Tuesday, June 14, 2016

Bad analogy, bad. No biscuit.

If you use the “If I leave my door unlocked you don’t have the right to walk in…” analogy when discussing web disclosures, you really need to stop.  Bad analogies are bad.

You know the cases, folks find things on the Internet that people didn’t mean to make public, and a storm ensues and all kinds of people say all kinds of naïve stuff, including people who should know better.

Your website is not a house, and not just because of the physical vs. virtual difference.  If we have to use this analogy, let’s at least get it more accurate.

You live on a road, it may be public, or it may be private, but either way it is open to the public- in fact public use is encouraged.  That’s why you put your house there, because of good access in and out to the rest of the world.  You put sensitive data on signs in your yard, visible from the road.  There might even be a sign that says “only read your own data”, but it is all visible.  Someone drives by and reads someone else’s sign from the road.  Maybe they take pictures of the signs.

Still imperfect, but much more accurate.  And so convoluted it doesn’t help make any point.  These issues are not simple and misrepresenting them and oversimplifying things does not help.

Note that I have not made any judgements about who exposed what where, and who drove by and looked at it.  If it is your house and you post my data in an irresponsible manner, you are being irresponsible.  If someone feels the need to copy everything to prove a point, that causes problems, even when their intentions are good.

Without picking any specific cases, most of the ones that make the news are a combination of errors on both sides.  You should act like sensitive data is, I don’t know, sensitive.  And when you stumble across things like that (and you will if you use the Internet and pay attention), you should think about how folks will react, and keep the CFAA in mind.  Right or wrong, that’s the world we live in.  I think the CFAA is horrible and horribly out of date, as is the DMCA- but while they are the law and enforced, ignore them at your peril.  It is worth considering that when people find stuff that shouldn’t be posted publicly, it generally doesn’t require downloading the entire dataset to report the problem, in fact that is likely to create problems for everyone.

And yes, that’s a gross oversimplification from me in a post where I decry gross oversimplification.  Literary license or something.

And because I actually care about this mess we’re in, I’ll make an offer I hope I don’t regret: if you stumble across things which are exposed and you really don’t know how to handle it, please pause and reach out to me.  I’ll ask friends in law enforcement for guidance for you if you wish to remain anonymous, or I’ll try to help you find the right folks to work with.  If you are outside of the US, I’m unlikely to be of much help, but I’ll still make inquiries.

Note that if you are on any side of one of these situations and act like a dumbass, I reserve the right to call you a dumbass.  I’ll still try to help, but I’m calling you a dumbass if you deserve it.  That’s as close to idealistic as you’ll get from me.

 

Jack

Monday, March 28, 2016

Where’s Jack, updated

A few changes and an addition- In the upcoming weeks and months I’ll be speaking at the following events:

InfoSec Southwest, Austin, April 8-10

Sayers’ #Curio Technology Summit, Chicago, April 13

BSides Calgary, April 28-29

ISSA-LA Summit, May 19-20

IT-PRO, Seekonk MA, June 15

ISSA-NE, Waltham MA, July 12

I will not be speaking there, but I will be at the NIST Cyber Security Framework Workshop at NIST in Gaithersburg, MD- if you’re going to be there please say hello if you see me.

And I’m sure I’ll be at a few more.  See you on the road.

 

Jack

Friday, March 25, 2016

Debunking debunking, part 1

Things need to be proven, or disproven. Urban legends need debunking.  But unless you dig into the history and have some context you may be wasting your time.  And if you have the context, you can make your case more convincingly.

Let’s venture into automotive lore for two examples.  First, a simple one- there’s a longstanding belief that you should never place a battery on bare concrete or it will damage the battery, or at least cause it to discharge.  You regularly see shops with batteries on scraps of plywood to this day.  I had this “debunked” at a manufacturer’s tech training many years ago: one of the instructors put a fully charged battery on the bare floor at the beginning of a week of training and it was fully charged at the end of the week.  End of story, right?  Well, not quite.

First, the school was new and well equipped, it even had infrared heating, so the concrete floors were always warm, as opposed to the cold, damp floors many garages have throughout the winter.  Putting a modern battery on a cold damp floor really won’t hurt the battery- but cold batteries don’t release their power as well as warm ones, so putting a marginal battery on the floor could make it weak enough that it won’t start a car without being charged.

Second, above I said:

“Putting a modern battery on a cold damp floor really won’t hurt the battery”

The word “modern” is key to this legend.  In ye olden days car battery cases were made of “sealed” wood, then of natural rubber- both of which were somewhat porous.  Concrete is very good at wicking moisture, so putting one of these old batteries on concrete could really discharge it and suck water out of the battery.  Knowing this backstory means you can make a more convincing argument when faced with this particular legend.

Later, I’ll dive into one that has been “debunked” on TV and in universities.  By people who apparently don’t get the significance of context.

 

Jack

Monday, March 7, 2016

Where’s Jack?

Hey Jack, you weren’t at RSA/Shmoo/Derby, what’s up with that?

Well, life and stuff.  But I am out and about quite a bit, I’m just much more likely to be at smaller and more regional events lately.  I heard there were something like 40,000 people at RSA, it seemed to do OK without me this year.

In the upcoming weeks and months I’ll be speaking at the following events:

BSides Salt Lake City, March 10-11

Chattanooga ISSA, March 14

InfoSec Southwest, Austin, April 8-10

Alberta (ISC)2, Calgary, April 27

BSides Calgary, April 28-29

Rocky Mountain Information Security Summit, Denver, May 11-12

ISSA-LA Summit, May 19-20

IT-PRO, Seekonk MA, June 15

ISSA-NE, Waltham MA, July 12

And I’m sure I’ll be at a few more.  See you on the road.

 

Jack

Saturday, January 23, 2016

For the bored: Infosec Noir

Instead of doing productive things I’ve found a new outlet for self-entertainment, and I seem to be amusing a few others, too.

My newish Twitter account is @InfosecNoir, it is:

“The adventures of Jimmy Black. He decrements the TTLs of cybercriminals so you don't have to.

He has a drinking problem, but only when his glass is empty.”

It is pretty low volume, and is meant to entertain me.  If it entertains you, too, then maybe follow, or just check in occasionally.

Important note: While some of it is autobiographical, and some is “based on true stories”, much is pure fiction.  I’ll admit the first tweet is autobiographical,

image

after that, your guess is as good as mine.  And for the pedantic, it was Atorvastatin, not Lipitor™.  Yay generics.

 

Jack

Tuesday, January 19, 2016

Open Live Writer

Oh, hey- bloggy thing.  I know I should blog more, both here and over on my travel drinking blog, but you know…

Open Live Writer

One very nice recent development is that a team at Microsoft has created an Open Source fork of Windows Live Writer.  WLW used to be a really sweet, lightweight WYSIWYG blog tool for Windows- then it got Microsofted and bloaty, then abandoned.  Open Live Writer brings it back from the dead, updates authentication to work with modern platforms, and pulls out a lot of cruft.

It is still early in development, but so far it is working well for me and I do not miss any of the “missing” features.  I’m enjoying the speed and functionality of Open Live Writer, and I’m grateful that some folks at Microsoft have revived this great little tool.  If you are a blogger and Windows user, check it out.

 

Jack

Sunday, January 17, 2016

Introducing the PIVOT Project

OK kids, this is cool.  Know a hacker or computer club or school that could use some free, community-contributed labs?

Pivot Cyber Challenges

 

From the website (pivotproject.org):

“People who earn great jobs in cyber security have mastered both academics and hands-on skills.  But where can people with a wide variety of skill levels get hands-on practice with real-world cyber security problems?  On January 12, the PIVOT project goes live to help meet that need. PIVOT makes it possible for students and others, all over the world, to build their hands-on skills in a fun, challenging, real-world cyber environment.  PIVOT provides exciting hands-on labs and challenges for student groups and associated faculty, completely free.  Through a variety of engaging downloadable materials, participants build their hands-on skills to help them pivot from academic studies to their future cyber security careers.”

To kick things off there’s a contest to get things moving and gather feedback:

“We’re launching PIVOT with a special contest and over a dozen prizes so you can help make PIVOT even better.  Prizes include gift cards, club pizza feasts, t-shirts, and more!

To participate in the contest and help us make PIVOT even better, all you need to do is have your group work through your choice of at least two of our current labs, and then have a student leader or faculty member fill out our contest form by February 15, 2016.  The contest form gathers information about your experiences with the labs and recommendations for additional PIVOT challenges.  From all submitted entries, we’ll select the top 5 with the most useful input to receive our grand prizes.  Then, from all submitted entries, we’ll select another 10 at random to receive a prize.”

Please check out PIVOT Project and spread the word, it is off to a great start but now we need to build the community.

 

Jack

Saturday, January 9, 2016

A different kind of magic

Yesterday the world lost a good man, and the hacker community lost a great friend.  David Jones, better known to many as Rance, or @RevRance, ended his battle with cancer early yesterday morning; his suffering is over.


A great photo of Rance by Kevin Riggins
Throughout history we’ve called anything we don’t understand “magic”.  Those of us in technical fields often think of Arthur C. Clarke’s third law:
“Any sufficiently advanced technology is indistinguishable from magic”
but many things we don’t understand other than technology have been called magic as well.

Rance had a special magic.  We may not have understood how he always seemed to know who needed a kind word, or how he knew exactly what the needed word was, but he did.  In the last couple of years it was sometimes hard to understand how he remained so kind, generous, and happy in the face of his cancer battles- but he did, because he was Rance.  That is a special kind of magic, and we will miss it dearly.

While we mourn our friend we can remember him best by trying to find a little of that special Rance magic in ourselves and each other.



Jack

Friday, October 2, 2015

Recruiter and SEO response templates

I’m normally sympathetic to technology recruiters, but some are just hopeless.  These, I have no sympathy for.  And the SEO spammers, no sympathy for any of them.  Every now and then, one is so obnoxious that I feel compelled to respond, and as a community service I’m sharing templates I use for responding to the worst of them.

For the recruiters:

[Dude/Dudette], I hate to be an ass, but really- digging up an ancient resume and throwing names at the wall to see if any stick- this is why recruiters like you and your ilk are loathed.  As someone who spends a lot of time trying to help folks develop and advance their technology and security careers this shit really pisses me off.

I'm not interested in moving at this time, but not being a fool I would entertain appropriate offers.  That means a minimum of [INSERT LARGE NUMBER HERE] plus options or equity, a maximum of [SMALL AMOUNT OF TIME HERE] hours per week dedicated to direct company work, support of my [LARGE NUMBER] of hours per week for community development and engagement, plus research time.  Oh, and support of my [TRAVEL, SPEAKING, DRINKING, ETC.] schedule.

The one I use for SEO is specific to Security BSides, but feel free to adapt as appropriate for your needs:

I'm sorry [SEO SCUMBAG'S NAME HERE], but we're a global community of technology and security experts, many of us have been in the field since pre-Web days... and none of us has ever heard of you or your firm.  We have a globally recognized and respected brand and have drawn several thousand participants to hundreds of events around the world without your help.

In fact, perhaps you would be interested in contracting with some of our technology, social media, and marketing experts to help build your brand- at competitive consulting rates, of course.  If not, please remove this, and every other Security BSides affiliated email from your lists.

Yes, I can be a bit of an ass, but it is occasionally justified.

Jack

Sunday, September 20, 2015

SWAMP, the Software Assurance Marketplace


I recently took a fresh look at the “SWAMP”, the Software Assurance Marketplace- it is a great idea and a valuable resource.  The short and incomplete story is that SWAMP is a suite of software analysis tools integrated into a centralized, cloud-based software testing environment- and it is available to software developers, software tool developers, and researchers- for free.

From their website:

“Software is a crucial component of daily living, affecting worldwide economic structures and the services we depend on every day. With the increasing rate of security breaches, it is clear that conventional network security solutions are no longer able to defend our privacy, corporate data, and critical banking information. Today’s applications need to be built more securely at the code level, and that code needs to be tested regularly.

The SWAMP was developed to make it much easier to regularly test the security of these applications and to provide an online laboratory for software assessment tool inventors to build stronger tools. Testing is often complicated and challenging, because comprehensive testing requires the use of several disparate tools with no central means of managing the process. The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of  open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. A first in the industry, the SWAMP also offers a library of applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own static and dynamic testing tools. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software, the SWAMP integrates security into the software development life cycle and keeps all user activities completely confidential.”

The current test environment is able to test software written in C/C++, Java (including Java on Android), Ruby and Python- with JavaScript and PHP in development.  SWAMP will support eight languages by the end of the year.  There are currently sixteen tools in the suite with more being added, and numerous commercial companies are participating- including Veracode, CodeDX, Goanna, GrammaTech, and Parasoft.

The Marketplace team includes some serious academic centers for technology: the Morgridge Institute and the Department of Computer Sciences at U of Wisconsin-Madison, the Pervasive Technology Institute at Indiana University, and the National Center for Supercomputing Applications (NCSA) at U of Illinois Urbana-Champaign.  In my conversation with Bart Miller and Miron Livny of SWAMP it was clear that this project was built for practical use in the real world; it is not an academic exercise- this is immensely practical and useful stuff.

There are many more details on their background page, including some impressive tech specs (at least I consider 700 cores, 5 TB of RAM, and 104 TB of HDD impressive).

We are going to try to get folks from SWAMP on the Security Weekly Podcast to discuss the marketplace in depth.  Stay tuned for more on that.

 

Jack