There’s a really good article up on some of the ballots that are being “questioned” by both Franken and Coleman’s campaign lawyers – A good number of the ones that are being “disputed” frankly are stupid.  I went through the list, made my own judgment, and thankfully came to the same decision of most of the people that answered the polls in that article.  Thank [deity] that there’s some common sense out there, and can some be given to the lawyers contesting these.  I appreciate that there’s a lot at stake, but arguing “intent” in a lot of these cases is just stupid.

Go to the page and play your own game of being an election judge.

Which brings up a question – does electronic voting help in this case?  I like one of the comments that followed that article

With paper ballots at least we know which people have problems understanding and completing the ballots

Exactly!  As least we know which people are (in some way or the other) too stupid to vote.  If you “spoil” a ballot, simply ask for another one.  I’m a little on the fence about this (and will probably get flamed for it), but I can appreciate the viewpoint that if you are too stupid/uninformed to vote (you can’t put a mark on the sheet, know or can find out where the polling place is, know what day you have to vote) you shouldn’t.  It in some ways takes away from the people that really do have some clue in what is going on in the world.

Anyway, for those that want to see this, and my reply email.  Read on…

—

From: [withheld]
Sent: Wednesday, October 15, 2008 12:18 PM
To: ME!
Subject: What does Obama prefer to read?

"The Post-American World". It is Muslim’s view on the fall and collapse of the United States as a Super Power. WAKE UP AMERICA !!! 

—

I just cant stand this type of ignorance.  READING IS NOT A CRIME!  There are plenty of topics I expect Mr Obama and Mr McCain do not know about, and I EXPECT them to seek out more information, be that from books or subject-matter experts.  If it’s possible to read/learn about "the other side" of a topic, is it not prudent to seek that out as well?

In any case, I just couldn’t hold myself back so sent out the following reply…

—

From: ME!
Sent: Wednesday, October 15, 2008 4:21 PM
To: [withheld]
Subject: RE: What does Obama prefer to read?

I have no idea who you are, or why you are sending me this email.  If you know anything about me, you know that I can’t vote in the US elections this year, so this is totally pointless.

However, I do have something to say, since you sent me this unsolicited.

Since when has reading a book, especially to get a viewpoint on another topic/situation/strategy/people, ever been a "bad" thing?  This is a problem that the current US administration has had since the beginning in that "they know best, and know everything".  I wish people will have some hubris and know that they don’t know everything (thus reading isn’t a bad thing), and there are people out there that are smarter than you (especially in certain areas).

I don’t know the book you’ve pointed out, but just a cursory glance in Amazon or Wikipedia tells me that the only the only evidence that it’s "a Muslim’s view of the collapse of the USA" is the name of the author (who BTW is "not a religious guy" – http://en.wikipedia.org/wiki/Fareed_Zakaria#Personal).

I’m not for or against any of this stupid propaganda BS on either side – if McCain was walking around with "The World is Flat" would you be saying the same thing, but replacing Muslim with "old white guy"?
Whatever your political affiliations are, by all means campaign on them.  But stupid stuff like this, *on either side* just shows why America is on the decline.

Cheers,
Mike.

—

That made me feel a little better.  To the guys credit he replied and said he mixed up the emails (his friend was the old owner of this domain – not sure I buy that as it was an old baseball camp) but I accept his apology, and him at least having a look and "have[ing] read and digested your reasoned response".

I really don’t mind people having differing views/politics/feeling/etc – that’s what makes us as a species so varied and interesting.  What gets at me is if we start picking on each other over stupid things, and trying to be more informed about the world is one such example.

It seems to me that some people here have trouble enough driving, but pretty much insist on having a phone clamped to their ear 24/7 – I even saw someone out on their horse the the other day paying no attention to anything other than whatever was on the other end of their phone.

Perhaps I’m being a little over sensitive here, but this is just typical of Californian’s “me-first” attitude (another sweeping generalization here, but I’m sure that all the people I’m throwing under the bus here know exactly the kind I’m talking about) – they just seem be totally ambivalent, and that’s being generous, about anything going on around them other than what they are doing.  Just like an opera singer warming up -  ♫ “me, me, me, me, meeeee” ♫ .

In any case, I’m really looking forward to seeing the cops line people up down the street giving them tickets because I’m sure this new law isn’t going to change a thing.  Some people are going to get a shock though as although it says first office is $20, and subsequent ones are $50, when admin fees, etc, are added on they come out to $76 and $190 respectively.  However, even that isn’t going to stop some of the people that simply put, have more money than sense, or just don’t care.

Please people, put the phone down for a little while (and that includes texting), or buy one of these for a little more than the cost of that first ticket.  In a strange way I’m sad that I’ll only see a few days of this and wont be able to hear the teens/push-chair-moms bitching about it in the mall.

</rant>

This is a really old article, written by a very well respected security professional back in 2005.  Although certainly some points are bang on the button, there’s good chunks of this that simply don’t stand up today.

#1 – Default Permit.  Yes, is certainly correct, although how many times have you actually seen people do this, especially today?  This might have been the case in 1999 (perhaps even 2005 when this article was written, but I doubt it), today however pretty much everything respects this ideal – especially firewalls that Marcus points out.  The thing missing I suppose is where these default permits are – taking firewalls as an example, ingress default permits are as dead as a dodo now, but egress permits are still wide open from my experience, so there’s a valid point there.

#2 – Enumerating Badness.  Ah, the old white-list vs black-list.  Whenever was this really a good idea?  I get the point about anti-virus companies "enumerating badness" with their virus/malware libraries, but this is a bad example.  I have to tread really carefully here, as in a round-about way I work for one of the big AV companies, but the "paying other people [monthly fee's] to enumerate all the malware your system could come in contact with" is more of a business model than anyone trying to be really secure.  If, for example, an AV company said "here, install this product once, no updates required, and it will just protect you", how do they justify the monthly subscription model?  This is actually pretty close to my heart as at FloridaTech, I actually designed this system, but that’s a sore-point in many aspects I’m trying to move past.

#3 – Penetrate and Patch. Once again, a good point, but misses that fact that software is complex and you are never going to get things 100% right.  Relying on penetrate and patch for your whole security, bad, having to use it when holes are inevitably found, good.  I just love the quote "Unless your system was supposed to be hackable then it shouldn’t be hackable" in the article – this sort of assumes the "enumerating badness" argument in that we’ll either design software that can’t be hacked (limit the functionality to things we know work correctly), or we’ll protect the system from "bad" things happening.  This assumes that we can tell "good" from "bad" (in contrast from #2, "bad" from "good"), which over time as research gets done we have to shift out knowledge.  In the article the example of network being designed not to be hacked is a reasonable one, but it just doesn’t, IMO, work as well in software.

#4 – Hacking is Cool.  Ah, my favorite point in the whole article.  This is the dumbest thing written here.  If you think "hacking" is learning a bunch of exploits, then you are seriously mistaken.  Hacking, in it’s traditional sense, in learning and understanding a system and then going about making it do things it was never designed to do.  Running metaspolit is not hacking.  Executing some "script" is not hacking.  If (as some of the commenter’s on Digg point out) if wasn’t for "hackers" trying things out on their own systems and telling everyone their findings then we’d have systems (like WEP, web forums, stack/buffer overflow "guards", etc) that we "thought" were secure, but really weren’t. You actually do want to "give the hackers stock options, buy the books they write about their exploits, take classes on "extreme hacking kung fu" and pay them tens of thousands of dollars to do "penetration tests" against your systems" because they have knowledge and insights that are rare, that are often not in your organization, and have different views that the people that built/maintain/operate the system.  Replacing "hacking is cool", with "engineering is cool" might very well be the way of the future (look up enrolment rates in computer science/engineering degrees to be very disheartened about this "future), but we need hackers to keep pushing the state-of-the-art and the boundary of good vs bad forward.

#5 – Educating Users. I’d sort of agree here – one of the things Michael Howard said ages ago was if we had totally secure systems, the attackers would simply go after the users.  This point however assumes we can solve all the issues with technology, which clearly we can’t.  Attachments is one issue that is a difficult balance between usability (and the ability for people to do the work they have to do, simply), and security.  If the balance is incorrect, it either pisses people off, or they work around it.  Phishing is another good example where technology just isn’t working (or at least not as well as people would like), but education seems to work.  I’d love to think that technology can solve any problem – I’m an engineer after all and sort of have that view built into me.  The reality is though that some problems are intractable, at least for now, and we still have to educate users.  Otherwise, why do we have driving licenses when we should just wait for the cars that drive themselves?  Which is a good link to the final point….

#6 – Action is Better Than Inaction. Network guy to CEO – "We’re under attack".  CEO to network guy "Hold on, let me think about it for a while".  I agree with the "don’t install the latest wizz-bang device/software", but evaluate, gather feedback, trial and slowly deploy argument, but the "do nothing" approach" is just myopic.  If it’s possible for you to wait, then by all means wait and do it "properly".  In the mean-time though, users are complaining that they can’t do xyz, like connect to the network via their laptops and show the boss something during the 2 minutes they might only have in the hallway.  Security guys often find it far to easy to say "no" and cite concerns than to say "yes" for the benefit of the users and figure out what the risk is and try to mitigate it as much as possible.

Based on these points, I’m actually surprised that "defense in depth" isn’t in the list for me also to tear apart.

I’d like to add that some years ago I’d probably have read this article from my academic ivory tower and agreed with all of it.  However, out there in the trenches, things are very different.  It would be great to have everything "perfect", and do thing "exactly the right way", but the world and business in general just isn’t like that.  It’s great to strive for total security like the pot of gold at the end of a rainbow.  However, as a great mentor said to me, while we are doing that we have to be "secure enough" to support the real work of the business.

This page apparently this has been “vulnerable” since Feb 2005 based on the revision history of the page (if the HTML comments are believed to be correct – another reason why you scrub them from production sites and there was some interesting info in there)!

The Dept of Corrections were notified of the issue, who then tried to fix it by doing a case-sensitive search/replace!

I really hope that the database connection string / DB user the webapp uses has “read only” permissions, but I very much doubt it.  Much more likely is that they are connecting with an admin login!  So, perhaps via a CSRF link even, someone could be added to the DB!

Sometimes I wonder about my job – how much “shelf time” there is in the webapp security field, where things are heading, how much work is out there for people like myself.  When I initially moved to Foundstone I figured that I might have a good few years before having to move to another field (nothing wrong with that) as everyone would have secure webapps as it’s not exactly rocket science after all (validation being 90% of the problem I believe).  Whenever my “faith” is tested however, stuff like this, and the misguided comments on the session expiration issue from a previous post always comes up – as a discipline we’ve got such a way to go. 

This may sound odd, but I would like to put myself out of work!  I want all the websites out there to be secure, that all the devs (and management) know about secure code so as not to make the obvious mistakes, and for the technologies/platforms to help protect developers (as well as the applications themselves) not “shoot themselves in the foot” and do “unsafe” things.  If that were to happen, there would literally be nothing for people like me to do other than the boring “3rd party validation/verification/compliance” testing.  How possible this is I have my doubts, but it’s a worthy goal to shoot for.

Guess there’ll be work for people like me for a long time to come!

Going through my local regional airport, sometimes the queues get long to go through security.  No big deal there – I always get to the airport with plenty of time just for these situations.  For some reason or the other, the TSA guy watching the x-ray machine monitor wanted a “bag check”.  I know this because he screamed it at the top of his voice, then stood back and did nothing… for a good few minutes.  All the while the queue I was standing in was stalled.  Obviously no one with “bag check” privileges was around, so we stood there for about 10 minutes, maybe more, while none of the TSA people did anything other than look at us.  Some of the other passengers got a little “ansy” because they had less time for their flights, and asked if the bag couldn’t be put aside so as to let the rest of the people go through.  Clearly this isn’t general operating procedure, so we stood there some more.

Once the person with “bag check” privileges did turn up (shouldn’t there be at least a few of these on duty all the time?), the TSA guy(s) were obviously was pissed off with some of the passengers complaining, so were pulling people for having “contraband”, “too much toothpaste” or other toiletries – I kid you not.

Anyway, you’ve read this far, and this isn’t unusual, so perhaps are now wondering why I’m writing this post.  Well, as they say in comedy, here’s the punchline.

After I’m through air-side, there’s something like 3 teams of teen-age cheerleaders, obviously flying home from their successful competitions.  Perhaps everyone wins something at these events, as each team had trophies of some kind or the other.  A few were small, but I saw at least two trophies which, once again I kid you not, were at least two feet tall.  Nice big large things – marble base, gold (plated obviously) column, big ball on the end with a cheerleader in pose mounted on top. (I would have taken a photo, but thought it would have been considered “pervy” to take a cellphone picture of a bunch of cheerleaders ).

So let me get this right.  3.4 ounces of toothpaste (and it’s the .4 that’s the worrying part let me remind you) and you get a “telling off” by the TSA.  Big trophy that could easily be used as a weapon – nope, that’s fine to take on as hand luggage.

Stupidity I tell you.

Ok, the term "Influential" could be slightly loaded (influential to who?), so this is how the list is introduced…

It’s never easy to come up with a definitive list of IT professionals with the most influence on the way we secure desktops, networks and mobile devices. And limiting the list to 15 hackers is a near-impossible task, but, in my mind, these are the folks who stand out today as stirring the imagination and forcing us to rethink our approach to security in an always-on world.

So, this is the list of 15 "hackers", with the most influence in the way we secure desktops, networks and mobile devices.  Sorry, but this list is a joke.  There’s a good few people on the list – some that I "know", some I "know of", and some I’ve never heard of in my life.  This last group worries me somewhat (am I missing an area I should be paying attention to?), but just as important, how about the people that have been left out of the list?  In no apparent (and incomplete) order, as well as going completely off-base/over the line/too controversial for most people, here’s what I think of the list

Michael Howard:  Well, pretty obvious choice there.  Lots of us rely on Microsoft’s software, and security-wise it’s been getting better and better.  Mike is one of the first to admit that it’s a team effort, but he’s clearly one of the most visible people from Microsoft and the SDL, so props to him for getting on the list.

Bronwen Matthews: Staying with Microsoft, Bronwen Matthews apparently "manages the vendor selection process for security researchers, penetration testers and expert instructors".  It’s an important job no doubt, and I’m sure that she is excellent at it, but I don’t get why it’s "influential".  Ok, Microsoft has some budget to spend on pen testing, and Ms Matthews holds the purse-strings to that account, but so do a lot of other people doing very similar jobs in other companies all around the world.  Why aren’t they on the list?

Tavis Ormandy:  Um, excuse me?  Who?  Are these supposed to be "influential people", or just people "working in security at big companies" list?  Sorry to pick on someone inparticular (I don’t know this guy, although I’m sure he’s a fine individual) but being first on the list I was expecting a little, um, "more"? Tavis has an impressive list of vulnerabilities he’s discovered, but IMHO, it’s not all that difficult to find buffer overflows in old(er) open-source code (just search for strcpy and trace the inputs back).  Good use of his employers 20% time though I suppose, although I’d much rather see him fixing more of the lots and lots and lots and lots of stupid security vulns in Google’s products.

The MOAB Hackers: These guys deserve props for showing their "month of apple bugs" in that the darlings from Cupertino aren’t all that hot when they have been saying that they have much better security than anyone else out there.  Viruses on an Apple machine – no, can’t happen, never, never, never.  If you are going to call out one of the "month of …", why not others like the "month of search engine bugs", "month of MySpace bugs", "month of PHP bugs" (scratch that – Stefan Esser is on the list – phew!), etc, etc.  Apple certainly have a lot of users, but I would argue that some of the one’s I’ve just listed, and others that I’ve not, are just as "influential" to a greater number of people.

Chris Paget: Smart, cool, and a nice guy.  However, listing Chris from IOActive and forgetting Dan, is just too much of an oversight if you ask me.

HD Moore:  Should certainly be in a list somewhere, but metasploit is getting old, and as far as I can tell, HD doesn’t actually do all that much to add to the tool any more (the iPhone additions were from some other guys, but I may very well be wrong – that’s just what I hear "out there").

John Pescatore:  From a company spend point of view, no question that he should be on the list as "influential" (for good or for bad).  "Hacker", probably not

Window Snyder: …

Dave Aitel: One of my "must meet" people.  I’ve used a lot of his tools, know his work, and think his book is pretty good.

All the others:  I’m sorry, who are you?  Why is what you are doing "influential" to me?  Obviously I don’t get something here, but why are people with "in prototype" hardware, someone with an electron microscope, and some guys I’ve never heard of (and I doubt you would either).

Ok, let’s look at who missed out on the list.  I’ve shortened this for brevity   There’s a small bias towards web security, as that’s my field, but as it’s by far the most dominant technology platform now, I’m quite happy about that.

RSnake (and Jeremiah Grossman): Ok, I link to these guys a lot, and would consider them friends as well, but seriously, why are they not on the list?  Between them, these guys have done more to move web security forward than ANYONE else out there – people on this list included. As more and more code (and vulnerabilities) are moving to the web, I think I’d consider that pretty influential.

Any of the OWASP guys perhaps?  Either the management steering team, project leaders, founders, or collaborators?

Bruce Schneier: Oh, come on!  The guy is the most read security blogger, and clearly is influential in the industry

Joanna Rutkowska:  Perhaps not "influential", but her work certainly has got people talking the the virtualization field.  As virtualization takes off, and malware gets more advanced, this is someone that’s certainly worth listening to.

I’m sure there’s others that I’m missing (that I haven’t linked to above), but this is a first stab to get something out and rant on my displeasure of this list.  I have no idea who Ryan Naraine is, but I very much doubt that he follows the security industry all that closely.  Certainly, the "Mike isn’t happy because he (or someone he favors) isn’t on the list" argument could be thrown back at me here, but "fame" (for want of a better word) is not why I’m writing this post, blogging, or doing any "community activity" – I don’t want any recognition, you just do it because you want to "give back" in some way, just like donating to charity.  It’s nice when people say "thanks", but that’s about it.

Coming up with any kind of "Top XX" list is incredibly hard, and some people are obviously not going to agree on everything, but some of the list I feel in this instance is widely off the mark.