The More You Know….

The less nostalgia you might have.

Things have come to light over the past couple of months that make me ask who knew what, and when.

People do go to prison.  I was told emphatically that that just didn’t happen.  Guess what — it does.

And, even if it’s not explicitly your job, you do have a responsibility to keep everybody honest.

“It’s not a moral issue!”

Actually, it is.  If you’re so busy trying to keep from seeing that it is both a moral and ethical issue, you’re beyond help.

When I’m full of shit, I deserve to be told so.  When I’m considering doing something that I know isn’t right, I should be reminded.

Maybe there are some letters after my name I can buy that’ll convince me that hair can actually be split longitudinally into five pieces.

Or maybe it’d be better for me to just act omniscient, and later be proven a charlatan.  (That’s to someone else who refuses to answer email, or pick up the phone.)

So, what have I learned with this latest unplanned vacation?

1.  Hiding who and what I am doesn’t benefit me at all, and;

2.  Don’t trust the “old ways” of doing things.  They’re often incredibly expensive, and ultimately ineffective.

Number two is probably very offensive to some people.  See number one;  I don’t care.

Appreciate the Process

I recently wrote about process adherence on a separate issue.

A week ago, I interviewed for a job with a company for whom I used to be employed.  I found out, informally, that I didn’t get the job.  This afternoon, I got an email confirming that.

Yes, it was mainly boilerplate for every candidate who applied.  Yes, I am disappoint.  At the same time, I appreciate why they’re trying to stick to their processes.

That appreciation made me not a team player for the four-letter.

I’m okay with that.  Processes never work if you’re willfully ignorant of them.

Only so many spoons

Since I’m not using a lot of them working right now, my brain is moving at an insane rate in this late hour.

Before Shmoocon 2013, I’d started on a CFP response, inspired by Mouse’s talk the year before about active defense. My scarred-up brain started down this path after seeing Mudge’s keynote the last year at the Marriott (aka Snowmageddonpacolypsewhatever).

When he was talking from his carefully-sanitized slides, he showed a common host. It had eight vulnerabilities via a Retina scan.

Someone about four rows back raised his hand. Before he was really recognized to speak, he pointed out that at least three of them were HBSS vulnerabilities.

So, after musing on those two talks some, my premise was, essentially, that building monolithic systems increases the attack vector. So, what do you do? Throw something else on top of that monolith to protect it.

Once the attacker is around the defenses, he’s got a target-rich environment to exploit the system.

Unfortunately, as I was walking through the rebuttal I could expect from the audience, I came across an argument I couldn’t refute — some of these defenses do actually close some holes. While the overall vector may be bigger, it’s less vulnerable to some of the more common attacks.

As I’ve been listening to my wife dig through her math coursework, I’ve been thinking about what the equation on this would look like.

The vector calculation would need to include the overall attack risk of the base OS, each application installed atop the OS, minus the holes patched by the sekurity measures (whether hard or soft).

What are the most common NVD entries for the OS? Which are closed by the security measures? Of the remaining, what are the chances of exploit for each?

Busted-ass WinXP box has a 38% chance of getting 0wned in a month. It has Flash and Java installed on it, which raises the chance to 60%. It has SuperSEkurSoftFW installed, which brings the XP number down to 33%, and knocks two points off Java and Flash, leaving 51%.

I wish I had more math skills to write a nasty-looking equation for all this. *sigh*
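
Written out as an equation (an addition to this post, not the author’s own; the symbols are mine), the model the XP example uses is purely additive: take the base OS risk, add each application’s contribution, and subtract whatever each security measure is credited with closing:

$$
R = r_{\mathrm{OS}} + \sum_{i=1}^{n} r_{\mathrm{app},i} - \sum_{j=1}^{k} m_j
$$

With the numbers above, $r_{\mathrm{OS}} = 38$, Flash and Java together add $22$, and the firewall is credited with $5$ points off XP and $2$ points off each of the two applications:

$$
R = 38 + 22 - (5 + 2 \cdot 2) = 51 .
$$

The additive form has the drawback that it can exceed 100%. If the per-component monthly compromise probabilities $p_i$ (after mitigations) are treated as independent, the host is compromised as soon as any one component is, so

$$
P(\text{owned}) = 1 - \prod_{i}(1 - p_i),
$$

which stays below 1 however much software is stacked on the host, while still growing with every added component and shrinking with every closed hole. Either form supports the same conclusion about stacking.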

But the overall concept remains — the less stuff you stack on a host, the smaller the overall vector, regardless of whatever security middleware you throw on it to plug holes.

Everything Passes

Some bring relief, others grief.

So, number one — my “job” at the four-letter. I went to Shmoocon after being told that things were okay through September. When I got back to work Tuesday, I was given my layoff notice. Winning!!1! Charlie Sheen-style! I’ve been digging hard looking for a new job all week, seemingly without success. Have I learned some lessons from my time there? Absolutely. Have I made some friends? Yes. Have I met several others I’ll never respect? That, too; I’ll try to avoid working with those folks ever again.

Number two, speaking of job-hunting, someone for whom I’d done a considerable amount of work without charge isn’t answering my E-mails these days. Noted with somewhat bittersweet interest. (I guess I pissed him off by pressing an issue a few months ago. I admit I was a bit jumpy, but there are no words to express how much I didn’t like my situation at the four-letter company…. I’m not 25 anymore. I’m married. I have a chronic illness. The stakes are higher.)

Number three is on an unrelated topic. I’m very sad to see Shady Grove Marketplace closing up shop. It’s a tough time to be a resounding success in business for a variety of reasons, but I will miss Luke and Emily very much. I wish them the best of luck in their future endeavors.

Number four: I’ve talked a bit with Dana about writing. Why do I do it? What purpose does it serve? My anonymous writing outlet for nearly fifteen years is shutting down permanently any day now after several months of serious malfunction. I’m sad to see it go, but it did kick me into writing again*, and everything gets deleted, eventually. I’d fallen away from writing a bit after I met my wife. I got back into it, seriously, after I found out that I was sick. There’s something cathartic about writing for me. I haven’t quite figured out what it is. So now, I’m going to have to use different tools, but I was dedicated to doing that before I knew I’d be forced to.

*I’d been a pretty ardent journal-writer in junior high and high school. That all changed after one of my English teachers offered keeping a journal as an extra credit assignment. Two entries per week through the grading period, and an extra letter grade. I wrote nearly every day, largely about girls, being forcibly removed from my friends (I’d moved from Germany to Pennsylvania, didn’t have any romantic prospects, was sick with some unknown affliction, and was too slight to play football anymore), etc. I was the only one in the class who took her up on the offer, so she read what I’d written with great interest. I’ll just say that she was worried about me. Seeing as how this was only a few months removed from Kurt Cobain’s suicide, the education establishment was really worried about dour dudes in flannel. My Godfather sent me an envelope full of floppy disks with this new thing called Linux, we moved to Virginia, and things improved for a while.

On Process

One of the things that’s kind of been driven home to me, even more forcefully this week, is that following process is important.

While I agree with Mark Herring’s new stance (as opposed to Larry Craig’s wide one….), he is violating the Virginia constitution he swore to defend.

Yes, in Federal court, Virginia would lose, but it’s up to the General Assembly to do the cooking by the book, and ask the voters to fix the Virginia Constitution. There is no shortcut. The General Assembly also needs to fix its Crimes Against Nature statute, which it cannot enforce. That’d actually be easier than the same-sex marriage ban.

If Herring is going to refuse to do the job he was elected to do, impeachment and removal are the only options open to the General Assembly. (And I’ll spare the lecture on how Virginia’s government functions more like the UK parliament than the US Federal government does….)

What’s lost in all this? As I’ve said many times, Congress could have spared everybody this debate, simply by amending the Civil Rights Acts to include sexual orientation as a protected class under them. They chose not to in 2009. Why, Ms. Pelosi? Couldn’t be because you have bigots in your own caucus, now could it? Unpossible.

Similarly, some of the nonsense I’ve dealt with work-wise the past year has been because people willfully ignore published procedures. Don’t like them? Change them. Oh, but that’s difficult, too. Just “hand jivejam” it!

Elections do have consequences, sure. But laws, rules, and regulations simply don’t evaporate just because there are new folks executing them.

But I’m “pushing back.” I need to learn to quit doing that.

Free Agent

I’ve gotten a couple of questions about it, so I’ll make the response concise — after Monday, I am unemployed. For the second January in a row, I’ve been laid off.

My resume.

Due to my health issues, I’d like to find something with significant telecommuting options. Relocation is not really an option until after my wife finishes her studies at Old Dominion.

And the end

I’m home. I wrote this on the train, but the Amtrak WiFi wasn’t working when I went to post. Later, I saw that someone had had pretty much the same take I had about the lack of IPv6….

Final Shmoosings.

The last presentation prior to the closing was a bit hard to take. They (and Squidly1) insist they’re the good guys, and network admins shouldn’t take steps to stop their active probes.

Maybe I’d feel differently if the probes were passive, but these aren’t. (Coming from Punk Spider.) To me, you’d be a fool to let them continue to scan your network with impunity.

Yes, the Koreans they’re scanning might well be idiots. It doesn’t make the intrusion okay!

It’s things like this that make me wish iptables or pf had a --reject-with-diaf-blast flag. For some, --reject-with tcp-reset isn’t sufficient.

Summing up:

1. They’re treading on thin ice with their active probes. If they were using passive sniffing, it’d be one thing; trying to scan the entire Internet is another matter altogether.
2. But they’re not scanning the entire Internet! IPv4 is a deprecated legacy protocol. If they were doing any sort of v6 scanning, things might be slightly more intriguing. Over at Users and Icecube, we’ve been getting scanned normally a couple of times a week over v6. I’m pretty certain nothing’s come of it. Obviously Cawcks doesn’t give us a native allocation, so we’re using a tunnel broker, but it’d likely be the same with a native connection.

But even with the biggest AWS node the world’s ever imagined, they wouldn’t have the horsepower to scan the entire Internet over v6. And more and more of the backbone traffic actually is going that way. Maybe you can stay ignorant of that fact, but it doesn’t take much research to verify.

Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by users.757.org (Postfix) with ESMTPS id 7C795A9B6
    for ; Thu, 2 Jan 2014 03:48:56 -0500 (EST)
Received: by mail.netbsd.org (Postfix, from userid 605)
    id 0E08A14A12D; Thu, 2 Jan 2014 08:48:50 +0000 (UTC)
Delivered-To: netbsd-users@NetBSD.org
Received: from localhost (localhost [127.0.0.1])
    by mail.netbsd.org (Postfix) with ESMTP id A6E4114A12A
    for ; Thu, 2 Jan 2014 08:48:45 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1])
    by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025)
    with ESMTP id 9RaUQzm2pzs7 for ;
    Thu, 2 Jan 2014 08:48:45 +0000 (UTC)
Received: from korriban.imil.net (korriban.imil.net [IPv6:2001:470:cbba::3])
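
The header chain above is the evidence for the v6 point: two of the hops carry bracketed IPv6 literals and one of them was also TLS-protected. The script below is an added example (mine, not from the post) that unfolds an RFC 5322 header block, pulls each Received hop apart, and counts how many hops arrived over IPv6, over IPv4, and under TLS. The sample is constructed to mirror the excerpt: continuation lines are indented as a real header block would have them, and the recipient addresses that the excerpt lost are replaced with a placeholder.

```python
import ipaddress
import re

# Constructed sample modeled on the Received chain quoted in the post.
# Continuation lines are indented (RFC 5322 folding); the stripped "for"
# recipients are replaced by a placeholder address.
SAMPLE_HEADERS = """\
Received: from mail.netbsd.org (mail.NetBSD.org [IPv6:2001:4f8:3:7::25])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by users.757.org (Postfix) with ESMTPS id 7C795A9B6
    for <list-member@example.invalid>; Thu, 2 Jan 2014 03:48:56 -0500 (EST)
Received: by mail.netbsd.org (Postfix, from userid 605)
    id 0E08A14A12D; Thu, 2 Jan 2014 08:48:50 +0000 (UTC)
Delivered-To: netbsd-users@NetBSD.org
Received: from localhost (localhost [127.0.0.1])
    by mail.netbsd.org (Postfix) with ESMTP id A6E4114A12A
    for <list-member@example.invalid>; Thu, 2 Jan 2014 08:48:45 +0000 (UTC)
X-Virus-Scanned: amavisd-new at NetBSD.org
Received: from mail.netbsd.org ([127.0.0.1])
    by localhost (mail.NetBSD.org [127.0.0.1]) (amavisd-new, port 10025)
    with ESMTP id 9RaUQzm2pzs7 for <list-member@example.invalid>;
    Thu, 2 Jan 2014 08:48:45 +0000 (UTC)
Received: from korriban.imil.net (korriban.imil.net [IPv6:2001:470:cbba::3])
"""

_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")   # [1.2.3.4] or [IPv6:...]
_TLS = re.compile(r"using\s+(\S+)\s+with\s+cipher\s+(\S+)")  # Postfix TLS comment


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) back onto their
    header and return (name, value) pairs in the order they appear."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Extract sender host, its address literal, the relay, and TLS details
    from one Received header value. Missing pieces stay None."""
    hop = {"sender": None, "ip": None, "version": None, "relay": None,
           "tls": None, "cipher": None}
    # "from <host> (<comment>)" is only present for network hops; a locally
    # submitted message starts straight with "by".
    from_m = re.match(r"from\s+(\S+)\s*(\([^)]*\))?", value)
    if from_m:
        hop["sender"] = from_m.group(1)
        lit = _LITERAL.search(from_m.group(2) or "")
        if lit:
            addr = ipaddress.ip_address(lit.group(1))
            hop["ip"], hop["version"] = str(addr), addr.version
    by_m = re.search(r"\bby\s+(\S+)", value)
    if by_m:
        hop["relay"] = by_m.group(1)
    tls_m = _TLS.search(value)
    if tls_m:
        hop["tls"], hop["cipher"] = tls_m.group(1), tls_m.group(2)
    return hop


def analyze_hops(raw):
    """All Received hops in a header block, top (most recent) first."""
    return [parse_received(v) for n, v in unfold_headers(raw)
            if n.lower() == "received"]


def summarize(hops):
    """Count hops by address family, TLS use, and local submission."""
    return {
        "hops": len(hops),
        "ipv6": sum(1 for h in hops if h["version"] == 6),
        "ipv4": sum(1 for h in hops if h["version"] == 4),
        "tls": sum(1 for h in hops if h["tls"]),
        "local": sum(1 for h in hops if h["sender"] is None),
    }


if __name__ == "__main__":
    hops = analyze_hops(SAMPLE_HEADERS)
    for hop in hops:
        print(hop)
    print(summarize(hops))
```

One caveat when reading a chain like this: only the topmost Received header was written by your own MTA; everything below it was supplied by the remote side and can be forged, so v6/TLS counts from lower hops describe what the senders claim, not what you observed.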

So, that was Shmoocon. More than willing to discuss over a beer if someone is interested.

You don’t have a clue

Watched this. Take-aways:

  • I’m going to blame the speaker for being a Failcons’ fan. No, I don’t know that for sure, but he is from Georgia.
  • Rules of Evidence aren’t just a judge’s whim.
  • “Putting the air inside ping-pong balls is kind of an old school black programs inside joke.”

Not going to hate too much, because it’s unfair.

1. Judges don’t just make snap decisions on evidence admissibility. These things are published. Since you don’t know that, it’d be smart for lawyers on both sides to try to exclude your evidence just because you might testify.
2. The presentation focuses on admissibility of physical disks, and the data stored on them. Hashing can work at the file level, then the machinations of what’s going on underneath aren’t important anymore. My question was: why would you ever go lower than the lowest admissible layer?

But I’m not going to hate too much. The last presentation is going on right now.
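
To make the file-level point concrete, here is an added example (mine, not from the talk or the post): a hash manifest built over the files of an evidence set, then verified against a copy of the same files living on a different filesystem. Because the digests are taken over file contents, the copy verifies clean regardless of what the storage underneath is doing, while any changed, removed, or added file is reported by name. The file names and contents in the demonstration are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=1 << 16):
    """Digest a file's contents in chunks so large files do not load into memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, algorithm="sha256"):
    """Map every regular file under root (by relative POSIX path) to its digest."""
    root = Path(root)
    files = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        files[path.relative_to(root).as_posix()] = hash_file(path, algorithm)
    return {"algorithm": algorithm, "files": files}


def verify_manifest(root, manifest):
    """Re-hash root and report files whose content changed, vanished, or appeared."""
    current = build_manifest(root, manifest["algorithm"])["files"]
    expected = manifest["files"]
    return {
        "modified": sorted(f for f in expected if f in current and current[f] != expected[f]),
        "missing": sorted(f for f in expected if f not in current),
        "added": sorted(f for f in current if f not in expected),
    }


def demo():
    """Constructed walk-through: hash an evidence set, verify a byte-identical
    copy in another directory, then tamper with the copy and verify again."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as copy:
        # Constructed sample files; the paths and contents are invented.
        sample = {"docs/report.txt": b"quarterly numbers\n",
                  "logs/auth.log": b"login ok\n"}
        for base in (src, copy):
            for rel, data in sample.items():
                target = Path(base, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)

        manifest = build_manifest(src)
        clean = verify_manifest(copy, manifest)  # same bytes, different storage

        # Tamper with the copy: alter one file, delete one, plant one.
        Path(copy, "logs/auth.log").write_bytes(b"login ok\nlogin FAILED\n")
        Path(copy, "docs/report.txt").unlink()
        Path(copy, "notes.txt").write_bytes(b"planted\n")
        tampered = verify_manifest(copy, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2, sort_keys=True))
    print("clean copy  :", clean)
    print("tampered    :", tampered)
```

The manifest itself is the thing to protect and sign at acquisition time; once its digests are recorded, the question of sector layout, filesystem, or imaging tool drops out of the integrity argument for those files.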

Going for Broke

Went and watched about forty minutes of this. After that long of the speakers not getting to the point about how they’re making attackers’ activities expensive, I gave up and left.

Wow, that’s an awesome app signature tool you found in your Microsoft class! I’m sure its mere existence dissuades people from trying to write malicious things. I mean, it’s totes hard to get a copy of VS!

Yes, you have to make it difficult for malicious stuff to run. I understand that. How are you costing the attackers anything? Their shit won’t run on your network; how are you costing them money, really? Quantify it.

For things like malicious embedded attachments, bouncing group messages individually would quickly fill their mail queues. Maybe an automated method to report them to ISC, get them added to blacklists galore?

SMH.