Securityblog

Sysadmins used to rule the world. Anyone who’s been around for more than a few years remembers the days when whatever the system administrator wanted, the system administrator got. They were the center of the business. Without them nothing would work. They were generally super smart and could quite often work magic with what they had. It was certainly a different time back then. Now developers are king, the days of the sysadmin have waned. The systems we run workloads on are becoming a commodity, you either buy a relatively complete solution, or you just run it in the cloud. These days most anyone using technology for their business relies on developers instead of sysadmins. ...

This title is a bit click baity, but it’s true, not for the reason you think. Keep reading to see why. If you’ve ever been involved in keeping a software product updated, I mean from the development side of things, you know it’s not a simple task. It’s nearly impossible really. The biggest problem is that even after you’ve tested it to death and gone out of your way to ensure the update is as small as possible, things break. Something always breaks. ...

I had a discussion last week with some fellow security folks about how we can discuss security with normal people. If you pay attention to what’s going on, you know the security people and the non security people don’t really communicate well. We eventually made our way to comparing what we do to the door to door religious groups. They’re rarely seen in a positive light, are usually annoying, and only seem to show up when it’s most inconvenient. This got me thinking, we probably have more in common there than we want to admit, but there are also some lessons for us. ...

Sometimes when you plan for a security event, it would be expected that the thing you’re doing will be making some outcome (something bad probably) impossible. The goal of the security group is to keep the bad guys out, or keep the data in, or keep the servers patched, or find all the security bugs in the code. One way to look at this is security is often in the business of preventing things from happening, such as making data exfiltration impossible. I’m here to tell you it’s impossible to make something impossible. ...

If you’re paying attention, you saw the news about Yahoo’s breach. Five hundred million accounts. That’s a whole lot of data if you think about it. But here’s the thing. If you’re a security person, are you surprised by this? If you are, you’ve not been paying attention. It’s pretty well accepted that there are two types of large infrastructures. Those who know they’ve been hacked, and those who don’t yet know they’ve been hacked. Any group as large as Yahoo probably has more attackers inside their infrastructure than anyone really wants to think about. This is certainly true of every single large infrastructure and cloud provider and consumer out there. Think about that for a little bit. If you’re part of a large infrastructure, you have threat actors inside your network right now, probably more than you think. ...

TL;DR - No. Here’s why. I was talking with my Open Source Security Podcast co-host Kurt Seifried about what it would be like to access the modern Internet using dialup. So I decided to give this a try. My first thought was to find a modem, but after looking into this, it isn’t really an option anymore. The setup No Modem Fedora 24 VM Firefox as packaged with Fedora 24 Use the firewall via wondershaper to control the network speed “App Telemetry” firefox plugin to time the site load time I know it’s not perfect, but it’s probably close enough to get a feel for what’s going on. I understand this doesn’t exactly recreate a modem experience with details like compression, latency, and someone picking up the phone during a download. There was nothing worse than having that 1 megabyte download at 95% when someone decided they needed to make a phone call. Call waiting was also a terrible plague. ...

I had a discussion last week that ended with this question. “Why do we do security”. There wasn’t a great answer to this question. I guess I sort of knew this already, but it seems like something too obvious to not have an answer. Even as I think about it I can’t come up with a simple answer. It’s probably part of the problems you see in infosec. The purpose of security isn’t just to be “secure”, it’s to manage risk in some meaningful way. In the real world this is usually pretty easy for us to understand. You have physical things, you want to keep them from getting broken, stolen, lost, pick something. It usually makes some sort of sense. ...

Are you an expert? Do you know an expert? Do you want to be an expert? This came up for me the other day while having a discussion with a self proclaimed expert. I’m not going to claim I’m an expert at anything, but if you tell me all about how good you are, I’m not going to take it at face value. I’m going to demand some proof. “Trust me” isn’t proof. ...

There is an old saying we’ve all heard at some point. It’s often attributed to Donald Rumsfeld. There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know If any of us have ever been in a planning meeting, a variant of this has no doubt come up at some point. It came up for me last week, and every time I hear it I think about all things we don’t know we don’t know. If you’re not familiar with the concept, it works a bit like this. I know I don’t know to drive a boat. But because I know I don’t know this, I could learn. If you know you lack certain knowledge, you could find a way to learn it. If you don’t know what you don’t know, there is nothing you can do about it. The future is often an unknown unknown. There is nothing we can do about the future in many instances, you just have to wait until it becomes a known, and hope it won’t be anything too horrible. There can also be blindness when you think you know something, but you really don’t. This is when people tend to stop listening to the actual experts because they think they are an expert. ...

This has been a pretty wild week, more wild than usual I think we can all agree. The topic I found the most interesting wasn’t about one of the countless 0day flaws, it was a story from Slate titled: In Praise of the Private Email Server The TL;DR says running your own email server is a great idea. Almost everyone came out proclaiming it a terrible idea. I agree it’s a terrible idea, but this also got me thinking. How do you explain this to someone who doesn’t really understand what’s going on? ...