Summary: Thin Air
Rich here. A quick mention: I will run a security session at Camp DevOps in Boulder on May 20th. I am looking forward to learning some things myself.

My wife and I spent this past weekend up in Flagstaff, AZ for our anniversary. I am not much of a city guy, and am really much happier up in the mountains. There is just something about the thin air that lifts my spirits. Our home is on the Northwest corner of Phoenix, with easy access to the hills, so Flag is a frequent getaway. It has mountains, half a dozen craft breweries, a compact downtown with surprisingly good food, and a place called “Hops on Birch” – what’s not to like?

The best part (that I will talk about) was walking into a coffee shop/bar around lunchtime and realizing it was where all the local bartenders congregate to recover. We learned a lot about the town while sipping Irish coffees. Scratch that – the best part was ditching the kids. And walking to three of those craft breweries before ending with dinner at the Thai place. But top three for sure.

As a researcher sometimes I forget that what seems blatantly obvious… isn’t. Take the reports today about Apple revealing what data it can share with law enforcement. I figured it was common knowledge, because Apple’s security model is pretty well documented, and I even lay out what is protected and how in my iOS security paper. But most reports miss the big piece: Apple can access the file system on a passcode-protected device. Anyone else needs to use a jailbreak technique, which I find interesting. Especially because jailbreaks don’t work on recent hardware without a passcode.

I had a pretty cool moment this week. I was writing an article on security automation for DevOps.com. I didn’t have the code for what I wanted, and it involved something I had never tried before. It only took about 20 minutes to figure it out and get it working.
My days as an actual coder are long over, but it feels good to have recovered enough knowledge and skills that I can pinch hit when I need to.

But it didn’t last long. I spent about 12 hours yesterday struggling to repair one of our cloud security training class (CCSK) labs. We have the students pick the latest version of Ubuntu in the AWS user interface when they launch instances, and then insert some scripts I wrote to set up all the labs and minimize their need for the command line. It pains me, but a lot of people out there get pissed if you force them to type in a black box instead of clicky-clicky. Thinking is hard and all.

Ubuntu 14.04 broke one of the key scripts needed to make the labs work. I started debugging and testing, and for the life of me couldn’t figure it out. Nothing in logs, no errors even in verbose mode. I quickly narrowed down the broken piece, but not why it was broken. Running all the commands manually worked fine – it was only broken when running scripted. MySQL and Apache take a lot of domain knowledge I don’t have, and the Googles and Bings weren’t much help. Eventually I realized restarting MySQL was dropping the user account my script added. By changing the order around I got it working, but I still feel weird – I don’t know why it dropped the account. If you know, please share.

On the upside I made the scripts much more user-friendly. I thought about completely automating it with all the DevOps stuff I have been learning, but the parts I have in there are important to reinforce the educational side of things so I left them.

So a great weekend, fun coding, and a reminder of how little I really know. On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Mike quoted in “Do you really think the CEOs resignation from Target was due to security?”
Adrian and Mort speaking next week at Secure360.
Rich with Adam Engst at TidBITS on the iOS Data Protection bug.

Favorite Securosis Posts

Adrian Lane: Firestarter: There Is No SecDevOps. The boys did a nice job with this one – and Mike got all existential! That mindful stuff must be having an effect.
Mike Rothman: Firestarter: There Is No SecDevOps. I get to say “Security must lose its sense of self in order to survive,” in this week’s Firestarter. That’s all good by me.

We were a little light this week – sorry about that. Big projects, travel, and deadlines have been ongoing problems. But heck, we still blog more than nearly anyone else, so there!

Other Securosis Posts

Incite 5/7/2014: Accomplishments.
New Paper: Advanced Endpoint and Server Protection.

Favorite Outside Posts

Adrian Lane: Shifting Cybercriminal Tactics. You may be tired of cyber security reports, but this one from MS is a quick read – and the change in tactics is a sign that MS’ efforts on trustworthy computing are working.
Rich: The Hunt for El Chapo. I have been on a real crime story kick lately.
Mike Rothman: Antivirus is Dead: Long Live Antivirus! Krebs goes on a rant about how attackers test their stuff before attacking you with it, and that is a big reason AV doesn’t work well any more.

Research Reports and Presentations

Defending Against Network-based Distributed Denial of Service Attacks.
Reducing Attack Surface with Application Control.
Leveraging Threat Intelligence in Security Monitoring.
The Future of Security: The Trends and Technologies Transforming Security.
Security Analytics with Big Data.
Security Management 2.5: Replacing Your SIEM Yet?
Defending Data on iOS 7.
Eliminate Surprises with Security Assurance and Testing.
What CISOs Need to Know about Cloud Computing.
Defending Against Application Denial of Service Attacks.

Top News and Posts

What Target and Co aren’t telling you: your credit card data is still out there.
Network Admin Allegedly Hacked Navy While on an Aircraft Carrier.
Serious security flaw in OAuth, OpenID discovered.
How the Target CEO resignation will affect other execs’