An Information Security Place

Commentary on the State of Information Security
Filed under Security

This is one of the funniest videos I have ever seen.

http://www.thewebsiteisdown.com/

Vet

Posted by Michael Farnum on Friday, July 4th, 2008


Filed under Security

I would like to announce my new partnership with TradePub.com.  They offer a lot of subscriptions to trade publications and whitepapers that are relevant to many different industries.  The Resource Center is over on the left in the first sidebar.  You can choose a category using the widget there, or you can just click on the top of it and go to the page to choose more resources.  I hope you find some stuff there you can use. 

Vet

Posted by Michael Farnum on Thursday, June 26th, 2008


Filed under Security

I have been off this whole week working at Vacation Bible School at our church.  I am in charge of eleven screaming kindergartners.  Hmmmm… security or 5 year olds?  Those kids make Russian hackers look like weenies. 

Vet

Posted by Michael Farnum on Wednesday, June 25th, 2008


Filed under Security

 

I wrote a post here the other day that explained that I would not be loading FF3 on my laptop until some flaws were discovered and fixed first.  Then I wrote a post over at my CW blog the next day after a flaw had been found (you need to go read the post to understand the rest of this post).  It was not an "I told you so" post.  Rather it was a post asking people their motives in downloading and installing FF3 so quickly.  After all, this was a MAJOR upgrade, not a bug fix.  Of course, that just pissed off ol’ NickF (whoever he is).  His comment is below:

1. It’s faster, much faster than FF2, mostly in handling JavaScript. And yes, it is MUCH faster than IE7. Before you brag about IE7 being faster than FF2, you should look at FF3, to see how FF2 and IE7 are slow.

2. It’s much more efficient than FF2, and IE7, less memory is used, and more efficiently.

3. The world my friend, moves on. It’s called progress. Since FF3 is free and it’s a proven enhancement over the current version, you might want to give it a try. Besides, would you hold on IE8 when it comes out? Would you refuse an automatic update from MS? About Safari?

I honestly hate when people criticize products they haven’t even tried. It’s not FF vs IE flamewar that bothers me, it’s really the lack of spirit in trying something new before writing an otherwise pretty pointless article.

And since I didn’t want to aggravate any of my editors over at CW, I am writing a reply here.  I am, however, linking to this post in the comment section over at CW.  So here goes:

@NickF,

"Before you brag about IE7 being faster than FF2, you should look at FF3, to see how FF2 and IE7 are slow."

First, I have no reason to brag about IE7.  I was not on the IE7 development team.  Second, and more importantly, did you even read my post?  I said I would download FF3 WHEN they have made some fixes. 

"Since FF3 is free…"

IE7 is free.  It comes with the operating system.  Oh wait, you have to pay for Windows, so it’s not free… semantics.  You can get either one, and you’re not shelling out money for it.  You might not be able to get IE anywhere but on Windows, but hey, that’s good for FF, right?

"…and it’s a proven enhancement over the current version, you might want to give it a try."

Again, did you read my post?

"Besides, would you hold on IE8 when it comes out? Would you refuse an automatic update from MS? About Safari?"

Nice question to ask a security person.  The answer is "Yes".  I don’t load major updates on major apps that have huge potential to be avenues for malware, etc. until I have done some investigation.  That is why I have said I won’t load FF3 for a bit.  I did not load IE7 for months after it came out.  The only reason I loaded the newest Safari was because it was a bug fix for a flaw.  It went from 3.11 to 3.12, not 3.11 to 4.0. Big difference.

"I honestly hate when people criticize products they haven’t even tried.  It’s not FF vs IE flamewar that bothers me…"

First, I am glad you honestly hate it instead of dishonestly hate it.  That’s so much better.  Second, did I flame any browser? No.  Did I criticize?  No. If anything, I did the opposite of flame and criticize (whatever that might be called).  I said "I use FF.  I also use IE, and I also use Safari for Windows (yes, I updated to 3.1.2) because I like features in each."  AGAIN, did you read my post?

"…it’s really the lack of spirit in trying something new before writing an otherwise pretty pointless article."

Come on, NickF.  I never said you should NEVER go to FF3.  I never said IE rules and FF drools.  I never said anything bad about FF as a browser other than it is susceptible to some of the same flaws.

So, one last time.  DID YOU READ MY ARTICLE????????????  Or did your knee just jerk when someone dared question FF3?  My article was about asking motives.  If you would have calmly digested my article rather than just reacted, you would have seen my points.  Instead, you couldn’t resist moving this issue to the religious side of the aisle.  You claim to be honest about your motives, but you’re not.

Vet

Posted by Michael Farnum on Saturday, June 21st, 2008


Filed under Security

I apologize if you have made some comments in the last few weeks and they have not shown up.  I get an email from Intense Debate that comments need moderation, but sometimes I miss them or don’t read the email correctly or whatever other lame-brain excuse I can come up with.

They should be there now.  I know you all were wondering what was going on. :)

Vet

Posted by Michael Farnum on Friday, June 20th, 2008


Filed under Marketing, Security, Security Reselling

OK, Armageddon is officially here.  Alan Shimel has made the comment that security marketing might not be "worth the paper it is written on".  Holy crap.

Though I am just having some fun with Alan, this still makes me wonder if the comments from Greg Ness (quoted in Alan’s post) are right.  Are the days of "entrapment marketing" over?  I am not in the position of getting a thousand calls everyday as a security manager anymore, but I do see a lot of those whitepapers still out there.  I still get a lot of email asking me to download them.  But Greg is also right that social media is taking over a lot for this.  That is why I created a talk / presentation where I talk about how to use security blogs as research tools.

Marketers MUST recognize this trend.  I still see a lot of old school marketers out there trying the old ways.  These people are either not adaptable, or they just have been under a rock for the last few years.  I get too much info on new products and trends from blogs for it to be worthwhile to download whitepapers that some vendor wrote.  Just doesn’t make sense.

Thanks for the post, Alan.  I am in Heaven! :)

Vet

Posted by Michael Farnum on Thursday, June 19th, 2008


Filed under Security

I’m waiting.  Sorry I couldn’t contribute to "Download Day".  I guess I could have pulled it down and not installed like Martin, but I didn’t.  I just didn’t want to waste my time because I know there will be a new release in a few days that fixes a bunch of crap, and probably another one soon after that.  I know it is Firefox, but they are catering just as much as MSFT anymore, so there will be vulnerabilities.  I don’t feel like making my machine vulnerable to anything else.

Vet

Posted by Michael Farnum on Thursday, June 19th, 2008


Filed under Rant

I get a lot of foreign-language spam, and most of it gets sent to junk and deleted.  So while searching through my email today, I ran across these three emails.  The bottom two emails are identical, but when I saw the first couple of words, I thought they were foreign and almost hit the delete key.  Then I noticed they were from companies with crazy names.

image

Is it just me, or are these company names getting crazier and crazier?  Do they run these things through a random word generator or something?  And sometimes I wonder why they even bother since they are probably just going to get bought in a couple of months anyway.  Might as well just call them "Company A".  Does the name mean that much?  I know sometimes I get kinda confused when a tech company name does not reflect at all what they do or produce, but come on.  Anyway…

</rant>

Vet

Posted by Michael Farnum on Wednesday, June 11th, 2008


Filed under Security

Well, I was hoping for more people (it is hard to tie Houston people down), but I am counting this BayouSec as a success because of the presentation by Adam Pridgen (see below).  Adam reverse-engineered a bot and stepped through the process for the group.  I have to say that much of it was at a level I don’t play in since I am not a developer, but the process was very interesting to see. 

If you live in the Houston area and didn’t get to make this one, please consider getting to the next one (haven’t set a date yet).  I am working on getting more people to speak.  Some of the smart guys at Alert Logic have said they would do some talks, and I plan on doing a couple myself (who wouldn’t want to see that, right?… RIGHT??)

Here’s Adam’s preso and the video that went with it.  The video is kinda hard to see at times.  Too many windows and too small a font.  But Adam said it was his first time at doing the video capture.

Adam’s Presentation

Adam’s Video

Vet

Posted by Michael Farnum on Monday, June 9th, 2008


Filed under Security

It is at the Alert Logic facilities @ 1776 Yorktown, 7th floor, just south of the Marathon Oil tower on San Felipe.  It will start at around 6:30pm.

Below is the information on the talk and the speaker.  I expect the talk to last about 25 minutes, and then it will be open to questions and comments.  We can just let it grow from there. 

Thanks to Adam Pridgen for volunteering for this.  In the future, if you have something you want to speak on, please let me know.

Michael Farnum

—————————-

Speaker:

Adam Pridgen

Title:

Reverse Engineering Software with Basic Protections

Summary:

The presentation will cover the basics of reverse engineering malware or any other software protected with basic protectors and packers using ImmDbg, IDA Pro, LordPE, ImpRefound, Wireshark, and an IRC server.  The presentation will walk through dumping the malware to disk, and then cover the general process I used to identify the command structure, functionality, and required parameters to interact with the malware sample.

Bio:

Adam Pridgen is an independent security researcher and contractor.  Previously, he worked for Foundstone Professional Services where he was involved with code reviews, threat models, penetration testing, among other tasks such as teaching and lab development for the Foundstone’s Ultimate Hacking classes.  Prior to Foundstone, he spent a little over five years in the security community working on software development projects, software testing, and in telecommunications for a variety of organizations.  Adam’s most notable accomplishments include an MS and BS in Electrical and Computer Engineering and an Honorable Discharge from the US Army.

—————————-

Posted by Michael Farnum on Thursday, June 5th, 2008


Filed under Rant

Why is it when you praise Vista or slam Mac, you are a dumbass and a MSFT shill, but when you praise Mac and insult Vista, you are a wonderful and enlightened person?  This comes from observation of the blogs over at Computerworld (blatant plug - I blog over there as well).

Look at Seth Weintraub’s blog.  His blog is called Apple, Ink.  He writes about Apple and the wonders contained therein.  Look at his ratings.  Very few are anything less than +20, with many +30 and above.

Now, look at Preston Gralla’s blog.  His blog is called Seeing Through Windows.  He is typically pro-MSFT and even fairly anti-Mac.  Now look at his ratings: -100, -103, -182… Sheesh.  And he gets flamed every time in his comments as well, constantly being accused of being on the MSFT payroll. 

I don’t have a Mac.  I run XP on my laptop, and my wife’s new Dell has Vista.  And honestly, I wanted to try a Mac when we started looking for a new computer.  But the reason I didn’t buy one was because of price.  An Apple would have cost me twice as much money.  I can’t use the learning curve argument because Vista and Office 2007 changed everything up and drove my wife batty.  But at least it was a lot cheaper than a Mac, and it is damn fast (quad core, 3 gigs RAM, 7200 RPM SATA, HD, 128 meg nVidia video card, etc etc).

So if you own a Mac and you think it is the best thing since sliced silicone, then more power to you.  Just get off your preppy horse with a quasi-Mohawk and an earring and quit telling us PC owners that we are stupid.  Sheesh…

Vet

Posted by Michael Farnum on Tuesday, June 3rd, 2008


Filed under Security

OK people, we have a speaker for BayouSec. It will be on June 5th at the Alert Logic facilities @ 1776 Yorktown, 7th floor, just south of the Marathon Oil tower on San Felipe. It will start at around 6:30 (finding that the later time is better).

Below is the information on the talk and the speaker. I expect the talk to last about 25 minutes, and then it will be open to questions and comments. We can just let it grow from there.

Thanks to Adam Pridgen for volunteering for this. In the future, if you have something you want to speak on, please let me know.

—————————-

Speaker:

Adam Pridgen

Title:

Reverse Engineering Software with Basic Protections

Summary:

The presentation will cover the basics of reverse engineering malware or any other software protected with basic protectors and packers using ImmDbg, IDA Pro, LordPE, ImpRefound, Wireshark, and an IRC server.  The presentation will walk through dumping the malware to disk, and then cover the general process I used to identify the command structure, functionality, and required parameters to interact with the malware sample.

Bio:

Adam Pridgen is an independent security researcher and contractor.  Previously, he worked for Foundstone Professional Services where he was involved with code reviews, threat models, penetration testing, among other tasks such as teaching and lab development for the Foundstone’s Ultimate Hacking classes.  Prior to Foundstone, he spent a little over five years in the security community working on software development projects, software testing, and in telecommunications for a variety of organizations.  Adam’s most notable accomplishments include an MS and BS in Electrical and Computer Engineering and an Honorable Discharge from the US Army.

—————————-

Vet

Posted by Michael Farnum on Wednesday, May 28th, 2008


Filed under Bull Shiitake, Business of Security, Commodity Products, Convergence, Security

…for this interview?  It is titled "Embedding security has drawbacks says TippingPoint chief architect", but the explanation Brian Smith gives is about as weak as the American dollar.  Did TippingPoint marketing write the questions?  Sheesh.

Look, there is a need for embedded security AND security on the edge.  It really comes down to your business.  When good and fast security becomes built into the switch, I will look at it and judge its merits for MY BUSINESS (or my client’s business).  But this whole thing about switching and routing technology being outpaced by security technology is the largest piece of crap answer I have ever heard.  Of course the security technology is outpacing it.  That is because security is hot, hot, hot right now, and it has been for the last few years, whereas routing and switching are routing and switching.  But what does that mean??

Mr. Smith, was the incorporation of IPS into 3COM switches a "fool’s errand", as you called it at 3:21 in the video?  Does that mean that you can’t incorporate the two?  Does it simply not work?  Is this just not feasible?  Of course not.  The reason you are saying this is because the 3COM / TP deal fell through for other reasons.  Plain and simple, 3COM was not in any kind of position in the switching market to make a dent.  I wrote about this a while back.  Here’s most of that post:

When I was an infosec manager, I was a TippingPoint customer. When I bought the TippingPoint box, stand-alone devices were still all the rage. UTM and NAC were pretty much still new terms. But right about the time TippingPoint was bought by 3com, the convergence track had started to emerge. Cisco was really getting into putting different devices in their switches. Things were really starting to move in that direction, and 3com probably thought they should do the same.

But just in case things were not what they seemed, 3com decided to test the waters (conjecture on my part, but plausible conjecture nonetheless). So they surveyed their customers (or TippingPoint customers, at least). I received one of these surveys. Among other things, it asked if I would buy a 3com enterprise switch with a TippingPoint IPS blade integrated into it. Understand that I come from the network engineering world. I have installed and configured many a switch and router. And for the immediate 4-5 years before this survey hit my inbox, 3com had been about as present in the enterprise switch space as a woman at an ISSA chapter meeting. The biggest place you saw 3com was on a NIC or a little white 8-port hub in a room full of cubicles. So, I answered a definitive “not no, but hell no”.

To clarify (if the above didn’t explain it well enough), it was the 3com switch that threw me. I wasn’t unhappy with TippingPoint (except that they had been bought by 3com). I liked the box. It served me well. If I could get a TippingPoint blade for the 4506, I would have seriously considered it. But there was no way I was going to replace my Catalyst 4506 with a 3com switch, no way, no how.

Of course, I cannot answer for every TippingPoint customer who received the survey, but I can guess that many of them answered the same way. And this makes me wonder if 3com and TippingPoint are sitting in ivory towers and ignoring the trends because it doesn’t compute that people don’t like their switches.

And to add one more thing that may add some credence to my hypothesis: I also had a couple of 3com reps come out to visit me during the final months of my tenure as an infosec manager. When my boss and I told the 3com guys that we would not consider in any way replacing our current switching infrastructure with 3com because of our impression of 3com as a serious player, they were completely surprised by our attitude. Now maybe they had never received that reaction before because we were just a little more harsh and up front with our opinions. But my immediate opinion was that they really didn’t know they had that kind of reputation. Maybe it is just me that thinks this about them, but I don’t think so.

 

So basically, what it came down to was that 3COM did not impress me, so I would never have bought their switches.  The IDEA was a good one.  They recognized that it was a good one.  But they could not make it happen because no one wanted to buy 3COM switches.  Plain and simple. 

Now let us get back to the business of security while you guys go try to fool a few more people.

Vet

Posted by Michael Farnum on Wednesday, May 28th, 2008


Filed under Business of Security, Crime, Data theft, Rant, Security

The Internet is a nuisance. Really, it is. It never ceases to amaze me how much "trouble" the Internet causes.  Now I will be the first to say that it is possibly the best innovation in human history. But at the same time, it has also caused more problems, headaches, and heartaches than almost any innovation that I can think about. And it continues to redefine everything we do as a society and a race.

I know this is really not news, but it just struck me when I was poking around the news this morning and ran across this article about some websites looking to sue the state of Oregon over publishing laws online (I have written about issues similar to this about governments and publishing SSN’s online here and here).  Here’s some of the opening paragraph:

Both Justia and Public.Resource.Org have been at loggerheads with the State of Oregon over their desire to publish the state’s complete body of law online, for free. While that sounds noncontroversial—state law even requires the laws to be offered as widely as possible—the state’s Legislative Counsel Committee claims copyright over portions of its Revised Statutes.

And as I started to think of something to write about this, it struck me that this was really just a symptom of a larger issue. Basically, the problem is that no one has figured out just how to deal with these issues because we have moved so far so fast in the last 15 years.  But why can’t we catch up? 

Seriously, we have been moving at the speed of light with technology for the last 100 years or more, and we have always been able to catch up with safety and laws pretty fast.  Cars were invented, there was the first crash, and then we started figuring out that we need to have some kind of traffic control.  It may have been a while before it was worth a crap, but we caught up relatively quickly.  Then there were airplanes.  The Wright Brothers invented it (I have heard that it is debatable), then they crashed it and killed someone, and we figured out that we needed to make this safer.

Honestly, I don’t know how quickly people started figuring out that these types of things needed to be regulated.  Likely it was all about risk since there weren’t a lot of planes or cars around when they were first invented, so a lot of safety was needed yet.  But we got smart eventually.  Consider this quote:

It’s like trying to predict back in 1910 the impact of the automobile on society - the highway system, gasoline refineries, motels instead of hotels, new dating patterns, increased social mobility, commuting to work, the importance of the rubber industry, smog, drive-thru restaurants, mechanized warfare, and on and on. The net will bring more than quantitative changes, it will bring "qualitative" changes. Things that were impossible will now become inevitable. – Larry Landwehr, 1993

The move to adopt the Internet and the rush to make it better and faster just came too quickly.  Just like the Wright Brothers probably didn’t imagine planes that could traverse the globe in a matter of hours, the inventors of the Internet never really factored into their design a world wide public network that had to contend with a bunch of thugs trying to steal everyone’s information.  They were trusting souls who figured it would just be a bunch of geeks from colleges talking to each other over email because they couldn’t get a date.

But it became so much more so much more quickly than anyone imagined.  And it pervaded everything.  And now it is a struggle to catch up because the people who are really trying to fix the problems are often contending with the bad guys and the people who look like they are doing something and are really just riding the gravy train that the security issues have created (I have been guilty of that and still am in many people’s eyes since I sell security services and products).

So how do we fix this stuff?  Well, short of bombing us all back to the bronze age ("Stone Age" is so overused, and bronze is shinier), I really don’t know.  There are theories abounding.  Some people say we need to go back to the people and get them to buy in to doing things right.  Some people say we need to leave them out of the equation and just implement technology.  Others say we should just start over from scratch and build in security from the ground up.  There are books upon books and speakers upon speakers (two more lucrative by-products of bad security) talking about security and the Internet.  But it all keeps coming back to one thing: we’re still insecure.

What I don’t understand is how the bad guys keep figuring out how to break in when we supposedly have people out there trying to find the flaws before they do.  Is it simply a numbers game?  Do they have that many more people looking than we do?  Do they have a much more lucrative job than we do, so they are better motivated?  Is it because the countries in which many bad guys reside don’t give a crap or just don’t have the resources to catch them?  All of the above?  What else?

How do we get ahead of this?  How can we put the same amount of resources into this to find the vulnerabilities before the bad guys?  People have tried to create communities and projects where they pay for vulnerabilities.  But there’s no guarantee that they are the only ones getting the results of their research. 

You know what?  I don’t see an end to this.  I think there is really no way to fix it.  This simply is a human problem.  There have always been bad people, and there always will be.  And since humans are imperfect and will make mistakes, the bad guys will find ways to exploit those mistakes.  There are smart people on both sides, and they will continue to struggle against each other forever (I know, kind of melodramatic).  All this talk about "security should have been built in" is just a pipe dream.  Security Nirvana is not possible.  There will always be mistakes.  Every time we come up with something new, someone figures out how to break it.  And yes, part of that may be because it is based on old, insecure technology, but the human element will always creep in.

I just don’t see another way.  Yes, there can be some model changes when it comes to how stuff is sold and what really works and other things can be factored in to make change happen on a substantial level.  But this is really what we have to work from.  I know there is a lot of room for discussion here, and I welcome it.  Please help me see this differently.  But for right now, this is how I see it.  I am not being cynical.  I am not quitting on security.  I just think it is going to be a protracted battle that will require dedication and persistence. 

Vet

Posted by Michael Farnum on Thursday, May 22nd, 2008


Filed under Security

image

Vet

Posted by Michael Farnum on Thursday, May 22nd, 2008


Filed under Security

OK, I know I started a personal blog so I could keep this place security centric, but I really just don’t like doing that.  As Alan would say, this is my blog, and I will post what I want.  So I have decided to start putting personal stuff over here again.  That being said, here’s a personal post.

Meet Lizzie:

 img037

She is a German Shepherd / Rottweiler mix that we adopted from the SPCA.  We really went in there looking for a smaller dog, but she (corny alert) captured our heart before we really had a chance to look (I’ve heard the dog picks the family, not the other way around, and I believe it now).  She is three months old, and she is already showing me she is one of the smartest dogs I have ever met.  And the family loves her already, even though the kids have felt the wrath of sharp puppy teeth from playing with her.

By the way, she is named after Elizabeth Bennet from Jane Austen’s Pride and Prejudice, even though I am pretty sure Austen spelled her nickname "Lizzy".  Austen is a favorite author of my wife and me.

Vet

Posted by Michael Farnum on Monday, May 19th, 2008


Filed under Security

Need a good one-liner?  Take a look.

Vet

Posted by Michael Farnum on Friday, May 16th, 2008


Filed under Security

…make Michael a low-volume blogger.  I have been back and forth between Houston, Dallas, and Austin over the last couple of weeks, and most of those trips have been driving.  So, when I get to my hotel room or back home, I am just worn out.

And work has been pretty hectic lately as well.  I have two statements of work due today that are pretty dang big, and I have a couple of conference calls to boot.

So all of that translates into low volume. 

I’ll be back…

Vet

Posted by Michael Farnum on Friday, May 16th, 2008


Filed under Blogging Buddies, Movies

OK, as much as it pains me, I have to respectfully disagree with The Shimel about his review on Iron Man.  First off, I really think you have to have some knowledge of the Iron Man comic story to truly appreciate this movie.  Clearly Alan does not have that history (and he is probably going to call me a dork or something since I do) when he makes statements like this:

I didn’t understand how he got the superpower, it was just a powered suit and how it worked was pretty silly.

HOLY CRAP!!!  That is near heresy in the Marvel Universe!  Tony Stark does not have powers other than he is extremely intelligent (I believe he developed some extrasensory powers one time, but I have not collected and read comics for a while).  That is what enabled him to make the suit and the piece of technology that powered the suit.

I have to say that while I do agree with Alan that the movie is predictable, I also must say that it is thus far the best big-screen representation of a Marvel Comics character.  It stayed very true to the original story, which is always very important to me.  In contrast, the Hulk movie was horrible and boring (have more hope for the next one), Daredevil was just pure idiocy (mostly because it had Ben A Fleck in it - though the playground fight scene was almost as bad as the ice skating scene in King Kong), the Spiderman series has always been underwhelming (they have screwed that story up so bad that Spidey might as well be shooting webs out his ass), The Fantastic Four movies were just…well, I wish they weren’t (especially since they royally hosed Silver Surfer’s story and character, which really pissed me off since he is my MOST favorite Marvel character of all time), and the X-Men movies, while pretty dang good, were still off on the story lines.

I guess what this all comes down to is three categories:

1. You have no preconceived notion of what the movie was about, so you can enjoy it or dislike it without baggage

2. You thought you had some idea what the history of the characters is, so when you see something other than what you expected you don’t like it (similar to Alan’s review in this case)

3. You are intimately familiar with the story line pre-movie and either love the movie for being accurate or hate it immensely because they screwed the story up completely.

Of course, then there’s the fourth group that would not go see the movie if they were strapped to a wild team of mad donkeys (my wife falls firmly into this category - love you baby).

So anyway, now that I have blown off some steam, I think the movie was good precisely because Tony Stark did NOT have superpowers.  He didn’t in the comic, and he didn’t in the movie.  Just a really smart dude who knows how to build really cool toys that just happen to blow up crap.  Kinda like Batman (yes, I know he is DC).

Man, I know way too much stuff about comics.  Oh, here’s a picture of me with The Hulk.  It’s remarkable how close our builds are, isn’t it?

img033

And here’s what I looked like after I read Alan’s post on Iron Man:

image 

UPDATE:  I think I will use the Hulk picture in the same way I use my Orange Juice Award picture, except it will be reserved for when someone pisses me off…

Vet

Posted by Michael Farnum on Tuesday, May 6th, 2008


Filed under Blogging, Me

OK, I am going to do a little self-pimping here.  For those of you who have been reading my blog for a year or so, you probably know that I also blog over at Computerworld.  But if you haven’t been around a while, or you just plain missed it, please go take a look when you get the chance (and subscribe to the feed).  My writing is typically a little more subdued over there, simply because CW can’t have me calling people an ass

Also, there are a lot of blogs over at CW, and they have a bunch of different subjects.  The site is great (it has won some awards), and the editing staff is awesome as well.

OK, self-pimping is over.

Vet

Posted by Michael Farnum on Sunday, May 4th, 2008


Filed under Security

First, let me be very clear that I have, in the past, downloaded music illegally.  I have also used pirated software in the past.  And while I can’t say that every song I have on my iPod is legal (simply because I can’t remember where I got some of them), I can say that I discontinued the use of pirated software a while ago.  So, moving on…

Don Tennant is an editor over at Computerworld, and he is also a blogger.  He recently posted a story that his son wrote while attending Worcester Polytechnic Institute in Massachusetts.  The story was about a group of pirates (software, music, and movie pirates - not the kind who says "ARGH") at his school who were very prolific in their pursuits and ended up getting caught and quite busted.  It is a great read, and it goes into a lot of good detail (Don, looks like your son got your writing talents). 

But as good as the story is, my point for this post is the comment that was made on the post.  Someone that didn’t post their name (people like this usually don’t) wrote a fairly lengthy comment.  Here’s the main excerpt that makes me cringe:

Sure what the students are doing is "illegal" but the fact of the matter is that there is nothing that they could ever do to completely stop this type of illegal activity.

Here’s my reply:

I worked for a company a few years back that built apartment complexes at major universities all over the country. We were also the ISP for the students that lived in our complexes. The network became a huge P2P site after a while (as well as a rampant malware playground). We received notices from the RIAA and others on a fairly regular basis about copyright violations coming from our IP space. It was nasty. We ended up putting in "application aware" security appliances and throttled down the traffic for everything but a few known apps. This worked even for traffic being tunneled over HTTP, but anything HTTPS got through. Advances have been made since then, but it is still going on.

But this is not really a technology problem, is it? This is a moral and ethical problem that will never stop because people like Anon put quotes around the word "illegal".

That is really what this is about.  As long as people can justify downloading music, movies, and software illegally, it is going to continue to happen.  This is not a problem that technology is going to solve.  The different industries have tried again and again, but to no avail.  It really comes down to people’s hearts. 

And having made that disclaimer above, I also want to say that I am not writing a "holier-than-thou" post.  I am simply writing this post to say that when you are breaking the law, no amount of quotes around the word "illegal" makes it OK.

Vet

Posted by Michael Farnum on Saturday, May 3rd, 2008


Filed under Commodity Products, Security Consultation, Security Products, Security Reselling

I had a long talk with a client yesterday regarding IPS.  They were setting up a nice sized extranet infrastructure to serve their clients, and they needed to build some security into the design before they implemented.  They had already thought of a lot of pieces, and now they were looking at putting in IPS.  They were already being courted by one IPS company, but they wanted to know about others and what the strengths and weaknesses were.

So as I started into the discussion, I diverged a bit from the pure technical discussion and talked about the view of the network as a whole.  Basically, I tried to get them to look at the big picture of what they were buying versus just an IPS as a single silo.  What I talked about was how the one IPS they were looking at was an excellent IPS, but I also told them that they really had no big advantage over any of the other big IPS vendors in the market.  If you look at the Gartner chart for IPS, there are about 5-7 vendors in the magic quadrant.  Basically, the product is a commodity, just like anti-virus and other mature products.  Though some boxes have advantages over others, they all really can do the job.  Most are able to protect multiple segments and can handle multi-gig speeds.  Most have a default set of policies that are not very noisy and protect against the big threats.  Most are HA capable.  Most have fail open or fail close options. Etc, etc, etc.  Some people might disagree here, and I understand that.  One IPS might have a feature that another one does not that may fit a certain need.  But I contend that in a general sense, none of the big ones really have a huge advantage.

So in that light, what are the factors you have to consider?  Well, it really comes down to the intangibles.  Let’s look at a few of those:

Is the company diversified in their product line?  In today’s converging security market, that tells us whether the company is likely to be snatched up or simply disappear, depending on product quality and whether there is someone out there who has money and has a hole in their product line. 

Product diversification may also mean that the company is trying to take a look at the network as a whole versus just one piece.  If they have developed or bought different products that complement each other and are trying to bring them together in a way that gives insight into the network and allows collaboration, then that type of company is likely planning on sticking around for a while.

In this light, also look at management of the product.  Though this is not exactly an intangible, it is still something that many companies don’t think about.  What about the learning curve for your employees?  Do you already have products from this vendor?  If so, does this new technology fit well into that console, thus lessening the time your employees need to learn it? If a company fits the diversification example above, they might have a problem in this area.  Of course, if they are serious about making it work, they might very well have an EXCELLENT console.  Take a close look.  You also have to consider the talents of your employees with this factor.

Another intangible is support.  How well do they support their product, keeping in mind that the company with one product may be better at this versus the big one with multiple products?

There are probably many other factors to consider here, but the basic point is that when you are looking at a mature, commoditized product (this does not just apply to IPS, obviously), a decision should not be made on technical issues alone.  Look at your business. Look at your risk.  Look at your employees.  Look at the vendor as a whole.  Compare their position in the market to other vendors.  How do they stack up?  Do they seem to have tunnel vision, or are they trying to diversify?  Make sure you don’t let your technical folks make the decision by themselves and then hand you a PO to sign.  They may like the product in the short term, but you have to think long term.  You might piss off the team for a bit, but you can use the decision as a lesson to help mature your staff.

Vet

Posted by Michael Farnum on Friday, May 2nd, 2008


Filed under Security

John Thompson is an ass.  There, I said it.  Whew…

So now, let me ’splain.   I did not really have an opinion of John Thompson until the 2005 RSA Conference (except for the acquisition of Veritas - it made sense to me, but it royally screwed me over at a critical time - explained below).  I just thought of him as another CEO of a pretty successful security company.  Either he had not done enough to stand out to me, or I simply had not paid attention to him up to that point.  Anyway, I was sitting in the audience at RSA 2005, and I had just finished listening to Bill Gates talking about their entry into security.  Like many people, I met this with apprehension and doubt, but I still listened with respect.  But then Mr. Thompson came up after Bill was done, and that respect factor went right out the window (for Mr. Thompson, that is).  He proceeded to rip Bill Gates up one side and down the other, and it was the single most rude and disrespectful display I have ever seen.

Now don’t get me wrong.  I am not a MSFT fanboy.  I have slammed them on many an occasion.  But what Mr. Thompson did was really beyond just trying to head off a competitor.  It was unprofessional, and it smacked of school-yard bully tactics.  And to add to it, Mr. Thompson had a crew waiting at the doors handing out review forms to see what the audience thought of his little speech.  I gave it negatives across the board, handed it back with a sneer, and then slapped the person who handed it to me (OK, that last part about smacking them was made up… but I DID sneer).

Now he is being downright condescending towards McAfee.  When asked how he felt about them since they are viewed as Symantec’s chief competitor, he said:

It’s a nice little company and they do a nice job. The industry needs competition. But we don’t see their portfolio as competing directly with ours. We help customers manage their infrastructures better.

Dude, come on.  Please get off your friggin’ crystal tower.  You can debate your quality versus their quality if you want, but pitiful statements like that are beyond ridiculousness.  Confidence is needed in a CEO.  Arrogance just looks petty.  Eric Hoffer said, "Rudeness is the weak man’s imitation of strength."  You are looking pretty weak, Mr. Thompson. 

BTW, I am not a McAfee fanboy either.  But Mr. Thompson, I have run and managed both your AV products and McAfee AV products in ENTERPRISE settings.  McAfee has ALWAYS beat yours, hands down.  And that is in management, performance, and accuracy.  That is my experience.  And while I have limited experience in some of your other products, I can say that from the outside, your product line looks like a mishmash of crap. 

And your acquisition of Veritas way back when?  I was actually one of the few people who thought that acquisition made sense.  But that also hosed me in so many ways.  Like when I was trying to perform my DR test in Arizona.  I’m a big boy, so I take responsibility for that kind of failure.   But horrible support from Veritas / Symantec single-handedly screwed up my DR test.  Support was already bad at Veritas, and you jacked it up even worse.  Great job.

So there’s my rant.  I hope I don’t get sued for libel. :)  BTW, it looks like someone else out there feels the same way I do about Mr. Thompson (though they said it in a nicer way).

Vet

Posted by Michael Farnum on Monday, April 28th, 2008


Filed under Security

Monday was meetings.  Then spent Tuesday and Wednesday in New Orleans doing an eval install for Bluesocket (actually, the SE for Bluesocket did the install - I was there to learn).  Then I spent all day Thursday driving around one of our sales people from Dallas since she has a few clients down here in Houston (we had some good meetings, so it is worth it).  THEN Friday was spent driving roughly 6 hours (round trip) to Austin for ONE meeting (I also picked up one of our sales guys at the Austin airport - I love being a chauffeur).

That is often the life of a sales engineer.  Driving, flying, installing evals, driving, flying, talking to clients, flying, driving, driving, flying… You get the picture.  Just seems horribly inefficient sometimes.  But all part of the gig.

Vet

Posted by Michael Farnum on Saturday, April 26th, 2008


Filed under Security

Man, Brian Krebs is just trying to talk about the incident over at the Obama blog where someone stuck in some code to redirect visitors to the Clinton website.  And what happens?  Just go over to Brian’s site and read the stupidity.

What is it about politics that brings the worst out in people??

Vet

Posted by Michael Farnum on Tuesday, April 22nd, 2008


Filed under Fun, Hilarious, Security

Diebold Accidentally Leaks Results Of 2008 Election Early

Posted by Michael Farnum on Monday, April 21st, 2008


Filed under Careers, Cool, Musings, Personal Development

My pastor writes a blog on our church website that I follow, and today’s message was very good.  Here’s an excerpt:

Life is a long series of “moving-up-a-level” experiences. We move from kindergarten to first grade, or from middle school to high school, or from engineer to project manager, or from club member to club president, or from team member to team captain, or from salesman to sales manager, or from second string to first string, or from busser to waiter. 

In this “moving up” process we spend a lot of time and energy desiring to move up and wanting more responsibility and more money and more control and more recognition—and we spend very little time and energy considering the struggles that are coming with that new level. At new levels there are new challenges.

 

This really struck me.  Almost everyone thinks about the next level and what it would mean for them.  Like Pastor Dave says, it means more money, more control, more power, more fame maybe.  But if we would just stop to see what bad things that new level involves, we might not be so eager to make that climb.

Now, Pastor Dave is in no way saying we shouldn’t strive for the next level.  Look at this quote:

There is nothing wrong with desiring a new level in life—just be sure you are prepared for the new devils at those new levels.

Obviously this is written from a Christian perspective, so you will have to apply the term "devil" to whatever your belief system happens to be.    "Devils" can be a term that can be used for any issue that arises when you move on to new challenges, no matter if you are Christian, Buddhist, Jewish, Muslim, atheist, or whatever.  But the message still applies.  Moving up brings new challenges.  Those can be exciting, but you might want to make sure you are prepared for those challenges before you start the climb (or even start looking for the ladder).

From a personal perspective, I can say that I made the climb early in my career.  I started in IT during the golden age of the 90’s.  If you had a CNE or even an MCSE, you could pretty much write your own ticket.  Everyone needed a network admin, network engineer, webmaster, etc.  Everyone was growing, and they needed more people to grow with them.  So I sought and got promotions very quickly.  I learned a lot from those experiences, and I don’t regret any of it.  However, I know now through hindsight that I was not prepared for some of those jumps.  I struggled through a lot of those new jobs and levels.  I happen to learn better through doing, so it was good for me.  But not everyone learns that way.

So basically, use caution when seeking that next level.  Be patient and honest with yourself.  Sometimes delayed gratification is better.  Always seek to better yourself, but make sure you are doing it in a smart way.

Vet

Posted by Michael Farnum on Thursday, April 17th, 2008


Filed under Security

I just received a nice little USB stick from LogLogic.  It has a bunch of info on how to sell their new MX line of products.  That’s great.  Seems to be a good idea.  But guys, you DO know what these are used for, right?  They immediately become wiped (that is, if the person is not too paranoid to actually use it).  Hopefully the person copies off the material before they wipe it, but that obviously cannot be guaranteed.

So here’s my gripe.  If you are going to give me a flash drive and want me to sell your stuff, make the drive 1 Gig or more.  This 512 meg crap just don’t cut it.  Dr. Anton, speak to your marketing people, man!

BTW, eEye did the same thing last week at RSA, but their drive was 1 gig.  Kudos to the eEye marketing folks!

These branded flash drives also make great attack tools.  The random USB drive might not be trusted.  But if it is branded, why not?

Vet

Posted by Michael Farnum on Wednesday, April 16th, 2008


Filed under Security

I have announced a few new security blogs here at An Information Security Place over the last couple of years (yes, I have been here for over two years now - just realized that myself).  Well, this time I am not actually announcing a new blog, but a new blogger.  I am specifically talking about Sam Van Ryder, who works over at Alert Logic.

While Sam has been a prolific blog commenter for a while now, he had never taken the next step into his own blog.  I guess he still has not done that, since he is actually blogging at Alert Logic’s blog.  However, he is officially part of the club now, no matter if he has his own blog or is using another platform to do so.  WELCOME, SAM!

Now, fair warning.  Sam works for a manufacturer, so I am sure we will have to hear the party line from time to time.  However, I know those guys over at Alert Logic very well (they are based here in good ol’ Houston), and I can tell you that they have some unwaveringly honest people over there.  So yes, they are going to speak well of their company.  That is to be expected, and I am totally fine with that.  But I know Sam will also be a refreshing voice that will do a whole helluva lot more than be a cheerleader for Alert Logic.  Just go judge for yourself by reading his first post.  His writing style is very good, and he has some good insights.

Great stuff, Sam.  Welcome to the club.  Now people can be star struck by you in a couple of years. :)  And kudos to Misha for getting you on there.  Now if you can kick his ass enough so he will start writing again…

Vet

Posted by Michael Farnum on Wednesday, April 16th, 2008


Filed under Security


I have been getting this crap steadily for the last month.  Driving me nuts.

Vet

Posted by Michael Farnum on Tuesday, April 15th, 2008