Incite 4/18/2012: Camión de Calor
By Mike Rothman
It was a Mr. Mom weekend, so I particularly appreciated settling in at the coffee shop on Monday morning and getting some stuff done. And it wasn’t just trucking the kids around to their various activities. It was a big weekend for all of us to catch up on work. XX1 has the CRCT standardized test this week, which is a big deal in GA, so there was much prep for that. Both XX2 and Boy have How to presentations in class this week. So they each had to write and practice a presentation. And I had to finish up our taxes and update the Securosis financials. With the Boss in absentia, I was juggling knives trying to get everything done.
I look back on an intense but fun weekend. But when you spend a large block of time with kids, they inevitably surprise you with their interrogation… I mean questions. I was wearing my Hot Truck t-shirt (pictured at right), and the Boy was fascinated. What’s a Hot Truck? Is it hot? That was just the beginning of the questioning, so the Boy needed a little context. The Hot Truck is an institution for those who went to Cornell. Basically a guy made French Bread pizzas in a truck parked every night right off campus. Conveniently enough the truck parked around the corner from my fraternity house, and it was clearly the preferred late night meal after a night of hard partying. At any time of year you had folks milling around the truck waiting for their order.
Of course the truck itself was pretty cool. It was basically an old box truck fitted with a pizza oven. The city set up a power outlet right on the street and he’d drive up at maybe 10pm, plug in, and start cooking. Things didn’t get exciting until 1 or 2 in the morning. Then the line would be 10-15 deep and the money guy would write your order on a paper bag. No name, nothing else. Just your order. Obviously there were plenty of ways to game such a sophisticated system. You could sneak a peek at the list and then say the sandwich was yours when it came up. Then wait until the real owner of the sandwich showed up and tried to figure out what happened while you munched on their food. The truck was there until 4am or so – basically until everyone got served.
Over time, you got to know Bob (the owner) and he’d let you inside the truck (which was great on those 10-degree winter nights) to chat. You’d get your sandwich made sooner or could just take one of the unclaimed orders. He must have loved talking to all those drunk fools every night. But best of all was the shorthand language that emerged from the Hot Truck. You could order the PMP (Poor Man’s Pizza), MBC (meatballs and cheese), RoRo (roast beef with mushrooms), or even a Shaggy (a little bit of everything) – named after a fraternity brother of mine. And then you’d put on the extras, like Pep (pepperoni) or G&G (grease the garden – mayo and lettuce). All on a french bread pizza. My favorite was the MBC Pep G&G. Between the Hot Truck and beer it’s no wonder I gained a bunch of weight every year at school.
But all things end and Bob sold the Truck a few years ago. It was bought by a local convenience store and they still run the truck, as well as serve the sandwiches in their store in downtown Ithaca. It’s just not the same experience though – especially since I don’t eat meatballs anymore. But the memories of Hot Truck live on, and I even have the t-shirt to prove it.
Photo credits: “Hot Truck T-Shirt” taken by Mike Rothman
We’re back at work on a variety of our blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS to get all our content in its unabridged glory.
Vulnerability Management Evolution
Watching the Watchers (Privileged User Management)
Understanding and Selecting DSP
Malware Analysis Quant
Incite 4 U
Stone cold responders: I recently did a session with a dozen or so CISOs at an IANS Forum, and one of the topics was incident response. I started to talk about the human toll of high-pressure incident response, and got a bunch of blank stares. Of course we dug in, and the bigger companies with dedicated response staff said they staff incident response teams with even-keeled folks. The kind who don’t get too excited or depressed or much of anything. Which kind of aligns with Lenny Z’s post on the kind of personality that detects security issues early. Seems anxious folks on edge all the time may not have an effective early warning system. Just more evidence that you need the right folks in the right spots for any chance at success. – MR
PCI: Living on borrowed time? Bob Carr of Heartland Payments says “Anyone that thinks they’re not going to be breached is naive.” This interview, posted just days after Heartland’s financial settlement details went public, reinforces the notion that, just as cockroaches are the only survivors of a nuclear holocaust, only lawyers win in lawsuits. It was expensive for Heartland, and CardSystems Solutions did not survive. Which is topical in light of the Global Payments breach, which illustrates the risk to financial companies when Visa is offering to forgo PCI audits if a majority of merchant transactions originate from EMV terminals. Keep in mind that the breach of Global Payments – or Heartland for that matter – and fraud committed by cloning credit cards are totally separate. So at a time when merchants and payment processors should more aggressively look at security and breach preparedness, as Mr. Carr advocates… Visa is backing off on audits to boost EMV. Some will say this is an exchange of back office security for anti-fraud capabilities; some feel EMV is good for the bottom line. Does this mean Visa – and probably eventually PCI by default – expect market forces to ensure payment processor security without (private) regulation? That’s what it looks like to me. – AL
Why so serious? Interesting interview on InfosecIsland with The Jester, who did a chat session with a bunch of college students. You know th3j35t3r – the hacker “for good” who takes down terrorist sites and antagonizes Anon. It seems like he has a very clear perspective on what he’s doing, why, and the ramifications. He acknowledges that he’s a criminal and expects to be caught at some point. He also seems to be somewhat human, going to DEFCON, having a day job, and enjoying the battle. With all these unknown folks you never know what is information, what is misinformation, and ultimately whether the difference matters to you in any way. But in terms of lessons this guy seems to trust no one, works alone, and is extremely careful. Although it’s getting harder and harder to truly stay unknown. Then you get to ask whether the Feds do know who he is and have chosen to leave him alone. For now. – MR
Log simple: Andrew Hay does a great job outlining the available technologies for extending basic syslog format and function, and asks the tough question “what do you choose”? My answer? None. We know most people want syslog to do more with the data. And every log management and SIEM vendor is happy to offer their own version of extensible log standards, showing just how ‘open’ they are to the rest of the world adopting their standard. So we get standards by committee (DARPA, CIDF, IDMEF, and CIEL), which like most committee-designed ‘standards’ are clumsy and complex and embody the skewed desires of committee members. syslog works because it’s dead simple. Coders like simple and extensible. And it’s unlikely that a committee would come up with a standard for coders – more likely some coder will come up with a simple tool that gets used and eventually adopted (as syslog did) because it’s simple, extensible, and functional. – AL
You get what you pay for: When is free not such a great deal? When the tool allows you to upload compromised code and totally own the server. The Average Security Guy was playing around with Splunk Free and found a feature you should probably know about. Yup, if the Splunk user has admin rights to the Splunk server, it can be totally compromised. The exposure is there because of the flexibility they provide to allow folks to upload their own Python scripts to add capabilities to the base software. Combine that with the lack of authentication in the free version’s web interface, and all sorts of lulz result. ASG mentions some workarounds in his post, and that’s fine, but it comes back to the point about the true cost of free. Splunk is a great tool and very useful for plenty of folks, but that doesn’t mean the entry-level offering is bulletproof, or that you should store your sensitive data there. – MR