I’m on the D-List!
Andrew Hay has been doing a series of interviews with the various unsung heroes of the security industry calling it the “Security D-List”. I’m pleased to say that if anyone asks, I can now say where I rate.
Bored at lunch and sketched this out…
“Son, we live in a world that has firewalls, and those firewalls have to be administered by people with a clue. Who’s gonna do it? You? I have a greater responsibility than you could possibly fathom. You weep for your Internet access, and you curse the security admins. You have that luxury. You have the luxury of not knowing what I know. That the firewall rule set, while convoluted and not perfect, probably saved data. And my existence, while grotesque and incomprehensible to you, saves data. You don’t want the truth because deep down in places you don’t talk about at parties, you want me on that firewall, you need me on that firewall. We use words like “high availability”, “cloud”, “ISO 27001 compliance.” We use these words as the backbone of a life spent defending something. You use them as marketing fodder. I have neither the time nor the inclination to explain myself to a man who surfs and e-mails under the blanket of the very security that I provide, and then questions the manner in which I provide it. I would rather you just said thank you, and went on your way. Otherwise, I suggest you install an IDS console, and stand a post. Either way, I don’t give a damn what you think you are entitled to.”
“Did you block Facebook access from the company?”
“I did the job I…”
“Did you block Facebook access from the company?”
“You’re Goddamned right I did!”
Not up to the same level of Hoff’s creativity, but I found it amusing…
So, a quick post about two things:
1st, I did a presentation to the Boston Chapter of the Association of Government Accountants for their monthly meeting as part of my day job. I’d like to think I did fairly well and there certainly was a fair amount of discussion afterward. In case any of them find their way here in an attempt to find my slide decks, I am happy to oblige:
2nd, I have been selected to speak at QuaghogCon in Providence, RI the weekend of April 24th and 25th. I’ll be departing from my usual “Information Security” speaking groove and instead will be evangelizing Amateur Radio. Sadly, this means I’ll be missing out on B-Sides Boston, but that’s the way the cookie crumbles. Registration is open now and I’ve heard rumors that attendance will be capped at 150, so even if you don’t want to hear me speak, buy a ticket; there are going to be some awesome presentations.
I was very lucky this summer because the Security Office got some funding for training and footed the bill for another SANS course. I opted to go for SANS SEC504: Hacker Techniques, Exploits & Incident Handling. I did an “At Home” course this time, which met three times a week online and was taught by Ed Skoudis and John Strand. While I did like the self-paced learning that I had for SEC503, it was very cool to be taught by the folks that you always heard on and about PSW. Plus, I was able to make snide remarks in the chat window.
As much as I still wonder about certifications in general, I am starting to really like SANS courses. The course wasted little time on the basics and quickly had us rolling up our sleeves mucking about in what I classify as “cool sh*t”. While I did have stretches where I was just nodding and going “yeah… yeah… know that… uh-huh…” I would occasionally see or hear something, go “Oooh!”, and write down some notes. The course consisted of 5 books of material, ranging from incident planning and handling to how to exploit systems, and then culminated in a capture the flag contest. I am ashamed to say the CTF was designed well enough that I could barely establish a toehold on the first server; I guess my days of staying up for an entire weekend and dominating the CTF at Northeastern are far behind me.
Although the course itself wrapped up sometime in the summer, I finally took my certification test today and passed with flying colors. I am happy to report that I have even more alphabet soup after my name and I am now “Ben Jackson, GCIA, GCIH”.
http://www.sans.org/security-training/hacker-techniques-exploits-and-incident-handling-40-mid
In the words of the late, great, Irving Snyder, WA1ETG SK, I have a “tale of woe.” As always, as an employee of the fantastic Commonwealth of Massachusetts, the opinions of this website are my own and not the view of my employer or anyone else.
Late in August, I was in a rush on a Wednesday and couldn’t change my five dollar bill for ones to pay for parking. With the MBTA, they have something called an “honor box” in which you pay your $4 parking fee into a small slot numbered with your space. “No worries…” I said to myself, “…since I am in a rush, I will eat the late fee and just pay them when I get a violation notice.” A brilliant plan, correct? It was, I’ve done it before. Also, since I knew I was likely going to face the same problem on Friday I was just going to pay $10 with the Friday violation notice. This plan crashed to earth when I got the Friday violation notice:
Can you spot the key difference between these two notices? According to the 8/21 notice, I have 8 outstanding violations. This is impressive, as every violation notice previous to this, including the 8/19 notice, hasn’t included a peep about any kind of outstanding violations. So, I place an e-mail to LAZ Parking, as they suggested on their voice mail greeting, to ask them how the heck this happened. They politely provided me a spreadsheet showing that I hadn’t paid my violations numerous times since they took over.
Slight problem: I did pay them.
I’m no angel. According to the spreadsheet I had 16 violations since December 1st. However, I have been extremely thorough in paying my violations since the parking fee increase, specifically because I knew that $5/pop could add up quick. While I cannot specifically say “Oh, hey, I paid that violation on June 23rd” (because really, who remembers that?), there were two violations that I was sure I had paid. Also, apparently, I did possibly owe them $2.75 from a violation in December. I won’t even attempt to remember that.
So, I ask them how I can contest it? Well, simple, I just tell them which spot I parked in during those dates and they can check.
Slight problem: There is no assigned parking at the MBTA.
With the MBTA commuter rail, each spot is numbered and that’s the number you pay for. However, it’s first come, first served. Most days I usually get a spot somewhere between 50 and 100. But really, I now have to keep track of which spot I park in on a daily basis just in case LAZ says I didn’t pay? What? I explained this to the CSR and, after following up a week later asking them if there was any movement on this, she reiterated she needed the numbers.

This brings us to today.
I give up.
That’s it MBTA, you win. You’ve created a system where you can tell people they owe money and they have little to no recourse. You have a cash system, someone can have no proof they paid on random dates and in order to contest it, you make them jump through nearly impossible hoops. I give up. I am bending over and taking it.
So, now, in order to cover my ass:
Plus, just to add insult to injury, halfway through the back and forth with LAZ, I get this on my windshield:
A $15 ticket because I was parking in the lot with an “outstanding balance”
Thanks, MBTA.
Mark, K6HX writes another good article regarding the NSC and ARRL letters and does some math on what we might expect to see if we tried to find evidence on Ham Radio operation while mobile:
There are only about 660,000 or so hams licensed in the U.S. The vast majority of these do not operate mobile. The vast majority of those do probably spend most of their time listening. In such a case, we’d expect that the number of accidents caused to be much lower than those caused by cell phones, even if mobile operation was every bit as dangerous as using a cell phone. The overall instance of accidents may be only 0.1% or less of the levels we see from cell phones. One study estimated that 6000 accidents might have been caused by cell phones in California in 2001. Even if ham radio were as dangerous, we might expect to see only six accidents in the entire year from ham radio operation.
Now, there are some other variables at work that would be interesting to toss around:
However, the kicker of this whole article is not the post by Mark, but a comment done by Schley Cox:
I operate mobile with amateur radio using Morse code. I copy in my head, my eyes never leave the road in front of me and my right hand (sending hand) is not more than 2 inches from the bottom of the steering wheel. I tune my radio by ear only. I work a narrow range of frequencies without ever looking at the radio. Compare all these situations with using a cell phone, or even a mobile radio using a microphone.
My right and left brain don’t have much to do with each other and it doesn’t seem distracting to me to both send and receive Morse code while driving on stretches of highway. If I need both hands on the wheel while sending I simply send AS and the other operator knows to wait for a while. I don’t have to explain to her (or him) why I am stopping sending.
I don’t operate at all on busy highways. Period. There’s not even time to send AS somewhere (like I-65) while careening between lanes at 80 mph trying to keep from getting rear ended by the rush behind.

Holy crap, where do I begin? Mark makes the statement in a later comment that “This is precisely the kind of argument that I think we should all view with skepticism.” and I wholeheartedly agree. I’m scared that Mr. Cox thinks he can do CW in his head and fully concentrate on driving. I will give him credit for at least realizing that doing it on a busy highway is bad, but I hope he isn’t sharing the road with me while I commute. Mark is right to point out that distractions come in all different shapes and sizes while driving: people in the car, twiddling the A/C, and using a mobile phone. It’s foolhardy to think that we are somehow above all that.
Late in July, the ARRL wrote a letter to the National Safety Council regarding the operation of amateur radio while mobile. Joel Harrison, W5ZN, president of the ARRL, lobbied (let’s not kid ourselves, that’s what the ARRL does) the NSC to help them ensure that Amateur Radio is not caught up in no-cell-phones-while-driving laws by waving the bloody shirt of public service.
Amateur radio operators provide essential emergency communications when regular communications channels are disrupted by disaster. Through formal agreements with federal agencies… Amateur Radio volunteers protect lives using their own equipment without compensation. The ability of Hams to communicate and help protect the lives of those in danger would be seriously hindered if… governments do not ensure that Amateur Radio operators can continue the use of their mobile radios while on the road.
Now, don’t get me wrong. I use my FT-7800 in my car on an almost daily basis. I am by no means innocent and I did write my representatives when Massachusetts tried to pass a cell phone ban in 2008. It’s my hobby, I enjoy it, and in the car is the only time I get to “play radio” for the most part. I enjoy talking to my friends via it. I try to be responsible; however, I think that if anyone tells you that they are 100% concentrated on driving while they are playing radio, they’re a bald-faced liar.
President Janet Froetscher of the NSC’s response is very political and does a great job at walking right down the middle by giving a response without giving a response. While everyone is touting the NSC’s statement that “NSC does not support legislative bans or prohibition on [amateur radio] use” and counting it as a victory, the letter from the NSC says some very different things:
We are not aware of evidence that using amateur radios while driving has significant crash risks. We also have no evidence that using two-way radios while driving poses significant crash risks. Until such a time as compelling, peer-reviewed scientific research is presented that denotes significant risks associated with the use of amateur radios, two-way radios or other communication devices, the NSC does not support legislative bans or prohibition on their use.
Sounds like we’re in the clear, right? Well, kind of. Indeed, there is no evidence that using two-way radios while driving poses significant crash risks, but what evidence are we citing that shows there isn’t a link? From the ARRL policy statement on mobile operation:
is aware of no evidence that [mobile] operation contributes to driver inattention. Quite the contrary: Radio amateurs are public service-minded individuals who
utilize their radio-equipped motor vehicles to assist others, and they are focused on driving in the execution of that function.
Hmmm… That doesn’t sound like compelling, peer-reviewed scientific research to me. What did the ARRL present in their letter to the NSC?
As ARRL Chief Executive Officer David Sumner has observed based on more than 40 years of experience, “Simplex, two-way radio operation is simply different than duplex, cell phone use. Two-way radio operation in moving vehicles has been going on for decades without highway safety being an issue. The fact that cell phones have come along does not change that.”
This is, by definition, anecdotal evidence. Plus, would you really trust this if the National Association for Juggling president stated that, after 40 years of experience, he observed that juggling is completely different from cell phone use and has been going on for decades without highway safety being an issue? I wouldn’t and neither should you. When I read this back in August, I did find this a bit amusing, as the first thing that popped into my head is the final scene in the movie Thank You for Smoking. The protagonist, who used to lobby for the Tobacco industry, is talking to clients in a meeting regarding cell phone usage:
Gentlemen, practice these words in front of the mirror: Although we are constantly exploring the subject, currently there is no direct evidence that links cellphone usage to brain cancer.
Amateur Radio is in the same position. There is currently no direct evidence that links mobile operation with accidents. The kicker is that there is no evidence that mobile operation is safe either. From what I can tell, there have been no studies regarding the issue. I think that if the ARRL was really interested in safety concerns, they would commission a third party study on this. However, like any special interest group (again, this is exactly what they are and I have no problem with it) their primary interest is promoting their interests.
Froetscher also made a statement to the ARRL that I have not seen mentioned in any coverage of the letter either:
I appreciate your focus on the use of amateur radios for emergency communications during disasters. I encourage ARRL to adopt best practices for the safe operation of vehicles that confines use of amateur radios while driving only to disaster emergencies. You may want to consider documenting this through a formal policy for all of your members.
This is the political equivalent of the NSC saying “…and the horse you rode in on.” By the ARRL using Amateur Radio’s disaster communications as a shield to hide behind in order to avoid being banned under distracted driving laws, the NSC called them out on it. If we, as amateurs, “provide essential emergency communications when regular communications channels are disrupted by disaster”, why is the ARRL telling its members to avoid using their radios while mobile unless there is an emergency? While the obvious answer is “because we want to play radio” I don’t think the ARRL is going to say that. So, instead, since the ARRL is touting the response, I look forward to them working with the NSC to re-draft their policy to limit mobile Amateur Radio use to only emergency and disaster situations.
I don’t know why this appealed to me, considering that I can’t stand these things on Facebook/e-Mail/etc, but since Andrew Hay did it, and since he started it, I felt like I should play along.
I will not, however, “tag” anyone else. I can’t stand being “tagged” and therefore will not “tag” anyone myself.
Farhad Manjoo over at Slate recently did his best Moses imitation and cried out “Let My Office PC Go!” and railed against restrictive IT policies in the Office environment. While I understand his pain, it illustrates the disconnect between users, IT, and Information Security.
You ask your IT manager to let you use something that seems pretty safe and run-of-the-mill, and you’re given an outlandish stock answer about administrative costs and unseen dangers lurking on the Web. Like TSA guards at the airport, workplace IT wardens are rarely amenable to rational argument. That’s because, in theory, their mission seems reasonable. Computers, like airplanes, can be dangerous things—they can breed viruses and other malware, they can consume enormous resources meant for other tasks, and they’re portals to great expanses of procrastination. So why not lock down workplace computers?
Here’s why: The restrictions infantilize workers—they foster resentment, reduce morale, lock people into inefficient routines, and, worst of all, they kill our incentives to work productively. In the information age, most companies’ success depends entirely on the creativity and drive of their workers. IT restrictions are corrosive to that creativity—they keep everyone under the thumb of people who have no idea which tools we need to do our jobs but who are charged with deciding anyway.
Productivity and morale are two very important things and I understand where Farhad is coming from. I agree that draconian restrictions can kill productivity. In my career (2001-ish), upper management decided to install web monitoring software at my place of work unannounced and came down hard on people who spent “too much” time on the web (including yours truly). It didn’t matter that my work was getting done, or that I got glowing reviews from the users I supported, or that I spent my time on technology sites; I was spending “too much” time on the web. The “solution” to this was to have me sit there and stare at my e-mail folder waiting for a support ticket. Loads of fun.
While Farhad does a great job illustrating that productivity can go up when users are given more control over their desktops, he inadvertently provides an example of exactly why users shouldn’t be given free rein over their desktops:
When I worked in an office not long ago, though, a new man in IT decided that forwarding company mail to my Gmail account might violate the Sarbanes-Oxley Act. I tried to explain that was ridiculous—Sarbanes-Oxley proscribes deleting mail, which I wasn’t doing, and, anyway, the IT department had no problem forwarding mail to people’s BlackBerries and iPhones.
Uhhh… Hey, what now? While the only SOX I know in detail are the red ones, this, as a “security guy”, makes me cringe. SOX aside, this is very much a BadThing™, and while yes, this might make it incredibly easy to access your work e-mail from home and give you all kinds of options that your work e-mail environment may not provide, it’s a bad move from a security viewpoint. How is it bad? This can be illustrated by the massive Twitter document leak this past July. A combination of bad passwords and Google Apps absolutely reamed Twitter. By putting your e-mail on a non-company-controlled system you are bypassing any kind of security that your company provides. Internally your IT department may have firewalls, anti-virus, intrusion detection systems, strong password policies, etc. Google, Hotmail, Yahoo, etc. provide none of this for your account. If your IT department is smart, they’ll notice your account being accessed by someone who shouldn’t have access to it, while if you use GMail, how do you know that your account isn’t compromised? More importantly, how can you prove it isn’t?
As a side note, BlackBerrys and iPhones are their own beast within themselves. Thankfully, RIM and Apple (as of the iPhone 3GS) provide pretty good restrictions on enforcing secure usage. For example: we can require you to enter a complex password if you haven’t used your device for 15 minutes. This provides us with a reasonable assurance that if you leave your device in the back of a taxi while you’re sloshed on a Friday night, it limits the exposure of the information it contains to 15 minutes. While it’s not perfect, it does give us a bit of breathing room. If you set up some kind of Rube Goldberg system where your device checks into GMail, which you sync your device to, you’re torpedoing this.
Farhad compares IT workers to the TSA, and while I’m not going to suggest that all IT workers are helpful and flowery, I can make the counter point that many times a “rational argument” boils down to “I want to use this because I want to use it” rather than providing justification. More often than not, when someone “wants something” for their PC, they can rarely provide reasoning beyond “Look! Shiny!”, and when pressed to answer some fairly basic questions on why they need it, it suddenly becomes the IT department standing in the way of progress. That’s not to say that there aren’t cases when users provide an actual business justification on why they need a product and said business justification has outweighed the risk; it’s just that it seems to be the exception rather than the rule.
I’m not saying that IT needs to lock down PCs into some kind of 1984-esque environment (Although, quite frankly, it would make my job a hell of a lot easier), nor am I agreeing that everything would be sunshine and puppies if we allowed users to completely control their PCs. What I’m saying is that both IT and users need to meet each other halfway on this issue; while IT needs to understand that certain products and websites can help users do their jobs better, users need to understand that certain products are not allowed for a reason.
The entire discussion really can be reduced to a single question. IT departments face this question regularly, and if we follow Farhad’s advice, I think it should be passed on to the user.
As a user, are you ready to accept personal responsibility if something you want affects the security of the network?
Keep that in mind the next time you want to use Facebook at work.

Goodbye Crash, Goodbye Burn. You have been faithful lab servers for the past two-plus years, but I must send you into that big Beowulf cluster in the sky. I still remember when you were the only two servers we had, jammed full of VMware images, utilities, and malware for analysis. But age has finally caught up to you, and your Pentium III processors and limited RAM are showing it.
Good night you princes of the rack, you kings of the lab!