Posted November 29th, 2007 by rybolov
Disclaimer: I’ve had some very indirect dealings with the OSC this year.
But still, if you’re going to wipe your drive with 7 passes (I think that’s what a “Seven-Level Wipe” means), don’t call Geeks on Call, or at least have the common sense to get them to do the invoice “right”. Better yet, ask your 15-year-old neighbor kid how to do it. Or look it up on the Internet; it’s not like somebody’s going to be able to look through your browser history after you’re done with the hard drive. =)
I think the moral of the story is this: Keep black ops black ops by not involving people who generate a paper trail.
Posted in Rants, What Doesn't Work | 3 Comments »
Posted November 28th, 2007 by rybolov
It’s a silly idea, but OK, I’m into it. Check out the movie Zombie Honeymoon.
“What’s a girl to do? She downs a couple tequila shots, smokes a cigarette, and helps him clean up the mess. He promises to never hurt her, so she sticks to her vows and tries to plot a way for them to leave the country and make Danny well again. But can they jet off to Portugal before Danny claims more victims? And will she be able to put on the perfect candlelight dinner if his skin’s shedding into the soup?”
Posted in Zombies | No Comments »
Posted November 27th, 2007 by rybolov
Let’s introduce people to a manufacturing concept: that of zero defects and the zero-defects mentality.
See, life in the army during peacetime (and rarely during wartime) sometimes means that you are always “inspection-ready”. Some of the units I’ve seen were big on inspections: they would have a formal barracks inspection every week and informal inspections daily. If this seems a little obsessive, then you are right.
So what happens in units like this? Well, people start working around the system: they live out of their cars! If you’re going to do that, why don’t you skip the barracks altogether and just issue people cars to live in? Well, because obviously then the management would expect to inspect the cars for orderliness.
Of course, what does this have to do with security? Well, in most companies and the government in particular, you’re trying to project a zero-defects image to your customers. That’s the way the business and marketing side works. Marketing and security don’t mix precisely for this reason: one is trying to project an image of perfection, the other needs understanding of flaws and risks in order to make informed decisions. I won’t even go into security vendors, but you should be able to extrapolate now what I feel about some of them.
But in security, we’re not doing ourselves any favors by presenting a zero-defect facade to the rest of the world. Sometimes you need disclosure if you want to change the world. That’s why Adam Shostack is so gung-ho on breach disclosure, and I think disclosure is working to the extent that the public is gradually getting over the stigma attached to a breach, at least enough to differentiate the “typical breach” from the “holy sh*t that’s an obscene breach!”
Looking at FISMA report cards in particular, it’s turned somewhat into a “management via public disgrace” activity. Not bad in some cases, but then again, it’s not exactly the kind of information you put out there when you’re expecting positive change: you’re encouraging everybody to show a zero-defects face out of self-preservation.
Adam has a phenomenal idea that he presents in his breach research: using the public health model for IT security. We have to be able to track breaches back to their root cause in order to prevent further ones. If I take my network and connect it to your network, I have a right to know what vulnerabilities you have. Carry this public health model maybe a bit too far, and I’m now sleeping with all the people you’ve slept with, so if you come down with an STD, I have a right and a need to know.
The good news is that this is where the Government is headed: disclosure with business partners. I’m not sure how it will all work out in the end, or even if the Government can culturally make it work, but it has the potential to be a good thing.
Posted in Army, FISMA, Rants, What Doesn't Work | 4 Comments »
Posted November 27th, 2007 by rybolov
I recently ended up in the assessee’s chair. I’m fairly familiar with it by this time, since every project that I host or support has to be tested every year or so. Let’s just say I host auditors at least every couple of months. Only this time it’s different; let me explain.
Back in the halcyon days of 2003, I was on a Security Test and Evaluation Team traveling to a wide variety of contractor sites. We would go assess their security posture and make recommendations to the government. After that I would usually get out of the way as the two battled over the costs associated with fixes.
Now the fun thing was that my company offered some of the same services as the people we were assessing. Sometimes we had to subcontract the work to a different company with which we were in direct competition for a contract. We would then end up having these surreal discussions, playing “200 questions” where the answer was almost always “stuff” or something equally unhelpful.
So now for the situation I’m in: that of the business partner and competitor. For the past three weeks I’ve had people running all over my operations group learning how we do things so that they could partner with us for a big contract. And yet you wonder, deep down inside, how much you are training the people who will come “eat your lunch” later. It’s not my favorite place to be.
Anyway, associated lessons learned from doing ST&E work:
- Nobody is completely objective.
- Conflict of interest exists; you just have to identify it and react to it.
- Paper versions of documents are OK. Electronic versions are too easy to copy verbatim.
- An assessor can say the exact things to your boss’s boss’s boss that you’ve been saying to them for years, and it suddenly carries more weight.
Posted in The Guerilla CISO | No Comments »
Posted November 26th, 2007 by rybolov
All I need is a guitar, a harmonica, and a bottle neck. No, not that kind of bottle neck. =)
Well I got up early this morning
With one of those calls from the SOC
Spent five hours on con-call
Just reboot the #$%^@!ing box.
Oh yeah, you know I really pay my dues
What a great big PITA it is when you got those….
I got outages to the left of me
Hackers and worms to the right
Thanks to all my S-L-As
I never sleep at night.
Can’t find anybody to hire,
Engineers walkin’ out the door.
All because of shift work
And wanting 5K more.
Customers are requesting changes
They got a lot of hope.
Won’t be getting any work done soon
‘Cause it’s all out of scope.
Syslog messages aren’t collectin’
It’s broke as far as you can see
We lost hours of logfiles
Because the traffic’s all U-D-P.
Posted in Outsourcing, The Guerilla CISO | No Comments »
Posted November 21st, 2007 by rybolov
Wanna meet similarly-minded zombie people?
Wanna harass the local populace?
Well, go join a zombie walk.
Posted in Zombies | No Comments »