Posts

If you pay attention at all, this week you heard about a security flaw in OpenSSH. Link to scary security flaw Of course nothing is going to change because of this. We didn’t make any real changes after Heartbleed or Shellshock, this isn’t nearly as bad, it’s business as usual. Trying to force change isn’t the important part though. The important thing to think about is the context this bug exists in. The folks who work on OpenSSH are some of the brightest security minds in the world. We’re talking well above average here, not just bright. If they can’t avoid security mistakes, is there any hope for the normal people? ...

If you live in the US you can’t escape the news about the Powerball lottery. The jackpot has grown to $1.3 Billion (with a capital B). Everyone is buying tickets and talking about what they’ll do when they win enough money to ruin their life. This made me realize the unfortunate truth about security we like to ignore. Humans are bad at reality. Here is how most of my conversations go. ...

Over the holiday break I spent a lot of time reading and thinking about what the security problem really is. It’s really hard to describe, no analogies work, and things just seem to keep getting worse. Until now! Maybe. Well, things will probably keep getting worse, but I think I’ve found a way to describe this almost anyone can understand. We can’t really talk about our problems today, which makes it impossible to fix anything. ...

If you have any sort of gym membership you dread the month of January. Every year, there are countless people who make a resolution to get in shape, so the gym is flooded with people for much of January. I’m in favor of everyone staying in shape and having a gym membership, my point isn’t to claim how annoying the n00bs are. The point of this story is how few people stick around, and most give up because doing nothing is often easier than doing something. ...

Mallory was dead: to begin with. Bob knew he was dead, and nobody liked Bob, he was the security guy, nobody likes the security guy. “Merry Christmas Bob!” said Alice. “Bah humbug!” was the reply. Bob had to work over Christmas protecting the network, he had no reason to be merry. As Bob opened the door to the server room he noticed the door knocker looked like Mallory, which was odd as the server room door didn’t have a knocker. A closer inspection led Bob to believe his mind was playing tricks on him. ...

If you’re old enough, you remember reading a lot about the coming “paperless office”. It never came, but I realized there are parallels we can draw in the context of our current security problems. Back in the 90’s, everyone wanted a paperless office. It sounded neat and with the future coming, who would need paper with all the flying cars and hoverboards! It turns out paper didn’t go away. Everyone keeps talking about how security is the most important thing ever, investing in the paperless office was once the most important thing ever. ...

I had a meeting with some non security people to discuss some of the challenges around security. It’s a rather popular topic these days but nobody knows what that means (remember 5 years ago when everyone talked about cloud but nobody knew what that meant?). The details are irrelevant, the most important thing that came out of this meeting was when someone pointed out as a group we are impatient. ...

There’s a story of a toothbrush security advisory making the rounds. This advisory is pretty funny but it matters. The actual issue with the toothbrush isn’t a huge deal, an attacker isn’t going to do anything exciting with the problems. The interesting issue here is we’re at the start of many problems like this we’re going to see. Today some engineers built a clever toothbrush. Tomorrow they’re going to build new things, different things. Security will matter for some of them. It won’t matter for most of them. ...

This tweet https://twitter.com/RichFelker/status/666325066838339584 Led to this thread http://marc.info/?t=144778171800001&r=1&w=2 The short version is there are some developers from Red Hat working on gcc attempting to prevent ROP style attacks. More than one person has accused this work of being pointless and a waste of time. It’s not, the waste of time is arguing about why trying new things is dumb. Here’s the important thing security people always screw up. The only waste of time is if you do nothing and complain about the people who are doing something. ...

Today containers are a bit like how cars used to work a long long long time ago. You couldn’t really buy a car, you had to build it yourself or find someone who could build one for you in their barn. The parts were terrible and things would break all the time. It probably ran on steam or was pulled by a horse. Containers aren’t magic. Well they are for most people. Almost all technology is basically magic for almost everyone. There are some who understand it but generally speaking, it’s complicated. People know enough to get by which is fine, but that also means you have to trust your supplier. Your car is probably magic to you. You put gas in a hole in the back, then you can press buttons, push peddles, and turn wheels to transport you places. I’m sure a lot of people at this point are running through the basics of how cars work in their heads to reassure themselves its’ not magic and they know what’s going on! ...