Tuesday, May 29, 2007

Friday, May 25, 2007

Ack, Ack, Ack

Just wanted to reiterate something from Wade's blog:

Watch your thoughts: They become your words.
Watch your words: They become your actions.
Watch your actions: They become your habits.
Watch your habits: They become your character.
Watch your character: It becomes your destiny.

OSX'ers... please don't create a monoculture!

Well there is an argument out there that the security framework of OSX/BSD's is far superior to that of Windows - however - aside from the MOAB Month of Apple Bugs ( which incidentally didn't have an unassisted arbitrary remote code exploit - which was wormable ) it's nice to see some of my trusted analysts chime in.

"Apple running OS-X is the clear operating environment of choice today for most
normal users and most businesses, especially for notebook computers."

Report here from Fred Cohen and Associates: http://all.net/Analyst/2007-06.pdf

Saturday, May 19, 2007

How to assign value to digital objects and flows

This may be my next programming project. As a wise man once said, "You either code, or you don't!". Hmmm.. I think it was me actually. As a student of life once said, "...

Anyway here's the new pitch. A statically linked, cross platform binary to implement my 'Doobies' implementation of information evaluation in an enterprise. It takes advantage of multicast DNS and unicast DNS, thus the paths are already there! The client shoots off reports every so often to the 'reporter' which is the first entry in the 'value' subdomain, under 'reporter.value.companyx.com'.

Building blocks for client: Zeroconf, Netconf, BeePy, mDNS , nProbe and for some unknown reason, maybe resiliency?.. DHT's come to mind as does Anycast !

My head hurts ...


The web is about to explode all over again, and I mean in a 2002/3 CodeRed/Slammer/Nimda/Blaster/Nachi type of way. With services like Dapper and the new flavours of mashup AJAX'y type apps - it's hard to get your head around how information will be mangled by consumers, hobbyists and MISCREANTS.

I believe soon everyone will be running their own OpenID servers or will require SSO services to reduce the identity overheads of all these network-centric services. No one has addressed the old issues of domain ownership and transferral though. These are generally rooted in silly things like confirmation by fax, whereby no one bothers to check the calling parties number. Don't get me started on headed notepaper.

I used to "dis" the Jericho Forum, but the web is morphing from the inside out. Combine this with mesh, mobility and multicast/p2p and the funny thing is... we need to secure even more rather than less in enterprises. We've known this for a while. Anyone who throws out their firewalls yet might as well take the doors off their houses too. Decommisioning is expensive at all levels and hard to do well. Legacy kit and issues abound.

However, the paradigm has already changed. It's still the Internet and World Wide Web, just there's more of it and the information is being atomized and made even more malleable and 'remixable'.

This scared me today, though I had heard of the previous incidents of self-replicating XSS ...

Funny thing is, all these open API's are creating another type of wider monoculture built on more layers than just TCP/IP.

Doobies.

I have joked before about units called 'doobies' but the idea is simple and flexible. Assume secure DNS. Use DNS as the dynamic database that it is - to create a sub-domain that relates to value. Each organisation may have different values/exchange rates to their own countries currency unit.

Once you breakdown your traffic to objects and flows and start quantifying different types, you can then assign arbitrary amounts to atomic entities to begin with and tweak from there.

value.companyx.com

dns-flows.value.companyx.com
dns-packets.value.companyx.com
dns-records.value.companyx.com
customer-ssn.value.companyx.com
customer-address.value.companyx.com

This could get very complicated very quickly, but could also be as basic and simple as one wanted. Using either any part of IPv4 address space or just BOGONS/Martians RFC1918/RFC3330 current values are resolved and could have huge scope depending on the organisation.

This value is your 'dooby' value. Devices report back, or are queried, on how many of each type of object they have processed or stored in an interim. Devices then supply flexible stats and can consult a central value database.(Kinda like SNMP/RMON only better, unless I am missing
something!)

DNS is ubiquitous. Kernel hooks to a special accounting/reporting client is required.

Device processed x times type y 'doobies'. What is the current 'dooby' exchange rate for my organisation?

Maybe you could re-use SNMP but I think the centralised DNS store of current values is more flexible.

Thoughts, this is just a beer mat type scribble idea on my behalf.

Thursday, May 17, 2007

Horse and cart? Cart and horse?

Donal to Securitymetrics mailing list.

(snippet)

Is not our problem that of assigning value to digital objects and/or their contents? First we need a good handle on our objects.

So intrinsic in 'Security Metrics' I posit are 'Non-Security Metrics' of sorts ;)

Are we putting the cart before the horse?

(snippet)


Basically the thrust here is that we are trying to measure security and risk without actually fully measuring the playing field, players and game to begin with. This is self-defeating as we only then sell FUD. One must first assign a value to digital objects no matter how hard that may be. I have suggested interim value units in the past that can be susequently assigned dynamic financial values on a per organisation basis. This could be achieved with DNS ( though DNS is a target in itself! )

"Security metrics deal with risk and risk is not about security - it's about the utility of content." ( From a highly respected individual in the field. )

So how do we measure our content and track it in the first place?

We cannot assign a value to something if we don't know it's actually there, what it is exactly... how many of them there are and where etc. Flexible real time distributed content inventory is required. This harks back to my emerging belief in a form of 'Total Information Awareness' and digital surveillance of networks. Distributed endpoint file/object indexing, keylogging etc. This then also raises issues regarding the security of said goldmine of information.

Yes, I am steering back towards the 'network computer'... thin everything!

Wednesday, May 16, 2007

Watch the bits go bye!

More Infosec stuffing:

Haven't brushed up on 'information geometry' yet ;) but this reminds me of what I was trying to map out with raw real data here:
http://static.flickr.com/47/174233556_2c39eb159b_o.jpg

Long rambling post lives here if anyone is interested, but very network centric and is garrulous and overblown: http://bsdosx.blogspot.com/2006/06/byo-rfc.html

Basically, should we be mapping everything real time at the data object and/or flow level from an operational perspective. Could every managed node actively stream back data? Should there be secure management covert channels ( Think Sebek http://www.honeynet.org/tools/sebek/sebek_intro.png ) to constantly feed back a nodes state, message passing and flows?

When you think about it, are nodes too independent and not surveilled enough? Rather than configure something to monitor/watch them (Openview, IDS, Argus), assuming initial trust, could they *constantly* advertise/disseminate statistical/session data that could be base lined (other than syslog/SNMP traps etc)? Am thinking initial zeroconf and MANETS style operation here, or MMORPG gaming clients? libkstat on steroids?

I know Verdasys have Digital Guardian, CA have Audit... but will Enterprise Digital Rights Management scale, or does it have the same problems as PKI.

Surveillance and Adhocracy scale. With utility computing, servers will move and be re-purposed and the clients are already on the move.

Tuesday, May 15, 2007

Future, past and present.

I'm brewing a post about the future, as I think we are somewhat
entrenched in the past and present.

For the moment the powers that be are waking up to support the object
level security model, until reductionist thought strikes again :) I
guess we'll always have data at rest, data being utilised and the
resulting message passing or flows.

Anyway onwards and upwards.

a) Van Jacobson (Research Fellow at PARC) talks about new paradigms
and security problems from the network up. Jump to 38 minutes in, as
the start is a history lesson, albeit frames the old paradigms and
ensuing discussion extremely well.


http://video.google.com/videoplay?docid=-6972678839686672840

Thanks Wade. Props to http://www.blog.wi.id.au/

b) Also, when looking at things like new paradigms for computing.
[Stargate replicators anyone]?

Neil Gershenfeld (MIT Director for Bits and Atoms) The beckoning
promise of personal fabrication.

http://www.ted.com/index.php/talks/view/id/90


"We don't need to keep having a digital revolution"


Personal note: I especially love the fact that the Google video is
subtitled and that at the time there was a person signing for the
deaf. We need to cater for all walks of life as per the colour blind
discussions on visualising data. It shouldn't just be about 'survival
of the most adaptable'. Is Future Shock and technology going to
implement an unconscious eugenics program?

Monday, May 14, 2007

The Holy Grail?

"Loosely coupled, rich internet applications and media delivered via infinitely scalable and secure utility computing to mobile thin clients in mesh environments."

I invite suggestions for my description. I invite comments and criticisms.

Note: Must keep to one sentence though ;)

Sunday, May 13, 2007

Time for a smile.

This kid breakdancing is the first thing in a while to make me laugh out loud, enjoy!



Another brief smile is here.

Maybe there is something weird in the ether today, but here is another one.

Saturday, May 12, 2007

Infosec the video.

Video Link

forward-thinking

Rob Thomas has been a hero of mine ever since reading him on the First.org private lists. He founded (http://www.cymru.com/) Team Cymru. He features in this video, along with Richard A. Clarke.

Good to see the Department of Homeland Security training up the United States Secret Service. Geo-political boundaries anyone?

Rob first opened my eyes to the fact that something like a GSR ( Cisco 12000 Series Internet Routers ) could be 0wned and used to bounce or generate malicious traffic. Can you actually imagine a box with multiple OC-48 ( and above ) POS interfaces ready to do some miscreants bidding? “im4 g0nn4 p4x0r j00!”

More ForwardEdgeII training videos!

Friday, May 11, 2007

I love it...

Just re-read one of my links to recent testimony given by Dan Geer to the US Department of Homeland Security's Sub-Commitee on Emerging Threats, Cybersecurity, and Science and Technology.

Quote from page 2:

"Information security is perhaps the hardest technical field on the planet."

F**kin' A.

(I, or even he may seem biased, but those in the know will wholeheartedly agree.)

Q.E.D.

Wednesday, May 09, 2007

Collections of quotes.

I had emailed these around recently, you gettin' any warm and fuzzies?

The religion of the future will be a cosmic religion. It should
transcend personal God and avoid dogma and theology. Covering both the
natural and the spiritual, it should be based on a religious sense
arising from the experience of all things natural and spiritual as a
meaningful unity. Buddhism answers this description. If there is any
religion that could cope with modern scientific needs it would be
Buddhism. (Albert Einstein)

A human being is part of the whole called by us universe ... We
experience ourselves, our thoughts and feelings as something separate
from the rest. A kind of optical delusion of consciousness. This
delusion is a kind of prison for us, restricting us to our personal
desires and to affection for a few persons nearest to us. Our task
must be to free ourselves from the prison by widening our circle of
compassion to embrace all living creatures and the whole of nature in
its beauty. The true value of a human being is determined by the
measure and the sense in which they have obtained liberation from the
self. We shall require a substantially new manner of thinking if
humanity is to survive. (Albert Einstein)

The most beautiful and most profound experience is the sensation of
the mystical. It is the sower of all true science. He to whom this
emotion is a stranger, who can no longer wonder and stand rapt in awe,
is as good as dead. To know that what is impenetrable to us really
exists, manifesting itself as the highest wisdom and the most radiant
beauty which our dull faculties can comprehend only in their primitive
forms - this knowledge, this feeling is at the center of true
religiousness.
( Albert Einstein - The Merging of Spirit and Science)

Reality cannot be found except in One single source, because of the
interconnection of all things with one another. (Leibniz, 1670)

All things are parts of one single system, which is called Nature; the
individual life is good when it is in harmony with Nature. (Zeno)

But also really like Wade's quote page [ http://tumblr.wi.id.au/ ]as it has a similar theme.

Saturday, May 05, 2007

Game theories for the World

Should we all be playing non-zero-sum games?

In the words of author Robert Wright (TED talk), "players with linked fortunes tend to cooperate for mutual benefit", and "All the salvation of the world requires is the intelligent pursuit of self interest in a disciplined and careful way".

Moral evolution is required via appreciation for the interconnectedness of all things.

I have been thinking for quite some time now that games like Sim City are required as part of a more subtle education system to help to teach kids about interdependence and how societies and civilisation actually works. Also, if kids aren't creating entertainment any longer and just consuming entertainment while mimicking the wrong role models , surely as a society we are responsible for re-architecting how they perceive society and should introduce different paradigms to their learning and living. We have indeed outsourced almost all thought, decision making and learning to the mass media while demonstrating mostly the negative traits of human nature such as greed, intolerance and lack of discipline. We breed autonomic consumers.

Personally I believe we should be getting kids to game with things like Sim City, A Force More Powerful and FoodForce . Imagine a multiplayer non-zero-sum game akin to Command and Conquer where the only answer was to negotiate and collaborate rather than mutual assured destruction. Let them play it out over the course of a term in teams and hopefully like WOPR they would come to realise the best strategy!

We are either unconsciously breeding a new generation unequipped for the present/future day or we can consciously adapt to the increasing rate of change in the world and move out of the outdated and inept mass-industrialised focussed educational structure to a more modular digitally orientated autodidactic framework.

"Welcome to the internet my friend."

Friday, May 04, 2007

Wednesday, May 02, 2007

Good things, when short, are twice as good.

If you know anything about information security, claim to, or even have a passing interest; then this 3 page PDF document will reinforce, refresh, and explain concisely the issues we face.

"The Committee on Homeland Security's Subcommittee on Emerging
Threats, Cybersecurity, and Science and Technology will hold a
hearing entitled "Addressing the Nation's Cybersecurity Challenges:
Reducing Vulnerabilities Requires Strategic Investment and Immediate
Action." Witnesses include Dr. Daniel E. Geer, Jr., Principal, Geer
Risk Services, LLC; ........."
....

Dan's testimony is here:

http://geer.tinho.net/geer.housetestimony.070423.PDF

Security metrics, expertise supply, increasing risk due to intelligent attacks, information sharing (my personal favourite) and accountability as opposed to access control.

Note: You may be interested also in some of Dan's other publications:
1. "Data Loss Prevention" [http://www.verdasys.com/pdf/dlp_whitepaper.pdf]
2. "Securing the Point of Use" [http://www.verdasys.com/pdf/SecurePOS.pdf]
3. "Convergence" [http://geer.tinho.net/ieee.geer.0606.pdf] of physical and digital security.
4. "The Evolution of Security" [http://geer.tinho.net/acm.geer.0704.pdf]