Archive for the ‘Uncategorized’ Category

Attribution is the new black…what’s in a name, anyway?

February 26th, 2015 No comments

Attribution is hard.  It’s as much art as it is science.  It’s also very misunderstood.

So, as part of my public service initiative, I created and then unintentionally crowdsourced the most definitive collection of reality-based constructs reflecting the current state of this term of art.

Here you go:

  • Faptribution => The process of trying to reach PR climax on naming an adversary before anyone else does
  • Pattribution => The art of self-congratulatory back patting that goes along with attributing an actor(s) to a specific campaign or breach.
  • Flacktribution => The process of dedicating your next press release to the concept that, had the victim only used $our_software, none of this would have happened. (Per Nick Selby)
  • Maptribution => when you really just have no fucking idea and play “pin the tail on the donkey” with a world map. (Per Sam Johnston)
  • Craptribution => The collective negative social media and PR feedback associated with Snaptribution (Per Gunter Ollmann)
  • Masturbution => When you feel awesome about it, but nobody else gives a flying f$ck (Per Paul Stamp, but ‘betterized’ by me)
  • Snaptribution => naming the threat actor so quickly you can’t possibly be right but you are first. Also known as premature faptribution. (Chris Wysopal)

May you go forth with the confidence to assess the quality, scope and impact of any attribution using these more specific definitions.



On the Topic Of ‘Stopping’ DDoS.

March 10th, 2014 11 comments

The insufferable fatigue of imprecise language with respect to “stopping” DDoS attacks caused me to tweet something that my pal @CSOAndy suggested was just as pedantic and wrong as that against which I railed:

The long and short of Andy’s displeasure with my comment was:

to which I responded:

…and then…

My point, ultimately, is that in the context of DDoS mitigation such as offload scrubbing services, unless one prevents the attacker(s) from generating traffic, the attack is not “stopped.”  If a scrubbing service redirects traffic and absorbs it, and the attacker continues to send packets, the “attack” continues because the attacker has not been stopped — he/she/they have been redirected.

Now, has the OUTCOME changed?  Absolutely.  Has the intended victim possibly been spared the resultant denial of service?  Quite possibly.  Could there even now possibly be extra “space in the pipe?” Uh huh.

Has the attack “stopped” or ceased?  Nope.  Not until the spice stops flowing.

Nuance?  Pedantry?  Sure.

Wrong?  I don’t think so.



An Ode To Glass

May 18th, 2013 1 comment

Google Glasses reviewed, often spiced with profanity
A technology, profound, previews dystopic humanity

Augmentation, extension, lensless optics you blink through
Winking gestures, #hashtagged pictures, an earpiece you talk to

It gives you directions, sends you tweets, you’ll hangout!
Wifi and bluetooth, “PEACOCK!” its users all shout

“Don’t diss the tech, man,” the fanbois decree
You’ve nothing to fear…except privacy

They’re a curious bunch, these intrepid explorers
While last week’s cool toys now lay dusty and choreless

Want lunch? Movie review? Need directions? A clue?
You needn’t ask, they’ll just Glass it for you.

They look down when they speak and up when they Glass
Don’t take offense, they’re not being an ass

There’s two planes of existence, “outside Glass” and thus “through”
They live on one side, on the other, there’s you

The worldwide web at your pupil-tips, it sounds quite the perk
Til you end up all cross-eyed, like Steve Martin’s “The Jerk”

Glassdebating on Twitter…it seems to last for hours
Those in technorapture post pics of themselves in showers

The experience, transcendent, it seems quite zen
But the users seem to be just middle-aged white men

We’ve already got Aspies, the socially inept
Now we’ll bear witness with those with whom you’ve slept

There’ll be segregated seating; “Glass OK” and “No Glass”
The haves and the have-nots, it’s gonna be crass

As social interaction becomes more and more abstracted,
people wearing Glass will converse with others much distracted

Are you recording?  Is that thing on?  Are you Googling me as we speak?
At first it seems quite quaint, a parlor trick for geeks

And then as comfort and fashion sense collide and people will withdraw,
alas some good technology, will not seem cool much more

You’ll pull out a smart phone, look like a T-Rex
While a Glasshole whispers snidely “Bet he still codes in hex!”

Those who hold out will proudly boast along with loud retort:
“Hey man, I’m not tethered, this ain’t Minority Report!”

“OK Glass” is a statement, a command, so stop hating.
To some it’s a class thing, a tech thing, to some it’s berating

If your perspective is at just one end of the spectrum,
the schism of your prism could have you kicked in the rectum

At the end of the day, it’s a magnificent tool
some think it obtuse, some think it quite cool

For me and my smartphone with my old school connection
I feel no need for this UX inflection

I have some serious things I’ll say about this after being accosted for my opinions — which I actually researched by having Adrian let me use his Glass.

I’ll talk about that soon.

Oh, and if you haven’t seen these:


…you really ought to :)


InfoSecFail: The Problem With Big Data Is Little Data

June 26th, 2011 1 comment

(on my iPhone while my girls shop…)

While virtualization and cloud security concerns continue to catch the imaginative pause of pundits everywhere as they focus on how roles and technology morph yet again, a key perspective is often missing.

The emergence (or more specifically the renewed focus and prominent feature) of “big data” means that we are at yet another phase shift on the Hamster Security Sine Wave of Pain: The return of Information Centric Security.

(It never really went away, it’s just a long term problem)

Breach after breach featuring larger amounts of exfiltrated information shows we have huge issues with application security and even larger issues identifying, monitoring and protecting information (which I define as data with value) across its lifecycle.

This will bring about a resurgence of DLP and monitoring tools using a variety of deployment methodologies via virtualization and cloud; what was at first seen as a hindrance will now be an incredible boon.

As Big Data and the databases/datastores it lives in interact with the proliferation of PaaS and SaaS offerings, we have an opportunity to explore better ways of dealing with these problems — this is the benefit of mass centralization of information.

Of course there is an equal and opposite reaction to the “data gravity” property: mobility…and the replication (in chunks) and re-use of the same information across multiple devices.

This is when Big Data becomes Small Data and the ability to protect it gets even harder.

Do you see new and innovative information protection capabilities emerging today? What form do they take?



OpenFlow Is the New “Cloud…”

June 24th, 2011 4 comments


June 23rd, 2011 No comments

George Carlin, Lenny Bruce & The Unspeakable Seven Dirty Words of Cloud Security

January 26th, 2011 1 comment
Cover of George Carlin

I have an upcoming cloud security presentation in which I map George Carlin’s “Seven Dirty Words” to Cloud Security challenges.  This shall accompany my presentation at the Cloud Security Alliance Summit at the RSA Conference titled: “Commode Computing: Relevant Advances In Toiletry – From Squat Pots to Cloud Bots – Waste Management Through Security Automation”

I’ll leave it as an exercise for the reader to relate my 7 dirty words to George’s originals:


Of course I could have modeled the talk after Lenny Bruce’s original nine dirty words that spawned George’s, but seven of nine appealed to the geek in me.


P.S. George looks remarkably like Vint Cerf in that picture above…uncanny.


Virtualization & Cloud Don’t Offer An *Information* Security Renaissance…

May 11th, 2010 No comments

I was reading the @emccorp Twitter stream this morning from EMC World and noticed some interesting quotes from RSA’s Art Coviello as he spoke about Cloud Computing and security:

Fundamentally, I don’t disagree that virtualization (and Cloud) can act as fantastic forcing functions that help us focus on securing the things that matter most if we agree on what that is, exactly.

We’re certainly gaining better tools to help us understand how dynamic infrastructure, amorphous perimeters, mobility and collaboration are affecting our “craft,” however, I disagree that we’re going to enjoy anything resembling a “turnaround.” I’d suggest it’s more accurate to describe it as a “reach around.”

How, what, where, who and why we do what we do has been dramatically impacted by virtualization and Cloud. For the most part, these impacts are largely organizational and operational, not technological.  In fact, most of the security industry (and networking for that matter) have been caught flat-footed by this shift which is, unfortunately, well underway with the majority of the market leaders scrambling to adjust roadmaps.

The entire premise that you have to consider that your information in a Public Cloud Computing model can be located and operated on by multiple actors (potentially hostile) means we have to really focus back on the boring and laborious basics of risk management and information security.

Virtualization and Cloud computing are simply platforms and operational models respectively.  Security is as much a mindset as it is the cliché three-legged stool of “people, process and technology.”  While platforms are important as “vessels” within and upon which we build our information systems, it’s important to realize that at the end of the day, the stuff that matters most – regardless of disruption and innovation in technology platforms — is the information itself.

“Embed[ding] security in” to the platforms is a worthy goal, building survivable systems is paramount, and doing a better job of ensuring we consider security at an inflection point such as this is very important for sure.  However, focusing on infrastructure alone reiterates that we are still deluded about the reality that applications and information (infostructure) and the protocols that transport them (metastructure) are still disconnected from the cogs that house them (infrastructure).

Focusing back on infrastructure is not heaven and it doesn’t represent a “do-over,” it’s simply perpetuating a broken model.

We’re already in security hell — or at least one of Dante’s circles of the Inferno. You can’t dig yourself out of a hole by continuing to dig…we’re already not doing it right.  Again.

Two years ago at the RSA Security Conference, the theme of the show was “information centricity” and unfortunately given the hype and churn of virtualization and Cloud, we’ve lost touch with this focus.  Abstraction has become a distraction.  Embedding security into the platforms won’t solve the information security problem. We need to focus on being information centric and platform independent.

By the way, this is exactly the topic of my upcoming Blackhat 2010 talk: “CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity”  Go figure.



Security: In the Cloud, For the Cloud & By the Cloud…

May 3rd, 2010 1 comment

When I interact with folks and they bring up the notion of “Cloud Security,” I often find it quite useful to stop and ask them what they mean.  I thought perhaps it might be useful to describe why.

In the same way that I differentiated “Virtualizing Security, Securing Virtualization and Security via Virtualization” in my Four Horsemen presentation, I ask people to consider these three models when discussing security and Cloud:

  1. In the Cloud: Security (products, solutions, technology) instantiated as an operational capability deployed within Cloud Computing environments (up/down the stack). Think virtualized firewalls, IDP, AV, DLP, DoS/DDoS, IAM, etc.
  2. For the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers (see next entry). Think cloud-based Anti-spam, DDoS, DLP, WAF, etc.
  3. By the Cloud: Security services delivered by Cloud Computing services which are used by providers in option #2 and which often rely on those features described in option #1.  Think, well…basically any service these days that brands itself as Cloud… ;)

At any rate, I combine these with other models and diagrams I’ve constructed to make sense of Cloud deployment and use cases. This seems to make things more clear.  I use it internally at work to help ensure we’re all speaking the same language.



Dear SaaS Vendors: If Cloud Is The Way Forward & Companies Shouldn’t Spend $ On Privately-Operated Infrastructure, When Are You Moving Yours To Amazon Web Services?

April 30th, 2010 6 comments

We’re told repetitively by Software as a Service (SaaS)* vendors that infrastructure is irrelevant, that CapEx spending is for fools and that Cloud Computing has fundamentally changed the way we will, forever, consume computing resources.

Why is it then that many of the largest SaaS providers on the planet (including firms like Twitter, Facebook, etc.) continue to build their software and choose to run it in their own datacenters on their own infrastructure?  In fact, many of them are on a tear involving multi-hundred million dollar (read: infrastructure) private datacenter build-outs.

I mean, SaaS is all about the software and service delivery, right?  IaaS/PaaS is the perfect vehicle for the delivery of scalable software, right?  So why do you continue to try to convince *us* to move our software to you and yet *you* don’t/won’t/can’t move your software to someone else like AWS?

Hypocricloud: SaaS firms telling us we’re backwards for investing in infrastructure when they don’t eat the dog food they’re dispensing (AKA we’ll build private clouds and operate them, but tell you they’re a bad idea, in order to provide public cloud offerings to you…)

Quid pro quo, agent Starling.


* I originally addressed this via Twitter in response to Peter Coffee’s blog here but repurposed the title to apply to SaaS vendors in general.
