tweeted about an opinion piece
in The New York Times (1) on Healthcare:

“If high touch medicine offers additional monitoring and services, how
can it save money? Arnold Milstein, now a Stanford professor,
identified physician groups that were above average in quality but
treated patients for 15 to 20 percent less money than average.

How did they do it? By preventing emergency room visits and subsequent
hospitalizations.”

I’d argue this approach is missing almost entirely in Enterprise
Security plans. Conceptually everybody talks about preventative care
(e.g. configuration/patch management, security life-cycles) and rapid
incident response. However, we discharge the patient as soon as
possible with a new gizmo hanging somewhere and pat ourselves on the
back. Only to be revisited by misery a short time later to do the
InfoSec triage over again.

Organizations need to invest in strategic long-term care of their
assets. Every response should be pervasive and prompt a re-examination
of existing architectures, controls, training, etc. Don't scoff, it's
really not that difficult. Your team has likely considered every
nuance in their minds more than once. Actually addressing them isn’t
as intensive each subsequent time. And, like the study (2) The New
York Times opinion piece covered, you’re going to see a cost savings
and quality improvement across your Enterprise.

When I broach this topic I usually get a range of responses but they
all circle one issue: Nobody cares about the long-term because they
won’t be there. That’s not frequently true, it simply can’t be,
because professionals need to have an accomplished and tangible record
to move on in the first place. And usually a significant body of work
to progress your career. Such a body of comprehensive and responsible
work, as I suggest above, would produce more data and metrics. It also
gives your colleagues and team more confidence in your leadership
abilities. In the respect you have for their body of work. There is
nothing an InfoSec professional hates more than to see their hard work
squandered.

Do you want your team to look at you as a Homer Simpson or a Lord Nelson?

(1) http://opinionator.blogs.nytimes.com/2011/11/16/saving-by-the-bundle/
(2) http://content.healthaffairs.org/content/28/5/1317.abstract

Homer Simpson is awesome and is © 20th Century Fox

Mon, 21 Nov 2011 16:34:24 -0800
The Tin-foil Turban: The CIA & Hezbollah
http://www.packetknife.com/the-tin-foil-turban-the-cia-hezbollah

The news today that Hezbollah's June claims of uncovering numerous CIA
agents in their ranks, Lebanon, Libya, Iran, Syria, etc. is being
confirmed by "unnamed" sources among some half-named sources. And this
is making plenty of news in the US today but what of Iran? Why didn't
Iran capitalize on this more in June and since? Basically because Iran
doesn't think this was a significant victory if a victory at all.

It would seem at least some Iranians believe the US used "idiots"
intentionally to take Hezbollah and others off of the "true"
operational pathways. This is somewhat curious to me because it really
attributes a degree of strategic forethought to the US leadership. At
the same time many of these same people have berated the US for the
levels of stupidity in not understanding the Egyptian Spring, Afghan
tribal politics, or Iraq. Had anybody in this circle been tied to say,
a captured American "hiker", then it would have been a completely
different (and victorious) story. While I read and listened to the
back-and-forth in this particular chatroom two things occurred to me:

- Iranian armchair geopoliticians have their conspiracies
diametrically opposed to one another

- The Iranian "grip" on the Internet and media is more effective than I thought

It's the latter point that was more bothersome to me. Indeed it does
appear that many people inside of Iran that were familiar with tools
like Tor actually do believe, and repeat emphatically, that various
sources of software inside of Iran include countermeasures and
poisoned versions of various anonymity and anti-censorship tools. This
had come up on one of the Tor lists fairly recently and when pressed
for samples or details, nothing came of it. I also dismissed it. Now
I'm seeing/hearing it from people that should know better and again,
when pressed, they are afraid to get involved or provide evidence. And
simultaneously they had a degree of faith in this video/voice/text
chatroom? However, this time I'm having a harder time dismissing the
initial claim entirely.

Anyhow, random rambling musings of the evening. Cheers, -Ali

Mon, 14 Nov 2011 19:58:28 -0800
Adventures in #Movember and #Racism
http://www.packetknife.com/adventures-in-movember-and-racism

Anybody who knows me also knows that I have ridiculously thick and
fast growing facial hair. I've kept it a manageable goatee for most of
my life but every November I participate in Movember events. This year
I tried a different style of facial hair known as either "The Mexican"
or "Fu Manchu".

http://lockerz.com/s/155222904

My first mention of this was online via Twitter and the response was
mild and supportive. And that ended the positive reception. In the few
days since I've lost count of how many "friends" and professionals
have commented that I look "Mexican" and I should get rid of it. More
than once I was told it's "unprofessional" and, again, "it looks
Mexican"..

So I decided to ask somebody I trust from a Fortune 100 company if
this facial hair would really be a deciding factor for a position. An
excerpt of the conversation quoted to the best of my memory a few
hours later:

Him: "Yeah, of course, it looks low-class and hoodlum."

Me: "Are you talking customer-facing or just generally?"

Him: "It doesn't matter, it wouldn't go over well with
upper-management. I just wouldn't hire the person."

Me: "Even me?"

Him: "*pause* Well, I guess not, I know you though. That's not a good
comparison."

I'm honestly more than a bit taken aback. I get dressing
professionally and being clean. I understand pretty people do better.
If this happens to a professional man for facial hair that wasn't, in
my opinion, unusual.. then what the heck do women go through?!
*boggles* -Ali

Mon, 07 Nov 2011 17:54:52 -0800
#SecBiz -- Who will be InfoSec's Pariah?
http://www.packetknife.com/secbiz-who-will-be-infosecs-pariah

More so in the past three months than I remember at any time since the
'great cryptography wars' of the 90s, InfoSec has become overrun with
Fear, Uncertainty, and Doubt (FUD). Marketing pitches have somehow
moved beyond guarantees of protection against APTs straight into
Dragon Tear Mace. We're on the verge of bottoming-out and
reconstructing our collective industry souls. The next three years
will be exciting times for our industry.

And the first major breakthrough will be finding our pariahs.

Every major movement has a pariah moment that, whether remembered or
not, changes the approach of The People radically and quickly. In
environmental activism it came from Bjorn Lomborg ("The Skeptical
Environmentalist") and in military projection/geopolitics it came from
Thomas P.M. Barnett ("The Pentagon's New Map"). You can endlessly
debate the staying power and nuances of the messages but the bottom
line is that the ~way~ people thought about problems changed
significantly w/ Lomborg and Barnett.

You may not remember it well but take a good look through Google News,
LexisNexis, and Factiva. You'll notice the same, roughly, three-year
cycle whereby a small vocal group of "thought leaders" responded that
Lomborg and Barnett were idiots, naive, or liars. Then it slowly crept
into The Economist, NY Times, WSJ, etc. And finally, while
simultaneously dismissing their contributions, people started sounding
more-and-more like Lomborg and Barnett. In Lomborg's case it went so
far as institutional character assassination later rebuked/reversed by
larger Government investigations.

I think it beneficial to concentrate on Lomborg for the moment. In
particular these three books which he wrote or edited:

The Skeptical Environmentalist (2001)
Solutions to the World's Biggest Problems (2007)
Global Crises, Global Solutions (2009)

Specifics on each book's details or proposed solutions are not the key
takeaway. The key takeaway was that Lomborg and contributing authors
proposed using resource and fiscal economics balanced against
measurable metrics of human well-being as the basis for ~all~ big
decisions.

OK, so a bunch of you are going: "I do that! This is old news! Pfft,
tell me something I don't know!"..

Yeah, you're probably right. I'd wager most of my Twitter friends
actually think similarly to this already. And have for quite some
time. However, the InfoSec Industry as a whole does not. And we need a
voice or a few voices to totally shatter the "thought leaders" of
yesterday. Of today even. Who decided who these so-called thought
leaders are? Where was this committee convened? Consider for a moment
that encryption, courtesy of Bruce Schneier, is still quite frequently
considered the end-all of security. It's been nearly two decades since
"Applied Cryptography" and even Schneier can't shake this Ghost of
Security.

Here is the good news… great news actually. Lomborg and Barnett had to
come from the proverbial left field to make their impact. Our change
is evolving internally due to a pervasive awareness of bigger issues
(e.g. environmentalism and geopolitics) by practitioners in InfoSec.
Our pariahs are already in place but not well recognized outside of
our community. (I'm going to avoid naming names, unless asked
directly, simply because it'd be unfair of me to singularly nominate
some people.)

So here is what I'm proposing..

Take the community models that have driven InfoSec's greatest changes
of the past decade. In particular a fairly new entry into the
community, PTES (Penetration Testing Execution Standard), and base an
outreach program on that model. An informal to semi-formalized
committee, peer-reviewing an open Wiki that publishes InfoSec practice
ideals. Things that can translate to Congressional Hearings, DoD
Acquisition Guidelines, Insurance Riders, Mainstream Media, etc. etc.
Explicitly not built upon an existing certification or standards
group. Not ISC, not Jericho, not SANS, nobody.. something more organic
and peer driven.

A group like this can take public perception and discussion in a
better direction than either Anti-virus or new-fangled Anti-Dragon
Tear's APT Conan Swords. A group like this can hold enough weight to
temper the FUD of a few whoring repetitive messages in the press. CNN,
Christian Science Monitor, Fox, etc. need a more balanced message? We
got it. Congress needs more reasonable perspective? We got it.

Yes? Can't this be done in a community driven, organic, and
professional way? I do indeed believe so!

So who wants to put their name in the hat as a prospective Pariah? It'll
be the most fulfilling skewering you ever get. -Ali

Mon, 07 Nov 2011 14:01:31 -0800
#BSides around Tampa/St. Pete.. #BSidesTampaBay or #BSidesBeerSides??
http://www.packetknife.com/bsides-around-tampast-pete-bsidestampabay-or

Just thinking out loud and have not contacted the BSides people (as
required) per their very clear and helpful instructions. It came up
today because a group I've worked with was offering up conference
space and telling me stories of small-ish conferences they host w/
Busch Gardens trips on the side. And immediately #BSidesBeerSides
imprinted on my brain. However, I can think of many places better than
Busch Gardens to take speakers and attendees but having that family
friendly option is always good. Rambling, -Ali

Fri, 04 Nov 2011 22:10:37 -0700
Hrmm. Lets say #OpCartel was a bad hoax. Still.... err.. this can't be good..
http://www.packetknife.com/hrmm-lets-say-opcartel-was-a-bad-hoax-still-e

A lot of people reacted the same way when the news came out that Los
Zetas had (unknowingly?) released the Anonymous captive they had, then
actually knew they had, and Anonymous (again) called off #OpCartel.
Which might be on again.

You'd be forgiven for getting mixed up and I'm confident I still am.
Oh yeah, so a lot of people went..... Say what?! Los Zetas released
somebody alive?!

(UPDATE: Meanwhile The Grey Lady updates their coverage at
http://www.nytimes.com/2011/11/05/world/americas/in-mexico-facts-blur-as-onli...
..)

So I decided to do some digging because some discussions on IRC
indicated Los Zetas actually has released prisoners in the past and
participated in swaps. However, I can find nothing to corroborate this
in the tsunami of Los Zetas news. Quite simply, the only people being
released by Los Zetas alive seem to be the upwards of three hundred
prisoners broken out of Mexican prisons w/ the help (alleged) of Los
Zetas. In news between 2008 and mid-2011, and looking across multiple
cartels and operations across Latin America, there seems to be no
reason to believe Gulf, Sinaloa, La Familia, New Republic, Beltran
Leyva, etc. (much less Los Zetas) made a habit of releasing much of
anybody alive. There does appear to be affiliated kidnap and ransom
releases further down into South America but I'm not seeing much tied
to the numerous Mexican drug cartels.

So here is my thought now... is this a lose-lose-lose for Anonymous
regardless? Even if they release nothing and back off #OpCartel
completely the coverage of this issue has been insane.

If you go to news.google.com and select "past hour" you'll notice the
Spanish language sources alone were in the 600 - 1200 range. A majority
of that is syndicated distribution of sorts but regardless, it's a
huge amount of very loud coverage. The question becomes, when it comes
to drug cartels, is there no such thing as bad press? And as this is a
compelling storyline for many, does Los Zetas have something to gain
by continuing it in a traditional fashion w/ Anonymous?

What I'm saying is... I'm not sure Anonymous and Barrett Brown can
just walk away from #OpCartel even if they want to. They might be
done-and-done but Los Zetas sets the rules and the pace in this
engagement.

I have said elsewhere and before that organizations like Los Zetas
operate more like Nation States in African war-torn regions than
anything most are familiar with. That's my longtime perception
although I won't claim any expertise. The thing about that is though,
you don't touch Nation States unless you're one. It's part of the club
rules. You can kick and scream and moan (e.g. WikiLeaks) but you just
don't touch.

I think this story gets a lot louder before it goes away. Cheers, -Ali

Thu, 03 Nov 2011 19:01:00 -0700
#EntSec pt. II -- Accepting Exceptional Mediocrity
http://www.packetknife.com/entsec-pt-ii-accepting-exceptional-mediocrity

In the opening barrage
(https://www.infosecisland.com/blogview/17677-EntSec-Not-Business-Relevant.html),
I suggested the greatest sin of security professionals is not using
their skills to produce better product for the Enterprise. Both
internal and customer deliverable product. My second point, and the
topic of this post, was stated as "Security needs to provide product,
service, and visibility to the core business" and in retrospect that
was possibly the worst way of saying "Security needs to be a selling
point for all products and services"..

Now that we've decided we're going to engage our skill set through
side-channels to help our Enterprise deliver better product, increase
our business relevance, and integrate ourselves into the development
lifecycle we're going to ~market~ our new-found Enterprise Religion to
the outside world. Marketing and Engineering won't like this, I can
almost promise that. However, when those same exact people are
customers elsewhere they fall prey to market-speak about security like
the infamous 'Military-grade encryption' gambit. So it's time we take
back our own marketing and talk about security and privacy as we
expect our own family members and professional counterparts to
practice it.

I don't know a better way of expressing this than through hypothetical
examples...

Let's say you're Zerocks and rolling out a new multi-function
copier/printer/fax/bagel toaster. Don't be afraid to talk about how
you've integrated security into the development lifecycle. Right on
the one/two page PDF put information on where they can find out about
your privacy policy for support, your security contacts for reports
and questions, your downloads for security errata. Just like the total
page lifecycle and failure rates are stated, make sure your security
message and availability is provided. You work 24/7, monitor your
email, stay up hoping not to see your company name on Pastebin.. let
them know exactly how hard you work for their security. Everyone is
going to suffer escapes, and just like technical incident response,
it's how you communicate and make yourself available to customers that
defines how they'll react to you in the future.

Now you've moved on to Jawbohn and you've created a new-fangled
bluetooth enabled health recording device. What's the security model?
How do you wipe the device? Is your on-line portal for syncing to say,
Nyke, tested regularly for vulnerabilities? All of this needs to be
clearly documented, turned into standard work, and integrated into the
marketing and support workflows across the Enterprise.

Insist on it. Insist.

I'd go so far as saying if you're interviewing for new employment talk
about these ideas and see how receptive a new employer is to raising
the visibility of their Enterprise Security department.

If you get pushback, approach it from the same perspective that
Engineers would for an Industrial product. Have you increased fuel
efficiency? Interval between regular maintenance? Etc.

In reality you've done exactly those types of improvements through your
integrated security lifecycle and participation discussed in the prior
post. Start, with humility, to take credit for it and communicate it
pervasively. This stuff matters to customers, it really does. Now, I
know that Sony and others have seemingly gotten away with massive
escapes, but that tide has shifted. It may not have reflected in stock
prices yet, but if you wait until it does, you've waited too long. It
can be a competitive advantage now and, in particular, with the key
tech and privacy savvy influencers of families, Universities, and
classmates. Respect of a brand can carry with someone through decades.
It's my belief that if you influence through Enterprise Security that
you will attract a better breed of customer and customer loyalty. This
is a worthy selling point and worth marketing. And you still don't
have to shave or put on shoes to do it.

We need a bigger piece of the proverbial pie, we simply must have it
(1), and I hope you agree that my rambling musings can help you slowly
get a bigger cut for your Enterprise Security department.

Cheers, -Ali


(1) Daniel Geer and Peter Kuper:
http://geer.tinho.net/ieee/ieee.sp.geer.1109.pdf

Ali-Reza Anghaie (packetknife)

Tue, 25 Oct 2011 13:00:00 -0700 #EntSec -- Not Business Relevant http://www.packetknife.com/entsec-not-business-relevant

When Rafal Los (@Wh1t3Rabbit) asked people to describe Enterprise
Security in three words I took the humor approach with selections like
"Complete Cluster Fsck" and "Advanced Persistent Marketing". Rafal was
kind enough to post a running document with all suggestions for
reference at http://t.co/iqWlkudO and a blog post at
http://bolt.thexfil.es/3sqzj. Now, I was being quite cynical in my
responses but I do have very serious and strong feelings about this
topic.

Enterprise Security is Not Business Relevant. Now, that's quite the
inflammatory statement but unless your business is security then it's
true in practice today. Before the flaming begins let me start by
saying I believe firmly it ~IS~ business critical but I want to make
it actually _relevant_. I'm going to briefly explore what this means
to me:

- Security needs to produce better product
- Security needs to provide product, service, and visibility to the
core business
- Security needs to instill trust and good faith amongst employees and customers
- Security needs to be a competitive advantage

I'm going to talk about the first point in this post; Security needs
to produce better product.

I'm not talking about Security vendors here, I'm talking about
Enterprise Security departments within industrials, banks,
pharmaceuticals, etc. Security and privacy offer all stages of the
product lifecycle lessons, expertise, and benefits not immediately
thought of by most internal customers. Some examples:

- Security Engineering frequently identifies bugs and
incompatibilities that present themselves in non-traditional or
internationalized use-cases. Or with popular but untested software and
up-and-coming standards. I've yet to see a security oriented code
review that didn't improve the tightness, readability, documentation,
etc. of code. Or that didn't also improve stability and compatibility
in some aspect or another.

- Techniques used by security professionals can be used to improve the
performance and stability of almost any production environment. We
look at things through the lens of DTrace or Packet Captures in a way
most people do not. Working alongside developers and systems
administrators in this way can yield, once again, better development
and product.

- Security professionals can instill in your staff better overall
intellectual property protections by also making the privacy and
security of the end-user product better. When devops consider the
end-user privacy in the context of their own then they will also
further that practice with enterprise data. (This parallels what I've
referred to as 'Security through undoing Facebook' which I will
re-visit in another post.)

- Security professionals have almost endless bandwidth for
understanding innovation. This is somewhat vague and arrogant but I
truly believe it from what I've seen over the past fifteen years.
Security professionals can "get" almost anything you're trying to do
and brainstorm and critique with the best of people. It's not
something that is taught, I just believe it's something that also
draws people to the security field.

Taking these examples and trying to put them into practice and play is
non-trivial in most environments. There are institutional barriers,
egos (our own included), hours in a day, etc. that all get in the way.
However, it's critical that Security becomes more engrained in the
production of product and thus business relevant if we ever want to
get the funding, respect, and eventually rest we all desire.

How do I suggest you do this? Well, my first and most important step
would be to actually ~DO~ it. Seriously.. start with the developers
and see if they have a bug system you can peruse, check out a copy of
their code, submit a patch. Work with them in an agile environment.
That's effectively your road-show to the developers. Just get in the
muck and pain with them without prejudice or reservation. Don't
differentiate yourself in any way except the output. Comments,
patches, etc. You might have to learn new APIs or languages even but
it's about bleeding with them for their blood in return. Secondly,
provide unsolicited observations of the end-product in well written,
visualized if possible, and non-judgmental ways. Over a decade ago I
first did this with a few-page analysis of the core daemon for a
software product. I provided information based on profiling, disk IO,
network traffic, etc. that was all of interest to me in building a
security model BUT I didn't say any of that. I just provided it to
them in the numerous contexts of improving their product performance,
lessening infrastructure dependencies, and improving stability. By the
time they got done appreciating and implementing all that I only had a
minimal number of "security" issues to address and they were more than
happy to oblige. This lesson stuck with me ever since and it's been
endlessly valuable. And finally you evangelize and take pride in your
company's products and services. We're a cynical bunch but we can be
fanboys too. Try it sometime and those who fund you and you need to
influence will appreciate it. It's not social engineering exactly..
well.. OK, so it is in a sense but you'll be happier for it I wager.

That's the short of it for now. I will build on this basis in future
posts and appreciate any feedback. Cheers, -Ali

Wed, 19 Oct 2011 11:46:31 -0700 Jimmy the InfoSec Bartender: Is the MBA mightier than the Burp? http://www.packetknife.com/jimmy-the-infosec-bartender-is-the-mba-mighti

Recently on LinkedIn and Twitter, Rafal Los (@Wh1t3Rabbit) of HP was
hashing out the qualifications of a CISO/CSO. Should they be business
or technically backed?

To consider this properly a little historical context is in order.
Consider where business was ten and twenty years ago? I affectionately
call it the Jack Welch era. Where is business today? More agile,
adapting to niche markets, passionate individualism, engaged directly
with the customers, distributed worldwide by default, etc. How
different is that from the GE model of the 1990s? According to Fortune
and others, it's as night and day as you get. However, when you talk
to business insiders - and I've been fortunate (unfortunate?) to have
spent a lot of hours with some big Fortune 100 C-levels - they say
it's evolutionary and they re-tool and adapt regularly. So no panic
there.

Now, consider IT over that same period... and you'll notice agile,
niche, passionate individualism, engaged directly w/ end-users,
distributed by default, etc. That sounds familiar, does it not?
However, we can't retool completely because systems have to keep
business running 24/7/365 and our customers don't see the
architectural rot that we do. So we have layers of hugely disparate
systems that linger for decades. A bit of panic.

What also has happened is that ~casual~ life expectations have aligned
themselves across ALL industries in such a way that we're all our own
C-levels. Things like personal finance and taxes have moved upward and
things like "manufacturing" (aka DIY) have moved down-ladder. Likewise
families and communities have become distributed geographically
through the Internet while simultaneously insular on the neighborhood
level. So, tying this all together, we now have a generation of Open
Source and Open Community Citizen Engineers led by early frontrunners
Linus Torvalds and Larry Wall that looks remarkably like the business
play-books of the Fortune 100. The Soccer Mom management edict of
communities put on steroids dealing with bigger egos, language
barriers, and the eyes of everyone. Our OS/OC Citizen Engineers have
created their own Six Sigmas and are rocking industry after industry
through trial-by-fire growth.

This is not to say that business professionals and C-levels don't have
massive amounts of expertise and perspective that everybody else does
not. They most certainly do. However, we can now relate to business
people in a way we could not a decade or two ago. Likewise in other
industries (e.g. Medical, Legal, ..) we have the same commoditization
to the Citizen of the basic underpinnings. As I'm sure we're all
aware, this trend has potentially catastrophic downsides too but
that's for another debate.

OK, ~NOW~ consider Security over the same timeframes and there is one
notable difference. There. Is. No. Baseline. As an industry we're
still selling snake oil and have huge differences of opinion with
about the same market result (e.g. hacked, stock doesn't budge). The
rules of engagement that have made it down to the end-user are so
ridiculously primitive that if we were Doctors our version of WebMD
would say "have an Apple and an Aspirin" for ~every~ ailment.

Back to the first paragraph.. it's because of that, because of the
organic nature and relative immaturity of our field, that I feel
strongly that you can't teach a CSO/CISO the ~S~ on the job. They have
to have already lived and breathed that for the past decade to have even a
fighting chance of being the C-level over the Anarchist mass of
Security Professionals. When the baseline customer is used to posting
the most intimate details of their lives and passwords, and installing
AV and patching is all they know otherwise.. well.. you're screwed at
that starting gate. If "Turing Complete" triggers a visit to Expedia,
you might as well pack up your data and leave it in the mall parking
lot.

I guess a rude way of saying it would be that you can't teach insanely
dangerous intellectual curiosity. We haz it. Sorry for the random
rant, just thinking out-loud, Cheers, -Ali

Mon, 03 Oct 2011 11:03:33 -0700 A look at some #DerbyCon metrics for @jaysonstreet & @dave_rel1k using @peoplebrowsr http://www.packetknife.com/a-look-at-some-derbycon-metrics-for-jaysonstr

I was hoping to do this properly but ran into some problems.. either
way, here is a rudimentary first-pass look at how #DerbyCon stacked up
on Twitter versus other big InfoSec/NetSec conferences this year.
First, a short blurb on methodology, I used @peoplebrowsr to do some
1000-day searches and then filter out what I perceive as
main-stream-media coverage. Then broke it down by hashtags, retweets,
(tried to) toss bots, and Facebook public postings (not many, no
surprise).

Some high-level randoms: #HFC and associated discussion were the most
talked about overall on Twitter. Outside of the core founders/hosts,
Rob Fuller (@mubix) from direct views, RTs, etc. seems to have reached
the most people about #DerbyCon. HD Moore (@hdmoore) was a close
second. THOTCON's CFP got a big boost through @hdmoore and #DerbyCon.
And the Microsoft MS08_067 cake pic(s) were a huge early hit. Oh, and
@dualcoremusic, was a huge hit getting more talk than most parties got
at any other con as I could find.

Some comparisons: #DerbyCon was far more level in chatter over the
three days than DEFCON or Black Hat. In other words, people were
almost equally as excited/chatty across all three days (~5% variance).
In both DEFCON and Black Hat the first main day generated over 2x as
much noise as the following days (again, excluding MSM). Number of
tweeters vs. known attendees had a much better ratio, almost 10x, than
DEFCON and Black Hat. That ratio of tweeters/RTs/attendees was about
the same as ShmooCon 2011 and a bit better than CanSecWest. Of course
that's also a reflection of how many attendees relatively have Twitter
accounts. People seemed to get a touch more sleep at #DerbyCon than
DEFCON or ShmooCon but not much (gauged by 24/7 tweet rates).

Now, the next part will be breaking down speakers and tracks better
but at first glance it would appear Track 3 had the highest overall
talk. It will take some more time to break that all down.. I'll try to
get that done later this week. And maybe see if I can pull Identi.ca
and Diaspora into the mix a little. -Ali

Thu, 29 Sep 2011 18:40:00 -0700 Of Mutton Chops & Ranum: If you read nothing else this week, read Geer & Ranum http://www.packetknife.com/of-mutton-chops-ranum-if-you-read-nothing-els

Earlier this week I was joking w/ a friend that we need a "Jimmy the
InfoSec Bartender" for the industry. Or maybe a duo like Chris Knight
and Lazlo Hollyfeld (Real Genius, 1985). People you can turn to for a
beer or a dram and settle your nerves and turbulent thoughts with some
succinct sage advice. Enter Daniel Geer & Marcus Ranum. Dr. Geer &
Peter Kuper released an article from an upcoming issue of IEEE
Security and Privacy about the InfoSec/NetSec investment market, or
lack thereof, metrics, and the geopolitics
(http://geer.tinho.net/ieee/ieee.sp.geer.1109.pdf). Ranum continued
his "Cyberwar: a Whole New Quagmire" series at Fabius Maximus with
"Part 4: About Stuxnet, the next generation of warfare?"
(http://fabiusmaximus.wordpress.com/2011/09/29/29291/).

If you've been reading about Stuxnet nuclear fallout, mass casualties,
and flying UN*X hosts then you need to read Ranum. He presents a much
larger picture of where we are, where we might be, and how to ~think~
about solving the problems. He isn't mucking it up with turf wars or
questionable disclosures. He is just trying to get "US" back on track.
I think he does so wonderfully.

Now, I'd like to concentrate on Dr. Geer & Kuper's paper for a bit..
what they say stands well but I'd like to season it a bit.

- The Real Cost of Facebook -- Everything they say SCREAMS that
winning the ~privacy~ debate w/ Facebook, Google, Sony, Apple, Amazon,
etc. etc. is CRITICAL to National Security. Why? Because _those_
players define the relative value of ALL data in the marketplace. I'm
going to extrapolate a long way and say that TS/SCI will become
meaningless in the coming decades if we can't get people to value
their own privacy and personal data.

- This is not blanket xenophobia, this is market economics and
geopolitics. You might be tempted to frame it as Economic Nationalism
gone awry but it's not that either. It's DATA. You have to make a
geopolitical decision w/ that data. Are we OK with a decreasing value
to our data and thus overall economy or are we willing to make a
change? And can we play nice w/ the markets to do so? "This is no
longer a game" indeed..

- The pain threshold for major data loss is too low. Wayyy too low.
And we can't mandate or over-regulate it because, as the authors say,
that becomes the ceiling instead of the floor (think PCI). As Security
Professionals how do we make our customers, family, and friends see
things differently? Ah yes, that recurring theme from prior posts.
Still a big question but where Geer & Kuper start is by figuring out
how to make the market see things differently. I say (back to bullet
one), make the Facebook and Google+ populace see it differently first.

We all knew this, right? Well.. yeah.. I think we did. However, on any
given week I'd posit that a majority of us forget to think about these
things. We're consumed with the fires burning our souls right that
moment. I get that but getting back to basics and real meaningful
metrics is always a good way to go into the next week, no? -Ali

Mon, 26 Sep 2011 23:25:00 -0700 Harold and Maude: the @Dr_Craig_Wright & @krypt3ia story http://www.packetknife.com/harold-and-maude-the-drcraigwright-krypt3ia-s

In Dr. Wright's latest entry into the mix
(http://bolt.thexfil.es/9ajuh) he says:

"I am saying more than I am allowed to here already before the launch
on the 7th of October, but we are expanding such that we will have
over 100 doctoral students in information security and digital
forensics at the school."

And

"Not naming names here and nor will I even when plied with drink, but
basically, some of the CSC guys I worked with also did the Telstra
tower and worked in TS and general systems. They needed to manage
these and the budget only allowed them to do so much.

So, they had implemented TCP 53 outgoing from anything on the
firewall. All the auditors missed this. It was simply DNS and so
nothing was ever noted in a single report."

In the first quote he is referencing an educational program at Charles
Sturt University, and in the latter (and indeed the post as a whole)
issues of National and International security and collaboration,
including references to Top Secret networks and programs. Anecdotes,
names changed, resistance to drunken interrogation, etc. aside: what
is your end-game Dr. Wright?
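The firewall anecdote in the second quote is worth a concrete check. What follows is an added example, not code from this post or from anyone quoted in it: a small Python audit over a constructed egress rule set, written in a hypothetical, simplified one-rule-per-line format (not any vendor's syntax). It flags any outbound allow rule that lets DNS reach arbitrary destinations instead of the approved internal resolvers, which is exactly the condition the auditors in the anecdote missed, and it shows the weak rule set beside a corrected one. It goes a step beyond the anecdote by treating UDP/53 and any-port rules the same way as TCP/53. The resolver addresses and every rule line are constructed sample data.

```python
"""Egress-policy audit for over-broad DNS rules (added example, hypothetical format).

The rule grammar is a constructed, simplified one-rule-per-line format and
not any real firewall vendor's syntax:

    <allow|deny> <in|out> from <src-cidr|any> to <dst-cidr|any> proto <tcp|udp|any> [port <n>]
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in" or "out"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # destination port; None means any port


def parse_rule(line: str) -> Rule:
    """Parse one line of the hypothetical rule format into a Rule."""
    tok = line.split()
    if len(tok) < 8 or tok[2] != "from" or tok[4] != "to" or tok[6] != "proto":
        raise ValueError(f"malformed rule: {line!r}")
    port = int(tok[9]) if len(tok) >= 10 and tok[8] == "port" else None
    return Rule(tok[0], tok[1], tok[3], tok[5], tok[7], port)


def is_restricted_to(dst: str, approved: List[str]) -> bool:
    """True when every address in dst lies inside one approved network."""
    if dst == "any":
        return False
    net = ipaddress.ip_network(dst, strict=False)
    for cidr in approved:
        allowed = ipaddress.ip_network(cidr, strict=False)
        if allowed.version == net.version and net.subnet_of(allowed):
            return True
    return False


def audit_egress(rules: List[Rule], approved_resolvers: List[str]) -> List[str]:
    """Return one finding per outbound allow rule that can carry DNS to
    destinations outside the approved resolvers.

    The anecdote concerned TCP/53, but UDP/53 and any-port rules are judged
    the same way: the destination scope, not the port number, is what turns
    "it's just DNS" into an unmonitored path out of the network.
    """
    findings = []
    for r in rules:
        if r.action != "allow" or r.direction != "out":
            continue
        if r.port not in (53, None):
            continue
        if not is_restricted_to(r.dst, approved_resolvers):
            port = "any" if r.port is None else r.port
            findings.append(
                f"outbound {r.proto}/{port} from {r.src} to {r.dst} "
                f"is not restricted to approved resolvers")
    return findings


def audit_text(lines: List[str], approved_resolvers: List[str]) -> List[str]:
    """Convenience wrapper: parse the rule lines, then audit them."""
    return audit_egress([parse_rule(l) for l in lines], approved_resolvers)


# Constructed addresses: two internal resolvers inside the 10/8 network.
APPROVED_RESOLVERS = ["10.0.0.53/32", "10.0.0.54/32"]

# Constructed rule set mirroring the anecdote: DNS over TCP allowed to anywhere.
WEAK_RULES = [
    "allow out from 10.0.0.0/8 to any proto tcp port 53",
    "allow out from 10.0.0.0/8 to 10.0.0.53/32 proto udp port 53",
    "allow out from 10.0.0.0/8 to any proto tcp port 443",
    "deny out from any to any proto any",
]

# Corrected rule set: both DNS transports only to the approved resolvers.
HARDENED_RULES = [
    "allow out from 10.0.0.0/8 to 10.0.0.53/32 proto tcp port 53",
    "allow out from 10.0.0.0/8 to 10.0.0.53/32 proto udp port 53",
    "allow out from 10.0.0.0/8 to 10.0.0.54/32 proto tcp port 53",
    "allow out from 10.0.0.0/8 to 10.0.0.54/32 proto udp port 53",
    "allow out from 10.0.0.0/8 to any proto tcp port 443",
    "deny out from any to any proto any",
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = audit_text(rules, APPROVED_RESOLVERS)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The point of the check is that a review which only confirms "port 53 is DNS" will pass the weak rule set; the finding is on destination scope, so the same script passes the hardened set, where every DNS rule points at a named resolver.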

The point Scot made is that what good does THIS level of attention
garner other than personal publicity? And if you really care, is this
how best to effect change? Do you think we're dullards? Heck, even if
you assume we ~don't~ know ourselves (I'm talking generically about
the InfoSec/NetSec community as a whole), can't you safely assume that
we listen to Exotic Liability?

You are proving Scot's initial post in that this level of
Fear-Uncertainty-Doubt is best used for advertisement and
self-promotion. Not creating solutions. Not one person who didn't know
these problems existed or who was in a position to ~do something~
about these problems will be affected through this tactic of release
and publicity. Not. A. Single. Person.

That's not even addressing the voracity and other implications of some
of your claims. (I'm fairly sure voracity isn't the right word?)

So let's get to the REAL issue here....

You have now moved firmly into the Whistle Blowing category. You are
claiming specific information related to incidents not in the OSINT
realm. You are going so far as to indicate personal knowledge of both
Australian and US Classified networks and breaches to said networks:

"I have seen so many kludges connecting SIPPER and NIPPER networks in
the US it is not funny and they have links to us here in Oz as well."

I assume you meant SIPRNet and NIPRNet? And you specifically call out
TS above that. In both the US and Australia there are CSIRTs,
Inspector General offices, Defense Security Service, etc. etc. Why are
you expanding your story here? Shouldn't you be in their offices now?
Even if you were before, shouldn't you be there again? And again? You
certainly write well and are well spoken. Do you think you're
influencing somebody w/ actual actionable options via these syndicated
blog posts? It's an honest question, I'm very curious.

So now you've publicly gone on record as saying you've observed said
things AND people have sent you an outpouring of support including
potentially Government or Corporate protected information. See... I'm
all about fighting over-classification. All about raising a ruckus.
However, the debate on "responsible disclosure" should be something
you're very well aware of.. as a matter of fact you wrote a nice piece
about market factors and responsible disclosure
(http://bolt.thexfil.es/9sxcr).

So I'm seriously questioning your motives here... Throwing this all
out there isn't ~helping~ actually solve anything. Especially the more
sensationalized it becomes. You either leave people with a feeling of
Chicken Little or you make them overwhelmed and let them get caught up
in their own self pity. Are you going the WikiLeaks or Anon route and
hoping for public political pressure? If so, it certainly isn't coming
across in your approach.

And before you say it, nobody actually working these systems was
hiding anything either.. exactly the number of people well versed
enough and staffed enough to address them are working on them. It's
not like you suddenly created a ton of extra people for us to hire and
work alongside? Ohhh yeah... your University advertisement.

So full circle it appears you're proving Scot's point. Honestly Dr.
Wright, I'd love to know what you propose the outcome of your
mini-series to be here? Do you have a free course offering, new
mailing list, free labor available, etc. to help those of us already
in the trenches fighting this battle? A new way of helping us
communicate and influence in and upstream? If so, then by all means
let me buy you a keg and Wagyu beef and let's talk. Perth? Sydney?
Hobart? Your call. Cheers, -Ali


DISCLOSURE: Scot and I have worked together in the past. We've had
SERIOUS disagreements. And I disagree with a number of things and his
approach in this particular series of conversation. That didn't
influence my rant above.

Sun, 25 Sep 2011 23:12:45 -0700 Just a Posterous email test.. http://www.packetknife.com/just-a-posterous-email-test

Posted via email for the first post (below) and formatting was
curious. The wrap was before the normal 78/80 characters I would
expect. Just giving it another quick look to see what happens. -Ali

Sun, 25 Sep 2011 22:50:00 -0700 Dumb & Dumber: The "life criticality" debate revisited http://www.packetknife.com/dumb-dumber-the-life-criticality-debate-revis

(This is as good a spot as any to reboot some blogging. *shrug*)

OK, back when the DigiNotar/Iran MitM mess was fresh there was a small
back-and-forth between @awilsong, @dakami, and @gregcmartin. You can
get a glimpse of it at
https://twitter.com/#!/dakami/statuses/108440352591052800. I chimed in
that @dakami was not taking this seriously enough, that he was wrong,
.. an excerpt:

---
"I understand what @dakami is trying to say but I disagree because the
difference is that this is not speculative. When a State-level
player actually uses email, web traffic, social networking, etc. to
carry out oppressive agendas against other religions, ethnic
minorities, or dissidents it's moved squarely into the arena where
“life criticality” is a valuable metric. It has a historical and
economic basis at that point.

In general the snake oil labeling in the Security field has mucked up
a lot of things. I'm sure I can share in some of the blame. However, I
think the bigger problem continues to be the security industry's
inability to relate to life in general. Whether it's usability or
priority, the consumer level concerns always seem to fall on one side
or the other. Either an existing broken system & perpetuating the same
broken system or a completely unusable one. It doesn't matter what
happens then, you can choose either path and “life criticality” is a
valid metric."
---

I take it back. I. WAS. WRONG.

Life criticality is a useless and counterproductive metric until
exactly the moment it is not. Until then it's a huge hindrance to
actually making progress in applied security and security engineering.
It's counterproductive... for the sake of discussion, let me consider
two IRL situations before moving onto ~how~ I got to this point.

1) DigiNotar/Iran -- Technology meets geopolitics and lives are very
much at stake. Should the Certificate Authority system and SSL/TLS be
designed with this sort of situation front-and-center? And if this was
the example of abuse would the system have been improved in any
notable way at the time it was designed?

2) The flu "pandemic" -- Did considering "life criticality" seriously
change the approach end-users (read: citizens) and technology enablers
(read: Doctors and Purell) took toward a potential outbreak? They were
talking double-digit percentages of human lives lost on Earth!!

If we knew that Iran was going to attack CAs from the start, do you
think it would have resulted in an engineered for resiliency system?
No, not a chance. The politics of Internet control, the geopolitics,
etc. would have derailed it so far that I'm willing to wager CAs would
have been worse off. A more fragmented system where browser vendors
would have had a harder time identifying mistakes and implementing
controls. I'd go so far as to say alternative browsers would not have
been viable in such an environment. And what was the result of massive
scare-mongering regarding the flu? Just a lot more Purell and about
nothing else. Was there even anything more that could have been
reasonably done?

So for those two examples and their respective professional
populations.. what did we accomplish? Nobody but the people who
already took it seriously, takes us seriously. Seriously. Think about
it.. did anybody who would have a gambler's chance of understanding
what the right things to do actually benefit? For (1) we had some MSM
coverage of the issue, a few patches, a lot of non-patching (I'm
looking at you Android), and it's forgotten outside of the circles
that knew it was only a matter of time anyway. And for (2) the
situation probably got worse although it would be hard to quantify it.
More abuse of sanitizing products and an increasing muting of the
voices of alarm and/or reason.

So what brought about my change of heart? Stuxnet and "mass
casualties" from nukes, water supplies, jumbo jetliners, etc.
Primarily the posts and responses between @krypt3ia
(https://twitter.com/#!/krypt3ia) and @Dr_Craig_Wright
(https://twitter.com/#!/Dr_Craig_Wright). In order from oldest to
newest:

http://packetknife.bo.lt/48kli -- Stuxnet is not going to blow up the
world post by @krypt3ia
http://packetknife.bo.lt/hjdo2 -- Stuxnet is still not going to blow
up the world or rape and pillage by @krypt3ia
http://packetknife.bo.lt/br0pk -- OMG @krypt3ia it's going to do all
that and more by @Dr_Craig_Wright

(At the time I rambled this blog rant out I had not read @krypt3ia's
latest response: http://packetknife.bo.lt/droj6 ..)

Although I really would rather not, I should post the two articles
that triggered these posts and discussion.

http://packetknife.bo.lt/22lxx -- Stuxnet will blow up the world
article referencing Tomer Teller
http://packetknife.bo.lt/e4yda -- 'Why is he getting the attention
when I did the work?' Stuxnet article referencing Ralph Langner

Don't get me wrong. There are very real problems w/ SCADA and other
supposedly secure "industrial" network practices today. I've seen them
up close and personal. Tomer Teller and Ralph Langner aren't chumps.
They most definitely know the industry and know what they're doing as
well as anybody in our (relative) infancy does. Important people will
listen to them, we'll listen to them, and that's why I've had my
change of heart and I'm ranting and raving like a sedated lunatic
right now. This is all about how we carry the message and change.

"We" sound ridiculous (circling back to @dakami's position). And if we
sound ridiculous, the people w/ the resources and influence to make
things happen WILL ignore us.

So what's the right approach?

You'd think the fear of human lives lost would be a good approach but
it's not, primarily because it's already been factored into the risk
equation. Let's use Wright's example of the 747 (both Scot and I have
some experience, significant, in this area BTW).. the liability and
risk of an incident regardless of cause comes down to price per
passenger death. In other words, from the inside and from an influence
perspective, you have to talk in a language that isn't ~already~
quantified in dollars and cents (liability caps, insurance, etc.).
What does this mean? Let's face the facts, most people who are powerful
enough to make large scale shifts happen have a political motive.
Whether they are in business or in Government. You have to present an
argument that, ahead of any speculative disaster, seriously undermines
their comfort. Or seriously motivates profit.

And "life criticality" is almost the worst possible way to do that..
whether it's diabetes gear, nuclear weapons, or jumbo jets. Unless
people have already fallen over dead, they're simply not going to
care. So you either kill people (don't) or you start working within
the comfort zone of the customers. Not the press, not your peers, but
the people actually coming up w/ the monies and motivators. You need
to personalize this. Make somebody the champion and develop a
meaningful business or political platform around it. Until then,
nobody is going to listen.

Unfortunately this can take us in another dangerous direction.....
think "APT"... more marketing, more FUD, but it's Dumb and Dumber...
and we've got to keep going in the right direction after a continued
slide through snake oil and the preposterous.

Here is where I'm stuck.. we've seen when "life criticality" becomes a
metric of consequence. We all have. On September 11, 2001 it became
the _ULTIMATE_ example of such a metric. It can't be ignored, it had
hard historical data behind it, .. what do we do then? The same thing.
You dismiss it as the sole metric unless it can be quantified against
other lives, resource economics, and geopolitical posturing. Sorry,
that's just the way of it. Life criticality is just almost always
going to be the wrong metric at the wrong time for the wrong reasons.
Don't use it. Ever.

More on this later.. Cheers, -Ali
