Old wine or whisky can become more complex and interesting.
Old code becomes insecure:
Or at least it becomes more vulnerable. I’ve recently been helping a client
with their secure coding initiative and as a result I’ve been reading
Mike Howard and Dave LeBlanc’s Writing Secure Code, which reminded me of
an important aspect of maintaining a secure code base that often gets
overlooked: as code ages, it becomes insecure.
Evolve or Die,
August 29, 2007 at 7:47 AM
The state of the art in discovering vulnerabilities advances.
I remember when nobody worried much about buffer overflows.
Related to that, programs get used in environments they weren’t written for.
Who really cared about buffer overflows on the early Internet
when just getting it working for a few researchers was the goal?
Related to that, the number of people motivated to break code
keeps increasing, especially those with monetary motivation.
With enough eyes all bugs are shallow also means that with enough eyes
all vulnerabilities become easy to find.
Or, in this postmodern world, even computer programs are largely
what people perceive them to be, and those perceptions change.
So we were discussing Peter Sandman’s recommendations for outrage management,
which mostly have to do with how to deal with management not
doing something that you’ve given them rational reasons to do,
because of some emotional resistance or other.
The opposite problem also occurs: they believe you; they just don’t care.
Then you could use some outrage.
I’m afraid that outside of usefulness in those communications channels,
I just would hesitate to use the term "Outrage". For example, creating
"Outrage" metrics sounds like you’re working in Hollywood publicity for
Paris Hilton, not protecting business assets.
Yes, exactly: it is in these communications channels, that is,
with management, that emotion, up to and including outrage, has to be used.
Most exploits through the Internet have been relatively small guys
(individuals, gangs, etc.) against big companies and governments.
Yet they’re already using botnets to leverage their activity.
What happens when botnets start connecting with other botnets via wireless?
Consider the following scenarios:
malware infected PCs actually opening a WiFi connection in a port-knocking nature to the wireless botnet master only
no need for wardriving, as malware authors would quickly map the entire WiFi vulnerable population around a given region in the age of malware geolocating IPs using commercial services
once a PC gets infected inside an organization, it can automatically turn into a wardriving zombie exposing vulnerable WiFi connections within
Bluetooth scanning plugins expose even more vulnerable Bluetooth-enabled devices in the range of the infected host
It already wasn’t clear which side the asymmetry favored, since the bad guys
use the full leverage of the Internet and the defenders mostly don’t.
Now the bad guys can leverage the leverage of the Internet by also using
local wireless connections to further interconnect.
Did we need more proof that there’s no such thing as a perimeter to fortify?
The term "Outrage" suggests that risk cannot or should not be discussed
in a rational manner.
What I think Sandman is getting at is that often risk isn’t
discussed in a rational manner, because managers’ (and security people’s)
egos, fears, ambitions, etc. get in the way.
In a perfect Platonic world perhaps things wouldn’t be that way,
but in this one, people don’t operate by reason alone, even when
they think they are doing so.
Outrage x Hazard may be a means to express risk within the context of the organization, but I like probability of loss event x probable magnitude of loss better for quantitative analysis.
Indeed, quantitative analysis is good.
However, once you’ve got that analysis, you still have to sell it to management. And there’s the rub: that last part is going to require dealing with emotion.
So, Windows update: Skype outage cause or smokescreen?
The disruption was caused by a routine Windows patch update distributed
Tuesday that required users to restart their computers. When a large
number of Skype subscribers began logging back in around the same
time, the requests – combined with the day’s traffic patterns – began
overwhelming the system, revealing a bug in the software that normally
helps the system allocate resources and “self heal.”
“Skype has now identified and already introduced a number of improvements
to its software to ensure that our users will not be similarly affected
in the unlikely possibility of this combination of events recurring,”
Skype spokesman Villu Arak said.
So we seem to have here a combination of hazards tripping each other.
This does raise the more general question of what other bugs
synchronized Windows updates are exercising.
And how long before such a Windows update installs a vulnerability that
immediately gets exploited?
And how long before such updates themselves do cause massive outages?
In software monoculture, Windows may be its own boll weevil.
Here’s another company detecting effects of botnets:
The Click Fraud Index™ monitors and reports on data gathered from
the Click Fraud Network™, which more than 4,000 online advertisers and
their agencies have joined. The Network provides statistically significant
pay-per-click data collected from online advertising campaigns for both
large and small companies.
“We’re not surprised to see the industry average click fraud rate climb this quarter as a result of botnet activity,” said Robert Hansen, CEO of SecTheory and one of the industry’s leading experts in online security threats. “Our clients are well aware that botnet activity is on the rise and that botnets are being used for a variety of online fraud activities, including click fraud.”
They claim the country originating the most click fraud is France,
followed by China.
However, it would be more useful to show which ISPs are originating
most click fraud, i.e., which ones are most infested by botnets.
Countries are too big and too slow to have much of a chance
of doing something about this.
There’s a bit of comment discussion going on in
Metricon Slides, and Viewed as PR
about counting vs. selling, in which the major point of agreement
seems to be that even at a metrics conference there weren’t a lot
of metrics presented that were strategic and business-like.
Let’s assume for a moment that we have such metrics, and listen to
Peter Sandman, whose website motto is Risk = Hazard + Outrage:
Sometimes, of course, senior management is as determined as you are to
take safety seriously. And sometimes when it’s not, its reservations
are sound: The risk is smaller than you’re claiming, or the evidence
is weak, or the precautions are untested or too expensive. But what’s
going on when a senior manager nixes your risk reduction recommendation
even though you can prove that it’s cost-effective, a good business
decision? Assume the boss isn’t too stupid to get it. If the evidence
clearly supports the precautions you’re urging, and the boss isn’t
dumb, why might the boss nonetheless have trouble assessing the evidence?
As a rule, when smart people act stupid, something emotional is usually
getting in the way. I use the term “outrage” for the various
emotion-laden factors that influence how we see risk. Whether or not
a risk is actually dangerous, for example, we are all likely to react
strongly if the risk is unfamiliar and unfair, and if the people behind it
are untrustworthy and unresponsive. Factors like these, not the technical
risk data, pretty much determine our response. Risk perception researchers
can list the “outrage factors” that make people get upset about a
risk even if it’s not very serious.
It wasn’t just the tornado in Brooklyn — the first in recorded history in
the borough — it was the huge quantities of rain that flooded basements
and stranded rail and road commuters from Mineola to Midtown.
The slides from MetriCon 2.0 are all
Many good talks in there; I’ll probably comment on some more of them later.
One of the most interesting aspects was to see those with business experience
try to explain to those who said "Just tell me what to count!"
that counting isn’t enough.
If you want business managers and executives and board to pay attention,
you need to say what your counts mean.
Chatting with attendees, it became clear some of them interpreted
the latter as a call to make up numbers to match whatever you wanted
to sell to management.
Far from it.
The point is to abstract your numbers and to describe them in terms
of what they mean to the business.