August 2012 Archives

There's a new Java 0-day exploit circulating in the wild, supported by a Metasploit module, among others. In response to this new vulnerability, I received the below email from a security vendor overnight:

I found their email to be a bit alarming, since it suggests what I would consider to be a "nuclear option" approach to the problem. Unfortunately, I find it oddly lacking in reasonable context, risk analysis (which rarely can be universalized, but must rather be performed on a per-entity basis), as well as to be a near-impossible suggestion to implement (not technically, but rationally).

If you've not had the opportunity to read the recent Dan Geer / Jerry Archer IEEE S&P Cleartext column titled "Stand Your Ground," then please go read it now. It's only a single page, two-column article and it won't take you long. It is, hands-down, one of the best summaries of contemporary, leading-edge thinking on the state of infosec that I've seen.

Finished? Cool... let's continue...

A partially-formed thought this morning... it occurs to me that "IT Consumerization" and Supply Chain Management have similar, interleaved concerns... in particular, that of quality.

I had the unfortunate experience yet again this weekend of dealing with deployment and roll-back (at home) of consumer-grade electronics... I found the entire experience irritating, as usually... Saturday I deployed a new wifi router at home in hopes of realizing better throughput... unfortunately, being consumer-grade equipment, while the setup and deployment was easy, we started having problems within a few minutes... specifically, the wifi had several issues, ranging from the "auto" choice of channels always picking the busiest channel (in 2.4GHz)... the wifi dropping outright (or, at least, not allowing connections)... and the DHCP issuing addresses then refusing to allow that address to continue being used... in all of these cases, the only "solution" was to physically reboot the router...

So, I called the "24x7" support line... which read me a message, waited 30 seconds, and then said "we're sorry, no agents are currently available, please call another time" and unceremoniously hung up on me... so, by "24x7" they apparently meant...? Who knows...

Here's an interesting difference between infosec and physsec that highlights a failure to evolve. One of my talk proposals was accepted for the ISC2 Security Congress 2012 in Philadelphia this September. A couple weeks ago, I received a rather startling template email from one of the event coordinators. As a speaker, I was being offered a day pass to the event for the day I was speaking, which in reality translates to maybe seeing 2 talks. To say the least, I was taken-aback, since the norm in the infosec industry is to grant speakers a full conference pass. I mentioned this ridonkulousness to a few people directly, as well as in passing on Twitter, and was contacted by a rep from ISC2 to explain the situation.

Quite simply, the situation is this: ASIS International does not offer speakers conference passes. Period. End of story. Apparently they never have in their 58 year run. ISC2 is co-locating their event with ASIS 2012 - at the request of ASIS, it should be noted - and thus is subject to the ASIS rules, no matter how outdated and insulting they might be.

Now, mind you, ASIS doesn't charge as much as events like RSA do ($875 early-bird reg for members, $1125 for non-members), but still... this is a very large event (as big as, if not bigger than, the US-base RSA Conference). In this day and age - especially with the economy as it is - I find it egregiously disrespectful that a major conference would not comp speakers a full pass.

So, there you have it... ASIS is unwilling to evolve their policies and show their speakers a little hard-earned respect.