I’ve been waiting all of September for FedRAMP to be released and hoping they get over the last-minute hurdles to put something out into view. Our lolcats will feel much more secure now with a squishy buddy.

• Lolcats Coming to you from the Cloud
• Lolcats and QR Codes
• Shmoocon: Less Moose, More LOLCATS
• Redundant Lolcats
• Lolcats, Capital Hill, and a Haiku

Ah yes, I’ve explained this about a hundred times this week (at that thing that I can’t blog about, but @McKeay @MikD and @Sawaba were there so fill in the gaps), thought I should get this down somewhere.

the 3 factors that determine how much money you will make (or lose) in a consulting practice:

• Bill Rate: how much do you charge your customers.  This is pretty familiar to most folks.
• Utilization: what percentage of your employees’ time is spent being billable.  The trick here is if you can get them to work 50 hours/week because then they’re at 125% utilization and suspiciously close to “uncompensated overtime”, a concept I’ll maybe explain in the future.
• Leverage: the ratio of bosses to worker bees.  More experienced people are more expensive to have as employees.  Usually a company loses money on these folks because the bill rate is less than what they are paid.  Conversely, the biggest margin is on work done by junior folks.  A highly leveraged ratio is 1:25, a lowly leveraged ratio is 1:5 or even less.

Site Assessment photo by punkin3.14.

And then we have the security assessments business and security consulting in general.  Let’s face it, security assessments are a commodity market.  What this means is that since most competitors in the assessment space charge the same amount (or at least relatively close to each other), this means some things about the profitability of an assessment engagement:

• Assuming a Firm Fixed Price for the engagement, the Effective Bill Rate is inversely proportionate to the amount of hours you spend on the project.  IE, $30K/60 hours=$500/hour and 30K/240 hours = $125/hour.  I know this is a shocker, but the less amount of time you spend on an assessment, the bigger your margin but you would also expect the quality to suffer.
• Highly leveraged engagements let you keep margin but over time the quality suffers.  1:25 is incredibly lousy for quality but awesome for profit.  If you start looking at security assessment teams, they’re usually 1:4 or 1:5 which means that the assessment vendor is getting squeezed on margin.
• Keeping your people engaged as much as possible gives you that extra bit of margin.  Of course, if they’re spending 100% of their time on the road, they’ll get burned out really quickly.  This is not good for both staff longevity (and subsequent recruiting costs) and for work quality.

Now for the questions that this raises for me:

• Is there a 2-tier market where there are ninjas (expensive, high quality) and farmers (commodity prices, OK quality)?
• How do we keep audit/assessment quality up despite economic pressure?  IE, how do we create the conditions where the ninja business model is viable?
• Are we putting too much trust in our auditors/assessors for what we can reasonably expect them to perform successfully?
• How can any information security framework focused solely on audit/assessment survive past 5 years? (5-10 years is the SWAG time on how long it takes a technology to go from “nobody’s done this before” to “we have a tool to automate most of it”)
• What’s the alternative?

• Security Assessment Economics
• Split-Horizon Assessments and the Oversight Effect
• Security Assessments as Fraud, Waste, and Abuse
• The CyberArmy You Have…
• How to Not Let FISMA Become a Paperwork Exercise

So last week Anonymous staged a Distributed Denial of Service against the RIAA, MPAA, and Aiplex over Aiplex’s announcement that they were launching DDoS attacks of their own against torrent sites sharing copyrighted content.  In doing a bit of research on techniques that were being used, I came across this wonderful bit of script:

while true; do wget ‘http://riaa.com/goldandplatinumdata.php?table=SEARCH_RESULTS&title=&artist=&label=&format=&category=&type=&awardDescription=&startMonth=1&startYear=0&endMonth=12&endYear=2009&sort=Date&sense=ASC&perPage=5000000000&go=Search’ > /dev/null &  done

For those of you who don’t get it just yet, this is an awesome attack to study.  Basically what it does is to run an endless loop grabbing a search page url with parameters that will do a huge database query.  The beauty of the attack is that it’s “highly leveraged”: for one http get, you generate a sizeable amount of database load.  Now multiply that by thousands of yahoos out there running the same script, and it will rollover the target’s database server and possibly the applications servers that query it.

• A Little Story About a Tool Named #RefRef
• The Rise of the Slow Denial of Service
• Apache Killer Effects on Target
• DDoS and Elections
• DDoS Planning: Business Continuity with a Twist

My talking schedule over the next couple of months:

October 25-27: SecTor in Toronto, talking on DDoS and a turbo talk on some of my barcode stuff.

November 8-11: AppSecDC in um… DC, talking on the internal security program for a cloud vendor.

And coming to you, if you give me a call.  =)

• Where is Rybolov?
• DojoCon DDoS Video
• Metricon 5 Wrapup
• The “Off The Record” Track
• Massively Scaled Security Solutions for Massively Scaled IT

In the spirit of Shockwave Rider’s information-sharing worm, the charm of StumbleUpon, and this xkcd cartoon:

And based on the fact that QR codes are “teh awesome”, I have created something both wonderful, inspiring, and evil all at the same time: a Random QR Code Redirector.  Just point your phone’s QR reader app at this barcode, sitback, and enjoy the mayhem.  Sometimes you get a neat hack url, sometimes you get a funny movie, sometimes you get information about barcodes, sometimes you get something that “once seen, cannot be unseen”.  Feel free to print them out and leave them places.  =)

And ta-da, the barcode:

Readme, Clickme!!!

Get a QR reader and other QR Code infos here.

“How’s it all work?”  Well, for starters I got a vanity domain at co.de (works swimmingly for software projects because, well, it’s “code”).  Then I built a database and ~15 lines of php code.  I make a weighted random select from the database and send a redirect to the browser.

Table create statement:

CREATE TABLE IF NOT EXISTS `qr_redirect_links` (
`id` smallint(3) NOT NULL auto_increment,
`url` varchar(1500) collate utf8_unicode_ci NOT NULL,
`weight` smallint(3) unsigned NOT NULL,
`comment` varchar(1500) collate utf8_unicode_ci NOT NULL,
PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=37 ;

The query code is as follows:

<?php
$con = mysql_connect(“<hostname>”,”<username>”,”<password>”);
if (!$con)
{
die(‘Could not connect: ‘ . mysql_error());

}

mysql_select_db(“random_urls”, $con);

//You could do a bunch of random select stuff in php but using the database Rand()*(1/Weight) is the easiest 1-liner I know to get a random result.

$result = mysql_query(“SELECT url FROM qr_redirect_links ORDER BY Rand()*(1/Weight) LIMIT 1;”);

while($row = mysql_fetch_array($result))
{
$newurl = $row[‘url’];
header( “Location: $newurl” ) ;//actually send the redirect here
}

mysql_close($con);
?>

I’m also collecting interesting urls, just email/twitter/whatever to me, the only rules are that they need to not harm the browser and I have final say on what meets my stringent url quality standards.

• Lolcats and QR Codes
• QR Code Temporary Tattoos Howto
• Barcode Hacking Process
• Barcode Hacking
• Keeping Up With the DDoS Kids

It’s at the end of September, check it out.  Even if you’re not in the vulnerability/patch rat race on a daily basis, it would “behoove” you to go check out what’s new.  If you’ve been paying attention to OMB Memo 10-15, you’ll notice that Cyberscope takes some SCAP input.

• Save a Kitten, Write SCAP Content
• Ed Bellis’s Little SCAP Project
• Security Automation Developers Conference Slides
• Federated Vulnerability Management
• NIST and SCAP; Busting a cap on intruders Part 1