Tuesday, January 15, 2013

A contrarian’s book review

You’ve heard about The Phoenix Project, right? This great new book by Gene Kim, Kevin Behr, and George Spafford has received a lot of praise- and deservedly so.  The book is described as “A novel about IT, DevOps, and helping your business win”.


That’s right, a novel.  I was a bit skeptical at first, but it works; it provides practical context for the issues raised.  Some of the problems seem a bit contrived, especially in some of the combinations presented- until you think back on the stunningly dysfunctional places you’ve seen, then it becomes all too believable.

The book explores many common IT issues and extrapolates the consequences across the enterprise- and it also explores the many factors which limit IT’s success, both internal to IT and from the rest of the organization.

I will admit that the ending left me a little disappointed; heroes need to die in the end, or at least ride off into the sunset leaving others behind crying- but this is a business and technology novel, not a western, so I guess I’ll have to forgive them for allowing our hero to both make substantial progress, and survive.  But if there’s a sequel, well, there just had better be fewer survivors.

There is one character who is at risk of not surviving; he suffers from serious burnout- and I want to thank the authors for integrating this very real fact of life into the book (yeah, I know- I owe you an update on that project).  It is a reminder that people are a critical part of technology.

So you already know all about modern business, DevOps, and making technology work for the organization instead of the other way around?  You’ll still get something out of the book, but you may find the book most valuable as a gift to those who you struggle to make understand these issues; this book makes our rants understandable and approachable.  I will admit that I entertained the idea of asking for an “ultra-hard cover” version so that I could use it for percussive persuasion on some folks I’ve dealt with, but Gene didn’t seem to think that was appropriate.  He also seemed to think that “delivering” the book laminated to a clue-by-four was inappropriate- but Gene is a much nicer person than I (and he probably has lawyers and stuff to advise against such things).

The Phoenix Project is available in hardcover (but not ultra-hardcover) and Kindle versions.

If you want to hear from Gene Kim himself about this and whatever else is on his mind, he will be joining us on this week’s Pauldotcom podcast.



Friday, January 11, 2013

“Experts” who tell you to do dumb things…

…are not experts.

We have just had another round of Internet Explorer and Java bugs announced in the past weeks, followed by another round of so-called experts telling everyone to stop using IE and Java.  This is pointless, and counterproductive, and an indication that these “experts” probably have no practical experience in a business environment.

I doubt that anyone who pays attention to security advice is running Java, IE 6/7/8, et al. because they want to- we run these things because we have to, and the decision is out of our control.  Anyone who doesn’t understand this doesn’t understand enough to give advice.

Yes, there are a lot of people running old, vulnerable crap they don’t need.  They aren’t listening to the InfoSec echo chamber, so don’t bother trying to reach them there (here).

It’s like the folks who dumped Adobe Reader in favor of Foxit for security reasons- now scrambling to patch the latest critical vulnerability in Foxit.  I dumped Adobe Reader in favor of Foxit because I find it faster and lighter, and because of a general loathing of Adobe.  I do have to update it less frequently, but I believe that is largely due to the reduced market share relating to reduced value to attackers- much like OS X has never been “secure”, but historically it hasn’t been as targeted as Windows.

I see two central problems feeding this issue: “dump X” is a compelling headline, reality isn’t; and the ever-present quest for simple solutions to complex problems.

Here’s my advice, which you probably already know:

Dump *anything* you don’t use.  Dump anything with a proven track record of failure which you don’t need (for example, if you don’t need Java, uninstall it).  That’s the easy bit, the rest requires thought and effort. If you need Java for desktop apps, but don’t need Java in your browser- disable the browser plugins. 

If you have to support vulnerable browsers or other apps- restrict their access to only the resources which require them and use other apps or browsers for “normal” use.  Or have limited use systems if you can get away with it.  These introduce pain of their own, but can be done.  Configuring proxy settings in the browsers (or possibly mis-configuring) may be a relatively easy way to control browsers depending on the situation (or it may completely break networking for the systems).
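One concrete way to do the “(mis)configuring proxy settings” trick above is a proxy auto-config (PAC) script that lets the vulnerable browser reach only the internal applications which require it, and sends everything else to a proxy that doesn’t exist. This is an added example, not code from the original post; the hostnames and the sink address are assumptions for illustration, and the two helper functions are defined here only so the file also runs under Node for testing (browsers supply equivalents as PAC built-ins).

```javascript
// Added example (not from the original post): a PAC script that deliberately
// "mis-configures" a legacy browser so it can only reach the internal apps
// that still need it. Hostnames and the sink address below are assumptions.

// Exact hosts, and domain suffixes, the legacy browser/plugin is needed for.
var ALLOWED_HOSTS = ["legacyapp.corp.example", "payroll.corp.example"];
var ALLOWED_SUFFIXES = [".intranet.corp.example"]; // leading dot matters, see below

// Nothing listens on this address/port; the browser just fails to connect.
var SINK = "PROXY 127.0.0.1:9";

// Stand-ins for the PAC runtime's built-in helpers, so this runs under Node.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// The entry point every PAC-aware browser calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Unqualified names (http://intranet/) are expanded via the DNS search
  // list, which you may not control; block them and require FQDNs instead.
  if (isPlainHostName(host)) {
    return SINK;
  }

  // Exact match only: "evil-legacyapp.corp.example" must not slip through.
  for (var i = 0; i < ALLOWED_HOSTS.length; i++) {
    if (host === ALLOWED_HOSTS[i]) {
      return "DIRECT";
    }
  }

  // Suffix match. The leading dot in the suffix is what stops
  // "fakeintranet.corp.example" from matching ".intranet.corp.example".
  for (var j = 0; j < ALLOWED_SUFFIXES.length; j++) {
    if (dnsDomainIs(host, ALLOWED_SUFFIXES[j])) {
      return "DIRECT";
    }
  }

  // Anything else: the legacy browser has no business there.
  return SINK;
}
```

Point the legacy browser (and only that browser) at this file via its “automatic configuration script” setting, preferably pushed by policy so users can’t quietly turn it off, and use a current browser for everything else. Treat it as exposure reduction, not a security boundary: a local admin can change the setting, software that ignores browser proxy settings isn’t covered, and the sink should be backed by egress filtering at the firewall.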

And all the other stuff you already know:

Reduce use of admin-level permissions wherever possible, especially domain admin, and especially where you know you are supporting insecure systems.

Improve authentication- this may mean using all eight characters the crappy app allows, or maybe you can move to two-factor, or something in-between.

Crank up the logging.  Crank it up to eleven on the likely targets, and then (here’s the tricky part) actually look at those logs.

And finally, my comment to those who propose naïve and stupid things like this:

“Shut up. Just shut up.  If this were easy, even you could do it.”



Apparently obligatory Surface RT post

Everyone seems to be writing- spewing drivel, really- about the Microsoft Surface RT again lately, so I think I’ll join the party.  Yes, I bought a Microsoft Surface RT, and have been using it for a couple of months.

The very short, insulting intro: actually read the specs on this thing before you buy, it probably isn’t for you, so don’t complain because you spent your hard-earned (or so you claim) money naively.  Moving on…

First, the cool stuff everyone has covered:

It has a real USB 2.0 port, and while many things don’t work, the stuff you need probably does. In my case that means keyboards, mice, and especially presentation remote clicky things.  Oh, and all of your USB storage devices, reducing the pain of limited on-board storage.

The MicroSD card slot further reduces the storage issue by providing a fast and simple way to expand capacity.  This is especially important because much of the onboard storage is taken up with the OS, apps, and recovery partitions/images.  By the way, the recovery/reimage options are simple and useful.  (My 32GB unit had 15GB available, but I read the specs before buying, so I wasn’t surprised.  Did I mention you should read the specs?)

It is a real Windows machine (almost).  It has a command prompt, PowerShell, and other stuff like a real computer.

The external keyboards connect via real connectors, not Bluetooth.  This is a huge deal if you don’t or can’t trust the area around you, or if you want to use your keyboard on an airplane or other wireless-comms restricted area (OK, if you want to use the keyboard within the rules, I see plenty of folks using BT keyboards where they shouldn’t).  Turn all the radios off, and the keyboard works- amazing.  I went for the better keyboard, with real keys, and it even has a touchpad- it is also wide enough to be usable (I consider it a mandatory option).

Some folks have observed that the widescreen layout is great for video in native resolution- but few have mentioned how good it is for multitasking or using apps like PowerPoint where some editing panes open on the side.

Which brings us to applications.  Surface RT has three solid and unique (for now) apps in the tablet space (if you believe Surface is actually a tablet): Microsoft’s Word, Excel, and PowerPoint 2013.  That’s it.  If those move you, or at least are critical to you, this thing may be worth it.  (It also has OneNote, which rocks, but is not unique in the space).  It is worth noting that if you need macros in your Office apps, RT will not do what you need.

What about the rest of the applications?  Pretty much horrible, poor selection of crappy apps.  The native mail client is pathetic and I haven’t found a less-bad one, Twitter clients suck, the only browser is what can be called “almost IE10”- which claims “limited Flash support”, and it appears limited to “none”.  And the browser puts the address bar at the bottom, and hides tabs from you, just to frustrate you- unless you jump out of “Metro” mode and to the desktop, where it flips to a normal (read usable) layout for IE10.  Speaking of browsers, the vast majority of apps in the store are just websites pretending to be apps.

What else?  The hardware is an interesting mix of good, bad, and ugly.  USB, keyboard and connector, and MicroSD were mentioned above.  The cameras are decent, the screen is no Apple magical thing, but it is very nice.  And that really-wide-screen means the onscreen keyboard takes up half the screen in landscape mode, and let’s just not talk about the uselessness of portrait mode with this device.  One negative about the keyboards, they have floppy connectors, they are annoying at best if not on a solid surface.  The battery life is very good, and recharges reasonably well (but the wall wart is a plug-blocking pig).

The “kickstand” is an amazing feat of engineering, it is ALWAYS at the wrong angle.  I have no idea how much research was required to engineer this, but I’m impressed.  I am also very disappointed, because the beveled edge of my iPad Not Three (the model between iPad Two and iPad Four) makes me loathe holding the thing for any length of time, and makes it hard to park anywhere useful without external aids- I had hoped this would solve that problem.  It does help a little, but it is far from solved- and the Surface also has a beveled edge.  It is less painful to hold than an iPad, but “less painful” is not really what I wanted.  Also, that beveled edge means you have to get almost-but-not-quite standard looking video adapters from Microsoft if you want to connect to VGA or HDMI (see, they are learning from Apple, just the wrong things).

So in other words, don’t buy one.  Unless, like me, a lightweight, highly portable, long lasting MS Office tool is of great value to you- then get one if you can justify the expense, but know you’ll probably still carry your Android or iThing for everything the Surface won’t do.  For me, PowerPoint 2013 is a huge deal, and the extra wide screen means that the much improved “presenter view” in PPT ‘13 is fantastic.  That’s my rationale, and it has proven valid and valuable repeatedly already- this is a fantastic presentation tool for me.  I carry the VGA adapter, presentation remote, and I’m in business- with a machine I can really create and edit with if needed.  If Apple didn’t hate me (contrary to popular belief, I don’t hate Apple, I just hate everything they make, which tells me they don’t like me), I would probably be all over a MacBook Air for this need, but that’s significantly more money than a Surface (but is also more machine).



Tuesday, January 8, 2013

Managing employees and expectations

Time for another rant about employers and employment.  Not mine, I’ve been very lucky lately and have worked for great companies, but I see a lot of things which make me crazy, and which cost companies good employees.  It is entirely possible that I’ve made some of these blunders myself back in a past life.

First, a bit of background.  There are some InfoSec jobs in some market segments and geographic areas which effectively have zero unemployment, and the headhunters are circling like sharks to pick off those willing to change.  This means you have to treat your people well to keep the sharks hungry.  There are also title/skills/regions which are not in the insane demand cycle.  Sadly, many organizations can’t (or won’t) expand their horizons to grab some of the talented people who “almost fit”, but that’s a whole other discussion which gets into education, relocation, telecommuting, etc.  Bottom line is that if you want to hire and retain the best, it takes effort.

Let’s start with turmoil.  Turmoil happens, organizations grow, shrink, and merge.  Rumors start, and spread fast.  Employers need to calm employees and tell them the truth.  I know that many times secrets need to be kept, but either tell the truth or keep quiet- lying to employees “temporarily” is a short-sighted move.  If there are key employees you really need to keep productive, they need to know more than simply “your job is safe”, but that they are important to the bigger/smaller/merged organization and will be treated as such.

Honesty matters, in times of turmoil as mentioned above, but also at all times. If you don’t know something, admit that, if you can’t tell an employee something, find a gentle way to explain that.  People don’t like being lied to, and when we find out we’ve been misled (which almost always comes out eventually) we are more likely to move on- and tell other prospective employees that the employer can’t be trusted.  Pre-burning bridges is a really bad idea.

Finally, remember that we all talk to each other, word spreads, and if you want the best employees, a trail of disgruntled past and current employees will make it much harder to hire the right people, and it is already nearly impossible.



Sunday, January 6, 2013

Pointless observation on snow removal and InfoSec

Winter has finally arrived here on Cape Cod (although global warming has apparently altered the migratory patterns of the snow birds who should all be in Florida by now- but they are still here, driving very slowly along Route 6A, their little blue haired heads barely visible behind the wheel).  But I digress.


As we were shoveling the driveway and deck, it occurred to me that snow removal is a lot like the tedious bits of InfoSec. It is always reactive, and we have to do it or things get worse- but we’re always in clean-up mode, never preventative mode (except possibly for the aforementioned global warming).

That’s it.  I told you it was pointless.



Tuesday, January 1, 2013

A “tax” time rant.

January first, and I got my annual “pay up for the privilege of being able to put potentially embarrassing letters after your name” note from the (ISC)2, also known as my annual member statement and invoice for AMFs (annual maintenance fees).  I consider many certifications, especially the CISSP, to be an InfoSec career tax; you have to pay it if you want to participate in many parts of the field, especially to get past hiring issues where blind adherence to checklists prevents rational hiring decisions (see US DoD 8570 for one example of  this mentality).

Some folks may have noticed that I’m not very fond of the (ISC)2, or its alleged “ethics” process, or elections process, or stale content.  If you want some back story on this, I’ll refer you to these posts by Robert Graham and the Security Curmudgeon over at Attrition.  I won’t add any details of my own, and everything here should be understood as just my *opinion* (because I’m terrified that (ISC)2 will sic the legal terriers, or worse, on me- and I can’t afford all the new socks that would be required after that much ankle-biting).

I think that the (ISC)2 ethics “problem” is simply that their goal is to protect (ISC)2, not to protect the value of the certifications, and certainly not to protect the InfoSec community or our customers and clients.  In other words, what I (and many others) see as a problem is in fact their desired outcome. I believe that (ISC)2 hides behind disqualification of complaints, and secrecy, to shield itself from having to take action or provide full accountability.

Here’s my fantasy for the ethics process: transparency.  (My real fantasy is the dissolution of (ISC)2 and abandonment of all of its certifications, but that one seems even more unlikely than this one, so let’s move on).  I understand one rationale for secrecy around ethics complaints, protection for the falsely or erroneously accused.  I reject that- ethics challenges can and should be published and the results of investigations should be made public.  False or erroneous charges would be publicly addressed, and the air cleared.  Ethics complaints which are rejected for a failure of the complainant to meet the requirements of procedure or standing should be published, with reasons for rejection- if the standards or grounds for “standing” to bring complaint seem onerous, it will be visible, and can be addressed through the Board of Directors or other means.  I have not had faith in some of the people entrusted to review ethics complaints, and opening the process to scrutiny would help to either assure us that all participants are acting in good faith- or expose them so that action could be taken to address concerns.

I am sick of (ISC)2 hiding behind policy and being able to weasel out of admitting that complaints have been filed by hiding behind intentionally restrictive policies- apparently if a “complaint” isn’t accepted, it isn’t a “complaint”, according to the (ISC)2- and if someone says a complaint was filed (ISC)2 can reject that assertion because the complaint wasn’t accepted.  In my opinion that’s unethical and dishonest.

By the way, when I say published, I mean publicly, not behind an (ISC)2 login, the aggrieved parties are not always members.  More importantly, since the CISSP is used as a de facto public standard it should have transparency.