Incite 9/20/2012: ScabsBy Mike Rothman
You will probably read this on Thursday or even Friday, and that’s late. This week got all screwed up. It’s a little matter of a bunch of things happening at the same time, mostly personal, all good. So Monday was a holiday for me and starts the fall renewal process where I don’t set goals and don’t worry about what I’m striving for any more. It also turns out Monday night was the Falcons home opener. Many of my ATL buddies consider me a sinner for going to a football game on the High Holy Days. As I told the Boss, “Football is my other religion,” so there was never a question whether I would go.
Normally I work late on Tuesday night, but we took XX2 to see a Ben Folds concert for her birthday. So up late Monday (I’ll get to that) and up late Tuesday. And a check-up for the kids Wednesday morning. Which means not a lot of time to actually, well, work. And I won’t even mention the road trip to go see the Giants play in Carolina on Thursday night. Yeah, I have a pretty sweet deal.
Now back to Monday night. Everyone was amped up for the game. The Broncos and their rebuilt QB, Peyton Manning, were in town. The atmosphere was electric. Until about midway through the first quarter, when the replacement refs lost control of the game. I mean totally lost control. I have never seen anything like it. Penalties were reversed or not called. Fights broke out. The ball was spotted wrong. The first quarter took over an hour. Monday Night Football didn’t end until Tuesday morning. NFL referees are like security folks. Until they are gone and all hell breaks loose, you don’t even notice them.
The NFL is taking a hard line about pensions, and they locked out the regular referees. I thought I had a sweet deal, but refs have it pretty good too. Some make as much as $120K a year to work maybe 20 games, including playoffs. Even based on the NFL’s latest offer, they’ll still get something like $15K contributed to retirement. But it’s not enough.
Everyone always wants more. So the NFL finds replacement refs, most of whom do a good enough job. Some don’t (like the team on the field in ATL on Monday night). But at the end of the day, Steve Young was right. The NFL is in an inelastic demand situation, and how cool is it that a Hall of Fame QB talks about Econ 101 on national TV? The NFL will take a hard line because the fans will continue to show up. And we will. I’ll bitch and moan to my pals. The football talking heads (which is actually a much bigger echo chamber than security) will bitch and moan. The fans will keep showing up. As evidenced by my upcoming road trip to Charlotte.
So the scabs will continue to be entrusted with keeping games on track and in control. Hopefully no one gets hurt and the games end fairly. Truth be told, scabs is a derogatory and unfair term for the replacement refs. It’s not their fault they are in deep water. It’s like taking a recent security graduate and asking them to defend something important from [name your favorite pen tester]. It’s going to end poorly.
Ultimately the real refs will cave. It’s all about the leverage. It’s always about the leverage. The real refs have none. The NFL continues to have record ratings and record attendance and record activity in the NFL ecosystem, even with replacement refs. And once the refs realize they are very small cogs in a multi-billion-dollar wheel, they will pull off the scabs and get back to work.
Photo credits: Scabs originally uploaded by Thomas Hawk
We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Defending Against Denial of Service (DoS) Attacks
Securing Big Data
Incite 4 U
What makes an expert? Rob G levels a very uncharacteristic personal attack in his The know-nothings of cybersecurity, with the argument that someone who hasn’t actually configured a firewall or injected SQL cannot really be an expert. I reject that – it depends on what aspect of cybersecurity you’re talking about. A cybersecurity policy wonk probably hasn’t pwned devices using cool XSS code, but that doesn’t mean they don’t understand policies. And even if you are talking about technical expertise, it depends on who you’re talking to. Anyone can be an expert, if they are talking to n00bs. I’m no fan of generic statements that can’t be proven, nor am I a fan of the tons of charlatans claiming to be something they aren’t. But I don’t buy that there is only one kind of cybersecurity expert. – MR
Mobile payments are HOT HOT HOT: Hat tip to Martin McKeay for bringing this up as we were recording this week’s Network Security Podcast. It looks like the PCI Council is going to release guidance on mobile payment applications. This is a big deal – a lot of apps tie into credit cards in some way, shape, or form. On one side are tools like Square payment card readers, but I suspect we might see other forms of apps tying to credit cards coming under scrutiny. It’s not something I would put money on – just something to watch. Think of all the QR-code based apps that use credit card somewhere on the back end. Then again, the PCI will do whatever they expect to piss off the smallest number of
vendorsmembers, and Visa will end up making a blanket decision, anyway. – RM
Estimates are like … never mind: There is a reason software projects always take twice as long and cost three times as much as original estimates. Engineers suck, in my experience, at estimating how long their efforts will take. They’re optimistic and seldom account for all the work it takes to get working production-quality code. This is especially true when it pertains to new software. Jim Bird asks Can you get by without estimating? This is not just an intellectual exercise – it has a real impact on the development process. Get back to the reality that estimates exist largely for outsiders (people not on the development team), and external pressures critically impact engineering decisions when deadlines approach. I recommend trying to get rid of estimates as much as possible. Start with the more experienced engineers, but it’s best to interrogate them to ensure they have thought things through and know exactly what needs to get done. But you will only be able to get so far – you run the risk of getting no estimate as to when your next paycheck will arrive, as a previous CEO casually informed me. – AL
Shakedowns don’t need to be sophisticated: The security purists among you probably read about the latest in ransomware and end up disappointed. The Naked Security folks look at a recent attack and show that the crypto is novel, but the malware is not. But the malware doesn’t need to be sophisticated – it just needs to get there. Once the files are encrypted it’s game over. An advanced attacker doesn’t need to use advanced attacks. And to steal your lunch money a thief doesn’t need a nuclear reactor. Of course, this is Sophos speaking, so the answer is up-to-date anti-virus. Excuse me while I puke. But it is good advice to keep sensitive files backed up. – MR
Goodbye wires and plugs: During most of the current practice of security, we have relied on simple physics: for two things to talk to each other there must be a wire connecting them, and we know where the wires are. A large portion of our security comes down to understanding these connections and dropping more boxes inline to create enforcement points. Lori MacVittie talks about how the DMZ is dead due to BYOD. I’m not sure I completely agree – BYOD is only one small reason to change old-school DMZ concepts. The nature of current attacks broke the DMZ model 10 years ago – never mind cloud computing and the incoming missile of software defined networking (SDN). In the Matrix you can’t trust the wires and plugs either, and this fundamental truth will change much of our security in the coming years. – RM
PCI community meetings: A couple of our clients called me up this week. They wanted to know what was new with PCI and how the changes would affect them. I told them flat out: There is not much new. Which is a shame, because despite the Council’s desire to move in three-year cycles (driven by member pushback against constant churn) the payment industry is changing quarterly. As Gary Palgon’s quick overview of the PCI meetings points out, a 3-year cycle is a problem in this much more rapidly evolving market. Sure, things are much calmer and quieter when you jettison squabbling steering groups that constantly miss deadlines. But as with having your kids in the back of the car during vacation, you can’t actually leave them on the roadside when they get all whiny – no matter how much you want to. And they have been dragging out guidance for smartphone apps and mobile payment like they would go away if they just ignored them hard enough – but apps and mobile payments are not Dinky the dog. – AL
Real-time fraud detection: I needed new tires for our van and I went to a local tire shop to get them. I used my Citi credit card to pay. I was declined. Wait. What? Don’t these guys know my history? I tried again. Declined again. A second later I got a text message asking whether the transaction was legit. I texted back that it was. Within a minute the transaction was approved, and I was on my way. Pretty cool, eh? But what happens if my phone is gamed? Using tactics described by Mat Honan (yes, the guy who got iPwned), if they get into my email and/or credit card, they could own my phone and therefore beat the 2nd-factor credit approval. This is a low-probability scenario but everything is so interconnected now that it’s a matter of when, not if, this blows up. Like all other fraud controls. – MR