[SecurityRatty] tag: charlie

Innovators, Imitators and Idiots

Tue, 07 Oct 2008 04:32:33 +0000

Charlie Rose interviews Warren Buffett:

Charlie Rose:
And so when you look at where we are going, there seems to be two issues that are apparent to me at least, risk and leverage. We just lost sight of risk and leverage of what was appropriate?
Warren Buffett:
Yeah. Again, because it pays off for a while. You know, you can lose leverage, and it's the only way a smart guy can go broke. If you owe money, you can't pay them out. You just pay for everything, you do smart things, you eventually get very rich. If you do smart things and use leverage and do one wrong thing along the way, it could wipe you out, because anything times zero is zero. But it's reinforcing when the people around you are doing it successfully, you're doing it successfully, and it's a lot like Cinderella at the ball. I mean you know at midnight everything is going to turn to pumpkins and mice; right? But if the evening goes along, I mean, you know, the guys look better all the time, the music sounds better, it's more and more fun, you think why the hell should I leave at quarter of 12. I'll leave at two minutes to 12. But the trouble is, there are no clocks on the wall. And everybody thinks they're going to leave at two minutes to 12.

Its effectively the job of leadership to know when to take the punch bowl away and to have the credibility to do this. This is also the risk-reward balance that infosec must try to strike, part of the answer is differentiating risk and uncertainty. As our current financial situation shows, its a hard thing to pull off

Charlie Rose:
And should wise people have known better?
Warren Buffett:
People should always know better.
Charlie Rose:
Yeah.
Warren Buffett:
I mean people -- people don't get -- they don't get smarter about things that get as basic as greed and you can't stand to see your neighbor getting rich. You know you're smarter than he is, and he's doing these things, you know, and he's getting rich, and your spouse is getting unhappy with you because you aren't doing -- pretty soon you start doing it. And so you get what I call the natural progression, the three Is. The innovators, the imitators, and the idiots. And that's what happens. Everybody just kind of goes along. And you look kind of silly if you disagree. I mean, you know, you could have these crazy Internet valuations in the late 1990s, but they prove themselves out in the market. The next day they were selling for more than they were the day before, and people said, you know, you're crazy if you don't get in on this. So it's very human. Now, with housing it's something even more dramatic than that, because most people aspire to own their own home. And if you really think that houses prices are going to go up next year and the year after, you feel if I don't buy it this year, I'm going to have to buy it next year. That's not true of an Internet stock. But it's true of a home. And when somebody makes it very easy for you to do it by saying you don't really have to put up my money, you can lie about your income a little, or we'll give you 100 percent mortgage, you're going to do it, because everybody that's done it has been proven right. You have what they call social tools, and, you know, you're going to feel like an idiot if you didn't do it, because the house cost more.

And this is why its hard to pull off. There is a lot of human emotion and envy (*). I think the point Buffett raises about innovators, imitators and idiots is a useful one for infosec. We see all kinds of new projects and technologies that have risks and rewards associated with them, its helpful to categorize these under innovation (high risk but possible game changer), imitators (so called best practices), and idiots (sheep mode - blind risk acceptance). We can get some traction here to use these concepts to understand what to do when assessing say the architectural and oeprational risk of a system.

Finally, we should always spend some time to consider infosec decisions in a broader long term economic context and this is also true of our current financial crisis

Warren Buffett:
Oh, I think confidence will come back. I will tell you this. This country is going -- be living better ten years from now than it is now. It will be living better in 20 years from now than ten years from now. The ingredients that made this country, you know, the miracle of the world -- I mean we had a seven for one improvement in the average American standard of living in the 20th century. Now, we had the great depression, we had two world wars, we had the flu epidemic. You know, we had oil shock. You know, we had all these terrible things happen. But something about the American system unleashed more and of a potential to human beings over that hundred years so that we had a seven for one improvement in -- there's never been any -- I mean, you have centuries where if you've got a 1 percent improvement, then it's something. So we've got a great system. And we've got more productive capacity now than we ever have. The American worker is more productive than he's ever been. We've got more people to do it. We've got all the ingredients for a sensational future. It's just that right now the athlete's on the floor. But we -- this is a super athlete.

Again, we want to look at risk events in a broader, long term context. In Buffett's words its - "be fearful when others are greedy and greedy when others are fearful." As the world panics and Jim Cramer is melting down on TV, Buffett is quietly writing checks with both hands, buying $3B of GE, $5B of Goldman, $6.5 of Wrigley/Mars and so on. Uncertainty is one thing, it could be 6 months it could be 5 years until this thing turns around, but risk is another - you hedge your risk with price and long term advantages, i.e. moats. People will still eat candy in a bad economy.

* Buffett's partner Charlie Munger calls envy the stupidest of the seven deadly sins, because only you feel bad, there is an upside to all the others. He said you can pay someone on Wall St $2 million a year and they will be perfectly happy until they find out someone across the hall is making $2.1 million and then they will be miserable. Which is an insane way tolive.

Assets Good Until Reached For

Mon, 15 Sep 2008 05:41:43 +0000

A few months back Minyanville wondered whether this subprime mess would end up as a cancer or a car crash. Guess we know the answer now. The question is - should we be at all surprised? Some smart folks have been warning for a long time. Warren Buffett famously called derivatives financial weapons of mass destruction.

Charlie Munger, as he is wont to do, went a bit further (from 2004):

I think a good litmus test of the mental and moral quality at any large institution [with significant derivatives exposure] would be to ask them, "Do you really understand your derivatives book?" Anyone who says yes is either crazy or lying.

They have many other statements in the same direction, based on their own experience from buying companies that used deriviatives where they were unable to to unwind the books and figure out who owed who. At the last Berkshire Hathaway annual meeting someone asked Charlie Munger what we could learn from past blow ups about the present crisis

It was a particularly foolish mess. We talked about an idiot in the credit delivery grocery business, Webvan. Internet based delivery service for groceries -- that was smarter than what happened in mortgage business. I wish we had those Webvan people back.

What can we learn from all this?

Well Dan Geer launched a revolution with his famous speech about risk management. He got the big picture part right on the security industry evolving into more risk management practices, however the examples we assumed that were right at the time, the financial industry are proving wrong. For one thing you can't manage a risk if you don't know the assets (back to Charlie Munger, emphasis added):

It is crazy to allow things to get too big to fail, run with knavery. As an industry, there is a crazy culture of greed and overreaching and overconfidence trading algorithms. It is demented to allow derivative trading such that clearance risks are embedded in system. Assets are all “good until reached for” on balance sheets. We had $400m of that at general re, “good until reached for”. In drug business you must prove it is good. It is a crazy culture, and to some extent an evil culture. Accounting people really failed us. Accounting standards ought to be dealt with like engineering standards.

So, yes it is about risk management, but if you build too many abstractions on top of your assets through derivative accounting and such you may find you don't have any assets when you need them. Don't fall in love with your abstractions, manage your assets.

There are some clear lessons for us in Information Security, err I mean Information Risk Management.

Margin of safety Its our job to manage risk, but this doesn't mean that we have to build layers and layer of abstraction on top of it. It also means that we help to design, build, deploy, and operate systems with margins of safety. Understanding the failure modes and accounting for this in design. Developers (because they are supposed to) and architects (because they haven't been properly trained) focus on functional requirements, building features, but on security not so much. There are many ways to improve security in a system and they are all inadequate by themselves, but we can help find cost effective improvements.

Don't fall in love with abstractions

If you have a 100,000 dekstops or 100,000 servers it hard to manage. You will need to automate and to do that you need to abstract, but you should also realize that its a drawing on a whiteboard not reality. You need abstraction assurance.

Ian Grigg commented on an earlier post

There are distinct parallels between phishing / retail payments, and the bigger investment mess. In both cases, banks would argue these are core business. In both cases, they have applied risk-based security models, and accepted some loss. In both cases, they have the ability to apply substantial experience to the monitoring, allocating and absorbing risks and losses.

In both cases, they watched and did nothing as the risks started from low, and migrated upwards. Are we at the point where regulation has killed the ability of banks to apply their (arguable) one core skill, to whit, risk-based analysis? Are banks that far out of banking that they no longer have it?

So you have to remember that top down and bottom up need to be combined.

Design for failure

Dan Geer has also told the story that he sat in a large bank's risk management training, and the trainer said "you may wonder why this works so well. it works because there is zero ambiguity over who owns what risk." Dan's thought was - "in my field we have nothing but ambiguity." Turns out the second part was right, we have nothing but ambiguity over who owns what risk; unfortunately the financial people have much more ambiguity than they thought! So we do have a lesson here after all, and it this - when the thing you thought was true isn't, the failure mode is very ugly. Design for failure - add layers of protection.

Keep it simple.

They have some smart engineers at Google to be sure, but even they had incredibly basic errors in their SSO. I have seen other obvious fails like people signing WS-Security messages, and the recipient checks for a signature but not if they trust the signer! There are so many ways to shoot yourself in the foot in a loosely coupled systems, and we have so many abstractions layered on top of each other, part of the mantra of protecting assets has to be keeping it simple.

So that is my list, to do all these things it requires that Infosec get in the game, understand the use cases, understand the business value (it should be abundantly clear that you can't simply rely on "business people" to be "business experts"), and that you not lose sight of the asset amidst all the abstraction. Finally, the systems we build security on are very primitive, a firewall and SSL are fine, a seatbelt was fine in 1935 and its still fine today, but there are lots of other safety controls in cars. ABS, airbags, traction control, they all protect the assets far better than in 1935, that's what we need to build.

Anyone can make bad assumptions (assume you know who owns what risk) and its easy to make bad abstractions (the firewall protects the information system), but when you combine bad assumptions with bad abstractions you'll get assets that are good until reached for sooner or later

Bubblicious

Tue, 15 Jul 2008 17:26:02 +0000

iang surveyed the events that conspired to our present ever mounting economic problems. Interestingly enough Charlie Munger identified much the same themes (not all the particulars) way back in Wesco Financial's 1990 letter

Granting the presence of perverse incentives, what are the operating mechanics that cause widespread bad loans (where the higher interest rates do not adequately cover increased risk of loss) under our present system? After all, the bad lending, while it has a surface plausibility to bankers under cost pressure, is, by definition, not rational, at least for the lending banks and the wider civilization. How then does bad lending occur so often?

It occurs (partly) because there are predictable irrationalities among people as social animals. It is now pretty clear (in experimental social psychology) that people on the horns of a dilemma, which is where our system has placed our bankers, are extra likely to react unwisely to the example of other peoples' conduct, now widely called "social proof". So, once some banker has apparently (but not really) solved his cost-pressure problem by unwise lending, a considerable amount of imitative "crowd folly", relying on the "social proof", is the natural consequence. Additional massive irrational lending is caused by "reinforcement" of foolish behavior, caused by unwise accounting convention in a manner discussed later in this letter. It is hard to be wise when the messages which drive you are wrong messages provided by a mal-designed system.

In chemistry, if you mix items that explode in combination, you always get in trouble until you learn not to allow the mixture. So also, in the American banking system.

So Munger identified this volatile combination about 17 years ago at least. In the same letter Warren Buffett added:

A few small sections of Mr. Munger's letter have been excluded: When Berkshire's report exceeds 72 pages, we have problems in binding it. Because of this limitation, either Charlie's letter or mine had to be cut and I decided a coin flip was appropriate. In fact - as things turned out - I finally decided nine flips were appropriate. -- W.E.B.

Only thing I would (and did) add to iang's post is that historically speaking when things are looking bad is when deals are found. Jason Zweig (channeling Ben Graham)

"Could things possibly get worse? I don't know, but I am an optimist -- so I certainly hope things do get worse. Nothing else should satisfy an intelligent investor."

Dude Dont Hack My Coffee

Wed, 18 Jun 2008 01:19:11 +0000

As someone trying to get off the coffee train I find the recent reports of vulnerabilities in network connected coffee machines somewhat amusing. It seems some guy tht has $2,900 to spend on a coffee maker(!!) also has the skillz to find a buffer overflow in it.

This type of thing is only going to increase as people slap more stuff onto the network with little to no care about security. These things generally all have web UIs which makes the vulns that much more interesting. It is somewhat easy to detect the spread of a mass SQLi attack on public facing web sites but what happens when we get this attack on internally facing systems? They are much harder to track and even detect. What if my coffee maker now does drive by malware attacks? What if my wireless router does? Our jobs are only geting harder people.

Link

HP Printer Hack Old News
I chuckled when I saw this Change the message on HP printers cause I thought it was pretty funny. Th...
Mac Hacked in 2 Minutes, Apple is a lame patcher
At the CanSec West conference Charlie Miller wins the PWN 2 OWN contest. I think these contest are k...
These are the crazy people in your security neighborhood - Part 2 Private Pyle
When you have been around the IT/Security space as long as I have you run into to a lot of whacky pe...
Review: The Web Application Hacker’s Handbook
These are the crazy people in your security neighborhood - Part 4, Packet Pete

Post from: Grumpy Security Guy

Dude Don’t Hack My Coffee

Top 5: Why Customers Consider NAC

Sat, 31 May 2008 18:10:33 +0000

On a daily (and nightly) basis I have the wonderful experience of talking to, chatting about, presenting on or asking questions of customers about NAC.

At each of these opportunities, I like to ask ‘Why are you considering NAC?”

Here’s my Top 5 of Why Customers Consider NAC (or think they want NAC). This is not based on any other organization’s research or polls, nor is it based on analyst analysis. It’s not based on forethought or musings of an ‘expert’. It’s just my personal experience from my daily interactions.

#1: Endpoint Compliance
I put this one first, because I think it’s the most-hyped and possibly least significant. I know, that’s harsh, especially when endpoint compliance seems to be the big bat NAC carries around. Truth be told, it’s more of an ‘icing on the cake’ for the people I talk to. Until the auto-remediation features are a little more mature, the idea of checking for much beyond presence of anti-virus and possibly patches is unattractive. Frankly, endpoint compliance for LAN-based devices can be a Charlie Foxtrot except under the most ideal circumstances. There are many large organizations and DoD groups that need endpoint compliance, and that’s a primary driver for them. For the rest, one of the other reasons below is a primary compelling feature and endpoint checking is just another knob they can play with.

The lack of fervent interest in endpoint checking is why I had to disagree so strongly with Stiennon’s when he advises in his NWW article “Don’t even bother investing in NAC”. The entire premise of his issues with NAC center around various endpoing checking. (You can check out Shimel’s response too Stiennon’s blog here.)

#2: Guest Access
Believe it or not, the most frequent response I get for “why are you considering NAC” is “guest access”. Guest access seems to be a thorn in every organization’s side. It’s a simple problem with impossibly complex solutions… or so they think. For years, we’ve been provisioning safe and secure guest access for customers with the use of clean and simple protocol-less VLANs and so, I know that about 82% of the time, there are much simpler ways to offer guest access than by rolling out a full NAC implementation. If guest access is your primary and only goal with a NAC solution, there’s probably a better, faster and less expensive solution. If money and time are no object, then NAC can be a good way to get from point A to B and give you a few fun technical trinkets to play with.

#3: Edge Port Security
After guest access, the next thing I hear most is interest in adding edge port security with a 802.1X NAC solution. (We call this Layer 2 NAC.) I tend to think for the time being, this is NAC’s sweet spot. Note I said ‘for the time being’, I think this may change in the next 18-24 months. But for now, the ability to lock down edge ports and secure switch-to-switch links is an extremely attractive feature. Outside of the 802.1X protocol, there aren’t really any other ways to skin this cat. I know what you’re thinking… you don’t have to do NAC to use 802.1X… and that’s certainly true, but for a network of any size, NAC makes an 802.1X implementation easier to manage and monitor centrally and gives you more of that NAC icing we all love.

When the 802.1X-REV comes out (probably early 2009) I think you’ll see organizations that have previously blown off 1X seriously considering it for all the added security and multi-user support it will bring to the table.

#4: User & Resource Accounting
Unless you have a 3rd party solution or want to dig through mounds of RADIUS syslogs, you probably don’t have a good way to account for user authentication and accountability of resource access throughout the network. Most vendors’ NAC solutions already have pretty good logging and reporting features built in today. Depending on the solution and integration of other devices, you may even get detailed accounts of which user viewed exactly what, when and from where. This is a great selling point to organizations that are trying to follow strict regulations for accountability of financial or extremely sensitive resources. The standards bodies (IEEE, TNC framework and IETF) are coming out with more and more ways to leverage 3rd party security devices within NAC. The IF-MAP is a great example and we’ll be seeing more I’m sure.

#5: Dynamic VLAN Assignment
Lastly, but not least, I hear a lot of customers that are looking for a good way to dynamically provision attributes, such as VLAN assignment and QoS to users or devices. It makes switch configuration and management much simpler, and eliminates the need to assign port-based VLANs. The ability to leverage your existing user directory and define both broad and very granular attributes is certainly a draw, and NAC is a great way to offer that.

That wraps up my Top 5. Of course, there are plenty more drivers, both business-based or technology-based, but these are the 5 I hear most.

# # #

Links List 5.30.08

Fri, 30 May 2008 16:24:44 +0000

We gave a nod to IBM Tivoli for its Big Green initiative in a post last week. Here’s Michael Cote of RedMonk weighing in on the Tivoli’s green announcement. “The impressiveness…is twofold: bringing actual metrics to the question of power consumption and building out an ecosystem of vendors to service reacting to those metrics.” And then my favorite line “Much green-in-the-data-center talk often comes off as fluffery that can’t be executed.”

Charlie Babcock at Information Week reported that VMWare just acquired an application performance management company. What is it with VMware and the little companies they purchase? Actually, comments like that aside, I think this is a very interesting acquisition. Clearly moving in the right direction to take advantage of virtualization features to help optimize app performance/availability and maybe even automate remediation based on the info coming out of B-Hive and policies set up in VI3. We’ll see.

A new series called “OpsMgr Answer This” began this week on Windows’ Operation Manager blog. The first question asked, “Why should one go to Operations Manager 2007? You may be using MOM 2005 and be perfectly happy with it. There is an adage: "if it works, don’t break it" - so why go to Operations Manager 2007?” Kerrie Meyler answered with this, “The biggest change in OpsMgr 2007 versus MOM 2005 is in its approach to monitoring. OpsMgr incorporates end-to-end monitoring - not just server monitoring with MOM 2005… but the health of applications (including identified components across the network) and services. Which would you prefer to know?” We already know our answer.

Virtualization implementation needs more strategy behind it, says Michael Vizard of eWeek’s Masked Intentions. “Instead of thinking of virtualization as glorified system software, IT organizations need to take a more holistic approach to virtualization.” We couldn’t agree more – in fact, we talk about virtualization as a technology strategy in and of itself. A successful virtualization strategy combines people and process changes with the right tools for a company’s unique computing environment and goals.

ShareThis

Links List 5.30.08

Fri, 30 May 2008 16:24:44 +0000

ShareThis

Links List 5.30.08

Fri, 30 May 2008 16:24:44 +0000

ShareThis

Personal information from two Colorado mortgage companies found in dumpsters

Wed, 07 May 2008 18:20:50 +0000

Technorati Tag: Security Breach

Date Reported:
4/28/08

Organization:
Cove Creek Mortgage
Front Range Mortgage, LLC

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown

Types of Data:
Mortgage files, tax returns, pay stubs, Social Security numbers, and other personal information

Breach Description:
"ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend."

Reference URL:
Denver Channel 7 News
Denver Channel 7 News (update)

Report Credit:
Denver Channel 7 News

Response:
From the online sources cited above:

ENGLEWOOD, Colo. -- The Arapahoe County District Attorney's Office is advising anyone who has used Cove Creek Mortgage to watch out for identity theft after hundreds of mortgage files were dumped in a public trash bin over the weekend.
[Evan] Cove Creek Mortgage joins the ranks of other mortgage companies reported for similar breaches on The Breach Blog. The others are Affordable Realty and Union Mortgage Services of Cleveland, Inc..

Cove Creek's owner had abandoned his Englewood office in January, and property managers had not been able to find him
[Evan] What kind of businessman just abandons an office full of confidential files and equipment?

On Saturday, the property manager had a crew clean out his office and throw all items from the office -- including complete mortgage files -- into two Dumpsters.
[Evan] Maybe the property manager should pay a little closer attention to the things they throw in the dumpster. Having said this, the property manager is not really at fault.

David Peters who works in the same complex found the files Monday morning.

"I was taking some other trash out to the garbage can and opened the lid and on there was a couple of laptops,"

"Directly underneath them were files with people's names on it and I was like, 'Well, this is not right.'"

"There were tax returns, pay stubs, everything in there," he said. "And as I looked at the different files I realized that it was mortgage files, which was kind of scary, because who do you disclose the most information to or all of your information? That is when you are getting a mortgage loan."
[Evan] According to the news report, Mr. Peters contacted authorities. This could have easily been much worse for victims.

The Dumpsters were not secured and located at 88 Inverness Drive East, Bldg. F.

Sheriff's investigators finally found the owner of Cove Creek and talked him into retrieving the files, many of which had private information, including Social Security numbers and credit history.
[Evan] Mr. owner guy, will you please come get your stuff and the personal information that was entrusted to you? According to zoominfo a guy named Charlie Cartwright is/was the president of Cove Creek Mortgage. I have no idea if this is the same guy that is referred to in the news article.

The district aAttorney's office got a tip about numerous mortgage files and two laptop computers in a Dumpster behind offices formerly used by Cove Creek Mortgage and Front Range Mortgage.
[Evan] Now Front Range Mortgage joins the ranks. Front Range Mortgage offers credit repair services too! Do you suppose they could have repaired the damage that could have been done?

"With a name, Social Security number and bank account number, they can clean you out before you even know," said Arapahoe County District Attorney Carol Chambers.

The files and computers contained sensitive information on many former customers of Front Range Mortgage, including names and addresses, Social Security numbers and bank, credit card and investment account information.

While there are civil laws against dumping such documentation, Chambers said it is not against the law.
[Evan] It's too bad that we have to write and enforce laws to protect us from idiots.

"I think it is a matter of legislation not catching up with the realities of identity theft," said Chambers. "And absolutely, we think recklessly disposing or negligently disposing of this kind of information should maybe carry a criminal penalty, just to get people's attention that you can't just leave this information or leave it out in a Dumpster."

"The district attorney recommends that any former customers of Front Range or Cove Creek should place a fraud alert on their credit reports and monitor any bank, credit card or investment accounts that might have been included on a mortgage application with that firm."

For further information, assistance or questions, call the District Attorney's Fraud Assistance Line at 720-874-8547.

Commentary:
What is with these mortgage companies? The 90's and early 2000's was a wild ride for mortgage brokers, real estate agents, and investors. The money attracted people from all walks of life and a lot of poor decisions were made. Now that the bubble has burst, we start to see the true colors of some of these "professionals".

I don't know much if anything about the owners of these companies, but I do know that securing personal information poorly is bad business.

Past Breaches:
Unknown

Manuals (CIA and NGO)

Wed, 07 May 2008 12:57:00 +0000

Today is midweek manual day, and here's a quick selection of interesting manuals to read.

At the top of the list is the CIA's Psychology of Intelligence Analysis by Richards J. Heuer. This is a must read if you're into critical thinking and the inner game of security. It covers information gathering, analysis and the various biases that can creep in and influence decisions. The content presented in this manual should be taught in every introductory humanitarian security course.

Next up, Charlie writes in with some links to a few humanitarian security manuals and resources:

http://www.frontlinedefenders.org/manuals/protection

http://www.frontlinedefenders.org/manuals

http://www.aidworkers.net/?q=advice/security

http://ec.europa.eu/echo/evaluation/security_review_en.htm

(A few of these may seem familiar, but it's good to mention again for new blog readers.)