A naïve view of virtualization.
Okay, so this is my view of the new virtualization hype:

So what’s the big deal? Am I missing something, Herr Hoff?
Posted by shrdlu on Saturday, September 01, 2007
Rich Mogull with his LiveChat service is gonna end up in a conversation something like this:
h4x0r: Hey, I hear you like to cyber.
brtne666: Sure, you wanna get it on?
h4x0r: Yeah, tell me what you’ve got on.
brtne666: I’ve got this cute little black thong, and a leather bikini top
h4x0r: No, I mean, what services have you got on? ssh? telnet?
brtne666: Huh?
h4x0r: It’s okay, I’ll do an nmap. Yeah, baby, you’re wide open for me, aren’t you?
brtne666: I’m running my fingers through your hair
h4x0r: You’re running finger? Oh, that’s great. Let me unzip my tools here.
brtne666: You’re unzipping your tool already?
h4x0r: I enumerate your users. You give it all up for me.
brtne666: Okay baby
h4x0r: I crack one of your passwords. Now I’m in.
brtne666: What’s that about my crack
h4x0r: I start uploading my secret files to you. Ooooh, that’s nice.
h4x0r: I install a back door so I can come back later whenever I like.
brtne666: Hey, y’know I don’t really go for back door action k?
h4x0r: Relax, baby, I’ll be gentle
h4x0r: Now I’m installing a keylogger so I can watch everything you do.
brtne666: You like to watch, baby
h4x0r: Oh yeah. Now I’m penetrating your defenses. You’re disabling your rulesets for me.
brtne666: Okay, whatever
h4x0r: It’s uptime, baby!!1
h4x0r: I slip your sweet site the hot sql injection
brtne666: the what??
h4x0r: I’ve got all your tables
brtne666: we’re doing it on the table?
h4x0r: oh yeah, you love it
h4x0r: I’m pounding your network with my dos attack
brtne666: wtf
h4x0r: pounding harder and harder
h4x0r: you cant even do a reverse lookup
h4x0r: youre beggin for mercy
h4x0r: your data is leakin all over the dmz
brtne666: ok, I think we’re done here
h4x0r: just one more min
h4x0r: almost there
h4x0r: ...
h4x0r: oh yeah
h4x0r: I pwned you so good baby
h4x0r: but now I gotta go, there’s a juicy online brokerage that’s begging for my attention
h4x0r has left the room.
brtne666: what? you BASTARD!!!
brtne666: oh well
brtne666: at least he didn’t try that Bayesian risk analysis sh*t like the last guy.
Posted by shrdlu on Sunday, August 26, 2007
So I’m starting this blog entry just to annoy another blogger, ignoring the stack of request forms on my desk waiting to be signed, when my boss walks in.
“We have a problem,” he announces.
“Who-um ‘we,’ Paleface?” I mutter into my McMigas.
“Excuse me?”
“Nothing,” I say more clearly. “What’s the problem?”
“The problem,” he says, “is that we have three department heads waiting to get access to the SSO portal.”
“...And?” I prompt him.
“And ... well, do something! Set them up.”
“Oh, I don’t do account creation,” I purr. “That’s all automated.”
“So how do they do it?” he asks impatiently.
“They go to this URL—” I scribble on a Post-It note—“and fill out the form and click on Submit.”
“And then they’ll be set up? Isn’t that kind of dangerous? I mean, anybody could fill in that form.” My boss is finally starting to show signs of thinking like a security pro.
“Don’t worry,” I reassure him. “They have to be approved by a Requester.”
“Who’s a Requester?”
“That’s the person who gets their request and then approves it. They get a notification by email that a request is waiting for them, they log in, and they approve it.”
“But isn’t the Requester the one who needs the account?”
“No, the Requester is the approver. The User is the one who needs the account.”
His eyes start to glaze over, but he makes an effort to stay with me.
“So the Requester approves it ... and then what?”
“Then it goes to the Approver.”
“Say what?”
“We have two layers of approver in our system. It’s very secure. First the User submits the request, then the Requester approves it, then it goes to the Approver for Administration.”
“Who’s the Approver?”
“It depends on what the User is requesting. It’s automatically routed.”
“Okay, so the department head fills out the form and submits it. How soon will the approver approve it?”
“You mean the Requester,” I say helpfully.
“What?”
“The first approver in line is the Requester.”
“Oh, right,” he says. “So how soon will it get done?”
“I dunno,” I say. “It could take a while.”
“Can’t we just call the Requester and ask them to approve it quickly?”
“We could ... but ...”
“But what?”
“The User’s request goes to the Requester for that department.”
“Who is the Requester for the department?”
“The department head.”
“Wait a minute,” he says, struggling. “Do you mean to tell me that the department head is the Requester, but he can’t get his request approved because he’s supposed to be the Requester?”
“That’s right,” I reply calmly.
“Well, then, how do we set him up as a Requester?”
“Oh, that’s easy. He requests it by going to this URL and filling out the form ...”
A strangled sound emerges from my boss. It sounds very much like a constipated duck asking for a suppository.
“No, really, it’ll be okay,” I tell him. “If he’s asking to be added as a Requester, that’s a different application, and it goes to a different Requester for approval.”
“Who’s the Requester?”
“One of my staff. They’ll approve the request for him.”
“And then who does it go to?”
“The approver for the application that lets you approve,” I say very slowly. It doesn’t help.
“So to get set up as an approver—”
“Requester.”
“Okay, Requester. To get set up, you have to request the application that lets you be set up as a Requester. And the Requester for that application is ... on your staff.”
“Right.”
“And when your Requester approves it, who is the Approver for that request for that application?” It’s a Herculean effort, but he’s starting to get it.
“I am.”
“You’re the Approver for the requests to be made a Requester?”
“Yep.”
“You’re the Approver for everything around here?”
“Oh, no,” I say. “We have a separation of duties here. I just approve the requests for this application. Not all the other ones.”
“So there are other Approvers for the other applications. How do they get set up?”
“Well, first they go to this URL ...”
“Stop, stop, stop,” he says, starting to look frantic. It’s too late for him to stop; he’s at the top of the first hill and it’s too late to get off the ride. “They request to be an Approver, and a Requester approves their request?”
“Exactly right,” I beam at him.
“But you approve ...” He stops dead in the water.
“I approve the requests for Requesters and Approvers.”
“But ... how did you get approved to be an Approver for all the other Approvers?”
“Easy. I just went to this URL ...”
It took my minions eight hours to clean all the brain matter off the framed Demotivator posters on my walls. But I didn’t charge it against their comp time.
Posted by shrdlu on Sunday, August 19, 2007
It’s 7 am. I’ve cracked open my first Diet Coke with Lime of the day to wash down my cold pizza (excuse me, Italian Cheese Toast). I wade through the dozens of alert messages in my inbox (oho, we’ve found ANOTHER f*****g virus?? Do tell), and the overnight spam mailings from security vendors (“Learn the top 10 ways to crash Vista while securing your ROI!”). I scrutinize my calendar, close my eyes, and choose one meeting appointment at random to delete (without notifying the organizer, of course). Then I fire off an order to one of my team to produce an arbitrarily chosen report—this time on the number of non-system accounts in a particular division whose crackable passwords contain any part of the user’s name. That’ll keep him tearing out what’s left of his dreadlocks for two full days, seeing as how we don’t have the infrastructure to produce ANY automated reports other than firewall logs. I also send out an edict to disable the Blackberry server on the false rumor of a new zero-day exploit so that all the top brass actually have to pay attention at their meetings today.
Yep, I’m the Bastard Security Officer From Hell.
Contrary to popular belief, I was actually born this way. I’ve always enjoyed torturing people, making up arbitrary and complicated rules, reading their secrets, and wielding disproportionate power. It comes from my being the oldest in the family and having wimpy siblings. I heartlessly manipulated them, stole their desserts, and then beat the snot out of them if they dared complain.
These days, of course, in the corporate world, I don’t beat the snot out of people. That’s what I have ex-military drones on my staff for.
I started out my career as a BOFH, but I found that it still involved too much work and not enough policy-making. You can issue a lot more ridiculous commands in the name of security, and what’s more, you get to see them enshrined in corporate policy. Better yet, I get to demand stellar customer service from the system administrators without having to lift a finger to click my own mouse.
Besides, I’ve found the one club that I can wield even over the CEO and Chairman of the Board. I can make all the executive management cower in their seats, even if they haven’t got a single skeleton in their closet for me to expose.
It’s the C-word.
C*mpliance. Whoever invented that word was one sadistic mofo. It’s got shades of National Socialism mixed with the dusty funk of 65-year-old auditors, with a couple of power ties from the ‘80s thrown in. I can use it to justify any expenditure, kill millions of trees in a single reporting period, and give sweet desk jobs to all of my friends, no matter which consulting company they work for. I can turn my 5-year-old’s artwork into a PowerPoint slide and make the management think it’s the newest ITIL model. Then I can rotate it 90 degrees, flip it 180, and sell it to them the following month all over again.
Fear, Uncertainty & Doubt are even more powerful than Smith & Wesson. I give our lead attorney nightmares just by whispering the letters “SSN” in his shell-like ear. I send the latest privacy breach news stories around to every manager to explain why I’m going to insist on another round of security testing before they’re allowed to release their emergency code fixes.
These sorts of fears don’t tend to impress the lowest levels of staff, though. They don’t really care what happens to company data as long as they can listen to their bootleg mp3s and watch their DRM-cracked DVDs during business hours. Threats and intimidation, however, work just fine on their brutish little minds. I had our web filter error messages customized to say, “You have tried to visit an unauthorized site. Take your hands off the keyboard and begin removing all personal items from your cubicle. Security and Human Resources officials will be arriving at your location in 3 ... 2 ... 1 ...”
Our CFO needed a new office chair after seeing THAT one on his screen. It was great. We were watching on the webcam, of course. From then on, we had only to mention the words “hotcpasex.com” to get him to approve every year’s budget.
Today, though, I’m going to play Yahtzee with our firewall ACLs. We’ll roll the dice and disable whatever comes up. Three dice for the last two octets of the IP address, and the last two dice for the port number. Then if someone complains, I’ll make him fill out a change request form in triplicate to get it opened up again. Gotta keep records for the C-word, y’know.
I think it’s going to be another beautiful day in SecurityLand.
(Simon Travaglia is my hero.)
Or, around the world in security blogrolls in six jumps.
Here are the rules:
You start out by jumping to someone on your site’s public blogroll.
Jump to someone on their public blogroll.
And so on. Go as long as you can but still end up with someone whose public blogroll links back to you.
Caveats: each blog must be primarily about security. None of the intermediate jumps can have you on their blogroll. (So you can’t just jump around to all the people you know link to you too.)
I started out by going to Quarterman’s Perilocity,
then to Gunnar Peterson’s 1 Raindrop,
then to those funky guys over at Emergent Chaos,
then to Not Bad For a Cubicle,
then to the always-incisive Another Set of Teeth,
and finally back home to Layer 8.
I went down quite a few wrong paths. A lot of the top bloggers don’t publicly link to anyone else. Once I got lost in Scandinavian blogger-land and couldn’t tell whether the blogs were about security any more (my Danish is just as bad as my Norwegian), so I had to back up a few jumps and try again. Once I had to stop at a gas station. But it was a fun trip.
Let me know what your tour looks like!
Posted by shrdlu on Sunday, August 12, 2007
More to the point, introducing the concept of application security to the ones who need it most: the application developers.
Sometimes I’m amazed at their obtuseness, really. We’ll have a conversation that goes something like this:
Me: You need to validate your input.
J. Random Luser Developer: But this application doesn’t take user input.
Me: Can the user click on anything?
JRLD: Uh, yes, but—
Me: Can the user type anything into that SEARCH BOX AT THE TOP OF THE PAGE?
JRLD: Yes, but—
Me: Then it’s input and you need to validate it.
JRLD (totally uncomprehending): Why?
Me: Because hackers can create input that will cause your application to break or allow them to get around access controls.
JRLD: And this is bad because ... ?
Me: You’re writing the largest financial application in the company and you have to ask why this is BAD??!??
JRLD: Who would do something like that? This application is only internal, you know. Besides, it would take too much work to redesign it the way you’re asking.
Me (to deputy): Take over, will you? I suddenly feel the need to go for a walk. Before I hurt him.
My forehead wasn’t always keyboard-shaped, you know. But I’m seeing more and more of this syndrome.
Developers don’t understand the basics of what their code does, thanks to GUI-based object-oriented programming. Or they’re re-using someone else’s code and don’t understand it either. They don’t even understand how HTTP works, for crying out loud: how you can talk directly to a web server or modify your browser’s requests to send anything you want. They honestly don’t believe you when you try to explain that any application could be a target, and that there is a real risk out there even if they don’t see it. Because they don’t understand it and have never been exposed to it, they automatically assign it a probability of damn-near-zero.
And bottom line, it’s not their call to make. They don’t get to accept risk on behalf of their organization. It needs to be done by the management, in a well-informed manner. And yet, this is what developers are doing all over the world: making risk decisions that their managers don’t even know they’re making. They’re doing it completely in the dark, in many cases.
So how do you battle this kind of stubborn ignorance? I don’t have time to teach them all about risk analysis, or even teach them the programming knowledge they’re clearly missing. I don’t really want to resort to the “Because Security said so,” either. How do you deal with the equivalent of a Flat-Earther who doesn’t get it, doesn’t want to get it, and yet is primarily responsible for making sure your cruise ship gets safely to New York?
Please help, because it’s just a matter of time before we find that iceberg.
Posted by shrdlu on Wednesday, August 08, 2007
I have to wonder whether all the badasses at DefCon who outed the reporter would have been so gleeful and mob-like about it if, say, the reporter had been male. Or even a female Federal agent, presumably packing heat.
Maybe Ryan was right.
Posted by shrdlu on Monday, August 06, 2007
Wherever two or more are gathered in the name of access control, there are usually forms.
Why do we have forms? Where they exist on paper, they’ve usually served any of three functions:
1) to ensure correctness and completeness of information being submitted;
2) to provide some show of authorization (“I permit this person to get what they’re asking for with this form”); and
3) to obtain some legal acknowledgment of responsibility (“I affirm that the information on this form is true and correct” / “I promise I will not do anything heinous with the access you are about to give me”).
You can get all three of these things on a paper form by getting two or more signatures. However, once you try to put any of this process online, you get the opportunity to split these up or forgo them altogether.
You can get written requests without the use of a form.
You can assume that someone has “signed” a form, in the sense of 2) or 3), by the mere fact that they sent it in an email to you from an individually registered account, or in any other way authenticated themselves beforehand (usually by means of knowing a password).
This starts begging the question of what you really need. If someone knows the information you need and can provide it, does he really have to fill out a form? If he’s authenticated himself once, does he need to go through the trouble of filling out an online form, printing it out, and affixing a signature on it just to get another form of acknowledgment on it?
Digitized signatures have never made much sense to me. They’re a throwback, a gesture of accommodation to the kind of person who wants to see a scribble on a piece of paper or a screen, even though the sender probably didn’t put it there himself. It doesn’t carry any legal weight, that’s for sure; it’s just a feel-good flourish.
Digital signatures, on the other hand, add a little bit more to the assurance: you can reasonably expect that whoever knew the password protecting the private key used it to sign a message and then it was no longer altered after that. Not quite as foolproof as some would have it, but it’s better than just a login on AOL.
But do digital signatures, or clicking an “I agree” box from a login, reasonably provide the function of #3 above? My state’s statutes say that you can use digital signatures to close any deal where both sides agree to use them. But I don’t know how many lawyers would be willing to come out and say that they’d always be willing to accept them in lieu of a cold, hardcopy signature.
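As an added illustration (not code from the original post) of the assurance contrasted in the two paragraphs above, here is a small Go program using the standard library’s Ed25519: an access request signed with a private key verifies only while it is unaltered and is checked against the matching public key, whereas a digitized “signature” is a string any sender can paste in. The request fields, the user name “jdoe” and the resource name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AccessRequest is a constructed stand-in for the kind of request the post
// discusses: who wants what, sent from an account the requester logged in to.
type AccessRequest struct {
	Requester string
	Resource  string
	Body      string
}

// Canonical fixes the exact bytes that get signed, so signer and verifier
// agree on what "no longer altered after that" means.
func (r AccessRequest) Canonical() []byte {
	return []byte("requester=" + r.Requester + "\nresource=" + r.Resource + "\nbody=" + r.Body + "\n")
}

// DigitizedSignature models the scribble on a screen: a pasted name that any
// sender can attach. Nothing binds it to the sender or to the message.
func DigitizedSignature(name string) string { return "/s/ " + name }

// AcceptsDigitized is all a receiver can do with such a scribble: check that
// something signature-shaped is present. It cannot tell a forgery from the real thing.
func AcceptsDigitized(sig string) bool { return len(sig) > 4 && sig[:4] == "/s/ " }

// SignRequest signs the canonical request bytes with the requester's private key.
func SignRequest(priv ed25519.PrivateKey, r AccessRequest) []byte {
	return ed25519.Sign(priv, r.Canonical())
}

// VerifyRequest succeeds only if the holder of the private key matching pub
// signed exactly this request; any later edit makes it fail.
func VerifyRequest(pub ed25519.PublicKey, r AccessRequest, sig []byte) bool {
	return ed25519.Verify(pub, r.Canonical(), sig)
}

// DemoResult collects the four outcomes the post's argument turns on.
type DemoResult struct {
	GenuineVerifies   bool // signed request, untouched
	TamperedVerifies  bool // resource field changed after signing
	WrongKeyVerifies  bool // signature checked against someone else's key
	ForgedDigitizedOK bool // pasted name supplied by an impostor
}

// Demo runs the comparison on a constructed request (hypothetical names).
func Demo() (DemoResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	req := AccessRequest{
		Requester: "jdoe", // constructed sample user
		Resource:  "sso-portal",
		Body:      "Please grant me read access for quarterly reporting.",
	}
	sig := SignRequest(priv, req)

	// Alteration after signing: someone in the approval chain edits the
	// resource field. The signature no longer matches the bytes.
	tampered := req
	tampered.Resource = "sso-portal-admin"

	// A digitized "signature" can be produced by anyone who knows the name.
	forged := DigitizedSignature(req.Requester)

	return DemoResult{
		GenuineVerifies:   VerifyRequest(pub, req, sig),
		TamperedVerifies:  VerifyRequest(pub, tampered, sig),
		WrongKeyVerifies:  VerifyRequest(otherPub, req, sig),
		ForgedDigitizedOK: AcceptsDigitized(forged),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The code does not model the password protecting the private key, which is exactly the point the post flags as “not quite as foolproof as some would have it.”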
Do auditors still need to see forms? I can easily see how an organization could resort just to using email to request and authorize access, as long as all the information was being provided and it was being authorized by the right holders-of-passwords. If the functional requirements are being met, does it matter to them that not all the emails look the same? Is there an additional aesthetic that causes an auditor to reject this method of access management?
I’m almost tempted to try an experiment: use two different processes for the same account requests. They both require the originator to log in to the same account, but in one process, they click through an online form and submit it, and in the other process, they just send an email from that account. Functionally, they are both the same, but I somehow doubt that an auditor would consider the latter to be as acceptable as the former.
(I said “almost tempted.” I’m not that fond of my auditors that I want to spend any more time with them, thankyouverymuch.)
Posted by shrdlu on Monday, August 06, 2007

I’m about this fluffy but not nearly as cute.
(Forget MyFace, SpaceBook or Second Life ... how did we ever exist before LOLCATZ? Best thing since sliced Internet.)
Since Rob’s been encouraging me, and because it’s been That Kind of Day already, I thought I’d share with you a ditty that just popped into my head:
(To the tune of “Sing a Song of Sixpence”)
Sing a song of hacking,
The boss is getting spam;
All the sleazy vendors
Know who I am;
I can’t get my work done,
They all come bitch at me,
Why, oh why am I still working in securitee?
Posted by shrdlu on Friday, August 03, 2007
It’s often not enough to increase the level of security awareness in your organization; you have to change the culture. Telling someone to secure their files isn’t going to work if they don’t care; telling them why they should care isn’t the same as getting them to care. (And threatening them with punishment isn’t the same as getting them to care—see how well compliance works when nobody’s auditing? About as well as the threat of eternal damnation; nobody thinks it’s going to happen to them.)
So how do you do it?
Answer: slowly and steadily, with a great respect for the inertia that matches the size of the organization.
It usually takes me about two years to make a lasting effect, longer if there’s a lot of staff turnover. Once I had to bring the concept of 24x7 support to a company’s branch where their pagers didn’t work outside the building and they didn’t have voicemail (the rationale being, if you weren’t at your desk nobody should be bugging you anyway). When you step into a world that alien, you’ve got to spend time learning the language first, and reassuring them that you come in peace.
Here are some tips for making that sea change:
- First, walk the talk loudly, so that everyone around you can hear it. Don’t underestimate the power of setting an example (or, in more woo-woo terms, becoming the change you want to see in the world).
- Recruit like-minded individuals, ideally spread throughout the organization. Each one can be a seed for your nefarious plans.
- Use both humor and bribery, early and often.
- Pace yourself. There will be a lot of people who don’t like change, or don’t like your particular change. Wait them out. If they’re unhappy with you, chances are good that they’re unhappy with other things too, and eventually they’ll move out.
- Be consistent.
- Be visible.
- Be generous. People are most likely to listen to you when you’re helping them.
- Make sure your management is supporting your change. You need at least one person above you who can go to bat for you.
- And finally, save the big guns for later in the campaign, if you really have to take out some lingering resistance. By the time most of the organization has turned, you won’t create as much ill-will when you’ve got to drop the hammer on someone who’s refusing to get with the program. (In some cases, you won’t even have to use the big guns yourself.)
When you’re a security manager, you have to learn to embrace your inner tortoise. Don’t worry, you’ll get there.
Posted by shrdlu on Friday, August 03, 2007
Alex got me going with his rant about the extremely irresponsible Wall Street Journal article, and other ignorant commenters haven’t made it any calmer, so I thought I’d toss a few things out there for anyone who’s tempted to complain about a security policy.
I actually felt a lot of sympathy for Kip Hawley, who is currently being raked over the coals (very expertly, I might add) by Bruce Schneier over on his blog. Kip said:
Imagine for a moment that TSA people are somewhat bright, and motivated to protect the public with the least intrusion into their lives, not to mention travel themselves.
First thing, imagine for a moment that policy makers are well-intentioned, mostly intelligent, and have good reasons that you don’t know about for the policies they create.
The loudest and stupidest criticisms of security policies come from people who have never been in a position of responsibility for security—especially when the stakes are high.
People who give their bosses a hard time often have no idea how annoying it would be to them to be on the receiving end of the same grief. If you’re a learning person at all, you learn a lot in your first supervisory position. It’s a lot like the one-way mirror of parenting: when you’re on one side, you see only yourself; when you’re finally on the other side, you see both sides.
As someone who has had to sit in on policy meetings, keep ugly secrets, and write up policies that met management and legal objectives without going overboard, I can tell you that there are almost always stories behind a new policy that you know nothing about. A new or changed policy is usually brought out in reaction to an actual event, and the reason you don’t hear about it is that litigation is still pending, law enforcement asked us not to talk about it while they’re still investigating, or it’s an HR issue and none of your damned business. If two employees were caught cybering each other on IM and one of them filed a harassment complaint, you’ll see an addition to the sexual harassment policy of your organization that happens to mention “email and instant messaging.” You won’t hear the story unless gossip gets around; management won’t tell anyone who doesn’t have a need to know.
With military or homeland security, the iceberg goes even deeper. You can complain about the secrecy, but only to a point: there are plenty of good reasons why some things are classified, and you won’t understand this unless you walk a mile in the shoes of the people who are really trying to tackle this.
When I try to imagine what Kip Hawley’s organization is trying to prevent, and what they’re not allowed to reveal, I can believe that he’s representing himself creditably in the firing line. When you’re in security, you’re always walking a tightrope, trying to keep public opinion on your side while at the same time protecting things they don’t know or care about, and enforcing rules broken by self-centered idiots or actual malevolent threats. If you succeed, nobody thanks you; if you fail, everyone wants your head.
So let’s cut security officers of the world some slack, ‘k? Assume that they’re just like you—because they are—and that they are both trying to do a good job and know more about the details of that job than you do. If you have been in their place, then you can criticize them. If you don’t think they’re doing a good job, then get out there and start doing it yourself. Make a difference.
Otherwise—and I mean this most sincerely—shut your pie-hole.
What’s wrong with this picture?
DeMott, who runs Rockford, Mich.-based VDA Labs with his partner Justin Seitz, said he called LinkedIn to either sell the bug or offer his company’s consulting services, like he does for any vendor impacted by a vulnerability discovered by DeMott or Seitz.
VDA Labs charges about $175 to $200 an hour for consulting and usually about $5,000 to purchase a significant zero-day flaw, DeMott said.
There’s just no pretense at all about looking out for the interests of users or vendors here. Just himself and his wallet.
DeMott said he never sells vulnerabilities to non-U.S. or criminal buyers, nor does he do business with such bounty programs as VeriSign iDefense Labs and TippingPoint Zero Day Initiative over worries they might keep the vulnerability details, even if they reject the discoverer’s findings.
In other words, he’s afraid they’ll use his “intellectual property” and ruin his own chances of making money off it.
“I see both sides of it,” he admitted “But I also see that as a researcher, I work hard days and nights to find these bugs. I think we deserve some compensation.”
Without getting too Lindstromian (Lindstromesque?), who asked you to look for them??
Posted by shrdlu on Wednesday, July 25, 2007
I read this article with no surprise at all. I’ve been meaning for some time to blog about what I see as widespread ignorance of security work outside of the US. I just never got time to collect all the examples I wanted to highlight. But Jason Hiner’s article serves as a good enough springboard all by itself.
His attempts to reassure American readers just perpetuate their self-centeredness and ignorance.
“The U.S. is at a tactical disadvantage at the moment. Since many of today’s latest technologies (in virtually every field) are simpler to use and implement, have more features, and are much cheaper than their predecessors, international upstarts have a big advantage right out of the gates when they establish their internal IT infrastructure.”
In other words, “Of course we invented all the good stuff and made it so easy, a caveman^H^H^H^H^H^H^Hforeigner could use it.” The use of the word “upstart” is a dead giveaway. How dare these foreigners attempt to achieve our level of technological superiority?
“This was bound to happen as IT helped accelerate globalization.”
Again, the assumption that Americans created all IT and passed it on to everyone else.
“Silicon Valley is still the epicenter of the technology world ... there are still more new and innovative tech ideas concentrated in Silicon Valley than anywhere else on earth.”
The key word here being “concentrated.” Sure, you might have more IT shops per square inch in Silicon Valley, but do they really out-innovate all the other IT companies and universities all over the world? I don’t think so.
“The sleeping giant hasn’t woken up yet.”
Don’t worry, Americans, you can still grab the crown back if you try.
This sort of arrogance and complacency on the part of the US completely misses the fact that there has been plenty of innovation throughout the rest of the world, and it certainly isn’t a new thing. Fifteen years ago I was working in Europe, joining international working groups, and seeing firsthand the groundbreaking work that was being done. The Swiss have their ETHZ; Germans have their high-tech incubators and excellent academic research all over the country; the British have IT centres in Ireland, Scotland and of course England; the French had their Minitel way before the World Wide Web (which, I hardly need point out, was invented by an Englishman at CERN). Today, Israel receives a grudging acknowledgment of its innovation in security software. Chinese hackers wouldn’t pose nearly the threat that they do to US military networks if they weren’t any good at it. There’s plenty of innovation going on in Russia and South America, not all of it good, but certainly noteworthy. Singapore invented the high-tech city long, long ago.
Do I need to mention Knoppix (German)? IRC (Finnish)? Linux (Finnish)? The well-known Polish researcher at COSEINC in Singapore? Korean broadband, which just blows the US away? Let’s not even get started on what Japan has done.
People, the only ones who ever thought the US was the bright center of the tech universe were the Americans themselves. Once in a while the “sleeping giant” wakes up a little bit and realizes that there’s the rest of the world out there. Too bad, so sad.
Posted by shrdlu on Monday, July 23, 2007
when working in IT security:
1. Quick, I need a medium-scandalous JPEG to post.
2. Make mine a Caesar cipher ... with the bacon bit, please.
3. When he goes falsetto, you know it’s time to leave the room.
4. Yes, we’re the security group, but we don’t break into lockboxes. Sorry.
5. Let’s just hook up the printer straight to the shredder.
6. Damn, I forgot your password.
7. No, drawing a black line in the Word document doesn’t count as redacting.
8. Just how far DID we get bent over?
9. Let’s get the pentester drunk tonight so that he’ll sleep late while we upgrade the firewall.
10. I sure hope that’s a milkshake on that keyboard.
And things I never thought I’d hear myself say ... quite so much:
1. We’re doing WHAT??!??
Posted by shrdlu on Sunday, July 22, 2007
I'm an IT security manager who has worked in various places around the world and in the US. If I told you more, well ... you know.