Sunday, May 31, 2009

Cyber-Cyber-Cyber-Cyber-Oh stop already

I have recently been fuming and ranting about all the cyber-stupidity going around, from the various reports by the various commissions to the lies, hype, and nonsense President Obama has recently spread (of course some of his talk was lies, he is a politician, it's what they do- come on, you are interested in security, you can't afford to be naive).

I have found a couple of very good posts on the issues; whether you are interested in cutting through the hype or fanning the flames of FUD, check out Gene Spafford's excellent post, A Cynic's Take on Cyber Czars and 60-day Reports.  Also, be sure to check out S.773 - The Cyber Security Act of 2009 - part 1 over on the SoVAsec blog for a detailed analysis (and skewering) of the Cyber Security Stupidity Act of 2009.

It appears that rolling out the memory of 9/11 is no longer guaranteed to have people rolling over and throwing money, so something new is required- calling it cyber-something.  (Here's a neat trick, the next time someone within earshot babbles something about 9/11, ask them what year it happened and watch them fumble).  Now the threat of a "Cyber-Katrina" or "Cyber-9/11" is supposed to make us throw money at an undefined problem and possibly cede control (via laws and regulations) of networks and systems to regulators.  Given how disastrously the US government handled the incident response and remediation of 9/11 and Katrina, I cannot imagine that any sentient beings would fall for it, but then I am apparently a naive optimist for thinking this way.  (Any day that I fall into the category of "naive optimist" we are SCREWED).  And, who do you think is lining up for the buckets of cash? That's right, the usual suspects in the military-industrial complex.  That would be great if the defense contractors had not repeatedly proven themselves inefficient, overpriced, and incompetent.

And remember, when people talk about spending "government money" on a problem, they are really talking about "tax money"; you know, money that was formerly yours.



Tuesday, May 26, 2009

Useful remnants of that past life

As I was cleaning out some directories on a server to be decommissioned, I found an old webpage full of links to various manufacturers' service information websites. This is where you turn when you need the official word of the manufacturer, when the parts store manuals just won't do.  You can also order service manuals and wiring diagrams from many of these sites.

I have updated the list and offer it here.  Most will cost you something, some are reasonable, some are not.  Almost all require Internet Explorer, a couple appear to still be happiest with (egad!) IE6.  This is the info which sorts the free scan at CheapoPartsWorld from the $100-$200 scan at the dealership- actual facts and details, technical service bulletins and more.  Note: if you are working on older vehicles, make sure information is available for your model year before spending your money.  This is a list of US sites; you may need to dig around to find the appropriate site if you are outside of the US (or find an appropriately-located exit node, but vehicles outside of the US may be different than US-spec vehicles).  Below find links to the sites, a little info on pricing, and maybe a description or snarky comment.

Prices start at ten bucks for three days of Honda or Acura information.

"If you're looking for service and parts information for Honda and Acura vehicles, please check out our Web site. The same factory-authorized information available to our dealers is available to you. ServiceExpress has all vehicle service information back to 1990, plus all active bulletins back to the early '70s."

Not a bargain, but if you own a Beemer, you already expected that, no?  Starts at $30 a day, goes up to $2500 for a year.  Note: this is auto-only, no motorcycle info here.

General Motors/Saab
The AC-Delco site is what you wish others were- more info than you can handle, some free content (like parts info), subscriptions for premium content start at $20 for three days.

Free.  Yes, FREE service information- and even offers some free training, too.

Online subscriptions start at $19.99 for a one-day subscription.

"Unlimited online access to Infiniti Service Manuals, Technical Service Bulletins, Interactive Online Training, and more for the duration of your online viewing subscription"

Jaguar is especially difficult (of course).  They won't even let you get subscription prices without completing an annoying registration.  A couple of years ago (when they were still part of Ford) prices started at $10 per day for a single vehicle model and went up from there.

Another "register first" site, prices used to start at $10 for three days, but Kia owners could access the same info for $10 a week.

A good site, lots of information, a decent amount of free information, subscriptions start at $10.95 for a single model for three days.

Your tech info source for Chrysler Corporation vehicles, which may come in handy considering how hard it is these days to find a Chrysler/Jeep/Dodge dealer with the doors open and the lights on.  Subscriptions start at $20 for one day.

Anti-theft codes, bulletins, and service manuals can be found here, subscriptions starting at $19.95 a day.


This is the same site as BMW, with the same issues- from $30 a day for subscriptions.

This one is a pretty good site, they even let you search before you buy, so you can make sure you are getting the answers you need for your money. Subscriptions start at $19.95 a day.

Excellent coverage, including easily printable downloads of information. It is easy to use and includes some videos. Access costs start at $19.99 for one day.

I haven't checked in a while, but last time I looked this was not the most user-friendly site- but it is Mercedes, so they don't really expect a lot of do-it-yourself types to be hacking away at their SLR McLaren in the driveway. Subscriptions start at $18 for 24 hours.

Obtuse and impossible to navigate. Used to be pay per document, but now, who knows.  There's a guy near the Porsche dealer who used to work there and got sick of the BS so he opened his own shop, go to him for help. Really, this is true almost everywhere.

Subaru [edit- added entry]

Thanks to tw000 for adding this one in the comments- Subaru's pricing starts at $34.95 for 72 hours, and they have a free tutorial on the use of the site available without registration.

Toyota, Scion, Lexus
This is one of the best technical information centers, starting at $15 for a two-day personal subscription.

"A Standard TIS subscription provides access to all of the product support information necessary to maintain, diagnose, and repair vehicles manufactured by Toyota and marketed in the USA. As a general rule, model coverage begins with the 1990 model year with some information, like Technical Service Bulletins, available back to 1987."

Volvo breaks down payment by desired information. For instance, wiring info is $4 for 3 days, service bulletins $3 for three days, and so on.  Yes, it is a pain. But a safety-first pain.

VW/Audi
Not so user friendly. Yes, this is a trend with German manufacturers, they hate you, get over it.  Another "register before you even get pricing" site. The first thing you will notice is the certificate mismatches, apparently VW/Audi are new at the Internet. But, if you are desperate enough, go for it.

Of course, if you just need basic info, AutoZone has rudimentary manuals online for many vehicles.  NOT an endorsement of AutoZone, or their website- but the free guides are a handy resource for the frugal do-it-yourself mechanic.

Add a whole huge disclaimer here: cars are dangerous, working on them is dangerous, be careful, don't get in over your head, and remember all the stuff on the other end of those links above is copyrighted/trademarked/DRMed, etc.

Happy busted knuckles-



Saturday, May 23, 2009

Flashbacks from a past life

Actually, more like acid reflux than a flashback.

In a past life I worked in the car business, and I have just lost my last auto dealer customer.  From pumping gas and doing light repairs as a teenager, to being a master tech, to managing parts and service operations, to IT and internal audit, I have seen a lot change in the auto industry in the past several decades.  And yes, there are more than a few scumbags and crooks in the car biz, but there are many more good people, working long and hard to make a living.

<RANT>When the !@#$%^ morons at Chrysler and GM babble about the need to terminate ~2,000 dealers between them to stay afloat, the imbeciles who created the problem fail to mention that those ~2,000 US dealers employ almost 200,000 people- that is more than all employees of GM and Chrysler combined. Let me repeat that, those "small" and "under-performing" dealers employ (well, they used to) more people than the manufacturers shutting them down.  Screw bailing out the people who caused the problem, bail out the folks who employ people in YOUR community and pillory the heads of the manufacturers.</RANT>

You can easily make some security connections here- like the obvious question about how well failing companies are taking care of personal info (example here)- but I'm really just lamenting the state of things.  Good luck to my friends who are trying to stay in the business, and to those trying to transition to a new career in this economy.


Thursday, May 21, 2009

Don't say "No"

Security types are not known for being agreeable. This makes sense, because we are often asked to do stupid things like blow gaping holes in security just because some schmuck wants to do his/her job more easily.  The nerve, what do these folks think- that we are running a business instead of running a secure infrastructure?  Oh, crap...

So here's how my standard answers have evolved over the years:

First, (like almost everyone else) I simply said NO to any request.  It is a safe answer, you know there is something wrong with every request- insecure, incompatible, can't afford it, etc.  But then people start bypassing you, overruling you, or ignoring you- and then you are forced to deploy bad ideas, or worse yet, stabilize and/or secure things after they are deployed poorly.

Next I realized I needed to try to steer things without being an obstructionist, so my standard answer became "Yes, but..." and I listed issues and concerns with the idea in a constructive manner.  The results were better, but some folks only heard the word "yes", and then we're back to the same mess as before.

My current approach isn't perfect, but it is another step forward.  My answer to requests has evolved into "If you do...".  The reactions can be entertaining, people are sometimes shocked to have responsibility for their requests placed neatly in their laps.  If someone wants something, make them be involved and responsible for the outcome.  Some still won't come around, but some will.

And recently, Allen Deryke suggested another, potentially better, approach: answer with "If we do...".  Now you have (ideally) added an element of teamwork into the solution while putting some responsibility on whoever is making the request.  You will just have to make sure that you aren't assumed to be using the royal we.  There is also a danger that the end-users will think you actually like them, but that's a risk that may be worth taking.



Tuesday, May 19, 2009

A couple of quick updates

Following up on my Matchmaker post, the good folks at IOActive and Qualys are looking for people.  I know IOActive is specifically in need of QSAs, and Qualys is hiring for several positions.  Again, not trying to compete with Dice, I'm just sharing a few openings which I know are real.

Also, my favorite log parsing tool for Windows, Mandiant's Highlighter has been updated.  Still free, version 1.1.1 of Highlighter includes several bugfixes and new features- including support for opening much larger files (it is no longer bound by available RAM as it was in earlier versions).  If you use a Windows system to crawl log files, Highlighter should be in your toolbox, now more than ever.



Sunday, May 17, 2009

It isn't magic

Yet another Twitter conversation turned blog post-

Misdirection, it is the key to so many things- from running backs faking one way then turning another, to politicians' challenges to opponents.

Remember when you were a kid and started trying to figure out how magic tricks worked? You discovered the first step was to not look where the magician directed your attention, that's when things started to click, and you began to see through the "magic".

When you are confronted with an issue you need to understand, especially if there are cheerleaders involved (by cheerleaders I mean sales weasels, analysts, anyone with a strong point of view driving the topic), step back and look where people are not pointing.

For example (and at the risk of inciting another heated conversation on the topic) apply this to PCI DSS.  Where is the payment card industry focused? On the merchants and processors. Where is the industry not focused? Well, they aren't focused on themselves, improving chargeback mechanisms to remove the need for keeping card data, nor anything else which would inconvenience the industry or consumers (two places where changes would make a real difference).

Think about it.  Where else are you not looking?



Sunday, May 3, 2009

Connections, and weak links?

In my last post I listed a few vendors who have job openings- and the ever-alert Martin McKeay commented and questioned why some of the careers pages were external links.  Good question.  There are some companies like Taleo who specialize in providing outsourced "Talent Management", and in small-mid sized companies it may make sense to let others gather resumes and do initial screening- but that is a great way to lose talent in the process.  Many IT (and especially "security") positions have fairly esoteric requirements- the best candidates may have the right attitude and aptitude, but not know the specific tools.  The ability to learn and perform is often more valuable than specific skills, and pre-screening often focuses on checklists (if they love checklists so much they should just become auditors), which can weed out some of the best candidates.  Besides, expert knowledge of Forensicator Pro 2007 is obsolete as soon as the Next Great Thing TM comes along, the ability to learn and perform never becomes obsolete.

I should also mention a couple of other obvious items- someone else has PII theoretically submitted to your company and that third party may also provide an attack vector to your world.  I would make sure that the "talent management" firm does a very good job of protecting the data gathered and processed on your behalf (a requirement of 201 CMR 17.00, by the way)- and I would hope some level of audit or testing of the firm would be in scope for any pentest or vulnerability assessment of your company.  Remember, "out of scope" doesn't stop the bad people who are attacking you.



Friday, May 1, 2009

Playing Matchmaker

I don't normally parrot job posts, especially here on the blog, but I know plenty of people are looking for work, and I know some security vendors who are looking for people, so here goes my attempt at hopefully helping both.  (Not an endorsement of them, I have no details, I'm just passing along the information).  If you are looking for a new position, you have probably already found these through the wonder of Google, but just in case...

Kaspersky has openings in Woburn, MA:

BigFix and Fortinet have openings, most around the SF Bay area, but other locations, too:


ICANN has several openings:

Symantec also has some positions open:

IBM's looking for consultants to work in their hosted AV space. Involves malware disassembly. Fishkill, NY. (They have plenty of other listings on their careers site, but I know these are real, active openings.)

I have no desire to turn this into a job board, but if you know of REAL openings for direct hires (not through agencies), let me know and maybe I'll add them to the list.