We have scheduled our first Developer course for April in Pretoria, should you know of anyone in your area that would like to attend.
- Hacking by Numbers - Developer Edition (28-30th April)
Information about the course:
A registration form can be downloaded from [here]
Otherwise please mail [firstname.lastname@example.org] for more information.
A little while back i commented on Marcus Ranums HiTB talk "Cyberwar is Bullshit!". I ended the post with the words "Ranum is indeed much better than this..". Ranum spoke recently at Source Boston, and his talk [The Anatomy of Security Disasters] indeed shows this is true..
If you are in the industry to make a quick buck, or because it beats flipping burgers at McD's, you probably dont need to, but if you are involved with security decisions at any level, then you really should take a few minutes to digest his talk.
If i have any criticism of the piece, it is simply this: Ranum frames the issues in terms of computer security, but actually the behavior he describes is pretty symptomatic of dysfunctional management in general.
"there is a huge disconnect between what management hears and what they are told — a disconnect so severe that senior management .. can deride security practitioners as "whiners" while still expecting them to enable business securely"
His timeline of a disaster is spot on, and im sure is something that will cause vigorous head nodding from readers all over the planet:
"At the beginning of the disaster, a bad idea is proposed. Often, someone immediately tries to shoot it down, or point out its flaws. In very rare corporate cultures, the idea dies there and the whole disaster is averted. More typically, the bad idea survives - as does the trail of Emails pointing out the initial flaws.
Next comes the most interesting part of the disaster. Suppose management is duly and accurately apprised of the fact that the idea is bad. If the idea is something management really wants to do, there is sometimes a period of negotiation, or re-tuning. The idea bounces back and forth and has various tweaks applied to it, but two important things remain:
Then comes the most crucial part of the disaster: the point at which management's expectations begin to form a reality gap. Generally, this happens because management believes it has set out some objectives, and does not realize that those objectives are being renegotiated because the basic objectives are literally impossible or simply ridiculous.
Up in the corner office, they see people working hard on making the idea come to fruition, plans are being made and considerations are being weighed. The trade-offs that are being made, which place the organization at risk, are being somewhat improved with compensating controls, but nobody has been able to break it to the corner suite that we're still dealing with a fundamentally bad idea. More importantly, still, the compensating controls may serve to obscure the fact that they amount to little more than butt-covering. In the most dysfunctional organizations, you get senior (or sometimes mid-level) executives who 'shop a bad idea' until they find someone who is willing to tell them it is good."
I originally planned to include only small sections of Ranums talk, but felt i couldnt leave those snippets out.. I have sat in on more than my fair share of executive meetings, and his words ring true wether it relates to security decisions or even just strategic ones.. I love the Feynman report he quotes, and firmly believe that one of the biggest challenges we face is trying to break the insane "reality gap" that seems to prevail in boardrooms across the globe.
"Simply put, such disasters are purely the fault of poor management; managers who 'shop' bad ideas, or who create organizational cultures in which staff that point out problems are "whiners" or "nay-sayers." Unfortunately, in most businesses, senior level managers are recruited for being "can do" types who get the job done, which means that you're particularly in danger of having to deal with a senior executive that is comfortably living with a serious reality gap"
Way back when i was a sysadmin, i recall reading a quote from one of the ATT greybeards who said something to the effect of "every competent sysadmin should be able to build his own network card".
Of course most of us have spent tons of time ripping apart electronics and "watching what happens when you connect X and Y", but unlike the electronic engineers with their oh-so-cool multi-meters ive never actually done any plc programming..
Which is why i think arduino has so much of promise. Other than the cool stuff that people are doing with it, its cool just cause its going to get a whole bunch of people tinkering with hardware and sensor based computing.
As a self confessed noob, i took great pleasure in going from 10 lines of code, to a blinking LED!
(i have placed the board next to a standard sized business card as a size reference - its much smaller than i expected (in my mind i imagined a NIC2000 type green PCB, not the prettyness that is the Duemilanove (Made in Italy, should have known!)))
The sentiment pops up periodically (in different forms) and it seems like CansecWest this year has seen a resurgence of it.. From Charlie Millers comments on the Safari bug:
"Did you consider reporting the vulnerability to Apple?
I never give up free bugs. I have a new campaign. It's called NO MORE FREE BUGS. Vulnerabilities have a market value so it makes no sense to work hard to find a bug, write an exploit and then give it away. Apple pays people to do the same job so we know there's value to this work. No more free bugs."
to the art captured by Garett Gee:
(Alex Sotirov && Dino Dai Zovi)
As usual this sparks loud debate on both sides. Ross Thomas from SophosLabs came out loudly against Miller for being "so breathtakingly cavalier about the safety of my data and the privacy of my personal information" (sic)
Personally i must confess that i find Rosses reasoning pretty dodgy, but i recall having a similar discussion at 04h00 in the morning with singe in a Las Vegas food court..
PS. oh.. almost forgot, it doesnt matter which side of the argument-line you fall on, you have to give props to Internet Security's latest rockstar - the hax0r known as Nils for his elite browser trifacta [Safari|IE8|Firefox]
PPS. Oh.. can we please stop people talking about how the machines were hacked in X seconds. It makes a good headline, but its annoying..