Grab the Popcorn: It's the First 2008 "Ethical Security Marketing" (Oxymoron) Dust-Up...

Robert Hansen (RSnake / ha.ckers.org / SecTheory) created a little challenge (pun intended) a couple of days ago titled "The Diminutive XSS worm replication contest":

The diminutive XSS worm replication contest is a week long contest to get some good samples of the smallest amount of code necessary for XSS worm propagation. I’m not interested in payloads for this contest, but rather, the actual methods of propagation themselves. We’ve seen the live worm code and all of it is muddied by obfuscation, individual site issues, and the payload itself. I’d rather think cleanly about the most efficient method for propagation where every character matters.

Kurt Wismer (anti-virus rants blog) thinks this is a lousy idea:

yes, folks... robert hansen (aka rsnake), the founder and ceo of sectheory, felt it would be a good idea to hold a contest to see who could create the smallest xss worm... ok, so there's no money changing hands this time, but that doesn't mean the winner isn't getting rewarded - there are absolutely rewards to be had for the winner of a contest like this and that's a big problem because lots of people want rewards and this kind of contest will make people think about and create xss worms when they wouldn't have before...

Here's where Kurt diverges from simply highlighting nominal arguments of the potential for misuse of the contest derivatives.  He suggests that RSnake is being unethical and is encouraging this contest not for academic purposes, but rather to reap personal gain from it:

would you trust your security to a person who makes or made malware? how about a person or company that intentionally motivates others to do so? why do you suppose the anti-virus industry works so hard to fight the conspiracy theories that suggest they are the cause of the viruses? at the very least mr. hansen is playing fast and loose with the publics trust and ultimately harming security in the process, but there's a more insidious angle too...

while the worms he's soliciting from others are supposed to be merely proof of concept, the fact of the matter is that proof of concept worms can still cause problems (the recent orkut worm was a proof of concept)... moreover, although the winner of the contest doesn't get any money, at the end of the day there will almost certainly be a windfall for mr. hansen - after all, what do you suppose happens when you're one of the few experts on some relatively obscure type of threat and that threat is artificially made more popular? well, demand for your services goes up of course... this is precisely the type of shady marketing model i described before where the people who stand to gain the most out of a problem becoming worse directly contribute to that problem becoming worse... it made greg hoglund and jamie butler household names in security circles, and it made john mcafee (pariah though he may be) a millionaire...

I think the following exchange in the comments section of the contest forum offers an interesting position from RSnake's perspective:                   

Re: Diminutive XSS Worm Replication Contest

            

Posted by: Gareth Heyes (IP Logged)

      

Date: January 04, 2008 04:56PM

      

@rsnake

This contest is just asking for trouble :)

Are there any legal issues for creating such a worm in the uk?

------------------------------------------------------------------------------------------------------------

 

Re: Diminutive XSS Worm Replication Contest

 

            

Posted by: rsnake (IP Logged)

      

Date: January 04, 2008 05:11PM

      

@Gareth Heyes - perhaps, but trouble is my middle name. So is danger. Actually I have like 40 middle names it turns out. ;) No, I'm not worried, this is academic - it won't work anywhere without modification of variables, and has no payload. The goal is to understand worm propagation and get to the underlying important pieces of code.

I'm not in the UK and am not a lawyer so I can't comment on the laws. I'm not suggesting anyone should try to weaponize the code (they could already do that with the existing worm code if they wanted anyway).

So, we've got Wismer's perspective and (indirectly) RSnake's. 

What's yours?  Do you think holding a contest to build a POC for a worm a good idea?  Do the benefits of research and understanding the potential attacks so one can defend against them outweigh the potential for malicious use?  Do you think there are, or will be, legal ramifications from these sorts of activities?

/Hoff

Really Interesting Blog Snippets I Don't Have Time to Comment On...

I'm swamped right now and have about 30 tabs open in Mozilla referencing things I expected to blog about but simply haven't had the time to.  Rather than bloat Mozilla's memory consumption further and lose these, I figured I'd jot them down.

Yes, I should use any number of the services available to track these sorts of things for this very purpose, but I'm just old fashioned, I guess...

Perhaps you'll find these snippets interesting, also.

• Princeton University Center for Information Technology Policy: Computing In the Cloud Workshop - I really want to go to this
• Ten Virtualization Vendors to watch in 2008 - Management & Security top the list
• Google as predicted in 1964 - Cool!
• Forrester lays out 10 reasons why IT shouldn't support the iPhone - Get over yourself, it'll happen anyway.
• How to manage your multivendor firewalls like a pro - This is a nasty problem in large enterprises.
• Unix admin tries to axe California power grid - Forget SCADA attacks, we need dual authentication for the EPO button!
• Is Google your next hosted security partner? - Don't say I didn't tell you so...
• Scott Berinato's top 10 data breaches of 2007 - Hurry, there's still time for more!
• Virtual machine sprawl will challenge IT management skills - Um ,yup.
• Stiennon's 2008 Predictions are so right, they happen in 2007. That's all I'm gonna say about that.
• Anton's excited about Ranum's rants on stuff we've been arguing about for 10 years - Arguing about stateful inspection is so last decade.
• DIY "secure virtual machine network in a box" - Holy crap.  The end of the world is nigh!
• Measuring the return on IT Security Investments - Intel does a lovely job with this.  Hat tip to Lindstrom.
• Information security strategies fail to meet corporate needs - Ernst & Young survey
• NSA's Central Security Service: Security Configuration Guides - Good resource for config. baselines.
• No browser for you today! - Pixar's "extreme" security policies
• Mobile & Wireless: 2007's biggest emerging technology disappointments - Sigh.
• Data Centrism, De-Perimeterization, and fanatacism - Didn't we cover this already?
• Jericho still speaking in Tongues - ...I guess not!
• You can't buy "just a firewall" anymore - Don't look now, it's UTM!
• Charlie Giancarlo resigns from Cisco - Buy stock in wherever he goes!
• Orkut XSS Worm - If Stiennon can do it, so can I!  Told ya so...
• Backdoors in software distribution points - The Chris' from Veracode tell us why MD5 ain't your friend
• 8 Bold predictions on Google's next moves - Good read; some I've blogged about.
• Security's Top 5 priorities - More technology...that's the problem.
• Common Criteria = Safe? - Eric Bidstrup's very good read

Sadly I may not get around to blogging about many of these.  I've got a ton more from the emerging technology, VC and virtualization space, too. 

I don't want to become another story summarizer, but perhaps I'll use this format to cover things I can't get to every week.

/Hoff

First Tibet and Now Me...The Great Firewall of China Claims Another Victim.

Thanks to Mr. Stiennon, it seems that I have been labeled a threat to the People's Party and access to this, my seditious and politically undermining little pile in cyberspace has been, gasp!, blocked by the eeeeeviill Chinese Firewall of Disinformation.  Well, that sucks.

I have to say that Richard really did me a favor by posting this.

Firstly, it reminded me that despite my many travels, I've become quite an American-centric little drone without much of an appreciation for the hardships experienced by those in many other countries as it relates to censorship and net neutrality.  We take a lot of things for granted over here and in many cases Americans seem to wield the hammer of nationalism a little to heavily, even if inadvertently.

I was reminded of this by a high-ranking member of a British Telecoms company recently when, despite all attempts to rectify my ill-timed transgressions, he suggested that my sense of humor needed a much better cultural filter applied to it should I not wish to piss people off with my "Americanism."  Ouch.  I find it odd typing this because I'm somewhat culturally conflicted because whilst I was born in the U.S. and love it dearly, I moved to New Zealand and grew up there for most of my early life.

It made me think, so I really do owe you both a renewed apology and a thanks, Ray. 

Secondly, I would really like to be able to use something like Google to compare natively a search using any one of their engines to determine where, what and how searches and click-throughs are allowed or blocked in the countries they serve.  I reckon that as we get closer to GooglePOPs around the world, this ought to be plausible.

At any rate, back to the post at hand.  I quoteth Richard:

On my recent travels in China I had an opportunity to experience first hand China’s so called “Golden Wall”. In each hotel I would try to get to several sites.  For some reason  this security blog is censored throughout China. How does that make you feel Mr. Hoff? And a Google search on “Tibet” will have the usual results but you cannot click through to any of the links on the first page of results. I did not search on Falun Gong for fear of really setting off the alarms and reprisals. Next time I think I will set up GoToMyPC at home and use it as a poor man’s proxy.

To answer Richard's question directly, I guess I'm flattered on two fronts; firstly that Richard bothered to try to get to my blog while surfing in China (bored much?) and secondly that some government other than my own considers me a threat to their sovereignty.

I could, of course, rant tirelessly about my opposition to widespread and targeted filtering of information and the impact on privacy, etc., but there are far more qualified people than I to do so.  At a much more basal level, I think it sucks, because now nobody in China will be able to follow along as Richard and I smack each other. ;(

In protest, no more General Tsao's chicken for me.

{Posted @ 2:30am after I just got back from Blackhat/Defcon with no luggage.  Apologies for any perceived lack of sensitivity for the greater global political issue of censorship here, but I want my toothbrush back from United Airlines and it's clouding my judgment}

/Hoff

San Francisco is DOWN: The Fragility of Web 2.0 Ecosystem - Common Sense Must Not Have Made the Feature List

I was just leaving the office for a client dinner last night when I noticed I couldn't get to my TypePad blog, but I chalked it up to a "normal" Internet experience.   

When I fired up Firefox this morning (too much wine last night to care) I was surprised to say the least.

I am just awestruck by the fact that yesterday's PG&E  power outage in San Francisco took down some of the most popular social networking and blogging sites on the planet.  Typepad (and associated services,) Craigslist, Technorati, NetFlix etc...all DOWN. (see bottom of post for a most interesting potential cause.)

I'm sure there were some very puzzled, distraught and disconnected people yesterday.  No blogging, no secondlife, no on-line video rentals.  Oh, the humanity!

I am, however, very happy for all of the people who were able to commiserate with one another as they apparently share the same gene that renders them ill-prepared for what is one of the most common outage causalities on the planet: power outages.

Here's what the TypePad status update said this morning:

Update: commenting is again available on TypePad blogs; thank you for your patience.  We are continuing to monitor the service closely.

TypePad blogs experienced some downtime this afternoon due to a power outage in San Francisco, and we wanted to provide you with the basic information we have so far:

• The outage began around 1:50 pm Pacific Daylight Time
• TypePad blogs and the TypePad application were affected, as well as LiveJournal, Vox and other Six Apart-hosted services
• No data has been lost from blogs.  We have restored access to blogs as well as access to the TypePad application. There may be some remaining issues for readers leaving comments on blogs; we are aware of this and are working as quickly as possible to resolve the issue. (See update above.)
• TypePad members with appropriate opt-in settings should have received an email from us this afternoon about the outage.  We will send another email to members when the service has been fully restored.
• We will also be posting more details about today's outage to Everything TypePad.

We are truly sorry for the frustration and inconvenience that you've experienced, and will provide as much additional information as possible as soon as we have it. We also appreciate the commiseration from the teams at many of the other sites that were affected, such as Craigslist, Technorati, Yelp, hi5 and several others.

I don't understand how the folks responsible for service delivery of these sites, given the availability and affordability of technology and hosting capability on-demand, don't have BCP/DR sites or load-balanced distributed data centers to absorb a hit like this.   The management team of Sixapart has experience in companies that understand that the network and connectivity represent the lifeblood of their existence; what the hell happened here in that there's no contingency for power outages?

Surely I'm missing something here.

Craigslist and Technorati are services I don't pay for, so one might suggest taking the service disruption with a grain of SLA salt (or not, because it still doesn't excuse not preparing for issues like this with contingencies)  but TypePad is something I *pay* for.  Even my little hosting company that houses my personal email and website has a clue.  I'm glad I'm not a Netflix customer, either.  At least I can walk down to Blockbuster...

Yes, I'm being harsh, but I there's no excuse for this sort of thing in today's  Internet-based economy.  It affects too many people and services but really does show the absolute fragility of our Internet-tethered society.

Common sense obviously didn't make the feature list on the latest production roll.  Somebody other than me ought to be pissed off about this.  Maybe when Data Center 3.0 is ready to roll, we won't have to worry about this any longer ;)

/Hoff

Interestingly, one of the other stories of affected sites relayed the woes of 365 Main, a colocation company, whose generators failed to start when the outage occurred.  I met the the CEO of 365 Main when he presented at the InterOp data center summit on the topic of flywheel UPS systems which are designed to absorb the gap between failure detection and GenStart.  This didn't seem to work as planned, either. 

You can read all about this interesting story here.  This was problematic because the company had just issued a press release about a customer's 2-year uninterrupted service the same day ;)

Valleywag reported that the cause of the failure @ 365 Main was due to a drunk employee who went berserk! This seemed a little odd when I read it, but check out how the reporter from Valleywag is now eating some very nasty Crow ... his source was completely bogus!

Security RROI (Reduction of Risk on Investment)

The security blogosphere sure is exciting these days.  I can't decide whether to tune into the iPhone junkie wars, the InfoSec Sellout soap opera or the Security ROI cage match!

I'm going to pick the latter because quite honestly, the other two are about as inflated as Bea Arthur's girdle...

(edit: link added for Cutaway whose predilection towards Bea Arthur and her undergarments are disturbing at best...) Warning...May Cause Chaffing...)

Unless you've been under a rock (or actually, gasp!, working) you've no doubt seen Rich Bejtlich's little gem titled "No ROI?  No Problem" that re-kindled all sorts of emotive back and forth debating the existence of Security ROI.

It was revisited by Rich here and then here...and then picked up by Lindstrom, Hutton, Cutaway and the rest of the risk management cognoscenti.  All good stuff.

It seems that the unofficial scoring has the majority of contributors to the debate suggesting that Security ROI does not exist...sort of.  The qualification of the word "return" really seems to be the important lynchpin here as contribution (margin, profit, etc.) versus cost avoidance really is what sends people off the deep end.

It appears that if we define 'return' to suggest that what you get back is a way of avoiding shelling out money, then indeed, one may quantify a return on the investment made.

Fine.  I'm good with that.  To a point.

However, I've never used ROI in any metric I've produced.  NPV?  Nope.  ROSI?  Nuh-uh.

What I have chosen to use is RROI -- the reduction of risk on investment.  HA!  Another term.

Basically, I've used various combinations of metrics and measurements to quantify data points and answer the question:

"If I invest in some element of my security program (people, process, technology) -- or after I have invested in it -- am I more secure than I was before and how much more?  Furthermore, how should I manage my investment portfolio to give me the best reduction of risk?"

One doesn't hire security guards because of an expectation that this action will cause one to be more profitable; it's a cost of doing business that allows one to asses the risk based on impact and decide how, if at all, one could or should invest in security to defray the impact and cost associated with the event(s) one is trying to mitigate.

Ah yes, the old "why would you spend $1000 to protect a $10 asset?" question.  Can you answer this question for every security investment you make?

I'd say that I've always been able to communicate what the "return" (see above) would be on investments made and done so in a manner that has always seen my security budgets grow when necessary and trim when warranted.  The transparency I strive to produce is communicated in business terms that anyone who can understand basic math and business logic can process.  Maybe I'm just lucky. 

I'm not saying I have the problem licked or that I found the holy grail, but the problem just doesn't seem to be as daunting as some would have you believe.  Start small, be rational and build and manage your portfolio accordingly.

So, how many of you have risk dashboards that can, in near-time, communicate where you invest, why and how this maps to the business and helps you most effectively manage risk per dollar spent?  This is what's really important.

I'm just wondering that instead of trying to globally force-feed a definition across a contentious landscape of religion and philosophy, perhaps we could spend the time arguing less about terms and more about solving problems.  Ask the business how they want to see your security value communicated and go from there.  If they want ROI, then fine...define the "R" appropriately and move on.

I'm going to "return" to work now... ;)

/Hoff

None of you Bastadges Use Trackbacks Anymore!?

A personal plea...

I spend a decent amount of time trying to engage folks in discussion.  I blog and expect that there will be those who agree and those who disagree with my comments.  I am truly interested in seeing both perspectives in your responses.

In order to do that, however, I have to know that you've written something in response.  Unless you leave a comment I can't tell that, especially if you've authored a response on your blog and don't leave a trackback.

Really, how hard is that, exactly?

I do that with every post I reference.  Can I ask you a favor and do the same for me?

Your opinion counts.  Make it so, please.

/Hoff

Did I hurt your feelings? I'm OK, You're OK...

In the NY times this morning, I read an article titled "A Call for Manners in the World of Nasty Blogs" wherein the author posits whether it's "...too late to bring civility to the Web?"  I found it online here.

Pairing this article with various allusions and outright claims that I've been less than "civil" lately in the manner in which I publicly interact with other security "professionals," especially when they let their butt hang out, I paused for a moment to contemplate the article and the underlying message it sought to communicate.

I further contemplated messages from fellow bloggers who want to encourage meaningful, supportive and positive dialogue within our community instead of provoking or otherwise poking those with whom we disagree.  I took this to heart and thought long and hard about this.

No, really.  I did.

I realized several things, denied about 6 others, and thought diligently about seeking therapy regarding my unhealthy obsession with gym socks and pickled herring.

I concluded a couple of things:

1. The Internet is indeed a "...prickly and unpleasant place."  There's www.kittenwar.com where the vile mediator of all things cuddly and feline suggests "May the Cutest Kitten Win!" but I'm not sure that really counts.

 

2. There are two types of people in the world.  Those that blog and read blogs and those that visit www.kittenwar.com.

 

3. "Recent outbreaks of antagonism..." describes my encounters daily with my local Starbucks Barista.  Posting my opinion wherein someone lets their butt hang out is reasonable, warranted, sometimes juvenile and above all, fun.

 

4. The community that is the Internet is self-policing.  We kick ass when we need to and let the whole unregulated bunch ramble on as due course.  Sometimes people throw their toys out of the pram, but that happens in grade school -- the Internet's no different.

 

5. Mr. O'Reilly and Mr. Wales should stick to allowing and ensuring the freedom of speech, not refereeing it.   I didn't vote for them.  Did you?

 

6. If, as Siskel and Eibert above get their way, I'll have to rate my blog indicating "the principles...and what kind of behavior and dialogue [my blog will] will engage in.  I liken that to the L.A. County Dept. of Health certifications on restaurants...while you certainly have a CHOICE not to eat at a restaurant with a 'D' rating, you'd miss every fantastic Vietnamese Pho restaurant this side of Delaware just because of a little E-Coli.  Likewise, with this rating system, you'd miss all the best blogs out there!

 

7. Turn off anonymous blogging or weed through the posts.  Nobody said blogs were themselves administered as a democracy.  You don't like it, delete it.  That's an instantiation of free speech, too...mine.

 

8. Last time I looked, nobody tapes peoples eye's open and makes them read my blog.  There is that group of folks in Gitmo, but they swear it's just mild hazing.

 

9. It occurs to me that what seems to be at issue here is actually ANONYMOUS blogging.  Fine.  Turn the feature off.  Require registration and then  folks can face those that annoy them.
   

    

10. Civility is not the same thing as criminality or vulgarity, just to clear that up.

Just to be clear, the reaction by Mr's. Wales and O'Reilly that were flamed by recent events are understandable, and the utter lunacy and despicable nature of the threats and taunts that Kathy Sierra endured are unconscionable.  Nobody deserves that sort of harassment when lines are crossed and physical violence is threatened.

Look, O'Reilly's "Blogger Code of Conduct" isn't all that bad, and quite honestly I abide by most of the "code" as a function of being a reasonable human being and a rational contributor.  Those items highlighted I find relevant, the rest, not so much:

• We take responsibility for our own words and for the comments we allow on our blog.
• We won't say anything online that we wouldn't say in person.
• We connect privately before we respond publicly.
• When we believe someone is unfairly attacking another, we take action.
• We do not allow anonymous comments.
• We ignore the trolls.

That said, whether "free speech is enhanced by civility" or not is irrelevant.  Free means unencumbered to me. In fact, here's the Wikipedia definition of "Free Speech":

Freedom of speech is the concept of the inherent human right to voice one's opinion publicly without fear of censorship or punishment. The right is enshrined in the United Nations Universal Declaration of Human Rights and is granted formal recognition by the laws of most nations. Nonetheless the degree to which the right is upheld in practice varies greatly from one nation to another.

In many nations, particularly those with relatively authoritarian forms of government, overt government censorship is enforced. Censorship has also been claimed to occur in other forms (see propaganda model) and there are different approaches to issues such as hate speech, obscenity, and defamation laws even in countries seen as liberal democracies.

I'd like it very much if we can just leave the "community" to self-police itself and not infringe on my ability to write what I like, when I like it about whomsoever I like to write about. 

That's just my uncivil opinion.

[Ed. I found Tristan Louis' dissection of O'Reilly's draft "Blogger's Code of Conduct" quite interesting.]

/Hoff

It's a sNACdown! Cage Match between Captain Obvious and Me, El Rational.

CAUTION:  I use the words "Nostradramatic prescience" in this blog posting.  Anyone easily offended by such poetic buggery should stop reading now.  You have been forewarned.

That's it.  I've had it.  I've taken some semi-humorous jabs at Mr. Stiennon before, but my contempt for what is just self-serving PFD (Pure F'ing Dribble) has hit an all time high.  This is, an out-and-out, smackdown.  I make no bones about it.

Richard is at it again.  It seems that stating the obvious and taking credit for it has become an art form. 

Richard expects to be congratulated for his prophetic statements that are basically a told-you-so to any monkey dumb enough to rely only on Network Admission Control (see below) as his/her only security defense.  Furthermore, he has the gaul to suggest that by obfuscating the bulk of the arguments made to the contradiction of his point, he wins by default and he's owed some sort of ass-kissing:

And for my fellow bloggers who I rarely call out using my own blog: are you ready to retract your "founded on quicksand" statements and admit that you were wrong and Stiennon was right once again?  :-)

Firstly, there's a REASON you "rarely call out" other people on your blog, Richard. It has something to do with a lack of frequency of actually being right, or more importantly others being wrong.  

I mean the rest of us poor ig'nant blogger folk just cower in the shadows of your earth-shattering predictions for 2007: Cybercrime is on the rise, identify theft is a terrible problem, attacks against financial services companies will increase and folks will upload illegal videos to YouTube. 

I'm sure the throngs of those who rise up against Captain Obvious are already sending their apology Hallmarks.  I'll make sure to pre-send those congratulatory balloons now so I can save on shipping, eh?

Secondly, suggesting that others are wrong when you only present 1/10th of the debate is like watching two monkeys screw a football.  It's messy, usually ends up with one chimp having all the fun and nobody will end up wanting to play ball again with the "winner."  Congratulations, champ.

What the heck am I talking about?  Way back when, a bunch of us had a debate concerning the utility of NAC.  More specifically, we had a debate about the utility, efficacy and value of NAC as part of an overall security strategy.  The debate actually started between Richard and Alan Shimmel. 

I waded in because I found them both to be right and both to be wrong.  What I suggested is that NAC by ITSELF is not effective and must be deployed as part of a well-structured layered defense.  I went so far as to  suggest that Richard's ideas that the network 'fabric' could also do this by itself were also flawed.  Interestingly, we all agreed that trusting the end-point ALONE to report on its state and gain admission to the network was a flawed idea.

Basically, I suggested that securing one's assets came down to common sense, the appropriate use of layered defense in both the infrastructure and on top of it and utilizing NAC when and how appropriate.  You know, rational security.

The interesting thing to come out of that debate is that to Richard, it became clear that the acronym "NAC" appeared to only mean Network ADMISSION Control.  Even more specifically, it meant Cisco's version of Network ADMISSION Control.  Listen to the Podcast.  Read the blogs.  It's completely one dimensional and unrealistic to group every single NAC product and compare it to Cisco.  He did this intentionally so as to prove an equally one dimensional point.  Everyone already knows that pre-admission control is nothing you solely rely on for assured secure connectivity.

To the rest of us who participated in that debate, NAC meant not only Network ADMISSION Control, but also Network ACCESS Control...and not just Cisco's which we all concluded, pretty much sucked monkey butt.  The problem is that Richard's assessment of (C)NAC is so myopic that he renders any argument concerning NAC (both) down to a single basal point that nobody actually made.

It goes something like this and was recorded thusly by his lordship himself from up on high on a tablet somewhere.  Richard's "First Law of Network Security":

Thou shalt not trust an end point to report its own state

Well, no shit.  Really!?  Isn't it more important to not necessarily trust that the state reported is accurate but take the status with a grain of salt and use it as a component of assessing the fitness of a host to participate as a citizen of the network?   Trust but verify?

Are there any other famous new laws of yours I should know about?  Maybe like:

Thou shalt not use default passwords
Thou shalt not click on hyperlinks in emails
Thou shalt not use eBanking apps on shared computers in Chinese Internet Cafes
Thou shalt not deploy IDS' and not monitor them
Thou shalt not use "any any any allow" firewall/ACL rules
Thou shalt not allow SMTP relaying
Thou shalt not use the handle hornyhussy in the #FirewallAdminSingles IRC channel

{By the way, I think using the phrase '...shalt not' is actually a double-negative?} [Ed: No, it's not]

Today Richard blew his own horn to try and reinforce his Nostradramatic prescience when he commented on how presenters at Blackhat further demonstrated that you can spoof reporting compliance checks of an end-point to the interrogator using Cisco's NAC product using a toolkit created to do just that. 

Oh, the horror!  You mean Malware might actually fake an endpoint into thinking it's not compromised or spoof the compliance in the first place!?  What a novel idea.  Not.  Welcome to the world of amorphous polymorphic malware.  Been there, done that, bought the T-Shirt.  AV has been dealing with this for quite a while.  It ain't new.  Bound to happen again.

Does it make NAC useless.  Nope.  Does it mean that we need greater levels of integrity checking and further in-depth validation of state.  Yep.   'Nuff said. 

Let me give you Hoff's "First Law of Network Security" Blogging:

Thou shalt not post drivel bait, Troll.

It's not as sexy sounding as yours, but it's immutable, non-negotiable and 100% free of trans-fatty acids.

/Hoff

(Written from the lobby of the Westford Regency Hotel.  Drinking...nothing, unfortunately.)

On Flying Pigs, DNSSEC, and embedded versus overlaid security...

I found Thomas Ptacek's comments regarding DNSSEC deliciously ironic not for anything directly related to secure DNS, but rather a point he made in substantiating his position regarding DNSSEC while describing the intelligence (or lack thereof) of the network and application layers.

This may have just been oversight on his part, but it occurs to me that I've witnessed something on the order of a polar magnetic inversion of sorts.  Or not.  Maybe it's the coffee.  Ethiopian Yirgacheffe does that to me.

Specifically, Thomas and I have debated previously about this topic and my contention is that the network plumbing ought to be fast, reliable, resilient and dumb whilst elements such as security and applications should make up a service layer of intelligence running atop the pipes. 

Thomas' assertions focus on the manifest destiny that Cisco will rule the interconnected universe and that security, amongst other things, will -- and more importantly should -- become absorbed into and provided by the network switches and routers.

While Thomas' arguments below are admittedly regarding the "Internet" versus the "Intranet," I maintain that the issues are the same.  It seems that his statements below which appear to endorse the "...end-to-end argument in system design" regarding the "...fundamental design principle of the Intenet" are at odds with his previous aspersions regarding my belief.  Check out the bits in red.

Here's what Thomas said in "A Case Against DNSSSEC (A Matasano Miniseries):

...You know what? I don’t even agree in principle. DNSSEC is a bad thing, even if it does work.

How could that possibly be?

It violates a fundamental design principle of the Internet.

Nonsense. DNSSEC was designed and endorsed by several of the architects of the Internet. What principle would they be violating?

The end-to-end argument in system design. It says that you want to keep the Internet dumb and the applications smart. But DNSSEC does the opposite. It says, “Applications aren’t smart enough to provide security, and end-users pay the price. So we’re going to bake security into the infrastructure.”

I could have sworn that the bit in italics is exactly what Thomas used to say.  Beautiful.  If, Thomas truly agrees with this axiom and that indeed the Internet (the plumbing) is supposed to be dumb and applications (service layer) smart, then I suggest he should revisit his rants regarding how he believes the embedding security in the nework is a good idea since it invalidates the very "foundation" of the Internet.

I wonder what that'll do internal networks? 

That's all.  CSI is on.

/Hoff

(Written @ Home drinking Yirgacheffe watching UFC re-runs)

If it walks like a duck, and quacks like duck, it must be...?

Seriously, this really wasn't a thread about NAC.  It's a great soundbite to get people chatting (arguing) but there's a bit more to it than that.  I didn't really mean to offend those NAC-Addicts out there.

My last post was the exploration of security functions and their status (or even migration/transformation)  as either a market or feature included in a larger set of features.  Alan Shimel responded to my comments; specifically regarding my opinion that NAC is now rapidly becoming a feature and won't be a competitive market for much longer. 

Always the quick wit, Alan suggested that UTM was a "technology" that is going to become a feature much like my description of NAC's fate.  Besides the fact that UTM isn't a technology but rather a consolidation of lots of other technologies that won't stand alone, I found a completely orthogonal statement that Alan made to cause my head to spin as a security practitioner. 

My reaction stems from the repeated belief that there should be separation of delivery between the network plumbing, the security service layers and ultimately the application(s) that run across them.  Note well that I'm not suggesting that common instrumentation, telemetry and disposition shouldn't be collaboratively shared, but their delivery and execution ought to be discrete.  Best tool for the job.

Of course, this very contention is the source of much of the disagreement between me and many others who believe that security will just become absorbed into the "network."  It seems now that Alan is suggesting that the model of combining all three is going to be something in high demand (at least in the SME/SMB) -- much in the same way Cisco does:

The day is rapidly coming when people will ask why would they buy a box that all it does is a bunch of security stuff.  If it is going to live on the network, why would the network stuff not be on there too or the security stuff on the network box.

Firstly, multi-function devices that blend security and other features on the "network" aren't exactly new.

That's what the Cisco ISR platform is becoming now what with the whole Branch Office battle waging, and back in '99 (the first thing that pops into my mind) a bunch of my customers bought and deployed WhistleJet multi-function servers which had DHCP, print server, email server, web server, file server, and security functions such as a firewall/NAT baked in.

But that's neither here nor there, because the thing I'm really, really interested in Alan's decidedly non-security focused approach to prioritizing utility over security, given that he works for a security company, that is.

I'm all for bang for the buck, but I'm really surprised that he would make a statement like this within the context of a security discussion.

That is what Mitchell has been talking about in terms of what we are doing and we are going to go public Monday.  Check back then to see the first small step in the leap of UTM's becoming a feature of Unified Network Platforms.

Virtualization is a wonderful thing.  It's also got some major shortcomings.  The notion that just because you *can* run everything under the sun on a platform doesn't always mean that you *should* and often it means you very much get what you pay for.  This is what I meant when I quoted Lee Iacocca when he said "People want economy and they will pay any price to get it."

How many times have you tried to consolidate all those multi-function devices (PDA, phone, portable media player, camera, etc.) down into one device.  Never works out, does it?  Ultimately you get fed up with inconsistent quality levels, you buy the next megapixel camera that comes out with image stabilization.  Then you get the new video iPod, then...

Alan's basically agreed with me on my original point discussing features vs. markets and the UTM vs. UNP thing is merely a handwaving marketing exercise.  Move on folks, nothing to see here.

'nuff said.

/Hoff

(Written sitting in front of my TV watching Bill Maher drinking a Latte)

What Do "Grassy Knees," a Gartner Analyst, Cuban Garlic Chicken and Poor Fashion Choices Have in Common?

It's not the sordid tale of lust, information security and circus midgets you might have been expecting from the title, but instead the highlights of a couple of evenings spent entertaining a wayward analyst soul from Phoenix.

Rich Mogull, Gartner analyst and data protection mercenary, was in town for a couple of evenings, and I played cruise ship entertainment director.  It's what I do.  If a fellow blogger or security wonk comes to my town, has a few minutes to spare, it's my self-appointed duty to make damned sure they have a good time.

I'm all about the full disclosure.  It's how we roll. 

As Rich so kindly nominated me for "Best Host for Security Geeks in Boston" I must suggest that he plays the role of visiting team quite well.  Damned good head on his shoulders, fun dude to talk with and listen to, and should you ever need saving on the side of a snow-covered mountain, it seems that he's all you'll ever need.

We had a great dinner at the Naked Fish (which incidentally has nothing to do with my tattoos,) and then ended up closing that down in favor of the hotel bar in Bedford in which we most certainly were the worst dressed amongst the crowd.  We executed on the wild tech. guy role very well using every free napkin in the house to scribble the solutions to every known security problem currently defined.

I called Shimmy because whilst late, I suggested I could do his podcast drunk with Rich adding beatbox sound effects in the background.  Alan listened to me ramble for 10 minutes before he asked "Who the hell is this!?"

The next night we hit BeanSec! and hooked up with Mike Murray, 78% of Veracode's employees (except for Wysopal who is now finally too l33t to hang with us) and 46% of Crossbeam's staff.

I tried for an analyst trifecta:

Jaquith was invited but he was in Utah gettin' all Mormon'd up.  Rothman was, well, not there because BeanSec! is not pragmatic enough.  Stiennon was busy securing the network fabric of the entire nation state of Haiti and nobody @ IDC would answer my calls.  Ah well.

Despite that, a good time was had by all.

Good seeing you, Rich.  Come back sometime...as soon as you add me to your BlogRoll, that is. ;)

/Hoff

(P.S. Just to be clear, a "Grassy Knee" is one of the specialty drinks at the Enormous Room in Cambridge where we hold BeanSec!  along with the "Bad Babysitter" and "God in Little Pieces."  Any other imaginative definition is your own fault, you perv.  That is all.)

How to make a Security Sandwich out of Ron Gula and Stephen Toulouse? Just add Hoff...

Firstly, my apologies to both Ron and Stephen for the grotesque visual...especially when you consider that this ridiculous analog is all the more absurd when you consider that I'm suggesting I'm the bologna in the middle. 

Ew. 

As I write this, I regret it immediately.

I'm referring to being included -- along with the usual cast of characters; Rothman, Shimel, Williams, Stiennon, etc. -- in ITSecurity.com's Top 59 Influencers in IT Security listing.  I'm #24, right in between Gula and Toulouse!  This is how we roll, yo!

I'm sure Alan's going to complain that Amrit beat him out for #1, but I find it hysterical that John Thompson and Tom Noonan are below me!  Technically, I'm listed twice; once in the bloggers section and again under the Corporate Security Officers section. 

The only way this list is in actual order of anything is the possibility that the ranking represents the number of complaints regarding content from my rabid blog readership of 4 (and you know who you are.)  Nonetheless, thanks for voting 6 times each, ya'll!   

You can check out this interesting list of people here.

/Hoff

The semantics of UTM messaging: Snake Oil and Pissing Matches

Those of you who know me realize that no matter where I go, who I work for or who's buying me drinks, I am going to passionately say what I believe at the expense of sometimes being perceived as a bit of a pot-stirrer. 

I'm far from being impartial on many topics -- I don't believe that anyone is truly impartial about anything --  but at the same time, I have an open mind and will gladly listen to points raised in response to anything I say.  I may not agree with it, but I'll also tell you why. 

What I have zero patience for, however, is when I get twisted semantic marketing spin responses.  It makes me grumpy.  That's probably why Rothman, Shimmy and I get along so well.

Some of you might remember grudge match #1 between me and Alex Niehaus, the former VP of Marketing for Astaro (coincidence?)  This might become grudge match #2.  People will undoubtedly roll their eyes and dismiss this as vendors sniping at one another.  So be it.  Please see paragraphs #1 and 2 above. 

My recent interchange with Richard Stiennon is an extension of arguments we've been having for a year or so from when Richard was still an independent analyst.  He is now employed as the Chief Marketing Officer at Fortinet. 

Our disagreements have intensified for what can only be described as obvious reasons, but I'm starting to get as purturbed as I did with Alex Neihaus when the marketing sewerage obfuscates the real issues with hand-waving and hyperbole. 

I called Richard out recently for what I believed to be complete doubletalk on his stance on UTM and he responded here in a comment.  Comments get buried so I want to bring this back up to the top of the stack for all to see.  Don't mistake this as a personal attack against Richard, but a dissection of what Richard says.  I think it's just gobbledygook.

To be honest, I think it took a lot of guts to respond, but his answer makes my head spin as much as Anna Nicole Smith in a cheesecake factory.  Yes, I know she's dead, but she loved cheesecake and I'm pressed for an analogy.

The beauty of blogging is that the instant you say something, it becomes a record of "fact."  That can be good or bad depending upon what you say. 

I will begin to respond to Richard's retort wherein he first summarily states:

Here is where I stand. I hate the huge bucket that UTM has become.  Absolutely every form of gateway security can be lumped in to this category that IDC invented. We discussed this at RSA on the panel that Mr. Rothman so graciously hosted.

I also assume that this means Richard hates the bit buckets that Firewall, IPS, NAC, VA/VM, and Patch Management (as examples) have become, too?   This trend is the natural by-product of marketers and strategists scrambling to find a place to hang their hat in a very crowded space.  So what.

UTM is about solving applied sets of business problems.  You can call it what you like, but the only reason marketeers either love or hate UTM usually depends upon where they sit in the rankings.  This intrigues me, Richard, because (as you mention further on) Fortinet pays to be a part of IDC's UTM Tracker, and they rank Fortinet as #1 in at least one of the product price ranges, so someone at Fortinet seems to think UTM is a decent market to hang a shingle on.

Hate it or not, Fortinet is a UTM vendor, just like Crossbeam.  Both companies hang their shingles on this market because it's established and tracked.

When trying to classify a market you look for common traits and, even better, common buying patterns, to help lump vendors or products in to a category. But for Crossbeam, Fortinet, and Astaro to be lumped together has always struck me as a sign that the UTM "market" was not going to work.

You're right.  Lumping Crossbeam with Fortinet and Astaro is the wrong thing to do.  ;)

Arguing the viability of a market which has tremendous coverage and validated presence seems a little odd.  Crafting a true strategy of differentiation as to how you're different in that market is a good thing, however.

I much prefer the Gartner view (as I would) of Security Platforms. These are devices that are able to apply security policies using a bunch of different methods and they can loosely be thrown on to a grid...

So what you're saying is that you like the nebulous and ill-defined blob that is Gartner's view, don't like IDC, but you'll gladly pay for their services to declare you #1 in a market you don't respect?

Now, yes, I did join a company that IDC considers to be a major UTM player- leading in volume shipments in those parts of 2006 that they are reporting. But, I was an independent analyst and I NEVER classified Fortinet as a UTM play.

You mean besides when you said:

"By all accounts the so called UTM market is doing very well with players like Fortinet, Barracuda, Sonicwall, Astaro, and Watchguard, evidently seeing considerable success" 

Just in case you're interested, you can find that quote here.   There are many, many other examples of you saying this, by the way.  Podcasts, blog entries, etc.

Also, are you suggesting that Fortinet does not consider itself a UTM player?  Someone better tell the Marketing department.  Look at one of your news pages on your website.  Say, this one, for example -- 10 articles have UTM in the title and your own Mr. Akomoto (VP of Fortinet, Japan) says "The UTM market was pioneered by us," says Mr. Okamoto, the vice-president of Fortinet Japan. Mr. Okamoto explains how Fortinet created the UTM category, the initial popularity of UTM solutions with SMBs..." 

Heck, in the 24 categories for the security market that I maintained I did not even track UTMs. As I tracked Fortinet over the years I considered them a security platform vendor and one that just happened to be executing on my vision for the network security space.

Yes, I understand how much you dislike IDC.  Can you kindly show reference to where you previously commented on how Fortinet was executing on your vision for Secure Network Fabric?  I can show you where you did for Crossbeam -- it was at our Sales Meeting two years ago where you presented.  I can even upload the slide presentation if you like.

As you know Chris I have always been a big fan of Crossbeam and in the interest of full disclosure, Crossbeam was a client while I was a Gartner analyst and my second client when I launched my own firm. Great people and a great product.

Richard, I'm not really looking for the renewal of your Crossbeam Fan Club membership...really.

Crossbeam is the security platform of choice for running legacy security apps.

Oh, now it's on!  I'm fixin' to get "Old Testament" on you!

Just so we're clear, ISV applications that run on Crossbeam such as XML gateways, web-application firewalls, database firewalls and next generation network converged security services such as session border controllers are all UTM "legacy applications!?" 

So besides an ASIC for AV, what "new" non-legacy apps does Fortinet bring to the table?  I mean now.  From the Fortinet homepage, please demonstrate which novel new applications that Firewall, IPS, VPN, Web filtering and Antispam represent?

It must suck to have to craft a story around boat-anchor ASICs that can't extend past AV offload.  That means you have to rely on software and innovation in that space.  Cobbling together a bunch of "legacy" applications with a nice GUI doesn't necessarily represent innovation and "next generation." 

Now let's address the concept of running multiple security defenses on one security platform. Let's take three such functions, Firewalling, VPN, and IPS. Thanks to Checkpoint, firewalls and VPN are frequently bundled together. It has become the norm, although in the early days these were separate boxes. Now, you can either take a Snort implementation and bolt it on to your firewall in such a way that a signature can trigger a temporary block command ala Checkpoint and a bunch of other so called IPS devices or you can create a deep packet inspection capable firewall that can apply policies like: No Worm Traffic. To do the latter you have to start from scratch. You need new technology and several vendors do this pretty well.

It's clear you have a very deluded interesting perspective on security applications. The "innovation" that you're suggesting differentiates what has classically been described as the natrual evolution of converging marketspaces.  That over-played Snort analogy is crap.  The old "signature" vs. "anomaly detection" argument paired with "deep packet inspection" is tired.  Fortinet doesn't really do anything that anyone else can't/doesn't already do.  Except for violating GPL, that is.

I suppose now that Check Point has acquired NFR, their technology is crap, too?  Marcus would be proud.

So, given a new way to firewall (payload inspection instead of stateful inspection) what enterprise would choose *not* to use IPS capability in their firewall and use a separate device behind the firewall? See the trouble? A legacy firewall is NO LONGER BEST OF BREED! The best of breed firewall can do IPS.

Oh come on, Richard.  First of all, the answer to your question is that many, many large enterprises and service providers utilize a layered defense and place an IPS before or after their firewall.  Some have requirements for firewall/IDS/IPS pairs from different vendors.  Others require defense in depth and do not trust that the competence in a solutions provider that claims to "do it all."

Best of breed is what the customer defines as best of breed.  Just to be clear, would you consider Fortinet to be best of breed?

If you use a Crossbeam, by the way, it's not a separate device and you're not limited to just using the firewall or IPS in "front of" or "behind" one another.  You can virtualize placement wherever you desire.  Also, in many large enterprises, using IPS's and firewalls from separate vendors is not only good practice but also required.

How does Fortinet accomplish that?

Your "payload inspection" is leveraging a bunch of OSS-based functionality paired with an ASIC that is used for AV -- you know, signatures -- with heuristics and a nice GUI.  Whilst the Cosine IP Fortinet acquired represents some very interesting technology for provisioning and such, it ain't in your boxes.

You're really trying to pick a fight with me about Check Point when you choose to also ignore the fact that we run up to 15 other applications such as SourceFire and ISS on the same platform?  We all know you dislike Check Point.  Get over it.

I have spent eight of the last 12 weeks on the road meeting our large enterprise clients in the Americas, Asia, and EMEA. None of them shop comparatively for UTM appliances. Every single customer was shopping for firewall upgrades, SSL VPN, spam or virus filtering inline, etc.

Really?  So since you don't have separate products to address these (Fortinet sells UTM, afterall) that means you had nothing to offer them?  Convergence is driving UTM adoption.  You can call it what you want, but you're whitewashing to prove a flawed theorem.

During the sales process they realize the benefit of combined functionality that comes with the ability to process payloads and invariably sign up for more than just a single security function. Does that mean UTM is gaining traction in the enterprise? To me the answer is no. It means that the enterprise is looking for advanced security platforms that can deliver better security at lower capex and opex.

...and what the heck is the difference between that and UTM, exactly?  People don't buy IPS, they buy network level protection to defend against attack.  IPS is just the product catagory, as is UTM. 

I would lay off the Bourbon Chris. Try a snifter of my 16 yr old Lagavulin that I picked up in London this Friday. It will help to mellow you out.

I don't like Scotch, Richard.  It leaves a bad taste in my mouth...sort of like your response ;)

Massive Security Blog Consolidation Underway: RationalSecurity to Acquire "StillSecure After All These Years" Blog

BOSTON MA, March 3 /PRNewswire/ - Rational Security 
BlogoDomination Corp. (RSBC) announced its intention 
today to continue the expansion of its consolidation 
strategy in the overly saturated Security Blog Market 
with the unsolicited hostile takeover bid and acquisition
of Alan Shimel's "StillSecure After All These Years 
(SSAATY)" Blog.

Christofer Hoff, CEO and Dark Overlord of the Security
Blogsolidation Dominion, today announced that upon 
release of SSAATY's recent earnings report showing a 
marked uptake in revenues with income hovering at over 
$18 per month, that RSBC would offer an unheard of 20X 
revenue multiplier in a stock-for-stock exchange and
an "I (heart) NAC" bumper sticker.

Alan Shimel, SSAATY's CEO/CTO/CMO/CIO/CFO/CSO refused 
comment other than to crisply and vehemently reject
Hoff's bid citing unacceptable terms; balking at only a 
20X multiplier, he pointed to Ken Xie's $4B sale of 
NetScreen to Juniper and suggested that Hoff "...get real if he expects this bulls**t
takeover attempt to warrant any sort of attention other than a trackback and lower 
Technorati rating."  

Art Coviello, CEO of RSA, complemented his prognostications from his recent 2007 RSA 
Security Conference keynote wherein he stated that there would there not be any 
independent security companies in 3 years, and Hoff's RSBC would "...subsume all 
security blogs within the same timeframe."  Mike Rothman was quoted as "...not giving
a crap because neither of them purchased a copy of the P-CSO."  

Hoff's response was just as shrill, "If Shimel doesn't pony up like the little bitch
that he is, I'll buy his lap dog Mitchell's blog instead."

Contact:

Christofer Hoff				Alan Shimel
CEO and Dark Overlord of the Security	CEO/CTO/CMO/CIO/CFO/CSO
Blogsolidation Dominion			StillSecure After All These Years
[email protected]	[email protected]