Zombie Apocalypse – Economic armageddon using Gresham’s Law

I was heartened to find out that someone was given grant money for a study that demonstrates that the fresh brains market in a zombie apocalypse would peter out after six months. Afterwards, the earth would be either empty (most likely) or a wasteland with few zombies.

So that gave me an idea. Gresham’s Law, crudely stated, says that bad money drives out good money. My thesis is that the market for high quality security assessments (=”good money” e.g. skilled manual review) is being driven out by the prevalence of low / unknown quality security assessments  (=”bad money”) in a rush to the bottom in terms of fees. This correlates with an increase in business loss as attackers stop putting up alert boxes and start stealing (brains) from the population.

So is there any hope? Do we need hope? Could we have a market in the post-trust Internet?

Let’s have a thought experiment – what would the Internet look like post zombie apocalypse (or if you’re Paul Fenwick, a post singularity AI overlord who turns out not to be our friend). Could commerce exist and in what form if we totally (and I mean totally debased) the security market to the point that there is no trust on the Internet?

Of course it would look like this:Let+Me+Show+You+My+Pokemans+pokemanscover

 

What would that look like for traders in an all lolcats world?

In my view, the signs of a post-zombie apocalypse are:

  • The market would mainly consist of small unregulated trades, much like drug deals today you see on TV crime shows;
  • There will be a limited market for large trades, and large trades would be highly regulated in a walled garden;
  • There is very limited to no trust;
  • Trades would be done in places that are not particularly consumer friendly (ether “friendly” to mall owners like Amazon or Etsy, or dark places like the Silk Road);
  • There would likely be an arms race of sorts between the main actors in the market, such as targeted phishes of oppressed ethnic minorities or other outgroups;
  • There would be little to no enforcement as there’s basically no detection;
  • There would be minimal to no proactive security measures being undertaken, where this “technology” is essentially unknown the market or deeply hoarded by those who actually know.

In my view, much of the signs are starting to crop up now, with the dark net market of malware, infected machines, and illicit substances traded for virtual currencies.

We are at a turning point for trust. Either we must support the market in a way that punishes weak security or bad money, and rewards leading security practices, or we give up and embrace the smaller and more diverse dark market. There’s still money to be made – for some – in the dark market.

What do you think the future of the security market looks like?

Curation

I have taken the step of finally splitting the cut-n-paste import from my blog at Advogato into the days they actually occurred. All that content was here previously, but in some cases bunched together over many thousands of lines in single massive multi-month postings.

Some early permalinks are gone, but that’s okay, you can search for the content. The content I’m talking about dates back more than ten years.

Argumentum ad antiquitatem

This post is not in Latin, but essentially a call to the Information Security industry to end policies based upon argumentum ad antiquitatem, which includes:

  • Password change, complexity and length policies and standards that simply don’t make sense in the light of research and tools that show that we can crack ALL passwords in a reasonable time. It’s time to move on to two factor authentication, alternatives such as OAuth2 (i.e. Facebook/Twitter/G+ integration) or Mozilla Account Manager, and random long passphrases for all accounts.
  • “Security” shared knowledge questions and answers. These are commonly used to “prove” that you have sufficient evidence of identity to resume access to an account. We see these actively exploited continuously now. Unfortunately, most familiies including ex-spouses have sufficient knowledge of the identity and access to the person’s identity documents that such questions, no matter how phrased (like “What was your favorite childhood memory”), are simply unsafe at any speed as more than ONE person knows or can guess the correct answer.
  • That requiring authentication is enough to eliminate risks in your application. Identity and access management is important, but it’s only part of the picture.
  • That enforcing SSL or access through a firewall is enough to eliminate risks in your application. Confidentiality and integrity of connection is vital, especially if you’re not doing it today, but it’s only part of the picture.
  • That obfuscation is enough to deter hackers. Client side code is so beguiling and the UX is often amazing, but it’s not safe. Business decisions must be enforced at a trusted location, and there’s little business reason to do this twice. So let’s get that balance right.

What are some of your pet “argumentum ad antiquitatem” fallacies?

Securing WordPress with obfuscation

So in a fit of security through obscurity, I renamed my WordPress database tables and promptly broke WordPress with a highly informative “You do not have sufficient permissions to access this page.” error message when accessing wp-admin.

Changing the prefix is easiest done with a new installation, but my installation dates from the very first versions of WordPress when the dinosaurs roamed. Due to WordPress’s design, changing the database prefix (‘wp_’) is not as straightforward as you would expect.

Edit wp-config.php

In this exercise, we’re going to change from the default “wp_” prefix to “foo_”. If you’re doing this for security through obscurity reasons, don’t use “foo_”, use something you made up. Trust me, my prefix is NOT “foo_”. In wp-config.php, change:

$table_prefix  = 'wp_';

to

$table_prefix  = 'foo_';

Once you’ve saved the file, your WordPress installation is now officially broken. Move fast!

Rename your tables

use myblog
show tables

and for each of the tables you see there, do this:

rename table wp_options to foo_options;

At this point, your blog will now be viewable again, but you will not be able to administrate it. Accessing /wp-admin/ will say “You do not have sufficient permissions to access this page.”

Fix WordPress Brain Damage

Let’s go ahead and fix that for you:

UPDATE foo_usermeta SET meta_key = REPLACE(meta_key,'wp_','foo_');
UPDATE foo_options SET option_name = REPLACE(option_name,'wp_','foo_');

You’re welcome.

Installing Fedora 18 (RTM) to VMWare Fusion 5 or VMWare Workstation 9

I always live in hope that just one day, the folks over at Fedora will actually have a pain free VMWare installation. Not to be. Here’s how to do it with the minimal gnashing of teeth.

Bugs that get you before anything else

On VMWare Fusion 5, currently Fedora 18 x86_64 Live DVD’s graphical installer will boot and then gets stuck at a blue GUI screen if you have 3D acceleration turned on (which is the default if you choose Linux / Fedora 64 bit).

  • Virtual Machine -> Settings -> Display -> disable 3D acceleration.

We’ll come back to this after the installation of VMWare Tools

Installing Fedora 18 in VMWare Fusion / VMWare Workstation 8

The installation is pretty straight forward … as long as you can see it.

The only non-default choice I’d like you to change is to set your standard user up to be in the administrators group (it’s a checkbox during installation). Being in the administrators group allows sudo to run. If you don’t want to do this, drop sudo from the beginning of all of the commands below, and use “su -” to get a root shell instead. 

The new graphical installer still has a few bugs:

  • Non-fatal – On the text error message screen (Control-Alt-F2) there’s an error message from grub2 (still!) about grub2 file not found /boot/grub2/locale/en.mo.gz. This will not prevent installation, so just ignore it for now (which the Fedora folks have for a couple of releases!). Go back to the live desktop screen by using Control-Alt-F1
  • PITA – Try not to move the installer window offscreen as it’s difficult to finish the installation if even a little off screen. If you get stuck, press tab until you hit the “Next” button – or just reboot and start again
Update Fedora 18

Once you have Fedora installed, login and open a terminal window (Activities -> type in “Terminal”)

sudo yum update
sudo reboot
sudo yum install kernel-devel kernel-headers gcc make
sudo reboot

Fix missing kernel headers

At least for now, VMware Tools 9.2.2 build-893683 will moan about a path not found error for the kernel headers. Let’s go ahead and fix that for you:

sudo cp /usr/include/linux/version.h /lib/modules/`uname -r`/build/include/linux/

NB: The backtick (`) executes the command “uname -r” to make the above work no matter what your kernel version is.

NB: Some highly ranked and well meaning instructions want you to install the x86_64 or PAE versions of kernel devel or kernel headers when trying to locate the correct header files. This is not necessary for the x86_64 kernel on Fedora 18, which I am assuming you’re using as nearly everything released by AMD or Intel for the last six years is 64 bit capable. Those instructions might be relevant to your interests if you are using the 32 bit i686 version or PAE version of Fedora 18.

Mount VMWare Tools

Make sure you have the latest updates installed in VMWare before proceeding!

  • Virtual Machine -> Install VMWare Tools

Fedora 18 mounts removable media in a per-user specific location (/run/media/<username>/<volume name>), so you need to know your username and the volume name

Build VMWare Tools

Click on Activities, and type Terminal

tar zxf /run/media/`whoami`/VMware\ Tools/VMw*.tar.gz
cd vmware-tools-distrib
sudo ./vmware-install.pl

Make sure everything compiled okay, and if so, restart:

sudo reboot

NB: The backtick (`) executes the command “whoami” to make the above work no matter what your username is.

No 3D Acceleration oh noes!1!! Install Cinnamon or Mate

Now, all the normal VMWare Tools will work. Unfortunately, after all the faffing about, I didn’t manage working 3D acceleration. I ended up installing something a bit lighter than Gnome 3.6, which requires hardware 3D acceleration.

  • Activities -> Software -> Packages -> Cinnamon for a more modern desktop appearance or 
  • Activities -> Software -> Packages -> MATE for old school Gnome 2 desktop appearance
  • Apply 
  • Logout 
  • From the session pull down, change across to Cinnamon or Mate and log back in
When VMWare updates support Tools to support Fedora 18 or vice versa, I’d still suggest Cinnamon over Gnome 3.6. Gnome 3.6 sucks way less than earlier Gnome 3.x releases, but that’s no great compliment. YMMV and you may really like Gnome 3.6, but without 3D support, it’s going to be painful. 

Time to update knowledge

This might be telling folks to suck eggs, but if you are doing secure code reviews and your development skills relate to type 1 JSP and Struts 1.3, it’s really time you got stuck into volunteering to code for open source projects that use modern technologies. There’s heaps of code projects at OWASP that need help, including helping me with code snippets that are in a modern paradigm.

I don’t care what technologies you choose, but your code reviews will not be using Type 1 JSPs or Struts for that much longer – if at all. Time to upskill!

I suggest:

  • Ajax anything. Particularly jQuery and node.js. GWT is on the wane, but still useful to know
  • Spring Security, Spring Framework and particularly Spring Web Flow are essential skills for any code reviewer doing commercial enterprise code reviews
  • .NET 4.5 and Azure are killer skills at the moment, particularly as Windows 2012 has just been released. Honestly, there is a good market to be a specialist just in this language and framework set, as it’s literally too large for any one person to know.
  • Essential co-skills: Continuous integration, agile methodologies (you have updated your services to be agile aligned, right?), and writing security unit tests so your customers can repro the issues you find.

It’s important to realise that good code reviewers can code, if poorly. Poor code reviewers don’t code and have never written a thing. Don’t be a bad code reviewer.

I do not suggest Python, Ruby on Rails, or PHP as these are rare skills in the enterprise market, but if they scratch your itch, go for it, but be aware that these skills do not translate out to commercial code review jobs. The fanbois of these languages and frameworks will hate on me, but honestly, there’s no reason to learn these languages except for the occasional job here and there, and if you’re any good at the list above, PHP in particular is easy to pick up. Fair warning, it’s a face palm storm waiting to happen.

PTV iPhone app – worst public transport app ever, or just pure evil?

I take the train between Marshall and Southern Cross Station, a terminus station with 14 or 15 platforms and hundreds of V/Line country, suburban and bus services daily. I had an app that worked (the old MetLink app). That wasn’t stellar, but it worked well enough that I didn’t need to get a paper timetable.

So imagine my continuing frustration that the most basic of use cases just doesn’t work in the complete re-write of the new app:

I cannot find my station when standing on the station platform (!) using location search or by searching for the station in the default “Trains” mode the app comes in from the AppStore.

It cannot find the terminus of all V/Line services – Southern Cross Station. I’m serious. In “Train” mode, you cannot search for V/Line services or stations. In “V/Line” mode, Southern Cross is not even a station (!!). You cannot find it by clicking on “Find my location” icon whilst in the station (!), and you cannot choose it from the map, and you cannot search for it. Epic fail of all epic fails. It’s like the PTV app designers chose not to walk the 40 m from their office block to the biggest and busiest station in all of Victoria and test it out.

Modality. It’s nearly impossible to work out you can change the mode of transport you’re looking up by clicking the word “Trains” at the bottom of the screen. I am catching a “train”, but not the default type of “train”. Who knew? The thought that there are multiple types of trains obviously never entered to PTV’s UX designers. There’s no button shape or indicator, it’s just in a button bar by itself, which usually means that there are no other choices.

Honestly, PTV need to test their apps:

  • You should be able to find all the services within 500 m of where you are standing. Just list them all and let the filter function narrow things down in one or two keytaps.
  • You should be able to find ANY station or service or transport mode via text search. It’s just not that hard. There should be no difference between a regional bus, a metropolitan tram, an intercity V/Line service, or a station or bus stop. List ‘em all, and let the filter work its magic in a few keystrokes.
  • Get rid of modes. I don’t think of modes and I use at least two every day. Free up that wasted screen real estate and replace it with a search function that works across all modes, and services.
  • You should be able to view a line’s entire timetable with no more than two or three clicks. Timetables -> scroll to the timetable or tap in enough to narrow things down -> voila. It’s not rocket science. Allow it to be a favorite.
  • Planning a multi-mode trip is not rocket science. This is just not possible with the current PTV app.
  • The old app had notifications for the services / lines you were interested in. Please bring it back. This feature may actually be in the PTV app – I simply don’t know because I have not been able to find my station or the station at which I get off.

This app is terrible. It must be withdrawn.

OWASP Guide 2013 – Developers needed!

The Developer Guide is a huge project; it will be over 400 pages once completed, hopefully written by tens of authors from all over the world, and will hopefully become the last “big bang” update for the Guide.

The reality is our field is just too big to do big bang projects. We need to continuously update the Guide, and keep it watered and fresh. The Guide needs to become like a metaphorical 400 year old eucalypt, all twisty and turny, but continuously green and alive by the occasional rain fall, constant sunlight, and the occasional fire.

If you are a developer and have some spare cycles, you can make a difference to the Developer Guide. I need everyone who can to add at least a paragraph here and there. I will tend to your text and give it a single conceptual integrity and possibly a bit of a prune, but with many hands, we can get this thing done.

Why developers? Many security industry folks are NOT developers and can’t cut code. We need developers because we can teach you security, but it’s difficult to instil 3 years of post graduate study and a working life cutting code. I am not fussed about your platform. Great developers know multiple platforms, and have mastered at least a couple.

I am installing Atlassian’s Greenhopper agile project management tool to track the state of the OWASP Developer Guide 2013′s progress.

Feel free to join the mailing list, come say hi, and join in our next status meeting on Google+.

Speaking at Linux.conf.au 2013

I’m glad to say that I’ve been accepted to speak at linux.conf.au 2013.

My talk is how to apply the OWASP Developer Guide 2013 to your open source project.

The Open Web Application Security Project (OWASP) Developer Guide 2013 is coming soon. In this presentation, you’ll learn about the major revision to one of the major open source code hardening resources.

The new version will encompass not only web applications (although that is its primary focus), but also general advice for all languages, frameworks, and applications through the use of re-usable architecture, designs, patterns and practices that you can adopt in your code with a bit of thought.

Learn about:

  • The latest research in application security
  • How to apply new patterns to eliminate hundreds of security flaws in your apps, such as the bizarre world of race conditions, distributed and parallel artefacts. Few apps can afford to be single threaded any more, and yet these subtle flaws are easily prevented if you only knew how
  • Challenges of documenting bleeding edge practices in long lived documents
  • How to pull together a global open source document team whilst holding down a day job

If you code web apps, or write apps that need to be secure, this is a must attend presentation!

Come see me! Challenge me! Make the Guide better for non-web apps!

mostly useless crap from me