Posts categorized “Personal”.

Why corporate IT chains your computers

Farhad Manjoo over at Slate recently did his best Moses imitation, cried out “Let My Office PC Go!” and railed against restrictive IT policies in the office environment. While I understand his pain, his piece illustrates the disconnect between users, IT, and Information Security.

You ask your IT manager to let you use something that seems pretty safe and run-of-the-mill, and you’re given an outlandish stock answer about administrative costs and unseen dangers lurking on the Web. Like TSA guards at the airport, workplace IT wardens are rarely amenable to rational argument. That’s because, in theory, their mission seems reasonable. Computers, like airplanes, can be dangerous things—they can breed viruses and other malware, they can consume enormous resources meant for other tasks, and they’re portals to great expanses of procrastination. So why not lock down workplace computers?

Here’s why: The restrictions infantilize workers—they foster resentment, reduce morale, lock people into inefficient routines, and, worst of all, they kill our incentives to work productively. In the information age, most companies’ success depends entirely on the creativity and drive of their workers. IT restrictions are corrosive to that creativity—they keep everyone under the thumb of people who have no idea which tools we need to do our jobs but who are charged with deciding anyway.

Productivity and morale are two very important things, and I understand where Farhad is coming from. I agree that draconian restrictions can kill productivity. Early in my career (2001-ish), upper management decided to install web monitoring software at my place of work unannounced and came down hard on people who spent “too much” time on the web (including yours truly). It didn’t matter that my work was getting done, that I got glowing reviews from the users I supported, or that I spent my time on technology sites; I was spending “too much” time on the web. The “solution” to this was to have me sit there and stare at my e-mail folder waiting for a support ticket. Loads of fun.

While Farhad does a great job illustrating that productivity can go up when users are given more control over their desktops, he inadvertently provides an example of exactly why users shouldn’t be given free rein over their desktops:

When I worked in an office not long ago, though, a new man in IT decided that forwarding company mail to my Gmail account might violate the Sarbanes-Oxley Act. I tried to explain that was ridiculous—Sarbanes-Oxley proscribes deleting mail, which I wasn’t doing, and, anyway, the IT department had no problem forwarding mail to people’s BlackBerries and iPhones.

Uhhh… Hey, what now? While the only SOX I know in detail are the red ones, this, as a “security guy,” makes me cringe. SOX aside, this is very much a BadThing™. Yes, it makes it incredibly easy to get at your work e-mail from home and gives you all kinds of options your work e-mail environment may not provide, but it is a bad move from a security viewpoint. How is it bad? The massive Twitter document leak this past July illustrates it: a combination of weak passwords and company data sitting in Google Apps absolutely reamed Twitter. By forwarding your e-mail to a system your company does not control, you are bypassing every control your company provides. Internally your IT department may have firewalls, anti-virus, intrusion detection systems, strong password policies, and logs of who touched your mailbox; none of that applies to your personal Gmail, Hotmail, or Yahoo account, and IT has no visibility into it. If your IT department is smart, it will notice your corporate account being accessed by someone who shouldn’t have access to it. If your mail lives in Gmail, how do you know that your account isn’t compromised? More importantly, how can you prove it isn’t?
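The one thing IT can still see in this scenario is the rule that does the forwarding, since it lives on the company mail server. The check below is an added example, not code from the original post or from any mail product it mentions: it scans a constructed rule export (the tab-separated format, the example.com domain list, and every address in the sample are assumptions for illustration) and reports each forward or redirect whose destination is outside the company’s own domains. Subdomains of a corporate domain are treated as internal, display-name addresses like `Name <user@host>` are handled, and a forwarding rule whose target cannot be parsed is flagged rather than silently skipped.

```python
"""Added example: find mailbox rules that push company mail off the company's systems.

Input is a hypothetical rule export, one rule per line:
    mailbox <TAB> rule_name <TAB> action <TAB> target
The format, the domain list and the sample addresses are assumptions
made for this illustration; they are not taken from any real mail server.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Assumption: the domains IT actually operates and can audit.
CORPORATE_DOMAINS = {"example.com"}

# Rule actions that send a copy of the mail somewhere else.
FORWARDING_ACTIONS = {"forward", "redirect"}

# Constructed sample export (not real data).
SAMPLE_RULE_EXPORT = """\
alice@example.com\tgmail copy\tforward\tAlice Doe <alice.doe@GMail.com>
alice@example.com\tteam archive\tforward\tarchive@mail.example.com
bob@example.com\tvacation\tautoreply\t
bob@example.com\tphone\tredirect\tbob.on.the.go@example.net
carol@example.com\tbroken rule\tforward\tnot-an-address
"""


@dataclass(frozen=True)
class Rule:
    mailbox: str
    name: str
    action: str
    target: str


def parse_rule_export(text: str) -> List[Rule]:
    """Parse the tab-separated export; blank lines are ignored, short lines are an error."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 tab-separated fields")
        rules.append(Rule(*(p.strip() for p in parts)))
    return rules


def target_domain(target: str) -> Optional[str]:
    """Lower-cased domain of a target such as 'Name <user@host>'; None if unparseable."""
    _, addr = parseaddr(target)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_corporate(domain: str, corporate_domains=CORPORATE_DOMAINS) -> bool:
    """True for a corporate domain or any subdomain of one (e.g. mail.example.com)."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in corporate_domains)


def find_external_forwards(rules, corporate_domains=CORPORATE_DOMAINS) -> List[Tuple[Rule, str]]:
    """Return (rule, reason) for every rule that moves mail outside the company's control."""
    findings = []
    for rule in rules:
        if rule.action.lower() not in FORWARDING_ACTIONS:
            continue  # autoreplies, moves to folders, etc. keep the mail in-house
        domain = target_domain(rule.target)
        if domain is None:
            # A forwarding rule with an unparseable target still deserves a look.
            findings.append((rule, "unparseable forwarding target"))
        elif not is_corporate(domain, corporate_domains):
            findings.append((rule, f"forwards to external domain {domain}"))
    return findings


if __name__ == "__main__":
    for rule, reason in find_external_forwards(parse_rule_export(SAMPLE_RULE_EXPORT)):
        print(f"{rule.mailbox}: rule '{rule.name}' {reason}")
```

Run against the sample, this flags Alice’s Gmail copy, Bob’s redirect to example.net, and Carol’s rule with the malformed target, while leaving the archive rule (a corporate subdomain) and the autoreply alone. The same logic applies whatever the real export format is; only `parse_rule_export` would change.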

As a side note, BlackBerrys and iPhones are a different beast. Thankfully, RIM and Apple (as of the iPhone 3GS) provide pretty good controls for enforcing secure usage. For example: we can require you to enter a complex password if you haven’t used your device for 15 minutes. This gives us reasonable assurance that if you leave your device in the back of a taxi while you’re sloshed on a Friday night, the exposure of the information it contains is limited to that 15-minute window. It’s not perfect, but it does give us a bit of breathing room. Those controls are enforced through the corporate mail system the device syncs with; if you set up some kind of Rube Goldberg system where your mail goes to Gmail and you sync your device to Gmail instead, you’re torpedoing this.

Farhad compares IT workers to the TSA, and while I’m not going to suggest that all IT workers are helpful and flowery, I can make the counterpoint that many times a “rational argument” boils down to “I want to use this because I want to use it” rather than actual justification. More often than not, when someone “wants something” for their PC, they can rarely provide reasoning beyond “Look! Shiny!”, and when pressed to answer some fairly basic questions on why they need it, it suddenly becomes the IT department standing in the way of progress. That’s not to say there aren’t cases when users provide an actual business justification for why they need a product and that justification has outweighed the risk; it’s just that this seems to be the exception rather than the rule.

I’m not saying that IT needs to lock down PCs into some kind of 1984-esque environment (Although, quite frankly, it would make my job a hell of a lot easier), nor am I agreeing that everything would be sunshine and puppies if we allowed users to completely control their PCs. What I’m saying is that both IT and users need to meet each other halfway on this issue; while IT needs to understand that certain products and websites can help users do their jobs better, users need to understand that certain products are not allowed for a reason.

The entire discussion really can be reduced to a single question. IT departments face this question regularly, and if we follow Farhad’s advice I think it should be passed on to the user.

As a user, are you ready to accept personal responsibility if something you want affects the security of the network?

Keep that in mind the next time you want to use Facebook at work.

Goodnight Crash, Goodnight Burn

Goodbye Crash, Goodbye Burn. You have been faithful lab servers for the past two-plus years, but I must send you into that big Beowulf cluster in the sky. I still remember when you were the only two servers we had, jammed full of VMware images, utilities, and malware for analysis. But your age has finally caught up with you, and your Pentium III processors and limited RAM can’t keep up anymore.

Good night you princes of the rack, you kings of the lab!

One week in: Life with a Palm Pre

Last week I made the jump from a T-Mobile MDA (aka an HTC Wizard) to a Palm Pre from Sprint. I loved my MDA and had been a loyal T-Mobile customer since 2003 (when I got my first smartphone, a Color SideKick); however, their selection of phones was quite lacking, so I decided to jump ship. When asking around, everyone said “Apple iPhone” almost instantly, and while I did give it a hard look, I tested a 3G last year for work and was decidedly unimpressed with its soft keyboard and battery life. With the iPhone out of the running I looked around, decided to suck it up and deal with Sprint, and went with a Palm Pre. Since in the course of my research I didn’t find a lot of “hands on” reviews besides the “It sucks!” or “It is amazing!” ones, I decided to toss out a somewhat independent review of the device overall.

Hardware: B-. Sleek, great size, and a nice form factor. However, the device can feel rather flimsy at times. I am afraid that the device will fall with the keyboard open and my Pre will do some kind of morbid Oreo Twist to itself. Also, when shut, the device has some give where the two halves meet. In addition to this, Palm: MicroUSB port? Come on. Doesn’t every geek have a ton of accessories for Mini USB connectors? Are we seeing the connector conspiracy rear its ugly head again? Finally, the little gasket over the connector is annoying to get off, which makes charging annoying.

Battery Life: C+. I’m pleased with how long it lasts, but considering my MDA could last about 2 days under fairly heavy use, while I can blow through about 1/5th of my Pre battery in an hour under similar conditions? Not good. I think a car charger and a MicroUSB cable for USB charging are required accessories for any Pre user.

WebOS: A-. Wow. WebOS is nice. That’s not to say it doesn’t have some very rough spots: Want to have one notification sound for an SMS message and another for an e-mail? Tough noogies. Navigate to a specific spot in a text field? We may be here for a while. However, all the rough spots can be buffed out in future updates. Overall, it’s zippy, the app store is filling up with goodies regularly, and the UI is great. Multitasking is awesome too, the lack of which is one of the things that turned me off about the iPhone. Overall, you can tell that WebOS is still a 1.X operating system, but with a little work by Palm it can easily take on the iPhone OS.

Network coverage: D. In a word: Bleh. THIS is the one drawback to the device: Sprint’s “Now” network. I think the “now” means “You’ll be checking if you have coverage now.” I’ve heard mixed reports on whether it’s a Pre problem or a Sprint problem, but I have seen it fluctuate between 1 and 5 bars in specific spots while staying stationary. I also seem to flip over to “roaming” (thankfully, free) at random spots, which means that while I can still get voice, I can’t get a data connection. While T-Mobile was not without dead spots, I seemed to get better coverage with them. I’m hoping this is more of a problem with WebOS than with Sprint, as I can probably wait for Palm to work the kinks out of its transceiver rather than wait for Sprint to add additional cell sites.

Accessories: C. Come on, no holster? Just a stupid pouch? Geez. Also, the fact that the USB cable doubles as the charging cable by plugging into the wall adapter? Lame. Palm, come on, give me two cables so I can keep one around in case I need to do an emergency charge off a USB port. It can’t be that expensive. As a side note, while I make no endorsement of it, the web store over at Treonauts seems to have lower prices for Pre accessories than Sprint.

Overall: B/B-. I am pleased, and the Pre is a great device. I keep finding myself pleasantly surprised that it does something with ease that my old Windows Mobile device couldn’t (like… say… delete e-mail messages from my mail server! Amazing!). That’s not to say there aren’t some chinks in its armor, but I think it’s a worthy competitor to the iPhone. It’s still very much a 1st generation device and has the issues thereof; however, if you’re looking for an iPhone alternative, I’d recommend giving the Pre more than a casual look.

“Internet Lawyer” shows severe lack of understanding about “Internet” and “Law”

This floated across my Twitter stream yesterday: Internet Lawyer Take: DEFCON Spinning Out of Control? Watch out, you might want to make sure you’re caffeinated and sitting down while you read it.

Where do I begin?

Typical DEFCON attendee in Mr. Dozier’s mind

  • Basing the criticism off two anonymous people’s complaints? Check
  • Vague complaints about evil hackers trying to deface his website during Defcon? Check
  • Suggestions about a possible Oracle genocide because of DEFCON? Check.
  • DEFCON is all about 15 year old kids learning to do l33t h@x? Check.
  • Sensationalizing various happenings without going into detail as to what happened? Check. Check. Check.

Dozier seems to be of the opinion that DEFCON is a cesspool of high school students who sit around their laptops trading mad hax and attempting to knock power grids offline all weekend. As anyone who has attended DEFCON knows, this is a complete load of horse puckey. DEFCON is essentially a Black Hat after-party in which you get to kick back, enjoy Vegas, talk shop with other InfoSec people, and spend most of the convention in an inebriated state (provided you’re over 21). I thoroughly enjoyed both times I attended.

Mr. Dozier seems to really dislike anonymity. He goes on to suggest that DEFCON get full details on every attendee to flush out the less desirable elements. I’m sure Mr. Dozier would be aghast to know that when I spoke I used a pseudonym. Why would an upstanding citizen like me choose to be anonymous even when speaking about a relatively innocuous topic? Because I enjoyed keeping my identity somewhat under wraps, and more people knew me under my pseudonym than my real name. When you deal with random people on the Internet, it’s very common to associate an e-mail address, Twitter name or forum handle with them more easily than a full name. This has been the case since the early days of networked computing, as evidenced in Guy Steele’s “Confessions of a Happy Hacker” from The New Hacker’s Dictionary, 3rd edition. (Aside: If you like hacking history, get this book.)

…when Barbara and I got married, we sent out wedding invitations of the usual sort without considering the consequences. One hacker friend was completely puzzled: “Barbara Kerns … Guy Steele … Who are these people???” His girlfriend looked over his shoulder and said, tentatively, “Guy Steele … isn’t that Quux?” This was someone I knew quite well, but he knew me only by that handle.

The statements on Oracle really have me scratching my head. Mr. Dozier seems to be confused about cause and effect. In his train of thought, any Oracle breaches from here on out are solely the fault of DEFCON and the Metasploit project. Never mind the fact that all of the exploits have existed in the wild for quite some time, or the fact that they will be used by people such as myself to demonstrate to non-technical people that their Oracle server is doomed. No, these tools will only be used by 15 year olds who will deface websites, steal identities, and use their ill-gotten gains to fuel their $1500-a-day Xbox Gamer Point habit.

As for “embarassing [sic] the federal authorities,” everyone who goes to DEFCON is well aware of the “Spot the Fed” competition. Every time I saw a “Fed” “spotted” it was very non-adversarial and amusing for all parties involved. If his “exceptionally talented and knowledgeable government security types” have a problem with this they need not attend; in my experience, they don’t have a problem with it. I also think they need to develop a touch thicker skin.

Finally, this leaves me shaking my head:

Is there a Free Speech right, protected by our First Amendment, to describe in detail ways to hack into computer systems when it is a federal and state crime to hack into a protected computer? At Dozier Internet Law we know this issue is yet to be fleshed out fully but we expect that criminal conspiracy laws could come into play at some point.

Mr. Dozier better get his lawsuits warmed up. I hear there are also conferences where people talk about things like guns and ones that talk about cars too. People get killed by cars and guns EVERY DAY! Surely this needs to stop!

One thing I will give him credit for is his web design: I think I’ll start calling myself an “Internet Security Engineer” and rename my weblog to “Ben Jackson, Internet Security Engineer for the Commonwealth of Massachusetts, GIAC Certified Intrusion Analyst, Author of “Asterisk Hacking”, FCC licensed radio amateur, subject of an article in Infoworld, and stunningly handsome, offers an Internet Security Engineer perspective on the web, Amateur Radio, and his life.” Instant credibility.

Happy Digital Transition Day!

It’s the end of an era! Today, the FCC has mandated that analog TV transmissions cease by midnight and stations broadcast only in digital format.

Confirmed Boston Area station cut-over times are:

  • WBZ-4 ending regular programming at 12:30 PM, then starting nightlight programming
  • WSBK-38 shutting down analog completely at 1:00 PM
  • WHDH-7 shutting down analog completely at 11:59 PM, then moving their DT signal from the current 42 to actual 7
  • WLVI-56 shutting down analog completely at 11:59 PM

Still Unknown:

  • WCVB-5 (Cutting over to nightlight service)
  • WGBH-2 (Cutting over to nightlight service)

Big changes in the Jackson household

Well, I haven’t updated here in a while, as I haven’t done much in the way of my hobbies recently. The cause for this is simple: On March 30th, at 6:52 PM EDT, my son Brady made his arrival into this world.

Brady and Dad

Mom did great, and the entire process took less than 6 hours. That was the easy part. Needless to say, these past few weeks have been all baby, all the time. This leaves very little time to play InfoSec and radio. I have started to leverage the 3 AM feeding into catching up on RSS feeds, and I still occasionally post to Twitter. I am also looking forward to going to NEARFest (sans Brady) at the beginning of May. However, there has been quite a shift of priorities for the foreseeable future.

I’ll leave it with another quote from Jeff Atwood, whose own son was born about two weeks prior to mine:

If you’ve been reading my blog for a while, I’m sure you know I will approach our new parenting adventure the same way I do programming — with absolutely no freaking idea what I’m doing. And often hilarious results.

Yup.

You should be watching “Leverage”…

I just finished watching the season finale of the TNT show Leverage on the DVR. Knowing TNT, there will be repeats galore, plus it’s available online, so you should invest some time and watch it too.

Why are you not watching this show?

I’m not a huge TV fan; many of the shows I “like” I could easily drop, but Leverage has easily come into competition with Burn Notice as my favorite show. I’ve always been amused by social engineering in practice. Back in my “grey hat” days I would be amazed when people would record themselves calling up some business and getting information about a customer. So Leverage is relevant to my interests, as most of the plot deals with scamming people who richly deserve it. Some of the plots are slightly far-fetched from a technical standpoint, but I can suspend my disbelief well enough to emit only a light chuckle. The characters are great and the show has some great lines:

I’m a functioning alcoholic; the trick is not to get hung up on the ‘alcoholic,’ but celebrate the ‘functioning’ part of the sentence.

The show is up there with the Clooney Ocean’s Eleven for writing and plot. I would highly recommend it to anyone in the InfoSec crowd or anyone who enjoys good “heist” style plots.

Way to go Mom

Since she’s the one with the liberal arts degree, and it pretty much sums up my thoughts exactly, I’ll let my sister, @mcwonthelottery, speak for me:

My mom had surgery today. Got her knee replaced for the second time.

AND HOW HARDCORE IS MY MOM? The surgeon went in only to discover that she had BROKEN her old metal knee. TITANIUM. SHE BROKE TITANIUM. The doctor had never seen it happen before. He’s sending it to engineers at Dartmouth University. Amazing. Way to go, mom!

To be fair, I’m pretty sure these knees are only supposed to last ten years, but my mom will never throw something out until it’s completely useless, so she had hers for sixteen. I’m pretty sure that shit got worn through.

She is doing well, though a bit out of it. But she’s got her magic morphine, so life is good.

Yup, that’s about it.

I’m speaking at SOURCE Boston 2009

SOURCE Boston officially let the cat out of the bag yesterday by posting their schedule, so I can now say what I’ve known since about mid-December: I’m doing a talk on the SOURCE business track entitled Massachusetts Data Breach Laws, Regulations, and Responsibilities.

I’m excited to be a part of SOURCE. I attended last year and it was an excellent conference. A great mix of security geeks and business types, and everything just seemed to click. Not as “free-for-all-ish” as DEFCON or HOPE, not as stuffy as a business conference. This year, it’s shaping up to be even better: They moved the conference to a better location, and the schedule is even more impressive than last year’s. If you’re a security geek, you should definitely look into attending. It is worth every penny.

Of course there is an off chance that someone might make a grand entrance a touch early. I think everyone is hoping that doesn’t happen.

Unfollow me! Please!

Steve, K9ZW, has asked What’s the Worth of Twitter?

I’m slowing my Twitter “Tweets” and following of Twitter based on a difficult to use Signal/Noise Ratio.

One very active Twittering Ham has a goal of posting 10,000 Tweet posts during the year.

If every one of those Tweets takes but a second or two out of my attention, that is asking me as a Twitter Follower to give up 5-6 hours of accumulated time.

It’s simply not going to happen.

This was followed up by N0HR’s Twitter Overload post:

Steve notes that one ham has a goal of “tweeting” 10,000 times in a year. Yikes. What possible value could that have to anyone? I could see some value in a group using Twitter to meet at the Dayton Hamvention – when you’re all trying to meet you’d know that Frank’s at Denny’s having breakfast, Chuck’s in the flea market and Stan is lugging a boat anchor to the car. That’s about it though.

First off, let me state for the record that I am the said “active Twittering Ham”, but I do not have a “goal” of 10,000 tweets in a year. I did wonder if I’ll hit that number, which is looking more and more likely now that I’m less than 50 shy of 9,000, but I wouldn’t consider it a goal. Next off, I’m not pissed at Steve for unfollowing me at all. I did mention it in a tweet, but I am not saying that I am sad, angry, or disappointed in Steve. I am very much in @mediaphyter’s corner regarding following:

…let me make a list of what Twitter is not:

  1. A venue for a popularity contest
  2. An obligatory mutual instant message system
  3. A place where anyone has anything to prove

Exactly. Twitter is different things to different people. Suit your follow list to what you want to see. I’ll be the first to admit that I am a prolific tweeter. My sister never added me to her phone because she was overwhelmed by texts. I tweet about ham radio, InfoSec, the MBTA not working, and any other completely random thing that floats into my head. A lot of my friends are the same. However, I know that this does not suit everyone. I have no problem with someone unfollowing me because I tweet so much; if you follow a smaller group of people, I’m going to quickly overwhelm the “stream” on your page, likely providing more noise than signal. There are ways to sift through volumes of tweets, but a lot of people have neither the time nor the inclination to do so. Don’t feel the need to follow anyone because “everyone else does it” or because they’re following you. Only follow the people who tweet about topics that interest you and tweet at your pace. Also, look at the option of turning off

If you’re on Twitter, don’t think you’re going to hurt someone’s feelings by unfollowing them. I occasionally go through my lists and “purge” people who no longer interest me. If I no longer interest you, unfollow me! Please! If I follow you, I’ll still reply when you say something I want to comment on, and it will still show up in your stream.

Steve, I’m still following you, as you’re one of the hams whose tweets I always enjoy. I hope to see you around, and I look forward to you live-tweeting Dayton. :)