Are you an expert? Do you know an expert? Do you want to be an expert? This came up for me the other day while having a discussion with a self proclaimed expert. I’m not going to claim I’m an expert at anything, but if you tell me all about how good you are, I’m not going to take it at face value. I’m going to demand some proof. “Trust me” isn’t proof. ...
Josh and Kurt discuss how open source security works. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/281731016-opensourcesecuritypodcast-episode-2-instills-the-proper-amount-of-fear.mp3 Show Notes CII Badges CVE Node Security Project CSO open source story Comment on Twitter
Josh and Kurt discuss their first podcast as well as random bits about open source security. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/281712199-opensourcesecuritypodcast-episode-1-rich-history-of-security-flaws.mp3 Show Notes Gordon-Loeb Model for investing 37% the cost of a breach Dunning-Kruger Mudge Mercedes tweet Fear of elevators Comment on Twitter
There is an old saying we’ve all heard at some point. It’s often attributed to Donald Rumsfeld. There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know If any of us have ever been in a planning meeting, a variant of this has no doubt come up at some point. It came up for me last week, and every time I hear it I think about all things we don’t know we don’t know. If you’re not familiar with the concept, it works a bit like this. I know I don’t know to drive a boat. But because I know I don’t know this, I could learn. If you know you lack certain knowledge, you could find a way to learn it. If you don’t know what you don’t know, there is nothing you can do about it. The future is often an unknown unknown. There is nothing we can do about the future in many instances, you just have to wait until it becomes a known, and hope it won’t be anything too horrible. There can also be blindness when you think you know something, but you really don’t. This is when people tend to stop listening to the actual experts because they think they are an expert. ...
This has been a pretty wild week, more wild than usual I think we can all agree. The topic I found the most interesting wasn’t about one of the countless 0day flaws, it was a story from Slate titled: In Praise of the Private Email Server The TL;DR says running your own email server is a great idea. Almost everyone came out proclaiming it a terrible idea. I agree it’s a terrible idea, but this also got me thinking. How do you explain this to someone who doesn’t really understand what’s going on? ...
Earlier this week I had a chat with David A. Wheeler about mentoring. The conversation was fascinating and covered many things, but the topic of mentoring really got me thinking. David pointed out that nobody will mentor if they’re not getting paid. My first thought was that it can’t be true! But upon reflection, I’m pretty sure it is. I can’t think of anyone I mentored where a paycheck wasn’t involved. There are people in the community I’ve given advice to, sometimes for an extended period of time, but I would hesitate to claim I was a mentor. Now I think just equating this to a paycheck would be incorrect and inaccurate. There are plenty of mentors in other organizations that aren’t necessarily getting a paycheck, but I would say they’re getting paid in some sense of the word. If you’re working with at risk youth for example, you may not get paid money, but you do have satisfaction in knowing you’re making a difference in someone’s life. If you mentor kids as part of a sports team, you’re doing it because you’re getting value out of the relationship. If you’re not getting value, you’re going to quit. ...
Last week saw a really interesting bug in TCP come to light. CVE-2016-5696 describes an issue in the way Linux deals with challenge ACKs defined in RFC 5961. The issue itself is really clever and interesting. It’s not exactly new but given the research was presented at USENIX, it suddenly got more attention from the press. The researchers showed themselves injecting data into a standard http connection, which is easy to understand and terrifying to most people. Generally speaking we operate in a world where TCP connections are mostly trustworthy. It’s not true if you have a “man in the middle”, but with this bug you don’t need a MiTM if you’re using a public network, which is horrifying. ...
If you attended Black Hat last week, the single biggest message I kept hearing over and over again is that what we do today in the security industry isn’t working. They say the first step is admitting you have a problem (and we have a big one). Of course it’s easy to proclaim this, if you just look at the numbers it’s pretty clear. The numbers haven’t really ever been in our favor though, we’ve mostly ignored them in the past, I think we’re taking real looks at them now. ...
Unless you live in a cave (if you do, I’m pretty jealous) you’ve heard about all the political hacking going on. I don’t like to take sides, so let’s put aside who is right or wrong and use it as a lesson in thinking about how we have to operate in what is the new world. In the past, there were ways to communicate that one could be relatively certain was secure and/or private. Long ago you didn’t write everything down. There was a lot of verbal communication. When things were written down there was generally only one copy. Making copies of things was hard. Recording communications was hard. Even viewing or hearing many of these conversations if you weren’t supposed to was hard. None of this is true anymore, it hasn’t been true for a long time, yet we still act like what we do is just fine. ...
I’ve been getting myself ready for Blackhat. If you’re going you know this conference isn’t like most. You don’t bring your normal gear with you. You turn the tinfoil hat knob up to an 11, then keep turning it until it breaks off. I did do one thing that’s pretty clever this year though, I have no doubt it could be useful for someone else putting together an overengineered tin foil hat security rig. ...