Welcome to the Blogosophere

September 29, 2006

I wanted to throw out a quick entry to welcome Bill P to the blogosphere. Bill’s a security genius, and, while I get to hear his brilliance each day at work, I genuinely can’t wait to read his rants up on the new blog.

There’s not much content up there yet, but this should definitely become part of your RSS feeds – Bill’s got some great things to say.


Long live IDS

September 27, 2006

Today, nCircle sent out a press release that announced their newest patent – it patents the combination of IDS and Vulnerability Assessment.

This is the technology that was developed back in the way old days at Hiverworld – when the scanner was called Swarm, the IDS was called Mantid and the management console was known as Ansible.

What’s most interesting about the granting of this patent now is that there are a lot of other systems that are doing this exact type of correlation: Sourcefire is doing it with RNA, Tenable is doing it in Security Center and I know that there are others I’m forgetting.

While I could get into a rant about the futility of the patent system, what’s more important is that I’m incredibly happy to see this technology getting talked about – IDS has been languishing with horrible false positives for a long, long time, and I’ve always believed in the technology that came from the Hiverworld timeframe – the “target-based IDS” idea was brilliant then, and it’s brilliant now.

Congrats, nCircle guys… it’s nice to finally see this patent get granted.


Lean and Six Sigma

September 26, 2006

I sat in a meeting today, and I listened to a senior manager discuss Lean Six Sigma, and I realized how few people genuinely understand the difference. The manager described them badly, and generally seems to have missed the point by setting up Lean and Six Sigma as completely separate and un-correlated processes, when they’re actually completely complementary, and doing one without the other is generally going to lead to a bad result.

Lean is the process of removing waste from a process system – it means eliminating steps that are unnecessary, repetitive or provide limited value. The goal is to produce a speed/agility-optimized process that gets the maximum value for the least investment.

Six Sigma is the process of eliminating variance from a process. It causes you to do the same process (presumably the one that produces a good product) repeatably, thus eliminating defects from your process. The goal is to produce nearly perfect products every single time.

The difference is very much the distinction between efficiency (“doing things right”) and effectiveness (“doing the right things”). You could create an extremely lean process by eliminating all of the compensating controls that provide you with a quality product, but that would be against your Six Sigma goals. You could have a very high-quality process by triple-checking every single step, but that would be against the goals of agility.

Lean and Six Sigma are complementary processes that achieve a balance between speed and perfection, keeping the parts of the process that maximally achieve quality and ONLY those parts.

I’ve blogged about this before in a previous life.


ATMs and Stupidity

September 21, 2006

Over at Matasano, they’ve been talking about the recent Tranax ATM discovery. Their blog was the first that I’d heard of it, and Dave was excited that he legally obtained the User Manual that had the default passwords in it in less than 15 minutes.

What’s scary is how trivial it is to obtain the appropriate user manual. And not only does the user manual have the default passwords in it, it has the default SAFE combination. And this is stupidly easy – unlike what some people are saying, it does not appear to require access to a swipe card to enter the machine.

So, what can you do from the screen with the default password? Hmm… change the denomination of the bills that the ATM thinks it’s dispensing? (You can change it from $20 to $1… so, if you take out $100, the machine gives you 100 $20 bills). How about just removing the surcharge so the owner makes no money? Or perhaps (as a competitor) jacking up the price so that nobody would ever use the ATM (would you use an ATM with a $30 surcharge?)

It baffles me that these “DIY” ATM companies are trying to make the system so utterly turn-key that they manage to create massive risks for their customers. Especially when most customers aren’t going to be tech savvy enough to change many of these passwords or combinations. Perhaps they figured that these manuals would be “kept in a secure place”. I don’t know, but if Dave from Matasano and I can both read them, I’d say that they’re not so secure.

I’ve been around long enough that this shouldn’t surprise me. But I’m an idealist, and I guess I really am surprised when people do something this utterly stupid.

Now, if you’ll excuse me, I have some banking to do and a vacation in Tahiti to take.


Taking the Long View

September 21, 2006

My good friend Linda posts an incredibly interesting blog entry about taking the long view of things:

I wonder how their lives would be different if they were required, as part of their education, to conceive and begin a project that would be completed by their children’s children. I wonder how their sense of the world would change if they had to make real, practical plans to begin something on that scale. I wonder how their sense of happiness would change if it included the impact of their actions two or three or ten generations from now.

This is an issue that I often struggled with at my last company. Being in a start-up environment, the whole world exists on an incredibly short timeframe – the company has been around less than 7 years, and, given the bent for consolidation in this industry, will probably last less than 10 years total.

My experience of the start-up (both nCircle and elsewhere) was that decisions are made on a 3-9 month timescale – anything past that is far too uncertain to really consider. Who knows if the company will radically change in that time? The time horizon for most projects is less than a quarter, and some of them are scoped in terms of weeks rather than months.

Contrast that to where I am now – the company has been around for a century. Decisions are made that ensure that the company survives for the long term – we talk about projects that have time horizons measured in years rather than weeks.

It’s a significantly different game, and it often reminds me of Carse’s description of Finite and Infinite Games. A finite game is a bounded game, with a beginning and an end – much like the concept of a “start-up” has the concept of an “exit strategy” built into it.

On the other hand, some companies are infinite games – the main goal of the game is to ensure that we continue to play.

What about your company? Is the game finite or infinite? And on what timescale do you make decisions? How would things change if you moved that timescale farther out or closer in?


I love consolidation

September 20, 2006

Over at Security Incite, Mike Rothman posts about the new LURHQ/SecureWorks merger. And I think that his analysis is right on – this one’s going to be good for the combined company (which is taking the name SecureWorks).

As a former LURHQ employee, I’m incredibly happy for those guys – they’re a heck of a team and a group of brilliant security minds.

And unlike Mike Rothman, I do know what LURHQ stands for… and I’m not telling.


Quiet on the Eastern Front

September 13, 2006

I’ve been quiet for the last week or so – that’s mostly a factor of being incredibly busy getting my life in order. Moving to a new country, and all of the various and sundry things that go with it – buying a car, unpacking huge numbers of boxes, disposing of insane amounts of packing material, etc.

I’m settling in to the new job – I’m alternately awed and overwhelmed by the sheer size of the organization. My life has been in small companies to this point – it’s much like the feeling of my first year biology class at U of T that had 3000 people in it – the professor was at the front of the auditorium with a big screen behind him, and nobody ever really met him. I imagine I’m going to have a similar relationship to the CEO here – that is, no relationship at all.

It’s very different than nCircle, where I could walk in to Abe’s office and talk.

But size has its benefits, no doubt. More on that over the coming year.


Chicken Little

September 2, 2006

After all of the discussion that we had about me overreacting, it looks like we just may end up with a worm on MS06-040 after all.


Risk: Pigs and Sharks

September 1, 2006

Over at his super-cool new blog, Anton Chuvakin quoted Bruce Schneier:

‘More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.’

As much as I respect Bruce, I would have to say that he’s confusing local and global risk – he’s mixing up logical levels. “Muddled thinking”, as Gregory Bateson would have said.

Let me explain. First, a review of the definition of risk: “Risk = Vulnerability X Threat X Potential Loss”.

In layman’s terms, that means that risk increases in proportion to your ability to be attacked, the number of entities that want to attack you, and the amount you stand to lose from the attack (“attack” here meaning “loss-causing event”, without any implication of intent).

In those terms, let’s think about pigs and sharks. Considering that we’re talking deaths in each case, the amount you stand to lose is the same – namely, 100% loss, so all we’re talking about is vulnerability and threat.

Interactions with pigs: relatively low vulnerability to attack, and many human/pig interactions.

Interactions with sharks: extremely high vulnerability to shark attack, relatively few shark/human interactions.

While we may have few interactions with sharks, we intuitively know that if we have an interaction, we’re going to end up with significant loss. However, in a large number of interactions with pigs, we’re relatively unlikely to experience loss – so, we don’t worry about them.

Bruce is being confused by the difference between global risk and local risk. Global risk is the cumulative risk to all people from all pigs and sharks, while local risk is the risk to any single person from a given pig or shark.

Given the choice between an interaction with a pig or shark, I’d say that every human would choose pig. And, from a risk management perspective, they’d be right to do so (because local risk is significantly higher when interacting with a shark). Which would mean that, globally, we’d end up with more risk from pigs (because there is more threat opportunity).

Humans are excellent at intuiting risk – we understand well what can potentially cause us loss on a local level. But we don’t think about global risk very well – it’s the same kind of thinking that leads individual companies to pollute the environment – they consider the local risks well without acknowledging the global risks.
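To make the local/global distinction concrete, here is a small added example (mine, not part of the post) that applies the post’s “Risk = Vulnerability X Threat X Potential Loss” formula two ways: per interaction (threat = 1) and cumulatively (threat = number of interactions). The figures for pigs and sharks are constructed for illustration, not real statistics; the same function ranks any set of hazards, which is how the same reasoning carries over to frequent low-severity versus rare high-severity security events.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hazard:
    name: str
    vulnerability: float   # probability that one interaction ends in the loss (0..1)
    interactions: int      # threat opportunity: interactions across the whole population
    loss: float            # potential loss per event; 1.0 = total loss (a death, as in the post)

def local_risk(h: Hazard) -> float:
    """Risk to one person in one interaction: Vulnerability x Threat (=1) x Loss."""
    return h.vulnerability * 1 * h.loss

def global_risk(h: Hazard) -> float:
    """Cumulative risk over every interaction: Vulnerability x Threat (=interactions) x Loss."""
    return h.vulnerability * h.interactions * h.loss

def rank(hazards, scorer):
    """Hazard names ordered from highest to lowest risk under the given scorer."""
    return [h.name for h in sorted(hazards, key=scorer, reverse=True)]

# Constructed, illustrative numbers: sharks are far more dangerous per encounter,
# pigs are encountered vastly more often.
HAZARDS = [
    Hazard("shark", vulnerability=0.25, interactions=400, loss=1.0),
    Hazard("pig", vulnerability=0.00001, interactions=20_000_000, loss=1.0),
]

def compare(hazards=HAZARDS):
    """Show the rank inversion: shark leads locally, pig leads globally."""
    return {"local": rank(hazards, local_risk), "global": rank(hazards, global_risk)}

if __name__ == "__main__":
    for h in HAZARDS:
        print(f"{h.name}: local={local_risk(h):.5f} global={global_risk(h):.1f}")
    print(compare())
```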
