some thoughts on happiness and technology today

Via securosis I read that really good article: “Happiness Takes (A Little) Magic”.
I won’t rehash his points, but I think there is still more to these stories than appears in that one. The biggest ones: to each their own happiness, and actively choose how you spend your time and work towards being happy with it.

(Disclaimer: This has nothing to do with information security, or even technology…and reading this is likely a waste of time for everyone, including me.)

1. To each their own, you know? It’s one thing to say, “XYZ makes *me* happy,” but another problem entirely to write a piece about happiness in a way that smacks of trying to convince the world that your view of happiness is the universal or correct one. Or just the “correcter” one. This is a failing of religion and some people in general, where there is self-doubt until such a time as other people agree with you. And if the whole entire world agrees with you, then you can relax, because clearly you’re right. If that article got 5 pagehits and 0 comments, does that make it better or worse than the one that gets 1m hits and 500 comments in a week? Or I just need to let the tone of the piece go, and move on. 🙂

2. The junk food news/information is definitely a problem. It’s why I never spent much time on Fark. It’s why I’m loath to “hang out” on IRC again. It’s why I never got into Digg or Reddit or other news sites where the news may be interesting, but just doesn’t matter to me or my life. It takes effort to stick to useful news rather than unuseful (useless!) stuff when you’re on the Internet. It takes time to cull the useless bits from a newsreader or learn to quickly scan usefulness in a Twitter feed. I’m finding value in consciously and unconsciously spending time on things that matter. And I already feel dirty browsing YouTube videos and realizing I just lost 3 hours for no real gain.

(Then again, there is a real world analog to this. If you spend 3 hours at a bar meeting 60 people, only maybe 5 are worth your time. Or maybe all the time spent driving to get to those beautiful outdoorsy places that make you feel spiritual. Or those dozen other places that you thought would be beautiful, but just gave you a rash. Or the tourist traps akin to 40m-hit YouTube videos. Great, you can say you’ve seen it, but was it *really* that good for you? Yes, to each their own…)

Honestly, I think this is an age issue for me. Even just a few years ago, I didn’t really give a shit what I spent my time doing. These days, I’m more conscious of my shortening time in this world. Hobbies are fine and distractions/entertainment are fine as well, but I’m trying hard to keep them somewhat bounded. My main weakness is really just video gaming…. As long as I’m truly enjoying the moments, I think that’s the most we can ask for.

2.5 I’m also finding a place for things that let me consume technology in a smarter or faster way. As a youngin, I used to tailor the shit out of my Windows UI with WindowBlinds or various other tweaks whose names escape me. But I quickly moved away from that because every new system or every rebuild would require all that time input again, and the time spent is just not worth it. Being able to quickly set up hotkeys to do mundane tasks that will get me done with computer work is a blessing, but eye candy is useless. I think this is one of the places the “cloud” wants to be, but is still trying to figure out how to do it and be profitable at the same time. It’s not there, but it’s a step… That may be a sub-resolution for this year or maybe the next: to more fully adopt hotkey tools and automate even more things that I do at work and play… (But not automate it in a way that saves some time, but just moves the time spent to maintaining that automation, like scripting/coding often gets trapped into.)

Simplify, simplify.

3. There’s this space of people who make money and expect to make money doing very little, i.e. lounging around online, calling themselves social media experts, pursuing page hits, and writing about themselves like they’re more important than most others. I tend to feel like many of these people are one half-step away from a shattered self-image and deep depression and financial disaster. I don’t know the numbers, but it seems like so many of these people may have a few good things to say that are worth reading, but most of it is drivel and useless and a waste of my time. And certainly not worth providing some money to. Sure, play a violin beautifully in the tunnel and I’ll chip in a 20 spot. Give me good conversation in a bar and I may buy you a beer. Give me a good article, I’ll consume and move on. For so many, I think you’re better off getting a “real job” than trying to do the laziest thing you can. (Clearly, this does not apply to everyone as there are truly effective, hard-working, and highly profitable people whose sole product is online media or writing. I’m generalizing unfairly.)

4. I think there is merit in saying human beings need a little bit of adventure, but I also believe we need a little bit of ownership and production and creation of something. Basically, a tangible result of our efforts and sense of self-value. Sort of a microscopic mirror of the problem that the US is moving away from being a manufacturing country and more of an-I-don’t-know-what country. (Consuming and uselessness? Thinking? Information?) Creating a blog and other online content and chatting and comments should help support real life interactions or at least fill voids temporarily as needed, but none of that is really tangible enough to provide long-term happiness for many people. “I blog for a living” still, to me, even as technologically in-tune as I may be, seems like an awful way to make a living. Sure, there are some who are very useful on a weekly basis and earn it as a real journalist, but for every 1, there are likely a thousand who need to stop lying to themselves and actually create or do something real, ya know? And in turn, stop contributing to the noise.

Then again, I may just have my panties in a bunch this week (HQ power outage all day due to carrier mistake will do that) and have some unfair opinions. But I think that’s increasingly my right for advancing in age.

another view on how sopa illustrates the process in action

Bear with me for a moment while I make a statement or two that I’m just throwing out there, but not really meaning to defend with any huge force, especially considering this is one of the only times I can recall where I’ve defended politicians or Congress… (and before anyone exercises their right to be dumb and not understand what I’m saying, I oppose SOPA as well.)

Yesterday, many sites went black in protest of SOPA. In addition, many people are upset about such legislation even being proposed, citing corporate interests and corrupt Congress and technological idiots in Congress.

Personally, I love what happened yesterday, but not because the Internet swelled up and got seen on the front pages of every mainstream news outlet. Rather, I love that this is exactly how the process is supposed to happen.

Congress doesn’t jot down new legislation and throw it into the hopper to be perfect and the answer. It’s discussed, changed, challenged, sometimes approved, and sometimes stricken down through the checks and balances system as well as peer and public discourse.

Yes, “politics” does influence things, but the idea of throwing SOPA out there, discussing it, reacting to public opinion when it swells, and maybe even rejecting bad ideas, is part of our democratic process.

In other words, be sure to focus your wrath a bit. Don’t just assume Congress politicians are idiots (at least not based on this one issue, even if I also think many of them are idiots). Even submitting idiotic laws and acts is part of the process which hopefully keeps them from doing more harm than good in the long run.

personal notetaking dilemma and the rise of the cloud

When I look around my desk at work, I can see paper. I’m a notetaker. I have been since grade school. I re-use little calendar pages to take notes on, and they accumulate. While I’d love to reduce this clutter, I’m not ready to try and replace everything, such as my Moleskines. Few things are faster for taking notes than grabbing a piece of paper, a pen, and jotting something down. Few things are faster to re-reference than grabbing a piece of paper and, for example, looking at the checklist of things I have left to do on website build XYZ. Grepping my notes is harder, though. As is trying to remember a shopping wishlist while at the store when the notes are on my desk or at home on a whiteboard.

I have more little electronic devices than I’ll admit to you. Few of them get a ton of use. Part of that is the pain of using one device for a while, and then attempting to consume the same things on another device. Notes taken on a tablet are not as easily ported over to my personal laptop or my phone. And so on. Lots of people seem to be satisfied with using email to shuttle things back and forth, but that seems archaic and dirty to me.

I also have a desire to not put myself into a position of device-dependency such that lack of that device makes me helpless. For instance, I’m already dependent on my cell phone, specifically the contact list. I don’t even know my parents’ phone number off the top of my head (though yes I have a little piece of paper in an address file). I’d hate to be even worse off if I don’t have an Internet connection nearby, or mobile hot-spot, or just an electronic device. (Story: My power recently went out, and I drained the battery on my Nook Tablet, which reminds me that I can always read physical books or magazines if I still possess the ability to create fire…)

[Aside: Magazine consumption on my tablet is a mixed bag. I like this experience, but I’m screwed on the process of ripping out a page for future reference like I can when I own the book, or maybe even taking a screenshot of a page when I’m flipping through it in the store, which I do every work day over lunch.]

All of this puts pressure on digital consumption in my life. And I also believe this is collectively a huge reason why “cloud” is on the rise. More people have more devices, and more devices that are mobile. They’re sick of maintaining their PC (though arguably most smartphones are just as challenging and frustrating to maintain). They want data/experience across multiple devices without needing experience in server/network administration.

Unfortunately, it’s still cumbersome, and the market has so many solutions that it fragments everyone and adds risk that your chosen solution will just die in a year or two. Likewise, you have lock-in (iTunes, B&N store for the Nook…) or differences in experience (phone vs PC web browsers) or inability to install things (iPad-only apps). And lack of trust/privacy/assurance that you’re not being sold/used/exposed.

I’ve had EverNote on my radar for a while now, but I think my work desk situation is going to prompt me into trying it out finally. Of course, this makes me sigh in exasperation as I can probably exfiltrate data from work out to my personal systems at home, but I guess the ability to stop that is becoming more and more of a fairy tale as the months go by… Perhaps this situation is always arguable; I mean, an employee can leave a company and take everything along with him in his head, yeah?

Anyway, I had more to say in this post, but halfway through, work duties interrupted, and getting back to this has sapped my Muse…

illustrating the facepalm of security discussions

If you’d like a quick dose of why discussion in the security circles goes in, well, circles, check out the “Rate Stratfor’s Incident Response” thread taking place on the full-disclosure mailing list. The real headache-inducing pieces take a few responses to get to, but eventually the discussion piles into hiring hackers, security economics, and perfect security. Unfortunately, some of the discussion is driven by one or more people who fail a bit at critical thinking in discussions like this, but it still illustrates some of the pain in security, especially how people coming in from different perspectives are just as correct as others from other perspectives. And this is just discussion and not real action! (I’m ignoring any difficulty in non-English responses, but that is also a trouble spot in the small, global community of security).

Granted, there are some non-industry people in the list, and some who don’t really sound like they’ve had a real deep technical job (or have any business sense), but certainly there are plenty of decent participants.

when pci makes you feel dirty

Wired has a really strange story about Cisero’s Ristorante and Nightclub being fined for PCI violations (and alleged breaches?), having money taken from them, then sued by their bank, and thus counter-suing their bank and effectively putting this whole PCI security process under a legal magnifying glass.

PCI sounds fine, it really does. But once you start looking at the various steps on their own, it really makes you feel dirty. It’s even dirtier when you start talking about arbitrary costs, rules, changes, and general lack of communication up and down the chain.

This may not be so much a problem of PCI, as opposed to a problem with how PCI is used by the merchants, banks, and Visa/Mastercard. No one wants to eat these costs, and the less-skilled persons (merchants) end up being responsible for highly technical issues.

Definitely a story to keep an eye on.

india gov backdoors into mobile devices

If you don’t think this sort of backdoor stuff happens as a requirement to do business with communications networks (and increasingly technology devices), you’re not keeping up with the times.

The memo suggests that, “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices.

Communications eavesdropping, device backdoors, and external/subpoena access to data should always be on your mind. No site or company is going to risk those recriminations on your behalf when pressed.

overhack on network log monitoring

Network traffic analysis and log analysis post is up over at OverHack. Good stuff, and I completely agree with the intro paragraph.

Doing actual log analysis is trickier than most supervisors think it is. You want to know when someone gains domain admin rights, eh? Ok, you have to watch all created accounts. You have to watch for existing account changes that slide an account into the domain admins group, or into any other group nested inside there. You have to watch for someone sliding a group into the domain admins group. You have to watch for strange account usage and failed logins to any accounts in the domain admins group. And you can’t just look for suspicious things, but you should track down every instance, even if it appears to match your account naming schemes.

Oh, and you can’t just do this once a week with a delta on accounts present. If an attacker created an account, used it, and then deleted it, will you notice? And we’re just talking about one (important) sliver of log data!
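To make the watch list above concrete, here is an added example (my own code, not from the OverHack post or this blog) that runs the same checks over a constructed, simplified rendering of Windows Security log records: 4720/4726 for account creation and deletion, 4728 for a member added to a global group, 4625 for a failed logon. The field names (`ts`, `id`, `member`, `group`, `actor`) are assumptions for the example, not the exact Windows event schema. It expands nested group membership, so a user dropped into a group that was itself nested under Domain Admins is flagged, it alerts on the nesting itself, it flags failed logons against any account that is effectively a domain admin, and it catches an account that was created and deleted inside the window, which a weekly membership delta would never see. It also deliberately does not whitelist by naming pattern, which is the point about `svc-backup2` looking like a legitimate service account.

```python
"""Domain-admin change detection over sample Windows Security events.

Added example, not code from the OverHack post or this blog. The events are a
constructed, simplified rendering of Windows Security log records; the field
names are assumptions, not the exact Windows schema.
"""

TARGET_GROUP = "Domain Admins"

# Constructed baseline: who is in the target group before the log window starts.
# In practice this comes from a directory query, not the log.
BASELINE = {"Domain Admins": {"admin.jane", "admin.bob"}}

# Constructed sample log: a group nested into Domain Admins, a short-lived
# service-looking account pushed through that nested group, and two failed
# logons against an existing domain admin.
SAMPLE_EVENTS = [
    {"ts": "2012-01-10T09:00:00", "id": 4728, "member": "Helpdesk-Tier3",
     "group": "Domain Admins", "actor": "admin.jane"},
    {"ts": "2012-01-10T09:05:00", "id": 4720, "member": "svc-backup2", "actor": "admin.jane"},
    {"ts": "2012-01-10T09:06:00", "id": 4728, "member": "svc-backup2",
     "group": "Helpdesk-Tier3", "actor": "admin.jane"},
    {"ts": "2012-01-10T09:07:00", "id": 4625, "member": "admin.bob", "actor": "admin.bob"},
    {"ts": "2012-01-10T09:08:00", "id": 4625, "member": "admin.bob", "actor": "admin.bob"},
    {"ts": "2012-01-10T09:30:00", "id": 4726, "member": "svc-backup2", "actor": "admin.jane"},
    {"ts": "2012-01-10T10:00:00", "id": 4728, "member": "alice",
     "group": "Printer Operators", "actor": "admin.jane"},
]


def closure(groups, group, known_groups):
    """Return (users, nested_groups) reachable from `group` through nesting.

    `groups` maps group name -> set of direct members (users or groups);
    `known_groups` is the set of names that are groups rather than users.
    """
    users, nested, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        for m in groups.get(g, set()):
            if m in known_groups:
                if m not in nested:        # guard against membership cycles
                    nested.add(m)
                    stack.append(m)
            else:
                users.add(m)
    return users, nested


def analyze(events, baseline):
    """Replay events in time order and return (alert_type, subject, ts) tuples."""
    groups = {g: set(members) for g, members in baseline.items()}
    # Group names normally come from the directory; here they are collected
    # from the baseline plus every group named in the sample log.
    known_groups = set(groups) | {e["group"] for e in events if "group" in e}
    created = {}   # account -> creation timestamp seen inside this window
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        users_before, groups_before = closure(groups, TARGET_GROUP, known_groups)
        privileged = groups_before | {TARGET_GROUP}
        if e["id"] == 4720:                       # account created
            created[e["member"]] = e["ts"]
        elif e["id"] == 4726:                     # account deleted
            if e["member"] in created:
                alerts.append(("short-lived-account", e["member"], e["ts"]))
            for members in groups.values():
                members.discard(e["member"])
        elif e["id"] == 4728:                     # member added to global group
            groups.setdefault(e["group"], set()).add(e["member"])
            if e["member"] in known_groups and e["group"] in privileged:
                alerts.append(("group-nested-into-privileged", e["member"], e["ts"]))
        elif e["id"] == 4625 and e["member"] in users_before:   # failed logon
            alerts.append(("failed-logon-privileged", e["member"], e["ts"]))
        users_after, _ = closure(groups, TARGET_GROUP, known_groups)
        # Any account that became an effective domain admin, directly or via
        # nesting, is reported regardless of how "normal" its name looks.
        for acct in sorted(users_after - users_before):
            alerts.append(("new-effective-domain-admin", acct, e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in analyze(SAMPLE_EVENTS, BASELINE):
        print(f"{ts}  {kind:30s} {subject}")
```

Replaying the sample produces five alerts: the nesting of `Helpdesk-Tier3` at 09:00, `svc-backup2` becoming an effective domain admin at 09:06, the two failed logons against `admin.bob`, and the creation-then-deletion of `svc-backup2` at 09:30. Note that a snapshot diff taken at 10:00 would show Domain Admins unchanged, which is exactly the gap the post describes.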

build more than break

I like this new year’s tweet from hrbrmstr:

Final “Three things: Resolutions” (no blog post needed) for infosec professionals: Stop being smug; Build more than break; Quit the FUD.

Particularly, I like that middle part. (That first part can roll into people in general, not just infosec). Build more than break. It’s great and necessary that we have people who can research and find issues. And that we have people who can break into systems and play on red teams as a learning tool. All of this makes for great learning and research, no doubt.

But what really brings value to individual businesses is the ability to create defense and protect against risks in a realistic fashion. This doesn’t mean just blabbering on about best practices and what a company should do, taking your consulting paycheck, and leaving. It means actually being able to design, build, and maintain a proper defensive posture. Not just talk it, but actually be able to walk the walk and explain what works and what actually is just smoke and mirrors or way too costly despite how it sounds on paper. If you tell someone they should be watching XYZ logs for events ABC and correlating those against change mgmt forms and GHI assets, but have never done it and have no idea how much work that actually entails (let alone how fragile it is once you do figure out a way to do it), you’re not helping. And that doesn’t even take into account the audience business size/type/incomes/staff/industry…

Part of that is also being able to talk in a senior leadership sort of way to technical persons like network admins and software developers and desktop teams; to not just give them the same old lines, but be able to give actionable, technical, specific guidance for improvement.

In my opinion, all of this requires a technical background filled with actual hands-on-the-keyboard experience. Not meeting agendas and new school non-PowerPoint presentations and email mandates. Sure, these are needed, but the real value is made or broken down in the trenches.

Addendum: I feel like I shortchanged the attacker knowledge a bit. I absolutely believe we need to be able to think and behave like attackers to anticipate issues, but also it makes for a great way to test our defenses rather than waiting for an attack, enticing an attack, or waiting for that annual pen test which may or may not even trigger what you’d like to test.

have started playing swtor

In light of recent penny-arcade-and-customer vs oceanmarketting [sic] drama, I was catching up on Penny-Arcade entries and came across one for Star Wars: The Old Republic (SWTOR) which sums it all up [emphasis mine]:

While playing last night with Scott he explained that his bounty hunter was all about completing her contracts and getting credits. She didn’t let her feelings get in the way of the job. He was thinking about this before his character was even level 10. I’d be very surprised if he had any idea what sort of “person” his Troll Shaman was in WOW.

I went from 6ish years of WoW (wow!) over to Skyrim a month or two ago, which is a single-player story-driven game that is excellent. And then over to SWTOR. So the change was a slightly phased one for me, but I absolutely felt this same presence in SWTOR that Gabe/Mike mentioned above: you feel your character. And this is entirely because of the choices you make. And unlike other games where there is one “correct” answer and one “lesser” answer so you always want to make the “correct” answer, or even other games that waffle on the idea of irrecoverable choices, SWTOR gives players roughly equal, permanent choices, and they do so in a way that eventually becomes less agonizing and more beautiful. Thankfully I came into SWTOR from Skyrim, so it was Skyrim that started conditioning me to play the character because none of my choices are ever “wrong” (ok, so I still abuse the Quicksaves…).

Anyway, for those curious, I’m only a level 15 Sith Sorcerer (heal/dps), but only because I enjoy the game so much and still agonize over some of the choices such that I’ve played 4 classes up to level 11 so far, just to experience the characters, storyline beginnings, and playstyles of the classes. That game may not be “better” than WoW, but it is a very, very welcome change from the same old MO in “that other MMO.”

attack or legitimate email

You receive the following email:

You have received a secure message

Read your secure message by opening the attachment, securedoc_2011228T1023948.html. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it in a Web browser. For access from a mobile device, forward this message to mobile@res.cisco.com to receive a mobile login URL.

If you have concerns about the validity of this message, contact the sender directly.

First time users – need to register after opening the attachment. For more information, click the following Help link.
Help – https://res.cisco.com/websafe/help?topic=ReqEnvelope
About Cisco Registered Envelope Service – https://res.cisco.com/websafe.about

Attack or legitimate email?

There are certain behaviors that we teach users to look for as sure signs of something fishy. For instance, an attached file with instructions on how to open it in a more vulnerable application like a web browser. Which then brings you to some strange site to log in. The problem is the business desire to encrypt email contents. There really isn’t a realistic solution to that problem that I’ll personally ever be happy with. So this is a bit of a half-hearted bitching session by me.

Oh, and of course this is a legitimate email in support of delivering encrypted email. Which is to say it’s not encrypting email at all, just forcing the recipient to go to a third party web site and download it over an HTTPS connection.

we catch the dumb ones

I was reading a Branden Williams blog post and came across a line that I agree with. It’s one of those lines that I think needs time to sink in and be pondered, as it applies to not just traditional crime, but cyber crimes as well.

When I was first interested in computer forensics, I took an optional course at a security conference, given by the head of fraud at Lucent. It was a great class, where he walked through real scenarios that he had to deal with. After the session we were talking for a bit and I asked him, “If I did *** and *** and of course ***, how would you have to change your investigation?” He responded by saying, “We’d never find you. You see, we catch the dumb ones.” [author’s italics, my bold emphasis]

It somewhat resonates to understand that law enforcement does not try to prevent all crimes. Can you imagine how ridiculous the controls and cost would be to prevent all crime in a particular type?

Really, just keep things like this in mind.

Oh, and also, definitely be scared of intelligent attackers (one [of many] reason the criminal arena of the digital world is scary). And be scared of those who operate absolutely on their own or in small circles or with the cover of diplomatic immunity of some sort. One of the biggest problems for criminals is the lack of trust in their own circles, which means lone rogues are powerful. And the less they need to rely on anyone else, like someone to sell their stolen goods to, or identity providers, the better off they are.

Thankfully, our underlying societal, governmental, and religious ideals (believe it, you’re influenced by religious morals even if you don’t specifically align with a religion) help keep the general intelligent public from being too criminal. Unfortunately, it is far easier to cross moral lines when you’re masked by the anonymity of the internet and physical meatspace from your targets/victims/work.

And so on…

hyperbole to make a point

I appear to have found my snarky drawers tonight! What do these statements have in common?

“I didn’t want that last chocolate anyway.”

“I meant to do that.”

“I’m happy with second place.”

“Security shouldn’t inhibit everyday ops.”

Ok, I’m using hyperbole to make a point, but a point nonetheless. It is up to business to decide what risk they would like to take, but we security professionals should always strive for, be ready for, and work towards as much security as we can achieve, rather than make silly mantras so we can feel better when we don’t get our way. Ok, so maybe it’s not about getting our way, but it is a strange copout that can be used whether you win 99 security battles and concede one that impedes business too much, or you lose all 100 and use that statement as your excuse.

long week, a few beers, and some easy-going discussion

It’s been a tough week (think: windows domain DNS corruption), so I wanted to poke at something and not spend too much energy. Happily, I came across two nice entries by Ben Tomhave. The first is “3 Common Ways Security Fails People.” Sounds like fun, and I’ll go over each of the 3 points with my Devil’s Advocate robes on. I could rename these as the Neutrality Robes, or Robes That Keep Overzealous Ideas Checked Into Reality.

1) It [security] gets in the way. Well, duh. And that’s just going to be the way it is. A firewall gets in the way of traffic. A castle wall-n-moat gets in the way of open wandering. I do actually like the points Ben makes here, but ultimately we are dooming ourselves if we let ourselves (and others) think that security needs to not be in the way. But yes, people who want to do things will find ways to do them. And that’s not the fault of security as much as the fault of the people finding ways around security. Just this week I had a developer using a writable file location set up for purpose X, and he decided he wanted to start writing application logs somewhere. So he picked that spot that he knew he could write to, which added an undocumented use to a location otherwise used for just one thing. Thankfully we talked about it and his need was only temporary so I allowed it, but that’s the kind of thing security runs into, and always will.

2) It makes life more difficult. Well, yeah. If you want a more secure house, you make the rounds to ensure the windows are locked, garage door is down, and alarm set. God forbid that is annoying. This wouldn’t be the case at all if a) shit worked, and b) people weren’t human. I made the comment on the blog post example that perhaps Ben was in the wrong for accessing OWASP Google Apps with a non-standard account, rather than blaming security for making his life difficult. Security is a compromise and a give-and-take [risk]. That goes both ways.

3) It doesn’t understand what’s important. I hear this enough that I’m kinda sick of it, but it’s a good point. Again, though, this goes both ways. If what you’re doing isn’t in the best interest of what’s important in the business, and security calls you on it, don’t blame security. And don’t yell at security for everything that doesn’t go your way. Yes, people do that.

The second article is similar in tone: “3 Uncommon Solutions for the 3 Common Problems.” I also like this article, but I haven’t taken off my robes yet…

1) De-Operationalize “Security” – I understand the spirit of this point: get security inherent in the way operations works. But I’m not sure this ever really properly works without oversight of some degree. First, when push comes to shove and I have to do task A to satisfy a customer or do task A with a dab of security B on top, when I already have an overflow of things I need to do to satisfy business/customers, I’ll do A and attend to B later when I have time. Operations will *always* get in trouble for not doing A, but will rarely get in trouble for pushing off security B. This is the same concept for coding. You can assign a variable a value quite easily, but to assign that variable in a secure, scalable, documented way takes more effort and knowledge. This is why I will agree that operations needs to do security, but the pressures are never really there to make sure security is as important as accomplishing the goal. If a customer pressures an admin to open the firewall in an insecure way, what do you think that admin will do when part of his job appraisal is based on customer service and peer feedback?

I could even tackle the idea that security is everyone’s problem. While certainly a requirement in a blended approach, I’ll take technological controls over human decision-making any day. At least from a strictly security perspective.

2) Elevate “Security” to “GRC Program” – I’m not going to tackle this because I’ve never worked in a situation like this. It’s a bit of a sideways step to my experiences. In the brief mention in this article, it just seems like another silo and something for people to point fingers at. It also feels like it will still depend on all the operational people and technical managers to filter up enough accurate knowledge for potentially non-technical GRC managers to make decisions upon. I’d rather just have one layer of experts (security team), but again, this isn’t my reality.

3) Understand the Business – I’m losing mental momentum after my long week by now, so I don’t have much to say that is useful. I agree with the concept, but I don’t necessarily like the idea that regulations are distracting. Difficult and annoying, sure, but I’m not sure how any of them go against what a business wants, other than being a cost center. This may just be an illustration of the break between auditors (and external security) and their rigid interpretations of regulations and very un-agile recommendations to meet them for every business.