Unauthenticated SSL Sends a Dangerous Message
2011-03-05 16:45:30 by chort
Recently I decided to write an application for Twitter to report changes in my friends and followers. As part of the process I went looking for a pre-built library of methods that I could use to interact with the Twitter API. I settled on python-twitter as an actively-developed solution that should keep up with changes to the API.
Due to Twitter's rocky past with SSL/TLS (henceforth simply SSL) support on their web interface, I decided it would be prudent to investigate whether their API used SSL. It turns out that it does, and it has a properly signed certificate. Then I looked at python-twitter to see if it had an option to connect over SSL, and was pleased to notice that it does by default. On a hunch I checked out the underlying library that python-twitter is using to make HTTP requests, and I was shocked at what I found.
- Comments (2)
Stop Trying to Prevent Break-ins
2011-02-20 14:55:29 by chort
Ready for a shocker? You shouldn't be spending all those resources trying to shore up your network against attacks. It sounds insane, but this is the conclusion I've reached after spending a week talking to some of the best and brightest minds in Information Security.
- Comments (0)
BsidesSF 2011
2011-02-19 21:07:55 by chort
I just took 3 days off from work to attend BSidesSF and the Barracuda Networks Security Wine-out, with an interlude to work the RSA Conference. The following is a rambling summary of the topics and ideas I encountered this week, along with my commentary.
- Comments (0)
Amazing Free Software and WWIPAS
2011-01-22 16:04:24 by chort
A few days ago I was using a free DNS monitoring utility called dnstop. I had found a few bugs while trying to build and run it on OpenBSD. I knew one of the authors was active on public mailing lists, so I e-mailed him to report the bugs. To my surprise and delight, he responded quickly and began investigating.
When he was unable to set up a test environment to mimic mine in a timely manner, he asked if he could log in to one of my systems to verify the behavior. I gave him access to a virtual machine and a day later, after several e-mail exchanges, all my reported problems were fixed and a new version of the software was available for download. Since the software itself was free, but the maintainer had gone to considerable trouble to fix my bugs in a very responsive manner, I offered him the continuing use of the shell account as payment.
A few days later I was downloading an update to TinyUmbrella and noticed a "Donate" button on the website. I thought about how much potential hassle that utility saves me and decided to donate. It only took a minute to contribute a few dollars to the project through PayPal. These two experiences prompted me to muse on the amazing value that authors of free software deliver, and what proper compensation is. This led me to create the "WWIPAS" rule. What on Earth is that? I'm so glad you asked, read on...
- Comments (0)
My Complaint Letter to the TSA
2010-11-23 15:45:54 by chort
Surrendering my 4th amendment rights should not be a condition of travel within the United States.
With strengthening of cockpit doors and revised flight procedures to restrict cockpit access, the likelihood of a hijacking being leveraged to use an aircraft as a weapon has been drastically reduced. Coupled with passengers' realization that compliance with terrorists is not in their best interest, the probability of any future airline attack causing more casualties than the passengers and crew on board is near nil.
This means that airplanes are not unique from sports stadiums, shopping malls, trains, buses, subways, cinemas, or scores of other kinds of venues where inflicting hundreds of casualties is possible.
We cannot create a police state where every citizen must be viewed naked or sexually groped in order to venture into public places. Stop the Security Theater with airplanes and the inconvenience to millions of people who must fly for their jobs every week.
Sincerely,
Brian Keefer
You may send your own complaint to the TSA here.
PS Of the last 3 terrorist attempts vs. aircraft going to the United States, only 67% were against passenger planes, none of them were hijackings, and none of them went through TSA security. Given those facts, do you really think drastic and invasive escalations against US citizens are necessary?
Update: Thanks to @georgevhulme for pointing out several typos. Also thanks to @mckeay for reminding me that money talks--I've stopped flying short trips (as of last year) due to TSA hassles, and have been driving instead. That takes money away from airlines, pollutes more, and (statistically speaking) causes more deaths. How is this "security" helping again?
- Comments (0)
If I Were a CSO pt1
2010-11-17 11:59:28 by chort
If I were a CSO, I'd go to firms like Securosis for analysis. Why? Because they have a no-BS approach. They call out vendors for bogus claims and useless products. People who have been in the security field for a long time and have really looked critically at enterprises and vendors can spot regurgitated marketing spin a mile off. We can also tell when advice being given has no foundation in actual experience.
It seems like the vast majority of "analysis" is simply an indicator of herd mentality. I don't want to know what a bunch of people with no idea are doing; I want to know what intelligent and measurably successful people are doing. The "conventional wisdom" is often wrong. The "best practices" are rarely updated, and usually only with additions of new practices, not subtractions of outdated practices.
That sentiment is echoed by few analysts outside of Securosis, but one of them is Josh Corman from The 451 Group (which has recently hired a few common-sense folks to fill out their ranks). I'm not familiar with The 451 Group's work, but if their hiring practices are any indication (in addition to Corman, they've also picked up Wendy Nather) it's probably solid.
It's about time people started applying healthy skepticism and subject-matter expertise, rather than the modern-day version of "nobody got fired for buying IBM".
If you want to follow the Securosis guys on Twitter they are (in part): Rich Mogull, Mike Rothman, Adrian Lane, and David Mortman.
- Comments (0)
Striking a Balance on Airport Security
2010-11-16 23:44:30 by chort
There has been a lot of press and grass-roots coverage of the TSA recently, specifically revolving around the increased usage of backscatter x-ray devices and more invasive physical inspections. Various DHS and TSA officials have made statements to the effect that they're sympathetic to the complaints, but the new measures are "necessary" and they're "striking a balance" between constitutional rights and security.
When I hear someone say "strike a balance" I visualize a see-saw, or a scale of justice, where the two sides are equally weighted in order to balance them. If we were to take the comments by Janet Napolitano and John Pistole at face value, we might reasonably think they're trying to find a middle ground somewhere between completely acceptable (say, passing through a magnetometer) and totally unacceptable (like cavity searches). The problem is that there is no balance. The scale is so far tilted to the side of violating constitutional rights that even a former Director of TSA Security Operations, Mo McGowan, actually admitted these measures violate the 4th amendment.
- Comments (0)
The Problems in Certifying Software Safety
2010-11-03 14:38:57 by chort
I just finished reading @TanAtHNN's 1999 paper contrasting inspection of electrical devices and safes with software and information security products (thanks to Josh Corman for bringing it up). The paper pointed out failings of prominent technology associations in the area of certification, and indicated encryption standards (such as FIPS) as examples of how it could be done right.
Overall I think the paper raises good questions. I think you would be hard-pressed to find people in the industry (especially security researchers) who don't think companies should be held to a higher-than-current standard for information technology. I believe the paper comes up a bit short, however, in recognizing the differences between physical products and digital products.
- Comments (0)
Mandatory Use Means Your Product Sucks
2010-10-28 11:29:07 by chort
I was recently reading excerpts from an interview with Melinda Gates in the New York Times. What struck me is she forbade her children to have iPods when they asked, and instead offered Zunes. This is consistent with past articles I recall reading where Microsoft employees were criticized by supervisors for having iPods or iPhones.
It's easy to use the Microsoft examples, but I'm sure there are many others. Your initial reaction is probably along the lines of "how dare a company try to dictate what their employees use for personal entertainment", but really there is a more interesting aspect: What does it say about your products when you have to force your employees to use them?
- Comments (0)
Hard Work on Bad Design is not Commendable
2010-10-26 13:08:04 by chort
Recently I was talking with an executive about challenges they were having generating revenue from customers. The exec shared that they had some unprofitable customers, and most of the expense was in support. The problem was identified as the customers not having enough education on the product and/or not being smart enough to use it.
Since I have some experience with their product, I asked if the problem might be more due to the complexity of the product and the fact that even a training course isn't sufficient to make an administrator proficient with it. The exec admitted there are some complexities, but insisted they've been "working on it" and cited one example from long ago where they fixed a major usability issue. The exec then went on to point out how many hours the developers have been working and basically had a cheer-leading session for their efforts to roll out new features.
Click here for the ranty bit.
- Comments (0)