Wednesday, November 30, 2005
Tuesday, November 29, 2005
Sunday, November 27, 2005
Would someone in Denver please ring up Tom and tell him the problems with his logic? Stuff like:
- iPods are not x86 or Windows-based. Ask him to name one ARM or MIPS based virus that's capable of self-replication.
- Podcasts are normally delivered from static, one-way sources. For a podcast to become infected, it (theoretically) would require malicious action on the part of the podcast author. There's no two-way data feeds involved.
- RSS feeds are not like e-mail. They don't mysteriously show up on your iTunes list. You have to subscribe to them. In other words, there's a certain amount of reputation and trust involved with podcast sources.
In short, there are too many things missing from the environment that would support malicious code. "It ain't gonna happen." Instead, Mr. Martino should be ranting about virus scanners for our cars. There are models out there that run versions of MS Windows.
In a recent discussion, I took the stance that "risk = threat X vulnerability X asset replacement cost" is not a good formula for sound business decisions.
I will admit to having "poked fun" at their belief that the above is a "security formula". It isn't. It's a business formula, used to decide how much money is safe to throw at a department with no ROI.
I took the stance that the formula is usually a rationalization used to support a business decision that's already been made. That the formula comes from a "recognized" organization of security "professionals", makes it that much more of a problem. My argument follows...
Let's get "threat" and "vulnerability" out of the way. Both are binary in nature or, at least, that was the original intent. You either have the vulnerability or you don't. If you have the vulnerability, it's either exposed or it isn't. The formula becomes "risk = (1 or 0) X (1 or 0) X asset replacement cost".
You can state that "threat" and "vulnerability" are quantitative values ("1" or "0") unless you attempt to put a "degree" on it. If the terms "degree" or "percentage" are applied to either value, that value becomes subjective and I no longer have to argue the point. Unfortunately, you'll usually hear "degree of exposure" or threat described as a percentage (i.e., "how much of a threat is it?").
The real trouble lies within "asset replacement cost". It's an oversimplification and a subjective value hiding behind a number. (i.e., it isn't quantitative!) Don't think so? Try this:
- The basic "asset replacement cost" works best with a standalone system. If it's connected to any other asset, networked or not, the value quickly becomes a WAG (nice version: Wild Assumed Guess) (not-so-nice: drop "um" from the middle word and add a hyphen between the first two words).
- The basic "asset replacement cost" works best with a dedicated system. In other words, it's not used for anything else. If the system is used for any additional function, "asset value" gets complicated and other systems may be dragged into the equation. If the equation is artificially limited to the system under discussion, the value loses its integrity.
- "Asset replacement cost" is only valid when applied to hardware or programs. It fails horribly when applied to data. Normal business types will attempt to say that data replacement cost is nil ("we have a backup, don't we?"). I've yet to see any organization, outside of federal, that will attempt to actually recover "lost" data. Oh, and a lawsuit does not meet the definition of "recovery". At best, an organization might take into account penalties for lack of due care and/or due diligence.
The end result is that the formula usually ends up being "risk = estimate X guess X stubbornly narrow error", losing its security "value" entirely and becoming a rationalization for a business action that might not improve security at all.
In any case, I enjoyed the argument, though it would have been better demonstrated if a white-board was involved. I also won't deny that I enjoyed tormenting two people who actually needed it. Many people who obtain certifications often "stop" once they get them. If a person stops thinking about (and practicing) security, the certification becomes little more than a badge to hang on the wall.
Saturday, November 26, 2005
Friday, November 25, 2005
Thursday, November 24, 2005
However, I could have gone without the marketing approach that the Redmond Dog & Pony Show used. They seem to have taken a page from the Presidential Race strategy guide, where you say little about what you can do and verbally deride all of your competitors.
The part that struck me as a bit odd was about interoperability, a point which they stress repeatedly when talking about the Office 12 product. It's taken me almost a month, but I think that I've finally figured out what they meant by the term: they're not talking about platform interoperability, they're talking about interoperability between Office 12 products! [*sarcasm on*] Now there's something new. [*sarcasm off*]
Just call me "slow" this month.
Microsoft almost "gets it". They've said that they're going to allow others to "use" their document format via a free license. The only restriction appears to be "with attribution to Microsoft". What "attribution" means may be a sticky point in the future. I need to find a copy of the EULA and license agreements they're using.
Update: Is this a case of schizophrenia? How can something be patented and open source at the same time? Seems that the open source format has been submitted for patent in certain countries... This will be interesting to watch as it unfolds.
Wednesday, November 23, 2005
Tuesday, November 22, 2005
issue of "The Sleuth Kit Informer" (http://www.sleuthkit.org/informer/sleuthkit-informer-21.html), a newsletter he writes in conjunction with the Sleuth Kit. This issue talks about the new license for the Sleuth Kit and about changes to the ils tool.
Monday, November 21, 2005
Measurement: Extracting Insight from Spurious Traffic for
whatever award you'd give for using-evil-for-good ideas. The paper
discusses the shortcomings in current network visibility techniques and
suggests extracting data from the noise generated by infections, spam,
and denial of service attacks.
Sunday, November 20, 2005
It's what amplifies the effects of malicious code to the point where it
can have devastating effects.
Here is another
paper from last year's WORM, this one describing a method called
synthetic diversity as a method for combating malicious code.
interesting read but I disagree with most of it for a number of
- Synthetic diversity within a program can only go so far. While the techniques may reduce the number of attack points within a program, it won't remove them entirely. Add millions of users to that situation and diversity within a program that does the same function, time after time, becomes a bit shallow.
- As always, adding complexity isn't a good response to lessen vulnerabilities. The KISS principle is better.
- Diversity can only be provided via a small number of methods. It wouldn't take long for the "bad guys" to adapt. Even if more methods were developed, it would lead to an already familiar type of arms race.
Anyone care to argue for or
Saturday, November 19, 2005
Friday, November 18, 2005
The good news is that I did find some new security and tech-related casts to listen to (for a list, see my Bloglines subscriptions link at the top of this page).
Thursday, November 17, 2005
Wednesday, November 16, 2005
Tuesday, November 15, 2005
Monday, November 14, 2005
Sunday, November 13, 2005
Nothing joke". The joke has been stretched
so far that when it does fail, Nothing will be funny.
sacred. According to the theory of relativity: Nothing travels faster
than light, Nothing existed before the Big Bang and Nothing can have
negative mass. In the real world, Nothing is perfectly symmetrical and,
for most of the time, Nothing changes.
When you're sick: Nothing
tastes good, Nothing is interesting and Nothing really matters. Then
again, Nothing is better than sleep to help you get better.
A lot of
parents end up sending their kids to college to learn Nothing. Many of
those students think that Nothing is harder to learn than Calculus. If
those students learn Nothing, their parents tell them that they're good
That's about it for the puns. (I'm hiding Nothing.)
Please contribute Nothing to further the joke.
SCO: you started this!
and roughly nine weeks until ShmooCon. I have more shopping done for
the latter than for the former.
(If you're married, ignore the rest
of this. You already know the futility of the thought(s).) How can
it be my fault though? She still hasn't filled out her wish list!
Saturday, November 12, 2005
Friday, November 11, 2005
think that I'm anti-MS: it's the marketing aspect that I like to poke
fun at, not the tech.
Example: the ongoing OpenDocument bickering.
The marketing department would like you to think that Massachusetts is
going to require Linux and OpenOffice. I doubt anyone who reads this
blog is confused but just in case, THEY'RE NOT THE SAME!!
OpenDocument is a document format, not a program. MS Office
could save files in OpenDocument format with no more difficulty than
saving in .RTF or .TXT formats. If MS doesn't adopt the format, we'll probably see it as a third party plug-in.
So what's the controversy? Why the
smoke and mirrors from Redmond? How about the "free
flow of data in and out"? With the OpenDocument format, MS no
longer owns any part of your documents, rather than the current
proprietary format where they own the font, the metadata format, and the file storage format.
MS's risk in adopting the OpenDocument format?
Loss of user "lock in" (many companies initially adopt MS Office because
it's considered the "industry standard"), loss of font "lock in" (many
fonts are proprietary to MS Office), loss of feature "lock in" (a common
format is just that: common, and people will come to prefer
interoperability over proprietary features)(will anyone miss fighting
I've had to explain this issue multiple times
this week. Hopefully those in the State Government can recognize the
difference. Unfortunately, it's entirely possible that one or more of
those people can be hired to influence the rest.
Update: Here's yet another view and reason for "the stink".
Thursday, November 10, 2005
Wednesday, November 9, 2005
Tuesday, November 8, 2005
other 49 states but Virginia has lived through a very nasty election
campaign for Governor. Nothing but negative ads during prime time. I
swear, if the independent had bought one commercial last night and did one
"clean" commercial, he'd probably be Governor Elect tomorrow.
Monday, November 7, 2005
Sunday, November 6, 2005
Einstein quotes that I'm enamoured of:
- Any intelligent fool
can make things bigger and more complex... It takes a touch of genius -
and a lot of courage to move in the opposite
- Anyone who has never made a mistake has never
tried anything new.
- Problems cannot be solved by the same
level of thinking that created them.
Saturday, November 5, 2005
Hey Cox! WTF?
Friday, November 4, 2005
Thursday, November 3, 2005
I contributed by providing a little bit of content and a whole lot of argument. (My name is on page 6!) Those that know me want the subtitle "Loudly & At-Length: Yet More Evidence That Tim (err.. joat) Likes to Argue"
Wednesday, November 2, 2005
Tuesday, November 1, 2005
I still have some of the scripts laying around here. If anyone wants 'em, let me know. The majority of them are just wrappers for the tools named above, most of 'em aren't pretty.