Saturday, March 27, 2010

Personal Security, Conference Stupidity

You've seen them. You've probably even been one. But you know better. I am talking about the "conference dorks", the folks who go to events and wander all over town proudly displaying their conference badges, usually with plenty of computer and/or camera gear dangling off their shoulders- you know, screaming "I'm a tourist, rob me!".

BadgeVictm

I am pretty sure what I saw wandering around SXSWi this year was the worst I've ever seen, but I've seen some pretty dumb things at RSA and NADA conventions, too- and those aren't in cities as nice as Austin. This isn't meant as a paranoid rant, or meant to spoil your fun, but seriously, think about what you're doing. Here are a few tips, primarily designed for the pedestrian, and it is far from a comprehensive list- feel free to add more or argue with me:

  • Ask someone what areas are safe, and which are not. Also ask WHEN things might be less safe.
    • Ask friends who live in the area. Not the practical joker friends, either.
    • Ask at your hotel (they want you to live long enough to check out and pay your bill).
    • Ask a local cop. Don't bother them while they're busy, don't waste their time- but they know, and they do not want to have to fill out yet another report about a crime involving an ignorant tourist.
  • Do not advertise being a tourist:
    • Don't wear name tags/badges when outside event venues. I don't care if it is a SXSWi Platinum badge, don't do it.
    • Think about the gear you carry and the way you carry it.
      • Travel light.
      • Keep straps short, and gear tucked in close.
      • If you have to carry things any distance, make sure you have one hand free at all times (or have something you don't mind dropping in one hand).
    • Look at yourself, think about where you are going (and how you're getting there). If the images don't line up, change something (clothes, route, attitude)
  • Be aware of your surroundings, and stay alert.
    • Don't be nuts, but keep your eyes open, and look around.
    • "Sweep" your path with your eyes, note what people have in their hands and look at their faces.
      • Eye contact is a tricky thing, it makes some people uncomfortable. Glance, do not stare at people.
    • If something makes you uncomfortable, stop and ask yourself why.
      • Our Fight or Flight wiring is not ideal for our modern world, but ignoring "odd feelings" about a situation is just plain dumb.
  • When walking, plan your path several dozen feet in front of where you are.
      • Avoid walking close to blind doorways, spaces between cars, blind spots near dumpsters, mailboxes, any obstacles.
      • This limits both innocent surprises of people stepping out of blind areas into your path, and puts you a step or two away from potential harm.
      • If there are solid walls or fences on one side of your route, stay close to them (stepping away for gates/doors/etc).
      • Glance back occasionally.
        • Stopping before crossing a street keeps you from getting run over, and allows you to take a good look around without being too obvious about it.
  • Traveling in groups is usually better than traveling alone.
    • But a group of idiots isn't always much better.
    • Also, ask yourself if your group could appear threatening to others.
      • Groups of drunken, obnoxious con attendees are never pleasant.
        • Unless you are in the group.
          • And even then it can be ugly.
    • Do not assume that anyone in the group knows where they are going. Plan your routes accordingly.

Another thing, I don't care who you are, or how tough you are, or what movies you've seen- avoiding a problem is the best course of action. If you go out looking for trouble, you are likely to find it.

Be safe.

Jack

Monday, March 22, 2010

Security BSides San Francisco and Austin

That was fantastic! But please remind me to leave more than ten days between these things, OK? Two more amazing BSides events have happened, first in San Francisco, then in Austin.IMG_0858

San Francisco was a two day event, there is a lot of information of the event site, audio and video will be posted "as volunteer time permits". The talks were great, every one, and the second incarnation of the PCI/Compliance panel we did at Shmoocon included a merchant and a QSA, with (not surprisingly) some strong opinions from the audience. There are more details on all presentations on the talks page. I have a photo set up in Flickr from BSides San Francisco.

IMG_1196Austin was a one day, less structured event, lining up with SXSWi, but not a traditional security conference- and there was very little crossing of the audiences. We tried to downplay expectations, but ended up with great attendance and amazing content again- and we did it in a true unconference format, even using Open Spaces in one of the rooms for breakout sessions while having the other room set up for traditional presentation formats. Links to audio and video are also being added to the site as they are posted. I have photos and a IMG_1254few video clips of BSides Austin, including the amazing afterparty, Hackers on a Duck- an after-hours, grown-up version of the classic Duck Tour.

Now that I've had a week to recover, I am really looking forward to the upcoming BSides Boston event, if you want to join us there, please sign up at EventBright, and if you would like to speak, sign up on the talks page. We will most likely do a hybrid model, some scheduled talks and some rooms setup for breakouts and impromptu conversations.

Jack

Sunday, March 21, 2010

I knew what I meant.

In my last post I shared some thoughts on Howard Schmidt and his new CyberThingie position.  I really wasn't clear on my "burning bridges" idea, and I need to correct that.  Adam Shostack gently pointed out shortcomings in the post, and helped me focus my thoughts- the clarifications follow.

To clarify what I meant in the earlier post-

I think that Howard has no budget authority, and although he negotiated a significant improvement in how he reports up the ladder and who he reports to, he is still very limited in what he can accomplish directly. Adam had some very constructive suggestions, I think pushing for transparency, and helping build/publicize guidelines/standards could actually make a difference.  But, I think he will run up against entrenched people who won't cooperate, and that's where a willingness  to spend personal capital could be critical (at least in the mind of this curmudgeon).  When persuasion and compromise fail, he has nothing to fall back on- except the fact that he can call people out, as publicly as necessary, and use all those contacts and connections he has built in his career to make it very uncomfortable to be a security obstructionist.  I don't think that is something he should undertake lightly, or regularly, but I do think setting a "don't push him too far" expectation could compensate for some of the weaknesses of his position.  I believe his situation, not needing the position, being able to go home and forget it all when he's done, could be empowering- he doesn't have to play the beltway clique games by the rules.

But, I don't think that is his style.  As I said, I hope I'm wrong, and I'm willing to help him prove me wrong.

This leaves the question of how he should distinguish between those who deserve to be called out because they really are a problem, and those who have not been convinced by his arguments.  Here I think Mr. Schmidt can turn to some of his trusted contacts before acting, but this will always be a tricky balance.

Better?

Jack

Sunday, March 14, 2010

A belated "open letter" to Howard Schmidt

I know I'm late to this party, but we have a new (but not really) Cyber-Something (not czar/tsar or anyone with authority to inflict papercuts much less beheadings), Howard Schmidt- and I have a few opinions to inflict, and an "open letter" of sorts to offer.

There were nice people who offered nice Open Letters to Mr. Schmidt in the face of ugly cynicism about the appointment, including these from Adam Shostack and Chris Hoff.  Adam had some very good suggestions, and Hoff made a genuine and altruistic offer.

I just happen to think Howard Schmidt is not the right guy; he could be, he has the credentials and experience, I just don't think he's going to move us forward.  He talks about InfoSec leadership from our paralyzed and dysfunctional federal government as being needed to solve the problems of private industry.  The phrase

"We're from the government, and we're here to help you"

has brought out the literal and figurative shotguns from concerned citizens throughout history, and in hindsight, that was often an under-reaction.

He talks about the relationships he's built and his experience.  He does not talk about the powerlessness of the position (although he did improve this dramatically before accepting the job).  Largely missing is talk about transparency, and completely missing are direct challenges to those in the way of progress.  Schmidt has the connections to make some things happen- but more importantly he has connections he can burn if they get in his way.  That's what it will take to get power into this feeble position, a willingness to pick fights, even with old friends, and publicly call out the worst obstructionists.  Schmidt is in a unique position, he does not need this, he can go live happily on his mountain, maybe sit on some boards for entertainment- so a few burned bridges aren't career limiting for him.

With these things in mind, here's my "open letter" to Howard Schmidt, I really hope he has better things to do than read this nonsense, but...

Dear Mr. Schmidt,

I'm not sure you are really the best person for the job.  It is not that you aren't qualified, but I think you are unlikely to burn bridges that you have spent a lifetime building- unfortunately, calling out people who obstruct security is one of the few powers you have.

I hope I am wrong.

As a matter of fact, I so sincerely hope I'm wrong that if you ever get desperate enough to ask me for help, I will do whatever I can to help you prove me wrong (I prove myself wrong regularly, I'm pretty good at that).  I'm not sure what skills I have to offer, but I'll try whatever you need.  I do have a talent for offending people which may be handy.

Your Humble Curmudgeon

There, that's it.

Jack

Monday, March 1, 2010

A step in the right direction

Sure, I may have trashed the regulation and regulatory process, but it is still significant.

iStock_000006229191XSmallNot Earth-shattering, but significant, especially here in the US.  Not near as significant as it should be, but a starting point.  Massachusetts' MA 201 CMR 17.00 data protection regulations are now in effect, and that is a huge step forward for the protection of personal information.  Breach disclosure laws are old news, but 201 CMR 17.00 is different, it prescribes data protection specifics, and it is not limited to those in Massachusetts:

"201 CMR 17.01 (2) Scope 
The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth."

Yes, all persons (which includes companies and organizations), regardless of where they are located, are covered if they:

"Owns or licenses, receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."

The standard interstate commerce laws cover out of state jurisdictional issues- being out of the state does not shield anyone.

This is a big deal, for two key reasons. 

First, it is leading the way in state regulation of the protections of our data.  There have been other regulations about protection of data, but I believe this is ground breaking and will be followed by other states (or at least watched from the sidelines with a bucket of popcorn and a cold beer).

Second, it has a very broad reach, it is not industry-specific, it applies to a large number of organizations which have never had regulatory requirements on their IT system before.  Specifically, it applies to:

"Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof."

Oh, and don't get wound up about the government exclusion for Massachusetts, they are covered under Executive Order 504, which mandates similar protection of data for them.

This regulation can put a significant burden on businesses which do business with Mass residents (and bother to comply), and I believe that small businesses face the biggest challenges.  (Let's be honest, the burden is to do what they should already be doing, but are not; that doesn't mean it will be easy).  Small businesses are the least likely to have dealt with regulation before (except in specific regulated fields), and they are the least likely to have the knowledgeable personnel and financial resources required to comply.  Those organizations in the 40-200 user size are probably going to have the hardest time (as they often do)- they're too big for doing everything manually, and not big enough to justify the enterprise tools to help manage some of the tasks at hand.

It will be interesting to see where this goes, if anywhere.  I don't think most people in Massachusetts are aware of this, much less those outside of the state.

Jack