A Mini-Review of “The Practice of Network Security Monitoring”

NSM book coverRecently the kind folks at No Starch Press sent me a review copy of Rich Bejtlich’s newest book The Practice of Network Security Monitoring and I can’t recommend it enough. It is well worth reading from a theory perspective, but where it really shines is digging into the nuts and bolts of building an NSM program from the ground up. He has essentially built a full end to end tutorial on a broad variety of tools (especially Open Source ones) that will help with every aspect of the program, from collection to analysis to reporting.

As someone who used to own security monitoring and incident response for various organizations, the book was a great refresher on the why and wherefores of building an NSM program and it was really interesting to see how much the tools have evolved over the last 10 years or so since I was in the trenches with the bits and bytes. This is a great resource though regardless of your level of experience and will be a great reference work for years to come. Go read it…

A Very Late Book Review


I have to start off by apologizing for how very late this review is, an embarrassing long time ago, the kind folks at No Starch Press very kindly gave me a copy of “Super Scratch Programming Adventure” to review. Scratch for those that aren’t familiar is a kids oriented programming language designed by Mitchel Resnick of the MIT Media Lab, the same team that developed the programmable bricks for Lego Mindstorms.

The book is in manga format and very entertaining and I enjoyed it thoroughly. It was so much fun, that when my then ten year old asked to learn how to program with the long term goal of writing his own minecraft mods, I handed him the book and asked him what he thought. To say he whipped through the book is an understatement. He actually finished it in one reading and immediately asked if he could start playing with Scratch on the family laptop.

Over the next few days he worked his way through some of the programs in the book and put the book aside for a long while. Recently we were talking about an upcoming Lego robotics class he had coming up and he remembered that he had the copy of “Super Scratch Programming Adventure” in his room. He dug it out and this time he worked his way through all the programs quite quickly.

I asked him what he thought of the book and said it was very good; that he really liked the comic book format and that he wished more books were done that way. At this point he’s excited enough that we’ll either dig deeper into Scratch together or we’ll switch to a games oriented text like No Starch’s “Realm of Racket” or possibly Sweigarts’s “Invent Your Own Computer Games with Python”.

Regardless of what we decide to do however, I can highly recommend ““Super Scratch Programming Adventure” as a great introduction to programming for kids or even non-kids who want a first very friendly exposure to programming. And again, my apologies to the folks at No Starch Press for taking so long on this review.

A flame about flame

CNET ran a truly ridiculous article last week titled
“Flame can sabotage computers by deleting files, says Symantec”. And if that’s not goofy enough, the post opens with

The virus can not only steal data but disrupt computers by removing critical files, says a Symantec researcher.

ZOMG! A virus that deletes files! Now that is cutting edge technology! It’s shit articles like this that reifies the belief that the security industry in general and the AV industry in specific is filled with people who are completely out of touch with the rest of the world.

“These guys have the capability to delete everything on the computer,” Thakur said, according to Reuters. “This is not something that is theoretical. It is absolutely there.”

ProTip to Symantec and Reuters, viruses have been doing this since at least the 80s. Are you really that desperate for yet another story that this is the level that this is the sort of thing you feel is worthy of a press release and news article. How about you save that time and effort and instead focus on making a product that works better.

Book Review: Cloud Security Rules

A while back, Kai Roer graciously sent me an electronic copy of the book Cloud Security Rules that he co-authored with an all-start cast including luminaries Wendy Nather and our very own New School’s Alex Hutton. All in all, it’s a solid read covering the gamut of topics from Risk and Compliance to technology versus the human factor and finishes nicely with a section on business models. A few chapters about more about security without being a particular focus on the cloud(tm), but that’s not particularly a problem.

My only real complaint about the book is that with so many authors, things don’t always flow as smoothly as they could when moving from chapter to chapter. This is however made up for by the general high quality of the work. In particular, un addition to the authors mentioned above, you’ll also want to make sure to read the sections by Lori MacVittie, Brian Honan and Kevin Riggins.

This book is targeted at decision makers, managers and othesr who need to understand cloud from business view, so if that’s you, I encourage you to read this book. Definitely worth the price.

Chocolate Waffles

Too good not to share (inspired by: Chocolate-Hazelnut Waffles with Frangelico-Brown-Butter Syrup)

Ingredients :
6 oz. (1-1/3 cups) fresh ground whole-wheat flour
2 oz. (2/3 cup) natural cocoa powder
1-1/2 tsp. baking powder
1/2 tsp. baking soda
1 tsp. kosher salt
3/4 cup granulated palm sugar
2 large eggs, at room temperature
3 oz. (6 Tbs.) unsalted butter, melted
1/3 cup yogurt
1/2 tsp. pure vanilla extract
3/4 cup warm water

Directions:
Pre-heat waffle maker.

Mix the flour, cocoa powder, baking powder, baking soda, and salt in a medium sized bowl and mix thoroughly.

In a large bowl, whisk the sugar and eggs until smooth. Stir in the butter, yogurt, and vanilla until smooth. Mix in the warm water until smooth. Add the dry ingredients to the wet and fold until just mixed. It should still have some lumps.

Cook in waffle maker and serve warm.

Friday Bread Baking

bread

A few folks have asked, so here’s my general bread recipe in bakers percentages. In bakers percentages everything is based on a ratio compared to the weight of the flour. The formula for my bread is:

100% Whole wheat flour (I’m a geek, I grind my own)
72% Water (or whey)
2% Salt
1% Yeast

So if I’m using 1000 grams of flour, I need 720 grams of liquid, 20 grams of salt and 10 grams of yeast.

Mix everything together in a bowl. I highly recommend putting the liquid in first; it makes it much easier to do the mixing. Knead the dough until it is elastic and the window pane test works. Cover and let rise until the dough doubles in volume.

Degas the dough, cut and preshape into rough loaves. Be very gentle here. Let rise again. Degas and shape into loaves. Let rise one more time. Preheat oven to between 400 and 450^F (lower temperature for larger loaves) with a cast iron skillet or metal pie plate on the floor of the oven. When the loaves are doubled in volume place them in the oven then pour a 1/4 cup of water into the cast iron skillet. Bake until the interior temperature of the bread is 195F or sounds hollow when you thump the bottom. This will take between 20 and 45 minutes depending on how large your loaves are.

What the FBI Was Doing on Beethoven’s Birthday

monkey-cat.jpg

This is unfair, but I can’t resist. Nine days before we found out again that PETN is hard to detonate, the FBI was keeping us safe:

FBI FINALLY MAKES AN ARREST OVER ‘WOLVERINE’ LEAK

The FBI has announced the capture of an individual connected with the leak of 20th Century Fox’s “X-Men Origins: Wolverine.”

“Wolverine” has raked in nearly $375 million in worldwide gross since its release. How much money the leak cost Fox will never be settled for certain.

I’m glad we’re spending money on things to keep us safe.

Observations on the Christmas Bomber

Since there’s been so much discussion about the Chrismas Bomber, I want to avoid going over the same ground everyone else is. So as much as I can, I’m going to try to stick to lightly-treaded ground.

This is a failure for the terrorists. A big one. Think about it; put yourself on the other side of the chessboard and read this movie-plot description. Yemeni Al Qaeda has a newly-radicalized, rich engineering student who wants to strike a blow against the evilness of George Clooney and Vera Farmiga. Despite being ratted out by his father, the student gets a visa, likely because he’s “wealthy, quiet, unassuming.” Using the very clever tactic of getting on a plane in Africa and transferring onto an American flight, he has one of the most powerful high explosives known sewn into his pants. Before landing in MoTown, he — fails to detonate it. Think about that again. An engineering student from one of the best universities in the world fails to set off a bomb in his lap. Worse, he ended up with a fire in his pants, leading to many humiliating jokes.

Fail, fail, fail. Epic fail. Face-palm-worthy epic fail. Worse, the US is sending counter-terrorism folks to Yemen to help find the people who planned this epic failure. For them, this is just bad, and about as bad as it gets. Supposedly, recruit these guys with promises of a half-gross of virgins, not with burning their nuts off. Ridicule is one of the most powerful forces there is, and this is deserved.

On top of this, now that the would-be bomber has been captured, he is singing like the proverbial canary. So that means that the planners really should be looking for new places to stay, because even their allies will want to purge losers from their ranks, or at least not take the fall for them.

Yet, all is not lost for the forces of terrorism. The world’s security services have panicked and instituted to security procedures that will actually make it easier for the next person by setting up rules that everyone’s supposed to stay in their seats in the last hour of flight. But that’s pretty slim pickings for them. It’s not even as good as the one-last-shocker in the traditional horror film.

Defense-in-Depth Works. The major problem in fighting terrorism is that the fraction of figure to ground is between six and nine orders of magnitude. If you look at it as a signal processing issue, that’s -60 to -90 decibels of signal in noise.

Any detection system has to deal with false positives and false negatives. In the counter-terrorism biz, that means you have to deal with the inevitability that for every terrorist, you’ll be stopping tens if not hundreds of thousands of innocents. And remember as well, the times that the terrorist is not actually on a terror mission, they’re innocents.

So yeah, the guy was on a watch list. So are a million other people. (And yes, this is a reason why we need to trim the watch list, but that’s a different issue and has a different set of problems.) (And yes, yes, those million other people are only the US citizens on the list.) This still leaves the problem of what they’re supposed to do when some rich guy complains that his son has fallen in with the wrong crowd.

Here are some hard questions: Do we search every kid who pissed off a relative? Do we search everyone who ever went to Yemen? Damascus? How about people who change planes? Travel in carry-on? Have funny underwear?

The answer is that we can’t do that, and even if we do, we merely teach the bad guys how to adapt. The point of defense-in-depth is that you stack a series of defenses, each of which is only a partial solution and the constellation of them works, not any given one. Airport screening worked some — he didn’t get in a good detonator. Passenger resistance worked some — once there was a firecracker-like explosion and a fire, they saved the plane. Defense-in-depth in toto worked.

This is not the reason to disband DHS. This is not the reason to sack Napolitano. Note that I did not say that DHS shouldn’t be disbanded. Nor did I say that Napolitano shouldn’t be sacked, merely that if you’re looking for a reason, this isn’t it.

If we look at what happened and think about what we could do better, DHS isn’t involved. The visa issue is the one to examine and DHS doesn’t give out visas, State does.

My criticism of DHS is that they flinched. They’ve put up these brain-dead stupid policies that are going to annoy travelers and are as likely to make us less safe, not more safe. They should have said that the system worked and there will be no changes so have a happy new year and stay calm.

I am willing to cut them a bit of slack, but if they don’t change their tune to “Keep Calm and Carry On,” then there will be a reason to start demanding heads. Sending people to Yemen was the right response. No headphones on the plane is the wrong one.

If DHS and TSA want to give people reason to call for firings and disbandings, they should keep doing what they’re doing now, not then.

Life is Risk. Keep calm and carry on is good advice for the rest of us, too. The vast majority of us are more likely to be struck by lightning while being eaten by a shark than we are to be a victim of a terrorist. Nonetheless, there are bad, crazy people out there. Sooner or later, no matter what we do, somethings’s going to happen. A plane will go down, a ship will have a bomb on it, a train will be attacked, or something will happen.

The actual risk of terrorism is so low that most adaptations are worse than the threat. More people died in traffic accidents as a result of shunning airplanes after 9/11 than in the actual attacks. After those attacks, the best terrorist second punch would have been a simple suicide bomber in the airport security lines.

When we wring our hands because we think that risk should be zero, we’re part of the problem, too. Schneier is right: we need more investigation and counter-terrorism and less security. Kudos to CNN and Maddow for airing a bit of reason.

So we should all thank our lucky stars that PETN isn’t as easy to detonate as we’re told. We should thank the same stars for passenger resistance. And we should breathe a sigh of relief for an incident that was botched so badly it’ll make others think twice or three times or more. And while you’re at it, don’t play with sharks in a thunderstorm.

St. Cajetan’s Revenge

For some time, I’ve watched the War on Bottled Water with amusement. I don’t disagree with figuring out how to reduce waste, and so on and so forth, but the railing against bottled water per se struck me as not thought out very well.

The major reason for my thinking is that I never heard any of the venomous railing against water extending to any other drinks that come in bottles. To my mind, it seemed that a Coke, hey, that’s okay, but if you start with one and take out the sugar, the caffeine, the artificial flavors, and CO2 you end up with water. Coke okay, water evil.

Me, sometimes all I want is a cool drink of water. More often, I want something a little more. I’m very fond of those fizzy waters with a bit of essential oils in them, as well as iced tea. But I don’t want the sugar. I want an artificial sweetener even less, and often when faced with decisions, water is what’s available. When I’m traveling nearly anywhere, I think I’d rather have it in a bottle, thanks.

The prejudice against water comes from thinking that it’s just water. Rarely is there such a thing as just water. The only just water there is is distilled (or in a pinch deionized) water, and that is itself special because it is unusual for something to be just water.

And now, I can’t help but think, “Uh huh” as I read, “Millions in U.S. Drink Dirty Water, Records Show.”

The summary is that more than 20% of US water treatment systems have violated key provisions of the Safe Drinking Water Act over the last five years. The violations include sewage bacteria, known poisons and carcinogens, parasites, and so on. Mid-level EPA investigators say that the government has been interested in other things and just not enforcing things, and they don’t think change will happen.

Security isn’t just going after terrorists, it’s basic thing. Like water.