0wnage and the null hypothesis

H0: Our systems are not hacked.

That is what management wishes to hear all the time, and expects to hear with absolute certainty.

– But …

There are no buts in such matters for management, right? Oh but there are…

                      H0 True         H0 False
Reject H0             Type I error    Correct
Do not reject H0      Correct         Type II error

In reality there is no way to know whether the systems we maintain are hacked or not. We can only know with absolute certainty that they are owned, and only when the fact is detected. To help management understand this, use a “simpler” example:

H0: This message is not spam

Work with the not-spam example and the table above. It seems fairly straightforward that if your anti-spam measures are relaxed you receive a lot of undetected spam (Type II error), and if you tighten the controls you risk having legitimate messages classified as spam (Type I error).

In a similar fashion, you can reject H0 only once you detect that your systems are hacked. Your intrusion detection systems, monitoring systems, processes or other controls may “cry wolf” (a Type I error), or they may stay silent while infiltration has in fact happened (a Type II error). A Type II error means that an opportunity to detect a breach was lost.

So you see, management, we cannot assure you with absolute certainty that we are and will remain unbreakable till the end of time. After all, if you really think about it, time is on the side of the blackhats. We can only provide you with data showing that we are doing our best with the tools you are providing.
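To make the table concrete, here is an added example (not part of the original post) that scores a constructed set of labelled events with a threshold detector and counts the Type I and Type II errors at a relaxed and at a tightened setting. The scores, the ground-truth labels and the thresholds are all constructed for illustration; in production the ground truth is exactly what the operator cannot see.

```python
from dataclasses import dataclass

# Constructed sample: (suspicion_score, truly_compromised).
# The second field is the ground truth that is never visible in practice;
# it is embedded here only so that the two error types can be counted.
EVENTS = [
    (0.05, False), (0.10, False), (0.20, False), (0.35, False),
    (0.45, False), (0.55, False), (0.70, False),   # benign, some of them noisy
    (0.40, True), (0.60, True), (0.80, True), (0.95, True),  # real intrusions
]


@dataclass(frozen=True)
class Outcome:
    type_i: int    # H0 rejected although the system was clean ("cry wolf")
    type_ii: int   # H0 kept although the system was owned (silent detector)
    correct: int


def evaluate(events, threshold):
    """Run a detector that rejects H0 whenever score >= threshold.

    A low threshold is a tightened control: more alerts, more Type I errors.
    A high threshold is a relaxed control: fewer alerts, more Type II errors.
    """
    type_i = type_ii = correct = 0
    for score, compromised in events:
        alerted = score >= threshold
        if alerted and not compromised:
            type_i += 1
        elif not alerted and compromised:
            type_ii += 1
        else:
            correct += 1
    return Outcome(type_i, type_ii, correct)


def sweep(events, thresholds):
    """Map each threshold to its Outcome, to see the trade-off in one table."""
    return {t: evaluate(events, t) for t in thresholds}


if __name__ == "__main__":
    for t, out in sweep(EVENTS, [0.3, 0.5, 0.75]).items():
        # At 0.75 the detector raises no false alarms and misses two intrusions:
        # from the operator's chair, "no alerts" looks identical to "not hacked".
        print(f"threshold={t:.2f}  type I={out.type_i}  "
              f"type II={out.type_ii}  correct={out.correct}")
```

The point for management is the last row: zero alerts is the same observation whether the system is clean or the intrusions all scored below the threshold.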

What constitutes a security incident?

From a question posted over at CISACA-L:

b) Secondly, what constitutes a security incident? Is there a generally / generic agreed list? We all have our views on what constitutes a security incident, but I would just like to seek clarity.

I offered the following definition:

Well, anything that violates the security policy is a security incident. If no policy exists, you know that an incident is a security incident when you detect one.

If you find the above definition vague or subjective, please help refine it. But read “In Praise of the Handshake” first. Like complete contracts, overengineered policies are inevitably imperfect. And that is why I like the informal SLA too.

The return of the scientist fan

“The stock was down 86 cents over the day. That means Bill lost $70 million today, whereas I only lost fuck all. But guess who’ll sleep better?” – Microserfs

Likewise: who slept better last night, Cissé or the brainless guy who stormed the pitch? If you prefer another example, Papaloukas or the brainless guy who threw the flare at him? Now go back to your salary (for as long as it lasts) and he goes back to his millions. Yes, we know who sleeps better. Yesterday, today and tomorrow.

To the marketing directors of the football and basketball clubs (ΠΑΕ and ΚΑΕ): to hell with your degrees and your protecting of your product. Honestly, in a stadium surrounded by commercial activity (which is what you all want to build), who spends more? Fathers with their children, or single guys with their mates? You are doing your utmost not only to ensure there are no future consumers of your product, but to drive away the people who produce them as well! Of course, when the ship is sinking (and you will have helped with that) you will already be in another job, and it is always the last one’s fault, right?

My dear Olympiacos, I think I’ll stop loving you for a few years

Bacardi-grapefruit

If I remember correctly it was 1997 and it was raining. Dinos and I had left the Lab and were thinking of going for a walk:

– Hey, I’ve been told about a bar run by an old man where they play jazz.
– Do you know where it is?
– Somewhere in Kolonaki.
– OK, we’ll take the streets one by one and we’ll find it.

We went in, sat at the right-hand corner of the bar, and after a while the old man came over to take our order:

– Lads, if you come in again and don’t say hello, I won’t serve you.

Little by little we ended up closing the place, with the old man treating us to tsipouro.

Goodbye, Kostas.

The Stockdale Paradox

“You must never confuse faith that you will prevail in the end—which you can never afford to lose—with the discipline to confront the most brutal facts of your current reality, whatever they might be.” –Vice Admiral J. B. Stockdale

I think I first read about it back in 2001 when “Good to Great” came out.

But right now, this is how I’m feeling.

Parkinson’s Law of Triviality

Over the past ten days or so I found myself making constant references to Parkinson’s Law of Triviality in order to explain certain dilatory behaviours. If (like me) you do not have a copy of the book, Poul-Henning Kamp has written an excellent write-up on the concept, which is hosted on bikeshed.com:

Parkinson shows how you can go in to the board of directors and get approval for building a multi-million or even billion dollar atomic power plant, but if you want to build a bike shed you will be tangled up in endless discussions.

Parkinson explains that this is because an atomic plant is so vast, so expensive and so complicated that people cannot grasp it, and rather than try, they fall back on the assumption that somebody else checked all the details before it got this far. Richard P. Feynman gives a couple of interesting, and very much to the point, examples relating to Los Alamos in his books.

A bike shed on the other hand. Anyone can build one of those over a weekend, and still have time to watch the game on TV. So no matter how well prepared, no matter how reasonable you are with your proposal, somebody will seize the chance to show that he is doing his job, that he is paying attention, that he is *here*.

100,000 disclaimers don’t make an opinion personal

“In dealing with customers and outsiders, remember that you represent the company, ostensibly with full responsibility and authority.

You may be only a few months out of college, but most outsiders will regard you as a legal, financial, and technical agent of your company in all transactions, so be careful of your commitments.”

[via “The Unwritten Laws of Engineering”, 1944]

Using Mathematics as an argument

I just came out of a meeting where the following phrase was spoken (and the meeting’s context does not really matter):

– Mathematics has spoken. You can never ever have everything as a variable. You have to have constants.

This was used as a math-therefore-I-am-right-full-stop argument. Never, ever use Mathematics, Science or any other bus-stop argument in a room filled with 60+ people with Mathematics, Engineering and Computer Science degrees and expect to be taken seriously. Interpret the fact that you were not countered as politeness instead.

reboot to fix

Apart from its historic value, “The Hacker Crackdown” is full of gems, like:

Starting over from scratch will generally rid the switch of any software problems that may have developed in the course of running the system. Bugs that arise will be simply wiped out by this process. It is a clever idea. This process of automatically re-booting from scratch is known as the “normal fault recovery routine”.

So you see this was not Bill’s idea in the first place.

Personally I hate reboot-to-fix. Rebooting must be a final(?) solution which in fact not only sweeps the problem under the carpet, but also deprives one of the possibility (and sometimes the data) of finding out what the cause of the problem is. It is performed under pressure, in a hurry, and usually with no data at hand to replicate the problem and study it in a test environment with some peace of mind. “Make the damn thing work first; find out what happened later! We’re losing money!” Downtime is an option, and so routers and servers get reloaded… I will not sit in an ivory tower pointing fingers, though, for I’ve practised this “problem solving” technique a number of times.

Reboot-to-fix comes with a price: while at times it seems like a time saver, it only pushes the manifestation of the problem forward to a later (and more inconvenient) time. And then it stops looking like a time saver. And if doing the same thing over and over expecting different results can be considered a sign of paranoia, reboot-to-fix is just another sign of that.

Update: Some 12 days later, Paul Venezia wrote “When in doubt, reboot? Not Unix boxes”. Cool stuff!