Archive

Archive for the ‘Jackassery’ Category

No excuse for not shredding those credit card offers…Hamster Powered Shredder!

April 11th, 2007 1 comment

Saw this on Boing Boing.

There’s now no excuse for not shredding those unsolicited credit card offers that show up in the mail.  This works on report cards, too, kids!

It’s eco-friendly, makes its own bedding/toilet, entertains your kids, turns veggie leftovers into leveraged mechanical advantage, and gosh-darn it, it’s so damned cute!

That’s right, folks.  The coolest hack, evah!  Hamster-powered shredder!

That’s Web2.0, baby…

Did I hurt your feelings? I’m OK, You’re OK…

April 9th, 2007 1 comment

In the NY times this morning, I read an article titled "A Call for Manners in the World of Nasty Blogs" wherein the author posits whether it’s "…too late to bring civility to the Web?"  I found it online here.

Pairing this article with various allusions and outright claims that I’ve been less than "civil" lately in the manner in which I publicly interact with other security "professionals," especially when they let their butt hang out, I paused for a moment to contemplate the article and the underlying message it sought to communicate.

I further contemplated messages from fellow bloggers who want to encourage meaningful, supportive and positive dialogue within our community instead of provoking or otherwise poking those with whom we disagree.  I took this to heart and thought long and hard about this.

No, really.  I did.

I realized several things, denied about 6 others, and thought diligently about seeking therapy regarding my unhealthy obsession with gym socks and pickled herring.

I concluded a couple of things:

  1. The Internet is indeed a "…prickly and unpleasant place."  There’s www.kittenwar.com where the vile mediator of all things cuddly and feline suggests "May the Cutest Kitten Win!" but I’m not sure that really counts.
  2. There are two types of people in the world.  Those that blog and read blogs and those that visit www.kittenwar.com.
  3. "Recent outbreaks of antagonism…" describes my daily encounters with my local Starbucks barista.  Posting my opinion wherein someone lets their butt hang out is reasonable, warranted, sometimes juvenile and above all, fun.
  4. The community that is the Internet is self-policing.  We kick ass when we need to and let the whole unregulated bunch ramble on as due course.  Sometimes people throw their toys out of the pram, but that happens in grade school — the Internet’s no different.
  5. Mr. O’Reilly and Mr. Wales should stick to allowing and ensuring the freedom of speech, not refereeing it.  I didn’t vote for them.  Did you?
  6. If Siskel and Ebert above get their way, I’ll have to rate my blog indicating "the principles…and what kind of behavior and dialogue [my blog] will engage in."  I liken that to the L.A. County Dept. of Health certifications on restaurants: while you certainly have a CHOICE not to eat at a restaurant with a ‘D’ rating, you’d miss every fantastic Vietnamese pho restaurant this side of Delaware just because of a little E. coli.  Likewise, with this rating system, you’d miss all the best blogs out there!
  7. Turn off anonymous blogging or weed through the posts.  Nobody said blogs were themselves administered as a democracy.  You don’t like it, delete it.  That’s an instantiation of free speech, too…mine.
  8. Last time I looked, nobody tapes people’s eyes open and makes them read my blog.  There is that group of folks in Gitmo, but they swear it’s just mild hazing.
  9. It occurs to me that what seems to be at issue here is actually ANONYMOUS blogging.  Fine.  Turn the feature off.  Require registration and then folks can face those that annoy them.
  10. Civility is not the same thing as criminality or vulgarity, just to clear that up.

Just to be clear, the reactions of Messrs. Wales and O’Reilly, who were flamed by recent events, are understandable, and the utter lunacy and despicable nature of the threats and taunts that Kathy Sierra endured are unconscionable.  Nobody deserves that sort of harassment when lines are crossed and physical violence is threatened.

Look, O’Reilly’s "Blogger Code of Conduct" isn’t all that bad, and quite honestly I abide by most of the "code" as a function of being a reasonable human being and a rational contributor.  Those items highlighted I find relevant, the rest, not so much:

  • We take responsibility for our own words and for the comments we allow on our blog.
  • We won’t say anything online that we wouldn’t say in person.
  • We connect privately before we respond publicly.
  • When we believe someone is unfairly attacking another, we take action.
  • We do not allow anonymous comments.
  • We ignore the trolls.

That said, whether "free speech is enhanced by civility" or not is irrelevant.  Free means unencumbered to me. In fact, here’s the Wikipedia definition of "Free Speech":

Freedom of speech is the concept of the inherent human right to voice one’s opinion publicly without fear of censorship or punishment. The right is enshrined in the United Nations Universal Declaration of Human Rights and is granted formal recognition by the laws of most nations. Nonetheless the degree to which the right is upheld in practice varies greatly from one nation to another.

In many nations, particularly those with relatively authoritarian forms of government, overt government censorship is enforced. Censorship has also been claimed to occur in other forms (see propaganda model) and there are different approaches to issues such as hate speech, obscenity, and defamation laws even in countries seen as liberal democracies.

I’d like it very much if we can just leave the "community" to self-police itself and not infringe on my ability to write what I like, when I like it about whomsoever I like to write about. 

That’s just my uncivil opinion.

[Ed. I found Tristan Louis’ dissection of O’Reilly’s draft "Blogger’s Code of Conduct" quite interesting.]

/Hoff


It’s a sNACdown! Cage Match between Captain Obvious and Me, El Rational.

April 4th, 2007 3 comments

CAUTION:  I use the words "Nostradramatic prescience" in this blog posting.  Anyone easily offended by such poetic buggery should stop reading now.  You have been forewarned.

That’s it.  I’ve had it.  I’ve taken some semi-humorous jabs at Mr. Stiennon before, but my contempt for what is just self-serving PFD (Pure F’ing Drivel) has hit an all-time high.  This is an out-and-out smackdown.  I make no bones about it.

Richard is at it again.  It seems that stating the obvious and taking credit for it has become an art form. 

Richard expects to be congratulated for his prophetic statements that are basically a told-you-so to any monkey dumb enough to rely only on Network Admission Control (see below) as his/her only security defense.  Furthermore, he has the gall to suggest that by obfuscating the bulk of the arguments made in contradiction of his point, he wins by default and he’s owed some sort of ass-kissing:

And for my fellow bloggers who I rarely call out using my own blog: are you ready to retract your "founded on quicksand" statements and admit that you were wrong and Stiennon was right once again?  🙂

Firstly, there’s a REASON you "rarely call out" other people on your blog, Richard. It has something to do with a lack of frequency of actually being right, or more importantly others being wrong.  

I mean the rest of us poor ig’nant blogger folk just cower in the shadows of your earth-shattering predictions for 2007: cybercrime is on the rise, identity theft is a terrible problem, attacks against financial services companies will increase and folks will upload illegal videos to YouTube.

I’m sure the throngs of those who rise up against Captain Obvious are already sending their apology Hallmarks.  I’ll make sure to pre-send those congratulatory balloons now so I can save on shipping, eh?

Secondly, suggesting that others are wrong when you only present 1/10th of the debate is like watching two monkeys screw a football.  It’s messy, usually ends up with one chimp having all the fun and nobody will end up wanting to play ball again with the "winner."  Congratulations, champ.

What the heck am I talking about?  Way back when, a bunch of us had a debate concerning the utility of NAC.  More specifically, we had a debate about the utility, efficacy and value of NAC as part of an overall security strategy.  The debate actually started between Richard and Alan Shimel.

I waded in because I found them both to be right and both to be wrong.  What I suggested is that NAC by ITSELF is not effective and must be deployed as part of a well-structured layered defense.  I went so far as to  suggest that Richard’s ideas that the network ‘fabric’ could also do this by itself were also flawed.  Interestingly, we all agreed that trusting the end-point ALONE to report on its state and gain admission to the network was a flawed idea.

Basically, I suggested that securing one’s assets came down to common sense, the appropriate use of layered defense in both the infrastructure and on top of it and utilizing NAC when and how appropriate.  You know, rational security.

The interesting thing to come out of that debate is that to Richard, it became clear that the acronym "NAC" appeared to only mean Network ADMISSION Control.  Even more specifically, it meant Cisco’s version of Network ADMISSION Control.  Listen to the Podcast.  Read the blogs.  It’s completely one dimensional and unrealistic to group every single NAC product and compare it to Cisco.  He did this intentionally so as to prove an equally one dimensional point.  Everyone already knows that pre-admission control is nothing you solely rely on for assured secure connectivity.

To the rest of us who participated in that debate, NAC meant not only Network ADMISSION Control, but also Network ACCESS Control…and not just Cisco’s which we all concluded, pretty much sucked monkey butt.  The problem is that Richard’s assessment of (C)NAC is so myopic that he renders any argument concerning NAC (both) down to a single basal point that nobody actually made.

It goes something like this and was recorded thusly by his lordship himself from up on high on a tablet somewhere.  Richard’s "First Law of Network Security":

Thou shalt not trust an end point to report its own state

Well, no shit.  Really!?  Isn’t it more important to not necessarily trust that the state reported is accurate but take the status with a grain of salt and use it as a component of assessing the fitness of a host to participate as a citizen of the network?   Trust but verify?

Are there any other famous new laws of yours I should know about?  Maybe like:

Thou shalt not use default passwords
Thou shalt not click on hyperlinks in emails
Thou shalt not use eBanking apps on shared computers in Chinese Internet Cafes
Thou shalt not deploy IDS’ and not monitor them
Thou shalt not use "any any any allow" firewall/ACL rules
Thou shalt not allow SMTP relaying
Thou shalt not use the handle hornyhussy in the #FirewallAdminSingles IRC channel

{By the way, I think using the phrase ‘…shalt not’ is actually a double-negative?} [Ed: No, it’s not]

Today Richard blew his own horn to try and reinforce his Nostradramatic prescience when he commented on how presenters at Black Hat further demonstrated that an endpoint’s compliance reports to the interrogator in Cisco’s NAC product can be spoofed, using a toolkit created to do just that.

Oh, the horror!  You mean Malware might actually fake an endpoint into thinking it’s not compromised or spoof the compliance in the first place!?  What a novel idea.  Not.  Welcome to the world of amorphous polymorphic malware.  Been there, done that, bought the T-Shirt.  AV has been dealing with this for quite a while.  It ain’t new.  Bound to happen again.

Does it make NAC useless?  Nope.  Does it mean that we need greater levels of integrity checking and further in-depth validation of state?  Yep.  ‘Nuff said.
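What "trust but verify" looks like when you actually write the admission policy, as an added example that is not Hoff’s code, nor Cisco’s, nor any other NAC vendor’s: the endpoint’s self-reported posture is one untrusted input, every claim in it is cross-checked against evidence the network gathered on its own during the pre-admission probing window, and a claim the network can contradict is treated as a sign of a lying or compromised agent rather than as a pass.  The port numbers, patch threshold, evidence fields and sample endpoints below are constructed for illustration, not taken from any product.

```python
# Added example, not from the original post or any vendor's NAC product:
# a toy admission policy in which the agent's self-report can only get a
# host as far as quarantine, and admission requires the network's own
# observations to agree with the claims.  Thresholds and port numbers are
# assumptions chosen for illustration.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class Decision(Enum):
    ADMIT = "admit"            # full production access
    QUARANTINE = "quarantine"  # remediation VLAN only
    DENY = "deny"              # no access: claims were contradicted


@dataclass
class PostureReport:
    """What the endpoint agent claims about itself.  Spoofable by design."""
    av_running: bool
    firewall_on: bool
    patch_level: int


@dataclass
class NetworkEvidence:
    """What the infrastructure observed without asking the endpoint.
    Assumed to be collected while the host sits in the probing/quarantine
    VLAN, before the admission decision is made."""
    open_ports: Set[int] = field(default_factory=set)   # from an active scan
    av_update_seen: bool = False                         # AV signature fetch seen in flow logs
    scanned_patch_level: Optional[int] = None            # version observed by the scan, if any
    suspicious_flows: int = 0                            # e.g. IDS alerts after admission


REQUIRED_PATCH_LEVEL = 100                                  # assumed policy threshold
PORTS_A_HOST_FIREWALL_SHOULD_BLOCK = {135, 139, 445, 3389}  # assumed: RPC/NetBIOS/SMB/RDP


def evaluate_admission(report: PostureReport,
                       evidence: NetworkEvidence) -> Tuple[Decision, List[str]]:
    """Pre-admission: a failing self-report is enough to quarantine; a passing
    one is never, by itself, enough to admit."""
    if not (report.av_running and report.firewall_on
            and report.patch_level >= REQUIRED_PATCH_LEVEL):
        return Decision.QUARANTINE, ["self-reported posture does not meet policy"]

    # Every claim is checked against independent evidence.  A contradicted
    # claim is worse than no claim: it is the signature of a spoofed agent.
    contradictions: List[str] = []
    exposed = evidence.open_ports & PORTS_A_HOST_FIREWALL_SHOULD_BLOCK
    if exposed:
        contradictions.append(f"firewall claimed on but ports {sorted(exposed)} reachable")
    if not evidence.av_update_seen:
        contradictions.append("AV claimed running but no update traffic observed")
    if (evidence.scanned_patch_level is not None
            and evidence.scanned_patch_level < report.patch_level):
        contradictions.append(
            f"patch level claimed {report.patch_level}, scan observed {evidence.scanned_patch_level}")
    if contradictions:
        return Decision.DENY, contradictions
    return Decision.ADMIT, []


def reevaluate_access(current: Decision, evidence: NetworkEvidence) -> Decision:
    """Post-admission (access, not admission, control): the gate opening once
    does not end the evaluation.  Misbehaviour seen on the wire pulls the
    host back into quarantine regardless of what the agent still claims."""
    if current is Decision.ADMIT and evidence.suspicious_flows > 0:
        return Decision.QUARANTINE
    return current


if __name__ == "__main__":
    # Constructed sample endpoints.
    honest = PostureReport(av_running=True, firewall_on=True, patch_level=120)
    clean_net = NetworkEvidence(open_ports=set(), av_update_seen=True, scanned_patch_level=120)
    print(evaluate_admission(honest, clean_net))   # (Decision.ADMIT, [])

    # Spoofed agent: the report is perfect, the network disagrees on all three counts.
    liar_net = NetworkEvidence(open_ports={445, 3389}, av_update_seen=False, scanned_patch_level=80)
    print(evaluate_admission(honest, liar_net))    # (Decision.DENY, [three contradictions])

    # Admitted host that later trips the IDS gets pulled back.
    print(reevaluate_access(Decision.ADMIT, NetworkEvidence(suspicious_flows=2)))  # QUARANTINE
```

The design choice worth noting is the asymmetry: the self-report is allowed to make things worse (quarantine) but never better on its own, and disagreement between the claim and the observation is scored as hostile rather than as a tie.  That is the "grain of salt" in practice, and it is also why the admission-versus-access distinction matters: the second function keeps running after the first has said yes.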

Let me give you Hoff’s "First Law of Network Security" Blogging:

Thou shalt not post drivel bait, Troll.

It’s not as sexy sounding as yours, but it’s immutable, non-negotiable and 100% free of trans-fatty acids.

/Hoff

(Written from the lobby of the Westford Regency Hotel.  Drinking…nothing, unfortunately.)

If it walks like a duck, and quacks like duck, it must be…?

April 2nd, 2007 5 comments

Seriously, this really wasn’t a thread about NAC.  It’s a great soundbite to get people chatting (arguing) but there’s a bit more to it than that.  I didn’t really mean to offend those NAC-Addicts out there.

My last post was the exploration of security functions and their status (or even migration/transformation)  as either a market or feature included in a larger set of features.  Alan Shimel responded to my comments; specifically regarding my opinion that NAC is now rapidly becoming a feature and won’t be a competitive market for much longer. 

Always the quick wit, Alan suggested that UTM was a "technology" that is going to become a feature much like my description of NAC’s fate.  Besides the fact that UTM isn’t a technology but rather a consolidation of lots of other technologies that won’t stand alone, I found a completely orthogonal statement that Alan made to cause my head to spin as a security practitioner. 

My reaction stems from the repeated belief that there should be separation of delivery between the network plumbing, the security service layers and ultimately the application(s) that run across them.  Note well that I’m not suggesting that common instrumentation, telemetry and disposition shouldn’t be collaboratively shared, but their delivery and execution ought to be discrete.  Best tool for the job.

Of course, this very contention is the source of much of the disagreement between me and many others who believe that security will just become absorbed into the "network."  It seems now that Alan is suggesting that the model of combining all three is going to be something in high demand (at least in the SME/SMB) — much in the same way Cisco does:

The day is rapidly coming when people will ask why would they buy a box that all it does is a bunch of security stuff.  If it is going to live on the network, why would the network stuff not be on there too or the security stuff on the network box.

Firstly, multi-function devices that blend security and other features on the "network" aren’t exactly new.

That’s what the Cisco ISR platform is becoming now what with the whole Branch Office battle waging, and back in ’99 (the first thing that pops into my mind) a bunch of my customers bought and deployed WhistleJet multi-function servers which had DHCP, print server, email server, web server, file server, and security functions such as a firewall/NAT baked in.

But that’s neither here nor there, because the thing I’m really, really interested in is Alan’s decidedly non-security-focused approach to prioritizing utility over security, given that he works for a security company, that is.

I’m all for bang for the buck, but I’m really surprised that he would make a statement like this within the context of a security discussion.

That is what Mitchell has been talking about in terms of what we are doing and we are going to go public Monday.  Check back then to see the first small step in the leap of UTM’s becoming a feature of Unified Network Platforms.

Virtualization is a wonderful thing.  It’s also got some major shortcomings.  The notion that just because you *can* run everything under the sun on a platform doesn’t always mean that you *should* and often it means you very much get what you pay for.  This is what I meant when I quoted Lee Iacocca when he said "People want economy and they will pay any price to get it."

How many times have you tried to consolidate all those multi-function devices (PDA, phone, portable media player, camera, etc.) down into one device.  Never works out, does it?  Ultimately you get fed up with inconsistent quality levels, you buy the next megapixel camera that comes out with image stabilization.  Then you get the new video iPod, then…

Alan’s basically agreed with me on my original point discussing features vs. markets and the UTM vs. UNP thing is merely a handwaving marketing exercise.  Move on folks, nothing to see here.

’nuff said.

/Hoff

(Written sitting in front of my TV watching Bill Maher drinking a Latte)

What Do “Grassy Knees,” a Gartner Analyst, Cuban Garlic Chicken and Poor Fashion Choices Have in Common?

March 22nd, 2007 1 comment

It’s not the sordid tale of lust, information security and circus midgets you might have been expecting from the title, but instead the highlights of a couple of evenings spent entertaining a wayward analyst soul from Phoenix.

Rich Mogull, Gartner analyst and data protection mercenary, was in town for a couple of evenings, and I played cruise ship entertainment director.  It’s what I do.  If a fellow blogger or security wonk comes to my town, has a few minutes to spare, it’s my self-appointed duty to make damned sure they have a good time.

I’m all about the full disclosure.  It’s how we roll. 

As Rich so kindly nominated me for "Best Host for Security Geeks in Boston" I must suggest that he plays the role of visiting team quite well.  Damned good head on his shoulders, fun dude to talk with and listen to, and should you ever need saving on the side of a snow-covered mountain, it seems that he’s all you’ll ever need.

We had a great dinner at the Naked Fish (which incidentally has nothing to do with my tattoos), and then ended up closing that down in favor of the hotel bar in Bedford, in which we most certainly were the worst dressed amongst the crowd.  We executed on the wild tech guy role very well, using every free napkin in the house to scribble the solutions to every known security problem currently defined.

I called Shimmy because whilst late, I suggested I could do his podcast drunk with Rich adding beatbox sound effects in the background.  Alan listened to me ramble for 10 minutes before he asked "Who the hell is this!?"

The next night we hit BeanSec! and hooked up with Mike Murray, 78% of Veracode’s employees (except for Wysopal who is now finally too l33t to hang with us) and 46% of Crossbeam’s staff.

I tried for an analyst trifecta:

Jaquith was invited but he was in Utah gettin’ all Mormon’d up.  Rothman was, well, not there because BeanSec! is not pragmatic enough.  Stiennon was busy securing the network fabric of the entire nation state of Haiti and nobody @ IDC would answer my calls.  Ah well.

Despite that, a good time was had by all.

Good seeing you, Rich.  Come back sometime…as soon as you add me to your BlogRoll, that is. 😉

/Hoff

(P.S. Just to be clear, a "Grassy Knee" is one of the specialty drinks at the Enormous Room in Cambridge where we hold BeanSec!  along with the "Bad Babysitter" and "God in Little Pieces."  Any other imaginative definition is your own fault, you perv.  That is all.)

When Blogging goes bad…

March 3rd, 2007 3 comments

Hey, do you remember reading this little snippet as a quote from a certain industry personality we all know and love in regards to his lack of love for UTM?

"I have a problem with the idea of Universal Threat Management appliances.  Leaving aside the horrible terminology (Who wants to manage threats? Don’t you want to block them and forget about them?) the question that I always ask is: If best-of-breed is the standard for large enterprises why would it be good practice for a smaller entity to lump a lot of security functions such as firewall, email gateway, spam filter, anti-virus, anti-spyware, IDS, IPS, and vulnerability management all in one under-powered device?"

I’ll give you a hint.  It was posted here by the original author and I responded to it, here.

That’s right!  It was my buddy, Richard Stiennon — lambasting Universal (sic) Threat Management appliances…like those of Fortinet, before they offered him a job.  Perhaps Fortinet doesn’t count because they make Unified, not Universal, Threat Management devices?

Don’t hate the player, baby, hate the game!  (i.e., be careful what you blog, it could come back to hire haunt you.)

Sorry, Rich.  3 Bourbons and a long week make Johnny a lit boy.  Couldn’t help myself.  Fire Away!

/Hoff