Tuesday, October 27, 2015

Bad Weather: Must Rant on Scientists

UUID: 42bea053-2a40-4be6-93d0-dd3e17142907

This is the current NOAA weather forecast. Note the absence of blue sky. People whom I respect have fled to San Diego. Why? I'm guessing that it's because they are much smarter than me.

Somewhere between the last week of October and the first week of November, the weather always goes to hell, from Puget Sound to at least the south end of the Willamette Valley. I don't need NOAA to tell me that, which is A Good Thing, as I have already mentioned that NOAA Can't Predict Weather, Can't Secure Their Systems.

I'm still annoyed with NOAA, not least because when they have clearly blown a forecast, as in whatever they predicted is obviously wrong, their updates just ignore it. High temp of 80° F, but it's already 87° by 1130 and climbing fast? Screw it. Keep predicting 80°. Perhaps people won't notice that they are baking.

That's a really bad example, given the time of year, but the frequency of this sort of thing has led me to log at least some of the more egregious examples into a daily notes file. So, worth a minor rant-by-example.

I tend to follow the weather fairly closely. I'm out in it a fair amount, though I do tend to back off when it's really rotten. So I follow some weather blogs, and a bit of research. One of the more popular blogs is http://cliffmass.blogspot.com/. He's a University of Washington scientist, and is often spot-on. When he isn't spot-the-FUBAR-off.

Problems? Yeah, I have some. Appeal to Authority flaws, sometimes in the same post that he denigrates those authorities, inconsistency of message, and more than a little hype about certain topics. Again, sometimes in the same post in which he denigrates hype.

Perhaps my biggest problem is that he is a scientist. I am very far from being some sort of anti-science Luddite; I am a heavy consumer of science. But there's a corner case involved, in his field, which seems to be ignored. Mostly, it's about where the money goes. As taxpayers, how are we to judge whether we are receiving value? Why is NOAA not quantifying errors, so that we might judge when forecasts are most likely to be erroneous?

The other axis in that corner case is this.

http://www.probcast.com/ is about probabilities and ensemble forecasting, from UW. It's an experiment, with a useful 'about' page. But still no indication of the circumstances under which it wanders off into left field, and it's run by scientists. Who are often the most security-clueless people imaginable. It's somewhat understandable, because they are all about generating new knowledge, and sharing it widely.

Still, having even half a security clue is useful. There is a reason that Linux directories under /home are private in most modern distros. Despite UNIX being historically rooted in research environments.
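As an added example, not part of the original post, here is the check that goes with that remark: a small POSIX sh audit that classifies each directory under /home by whether group or other can get into it at all. It assumes a GNU or BSD `stat` and nothing else; the directories used to exercise it are constructed in a temp directory. The note about where the default mode is set (DIR_MODE in /etc/adduser.conf on Debian-family systems, HOME_MODE in /etc/login.defs with shadow-utils 4.9 and later) is my reading of those tools, not something the post states.

```sh
#!/bin/sh
# Added example (not from the original post): report home directories that
# are not private, i.e. that grant any bits at all to group or other.
# Assumes GNU stat (-c '%a') or BSD stat (-f '%Lp'); nothing else.
#
# Where the default comes from (assumption, not from the post):
#   Debian/Ubuntu adduser:  DIR_MODE in /etc/adduser.conf
#   shadow-utils >= 4.9:    HOME_MODE in /etc/login.defs (else derived from UMASK)

# Print one of: private (no group/other bits), group (group bits only),
# world (other bits set). Returns non-zero if the path cannot be stat'ed.
home_exposure() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    other=${mode#"${mode%?}"}          # last octal digit: other
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # next-to-last octal digit: group
    if [ "$other" != 0 ]; then
        echo world
    elif [ "$group" != 0 ]; then
        echo group
    else
        echo private
    fi
}

# List every directory directly under $1 that is not private, as "<mode> <class> <path>".
report_open_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        class=$(home_exposure "$d") || continue
        if [ "$class" != private ]; then
            printf '%s %s %s\n' \
                "$(stat -c '%a' "$d" 2>/dev/null || stat -f '%Lp' "$d")" "$class" "$d"
        fi
    done
}

# Stand-alone use: audit /home (or a directory given as the first argument).
report_open_homes "${1:-/home}"
```

A 0750 home is reported as "group", which is fine where the group is a private per-user group (the Debian/Ubuntu convention) and not fine where it is a shared "users" or "staff" group; the output leaves that judgement to you. Anything reported as "world" is readable by every account on the box, which on a shared research machine is exactly the historical UNIX default the post alludes to.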

Now and then (very occasionally) I report a problem to a Web site owner. Not often, because as often as I find them, it would burn too much time. In this case, I got on the phone. The UW person I spoke with had no idea what I was even talking about. She knew of no such site, who to contact, etc. The issue was fixed in fairly short order (do not remember exact timing) but in terms of appropriate response, it was a miserable failure.

Scientists mostly don't do operations. The concept of domain squatting (excuse me, 'cybersquatting') completely escapes them. I'm fine with that, actually. Different fields of endeavor, and I'd rather scientists were paid to do science.

But I get annoyed as hell when some scientist writes about something that is way outside their area of expertise, expecting to be considered an authority.

Wednesday, October 14, 2015

A Tier 1 Information Source: Ross Anderson

UUID: 34e6bddc-58a3-47a7-a1e2-7e83981bacc8

On 3/20/14 I published Congratulations to Leslie Lamport, winner of the 2013 Turing Award, as announced to the public a bit later, in CACM volume 57, number 6 (June, 2014). That post is a bit dated now -- I don't host ACM logos now, the post contains a link to an Adobe Flash presentation, etc. But Lamport did so much work as the original developer of LaTeX, and that is very close to the heart of my documentation production pipeline.

Fine. Times change, sometimes for the better. Flash is finally becoming recognized as the security nightmare that it has always been. ACM still seems to have no concept of this (scientists often have absolutely no clue about security), as their webinars still require it. Another reason (there are several) that I no longer belong to the ACM.

In that issue, there is an article by Ross Anderson and Steven Murdoch. In CACM, it's behind the paywall, but it's also public, as EMV: Why Payment Systems Fail. An extract:

Now that US banks are deploying credit and debit cards with chips supporting the EMV protocol, our article explores what lessons the US should learn from the UK experience of having chip cards since 2006. We address questions like whether EMV would have prevented the Target data breach (it wouldn’t have), whether Chip and PIN is safer for customers than Chip and Signature (it isn’t), whether EMV cards can be cloned (in some cases, they can) and whether EMV will protect against online fraud (it won’t).

More generally, a summary of Cambridge Computer Laboratory research is available from Anderson, as well as a more general overview from the Security Group. Once upon a time (actually twice upon a time) CLCAM used to emit "Three Paper Thursday". But it was dependent on the availability of grad students, current research priorities, etc. Back in July of 2014, I asked if he might bring it back, and it turned out to be impractical. That sucked, as I always had a block of calendar time devoted to reading it, largely on the strength of having read the first edition of Security Engineering. There is a second edition out now, and it is even better. It's also available as a chapter-by-chapter series of PDFs, for free. My Wiley first edition (2001) cost about what you would expect for a tech book, but that is available as well, so you can compare the two, and get a notion of how Anderson thinks the security landscape has changed. If you are any sort of security worker-bee, you have little excuse for not having read it.

Why post this now? Because UK banks were proven to not be capable of even recognizing the concepts of ethics or morality, as first widely published by Anderson. Does anyone think that the Oct 1 shift in liability to merchants, which will undoubtedly drive EMV adoption in the US, will be any different?

I could go on about this, and the ongoing legal battles between the retail and banking sectors. But the post is becoming very long, as is. I'm going to let it ride, at least for now. Suffice it to say that both sectors are worth trillions of dollars per year. When such enormous sums are involved, neither sector will have your best interests in mind, whether you are subject to PCI-DSS self-regulation, or are simply a consumer shopping on the Internet.

I don't do generic blogroll links, either by request or some weird notion. This is my second. The first was to Brian Krebs, largely because he is the best security blogger I know of, in the consumer space. I hate to go there (the consumer security space, not Krebs on Security), which is why my first (10/2/14) source was titled A Brief Foray Into the Horrible.

How I divide news sources into tiers (currently Vendor, then Tiers 1-3) lies somewhere in the area of proprietary, complex (as opposed to complicated), and just really hard to describe. I may post something about that in future (sorry, 'going forward' is the current corporate bullshit fashion) but no promises.

However, I do promise to talk about their take on mobile security. You can read up on it via the new link to Light Blue Touchpaper, now appearing under "(Some) Blogs I Read".

Tuesday, October 13, 2015

Intellectual Property: A Useless Term

UUID: 3a061855-fa21-4efc-a0cc-494418698118

I mostly hate the term Intellectual Property (IP), because it is mostly useless. Copyright, patent, trademark, etc., law has little in common, anywhere in the world. Personal and societal impacts of those laws are similarly disparate, as one would expect.

Now and then, something that seems to absolutely fly in the face of common sense (granting that sense does not seem to be common) is particularly grating. Such was the case with Definitive Guide (TM) to Cyber Threat Intelligence.

There are various regulatory regimes (and attempts to self-regulate in order to avoid actual regulation, such as PCI) that require a lot of reading related to possible threats. Fine. Been doing it for years, because I regard it as necessary, and so I applaud that. But it is extremely time-consuming: the doc mentioned above is a 74-page PDF, and is only part of today's reading list. The madness that allows a common phrase to be trademarked is annoying as hell.

Still, one of the contexts that I'll be reading this in (and marking it up for future reference) is DevOps, where there might possibly be some insight to be had from Table 1-1. It's the first table, so I will have to read this entire pile of marketing nonsense, in case there is support for it later in the doc. There might be something relevant to more recent DevOps concepts (and the other marketing nonsense that has grown up around it), as opposed to the older security-related divisions (network, infrastructure, and security operations) within an organization, and their contributions at the 'Tactical, Operational and Strategic' levels. Never mind that the tactical and operational divisions would seem very artificial.

So, 74 pages that is mostly marketing noise. Some of which is about banks, etc., being clients. I covered that above, writing about regulatory (and avoidance of same) requirements.

That DevOps reference? DevOps is also rife with marketing noise. But much of DevOps does promote ideas related to getting beyond some long-standing (and foolish) IT practices, such as throwing code over the wall. Which makes me far more tolerant of that group.

In the unlikely event that you have some twisted urge to read this doc too, it can be had from https://cryptome.org/2015/09/cti-guide.pdf. I'm not supplying a direct link to these people, for two reasons:

  1. Zero desire to provide them any Google-juice.
  2. I expect that some sort of registration would be required, hence you would be bombarded with email marketing for, roughly, forever.

If you never see another post on fubarnorthwest, it may be because reading
Chapter 7, "Selecting the Right Cyber Threat Intelligence Partner," enumerates criteria for evaluating cyber threat intelligence providers.
caused immediate brain-death.

Sometimes I Just Have to Rant

That is a failure on my part. I've been working on a set of three posts that would likely have been more helpful, that do not involve Intellectual Property, and would point readers toward things that are more useful, such as why I am about to recommend the Computer Laboratory, University of Cambridge.  Sorry about that. Coming soon.