
Or something like that. You have to know how to use a Mac and be British. Her Majesty needs you.
I am delighted to announce that Crispin Cowan has joined the core Windows Security Team!

Let me add my own welcome. Crispin and I have collaborated on a couple of projects, and I look forward to working with him more, and seeing what happens when he applies himself to Windows security.

For those of you who don't know Crispin, Crispin is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain and AppArmor. I've known Crispin for many years, and have nothing but the utmost respect for the guy. He's well published, wicked smart, a non-zealot and brutally pragmatic. In my opinion, AppArmor is a shining example of his pragmatism: it's simple and it works. What excites me the most is he'll bring a different perspective to the Windows team, and I'm a big believer in stirring the pot!
[A clarification: Crispin is joining Microsoft, not Emergent Chaos (today, anyway). I remain the only MS employee blogging here, and my comments do not represent my employer. I was simply excited and wanted to share the news.]
If you need a change in your life, consider this job posting:
Read on. If you like being the sheriff who cleans up town, this could be for you!

Title: IT Security Architecture Manager Needed
Company: TJX Companies
Location: Framingham, MA
Skills: Very strong technical security background in both the mainframe and distributed environments.
Term: Full Time
Pay: DOE
Length: Full Time
Detail:
TJX Companies is seeking an IT Security Architecture Manager who has at least 6 years' experience in Information Technology; certification related to the security profession (CISSP, CISA, CISM) is preferred.

Director Mike Figgis flew into LAX airport and was detained for five hours because he oopsed. He said, "I'm here to shoot a pilot."
On the one hand, yes indeed, on the list of things you shouldn't say while in Immigration, "I'm here to shoot a pilot" is right up there with being careful how you greet your friend John.
But on the other hand, is the US government really filled full of so many beady-eyed, mouth breathers with brains the size of cashews that it takes five hours to clear this up? And in Los Angeles, of all places? Dear God, click on the link above. It's a Google search for "Mike Figgis." All ten links on the first page point to the director, celebrity, and film maker Mike Figgis. Link #1 (IMDB), link #3 (filmbug.com), and link #5 (mooviees.com) all have pictures of him.
Admittedly, IMDB says he was born in Cumbria, England, and hollywood.com (link #4) says he was "Kenyan-born." Hmmm. Highly suspicious. But filmbug says,
Born in Carlisle, England, Figgis moved to Nairobi, Kenya as a baby. He lived there until his family relocated to Newcastle in the north of England when he was eight.
And that seems to clear it up a bit. Mooviees tells us: Born: Saturday, February 28, 1948 (Carlisle, Cumbria, England, UK), and that seems to let us know that Carlisle is in Cumbria, and hey, there's a date that might be on his passport! Wikipedia (link #2) agrees with that date, but says, "Cumberland" instead of "Cumbria" and unless you've taken Latin, that might look suspicious as well.
So what happened? Did the dates not match properly? Did he cut the curls and go all Bruce Willis? Surely there must be some reasonable explanation. Maybe they really hated Leaving Las Vegas. Or perhaps it was that Sopranos episode. Maybe he called the Immigration agent "Sugartits."
Tip of the hat to 27 B Stroke 6. Original article from The Guardian. Photo of the perp along with Saffron Burrows shamelessly stolen from IMDB, whom I would have linked to if they'd made it easy.
Update on 31 May 2007: This story is apparently too good to be true. Boing Boing got told by people in the know that it's not true.

The SnoopStick offers full realtime monitoring of another computer. It's Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both.
Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer.
There is other amusing information on the web site, such as:
All SnoopStick monitoring messages are sent through our data centers, and none of the information is stored here locally at any time. Additionally, all SnoopStick messages passing through our systems are encrypted with an industry standard encryption algorithm.
Solid Oak and its employees are not able to view any SnoopStick activity sent through our networks because of the encryption used by all components of the system. You can rest assured that the information gathered by SnoopStick is only accessible by the owner of that particular SnoopStick.
What a relief! An industry-standard encryption algorithm. Wanna bet it's in ECB mode, with known headers? And what about the IP addresses the messages are coming from, and so on? I'd love to see a security analysis of this thing. Even better would be to see which AV and anti-spyware systems will catch it, and if not, then why not?
Picture of the SnoopStick shamelessly appropriated from their web site, because I didn't want their weblogs to get the information. It's bad enough to write about them at all.
In the Christmas double issue of The Economist, there is an interesting article about Google's new domain-level email services and their applicability to business. I'm traveling, so I listened to the podcast version.
I'm not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally tempted by the service for some of my own domains.
The Economist also thinks it's a good idea, so much so that they slur us in IT security:
IT bosses tend to argue that web-based software is not secure. Their real fear, probably, is that web-based software will mean fewer jobs in corporate IT. But the trend will be hard to resist. Trusting the web with your software is not so very different from trusting the bank with your money, instead of keeping it under the mattress at home.
There are several things to object to here. The first is the smug attack on the professionalism of corporate IT people. I find it all the more obnoxious for hiding behind the word "probably" which is one of the oldest rogue's tricks in journalism. I won't dwell on that too much, because it is unusual for The Economist to have such a lapse, and this one is forgivable because it is probably caused by the onset of tertiary syphilis in the responsible editor. (I'll apologize for my counter-slur if a paper supporting the claim that the probability that "security" concerns are actually about budgets is greater than 0.5 is accepted at WEIS this year.)
The next thing to object to is the confusion between software and data. Email, and any concerns with it, are not about the software, they're about the data. Anyone who has qualms about outsourcing to Google most likely has it about the data, not about the software.
Another confusion The Economist makes is between money and information. There are a number of differences between money and information, but one that is relevant here is that if my bank is robbed, I still have my money (which is one of many reasons why banks are better than mattresses). This is not true with information. If information is stolen, you can't pull it back. Furthermore, Google isn't going to insure or indemnify against information loss the way that governments and banks indemnify depositors. If an outsourcer gets broken into, it's still my breach, and breaches are not cheap.
Not only are emails information, but they are corporate documents. They can be subpoenaed or discovered. I have no idea what would happen if I were in a lawsuit and Google were asked to turn my email that they host over. I would hope that Google would refuse, but what happens if a judge disagrees? Let us also not forget that any such dispute would happen in the US courts. It would also be subject to US national security laws, and these laws not only require your service provider to turn over your emails, but require them not to tell you about it. Additionally, some assert that emails lose their status as protected communications after they've been aged for 180 days. My eyebrow is raised, as I am an equal-opportunity cynic, but that's hardly tin-foil-hat territory.
The last thing to remember is that despite what The Economist seems to think, rarely does one find a free lunch. Google does not offer email services for free. It sells them to you, and you pay by letting them use your data to sell adverts. Google's payment is exactly the advertising value of scanning all your email. You may think it's worth it, but you may not. I think this is something about which gentlebeings can disagree.
There are situations in which outsourcing one's documents may make sense. If, for example, you're a state university and your documents are ultimately the property of the taxpayers, then some of the security concerns go away. But not all of them. To get rid of the risks, an outsourcer would have to secure the data so that they can't lose it or be compelled to release it. Unfortunately, that would most likely change the economics of the bargain and make it so that the outsourcer would be giving out a free lunch.
None of this means that outsourcing your domains to Google is a bad idea, it just means that there are costs, benefits, and risks. The cost of a Gmail-hosted domain is the value of the use of your information. This might be analogous to letting the bank use your money, and may be worth it. However, implying that managing your own information is like keeping your money in a mattress is wrong. It's more like buying your own shares rather than letting a fund manager do it. It's a tradeoff of many things: time, money, effort, etc. Surely an economist can understand the difference between saving and investing.
These are leadership level positions in a growing company with great financial resources. Each of these team members will have the chance to attend conferences, participate in industry developments, and will be encouraged to establish their leadership in the industry through publications and/or presentation opportunities. For a technologist, this is a chance to make (and be rewarded for) critical contributions to the success of a company for whom technology is both its heart and lifeblood.

I have fond memories of working with a number of these people when we were at Zero-Knowledge. They're great folks in a great city, and if you fit the bill, you should give them a chance.
I'm happy to facilitate introductions.
PS: Just when Window and I were gonna live in the same city, again, too. Bugger.
PPS: Apparently, it's from Mike Schroepfer's blog post.
I started my career as a UNIX sysadmin. You can find really old email from me to Sun-managers, or a 1994 "Introduction to S/Key." In the past, I've heaped scorn on Microsoft's security related decisions. Over the last few years, I've watched Microsoft embrace security. I've watched them make very large investments in security, including hiring my friends and colleagues. And really, I've watched them produce results.
In making this decision, I've had conversations with many people and organizations. The one theme that stands out was the difference in the conversations I had with Microsoft versus other software producers. Some of the things that Microsoft does and is looking to improve haven't even made it in rudimentary form anywhere else. I found myself having to shift gears and explain Microsoft's Security Development Lifecycle. I noticed no one else with a Blue Hat conference. No one else stopping feature development to hunt for bugs. I (re-)discovered how few organizations have even basic formal security processes in place, and how few of those have audits to make sure that their processes are followed.
I realized just how many smart people are thinking about these questions at Microsoft, and I'm glad to be joining them. I'll be working on threat modeling and improving that aforementioned Security Development Lifecycle.
Part of the process that's taken a long time and has been hard for me is that Microsoft is adamant on minimizing risks of intellectual property contamination, and that includes technical advisory boards (TABs). Looking around, I found exactly two Microsoft employees on commercial TABs. One was John Conners, CFO; the other is Rob Willis, who founded the company he now advises. Two people. Six years. I might have had a slightly better chance if I wasn't taking the role I'm taking, in a central security group. I want to be clear that my decision is about the tremendously cool opportunity within Microsoft, not a lack of confidence or enthusiasm for the companies I have had the pleasure of working with. I remain enthusiastic, and wish all of them great success.
That said, Microsoft didn't offer to buy this blog. It remains mine, with a healthy dose of Chris and Arthur, and lots of great reader comments. I am free to say what I want here, and they're free to question my judgment. At the same time, I'm going to shy away from some topics: Microsoft. How other companies do security processes. Why you should use IE. I'm going to shy away from these, at least initially, because there's a tendency to take everything Microsoft employees say as company gospel, regardless of disclaimers, etc. I expect to speak more about liberty, privacy, breaches, usability, and as I find them, giant animals.
So, I've joined Microsoft, and I look forward to doing great things here.
We're working on a self-healing system for improving server reliability and security. It more directly addresses some of the most prevalent security problems than do traditional ways that revolve around doing everything with network traffic. We're also collaborating on some related research that advances our mission of making network software more robust.
REVIVE SYSTEMS: VP, SOFTWARE ENGINEERING
DEVELOPER/MANAGERS: DO YOU WANT TO BE A PART OF SOMETHING NEW AND DIFFERENT?
Do you want to lead the development of real technology that will defend networked systems against previously-unknown (0-day) threats? Does the idea of "self-healing software" sound intriguing? Have the uptimes of production applications you've written been measured in years rather than days? If so, you're the type of person we'd like to meet.
Revive Systems is seeking an exceptional and experienced VP of Software Engineering to be responsible for leading the development of our next-generation self-healing software platform. The ideal candidate may have built high-availability network-facing applications, such as in an e-commerce, large ISP, financial, or hosting provider environment. The VP of Software Engineering should be a hands-on type who enjoys writing code if necessary to ensure that the job is done right the first time. We're building a small but exceptional team to deliver the next big enhancement to system reliability and security.
Current Linux and UNIX systems programming experience is preferred. Current experience with multiple languages, particularly C and Java, is required.
Expertise with advanced finite state-machine grammar or compiler development is highly desirable. Experience with networked TCP/IP production applications is critical. Security expertise is a major plus.
The ideal candidate will have led the development of complex commercial network application products or significant open source applications, particularly those deployed in high-availability environments.
ABOUT REVIVE SYSTEMS
Revive Systems is creating an advanced self-healing software technology that significantly enhances the security and reliability of network applications. Revive's founders, Loren Burnett (President and CEO) and Robert Stratton (CTO), come from tier-1 ISPs, large managed security providers, and successful security product companies. Our founders understand the challenges of enterprises with high uptime requirements, constant security concerns, and global networks. Our patent pending technology was invented in the computer science labs of Columbia University. Revive Systems is funded by Novak Biddle Venture Partners.
VP, SOFTWARE ENGINEERING POSITION DESCRIPTION:
The VP, Software Engineering will be responsible for:
I'm very happy to report that Ian Goldberg has accepted a position, starting in the fall, at the University of Waterloo. I had the privilege of working with Ian while he was Chief Scientist and Head Cypherpunk for Zero-Knowledge Systems, and he spans academic and practical computer security in a way that's all too rare. He's looking for outstanding Master's degree candidates in security and privacy.
If you're interested, send mail to iang at cs dot uwaterloo dot ca. [Corrected. Canadian Universities are all too cool to use .edu.]
Congratulations to both Ian and the University of Waterloo, who gains an outstanding addition to their faculty.
[Photo by Kat Hanna.]
Hi,

Having read all that, I'm confident that you have a position that's great for me. Thanks especially for taking the time to include my name in your email, and letting me know what caught your eye. I know, there's only a little bit about me online, so I ought to be able to guess why you'd like to hire me.

My name is () and I am a recruiter for (). I came across your name on an internet search and wanted to tell you about our opportunities available within our NYC and Houston locations.
(), a key component of the firm's () practice, provides the building blocks for a secure and protected business environment. Employing state-of-the-art technology, () security professionals deliver enterprise security and risk-based services enabling our clients to take advantage of the evolving electronic economy in a secure manner. STS professionals have extensive experience with information security protection, system security planning, information security assessments and implementation, security program development, business continuity planning, and strategic technology planning. These services help companies validate their infrastructure; design and implement business processes and technology solutions; address regulations; and educate and train management and employees.
If you are interested in exploring new employment opportunities, I would love to talk to you about...
Oh, I know, you're a body shop! Thanks for the blog-fodder. If you don't want to be treated like this, let me say a good word for my friends at Alta and Associates. They've never placed me, and never pressured me to take a job that wasn't right. I've not yet hired through them, but we still talk, and I value that they treat me like a person. Let me also say a word for my friend ClueChick, who writes about online dating, and often encounters this pattern.
My friend and former boss at Radialpoint is looking for a malicious code and malware expert:
The Director of Malicious Code and Malware will be responsible for being the leading authority on the security and protection of more than 14 million broadband subscribers, the largest community of broadband subscribers in the world. This high profile, expert position will be in the company's Center of Excellence (CoE) and report to the Chief Strategy Officer. The CoE group will be responsible for research, market analysis, and developing information products for both internal and external customers.

Radialpoint is the company formerly known as Zero-Knowledge Systems. Zero-Knowledge was one of those companies that everyone had an opinion about, but I'll simply say that I learned a great deal, and am quite pleased with the time that I spent there, and miss many of the great folks I worked with while there.
If this position were a better fit for my current skills and interests, you wouldn't be hearing about it here.
My friend and colleague Scott Blake is looking for smart people:
I have openings for 5 information security analysts. Level of seniority is negotiable, but I prefer senior-level folks. I'm looking for the following specialties: security awareness training/communications, secure application development, risk assessment, network architecture, and security policy development.

A lot of my thinking about security and its relation to the business has been shaped in conversations with Scott over the years, and I expect that the folks who get these jobs will find them a good career move.

I also have an opening for a process facilitator/administrator type (Security Project Administrator is the title). This is a nearly-entry level position for someone technically savvy, but not necessarily a security specialist. Should be ambitious.
If interested, go to www.libertymutual.com and click on Careers. Through there you can find the jobs. Search for security in Portsmouth, NH (all positions are here, though it may be possible to negotiate office space in Boston, Indianapolis, Kansas City, Wausau, and a few others). Liberty is a rock solid company that's great to work for. Relo assistance available for most positions. If now isn't a good time for you, check back after the first of the new year. I expect to be opening another 6+ positions then.