Posts

I had a discussion last week that ended with this question. “Why do we do security”. There wasn’t a great answer to this question. I guess I sort of knew this already, but it seems like something too obvious to not have an answer. Even as I think about it I can’t come up with a simple answer. It’s probably part of the problems you see in infosec. The purpose of security isn’t just to be “secure”, it’s to manage risk in some meaningful way. In the real world this is usually pretty easy for us to understand. You have physical things, you want to keep them from getting broken, stolen, lost, pick something. It usually makes some sort of sense. ...

Josh and Kurt discuss news of the day, banks, 3D printing, and lockpicking. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/282763713-opensourcesecuritypodcast-episode-3-the-lockpicking-sewing-circle.mp3 Show Notes Segate NAS mining bitcoin Telnet honeypot activity Bravia TVs losing Youtube 10 Million Raspberry Pis last.fm passwords Hack Proof Systems 3D printing pen LulzBot Comment on Twitter

Are you an expert? Do you know an expert? Do you want to be an expert? This came up for me the other day while having a discussion with a self proclaimed expert. I’m not going to claim I’m an expert at anything, but if you tell me all about how good you are, I’m not going to take it at face value. I’m going to demand some proof. “Trust me” isn’t proof. ...

Josh and Kurt discuss how open source security works. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/281731016-opensourcesecuritypodcast-episode-2-instills-the-proper-amount-of-fear.mp3 Show Notes CII Badges CVE Node Security Project CSO open source story Comment on Twitter

Josh and Kurt discuss their first podcast as well as random bits about open source security. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/281712199-opensourcesecuritypodcast-episode-1-rich-history-of-security-flaws.mp3 Show Notes Gordon-Loeb Model for investing 37% the cost of a breach Dunning-Kruger Mudge Mercedes tweet Fear of elevators Comment on Twitter

There is an old saying we’ve all heard at some point. It’s often attributed to Donald Rumsfeld. There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know If any of us have ever been in a planning meeting, a variant of this has no doubt come up at some point. It came up for me last week, and every time I hear it I think about all things we don’t know we don’t know. If you’re not familiar with the concept, it works a bit like this. I know I don’t know to drive a boat. But because I know I don’t know this, I could learn. If you know you lack certain knowledge, you could find a way to learn it. If you don’t know what you don’t know, there is nothing you can do about it. The future is often an unknown unknown. There is nothing we can do about the future in many instances, you just have to wait until it becomes a known, and hope it won’t be anything too horrible. There can also be blindness when you think you know something, but you really don’t. This is when people tend to stop listening to the actual experts because they think they are an expert. ...

This has been a pretty wild week, more wild than usual I think we can all agree. The topic I found the most interesting wasn’t about one of the countless 0day flaws, it was a story from Slate titled: In Praise of the Private Email Server The TL;DR says running your own email server is a great idea. Almost everyone came out proclaiming it a terrible idea. I agree it’s a terrible idea, but this also got me thinking. How do you explain this to someone who doesn’t really understand what’s going on? ...

Earlier this week I had a chat with David A. Wheeler about mentoring. The conversation was fascinating and covered many things, but the topic of mentoring really got me thinking. David pointed out that nobody will mentor if they’re not getting paid. My first thought was that it can’t be true! But upon reflection, I’m pretty sure it is. I can’t think of anyone I mentored where a paycheck wasn’t involved. There are people in the community I’ve given advice to, sometimes for an extended period of time, but I would hesitate to claim I was a mentor. Now I think just equating this to a paycheck would be incorrect and inaccurate. There are plenty of mentors in other organizations that aren’t necessarily getting a paycheck, but I would say they’re getting paid in some sense of the word. If you’re working with at risk youth for example, you may not get paid money, but you do have satisfaction in knowing you’re making a difference in someone’s life. If you mentor kids as part of a sports team, you’re doing it because you’re getting value out of the relationship. If you’re not getting value, you’re going to quit. ...

Last week saw a really interesting bug in TCP come to light. CVE-2016-5696 describes an issue in the way Linux deals with challenge ACKs defined in RFC 5961. The issue itself is really clever and interesting. It’s not exactly new but given the research was presented at USENIX, it suddenly got more attention from the press. The researchers showed themselves injecting data into a standard http connection, which is easy to understand and terrifying to most people. Generally speaking we operate in a world where TCP connections are mostly trustworthy. It’s not true if you have a “man in the middle”, but with this bug you don’t need a MiTM if you’re using a public network, which is horrifying. ...

If you attended Black Hat last week, the single biggest message I kept hearing over and over again is that what we do today in the security industry isn’t working. They say the first step is admitting you have a problem (and we have a big one). Of course it’s easy to proclaim this, if you just look at the numbers it’s pretty clear. The numbers haven’t really ever been in our favor though, we’ve mostly ignored them in the past, I think we’re taking real looks at them now. ...