(ab)using Excel?

Date October 24, 2008

Ok, this is running rampant around the net, but I’m going to post it here because not only is it pretty cool, but also I’m a big fan of AC/DC.

http://www.acdcrocks.com/excel/

I could say all sorts of things here about security, software, how it works (the authors are nice enough not to protect the macros so by all means take a look), Easter eggs, etc, but I’m not going to – this is just worth enjoying as it is.

BlueHat review

Date October 19, 2008

Microsoft’s internal security conference BlueHat finished on Friday.  I posted earlier that I would do a write up about it, so I’ll briefly discuss the presentations I went to, and some of the other comings-and-goings of the conference.  I’m told that some of the presentations will be up on TechNet later, so look out for those and I’ll try and come back to this post and edit them in when they are available.

Tuesday
Although the conference didn’t truly start until Thursday, there was a speakers’ dinner held on Tuesday night.  It was a small gathering at a restaurant in Seattle and allowed us to mingle with the other presenters and people from Microsoft that put the conference together.  I got to meet a few people for the very first time that I was really looking forward to talking to.  Ashley Allen and Bryan Sullivan were the first to welcome me after Jeremiah Grossman and I talked him into letting us do a panel (in reality, Bryan thought it was a great idea) and Ashley organized everything for us (which for once was really easy for me as I didn’t have to travel or get a hotel to go to a con – score!).  Spent a lot of the first part of the evening talking to Adam Shostack about the state of the internet, current development practices, and how MSFT is addressing them (and can help other devs/orgs in the future).  Also had a great discussion with Dave Weinstein about vulnerability vs exploitation (does it really matter if things aren’t getting exploited?  If a tree falls in the forest and there’s no-one around, does it make a sound?  How much are we getting exploited?)  Dave has some great stats on the exploitation of World of Warcraft and how criminals are profiting from it quite easily (it’s as close as you can get to a victimless and low-risk crime).  Talked to the internet security celebrity of the year, Dan Kaminsky, for some time and it turned out that not only did we get on really well (he has very much the same personality as I do), but we discovered there are lots of tenuous links between us – people we know, places we’ve been, etc.  Starting to see this "6 degrees of separation" thing more and more – it’s even less in a small community like computer security.

Wrapped up the evening hopping between a number of different conversations – please don’t feel left out if I don’t mention you here – I talked to a *lot* of people over the course of this week, and I’m only going to have space to write about a small subset of even the few I can still remember :)

Wednesday
Despite booking most of the week off from work so I could go to some meetings and meet/network with more people, guess what – still had work to do for Foundstone.  Ah, the joys of billable hours and last-minute scheduling difficulties :)  In any case, another party in Seattle.  Spent time with Danny Dhillon and the CSS guys - David Lindsay, Gareth Heyes and Eduardo Vela Nava as well as Alex K -  on what seems to be the theme for me this week - "why the hell does it allow that".  From triple encoding an attack (for filter bypass) and the browser triple decoding, then executing the result!, invisible iframes, a:link CSS being allowed to have ‘expression(…)’ and calling out to a remote site, etc, etc.  I couldn’t think of a single legitimate use for any of these things (these guys couldn’t either), and therefore the only usage is a malicious or unnecessary one.  Finished off the night in a small loft where some of the guys at the party had invited us back, listening to Frank Heidt explain the intricacies of the financial market, reselling non-existent "things", and how it was plainly obvious that this was all going to come crashing down, it was just a matter of when.  Smart guy, Frank, and looking forward to hanging out with him more.

Thursday
First day of the conference proper. Iftach "Ian" Amit’s talk on modern crimeware was interesting, but being related to that field (listening to the McAfee guys) nothing that I didn’t already know. 

Roelof Temmingh’s talk was about how much information you could glean from public sources, often just starting with an IP address / network footprinting.  Once again, I had some idea, but Roelof’s tool really did open my eyes.  There’s a stunning amount of info out there, and with a good tool and visualization techniques, it’s possible to pull a lot of things together.  This is certainly a demo to watch.

Dan’s talk (the DNS flaw) I had seen before, but I always find it entertaining to watch him.

The CSS guys seemed to have a hard time presenting – not because they weren’t good, but this was the first time that they had ever physically been in the same place!  The joys of the internet meant that they were able to research together for quite some time, but didn’t have the opportunity to rehearse or get everything together quite as smoothly as they might have liked (multi-presenter talks are hard).  In any case, they had some cool things to show, but I couldn’t help thinking "why do browsers support this" – it’s clearly a malicious use of the spec, and I can’t see why some of the things are in there anyway.  Certainly drew awareness to the fact that turning JavaScript off isn’t the end of it as a means of protection, and that CSS has to also be restricted in some way.

The last two talks – Richard Johnson and Ian Hellen – talked about visualization and code characteristics to find defects.  I only partially caught these two talks from the remote display in the speakers green-room as I caught up with old-time friends Jeremy Dallman and Dave Ladd.

Throughout the day I was with Alex Smolen, friend and fellow Foundstone consultant, so we went out for some dinner, talked about various work stuff, and then headed out to the last MSFT BlueHat community dinner/party.  At this event I spent quite some time with Frank from Leviathan and some of his team/colleagues/friends, and also got to spend some time with one of my "security heroes", RainForestPuppy.  This was a really nice meeting as RFP was one of the first guys on the webapp security trail and got me thinking differently – certainly helped me take the first few steps in my security interests.  RFP was far nicer (and younger) than I imagined he would be.  Ending the night I managed to get a few words with Andrew Cushman and Jon Pincus, mostly about "normal" life, blogging and the election – a nice (and welcome) change of topic.

Friday
Day 2 was focused towards the "building" rather than the day one "breaking" theme – Mark Curphey would have been proud :)

Danny and Adam started off the talks with quick discussions of how EMC and MSFT do threat modeling.  It certainly looked like there were lots of obvious similarities between their two approaches.  Adam highlighted the differences, and why EMC or MSFT chose to go down those routes because of different lines of business or process/security/developer maturity.  Adam also showed the next version of MSFT’s threat modeling tool (which we were talking about at the first party), which is very cool and should make a big impact in the ease of threat modeling.  I would still like to see a "wizard based" approach which non-security aware developers could use if only to get started, but as Adam suggested it would be a bit "boring" and "heavy-weight" to see that many questions, and just didn’t interest him in going down that path.  Instead, users draw out the system and the tool suggests threats and things that haven’t been put into the drawing.  After seeing this demoed, I think it’s a much better approach.  The tool is internal for now but should be released free to the public in ‘09.

Matt Miller’s talk focused a lot on how technologies like GS, DEP, ASLR, etc helped mitigate against exploitation, even if a vulnerability was discovered – layered defenses are certainly a must-have.  This was another talk I only caught some of remotely in the speakers room or in the corridors while catching up with people.

Scott Stender and Alex Videgar from iSec Partners talked about concurrency attacks in web apps [PDF].  At first I wasn’t too interested in this – it’s really hard to do any kind of deterministic testing on a webapp, so attacking concurrency (where timing is everything) is simply a difficult place to go.  These guys showed how most web frameworks are not thread safe, and multiple users hitting a server can cause the traditional "lost update" race hazards.  Lots of perf graphs showing the performance hit of locking, transactions, etc (and thus the potential of DoS if "done correctly, but with a performance hit") got the point across.  Takeaway – most web frameworks are not thread safe (and don’t warn you about that fact) and it’s something not many people think of.  Also, because of database settings and transactions, doing this may not actually save you!
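The "lost update" hazard described above is easy to reproduce on a laptop. The following is an added example, not code from the talk, its slides or this post; it assumes a throwaway SQLite file holding a constructed single-row accounts table, and uses a barrier so that every request reads the balance before any of them writes (the interleaving a busy server hits only occasionally). It puts the usual two-statement read-check-write pattern beside a single conditional UPDATE that makes the balance check part of the write, and reports both the final balance and how many requests believed they succeeded.

```python
import os
import sqlite3
import tempfile
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed sample data: one account holding 100 units, kept in a temporary SQLite file.
START_BALANCE = 100
ACCOUNT_ID = 1


def make_db() -> str:
    """Create a temporary SQLite database containing the single sample account."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    con.execute("INSERT INTO accounts (id, balance) VALUES (?, ?)", (ACCOUNT_ID, START_BALANCE))
    con.commit()
    con.close()
    return path


def withdraw_naive(path: str, amount: int, barrier: threading.Barrier) -> bool:
    """Lost-update pattern: SELECT the balance, check it in application code, then
    UPDATE with a value computed from that (by now stale) read. Because the check and
    the write are separate statements, concurrent requests can all pass the check."""
    con = sqlite3.connect(path, timeout=5)
    try:
        # fetchall() exhausts the cursor, so the read is fully finished before we wait.
        (balance,) = con.execute(
            "SELECT balance FROM accounts WHERE id = ?", (ACCOUNT_ID,)
        ).fetchall()[0]
        barrier.wait(timeout=10)  # stands in for "other requests arrived in the meantime"
        if balance < amount:
            return False
        con.execute(
            "UPDATE accounts SET balance = ? WHERE id = ?", (balance - amount, ACCOUNT_ID)
        )
        con.commit()
        return True
    finally:
        con.close()


def withdraw_atomic(path: str, amount: int, barrier: threading.Barrier) -> bool:
    """Hardened form: the precondition lives inside the UPDATE, so the check and the
    decrement happen together under the database's write lock. rowcount tells the
    caller whether the conditional write actually applied."""
    con = sqlite3.connect(path, timeout=5)
    try:
        barrier.wait(timeout=10)
        cur = con.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, ACCOUNT_ID, amount),
        )
        con.commit()
        return cur.rowcount == 1
    finally:
        con.close()


def run_concurrent(worker, n_requests: int = 10, amount: int = 20):
    """Fire n_requests concurrent withdrawals at a fresh database and return
    (final_balance, number_of_requests_that_reported_success)."""
    path = make_db()
    barrier = threading.Barrier(n_requests)
    try:
        with ThreadPoolExecutor(max_workers=n_requests) as pool:
            results = list(pool.map(lambda _: worker(path, amount, barrier), range(n_requests)))
        con = sqlite3.connect(path)
        (final,) = con.execute(
            "SELECT balance FROM accounts WHERE id = ?", (ACCOUNT_ID,)
        ).fetchall()[0]
        con.close()
        return final, sum(results)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Ten requests for 20 units each against a balance of 100: only five can legitimately succeed.
    print("naive :", run_concurrent(withdraw_naive))   # (80, 10): all ten "succeed", nine updates lost
    print("atomic:", run_concurrent(withdraw_atomic))  # (0, 5): five succeed, five are rejected
```

Note that wrapping the naive SELECT/UPDATE pair in a transaction does not by itself change the outcome under the default isolation level of most databases, which is the point the talk made about transactions not saving you: the stale value still gets written. The fix has to make the check and the write one operation, as the conditional UPDATE does (a locked read or a version column checked in the WHERE clause are the other common forms).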

A bunch of guys from MSFT talked about fuzzing.  I didn’t learn a whole amount technically here, but was interesting to see how MSFT does fuzzing, and some of the stats – there’s some "break even" points or "guidance" on the number of iterations vs bugs left to find, but it seems that there’s no top limit.  Some tools are better than others (no surprise there), but there’s no one great tool (although SAGE seemed to be the best and won the "fuzzing olympics" - medals were handed out :)).  Random fuzzing is better than "intelligent" fuzzing (where the tool knows the file/protocol structure), which is certainly unintuitive, but something I learnt quite some time ago.

Vinnie Liu talked about the trade-offs in tools (and humans) during a code review/pen test.  Once again, nothing new for me – I’ve learnt and preached all these lessons, but it was a fun and engaging talk.  I’ve asked Vinnie for a copy of his slides because there were some great classic humor slides in there – I’ll post (and comment) on them if he does send them to me.

Finally, and closing the conference, was the WAF vs. SDL Shootout panel.  Myself, Nate McFetters, Gareth Heyes and Kevin Overcash (poor guy – he was to "defend" WAFs, but ended up being just as critical as all of us!) fielded questions from Bryan Sullivan and the audience.  The main questions were…

  • Earlier this year, over one million sites fell victim to an automated SQL injection attack. The vast majority of affected pages were classic ASP pages. While we don’t have statistics, it can be assumed that many if not most of these pages were no longer being actively developed. If you were called in as a consultant by one of these sites to fix the problem, what do you do? Do you recommend a WAF or a change to the code? Or both? Would your answer to this question change if the site in question was still being actively developed?
  • Five years ago, black-box scanning was the “magic pill” that would solve security problems. Then source analysis became more popular. Pentesting has always been important. While none of these approaches are perfect, they each have definite benefits, and more to the point: each of these activities is now part of the SDL (at least the Microsoft SDL). Should we end the feud between the SDL camp and the WAF camp by mandating WAF usage in the SDL?
  • Imagine that someone invents a perfect WAF. It blocks all known attacks with a 0% false negative and 0% false positive rate. Do we now abandon previously mandated secure coding practices like validating input? If not, how do you justify spending developer time on this activity? How would you justify spending tester and pentester time on security testing?

The discussion went all over the place, and I can’t remember all of the answers or points that each of us raised (although I did pull out the "silver bullet and Jack and the Beanstalk" allegory at one point).  I hope there’s some audio somewhere as there were some good, well-reasoned arguments.  If I can find some time and anyone is interested (i.e. the audio doesn’t go up), I’ll see if I can come back and fill this in a bit more.

There was one final party hosted by IOActive, but by then I was far too knackered for another night on the town (and I’m told that the IOA parties can get a bit out of hand!) so headed home and crashed out – nice to (finally) get to bed in the same 24hrs in which you woke up, but there’s still the mountain of emails and RSS items I had to dig out of over the weekend.

Thanks to all the people that I met and had great discussions with.  Also a big thanks to Bryan for the invitation and Ashley for organizing everything for the speakers.  I had a fantastic time, and confirmed one of the reasons that I moved up to Seattle – meeting interesting people and being engaged in the community again – really was worth it.  I look forward to seeing all these people again, and if anyone is in the area, visiting, or has time to chat, and wants to hook up, by all means get in contact.

Political Rant

Date October 19, 2008

I desperately try to keep both politics and religion off this blog – it’s a personal thing that I don’t mind chatting about with people that ask, but as this is public, no-one coming here really wants to read about my personal views on these subjects.  However, when the following email landed in my non-spam (i.e. not very public) email box, I just had to comment.  It is not for or against any side – if the opposing person was used in this way I would have exactly the same response.

Anyway, for those that want to see this, and my reply email.  Read on…

From: [withheld]
Sent: Wednesday, October 15, 2008 12:18 PM
To: ME!
Subject: What does Obama prefer to read?

"The Post-American World". It is Muslim’s view on the fall and collapse of the United States as a Super Power. WAKE UP AMERICA !!! 


I just can’t stand this type of ignorance.  READING IS NOT A CRIME!  There are plenty of topics I expect Mr Obama and Mr McCain do not know about, and I EXPECT them to seek out more information, be that from books or subject-matter experts.  If it’s possible to read/learn about "the other side" of a topic, is it not prudent to seek that out as well?

In any case, I just couldn’t hold myself back so sent out the following reply…

From: ME!
Sent: Wednesday, October 15, 2008 4:21 PM
To: [withheld]
Subject: RE: What does Obama prefer to read?

I have no idea who you are, or why you are sending me this email.  If you know anything about me, you know that I can’t vote in the US elections this year, so this is totally pointless.

However, I do have something to say, since you sent me this unsolicited.

Since when has reading a book, especially to get a viewpoint on another topic/situation/strategy/people, ever been a "bad" thing?  This is a problem that the current US administration has had since the beginning in that "they know best, and know everything".  I wish people would have some hubris and know that they don’t know everything (thus reading isn’t a bad thing), and that there are people out there that are smarter than you (especially in certain areas).

I don’t know the book you’ve pointed out, but just a cursory glance in Amazon or Wikipedia tells me that the only evidence that it’s "a Muslim’s view of the collapse of the USA" is the name of the author (who BTW is "not a religious guy" - http://en.wikipedia.org/wiki/Fareed_Zakaria#Personal).

I’m not for or against any of this stupid propaganda BS on either side - if McCain was walking around with "The World is Flat" would you be saying the same thing, but replacing Muslim with "old white guy"?
Whatever your political affiliations are, by all means campaign on them.  But stupid stuff like this, *on either side* just shows why America is on the decline.

Cheers,
Mike.

That made me feel a little better.  To the guy’s credit he replied and said he mixed up the emails (his friend was the old owner of this domain – not sure I buy that as it was an old baseball camp) but I accept his apology, and him at least having a look and "have[ing] read and digested your reasoned response".

I really don’t mind people having differing views/politics/feeling/etc – that’s what makes us as a species so varied and interesting.  What gets at me is if we start picking on each other over stupid things, and trying to be more informed about the world is one such example.

It’s BlueHat week

Date October 13, 2008

This week Microsoft are holding their semi-annual internal security conference which they call BlueHat.  It’s invite only for external people, and space for internal people runs out very quickly, so all-in-all it’s a good event – lots of people to talk to, and great presenters talking about current topics from both inside and outside MSFT.

Around BlackHat time I was talking to Jeremiah Grossman about the whole WAF issue and we thought it would be a good topic to present somewhere – the pros and cons of WAFs vs traditional software development (or the “penetrate and patch” approach to security if you want to be mean!).  There was a lot of FUD (and some nasty posts) spilling around, and the idea was to have a face off between different stake-holders or opinions. I wasn’t sure where the best place to put such a talk would be (I had some ideas) but JG wanted to submit it to BlueHat.

So, I’m pleased to say that I’m going to be talking on the last slot of the con - Panel Discussion – WAF vs. SDL Shootout.  Jeremiah unfortunately can’t make it (he’ll be laying on a beach in Maui – slacker), but I’m sure we’ll have a really good panel.  I’ll write more about it, and the other talks I’ll be going to, in later posts.

I’m really excited about going.  There’s tons of people that I want to meet, and now that I live in Seattle myself I’m wanting to “plug in” to the security community that is up here more.  If anyone that is attending BlueHat reads this post and wants to chat, then by all means send me an email or just grab me at the con.  For anyone else that is in the Seattle area but won’t be at BlueHat, I’m hoping to get out and meet more people, so please don’t think you are out of the loop – ping me (see the contact page, or use my work email which shouldn’t be too hard to work out) and we’ll certainly hook up – I’ve tried (unsuccessfully I might add) to drop as many work-related activities for this week as I can just so I can do more people-networking.

Is the world about to end?

Date October 12, 2008

In the film War Games, Joshua/WOPR asks "would you like to play a game"?  David (Matthew Broderick) of course wants to play "Global Thermonuclear War" (and I’m sure you would too – chess or tic-tac-toe is just so boring – we want those cool graphics!).  Because of this choice the world (in the film at least) is pushed to the brink of annihilation.  Today the game seems to be that of 20 questions wrapped up in the guise of "Responsible Disclosure" and a lot of people (the press mostly) are making it seem that each "bug" that is discovered by the top-named security researchers is going to mean the end of the internet.

Just before BlackHat we had the whole "DNS is broken" fiasco.  Not knocking Dan for his research and discovery of the problem – sure, as many people say, the underlying flaw was at least identified a long time ago – but what he did was make the underlying vulnerability into a workable exploit, and kudos for that.

Next up we have the TCP flaw which, if we are led to believe, can bring the internet to its knees with the use of just a simple tool.  Once again there’s speculation that this isn’t a new issue, but something quite old brought new again.

Recently we have "clickjacking" which, once again, the industry press are pushing out to be the next major threat.  I’m a little closer to this field than the others (networking not really being my "thing"), so when Jeremiah and Robert’s talk at OWASP was pulled (thus raising the interest level) I had a look and immediately understood what they were going on about.  Again, it’s not brand-new – there’s been talk about iframe injection and click stealing in the past – but these guys have improved the exploitability of the flaw and are raising awareness.

I’m not out to knock any of these guys doing this work. I think it’s great that they are researching into security issues (and yes, I am a little jealous that they get the time to look into these things) and even happier that they are getting the message out.  At the very least in the case of clickjacking RSnake had been very clear about the previous work and the impact (they didn’t pull their talk BTW – they were asked to), and Dan had to walk a very fine (and high) tightrope in order to get more people to patch, but there’s very little "sexiness" for journalists (or blog authors for that matter) in writing anything level-headed.  When these news articles go out CISOs come round, article in hand, asking what they can do and getting back blank looks – no-one knows what the issues are, the drawbacks/side-effects/risks of patching vs not patching, or where to go for more information/advice.  This just leaves both sides frustrated.

There’s lots of smarter people than me adding their $0.02 worth (including the researchers themselves), but "responsible disclosure", especially when it’s associated with someone revealing details about the issue at a conference, is turning out to be more like "partial disclosure" as other smart people play their own 20 questions game and in turn figure out at the very least a rough approximation of the issue.  It is right to do the whole responsible disclosure thing and work with vendors to get things fixed before it’s common knowledge, but saying "I know something you don’t know" just makes other people want to know that information too, and our industry is full of bright people that given the motivation (which may very well be showing the rest of the world how bright they are, or stealing the limelight, not to mention the black-hats out there) are plenty capable of working it all out.

I guess what I’m asking for is if you do find a vulnerability, by all means work with a vendor to get it fixed, but (and I know this can be very difficult with the fame and fortune just around the corner) using it as a "PR" event for you/your company or scheduling the big reveal with a major conference all the while holding the details back I feel is a recipe for disaster partial disclosure.  If too many people go down this route, and it appears that it’s becoming more and more common, it’s going to end up like the boy who cried wolf – when there is a major vulnerability everyone is going to be so de-sensitized they just aren’t going to care.

Ch

Date October 12, 2008

After lots of speculation, Google has been working on a browser (for a number of years).  All very cool and slickly done, from the comic-book user-guide to the "look" of the browser to the long piece in Wired all coinciding with the release.

Usually, I like competition, especially in the technology marketplace – the more people offering products/technology, (generally) the better those things have to be to survive and gain users – modern day Darwinism.  However, in this case I’m quite opposed to another browser out there for various reasons.

I didn’t know this proverb until Jeremiah shared it, but it makes sense…

"There is a proverb that illustrates the way to quickly determine whether or not someone is sane. The individual is shown a river flowing into a pond. He is given a bucket and asked to drain the pond. If he walks to the stream to dam the inflow into the pond he will be considered sane. If, instead, he decides to empty the pond with his bucket without first stopping the in-flow then he would be considered insane."

If I can use the analogy, what we have here in Google Chrome is adding more water into the pond we are trying to drain.  The water, if you want to follow the analogy, are the vulnerabilities in web browsers, badly written or just plain malicious websites that users are trying to protect themselves from (often via plug-ins), and the usual issues with web development we all have when trying to get a site to "just work" simply with all the current versions of browsers that are already out there.  With Internet Explorer and Firefox slugging it out, Safari and Opera distant runners up, we were sort of, slowly, gaining ground on addressing the issues.  Between IE and FF, lots of good security work was being done making these browsers more resilient and we were getting a good handle on the overall problem.  An additional browser, with what one expects to be a growing market share just because "it’s Google", puts a hole in the dam and water is filling up the pond again.

I understand the monopoly argument, and buy into why it’s not always such a good thing, but there are exceptions.  Office/Word is one exception – the ubiquity of Microsoft Word, either the product itself, or that many other bits of software can read its file format, is good – I can send a document to someone and know with a very high probability that they can do something with it.  With two (plus change) browsers out there, we know what "issues" each have and ways to mitigate/work around them.  Granted, Chrome is based on a common and open-source rendering engine (same one used in Safari), but it’s another platform that a site or security issues need to be tested on.

So that’s one point.  The other point is that it seems that all the mistakes that other browser vendors have been through haven’t been learnt in the development of Chrome.  In the first few weeks, numerous vulnerabilities were reported (which should be listed here, but I don’t see a "security" tag, so this list will have to suffice), many of which have been previous issues with IE/FF.  I think this is common with Google, as IMHO they still have a "start up" mindset instead of one of a mature software company where the quality of what they put out really matters.  Thankfully, I’m not the first to say this – David LeBlanc says pretty much the same, RSnake takes it further.  Rushing to market is one thing, but it’s totally different when you make more work for people (and potentially the web a more dangerous place to those not expecting it).

The flip side is that it’s "beta software", and releasing it now exposes it to the world so we can tear into it, finding the bugs/issues/vulnerabilities, and the software gets better.  That’s good – it’s a common way of releasing software.  However, track records need to speak for themselves where almost half of all Google products are (still) in beta.  Until something becomes a full product (and often even-numbered versions – apparently it works for films as well) they shouldn’t be considered "fit for everyday use".

The main reason for these problems though is I feel an underlying reason that many people forget about Google – they aren’t a software company, but an advertising company – pretty much all of the money they make is via pushing out ads, which has very little relevance to the quality of their software.  That’s not to say that the guys writing and testing the software there really don’t care – I know that they do after being invited up to do a talk – but it has very little relevance to the bottom line.  Just ask Microsoft on how even the perception of a buggy/bloated bit of software can affect them – it slows down sales and adoption.  Microsoft’s money is made off software (and predominantly just a few titles) so they have to be good at that.  I can’t help feeling that in Google’s case their software is a side distraction – a stepping stone to another goal.  As long as people are still hitting their search engine and embedding ads with adsense, I fear the worst kind of "good enough" software development, as evidenced to some degree by the continued "beta" status.

I really try to like Google, and have even toyed with joining them a few times - the people there are really smart, some of the most friendly guys in the industry, and they have huge reach with interesting problems to address.  I also think that the web is the operating platform of the future, and therefore all the software/technology they are developing is the way to go.  With Chrome they have architected security principles into the system which I’m sure will pay off later, and it’s clearly a technology base for future things.   When it comes down to it though their objective is gathering information from as many different places as they can and using it for their main business purpose – pushing ads.  Finding things in the EULA (even if by mistake), and a potential prospect to use the browser to access even more of the web (although the toolbar does much the same job), doesn’t make me feel all that comfortable and instead has me reaching for my tin-foil hat.

Perhaps I’m being way too harsh here (Matt Cutts gives his take here), but I feel that this is a step backwards for web security (in the short-term at least) more than anything else.

Restart…

Date October 12, 2008

Well, it’s been over a month since I last posted here.  I could give various reasons, from work, other side projects, even having family out to visit for most of the month, but it’s really been down to me not finding the time or inclination to post.  There have been various things that I wanted to comment on, and will do in the next few posts, but what is good about waiting is that new info/posts are now up that really are worthwhile pointing to, and having the time to mull over and reset some thoughts has been worthwhile.

I have a number of meetings/conferences to go to this month which I will be posting about before and after so by all means drop me an email if you are going to be at any one of those events, or in the area.

So, without further ado, I’m going to get back online.

Welcome to the USA

Date September 7, 2008

Strange how a photo jogs your memory to do something.  Tara took this pic as we headed back from Vancouver over the weekend and it reminded me that I said I would write up our green-card process once we were all complete.  It’s been a frustrating ride, and one I wanted to share with people going through the same process.  In any case, here it is in all its gory details.  It’s going to be a long post, so if you aren’t interested in US immigration law, and how screwed up it can be, by all means skip this post!

In 2005 when I joined Foundstone, one of the conditions that I set was that they would sponsor me for my GC, there wouldn’t be the usual 6-12 months “probationary” waiting period, and that there would be no “lock-in” period after I had finally got said green-card.  So, pretty much as soon as I started, Mark sent emails off to McAfee’s HR and signed some forms for me to kick the process off.

At the start, things went quite smoothly.  One of the first things that has to happen is you have to get your labor certificate, to show that there are no qualified US workers able/willing to do the job you are applying for.  Well, in my case there’s a good few people who would like my job, but a) few that actually can do it, and b) if they are out there, we’ll hire them anyway.  What is required though is to advertise the job, and for your employer to document that they are at least paying you the prevailing wage.

A quick aside here - working out an equitable salary is part-and-parcel of negotiating a new job and GlassDoor.com is one site that a few people seem to like.  I however like FLCDatacenter.com because it lists actual salaries rather than ranges, including position and hire date.  Several employers don’t like this, but it has to be published (the labor cert and the “prevailing wage”) and is public data.  It only holds data for people applying for labor certs (H1B’s, green-cards, etc), and is anonymous, but in a small company it can be pretty easy to match people up based on their hire date, and for larger companies that have well-defined “levels”, it will give hard data on what is actually being paid for that job.  As I said, several employers and HR departments don’t like this, but knowledge is power I say :)

Anyway, back to the main topic.  I was lucky enough to get in on the new PERM process, which is much more streamlined than the old labor certification process.  It would have been quicker of course, if it wasn’t for McAfee screwing it up.

Part of the process is advertising the job so that US workers can apply for the “no qualified US workers able/willing to do the job” part.  It has to be advertised in various ways (see here for more details), for at least 60 days (which was done), and then if no applicants were found the process can continue.  However, someone forgot to advertise my position in our office (not that it would really matter), but that had to be re-done.  By the time that McAfee HR had realized this, and re-did it, 4 months had been wasted.

In any case, all the documents finally went in, and in September 2006 (while on vacation in Hawaii funny enough), I got a call from the immigration attorney saying that the labor certification was successful and we can move onto the next step.

What happens next is that based off the labor certification (there’s no US worker that wants/can do my job) a petition for immigration is made (known as the I-140 from its form number).  This sets out what “category” you will be processed in based on your skills/education.  I’m fortunate to have a PhD which placed me in the EB2 category (Professionals Holding Advanced Degrees), which is the 2nd highest category and at the time of my application didn’t have a backlog (current status is listed here).  I’m also fortunate to not come from China, India, Mexico or the Philippines, as each of those areas often has a wait until the Adjustment Of Status (AOS) can be filed (the date is the applications they are currently working on).  If it says “C” in your category, for your nationality, both the immigrant petition and the AOS (I-485) can be put in together.

This meant that we had to work quickly to get all the documentation together for our application, and there’s a lot of it to gather; here’s just some of it to give an idea…

  • All previous residences
  • Employment for the last 5 years
  • Original/full-copies of birth certificates
  • Proof of marriage/divorce
  • All entries/exits from/to the USA
  • All previous notices and immigration documents
  • Completed medical exams (immunization records help if you can get them)
  • Application photos

The other thing I really like in filling this info out is the “Part 3” section of the adjustment of status form.  Go and have a look, just to see what you have to answer - I would love to meet the person that checks “yes” to any of those boxes :)

Well, the fun one for us was the medical exams.

Part of the medical exam is to be tested and be clear of tuberculosis (TB), but as Tara and I are from the UK we’ve both been immunized with the BCG vaccine.  One of the things a lot of doctors that perform the green-card medicals know is that they can’t do the skin test form of the TB indicator because it shows a false-positive (via the vaccine), and often they skip directly to the chest x-ray which should definitively show if someone is carrying TB or not.  That’s what our doctor did (skipped the skin test and did the chest x-ray, showing us both clear), and gave us our results in the usual sealed envelope.

Off goes our entire life history, first to our immigration attorney, and then off to USCIS.  A good few months pass (6-7 I think), and I get an email status update from USCIS (sign up for these BTW) that they are sending us a letter.  We think it’s good news, but when it arrives it’s a Request For Evidence (RFE) - turns out that the USCIS wants the skin test results anyway for some reason!  Even though if the person looks just 2 inches to the right, the x-ray results are there and it says “clear”.  Our doctor isn’t very happy (keeps muttering “unnecessary procedure”) and actually phones up to complain.  We get the medicals re-done and send them back off.

After 5 months (in the meantime the I-140 has been approved - yay!), I get another email saying a decision has been made on our case (the emails, or website for that matter, don’t have any other info, which from a security aspect is fair enough).  Finally we think it’s all over, but the attorney emails us saying that the USCIS has denied our application - the letter is a notice of denial :0

Turns out that the letter says the Request For Evidence wasn’t fulfilled within the 90 days allowed - USCIS didn’t get our updated medical tests with the TB skin test results.  This can’t be right, as our attorney has a FedEx receipt of someone at the Texas Service Center (where our case should be) signing for it well before the deadline.  There’s no appeal against this decision, so a “motion to reopen” has to be submitted, and within 20 days.  A mad rush by us, and the attorneys to get all the documentation together ($385 just to file the form, plus attorney fees - thank heavens that McAfee are paying for all of this), and we get it all in, and confirmed receipt.

It now goes very quiet.  USCIS won’t give us any updates on what is going on, and our attorney can’t find anything out through her channels either (even going via the liaison committee).  3 months go by, and we hear that they are sending out another Request For Evidence - it’s a request for medicals again (it would appear that they don’t have them!  It’s suspected they are lost somewhere and haven’t been reconnected with our files).  A month later I get the following emails in quick succession:

  • Case reopened or reconsidered based on USCIS determination, and the case is now pending
  • [+2 days] Card production ordered
  • [+1 day] Notice mailed welcoming the new permanent resident

Finally it looks like I’m approved :D  Tara’s case however is still sitting at the “Case reopened or reconsidered based on USCIS determination, and the case is now pending” status.  Our attorney has some luck and gets a call from a USCIS officer about another case and is able to ask about what is happening with ours.  Usually it seems that USCIS people don’t know (or don’t want to know) about cases that they aren’t assigned to, but this person is actually pretty helpful and looks up Tara’s case.  They don’t have the medical records!  Can’t believe we have to go through this all again (this is the 3rd time they are “lost”), but between the USCIS person, their supervisor, and our attorney, they accept that it’s USCIS’s screw up and if our copies of the records are faxed to them they will press the “approved” button.

Hurrah! We are finally done.  Just under 4 years in the making (which still isn’t too bad) and we should have our cards, but there’s two last little gems to come.  First one is that my card doesn’t turn up (Tara’s does, but nothing for me).  Seems they are sent out using regular US postal mail, with no tracking or anything (which I still can’t believe - one of the most important documents I’ll have, and it’s just sent regular post).  No problem, just apply for a replacement card (ker-ching - more $$$).  “Lost” card turns up 3 weeks later in the post, so we cancel the production of the replacement.  Also, Tara’s medical records get sent back to our attorney with the note “case closed, not required” with the date stamped on them saying they got them 20 days before the original (1st) RFE deadline!  Clearly someone had them on their desk - left hand, right hand and all that - resulting in our denial.  Reminds me of the saying “to really screw things up takes a government” :)

Anyway, we have our cards now, and have had for a while (as I said above, this post is a little late).  They are white (not green - the color/design changes every so often) and mean that we can stay for 10 years and can work/do what we like (but not vote :().  We’ll probably take citizenship in 5 years (after the waiting period) as there doesn’t seem to be many downsides to that (UK people can hold dual-nationality).

This has certainly been a stressful and long process, which we wouldn’t have been able to get through without the expert help of Petra Tang Bloom of Berry, Appleman and Lieden.  Not only was Petra so good at helping us, but Sara Tinati fielded a lot of our questions and kept the ball rolling during the last (most difficult) phase.  Jose Duran also from the BAL team helped kick the process off.  I can’t say how great the people of BAL were, and David Berry even stepped in to assure us things were going to come out OK.  I’m grateful to my employer for paying (another benefit I suppose), but even saying that, BAL were certainly worth it and I have no reservations at all in recommending them (certainly the team I worked with).

As for other resources, another immigration law firm, Murthy, has some good pages and information.  I’ll finish this post with a few links that I have not used above, but could be useful to anyone also going through this process - the internet was good for me to look up what was happening in my case, learn (probably too much) about immigration law/process, and find out about other people’s experience(s), so I hope that this is useful to others as well.

Best of luck and quick processing to anyone else that is going through this.

Catching up…

Date August 16, 2008

What with the IR gig I’ve been on, work just being out of control at the moment, as well as the usual flurry of posts after BlackHat/DefCon, I haven’t been able to keep up with my reading, let alone posting.  There’s been a lot of interesting things going on which have received plenty of coverage, and I would just be adding to the noise as I’ve nothing more to say than everyone else has.  However, there are two things that I have seen that I want to comment on.

Security is much more than finding/fixing defects

The first post I saw on this was from Ivan Ristic, where he says…

Underneath all our security issues lies our inability to write defect-free code. Solve that and we’ve solved the security issues. Focus on the security alone and we won’t solve anything.

This sort of follows from a really old post on the Microsoft SDL blog from James Whittaker - Reliability Vs. Security.  Defects are defects, functional or security, and we’ve been working on the former for some time.  Our techniques are better, and we’ve learnt a lot, but we still can’t write error-free code, and there’s a lot of prior art/knowledge on the functional side that the security side has to catch up with.  One of my favorite (old) quotes is from Chris Mason, ex-development manager for MS-Word, who said “Since human beings themselves are not fully debugged yet, there will be bugs in your code no matter what you do”.  This leads me to the most recent post on the topic that I saw (also on the SDL blog) from Michael Howard.

Security is bigger than finding and fixing bugs

This isn’t any deep insight or rocket science, but it seems that some people have to be told it anyway.  Yes, currently there’s a lot of security issues being found after products are released, and they often track back to implementation issues (leaving aside for the moment if there were any security requirements), so people think if you patch the issues and/or look at the code then that’s 80% of the work.  This might be true for now, but so much of these things could get caught at the design or even implementation stage.  Also, I would bet that over time implementation flaws are going to start to go away as we code up defenses in frameworks, languages, APIs, etc, much like buffer overflows are much less of a worry in managed code.  Even if we get to that point there will still be vulnerable systems out there because of poor design decisions, failed logic, and other problems that are simply not associated with the code at all.  Focusing on the code (and therefore testing/fixing just the code) is IMO the wrong approach.

MBTA vs MIT Students

Talking about flawed design, here’s a good example that I’ve seen lots of posts about.  The best intro is from Chris at Veracode here and here.  Basically, the Massachusetts Bay Transportation Authority (MBTA) is (was?) suing some students to stop them from presenting about a flaw that they discovered in its payment card system (turns out many other transit authorities the world over also use the same system, and are thus vulnerable in the same way).

I first can’t believe how basic the vulnerabilities are (which surely would have been caught in requirements/design rather than in the much-more-expensive delivered system - once again, testing/code is not the answer), and second that anyone would defend what the MBTA is doing in suing the students (even though I understand it’s “risk prevention” on their part - this is not the right place to do that).

This leads me to something that has been going on for some time in the functional world, and perhaps needs to from a security aspect as well - software warranties.  When someone purchases a physical item there’s an expectation of “fitness for purpose” - if it doesn’t work you can take it back for a refund, and if it blows up in your face (during “normal” use) you can sue the manufacturer.

It’s extremely rare to find any warranty for software products, and the EULA is often the “get out of jail” card for the implied warranty.  I’m not sure that we’ll ever see true software warranties because of push-back from software producers and the additional cost it would (could?) add.  However, having enforceable software warranties would both force vendors to ensure that their software is “fit for purpose” (which in the MBTA case it clearly isn’t) and allow the purchasers of said software some rectification - I’ve had my fair share of clients that have had real problems getting vendors to fix vulnerabilities I’ve found in a timely manner, because the vendors don’t really have to.  For some purchasers (government(s) being a good example as Schneier points out), forcing these (because of their purchasing power) would force an improvement in quality, both functional and security, that would benefit everyone even if it’s only in one version/variant that you could buy if you wanted that level of expectation.

In any case, I’d like to know anyone’s thoughts on this.

(As a further resource, badsoftare.com is a site an old colleague of mine put together a while back that might have some interesting information for people.)

Software Security $$$ Numbers

Date August 12, 2008

On my trip out to DC a few weeks back I stopped over to see Gary McGraw for a bit.  One of the things he showed me was some numbers on security companies’ revenue and growth.  I can’t say I was sworn to secrecy on this, but he did say he was going to write something about it so stay tuned.  True to his word, Gary pinged me today with a link to the article - Software [In]security: Software Security Demand Rising.

There’s some good summary points that I’ll make in a bit, but I was actually quite surprised at some of the numbers - there’s a few companies in there that are making a lot of noise, and are very well respected, but aren’t making all that much money.  I’ll leave it to you to figure out who I’m probably referring to.

Security tools are certainly growing, and the numbers that Watchfire and SPI sold for are in the ranges I’ve heard mumblings about.  I’m still concerned at those valuations though, as whenever I’ve used these tools I’m always disappointed with the results - they seldom find stuff a good pen tester can’t find in a few hours.  I guess their benefit comes through regression testing and when (if?) they are "trained" on the app.  There’s a huge investment in getting these testing tools to any kind of reasonable level, although I still think they have a *long* way to go.

Good to see that Gary has included the services side of the space in here as (he notes) it’s really hard to track.  I’ve heard more than one person say that the west-coast is doing a lot of business in pen testing whereas the east-coast is doing code reviews / threat modeling / architecture type work.  I’m not sure that I see it as that cut-and-dried, but it’s an interesting observation if Gary is seeing it (and he would see it more than I would with all the connections he has).  In any case, I would agree that pen testing is a good *starting* point as clients get a lot of "bang for their buck" and it’s a way of pointing out how broken things are.  What is necessary then is to work backwards into why the software/system got like that in the first place.  The danger however is when the pen tester doesn’t find all that much, which provides very little leverage towards taking a deeper look - clients consider systems "safe" if nothing major has been found in the 2 weeks someone might have had to have a look, whereas it’s been well documented that attackers can take a very long time to get to know a system before attacking it.

Finally, in summary, I think there’s good news in the software security space.  Despite the looming recession in the USA (which, face it, if it does happen the rest of the world will inevitably feel some consequences of), the space is continuing to grow nicely.  The reason I think is just as one poster on the MFE Yahoo message board put it (I don’t know why I go there because it’s full of crap) - most companies are defensive, and just because a recession is coming you don’t lower your insurance premiums.  Companies know that their weak points are more and more their software, so they are attempting to protect them.  For people in the space that’s good as skills are in great demand - pretty much every security company I know is trying to hire, but having problems in finding good people.

I guess this is a "wait and see" situation, but it’s good for Gary to gather and put together these numbers outside of the hugely expensive Gartner reports.  It does however look like security in general, and software security specifically, is getting the attention that it deserves.