Friday, January 10, 2014

Non-Slacker Friday

Some people can do humor, or go off on weird tangents on Friday. The canonical example of the latter may be Bruce Schneier's Friday Squid Blogging. I can't do this.

First Off

It is fascinating to watch companies and/or governments try to drop bad news on Friday.

Today, for example, we find that Target seems to be attempting to beat the 2007 TJX record, which affected 45.7 million people. For the 2009 Heartland Payment Systems breach, I don't have any data relating the number of compromised records (130 million) to the number of people affected. Heartland also tried to drop its bomb on a day when many people in the U.S. were distracted--Inauguration Day. The new Target information in the above link is that more data fields were compromised than previously known/revealed, and that the number of "guests" (also known as customers) could top 100 million.

Somewhere, statistics people will probably be arguing whether a record is defined as a complete row in a database or as each field within a row. To me, the answer is obvious--each field. CVV data (the 3-digit security code on the back of a card), for example, will be stored as a field. CVV data has an obvious impact on the risk unwittingly assumed by customers, and it was compromised, to at least some degree.

I think we can all agree that this has been a Bad Thing, so let's just go with that. Particularly as Target news is sensational, but not actionable.

More interesting is how, in an age of cheap illicit attack parallelism, SnapChat might have thought that rate-limiting in their API was any sort of defense against massive data loss. Stolen credit card numbers cost almost nothing in bulk and can be used to spin up Amazon VMs, and renting botnets is also cheap. How, then, is rate-limiting a component of a serious defense?

From what I understand, their entire business model is based around selfies, sexting, or whatever the hell pop culture currently calls sending provocative photos, which are only briefly available. Being a guy, I could wish I got more of those. OTOH, I'm glad I don't hang out with women that don't realize that screen capture software exists. Or (running the risk of turning this into Friday humor) the same tool they used to capture and upload that image (a freaking camera) could be used to capture and upload it on the other end.

I'm going to bottom out on being glad I don't hang out with silly people. Worse yet is that SnapChat turned down a $3 billion offer from equally silly people at Facebook. Bad call, founders. But the SnapChat thing is at least somewhat actionable, in that you can look for, and reevaluate, any instances of defense by rate-limiting within your organization. Logging systems are likely a good place to start, though they are also likely to contain an example of rate-limiting as a useful tool: a means of preventing logs from filling with duplicate entries.
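To make the argument above concrete, here is an added toy model (not code from the original post or from SnapChat): a per-source limiter bounds what one address can pull, but total loss scales with the number of sources, while a budget on the looked-up resource bounds it regardless. The key names, limits and traffic volumes are constructed; the rejected count is the signal a logging system would see.

```python
"""Added example: why a per-source rate limit alone does not bound data loss.
All keys, limits and request volumes here are constructed, not measured."""
from collections import defaultdict


class PerKeyLimiter:
    """Fixed-window counter: at most `limit` allowed requests per key per window."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, key):
        if self.counts[key] >= self.limit:
            return False
        self.counts[key] += 1
        return True


def simulate(sources, requests_per_source, per_ip_limit, resource_limit=None):
    """Return (records_served, requests_rejected) for one window.

    per_ip_limit applies to each source address separately.
    resource_limit, if set, caps lookups against the endpoint as a whole,
    so it does not grow when more source addresses are used.
    """
    per_ip = PerKeyLimiter(per_ip_limit)
    endpoint = PerKeyLimiter(resource_limit) if resource_limit else None
    served = rejected = 0
    for src in range(sources):
        for _ in range(requests_per_source):
            key = f"ip{src}"  # constructed source identifier
            if per_ip.allow(key) and (endpoint is None or endpoint.allow("lookup")):
                served += 1
            else:
                rejected += 1
    return served, rejected


if __name__ == "__main__":
    # one source: the per-IP limit holds loss to 100 records
    print(simulate(1, 1000, 100))
    # 100 sources: the same per-IP limit now lets 10,000 records out
    print(simulate(100, 1000, 100))
    # adding a per-resource budget of 2,000 bounds loss again
    print(simulate(100, 1000, 100, 2000))
```

The resource budget also throttles legitimate lookups once exhausted, which is the trade-off that makes the rejected count worth alerting on rather than silently absorbing.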

Secondary Point

In a rich news week, what may be more actionable is the new extent of cooperation between Red Hat and the CentOS project. I was most interested in reading about it from the CentOS perspective. Most of the relevant information is linked from there, including fake FAQs (not Frequently Asked Questions, just the intended message) from both parties.

Some time ago, I gathered and analyzed time-series data on security alerts and updates from CentOS. I found a significant delay, and a correlation with dot releases. It seemed to me that the then-handful of people at CentOS were having trouble keeping up with security issues when they were also under pressure to get the next dot release out the door.

Those are old data. I probably have them on a backup, or at least a plot generated from them. But they probably are not relevant to many. The landscape has changed in that significant resources have become available to CentOS. It is probably easier to regenerate the data than to find the old, and analysis tools have become significantly better.
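As an added example of the core of that regeneration (not the author's original analysis or script), this computes the per-advisory lag between an upstream publication date and the CentOS update date and splits the lags by whether the upstream date fell in the run-up to a dot release. The advisory identifiers, dates and the dot-release date are constructed placeholders, and the 21-day window is an assumption.

```python
"""Added example: measuring CentOS update lag and its relation to dot releases.
Advisory ids, dates and the release date below are constructed sample data."""
from datetime import date, timedelta
from statistics import median

# constructed: (advisory id placeholder, upstream publish date, CentOS update date)
ADVISORIES = [
    ("ADV-1", date(2013, 9, 3), date(2013, 9, 5)),
    ("ADV-2", date(2013, 10, 1), date(2013, 10, 2)),
    ("ADV-3", date(2013, 11, 18), date(2013, 12, 4)),
    ("ADV-4", date(2013, 11, 25), date(2013, 12, 6)),
    ("ADV-5", date(2013, 12, 20), date(2013, 12, 21)),
]
# constructed placeholder for a CentOS point-release date
DOT_RELEASES = [date(2013, 12, 1)]


def lag_days(advisories):
    """Map advisory id -> days between upstream publication and CentOS update."""
    return {aid: (centos - upstream).days for aid, upstream, centos in advisories}


def near_dot_release(day, releases, window=timedelta(days=21)):
    """True if `day` falls in the assumed `window` before any dot release,
    the period when a small team is busy building that release."""
    return any(rel - window <= day <= rel for rel in releases)


def split_by_release_pressure(advisories, releases):
    """Median lag for advisories published near a dot release vs. the rest."""
    busy, quiet = [], []
    for aid, upstream, centos in advisories:
        bucket = busy if near_dot_release(upstream, releases) else quiet
        bucket.append((centos - upstream).days)
    return {
        "near_release_median": median(busy) if busy else None,
        "other_median": median(quiet) if quiet else None,
    }


if __name__ == "__main__":
    print(lag_days(ADVISORIES))
    print(split_by_release_pressure(ADVISORIES, DOT_RELEASES))
```

Feeding this real advisory timestamps and the actual release dates is the regeneration step; the constructed data only illustrates the shape of the comparison.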

Tertiary Point

I am way jealous of the people that can do tangents on a Friday. I am usually slammed. Part of that is just project planning; people tend to assign due dates for milestones by the end of a work week. Nice as it would be to rant about that, I do it to myself all the time. That is at least an oops, if not a FUBAR.

This time of year, it's really hard to stay organized. In addition to the news-driven sort of thing, like the above, there are things to do. In no particular order, for what I laughingly refer to as my weekend:
  • planning CAPEX for the coming year
  • looking at some old code that uses week numbers (not a coincidence) for ISO 8601 compliance
  • working on a security model needed to move a database from straight PostgreSQL to SEPostgreSQL

Quaternary Point

There is no quaternary point. Things are busy enough.
