Incite 7/6/2011: Reading Between the Lines
By Mike Rothman
As mentioned last week, our girls are off at sleepaway camp. They seem to be having a great time, but you can’t really know. Obviously if there was a serious issue, the camp would call us. Since we dealt with the nit-uation, we have heard from the guidance counselor that XX2 is doing great, and from the administrator that XX2 needs more stationery. Evidently she is a prolific writer, although our daily mailbox vigil has yielded nothing thus far. We’ll save a spot for her at Securosis, since by the time she’s out of school, I’ll need someone else to pick up the mantle of the Incite.
The one thing that is markedly different from when I went to camp is the ability to see daily photos of the camp activities. Back when I went in the ’80s, camp was a black box. We got on the bus, we’d write every so often, but my folks wouldn’t really know how we were doing until they came up for visiting day. Now we can see pictures every day, and that’s when the trouble begins.
Why? Because the pictures don’t provide any context. Our crazy overactive brains fill in the details we expect to be there, even if it means making stuff up. We read between the lines and usually it’s not a positive thing. So you see XX1 in a picture and she isn’t wearing her skirt. What’s the matter, doesn’t she like her clothes? Or she is smiling from ear to ear, but is that a genuine smile? Or she’s at the end of the row of kids. Why isn’t she right in the middle? Yes, we understand this line of thinking makes zero sense, but your brain goes there anyway.
And even worse is when the girls aren’t in any pictures. What’s the deal with that? Are they in the infirmary? Aren’t they having fun? Why wouldn’t they be attention whores like their dad and feel compelled to get into every picture? Don’t they know we are hanging on every shred of information we can get? How inconsiderate of them.
Yes, I am painfully aware that this behavior is nonsensical. Camp is the greatest place on earth. How could they not have a great time? Grandma got a letter from XX1 and she said her bunk is awesome. We know the girls are doing great. But I also know we aren’t alone in this wackiness – when we get together with our friends we’re all fixated on the pictures. I’m pretty sure having the ability to fill in details in the absence of real information saved our gene line from a woolly mammoth or something 10,000 years ago, so it’s unlikely we’ll stop. But the least we can do is make the story a happy ending each day.
Photo credits: “Reading Between The Lines” originally uploaded by Bob Jagendorf
Incite 4 U
Most (but not all) is lost: Good thought-provoking piece here by Dennis Fisher entitled Security May Be Broken, but All is Not Lost. His main contention is that the public perception is awful, but that’s only half the story – folks who block stuff successfully are not highlighted on CNN. It’s part of why I call security a Bizarro World of sorts. Only the bad news is highlighted and a good day is when nothing happens. But the real issue that Dennis pinpoints is the continued reticence of almost everyone to share data on what’s working and what isn’t. Whether the sharing is via formal or informal ISAC-type environments, security benchmarks, online communities (like our sekret project), or whatever, Dennis is spot on. Until we start leveraging our common experience, nothing will get better. – MR
Dropped Box: It’s hard to root for a company – whose product you use and like – when they keep making boneheaded moves. If you didn’t hear, Dropbox poured gasoline on the idiocy fire when they came out with new Terms of Service that grant them wide latitude to mess with your stuff. I was hoping for an acknowledgement of the security architecture issues on the client and server side, along with a roadmap for when they will be resolved. Instead they lawyered up and gave themselves immunity to do stuff to your stuff, and when customers complained, they basically said customers misunderstood them. Yes, customers must be wrong because Dropbox is the first company to hold vast stores of customer data, so no one else could possibly understand the nuances of their business. Who over there is not getting it? Management? Tech staff? Their PR agency? Their lawyers? All of the above? Do they not understand they must never – under any circumstances – allow a stolen configuration file to grant any client access to customer data? There is no reasonable explanation for a cascading failure on the server side which exposes accounts. It might be understandable that you need to make ‘translations’ of content (though Mike says that’s a bunch of crap), so they should specifically only need permission to do that. Don’t use overly broad legalese, like derivative works, because that opens up totally unacceptable use cases! Why is anyone satisfied with a security document that fails to explain how they handle key management or multi-tenant data security? I moved everything except 1Password’s independently encrypted password store off Dropbox yesterday, and am evaluating Spideroak. I’ll come back as an advocate and customer if they fix their mess, but they continue to pat themselves on the back for bad decisions, so it might be a long wait. – AL
Second: Hopping onto Twitter at one point over the weekend I thought Dropbox had been taken over by Kim Jong-Il and all my data printed out and personally mailed to Anonymous, the NSA, and my third-grade English teacher. Hunting it down (you know, by reading 2 tweets back), I learned it was a change in the Terms of Service. Then I read the new terms and I realized some cruddy lawyer dropped in a bunch of boilerplate language for online services, but the new terms don’t really change anything. Dropbox is still just as secure/insecure as it was the day before, but that didn’t stop the pile-on. The thing is, when it comes to the news, it often pays to be second. Instead of reacting, some things are worth riding out for a few minutes, hours, or days to see what happens. In this case the Dropbox folks realized their mistake, and updated the terms to be clearer. That doesn’t mean they don’t have serious issues – while we already encrypt the really sensitive stuff we have there, we’re looking at alternatives for the less-sensitive but still valuable stuff due to Dropbox’s recent security failure, and our guts tell us their culture doesn’t really get security and privacy. But, aside from their problems, watching the Twitter stream this weekend really emphasized that it’s often better to let the facts play themselves out before jumping. This is the difference between “analysis” and “reporting”. – RM
Spafford finally comes clean: When Bejtlich calls you one of the three wise men in the security industry, you know there is something there. But there probably isn’t a more modest guy than Prof. Gene Spafford in the business. In this great post, he finally admits some of the key innovations he has been involved with. A few years ago, I’d have figured he was probably a bit sore not to have directly profited from these innovations, but anyone who stays in academia for 20+ years isn’t really chasing a brass ring. But besides marveling at the Professor’s crystal ball, pay very close attention to the techniques he was pioneering decades ago. Honeypots, extensive monitoring, encryption of sensitive data. Things we take for granted today, but still screw up in reality. And I’m a bit glad these tried-and-true techniques are largely the same after so much time has passed. It means there is a timeless nature to solid defense, and that we need to focus on these tactics and stop chasing shiny objects shipped in newfangled boxes. Amen to that. – MR
Pirates vs. Privacy: I have heard several times that Apple’s iTunes Match is a brilliant concept: Apple found a way to monetize pirated music without wasting all the profits on RIAA lawsuits. While I don’t agree with the characterization, a lot of people view the service this way. What immediately came to mind is RIAA trolls, and Ars Technica is asking the same question: Will iTunes Match be used to chase down music pirates? It would fit the RIAA’s modus operandi – subpoena all Apple iCloud accounts and see if they can detect pirated music, then send every user a bill along with threatening letters. Apple’s real value here is threefold: ubiquity of music, higher resolution than what people originally digitized, and no time- and bandwidth-consuming uploads. But it calls into question every privacy agreement between a user and their cloud service provider if every cloud provider can be forced to supply private customer data via subpoena. In the long term, it will behoove service providers to divorce themselves from the content they serve – even to the point of having the client encrypt data to avoid having access. It relieves them from some of the security and legal burdens. Obviously with Apple’s iTunes Match model this may not be feasible, but any intelligence gathering from the client side should be limited to ensure Apple is safeguarding their customer data and interests. I expect we will hear a lot more about this in the coming months, and I will wait a while before jumping on the bandwagon, to see how quickly the RIAA jumps on customers. – AL
Feds on the ball: For most of the history of cyber-security we have operated with very little support from law enforcement. Sure, there were always a few good agents/officers to handle some of the bigger cases, but for the most part the rest of the world was on their own. The FBI or Secret Service was as likely to take your servers and pull your entire company down as actually help you. This most definitely appears to be changing, as described in this interesting article that culls an agent’s testimony in a case. The Secret Service isn’t just snagging systems and sending them off to a non-existent forensics lab, they are penetrating the computer underground, working with other international agencies, and putting actual bad guys in jail. Think about it – the bad guys behind many of the big breaches are behind bars or on trial. Now we just need a little trickle down. And if I were in LulzSec I’d be a little nervous. – RM
Buy this man a ticket to the security theater: Before I light him up, let me say that Nick Selby is a friend of Securosis. Back from his 451 Group days, we’ve followed and engaged in a lot of what Nick has been talking about. But in his piece from last month, Security is not about marketing until it fails, he misses the point. Using RSA’s marketing of their breach (or lack thereof), he concludes that security is not about making customers “feel” secure, it’s about actually protecting things. Au contraire, I don’t see how you can separate the two. We all suffer through the indignity of TSA groping or ineffective cancer scans, mostly because they make people feel better. Schneier calls this security theater. There’s no difference in how every company markets their security products/services. Part is about security stuff, but in the trenches we know the folly of that. So a large part is addressing the psychological/compliance need to do something. And businesses are willing to spend billions each year to scratch that psychological itch. To think that RSA or any security vendor should just focus on protecting (especially when the aura of protection is questioned due to a breach) shows a general naivete about how the security industry works, which is frankly surprising from Nick, given how long he’s been around. – MR
**Editor’s Note:** As you see above, at times we have differences of opinion internally. The situation with Dropbox is one example, but we like to debate things in public and let everyone make their own decisions, seeing both sides of the argument. Not that Rich and Adrian’s views are fundamentally incompatible – Adrian is more pissed about Dropbox security FAIL than anything else – but it’s still a disagreement. I could have sent these back to both of them and asked them to provide a coordinated _Securosis_ view of the situation, but what fun would that be? – Mike.