Posts by mmccul

What really is clear from reading the actual SEC release on their charges is that the charges rely heavily on supposed warnings by a single individual. That creates the question, was the individual who issued the warnings a known worrywort, with a reputation for overstating risks and demanding disproportionate security for the analyzed risk? Just because they were right this time doesn't mean that a reasonable person, at the time, would have viewed the warnings by that person as realistic or appropriate.

I raise this point because I've been at shops where someone tried to demand completely disproportionate security to the threat profile, which would have exceeded the entire IT budget to address. I've also seen cases where risks were claimed in order to justify "security" tools that actually created more risk for the organization (I'm sure you know the kind I mean).

I expect we'll see a lot of expert witnesses arguing that not only were the warnings commensurate to the known threat profile at the time, but that they were willfully ignored rather than postponed due to other legitimate priorities.

"CISO"

Many shops I've gone (as a consultant), the "CISO" was actually doing the work of a security team lead, thinking they had a technical role in addition to a direct supervisory role over technical staff. Very few shops was the CISO given actual authority over building a strategy for the security program, the ability to craft a budget to execute that strategy.

Some of it was CISOs who refused to admit they were no longer in a technical role, but a managerial one. Other times, it was their own manager wouldn't give them the authority they needed to do their job. I've worked with CISOs who knew they were not a security analyst, not a security manager, or even director of security, but a CISO. It was very different in experience. I wonder, how many of these "CISOs" were doing the job of a CISO, how many were doing the job of a security team lead?

"Apple unsurprisingly rejected the ANFR's claims. It told The Register that ..."

Apple actually responded to The Register?

Not sure what to think

On the one hand, it's bad if Microsoft (or any vendor) downplays legitimate vulnerabilities, but on the other hand, I've seen plenty of cases where "vulnerability researchers" glory-hound and try to attract attention by verbally attacking the organizations that the "researchers" claim have vulnerabilities for not moving fast enough.

Tenable isn't exactly on my good list for respectable behavior or quality vulnerability detection or analysis. I deal with far too many cases on a regularly basis of hilariously bad detection logic, invented vulnerabilities (without even a CVE or CVSS score but are "high severity") with the software to trust their research completely. That back history I have causes me to be less willing to trust them than many other vendors.

Microsoft, as a vendor, has plenty of motive to downplay or belittle the vulnerability report. While the Microsoft of today is nothing like the Microsoft of fifteen years ago, there is still some inherent distrust I have of them.

And no, I'm not willing to presume that the truth is "in the middle", because that just encourages one side to lurch dangerously to an extreme, arguing that the truth "must be in the middle" when they defined the middle by their extreme position.

Compared and found lacking

I just did a comparison of a few fonts. Calibri, Times New Roman, Bierstadt, Bierstadt Display and Roboto. I used the same text and 12pt size

Interestingly, Bierstadt was the widest of the fonts, with Calibri being the narrowest. None of the fonts passed the capital o vs zero test of being able to readily identify which it is without them being next to each other in a case where either would make sense.

Bierstadt and Bierstadt Display's lower case L was awkward and the tail bled into the next letter, especially apparent when the next letter was vertical as well.

None of the sans serif fonts knew how to differentiate a pipe character | from others except making the pipe a bit longer than the capital i.

Roboto "appears" to be the largest visually. Bierstadt Display and Calibri were easily the two smallest. I could not readily decide which of the two was smaller.

Times New Roman, despite being on the smaller side for apparent height, had the largest apparent spacing between words, causing (for me) the least bleeding of words into each other. The difference may not be real, but it looked that way to me.

Obviously, everyone has different preferences, mine tend to wider spacing between letters and words to make each letter easier to distinguish, as well as a more distinct visual display between each letter, but none of the "chunkiness" I find in some fonts.

My testing was similar to an eye doctor saying "is this larger/clearer, or is this one?" Looking at two lines first one, then the other, reading the whole text as well as examining selected letters commonly hard to distinguish.

I'm just envisioning the implications to firewalls that do threat detection and classification of websites based on such precedents, not to mention other, more useful tools in the anti-malware arena.

It would not be pleasant to say the least.

Okay, I must be missing something, because everything I'm reading explicitly states that the police must obtain permission from the camera owner. Yes, we can all imagine the permission clause being abused, but it's a pretty big barrier to certain forms of misuse, because a camera owner might very well withdraw said permission if they feel it is bad for them. Current culture that I see in the Bay area I've seen includes refusal to offer even non-real time view into the cameras to police even if a crime has been committed, so I don't see it as overly likely that many camera owners will cooperate unless they see it as explicitly to their advantage.

LCLS

The LCLS system is actually a really nifty idea. "We know that if we shine a light on this, it'll destroy the sample, so let's shine a light ten million times brighter instead." Then they just have to collect femtosecond precision results to assemble the pictures. A lot of really interesting tech in it.

Green Rabbit

Am I the only person who heard of this as "green rabbits"? It was described to me thusly: They're really really fast, but they're so green they can't do anything. Send someone quickly to the site, but they often don't even pretend to do anything except declare the SLA for a tech arriving onsite had been met.

The problem is desktop components on servers

The recent trend on Linux in my experience is that an OS in theory aimed at a server comes with so many mobile end user system components, some of which are even harder to strip out than ever before that I feel like I'm running a laptop, not a server. I've done the exercise many times of sit down and justify every package installed or remove it on a few Linux distributions, and often end up stripping at least fifteen daemons, some of which are network related, that I couldn't justify ever existing on a server. (Yes, said systems ran in production for years in various functions without needing said packages re-installed.)

More recent trends in Linux only accelerate this tendency to treat the entire OS as a laptop, to the point that I've argued the people making the decisions for some Linux distributions are only using it on their personal laptop and think no one ever uses the OS on a server.

Context missing

I've participated in helping to analyze organizations against the very scale in question. Very few organizations I've reviewed would get even a level 2 rating in most target areas I was asked to review, including some that thought they were "pretty good" in infosec before I got there. A lot of the specifications required just for level 2 are missing from the vast majority of commercial shops.

I'm not saying that NASA doesn't need to improve, but merely getting a "level 2" on several enclaves and categories doesn't necessarily mean they're much worse than I'd expect. The point of the maturity model is to help understand where you are so you can plan meaningful improvements over time that doesn't block the mission of the organization unnecessarily.

For example, the detect category may be considered level 2 only if there are identified gaps against some of the directives to collect and analyze certain data sources that I've almost never seen even attempted outside government organizations. For any example I give, I'm sure there are shops that do it, but a lot of shops don't, and that's the point.

From a process perspective, again, the level of detail required for a government shop is much higher than I see in the private sector. What we don't know from the article are the details of the gaps.

Overall, the piece feels like a lot of necessary context is missing to understand how they really fare compared to a moderately security aware non-government shop of a reasonable size.

Maybe reach out again for comment?

I see cribl has posted a response at https://cribl.io/blog/cribl-denies-splunk-allegations/ and I've been told they have fixed their email address for media inqueries. (No connection here with the company, I just know where to mention such things)

NIST SP 800-63a issues

Having recently had to re-read NIST SP 800-63a, the Identity Assurance Level (IAL) tiers of what constitutes IAL-2, there is a small part of me that feels sorry for the IRS. More than likely, someone told them they have to meet IAL-2 for online access to taxpayer data. That's hard. A lot of what I've seen around the id.me stuff has been, if not something to make me feel good, at least something I can sort of understand in the context of IAL-2.

Section 4.2 statement 10 actually encourages the organization to conduct a fairly vaguely described fraud mitigation mechanism. I'm not overly conversant on the fine details of SP 800-63a, so I can't say that id.me followed the additional rules in it. But I can at least feel some understanding for what's going on. When someone I knew went through the id.me process some months ago, we compared each requirement of id.me back to the document and couldn't find any case where they weren't following a plain reading of the rules, even the steps that made us concerned were clearly listed as things they were supposed to do. I won't say I'm happy about what happened, but if we want to prevent such things from recurring, we need to understand what rules may have caused people to select a certain approach, or the next company to come along will do much the same thing, just with slightly different marketing.

Browser profiles?

Instead of using a guest profile, why don't more people use persistent browser profiles? Especially on my work computer, I use multiple profiles so that it feels like just a separate window of the browser logged into different accounts. Side benefit is I get different sets of cookies that are persistent, so other vendor websites or services can be bound to the correct account automatically.

Coding is not the end

Coding interviews miss the point. How does the candidate work with the team? Do they demonstrate an awareness of process? Can they demonstrate an understanding of ways to juggle competing requirements for the code? I used to say that the job was at most one third technical skills. The other two thirds were general problem solving and people skills.

Who knew, hiring is hard.

Sales pressure

Gartner has a strong reputation for engaging in behavior that if you are feeling exceedingly polite and generous, would be called high pressure sales tactics on companies to be included in their listings as well as "improve" their ratings. For them to warn about another company engaging in high pressure tactics feels more than a little ironic.

Air gap can be hard

Several times, I've heard of supposedly air gapped systems that were connected to a command and control network, legitimately, which was connected to an administrative network, with all the sysadmins knowing that, but that admin network was connected to the ... and eventually, to the public network. Each link seemed appropriate in isolation, but not together, and no one realized the overall chain of links until something happened to demonstrate it.

It's not a new problm, and it doesn't have to be malicious incompetence. Air gapping a single server is easy. Air gapping a network of systems that need to talk to each other to do their primary function is much harder.