Archive for August, 2014

Aug 25 2014

An American in London

Published by under Family,Personal

Almost exactly a year ago my family and I moved from Northern California to 20 miles west of the capital of the United Kingdom, London.  It was the start of an adventure that’s exposed us to a new culture, cut us off from most of our friends and family and made massive changes to how we see the world.  We’ve had to make huge adjustments in our expectations, our lifestyle and how we drive, but my wife and I both think it’s been worth it.  The children seem to disagree, if you believe their loud and frequent complaints.  But these seem to be fewer and fewer as time goes by.

The first few weeks we were living in an apartment a few miles from where we live now.  It was a good landing spot while we waited for our shipment to arrive.  But being a family of four in a two bedroom apartment was its own special level of hell when you’re used to having a little privacy from time to time.    Thankfully our stuff arrived in fairly short order and we got to move into the house we’re living in now.  Everyone has their own space, though my wife spends most of her time in the kitchen or her office, while the kids spend theirs on the computer in the reception room we designated their office and I spend mine in an office that was converted from half the garage.  It’s a good house, about 100 yards from the station, with two trains an hour into London’s Waterloo station.

Learning to drive on the other side of the road wasn’t difficult and we’ve only made the mistake of driving on the right side of the road a few times each, thankfully in parking lots for the most part.  Getting used to roundabouts was more of a learning experience and I know I got honked at more than a few times that first month.  Now I’m fully adjusted and wondering why they’re being used so badly in the US, when they really do contribute to traffic flows when used properly.  The biggest problem I’ve had adjusting has been the bathrooms here, with the light switch on the outside, separate hot and cold water taps and toilets that just don’t seem to work as well as I’d like.  There’s also the shopping, but over the last year we’ve managed to decipher the English equivalent of American products, even if it doesn’t always look or feel exactly like we’re expecting.  There are a few products we still can’t get, like proper stuffing and chocolate chips.  But my occasional business travel to the US makes those limitations livable if we’re frugal in using our resources.

The children are the ones who’ve had the hardest time adjusting though.  School has been a step back for them, since the UK schools don’t seem to be equipped to deal with exceptional children and this has frustrated them greatly.  They miss their friends, which is sometimes harder because they can get on Skype and talk to them whenever their sleep patterns allow.  What they absolutely hate the most is when the wife and I say, “You’ll look back on this when you’re older and realize what a great opportunity it was.”  Tomorrow’s appreciation is for tomorrow, while today’s whining and complaining is for today.   What they don’t realize is that they’ve seen half a dozen countries in the last year, more than many Americans will ever see in their entire life.  I hope they don’t hate us too much until the light of appreciation dawns upon them.

This is the end of the first year in England, with at least two more to go, barring the unexpected.  We’re settled in as a family, I’m settling in more to the role I’ve chosen at work and at least the wife and I are glad we made the choice to leave the US and immigrate to England, at least temporarily.   We spent a week in December exploring Munich, my wife spent her 50th birthday visiting museums around Amsterdam and we took a train into London on Saturday to explore Brick Market and Old Spitalfield Market.  These are the kinds of experiences we came to Europe to have.  And this week we have both friends and family visiting from the States.  I hope I survive the experience.

We’ll always be outsiders in England.  But life here almost feels … normal.


Aug 24 2014

Last Hacker Standing – Vegas Recovery Edition, Episode 5

Published by under Podcast

“This is not the Last Hacker Standing: Episode IV – Part II Revenge of the @k8em0 that you’re looking for!”

To fill the void in your lives before we release the epic that is Episode IV Part II we got the crew together to chat about hacker summer camp and our personal recovery plans… In a break from the norm (not sure we have a norm yet, but I’m gonna stick with that) we chat randomly about BlackHat, BSidesLV, DEF CON and the burning hell that is Las Vegas.

You may also note that we’ve got an RSS feed now… and we’re also on the iTunes!

If you like the show, make sure to click the “5 stars” on iTunes so less educated people can find us too ;)

Enjoy!


Aug 21 2014

“I’m proud of my ignorance”

It’s true, we don’t want little things like experience and a broad knowledge of the landscape of technology getting in the way of our policy makers, now do we?  Or at least that seems to be the way US White House cybersecurity coordinator, Michael Daniel thinks.  Why get lost in an understanding of the big picture when you can make decisions based on the information fed to you by consultants and advisers with their own agendas to push?

In a way, I understand what Mr. Daniel’s point is; it’s very important for someone in his position to be able to understand the ins and outs of policy, perhaps at least as important as understanding the technology.  I wouldn’t want most of the people I see at Defcon or a BSides event making policy decisions; they don’t have the understanding of the long term consequences policy has on the wider world.  But by the same thought process, someone who doesn’t understand the deeper aspects of the underlying technologies he’s making decisions about can’t understand the long term consequences of his decisions either.  How can someone make informed decisions if they don’t understand the difference between a hashing algorithm and an encryption technology?

The cybersecurity coordinator role is a management role and most of us have worked with senior managers and C-level execs responsible for security with little or no security experience.  And we know how well that’s worked out.  In rare cases, you find a manager who knows how to listen to people and, perhaps more importantly, knows how to tell the difference between a trustworthy adviser and someone pushing their agenda forward without regard to the outcome.  Those people can be successful as non-technical managers of technical people.  But more often you get non-technical managers who don’t understand the landscape they’re expected to be responsible for, who don’t understand the decisions they’re being asked to make and who are easily led astray by those around them.  And having a non-technical manager with the understanding to communicate with the management team above them is nearly unheard of.

Willful ignorance is never a feature to be lauded or boasted about.  Being proud of your ignorance is a red flag, one that should be a warning to everyone around the individual that they are not currently mature enough for their position.  Better to say, “I’m ignorant, but I’m learning,” acknowledging that you know your limitations but are willing to overcome them, than to embrace your limitations and act like they’re really a strength.  Yes, your other experience can help you overcome the areas you’re lacking in, but you have to acknowledge the weakness and work to make yourself better.

As the Vox article points out, we’d never have a Surgeon General who didn’t have decades of experience in medicine, and we’d never allow an Attorney General who wasn’t a lawyer and hadn’t spent years in a courtroom.  So why are we allowing a person who couldn’t even qualify to take the CISSP test to advise the leaders of the United States on how to deal with information security issues?  Think about that for a moment: the person who’s advising the White House doesn’t have the experience necessary to apply for one of the starting rungs on the information security career ladder.  Scary.

Update:  You might also want to listen to the interview with Michael Daniel and the subsequent defense of his statement about his own ignorance.


Aug 20 2014

Heartbleed vs. Juniper

Published by under Firewall,Hacking,Privacy

The compromise of Community Health Systems (CHS) is being reported as the first major breach involving the Heartbleed vulnerability.  The details are slim, but apparently the vulnerability was exploited on a Juniper remote management console that hadn’t been properly updated.  Heartbleed is an OpenSSL vulnerability that allows an attacker to dump part of the memory from a vulnerable server.  The portion of memory exposed is used by OpenSSL itself and often carries secrets, which in this case included a set of valid credentials for the CHS VPN.  From there, it was easy for the attackers to get into the rest of the corporate network and make off with 4.5 million healthcare records.

Juniper had released a patch to fix the Heartbleed vulnerability within days of its disclosure, so why was this health organization compromised for three months?  Because patching is hard, especially in organizations like healthcare, where security is often an afterthought, if it isn’t just considered a nuisance that everyone has to work around.  And when I say ‘hard’, I simply mean that it takes a lot of resources, especially time and planning, to make happen, something that’s scarce at every healthcare organization that I’ve ever talked to.  

I do find it amusing that Mandiant was called in to do the forensics on this case and found it linked to Chinese nationals.  Of course it was linked to China; everything Mandiant finds is linked to China somehow.  Or I could just be making light of a serious situation.


Aug 19 2014

A swarm of cars

Published by under General,Risk

It’s a given that we will have ‘intelligence’ in our cars within the next decade.  Quite frankly, there’s no way it is avoidable, given the appetite of consumers for all things to be connected to the Internet and to each other.  In the case of cars, it actually makes sense for them to be talking to each other.  But there’s one question: what will the unintended consequences be?

Earlier this week the National Highway Traffic Safety Administration (NHTSA) revealed plans to implement vehicle to vehicle (V2V) communication technology that allows one car to communicate with another and transmit information about location, speed of travel and direction of travel.  Basically, 10 times a second a V2V car tells other V2V enabled cars its exact location, where it’s headed and how fast it’s getting there.  The theory is that this would enable your car to warn you when someone is going to run the red light in front of you or is merging onto the highway in an unsafe manner near you.  Presumably this would also integrate into smart car technologies, enabling them to better fend for themselves in high traffic conditions, since they’d no longer have to rely solely on their own sensors in the decision making process.

I have a host of security concerns about the idea of V2V cars, since most of the manufacturers who are creating the Internet of Things have shown that security is their last concern, if they even think about it at all.  I can imagine the V2V system being used to track individuals’ every movement in a way that makes Orwell’s 1984 look Utopian.  The privacy implications of having a car that’s constantly beaconing its location are pretty severe and in all likelihood the ability to track individual cars will be mandated by law. I can also imagine someone breaking into the communications systems to cause chaos, either by targeting an individual vehicle with false information or by disrupting a segment of the network that V2V relies on.  At least there is someone else who’s thinking about the security concerns of interconnected vehicles, namely I Am The Cavalry and their Five Star Automotive Cyber Safety Program.

But what I find interesting in relationship to V2V is work that’s being done in swarm intelligence, as it relates to the idea of cars.  Researchers at the Harvard School of Engineering and Applied Sciences have developed a swarm of tiny robots that can self-organize into a number of shapes without needing a central controller to manage them.  The tiny little robots, Kilobots, have very little intelligence (meaning computing power) individually and they don’t know much about their position as compared to the whole of the swarm, yet they manage to communicate with their peers in order to create organized shapes when they receive a command from the researchers.  They know where they are in relationship to other robots near them and they use this information to figure out what their role should be in forming the shape requested, rather than having some sort of central program with an overview of the whole telling them what to do.

The swarm research that’s being done at Harvard is directly relatable to the V2V technology that the NHTSA is developing.  Even if there is never a centralized tracking program implemented with V2V (which I posit there will be, since it makes tracking easier for the government) there will be swarm behavior from these smart cars.  Swarm behavior already exists on our roads; it’s just that instead of a computer program making decisions, it’s human beings with limited awareness of the world around them.  We make the same sorts of decisions that V2V cars would be making constantly; we call it ‘driving’.  Most humans don’t have an overall view of the roads and what’s going on, though a lot of work has gone on to develop apps to give us this awareness of traffic.

Part of what makes a swarm of cars interesting, and a little scary, is the concept of emergent properties, or the idea that the whole is greater than the sum of its parts.  This is exactly what’s going on with the Kilobots: the emergent properties of their intelligence mean that the whole is able to figure out how to form shapes without an individual Kilobot having to be told exactly where its place is in the grand scheme.  It’s up to the individual to do its best to conform to the needs of the whole to create the shape.  But while the emergent properties of the Kilobots were the end goal of the experiment, what happens when you design a swarm of cars without an emergent property in mind?

We’re in the beginning stages of understanding how a swarm does what it does.  How does a flock of birds really fly and wheel in unison?  How does a school of fish form and stick together?  How does a swarm of bees operate?  Maybe over the next 5-6 years we’ll have a better understanding of what makes these things work like they do, but will this understanding be applied to our vehicles?  The implications of a system of cars that have some sort of emergent property concerning how they enter, exit and move through traffic could be pretty severe, unintentionally creating gridlock and other safety concerns.  It could also work to alleviate the same gridlock in unforeseen ways, which makes the technology worth pursuing.

And then there’s the sci-fi concerns, à la Maximum Overdrive.  Swarm behaviors plus smart cars could create a series of emergent properties that make our cars decide that the safest option is to not get on the road in the first place.  Or that it’s better to be in the middle of the swarm and keep driving instead of getting off at the proper exit.  Or a hundred other scenarios that science fiction authors have explored in depth multiple times.  It’s not that this sort of ending is a certainty; it’s more that it’s a possibility that has to be explored and prevented, rather than dismissed as an impossibility.


Aug 17 2014

Con flu, con crud and conxhaustion

Published by under Humor

I want to create a new word, ‘conxhaustion’.  That feeling you have halfway through the conference where you’ve been living on 3 hours of sleep a night and realize you have days more to go before you’ll sleep normally again. 

I love going to the conferences in Las Vegas every summer: Black Hat, Defcon and BSides.  But I hate Vegas itself and I hate it even more now that I have to travel from London to get there.  It was bad enough when I got half way through the week and was exhausted because of lack of sleep when I was in the same time zone. When you throw an eight hour time difference into the mix, even surviving a week in the desert is a grueling task.  But it’s the only place I ever get to see many of my friends, peers and co-workers, so it’s a necessary evil, year after year.  I have to admit, RSA is just as tough, but at least it’s my old stomping grounds and a lot cooler, both physically and metaphorically.

Almost everyone who goes to Las Vegas gets their regular cycles and habits thrown off; it’s what the city is meant to do.  The light and temperature are always constant inside, so you have no way of knowing whether it’s day or night.  The water from the tap invariably tastes awful and anything you get in a bottle is probably going to cost an arm and a leg.  And eating in anything like your normal habits is difficult to say the least, especially since the amounts are huge and the calories are even huger (is that a word?  It is when referring to Vegas).  Keeping hydrated and properly fed becomes nearly impossible for anyone who doesn’t want to spend more time looking for a place to eat than actually eating.

And it doesn’t really stop once you get home, at least not for me.  If you’re relatively local, your schedule’s off because you’ve been staying up so many late nights and it takes a few days to recover.  If you’re coming from another continent, like me, you’d just gotten used to the Vegas time zone when you’re forcing your body back to its normal time zone.  Which, at least for me, takes another week to get re-adjusted. 

So you’re home, you’re dehydrated, you’re exhausted from the running around and the lack of sleep and you’ve had a horrible diet for the last week.  Which is why we all so often cap off conferences and conxhaustion with con flu and con crud.  Oh, did I forget to mention that all those handshakes and hugs introduced your body to tons of new germs and bacteria?  It’s not like people are their most hygienic during cons, since showers are optional and there’s always a line to get into the bathroom.  Why bother washing your hands?

So it’s no wonder we come home from a week in the desert and spend another couple of weeks recovering from the experience. 


Aug 03 2014

Last Hacker Standing, Episode IV – The Last Hope

Published by under Family,Hacking,Humor,Podcast

Well, I told you I couldn’t go that long without recording a podcast.  And a couple of weeks ago I got together with my friends Chris John Riley and Dave Lewis and started a new project, Last Hacker Standing.  In the inaugural podcast, we talk news (straight up, with a twist), alongside our wonderful guest Katie Moussouris from Hacker One.  I’m going to try to have fun with this one, not taking it too seriously.  Not that I ever took the Network Security Podcast all that seriously, of course.  Our format is going to be a podcast twice a month, with a guest who will join us to talk about news stories for the first half and talk about themselves for the second half.  We do reserve the right to change this format whenever we please.

Last Hacker Standing, Episode IV – The Last Hope
