Archive for the ‘Jackassery’ Category

There’s Only One Way To Settle This Crosby: Security Sumo Suit Smackdown…

October 30th, 2008


I'm afraid it's come to this, Simon.

It occurs to me that the only way we can settle our debate to finality is via mortal combat.

I'm calling you out:

What: Sumo Suit VirtSec Smackdown (how Xen/Zen!)

Who: Simon Crosby vs. Chris Hoff

Where:
RSA 2009, Moscone Center, San Francisco, Venue TBD

When: During the April 20-24th, 2009 timeframe

Why: You know why…

Wow: This will be a charity event with the proceeds going to Johnny Long's Hackers for Charity which you can find out about here.

Real shipping versions of you only, no virtual replicas or stand-ins allowed.  We'll get sponsors.

You wouldn't want to let down the community now would you Simon?

See you in San Francisco…

/Hoff

UPDATE: Simon is THE man!  He's accepted the battle.  We'll have an all-star panel of judges and Dan Kaminsky has agreed to referee.  Winner gets grandma's cookies! w00t!

Categories: Jackassery Tags:

Cloud Computing Security In Poetic Review

October 27th, 2008

This is in response to my buddy Alex Hutton's blog post titled "Cloud Computing – Stormy Weather?"

If you took a poll
of folks in a crowd
asking them to define
what they thought of "the cloud"

I'd bet the dough in my pocket
not one could agree
on the relative impact
it will have on IT

Outsourced computing,
utility, grid,
distributed resources
with the moving parts hid

whatever you call it
its adoption is brisk
but like most "innovation"
we've forgotten 'bout risk

Cloud computing's a trade off
Be sovereign or efficient
I guess it depends
on where you think you're proficient

Some things are ripe for the Cloud
others not so much 
Some things we'll let go of
others tightly we'll clutch

Most companies I know
manage risk with their gut
when new tech comes along
they're still mired in that rut

So security gets blamed
for standing in progress' way
yet we're stuck with defending
C, I and A

We need to be agile
but oh yeah, compliant
Though the potential for loss,
means our exposure is giant

Cloud advocates say
Amazon's never been breached
so we can trust that our data
will never be leached?

I guess this all depends
on which model of cloud
you decide to rely on
to make your CIO proud

We've got wares as a service,
Web 2 dot 0, SOA
'lastic clouds, fuzzy storage
It's the future, some say

But I can't help but think
the handwaving's distracting
from the uncomfortable truths
of what this is impacting

We can't even manage
the stuff that we own
yet we're willing to outsource
where our assets call home?

We don't classify data,
can't control where it goes
but we'll transfer our risk
to someone nobody knows?

Disguising marketing efforts
as tech. innovation
and suggesting that insight
will spur risk ideation?


Reduce risk?
Reduce loss?
Create efficient operations?
Those are quite lofty goals,
worthwhile machinations

But the cloud ain't an answer
it's a cyclic response,
evolutionary next-steps
to what the tech. industry wants

They can't solve real problems
so a new one's created
to distract from the point
that we're being masturbated

I'm all for the cloud
been doing it for years!
Got a real game changer?
Hey man, I'm all ears.

You dress up this pig
in a nice looking dress
security will be here
to clean up the mess


Schneier Has It All Wrong: Quantum Crypto is FTW!

October 21st, 2008

I was reading Bruce's recent post on Quantum Crypto and couldn't believe what I read.  I'm horrified:

While I like the science of quantum cryptography — my undergraduate degree was in physics — I don't see any commercial value in it. I don't believe it solves any security problem that needs solving. I don't believe that it's worth paying for, and I can't imagine anyone but a few technophiles buying and deploying it. Systems that use it don't magically become unbreakable, because the quantum part doesn't address the weak points of the system.

No commercial value? Doesn't solve any security problem that needs solving?  Isn't worth paying for?  Only a few folks buying and deploying it!?

Hell, I'm writing a business plan right now and going for VC funding!  This is obviously the next big thing!  After all, this is the mantra that the entire security industry is predicated upon.

Silly Bruce.

/Hoff


Say It Ain’t So, Mama! Economic Uncertainty May Lead To Reduced Security Budgets!?

October 18th, 2008

In the immortal words of David Byrne:

"Same as it ever was. Same as it ever was."

Look, I love my brother from a different mother, and as entertaining as I find Amrit's latest blog on the end of the world due to the world economic malaise, I can't help but remember the last time this happened at the end of the dot-com bubble. 

You might say that it's never been this bad.  You might be right.  However, we've all weathered storms before and while things certainly change — and not always for the best — security will survive.  It may look a little different, however.  Meh.

As I have both said and experienced previously, situations such as this will deliver new regulations and oversight, more compliance requirements, stretched/reduced budgets and a streamlining in role, process, function and technology.  It's the flatlining function in the pulse before the CPR kicks in.

Amrit's predictions are interesting, but all of these things were happening well BEFORE the financial crisis hit as part of the normal cycle of punctuated equilibrium.  Seriously, we've seen this behavior for the last four years already.*  To paraphrase Amrit's "predictions:"

  • Innovation will come to a grinding halt
  • Coming regulations will add to compliance madness
  • Enterprises will instantiate process/capability maturity and efficiency models
  • Companies will move more functions/services to outsourced partners and grapple with SLA, ownership and portability issues.
  • Vendors will quickly grasp at the latest buzzword in order to maintain relevance such as virtualization, SaaS, Cloud, etc.

So again, which of these weren't already happening?

Times are tough.  So are we. 

See you Monday.

/Hoff

P.S.  Buried in the comments is the most profound point I have to make in response to Amrit:

You know how I know this isn't the end of the [security] world? You [Amrit] and I — people who make a career by squawking on blogs — still have jobs

* To make it clear, because I've obviously done a poor job understanding Amrit's points, I'm not suggesting that the impacts of the last few months aren't taking a toll.  I'm suggesting, however, that the crisis(es) are acting as an accelerant delivering more quickly the outcomes of things already in motion.  Further, as I mentioned in the comments, while innovation is certainly delivered from the tech. startup community, it's also driven from corporations when necessity pushes for innovation and innovative solutions even due to reasons like cost control…


The Most Overused Term In Security Product Management/Marketing…

September 3rd, 2008

Next Generation <anything>

Sick of it.  Sucks monkey balls.  Is about as relevant and nonsensical to me as "kosher ham."

I’ve been really annoyed by this term since I ashamedly added it to my lexicon of "roll-off-the-tip-of-my-tongue" buzzwords years ago for reasons I can’t rightly remember.  Too much TV.

I suppose temporally, anything not shipping, regardless of how (r)evolutionary it may or may not be, is technically "next generation," but it’s today overly (ab)used to imply some quantum leap in capability, functionality, or saleability.  Oh, and one usually has to pay more for it.

The truth is — and as I pointed out in my disruptive innovation presentations — there just aren’t that many "big bangs" that deserve to have this moniker hung upon the mantle, but rather a series of dampened oscillations due to punctuated equilibrium until everything settles down and looks pretty much the same.

Then version 1.17 ships and BAM!  Next generation, baby!

To all you product managers and marketers, "next generation" is so over-played at this point that the populace at large simply regards it like the feature lists plastered on the trunk lids of automobiles advertising the niftiest new (but abundantly standard) set of features purchased on the luxo-barge meandering about in the lane ahead.

Whilst I am happy to know that Bob got the GLX, limited edition, R-Series with ABS, sunroof, intercooled turbo with XM radio and AWD, the suggestion that his "seats 8 but still makes him look like a dork" mini-van is a "next generation" platform doesn’t really say much about Bob, now does it?

On the flip side, I’m just thrilled to learn via press release today that "Secure Computing [is] to acquire Securify to drive [its] next generation firewalls" which oddly enough includes a list of features that are aimed squarely at competing with folks like Palo Alto Networks’* "next generation" firewalls which were released sometime ago. 

Further, someone at PAN and Secure Computing will undoubtedly be shocked to learn that Crossbeam, Fortinet, and Cisco all have "next generation firewalls" too.  Crap!  What comes after "next generation?" 

I suppose whatever it is would have to be made of pure unobtanium…

I knew I should have trademarked that…

/Hoff

* Speaking of Palo Alto Networks, you may have missed that a couple of weeks ago, PAN secured a C-Round of $27M.  That ought to be good for a couple more ‘next generations’ of something…they also finally got a new CEO back in July (Lane Bess from Trend Micro.)


By Popular Demand: It’s the End of the BGP World & We Know It…In Poetic Review

August 27th, 2008

What the hell’s goin’ on here?
something’s surely a mess,
our BGP is announcing
the wrong damned AS

See, I announce with this prefix,
it’s a slash 24,
here to there should take 3 hops,
not 18 or more

I’m pinging the next hop and
that works just fine,
ping a host, subnet over,
slows like a POTS line

That Defcon session,
when we IM’d all night,
that shit’s all encrypted
you told me that, right?

My telnet shell’s cleartext!
DONE! Stabbed it with a FIN fork
So why do these Pcap’s
show SYN’s to New York!?

Somethin’ sure does look fishy,
TTLs all askew
are the ISPs tapping traffic
‘tween me and you?

I’m just paranoid, man,
I’m sure it’s all fine.
These ping-pong effects?
BGP’s grand design

I mean really, why worry?
Even though, I confess,
it’s not like we’re vulnerable
like with DNS

BGP must be foolproof
auth’d and encrypted
there’s no way they’ve gamed it,
redirected or sniffed it

It would be quite stupid
if AS routes, you could twiddle,
intercept all my traffic
with a man-in-the-middle

Nah, I’ll sit here, use torrents,
my bits are secure,
close my eyes and imagine
that the Internet’s pure

What’s next though, I wonder,
what protocol hack
will cause Internet chaos
and make the tubes crack?


My Awesome NetBIOS and Token Ring Beacon Attack Will Pwn the Internets!

August 26th, 2008

I was blipping through my RSS reader this evening and noticed this new little doozy of a headline referencing a story that is now weeks old:

Revealed: The Internet’s Biggest Security Hole

Holy crap! That’s pretty scary looking, huh?  Another Internet’s biggest security hole!?  I can’t take another.  I don’t have another poem in me.  What sort of "fool" disclosure is this!?

Then again, there are plenty of big ‘holes on the Internet, so I thought I better make sure it wasn’t me this time 😉

Kapela’s and Pilosov’s cool performance at Defcon was sadly drowned out by Uncle Dan’s DNS flaw and the sheer weight of his grandma’s cookies (which I received zero samples of, by the way ;( )

The gist of this story is that by utilizing the built-in friendliness of BGP, you can cause bad things™ to happen by redirecting, intercepting and then sending traffic back on its way with a high likelihood of not being detected.

"We’re not doing anything out of the ordinary," Kapela told Wired.com. "There’s no vulnerabilities, no protocol errors, there are no software problems. The problem arises (from) the level of interconnectivity that’s needed to maintain this mess, to keep it all working."

It’s another case of "everyone knows this can (and probably does) happen, but we’re just hoping it doesn’t," and very smart people have been warning others about this for years.  You shouldn’t drink the water overseas, either.

Even as recently as the YouTube/Pakistan issue which was a BGP-related issue that caused a DoS, not-so-smart people such as your humble author suggested exactly this sort of thing was possible:

Yes, this is really a demonstration of unavailability, but what I’m getting at here is that fundamentally, the core routing protocol we depend upon for the backbone Internet transport is roughly governed by the same rules that we depend upon whilst driving down a road separated by nothing more than painted lines…you simply hope/trust that nobody crosses the line and crashes into you head-on.

There is very little preventing someone from re-routing traffic. This could result in either a denial of service (as the traffic would not reach its destination) or even something akin to an interception, "storage" and eventual forwarding for nefarious means.

So, here we have a case where again we depend upon a protocol that was designed to provide (A)vailability, yet C and I are left floundering in the wings.  We’ll no doubt see another round of folks who will try and evangelize the need for secure BGP — just like secure DNS, secure SMTP, secure…

This will hit deaf ears until we see the same thing happen again…

Ooooh.  I must be psychic.

Wait until I demonstrate how to redirect the NetBIOS traffic of every Win2K/XP box that has NBT bound to the NICs by a cleverly devious combination of ICMP source quench, token ring beacons and uPnP.

I’ll be FAMOUS!

/Hoff


Virtualized Infrastructure: It’s All Fun and Games Until Someone Loses An (PC)I…

August 15th, 2008

I just responded to a comment from Iben Rodriguez on one of my virtualization and PCI blog entries from a while back and posted an observation while at the same time managing to make a funny (see the title).

I wanted to both reflect upon Iben’s comment as well as chuckle a bit.

From what I extracted from his comment, Iben is suggesting that perhaps virtualization should not affect an auditor’s approach or differentiate the audit process from a physical server depending upon the definition of a "server:"

Is an ESX Host a server?

It should be considered similar to the chassis holding a bunch of blade servers. 

These have management ports on separate networks, with LDAP authentication over security protocols like ssh and ssl.

And why not treat them as a hybrid device with different network switches, storage controllers, etc?

Vmware has recently removed the word "Server" from after the ESX product name…

It’s not a server, it’s a hypervisor.

It’s not a server, it’s a switch.

By defining what a server is and is not, a PCI audit should be pretty straightforward.

I think this is a messy question and one we ought to continue to address.  I need to go and check out my ISACA references to seek guidance on this matter from a, um, "higher" source 😉 I do think that ultimately this is a very subjective issue, to which I responded:

The answers to your questions/suppositions are quite simple:

"It all depends upon the auditor."

Most of the folks I’ve spoken to recently are essentially counting upon the ignorance of the auditors and the general confusion regarding terminology and technology to glide by at this point.

Server/blade/hypervisor/switch … it’s all fun and games until someone loses a (PC)I… 😉

"As long as I put in place the same host controls I do in a physical environment and not tell the auditor it’s virtualized, it’s all good and what they don’t know, won’t hurt me."

Sad but true.

I find this practice/observation to be more and more common as the push to virtualize all infrastructure — including externally-facing DMZ’s — starts to become more visible in the compliance and audit spaces.

Whack-a-mole!

/Hoff


Leo Laporte Reads My DNS Debacle Poem on Security Now Podcast…

August 14th, 2008

From the Department Of Serendipity…

Thanks to a heads-up from my buddy Jack Daniel, rumors that Leo Laporte read my DNS Debacle poem on the Security Now podcast are confirmed. 

I’ve listened to and watched Leo’s shows for a long time and it was very cool to hear him rattle off my prose. 

Despite the glorious buzz of two-stroke gardening equipment in the background, Leo’s fantastic radio voice, dripping in the style of Dr. Seuss, added a surreal quality to my poem as he read it.

Thanks very much to both Steve Gibson and Leo Laporte for the nod.

It starts at around 18:40 into the podcast.  Check it out here.

/Hoff


My Karma Just Ran Over Your Dogma…

July 30th, 2008

From AndyITGuy who summed it up perfectly:

For everything else there’s karma

Per the article above: "Now he’s one of the first victims of such an attack. ‘It’s funny,’ he said. ‘I got owned.’"*

Yeah, real funny. 

/Hoff

* There’s lots of thrashing going on as to the veracity of HD’s quote regarding being owned.  Regardless of the theatrics involved, it’s interesting food for thought when the result of exploit research might be turned against the researcher…
