The More You Know….

The less nostalgia you might have.

Things have come to light over the past couple of months that make me ask who knew what, and when.

People do go to prison.  I was told emphatically that that just didn’t happen.  Guess what — it does.

And, even if it’s not explicitly your job, you do have a responsibility to keep everybody honest.

“It’s not a moral issue!”

Actually, it is.  If you’re so busy trying to keep from seeing that it is both a moral and ethical issue, you’re beyond help.

When I’m full of shit, I deserve to be told so.  When I’m considering doing something that I know isn’t right, I should be reminded.

Maybe there’s some letters after my name I can buy that’ll convince me that hair can actually be split longitudinally into five pieces.

Or maybe it’d be better for me to just act omniscient, and later be proven a charlatan.  (That’s to someone else who refuses to answer email, or pick up the phone.)

So, what have I learned with this latest unplanned vacation?

1.  Hiding who and what I am doesn’t benefit me at all, and;

2.  Don’t trust the “old ways” of doing things.  They’re often incredibly expensive, and ultimately ineffective.

Number two is probably very offensive to some people.  See number one;  I don’t care.

Appreciate the Process

I recently wrote about process adherence on a separate issue.

A week ago, I interviewed for a job with a company for whom I used to be employed.  I found out, informally, that I didn’t get the job.  This afternoon, I got an email confirming that.

Yes, it was mainly boilerplate for every candidate who applied.  Yes, I am disappoint.  At the same time, I appreciate why they’re trying to stick to their processes.

That appreciation made me not a team player for the four-letter.

I’m okay with that.  Processes never work if you’re willfully ignorant of them.

Only so many spoons

Since I’m not using a lot of them working right now, my brain is moving at an insane rate in this late hour.

Before Shmoocon 2013, I’d started on a CFP response, inspired by Mouse’s talk the year before about active defense. My scarred-up brain started down this path after seeing Mudge’s keynote the last year at the Marriott (aka Snowmageddonpacolypsewhatever).

When he was talking from his carefully-sanitized slides, he showed a common host. It had eight vulnerabilities via a Retina scan.

Someone about four rows back raised his hand. Before he was really recognized to speak, he pointed out that at least three of them were HBSS vulnerabilities.

So, after musing on those two talks some, my premise was, essentially, that building monolithic systems increases the attack vector. So, what do you do? Throw something else on top of that monolith to protect it.

Once the attacker is around the defenses, he’s got a target-rich environment to exploit the system.

Unfortunately, as I was walking through the rebuttal I could expect from the audience, I came across an argument I couldn’t refute — some of these defenses do actually close some holes. While the overall vector may be bigger, it’s less vulnerable to some of the more common attacks.

As I’ve been listening to my wife dig through her math coursework, I’ve been thinking about what the equation on this would look like.

The vector calculation would need to include the overall attack risk of the base OS, each application installed atop the OS, minus the holes patched by the sekurity measures (whether hard or soft).

What are the most common NVD for the OS? Which are closed by the security measures? Of the remaining, what are the of exploit for each?

Busted-ass WinXP box has a 38% chance of getting 0wned in a month. It has Flash and Java installed on it, which raises the chance to 60%. It has SuperSEkurSoftFW installed, which brings the XP number down to 33%, and knocks two points off Java and Flash, leaving 51%.

I wish I had more math skills to write a nasty-looking equation for all this. *sigh*

But the overall concept remains — the less stuff you stack on a host, the smaller the overall vector, regardless of whatever security middleware you throw on it to plug holes.