It’s a presidential election year here in the US, and that means the master spin meisters, manipulators, and liars politicians are out in full force. Normally I just tune out, wait for the primary season to end, and then figure out who I want to vote for. But I know better than to discuss either religion or politics with people I like. And that means you. So I’m not going to go there. But this election cycle is different for me, and it will be strange.

I suspect I won’t be able to stay blissfully unaware until late summer because XX1 is old enough to understand what is going on. She watches some TV and will inevitably be exposed to political attack ads. It’s already happened. She’s very inquisitive, so I was a bit surprised when she asked if the President is a bad man. I made the connection right away and had to have a discussion about negative political ads, spin, and trying to find the truth somewhere in the middle.

Your truth may be different than my truth. Fundamentally, totally different. But suffice it to say the venom that will be polluting our airwaves over the next 6 months is not close to anyone’s truth. It’s overt negativity (thanks, Karl Rove) and I have no doubt that once the Republican candidate is identified, the Democratic hounds will be unleashed against him. Notice I was male gender specific, but that’s another story for another day.

I guess it must be idealistic Tuesday. Can’t the candidates have an honest, fact-based dialog about the issues? And let citizens make informed decisions instead of manipulating them with fear, uncertainty, and doubt? Funded by billionaires looking to make their next billions. Yeah, no shot of that. You see, I’m no pollyanna. I know that anyone actually trying to undertake a civil discourse would get crushed by the 24/7 media cycle and privately funded attack ads which twist their words anyway. We elect the most effective poop flinger here in the US, and it’s pretty sad.

Lord knows, once they get elected they face 4 or 8 years of gridlock and then a lifetime of Secret Service protection. It’s one of those be careful what you wish for situations. But hey, everyone wants to be the most powerful person on the world for a while, right?

Again, normally I ignore this stuff and stay focused on the only thing I can really control: my work ethic. But with impressionable young kids in the house we will need to discuss a lot of this crap, debunk obvious falsehoods, and try to educate the kids on the issues. Which isn’t necessarily a bad thing, but it’s not easy either.

Or I could enforce a media blackout until November 7. Now, that’s the ticket.


Note: Next week is the RSA Conference, and that doesn’t leave a lot of time to do much Inciting. So we’ll skip the Incite next week and perhaps provide a jumbo edition on March 7. Or maybe not…

Photo credits: “Poop Here” originally uploaded by kraskland

Heavy Research

No holiday for us. We hammered you on the blog Monday, which many of you may have ignored. So here’s a list of the things we’ve posted to the Heavy Feed over the past week.

Malware Analysis Quant

RSA Conference 2012 Guide

Here’s the other stuff we’ve been up to:

Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory. So check them out and (as always) please let us know what you think via comments.

Incite 4 U

  1. It’s not about patching, it’s about web-scale architecture: It seems Rafal Los got his panties in a bunch when Mort threw out a thought balloon about shortening patch windows with smaller and more frequent patching. Though I think the term ‘patch’ here is what’s muddying the issue. Everyone realizes that most SaaS apps ‘patch’ whenever they need to with little downtime. At least if they are architected correctly. And that’s the point – I Mort as saying we need to really rethink application and deployment architectures to be more resilient and less dependent on huge patches/upgrades that can cause more problems than they fix. As LonerVamp points out, downtime is a hassle and more frequent patches are a pain in the backside. And for the way we currently do things, he’s right. But if we rethink architecture (which does take years), why wouldn’t we choose to fix things when they break, instead of when there are a bunch of other things to fix? – MR
  2. Political Deniability: I learned long ago to ignore all the cyberchatter coming out of Congress until they actually pass a bill and fund an enforcement body, and someone gets nailed with fines or jail time. How long have we been hearing about that national breach disclosure law that every vendor puts in their PowerPoint decks, despite, you know, not actually being a law? Si we can’t put too much stock in the latest National Cybersecurity Bill, but this one seems to have a chance, if the distinguished senior senator from my home state of Arizona doesn’t screw it up because he wasn’t consulted enough. Come on, man, grow up! The key element of this bill that I think could make a difference is that it’s the first attempt I’m aware of to waive liability for organizations so they can share cybersecurity information (breach data). That’s a common reason I hear for people not sharing information, and we have been asking for it since the early ISAC days. – RM
  3. Behavioral Secrets: If you have not read the New York Times’ How Companies Learn Your Secrets, about Target’s use of statistics and behavioral monitoring to target shoppers, read it. It’s fascinating. It touches on many issues of personal privacy, but what does it have to do with security? A lot. First, behavioral monitoring uses similar techniques to analyze human behavior and repeated patterns, in order to establish baselines of ‘normal’ behavior – things outside that norm are flagged as ‘suspicious’. Second, most phishing attacks leverage affinity and familiarity to gain trust, and effectively bypass users’ critical thinking, in order to get them to act in a particular way. This concept that repeated activity requires less brain power is key, as people strive to make their daily lives easier and less complicated. Face it – we don’t have enough time in our days to give serious thought to every email we receive or every web link we receive. Social engineering relies on usurping established trust and patterns to work, much the way marketers position their products. Anyway, the article is highly recommended. – AL
  4. Best of Breed Heresy: Stiennon is at it again (h/t to Shimmy), calling for networking capabilities to be integrated into security devices. Though I’m not sure whether Richard thinks a security vendor will displace traditional networking devices or vice-versa. But in fairness he has been talking about security being woven into the fabric of networking for a long time. Hasn’t happened. Not going to happen. Seems Richard forgets that network and security guys tend to hate each other. If the network guys win and rule the infrastructure world, they will just try some security genocide, and absorb those capabilities into their networking boxes. Or more likely the perimeter security boxes will continue to consolidate (as we’ve been saying for years), folks will build moats around their data centers (which house the important stuff) using vaults, and perhaps they do some simple stuff (like VLANs) with unimportant segments to maintain some semblance of order. But to burden every switch with deep packet inspection and policy enforcement? Why? How could you justify that cost? I’m with Shimmy. Stiennon is toking on the hookah again. – MR
  5. Searchable Passwords? A Google Password Generator is in the Works. I can think of a lot of reasons this is a bad idea. You know, like leaky wallets and somehow being surprised. Evil? Nah, honest mistake, right? Most password managers are local applications with the ability to pass information to the browser, but are not native to the browser. The browser is a poor choice to handle strong random number generation. Most browsers can be duped, hacked, or have their sessions compromised – so I have no confidence that browser-resident passwords wouldn’t leak. Perhaps it’s the well-worn cynic in me, but it just seems like a bad idea. My guess is that Google is adding the personal password manager initially for their wallet to gain ‘stickiness’ with clients, since it’s a cool (and very useful) capability. It a logical idea to extend this function to the browser, but I don’t believe it’s a good idea. That’s my story and I’m sticking to it. – AL
  6. And umbrella makers expect an explosion of rain: As this week’s hopeful self-fulfilling prophesy, we have a dude from McAfee talking about how they expect an explosion of mobile malware. Uh, what else could he say? Of course, no source for this ‘explosion’. Just more FUD flinging garbage. But how cool would it be if any of these guys were really honest? You know McAfee loves the fact that Google hasn’t locked down the Android app store, because their mobile malware has a reason to live. But the FUD flingers forget that mobile devices are not yesterday’s vulnerable PCs. They are architected differently and harder to compromise. Not impossible – especially with folks who jailbreak their devices and get hurt. IMO they deserve whatever they get. If you obviate the OS controls built to protect you, then it’s your own problem when you get nailed. But at this point infected Android apps are great for all the snake oil salesmen trying to sell mobile AV. They are hoping to extend their broken business model to a new generation of devices. Oh, did I say that out loud? – MR
  7. Play nice in the sandbox: Judging by our pageview spike last week (10x normal) I should stick to writing about Apple. But, alas, you enterprise folks pay more. Unfortunately not to us, but we’re working on that. Apple is entering an interesting security transition. The platform’s popularity is going nowhere but up, which means they are drifting inevitably into the spotlight for attackers. Based on the success they’ve seen on iOS, it’s clear the folks in Cupertino are trying to adapt the restrictive iOS model to the Mac, without crimping things so tightly it ruins the user experience on their desktop operating system. I really do think Apple is doing this for the right reasons (security) and working hard to balance the needs of users and developers. Unfortunately this is hard for some developers to come to terms with. In the end we need a ‘safer’ option to restrict downloading apps for the users who want them, combined with the ability to install whatever crap you want for you pr0n and gambling obsessed warez demons. Apple pushed the sandboxing deadline back to June 1, and I expect Microsoft to take the same optional lockdown approach to Windows 8. There really isn’t any other option for consumer computing, and the key for these OS vendors will be how to still allow us risk takers to do what we want. – RM
  8. Bonus: Surviving RSA: Our pal Andrew Hay is letting logic and experience get the best of him, providing some pointers to surviving RSA. Come on, man! Don’t you remember that once you step into Moscone for the RSA Conference, all your built-in defenses are socially engineered? You don’t eat. You don’t sleep. You drink. You network. You party hop. You try to do some business. Sure it would be great to drink water, but who has time for that. Not when you have an open bar and strippers dancers doing their thing within 10 feet of you. I appreciate your advice – it’s good stuff. But I’ve been doing this for too long to believe it will be any different this year. – MR