nCircle.com >> 360 Security


August 2006 Archives

August 1, 2006

Black Hat 2006

Here we are again. I just checked in to my hotel room and can't believe a year has passed since the last show. This year, no DEFCON for me - too bad - back to work ASAP.

The content this year looks decent and then there are the parties. Oh yes, the glory and the pain.
My buddy Cody was on the plane with me from Austin to Vegas. Their ZDI party is at 7pm tomorrow at the Hard Rock and I am sure it is by invite only. The nCircle shindig is 8pm at the same place it was last year. Where? Well, for that you should stop by the booth and grab an invite. Seriously, if you are in Vegas, stop by the booth either way. It is time to lock your terminal for a few minutes and be social. If you catch me with my face in my Sidekick3, just throw something at me and I'll snap out of it.

I'll have to blog this con as it happens. Stay tuned.
--tk

August 4, 2006

Black Hat 2006 Keynote Address

As far back as I can remember, DEFCON has had the 'spot the fed' contest. Essentially, if you could spot the person at the con who was from the Secret Service or FBI, you win. I raise this relationship between law enforcement and the hacker community because attitudes are changing, at least that is what the FBI says about their attitude.

The Keynote for Blackhat was given by an FBI dude named Dan Larkin. I was disappointed that the Secret Service did not deliver this content because they really understood this partnering concept many years ago. When you are small, you learn quickly that you can't do it all yourself and develop non-zero-sum relationships as a survival skill. :-)

In my opinion, the main message the FBI had for the Black Hat audience was "we need a stronger partnership". 'Spot the Fed' becomes 'Partner with a Fed*'. In the past it was all about getting intelligence out of the hackers but the benefit seemed very one-sided. He said that the FBI would like to make it more of a two-way street. They want to give back to the hacker community but did not go into detail on what form this would take other than mentioning Infragard (FBI). The big message was: team up and be better partners against cybercrime in the 21st century.

He rightfully points out that as much as technology advances, it is all about the people. It is about the people executing the criminal networks via technological advancement. I sure hope this did not surprise anyone in the room.

When making reference to what was once referred to as CyberCrime, the FBI is just calling it organized crime. When they do their work internationally, everyone understands the term organized crime. He points out that organized crime is using technology to be quicker and widen their scope. He spoke about the notion of "packaging" and that cybercrime is just another packaging of organized crime. I fully agree and from a gaming perspective, crime is just a community that is playing another game that has a negative impact on your game. (or a violation of your game that works to increase their payoff) The gaming analysis is worth an entire posting itself so I'll stop here. :-)

As you would expect, he did a very good job in making the point that intelligence is key. The advantage goes to the one who has better intelligence, better observation, and better orientation.

In summary, his main position was that we cannot forget human reasoning. It is what I have been saying for a while now: all of this is a game being played between two or more opponents. We need to stop being so focused on the game technology and focus on the mind of the opponent. Is winning a card game really about the chips, cards, and table? Like it or not, you've been dealt in to the game and it is your turn. :-)

I don't know about you but when I think of a powerful keynote address, I think about a message and a speaker that really starts my engine and inspires me for months after the show. With all due respect, this was not one of those.

The attendance was so overwhelming this year at Blackhat that the entire auditorium was standing-room-only. I had to go to another room to be comfortable and watch it over a video feed. The only problem was that the slides he was speaking to did not get shown on the remote monitors. Oh well, what do I know. Does great attendance mean success? I would say so.

I absolutely cherish the hallway conversations and the people. For myself and many others, BlackHat means a chance to see friends you only see once a year and hang out. When I think of the partnerships, partnerships between people, I think about a great deal of mutual respect and understanding. IMHO, there is still a lot of work to be done between law enforcement and that culture that is Blackhat/DEFCON.

August 8, 2006

MS Tuesday - Season 6 - Episode 8

It’s the second Tuesday of the month, so it’s that time again. Time to start the automatic updates, watch how the new patches affect your test environments, ensure that WSUS is pushing out updates to the right people, and get ready for the wave of new attacks that will follow this month’s “Patch Tuesday” advisories. For us, it means another long day. We’re planning to have lunch shortly so that we’ll be ready to go when the advisories finally come out, all 12 of them. That’s right, for those of you that haven’t heard yet, Microsoft is releasing 12 security advisories today, 10 for Windows and 2 for Office, and over the next 24 hours we’ll kick research into overdrive and figure out how to detect these.

12 Advisories… There have only been 39 advisories up to this point, which means that after today nearly 25% of all advisories will have been released in August. It also means we’re only 4 advisories away from last year’s total of 55, we’re surpassing 2004’s total of 45 and we’ll be tied with 2003’s count. You have to wonder what’s going through Microsoft’s mind right now; with 4 months left the count could go quite a bit higher. With their security initiative in full force right now this must be weighing heavily on them.

While Microsoft security is being tested, today is going to be a test of teamwork and collaboration skills for us. We’ll have to identify the patches being released, define what work has to be done for them, co-ordinate who is working with whom and what they will be working on, and then get down to work.

There’s been lots of speculation about what will be patched this month… PowerPoint, Access, the new WMF attack.

I’m sure you’ll see more from us as the day progresses, but in the meantime we’ve got work to do.

Michael Lynn, FX, and Dan Kaminsky Crash Cisco (party)


Yeah -- They're crashing Cisco again this year.. but this time it's their party and not IOS.

When you're at Blackhat / Defcon and you want to bounce between private parties it's "Be somebody or Know somebody". Waiting in a line wasn't an option this night... After plowing through the line and being shouted at by the oh-so-polite lady attempting to cross names off the list, Michael quickly explained, "Oh, we're not on the list."

Shortly afterwards, however, the crowd was pushed aside and we were all let through.

The party was kind of lame but we quickly snapped a shot below the Cisco banner in the club and grabbed a few triple whiskey and gingers before heading to the next party (ZDI). It seems these are the benefits of partying with rock stars.

We'll have many more postings on the actual content in a bit, stay tuned!

EDIT: Apparently this got a lot of press... the facts are incredibly inaccurate and in some cases completely false.

NetworkWorld has an article here

August 13, 2006

Worm out for MS06-040

For those of you that haven't patched yet... a worm (a variant of Mocbot, or a 'new' virus named Graweg according to MS) is circulating for MS06-040... it's fairly standard: exploit, install a service, service connects to IRC to wait for commands.

LurHQ has a great analysis of the virus

quote:
Mocbot first appeared in late 2005, using the MS05-039 PNP vulnerability in order to spread. Since it is a fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention past the ordinary anti-virus writeups and signatures.

Amazingly, this new variant of Mocbot still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low profile it has held, but also may be due to the fact that the hostnames and IP addresses associated with the command-and-control servers are almost all located in China. Historically Chinese ISPs and government entities have been less-than-cooperative in taking action against malware hosted and controlled from within their networks.

Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040. Primarily Mocbot resembles many other IRC bots, providing the controller with a backdoor on the infected host, along with the ability to launch a DDoS attack against other hosts, as well as being able to use the built-in exploit to spread to additional systems.

This variant of Mocbot copies itself to the system directory as wgareg.exe, and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.

Mocbot can also use AOL Instant Messenger to send instant messages using the victim's account. This could be a potential vector to allow the controller to trick users into downloading and executing the bot from an external URL, allowing it to penetrate firewalls like any other file downloaded over HTTP. Once inside a network, it could then spread using the MS06-040 exploit to vulnerable internal systems over TCP port 445. This underscores the danger of allowing unrestricted external instant messaging in a corporate environment, as it often introduces malware directly to users, bypassing perimeter controls.

At the time of this writing, anti-virus detection is not especially broad, with only 1/3 of all anti-virus engines tested reporting the file as malware or flagging it as suspicious. None of them recognize it as a Mocbot variant.

They also have Snort signatures available on their site, which they've submitted to Bleeding Snort.
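The write-up above names two host artifacts, wgareg.exe in the system directory and a service called "Windows Genuine Advantage Registration Service" with the quoted description. The following PowerShell host check is an added example, not code from LurHQ or nCircle; the indicator values come from the write-up, and the way they are searched for is my own assumption.

```powershell
# Added example: look for the Mocbot/Graweg persistence artifacts named in the write-up.
# Indicator values come from the LurHQ analysis; the search logic itself is an assumption.
$BinaryName      = 'wgareg.exe'
$DisplayName     = 'Windows Genuine Advantage Registration Service'
$DescriptionHint = 'Ensures that your copy of Microsoft Windows is genuine'
$findings        = @()

# 1. The dropped binary in the system directory.
$dropPath = Join-Path $env:SystemRoot ('System32\' + $BinaryName)
if (Test-Path -LiteralPath $dropPath) {
    $findings += "File present: $dropPath"
}

# 2. Every installed service: match on the bot's display name, on its description text,
#    or on its binary in the service command line, so a renamed service that still
#    points at the same executable is caught as well.
$pattern = [regex]::Escape($BinaryName)
foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
    $byName = ($svc.DisplayName -eq $DisplayName)
    $byDesc = ($svc.Description -ne $null) -and ($svc.Description -like "*$DescriptionHint*")
    $byPath = ($svc.PathName -ne $null) -and ($svc.PathName -match $pattern)
    if ($byName -or $byDesc -or $byPath) {
        $findings += ('Service {0} ("{1}") state={2} start={3} path={4}' -f `
            $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode, $svc.PathName)
    }
}

# 3. Report with an exit code so the script can be run across many hosts from a batch job.
if ($findings.Count -eq 0) {
    Write-Output "No Mocbot/Graweg artifacts found on $env:COMPUTERNAME"
    exit 0
}
Write-Output "Possible Mocbot/Graweg infection on ${env:COMPUTERNAME}:"
foreach ($f in $findings) { Write-Output "  $f" }
exit 2
```

A hit on the binary path with a different display name is the more interesting case, since the service name is the part an operator is most likely to change.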

The MSRC blog is reporting this:

quote:
Hey everyone, it’s Adrian. Wanted to drop in and let you know where we are in our investigation of Win32/Graweg. As I’m sure you’ve seen by now on our AV partner sites, this is rated as a low threat and doesn’t at this time replicate automatically from machine to machine. So its impact in terms of infection base appears to be extremely small. We’ve updated the security advisory related to MS06-040. What we know right now is that the attack affects specifically Windows 2000 computers that have not applied the MS06-040 update. Thus far we have not seen this attack impacting any other versions. We urge everyone to apply the update however, and should the situation change we will post more information and guidance as it becomes available.

Keep the bolded portion (the claim that it doesn’t replicate automatically from machine to machine) in mind as you read this next writeup (the original from ISC):

quote:
Over the weekend there was a botnet doing fairly wide-scale scanning for hosts affected by the vulnerabilities in the MS06-040 advisory. While technically a botnet, it was spreading in a worm-like fashion.

Microsoft has updated Advisory 922437 due to this activity.

August 15, 2006

Public, Unpatched DoS in Microsoft Server Service

Hot on the heels of the MS06-040 worm, we have more bad news for Microsoft users. An email came out on Bugtraq yesterday that addresses an MS06-035 exploit which seems to be crashing machines, even after the patch is applied:

quote:
After furiously patching since last week for catching up with MS06-040, we discovered that an old exploit for MS06-035 (again or still) works on a number of fully patched systems including Windows 2003 Server, Windows XP and Windows 2000.

This story is also being followed by the ISC as it unfolds - Unpatched exploit gets publicity - in which they add:

quote:
We are looking forward to a patch from Microsoft, but have no indication of a timeline at this point.

It appears that Microsoft made a small mention of this previously on their MSRC blog. The specific mention of this issue actually dates back to July 28th, where they say:

quote:
* While this appears to have been found after the release of MS06-035, this does not affect the same code path or functionality or vulnerability that was addressed by the update.

* Unlike some of the current speculation that we have observed, the current PoC is limited to a denial of service that would cause the target host to blue screen. At this time we have not identified any possibilities with this issue that could allow remote code execution.

* We have not observed or received any reports of the PoC being used to actively attack systems.

This last point is key! That was the situation when they posted it... Now a Bugtraq posting has been read by how many readers and reposted on how many blogs and forums? That email and a follow-up have provided links to proof-of-concept code that crashes patched computers. With no definite time frame for the release of a patch, MS is giving the script kiddies extra time to “play”.

BlackHat 2006 Panel on Col. Boyd's OODA "Loop"

At the recent BlackHat 2006 in Las Vegas, I attended a panel discussion regarding Col. John R. Boyd's OODA "loop". The conference program billed it as "Meet the Feds: OODA Loop and the Science of Security" including panelists from the US Postal Service, FBI, DOD, GAO, CIA, SRA and other various federal agencies. The objective of the panel was to discuss

... the government's efforts to try to get inside the cyber adversaries' OODA Loop and survive another type of potential cyber lethal engagement.

The panelists' understanding of Col. Boyd's work varied: one admitted to having become familiar with the OODA loop only a few days prior, another understood it and had applied it in their organization, but no one seemed to possess both an understanding of the OODA loop and a deep understanding of IT security. Worse, they were giving IT examples of its application that were wrong! I kept thinking to myself during the session that if Col. Boyd were here to see his work misrepresented, he would have been in a rage.

I am sure these panelists were well qualified for their roles in their organizations, but they either did not know the OODA "loop" concept or they had no operational knowledge of the dynamics of IT security. With the utmost respect for these panelists and the organizers of BlackHat, I will clarify the OODA loop and offer my opinion on how it applies to IT security. My time spent here is not to poke anyone in the eye but to raise your interest enough to explore the amazing work of Col. John Boyd.

Col. Boyd developed a series of briefings, the central theme of which was a time-based theory of conflict. He delivered an hour-long briefing called "Patterns of Conflict" and years later, as a civilian, he delivered a two-day briefing entitled "A Discourse on Winning and Losing". In this work, Boyd leaves us with the Observe-Orient-Decide-Act cycle: the OODA "loop".

The OODA loop is often portrayed as a simple sequence of Observation, Orientation, Decision, and Action. The emphasis is always placed on speed and while this is an important factor, it is not enough of an understanding to win against one who truly understands Col. Boyd's concept. The panelists went as far as crediting Col. Boyd and explaining the acronym but in my opinion, failed to communicate its true power and beauty. The audience would have been better served by just going to Google and doing the research.

First of all, the OODA loop is not a loop at all; it is a concept that contains many possible loops. As shown in Diagram 1, multiple arrows connect the O.O.D.A. sections, with a detailed breakdown of Orientation. The first two components of the loop -- Observation and Orientation -- supply the necessary intelligence; the last two components of the loop -- Decision and Action -- deliver the operations.

Diagram 1 (image: the OODA loop with its multiple connecting arrows and the breakdown of Orientation)

In summary, the two most important factors missed in this panel discussion were the multiple loops of OODA and a detailed discussion of the Orientation phase. The opponent who is well oriented is able to compress time by cutting through with 'Implicit Guidance & Control', thus gaining the ability to get 'inside' the opponent's OODA cycles and dominate the conflict. The power of the OODA loop is difficult to explain; Col. Boyd's briefing was said to contain 185 slides. Nevertheless, the one who takes the time to truly understand its power will be able to dominate the competition.

The panelists shared with the audience how OODA applies to government efforts but did not attempt to answer how OODA might apply to the private sector. Let me first point out that the biggest difference between the public and the private sector is that the latter will favor 'business continuity' over 'catching crooks'. It is much more important for the Fortune 500 to keep the business flowing than it is to build up an offensive that is able to act upon the adversary. This will be an important factor in the discussion below.

In Diagram 2, let's make the blue team the good guys and the red team the bad guys in this conflict.
Red acquires, through Observation, critical information about Blue. Red orients itself by considering all of the observations in context. Red now has the intelligence needed for operation. Red makes a decision and takes action upon Blue. If Red is turning this loop faster and leverages some of the smaller loops described in Diagram 1, Blue is left reactive in its observation and disoriented, making its decisions and actions less and less accurate and effective.

Diagram 2 (image: Red's OODA loop acting upon Blue)


The Blue team acts upon the Red team, and here is where we start to run into problems when this is applied to the IT security strategy of most if not all private sector organizations. Let's make the Blue team one of the Fortune 500 and the Red team an adversary somewhere on the Internet. The Blue team cannot act upon the Red team: Blue's IT security does not have any offensive means. In fact, given the choice between the continuity of the business and conflict with the adversary, you'd be hard pressed to find the latter popular at the leadership level of any organization.

In researching Boyd's work, I continuously asked myself: if Boyd were a CISO, how would he apply his OODA loop? Clearly, the OODA loop can be applied in Sales, Marketing, and other competitive business functions because they can act upon the opponent, but how does it apply to IT security? Then it came to me: prior to any conflict, create a system where both OODA loops are always present - move from a reactive defense to a proactive defense by taking the position of your adversary's OODA loop upon yourself.

Diagram 3 (image: both OODA loops present, with Blue taking the position of Red's loop upon itself)

Create a strategy whereby you are able to get into the mind of your adversary and understand what intelligence (OO) is most important to their operations (DA). When done correctly:

you will continuously raise the cost of their observation leaving them the choice of becoming more exposed or waiting for a low cost opportunity
you will be in a state of continuous change to your adversary but internally stable
your opponent will be operating on observations that are a cycle or two out of date

I was the first to raise my hand in the question and answer section of this panel. I thought it was unprofessional when the panelist that answered my question began with "well, my answer will not nearly be as long as your question" and another panelist applauded him for saying that to me. I raised the issue of organizations represented in the audience not having the offensive means to act upon the adversary. They agreed and said that a stronger partnership must be formed between private and public in order to gain this capability. While this may be true, we need to find a way to leverage Col. Boyd's work today! I'd go as far as saying that the bad guys are using Col. Boyd's concepts better than the good guys at this point in time, and if Col. Boyd were with us today, he would have no tolerance for this nonsense.

References to Col. John R. Boyd's work
http://www.fastcompany.com/magazine/59/pilot.html
http://www.d-n-i.net/index.html
http://www.codeonemagazine.com/archives/1997/articles/jul_97/july2a_97.html
http://www.arlingtoncemetery.net/jrboyd.htm
Boyd: The Fighter Pilot Who Changed the Art of War by Robert Coram
http://www.belisarius.com/modern_business_strategy/hammond/essential_boyd.htm
http://www.belisarius.com/fighter_pilot.htm

August 18, 2006

New Beginnings

The security industry is small, and always changing - that's one of my favorite parts about this industry. Where else could I work for a consulting company, an IDS company, a vulnerability management company, and a security risk management and compliance company over the course of six years of my career, and never leave one company? :)

Except that there are always times for new beginnings. And this will be my last post on the nCircle blog, because I'm off to a new beginning myself. I'm returning to the customer side of the world, going off to help a big company protect its customers and its network from the bad guys directly.

I have been incredibly proud to lead this team of amazing engineers (and even more amazing people) over the past few years - they are superstars with brilliant thoughts and the ability to become leaders in the industry.

Of course, my blogging won't end. I have re-opened my own personal blog at my website - I'm looking forward to continuing the dialogs on this blog from my own soapbox.

Please check it out.

August 21, 2006

A visual understanding of understanding the visual

A few years ago, I was passed a handout at a meeting and, unlike most of these boring pieces of paper you just doodle on the entire meeting, this one had something to say to me. The charts were not your canned Microsoft Office creations; they were different. I listened to the presentation and learned something. Afterwards I asked the presenter to fill me in on his graphical kung fu. He told me that prior to working at nCircle, he had taken a class from a dude named Edward Tufte and it changed his life. Later I would take the same class and experience the same transformation.

Edward Tufte (he goes by ET on his site's forum) is one of those amazing people who you just can't believe is alive during your period on earth. Everything you want to know about the guy is on his site so I'll just end here by listing his URL.
http://www.edwardtufte.com/tufte/index

I attended one of his seminars a few years back and was hooked. As an attendee, you get all of his published books (I hope this is still the case). It seems that he releases a book every 7 years or so. His latest was just released a few weeks back and, being the geek that I am, I pre-ordered "Beautiful Evidence" and got it the first week they shipped.
http://www.edwardtufte.com/tufte/books_be

I'm not the only Tufte fan at nCircle. The majority of our developers have been to the seminar and his principles are always present at our design meetings. His course is starting up again and the schedule is posted on his site. I encourage anyone who hasn't been to this one-day course to do it.

The last thing I will mention is a little bit of nCircle trivia. The risk performance lines in the v6.6 release were influenced by Tufte's Sparklines. These are small, high resolution graphics embedded among words: word-sized graphics that communicate performance over time. Grab ET's Beautiful Evidence and check out page 46 to see what I mean.

So many more concepts to apply, so little time.

--tk

My Bi-Polar Computing Strategy

14 years ago, I made the move from a desktop computing environment to a mobile computing environment. The lure of always having my complete work environment available to me at any location had me hooked, and over the years I would continue to purchase faster, smaller, and lighter machines. The ideal consumer, I spent hours researching and many thousands of dollars buying the latest and greatest in mobile computing. Staying productive was the name of the game and there wasn't a place on earth where I felt without my creative tools.

My computing "habit" over the years required more connectivity, more memory and storage, and all these dimensions hit a critical point for me in July of 2006. My mobile computing timeline from 1992 to the present:

Apple PB 100
Apple Newton 110
Apple Emate
Apple Powerbook 140
NEC Ultralite Versa V50
DEC HiNote Ultra II
DEC Hinote Ultra 2000
Toshiba Tecra
SparcBook
HP200 LX
HP320 LX
Palm Pilot
ThinkPad A22
ThinkPad T40
Apple Ti-Book (400, 667, and 1.2M)
Danger Sidekick I (black/white)
Danger Sidekick II
Danger Sidekick 3
Apple MacBook Pro 2.16G dual core

I thought that my last purchase, the Apple MacBook Pro, would propel me to the next level that I needed in computing. This was my first multi-CPU mobile computer: 2G of memory, 120G of storage, and all the connectivity options available. I thought I had once again satisfied my needs and conquered the requirement to be tied to a powerful desktop computer chaining me to my office. I was wrong.

The MacBook Pro is hot (literally and figuratively). Sure, it was the first revision and I am a demanding user with compilers going in the background, lectures or music going via mp3 or mpgs, MS Office applications open, multiple browser windows, IRC, IM, and H.264 video conference clients, ssh sessions to remote servers, skype, to name a few, but that is just who I am and how I remain productive. The main obstacles now are screen real estate, heat, and runtime, with the latter two being my biggest concern.

I was in a downward spiral. My computing needs ran the unit hot, Lithium-Ion batteries hate being hot (it shortens their life), and like my batteries, my hands hate being on a hot surface typing for hours. Either I needed to change my computing behavior or I would have to ask mother nature to change the laws of physics. I thought long and hard about the total system and all of the cybernetic circuits: the human, the CTO, the computer and subsystems, the applications and services I required, and all of the infrastructure that makes up the larger system. I mapped it all out and came up with a plan that would require change on all parts of the system but would yield results that could not be achieved with the prior strategy.

With this new strategy, I travel with less weight, going from a pack that averaged 20 pounds down to 10 pounds. The biggest and most welcome change was that of runtime. My full-size keyboard computing device gets 500+ hours on 3 AA's -- I am no longer a slave to power outlets! When I am not mobile, I am a part of several desktop environments which have no problem being well resourced.

My mobile arsenal consists of:
Danger Sidekick 3
Iomega Mini Flash Drive
AlphaSmart NEO

The Sidekick 3 offers me the always-on connection and has an ssh client as well as all the main apps for IMAP-SSL, IM and a browser;
the Iomega Flash Drive has my presentations for when I am speaking at a customer's site or a conference;
the AlphaSmart NEO gives me a full-size keyboard text processor that weighs less than 2 pounds and runs 700 hours on 3 AA's. If you see my blogging rate go up, it is because of this wonderful device. This device is completely zen.

This is my new setup and it seems to be working out well. I need another 3 to 4 months before I can claim victory.

--tk

August 22, 2006

Has the world changed?

Alan Shimel made an interesting comment in response to Mike Murray's response to Alan's and others' comments in the wake of MS06-040. He said: "I think the world has changed for these type of exploits," in reference to the absence of a genuine full-blown, Sasser-esque worm exploiting MS06-040. I was tempted to dismiss this out of hand as apologist nonsense, but it caused me to wonder: why hasn't such a worm materialized (yet)?

Call me cynical, but I have a hard time believing that the world is a kinder, gentler place than it was two years ago. For criminal elements, organized or otherwise, a wormable exploit is an opportunity for profit. Yet this "perfect storm" vuln is only getting worked over by a lousy spambot engine?

One possible answer: Yes, the world has changed. If a worm is released, (almost) everyone will patch their systems. People have started to "get" patching. But the gains ($$$) to the worm creator will be minimized by a rapid response from a maturing security industry.

However, if there is no worm, then fewer systems would be patched. Thus more systems would be vulnerable to compromise via targeted attacks with a potential for greater payoff. Anyone have a better theory?

As the security industry matures, we must never forget that our adversaries are maturing too.

The Modern Tinfoil Hat

There was a day when we could all be safe in ridiculing the tinfoil hat crowd. When I saw Adam Shostack with a piece of the shiny stuff wrapped around his badge at RSA this year, I thought that times may have changed. It's not quite the same concern. The foil headgear is intended to protect one from mind control, alien influences, and the MLB satellite. I'm not so much talking about keeping others out, as keeping my information in. As RFID creeps up in more and more places, perhaps it's time to start worrying about what information you might be leaking. Enter the RFID blocking wallet!

Tinfoil hat of the future or the next ubiquitous personal tech?

Customer's 24-hour SLA

Recently, a fellow competitor took issue with nCircle's 24-hour SLA on Microsoft vulnerabilities, claiming that it is too slow relative to the competition. While I completely respect this opinion, the issue is not that there are 86400 seconds in a day; the issue is listening and responding to the needs of a target market.

First, a bit of background.
I didn't get up one morning and say "Golly, we should wrap an SLA around our Patch Tuesday release." The entire idea came from our customers. In fact, I spent a lot of time on the road asking them about time parameters and the result was a 24-hour window. No magic at all, just a good conversation with the consumer. Yes, they do care about the timely delivery of an authenticated and non-authenticated check, but they are also concerned about the quality of that check, the details of the descriptions, and ultimately the actionable results from that check. I cannot speak to other target markets, but in the case of nCircle, the large enterprise is a very different beast and is never shy about sharing its opinion.

I have a deep respect for all of the other vendors in the Vulnerability Management space and by no means want to suggest that quality and time are always in a direct relationship with each other. My one goal with this posting is just to say that nCircle's 24-hour SLA is not meant to annoy other vendors, it is there because our customers asked for it. If they feel that a 12-hour or 48-hour time window is more appropriate, then we make changes and move on.

As long as we are all sharing pet peeves, why can't vendors treat each other with more respect? If I have offended anyone with this posting, I'm sorry. The more vendors can work together, the more customers benefit.

--tk

August 28, 2006

What do you mean I'm not patched?

So you are an administrator within random company 'X'. You have been happily using a certain product that has had some known vulnerabilities within it. However this isn't a problem as you've patched them as the patches have come out. The vendor came out with a new version of the product a year ago and has been pushing all users to upgrade. Being a safe administrator worried about the interaction of new products and desktop installs, you've been testing the product in your test lab and everything seems a-ok. So you decide to push the new product out to all the desktops slowly department by department. Everything works well. All users are happy.

After a couple of weeks, though, users report that their boxes are acting funny. After some detective work, you find that the boxes have been exploited through an old, already-patched vulnerability in the product you just upgraded. Since you applied that patch a couple of months ago when it came out, you believed you were safe. Worse, the patch management system reports every one of the exploited boxes as patched against this vulnerability. Management is unhappy and you are SOL.

So, what happened here? This is very similar to an issue with upgrading Microsoft's Windows Media Player (WMP). Say you are running WMP 9 on Windows XP SP2, fully patched with all the latest WMP patches (specifically MS06-005 and MS06-024). You want to upgrade to version 10, so you do. The problem is that the version of WMP 10 offered on the Windows Media Player website is old: it ships with an older wmp.dll and is therefore still vulnerable to MS06-005 and MS06-024. On top of that, the upgrade does not remove any of the records of the patches previously installed for WMP 9, so anything that relies on those records still *looks* patched, but you are not.
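The practical lesson is that "patch installed" records and the version of the binary on disk are two different facts, and only the second one tells you whether the vulnerable code is gone. The following is an added example, not code from nCircle or from this post, of reconciling the two: it takes a constructed host inventory (what the patch system recorded versus the file version of wmp.dll actually found), and flags hosts where the record claims a fix the binary does not carry. All host names, patch markers, file versions and "fixed in" thresholds are made up for illustration; they are not the real build numbers of wmp.dll or of any Microsoft bulletin. Note that thresholds are keyed by major version, since the fix for the 9.x branch is a different build than the fix for 10.x, and a fresh 10.x install is not "more patched" than a fixed 9.x just because 10 > 9.

```python
"""Reconcile patch-management records with the binary version actually on disk.

Illustrative example only: the host inventory, patch markers, file versions
and the FIXED_IN thresholds below are constructed and are NOT the real
build numbers of wmp.dll or of any Microsoft security bulletin.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    patches_recorded: set   # what the patch-management system says is installed
    wmp_dll_version: str    # FileVersion of the wmp.dll found on disk


def parse_version(v: str) -> tuple:
    """'10.0.0.3646' -> (10, 0, 0, 3646). Compare numerically, never as strings:
    as strings, '9.0.0.3344' sorts *after* '10.0.0.3802'."""
    return tuple(int(part) for part in v.split("."))


# Assumed fixed-in versions, keyed by bulletin and then by product major version.
# A 10.x build below the 10.x threshold is vulnerable even though it is newer
# than every 9.x build. (Constructed values, not real bulletin data.)
FIXED_IN = {
    "MS06-005": {9: "9.0.0.3250", 10: "10.0.0.3802"},
    "MS06-024": {9: "9.0.0.3344", 10: "10.0.0.4019"},
}


def is_fixed(bulletin: str, file_version: str) -> bool:
    """True only if the on-disk version meets the threshold for its own branch."""
    major = parse_version(file_version)[0]
    threshold = FIXED_IN[bulletin].get(major)
    if threshold is None:
        return False  # unknown branch: report as not fixed rather than guess
    return parse_version(file_version) >= parse_version(threshold)


def reconcile(hosts):
    """Return {host: [bulletins]} where the patch record says 'installed'
    but the binary on disk is still below the fixed version."""
    findings = {}
    for h in hosts:
        wrong = [b for b in h.patches_recorded if not is_fixed(b, h.wmp_dll_version)]
        if wrong:
            findings[h.name] = sorted(wrong)
    return findings


# Constructed inventory, as a patch system plus a file-version sweep might report it.
SAMPLE_HOSTS = [
    # Patched WMP 9, never upgraded: record and binary agree.
    Host("hr-01", {"MS06-005", "MS06-024"}, "9.0.0.3344"),
    # Upgraded to the stale WMP 10 download: the WMP 9 patch records survive
    # the upgrade, but the new wmp.dll predates both 10.x fixes.
    Host("hr-02", {"MS06-005", "MS06-024"}, "10.0.0.3646"),
    # WMP 10 with only the first fix actually present on disk.
    Host("dev-07", {"MS06-005", "MS06-024"}, "10.0.0.3802"),
]

if __name__ == "__main__":
    for host, bulletins in reconcile(SAMPLE_HOSTS).items():
        print(f"{host}: record claims {bulletins} but wmp.dll on disk is not fixed")
```

In a real sweep the `wmp_dll_version` field would come from the file's version resource on each host rather than from an inline list; the point of the check is that it never trusts the "installed patches" record alone.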

So, if you're a regular user, diligent about patching your computer, how would you ever know? You almost certainly wouldn't. For a company that is starting to focus heavily on security, why let users download a vulnerable version of a program? It's not as if the product is sitting on a CD somewhere out of their reach; they are the ones serving a vulnerable version to every user willing to upgrade. It would be like an automotive company recalling a part to fix a safety issue, but still installing that same part in every new car. It's counterproductive and puts all your users needlessly at risk, which is odd because it is something the company controls.

I can understand why a big vendor may have difficulty consolidating patch information across all the different groups within the company, and why it might take some time for an updated package to reach the product website. However, putting your users at risk from vulnerabilities that already have patches is hard to excuse.

As a note, I'm not here to single out this vendor. There are probably a lot of other vendors guilty of the same thing.

August 31, 2006

The Analyst Retentive Manager

Reading murray's blog this morning, I was interested to see his post on good bosses and bad bosses. As usual, Mike offered great insight, objectively and with a healthy dose of self-awareness. As soon as I read the title, I expected no less. :)

Also as usual, our thinking was very similar, but I do see one part of his post in a very different light:

"I have always believed that management is a responsibility that can be measured by a single factor: staff retention."

I think there's some truth in that statement - untimely and/or unexpected attrition is a bad thing - but I don't believe that staff retention is a powerful enough measurement to capture the success of management as a single factor. One of the most important things that you can do as a manager is to support the growth of your people. Behavioral growth, skills growth, creativity growth. In many cases, this leads to your most talented staff being capable of more than the job they're in. For those who evolve with the team, retention becomes much easier. For those who don't, attrition is not always a bad thing.

There is an impressive list of *extremely* talented people who have worked with the VERT team over the years, and in most of those cases the decision to move to a new challenge has come on the heels of *good* management (myself excluded perhaps?). Staff retention is one of the highest priorities for me as a manager; keeping my team energized and happy is the most rewarding part of what I do.

For the record, Mike is one of the best coaches I have ever worked with. He does a phenomenal job of promoting growth in his staff. Maybe he doesn't give himself enough credit when thinking about his former staff who have moved on.

Perhaps that's a sign of a good boss.

Will the hive mind end my job?

Jaron Lanier's recent essay "DIGITAL MAOISM" casts users of online collaborative systems like Wikipedia and Digg as slaves of the faceless mob, each of us subservient to the rejection of individuality and creativity.

For both the attacker and the defender security engineer, it's generally believed that being unpredictable and diverse provides an upper hand. Conversely, supporting n+2 operating systems and identity tools equates to n+10 support and integration issues. As such, IT departments have historically relied upon the Common Operating Environment. For the sake of interoperability, the Internet as a whole relies on RFCs and bodies like the IETF. These organizations provide a like-minded outcome, and each of us develops tools based upon the standard.

Lanier would have us believe that at some point in time, collaboration falls on its own sword and creates a reversal. From that climactic point going forward it's a downturn, a nose-snubbing smear to creativity and individual thought. Turning this supposition into serious thought about security practices proves to be both tough and interesting. If every organization were to look the same, be the same and act the same, then a single defector could 0wn us all. I relish the day when every person reads email in plain text and changes their password regularly. There is a natural life cycle to the hive mind, and for security we are still at the infancy stage of "security awareness". For the time being, our skills are probably still desired.

Can Lanier’s essay hold water outside of Wikipedia and Digg?

Video Killed the Radio Star

Radio Shack's recent firing of 400 people by e-mail reminded me of this (relatively famous) Dilbert cartoon.

I'm not going to discuss the firing from a PR perspective at all. You can find numerous other blogs and news outlets talking about this. I am going to look at this solely from a security standpoint.

In most cases, when you fire people, you try to limit their access to any aspect of the company. You are getting rid of them, so you really do not want them hanging around the office accessing their computers. Who knows what they might do? If you are firing a group of employees over e-mail, it means that they are still logged into a computer (which is probably authenticated to some domain), and they still have access to their e-mail (because they have to read it to know they are fired). I'd love to give Radio Shack the benefit of the doubt and presume that they restricted access to everything for all the employees they let go, but they are a big company and it's difficult to disable access and delete accounts for 400 employees in real time.

So, Radio Shack is left with 400 former employees, some of whom are probably very disgruntled. It gives them the opportunity to send mass e-mails out to present employees, steal confidential data and damage company property. All it takes is for one of the ex-employees to do something stupid and unprofessional for it to be detrimental to the company. A backdoor here, malicious code there, or confidential data sent to an e-mail account abroad or placed on a CD, who knows what 400 angry employees could do?

To save time and bypass the wrath of the employees, management opened a can of worms and left the company vulnerable to attack from the group of people who are already most likely to do it harm. It's a classic case of shortsightedness, where management took the easy road and (possibly) ignored the security ramifications of their decision altogether.

About August 2006

This page contains all entries posted to 360 Security in August 2006. They are listed from oldest to newest.
