October 3, 2009
Now that I’ve got a new work computer (a nice Lenovo W500) and am sending my previous one back to Foundstone (goodbye Dell D630, you’ve done me proud), I’m getting all my software, settings, etc, installed. I can never fathom out why, but it takes me forever doing this task, and often a fresh OS image a few times over, to get things “just right”.
Anyway, while doing this, I’ve been categorizing my RSS feed’s saved items – generally I store “interesting” things I have found so that I can refer back to them or use them in work/presentations/papers. Normally, these are just for me (although I may email some to a wider audience). However, the latest version of FeedDemon (my RSS reader of choice at the moment) doesn’t support their online Newsgator service any more in favour of Google Reader, so that’s where my saved items are going, as well as the online backup/cache of the feeds I’m reading.
Now, although I work for Microsoft, and even more so work in Bing, I still like a number of Google’s products – I’m pretty non-partisan and will just use what works for me unless there’s something I can dogfood and make better. This does give me an opportunity though to share these saved items, which you can see in the new “Shared” box to the right. I’m not sure anyone will find this useful, but it’s literally no work for me to add, so why not.

As expected, there’s quite a lot currently on security, software engineering, technology, web, etc (ignore the gossip – tags and folders are both included in this tag cloud and that’s where my feeds like ValleyWag and MiniMSFT go).
Posted in Misc
October 1, 2009
Trying to get out from under the multiple firehoses right now (getting to know the people, the architecture, and the way forward), but at least I’m not drowning and am starting to see open skies.
More to come, but this via one Michael Howard pointing to an article by the “other” Mike Howard on campus, who strangely both work in security. A little different, but an interesting article, and we use the same language and similar approaches.
http://www.securityinfowatch.com/Cover+Focus/no-size-fits-all
Posted in Microsoft, Security
September 20, 2009
Well, first week down. Off to a reasonably simple start with NEO, which was basically going over the corporate culture (relaxed but focused), benefits (wow), and other basic things like websites to get started on things like parking, commuting, email lists, etc, etc. Even though I’ve known Microsoft for some time through friends there, it’s still eye-opening the scale and facilities the company has at its disposal.
Met some of the people I would be working with on Tuesday, but as I have no direct reports (as of yet – I’m an IC, Individual Contributor, initially but that may change), my manager introduced me to a bunch of people while walking offices and corridors and being placed in various meetings. I was pleased that in the very first one I was placed in I had quite a lot to contribute, so off to a good start I hope. The number one item for me is to figure out where I need to be plugged in, as it’s really apparent that I could easily spend too much time on “interesting stuff” that wouldn’t really be using me most effectively.
I think I’ve done all the mundane, but necessary, Start@Microsoft things like elect benefits, HR forms, Legal, order laptop, etc. I have a nice desktop already, and it’s very different going into an office every day than working from my home office. Not sure I totally like having to get up earlier and the 20min commute rather than the 20ft I had previously (and being able to work in my undies if I want to – I don’t think my new colleagues would like that!), but there’s no question that I’m getting exposed to more learning and involvement/leadership opportunities already.
Starting to understand the main architecture of Bing and I really get now why they are calling it a “decision engine” rather than a search engine. I’ve liked the general results I’ve got from using it since launch, but there’s so much more than just indexing pages – things like “answer pages” to give you back the info you need when there is a definitive answer out there the system knows about. I think that people are very much stuck with how search has always been (throw keywords in and return matching results), so a new approach might be a little “jarring” to some. In many ways I kept thinking about a graph (and thesis) I had when doing my PhD.
There’s certainly some way to go (perhaps I’m joining at the equivalent of “Windows 3.1 for Workgroups” for Bing with “Win7” somewhere on the horizon) and lots of interesting things I’ve seen even in my first week. It’s a real hive of work there, with no-one treating this as a “solved” problem that one person or company has “right”. I certainly see where I can contribute and drive security (already have some responsibilities and “commits” set – my manager doesn’t hang around).
All-in-all, a really good first week and settling in nicely. Thanks to all the people that commented/blogged/twittered offering congrats and best wishes when I announced the move – means a lot to me.
Posted in Microsoft
September 11, 2009
I’ve not been blogging very much recently, and why should be apparent after the end of this post. I hope to possibly up my frequency in the near future, as more people may perhaps be a little more interested, but once again I’ll have to “feel the water” in the ongoing days/months ahead. In any case, on to the details.
Since about January, I’ve been transitioning out of the Foundstone Professional Services team and into one of the McAfee product teams (as I hinted some time ago). This was a good move for me, as although I absolutely love the guys I work with in FSPS, and the work certainly was interesting (getting to see a lot of companies and their security, or lack thereof in some cases, and helping them get better), I longed to “get in deep” with a problem, which, due to the very nature of the kind of consulting I was performing, seldom happens – usually it’s work with a client to do some testing/auditing/evaluation of where they are currently, find what things they are missing, report on the impact/issues/reasons of the delta, recommend how to move forward, and then be on your merry way. Normally one doesn’t hear anything until the next engagement other than maybe some quick email exchanges or conference calls for clarification or review, as the client is bringing you in for a specific purpose; once that is done, remediation and on-going work is done by their internal staff because paying continued consulting rates would, in many cases, be cost-prohibitive (and thankfully there’s lots of work out there still, so there’s always that next client to start the cycle again with).
Transitioning to a McAfee product team meant that I could really get my teeth into a problem, look at the requirements, devise an architecture to move forward, and slowly develop and overcome issues with implementing the final delivery of the product (I’m sorry I can’t be any more specific at the moment, but when it’s released I’ll post again about the project and sing the praises of the people I worked with). It was pretty clear that this is what I really missed doing – researching a problem and devising solution(s) – and what was only going to be a sabbatical to the product team for a specific technology/release was panning out to be a full time position. I was welcomed onto the team with arms wider than I could have possibly hoped for, and was settling into working with some great people and a roadmap that could have kept me interested for years.
But then I got an email and went out for a coffee with an old friend from the STAR conference circuit. He was back working for Microsoft in a cool group and was looking for people – there was a need for a “security guy” and I came with good recommendations.
I guess I’ll have to say at this point, to be fair, that I had begged off from ever going to Microsoft. I had interviewed there a few times in the past and my experiences were “mixed” at best. I had seriously doubted myself after a few of the loops, and had just about had enough – it was clear that for whatever reason I wasn’t a “fit” so had crossed it off the places where one day I might have seen myself.
Anyway, I talked to some of the people there, met the director for the group, and after what I thought were just informal “get to know you / what we do” kind of meetings (although there were some obligatory “whiteboard” questions), it was clear that they wanted to hire me. Sort of sunk in when on the way out, Mr Director (I’m not going to mention any names as of yet because I don’t know how happy they are about having their names out there, and as a security/privacy guy, I’m very much for “opt-in”) said “I’m going to ask HR to extend you an offer”!!!
So, here I am with a bit of a conundrum. I’m currently working with a great team at McAfee, on a product that I believe in and can make an impact on, and a roadmap of things that I could work on (and most importantly be super interested in) for years. On the other hand I’m being offered a role to help set the direction for all of security testing at Microsoft’s Bing.com platform as a senior SDET/security test architect.
I’ll let that sit for a while. I had to as it was a difficult decision, so take a breather
I really wasn’t looking to leave McAfee/Foundstone – the company has treated me very well, I have great colleagues there that are just plain *friends* now and hopefully will always be, and I feel the company is heading in the right direction with some fantastic management that I’ve had from the top to bottom. However, on the other hand, what a great opportunity to work on such a big, strategic site such as Bing, and to have that on my resume. Microsoft were great in that they didn’t pressure me at all and gave me a few weeks to think about it, including setting me up to have some time for very open talks with various people to know what life on the team looks like and how my role would pan out (which, if I can, I’d like to write more about as I get further into the job). It was night-and-day different from my other experiences with Microsoft.
So, positives…
- Having the opportunity to work on something at this scale, in my field, and with such a spotlight is rare (clearly, only one other place) and (as long as Bing doesn’t get hacked up and it’s my fault!) as a colleague said “this would not be a career-limiting move”.
- Despite the haters out there, Microsoft clearly “gets” security now, and has attracted some top talent in that field. Getting the chance to work with some of these people would be fantastic.
- Even inside Bing practically every big computer science problem is touched upon somehow, and if for whatever reason I don’t want to work in that field/team any more, inside Microsoft you could do everything from designing mice, through to games, and obviously so many different types of software technologies/platforms – there’s plenty of growth opportunities there.
semi positives…
- Microsoft are just outside of Seattle, which is where I’m based now and have wanted to live in this area for a long time. Being able to go into an office and interact with people I think gets much more done than via email/phone. Now, in consulting where you are doesn’t matter much – the internet and an airport close by works well as you are onsite with clients lots. The McAfee product group were flying me in every month and a half or so for a week of really productive meetings and stuff, and I’m quite happy working remotely (and I’m actually very productive in my home office), but you do in some way get “isolated” and not involved in conversations/meetings as much as I’d like to be.
- I won’t have to travel nearly as much – both for professional services (every few weeks) or in the product group (every few months). I don’t mind travel (in fact I quite enjoy it), but it’s hard leaving family at home and sometimes trying to schedule even little things like meeting up with friends or going to a concert can have unexpected changes (although to be fair, Foundstone was always really good with me sorting anything like this out, but I just hate having to bring it up as it feels like “shirking” work if I need to turn any travel down).
negatives…
- In taking the job with Microsoft, I don’t get to “see out” the product I started building. It would be hubris to say that I’m needed on that team to complete it or for it to be a success – the guys clearly can do a great job – but I like to finish what I start, feel I have plenty more to add, and if nothing else would be a benefit to the team as another resource to get things done and meet deadlines. There’s never a “good” time, but I guess this is “non-optimal”.
- I’ve built up some level of “goodwill” at McAfee and know many people there. There’s no question that at Foundstone/McAfee I’m treated very well and have a great working relationship with people there. I’ll have to start that again at Microsoft and be somewhat a “small fish in a very big pond” again. Not so much of a negative as I like building relationships, but certainly having to start again, and I’m really going to miss the guys I’ve worked with.
- Simply the “new”. Each company works differently, and I’ve never worked for such a big enterprise before. I’m sure I’m going to have to learn a lot, and quickly, in what it takes to really thrive in such an organization.
In taking everything into consideration, I think this is a fantastic opportunity and something I’d be stupid to turn down. It’s really going to up my game, give me new learning experiences, and allow me to work on something at a scale that I’ve never been able to before. In many ways it’s both exciting and daunting at the same time!
So, today is my last day at McAfee/Foundstone. As of Monday I’m a Microsoft employee and the joys of NEO – New Employee Orientation (or where you get your chip implanted and force-fed the corporate kool-aid). I’m certainly going to continue posting about general security trends and news I find interesting, but hopefully can add a slant on what it’s like working in Microsoft and on a property such as Bing. All that after I know how the land lies – I don’t after all want to get fired soon after I get there! So, don’t expect very much in the short term as a) I’m going to be really busy getting up-to-speed on the platform and technology, and b) I need to get to know what is on and off-topic.
Well, stay tuned, and hopefully I’ll have some interesting things to write about.
Posted in Microsoft, Personal
July 24, 2009
SSLLabs have just released two quite interesting resources – their SSL Server Rating Guide and the Public SSL Server Database. As web server and application security are heavily tied to both the use of, and the strength of SSL, it’s nice to see these two things released and giving information on correct configuration.
Now my two issues (you knew they were coming).
First, I’m not sure I like the idea of a publicly available database of SSL configurations, especially if I can’t control what data is in there about my own sites. It seems that anyone can initiate a scan of any other site (which to be fair anyone can do with other tools), but that data is logged for all to see. Querying can be done only on domain name at the moment, but I would guess there’s nothing to stop the site being changed to “show me all the sites that use cipher XXXX”, which could be used maliciously, or for a “name and shame”. Disclosure: Foundstone’s site is there with an ‘F’ after one of my esteemed colleagues put in “foundstone.com” (not “www.foundstone.com”, which is the name the certificate is issued for). I believe this is a bit of a bug as it doesn’t take into consideration redirects, although I admit that there’s some risk (depending on the site configuration) and this is really splitting hairs.
In any case, although it’s clear to see that this info is being logged, and it’s “public” info, I’m sure that many people won’t like it being so prominently logged, especially without the site owner being notified of their data being added (which is where I see the “premium” site coming in – here sir, for this small fee…). For those that want to assess the SSL configuration of their servers without sending data to someone else, may I point you to Foundstone’s SSLDigger which has been around for ages.
Second, other than the cert mismatch issue, I have a small bugbear with the scoring of SSL ciphers. There’s a known flaw with SSLv2 known as the “downgrade attack” ([PDF] link to good doc explaining various SSL attacks). Basically, because there is no MAC over the handshake in SSLv2, someone performing a MITM can remove the “strong” ciphers from the client’s handshake, leaving only weak ones behind that the browser accepts but which can also be broken in a “reasonable time” by the attacker, thus leading to a break in confidentiality.
The thing is, all modern browsers have SSLv2 turned off by default, so this flaw isn’t going to affect the average user. Sure, in an assessment we have to warn about it, but it’s a really low risk. I’ve not seen any released tools to perform this attack either (although some netsed foo should handle the job), which further limits the potential exposure to this attack.
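To make the downgrade concrete, here is an added Python simulation (example code written for this page, not from the original post, SSLLabs or Foundstone). It builds an SSLv2 CLIENT-HELLO, has an on-path attacker strip the strong cipher specs, and shows the server picking 40-bit export RC4 because nothing in SSLv2 lets it notice the edit. The transcript MAC at the end stands in for the SSLv3/TLS Finished check (a plain HMAC, not the real PRF) to show why the same edit is caught once the handshake is integrity-protected. The cipher spec codes are from the SSL 2.0 draft specification; the key and challenge bytes are made up.

```python
import hashlib
import hmac
from typing import List, Tuple

# SSLv2 CIPHER-SPEC codes (3 bytes each) from the SSL 2.0 draft specification.
SSL_CK_RC4_128_WITH_MD5 = b"\x01\x00\x80"
SSL_CK_RC4_128_EXPORT40_WITH_MD5 = b"\x02\x00\x80"
SSL_CK_DES_64_CBC_WITH_MD5 = b"\x06\x00\x40"
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = b"\x07\x00\xC0"

# Ciphers an attacker could break in "reasonable time": 40-bit export RC4
# and single DES. Everything else offered here counts as "strong".
WEAK_CIPHERS = {SSL_CK_RC4_128_EXPORT40_WITH_MD5, SSL_CK_DES_64_CBC_WITH_MD5}

MSG_CLIENT_HELLO = 0x01
SSL2_VERSION = b"\x00\x02"


def build_client_hello(ciphers: List[bytes], challenge: bytes) -> bytes:
    """Serialise an SSLv2 CLIENT-HELLO with a 2-byte record header (no padding)."""
    specs = b"".join(ciphers)
    body = (bytes([MSG_CLIENT_HELLO]) + SSL2_VERSION
            + len(specs).to_bytes(2, "big")
            + (0).to_bytes(2, "big")              # SESSION-ID-LENGTH: none
            + len(challenge).to_bytes(2, "big")
            + specs + challenge)
    header = (0x8000 | len(body)).to_bytes(2, "big")  # high bit => 15-bit length
    return header + body


def parse_client_hello(record: bytes) -> Tuple[List[bytes], bytes]:
    """Return (offered cipher specs, challenge) or raise on a malformed record."""
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("expected a 2-byte SSLv2 record header")
    length = int.from_bytes(record[:2], "big") & 0x7FFF
    body = record[2:2 + length]
    if len(body) < 9 or len(body) != length or body[0] != MSG_CLIENT_HELLO:
        raise ValueError("not a complete SSLv2 CLIENT-HELLO")
    spec_len = int.from_bytes(body[3:5], "big")
    sid_len = int.from_bytes(body[5:7], "big")
    chal_len = int.from_bytes(body[7:9], "big")
    if spec_len % 3 or 9 + spec_len + sid_len + chal_len != length:
        raise ValueError("inconsistent CLIENT-HELLO lengths")
    specs = body[9:9 + spec_len]
    challenge = body[9 + spec_len + sid_len:]
    return [specs[i:i + 3] for i in range(0, spec_len, 3)], challenge


def mitm_strip_strong(record: bytes) -> bytes:
    """The downgrade: rewrite the hello in transit so only weak specs remain.
    Nothing in SSLv2 lets the server notice that the list was edited."""
    ciphers, challenge = parse_client_hello(record)
    return build_client_hello([c for c in ciphers if c in WEAK_CIPHERS], challenge)


def server_choose(record: bytes, server_prefs: List[bytes]) -> bytes:
    """Server picks its most preferred spec among those the (possibly
    tampered) CLIENT-HELLO offers."""
    offered, _ = parse_client_hello(record)
    for spec in server_prefs:
        if spec in offered:
            return spec
    raise ValueError("no cipher spec in common")


def transcript_mac(key: bytes, transcript: bytes) -> bytes:
    """Stand-in for the SSLv3/TLS Finished check: a MAC over the handshake
    bytes under a secret the attacker lacks. Simplified, not the real PRF."""
    return hmac.new(key, transcript, hashlib.sha256).digest()


def run_handshake(attacker_present: bool,
                  key: bytes = b"made-up-master-secret") -> Tuple[bytes, bool]:
    """Simulate one handshake. Returns (cipher the server chose, whether a
    Finished-style transcript check would have passed)."""
    prefs = [SSL_CK_DES_192_EDE3_CBC_WITH_MD5, SSL_CK_RC4_128_WITH_MD5,
             SSL_CK_RC4_128_EXPORT40_WITH_MD5]
    client_hello = build_client_hello(prefs, challenge=b"\x11" * 16)  # made-up challenge
    on_the_wire = mitm_strip_strong(client_hello) if attacker_present else client_hello
    chosen = server_choose(on_the_wire, prefs)
    # Client MACs what it sent, server MACs what it received: any edit shows
    # up as a mismatch. SSLv2 performs no equivalent check.
    finished_ok = hmac.compare_digest(transcript_mac(key, client_hello),
                                      transcript_mac(key, on_the_wire))
    return chosen, finished_ok


if __name__ == "__main__":
    for attacker in (False, True):
        chosen, ok = run_handshake(attacker)
        print(f"attacker={attacker}: chose {chosen.hex()} finished_ok={ok}")
```

Without the attacker the server lands on 3DES; with the attacker it lands on export RC4 and only the added transcript check notices. The practical lesson is the one SSLLabs scores against: if a server does not negotiate SSLv2 at all, there is no handshake for the attacker to edit.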
In any case, I think it’s great to have the server rating guide out there, as well as another tool that people can use to simply audit their settings. I guess that the privacy nut in me doesn’t like having data out there that I potentially don’t know about.
Posted in Security
July 20, 2009
The next episode of WebSec101 which covers the topic of authorization has been posted to the Foundstone site.
http://www.foundstone.com/websec101/
Although not talked about as much as SQLi or XSS, authorization is the number one flaw you have to make sure your app is not vulnerable to. Not a lot of technical discussion in this webcast, but a few ideas on how to test for authorization flaws and things to look for that might be an indication of a weak authorization system.
Posted in Security, WebSec101
July 8, 2009
News is everywhere about Google’s new desktop operating system. About the best headline I’ve seen is TechCrunch’s “Google Drops A Nuclear Bomb On Microsoft. And It’s Made of Chrome.”
It’s somewhat good news – having alternate operating systems encourages competition in the marketplace and makes sure companies innovate. However, I’m very worried about this news, and not because I’m a Microsoft/Linux fanboy or a Google hater – there are just some very disturbing aspects to both this specific product and the potential way Google is heading.
First up, the competition. The idea it seems behind a “browser based OS” is pretty cool, and certainly applicable to the target market (netbooks) Google is initially aiming at. Out of the two competitors for running the desktop, I think that Linux is likely to suffer more than Microsoft. Linux (IMO) is suited to the “try new stuff” people and they will most likely be the early adopters. There’s certainly going to be some loss in Microsoft’s market share – netbooks is a growing market and Windows 7 is trying to target that. However, unless netbook manufacturers are going to factory install Google’s OS (something that Microsoft is likely to fight hard against happening, and/or unless buyers give the netbook manufacturers overwhelming requests for the option), there’s an inertia that has to be overcome. Everyone knows Windows, how it works, that no matter what you can share with practically everyone else, and the number of tools, utilities, plugins, etc, etc, available – that’s a mightily large incentive you have to displace. Also, as Google is finding to their benefit right now, even if you have a “better” product, lots of people still won’t switch purely out of habit.
Next, security. OSes are notoriously difficult to write and to secure. Google is making the task a little easier by narrowing the focus down (just get one application, the browser, to run and have everything else execute on top of that), but we’ve been seeing browser bugs forever, so even that approach isn’t totally effective. Having an OS that is a) as homogeneous as a single application to target and b) by definition always connected to the public internet is just a scary target IMO. I would guess that Google is going to look at using their native code technology, and the fact that Mark Dowd (a God amongst us in the security industry, and whose word carries a lot) has “blessed” the project as secure means a lot, but it doesn’t spell the end of it – the guys that were part of the security contest looking at the code only had 3 months, which sounds like a long time, but with any large, complex codebase time gets eaten up quickly just understanding all the things that it does and how it does them, let alone finding all the edge cases (and this is even assuming that the people working on the contest were “full time”, which I highly doubt many, if any at all, were). So, I believe that unless Google is really careful, and there’s no reason for me to think they won’t be, it’s a) going to be a nice target (web + connected to the internet + homogeneous + known problems with web/browser applications) and b) going to take considerable time/effort to get right.
My biggest concern however is the principle behind it. Writing such an OS (or any major technology for that matter) takes a lot of time and effort. In a company, that costs “mucho dinero”. The stated plan is to use Open Source principles/development, but it’s rare that people will do things out of the goodness of their hearts. So, what are the people developing OSS-fashion going to get? Probably the same as Linux devs, but without the distros (which people can sometimes make money off) – credibility, bragging rights, skill/experience, etc. Google, what do they get? Other than hating Microsoft and going after another of their sacred cows, this is where it gets really scary for me.
Google you see is not a search engine company. It’s not a software company either. It’s an advertising company. That’s how it keeps everything it does free to the consumers: by placing ads. The (considerable) software development and operational costs it takes to bring you search results, GMail, Google Maps, etc, etc, is offset by them bringing in advertising dollars. Fantastic I say – the fact that they have found an alternate revenue stream, can bring such products to consumers for “free”, and make lots of money themselves is just genius. However, to make the ads that are pushed out more meaningful and targeted (and therefore ask a higher price of the advertiser because of better conversion rates), Google needs to know a lot about you. Either through simple stuff like what page you are looking at (context), what you’ve done in the past (history), who you interact with (social graph and shared likes/interests), etc, etc. The more that is collected, the more ads can be targeted, the more valuable those ads become.
Now, I thought Google Voice was scary enough when it was announced a while back. Being able to track who you are calling, who’s calling you, and the content of the calls is just frightening (yes, I know it’s opt-in but I’m not going down there right now). However, add the opportunity of tracking your every move while working online in a web-OS, gathering data on likes, dislikes, things you are working on, sites you visit, how often you are on and when/where you buy stuff online – I’m not sure that a company whose goal is finding out that info could resist seeing some of that data. Unless it was a non-evil company, which Google obviously is, otherwise they wouldn’t have it on their mission statement. :p
Here’s the problem with that. Microsoft, Linux, Apple, etc, all produce an operating system, but their primary motivation is to sell you that OS and keep you on the platform so that you will buy/use their other products (and sometimes services, but it’s a lot less of a simple tie-in). A company that makes 90%+ of its profits on knowing its users’ patterns has, I believe, a different motivation. I’m not saying it’s their sole motivation, or maybe not even a motivation at all (right now), but there’s somewhat a conflict of interests going on.
So, I’m not saying that there are malicious intentions going on in Google’s collective mind, but there’s certainly another “opportunity” to gather more data here, which is something they love to do. In the 80’s/90’s Microsoft was known as the evil empire and rumors abounded that they were spying/listening on the users of their software. I hope that Google doesn’t get the same reputation, although the train is going really fast down those tracks. The marketplace and security issues are a concern, but the biggest is the privacy and potential interests of being in a totally different revenue stream. I think Google should silo off this OS from the other “data gathering efforts” they have going, as well as come up with a world-class “open” privacy policy (and perhaps have 3rd party verification?), and not just warm-and-fuzzy statements of “not evil”, “open source”, and “published privacy policies”, in order to nip any potential of the general public thinking that way in the bud.
Posted in Industry
July 6, 2009
The next episode of WebSec101 which covers the topic of authentication has been posted to the Foundstone site.
http://www.foundstone.com/websec101/
As ever, enjoy, and if you have any feedback/comments you know where to look.
Posted in Security
July 4, 2009
Went to the opening night of the Green Day tour at the Key Arena last night and had a great time. I have to say that it wasn’t quite as good as the last time we saw them (Orlando in 2005), but it was a great gig; those guys really know how to rock a crowd. I think as it was the opening night the show wasn’t as “tight” as last time, but other than playing some of the songs from the new album, it was quite similar.
Some videos from the show I’ve dumped here.
Ah, brings back memories of working on gigs like that. Still amuses me being in an audience full of teenage Americans singing their little hearts out to American Idiot and not quite getting that it’s a warning about what many of them are becoming :)
Posted in Fun, Personal, Trip Report
June 30, 2009
Looks as if Facebook are having a few issues with click-fraud. No surprises really, every major online advertiser faces the same problems. Just as spam followed the popularity of email, click-fraud is going to follow advertising budgets onto the web.
What I’ve found interesting in this case is who benefits from click fraud. In the case of Google’s AdSense or the Yahoo publisher network, or the many different others, when you share the revenue of click-throughs of ads with the people that host them, there’s an incentive to drive clicks either via legitimate (increasing traffic), semi-legitimate (SEO techniques), or illegitimate (click-fraud) means. The more people going through the ads you get served up, the more money you make. What is interesting in Facebook’s current issues is that they are hosting on their own site, and aren’t sharing revenue (well, they are with application developers, but for brevity I’ll ignore that instance as I believe it’s manageable). So in that case, who’s doing the click-fraud and for what purpose?
On TechCrunch there’s an excellent post on how click-fraud may be working against Facebook. In a nutshell, advertisers are probably click-frauding each other to drive their competitors out of the market by using up their budget and/or spiking the prices. If this is actually what is happening (I’ve seen no hard evidence out there one way or the other yet from crawling around the web doing some research before putting this post up, but stealing a link from one of the TC comments, there’s a lot of freelance work available out there to game the system), then it’s pretty much exactly the prisoner’s dilemma playing out in real life – the only winner is Facebook as they are getting revenue, but even then only over the short term as advertisers can get pissed-off and leave (and are). All the ad networks take quality of CTRs seriously because it’s their bread-and-butter, but what can they do?
So, going into the main topic of my post – how do you combat click-fraud? For the advertiser there’s advice out there on a few things they should do, but for the purposes of web security that I hope will become clear later, let’s just focus on the ad networks themselves in how they can address click-fraud.
1. Firstly, the ad delivery network (what I’ll call the “system” from now on) has to keep stats on what was served and clicked for their clients. Any unusual spikes or patterns in these stats could cause concern (could, because there may still be many legitimate reasons) and need to be investigated. This is no different than security monitoring and historically reviewing log files to look for anomalous behavior.
2. Ads are usually targeted at users and are supposed to be in some way randomized so the user doesn’t see the same ad all the time, and multiple clicks on the same ad shouldn’t be counted if they’re from the same person. Mostly, targeting is done geographically and/or based on characteristics of the user – age, interests, demographic, etc. In order to access the ads the fraudsters have to be able to come off as “real” users that match those characteristics (and enough real users so that it doesn’t trigger the abnormal pattern detection, or the “real vs bot” detection that I’ll talk about below) so as to enact the clicks. The geographic part is pretty easy – there are shared proxies and VPN solutions, public and private, that allow you to look like you are in any country you like (I use such a service sometimes to watch the BBC iPlayer and catch up on shows at home). Obtaining legitimate users matching a demographic can be achieved either with automated sign-up tools, or simply paying low-cost labor. This is very much the CAPTCHA arms-race we are going through now, and there are even systems out there that will “nourish” and “grow” an account, much like a real user would add pictures, wall posts, etc, so it’s not as obvious that it’s an account used just for click-fraud and it avoids being shut down at some point if it’s discovered.
3. To the people gaming the system, the risk/reward ratio currently is very much in their favor, whereas the risk/reward ratio of, say, robbing a bank is low – there’s a good chance of getting caught, banks often don’t lose that much money in such an incident, and the punishment if the robber does get caught is high. In order to re-balance the risk/reward ratio, many companies are going after the perpetrators of click-fraud, much like they have been known to go after spammers or hackers. This is done in the hope that it drives the perpetrators away from the system that is going after them, or from the activity in general.
4. Lastly, the system has to make a determination of what is a “real” user clicking on an ad vs. some automated program (bot). There are various ways this could be done – IP address, speed of viewing/clicking, browser version, Referer header, cookies, etc, etc – and the method(s) are kept very close to the chest because they could all be spoofed and gamed, especially if you know what the rules are. The parallel with webappsec here is that we have very much the same issue with session management and session hijacking – we’ve had to load something on top of HTTP (cookies) to provide state and user identification which may be spoofed, so we might not have any idea who the “real” user is. HTTP by design doesn’t support the level of user identification that would really help and I very much doubt that it ever will (based on the backlash against tracking cookies and per-machine IDs – client-side certificates would be a similar approach, although as with Intel, there are big privacy issues to overcome), but it sure would be helpful to identify users uniquely on the web.
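As an added illustration of points 1, 2 and 4 (example code written for this page, not the post’s own and not any ad network’s real logic): a small Python detector run over a constructed click log. It keeps per-IP serve/click stats, counts at most one click per cookie per ad before anything is billable, and then flags source IPs whose billable CTR, inter-click timing, missing Referer, or number of distinct cookies look like a bot rather than a person. The log lines, field names and thresholds are all assumptions; a real system would tune the thresholds against its own baseline and, as the post says, not publish them.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from typing import Dict, List

# Constructed sample log, not real traffic. One row per impression ("serve")
# or click; user_id is the tracking cookie, referer is empty when absent.
SAMPLE_LOG = """\
ts,event,ad_id,user_id,ip,referer
2009-06-30T10:00:00,serve,ad-42,u1,198.51.100.10,https://example.test/feed
2009-06-30T10:00:05,click,ad-42,u1,198.51.100.10,https://example.test/feed
2009-06-30T10:00:06,click,ad-42,u1,198.51.100.10,https://example.test/feed
2009-06-30T10:01:00,serve,ad-42,u2,198.51.100.11,https://example.test/feed
2009-06-30T10:01:00,serve,ad-43,u3,198.51.100.12,https://example.test/feed
2009-06-30T10:02:00,serve,ad-43,u4,198.51.100.13,https://example.test/feed
2009-06-30T10:02:00,serve,ad-42,u5,198.51.100.14,https://example.test/feed
2009-06-30T10:02:30,serve,ad-42,u6,198.51.100.15,https://example.test/feed
2009-06-30T10:05:00,serve,ad-43,b1,203.0.113.7,
2009-06-30T10:05:00,click,ad-43,b1,203.0.113.7,
2009-06-30T10:05:01,serve,ad-43,b2,203.0.113.7,
2009-06-30T10:05:01,click,ad-43,b2,203.0.113.7,
2009-06-30T10:05:02,serve,ad-43,b3,203.0.113.7,
2009-06-30T10:05:02,click,ad-43,b3,203.0.113.7,
2009-06-30T10:05:03,serve,ad-43,b4,203.0.113.7,
2009-06-30T10:05:03,click,ad-43,b4,203.0.113.7,
"""


def parse_log(text: str) -> List[dict]:
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def billable_clicks(events: List[dict]) -> List[dict]:
    """Point 2: count at most one click per (cookie, ad). Repeat clicks by
    the same user on the same ad are dropped before anything is billed."""
    seen, out = set(), []
    for e in events:
        if e["event"] == "click" and (e["user_id"], e["ad_id"]) not in seen:
            seen.add((e["user_id"], e["ad_id"]))
            out.append(e)
    return out


def per_ip_stats(events: List[dict]) -> Dict[str, dict]:
    """Point 1: the stats the system has to keep, bucketed by source IP."""
    billable_ids = {id(e) for e in billable_clicks(events)}
    stats = defaultdict(lambda: {"serves": 0, "billable_clicks": 0,
                                 "click_ts": [], "no_referer": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["users"].add(e["user_id"])
        if e["event"] == "serve":
            s["serves"] += 1
            continue
        s["click_ts"].append(e["ts"])          # raw clicks, for timing analysis
        s["no_referer"] += 0 if e["referer"] else 1
        if id(e) in billable_ids:
            s["billable_clicks"] += 1
    return dict(stats)


def flag_suspicious_ips(events: List[dict], min_clicks: int = 3,
                        max_ctr: float = 0.5, min_gap_s: float = 2.0) -> Dict[str, List[str]]:
    """Point 4: crude real-vs-bot signals per IP. Thresholds are assumptions."""
    flags: Dict[str, List[str]] = {}
    for ip, s in per_ip_stats(events).items():
        reasons = []
        ctr = s["billable_clicks"] / max(s["serves"], 1)
        if s["billable_clicks"] >= min_clicks and ctr >= max_ctr:
            reasons.append("high-ctr")         # CTR far above what people produce
        ts = sorted(s["click_ts"])
        if len(ts) >= min_clicks:
            gaps = sorted((b - a).total_seconds() for a, b in zip(ts, ts[1:]))
            if gaps[len(gaps) // 2] < min_gap_s:
                reasons.append("click-burst")  # median inter-click gap is machine speed
        if s["click_ts"] and s["no_referer"] == len(s["click_ts"]):
            reasons.append("no-referer")       # every click arrived without a Referer
        if len(s["users"]) >= min_clicks and len(s["users"]) == len(s["click_ts"]):
            reasons.append("many-cookies")     # one IP, a fresh cookie per click
        if reasons:
            flags[ip] = reasons
    return flags


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("billable clicks:", len(billable_clicks(evts)))
    print("flagged:", flag_suspicious_ips(evts))
```

On the sample, the human at 198.51.100.10 double-clicks one ad and is billed once with no flags; the four fresh cookies behind 203.0.113.7 trip every signal at once. Each signal alone is gameable (proxies fix the IP, a delay loop fixes the timing, a forged header fixes the Referer), which is exactly why the post argues that the rules have to stay secret and that clicks will never be a fully trustworthy unit to bill on.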
So, I think that click-fraud has many parallels with web security and has some really big shared interests. However, I don’t think advertising click-throughs are ever going to be that reliable and will always have this fraud arms-race going on. Really, advertisers aren’t interested in their ads being clicked, but in what people do after they have seen them, which is why Cost Per Action (CPA) is where things are heading. Sure, there’s going to be fraud attempted there as well, but the economics are a lot more solid when you’re paying for an end-to-end transaction with a user rather than paying them just to visit some webpage.
Posted in Musings