Rootkit on a Stick


The SnoopStick offers full realtime monitoring of another computer. It’s Vista-ready, too, which perhaps says something about Vista security, or perhaps about people who have had trouble working with Vista, or both.

Any time you want to see what web sites your kids or employees are visiting, who they are chatting with, and what they are chatting about, simply plug in your SnoopStick to any Windows based computer with an Internet connection and a USB port. SnoopStick will automatically connect to the target computer.

There is other amusing information on the web site, such as:

All SnoopStick monitoring messages are sent through our data centers, and none of the information is stored here locally at any time. Additionally, all SnoopStick messages passing through our systems are encrypted with an industry standard encryption algorithm.

Solid Oak and its employees are not able to view any SnoopStick activity sent through our networks because of the encryption used by all components of the system. You can rest assured that the information gathered by SnoopStick is only accessible by the owner of that particular SnoopStick.

What a relief! An industry-standard encryption algorithm. Wanna bet it’s in ECB mode, with known headers? And what about the IP addresses the messages are coming from, and so on. I’d love to see a security analysis of this thing. Even better would be to see what AV and anti-spyware systems will catch it, and if not then why not?

Picture of the SnoopStick shamelessly appropriated from their web site, because I didn’t want their weblogs to get the information. It’s bad enough to write about them at all.

The Price of Nothing and the Value of Everything

In the Christmas double issue of The Economist, there is an interesting article about Google’s new domain-level email services and their applicability to business. I’m traveling, so I listened to the podcast version.

I’m not going to criticize Google today. I think Gmail is a good service. I have several Gmail accounts. I am personally tempted by the service for some of my own domains.

The Economist also thinks it’s a good idea, so much so that they slur us in IT security:

IT bosses tend to argue that web-based software is not secure. Their real fear, probably, is that web-based software will mean fewer jobs in corporate IT. But the trend will be hard to resist. Trusting the web with your software is not so very different from trusting the bank with your money, instead of keeping it under the mattress at home.

There are several things to object to here. The first is the smug attack on the professionalism of corporate IT people. I find it all the more obnoxious for hiding behind the word “probably” which is one of the oldest rogue’s tricks in journalism. I won’t dwell on that too much, because it is unusual for The Economist to have such a lapse, and this one is forgivable because it is probably caused by the onset of tertiary syphilis in the responsible editor. (I’ll apologize for my counter-slur if a paper supporting the claim that the probability that “security” concerns are actually about budgets is greater than 0.5 is accepted at WEIS this year.)

The next thing to object to is the confusion between software and data. Email, and any concerns with it, are not about the software, they’re about the data. Anyone who has qualms about outsourcing to Google most likely has it about the data, not about the software.

Another confusion The Economist makes is between money and information. There are a number of differences between money and information, but one that is relevant here is that if my bank is robbed, I still have my money (which is one of many reasons why banks are better than mattresses). This is not true with information. If information is stolen, you can’t pull it back. Furthermore, Google isn’t going to insure or indemnify against information loss the way that governments and banks indemnify depositors. If an outsourcer gets broken into, it’s still my breach, and breaches are not cheap.

Not only are emails information, but they are corporate documents. They can be subpoenaed or discovered. I have no idea what would happen if I were in a lawsuit and Google were asked to turn over the email of mine that they host. I would hope that Google would refuse, but what happens if a judge disagrees? Let us also not forget that any such dispute would happen in the US courts. It would also be subject to US national security laws, and these laws not only require your service provider to turn over your emails, but require them not to tell you about it. Additionally, some assert that emails lose their status as protected communications after they’ve been aged for 180 days. My eyebrow is raised, as I am an equal-opportunity cynic, but that’s hardly tin-foil-hat territory.

The last thing to remember is that despite what The Economist seems to think, rarely does one find a free lunch. Google does not offer email services for free. It sells them to you, and you pay by letting them use your data to sell adverts. Google’s payment is exactly the advertising value of scanning all your email. You may think it’s worth it, but you may not. I think this is something about which gentlebeings can disagree.

There are situations in which outsourcing one’s documents may make sense. If, for example, you’re a state university and your documents are ultimately the property of the taxpayers, then some of the security concerns go away. But not all of them. To get rid of the risks, an outsourcer would have to secure the data so that they can’t lose it or be compelled to release it. Unfortunately, that would most likely change the economics of the bargain and make it so that the outsourcer would be giving out a free lunch.

None of this means that outsourcing your domains to Google is a bad idea, it just means that there are costs, benefits, and risks. The cost of a Gmail-hosted domain is the value of the use of your information. This might be analogous to letting the bank use your money, and may be worth it. However, implying that managing your own information is like keeping your money in a mattress is wrong. It’s more like buying your own shares rather than letting a fund manager do it. It’s a tradeoff of many things: time, money, effort, etc. Surely an economist can understand the difference between saving and investing.

Radialpoint Needs People

My friends at Radialpoint are looking for a few great people to help drive their service delivery platform. They need a database development architect, a software architect, and a senior Java developer:

These are leadership level positions in a growing company with great financial resources. Each of these team members will have the chance to attend conferences, participate in industry developments, and will be encouraged to establish their leadership in the industry through publications and/or presentation opportunities. For a technologist, this is a chance to make (and be rewarded for) critical contributions to the success of a company for whom technology is both its heart and lifeblood.

I have fond memories of working with a number of these people when we were at Zero-Knowledge. They’re great folks in a great city, and if you fit the bill, you should give them a chance.

I’m happy to facilitate introductions.

I’m Joining Microsoft

I’m very pleased to announce that I’ve accepted a position with Microsoft. I’ll talk in a bit about the work I’ll be doing, but before I do, I’d like to talk a bit about the journey that’s brought me here, and the change I’ve seen in Microsoft that makes me feel really good about this decision.

I started my career as a UNIX sysadmin. You can find really old email from me to Sun-managers, or a 1994 “Introduction to S/Key.” In the past, I’ve heaped scorn on Microsoft’s security related decisions. Over the last few years, I’ve watched Microsoft embrace security. I’ve watched them make very large investments in security, including hiring my friends and colleagues. And really, I’ve watched them produce results.

In making this decision, I’ve had conversations with many people and organizations. The one theme that stands out was the difference in the conversations I had with Microsoft versus other software producers. Some of the things that Microsoft does and is looking to improve haven’t even made it in rudimentary form anywhere else. I found myself having to shift gears and explain Microsoft’s Security Development Lifecycle. I noticed no one else with a Blue Hat conference. No one else stopping feature development to hunt for bugs. I (re-)discovered how few organizations have even basic formal security processes in place, and how few of those have audits to make sure that their processes are followed.

I realized just how many smart people are thinking about these questions at Microsoft, and I’m glad to be joining them. I’ll be working on threat modeling and improving that aforementioned Security Development Lifecycle.

Part of the process that’s taken a long time and has been hard for me is that Microsoft is adamant on minimizing risks of intellectual property contamination, and that includes technical advisory boards (TABs). Looking around, I found exactly two Microsoft employees on commercial TABs. One was John Conners, CFO, the other is Rob Willis, who founded the company he now advises. Two people. Six years. I might have had a slightly better chance if I wasn’t taking the role I’m taking, in a central security group. I want to be clear that my decision is about the tremendously cool opportunity within Microsoft, not a lack of confidence or enthusiasm for the companies I have had the pleasure of working with. I remain enthusiastic, and wish all of them great success.

That said, Microsoft didn’t offer to buy this blog. It remains mine, with a healthy dose of Chris and Arthur, and lots of great reader comments. I am free to say what I want here, and they’re free to question my judgment. At the same time, I’m going to shy away from some topics: Microsoft. How other companies do security processes. Why you should use IE. I’m going to shy away from these, at least initially, because there’s a tendency to take everything Microsoft employees say as company gospel, regardless of disclaimers, etc. I expect to speak more about liberty, privacy, breaches, usability, and as I find them, giant animals.

So, I’ve joined Microsoft, and I look forward to doing great things here.

Startup Opportunity: Revive Systems

My friend Robert Stratton has taken the CTO role at Revive Systems. He’s both a serial startup guy (Wheel Group and UUNet) and has been on the investor side at In-Q-Tel. We’ve spent some time talking about the technology, too, and it sounds very intriguing. The remainder of this post is his job description for their VP Software Engineering.

We’re working on a self-healing system for improving server reliability and security. It more directly addresses some of the most prevalent security problems than do traditional ways that revolve around doing everything with network traffic. We’re also collaborating on some related research that advances our mission of making network software more robust.

Do you want to lead the development of real technology that will defend networked systems against previously-unknown (0-day) threats? Does the idea of “self-healing software” sound intriguing? Have the uptimes of production applications you’ve written been measured in years rather than days? If so, you’re the type of person we’d like to meet.

Congratulations, Professor Ian!

I’m very happy to report that Ian Goldberg has accepted a position, starting in the fall, at the University of Waterloo. I had the privilege of working with Ian while he was Chief Scientist and Head Cypherpunk for Zero-Knowledge Systems, and he spans academic and practical computer security in a way that’s all too rare. He’s looking for outstanding Master’s degree candidates in security and privacy.

If you’re interested, send mail to iang at cs dot uwaterloo dot ca. [Corrected. Canadian Universities are all too cool to use .edu.]

Congratulations to both Ian and the University of Waterloo, who gains an outstanding addition to their faculty.

[Photo by Kat Hanna.]

Dear Recruiter


My name is () and I am a recruiter for (). I came across your name on an internet search and wanted to tell you about our opportunities available within our NYC and Houston locations.

(), a key component of the firm’s () practice, provides the building blocks for a secure and protected business environment. Employing state-of-the-art technology, () security professionals deliver enterprise security and risk-based services enabling our clients to take advantage of the evolving electronic economy in a secure manner. STS professionals have extensive experience with information security protection, system security planning, information security assessments and implementation, security program development, business continuity planning, and strategic technology planning. These services help companies validate their infrastructure; design and implement business processes and technology solutions; address regulations; and educate and train management and employees.

If you are interested in exploring new employment opportunities, I would love to talk to you about…

Having read all that, I’m confident that you have a position that’s great for me. Thanks especially for taking the time to include my name in your email, and letting me know what caught your eye. I know, there’s only a little bit about me online, so I ought to be able to guess why you’d like to hire me.

Oh, I know, you’re a body shop! Thanks for the blog-fodder. If you don’t want to be treated like this, let me say a good word for my friends at Alta and Associates. They’ve never placed me, and never pressured me to take a job that wasn’t right. I’ve not yet hired through them, but we still talk, and I value that they treat me like a person. Let me also say a word for my friend ClueChick, who writes about online dating, and often encounters this pattern.

Director, Malicious Code and Malware

My friend and former boss at Radialpoint is looking for a malicious code and malware expert:

The Director of Malicious Code and Malware will be responsible for being the leading authority on the security and protection of more than 14 million broadband subscribers, the largest community of broadband subscribers in the world. This high profile, expert position will be in the company’s Center of Excellence (CoE) and report to the Chief Strategy Officer. The CoE group will be responsible for research, market analysis, and developing information products for both internal and external customers.

Radialpoint is the company formerly known as Zero-Knowledge Systems. Zero-Knowledge was one of those companies that everyone had an opinion about, but I’ll simply say that I learned a great deal, and am quite pleased with the time that I spent there, and miss many of the great folks I worked with while there.

If this position were a better fit for my current skills and interests, you wouldn’t be hearing about it here.

Job Openings

My friend and colleague Scott Blake is looking for smart people:

I have openings for 5 information security analysts. Level of seniority is negotiable, but I prefer senior-level folks. I’m looking for the following specialties: security awareness training/communications, secure application development, risk assessment, network architecture, and security policy development.

I also have an opening for a process facilitator/administrator type (Security Project Administrator is the title). This is a nearly-entry level position for someone technically savvy, but not necessarily a security specialist. Should be ambitious.

If interested, go to and click on Careers. Though there you can find the jobs. Search for security in Portsmouth, NH (all positions are here, though it may be possible to negotiate office space in Boston, Indianapolis, Kansas City, Wausau, and a few others). Liberty is a rock solid company that’s great to work for. Relo assistance available for most positions. If now isn’t a good time for you, check back after the first of the new year. I expect to be opening another 6+ positions then.

A lot of my thinking about security and its relation to the business has been shaped in conversations with Scott over the years, and I expect that the folks who get these jobs will find them a good career move.