In Nassim Nicholas Taleb's book "The Black Swan", he explains a type of ingratitude that I think the security professional knows all too well. It goes something like this: Who gets rewarded by society, the person who nearly kills himself trying to avoid a huge problem or the person who corrects a bad situation after it is already in progress? History will show time and time again that it is the latter. He says "Everyone knows that you need more prevention than treatment, but few reward acts of prevention."

The other day, someone asked me "If this DNS Vulnerability was such a big deal, then why did we not see horrible things happen on the Internet?" We as humans find it difficult to value that which we don't know or have not directly experienced. There were many people working their tails off once they were notified of this DNS bug so that the highest level of preventative steps could be taken. I salute those who listened to what Dan had to say and took action.

The administrator that worked over the weekend to remediate an unruly set vulnerabilities will not be rewarded on Monday the same way that he would if problems happened over the weekend and he fixed it before doors opened on Monday. We prioritize our preventative measures on likelihood and impact and that is an entirely different topic for another blog entry.

The same pattern can be seen at the personal level where until you have a bout with death, preventative tasks just don't get the priority they deserve. IMHO, it comes down to an individual being able to experience the bad situation that is to be avoided so that when asked to spend time, energy, or money on the preventative action, the avoidance is self-evident.

If you follow me so far, you would come to a sociological theory of information security that says that in order for your community to understand the value of preventative measures, they must have had to experience that which is trying to be prevented on a personal level. Don't take this like I am trying to make everyone into a communicator of fear, not at all. All I am trying to do is to present the biases that we have as a society so that we can leverage them when it is appropriate to do so and we can avoid them when they get in the way of good decision making.

I'm back from BlackHat 2008 and had a great time. This year, most of the press coverage was on Dan Kaminsky's DNS vulnerability. Dan is smart, clever, and will always go out of his way to recognize other people's good work - gotta love it.

This weakness in DNS has been seen by some as over exaggerated and by other as one of the deadliest the Internet has seen in years. No matter where you stand on the issue, the problem is what this weakness makes feasible and not the weakness itself.

Although the discussion is about DNS, your countermeasures should focus on man-in-the-middle (MiTM) attack scenarios - this is where the game is played. This weakness when exploited makes many MiTM attacks extremely feasible and difficult to detect by the victim at the time of the incident. If the attacker is able to get in the middle of the applications you are using directly (your web browsing, file transfers, etc) or ones that you use indirectly (auto-updating of software packages, automated agents including email MUA/MTA), you better hope there is proper cryptographic methods to protect the data and validate the other-end of the connection. Not only are most applications in bad shape but studies have shown that if you warn a user about this type compromise during their session, they will likely just click-through the warnings because remember, they are busy and need to get their work done. More about this behavior later.

Now before you start blaming the big bad Internet for being so insecure, when did someone say it was ok to start trusting services like DNS anyway? Some of the very first requirements for the Internet was that "the host shall never trust the network, and the network shall never trust the host". The sooner we all stop trusting insecure protocols, the better. I'm not saying stop using them, I'm saying use them but know their limits and be accountable for the risks within your design.

Why do people take shortcuts in their designs, cheat when they don't think they will get caught, and generally pick the "easy" route? Because we are creatures that favor convenience and the Internet and its protocols are dangerously convenient. We like all other living organisms fundamentally are wired to conserve energy. We will always try to find the most efficient path to our goals and in turn do so at some risk. We are quick to understand the benefits of an action but not always quick to evaluate at what future cost.

The Internet and its protocols are dangerously convenient. Can we not design systems that are both convenient and secure? The correct but not so useful answer here is "It Depends". My point in all of this was that these social biases point toward a much more fundamental security issue than any line of code. We must never forget that we are not designing system for arbitrary faults, we must design knowing there is an active opponent out there trying to get at something of ours that has a high utility to them and when they have taken it from us, we still have it.

Call me paranoid, call me what ever you like but if you are going to download software to my system please offer me the chance to review the ingredients before I click OK.  Ultimately, it would be nice to know what I am about to approve don’t you think?

I wonder if I am the only one that feels this way.  Major application and OS’s do a great job at offering this review before a user approves the update but such is not the case in the land of the Xbox 360 game console.  Sure you could argue that console gamer is not going to know a DLL from LSD but nonetheless, offering optional information about what the update is going to do for them is good form.   In Xbox360 land, you get a screen that looks something like this

and it would be great if the X or Y button gave you information on what was about to change on your system.  And while your taking down my feature request wonderful product manager of the xbox360, it would be nice to see the update history of the machine. 

Does the information exist?  Sure it does but you have to really hunt for it and I’m not sure all the updates have made it to the web.  For example, http://blogs.msdn.com/xboxteam/archive/2007/11/30/december-2007-system-update.aspx

http://www.xbox.com/en-US/community/news/2006/1030-novemberupdate-completelist.htm

From a security stand point, it just spooks me out when I approve an update to my system and have no idea what has downloaded or what has been modified.  The number of independent game developers for Xbox360/Xbox-live are taking off and Microsoft has a solid program.  Lets just say that things will start to get very interesting.

—tk

I buy lots of electronics and have been experiencing a trend lately with rebates.  It may be just paranoia on my part but thought I would post this blog entry to see if anyone else is seeing the same pattern.

I bought another LCD monitor and with it was a mail-in rebate for 30.00.  Like all of these, you spend time to gather the required information, sent it in, and after a good 6 weeks time, you get a check.  Done?  Not quite because the “Pay To the Order of” has misspelled my last name.  If this was the first time this happened, it would not be an issue but 3 times in the last 6 months, something seems wrong.

Could it be that there is a strategy out there to raise the cost of accounting on the payee so that they at some point think it is not even worth it to pursue?  I wish we could see the statistics of all the people who go through with the mail-in but because of the run around, end up ultimately not redeeming their rebate. 

This information is not available so all we have to go on are patterns and paranoia.  Is 30 minutes of sitting on hold and filing more paperwork worth $30.00?  At some point, everything come to a cost/benefit decision.

—tk

Anyone who has been going to RSA year after year has seen lots of change.  Changes in the quantity of vendors, changes in the vendor types, changes in the booth personnel, even changes in the swag you get if you sit through a presentation.  I’m so glad we are past that dry spell of just pens and mints, we like t-shirts, USB-drives and remote control helicopter s!  This year was a great show and I’d like to share with you some observations. 

When I first started going to RSA, there were more vendors than there were customers.  It was a huge vendor boondoggle and while the business development people were having a great time, I was looking for customers to speak with and have a great conversation about what they were looking for at the show and what type of problems they were trying to solve. 

This year was great in terms of customers-to-vendor ratio.  We had a great turnout at our booth and I’ve almost lost my voice from non-stop conversations.  What does this change mean for future RSA shows?  I remember one year being at the show and having a customer tell me “You know what TK, this is a show of car parts, and frankly, I need transportation.”.  I’ll never forget this statement and I have a working theory. 

In the early days of the RSA show, the exhibitors sold all kinds of parts that when put together by a skilled craftsmen, created a powerful solution.  Composability was more important than Usability.  As the attendees change to more of a business level buyer persona, consumers that are not security subject matter experts, we move toward deeper solutions where Usability trumps Composability. 

When I hear those words “…this is a show of car parts, and frankly, I need transportation.”, I imagine a trend on the exhibit floor dominated by much more complete solutions.  Product designed for a persona that does not know how to fire up a debugger, does not know how to read a set of ACLs, but knows how to read market results and can use Excel to model any financial system you can imagine.  That might be a little extreme but nonetheless, the customers out number the vendors by a larger and larger margin. 

I predict that RSA next year will have less small highly technical one-trick-pony companies and more multi-product solutions and managed services companies.  To use that great quote, there will be more vendors selling cars and transportation services than there will be vendors selling parts. 

—tk

Xbox LIVE will be unavailable for approx. 3 hrs on April 1^st from 2pm PDT

Huh?  With all that virtualization, load balancing, and other service abstraction strategies we have today, why do we still have to deal with scheduled downtime?

I understand that we cannot plan on ever getting rid of an unscheduled outage because “stuff happens” but we certainly have at our fingertips methods that can avoid scheduled downtime once and for all.

I’m just bitter because it may take a bite out of my Halo3 Team Slayer.  The Master Chief would never allow for scheduled downtime!  It must be the work of the Covenant.  The fight continues…

—tk

At South-by-Southwest I attended talk given by Jennifer Fraser on Vitruvius who was the first Roman architect to write about the craft.  I saw some invariant patterns of good design that could be useful as we design information systems.  The warning I must underline is that building physics-based systems are different than building information-based systems, at least this is true in March of 2008.  Rival goods are not the same as non-Rival goods.

Marcus Vitruvius Pollio was born ~80 BC and died 25 BC.  Regardless of his abilities as an architect, he lives today because he was the person who wrote about the craft and documented the essence the architecture of his time.  If being referenced some 2000+ years later is not enough of a value proposition to get you to document your contribution,  I don’t know what is.

Jennifer referenced De architectura (Latin: “On architecture”) which consisted of 10 scrolls and “The Ten Books on Architecture” which is the translation and available on books.google.com.  Vitruvius said that well-designed buildings must exhibit three qualities: firmitas, utilitas, and venustas.  Respectively, utility, attractiveness, stability.

Looking at information system design, these qualities are also beneficial.  What is interesting in Jennifer’s presentation is that applications at some moment in time can be mapped to a vector in a firmitas, utilitas, and venustas space.

For example, an application can be at position ‘X’ when it is in demo format and ultimately its goal is to move to position ‘Z’.  There are times when an application would be not as attractive or has low utility but is ultra stable like ‘Y’; its goal over time is to get to position ‘Z’. 

Another thing that was clear was how Vitruvius understood his users.  He had an intimate understanding of who would occupy the dwelling and what tasks they would perform on a daily basis.  Up front in the design was a serious considerations for private and public spaces.  I can see how this has a parallel with information system. 

Vitruvius is quoted as saying “The eye is always in search of beauty” and who can argue that.  We should set our design goals high and demand beauty, utility, and stable system. 

—tk

Check out http://sxsw.org/

It is South by Southwest time again and Austin Texas is completely consumed by inventors, designers, artists, gamers, authors, and any other category that describes a creative class.  The beauty of this conference is that it brings together many creative disciplines and everyone shares their passion.  It is the intersection of software, film, and music. 

Today was registration and as you can see by my badge, I’ll just attend the technical sessions this year.  If I sound a little bummed about that it is because there are a few bands this year that I really wanted to see but things are just too busy at work.  Oh well.  This afternoon, I sat in on a good talk about Javascript patterns and tomorrow I’m looking forward to some great design sessions.  I’ll blog some of my thoughts. 

—tk

Hey, I want to apologize for being absent for so long.  I have a lot of stuff to write about and I’ll be getting it out in 2008.

Will you be at RSA?  I’m giving a talk on Game Theory and how these patterns can be applied to IT Security.  Check your program and don’t be shy – come over and say hello.

—tk

There is a new video game being released on Aug 21st called BioShock. It will be released for the Xbox 360 and PC - I've already got my copy pre-ordered. If you are interested there is a great Wikipedia page on it.

You may take a look and think it is just another first-person shooter but there is a very important pattern to what these designers are after and at the end of this posting I will tie that back in to how this pattern should apply to designers of vulnerability management and configuration compliance systems. Heck, this pattern applies to all information technology systems but I am getting ahead of myself. What makes this game different is that all the objects in this world work the way you would expect them to and therefore it is the player, not the game design that creates the tactics and strategies. It lets every player of the game express themselves differently and in ways that the game designer may have not predicted. I have come to know this form as 2nd-order game design; it is a game that facilitates games. I'll come back to this in a bit.

A popular thing gamers talk about are 'walk-throughs'. This is a document that some awesome player authored describing in fairly static terms the step-by-step progression of a game start to finish. It is a linear progression of what the game designer wants you to experience while you play the game. You are not going to find a walk-through for BioShock because it is all about choice, options, invention, and this static tree-like prescribed experience from the game designer does not apply. The game has an invention system which basically makes you the designer of your own game as you are in the game. In these 2nd-order designs, you are placed in to a world where every player would be entitled to a separate but just as exciting experience. The term 'sandbox' is used sometimes to describe this situation but I think the term falls short in describing the patterns exhibited by 2nd-order designs.

I can point to other systems that leverage this 2nd-order design pattern. One that I think you would will enjoy is http://ldd.lego.com/ Lego Digital Designer. Essentially, the consumer has the same authorship over the creation of a LEGO structure as the designers at Lego. My kid was invited to a birthday party and wanted to build his own Lego toy for his friend. He used this software to design, build a Lego creation and, he uploaded the design model to Lego. Lego, it captures an image of the creation as a label for the and puts it on the outside of a box, assembles all the components and ships your completed design with all the pieces and ships it to you. An important characteristic common to these 2nd-order designs is that the user is equally a consumer and a producer. The Lego Digital Design product is a product that creates markets that create products.

What does this 2nd-order design pattern have to do with Vulnerability Management and Configuration Management? I've been watching this market evolve for the past 10 years and in the beginning, designers/vendors hads a very strong opinion and position on what qualified as a vulnerability and what was "secure" versus 'insecure". Like early 1st-order game designs, the designer "told" the user how they should experience their world. The designers valued systems and opinions were forced on the user of the system and hopefully the two would be in harmony. This is yesterday's pattern and information system architecture will over time, favor the 2nd-order form where the role of designer/producer and user/consumer is dynamically portrayed by every member of the system.

I encourage the designers of information technology systems to get out of their own way; build 2nd-order systems: systems that allow the building of systems. Allow the user to build risk models and domain ontologies that the designer had no comprehension of when the product shipped. Let every player/user express themselves differently and in ways that the designer may have not predicted.

I have a vision of how information systems will evolve and hopefully in the coming days I'll blog about it.

--tk