log

Ήθελα να σχολιάσω το άρθρο αυτό καιρό τώρα:

“Ανάμεσα σε άλλους λόγους, γιατί οι άνθρωποι φέρουν τη γνώση του οργανισμού η οποία είναι πολύτιμη, σπάνια, και άρα, αναντικατάστατη. Μάλιστα πολλές φορές, η γνώση υπάρχει σε μια επιχείρηση σε τόσο αφηρημένη μορφή που δεν μπορεί να κωδικοποιηθεί και να αποθηκευτεί σε μια βάση δεδομένων και άρα να ξαναχρησιμοποιηθεί στο μέλλον.”

Κι όμως, υπάρχουν χώροι (π.χ. Αρχαιολόγοι) που το πρόβλημα αυτό έχει μια, μερική έστω, λύση. Τη λένε ημερολόγιο. Και πράγματι μια τέτοια λύση είναι μερική γιατί ένας άνθρωπος μπορεί να γράφει 10 σελίδες το μήνα και άλλος 10 την εβδομάδα και ταυτόχρονα και η ποιότητα να διαφέρει από γραπτό σε γραπτό, αλλά το ημερολόγιο εξασφαλίζει την παραμονή κάποιας πληροφορίας. Και εάν έχει φροντίσει ο οργανισμός να διαμορφωθεί η κατάλληλη κουλτούρα (ανάγνωση από συναδέλφους, αναφορά σε αυτά εάν υπάρχει κάποιο πρόβλημα προς επίλυση, κ.λπ.) αυτά είναι διαχειρίσιμα προβλήματα.

Το πραγματικό πρόβλημα είναι όμως πως οι information workers δεν έχουν μάθει να δουλεύουν έτσι:

  • Θα γράψουμε documentation αργότερα
  • Θα γράψουμε τα σχόλια στον κώδικα αργότερα
  • Ο κώδικάς μου είναι self-documented, δε χρειάζεται σχόλια

Αργότερα. Όλα αργότερα. Όταν θα έχουμε χρόνο. Μόνο που χρόνο δεν έχουμε ποτέ, γιατί το επόμενο project χτυπάει την πόρτα (ή τη χτυπάμε εμείς φεύγοντας).

blank Subject:

Subject: line occurrences

The graph above (click it to see the full image) displays the occurrences of Subject: lines within a week, for emails that went through an auxiliary outgoing / filtering mail server, set up specifically to deal with a spam outbreak that affected our customers. They were all about pain-killers and other “enhancements”, making it easy to write quick filters on the spot, with the exception of #66, the blank Subject: line.

[ Update: The above means that for that week the most common non-spam outgoing email subject was the blank subject. Some more numbers: 196493 messages passed through that system. The most common spam subject appeared 3588 times. 679 messages had blank subjects. 5 had “(no subject)” as subject. 6707 messages had subjects that appeared less than 100 times each. 5628 of them I would not classify as spam based on the subject line. So 10.7% of the messages that could not be considered as spam based on their subject’s content had empty subject lines. ]

It seems that people are still sending emails without a Subject: line. Although this seems weird to me, to a lot of others it is perfectly natural. Am I alone in believing that one should not send subject-less emails?

1981/02/09

Χτες ήταν η θλιβερή επέτειος. Χάρη στο ψηφιακό αρχείο της Αθλητικής Ηχούς είναι εύκολο να δει κανείς πως καλύφθηκε η τραγωδία από τις πρώτες κιόλας στιγμές. “Η μεγαλύτερη αθλητική τραγωδία του τόπου μας”, Αθλητική Ηχώ, 1981/02/09, σελίδες 1 και 8. Χρειάζεται DjVu.

nslookup

Από το INBOX μου:

Γιώργο,
Μπορώ να κάνω nslookup χρησιμοποιώντας άλλον dns π.χ. dns1.ΧΧΧΧ.gr ;

Παλιά μπορούσα αλλά τώρα δεν μπορώ από κανέναν άλλο να δω πλην από ΥΥΥΥ. Γνωρίζεις κάτι;

Οι περισσότεροι ISP δεν επιτρέπουν recursive queries στους DNS servers τους “έξω” από το δίκτυό τους. Το (φιλικό) Internet όπως το μάθαμε έχει τελειώσει. Οπότε η αμέσως καλύτερη επιλογή είναι οι server του Google:

– 8.8.8.8 και
– 8.8.4.4

και όχι μόνο για DNS lookups, αλλά και για traceroute και ping.

The need for discipline

A major point of David Greer‘s talk at AIFS was the hyper-connectedness of people. Most computing professionals are already hyper-connected and most connected people will be in less than five years. Hyper-connectedness here is used in the context that people use a lot of different devices to connect to the Internet, their home computer, their work, access resources and do whatever they want to do by using these facilities remotely. They have many interfaces to the Cyberspace.

So now the attack vector expands: “you or your child uses your home computer to share information through social networks or email and through this process may infect the computer with a virus. You then could use this computer to “work from home” and indirectly infect a work related file or through network connections, infect your corporate workstation”. Interestingly (inspired by a friend who advocates “people get hacked and not machines”) I had blogged about such a possibility back in 2007.

@gkoutep tells me, for quite some time now, that we are to expect “single target” attacks. The need for discipline for us who use different devices to connect to networks that we manage and/or the Internet is more than pressing: Shall we connect to our corporate network using a friend’s computer in case of an emergency? Although most systems now boot from USB drives (which avoids the possibility of an infected host system) what about our friend’s home network? Will “proper procedures” for exceptions be followed, or should one wait until being in front of a better controlled terminal?

While in the “old days” we could relax temporarily some restrictions in favor of convenience, friendship (being friends with the BOFH could result in exceptions) or emergency, this is no more. (Digital) Trust is not what it used to be (or what we believed we could get away with when bending the rules).

We live in a hyper-connected world aiming to facilitate everybody’s daily stuff, but will the need for discipline and caution lead system administrators (and other computing professionals) to start de-hyper-connecting?

report on AIFS

Thanks to a draw run by the Greek Chapter of the ISACA, I got to attend the 3rd Athens International Forum on SecurITy (AIFS). This was the first time in years that I used a benefit offered by the Greek Chapter, which makes me regret that I had not taken more advantage of my membership previously. I guess I’ll have to make some time and fix this though.

AIFS – day 1

Since I did not pay for the event, I tried hard to attend most of the presentations and keep some notes on the talks that I liked. David Greer gave an interesting presentation on Security Strategies, the various definitions of Cyberspace (according to the point of view) and how in the cyberspace battlefield technology is an equalizer (in contrast to the kinetic / traditional warfare) covering everything from the Internet to powergrids to automated and interconnected devices that find their ways into our houses and then present a possible leverage for an attacker to use.

Spiros Liolis gave a fantastic and provocative presentation on how we people in the IT security sector are chasing a “chimera”: (1) no one is really in charge (2) there exists policy confusion (3) information classification is problematic (4) people think that technology will solve everything (5) BOFHs treat users like cattle and how you treat people bites back and (6) management is not really involved in the process. He also posed a very interesting question for those organizations that move on the “cloud”:

– Who audits the cloud?

Dr. Stefan Frei gave a presentation on the dynamics of (in)security. A presentation in which he analyzed over 30000 vulnerabilities reported in the CVE and in a way that makes one think “Why did not I think of that?”. Well as in all things it does not matter who thought of what and when, but who actually did something. And Stefan Frei did (and promised to continue doing) an extraordinary job. For example, ten years ago the top-10 vendors were responsible for half of the vulnerabilities. Today they are responsible for 20%. The insecurity gap can be more frightening. An exploit can be in the wild for 200 days (and more) prior to disclosure. I am looking forward to newer versions of this report to see how this trend evolves.

Lucas Cardholm gave a presentation on the cost benefit analysis of information security. This was accompanied by a whitepaper which I suppose will show up on the Ernst & Young web site sometime. For the impatient, a similar presentation describing the same methodology, and using high school math, is available here [pdf].

AIFS – day 2

George Simos talked about “All you need to know about ISO27001 in 30 minutes” and he managed to do it in less. One can spend hours days talking about ISO27001. However in his 30 minute talk he managed to get the message through: ISO27001 is not a technical document, it is a management document. It is about Information and therefore above and beyond IT. When implementing it, one should be careful enough to implement only the controls that are needed and have repeated assessments which should produce comparable results.

George Raikos (from the ISACA Athens Chapter) gave a quick review of the newest set of standards from ISACA, the RiskIT (which is based on COBIT). A variation the given presentation is available here [ppt].

Joshua Leewarner gave a complete account of social engineering, why it works, the psychological factors used, how it works and examples of audits that he has performed that included social engineering, with and without the use of technology. From him I learned about PhishMe, a really interesting service if you want to “test drive” and educate your users.

Matthew Pemble talked about corporate and personal privacy on Facebook (and other social networking sites). Of particular interest to me was his reply to a question about the cost that is to a company an employee’s time on Facebook:

– I do not know; how much is the cost of a smoker employee versus a non smoker?

[ A friend faced a similar situation recently. His new CEO instructed that Facebook and Youtube be blocked and that he makes sure that the administrators actually do that. I told him that blocking sites does not lead to a productivity boost. People will find other ways to procrastinate, and what is even more funnier you will not know what they are and you will be forced to find out. ]

Matthew also pointed out that from a company perspective an employee’s Facebook activity might be relatively harmless (and therefore preferred) when compared to P2P, surfing porn, etc.

I think Daniel J Blander gave one of the best two speeches that I attended. He is one of the few speakers in IT that I have heard that clearly know the difference between the social network and the social network platform. IT people tend to think they are the same, because they did not think of networking much before the rise of the platforms. Which, at least for Greece, is weird given that “meso” and “vysma” describe getting stuff done, exactly because you know a key person or someone who knows a key person. Some advice that came out of this presentation is that you should join, use and understand social networks and platforms. The “instant” distribution of the medium should always be in your mind, plus the fact that the network never forgets. As an example he mentioned that one of the oldest posts that he had made still lives on and it was about firewalls. Indeed.

Was it worth it?

I have to admit that had I not been lucky in the draw, it would have been difficult for me to attend. I am satisfied that I attended though and now I am looking forward to the next AIFS. I regret that I did not sit around during the breaks and lunches, but work was withing walking distance and there was stuff that needed attendance.

What I did not like: I was really surprised that no one in the Security Metrics session mentioned the securitymetrics mailing list or the LinkedIn group. I was also surprised that one of the speakers recommended COPS and SATAN. Today? Only three people in the audience knew about Koobface. People doing security policies and processes need not be so detached from the “running code” reality. Your work translates to running code too.

Presenters who exceeded their time slot. If you wonder why the best presenters are always in time, it is easy: They are the best because they do not lose track of time. Rehearse your presentation. Think when you are in the audience: How long can you stay focused on a presentation? That long is how your presentation must last, for there is nothing that guarantees you that you are a better and captivating speaker. If you plan on saying that 70%-80% of the breaches come from insiders, please cite raw data and not another analyst’s report. If you plan to join the crowd that devotes a slide or two on the Russia vs. Georgia cyberwar, please find something new or a novel way to say what we already know. If your presentation is a survey (you know when it is) try to have at least one slide with something new. Do not spend half of your time-slot telling the audience of your past achievements. If you are that good either we know you already or we will look you up thanks to the amazing presentation that you will give (you did not).

Did I learn anything with regards to security? Depending on who asks the question I am tempted to answer no. However this was neither a trade show, nor an academic conference (which I like most because of either running code and/or theory). Did I learn useful things about my job? Of course I did! When trying to persuade management about an investment, do not talk about the cost of failure (for they will risk running with the legacy or unpatched system). Tell them instead about the cost of success. Executives love four color slides and “traffic light” coloring (green, amber, red) when identifying risk. You have to learn to place correctly the question. You are allowed to do guestimates on numbers, because that is what the other departments do too. Always try to show the positives when seeking for budget. Identify all the stakeholders and get them on your side. Learn to use Annex A of ISO27001. And a whole lot of details that connected “dots” in my mind (“ah, so that’s how it is done” flashes).

It becomes clear to me that security people need to read about Cybernetics. And emergence. Yes, that includes you the system administrator too. You too have to understand the dynamics of the organization you work for, not just the network. Awareness training was preached around, but I’ve established before why I believe it does not work. If you do not like to pay for the ISO27001, use the ISF standards.

I am changing my mindset on how I am thinking about these things and AIFS helped a lot (that or I am getting older). Do not forget: Conferences are about networking and exchange of ideas and I missed the “hallway track”.

That being said, I look forward to AIFS 2011.

PS: Angelos thanks for the coffee.

new battery (iPod)

Today my new battery for my 4th generation iPod arrived. I just finished installing it and as the instructions write, the hardest part was opening the iPod. The iOpener however is a remarkable tool that leaves no scratches on the iPod’s surface.

Right now the battery is charging, so any experience about its uptime will be written here after charging it for the second time.