Puzzles v/s Mysteries

Posted May 31st, 2007 by

There’s a nice article at the Smithsonian about the difference between riddles and mysteries. I received this via the security metrics email list.

Risks and Riddles

This reminds me of intelligence work, for obvious reasons.

There are 2 major types of offensive actions an army can conduct: deliberate attack and movement to contact. (Yes, those of you pedantic enough will bring up hasty attacks and a dozen other scenarios, I’m being a generalist here =) )

In a deliberate attack, you know roughly what the Bad Guys are doing–they are defending key terrain. The task for the intelligence people is to find specific Bad Guy battle positions down to the platoon level. This is a puzzle with a fairly established framework; you are interested in the details.

In a movement to contact, you have a very hazy idea that there are Bad Guys out there. You move with an eye towards retaining flexibility so that you can develop the situation based on what you learn during the mission. The task for the intelligence people is to determine the overall trend on what the Bad Guys are doing. This is a mystery, and you’re more concerned with finding out the overall direction than you are with the specifics–they’ll get lost due to “friction” anyway.

Now translated to information security, there is some of what we know about the Bad Guys that is static and therefore more of a puzzle–think about threats that have mature technologies like firewalls, anti-virus, etc. to counter them. Solutions to these threats are all about products.

On the other hand, we have the mysteries: 0-day attacks, covert channels, and the ever-popular insider threat. Just like a well-established military has problems understanding the mystery that is movement to contact, information security practitioners have problems responding to threats that have not been well-defined.

So information security, viewed in the light of puzzle v/s mystery, becomes the following scenario: how much time, effort, and money do we spend on the puzzles versus how much time do we spend on mysteries? The risk geek in me wants to sit down and determine probabilities, rate of occurrence, etc. in order to make the all-important cost-benefit-risk comparison. But for mysteries I can’t, by definition of what a mystery is, do that, and our model goes back to peddling voodoo to the business consumers.



Posted in Army, Rants, Risk Management, What Doesn't Work, What Works | 1 Comment »

Manitoba Chiefs Want Cellphone Revenue

Posted May 31st, 2007 by

Hey, makes sense to me. If you’re a sovereign nation, you have a right to manage the radio spectrum above your territory, no matter how large or small the territory is.

The BOFH in me thinks it’s a perfect unintended consequence of the white man’s greed hundreds of years ago. =)

Manitoba Chiefs Want Cellphone Revenue



Posted in Odds-n-Sods | No Comments »

Famous Quotes: George H

Posted May 30th, 2007 by

“When I was a kid, I wasn’t a criminal but I sure did some things that I could have been sent to jail for.” –George H

George was my squad leader back in 1998.

I think it’s still apropos, only today instead of poaching salmon and doing unnatural acts with firecrackers, the kids have computers. =)



Posted in Odds-n-Sods | 1 Comment »

Training for the Zombie Pandemic

Posted May 30th, 2007 by

Why wait until the zombie outbreak to figure out what your response will be?  Why not start training now?

Kevan Davis has written a very good web-based MMORPG called Urban Dead.  I’ve been playing it for about 3 weeks now, although the game has been live for over 2 years.

What’s amazing to me is that the game has roughly 38K players and has a HUGE amount of user-created content on its wiki.  In addition to that, each player group has their own forum that they maintain.  That places the game squarely in the “cult” category. =)  Try it, it’s lots of fun.

Skills you will need for the upcoming zombie pandemic:

  • Barricade buildings to keep the zombies out
  • Revive zombified buddies
  • Heal your friends that have been bitten and infected with zombie mojo
  • Kill the zombies that are in your well-barricaded building
  • Dump the corpses outside so they don’t come back as undead inside your building

Inside the wiki, there are fantastic guides that tell you how to survive in the zombified streets of Malton.  I recommend you read up on these and incorporate them into your zombie pandemic response plans.



Posted in Zombies | 8 Comments »

How I Became the Owner of Two Rogue WiFi APs

Posted May 29th, 2007 by

I’ve been a bad little CISO. I should know better. But hey, how can I maintain my BOFH credentials if I don’t do something bad from time to time?

Anyway, let me explain it all.

Inside my area of responsibility (aka my job scope) there are several networks. One is a closed network that we use for management and monitoring of our customers. Another is our corporate network. A third is our guest network where all you can do is access the outside world.

So what we wanted to do was to add a wireless access point to the guest network. That way our guys can stay connected between meetings. Not all too uncommon of a use-case.

Corporate IT has a solution they roll out everywhere. If I give them a cost center, they would give us a completely wide-open WiFi AP with an ESSID of “guest”. It’s the only solution that they would support.

I have 20 or so customers. They have varying levels of security savvy depending on how mature the organization is. Some of them believe in “Security Through Level of Pain”–in other words, they make it so hard to ask for permission that nothing ever gets done.

Now, with some of these clients, they think that they own my building. That’s not necessarily a bad thing, but if I have a wide-open “guest” AP in my building, then they all think that I have broken their security policy which says “no WiFi”. Even though eventually I can explain how the wireless is not connected physically, logically, or even tangentially to their network, their gut reaction is to make me take it down. I have yet to lose a disagreement over things like this, but 20 customers later, they’ll wear me down to the point where I need to go home and sleep. That’s very much in the spirit of “Security Through Level of Pain”.

If I have WiFi in the building, it has to be WPA2, no questions asked. I can justify that to the government, and it makes my life oh-so-much easier. I ran a waiver through my boss and his boss that documented the security controls around how I wanted the design to be.

I talked to the guy from Corporate IT. I explained to him who I was and what I wanted to do. I explained the waiver and what the risks are. His answer was that he needed approval through management. However, he wouldn’t tell me who “the management” was. The only saving grace in this conversation was the fact that he didn’t remember my name. =)

I got a forwarded email a couple of days later from the Corporate IT guy asking our data center manager who could authorize a wireless connection (I had already authorized it with a waiver, remember?). I had a quick conversation with the data center manager that went along the lines of “Yeah I know about that, it was me.”

Rather than pull teeth, I bought 2 Linksys SoHo APs and wired them to the guest network. It’s not perfect (if you go from one side of the building to the other, you lose your association and have to do stuff like reconnect via VPN), but I set it up with WPA2 and it’s on the guest network where all you can do is get to the Internet. One sits in my office, the other sits in a closet between two conference rooms. Everybody who needs to use the APs knows how to do it.

Hi, my name is “Mike” and I’m the owner of two rogue wireless access points.

I’m also a Guerilla CISO.



Posted in Technical, The Guerilla CISO | 4 Comments »

Zombie Flash Mob

Posted May 29th, 2007 by

Saso said it, but I figured it was good enough to get its own posting:

Well, zombies are making it big: http://news.com.com/8301-10784_3-9723086-7.html

Shame, really. Smart money is still on werewolves and vampires. ;-)

Original Post: http://www.guerilla-ciso.com/archives/111



Posted in Zombies | 2 Comments »
