Last week we celebrated Independence Day in the US. It’s a day when we reflect on the struggles of our forefathers establishing the country, the sacrifices of the Revolutionary War, and what Freedom means to us all. Actually, most folks gorge on BBQ, drink a ton of beer, and light fireworks imported from China. Which I guess is another interpretation of freedom.

I thought it would be great for each of us Securosis guys to describe what Freedom means to us for last week’s Incite. Alas, the best laid plans got derailed when it got to be late on Tuesday and I wanted to start my holiday. No Incite for you. Adrian put everything in context by remarking, “You are free not to do it.” Nice. But here’s the deal – I take freedom for granted, and if you live in a free society, you probably do too.

I don’t think about the struggles involved in maintaining a free society. A couple times a year (you know, Memorial Day), I remember the brave military folks away from their families making sure my biggest issue is which Starbucks I choose to write at that day. The Boss and I try to impress upon the kids how lucky they are to live in a free environment. They learn about the Holocaust to see the worst in people. They’ll also read and hear about other oppressive regimes, and be thankful for where they were born.

But if I’m being honest with myself, I haven’t felt free for most of my life. A conversation I had recently with Mike Dahn reinforced that. I was captive to my own expectations. Regardless of the fact that I could do anything (besides break the law, I guess), I always felt a responsibility to do what was expected of me. I compared myself to some vision of what I should be. What I should achieve. But that vision was only in my head. It wasn’t like my folks told me what to do. All those expectations made me feel like a failure, even though I achieved quite a lot. That epiphany became the impetus for my Happyness talk.

I wasn’t until I let go of those self-inflicted expectations that I’ve been able to make strides toward being happy. Of course, I have good days and not so good days, like everyone else. But tossing my own expectations has given me the freedom to live my life – not anyone else’s. Not setting specific goals means I can enjoy the journey, not fixate on how far I have left to go. The US celebrates Independence once a year. But I get to celebrate my own Independence every day. And I don’t plan on taking it for granted.

–Mike

Photo credits: Independence, Oregon originally uploaded by Doug Kerr

Incite 4 U

1. It’s not the message, it’s how you say it: Sometimes you read something that hits very close to home. Bejtlich’s perspective on the importance of how you deliver the message resonated. The Boss chides me all the time about the fact that no matter what I’m saying, the kids shut down because I’m barking at them. “But they don’t listen! I need to get their attention,” I respond. And she just laughs. No matter what I say, they only hear more yelling. So when Rob Westervelt said a panel at an April security conference got contentious, clearly the folks in the audience didn’t get the message. It’s not that any of the panelists were wrong, but if you don’t package the message in a way that will get through to the other party, there is no wrong or right. Only wrong. So keep that in mind next time you present to business folks or chastise a user for doing something stupid. – MR
2. The cloud is down. No it isn’t. Yes it is: Last week there was another cloudastrophe when Amazon AWS had an outage in their main US data center. The root cause was a combination of weather and a failure in their emergency power procedures. I don’t overly blame them, since it’s really hard to effectively test every scenario like that. But it’s a reminder that not only can the cloud go down, but it can be difficult to architect availability for such a complex system. Extremely difficult, as Netflix shared in a killer post discussing why they went down. Now, for the record, this was a major personal disaster because my 3 year old couldn’t watch “the Apple TV” (which also had a “rough morning” Tuesday due to low bandwidth). This isn’t a security failure but it does highlight the complexity of fully moving to cloud and how that impacts fundamental design and DR/BC scenario planning. Security is no different than availability and we are all going to learn some of these lessons together the hard way. – RM
3. No access, no problem: Brandon Williams asks how do we arm small and medium businesses (SMB) for the change in threat landscape with the switch to EMV cards? His premise is that if the EMV credit card format comes to the US, we expect to see a shift from “card present” to “card not present” (i.e., Internet sales) fraud, mirroring the trend in Europe. The cards are harder to forge, the terminals perform some validation, and the infrastructure supports real point to point encryption instead of the mockery we’ve seen for the last decade or so. But does that mean SMB is at a disadvantage? I don’t think that’s the case. The terminals are expensive, but SMBs have lower overall switching costs to EMV. By combining it with tokenization, they have removed sensitive data from their environments, and pushed much of the liability back on payment processors by not being privy to payment data. Logically there is little difference between an Internet sale and an EMV transaction – payment gateways offer plug-ins and edge tokenization services perform equivalently to EMV without a card reader. As the merchant is no longer embedded in the payment process itself, it’s up to the payment gateways and banks to detect fraud or determine whether the user is legit. I maintain that the real question remains, “What happens to the PCI standard?” when merchants no longer have any access to card data. – AL
4. Depends on your definition of diverge: Ah surveys, security marketing catnip for all beat reporters. Regardless of the logic of the conclusions, or the kinds of folks being surveyed, anything attached to a survey will generate lots of ink. So my pals at Core did a survey and their top line was that “CEOs & CISOs Diverge Sharply.” Really? Only 15% of the CEOs are “very concerned,” but a majority are “somewhat concerned.” Let me tell you about CEOs. They are concerned with making their numbers, keeping their jobs, and getting their big fat bonuses. They hire folks to be “very concerned.” The fact that they are concerned at all means it’s a high profile issue. Pretty much all the questions are like this. CEO answers are logical and I don’t believe really diverge from what CISOs are paid to worry about. Though one question is very telling. CEOs clearly don’t think they have enough information to know what’s really going on, and about 75% of respondents don’t get daily or even weekly briefings from their security teams. That seems to be a failure to communicate, rather than a divergence of viewpoint. – MR
5. Want a Beemer? Cheap? I swear, I don’t understand how all these idiots think that brushing off a massive security vulnerability is the best course of action. We see it all the time, and BMW is the latest example. It turns out you can hack into the latest models using a vulnerability in the keyless entry system. The On Board Diagnostics port is a blind spot for the alarm system, always powered, doesn’t have a password, and you can use it to program new key fobs. BMW’s response? “The battle against increasingly sophisticated thieves is a constant challenge for all car makers. Desirable, premium-branded cars, like BMW and its competitors, have always been targeted … Currently BMW Group products meet or exceed all global legislative criteria concerning vehicle security.” Right, good one. Glad I have a Ford – it runs on Microsoft, so while it might crash, I know it’s secure. (Actually, the latest update works really well). – RM
6. Breaking in: If you have not been following the series, then grab a cup of coffee and spend a few minutes with Brian Krebs on How to break into security: Thomas Ptacek edition, followed by the Bruce Schneier and Jeremiah Grossman editions. If you are looking to break into security these posts are informative. I tend to agree with Grossman and Ptacek on needing to both understand and have a natural curiosity about, programming. It’s a lot easier to understand how hackers work once you’ve sat down with someone else’s horrific API and figured out hundreds of ways it won’t work, and stumbling upon a weird quick that totally breaks it. And it’s programmers who, by their desire to build useful tools, are the most surprised by that ‘Oh S%&^’ moment when they realize the destruction, and mayhem hackers can cause by abusing a programmers bad assumptions. Schneier says that you need the ‘security mindset’, but unfortunately you won’t know what that is until you know what that is. My advice – get some development experience under your belt and then go work with a security company where real security people work. Being around people who are good at breaking stuff helps. But while seeing what’s possible with malware, cross site scripting, breaking a crypto system, or just injecting malicious SQL into someone’s database is great; it’s every bit as educational to have to go through the processes of threat modeling, designing and programming secure code. – AL
7. The power of one: It’s a bit of a love fest, but TJ OConnor’s paper on th3j35t3r (PDF) is an interesting read. Apparently he wrote it as part of a SANS masters program. But it goes through the story of the lone wolf hacker and how his tactics have changed over time. If you follow Jester on Twitter, you already know most of this stuff. The most interesting part of the story is how the Internet has really democratized everything. Allegedly one guy (because we can’t be sure it’s really only one person) can apply leverage via online mechanisms like we haven’t seen before. I just imagine a bunch of Anons sitting around a virtual table screaming at each other: “It’s only one guy! Why can’t we find him?” And no, pulling an OAuth hijack on his Twitter stream (which happened on Monday) isn’t really finding him. – MR