Monday, December 26, 2011

Compensating, or compounding?

Back in the Dark Ages I managed parts departments for a few car dealerships.  This was back in the land before time, when dinosaurs, Renaults, and even worse-Peugeots, roamed the US.

Not this long ago

(Not this long ago)

One of the lessons I learned was about the curious views some people have about errors.  My introduction to this was during a discussion of inventory results with another manager.  Using made up numbers- let’s say we have $100,000 in inventory on the books, we count everything, make all the required adjustments, and end up with $99,000 in inventory.  There’s a grand missing, but that’s only one percent, right?  Assuming the industry standard of annual inventories, being off by one percent isn’t bad, right?

Here’s where a wrong idea leads us into the weeds, and compounds future errors in thinking.  The inventory dollar value was one percent short, but that does not mean the inventory was only off by one percent.  A more likely situation is that the inventory was $5-6,000 short on some items, and $4-5,000 over on others.  Someone got the wrong part, maybe swapped it for the correct one, and no one corrected the transaction history.  Maybe the wrong parts went out to customers who never used them (not going down the auto body shop/insurance industry rat hole today).  Who knows, but inventory always drifts.  Back to the numbers: let’s assume a $100k inventory with $6k in shortages and $5k in overages.  The value of the inventory is only off by one percent, but the inventory is off by eleven percent.  The errors do not offset, they compound.  What counts in inventory management is the ability to hand the customer the correct piece when they need it, incorrect counts on the shelf induce errors in ordering systems, obsolete parts returns, order shipments and other areas. 

It is a measurement problem at heart, in this case using the wrong scale (dollars) to measure inventory accuracy.  I’m not saying dollars don’t count, but some people always claim they are all that count.  Explain that to the guy who needs a left front wheel bearing for his Peugeot 504 but your inventory is wrong and you only have a right side bearing.  Hasn’t the poor guy suffered enough?

Luckily for us, this is just a walk down memory lane, I can’t think of any situations in InfoSec where we pretend offsetting errors compensate for each other instead of compounding the problem.  Nor can I imagine ever getting the metrics wrong.  It is awesome being able to be smugly superior to stupid folks like the guys down at the garage, isn’t it?



Tuesday, December 20, 2011

The Pandering Pentagram of Prognostication

This seems to be the year for ridiculing predictions, but I’m not jumping on that bandwagon.  I am here to help you get the most from the meaningless drivel you spew in the name of prediction (and more importantly, page views).  I have invented a brilliant methodology for measuring (because it is all about the metrics, isn’t it?) your drivel, and the drivel of others, in this most festive time of the year.  No, not the “Judeo-Christian-Pagan-Northern Hemisphere Damn it’s getting cold and dark Holiday season”, but the “I’m too sick of this crap to write anything meaningful, so I’ll just phone it in until next year” season.  (Admittedly there is some overlap).

With this altruistic goal in mind, I present you with the Pandering Pentagram of Prognostication.


The five points of the pentagram represent the key elements of “good” predictions, get them all and your prediction will land in the center of the pentagram, assuring a center brain shot to your victim.  I mean reader.  Whatever.

The five elements are outlined below, miss even one and your prediction may be off target and you will fail to hit your target.

Your prediction must be self-serving.

Your prediction must suck up to your customers, prospects, or others whose favor you are trying to win.

You must oversimplify complex issues to the point of nonsense.

Predictions must slight your competition.

And the big one, always play to Fear, Uncertainty, and Doubt.

There you go, Jack’s Pandering Pentagram of Prognostication.  Use it wisely.



Monday, November 21, 2011

Are you positive?

It will not die, and this won’t end it, but I have to try.  “False positive” findings are hotly debated by some folks, but that debate often centers on erroneous definitions or assumptions.  Regardless of the type of system we are discussing, IDS, Anti-Virus, vulnerability tool, whatever- there are some basic ideas involved.
The Basics:
There is a defined condition which either exists, or it doesn’t.
The tool or utility detects it, or it doesn’t.
This gives us a pretty simple set of situations, expressed in the table below:


Not Detected


True Positive

False Negative

Does Not Exist

False Positive

True Negative


There are issue which complicate this simple picture.  One is how strictly we define the condition:

If I want my anti-virus to detect viruses and it misses one- that is a false negative to me.  It is supposed to detect malware, it missed, simple.  Unfortunately, modern malware is constantly evolving and signatures and other triggers are frequently behind the malware- this means the tool misses something it is not configured to detect.  You are still left wiping and rebuilding the computer, but there’s something to consider while looking for the right CD, DVD, or image file.  For what it’s worth, I still consider that a false negative, we use A/V to prevent malware in general, not to block WORMBOTTROJAN.X87.03 or other specific Bad Things with even more pathetic names.

We should be able to ignore two of these for this discussion, the green ones I have labeled “Valid”.  Note I said we *should* be able to ignore.  Sadly we can’t, because true positives are often dismissed as false positives.  Sometimes it is because we don’t care about the result, or it is not relevant in our environment.  Sometimes it is because we can’t handle the truth.  HandletheTruth(Thanks to Graham Lee, @iamleeg, I now refer to these as Unacceptable Positives).  Regardless of our level (or lack) of concern, or the discomfort caused by the truth, if the condition exists and it is detected it is not a false positive.  It is often easy to prevent the utility from reporting on findings, either by changing how it searches, or how it reports on findings.  Go ahead and accept the finding and dismiss it in your environment- just don’t call that a false positive. 

Real false positives certainly do exist, and can be a burden.  There are a myriad of reasons they occur, some specific to the technology in question.  Anti-Virus may trigger on a file which looks close to a known bit of malware.  People can screw up signatures. There may be performance trade-offs, looking at larger chunks of network traffic may provide more accurate detection and identification at the expense of speed, either of the detection system, the network (when inline), or both.  Slow down the network, users scream.  Slow the system, traffic overruns the utility and some things will get by.  Tune for performance, miss a few detections.  For scanners, there is a limited amount of information which can be determined in a scan from “outside” a system.  An exhaustive network scan can find a lot of things, but it can also cause network problems due to the load placed on the network.  The limited information available without logging in to inspect a system can lead to inaccurate detections by the tool, positive or negative.  (Note: this is why I always recommend credentialed scans when possible- but that’s another post).

True negatives are safe to ignore, nothing is reported because nothing is there.  Unless, of course, you are a typical security-minded person, in which case you always wonder if something has been missed. Caution leads us to try multiple tools to validate our non-findings (when budget and time allow).

False Negatives are very real, too.  This is where anti-virus gets beaten up, and generally for good reason.  It isn’t only A/V, network load when using scanners and sniffers can lead to missed detections.  Sometimes the signatures just don’t work.  Sometimes the condition we are trying to detect has changed.  This is true for everything from malware to operating systems- new versions come out, patches are applied, and detections change.

Remember that the nature of the system will dictate the tolerance for errors.  A good example can be seen by comparing IDS (true passive intrusion detection systems) and IPS (inline and blocking intrusion prevention systems).  While the technologies are very similar, the goals are different.  A good IDS will not miss detections, false negatives are a serious problem because we don’t want to miss anything- this means false positives are more acceptable if the trade-off means not missing Bad Things.  An IPS false positive means we block valid network traffic, users wail and gnash teeth, and security takes a beating for hindering the operation of the organization again.  Keeping false positives at a minimum is a priority, this means it is more likely that some false negatives will occur.  If the cost of the occasional missed detection is lower than the cost of false positives blocking valid traffic, the trade-off is worth it.

Knowing the strengths and weaknesses of your environment and the tools you use is important in tuning for optimum results. Yes, tuning- you share responsibility here- choosing the right tools and using them properly will reduce the pain that leads to tedious blog posts like this.



Friday, November 18, 2011

(ISC)2 election reminder

Not that you are likely to forget, but if you are an (ISC)2 member (hold the CISSP or other certification), the election is on for the Board of Directors.

There were a handful of unendorsed candidates who tried to make it onto the ballot,  One candidate, Wim Remes, made the ballot.  Two others, Rolf Moulton and Javed Ikbal missed making the ballot, but are running as write-in candidates.  And, of course there is the endorsed slate.

First: you should vote if you are eligible. That’s the most important part- participate, and vote for those you feel best represent you.

Second: My opinion may not be relevant to you, but I’m voting for Wim. And writing in Rolf and Javed. I think Wim can win, and I hope he does- I have faith in him.  I also hope that frustration with (ISC)2 can get Javed and Rolf on the board, too.

You can vote for up to four.  I’ll be voting for three.  I will say that at least one of the board “elders” represents what I feel is wrong with (ISC)2, and to a certain extent, InfoSec.  Choose wisely, and hope it makes a difference.

Oh, yeah- it is the (ISC)2 website, so the links don’t go where you expect and one thing labeled “ballot” dead-ends at the candidate page.  At least I didn’t see any certificate errors this time.  If you have problems voting, complain to (ISC)2.

Go here to vote:

If you choose to write-in candidates, please make sure their names are spelled correctly.  There are instructions on both Javed and Rolf’s websites.



Monday, November 7, 2011

End of year predictions

The end of the year is approaching, so the annual flurry of predictions must be right around the corner.  Or maybe that smell is just a septic pumping truck, the contents are similar, except there are regulations covering the disposal of septic waste.

Here are my predictions:

People will predict stuff, and for the most part only their successes will be remembered.

Some people will predict the same things they have been predicting for years (or maybe even decades), and if they are eventually “right”, no one will ask about all the times they were wrong, and even of they did it would be shrugged off as “I was right, just off on timing”.

2012 will not be the year of Linux on the desktop.

And because I feel compelled to make one real prediction, Windows 8 as a desktop OS will be as disappointing as Windows 7 has been successful.

No matter what is predicted or what actually happens, randomness will not get the credit it deserves as people look both forward and backwards in time. Admitting that “life is a crap shoot” doesn’t get you the respect it should.

Dice, random or predictable?

I’ve listened to a couple of interesting books in the past several months, and a recent episode of the Freakonomics podcast does a great job of summarizing a lot of ideas into a one-hour show.  Short version: random stuff happens, and that makes prediction hard.  Really hard.  Also: so called “experts” are usually wrong- and the more adamant and certain an “expert” is, the more likely they are to be wrong.

The Freakonomics “Folly of Prediction” episode does a great job of distilling a lot of research into an easily digestible audio format.  (Note: If you aren’t familiar with Freakonomics, you should be- they make economics entertaining, challenging, and informative.  I’ve read both books and am a regular listener to the podcast.  Unrelated to this post, the recent episode on quitting was another great one).  Some of what they bring up in the predictions episode of  Freakonomics podcast is covered in much greater detail elsewhere, including a couple of books I listened to earlier this year.  The predictions podcast briefly discusses prediction markets, which seem much more promising than traditional pundit-centric pontification style prediction.

Note: I listened to both as audiobooks, Audible is not perfect, but for the commuter and frequent traveler they are great.  (I’ve also heard audiobooks are great for people who “exercise”, but people who do things like that clearly have too much to live for and are just punishing themselves for it).

The first book I listened to was The Drunkard’s Walk by Leonard Mlodinow.  Here’s an excerpt from Stephen Hawking's Amazon Review of The Drunkard's Walk:

In The Drunkard’s Walk Leonard Mlodinow provides readers with a wonderfully readable guide to how the mathematical laws of randomness affect our lives. With insight he shows how the hallmarks of chance are apparent in the course of events all around us.

The Drunkard’s Walk covers a variety of probability topics, from the significance of randomness to some history of the study of probability, and uses many illustrative anecdotes (including a look a the Monty Hall problem and others where “common sense” appears to let us down).

The second book was Future Babble by Dan Gardner.  From the author’s site:

Future Babble, a critical look at expert predictions and the psychology that explains why people believe them even though they consistently fail.

Future Babble is focused on prediction, but as random events and probabilities are challenges to prediction this book does have some content which overlaps with The Drunkard’s Walk.

Both books are overly negative at times, and thoroughly dismissive of many “experts”, but together they make a compelling case for a healthy dose of skepticism.  These works do highlight issues of bias and fallacies which lead us into making or accepting seemingly “logical” but wrong predictions, being aware of these biases and fallacies can help us identify and avoid them.

One of the recurring lessons of all of these works is that the more confident and adamant someone is about their predictions, the less likely they are to be correct, and the more likely they are to deny when they have been proven wrong.  A lot of this goes back to Philip Tetlock’s works including Expert Political Judgment, a skewering of political pundits’ ability to predict much of anything.  Tetlock often speaks of “hedgehogs and foxes”, a reference to the phrase:

Four-toed Hedgehog, Atelerix albiventris, 3 weeks old, in front of white background

The fox knows many things, but the hedgehog knows one big thing

Red fox (4 years)- Vulpes vulpes

from the ancient Greek poet Archilochus.  The hedgehogs are those with an ideology or single big idea, they hold onto the idea and rationalize around it.  Hedgehogs tend to use absolute words and are very confident in their predictions- hide from these people (television, especially cable news and talk radio are full of them).  Foxes, by comparison see much more variability in the world and are prone to use what we often derisively call “weasel words” such as “probably” or “likely”.  Foxes are also much more likely to admit they were wrong when history proves their predictions in error.

I am not saying that nothing can be predicted, and I’m not tossing stones at my risk and metrics friends- I am just suggesting that we pay attention to the realities of the world.  And the reality is that random events happen and have a large impact on our lives, and that some things which appear random are not.  And that means predictions are often hard, if not impossible.

I’ll leave you with a final quote, this one from the great philosopher Yogi Berra:

“It’s tough to make predictions, especially about the future.”



Friday, September 16, 2011

Cyber War posts by Marcus Ranum

As long as I’m not filling your RSS feeds, maybe you want to wander over to the Fabius Maximus blog and read a series of guest posts by Marcus Ranum.  Marcus’ topic for this series is “Cyberwar: a Whole New Quagmire”.  It is a good read, insightful and occasionally inciteful (it is Mr. Ranum after all).  Three parts have been posted so far:

Part 1: The Pentagon Cyberstrategy

Part 2: “Do as I say, not as I do” shall be the whole of the law.

Part 3: Conflating threats

OBTW, obligatory disclaimer: Yes, Marcus is now a co-worker.  Not relevant to this post, but I like to pretend to be ethical and open.



Thursday, September 15, 2011

Crunch time for (ISC)2 endorsements

In case is slipped off your ever-growing to-do list, a gentle reminder that there are five unendorsed candidates for the (ISC)2 Board of Directors.  I happen to think it would be a great idea of any CISSP or other (ISC)2 member in good standing endorsed all of these fine folks.  The deadline is soon.

Remember, endorsement just helps get them on the ballot, the election is coming later this fall.  A refresher:



Monday, September 5, 2011

Social Media Devolution

It is over.  The dinosaurs may not know it yet, but the “Social Media Revolution” is over, and many of the dinosaurs (aka Social Media Experts, Gurus, etc.) apparently didn’t get the message.  That may be because there was no comet, no dust cloud, no global cooling.  The “revolution” suffered the most humiliating defeat possible- it won, and it became mundane.


The “experts” are still out there, screaming about how you should and should not use social media.  They are increasingly doing this alone, or in little clusters here and there, and many think SXSWi is still about them.  Every new platform sparks a new round of hue and cry and fewer people listen with each iteration. Their problem is hundreds of millions of people have discovered everything from Flickr to Facebook to Google+ and Twitter- then they figured out how they worked for them, and are using them the way they want.  That means when the experts tell others how to use Twitter or whatever they are ignoring the way many people already use the services.

There is no longer a need for “the social media person” at a company who is “The Voice” of the organization on social media, and there is a rapidly diminishing need for experts or consultants in this area.  A lot of these folks really need to get to work on their great American novels and become baristas, or find some other way to be contributing members of society.  Their very “special” skills are becoming commonplace, and they need to shut up and move on.Fotolia_30196881_XS

To be sure, there is still a need for the “official” voice of the organization, and there is certainly a need for policies covering what is and is not appropriate use of social media in the workplace, and as it relates to work.  But instead of a single voice, smart organizations are letting employees participate in social media to amplify their message.  This doesn’t mean turning everyone into company shills, but it does mean that it is good to show the world that your organization is full of competent and engaged people.  If social media is simply a part of many people’s lives it should also simply be part of your organization.  Someone has to be responsible for the official messaging, managing groups, monitoring policy compliance and related administrative details, but that’s not magic, that’s management.

“But Jack, what about the special audio and video skills needed for podcasts and videocasts?”  I hate to break it to you, but those were rarely very “social” in the past, and it is increasingly rare now.  Some developed real communities and continue to engage and interact.  Not many, though.  There were and still are plenty of what I’ll call “engaged fans”, but that has been true of any media.  Few people or organizations really took advantage of the “social” potential of podcasting and videocasting.  As far as the skills required, anyone can handle the basics, but if you want high quality content, you will need the right people.  These would be Audio/Video pros though, not “social media experts”.

There is also an ongoing need for people to champion security and privacy issues in social media.  We are a long way from solving those problems- but the Experts and Gurus rarely addressed these issues anyway, that has always been up to those interested in privacy and security.

There are people doing interesting things in “social media”, but they are really just doing things like advertising, community relations, marketing, customer support, and PR in a modern context.  So let’s call it what it is.

And wait for all the Social Media Gurus to serve us our coffee.



Tuesday, August 30, 2011

(ISC)2 elections time again

If you hold a certification from (ISC)2 such as CISSP, this is for you.  If not, you may want to skip this one.

It is pretty well known that I have a few issues with (ISC)2, but I keep reluctantly renewing my CISSP in the hopes that things will improve.  If you are in the same situation, or even if you are happy with things, I encourage you to check out some of the unendorsed candidates for the (ISC)2 board.  Some on the endorsed slate are the kind of folks who I see as “the problem” NOT part of “the answer”.  The unendorsed candidates need at least 500 (ISC)2 members in good standing to endorse them so that they can be listed on the ballot.  Note that endorsing them doesn’t bind you to vote for them, it just gets them to the ballot.

There are five unendorsed candidates that I know of, all of whom are worthy of consideration.  I would really like to see all of them make it to the ballot- maybe a full slate of write-in candidates would send a message.  Maybe not, maybe it would just split the vote.  But, I keep paying my dues and submitting my CPEs (CPEs, now there’s a rant for another day) in the hopes it will get better.  I firmly believe endorsing these people may help change the beast- if you agree, please endorse them and vote as you see fit in the election.

Below are the five candidates I am aware of, in alphabetical order:

Vote early, and vote often.  Well, maybe “endorse now, and vote for as many as you are allowed” is more appropriate in this case.



Sunday, July 24, 2011

InfoSec’s misunderstanding of business.

You have heard it ad nauseum, “if we as security practitioners want to be taken seriously, we need to understand the businesses we support and speak to the values of the business, blah, blah, blah”.  And that, my friends, is bullshit.  Still steaming in the pasture on a spring morning bullshit.


Want to move your objectives forward?  You need to understand greed and fear, the greed and fear of the people who control the resources.  Trying to understand your organization’s business only works if the leaders of your org understand them- and they are not bound and/or blinded by monthly/quarterly objectives.

Don’t believe me?  Take a look at the banking industry, or the US auto industry, or whatever area you know about.  People who understood the business saw the train wrecks coming, and they tried to warn people about them- but they were ignored or worse.  Understanding the business can only lead to frustration because the people running the business either don’t understand the business (but they have MBAs) or they aren’t allowed to act in the long term interests of the business.

If you want to improve security in your organization, you need to understand how your organization works, not how it should work.  You need to know what feeds it and what scares it.  Sadly, that may have no relation to the business your organization is in.

Yes, I know that sounds a little bitter and depressing- but it really is OK.  The system is just broken enough to work (just like infosec).



Monday, June 20, 2011

Are you missing the empty glass moment?

I’ve recently dined at a couple of places which won’t make it to my other blog.  They weren’t bad, but they fell short of being blog-worthy.  One of the things that they had in common was that I dined at the bar, and I had to ask the bartenders for additional drinks when confronted with the horror of empty glasses.

Empty scotch glass

An empty glass in front of a patron at a bar is an opportunity for the bartender, not just to sell another drink, but to make small talk, offer a glass of water, anything to improve the drunkard/patron’s experience.  The mercenary reasons are for both the additional sales opportunity and for the shot at improving the tip.  A more strategic reason is to build a relationship, and improve the chances of repeat business.  Another, more human reason is that happy customers are nicer to be around and make the job better.  It is an opportunity to engage the customer when there is an obvious invitation for interaction, a shot at satisfying the customer and maybe even making a buck at the same time.

You’re probably wondering where I’m headed with this, and if I may have been over-served before writing, but fear not, there is a point coming…

A lot of folks aren’t comfortable starting conversations, so we don’t do it.  I get it, it can be hard, and awkward.  One way to make it easier is to look for our own “empty glass” moments, those opportunities where there is a void to be filled.  They may not be as obvious as the empty glass, but look for them, and take advantage of them.  They may be as direct as someone floating a question in a group, or as subtle as a prolonged silence, but if you look for the opportunities you will probably find some.  Instead of selling drinks, we can sell ideas, or simply make connections and make people aware that we are paying attention so that it is easier for us when we really do need their attention.

That’s it, deep thoughts from the end of the bar.




Tuesday, June 14, 2011

A transition

I am very excited to announce that I am joining Tenable Network Security in the role of product manager; I am also saddened that this means I am leaving my friends and my fantastic position at Astaro.

This was obviously not an easy decision, and it was made more difficult by the recent announcement of Astaro’s planned acquisition by Sophos.  This move is, however, unrelated to the acquisition- as a matter of fact I have been looking forward to the expanded opportunities available in the combined organization.  (I was especially looking forward to working with the Naked Security and Sophos Labs teams).


When offered an opportunity to join the team at Tenable, I had to explore the possibilities- and the conversations quickly led to an offer I could not pass up.  From the team of people I will be working with, to the product line (including Nessus), and the challenge of the role I will be assuming, the reasons to make the change have been overwhelming.

My time at Astaro has been great; I am thankful for all of the opportunities I have had while there, and for Astaro’s support of many community projects and events.  It has been an honor and an pleasure to work with friends and co-workers at Astaro, and I will miss working with them- and I wish them all the best.  (I also still believe in Astaro products, that’s why one of the first things I have done in converting my office is set up an Astaro gateway running the free, 50-IP home-use license).

As far as what this means for my involvement in BSides and my various other activities- I’ll still be as engaged as possible, and Tenable supports my efforts.  I do expect to spend less time on the road in my new position, so I may not attend quite as many events in person.  And yes, of course I will be in Las Vegas for the annual week of madness in August for BSides Las Vegas and DEFCON

By the way, if you are looking for your next great career opportunity I have leads for you: Astaro, Sophos, and Tenable all have positions open, see their careers pages for details:



Sunday, May 29, 2011

Spaf’s Memorial Day thoughts on “CyberWar”

Take a few minutes and go read Gene Spafford’s “U.S. Memorial Day Thoughts on Cyber War”.  This is not the typical “OMFG THE SKY IS FALLING ONLY THE GOVERNMENT AND MILITARY CONTRACTORS CAN SAVE US FROM THINGS THEY CAN’T DEFEND THEMSELVES AGAINST!!!11!1” bullshit we regularly see, nor is it the oft-repeated flippant dismissal of the existence of whatever it is people mean by “cyber war”.  It is a reasoned and balanced view of the current situation, and a look at where we seem to be headed- from the perspective of Dr. Spafford.

His observations about the state of technology education may be the scariest thing about the situation, and if unchecked will likely be more devastating than any “attack” we may suffer.



Monday, May 23, 2011

Risk analysis and things that go boom.

A recent paper with the sexy title “Understanding and Managing Risk in Security
Systems for the DOE Nuclear Weapons Complex
” (and subsequent coverage of it) wound some people up over its attack on probabilistic risk analysis (PRA).  You can download a free copy of the PDF at  It is worth a read, it is only 30 pages, and the meat is really only a few pages.  Read the preface on page IX, then the content from pages 1-5 and you can skip the rest unless you really want the tedium of government documentary fluff.  (Note: this is the public, sanitized version- there is a longer, and understandably classified version).
Here’s the quote that seems to trigger the reaction:
“The committee concluded that the solution to balancing cost, security, and operations at  facilities in the nuclear weapons complex is not to assess security risks more quantitatively or more precisely.  This is primarily because there is no comprehensive analytical basis for defining the attack strategies that a malicious, creative, and deliberate adversary might employ or the probabilities associated with them.”
I don’t have a problem with this, I think it is dead on.  Part of my frustration with the risk analysis crowd is many of them insist on using made-up or otherwise useless metrics for “calculating” their “probabilities”.  That isn’t the issue here, though- In this case, PRA fails for the the reason stated above:
“…there is no comprehensive analytical basis for defining the attack strategies that a malicious, creative, and deliberate adversary might employ…”
This is especially true in the context of this document- physical threats to the US nuclear weapons arsenal.  The consequences are simply too high to not just do the absolute best job possible.  That is not true for what we deal with in information security, no matter what the cyberhypemeisters tell us.  Things like “acceptable level of compromise” aren’t acceptable when we’re talking about nuclear weapons.  Small incidents with nukes are not small.  (Tangent: say what you will about his politics, birth certificate, whatever- I am relieved the hear a president who doesn’t say “nuculer”).
Now, if you want to put together some good metrics, reliable and repeatable ones, and use them for predictive modeling in environments where some margin of error is acceptable (as in most of what we do in InfoSec), we can work on that.  Just don’t tell me that those good metrics are common in our field, and never forget the underlying truth that an attacker with adequate resources will ALWAYS defeat us- and we have something to work on.  Even the authors of this paper see the value in PRA, just not as an absolute.  Immediately following the above quote is this comment:
“However, using structured thinking processes and techniques to characterize security risk could improve NNSA’s understanding of security vulnerabilities and guide more effective resource allocation.”
Brian Snow talked about this paper on an episode of Risky Business last month if you want to hear his perspectives (Brian was one of the authors of the paper).
My takeaway?  We have to determine of the tools we use are truly appropriate for task at hand- and if we are using those tools properly.  With good metrics and measurements we can gain insight from risk analysis.  Conversely, with crap statistics, improperly applied, we can waste an astounding amount of time and money.  No hype, no drama, just a little common sense.
[Note: Some days you question the paths you have taken in life, and where they have led you.  One such day (night, actually) I had just returned to my room from Frankie’s Tiki Room in Las Vegas.  I was preparing for a brief slumber when I noticed the two documents on my desk- and asked myself how the [expletive] I got to a place in life where this makes sense (at least to me)].



Friday, May 6, 2011

Astaro accepts offer from Sophos.

This is about my employer.  It is an unusually corporate market-y sounding kind of post for me.  Feel free to skip this one if you aren’t interested, I will not be offended.

It is kinda big news for some of us.  The nice folks who pay me to do all kinds of cool things, Astaro, have agreed to be purchased by Sophos.  There are a lot of questions that I have seen and heard, and some utter nonsense has been said.

BUT FIRST: I am just an employee of Astaro.  I am not a founder, owner, or senior management team member.  What follows are my personal observations and opinions.  I have no “inside knowledge” to share, and even if I did, I couldn’t.

The official press release and FAQ have the basic info.  There are several blog posts and articles about it.  My new colleague Graham Cluley over at Sophos’ Naked Security Blog did a good summary post with links to several other articles and posts.  Mike Rothman’s analysis over at Securosis is a good one.  I’m sure you can find more.  You can also find some that are off the mark.  If you read something that doesn’t make sense, please apply a little skepticism.  (If you read this blog, that should be easy for you).

I have received several questions, and I will UNOFFICIALLY answer them based on my understanding of the situation:

Q: What about the free home version of Astaro?

A: Don’t worry it is not going away.  Astaro’s management team will continue to manage the Astaro line as part of Sophos.  The home version is important to them, and to most of us in the Astaro team.  It is a key part of Astaro’s success, and a key part of building the Astaro community.  It would be silly to discontinue it.

Q: You say that now, but will it change as the product evolves? 

A: I am sure it will, and have no idea what that will look like.  If I were psychic, I’d be a gambler, not a packet monkey.  But, see previous answer.

Q: What about X Open Source project?

A: Open Source provides great value to Astaro, and Astaro provides support back to Open Source projects.  That will continue.  And, any Open Source code will stay Open- as the licenses require.

Q: What about BSides and other community sponsorships and support?

A: Short term- nothing changes.  The awesome Astaro PR and Marketing team is committed to building communities.  It is a differentiator for Astaro, and it is the right thing to do.

Long term- it is a financial decision, as long as it makes sense, I expect it to continue.  And I expect that to make sense for a long time.

Now, a little strategy talk. 

This creates a combined company with a broad diversity of security and management products.  There is not a lot of overlap in product lines, so there is not much redundancy to reconcile, there will just be the challenges of integration where appropriate.  (On the Astaro gateway side, that’s pretty easy- it is a modular platform which has allowed adding and modifying components and features as the product and customer needs have evolved).

Some have said that the endpoint and network security channel partners are different, and the buyers are different, and this will cause difficulty for the combined company.  While that may be true in limited cases, most likely in larger environments, my experience brings me to quite the opposite conclusion.  I talk to our partners, as well as other VARs, MSPs and resellers regularly; most I speak with want a complete and diverse product line to offer their customers and prospects.  Likewise, the pressures of the economy and the never-ending push for increased efficiency are driving the consumer to look for efficiencies and cost savings.  This pressure on those in the IT trenches is why the UTM (Unified Threat Management) segment is gaining traction in ever larger environments- simplified, unified, cost-efficient products conserve scarce resources.  It only makes sense that a properly integrated, quality suite of products will be attractive to businesses.  And even in the cases where the desktop team doesn’t “play nice” with the firewall guys (or web filtering, or whatever), I have a couple of thoughts:

  • It is about the company’s best interests, the pressure is on, and cooperation is happening, or will happen.  With the current teams, or those who replace them.
  • More importantly, the budget authority is frequently above these levels, and good managers understand the value of efficiency.

Things will change. There will be opportunities, there will be missteps, and there will be successes. I believe this is a good move, but that is speculation: it is now up to us in the new, combined company to prove it.

And finally (for now): if you have questions, comments, or concerns- let us know.  If you do not know who to ask in the Astaro team, or at Sophos, ask me.

Drop a note to jdaniel at astaro dot com.  I am on the road a lot, especially for the next month, so my responses may not be immediate, but ask me, and I will answer as soon as I can, or I will connect you with the answer.



Wednesday, May 4, 2011

Verizon DBIR (or, I told you so)

Now that I’ve had over a week to read, re-read, digest, etc.

I told you so.  For all the scary, uber-sophisticated attacks we run off to conferences to see, and all the amazing feats of exploitation we hear about, real-world compromises are most often exploiting basic failures in security.  If you are a regular reader of the Verizon Data Breach Investigations Report you will know that the DBIR has again confirmed our failure to secure the basics.

That is a pretty gross oversimplification, but it is true.  This year’s report reflects a pretty significant shift from the enterprise to SMB, and has some interesting data.  One thing that many have latched on to is the rise in the number of breaches, but significant drop in the number of records breached in 2010; if Verizon’s numbers reflect the world at large we will see a stunning reversal in the 2011 data.  This anomaly doesn’t alter the value of DBIR data, but it highlights the difficulties in making pronouncements based on a single report.

Before we go on, some background information will be useful.  The Verizon report includes both Verizon and US Secret Service data, and while it represents hundreds of cases the experience is far from universal.  There is a lot of selection bias at play, and that narrows the scope of the results.  See my recent How to misinterpret the Verizon DBIR post for more thoughts on interpreting the report.

As far as the substance of the report, there are a handful of things I find insightful, or at least interesting:

  • The “internal threat” is real.  Just not a big deal compared to outsiders kicking our butts.  And, the insider take tends to be smaller than external attackers.
  • 83% of victims were targets of opportunity.  Too many people are still making it easy.
  • Speaking of… 92% of attacks were “not highly difficult” per Verizon.  Even if we argue about the ones Verizon labels “moderate”, there are still 43% of attacks in the “stupid easy” category.  (OK, technically speaking, Verizon refers to 6% with a difficulty of “none” and 37% “low”).
  • 89% subject to PCI-DSS had not even achieved compliance with this fraudulently imposed sub-minimum sub-standard.  (Sorry, I may have let a little editorializing slip in there).

Continuing trends included:

  • Organizations not knowing where their stuff is and how it can be accessed (the unknown unknowns) appear to be improving, but this is still a big problem.
  • Organizations do not log everything they should, but it is OK, because they don’t look at the logs anyway.  At least not until it is too late.
  • And how do they know it is too late?  Again, third parties are much more likely to discover a breach than the organizations themselves.

There are a lot of ATM, gas station, and other POS (Point of Sale systems) attacks in this year’s report, largely split into two categories: physical compromise of ATM and gas station card readers, and exploitation of remote access deficiencies in POS systems.  While the remote access attacks fit in with our traditional idea of criminals attacking computer systems, the physical installation of skimmers on ATMs and gas pumps does not.  It is hard to look cyber while standing at the location of compromise while carrying hardware and wearing a toolbelt.

I like this report more each year.  BUT, there are things which make me nuts.  If I could have two things from the DBIR team they would be:

  • More raw data.  Give me the numbers.  I understand that too much detail could undermine the anonymization, but I want more raw data.  (Yes, I’m one of those folks who generally believes good data visualization means a readable font in the spreadsheet).
  • An adult version of the report.  Take out the redundant high-point popups, they’re a distraction to those of us who really read the report.  Pull out some of the infographics, too (see above). I’ll read the whole report, with highlighter and pen in hand, more than once, and decide what is important to me.

That’s enough from me- there are already more than enough summaries of the DBIR out there.



Monday, May 2, 2011

Cloud computing resources

No hype here.  No “cloud will change everything” nonsense (it won’t).  No “cloud is nothing new” nor “cloud is completely new” nonsense, either (cloud is perfect for a wedding- “Something Old, Something New, Something Borrowed, Something Blue, and a Silver Sixpence in Her Shoe.” But you’ll need more than sixpence).
If you’ve been keeping up with the smart cloud folks, you probably won’t find anything exciting here- but below are some good general resources.
Properly deployed for appropriate purposes, cloud computing can be fantastic.  I have moved most of my lab systems to a cloud environment and it has provided a huge improvement in my ability to test systems and deliver demonstrations.  My employer uses cloud systems to deliver content and services for partners and customers more effectively that we could with internal resources.  But, cloud computing is not for everyone, or for everything.  You just need to research, plan, and migrate wisely.
There are a handful of very good cloud computing security documents out there, here are ones I recommend (some are pretty big PDFs):
Start with the NIST definitions doc, it was only two pages, but has been bloated to seven without adding value.  Just read the last two pages, ignore the rest.  It is not “security specific”, but is sets a common terminology for the rest:
My new favorite cloud security reference is from the Australian Defence (yeah, they spell it funny over there) Signals Directorate; their Cloud Computing Security Considerations is great resource, and a great conversation starter for those considering a move to cloud computing.  (It is 19 pages and an easy read, too).  If you read only one, read this.  And share it.
For more meaty discussions of cloud security, it is hard to beat the documents recommended for those preparing to take the Cloud Security Alliance CCSK (Certificate of Cloud Computing Knowledge) exam:
CSA’s own “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” is not a light read, and is enterprise focused, but has a lot of good information.
The other study document is the ENISA “Cloud Computing Risk Assessment”.  It is also not a quick read, but has more small- to mid-sized business focus (reflecting its European origin).
Speaking of CCSK, it is an interesting certification.  I’ve recently passed the exam, and heartily recommend the study material- but the certification is probably of limited value to most people until “cloud” is better understood.  As you would expect, CSA has an enormous amount of information on their site, covering a myriad of cloud concepts.
A couple more references for those of you who want a broader understanding:
NIST also has a “Cloud Computing Reference Architecture” which needs some help in the area of readability, but is a good resource, especially for the discussion of cloud computing roles.
OpenCrowd’s Cloud Taxonomy is useful for help in categorizing cloud products and services and for understanding the categories.
This is by no means a complete, or even exhaustive list (although I do feel somewhat exhausted); it is just a pile of stuff that I hope will be helpful to those considering a move to cloud computing (or to those already in the clouds, but afraid of heights).


Monday, April 25, 2011

How to misinterpret the Verizon DBIR

Actually, a post on the topic described in the title would be pretty much redundant, because a lot of people seem to have a natural talent for misinterpreting information.  And the Verizon Data Breach Investigations Report is one that really gets some bizarre spins put on it (and that’s before the sales weasels get their paws on it and start trying to scare prospects into buying stuff).

In case you’ve been under a rock, Verizon released their 2011 DBIR last week.  Get your own copy from the Verizon Security Blog.  Read it, there’s good stuff in there.  Keep your filters up as you read it; this is good, and it is data few others share- but not perfect, and the experiences are not universal (and Verizon is candid about this).

For practical advice on reading the report (and many others), I will offer the following:

  • The sample sets are not the universal experience.  Informative, but not universal.
  • Correlation is not causation.  Never was, still isn’t.
  • The report provides data on both the number of breaches and the number of records lost.  They are very different, and should not be confused.
  • The report also lists both raw numbers and percentages.  These sometimes appear to generate conflicting information.
    • And really provide for some apparently conflicting trends.
  • Combine misunderstanding of the difference between number of breaches and number of records lost with a misunderstanding of percentages versus raw numbers… and you are ready to be interviewed on the DBIR.

Really, go read it for yourself.  It is good- just be wary of what others tell you it says.



Friday, April 1, 2011

Quasi-annual semi-disclaimer

I need to head off a little confusion, most folks know this, but here goes:

I am the Community Development Manager for Astaro.  It is a great job, with a great company, and I’m eager to assist people with the products and the company any way I can.  BUT, I am not in the sales, support, or development teams- nor can I snap my fingers and make things happen (believe me, I’ve tried).  Unless I state otherwise in a conversation, presentation, whatever- I do not speak for Astaro, its founders, employees, etc.  If you want to contact me about Astaro, I want to hear from you and will do whatever I can to answer questions or assist you; please drop me a line at jdaniel [at], or hit me up on Twitter @Astaro_JD.

I am one of the co-founders of Security B-Sides, and am one of the core group of people who help keep it rolling and growing.  I also help run some of the events.  As I have said many times, the B-Sides phenomenon is amazing, the community is beyond amazing, and I am both proud and humbled to be a part of it.  BUT, I am not B-Sides, I’m just one of the team.  Unless I state otherwise, I do not speak for B-Sides, and any opinions expressed are my own.  I specifically maintain some distance from some things in the B-Sides world, generally involving specific sponsorship and financial matters.  This is because I work for a sponsor and do not want any appearance of conflict.  I am eager to answer questions about B-Sides, help organizers where I can, connect people- whatever I can to to help sustain Security B-Sides.  To contact me about B-Sides, please send a note to jack [at]  For general information (or to reach the core team) please send messages to info [at]

Note: I have considered a separate blog for B-Sides commentary and updates, but instead will continue to post B-Sides content here- but out of deference for those who may not be interested, I will make sure the title of all B-Sides posts begins with “B-Sides” so that you can skip them if you are so inclined.

If you want to contact me about anything other than B-Sides or Astaro, and don’t know where to turn, I’m on Twitter @jack_daniel or you can email me at jdaniel [at]

Now, back to not blogging enough.  Except I really need to do that blog on Frankie’s Tiki Room over on the other blog.



Friday, March 18, 2011

BSidesAustin slideshow

In case you hadn’t noticed, I like Animoto…


This is what you missed if you weren’t there.

The music is from Lisa Marshall, she entertained us on Hackers on a Duck II and played all over Austin during SXSW.


BSides Austin Job Board

It looks like the security biz is doing OK. At Security BSides Austin companies were trying to fill several positions- so I thought I would list them here.  Not turning into a job board, this is not an endorsement of anyone (although companies involved in BSides are pretty cool in my book).

Trustwave – junior and senior app pentesters needed

AlientVault – Pre- and Post-sales tech

NetWitness - SE and services positions

Atsec – Software evaluators and seasoned pentesters

AlertLogic – Security Analysts and Developers

Denim Group – All kinds of cool stuff

No links, Jack?  You could look at the jobs board pics on the BSides Austin Flickr set.  Or maybe as the Google, that dude knows everything (and some of it is even correct).

Oh, yeah.  BSides Austin rocked.  It was a BSides, in Austin, what did you expect?



If you aren’t doing THIS, you aren’t doing your job.

Ever heard that from someone?  It doesn’t really matter what “this” is, “this” is always a critical component of your job which you are foolishly overlooking.  Curious, really.  It turns out that many people are actually too busy doing their jobs to be bothered with doing what other people think their jobs are.

If you say this to someone, or to an audience, be prepared to be shut down.  I am not saying never do it, but you need to consider the risks of alienating your audience.  Sometimes people need a wake up call, but know that this, or similar statements, can lose people- it gives them an excuse to ignore you.

Flip it over:

If I were in your situation, even with everything you have to deal with, I would be very concerned about THIS, and making plans for it, because…

There, make the point, avoid getting rotten fruit thrown.



Thursday, March 3, 2011

That conference and the façades of vendors


There was this Really Big Security Conference a couple of weeks ago.  Actually, it appears that there were a few Really Big Security Conferences a couple of weeks ago based on the bewildering array of opinions about it/them.  I liked Zach’s take on it, but some folks really disagreed with his sentiments. I think this was my fourth of these things, and I was more depressed than usual after the event.  There appeared to be more good talks this year, but without a reduction in the number of obvious sales pitches or old-news talks.  But everyone knows where I go for content and conversation, so let’s skip that part.

While others saw it differently, to me the vendor area was ugly.  People I used to respect were screaming not-quite-truths over PA systems, vendors were giving away cars while screaming errors-of-omission, booth babes (including at the NSA booth), all of the usual stuff, only more and louder than normal.

What really depresses me is not just the screaming lies, but it was who was skirting and subverting the truth.  Brilliant people, respected in the industry, reduced to sleight of mouth to pitch their wares.  Another things which disgusts me is attacking competitors.  There is a big difference between promoting market differentiators and trash talk, a lot of sales folks never learn this.  No, I will not name names- I feel guilty for not calling them out publicly, but at least one was a direct competitor and there is no way to call them out professionally.

But that’s sales, build a pretty façade and hope people like it.  Unfortunately, they can be problematic in architecture; they require a lot of support and add weight that can actually detract from the structural integrity of the building if not planned into the design.

The façade of perfection and overstatement of features in security systems is not “built in to the infrastructure”.  As with some inappropriately adorned buildings, the hype usually just adds a burden to a otherwise solid products.


Let’s assume the vaguely-resembles-the-truth sales pitch delivers a customer and closes a deal, what happens when they discover the actually-is-the-truth about the product?  Disgruntled customer, high support costs, low customer retention rates.

Here’s my crazy idea: sell what you are selling based on its strengths and key differentiators. Of course you will promote it positively, but don’t lie about it, and do not trash the competition. Sales is not athletics, but I would really like to see more of the attitude good athletes have- the way to win is to win, not to make others lose.

Note: No, I’m not new at this, nor am I naïve.  I have decades of auto industry experience, and I assure you that as scammers, liars and frauds the security industry are a bunch of amateurs.  That doesn’t mean I have to be content with the crap.



Monday, February 28, 2011

So I missed a point or two…

As is often the case with quick blog posts, a bit of reflection before posting could have added some clarity to my last one, The true cost of non-compliance is ZERO* .

As far as “things going wrong”, the trigger for pushing the cost above zero may not simply be “suffering a breach”, but is more likely “suffering an incident which is so bad we have to deal with it”.  Again, not a happy thought, but one we must accept if we want to make progress.  I am tempted to opine that this is especially true in small to mid-sized organizations, but I am repeatedly reminded that many large enterprises are just really big small businesses, so I’ll refrain from that.

Andy Ellis pointed out that there are costs, specifically internal reputational cost, which I missed.  Andy is smart like that.  that means hiring and keeping good people will be a problem, as will other things that can accompany morale issues.  They are hard to measure though, and are often overlooked until they reach a crisis stage- which I guess would qualify as “something going wrong”.



Sunday, February 27, 2011

The true cost of non-compliance is ZERO*

There has been lots of talk about the cost of compliance, and lately about the cost of non-compliance.  Most of the talk conveniently ignores this fact:
The cost of non-compliance is ZERO*

*if nothing goes wrong.

If you don’t think that the people making decisions on budgets should and do consider this fact, you are probably both more frustrated and less effective than you need to be.

I hear you saying “but Jack, things always go wrong”.  That is both true, and not true.  In the security world we mostly deal with things which have gone wrong, and that’s what we see.  The stuff humming along nicely (or at least not horribly) is usually under our radar.

The things most likely to go wrong are:

  • Getting caught
    • This likelihood ranges from “probable” for many under PCI to “indistinguishable from zero” for many others laws and/or regulations.
      • Note: you need to have former Assistant DAs explain lack of funding for regulatory enforcement to you when you try to convince them to secure their law practices to really enjoy this topic. Or so I’ve heard.
  • Suffering a breach
    • This still leaves open the question of whether being complaint would have prevented the breach
      • “Compliant” does not guarantee “secure”.
    • More importantly, this does not address whether compliance would have provided the most effective preventative (both from cost and logistic perspectives).

Monday, February 21, 2011

The Tonga Room, a moving experience


Note: this is a cross-post from my travel/liver damage blog.  I also posted here because of the significance of the topic to the InfoSec community.  Really.

It looks like the future of the Tonga Room involves a move to a new location.  What is the Tonga Room?  The Tonga Room is one of those special places which is so tacky that it comes out the other side and has class again.  Follow the link above to my last post on it for more details.  Rumor (wink, wink) is that the Tonga has been sold; name, fixtures, even employees- as a whole, to be moved to an as yet unknown location

Details are sketchy, but my sources are impeccable (always trust people in Hawaiian shirts) .  Expect the "new" Tonga in a new venue, but I don’t know when.  The month of April is when something happens, but as of yet I do not know if that is closing, reopening, or what.

There are more questions than answers at this time.

Will it still have the pontoon tiki boat stage?

Will the complete set of fixtures be part of the resurrected Tonga- including the masts ,railings, and rigging from the Forrester?

Will the loyal employees be treated well under the terms of the sale and under the new owners?

Will the Mai Tais still kick your butt down the hill?

Will there still be a hill to have said butts dragged up and kicked down?


For the past few years I have made a pilgrimage to the Tonga Room at the beginning (and often middle and end) of the week of the RSA conference (and now the week of Security BSides San Francisco, too). 


This year we spread the word a bit more and ended up with TongaCon, which kicked serious butt.  There were probably about 35-40 people who rolled through, more paper umbrellas than I could count, a live RickRolling of the bar by the band (FYI, Rick Astley covers should always be done by lounge bands on a pontoon boat).  There may have even been unfortunate events involving an unnamed journalist’s bald head and someone else’s beard, and possibly a “how many umbrellas can we stick in Jack’s beard” contest.  (You will have to find those pictures on your own).



More TongaCon photos here.

I am asking San Francisco locals (and everyone else interested) to keep me posted on the future of the Tonga Room, and I’ll share the info.



Friday, February 18, 2011

Value of Certifications survey

Mike and Lee over at Information Security Leaders have kicked off a new survey on the value of certifications in your information security career.  They put a lot of effort into their studies, and always share the results- so if you have 5-10 minutes take a look at the survey.

Take the survey from here:



Monday, February 14, 2011

Digging deeper into my last post

In my last post I mentioned my observation about Shmoocon Labs’ success at emulating an enterprise network, including some attributes not planned- specifically some inefficiencies, complexities, and balkanization of roles.
Note: as I said in the last post, this is not a shot at Shmoocon Labs, I think the Labs are fantastic- I’m just extending the learning experience beyond the stated curriculum.
Modern networks, even fairly small ones, are often more complex than they need to be.  The people who manage the networks have limited areas of expertise and generally work within their knowledge areas- this tends to mean a bias towards specific products, services, and techniques.  These are expected issues, no one can master all aspects of network or system administration; we all (well, most of us) do the best we can with the resources available and make stuff work.  I want to reiterate that point:
We do what we can, with what we have, and make the best of it.
That does mean that the results aren’t always pretty- but as is also true of my old pickup truck, we get the job done.
After years of doing the best we can with what we have in our environments, the cumulative result is frequently downright ugly- especially when seen through the eyes of outsiders.  (Good thing we aren’t judgmental when we enter new environments).
I am not suggesting we excuse or ignore the train wrecks we see in our daily InfoSec grind, they are usually easy to spot and should be called out.  It is our job to identify and try to resolve problems. 
If, however, we fail to consider how the situation evolved into its current state or we forget that no one set out to make a train wreck, we are likely to be ignored- or we will repeat the same mistakes that created the old mess (although the technology industry has an amazing aptitude for making the same old mistakes in new and exciting ways- but this isn’t a post on Cloud computing, so we won’t go there).


Saturday, February 12, 2011

Just like the real thing

NOTE: I debated writing this because some might take it as criticism of Shmoocon or dismiss it as my disappointment in the failure of my plans for participation in the Shmoocon Labs this year.  It is neither, it was simply a great learning experience- and like most of the best learning experiences, the lessons learned were not on the curriculum.

Shmoocon was great again this year.  The Shmoobus was entertaining as always, blizzard and its aftermath on the way down, rolling LAN party and much more on the way home. 

One of the things Shmoocon does every year is build their event network as a training event, Shmoocon Labs, not just to provide connectivity for the con.  They swoop in, split into teams (switching, firewall, wireless, services, visualization, etc.) and start building a network on Thursday morning and by Friday afternoon they have a (mostly) functional network serving the needs of the conference and its attendees.  And by Sunday evening it is all gone.  The goal is to build a truly “enterprise class” network, and they pull it off every year.

The various teams handle specific segments of the network, and while everyone works together, there is a segregation of duties between teams and tasks stay in the appropriate team.  Everyone on the labs crew is a volunteer, many even pay extra to participate and learn- this means expertise is based on the experience of those participating.  There are a lot of very experienced network engineers in the Shmoo team, and they do a killer job…


The network is complex.  It is done on purpose, as part of the training experience.  But complex *anything* is problematic in many ways.  Complexity brings challenges to configuration, compatibility, manageability security, and more.


Task isolation between teams means that sometimes the most expedient solutions are not applied because the team with primary responsibility for the task or service is given the opportunity to work through the issue and learn.


These “problems” aren’t really problems at Shmoocon, right?  They are part of the program, there are very good reasons for intentionally introducing these burdens and challenges.  And besides, everything works eventually and thus the labs are a success.

Hey, wait a minute…

“That’s not a problem because we do it on purpose, and besides, it works” sounds vaguely familiar, doesn’t it?  It turns out that they manage to capture more details of a true “Enterprise Network” than are in the plans.



Monday, February 7, 2011

Choir preaching, chamber echoing, etc.

There has been a lot of talk about the “echo chamber” of information security lately, mostly inside the echo chamber- about how we need to get outside of the echo chamber.


(image credit: Hugh MacLeod’s Gaping Void)

Likewise, there has been a debate about the “preaching to the choir” aspect of many security conferences.  This really makes me worry about what kind of churches you people go to.


If we’re going to play with these metaphors- I do not have a problem with the comfort of the echo chamber, nor do I think there is a problem with preaching to the choir.  We deserve to have fun occasionally, share information with people we know, build the relationships that help us do our jobs and get through our crises, and all the other things we do at gathering places- both physical and virtual.

The problem is when we never leave these enclaves.  We need to share what we learn.  We need to get our teeth kicked in by the realities of the real world, business needs, people’s priorities and biases.  Then retreat to our little cliques, recharge, and repeat.

Face it, if it was easy, most of us wouldn’t do it.  There is something a bit off about the “infosec” mind, and that’s OK.



Friday, January 28, 2011

Shmoobus on Tumblr

OK, my grand plans for streaming live yesterday didn’t work, but a lot of Shmoobus antics were fed to, and will be again on Sunday for the trip home.


By the way, this is no way to start a road trip. Shmoocon Snowpocalypse II.  As always, thanks to Astaro for sponsoring this mayhem.

Wednesday, January 26, 2011

Shmoobus Live Feeds

This is a test post, the live feeds will move to when we work out any issues.  Thanks again to Astaro for sponsoring the ShmooBus.

You have better things to do than watch this and be jealous that you aren’t with the cool kids on the Shmoobus.  BUT, if you want to watch anyway, I’ll be trying both Qik and Ustream and streaming on whichever works better.  Widgets for both are below.
Qik ShmooBus Stream
Ustream ShmooBus Stream

Wednesday, January 19, 2011

In Defense of FUD

That’s right, I’m defending FUD. Yes, I mean Fear, Uncertainty, and Doubt. That kind of FUD. And I’m here to defend it.

FUD is under unjust and unreasonable attack. Not from people who decry its use, but from some vendors, consultants, analysts, politicians, pundits, and regulators. Yes, they use FUD to sell their products, services, ideologies, whatever- but that is only the beginning of the problem. Things really turn ugly with the promises these folks make: if you will just buy what they are selling they will deliver you from FUD and bestow upon you BCC (Bravery, Certainty, and Confidence). And Confidence is the right word, because this is a con game. If you think buying anything, whether physical or metaphysical, can completely relieve you of fear, uncertainty, and doubt, you are naïve. People don’t work that way, and we shouldn’t. Fear, uncertainty, and doubt, at reasonable levels, keep us alive, and alert.

I am not a proponent of crippling fear any more than I am a fan of naïve confidence, but a little bit of discomfort and uncertainty can drive us to question our preparedness, and rethink the challenges we face. And that is healthy. If you find yourself confronted by someone whose promises are absolute, you need to be very careful (I generally either flee, or mess with their tiny little brains, buying is not an option). We want to feel safe and certain, that is why there is a “security” industry- but if we are honest, the real goal is to reduce the chances of something bad happening down to an acceptable level. We are never completely “safe”, and anyone who claims that what they are selling can change this fact is a charlatan.

Some of the most dangerous sources of inflated FUD and unreasonable BCC are organizations and agencies pushing their various certification and compliance agendas. Compliance with a standard, even a professed “security” standard, does not make you secure. A new set of letters after your name doesn’t change the world. These things *might* move you forward, but they won’t *solve* your troubles- keep that in mind when spending time and money on them.

That’s it. I’ll take a manageable dose of FUD over any blind BCC any day. And you should, too.



Friday, January 14, 2011

Good news, bad news

Have you heard? It isn’t new, but many seem to have missed it- Mozilla’s plugin check tool now supports multiple browsers, not just Firefox.  Just go to the URL, with each of your browsers and the plugin tool will list installed plugins and give you a status:

Outdated Version gives you a link to update

Up to Date gives a “thumbs up”

Unknown gives a “research button” which launches a search for you.

The value isn’t just in making sure your plugins are up to date, but also in showing you a list of them.  As with anything else in security, get rid of any you don’t need.  You may have to settle for disabling some items which can’t be uninstalled.

So what’s the bad news?  After you have done this with all the browsers you use, stop and think about doing that throughout your network.  Mildly annoying to take a few minutes sitting in front of your machine; painful to agonizing, or even impossible throughout a network.  It is enough work making sure the browsers themselves are up to date, plug-ins and add-ons are pretty much hopeless.  Sure, patch- and systems-management tools get the browser and applications, but the extras are hanging out there exposed- and there isn’t a good answer for that.

There’s your weekend ray of sunshine…



Wednesday, January 12, 2011

Shmoocon FireTalks

Shmoocon is only a couple of weeks away.  This year, I’ve offered to help with the FireTalks.  FireTalks are two-hour sessions of 15 minute talks given in the evenings between the normal course of Shmoocon talks and whatever debauchery is planned for the later hours.

There are still speaking slots open, and we could use a few more sponsors, too.

Head over to the NovaInfosec Portal and see this post for more information.