fubarnorthwest
Greg Metcalfe. Random Security Droid.
Author: greg, freestyle (http://www.blogger.com/profile/09834523396172023340)
Feed updated 2024-03-14T07:12:52.467-07:00

Can We Learn Anything From Juicero?
Published 2017-09-02T12:40:00.000-07:00 (updated 2017-09-02T16:20:50.397-07:00)
At the risk of over-generalizing, I would think that in the security community most have long since fully internalized that
1. it is all about managing risk
2. 1 is hard
Now we have a new, and very public example of a risk management failure: Juicero, which ceased operations yesterday, costing at least 18 investors at least $118.5 million.
There has been snark flying around about crafty,

Mean-of-Means Under Unequal Cardinality
Published 2017-08-24T16:16:00.001-07:00 (updated 2017-09-03T08:09:00.201-07:00)
These days, I'm hearing too much politics, of the weird and/or horrible sort. This is weird and/or horrible only in the sense of really bad statistics. Assuming that a political poll matches reality, anyway.
A former co-worker recently sent me an 'analysis' of a Gallup poll, purporting to show Trump's approval declining in stages. A lot of effort went into this. Each data point was tediously

Tools for HR Departments
Published 2017-07-03T15:17:00.000-07:00 (updated 2017-08-26T08:14:39.679-07:00)
The following is the text that went into gitlab.com/secinfo/hr.
Over the years, it’s become apparent to me that HR departments could use some
help on the security front. The canonical example is a breakdown in
communications with IT that results in former employees being left on systems.
More subtle are issues with the hiring process: I’ve seen jobs advertised
looking for admins for old,

Resource Depletion Attacks: Commonly Performed by Security Industry
Published 2016-10-11T16:38:00.000-07:00 (updated 2017-08-26T08:19:30.189-07:00)
I make heavy use of the Linux 'at' and 'batch' facilities, which provide simple but very effective methods of increasing productivity via automation. Essentially, I want machines working to their thermal, IO, etc., limits as much as possible, so that I don't have to work to my thermal, IO, etc., limits. Naturally, I regard unused cores or threads, etc., as Bad Things.
At lunch today, there were

It's So Easy to Be Taken In
Published 2016-07-13T18:25:00.000-07:00 (updated 2016-07-14T07:32:17.612-07:00)
In other exciting news, Social Engineering attacks still work. Duh. But here's an illustrative example of it being done completely innocently. This is from another security worker-bee who was all on about why mobile and Bring Your Own Device (BYOD) was such a corporate threat.
[Image: Bogus Vatican Image]
That's a complicated topic, as evaluating risk always is, and is wide of the point that I want to

Blackhole Crimeware Creator Gets 7 Years
Published 2016-04-19T16:06:00.000-07:00 (updated 2016-06-19T11:03:53.234-07:00)
That's a nice law enforcement win. 'Blackhole' is variously known as an exploit-kit or -pack or just straight-up crimeware, as it often came with regular updates, or even support contracts. I have enough Blackhole references, dating back to 2012, in my database that it became boring to add them.
Brian Krebs reported this on 2016-04-14, at http://krebsonsecurity.com/2016/04/

DitL: writing about files, of all things
Published 2016-04-10T21:49:00.001-07:00 (updated 2016-05-23T14:10:55.343-07:00)
Have a Day in the Life post, written on a Sunday night, after a lovely Spring afternoon spent with a text editor. Gack. That is just wrong.
Writing. 121 lines, 965 words, 5836 bytes, and all about writing files of all things. It really did take all afternoon, for not very much usable output. Some days just go like that. I mostly discovered what I should have been writing, which is a piece in

NIST Defines Microservices, Application Containers and System Virtual Machines
Published 2016-02-19T13:39:00.000-08:00 (updated 2017-07-08T15:13:52.931-07:00)
Commentary::Architecture
Audience::All
I'm back on about microservices again, as I was in my
last post, Microservices and Linters. Because yesterday NIST released a draft of Definition of Microservices, Application Containers and System Virtual Machines, which you can see at http://csrc.nist.gov/publications/PubsDrafts.html#800-180.
I have problems with it. The public comments period runs

Microservices and Linters
Published 2016-01-28T16:23:00.002-08:00 (updated 2016-02-19T13:42:53.275-08:00)
Commentary::Coding
Audience::Entry
Microservices are all the rage at the moment, for good reason. I am of course interested in the security aspects, and I am also on record as loving me some Python. Why, in detail, is probably something I should write up in a future post. For now, I'm just going to mention an intersection between the two.
In Chapter 9 (Security) of Building Microservices

If There Were One Feature I Wish Bugzilla Had
Published 2015-11-17T16:14:00.000-08:00 (updated 2017-08-26T08:31:50.992-07:00)
Commentary::Performance
Audience::Entry
UUID: ddf3eae9-a84d-4083-987e-a84cf2ec8aec
It would involve track records. Specifically, there is no way to know how many bugs in Open Source software you have reported have never been assigned, and were simply closed due to End of Life (EOL), or what the track record of an assignee (who never addressed it, but simply closed EOL), closed but reopened

Bad Weather: Must Rant on Scientists
Published 2015-10-27T20:57:00.000-07:00 (updated 2017-08-26T08:33:59.180-07:00)
Commentary::Science
Audience::Entry
UUID: 42bea053-2a40-4be6-93d0-dd3e17142907
This is the current NOAA weather forecast. Note the absence of blue sky. People whom I respect have fled to San Diego. Why? I'm guessing that it's because they are much smarter than me.
Somewhere between the last week of October and the first week of November, the weather always goes to hell, from Puget Sound

A Tier 1 Information Source: Ross Anderson
Published 2015-10-14T17:40:00.000-07:00 (updated 2017-08-26T08:54:50.645-07:00)
Commentary::Sources
Audience::Intermediate
UUID: 34e6bddc-58a3-47a7-a1e2-7e83981bacc8
On 3/20/14 I published Congratulations to Leslie Lamport, winner of the 2013 Turing Award, as announced to the public a bit later, in CACM volume 57, number 6 (June, 2014). That post is a bit dated now -- I don't host ACM logos now, the post

Intellectual Property: A Useless Term
Published 2015-10-13T11:18:00.002-07:00 (updated 2015-10-13T11:21:38.159-07:00)
Commentary::Marketing
Audience::Entry
UUID: 3a061855-fa21-4efc-a0cc-494418698118
I mostly hate the term Intellectual Property (IP), because it is mostly useless. Copyright, patent, trademark, etc., law has little in common, anywhere in the world. Personal and societal impacts of those laws are similarly disparate, as one would expect.
Now and then, something that seems to absolutely

Long Odds: 7,975 to 1 Against
Published 2015-09-16T15:40:00.000-07:00 (updated 2017-08-26T08:53:11.420-07:00)
Commentary::Statistics
Audience::Entry
UUID: df96273e-2da9-4d92-9b6d-cbdfdfb9b5c8
What went wrong by noon. So that you can say, "I am doing way better than that guy."
Waking up at 0430
That's 4:30AM to an unfortunate majority of my fellow citizens. Side note: we are one of a very few countries to use this system, and I hate it. It's harder to parse in software, etc. But leaving the side

Risk Transfer Failure: a Possible Example
Published 2015-09-14T09:34:00.000-07:00 (updated 2015-09-14T11:29:04.779-07:00)
Commentary::Risk
Audience::Intermediate
UUID: 2f7d104e-1066-4735-a1a7-c1c0f39882f4
In classic risk analysis, if such a thing can be said to exist, there are four categories of risk response.
1. Mitigate
2. Avoid
3. Transfer
4. Accept
where Transfer means transfer part or all of the risk by e.g. insurance, hedging, outsourcing, or partnering. This category is sometimes split into

Don't Roll Your Own Crypto: Examples
Published 2015-09-08T09:36:00.000-07:00 (updated 2015-09-16T16:05:50.073-07:00)
Commentary::Crypto
Audience::Entry
UUID: bb828445-8bfc-4ccf-835b-5fdfa181ffc6
The usual reason given for asking software developers to not roll their own crypto is that anyone can build a cryptosystem that they cannot themselves break. That is perfectly true, but there don't seem to be many concrete examples that might convince the unwary. I'd like to provide a couple.
What most people see are

The Ashley Madison Breach Was Likely a Good Thing
Published 2015-08-20T18:47:00.001-07:00 (updated 2015-09-16T16:07:22.341-07:00)
Commentary::Breach
Audience::Entry
UUID: 4cf5d0bf-381b-4bc5-be2f-f31b8fb0d481
Unless you happen to be a victim, anyway. There is a large set of users who will trust their most sensitive secrets to some random Web site. That has been true since the Web was born, and it isn't going to change, save temporarily. This is one of those moments when a lot of people get outed, and the extent to

Some Remarks About the Hacking Team Hack
Published 2015-07-14T17:27:00.000-07:00 (updated 2015-07-15T18:46:59.007-07:00)
Commentary::Disclosure
Audience::All
UUID: 90e9fc07-e6ab-454d-8265-48876691db93
I have to say, right up front, that I haven't been tracking this too closely. Things have been too busy (with things that I can't write about) for me to do more than follow a bit of the trade press, and do some very minimal exploration. Plus, it's a bit odd to be doing two posts in a row (7/15/15 update:

What and When means better support and software
Published 2015-07-09T11:49:00.001-07:00 (updated 2015-07-15T12:09:33.690-07:00)
Recommendation::Documentation
Audience::Entry
UUID: cd1d2cf8-266a-11e5-8834-00224d83fb0a
Finding help for a problem in the Open Source world often involves search engines, filtering out random rants, and all too often finding something that does not work, as it was only appropriate four years ago. Which is why I put publication dates at the top of my infrequent posts.
This is a problem in my

Does the Navy Buy Vulnerabilities Too?
Published 2015-06-12T10:36:00.000-07:00 (updated 2015-07-15T11:55:18.502-07:00)
Commentary::Disclosure
Audience::All
UUID: e62e4ab8-ad7e-449d-9a4b-d2f2f2dd459e
This morning, I happened across this (dead as I write this) link. It goes to the FedBizOpps.gov site, and was originally for Solicitation Number N0018915T0245, titled 70--Common Vulnerability Exploit Products. I happened to open it in another browser because I was curious about a rendering problem, which can be seen

Anti-tracking May Lower Temperatures, and It May Not Matter
Published 2015-05-26T19:17:00.000-07:00 (updated 2015-09-16T16:08:30.220-07:00)
Commentary::Reliability
Audience::All
UUID: c078319b-b156-404f-a48b-1e639dd734b6
Earlier today, in the midst of an ongoing project, I noticed that
- The temperature of a single physical CPU was running at 104° F; about 10° hotter than expected.
- There were a large number of Firefox tabs open (40-odd), as is typical when abnormal high temps are seen.
My first reaction was my normal knee-jerk:

Open Thread: Is There Any Point in a Security Blog?
Published 2015-05-13T16:56:00.000-07:00 (updated 2015-07-15T12:03:39.346-07:00)
Commentary::Internals
Audience::All
UUID: 1af6f74e-015a-4cc6-a668-181a083b1850
Earlier today, I published #101, since 2013-03-17. A bit of a milestone, I guess, though I don't pay much attention to that sort of thing; I totally missed #100.
It does bring up a bit of a question, though. Some time ago, I mentioned that I wanted the date of publication right up top, where viewers would

A SOHO Router Security Update
Published 2015-05-13T13:30:00.001-07:00 (updated 2015-07-15T15:10:46.148-07:00)
Commentary::Network
Audience::All
UUID: 6cb54b70-6f80-4959-bb8b-c8d20fc07e93
In April, 2014 I published Heartbleed Will Be With Us For a Long Time. One point of that post was the miserable state of SOHO router security. I referenced /dev/ttyS0 Embedded Device Hacking, pointing out that /dev/ttyS0 has been beating up on these devices for years. If you don't feel like reading my

Sharing is Complicated
Published 2015-05-07T15:49:00.000-07:00 (updated 2015-07-15T12:03:39.351-07:00)
Commentary::Internals
Audience::All
UUID: bd74c00b-02cd-42b4-8d62-514dfab4b217
There are a lot of things I want to share, from images to code. Roadblocks are often unexpected, and can be weird as hell e.g. file-naming issues with my camera that began at the same time that I modified the copyright information that is stamped into EXIF data. The solution to that probably involves adopting

Exploring System Data: Use Anything but bash.
Published 2015-04-20T15:10:00.000-07:00 (updated 2017-08-26T09:13:38.875-07:00)
Recommendation::Language
Audience::Intermediate
UUID: 4e163e7c-ec63-430e-83e2-605e9df95526
In a gmail conversation related to changes to the Linux kernel, I asked whether anyone still used gnuplot, which was used in the example. Because one of the first things you do when exploring data is to look at the distribution. Duh.
Of course, I am sure that gnuplot is still in constant use. People