Because I'm all about the "good enough."

Saturday, August 18, 2012

Pre-rejected CFP submissions.

Here are some of my planned conference submissions that I thankfully abandoned early in the process:

"Increasing Security Awareness Using Wall-to-Wall Counseling"
Most security awareness training is less effective than it could be.  Introducing a physical reminder component boosted our compliance levels up to 450% (but did necessitate a new carpet from time to time).

"Zero-Day Exploits For CP/M"
There are critical risks to data integrity for every enterprise using WordStar.  Help us get the word out about these frightening vulnerabilities that have been around for DECADES.

"A Meta-Discussion on Meta-Talks at Security Conferences"
A disturbing trend in security conferences is meta-talks that have nothing to do with, like, pwning stuff.  Burnout, sexism, career advice, economics, recruiting, food, exercise and other presentations, usually on what's wrong with the security industry, are replacing actual knowledge transfer involving shell scripts, cookie abuse and lockpicking. Our whole community is in danger of extreme navel-gazing.  This presentation aims to point out the meta-risks of meta-talks.

"On a New Certification For Security Professionals"
We can't possibly take ourselves, or each other, seriously in the security industry without certifications.  The current ones are not fine-grained enough to depict the exquisite subtleties of arcane knowledge that make us so proud to be in this business.  In this presentation, we will propose a new certification model with 25 levels and over 18,000 separate certifications to remedy this granularity problem.  (And all of them start with the letter C!)

"Musical Ports"
After many years of research, we have discovered a new weapon in the battle against intruders:  musical ports, in which services migrate every few seconds to new port numbers so that they can't be found and exploited.  This is done to the system administrator's choice of music (or you can leave it on the default setting, which uses streaming dancehall reggae).  Every so often, when the music stops, one service that can't find an open port is arbitrarily terminated.  The end effect is a much more secure infrastructure.

"The Original Internet Privacy Threat: Your Mom"
You think you can still fight for your privacy?  Privacy is deader than you know.  Your mom built the Internet, punk, and not only has she been monitoring all your activity, she's got Google alerts on you and has a network of other moms planted where you least expect them. She thinks it's really cute how you change pseudonyms every so often, by the way. And since you're reading this, she'd like to remind you to take out the garbage and brush your teeth.

"It's Probably Okay, Don't Worry About It"
Security isn't the problem that people think it is.  Chill, folks.  It's just ones and zeroes.  You're just getting everyone upset with all this bogeyman talk about APTs and insider threats and whatnot.  Relax, open up the firewall to let it breathe, and embrace the Internet.

Thursday, August 16, 2012

Actually, you're both right.

I normally don't like to write about gender issues.  It's not that I don't have opinions on them; it's just that it would be like taking a public stand on other controversial topics that may (or should) not have anything to do with my profession.

But it seems that the pot has come to a rolling boil these days over sexism and other kinds of harassment, and since I think I understand both sides of the arguments, I thought I'd just come out and say that everyone is (mostly) right.

I think the fundamental problem is that there is a continuum of acceptable conduct and/or speech that at some point crosses over into unacceptable.  The problem is that the dividing line is very blurry, and people who are most in danger of crossing it resent attempts to define it too closely or to move the goalposts without notice.  In fact, it's pretty hard to define it completely without writing a huge book on it.

Harassment is bad, no matter who does it or to whom.  Harassment should be defined as well as is possible and should not be tolerated.

I can understand how someone can write in his usual style -- blunt, verbose, with a touch of condescension -- and not mean it to be any different just because the current target is a woman as opposed to a man.  I can also see how a woman can take it as an inappropriate attack.  They're both right.  In a case where someone is treating a woman exactly the way he would treat a man, it's not sexism on his part.  At the same time, if that treatment happens to match sexist acts that the woman has experienced, to her it's certainly more of the same.  There is no getting around the mismatch, and it can't always be remedied.

So when harassment or sexism is contextual -- something is a normal behavior when doing it to a man, but not to a woman, for example -- then I can see how it can be very confusing to someone who doesn't innately experience the difference.  People can wind up perplexed rather than informed.  It can look like one team has a secret rulebook and there might always be a rule or two that could be violated without warning.

The key here is "without warning."  Feedback, like salad, is best when it's fresh.  (I don't know where that analogy came from.  Work with me here.)  Feedback needs to be immediate and unambiguous, which means that it can't always be subtle or polite.  When it comes to unwanted actions of any kind, people have to speak up right then and there.  Women need to be able to yell, push, or punch someone in the nose if all other tactics fail.

A long time ago, in a club in a country far, far away, some drunken guy grabbed me around the waist in what presumably was an attempt to dance with me.  I shoved him away.  The international language of "no" was clear, and I didn't have to do it twice.  Were his feelings hurt?  Probably.  Did I overreact?  We could sit here debating that for hours.  But the fact is, it worked without any need for escalation.  He could have had harmless intentions, other women could have found it charming, and at the same time I still felt it was an unwanted and obnoxious act.  Short of putting the decision to Schrödinger's cat, we're always going to have two states here.  And if we're all going to get along, we have to recognize that and build bridges to deal with both of them.

There are some forms of harassment that we can all agree on:  using threatening language, launching  attacks that do damage, calling someone names.  And most of the time, those types of harassment are clearly intentional.  As a community, we can and should work together to fight that kind, because it's a shared standard.  Where a reasonable person could claim that something is not intentional, however, we need to recognize that and respond in a way that gives feedback, not accusations or punishment.  We can also recognize that this feedback may not be well received, but we can work to make sure it's understood.  And anyone who agrees with the feedback can and should speak up to support it -- not to make it worse, not to escalate it, but to strengthen it.

What we don't want is to wind up in extremes:  where both sides feel attacked, albeit for different reasons.  We don't want women, men, ethnic minorities, people of size, people of age*, or anyone else to be wary of attending a conference for fear of intentional harassment.  We also don't want people attending conferences to be scared of unintentionally offending someone through the mismatch described above.  We want people to be able to write what they think is normal language, and get a second chance if they mess up once.  In all of these cases, though, if you keep getting the same feedback for the same actions or language, maybe you'd better take the lesson to heart, whether you understand/agree with it or not.

* Hello.

Wednesday, August 15, 2012

The OTHER problem with passwords.

There are some sites that I use very rarely, and I can never remember what I used for a password there.  But it doesn't matter, because honestly, the reset procedure is less onerous than trying a few passwords and risking getting locked out.  So I just don't bother: I put in a crazy strong password, forget about it, and when I come back to the site I just ask for a reset.  In many cases there aren't even security questions to answer; I just get a new password mailed to my address of record.  In the case of one site where they wanted me to change the password every 90 days, I did this dance every 90 days.

Yes, yes, I know, password manager.  But most of the public doesn't use one. And site designers know it.  Any site feature that makes it harder for a non-technical user to do a password reset causes that user to email or call the support desk, and every use of the support desk (as in actual humans) costs money.  So organizations are motivated to prioritize ease of use over security, if they feel their target audience won't be able to use more advanced features without support.  The end result is that the password reset process to an address of record is the easiest way to get into an account.

And of course attackers know this too: this is why many publicized breaches today started with the password reset.  If it's a simple enough process, getting into an account is no longer "something you know;" it's "something you have," as in control of the email address.  If you've broken into the address of record, you can collect password resets from as many sites as you can find without having to do any more homework.

The next level up in attacking an account is to add a new email address of record that you control, which often requires social engineering of the support desk.  But support people are incentivized to help the helpless, which tends to make the process easier.  And as Mat Honan found out, the types of security verification data that support desks use can often be found out with a little Google action (and in his case, the clever use of an Apple process loophole).  This is why I've never liked the use of the last four SSN digits as an identifier; they're even more widely used than the whole SSN these days, and they're used for everything, including utility and phone service accounts. It's arguably less secure than a site-specific PIN.

Make no mistake: designing identity and access management while balancing cost and security is hard.  You can't control the biggest factor, which is the level of expertise for your users (particularly if they're all external to your organization).  With each of these breaches, we're learning more about what works and what doesn't in these designs.  But there's still a lot of risk out there.
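Two of the patterns this post describes are visible in a site's own auth logs: accounts whose owners reset instead of logging in (so the mailbox is the real credential), and resets mailed to an address of record that was only just added. The following is an added example, not code from the original post; the log format, event names and sample lines are constructed assumptions, not any real product's schema.

```python
# Added example (not from the post); log format and event names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: alice resets every time instead of remembering her password,
# bob logs in normally, carol's address of record changes the day before a reset.
LOG = """\
2012-05-01T09:00:00 alice password_reset_sent alice@example.org
2012-05-01T09:05:00 alice login_success alice@example.org
2012-07-30T10:00:00 alice password_reset_sent alice@example.org
2012-07-30T10:04:00 alice login_success alice@example.org
2012-08-14T08:00:00 alice password_reset_sent alice@example.org
2012-08-14T08:03:00 alice login_success alice@example.org
2012-08-01T12:00:00 bob login_success bob@example.org
2012-08-03T12:00:00 bob login_success bob@example.org
2012-08-10T15:00:00 carol email_of_record_changed newaddr@example.net
2012-08-11T15:00:00 carol password_reset_sent newaddr@example.net
"""

def parse(log):
    """One dict per line, with the timestamp parsed."""
    events = []
    for line in log.splitlines():
        ts, account, event, email = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "event": event, "email": email})
    return events

def reset_as_login(events, min_resets=3):
    """Accounts with >= min_resets resets and no more logins than resets:
    for them the mailbox, not the password, is the real credential."""
    counts = defaultdict(lambda: {"reset": 0, "login": 0})
    for e in events:
        if e["event"] == "password_reset_sent":
            counts[e["account"]]["reset"] += 1
        elif e["event"] == "login_success":
            counts[e["account"]]["login"] += 1
    return sorted(a for a, c in counts.items()
                  if c["reset"] >= min_resets and c["reset"] >= c["login"])

def reset_after_email_change(events, window=timedelta(days=7)):
    """Resets mailed to an address of record added less than `window` earlier:
    the add-your-own-address-then-reset escalation the post describes."""
    changes = defaultdict(list)
    for e in events:
        if e["event"] == "email_of_record_changed":
            changes[e["account"]].append(e)
    return [(e["account"], e["email"]) for e in events
            if e["event"] == "password_reset_sent"
            and any(c["email"] == e["email"] and timedelta(0) <= e["ts"] - c["ts"] <= window
                    for c in changes[e["account"]])]

EVENTS = parse(LOG)
```

The second check is the one to wire to a human review step or a cooling-off delay rather than a silent log entry, since it is exactly the path where a helpful support desk would otherwise be the only control.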

Monday, August 13, 2012

CFP Karaoke.

I have to thank Wim Remes for coming up with the idea of CFP Karaoke:  you come up with a talk title, and someone else has to do the rest of the work.  Here are some of the gems he came up with on Twitter; feel free to take one and run with it.

@wimremes: "Two and a half clouds : how to keep winning on tiger blood as a service"
@wimremes: "Infosec and the God complex : we're better than we are and worse than we realize."
@wimremes: "Exploit sales for the masses : do you want a patch with that?"
@wimremes: "Cutting through the infosec BS : is there an evangelist in the house?"
@wimremes: "Eeny, meeny, miny, mo, your QSA says it's secure but I say no."

Tuesday, August 7, 2012

When the mothers talk ...

Seeing as how I've been on the bench for roughly the past nine months, I'm looking forward to getting back to some conferences.  Here's what's planned, at least for now:

9/12-9/14/12 - Looking forward to speaking again at the UNITED Security Summit in San Francisco.  This year I'm talking about "Why Doing Application Security Remediation Is Like Building a Rube Goldberg Machine."  (If this sounds familiar, it's because I'm going green and have recycled it from SOURCE Boston 2011.)

9/18-9/20/12 - My employer's gala event, the North American Hosting and Cloud Transformation Summit in Las Vegas.  This isn't a pure security event, so I enjoy talking with a wider variety of attendees.  This year's panel is called "Security and DevOps: Table Stakes of Doing Business?"  And I've got some heavy hitters who will be contributing to the discussion.

10/9-10/11/12 - I'll be hanging around at RSA Europe, because I really love London.

10/25-10/26 - Of course I can't possibly miss the OWASP AppSec USA conference, especially as it's in the 512 this year.

12/3-12/7/12 - In what I'm sure will be the blowout of the year, Security Zone 2012 will be gathering a whole lot of security experts in Cali, Colombia.  Oh, and I'll be there too, talking about the Security Poverty Line.

It'll be great to see a lot of cool people again, and catch up on the latest research.