Saturday, October 19, 2013

Ultimate Adversarial Code Review

Some people hate day-to-day code reviews. I tend to welcome them, and miss them on engagements where I am going it alone. Yes, there is a certain sense of freedom, but some things I miss.

  • I will almost undoubtedly learn something
  • You can identify people you want to work with (reviewing the reviewer)
  • They can save me from an embarrassing 'burning tree' scenario
Sometimes politics enters the picture. That is never pleasant, unless you are a politician. I can do politics, but I tend to add fees when dealing with adversarial, politically-charged environments. In short, it is a complete pain in the ass, and I charge more if I have to deal with it on a daily basis.

That brings up an interesting question. In the limit, what might an engagement that is *all about* an adversarial relationship look like? I have limited (but not zero) exposure to this environment. For instance, it's possible to invisibly (to the user) pre-load objects via Javascript which will then appear in the user's browser cache.

In the context of something like a patent fight, I have an excellent idea of what tools I might need, and how to employ them, but no experience. On the other hand, I know of someone who does. Avi Rubin has a security track record dating back many years, as USENIX members know. His credentials are public: Professor of Computer Science and Technical Director of the Information Security Institute at Johns Hopkins University, and it goes back from there...

Avi has spun up another company that specializes in this sort of thing, and has a practical guide on how to proceed, which is highly recommended reading.

Tuesday, October 15, 2013

Is IPv6 Coming To Your Network?

A year or so ago, I recommended a couple of things to a Network Security Guy (and a friend of mine). First off, have a look at R. I think I dealt with that one (Choosing Python over R) earlier today.  But this guy also believed that Intrusion Detection/Prevention systems are highly effective. Probably because he implemented one years ago that met the needs of the times. Evolve, plz.

I didn't then, and certainly don't now (attacks only get better), have any confidence in IDS/IPS, and also recommended that he have a look at Evader. Apparently, a year down the road, he had done neither of these things. So be it--this was just a breakfast conversation with a friend, and really none of my business.

Today, I had a conversation with another Network Security Guy (and another friend of mine) who had a serious need to vent. For reasons unknown (but it seems likely that some senior manager had read some scare-piece about IPv4 number exhaustion), a mandate had come down from on high, that IPv6 Would Be Implemented in 2014. Behind the firewall.

Heavy sigh, and all that. But what this guy, who was in more of a managerial position, was concerned about was that it was going to thrash his tentative 2014 hardware budget planning, which was already late. Well, yes. It surely will thrash his hardware budget planning; IPv6-capable network infrastructure requires more horsepower, and economies of scale are not yet present.

Here is the FUBAR bit, and I felt bad about dropping this one on him, because I had worked with one of his Evil Minions on setting up some basic defenses, years back.

  • Yes, your hardware will cost more 
  • IDS/IPS systems will be even less effective than they were under IPv4
  • Internal network scans will no longer be effective
  • Pretty much nothing of your current notions of VPN security will (or should) survive
This is off the top of my head. I could get creative, and start thinking about, for example, PBX and video-conferencing systems.

IPv6 is coming, but there is already sufficient pain. It is likely that every aspect of your network security posture will have to be reevaluated, via whatever risk-analysis methodology you prefer. What is certain is that a valid reason for deploying IPv6 looks almost nothing like management by proclamation.

We know that waiting until the last moment will only make it worse, and that proclamations lead to FAIL. So, please, start thinking (rationally) about it now. You are far more likely to be ready when you have a real roll-out date.

Choosing Python Over R

I feel the need for speed. If you are messing about with decision-support in a security context, you probably do too. It turns out that for most of what I have needed to do in the last couple of weeks, Python has been taking me closer to my targets than R.

It will be a while (probably a long while) before Python tooling can match the comprehensiveness of R, which has > 4k packages available.

For pure statisticians, R is still the win, and I don't mean to trash the tool or the field in any way. If I hadn't found R, way back when, I would probably have thought MS Excel was an acceptable program for stats. Leading to FAIL.

But, Python tooling looks like being faster, in both execution and development speed, for my needs of the moment. R may still be the winner in creating interactive documents. I still need to take a weekend and compare the two. But free weekends are in short supply right now, and it would have to be an awfully big win to make much of a difference. I am a huge believer in 'go get knowledge, then teach it' but I am not primarily an educator, and tools such as the iPython HTML Notebook seem adequate.

Regarding iPython: don't use anything else. Seriously. The only time I ever enter 'python' instead of 'ipython' on the command line is if I need a quick basic calculator, or if all I want to do is import numpy, do a couple of quick array operations, and leave.

Don't laugh at the idea of using Python as a basic calculator (snarking on KDE Kcalc):

    import math
    math.sqrt(2)   # the square root that kcalc could not manage
Seriously, kcalc, WTF is your problem? People have been able to take square roots on hand-held calculators for 40 years, but your software, running on this comparative pile-driver of awesome, cannot.

With iPython, you get log files and other huge advantages. Mess around with it for a couple of evenings, and you will never go back. I wished for something like this for ten years before we got it, so now I have been enjoying it. You will too.

Saturday, October 12, 2013

Probably Relocating to Portland or Seattle

Living in the hinterlands of the central Willamette Valley, as someone engaged in the theory or practice of information security, is a hard thing to do. Most of the people I need to talk to for business purposes are northwards, in Portland or Seattle.

That is not the major part of the problem; even skinny pipes can deal with most bandwidth issues, such as sample data sets. The clients you really want Just Get It. Perhaps surprising, but true. And they are such a joy to work with, which makes up for many things.

One of the things that they cannot make up for is isolation. That is a constant threat to productivity for anyone working at home.

On one hand, you are undisturbed, and it's easier to get into The Zone, and be extremely productive. Call it Flow State, or whatever. To me, it will always be The Zone.

On the other hand, the inspiration that comes from talking to colleagues is missing. Make no mistake: as a commercial proposition, being the expert rules. But you do have to be demonstrably right, roughly 100% of the time, and there is little that will give you any insight into solving the next client's problems.

For that, you need a research community, and diversity. Or you could take my approach, which involves one hell of a lot of homework, and sunk costs. This can work, in specific areas; I have a track record dating back 13 years or more.

But the security industry, as a whole, has to do vastly better. As I think about host security (secure against what threats? who have what resources?) I want network people next to me. I want rootkit specialists, and people expert in state machines and log analysis. I sure as hell want to have people that have a clue about authentication and authorization.

There is no substitute for a group of really clever people scribbling on a whiteboard. It's a huge buzz of argument, and about the coolest thing ever. I hugely miss the diversity, the frenzied scribbling, and the ensuing arguments.

The really nice bit is that I have enough latitude on the current engagement that I can just do it, if it still seems wise a couple of weeks from now. In essence, I would be moving closer to daily arguing-around-a-whiteboard range, and they are *fine* with that idea.