I am a pretty upbeat person, and despite my tendency towards snark I am optimistic by nature. You might find that surprising, given my profession of computer and software security, but it’s not. I have gotten a daily barrage of negative news about hacks, breaches, and broken software for well over a decade now. Like rainwater off a duck’s back, I let the bad news wash over me, and continue to educate those interested in security. Sure, I have had days where I say “Crap, security on everything is broken – and worse, nobody seems to get it.” Which is pretty much what Quinn Norton said last week with Everything is Broken. But her article was so well-written that it got to me. It is a testament to the elegance and effectiveness of her arguments that someone as calloused as I could be dragged along with her storyline, right into mild depression. It didn’t help that my morning reading consisted of that and this presentation on how the Internet and always-on connectivity may be making our lives worse. Both offer a sober look at the state of security and privacy; both were well done, with provocative imagery and text. And I admit, for the first time in a long time, I allowed them to get to me. Powerful posts.
I think most people in security get to this same point of frustration at some point in their career. Like Quinn, I try to un-frack my little corner of the world whenever possible. Perhaps unlike Quinn, I accept that this is a never-ending game. Culture is not broken – it is in its natural state between civilization and chaos. It just pisses us off that it’s our own government spending our tax money to create so much of the chaos. Computers and electronic systems are probably a bit more secure from Joe Hacker than they were in 2001 – about when I came to this realization – but government hackers and criminals are much better too. For most folks the daily grind is a balancing act, where things are only unbroken enough to work most of the time. Those of us in security think that if you don’t control your systems, they are essentially non-functional and broken. But for the people who own the systems, software, and devices there are many competing priorities to worry about; so they put just enough time, effort, and money in to patch things up to achieve their acceptable level of dysfunction. In the balancing act I can affect momentum somewhat, but not define the balance point. At least that’s what I tell myself as I swing in my hammock, shaking off the blues.
On the totally opposite end of the spectrum is Shack. And thank $DEITY for that! His post this week – A Hacker Looks at 40 – is a classic. Reading it is like surfing the Banzai Pipeline. “First, the industry we’re in. WOW. What a shit show … Yeah, it is volatile, and messy, and changes all the time. Thank goodness.” It’s all that and more. Loved Shack’s #1 takeaway: Learn Constantly. That is one of Rich Mogull’s too. You may be tired of hearing about cloud, mobile, and big data as disruptive tech, and the term DevOps makes many wince, but once you jump in it’s awesome and exciting. What a great time to be in security!
They say there is no such thing as bad press, but Ubisoft’s promotion of Watch Dogs got pretty close. Apparently they anonymously mailed a black safe to several media outlets, including Ninemsn. Locked, of course. Then they mailed an anonymous letter telling the recipients to check their voicemail. And left anonymous voicemail with the PIN to open the safe, but not before it started beeping. Cool, right? But Homer Simpson was not there to open the safe for them, so Ninemsn called the bomb squad. After the initial panic and clearing of the building, a copy of the new Watch Dogs game was found. Ah, good times! The presence of booth schwag is unconfirmed. I am just disappointed that the bomb squad wouldn’t say whether they liked the new video game or not. I mean, getting the word out was the whole point, right?
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- David Mortman: What You Need to Know About Amazon’s New Volume Storage Encryption.
- Adrian Lane: What You Need to Know About Amazon’s New Volume Storage Encryption. I say “Cheap, Fast, and Easy” wins, and AWS made volume encryption just that.
- Mike Rothman: What You Need to Know About Amazon’s New Volume Storage Encryption. Amazon is pushing things forward pretty quickly. Pay attention to their new stuff. And what Rich didn’t mention is that every time Amazon changes stuff, he has to update our CCSK training screenshots. So I think he’s secretly hoping for slower innovation…
Other Securosis Posts
- Incite 5/28/2014: Auditory Dissonance.
- Translation Machine: Responding to (Uninformed) Bloggers.
- Summary: A Thousand Miles.
Favorite Outside Posts
- Dave Lewis: ISS’s View on Target Directors Is a Signal on Cybersecurity. If you are keeping score at home we have a number of firsts: CIO dismissal, credit rating downgrade, CEO dismissal, boardroom shakeup. That is a lot of firsts – this is a Sputnik moment for security.
- David Mortman: Postmortem for outage of us-east-1. <– Joyent accidentally reboots an entire data center. Not a pure security issue, but input validation (or the lack thereof) strikes again.
- James Arlen: TrueCrypt’s demise. Kees Leune nails the TrueCrypt thing in this post.
- Adrian Lane: A Hacker Looks at 40.
- Mike Rothman: Tribal organizing (right and wrong, slow and fast). It has been a while since I linked to Godin. This is a good one about building a community – the right way. I love how he calls out folks for using invented urgency. We see that every day in security. Every. Single. Day.
- Rich: Why NSA Critics Are Wrong About Internet Vulnerabilities Like ‘Heartbleed’. I don’t agree completely with Aitel, but I also don’t agree with people who say the NSA shouldn’t hold any 0day. Fuzzy lines on a tough issue that won’t go away anytime soon.
Research Reports and Presentations
- Defending Against Network-based Distributed Denial of Service Attacks.
- Reducing Attack Surface with Application Control.
- Leveraging Threat Intelligence in Security Monitoring.
- The Future of Security: The Trends and Technologies Transforming Security.
- Security Analytics with Big Data.
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7.
- Eliminate Surprises with Security Assurance and Testing.
- What CISOs Need to Know about Cloud Computing.
- Defending Against Application Denial of Service Attacks.
Top News and Posts
- AMD: Why we had to evacuate 276TB from Oracle DB to Hadoop. More evidence of disruption caused by NoSQL.
- Apple Forgets to Renew SSL Certificate, Breaking OS X Software Update [Fixed]. It happens.
- 128-bit crypto scheme allegedly cracked in two hours. Not clear which crypto scheme.
- That One Time I Threw A CryptoParty With Edward Snowden.
- Lowe’s Warns Of Cloud-related Data Compromise.
- Google calls time on third-party Chrome extensions.
- Snowden says NSA watches our digital thoughts develop.
- OpenSSL receives funding.
- California Joins Other States In Investigation Of eBay Hack.
- Microsoft Stands Up To FBI Over Customer Data.
- Oy vey, eBay! Five questions for you…
- US cybercrime laws being used to target security researchers. A modern witchhunt.
- eBay Urges Password Changes After Breach.
Blog Comment of the Week
This week’s best comment goes to Andrew Yeomans, in response to Mike’s post on Auditory Dissonance.
Soon all the adverts in your web pages will be for Bieber shirts and perfume! Enjoy!