Silly-Yammerings

The myth of the expert

Something we preach very strongly in our training is the importance of an understanding of the underlying technology / application / issues, and being able to dig into the core of an issue, not just try a trick or two and move on. Sadly, most people don’t see it this way. It’s also somewhere between sad and frustrating for me that there seems to be an over-abundance of so-called “experts” in our field. While this isn’t an issue for those who have a deep understanding, the fact of the matter is that for many of our customers, their key competence is their respective industry, and not information security.

Medical Doctors.. bah! humbug..

I’ve ranted a few times about things I hate about the way we “do medicine”. (Doctors are not alone here.. I can’t believe that in an age where we operate on the eye with lasers and see production-ready nano-tech, we consider yanking teeth with a pair of pliers a reasonable option.) Recently I heard an interview with the head of MS Research where he spoke about some of the same things.. i.e. that 9/10 people are visiting the doctor for the same thing (that new strain of flu going around) and that we could help a lot of things with a simple “if you have a fever, a runny nose and red spots today, you have the latest X going around.. take 2 of X and get some rest”. This would handle the majority of the people walking in..

MTBF and Light Bulbs..

Some of you will know that I finally moved out of the shoe box I lived in for 6 years and moved into a house (about 3 months ago). Since then I have replaced 3 different light bulbs at different places in the house.. Now this made me start thinking.. Surely when the house was new, they fitted all the bulbs as brand new.. Now some sections of the house light a series of 4 or 6 bulbs at once.. yet there appears to be no link at all between “sibling” bulbs and their life-span..

2 Unrelated thoughts.. on Echelon and the recent Skype Outage..

I suspect somewhere there exist cardinal rules of blogging which would state that using a single post to make 2 completely unrelated posts is a no-no.. I will now promptly ignore it to push out 2 random thoughts that came up.. Echelon and Echelon spam.. While watching the Bourne Ultimatum the other night the usual “Echelon”-esque scene played out.. Guy on phone says keyword.. pan to NSA/CIA type building.. computer drone type person screams something like “we have a hot one”..

mh.blackhatFeedback(Side-jacking, Hamster)

Ok.. so it’s a lot later than I promised, but I did mention that I would post some feedback on some of the talks I ended up catching at this year’s BlackHat. By far the talk that grabbed the most press was the Erratasec talk on Side-Jacking. Essentially the researchers demonstrated a tool (hamster) that allows an attacker on a shared network (wifi was used as an example, but I guess any shared medium would suffice) to hijack users’ accounts by sniffing their session-ids.

On hacking and politics

I meant to blog this whilst I was still in Vegas, but only got around to it now. It’s arb, but worth a bit of thinking… Kenneth Geers’ talk titled ‘Greetz from Room 101’ was on which countries have the Top Ten most Orwellian computer networks. In his précis he asks “Could a cyber attack lead to a real-life government overthrow?” I find these kinds of discussions really interesting, because of the significant role that information technology plays in today’s wars on crime and ‘terror’. In such “wars” the lines between right and wrong are very loosely defined. As we saw clearly in South Africa, today’s terrorist is tomorrow’s freedom fighter. Thus, a technology that could be used to fight terror today could just as easily be used to oppress freedom tomorrow. Technology will serve any master.

Have a (one) care sir….

Someone in the office was discussing Microsoft’s recent horrible foray into the anti-virus market. Apparently an online source held OneCare as faring worse than a simple man with a perl script. A quick scan shows that they have indeed fared pretty poorly in independent tests: “(BBC News) OneCare was the only failure among 17 anti-virus programs tested by the AV Comparatives organisation.” Now the obvious question was: How could Microsoft possibly get it so wrong? (Cue the drum roll, bring out your tin foil hats)

In Defense of Testing Pens… (aka how to keep your soul while being a pen-tester)

A short while back, a discussion broke out on a mailing list about the nature of being a pen-tester. The discussion quickly gravitated towards the number of “security” companies where the number of projects far outweighs the interestingness of projects, leading rapidly to a cookie-cutter mentality to pen-test engagements.. Of course if you have spent any time in the industry, you already know this to be true.. the obvious danger with this is that you have a lot of unhappy pen-testers giving shoddy output to (eventually) very unhappy customers. Sadly this soon follows the well published “market for lemons” problem where eventually, due to information asymmetry, bad products will soon push out good ones.. i.e. because it’s hard for customers to tell the difference between good pen-tests and lame pen-tests, eventually the market price drops towards low grade pen-tests (since the customer is paying for what they expect) and at the low prices, good pen-test teams will close shop and move on to other lines of work..

and then there was one….

First IBM announced their interest in Watchfire, and now HP announces their interest in SPI Dynamics. “Consolidation in the industry” is one of those horrible phrases that are always bandied about because it makes people seem analytical and forecasty, but I think it’s pretty clear that there are stirrings in buyout land right now.. I guess it bodes well for WhiteHatSec and similar folks.. they surely have to be on the radar.. Talking of buyouts, it’s always been strange for me that CORE have managed to go by as long as they have without being purchased. Their technical roots being in Argentina might have explained it for a little while, but a whole bunch of years later.. I don’t get it.. (Having said that, I must add the caveat that I am talking completely through my ear since I’m pretty sure they would have been approached often enough and could simply have been rejecting offers waiting for the right match..)

Shuttleworth comments on Microsoft/Ubuntu deal rumours

Mark Shuttleworth on his blog makes it clear -snip- “We have declined to discuss any agreement with Microsoft under the threat of unspecified patent infringements.” … I have no objections to working with Microsoft in ways that further the cause of free software, and I don’t rule out any collaboration with them, in the event that they adopt a position of constructive engagement with the free software community. … All the deals announced so far strike me as “trinkets in exchange for air kisses”. Mua mua. No thanks. -snip-