[SecurityRatty] tag: off-site

VeriSign, ICANN Square Off Over DNS Root

Fri, 10 Oct 2008 17:59:00 +0000

As the U.S. government starts the process of closing a major net vulnerability, two longtime net infrastructure rivals -- the non-profit ICANN and for-profit VeriSign -- are battling over who will compile and verify the net's most important document. Internet experts give the nod to ICANN and bring up VeriSign's greedy past.

Army Orders Pain Ray Trucks; New Report Shows 'Potential for Death'

Fri, 10 Oct 2008 11:17:00 +0000

After years of testing, the Active Denial System -- the pain ray which drives off rioters with a microwave-like beam -- could finally have its day. The Army is buying five of the truck-mounted systems for $25 million. But the energy weapon may face new hurdles, before it's shipped off to the battlefield; a new report details how the supposedly non-lethal blaster could be turned into a flesh-frying killer.

Finding listening ports on your Windows box using Netstat, Fport, Tcpview, IceSword and Current Ports

Wed, 08 Oct 2008 00:41:49 +0000

New Video:Finding listening ports on your Windows box using Netstat, Fport, Tcpview, IceSword and Current Ports
Host based firewalls are fine and dandy, but I'd rather turn off services I don't need than to just block them. Host based firewalls are sort of a bandage, and while they can be useful for knowing what is connecting out (see egress filtering), it's better just not to have unneeded network services running in the first place. This video can be seen as a supplement to my article "What can you find out from an IP?"

Innovators, Imitators and Idiots

Tue, 07 Oct 2008 04:32:33 +0000

Charlie Rose interviews Warren Buffett:

Charlie Rose:
And so when you look at where we are going, there seems to be two issues that are apparent to me at least, risk and leverage. We just lost sight of risk and leverage of what was appropriate?
Warren Buffett:
Yeah. Again, because it pays off for a while. You know, you can lose leverage, and it's the only way a smart guy can go broke. If you owe money, you can't pay them out. You just pay for everything, you do smart things, you eventually get very rich. If you do smart things and use leverage and do one wrong thing along the way, it could wipe you out, because anything times zero is zero. But it's reinforcing when the people around you are doing it successfully, you're doing it successfully, and it's a lot like Cinderella at the ball. I mean you know at midnight everything is going to turn to pumpkins and mice; right? But if the evening goes along, I mean, you know, the guys look better all the time, the music sounds better, it's more and more fun, you think why the hell should I leave at quarter of 12. I'll leave at two minutes to 12. But the trouble is, there are no clocks on the wall. And everybody thinks they're going to leave at two minutes to 12.

Its effectively the job of leadership to know when to take the punch bowl away and to have the credibility to do this. This is also the risk-reward balance that infosec must try to strike, part of the answer is differentiating risk and uncertainty. As our current financial situation shows, its a hard thing to pull off

Charlie Rose:
And should wise people have known better?
Warren Buffett:
People should always know better.
Charlie Rose:
Yeah.
Warren Buffett:
I mean people -- people don't get -- they don't get smarter about things that get as basic as greed and you can't stand to see your neighbor getting rich. You know you're smarter than he is, and he's doing these things, you know, and he's getting rich, and your spouse is getting unhappy with you because you aren't doing -- pretty soon you start doing it. And so you get what I call the natural progression, the three Is. The innovators, the imitators, and the idiots. And that's what happens. Everybody just kind of goes along. And you look kind of silly if you disagree. I mean, you know, you could have these crazy Internet valuations in the late 1990s, but they prove themselves out in the market. The next day they were selling for more than they were the day before, and people said, you know, you're crazy if you don't get in on this. So it's very human. Now, with housing it's something even more dramatic than that, because most people aspire to own their own home. And if you really think that houses prices are going to go up next year and the year after, you feel if I don't buy it this year, I'm going to have to buy it next year. That's not true of an Internet stock. But it's true of a home. And when somebody makes it very easy for you to do it by saying you don't really have to put up my money, you can lie about your income a little, or we'll give you 100 percent mortgage, you're going to do it, because everybody that's done it has been proven right. You have what they call social tools, and, you know, you're going to feel like an idiot if you didn't do it, because the house cost more.

And this is why its hard to pull off. There is a lot of human emotion and envy (*). I think the point Buffett raises about innovators, imitators and idiots is a useful one for infosec. We see all kinds of new projects and technologies that have risks and rewards associated with them, its helpful to categorize these under innovation (high risk but possible game changer), imitators (so called best practices), and idiots (sheep mode - blind risk acceptance). We can get some traction here to use these concepts to understand what to do when assessing say the architectural and oeprational risk of a system.

Finally, we should always spend some time to consider infosec decisions in a broader long term economic context and this is also true of our current financial crisis

Warren Buffett:
Oh, I think confidence will come back. I will tell you this. This country is going -- be living better ten years from now than it is now. It will be living better in 20 years from now than ten years from now. The ingredients that made this country, you know, the miracle of the world -- I mean we had a seven for one improvement in the average American standard of living in the 20th century. Now, we had the great depression, we had two world wars, we had the flu epidemic. You know, we had oil shock. You know, we had all these terrible things happen. But something about the American system unleashed more and of a potential to human beings over that hundred years so that we had a seven for one improvement in -- there's never been any -- I mean, you have centuries where if you've got a 1 percent improvement, then it's something. So we've got a great system. And we've got more productive capacity now than we ever have. The American worker is more productive than he's ever been. We've got more people to do it. We've got all the ingredients for a sensational future. It's just that right now the athlete's on the floor. But we -- this is a super athlete.

Again, we want to look at risk events in a broader, long term context. In Buffett's words its - "be fearful when others are greedy and greedy when others are fearful." As the world panics and Jim Cramer is melting down on TV, Buffett is quietly writing checks with both hands, buying $3B of GE, $5B of Goldman, $6.5 of Wrigley/Mars and so on. Uncertainty is one thing, it could be 6 months it could be 5 years until this thing turns around, but risk is another - you hedge your risk with price and long term advantages, i.e. moats. People will still eat candy in a bad economy.

* Buffett's partner Charlie Munger calls envy the stupidest of the seven deadly sins, because only you feel bad, there is an upside to all the others. He said you can pay someone on Wall St $2 million a year and they will be perfectly happy until they find out someone across the hall is making $2.1 million and then they will be miserable. Which is an insane way tolive.

University sets up a campus warning network for free

Mon, 06 Oct 2008 20:00:00 +0000

Elon University needed to come up with a campus-wide emergency notification system that integrated with all the possible warning-delivery systems already installed on campus, and managed to pull it off for free.

10 steps to loading dock security

Sun, 05 Oct 2008 20:00:00 +0000

It's the stuff of CSO nightmares. Early on the morning of Sept. 2, while most folks were home sleeping off the hot dogs, thieves used bolt cutters to break into an Alltel Communications warehouse and four of its loading docks in Fort Smith, Ark. Sources say they escaped with an estimated US$10 million worth of cell phones, not a bad haul for their Labor Day efforts.

Mac security focus: Firewalls

Sun, 05 Oct 2008 20:00:00 +0000

Firewalls monitor and regulate the data moving on and off your computer or network. They can keep criminals out while allowing legitimate network traffic in. Mac OS X comes with not one but two firewalls of its own. However, those two aren't always enough.

A Few Fun Bits, While I Am Preparing for My Speech at SANS

Fri, 03 Oct 2008 08:04:00 +0000

A few more things, that qualify as fun reads, with - hopefully just as fun! - comments.

Love, love, love this piece :-) Remember the "robotic gun rampage" stories from last year? How does this sound: "The gun can track 360 degress, but there is a software-driven safety zone that makes sure rounds don't blow the rotors off. If the Osprey has to maneuver away from the target and the crew chief can't hold the gun on the bad guys manually, the system slaves the gun to the point of the last shot, slewing it as the plane moves." (watch the fun video there too)
"Security idiot" meme lives on - go here. BTW, the post is a follow-up to this
A fun follow-up to my post on compliance approaches titled Is PCI DSS "Too Prescriptive"?
Finally, my fave post: "Increase Your Logging." I am sooooo happy that logging evangelism is spreading far and wide! A quote from the paper: ”Logs are interesting, logs are fun, logs should be done by EVERYONE…..get to logging!!!” (I promise that specific case was not my quote, even though I do say that very thing all the time!)

Enjoy! Time for me to run and do my preso ... about logs of course!

Taleb on the Limitations of Risk Management

Fri, 03 Oct 2008 03:48:41 +0000

Nice paragraph on the limitations of risk management in this occasionally interesting interview with Nicholas Taleb:

Because then you get a Maginot Line problem. [After World War I, the French erected concrete fortifications to prevent Germany from invading again -- a response to the previous war, which proved ineffective for the next one.] You know, they make sure they solve that particular problem, the Germans will not invade from here. The thing you have to be aware of most obviously is scenario planning, because typically if you talk about scenarios, you'll overestimate the probability of these scenarios. If you examine them at the expense of those you don't examine, sometimes it has left a lot of people worse off, so scenario planning can be bad. I'll just take my track record. Those who did scenario planning have not fared better than those who did not do scenario planning. A lot of people have done some kind of "make-sense" type measures, and that has made them more vulnerable because they give the illusion of having done your job. This is the problem with risk management. I always come back to a classical question. Don't give a fool the illusion of risk management. Don't ask someone to guess the number of dentists in Manhattan after asking him the last four digits of his Social Security number. The numbers will always be correlated. I actually did some work on risk management, to show how stupid we are when it comes to risk.

Money meltdown, Ozzie's cloud, security worries

Thu, 02 Oct 2008 20:00:00 +0000

At least those of us who are fans of professional baseball have the playoffs to take our minds off the grim news this week (at least that's the case for fans of the teams that are winning). The U.S. financial system meltdown smacked world markets and set off a whole lot of worry, which tended to overshadow all the other news.