Yes, I feel guilty about that.
I'm changing domain registrars and will inevitably miss a simple step and knock myself offline, but I'll be back here if I disappear.
Small Business Information Security has been an oxymoron for too long- this is my attempt at changing that.
And a place for me to spout off.
I’m old. My hearing sucks. Years of power tools, especially air tools, a few concerts with the volume cranked to 11, and age have combined with male selective hearing to leave me with a bit of hearing loss. Not bad mind you, but I know I’ve lost a lot of hearing range. But I recently gambled on an inexpensive pair of IEMs, and was amazed at how much better they are than any earbuds I’ve ever tried. Even the bottom end of the Shure IEM line lets me hear things in music that I haven’t heard in years. I’m not likely to get much value from high-end IEMs, but I may experiment. And properly fit earpieces block so much noise that they shut out the world as well as noise cancelling headphones- but with vastly better acoustic range. I use them all the time now.
But now I’m walking around San Francisco (a remarkably safe city, BTW) and I’m freaked out by the sound isolation- my loss of situational awareness makes me uncomfortable even on a gorgeous day in a nice neighborhood. I’ve started walking around with one earpiece out, only listening to music through one ear so I can hear the world around me. Thankfully I realized the problem in a safe environment.
Once again I’ll leave you to connect the dots to InfoSec… new toys, myopic focus, loss of big picture…
Q: Why do you use that software? It’s horrible!
A: Because it’s what I know, and once you get used to it it isn’t so bad.
Sound familiar? It’s what I like to call “Software Stockholm Syndrome”, and we’re all victims.
Take the application I’m using to write this post, Windows Live Writer. Writer used to be a sweet little WYSIWYG blog editor, lightweight and versatile. Sure, a little light on features, but a great little app. Microsoft put their stamp on the app that came with the Onfolio acquisition until it had a few more features and a stunning amount of bloat. And yet, I use it regularly. OK, not that regularly (it gets more use these days for my travel/drinking blog), but I stick with it because I know it. Don’t laugh, pretty much everyone does it with some software. Some companies are worse than others, even Apple does some things horribly- see every other iteration of the dreaded iTunes (aka iTurds), or that recent OS update that shattered audio (and other) workflows.
Software Stockholm Syndrome is part of the reason that those people whose computers you fix don’t want to give up their AOL accounts, or Windows XP, or whatever. But it isn’t just the Luddites, even those of us who love new stuff cling to a few things out of familiarity.
Of course, newer isn’t always better (what, did I say “Windows 8”?), but if we don’t question our choices we’re all stuck with crappy software because “it’s popular”.
I don’t have a cure for Software Stockholm Syndrome, but as with many problems awareness is the first step to recovery.
One of the InfoSec community’s greatest distractions lately has been attribution, both specifically and generically.
Let’s start with the Sony fiasco and the FBI’s pinning the attribution tail on the North Korean donkey. Many people have beaten this to death, there has even been name calling over it. And I don’t care. There are certainly questions unanswered, but I’m not opposed to the idea that it was North Korea, I’m just not convinced “beyond a reasonable doubt”. The argument is lost in the greater public, everyone believes it, just like they believe “hackers” are all bad. In InfoSec many of us refuse to blindly believe the government for a variety of reasons- political, factual, conspiratorial, and probably even astrological. Here’s my take- if the FBI came out and said something like:
“Hey, remember those Snowden docs? Well then you won’t be surprised to hear that we’re all up in North Korea’s stuff and have been for years. The NSA saw things come and go which prove to us that they are responsible, but we can’t show you the sensitive bits for obvious reasons.”
we would have grumbled about facts and proof and stuff, but I think many of us would have bought the story more than we did with the approach they took. I’m not sure how Sony would have felt about that revelation, but they’ve probably figured it out by now. The feds told us they had proof, then released some data, some of which was refutable or inconclusive- and being skeptics, several folks in InfoSec took the data apart and poked holes in some details and raised questions about others. Being skeptical is what we do. Gullibility is not a great trait for a career in InfoSec. Even if the feds had released what they did with the disclaimer “this is imperfect, but it is all we can release because: reasons” it would have been better. But most folks bought the story blindly, so I guess they don’t need PR lessons from me.
If you want some good reading material on attribution, Marcus Ranum recently wrote “Attribution is Hard” Part 1 and Part 2, a good look at the challenges of attribution. If you want more visceral posts on attribution, head over to Krypt3ia’s blog for some great rants and content.
As for me, when I feel like getting all wound up over attribution I update and patch systems in my home and lab environments- it is more productive than pinning the attribution tail anywhere other than on my own butt.
The fundamental flaw with most attribution stories I see is that they are based on forensic evidence alone. That means evidence the attackers were willing to let us see. That’s a problem for me, it means that if the apparent attacker is the real attacker I’ve been beaten by a lazy or incompetent attacker, and otherwise I’m unlikely to find the real culprit with my limited resources. Either way, I would be better served making backups, checking configurations, and typing “yum -y update” or “apt-get update” into SSH sessions.
Don’t get me wrong, for some folks attribution is important, and for many of us it is an amusing diversion. If you are trying to prosecute criminals, you need solid attribution. If you are doing serious threat intelligence then attribution matters (whatever the hell “threat intelligence” means- it’s become yet another InfoSec term that means so many different things that it means nothing).
If you have the choice between spending your limited post-breach resources on chasing attribution or fixing stuff, I suggest you fix stuff. If you have truly secured your environments well and have the resources, maybe post-breach attribution will be valuable. I think those situations are rare. Note that I resisted the temptation to say “if you’ve secured your environment you wouldn’t need attribution because you wouldn’t get breached”, I think we all know those days are long gone (if they ever existed).
Jack (as far as you can tell)
A few folks have asked me about my roles on the advisory board for Intelligent Defence and as a judge for RSA’s new crowdsourced track. I’m often thought of as “Mr. BSides”, which is unfair to a lot of people who do a lot more than I do to build and sustain the Security BSides movement and community, and unfair to the thousands of organizers, volunteers, speakers, sponsors, and participants who make BSides what it is. This also overlooks the fact that I have long been engaged with a variety of groups and events, and I work in the security industry.
The short version of the story is this:
Two big events are listening to their attendees and responding to their audiences’ requests, and they asked me to be involved. As someone who has pushed for better content, conversations, and community engagement in numerous events and organizations over the years I jumped at the opportunities; I would have to be a much bigger hypocrite than I already am to decline the requests.
Of course I am watching to see if these new programs have any impact on the local security and hacker communities, but the nearby BSides San Francisco and BSides London events have a very different vibe from RSA and Infosecurity Europe, and other events such as 44Con are at other times of the year. My hope is that the new programs will expand the much-needed conversations about information security and security research and help grow the security community, that’s why I’m involved.
The US RSA Conference is adding something new for 2015, a crowdsourced submissions track. RSA gets a stunning number of submissions each year, and it takes a long time to sort through them all- leading to a common grumble about the long lead time between submissions and the conference. And as with almost any event, some question why certain talks were accepted over others. RSA has been listening, and is trying this new crowdsourced track to address some of the feedback they have received. You want a short lead time for talks to allow for recent topics? You want a say in some of the talks which get accepted? The new track will add 12 sessions to answer these requests.
The Call for Papers opened today, January 29, and will close on February 27 (less than two months before the event). Given the size and scope of the RSA Conference, it is significant that they have taken this step.
I am excited to be one of the judges for this program, joining industry leaders Alex Hutton, Eve Maler, Jennifer Minella, and Rich Mogull. Our role is to make sure the submissions follow the guidelines, aren’t sales pitches, and to filter out any “ballot stuffing” which might happen. See the Crowdsourced Submissions FAQ for details.
“Infosecurity Europe's meticulous research revealed that attendees of the Number 1 exhibition and conference in Europe require more in-depth, technical research sessions.”
The folks at Infosecurity listened, and then acted, creating this new conference which will run parallel with Infosecurity Europe. Again from the Intelligent Defence site:
“Infosecurity Intelligent Defence 2015 is a two-day, technical security conference, focusing on the latest research into vulnerabilities and exploits and sharing insight into how to defend against them. The Conference provides a new and exciting platform for the latest technical research and defensive tools and techniques to be shared with the wider information security community.”
I am honored to be a member of the Advisory Council for Intelligent Defence, along with industry luminaries Dr. Eric Cole, Rik Ferguson, Trey Ford, and James Lyne.
The call for papers for Intelligent Defence is open until Thursday, February 12, so act fast if you want to get in on the first year of this new event.
Note: yes, I know they spell “defence” (and a lot of other things) funny over there- like what’s with all the extra “u”s? (I must now run and hide from my “proper” English speaking friends).
Another year is gone, and it was a pretty amazing one for Security BSides. It is hard to believe that this adventure began five and a half years ago, with the first event happening in July of 2009. BSides has exploded since then, there have been a total of 167 BSides events globally- with 58 in 2014 alone. BSides have now been held in 74 cities in 16 countries, on every continent except Antarctica. 2014 brought BSides to more than a dozen new cities across the world, including the first events in Asia. Some of 2014’s new BSides cities included Dubai (UAE), Hyderabad (India), Singapore, Bogota (Colombia), Reykjavík (Iceland), Hamburg (Germany), and many across the US.
Check out the “World of BSides” map showing all BSides cities:
There are already well over a dozen BSides events on the calendar for 2015, with many more in the planning stages. The latest information on all BSides events can always be found on the BSides wiki.
BSides is a stunning success because of the huge community of organizers, volunteers, speakers, sponsors, and participants who have come together to make something amazing. The “What BSides Means to Me” page on the wiki has some fantastic insights into what drives us to sustain and grow BSides, it is worth a read.
As promised, that other hospital tech incident. I was leaving a friend’s room right after the nursing shift changed and the new nurses were beginning their rounds. As I was preparing to leave I heard the nurse outside my friend’s room call down the hall “Is your computer working?”. I paused in saying my goodbyes and we listened to the nurse muttering and typing ever louder on the mobile cart keyboard. Not good. Especially since that computer stood between my friend, and every other patient, and medications. The nurse popped in, said they were having computer issues, and that she was going to pull his medications manually- the delay would only be a few more minutes. And true to her word, his meds arrived only about 20 minutes late thanks to a manual backup routine for checking out medications.
As I left I saw that two of the cart computers were displaying “unable to authenticate” errors. I don’t know what the problem was, and my friend never found out. I guess he was too busy being seriously ill to diagnose authentication failures.
Not bad, eh? There was a system failure, but backup procedures were in place to prevent serious problems. High fives for all?
Not so fast. That 20 minute delay doesn’t seem significant, unless of course you were the one waiting for medication. Most critical meds would be administered intravenously so… wait, those are behind the same system. But still, only a 20 minute delay… except the process had to be repeated for each patient until the error was resolved, and the manual paper records had to be transferred into the computers when they were restored- so at the end of their shift the nurses were further distracted from patient care to do data entry.
I’m not repeating these medical computer issues to throw stones at the medical profession, or at technologists working in healthcare- but to illustrate some fundamental issues with technology and security.
In the first tales of poor communication, there seemed to be a few symptoms and causes, but one crucial result. Data input was inconsistent and maybe not as easy for medical professionals to use as it could have been. Probably related: since there often wasn’t timely info available in the computer system, people relied on it less, and thus input less frequently- a classic “chicken and egg” situation. The critical end result was delayed patient information, but there was also the sadly familiar case of a system becoming a burden (and possibly even a liability) when it should have been an asset. Usability, user buy-in, and management oversight all needed to improve to move this forward. I’m sure that sounds familiar, although hopefully in different contexts.
Today’s tale is a bit different, it is about a failure to understand the consequences of operating on backup procedures. “We have a plan for when things go wrong” is great and all, but if it doesn’t let people do their jobs in a reasonable manner without undue consequences your fail-safe is a failure. Granted, these are extreme conditions; delayed email is not the same as delayed patient care, but there are still lessons to learn.
Oh, and you’ll note I didn’t mention compliance, that wasn’t an oversight. I’m not an expert on healthcare compliance (unlike many who pontificate on it but can’t spell HIPAA) and I don’t want to blindly speculate on things like what perversions to pain management are imposed by the “war on drugs” and what that means for procedures for dispensing controlled substances. If potential impact on patient care doesn’t get you thinking, I hope you aren’t working in healthcare.
The first Hancock story I mentioned last week is the opening story in his new book. He tells the story better than I do.
I’m not far into the audiobook, but I wanted to hear a bit of it the other day between chapters of Kim Zetter’s new(ish) book on Stuxnet. That one is good, too- Zetter balances making the story approachable to non-techies with detail enough to keep those with some knowledge of the events engaged. Unfortunately, the audiobook version means I don’t have access to the extensive footnotes unless I buy a print copy, too- but I spend enough time on the road that the audiobook was the fastest way I would get to digest the book.
A note on the audio of these two books- the reader of Zetter’s “Countdown to Zero Day” speaks slowly and clearly, so slowly that I find the book much more listenable at 1.5x speed. Herbie Hancock reads his own book and tells his own stories, his delivery is, not surprisingly, fantastic.
Yeah, I still owe you that other hospital story. Remember, patience is a virtue. It is not one of mine, but that’s another story.