Recently I have been giving electronic readers a working test (Kindle, iPad).
iDefense pushes volumes of written intelligence products to our
customers. Sometimes it is a struggle to keep up with it all. Like most
security practitioners, I fill downtime gaps (traveling, the 30-minute
gap between two three-hour meetings, lunch, listening to my wife, etc.)
with reading. Most of what I read comes in three forms: PDFs, Websites
and books. It turns out that the iPad is the perfect device for this
endeavor. The Kindle is great for books (so is the Kindle reader on the
Blackberry and iPhone), but it just does not handle PDFs that well and
it has no mechanism at all for reading Websites. The iPad does all that
with ease and it does it in color. I am sold.
But the chatter around the water cooler at iDefense is not so sure. You
have to remember, most of the people here at iDefense are deep water
geeks. What I mean by that is that on the scale of smart people, we
have:
[Scale, from left to right: Smart People, Nobel Prize Winners, Geeks, iDefense Geeks]
In other words, you may not want these guys and gals to set any fashion
trends, but when it comes to figuring out cyber issues, they have an
opinion or two.
And they hate the idea of the iPad.
They hate it because it is a closed system. As you can imagine, these
folks love gadgets (like the Linux operating system and the Android
phone to name two) because there are an infinite number of ways for
geeks to configure them. They will spend hours manipulating one of these
devices to automatically download toast recipes from the Internet daily
and run home-grown python scripts that engage steam-punk cooking
apparatus in an effort to have a new variety of toast prepared before
they wake up each morning. They don't do this because they need it. They
do it because it is cool. (And I have to say, having a steam punk
apparatus making my toast in the morning would be very cool indeed.)
But they can't do that with the iPad because Apple maintains a stranglehold
on how the system works. Geeks cannot configure it. Oh, you can
probably buy a steam-punk application for the iPad that will make your
toast for you, but that is not the same thing. Geeks want the ability
and power to do it themselves. And that is where the problem lies.
If the geeks of the world have the power to endlessly configure their
toys, the bad-guy geeks of the world will leverage that. In fact, they
have been doing that for the past 20 years.
The simple fact is that most Internet users do not need all of that
power. Most do not even know what a steam punk engine is. I know. It is
hard to imagine, but it is sadly true. Most are like my mother-in-law:
consumers of information. They want to read their e-mail, read a Website
or two, play Farmville and exchange pithy one-liner status messages
with their friends on their social network of choice. Why would they
need all of that power that is inherent in an Android smart phone? The
answer is that they don't.
I am not saying that Apple's iPad is the device that everybody should
use. I am not even saying that the iPad is hacker proof. What I am
saying is that devices like the iPad are the safest and most secure
device today that will work for the largest Internet using population.
If my mother-in-law is using an iPad device and a banking application
designed for it by the bank that she uses (a closed system), she is much
less likely to get owned by a bad-guy-geek than if she did so using the
latest incarnation of the Windows operating system (a relatively open
system).
But the good-guy-geeks of the world will complain that they can't
configure it. That is OK. Besides being smart, the other thing that
geeks are good at is complaining. So, if I am king for a day, I would
give the geeks their toys to play with, but I would also give my
mother-in-law an iPad to protect herself.
I have been looking back through some of my previous blogs these past few weeks and I just happened to notice that I seemed to be on a minor rant about how security personnel present security information (in this blog and this blog). I told myself that I would pick another topic this week to avoid seeming like a broken record. Then, this story popped up in the New York Times called "We Have Met the Enemy and He Is PowerPoint." It is about how some of the leaders in the US military hate the use of PowerPoint as the default way to convey information up and down the chain of command. This quote sums the article well:
"The amount of time expended on PowerPoint, the Microsoft presentation program of computer-generated charts, graphs and bullet points, has made it a running joke in the Pentagon and in Iraq and Afghanistan."
According to the article, most junior officers fill their time building slide decks for one meeting or another, with many affectionately referring to them as PowerPoint Rangers. (Full disclosure: When I was in the service, I was a qualified PowerPoint Ranger myself. Since I retired, I have upgraded my skills to PowerPoint Ninja.)
I love the New York Times quotes from the generals (especially the McMaster quote):
"It's dangerous because it can create the illusion of understanding and the illusion of control. Some problems in the world are not bullet-izable." -- Brig. Gen. H. R. McMaster
"When we understand that slide, we'll have won the war." -- General Stanley A. McChrystal referring to this slide that tries to convey the complexity of the Afghanistan war (I want to meet the Captain that put that slide together - he must have had a lot of time on his hands).
"PowerPoint makes us stupid." -- Gen. James N. Mattis of the Marine Corps.
It seems that these military leaders are of like mind with Doctor Edward Tufte.
"You will be interested to know that Dr. Tufte hates PowerPoint; at least the default way that most people use it: Title, 3-5 bullets of text, spinning doughnuts that have nothing at all to do with the presentation. In his seminar, Dr. Tufte does not use it. His famous example, how NASA's engineers might have failed to prevent the Challenger Space Shuttle catastrophe in 1986 because a badly designed slide deck did not convince NASA leadership to scrub the launch, is bone chilling."
Alas, PowerPoint is not to blame here. Presentation software packages, PowerPoint included, are merely presentation tools. Where the military, NASA, the commercial sector and, of course, the security community fail is in how we all use the tool.
What is PowerPoint good for? It is good for conveying ideas to a large group of people; it is actually quite good at that.
What is it not good for? Summarizing very complex ideas, at least in its default use (reams of slides filled with indented bullet lists). Presenters can use the tool for good summaries, but the creator needs to back up the work with a longer narrative. This is similar to what we do at iDefense with our written products that cover the same topic at different lengths: Long Papers, Minis, Executive Summaries and One-Page Bullet Lists.
Where we all have failed is using the tool as the only vehicle to construct an original thought. PowerPoint has no method that I know of to convey subtlety or complexity; indeed, its creators did not intend for it to do so. I have come to believe that most PowerPoint decks should point back to a larger body of work or should accompany a resident expert. In most cases, the deck should not stand alone. How many times have you requested a copy of the slides used for a briefing that you thought was outstanding, but by the time you got around to reading them again, you found that you could not remember why you thought they were so good?
The bottom line is that many people are tempted to use PowerPoint as their only vehicle for organizing their thoughts. As General Mattis says, that "makes us stupid." Here is my recommendation for all the security geeks out there. If you are trying to convey your idea, before you resort to slide decks, write it out. Talk to your friends about it. Draw it on the white board or a handy bar napkin or your passed-out buddy's bald head. When done, write it out again and look for holes in your thinking. When you are done with all of that, you might be ready to pull out the PowerPoint program and work on your Ranger tab.
Actually, the slide that General McChrystal denounced in the New York Times article is the perfect slide that the presenter should have used. With one slide, General McChrystal instantly understood how complex the Afghanistan problem is. If that were the author's intent, then hoorah - the meeting would have been over! Doctor Tufte would be proud.
The title of this essay may sound like a blatant plug for iDefense, but since Richard Bejtlich of Tao Security asked me to participate on a panel on Commercial Intelligence Services for the upcoming SANS WhatWorks in Forensics and Incident Response Summits, I figured I would try to straddle the line between obviously commercial and relevant security commentary.
The summit itself will take place Dec. 9-10 in Washington, DC. My panel
is on Dec. 9 at 12:30 p.m. Panel members include my friend Jon Ramsey
(CTO SecureWorks), Wade Baker (Verizon Business), Gunther Ottman
(Damballa/botnet research) and Dave Harlow (cyber threat analyst at
Symantec). If you are in town, please come to the summit. Here is the
panel abstract:
"Commercial security intelligence service providers employ
researchers and operators to keep tabs on underground, criminal, and
other malicious activity. In this panel, participants will explain what
they are seeing, how they detect incidents, and how attendees can
engage them to better protect their organizations."
Bejtlich is brilliant. I love his blog;
it is normally a notch or two above standard security blogs out there.
I also love the way he organized this conference. My panel commences on
the first day; on the second day, another panel on non-commercial
intelligence shops begins. Putting those two panels together is an
interesting juxtaposition. I can hardly wait.
Now that I have committed to participate, I need to figure out
something coherent to say. I actually have a lot to say about this
topic. Whether or not it is coherent is another story. Let's start with
this:
I have been running iDefense operations for almost four years and
have always considered organizations that use iDefense and other
services like us as having made it to the big leagues. They have gone
professional; they have stepped up their games to play with the big
dogs.
Using commercial intelligence services is not for every organization
though. Outfits that can benefit from this must be mature; the internal
security leadership must be seasoned enough to recognize the value of
strategic security thinking as opposed to daily tactical issues. Users
of commercial intelligence services are big enough to consume the
volumes of information that flow once the spigot is turned on. They
have evolved past the stage of having "a guy" in the IT department who
reads lots of security blogs and keeps leadership informed. They are
nimble enough to consume the intelligence, consider the recommended
options and make decisions in a timely manner that can affect the
bottom line of a business. They understand the threat environment that
applies to their business so well that they can direct commercial
intelligence to even "darker" corners of the world in an effort to find
more granular intelligence.
Like I said, not every outfit can do this.
But if your outfit can, the world can open up to you. You will no
longer have to dig for relevant intelligence through the flotsam and
jetsam of Internet connections while trying to do the job that you were
hired to do. Instead, you will have a team doing that work for you -
experts in specialties and skills that your organization does not have
the time and, in some cases, the will to keep pace with. There are
plenty of free, open sources available to security professionals today.
Nobody has the time to read them all and, more importantly, make sense
of them all. A good, trustworthy, open-source intelligence shop can do
that for you, freeing you from that burden so that you can concentrate
on the larger security issues of your organization.
If you are using one of these commercial intelligence shops today,
welcome to the big leagues. If not, no worries. Amateur leagues have
good players too, but you know they all want to play in the big leagues.
Sean Larsson, one of our Advanced Research Lab (ARL) analysts, and I traveled to
Seattle last week to participate in Microsoft's 9th annual Blue Hat conference:
a cornucopia of outside grey hat security researchers and inside Microsoft
developers all gathering to talk about the security issues of the day. The
Microsoft Office product guys specifically asked Sean to attend because they
have been amazed this past year at the number of high quality Microsoft Office
vulnerabilities he has shared with them. To be truthful, they were a little
perplexed that one guy could be so prolific compared to an entire Microsoft
team dedicated to the same purpose.
The Microsoft system is pretty impressive too. They have built a
distributed fuzzing framework that works sort of like the SETI@Home
(Search for Extraterrestrial Intelligence) project. For those not familiar with
fuzzing or the SETI project, let me elucidate.
According to the Open Web Application Security Project (OWASP),
"Fuzzing is a Black Box software testing technique, which basically consists in
finding implementation bugs using malformed/semi-malformed data injection in an
automated fashion." This technique has been around for years and is one of the
primary methods used by the iDefense ARL team. Three issues with this technique
make it a lot easier to say than to do. First, you have to write a fuzzer for
each application that you want to test. This is not trivial. Second, you have to
run it over and over again with crazy input data looking for the application to
choke (crash). By over and over again, I mean thousands of times if not
hundreds of thousands of times. Finally, after all of this is done, the real
work begins for the security researcher. He must examine each crash location
within the code to see if there is a way he can leverage the problem that
caused the crash into a consistent and reliable exploit.
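To make those three steps concrete, here is an added example of my own (not iDefense's or Microsoft's code): a toy mutation fuzzer that runs a constructed length-prefixed record parser with a deliberate zero-length-record bug, treats clean ValueError rejections as non-crashes, and buckets real crashes by exception type and crash location so the researcher triages a handful of locations rather than thousands of individual crashes. The parser, the mutator and the bucket-key format are all assumptions for illustration.

```python
import random
import traceback

# Constructed target standing in for the application under test: a tiny
# length-prefixed record parser with a deliberate off-by-one bug.
def parse_records(data: bytes) -> list:
    """Return the last byte of each record; records are <len><payload>."""
    records = []
    pos = 0
    while pos < len(data):
        length = data[pos]
        pos += 1
        chunk = data[pos:pos + length]
        if len(chunk) != length:
            raise ValueError("truncated record")  # graceful rejection
        # Deliberate bug: a zero-length record leaves chunk empty, so
        # chunk[-1] raises IndexError (an unhandled crash, not a rejection).
        records.append(chunk[length - 1])
        pos += length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random bit flips, byte inserts or byte deletes."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "flip" and data:
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        elif op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif op == "delete" and data:
            del data[rng.randrange(len(data))]
    return bytes(data)

def crash_location(exc: BaseException) -> str:
    """Bucket key for a crash: exception type plus the innermost frame."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return f"{type(exc).__name__}@{frame.name}:{frame.lineno}"

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Run target on mutated inputs; map each crash location to the first
    input that reached it, so triage is per location, not per crash."""
    rng = random.Random(rng_seed)
    buckets = {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        try:
            target(data)
        except ValueError:
            continue  # malformed input rejected cleanly: not a crash
        except Exception as exc:
            buckets.setdefault(crash_location(exc), data)
    return buckets

if __name__ == "__main__":
    found = fuzz(parse_records, b"\x03abc\x02de", 2000)
    for location, sample in found.items():
        print(location, sample)
```

The run finds one bucket for the IndexError inside parse_records; in a real campaign the analyst then examines that single location to judge whether the bug is exploitable, which is the third, manual step described above.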
Microsoft is using the SETI project idea to help with the second issue. The
problem that the SETI researchers have is that they collect all of this data
from Radio Telescope observations and do not have enough computing power to
process it. Their solution was genius: convince people interested in the
research to use their own computers to chew on the data during downtime; i.e.,
when the computer goes into screen saver mode. They built a distributed
data-crunching network that works when the computer is idle. This is
essentially what Microsoft did for fuzzing.
Microsoft has hundreds of active products. Each development team develops its
own fuzzers for the code it is trying to test. The process management for
dealing with all of the bugs found was a mess. There was no consistency in
reporting, no standard method for collecting information and no coordination
between the teams about any progress made. Enter the Microsoft Distributed
Fuzzing Framework.
The Framework has two cool features. First, it is a web based system that
allows any developer to drop a fuzzer into the framework from any location
within the Microsoft network. Second, the framework keeps track of any
Microsoft computers that have joined the framework to participate in after-hour
fuzzing duties. These computers can come from anywhere: secretary desktops, developer
machines, lab machines, anywhere. All crashes found during fuzzing activity are
reported back to the framework and ultimately to the responsible developer for
action. Since the program started this year, Microsoft has found and fixed
millions of bugs. To be clear, these are not all security issues. In fact, most
of them are not. They are simply bugs in the code. In addition, to be fair,
there is a good chance that many of these bugs would never have seen the light
of day through normal use of the product because they were found with crazy
combinations of input data. But that is exactly where the security researcher
wants to travel; code locations that nobody knows about or understands that he
can leverage to run his exploitation code.
All of this brings us back to Sean. iDefense has discovered 12 Microsoft Office
vulnerabilities in the last year; most of these were Sean's work and most were
high quality discoveries with working "proof of concept" exploit code attached.
The Microsoft product team wanted to talk to Sean at Bluehat because, even with
the millions of bugs fixed in various Microsoft products this year with their
really cool and geeky distributed fuzzing framework, none came close to what
Sean found. They wanted to pick his brain about why he has been so successful.
So, Sean spent an afternoon with the Microsoft Office development team to help
them in their endeavors. After the session, Sean was nonplussed. He said that
the Microsoft team consisted of really smart and capable people, but they are,
for the most part, developers and not security researchers. From my
perspective, they don't have that special "X-Factor" that goes part and parcel
with being a white hat bug hunter; that instinct to go for the kill; that
deviousness to understand where one path is bloody brilliant where another is a
hopeless dead end.
Bluehat was a good conference and the Distributed Fuzzing Framework is a really
cool idea, but since Sean is still out-producing that automatic analysis,
perhaps we should point him in the direction of the SETI project. With his
go-for-the-kill X-Factor, we should find our first signs of Extraterrestrial
Intelligence before the new year.
It is iDefense Offsite time. You all
know what that is. iDefense's leaders gather the troops, take them to some
secret location, feed them a lot of food that is not good for them and try to
determine the future direction of the business. Of course, the exact moment
when a bunch of requirements are dumped on the team is exactly when the
leadership is away - but that's another story.
The story I want to talk about is an offsite discussion topic regarding a cyber
security intelligence taxonomy. A number of iDefense's customers have been
struggling with this notion for the past year and iDefense has been trying to
help. By taxonomy, I mean this: how do we, as intelligence professionals,
classify the information we gather so that we can decide what to collect,
prioritize our efforts, and make wise and well thought-out decisions with the
information collected?
Opening the iDefense kimono a bit, each of our teams monitors multiple sources
that pertain to their lanes of interest. For example, the Vulnerability
Aggregation Team monitors the Microsoft security site for any changes. But that
is just one of many sources it monitors. The last time I checked, the team was
monitoring thousands of such sources. All the other iDefense teams (Malcode,
Advanced Research Labs and International Cyber Intelligence) monitor other
sources that pertain to them. The first step to turning this raw information
into something useful is to sort it into useful categories - taxonomy.
When first tackling this subject, one might think, "Well, this is easy.
Only four or five big categories exist. What's the big problem?" And then,
after thinking about it for just five more seconds, one might come to the
realization that, "This is a lot harder than originally thought." One
is then likely to fall into a trap. That individual will find that it is very
tempting to try to classify the entire world and to build a comprehensive
taxonomy that can cover each contingency uniquely and precisely. But that individual
will quickly end up with dozens of categories that represent very thin ways to
slice the information. While this is an interesting drill to go through once
(left as an exercise to work out at home), one will finally realize that a
person does not need that kind of detail to make good decisions. One will also
realize that the more complex the taxonomy is, the more likely it is for that
person's team to make mistakes using it because it is too large to comprehend.
What is needed is a lightweight taxonomy that analysts can use to categorize
most situations.
The iDefense team will talk about this more in the coming year, but this is the
current iDefense Taxonomy: