Archive for April 2014
Vendor Hell
Vendor conferences and webinars:
Yesterday many of you who might read my ravings saw my Twitter feed explode with rage over a vendor sponsored conference I attended on the “Target Hack”. The invitation to this meeting, local to me …well, an hour away that is, promised new and interesting information on the Target case, and I decided to attend in hopes that there would be some inside info. What I got instead was a chance to listen to the meanderings on the 2nd Amendment by Asa Hutchinson and the community college version of X-Force’s state of the hack.
The finale though was the talk on the Target hack, which was prefaced with “Everything I am going to talk about today is open source and from the news” …really now, this is the inside information that you said would be given? What followed was a description of information you could get by reading the news reports and in particular Brian Krebs’ blog on the subject. This was nothing like what I had been led to believe was on offer and it made my bile rise, as you may have seen. It was a giant time suck and really should only have been on offer for those who hadn’t a clue about the hack. In fact, this may well have been useful were you an executive without a clue. Which I am not.
A proposal for a ratings system:
I left the conference after IBM had done their dog and pony show on Target with a headache and a real distaste for all things vendor. I know, this is the norm for the bulk of the people in this business, but it made me start thinking on the hour drive home. Perhaps in a perfect world we could have a ratings system for these meetings. If we were to be completely efficacious we could craft a way to denote the level of information being given and those best suited to attend. I know this is likely a pipe dream but I just have to toss this out there.
While I was completely bored and enraged by the conference yesterday, it did have its merits for someone who had no clue about the Target hack. Chris Poulin did a fair job at describing the events that were in the news and in the blogs, and I believe a lay person (exec) would have learned at least something from it. So could we perhaps work with vendors to get a ratings system, as well as maybe work with them to inform our managements in an efficacious way? I know, I may be dreaming a bit here and sound like a Cavalry Unicorn, but hey, maybe an aneurysm from yesterday made me more open to the idea.
All I am really saying is that if we want to be better at getting our execs to understand some things perhaps we need to control our vendors a bit more and get them to actually be useful to us instead of just hawking bad data and wares. Perhaps the reality is we as security professionals need to look at all of these vendor offerings and choose which ones can be trusted to be at least somewhat informative and worth going to for our management. A simple rating system would be very helpful, let’s say a 1 for n00bs, 2 for intermediate people and a 3 for technical and competent people?
Please? Pretty please?
The community wants better communication? Start reining these guys in:
I guess what I am saying is that with all of the hubbub over Cavalry and “doing better” I would suggest we first start working on vendors’ offerings. Let’s cut the bullshit right out and start getting our managements to offerings that will actually help them comprehend the job they are supposed to be doing. Perhaps that only really means not letting them attend anything from a vendor at all, huh? Perhaps these are all just in reality boondoggles …which incidentally I feel security conferences are today anyway, that need to be avoided like the plague.
Maybe there is no winning here… I feel the rage returning, which is the prelude to the apathy again, turn, turn, turn. Look, we all complain every day about management’s lack of comprehension, so if we are going to fix that perhaps strictly monitoring their vendor conference attendance is a good start. As for us, well, we need to continue to be jaded about these calls, webinars and meetings accordingly. If yesterday was any indication for X-Force then I need to start pulling away from anything they put out there. I cited it in a tweet but I have no idea how they put <1% attack traffic on Aerospace and Defense in their slide. Perhaps that datum might speak more to their lack of penetration and usefulness in the space though… hmmm…
I guess in the end the words to live by are “Caveat Emptor Stupid!”
K.
SEC BURNOUT and The Psychology of Security
Recent Days of Whine and Wiping of Noses:
Recently I have had my sensibilities assaulted by the whining on my Twitter feed coming from soundbites from Source Boston as well as others talking about INFOSEC burnout and community communication issues. What really grinds my gears is the sense that we are all just helpless mental geniuses who need to learn how to communicate better to do our jobs more effectively, as well as the whole “Woe is me, no one listens to me” bullshit I keep seeing reverberate across the community. Well I am here to tell you right now to stop blubbering and put on your big girl/boy/transgendered pants and cut it out.
Last week I had a long back and forth with someone who is “studying” INFOSEC burnout and throughout the conversation (yes, hard really in 140 chars per, yes yes yes I know Beau) I could not get them to nail down exactly how they were “studying” it as well as what would be the efficacy of doing so. What are the ends that justify the means of this study? Was there to be a self help book? Or are you just having a kumbaya “I’m in INFOSEC and no one listens to me!” bitch session at each conference?
At the end of the day people got hissy and I began to think more and more about just how entitled this community thinks it is, as well as how smart they “think” they are. So smart that they can’t get past a problem that, properly studied, would likely give you all some perspective and solace perhaps, and this chaps my ass. While some of you out there are vocally being the new INFOSEC Dr. Phils, others just go about their day in the war and do their jobs without whining about it.
Not all of us have INFOSEC Jesus complexes.
The Problem Statement:
So here’s the general feeling I get from what I have seen (yes I went to an infosec burnout presentation) from the community on this whole burnout thing.
- We can’t win the war and it’s hard to even win battles
- The job is hard because the adversaries have no rules while we do
- We are constrained by our managements
- Our end users are morons
- We’re the God damned smartest people in the room and no one listens to us!
- We are just perceived as an obstacle to be bypassed or ignored
I am sure there are other complaints that weigh heavily upon the INFOSEC brow but these are the biggies I trust. Perhaps a real study with a real psychological questionnaire is required to get some analytical data to use for a proper problem statement, but to date I have seen none. While I agree we work in a tough field from the perspective of “winning” the day, and yes, we are looked upon by the masses as an impediment and a cost centre, this is not the problem set we need to work on. I propose that this problem set is the most self centered and useless one making the rounds today and smacks of every bad pop psychologist’s wet dream of making it big.
In other words: you are all problem solvers. Solve the god damned problem by studying the root causes and then implement what fixes you can come up with. What you are dealing with is human nature, the mechanics of the human brain, and the psychology that goes along with all of this. Apply that laser-like focus you all claim you have out there on the problem set and you will in fact come to some conclusions, and perhaps even answers, that will make you see the problem in a pragmatic way. Once you do this you can then rationalize all of these problems at the end of the day and hopefully get past all this self centered bullshit.
Then again this is a community full of attention seekers and drama llamas, so your mileage may vary.
The Psychology of Security:
Once, a long time ago, I found Bruce Schneier relevant. Today I don’t so much think of his mumblings as at all useful; however, he did write an essay on Psychology and Security that was pretty damn prescient. I suggest you all click on that link and read his one piece on this and then sit back and ponder for a while your careers. What Bruce rightly pointed out is that our brains are wired for “Fight or Flight” on a core level from when we lived on the great savannah, and that the amygdala (lizard brain) is often at odds with the neocortex (the logical brain with heuristics), which often times helps us make shortcuts in decision making out of pattern recognition and jumping to conclusions, to save the brain cycles on the complex data that is always coming at it.
What Bruce and others out there have pointed out is that all of our experiences in security, good and bad, are predicated on the fact that primates at the keyboards are the problem set at the core of the issues. We create the hardware and software that is vulnerable. We are the ones finding and creating vulnerabilities that are exploited by bad people. We are the ones who at a core level cannot comprehend the security values and problems, because we are not wired to comprehend them on average due to the way the brain formed and works even today. There are certain psychological and brain-wiring problems on the one hand, and then there are the social and anthropological issues as well that also play a part in the problem statement. All of these things can and do hinder “security” being something that is generally comprehended and acted upon properly as a society and a species, they play into our day to day troubles as INFOSEC workers, and we need to understand this.
So, when I hear people decrying that security is hard and that they are burned out because you can’t win, or that the client/bosses/those in charge do not listen to you, please step back and think about Schneier’s essay. The cognitive issues of comprehending these things are not necessarily the easiest thing for the masses to get past. Perhaps YOU are just the Asperger’s sufferer who is wired differently to get it, had you ever considered that?
Security is a complex issue and you, INFOSEC worker, hacker, Asperger’s sufferer, should look upon all of this as a tantalizing problem to solve. Not to whine about and then turn on its ear, saying that you need to be more soft and listen to your clients/bosses to hear their woes. We all have problems, kids. It’s just a matter of looking at the root of the issues and coming up with solution statements that work. In the case of the brain and cognition we have our work cut out for us. Perhaps someday someone will come up with a nice framework to help us all manipulate the brain to understand the issues and process it all efficiently… Perhaps not. Until then, just take a step back and think about the issues at hand.
A Pragmatic Approach To Your Woes:
So with the problem statement made above what does one have to do to deal with the cognitive problems we face as well as our own feelings of inadequacy in the face of them? The pragmatist would give you the following advice:
- It is your job to inform your client/bosses of the vulnerabilities and the risks
- It is your job ONLY to inform them of these things and to recommend solutions
- Once you have done this it is up to them to make the decisions on what to do or not do and to sign off on the risks
- Your job is done (except if you are actually making changes to the environment to fix issues)
That’s really all it’s about, kids. YOU are a professional who has been hired to be the canary in the coal mine. You can tweet and twitter all you like that the invisible gas is headed your way to kill you all, but if the miner doesn’t listen …well, you die. If you want to change this problem statement then you need to understand the problems cognitively, socially, and societally (corporately as well) to manipulate them in your favour at the most. At the least you need to understand them to deal with them and not feel that burnout that everyone seems to be weeping about lately.
Look at it this way: the security issues aren’t going to go away. The fact of the matter is they will only increase as we connect every god damned thing to the “internet of things”, so our troubles around protecting ourselves from the digital savannah and that “cyber tiger” (copyright and trademark to me… derp) are not going to diminish. Until such time as the brain re-wires or we as a society come to grips with the complex issues of the technologies we wield today, we as security workers will need to just deal with it. Either we learn to manipulate our elephants or we need to get out of the business of INFOSEC and just go hack shit.
Catharsis:
Finally one comes to a cathartic state when one realizes that only YOU can fix your problems coping with your work. Sure, people can feel better if they sit around and bitch about their problems, but that won’t stop their problems from being problems, will it? Look at the issues as a problem statement, Mr. or Miss/Mrs. security practitioner, a problem to hack. Stop being a whiny bunch of bitches and work it out.
HACK THE GOD DAMNED SYSTEM!
Failing that, come to accept the problems and put yourself in the place where you are just the Oracle at Delphi. You impart your wisdom and say “Your mileage may vary” and be done with it. Until such time as you manipulate the means by which you get this across to the company’s management and they make a logical decision based on real risk, you just have to accept it. If your place of work has no real risk acceptance process then I suggest you get one put in place or perhaps find a new job. You are not Digital Jesus. You can’t fix everything and you cannot fix those who are broken like Jesus did in healing the blind and making a hell of a lot of fish sandwiches from one tuna can.
Either understand and come up with a way to fix the problem or accept it for what it is and move on.
Stop the whining.
K.
New Age INFOSEC
Yesterday’s Source Boston keynote started bubbling up in Twitter like swamp gas, releasing soundbites that were reminiscent of new age babble on how we as a community are bad communicators. While I agree that many in the community at large are bad at communicating anything other than self interest (i.e. con deadheads), I would have to say that there are many many more of us with day jobs who can communicate and do.
Often.
The fact of the matter is that if you are a con deadhead then perhaps Justine Aitel is talking to you, which she did, coincidentally, at a conference! Gross generalities make my eye twitch and so do new age koans about such a complex issue as information security. So I would like to address the snippets that came out yesterday in my usual style of bilious and yet hopefully thought provoking responses.
The first slide in the roster actually struck me as something I have been saying for quite a while, but in this re-telling it’s much softer. I have been calling bullshit on the con deadheads for a while now but I guess it’s finally getting traction. The truth of the matter is that if you are just speaking at conferences all the time, what the fuck are you really doing? You speak to the same crowds and often times of late you present the same god damned things. What is the fucking point?
So yes I agree with you Justine on this but I think you could be more blunt. If all you do is go from con to con partying and giving the same talks then you sir or madam are committing cyber douchery. It’s just that simple.
We develop secret knowledge and power? Holy what the fuck does that even mean? If this is the case then we are all collectively Dr. Evil at worst or Blofeld at best? We also suck at listening because we are evil geniuses? What the fuck does this even mean? Look, we are technical people and we speak in technical language, which often times seems like magic to the people who do not comprehend the rudiments of technology, never mind some of its most complex theory and implementation.
We also suck at listening? Really? All of us? Gross generality much? Look, there are two sides to the equation here and sure, some of us in the community may not listen well. For that matter we may not listen at all except to our own bass drum of LOOK AT ME! LOOK AT ME!, but please, we aren’t the only problem here when it comes to the security problems of today. You are over simplifying things just a bit in a time when we need more complex and nuanced thought on the matter. The corker here is that all of this is being transmitted by soundbite on Twitter of all things.
#FAIL
Uh what? Are you going to tell me that Hitler wasn’t a great communicator? Have you seen those old movies of his speeches? I am in no way saying he was a huggybear but HOLY WTF are you on a roll with generalities and useless new age speech. So once again you see us as great technical masters of the universe and yet we are all portrayed as somewhere on the far end of the spectrum in the DSM-V for Asperger’s? Look, we may have great technical abilities in some cases. In others we may be just useless twats. Let’s not put this into axis of evil territory or paint us all with the same inept brush of bad communicators or sufferers of Asperger’s here.
Oh here we go… We need to be vulnerable to grow. Thanks Dr. Phil. How about instead we just be more self aware and able to comprehend the social surroundings we are in. Understand the system to work the system. Better yet, how about you understand the system and the players to come to the place where you accept that nothing you do really matters unless the people WHO PAY YOU are willing to make changes or LISTEN to you. It has nothing to do with being soft or vulnerable, and this kind of shit is just as bad as the polar opposite of “Real men don’t eat quiche”.
Twattle.
No no no NO. The word CYBER is a mystical amulet that the masses use to infer some vague notion of all things magic and incomprehensible! This is not something we should promote whatsoever. Its perpetuation should stop, and you just crossed the Rubicon on this. This really burns me, and that this idea was even floated makes my blood boil. You say you want to communicate but you are willing to compromise with the word CYBER instead of using real language to convey the complexities we deal with? Good God, this is one of the most idiotic statements I have seen of late!
I agree… Much of society at large has no idea what we do. Do you really want to know why this is true? Have you ever tried to explain to them why it’s important and how it works? Even in small words? You get the glazed eyes and they begin musing on what Kim Kardashian is doing. THEY DON’T CARE TO UNDERSTAND! Still you want to call it CYBER and use general terms in an attempt to dumb it down so they get it? I am saying to you right here and right now that they won’t care and they won’t get it. It’s all fucking CYBER APT CLOUD MAGIC to them all.
So as an industry we are too self involved and unable to listen to the people we are tasked with protecting… Hmmm… Ok, sure. We are a calamity of derp as an industry that has been riddled with FUD and sales buzzwords. We also have a populace of attention seekers with a real penchant for TNT Dramallama flogging. We wallow in our soup of “Ain’t I cool” and look at me, look at me! It’s true. However, that is not the whole community and this is yet another generality that borders on the new age derpy.
I also would say, just what is it we need to listen to? Listen to the companies and players who have agendas that make bad choices in the face of being told that they are vulnerable? Listen to the people who say that the work is too hard and who out of hand deny anything you say is relevant or important? Some actually put on a show and say they will fix things or change their ways, but really, how many times have we seen that and then seen nothing change? Listening is just fine but the crux of the matter today is that you tell the client what is wrong and then say “You can fix this or you can accept the risk on this”.
That’s it.
You don’t need to be a great communicator here or all new age fuzzy, because the fact of the matter is that people will make decisions based on their own needs and desires and not the truth. What this community (and the one I speak of is the con deadheads) needs to do is grow up. Spend less time lauding their own ingenuity and grok a bit more on other things in the world. Perhaps there is a mass of Asperger’s sufferers at these cons but that is no reason to paint the whole community of security with the same brush. I communicate just fine and I have come to accept the fact that all I can really do is present the information, the risks, and recommendations. It is up to the client to decide whether or not it is in their own interests to do anything about them. I just get them to sign off on the risks of not doing so and my job is done.
Enough of the new age fuckery…
K.
So you want to go to the Darknets huh?
DARKNETS!
I recently asked people on Twitter what they would like to see me write about here for a new post and the majority of people came back with something around the Darknets. So I am bowing to all those calls and I now present to you a post on THE DARKNETS! How to get there, what to see, and how not to get yourself into a shitload of trouble…
Well, I can’t vouch for that last one though…
I suppose though I should back up a bit and explain to some of you out there just what the darknet is. The darknet is actually just a sub-basement of the Internet, comprised of systems on the regular internet that have a separate gateway to get to them and an infrastructure that is separate from the internet proper. Simply put, the basement analogy is really apropos for two reasons. First, the connection to it is rather like taking a creaky and rickety old staircase into a dark basement in an abandoned building. Second, what you find once you are in that dark and creepy basement often times are things you never want to see again yet cannot un-see.
So take care, gentle reader, for if you decide to follow me into the dank world of the DARKNETS you may encounter things that you might never recover from. Alternatively you could just laugh and laugh and laugh as you see some of these sites out there offering snake oil and drugs. Hey, maybe you can buy snake oil as a drug! Oh and yeah, one more thing. If you decide to go anywhere near the child porn I will personally hunt you down and make you disappear into federal custody.
Just sayin….
Do you know the way to the Darknets?
Do you know the way to the DARKNET? Well obviously if you are looking at this blog post you don’t. That is, unless you want a good giggle. Anyway, the darknet can be reached pretty dang easily today and you have a few choices on how to get there, as well as varying versions of networks to choose from. The best way though for the casual observer would be to go to the Googles and just type in TOR BROWSER DOWNLOAD.
You download the file for your system (one hopes it’s a Linux or UNIX system… or maybe even that MAC crap) and then install it. Once installed you RUN it. It’s really that simple. Of course if you are in Linux you unzip it, save it to a directory, then run it (run as a program, not as a txt file, thank you very much!), which will start the version of Firefox for you that is already pre-configured to proxy to TOR.
Guess what… If you have done this then you are able to get to the DARKNETS! Now you just need to find some links, like The Hidden Wiki (the first layer of 7 levels of DARKNET HELL! *waves at Dante*). This site was recently taken control of by the inimitable DOXBIN because of the amount of paedo links that it was allowing to fester. This is just one place where you can get links to the DARKNET sites out there though. You can in fact use the TOR SEARCH or something like that, but the best way I have found of late is just to hit up Pastebin.
There you have it… By doing some simple points and clicks and then using your frontal cortex a bit, you too can be on the DARKNETS with the rest of us. Come on in! The water is… well… scummy, but it’s at least warm from all the kids peeing in the pool!
TOR vs. i2p:
Now some old timers may tell you that TOR is full of Feds and that you need to just go straight for i2p for your DARKNET binges. I for one would tell you that this is a falsehood because i2p is FUCKING SLOW AS ALL SHIT. However, it is an option if you aren’t in a hurry to see anything and you want to see different content than what you may map out on the TOR DARKNET.
Another word of warning on the i2p front is that you have to be a bit more savvy than the usual user to make this one work for you and to correctly manage and configure your system, because YOU are also a router within the arcology when you get on i2p. You can of course change that and secure the system more so that you aren’t going to be pwned, but you have to keep this in mind before you just go download and run it.
Be.
Forewarned.
On the other end of the spectrum you can also go download the full TOR node setup and make yourself a page, or you can just use it to access the net in a configuration of your choice (a secure one, one would hope) instead of the pre-configured browser bundle. If you choose to do this just make sure you understand what you are doing and do keep an eye on the versions out there. TOR seems to be a target for security flaw hunting by the likes of the NSA so, ya know, you kinda have to be careful if you are out there doing things you perhaps shouldn’t be on an un-secured version.
Personally I use all of the above but, as you might have guessed from above, I find the idea of all the caching on i2p to be rather tedious so I don’t go there often. You can in fact find gateways to both DARKNETS if you GOOGLE for them. These are gateways that allow you to enter by using the CLEARNET (i.e. the internet) as the gateway, with a node handling all the routing for you. I don’t know about their security but let’s put it this way: people can see your traffic in the clearnet so… Yeah…
Abandon hope all ye who enter here…
Ok, so now you know how to get the software, what to click and where to get links. Now comes the abandonment of hope. See, once you get inside the darknet and you start looking around you realize just how much of it is lame, how much of it is illegal, and how much more of it seems to be rather puerile. I have spent hours, aw hell, let’s say days in there looking around. I have laughed, I have cried, and it changed my life like “Cats” the musical. The gist here is prepare yourself for an experience that may just leave you slumped in your seat saying “Is that it?”
Alternatively you might be able to find new and interesting sites that no one really knows about (if you do, please tell me!), such as a nice site on furry on furry cosplay Scheisse movies. Who really knows what you will find. Take a stroll around and see what you see. Mostly though I think you will find that unless you start messing about with the technology deeply, you will just see the same things everyone else does.
- Porn
- More porn
- Drugs markets
- chans
- dropboxes
- etc.
I for one have begun looking at the intricacies of things like transient sites and covert URL exchanges, but that’s just me. You might want to do other things. All of these things though usually are, shall we say, more exotic in nature to begin with and mostly considered illegal, and this is why they are in the DARKNET to start. They think that it’s all anonymous and that you can then not only access the DARKNET but the internet without leaving a digital trail. This of course has been shown to be wrong.
The Arcology:
This brings me to the arcology of the DARKNET and security. There are ways that you can in fact be tracked by wily people who can poison the network with their own nodes or sniff their exit data. In one case it has been posited that the whole of the onion router system could be cracked by the use of nodes under the control of a determined adversary.
This is an interesting idea, as are all of the others out there on how to de-obfuscate users on the DARKNET. Be aware that the NSA is more than likely working on this if not already there and monitoring traffic. Why aren’t more people being arrested then, you ask? Well, then how would they get the really bad guys if they tipped their hand, huh? Cracking the DARKNET would be a HUGE thing and a real tipping of the scales were it to get out in the open. Is it happening now? I am not sure, but what I am sure of is that they are trying very very hard to make it happen at the very least.
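To put a number on the node-control idea posited above, here is an added example of mine (not code from the original post or from the Tor project): a small risk model in which an adversary runs a share of the relays and wins only when it holds both the guard and the exit of a circuit, since that is the pair that lets it correlate a client with a destination. It assumes bandwidth-weighted relay selection and a client that keeps one fixed entry guard, as Tor does; the relay counts, bandwidths and the adversary’s 20% share are constructed for illustration, not measurements of any real network.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    name: str
    bandwidth: int   # relative selection weight (constructed, not measured)
    adversary: bool  # True if the adversary operates this relay


def make_relays(prefix, n_honest, n_adversary, bw_honest, bw_adversary):
    """Build a constructed relay set: honest relays plus adversary-run relays."""
    honest = [Relay(f"{prefix}{i}", bw_honest, False) for i in range(n_honest)]
    bad = [Relay(f"{prefix}-evil{i}", bw_adversary, True) for i in range(n_adversary)]
    return honest + bad


def adversary_share(relays):
    """Fraction of the set's total bandwidth the adversary controls."""
    total = sum(r.bandwidth for r in relays)
    return sum(r.bandwidth for r in relays if r.adversary) / total


def analytic_compromise(guards, exits):
    """P(adversary holds both guard and exit) when each circuit picks a fresh guard."""
    return adversary_share(guards) * adversary_share(exits)


def pick(rng, relays):
    """Bandwidth-weighted choice of one relay (assumed to mirror Tor's weighting)."""
    return rng.choices(relays, weights=[r.bandwidth for r in relays], k=1)[0]


def build_circuit(rng, guards, middles, exits, pinned_guard=None):
    """Guard -> middle -> exit. A pinned guard models a client keeping one entry guard."""
    guard = pinned_guard if pinned_guard is not None else pick(rng, guards)
    return (guard, pick(rng, middles), pick(rng, exits))


def is_end_to_end_compromised(circuit):
    """Both ends adversary-run: client and destination can be linked by timing.

    The middle hop is irrelevant to this; it sees neither client nor destination.
    """
    guard, _middle, exit_relay = circuit
    return guard.adversary and exit_relay.adversary


def simulate(guards, middles, exits, n_circuits, seed=1, pin_guard=False):
    """Fraction of n_circuits whose guard and exit are both adversary-run."""
    rng = random.Random(seed)
    pinned = pick(rng, guards) if pin_guard else None
    hits = 0
    for _ in range(n_circuits):
        if is_end_to_end_compromised(build_circuit(rng, guards, middles, exits, pinned)):
            hits += 1
    return hits / n_circuits


# Constructed network: the adversary runs 1 in 5 relays at every position with
# the same bandwidth as honest relays, so it holds 20% of guard and exit weight.
GUARDS = make_relays("guard", 16, 4, 100, 100)
MIDDLES = make_relays("middle", 16, 4, 100, 100)
EXITS = make_relays("exit", 16, 4, 100, 100)


if __name__ == "__main__":
    print(f"adversary guard share: {adversary_share(GUARDS):.2f}")
    print(f"analytic per-circuit compromise: {analytic_compromise(GUARDS, EXITS):.3f}")
    print(f"simulated, fresh guard per circuit: {simulate(GUARDS, MIDDLES, EXITS, 20000):.3f}")
    # With one pinned guard the exposure is all-or-nothing for that client:
    # either 0 (honest guard) or about the adversary's exit share (0.20).
    for seed in range(5):
        rate = simulate(GUARDS, MIDDLES, EXITS, 5000, seed, True)
        print(f"seed {seed}, pinned guard: {rate:.3f}")
```

The fresh-guard run lands near the 4% product of the two shares, while the pinned-guard runs split into clients who are never exposed and clients who are exposed on roughly one circuit in five, which is the trade-off behind keeping a stable entry guard.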
So gentle reader, go forth, get the software, secure it as best you can and then wade into the DARKNET! Remember, the water is warm because of all the pee… And remember too that “We are the reason we can’t have nice things”.
K.