nCircle.com >> 360 Security


May 2005 Archives

May 1, 2005

A Quick Quality Primer

As I mentioned in a previous post, we went to the Security of Quality conference last week. I wanted to take the opportunity to write a quick entry about the three common quality programs that you hear about: Six Sigma, Lean/TPS, and the Theory of Constraints.

While they often get lumped into the same categories, they're actually very different systems, with very different goals. Interestingly, each of them uses a large subset of similar tools.

Lean Manufacturing is also known as the Toyota Production System (TPS). Its main goal is to eliminate waste (i.e. cut costs) from the production of any product or service.

Six Sigma is one of the most popular systems in use today: it was popularized by Jack Welch and GE, but was actually created at Motorola. Its main goal is to reduce variance in process - it assumes that variation is the root of all defects. It follows very much from the work of Shewhart and Deming.

Theory of Constraints (TOC) is a system first laid out by Eli Goldratt in his business novel The Goal. TOC aims to increase the throughput of any given business process by focusing effort on alleviating the system's bottlenecks (or constraints).

Note the difference in the goals of the three processes: Lean aims to cut costs, Six Sigma aims to make things more standard (and thus better), and TOC aims to increase production (drive revenue).

The choice of quality system that you use, then, depends entirely on the problem. I'll use VERT as an example: if we're not producing enough vulnerability and application signatures (not currently a problem, given our growth of nearly 300 per month), we'd use TOC. If we're aiming to increase the quality of each of our signatures, we'd use Six Sigma. And if we're aiming for process efficiency and less "wasted motion", we'd use Lean.

Of course, you get some of the benefits with each - it's really a question of focus.

May 3, 2005

Books can be Strange Sometimes

Sometimes it is extremely fascinating where you can find strange parallels between two books that look like they should have no correlation with each other whatsoever.

One of my favourite books I read last year, being the mathematician that I am, is "Fooled By Randomness: The Hidden Role of Chance in Life and the Markets" by Nassim Nicholas Taleb. The book is about the role of chance and randomness in life (with a strong focus on the stock market itself). Essentially, the book theorizes that most successful/famous people in the stock market have made their money based on the luck of the draw and that the only real way to be successful when playing the markets is to control risk (i.e. don't put all your eggs in one basket and don't risk more than you can afford to lose at one time). Taleb really focuses on the idea of the "Black Swan," which can be defined as an "outlier", or an event that one does not expect or has not planned for. These can be either good or bad. Winning the lottery or getting hit by lightning can be considered a "Black Swan." You will be successful if you can survive any "Black Swan" situation in the markets and possibly profit from them.

On mmurray's recommendation, I have just about finished the book "Blink" by Malcolm Gladwell. The book is essentially about the subconscious and its power in our daily lives. The beginning of the book focuses on its uncanny ability to lead us toward a decision before we are even conscious of the fact that we are making it.

At first glance, there doesn't seem to be a real correlation between them. At a stretch, you can consider them both to be business books: Fooled By Randomness with its focus on the stock market and Blink with its focus on the subconscious making quick decisions (e.g. first impressions when conducting an interview).

One of the examples given in Blink was an experiment conducted by the University of Iowa where the testers asked individuals to select cards from decks that differed in colour. If someone drew from one of the decks, they would either win or lose the amount on the card. Without giving too much away, one of the decks that an individual could choose from paid off handsomely, but was also very risky. One could not win by just picking cards from that deck. The other deck was more conservative. One would not win as much as choosing from the other deck, but one would lose even less. The conclusion was that the people taking part in the experiment eventually figured out that one deck was safer than the other. However, they were able to determine this subconsciously well before they consciously knew it and were drawn to the safer deck.

I thought about "Fooled By Randomness" right after reading this section of "Blink". Taleb talks about how humans often see patterns in things (or believe they understand how things work) that are completely random. Taking the card example used in the Iowa experiment (not exactly the same, since they weren't drawing from a standard deck of cards, but using it as an example), if one is drawing from a deck of cards and gets 12 red cards in a row, there is a strong chance that the next card will be black. However, even though the odds of getting a black card are much higher than getting a red one, you will be pushed towards guessing that the next card is red. Even though you know it's a standard deck and logic dictates that you should pick black, you'll stop for a second. What if this deck is different???
The same is true with flipping a coin. If you are able to flip heads 20 times in a row, what are the odds of the next coin flip being heads? (As a note: the odds of anyone flipping heads 20 times in a row are ~1/1000000, or (1/2)^20).

As a math guy, this is messed up. My background is numbers and logic. One source is telling you that your subconscious can lead you toward the right conclusion without you even knowing it. Another source is telling you that your subconscious can lie or lead you in the wrong direction depending on the input. (To be fair, Blink does talk about this in later chapters). So, in the end, I conclude this from both books: trust your instincts, but only when they are not wrong. :)
But when is that? How do I ever know that my subconscious is not leading me in one direction based on a pattern that doesn't really exist?

May 5, 2005

CanSec West, First Day

I woke up around 6am for an early morning and got some work done prior to the CanSec West registration (which started around 9am). The registration procedure had some technical difficulties which halted the process for a little over an hour. After successfully registering I walked towards a glass wall and stared at a piano located on the floor beneath me while contemplating a few melodies.

The first presentation, "Mobile Workstations, mitigating the crawling trojans" presented by Cedric Blancher, was about to begin. I must admit the name sparked more curiosity and excitement than the presentation itself. The "Mobile Workstation" was essentially a laptop, as expected, and the "crawling trojans" simply meant the ever-changing, insecure network environment the laptop is subject to. Much like in "Independence Day", the alien skiff kept at Area 51, piloted by... monkeys, invades the perimeter defence of the alien mother ship undetected while carrying a deadly payload. The mother ship is damaged severely because the aliens did not anticipate the skiff being infected by... monkeys. So the moral of the story is not to treat a "Mobile Workstation" as if it were a trusted device (such as an office workstation) because you cannot control it; only the monkeys do.

The second presentation, "0wn3d by an iPod: Firewire/1394 Issues" presented by Maximillian Dornseif, was easily my favourite. First introducing the history and some technical data of Firewire/1394, I mean FireWire/1394, I mean iLink... Mr. Dornseif then explained the potential to read and/or write any physical memory address on a system through the FireWire port without authentication. I must admit I was sceptical at first, as it seemed highly illogical that such capabilities would be so easily granted. My scepticism was quickly put to shame as Mr. Dornseif provided us with a demo. Two computers were first linked together using the FireWire port, and then the video memory of one computer was read and modified by the other. Someone, somewhere, must be saying "Oops" right about now.

The third presentation, "0wn3d by everything else: USB/PCMCIA Issues" presented by "David Maynor", was particularly boring. At first the issue appeared to be the potential exploitation of device drivers, then DMA, then USB, then firmware, or hiding code in the FPGAs that some video cards apparently use... FPGAs used by a consumer video card? Maybe if I were not an avid IDA user I would have enjoyed the IDA screenshots. The lack of consistency left me logging into my IRC client and talking with a few friends about... lack of consistency. I felt like the sky was falling... only it is not falling... but we can pretend it is.

The fourth presentation, "Everything is Vulnerable" presented by Brian Martin & Jake Kouns, started off well. They talked about known issues with vulnerability databases that have annoyed me and my fellow coworkers since the first day we started using them. A fine example entailed a vulnerability database claiming versions "1.0" and "2.0" are vulnerable... but what about "0.9"? Or "2.2"? The vulnerability is not thoroughly tested (if tested at all) and therefore should only be taken as a partial answer and not a final answer. Of course, all the troubles of using a vulnerability database to determine the vulnerable instances of an application can be solved by simply checking for the existence of the vulnerability directly rather than writing a peripheral version check. It was also pointed out that vulnerability databases have a tendency never to revisit and update past vulnerabilities. Therefore a vulnerability that, according to the vulnerability database, has no solution may in fact have one.

The last presentation I am going to comment on was the sixth presentation, "ICMP Attacks" presented by Fernando Gont. The talk emphasised three ICMP attack methods against TCP sessions that can reduce TCP session throughput, increase TCP session latency, and reset a TCP session. Four values are required to perform each attack: the source and destination IP addresses, and the source and destination TCP ports associated with the TCP stream being targeted. If you know your target's source and destination IP addresses and the destination TCP port, the only value you need to brute force is the source TCP port, so the brute-force space is only 65536 possibilities. This brute-force space can be reduced further when considering the deterministic port ranges that most operating systems assign to source TCP ports.
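A defender-side illustration of the four-tuple requirement above, added here as example code that is not from the talk or the post: it parses the IP and TCP headers that an ICMP error quotes, treats the error as legitimate only when the quoted four-tuple names a connection the host actually has, and flags a run of errors that walk through source ports for one (source IP, destination IP, destination port). Addresses, ports and the connection table are constructed sample values.

```python
import struct
from collections import defaultdict

# ICMP types that quote the offending IP header plus the first 8 bytes of its payload.
ICMP_ERROR_TYPES = {3: "destination-unreachable", 4: "source-quench", 11: "time-exceeded"}
IPPROTO_TCP = 6


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_icmp_error(src_ip, dst_ip, sport, dport, icmp_type=3, code=3, proto=IPPROTO_TCP):
    """Construct a sample ICMP error (default: type 3 code 3, port unreachable) that
    quotes a segment src_ip:sport -> dst_ip:dport. Checksums stay zero; this is test
    input for the parser below, not a packet builder."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, proto, 0,
                            ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    quoted_l4 = struct.pack("!HHI", sport, dport, 0)      # ports + sequence number
    icmp_header = struct.pack("!BBHI", icmp_type, code, 0, 0)
    return icmp_header + quoted_ip + quoted_l4


def parse_quoted_tuple(msg):
    """Return (src_ip, dst_ip, sport, dport) quoted by an ICMP error, or None when the
    message is not an error type, does not quote TCP, or is truncated."""
    if len(msg) < 8 or msg[0] not in ICMP_ERROR_TYPES:
        return None
    quoted = msg[8:]
    if len(quoted) < 20:
        return None
    ihl = (quoted[0] & 0x0F) * 4                          # IP header length, with options
    if quoted[9] != IPPROTO_TCP or len(quoted) < ihl + 8:
        return None
    src_ip = bytes_to_ip(quoted[12:16])
    dst_ip = bytes_to_ip(quoted[16:20])
    sport, dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return src_ip, dst_ip, sport, dport


def matches_connection(quoted, connections):
    """A stack should act on an ICMP error only when the quoted four-tuple names one of
    its own connections, kept here as (local_ip, local_port, remote_ip, remote_port).
    The quoted packet left this host, so quoted src is local and quoted dst is remote."""
    if quoted is None:
        return False
    src_ip, dst_ip, sport, dport = quoted
    return (src_ip, sport, dst_ip, dport) in connections


class PortGuessDetector:
    """Flag a burst of ICMP errors that quote the same (src_ip, dst_ip, dport) with many
    different source ports: the footprint of someone walking the 65536-port space."""

    def __init__(self, threshold=20):
        self.threshold = threshold
        self.seen_ports = defaultdict(set)

    def observe(self, msg):
        """Record one ICMP message; return the flagged key once the threshold is reached."""
        quoted = parse_quoted_tuple(msg)
        if quoted is None:
            return None
        src_ip, dst_ip, sport, dport = quoted
        key = (src_ip, dst_ip, dport)
        self.seen_ports[key].add(sport)
        return key if len(self.seen_ports[key]) >= self.threshold else None


def demo():
    """Replay 50 constructed errors against one real connection: only the error quoting
    the live source port is accepted, and the detector flags the run of guesses."""
    connections = {("10.0.0.5", 40000, "192.0.2.10", 80)}
    detector = PortGuessDetector(threshold=20)
    accepted, flagged = 0, set()
    for sport in range(40000, 40050):
        msg = build_icmp_error("10.0.0.5", "192.0.2.10", sport, 80)
        if matches_connection(parse_quoted_tuple(msg), connections):
            accepted += 1
        key = detector.observe(msg)
        if key:
            flagged.add(key)
    return accepted, sorted(flagged)


if __name__ == "__main__":
    print(demo())   # (1, [('10.0.0.5', '192.0.2.10', 80)])
```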

CanSec West, Second Day: “Binary Difference Analysis”

The presentation “Binary Difference Analysis”, presented by Halvar Flake, talked about three key elements of binary analysis: Comparing executable objects, porting information between executable objects, and navigating executable objects.

The tool known as “BinDiff” interfaces with IDA (Interactive Disassembler) and provides the capability to compare two executable objects and provide a set of code logic differences (not physical differences). This technique would be useful (and was designed for) finding undisclosed bugs in patched software when both vulnerable and non-vulnerable executables are available. We use this technique often during Microsoft Tuesday to write rules that directly detect the existence of the patch in a non-invasive manner.

Based on the analysis of the two executable objects, “BinDiff” is also capable of porting code comments, variable names, and function names between two executable objects based on code segments that are logically similar (not physically similar). This technique would be useful when you have fully documented and reverse engineered an application that is later patched, or a new version is released, modifying the originally documented executable. To complete the documentation process of the new executable you can use the previously described feature to find any differences in code logic and document them accordingly.

Navigating executable objects with “BinNavi” was very impressive. The application would associate itself with an active process of the executable object you wish to navigate and permit one to take snapshots of the functions called between two points in time. This greatly simplifies the process of determining how to execute certain segments of code (such as the vulnerable segment that was determined when detecting the difference between a vulnerable and non-vulnerable executable). This should also simplify the process of reverse engineering proprietary protocols by making it easy to determine how an executable interprets the data it receives. The graphing present in “BinNavi” was amazing from both a usability perspective, narrowing down the amount of information to only important aspects of the graph based on function call analysis, and an eye candy perspective with graph rotations, fitting data onto a single screen (the ball of yarn), and providing graphs similar to “BinDiff”.

CanSec West, Second Day: "Advances in Exploit Technology" (revised)

The presentation "Advances in Exploit Technology", presented by H D Moore & spoonm, talked about the future of exploits and how Metasploit was going to make things better... for the ones writing the exploit. They touched on comparisons of open source and closed source exploitation; dynamic vs. static addressing, return address bouncing, using the stack exception handler, polymorphic exploits to avoid detection (IDS/IPS) systems, and the concept of a multi-byte NOP sled.

The most interesting aspect of the presentation was polymorphic exploitation code. This would make the life of a passive detection system much more challenging. I would imagine that it would be possible to design algorithms capable of deciphering polymorphic code based on the same principles of "BinDiff"... look for common logic. It may also be possible to simply detect the polymorphic algorithm and completely avoid any code deciphering.

The multi-byte NOP sled was also very interesting. It appeared to be a concept for generating random opcodes that do not impact the process or shellcode in a negative way. It is placed on the stack prior to the shellcode when the return address is non-deterministic. The shellcode must be placed at a location that is equal to or above the highest perceived return address. The multi-byte NOP sled generates random opcodes to obfuscate passive detection while simultaneously providing a clean path of execution to the shellcode.

CanSec West, Second Day: "Windows Internals"

The presentation "Windows Internals", presented by Cesar Cerrudo, talked about the potential abuse of a shared "section" of memory associated with a privileged process. These memory regions can be found quite easily using "Process Explorer", a personal favourite Windows tool. Four additional tools were also cited during this presentation: "WinOBJ" which shows object manager namespace information, "ListSS" which lists shared section names, "DumpSS" which dumps shared section data, and "TestSS" which overwrites shared section data. A shared "section" of memory could permit a local unprivileged user to view and/or alter content, resulting in a potential crash, influence over functionality, unauthorized access to information, or execution of code at an elevated privilege.

Applications that use shared memory often do not verify the integrity of the data, making it particularly easy to cause undesired conditions that may lead to a crash or execution of code with the privilege of the process. This is because applications tend to trust the content present in shared memory... and why should they not trust it? Access to shared memory should be assigned in a manner that lets an application trust the content.

This vulnerability is a serious issue that could easily grant spyware applications and viral software system privileges on a Windows workstation when executed in an unprivileged account. Three solutions were suggested: "Set proper permission" (also pointed out above), "Use some synchronization mechanism", and "Validate the data before using it". I believe the appropriate solution is the proper definition of permissions such that only trusted access is permitted. Validation of data should only be performed in situations where untrusted access is a functional requirement. Synchronization would not solve this issue and would only add unnecessary overhead... Windows has enough overhead.

May 9, 2005

Security Leadership Conference

I'll be blogging the next couple of days from the Security Leadership Conference put on by ISC2 in Washington, DC.

I'm speaking at the conference, so I'll post my slides up here tomorrow. In addition, I'll be posting updates and thoughts from within a session or two.

Patch and Pray

The first talk that I saw today was Adam Shostack's talk about patch management. His basic messages were somewhat common sense:
- Patch unreliability presents a significant amount of risk.
- Patching too quickly or without considering that risk is insane.
- Consider the cost of capital and business risk before applying patches willy-nilly.

You know, while that seems pretty obvious, it's probably very much like a quote that I heard from Stephen Covey yesterday: "Common sense is most often not common practice."

All in all, a decent message, especially for the audience here.

"Morally Reprehensible"

I find those trafficking in nonpublic exploits morally reprehensible.
Mary-Ann Davidson, CTO, Oracle Corp.

I'm at a security conference where Mary-Ann was doing the keynote today - the quote is from her talk. She was referring to the new development in "vulnerability research" - the "vulnerability sharing clubs" that are popping up from a bunch of different research organizations. As far as I'm aware, the first group to do it was Immunity, which is Dave Aitel's company. Others have followed suit since - Core being one of the most notable.

Of course, it costs a significant fee to join these clubs - when I last inquired of Dave, the fee was up near $100K per year. In addition, they're selling tools like Canvas that make exploitation all too easy.

This type of stuff puts us in a bit of a bind. In order to keep up with what the "morally reprehensible" people are doing, we have to know what they know. (I don't think Dave or any of them are "morally reprehensible"). However, I concur with Mary-Ann in a lot of ways - this isn't exactly the type of stuff that I agree with trafficking to unknown people for a price. As she pointed out, it's all too easy for "just anyone" to sign up for this service, and own boxes if they've got the cash.

What's frustrating to me is that we're both known as teams of "vulnerability researchers" and I certainly don't want to be lumped in with that - we try to stay on the vendor's good sides. We don't sell or publish exploits. We're here to make the world more secure, not to wreak havoc for our own personal enjoyment and personal gain.

Security as a Business Enabler

That was another quote from Mary-Ann from Oracle: that security should act as a business enabler. That has been a common position today; Adam Shostack mentioned it in his presentation as well. Basically, others are coming to the same argument I've been making on here for a couple of months now: security cannot survive as a cost center.

The real goal for Infosec needs to be to show business how we do (at least) one of the following two things:
- Create revenue
- Reduce costs

This can't be through sheer loss-reduction. If it is, the "it'll never happen to me" school of thought will always have a way out of making systems more secure.

Mary-Ann kept using the metaphor of bridge-building. To use similar terms, security can't just keep the bridge from falling down in an earthquake - it has to build a better bridge. If it's just about disaster avoidance and recovery, there's always going to be a reason to spend less money on it in difficult times.

Vulnerability Precision

I've ranted on here about Quality a great deal - I'm finally going to post something that shows a little bit about how seriously we take quality here. But first, a bit of history...

This industry was started by a bunch of hackers and admins - as such, the science of vulnerability signature writing came from the science of exploit writing. You either started with an exploit, or you started with a banner. We came from there, too. Our company's founder won Capture the Flag at Defcon 2 years in a row. We were all about exploits and banners at the beginning.

And then, somewhere in early 2001, that all changed. We started thinking about detecting vulnerabilities as a science in itself. We created a decision-tree structure for detecting applications. We invested our brains heavily into "feature-based" and "behavior-based" application and service profiling.

And we stopped looking for exploits and banners. We committed to 100% non-invasiveness, and we started looking for detection signatures. It was often heard at the time: "Banner checks suck!" That's obvious, now, of course.

Of course, when you start doing that, the first question that comes up is: "how do I know that what I'm doing is better than banners and exploits?"

And one of our engineers (Minoo) came up with the concept of what we came to call "Signature Precision" - it's the idea of limiting how far away (by codepath and information reliability) a check is from the ideal.

We take great care to differentiate this metric from the concepts of accuracy and quality: they're different things. It is possible that a rather imprecise check can be quite accurate. Or that a very precise check can have false positives and false negatives.

But our research shows that, over the long term, the higher your precision, the more likely it is that your checks will be better.

As far as I know, we're the only one in vulnerability management who is willing to talk about quality - I'd love it if our competitors were willing to talk openly with us about this. It'd let us serve all of our customers better.

You can find the precision metric whitepaper attached here. Please give it a read, and let me know what you think.

May 10, 2005

Trafficking in non-public exploits *IS* morally reprehensible

"Those who learn and do not teach are thieves"

I wish I could remember where that quote is from as the elegance of that statement is pleasing, and it feels like truth to me.

I have said it before and I will say it again: people who hoard knowledge are unworthy of respect. I do not care how high up in 'the scene' you are, or if you work for a big company. I am not claiming to be a 'white hat' or a 'black hat' - I think those terms are stupid. They are labels, and as soon as you label something you lose the nuance that makes something what it is. I am just an explorer in this world. Nothing more, nothing less.

People who traffic in non-public exploits are morally reprehensible.

Should people who discover new medicines or treatment methods keep them to themselves? Should ways of reducing pollution and helping the environment be available only to those who sign up for some company's product? Should we only teach children if they can pay us? 'Of course not' you should say if you are a conscientious human being.

Then why keep your exploits to yourself? How can you justify that?

Here at nCircle we use stuff from Immunitysec. That bothers me because I do not care for how they do business and how they keep their goods close to their chest. I think it is dishonourable. People that do that are pimping knowledge.

Have people forgotten what it means to be a real hacker? To explore and learn about the world. To create and reveal new knowledge. That is where respect should come from.

People who traffic in non-public exploits are morally reprehensible. Fact.

Say what you mean and mean what you say

More than a toothache, more than a flat tire, nothing irritates me more than the improper use of terms when speaking about security at the systems level. Turns out that the dictionary is a wonderful starting point. I'll be the first to admit that I am no scholar, but misuse of terms like Vulnerability, Threat and Proactive by security vendors is unforgivable. Everyone will make grammatical errors now and then, but to use the word Threat when you really mean Attack makes me so upset that I need to take a minute to 'find my happy place'.

We do live in the generation of "Entertain me or get the heck out of my face!" so I will add a little bit of color to the information given to us by Webster :-)

Vulnerability
Threat
Proactive

Pay close attention to the temporal aspects and relationship of these words. It is where they sit in time and how they relate to each other that is almost always violated.

Vulnerability \Vul`ner*a*bil"i*ty\, n. (a weakness that may or may not be oriented to threat)
The quality or state of being vulnerable
Vulnerability is specific to the target. It is a condition or state that exists prior to and independent of the threat, incident, or loss. Exploitation of a vulnerability can be planned or could occur accidentally. I am careful not to use the word attack here because an attack exists at the time of the incident, whereas vulnerability and threat can exist independent of an attack.

Threat \Threat\ (thr[e^]t), n. (who and what is out to get you)
The expression of an intention to inflict evil or injury on another; the declaration of an evil, loss, or pain to come; menace; threatening.
Threat sits external to the target or victim and is a description of the source of the danger. The key word above is 'intention'. The biggest violation of this word is when it is used in place of exploit or attack. An attack is happening and exists at a specific point in time. Threat is more like energy that is building but has yet to be released.

Threat is counterintelligence: information about the bad guys, their skills and capabilities, and their behavior. When you speak of a program, person or group that could (at some point in the future) bring loss to your system, you are speaking of threat.

Proactive is an adjective and the one that is most violated by the Intrusion Prevention System (IPS) vendors. Webster defines Proactive as "it is controlling a situation by causing something to happen rather than waiting to respond to it after it happens". Until Intrusion Prevention systems stop using the traffic analysis (the IDS function) for their criteria to prevent, they are in fact waiting for attacks or attack patterns to occur before they can prevent the “intrusion”. The passive analysis of traffic is what I have a problem with here since it is passive and not active. To be true to form, maybe they should say that they are Propassive and give up saying Proactive :-) Just kidding. A proactive countermeasure would be able to identify vulnerabilities at the target surface and effectively remove any line-of-sight threat prior to any active attack.

If this industry can't even use the right language, tell me, how are we helping customers?

--Tim "TK" Keanini

May 12, 2005

Is your Primary Value Proactive?

Would someone please define Proactive for the industry? My goodness. If I had a dollar for every time someone ...

Who is it this week? It was an article posted on Infoworld.com:

http://www.infoworld.com/article/05/05/09/19FEipsids_1.html

Marty Roesch, founder of Sourcefire/Snort, and Marc Willebeek-LeMair, CTO of TippingPoint (recently acquired by 3Com), get into quite the debate on Network Intrusion Prevention Systems. Watching those two guys go at it was like watching the season finale of The Apprentice.

No one should be debating the utility of IPS, but for the love of Pete, don't call it Proactive. Brace yourself, here comes another one of those TK rants on Proactive vs. Reactive.

Please read the article and judge for yourself. I'll offer my opinion and summary:

Willebeek-LeMair says: "This proactive security is unique to IPS and is a game-changing tool."

Roesch steps in and brings some sanity to the discussion with: "All marketing claims notwithstanding, IPS technology is not proactive. True proactive security would be able to do more than just identify the conditions under which an attack is occurring."

Willebeek-LeMair then counters with: "Very accurate filters can be written based on vulnerability information, not exploit information. That is the definition of proactive protection: customers are protected before the attack (exploit) exists in time and space. These filters precede the existence of an exploit and proactively protect against any exploit targeting that vulnerability."

Why is dude talking about the authorship of filters? We are debating the context of the run-time value, not some action performed in development.

In my always humble opinion (must be my Hawaiian heritage) :-) the confusion and debate expressed around proactive versus reactive has less to do with the technical aspects and EVERYTHING to do with the point at which the tool provides its primary value. As designers and engineers, we optimize the tool for the point where it can deliver its primary value (utility and usefulness). This is not to be confused with actions or functions leading up to or after this point in a logical sequence. Let us take a few examples:

  • 1.a Building an effective incident response team is a proactive action.
  • 1.b Successfully responding to an incident is a reactive action but is where the primary value is experienced.

  • 2.a The installation and testing of a fire suppression system in the data center is proactive.
  • 2.b Having that damn thing go off is reactive and unfortunately is where the primary value is experienced.

  • 3.a Successfully deploying an effective IPS system is a proactive action and as noted by Willebeek-LeMair, authoring content that the IPS will use is a proactive action.
  • 3.b Preventing an Intrusion is a reactive event and as the name IPS suggests, it is where the primary value is experienced.

Why is it about the primary value experienced by the consumer? Basic economics: the higher the value, the higher the willingness to pay. If you don't understand where your customer articulates your primary value, no amount of marketing spin will help. :-)

If your product or service's primary value proposition is independent of incident or loss, you are proactive. If the primary value is at time of incident or post-incident, you are reactive. This is not to pass judgment; it just is what it is. Please people, let's not confuse customers any more than we already have.

--Tim "TK" Keanini

CONTEXT IS MANDATORY

If the information you are reviewing has no context, ask for it!

When you seek actionable intelligence from a mountain of data, context is everything. Forgive me for stating the obvious but it is a song worth singing. As we process with our senses, context is fundamental to a proper understanding of the usefulness or utility of the information. Science teaches us to present all the information in whole and promote a discussion so that through reasoning, the truth will be discovered. The inverse is the craft of magic. A magician will present only the information set needed to satisfy the trick. I have always been one to question everything. Some call me paranoid, I like to think that I am just hyper-curious.

Why me? Why do I worry so much about the context of everything? Was it nature or nurture that brought me this hyper-curiosity? The educational system that I experienced and for that matter, the one that my children experience does not make it a priority to question everything. The teach-to-test attitude just makes me want to vomit-the-lunch. My child is being presented history in the context of what point of view? What questions should I ask about what I am learning? How should I explore the spatial and temporal relationships? Enough of this education vendor bashing, what am I going to do about it?

I asked my kid, "If I tell you that tomorrow you will have a headache, is that a positive or a negative thing for you?" He says, "Dude, that would suck, totally negative dad, Duh!" I replied "You have much to learn my young Padawan" in my best Yoda voice. The problem, I explained, is that you don't know the context of this headache. You may be experiencing a headache as a result of regaining consciousness after a really bad spill on your skateboard. Realizing that anything north of a coma was a good thing, I had now earned enough of his attention to give him a few other examples for him to chew on.

Who knew that context-switching would be funny?

Like magicians, the author of a joke will exploit the dual meaning (dual context) of a word. This is a simple example but it will do. Step by step, the joke teller will unfold a narrative toward the first meaning of the word and at the last step, the punch-line, he changes the context to the dimension that supports the second meaning of the word. It has been a long-time theory of mine that the brain hungers to be fooled. Go ahead, call me a fool.

Exploiting the soft underbelly through the same joke technique

I'll spare you from all my other examples but you get the point. Now, what does this have to do with security and risk? I am so glad you asked. Let's start from the offensive side of the equation. If I am looking for weakness to exploit, I am playing the same game as the joker. Not only do I want to identify weaknesses and vulnerabilities, I'm looking for the states in the network that could have more than one context. The best realm to explore is systems that were engineered prior to the Internet. The designers of these systems had no concept of TCP/IP networks and there will be dual context galore. The same is happening today as iPods are no longer just harmless entertainment devices. The trick is to look to a technology or a device that has a strong primary context and find its alternate context.

Meta-Data is a beautiful thing

Gregory Bateson said in his book Steps to an Ecology of Mind that "In a strict sense, no data are truly 'raw', and every record has been somehow subjected to editing and transformation either by man or by his instruments." I wholeheartedly agree with this statement. Given the technology of today, we must make sure that all of the context is explicitly attached to the data as meta-data. It is no longer enough just to capture information. The captured data must have meta-data attached to it which describes in great detail the context of how the data was captured - the data about the data. What were the settings when it was captured, the state of other dependent sub-systems at time of capture, basically anything that would set the context for the captured data-set.

What is the point? Without explicit context associated with the data, we end up having to gather it ourselves, and if you do a good job of this task, people will start to think you're paranoid. :-)
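As an added illustration of the two paragraphs above (this is example code written for this page, not anything from the original post or from nCircle's products), the following Python attaches explicit capture context to an observation as meta-data and refuses to treat context-free observations as actionable, so the analyst is forced to "ask for it". Every field name, tool name and record value is constructed for the example; `example-scanner`, the vantage-point labels and the sample host are hypothetical.

```python
"""Added example: capture context as explicit meta-data on scan observations.
Field names, tool name and sample records are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, field

# Meta-data every captured record must carry before an analyst acts on it:
# when it was captured, by what, with which settings, and from which vantage
# point (the state that sets the context for the data).
REQUIRED_CONTEXT = ("captured_at", "capture_tool", "tool_version",
                    "vantage_point", "settings")


@dataclass
class Observation:
    data: dict                                   # the captured measurement
    context: dict = field(default_factory=dict)  # the data about the data

    def missing_context(self) -> list:
        """Names of required context fields that are absent or empty."""
        return [k for k in REQUIRED_CONTEXT if not self.context.get(k)]

    def is_actionable(self) -> bool:
        return not self.missing_context()

    def fingerprint(self) -> str:
        """Hash over data AND context: the same bytes captured under a
        different context are a different record, not a duplicate."""
        payload = json.dumps({"data": self.data, "context": self.context},
                             sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def triage(observations):
    """Split observations into those safe to act on and those where the
    analyst must go back and ask for the missing context."""
    actionable, needs_context = [], []
    for obs in observations:
        (actionable if obs.is_actionable() else needs_context).append(obs)
    return actionable, needs_context


# Constructed sample: two captures of the same open port, only one with context.
SAMPLE = [
    Observation(
        data={"host": "192.0.2.10", "port": 22, "state": "open"},
        context={"captured_at": "2005-05-14T22:10:00Z",
                 "capture_tool": "example-scanner",   # hypothetical tool name
                 "tool_version": "0.1",
                 "vantage_point": "inside-dmz",       # hypothetical label
                 "settings": {"timeout_ms": 500, "retries": 2}},
    ),
    # Same data, no context: open from where? with what timeout? when?
    Observation(data={"host": "192.0.2.10", "port": 22, "state": "open"}),
]


def demo():
    """Returns (actionable count, needs-context count, fingerprints differ)."""
    ok, ask = triage(SAMPLE)
    return len(ok), len(ask), SAMPLE[0].fingerprint() != SAMPLE[1].fingerprint()


if __name__ == "__main__":
    ok, ask = triage(SAMPLE)
    for obs in ask:
        print("ask for context; missing:", obs.missing_context())
    print("actionable:", len(ok), "needs context:", len(ask))
```

The fingerprint deliberately covers the context as well as the data: without it, a de-duplication step would silently merge two captures taken with different settings or from different vantage points, which is exactly the context loss the post warns about.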

CONTEXT OF THIS BLOG POSTING: TK had 3 hours of sleep last night, a great dinner, just got his kids to bed after story-time and thought he would capture these thoughts for the blog.

--Tim "TK" Keanini

May 15, 2005

Being the Thought Police...

I just finished reading a recent post to Dave's mailing list. I started to respond from my personal account on-list, and then decided that this one was better posted on the blog.

As the blog has become more widely read, I've struggled with some of the editorial responsibility - we've got a very opinionated team, and some people often say things that others may not like.

Druid's post to the list really irritated me. To answer some of the questions from the post:

> Makes me wonder why they /continue/ to use 'stuff' from
> Immunity when they seem to have such strong feelings
> against your company.

Simply put, "we" don't have strong feelings against Immunity. Personally, I'm a fan of what Dave has done, and, as should be obvious from my own post on the "morally reprehensible" topic, I've talked to Dave about all of their products - VSC, CANVAS, etc. I'm even a regular reader of the mailing list.

However, it seems obvious that not all members of our team feel the same way and I (for one) am perfectly happy with having spirited debate. I brought up Mary Ann's comments because I found them interesting. This issue can be debated either way, and it's an interesting one.

> Perhaps Byron Sonne (bsonne@) isn't in a position to make
> that decision, which leads me to wonder what
> level of PR clearance is required to post to
> the company blog. (:

This is the real point that I wanted to make here.

It's a blog - no PR clearance is required. None. At all.

I'm the one who is responsible for editing the blog, and I'm not going to play thought police here. I won't allow anyone to post anything illegal or discriminatory, but I also won't censor opinions that I may disagree with.

How good would the blog be if I had our PR team editing everything we said? It wouldn't be real, it wouldn't be true, and I doubt anybody would care to read it. I know that I wouldn't want to read a "corporate" blog that was nothing but a bunch of marketing-speak.

At nCircle, we encourage people to have opinions and speak their mind. Even if those opinions are sometimes unpopular. It's what makes it a place that people want to work.

I'm not going to play thought-police with our blog - if I did, would you ever trust anything that we say here?

> Otherwise their stance on the issue holds no merit.

Again - it's not "OUR" stance. It's Byron's stance. I may not agree with what he has to say, but I defend his ability to say it - it's a valid point in an interesting debate.

May 16, 2005

Consistency = quality metric?

One thing I feel is often overlooked or not given enough emphasis is consistency. It is seen very much in data gathering and statistics. For example, the consistency of ‘x’ happening can show us trends that ‘y’ may be a cause of error. Consistency in a dynamic, ever-changing world and field... in some ways, it sounds like an oxymoron. How can something be consistent, the same, in a changing environment? So how about consistency as a means of stabilizing these ever-changing variables?

We, as humans, realize that structure is important, actually, a necessity. Life itself, without order, is chaos. Templates and models are made as a starting point, an instrument for consistency. While I am not saying that there is a severe lack of consistency among us, I emphasize that WE can ALL improve on our consistency.

By being consistent in our work, we are not only able to better determine the source of errors, we provide easier solutions. For example, in the IT field, we are able to update and maintain our database more easily if our work is consistent throughout. Scripts, programs, and code all rely on consistency. It is through commonality that programs and scripts are made and exist to begin with. In the end, nothing is ever fully consistent; it would be perfect in its uniformity, and nothing is perfect. All we can do is continue to strive towards this perfection, decreasing the deviation by improving our consistency. After all, as Murray easily put it: Consistency IS quality.

Does anyone understand Firefox?

Analysts report that Firefox adoption is slowing.

They also mention that, "Late last month Firefox marked 50 million downloads of its browser since the Version 1.0 release in November."

50 M sounds like a large following – until you consider what a download is. All security updates count as 1 FULL download. As previously ranted, Firefox 'update' is actually a full reinstall. The current release is 1.0.4, for a total of 5 releases. So now we are talking about 10 M functioning installations – still a pretty big number.

Why else would Firefox adoption be slowing?
"The slackening of Firefox's growth could mean that the browser has converted a substantial proportion of its natural constituency, thought to be early adopters and the technically savvy."

Well, if all of the early adopters and tech-savvy elite have been running Firefox since November, then the 10 M is actually 3.5 M – as all self-respecting geeks own more than one computer.

Now here is the quote that justifies this entry on a Security Blog:
"It could also show that the browser's widely publicised security flaws have begun to undermine the foundation's argument that people should switch from IE to be safer."

Could it be? Could Mozilla have their shit together so tight that people are scared to run Firefox? Not possible! Just look at their awesome security advisory page. Not only is it organized in a really sensible way, but the colour-coded severity labels are all pastel! When your most severe vulns are fuchsia, I know there is nothing to fear!

Maybe this whole security scare comes from the mixed messages surrounding Firefox security:

[May 7th]
2 Critical Vulns found in Firefox.

[May 10th]
"Two vulnerabilities in the popular Firefox browser have been rated "extremely critical" because exploit code is now available to take advantage of them."

[May 11th]
"Chris Hofmann, Mozilla's director of engineering, said: 'We've had a few security updates, but they've been for potential vulnerabilities, for staying ahead of the curve of potential problems that might come down the road.'"

While the fact that you patched your software pretty quick reassures me, I just wish you would get your story straight ...

Now for some good news:
"One of the biggest difficulties that the Mozilla Foundation has encountered in the months following the Firefox 1.0 release has been managing the Software Update System for distributing updates to 1.0 users… Darin has figured out how to get binary patching working, and is working on a system for incremental background update download." -- Ben Goodger (lead engineer for Mozilla Firefox)

Now that is what I'm talking about! Mozilla, if you deliver on that comment then truly Firefox is the shit!

Firefox 1.1 (July 2005) will be downloaded by the current fan base of 3.5 M – and then never again. We can just expect our security updates to silently arrive and then prompt us to click OK.

Oh what will the Analysts think?

It’s a shame that getting security right will decrease your popularity in the eyes of analysts. Let's just keep that little secret between us and the User-Agent: strings - ok?

Analysts don’t get Firefox, which probably means you should.

May 19, 2005

Ubiquity of Access

I'm sitting at a car dealership right now. While my car is being worked on, they've courteously provided me with a desk and an ethernet cable. Seems like a good idea. This way, I'm not totally unproductive while my car is out of commission. I can't help, however, thinking of this from the perspective of IT security. There was a time when a corporate IT team could reasonably believe that they had control (in some measure) over the hosts for which they're responsible. In a world where access is available everywhere, and many employees carry laptops, that control isn't even an illusion any more.

The possibility of an unstructured compromise (virus/malware) is obvious in these public scenarios. All it takes is a single infected laptop and another vulnerable host. That's the obvious concern. Less obvious is the increased feasibility of structured, intentional compromise. If I, as an attacker, have identified an intended target, I can more easily launch an attack in a public location. If I find out that my target frequents a particular Starbucks, or has an open WAP at home, there is no need to obtain access to the corporate infrastructure to achieve a compromise.

It's not that this increased threat isn't understood by the InfoSec community; it's that it isn't understood by the average user. The ability to effectively manage the vulnerabilities on each host while they are within the corporate IT infrastructure is even more important when they will inevitably leave that protective environment.

May 24, 2005

House passes two spyware bills

The House passed two bills aimed at stopping spyware:

H.R.29 and H.R.744

While there's a lot of interesting stuff in these two pieces of legislation, there are just a couple of things that struck me in particular. In H.R.744 section 1030A there's an awful lot of the word 'intentionally.' To legislate based on intentions is an interesting concept.

One of the clauses in here states that whoever "intentionally impairs the security protection of the protected computer with the intent to defraud or injure a person or damage a protected computer" is in violation of this law. Now, if my intent in compromising the computer is, in fact, to expose a security risk such that it can be addressed, am I still in violation of this law?

But maybe all of this is moot, since a 'protected computer' is defined in USC 18 Section 1030 as:

(2) the term "protected computer" means a computer -
  (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
  (B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

Based on that definition, most home users aren't really covered. Seems odd that Congress would pass this anti-spyware legislation that fails to cover the majority of the victims of spyware. Did I miss something?

Decision Making

I was reading an interesting paper tonight called Overcoming Serious Indecisiveness. The paper's an excellent one which many others have blogged about, but there's a quote that I had to post here.

In The Histories, written in 450 B.C., Herodotus makes the following statement:
"If an important decision is to be made [the Persians] discuss the question when they are drunk and the following day the master of the house...submits their decision for reconsideration when they are sober. If they still approve it, it is adopted; if not, it is abandoned. Conversely, any decision they make when they are sober is reconsidered afterwards when they are drunk."

I wonder if that'd make more sense than some strategies I've seen people employ. It'd certainly be more amusing to watch.

Seriously, though... read the paper. It's interesting.

May 25, 2005

Trains

I take the train to and from work every day. I like taking the train because it gives me the opportunity to relax and catch up on any reading that I want to do. Other people on the train either read, sleep, stare blankly out the window or do work on their laptops. Since the ride is very quiet, it allows people to do any of the above things easily.

The setup of the train itself is in groups of four seats, with two people facing two others. This morning I just happened to be sitting beside a gentleman working on his laptop. He was a well-dressed, older gentleman who could only type with his two index fingers (i.e. he typed very slowly). The scary part, at least coming from my skewed security point of view, is that he was not aware of anything around him. I, in the space of twenty minutes, could tell you the following information:

His full name
His title
His username
His password (Which was written on a post-it note on his laptop)

Plus a whole lot of additional information about him that I won't mention here.

The real kicker of it all is that he left his laptop (RUNNING !!!!) on the seat as he went to the washroom. How does an admin stop something like this? It really scares me that people still don't understand (or ignore) the possible consequences of doing things like leaving your password on a post-it. Security professionals and admins have been trying to train users to follow basic security steps for years, and there are still people out there who don't follow them.

I could just imagine the frustration of an admin who tries to convince a user repeatedly about following best security practices. It's frustrating me right now just thinking about it and I don't do it on a daily basis.

(As a sidebar: I wonder how many "average" users really understand the basics of security. As an example, does the average user really know what SpyWare is, other than the fact that it's mentioned in the news all the time and that it is bad? I think buzzwords can be useful sometimes, but do people really get what SpyWare (or any other security buzzword) means?)

May 26, 2005

Everyone install Gnupg!

This article, rather sparse on details, is getting quite a lot of play. The article does not provide all the information necessary, but many people are willing to suggest that it sets a precedent for "encryption software is evidence of criminal activity." Actually, if one thinks of encryption as a tool, like, say, a knife, then this decision may make some sense. If a murder occurred and there was a knife present, wouldn't it be relevant to the case? That decision doesn't mean it was relevant to the *verdict*, but only that the judge didn't allow the defense to remove it from the trial.

From the article:
"We find that evidence of appellant's Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him," Judge R.A. Randall wrote in an opinion dated May 3.

I'll wait for more information before drawing a conclusion on this one. "[A]t least somewhat relevant" to the case doesn't seem to be quite the declaration that others are claiming.

In the end, however, isn't this type of decision a great reason for everyone to install gpg? I'm going to start encrypting my grocery list.


About May 2005

This page contains all entries posted to 360 Security in May 2005. They are listed from oldest to newest.
