The Farce of Hardening Guides

2012-11-05 07:37:35 by chort

Today I was directed to a blog post from VMware that discloses a leak of ESX source code. What struck me wasn't the leak itself, but the mention of security hardening guides. This isn't unique to VMware. Just about every enterprise IT vendor has hardening guides or knowledge base articles for how to take the default configuration, apply a bunch of changes, and make it more secure. This prompted me to muse about some ideal future where vendors instead post "softening guides" for the rare customer who wants to downgrade the default, highly-secure configuration.

Isn't that just wishful thinking on my part? Isn't it a good thing that vendors make the effort to create and publish hardening guides? I'll tell you why I think hardening guides are fundamentally dishonest and customers should demand better.

Read the rest of this story...

Stop the Cyberbole

2012-10-20 01:25:23 by chort

We've been hearing an ever-swelling drumbeat lately about vulnerabilities in critical US infrastructure and the "need" for government regulation to "solve" the "crisis." The latest crescendo comes from Senator Lieberman, who published an op-ed in the New York Times pushing for more legislation.

I believe this message is dangerous and misleading for several reasons, some of which have already been called out by @krypt3ia on his blog. Here I'll expand on some of those points and add my own.

Read the rest of this story...

Quick Post on Security Rockstars

2012-10-19 23:09:05 by chort

This week there has been a debate about "security rockstars," which I've mostly tuned out. Today a comment jogged my memory and I recall that last year a PR consultant for our company (who appears to do a fairly competent job, not that I would know) heard that I was submitting a CFP for a conference. She told me "I made [insert name of "thought leader"] a rockstar. [person]'s blog now receives [number] of impressions a day. I can help you do the same thing."

I don't really fault the consultant here. She was trying to a) bill more hours (who doesn't want to do that?) and b) get more publicity for the company I work for (which is what we pay her for). I'm pretty sure she's good at her job and she chose her words carefully. This leads me to believe that her pitch is tailored to work on geeks like me. In my case, I did a polite version of running away screaming.

For my own satisfaction, it means a lot more to me to do work that I know is high quality, to know I'm helping other people, and to be respected by my peers. I don't want teeming masses who barely know me to hold me up as some shining example when they don't even understand what I'm saying. I also don't want the pressure of being expected to be amazing all the time. I'm human, I make mistakes. I don't want my every decision under a microscope, so I don't go seek out publicity. It seems simple to me.

I realize different people have different priorities, and other people derive their self-worth in other ways. That's OK with me. If someone wants to be a "rockstar," fine. Just remember, with popularity comes scrutiny. The same people who held you on their shoulders will be twice as quick to kick you when you're down.

For everyone else, if you're sick of rockstars, stop feeding their behavior. PR reps wouldn't pitch geeks on becoming "rockstars" if it wasn't something a lot of geeks aspired to.

Installing Thug Honeyclient on Ubuntu 12.04.1 LTS Cheat Sheet

2012-10-15 20:56:43 by chort

Just some quick notes on the steps I had to do differently from the main documentation.

* You need to install build-essential, libboost-python-dev, and python-setuptools (possibly autoconf too, if build-essential doesn't pull it in)

* Set kMaxNumFunctionParameters in v8/src/parser.h manually so the line reads static const int kMaxNumFunctionParameters = 65534; (V8-patch2.diff is out of date and no longer applies)

* Beautiful Soup 4 (python-bs4), html5lib, PEfile (python-pefile), chardet, httplib2, Zope.Interface (python-zope.interface), and scons are all available as packages; search for them with apt-cache search and install with sudo apt-get install

* You need to add --enable-python-bindings to options when configuring libemu

* Create /etc/ld.so.conf.d/libemu.conf containing the single line /opt/libemu/lib, then run sudo ldconfig so the libemu shared library is found at runtime

I think that's it. I haven't tried analyzing any content yet, but python thug.py -h works at least. Let me know if this is helpful (or is missing a step).
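The steps above collected into one script, as an added example that is not from the original post and not the Thug project's own installer. It assumes Ubuntu 12.04 package names (python-setuptools for the post's "setuptool", and python-html5lib, python-chardet and python-httplib2 for the packages the post says to look up with apt-cache search), a V8 checkout whose v8/src/parser.h still carries the stock kMaxNumFunctionParameters line, a libemu source tree that builds with autoreconf followed by configure, and the post's /opt/libemu prefix. The function names are mine. The parser.h edit refuses to proceed when the expected line is absent, so a newer V8 tree produces an error instead of a silent no-op, and the ld.so.conf.d writer takes its target path as an argument so it can be exercised against a scratch file before anything is written under /etc.

```shell
#!/bin/sh
# Added example: automates the Ubuntu 12.04 deviations from the Thug docs.
# Not the Thug project's installer.  Usage: sh thug-prep.sh install
set -eu

V8_PARAM_LIMIT=65534        # value the post says to set in v8/src/parser.h
LIBEMU_PREFIX=/opt/libemu   # install prefix used in the post

# Package names: those given in the post plus assumed names for the ones the
# post says to find with apt-cache search (python-html5lib, python-chardet,
# python-httplib2) and python-setuptools for "setuptool".
APT_PACKAGES="build-essential autoconf libboost-python-dev python-setuptools
python-bs4 python-html5lib python-pefile python-chardet python-httplib2
python-zope.interface scons"

install_packages() {
    # shellcheck disable=SC2086
    sudo apt-get install -y $APT_PACKAGES
}

# Rewrite kMaxNumFunctionParameters in a V8 parser.h.  Returns 1 when the
# line is not present so a changed V8 tree does not go unnoticed.
patch_parser_h() {
    f="$1"
    pat='^\([[:space:]]*static const int kMaxNumFunctionParameters = \)[0-9]*;'
    grep -q "$pat" "$f" || {
        echo "kMaxNumFunctionParameters not found in $f" >&2
        return 1
    }
    # sed backreferences are single-digit, so \1 followed by 65534 is safe.
    sed "s/${pat}/\\1${V8_PARAM_LIMIT};/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Print the limit currently in a parser.h so the edit can be checked.
parser_h_limit() {
    sed -n 's/^[[:space:]]*static const int kMaxNumFunctionParameters = \([0-9]*\);.*/\1/p' "$1"
}

# Build libemu with the Python bindings Thug needs.  The autoreconf step is
# an assumption about the libemu source tree layout.
build_libemu() {
    (cd "$1" && autoreconf -v -i \
        && ./configure --prefix="$LIBEMU_PREFIX" --enable-python-bindings \
        && make && sudo make install)
}

# Write the ld.so.conf.d entry to the given path (a scratch path is fine).
write_ldconf() {
    printf '%s/lib\n' "$LIBEMU_PREFIX" > "$1"
}

install_all() {
    install_packages
    patch_parser_h v8/src/parser.h
    build_libemu libemu
    write_ldconf /tmp/libemu.conf
    sudo cp /tmp/libemu.conf /etc/ld.so.conf.d/libemu.conf
    sudo ldconfig
}

if [ "${1:-}" = install ]; then
    install_all
fi
```

Run it from the directory holding the v8 and libemu checkouts. Because patch_parser_h checks for the stock line first, a tree where someone has already applied the change by hand still succeeds (the value is simply rewritten to 65534), while a tree where V8 has moved the constant fails loudly rather than leaving Thug to hit the old parameter limit later.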

PS there was a guide for this already. Derp. It's prettier and more complete. Just remember to manually change v8/src/parser.h.

Information Sharing Considered Harmful, Maybe

2012-09-24 22:12:59 by chort

Lately the security echo chamber has been reverberating with talk of information sharing. Many parties, including (in possibly the most ironic blog post of the year) Oracle, are calling on the industry in general to share more information. The call is not unanimous, however. Several voices have urged restraint with information disclosure. Each side has good arguments and I think everyone can agree that the status quo is not working. I urge more sharing; read on to see why.

Read the rest of this story...

Don't Believe The Internet

2012-09-06 09:32:21 by chort

This week the Internet was abuzz with "news" of AntiSec leaking a list of Apple UDIDs and attributing it to an FBI agent. Other hackers claimed to have hacked Mitt Romney's tax returns. Both stories delighted critics of Apple, the FBI, and Mitt Romney respectively and quickly spread like wildfire on social media. The problem is, it's unlikely either of them is true. Even worse, while pointing out the dangers of repeating unproven claims, I fell for one myself.

Read the rest of this story...

Is IDS Effective? It Depends.

2012-08-04 22:54:34 by chort

Recently Steven Alexander wondered if IDS is effective. This is a topic I've been ranting about at work recently, so I will share my thoughts here in long form.

Read the rest of this story...

The Great Security Pill Scam

2012-08-04 16:36:24 by chort

What do Information Security and weight loss have in common? Many people who pretend to be interested in each try to get desirable results without making any substantial changes. I recently posed the question "would you hire a trainer & ask them to make you skinny & fit, as long as no exercise or diet change?" It was rhetorical of course, but one of the replies pointed out that most Americans would do just that.

Sadly I feel like I spent several years running late-night infomercials, selling expensive gadgets to people who wouldn't really use them. Sadder still is the prevailing attitude in the IT industry that buying a product is the solution to every tough problem, because it's easier to whip out the corporate checkbook than it is to solve it in a thoughtful way. The problem, as most of my peers know, is that these products rarely solve anything on their own. The only benefit is an organizational perception that "something has been done." When security incidents happen, because the issue wasn't solved comprehensively, everyone is shocked and loudly protests "but we were following industry best practices!" The people who say things like that actually believe it. How can we change the tune?

Read the rest of this story...

Linux on the desktop sucks and always will

2012-07-01 21:35:54 by chort

Forgive me dear readers, I'm in something of a rage. You see the upcoming release of oclHashcat requires GLIBC 2.14, which for Ubuntu users means an upgrade to 12.04 is necessary. If you're anything like me, you dread the inevitable disruptions of an OS upgrade, but nothing could have prepared me for the horror.

This ordeal has reminded me of why I believe "Linux on the desktop" will never happen. Linux projects simply don't focus talent on the critical problems. When engineers design things, they expect users to act like engineers, and that's only the beginning of the problems.

Read the rest of this story...

The Value of Anti-Virus

2012-03-17 21:37:34 by chort

There has been a lot of noise recently about whether it's worth the cost to run anti-virus software. As laid out in the Wired article, the opposing viewpoints typically boil down to:

* FOR: Anti-virus is essential for protecting careless users.

* AGAINST: There are more effective ways to spend security budget.

Those are both good points, so I think making a purely binary use it/don't use it decision is short-sighted.

Before I get to the main point, I'd also like to note the only source on record in that article vigorously defending anti-virus is a giant analyst firm. You don't have to think very hard to see a huge economic reason for a company that makes a lot of money off of vendors being a vocal cheerleader for the two companies who dominate all security spending. A cynic might wonder how good the advice is that customers get from an analyst who puts the interest of their own firm ahead of those customers. It seems there's a lot of that going around. I'd wager this situation contributes greatly to the suspicion of giant AV vendors.

Read the rest of this story...