Sep 14 2014

Limiting online time

Published under Family, General

I limit online time.  Not for me, for my children.  Apparently I’m among a fairly prestigious group of people who do so, since many of the C-level execs in Silicon Valley also limit their children’s time with tech.  Though it looks like many of them are even stricter than I am about how much time the children get to interact with their computers.

We’ve always limited the amount of time our children can spend on the computer.  We found from an early age that they’d spend every waking moment playing games and surfing the internet if they could.  I wonder who they’re using as their role model?  When they got their first computer, one I’d rebuilt from parts of several of my older computers, we allowed them to have it in their room.  We found out quickly that was a mistake, as our youngest had taken to watching videos that contained language we didn’t want him using.  Ever.  Since then the computers have been in a common area where we could look over their shoulders whenever we wanted.

We have hard limits for when they’re allowed on the computer, which are probably not as strict as those of many of the parents mentioned in the Times article.  The children often try to get around these limits by grabbing their iPhones or a tablet, but it’s been made clear that these also count as time online and aren’t allowed.  We have hundreds of books scattered around the house, and reading is always encouraged, no matter the time of day.  Now if we could only teach the youngest how to treat books with proper respect.

One thing we’re looking at changing is their use of social media.  Neither of the children has any social media accounts at all.  It’s not just that we don’t want them to have Facebook or Twitter accounts, it’s also that they’ve heard me talk about social media so much that they have decided on their own that it’s not worth having them.  They do have Skype accounts for keeping in touch with their friends back in the States and a few forum accounts, but these aren’t really ‘social media’ as I think of it, though maybe I’m wrong.

This might change in the near future, as our older child has started expressing some curiosity about social media and would like to experiment a little.  As long as he understands his parents will be following him and watching who he interacts with, at least at first, I think we can allow him to try it.  I don’t want him to be like the guy who keeps a case of soda in his room because his parents never let him have it as a kid.  Instead we’ll let our children learn in a relatively safe environment, or at least one where we can intervene if we need to.


Sep 08 2014

Buffer between Target and banks

Published under PCI, Risk

We all know that Target got compromised last year, but what some of you might not know is that the banks who issued the credit cards that were compromised are suing Target.  They’re saying that because Target didn’t take sufficient measures to protect the card data, the banks had to spend millions of dollars to re-issue every one of the cards that were compromised.  It makes sense on the surface, since the banks incurred the cost due to the insecurity of Target’s systems.  But here’s the rub: there’s no direct relationship between the issuing banks and Target.

I find it funny because this relationship is one of the things that was drilled into me from the start of my Qualified Security Assessor training.  There is a relationship between the merchant and its bank, called the acquiring bank; between the acquiring bank and the card brands; between the card brands and the issuing banks; and finally between the issuing bank and the consumer.  This was done with careful thought to create a buffer between the card brands and both merchants and consumers.  As a consumer, if you have an issue you have to take it to your own issuing bank or the merchant, since you have no direct relationship with the card brand or the acquiring bank.  It’s also why the card brands have always said that they don’t issue fines to compromised merchants; it’s the merchant’s bank that has to issue the fine.  The picture below illustrates this relationship and is similar to what was used to train QSAs when I went through training.


I find a certain poetic justice in this defense being used by Target.  The card brands and the banks developed this system in part because it’s a reasonable way for transaction clearance to work, but also in large part because it gave as many parties as possible a way to distance themselves from the sins of another party.  Except the banks and card brands meant for it to be a buffer against lawsuits between them and both merchants and consumers, never thinking it would provide a buffer for the merchants as well.

I don’t claim any deep understanding of the underlying legal statutes that could affect this case, but I do see that Target’s defense could bring any QSA who is worth his or her salt to the stand to illustrate the point.  It’s going to be much harder to establish a responsibility from Target to the issuing bank when any witness with knowledge of the Payment Card Industry Data Security Standard is going to have to say, under oath, that they were trained from the first day that there’s no relationship between the two entities.  On the other hand, if the buffer is dismantled legally, it also opens an avenue for merchants to sue the card brands, so either way the banks are going to be the losers in this battle.  Well played, Target, well played.


Sep 07 2014

Is pay rising with demand in security?

If you follow me on Twitter, you know I like to throw out questions occasionally just to stir things up.  On Friday I asked the following question about jobs in the security realm:

We keep hearing about how desperate companies are to hire infosec professionals. So how come we still see so many low ball salary offers?

This hit a nerve with quite a few people, many of whom mentioned that besides having low salaries for the apparent demand, we also see low stature in the company, and that while there’s demand, companies still don’t see how paying a security professional leads to profit.  The conversations on Twitter led to an interesting side road about how newcomers to the field are expecting huge salaries without having any experience at all.  But the most comprehensive response came from John Wood, who wrote a whole blog post about it rather than responding 140 characters at a time.

John sees the reasons as being a) the company doesn’t really care about security, so they’re just trying to get the lowest paid person they can, or b) they have no idea what the actual job market for security professionals is like in the real world.  If it’s ‘a’, I’d agree with John and say stay far away from the company; let someone who’s willing to suffer through a thankless job take the role on.  His suggestion for the second case is that you should talk to the hiring team and explain to them what salaries are like in the real world, then walk away until they’re willing to pay what you feel is reasonable.  I’ve worked at a lot of companies in my career and I’ve never had this strategy pay off personally, but maybe it has worked for others.

I see the effect of companies who just want ‘check box security’ a lot.  Having been a Qualified Security Assessor (QSA) dealing with PCI in a former life, I’m all too familiar with the concept.  I understand that most companies out there still don’t see that security has to be part of core processes in order to be effective, and still see it as an impediment to be overcome rather than a selling point for the company.  Besides being directly responsible for the low salary offers, it’s reflected in the low stature the security team is often given within a company.  Of course, there’s the whole argument that we still don’t know how to speak ‘business’, but that’s a drum to beat another day.

Security as a core competency, as a business process that leads to more sales and greater profit, is a hard sell and one that’s always going to be difficult to draw a direct correlation to.  I’m lucky in that I work for a company where security is a part of the discussion any time a product is sold, but how do you bring security into the conversation when you sell widgets?  It’s not easy, there are no simple answers, and it’s something that each organization has to discover for itself.  The more we can make business aware that a good, well trained security team is essential to the health of the company, the more likely we are to see a willingness to pay salaries commensurate with the market rate for those roles.  On the other hand, I’ve been told at a number of places that sometimes there is no way of creating that linkage and security will always remain a check box for that company.

What about the new security professionals who are asking for high salaries with just an education and little or no experience?  That’s a hard one for me, since when I started in the security profession the only way to get a job was through experience.  I’d guess that it’s a dark reflection of the demand for security professionals; while in school the student hears again and again about how much demand there is, and has unrealistic expectations once they graduate.  Or maybe they’re not that unrealistic after all, since at least some of them seem to get the salary they demand, even if they have to grow into the role they take on.

As a closing thought, one of my coworkers, Brian Sniffen, states:

Only contractors are paid spot price. Salary is an annuity.

His point is that if you want the flexibility that creates a high end salary, you have to take the risks that a contractor does, including changing jobs regularly and having an uncertain stream of income.  In security, that risk is probably lower than in many careers, but it’s still a risk that’s there.  I’ve been a contractor and I’ve hopped jobs a lot in my career, which is another way to deal with the pay issue.  I’m not ready to do much of either in the near future, thank you very much.


Sep 04 2014

Congratulations, Rich

Published under Family, General, Humor, Personal

Wow, it’s been seven years since Rich Mogull left Gartner and started Securosis.  I met him shortly before he took the leap, introduced by a mutual friend, Richard Stiennon.  I worked with Rich and a host of others to organize the first Security Bloggers Meetup at RSA, which is still going, and when I heard he was leaving Gartner, I invited him to participate in the Network Security Podcast with me, a partnership that lasted over six years.  He’s a good person, a good friend, and someone I truly feel lucky to have met in the security community.

It’s interesting to see the progression any security professional makes in their career.  Many of us reach a certain level and seem content to rest there, while others never stop, never slow down and are never content with where they are now.  You can guess which of these two I believe Rich to be.  It’s heartening to see friends be successful, since one of the recurring themes in security is how we’re losing the war and burning out.  Seeing someone who’s still excited by their role, if not by waking up in the morning, is a wonderful experience to behold.

Where were you seven years ago?  I was the security manager for a small company that had been in start-up mode for 12 years.  Now I’m living near London, working as Akamai’s Security Advocate for Europe and traveling the world over.  If I look at Rich as a benchmark, I feel a little inadequate sometimes.  But if I look at where I started versus where I am now, I’m happy, especially if I think about how much farther I can go.  I’m happy that my friends have been successful beyond my wildest dreams.

Congratulations on seven years of success to Rich Mogull and the rest of the team at Securosis.  You deserve the prosperity you’ve enjoyed over the years and I hope you have many, many more years of the same.  Just one thing:  Keep your pants on.


Aug 25 2014

An American in London

Published under Family, Personal

Almost exactly a year ago my family and I moved from Northern California to 20 miles west of the capital of the United Kingdom, London.  It was the start of an adventure that’s exposed us to a new culture, cut us off from most of our friends and family and made massive changes to how we see the world.  We’ve had to make huge adjustments in our expectations, our lifestyle and how we drive, but my wife and I both think it’s been worth it.  The children seem to disagree, if you believe their loud and frequent complaints.  But these seem to be fewer and fewer as time goes by.

The first few weeks we were living in an apartment a few miles from where we live now.  It was a good landing spot while we waited for our shipment to arrive.  But being a family of four in a two bedroom apartment is its own special level of hell when you’re used to having a little privacy from time to time.  Thankfully our stuff arrived in fairly short order and we got to move into the house we’re living in now.  Everyone has their own space, though my wife spends most of her time in the kitchen or her office, while the kids spend theirs on the computer in the reception room we designated their office, and I spend mine in an office that was converted from half the garage.  It’s a good house, about 100 yards from the station, with two trains an hour into London’s Waterloo station.

Learning to drive on the other side of the road wasn’t difficult, and we’ve only made the mistake of driving on the right side of the road a few times each, thankfully in parking lots for the most part.  Getting used to roundabouts was more of a learning experience and I know I got honked at more than a few times that first month.  Now I’m fully adjusted and wondering why they’re used so badly in the US, when they really do contribute to traffic flow when used properly.  The biggest problem I’ve had adjusting has been the bathrooms here, with the light switch on the outside, separate hot and cold water taps and toilets that just don’t seem to work as well as I’d like.  There’s also the shopping, but over the last year we’ve managed to decipher the English equivalents of American products, even if they don’t always look or feel exactly like we’re expecting.  There are a few products we still can’t get, like proper stuffing and chocolate chips.  But my occasional business travel to the US makes those limitations livable if we’re frugal in using our resources.

The children are the ones who’ve had the hardest time adjusting, though.  School has been a step back for them, since the UK schools don’t seem to be equipped to deal with exceptional children, and this has frustrated them greatly.  They miss their friends, which is sometimes harder because they can get on Skype and talk to them whenever their sleep patterns allow.  What they absolutely hate the most is when the wife and I say, “You’ll look back on this when you’re older and realize what a great opportunity it was.”  Tomorrow’s appreciation is for tomorrow, while today’s whining and complaining is for today.  What they don’t realize is that they’ve seen half a dozen countries in the last year, more than many Americans will ever see in their entire lives.  I hope they don’t hate us too much until the light of appreciation dawns upon them.

This is the end of the first year in England, with at least two more to go, barring the unexpected.  We’re settled in as a family, I’m settling in more to the role I’ve chosen at work, and at least the wife and I are glad we made the choice to leave the US and immigrate to England, at least temporarily.  We spent a week in December exploring Munich, my wife spent her 50th birthday visiting museums around Amsterdam and we took a train into London on Saturday to explore Brick Market and Old Spitalfield Market.  These are the kinds of experiences we came to Europe to have.  And this week we have both friends and family visiting from the States.  I hope I survive the experience.

We’ll always be outsiders in England.  But life here almost feels … normal.


Aug 24 2014

Last Hacker Standing – Vegas Recovery Edition, Episode 5

Published under Podcast

“This is not the Last Hacker Standing: Episode IV – Part II Revenge of the @k8em0 that you’re looking for!”

To fill the void in your lives before we release the epic that is Episode IV Part II, we got the crew together to chat about hacker summer camp and our personal recovery plans… In a break from the norm (not sure we have a norm yet, but I’m gonna stick with that) we chat randomly about Black Hat, BSidesLV, DEF CON and the burning hell that is Las Vegas.

You may also note that we’ve got an RSS feed now… and we’re also on the iTunes!

If you like the show, make sure to click the “5 stars” on iTunes so less educated people can find us too ;)

Enjoy!


Aug 21 2014

“I’m proud of my ignorance”

It’s true, we don’t want little things like experience and a broad knowledge of the landscape of technology getting in the way of our policy makers, now do we?  Or at least that seems to be the way US White House cybersecurity coordinator, Michael Daniel thinks.  Why get lost in an understanding of the big picture when you can make decisions based on the information fed to you by consultants and advisers with their own agendas to push?

In a way, I understand what Mr. Daniel’s point is; it’s very important for someone in his position to understand the ins and outs of policy, perhaps at least as important as understanding the technology.  I wouldn’t want most of the people I see at Defcon or a BSides event making policy decisions; they don’t have an understanding of the long term consequences policy has on the wider world.  But by the same thought process, someone who doesn’t understand the deeper aspects of the underlying technologies he’s making decisions about can’t understand the long term consequences of his decisions either.  How can someone make informed decisions if they don’t understand the difference between a hashing algorithm and an encryption technology?

The cybersecurity coordinator role is a management role and most of us have worked with senior managers and C-level execs responsible for security with little or no security experience.  And we know how well that’s worked out.  In rare cases, you find a manager who knows how to listen to people and, perhaps more importantly, knows how to tell the difference between a trustworthy adviser and someone pushing their agenda forward without regard to the outcome.  Those people can be successful as non-technical managers of technical people.  But more often you get non-technical managers who don’t understand the landscape they’re expected to be responsible for, who don’t understand the decisions they’re being asked to make and who are easily led astray by those around them.  And having a non-technical manager with the understanding to communicate with the management team above them is nearly unheard of.

Willful ignorance is never a feature to be lauded or boasted about.  Being proud of your ignorance is a red flag, one that should be a warning to everyone around the individual that they are not currently mature enough for their position.  It is better to say, “I’m ignorant, but I’m learning,” acknowledging that you know your limitations but are willing to overcome them, than to embrace your limitations and act like they’re really a strength.  Yes, your other experience can help you overcome the areas you’re lacking in, but you have to acknowledge the weakness and work to make yourself better.

As the Vox article points out, we’d never have a Surgeon General who didn’t have decades of experience in medicine, and we’d never allow an Attorney General who wasn’t a lawyer and hadn’t spent years in a courtroom.  So why are we allowing a person who couldn’t even qualify to take the CISSP test to advise the leaders of the United States on how to deal with information security issues?  Think about that for a moment: the person who’s advising the White House doesn’t have the experience necessary to apply for one of the starting rungs on the information security career ladder.  Scary.

Update:  You might also want to listen to the interview with Michael Daniel and the subsequent defense of his statement about his own ignorance.


Aug 20 2014

Heartbleed vs. Juniper

Published under Firewall, Hacking, Privacy

The compromise of Community Health Systems (CHS) is being reported as the first major breach involving the Heartbleed vulnerability.  The details are slim, but apparently the vulnerability was exploited on a Juniper remote management console that hadn’t been properly updated.  Heartbleed is an OpenSSL vulnerability that allows an attacker to dump part of the memory from a vulnerable server.  That portion of memory is used by OpenSSL itself and often carries secrets, which in this case included a set of valid credentials for the CHS VPN.  From there, it was easy for the attackers to get into the rest of the corporate network and make off with 4.5 million healthcare records.

Juniper had released a patch to fix the Heartbleed vulnerability within days of its disclosure, so why was this health organization compromised for three months?  Because patching is hard, especially in organizations like healthcare, where security is often an afterthought, if it isn’t just considered a nuisance that everyone has to work around.  And when I say ‘hard’, I simply mean that it takes a lot of resources, especially time and planning, to make happen, something that’s scarce at every healthcare organization I’ve ever talked to.

I do find it amusing that Mandiant was called in to do the forensics on this case and found it linked to Chinese nationals.  Of course it was linked to China; everything Mandiant finds is linked to China somehow.  Or I could just be making light of a serious situation.


Aug 19 2014

A swarm of cars

Published under General, Risk

It’s a given that we will have ‘intelligence’ in our cars within the next decade.  Quite frankly, there’s no way it is avoidable, given the appetite of consumers for all things to be connected to the Internet and to each other.  In the case of cars, it actually makes sense for them to be talking to each other.  But there’s one question: what will the unintended consequences be?

Earlier this week the National Highway Traffic Safety Administration (NHTSA) revealed plans to implement vehicle to vehicle (V2V) communication technology that allows one car to communicate with another and transmit information about location, speed of travel and direction of travel.  Basically, 10 times a second a V2V car tells other V2V enabled cars its exact location, where it’s headed and how fast it’s getting there.  The theory is that this would enable your car to warn you when someone is going to run the red light in front of you or is merging onto the highway in an unsafe manner near you.  Presumably this would also integrate into smart car technologies, enabling them to better fend for themselves in high traffic conditions, since they’d no longer have to rely solely on their own sensors in the decision making process.

I have a host of security concerns about the idea of V2V cars, since most of the manufacturers who are creating the Internet of Things have shown that security is their last concern, if they even think about it at all.  I can imagine the V2V system being used to track individuals’ every movement in a way that makes Orwell’s 1984 look utopian.  The privacy implications of having a car that’s constantly beaconing its location are pretty severe, and in all likelihood the ability to track individual cars will be mandated by law.  I can also imagine someone breaking into the communications systems to cause chaos, either by targeting an individual vehicle with false information or by disrupting a segment of the network that V2V relies on.  At least there is someone else who’s thinking about the security concerns of interconnected vehicles, namely I Am The Cavalry and their Five Star Automotive Cyber Safety Program.

But what I find interesting in relation to V2V is work that’s being done in swarm intelligence, as it relates to the idea of cars.  Researchers at the Harvard School of Engineering and Applied Sciences have developed a swarm of tiny robots that can self-organize into a number of shapes without needing a central controller to manage them.  The tiny little robots, Kilobots, have very little intelligence (meaning computing power) individually and they don’t know much about their position as compared to the whole of the swarm, yet they manage to communicate with their peers in order to create organized shapes when they receive a command from the researchers.  They know where they are in relation to other robots near them, and they use this information to figure out what their role should be in forming the shape requested, rather than having some sort of central program with an overview of the whole telling them what to do.

The swarm research that’s being done at Harvard is directly relatable to the V2V technology that the NHTSA is pursuing.  Even if there is never a centralized tracking program implemented with V2V (which I posit there will be; it makes tracking easier for the government), there will be swarm behavior from these smart cars.  Swarm behavior already exists on our roads; it’s just that instead of a computer program making decisions, it’s human beings with limited awareness of the world around them.  We make the same sorts of decisions that V2V cars would be making constantly; we call it ‘driving’.  Most humans don’t have an overall view of the roads and what’s going on, though a lot of work has gone into developing apps to give us this awareness of traffic.

Part of what makes a swarm of cars interesting, and a little scary, is the concept of emergent properties, or the idea that the whole is greater than the sum of its parts.  This is exactly what’s going on with the Kilobots: the emergent properties of their intelligence mean that the whole is able to figure out how to form shapes without an individual Kilobot having to be told exactly where its place is in the grand scheme.  It’s up to the individual to do its best to conform to the needs of the whole to create the shape.  But while the emergent properties of the Kilobots were the end goal of the experiment, what happens when you design a swarm of cars without an emergent property in mind?

We’re in the beginning stages of understanding how a swarm does what it does.  How does a flock of birds really fly and wheel in unison?  How does a school of fish form and stick together?  How does a swarm of bees operate?  Maybe over the next 5-6 years we’ll have a better understanding of what makes these things work like they do, but will this understanding be applied to our vehicles?  The implications of a system of cars that have some sort of emergent property concerning how they enter, exit and move through traffic could be pretty severe, unintentionally creating gridlock and other safety concerns.  It could also work to alleviate the same gridlock in unforeseen ways, which makes the technology worth pursuing.

And then there are the sci-fi concerns, à la Maximum Overdrive.  Swarm behaviors plus smart cars could create a series of emergent properties that make our cars decide that the safest option is to not get on the road in the first place.  Or that it’s better to be in the middle of the swarm and keep driving instead of getting off at the proper exit.  Or a hundred other scenarios that science fiction authors have explored in depth multiple times.  It’s not that this sort of ending is a certainty; it’s more that it’s a possibility that has to be explored and prevented, rather than dismissed as an impossibility.


Aug 17 2014

Con flu, con crud and conxhaustion

Published under Humor

I want to create a new word, ‘conxhaustion’: that feeling you have halfway through the conference where you’ve been living on 3 hours of sleep a night and realize you have days more to go before you’ll sleep normally again.

I love going to the conferences in Las Vegas every summer: Black Hat, Defcon and BSides.  But I hate Vegas itself, and I hate it even more now that I have to travel from London to get there.  It was bad enough when I got half way through the week and was exhausted from lack of sleep while I was in the same time zone.  When you throw an eight hour time difference into the mix, even surviving a week in the desert is a grueling task.  But it’s the only place I ever get to see many of my friends, peers and co-workers, so it’s a necessary evil, year after year.  I have to admit, RSA is just as tough, but at least it’s my old stomping grounds and a lot cooler, both physically and metaphorically.

Almost everyone who goes to Las Vegas gets their regular cycles and habits thrown off; it’s what the city is meant to do.  The light and temperature are always constant inside, so you have no way of knowing whether it’s day or night.  The water from the tap invariably tastes awful and anything you get in a bottle is probably going to cost an arm and a leg.  And eating in anything like your normal habits is difficult to say the least, especially since the amounts are huge and the calories are even huger (is that a word?  It is when referring to Vegas).  Keeping hydrated and properly fed becomes nearly impossible for anyone who doesn’t want to spend more time looking for a place to eat than actually eating.

And it doesn’t really stop once you get home, at least not for me.  If you’re relatively local, your schedule’s off because you’ve been staying up so many late nights, and it takes a few days to recover.  If you’re coming from another continent, like me, you’ve just gotten used to the Vegas time zone when you have to force your body back to its normal time zone.  Which, at least for me, takes another week of re-adjustment.

So you’re home, you’re dehydrated, you’re exhausted from the running around and the lack of sleep, and you’ve had a horrible diet for the last week.  Which is why we all so often cap off conferences and conxhaustion with con flu and con crud.  Oh, did I forget to mention that all those handshakes and hugs introduced your body to tons of new germs and bacteria?  It’s not like people are at their most hygienic during cons, since showers are optional and there’s always a line to get into the bathroom.  Why bother washing your hands?

So it’s no wonder we come home from a week in the desert and spend another couple of weeks recovering from the experience.
