Monday, November 18, 2013

When is a patch not a patch?

When is a patch not a patch?  When it is not a patch.  That seems rather obvious, but sometimes we lose sight of the obvious when talking about patching and vulnerability management (and a lot of other things).

In my “day job” at Tenable, we think about vulnerability management a lot, it is what we do.  We also think about patching and patch management a lot, even though that is not what we do.  (I often wish companies who sell patching and patch management systems were similarly honest about their core competencies, but that’s a rant for another day- it is not quite floor wax and dessert topping territory, but patch and vulnerability management are two related things I do not want coming out of a single can, no matter how shiny or tasty they claim to be).

Back to the topic, patching… and not patching.  Patch Tuesday has driven many into a myopic patch mentality; sometimes that works well, sometimes it works well enough, and sometimes it leads to stupidity.  (Tangent number two: I was always a fan of Shavlik, I don’t know what VMware was thinking when they acquired and nearly ruined them, but thankfully Shavlik has survived, escaped, and will hopefully recover fully).  But patching isn’t always the answer; when a vulnerability is found there should be a logical process for dealing with it, and while “slap a patch on that bad boy” is often a great answer, and frequently the easiest answer, it is not the only answer.

Let’s say you’ve found a vulnerability (or more likely thousands) in your environment, where do you start to deal with it?  There are a handful of questions you need to answer before acting.  In no particular order:

  • Is it real?  I wrote a post on positives and negatives, true and false, some time ago- check out Are you Positive? for thoughts on the topic.  The bottom line is that you need confidence in your findings.  Acting on bad info is rarely a good idea unless you are a politician.
  • Are the “vulnerable” systems exposed?  We don’t always think about online “exposure” the way we should.  We generally understand threats that come to us, whether in the form of physical threats to our homes and offices, or services exposed to the Internet.  In the physical world, we generally only think of going to threatening places in “high-risk” environments, such as high-crime areas or potentially dangerous places such as mountain trails or beaches known for undertow.  The problem with that is that the entire Internet is pretty sketchy, not just the “high-crime” areas.  Legitimate sites are compromised, DNS is hijacked, bad things happen all over- so venturing out is always a little risky.  Any system receiving email or accessing the Internet has some exposure.  Where it gets more tricky is with the indirect exposures- systems which are exposed via pivot or relay.  This often means systems which are not directly exposed to the Internet, but which are exposed to Internet-accessing systems.  This sort of attack path analysis can be challenging, but it does add context to our efforts at understanding exposures and mitigating vulnerabilities.  (Forgive me for not addressing air-gapped systems here, but you will note I am not addressing unicorns, either).
  • Do we care?
    • Should we care?
    • If so, how much?
    • Do the vulnerabilities really expose anything important?
      • How much exposure are you comfortable with?
  • What risks are posed by potential exploit of the vulnerability?
  • What risks are posed by the patch or mitigation?
  • Does the cost of mitigating the vulnerability make sense?  Spending a dollar to protect a dime is probably not the best use of limited resources.
  • Are there known exploits in the wild for the vulnerability?  There may be unknown exploits, but ignore known Bad Things™ at your own risk.
  • Is a patch the best answer?  Maybe you should just uninstall or disable the application or service.  If you don’t need it, kill it.  Maybe there are other mitigations like network segmentation or other ACLs, configuration settings, permissions restrictions, or tools like Microsoft’s EMET which can reduce or eliminate the exposure.  This requires an understanding of the implications of each mitigation- sometimes it is easiest to “just patch”, but patching is not without risks.
  • Can you recover quickly from whatever mitigation you deploy?  Sometimes unwinding a bad patch is as simple as logging into your patch or systems management server and removing the patch.  Sometimes it involves re-imaging thousands of systems.  If faced with the latter, how would you handle it (besides updating your resume)?

I’m sure you can think of more, but this list should start or re-start a conversation I hope you’ve already had several times.

I can’t write about patching without addressing a little problem I thought was pretty much behind us, at least for Microsoft: bad patches.  For years I have advocated rapid patching of Microsoft systems since they have done an outstanding job of QA on their updates.  Back in the days when I was an admin in the trenches I patched fast, with a 72-hour patch target for desktops and laptops, and a 10-day target for most servers.  Obviously, some testing is needed, and a lot of testing is needed for critical systems- but you have to decide if the risk of deploying a patch outweighs the risk of not patching, and how other possible mitigations might change the risk.  This has been made a little trickier by the past year’s string of “less than perfect” patches coming from Redmond.  I chatted about this topic with Pat Gray on a recent episode of his outstanding Risky Business podcast.  Microsoft updates are the largest software distribution system in the world, and the quality of the patches is still generally very good.  “Generally very good” might be good enough to push patches to a lot of systems in a rolling deployment after a short test cycle, but it is probably not good enough to skip thorough testing before testing on critical systems.

In the immortal words of Spock: “Patch well and prosper”.

Or something like that.


Saturday, November 9, 2013

Microsoft MVP Summit

Headed to the Microsoft MVP Summit?  If so, please stop by and join me at an informal gathering for Security MVPs and like-minded folks on Sunday night, Nov 17.  Drop in anytime between 7 and 10:30 and say hello.  Stay for a few minutes, or a couple of hours- and enjoy snacks, drinks, and conversation.  Send me an email at jdaniel [at] for more details and venue info.  (It is very close to all the MVP goings-on in Bellevue, a short walk from any of the event hotels).

This reception will be sponsored by the nice folks who routinely send me a paycheck, Tenable Network Security.  No sales pitches, banners, or anything like that- Tenable is just encouraging conversations, as we often do.

See you there.


Saturday, September 14, 2013

Can you trust them?

Let’s turn a common theme in InfoSec upside down:

Can you trust, and should you hire, former ~~hackers~~ government employees?

In the still-unfolding Snowden saga, we now have allegations that the US government, specifically the NSA, has attacked cryptography at scale, including the software, protocols, and algorithms we rely on for secure and private communications.  On one hand, I have to say “duh, that’s their job”, but it certainly appears to me that they have significantly overstepped their authority and damaged our ability to secure our data.  While I hold some senior NSA officials, notably General Alexander, partially responsible for part of this abuse, I believe that the real blame lies with the past couple of presidents and the Congress for their utter abandonment of responsibility to the Constitution, and to us, the citizens it is designed to protect.  The NSA (as is true for much of the US federal government) is full of great people, working very hard to properly execute their assigned tasks.  But, if your assigned task is something like fighting terrorism, or combatting drugs, or child pornography- it is only natural that you will lose perspective in the face of the horrors you are trying to combat.  (Don’t get me wrong, I know that a lot of folks are in the “war on [whatever]” as profiteers, but I believe most people are trying to do what they believe to be right).  That’s where the elusive property of “oversight” comes in.  Or in the case of things like the abuses of the NSA, oversight should come in, but presidents, congress critters, and others have abdicated their sworn duties.

Back to the question at hand…

Having “NSA” on your resume has traditionally been seen as an asset.  We now have credible claims that government agents have subverted the security of the systems we rely on, in some cases by covert infiltration of private enterprise.

Imbecile executives in the InfoSec industry like to make pronouncements like “We don’t hire hackers”, showing their ignorance of what “hacker” means to many people, and limiting their pool of talented recruits.  Computer criminals have a hard time concealing their past convictions, but covert agents have the power of the intelligence community behind them to create squeaky-clean résumés.  Is that former NSA researcher, the one who is now working on your software, really “former”?

Thus, we have to ask: Is it time for NSA to become scarlet letters on a résumé?

For the record, I don’t think so- but I do believe it is past time to reflect on “who can you trust” before hiring people and putting them in positions of responsibility, regardless of their past.

And that’s a belief I am confident the NSA shares with me…

(Image Attribution: Laura Poitras / Praxis Films)



[Note: I have not provided links to anything in this post. There are so many sources, with so many revelations, counterclaims, and outright lies that I’ll leave you to use the sources you trust, and reach your own conclusions on the reality and implications of this mess].

Thursday, September 12, 2013

Security BSides, stories and back-stories, part 1

I realize that I’m overdue on providing an update on all things Security BSides, so here is a start.  Usual disclaimers apply, I’m writing personally, not on behalf of BSides or any of the BSides event or organizations, etc..


This weekend will be the 92nd Security BSides, in Augusta, Georgia, a new city for BSides.  That makes 92 events in just over four years, spanning 51 cities, 11 countries, and 5 continents.  And event 100 is just over a month away.  In reality, there will be three events on October 18, numbers 99-101, so let’s call it a three-way tie for 100th.  That three-way tie spans three countries, Poland, Canada, and the US.  Pretty damned amazing if you ask me.

But let’s back up- just what is this “BSides” thing anyway?  There is still some confusion, and a little misinformation floating around.  It started when a handful of people had some ideas, which coalesced and merged the different thoughts into an event in July of 2009, parallel with Black Hat USA and before DEF CON.  The semi-official history is on the Security BSides wiki.  The original idea was to offer a “B-side” to the “A-side” events.  For those unfamiliar with the term, back in Ye Olden Days we listened to music on spinning bits of plastic called “records”; on singles there was usually a mass-market appeal (at least the artists and producers hoped so) song on the A-side, and the B-side was generally more experimental, or more artistic instead of pop-centric.  When such things made it to the radio, A-sides were generally on AM and B-sides were often on that fancy FM.  That’s what we imagined for BSides, a place for more experimental, niche-audience content, plus some things with wider appeal.

(To save you Googling it, “Baby Face” was the A-side to this Little Richard B-side, “I’ll never let you go”)

The first event was held in a rented house in west Las Vegas, a lot of folks came together and made it happen (I won’t try listing names, there are too many to list- besides, everyone who showed up helped make it happen in some way).  We had about 200 people through the house in the two day event, and it was a great success.  People wanted more, so several of us began discussing “next steps”.

There was demand for a BSides parallel with RSA in San Francisco, and the San Francisco-based BSides crew started working to make that happen.

Before the event in San Francisco, some people wanted to have an event by the Bay in Mountain View, but there was no “A-side” event.  General consensus was that BSides events didn’t need an A-side to be successful, or to be useful to the community- so BSides Bay happened in December of 2009.  That’s right, the second-ever BSides didn’t have an A-side.  In fact, most Security BSides events haven’t had an A-side event.  By my count, only 27 of the 91 BSides events held thus far have been adjacent to, or parallel with, another event- and it is becoming less common.  Only 8 out of the 41 BSides this year have an adjacent event.  The standalone events often provide underserved communities with a security/hacker event where none would otherwise happen, and that is a huge part of the value the BSides community brings to the greater security and hacker community.

BSides do not require an A-Side, and over two-thirds of Security BSides have been standalone events.  BSides offer a B-Side to the mainstream.

Many of those 27 were done in cooperation with the adjacent event, sometimes even co-branding and cross-promoting to increase value to all attendees and participants.  Sure, some tensions do happen, but the two big overlapping event pairs (RSA US/BSides San Francisco and Black Hat/BSides Las Vegas) now have open communications and cooperation between the events.  Also, some proposed BSides events never happen; the BSides community sometimes discourages ones which might fragment or stress adjacent community-driven events.  (Note that there has never been a BSides around Shmoocon, for example).

BSides strive to work with and respect adjacent events.

There is a lot more to tell, but that’s enough for this post.  I’ll follow up with more on BSides in coming posts- until then, check the front page of the BSides wiki for all of the upcoming events around the world.

Oh, and pencil in Tuesday and Wednesday, August 5-6 2014 for Security BSides Las Vegas.  That’s right, we’re changing the days of BSidesLV to reduce overlap with both Black Hat USA and DEF CON- many people in the community have responsibilities which span two or all three of the events of that week, and this move makes it easier to meet those responsibilities.  Or maybe just give people time to sneak over to Frankie’s or Double Down to unwind a bit between duties.


Tuesday, July 23, 2013

Hacker Summer Camp and @HackerRoad

Next week is “Hacker Summer Camp”, also known as BSides Las Vegas, Black Hat, and DEF CON week.  As you might expect, I’ll be at BSides most of next week, then heading over to DEF CON when we finish ~~hiding all the bodies~~ cleaning up and packing out.  We have a killer lineup for BSidesLV as always, and Irongeek will be recording the sessions so you can catch up if you won’t be joining us or miss one you want to see.

I’ll be giving a talk in the Common Ground track, a decidedly non-InfoSec talk:

The Erudite Inebriate’s Guide to Life, Liberty, and the Purſuit of Happineſs

An exploration of bitters, classic cocktails and other stuff

That will be on Wednesday at 16:30 in the Tuscany room.  I’ll also be joining the all-star lineup of Davi Ottenheimer, Raymond Umerley, Steve Werby, David Mortman and George V. Hulme on Thursday at 12:30 in Florence G for a panel discussion on breach notifications, ethics, and law.

I’ll once again be participating in DEF CON Hacker Pyramid and beard competitions, and of course providing logistical support for the FAIL Panel.  But no pink camisoles this year.  Well, probably not.  Possibly something worse, though.

And finally, for a little entertainment, follow the adventures of video guy Steve and me as we drive from Cape Cod to Las Vegas and back.  Face it, you’ll just be pretending to work until next week, either in prep for the trip, or out of bitterness because you can’t go.  So follow the adventures on Twitter at @HackerRoad as we wander the countryside cursing the latest update to Google Maps for Android, stop at distilleries, and spread cheer wherever we go. Or something like that. Maps, photos, video, etc. will be posted to or linked from that Twitter feed.  (Yes, that’s the old Shmoobus account, rebranded for a more wide-ranging set of adventures).  The road trip is made possible by my awesome employers at Tenable Network Security, who are too smart to directly sponsor something this silly, but are kind enough to indulge me taking time for such madness.



Thursday, July 18, 2013

Missing the lessons

Listen up people, I enjoy a pointless socio-political sequential rant on Twitter as much as most folks (I say sequential rant instead of debate, because real debate rarely happens on Twitter)- but seriously, almost the entire InfoSec world is missing the lessons of Manning, Snowden, et al. which are relevant to our goals of securing info.  Also, I see way too many people who should know better falling into the media, troll, and pundit (hard to tell the difference sometimes, probably because there isn’t always a difference) trap of narrowing choices.

Let’s start with the choice flaw: if you are given an “either/or” choice and fall for it, you’ve let the punditroll define the terms of the conversation, and you’ve lost (or at least truth has lost, but what the hell, The Truth is sadly accustomed to losing).  Is [Snowden/Manning/U.S. Grant/George Washington] a hero, traitor, or demon? Yes and no to all of the above- it depends on your position and too many other factors.  Reject the either/or fallacy, and don’t participate in it.

Now, about the lessons- politics, justice, and all that stuff best decided on Twitter or Reddit (or 4Chan) needs to be set aside for a minute so we can look at the security challenge.  My first InfoSec reaction to both the Manning and Snowden breaches was WHY THE HELL DID HE HAVE ACCESS TO ALL OF THAT?!?!?  A few hundred thousand diplomatic cables and other sensitive info freely available at a forward military base- all of which could be accessed and copied by enlisted personnel without supervision- and without setting off any detections?  Treasure troves of Top Secret documents available to a junior contract employee of an intelligence contractor?   Epic failures of fundamental information protection.

The US Department of Defense knows better, but they failed miserably.  To their credit, they’re trying to fix those access problems, but that is not an easy task, and I fear that those beating the Drums of Cyberwar will distract the DoD from getting the basics under control.  And what about Boozed-Allen-give-us-the-Hamiltons?  We (literally we, US taxpayers) pay them a lot of money to screw up.  As I have said many times before, never outsource your core competencies, especially failure.

I understand that this is not a simple challenge, but if you can’t answer

“Who has access to what, under what conditions, and with what monitoring and safeguards?”

you have a problem.  Probably more than one.  And no, I do not expect you to be able to answer that about everything you need to protect.  But maybe, just maybe, the stuff that can embroil multiple nations in political and diplomatic turmoil if leaked- that stuff, you should put a little thought into protecting it.  Maybe you don’t protect (or fail to protect) anything that sensitive, but you probably help protect things which if lost would cause people (including you) to have A Really Bad Day.  Skip the next round of pundit listening or troll feeding and think about that.


Monday, July 1, 2013

Please, let it go.

I thought it would calm down after RSA earlier this year, all the hype and nonsense about “active defense” and “hacking back”.  But it hasn’t.  Sure, there have been ebbs and flows, but the nonsense continues.  I guess it’s my turn to add to it.

If you have had your first serious discussions about “active defense” and/or “hacking back” in the past year or so you are either new to the business, or are negligent.  Period.

If you make the claim that “active defense” is only a euphemism for “hacking back”, you are either hyping an agenda, or selling a (probably outdated) security model.  Or perhaps you’ve just been misled by the previously mentioned shysters.  By my count that’s three flavors of wrong, although one may be slightly less bitter.

Let’s start with “active defense”.  It is not a new idea, and it doesn’t necessarily mean hacking back.  It may encompass counterattacks, but there are a lot of active defenses far short of attack.  Call it what you want, active defense, or offensive countermeasures (as John Strand and Paul Asadoorian have called it), or devious defense, or maybe just “not lying there and taking it passively”.  If an action causes you or a system to take a corrective or defensive action- that is “active”.  Try too many bad passwords- we’ll lock the account.  That’s active (if somewhat lethargic) and very old.  IPS?  IDS triggering scripts to block traffic?  Those are not new, and are not passive.  (Although, as Chris Hoff posits in a recent post, most inline defenses are deployed in passive mode).  In Ye Olden Days we could even take the “active” defense of contacting an ISP and asking them to block someone (yes, kiddies, once upon a time this actually worked, albeit sporadically).  How about tools like Ben Jackson’s cool WebLabyrinth- that’s certainly active.  Sure, you can cross over to things like setting traps which report back to you when files are taken, or hiding malware in tempting looking docs- but those are one end of a long scale, and still fall short of directly attacking your attackers.  And about that “attacking your attackers” thing- if you have ever defended a network under attack and not done a little “thought exercise” about buying some temporary relief via counterstrike… well, your heart is more pure than mine and many others I know.  Also, if you believe that digital counterstrikes haven’t been an “off-menu” offering for some boutique (and probably not-so-boutique) consultancies for quite a while… let’s just say you can stop waiting for the Easter Bunny.

Oh, and the “but, but, attribution”, “blaming victims”, and “attacking innocent bystanders” stuff?  Yeah, no.  I’m so sick of this nonsense I’m going into dangerous territory and using an inappropriate and incendiary metaphor. You’ve been warned.

If you fail to secure your firearms and someone steals them, then uses them in the commission of a crime…

(I told you it was going to be bad).  Backing away from extreme hyperbole now- my point is that if you can identify a source or relay point in an attack, you have likely identified a negligent party who is probably also a victim, but I’m not giving them a blanket grant of innocence.  This does not necessarily mean I support attacking them, but let’s be honest about their unwitting complicity in Crimes Against the Internet.  To me, this changes the nature of what *might* be an acceptable counterattack from “rm -rf” to “shutdown -h now”.  Yes, yes- it isn’t illegal to be negligent on the Internet, but the laws are so far behind the technology that they are largely irrelevant until YOU get caught up in them.

A few months ago Dan Geer took a pro- “offensive defense” position on the Risky Business podcast episode 273.  It is worth a listen, and I largely agree.  I’m not suggesting you start attacking things unless and until the laws change and your organization has serious and candid conversations on the ramifications of your actions- it is not a course of action for the unskilled or faint of heart.  For most, I think effort would be better spent improving defense and response instead of engaging in digital combat, but for some I believe it could be a viable option.  For some, it has been and will remain a viable option (debate ethics, legality, and liability all you want, that doesn’t change the fact that it has happened and will continue to happen).

Now can we please have some adult conversations about these topics, and stop the faux-naivety and real hype?  Oh, wait, InfoSec.  Right, nevermind.



Monday, June 10, 2013

More on the Second Amendment and Arms

Yesterday I put up a quick little post pondering the significance of the categorization of software as "arms", and the possible implications for Second Amendment protection of "cyber arms".  Last night, Jack Whitsitt (@sintixerr on Twitter) published a more comprehensive post on the topic, one he's been working on for a few weeks- check it out, it is a well thought out piece:


Sunday, June 9, 2013

“Cyber arms” and the Second Amendment

It started as a flippant Sunday-morning-at-the-coffee-shop tweet while I was awaiting caffeinated goodness- I tweeted:

“The Second Amendment should apply to cyber arms, for the same reasons it protects guns.”

But as I reflect on it, I realize that this raises interesting questions (even if they are just thought exercises- for now).

Amendment II states:

“A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed”


(By the way- if you ever doubted the significance of commas, this Amendment should remove all doubt- even as we argue their meaning in this case).

I have no desire to get into the gun control debates- but the Second doesn’t mention guns, it says “Arms”.  Note that “Arms” is not specifically defined, allowing for currently accepted definitions to be applied- even if (to the best of my knowledge) it has only applied to firearms up to this point in time.  The interpretation of the Second Amendment is certainly not alone in its need for clarification or interpretation in light of the changing state of “weaponization” of software- the Computer Fraud and Abuse Act (CFAA) is more desperately in need of overhaul.

It seems to me, as a non-lawyer and barstool constitutionalist, that the US government's restrictions on exports of crypto and other security technologies, combined with the recent news that

“Six U.S. Air Force cyber capabilities designated "weapons"”

makes this a legitimate issue.  As with any tool or weapon, actual usage (and intent) will determine legality- but this could be an angle to combat those who wish to outlaw “hacking tools”.  The issue of what constitutes a “hacking tool” has always been tricky, especially since a web browser and a telnet client are sufficient to compromise hundreds of thousands of systems on the Internet.  I’m sure a strong case can be made against some crimeware kits as hacking tools- but few tools are purely evil (see Back Orifice for example, arguably a better admin tool in its day than what was commercially available).

Again I present you with more questions than answers, but now you have something to ponder while the Snowden/NSA story unfolds (and refolds, and unfolds into a Möbius strip or whatever it is now).



Wednesday, May 29, 2013


My wife and I have three vehicles: two are red, two have manual transmissions, and two are diesels.  What is statistically significant about this?

Stumped? OK, more data: none of the vehicles has all three of the characteristics listed above.

Now it is obvious, isn’t it?  That’s right, the statistical significance of this is ABSOLUTELY FRIGGEN NOTHING.  Just because you can measure something doesn’t mean you should- and even if measurement makes sense, just piling numbers up doesn’t make the resultant mess informative or useful.

Please, think before you math.

(Why yes, I have been reading so-called InfoSec “reports” and “studies” again, why do you ask?)



Thursday, May 2, 2013

You know stuff. Share it. We’ll help.

You know stuff, you’ve seen interesting things, done interesting research, have a unique perspective.  You also know that the ability to communicate effectively and deliver your message to an audience is critical to professional success.  But you haven’t spoken at a major event, and you need some advice and encouragement.  Maybe you are intimidated by public speaking- that’s very common (there’s even a word for this common fear, glossophobia).  Well, we’re here for you.  By “we”, I mean the BSides community in general, and in this case BSides Las Vegas in particular.

BSides events have always encouraged new speakers, and some events have offered or are offering guidance, up to and including mentorship and coaching. This year we are continuing the Proving Ground track at BSides Las Vegas, a program which pairs those new to speaking, or at least new to speaking at a national event, with experienced speakers who will mentor, guide, and encourage you through developing, tuning, and presenting your talk at BSides Las Vegas.

From the website:

One of our tracks is “Proving Ground” and the main criteria to get a slot in this track will be being a first time conference speaker. As we all know how hard it can be to find your voice, or even to just translate data into talking points that won’t lose your audience, we’re looking to pair each of the Proving Ground applicants up with a mid to high profile mentor, with a solid track record of public speaking, who will work with them from CFP to podium.

If this program sounds like something you’d be interested in, please review the BSLV Mentorship Program Information.

I sometimes use this image in “how to give better presentations” talks, because I think it shows what is wrong with talks at a lot of conferences- the focus is on the speaker, not on the audience where it belongs.  In the Proving Ground track our mentors put the focus on you, the new speaker- this gives you the support you need to focus on your message, and your audience.


Time is running out to submit for this opportunity, please review the information on the website, and submit if you can join us for BSides Las Vegas.

What if you are a more experienced speaker, but know you can do better?  Would a workshop with other speakers, sharing ideas and constructive criticism interest you?  Well then- let me know, and stay tuned.  And watch James Arlen’s talk on the topic if you get the chance whenever he’s giving it again.



Wednesday, May 1, 2013

The envelopes please…

I had a great time in London last week, I finally got to BSides London, had a good show at InfoSecurity Europe, and talked to partners and customers- and I got to co-host the second annual (we can call it that after only two, right?) Security Bloggers Meetup and first European Security Bloggers awards.  The blogger gathering was great, I got to meet and catch up with a lot of folks I don’t often see, and there were a lot of great conversations throughout the evening.

About those awards- the winners were:

Congrats to all the winners.

Big thanks again to Brian Honan for the heavy lifting in organizing the event and awards, to my coworkers and employer, Tenable Network Security, for sponsoring and arranging the food, drink, and venue, and to Qualys for sponsoring the awards.

We’ve already started planning for next year- the venue was great, so Tenable has again reserved the Prince of Teck pub for the evening of Tuesday, 29th of April 2014 for the next European Security Bloggers Meetup and Awards.



Friday, April 12, 2013

European Security Bloggers’ Awards

The European Security Bloggers’ Meetup is getting closer, and the nominations are in for the first European Security Blogger Awards.  Voting is now open at  The rules are simple:

  • Only one vote per person.
    • How many votes per person?
      • One
  • We reserve the right to validate any of the votes by using the contact details given.
  • Judges' decision is final.
  • The purpose of the awards is to provide a fun platform to recognise those who share with the community. Please respect the spirit of the awards.

The Meetup will be on Tuesday the 23rd of April at the Prince of Teck Pub, from 18:00.  The Prince of Teck is near Earl’s Court, the site of InfoSecurity Europe.  If you would like to join us, please register here at Eventbrite.

This wouldn’t be possible without the efforts of Brian Honan, so if you join us make sure to thank him when you see him.

The European Information Security Bloggers Meetup is sponsored by the nice folks I work for, Tenable Network Security.  And- I’m happy to announce that awards will be sponsored by the good folks at Qualys.



Wednesday, April 3, 2013

Digital Natives, Digital Savages, and immigration

It has been a while since I’ve written about “Digital Natives”, but Krypt3ia’s recent post Digital Natives, Digital Immigrants, Exo-Nationals and The Digital Lord of The Flies has me thinking about it again.  He raises some great points in that post, and I would like to add a few thoughts of my own.  If you haven’t seen it already, take a few minutes to read Krypt3ia’s post, and I’ll meet you back here.

I think about the generational issues in technology and security, and only partly because I’m old.  Generational anomalies have intrigued me since I was a kid.  Back then I had a realization about my peers, I believe there were effectively two generations of the same age- those of us who were “late babies” of folks who went through World War II, and those who were the children of younger parents.  Those of us whose parents fought the war (mom flew in the WASP, dad served in the Navy) seemed to straddle the generation between our older siblings (the real Baby Boomers) and our peers.  If you know folks born in the late 50s or early 60s, float this idea past them and see what they say.  Enough tangent, back on topic Jack.

Caution: metaphor and analogy abuse ahead, with some stereotyping thrown in for added color.  And I sound like an old fart.  Which I am.

First, those who have grown up with computer technology, the Digital Natives, have a level of familiarity and comfort with technology which is often mistaken for expertise- but for many the expertise is superficial at best.  Those of us who work in technology, especially in security, are often amazed by the brilliant young people around us- but we forget they are anomalies, not the norm.  The ability to grok the latest changes to Facebook does not equate to an understanding of web technology as much as it displays a level of comfort and familiarity.

That familiarity can be a problem- familiarity removes fear, and a lack of fear leads to excessive trust.  This should be a critical concern for those involved in security and privacy.  The familiarity and comfort often translates into people with amazing proficiency in technology, and a level of effectiveness that is astounding- just don’t forget to assess the security awareness of those young folks.

And about that effectiveness, it is not ubiquitous- let’s talk about your local gas stations, convenience stores, budget hotels, and livery services…  Yeah, if we’re going to use words like “natives” for people who have grown up with tech and “immigrants” for us old farts I am going there.  Dismissing “immigrants” is stupid, they (we) often fill niches in the economy that natives do not, for whatever reason.  The same is certainly true for technology.  It would be easy to resort to ignorant claims about natives’ aversion to hard work- but that is certainly not true in tech, and the work on stress and burnout I’ve been involved in proves that.  It is also true that many “immigrants” will never master the level of understanding of new technology that will be required to keep up in the rapidly changing world of technology, but it is also true that those who have survived the workplace for a few decades are more likely to be able to effectively deal with the harsh realities of working for a living after surviving it all these years.

OK then, what’s your point Jack?  I’m not sure I have one, other than a sweeping generalization warning against buying in to sweeping generalizations.  If I were a better person I would suggest more cooperation and communication between generations to help each other adapt to the challenges we face, but that’s not my style.


And get off my lawn.


Tuesday, March 19, 2013

European Security Bloggers Meetup and Awards

This year will be the second annual European Security Bloggers’ Meetup, and will include the first European Blogger Awards.  The meetup will be Tuesday evening, the 23rd of April, from 18:00-21:00, in Kensington (London) near the Earls Court conference center (the site of InfoSecurity Europe).

BSides London is the following day, so it will be a busy week- join us for a relaxing and conversational evening before the madness gets overwhelming.

If you are a security blogger or podcaster, please sign up at the event’s Eventbrite page to get all the details.

Also, if you are a European security blogger or podcaster, please participate in the blogger award survey, nominate your favorite blogs and podcast now.

And thanks to Tenable Network Security (my employer), who has signed on as sponsor of this year’s gathering.



Sunday, March 17, 2013

ThreadFix, an Open Source tool for software vulnerability management

As many know, I’ve spent the last couple of years in the vulnerability management world- at least what we generally accept as “vulnerability management”.  Although I think what we do at my “day job” (what a quaint concept, “day job”) is stellar, there is a hole in vulnerability management- vulnerability management for applications from a code review and process management perspective.  Known and published application vulnerabilities are part of a mature vulnerability management program, but what about the results of internal and external code review and testing- how do you manage disparate data sources on vulnerabilities in your organization’s code?  How do you share that information, and get the right information to the right people- in the format they want?  How do you leverage the information as quickly and effectively as possible?  For many people, I assume a kludge of ticketing and bug-tracking tools are used, probably with a few spreadsheets tossed in to connect dots that the tools don’t support.


Enter the good folks at Denim Group, they have created ThreadFix, an Open Source “application vulnerability management platform”.  I had a chance to sit down with Dan and John from Denim at the recent RSA conference and take a look at ThreadFix, I’m impressed.  Application security is not a major part of my day to day work, but it is still an area I try to keep an eye on- and ThreadFix looks like a great project.  As I mentioned, it is Open Source, but it also has an established application security company behind it- this means you can grab the code from Google code and run with it on your own, or you can turn to Denim for assistance and support if you need some corporate backing in your environment.  The features of ThreadFix (from Denim’s ThreadFix page) include:

  • Simplified View of Application Test Results
    • Consolidate and de-duplicate imported results from open source, commercial dynamic and static scanning tools, as well as the results of manual testing and threat modeling to get a complete view of the state of your applications.
  • Reports
    • Get the latest security status of your applications while providing an eagle’s-eye view of your organization’s progress over time to pinpoint any process problems.
  • Defect Tracker Integration
    • Help security professionals translate application vulnerabilities into software defects and push tasks to developers in the tools and systems they are already using.
  • Virtual Patching
    • Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization takes on remediation of your applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injections.
  • Compatible with Open Source and Commercial Products
    • ThreadFix is compatible with a number of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS and WAFs and defect trackers.

Version 1.1 of ThreadFix is available as a release candidate now, and should be available as a stable release very soon; 1.1 adds support for additional scanners, including NTO Spider and IBM AppScan, and numerous other enhancements (and, of course, bug fixes).

If application security is part of your world, take a look at ThreadFix.
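The consolidate/de-duplicate, defect tracker and virtual patching features listed above, as an added JavaScript example that is not ThreadFix’s or Denim Group’s own code: two constructed scanner exports are normalized to one shape, merged on (CWE, path, parameter), and then turned into a ticket record and a ModSecurity-style rule.  The scanner formats, host names, severity scale and the name-to-CWE mapping are all assumptions made for the example.

```javascript
// Added example (not ThreadFix's or Denim Group's code): merge findings from two scanners
// into one de-duplicated view, then produce the two downstream artifacts the post lists,
// a defect-tracker record and a virtual-patch (WAF) rule. All exports below are constructed.

// Constructed export from a dynamic scanner: it reports by URL and parameter.
const dynamicExport = [
  { name: "Cross-Site Scripting (Reflected)", url: "http://app.example/search?q=1", param: "q", severity: "High" },
  { name: "SQL Injection", url: "http://app.example/login", param: "user", severity: "Critical" },
  { name: "Cross-Site Scripting (Reflected)", url: "http://app.example/search?q=2", param: "q", severity: "High" },
  { name: "Missing X-Frame-Options Header", url: "http://app.example/", param: "", severity: "Low" },
];

// Constructed export from a static scanner: it reports by CWE, source location and the route it maps to.
const staticExport = [
  { cwe: 79, file: "src/search.js", line: 42, route: "/search", input: "q", severity: "Medium" },
  { cwe: 89, file: "src/auth.js", line: 17, route: "/login", input: "user", severity: "High" },
  { cwe: 22, file: "src/files.js", line: 9, route: "/download", input: "name", severity: "High" },
];

// Scanners name the same flaw differently; CWE ids give both tools one vocabulary (constructed mapping).
const NAME_TO_CWE = {
  "Cross-Site Scripting (Reflected)": 79,
  "SQL Injection": 89,
  "Path Traversal": 22,
};
const SEVERITY_RANK = { Low: 1, Medium: 2, High: 3, Critical: 4 };

// Normalize both formats to one shape; (cwe, path, param) is what identifies a single flaw.
function normalizeDynamic(f) {
  return { cwe: NAME_TO_CWE[f.name], path: new URL(f.url).pathname, param: f.param,
           severity: f.severity, source: `dynamic:${f.url}` };
}
function normalizeStatic(f) {
  return { cwe: f.cwe, path: f.route, param: f.input,
           severity: f.severity, source: `static:${f.file}:${f.line}` };
}

// Consolidate: one record per (cwe, path, param), every source that saw it, highest severity wins.
// Findings whose category has no CWE mapping are kept aside for triage rather than silently dropped.
function consolidate(findings) {
  const byKey = new Map();
  const unmapped = [];
  for (const f of findings) {
    if (f.cwe === undefined) { unmapped.push(f); continue; }
    const key = `${f.cwe}|${f.path}|${f.param}`;
    const seen = byKey.get(key);
    if (!seen) {
      byKey.set(key, { cwe: f.cwe, path: f.path, param: f.param, severity: f.severity, sources: [f.source] });
    } else {
      seen.sources.push(f.source);
      if (SEVERITY_RANK[f.severity] > SEVERITY_RANK[seen.severity]) seen.severity = f.severity;
    }
  }
  return { consolidated: [...byKey.values()], unmapped };
}

// Defect-tracker integration: the shape a developer-facing ticket would carry.
function toDefect(f) {
  return {
    title: `CWE-${f.cwe} in ${f.path} (parameter "${f.param}")`,
    priority: f.severity,
    description: `Reported by ${f.sources.length} source(s):\n` + f.sources.map((s) => `- ${s}`).join("\n"),
    labels: ["security", `cwe-${f.cwe}`],
  };
}

// Virtual patching: a stopgap ModSecurity-style rule scoped to the exact path and parameter.
// The patterns are deliberately narrow signatures; they buy time while the code is fixed, nothing more.
const VIRTUAL_PATCH_PATTERNS = {
  79: "(?i)<script|javascript:|on\\w+\\s*=",
  89: "(?i)'\\s*(or|and)\\b|union\\s+select|--",
  22: "\\.\\./|%2e%2e",
};
function toVirtualPatch(f, ruleId) {
  const pattern = VIRTUAL_PATCH_PATTERNS[f.cwe];
  if (!pattern) return null; // no generic signature for this CWE: needs a hand-written rule
  return [
    `SecRule REQUEST_URI "@beginsWith ${f.path}" "id:${ruleId},phase:2,t:none,deny,status:403,` +
      `msg:'Virtual patch for CWE-${f.cwe} at ${f.path} (${f.param})',chain"`,
    `    SecRule ARGS:${f.param} "@rx ${pattern}" "t:none,t:urlDecodeUni"`,
  ].join("\n");
}

// Whole pipeline: import, consolidate, then emit tickets and virtual patches.
function runPipeline(dynamic, statics) {
  const all = [...dynamic.map(normalizeDynamic), ...statics.map(normalizeStatic)];
  const { consolidated, unmapped } = consolidate(all);
  return {
    consolidated,
    unmapped,
    defects: consolidated.map(toDefect),
    virtualPatches: consolidated.map((f, i) => toVirtualPatch(f, 100001 + i)).filter(Boolean),
  };
}

const report = runPipeline(dynamicExport, staticExport);
console.log(JSON.stringify(report, null, 2));
```

The three reflected-XSS reports (two dynamic payloads and one static finding) collapse into one record with three sources, and the header finding with no CWE mapping lands in the triage list instead of disappearing.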

Side note and conference tip: if you want to talk with friends at an event like RSA, and know you’ll be crazy busy- go ahead and schedule a meeting, even through their PR folks’ messages in your inbox.  If you don’t, the week will disappear. Just don’t say “I’ll meet you in the lobby” at events the size of RSA, several thousand other people have the same idea and you end up playing cell phone Marco Polo.  If I hadn’t scheduled time with Dan and John I might have waved to them at a party, but couldn’t have had a meaningful conversation.



Friday, March 15, 2013

Improvement: incremental, or excremental?

“We NEED radical change- the only way we can solve the challenges of securing systems and information is through radical change in the way we… blah, blah, blah”.

What we need, and what many people understand, is to allow reality to participate in our pronouncements.  Yes, the state of InfoSec is pretty sad, and many approaches to improving it have sprouted sects which are devolving into bad religions (note that I didn’t say “metrics”, “risk”, or “pentesting”, you thought of those on your own).  To be clear, my objection is not with these practices, it is with irrational and often myopic faith in them.

I’ll tell you what we NEED, we need a cure for cancer.  Sadly, we aren’t likely to “cure” cancer anytime soon, there are too many different diseases under that label, and too many causes to simply “cure” it.  What we are getting, however, is (for many types of cancer) improved treatment, with improved quality of life, and higher survivability.  I truly hope that within a few generations people will look back on chemotherapy as we look back on bloodletting today; if that happens, I believe it will be through incremental gains.  (Note: do not naively dismiss the occasional value of bloodletting, for some maladies it enforced bed rest when that was what was needed most.  For the record, I am not a doctor, and I don’t even play one on Twitter- I am not suggesting a return to it as a mainstream medical treatment).  So, bloodletting occasionally helped people recover, when it didn’t make them worse or kill them.  Sounds a bit like chemo, doesn’t it?

As for InfoSec: we’re talking packets, not people. Having added a bit of perspective, let’s revisit what we need, and what we might get, in InfoSec.

It would be lovely, like a field of flowers in spring, to make radical changes to infrastructure, code, human behavior, etc.  We could all frolic through the greenfield networks, and rest easy with robust code handling our transactions.  I’m sure we wouldn’t make any mistakes in design or implementation this time.

Just watch out for hay fever in this dream world of yours.



I hate to rain on idealists’ parades (OK, you got me, I love it), but while some people do get to implement rapid radical change, remember that some people also get to win huge lotteries.  If you are reading this blog, I’ll assume that you, like me, are neither of the above.

Most InfoSec professionals, from the trenches to the executive level, are tied to environments with limited and infrequent opportunities for radical change.  We can make things a little better, with the goal of minimizing bad things and gradually improving overall.

Or, if we are brutally honest, we may admit we’re more like sewage plant engineers, and that “stink less tomorrow” is a laudable goal.



But some changes just aren’t worth the effort.  With our environments continuously becoming more hostile and elaborate, doing nothing means losing ground.  BUT, change does not assure improvement, and change for the sake of change may make things worse.  At the risk of offending some friends in the business, spending weeks or months researching a new anti-virus solution, then spending the time and money to implement it may not be worth the effort and investment.  Some poorly thought out “improvements” will actually make your environment less robust, and a lack of familiarity with new systems can set back your ability to properly manage and secure your environment.  Change for the sake of change is crap.  I would suggest you instead spend that time on filling known holes in your visibility and awareness- such as log aggregation and analysis (Disclaimer: yes, I know- I work for a company which sells this kind of tech. I have advocated this for years, it isn’t about sales), or application whitelisting, or improved patching- something, anything, that can actually move you forward.

Unless you are one of the “lottery winners” who can make big things happen fast, focus on the incremental changes you can make today.  And keep a wish list handy for when you win the lottery.



Tuesday, March 5, 2013

Thank goodness that’s over.

As Dickens once said:

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…”

I am, of course, talking about the week of madness in San Francisco which centers on, and swirls around, the RSA conference. I don’t know where to start, it was a wild week.

Security BSides San Francisco was a great event, a new lead organizer and team of new and veteran crew and volunteers put on a great event at a funky new venue, the DNA Lounge. The event also moved to Sunday and Monday from the Mon/Tues it has been the past two years. A couple of things could have gone more smoothly, but it was an outstanding event, in spite of some challenges. A wide variety of great content and peripheral events, and an unusual but effective venue made this event a success. It is hard to believe that three years ago was the first BSidesSF, which was only the third BSides event. BSidesSF 2013 was the 67th BSides event globally (if my count is correct), and we’ve yet to hit the four-year anniversary of the first one. There are a lot of BSides events coming up, check the BSides wiki for all the details.

The RSA Conference itself was even more “RSA Conference” than usual, record attendance (I heard numbers like 24,000 people, but that’s unconfirmed), and record highs and lows. The expo floor was largely disgusting, the level of hype and chicanery was arguably worse than ever (a record not to be savored). This year brought a couple of revelations about the expo floor, primarily this:

The worst of the expo floor largely offers “InfoSec Homeopathy”, but without the advantages of any potential placebo effect- it simply diverts us from appropriate cures.

I would love to get a documentary (mockumentary?) crew to follow a few folks who’ve played this game for many years as they wander the aisles calling out the age of the “new technologies”, the acquired tech left to languish under the mismanagement of big firms, and the absolute snake oil. In this fantasy, Gene Spafford, Marcus Ranum, and Robert Graham are your tour guides through the show floor. I’m too fond of these folks to actually ask them to do it, however. In between the hype and hyperbole, there are always companies at the expo for the right reasons, to engage customers and prospects in rational conversations about their products and services- you just have to look past the booth babes, cars, and screaming barkers.

Speaking of “booth babes”, this year brought a worsening of the “booth babe” phenomenon. I hate to even mention their name for fear that P.T. Barnum was right, but ForeScout’s “Catholic Schoolgirl” attired booth women represented a new low. Based on comments from friends, it may be that no one is going to buy their product based on its merits, but that is no excuse. Sadly, they weren’t alone in the booth misogyny department. Speaking of misogyny, I did get to wear the latest in Misogyny Networks fashions a couple of times during the week.

Note that we do not have to put up with this, InfoSecurity Europe has updated their terms and conditions to prohibit “booth babes”. I applaud InfoSecurity Europe, and hope others follow their lead.

But it was not all bad, the crowds meant good traffic through the corporate overlords’ booth, and we had many good conversations about what we do and the way we see the landscape. Many others in the industry who were at RSAC to conduct business seemed to have a productive event as well. Unfortunately, the high booth traffic meant I didn’t get to see the talks I wanted to see, and there were several that looked good and had good reviews. But for me RSAC is about the business, so that’s where I focused. It’s worth mentioning that many attendees never visit the Expo floor, and many attendees never see a talk, and many seem to only be interested in the parties. You need to find an approach to RSAC that serves your needs- if you don’t, you’ll probably be mired in misery and frustration.

Speaking of parties, I avoided most of them this year and focused on a few smaller events where I could connect and reconnect with people. I did attend the Security Bloggers’ Meetup, it is a can’t-miss event for me where I can see folks in person I normally only see online. This year’s awards were great, with one notable exception: the judges voted me into the SBN “Hall of Fame” over better and more deserving nominees. I am grateful and flattered by the award, I just think many others have contributed more to the security blogging community. Also winning this year was the Pauldotcom podcast, which has won four out of the five years the awards have been given. Since Paul and Larry launched the podcast many years ago, it has grown and evolved- the current crew of Paul, Larry, Mike, Allison, Patrick, and the audio and video team is a pleasure (and occasional terror) to work with and I’m honored to have been a part of it for the past couple of years.

Now, back to work.


Tuesday, February 19, 2013

Find your pebbles

I have just left one of my favorite gatherings of the year, Shmoocon, and I’m now at the Microsoft MVP Summit.  While they are very different events, and the total attendance overlap is probably fewer than five of us, there is a common thread: I’m spending time with people who have found something which interests them, and are exploring and sharing what moves them.

It is easy to dismiss the things we don’t care about personally, or ask “how could anyone get excited about [whatever]?”, but I think encouraging curiosity, exploration, and especially sharing what you know- these things are critically important, personally and professionally.  Even if others don’t agree, or you think you are just amusing yourself.

Some centuries ago a man looked back at his life’s work and said:

“I do not know what I may appear to the world, but to myself I seem to have been only like a boy playing on the sea-shore, and diverting myself in now and then finding a smoother pebble or a prettier shell than ordinary, whilst the great ocean of truth lay all undiscovered before me.”

Granted, some folks find pebbles which are more universally interesting, and shells which lead to advances for the greater good, but I think that quote should encourage you to find your pebbles to study and share.  It seems to have worked for Isaac Newton.


Monday, February 18, 2013

Virtually Absolute. Or not.

It is almost time for the RSA Conference, where those in attendance (and via the media, those not in attendance) will be bombarded with hype and hyperbole, on topics old, less old, contrary to popular belief, even new. 

The part of RSA which frustrates and demoralizes most attendees is the expo floor.  Some people avoid it entirely, which I can appreciate- but for those of us in the industry, we have to be on the floor, working for our companies, and checking out the state of the industry.  Others see it as a way to check out products and services, and talk directly to the vendors.  Whatever brings you to the expo floor, remember that it is a sales and lead generation event (which explains, poorly, the “booth babes”, fast cars, and other nonsense).

When talking to vendors, my standard advice applies: watch out for absolutes.  If anyone is claiming to have “the answer” to an InfoSec challenge, run away.  If someone claims to have “an answer”, you may want to listen if it interests you (but always keep the BS shields up, and keep an eye on the exit path). 

If you find someone who offers something shrouded in what are often derisively called “weasel words”, pay close attention.  These tend to fall into two categories:

  • Those overstating their product’s or service’s performance, who use weasel words to provide an escape clause for their “exaggerations”
  • Those who know the world is complex and who are unwilling to promise the impossible, but believe in what they do.

In the former case, those not-quite-absolute words are indeed weasel words; in the latter, they are honesty.  Sadly, the former far outweighs the latter.  It may not be a compelling statement, but if someone tells you “I think we may be able to help you solve part of your challenge”, pay attention.  Maybe they’re offering crap, but more likely they are being brutally honest about the challenges of InfoSec, and have probably been in the trenches themselves and didn’t appreciate vendor tall tales.

Note: this advice primarily applies to face-to-face conversations.  Banners and marketing materials have to grab your attention; admit it, you aren’t going to respond if they don’t grab you.

And yes, as implied above, I’ll be at RSA, Tuesday-Thursday, mostly in the Tenable booth (it seems like the least I can do for them, considering the regular paychecks they send me).  I’ll also be around BSides San Francisco on Sunday and Monday.  Stop by and say hello, I’m pretty easy to spot.



Saturday, February 2, 2013

Don’t be “that guy”

I was recently having a conversation with a friend who was telling me a story from a conference a few years ago.  My friend had an unpleasant interaction with an unpleasant person, and in the telling said something like

“I was talking to this guy, [really common first name] something, a real tool…”

to which I said, oh, yeah, HIM! and the story continued- as another friend joined us and when caught up on the story he knew exactly who we meant and had his own stories about [really common first name].  Keep in mind that none of us had uttered a last name, although by now one corporate affiliation had been mentioned to confirm that we were indeed all talking about the same [really common first name], who we all agreed was “a real tool”.

The active part of the InfoSec community really isn’t that big, and bad reputations tend to stick.  There are a lot of brilliant people in our industry, and more than a few successful (by a variety of definitions) people; there are also a fair number of out-of-proportion egos.  Don’t be like [really common first name], a little humility and common decency are probably all that are needed to keep you in good standing.

Perhaps we could all use reminding of the classic Midwestern parents’ admonition “don’t think you’re special, because you’re not”, or maybe the modern equivalent, “yes honey, you are special- just like everyone else”.



Tuesday, January 15, 2013

A contrarian’s book review

You’ve heard about The Phoenix Project, right? This great new book by Gene Kim, Kevin Behr, and George Spafford has received a lot of praise- and deservedly so.  The book is described as “A novel about IT, DevOps, and helping your business win”.


That’s right, a novel.  I was a bit skeptical at first, but it works; it provides practical context for the issues raised.  Some of the problems seem a bit contrived, especially in some of the combinations presented- until you think back on the stunningly dysfunctional places you’ve seen, then it becomes all too believable.

The book explores many common IT issues and extrapolates the consequences across the enterprise- and it also explores the many factors which limit IT’s success, both internal to IT and from the rest of the organization.

I will admit that the ending left me a little disappointed, heroes need to die in the end, or at least ride off into the sunset leaving others behind crying- but this is a business and technology novel, not a western, so I guess I’ll have to forgive them for allowing our hero to both make substantial progress, and survive.  But if there’s a sequel, well, there just had better be fewer survivors.

There is one character who is at risk of not surviving, he suffers from serious burnout- and I want to thank the authors for integrating this very real fact of life into the book (yeah, I know- I owe you an update on that project).  It is a reminder that people are a critical part of technology.

So you already know all about modern business, DevOps, and making technology work for the organization instead of the other way around?  You’ll still get something out of the book, but you may find the book most valuable as a gift to those who you struggle to make understand these issues; this book makes our rants understandable and approachable.  I will admit that I entertained the idea of asking for an “ultra-hard cover” version so that I could use it for percussive persuasion on some folks I’ve dealt with, but Gene didn’t seem to think that was appropriate.  He also seemed to think that “delivering” the book laminated to a clue-by-four was inappropriate- but Gene is a much nicer person than I (and he probably has lawyers and stuff to advise against such things).

The Phoenix Project is available in hardcover (but not ultra-hardcover) and Kindle versions.

If you want to hear from Gene Kim himself about this and whatever else is on his mind, he will be joining us on this week’s Pauldotcom podcast.



Friday, January 11, 2013

“Experts” who tell you to do dumb things…

…are not experts.

We have just had another round of Internet Explorer and Java bugs announced in the past weeks, followed by another round of so-called experts telling everyone to stop using IE and Java.  This is pointless, and counterproductive, and an indication that these “experts” probably have no practical experience in a business environment.

I doubt that anyone who pays attention to security advice is running Java, IE 6/7/8, et al. because they want to- we run these things because we have to, and the decision is out of our control.  Anyone who doesn’t understand this doesn’t understand enough to give advice.

Yes, there are a lot of people running old, vulnerable crap they don’t need.  They aren’t listening to the InfoSec echo chamber, so don’t bother trying to reach them there (here).

It’s like the folks who dumped Adobe Reader in favor of Foxit for security reasons- now scrambling to patch the latest critical vulnerability in Foxit.  I dumped Adobe Reader in favor of Foxit because I find it faster and lighter, and because of a general loathing of Adobe.  I do have to update it less frequently, but I believe that is largely due to the reduced market share relating to reduced value to attackers- much like OS X has never been “secure”, but historically it hasn’t been as targeted as Windows.

I see two central problems feeding this issue: “dump X” is a compelling headline, reality isn’t; and the ever-present quest for simple solutions to complex problems.

Here’s my advice, which you probably already know:

Dump *anything* you don’t use.  Dump anything with a proven track record of failure which you don’t need (for example, if you don’t need Java, uninstall it).  That’s the easy bit, the rest requires thought and effort. If you need Java for desktop apps, but don’t need Java in your browser- disable the browser plugins. 

If you have to support vulnerable browsers or other apps- restrict their access to only the resources which require them and use other apps or browsers for “normal” use.  Or have limited use systems if you can get away with it.  These introduce pain of their own, but can be done.  Configuring proxy settings in the browsers (or possibly mis-configuring) may be a relatively easy way to control browsers depending on the situation (or it may completely break networking for the systems).
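One way to do the “restrict their access to only the resources which require them” step through proxy settings is a proxy auto-config (PAC) script assigned to the legacy browser alone.  This is an added example, not from the original post: the PAC routes the applications that genuinely need the old browser to the real proxy and sends every other destination to a black-hole address, so a mistake in the allow-list fails visibly instead of silently sending the browser direct.  Host and proxy names are constructed, and the browser’s shExpMatch() helper is reimplemented so the logic can be run and tested in Node.

```javascript
// Added example (not from the original post): a proxy auto-config (PAC) script for the
// legacy (Java/IE) browser only. The other, up-to-date browser keeps the normal proxy settings.
// A PAC is a client-side setting: the proxy or egress firewall should enforce the same
// allow-list for these users, the PAC just keeps honest browsers honest.

// Constructed allow-list: the only destinations the legacy browser may reach, and how.
const ALLOWED = [
  { host: "erp.corp.example", proxy: "PROXY proxy.corp.example:3128" },
  { host: "*.legacy.corp.example", proxy: "DIRECT" },
];

// Everything else goes to an address nothing listens on, so the request fails fast and visibly.
// Returning DIRECT here would be the "mis-configuring" case: the browser would simply bypass the proxy.
const BLACKHOLE = "PROXY 127.0.0.1:9";

// The browser supplies shExpMatch(); reimplemented here so the script runs outside a browser.
// '*' matches any run of characters, '?' one character; the pattern must match the whole host name,
// which is what stops a look-alike such as hr.legacy.corp.example.attacker.test from matching.
function shExpMatch(str, glob) {
  const escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`).test(str);
}

// PAC entry point: the browser calls this for every request with the full URL and the bare host.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Plain, unqualified names (http://intranet/) are not on the allow-list either: they fall through.
  for (const rule of ALLOWED) {
    if (shExpMatch(h, rule.host)) return rule.proxy;
  }
  return BLACKHOLE;
}

// Dry run over sample URLs so the policy can be reviewed before it is pushed to the browsers.
function dryRun(urls) {
  return urls.map((u) => ({ url: u, route: FindProxyForURL(u, new URL(u).hostname) }));
}

// Constructed sample traffic.
const SAMPLE_URLS = [
  "http://erp.corp.example/app",
  "https://hr.legacy.corp.example/",
  "http://www.example.com/",
  "http://hr.legacy.corp.example.attacker.test/", // suffix look-alike: must not match the wildcard
];
for (const r of dryRun(SAMPLE_URLS)) console.log(`${r.url} -> ${r.route}`);
```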

And all the other stuff you already know:

Reduce use of admin-level permissions wherever possible, especially domain admin, and especially where you know you are supporting insecure systems.

Improve authentication- this may mean using all eight characters the crappy app allows, or maybe you can move to two-factor, or something in-between.

Crank up the logging.  Crank it up to eleven on the likely targets, and then (here’s the tricky part) actually look at those logs.

And finally, my comment to those who propose naïve and stupid things like this:

“Shut up. Just shut up.  If this were easy, even you could do it.”



Apparently obligatory Surface RT post

Everyone seems to be spewing drivel (er, writing) about the Microsoft Surface RT again lately, so I think I’ll join the party.  Yes, I bought a Microsoft Surface RT, and have been using it for a couple of months.

The very short, insulting intro: actually read the specs on this thing before you buy, it probably isn’t for you, so don’t complain because you spent your hard-earned (or so you claim) money naively.  Moving on…

First, the cool stuff everyone has covered:

It has a real USB 2.0 port, and while many things don’t work, the stuff you need probably does. In my case that means keyboards, mice, and especially presentation remote clicky things.  Oh, and all of your USB storage devices, reducing the pain of limited on-board storage.

The MicroSD card slot further reduces the storage issue by providing a fast and simple way to expand capacity.  This is especially important because much of the onboard storage is taken up with the OS, apps, and recovery partitions/images.  By the way, the recovery/reimage options are simple and useful.  (My 32GB unit had 15GB available, but I read the specs before buying, so I wasn’t surprised.  Did I mention you should read the specs?)

It is a real Windows machine (almost).  It has a command prompt, PowerShell, and other stuff like a real computer.

The external keyboards connect via real connectors, not Bluetooth.  This is a huge deal if you don’t or can’t trust the area around you, or if you want to use your keyboard on an airplane or other wireless-comms restricted area (OK, if you want to use the keyboard within the rules, I see plenty of folks using BT keyboards where they shouldn’t).  Turn all the radios off, and the keyboard works- amazing.  I went for the better keyboard, with real keys, and it even has a touchpad- it is also wide enough to be usable (I consider it a mandatory option).

Some folks have observed that the widescreen layout is great for video in native resolution- but few have mentioned how good it is for multitasking or using apps like PowerPoint where some editing panes open on the side.

Which brings us to applications.  Surface RT has three solid and unique (for now) apps in the tablet space (if you believe Surface is actually a tablet).  Microsoft’s Word, Excel, and PowerPoint 2013.  That’s it, if those move you, or at least are critical to you, this thing may be worth it.  (It also has OneNote, which rocks, but is not unique in the space).  It is worth noting that if you need macros in your Office apps, RT will not do what you need.

What about the rest of the applications?  Pretty much horrible, poor selection of crappy apps.  The native mail client is pathetic and I haven’t found a less-bad one, Twitter clients suck, the only browser is what can be called “almost IE10”- which claims “limited Flash support”, and it appears limited to “none”.  And the browser puts the address bar at the bottom, and hides tabs from you, just to frustrate you- unless you jump out of “Metro” mode and to the desktop, where it flips to a normal (read usable) layout for IE10.  Speaking of browsers, the vast majority of apps in the store are just websites pretending to be apps.

What else?  The hardware is an interesting mix of good, bad, and ugly.  USB, keyboard and connector, and MicroSD were mentioned above.  The cameras are decent, the screen is no Apple magical thing, but it is very nice.  And that really-wide-screen means the onscreen keyboard takes up half the screen in landscape mode, and let’s just not talk about the uselessness of portrait mode with this device.  One negative about the keyboards: they have floppy connectors, and they are annoying at best if not on a solid surface.  The battery life is very good, and it recharges reasonably well (but the wall wart is a plug-blocking pig).

The “kickstand” is an amazing feat of engineering: it is ALWAYS at the wrong angle.  I have no idea how much research was required to engineer this, but I’m impressed.  I am also very disappointed, because the beveled edge of my iPad Not Three (the model between iPad Two and iPad Four) makes me loathe holding the thing for any length of time, and makes it hard to park anywhere useful without external aids- I had hoped this would solve that problem.  It does help a little, but it is far from solved- and the Surface also has a beveled edge.  It is less painful to hold than an iPad, but “less painful” is not really what I wanted.  Also, that beveled edge means you have to get almost-but-not-quite standard looking video adapters from Microsoft if you want to connect to VGA or HDMI (see, they are learning from Apple, just the wrong things).

So in other words, don’t buy one.  Unless, like me, a lightweight, highly portable, long lasting MS Office tool is of great value to you- then get one if you can justify the expense, but know you’ll probably still carry your Android or iThing for everything the Surface won’t do.  For me, PowerPoint 2013 is a huge deal, and the extra wide screen means that the much improved “presenter view” in PPT ‘13 is fantastic.  That’s my rationale, and it has proven valid and valuable repeatedly already- this is a fantastic presentation tool for me.  I carry the VGA adapter, presentation remote, and I’m in business- with a machine I can really create and edit with if needed.  If Apple didn’t hate me (contrary to popular belief, I don’t hate Apple, I just hate everything they make, which tells me they don’t like me), I would probably be all over a MacBook Air for this need, but that’s significantly more money than a Surface (but is also more machine).



Tuesday, January 8, 2013

Managing employees and expectations

Time for another rant about employers and employment.  Not mine, I’ve been very lucky lately and have worked for great companies, but I see a lot of things which make me crazy, and which cost companies good employees.  It is entirely possible that I’ve made some of these blunders myself back in a past life.

First, a bit of background.  There are some InfoSec jobs in some market segments and geographic areas which effectively have zero unemployment, and the headhunters are circling like sharks to pick off those willing to change.  This means you have to treat your people well to keep the sharks hungry.  There are also title/skills/regions which are not in the insane demand cycle.  Sadly, many organizations can’t (or won’t) expand their horizons to grab some of the talented people who “almost fit”, but that’s a whole other discussion which gets into education, relocation, telecommuting, etc.  Bottom line is that if you want to hire and retain the best, it takes effort.

Let’s start with turmoil.  Turmoil happens, organizations grow, shrink, and merge.  Rumors start, and spread fast.  Employers need to calm employees and tell them the truth.  I know that many times secrets need to be kept, but either tell the truth or keep quiet- lying to employees “temporarily” is a short-sighted move.  If there are key employees you really need to keep productive, they need to know more than simply “your job is safe”, but that they are important to the bigger/smaller/merged organization and will be treated as such.

Honesty matters, in times of turmoil as mentioned above, but also at all times. If you don’t know something, admit that, if you can’t tell an employee something, find a gentle way to explain that.  People don’t like being lied to, and when we find out we’ve been misled (which almost always comes out eventually) we are more likely to move on- and tell other prospective employees that the employer can’t be trusted.  Pre-burning bridges is a really bad idea.

Finally, remember that we all talk to each other, word spreads, and if you want the best employees, a trail of disgruntled past and current employees will make it much harder to hire the right people, and it is already nearly impossible.



Sunday, January 6, 2013

Pointless observation on snow removal and InfoSec

Winter has finally arrived here on Cape Cod (although global warming has apparently altered the migratory patterns of the snow birds who should all be in Florida by now- but they are still here, driving very slowly along Route 6A, their little blue haired heads barely visible behind the wheel).  But I digress.

As we were shoveling the driveway and deck, it occurred to me that snow removal is a lot like the tedious bits of InfoSec. It is always reactive, and we have to do it or things get worse- but we’re always in clean-up mode, never preventative mode (except possibly for the aforementioned global warming).

That’s it.  I told you it was pointless.



Tuesday, January 1, 2013

A “tax” time rant.

January first, and I got my annual “pay up for the privilege of being able to put potentially embarrassing letters after your name” note from the (ISC)2, also known as my annual member statement and invoice for AMFs (annual maintenance fees).  I consider many certifications, especially the CISSP, to be an InfoSec career tax; you have to pay it if you want to participate in many parts of the field, especially to get past hiring issues where blind adherence to checklists prevents rational hiring decisions (see US DoD 8570 for one example of this mentality).

Some folks may have noticed that I’m not very fond of the (ISC)2, or its alleged “ethics” process, or elections process, or stale content.  If you want some back story on this, I’ll refer you to these posts by Robert Graham and the Security Curmudgeon over at Attrition.  I won’t add any details of my own, and everything here should be understood as just my *opinion* (because I’m terrified that (ISC)2 will sic the legal terriers, or worse, on me- and I can’t afford all the new socks that would be required after that much ankle-biting).

I think that the (ISC)2 ethics “problem” is simply that their goal is to protect (ISC)2, not to protect the value of the certifications, and certainly not to protect the InfoSec community or our customers and clients.  In other words, what I (and many others) see as a problem is in fact their desired outcome. I believe that (ISC)2 hides behind disqualification of complaints, and secrecy, to shield itself from having to take action or provide full accountability.

Here’s my fantasy for the ethics process: transparency.  (My real fantasy is the dissolution of (ISC)2 and abandonment of all of its certifications, but that one seems even more unlikely than this one, so let’s move on).  I understand one rationale for secrecy around ethics complaints: protection for the falsely or erroneously accused.  I reject that- ethics challenges can and should be published, and the results of investigations should be made public.  False or erroneous charges would be publicly addressed, and the air cleared.  Ethics complaints which are rejected for a failure of the complainant to meet the requirements of procedure or standing should be published, with reasons for rejection- if the standards or grounds for “standing” to bring a complaint seem onerous, it will be visible, and can be addressed through the Board of Directors or other means.  I have not had faith in some of the people entrusted to review ethics complaints, and opening the process to scrutiny would help to either assure us that all participants are acting in good faith- or expose them so that action could be taken to address concerns.

I am sick of (ISC)2 hiding behind intentionally restrictive policies to weasel out of admitting that complaints have been filed- apparently if a “complaint” isn’t accepted, it isn’t a “complaint”, according to the (ISC)2- and if someone says a complaint was filed, (ISC)2 can reject that assertion because the complaint wasn’t accepted.  In my opinion that’s unethical and dishonest.

By the way, when I say published, I mean publicly, not behind an (ISC)2 login; the aggrieved parties are not always members.  More importantly, since the CISSP is used as a de facto public standard, it should have transparency.