Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Tip o’ the day.

To a certain co-worker:

There are two possibilities here.

1) I have enormous, supernatural, evil sway over all executive management and just about everyone else in this building, and they always agree with me, no matter how unfair it is.  And I always defend my staff because (a) I’m blindly loyal to all of them, (b) I’m sleeping with them, and/or (c) I just don’t like you, so I’ll take their side.

2) You’re just plain wrong, and everyone knows it but you.

Now, I know which one is better for your ego to believe, and that’s the one you tend to pick.  But I thought I’d throw out option #2 there, just in case.

Posted by shrdlu on Wednesday, September 26, 2007

Hey, that dog food’s actually kinda tasty.

I was doing my Quicken updates this morning and saw a bunch of transactions going by on my credit card that confused me:

“Xfer Purchase Bal to [some other number]”

WTF??

So I went downstairs to my stack of paper mail, and found one of those innocuously marked envelopes that are rigid in the middle and just scream “NEW CREDIT CARDS.” Opened it, and sure enough, there were new credit cards with a BRIGHT yellow slip of paper enclosed, explaining that one of the merchants I had done business with in the past had reported a security breach, and to be on the safe side they were closing my old card account and opening a new one for me.  They gave me until the middle of next month to call and activate my new cards, otherwise they’d close my account completely.

Okay, I’ve got to give Citibank major props here.  Obviously they’ve got this worked out to a science now.  The automated card activation phone tree let me choose to talk to a service rep, who knew why I was calling and had the right “security breach” script in place.  The only thing that bugged me is that they wouldn’t tell me who the merchant was, citing “ongoing security investigations.” But they made it as easy as possible for me to switch things over, and the service rep mentioned in passing that they were having to change “millions of card numbers.”

The only annoying thing is that I have to change bill paying details, automated charges, and the like, at various online sites.  But at least I know that my old account is closed and even if I forget to update someplace, the worst that will happen is that the charge will be rejected.  But it could be much, much, much worse.  I could have actually seen a fraudulent charge before they had done anything.

So I’ve got a new “real life anecdote” to tell my users the next time I have to lecture them about security and identity theft.  That’s not a bad thing.

Posted by shrdlu on Saturday, September 22, 2007

Redeeming social value?

I was tickled pink to see a real live recommendation* from one Michael Willig on LinkedIn:

Layer8 - Kind of a light hearted blog where I can frequently identify with the author, and once in a while I find some insight that makes it worth the read for me.

But I’m kinda worried.  Which parts can he identify with?  The BSOFH ones?  If so, I’m scared.

And if there’s any useful insight, I’ve obviously been careless and I’ll get to work on eradicating it right away.

Seriously, though, thanks for the shout-out, and in return I’ll list some of the blogs I read that have nothing to do with security:

Thomas P.M. Barnett—I’ve been reading him ever since I saw his talk on leviathan forces vs. system administrators.  The reading level is, like, 20,000th grade, but I do learn things.

In the Pink Texas—My kind of snark-o-rama.  Reminds me of my seester.

Pharyngula—Angry, angry atheist.  A, A, A.  Part of the Friday Squid Blogging Network.

Kevin Smith’s Boring-Ass Life—He lets me channel my inner naughty boy vicariously, bless his twisted little heart.

Bag of Toast—‘Nuff said.

Saturday Morning Breakfast Cereal—Ditto.

xkcd—There is just nothing I can add to this except that I want to meet him sometime.  From a distance.

Wondermark, an Illustrated Jocularity—This is so damned close to something my college roommate could have produced.  My all-time favorite one is this:

Share and enjoy!



*As opposed to the ones I pay for.

Posted by shrdlu on Saturday, September 22, 2007

This matches my mood today …

... so precisely, that I just have to share it:

Courtesy of http://lolthulhu.com/

Posted by shrdlu on Thursday, September 20, 2007

BSOFH:  Security’s in the air.

Hardly anyone comes into my office, and if they do, they don’t stay for long.

My boss barrels halfway through the doorway, and then stops short as if he’s suddenly run out of leash.  “My god, what is that … smell??”

“Lunch,” I say through a happy mouthful.  “Gyros with onions, garlic, extra tzatziki, extra onions, more garlic, and garlic.”

“That’s enough to kill every werewolf within fifty miles of here!”

“Garlic is a vegetable,” I reply loftily, “and should be consumed in appropriate amounts.”

“But it’s not the garlic by itself.  What else is making it smell so bad in here?”

“Oh, that’s probably my new pine tar soap.  How do you like it?”

“Horrendous,” he says, and starts to make his exit.

“Would you rather I come to your office?” I offer.

“NO!!  I’ll send you an email,” he shouts over his shoulder.

Pretty soon he’ll give up trying to talk to me at all.

* * * * *

Another foolhardy visitor is soon there to disturb my lunch hour.  “Hi, are you the security officer?”

“Yep, that’s me.”

It’s a whiny intern, probably not more than 20 years old.  “I need you to fix my computer’s lockout policy.  It locks up after ten minutes, and it’s driving me crazy.”

“Work more,” I reply heartlessly.  “Then it won’t lock up.”

“But … I can’t even go to the bathroom without having to log back in!”

“Stop taking that one-handed literature in with you, and it won’t take so long.”

He turns pale, and without another word, walks out.  It was a lucky guess on my part, but it usually works with guys that age.  I make a mental note to go visit his workspace the next time the hallway cameras show him heading for the men’s room.  The old cat lady in the cubicle next to his is gonna get a love letter she’ll never forget.

* * * * *

I polish off my gyro wrap and start on the chocolate mints, just as an instant message pops up on my screen.  It’s from one of the HR recruiters, and it contains a very detailed, indecent suggestion.  I know it’s not meant for me; it’s for his newest conquest down in Accounting.  Management told me I couldn’t log instant messaging, but they never said I couldn’t create screen names that were common typos of coworkers’ existing screen names. 

“OMG totally,” I send back to him.  “Cant wait you big STUD!!1”

I turn my attention to the new programmer on the 5th floor.  She’s from MIT, and makes sure everyone knows it.  There’s nothing you can tell her about application development that she won’t either ignore or try to pretend was her own idea to begin with.  She managed to get her first build released without putting it through security testing, since she has her management believing that she walks on water.

But what they don’t know, but I do, is that she’s hosting half of the production code on her own workstation so that she can “tweak” it as she goes.  I use my domain admin powers to tiptoe through her C: drive, and replace a few choice files with ones of my own.  Pretty soon the VP of marketing is screaming for her head because our company logo has turned into … well, let’s just say an advertisement for the domain goat.se.  Release control, b33tch.  Use it.

It’s almost quitting time.  I take the latest draft of my new HIPAA c*mpliance policy, run it through Babelfish to translate it into French, then into German, then Japanese, then Urdu, and then back to English.  Right in time to take it upstairs to the executive C-suite and drop it off at the CEO’s assistant’s desk.  While I’m there, she starts to ask me about some lame problem having to do with her browser not letting her “log on to the Internets,” but then she thinks better of it after I stand next to her for five more seconds.

On my way out of the building, I drop my pager in the trashcan used by the smokers.  All of the SQL server passwords are set to expire at midnight, and it’s going to be a busy time for the sysadmins and DBAs.  They keep saying that security isn’t necessary, so I’m sure they won’t need my help dealing with the fallout.  I just hope they have a good stock of 22-character passwords ready, though, to comply with the new complexity settings I talked our auditors into requesting.  When you don’t show up for audit meetings, you wind up with a few surprises later on ...

Posted by shrdlu on Sunday, September 16, 2007

Decoupling data from its container.

I discovered recently that there are two different ways that people treat USB flash drives these days.

- Either you view it as a smaller version of a disk drive, in which case you tend to tag it and track it as a hardware asset, or

- You view it as a more voluminous writable CD or DVD, in which case you treat it as a stockroom item, like paper clips.

Is your organization handing out USB drives like Hallowe’en candy?  Do you have any idea who is using them, for what data, and why?

No, don’t tell me that you can simply forbid their use and disable USB ports on all computers.  For every user with a key fob full of jpegs, there’s a sysadmin who’s carrying around a key fob with useful diagnostic tools. 

Besides, that’s not the point.  We are moving data more and more off of static, established infrastructure and onto temporary, ephemeral waystations that flash (if you’ll pardon the pun) in and out of existence.  I’m just waiting for the day when I get a call that a million SSNs were lost because someone’s body piercing jewelry accidentally washed down the shower drain.  The security officer in me wants to force everyone to go back to the equivalent of a dumb terminal, but I understand very well that users want to have and hold their data.  They want to carry it with them; they want to take it home and love it and call it George.  If you give a user a blindingly fast remote desktop connection from home, he will STILL prefer to put everything on a USB drive where he can keep an eye on it.

Both this and virtualization start to make mincemeat of our usual models of data containment.  If you have virtualized instances of systems with data on them, all wrapped up in hosts like so many Matryoshka dolls, do you treat them all as being in one box for the purposes of securing and tracking them?  Will we ever be able to secure the data itself and ignore where it happens to be located at the time?

I doubt that we will, for psychological reasons.  The same impulse that makes us primates feel as though we’re protecting something more if it’s physically within our reach is also causing us to worry more when it’s outside of a territorial boundary.  We get naturally more nervous if data is being viewed from outside of a corporate building—never mind that it’s the same pair of authorized eyeballs looking at it, and statistically speaking, the data is just as much at risk when it’s in the building as outside of it.  Since security risk involves perception, information owners will never completely be able to estimate risk without wanting to envision a specific container and location for their data. 

It’s at times like these that I want to take off my Sorcerer’s Apprentice hat and stop all the brooms from multiplying before my eyes.

Posted by shrdlu on Thursday, September 13, 2007

Apropos of nothing …

I took this quiz and this is what I am:


Your Score: Hieroglyphics

You are Egyptian Hieroglyphics! Monumental, ornate and even in technicolour! Your users contributed virtually all ancient knowledge on inks, dyes and writing surfaces - to the point where the popular reed of Papyrus became the universal name for organic, manufactured writing surfaces in the western hemisphere for thousands of years. Proud, upstanding and dignified.


Link: The Which Ancient Language Are You Test written by imipak on OkCupid Free Online Dating, home of The Dating Persona Test

Posted by shrdlu on Monday, September 10, 2007

Maxim headroom.

This entry is just so that I can dump several things at once that have been cluttering my thoughts:

David Beaver’s delightful meta-blog entry.  I didn’t know I was following his maxims so closely, which include:


Maxim of Enlightenment:

1. Bring enlightenment.
2. Wear shades.

However, it seemeth to me that all of bloggerdom is really just an escalation of Usenet, except that posters can now have their own cribs and decorate them any way they like.  (I favor the Spartan Stylee, in case you hadn’t guessed.) Is there really any difference between the Security Bloggers’ Network and alt.security.bizarre?

The other main feature of bloggerdom is that you can create the equivalent of your own newsgroup that nobody else reads. wink

To tie things back to the title of this post, I’ve really been enjoying the Sci-Fi Channel’s series Eureka, in which Matt Frewer plays a totally wacked-out Aussie, to adorable effect.

Posted by shrdlu on Sunday, September 02, 2007

All about the Benjamins.

While Hutton and Bejtlich go point-counterpoint ("Alex, you ignorant slut ..."), I’ll just riff off of Hoff, not just because it tickles my alliteration funnybone ...

Chris points out the growing horror of endpoint security software sprawl, to which I just want to ask one question:

How much of this proliferation is a desperate attempt to protect against your own users?

Chris writes:  “After all, the endpoint is the closest thing to the data, so the more endpoint control the better, right?”

Not quite.  The endpoint is the closest thing to the USER.  Who is opening attachments, downloading software, browsing questionable sites, mailing himself confidential data, and generally ignoring both policy and good technical sense.  Let’s take a look into the future, where we’re all on blades.  Where are you going to see the most security at that point?

I submit that there is only so much you can do to protect your enterprise data against the people you’re allowing to access it.  The overarching priority should be to simplify user interfaces and educate the users (yes, with a cluebat if necessary).  You’ll still have self-propelling worms and hostile scans to deal with, but you’ll be so much better off if your users simply don’t open strange attachments or go to AdultFriendFinder.com. 

We tend to rely more heavily on technology, because let’s face it:  most of us in this field are introverts and we don’t like talking to real live people if we can possibly help it.  But as security people, we can’t be everywhere.  We can’t be clicking the mice for all the users, and we certainly can’t watch every move.  We should be simplifying what users can do as far as possible so that there are fewer ways that they can shoot themselves in the foot, and then we should be teaching them gun safety.

Hoff is right:  we are getting to the point where we are deploying too much complexity, which in itself creates security problems.  We’re slapping one Band-aid after another on top of an already complicated mess.  Let’s get back to the root cause and address that instead.

Posted by shrdlu on Sunday, September 02, 2007

The best thing about security blogging …

... is getting to watch the Epistemological Cage Match between Richard “detect, warn, deny, destroy, and delay” Bejtlich and Alex “So-Crates” Hutton.

This is going to go so nicely with my new book, Yo, Cicero! Latin for Gangstas.

Posted by shrdlu on Sunday, September 02, 2007

A naïve view of virtualization.

Okay, so this is my view of the new virtualization hype:

So what’s the big deal?  Am I missing something, Herr Hoff? 

Posted by shrdlu on Saturday, September 01, 2007

If he isn’t careful …

Rich Mogull with his LiveChat service is gonna end up in a conversation something like this:

h4x0r: Hey, I hear you like to cyber.

brtne666: Sure, you wanna get it on?

h4x0r: Yeah, tell me what you’ve got on.

brtne666: I’ve got this cute little black thong, and a leather bikini top

h4x0r: No, I mean, what services have you got on?  ssh?  telnet? 

brtne666: Huh? 

h4x0r: It’s okay, I’ll do an nmap.  Yeah, baby, you’re wide open for me, aren’t you?

brtne666: I’m running my fingers through your hair

h4x0r: You’re running finger?  Oh, that’s great.  Let me unzip my tools here.

brtne666: You’re unzipping your tool already? 

h4x0r: I enumerate your users.  You give it all up for me.

brtne666: Okay baby

h4x0r: I crack one of your passwords.  Now I’m in.

brtne666: What’s that about my crack

h4x0r: I start uploading my secret files to you.  Ooooh, that’s nice.

h4x0r: I install a back door so I can come back later whenever I like.

brtne666: Hey, y’know I don’t really go for back door action k?

h4x0r: Relax, baby, I’ll be gentle

h4x0r: Now I’m installing a keylogger so I can watch everything you do.

brtne666: You like to watch, baby

h4x0r: Oh yeah.  Now I’m penetrating your defenses.  You’re disabling your rulesets for me.

brtne666: Okay, whatever

h4x0r: It’s uptime, baby!!1

h4x0r: I slip your sweet site the hot sql injection

brtne666: the what??

h4x0r: I’ve got all your tables

brtne666: we’re doing it on the table?

h4x0r: oh yeah, you love it

h4x0r: I’m pounding your network with my dos attack

brtne666: wtf

h4x0r: pounding harder and harder

h4x0r: you cant even do a reverse lookup

h4x0r: youre beggin for mercy

h4x0r: your data is leakin all over the dmz

brtne666: ok, I think we’re done here

h4x0r: just one more min

h4x0r: almost there

h4x0r: ...

h4x0r: oh yeah

h4x0r: I pwned you so good baby

h4x0r: but now I gotta go, there’s a juicy online brokerage that’s begging for my attention

h4x0r has left the room.

brtne666: what?  you BASTARD!!!

brtne666: oh well

brtne666: at least he didn’t try that Bayesian risk analysis sh*t like the last guy.

Posted by shrdlu on Sunday, August 26, 2007

BSOFH:  This is your identity and access management system on drugs.

So I’m starting this blog entry just to annoy another blogger, ignoring the stack of request forms on my desk waiting to be signed, when my boss walks in. 

“We have a problem,” he announces.

“Who-um ‘we,’ Paleface?” I mutter into my McMigas. 

“Excuse me?”

“Nothing,” I say more clearly.  “What’s the problem?”

“The problem,” he says, “is that we have three department heads waiting to get access to the SSO portal.”

“...And?” I prompt him.

“And ... well, do something!  Set them up.”

“Oh, I don’t do account creation,” I purr.  “That’s all automated.”

“So how do they do it?” he asks impatiently.

“They go to this URL --” I scribble on a Post-It note—“and fill out the form and click on Submit.”

“And then they’ll be set up?  Isn’t that kind of dangerous?  I mean, anybody could fill in that form.” My boss is finally starting to show signs of thinking like a security pro.

“Don’t worry,” I reassure him.  “They have to be approved by a Requester.”

“Who’s a Requester?”

“That’s the person who gets their request and then approves it.  They get a notification by email that a request is waiting for them, they log in, and they approve it.”

“But isn’t the Requester the one who needs the account?”

“No, the Requester is the approver.  The User is the one who needs the account.”

His eyes start to glaze over, but he makes an effort to stay with me.

“So the Requester approves it ... and then what?”

“Then it goes to the Approver.”

“Say what?”

“We have two layers of approver in our system.  It’s very secure.  First the User submits the request, then the Requester approves it, then it goes to the Approver for Administration.”

“Who’s the Approver?”

“It depends on what the User is requesting.  It’s automatically routed.”

“Okay, so the department head fills out the form and submits it.  How soon will the approver approve it?”

“You mean the Requester,” I say helpfully.

“What?”

“The first approver in line is the Requester.”

“Oh, right,” he says.  “So how soon will it get done?”

“I dunno,” I say.  “It could take a while.”

“Can’t we just call the Requester and ask them to approve it quickly?”

“We could ... but ...”

“But what?”

“The User’s request goes to the Requester for that department.”

“Who is the Requester for the department?”

“The department head.”

“Wait a minute,” he says, struggling.  “Do you mean to tell me that the department head is the Requester, but he can’t get his request approved because he’s supposed to be the Requester?”

“That’s right,” I reply calmly.

“Well, then, how do we set him up as a Requester?”

“Oh, that’s easy.  He requests it by going to this URL and filling out the form ...”

A strangled sound emerges from my boss.  It sounds very much like a constipated duck asking for a suppository.

“No, really, it’ll be okay,” I tell him.  “If he’s asking to be added as a Requester, that’s a different application, and it goes to a different Requester for approval.”

“Who’s the Requester?”

“One of my staff.  They’ll approve the request for him.”

“And then who does it go to?”

“The approver for the application that lets you approve,” I say very slowly.  It doesn’t help.

“So to get set up as an approver --”

“Requester.”

“Okay, Requester.  To get set up, you have to request the application that lets you be set up as a Requester.  And the Requester for that application is ... on your staff.”

“Right.”

“And when your Requester approves it, who is the Approver for that request for that application?” It’s a Herculean effort, but he’s starting to get it.

“I am.”

“You’re the Approver for the requests to be made a Requester?”

“Yep.”

“You’re the Approver for everything around here?”

“Oh, no,” I say.  “We have a separation of duties here.  I just approve the requests for this application.  Not all the other ones.”

“So there are other Approvers for the other applications.  How do they get set up?”

“Well, first they go to this URL ...”

“Stop, stop, stop,” he says, starting to look frantic.  It’s too late for him to stop; he’s at the top of the first hill and it’s too late to get off the ride.  “They request to be an Approver, and a Requester approves their request?”

“Exactly right,” I beam at him.

“But you approve ...” He stops dead in the water.

“I approve the requests for Requesters and Approvers.”

“But ... how did you get approved to be an Approver for all the other Approvers?”

“Easy.  I just went to this URL ...”

It took my minions eight hours to clean all the brain matter off the framed Demotivator posters on my walls.  But I didn’t charge it against their comp time.
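The routing loop in this post is a real identity-management failure mode: an approval role that can only be granted through a request which that same role must approve. The following added example (not the blog's own code; all user, department and application names are constructed) models the two-stage User → Requester → Approver workflow and flags self-approval, approvers who are routed to but not yet provisioned, and the role at the bottom of the chain that can only ever be seeded out of band.

```python
"""Two-stage access-request workflow model (added example, constructed names).

A request for `app` in `dept` is routed to the Requester for (app, dept), then
to the Approver for app.  Requester and Approver roles are themselves granted
through the applications "requester-role" and "approver-role".
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Which application a request must go through to obtain a given role.
ROLE_APP = {"Requester": "requester-role", "Approver": "approver-role"}


@dataclass
class Workflow:
    # Policy: who is routed to as Requester for (app, dept) and as Approver for app.
    requester_policy: dict[tuple[str, str], str]
    approver_policy: dict[str, str]
    # Roles actually provisioned: (role, app, holder).  Policy and provisioning
    # can disagree, which is exactly the situation in the post.
    provisioned: set[tuple[str, str, str]] = field(default_factory=set)

    def route(self, app: str, dept: str) -> list[tuple[str, str | None]]:
        """Approval stages a request for app/dept passes through, in order."""
        return [("Requester", self.requester_policy.get((app, dept))),
                ("Approver", self.approver_policy.get(app))]

    def check_request(self, user: str, app: str, dept: str) -> list[str]:
        """Findings that would stop or compromise this request before it is submitted."""
        findings = []
        for role, holder in self.route(app, dept):
            if holder is None:
                findings.append(f"no {role} routed for {app}/{dept}")
                continue
            if holder == user:  # separation of duties: nobody approves their own access
                findings.append(f"self-approval: {user} is the {role} for {app}/{dept}")
            if (role, app, holder) not in self.provisioned:
                findings.append(f"{role} {holder} not provisioned for {app}; request will stall")
        return findings

    def grant_chain(self, role: str, app: str) -> list[tuple[str, str]]:
        """Roles one must already hold, in order, to grant `role` on `app`.

        Each hop asks: who is the Approver of the application that grants the
        previous role?  The chain ends when a (role, app) pair repeats, i.e. the
        role can only be granted by someone who already holds it.  That last
        entry is the bootstrap root and must be seeded outside the workflow.
        """
        chain: list[tuple[str, str]] = []
        seen: set[tuple[str, str]] = set()
        while (role, app) not in seen:
            seen.add((role, app))
            chain.append((role, app))
            role, app = "Approver", ROLE_APP[role]
        chain.append((role, app))  # the repeated pair marks the cycle
        return chain

    def cycle_root_holders(self, role: str, app: str) -> list[str]:
        """Who currently holds the bootstrap root for `role` on `app`.

        An empty list means every request down this chain stalls forever.
        """
        root = self.grant_chain(role, app)[-1]
        return sorted(u for r, a, u in self.provisioned if (r, a) == root)


def example_workflow() -> Workflow:
    """The post's situation with constructed names: the department head is the
    policy Requester for his own department but has never been provisioned."""
    return Workflow(
        requester_policy={("sso-portal", "finance"): "dhead",
                          ("requester-role", "finance"): "minion",
                          ("approver-role", "finance"): "minion"},
        approver_policy={"sso-portal": "sso-admin",
                         "requester-role": "bsofh",
                         "approver-role": "bsofh"},
        provisioned={("Requester", "requester-role", "minion"),
                     ("Requester", "approver-role", "minion"),
                     ("Approver", "requester-role", "bsofh"),
                     ("Approver", "approver-role", "bsofh"),  # seeded out of band
                     ("Approver", "sso-portal", "sso-admin")},
    )


if __name__ == "__main__":
    wf = example_workflow()
    for f in wf.check_request("dhead", "sso-portal", "finance"):
        print("finding:", f)
    print("chain:", wf.grant_chain("Requester", "sso-portal"))
    print("root holders:", wf.cycle_root_holders("Requester", "sso-portal"))
```

Provisioning the department head as Requester clears the stall finding but not the self-approval one; the routing itself needs a delegate rule for that case.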

Posted by shrdlu on Sunday, August 19, 2007

Introducing the BSOFH.

It’s 7 am.  I’ve cracked open my first Diet Coke with Lime of the day to wash down my cold pizza (excuse me, Italian Cheese Toast).  I wade through the dozens of alert messages in my inbox (oho, we’ve found ANOTHER f*****g virus?? Do tell), and the overnight spam mailings from security vendors ("Learn the top 10 ways to crash Vista while securing your ROI!").  I scrutinize my calendar, close my eyes, and choose one meeting appointment at random to delete (without notifying the organizer, of course).  Then I fire off an order to one of my team to produce an arbitrarily chosen report—this time on the number of non-system accounts in a particular division whose crackable passwords contain any part of the user’s name.  That’ll keep him tearing out what’s left of his dreadlocks for two full days, seeing as how we don’t have the infrastructure to produce ANY automated reports other than firewall logs.  I also send out an edict to disable the Blackberry server on the false rumor of a new zero-day exploit so that all the top brass actually have to pay attention at their meetings today.

Yep, I’m the Bastard Security Officer From Hell. 

Contrary to popular belief, I was actually born this way.  I’ve always enjoyed torturing people, making up arbitrary and complicated rules, reading their secrets, and wielding disproportionate power.  It comes from my being the oldest in the family and having wimpy siblings.  I heartlessly manipulated them, stole their desserts, and then beat the snot out of them if they dared complain.

These days, of course, in the corporate world, I don’t beat the snot out of people.  That’s what I have ex-military drones on my staff for.

I started out my career as a BOFH, but I found that it still involved too much work and not enough policy-making.  You can issue a lot more ridiculous commands in the name of security, and what’s more, you get to see them enshrined in corporate policy.  Better yet, I get to demand stellar customer service from the system administrators without having to lift a finger to click my own mouse.

Besides, I’ve found the one club that I can wield even over the CEO and Chairman of the Board.  I can make all the executive management cower in their seats, even if they haven’t got a single skeleton in their closet for me to expose.

It’s the C-word.

C*mpliance.  Whoever invented that word was one sadistic mofo.  It’s got shades of National Socialism mixed with the dusty funk of 65-year-old auditors, with a couple of power ties from the ‘80s thrown in.  I can use it to justify any expenditure, kill millions of trees in a single reporting period, and give sweet desk jobs to all of my friends, no matter which consulting company they work for.  I can turn my 5-year-old’s artwork into a PowerPoint slide and make the management think it’s the newest ITIL model.  Then I can rotate it 90 degrees, flip it 180, and sell it to them the following month all over again.

Fear, Uncertainty & Doubt are even more powerful than Smith & Wesson.  I give our lead attorney nightmares just by whispering the letters “SSN” in his shell-like ear.  I send the latest privacy breach news stories around to every manager to explain why I’m going to insist on another round of security testing before they’re allowed to release their emergency code fixes. 

These sorts of fears don’t tend to impress the lowest levels of staff, though.  They don’t really care what happens to company data as long as they can listen to their bootleg mp3s and watch their DRM-cracked DVDs during business hours.  Threats and intimidation, however, work just fine on their brutish little minds.  I had our web filter error messages customized to say, “You have tried to visit an unauthorized site.  Take your hands off the keyboard and begin removing all personal items from your cubicle.  Security and Human Resources officials will be arriving at your location in 3 ... 2 ... 1 ...”

Our CFO needed a new office chair after seeing THAT one on his screen.  It was great.  We were watching on the webcam, of course.  From then on, we had only to mention the words “hotcpasex.com” to get him to approve every year’s budget.

Today, though, I’m going to play Yahtzee with our firewall ACLs.  We’ll roll the dice and disable whatever comes up.  Three dice for the last two octets of the IP address, and the last two dice for the port number.  Then if someone complains, I’ll make him fill out a change request form in triplicate to get it opened up again.  Gotta keep records for the C-word, y’know.

I think it’s going to be another beautiful day in SecurityLand.

(Simon Travaglia is my hero.)

Posted by shrdlu on Saturday, August 18, 2007

Six degrees of security.

Or, around the world in security blogrolls in six jumps.

Here are the rules:

You start out by jumping to someone on your site’s public blogroll.

Jump to someone on their public blogroll.

And so on.  Go as long as you can but still end up with someone whose public blogroll links back to you.

Caveats: each blog must be primarily about security.  None of the intermediate jumps can have you on their blogroll.  (So you can’t just jump around to all the people you know link to you too.)

I started out by going to Quarterman’s Perilocity,
then to Gunnar Peterson’s 1 Raindrop,
then to those funky guys over at Emergent Chaos,
then to Not Bad For a Cubicle,
then to the always-incisive Another Set of Teeth,
and finally back home to Layer 8.

I went down quite a few wrong paths.  A lot of the top bloggers don’t publicly link to anyone else.  Once I got lost in Scandinavian blogger-land and couldn’t tell whether the blogs were about security any more (my Danish is just as bad as my Norwegian), so I had to back up a few jumps and try again.  Once I had to stop at a gas station.  But it was a fun trip.

Let me know what your tour looks like!

Posted by shrdlu on Sunday, August 12, 2007