another view on how sopa illustrates the process in action

Bear with me for a moment while I make a statement or two that I’m just throwing out there, but not really meaning to defend with any huge force, especially considering this is one of the only times I can recall where I’ve defended politicians or Congress… (and before anyone exercises their right to be dumb and not understand what I’m saying, I oppose SOPA as well.)

Yesterday, many sites went black in protest of SOPA. In addition, many people are upset about such legislation even being proposed, citing corporate interests and corrupt Congress and technological idiots in Congress.

Personally, I love what happened yesterday, but not because the Internet swelled up and got seen on the front pages of every mainstream news outlet. Rather, I love that this is exactly how the process is supposed to happen.

Congress doesn’t jot down new legislation and throw it into the hopper to be perfect and the answer. It’s discussed, changed, challenged, sometimes approved, and sometimes stricken down through the checks and balances system as well as peer and public discourse.

Yes, “politics” does influence things, but the idea of throwing SOPA out there, discussing it, reacting to public opinion when it swells, and maybe even rejecting bad ideas, is part of our democratic process.

In other words, be sure to focus your wrath a bit. Don’t just assume Congress politicians are idiots (at least not based on this one issue, since I also think many of them are idiots). Even submitting idiotic laws and acts is part of the process which hopefully keeps them from doing more harm than good in the long run.

personal notetaking dilemma and the rise of the cloud

When I look around my desk at work, I can see paper. I’m a notetaker. I have been since grade school. I re-use little calendar pages to take notes on, and they accumulate. While I’d love to reduce this clutter, I’m not ready to try and replace everything, such as my Moleskines. Few things are faster for taking notes than grabbing a piece of paper, a pen, and jotting something down. Few things are faster to re-reference than grabbing a piece of paper and, for example, looking at the checklist of things I have left to do on website build XYZ. Grepping my notes is harder, though. As is trying to remember a shopping wishlist while at the store when the notes are on my desk or at home on a whiteboard.

I have more little electronic devices than I’ll admit to you. Few of them get a ton of use. Part of that is the pain of using one device for a while, and then attempting to consume the same things on another device. Notes taken on a tablet are not as easily ported over to my personal laptop or my phone. And so on. Lots of people seem to be satisfied with using email to shuttle things back and forth, but that seems archaic and dirty to me.

I also have a desire to not put myself into a position of device-dependency such that lack of that device makes me helpless. For instance, I’m already dependent on my cell phone, specifically the contact list. I don’t even know my parents’ phone number off the top of my head (though yes I have a little piece of paper in an address file). I’d hate to be even worse off if I don’t have an Internet connection nearby, or mobile hot-spot, or just an electronic device. (Story: My power recently went out, and I drained the battery on my Nook Tablet, which reminds me that I can always read physical books or magazines if I still possess the ability to create fire…)

[Aside: Magazine consumption on my tablet is a mixed bag. I like this experience, but I’m screwed on the process of ripping out a page for future reference like I can when I own the book, or maybe even taking a screenshot of a page when I’m flipping through it in the store, which I do every work day over lunch.]

All of this puts pressure on digital consumption in my life. And I also believe this is collectively a huge reason why “cloud” is on the rise. More people have more devices, and more devices that are mobile. They’re sick of maintaining their PC (though arguably most smartphones are just as challenging and frustrating to maintain). They want data/experience across multiple devices without needing experience in server/network administration.

Unfortunately, it’s still cumbersome, and the market has so many solutions that it fragments everyone and adds risk that your chosen solution will just die in a year or two. Likewise, you have lockin (iTunes, B&N store for the Nook…) or differences in experience (phone vs PC web browsers) or inability to install things (iPad-only apps). And lack of trust/privacy/assurance that you’re not being sold/used/exposed.

I’ve had EverNote on my radar for a while now, but I think my work desk situation is going to prompt me into trying it out finally. Of course, this makes me sigh in exasperation as I can probably exfiltrate data from work out to my personal systems at home, but I guess the ability to stop that is becoming more and more of a fairy tale as the months go by… Perhaps this situation is always arguable; I mean, an employee can leave a company and take everything along with him in his head, yeah?

Anyway, I had more to say in this post, but halfway through, work duties interrupted, and getting back to this has sapped my Muse…

illustrating the facepalm of security discussions

If you’d like a quick dose of why discussion in the security circles goes in, well, circles, check out the “Rate Stratfor’s Incident Response” thread taking place on the full-disclosure mailing list. The real headache-inducing pieces take a few responses to get to, but eventually the discussion piles into hiring hackers, security economics, and perfect security. Unfortunately, some of the discussion is driven by one or more people who fail a bit at critical thinking in discussions like this, but it still illustrates some of the pain in security, especially how people coming in from different perspectives are just as correct as others from other perspectives. And this is just discussion and not real action! (I’m ignoring any difficulty in non-English responses, but that is also a trouble spot in the small, global community of security.)

Granted, there are some non-industry people in the list, and some who don’t really sound like they’ve had a real deep technical job (or have any business sense), but certainly there are plenty of decent participants.

when pci makes you feel dirty

Wired has a really strange story about Cisero’s Ristorante and Nightclub being fined for PCI violations (and alleged breaches?), having money taken from them, then sued by their bank, and thus counter-suing their bank and effectively putting this whole PCI security process under a legal magnifying glass.

PCI sounds fine, it really does. But once you start looking at the various steps on their own, it really makes you feel dirty. It’s even dirtier when you start talking about arbitrary costs, rules, changes, and general lack of communication up and down the chain.

This may not be so much a problem of PCI, as opposed to a problem with how PCI is used by the merchants, banks, and Visa/Mastercard. No one wants to eat these costs, and the less-skilled persons (merchants) end up being responsible for highly technical issues.

Definitely a story to keep an eye on.

india gov backdoors into mobile devices

If you don’t think this sort of backdoor stuff happens as a requirement to do business with communications networks (and increasingly technology devices), you’re not keeping up with the times.

The memo suggests that, “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.

Communications eavesdropping, device backdoors, and external/subpoena access to data should always be on your mind. No site or company is going to risk those recriminations on your behalf when pressed.

overhack on network log monitoring

Network traffic analysis and log analysis post is up over at OverHack. Good stuff, and I completely agree with the intro paragraph.

Doing actual log analysis is trickier than most supervisors think it is. You want to know when someone gains domain admin rights, eh? Ok, you have to watch all created accounts. You have to watch for existing account changes that slide an account into the domain admins group, or into any other group nested inside there. You have to watch for someone sliding a group into the domain admins group. You have to watch for strange account usage and failed logins to any accounts in the domain admins group. And you can’t just look for suspicious things, but you should track down every instance, even if it appears to match your account naming schemes.

Oh, and you can’t just do this once a week with a delta on accounts present. If an attacker created an account, used it, and then deleted it, will you notice? And we’re just talking about one (important) sliver of log data!
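To make the above concrete, here is an added example (not from OverHack or this post) of the kind of detection logic those paragraphs describe: it expands the nested groups under Domain Admins, then walks a stream of constructed events loosely modelled on Windows security event IDs 4720/4726/4728/4625 (assumed field names, not real log data) and flags membership changes, failed logons on privileged accounts, and the create-use-delete account that a weekly delta would miss.

```python
# Constructed sample events (not real logs), loosely modelled on Windows security
# event IDs: 4720 account created, 4726 deleted, 4728 member added to a global group, 4625 failed logon.
EVENTS = [
    {"id": 4720, "target": "svc-backup2", "actor": "jdoe"},
    {"id": 4728, "target": "svc-backup2", "group": "Tier0-Ops", "actor": "jdoe"},
    {"id": 4728, "target": "Helpdesk", "group": "Domain Admins", "actor": "jdoe"},
    {"id": 4625, "target": "da-admin1", "actor": "-"},
    {"id": 4726, "target": "svc-backup2", "actor": "jdoe"},
    {"id": 4728, "target": "bsmith", "group": "Printer-Ops", "actor": "jdoe"},
]

# Constructed snapshot of group nesting: group -> members (users or groups).
GROUPS = {
    "Domain Admins": {"da-admin1", "Tier0-Ops"},
    "Tier0-Ops": {"da-admin2"},
    "Helpdesk": {"hd-user1"},
    "Printer-Ops": {"bsmith"},
}

def privileged_groups(groups, root="Domain Admins"):
    """Return root plus every group nested (transitively) inside it."""
    seen, stack = set(), [root]
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(m for m in groups.get(g, ()) if m in groups)
    return seen

def privileged_accounts(groups, root="Domain Admins"):
    """Users that are members of root or of any group nested inside it."""
    return {m for g in privileged_groups(groups, root) for m in groups.get(g, ()) if m not in groups}

def analyse(events, groups):
    """Walk the event stream once; return a list of (rule, detail) alerts."""
    priv, admins, created, alerts = privileged_groups(groups), privileged_accounts(groups), {}, []
    for e in events:
        if e["id"] == 4720:
            created[e["target"]] = e["actor"]
        elif e["id"] == 4726 and e["target"] in created:
            # Created and deleted inside one window: a weekly delta of accounts never sees it.
            alerts.append(("short-lived account", e["target"]))
        elif e["id"] == 4728 and e["group"] in priv:
            is_group = e["target"] in groups
            kind = "group nested into" if is_group else "member added to"
            alerts.append((f"{kind} privileged group", f"{e['target']} -> {e['group']}"))
            (priv if is_group else admins).add(e["target"])  # privileged from now on
        elif e["id"] == 4625 and e["target"] in admins:
            alerts.append(("failed logon on privileged account", e["target"]))
    return alerts
```

Note that the Printer-Ops addition produces nothing, while the Helpdesk group sliding into Domain Admins is caught even though no individual user was touched.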

build more than break

I like this new year’s tweet from hrbrmstr:

Final “Three things: Resolutions” (no blog post needed) for infosec professionals: Stop being smug; Build more than break; Quit the FUD.

Particularly, I like that middle part. (That first part can roll into people in general, not just infosec). Build more than break. It’s great and necessary that we have people who can research and find issues. And that we have people who can break into systems and play on red teams as a learning tool. All of this makes for great learning and research, no doubt.

But what really brings value to individual businesses is the ability to create defense and protect against risks in a realistic fashion. This doesn’t mean just blabbering on about best practices and what a company should do, taking your consulting paycheck, and leaving. It means actually being able to design, build, and maintain a proper defensive posture. Not just talk it, but actually be able to walk the walk and explain what works and what actually is just smoke and mirrors or way too costly despite how it sounds on paper. If you tell someone they should be watching XYZ logs for events ABC and correlating those against change mgmt forms and GHI assets, but have never done it and have no idea how much work that actually entails (let alone how fragile it is once you do figure out a way to do it), you’re not helping. And that doesn’t even take into account the audience business size/type/incomes/staff/industry…

Part of that is also being able to talk in a senior leadership sort of way to technical persons like network admins and software developers and desktop teams; to not just give them the same old lines, but be able to give actionable, technical, specific guidance for improvement.

In my opinion, all of this requires a technical background filled with actual hands-on-the-keyboard experience. Not meeting agendas and new school non-PowerPoint presentations and email mandates. Sure, these are needed, but the real value is made or broken down in the trenches.

Addendum: I feel like I shortchanged the attacker knowledge a bit. I absolutely believe we need to be able to think and behave like attackers to anticipate issues, but also it makes for a great way to test our defenses rather than waiting for an attack, enticing an attack, or waiting for that annual pen test which may or may not even trigger what you’d like to test.