misleading article about letting users manage their own pc

I’ve finally actually read the article I previously mentioned, IT heresy revisited: Let users manage their own PCs . While I like the topic and it brings good discussion, the author goes off on too many bad points. In fact, I think the author needs to simply spend some time in an IT department (more than likely the author is a stay-at-home cyber journalist who is king of his 2 computer home network and all-in-one fax-printer…).

I want to start out with a disclaimer that I am sympathetic to both sides of this debate, both the side of centralized control (for operations as well as security) and the side of user freedom. I can argue this either way all day or night.

The author repeatedly uses Google and BP as examples of this empowerment of users, but this is misleading.

Search giant Google practices what it calls “choice, not control,” a policy under which users select their own hardware and applications based on options presented via an internal Google tool. The U.K. oil giant BP is testing out a similar notion and giving users technology budgets with which they pick and buy their own PCs and handhelds.

This is a hell of a lot different than opening up employees to truly choosing their own hardware and software. This is still a list approved and likely supported by Google’s internal staff.

In this Web 2.0 self-service approach, IT knights employees with the responsibility for their own PC’s life cycle. That’s right: Workers select, configure, manage, and ultimately support their own systems, choosing the hardware and software they need to best perform their jobs.

Really, they support it? So when they mess it up, they have administrative rights to uninstall and reinstall? Do they have the ability to call the manufacturer and talk through a motherboard that is flaky and get a new one sent out? I’d have to call dubious on that. Sure, they can choose their software from a list of options, but that’s still not truly the freedom many workers are looking for in managing their own workstation. If they can’t put on Yahoo toolbar, Google toolbar, 3 different IM systems, and 4 screensavers of their choice (yes, people still do that!), then it’s not the freedom they’re often wanting. The author is misrepresenting this group, or poorly defining the group (more on that later!).

All too often, IT groups write and code policies that restrict users, largely based on a misbegotten belief that workers cannot be trusted to handle corporate data securely, said Richard Resnick, vice president of management reporting at a large, regional bank that he asked not be identified. “It simply doesn’t have to be this way,” Resnick said. “Corporations could save both time and money by making their [professional] employees responsible for end-user data processing devices.”

I can’t outright agree with these sentiments. There are plenty of instances where employees shouldn’t be trusted with such data. In my company, we have an email filter that looks for sensitive data such as SSN fields in an Excel spreadsheet being sent. It captures this and turns the email into an “encrypted” email by forcing the recipient to log into an account on our mail server and pick it up. Users don’t like this (duh, it’s a terrible solution) and we’ve had one user mask the SSN field just so she could email the document to a client. This user didn’t even have any admin rights on her system, but still had the ability to put data at risk to satisfy a task.
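As an added illustration (not the filter the post's company runs, nor any product's code), here is the shape of the content check such an outbound-mail filter performs on spreadsheet cells: a pattern match for the three SSN spellings, with an issuance sanity check to cut false positives on ordinary nine-digit numbers. The sheet, names and values are constructed; the masked cell in the test is exactly the case the post describes, which this kind of check cannot see.

```python
import re
from typing import Iterable, List, Tuple

# Constructed example of a DLP-style SSN check over spreadsheet cells.
# Matches 123-45-6789, 123 45 6789 and 123456789 as whole tokens only.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666, 900-999; group or
    serial of all zeros) so invoice ids and the like are not flagged."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(cell: str) -> List[str]:
    """Return every plausible, unmasked SSN found in one cell's text."""
    hits = []
    for m in SSN_RE.finditer(cell):
        if is_plausible_ssn(*m.groups()):
            hits.append(m.group(0))
    return hits


def scan_rows(rows: Iterable[Iterable[str]]) -> List[Tuple[int, int, str]]:
    """Scan a sheet given as rows of cell strings; return (row, col, value)
    for each cell carrying an SSN the pattern can recognise."""
    findings = []
    for r, row in enumerate(rows):
        for c, cell in enumerate(row):
            for value in find_ssns(str(cell)):
                findings.append((r, c, value))
    return findings


def should_quarantine(rows: Iterable[Iterable[str]]) -> bool:
    """Policy hook: any finding sends the message down the encrypted-pickup
    path instead of straight out."""
    return bool(scan_rows(rows))


# Constructed sample sheet: header, two customer rows, one non-SSN number.
SAMPLE_SHEET = [
    ["Name", "SSN", "Balance"],
    ["A. Customer", "123-45-6789", "1,250.00"],
    ["B. Customer", "234 56 7890", "310.00"],
    ["Invoice ref", "000-12-3456", "99.00"],  # area 000 is never issued
]

if __name__ == "__main__":
    for r, c, v in scan_rows(SAMPLE_SHEET):
        print(f"row {r} col {c}: {v}")
```

The last assertion in the test is the point of the post: a partially masked value passes the pattern, so the filter can only catch accidental leakage, not a user who wants the file out.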

People don’t think about data security, even if that is spelled out as their responsibility in a policy. Users care about getting their jobs done. While this isn’t universal and plenty do act responsibly, we are forced to react to those that don’t.

To IT, the glaringly obvious advantages of user-managed PCs are reduced support costs and far fewer pesky help desk calls.

I don’t buy this either. Users may have more questions since they all have their own setups and IT staff will need to know a wider array of those options. That or they will turn users away when confronted with unsupported software/hardware, causing frustration.

One thing IT needs to worry about is simply displacing the frustrations that users have. Such empowerment may move frustration from users not having enough freedom to users having so much freedom that IT can’t properly support them. Should users be frustrated with not being able to install their favorite software, or be frustrated when their PC runs dog slow with all the crap on it? Or will they be frustrated with the array of choices in software and hardware and just want a template for their job? I know many coworkers who would actually be unable to properly choose their own hardware and software to get their jobs done, and feel far more comfortable having it prescribed to them. Sure, the freedom may be fun, but the grass on that side of the fence still tastes like grass after a few chomps.

Google CIO Douglas Merrill concurred. “Companies should allow workers to choose their own hardware,” Merrill said. “Choice-not-control makes employees feel they’re part of the solution, part of what needs to happen.”

Again, I disagree in part. For many workers their job duties do not include maintaining a proper PC system. They want and need IT to take care of that often frustrating piece of their day. We fight this every day in the security field with people claiming security isn’t their job. (And I’ll argue that they’re both right and wrong.) Besides, do you want your employee making sales calls all day, or spending half the day maintaining their system?

“Bottom line: The technology exists,” Resnick said, “[But] IT has no interest in it because their management approach is skewed heavily toward mitigation of perceived risks rather than toward helping their organizations move forward.”

I’ve disagreed a lot with this article, but I do realize the problem posed above. I don’t think these risks are necessarily perceived risks, but we do have to keep an open mind toward improving employee morale and productivity with computing. If we can peel back control without incurring excessive costs and risks, why not? Are we holding the company back, or are we encouraging innovation and creative solutions?

Sadly, the article continues to pound home that workers should be able to choose their own hardware and systems. This is a hell of a lot different than someone downloading and installing and managing their own software independent of IT entirely.

“I would expect most companies to implement basic security protocols for employee PCs, including virus scanning, spam filters, and phishing filters,” Maine’s Angell said. “They might provide software tools or simply implement a system check to make sure that such items are running whenever the employee’s laptop is connected to the company environment.”

Unfortunately, some host-specific security mechanisms become far less useful if users have administrative rights to the systems. IT cannot rely on the host-based firewall to be configured to limit access to network resources (users can just turn it off) or to stop the egress of malicious connections (users can just click allow). A piece of malware run by a user may disrupt such controls immediately. Basically speaking, IT can monitor systems remotely that users control, but can guarantee no level of security. IT no longer owns that piece of hardware, someone else does.

Finally! At the end of the article the author defines the audience he’s really been addressing this whole time: users who have some technical proficiency and stake in remaining creative with their problem-solving using their PCs. The author should really have put this at the front of the article, but instead chose to hold it back until now. Basically stirring the pot with a sensational piece and then limiting it down to something more reasonable at the end, much like trudging 3 blocks in the pouring rain only to arrive at your destination and realize you could have gone one extra block and taken a skywalk the whole way.

letting users manage their own workstations

I’d been slowly compiling a list of points on the topic of corporate users being allowed administrative rights on their systems. Not that I want users to have such power, but what if it’s not your choice? What if it costs more to piss off your users and stifle creativity than it does to exert draconian control on their systems? The sort of topic that goes into what to do in such an environment to tip the scales back in the IT/Sec team’s favor.

Seems a similar story has run on InfoWorld, been Slashdotted, and mentioned elsewhere. Nice discussion! Hopefully soon I can tie up my own post, but, being a braindump sort of post it seems never-ending!

a little bit of personal perspective

Sometimes you need a little perspective in the business world, mostly to remind yourself that everyone is still human, no matter what their station or salary in life. Even sec geek-related news can offer perspective (e-Discovery).

Seattle is in the midst of losing its NBA team, the Seattle Supersonics. The new owners bought the team in 2006 and have maintained that they are operating in good faith with the city of Seattle and simply not able to come to a compromise. The owners want to move the team to, of all places, Oklahoma. Recently obtained emails paint a far different story.

Here is an exchange between Clay Bennett and Tom Ward. Clay Bennett is now a co-owner of the Supersonics, parks his arse as chairman in a couple places to do with energy, and a previous co-owner of the San Antonio Spurs. Tom Ward appears to be a billionaire of something or other to do with energy and also a co-owner of the Supersonics.

“Is there any way to move here [Oklahoma City] for next season or are we doomed to have another lame duck season in Seattle?” Ward wrote.

Bennett replied: “I am a man possessed! Will do everything we can. Thanks for hanging with me boys, the game is getting started!”

Aubrey McClendon, a minority owner of the Supersonics (and a CEO blah blah blah also involved with energy) sent this email to Bennett and Ward shortly after purchasing the team:

…McClendon celebrated the news with the subject line: “the OKLAHOMA CITY SONIC BOOM (or maybe SONIC BOOMERS!) baby!!!!!!!!!!”

Of course, if you’ve ever managed a mail server in any fashion you have certainly seen the lameness that passes through email exchanges. Hell, I’m sure my own missives include plenty of lowbrow sludge. But still, it is always refreshing to see such eloquence from important business people who have more money at their fingertips than I will ever have a chance to have, writing in a way that makes me want to crack open a Busch Light and watch South Park after class with my other hand in my sweatpants.

booting up backtrack 3 beta

In preparation for taking the OSCP training from Offensive Security, I have downloaded and begun to try out BackTrack3 beta. Some initial thoughts.

  • Upon booting from the live cd, my system immediately hopped onto the nearest open wireless network. “Hello neighbor, I didn’t know you put this up recently! Thanks for welcoming me right in, don’t mind if I do rummage in your cupboards!” This is a deviation from the stealthy approach BT2 took. I hope BT3 will return to the stealthy approach when it moves from beta.
  • The permanent hard disk install is not yet automated, although there is an option for it. Hopefully this is fixed, since the steps needed are not many or varied at all. Choose destination, copy files, fiddle with lilo, done!
  • Stupid me, I didn’t write down my settings from my local BT2 install before wiping it out and installing BT3, so now simple things like monitor mode and kismet don’t work. Annoying, but should be simple to fix.
  • Once BT3 is installed, I see the remote-exploit.org forums have really fleshed out since last I browsed around, and there are a lot of video and text tutorials and people throwing out ideas and such. The wiki is also working out nicely.

As mentioned, I installed it onto the hard disk of a laptop; the same system that has run BT2 for quite some time. I don’t need a dual boot setup since I’m an actual geek and have spare systems so I don’t have to pretend I use Linux (BackTrack) while really booting into Windows 99% of the time! This wasn’t difficult, but it does take about an hour to complete.

After booting into the livecd, the first thing I did was run fdisk /dev/hda1 to remove my existing partitions, then create new ones. The path names can be found under System->Storage Devices in KDE. I then followed some instructions posted on the forum. There is also a vid (Camtasia capture/shockwave) going through the same steps.

Maybe when BT3 goes out of beta I’ll post, for my own future benefit, the actual keystrokes and steps to do an HD install and some initial configurations to get kismet and injection working, but for now the above links should suffice for any of my needs.

amrit on what drives security spending

Amrit posted a really nice piece about what drives spending on security. I agree with his three reasons: an incident, a requirement/law, and insecurity is impacting availability. I think I’ve known and accepted this for some time, with caveats. One thing to notice in these three reasons: rather objective, firm reasons that you can measure; binary, black or white, on or off. I think many organizations drive security spending in exactly that fashion; even some that won’t admit it to themselves.

However, if Amrit is correct, then there should be many companies that do not even follow best practices like using passwords, at least not until they suffer an incident. I can’t quite buy that.

I don’t buy this because the things he lists as not driving IT security spending do in fact drive security spending in some places. Some people do believe in security ROI and enablement, some companies do try to be proactive, and others do afford their security curmudgeons enough credibility to drive spending based on their risk assessments.

For instance, some people do buy alarms for their house, not because they’ve had an incident, are required to, or because it helps availability. It’s because of their personal, subjective risk assessment to prevent something bad from happening. They understand the potential incidents that may occur, and make a value judgement based on their comfort level, their environment, their assets, and their available funds.

But, if I were to make expectations on security spending, Amrit’s reasons are the ones I would book on. There are plenty of organizations whose security spending is entirely based on those three reasons.

offensive security 101 enrollment

It has gotten to be a very busy couple months and only promises to get busier (coworker just resigned, death in the family, etc). Nonetheless, I’ve decided to move forward with getting hooked up with the Offensive Security 101 training offered by the good people behind the BackTrack project. Either that or I wait until it’s convenient to me, but I doubt that will ever happen; never does! My start date may be April 6th, or later if I’m slow on the payment.

If anyone has any experience with the course, feel free to drop me a line. I don’t expect a huge sweeping ton of things, but I do expect to learn more about BackTrack and security assessing using it (I off and on use BT both from livecd and a laptop I’ve installed it to). I fully approve of videos and self-paced training, and look forward to that practical at the end. If this goes well, I’ll likely go ahead with the next course in this series as well, BackTrack to the Max.

safari and flash pwned at cansecwest

CanSecWest is over and that also means the Pwn 2 Own contest is over. I did a quick faux-prediction a few weeks ago thinking the kill order would be Ubuntu, OSX, Vista. I’m a little surprised that Ubuntu survived unscathed even through the last day. I’m not surprised OSX or Vista were owned, particularly through applications (Safari in OSX and Flash in Vista). I think this means Ubuntu just isn’t important enough to pwn yet, though I’m surprised by that since I figured many researchers to be Linux-friendly. Perhaps more are on Macs and Windows than the security clubs would like to admit. 🙂

A fun contest, although I’d hesitate entirely to trumpet the results to back any sort of “xxx OS is more secure” arguments. The real benefit is increasing interest in doing these sorts of things on the good side of the fence before the bad side of the fence does them. It also appears to get Apple to patch their crap… Besides, this is fun for our community, and we really need more fun and back-patting in the field.

Speaking of predictions, I’m kicking myself a bit for not getting into any NCAA Tournament pools this year, having picked 5 of the elite 8, all final fours, and am still confident in UNC over UCLA in the final. Of course, not a ton of broken brackets this year, so I expect lots of people would have been up there with me. I’ve been very busy lately and didn’t research much before the games, so opted not to ante up to anything this year.

create your own passive network tap

Need a tap on the cheap? I found a blog post detailing making a cheap passive tap using some wiring plugs. Makes sense! The post didn’t mention it, but, while there are 8 wires in an ethernet cable, 4 of them are not used. If the cable is built to standard, the brown and blue pairs are not used. The oranges take care of traffic in one direction, and the greens take care of the traffic in the other direction.

This is easy enough that it really should be added to the list of tasks all security neophytes should complete.

security guy resume

A link was recently posted to the DailyDave mail list with the simple subject, “the typical security guy I interview.” The link went to a Craigslist resume post which I found quite amusing. I’ll repost it below, in case the original ever goes down. This is not my work!

I chat all day long on the underground hacker chats including _SILC_ AND _IRCS_ ones, not just public IRC servers. Therefore I KNOW ALL THE HACKERS. When it comes 2 the streets of the internet underground I have my ear 2 the ground.
i never use a spell checker, and i send terribly formatted work emails often with numbers used for letters and words.
I’m basically extremely lazy and I scope projects that take 4 hours of real work time for about 1-2 weeks since thats how long it takes to bring myself to work on whatever stupid project I’m assigned. I’ve been mudding against recently, I have to get the good eq. drops.

I work marginally well on teams. I dont have a problem with authority, I just dont view them as being authoritative. I am late to work constantly, but not _THAT_ late. I need at least $105k a year. I consistently order the most expensive drinks I possibly can get away with when the company card is down. I will even order drinks to then just pour out into the toilet or onto the carpet just to make the company tab higher.

I can program a variety of languages including but not limited to C, C++, a number of assembly languages, PERL, BASH, TCL and SPIN.

I cannot currently program ERLANG, SCHEME, PYTHON or RUBY but if required (which is highly likely if you think your company is a cool, hip and intelligent one), I can learn any of these languages in 2 days with fluent programmign ability with 2 weeks, as any real programmer can do with any language.

I’m an excellent programmer but many aspies (people with aspergers) can out-program me.

I have microcontroller and embeded systems programming and hardware experience including fabrication and circuit design, although I am by no means an expert in this.

I have a very useful formal college education in mathematics from a top tier university I dropped out of, and therefore I can solve many problems very logically with many extra mental tools. I am by no means a mathematics genius.

I have 10+ years in professional (PAID) computer security experience but the security industry is completely retarded now. So I don’t want to secure your web apps, _AT ALL_.

yeah I do have a twisted mind

Wired has a Bruce Schneier essay posted that dives “Inside the Twisted Mind of the Security Professional.” Mostly, he talks about having a security mindset.

The lack of a security mindset explains a lot of bad security out there: voting machines, electronic payment cards, medical devices, ID cards, internet protocols. The designers are so busy making these systems work that they don’t stop to notice how they might fail or be made to fail, and then how those failures might be exploited. Teaching designers a security mindset will go a long way toward making future technological systems more secure.

human nature 1, security controls 0

More than a couple hospital workers have been fired or punished for accessing private information on singer Britney Spears at the UCLA Medical Center. This brings up two quick points.

First, considering how many people checked out the information, I’d have to say access controls are pretty lenient. I think I’d be safe in saying that if this many people accessed her records even though they had no need to know, it indicates this has been done before…maybe up to a point where some didn’t think this was a bad thing. That hot girl in bed 312? Let’s check her records out! Lenient controls may help everyone do their jobs, granted. But at least it sounds like they had good auditing to track the accessing.

Second, give your management a new test, something that can be called the “Celebrity” test. Assume you have some huge profile celebrity using your services. How many of your own authorized employees would let curiosity pull them to access information about the celebrity? Or perhaps a hot new movie you have access to. Or hot new game. Or important information that could lead to recommendations to trade or not trade for your parent’s stock portfolio. And so on. Assume that instead of the normal run-of-the-mill corporate data you have, replace it with something very enticing to normal employees. Do your controls rely on people beating the curiosity beast? Or at least being able to audit those breakdowns? Good employees who’ve resisted accessing data 34,212 times previously may think differently in the Celebrity test, “Just this one time…” Guess which makes the presses?

Sure, that may over-value the data you really do have, but it is a good exercise to mentally test your own controls and security posture. Besides…do you know for sure that tomorrow won’t see Britney Spears as a new customer of yours?
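The "at least being able to audit those breakdowns" half of the Celebrity test, as an added example that is not from the post or from any hospital system: record-access audit lines are checked against who actually has a care relationship with each patient, and the report counts how many distinct people with no need to know opened a given record. The log format, user names, patient ids and care-team table are all constructed for this illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed audit-log format: one VIEW event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

# Constructed sample: P1007 is the "celebrity" record; only dr_lee and
# nurse1 are on that patient's care team.
SAMPLE_LOG = """\
2008-03-14T09:10:00 user=dr_lee action=VIEW patient=P1007
2008-03-14T09:12:41 user=nurse1 action=VIEW patient=P1007
2008-03-14T09:15:02 user=clerk7 action=VIEW patient=P1007
2008-03-14T09:15:30 user=tech22 action=VIEW patient=P1007
2008-03-14T09:16:05 user=clerk7 action=VIEW patient=P1007
2008-03-14T09:20:00 user=dr_lee action=VIEW patient=P2001
2008-03-14T09:21:00 user=tech22 action=VIEW patient=P2001
"""

# Constructed need-to-know table: patient -> users with a care relationship.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1007": {"dr_lee", "nurse1"},
    "P2001": {"dr_lee", "tech22"},
}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse audit lines; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unauthorized_views(events, care_team) -> List[Tuple[str, str, str]]:
    """(timestamp, user, patient) for each VIEW by someone outside the
    patient's care team. A patient with no care-team entry has nobody
    authorized, so every view of that record is flagged."""
    out = []
    for e in events:
        if e["action"] != "VIEW":
            continue
        if e["user"] not in care_team.get(e["patient"], set()):
            out.append((e["ts"], e["user"], e["patient"]))
    return out


def curiosity_report(events, care_team, min_users: int = 2) -> Dict[str, Set[str]]:
    """The Celebrity-test number: records that drew at least min_users
    distinct people with no need to know (one stray click is an error;
    several different people is curiosity)."""
    by_patient: Dict[str, Set[str]] = defaultdict(set)
    for _, user, patient in unauthorized_views(events, care_team):
        by_patient[patient].add(user)
    return {p: u for p, u in by_patient.items() if len(u) >= min_users}


if __name__ == "__main__":
    for patient, users in curiosity_report(parse_log(SAMPLE_LOG), CARE_TEAM).items():
        print(patient, sorted(users))
```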

traits of good cisos

A quick InfoWorld article on the traits of a good CISO. The tagline says some of these traits are surprising (or that maybe deep technical knowledge being lower is surprising), but I’m personally not surprised by this at all. I think the technical knowledge is related to making informed decisions, knowing what information is needed to make informed decisions, and in being a good mentor. Other traits are a good moral compass and the ability to take the blame. I really like the mention of taking blame, since it is so hard to admit being wrong or just taking the blame for someone else. We’re not trained that way as kids with school and report cards and everything else. We’re questioned by adults (parents) until we make up some excuse or blame someone else.

Oops, that turned into a ramble.