Saturday, January 28, 2012

Security BSides San Francisco, and RSA conference

I thought we were making progress last year, but I may have been mistaken.  The RSA Conference is enforcing the non-compete clause in their sponsor and exhibitor agreements, which means a written waiver is required for an RSA Conference sponsor/exhibitor to hold or participate in anything RSAC feels is “competing” within five miles of the RSA Conference (their definition of “competing” is pretty broad, too).  Last year they issued waivers for BSidesSF sponsors, but so far this year they are refusing to issue waivers.  For more details on this situation, please see this post at Infosec Island.

It would be great if you politely let RSA know that supporting the community is not a bad thing.  They really don’t need to feel challenged by a free event drawing a few hundred people next to their commercial event drawing well over 10,000.  Don’t go flaming @RSAConference on Twitter or anything like that, but if you are a sponsor/exhibitor, speaker, or attendee- maybe take a minute and let them know how you feel.

I will be speaking at RSA this year, partly because one of the comments we heard last year was that many BSides speakers don’t even submit to RSAC.  That seems unlikely to happen again if I have misunderstood RSA’s true attitude towards BSides.

Oh, and if you happen to know anyone who is not exhibiting at RSA who might be interested in sponsoring BSidesSF- you know where to send them.

Thanks

Jack

Monday, January 23, 2012

Bumper Sticker “wisdom”

I saw a bumper sticker the other day that made me think about the trite things often said in InfoSec.  The bumper sticker said (paraphrasing):

“War never solved anything, except ending communism, fascism, nazism, and slavery”

While somewhat nonsensical, I’m sure a lot of folks cheer the sentiment.  I really wasn’t in the mood to interrupt my vacation to discuss the state of global communism, the fall (and pending rise) of Russia; China, its sphere of influence, and the economic power wielded there.  Nor did I wish to engage on fascism’s passing due to natural causes when Franco died a comfortable old man.  I’ll give him the nazism thing, but given the number of people enslaved globally that is far from “ended”.

My point is not about the politics of war, but about the temptation to buy into things which “sound right” and make you feel good.  Things are rarely that simple.  Let’s consider anti-virus, the Schrödinger's cat of InfoSec (reported to be both dead and alive, and we don’t know for sure until we open the malware).  The truth is that it is alive, but sickly; hairballs everywhere in spite of a special diet of CPU and RAM.

If the answers were bumper-sticker-easy, InfoSec wouldn’t be fun.  Of course, some days (especially post-vacation Mondays) I would settle for less “fun”.

 

Jack

Saturday, January 7, 2012

InfoSec career attitudes survey

I have a favor to ask- please consider taking a survey on attitudes about your career in Information Security.  I’m helping a group of smart folks look into what makes InfoSec folks tick, and what makes us twitch.
This survey is mostly focused on your current situation, and this specific survey was selected because it is a standard measurement recognized by folks who study such things; this means aggregated results can be used for comparison with other professions (where there is survey data available) and averages.
The survey is copyrighted and has some license restrictions imposed on anyone who uses it; the most notable is that unique logins are required for anyone taking the survey.  This means we need you to send a request to take the survey and provide us an email address under your control, so we can reply with a link to the survey and enter the address in the permitted users list.  We do not care what email address you use, so feel free to use an anonymous account from any of the freebies like Gmail, Hotmail/Live, etc.  The survey site requires a username; we are using the email address you provide as the username- again, we’re happy with anonymized addresses.  If you request to take the survey we do ask that you follow through and take it: each email address we enter counts as a licensed survey, whether completed or not, and we pay per license to administer the survey.
We are going to give a $100 Amazon gift card to a randomly selected survey respondent as an incentive, if you are interested in that and use a “disposable” email address you may want to keep the account until early March when the winner is notified.
What to expect:
The first step is to request access to the survey and provide consent to participate (see below).  We will send a survey link to each person requesting to participate.
At the survey site enter the email address used for the request, create a password to complete account setup, then continue to the survey.
The survey starts with ten demographic questions; these will help categorize results and discover patterns, but they are optional, so if you wish to skip any, please do.
The survey itself has a sample question and sixteen real questions, all multiple choice.
Expect to spend ten to fifteen minutes total on the registration and survey. Unless you obsess over stuff, like I often do- but even then it shouldn’t take much more than fifteen minutes.
The privacy and confidentiality bits:
The survey data is downloaded with email addresses included, they will be stripped from the data immediately.  We will keep two files, one with email addresses only (for notifying the winner of the gift card), the other with raw data (demographic data and survey results).  When the current project is complete and winner notified, all email addresses will be deleted from files and email system used for the survey, and we will request the data be purged from the survey administration site.  Anonymized results will be analyzed, and the results presented at appropriate venues, but raw data and email address files will always be encrypted when retrieved from the survey host, both file-level and full-disk encryption, using two different encryption applications.
There is more info on the survey website.  If you would like to participate, please submit the Contact form on the survey site, or send an email to info@careerstudy.org consenting to participate and we will reply with a link to the survey.
I know you have a lot of demands on your time, I would be grateful if you would consider participating in this survey and sharing ten to fifteen minutes to help our research.
[EDIT] I missed two things in the initial post:
1) We will share aggregate results in a couple of ways, I'll post some here, other members of the team will post some, and we will present at a variety of events.  I'll try to list upcoming presentations as I become aware of them.
2) The careerstudy.org site is Flash (yeah, I know, it was free with the domain).  If Flash is not an option for you, just send an email to info@careerstudy.org to give consent and request access- we will reply with a survey link.

Thanks
Jack

Monday, December 26, 2011

Compensating, or compounding?

Back in the Dark Ages I managed parts departments for a few car dealerships.  This was back in the land before time, when dinosaurs, Renaults, and, even worse, Peugeots roamed the US.


(Not this long ago)

One of the lessons I learned was about the curious views some people have about errors.  My introduction to this was during a discussion of inventory results with another manager.  Using made up numbers- let’s say we have $100,000 in inventory on the books, we count everything, make all the required adjustments, and end up with $99,000 in inventory.  There’s a grand missing, but that’s only one percent, right?  Assuming the industry standard of annual inventories, being off by one percent isn’t bad, right?

Here’s where a wrong idea leads us into the weeds, and compounds future errors in thinking.  The inventory dollar value was one percent short, but that does not mean the inventory was only off by one percent.  A more likely situation is that the inventory was $5-6,000 short on some items, and $4-5,000 over on others.  Someone got the wrong part, maybe swapped it for the correct one, and no one corrected the transaction history.  Maybe the wrong parts went out to customers who never used them (not going down the auto body shop/insurance industry rat hole today).  Who knows, but inventory always drifts.  Back to the numbers: let’s assume a $100k inventory with $6k in shortages and $5k in overages.  The value of the inventory is only off by one percent, but the inventory is off by eleven percent.  The errors do not offset, they compound.  What counts in inventory management is the ability to hand the customer the correct piece when they need it; incorrect counts on the shelf induce errors in ordering systems, obsolete parts returns, order shipments and other areas.

It is a measurement problem at heart, in this case using the wrong scale (dollars) to measure inventory accuracy.  I’m not saying dollars don’t count, but some people always claim they are all that count.  Explain that to the guy who needs a left front wheel bearing for his Peugeot 504 but your inventory is wrong and you only have a right side bearing.  Hasn’t the poor guy suffered enough?

Luckily for us, this is just a walk down memory lane, I can’t think of any situations in InfoSec where we pretend offsetting errors compensate for each other instead of compounding the problem.  Nor can I imagine ever getting the metrics wrong.  It is awesome being able to be smugly superior to stupid folks like the guys down at the garage, isn’t it?

 

Jack

Tuesday, December 20, 2011

The Pandering Pentagram of Prognostication

This seems to be the year for ridiculing predictions, but I’m not jumping on that bandwagon.  I am here to help you get the most from the meaningless drivel you spew in the name of prediction (and more importantly, page views).  I have invented a brilliant methodology for measuring (because it is all about the metrics, isn’t it?) your drivel, and the drivel of others, in this most festive time of the year.  No, not the “Judeo-Christian-Pagan-Northern Hemisphere Damn it’s getting cold and dark Holiday season”, but the “I’m too sick of this crap to write anything meaningful, so I’ll just phone it in until next year” season.  (Admittedly there is some overlap).

With this altruistic goal in mind, I present you with the Pandering Pentagram of Prognostication.


The five points of the pentagram represent the key elements of “good” predictions, get them all and your prediction will land in the center of the pentagram, assuring a center brain shot to your victim.  I mean reader.  Whatever.

The five elements are outlined below; miss even one and your prediction may be off target, and you will fail to hit your victim.

Your prediction must be self-serving.

Your prediction must suck up to your customers, prospects, or others whose favor you are trying to win.

You must oversimplify complex issues to the point of nonsense.

Predictions must slight your competition.

And the big one, always play to Fear, Uncertainty, and Doubt.

There you go, Jack’s Pandering Pentagram of Prognostication.  Use it wisely.

 

Jack

Monday, November 21, 2011

Are you positive?

It will not die, and this won’t end it, but I have to try.  “False positive” findings are hotly debated by some folks, but that debate often centers on erroneous definitions or assumptions.  Regardless of the type of system we are discussing, IDS, Anti-Virus, vulnerability tool, whatever- there are some basic ideas involved.
 
The Basics:
There is a defined condition which either exists, or it doesn’t.
The tool or utility detects it, or it doesn’t.
This gives us a pretty simple set of situations, expressed in the table below:

                               Detected                    Not Detected
Condition: Exists              Valid: True Positive        Invalid: False Negative
Condition: Does Not Exist      Invalid: False Positive     Valid: True Negative


There are issues which complicate this simple picture.  One is how strictly we define the condition:

If I want my anti-virus to detect viruses and it misses one- that is a false negative to me.  It is supposed to detect malware, it missed, simple.  Unfortunately, modern malware is constantly evolving and signatures and other triggers are frequently behind the malware- this means the tool misses something it is not configured to detect.  You are still left wiping and rebuilding the computer, but there’s something to consider while looking for the right CD, DVD, or image file.  For what it’s worth, I still consider that a false negative, we use A/V to prevent malware in general, not to block WORMBOTTROJAN.X87.03 or other specific Bad Things with even more pathetic names.

We should be able to ignore two of these for this discussion, the two I have labeled “Valid”.  Note I said we *should* be able to ignore.  Sadly we can’t, because true positives are often dismissed as false positives.  Sometimes it is because we don’t care about the result, or it is not relevant in our environment.  Sometimes it is because we can’t handle the truth.  (Thanks to Graham Lee, @iamleeg, I now refer to these as Unacceptable Positives).  Regardless of our level (or lack) of concern, or the discomfort caused by the truth, if the condition exists and it is detected it is not a false positive.  It is often easy to prevent the utility from reporting on findings, either by changing how it searches, or how it reports on findings.  Go ahead and accept the finding and dismiss it in your environment- just don’t call that a false positive.

Real false positives certainly do exist, and can be a burden.  There are a myriad of reasons they occur, some specific to the technology in question.  Anti-Virus may trigger on a file which looks close to a known bit of malware.  People can screw up signatures. There may be performance trade-offs, looking at larger chunks of network traffic may provide more accurate detection and identification at the expense of speed, either of the detection system, the network (when inline), or both.  Slow down the network, users scream.  Slow the system, traffic overruns the utility and some things will get by.  Tune for performance, miss a few detections.  For scanners, there is a limited amount of information which can be determined in a scan from “outside” a system.  An exhaustive network scan can find a lot of things, but it can also cause network problems due to the load placed on the network.  The limited information available without logging in to inspect a system can lead to inaccurate detections by the tool, positive or negative.  (Note: this is why I always recommend credentialed scans when possible- but that’s another post).

True negatives are safe to ignore, nothing is reported because nothing is there.  Unless, of course, you are a typical security-minded person, in which case you always wonder if something has been missed. Caution leads us to try multiple tools to validate our non-findings (when budget and time allow).

False Negatives are very real, too.  This is where anti-virus gets beaten up, and generally for good reason.  It isn’t only A/V, network load when using scanners and sniffers can lead to missed detections.  Sometimes the signatures just don’t work.  Sometimes the condition we are trying to detect has changed.  This is true for everything from malware to operating systems- new versions come out, patches are applied, and detections change.

Remember that the nature of the system will dictate the tolerance for errors.  A good example can be seen by comparing IDS (true passive intrusion detection systems) and IPS (inline and blocking intrusion prevention systems).  While the technologies are very similar, the goals are different.  A good IDS will not miss detections; false negatives are a serious problem because we don’t want to miss anything, and this means false positives are more acceptable if the trade-off means not missing Bad Things.  An IPS false positive means we block valid network traffic, users wail and gnash teeth, and security takes a beating for hindering the operation of the organization again.  Keeping false positives at a minimum is a priority, and this means it is more likely that some false negatives will occur.  If the cost of the occasional missed detection is lower than the cost of false positives blocking valid traffic, the trade-off is worth it.
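The four cells of the table above and the IDS/IPS tolerance trade-off, worked through as an added example (this is not code from the original post; the alert scores and labels are constructed sample data, and the “ids”/“ips” roles are a deliberate simplification of the tuning goals described above):

```python
"""Confusion-matrix bookkeeping for detection tools, plus threshold tuning.

Each event is a (condition_exists, detected) pair and lands in one of the four
cells of the table: true positive, false positive, false negative, true negative.
tune() then picks a score threshold that matches the tool's tolerance for errors.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Outcome:
    """Counts for the four cells: condition present/absent x detected/not detected."""
    tp: int  # condition exists, detected       (valid)
    fp: int  # condition absent, detected       (invalid: false positive)
    fn: int  # condition exists, not detected   (invalid: false negative)
    tn: int  # condition absent, not detected   (valid)

    @property
    def false_positive_rate(self) -> float:
        """Share of 'condition absent' cases the tool wrongly flagged."""
        absent = self.fp + self.tn
        return self.fp / absent if absent else 0.0

    @property
    def false_negative_rate(self) -> float:
        """Share of 'condition exists' cases the tool missed."""
        present = self.tp + self.fn
        return self.fn / present if present else 0.0


def classify(condition_exists: bool, detected: bool) -> str:
    """Name the cell of the table a single (condition, detection) pair lands in."""
    if condition_exists:
        return "true_positive" if detected else "false_negative"
    return "false_positive" if detected else "true_negative"


def tally(events: Iterable[Tuple[bool, bool]]) -> Outcome:
    """Count (condition_exists, detected) pairs into the four cells."""
    counts = Counter(classify(exists, detected) for exists, detected in events)
    return Outcome(counts["true_positive"], counts["false_positive"],
                   counts["false_negative"], counts["true_negative"])


# Constructed sample alerts (not real data): (score the tool assigned, condition really exists?)
SAMPLE_ALERTS = [
    (0.95, True), (0.80, True), (0.65, True), (0.40, True),                    # real Bad Things
    (0.85, False), (0.55, False), (0.30, False), (0.10, False), (0.05, False),  # benign traffic
]


def evaluate_threshold(scored, threshold: float) -> Outcome:
    """Treat every alert scoring at or above the threshold as 'detected' and tally the result."""
    return tally((exists, score >= threshold) for score, exists in scored)


def tune(scored, role: str):
    """Pick the threshold matching the tool's tolerance for errors.

    role="ids": minimise false negatives first (missing Bad Things is the serious
                error), then false positives.
    role="ips": minimise false positives first (blocking valid traffic is the
                serious error), then false negatives.
    Ties are broken toward the higher threshold (fewer alerts to triage).
    Returns (threshold, Outcome).
    """
    candidates = sorted({score for score, _ in scored})
    results = [(t, evaluate_threshold(scored, t)) for t in candidates]
    if role == "ids":
        return min(results, key=lambda tr: (tr[1].fn, tr[1].fp, -tr[0]))
    if role == "ips":
        return min(results, key=lambda tr: (tr[1].fp, tr[1].fn, -tr[0]))
    raise ValueError("role must be 'ids' or 'ips'")


if __name__ == "__main__":
    for role in ("ids", "ips"):
        threshold, outcome = tune(SAMPLE_ALERTS, role)
        print(f"{role.upper()}: threshold {threshold:.2f} -> {outcome}, "
              f"FPR {outcome.false_positive_rate:.2f}, FNR {outcome.false_negative_rate:.2f}")
```

Run as-is, the IDS role settles on a threshold of 0.40 (every real event caught, two benign alerts to triage), while the IPS role settles on 0.95 (nothing valid blocked, three real events missed). Same tool, same data, different cost of being wrong; the threshold is where that tolerance is expressed.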

Knowing the strengths and weaknesses of your environment and the tools you use is important in tuning for optimum results. Yes, tuning- you share responsibility here- choosing the right tools and using them properly will reduce the pain that leads to tedious blog posts like this.

 

Jack

Friday, November 18, 2011

(ISC)2 election reminder

Not that you are likely to forget, but if you are an (ISC)2 member (hold the CISSP or other certification), the election is on for the Board of Directors.

There were a handful of unendorsed candidates who tried to make it onto the ballot.  One candidate, Wim Remes, made the ballot.  Two others, Rolf Moulton and Javed Ikbal, missed making the ballot but are running as write-in candidates.  And, of course, there is the endorsed slate.

First: you should vote if you are eligible. That’s the most important part- participate, and vote for those you feel best represent you.

Second: My opinion may not be relevant to you, but I’m voting for Wim. And writing in Rolf and Javed. I think Wim can win, and I hope he does- I have faith in him.  I also hope that frustration with (ISC)2 can get Javed and Rolf on the board, too.

You can vote for up to four.  I’ll be voting for three.  I will say that at least one of the board “elders” represents what I feel is wrong with (ISC)2, and to a certain extent, InfoSec.  Choose wisely, and hope it makes a difference.

Oh, yeah- it is the (ISC)2 website, so the links don’t go where you expect and one thing labeled “ballot” dead-ends at the candidate page.  At least I didn’t see any certificate errors this time.  If you have problems voting, complain to (ISC)2.

Go here to vote:

https://webportal.isc2.org/custom/ElectionBallot.aspx?YEAR=2011

If you choose to write-in candidates, please make sure their names are spelled correctly.  There are instructions on both Javed and Rolf’s websites.

 

Jack

Monday, November 7, 2011

End of year predictions

The end of the year is approaching, so the annual flurry of predictions must be right around the corner.  Or maybe that smell is just a septic pumping truck, the contents are similar, except there are regulations covering the disposal of septic waste.

Here are my predictions:

People will predict stuff, and for the most part only their successes will be remembered.

Some people will predict the same things they have been predicting for years (or maybe even decades), and if they are eventually “right”, no one will ask about all the times they were wrong, and even if they did it would be shrugged off as “I was right, just off on timing”.

2012 will not be the year of Linux on the desktop.

And because I feel compelled to make one real prediction, Windows 8 as a desktop OS will be as disappointing as Windows 7 has been successful.

No matter what is predicted or what actually happens, randomness will not get the credit it deserves as people look both forward and backwards in time. Admitting that “life is a crap shoot” doesn’t get you the respect it should.

Dice, random or predictable?

I’ve listened to a couple of interesting books in the past several months, and a recent episode of the Freakonomics podcast does a great job of summarizing a lot of ideas into a one-hour show.  Short version: random stuff happens, and that makes prediction hard.  Really hard.  Also: so called “experts” are usually wrong- and the more adamant and certain an “expert” is, the more likely they are to be wrong.

The Freakonomics “Folly of Prediction” episode does a great job of distilling a lot of research into an easily digestible audio format.  (Note: If you aren’t familiar with Freakonomics, you should be- they make economics entertaining, challenging, and informative.  I’ve read both books and am a regular listener to the podcast.  Unrelated to this post, the recent episode on quitting was another great one).  Some of what they bring up in the predictions episode of  Freakonomics podcast is covered in much greater detail elsewhere, including a couple of books I listened to earlier this year.  The predictions podcast briefly discusses prediction markets, which seem much more promising than traditional pundit-centric pontification style prediction.

Note: I listened to both as audiobooks, Audible is not perfect, but for the commuter and frequent traveler they are great.  (I’ve also heard audiobooks are great for people who “exercise”, but people who do things like that clearly have too much to live for and are just punishing themselves for it).

The first book I listened to was The Drunkard’s Walk by Leonard Mlodinow.  Here’s an excerpt from Stephen Hawking's Amazon Review of The Drunkard's Walk:

In The Drunkard’s Walk Leonard Mlodinow provides readers with a wonderfully readable guide to how the mathematical laws of randomness affect our lives. With insight he shows how the hallmarks of chance are apparent in the course of events all around us.

The Drunkard’s Walk covers a variety of probability topics, from the significance of randomness to some history of the study of probability, and uses many illustrative anecdotes (including a look at the Monty Hall problem and others where “common sense” appears to let us down).

The second book was Future Babble by Dan Gardner.  From the author’s site:

Future Babble, a critical look at expert predictions and the psychology that explains why people believe them even though they consistently fail.

Future Babble is focused on prediction, but as random events and probabilities are challenges to prediction this book does have some content which overlaps with The Drunkard’s Walk.

Both books are overly negative at times, and thoroughly dismissive of many “experts”, but together they make a compelling case for a healthy dose of skepticism.  These works do highlight issues of bias and fallacies which lead us into making or accepting seemingly “logical” but wrong predictions, being aware of these biases and fallacies can help us identify and avoid them.

One of the recurring lessons of all of these works is that the more confident and adamant someone is about their predictions, the less likely they are to be correct, and the more likely they are to deny when they have been proven wrong.  A lot of this goes back to Philip Tetlock’s works including Expert Political Judgment, a skewering of political pundits’ ability to predict much of anything.  Tetlock often speaks of “hedgehogs and foxes”, a reference to the phrase:


The fox knows many things, but the hedgehog knows one big thing


from the ancient Greek poet Archilochus.  The hedgehogs are those with an ideology or single big idea, they hold onto the idea and rationalize around it.  Hedgehogs tend to use absolute words and are very confident in their predictions- hide from these people (television, especially cable news and talk radio are full of them).  Foxes, by comparison see much more variability in the world and are prone to use what we often derisively call “weasel words” such as “probably” or “likely”.  Foxes are also much more likely to admit they were wrong when history proves their predictions in error.

I am not saying that nothing can be predicted, and I’m not tossing stones at my risk and metrics friends- I am just suggesting that we pay attention to the realities of the world.  And the reality is that random events happen and have a large impact on our lives, and that some things which appear random are not.  And that means predictions are often hard, if not impossible.

I’ll leave you with a final quote, this one from the great philosopher Yogi Berra:

“It’s tough to make predictions, especially about the future.”

 

Jack

Friday, September 16, 2011

Cyber War posts by Marcus Ranum

As long as I’m not filling your RSS feeds, maybe you want to wander over to the Fabius Maximus blog and read a series of guest posts by Marcus Ranum.  Marcus’ topic for this series is “Cyberwar: a Whole New Quagmire”.  It is a good read, insightful and occasionally inciteful (it is Mr. Ranum after all).  Three parts have been posted so far:

Part 1: The Pentagon Cyberstrategy

Part 2: “Do as I say, not as I do” shall be the whole of the law.

Part 3: Conflating threats

OBTW, obligatory disclaimer: Yes, Marcus is now a co-worker.  Not relevant to this post, but I like to pretend to be ethical and open.

 

Jack

Thursday, September 15, 2011

Crunch time for (ISC)2 endorsements

In case it slipped off your ever-growing to-do list, a gentle reminder that there are five unendorsed candidates for the (ISC)2 Board of Directors.  I happen to think it would be a great idea if any CISSP or other (ISC)2 member in good standing endorsed all of these fine folks.  The deadline is soon.

Remember, endorsement just helps get them on the ballot, the election is coming later this fall.  A refresher:

Thanks

Jack