Archive for the ‘Jackassery’ Category

On Releasing PoC/’Sploit Code For Near Zero-Day Vulns

July 24th, 2008 11 comments

One of my responsibilities as security cruise ship entertainment director is to distill the most complex things down into bite-sized digestible nuggets of chewy informative goodness whilst ensuring a good time is had by all.

It is in this spirit that I offer this gem regarding the release of PoC/Exploit code by supposed "whitehats" immediately after the disclosure of a nasty vulnerability.  This post is random, of course, and is in no way a reference to any current event.

This quip was brought to you via Twitter which managed to stay up and functional long enough for me to tweet it:

POC code for near-zero day ‘sploits is like SPAM advertising penis-extending drugs…the only dick it’s helping is the one writing it…

That is all.

/Hoff

Categories: Jackassery

No DNS Disclosure Debacle Here: Stiennon Pens the Funniest Thing I’ve Read in 2008…

July 22nd, 2008 6 comments

Hat tip to Rothman for this.

I don’t know if Stiennon is off his meds or simply needed to re-post something from 2001 to meet an editorial quota, but his Network World article titled "The Most Important Networking Trend of 2008" ties thus far with the "Evolution of Dance" as my vote for most entertaining Internet content.

Richard’s epiphany goes something like this:

  • Multifunction network devices that have the ability to "route" traffic and combine security capabilities are the ‘next big thing’
  • If a company offers a multifunction network device that has the ability to "route" traffic and combine security capabilities but has the misfortune of using Linux as the operating system, it will "…forever be pigeon-holed as SMB solutions, not ready for enterprise prime time."
  • The Wall Street Journal issued "… the year’s most important article on networking" in an article titled "New Routers Catch the Eyes of IT Departments" which validates the heretofore undiscovered trend of convergence and commoditization!
  • "Real" network security players such as Cisco, Juniper and Redback are building solutions to this incredible new trend and, because of the badge on the box, will be considered ready for "…enterprise prime time."
  • The WSJ article talks about the Cisco ASR1000 router as the ultimate representation of this new breed of converged "network security" device.
  • Strangely, Stiennon seems to have missed the fact that the operating system (IOS-XE) that the ASR1000 is based on is, um, Linux.  You know, that operating system that dictates that this poor product will "…forever be pigeon-holed as SMB solutions, not ready for enterprise prime time."

Oh, crap!  Somebody better tell Cisco!

So despite the fact that the Cisco ASR1000 is positioned as an edge device, as are these crazy solutions called UTM devices, it seems we’re all missing something, because somehow a converged edge device now counts as being able to provide a "secure network fabric?"

In closing, allow me to highlight the cherry on top of Stiennon’s security sundae:

Have you ever noticed how industry "experts" tend to get stuck in a rut and continue to see everything through the same lens despite major shifts in markets and technology?

Yes, Richard, I do believe I have noticed this…

Funny stuff!

/Hoff

Visualizing Security: Exploring Digital Via the Analog…

July 14th, 2008 4 comments

Amrit turned me onto a Network World article titled "12 Ways to Visualize Network Security" in which his analog of security as a cheese grater is featured.

Yup, there’s castles and cars and…

In an attempt to annoy the crap out of everyone, I decided to start spewing out my candidates via Twitter (beaker) so as to force as many un-follows as possible.

Here are some of my off-the-cuffs [remember, these have to fit in < 140 characters]:

  • Security is like Escargot. It’s crunchy on the outside, chewy on the inside, and like everything else, should be blamed on the French!
  • Security is like Kimchee…to make it you have to slap it together, bury it and then dig it up when it smells to explain how special it is..
  • Security is like Durian: It’s lousy in airports, stinks when exposed and looks oddly out of place no matter how you slice it…
  • Security is like fertilizer, the more shit you spread around the worse it gets and watering it down only makes it worse
  • Security is like a vibrator, the more you have to use it, the less fun the real business becomes…
  • Security is like weed, homeopathy and faith healing; sometimes nothing beats cutting the tumor out, but faith in snake oils is more fun
  • Security is like a pig; well, ’nuff said.
  • Security is like your ’82 Ford Escort; you can keep telling everyone that it was your mom’s ride & gets good mileage, but everyone knows…
  • Security is like a pomegranate; seriously, who the fuck thought it was a good idea to try THAT!
  • Security is like balut; when crunchy on the outside, chewy in the middle doesn’t work, go crunchy everywhere?  Sweet Jesus.
  • Security is like a vacuum cleaner; both have dirtbags and "suckage" is the primary metric.

Sadly, nobody un-followed and instead I got like 10 new TwitterBots following me instead.  Ain’t that a bitch?

/Hoff

P.S. My man Mogull flung back some fine satirical smackage…nicely played, sir!:

[image: Mogull’s reply]

Categories: Jackassery

Rachael Ray Is A Terrorist, Sponsored By Osama Bin Doughnut…

May 31st, 2008 15 comments

Talk about your weapons of mass distortion!  As much as I detest Rachael Ray, her proclivity for abbreviating ingredient names, and her lack of actual mad chef skillz, this is absolutely retarded.

The Chicago Tribune reports that Dunkin’ Donuts, for whom Ray is a spokesperson, has pulled an advertisement featuring her EVOO-ness because some nut job — Michelle Malkin — suggested that the scarf she was wearing in the commercial looked like a "jihadi (chic) keffiyeh" worn as traditional garb by Palestinians:

Dunkin’ Donuts has canceled an online advertisement featuring celebrity chef Rachael Ray after complaints that a scarf she wore in the ad offers symbolic support for terrorism.

Dunkin’ Donuts said Wednesday it pulled the ad over the weekend because of what it calls a "misperception" about the scarf that detracted from its original intent to promote its iced coffee.

Critics, including conservative commentator Michelle Malkin, complained that the scarf appeared to be traditional garb worn by Arab men. The ad’s critics say such scarves have come to symbolize Muslim extremism and terrorism.


Malkin decided to describe Ray’s choice of accessory as "hate couture."  Unbelievable.

Well, I guess I’ll have to go back to drinking Starbucks since consuming DD iced coffees is obviously the equivalent of state-sponsored (or at least costumed) terrorism.

Land of the free, indeed…

/Hoff

Categories: Jackassery

Poetic Weekly Security Review

May 17th, 2008 No comments

I do these every once in a while.

Enjoy

The Air Force, it seems,
wants its own net of bots
how many you ask?
The good colonel says "lots!"

The best defense is offense
to defend, they’ll attack
After the DDoS
you’ll get your game console back

Seems NATO’s on board
the Baltics are chuffed
the Cybersecurity center
means attacks will be stuffed

If your cable’s from Charter
they’ll know you surf porn.
Want your privacy back?
Get Obama on the horn

Speaking of privacy,
can you say P-R-N-G?
if you’re running Ubuntu
I’ve pwned your root key

The free email archival
from NSA — quite a mess
they got knocked off the air
‘cos of bad DNS

Seems virtualization security’s
not Simon’s problem to fix
beyond hypervisors
they simply don’t mix

Troubled by compliance?
governance giving you fits?
risk management efforts
driven by auditor twits?

Fear not my good lemmings
I’ve the answer, you see
close your eyes, send a check
Behold: GRC!

Check Point launched ForceField
sandboxed browsing – how zen
I installed it, went browsing
but it broke VPN

Nessus licensing changed
not that much of a hassle
though some might have to pay
for the coolest new NASL?

Dave & Busters suggests
that you eat, drink, and play
Three dudes from east europe
took that quite the wrong way

Yahoo’s in turmoil
Icahn wanted a "yes!"
HP spent near twelve billion
and they bought EDS

HSBC lost a server
Oh what could be finer
than your banking details
floating ’round China

Oh rootkits, we love thee
Where are you hiding them then?
In software, in firmware?
Oh, look! SMM

Don’t forget IOS,
there’s a rootkit there, too
pwnage of routers
means no sleep for you!

Intrusion tolerance solutions?
What’s that you may query?
It’s admitting that losses
are real, not theory 

New PCI — deadline’s coming,
what will you do,
to comply with the new stuff
in version 1.2?    

And finally,
I’m bullish on Google, I am
except when their mailer
starts sending me spam 

Categories: Jackassery, Poetry

Truly the Biggest Thing At RSA…

April 18th, 2008 2 comments

What was the biggest thing at RSA this year?

Information Centricity?  Been there, done that.
Security Innovation?  SO last Tuesday.
DLP?  Nope.
NAC? Nah-Uh.
GRC? Not so much.

The biggest thing at RSA this year was, of course, my conference badge:

[image: Hoff’s RSA conference badge]

Categories: Jackassery

Geer pwns Hoff – Round 2

April 13th, 2008 No comments

The intellectual integrity scandal of the century has reared its ugly head once again. 

At RSA in the bar of the Westin, I was confronted by an unruly mob of Ex-@Stakers, fueled by their infamous ringleader Dan "El Guapo" Geer, who cornered me rather forcefully between a Bellini and a half-empty bottle of Dos Equis.  He suggested that were I not to cooperate, a true demonstration of punctuated equilibrium would be at my expense.

It was during this mental waterboarding session that I was unduly pressured to provide a public admission of guilt and forced to yield to photographic evidence of the event after El Guapo craftily scratched out "my " confession on a bar napkin which read "Hoff stole my preso."  At least he spelled my name correctly.

[image: Hoff and Geer with the bar-napkin confession]

This was a sad day, indeed.  El Guapo sank my battleship 🙁

/Hoff

Categories: Jackassery

Mommy, Why Is There a Server In the House?

January 29th, 2008 6 comments

[image: book cover, "Mommy, Why Is There a Server In the House?"]
Hat tip to Scott Lowe

This is an honest-to-[insert deity here] book.  You can check it out on Amazon.  You can also read the online version here.

Unfortunately this book hits a little too close to home.  Literally.

You see, there are currently two rackmount appliances, several switches and some laptops whirling away in my wife’s sun room.  Last week they were accompanied by a couple of network security appliances, also.  I work out of my house lab, so I need stuff to hook to my 20Mb/s FIOS line to justify the expense (besides the UFC pay-per-views.)

Each of these global warmers has what must be several hundred cooling fans, various buzzing thingys and 40 power supplies amongst them.  They’re so neat to look at in the dark, casting eerie LED reflections onto the snow outside on my deck.  Yet I digress.

But what are they doing here, you ask?  Why are they in the Sun room?

That is exactly the question asked by my four year old.  Daddy calmly answered "Well because they sound like the combined output of a swarm of angry bees and a Sikorsky dual-rotor helicopter and I sure as hell don’t want them in my office."

Puzzled, she toddled off to watch Dora the Explorer downstairs in the family room where the only thing resembling a computer is the Verizon FIOS STB with DVR.  Ingrate.

I shall print this handy guide to edumacating my child-spores so that no longer shall I have to endure their petty little questions regarding the 20-node Beowulf cluster I’m building in the kitchen.

Anyone have the ISO for the latest DivorceOS?

/Hoff

Categories: Jackassery

It’s On The Internet, It Must Be True!!

December 15th, 2007 5 comments

[image: "It’s on the Internet, it must be true"]

Case in point, here.

That is all.

/Hoff

Categories: Jackassery

You Want the Truth? You Can’t Handle the Truth…

October 27th, 2007 9 comments

I found the following dialog which I borrowed liberally (and slightly modified) from the script of "A Few Good Men" deliciously apropos.

Given the recent rash of status quo apologists who continue to cling to some bizarre notion that all I want to do is steal their girlfriends, call them names and separate them from their precious firewalls, I couldn’t help myself. 

Two outa three ain’t bad, I suppose.

I’ve got people putting together bitchin’ soundtracks in my honor and showing real concern that I’ve just gone off the deep end, pleading with me to revert to my prior ways before an intervention is required.

So what the hell…let’s have some fun with that concept.

In this scene, I imagine myself (I’ll be Tom Cruise) interrogating one of my firewall-fanboy antagonists (Nicholson) regarding the unnatural attachment to implementing technology rather than solving business problems, right after a botched cover-up of (and if this isn’t serendipity…) a "Code Red":

Son, we live in a world that has firewalls, and those firewalls have to be configured by men with policy editors, bad attitudes and an extensive knowledge of ACLs.  Who’s gonna do it? You? You, Lt. Weinberg?  I have more responsibility here than you could possibly fathom.

You weep for de-perimeterization, and you curse the firewall jockeys. You have that luxury.  You have the luxury of not knowing what I know. That the perimeter’s greatly exaggerated death, while tragic, probably saved my ass from not patching my servers.  And that my existence, while grotesque and incomprehensible to you, saves machines.

I know deep down in places you don’t talk about at parties, you don’t want me on that firewall, you need me on that firewall.

We use words like threat, vulnerability, budget. We use these words as the backbone of a life spent defending "something." You use them as a punchline.

I have neither the time nor the inclination to explain myself to a man who rises and sleeps under the blanket of the very security I provide, then questions the manner in which I provide it.

I’d prefer you said thank you, and went on your way. Otherwise, I suggest you pick up an IPS and weed out false positives. Either way, I don’t give a damn what you call what I do!

That pretty much sums up the situation thus far, I’d say…

You can find the original dialog here.

/Hoff
(If even one of you takes this seriously, I’ll really put some effort into annoying you…)

Categories: Jackassery