I just want to post and save a link to a discussion/essay that RSnake has written. In it, he talks about increasing the penalties for digital crime, maybe to an exaggerated level. It is worth a good read along with the comments.

Like security, I’m of a mind that there is no “solving” of digital crime in general. It is a fact of life and we have to find a moral equalibrium, just like any law enforcement category.

Sadly, I think the only way RSnake’s approach will work is if we remove one of the fundamental drivers of what makes many of us even use the Internet: the privacy. To achieve better punishments for more criminals, we absolutely must remove the anonymity, privacy, and transparent digital borders between nations.

This all goes back to what your “security religion” is. Are you a glass half empty kind of guy? Are you a “It’s not secure unless it is absolutely secure? sort of guy?” Or are you a glass half full person who sees value in partial security or incremental steps towards a goal that doesn’t need to be absolutely attainable? This is not just fundamental to a consistent approach to security solutions, but also fundamental for our attitude in our career.

I sometimes skip posting about major events for a few reasons, two of which being I hate sounding like I’m just repeating what everyone else says, and any one who reads my blog should be involved enough to not use my blog for breaking news.

Anyway, the Downadup/Conficker worm has arrived and made its way into the mainstream media. I posted some info to my team and boss about it this weekend. Here are some links to more information (the more the better, especially for the analysis since no one source seems to get it all).

CNN article
F-Secure details
SANS info

Really, this whole worm occurence begs the age old question, “Did you update when you were told? Did you even know this was brewing?”

For us, this is still a somewhat non-event, although the widespread reality of this worm raises my concern over incoming laptops and VPN connections from home users, but not enough to keep me up at night, yet.

Joel Spolsky recently posted his latest inc magazine article dealing with the topic of performance rewards. While I think he dropped the ball on the actual reward he offered, I feel he has good food for thought on the subject. Questions like:

How do you measure performance and contribution?
If you measure, how do you know you’re measuring enough pieces to get a proper view of the employee?
How do you reward contribution without stepping all over your other employees?
How do you reward such that a competitor can’t just match it and steal away the employee?
How do performance rewards influence the attitudes of the other employees?
Should you reward based on how their updated resume would look to someone else?
Do you want to run a socialist or capitalist company? (Ok, I’m stretching it there!)
I think Joel has a good approach when he talks about the intrinsic and extrinsic motivations. Money and peer recognition are cool, but ultimately geeks like me derive their motivation internally because we love what we do and want to do it well. Obviously, that is not for everyone or every company.

Why do I think Joel dropped the ball with his example? Because that intern walked away with absolutely zero reward from Joel; instead walking away with what amounts to a coupon for a store you may or may not want to shop at again. Granted, his real reward (especially as an intern) are the line items on his resume and knowing Joel was impressed. I’m also not a big fan of ‘stock’ in its various forms. I’m not a huge fan of only doing peer recognition (unless it winds up as a resume line item) because it really has little monetary value (the fundamental reason almost everyone works) and can become so unvalued in other ways over time and if mismanaged. And I can go both ways when it comes to performance-based rewards.

Obviously Joel does other little things beyond direct monetary compensation to make work enticing and fun for his programmers; making it a place they *want* to work. So maybe he doesn’t truly need to think too hard about monetary performance-based reward schemes and instead keep doing what he does. Maybe give Noah an extra gift of some sort, but don’t otherwise break the cooperative culture that he obviously values. Maybe the reward or lack of one should not be a reason his workforce remains present and motivated.

At the bottom of the article, click the link to go to the base page if you want to read other comments posted directly to the article.

To circle back around to an earlier link to a packetlife challenge/contest notice, the answers are now up. What did I learn? Well, I didn’t know Wireshark could decode SNMPv3 data if I had the proper info. In fact, I couldn’t even do it with my installed version of Wireshark. I had to update to get the features. Cool challenge. Simple, but not necessarily elementary.

I’m finally getting around to reading the NetworkWorld article that cited Fortify Software Inc. co-founder Brian Chess as essentially saying that penetration testing as we know it today is dying/dead. The article further states, “Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place.”

Talk about confusing!

I think the assertion is correct that customers want preventative tools. I want preventative tools wherever possible. But I think there are three incorrect assumptions here. First, that preventative tools can possibly prevent or even anticipate every potential hole (or even most of them!). Second, that preventative tools are something more than just a band-aid on other issues. Third, that companies know all their weaknesses already.

The article (and Mr. Chess) make it sound like the security buck stops at “preventative tools.”

There is value in preventing issues, but there is no way penetration testing is going away or even beginning to die or dwindle for many years. Too many corporations still thirst for knowledge on their security stances and weaknesses, or for more leverage to higher-ups for budgets or project direction.

Prevention, detection, testing…these and more are all parts of a solid security posture. No one trumps the others, nor does one lag behind as dying or even changing.

Here are a couple statements on my view of pen-testing.

If you have little existing security, pen-testing helps give direction and information on where to make improvements.

If you have a security plan in place, pen-testing helps give third-party validation to the results, while also potentially exposing weaknesses that were overlooked (the more eyes that read this post, the more we can say all the typos were caught!).

A couple points I want to throw out for a Monday:

1. Security takes knowledge.
2. Security takes time.
3. Insecurity arises when shortcuts are taken. (Yes, you fall into this area, web developers!)
4. It is no surprise security permissions (in general) are lax, because they suck to manage.
5. We all started in a place where we didn’t have expert knowledge.
6. Don’t overinflate your abilities. This is where ‘paper CISSPs’ harm our field, not because they aren’t experts yet, but because they profess to know more than they do.

In recent weeks, Snosoft’s (Adriel Desautels) blog has delved into the topic of fraudulent security experts and how corporations can tell if they have a quality security expert (or vendor). I applaud the effort, even if he is preaching to the choir and may be tackling issues that are universal and have no absolute “oh-my-god-epiphany-that-will-change-the-world” answers. Those posts and a headache-inducing security permissions issue I tackled today prompted this post.

I had a longer essay presenting those 5 topics above, but I think I’ll just let them sit alone. Anyone reading my blog can either outright agree, or think for themselves on how those points apply. Just one hint: “knowledge” can refer to both technical as well as business knowledge.

What is it about the Internet that has most changed our lives and society? Well, I would surmise that it is our ability to self-serve information-finding. In 1990, what did we depend upon for information? Today, I can self-serve by looking it up.

For future reference, SourceMap: “SourceMap is designed to scan to a port from multiple different source ports, to aid in finding weaknesses in firewall rule sets. It is possible to scan ports on a host from all 65535 source ports, somthing that nmap could not do. SourceMap is a mutil threaded perl wrapper arround nmap.”