January 2010 Archives

This post has pretty much nothing to do with infosec, but rather comes on the heels of yet another Vikings OT NFC Championship loss. It's the only game I know of where so much emphasis is put on player skill and development, and yet comes down to the flip of a coin at the most crucial point of the game: Overtime (OT).

For those unfamiliar... in the NFL, and only the NFL, if the teams are even at the end of regulation, then OT commences as following: the ref flips a coin, the visitors call it, and whoever wins takes the ball, because it is immediately "sudden death" (that is, the first team to score wins). The inherent unfairness here is that 60% of the time, the winner of the coin flip scores and wins the game, most often without their opponent being given a chance to score (this is based on stats I'm too lazy to dig up a citation for). At all other levels, both teams are given a possession to attempt to score.

I finally bit the bullet and tackled some of my back-log of non-fiction reading. I've been spending most of my free reading time on the Discworld by Terry Pratchett. That being said, I've just zipped through a couple non-fiction titles of note, The 50th Law by 50 Cent and Robert Greene, and Managing Softly by Bertrand Jouvenot. Both are quasi business/life-skills type books. Following is a quick-hit summary of each.

Hold onto your hats, folks, cuz there's a PR/marketing storm sweeping the lands! It seems that Microsoft has decided to take the "bold" step of removing the IP address associated with a search query starting now at the 6-month mark. Ooooo how exciting. (that was cynicism) Actually, I could really care less. Well, ok, I think this is a good thing, but let's be honest here, it's so minor and trivial that it is just the thing for PR/marketing, not really the thing for actual meaningful privacy improvements.

So, what all my cynicism on the topic? Allow me to draw your attention to the AOL search data leak of August 2006. For a quick background on that story, check out these links (don't worry, I'll wait):
* Wikipedia
* TechCrunch
* EFF

Andrew Hay posted an interview with me today as part of his "Security D-List" feature. Check it out here:
http://www.andrewhay.ca/archives/1286

I was going to write a lengthy post on how I think that we give Google too much information, and that we trust them far too much. They are, after all, a for-profit enterprise. They have motivations just like any other enterprise, despite their alleged "do no evil" mantra. Add in the flawed perspective of their chief exec with his statement that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." (see here for more on that)

However, rather than waste a lot of bandwidth, allow me to just point you a recent Rich Mogull post that pretty much sums things up.
Securosis: Google, Privacy, and You

I've been saying it for a while now... IBM was the "bad guy" until Microsoft displaced them... Microsoft has been the "bad guy" for quite a while now, but they're quickly being displaced as well... Google is the new boogie man, and for very good reason. They have too much information, too much control, and they've asked us to have too much faith in their willingness to put "good intentions" over "profit." As with any enterprise, we should always look at the profit motive behind key decisions - whether it be turning HTTPS on by default for GMail, or threatening to withdraw completely from China.

Just sayin', fwiw.

Help me out, folks, cuz I'm at a loss here... I think there's something seriously wrong with DIRECTV's billing system... or maybe it's billing systems? The past couple months I received summary statements by email that said I owed $0.00. This was great - free TV, who wouldn't like that? So, just to be sure, I go online, and sure enough, the online statements say that I owe $0.00.

Then I get my credit card bill (yeah yeah misconfigured payment method sue me - actually, check that, it wasn't my fault, but anyway)... I have charges for the months of Nov and Dec - the very same months where the statements said I owed $0.00. ?!?!?!?!?! So, I start digging further and I find that, yes, the statements do in fact reflect a payment made in conjunction with the billing cycle. As a matter of fact, it turns out that the reason my bills said I owed $0.00 was because they were charging me on the same day that the statements were generated, which meant that my summary would zero out even though I'd just made a payment.

A man recently slipped through the airport security exit at Newark to accompany his girlfriend to the gate. TSA typically has a guard or two stationed at these exits, but in this case the guard had wandered away, leaving the exit unattended, leading to the "breach" of security. The man has since been identified and arrested, and he faces trespassing charges in the State of New Jersey. That's right, there's no federal violation here, nor is there in fact even a major violation of law. He simply ducked a rope and walked the wrong way so he could spend a few extra minutes with his girl.

The way the media tells it, you'd think he was the Antichrist bringing the Apocalypse. On the heals of the failed Nigerian Underwear Bomber the masses have already been whipped into a frenzy. This incident just takes that to the next level. Check out these news stories about the incident, paying close attention to the "average citizen" interviews at the end. Note the panic, the hysteria, and - in particular - how very low frequency events like this are met with shock, outrage, and outright hysteria. The mother escorting her son to his first international flight stood out for me as the most indicative of the problem. See Schneier here for his thoughts on the knee-jerk security theater reactions to incidents.

Just a quick aside... as of yesterday, this blog has been around for 3 years. This will be post #644. Hopefully, of all those posts, at least a couple have been worth reading. Thanks to those of you who've been reading and commenting. It's been a lot of fun, and will hopefully continue to be so! :)

It's quite possible (likely?) that this is not an original idea, but it's something that occurred to me while we were discussing presentation planning for the year at the most recent OWASP NoVA chapter meeting. To me, application security can be neatly divided into three key domains: Architecture, Secure Coding, and Testing. Each of these domains represents a distinct set of practices that need to be addressed to have a truly complete appsec program.

What I find fairly interesting about these domains is that they're not always all considered, whether it be in a software security program, or a Computer Science curriculum, or in contributions from key organizations like OWASP. In fact, it seems that Architecture, in particular, doesn't get much love at all, while a nominal amount of time is spent on secure coding (still less than we need), and while the lion's share of time is dedicate to the development of tools for testing.

My friends Erik Heidt and Dan Houser have once again been granted the privilege of presenting their excellent 1-day tutorial on identity management. They have been working to refine this class over the last few years and it looks to be better than ever. Says Erik:

"Identity Management is at the core of a successful Information Security program. In many ways, it is the primary technical control for policy enforcement and oversight. In addition to the important role Identity Management plays in risk management and oversight, many of your business partners think of Identity Management “as” Information Security. The question of "how do I get access to X" is a question near and dear to the heart of your business partners. Many of the security controls we all work with day to day are largely invisible to business partners, but password problems, access request delays, and audit findings are very visible to them."

You can get more information about this session (TUT-M21 "Foundations for Success: Enterprise Identity Management Architecture" - see description below) at:
http://www.rsaconference.com/2010/usa/agenda-and-sessions/one-day-tutorials.htm

Hello good people - we need your help! In conjunction with SXSW Interactive, we are working to setup a BSides Austin event on March 13th in Austin, TX. In order to bring this event to fruition, we need:
* Sponsors (named or unnamed) - We need financial support to secure a location, AV equipment, and snacks/food for the day. We're also looking for sponsorship to extend the event to a lounge in the evening.
* Supporters - We need help spreading the word. We'll need on-site help running the event. And, probably a dozen other things.
* Speakers - The format is an unconference, so we need attendees who are comfortable speaking or leading discussion groups. Given the conjunction with SXSW Interactive, this event may be well-geared toward developers, the development community, and appsec.

For more information, to volunteer, or to contirbute, please check out http://www.securitybsides.com/BSidesAustin, or leave me a comment, or ping me on Twitter, or track me down some other way.