What The Hell? Give ‘Em the Security ROI Finger

Copyright © 2009 What The Hell? Security

My previous entry likened security to an opposable thumb on the hand of reliability.

This metaphor is also helpful when somebody asks you the dreaded “So, what’s the ROI on security?”  Just hold up your palm and say “20% of this.”

And if it’s your CFO asking, be sure to point out which finger you don’t mean.

What The Hell? Security is All Thumbs!

Here’s a perspective on security that always nets the biggest win:  Don’t objectify it. If you’re looking for five digits, odds are you really want a hand.

Security, forever the opposable thumb, is indeed separable from the hand of reliability.  (It’s also what distinguishes our software from that of non-primates…but I digress.)  Separable from its neighboring four fingers of availability, scalability, performability and resilience.

Naturally, a grafted thumb forever impairs the hand.

What The Hell? The Web Isn’t Supposed To Be Secure!

There’s a really good reason that Web security is such a pain. It’s not supposed to be secure.

Sorry to break it to you, but hypertext was thirty years old before we decided to use the Web as a platform for commerce.  That’s, what, three years longer than the span between the launches of MS-DOS 1.0 and Windows 7.

Plenty of time to work out a few security kinks, if there were any.  But there aren’t, because security was out of scope when hypertext was designed.  As it remained when the Web was designed.  As it remains today.

So what happens when you run a multi-trillion dollar marketplace atop an insecure platform?  Phishing is what happens.  Drive-by malware.  Fraud.

When you think about it, if there’s anything remarkable about Web fraud, it’s that we experience as little of it as we do.

What The Hell? 8 Skills of the Hellacious CISO

CISOs, let’s face it, are a dry breed.  But some really know how to raise hell.  In a good way.  Here are eight skills to, ahem, emulate.

1. Abate - The bad rep security has among people who like to deliver projects on time.

2. Automate – In-house.  Because some problems, vendors just can’t solve.

3. Delineate – Isn’t afraid to say “Improving the security of  _____, while desirable, is admittedly beyond the scope of this project.”

4. Disappropriate – Surrenders a slice of the security budget for the greater good.

5. Elucidate – Pick a policy.  Any policy.  Unhesitatingly rattles off the business driver behind it — without uttering the word security.

6. Pollinate – Exports a security engineer to the networking team.   Imports a database engineer to the security team. Antonym of Isolate.

7. Resonate – Promotes the flavor of security that blends with the established grain of the business.  Antonym of Intimidate.

8. Violate – Occasionally does this to a security policy when it just makes sense to.

What The Hell? Checkout Is The Last Place To Instill Trust!

There’s a belief among CAs (ok, VeriSign) that a merchant can minimize the number of abandoned carts — presumably by promoting them to orders — by introducing trust symbols at checkout.  Symbols like the EV-SSL green bar and VeriSign’s logo.  Balderdash. Checkout is the last place to do it.

Literally the last place.  To be clear, I’m not saying it’s a bad idea.  It’s a great idea, if not to convey an often accurate sense of security, then to create more brand impressions.  My point is, there are also five earlier opportunities, each of which can add to the ripple:

  1. Just getting the link rendered (hard to do with email campaigns)
  2. When deciding whether or not to click
  3. Upon landing at the site
  4. While navigating
  5. While adding items to cart

Personally, I seriously doubt if VeriSign has a comprehensive understanding of the phenom of cart abandonment.  Looking at their press releases, it smacks loudly of digging for data to support an admittedly catchy marketing campaign.

Anyway if there’s any truth at all to VeriSign’s claim — I believe there is — then imagine the sheer truthiness of injecting the five additional opportunities I outlined above.  CHA-CHING, BABY!

Certified webforms I’ve already written about.  As for certified links, more to come.

What The Hell? Billion-Bit RSA Is Here

This past April, I gave the keynote speech at the annual RSA conference.  Huge venue, that Moscone Center is.  All the bigger when you’re the only attendee.  What’s that?  Oh!  I don’t mean that RSA.  That one was crowded as hell.  I mean the one on Religious Security Advice.

In the brilliant speech I gave to the standing-room-only crowd (I stood at a podium), I spoke of the pending arrival of Billion Bit RSA.  That is, the Billionth Bit of Religious Security Advice.  Brilliant visionary that I am, I predicted it would pertain to — get this — passwords.  Was I dead on or what?

I know what you’re thinking.  “Passwords?  Why are we still beating that dead horse?”  The answer is, of course, that horse, being a dictionary word, is a crappy password.

Which isn’t necessarily a bad thing.  Using horse as a password, I mean, not equestrian beatings.  If you don’t understand why, it’s because you aren’t thinking context.

Which is a huge problem when it comes to converting security heathens.  In the security field, we can (and do) preach security commandments until we’re blue in the face, and in case you haven’t noticed, it ain’t working.

That’s because we don’t consider context.  We fixate on those damn commandments as if they were the goal rather than the means to a goal.  Which causes people to tune out rather than in.  (Not that we’ve ever let that discourage us.)

So what’s the best way to get people to ante up their security tithes?  Easy — offer them one piece of stay-out-of-hell advice:

    Don’t harm yourself.

That’s where all security thinking should start.  It makes the whole issue a personal one, and it provokes lots of questions worth asking, whether you’re a naive Web surfer or a protocol engineer designing IPv7.   Following best practices is important, but it’s the wrong place to start.  It gives rebellion an immediate unnecessary toehold.

So using horse as a password?  Use it all you like, so long as doing so doesn’t shoot off your big toe.  It’s a password I use for something inane on my kids’ computer.  It’s one I recommend to people who need one of no significance.  Get  it?  Context.  When you act in context, people will listen to you when it counts.

If you think I’m stating the obvious, ask yourself:   Of the last ten security skeptics that you debated, how many were you able to convert in earnest? If the answer isn’t ten, you have a context problem.  You aren’t relating with those people for where they are.  Make it personal.  Not as in, “Gee, don’t you care if hackers drain your bank account?”  As in,  “Don’t let some invisible bonehead dictate your cash flow.”

The Billionth Bit of Religious Security Advice is already out of the bag.  I say we cap it at a billion and one.  Remember:  Don’t harm yourself.

What The Hell? SSL Certification is a Bribe

What does SSL stand for?   H-Y-P-N-O-T-I-S-M.

No, really. Give me the first answer that comes to your mind. Don’t filter it. Why do you purchase SSL certificates for your site?

You answered something having to do with security, right? You are so not right. What you’re doing is buying your way out of the penalty-boxes-from-hell that browsers present when they encounter a certificate signed by an unrecognized CA. The system is rigged, and in my book that’s a bribe.

Look, I’m not trying to be cynical, or cute, or anything of the sort. I’m being brutally objective. SSL purports to do only two things:

  1. unilaterally or mutually authenticate the application endpoints
  2. establish an encrypted and integral channel

If that sounds like security stuff, that’s because it is. No argument there. But that’s not what I’m talking about. Let’s examine these separately.

1. Unilaterally or mutually authenticate the application endpoints. First, let’s agree that nobody in their right mind requires mutual authentication when one endpoint is a browser. It’s two orders of magnitude too high of a bar. (Until fairly recently Amazon.com allowed one-character passwords. Well, actually it allowed zero, only that would lock you out of your account.)

But there is value in authenticating the server end, right? Wrong. If that were true people would be able to distinguish between legitimate and fraudulent sites. If that were true, we wouldn’t have phishing. If that were true, we wouldn’t need EV-SSL.  If that were true, we’d all be mathematicians.

Summing it up, excepting for the minor net impact of EV-SSL, there’s no business value in #1. Self-signed server certificates would suffice just as well — if we could keep browsers from having cows over them.

2. Establish an encrypted and integral channel. SSL does this perfectly well even in the case of self-signed certificates. Despite what anybody might tell you, you’re not paying for mathematical privilege.

Case closed. Except you might be wondering why I said hypnotism. It’s like this: We bought into the CA model hugely in 1995, and the only thought we’ve given to it since is how to make more money off it (if you’re a CA) or how much cheaper it is to buy Godaddy’s certs instead of VeriSign’s (if you operate a website).

When you do something you’d rather not do for fifteen months running you become numb to it. When you do it for fifteen years running you become numb to the numbness. So you keep writing checks.  And the truth is, even if we weren’t numb over this, it’s probably easier just to keep writing checks than it is to buck the system.

P.S.  You might have the impression that I don’t like SSL, or CAs, or the rigid PKI model this stuff is built on. Respectively:  (1) I do; (2) I don’t, but only because they’re unimaginative and uninventive, and in VeriSign’s case they’re arrogant to a fault; (3) It’s ok.

What I don’t like is how we’re using SSL in the browser. There are killer apps out there waiting to happen, like certified webforms. Of which, incidentally, communicating the site owner is among their least interesting features.

What The Hell? A Certified Webform!

Assume for a moment that you are a legitimate business entity called Example.com.  By legitimate I mean you have been vetted in a way that demonstrates you qualify for an Extended Validation SSL (EV-SSL) certificate, whether or not you actually own one or even want to.  You publish a webform on your site for consumers to maintain their personal medical history.

You have at your disposal a means to assure a consumer that the form she is at this very moment staring at is yours.  By assure I mean:

  • prior to her entering any information into the form …
  • effortlessly surfacing …
  • helpful facts in arbitrary quantity about the form, plus Example.com in general, plus things to do with its Web presence …
  • in a manner usable (if not downright inviting, as judged by an HCISec expert)  …
  • and transparently secure (though verifiable to math nerds)

As the late Billy Mays would say, But wait!  There’s more! The aforementioned means also permits you to publish different-looking versions of the form:

  • through authorized partner sites
  • embedded in authorized PDF documents that get passed around
  • integrated into authorized desktop applications

… and revoke them in real time. Knowing how hard you, Example.com, scrape for every nickel of revenue, is it worth spending a few of them on this?

If you said no, then I know that you have been drinking waaaay too much EV-SSL kool-aid.

How do I know that?  Because you clearly haven’t tried explaining to Joe “Kool-Aid” Sixpack how the green bar works in the context of a form.

Take the garden variety sign-in page. In precisely which of the sixteen possible cases below (other than the first) should Joe be looking for the green bar in order to feel safe?  Hell, YOU explain it to him.

Legend: Yes = Shows a green bar,  No = Does not show a green bar

Case  Page With Sign-In Link  Sign-On Page  After Submit, Before Land  After Landing
   1  No                      No            No                         No
   2  No                      No            No                         Yes
   3  No                      No            Yes                        No
   4  No                      No            Yes                        Yes
   5  No                      Yes           No                         No
   6  No                      Yes           No                         Yes
   7  No                      Yes           Yes                        No
   8  No                      Yes           Yes                        Yes
   9  Yes                     No            No                         No
  10  Yes                     No            No                         Yes
  11  Yes                     No            Yes                        No
  12  Yes                     No            Yes                        Yes
  13  Yes                     Yes           No                         No
  14  Yes                     Yes           No                         Yes
  15  Yes                     Yes           Yes                        No
  16  Yes                     Yes           Yes                        Yes
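The sixteen cases above are simply every Yes/No pattern across the four points in the sign-in flow. The script below is an added example (mine, not the post author’s) that generates that table from the four column names rather than typing it out, and adds one derived column: the first step at which the green bar disappears after having been shown, which is the moment a user would have to notice a change of state mid-flow. The function names and the “verdict” wording are my own; the column names and case numbering are the page’s.

```python
from itertools import product

# The four points in the sign-in flow, in the order the page's table lists them.
# Taking the first column as the most significant bit reproduces the page's numbering.
STEPS = (
    "Page With Sign-In Link",
    "Sign-On Page",
    "After Submit, Before Land",
    "After Landing",
)


def enumerate_cases(steps=STEPS):
    """All 2**len(steps) green-bar patterns, numbered as in the page's table:
    case 1 shows the bar nowhere, case 2**len(steps) shows it everywhere."""
    rows = []
    for number, bits in enumerate(product((False, True), repeat=len(steps)), start=1):
        rows.append((number, dict(zip(steps, bits))))
    return rows


def first_drop(pattern, steps=STEPS):
    """First step where the bar is absent after having been shown at an earlier
    step, i.e. a change the user would have to notice; None if it never drops."""
    seen = False
    for step in steps:
        if pattern[step]:
            seen = True
        elif seen:
            return step
    return None


def classify(steps=STEPS):
    """Map case number -> short verdict on what the user is being asked to track."""
    verdicts = {}
    for number, pattern in enumerate_cases(steps):
        shown = [pattern[s] for s in steps]
        if all(shown):
            verdicts[number] = "consistent: shown throughout"
        elif not any(shown):
            verdicts[number] = "consistent: never shown"
        else:
            drop = first_drop(pattern, steps)
            verdicts[number] = f"drops at: {drop}" if drop else "appears late, never drops"
    return verdicts


def render(steps=STEPS):
    """Reproduce the page's table (Yes/No cells) with the verdict as a final column."""
    verdicts = classify(steps)
    lines = ["Case  " + "  ".join(steps) + "  Verdict"]
    for number, pattern in enumerate_cases(steps):
        cells = ["Yes" if pattern[s] else "No" for s in steps]
        padded = "  ".join(c.ljust(len(s)) for c, s in zip(cells, steps))
        lines.append(f"{number:>4}  {padded}  {verdicts[number]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
```

Only cases 1 and 16 ask nothing of the user; every other row either shows the bar late or takes it away at some step, and the verdict column names that step. Adding a fifth point to STEPS (say, a password-reset page) doubles the table, which is the practical argument for not leaning on a single visual cue.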

There are plenty more reasons why I think you need a kool-aid intervention,  but go lick this problem before I point them out.

What The Hell? Moore’s Law and Web Security

Convenient to the point I make here, the terms Moore’s Law and Hypertext were both coined in 1965.

Since then, if I’m counting correctly on fingers and toes, CPUs should have improved by roughly a factor of (2 **(((2009 - 1965)*12)/18)) = 676,414,963.  The actual number doesn’t matter because I’m using it as a point of reference.

Also since then, hypertext has improved by roughly a factor of 0 (zero).  Which is perfectly fine when you consider that hypertext was designed to link relevant tidbits of information.  It does that, in spades.  With a quarter of a billion active sites, if it didn’t, we’d know it.

It follows that hypertext security has improved by zero, meaning it remains at zero.  Which is perfectly fine when you consider that security was as far out of scope as was changing kitty’s litter box.

Not all Web security hinges on hypertext.  Classification-wise, very little does.  But there’s no denying that some does, and dollar-wise, it’s very expensive.

The stuff that hinges is, well, the hypertext-y stuff.   Links.  Forms.  Clicks (a term let’s agree right now encompasses all flavors of actuation).   Ever get phished or pick up a case of drive-by malware without clicking on a link or a submit button?  Didn’t think so. (Domain name typos don’t count.)

It’s the clicks, stupid.  You know I’m right.  If phishing and drive-by malware aren’t  problems rooted in hypertext then I don’t know what are.  But we don’t treat them like hypertext problems.  We treat them like email problems, like advertising problems, like search problems.  What the hell?

So what does this have to do with Moore’s Law?   Not much, other than it makes me wonder if we’ll cross the “times a billion” CPU performance mark before we figure out we need to add some security to links and forms.  Not all mind you, just the ones that count.
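The post computes its factor of 676,414,963 with one doubling every 18 months from 1965 to 2009, and then asks when the “times a billion” mark falls. The snippet below is an added example (mine, not the post author’s) that wraps the page’s formula in a function and inverts it to answer that question; the function names are my own, the 18-month doubling and the 1965 start are the page’s.

```python
import math


def moores_factor(start_year, end_year, doubling_months=18):
    """CPU improvement factor between two years under the page's rule:
    one doubling every `doubling_months` months (2 ** (months / 18))."""
    months = (end_year - start_year) * 12
    return 2 ** (months / doubling_months)


def year_reaching_factor(start_year, target_factor, doubling_months=18):
    """Invert the rule: the (fractional) year at which the improvement
    factor first reaches `target_factor`."""
    doublings = math.log2(target_factor)  # how many doublings are needed
    return start_year + doublings * doubling_months / 12


if __name__ == "__main__":
    factor = moores_factor(1965, 2009)
    print(f"1965 -> 2009: x{factor:,.0f}")
    crossing = year_reaching_factor(1965, 1e9)
    print(f"x1,000,000,000 is reached around {crossing:.2f}")
```

Under the page’s own rule the billionth-fold mark lands at about 2009.85, i.e. within months of the post itself, which is why the closing question is not rhetorical.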

What The Hell? Post-Click Fraud is the New Phishing

Phishing is so pre-“What The Hell Security.”   Here’s what post-click fraud has that phishing doesn’t.

In name:

  • jargon-free (sorry d00dz)
  • capitalizes on an understood concept (fraud)
  • describes its boundaries (the fraud after the click, not the fraud after the card trick)

In meaning:

  • encompasses all link-aware applications (office apps, browsers, music  players, drawing apps, etc.)
  • encompasses all link-aware media (web pages, spreadsheets, rich text documents, image maps, etc.)
  • includes equally-appropriate attack vectors (malware, forms)
  • highlights the risky action (click)