Posts

As anyone who reads this blog knows, I’ve been talking about soft skills in security for quite some time now. I’m willing to say it’s one of our biggest issues at the moment, a point which I get a lot of disagreement on. I have sympathy for anyone who thinks this stuff doesn’t matter, I used to be there. Until I had to start talking to people. As soon as you talk to most anyone outside the security echo chamber, you see what’s actually going on, and it’s not great. ...

During the RSA conference, I was talking about containers and it occurred to me we can think about them like a sandwich. Not so much that they’re tasty, but rather where does your container come from. I was pleased that almost all of the security people I spoke with understand the current security nightmare containers are. The challenge of course is how do we explain what’s going on to everyone else. Securtiy is hard and we’re bad at talking about it. They also didn’t know what Red Hat was doing, which is totally our own fault, but we’ll talk about that somewhere else. ...

The RSA conference is done. It was a very long and busy show, there were plenty of interesting people there and lots of clever ideas and things to do. I think the best part is what didn’t happen though. We love talking about the exciting things from the show, I’m going to talk about the unexciting non events I was waiting to happen (but thankfully they did not). The DROWN issue came and went. It wasn’t very exciting, it got the appropriate amount of attention. Basically SSLv2 is still broken, don’t use it for any reasons. If you use SSLv2, it’s like licking the handrail at the airport. Nobody is going to feel bad for you. ...

It’s been no secret that I think the lack of soft skills in the security space is one of our biggest problems. While usually I usually only write all about the world’s problems and how to fix them here, during RSA I’m going to take a somewhat different approach. I’m giving a talk on Friday titled Why Won’t Anyone Listen to Us? I’m going to talk about how a security person can talk to a normal person without turning them against us. We’re a group that doesn’t like talking to anyone, even each other. We need to start talking to people. I’m not saying we should stand around and accept abuse, I am saying the world wants help with security. We’re not really in a place to give it because we don’t like people. But they need our help, most of them know it even! ...

After my last blog post Change direction, increase speed! (or why glibc changes nothing) it really got me thinking about how can we start to fix some of this. The sad conclusion is that nothing can be fixed in the short term. Rather than trying to make up some nonsense about how to fix this, I want to explain what’s happening and why this can’t be fixed anytime soon. Let’s look at Heartbleed first. ...

The glibc issue has had me thinking. What will we learn from this? I’m pretty sure the answer is “nothing”, which then made me wonder why this is. The conclusion I came up with is we are basically the aliens from space invaders. Change direction, increase speed! While this can give the appearance of doing something, we are all very busy all the time. It’s not super useful when you really think about it. Look at Shellshock, Heartbleed, GHOST, LOGJAM, Venom, pick an issue with a fancy name. After the flurry of news stories and interviews, did anything change, or did everyone just go back to business as usual? Business as usual pretty much. ...

Unless you’ve been living under a rock, you’ve heard about the latest glibc issue. CVE-2015-7547 - glibc stack-based buffer overflow in getaddrinfo() It’s always hard to understand some of these issues, so I’m going to do my best to explain it using simple language. Making security easy to understand is something I’ve been talking about for a long time now, it’s time to do something about it. What is it? The fundamental problem here is that glibc has a bug that could allow a DNS response from an attacker to run the command of that attacker’s choosing on your system. The final goal of course would be to become the root user. ...

I had some discussions this week about security and the market. When I say the market I speak of what sort of products will people or won’t people buy based on some requirements centered around security. This usually ends up at a discussion about regulation. That got me wondering if there are any industries that are unregulated, have high safety requirements, and aren’t completely unsafe? After a little research, it seems SCUBA is the industry I was looking for. If you read the linked article (which you should, it’s great) the SCUBA story is an important lesson for the security industry. Our industry moves fast, too fast to regulate. Regulation would either hurt innovation or be useless due to too much change. Either way it would be very expensive. SCUBA is a place where the lack of regulation has allowed for dramatic innovation over the past 50 years. The article compares the personal aircraft industry which has substantial regulation and very little innovation (but the experimental aircraft industry is innovating due to lax regulation). ...

I’ve noted a few times in the past the whole security industry is run by magicians. I don’t mean this in a bad way, it’s just how things work. Long term will will have to change, but it’s not going to be an easy path. When I say everything is run by magicians I speak of extremely smart people who are so smart they don’t need or have process (they probably don’t want it either so there’s no incentive). They can do whatever needs to be done whenever it needs doing. The folks in the center are incredibly smart but they learned their skills on their own and don’t know how to pass on knowledge. We have no way to pass knowledge on to others, many don’t even know this is a problem. Magicians can be awesome if you have one, until they quit. New industries are created by magicians but no industry succeeds with magicians. There are a finite number of these people and an infinite number of problems. ...

If you pay attention at all, this week you heard about a security flaw in OpenSSH. Link to scary security flaw Of course nothing is going to change because of this. We didn’t make any real changes after Heartbleed or Shellshock, this isn’t nearly as bad, it’s business as usual. Trying to force change isn’t the important part though. The important thing to think about is the context this bug exists in. The folks who work on OpenSSH are some of the brightest security minds in the world. We’re talking well above average here, not just bright. If they can’t avoid security mistakes, is there any hope for the normal people? ...