May 2011 Archives

I had the opportunity to get away over the Memorial Day weekend. We drove out to the beach and did generally non-technical things for a few days and, I have to say, it was rather nice. Now, I'm not generally a beach person. I don't like the smell of the ocean, nor do I like the pervasive mess that is sand, but I do enjoy spending time away with the family. Even more, I enjoy not working for a few days, including getting away from this industry, which has become so acrimonious of late.

There's an interesting phenomenon at the "shore" (as some call it out here), and that's what I call "beach food." In the real world, few of us would generally consider eating much of what is served as "food" in restaurants at the beach. Yelp reviews atoll the greatness of sandwich shops or fried seafood eateries, all of which are grossly overpriced (I'll come back to this point in a minute), but in general, well, it's really all pretty awful. There is the occasional exception (like the kabob shop we found a couple years ago), but for the most part, the food is just plain sub-par.

The age-old quant challenge of "imperfect data" seems to be making the rounds again. Part of this is playing out with questions about the utility of data breach reports, such as the Verizon DBIR. The same questions can be equally applied to various vulnerability-oriented descriptive reports, such as those from White Hat Security and Veracode. One of the most common quips is that there is no way to know how representative any of these reports are of "reality." That is, the data is not collected through some form of population sampling, but rather the data is "self-selected" by virtue of an incident occurring. We must thus be very careful in how we use these reports. That said said, we certainly shouldn't throw them out altogether, either.

I've been peripherally aware of the "Understanding and Managing Risk in Security Systems for the DOE Nuclear Weapons Complex" report released over the past couple weeks, including the bit of a stir it's caused. However, it wasn't until reading Jack Daniel's post that I sat up and started to take notice. Why? Well, for starters, because I get irritated when people criticize something that I don't think they understand (and, here, I'm really talking more about Nuclear and Radiation Studies Board than anybody else).

The fundamental problem with the report is that it seems to be both misleading and misinformed. On the first count, I believe the Abbreviated Version does not really get across the true sentiments of the Board. They both disparage use of quantitative models, and yet endorse their use in certain scenarios. I believe there's a reason for this, which I'll come back to in a minute. On the second count, the comments they make against quantitative risk analysis methods take on a tone very common in criticism of these methods. Specifically, they're questioning the ability to estimate the abilities of an attacker, with a dash of "black swan" thrown in for fun. More on that later as well.

Though on travel last week, I've followed with interest the developing story over Dropbox misrepresenting its services (Wired has a copy of the complaint). In short, Dropbox made claims that data was encrypted and secured on its systems, and, in particular, that they didn't have access to the data. As it turns out, this isn't true. It now appears that they were - at best - using a shared AES256 key to encrypt the data, which the admins could use for indexing and recovery purposes. This issue has come to light in particular because law enforcement has been able to subpoena data from Dropbox directly, which was allegedly encrypted with a key unique to a user and unrecoverable by Dropbox, but which, it turns out, was readily recoverable. Dropbox has subsequently modified their license to remove the offending text.

I had the good fortune over the pass week to attend two excellent regional conferences, as well as to speak for the OWASP MSP chapter. Overall, the trip was very positive (despite my allergies triggering a cold) and it was a good reminder that you do not need to attend the "major" conferences to hear good speakers.