Monday, November 30, 2009

I got that wrong.

Shortly after uploading my last post I realized I was wrong about money losing its voice.  It isn't losing its voice, it is just hoarse from screaming.  It also seems to be gaining an Asian accent.



Friday, November 27, 2009

A balancing act

I had a great conversation with Nick Selby this afternoon, and one of the many topics we discussed was triggered by a couple of his recent blog posts about critical infrastructure- one touching on the 60 Minutes piece hack-job and another on Fudsec about where the risk should be placed.

At first, I was really wound up about Nick's post on the 60 Minutes piece because he seemed to be excusing sloppy "journalism" because the value of reaching a wider audience outweighed the problems of questionable reporting.  [Part of my reaction was certainly due to my contempt for 60 Minutes, I feel that they don't do investigative journalism, they are what is wrong with "investigative journalism" on television.  The fact that 60 Minutes is generally less horrible than anything else in the genre is not comforting].  In case you somehow missed it, there was quite a bit of furor over 60 Minutes' claim that a Brazilian blackout was caused by hackers.  Robert Graham had a pretty terse post about this on the Errata Blog, and Rich Mogull did a good job of providing a balanced perspective.

My take on the 60 Minutes bit is that investigative reporting should investigate, and do so with a significant dose of skepticism, and report findings honestly.  I also think that we as the audience have a responsibility to be skeptical of the reporting.  60 Minutes' hacker claim could not be backed up conclusively (at least not publicly and on the record), so I believe they should have been honest about that instead of going for the hype.  If they had said something like

"There are some conflicting reports as to the true cause of the outage, but we have high confidence in our sources.  What may be more troubling than the actual cause of the outage is the fact these systems are so vulnerable to so many attacks, and so poorly monitored and regulated, that even after a major outage the true cause cannot be determined conclusively."

I would have been happy with that.  But, that isn't a sexy soundbite.  Oh, well, it is television.

I thought Nick's post on the Fudsec blog was good, but it included a fairly flip comment about the ease of mitigating the Aurora vulnerability (585k PDF), which triggered objections.  Nick clarified his position on this in a comment to his post.  The central idea of the post is an interesting one- that getting customers mad at the negligent utilities and demanding improvements is the way to address the problem of vulnerable private critical infrastructure.  I am not sure how likely that is to happen, but that is the capitalist way to do it, and money talks (although it has nearly lost its voice of late).

Where does this leave us?  Nick has made some very good points, and I think he has hit a fundamental problem in trying to get the word out to a larger audience than those of us in the security world: how to simplify the issues into concise and understandable language (NOT dumbed down) so that non-professionals can understand it, while not running afoul of appropriately detail-oriented, accuracy-demanding professionals.

This has to get sorted out; too much effort in the security community is spent in navel-gazing, chest-beating, choir-preaching, and other hyphenated silliness.  We need to engage and educate people outside our community if we are going to make real progress.



Monday, November 23, 2009

IT as Utility, that is just stupid. And Wrong.

This set of ideas just won't die, no matter how wrong they are.

"IT will be completely commoditized"

"IT will be just another utility, like power and water"

And my favorite:

"IT is dead"

We've heard this idiocy from a variety of smart people, including Nicholas Carr and even The Bruce, and there is some truth to it- some parts of IT are becoming commodities, and IT is certainly evolving.  Some people have extrapolated these ideas into saying that careers in IT are dead-ends.  Now I've got nothing against the judicious use of hype and hyperbole to make a point, but these ideas fall apart pretty quickly under a little scrutiny.  As far as "death" of the careers, these lies aren't even true for actual utilities such as power and water.

Let's start with commodity- it is certainly true that in IT you can often get similar services from a multitude of sources, but the commodity/utility analog only goes so far.  For one thing, utilities usually offer little or no choice; your water company is the only game in town, unless you dig a hole in the yard.  Other utilities do have some competition, but "the x company" is often responsible for "last mile" connectivity regardless of who you send the check to each month.  Turning to the product- when I turn the knob on the faucet I get water; when my neighbor turns on her faucet she gets water, too- and it is the same water for the entire area, and whoever needs it, gets it.  Same goes for electricity, natural gas, etc.  Sure, there are a couple of different pressure/voltage/flow options, but it is all just increments of the same thing.  And as far as electricity, it is crap.  "You'll outsource your network the way you outsource electricity".  Except NO ONE with a need for stable and reliable electricity outsources it completely- what comes off the wire is garbage, we have to use a variety of devices, from UPSes to power conditioners to have any faith in what comes out of the wall.  Oh, and I don't suppose you've noticed the booming sale of generators to businesses large and small (and to homeowners)- that's because the commodity is not good enough and not reliable enough to trust.  I hear the arguments, "but Jack, my phone is MY number", and that is true, but it is still the same capability set with a little personalization.  Cable TV falls into this category, your whole neighborhood gets a set of available features, if you want something unique, you get lots of practice at "wanting", because you aren't getting it.  The phone company does offer a lot more than POTS lines these days, but they need a lot of people to do it- and you need people to take their services from the demarc point to something useful. 

Moving on to the "... is dead" or "... is irrelevant" nonsense.  Starting with the obvious: if everyone doesn't generate their own electricity, but instead buys it... the electric company has to hire a buttload of electricians and engineers to make this work.  The task is not "dead", it just moved. As we move beyond that, answer this: if something is dead or irrelevant once it is a "commoditized utility" , can you explain why you see so many plumbers and electricians on your daily commute?  Because things go wrong. Because it has to be installed.  Because if you get a "one size fits all" commodity, someone has to make it fit for you.  Because someone has to get the various commodities where they are needed and to keep them from leaking into unwanted places.  Let's not overlook all the plumbers and electricians you don't see, the ones who go to work at the same site every day- plants, retail facilities, hotels, and so on.  They have careers in spite of working with utilities. Some have jobs because of the utilities' poor quality and service.

Part of this flawed mindset is human nature, at least the nature of humans who aren't curious or observant- if someone else does something for me, it is automatic, and I can ignore automatic things.  Until they fail and I'm screwed because I don't know how it works, so I can't even figure out the right person to call.  Here, we're actually on to something, because that describes a lot of what we deal with in IT.

As mentioned earlier, IT is evolving, and some things are being "commoditized".  Cloud computing, whatever that means*, is a great example of this.  Unfortunately, there is a lot of confusion about cloud computing, and even more misinformation.  It will eventually get worked out, but for now, I like being on the sidelines of the cloud game.

The "dead-end" career talk about IT is, however, absolutely accurate- if you aren't ready, willing, and able to work in an evolving environment.  On the other hand, if you are working to keep up with your industry and looking ahead, you are probably as safe as anyone in this volatile global economy.

*I actually have a grasp on "cloud" terminology, but it is not my focus.  If you want to know about cloud computing issues you are already a reader of Hoff's blog, or you should be.

You may have noticed I didn't mention anything about the impact of commoditization on security, or security's impact on commoditization.  That is a set of discussions for another time, but for now let's just go with "What could possibly go wrong?"



Saturday, November 21, 2009

Layer 8 post: The meaning of metrics

Always accurate, insightful, and irreverent, there's another great post over on the Layer 8 blog, this time taking aim at the "security metrics" landscape.  "The meaning of metrics" has a great take on metrics, and really separates reality from navel-gazing.  It also provides some memorable quips and quotes.  I especially like:

"Keep applying the “so what?” criterion to your metrics."

and words to live by:

"Don’t be a metrics wanker."



Sunday, November 15, 2009

Whose customers are they?

Those nice folks who give money to your company, you know, the customers- whose customers are they? Are they the company's customers, or the salesman's? Or a bit of both? Maybe it is more complicated than that, if your company sells through partners/agents/resellers- now whose customers are they?

And the tricky bit- you aren't trying to secure customer data without everyone involved understanding, and agreeing on, whose customers they are, and who is responsible for the data, are you? That would be a waste of time, wouldn't it?

If you are new at this, especially if you only see it from an information security perspective, this may seem fairly simple. It isn't. Salesmen (real salesmen, as opposed to people who just sell stuff) always have their "Rolodex" with their customers in it. That's part of what you get when you hire a salesman, access to their customer base- and the salesman takes it with them when they go. The salesman's right to take their customer list with them was supposedly codified in law in some states, but regardless of law, the practice has been universal. And now we have breach disclosure and data protection regulations preventing customer information from "leaking", so that magically stops, salesmen readily surrender their livelihoods without a battle (to a salesman, their customer list is their livelihood, make no mistake about that), and we're covered. And those jurisdictions which codified the salesmen's rights to their customers, I'm sure they updated their laws to reconcile the conflicts between the various laws and regulations protecting the salesmen's rights and the customer's data. No state would leave businesses stuck between contradictory laws, twisting in the wind. Things like that just don't happen.

I would like to offer a simple answer, but this is another one where lawyers most likely need to be consulted, the problems discussed, policies drafted, etc. The critical part will be making sure everyone involved knows and understands what the policies are, what legal implications drove the policies, and how the policies will be enforced. And then the policies must be enforced.

I do have a few ideas about this-

  • Social Security, credit card, or other account numbers need to be expressly prohibited from entering or leaving via "the Rolodex"
    • No brainer, but needs to be clear to all involved
  • If any information is allowed to enter the company via "the Rolodex", it is only fair to allow it to leave that way
    • If it can't leave, don't let it come in.
      • If it comes in, it came from somewhere else where they are fighting the same battle
  • The data is going to leave anyway. Deal with it.
    • Really, deal with it.
      • Everyone has to know what is and is not allowed
      • Steps need to be taken to control and monitor data
    • This doesn't excuse the company from doing the right thing whenever possible- but the nature of people, especially salespeople, must be taken into account.

So, whose customers are they? And who is responsible for their data?


Monday, November 2, 2009


I know, that cool widget over there needs an update.  I tried that, but they are having "technical difficulties" right now.  I'll be adding Exotic Liability, Threatpost podcasts, and others, with some details soon- if they get the widget fixed.  If not, I'll swap it out for a different widget.

While you're waiting, head over to Pauldotcom and listen to me humiliate myself and several others on their Halloween episode.  Not for the faint of heart, the easily offended, or anyone burdened by a sense of decorum.  The remaining parts of the podcast were great: tech segments, juvenile yet informative banter, etc.