Tuesday, April 08, 2008

Sentence of the day, even if I do say...

To a colleague today about IT security and information assurance.

"theory" looking for visionary leadership in a world gone sour with an inverted pyramidal house of cards being built on yet smaller physical footprints with sedimentary protocols forming ingrained foundations whereupon we dance with virtualisation in expanded cyberspace with even less capacity for visibility and management, let alone surveillance and optimisation. L2/L3/L2 -> Ethernet/IP-MPLS/VPLS... ESX/VSwitch/Windows = layers of complexity, layers of code, and yet fully fledged OS's pushed further away from the networking stack... abstracted in to inner space.....

Sunday, April 06, 2008

Great talk by Richard A. Clarke at Source Boston 2008

As Ranum et al. have been banging on about for ages, Richard has actually been in the belly of the beast! (I think I'm gonna go read Richard's book, a "fictitious" account of state-sponsored cyber-terrorism.)

Saturday, April 05, 2008

Gmoon, Gsky, Gmars

http://www.google.com/sky/

http://www.google.com/moon/

http://www.google.com/mars/

Safety for kids and a trip to Mars?

Kids:

I have been looking for something like this for a while to point parents towards to help them with some direction around their children's online activities.

It's a scary topic when you delve deeply into the tech: how to protect the kids. Personally I think parents should key-log their kids' machines, but what about outside the home?

http://www.google.com/intl/en/landing/familysafety/

Mars:

Virgin and Google team up to go to Mars.

http://www.google.com/virgle/index.html

Tuesday, March 25, 2008

ipv6 trix

More notes for myself for future reading, mesh, mobility and stuff...

Google v6 Tech Talks
http://tinyurl.com/2afeqc

What the US is missing by ignoring v6
http://www.infoworld.com/article/08/03/12/11NF-ipv6_2.html

Sunday, March 02, 2008

Anchored in time and tech, need new flows

Information Technology is fluid. IT is a capability whose ultimate goal stays the same, i.e. that of managing information. Unfortunately its operating environment, rules and players constantly change. Essentially what is being dealt with is a 'sliding window' of services constantly being built, tweaked and evolved on a platform of aging non-modular equipment and code.

Sliding windows suffer from extreme lag when they are consistently anchored by non-modular, non-extensible technology *and* people. We find ourselves constrained generally by the long tail of the process, thus consuming inordinate amounts of time and resources which could be better allocated and more productive elsewhere.

One of the foremost problems facing our society today from a technological perspective is not power consumption, general acceptance, awareness or learning, it's actually that of being trapped in the past, the near past. We are not so much trapped per se as beholden to the constraints imposed upon us by the previous architects, engineers, management and chosen technologies. One must ask oneself, why be so short-sighted? Did they really have a choice? Did they not factor in the costs to maintain and deal with change? How does one manage change in an environment where the priorities seem to change daily and technology evolves almost independently while we wait for the Darwinian champion of the 'most adaptable' to succeed?

Once more we should look to nature to see what the criteria for success are in an ever changing environment. Perhaps with this technological challenge we will be more aware of the interconnectedness and influence we exert in the evolution of cyberspace. What is it that we can manage? What is it that we can measure? Either the code needs to start taking care of itself or we need to embrace more fully an old engineering paradigm of loosely coupled replaceable sub-components. I would enjoy seeing both more! Don't get me wrong, we will always need specialists and specialist systems, just built more so from re-deployable units or resources. I am not advocating a monoculture, but a viewpoint or perspective on how we build, considering the future caretakers of our digital creations from the outset.

At this point let me ask you a direct question, dear reader: in how many projects, or how many times, has legacy code, legacy infrastructure or a tightly coupled system thrown a virtual spanner in the works?

Virtualisation itself has started to offer some of the desired benefits alluded to above in relation to extensibility and modularity, but many in management or leadership roles cannot tell you why or how virtualisation will and can benefit us, just that everyone else is doing it and it saves on the power bill.

Until we have our grey goo, a version of true utility computing whereupon perhaps we can 'pour' more computing in or on, or have any node re-purpose itself on the fly for another role, we will continue to build ourselves into cul-de-sacs of wasteful practices. How much time and how many resources are spent trying to manage, measure or repair (while excessively consuming energy) the wrongs of the near past in our IT footprints?

We waste fossil fuels needlessly all the time within IT, but we also waste human capital trying to clean up after an unconscious breed of Information Technology 'professionals' who haven't seen the obvious staring them right in the face... survival of the most adaptable! Corporate memory, just like public memory, is short lived; however techs, just like civil servants, see the politics at play and the players only trying to further themselves. There is a new breed coming, an undercurrent of massively distributed techs with instant communication and new paradigms slowly trying to strip away the ineffectual practices of old. If you are the equivalent of a paper (email) shuffler in the office, adding no value, watch out I tells ya'... the language and sands are shifting and buzzwords just don't cut it any more!

Friday, February 15, 2008

My path, your path?

It exists inside. The gateless gate. It is already there. There is no path. It begins and ends within. There is no formal path. Some need training. Some need challenges. Some need to allow themselves to see further only to see closer. Whether lay or not is not the issue. Practice is all around. Formality can assist, can speed the path. It however is a pathless path, a gateless gate. We have already stepped through. The point at which one embarks on the journey is when they have both left and arrived. You get what I'm saying? YOU are awake already, once you question and ask if you are awake! The next step is only the depth, path and continuing effort or style. Sometimes thinking too much is destructive. Sometimes not thinking at all is destructive. To find the middle way is to have walked the edge and reached many extremes. Extremes cannot be found in comfortable places. The most uncomfortable places are in the mind, not in a geographical space, place or time.

My 0.02 brain cycles worth... my subjectivity is built from "our" objectivity and your subjectivity ;)

Thursday, February 14, 2008

Simplicity

What is it that defines us?
What is the most important thing to us in our short existence?
What is the thing we should cherish most in our lives?
What do we have from birth to death and has the power to colour our lives for better or for worse?

Easy.... our minds, our consciousness...

So why do we neglect something so deeply important to our quality of life and base existence?

Surely we need to engage in some form of mind training or develop more tools to address and deal with our perception of reality?

C'mon guys, why allow a crazy world to passively pollute our minds unnecessarily? Why not focus a little bit on awareness and mindfulness? Start by observing yourself. Then take the time to quietly observe others without judging. Remove yourself from your preconceptions and look with clearer, neutral eyes. Perceive from a neutral standpoint and quieten your monkey mind for a moment.

A good, easily digested, palatable first step in this modern age is the talks online by people like Matthieu Ricard http://www.youtube.com/results?search_query=matthieu+ricard+happiness&search_type= and Anthony De Mello.
http://goldfusion.wordpress.com/2007/08/22/tony-de-mello-videos-online/

Tuesday, February 12, 2008

3 IS the magic number - Mobile, Mesh, Multicast

Real time feedback loops to help the world.

a) have a read of this, a link from Wade (a bit long but worth it):
http://www.cityofsound.com/blog/2008/02/the-street-as-p.html

b) watch this from a Multimedia perspective to round out the concepts
http://www.albinoblacksheep.com/flash/epic

c) as I'm reading Arthur C Clarke's "The Light of Other Days" http://en.wikipedia.org/wiki/The_Light_of_Other_Days

it hammers the point home. Transparency. The multitude of data already out there. Our re-interpretation thereof. Intent. Information management and the integrity thereof. Interdependence demonstrated. Wake up. Welcome to the future. See the MESH. Feel the quantum foam ;)

Monday, December 10, 2007

Spiritual IT Security.

Some duality, some overlap, some scientific methodologies.

Monitor and surveil both your IT and personal "outputs", i.e. what you or the network or system generates and redistributes into the interconnectedness; be it social, personal or technical.

*Then*, and only then, base your controls, processes, methodologies and frameworks or risk assessments upon empirical evidence.

No wonder it's so hard to listen to a system or network, when we don't even listen to ourselves.

Monitor the outputs. Control the inputs. Refine the processes.

Thursday, December 06, 2007

Tell it like it is boys

Spotlight: Cyber Terrorism Roundtable with Sami Saydjari, Marcus Ranum, Dean Turner and hosted by Nicole Greco. Discussion on cyber warfare, cyber terrorism, cyber defense with interviews by Mikko Hypponen and Andrew Colarik. Key issues on Estonia, China, Russia. Aired in November 2007.

And here is a snippet from one of Gunnar Peterson's posts I heartily agree with:

"If you want to make a bunch of acquisitions, outsource a ton of work, send a bunch of projects overseas, have multiple reorgs, connect up a ton of historically siloed systems, hook everything to the web and THEN GO ON A QUEST FOR CERTAINTY - well good luck to ya, mate. I think your time is better spent finding ways to lower your risk of permanent loss than trying (pretending) to achieve some semblance of certainty in that environment." From http://1raindrop.typepad.com/1_raindrop/2007/11/dhandho-infosec.html

Tuesday, November 27, 2007

Note on Virtualisation and RANT

Virtualisation lowers certain overheads and increases flexibility and modularity.

Virtualisation does not address SECURITY until whole system images are checksummed and rotated in a defensive time-based security method/model, with the abstraction layer and hardware also playing a key role in defenses.

I have mused over this before here http://bsdosx.blogspot.com/2006/11/machine-and-service-integrity.html
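As an added example (not code from the original post), here is one way to make the "checksummed and rotated" idea concrete: a SHA-256 manifest of an image tree, verified later against the stored baseline, with the baseline's age checked against a rotation window so an un-rotated baseline is itself reported. The directory layout, file contents and 12-hour window are constructed for the demo.

```python
"""Baseline-and-verify integrity check for a system image tree.

Added example (not from the original post): a directory stands in for a whole
system image. A baseline records a SHA-256 per file plus a timestamp; verifying
later reports changed, added and removed files, and flags the baseline as stale
when it is older than the rotation window, which is the "time-based" part of
the model. File names, contents and the 12-hour window are constructed.
"""
import hashlib
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in 64 KiB chunks so large images never load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, now: Optional[float] = None) -> Dict:
    """Hash every regular file under root; keys are POSIX-style paths relative to root."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            files[p.relative_to(root).as_posix()] = hash_file(p)
    return {"created": time.time() if now is None else now, "files": files}


def verify(root: Path, baseline: Dict, rotation_seconds: int,
           now: Optional[float] = None) -> Dict:
    """Diff the live tree against the baseline and check the baseline's age.

    'clean' is True only when nothing drifted AND the baseline is still within
    its rotation window; an un-rotated baseline is treated as a finding too.
    """
    now = time.time() if now is None else now
    current = build_manifest(root, now)["files"]
    old = baseline["files"]
    common = old.keys() & current.keys()
    changed = sorted(k for k in common if old[k] != current[k])
    added = sorted(current.keys() - old.keys())
    removed = sorted(old.keys() - current.keys())
    stale = (now - baseline["created"]) > rotation_seconds
    return {
        "changed": changed,
        "added": added,
        "removed": removed,
        "stale": stale,
        "clean": not (changed or added or removed or stale),
    }


def demo(tamper: bool = True) -> Dict:
    """Constructed scenario: baseline a tiny 'image', optionally drift it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "image"
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("Port 22\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed binary")
        t0 = 1_000_000.0  # constructed baseline time
        baseline = build_manifest(root, now=t0)
        if tamper:
            (root / "etc" / "sshd_config").write_text("Port 2222\n")  # edited config
            (root / "bin" / "ls").unlink()                             # binary removed
            (root / "bin" / ".cache").write_text("stray\n")           # unexpected file
        # Verify 1 hour later when untouched, or 1 day later (past a 12h window) when drifted
        later = t0 + (86_400 if tamper else 3_600)
        return verify(root, baseline, rotation_seconds=12 * 3_600, now=later)


if __name__ == "__main__":
    print(demo())
```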

As Theo de Raadt mentions over at http://kerneltrap.org/OpenBSD/Virtualization_Security:

"x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

On a side note, I'd like to repeat the below, courtesy of me:
"Everything will be a server, client and fast cache. The P2P model will win. It's the only thing that can. More "zeroconf" is needed. There seems to be no margins for error, tolerances or defensive programming anymore. What gives someone the right to call themselves a software "engineer" anyway?"

I'll post shortly on my new idea regarding regulation of business IT and an IT TAX to force enumeration, visibility and accountability.

Some time soon, I'll get back to IT security. Currently I am working in other areas and departments and re-learning about the human side and realities in which we all operate. The disconnect is massive. The cowboys operating in IT Security are very disheartening to me. The idiots and "old-guard" on both sides of the fence worry me. So many people have no clue of the complexity, and will never grok it. We need to simplify and innovate.

We need to regulate our "industry" somewhat without stifling innovation. Perhaps the Universities should take some of the blame in turning out ignorant coders who don't understand networking or security.... perhaps, perhaps not..... it remains to be seen. I can only talk from experience, and my experience at Uni taught me nothing, other than that I hated coding and ignored my networking lecturer. I got a degree in Computer Science; I crammed before all exams, some days not even knowing what exam was on that day until I asked my colleagues. All Comp Sci did was pique my curiosity, I might as well have stayed in the Uni bar *all* the time. This might just be my personal version of "learning" at Uni (I like to call it regurgitation), but 99% of my tech was learned on the job ;)

How did I become so bitter and twisted? Am I really? Surely I am an optimist at heart?

Once we see the COMPLEXITY we harken after SIMPLICITY in all matters in life.

Sunday, November 18, 2007

Damn straight... but sorta' bendy

From Drazen comes this snippet of a quote from Computerworld interviewing the legendary Frank Abagnale of 'Catch Me If You Can' fame:

"Computerworld Staff: Is there anything we can do to make illicit computer-related activity a less attractive pursuit for young people?

Frank Abagnale: There are about four reasons why we have crime to begin with. One of them is, of course, that we live in an extremely unethical society. We live in a society that doesn't teach ethics at home, a society that doesn't teach ethics in school because the teacher would be accused of teaching morality. We live in a society where you can't find a four-year college course on ethics. I have three sons who went through graduate school; only the one who went to law school had a course even offered on ethics. So today you have a lot of young people who have no character, no ethics and they find no problem in defrauding somebody or stealing from somebody or cheating somebody. Until we change that, crime is just going to get easier, faster, more global, harder to detect.

Computerworld Staff: Any thoughts on how we can bring that change about?

Frank Abagnale: I think you need to bring character and ethics back into schools, and you certainly need to bring it back into colleges and universities as part of a curriculum. Only about half of Fortune 500 companies even have a code of ethics or code of conduct. The ones that do have one publish it every five years on an inside page of their annual report to appease their shareholders. So, obviously, there's no big effort out there to bring about that change. Rutgers just finished a five-year study that found that 56% of MBA students cheated.

There are really no con men anymore like there were in my day, because you really don't have to associate with anyone. You don't have to be well dressed and well groomed and well spoken. Everything's done on a computer; there are no witnesses. So even if you know who's doing it, you probably don't have the ability to go capture them. Chances are you have no idea what they look like; they can sit in their pajamas and commit all these crimes."

There seems to be no mandatory or enforceable cost any more for performing an act that is detrimental to the health of the net or its component systems. Our super-organism (the internet) is being eaten from the inside out while we neither realise nor appreciate the symbiotic relationship we have created between man and machines.

Who is held accountable, and how, when we can't even agree upon or incentivise actions to help protect our immediate and more fragile internetwork, the green planet we call home? I had a few ideas here: Some cud, but I still wonder about the fact that there are too many humans, just ask Mr. Malthus!

Wednesday, October 31, 2007

Process begets process...

"Time was when we could just re-cable the server ourselves, and not have to pay some idiot $100 to move the thing", was heard across the room today in a large client's office, and oh did it ring true... however as organisations mature -> processes place a framework around work carried out and services are measured via uptime and other SLAs.... no more adhocracy, only at the wiki level!

Measure.. hmmmmm.. that's a funny word in IT isn't it... 'MEASURE','MEASURE'...M-E-A-S-U-R-E

- measurement: the act or process of assigning numbers to phenomena according to a rule; "the measurements were carefully done"; "his mental ...
- standard: a basis for comparison; a reference point against which other things can be evaluated; "the schools comply with federal standards"; "they set the measure for all subsequent work"
- how much there is of something that you can quantify
- any maneuver made as part of progress toward a goal; "the situation called for strong measures"; "the police took steps to reduce crime"
- bill: a statute in draft before it becomes law; "they held a public hearing on the bill"
- determine the measurements of something or somebody, take measurements of; "Measure the length of the wall"
- meter: (prosody) the accent in a metrical foot of verse
- quantify: express as a number or measure or quantity; "Can you quantify your results?"
- have certain dimensions; "This table surface measures 20 inches by 36 inches"
- musical notation for a repeating pattern of musical beats; "the orchestra omitted the last twelve bars of the song"
- measuring stick: measuring instrument having a sequence of marks at regular intervals; used as a reference in making measurements
- place a value on; judge the worth of something; "I will have the family jewels appraised by a professional"


So I text myself sometimes when particular thoughts cross my mind:

"First you need visibility/surveillance, and then accountability of packets, flows and data objects, then comes valuation of said data objects, services and supporting infrastructure... now we can have meaningful conversations about risk and IT security"

Hmmmmm... sampling, measuring, identifying.... what's your IT footprint? What's the last IT related report you looked at, what did it measure and what did it really say about your organisational IT footprint?

Monday, October 15, 2007

Some fun...

Was surfing here, http://xkcd.com/ and added it to my RSS feeds http://syndicated.livejournal.com/xkcd_rss/profile ;) Actually came from the FUNSEC mailing list but my mate Wade had sent me one of the comics before.

Monday, October 08, 2007

'Meta' or 'Metta' security....

Basically I'll let Mr. Bejtlich, with his 'Three Wise Men' of security, summarise practically all that currently needs to be known about the state of play in and around the IT Security Industry and IT Security Risk areas. On the shoulders of giants and all that!

http://taosecurity.blogspot.com/search?q=three+wise+men

Dan and Marcus are definitely on my list, though I haven't really read this Ross Anderson guy; however Richard himself is on my list, along with Rob Thomas from Team Cymru.

On another note, to save you signing (or reading about signing up) for tonnes of bullshit, please find below a great 'Point:CounterPoint' from Bruce Schneier and Marcus Ranum. DRM/Copyright.. nah...

Erm, hopefully without getting in trouble and making others spend 5 minutes signing up to read the below, here it is in all its glory.

Bruce Schneier

Point: To the average home user, security is an intractable problem. Microsoft has made great strides improving the security of its operating system out of the box, but there is still a dizzying array of rules, options and choices users have to make. How should they configure their antivirus program? What sort of backup regime should they employ? What are the best settings for their wireless network? And so on.

How is it possible that we in the computer industry have foisted on people a product that is so difficult to use securely, it requires so many add-ons? It's even worse than that. We have sold the average computer user a bill of goods. In our race for an ever-increasing market, we have convinced every person that he needs a computer. We have provided application after application--IM, peer-to-peer file sharing, eBay, Facebook--to make computers useful and enjoyable to the home user. At the same time, we've made them so difficult to maintain that only a trained sysadmin can.

And we wonder why home users have such problems with their buggy systems, why they can't seem to do the simplest administrative tasks, and why their computers aren't secure. They're not secure because home users don't know how to secure them.

At work, I have an IT department I can call if I have a problem. They filter my Net connection so I don't see spam, and most attacks are blocked before they get to my computer. They tell me which updates to install. And they're available to help me recover if something happens to my system. Home users have none of this support.

This problem isn't going to go away as computers get smarter and users get savvier. Next-generation computers will be vulnerable to different attacks, and next-generation attack tools will fool users in different ways.

This isn't simply an academic problem; it's a public health problem. In the hyperconnected world of the Internet, everyone's security depends in part on everyone else's. As long as there are insecure computers out there, hackers will use them to eavesdrop on network traffic, send spam and attack other computers. We are more secure if those home computers attached to the Internet via DSL or cable modems are protected against attack. The only question is, what's the best way to get there?

I wonder about those who say "educate the users." Have they tried? It's unrealistic to expect home users to be responsible for their security. They don't have the expertise, and aren't going to learn. And it's not just user actions we need to watch; computers are insecure out of the box.

The only way to solve this problem is to force the ISPs to become IT departments. There's no reason they can't provide home users with the same level of support my IT department provides me, or a "clean pipe" service to the home. Yes, it will cost more, and require changes in the law to make this mandatory. But what's the alternative?

In 1991, Walter S. Mossberg debuted his Personal Technology column in The Wall Street Journal with the words, "Personal computers are just too hard to use, and it isn't your fault." Sixteen years later, it's doubly true when it comes to computer security.

If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There isn't any other way.

Marcus Ranum

CounterPoint: I'm sure that many of the things Bruce points out about computers at some point or another applied to automobiles or any other technologically interesting and complex device. There was a time, in the early days of the automobile, when any idiot could go 75 miles per hour with no requirement for training, safety equipment or sobriety. As Bruce says, eventually that kind of thing becomes a public health issue and then society begins to enforce constraints. Question is, do society's constraints make a difference, or does time cure these ills?

When I was growing up, there was just one kid in my entire high school who had a computer. Today, it seems every kid 8 and older is a Windows sysadmin. And some of them are better at it than you might expect. That's because they grew up doing it, and the human brain appears to be able to integrate amazingly complex tasks as "normal" as long as we're introduced to them early enough. Bruce, I think the problem is not with all the home users--I think it's with the adult home users.

I see the generational distinction most clearly with my parents. My father still writes using an old Underwood typewriter. My mom has adopted a computer, but she's exactly the kind of user you're worried about--she clicks "OK" on anything, and seems to be trying to collect spyware. Thinking about it, most of the generation before mine is pretty uncomfortable with computers, and I was one of the early experimental kids who grew up networking on the ARPANET and BITNET. Does that have something to do with the fact that I have always had a good grasp of the concepts of transitive trust and distributed systems? I think it does; I think the analytic parts of our brains, if given a task early on, are able to make sense out of all kinds of insanely complicated things.

"Educate the user" is an old mantra in security, and its uselessness is one place where Bruce and I agree. I think, though, that building simpler systems is not the answer. The answer is to let the current user population die off! It's going to happen, anyhow.

Forcing ISPs to support home users, or re-engineering computers to be simple enough for us old coots to understand, completely misses the point. At the point where enough customers want simple-to-use Internet terminals, a market will develop. Arguably, it already has--witness the evolution of handheld PDAs and centralized "no spam" managed free email services. The complexity of the Internet and software administration is getting absorbed into the IT infrastructure of Google, Yahoo and MySpace.

I'm not demanding that Detroit make cars that are simple enough for me to repair; I choose to buy vehicles that are usually reliable, and I outsource the repair work to the mechanic up the street. Perhaps what we're doing is shifting complexity around in our lives: I never learned how to fix a transmission, but I can still scratch-bake a firewall with a custom filtering reverse Web proxy in a weekend. I've seen home users who can't manage a Windows XP upgrade, but who can successfully instrument-land a jet fighter.

Bruce, when you and I are old coots sitting on the porch, you'll be amazed to see the current generation of kids nimbly navigating their way through software and system configurations that completely blow our minds. Relax; it's just what progress looks like from our side of the hill. Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.

Saturday, October 06, 2007

Monday, September 24, 2007

5 years from now!

Stuff to think about:

- PCI DSS (Payment Card Industry Data Security Standards) QSA (Qualified Security Assessor)
- NetFlow/IPFIX (Crannog/NetScout/Arbor), as networking/security is increasingly about context/relationships/visibility.
- Normalization/baselining tools a la PeakFlow, Sourcefire RNA
- Visualisation and Modelling (Opnet)
- IDS/Rootkit detectors for virtualised environments (watch this space... BluePill/F-Secure)
- Security Metrics (emerging/huge future as currently un-quantifiable!) and audit via Skybox / Algosec
- Digital Signage, MCAST/P2P distribution JOOST style.
- Infrastructure/solutions to facilitate SaaS (Software-as-a-Service) e.g. Salesforce/Joomla/Atlassian (Confluence)/GoogleApps/Zimbra/Zoho, virtual offices whereby nodes act as client/cache/server and don't back up locally but rather to Web Services akin to AWS (Amazon Web Services), S3, EC2. Managing a virtual customer's DNS and aggregating management of their services has potential?
- Mobile and mobility gateways, 3G (HSDPA v2) vs WiMAX back-haul for project offices/satellite sites and SME/SOHO
- Location based services and GIS (Geographic Information Systems)
- Identity Management via OpenID/CardSpace (InfoCard) hosted services.
- Thin clients (Neoware)
- Fixed Mobile Convergence (still a while off!) Engin / MyNetPhone / SIP/IAX/Asterisk

Web 2.0+ has as many solutions as problems, a new middleware tier (an 'internet service bus' if you will!). Businesses will increasingly want more audit/control, lower operational overheads and greater security via thin-client computing utilizing the browser as the platform of choice, also generating secure local host-based flows for compliance and reporting. Thin clients and infinitely scalable distributed computing/storage are on the way. If you don't run the data-centre processing/storage nor have the power, you'll want to control the gateways/reporting/auditing/caching and own/re-sell/manage as much of the local infrastructure/bus and back-haul as possible!

Regulatory and compliance requirements will always have a perceivable effect, especially in the financial services sector, but with breach disclosure laws on the way in Oz, the security landscape (the consulting/auditing/accountability/visibility aspects of networks/services) is not going to allow organizations to keep their heads in the sand for much longer.