Incite 6/16/2010: Fenced In
By Mike Rothman
I spent last weekend at my 20th college reunion. I dutifully flew into Ithaca, NY to see many Cornell friends and (fraternity) brothers. It was a great trip, but I did have an experience that reminded me I’m no spring chicken any more.
I guess I could consider the unbelievable hangover I had on Saturday morning as the first indication that I can’t behave like a 20-year-old and expect no consequences. But it gets better. We were closing da Palms on Saturday night and an undergrad called me over because he had about 3/4 of a pitcher left and graciously asked for some help. I scurried over (because who turns down free beer?) and we started chatting.
So he asked me, “When did you graduate?” I responded that I was Class of 1990. He looked at me cross-eyed and I figured he was just respecting my beer drinking prowess. Not so much. He then said, “Wow. I was born in 1989.” Uh. This kid was crapping his pants when I graduated from college. I literally have T-shirts that are older than this guy. That put everything into perspective: 20 years is a long time.
Of course the campus has changed a lot as well. Lots more buildings, but the biggest change was the ever-present fences. In the last year, there have been numerous suicides on campus. It’s actually very sad that kids today can’t deal with the pressure and have no perspective that whatever it is, and however hard it feels, it will pass. So they jump off any number of bridges overlooking Ithaca’s beautiful gorges. Splat.
So the Cornell administration figured one way to stop the jumpers is to put 10-foot-high fences on all the bridges. It now looks more like a detainment camp than an Ivy League university. That’s sad too. Cornell is one of the most beautiful places I’ve ever been. Now not so much. It’s still a campus, it just feels different.
Being the engineers many of my friends are, we tried to come up with better solutions. The ideas (after a number of beers, as I recall) ranged from a big airbag at the bottom of the gorge to a high-speed blower to keep the jumper suspended in the air (like those Vegas rides). We also talked about nets and other ideas, though of course none were really feasible.
I guess I’ll just have to become accustomed to the fences, and remember how things were. With the understanding that, like my ability to recover quickly from a night of binge drinking, some things are destined to stay in the past.
Photo credits: “Fenced In” originally uploaded by Mike Rothman
Incite 4 U
Getting to know your local Hoover – No, this isn’t about vacuums, but about getting to know your local law enforcement personnel. It seems the FBI is out there educating folks about how and when to get them involved in breaches. The Bureau is also taking a more proactive stance in sharing information with the financials and other corporates. All this is good stuff, and a key part of your incident response plan needs to be interfacing with law enforcement. So defining your organization’s rules of engagement sooner rather than later is a good thing. – MR
String theory – Kelly Jackson Higgins had the most interesting post of the past week, covering Dan Kaminsky’s announcement of Interpolique. Actually, the story is mostly a pre-announcement for Dan’s Black Hat presentation in Vegas later this summer, but the teaser is intriguing. The tool that Kaminsky is describing would automatically format code – with what I assume is some type of pre-compiler – making it far more difficult to execute injected code via string variables. The only burden on the developer would be to define strings in such a way that the pre-compiler recognizes them and corrects the code prior to compilation/execution. That, and remembering to run the tool. This is different from something like Arxan, which acts like a linker after compilation. Philosophically both approaches sound like good ideas. But Interpolique should be simpler to implement and deploy, especially if Recursion Ventures can embed the technology into development environments. Dan is dead right that “… string-injection flaws are endemic to the Web, cross all languages …” – the real question is whether this stops injection attacks across all languages. I guess we have to wait until Black Hat to find out. – AL
Hatfields and McCoys, my ass – Evidently there is a feud between Symantec and McAfee. I guess a VP shot another VP and now the clans have been at war for generations. Computer security changes fundamentally every couple years. And fervent competition is always a good thing for customers. Prices go down and innovation goes up. But to say the AV market is a two-horse race seems wrong. To get back to the Coke vs. Pepsi analogy used in this story, in this market Dr. Pepper and 7Up each have a shot because some customers decide they need a fundamentally different drink. Security is about much more than just the endpoint, and if the Hatfields or McCoys take their eyes off the Microsofts and the HPs, they will end up in the annals of history, like the DECs and the Wangs. – MR
Speed may kill… – Sophos is hoping that the security industry has a short memory. They just announced a ‘Live Protection’ offering in their endpoint suite that uses a cloud service to push signature updates. Right, that’s not novel, but they are using speed as the differentiator. So you can get real-time updates. Of course that assumes you won’t have a Bad DAT(e) try to slip your devices a roofie that renders them useless. Needless to say, there is a bunch of marketing hocus-pocus going on here, since Sophos is also talking about their speed gain resulting from not pushing full signature updates, but doing some analysis in the cloud. Ah, calling Dr. Latency – this is something most other endpoint vendors are already doing. In any case, as our friends from McAfee showed a whole bunch of customers, sometimes it pays to wait a few hours before pushing a signature update. – MR
Fail Whale II, the sequel – If you were on Twitter this morning, you were probably up to your eyeballs in AT&T FAIL on iPhone 4 pre-orders. Yes, the accusation that AT&T was deliberately killing its own site because they ran out of iPhones was funny, but untrue! Most people simply could not make it through the session without some form of timeout or “service unavailable” message due to an overburdened (underprovisioned) system. But I was reading on Gizmodo about how user sessions were being compromised and you could randomly access other people’s accounts. With screenshots to prove it! As if AT&T’s reputation were not tarnished enough, their Internet capabilities are as bad as their cell coverage. Then AT&T released a support message saying “We have been unable to replicate the issue …” Awesome! Probably because the support techs were actually inside the firewall, rather than outside, where the thrashing load-balancing routers were spitting out customer data to anyone and everyone visiting the site. Their claim that “information displayed did not include call-detail records, social security numbers, or credit card information” is ridiculous. If they could not reproduce the issue, how could they know that information was not accessible, even if it wasn’t (supposed to be) shown on the pricing page? As with many of the nation’s banks, “too big to fail” needs to be supplanted with “too F’ed up to fix”. – AL
Skills you can sell – Since I’ve stepped off the corporate ladder, I’m not overly concerned with career management. My primary concern is to make sure that Rich and Adrian don’t walk me to the (virtual) door. But almost everyone else needs to think about what’s next. Dark Reading has a good analysis of what kinds of skills are in demand now, including incident response, compliance, and security clearances for government work. Surprisingly enough, application security isn’t at the top of the list, and given the skills gap between the number of qualified folks and the number of exposed apps, that’s strange to me. But I guess apathy isn’t a good hiring manager, and clearly there is application security apathy in spades throughout the industry. – MR