Wednesday, May 28, 2008

Why Voicemail should go extinct

I hate voicemail. The other day I put some thought into why I hate voicemail. There are a few reasons I came up with.
It's arcane. I realized it was arcane when Apple revised it with the iPhone to take voicemail out of the FIFO mentality. I don't have the patience to fight the interface anymore because there are simply better ways for people to get hold of me. And they will find those ways when voicemail goes unanswered.

It's both pull and push. The sender pushes the message to me, which is great! I then have to pull the same message to me. And I have to blindly pull, without even being able to selectively prioritize or filter. Voicemail is an all-or-nothing pull, and one that the sender blindly pushes and can only assume is delivered. It's like UDP except with a horrible interface.

Email me, IM me, text me, twitter me, call my mobile. Do not leave me a voicemail, because there is a high chance it will not be filtered and responded to, but instead routed to the bit bucket.

Tuesday, May 27, 2008

Attacking the supply chain

What happens when attacks are on physical commodities and their supply chains? Last week's hubbub about counterfeit Cisco devices has created a bit of a stir. It's easy when it's software which can be corrected in a matter of months, but what happens when you can't trust your hardware? It seems that Cisco's current stance is to stand behind their supply chain.
This is a precarious position; indeed, it's something the oil industry is trying (and failing at) too. The software (or anything virtual/logical) supply chain can be fixed easily because the turnaround time can be hours or days. What happens when release cycles last months or years? If such a supply chain is attacked, or simply can't be trusted, then it will be a bigger issue than applying a few patches.
Think oil and energy, think food, think transportation, think how slow the military-industrial complex is to react.

Clay Shirky's new book

I'm about halfway through Clay Shirky's Here Comes Everybody. It's a great book so far and should be required reading for anyone who assumes that installing a wiki will automatically create some sort of community. But on page 42 was something very quotable which I wanted to share:

"his [now typical organization hierarchy] management system was designed to produce "such information, to be obtained through a system of daily reports and checks, that will not embarrass principal officers nor lessen their influence with their subordinates." If you have ever wondered why so much of what workers in large organizations know is shielded from the CEO and vice versa, wonder no longer: the idea of limiting communications, so that they flow only from one layer of the hierarchy to the next, was part of the very design of the system at the dawn of managerial culture."

I love that paragraph and the assertion that the hierarchical organization chart used by industry today, in principle, follows the OSI Model. The idea that social networks, collaboration, sharing, self-organizing, web 2.0, wikis, and the other latest buzzwords conflict with this at a core level is interesting. Also, I would suggest that data security models as practiced today rely on this OSI-style data encapsulation, and without access control and data protection built into these web 2.0 products, little can be done to secure them.
One final thought: the person who creates a blog platform for organizations that lays out ACLs based on the company's org chart, and creates communities based on peer levels in the same way, will have a nice hybrid platform for transitioning companies who are struggling to get out of the old hierarchy.

Monday, May 19, 2008

Another spin on hyperconnectedness

SC has an article up on The next generation of workers and their expectations. This, combined with digital natives, hyperconnectedness, social surplus and the application of open source concepts to society, is going to define information (and its security) in the next 10-20 years.

Thursday, May 15, 2008

hyperconnectedness

Ars posted a blurb on hyperconnectivity on the rise.
This raises several questions. If everyone is hyperconnected, then everyone has devices that blur the line between business and personal. How is that secured traditionally? Will traditions work in that sort of environment?

I'd argue that traditions, as well as what is thought of as the typical company network perimeter, were just fads and band-aids. We need better solutions.

Security Systems

Way back in 2005 Emergent Chaos wrote up some examples of security principles based on the Star Wars movies. It was a bit goofy.

But offering examples based on a simplistic universe where everything can be taken at face value is extremely useful. It's much harder to analyze something such as a... grocery store, as not everyone is familiar with its processes and the things that may happen behind the scenes.

But there are systems out there that can be analyzed from a security perspective that you don't need intimate knowledge of. The latest one that's occurred to me is the highway system. Next time you're stuck in traffic take a look around.

  • Sign poles
  • Barriers
  • Privacy/sound walls
  • Lighting
  • CCTV
All of these have an impact on security, and some of the designs are specifically for that. Overhead signs, for instance, have smooth poles up to beyond human reaching distance, with no cross members within reach, to prevent climbing.

Tuesday, May 6, 2008

marginalizing threats

I sit through several presentations a month. It's part of my job, and some of the presentations can even be insightful. But let's talk about threats. This is something most people like to touch on; certainly it's a topic that can be on the more exotic side. Cloak and dagger, espionage (e-espionage? i-espionage?) and all that.
Some advice to separate you from your competitors:
Do not talk about RBN (or other such organizations) and then reference "people living in their mother's basement".

On second thought, do not mention pimply kids or mothers' basements no matter what you're discussing.

It marginalizes the threat into a pigeon-holed ideal of what the threat was in 1989. Nowadays, the guy may still be in the basement, but he is simply an agent of a larger threat. It's irrelevant where he lives; what matters is that he spends 40-60 hours a week herding his bot or owning websites, and is generally a symptom of a bigger problem.

Get out of the old mindset; you're doing the real issue a disservice if you keep floating back and forth between threat models.

additional reading: Evolving Threats by Corman.

Thursday, May 1, 2008

Charmsec #3

I'm trying to organize a <a href="http://citysec.org">citysec</a> meetup in Baltimore. There were a <a href="http://lists.shmoo.com/pipermail/secgeeks/2007-May/subject.html">few attempts</a> last year but it fizzled out.

<a href="http://citysec.org/forums/1/topics/15">Official update</a>

<blockquote>
What:
Informal meetup of infosec folks.

When:
Wednesday May 14th (humpday!)
7:00pm - whenever

Where:
Wharf Rat @ Camden (good beer, conveniently near 395 on Howard St & Pratt)
Barside. I’m not going to post a sign as the place is small. We’ll be the geeky looking folks in black shirts, right?

Why:
To talk security with other people who aren’t there just to get 3 CPE points.</blockquote>