my one (almost) “told ya so” amazon rant

Way too many people have run around all crazy about the recent Amazon cloud outage that left various companies and persons high and dry for a period of time. I won’t belabor the topic further but to point out two links.

First, this wonderful forum thread that claims patient lives are at risk with the outage. Talk about fail; sort of a laughing while facepalming issue. Be thankful your business (probably) doesn’t actually have lives depending on it…

At the end of that thread is a link to a blog post that essentially reasons that all of this is Amazon’s fault.

I wouldn’t presume to say Amazon, in this case, may have overpromised or even misled people; and they may have just flat out fucked up.

But, so what? Does that mean your customers nod and say, “That’s ok?” Does that mean you get your revenues back that you lost? Maybe a refund? Does that mean your boss isn’t going to throw your ass under the bus when shit hits the fan? When he asks the status, you just point over to the Amazon support number and say, “They’re working on it?”

If I give you a promise and I fail to deliver, what the fuck are you going to do? Sure, we may be talking contracts and actual damages and, worst case, tort law, but do you really think that’s going to help? What if the court says, “Hey, why didn’t you have a backup plan?” Or what if I skip town? What if the event is so catastrophic that your provider collapses and goes bankrupt? You really *can’t* rely on something like that to help you out. While you shake it through the courts, your business might be done; or your job.

I dunno. Maybe it’s the operations guy in me who knows that outages occur and they occur for an infinite number of reasons. And the less money you spend the more you get.

Lastly, if Amazon fucked up and didn’t do something right, do you really think some other provider (not named Akamai, let’s say) will be less error-prone? Really? At least Amazon now probably has one less issue to ever deal with, right? They *did* just gain valuable experience.

As the blog post says, choose your provider carefully. Oh, and this issue somehow makes it easier to choose a provider? Or give any further insight that cannot be gotten by common sense? Or insight that goes beyond the magic curtain the provider puts up in exchange for managing your infrastructure for you? No. Saying that is like having a Toyota recall and then glibly telling your Toyota-driving friend he should have picked his car better. The proper feeling in response to that is, “Ass.”

security analogy attempts

You’re a firefighter in a burning building, but you’re not supposed to put out all the fires; the fires are just part of the environment. Instead, you’re just there to make sure it doesn’t turn into the Towering Inferno.

You’re the chaperone for an outing at the bowling alley for 8 year-olds. Your job is not to teach them how to bowl, but rather keep things fun, so you have the gutters stuffed with pads so they can successfully toss the ball down the lane for some scores.

we need deeper knowledge, and it ain’t easy

I was listening to pauldotcom 236 last night and Bugbear had a great point that I wanted to tackle. I’ve combined two quotes into one:

…in order to catch up with attackers, we’re going to have to understand our information systems better so that we can detect, triage, and deal when we do get compromised, because it’s only a matter of time. And that does not include clicking on a management console somewhere.

I wholeheartedly agree with this. As defenders and even as *effective* attackers, the knowledge has to get deeper. I would add that this understanding also does not include just having good inventory and documentation; we’re talking real, expert/working-level knowledge.

Sadly, I wanted to tackle this idea not to preach to the choir, but just to play devil’s advocate and not try to make it sound like once you accept this idea, your head is in the clouds where puppies and kitties frolic amongst forests of candy canes and pastures of skittles. Instead, there’s a heck of a lot of pressure that keeps us from being the experts we need to be in order to do security well.

1. Technology moves on – Lifelong learning is a mantra in security; duh. But there does need to be acknowledgement that even if you devote the time to learn something deeply, someday you’ll start the whole process over when your knowledge is obsolete and needs updating. Once you understand A, we’ll have B, C, and D beating down our doors. Security is one area where you need to have deep knowledge on things past as well as what’s coming tomorrow. That’s a tough job, and it’s ego-sapping. You can’t come in with an ego and expect someone to help you. We’re constantly wise adults and learning infants at the same time.

2. Know your security tools as well – Deep knowledge on your own systems? Check. Deep knowledge on your security tools? Wait, what? As full-disclosure recently demonstrated, even security tools have issues. Could *you* have seen that Pangolin reported back to a mothership? The security community is just as interested as any in punking its own, and who better to pwn than the guys with the vuln reports, admin access, risk analyses?

3. Security dashboards don’t [always] help us – My one biggest issue with security suites and large management tools is the same interface that allows management of an enterprise-wide array of data/systems/information is the same interface that steals away our ability to be agile, hands-on, and expert with the underlying roles it serves. If you rely on a tool to do your nmap scans, you’ll lose the ability to do your own nmap scans without the tool. Layer such management tools on top of other management tools on top of other layers, and pretty soon security analysts can only work on those monolithic management dashboards and can’t do crap on the command line, hands-on. That’s not to say you should know how to write an AV detector rather than buy an AV suite, but you do need to be functional underneath the tool if need be. Low-level skills are important, like those found in forensics or coding or traffic analysis or reading your own damn logs, etc.

4. Experts at everything – Yeah, as if all the technical things to know didn’t suck enough, we should also be aware of interpersonal social skills, both from an attacker perspective (SE) and the inner political workings of a business. And the business processes, risks, and goals. Granted, this is why we make various levels in security, from technical analysts to risk managers, but still we’re far too few to rely on that stratification. We need to field questions and give actionable answers on a variety of topics including mobile security, virtualization and cloud, malware, espionage, physical theft, C++ code, .NET code, scripting, encryption cipher strengths, traffic captures, VOIP and VLANs, CCTV/IP cameras… Ever try to BS developers on security practices? 🙂 Ever get asked to prove that something is a risk or that the risk is more costly than the fix?

5. You don’t know enough – You know the saying, “There’s always someone better than you.” That’s true with knowledge as well; none of us will know everything about something. There will always be places to learn more, tricks to practice, technical talks to attend that don’t just speak obvious unhelpful generalities like, “security sucks.”

moxie on ssl authenticity and trust agility

A couple days ago I posted a reaction to the “SSL is Broken” topic floating around. Via Securosis I was pointed to a much better article directly from the mouth of an expert: SSL And The Future Of Authenticity by Moxie Marlinspike.

Rather than go all sensational and say something like, “SSL is broken,” Moxie digs much deeper and smarter by tackling the specific problems with SSL, namely authenticity and “trust agility.”

I look forward to Moxie’s future posts on proposed solutions. I agree with his sentiments, and I firmly agree with his reservations about tossing away CAs for a kneejerk replacement that may not be better and may in fact be worse!

This illustrates part of my point in my post: it is hard to patch an ultimately human problem. And I still really think that trust in a human-backed entity is inherently going to be a problem unless they have the ethics of the Supreme Court or something. And globally, that will never be possible. This is why I’ll sympathize with the idea there are issues with SSL, but it might just be “good enough.”

[struck a really off-topic rant about complaining, thinking several plays ahead, and ultimately “just enough security” being ok, i.e. there *are* shades of grey…none of which was ever worth reading and so unformulated…]

To briefly put on my tinfoil hat, it might be worthwhile to say something like, “Let’s just get perfect, universal encryption for everything.” But never, ever, ever underestimate the desire for governments (and on smaller scales, corporate entities) to have the ability to intercept and inspect. Ever. China and other countries may make the news with their heavy-handedness, but don’t think for a moment that govs like the US don’t do many of the same things, only in more secrecy.

clubhack 15 available

ClubHack Issue 15 [pdf] has been released. This publication has several articles:

Mozilla Firefox Internals & Attack Strategies [interesting…could benefit from a video demo!]
FireCAT [good to spark interest]
Being Invisible on the Internet [poorly scoped, not useful]
The Information Technology Rules [interesting at least]
Configuring Apache SSL [decent instructions]
MATRIUX VIBHAG Introduction Part 2 [not sure what this is]

suricata plus snorby equals smooth-sec

Speaking of Suricata, here is a distribution iso for Smooth-Sec, which is a Suricata + Snorby build on top of Ubuntu 10.04. I have not tried this, so I can’t attest to how easy it is to install or get ready, but it sounds like a promising IDS/IPS setup, even though the wiki (documentation?) is behind a sourceforge registration-wall. The wiki is here!

an online comparison: suricata vs snort

Looking for a comparison between Suricata and Snort? I wasn’t either, but someone did it and posted the results online. While I’m not surprised by the results, I really wanted to link to this comparison mostly because of the way you can click around in the report and see various tidbits like what specific payloads they sent and other test cases. While this isn’t absolutely detailed and recreatable (take for instance all the client side attacks), this still should give anyone some idea on what to do to test your own IPS/IDS implementations, whether you’re an admin setting up a sensor or even an auditor who needs to do some deeper verification that an IDS/IPS is performing as expected over a particular traffic segment.
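To make that kind of verification repeatable against your own sensor, here is an added example of mine (not code from the original post or from the linked comparison): after replaying a known set of test payloads past a Snort or Suricata sensor, correlate the sensor’s fast.log with the signature IDs each test was expected to fire, so you get a detected/missed list instead of eyeballing alerts. The only thing taken from the real tools is the fast.log line layout they share; the test plan, the sid numbers (in the 1000000+ range conventionally used for local rules), the target host and the log lines are all constructed sample data.

```python
"""Correlate a replayed IDS test plan with the alerts a sensor actually logged.

Added example (not from the original post or the linked comparison). The
fast.log layout is the one Snort and Suricata share; everything else, the test
plan, the local sids, the target and the log lines, is constructed sample data.
"""
import re
from collections import defaultdict

# fast.log line layout (Snort and Suricata):
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} SRC:PORT -> DST:PORT
FASTLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed test plan: payload name -> local-rule sids it should trigger.
TEST_CASES = {
    "id_check_root_response": {1000001},
    "sqli_union_in_uri": {1000002},
    "shellcode_nop_sled": {1000003},
    "ssh_bruteforce": {1000004, 1000005},
}

# Host the payloads were aimed at; alerts involving other hosts are noise.
TARGET = "10.0.0.5"

# Constructed fast.log excerpt captured during the replay.
SAMPLE_FASTLOG = [
    "04/25/2011-14:02:11.120394  [**] [1:1000001:1] LOCAL id check returned root [**] "
    "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 10.0.0.9:43210",
    "04/25/2011-14:02:15.881200  [**] [1:1000002:1] LOCAL SQLi UNION SELECT in URI [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.9:50112 -> 10.0.0.5:80",
    "04/25/2011-14:02:19.000100  [**] [1:1000002:1] LOCAL SQLi UNION SELECT in URI [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.77:50113 -> 10.0.0.88:80",
    "sensor restarted, this line is not an alert and must be skipped",
]


def parse_fastlog(lines):
    """Yield one dict per well-formed alert line; anything else is skipped."""
    for line in lines:
        m = FASTLOG_RE.match(line)
        if not m:
            continue
        alert = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            alert[key] = int(alert[key])
        yield alert


def coverage(test_cases, fastlog_lines, target):
    """Return (detected, missed) for a replay against `target`.

    detected maps test name -> sorted list of the expected sids that fired with
    `target` as source or destination; missed lists tests where none did. A sid
    that fired only against some other host does not count: that is background
    traffic, not evidence the sensor saw your payload.
    """
    fired = defaultdict(int)
    for alert in parse_fastlog(fastlog_lines):
        if target in (alert["src"], alert["dst"]):
            fired[alert["sid"]] += 1
    detected, missed = {}, []
    for name, expected in test_cases.items():
        hits = sorted(sid for sid in expected if sid in fired)
        if hits:
            detected[name] = hits
        else:
            missed.append(name)
    return detected, missed


if __name__ == "__main__":
    detected, missed = coverage(TEST_CASES, SAMPLE_FASTLOG, TARGET)
    for name, sids in detected.items():
        print(f"DETECTED {name}: sids {sids}")
    for name in missed:
        print(f"MISSED   {name}: none of {sorted(TEST_CASES[name])} fired against {TARGET}")
```

The target filter is the part people skip: on a busy segment a sid firing somewhere proves nothing about whether your payload reached the sensor, so only alerts touching the test host count, and a test is only “detected” if at least one of its expected sids shows up there.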

By the way, if you haven’t before, feel free to browse around the site topics at the top and drill down to some useful how-to’s and sort-of-tutorials on various tools and techniques in security and pen-testing.

nook color to get android 2.2 update

I would be remiss to encourage rooting a Nook Color without making mention that Barnes & Noble has been planning on rolling out updates to the device that actually include Android 2.2. The only thing that may doom this in my mind is if B&N wants to lock people into their app store apps or some captive portal or something, which would be a travesty. This is an awesome tablet and device, and I would hope they embrace the creative ways people are consuming it rather than stifle it.

I even have a second Nook Color just to test out these updates on a non-rooted device. The worst thing about being a tinkerer with systems is that I eventually start to hate rebuilding something I broke. It’s one thing to make your main system a strange operating system, but you eventually take less risks with it because you don’t want to fuck up your main system, yeah? Well, at least *I* have that hang-up. So I like having a backup plan in place where I have other VMs or spare systems to do my dirty work on.

jim klein on innovation

In my last post I linked to a Nook Color-rooting article on an education site. Intrigued by this (sit back a moment and think how exciting tablets are for educators!), I checked out the author’s blog and found this awesome post about innovation. He made several points:

1. Innovators put little stock in criticism from the mainstream (example: iPod)
2. Innovators see opportunities in both the “old” and the “new” (example: Web 2.0 + JavaScript)
3. Innovators embrace resource constraints (example: WWII German jet-turbine engines)
4. Innovators jump curves (example: ice farmers vs ice factories vs refrigerators)
5. Innovators don’t pretend to know the outcome (example: Friendster vs users)
6. Innovators aren’t afraid of failure, and are quick to let go (quote: Walt Disney)

aftermarket notes on the nook color

Just recording some notes on my Nook Color here. For starters, the Nook Color can be easily rooted by heading over to NookDevs.com. The process (I did an AutoNooter rooting, which leaves the original software intact rather than fully replacing it with Android Froyo/2.3/Honeycomb…) is straight-forward once you start doing it. In fact, the hardest part is simply getting the microsd card inserted into the awkward slot in the corner of the Nook. Other tricky parts include making sure you have a Google account on hand as well as an open (or easily-connected-to) wireless network for the device setup. You won’t have a chance to get the MAC address during setup, so if you use MAC whitelisting, be sure to harvest that item first.

Whenever rooting a device, there is usually that risk of turning it into a brick, but with the Nook Color there is very little risk since you can factory reset the device including the original software. Basically, why wouldn’t you make a try of it?! I personally used the AutoNooter tool so that I can still at least have the default software running, but with the extra capabilities of installing apps from the Android Market, and beyond.

Also read this post (or this original location) that goes through the initial process, but also details some great “next steps” to do after rooting the Nook Color. Specifically, follow the suggestions for SoftKeys and Advanced Task Killer so you can refresh the installed apps list (Extras) without a full reboot. Since this post is hosted on a public education site, I’ll be quoting portions of it below for my own future reference in case the original goes away. That link also reminded me that I can play movie files on the tablet, and includes some suggested settings in Handbrake to encode files in playable format. Score!

Lastly, I’ve been trying out some of the games on the android market. While I find app games to be pretty and kinda fun to control with touch, none have really been nearly as solid or exciting as games I’ve been able to get on various dedicated gaming consoles or handhelds. Yes, Angry Birds is addicting, but it’s not a fulfilling game for a hardcore gamer; I’d even prefer to fire up SMB3 or FF1 all over again. So I’ve gone ahead and installed Nesoid, SNESoid, and Gameboid, to start out. Pair this up with all my ROMs on the microsd card I leave in the Nook, and I’ve now got a nostalgic and gorgeous handheld gaming system to play ‘golden age’ games! The touchscreen controls take time to get used to, and just won’t ever feel good in some games, but most of the time that is forgivable. Now to just get a controller and stand…

(Aside: The NookColor comes with an unused Bluetooth radio, so it does have the potential to become enabled and start attaching Bluetooth controllers! Would also enable the use of microphones/headsets…)

Video conversion for Nook Color (to unprotect DVDs or rip them local, I use AnyDVD):

[paragraph formatting has been removed for space] The trick with Handbrake is figuring out what settings are best for a particular device. Lucky for you I’ve already done this for the Nook Color. Note that Handbrake will not convert any videos that you have purchased on iTunes, as these are copy protected and only work with Apple devices. When using Handbrake to encode video from a DVD or other (un-protected) video file, set Handbrake up as follows: On the main page, set the Video Codec to “MPEG-4”, check the “2-pass encoding” box, and set the “Average bitrate” to “1000”, as you see below: Next, click on “Audio” and set the first track to a bitrate of “128”, then disable any other tracks you see: Finally, click the “Picture” button and set the width to “512” (the height will adjust automatically).

Fixing Extras (because it won’t refresh and list newly installed apps until you reboot…or do this!):

If you decide to install Advanced Task Killer, you’ll need to change a few settings to get it to do what we want. Once installed, launch Advanced Task Killer, then tap the menu button, followed by Settings. Scroll the page up and tap “Security Level”, then set to “Low”. I also uncheck “Show Notification” because I don’t like having an advanced task killer icon in my notification bar, but that’s up to you. Press the back button twice to close Advanced Task Killer, then re-open it. You should now be able to see com.bn.nook.applauncher in the app list. Hold your finger on com.bn.nook.applauncher and select “Kill” from the menu that appears. The next time you open Extras, it will reload the launcher and refresh the list.

ssl certs: just enough security?

Via Twitter (@jaysonstreet) I opened up an article by Dan Goodin (TheRegister) with the sensational title, “How is SSL hopelessly broken? Let us count the ways.” This just begs comment.

1. It’s still a human problem. I’m not sure I would go so far as to call SSL hopelessly broken. Then again, I’m not writing a story aimed to be sensational and gain views. What we have here is the age-old problem of human involvement in a well-meaning system. All of the weaknesses presented in the article center around poor implementations, user convenience (which strangely is not what EV SSL changes did), and a drive for profits in the CA industry. All of these are not a problem for SSL to solve, but rather for groups of people to solve and make better choices. Good luck with that.

We often get wrapped up saying security is a human problem by beating “users” over the head, and maybe even including administrator mistakes. But implementation decisions and poor oversight are just as much a human problem as a user who opens every Adobe email attachment they receive.

2. Silly questions. Should browsers not trust every CA root cert (and probably give errors by default, which will suck)? Should CAs do far more to only issue truly valid certs (and pass that cost to whom exactly)? Should CAs beef up their OCSP infrastructure (and cause my corporate software to make even more strange call-outs to unexpected places) so that it can be made a critical path for trust (even when 99% of the certs probably won’t be revoked)?

I don’t think there are easy answers and maybe not even any answers for these questions. So maybe this does say that SSL is hopelessly broken. But would *any* alternative ever be better? Money, convenience, and profits will always beat up against security, so I’m not sure. It’s still an implementation/human issue. Should CAs be held accountable? I don’t like that approach, but I don’t really have a good argument off the tip of my fingers for why…

3. Identity. I’ve been reading some Gunnar Peterson lately, and I’ve seen him talk about identity-based security being the future (or now). I don’t completely follow or understand that yet, but I can see that SSL infrastructure has the same problem.

4. Strange article points. Don’t get me wrong, this article is necessary and good, but it does have some absolutely strange moments. The comparison of CAs to CitiGroup and AIG is just bizarre and nonsensical. The implication that browser-makers should play traffic/moral cop with which CA roots to include in their browsers is dumb (especially when the example of Google/China/CNNIC is doubly based on rumors). The article also focused way too much on the recent Comodo affair, for no real benefit to the central hypothesis.

And one missed point about poor certificate implementation/issuance: the predictability of PRNGs in OpenSSL, which some CAs, I believe, were using. I can’t find reference to it other than OpenSSL in general, though.

But this begs the question of just how much attacking should CAs do to themselves in order to prove their adequacy? I’ve grown more sympathetic to the realistic approach that you do what you can, but you *have* to set yourself up to detect and respond and fix any issues someone else finds in the future. If you wait until you’ve achieved perfect security, your product/company will fail.

Yeah, that sounds a lot like, “Just Enough Security.”

my free time: eaglets and wow and android

A bit of a personal update, since I’m avoiding work on a beautiful Friday… Much of my free time has been devoted to really three major areas recently.

First, this cam watching the nest of a pair of bald eagles and their 3 newly-hatched eaglets is absolutely fascinating. I am a closet naturalist (my first major in college was Environmental Studies until I realized that has more to do with water dynamics and even engineering than biology and ecology…) and love me things like this. The eaglets are still tiny and awfully adorable, having all 3 hatched over the last week and a half. Oh, and they’re in Iowa.

Second, I’ve recently, FINALLY, bought into the smartphone market (and android market and e-book reader market…) with my HTC Thunderbolt on Verizon as well as my Nook Color which I have rooted to allow the installation of market apps and such. The phone is really cool and fills some gaps in my ability to be connected and use things away from a desk. Laptops are great, but admittedly bulky and so 2002. Netbooks are fine, but for being just a little bit too bulky, they end up having far less power than I hope. Even with proper expectations and usage, netbooks just feel weak (I personally believe it is the bloated and needs-rebuilt-badly OS on top of them). I just found I didn’t use the Netbook much. But, the Nook Color is one of the best things I’ve bought in some time and am completely happy with it; I’m pleasantly happy reading books on it as well.

Third, I still play WoW, and I still don’t raid. I just level up my toons, run instances, gear up, and do heroics until I’m satisfied. Basically, for a casual player like me, my characters are done when they can run through all the heroic 5-man content without too much problem.

My healers are an 85 shaman and an 85 aa/disc priest. I really absolutely love the heal role, but since they’ve both done all the heroics with no issues anymore, I don’t play them much. I have done holy and that’s fine, but I really like the mechanic of the smite/shield focus for the aa/disc priest. No, I don’t get excited about the dps; I rather just like the amount of busy-ness it affords and how it sets up everything else and has good mana-management. The shaman is a busier healer (especially when using lightning bolts to regen mana), but I feel the priest is the easier one.

My tanks are an 85 warrior, 81 death knight, and 39 druid. The warrior was a surprise for me; an old bank toon, I got bored waiting for Cata so leveled him up almost exclusively tanking instances from level 24 up. He’s only done 2 heroics, but I’ve also only ever tried 2 heroics on him. Surprisingly, I found him fun and somewhat easy. Just last weekend I started in on the death knight and am only now getting my head wrapped around blood tanking. Other than having issues getting AoE threat with out-of-control PUG DPSers, it’s been an experiment. My Bear tank is my original worgen whom I am leveling up with a friend, and has gotten behind as our schedules haven’t matched up lately. Eventually the druid will also dual-spec as a healer, just so I can see what rolling hots is like on a druid.

My sole dps toon is my original toon, an 85 warlock. Even with all the changes in Cata, my affliction warlock still plays roughly the same as he always has, which has caused me to get bored pretty quickly with him once I hit 85. I’ve not taken him into a heroic yet, since I’m not even geared for one…plus he’s still only teasing 7-8k dps, which is my personal cutoff for being able to be successful in a heroic (7k dps or higher).

powershell kung fu

I don’t keep up with some blogs like I used to. So it has come as a pleasant surprise to me to see the rather busy Command Line Kung Fu blog has (yes over a year ago!) added a PowerShell section to their little challenges. Well, shit! 🙂 If you work with Windows at all as a server dude or even in security, it would behoove you to be familiar with PowerShell.

when disabling terminated accounts is not enough

Last year Gucci had some drama in their networks as a former employee wreaked some havoc in their systems after being terminated. This brief from the New York DA’s office goes over the quick details.

What I find interesting is that Yin had enough rights to make himself a fake employee account before the fact, and then used that fake account to remotely connect to the network and do his thing. Being able to track and stop that sort of thing is definitely a step up from the obvious recommendation to disable/audit terminated employee accounts.

You need to track changes and map those changes to valid requests.
You need to regularly audit accounts to make sure they’re needed and legit. (ask boss?)
You need to audit VPN access to make sure they’re allowed.
You need to catch any weird VPN setups, like a regular user mapped to servers or a service account appearing in the list.
You need to audit any users who aren’t locked into certain targets for VPN access (i.e. their existing desktop or a virtual system).
You need to educate help desk persons on SE and procedures/challengebacks.
You need to monitor and audit VPN logs on access/activity.
You need to regularly change service account passwords (those can be usurped too!).
You need to regularly audit any account with elevated privs (domain admins!).
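Most of that list boils down to joining two data sources that almost never get joined: the security event log and the change-request system. Below is an added example of mine (not code from the original post or from the DA’s brief) that does exactly that join over exported Windows Security log events and asks the two questions the Gucci case raises: which account creations and privileged-group additions have no approved ticket behind them, and which accounts were created by someone who has since been disabled but kept logging on remotely afterwards. The event IDs are the real Windows ones (4720 account created, 4728/4732 member added to a security-enabled global/local group, 4725 account disabled, 4624 logon); the flattened field names, the events, the tickets and the account names are constructed for illustration.

```python
"""Audit account-lifecycle events against approved change requests.

Added example, not from the original post or the DA's brief. It works over
Windows Security log events already exported and flattened to dicts (the field
names are my flattening, not the log's XML element names):
  4720         a user account was created (subject = who did it, target = new account)
  4728 / 4732  a member was added to a security-enabled global / local group
  4725         a user account was disabled (target = the disabled account)
  4624         an account was successfully logged on (logon_type 10 = RemoteInteractive)
All events, tickets and names below are constructed sample data.
"""
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# 4624 logon type 10 is RemoteInteractive. If you export NPS/RADIUS access
# grants for your VPN (event 6272), flatten them to the same shape and treat
# them as remote logons as well.
REMOTE_LOGON_TYPES = {10}

# Constructed export: one dict per event, times in ISO 8601.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2010-11-01T09:12:00", "subject": "jdoe", "target": "svc_backup2"},
    {"id": 4728, "time": "2010-11-01T09:13:00", "subject": "jdoe", "target": "svc_backup2",
     "group": "Domain Admins"},
    {"id": 4720, "time": "2010-11-03T10:00:00", "subject": "helpdesk1", "target": "asmith"},
    {"id": 4728, "time": "2010-11-03T10:05:00", "subject": "helpdesk1", "target": "asmith",
     "group": "Sales"},
    {"id": 4725, "time": "2010-11-05T17:00:00", "subject": "helpdesk1", "target": "jdoe"},
    {"id": 4624, "time": "2010-11-06T02:30:00", "target": "svc_backup2", "logon_type": 10,
     "src_ip": "203.0.113.7"},
    {"id": 4624, "time": "2010-11-06T08:10:00", "target": "asmith", "logon_type": 10,
     "src_ip": "198.51.100.4"},
]

# Constructed change-ticket index: what the ticketing system says was approved.
APPROVED = {
    ("create", "asmith"): "CHG-1042",
    ("group", "asmith", "Sales"): "CHG-1042",
}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def unrequested_changes(events, approved):
    """Account creations, and additions to privileged groups, with no ticket.

    Returns (event_id, account, group_or_None, done_by) tuples. Additions to
    non-privileged groups are deliberately ignored so the report stays short
    enough that someone actually reads it.
    """
    findings = []
    for e in events:
        if e["id"] == 4720 and ("create", e["target"]) not in approved:
            findings.append((4720, e["target"], None, e["subject"]))
        elif (e["id"] in (4728, 4732) and e["group"] in PRIVILEGED_GROUPS
              and ("group", e["target"], e["group"]) not in approved):
            findings.append((e["id"], e["target"], e["group"], e["subject"]))
    return findings


def orphaned_remote_logons(events):
    """Remote logons by accounts whose creator was disabled before the logon.

    This is the Gucci pattern: the fake account outlives the real employee's
    termination, so disabling the employee's own account catches nothing.
    Returns (account, creator, src_ip) tuples.
    """
    created_by = {e["target"]: e["subject"] for e in events if e["id"] == 4720}
    disabled_at = {e["target"]: _ts(e) for e in events if e["id"] == 4725}
    findings = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") not in REMOTE_LOGON_TYPES:
            continue
        creator = created_by.get(e["target"])
        if creator in disabled_at and _ts(e) > disabled_at[creator]:
            findings.append((e["target"], creator, e["src_ip"]))
    return findings


if __name__ == "__main__":
    for f in unrequested_changes(SAMPLE_EVENTS, APPROVED):
        print("NO TICKET:", f)
    for f in orphaned_remote_logons(SAMPLE_EVENTS):
        print("ORPHAN REMOTE LOGON:", f)
```

The second check is the one that would have caught this case: it does not care whether svc_backup2 looks legitimate, only that the person who created it no longer works here and the account is still coming in over remote access. Run both over the full retention window, not just the last day, since the fake account is created well before the termination it is meant to survive.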

As a privileged person, myself, sitting back and wondering at all the ways I can sneak in a fake account to pose as a fake person in the absence of my normal access is quite intriguing. Definitely don’t forget that I have the ability to create service-type accounts in addition to regular users, or have access to service-level passwords!