Archive for the 'Social Networking' Category

Jun 06 2012

Dumping LinkedIn passwords

*** Dire Warning ***
If you’re in the habit of reusing passwords AT ALL, 1) stop it! 2) if you have a LinkedIn account change your password immediately on as many sites as you can remember.  Then get yourself a password management program (like 1Password or LastPass) with a random password creator and learn to use it for all sites.
*** Dire Warning ***

Now that the dire warnings are out of the way, let’s look at what happened.  This morning it was disclosed that 6.5 million LinkedIn password hashes were posted online.  LinkedIn was not using a salted hash for storing passwords, which means that while the hashes can’t be directly reversed into passwords, attacking the password file with dictionary attacks and other similar methods is very effective.  Additionally, the 6.5 million hashes are each unique, meaning that they represent a much larger portion of the LinkedIn passwords, possibly even the entire database.  One of the best analyses of the password hashes and what they mean was done over at Hacker News and covers a lot of what the disclosed hashes mean in really geeky terms.  Another great resource, thrown up by Robert Graham this morning, lets you enter a password to see if it is amongst those stolen.  If you don’t find your password in the database, try replacing the first 5-6 characters of the hash with zeros and look again.
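To make the salting point concrete, here is an added example (my own illustration, not code from the post; the accounts and word list are constructed samples, not LinkedIn data). It stores the same passwords under an unsalted SHA-1 scheme and under a per-user salted, iterated PBKDF2 scheme, shows why identical passwords collapse to a single unsalted hash and why one word list covers every account that shares a password, and includes the self-check the post suggests: comparing a password’s hash against a leaked set both directly and with its first five hex characters zeroed.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real data). Two users chose the same password.
SAMPLE_USERS = {
    "alice": "linkedin",
    "bob": "linkedin",
    "carol": "correct horse battery staple",
}
# Constructed mini word list of common candidate passwords.
SAMPLE_DICTIONARY = ["password", "123456", "linkedin", "letmein"]


def unsalted_sha1(password: str) -> str:
    """The weak scheme: a bare SHA-1 of the password. Same input -> same hash,
    for every user and every site that stores passwords this way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Password table as a site using unsalted hashes would keep it."""
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def dictionary_hits(stored: dict, dictionary: list) -> dict:
    """Why unsalted hashes fall to a dictionary attack: each candidate word is
    hashed once and that single table is compared against every stored hash,
    so the cost does not grow with the number of users. Returns users found."""
    table = {unsalted_sha1(word): word for word in dictionary}
    return {user: table[h] for user, h in stored.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """The hardened scheme: per-user random salt plus a slow, iterated KDF
    (PBKDF2-HMAC-SHA256). A candidate must be recomputed per user and per salt,
    and precomputed tables are useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_salted(users: dict) -> dict:
    """Password table with a fresh 16-byte random salt for every account."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_hash(pw, salt))
    return records


def verify_salted(record: tuple, password: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(digest, salted_hash(password, salt))


def in_leaked_set(password: str, leaked_hashes: set) -> bool:
    """Self-check in the spirit of the post's advice: look for the unsalted SHA-1
    of a password, and for the same hash with its first five hex digits replaced
    by zeros, since the post notes leaked entries may appear masked that way."""
    h = unsalted_sha1(password)
    return h in leaked_hashes or ("00000" + h[5:]) in leaked_hashes


if __name__ == "__main__":
    weak = store_unsalted(SAMPLE_USERS)
    print("identical passwords give identical unsalted hashes:", weak["alice"] == weak["bob"])
    print("word-list hits against the unsalted table:", dictionary_hits(weak, SAMPLE_DICTIONARY))
    strong = store_salted(SAMPLE_USERS)
    print("same password, different salted digests:", strong["alice"][1] != strong["bob"][1])
    print("login check (correct, wrong):",
          verify_salted(strong["alice"], "linkedin"), verify_salted(strong["alice"], "wrong"))
```

The unique-hash observation in the post follows directly from the first function: with no salt, every account sharing a password produces the same SHA-1, so a de-duplicated dump of 6.5 million hashes stands for more than 6.5 million accounts. The iteration count in `salted_hash` is an assumed value; a real deployment would tune it (or use bcrypt/scrypt) to the hardware it runs on.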

The other point I wanted to make was that while LinkedIn’s response (1, 2) to this compromise hasn’t been atrocious, it’s been far from being a good example of how to do compromise disclosure.  If you want a good example, look at the recent post mortem writeup by CloudFlare, stating in great detail how they’d been compromised so others could learn from their problems.  I’m willing to give the LinkedIn team and Vicente Silveira the benefit of the doubt and assume they learned about the password file at the same time as everyone else, but their initial reaction was to say they were looking into it, even though a number of security professionals had already stated their passwords were definitely in the file.  When they did admit it was their database a few hours later, they stated they had ‘enhanced’ their security to include hashing and salting of the database.  I can only assume the enhanced security measures were put in place this morning, and I’d give them more credit if they’d admitted that instead of making it seem like it was something they’d already planned to do.  I do have to give them kudos for reacting quickly and giving users concrete steps to take in response to the compromise, but they lose at least as many points for not being up front about what’s really happening.  Of course, that may be because of the Marketing and PR departments more than anything, but I’m not willing to cut either of those departments any slack for a security incident.

Of course, this is all injury added to the assault that was disclosed yesterday, the fact that the LinkedIn mobile application collects all of your calendar notes.  And since they had your calendar data and there’s a possibility your account was compromised, if you’re using the LinkedIn iPhone app, you’d better assume all of your calendar data is also compromised.  I hope you didn’t have any important or sensitive information in your calendar!


Jun 04 2012

Using Facebook without being tracked

I’ve always hated the way Facebook has endeavored to track every single action their users take.  Which is funny, considering how much of my life I put on Twitter.  But the main difference between the two social media platforms is about choice, at least for me.  With Twitter, I decide what to put online 140 characters at a time.  I might reveal a little more information if I’m not careful with GPS settings on my phone or camera, but for the most part it’s simply the statements that I choose to make that go online and are published for everyone to read.  However, from the early days, Facebook has been far more intrusive and has done everything they can to track each and every digital step that its users take.  With a constantly shifting privacy policy, the way they change and reset privacy settings every few months and Timeline being a tracking monstrosity that became mandatory, Facebook is a privacy advocate’s worst nightmare.  The list of ways that Facebook tracks and collates data on every user is both awe inspiring and terrifying in its magnitude, and Timeline is a privacy violation of the first order, at least in my mind.

But, to put it quite simply, they’re the biggest kid in the social media playground.  When your grandmother, who can barely answer an email, starts following you on Facebook, you know it’s gotten deep penetration in the marketplace.  And since it’s so big, just by nature of its natural gravity, more users and more businesses are drawn to it.  If you don’t have an account, people look at you like you’re a little strange and behind the times, whether it’s true or not.  Quite frankly, in many people’s lives, it’s become a necessary tool for communicating with friends, family and/or customers, to the point that not having an account is nearly unthinkable.

Even I’ve had a Facebook account for years, as much as I’ve hated the idea.  The main reason I created it was simply to grab my own name; I had already seen several people in the security community be impersonated by someone who grabbed their name before they did and had a page created for them.  Usually with malicious aims.  I didn’t want to have that happen to me, so I grabbed my account.  I used it a little at first, mostly by integrating my twitter stream into Facebook, but as the privacy concerns got bigger and bigger, I stopped using it altogether.  I kept the account and logged in every six months or so, immediately clearing my cookies and rebooting my system afterward to clean the stain it left behind.  I know millions of people use Facebook daily without serious harm, but the thought of having my activities tracked to the degree that Facebook does it is not something I’m comfortable with.

But, as I stated earlier, if you’re not on Facebook, you’re handicapping yourself in a significant way in interacting with friends, family and the people you do business with.  As much as I hate being tracked, I came to the conclusion that it’s time to find a way to use Facebook while also maintaining control of what data is being pulled into my social media network(*).  So I did what any social media security geek would do: I tweeted about the problem and waited for the replies to come in.  And did they ever.  I’ve collected some of the best links and software suggestions below.

When all was said and done, I decided the best way for me to use Facebook was to use the one major browser I hadn’t been using on my main system, Chrome.  Rockmelt sounded cool, but I didn’t want to spend the time to research it and learn a different interface.  Adding privacy filters or other extensions that allowed me to use Facebook privately in Firefox had some appeal, but relying on the extensions to keep up with Facebook’s changing policies and technologies didn’t inspire confidence in me over the long haul.  I already had Chrome installed and wasn’t using it, so it was actually a pretty easy choice and because I’m only using it for Facebook a lot of the concerns around having my browsing practices tracked are almost completely assuaged.   At least until Facebook learns to track across multiple browsers, that is.

Since I’m using Chrome as a dedicated Facebook browser, I decided to simply rely on the default install and change a number of the privacy settings, not something I would suggest if you use Chrome for other web browsing as well.  If you click on the wrench in the upper right hand corner of Chrome and select ‘Settings’, it will open a new tab for the settings page.  At the bottom of the page is a link, “Show advanced settings…”, which opens advanced settings such as Privacy.  The ‘Content Settings’ button under Privacy opens up a new window, where the meat of the controls I wanted are.  I selected the following controls:

  • Cookies: Allow local data to be set for the current session only.
  • Cookies: Clear cookies and other site plug-in data when I close my browser.
  • JavaScript: Do not allow any site to run JavaScript (you have to make exceptions for Facebook itself, using Chrome’s pattern syntax: https://[*.]facebook.com:443 and http://[*.]facebook.com).
  • Handlers: Do not allow any site to handle protocols.
  • Plug-ins: Click to play.
  • Notifications: Do not allow any site to show desktop notifications.

There’s probably more I can do to protect myself from tracking, especially if I wanted to install some of the Chrome plug-ins specifically aimed at Facebook.  I’ve been using Facebook again for about a week or so.  I plan on using it more in the future for putting up some of the pictures I take during my world travels, to promote the podcast and to promote the work I do at Akamai.  I’m not really happy at getting sucked back into Facebook, but it isn’t really as evil as I sometimes make it out to be.  It is, however, a huge, faceless organization that is determined to make a profit off of me no matter what else happens.  

BTW, I do my banking on a completely separate computer that I do almost no other browsing on.  Or email or social media for that matter.

Additional links:

(*The new version of ‘privacy’ is controlling the information about you that flows onto the interwebz.  The pre-2000 view of privacy is dead, and even the new version is on life support with the data mining capabilities of many of our modern tools.)


Jan 20 2012

SOPA was only an opening salvo

I generally try to stay out of the political arena on the blog, mostly because politics is such a contentious topic in and of itself.  And I’ve been staying away from SOPA in particular because there’s been so much coverage that one more voice added to the choir wouldn’t have done anything.  The music and movie companies once again tried to introduce legislation that made pirating content a crime and gave the entertainment industry incredible power to police the internet and block any site they felt *might* link to copyrighted content.  But we, the Internet, rose up in unison as major sites blacked themselves out in protest, and support for the legislation is suddenly falling away as if the Stop Online Piracy Act might be toxic.  Yay us, we won and the bad entertainment industry was put in its place.  War’s over and we can all go back to our daily lives.  At least that’s what it seems like in a nutshell to me.

But it’s not over, not by a long shot.  In an oddly coincidental case of good timing, yesterday the US Government took down the site Megaupload, a hugely popular file sharing site.  Since this event probably took months of planning to set up, the timing probably was mostly accidental, though I wouldn’t be surprised to find out the date got accelerated a little in response to this week’s Internet blackout.  And in response to that, the group Anonymous started a DDoS campaign¹ against the likes of the White House, the FBI, DoJ, MPAA, RIAA and a number of other sites using the LOIC tool.  There are quite likely one or two other groups using some of the noise created by Anonymous in order to perform some slightly quieter attacks under cover.  And according to my count, the move is now back to the Government, probably coming in the form of a kinder, gentler form of SOPA or additional site take downs.

The movie and music distribution engines only see the Internet as a method for taking money out of their pockets.  The technorati see the Internet as a boon and the current distribution model used by the entertainment industry as antiquated and only serving the big studios, not the artists.  There’s a certain amount of truth to both arguments, though I find myself far more in line with the thought that the entertainment industry has refused to adapt as technology and societal norms have changed, so they have to pay the price.  This is a lesson Kodak is learning the hard way.  Now the real battle is finding out whether we make technology and society bow to laws that are counter to how we want to act, or whether we change the laws to be more in line with how people want to act in the first place.

The ethics of file-sharing aren’t really important to the folks backing legislation like SOPA; they’re defending a business model and nothing more.  Therefore, they have to continue to push for this legislation in one form or another in order to gather more power to bolster a dying business model.  They have no choice, other than completely reworking the way they do business, which is more risky than doing battle in the court systems.  While the Internet may have risen up and smashed down the SOPA legislation today, it’s the long haul of trying to get the power clauses passed into law that the lawyers excel at.  Expect to see several more forms of this Act come up for consideration and votes later this year.

The interesting part will be seeing how the dynamics between the creation of laws and the Internet change over the coming year.  Between blackouts in protest and DDoS in protest, it’s clear that a lot of attention can be drawn to an issue very quickly.  But can it be sustained, and will these forms of protest have any long-term effect?  Part of what led to the uproar against SOPA was the technical infeasibility (or possibly stupidity) of the act; what would happen if the backers of SOPA created something that was more reasonable and technically possible to combat piracy?  Will the resistance fade if something more palatable comes along?  I somehow doubt it, but I doubt even more that I’ll have a chance to find out, since a compromise like that isn’t even something I believe the entertainment industry could conceive of.  It’s more likely we’ll continue to have a chance to see the evolution of the Internet as a political force.

So the back and forth between content distributors and pirates will continue, with the ball now in the government’s court.  There could be more take downs like Megaupload.com, the folks who supplied the thralls for LOIC could find FBI agents at their doorsteps, or there might be a lull while newer legislation is created.  But the reality is that what we’ve seen in the last few weeks is just an early set of skirmishes on the battlefield.  What the next step in the escalation is remains to be seen, on both sides.
 
¹I know where that graphic came from! 


Dec 26 2011

Open Tabs 12/26/11

Christmas is over!  I hope yours was good, but I personally find the whole build up and let down stressful and I’m glad when it’s done with.  Especially the part where my kids are home from school for a week and whine every time I tell them to get out of the house for a little while before I have to hurt them.  Not that I’d actually hurt my kids, but it’s sometimes the only threat that will get them moving. 

There have been some interesting stories leading up to Christmas and it’ll be interesting to see what’s been happening behind the scenes while the majority of us have been chomping on candy and ripping open our presents.  I have nothing to support the theory yet, but I strongly suspect most of the bad guys left their tools running while they took some time off, so there might be reports of compromises in the not too distant future.  After all, there were a couple of reports that came out before the weekend, perhaps hoping to get ignored and bypassed in the Christmas craziness.

A quick thought on the boycott of GoDaddy over the SOPA legislation.  GoDaddy is such a minor player in this realm and probably signed on to the legislation like a little brother following his older brother, Big Media; they wanted to sound and act cool in the eyes of everyone else without having the faintest idea that what they were doing had real world consequences.  Boycotting GoDaddy is like bullying the little brother when what you really want to do is punch the elder brother in the eye!  It’s ineffective, both in the long run and in the short term, to boycott GoDaddy when what we should really be doing is making the larger players behind SOPA aware this is an evil and unacceptable way to try to regulate the internet.  A crowdsourced version of the list of supporters is available as a Google doc.  If you really want to do something important, boycott some of the big boys on the list and quit going to their movies and buying their products.

Open Tabs – 12/26/11

  • Chinese computer hackers hit U.S. Chamber of Commerce – I wonder what our hackers are doing to the Chinese behind the scenes.  Not the vocal ones on the con scene, the ones employed by the Three Letter Agencies.  Never mind, we don’t do that, do we.
  • LOIC (Low Orbit Ion Cannon) – DoS attacking tool – The tool is old news, but this is a pretty good writeup.  If you want to know more though, one of my co-workers could tell you a few things more about how it works.
  • The Thought Leader … One year later – Chris Eng’s further harpooning of the information security thought leaders.  I know about half of the video applies to me at least as much as it does anyone else. 
  • How hackers gave Subway a $30 million lesson in point-of-sale security – There’s another meaning for POS, especially when you don’t bother changing default passwords and trust owners to follow procedures.
  • The Dark side of B-Sides – I’m staying out of this fight, since I know all the players.  But I know there’s a lot of truth to both sides of the stories, and the sooner this can be opened up and aired out, the better for everyone involved.
  • Hackers steal data on millions of Chinese net users – No need for nefarious government hackers when criminals will hack into Chinese sites because the data they hold might be worth something.
  • Insurance against cyber attacks expected to boom – Let’s just insure our systems rather than taking the time to secure them!  Because the insurance companies won’t place caveats on what’s insured and what constitutes a breach of contract to include poor maintenance control, will they?  “What do you mean our insurance doesn’t cover this?” is a phrase I expect to hear once cyber insurance (I shudder at the name) becomes commonplace.
  • Congress calls on Twitter to block Taliban – Oh yeah, because it takes so much to set up another account and tell everyone to go there instead.  And because censorship should always be one of the first tools used by a free, democratic system.  These people spend too much time thinking in hyperbole and too little time thinking in reality.


Nov 03 2011

Open Tabs 11/03/11

This week’s podcast conversation with HD Moore and Josh Corman was a good thing.  The point was getting the ideas of “HD Moore’s Law”, the security poverty line and security debt out there so other people can beat on them, examine them for flaws and hopefully incorporate portions of the concepts into their own thinking.  This is, after all, the whole reason I started blogging and podcasting in the first place.

Open Tabs 11/03/11:


Oct 28 2011

Why “Wife0” and the Spawn?

Published under Family, Privacy, Social Networking

I’m not much of a programmer.  I’ve written a few thousand lines of code in my life, but that’s just enough to make me familiar with the generalities of programming.  One of the things I learned early is that I could either learn to program and sacrifice a large amount of my social skills in the process, or I could learn to pretend to be relatively normal instead.  But one thing I did learn about programming is that you always start any array at 0, not 1.  Though Andy Ellis did have to remind me of this a couple years ago when I started tweeting about my family occasionally.

If you follow me on twitter (@mckeay) you’ll know that I occasionally write about some of the things my family do and/or say.  Even if they sometimes only do and/or say the things I attribute to them in my head.  And whenever I mention their actions, real and imagined, I refer to them as “Wife0”, “Spawn0” and “Spawn1”.  Which causes me to get a lot of questions about why I call them that.  As well as the occasional joke about “Does that mean you plan on instantiating Wife1?”  To which I reply, “No, since instantiation of Wife1 would require the utter destruction of the Martin parent process.”  Oh, geek humor.

Why don’t I just refer to them by name?  Partially because it’s become a running joke in the family and it amuses me.  But mostly because the names of my family are none of the business of 99% of the people who follow me on twitter and of 99.99% of the people on the Internet!  If you know me well enough that I feel like telling you, or if I know you well enough that I’ve actually introduced you to my family, then you have a right and need to know what their names really are.  But if you’re an ‘internet friend’, someone I meet every few months at a conference or simply someone who’s decided to follow me because I’m sometimes entertaining on twitter, there’s no need or reason for you to know what I call my family at home.  I always refer to Wife0 as Wife0, Spawn0 as Spawn0 and Spawn1 as Trouble… er, Spawn1.

Seriously though, there’s enough information leakage that I knowingly let out on twitter and the blog.  And I leak a fair amount of information about my wife and children just by talking about them from time to time.  If someone really wanted to, it wouldn’t be that hard to look them up and find out who they are, where we live and any number of other facts about my family.  But I see no need to make that any easier by spewing out their names every time I want to share an amusing anecdote with my friends and followers on the Internet.  I give them some small manner of anonymity by not referring to them by name and by making no guarantees that anything I’ve ever said about them was based on reality.  And a fair portion of what I say about them on twitter really does only happen in my mind.  But that doesn’t mean it amuses me any less.


Oct 04 2011

Live tweeting the House Intelligence Committee

Last night I got an email from Jim Engineer at e-Rainmaker PR stating that Kevin Mandia from Mandiant would be appearing before Congress.  I’m always interested in hearing the leaders in our industry speak to members of Congress, because it reveals a lot not only about the thought processes of the folks presenting to Congress, but also about what our Congressmen think about security.  This hearing was no different from most, in that it showed there are definite agendas at work, but it also showed that the biggest concern for our Congress is the threat of China to our businesses and intellectual property, in addition to attacks on government properties.  I live tweeted as much of it as possible and I’d like feedback in the form of comments if you found it valuable.  Or even if you didn’t.  Any misquotes are my own and are attributable to trying to listen and tweet at the same time.

General Hayden impressed me the most of the three speakers.  His main message was that the issue of cyber-security is not something we should be in a rush to come up with ‘the answer’ for, but that we should be looking at having long conversations about what needs to be done in a thoughtful, logical manner.  While he encouraged legislation, he made it clear he wants the goal to be outcomes, not just compliance.  He was level headed and clearly understood the difference between security and compliance, something Kevin Mandia also backed up.

I thought Kevin was underutilized in this conversation.  He had some very good, clear thoughts on the subjects at hand, but the members of the committee seemed to give his testimony less credence, since it didn’t directly feed into the narrative they were trying to lead to.  His strongest statement was, “You will be breached, the security compromise is inevitable.” He followed it by stating that “In our last fifty incidents, forty-eight of them learned of the compromise from external third-parties like the FBI”.  That’s a pretty damning statement about the state of detection in our industry today.

And then there was Art Coviello.  I’m not going to dig too deeply into Mr. Coviello, but he was being a good CEO while also being an intellectually dishonest security professional, if you could call him a security professional at all.  Statements like “Our advanced technology allowed us to detect and react to the attack in progress” and “We were within hours of being able to stop the compromise” and other comments about how ‘swiftly’ RSA responded to the compromise go directly against the timelines in the press and against the history of how RSA notified the public and their customers of their compromise.  Remember, they didn’t even have a Chief Security Officer before the compromise, there was no one at the C-level responsible for security.  I was very unimpressed with Mr. Coviello today.

Not much will come from this Committee meeting, but it was educational to learn what message the members of Congress wanted to put out and how businesses are willing to help them.  It was also a lot of fun to live tweet it and see what security professionals around the country think.  Marty Roesch from Sourcefire (@mroesch) was especially cynical and entertaining.  But there were a lot of people who had good feedback and questions, for which I’m thankful.

Feedback on live tweeting is very appreciated, leave comments and expect me to do the same next time I have time and opportunity.  And here’s the press release from Jim.

For your information, MANDIANT CEO Kevin Mandia will offer testimony to the House Intelligence Committee at the invitation of Chairman Mike Rogers (R-MI) tomorrow, Tuesday, Oct. 4, from 10 a.m. to 1 p.m.  Kevin is available to comment on his testimony should you have an interest in pursuing.

To view the testimony please visit:

http://intelligence.house.gov/hearing/cyber-threats-and-ongoing-efforts-protect-nation#

“Cyber Threats and Ongoing Efforts to Protect the Nation” 10:00am – 1:00pm ET HVC-210

·         The Honorable Michael V. Hayden, Principal, The Chertoff Group
·         Mr. Arthur W. Coviello, Jr., Executive Chairman, RSA
·         Mr. Kevin Mandia, Chairman and Chief Executive Officer, MANDIANT

Chairman Rogers on the Cyber Security Hearing:
“Examining the threat of cyber attacks against the United States is of utmost importance. The threat of cyber attacks continue to evolve. What started out as a kid in the basement hacking into a school computer to change a grade, has evolved into entire nation states focused and determined to exploit our nation’s cyber systems. The Committee will review recent developments in the evolution of the cyber threat against the United States by nation state actors and others. Additionally, we will evaluate the status of the United States government’s efforts at providing cyber security within the government, the status of cyber security in the private sector, and the sharing of government information, including intelligence information, with the private sector to enable it to better defend and protect our nation’s most critical private systems.”

Jim

PS>  I think I only heard the dreaded “APT” once, from Art Coviello.  Figures.


Jun 07 2011

New to Security? Get on Twitter

It’s not uncommon for me to get questions from aspiring security professionals asking, “What should I be doing to break into security?  How can I learn more about security?”  More and more, my answer to that is becoming simpler:  Get on Twitter.  (I’m @mckeay, unsurprisingly enough)

Twitter has become the “digital water cooler” for a huge number of security professionals.  I’m not saying all security professionals are on it, nor should they be.  But we long ago reached a point of critical mass where there are regular conversations on it that used to only happen in the hallway tracks at conventions.  If you look at some of the organized conversations that several companies have done on Twitter (Symantec comes to mind) you’ll start to understand that they see a value to it.  If you look at some of the conversations I’ve personally had in the last 24 hours on almost any day, you’ll see bits and pieces that are of great value, even if the majority of the tweets are stupid quips and pointless jabs at friends.

And that’s what twitter is about: not the huge sweeping conversations or revelations that happen once in a blue moon, but the accretion of little ideas, little questions that will lead you to a deeper understanding of what the people who work in the security world day in, day out are thinking.  Don’t expect a single tweet to rock your world and reveal the secrets of the universe.  Instead, look for the threads that explain how many people view security and the inner dialogue that led them there.  Don’t try to read every tweet; dip your toes into a communal stream of consciousness.  Boy, that sounds so pretentious when written out, but in a lot of ways, that’s exactly what twitter has become.

You’re going to have to dredge through a lot of crud to find the jewels in the twitter stream.  I know my own twitter stream is a perfect example of that.  For every one tweet I send that has value, I probably send twenty that are in-jokes or stupid references to some meme that no one cares about.  But I hope I make up for that when I get started on a rant about PCI compliance or get involved in a conversation about the difference between learning security and learning business.  You may have to put up with a hundred tweets or a thousand, but when you get the one piece of information you needed to hear at that specific moment, it will make everything else worth it.

Don’t plan on getting involved in twitter, other than very superficially, for the first month or so.  Send out a ‘hello world’ tweet before you follow your first person; we security types tend to be a little paranoid and may report you as spam if you’re just a raw profile with no tweets or a description of who you are.  Don’t spend a lot of time on twitter, just check in from time to time and add people who sound interesting as time goes by.  If you need a seed list of people to follow, start with Bill Brenner’s Security pros to find on Twitter.  He updates it almost every Friday.  Soak in the conversations and when you feel the time is right, start responding to people and putting forth your own ideas.

My boss recently started on twitter.  I was a little concerned when he followed me, but I figure anything I say on twitter is public anyway, so if he wanted to check in on what I said, it wouldn’t take more than an extra 30 seconds to find anything, so why worry.  If you’re worried about your friends or family or coworkers following you, then make your profile private or just make sure you don’t tweet anything you need to worry about (unlike certain Congressmen).  But one of the most interesting things I realized from having my boss follow me is that I’ve completely abandoned my RSS feeds in favor of getting most of my news from Twitter.  I learn about new stories faster on twitter than I ever did when they were coming to me through my news reader.  Better, I get the benefit of having people whose views I have some understanding of filtering the stories before I ever read them.

Once you’ve been on twitter for three to six months, you’ll no longer be an outsider if you’re making an attempt to engage.  Don’t force it, but don’t be afraid to contribute either.  Be natural, talk to the people who are out there, and get an understanding of the community.  There will be many voices, like mine, that seem to be nattering away at almost every hour of the day.  There will be voices that only speak up once every week or two.  Both have their value, both are worth listening to.  And don’t be afraid to unfollow someone if they offend you or seem to be a waste of time.  I won’t mind at all… I mean they won’t mind at all.

You should be looking to get an understanding of how security professionals view not only the hard security issues, but life in general in all the myriad aspects of a security career.  These are real people candidly expressing their viewpoints, exchanging ideas and generally growing by being part of the community.  Once you’ve started gaining that understanding of how people think, the part that’s really going to improve you as a security professional starts: challenge the status quo, question assumptions and look for the areas that people are turning a blind eye towards.

It’s important that new security professionals understand we don’t exist in a job space that’s stable and safe.  Information security as a profession isn’t even 50 years old yet!  Some would say that it’s not even 25 years old as a distinct profession.  And it shows; every day the playing field is changing.  Right now it seems that the bad guys are winning, but by this time next year we may have turned things around and have a good handle on it.  Or things may be so bad you can’t trust anything that your computer tells you.  In either case the only constant you can reasonably expect in a career in security is change.  If you can’t live with that, get out now.

Why is this understanding of change important?  Because a lot of people on twitter come across as experts, either because they purposefully portray themselves as such or because they speak with such authority that other people ascribe that description to them.  In either case, there are a lot of people with strong opinions about how security came to where it is now, what is what in security, and how security should be.  Every one of them has a valid point somewhere, but every one of them makes mistakes and has ideas that won’t fit in your worldview or make sense as they’re presented.  So don’t take them at face value, challenge these ideas, form your own and come to a new understanding of how security was, how security is and how it should be.  If you’re going to be spending time in the security community, you have to realize you’re going to be one of the people who’s going to make the future happen, for better or worse. 

A closing thought: if you’d like a role-model for how to approach the security profession and twitter, ask Joseph Sokoly aka @jsokoly.  Joseph is young, hasn’t quite graduated from college yet, but has already created a name for himself in the community; first by reaching out to other security professionals to learn and later by presenting on breaking into the security field at BSides Las Vegas in 2010.  Is Joseph smart?  Hell yeah.  But is he so special that that alone makes him stand out in a crowd?  Not by a long shot; in a field that includes some brilliant minds, he only sits a little above average.  Where he has proven to be exceptional is that he’s integrated himself into the community and used twitter as his tool to get it started.  Not too many people will be able to reproduce his efforts, but not many people should try.

Twitter is an echo chamber.  Don’t ever make the mistake of thinking it is the sum total of what is out there for the security community or any community.  But do understand that it’s a powerful tool in learning what it means to be a security professional and it’s a valuable tool for getting to know people.  That involvement may be what gets you your first job as a security professional.  Or it might just teach you a new way of thinking about security.  And it’s always possible that I’m completely wrong and twitter may be a complete waste of time for you.  But it is worth looking into.


Jan 19 2011

2011 Social Security Awards

I am so behind on my blogging it’s not funny.  I was supposed to say something about the 2011 Social Security Awards a couple of weeks ago, but between running around the country and writing long, boring reports on PCI compliance, something had to fall off the to-do list, and blogging was it.  Which is why it’s a little ironic to break the silence with a post honoring some of the best writers in our business.  After which I’ll probably be going back to radio silence as I try to create a small bubble of calm in my work schedule that will allow me to attend the RSA Conference with minimal interference.  Or at least that’s the theory.

This is the third annual Social Security Blogger Awards, and once again the committee putting it together, led by the incomparable Alan Shimel, has worked hard to improve both the process for deciding the categories and the process for voting.  There were a number of categorizations in last year’s awards that had many of us laughing and shaking our heads in confusion, but by that time it was too late to make changes.  So this year Alan and his team of judges, who are all professional writers who cover the security field, revamped the categories and I think everyone involved will agree that they’ve done a great job of it.  The judges picked the cream of the blogs and podcasts from all the great people we have writing; now it’s up to you to decide who the real winners are.

As always, I look forward to the night of the Security Bloggers Meetup at RSA.  This year, my influence on the whole process has been minimal, and as always, Jennifer Leggio has been shouldering far more than her fair share of the work.  Not to say I haven’t done anything… well, actually, I haven’t.  We’ve been doing this for a number of years now and it’s clear that Jennifer has a handle on everything and if I try to get further involved I’ll slow things down more than help.  Which goes back to my original point that I’m already too busy with the day job to help much.  But the SBM has become the central event of the RSA Conference, at least for me, and the pivot that all my other plans revolve around for the week.  The few hours we take out of an evening to connect and reconnect with the people in our community who distinguish themselves by trying to express the problems and solutions for our industry is worth more than almost anything else that goes on at RSA, at least for me.  People who are passionate about what we do are always exciting to be around.

Who are your favorites for this year’s Social Security Awards?  I especially like the new category “The single best security blog post of the year”.  Not everyone can write regularly, in fact some people may only put out one or two blog posts a month.  But the thought and quality of writing that goes into those infrequent posts is exceptional and deserves to be recognized.  And the folks who continue to put out exceptional content day after day just blow my mind. 

Go now, vote on the Social Security Awards.  Vote for your favorite, vote for the person you think is most deserving or vote in an utterly random fashion, as long as you vote.  While the awards are for bloggers and by bloggers, the reason we write is for the readers and listeners in the real world.  And this is your chance to help recognize the people you think have had the most impact and influence on our community.  Or at least amused you the most.


Dec 12 2010

BayThreat was awesome, do it again!

You’d think that security professionals would get sick and tired of attending security conferences; RSAC, Black Hat, Defcon are the big ones that everyone tries to get to, plus a lot of mid-sized cons like Shmoocon and Toorcon. But the truth is, for most people, those are either business opportunities/obligations or so far away and costly that it’s nearly impossible to attend anything that requires travel, a hotel and several days away from work. Which is why smaller, local events like BayThreat, DojoCon and BSides are becoming so important to security professionals around the globe; the ability to go to a small, local event far outstrips the cost to value ratio of any of the big cons and it’s so much easier to actually see the speakers you want to see.

This last Friday and Saturday were BayThreat, and a huge thanks has to go out to @dewzi and the crew who organized the event.  Held at the Hacker Dojo in Mountain View, CA, the event was far enough from home for me that I had to get a hotel room.  But the majority of the attendees who live in the Bay Area were able to return home each night.  Considering that airfare and the hotel are the majority of the costs of many conferences and that BayThreat only cost $45 to attend, this was a huge draw for most attendees.  And seeing the inside of Hacker Dojo was a plus as well.

I don’t know what the real count was, but the best guess I heard for attendees was somewhere between 150 and 200 between Friday and Saturday.  The speakers were some of the same people you might see at a major event like Black Hat, folks like Dan Kaminsky, Moxie Marlinspike and Dino Dai Zovi, but also a lot of great local speakers like Jeremiah Grossman, Allison Miller and Sam Bowne.  I’m just hitting some of the high points; check out the list of speakers for yourself and you’ll see how many great presentations we were treated to this weekend.

Two of my personal favorites in the speaker track were Mike Smith’s presentation about DDoS, with a lot of information about the current situation about Wikileaks, and Steve Adegbite’s presentation “Rage against Security: A different Scene Shift”.  Mike is giving the same talk at Dojocon after flying cross country last night, which may make the presentation more amusing, if not better.  That’s not to say there weren’t other great presentations, there were, but I kept getting distracted by the hallway track and meeting many of the people who were just a twitter handle to me until this weekend. 

I have to say that BayThreat is one of the first security conferences I’ve been to that’s left me wishing it was still going on when I headed for home.  There’s a lot to be said for having a conference that’s short and sweet and doesn’t leave you spending the next week trying to recover from the hangover and exhaustion.  But I still wanted more time to hang out with so many great people.  And I’m looking forward to having another great event next year.

Update:  Mike Smith’s DDoS slides have been uploaded to the BayThreat site.
