Mar 27 2012

TSA blocks Schneier from testifying

If you don’t know who Bruce Schneier is, I hope you’re coming to my site because I wrote about the TSA, not because you’re a security professional.  He wrote several books that are staples on almost every security professional’s shelf.  You could literally say he wrote the book on applied cryptography, since that’s the title of one of his books.  He’s been in the security community for a long time and has contributed a lot over the years.  And he’s one of the TSA’s biggest critics in the security field.

Last Friday, Bruce had been invited to testify before the House Committee on Oversight and Government Reform about the effectiveness of TSA security measures.  Perhaps unsurprisingly, someone at the TSA caught wind of the fact that he was supposed to be there in person, challenging TSA assertions, and had his inclusion in the proceedings blocked.  For some odd reason, the TSA is leery of having someone on the panel who not only understands most of the visible security measures we experience at airports, but can also articulate that in a manner the public can understand.  Of course, the reason the TSA claims it had him blocked is the lawsuit he currently has going on against them.

The TSA (and the DHS) are well aware of their detractors and take great pains to avoid directly confronting any of them or giving critics a chance to get real answers to charges of ineffectiveness.  Bruce Schneier has been one of the voices that has taken them to task many times, coining the term ‘security theater’ to describe security that looks like it’s making us more secure while really providing little or no actual protection.  In fact, security theater is often harmful, since it makes us think we’re safer than we really are.

One thing people tend to forget is that the TSA is a political organization first and foremost.  The people who run the DHS, currently Janet Napolitano, are appointed politicians whose primary goal is not security, is not safety, but is instead simply keeping their jobs and doing whatever it takes to appear effective.  I know it’s cynical, but politics has always been about appearances rather than the actual utility of the actions politicians take.  And since the TSA’s role is so well defined, it’s easier to measure its effectiveness, or lack thereof, than it is with many governmental agencies.  Which is why in most airports no one is keeping count of the number of people who opt out of backscatter x-rays; if we counted, there would be metrics that could be used as a yardstick.  But of course, we wouldn’t want to know how good or bad our security measures are, since that would mean we’d expect changes to be made to make them more effective.

I had the dangers of mixing politics and security at the TSA made painfully clear to me several years ago when I had a chance to interview Michael Chertoff, who was then the outgoing head of the DHS.  At one point I asked Mr. Chertoff if there was ever going to be a time when we don’t have to take off our shoes when going through a security checkpoint.  His basic answer was, “I’m a politician.  The shoe bomber happened and if I don’t make sure it never happens again it’s the end of my career, so you’ll have to keep taking your shoes off for the foreseeable future.”  Which told me that for a career politician, protecting his career is much more important than protecting the folks who are traveling through the airport.  And by the by, Mr. Chertoff went to work for one of the companies that build and sell backscatter x-rays to the TSA when he left office.  Let that one sink in for a while.

All in all, this is just one more data point in the argument that the DHS and TSA are less about actually protecting the public than they are about perpetuating a political power base built on fear of a once-in-a-lifetime event.  The TSA has created a situation where people have given up a number of personal freedoms for the very thin illusion that they may be safer while flying.  But the sheer amount of inconvenience and humiliation that the TSA has heaped upon travelers is gathering more and more momentum for change as the public gets tired of it.  Which tells me that we might see some sort of incident in the near future that will re-instill fear of terrorists in the public.  Or is that too much cynicism and paranoia?  It is security theater, after all.


One response so far

Mar 13 2012

Network Security Podcast, Episode 270

Published by under Podcast

It’s a good thing we’ve started double-checking Rich’s work, because he hasn’t been that reliable as of late.  Luckily Martin is recording this week, so the audio quality is back to its normal level, but that means the content is back to its normal level as well.  Which actually turns out to be a good thing, since we all seemed to be firing on most cylinders this week.

Network Security Podcast, Episode 270, March 13, 2012

Time:  36:51

Show Notes:


No responses yet

Mar 05 2012

RSAC 2012 Microcast: SecureWorks

Published by under Hacking,Podcast

Dell SecureWorks Chief Technology Officer Jon Ramsey took a few minutes out of his day at the RSA Conference to talk to me about a new study his team had recently written on a series of attacks they dubbed the Sin Digoo Affair.  In addition to being a detailed analysis of the tools and actions used by the attackers, the paper also contains specific steps defenders can take to detect and respond to similar attacks.  This is part of an ongoing series of papers that the folks at SecureWorks have been publishing.

RSAC2012 Microcast:  Jon Ramsey from Dell SecureWorks


No responses yet

Mar 04 2012

RSAC 2012 Microcast: AlertLogic

Published by under Cloud,Podcast

My first interview this year at the 2012 RSA Conference was with Urvish Vashi from AlertLogic.  We talked briefly about the recent acquisition of ArmorLogic, but my real interest was the State of Cloud Security Report issued by AlertLogic.  It’s an interesting report and gives us some fuel for the debate about which is more secure, cloud or on-premise.  But it’s a first effort that raises more questions than it answers and definitely doesn’t settle the ‘which is more secure’ question.  The comparison is apples to cucumbers unless the data is normalized to take into account that desktops are included in the on-premise statistics, which AlertLogic fully acknowledges, by the way.

RSAC 2012 Microcast:  AlertLogic


No responses yet

Feb 26 2012

My todo list for RSAC

Published by under Blogging,Podcast

The RSA Conference is one of the most stressful times of year for me, as well as for thousands of other security professionals who descend on the Moscone Center every year.  It’s great to see all the friends that you may only see at RSAC because your paths don’t cross otherwise, as well as the friends you haven’t seen since some other event.  But to make that possible, there are thousands of moving parts that all have to align properly or chaos ensues.  In my own case, I’m wearing three hats this year (press, speaker and vendor) and making them all work together has been difficult.  I think I’ve spent more time in the last month preparing for RSAC than I’ll actually spend at RSAC.

I’m glad to say that my employer, Akamai, agrees that the work I do podcasting is important enough that it takes first priority on my time at the convention, followed closely by my speaking engagements.  I still have work responsibilities and it’s possible you’ll find me in booth #851 from time to time, but mostly my co-workers will be taking care of booth duty for me.  Thursday morning I’ll be doing an Akamai webinar with Andy Ellis (@csoandy) live from RSAC, where we’ll, among other things, rate some of the tchotchkes we find at the show.  If you see some really interesting giveaways, stop by the booth.  I think we’ll be giving away coffee.

I’m speaking three times this week: twice on panels, once by myself at BSidesSF.  We’ve got a lot of new data for the stress panel, which I’m sure preparations for RSAC will leave people empathizing with.  The Data Mining panel should be interesting, because I fully admit I’m the new kid on the block, with the least data mining experience of anyone on the panel; I’m there primarily to learn.  And my Fundamental Flaws talk seems to be resonating with a lot of people, so I’ll be giving that at BSides on Tuesday.

RSAC 2012: Stress and Burnout in the Information Security Community

Data Mining Methods for Enterprise Level Security

Fundamental Flaws in Security Thinking

Then there are the interviews I have scheduled.  This is not an exhaustive list, but I think it covers most of my interviews: Good Harbor, Abaca, Dell Secureworks, Sophos, Adam Shostack from New School of Security, VSS, Checkpoint, and a few others.  In fact, I should probably add double-checking my calendar to the to-do list for today.  I’ll be getting a couple of these out Monday through Thursday, with any stragglers coming the week after RSAC.  The microcasts I do at RSAC are a lot of fun and introduce me to some interesting people and companies.

Finally, there are the parties.  I’m helping put on the Security Bloggers Meetup again this year, though Jennifer Leggio does most of the real work.  I’ve been nominated for a couple of Social Security Awards as well, for Best Podcast and Best Blog Post, so wish me luck on those.  Akamai has a small party, and then there are the dozens of other parties going on, primarily on Tuesday and Wednesday nights.  And we can’t forget the Securosis Recovery Breakfast on Thursday morning.  I will be attempting to drink lightly this week, since I’m going as a company representative for once, rather than having to take time off to attend.

So it’ll be a busy week.  Somewhere amongst the chaos, I need to find a little time to walk the showroom floor as well as socialize.  Looking at the slim gaps in my calendar, that’s going to be catch-as-catch-can.  By Friday, you’ll see thousands of very tired security professionals streaming out of San Francisco and SFO.  I’m lucky, I get to drive home Friday night, though I’m hopping on a plane again the Monday after.


3 responses so far

Feb 21 2012

Network Security Podcast, Episode 268

Published by under Podcast

With the 2012 RSA Conference less than a week away, we decided to try to record a short podcast focused on the event this week.  Of course, since Rich and Martin are involved, things ran away and the show ended up being the same length it normally is.  Zach won’t be at the RSA Conference this year and offers a counterbalance to Martin and Rich’s opinions.

Network Security Podcast, Episode 268, February 21, 2012

Time:  28:51

Show Notes:


No responses yet

Feb 15 2012

Why are we talking philosophy instead of technology?

Published by under General,Risk,Simple Security

A friend of mine recently complained on Twitter that, according to his count, nearly 80% of all talks given at the security conferences he’d looked at recently were now non-technical.  It might be in part because he’s @ramblinpeck on Twitter, aka Daniel Peck, Research Scientist or something like that at Barracuda Networks.  Which is my way of saying his idea of a technical talk might be a little more technical than many people’s.  But whether you’re at his level of technical expertise or mine, I think he’s got a valid point in saying that at most security conferences, the majority of the talks are less about the technical aspects of security and more about the philosophy or generalities of security.  And that’s probably the way it should be.

Why should most talks be more about principles of security and less about the technical aspects of security?  The first reason is that, with a few exceptions, the whole reason that conferences exist is to get butts in seats and into a place where vendors can get at them.  Even community-led events like the BSides movement are about getting people to attend and mingle; the goal is still to create an atmosphere that draws people into the event and around other like-minded individuals.  And many technical talks are counter to that goal, not in their content, but in who they pull in.  For example, a talk about a bug in a compiler on an OS X box is great for the few individuals in the crowd of attendees who a) work on Apple systems, b) are worried about bugs in compilers and c) have enough technical knowledge and interest to travel the distance to attend an event.  But the other 98% of the people interested in security who might be willing to travel to an event will take a look at the subject matter and decide it’s not for them.  Finding the right audience for any deeply technical talk is an art form at best and in most cases is more closely akin to guesswork than anything resembling a science.

A second reason it’s hard to have technical talks at security conferences is the wide variety in skill levels among security professionals.  I’m fairly smart, I’ve been in security for a long time and I understand at least the basics behind most of the technologies that make the Internet tick.  There are even one or two aspects of security where I can do the deep geek dive with almost anyone.  But when a talk is given that assumes a level of expertise that may not exist in more than a dozen people worldwide, I’m going to be left out and leave the talk annoyed and confused.  Or worse, if a talk was advertised as technical but I find out when I attend that it’s a primer and I already know most of what’s being presented, I’m going to be annoyed, probably vocally so, and tell people that the talk was mislabeled.  It’s very hard, if not impossible, to create a presentation that captures multiple levels of technical background, and it’s even harder to look at an abstract for a talk and decide what level of technical expertise it’s appropriate for.  Which, again, makes it less likely that the talk will be selected for a conference.

The third, and possibly most important, reason we’re talking about the philosophy behind security more than the technology is that so many of the assumptions that have gone into building the technology are wrong!  Security isn’t something that was designed into the Internet and corporate networks from the start, it was bolted on after, the cracks were spackled over and huge loads of duct tape were wrapped around the whole thing and it was called ‘secure’.  Or, more often, security has simply been ignored as a cost center until a compromise happens and data is lost.  Instead of building a cohesive, multilayered approach, we’ve built a collection of point solutions, few of which actually deliver on their promises and even fewer of which are properly configured to fully deliver what they’re capable of.  Given some of the compromises we’ve seen over the last year, we have every reason to believe what we’re doing isn’t working.

We’re at a point where we need to re-examine the fundamental thinking that underlies how security works.  It’s not an issue of flipping the evil bit off in a packet, it’s an issue of engineering a new set of solutions from the ground up.  The technical aspects of these solutions will be vitally important, but unless we can understand the underlying assumptions we’ve made, we’re going to make the same mistakes again on an even larger scale.

Security professionals come in all levels of technical expertise, but all of us benefit from a better understanding of the philosophy that underlies our decision-making processes.  I think that understanding where your decisions are coming from is even more important than the technical details of how those decisions are implemented.  I’ve seen many technical decisions made that looked good in the short term, but led to dead ends both in terms of the technology and the opportunities that the decisions limited.

This is all my way of saying that I believe an 80/20 split of non-technical to technical talks is probably appropriate for most security conferences.  The majority of people aren’t going to care about a specific technology because it simply doesn’t affect them directly.  But so many of us want to understand the underlying foundations of our chosen field.  It’s great to dig into the deeply geeky details of a protocol, but the vast majority of professionals will never need to do that for fun or for profit.  But every person who works in the security field needs to understand the philosophy that goes into making security decisions at all levels.

PS.  I’ll be giving a related talk, ‘Fundamental Flaws in Security Thinking’ at BSidesSF on Tuesday, February 28th at 1pm.  Come tell me how I’m wrong.


No responses yet

Feb 14 2012

Network Security Podcast, Episode 267

Published by under Podcast

On this wonderful (?) Valentine’s Day, we are joined by guest-host and friend-to-the-show Michelle Klinger, while Rich is overcoming some throat-in-tube type illness (feel better, Rich!).

Network Security Podcast, Episode 267, February 14, 2012

Time:  34:41

Show Notes:


No responses yet

Feb 01 2012

Network Security Podcast, Episode 266

Published by under Podcast,Privacy,Risk

We’re a day late, but we still managed to get this week’s show recorded! Rich is soaking up sun (or “teaching”, as he claims) in Cancún, Mexico, so we decided to rope in the illustrious Mike “Rybolov” Smith to discuss, surprise-surprise, privacy and monitoring.

Network Security Podcast, Episode 266, February 1, 2012

Time:  42:36

Show Notes:


2 responses so far

Jan 26 2012

Standing Desk 2.0

Published by under General

If you follow the blog, you may remember several months ago that I built myself a standing desk out of some cheap lumber and plywood I had in the garage.  It took an afternoon to build and was a proof of concept as to whether or not I’d actually like working at a standing desk.  The funny part of the project was that it took me longer to draw it up in Google SketchUp than it did to actually put the desk together itself.  After several weeks of working on the desk I decided I really liked it and wanted a more permanent version of the desk that I could feel was an actual piece of furniture and not just something that looked like an escapee from the lumber pile.

The first week or two that I had the desk, there was some definite back and foot pain as I transitioned from sitting 12-14 hours a day to standing for the same amount of time. But it was very apparent after I’d made the adjustment that a standing desk was the right decision for me.  I felt better at the end of the day and there’s a certain mental energy that comes from standing and walking around the office that I never had while sitting.  It’s hard to describe, but standing seems to put me in a slightly different state of mind than sitting does.  And, along with walking 2-3 miles a day, I’ve lost nearly 10 pounds since the beginning of the year, though I attribute that more to the walking than the desk. Oh, and there was one problem that was created by playing MineCraft for about 6 hours straight over the Thanksgiving weekend, but I don’t blame the desk for that.

There were a few things about the desk I wanted to change after working on it for two months.  The first was the top shelf; the original shelf was six inches shorter than the desktop on each side and while it fit two monitors fine, I wanted to add a third so I can put my work laptop on it as well.  Making it the same width as the desktop was the perfect solution, all three monitors fit perfectly on the shelf.  I can check work email, personal email and twitter with just a glance.  I also wanted the bottom shelf to be lower, since the space underneath it was wasted and I hoped to add another shelf.  Finally, I wanted it edged, sanded and finished so it actually looks like a piece of furniture.

All of this is why I asked my father-in-law to help me build version 2.0 when he came down for Christmas week.  He’s not a professional carpenter, but he does woodworking for fun the way I do computers and security for fun.  Except he’s been doing the woodworking since before I was born, and experience counts for a lot.  We went shopping for wood, picked up some decent 2×4s and 4×4s, cabinet-grade plywood and a really big can of stain/polyurethane mix for me to put a finish on with.  At which point I gave him my plans from the original and the changes I wanted to the design, and got out of his way.  He came back with an offer to add a pair of drawers to the design, something I wanted but didn’t have the skills to make myself.

When I made version 1.0, it took a Saturday afternoon; when my FiL made version 2.0, it took five days to complete the desk and another week for me to put two coats of stain/poly on the supports and 4+ coats on all the other parts of the desk.  I got slightly carried away and put six thin coats on the front of the drawers.  And because the desktop is two pieces of 3/4″ plywood glued together, I had to call my younger brother to help manhandle the desk into the office.  But once everything was in place, it was worth every bit of the effort we’d put into it!

So there you have it, my experience in building a standing desk.  I’d say it was worth it, but maybe I’ll write more on it in a year or so.  I have a lab stool to sit on when my feet start to hurt, but I only use that about 15 minutes a day, maybe a little more if I decide to play any games on my PC at the end of the day.  I get a little confused once in a while when the mouse doesn’t work, until I realize I’m using the wrong mouse and have to take a step to the left or right.  I also had to put a piece of stained wood under one of my monitors, since they’re not the same height.  And version 1.0 wasn’t dismantled; it was moved into the garage where it will spend the rest of its life as a workstation for playing with Arduinos, Lego Mindstorm and occasional light soldering.  And maybe a little locksport as well.


One response so far
