Adam on “Silver Bullet Security” Podcast

The 26th episode of The Silver Bullet Security Podcast features Adam Shostack, a security expert on Microsoft’s Secure Development Lifecycle team who has also worked for Zero Knowledge and Reflective. Gary and Adam discuss how Adam got started in computer security, how art/literature informs Adam’s current work, and the main ideas behind Adam’s new book The New School of Information Security. They go on to chat about Adam’s aversion to the term “best practices,” the role IEEE Security & Privacy magazine plays in bringing the science of security to a practical level, and whether the biggest problem of the CardSystems breach was following the letter, rather than the spirit, of PCI. Also on the agenda, duck-billed platypuses, Kandinsky, and books by Pynchon.

Show 026 – An Interview with Adam Shostack.

The one thing I’d like to add is that we mentioned Frank Abagnale’s Catch Me If You Can.

It was a fun interview.

Let’s not ask the experts?

Can Sips at Home Prevent Binges? is a fascinating article in the New York Times. It turns out there’s very solid evidence about this:

“The best evidence shows that teaching kids to drink responsibly is better than shutting them off entirely from it,” he told me. “You want to introduce your kids to it, and get across the point that this is to be enjoyed but not abused.”

What is the evidence? In 1983, Dr. George E. Vaillant, a professor of psychiatry at Harvard University, published “The Natural History of Alcoholism,” a landmark work that drew on a 40-year survey of hundreds of men in Boston and Cambridge.

Ironically, the Times decided to ask their readers: “Do you think teenagers drinking wine with their parents at home encourages reckless drinking or more responsible habits with alcohol later in life?” See the sidebar. Without any disrespect to people reading the Times, why would we care what they think about this? We have evidence of what really happens. Why not ask “Why do you think we can’t fix a broken law?” or “Would you vote for a candidate who promised to fix these laws?”

Relatedly, Adam Barr wrote:

I saw an article today about how the Smart ForTwo (that tiny car you see around) had earned top marks in safety tests conducted by the Insurance Institute for Highway Safety. Despite this, the Institute decided to disqualify the car from potentially earning its “Top Safety Pick” designation because it is just too dang small. “All things being equal in safety, bigger and heavier is always better,” says the president of the Institute. (“Things that Everybody Knows.”)

Experts are experts because they have data and the tools to analyze them. That’s why we listen to them. When did we become so resistant to science?

Uncle Harold and Open Source


Uncle Harold (not his real name, not our real relationship, and I never even called him “Uncle”) was a cool guy who always fixed his own cars. Most of my life, Uncle Harold has been complaining. It used to be you could actually fix a car. You could put things in, take them out, adjust them, tune them, and so on. As time has gone on, cars got electronics in them, then computers, and nowadays an auto mechanic is as much a computer tech with grease under his nails as a mechanic.

I never was much into mechanics as a kid. My father wasn’t, either, and discouraged me from ever being a mechanic. If he were to read this, he’d deny discouraging me, but he did. All he did was point out that some bit of automotive fluff that caught my eye would literally be high-maintenance, and either you do that yourself or you pay someone else.

I eventually did buy a pre-1968 bit of automotive loveliness as part of a quarter-life (okay, third-life) adjustment. The 1968 date is important because that’s when the US started requiring pollution controls, safety equipment, and so on that caused the transit of the gloria of Uncle Harold’s mundi.

For a technologist, a pre-’68 car is utterly amazing because of sublime lack of technology in it. It needs petrol to burn, water to cool, oil to lubricate, and enough electricity to drive the spark plugs. That’s it.

The first time I tuned a pair of SU carbs, it was amazing fun. I could really understand Uncle Harold’s irritation. The tenth time it was far less fun, partially because I’d gotten good at it. It was just a chore. I could really understand my father’s point of view even better. Eventually, the antique bit of fluff got sold and I got a modern fun car that has computers that run everything from engine to brakes.

It’s really sort of sad that I can’t tune the carbs (which of course I don’t have; it’s all fuel-injected). It’s even amusing that if you pull the power from the car, the computers lose their state and they have to re-tune the ignition system over the next few miles you drive — in a wtf sort of way. I mean, haven’t these people heard of flash? How much space does it take to store ignition settings and radio presets? (Yes, Uncle Harold, a real radio stores its presets mechanically. Thanks.)

But it’s really wonderful that I don’t have to tune the carbs. There are reasons why those wonderful old systems were replaced. The new ones really are better. Uncle Harold thinks the world has gone to hell in a hand basket. I see the merit in what he says, but when it comes right down to it, I prefer my present hell to Uncle Harold’s heaven.

The brilliant Ivan Krstić has recently written about the transit of his own personal gloria, the OLPC project. In part of his essay, he shows clearly how some open source people, in particular RMS, have become Uncle Harold, insisting that if you can’t tune those metaphorical carbs, it’s like forcing people to be crack addicts. (And this is paraphrasing, not misquoting RMS.)

Krstić also talks about the same Haroldisms. He says:

About eight months ago, when I caught myself fighting yet another battle with suspend/resume on my Linux-running laptop, I got so furious that I went to the nearest Apple store and bought a MacBook. After 12 years of almost exclusive use of free software, I switched to Mac OS X. And you know, shitty power management and many other hassles aren’t Linux’s fault. The fault lies with needlessly secretive vendors not releasing documentation that would make it possible for Linux to play well with their hardware. But until the day comes when hardware vendors and free software developers find themselves holding hands and spontaneously bursting into one giant orgiastic Kumbaya, that’s the world we live in. So in the meantime, I switched to OS X and find it to be an overwhelmingly more enjoyable computing experience. I still have my free software UNIX shell, my free software programming language, my free software ports system, my free software editor, and I run a bunch of free software Linux virtual machines. The vast, near-total majority of computer users aren’t programmers. Of the programmers, a vast, near-total majority don’t dare in the Land o’ Kernel tread. As one of the people who actually can hack my kernel to suit, I find that I don’t miss the ability in the least. There, I said it. Hang me for treason.

My theory is that technical people, especially when younger, get a particular thrill out of dicking around with their software. Much like case modders, these folks see it as a badge of honor that they spent countless hours compiling and configuring their software to oblivion. Hey, I was there too. And the older I get, the more I want things to work out of the box. Ubuntu is getting better at delivering that experience for novice users. Serious power users seem to find that OS X is unrivaled at it.

I used to think that there was something wrong with me for thinking this. Then I started looking at the mail headers on mailing lists where I hang out, curious about what other folks I respect were using. It looks like most of the luminaries in the security community, one of the most hardcore technical communities on the planet, use OS X.

And lest you think this is some kind of Apple-paid rant, I’ll mention Mitch Bradley. Have you read the story of Mel, the “real” programmer? Mitch is that guy, in 2008. Firmware superhacker, author of the IEEE Open Firmware standard, wrote the firmware that Sun shipped on its machines for a good couple of decades, and in general one of the few people I’ve ever had the pleasure of working with whose technical competence so inordinately exceeds mine that I feel I wouldn’t even know how to start catching up. Mitch’s primary laptop runs Windows.

I know exactly what he means. Once, long ago, I’d fire up my GosMacs session in the morning and close it down when I’d go home. I and my colleagues had so customized our editors (which we lived in) that we said that using someone else’s emacs was like using someone else’s toothbrush. It’s just not done.

When the Story of Mel came out, one of my coding buddies read it and it really creeped her out. She sent out an email to all of us that said, “Oh, my God, that’s my *DAD*!”

I once patched a running CVAX just to watch it fly. I admit that I did it because of the smart remark in Dungeon. And I’ve changed my unices so many times I don’t know what I look like.

Like me, Ivan’s stopped being Uncle Harold with computers. I like being able to get grungy, but I also hate having to. The last remnant of my Uncle Haroldism is my main server that’s running FreeBSD. I am especially glad this week that I listened to Ben and didn’t put Ubuntu on it. I’m even chafing at that system and asking myself why I don’t just outsource the whole damned thing. I’d tell you, but then you’d see my tinfoil hat. (Oh, all right. If you run your own mail server, they can’t NSL your sysadmin. I know what you’re going to say. I’ve said it myself. Hush.)

Nonetheless, the Uncle Harolds of the world have a point. It’s nice to be able to change your kernel. It’s nice to be able to recompile everything. It’s just a drag to have to. When Open Source realizes that, it will make great strides to getting back people as non-technical as Ivan. And yeah, Ubuntu’s getting close, I know that. I actually do love puttering around, but another prop has occupied my time.

Photo courtesy of Light Collector.

Check out these great blogs!

I’m excited and grateful to the Industry Standard for including us in their “Top 25 B-to-Z list blogs.”

There’s some great stuff in there which I read, like “Information Aesthetics,” “Venture Hacks,” “The Old New Thing” and “Schneier on Security.”

There’s also a set of blogs that I hadn’t seen, and am checking out.

Why not take a minute to flip through the list, and see what chaos emerges in your feed reader?

The Difference Between Knowledge and Wisdom


If you haven’t heard about this, you need to. All Debian-based Linux systems, including Ubuntu, have a horrible problem in their crypto. This is so important that if you have a Debian-based system, stop reading this and go fix it, then come back to finish reading. In fact, unless you know you’re safe, I’d take a look at updating your system anyway.

The problem is that they “fixed” the random number generator so that it doesn’t generate random numbers, but a semi-fixed stream of pseudo-random bytes.

A friend of a friend is now working on generating the whole set of possible keys, and will release them to the world here. (Agree or not with this, but remember that the bad guys have them by now.)

Ben Laurie has written about it in gory detail here and here. If you want a summary, this problem comes about because the OpenSSL random number generator does some things that are unconventional, but not wrong. The unconventional coding was flagged by a code-analysis tool, and a Debian person removed it. That change made all randomness vanish from the random number generator.

Plenty of people have debated the whole thing. For example, there’s the debate that says the Debian developer was an idiot, and the people who say that the folks who did unconventional things were idiots.

I think that this is the sort of expected failure that happens in complex systems. I am reminded of code optimizers that see that a programmer clears a variable and then doesn’t use it, so they optimize out the clearing, not realizing that that is erasing keys or passwords or whatever.

I’ll add in that what leapt out at me was that the unconventional coding had an excessively vague comment noting that the analysis tool wouldn’t like it. It would have been much better to have an over-the-top comment.

I was once notorious for a comment I had in some extremely hairy code that said something akin to:

This code is delicate. Don’t modify it unless you understand it. If you think you understand it, you don’t. I wrote it and I don’t understand it.

That’s what I meant by an over-the-top comment. I wanted the poor person who maintained my code to think three times. When you do something unconventional, you need to point out to the other developers in the ecosystem that you did what you did intentionally.
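The optimizer failure mentioned above (a compiler dropping the clearing of a key because the variable is never read again) and the point about commenting unconventional code, shown together in one added C example. This is constructed for illustration and is not code from the post or from OpenSSL or Debian; the key bytes, the checksum that stands in for “using” the key, and the function names are all assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for key material (not a real key). */
static void fill_key(uint8_t *key, size_t len) {
    for (size_t i = 0; i < len; i++) key[i] = (uint8_t)(0xA5 ^ i);
}

/* Stand-in for "using" the key: a trivial checksum so the key is live
 * up to the point where we try to wipe it. */
static uint32_t use_key(const uint8_t *key, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum = sum * 31u + key[i];
    return sum;
}

/* The optimiser's view of this function: after memset(), 'key' is never
 * read again, so the store is dead and may be dropped at -O2. The key
 * bytes then stay on the stack after the function returns. */
uint32_t naive_wipe_local(void) {
    uint8_t key[32];
    fill_key(key, sizeof key);
    uint32_t sum = use_key(key, sizeof key);
    memset(key, 0, sizeof key);   /* may be optimised away entirely */
    return sum;
}

/* DELIBERATE: the stores go through a volatile pointer so the compiler
 * must emit every one of them. Do not "simplify" this to memset(): the
 * whole point of this function is that the wipe cannot be proved dead.
 * If you think you understand why it looks odd, read this comment again
 * before changing it. */
void secure_clear(uint8_t *buf, size_t len) {
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

uint32_t secure_wipe_local(void) {
    uint8_t key[32];
    fill_key(key, sizeof key);
    uint32_t sum = use_key(key, sizeof key);
    secure_clear(key, sizeof key);   /* survives optimisation */
    return sum;
}

/* Returns 1 if every byte is zero, so a caller can check a wipe on a
 * buffer that outlives the wiping function. */
int is_all_zero(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

int main(void) {
    uint8_t buf[16];
    fill_key(buf, sizeof buf);
    secure_clear(buf, sizeof buf);
    printf("naive checksum  %u\n", (unsigned)naive_wipe_local());
    printf("secure checksum %u\n", (unsigned)secure_wipe_local());
    printf("secure_clear wiped buffer: %s\n", is_all_zero(buf, sizeof buf) ? "yes" : "no");
    return 0;
}
```

To see the difference the post describes, compile with `cc -O2 -S` and compare the two functions: the `memset` in `naive_wipe_local` is commonly removed as a dead store, while the volatile loop in `secure_wipe_local` is kept. Platforms that provide `explicit_bzero` (OpenBSD, glibc 2.25 and later) or C11’s optional `memset_s` exist for exactly this reason and are preferable where available.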

And for those of you who read the whole of this article before patching — shoo. Go. Install that update. Now.

Photo “Random # 15 MSH” by Saffanna.

6/16ths of Chileans personal information leaked by hacker

A hacker in Chile calling himself the ‘Anonymous Coward’ published confidential data belonging to six million people on the internet.

Authorities are investigating the theft of the leaked data, which includes identity card numbers, addresses, telephone numbers, emails and academic records.

Chile has a population of about 16 million, so that’s 3/8ths of the country.

See “ALERTA: Se filtran datos personales de 6 millones de chilenos vía Internet” (Google translated). The blogger, Leo Prieto, gets a rude awakening when he reads the law, “¿Es privada la información personal en Chile?” (see translated version)

Via PogoWasRight.

¿As an aside, why doesn’t English use those awesome ‘¿’ to tell you you’re reading a question? We use the opening punctuation for quotes.

UK Information Commissioner’s Office Can Now Fine Your Ass

From the article:

The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.

It’s about time that the Data Protection Act got some teeth for dealing with breaches. Unfortunately, I haven’t been able to find out much more information on this. All I could find on the ICO’s site was a press release and this position paper on the need for the ability to fine for breaches. Anyone out there know more?

Jack Jones on Risk Management


I really enjoyed watching the podcast version of a talk that Jack Jones gave at Purdue, “Shifting focus: Aligning security with risk management.”

I liked the opener, about what it’s like for executives to talk to security professionals, and the difference between what might happen and what’s likely to happen. The screenshot is from a discussion of how to play Russian Roulette.

I also like the way he critiqued best practices (you’ll have to watch). It’s a little hard for me to assess his risk management methodology from a podcast, but it’s a very worthwhile 45 minutes.

(Now if only he had some Kandinsky in there, I’d have no doubt that the Risk Management Insight Institute, which Jack heads, is part of what we call the “New School.”)

Call me crazy?

There’s an article in the New York Times, “‘Mad Pride’ Fights a Stigma

“It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was a death sentence, professionally and socially.”

She added, “We are hoping to change all that by talking.”

Participants write and distribute publications, stage community talks, trade strategies for staying well and often share duties like cooking or shopping.

Many psychiatrists now recognize that patients’ candid discussions of their experiences can help their recoveries. “Problems are created when people don’t talk to each other,” said Dr. Robert W. Buchanan, the chief of the Outpatient Research Program at the Maryland Psychiatric Research Center. “It’s critical to have an open conversation.”

Call me crazy, but I think these folks might be onto something. Learning about coping strategies from one another? Testing what works and what doesn’t, and reporting on it? Maybe “we were broken into” isn’t the most embarrassing thing you can say in public.

Credit Bureaus and Outsourcing

The “I’ve Been Mugged” blog has a great three part series on outsourcing by credit bureaus:
“Is It Wise For Credit Bureaus To Outsource To Foreign Call Center Firms? (Part 1),” “part 2” and “part 3.”

He digs deep into how extensively TransUnion outsources, and where. I went looking, and was surprised to see that their privacy policy is at least honest. They make no claim that they care about your privacy, nor any that they apply the highest standards of security to your information.

Security Cameras Functional


Use of CCTV images for court evidence has so far been very poor, according to Detective Chief Inspector Mick Neville, the officer in charge of the Metropolitan police unit. “CCTV was originally seen as a preventative measure,” Neville told the Security Document World Conference in London. “Billions of pounds has been spent on kit, but no thought has gone into how the police are going to use the images and how they will be used in court. It’s been an utter fiasco: only 3% of crimes were solved by CCTV. There’s no fear of CCTV. Why don’t people fear it? [They think] the cameras are not working.” (BBC, “CCTV boom ‘failing to cut crime’.”)

Blogosphere analysis: Schneier, Stoddard.

Our thought? Their chocolate ration needs to be increased to 20 grammes. Action this day.

Image credit: Emergent Chaos

Hiring Fraudsters?


PARIS — Jérôme Kerviel, the Société Générale trader who used his knowledge of the French bank’s electronic risk controls to conceal billions in unauthorized bets, has a new job — at a computer consulting firm.

Mr. Kerviel, who was given a provisional release from prison on March 18, started work last week as a trainee at Lemaire Consultants & Associates, which specializes in computer security and system development, a spokesman for the former trader, Christophe Reille, confirmed on Friday. (“After Trading Scandal, Banker Gets I.T. Job,” The New York Times.)

First let me say that I’m fond of the phrase “paid his debt to society.” It’s out of fashion, but it used to mean that someone, after their sentence was carried out, was done. That they ought to be allowed to get on with their lives. I’ve publicly commented on Frank Abagnale being in this class.

Kerviel clearly understands how to get around IT controls. I expect that there’s a great deal which he might be able to teach people about what’s important in security design, and some about what isn’t. (His ability to generalize his approach hasn’t been tested yet.)

At the same time, he hasn’t yet been tried for his actions. What would be the right framework for making a hiring decision like this?

Photo: REUTERS/Benoit Tessier

Spending to Protect Assets

There’s a story in the New York Times about a bike rental program in Washington DC. It’s targeted at residents, not tourists, and has a subscription-based model.

Improved technology allows programs to better protect bicycles. In Washington, SmartBike subscribers who keep bicycles longer than the three-hour maximum will receive demerits and could eventually lose renting privileges. Bicycles gone for more than 48 hours will be deemed lost, with the last user charged a $200 replacement fee.

That technology comes with a price, which is one reason cities and advertisers started joining forces to offer bike-sharing. The European programs would cost cities about $4,500 per bike if sponsors did not step in, Mr. DeMaio said. (“Bicycle-Sharing Program to Be First of Kind in U.S.”)

$4,500 is 22.5 bikes. Put another way, they could buy 2,500 bikes, rather than the 120 they’re buying. That would require a lot more space if you bought them all at once, but you might just buy them as bikes are stolen. Looking at it another way, if you took the $500,000 being spent on technology, and invested it at 5%, you would make $25,000 per year, enough to completely replace the fleet annually.

This is (obviously) an incomplete analysis. But the cost of protection jumped out at me. Maybe it’s typical for how people in Washington think about asset protection.

A question of ethics

Various estimates have been made regarding the quantity of personal identifying information which has been exposed by various mechanisms. Obviously, though, we only know about what we can see, so seeing more would make such estimates better.
One way to see more would be to look in more places, for example on peer-to-peer file sharing networks.
So here’s the question: would it be ethical (and if so, under what conditions) to deliberately seek out files containing PII as made available via P2P networks, in order to better understand the extent to which such information is exposed, and how?
I have an opinion on this question, but I’m very interested in what others think.