Criminalizing Modern Security Research

My high school physics teacher quietly taught me that all locks have vulnerabilities. He was an “amatuer locksmith,” and while I never learned exactly how to pick a lock from him, he explained enough about how locks work that I figured it out. I took this skill to college where, with other like minded individuals, I become a minor part of a like-minded community of students called hackers. With our skills, we were free to roam just about anywhere. My favorite destination was the roofs of various campus buildings. It was a liberating experience.

If I had caused physical harm or damage as part of our “hacker” activities, who would be to blame? Based on the proposed updated law enforcement guidelines, then you may very well hold my high school physics teacher partially responsible for helping me understand the vulnerabilities in standard locks, how I could massage the internal tumblers of a lock until I found the correct sequence that would allow me to turn the cylinder to disengage the lock. When translated to cybersecurity, that same teacher, indeed any security researcher, could face 20 years in prison for disclosing a technology vulnerability due to changes that President Obama is proposing in cybersecurity law.

Microsoft, Please Open Source Windows XP

The day is now upon us. After a nearly 13 year affair, marked by manic periods of love and hate, we now face the inevitable conclusion of our relationship with Windows XP. We knew that our time together was only temporary, and many are applauding the end of an era that was probably several years past its prime. As much as I appreciated the time that Microsoft granted us, I recognize that it’s time to move on.

My acceptance aside, I believe that many others are forced to remain in denial. Consider that some reports continue to pin XP usage at anywhere from 10% to nearly 30% of all desktop systems. Combine these statistics with reports that 95% of all ATMs, many medical devices and cash registers run Windows XP. I’m not one to succumb to FUD (Fear, Uncertainty, and Doubt), but the numbers imply that we face a potentially catastrophic security condition once Microsoft ceases its support for the operating system. How many vulnerabilities are hiding out there, their hacker benefactors giddy as they wait for Microsoft to cease providing security patches for XP computers? I suspect that we’ll find out soon.

Microsoft can help by making the XP operating system core available as open source software. I think that it should.

The Critical Need for Liberal Arts in Security

"As we strive to create a more civil public discourse, a more adaptable and creative workforce, and a more secure nation, the humanities and social sciences are at the heart of the matter, the keeper of the republic - a source of national memory and civic vigor, cultural understanding and communication, individual fulfillment and the ideals we hold in common."

- The Heart of the Matter: The Humanities and Social Sciences for a vibrant, competitive, and secure nation; American Academy of Arts & Sciences; Retrieved on June 21, 2013 from http://www.amacad.org.

Security professionals often state that security is an art, not a science. This field demands a certain degree of finesse, elegance, imagination, creativity, and a find-grained understanding of technology. We characterize the act of securing assets and information as finding the right balance between people, process, and technology, the security triumvirate. Yet, look at any job posting in security over the past 15 years (about the duration of time that I've worked in the field), and you find this:

Education: Degree in Computer Science, Mathematics, or any comparable field.

Two-Step Verification (2SV) is not Two-Factor Authentication (2FA)

This week, Twitter became the most recent online service to move to 2-Step Verification (2SV). One high-profile intrusion recently sent stocks spiraling when an attacker posted false news of a White House bombing after gaining access to the Associated Press Twitter account (@AP) through a successful phishing attack. While Twitter had been reportedly working on a new authentication solution, the AP event likely accelerated those efforts.

Following Twitter's announcement, the media and supposed security industry pros once again continued to perpetuate confusion over what constitutes "Authentication" versus what constitutes "Verification." Bloggers over at CNET provide two fine examples of this confusion just yesterday in response to the Twitter news. First, at 2:44 PM PDT on May 23 (time stamped as of 5:00 AM PDT on May 24), Jason Cipriani posted, How to use Google Voice with two-step authentication. Shortly thereafter, at 5:29 PST (time stamped as of 5:00 AM PDT on May 24), Seth Rosenblatt posted, Two-factor authentication: What you need to know (FAQ). Jim Fenton, the Chief Security Officer for OneID, a company that doesn't even address either 2FA or 2SV, has the industry credentials to seem reputable, but fails to effectively convey the difference between the two methods in his recent posting, Two-factor authentication is a false sense of security.

Look around a little deeper at the companies that are implementing similar solutions, and the vocabulary remains a bit inconsistent. 

Are Mobile Carriers Killing Business Security?

Mobile service providers, including Verizon Wireless, AT&T, and Sprint, know something about your smartphone that you don't.  What is this little nugget of information?  Service providers have no problem with selling you a supercomputer (a.k.a. smartphone) that they have no intention to protect.  It's not that they make it a secret or that the information isn't readily available, it's just that they know that you don't care, and they're right.  That's killing the ability for organizations to protect themselves.

Defect Acceptance

Cybersecurity has been a hot topic for over a decade and only seems to be getting hotter.  When I meet new folks and mention being "in" information security, I cringe when I hear the standard response, "Oh, that's a really hot field.  I bet that there are a lot of opportunities for someone like you."  Well, yes and no.