
Incite 8/29/2012: Always on the Run

By Mike Rothman

Wake up. Get the kids ready for school. Exercise (maybe). Drink some coffee. Write. Make calls. Eat (sometimes too much). Write some more. Make more calls. Drink more coffee. Think some big thoughts. Pick up the kids from some activity. Have dinner. Get the kids to bed. Maybe get back to writing. Maybe watch a little TV. Go to bed much too late. Wake up and do it again. That’s an oversimplified view of my life, but it’s not far off.

I'm running so fast it's just a blur... But that isn’t a bad thing – I really enjoy what I do. I reflect at least daily on the deal I cut with Satan to be able to actually make a living as a professional pontificator. But I am always on the run. Until I’m not, because there are times when my frontal lobe just shuts down and I sit in a mostly vegetative state or pass out on our couch. There doesn’t seem to be much in between.

Is it healthy? You know, running as fast as you can until you collapse and then getting up and running full tilt again? I’m no runner, but it doesn’t seem to be a prudent way to train or live. A mentor always told me, “It’s not a sprint, it’s a marathon.” With ‘it’ being basically everything. Intuitively I understand the message. But that doesn’t mean anything changes. I still run at the razor’s edge of burnout and implosion, and every so often the machine fails. Yet I still find myself running. Every day. Consulting my lists and getting agitated when there isn’t structure to what needs to get done, especially at home. I’m constantly badgering the Boss for my list of house tasks every Saturday morning, so I can get running.

Yet if I’m being honest with myself, I like my lists. More specifically, I like checking things off my lists. I like to feel productive and useful and getting things done helps with that. Again, that doesn’t mean that at the end of a long day or on Sunday afternoon I’m not slipping into that vegetative state. That’s how I recharge and get ready for the next day. This run, collapse, repeat cycle works for me. At least it does for now.

In another 15 years, when the kids are out of college and fending for themselves, maybe I’ll have a different opinion. Maybe I’ll want to play golf, lounge by the pool, or sit in a cafe all day and read the newspaper. Or read whatever delivers news to me at that point in time, which is unlikely to be paper. Maybe I’ll just chill out, stop running, and enjoy the fruits of my labor.

Then again maybe not. As I look back, I’ve been running at this kind of pace as long as I can remember. But it’s different now. Over the past couple years I stopped worrying about where I’m running to. I just get up every morning and run. Obviously I know the general direction my efforts are pointed in, but I no longer fixate on when I’m going to get there. Or if I’ll ever get there. As long as I’m having fun, it’s all good.

And then a funny thing happened. I realized that I have a shot at hitting some of those goals I set many years ago. To actually get to the place I thought I was running to all this time. That’s kind of weird. What happens now? Do I set new goals? Do I slow down? Do I savor my accomplishments and take a bow? I’ll take D) None of the above. I think I’ll just keep running and wind up where I wind up. Seems to have worked out okay for me so far.

–Mike

Photo credits: Running originally uploaded by zebble


Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Endpoint Security Management Buyer’s Guide

Pragmatic WAF Management


Incite 4 U

  1. Massive unpatched Java flaw being exploited: First, just the facts. There is a massive, remotely exploitable, cross-platform flaw in the latest version of Java. How exploitable? Just read David Maynor’s description of owning everything including OS X, Windows, and Linux. This is as bad as it gets, folks. Here’s the drama: after FireEye posted some info, based on real world exploitations, the attack was quickly added to Metasploit and now any script kiddie can compromise nearly any vulnerable system they can get their hands on. I’m generally not thrilled when Metasploit adds exploit code for 0days without giving defenders any chance in hell of blocking or otherwise mitigating the problem. On the latest Network Security Podcast my co-host Zach mentioned that the exploit itself may have leaked from Immunity, who frequently includes 0days in their pen testing product and doesn’t notify vendors or wait for patches. Once again, we are shooting ourselves in the head as an industry because someone doesn’t like the smell of our feet. – RM

  2. Epic security research fail: You know those times when you aren’t paying attention to where you’re walking and you run into a pole? And when you get up you look around and hope no one is watching. That happened to FireEye’s research team last week when they inadvertently stumbled upon a honeypot set up by Kaspersky and made a big stink about a change in attacker tactics. It didn’t take long for the Kaspersky researchers to call them out, and within a few hours FireEye issued a retraction. As my kids say, whoopsie! But this is a manifestation of the race for something newsworthy to fill the media sites with fodder to drive page views. Rich penned a piece a while back, being thankful that we don’t need to be the first to report something, which helps us avoid this type of land mine. I feel for the FireEye researchers, who thought they were on to something. And I’m sure the guys in Moscow did a couple vodka shots over that one. – MR

  3. Hard coded: At a previous employer, one of the first things I did after joining the company was a code review. I discovered all sorts of horrors that should have been sent to every collegiate computer science program in the country for Comp Sci 110: “What not to do in software development”. There were too many grotesque errors to count, but a couple of the bad ones were the database admin password hard coded in the application, and the archive encryption key stored on disk. The same password and encryption keys for every customer! This type of idiocy is so overwhelming it makes you lose faith in the code – you don’t know what else is totally FUBAR. So when I read about a secure networking company whose Devices Have Hard-Coded SSL Keys, I cringe. I’ve been there. I’ve lived through that movie, and it’s a horror show. The problem is not this specific flaw; that’s easy enough to patch. The problem is what other incredibly stupid stuff is in the product line? It’s an issue of trust – when a vendor gets the basics wrong that badly it must cast serious doubts on their ability to get the tough stuff right. – AL

  4. Put up or shut up yourself! Let us mark a moment of silence at the irony of the CSO of the least (security) transparent platform vendor on the planet haranguing the industry and government for lack of information sharing. Taste the richness that oozes from the words drawing themselves on your screen. Martin McKeay does a great job of explaining that the situation isn’t as bleak as MAD claims, and debunks a few of her worst assumptions. But as much as I’d like to totally dismiss her post, she does have a few salient points on some of the current issues. Especially the lack of sharing by government agencies. I have heard very similar stories about attacks being classified and leaving targets at risk – just ask Stratfor how much the FBI helped them while the agents contributed to attack planning. The problem is that Mary Ann has an extremely narrow view of sharing (no details, especially not about her products, with gamed up CVE ratings), and if you know her positions, you can see how this post is more about getting the info she wants without revealing anything outside her definition, no matter how much it might help customers using her company’s products. – RM

  5. Step away from the perfection: Great post by Daniel Blander describing his personal epiphany about giving up on precisely quantifying risk. He really nails the difficulty of getting things exactly right, instead of sufficiently accurate, and some of the psychology behind why we have trouble estimating things. I also like his 5 questions to get at the likelihood of something happening. It reminds me of the template we used in marketing to build a mission statement. It seemed stupid at the time, but if you answer the questions, amazingly, you get pretty close to what you’re looking for. Likewise with his process for building a risk description to provide a vernacular to help folks understand what they are facing. I’d add a bit on what kinds of controls would be required to address the issue, so they understand the costs of specific risk avoidance, but otherwise it’s a very solid approach. Of course some folks would rather cling to their Monte Carlo simulators, and there’s a place for that. But I have always favored the quick and dirty approach. That’s just me. – MR

  6. If not now, when? I think the statement “the most vulnerable repository of documents in our company is also the most widely used application” would be true for most companies. The biggest app is the biggest risk. Data has value, and the more we use data, or an application that manages data, the more value it has. Mathias Thurman does a nice job of looking at the tradeoffs of securing one such application – Exchange – and the myriad ways that Outlook lets you access data from it. He cites a common example that is often the catalyst for getting management buy-in on restrictions on a critical business application like email – in this case a near-miss on a data breach. Where he chooses to draw the line is a bit more restrictive than some of the other CISOs I have discussed this problem with, but each firm has to balance security against getting in the way of the business. He’s lucky that the change in policy was not made under the duress of a breach. Not many are similarly lucky. Food for thought. – AL

  7. No mux for you: How many of you know what a multiplexor is? When I saw that Sonus Networks closed their acquisition of NET, a wave of memories came flooding back of my early days as a networking analyst – covering WAN equipment among other things. Some of you kids may not remember when TDM ruled the world, or even what Frame Relay is. I still remember telling the entire Sprint data sales force how stupid selling 0 CIR frame relay services was, and that I’d never recommend that to clients. They didn’t like it much. Back in the day, NET ruled the roost. I remember sitting in a meeting with Dan Warmenhoven (yes, the guy who subsequently grew NetApp), NET’s CEO at the time, debating frame relay and ATM and all sorts of other cool technologies they were looking at. Turns out they missed the boat on all of them and let upstarts like Cisco, Wellfleet, and StrataCom drink their milkshake. Good times. Now if any of you snot-nosed kids get out of line, I think we’ll just put you on front end processor maintenance duty. That will show you. Old school, baby! – MR

Comments

Let’s hypothetically look at Immunity and their 0day usage without notifying vendors. Before reading the blurb above RE:Java 0day, I honestly hadn’t thought about this before. (And I’m woefully behind on podcasts…)

What’s Immunity’s purpose in life? If it’s to better ensure that they blow down the doors and deeply penetrate their clients, then more power to them to hoard 0days.

But if it’s to provide better security to themselves, their clients, and everyone, then we have an interesting conversation. Does it add value to security to hoard their 0days for not only themselves, but also those who have subscriptions to their wares?

This probably teases back to the old discussion about the 0day-selling industry in the first place. (I hesitate to drag in the full/responsible disclosure discussion as well, but that’s likely where it all leads.)

By LonerVamp

