Steps are now being taken, rather faster since Dan Kaminsky came up with a really effective DNS poisoning attack, to secure DNS by using DNSSEC.

The basic idea of DNSSEC is that when you get an answer from the DNS it will be signed by someone you trust. At some point the “trust anchor” for the system will be “.” the DNS root, but for the moment there’s just a handful of “trust anchors” one level down from that. One such anchor is the “.se” country code domain for Sweden. Additionally, Brazil (.br), Puerto Rico (.pr), and Bulgaria (.bg) have signed their zones, but that’s about it for today.

So, wishing to get some experience with the brave new world of DNSSEC, I decided that Sweden was the “in” place to be, and to purchase “cloudba.se” and roll out my first DNSSEC signed domain.

The purchase wasn’t as easy as it might have been — when you buy a domain, Sweden insists that people provide their identity numbers (albeit they have absolutely no way of checking if you’re telling the truth) — or if a company they want a VAT or registration number (which are checkable, albeit I suspect they didn’t bother). I also found that they don’t like spaces in the VAT number — which held things up for a while!

However, eventually they sent me a PGP signed email to tell me I was now the proud owner of “cloudba.se”. Unfortunately, this email wasn’t in RFC3156 PGP/MIME format (or any other format that my usually pretty capable email client understood).

The email was signed with key 0xF440EE9B which was reassuring because the .se registry gives the fingerprint for this key on their website here. Rather less reassuringly footnote (*) next to the fingerprint says “.SE signature for outgoing e-mail. (**) June 1 through August 31.” (the (**) is for a second level of footnote, which is absent — and of course it is now September).

They also enable you to fetch the key through a link on this page to their “PGP nyckel-ID” at http://subkeys.pgp.net.

Unfortunately, fetching the key shows that the signature on the email is invalid.

Since the email seems to have originated in the Windows world, but was signed on a Linux box (giving it a mixture of 0D 0A and 0A line endings), then pushed through a three year old copy of MIME-tools I suppose the failure isn’t too surprising. But strictly the invalid signature means that I shouldn’t trust the email’s contents at all — because the contents have definitely been tampered with since the signature was applied.

Since the point of the email was to get me to login for the first time to the registry website and set my password to control the domain, this is a little unfortunate.

Even if the signature had been correct, then should I trust the PGP key?

Well it is pointed to from the registry website which is a Good Thing. However, they do themselves no favours by referencing a version on the public key servers. I checked who had signed the key (which is an alternative way of trusting its provenance — since the email had arrived to a non-DNSSEC secured domain). Turned out there was no-one I knew, and of 4 individual signatures, 2 were from expired keys. The other signature was the IIS root key — which sounds promising. That has 8 signatures, once again not people I know — but only 1 from a non-expired key, so perhaps I can get to know some of the other 7?

Of course, anyone can sign a key on a public key server, so perhaps it makes sense for .se to suggest that people fetch a key with as many signatures as possible — there’s more chance of it being signed by someone they know. Anyway, I have now added my own signature, using an email address at my nice shiny new domain. However, it is possible that I may not have increased the level of trust

By now you have probably heard that Brocade is making a big push from storage networking switches into Ethernet switches by buying Foundry Networks for almost 3 billion in cash.  Actually the deal is valued at about 2.8 billion.  However, Foundry has about 800 million or so in cash and liquid assets.  So taking that into account, the deal is for about 2 billion really, according to the San Jose Mercury News. Still that is quite a number when you consider that $18.50 of the $19.25 price per share is in cash.  That works out to about 2.7 billion.  Considering Brocade only had about 700 to 800 million in cash itself, that means someone is lending them about a billion and half.  Again according the Mercury News, it is Bank of America and Morgan Stanley. This is a 41% premium over Foundry's closing price.  Pretty sweet!

The real question is what does Brocade do with this.  With all of that debt, do they have what it takes to go on and take on Cisco now?  The highways and byways of Silicon Valley are littered with companies that have tried to take Cisco out of this market.  What about the 7 dwarfs who currently compete in this market.  Companies like HP ProCurve, Extreme Networks, Nortel, Enterasys, Alcatel-Lucent and Force 10 are not small little companies. These are companies with 100's of millions, if not billions of dollars of market cap themselves.  They are not going to roll over and die here. Will this set off a round of consolidation for these players to bulk up in order to compete in this brave new world of networking? I think so. What about next gen secure switches like ConSentry, Nevis and Napera? Or some of the other smaller switch vendors like D-link?  Do they view this a a good opportunity to get bought by one of the giants or do they think they can run through the legs of these giants?  I don't know but it is going to be a high barrier of entry into this market.

Ultimately though I don't think Cisco will lose its place of dominance very easily. Brocade will be another competitor among the other switch vendors fighting over 25% of the market. But it sure will be interesting in the switch market for a while.

By now you have probably heard that Brocade is making a big push from storage networking switches into Ethernet switches by buying Foundry Networks for almost 3 billion in cash.  Actually the deal is valued at about 2.8 billion.  However, Foundry has about 800 million or so in cash and liquid assets.  So taking that into account, the deal is for about 2 billion really, according to the San Jose Mercury News. Still that is quite a number when you consider that $18.50 of the $19.25 price per share is in cash.  That works out to about 2.7 billion.  Considering Brocade only had about 700 to 800 million in cash itself, that means someone is lending them about a billion and half.  Again according the Mercury News, it is Bank of America and Morgan Stanley. This is a 41% premium over Foundry's closing price.  Pretty sweet!

The real question is what does Brocade do with this.  With all of that debt, do they have what it takes to go on and take on Cisco now?  The highways and byways of Silicon Valley are littered with companies that have tried to take Cisco out of this market.  What about the 7 dwarfs who currently compete in this market.  Companies like HP ProCurve, Extreme Networks, Nortel, Enterasys, Alcatel-Lucent and Force 10 are not small little companies. These are companies with 100's of millions, if not billions of dollars of market cap themselves.  They are not going to roll over and die here. Will this set off a round of consolidation for these players to bulk up in order to compete in this brave new world of networking? I think so. What about next gen secure switches like ConSentry, Nevis and Napera? Or some of the other smaller switch vendors like D-link?  Do they view this a a good opportunity to get bought by one of the giants or do they think they can run through the legs of these giants?  I don't know but it is going to be a high barrier of entry into this market.

Ultimately though I don't think Cisco will lose its place of dominance very easily. Brocade will be another competitor among the other switch vendors fighting over 25% of the market. But it sure will be interesting in the switch market for a while.

Call me easily impressible, call me naive, darn, call me "out of touch with current security issues," but this book struck a major, major chord with me. It really did.

Now, I have experienced as much poor quality and insecure software as the next guy. I am never ever surprised about some feature in MS Office (or other application, really) just flat out not working or not working as expected or not working every time.

I suspect that, by now, every human on Earth who ever laid their hands on a computer knows:

software = might NOT work.

Now, we expect roads, bridges, toasters, chainsaws, bicycles, cars (until they put software in them...) to work and work they do. And if they don't - the company who manufactures them usually makes them work for us fast - or goes away, cut down by the "benevolent" axe of capitalism. Now, software is totally different (my thinking about this one).

And everybody knows it. But nobody was brave enough to take a hard look at this and analyze how that simple fact affected, affects and will affect our society. And, for my extra-paranoid readers: "... and how it might end that very society."

Until "Geekonomics!"

This book might not reveal any secrets about how software works to an IT professional (it will reveal how law works though!), but it will explain why bad software is everywhere, why we are stuck with it, why it will not improve by itself and - sorry for a hysterical note here! - how we might all fucking die because of it. It then unemotionally predicts why more people will certainly die because of bad software. It studies the complicated dynamics of today's software market such as who is more at fault for bad software - buyers who agree to buy or vendors who make it (or both). It also suggests that many of today's regulations and compliance "thingies" are a little misguided (e.g. in a battle a PCI DSS-compliant enterprise and a 0-day-wielding hacker, any sane person will bet on an 0-day). It is also very well-written; it won't bore an experienced IT  or security pro and it will not overwhelm a mere IT user.

First, it explains why the software is the "foundation of our civilization" today, and how it will be more so in the future. Next, it casts a look at "innovation" and ponders how innovation-driven software development relates to the  fact that users don't touch 90% of features of a typical software. In the third chapter is presents the view of the "0wned world" where "only the stupid [cybercriminals] get caught."  Next chapters looks at how government oversight works in other areas (e.g. FDA), how it might work - and how it might fail (and did fail in the past). While doing it, the book dispels the "government will just  make it worse" myth (basically, because some things are really bad and quickly streaming towards worse already). The amazing chapter 5 gives the clearest explanation of litigation (torts, etc) that I have ever seen (the book is worth reading just for chapter 5 alone!). Chapter 6 takes a super-pessimistic look at open-source software (no comment - just read it). Finally, several possible future - "the way forward" - is discussed.

Another thing I would like to mention about this book is that a reader should keep in mind that it is not about "insecure" software: it is about bad quality, unsafe software in general and less about "hackable" software. The author chose to not make this distinction very clear, perhaps on purpose.

So, everybody in software business, security business - in fact, just everybody who uses a computer - MUST READ THIS BOOK! Seriously, understanding the point made there might be a matter of life or death for some (all?) of us.

As a conclusion, if you want the visual image of the future to end my review, here it is: it is not "Terminator" future (where machines kill people out of evil) that we must fear and work to prevent, but "Robocop" future (where they do due to software bugs).

Go read the darn book!  And support liability for software manufactures. Also, in a few days, check this out (not yet but hover over the link to get a preview...)

1. Dhandho Investor by Mohnish Pabrai. I posted on how much I enjoyed this book in the past, and James McGovern did as well. Key thing here for us infosec types is to decouple risk and uncertainty and focus more on the former. I have often said, that I have learned more about security from reading Buffett and Munger than anything in information security literature. Pabrai is a fellow traveler on the Buffett Munger trail.

2. World is Flat - ubiquitous, but the best quote on why this work matters comes from Chris Ceppi he said to me that he thinks this book does a better job at explaining federated identity than any technical work. I agree.

3. Pentagon's New Map and Blueprint for Action by Thomas Barnett - these two books are absolutely critical to understanding 21st century security - how to think horizontally about security, deliver decentralized security services, and enable resiliency for the system as a whole. Barnett gives us a 21st century security builder model. The best work I have seen on the overlap of economic models and security models.

4. Brave New War by John Robb as I mentioned in my review Robb is the Black hat to Barnett's White hat. But when he does get perscriptive about dealing with the asymmetric threat problem that globalization has unleashed on us - the action items are all around survivability and resilience.

5. Starfish and the Spider by Ori Brafman and Rod Beckstrom - again a focus on decentralization, mapping services and skills; identifying and enabling catalysts, through trusted networks. Spiders die, starfish regenerate - think about that next time you are designing access control. Interestingly enough, Rod Beckstrom is now the cyber security czar, and I am very hopeful to see some good things come out of this appointment. Its very interesting to think about OWASP as a starfish organization. Totally decentralized, I believe one employee, a major global impact - the single best source for software security (not just web app security) - OWASP is a living testament to the positive power and impact that starfish organizations can have.

One thing these all have in common is decoupling and decentralization. In the field many times people automatically associate security with centralization, but this is often the wrong approach. Many times, the most cost effective, proportional approach is to take a decentralized path, these books give some ideas on how to do that.

Update: Chapter 5 of The New School of Information Security by Adam Shostack and Andrew Stewart is about this same issue of learning from other fields. I will have a review of this book soon, they go into quite a lot of detail about what Information Security can glean from economics, psychology and other disciplines, and I particularly like their last sentence in that chapter:

Lessons from other sciences allow us to observe the world, ask why, and receive an answer.

But the brave folks at the Pirate Bay seem to be faced right and left these days with international lawsuits for hosting their torrent trove of pirated treasures.

But they wouldn’t be pirates if they didn’t have witty, snarky come-backs to their pursuers — like the following.

Peter Sunde has reportedly said, in response to the latest lawsuit:

“We might be able to pay in Monopoly money. This proves that they are out of touch with reality. They might as well ask for a billion crowns. This is fear-based propaganda; they’re trying to make it sound serious when we link to things that you download from elsewhere,” Sunde told SvD. “We should send them an invoice instead. All research shows that file-sharing grows the market for the movie industry. I go by research; they make it up as they go.”