We all know that IT security and operations is becoming a more challenging and untenable problem day by day – see “Top 10 Reasons Your Security Program Sucks and Why You Can’t Do Anything About it” – The reality is that we continue to build on top of inherently insecure and fundamentally weak foundations, such as the operating systems and routing infrastructures that power much of the global economy.
We need an alternative to the current computing paradigms that all organizations struggle with.
To economists, the "broken window" parable poses the question: if a shopkeeper pays a glazier to repair a broken window at his store, does this deliver an economic benefit to society? Many people would say yes, because it generates demand for glass and work for the glazier.
Have you ever been witness to the fury of that solid citizen, James Goodfellow, when his incorrigible son has happened to break a pane of glass? If you have been present at this spectacle, certainly you must also have observed that the onlookers, even if there are as many as thirty of them, seem with one accord to offer the unfortunate owner the selfsame consolation: "It's an ill wind that blows nobody some good. Such accidents keep industry going. Everybody has to make a living. What would become of the glaziers if no one ever broke a window?"
Excerpt from the 1850 essay "That Which is Seen and That Which is Unseen" by Frederic Bastiat
In the security industry we like to fool ourselves into thinking that we can materially impact an organization's security posture. We believe that a new tool, a new framework, a new regulation, a new school of thought will lift the veil of organizational ignorance and enable us to attain the state of enlightened security practitioner.
But as we trudge through the mud and haste of our increasingly digital lives we embrace the continuity of failure that is security, only we have more of it…more threats, more tools to deal with the threats, more people to deal with the tools, more process to deal with the people, more adoption of technology leading to more threats, which of course leads to more of the same – more fail.
Maybe it is time to stop fooling ourselves and recognize that to move forward we have to know our limitations and start to question the status quo that so many others rely on for their livelihood.
So as you stare out the window, morning cup of coffee in hand, a tear rolling listlessly down toward your chin, and as you're sitting there pondering what went so terribly wrong, take a moment to reflect on the top 10 reasons your security program sucks and why, no matter how much you kick and scream, it will continue to suck…
From Computer World UK (here)
Black Friday and Cyber Monday have come and gone. Now it’s time for Amrit Wednesday, or Thursday, or Friday—oh, whatever—to pay our industry back for all the dubious cheer it spread in 2009. Believe me, when it comes to this list, it’s much better to give than receive. Here goes:
So apparently the latest version of the Qualys Laws of Vulnerability Report has Qualys jumping to some pretty outrageous claims about how cloud computing – invented by Qualys according to Courtot (insert cute smiley here) – can secure IT more effectively, or allow people to stop patching, or some such nonsense (thanks to Hoff for the heads up).
Anyway, so the logic flaw goes something like this ->
It has been a while since we had a good old fashioned, highly publicized, hysteria inducing, globally distributed, mass-infecting worm. The AV vendors (here) and (here) must be ecstatic that 2009 is really turning out to be the year of the largest security incidents since the beginning of forever, as I predicted it would be back in January (here). Of course you could make that prediction every year for the next 20-30 years and pretty much experience an 80%+ success rate; it's like predicting that as social media becomes ubiquitous we will experience more social media related security threats, or that as the economic condition worsens it will drive even more financially motivated cybercrime, buoying an already burgeoning digital black market, or that there will be more high-profile data breaches – all no brainers.
Well friends we are nearing the end of another year and closing in on the first decade of the century. As we prepare for the onslaught of 2009 predictions I thought it would be appropriate to look back on all that is FAIL in the world of technology over the past decade so we can learn, grow and laugh at someone else’s expense. So I give you the top 10 worst technology failures of the last decade…
10. Oakley MP3 sunglasses (The Death of Cool)
A WAGNERIAN ARIA plays, a crystalline TENOR SOLO haunting in its beauty consumes an executive board room
Oakley Executive #1
“Let’s take one of the hottest sunglass brands and combine them with one
of the hottest consumer gadgets and make millions”
“Yeah, we will make millions, let’s do it”
This is definitely a case of two things that do not go well together, sort of like Mentos and soda, or Symantec and innovation. Aside from the logistical issue of having to wear sunglasses to listen to music, there is simply no way to look cool wearing a pair of dork specs, and honestly, who buys a pair of Oakleys if they didn't want to look cool?
Full Disclosure: I owned stock in Oakley, was actually quite happy that they signed a contract with the Army and when they released the oil drum model I was sure the stock would sky rocket, oh well.
9. The Original DIVX (Making Betamax look genius)
In an awe inspiring moment of fail Circuit City (here), the now gasping for air consumer electronics chain, made an attempt to corner the movie rental industry with the introduction of the Digital Video Express (DIVX) format. The concept was simple, you – the consumer – pay them $4 for a disc that is only viewable for 48 hours and only on a DIVX player – after 48 hours it became as useless as silicone thigh implants, unless you coughed up an additional $3-4 for another 48 hours.
8. HD DVD (The FAIL of a new generation)
The now obsolete high-definition digital video format introduced by Toshiba lost the HD format wars to Blu-ray. I would love to weave a David and Goliath story that touched the four corners of the entertainment industry, spin a tale of how the Xbox and PS3 were instrumental in the success of one and the demise of the other, or how tech savvy consumers, battle hardened from decades of format evolution, were able to understand the nuances of quality, cost, storage capacity and available content. I would have loved to post that the porn industry won the battle, but in the US they actually standardized on HD DVD. So how did HD DVD lose? Purely conjecture on my part, but it would appear that Sony simply out biz dev'd Toshiba, scoring retailer and major studio support and amassing a larger collection of movie titles.
7. The Millennium Bug (Y2Fail)
Billed as the technology equivalent of the “Day After” (here), a movie depicting the devastating effects of a nuclear holocaust, the Y2K, or Millennium bug, was supposed to result in a total technology breakdown. It was feared that planes would fall from the sky, critical services would cease to function and the world’s power grids would go dark. I remember at the time I was working at McAfee (here) and as the clock moved closer to New Years the office was crawling with reporters hungry for a front row seat to digital Armageddon. Of course, nothing happened and all the doomsayers were forced to take down their sandbags and unload their automatic rifles – to some this was a really disappointing turn of events, for others it marked the most visible technology FUD fail of all time.
6. Windows ME (Mistake Edition)
I would have said Bob, but that fail was so 1995. Windows ME (here), dubbed the slowest, buggiest, and most unstable operating system ever released, has won top honors as the worst Microsoft OS to date. The biggest flaw in Windows ME, and earlier versions of the Windows 9x line, is a lack of memory protection. This problem was exacerbated in Windows ME as Microsoft attempted to introduce a broad set of new capabilities, such as new system utilities like System Restore, media support, automatic updates and the new TCP/IP stack, all of which allowed Microsoft to achieve a whole new level of stability fail.
5. The Sony BMG Rootkit (Meine kleine digitale Parasiten)
In what has probably become the epic DRM (digital rights management) fail of all time (here), Sony BMG implemented a copy protection scheme that was distributed through music CD’s to consumer desktops, essentially installing a nearly undetectable rootkit that collected user information and sent it to the Borg collective. It was eventually detected and there was a major backlash from the security industry. Sony is still in the middle of fending off class-action lawsuits as a result.
4. Second Life (Give us your marginal, your dispossessed, your virtually lost)
Second Life (here) is the internet based virtual world created by Linden Labs, in which virtual "residents" roam a 3D virtual world, virtually interacting with each other and virtually trading virtual money, called Linden dollars. No mythical creatures, no battle axes, or quests, or zombies, or explosions, or really any point to it at all. What kind of folks spend their time in a virtual world? Well according to Linden Labs Chairman of the board, Mitch Kapor…
the earliest wave of pioneers in any new disruptive platform, the marginal and the dispossessed are over-represented, not the sole constituents by any means, but people who feel they don't fit, who have nothing left to lose or who were impelled by some kind of dream, who may be outsiders to whatever mainstream they are coming from, all come and arrive early in disproportionate numbers.
Just massive amounts of time doing nothing "virtually" with a group of marginal and dispossessed individuals – really? Seriously? Is this for real? Perhaps they should change the name to secondlife.com.
3. Windows Vista (Windows ME Take 2)
Windows Vista (here), the successor to Windows XP, was supposed to herald a new era of Windows security, stability, and functionality; unfortunately it failed on at least 2 of those fronts, as there were widespread incompatibility and performance issues. In one of the oddest enterprise software ad campaigns to date, Microsoft unveiled "Mojave", the "Ha! I tricked you, it really is just Vista" experiment (here) – call it what you will, fail is as fail does. Microsoft is now looking to fast track the release of Windows 7, which is the final nail in the Vista coffin. The folks over at ZDNet have a nice writeup on the top 5 reasons Vista failed (here).
2. The Internet bubble and dot com bomb of the early decade (E Pluribus, deficio)
I loved the 90's; back then you could get your money for nothing and your chicks for free, but like every wild party, someone has to deal with the massive hangover the next day (here), and that hangover was the sudden reality that more than half of the .com companies were not only poorly managed and had ridiculous valuations, but were based on business models that seemed to be developed by third graders. Seriously, not just one company that sells pet food over the internet but 5? Remember when the market cap for Amazon was greater than the entire addressable market they served, not only the digital marketplace but brick and mortar included? I know, I know, greed trumps common sense, as we are experiencing with the sudden, although not unexpected, mortgage collapse and financial crisis, but didn't someone think to ask "Seriously, you are willing to invest $20m in my company if I add a .com after the name – that's just stupid"?
1. The paperless office
No greater fail in our lifetime has had the impact that the myth of the paperless office has had. It has driven an entire industry in the PC and shaped a new generation of technical gadgetry and digital fail, from ebooks to digital document management systems; the paperless office has been a myth of epic proportions. Now I wasn't around in the 40's, which is when I believe the term was coined, but I imagine that there was far less paper floating around then than there is now, and there seems to be no let up in the tsunami of felled trees and charred Brazilian rain forest that fuel our appetite to print everything, even if a new ink jet print cartridge costs more than a week's worth of groceries.
Of course this is just one analyst's opinion (and an entire market of data), so let me know – what did I get wrong and what did I miss?
Now of course it would be easy to slap the hide of NAC, IDS, and DLP technologies, but why kick something when it is down, besides we have Stiennon for that (here)…so I give you the 11 worst ideas in security, presented in far less a grumpy format than Ranum’s 6 dumbest ideas in security (here), and of course I kicked it up to 11…
11. Security Industry and Market Analysts (I am become analyst, the destroyer of markets)
Those bastions of knowledge, defenders of the objective faith, and creators of 2-page, in depth, market analysis reports. They don't actually analyze security; they analyze the security market. They say cool things like "By the end of 2007, 75% of enterprises will be infected with undetected, financially motivated, targeted malware that evaded their traditional perimeter and host defenses." and come up with amusing names and acronyms (did you know that NBA – Network Behavior Analysis – was at one time called NADS – Network Anomaly Detection System – you can imagine the fun Gartner could have had with an overview of the NADS market). I spent years as an analyst myself and I loved my time, but I will always regret that analysts never actually test, demo, or even interact with the technology they so confidently and assertively write about.
10. Microsoft CPAV (Central Point Anti-Virus – when turning it up to 11 is 10 too many)
Many of you may not remember that Microsoft used to ship an integrated AV product – CPAV (Central Point Anti-Virus), licensed from Central Point Software and bundled with MS-DOS. CPAV = total suckage. It was a simpler time; malware consisted of threats like the Stoned virus (infect the computer, make it look droopy and display a "your computer's stoned" message) and you really didn't need quality, but you did need something that didn't completely impact user productivity, suck all the computing resources, and disrupt other services – ah, the good old days.
9. The Vulnerability market (what can I get for $.63?)
What happens if you create a market and no one buys? Nothing, but a whole lot of complaining from a whole lot of grumpy researchers about how no one takes security seriously and what a thankless job it is to break someone else’s software and then not be showered with accolades when you present them with the data that their software is broken.
8. Scan and Patch (The never ending hamster wheel of late nights and working weekends)
The security group will scan the environment against a database of known vulnerabilities and then harass, scare and guilt-trip the operations team into actually fixing something – it is also referred to by Philip Roth as the Jewish Mother process. This never-ending, reactionary, ad-hoc, false-positive laden, non-environmentally aware, slow, cumbersome, disruptive, snapshot-in-time approach = effectiveness fail. I have written about this before (here).
7. PKI (Easy to deploy, manage, and administer – oh, wait, whoops, never mind)
Quick story: When I was with McAfee we acquired PGP, and as part of the acquisition the McAfee IT department attempted to roll out PGP encryption. It was a total fail. It was never properly deployed and the IT folks just gave up and moved on to some other important project, like getting their hands on some cool network sniffers. At the time I thought, "Wow, we own this crap and can't deploy it, how the hell will the people we sell it to manage?" It would require a ton of bureaucracy and an army of civil servants to be successful, and this is why the federal government loves PKI.
6. Security Through Obscurity (These are not gur qebvqf lbh are looking for – guess how I cryptoed that)
Frphevgl guebhtu bofphevgl qbrfa’g jbex…crbcyr jvyy nethr gung vs lbh anzr lbhe FFVQ fbzrguvat yvxr AFN Abqr, ab bar jvyy oernx va – OF, be vs lbh pnyy lbh Jvaqbjf obk SerrOFQ, be qvfnoyr inevbhf UGGC cbfg erfcbafrf gung lbh ner fnsr – jebat, lbh’er whfg na vqvbg =)
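The "crypto" in the heading and the paragraph above is ROT13, a Caesar shift of 13 places, and it makes the point about obscurity better than any argument: the "key" space has 25 usable shifts, so nobody needs to know which one was used. The following Python is an added example, not code from the original post; it decodes the paragraph above, and it goes one step beyond the text by brute-forcing every shift and picking the one that produces the most English, the way an attacker who did not even know it was ROT13 would. The small word list used for scoring is an assumption of the example.

```python
# Added example: ROT13 is a Caesar shift of 13. Decoding it, and brute-forcing
# a Caesar shift without knowing the key, takes a few lines each.
import codecs

# Ciphertext copied verbatim from the post's "Security Through Obscurity" entry.
CIPHERTEXT = (
    "Frphevgl guebhtu bofphevgl qbrfa’g jbex…crbcyr jvyy nethr gung vs lbh anzr "
    "lbhe FFVQ fbzrguvat yvxr AFN Abqr, ab bar jvyy oernx va – OF, be vs lbh pnyy "
    "lbh Jvaqbjf obk SerrOFQ, be qvfnoyr inevbhf UGGC cbfg erfcbafrf gung lbh ner "
    "fnsr – jebat, lbh’er whfg na vqvbg =)"
)


def caesar_shift(text: str, k: int) -> str:
    """Shift ASCII letters by k positions (mod 26); every other character passes through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + k) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + k) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: shifting by 13 twice returns the input."""
    return caesar_shift(text, 13)


def matches_stdlib(text: str) -> bool:
    """Cross-check the hand-rolled shift against Python's built-in rot_13 codec."""
    return rot13(text) == codecs.decode(text, "rot_13")


# Assumed scoring list for the brute force: a handful of very common English words.
# A real attacker would use letter frequencies or a dictionary; this is enough here.
COMMON_WORDS = {
    "the", "and", "you", "your", "that", "will", "are", "not", "or", "if",
    "no", "one", "just", "safe", "wrong", "security", "something", "like",
}


def score_english(candidate: str) -> int:
    """Count tokens that are common English words after trimming punctuation."""
    punct = ".,;:'’\"=)(…–-"
    return sum(1 for w in candidate.split() if w.strip(punct).lower() in COMMON_WORDS)


def brute_force(cipher: str) -> tuple[int, str]:
    """Try all 26 shifts and return (shift, plaintext) for the most English-looking one.

    The shift returned is the encryption shift, i.e. the plaintext is cipher shifted back by it.
    """
    candidates = [(k, caesar_shift(cipher, -k)) for k in range(26)]
    return max(candidates, key=lambda kv: score_english(kv[1]))


if __name__ == "__main__":
    shift, plain = brute_force(CIPHERTEXT)
    print(f"best shift: {shift}")
    print(plain)
```

Run it and the "obscured" text falls out with shift 13 scoring far above the other 25 candidates; a scheme whose entire secret is "which of 25 shifts" is not a scheme, which is the point the paragraph makes about SSIDs and banners.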
5. WEP (French encryption – it surrenders in minutes)
What is worse than no security? ineffective security that doesn’t work – WEP is like putting up an aluminum foil door and pretending that no one can break through it – far better to just not have a door and know it – really not a lot more to add.
4. Signature-based AV (Design fail – only works if there is parity between sigs and viruses)
Signature based AV isn't protecting anyone anymore (here); it certainly wasn't providing any protection against spyware or some of the nastier threats that have popped up recently. It didn't stop Blaster, or Sasser, or Slammer; it did nothing to help ChoicePoint, or the VA, or the orgy of disclosure we have all become numb to. It was running happily along, updated and content, on my mom's machine when it turned out her Windows XP box was infected with some pretty nasty bits. The real problem, though, is the sheer volume of malware that one needs to create a signature against – and what does one do with a 5 million signature dat file? No wonder every time Symantec runs an application dies.
3. The Vulnerability Disclosure Debate (good, bad, good, bad – who gives a crap)
There was a time when I had some passion for this topic; right or wrong, I had an opinion and was looking for responsible disclosure (here). I have come to realize that a. it really doesn't matter and b. those with malicious intent are far less concerned with silly disclosure debates than those fighting the good fight. The vulnerability disclosure debate is security's equivalent of Britney Spears – no matter how bad it gets, you can't help but be curious.
2. Passwords (2Chr177xh0ff)
Passwords suck (here): they are cumbersome, difficult to manage, prone to attack and require continuous care and feeding – they also aren't terribly effective, but they are the best we can do with what we have, so remember to choose wisely and don't feel like less of a man simply because you have to use a password manager; everybody needs a little assistance now and again.
1. Security Vendors and the VC’s that love them (The root of all security evil)
The goal of the security industry is not to secure, the goal of the security industry is to make money. I think we all know this conceptually, and even with the best intentions in our capitalistic society we must understand that security companies are motivated by profits. This isn’t necessarily a bad thing, but it should help to dispel the myth that security companies are smarter than hackers, they aren’t, they are just smarter than the buyers – from (here)