“Hi Mike, how are you this morning?” When I heard those words I instinctively checked over my shoulder, since no one really calls me by name in any of the coffee and bagel shops I frequent. And that is intentional. I like to be the nondescript guy who may look familiar, but you don’t know from where. I don’t do small talk, and if I’m in a very good mood, maybe you’ll get a smirk. Other than that, I’m just the guy with his head down, inhaling coffee, and banging away at his Mac.

Friendly anonymous is an oxymoron...Part of this is the security mindset. I vary my patterns and try to blend in. You never know when that hit team will be after you, so I don’t want to be a soft target. I’m also mostly anti-social. Sure, I turn it on for a few events a year, but truth be told, I’m like most of you. Introverted and happy to do my thing and not engage in small talk about stuff I mostly don’t care about. Unless I’m talking to you, then I’m very interested. Really.

So once I realize the gig is up and they know who I am, my mind goes into response mode. I start thinking about extraction of the threat and how to eliminate any forensics trail. I’m sure the CSI team in my city is top notch. I’m evaluating locations for my Dexter-style kill room. I’m thinking of where I can get those rolls of plastic, and it’s time for a new reciprocating saw anyway, so my old trusty saw will do just fine. But then I realize being friendly isn’t a capital offense, so I’ll have to let it slide. This time.

It turns out the staff at the bagel shop aren’t the only folks recognizing me. I had a guy come up to me in Starbucks and basically introduce himself because he’s seen me a number of times over the past few weeks. Another one who has to disappear? Of course, I recognized him too, since I pay attention to stuff like that. He rotates the stores he goes to as well. Not because he’s a paranoid security guy or socially inept, he just has various meetings around town and it’s convenient.

So I guess the gig is up. I guess after living in ATL over six years and being in coffee shops 3-4 times per week, I can no longer slip entirely under the rader. Is it time for a change in behavior? Maybe smile a bit and even make conversation? Yeah, not so much. I can get comfortable with some level of recognition, but being friendly? Homey don’t play that.


Photo credits: “Anonymous is Friendly?” originally uploaded by liryon

CCSK Training @ RSA

Going to RSA? Interested in proving your cloud competency? Then you may be interested in the CCSK (Certificate of Cloud Security Knowledge), offered by the Cloud Security Alliance. We have partnered with the CSA to build a full-day training session to make sure you are ready to pass the test. The maiden voyage of this course will be Feb 13, the day before RSA.

The training program costs $400, which includes a token to take the test (which costs $295 otherwise). So basically, you can spend a day with the Securosis team for $100. Let’s just say that’s a fair bit below our normal rates. And we are cutting off registration at 30, so you’ll get personal attention, whether you want it or not. We have a handful of slots left, so sign up now.

Incite 4 U

  1. Groundhog Security Day: Love this obvious observation from Julie Starr on the reality that the more things change, the more they stay the same. Wait, a persistent attacker? Yes, we’ve seen this movie before and as Rich says, we aren’t going to change human behavior. Bad guys will find ways to do bad things. N00bs will continue to think they can win. One step above n00bs, folks will think they can protect something a persistent attacker wants. And the rest of us need to continue reminding these folks of the reality of our predicament. To answer Julie’s question on whether we’ve made progress, I’d say we have. Security is top of mind for most. That doesn’t mean it’s easy, or that we get what we want, or all our users any smarter. It just means organizations are now making conscious decisions to ignore security. And most are no longer blissfully unaware. No, it’s not where we want to be, but it’s still progress from where we were. – MR
  2. Open sourced: Apparently the source code of the KLAVA AV engine created by Kaspersky Labs was leaked to the Internet. Kaspersky is downplaying the report, saying it’s only a fragment of code, and it’s from 2008. But when you are talking about the core of a processing engine, 2,000 lines of C++ code is a lot and it’s pretty important. It’s very unlikely, given Big AV’s focus on adding features and researching new signatures, that the current engine has been fundamentally altered from the leaked version. To say it another way, there is a reasonable likelihood this is close to current production code. Will it affect the business? No. Existing customers pay for the signatures and all the other crap that goes along with an endpoint suite nowadays. The bulk of development costs go into research, so this is likely to have no effect on the business. Knowing how the processing engine works shouldn’t help attackers circumvent AV, so it’s pretty much “no harm, no foul”. – AL
  3. Getting real doesn’t make crap products work: I’m a big fan of MacGyver, so when I saw an article on a MacGuyer approach to security, I was intrigued. Some aspects of Richard Rushing’s approach are good. Especially the idea of “faster ways to detect and seal the vulnerabilities”, say the React Faster and Better guys. But the idea of “real” AV, IDS/IPS, and firewalls leaves me scratching my head. Richard’s point seems to be that you need to pay attention to the tools. Which is fine. compared to not paying attention. But let’s be clear that AV, IDS/IPS, and firewalls (at least traditional firewalls) are not very useful for detecting most of the attacks out there. The status quo is dying, dude, regardless of how closely you monitor you logs. – MR
  4. Oracle, coming to an unboxed cloud near you: Amazon officially announced that they will offer prepackaged Oracle database and middleware stacks on Amazon EC2 AMIs (Amazon Machine Images) in 2Q 2011. Yes, I know, not as cool as ‘Cloud in a Box’, but it carries a slightly lower cost of entry. What’s kind of cool is that you can use your own licenses – implying your site license is extensible to VMs that run in the EC2 cloud – or simply pay per instance hour. What’s not clear from the press release is whether the two services that really help to secure Oracle will be available in the cloud: TDE and label security. Both these features are charged add-ons for advanced security. Personally, I am very interested to see whether this service is widely used – the cost of setting up a relational schema and loading it with data may not fit with transitory per-hour or per-use service options. There are also a number of lower cost options for cloud-resident databases, so unless a company has a site license (or uses a lot of Oracle stored procedures, etc.), the value is not clear. For applications that need elastic storage, this could be a good fit, and Oracle has architected capabilities into the database to leverage cloud resources. – AL
  5. Time for the anonymizer?: Dating site plentyoffish.com was compromised and they even tried to point the finger at Krebs. Bad idea. They lost information on lots of their customers. They called it a shakedown, but the impact to the customers is the same. Their stuff was lost. And this is a legit dating site. What if it were Ashley Madison, you know, that site where cheaters go to find other cheaters? Or other niche sites. How long before nambla.com will be pwned and all those folks outed for weird interests? Right, if you aren’t using a fake name/email for these sites, then you made the bed, now sleep in it. I also use my dummy credentials (which are linked up to a real domain I own, so it’s not totally anonymous, nor do I need it to be) to register on vendor sites. Better safe than outed for all those strange hobbies we don’t want to know about. – MR