March 2008 Archives

Just a quick heads-up: in reviewing the extended article draft that corresponds to my March 21st post titled "The Key Management Lifecycle" I found that my second figure was incorrect. For some reason I had drawn a corollary between Rotation and Deployment, when instead if should have been between Rotation and Expiration. This problem has been remedied. Apologies for any confusion created.

And Now, Something Funny!

I'm a big fan of the ImprovEverywhere productions. This one amused me greatly this morning.

Hat tip to Angeline...

I've just finished reading the Signet Classics version of George Orwell's eerie novel, 1984 (also see here). Hands-down, this is the most disturbing work that I've read in recent memory. What I found so disconcerting is that it was published in 1949, yet in many ways could be describing modern times and the future-path that we're on. At several times throughout the book I wondered if Rove and the Neoconservatives have based their entire approach to governing on the principles represented by the Party. I'll come back to this thought with the quotes below.

This is a definite MUST-READ book for anybody interested in a lot of the modern concepts and terms that we use, particularly with regard to politics. Concepts like doublespeak, and the various abuses of human rights and civil liberties all have a lingua franca derived from this book. Beyond that, the level of technical insight is intriguing. For instance, Orwell envisioned the surveillance society, complete with the Internet and flat-screen televisions. In his vision, the Thought Police (another concept originating here) monitor all members of the Party through their "telescreens." Other concepts discussed include oppression, war, the role of fear, hate, and anger in motivating conformance, and the willingness of a people to turn over power to an oligarchy.

This is a very fascinating, downright scary documentary about the origins of Islamic Fundamentalism and Neoconservatism. It looks at their common roots in the "failure of the liberal dream to build a better world." To say that this is disturbing is to understate things dramatically. It provides documentation that confirms what I've suspected for a while: that much of the current war on terror is really just an extension of failed threat- and fear-mongering based on failed fallacies of 30+ years ago.

To understand the import of this approach, based on FUD, lies, and a nasty mix of fearmonger and warmonger, one need only read a recent post on Schneier's blog, Security Perception: Fear vs Anger. People who are afraid are less optimistic, and thus less likely to advocate aggressive measures. They would seem to be more easily oppressed and placated, too. In contrast, angry people are far more aggressive, optimistic, and likely to take greater risks. Very interesting...

Everybody knows that the "Dummies" series of books are really aimed at the high-end market, right? Apparently so. According to this story, a teenager in Wisconsin has been arrested for "hacking" his school's computer systems (though no indication of damages has been provided). As part of the arrest, his copy of The Internet For Dummies (Internet for Dummies) was seized as evidence. Ummm... yeah. That's right, you heard me, local LE there thinks that Internet for Dummies is a 1337 h4X0r tome ("elite hacker tome"). Sure it is. Good job super-cops! :) They'd better move swiftly to ban that dangerous hacking book!

Not to let you think that all the truly hard-core tech criminals are based in Wisconsin, you might also check out this lovely story about a teen in Iowa who brazenly stole a girl's iPod, holding it ransom with the demand that she be taped doing naughty things and provide said tape for his own "entertainment" purposes. The genius of course included his email so that she could email over the mpeg with great haste. Now, physical security concerns aside, not exactly the brightest bulb.

Check out this commentary from Mark Danner titled "Taking stock of the war on terror" over on Salon.com. He pretty much hits the nail on the head, pointing out that the war in Iraq has actually done more damage than good in trying to address the global and domestic threat of terrorism. Chalk up another win for the Bush administration (terrorize Americans? check. drive the expansion of global jihadism? check. roll back civil liberties? check. violate and undermine the Constitution and American and international law? check. violate human rights? check. illegally suspend habeas corpus? check. turn the world uniformly against us? check.).

Brett's "Ah-Ha Moments"

RKC II Brett Jones has a great post up today on a few of his "ah-ha moments" in his fitness career. Good stuff - well worth the read!

"Insanity: doing the same thing over and over again and expecting different results."
- Albert Einstein

If you've watched the Matrix trilogy of movies, then you might recall one of the themes from the movie. In the second installment, Neo meets the Architect, who tells him that the current Matrix was not the first, but was in fact a later revision. The problem, it seems, was that the original version was too perfect (a perfectly balanced equation), which could not be accepted by the human mind, and which then led to the entire system collapsing. The solution was to create an unbalanced equation, and then a method for managing the remainder as necessary.

In the security industry, we've reached a point where the equation is balanced, at least as far as the business is concerned, and bad things are starting to happen. Over the past 15 years, technology has been able to evolve to match most threats, but the simple truth is that we're still not winning the battle. Businesses are still not properly incentivized to invest more into security countermeasures, but instead do the minimum necessary to keep their shareholders from sacking the lot. Ladies and gentlemen, I submit to you that it is now time to unbalance the equation.

As mentioned yesterday, Google's image is starting to tarnish thanks to reports from the interview process. Now comes this article from IT World about how (courtesy Slashdot), some day, we'll likely view Apple and Google less favorably, much as has happened to Microsoft. It's an amusing read about the fickleness of consumers.

This concept seems to generalize fairly easily, too. The US is a good example, in that we were the golden child for a long time, helping out in WWI and WWII. Then, as our prevalence and dominance expanded, we became targets of our own allies, until today, as our economy stumbles (possibly taking down others with us), we're looked at as the horse's rear. Environmental policy is a good example, in that the US opposed the absurd Kyoto protocol, refusing to sign (unlike the hypocrites who have signed it, but concluded that it's too expensive to implement) on the basis of its being inadequate, ineffective, too costly, and unfair.

I find it interesting. It's so easy to hate the big leader. It's so much harder to create constructive criticism and actually initiate meaningful change.

No, not from me directly. Some amusing/interesting comments are available here. I've never interviewed with Google, and I don't know that I would voluntarily apply (they're getting kind of big to sustain their "do no evil" culture). I remember my screening tech interview with Microsoft back in the late 90s, and these comments seem to jive well with that. This quote very much reminded me of that experience:

"The whole vibe was eerily like I felt when interviewing on Wall Street years before: arrogance personified, with the brusqueness coming from certain knowledge that they are the Masters of the Universe and you are very lucky to even be in their presence."
If Google came calling, would I turn them away? No, of course not. I just don't know if I'd seek them out.

Happy Monday!

The Key Management Lifecycle

| 1 TrackBack

(NOTE: This blog post was updated on 3/31/08 to properly reflect the overlap of Rotation and Expiration. The original draft published incorrectly showed overlap between Rotation and Deployment, which, upon reflection, made no sense whatsoever.)

In my past life, I was involved in the review and management of cryptographic services, including helping define key management processes and requirements. Now that I'm back into the consulting world, I'm finding that the topic of key management and encryption requirements is one of interest to a fairly broad, and rapidly expanding audience. Let's face it: the PCI DSS requirement for encrypting data at rest has served as the catalyst for deployment of numerous crypto systems, creating a secondary risk scenario related to improper management of those systems and related crypto materials (keys).

Toward that end, I've put together here an overview of how I view the key management lifecycle. While I do not claim to be an expert in crypto systems, by any means, I hope that you will find my thoughts on this matter to be of use. If nothing else, I hope that you can use it to analyze crypto systems within your environment and help ensure that the amount of risk related to these systems and associated key management processes is acceptable, or can be revised to bring them inline with accepted risk tolerances.

The Security Mindset

There's an excellent article on Wired.com by Bruce Schneier about the mindset of the security professional. I'll be the first to tell you that I certainly think differently than the average person. In fact, I drive many people (engineers, developers, etc) nuts sometimes because my approach to problem-solving can be so completely sideways to "the norm."

Hat tip to Anton for sending the link around...

There's an interesting post up on PickTheBrain.com this morning talking about how the current economic crisis really stems from moral depravity. The gist of the article is:

"Many people give little attention to the means as their ego tells them the ends justify the means. This approach was infamously promoted by Machiavelli in The Prince, which suggested, amongst other things, the shrewd methods an aspiring prince could use to acquire the throne (remind you of any modern day politicians?)."

It's a very quick read, and definitely recommended. It doesn't get all self-righteous and sanctimonious, but simply points out that the current problems stem from greed-motivated actions that were deceptive and illegal in nature. Not to beat a dead horse or anything, but this seems to be the hallmark of the Baby Boomer generation.

I don't have a lot of time this morning to write, but I did want to jot off a couple quick notes after seeing on the local news this morning that Dulles and Reagan airports (here in DC metro) are activating Clear programs this morning. Clear is one of the commercial companies providing services under the TSA's Registered Traveler program (also here).

Obama's Speech in Philadelphia

If you read/watch only one of Barack Obama's stump speeches this year, then I highly recommend that it be this one, from today in Philly. Full text and video are available at that link.

Fear In a Time of War

Cory Doctorow had an excellent commentary piece in The Guardian last week. It compares the message from the UK government in the past during times of conflict, versus the current message under the threat of terrorism. It's an excellent read that I highly recommend. To whet your appetite:

Back then, the government's message to the people wasn't "Take your shoes off" or "place your liquids in this bag". Instead, King George's printer stuck up millions of royal red posters bearing the legend "KEEP CALM AND CARRY ON."

Hat tip to Anton Aylward.

I know, I know... peanut butter and bananas are the classic snack (add raisins and you have "bumps on a log," right?). Well, I'm here to tell you that Banana Cream Muscle Milk is not a banana, and it therefore does not taste good with peanut butter. I know, because I just tried it, and am now somewhat grossed out (the stomach and tastebuds are not pleased). In case you were curious. :)

The Washington Post has a very interesting commentary posted today by H. Sterling Burnett. I'm sure the wingnuts on the extreme left are going to respond purely with derisive comments along the lines of "you can't believe him, he's a global warming denier!" - but such comments would not actually dispute his core points (something very common in this trumped-up "holy wars"). Essentially, his commentary boils down to two key points: the current IPCC reports are victim to politicization and bad science, failing to follow even the most basic requirements from statistical sciences, among other things (e.g. the fabled "hockey stick" graph that has since been retracted by the IPCC).

RKC II Brett Jones has an excellent post up today about his ongoing struggle with eating right to feel right. Check it out here - it'll be well worth your time!

Montana Leads Fight Against REAL ID

Excerpted from the EFFector Vol. 21, No. 09 March 14, 2008 (note, this issue is not yet online - don't know why).

Real ID Rebellion Roundup

This week, Pedro Nava, a prominent California Assemblymember, introduced a non-binding resolution that asks California's members of Congress to oppose Real ID, the unfunded federal mandate to turn driver's licenses into national ID cards. It highlights the state's growing opposition to Real ID, as legislators and citizens begin to realize the astronomical cost and catastrophic privacy implications of participating in the federal program.

The California resolution comes hot on the heels of a widely-heard NPR interview with Brian Schweitzer, the governor of Montana, who outlines his state's staunch opposition to the Real ID mandates. In the interview, he cites such concerns as state sovereignty and the absence of
systems to actually facilitate Real ID. Also in the interview, Gov. Schweitzer boldly announces that his state will call the federal government's "bluff" on the issue of air travel -- the Department of Homeland Security has threatened that on May 11th, states that have not embraced Real ID will find their licensees treated differently in regards to air travel and access to federal buildings.

Finally, Real ID opposition at the federal level features a budget amendment sponsored by Sen. Jon Tester (D-MT) that seeks to funnel money away from Real ID to be used to benefit veterans instead.

For California Assemblymember Pedro Nava's release calling for opposition to Real ID:
http://democrats.assembly.ca.gov/members/a35/press/20080311AD35PR01.htm

For the NPR interview with Gov. Brian Schweitzer:
http://www.npr.org/templates/story/story.php?storyId=87991791

For this post:
http://www.eff.org/deeplinks/2008/03/real-id-rebellion-roundup

The Washington Post has a somewhat disturbing article up titled "Non-European PhDs In Germany Find Use Of 'Doktor' Verboten." It's an interesting read. If I were in academic research, I think I'd advocate boycotting research in Germany until they figured out to properly recognize legitimately credentialed professionals. Why risk the harassment? I agree with this quote from the article:

"This is a completely overdone, mad, absolutely ridiculous situation," said Barbara Buchal-Hoever, head of Germany's central office for foreign education. "We are talking about highly acclaimed researchers here. . . . The people who have pressed charges must be gripers or troublemakers who wanted to make a totally absurd point."
It seems extremely likely that this is just a petty tool used by those jealous over not being themselves recognized or having their research funded. Talk about a lousy way to mess with someone's career. To me, the person making the report should be drawn up on charges, too, such as criminal mischief or trying to incite trouble of some sort.

Bush is FUD, FUD is Bush

The House is unwilling to grant telecom immunity in the warrantless wiretapping situation. They've listed their reasons given the lack of credible evidence supporting the need. El FUD (Bush) has now come out with a new tac (see here and here)t: telecom immunity would reward the patriotism of the telecoms for cooperating with the feds (illicitly, it seems), regardless of whether or not their actions were in good faith.

"Companies that may have helped us save lives should be thanked for their patriotic service, not subjected to billion-dollar lawsuits that would make them less willing to help in the future."
This issue is not about patriotism. There's no demonstrable evidence that this program has saved lives (it's only unverifiable rhetoric at this point). At least one telecom refused to participate in the warrantless wiretapping program because they were concerned about the legality. FISA, revised numerous times since its inception, provides a legal way to get wiretaps. The telecom that did not participate still exists, though it has undoubtedly suffered some sort of consequences at the hand of the Executive Branch. Those that opted into participating had to have done so knowing full well that there was a risk of legal exposure resulting from the bad faith actions of the Bush Administration. Now, rather than take responsibility for their actions and bad decisions, they'd rather sweep it all under the rug. None of this should come as a surprise, given the strong tendency that this administration has had for extreme secrecy and opacity.

Robert Reich also sees telecom immunity as being inappropriate.

Do not believe the lies or the FUD. This battle is about the Bush administration trying to protect itself from full exposure of the illegal, unconstitutional, unethical, and likely immoral actions that they have perpetrated and advocated. Resist their rhetoric for the sake of national security (integrity, in particular).

Suffering a Fool

Is it worse to let go unchallenged a fool making known factually incorrect statements in a professional forum (like a mailing list), or to challenge the fool and potentially have the thread devolve into flames?

From a risk perspective, I view the trade-off analysis as being setup thusly:

1) Let the fool go unchallenged. The cost (impact) is that less experienced and/or impressionable participants in the forum may take the fool's comments as accurate, giving them a life of their own. Overall, this has the effect of reducing the quality of professionals in the industry, leaving some worse off than when they entered the forum.

2) Challenge the fool. The cost (impact) is that the thread may devolve into flames, causing people to disengage, possibly permanently. Overall, this has the effect of decreasing learning opportunities for these professionals, but hopefully does not leave them worse off than if they had not joined at all (though outcome #1 above is still a possibility).

Which risk is greater? It's unclear to me, and strikes me as a lose-lose situation. Perhaps there's a third option that someone could point out.

I finished A.J. Jacobs' book The Year of Living Biblically: One Man's Humble Quest to Follow the Bible as Literally as Possible this week, and I highly recommend it! In the book, Jacobs divides his time between the Old Testament (8 months) and New Testament (4 months). His attention to detail in identifying the "laws" by which to live is quite impressive, as is his arrayed panel of experts, ranging across most major sects of Judaism and Christianity. My only disappointment with the book was in the NT section. It felt very light and rushed, which I potentially attribute to his inability to connect and commit to the text given his roots, combined with the challenges of having a wife in her 3rd trimester with twins, and then the delivery of said twins. My guess is that "little" event absorbed most of the final 4 months of the project.

At any rate, if you have any historical interest whatsoever in the roots of Judaism and/or Christianity, then this is a good book to read. Jacobs provides historical context and explanations, from a layman's perspective, throughout, in a manner that is accessible and reasonable. He openly admits his biases, and talks much about his mental challenges in overcoming these biases.

Some of my favorite moments include his realization that the Falwell clan at Thomas Road Baptist Church aren't all hellfire-brimstone all the time, that the Christians who speak in tongues and handle snakes are still decent folks, his realization that there is an important social angle of religion that he missed out on, and that, really, in the end, people and the sects to which they subscribe tend to pick and choose the rules they like, leaving the rest behind. Good stuff!

My next reading project is the George Orwell classic, 1984, which already has an eerie resemblance to modern times.

A Good Grief: TIA Lives On

While I'm trying to reduce political posts, in an attempt to re-focus this blog on the original intended subject matter (infosec and technology), you'll have to excuse me on occasion if I fall back into my old ways. Today, for instance, I've read that, despite being told by Congress "you are not allowed to do this," the Pentagon went ahead and built-out the Total Information Awareness (TIA) program via its black ops budget, specifically at NSA.

Mulching Season is Upon Us

My two favorite seasons, in order of preference, are Fall and Spring. There's nothing like the cool, crisp air and the colors of the foliage to put the mind at ease come September/October/November (depending on where you live). Spring, on the other hand, often means a return of sunshine, warmth, and the colors of trees and flowers blooming everywhere. Unfortunately, in addition to being colorful, both of these seasons share another attribute (on the East Coast, anyway): smelly mulch.

Though Spring has not yet sprung here (despite stupid DST kicking in early), the landscapers were out in force as of late last week, dumping the foul smelling mulch around trees and flower gardens, in preparation of the growing season. This mulch seems to be home to one of my arch-nemeses: mold. There is, in fact, a specific type of mold (don't recall which) that seems to be in the mulch around here that absolutely kills me.

So, beware, Mid-Atlanticans: the Spring season is here, and your allergies will be striking. Get those inhalers and sprays all primed (Astelin to the rescue!), because it could be a doozy. :)

End of an Era: F-117 Retiring

According to CNN.com, the Air Force will be retiring the F-117 Night Hawk "stealth" fighter in April. It's astonishing to me that this beauty has been in the fleet for more than a quarter century. As Dad always says, "If this is what the Pentagon will admit to owning, imagine what they're hiding." This deserves a round of Auld Lang Syne, methinks.

A Few Quick Thoughts...

| 1 TrackBack

I haven't had a lot of time the last few days to devise and compose a particularly useful post on infosec, but I had a few passing thoughts that you might find amusing. Click through to see them...

You can lead a horse to water, but you can't make it drink.
As I've recently noted, the information security industry seems to be stagnated. We've come a long way from the old days of "security==firewall" - and yet, it strikes me that we still aren't really getting all that much done. As a consultant, it can be very frustrating to realize one's own mortality; we aren't able to play Superman in all situations. When we succeed in moving a mole hill cum mountain, we're hailed as heroes. When we get something done, our invoices/salaries get paid. Surely there must be more.

Someone recently asked on a mailing list what people thought of the impact of PCI DSS on software security (the current v1.1 of the standard has requirements to follow OWASP practices in secure coding). In thinking about the effectiveness of PCI, I concluded that it, like SOX, has reached a point of equilibrium as ineffectual. Businesses still seem to universally fail to grasp the value of most security practices, and thus resist the up-front costs required to undertake a truly transformational program.

Mid-Week Blogroll...

I'm working on a few other posts for this week, but have not had adequate time to form them. So, until that time (soon, I hope), here are a few of the things I've read over the past week that I've found interesting. Topics range from cool new technology (a UV water purifier pen) to security solutions to risk management discussions to tips for learning guitar on the web to a scholarship opportunity from ISC2 for post-grad research.

This post is a continuation of my plan to provide a monthly reflection piece on progress against my 2008 Goals (previous report: January).

Overall, February was a decent month marked by a forward-looking obsession. With a baby on the way, I'm trying to plan appropriately for many of the changes coming. Financially, I'm continuing to work aggressively toward paying off the boat anchor of old debt that slows us down. I'm looking into a replacement for my 2-door car that will better facilitate access to a baby seat. And, I've begun thinking about our need to move to a new home come late-May (our lease is expiring, we'll need a bit more room, and Hanna is already tired of climbing the 4 stories up). March holds the promise of making additional progress against these financial goals.

More details after the jump...

My Philosophy of Security

| 6 TrackBacks

In 2006 I completed the Masters program in Information Security Management at the George Washington University. As part of that process, I completed a Masters thesis, in which I performed a high level review of "models, frameworks, and methodologies" under the umbrella of "assurance" (aka "information security, "infosec assurance," "computer security," etc). The goal of this initial literature review was to find a single model that could be used across an entire assurance program, incorporating what I posited as the core competency areas of Enterprise Risk Management, Operational Security Management, and Audit Management. The result of this first phase was a determination that no such model existed. Being stymied and frustrated by this lack of enterprise-level models for instituting assurance management, I embarked on creating my own. The resultant Total Enterprise Assurance Management (TEAM) model accomplished this goal, and then some (I'll come back to this in a bit). It's worth noting, incidentally, that the literature review is now about 2.5 years old, yet I firmly believe that the conclusions are just as valid today.

I bring this all up now because security philosophy has been bugging me over the past couple weeks. In returning to security consulting, I am again reminded that not everyone understands security beyond their niche, which can be very problematic when trying to work in a cross-organizational manner.

About this Archive

This page is an archive of entries from March 2008 listed from newest to oldest.

February 2008 is the previous archive.

April 2008 is the next archive.

Find recent content on the main index or look in the archives to find all content.

Monthly Archives

Pages

  • about
Powered by Movable Type 6.3.7