pci guru on the issues with pci

PCI is an easy horse to beat when looking for impassioned discussions with other security professionals. Sadly, too many discussions just talk about “how-it’s-not-perfect-so-it’s-dumb” vs “I-didn’t-have-budget-before-but-I-have-it-now” points, and don’t get down in the trenches of the issues, as it were. Mr. PCI Guru has a lengthy, deeper post, “The Failure of PCI?” which hits many points I sympathize with, like this:

A lot of QSAs are great technologists, but would not know a good or bad control environment if it bit them in the posterior. Fewer QSAs and most ISAs know controls, but would not know a proper firewall or router configuration to save their lives. And finally, there are a very, very few QSAs and some ISAs that know the technology and controls. Unfortunately, the PCI SSC has not found the way to winnow out the QSAs and ISAs so that only the ones that know both technology and controls remain.

General media is a problem when it comes to security. Security is a nuanced, complicated topic to talk about, and media, even IT/security media, usually doesn’t have the patience or expertise to talk properly about it. Instead we get dumbed-down and overly simplistic headlines and quotables like how PCI works if you follow it or PCI doesn’t work because a breach happened. None of it does anything except stir the pot and make those who quote the quotes (read: poor CTOs) look idiotic in front of their (maybe) talented staffs.

Or maybe better yet, the PCI Council/DSS is in a weird position of trying to defend itself while also wiping its hands clean when necessary. That’s an unfortunate position, but it is a PR/positioning problem. (Actually, this *may* end up being a legal/insurance/CYA problem at the root…)

But that’s not a PCI problem per se so much as a security problem overall.

details on the complicated cloudflare ceo hack

Via Securosis, check out Krebs’ (seriously, I don’t have a bromance, he’s just the best security journalist out there…) article on CloudFlare’s CEO’s email hack from the other week. Check CloudFlare’s blog for an image of the visual timeline of the incident. Talk about involved!

Some web filters will flag that image location as bad, but the barely-readable preview was enough for me. Hopefully that link persists. If not, right-click the image and try to view it directly.

What’s fun is the CEO wasn’t the target, nor was CloudFlare. Apparently, the target was a client of CloudFlare’s, from what I gather. Bottom line, an attack can come from anywhere and try to get anywhere else. It’s not just targeted stuff that’s all about you, or APT that cares about you. Maybe you’re just peripheral to other goals, either as a company or as employees at a company. I hear a lot of talk about threat modeling and such, and that’s fine, but do threat models pick up things like this any better than general best practices, diligence, and education? Not sure, there.

my good and bad on diablo 3

Been playing Diablo 3 since it released, and I think I’m far enough to dump out some thoughts. My female Wizard hit level 60 this weekend and also finished Act IV Hell. I dipped my toes into Inferno difficulty (the highest) last night. Here’s a hopefully quick list of some good and bad things about the game. Overall, this is a great game and satisfies the action/loot RPG itch perfectly. (For background, I played D1 when it was out and D2 later. I played almost every class up to level 90+ in D2 [didn’t like the assassin], and did the requisite farming on my sorc [meph runs ftw!].)

1. The Skills. Skill trees and skill points are gone, and in their place are skill assignments you can bind to 1 of 6 hotkeys, and runes which bring minor changes to those skills. I wasn’t sure how this would play out, since skill trees and spending skill points is always fun and a staple of RPGs these days, but holy damn did Blizzard nail this one. My Wizard has 23 skills with 5 runes to augment each, making for 115 skills at my disposal. That sounds like a lot of filler, but I’ve found very few of those skills are such. The ability to tailor my playstyle so much is absolutely brilliant. Which leads to…

2. Skill Balance. Blizzard made it a goal to do skills in a way that didn’t result in players heading to the web to find the one “uber class build” they should go for in the endgame. Blizzard succeeded (with some combo exceptions that have been patched). There are three subpoints for this. A) I’ve really never had a game where I can use a skill buildout where I might get pwned against a boss, then switch things around and try new stuff, which leads me to be the pwner. And it’s not because of skill imbalance, but rather changing my character build to accommodate the situation and how I play. B) Some skills do seem like filler with certain builds, but really many of them are meant to synergize with others for completely new builds. For instance, there’s no reason for me to add to my fire damage when I’m dishing out arcane damage instead. C) In the hardest difficulty level, I’ve seen vids of players using a wide variety of skills and playstyles, and it’s awesome that so much is viable. Which segues nicely into…

3. Endgame – Challenge. Diablo 2 was not really that hard, even in Hell mode. D3’s difficulty is tweaked far better. Normal mode is an easy introduction to the game, but from there things ramp up nicely. While the biggest bosses have some disappointments, finally I feel like champion packs and rare packs are given the respect they deserve in this game. In short, shit’s challenging once you get up there, and that is a welcome piece of endgame enjoyment!

4. Endgame – Replayability. If you played through normal mode in D2, you played the whole game. The only things that saved the game from being useless were the randomized dungeons and random champion/rare encounters and random loot drops. D3 still has the above, but at least this time there are quite a number of random events that you can find in the world, and the random champion/rare packs are more vicious, tougher, and fun. So, while not for everyone, it is a step up from D2. (Too bad the bosses aren’t exciting after the first time around….)

5. Feels finished. I played Torchlight and was highly annoyed that it felt unfinished. D3 feels like a solid, tight, finished game, and I’m very happy with it. It looks beautiful, sounds great, and plays like a dream for the most part (I am a twitch gamer, so sometimes when I try to stick-n-move the game doesn’t register the up-key and instead keeps me standing and firing…)

6. All the little things you didn’t know were annoyances in D2 are fixed. No more identify and town portal scrolls*; you can just do this stuff. In fact, no scrolls/tomes at all. You pick up gold by walking over it. Gems are a bit simplified. Charms are gone. No more mules, since your stash and gold are shared across characters. Every item only takes up 1-2 inventory slots (this is good and bad, as all weapons feel the same as opposed to the old school 6-slot spears, etc, but does save room!). No trapped chests/bodies, though sometimes a zombie or skellie pops out of a jar.

7. Health pot cooldowns. I was skeptical of the changes to health restoring from D2, but I think it is an integral component to the challenge and strategy of the game. Small change, big positive effect.

8. Followers have been improved. The no-name followers from D2 that were simply forgettable meat shields are replaced with actual characters who never die and have back-stories. That’s kinda cool. While I wish I could equip them with more things, they do a much better job of being an important part of the action in solo games, especially since you can slightly tailor their own special skills (choose 4 of 8 available skills as they level up).

THE BAD (or rather, the NOT-SO-GOOD)

1. Endgame – Level Grind. The level 99 grind from Diablo 2 is gone, replaced by a relatively easily reachable level cap of 60. I never did have a level 99 in D2; the grind from level 91 and up is insane, and even in my free-time-college-years I didn’t have the patience for it. But some people did. I really wish that was back, as it was pretty important to always have something to gain from time spent.

2. Some bosses are lame. The Act 2 and Act 3 bosses, at least for a Wizard, are laughably dumb. I dislike the Act 2 boss mechanics (from being cheap with constant adds to just standing in place and slamming tentacles onto the ground). And the Act 3 boss I think I am 3 for 3 against because he does all ranged stuff that is avoidable if you move. Badly underwhelming. The Act 1 and Act 4 bosses, however, are super fun, though a bit simplistic once you have a rhythm. Still, they’re better than just beating on Duriel like D2 Act2…

3. The story. Diablo games are not known for their deep, resonating, and twist-filled stories, but yet they are pretty immersive and interesting. D3 attempts to be more complex with the storyline, but it’s either filler, easily predictable, or simply underwhelming. Or it simply feels like a retelling of D2 (start in Tristram, go to desert…deja vu?).

4. The voice-acting. Maybe I’m hugely spoiled by Skyrim (despite the heavy actor re-use) and Star Wars: The Old Republic (amazing voice acting), but the voice actors and the lines they use in this game. Are. Awful. A few work, like some of the bad guys, Cain, and a couple classes, but for the most part, they’re painful. For instance, my Female Wizard comes off as an arrogant bitch and I really hate hearing her voice or the things she says. (Side note: I am, however, amused by some of the background banter, which changes based on who your companions are or even what zone you’re in.)

4b. My character has a voice. I don’t recall my player talking all that much in previous Diablo games (see also the simplistic story), but it badly draws me out of the immersion when I hear my character’s voice, especially if I don’t like it and she has a terrible tone and attitude. Other classes are even worse.

5. The music. Wait, what music? The music in Diablo games is memorable and part of the immersion and experience. The D2 music is absolutely superb, and even thinking about it makes my skin tingle. My first hour of playing D3 immediately had me noticing the lack of music. The “music” in D3 is mostly just ambient stuff that you don’t really consider music. I’m greatly disappointed in the lack of a worthy soundtrack to my pwning. When music does kick in, it’s not very interesting nor does it really help the tone. It’s like they went way too ambient and then way too pomp-and-circumstance in later levels, rather than the perfect in-between of D2.

6. Very little social support (so far). There is coop play, and it’s really done well, but that’s been largely it for social support in this game. The chat rooms of D2 are replaced with an Auction House (an improvement), but there’s very little chance to meet new people in a social setting like a typical MMO RPG. We have drop-in-drop-out public games with random people, and we now have a mandatory general chat with a max of 99 other random people, and friend lists. While this is all a step up in most cases from D2, I seriously think Blizz is dropping the ball on support for better social ability. No leaderboards? No chat rooms at all? It might be cool to be able to join a game to watch. Etc.

7. Game world lack of persistence. In D2, if you left your game, but then went back into it, the game world would persist for a short period of time. So if you lagged out or wanted to trade an item to your mule, you could get back in and be ok. If you leave the game in D3 and try to get right back in, you may be back at the same spot you were at, but the layout will be new and the monsters respawned. Yes, that means you can lag out, come back, and be immediately set upon.

1. Endgame – The Loots! Since I’m new to Inferno, I’m still not sure how well the loot grind from D2 will feel in D3. So far the items don’t feel quite so legendary or special, though I’ve only dropped 3 legendaries so far. I think it’s maybe the higher rate of drop on rares (yellows) that deadens my excitement? Not sure yet.

2. Auction House. The real-world-money AH isn’t out yet, but I’m still unsure about the current AH. It’s clunky, it’s filled to the brim with items. But it’s a huge (huge!) step up from the chat rooms and nervous in-game trading/bartering from D2. Still, there’s something social-wise to be missed about offering 10 SOJ for a top-stats Windforce.

3. No more stat points. I’m torn on this one, and ultimately probably won’t miss it. In D2 you assigned your own vitality, str, int, dex points. This game allocates them automatically as you level up. While this simplifies things and prevents me from being stupid, it does take away a small bit of tweaking you could otherwise do.

4. Will I look like a badass? I’m not sure yet whether a character’s look is the same based off gear tier, or whether I’ll look relatively unique when I find cooler things. Not that it is a huge deal, since the character is typically pretty tiny on screen….

5. Secret doors? Maybe I’ve not seen any yet, but I miss the occasional secret door you can find in dungeons.

* Of minor note, you can’t stash a town portal at the start of every level that you can race to when shit hits the fan. The town portal ability has an interruptible cast time. This means some dungeons have no way out but a game restart, if you run into a bad champion pack.

privacy and social engineering

Brian Krebs also has a neat article up titled, “Alleged Romanian Subway Hackers Were Lured to U.S.” The article has this to say:

Investigators had subpoenaed Yahoo!, GoDaddy and other communications providers to snoop on Butu’s emails. Information gleaned from those messages included quite a bit of information about where he’d traveled, bars he’d visited, his friends, etc.

Armed with this information, U.S. investigators reached out to Butu posing as an attractive female tourist he had met while he was in France approximately one year earlier.

This, friends, is a classic example of social engineering by knowing a little bit about someone. In this case, he probably thought his emails were private, but investigators (or anyone else) could find similar information about someone on relatively public sites. Essentially: privacy is important.

brian krebs and thomas ptacek on password security

Brian Krebs has a nice article/interview with Thomas Ptacek regarding recent password theft issues (LinkedIn, etc). Definitely worth a read and does some nice teaching (I didn’t know password hash and cryptographic hash were two different things). The main point is how often developers don’t know security mechanisms. To me, though, that’s not so much a knock on them as developers, but rather on our whole process of development. It’s hard to expect developers to know all this stuff and yet remain rockstars in their own arena. More knowledge, more time, more experience is really key, along with some positive encouragement and support. Oversight by the experts would help as well (and the desire for companies to ask for that help). Oh, and 2F auth….
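To make the password-hash vs cryptographic-hash distinction concrete, here is an added example (mine, not from the Krebs article or Ptacek) that puts a bare fast digest next to a salted, iterated, tunable password hash. It uses the standard library's PBKDF2-HMAC-SHA256 as the password hash; the constants, record format and function names are my own choices.

```python
import hashlib
import hmac
import os

# Added example. PBKDF2 from the standard library stands in for the
# password hash; the lesson (salted, slow, tunable vs. one fast digest)
# is the same for bcrypt or scrypt.
ITERATIONS = 200_000   # work factor: raise it as hardware gets faster
SALT_BYTES = 16        # random per-user salt

def naive_hash(password: str) -> str:
    """A cryptographic hash used as a password hash: fast and unsalted,
    so identical passwords give identical records and guesses are cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """A password hash: per-user salt, many iterations, and a record that
    carries its own parameters so the work factor can be raised later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so the check leaks nothing about how close a guess was."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:          # malformed record: never accept it
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def count_identical(records) -> int:
    """Count stored records that duplicate an earlier one. With naive
    hashing every reused password shows up here; with per-user salts
    the count is zero even when users share a password."""
    seen, dupes = set(), 0
    for rec in records:
        if rec in seen:
            dupes += 1
        seen.add(rec)
    return dupes

if __name__ == "__main__":
    users = ["hunter2", "hunter2", "correct horse"]   # constructed sample passwords
    print("naive duplicates:", count_identical(naive_hash(p) for p in users))
    print("pbkdf2 duplicates:", count_identical(hash_password(p) for p in users))
```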