Wednesday, April 30, 2008

Phrase of the day...

Reading away in some official blueprint documents for a client..... came across the phrase "opportunistic use of automation"... tee hee.

Definition of opportunistic from my Mac's 'Dictionary and Thesaurus':

opportunistic |ˌäpərt(y)oōˈnistik|

exploiting chances offered by immediate circumstances without reference to a general plan or moral principle : the change was cynical and opportunistic.

Tuesday, April 15, 2008

Internet Infrastructure Report from Arbor

Nearly forgot to read/listen to this one this year. Sound ain't great (would have expected more from the guys), but the content is worth a listen, or the report a read.

PDF below:

Monday, April 14, 2008

Screwing with perception.. quality

So basically time stops and challenges people's perception of reality. Wonderful, really.

Friday, April 11, 2008

Microsoft end-to-end rebuttal, trust me

From: "Establishing_End_to_End_Trust.pdf"
The word transitive is not used once though hinted at. Let me preface the below rant with the fact that I don't have the answer(s). As pointed out in the article on Page 7: "As noted below, there are historic, economic, social, and political forces that suggest a well-constructed regime is better than none at all, especially in light of the challenges we face on the Internet and the desire of people to be more secure in their daily lives"... and "We must create an environment where reasonable and effective trust decisions can be made." Agreed.

However: ( Christ their lingo could do with some updating and accuracy though... read on... !)

Apparently sloppy code, the pace of technology, a bloated, incestuous, self-serving IT industry lacking in basic engineering discipline (around tolerances and expected usage), coupled with complexity, default permit, the low cost of massively parallel attacks, jurisdictional immunity... yadda, yadda, has *nothing* to do with our current predicament.... it's *all* about end-to-end trust... hmm, subjective or objective, guys? I'm hoping end-to-end includes the dependencies that arise from transitive trust...

Apparently though "Experience shows that most cybercriminal schemes are successful because people, machines, software, and data are not well authenticated and this fact, combined with the lack of auditing and traceability, means that criminals will neither be deterred at the outset nor held accountable after the fact. Thus the answer must lie in better authentication that allows a fundamentally more trustworthy Internet and audit that introduces real accountability"

Page 4 "But staying the current course will not be sufficient; the real issue is that the current strategy does not address effectively the most important issue: a globally connected, anonymous, untraceable Internet with rich targets is a magnet for criminal activity—criminal activity that is undeterred due to a lack of accountability.".... hmmmm yeah but what about

Geer: "Everything about digital security has time constants that are three orders of magnitude different from the time constants of physical security: break into my computer in 500 milliseconds but into my house in 5 to 10 minutes."

Geer: "Human-scale time and rate constants underlie the law enforcement model of security. The crime happens and the wheels of detection, analysis, pursuit, apprehension, jurisprudence, and, perhaps, penal servitude then, paraphrasing Longfellow, “grind slowly, yet they grind exceeding fine.” In other words, law enforcement generally has all the time in the world, and its opponent, the criminal, thus must commit the perfect crime to cleanly profit from that crime."

Geer: "If the physics of digital space and digital time mean we ally ourselves with the intelligence world view and not the law enforcement world view, we have to ask ourselves two things: is the price of digital surveillance a bearable price for the benefit of digital safety? And, if so, what is the unit of digital surveillance? What do we watch—people or bits?"

Back to Microsoft:Establishing_End_to_End_Trust:..

Page 8: Misuse of the word hacker: "external hackers with access to their systems, in large part because a hacker"... will they ever learn, or at least work harder for a little respect? Apparently "device-to-device authentication" will foil the "hackers", and scripted attacks are a problem because they make the attack cheap: "thus making anyone an “expert” hacker; and the amount of data that can be stolen is limited only by bandwidth." (Page 10)

Page 8: "robust management tools" are predicated on trusted management tools and one would hope them to be robust to begin with :)

Page 8: "depending on the threat level" , define threat and what metric is employed to address the level?

Page 8: "flooding and probing attacks"... is probing an attack?

Page 8: "Autonomous defense would be possible if, for example, packets likely to be malicious (because they are reliably identified as coming from a dangerous source) could be dropped shortly after entering the network or at a computer’s interface to the network." erm, a self-defending network by virtue of a firewall?

Page 8: "Even the intractable insider threat could be more successfully addressed because better audit tools would make it easier to identify suspicious access patterns for employees in a timely manner." ok so this is anomaly detection now via trust?

Page 8: "The authentication of identity, device (and its state), software, and data could be used to generate trust measurements that could also be used to reduce risk to the ecosystem." Don't get me started. Although 'trusting the state' is a good concept, trust measurements spin me out, considering 'trust' is somewhat boolean, or at best a nominal measurement :)

Page 8: Apparently "one of the reasons that large enterprises manage risk relatively well is that they have dedicated IT staff implementing risk management programs." hmmmmm.... so throw some people at the issue and get the job done 'relatively' well :)

Page 8: Here comes the NAP pitch: "Yet there is no chief information officer for the public, and no mechanism for protecting the broader Internet by taking best practices from enterprises, such as Network Access Protection, and applying those practices to the public." What about FIRST, NSP-SEC, Arbor, Internet Motion Sensor, network telescopes and ISPs in general? Ummm... NIST? SANS? Sorry guys, Net Neutrality vs extreme ISP hostility with NAP?.. the oul' internet would break, methinks... erm... we don't all conform on the endpoints, ladies and gents, good luck with that one... the internet is a superorganism that is evolving its immune system. Surveillance and telemetry are the first step.

Page 8: We can fix it all "With better authentication and audit, dynamic trust decisions could be made (based upon, for example, the state of a machine) and Internet service providers could use network access controls to limit the activities of “untrustworthy” machines until they were updated."

So Internet-wide NAC/NAP is the answer: don't let the "bad guys" or "bad nodes" on in the first place, and kick 'em off if they're bad(tm).

Page 9: Hmm, "Second, absent the ability to identify and prove the source of misconduct, there can be no effective deterrent—no effective law enforcement response to cybercrime and no meaningful political response to address international issues relating to cyberabuse." true.

Page 10: "Because all software operates in an environment defined by hardware, it is critical to root trust in hardware." hmmmmmm. "If machines did a machine-to-machine-based authentication rooted in TPM keys before allowing a network connection, then one could arguably exclude unapproved machines from accessing network resources. Using new cryptographic techniques, this can be done in privacy-compliant ways." hmmmm, cold boot? (The key itself may never leave the TPM, but whatever it unlocks ends up in RAM, which is exactly where that February's cold boot work went looking.)

Page 14 states: "As the firewall continues to diminish in importance, it is important to focus on protecting data as opposed to simply protecting the machines that store such data." Not sure I'd use this phrase; rather, the focus from all sides is moving up the stack, which by no means obviates the need for firewalling.

Page 15: "standardizing audit data formats and tools".. erm syslog?
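What "identify suspicious access patterns" (Page 8) and "standardizing audit data formats" (Page 15) come down to in practice, as an added example that is not part of the original post or of Microsoft's paper: audit records in the IETF syslog layout (RFC 5424 header plus a structured-data element carrying the fields) fed through two per-user rules, a volume spike against the user's own baseline and off-hours access to an area the user never touches in business hours. The log lines, the `audit@32473` SD-ID (the enterprise number the RFC's own examples use), the field names and the thresholds are all constructed for the illustration.

```python
"""Audit-log anomaly detection over RFC 5424-style records.

Added illustration only: the records, SD-ID, field names and thresholds
below are constructed for the example and are not from any real product.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# <PRI>1 TIMESTAMP HOST APP PROCID MSGID [audit@32473 k="v" ...] MSG
# PRI 110 = facility 13 (log audit) * 8 + severity 6 (informational).
_SYSLOG = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) '
    r'(?P<msgid>\S+) \[audit@32473 (?P<sd>[^\]]*)\] (?P<msg>.*)$')
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Header fields plus SD-PARAMs as a dict; None if not one of our audit records."""
    m = _SYSLOG.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(dict(_PARAM.findall(rec.pop("sd"))))
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def _area(path):
    """'/hr/payroll/q1.xls' -> '/hr/payroll': coarse enough to learn habits from."""
    parts = path.strip("/").split("/")
    return "/" + "/".join(parts[:2])


def _business_hours(ts):
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def find_anomalies(lines, min_days=2):
    """Two rules, each judged against the user's own history, not the population:
    1. volume_spike: a day's access count exceeds the user's other days by
       mean + 3*stdev and is at least double the mean (the second clause
       keeps a zero-variance baseline from flagging +1);
    2. off_hours_new_area: access outside business hours to an area the user
       has never touched during business hours.
    Returns a sorted list of (user, date, rule, detail) tuples, de-duplicated."""
    per_day = defaultdict(lambda: defaultdict(int))   # user -> date -> count
    in_hours_areas = defaultdict(set)                 # user -> areas seen 08-18
    off_hours = []                                    # (user, ts, area)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                                  # not an audit record
        user, ts, area = rec["user"], rec["ts"], _area(rec["path"])
        per_day[user][ts.date()] += 1
        if _business_hours(ts):
            in_hours_areas[user].add(area)
        else:
            off_hours.append((user, ts, area))

    findings = set()
    for user, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            if len(others) < min_days:
                continue                              # not enough history yet
            mu, sigma = mean(others), pstdev(others)
            if count > mu + 3 * sigma and count >= 2 * mu:
                findings.add((user, day, "volume_spike",
                              f"{count} accesses vs baseline {mu:.1f}/day"))
    for user, ts, area in off_hours:
        if area not in in_hours_areas[user]:
            findings.add((user, ts.date(), "off_hours_new_area", area))
    return sorted(findings, key=str)


def _rec(ts, user, path, op="read"):
    return (f'<110>1 {ts} fs01 audit - - '
            f'[audit@32473 user="{user}" op="{op}" path="{path}"] ok')


# Constructed sample: three ordinary weekdays for alice (HR) and bob (eng),
# then on 10 April bob is as usual while alice is in the source tree at 23:40.
SAMPLE_LOG = [
    *[_rec(f"2008-04-0{d}T{h}:00:00Z", "alice", f"/hr/payroll/{f}")
      for d in (7, 8, 9)
      for h, f in (("09", "q1.xls"), ("11", "q2.xls"), ("15", "q3.xls"))],
    *[_rec(f"2008-04-0{d}T{h}:00:00Z", "bob", f"/eng/source/{f}")
      for d in (7, 8, 9) for h, f in (("10", "main.c"), ("14", "net.c"))],
    _rec("2008-04-10T10:00:00Z", "bob", "/eng/source/main.c"),
    _rec("2008-04-10T14:00:00Z", "bob", "/eng/source/net.c"),
    *[_rec(f"2008-04-10T23:{m:02d}:00Z", "alice", f"/eng/source/file{m}.c")
      for m in range(40, 47)],
    "<13>1 2008-04-10T23:50:00Z fs01 sshd - - - login ok",   # not ours, skipped
]

if __name__ == "__main__":
    for user, day, rule, detail in find_anomalies(SAMPLE_LOG):
        print(f"{day} {user:<6} {rule:<20} {detail}")
```

Nothing here needs the "trust measurements" the paper talks about; it needs a timestamp, a stable user identity and a resource in every record, which is precisely the standardised-fields point behind "erm, syslog?". The baseline is deliberately the user's own history rather than a population average, so a payroll clerk reading payroll files all day is not an anomaly, while the same clerk in the source tree at midnight trips both rules.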

Page 15: "one can call or send mail to millions of victims, but the time and cost makes this infeasible." Ye think? Yeah, SPAM is really on the decline, NOT! Microsoft's Penny Black project made sense, though...
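The "time and cost" the paper appeals to is exactly what Penny Black tried to put back: the sender pays in computation per message and the receiver verifies for almost nothing. The block below is an added illustration in the hashcash style (a partial hash pre-image bound to recipient and date), not Penny Black's own design, which favoured memory-bound puzzles so that fast and slow machines pay roughly the same; the stamp format, names and numbers are invented for the example.

```python
"""Computational mail stamp: expensive to mint, one hash to verify.

Added illustration only. Stamp layout (recipient:date:difficulty:counter)
and all names are invented for this example; not Penny Black's design.
"""
import hashlib
import time


def _leading_zero_bits(digest):
    """Number of leading zero bits in a byte string."""
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def mint_stamp(recipient, date, difficulty, max_tries=1 << 32):
    """Sender side: search for a counter such that SHA-256(stamp) starts with
    `difficulty` zero bits. Expected cost 2**difficulty hashes; each extra bit
    doubles it. Binding recipient and date stops one stamp serving everyone."""
    for counter in range(max_tries):
        stamp = f"{recipient}:{date}:{difficulty}:{counter}"
        if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= difficulty:
            return stamp
    raise RuntimeError("no stamp found within max_tries")


def verify_stamp(stamp, recipient, date, min_difficulty, seen):
    """Receiver side: one hash plus a replay check against `seen`.
    Rejects stamps for someone else, for another day, weaker than the
    receiver demands, that do not meet their claimed difficulty, or reused."""
    try:
        r, d, diff_s, _counter = stamp.rsplit(":", 3)
        diff = int(diff_s)
    except ValueError:
        return False
    if r != recipient or d != date or diff < min_difficulty:
        return False
    if _leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < diff:
        return False
    if stamp in seen:            # same stamp presented twice: double-spend
        return False
    seen.add(stamp)
    return True


def cost_of_campaign(n_messages, difficulty, hashes_per_second):
    """Sender's expected CPU-seconds to stamp n_messages at this difficulty."""
    return n_messages * (2 ** difficulty) / hashes_per_second


if __name__ == "__main__":
    seen = set()
    t0 = time.time()
    stamp = mint_stamp("bob@example.org", "2008-04-11", 20)
    print(f"minted {stamp} in {time.time() - t0:.2f}s")
    print("accepted:", verify_stamp(stamp, "bob@example.org", "2008-04-11", 20, seen))
    print("replay accepted:", verify_stamp(stamp, "bob@example.org", "2008-04-11", 20, seen))
    days = cost_of_campaign(10**6, 20, 10**6) / 86400
    print(f"1e6 messages at 20 bits on a 1 MH/s box: {days:.1f} CPU-days")
```

The `seen` set is what stops a single expensive stamp being replayed to the same recipient, and binding the date bounds how long that set has to be kept. The arithmetic in `cost_of_campaign` is the whole argument: a million messages at 2^20 hashes each is about twelve CPU-days on a machine doing a million hashes a second, noise for someone sending a few dozen mails and the entire margin for someone sending a million.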

Ok, at this point I give up or this will get too long..... the whole section on F. Audit (Pages 14/15) is puerile and so far behind the times it's scary... they need to look outside of their Microsoft-shaped box in Redmond.

No mention of the network.

As Ranum states: "The Internet applications stack depends heavily on ARP and DNS and those protocols depend on a tamper-free network. It’s just silly to think your end-point can secure itself if the network fabric is untrustworthy! If the network is untrustworthy, it’s “game over, man!” as Private Hudson would say."

At the end of the piece a question is posed "can we maintain a globally connected, anonymous, untraceable Internet and be dependent on devices that run arbitrary code of unknown provenance?"... Apparently if the answer is no, then " we need to create a more authenticated and audited Internet environment"... DOH!

"it is important to address all of the complicated social, political, economic, and technical issues raised to ensure we end up with the Internet we want, one which empowers individuals and businesses, and at the same time protects the social values we cherish." Agreed, but which *we* is that? And do we want backwards compatibility?

Thursday, April 10, 2008

Counterpoint to the generational divide...

So my Mum sends me this email. She was only introduced to the Internet in 2000.

"I suspected something was running in the background. And fssm32.exe was quoting 92-95 under CPU usage. I googled "fssm32.exe and CPU usage" and found this:

which was exactly my problem. I had had an error message from F-Secure saying it couldn't connect to update. I updated it manually, after a few tries, and ran a

It told me I had two trojan keyloggers, and listed them in the TIF but said it couldn't delete. But they didn't show up under my identity. I found them under the Admin identity, and deleted them. But of course when I rebooted and ran a scan, they were back, only this time in a .dbx of the administrator. The Phishing Email folder. So I deleted both .dbx (me and the admin, who are the same person) cos I knew new folders would be recreated in Outlook. Then I ran "Window Washer" with "bleach" (which means it overwrites files three times) and included 'free space', as well as TIF and the rest ... Then rebooted and ran F-Secure again.

When F-Secure said I was clean, I confirmed it with two online scans -- TrendMicro and Panda. The sluggishness has disappeared. And CPU for fssm32.exe is now saying 02 or 03 when I have only Outlook open. I'm *assuming* for now that if there were any files still in registry, that F-Secure should be telling me. Maybe I shouldn't assume.

On the F-Secure info page about the type of trojan, it said I'd better change all my passwords when I was sure I was clean.

I have "HijackThis" but am nervous of using it without guidance.

The problem *seems* to be related to Windows Automatic Updates. I'm set to Automatic, but when I checked last night, it downloaded 9 Updates, which was a shock. No idea at all how that happened. I'm still set to Automatic Updates."

Noice huh?

Tuesday, April 08, 2008

Sentence of the day, even if I do say...

To a colleague today about IT security and information assurance.

"theory" looking for visionary leadership in a world gone sour, with an inverted pyramidal house of cards being built on yet smaller physical footprints, with sedimentary protocols forming ingrained foundations whereupon we dance with virtualisation in expanded cyberspace with even less capacity for visibility and management, let alone surveillance and optimisation. L2/L3/L2 -> Ethernet/IP-MPLS/VPLS... ESX/vSwitch/Windows = layers of complexity, layers of code, and yet fully fledged OSs pushed further away from the networking stack... abstracted into inner space.....

Sunday, April 06, 2008

Great talk by Richard A. Clarke at Source Boston 2008

As Ranum et al. have been banging on about for ages, Richard has actually been in the belly of the beast! (I think I'm gonna go read Richard's book, a "fictitious" account of state-sponsored cyber-terrorism.)

Saturday, April 05, 2008

Gmoon, Gsky, Gmars

Safety for kids and a trip to Mars?


I have been looking for something like this for a while to point parents towards, to help give them some direction around their children's online activities.

It's a scary topic when you delve deeply into the tech, how to protect the kids. Personally I think parents should keylog kids' machines, but what about outside the home?


Virgin and Google team up to go to Mars.
