Distraction-Free Writing

That’s what the latest round of updates to WordPress promised me. Still, I’ll probably be just as bad at writing as I have been lately.

It’s been a busy month. After the past two weeks of work, I’ve had absolutely no energy left for doing things on the weekend. I’m hoping for some major changes come January, but it remains to be seen.

Today, I explained some basic engineering practice at work. A bit shocked that I have to do this sort of thing, really. Maybe I haven’t been in a bubble penetrated only occasionally by “sales engineers.” I’m okay with this. My posterior-kissing skills are almost as bad as my eyesight at this point. Maybe that makes me a bad person.

I’ve also completely forgotten what I wanted to write about. I’m watching football, which is doubly-sad considering the Saints’ performance yesterday. As bad as the CoonasstroSuperdome looked after Katrina, I guess it could be the man-made disaster that is Detroit.

In a way, though, I feel like I’ve been dropped into the Silverdome at work. So much went into what’s there, and there’s just zero willingness to actually fix it.

My debate for tomorrow is whether I try to get down to a going-away party for someone who is very important to me. It’d be tough, but I’m inclined to at least make an effort.

Only so many spoons

Since I’m not using a lot of them working right now, my brain is moving at an insane rate in this late hour.

Before Shmoocon 2013, I’d started on a CFP response, inspired by Mouse’s talk the year before about active defense. My scarred-up brain started down this path after seeing Mudge’s keynote the last year at the Marriott (aka Snowmageddonpacolypsewhatever).

When he was talking from his carefully-sanitized slides, he showed a common host. It had eight vulnerabilities via a Retina scan.

Someone about four rows back raised his hand. Before he was really recognized to speak, he pointed out that at least three of them were HBSS vulnerabilities.

So, after musing on those two talks some, my premise was, essentially, that building monolithic systems increases the attack vector. So, what do you do? Throw something else on top of that monolith to protect it.

Once the attacker is around the defenses, he’s got a target-rich environment to exploit the system.

Unfortunately, as I was walking through the rebuttal I could expect from the audience, I came across an argument I couldn’t refute — some of these defenses do actually close some holes. While the overall vector may be bigger, it’s less vulnerable to some of the more common attacks.

As I’ve been listening to my wife dig through her math coursework, I’ve been thinking about what the equation on this would look like.

The vector calculation would need to include the overall attack risk of the base OS, each application installed atop the OS, minus the holes patched by the sekurity measures (whether hard or soft).

What are the most common NVD for the OS? Which are closed by the security measures? Of the remaining, what are the of exploit for each?

Busted-ass WinXP box has a 38% chance of getting 0wned in a month. It has Flash and Java installed on it, which raises the chance to 60%. It has SuperSEkurSoftFW installed, which brings the XP number down to 33%, and knocks two points off Java and Flash, leaving 51%.

I wish I had more math skills to write a nasty-looking equation for all this. *sigh*

But the overall concept remains — the less stuff you stack on a host, the smaller the overall vector, regardless of whatever security middleware you throw on it to plug holes.
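
The XP example above, written out as an added sketch (not the author's code). It keeps the post's additive bookkeeping in percentage points, assumes Flash and Java each account for 11 of the 22 added points, and adds a hypothetical `security_own_exposure` term for holes the security product itself brings, which the post's numbers leave at zero.

```python
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    exposure: float         # points added to the monthly compromise odds
    mitigated: float = 0.0  # points the security product removes from it


def host_risk(components, with_security=True, security_own_exposure=0.0):
    """Post's additive model: sum of exposures, minus mitigated points,
    plus whatever the security product itself exposes (assumed term)."""
    total = 0.0
    for c in components:
        total += c.exposure
        if with_security:
            total -= c.mitigated
    if with_security:
        total += security_own_exposure
    return total


def break_even(components):
    """Own exposure at which the security product stops paying for itself."""
    return sum(c.mitigated for c in components)


# Figures from the post; the 11/11 split between Flash and Java is assumed.
HOST = [
    Component("WinXP", 38, mitigated=5),   # 38% -> 33%
    Component("Flash", 11, mitigated=2),
    Component("Java", 11, mitigated=2),
]
BARE_OS = [Component("WinXP", 38)]

if __name__ == "__main__":
    print("stacked, no security product:", host_risk(HOST, with_security=False))
    print("stacked, with security product:", host_risk(HOST))
    print("bare OS, nothing on top:", host_risk(BARE_OS, with_security=False))
    print("break-even own exposure:", break_even(HOST))
```

In this model the bare OS at 38 still beats the fully stacked and protected host at 51, and the security product's 9-point benefit disappears entirely once its own flaws add 9 points back.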