Archive for the ‘Rants’ Category

Nielsen on password security vs usability

I read Jakob Nielsen’s post on password security, and although he has a point, there are several reasons why this is a monumentally bad idea.

First, passwords are a fundamentally bad idea for all data risk classifications. Instead of trying to make passwords more usable, how about getting rid of them?

Second, exposing folks’ passwords in a shared environment will expose them in more ways than one. For example, most folks use the same password everywhere. I used to do this when I was 16. Then I migrated in 1989 to having low, medium and high security passwords. Then about five years ago, I migrated to using long random passwords for nearly everything. I do not know my password for my blog. I cut n paste my passwords from a password manager. I’m ashamed to say that I still use the low security password from 1989 from time to time – mostly to recover access to long lost internet sites. So if you run a social networking site where you’ve evaluated YOUR risk to be low, well… that user uses the same password EVERYWHERE, including high risk sites such as Internet Banking, their tax login, their insurance login, etc.

Third, malware that currently snaps screens when used with visual keyboards (security theater!) will have a bonus time with this scheme, or any scheme like it (think iPhone where the last character typed remains on the screen for a second or so and then becomes a bullet). However, if you have malware, you have more interesting problems than just clear text passwords.

I am all for killing passwords. They are crap. They are insecure. They are hard to remember. IT Security folks with NO UNDERSTANDING of human nature or how this terrible usability costs the business ask us to change them every 30 days and you can’t have the same password for the last five years and the password must not be a dictionary word and must contain punctuation and numbers and upper and lower case characters. The only people who can do that without ringing the help desk are the tin foil hat people like me who use password managers with long random passwords. I love going to sites with those sort of rules – the passwords are nearly universally on post it notes or written on the cubicle wall or dry erase board. Dumb!

So how do we improve the situation? I strongly believe that for the average user, the browser should take over the credential for the user. A nice auto-generated certificate login managed basically transparently by the browser’s credential manager makes the most sense. This should be able to export to a standard file format that all the browsers agree upon so that users can upgrade their machines, and move amongst them. Obviously, Apple already has MobileMe to help sync those credentials around, and this will help folks like me with more than one computer. If you’re out and about and need to log in remotely, you log in to MobileMe (or similar), and approve the site you want to log on to for (say) 10 minutes from the computer you’re currently on. Then you go to the site you want to go, like Wikipedia or Travelocity with your full strength credential… that will not stay on that machine and will not work after a few minutes.
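The “approve this site for ten minutes from the machine I’m on” idea above can be modelled as a short-lived grant that the credential manager signs and that the site checks. The following is an added example written for this post, not code from any browser or from MobileMe; the secret, the site names and the ten-minute TTL are constructed assumptions, and the grant format (JSON claims plus an HMAC-SHA256 tag) is one I chose for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In the design described in the post this lives in the
# browser's credential manager / sync service, never on the borrowed machine.
MANAGER_SECRET = b"constructed-demo-secret-not-for-real-use"

GRANT_TTL_SECONDS = 10 * 60   # "approve the site ... for (say) 10 minutes"
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC tag, fixed length


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 tag over the grant body, keyed by the manager's secret."""
    return hmac.new(MANAGER_SECRET, payload, hashlib.sha256).digest()


def issue_grant(site: str, issued_at: float, ttl: int = GRANT_TTL_SECONDS) -> str:
    """Issue a grant bound to one site with an absolute expiry time.

    The site binding means a grant approved for Wikipedia is useless at
    Travelocity; the expiry means it "will not work after a few minutes".
    """
    body = json.dumps({"site": site, "exp": int(issued_at) + ttl}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body + _sign(body)).decode()


def verify_grant(token: str, site: str, now: float) -> bool:
    """Accept only an untampered grant for this site that has not yet expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:              # covers binascii.Error (malformed base64)
        return False
    if len(raw) <= TAG_LEN:
        return False
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Constant-time comparison: check integrity before trusting any claim.
    if not hmac.compare_digest(tag, _sign(body)):
        return False
    claims = json.loads(body)
    return claims.get("site") == site and now < claims.get("exp", 0)


def tampered(token: str) -> str:
    """Flip one bit of the grant body; used only to show that tampering is detected."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode()))
    raw[0] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    t0 = 1_700_000_000                      # constructed "now"
    grant = issue_grant("wikipedia.org", t0)
    print("valid 5 min later :", verify_grant(grant, "wikipedia.org", t0 + 300))
    print("valid 11 min later:", verify_grant(grant, "wikipedia.org", t0 + 660))
    print("valid at other site:", verify_grant(grant, "travelocity.com", t0 + 300))
    print("valid after tamper :", verify_grant(tampered(grant), "wikipedia.org", t0 + 300))
```

The grant carries no long-term credential at all, which is the point: the borrowed machine only ever sees a token that stops working on its own, so nothing worth stealing stays behind.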

For value transactions, the use of SMS transaction signing and two factor transaction signing should be mandated where PII, financial or health data is concerned.

Then we can put passwords out of their misery, and folks never need to remember their passwords ever again. Jakob is right – passwords suck. It’s time for them to die.

Stupid libel laws

This is disgusting.

http://www.newscientist.com/article/mg20227086.200-comment-dont-criticise-or-well-sue.html

If you’re in the UK, stand up to the legal bullies. Ask your MP to change the libel laws to reverse the burden of proof, and only allow actual UK citizens (and not companies or associations – foreign or not) the ability to sue.

I was once sued for defamation and had to settle as I had zero resources to fight it, and so had to apologize. I know how hard it is to state something you believe (or know) to be true and win in such cases.

Reputation is hard won, and I know how damaging hurtful or factually incorrect statements are, but the UK libel laws are legal censorship instruments, abused by anyone with enough money to sue.

In this particular case, it looks like observable facts, peer reviewed studies and a valid opinion based upon those observable facts and studies will lose. It’s a sad day for the UK when facts are not a valid defense.

Pretty is not necessarily secure

I feel sorry for folks trying their hardest to be something they’re not.

It’s time for me to put something down I’ve been saying at conferences for years. If you’re not a programmer or developer by trade, please don’t write software or web apps. Dreamweaver does not maketh you a programmer. Ajax is not a magic path to studly geekiness.

You’re simply unqualified. Get someone who can do it right, the first time. Sadly of course, lots of developers are in the same boat, but at least they know what the tools of our trade look like.

I wouldn’t dream of doing marketing, cooking a meal for 300 Z-listers, ripping out a squidgy bit from inside someone else, arguing a case in front of a judge (although I do play a lawyer in the lunchroom), or doing a corporation’s taxes in a zillion years.

Why does the opposite seemingly rarely apply?

Texas School Board of Education ^W Dumbasses

SHAME! SHAME! SHAME!

Texas’ Board of Education will be ridiculed by pretty much everyone (including me in this post). I would make more fun of them if the consequence of their gross incompetence didn’t lead directly to irreparable harm to the next ten years’ worth of students, who will be unemployable in any medical, bio medical, biology, DNA testing, stem cell research, drug research, geology, paleontology, farming, animal husbandry, crop research, or pretty much any field which requires them to understand the basics – or indeed, fine detail – of evolution.

Modern medicine, to name but just one field, doesn’t make ANY sense except if evolution is true. It’s as simple as that. There’s about as much doubt regarding evolution as there is doubt the planet is round and is orbiting our sun.

In my view (and IANAL), these students have due cause to sue the asses off the Board of Education for future earnings loss. What does a specialist medical doctor make per year? Half a million? A million per year? Multiply by the number of students in each of these fields… whoa, that’s a lot of moolah.

I call on all biology text book authors to refuse to allow “updated” editions to be issued with the forthcoming Texas changes. If the schools can’t buy any books, so be it. They can use the ones they have today that have the facts, instead of sowing doubt. Scientists everywhere should make it incredibly clear to their congress critters and senators, as well as their local Boards of Education, that this decision is about as dumb as they come.

I’m actually struggling to understand how “educated” folks, charged with the incredible responsibility of educating their state’s children, could be so abusive. They should be sacked immediately and this terrible position struck down for all time.

The new dark ages are approaching

When I left for America, I was surprised at how few places accepted electronic payment methods compared to our experience in Australia. By the time we left the USA barely two years later, that was not a problem – almost everywhere took cards.

Except … now, we’re back in Australia, and things have gone backward. Few places have EFTPOS now. It’s actually hard to pay electronically. Where I live, it’s impossible to buy coffee using EFTPOS, debit or credit cards.

I bet it is because the local Big 4 banks are cutting their noses off to spite themselves. It leads me to believe we are entering the downward spiral into luddite non-use of electronic payments. We may have seen “peak” EFTPOS rollouts, and it’s all downhill from here.

We’ll be a cash society soon, and this is incredibly bad. So many things that were once trivial to do now require effort. It will cut economic output. Folks like me who refuse to pay the “disloyalty” fees at ATMs just will not buy at places without card machines when we run out of cash.

This is bad news for the local economy, bad news for the banks, and bad news for employment. And bad news for me because I do not get a good cup of coffee and I’m pissed off.

Feelings of Rejection

In other news, all my talks for OSCON were rejected again. Why did I bother? I should have paid attention to last year’s rant. Most likely, I will have to give up on submitting papers to certain open source developers’ conferences as honestly, why bother doing the work of doing the research, creating the paper and slides only to be rejected? Luckily, two of my submissions were from colleagues, so I didn’t squander a lot of resources on those talks, even though, for example, I’m working on porting ESAPI to PHP, which is the subject of one of the rejected talks.

I’ve identified the following security talks for those security folks still considering going to OSCON (although I’d recommend saving your money for OWASP USA as we already have a schedule of 45 web app sec talks in three tracks, and two full days of tutorials, including several two day courses where you’ve got an actual chance of learning something. Just saying.)

So five talks and two longer three hour talks. Here it is in graphical format for you:

[Image: microsoft-powerpointscreensnapz001.png – screenshot of the OSCON security talk list]

A couple of the talks are likely to not offer that much in the way of solutions. Sadly, no Ruby, Python, administration, database, emerging topics, or people security talks. Worse, there are no Java security talks, which for a semi-incomplete track I found sort of astounding, especially as I submitted two Java security talks and one PHP talk. The official “security” track has two three hour talks, both detailed above. Even if you look at it from the point of view of OSCON having 16 tracks, hopefully with equal time for all of the tracks assuming there was a lot of competition for speaking slots, there should be 215/16 ≈ 13.4 security talks, not 7.

Although I am glad my friends are accepted whilst talking about security, I think OSCON needs a new program committee. This one is broken.

Fucktard drivers

What is it with “sporty” coupes and their drivers? We were nearly killed coming home from the hospital by 8CR J60, a Black Infinity of some description. There’s a complete fucktard behind the wheel, who will hopefully get a nice moving violation from the police tomorrow. I hope with all my heart that this is the last few points on his license so they are off the road for a few months. Honestly, why drive if you’re going out there to kill yourself and others?

Final score: OSCON 4/234, Black Hat 5/92, DefCon 1/118. AppSecurity: 10/444 == ~Statistically insignificant

A little while ago, I wrote a dejected post saying that OSCON, Black Hat, and Defcon all missed the greatest opportunity to speak to the right folks about securing their apps. Well, with the final schedules of Black Hat and Defcon up, we have:

  • Fear – Pretty much every talk
  • Uncertainty – you betchya
  • Doubt – doesn’t the security industry work on creating doubt? Yep.
  • Solutions – 10 out of 444 talks == 2% of all talks

We have to move past this. I am not asking for solutions to be even 50% of the talks, but dammit, it should be over 10% and it should be over 25%.

The CIOs and CTOs and mid-level junketeers in our industry (who go to these events to pick up chicks of negotiable affection*) will go: “WHOA! I’m so screwed! What do I need to do to protect my assets from all this badness?” And the snake oil sales puke from the large security ISV will go: “let me show you this bridge I have for sale over here…”

At Black Hat, 3 of the 5 potential security solution talks are the 20 minute turbo talks. How much can you learn in 20 minutes? Enough to be scared, or enough to learn a URL? At Defcon, there’s just one talk on using a tool as a shield around your crap. Of course that’ll work. Like anti-virus or IDS “works”. Not.

The CIOs and CTOs and high level business folks don’t want horror stories. They get enough of that from the snake oil sales pukes. They want solutions that work. They want to know what to do right. These solutions should not cost the earth and should be effective. None of which they’ll learn about at these conferences. Will this stop them going to conferences? Of course not! It’s Vegas, baby!

The conferences will have to start being relevant or they’ll end up like CES. CES started out small, grew immensely, changed to be vendor friendly, and no one came. They cancelled it. Now everyone goes to E3. They’ve changed the rules to be more industry friendly… and it’s only a matter of time before it, too, dies. “Our” industry conferences on the outside seem more popular than ever, but they are dead. I will not be submitting any more talks to them as they are irrelevant. They do not support solutions, only fear.

* And occasionally, chicks with dicks of negotiable affection. But what happens in Vegas, stays in Vegas, eh baby!

W Chicago – Do not stay

I am at the SANS GSSP second face to face in Chicago (photos soon). SANS have chosen a nice hotel, the W Lakeshore right on Lake Michigan.

Until 10 pm tonight, it was awesome. But then at 10 pm… It was spoiled by the Richter level 4.0-4.9 bass drivers (seriously! – we’re feeling it in our waters – constantly – my diet Pepsi has ripples in it). It’s 1.30 am. I have to get up at 7.30 am – on a Sunday, a miracle not often seen – even with a good night’s sleep.

This hotel has forgotten its core duty: a good night’s sleep for ALL of its guests. We are the ones paying nearly US $400 per night, not the young things paying $10 for a drink at the nightclub.

Never come here – spread the word.

Why I will have a job in 2035, or how to write a successful talk submission

In 2035, I will be 65. Unless I take up photography or cat breeding, I will most likely still be in this industry doing pretty much what I’m doing today.

Why?

I submitted a bunch of “how to fix” talks to OSCON (the unconverted) and Black Hat (the converted). I’ve spoken at both before, and I know I don’t suck too badly at speaking. Knowing that you suck more than other folks is the first step to being a good speaker, and I learnt that many years ago and have been learning ever since. Nowadays, I get good reviews from my customers, and got good reviews and write-ups for my last talk at OSCON. Black Hat provided me with my feedback, which indicates that most of the folks who returned the forms liked what I had to say and how I said it, although there is room for improvement. When I train professionally, I am probably my harshest critic. That said, everyone – including me – can always learn how to present better, and make presentations that don’t suck. But let’s put that aside for a moment, and look at our industry’s premier developer and security conferences.

Why you will not learn solutions at any major event this year

I know this might come across as sour grapes, but seriously, when the biggest “security” conference rejects my talk (which will show how to scale code reviews in large enterprises, a huge problem for the Fortune 500, government and defense types, who just happen to send a bunch of folks to said conferences) in favor of the same theoretical root kit talk as we saw last year and a meta-theoretical anti-root kit talk targeting that specific theoretical root kit talk, they’ve lost the plot. When the largest *developer* conference rejects three of my talk suggestions, two of which are teaching developers how to code more securely (including an advanced level 300 class – I’m sick of teaching “hey, this is htmlentities(). He’s your friend”), they’ve lost the plot, too*.

OSCON’s security track is a paltry seven talks, basically most of one day out of five. And only one, by my friend Chris Shiflett, will teach you how to avoid the most common problems in web apps, and another reports on the use of a source scanning tool by the open source community. Each of those talks is less than an hour. The chance you’ll learn something you don’t already know about PHP security is pretty small. At Black Hat, so far, there are plenty of announced talks, but it will take you until day two before you learn how to do something useful. There are no other how to fix talks at Black Hat. That’s very, very sad.

There are some fine speakers at each event, for sure. But some have been seen before. And before that, too. But when you’ve seen ten theoretical root kit talks, or the fiftieth hundred buffer overflow talk (the same attack since 1988? kill me now), or yet another XSS talk or eight, we get it. Software sucks.

How do we fix it? Show me the money!

Do I want to be fixing SQL injections, buffer overflows or cross-site scripting issues when I’m 65? Hell no. These are solved problems. We know the solution. They MUST be burnt into the APIs so that programmers (no matter what skill) CAN’T do it the wrong way. There are some fine researchers working in the field, and you’re not going to hear them talk about fixes at Black Hat or OSCON. It’s Fear Uncertainty and Doubt. Scare the punters so you’ll buy their products or services. That security sales method is so 1995 when we thought firewalls were kinda neat.
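“Burnt into the APIs so that programmers CAN’T do it the wrong way” looks like this in practice: a data-access layer whose only query path binds parameters, an allowlist for the one thing parameters cannot cover (identifiers such as a sort column), and an output helper that always encodes. The following is an added example written for this post, not code from ESAPI, PHP or any project mentioned here; the table, rows and inputs are constructed, and the ‘before’ function is kept only to show what the hardened API refuses to let you write.

```python
import html
import sqlite3


class SafeDB:
    """Tiny data-access layer: every query goes through placeholder binding."""

    # The only identifiers the API will ever splice into SQL text. Identifiers
    # cannot be bound as parameters, so they are validated against a fixed set.
    ALLOWED_SORT_COLUMNS = frozenset({"name", "role"})

    def __init__(self) -> None:
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
        # Constructed sample rows for the demo.
        self.conn.executemany(
            "INSERT INTO users VALUES (?, ?)",
            [("alice", "admin"), ("bob", "user")],
        )

    def find_user(self, name: str) -> list:
        # The driver sends `name` as data; it is never parsed as SQL grammar.
        cur = self.conn.execute("SELECT name, role FROM users WHERE name = ?", (name,))
        return cur.fetchall()

    def list_users(self, sort_by: str = "name") -> list:
        # Allowlist check: the caller picks from known columns or gets an error,
        # so there is no way to reach the f-string with untrusted text.
        if sort_by not in self.ALLOWED_SORT_COLUMNS:
            raise ValueError(f"unsupported sort column: {sort_by!r}")
        cur = self.conn.execute(f"SELECT name, role FROM users ORDER BY {sort_by}")
        return cur.fetchall()


def find_user_unsafe(db: SafeDB, name: str) -> list:
    """The 'before': string building lets the input rewrite the WHERE clause."""
    cur = db.conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'")
    return cur.fetchall()


def render_greeting(user_supplied: str) -> str:
    """Output encoding built into the template helper, not left to the caller."""
    return f"<p>Hello, {html.escape(user_supplied, quote=True)}</p>"


if __name__ == "__main__":
    db = SafeDB()
    probe = "' OR '1'='1"          # constructed input: a quote plus a tautology
    print("bound query  :", db.find_user(probe))          # [] – treated as a literal name
    print("string query :", find_user_unsafe(db, probe))  # every row – the injection
    print("sorted       :", db.list_users("role"))
    print("rendered     :", render_greeting("<b>bob</b>"))
```

The lesson is in the shape of the API, not in any single call: `find_user` has no signature through which raw SQL can arrive, `list_users` fails closed on anything outside the allowlist, and `render_greeting` encodes unconditionally, so a developer using these helpers cannot reintroduce the bug by accident.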

That sucks.

It’s the reason the security industry is little more than snake oil modulo a few gems here and there. Why don’t A/V vendors go white-list? Spend 10 minutes telling your computer about the programs you use and white list the behavior of those probably very common apps? No more virus infections as everything else is untrusted and doesn’t run. That’d kill their shakedown revenue stream.

To be a smart security vendor today, you provide value to the customer by showing them how to architect a secure solution, how to build secure software (by training their devs – we can’t write all the software), how to test and review software (or indeed provide these services as an external audit function), so they don’t have to worry about spending *more* money on useless controls or, worst case, notifying the regulators and their customers that they’ve screwed up and “gee, we’re sorry! we tried our best. Here’s $100 bucks”. Value folks, value. We’re here to provide secure business, not scare money out of folks. Once the horse has bolted, it’s far, far too late. That’s why I think forensics and a lot of compliance is a total WAFTAM. Dead money.

Providing solutions is exactly what we’ve been doing at OWASP. We provide value. Some of the solutions are actually getting towards voting age. We just need to get it out there so you don’t make the same mistakes, time after time. I’ve dedicated the last four to five years to researching, describing and educating how to fix things at OWASP. And yet, we don’t get no love at major conferences. And here’s why – they don’t want to tell you how to fix it. They want headlines in the meeja. The meeja only know about attacks, “hackers”, and people losing money to organized crime gangs, or their daughters to the nasty pedos across state lines. So the conferences provide that. We all lose with this approach. Luckily, with OWASP, we run the conferences, so this year, I will speak, and hopefully it will be useful to those who attend.

But realistically, the folks we want to talk to are at BlackHat and OSCON, not at OWASP (yet). So let’s learn …

How to write a successful talk submission

First off, and foremost, be honest about why you’re going. You’re a conference whore, and so am I. The hallway track is their raison d’etre, and best experienced with booze and lots of it. But how to get there… write a submission!

0. The title must be snappy. “Attacking OMG PONIES!111 2.0” All good talks have 2.0 in them somewhere.
1. Subject matter must ONLY be about attacks, exploits, or bragging. The more esoteric the subject of your attacks, the better. I’m talking to you, side channel attacks.
2. Reading poetry to the attendees is only acceptable if it’s accompanied by images of death and you’re dressed in a funny hat, so try to come up with a reasonable approximation of how much your new tool (P0NIE PWNER) haxxors the badness (OMG PONIES!!111) you claim to attack. You don’t need to provide the tool, just claim it exists. No tool / exploit == no attendance.
3. Don’t include anything – ever – about how to fix the problem. That’d ruin the “hacker” image of the conference.
4. Profit!

Conclusion

So screw them. See you at Black Hat. I’m the one who looks like a trans-gender lady of negotiable affections and I’m lovin’ it.

* OSCON has a talk on PHP security, by Zeev Suraski, one of PHP’s founders. The talk (PHP Security: Fact and Fiction) sounds pretty defensive. Hopefully, it will say something like “gee, sorry about that!” to all the attendees. I’m very hopeful about the claimed agenda – it talks about what is changing in PHP to fix their previous stupid insane security decisions and lack of a security architecture. PHP *must* move in that direction, and fessing up to current and past indiscretions is the first of at least 12 steps to resolving the issue. Look at ASP -> ASP.NET. Same thing.
