May 16, 2008

Adam on "Silver Bullet Security" Podcast

(Posted by adam)
The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was following the letter, rather than the spirit, of PCI. Also on the agenda, duck-billed platypuses, Kandinski, and books by Pynchon.
Show 026 - An Interview with Adam Shostack.

The one thing I'd like to add is that we mentioned Frank Abagnale's Catch Me If You Can.

It was a fun interview.

Posted by adam on May 16, 2008 at 11:06 AM in 'The New School', blogging, emergent chaos.

May 15, 2008

Check out these great blogs!

(Posted by adam)
I'm excited and grateful to the Industry Standard for including us in their "Top 25 B-to-Z list blogs."

There's some great stuff in there which I read, like "Information Aesthetics," "Venture Hacks," "The Old New Thing" and "Schneier on Security."

There's also a set of blogs that I hadn't seen, and am checking out.

Why not take a minute to flip through the list, and see what chaos emerges in your feed reader?

Posted by adam on May 15, 2008 at 11:17 AM in blogging.

April 29, 2008

Everybody Run, Crispin's Got a Blog

(Posted by adam)
My buddy, collaborator and co-worker Crispin Cowan has started a blog. The first post is "Security Is Simple: Only Use Perfect Software."

[Update: Added a link to Crispin's home page, because some readers apparently have trouble with a search engine.]

Posted by adam on April 29, 2008 at 10:25 PM in blogging.

March 22, 2008

Ain't Nobody's Business But My Own

(Posted by mordaxus)

A year ago, I discussed stupid email disclaimers in, "If I Screw Up, It's Your Fault!" This week, Brian Krebs of the Washington Post comes over the same issue, indirectly, in his "They Told You Not To Reply."

Krebs tells the story of Chet Faliszek, who owns the domain donotreply.com, which he bought in 2000 as a lark. The interesting situation is that many otherwise sane people will send broadcast messages with a return address that has donotreply.com in it. And of course, people reply. When they reply, he gets the mail.

He gets customer service mail from Charbroil grills; financial service mail from Capital One and Merrill Lynch; network diagrams and vulnerability data from Yardville National Bank; faxes from Iraq contractor and former Halliburton subsidiary Kellogg Brown & Root; and of late very interesting mail from the Department of Homeland Security.

Krebs quotes Faliszek:

"I've had people yell at me, saying these e-mails are marked private and that I shouldn't read them."

"They get all frantic like I've done something to them, particularly when you talk to the non-technical people at these companies."

The most delicious emails end up on his blog. He will remove them if you show proof of a donation to an animal protection league or humane society.

Note that if you send your email to Mr Faliszek, it becomes his email. No one suggests that there is anything untoward in owning donotreply.com. No one suggests that the disclaimer has any standing. No one suggests that there is anything wrong with his letting you ransom those emails through good works.

Certainly, it's stupid to use a domain like donotreply.com. It's a legal domain. There are some reserved domain names, and they are documented in RFC 2606. For Heaven's sake, use donotreply@yourdomain! However, it's worse to have the disclaimer. Non-expert, non-technical people might think that it has standing. Note what Mr Faliszek said, that people think that because they're marked private, he shouldn't read what's delivered to his domain. I have every sympathy with these people. They think they're protected, and they're not. Fortunately for us all, Mr Faliszek is a nice guy who loves animals. Take it away, bandleader.
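As an added example (not code from the post or from Krebs' article), here is a small Python audit of outgoing-mail headers that flags From/Reply-To/Return-Path addresses at domains you don't control, treating the RFC 2606 reserved names as safe because they can never be delegated to a stranger; the owned-domain allowlist and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Names reserved by RFC 2606: never delegated, so mail to them bounces
# instead of landing in a third party's inbox.
RFC2606_TLDS = {"test", "example", "invalid", "localhost"}
RFC2606_DOMAINS = {"example.com", "example.net", "example.org"}

# Constructed allowlist of domains this organisation actually controls.
OWNED_DOMAINS = {"yourdomain.example"}


def classify_domain(domain: str) -> str:
    """Return 'owned', 'reserved' or 'third-party' for a sender domain.

    The owned check runs first so a subdomain of a controlled domain is not
    mistaken for a reserved name (yourdomain.example ends in .example).
    """
    d = domain.lower().rstrip(".")
    if d in OWNED_DOMAINS or any(d.endswith("." + o) for o in OWNED_DOMAINS):
        return "owned"
    if d in RFC2606_DOMAINS or d.rsplit(".", 1)[-1] in RFC2606_TLDS:
        return "reserved"
    return "third-party"


def audit_headers(raw_headers: str) -> list:
    """Classify every sender-type header in a raw header block.

    Returns (header name, address, classification) tuples.
    """
    findings = []
    for line in raw_headers.splitlines():
        m = re.match(r"(?i)^(From|Reply-To|Return-Path):\s*(.+)$", line)
        if not m:
            continue
        header, value = m.group(1), m.group(2)
        _, addr = parseaddr(value)  # strips display name and angle brackets
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1]
        findings.append((header, addr, classify_domain(domain)))
    return findings


def misdirected(raw_headers: str) -> list:
    """Only the headers that would route replies to someone else's domain."""
    return [(h, a) for h, a, c in audit_headers(raw_headers) if c == "third-party"]


# Constructed sample of a broadcast message with the mistake the post describes.
SAMPLE = """\
From: Alerts <alerts@yourdomain.example>
Reply-To: donotreply@donotreply.com
Return-Path: <bounces@yourdomain.example>
Subject: Your statement is ready
"""

if __name__ == "__main__":
    for header, addr in misdirected(SAMPLE):
        print(f"{header}: {addr} points at a domain you do not control")
```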

Photo "its just sad" by Quiz....

Posted by mordaxus on March 22, 2008 at 9:46 PM in Amusements, Legal, blogging.

March 10, 2008

Belva's got a brand new blog

(Posted by cwalsh)

Ken Belva has a new blog at http://www.bloginfosec.com/. Looks like it is more "formal" and magazine-like than the typical blog, which many people will appreciate.

There seems to be a pretty solid collection of contributors, and the hunt is on for additional qualified writers. There's even a raffle for an iPod (but I already have one).

Plenty of information is available at the official announcement page.

(Apologies for the title of this post to the late, great, James Brown)

Posted by cwalsh on March 10, 2008 at 6:10 AM in blogging.

February 27, 2008

Threat Modeling Blog Series

(Posted by adam)
Over on my work blog, I just wrapped up a series on threat modeling. Because blogs display the content backwards, I've put the entire series up as a Word doc: The Trouble With Threat Modeling.

[Update: If you want to see all the threat modeling posts, they're at Threat Modeling SDL blog posts. They're displayed latest to oldest, which we're looking into.]

Posted by adam on February 27, 2008 at 10:52 AM in blogging, information security.

February 25, 2008

Saying it loud -- OpenID leads to phishing

(Posted by mordaxus)

Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly:

OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies - the more it succeeds, the more dramatically phishable it will become.

There you have it.

It has long been a joke about crusty states such as Idaho, Oregon, New Hampshire, or New Jersey that they have signs at the border that read, "Welcome to <insert-name-here>, now go home."

As a Mac user, I'm often asked whether someone should switch to a Mac because it's more secure. My response is that the only reason a Mac is more secure than a PC is that it's only people like me who use them. As soon as hordes of people start using them, they will no longer be as secure. I like not knowing the details of anti-virus programs. I like not bothering even to run the built-in firewall. So, no, I don't think you should switch to a Mac because it's more secure. I think you should just update your virus files every week. Besides, Macs are much more expensive than you can afford. Really. Have you heard about Ubuntu? It's Open Source! (Cue sounds of angels singing.) People tell me it's really nice. And I hate Leopard.

Despite all of these being true statements, this technique does not work as well as I would like. I think I need to take a presentation skills class.

OpenID is similar in that it's a safe neighborhood because people like me don't go there. Once enough people like me start going there, it's not going to be secure. I am reminded of comments by each of Groucho Marx and Yogi Berra.

I am happy to help keep OpenID secure by not using it. I've already written about what I think is better.

What I find amusing about Cameron's epiphany is his solution for the problem. He thinks that OpenID should become part of InfoCardSpace, and thus shipped with Windows.

There's a joke that begs to be made here, oh, how it begs. It is rim-shot worthy, so I'll not make it. I'll merely point out that if you want to get CardSpace, you have to get Vista. Ba-dum-dump.

I am again using the photo "Trunk 'n Branches" by slightly-less-random because it is the only image in Flickr that comes back from the search of "cardspace phishing" and one of two for "openid phishing".

Posted by mordaxus on February 25, 2008 at 6:37 PM in ID Management, ID Theft, blogging.

February 7, 2008

Economist Debates Security V Privacy

(Posted by adam)
The Economist emails:
Our second series of three debates kicks off today and the first proposition raises important questions about civil rights and the trade-off between Privacy vs. Security. As a blogger and member of the community that The Economist aims to serve with this lively debate, we wanted to extend an invitation to you and the readers of Emergent Chaos to join the debate by blogging or commenting to the debate floor. (No subscription is necessary).
The debate: "Proposition: Security in the modern age cannot be established without some erosion of individual privacy."

Have at Mr. Livingstone, arguing for the side of order and no emergent chaos, or, if you must, Mr. Barr, on the side of truth, justice, and the American way.

Posted by adam on February 7, 2008 at 11:31 AM in Privacy, Security, blogging.

January 22, 2008

Welcome, SecurityFocus readers

(Posted by cwalsh)

The inclusion of Emergent Chaos among the blogs featured at Security Focus happened, one might say, "on Internet time". Specifically, it was a cool idea that people talked about for a while, and then it got implemented very quickly and surprised us. Quite apropos, given this blog's title.

Anyway, Adam, EC's bandleader, is away from the keyboard. Hopefully, this brief introduction to the blog will suffice in his absence.

Emergent Chaos is a group blog on security, privacy, liberty, and economics. We write on each of these topics singly (except the last -- too much high-quality competition), and in various combinations. Perhaps the best way to become familiar with Emergent Chaos is to take a look at the highlight reel.

I'd say (not speaking for EC, the President of the United States, or the National Football League) that you could do worse than to start with:

Thanks for your time. Hopefully, you'll like what you see and become a regular.

Posted by cwalsh on January 22, 2008 at 9:32 PM in blogging.

November 15, 2007

How to Blog a Talk

(Posted by adam)
Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker.

I really like what Chris Hoff did in his blog post, "Security and Disruptive Innovation Part I: The Setup."


I did something similar after "Security Breaches Are Good for You: My Shmoocon talk." I posted a PDF of the slides. I think the PDF is less effective, because you can't skim it, search it, or excerpt it as easily as with Hoff's HTML version.

Nice work, Chris!

Posted by adam on November 15, 2007 at 2:15 AM in Usability, blogging, presentations.

October 27, 2007

FEMA's Fake News Conference

(Posted by adam)
In light of FEMA using our tax dollars to stage a fake news conference, I'd like to take a moment to assure you that none of the Emergent Chaos combo works for the Burton Group, and any softball questions in our interviews are just because we like them.

Photo: FEMA news conference, AP.

[Update: We originally attributed the photo to the AP. It was actually taken by pirhoebabe. We apologize for the confusion.]

Posted by adam on October 27, 2007 at 4:15 PM in blogging.

October 14, 2007

How to Better Cite Blogs

(Posted by adam)
Via BoingBoing, we learn that the NIH has a guide to citing blogs. Cool! Respectworthy! And a little lacking as a citation format. Here's their first sample:
Bernstein M. Bioethics Discussion Blog [Internet]. Los Angeles: Maurice Bernstein. 2004 Jul - [cited 2007 May 16]. Available from: http://bioethicsdiscussion.blogspot.com/.
There are at least two major problems with this citation format.

Firstly, the URL to the post itself is missing. I might want to cite “"How to Cite Blogs" by the NIH / National Library of Medicine” on Kidney Notes, in which case I should print the URL "http://www.kidneynotes.com/2007/10/how-to-cite-blogs-by-nih-national.html". It strikes me as rare to want to cite a blog in general, rather than in particulars. We get to example 29 before we see this.

Secondly, I should include a real, full date. When I cited is uninteresting. When I visited might be. When the post was posted certainly is. Only a small fraction of the citations include a date of publication, and those refer to (say) June, 2006.

Posted by adam on October 14, 2007 at 2:37 PM in blogging.

October 3, 2007

Blogging @ Work: Blue Hat and Threat Modeling

(Posted by adam)
BlueHat 6 was a great event. I had a really good time listening and talking with the attendees and speakers.

The team is also looking to share a lot more about what's happening, and one way they've done that is to open up their blog to speakers.

There are posts from Rain Forest Puppy, Halvar Flake and Ollie Whitehouse. You may remember Rain Forest Puppy for his work advancing the discussion around responsible disclosure. Well, he blogs about "The New Security Disclosure Landscape."

Reviewing an installed piece of software in your own closed environment, while conceptually subject to copyright and other intellectual property infringements, is benign enough within that exact context. However, reviewing someone else’s production web site (without their permission, of course) for security problems is essentially a criminal activity. What is the real difference between looking for a vulnerability in a web site to help make it more secure versus looking for a vulnerability in a web site for malicious purposes? In the initial stages, both approaches involve the same exact technical activity/process. The only difference is the attacker’s intent—and intent is just a subjective frame of mind of a person that can easily be (mis)interpreted in a court of law.
Halvar discusses the economics of attacking Vista and what that might mean for Microsoft and researchers in "Vista and Vigilance." Symantec researcher Ollie Whitehouse discusses "Microsoft, Mobile and Security."

There are also posts from my co-workers Katie Moussouris and Mark Russinovich, and I posted "Pay No Attention to that Vuln Behind the Curtain."

I've also kicked off a series at the SDL blog, "The Trouble With Threat Modeling," and "The New Threat Modeling Process." I'm actually really excited about the series, and some of the posts I have coming up. I hope you enjoy them.

Posted by adam on October 3, 2007 at 11:32 AM in blogging.

September 20, 2007

Transparency in Government

(Posted by adam)
The Privacy Commissioner of Canada is blogging. Welcome to the blogosphere!

In unrelated news, the Canadian dollar reached parity with the US dollar for the first time in thirty years. See the Canadian Broadcasting Company, "$1 Cdn = $1 US."

Posted by adam on September 20, 2007 at 10:53 PM in blogging.

August 16, 2007

NYT Reporter Has Never Heard of Descartes

(Posted by mordaxus)

Or perhaps more correctly, did not internalize Descartes when he heard of him. In "Our Lives, Controlled From Some Guy’s Couch," John Tierney writes:

Until I talked to Nick Bostrom, a philosopher at Oxford University, it never occurred to me that our universe might be somebody else’s hobby. I hadn’t imagined that the omniscient, omnipotent creator of the heavens and earth could be an advanced version of a guy who spends his weekends building model railroads or overseeing video-game worlds like the Sims.

It is for occasions such as these that the expressions "gobsmacked" and "WTF" were created. How could you survive to adulthood, let alone get a degree in what I presume was some sort of liberal arts, let alone get a job at The Paper of Record, and not once wonder about whether reality is real? This also suggests that the poor thing's youth was insufficiently misspent.

Perhaps the real interesting work in this sort of liberal arts has moved to the likes of Edward Fredkin at MIT.

It's a great article, and I'm happy that serious newspapers are talking about things like this. But in World of Warcraft, a simulation that he gives as a comparison, the characters there have a repertoire of jokes. One of the jokes that a woman might say is, "Do you feel that you aren't in control of your own destiny -- like -- you're being controlled by an invisible hand?"

I'm pleased that Oxford philosophers think about this, and I'm glad that professional journalists are paying attention to it rather than the usual fluff. For our children, however, this is just part of popular culture.

Photo courtesy of denzilm.

Posted by mordaxus on August 16, 2007 at 5:07 PM in Amusements, Economics, blogging, game theory.

August 15, 2007

Examining Wikipedia Anonymous Edits

(Posted by mordaxus)

It's recently been amusing to look at where Wikipedia's anonymous edits come from. There have been many self-serving edits from obvious places, as well as selfless ones from unexpected sources.

I am most amused by this selfless edit which came from IP address 132.185.240.120, which translates to webgw0.thls.bbc.co.uk.

I can only think that had the BBC person in question made an attributed edit instead of an anonymous edit, it would have been considered as coming from an authoritative source.

Posted by mordaxus on August 15, 2007 at 7:08 PM in Amusements, blogging.

August 10, 2007

Pseudonyms in the News: Fake Steve Jobs Outed

(Posted by mordaxus)
Allegedly Brad Stone

Brad Stone of the New York Times is a killjoy. Geez. Part of the joy of reading The Secret Diary of Steve Jobs was thinking of him as Fake Steve Jobs, and nothing more. Sure, it's all good that his employer was so delighted that FSJ is going to be hosted by them, now, but -- Geez. Have you no sense of decent fun?

The next thing you know, someone's going to out the guy who plays Stephen Colbert.

The only good thing to come out of this is that the BBC has come out with the article, "How to mastermind a fake blog" and it is a very good thing.

Photo is the first person you get when you do a Google image search for "Brad Stone New York Times." Hah.

Posted by mordaxus on August 10, 2007 at 6:52 PM in Amusements, ID Theft, art, blogging.

August 7, 2007

Obligation to Secure

(Posted by mordaxus)

Chronicles of Dissent has a good article on this topic, "If you don’t secure your data, it’s not unauthorized access."

A court in Pennsylvania ruled that it's not illegal to get information you really shouldn't have if you got it from a search engine or the search engine's caches.

This is important because there have also been some stupid cases where someone has been prosecuted for "unauthorized" access to wireless networks and this provides clarity, too. If you didn't secure your network, and my laptop finds it, it's your problem, not mine.

However, I also agree that if I am told that a network isn't free, even if it's open, I shouldn't use it. (That case was one in which someone used a café's wireless network repeatedly after being told that it's for customers.) I think of it as the difference between a fence and a no-trespassing sign. (I was once in a hotel and saw the SSID "STAY THE HECK OFF MY NETWORK" -- except that it didn't say "heck," it used a different first two letters. It was clear that proceeding further would in fact be digital trespass.)

Read the article, and if you are so inclined the larger law report.

Photo "Unlocked door" by coveman.

Posted by mordaxus on August 7, 2007 at 8:39 PM in Legal, Security, blogging.

July 12, 2007

Pseudonyms In The News

(Posted by mordaxus)


The Wall Street Journal reports that the CEO of Whole Foods, John Mackey, posted on the Yahoo! Finance board for Whole Foods under the pseudonym Rahodeb, which is an anagram of Mackey's wife's given name. (It's also an anagram of "A Bread Ho," but since the WSJ doesn't stoop to that sort of cheap joke, it falls upon me.)

Rahodeb apparently posted prolifically for eight years, quitting last August. While some people are clucking their tongues at this, it seems that if a CEO is going to natter about his own company, it's okay if we're all surprised that it was him when he's outed.

Mackey says in his defense that he did a lot of trolling. "The views articulated by rahodeb sometimes represent what I actually believed and sometimes they didn't. Sometimes I simply played 'devil's advocate' for the sheer fun of arguing. Anyone who knows me realizes that I frequently do this in person, too." For example, when someone on the board made fun of Mackey's haircut, Rahodeb said, "I think he looks cute!"

His final defense at any tongue-clucking comes from the circumstances under which he stopped posting as Rahodeb. He made a bet with Hubris12000 about the performance of Whole Foods stock, and that bet required that he stop posting if he lost. I think we've all seen web boards with both Rahodeb and Hubris12000 and didn't know which side to cheer for.

Full disclosure: "Mordaxus" is an anagram of "Doxmursa" which is thankfully not my SO's name. "Pseudonym" is an anagram of "Does my pun?" which is ungrammatical, but an interesting question nonetheless.

Photo "This Bread is Such a Ho" courtesy of Jason and Heather.

Posted by mordaxus on July 12, 2007 at 1:42 PM in Amusements, Legal, Liberty, blogging.