Rediscovery and Security News

First things first: Happy 2012 everyone.

So, this blog has been silent for a little while now. More astute readers might argue along the lines of “hey man! This is supposed to be a technical blog – where are all them technical articles? Have you run out of material?”.

Take a deep breath, the dreaded, almost compulsory metablogging block after a long pause is coming …

The answer is a big NO! There is an abundance of material that I am proud of BUT a lot of this research has been done while solving problems for paying clients. The problem can be refined as “how do you tip-tap-toe around NDAs and do you choose to do so?”. Smart money says not to do it, so I am not. Keep this point in mind for the latter part of this post.

One of the design decisions for this rebooted blog was that it should convey an air of positivity, at least by security and research standards, which is not the happiest of domains. So, for better or worse, I decided to bottle the acid for some time, even if that meant leaving gems such as the following (courtesy of a well-known mailing list) untouched:

I have problems with those that create malware – under the guise of
“security research” – which then gets used by the bad guys.

I’m not saying that one can never stop breaking into things. I just
don’t like the glorification of creating malware by the so-called
“good guys”. If all of that energy instead was placed into prevention,
then we would be better off.

[SNIP]
P.S. One might argue that a whitehat or security researcher can’t
change sides and go into prevention, or in other words, be a Builder
instead of a Breaker. They can’t because they don’t have the skills to
do it.

Finished picking your jaw up off the floor? Good! While Cpt. Obvious is on his way with the usual “vuln != exploit != malware” reply, let’s get things moving with a pet peeve of mine that I have not seen addressed.

Almost every time a new security trend comes out, there is nary a hint that this might have been discovered some place else or some time before. Given that security overlaps a lot with cryptography, I just cannot get my head around the fact that, while rediscovery is a well-accepted notion within the cryptography field (and this has been proved time and time again), infosec ignores the possibility that something you are “discovering” might have been discovered (and countered!) before.

Enter infosec, an ecosystem where NDAs are ten-a-penny, the underground is more tight-lipped than ever, the general consensus is that confidentiality is a necessity, and where a lot of “discoveries” are handled either via the black market (and the lack of morals implied therein) or via security brokers. It was all fine and dandy until the arrival of both fame-seeking researchers and “researchers”, together with the very fact that infosec makes for entertaining and sensationalist headlines that actually “sell seats in the audience”. So every day we are constantly bombarded with “news” and “research” (use of quotes intentional, if you haven’t guessed already) that falls into one of the following categories:

  1. News from the obvious department. This one is getting more and more annoying lately, but it is much too obvious a target.
  2. Less obvious stuff that falls below the radar of cargo-cult security but is still way more likely to have been encountered in the field by serious practitioners who fall into one of the non-disclosure categories listed above.
  3. Actual new and/or insightful findings, which tend to be lost within the sea of useless information; the stuff that REALLY makes your day.

Since there is a very fine line between 2 and 3 (again, 1 is way too easy a target to make fun of or suggest anything about) and one can never be sure in such a rapidly changing and secretive landscape, for the love of $DEITY, next time you see something related to infosec findings, keep in the back of your head that this might be a rediscovery. And dear reporters, PLEASE DROP THE SENSATIONAL HEADLINES.

I am not holding my breath that this will ever happen, but one can only hope …

PS:
Finally, an image courtesy of the blackhats.com infosuck webcomic. Not exactly the point that I am trying to convey, but the message is quite similar and in any case it is much too funny to be left outside the party.

Some random thoughts on Greek startups

[The article below is somewhat of a rant, read it at your own peril, and yes, I know this is not the proper way to resume blogging after months and months of inactivity]
So it seems that the Greek IT market lately has seen an influx of “startups”. Their implied cause appears to be quite a noble one, “be not what is traditionally associated with the words “Greek IT”” (or “get-rich-quick-or-die-trying” for the more pragmatic amongst you). However, the whole thing reeks of the “Johnny-come-lately” syndrome, at least for me. Below is a partial list of my pet peeves:

1) i-somethings will NOT make you a millionaire. Sure, there are more than enough success stories doing the rounds, but the whole market is rather hit-n-miss, with the miss part taking the lion’s share. There is at least one book about it, read it please.

2) Copying SF/CA lingo wholesale does not magically transform an economy (and its main constituents, the people) into a more advanced one. I have seen more Something-Ninjas lately than I did in my childhood (and boy, I was a HUGE Ninja flick fan, I have seen them all and took the Ninjutsu lessons to prove it, complete with a laminated “NINJA” card). People mean connections, and connections might make all the difference in the world.

3) In order for startups to flourish, you do not only need an idea and a shiny business plan, you need smart people (actually “smart and get things done!”, to somewhat narrow it down) to do the actual work. In fact, I will be more than willing to assume the somewhat controversial view that mediocre ideas with good execution will beat good ideas with mediocre execution. So the problem is, where can you find such smart people (even if not in the Spolskean sense of absolute brilliance) and get them to work for your project on “Greek startup pay” (incidentally, we do not offer “Greek startup pay” or “Greek pay”; for the local standards we pay well)?

3.5) To expand on the previous point using some anecdotal data, I am in charge of the second interview round (the technical one) for our project. I believe that I like to give people a chance; I do not care as much about experience as I care about the actual ability to adapt and improvise. The hiring route is the “traditional” one (some generic ad posted plus whatever contacts one of the guys was willing to dig up). As of now, I have yet to see a candidate that blows me away and screams “INSTANT HIRE”. (Full disclosure: we are not located in Athens; however, we offset this one by being heavily involved with the local University, which is a good one.) In fact, most of the (few!) applications we receive fail to pass the first round altogether, which can be summarized as “we buy you coffee, we REALLY WANT to hire you, so please help us do so by demonstrating basic ability so we can see if you are up for the tasks at hand” (this one deserves a separate blog post).

PS, you can wager that our hiring process is broken (which indeed it is, in more than one place), but I see a lot of people relying on good-ole nepotism to get ahead, neglecting personal and professional skills. I will not even comment on so-called start-ups that will recruit anyone (elitism is a virtue if you are a startup).

4) “You ain’t gonna need it” should be etched in the brain of every new start-up. Blindly copying the technology list (the buzzword parade, if you prefer) from other successful startups does not guarantee success. I am all for “bleeding-edge” technologies; however, it is highly unlikely that a Greek start-up needs all of the following: five-nines, three-letter-agency security, scalability that can rival Skynet of Terminator fame, all of that made by two guys working for 900 Euros a month each (I have heard this figure quoted as a “competitive salary figure”).

5) Speaking of money: in order to make money, you need to spend money. Sorry, but the likes of Google or Facebook did indeed get (and spend in all the right places, having been taught their lesson by the dot-com bubble) some serious $$$ in their infancy to get the ball rolling. Efficiency and cutting some corners is one thing. Being cheap/under-resourced is another ballgame altogether.

Is there a Greek startup that actually transcends the aforementioned shortcomings and should already have been on your radar for the past couple of years? Yes! But again, most “startup-ites/σταρταπακηδες” I know (you know them, the guys that come to work with a new idea every day that will make them millionaires and usually involves the “buzzword of the month”) only got wind of it a few days ago when it got name-dropped by the Greek Prime Minister.

[Update Sun Sep 26 EEST 2010]

While this post did not gather the number of comments I would have liked to have seen, there was an interesting conversation over Twitter with dfunc. dfunc believes that I am overly harsh, quoting “regarding your startups-post, times are tough for everyone here esp. for the startups.”. Now, first things first, indeed the article was a bit of a rant, and at least partially fueled by a conversation at a certain Greek startup site and some conversations with some 2nd-degree colleagues. This post was not meant in any way to disrespect the hard work and plain cojones (oops!, I guess I should have labeled this one NSFW or something); in fact, I used the line “be not what is traditionally associated with the words “Greek IT””. So with this out of the way, I will offer some additional insight into my definitely not complete list of pet peeves.

So, dfunc writes “Regarding the iSomething COs, they develop products so their startup period is much tougher than that of service providers.” Now, while this line is correct, it is my biggest pet peeve of all. For some reason or another, the iSomething is supposed to have a pretty low barrier to entry (notice the “supposed”; I do not personally subscribe to that train of thought, I believe that *any* software that has a degree of ingenuity and quality is far from trivial to design, implement, secure and deploy). This, by definition, leads to a hit-driven market, where you have a few hits and a zillion misses. While you get the illusion that you have a “get-rich-quick” scheme, statistics imply that you are more likely to end up in the dustbin than to become a high earner. And I will restate my assumption again: “In order to get $$$ you must spend $$$”. So, given the risk that goes with the territory, I fail to see why almost every other Greek startup out there is aiming for the iSomething market.

Finally, “A new business should have a plan (“orama”) to where it’s heading. I agree with u on that some of these share an unrealistic plan” – Amen, even if I believe that “some of these” should have been “most of these”.

The trouble with OSSIM

If you fiddle with MSSP, then you will most likely have heard of OSSIM. While the software itself appears quite powerful, it lacks in the MOST critical aspect of all: there is little if any documentation. Most of it is outdated, and the remaining sources of information are a forum and a blog/Twitter feed. Come on OSSIM guys, you have the ball rolling, so why make it a nightmare for us to use the (otherwise quite good) product? In their defense, they have an open job posting about writing documentation, but it looks like there are no takers.