For June, we have an 802.1X hat-trick to blame for my slack blogging habits. Over the past few weeks, I’ve had back-to-back 802.1X implementations, one wired, one wireless and one with both. Two government customers and one commercial, not in that order. And I even did one semi-training-slash-semi-implementation-quick-start for another customer.

It’s been fun, but 1X is always challenging. The variety of components, the nature of the interactions and the ‘newness’ of actual implementations make it difficult to work from any type of cookbook or implementation guide. There are just too many variables.

When will it be easier? I think as 1X is more widely implemented in the real world, customers will become more familiar with the concepts and integrators will have more experience to make it go smoothly. For now, everyone has to just take it one step at a time and address issues as they arise. And, for now, I’ll enjoy the job security that 1X offers ;)

Luckily, I’ve had the opportunity to work with a variety of customers and a variety of environments and equipment while hammering out 802.1X. The experience and exposure has certainly given me a unique insight into the issues, complications and solutions that come along with a 1X project.

At present, I think we’ve successfully configured 1X on about a dozen different types of equipment, both switches and wireless APs and controllers, from a variety of vendors. It may not sound like much, but in the world of 1X, that’s quite a variety when you consider each manufacturer has their own ‘system’ for configuring 1X and the commands and procedures can vary greatly even from product-to-product from the same vendor.

Is the 1X streak over? Not at all. We have several customers with NAC and 802.1X projects that we had to queue up for after June 30. I’ll keep you posted!

# # #

So what motivates me to attend BlackHat? The #1 reason for me is networking — meeting new people and catching up with old friends and colleagues. Despite our best intentions, we are all busy and our networks are constantly expanding, making it increasingly difficult to stay in touch with old friends in the industry. Twitter and other forms of microblogging help you chip away at the communication gaps; you get a glimpse into peoples’ lives but it’s no replacement for a real conversation.

Obviously, the briefings themselves are a major draw. Even though it’s expanded to over 10 tracks now, the quality hasn’t really suffered. This year’s experiment with allowing paid delegates to vote on speakers seems to have produced a good lineup, though I’m sure there was still a selection committee that could and probably did overrule the votes in some cases. Either way, BlackHat presentations are a decent indicator of the overarching themes that will be prevalent in information security for the upcoming year or two.

When I first started attending BlackHat, I was drawn to the talks discussing 0-day vulnerabilities, tool releases, shellcode tricks, and the like. These days, anything relating to static analysis, automation, and of course web security are most interesting to me. I also consider who’s speaking, regardless of the topic (e.g. one of these guys presents, I’m there). In general, I’ll try to gauge how much value the speaker will add to the presentation — in other words, what do I gain by attending the talk vs. flipping through the slides later? I never attend every time slot; sometimes the hallway conversation is just more interesting.

Some of my other reasons for attending, in no particular order, most of which fall under the “networking” umbrella:

• The parties (duh)
• The Pwnie Awards
• Meeting fellow security bloggers
• Recruiting speakers for SOURCE
• Finding future Veracode employees
• Trading war stories
• Picking up vendor schwag for my kids (RSA is much better for this one)
• Meeting current and former customers — and future ones, hopefully

Things I could do without:

• The cigarette smoke
• The heat
• Quark’s

I’ve stuck around for DEFCON a couple times in the past, but I don’t anymore. I fly out Friday morning or early afternoon so I get home in time to spend the weekend with the family. Personally, three days in Vegas is plenty for me.

When it gets closer to BlackHat time, I’ll post my picks from the briefings schedule.

Gartner IT Security Summit - June 1-3, 2008 - Washington, DC.

Alright - call this an omnibus posting.

I had planned to do a better job of intra-day postings, but the schedule here is hectic and as anyone who knows me can attest, I really do work to get maximum value out of any conference that I go to.

Highlights here - much more detail available if anyone comments/emails me to ask.

Day 1
Opening Keynote - The next 10 years in IT Security - Rated: Good.
Keynote - Google’s Security - Rated: Excellent.
Keynote - SciFi Authors’ Future View of IT Security - Rated: Excellent.

“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Mediocre to Good.
Exhibition Floor - Rated: Good.
Food - Rated: Hotel Std. Bring Pepto
Product Highlight - Alcatel-Lucent OmniAccess 3500 Nonstop Laptop Guardian It’s a way to lojack your laptops - a device that stores your crypto keys, 2nd factor auth token, acts as your 3G WWAN, GPS enabled, has an on-board Linux which acts as the “IT department’ controlled/controllable machine. Main feature - remote kill the laptop you lost.

Day 2
Keynote - Security Architecture for the Next 10 years - Rated: Excellent
“F” Track - Gartner Analysts/Researchers speak on the topic of “The CISO” - Rated: Good to Better
Exhibition Floor - Rated: I don’t want to try to get that much shwag through airport security. SRSLY.
Food - Rated: I cannot wait for my kitchen. I cannot eat this much commercial grade food and stay healthy/alive. Amazing how even the fresh fruit is labelled “Hotel Froot”. It’s like an episode of the Simpsons.

Overall Review: I’ll probably come back - the issue of credibility in ensuring that I can quote someone that the business / IT folks respect rather than just my own opinion is a good thing, however, as a prominent (ha - take that Mike) security blogger, I’m a 4-5 on the CISO-CMM — and I’m surrounded by a whole lot of zeros and ones. Gartner is a good host, they take feedback seriously and are very interested in delivering some real value to people like me.

What needs to be fixed:

1. You may have noted that I’m not really chuffed by the food, and you’d be damn right. What is it with the “Conference Hotel/Venue” market that gives them such perfect 2 dimensional homogeneity of image and food? Fix the food.
2. Reorganize the environment such that I spend less time walking back and forth down this hallway.

3. Wifi… oh terrifying wifi. If there was a Wall of Sheep here, you couldn’t read it - it’d be scrolling too fast. Don’t you idiots have a freakin’ VPN?
4. BoF Sessions would be good — there’s not a whole lot of time in the schedule just to stir around and talk to people. There should be a number of areas that allow for free form communication amongst attendees. Have Gartner Analysts in and around those areas to spur conversations.
5. And lastly - Washington? WTF? Flying in to the DC area is practically a strip search. Conferencing is getting harder as the airline industry squeezes - and if I’ve got to fly, I want as little friction as possible.

It’s been a blast, but I need to pay attention and watch the countdown to my airport transfer at 1600.

Tags: Gartner, Gartner IT Security Summit, Alcatel-Lucent, OmniAccess 3500, Security Conferences

I realize I’ve been a total slacker on organizing these; we really need to figure out a regular schedule at some point.

We’ll be starting at Furio in Old Town Scottsdale for happy hour at 6 (we’ll probably head down early at 5), and possibly move someplace cheaper after happy hour ends.

As always, email me with any questions, and we hope to see you there. SunSec is an informal gathering of anyone with an interest in security. We hang our, drink beverages, and just generally socialize.

I realize I’ve been a total slacker on organizing these; we really need to figure out a regular schedule at some point.

We’ll be starting at Furio in Old Town Scottsdale for happy hour at 6 (we’ll probably head down early at 5), and possibly move someplace cheaper after happy hour ends.

As always, email me with any questions, and we hope to see you there. SunSec is an informal gathering of anyone with an interest in security. We hang our, drink beverages, and just generally socialize.

What a week - it’s like I’m swimming uphill both ways and it’s snowing. An extra large helping of news to make up for being late this morning. And hey - thanks to all of our new subscribers that joined us yesterday. Welcome!

Click here to subscribe to Liquidmatrix Security Digest!

And now, the news…

1. The Attack that made Kevin Rose Cry - Revision3
2. BBC NEWS | Science/Nature | Monkey’s brain controls robot arm Always mount a scratch monkey - seriously.
3. Will your mobile squeal to the police? | The Register Will your mobile find a horse head in it’s bed?
4. Download al Qaeda manuals from the DoJ, go to prison? | The Register Another pair of articles analyzing the somewhat chilling effect of doing research and finding yourself in jail… do we accept this as a society or not?
5. The New Order: When reading is a crime | The Register
6. Facebook mob trashes £4.4m Spanish villa | The Register Anyone else surprised that the girl didn’t claim it was hackers — and faintly reminiscent of the Craigslist “The contents of this house must go” issue.
7. Bletchley Park and the decay of the museum buildings Plcurecuernxf - fcraq n craal ba gur ravtzn naq fnir gur jbeyq sebz Uvgyre ntnva - be gur npnqrzvp trgf vg.
8. 22 French Hackers Arrested 22 SkriptKiddies singing the Jean Valjean lines from Les Miserables… the horror.
9. USA 2008 : Briefings Schedule All your briefs belong to Jeff Moss
10. Rands In Repose: We Travel in Tribes I’m sneaking this one in to see if you are paying attention - which Diamond Age phyle do you belong to?
11. State of the Internet It’s all about the metrics baby.
12. Red Curtain: An Unsung, Free Security Application Anyone willing to sing in the comments?
13. Computer trained to read minds Neo sez - BLUE PILL, take the frakkin blue one!
14. National Journal Magazine - Chinas Cyber-Militia Good catch Matt Franz - is this responsible journalism or just journalistic asshattery.
15. Did Hackers Cause the 2003 Northeast Blackout? Umm, No | Threat Level from Wired.com And 27/b6 weighs in on the issue… with maybe a little more journalistic integrity.

Tags: News, Daily Links, Security Blog, Information Security, Security News

For Immediate Release

The very first of the speaker slots for The Last HOPE have been announced with many more to come next week. We have had more submissions than ever and will need to add an additional track in order to accommodate the best of them. What follows are some of the highlights to date.

- Steven Levy, author of Hackers: Heroes of the American Revolution and chief technology writer and a senior editor for Newsweek.

- Adam Savage, co-host of the popular TV show Mythbusters and “a maker of things.”

- Kevin Mitnick, “the world’s most dangerous hacker” in the eyes of the government and mass media, imprisoned for over five years, and now a successful computer security consultant.

- Jello Biafra, a tradition at the HOPE conferences, former lead singer of The Dead Kennedys and one of America’s most interesting social activists.

- Steven Rambam, private eye extraordinaire, who can find out anything about anybody and has always been willing to share his knowledge of privacy with the hacker community. (The FBI prevented his 2006 talk from being given by swooping in and arresting him moments earlier. The case against him was later found to have no merit.)

These five speakers are only the tip of the iceberg. By the time the dust settles, we expect to have over 100 presentations in four tracks. While time is now quite short, if you feel you have an amazing talk idea or panel suggestion, you can still email us at speakers@hope.net. We will try and schedule as many good talks as we can cram into the weekend.

The Last HOPE will take place from July 18-20, 2008 at the Hotel Pennsylvania in New York City.

To preregister, visit http://store.2600.com/lasthope.html
To submit a speaker proposal, email speakers@hope.net
To become a vendor, email vendors@hope.net
To volunteer to help us run the conference, email volunteers@hope.net
To visit the official Last HOPE website, go to http://www.hope.net

Contact: HOPE Staff +1 631 751 2600
hope@hope.net

… and since I’m temporarily in charge — shwag is only available to those who recognize me.

Tags: the last hope, hacker conferences, 2600 magazine

Have you ever sat in a corporate training? Some are good, some are bad, but did you ever say, “man I can’t wait for training today.” What about mandatory training? What about mandatory training in a subject that you really don’t think is your area? What if you had to do it every year, and got harassed if you didn’t do it? What if you were, say, an audio engineer and were dragged into a security class?

I ran the SDL training program at Microsoft for a long time, and developed and taught a big chunk of the training. I spent hundreds of hours in front of thousands of developers, testers, and program managers. I got some really good reviews (and a few bad ones) on the classes I offered. And I tried to do a lot of things to try to make the trainings interesting. I handed out dozens of fresh peaches in an early class on fuzz testing, for example.  The room smelled really nice after that, and there are probably still a few people around Microsoft who think of fuzz testing when they see a peach.

But even on my best day, I was under no illusion that the majority of the audience was excited to be there, and I was certain that they weren’t going to go back to their offices and spend weeks applying the lessons from the class, setting aside other things that are causing present and immediate problems in favor of something that is far off into the future.

You have to work at getting people’s attention – especially as it relates to security and privacy. From time to time, I would see people reading their mail in class, and I would point to them and ask them a question. That did not endear me to the audience as much as the peaches, but embarrassment is always fresh and in season.  J

One student wrote of one of my classes, “the basics for secure design - could be replaced by non-anonymous site-wide exam with open material.”  He was not alone, I assure you.

Is that an indication that our training, or any training, is pointless? Hardly, but training alone is not a change agent.

Richard Derwent Cooke wrote,   “It is a first principle of Change Management that people will act in what they perceive as being their best interests.”

At best, training can provide people with insight into what they need to do to solve a security problem if they believe that solving that security problem is in their best interests.

To be effective, training needs to happen in an environment:

·         Where expectations are clearly set (the SDL sets specific minimum requirements).

·         People have appropriate incentives and consequences (security is a great career path at Microsoft, and nobody wants to be the one holding up a ship schedule for failure to meet a security requirement).

·         Where tools and resources to accomplish the goals are available (we build a whole variety of tools that map to the SDL requirements).

·         Where management models the behavior (recall the original BillG TWC memo).

·         Where the environment reflects and supports the values presented in the training (apparent in everything Microsoft does).

Don’t make the mistake of thinking that a bunch of training, even really high quality training done periodically, will result in actual behavior change. It won’t. You have to build an environment where people perceive solving security problems as being in their best interests. You have to make security their problem – not in the sense of passing the buck, but in the sense of changing their behavior so they will bring security problems to you.

To illustrate further, I’ll cite two examples. First, fuzz testing. Fuzz testing has been a success story here at Microsoft. Tools arise spontaneously to solve new fuzzing challenges, written by people who believe the challenges are their challenges. There are people who feel ownership for our fuzzing strategy and on-going research and science, there are specific goals and requirements, we have training (remember the peaches?), and internally developed fuzzers have won prestigious awards within the company, handed out by members of the executive staff, and all of this gets revisited periodically as part of the SDL.

 By contrast, I’ll choose a less successful area – defect estimation. On my own volition, I created (based mostly on some excellent material from Microsoft Research) and taught a class called “Defect Estimation and Management” and added it to the SDL curriculum. Microsoft is a great place to work in that regard. It was pretty close to the best-reviewed class I taught. But, we have not yet been able to establish a set of tools to estimate security defect density effectively, and establish a fair set of expectations, incentives, and consequences, or even  decide what we should do if we had the data. We discovered some things, though. For example, based on what I observed (which should not be construed as rigorous research), it does not appear as if the density of general defects correlates closely with the density of security defects.  And Microsoft Research found higher code coverage in testing correlates with higher bug rates in the field.

And so even though people like the idea of defect estimation, and we’ve got some interesting and surprising data, we’ve not yet been successful in changing people’s behavior.  Generally speaking, an individual test manager does not feel that establishing a high quality estimate of their defect density is in his or her best interests, as compared to, say, improving the time in which an established series of tests can be performed .  

We need to build an environment that has the tools, training, rewards and incentives, and expectations and consequences to change people’s behavior. Not that we’re not trying. But training won’t solve it alone, nor would tools, trophies, rants, testing, code review, or some edict from on high. The SDL is as much about changing the culture and influencing the behavior of individual engineers as it is anything else.

I’m convinced that Microsoft’s SDL process works because it addresses the end-to-end problem - from training through servicing, and provides a complete environment where people feel ownership of their part of the security problem and have the resources to solve it.

So the next time you find yourself sitting in some mandatory training, remember the lessons of the SDL (and most of the research on human performance management): training alone won’t cut it. If you want real behavior change, there have to be things outside the lecture room to influence people to change their behavior.