Christophe Pradier on Security

Kevin@Exploitability: End of Year Tale, Yet a True Story

2012-01-02T21:29:00.000+01:00

This article is a translation of [FR] Petit conte de fin d'année, mais histoire vraie quand même, on Kevin's Exploitability blog. I found it an amazing example of how social engineering things is easier than technically cracking them. The author gave me his permission for this translation:

End of Year Tale, Yet a True Story
In this end-of-year period, let me propose you a little tale that goes beyond IT and security. Or not.

This story happened a few years ago and no name will be given.
So, once upon a time, there was a mall, just like so many others, with a jewellery store inside it. This jewellery store looked like an 'L'. The vertical stroke was open on the shopping arcade, with the cashier desk in the middle, and the bottom stroke had a second desk, dedicated to repairs.

   +-----+

   V |
A     |      V: victim
R     |      C: main desk
C   C    |      R: repair desk
A      |
D        `-----+
E    R|
      R|
   +-----------+

The week-end before Christmas, lots of people crowded the arcade and the jewellery store. As often happens, in order to be up to the mark for these additional customers, a few interims were helping with the sales. They were dressed with sober white shirt and black trousers.
Hereupon, with the help of an accomplice, I've sneaked to the top of the shop, also dressed up with a white shirt and black trousers, hidden by a sweater. I've soon noticed a customer holding out a repair bill for a jewel. Once out of my sweater, I approached her and asked her how I could help. Discussed, checked that her repair bill had been paid and let her wait patiently glaring at new year's new collection. Back in my sweater, I got to the bottom desk to ask for the jewel.
They gave me the jewel upon presentation and verification of the repair bill and I managed to discretely get out of the jewellery store on the side opposite to the customer. Thanks to the crowd, the customer did not see me leave, and the legit vendors did not catch the trick.
So I got out of the jewellery store with a splendid necklace adorned with rubies inside my pocket.
[Little notice for people concerned with my integrity: my honesty being limitless, I went back into the store to return the necklace to her owner, so this is a morale tale, with a happy ending :-)]

Being on an IT security blog, what can we tell?

I played the role of a rogue proxy between a client and a server, in order to intercept authentication credentials.
The end-of-year overload prevented detection of the rogue proxy (if you can't erase logs, just drown them!)
The customer did not consider authenticating the server. Think http"S" or typosquatting. Just a little reverse-engineering was enough.
Finally, the true server granted trust just because of a cookie (the repair bill). A double authentication would have been better: repair bill + national ID card, for instance. The bill, seemingly at the name of a woman, should have raised eyebrows. An authentication cookie for entering and making operations (asking for the status of the repair), with an additional authentication for the handover of the payload, remains an interesting option.
The extraction of the payload was hooded in a most standard data packet: me, a casual customer, with a grey sweater attracting no suspicion nor attention from legit vendors. To extract data, cypher them (SSL flow) !

Hereupon, happy new year and happy hacking! (and don't rush into jewellery shops to make drivel!)

Security ROFL 5

2011-12-23T15:58:00.000+01:00

[FR] Remotely hacking a car is possible!
[EN] Stop to the installing woes, 9€ to get your PC installed, in Romania
[EN] US Nuclear Chain of Command, xkcd comic strip
[EN] Manual Override, xkcd comic strip
[EN] Unpickable, yet again an xkcd comic strip
[EN] Technology organization leadership charts, on Michael Krigsman's blog
[EN] 3D Printer, xkcd comic strip about new forms of spam
[EN] Alarm Geese, blogged by Bruce Schneier

Can you afford NOT to invest in security in 2012?

2011-12-18T21:13:00.000+01:00

Crisis is here and it looks like many IT services will get a near-zero investment budget for 2012. I think it's high time that IT services reconsider information security and invest time (if no money) into it. My point is that any security project should open new areas for business expansion and with a positive ROI, like any IT project, security or not.

Security means new openings for businesses

IT services make benefit from selling services (hardware, networks, software, data) to customers, providing an added value to users. Correct security projects allow the expansion of both customers' and users' pools.

Users: users are reluctant to use services that are not secured. One good example is the sprout of commercial websites that could not have happened without a *security* measure: SSL.
Customers: certain customers desire not only security, they demand a warranty about security. That's something you get by two means. One is being sure of yourself and your services (are we up to what we are selling?) and the other one is independent assessment and/or normalization.

Positive ROI for security projects

In a world where security is seen primarily as a source of constraints, the very use of the letters ROI about security is often considered a joke. It's not. For a security project as for any other IT project, you need to invest time and money, there's no reason why security should go without an ROI calculation, and a positive result to it.

In a hard time like 2012, I'd say that you must concentrate on security projects that have an immediate positive return. It's time to focus on projects that cost very little money to implement: the review of processes, of security incidents and the implementation of those "long thought-about but we never had time". It's also time to focus on under-used capabilities of software and servers, instead of re-inventing a costly wheel.
A good security project for 2012 should show immediate returns: less theft of laptops/smartphones, better telecommuting allowing smaller transportation and accommodation costs, better supervision leading to a decrease in downtimes, etc.

As a summary, I think that in 2012 you just should leave out any project that doesn't show an immediate positive return, whether flagged as "security" or not. Just call it technical fussiness and wait for better times.

Switching Internet Explorer's NTLM Credentials

2011-08-01T17:39:00.003+02:00

I was looking for a way to have Internet Explorer, launched within user1's Windows session, authenticate against NTLM sites and proxies with the credentials of user2.
Using Windows Credentials Editor does work but, as said, it's no production tool.
I also found that using the runas command was problematic because you either create a Windows profile or not:

If you do create a profile, that means a profile and corresponding home folder will be created, which might not be desirable.
If you do not create a profile, that means user2 cannot save parameters in IE and cannot receive domain policies, bookmarks and so on.

Eventually I found a very short, built-in way to do it:

C:\>runas /netonly /user:my_domain\user2 "C:\Program Files\Internet Explorer\iexplore.exe"

Entrez le mot de passe de my_domain\user2 :
Tentative de lancement de C:\Program Files\Internet Explorer\iexplore.exe en tant qu'utilisateur "my_domain\user2" ...

That runas /netonly command lets you run IE with user1 privileges, profile and bookmarks AND authenticates at remote NTLM sites and proxies as user2.

This piece of code is especially convenient in situations where you want to do remote NTLM authentication as a given user but do not want to launch a full Windows session just for it.

Review: Windows Credentials Editor (WCE)

2011-08-01T17:00:00.005+02:00

Windows Credentials Editor is a small tool by Hernan Ochoa (Amplia Security), allowing to view and modify the NTLM credentials stored in memory at runtime (NTLM sites, MS proxies, fileserver shares, etc).

You can view NTLM credentials stored in memory, in hashed form:

C:\WCE>wce -l

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

my_user:my_domain:5E53612123437E22AAD12355B514EFEE:0235140F7474D2831690CE67D9AF535
my_pc$:my_domain:00000000000000000000000000000000:74B8A99562B6D50F5C7331248EB9511F

You can generate hashes for a password:

C:\WCE>wce -g my_passwd

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Password: my_passwd
Hashes: B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F

And you can switch credentials! To change the current user:

C:\WCE>wce -g new_user_password

WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Password: new_user_password
Hashes: B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F

C:\WCE>wce -s new_user:new_user_domain:B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (0001B0FBh) to:
Username: new_user
domain: new_user_domain
LMHash: B251802AA879D28F354CC2EE630F4FB7
NTHash: 582A7D8A2EA026919589828D03F91F8F
NTLM credentials successfully changed!

All applications that rely on NTLM to authenticate the current user will now use the new credentials!
You can also explicitly specify which credentials to modify, which is useful if you have many NTLM credentials in use:

C:\WCE>wce -i old_user -s new_user:new_user_domain:B251802AA879D28F354CC2EE630F4FB7:582A7D8A2EA026919589828D03F91F8F
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

Changing NTLM credentials of current logon session (0001B0FBh) to:
Username: new_user
domain: new_user_domain
LMHash: B251802AA879D28F354CC2EE630F4FB7
NTHash: 582A7D8A2EA026919589828D03F91F8F
NTLM credentials successfully changed!

All this makes WCE a great tool to understand and debug NTLM applications. A great many thanks to Hernan Ochoa for the tool!

This is not a production tool for two major reasons:

Most antivirus do consider switching NTLM credentials as an attack.
WCE requires local administrative privileges.

Apart from that, it's been stable and functional as many times as I've used it.

Top-Down or Bottom-Up CISOing?

2011-06-11T23:32:00.003+02:00

What I thought, in my earlier years, to be a strategical choice now appears to me as a question of personal character of the decision maker: whether to take a top-down or bottom-up approach to the solving of a complex problem. When you're managing wide projects, you get to deal with many managers' characters and that may lead you to work with Single-Minded Top-Down Thinkers (SMTD) or Single-Minded Bottom-Up Thinkers (SMBU).

As a CISO, you have to solve complex problems: "get us compliance to that norm", "make sure that application is available 24/7", or even wicked problems such as "make us secure". And you have to deal with many decision makers among IT and more. So you cannot do without a prepared tactics to set a SMTD or a SMBU back on tracks.

SMBUs
If you let a SMBU deal with a problem alone, you'll watch him find a quick solution to the problem and apply it. But he'll forget to communicate about it, to document it for later re-use and, most of all, to compare it to the goals of the organization and ensure it's no hindrance to some other process of the company.

To deal with SMBUs, I take two actions:

I explain him what I intend to do with his solution to my problem. Not just the problem itself, I take the time to explain what's the goal and what my next steps are with it. So, he includes in his understanding of the problem all of my later constraints and does solve the problem and the later-on constraints.
I also take the time to recapitulate baseline procedures to communicate and document the problem/solution and I make sure he understands he'll be the one to clean up the mess if something was done unproperly.

Once you're accustomed, that doesn't take more than ten minutes.

SMTDs
SMTDs are usually more experienced people who have lost somewhere in the middle of their professional lives the idea that they must give results, not just thoughts. If you let a SMTD work a solution to a problem by himself, he'll give you diagrams of his view of the problem which he thinks is complete -or at least contains everything necessary- and he'll link your problem to a family of other problems that he has to solve and you'll get out of his office with ten times as much work as when you got in.
For instance, if you come in with a question about whether to purchase a new, different hardware, you'll get out with questions -and a few useless answers- about asset management, internal billing and wifi networks. And you'll realize that you don't have any clue to the answer about whether the company will buy it or not.

Over the years, I've developed a quick and dirty solution to deal with SMTDs:

Don't go into the long-term explanations of why you want to solve the problem, just stick to the short-term. That would last hours and would only worsen the depth of the SMTD's scope.
At the beginning of the discussion, do set, in accordance with the SMTD, a choice of as few as five objectives to be reached by the solution to your problem. This way, you'll be able to reduce the scope of his thoughts to what you agreed on. That is, you just need to split your problem and the surrouding areas in a five-item list.

prices,
main features,
delivery,
compatibility,
immediate satisfied customers.

When you're accustomed to it, you can prepare these five pieces before talking to the SMTD and that doesn't cost time, that saves you time.

Adverse Effects of a Security Measure: the Example of French Speedometers

2011-05-17T22:18:00.002+02:00

As far as analogies might go, I find the example of French speedometers a revealing example of security failure.

Automated speedometers have been installed in many places along motorways and also in town centers or in rural areas. Those devices take a picture of every car going 5% or 10% above the speed limit. The driver is fined a high penalty and even gets points removed from his driving license. The license is invalidated once 12 points have been removed.

That sounds good, but there are all kinds of problems. To name just a few design problems:

People brake a lot when they see one ahead of them. They risk provoking an accident on a motorway just because of that.
Whether they were "shot" or not, they' re angry about it and they then speed up a lot, knowing there won't be another speedometer in the next few miles.

People started knowing the exact locations of the speedometers or even invested detectors, bundled in iPhones, Androids or other specific devices. So the government sent the policemen roam the country with "mobile" speedometers.
And then came the social problems:

Tax money is used to put fines on the taxpayers. If that's only in case of danger, that's good. But if it goes into fussiness, that's parasitic!
After a short drop in the death rates of road accidents, the system reached its limit and the death rates started stagnating again. So the government intensified the pressure on policemen. They are now accountable for the number of fines given in their area. That measures the efficiency of the system on an irrelevant variable.
Additionally, citizens are exasperated by this overpressure, clearly conscious that it's not an efficient security measure anymore.
In a significant number of cases, policemen start to put fines in places where they can do it easily, whether there is a real danger or not.
All that of course leads to a vicious circle where citizens are angry about policemen and about the government and where the "measure" of efficiency becomes more and more irrelevant.
Eventually, the policemen are so pressured to put speedometer fines that they forget to put fines for other -actually efficient- reasons. For example, you'll find more cars in poor conditions (no light, flat tyres...) than a few years ago.

There's also the border effect:

Foreigners are "shot" by the speedometers, but the French state doesn't know to whom the fine must be sent. In the end, they dont' have to pay and they don't risk to have their license removed. And they often profit from our beautiful roads at speeds higher than 180kmph. So citizens feel as if foreigners are better treated than themselves.

There's the implementation problem:

In their rush to put fines, policemen just park anywhere, including dangerous locations! They are a factor of accident sometimes.

And finally, there are the typical VIP exceptions that plague any security measure:

Police cars themselves are not subject to these fines, so currently the worst drivers you can find anywhere whether in town or on motorways are: policemen!

All in all, I'm impressed if the government behind that ever gets re-elected.

Been doing some reverse engineering

2011-05-17T21:53:00.002+02:00

I've been reversing a Win32 PE executable lately, something I haven't been doing since I was 15. I found it quite easy. Much easier, indeed, than a few years ago. What's changed since then?

The tools have changed. At the time, I used to master WinDASM and SoftICE, which are no more fashionable. It even seems that WinDASM has disappeared from the market. This time, I used HeavenTools' PE Explorer, which is a clear improvement on the latter.
The PE format has not changed. Or, at least, nothing that matters in debugging.
Windows is more stable than at the time, saving you many reboots ^^
The compilers have not changed much. It seems that I could learn to recognize compilation styles of various compilers in very little time.
Most of all, I've not changed. I can now remember very precisely why I quit reverse engineering software back then: because I prefer working with the source code and I prefer working in design or implementation modes rather than in debugging mode. I can now remember that I quit reverse engineering software approximately the same time as I started using GNU/Linux on my desktop.

I can clearly validate this view years later: though I'm happy to be able to reverse a binary, I think programming is more rewarding.

Smartcard and PINorthe Increased Security of Just 4 Digits

2011-05-10T19:38:00.006+02:00

The French government is currently enforcing the use of what they call strong authentication, for all access to people medical data: smartcards protected by a PIN code, containing an authority-approved certificate. The PIN code sums up to just 4 numbers and the question came to me:

Why should I trust 4 little digits with my users' security? (when my password has 12?)

There are many subtle technical points within that question, but the main answer holds to only one key view of the problem: the reduction of possibilities, helping for the enforcement of good processes.

Compared to a password-based authentication, smartcards and PIN codes enforce the following:

Just one mechanism to integrate passwords and content on the card: that of the card itself.
Just one mechanism to ask for authentication: challenge. That removes the danger of "password comparison" mechanisms where you just have to look into computer's memory to get the cleartext password.
Just one administrator code capable of resetting the PIN: the SOPIN. That removes the danger of old, "unused" administrator accounts you find in most company directories.
Just numbers in the PIN code, no letters. Though this may seem like a weakness in the case of brute-force, that's on the contrary a strength, because that prevents people from setting their given name as password, or that of their son.
Additionally, users tend to remember numbers better. As a typical human being, you could name tens of likely alphabetic strings for your own password. But you remember only a few sequences of 4 numbers. So when you know one, that's for good.
Just three attempts, you can't easily brute-force it by usual means.
Just one logical place to deliver a smartcard: inside the company. You may send a password or even a PIN by mail, but you need to deliver a token, you can only do it physically and the only logical location to do it when you have dozens or thousands of users is inside the company's walls. That reduces the number of intermediates between the administrator and the user, and most of the time replaces external intermediates with internal ones.
Just one smartcard. 1/ If it gets stolen, you'll notice it. 2/ You can't share it with friends and still benefit from it at the same time. So you'll (at least) make sure you get it back.
Just one attempt to build the cards. I mean that the cost of a recall would be huge to change just a few security settings. For instance, if you choose to allow unlimited attempts instead of just three, changing it back to three will cost you a return of all cards back to the HelpDesk. This means that most smartcard-based project try to do the things right from the beginning, whereas many password-based projects start with "lower-level" security and try to improve on it and eventually give up about it.

All in all, PIN codes and smartcards seem a good choice.

Monthly ITsec Leadership Quotes and Articles: February and March 2011

2011-04-10T20:53:00.003+02:00

General IT and ITsec management
The true cost of non-compliance is ZERO* (*If nothing goes wrong), on the Uncommon Sense Security blog.
I Broke All Six Rules for Finding the Right IT Vendor, on the HBR blogs, with insights on "best" practices when choosing an IT vendor.
A Disruptive Solution for Health Care, from the HBR blogs. Though not IT-related, I think this articles applies well to IT in the healthcare domain.

Trends
Educating the CEO on Mobile Applications, on the Healthcare Info Security blog.
Signature-based antivirus not quite dead, but bigger problems loom, speaking of the inability to maintain signature based security systems, and citing whitelisting, a subject of much interest to me these times.
How Mobile Phones Can Transform Healthcare, also on the HBR blogs.

Personal Development, Career
Chief Security Officer, 21st century, on the Security Recruiter Blog.
4 Skills CISOs need now, on csoonline.com.
The Four Personas of the Next-Generation CIO, on the HBR's blogs.

An internal billing scheme for IT risks

2011-04-10T19:58:00.005+02:00

After meeting with a crowd of fellow hospital CISOs a few weeks ago, I had a sudden epiphany that the problem of billing IT risks inside a company is not just a peripheral one, but a primary one. And closely related to our inability to put figures on IT risks.

What about the idea of a CISO acting as an internal insurer for the IT service?

> Company board: regulates practices, if ever needed.
+----> CEO: checks correct operation.
+----------> CIO: acts as the customer of the insurance.
+----------> CISO: acts as the insurer.

The CISO would propose an offer made of:

Expensive insurance for inappropriately acquired or ill-maintained IT assets.
Cheaper insurance for IT assets that are acquired and maintained according to a set a constraints.

Security ROFL 4

2011-03-12T16:35:00.003+01:00

[FR] This is not the SSH 0day you're looking for, about a fake SSH exploit.
[EN] Flower sites hit hard by Valentine’s Day.
[EN] UK Immigration Officer Puts Wife on the No-Fly List.
[EN] An Update is Available for Your Computer, through [RO] That's how it goes with updates, the piece of comics below:
[EN] Unsecured IP Security Cameras, which I guess you can verify by yourself.
[FR] On mikropikol.net, the following comic strip:

Risk Management: Solving the CISO's Conflicts of Interests

2011-03-03T21:34:00.004+01:00

The CISO's Conflicts of Interests
Acting as a CISO is usually a difficult position, because the CISO is asked to act both as a comprehensive risk manager for IT and as an IT security expert.

Depending on whom the CISO is reporting to, either the risk management side or the IT security side will show most. Suppose the CISO is reporting to the CIO and he'll spend most of his time auditing, helping write good procedures, good RFPs and so on. Now suppose the CISO is reporting to the company's CRO, he'll spend his time compiling statistics, forging risk estimation methods and so on.

There seems to be a conflict of interests if the CISO is working under the CIO. How could he report about a major risk? How could he at the same time prescribe additional security requirements and be the one to implement them? And there may also be a conflict of interests between the CRO's calculated risks and the CISO's inner sense of what's risky in IT.

An illusionary conflict
However, I think that's just an apparent conflict of interests, an illusion. I think there's a continuum of risk management maturity from the "gut feelings" to the successful risk assessment and evaluation. And security programs grow in maturity the same way: They start with obvious things, sometimes pushed by a legal constraint, and they grow into wide security project inspired by comprehensive frameworks, and they eventually cover the whole IT perimeter with pondered security measures.

As I see it, all three of the CISO, CIO and CRO have the same three goals for IT:

Delivering good services to the customer,
Ensuring the conservation of the (information) assets they're trusted with,
Keeping reputation high and lawsuits low by not sharing those assets with unwanted people.

That is, they all three share the same goals: Availability, Integrity and Confidentiality. They're simply not held accountable for the same parts:

The CIO is usually accountable for part 1.
The CRO is usually accountable for part 3, especially the "lawsuits" part.
The CISO is accountable for some or all of them, depending on whom he reports to, and is especially accountable for the "confidentiality" part because of the required expertise.

So I think there's no real conflict of interests because the interests are, in fact, the same.

The path out of the illusion
The way to the disappearance of this illusionary conflict is an appropriate alignment of expectations between the CIO, the CRO and the CISO.
The CIO will want immediate technical solutions and the CRO will want risk models and ROI-like estimations.
The CISO's job is to make sure they both understand that there's no opposition between the two and that the maturity level of the security process will evolve to the point where they'll both be satisfied by the very same security measures, justified by the very same arguments.

Draft: A Step by Step Security Approach for SMBs

2011-02-04T20:18:00.006+01:00

Suppose you're a newly appointed CISO in a SMB. Suppose that position is a creation.

I've had to think about it as I'm currently advising a few fellow CISOs. They're in positions where IT security is just one of their responsibilities because the structure is not big enough to afford a full-time CISO. The rest of their time, they act as IT project manager, network administrator or company's archivist!

In this position, you may want to have a look at comprehensive guides/norms/references about IT security. But how to handle an ISO 27002? How to handle an ISO 27001 when it's a newly created job and you can't muscle into decisions? How to spread awareness that you don't want to do everything in those norms, but only the most important ones for a small structure?

I recommend the following steps, in the approximate order I give. (Experienced security people might be surprised that I don't place the policy and the charter at the top...)

First steps: gather documentation, work alone
You're going to write documents that will follow you everyday on your work and that you'll want to have at hand even in the corridors of your workplace. I call them the "Books of..." for this reason.

Write the Book of Activities in which you'll list every task that IT people think it's their job to do. You can do that by striding through IT documents, chatting with every IT people and doing a week in the Service Desk (or equivalent)
Write the Book of Services in which you'll list every Activity that's sold to the end-users (whether in speech or money). For each of them, list the description of the population of end-users and the arguments used to sell the service. For instance, "the firewall" is an activity but not a service because it's transparent to end-users. "Mailboxes" is both.
Write the Book of Legal Constraints in which you'll list the precise references to legal texts and their implications for you. You'll have to do it one day, so better do it from the beginning.
Write the Book of Classification in which you'll note what special kind of information deserves what special kind of treatment. For an SMB, I would suggest to only consider legally-constrained classification. For instance, classify medical data or military data, but don't go into making classified categories such as public, private, secret, top-secret, HR-only or anything so detailed.
Write the Book of Risk Analysis in which you'll create a grid (basically a sieve or even a checklist of threats that might occur to your information system) to think about risks whenever needed. That will be especially useful at the beginning of any IT project that you want to secure. You'll be more confident because you'll follow a long-time established list and people will trust what you say more because it won't have popped out of thin air.
Write the Book of Integration Requirements which you'll append at the end of any RFP, in which you'll list all of the technical conditions the chosen solution will have to fulfill. It will also be helpful if your company does some internal development, you'll just have to distribute it to developers. You can get that list by going to network and system administrators and asking them for what went bad in their past integration experiences. You'll get 90% of it in just 30 minutes of discussion.
Write the Book of Physical Security Requirements, which you'll forward to people in charge of electricity, building access control, fire prevention and so on.

Second steps: set up inventories, work with the admins
You're going to make sure you know your assets, you know your perimeter and you're going to make sure that IT people don't get lost into the mess of an IT service. (Tcha-tching!)
For these steps, you'll have to initiate the work but the admins will have to keep up on the long run.

See, that's not just writing docs, that's about having the right information to make the right decision when needed. That's about billing customers with exactitude. That's about enabling statistics on the activities.

Make sure you have an Inventory of Users, which may include all employees, contractors, providers and customers. Once you have that, you'll be able to work on identification and authentication. (Please ensure that an authentication project is never started before the identification is correct. Even if this sounds too stoopid to happen.)
Find or create the Inventory of Network Equipments.
Find or create the Inventory of Endpoint Computers (desktops, laptops, macs, iphones, huge display screens...) You'll usually find one or more partial inventories when you arrive in the company. It is part of the CISO's job to make sure that this inventory is not partial.
Find or create the Inventory of Printers (and other multimedia hardware).
Find or create the Inventory of Servers.
Find or create the Inventory of Server Software.
Find or create the Inventory of IT-Managed Endpoint Software.
Find or create the Inventory of Providers and related SLAs.
Find or create the Inventory of Network Flows and Zones. Internet, VPNs, mailing service, DMZs...
Find or create the Inventory of AntiVirus Software and AntiSpam Software (or the Inventory of Not-AntiVirused Flows and Not-AntiSpammed Flows if that's quicker).

When you've made sure the inventories listed above are up-to-date, you can say you've reached your cruising speed. You can start auditing, advising, collecting data to prove an intuition, intervening in a decision process, etc.

Third steps, cruising speed, work with strategy people
Now, you're aware of your perimeter, you have a good overview of the risks, you may even formulate a strategy. You'll want a few more tools to formulate it, have it approved and execute it. Listed below are the main tools of the CISO. They're in no particular order, contrary to above. You may use them at your convenience.

Metrics. Once you've decided a technical point, measure the degree of conformance to this decision. Once you've set your objectives, display your progression publicly.
Supervision and logs. Realtime supervision will give teams the power to act before the Service Desk gets a call from users. Logs will help the teams go back on an incident and prevent its re-happening.
Redundancy and High-Availability. If you've spotted a specifically sensitive point in the information system (like the central user directory, or the billing system), ensure they are redounded and can switch from one to the other within minutes. That alone saves your company days of lost work a year and saves the IT service days of cold sweat.
Software Update. A big risk is associated with old versions of software (not just vulnerabilities, I mean: bugs, difficulty for the Service Desk to master multiple versions, impossibility to remotely detect the version, longer phases of test for the integration of new software/hardware, etc.) So get a piece of software to detect installed software, versions, and remotely distribute updates.
User Charter. The users want to be told what to do plus they need to be told what not to do. Additionally, you gain immediate influence and respect of the Charter just by mentioning that someone actually is in charge of IT security. Try to make a new version every year, don't put too much but make sure the basics are never forgotten.
Information Security Policy. This document affirms, company-wide, the separation of responsibilities in terms of information security and this is the place where you can get the CEO or the Board to sign that you have the autority to do a specific thing. Usually, it's not made for anything technical, it's made to sort internal power struggles or budget affectation. It's boring for the CEO, so don't make more than one new version every two years but make sure you get support on the most difficult human and managerial issues you encounter.
Risk Management. A risk is a sum of money or time that the company loses because of the happening of a threat. When you know the threats, when you know their probability of happening, you can estimate a risk and treat risks in descending order. That's called risk management (I saved you a book!) A CISO usually gets that by gut feeling, but it's always good to confirm it with analysis and it's better to show that you don't decide on things just by gut feelings. You can see it as a way to help others make decisions about IT security (CIO, CEO, budget planner...)

The CISO's Perimeter (is Broader than the CIO's)

2011-02-04T19:44:00.003+01:00

Though provocative in some ways, this truth is known to any experienced CISO.

I don't know whether I had better call it the "security perimeter" or the "protection perimeter" or the "oversight perimeter", what I mean is that specific perimeter that surrounds the things the CISO must take into account before establishing a strategy. I don't say that it's deeper than the CIO's, but it's broader.

In that perimeter, you'll find those extra items:

Geographical locations of assets and users, which impact onto the risk of theft. For instance, a laptop is more likely to get stolen than a desktop. This means that the CISO has to take into account the homes and internet cafés and aiports and so on.
Electrical capabilities, whether the company's or that of its providers. You don't want to give out your data to a poor-infrastructured provider, even if it has great software.
On the same note: flood prevention, fire prevention... Note that these may not be the CISO's job and may be addressed by another person or service. But the CISO has to take them into account anyway.
Personal applications: you may lock up what the users install on their desktop inside the company. You may even lock up what they install on the company's laptops they bring home but won't ever lock up what they see in their browsers, on their smartphones, on their personal computers. For that matter, you won't even lock up what they do inside a legit application, some evil comes from regular powerpoint files, doesn't it? That's an area where the CIO just cares about deploying and doing more, and where the CISO cares about restricting and segregating...
Outsiders. The CIO typically cares about employees and shareholders. Hopefully about stakeholders. But that's the CISO's job to also look at outsiders, whether malevolent, benevolent or indifferent.
Barely-IT systems. Mostly embedded-IT systems and objects that have evolved from electronics to computers (phones, cameras, printers). Not all of them are managed by the IT service but all of them produce or consume information and have the typical risks. So they're inside the CISO's perimeter.

Monthly ITsec Leadership Quotes and Articles: January 2011

2011-02-03T22:23:00.005+01:00

I'm trying to add short descriptions, plus categories, for easier reading.

Team/Service management:
[EN] Engaging Your Staff in Security Requires Leadership – Not Free Coffee Mugs: a general note with items on how to get a team more involved.
[EN] Managing Nerds: a developed note about the way a nerd's intellect works. I find it quite revealing and I do commit with but one warning: a typical IT team is not only made up of nerds.
[EN] Facing A Crisis of Leadership: a good article on the risk of having a geek for a CIO and with one central idea that I mightily approve: "An [...] action that focuses on cost-centric or non-value-added improvement initiatives is nonstrategic and deserves scrutiny."
[FR] Herve Schauer Consultants' Newsletter N°77, January 2011: interesting editorial on the ill-understood and ill-applied ISO 27001 certification. Hervé Schauer goes in details about the way ISO 27001 is often thought of as a kind of "security-targeted ISO 9001". It's not just about documenting security, it's mainly about managing it (deciding, acting, spreading responsibility/accountability/ownership).

Log management field:
[EN] Top 10 Things Your Log Management Vendor Won't Tell You: a checklist against log vendors quacks. Would be a good reading if you're planning a logging project or -worse- if someone else is planning it for you.
[EN] 11 Log Resolutions for 2011: I would retitle this as "11 Steps to Initiate Logging". Concrete action propositions to make a step into the world of logging.

Personal development:
[EN] 25 Improv Tricks That Will Make You a Better Business Person: a nice, comprehensive list about behaviour at work. From a recruitment site. This one is worth sending to every colleague you have.
[EN] Move your security career forward by looking back: a personal guide to look back at 2010 and act for a better career development in 2011. Good pieces of advice, requires some time to think about it. Bookmark it and come back later.

Microsoft Office and ODF: Best Practices

2011-01-04T22:33:00.002+01:00

Sorry for yet another bookmark post, but knowing how often I hear about this kind of compatibility problem, I thought this article was rare enough to notice: Rob Weir details how to handle ODF (Google Docs, OpenOffice, LibreOffice...) in Microsoft Office, version by version, from Office 2000 to Office 2010.

Monthly ITsec Leadership Quotes and Articles: December 2010 and Happy New Year

2011-01-04T22:21:00.003+01:00

ITSM Professor's Creating a Metrics Program.
CTO/CIO Perspectives' One CIO’s “lessons learned” in managing others.
ITSM Portal's The Twelve Days of ITIL, which I completely assume not putting in my previous article.
CNET's DeepTech's It's time to embrace software's auto-update era, underlining the need for regular, automated updates of software, much like my free-software-accustomed vision.
ITBusinessEdge's Don't Forget: Service Desk There to Serve Customers, so obvious that people forget it.

Security ROFL 3

2011-01-04T21:36:00.002+01:00

Not meant to be funny, Michael Krigsman's Ten great software glitches for 2010.
Young Man in "Old Man" Mask Boards Plane in Hong Kong, on Bruce Schneier's website, good occasion to remind that Beyond Fear is a good reading, far beyond ITsec people.
[FR] Videos of a French senator trapped into answering IT questions asked by journalists. He doesn't know a clue about it, and he's in charge of the debate on the neutrality of the Internet...
[FR] Cartoon about airport security:

- Do you remember Thierry Shaker ?
- Sure, the boy who enjoyed frightening every girl out there, always trying to grope! What does he do now?
- He became an airport security guard...

The first truly honest privacy policy, underlined by many blogging sites.

Back on my 2010 security predictions

2010-12-11T16:11:00.005+01:00

For an ITsec worker, every year comes with some pieces of satisfaction and a lot of frustration. For instance, you'll hear about rocket-science ITsec techniques and observe that your neighbour's techniques are more snail-like, ostrich-like or dodo-like :-(

I did a few predictions at the beginning of the year of what would happen in the ITsec field, let's see if they actually happened.
What I wrote back then is given in yellow and today's comment is in white.

Linux systems will become an interesting target for hackers because of Google's OS.
The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
Did not happen. There are traces of some attacks on Google's OS but nothing the depth of what happens on Windows. (so far)
Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft-way, of course.
It's either this or Microsoft platforms will be progressively abandoned for integrated products such as iPhone or platforms with that functionality such as Linux (servers) or Mac OSX (clients).
Did not happen. But I hear Symantec is on the subject and it's quite promising.
Viruses will spread to Mac and iPhones up to the same level as that under Windows.
Clearly did not happen, though there are a few examples of such viruses.
Generalization of new authentication modes including smart cards with microchips, user/machine certificates, fingerprints on laptops, will happen.
There will be a fashion for it and a lot of blunders will be made in the beginning.
Happened. I saw many examples of considering fingerprints as a good means of authentication, which it often is not, and worst of all: some companies start relying on "private questions" to enable users self-resetting their passwords.
There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
Certainly happened, though those companies will not make a failure report before they've withdrawn, which is no easy thing ^^ The funniest story I heard (nothing written, sorry) is that of a web development company whose managers decided to cloud infrastructure, thus turning Apache settings, PHP settings and so on into read-only, contractual, data.
There will be an overflow of non-browser software using SSL.
Each of them has its own libraries and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This is not addressable in a correct time. For this reason, there will be new products or services around gathering all this SSL traffic and forwarding it in an actually secure way.
Happened, even Microsoft got into the market.
Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
Happened, see Day's comment on the original article: pleaserobme.com, a site that harvests Twitter to guess whose homes are empty and easy to rob. One could also quote personalized ads or so many articles on the web.
Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
- The web is too huge for any current government to master it, or even understand it.
- The free software community will sidestep any technical measure towards censorship.
I don't know yet whether governments will fail, but the current wikileaks wars certainly are an example.
There will be stories, news, rumours, about Google having connections with the US intelligence agencies. Google's business is a source of information just too much important nowadays for intelligence agencies to neglect it. I won't tempt any prediction about Google's reactions.
Did not happen, so far as I'm aware.
PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.
Did not happen, I just read too many people interested in that.

And now a few wishes:

That people stop thinking I work on viruses when I say I work on ITsec.
There's certainly some change, but I can't identify it so far. People seem to start being aware of the "information-side", as opposed to the "technology-side"...
That IT managers (non-security) stop thinking there is a fixed list of requirements for security and each of them requires purchasing a "security product" and each of these products works standalone.
No change.
That service managers start budgeting time for service reviews and corrections, not only service implementations.
No particular change.
That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
They didn't, though they reacted by adding sandboxes to the software. Makes me think of old families that had many children to "avoid" child mortality...
That my government stops being such a liberty killer about IT.
Not happening before the next election...
[...]
That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can have screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?
I don't know whether my readers did consider this situation. Did you?

Monthly ITsec Leadership Quotes and Articles: November 2010

2010-12-08T14:13:00.004+01:00

The New CISO: How the role has changed in 5 years, on the Security Leadership section of csoonline.com, about the more business-oriented nature of security positions these days.

[FR] Certification: mandatory way for CISOs (La certification, passage obligé du RSSI ?), forum chat on the certification of CISOs.

A security evangelist shares his best practices, on NetworkWorld, with good insight about what really matters when you're responsible for the security of a big, heterogeneous, sometimes hostile network... very much of what I would say on the same matter.

Jason Fried: Why work doesn't happen at work, on TEDtalks, about a better time management suggestion: just cancel your next meeting!
(via Windancer - Stairway to ...Heaven?)

The Value of Cyber-Awareness Campaigns, on Healthcare Information Security Blogs, about a subjet on which I have very little experience and I'm happy to read insights

Schneier's approach to changing passwords, rational, as usual.

Why Your Next CISO May be an Attorney, on Healthcare Information Security Blogs. Though I may not agree with the content, I think it's a good reading.

Relationships in Corporate Security, Do They Matter?, on SecurityRecruiter.com's Security Recruiter Blog, about the importance of human skills in security positions.

[FR] The era of the non-technical CISO (L'ère du RSSI non technicien), on the French community site Security Vibes, about the evolution towards management people in security.

"There are three ways to deal with climate change: Adapt, manage, or suffer.", Admiral Thad Allen, HBR Nov 2010.

"Make the objectives clear, but avoid micromanaging those who will execute on them.", Michael Useeem, HBR Nov 2010.

"Management attention is your scarcest resource.", Robert Simons, HBR Nov 2010.

"People think that focus means saying yes to the thing you've got your focus on. But that's not what it means at all. It means saying no to the hundred other good ideas.", Steve Jobs according to Robert Simons, HBR Nov 2010.

Internet Quarantine: Where IT Differs From Healthcare

2010-11-25T19:56:00.003+01:00

As Bruce Schneier goes on the subject of quarantining potential threats away from regular users of the Internet, I think it's interesting to point a big difference between IT diseases and human diseases: we have the code. We have the specifications for the computer.
For closed source, the software maker has the code, which means that diseases or weaknesses can be fixed with more efficiency than any human condition.
For opensource, it's even better: everyone has the code, which means that everyone can look for a solution to a problem.

That's not to say that every Internet user is a qualified-IT-physician, it's just to underline that comparing IT and healthcare may not be so promising. Compared to medicine, IT professionals can fix a problem in no time and no money. Although there are problems of copyright in IT, it's nothing compared to those in pharmaceutical industry. The whole plan of the human body and interactions is still to draw. And we can spoil many computers, hours of computing, lines of code, reboots, for research without an ethical problem.

Please NO MORE Top 10 Security Measures!

2010-11-10T20:01:00.006+01:00

I have a habit to collect web articles about security measures to apply for specific security situations. Those articles usually have a title like "Top 10 security measures for the administration of XYZ" or "Top 20 vulnerabilities in XYZ servers". And I now have a feeling that it's a bad thing to present a security approach that way.

Let's take a few examples:

What's good in these articles is that you can use them for what they are: a grid to think about your own security. But they don't provide exhaustiveness and, for that matter, they may not even be suitable for your own case.

That's a question of risk management (of course) but, putting away big words like these, you'd simply wonder why there are 5, 10 or 20 top measures and not 2, 6, or 11. The measures in these articles are gathered not to provide a level of security, or a level of security maturity, but to make for a long, publishable list. And that you should implement only the top 3 measures, or only measures number 2, 4 and 5 is left up to you. Not mentioning that you may not implement 2, 4 and 5 in this order but may very well begin with number 4 or 5.

What these articles lack is an identification of the precise risks addressed by these measures and the location of these measures on a security maturity scale.

Let's add an illustration to this (nasty) comment: Friends recently asked me to attempt penetration on a website that they wanted to secure. What I found was:

an easy access to htpasswd file,
obvious passwords that John the Ripper guessed in no time and
cleartext credentials to access the database.

If you look at the OWASP list, you'll find the corresponding measures at number 6 and 7. Yet, all Apache admins know that they are on maturity level zero. Furthermore, for that precise site, OWASP's number 1 (code injection) was almost irrelevant.

That's not to say that OWASP's work (or anyone's listed above) is not good. It is, and useful if used correctly. It's just to say that I'd prefer to see more "Beginner level 7 security measures for XYZ servers" or "What to do if XXX is critical for your company: From step 1 to step 4" articles.

Monthly ITsec Leadership Quotes and Articles: October 2010

2010-11-02T21:30:00.003+01:00

A little late (in love, keeps one busy!)

Incident or Event Management: Keep it simple but real!, on the IT Security and Compliance Thought Leadership blog.
25 Sure-fire Ways To Motivate Your Team Members, excellent reminder of the basics for team motivation and good atmosphere.
Security: Competence Never Compensates for Insecurity, aka Attributes of Leadership #17 on Joyce Schneider's blog.
[FR] A good security policy reflects the life of the company, by NetASQ's product director Jeremy d’Hoinne, addressing the future of firewalls, that is, something else, not firewalls. Traffic inspection, all-in-one appliances... Nothing new but I'm glad to hear that from NetASQ.
Transparency, accountability, and IT success (Michael Krigsman).
Help! No One Is Following Our Processes! on The Hitch Hiker's Guide to the ITIL Galaxy and Beyond.
How to Crush Dissent, on Rob Weir's blog.
Microsoft is a dying consumer brand, on CNNMoney.com, which is my feeling as, in very little time, Microsoft added up Vista, Zune, unwanted DRMs, Office 2007's frightening GUI, and missed the turn to smartphones and web applications...
"Companies up and down supply chains in numerous industries confront the same challenge: A well-intentioned individual action or demand aimed at making a business greener can create a long string of unanticipated consequences that collectively dwarf the benefits.", by Hau L. Lee in HBR, October. You could switch greener for any of: more secure, thinner, cheaper, more customer-friendly...
"Listen, don't broadcast", as a hint for a company's social media strategy, by Larry Kramer, same source
"One CEO I know fines people $1 for every e-mail he gets that he didn't need to see.", Rita Gunther McGrath, in HBR Onpoint, Fall 2010.
"If you think your people won't understand something, remember it's your job to explain it to them.", Stever Robbins, same source.
"[...] if things aren't going well, the teams are probably well aware of the problems. In fact, they've probably known about them longer than you have.", same author, same source.
"Most organizations penalize employees for the wrong outcome, even if they follow the right process. Perversely, others are rewarded for the right outcome, even when they flout the rules about process.", same author, same source.
"[...] the value of clear, honest, explicit communication rises exponentially with the size of the organization.", John Hamm, same source.
The whole article The Leadership Lessons of Mount Everest, same source, which I can't quote without reprinting it entirely. (Reprint R0109B)

Security ROFL 2

2010-11-02T21:23:00.002+01:00

A gang of thieves armed with a powerful vacuum cleaner that sucks cash from supermarket safes has struck for the 15th time in France.
Remote Printing to an E-Mail Address, Bruce Schneier notices that it's an opportunity for spammers :-D
xkcd cartoon: Exploits of a Mom
Pirated Software Could Bring Down Predator Drones, which were so funny it weren't so pathetic.
Finally, let's not forget a lolcat: Iz ok.. we’re Veeganz.

Firesheep and forcing SSL

2010-11-02T21:06:00.002+01:00

All that Firesheep buzz lead me to discover that a Firefox extension wraps your web traffic into SSL if the remote site supports it. Very simple, neat, idea. (Thanks to NetworkWorld and thanks you Jicé for first noticing.)

Leadership Learning 2: When a Security Measure Fails, Put it Away!

2010-10-28T19:45:00.003+02:00

Just a lesson of common sense: when some security tool or practice is useless because it was ill-designed or because it's broken, or because the rationale behind it has disappeared, it's better to just get rid of it.

Just two examples:

British Airways Chief Slams US Security Requests (Slashdot)
New Orleans Scrapping Surveillance Cameras (Bruce Schneier)

Fun fact: Facebook Bug in Handling Who Accesses Photos

2010-10-28T18:11:00.003+02:00

I just experienced a funny bug: Facebook lets me view photos of someone who is not a "Friend" anymore :-)
OK, it's not in every case, it's just when I had written comments on a photo and someone writes additional comments.

Say I have written a comment in March, on a photo by a friend named Alice (pseudo) :

And then Alice and I stop being "Friends" in Facebook. She doesn't allow anyone but her friends to access photos, so I shouldn't have access anymore. But today someone else writes a comment on that same photo and I receive a notification.

Let's click on the link to Alice's photo. Nice, I can view that old photo again! That I should be let in to see that photo and any additional comments is subject to discussion.

However, the big bug is that I can click on "Back to Album" and I get the complete album, which I certainly should not:

I don't know whether that's a common case or just a kind of local bug or exception...

A little thought about computing clouds and physical security

2010-10-14T21:19:00.003+02:00

Clouds are not so cloudy that they don't sit on God's green earth.
I was thinking that with so much data concentration, and data of so much value, what would prevent people to break physically into data centers to rob data?

After all, who says data banks says data hold-ups...

I can think of four reasons why they wouldn't make a hold-up to steal data from a data center:

It's probably easier to steal it online.
It's certainly safer to steal it online.
If you're breaking into a place you've never been, finding what you're looking for may be messier for a data center than for a bank.
The adoption rate of this kind of crime would probably be very slow: burglars are not accustomed to data centers and black hats are not accustomed to hold-up parties. They probably don't share a lot of "good practices".

Yet, these barriers do not seem to apply to States and polices. They can easily break into a data center, they do not fear any defence from the "victim", they have all the time they need, and they probably can gather people accustomed to both heated situations and computer hacking.

So I was thinking that data of interest to a State should probably not be stored within its reach.

However, I don't have a clue how the visibility of a criterion such as the geographical situation of data may evolve in the next years for the cloud customer :-|

Back on the technology SPOF: practical case

2010-10-09T17:34:00.002+02:00

A reader commented in private that the article about the technology SPOF was too abstract and lacked a few simple illustrations. The opposite would have been surprising ^^ The subject seems universal, which is no reason not to give a good example.

So, there I have it, example with an "all-in-one" security appliance, as is too often so often used in SMBs. It's mainly sold as a corporate firewall and serves many other uses.

The first SPOF is the hardware one. When the hardware fails, you've got a problem:

You can resolve that SPOF by adding another piece of hardware:

The second kind of SPOF is the network one. You have the backup hardware, but it's not available:

In this case, it's completely useless... You can solve this problem by making sure that the access to the redundant appliance is also redundant:

The third kind is the configuration SPOF. The backup is ready, working and available, but it's not used because clients are not configured to use it. For instance:

For this, you just have to configure the backup to be used in case of problem on the master or, if it's not possible, to setup an emergency procedure that switches from a configuration with the master to a configuration with the backup. That should look like:

Finally, and that the point in my previous post, you've got the technology SPOF, which means that both the master and the backup suffer from the same problem. This could be anything from "disk full" to "corrupted configuration file" ranging through "expired license". In this case, it's no help that you have a backup:

You just have to be sure about the list of the services you provide with that specific technology, and which of those are critical enough to require a reduced/degraded mode:

Monthly ITsec Leadership Quotes and Articles: September 2010

2010-10-05T09:15:00.005+02:00

Back from vacations in Tunisia ^^

"Managers spread powerlessness by limiting information", Rosabeth Moss Kanter in July-August HBR.
"The powerless retaliate through subtle sabotage. They slow things down by failing to take action-a form of pocket veto, in which a bill is killed simply because time runs out", Rosabeth Moss Kanter, same source.
"Drawing a line between strategy and execution almost guarantees failure", Roger Martin, same source. The whole article is a jewel. A must-read for many managers.
"Antagonizing the performance engine [vs the innovation engine] is a really bad idea. The performance engine always wins in an all-out fight. It is, quite simply, bigger and stronger." by Vijay Govindarajan and Chris Trimble, same source. So true about security if you take performance=IT and innovation=ITsec...
"I don't see the legal advisor as a fusspot, always waving his law-code book. On the contrary, he/she must escort the company through its development and minesweep the legal area.", Sabine Lochmann, in the French review "Management", issue number 179 (my own translation). I feel exactly the same about the company's security officer.
A disturbing disconnect between CSOs and CIOs
Put down the pink stickies to improve your career
Too Perfect to Be an Effective Security Manager?, follow-up to the previous one.
Do All Hospitals need a CISO?
Zero Trust Security – The Technical Discussion, good note on the now-obsolete MZ/DMZ model and the fact that silos should never be considered "safe".

An interesting use of Google Trends

2010-09-16T18:49:00.005+02:00

Google Trends is a nice tool that gives you statistics about the terms used in Google web searches, in the form of curves. For instance, you can compare the curves of iPod, iPhone and iPad:

But there's also another interesting part, on the right: it gives you links to articles that were published at the moment when a peak occurred. The moments are correctly chosen for buzzwords like in this example, not always as well chosen for less marketing-oriented products. Anyway, that's often a way to apprehend the history of a technology, idea or movement.

Have a look at these curves:

Security ROFL

2010-09-14T20:15:00.002+02:00

Let's have some fun about security.

Exploitability: Truecrypt will never be the same, ya dun goof'd!, an article about the use of a modified version of Truecrypt to recover passwords from the Truecrypt users.
[SP] Detenidos los gerentes de una empresa que vendió 'software' envenenado a 1.000 empresas, the managers of a company that sold software pre-programmed to fail have been arrested.
Hi & Lois cartoon, about children being smart about using the internet to unlock a parent-protected device ;-)
[FR] DNS-Rebinding : Accès aux interfaces d'admin des box Internet, from BlackHat 2010, using DNS to hack into ADSL boxes.
Film industry hires cyber hitmen to take down internet pirates, by DDoS attacks.
Is This the Most Ridiculous ReCAPTCHA Image Ever?, with a ridiculous captcha contest encouraged by the blogger.
[FR] CensorCheap, l'extension Firefox qui ambitionne de surveiller la censure du net, about a Firefox extension that allows to monitor government censorship of the network.
Security blunders 'dumber than dog snot', at NetworkWorld, self-explaining.
Buyer Beware: Lock Expert Picks High End Lock, Exposes Major Security Flaw, about a high-tech fingerprint lock that you can pick with just a needle. Be sure to watch the first video.

Zero Risk vs. Decision Making

2010-09-13T23:32:00.003+02:00

The ability to produce risk assessment, partly-innate, partly-acquired, is one of the most basic skills of successful managers.

While there is much value in the organized and systematic research for accurate information, the ability to assess risks in a situation where information is incomplete is a most valuable asset.

The first reason is that we often lose precious time in the gathering and precise analysis of data when approximate data would be good enough. To make it abruptly: you don't need to know where the arrow will hit to know that an arrow sent grossly in your direction is a bad thing. That's when you need someone with some instincts about risks.

The second reason is that some data can be impossible to gather, or hard enough to slow down the process of gathering it to the point of discouragement. For instance, if you want to pinpoint the ability to turn on a specific option of a specific security feature in a specific version of a specific software, which software you have not already bought and cannot test, you might get bored before you get the information. That's when you need someone with some culture and work connections, so as to get a better access to -or approximate substitute for- such information.

The third and most important reason is that management people delegate. In this case, the management would probably want to delegate data collection and make its own assessment from it and make a decision from it. That is, delegate the boring part and make the obvious decision (taking all the credit, Dilbert-like).

To be more precise, it is commonplace to see IT managers answer a question by another question, asking for more technical details when the staff come for more decision making. In this case, the staff ask the manager for his/her ability to fill in the gap between available information and complete information. (And the staff is probably aware of this gap.) So when the manager overlooks this request for decision and asks for never-ending technical or economical details, data or evidence, the staff feels like the manager is worthless. That is: once they have collected all the data, they can make the decision themselves, they're not stupid, thank you!

As a conclusion, I would say that Zero Risk is, of course, not reachable, but that managers should be aware that their staff regularly look for risk assessments from them, not for an indication that they should go and look deeper to reach Zero Risk. If they could, they would.

IT and ITsec books I've read these last years

2010-09-04T16:55:00.005+02:00

These last years, I've read a few interesting books about IT and IT security, so I list them down here, if you ever got a spare week-end ^^
The list starts with the language, name and author(s) of the book then, when possible, links to related blogs and newsfeeds. It's in no particular order.

[EN] The failure of Risk Management, Why It's Broken and How to Fix It, by D.W. Hubbard [BLOG] [RSS]
[EN] Applied Security Visualization, by Raffael Marty [BLOG] [RSS]
[EN] The Official (ISC)² Guide to the CISSP CBK, aka the CISSP CBK, by... the (ISC)²
[EN] Beautiful Security, by Andy Oram and John Viega
[FR] La fonction RSSI (The CISO position), by Bernard Foray [old BLOG] [old RSS]
[EN] The New School of Information Security, by Adam Shostack and Andrew Stewart [BLOG] [RSS]
[EN] Security Warrior, by Cyrus Peikari and Anton Chuvakin [BLOG] [RSS] [Cyrus Peikari's page, see "Articles"]
[EN] Security Metrics, Replacing Fear, Uncertainty and Doubt, by Andrew Jaquith [BLOG] [RSS]
[FR] Sécuriser ses échanges électroniques avec une PKI, Solutions techniques et aspects juridiques (Securing Electronic Flows with a PKI, Technical Solutions and Legal Matters), by Thierry Autret, Laurent Bellefin and Marie-Laure Oble-Laffaire
[EN] The whole ITIL v3 series
[EN] Geekonomics: The Real Cost of Insecure Software, by David Rice [BLOG] [RSS]

EDIT 09/06: Oh and I forgot the mythical The Mythical Man-Month, by Fred Brooks [Wikipedia]

Companies beware of SSL decryption in your proxy!

2010-09-02T19:25:00.006+02:00

The ubiquitous rise of SSL as a means of confidentiality pushes towards new security problems and new ways to manage it...
I guess we could have figured it out from the very definition of SSL, but to me it appeared only clearly at the beginning of this year. With this number of protocols using SSL, with this everyday HTTPS, with everyone buying things on the Internet, the SSL protocol spread to ubiquity and its use went from precise pieces of software and knowledgeable people to every kind of software and mainstream people. From this situation, I saw the explosion of:

bad implementations of SSL in all kinds of software,
attempts to attack the protocol, new (so to say) man-in-the-middle attacks,
bad uses of SSL (weak cypher, self-signed certificates for public use, etc)
impatience from top management about the inability of IT services to provide statistics about the SSL traffic of their employees.

For all these reasons, I made the bet 2010 would see the introduction of new tools to manage SSL, make statistics from it, filter it, assess its security and so on. I found that Forefront TMG (the name of MS ISA for 2010) does quite a part of the job by decrypting the SSL flows between the LAN and the Internet. Once decrypted, you can do all the usual with those flows: filtering, statistics, eavesdropping...

My point is: it's not a secure practice yet, and probably never will.

There are two parts in my argument, the first is the legal and compliance point of view. If SSL is encrypted, it's in order not to be read, as dumb as it may sound. The company might not be allowed, under the laws of the country, to listen to employees' encrypted traffic. For instance, in France, I wouldn't be allowed to listen to private connections to online banking sites. Plus it brings back the threat of the tactless/malevolent administrator.

The second part is the technological one. SSL is ubiquitous and, to some extent, that's a chance. It means that the client software may have a variety of vulnerabilities and weaknesses in the implementation of SSL. For instance, if the SSL traffic flows from three browsers, two media players, ten business applications, then a vulnerability would probably affect only one in fifteen pieces of software using SSL. The targetability of unproxyfied SSL can grossly be compared to the average of vulnerabilities of the various pieces of software that use it. The targetability of proxyfied SSL is that of the proxy.

Would you trust ISA better than Firefox? Suppose that you have an endpoint tool that examines SSL, if its security features are better than those of the proxy, you probably lose these capabilities during the decryption/encryption phase of the proxyfication.

Of course, SSL remains a cloudy mystery, threatening to some extent, but I think this is not the good way out of it. But let's have a look at these technos, because I'm sure we'll have to cope with them anyway.

The technology SPOF

2010-09-01T18:50:00.002+02:00

When I'm thinking availability, a lot my time and thoughts go to the careful search for SPOFs.

I do look for hardware SPOFs, like a unique machine doing an important job and requiring a backup in case of breakdown. [first step of a BCP]
I also do look for network SPOFs, like making sure the backup has the same network accesses as the master machine, so that it doesn't remain alone, useless. The same is true for firewall accesses and all kinds of filtering that network flows do undergo. [careful execution of the BCP]
I furthermore do look for configuration SPOFs. These consist of the rather funny case when the backup machine is up, reachable on the network, but the clients are not aware it's there and so don't undertake anything with it. This is usually the case when IP addresses are not switched automatically between the master and the backup or when a configuration screen allows only to type in one server, not two or many. Hopefully, this should not happen with MS Domain Controllers, the way they work (or we would hear this kind of SPOF more often). Anyway, it's still recurrent in many "small vendor" appliances and in the application world. [very careful execution of the BCP]
Nonetheless, a terrific SPOF remains: the technology SPOF. You have the backup machine, it's reachable, and others are aware that they should communicate with it. But the backup suffers from the same technological incident as the master machine did.
Say, for example, that the master breaks down because it fails to handle a large quantity of "client data" (or anything) that has to be treated. The backup will also break down under the same charge.
Let's take another example, the server is an application connecting to a database. The database received a minor software update that changes something that makes the master server go crazy. The backup takes the job and goes crazy too.
Third and last example, you have a nice application server with scheduled tasks that make needed job. One fails and the server goes down, unable to continue its work. At that moment, the backup goes up and launches the same scheduled task, failing also... [and that's outside the perimeter of most BCPs]

That's the time when you'd want to have another way to provide your service. That's the moment when you are forced to remember that the machine is not here just to be here and working, it's here to help provide a service. And that service may be provided otherwise. That's the time when you enjoy having a well-prepared DR plan, with forethought reduced/degraded modes...

Monthly ITsec Leadership Quotes and Articles: August 2010

2010-08-31T23:48:00.002+02:00

Second attempt, sequel to What's "a risk" anyway?, on riskmanagement.com.
7 questions that staff performance in small and medium-security for better, an industrial medicine article that applies well to IT management, to my mind.
Bob Carr on Leadership in a Crisis.
Michael Krigsman (that I quote often): Do large projects really fail more often?.
Also Michael Krigsman: Federal gov't gets serious about IT failures. I'm pretty enthusiastic when governments think IT is an important matter. But their actions (worldwide) seem to range from mere speech to strict costly compliance going through using IT as a fear-monger. I'm welcoming anyone with positive examples of government involvement in IT (I know there are, some).
If you're managing networks, go read a statistic-rich, worldwide survey of SSL by Qualys.
On SecurityRecruiter.com, they do care about how you write. I approve. Verbal and Written Communication Skills for Technology Professionals.
The Guerilla CISO's troll excellent article about Thought-Terminating Cliches and Infosec.
Seth Godin's "The fear tax" (reported by Bruce Schneier).
Carlos Ghosn's quote, about his conduct of the Renault-Nissan merger: "When you need people to work together, the last thing you want is a legal structure that gets in the way." We're so often concentrating on building a better work system, when we'd better concentrate on the people who work... There's no point in building an ISO system with many PDCA wheels and numerous policies and charts if the people that should action those wheels are not on the move.

Fun Fact: Wrong Sense of Rotation for Deming's PDCA Wheel

2010-08-05T18:09:00.003+02:00

Have you noticed how many times management consultants draw the PDCA wheel so that the way to climb up the hill is ACDP and not PDCA?

This picture from [GE] Paeger Consulting.

Enterprise-Size Authentication Is Not Just About Avoiding False Positives

2010-07-31T17:51:00.007+02:00

When you're setting up an authentication method for access to an enterprise information system or to the enterprise premises, you don't want to just worry about false positives. You need to worry about the false negatives also.

Think about the logon screen of an application or website, asking for your username and password. The biggest worry of IT people behind that screen is to make sure the wrong people do not access the system. I think they should also care about the number of times the right people can't access the system either.

That's no big math, but suppose you would change a logon screen with 0.1% of false positives and 1% of false negatives (each losing the company 0.5$ because of the time lost for work) for a new logon screen with 0.01% of false positives and 3% of false negatives. Additionally, suppose the logon screen is used by 10,000 employees five times a day, 300 days a year.

The change would represent a loss of:
2% of additional false negatives
x 0.5$ each time
x 10,000 employees
x 300 days a year
x 5 times a day
which equals 150,000 $ per year.

It makes sense to acquire the new logon screen (let alone its own cost) if dividing by ten the losses due to intrusions in this system saves you more than 150,000 $ each year, that is, if the losses due to intrusions are above 170 000 $ per year, roughly.

Monthly ITsec Leadership Quotes and Articles: July 2010 (and June too)

2010-07-30T20:00:00.000+02:00

Positive Leadership: Invest in People Building a Culture of Innovation.

Leadership Essay by former student Vince Fitzpatrick on the SANS Technology Institute's "Leadership Laboratory". The author comes back on the leadership he used when he was first appointed as CISO. It really reminds me of my own beginning.

Executives are Not Stupid on RiskAnalys.is, helpful to debug IT workers and ITsec workers when they think that everything is the management's fault.

Five reasons projects fail on Michael Krigsman's IT Project Failures.

'Wicked problems': collaboration, risk, and failure also on Michael Krigsman's IT Project Failures.

CISO and CSO Reporting Structures on the Security Recruiter Blog, on the shift of ITsec from defence to legal compliance.

Why "Doing ITIL" Doesn't Work (And How to Fix It): a direct, simple, summary of why ITIL is no silver bullet. Keep in bookmarks in order to cool down a manager, some day.

Can You Compete With the Next Generation of Security Leadership? (Yes, we can.)

Leadership learning 1

2010-06-23T22:08:00.003+02:00

Wisdom being to recognize wisdom when you hear or see it, let me put it down what I heard from a management old-timer :

When somebody asks you about the goals of a project, answer goals.
When somebody asks you about the ethics of a project, answer ethics.
When somebody asks you about the management of a project, answer management.
When somebody asks you about the deadlines of a project, answer deadlines.
When somebody asks you about the means or technology of a project, answer means or technology.

Notes: Profile for a CISO?

2010-05-27T00:02:00.003+02:00

I was at the 4th International Forum on Cybercriminality and there was a conference about CISOs' professional profile.

I just took a few notes and, seemingly, there are three major kinds of personalities for a CISO:

The pilot,
The architect, IT urbanist,
The administrator.

I have no particular comment on this, except that I think I am doing my best to be all three of these :-\

I was also interested in this definition they gave: "The CISO is the one who defends the ITsec budget."

Finally, they described an evolution in the profile of CISOs:

In the 1990's, people became CISO by opportunism,
In the 2000's, people became CISO through competition,
In the 2010's, people are becoming CISO by choice or by vocation.

I'm happy to record that I'm in the 2010's :-)

Monthly ITsec Leadership Quotes and Articles

2010-05-26T23:13:00.000+02:00

Everything I Need to Know About Leadership I Learned as a Patrol Leader on the TaoSecurity blog.
Forget ROI and Risk. Consider Competitive Advantage also on the TaoSecurity blog.
Let me add a number 4: "Boss-centric approach" (whether your boss is CIO, CEO or CSO...)
Security person: Hello boss. We need to implement our security program because it fits perfectly in your strategic points 1, 2 and 3 and helps you show just how well you deliver
Antons Chuvakin's My Best PCI DSS Presentation EVER! on the Security Warrior blog, contains good pieces to address communication with non-security people.
Survey about ITsec maturity criteria: What should be audited in order to evaluate an ITsec maturity level? Page 26 to 28 in this [FR] PDF, on the site Les Assises de la Sécurité et des Systèmes d'Information.
Joking as a way to get people closer to security: The BOFH-like excuses.

I'm getting more and more convinced that the leadership style of Bruce Schneier is what made him so popular. There is more of personality than leadership in his case. In fact, my way to answer about "the mixture of security and feelings" is very close to his. Two examples:

A few quotes heard at the 4th International Forum on Cybercriminality :

"Nowadays you learn more about someone from Facebook than from Edvige." (Edvige is a nominative information file used by the French police.)
"The problem is not adapting to the digital world, it's adapting to the border-less world."
"In healthcare, IT security is a deontological requirement."
"Estonia is ahead of us [ahead of France regarding ITsec]."

Oh, by the way, I finally got a hint on why do they all emphasize on "Information Security" rather than "IT Security": I think it's because they want people to understand that it's not an IT-only problematic.

Transparency the Next Big Topic? I Don't Think So :-(

2010-05-13T23:38:00.005+02:00

Here is a recent Bruce Schneier interview "If you don't understand the people you'll never understand security, says Schneier". I really appreciate Bruce Schneier for his stick_to_the_fact and be_smart_not_an_automate approaches.

However, when he says during that interview that the next big topic for security will be transparency, I think it's more of a wishful thinking. I can see three main reasons why the move to transparency will be very slow:

Good transparency requires transparency from both the vendor and the buyer. I think the buyer will never see the point of publishing data about (in)security. Even if that's more or less a kind of corporate social responsibility...
Some major players among vendors and some managers in whatever buyer's hierarchy do not want to play the game by the rules. They prefer it the way it is, especially if they have a good ROI/good wages and not too much stress. So, unless there is some interventionism, I think they will do their best to slow the move.
If you're going to publish things transparently, you might think of it as a possible bad advertisement for your company. And the weak point is: most companies, buyers or vendors, do not know where they stand among peers on the criteria of IT security. So they will not want to make the first move and risk publishing what might be seen as bad results.

To my mind, the whole business of IT security transparency is, as most of corporate social responsibility issues, a wicked problem. For this reason, it will require some good leaders to design new models and, probably, some interventionism from States and big corporate players. That is: it will move slowly (decades, to my mind).

Fun fact: Google search ratios about problems, by OS

2010-04-28T21:57:00.005+02:00

Search pattern	Number of results	Ratio of "problems"
"windows 98"	21,900,000
"windows 98" problem	6,770,000	30.91%
"windows millenium"	291,000
"windows millenium" problem	77,500	26.63%
"windows xp"	124,000,000
"windows xp" problem	61,400,000	49.52%
"windows vista"	80,900,000
"windows vista" problem	88,200,000	109.02%
"windows seven"	2,900,000
"windows seven" problem	551,000	19.00%

Monthly ITsec Leadership Quotes and Articles

2010-04-24T18:21:00.002+02:00

Influential Information Security Leader on the Identity Theft Awareness site.
The oldie but still goodie An Absence of Leadership on the official site of Geekonomics.
My excellent colleague Guillaume Deraedt, at a regional chapter of hospital CISOs: "A CISO handles non-conformity", as opposed to the compliance view of handling conformity.

Altering the philosophy of this blog

2010-04-17T17:58:00.004+02:00

I have long felt that responsibility in information security was a hard management job.
I have always known, through personal temper, that leadership is an asset in every management position.

Yet it never appeared to me until a few semesters ago how much responsibility in information security was a job that required, most of all, leadership skills. For this reason, I have chosen to more regularly publish articles on this site about the leadership of information security, including good readings about it, even uncommented.

Among the reasons that conspired to enhance my point of view, here are a few:

Working as responsible in this field for more than two years now.
Realizing that the job is a drop about team management, a bucket about upwards management and an ocean about transversal and stakeholders' management.
Realizing that security is a lot about conceptions and misconceptions, and that vendors are better at it than internal managers of any company. And that reacting to this situation takes a lot of communication towards the teams.
Having Anton Chuvakin summarize one of my articles by naming my job "expert in security leadership", which made me think a lot.
Reading books like "Geekonomics", by David Rice or "The CISO function [FR]", by Bernard Foray.
Seeing that everyone is capable of designing a highly sophisticated security framework in his head, but less often implement it.
Reading a lot of blog articles from security experts, and writing a few, complaining about people's behaviour and misconceptions and calling for help, for people to change.

In the end, I have decided that the best is to help myself, rather than wait for others to change or wait for "top management" to give full powers. Heaven helps those who help themselves, as is said on both sides of the English Channel.
So now comes the time when I emphasize on leadership.

Comments, praises and amazements welcome.

Hacking a speed cam

2010-04-17T17:13:00.003+02:00

France nowadays is full of speed cameras serving car owners huge fines and the ability to loose one's driving license faster than ever. The rebellious French all look for a way to sidestep those speed limitations. Here's a very clever one [FR], though it will never work. And it's a good laugh anyway.

Disk full : Moving a Postgresql database data folder

2010-04-13T18:54:00.003+02:00

For testing purposes, I set up a Postgresql 8.3 database on a Windows machine. The hard drive space was too little for the use, so I had to move the data folder to another location. (I could not use the saving mechanisms because the remaining space was not big enough even for the temporary files required for the operation.)

This proved to be quite easy. However, you cannot keep the database running.

You first stop the database service from the Windows from the Computer Management console,
Then move the data folder to a new location with more space,
Then modify the path in the config file postmaster.opts, in the data folder itself,
Then modify the path that's given to the service when it's launched by Windows : in the registry, edit the ImagePath string at key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pgsql-8.3
Then restart the database service from the Computer Management console.

iSEC recommendations following the Aurora attack on Google

2010-03-27T18:47:00.003+01:00

I finally found some time to read the iSEC Partners recommendations about the attacks on Google and other companies, originated in China, in January this year.

This post is just to underline the very good reading it is for people in IT. I like it because:

It does not look for a silver bullet but lists several points that need be addressed.
It points out, as so many posts on this blog, that you first need to human understand and monitor what you do, before implementing costly solutions.
It also points out that you need to work on the security of the endpoints (users' machines), especially on updating regularly client software.

Well, just go and read it, it's six page long.

Official proofreader appointed ;-)

2010-03-24T01:40:00.005+01:00

What is a CISO? [2/2]

2010-03-23T23:35:00.004+01:00

Security is not about putting an appliance somewhere into the network, it's about mastering what you do. It means strictness, control, review, enhancement. That's not what the typical IT guy wants to do everyday. He wants to serve users with the lowest amount of personal work, which at first glance means without security. That's why security may primarily look like a constraint.

But it's not. Security is not only a constraint, it's an enabling mechanism. When you have good security you can do more things. A simple illustration is that you can drive very fast on a motorway because you have good brakes. If you didn't have them, you'd never allow yourself to drive faster than 60mph.

So, when I talk about giving staff a sense that security is not only a constraint, I mean underlining to them how much you can achieve with security that you couldn't without. Let me draw a few examples from live situations I've seen in companies or heard about on the Internet:

When you have precise inventory management over computers and printers, you may be able to recharge other services more equitably.
When you have a precise 1 identity for 1 account policy, strictly implemented, you may go one step further by implementing an SSO.
When you are able to tweak and audit the work of your contractors for remote maintenance, you may be more willing to ask for remote maintenance.
When you have backup systems, up to the task, for all of your main services, you can grant your admins an additional week off.
On the same level, when you don't spend hours running after viruses, you can spend those hours on implementing new things.
When you have a solid web proxy and a sound policy for it, you can grant Internet access to more employees.
When you have an automated RBAC system, you can ensure users are served in a shorter time at their arrival in the company.

The thing is, security guys know this way of thinking about security but they most often communicate around obligations, constraints and legal requirements. That's why it looks as if security is a constraint. (Think about Dilbert's preventer, Mordac!)

(
That way of thinking is something I didn't see in Bruce Schneier's book Beyond Fear, however interesting that book is. (See Scott Granneman's notes about the book.) Bruce suggests a five step method to assess the value of a security measure:

What assets are you trying to protect?
What are the risks to those assets?
How well does the security solution mitigate those risks?
What other risks does the security solution cause?
What costs and trade-offs does the security solution impose?

But Bruce forgets about number 6: What do you get with that security measure besides protecting the assets?
That's why I think his view about a national ID card is flawed. When you live in a country with a national ID card as I do, you see that it allows businesses starting from the smallest shop to have a good idea about the identity of buyers, in case they would not pay. Sure the ID card is not impossible to fake, it's simply too hard for the passer-by to fake.
)

What is a CISO? [1/2]

2010-02-25T21:24:00.004+01:00

What is a CISO? Saperlotte ! [in French in the original text, ed.]
People have tough questions sometimes. Or rather tough Google searches, as it seems that people often stumble across this blog when asking Google for an answer to this question.

CISO, Chief Information Security Officer, is a management and leadership position that often reports to the CIO or to the CEO. There are also CISO positions that report to the CSO, to the CCO or to the CQO. Even sometimes to the CFO. That's merely a hierarchical view of the question because, most of the time, the CISO has to work with all of these people and reports to several of them depending on the occasion. As a summary, the CISO is a C-level who reports to C-levels...

He's a manager because he handles projects, teams, planning and budgets. He's a leader because he needs to get things done that are of primary importance only to him. Said otherwise, most people in an organization can get very successful at their work without ever reading a security policy, let alone understand it, let alone help enforce it. So the CISO has to play his cards with some subtlety and some charisma to achieve results.

He's in charge of multiple things, but I summarize it this way:

Integrity of data in the information system,
Availability of services provided by the information system,
Availability of IT services provided by external partners,
Confidentiality of exchanges,
Elimination of recurrent problems to decrease operational costs,
Durability of services provided by the information system, in provision for changes in technologies or business needs,
Conformity of IT practices with legal constraints.

The CISO has to write corporate policies and directions that support the previous goals, that need be approved by the board of directors. One hard part (for any C-level, I should say) is to propose long-term, innovative yet efficient, realistic, goals. And to communicate around it, because such documents are definitely not written to remain on a shelf.

The CISO has to deal with a number of "typical" phenomena about security questions, that happen in all organizations. Different CISOs react differently. Examples of such facts are:

Irrational fears and sudden irrational fears,
FUD used by vendors of security products,
What I call the "TV effect", with the words of the presenter having more influence on the final user than those of the CISO,
Over-enthusiastic users or managers,
"Security theatre", the use of illusions that give users a false feeling of security, very common in security products,
What I call the "side effect of security theatre", when users and, worse, managers ask for more security theatre because it feels great,
The 3rd of Clarke's laws, "any sufficiently advanced technology is indistinguishable from magic", which clearly applies to ITsec, which means that most people simply believe you're doing magic,
Managers rarely believing in magic as a profitable corporate asset,
Legal department of most organizations having no skill regarding IT laws[...]

Next article on insight, philosophy and giving staff a sense that security is not only a constraint.

Note: If you're any surprised that I wrote "he" and never "she", that's because I never met a woman in this position. But I'd be pleased to.

The US destroying the Internet?

2010-02-21T18:40:00.003+01:00

Every now and then I read or watch a scenario about the US destroying or dramatically altering the Internet, for security purposes or for commercial purposes. For me, even if that were feasible, that would be silly and I think that's never going to happen.
If the US were to destroy or reduce the availability of the Internet, others would rebuild it, anew, differently.

The US would get a considerable loss of earnings from a worldwide project probably not developed in English (Chinese?), not developed by American companies.
They would lose their technical skills. New skills would be required for the new technologies of the new network.
They would lose the target of their current spying methods, quickly moving to the new network.
They would not be able to create such spying methods for the new network, because they would not be the primary actor, centralizing infrastructure, skills and budget.

RSS feeds for IT and ITsec

2010-02-20T19:30:00.009+01:00

In bold characters those that I actually enjoy reading each and every time.

Security:

"General" IT:

Friends:

Blog de Jean-Christophe Lavocat [EN + FR]: Web technologies and search engine optimizations.
3R Technologic [EN]: Very active in web technologies and 3D technologies, though he doesn't post a lot. (If you hear me, yeah, that's a call.)
Gregory Colpart's blog [FR]: Mostly about free software and GNU/Linux systems.
/home/florian [FR]: Mostly about free software and GNU/Linux systems.

I also have my own feed Assaults on the Internet neutrality [*] gathering articles from all that I read on the web about governments and ISPs messing with the neutrality of the Internet.

Security predictions for 2010 and a few wishes

2010-02-20T14:59:00.006+01:00

As usual, nothing posted on this blog is related to my job at my employer. These are merely thoughts gathered from readings on the web and personal considerations.

(If you're wondering why I didn't post this in January, think that holidays spent in Sicily, Romania, Hungary and Serbia are worth being late. I really love the Carpathians.)

Linux systems will become an interesting target for hackers because of Google's OS.
The free software community will react fast to vulnerabilities. If Google is up to the task, they will integrate the changes very fast and it will result in Linux systems being the most secure. Competitors will finally be forced to take vulnerabilities more seriously. That's the optimist hypothesis. The pessimist one is Google not being interested in building better security and not reacting faster than the others.
Microsoft will (finally!) propose a centralized software installation and update manager, quickly adopted by the big software companies, reducing the number of heterogeneous installation modes, late updates and so on. Something apt-like, in a Microsoft-way, of course.
It's either this or Microsoft platforms will be progressively abandoned for integrated products such as iPhone or platforms with that functionality such as Linux (servers) or Mac OSX (clients).
Viruses will spread to Mac and iPhones up to the same level as that under Windows.
Generalization of new authentication modes including smart cards with microchips, user/machine certificates, fingerprints on laptops, will happen.
There will be a fashion for it and a lot of blunders will be made in the beginning.
There will be reports about IT services clouding the wrong parts of themselves: critical infrastructure, already very profitable services, legally protected information...
There will be an overflow of non-browser software using SSL.
Each of them has its own libraries and each blunder or vulnerability in the use of SSL will have to be addressed in each of these libraries. This is not addressable in a correct time. For this reason, there will be new products or services around gathering all this SSL traffic and forwarding it in an actually secure way.
Social harvesting will rise to unprecedented peaks. Because of poor legal harmonization (or even concern, for that matter!) in various countries, automated social harvesting services will be made available.
Governments from developed countries will try to censor, filter and/or index the web. They will fail for two major reasons:
- The web is too huge for any current government to master it, or even understand it.
- The free software community will sidestep any technical measure towards censorship.
There will be stories, news, rumours, about Google having connections with the US intelligence agencies. Google's business is a source of information just too much important nowadays for intelligence agencies to neglect it. I won't tempt any prediction about Google's reactions.
PCI DSS-like standards (simple checklist, minimalist, technical, yet very efficient) will be published about various matters of ITsec. Or maybe I just read too many people interested in that.

And now a few wishes:

That people stop thinking I work on viruses when I say I work on ITsec.
That IT managers (non-security) stop thinking there is a fixed list of requirements for security and each of them requires purchasing a "security product" and each of these products works standalone.
That service managers start budgeting time for service reviews and corrections, not only service implementations.
That Adobe distinguishes between PDF designed for review and printing and PDF designed for automated administrative tasks in complex forms. This may prevent a lot of problems to come.
That my government stops being such a liberty killer about IT.
[...]
That my readers consider the strange situation of using an Excel-controlled Visual Basic script to interact with an AS/400 terminal emulator, written in Java, inside a Citrix session running on a Windows Server "cluster" inside a VMware architecture. (You can have screenshots and photos of the AS/400 on IBM's website, for instance, there.) That was my only nightmare these last years. Does virtualization never end?

Have you heard about CSRF?

2010-02-18T22:44:00.005+01:00

Cross-Site Request Forgeries are probably the simplest kind of attacks against unprotected websites. It simply works with a site A that the attacker owns (hacked or hers) visited by the victim, making a request to a site B where the victim is authenticated. As the victim (or rather her browser) is already authenticated on B, the request succeeds and the site A gets the content, and is free to make whatever it wants of it.

For example, in one tab or window, you'll be having a look at your bank account (B). On another tab or window, you'll be visiting a random page, say a blogging page (A). The page A contains code that makes a request to the bank site. The bank knows you're currently connected and thinks it's a regular request. And responds to it. So A receives informations about your banking accounts and does whatever it's meant to do with it.

When I discovered about this kind of attacks, I couldn't suppress a roar of laughter. That's so easy that I wondered how dumb I was not to have thought about it myself.

I can remember two years ago foretelling my friend and former co-worker Gabi Popa that it would become a major problem in web apps. Now, both the OWASP (since 2007) and the MITRE put it in the top five of the worst problems of web apps.

I think it's a problem that's going to last for a long time because the source of the problem can be identified both in the web apps and in the web browsers, resulting in a "no-one moves first" situation (delaying the moment when the developers of one side will roll their sleeves up and act.)

Reduce the number of technologies, not providers of!

2010-01-20T21:40:00.007+01:00

In some of the companies I've visited over the years, there was an internal policy that seemed strange to me: when contracting with service providers or goods providers, employees of the company should try to keep the number of providers as small as possible.
It's not the policy in itself that seems strange to me, it's the fact that it is also applied to IT goods and services.

Basically, the policy relies on the two ideas below:

With fewer providers, you can purchase more of the same and negotiate a better price next time.
With fewer providers, you can establish true relations of trust and avoid gaps between what's asked and what's provided.

That would mean that the cost per unit decrease if you remain with the same provider:
However it relies on the three following assumptions:

Purchasing at a specific provider will impact the price of other providers only downwards, and that will be only a small impact. This is wrong in IT, because the cost of moving to another provider is very high, because of software and hardware incompatibilities.
You can negotiate with providers. This is wrong in IT, because you're always speaking with big international companies. If they allow you to negotiate, that's within an already well-thought area.
A true relation of trust brings a really better service from the providers. This is wrong in IT, because the hardest part is always the exploitation of a product or service, not its purchase. Good relation with the provider only marginally increases quality.

In fact, because of incompatibilities, once you've made a move toward a provider, the cost (not price) of moving to something else shoots up. It will require time, money and will probably require you to throw away what you made in the first place.
Knowing that you can't move anymore, the provider you chose has the hands free to increase prices.
That's what happens in reality:
So, to my mind, the policy of reducing the number of providers is detrimental to IT services.

However, the real difficulty coming from the integration of very complex technologies, very differently thought, born in in very different companies or universities, and best manipulated by people outside your company (either service providers or editors), I think it is a good policy to maintain a list of technologies that you use, the (in)compatibility links between them and to think carefully before adding one to the list.

1-factor authentication in the Matrix

2009-12-19T10:18:00.010+01:00

I just remembered the way Seraph tells Neo in the Matrix "You do not truly know someone until you fight them." and I was trying to sort the fight that follows into one of the typical categories of authentication:

Check what someone has.
Check what someone knows.
Check what someone is.

when I realized that in the precise context of the Matrix, in the case of Neo, categories 2 and 3 are the very same.

Neo is the One because he knows he is the One.
Being the One, Neo knows he is the best kung fu fighter.
Knowing he is the best kung fu fighter, Neo is the best kung fu fighter.

He is because he knows and he knows because he is. Seraph indeed performs a 1-factor only authentication to check Neo is the One.

-+- The little joys of security-thinking ! -+-

Vulnerability in VPN/SSL platforms: so what?

2009-12-03T23:12:00.004+01:00

The US-CERT points that using a VPN/SSL to access arbitrary web sites circumvents the security features of modern browsers.

I have an odd sensation of being in a troubled IT/ITsec world when I read that. What seems so strange to me is not the vulnerability, it's that it requires a US-CERT advice for people to notice.

I mean... For years the web has been struggling to build protocols like HTTPS (and to get the mainstream browsers support it correctly). And we hear every day that even though the protocol is a jewel in itself, it is not sufficient for security. That's why we have vulnerability reports for browsers, anti-phishing features, certificate authorities, etc.

Now we build a new tool that will handle web sites and forward them to and fro and we should think that it does not deserve the same amount of care and time to mature? No, no, no...
Big expert organizations like Microsoft, Google or Mozilla struggle at it, why should Cisco, Juniper or SafeNet have it right from the first time?

Pessimistic: It's always the same game. You build something strong and then you build it anew making the same mistakes. And every time you get surprised.

Optimistic: Now that the vulnerability is public (I thought it always was!) maybe the VPN/SSL makers will improve their products.

Realistic: If you use the intranet from the Internet, you should be prepared to handle the security of the intranet as if it were exposed to the public. That means, for instance, investing some time in understanding a VPN/SSL product before entering wildcards in its policies.

EDIT 12/04/2009: Cisco says it very well ^^

"Administrators are advised to configure clientless SSL VPN sessions so that only trusted internal networks are accessed using the VPN session. All other connections should be accessed without using the SSL VPN session."

Common antivirus products disabled within minutes

2009-12-03T23:03:00.003+01:00

It was the subject of a contest organized by the French IT (and other disciplines) engineering school ESIEA. Results are available as slideshows at this address.

Summarizing roughly, the most common antivirus products (McAfee, Norton = Symantec, Kaspersky...) can be disabled within minutes by a clever virus maker.

Shredding files mostly useless (review)

2009-12-03T22:37:00.003+01:00

Bruce Schneier points that filesystems sometimes get in the way of secure file deletion.

I blogged about that six months ago (second point in that bill) after checking my understanding of the question with the developer of Inferno.

I since heard about similar stories quite a few times, either from software like filesystems or recovery systems or from hardware like Flash memory putting the content of a file in arbitrary locations. It seems to be a fairly well known fact among people who spent time on the matter.

To my mind, apart from shredding entire drives when the hardware is disposed of or goes from an user to another, companies should not waste time on shredding.

Of course, I guess Bruce Schneier would argue about encryption, rather than deletion :-)

How would I steal IDs and passwords from people?

2009-11-24T22:27:00.003+01:00

I've been asked a question by a former classmate (or rather he challenged me) to give a proposal to steal IDs and passwords from people with little danger for me and little required technical knowledge from me.
Here's my proposal, I don't know whether it's new at all, I guess it's not. It's purely virtual, I've not tested anything like this.

I go to a place where people use laptops: train stations, a home apartment in a crowded city or a job place where the Internet access is not given to all employees.
I create an unprotected wifi access point, open to all. And I keep listening when someone does connect. It may take time, but that's not part of the given problem so I'm assuming I've got time.
I count on the fact that at least one service the victim will use is not secured via SSL or similar. So when that happens, I just take note of the login/password couple.
Then I go and try the login/password in other applications such as Facebook, Gmail, MSN, online stores and so on. As most people use the same passwords for many applications, I think it could be a correct ratio of success.

EDIT 01/24/2011: A few clues against public wifi here.

Friday liberty blogging - I'm French and that's something

2009-11-06T19:09:00.010+01:00

It might be an unknown fact to my non-French readers, the French government is currently flooding the media with questions about the French identity. What is it to be French?

They also use the fuss to cover up their shameless unprincipled immigration practices, but that won't be the subject of the present bill.

The subject is the French identity, I would like to elaborate about it, because I'm one of the lucky ones down here who have spare time and spare thoughts to ask such questions and try to answer them. When my friend Thierry Kakouridis wrote an article about the matter (FR), I thought I had to reply to it.

France is a melting-pot of people with various views and cultural heritage. It is not one. For instance, several values are deeply written in the culture of my natal region that are not always shared in other places in France:

Anti-clericalism: People can believe whatever they want as long as it does not encroach upon my life and my political freedom. If it does, they, not I, have to withdraw.
Ability to live on one's own: You will be well-considered if you don't require help. You'll still be welcome if you do require help, but you won't be thought of so highly.
Giving one's word: Something said is just as good as something signed in black and white on paper.

And I did inherit these values from my living there for twenty years. Yet, as I said, these are not prominent values everywhere in France. So which should be the values of the French? First of all, I think there is the freedom of ideas. Foreigners are often surprised at the way the French take the liberty to interpret non-negotiable things. Whether it be the law, the religion or the management theories, the French often only take what they want from it. And if you ask them why, they always have a good (yeah, or bad) explanation for it.

This is one the basic freedoms that people from occidental democratic countries enjoy. And that's a freedom that can only be removed from you if you don't use it enough.

For this freedom to be within reach of a humble citizen, it requires:

A culture that values culture above wealth,
A culture that values thinking above believing,
And the associated society that preserves and enriches this culture.

I think other freedoms are less important to the French. We cannot be French without allowing ourselves to think freely about things of interest.

We also use to have equality and fraternity in our national motto. This to me relates to two other main components of the French conscience:

The hatred of ubris. Not all the French believe in a God up-there but all the French agree that there is no God down-here. The excess of pride that leads to think of oneself as a God and to behave as such is un-French. It is considered a disease that can affect both individuals and nations.
For instance, the French renounced the death penalty. We mostly consider that a nation has no divine right to claim lives.
This it, to my mind, the meaning of the equality word in out motto: none of us is a God.
The meritocracy. While we enjoy the equality of people in rights and dignity, we clearly know that we are different and of different skills. And none of us can pretend to be good at everything. Yet, we believe in the need to live and work together. And this means that we have to know and reward the merits of each. And this goes, not through money but through respect and consideration from others.
This is precisely why the French are outraged at the idea of a film maker being treated as a usual burglar, or at the idea of their previous president being thrown in prison.
Sure, the law is equal for all, but in conjunction with the fact that all the French choose by themselves which laws to apply and which not, meritocracy is commonplace in France. You get "powers" from being known for your past achievements. In exchange for these powers, you have to continue to serve well the nation. We know that we are not working against each other, rather for each other.
That is, to my mind, the meaning of the fraternity word in our motto.

To answer Thierry's underlying questions:

Yes, one is first of all what he/she wants to be. And most of the French want to be French rather than regional or European or other. And that's precisely why there is such a fuss about national identity right now: the French do feel that their identity is at risk. (To my mind that's more because of the current government than because of the immigrants. And some people are thinking the wrong way, because of fear or ignorance. That part is indeed a French failure.)
There could be some confusion about Theodore Roosevelt's words. It could be misinterpreted as a call for "cultural purity". It's not. It's a call for everyone to adhere fully to the identity. And as such, the American president's words match my feeling about the French integration style. You can be more than French, but you cannot be half-French.
There is no room for hyphenated Frenchism, reduced Frenchism, but there is plenty of room for people to bring in additional cultures from whatever source nationality.

Why Windows 7 will not crush Linux

2009-10-31T20:23:00.004+01:00

Sorry, just a rant against a nonsensical piece "Why Windows 7 will crush Linux" from Ron Barret who, surprisingly, usually has good technical articles and a few interesting non-technical articles.

This one piece shows, very clearly, a lack of knowledge of how things work outside the Microsoft world. Let me comment point by point, before I make more general statements further down. Quotes are in italic.

Okay it is no secret that Linux has not been able to crack the desktop, either at the home or at the workplace. Not to ignored either is that Windows lost some desktops last year (a little over 3%),but let’s not panic just yet, Windows still owns over 88% of all the desktops according to leading research.

Why does Ron Barret concentrate on "crushing" Linux when he could attack the main marketshare grabber: Apple? Does he really think of panicking or is that just an expression?

[...]Windows 7 installs easier, has simpler configuration of user settings, greater availability of software, support (you could argue that all support is awful, which is probably true) Windows support is easier to get when you need help. Gaming, MP3’s,… I could go on and on.

Windows 7 installs easier, but by the installation you get only the OS, not the office suite, the usual programs, the good media players, the image manipulation programs, etc.
Windows 7 has simpler configuration of user settings. But simplicity isn't the only question since you can get the MacOSX perverse effect : too many hidden options, which makes that anything a little more complicated than usual cannot get done from the interface, you have to go commandline. So my question is quantity of settings VS simplicity VS good explanation VS automation of whatever can be automated. And here, if whoever has any precise comparison list, I am listening carefully.
Windows 7 has greater availability of software. Depends on what you want to do. When my WAMP solution claims that a WAMP is only for testing and that a production tool should be a LAMP, what should I do? I am also a firm believer in centralized depots, and I find that the way to install software under Linux (like Synaptic) is much more modern and efficient than Windows software install.

To real Linux die hards… terminals rule.

Yeah, conquering die hards is the crucial problem when you're getting after marketshares!?

So Powershell presents an interesting argument for Windows adoption by the Linux user.

The very idea that an experienced Linux user could switch from the Unix philosophy to the Windows philosophy "disguised" as a command line drains tears of laughter from my eyes. Words or icons are just means, but the Unix philosophy that transpires through bash, csh or perl is a cement stronger than any interface tool.

Some people want free software (even if support is limited or non-existent).

RedHat sales are going higher and higher, is that a coincidence or does support just exist?

Applications like Firefox, Open Office, MYSQL, GIMP… wait all these applications are now available for Windows.

OK but with the exception of Firefox, most of them still run better and integrate better under Linux than under Windows.

Moreover, they are easier to install in Windows then they are in Linux.

Complete idiocy: once you have installed Ubuntu, the applications like Firefox, OOo, GIMP... are already installed. Concerning MySQL, you just have to go to Synaptic, check the "mysql" checkbox and click "install". Far easier than under Windows.

Windows 7 has solved a long-standing thorn in Microsoft’s side, How to deliver a feature rich OS without killing resources?

Okay, so Ron Barrett just confesses that Windows has long lagged behind competitors in terms of resource usage. Fine. Thanks.

Linux users have no reason to hold back anymore. Windows 7 is well placed to crush and put an end to the penguin.

Except complete programming station, polyvalent kernel that puts it everywhere from DVD players to car computers to mainframe servers, freedom from unwanted "home calls", complete view on the software from the kernel to the application, ready and working middlewares such as Apache, very good support (with full source access) like those of RedHat, IBM, HP and others...

Now that I could calm down, seriously, why would anything change about Linux users? There are two major situations:

Those who were fed up with Microsoft or wanted specific freedom and they will not change anything because of Windows 7.
Those who use Linux because it's at work or because they have a specific technical reason and they will not change either. At best they will consider changing, but whether that will be worth the migration, I doubt.

Cloud Computing Too Costly in the Long Term?

2009-10-20T19:31:00.009+02:00

I welcomed the IDC study of the elevated cost of cloud computing in the long run (article at linuxfoundation.org).
There are a lot of articles about cloud computing, its cost and its risks, however, I would like to underline a single point that makes a lot of difference to me between cloud and non-cloud: cloud computing is a backward step for fair competition in IT services delivery.

I think that most of the savings made in the last years by the IT services of companies have been possible because of web 2.0. Not only because of the fact it helped interactive information sharing, interoperability, user-centered design and collaboration on the World Wide Web (Wikipedia def) but essentially because it forced companies to use open*, not vendor-specific, technologies.

This helped create a true fair competition between software developers, between hosting providers and between system integrators. They all shared a single range of technologies and could not justify high prices or low quality services just because of the technology itself.

PHP comes to my mind as a brilliant example of this fair competition revolution. It's very interoperable. They even made it capable of running on MS IIS servers! It's simple and free to use. It's improvable upon and its developers were very careful to listen to requests for improvements. And now see what it has become:

The thing is: big companies like those making cloud services today do not live on perfect competition, they live on the one hand on monopolies and on the other hand on market niches. And that's their business and I am very fine with that.
They cannot survive in a true perfect competition system, yet they want to participate in the web market which has been the number one development and services source in the past years and still will remain, I guess. Cloud computing is their attempt to build monopolies on the web and they sell it with three kinds of arguments.

The economical argument. They promise good services, for cheap price, and you pay by your fidelity. Okay, as long as they do provide it.
The ecological argument. I am a very skeptical environmentalist. Not skeptical about ecology but rather about first-movers on the corporate side of ecology. Seems like a lot of green paint.
The technological argument. They sell the idea that all hosted applications are harmonized to a single technology and that this means it will all be cheaper. VERY TRUE.

Awfully true. It will be cheaper, for them. But as soon as you get dependent on them, since each of them has completely different technology from the other (think not only programming languages but also file formats, database formats and associated skills), they will be able to increase prices without any competitor. If you want to take the data back, you will be unable to feed it to the next cloud provider.

I think it's time "interoperability" gets into corporate policies alongside integrity, confidentiality and availability.

EDIT 10/26/2009: When I say open, I mean that corporate players cannot close the market by artifacts. This means, among other things: ASCII, not binary programs, opensource languages because the developers are so much more productive, free common libraries to build upon, a unique network to share data and software, etc.

EDIT 11/5/2009: Bob Sutor also speaks about cloud interoperability.

F!%#¤ cryptic logs! [Bruce Schneier fun]

2009-10-01T18:44:00.005+02:00

I couldn't get an idea of what all that logfile meant. Not binary, but not readable... Until I backed out from the screen:

c:::c:ccoccccocooocCooCcocCooCCCCCCOOOCOOOCOO88COOC@888o8C:.:.          .....  .. ...   .  .    coo:@@8@8@8@888888888888
::cccc:cocccccccooCooCocCoooCCCCCCCOOOOOOOCOO@8COC@8OOCCOc:.   .        . ........ :.....  ..   . oo.@8@@8@8@888888@8888
::cc:cccocccccoooocoCCooCoCCoOOoOCCOOOOCOOOOO@OO8CCCoCo8o               .  .. .:::.::.::. ..     . . C88@8@@@8@@88888888
::cc:cccccoc:ocoooooCCcCCooCCOCCCCOO8OOCOOCOCOoOC:o8ooc:           .....::. ::..:::.o.::..:. . ... . o888888@@@8@@888888
:ccccccocccccoooooCoCCcCoCoCCOCCCCOO88COOCOOC8OCoC8oco:            ....::::.:.:.:::.::::::: .     ..::COC8@@@@@@@@@@8888
c:c::ccococcccoooCoCCcoOCCCCOCCCOOO88OO8OOOO@CoOCcCo:.       .  . .....::.:::.:.:c.::cc::o:.. ..  .   cCoO@@@@@@@@@@@8@@
:c::ccccccc:ccCooCoCCcCOCCCCCCCCOOO@OOC8OOOOCoCc:O8:  .  .  ......:::.:.::.:c:::.oc::cCc::::.....    ..oO888@@@@@@@@@@@8
:c::cccccccccoocoCoOoCOCoCCCCCCOCO8O8OOCOOCoCoOOCCC      ......c...:cccCccoccoc:o.:::oocc.:co:: . .... .cc@@@@@@@@8@@@@
c::cccccco:coCcoCCoOoOOCCCoCCCOCO888OOOCOO:oCC8CC.          ....:::::cccCcCoooOoCoo:ooocc:coc::.... ..   .@@@@@@@@@@@8@@
c:ccc:coocccoCcooCoCoOCcoOCCOC8CO88OC8CCOCcoC8@C:  .      .......:cCCcc:o:oCCoOOCoCcCCoCcccoc:::::..  .   o8@@@@@@@@@@@@
c::cccooccccoocCCCCCCOCoCCOOCOOCO888OOOOO.ooOCC     . .  ..... ..:ccoCCccoCOooooooCooCCoccc::::::.....     .O@@@@@@@@@
::cccccccccoocoCCCCoCOooCOOCOOCCOO8OO8o8ocooCO      .::.    ..:.:.:oCooooC:c::cO8OCcoCCcoCc::cco:.::::...   @@@@@@@@@8@
:ccccoccccooocoCooOcCCoCCCCC8CCOOO8CO@CC:cooC.       .   ...:..:c:::oCCooCCCCCcoCOCooCOooocooco:::c::::. .  @88@@@@@@@@
:cccccccccoooCCCoCOoOCCCCOoOCCO888COOCco:Ooc .     ..cc.:::.cCcc:::: oCOooCoCOCCCCOCoOoCCoCCoo:ococ:::.:.  ..O@@@@@
ccc:ccoccccCcCoCcOCOOCCCCOoOCCO888CCC8::cC:        ..:: ..:::ccco:coc ccCOCOoCCCCOOCOOCoCcCOCocoCCccccc:.... c8@@@@@@
cc:cococc:cocCooC8C8CCoOCOCOCOOO8OCO88::.::       ...    .::..:cCCocOC.::ooOooOOCCCOCCOCCoCCoccCocoCooo:::..  C@@@@@
cc:ococcc:ooooocCOcOCoCCoOO8C8OCOCOCC:..cc       . ....:. ...::cCCCCoCCCCoc:OoCCCOCOOCCCOCoooCCooooCcccc::..  :C8@@@@
c:cocooc:cooooooOC:CCoOCCCOCOOCOOCCoC...:    .     ..:cCo.  ..c:coCCocCoCOOooOCCCOCOOOCOOCCCOooCCooccc.::.::.  C@@@
c:coococccCoooooOCoOCoOCOCOCOOOOCCCCc ..    .    .. :::..:c. ..:::cooooCCCO8ooOOOCOCOOO8CCCCCCCCCococcccc::: .  @@@@
ccocccCccoOoocoOO:8OcOCCCCOC8OO8CCoo :       ...::.c::::coCCCCo:::oo:oCOCOCo8CCCCOCOOOOOOOOOCOCCCooooococc:::    @@
:cococcccCoooooOCCOCC8oOCCOO88OOOoc:..     ..:.:ccoCoCCCCOCO8O8Ooc:cooCCOOOCCOOO8OOOO8O8COOOOOCCCooCoooooccc:..  o8@@
cococccccOoooooOoOCoCOoCCOCOOO8OCc....     ..:ccoooCCOCCCOO888OO8CCooocooC8OOCOOO8OOOOOOOOOCOOOCCCooooCoocoC:...  @@@
cococooccCcCcoCOoOCoCOCCCOOOCOO8c..:       .c.ccooCoCCCOOOOOOOOOOCCCCCoooCCOOO8OO8OOOOOOOOOOOOOCCCooCooooCccc:... @@@@
cocccoccoooCooOCoOCCOCCCO88OOOCO..:.    ...occoooCCCCCOOOOOOOO8OO888OOCCoCOOO88OOO8888OOOOOOOOOOCCoooooCCCoc:...  @@@
occcccccocCooo8CoCCCCCoCOCOCOO@C.:.     .:cc:cooCCCCCOOOOOOOOOOOO8888OOOOCOO88OOO888OO88OOOOOOOOCCCCoCooococc:....C@
cccoocccooOocOOoCCCoCCCCOcCO8O@c:. .    :c:cccoCCoCCCCOOOOOCOOOOOO8OOO8OOOOO888888888O88OOOOOOOOCOCCooooooooCo::.. C
cccccoccooocoCoCOCCCCCCCCoC8O8O..     .::coccooCCoCCOOCOOOOOO8OO8OOO88888O888888OO88O888OOOOOOOOOOCCCoCCooooocc:... 8@
cccCoccooCooCOoCCCCCCCOOCOO8C@o. .    :::ccccooCCCCCCOOOOOOOOO8888O88888O8888888O88OO8O8OOOOOOOOOOOCCCoCCooooccc:.  :@@
ccococcooCooCCc8CoCoCOCCC8OOOO:: .   ..::coocoCCCCCCOOOOOOOOO88888888888888888888OO88O8O8OOOOOOOOOOCCCCCCCoooCcc:..  @@@
occccoocCocCCoCCoCCCCCCOC8OO@o.:     ..:cooocooCCCCCOCOOOO8OO8888888888888888888O88O88888O88OOOOOOOOCCCoCCoooCoc:.   O@@
ccccccocCoooC:CCCoCOOCCCOCOO8o .     .:ccooocoCCCCCOOOCOOOO8O8888888888888888888OO888OO8OOOOOOOOOOOOCCooCCCooCoc::.  o@
cccocoocCoCoCcOCCoCOOCCCOC888c.     ..::cooocCCCCOCCOOO8OOOOO8888888888888888888888888888OOOOOOOOOCOCCCCCCoooCoo:... :
cccocooCCocOCCCOCCCCCoCOOCC8C.       .c:oooo:CCCCCOOOOOOOO8888888888888888888888888888888O8OOOOOOOOOCCCCoCCCCCoooo.   @@
ccoccooOooo8COCCoCCCCCC8COCCc       ..c:ooCo:CCCCOCOOOOOOOO888888888888888888888888888888OOOOOOOOOOOOCOCooooCooco: .  C
ococcocCCooOCCOCCCCCCCCOCCOC:     . .::coooccCCCOOOOOOOOCOO88888888888888@888888888888888OOOOOOOOOOOOCOCCCCoCCCoo:. . C@
ooococooCcCOCCCCCCOOCCOCCCCO.       ...ccoocoCCCCOOCOOOOOO88888888888888888888888888888888888OOOOOOOOOCCCoCoCoCcoo .. o@
oocoooooCoOCCCCcCOCCCCCCCCC:        .::cooCccCCCOOOOOOOOO88888888888888888888888888888888888OOOOOOOOOOCCCCCCCCooc:... .@
cocoCoocCCCoCOCooCCoCOCCCC8.         .cocooccCCOCCOOOOO8O8888888888888888888888888888888888OOOOOOOOOOOCOCCoCCCoCc:. .  @
occocoCooCCoCCCCCCOCCOCCCC           ::ccoccoCOOOCOOOOOOO88888888888888@888888888888888888888OOOOOOOOOCCCCoCCCCCc::. . 8
ocoCoCoCCCooCCCCCoCCCCCCCO         . ::ccCccoCCCOOOCOOOOOO88888888888888888888888888888888OO8OOOOOOOOOOCCCCoCCCCoc::   o
cooooCcCCCoCCCoCCCCOCoCCCC           .:ccoocoCCCCCOOOOOOOO8O8O88888888888888@888888888888O8OOOOOOOOOOOOCCCCCCCCCcc :.. :
coocoocCoCCOCCcCCCCOCCCCoo          .:::cocooCCCCOCCOOOOO8OO8888888888888@8@@@888888888888OO8OOOOOOOOOOCCCCCCCCCCc  .. .
coCooocCCoCCoooCCCCCCCCCCo          .:.:coccCCoCOCOOOOOOOO8888888888888888888888888888888O8OOOOOOOOCOOOCCCCCCCCoc:. .  :
ocococoCCoCooooCCoCCCCOCCo           .::cocoooCOCOOOOOOOOO88O88888888888888888888888888O888OOOOOOOOOOOCCCCCCCCCCcc....
oocCCooooooCCoCoCCCOCCoCo            . .:coccCCCCOOOOOOOO8OO8O8O888888888888888888888OOOOOOOOOOOOOOOOOCCCCCCCoCoo:. ..
oocCocooCCoCCoooCCCCCCoCo            ...:cCccCCCCOOOOO8O8888888888888888888888888888O8O8OOOOOOOOOOOOOOOCCCCCCCCoc::  ..
ocoCcoooCoCCoCoooOCoCCCCc   ...      . .:ccccCoCCOOOO888O8888888888888888888888888888O8O8OOOOOOOOOOOOOCCCCCCoCooc:... 
ocoocooCooCooCoCCCCCCCCo:   ..         .ccc:cCoOOOOOO88O88888888888888888O888888888888888OOOOOOOOOOOOOCCCCCCCCoc::... .
ooCoccCooCooCCCCCCCoCCCo:             ..:c::oCOOOOOO88888888888888888888888888888888O888OOOOOOOOOCOOOOCCCCCooooc::..  ..
coocooCooCoCoCCoCCCCOCCC:             ..::.coCOOOO8O8O8888888888888888888888888888888O888OOOOOOOOOOOCOCCCCCCoccc.:.   
coocoooooCcCoCoCCCOoCCcC:             .::.:oCOOOO88888888888888888888888888888888888888888OOOOOOOOOOOCCCCCCooccc.:. ..
cooooCccooCocoCCCOCCCooo:      .     .:o:.COOcoCCOOOOO88888888888@88888888888888888888888O8OOOOOOOOOCCCCCCCCoc::...    .
cocoCocoocoocCoCCCoCooooc     ..     .cc:c8C:coCCCOOO8888888888888@@8@8888888888888888888O888OOOOOCOOCCCOCCCc::....    .
oocoocoooooccCoCCooCoCCoc.   ..     .:cc::c. occoCOCOOOOO888888888@@8@@8888@88@888888888888O88OOOCOCCCCCOCCoc.c. .    ..
cooCo:oocCocoCCCCoCCoCCc.     .     .:c:....ccCoccoCCocCCO88@888@@888@88@888888888888888888888OOOOOCCCCCCCoCc:: .: .  
ocooocoooCcoooCCCoCoooCc            .:::..:o::ocoCcooooooOO888888@8888888888@8888888888888O8888OOOOCCCCCCCoo::.  . . .
coCoooocooooooCCCoCocoo:    ..      .:c: ::..:ccCcc:ccccoooCC8O@88888888888888O8@8888888888OOOOOOOOCCCCCCoCo::.  .    .
coocooocCccooCCCCCOcoCo: .::        .cc  ::::::.::.Cc.c:::oocOOC888888888OO8COooO8OOCCCOOCOOCCooCOOOCCCCCoo:c..     :..
ooooocccocoCoCCCoCCcCCc:...  ccc   ..cc .coccCCc.....co:::cooo::888888888OoCCCoo@8ocoCCooOCCoCocoO8OOCCCooc:c. .  . ...:
ocococooccoooCCCoCooCoc:    :oCo    :o: :ccCCc..   . .. .ccooCCoOO88888888COC::COc.ccoCocoooooCocoO8OCoCoccc:.       ...
coococcoooccoCCoCCooooo.    :::o    :c:.cocoo.. :O8cc::co:o:cCCCOOOOO8888OOOOcoCc.coc::cccccCooccocCOOoCoccc:..    .  .
ooocccccoocooCooCCoCooo.. .  :::    :c.:ccccc.cCC@@.:   ::.o:coooOOC88OOOOCOOOCocc:ccoccCoocoocccc:coCcooocc:.    .   
cocoocccocooooooCCoooo:   o: .:c   .:c:ocoooc:oCC88c. @: Coco.coCOO88888OOOOCCooc:..cccco::cccoccccccocooccc::..  .   
cccooccccoooC:oooooooo:.  oo:ccc. . cccCooCoo:oCCO8::.  o@@8ooccoOO8888OOOCCoc:cocCc: .::c::.c:c:c:cccccccco.. ... .  .
ccccccoccooooocCCccococ: .CC.cCo. ::ocCoCoooc:cooCCo.coo.@8@ooC:oO88O88OOCooocCCoo.8C:o::..:c::Co:c:::occccC.  .:.  ...
ccccccoccoooocoCoccoocc. cOC.cC8. .cc:CCCcoCoccooooCCooccococoOccO8OO888OooCcOOo::C@:o.  ....ocoCoooc:oocccC..  ... ..
ccooccoccoooocoCocooccc. oCocco@  .cccCCoCCCCocoCoCoCOCoOoocoCOcoO888888CoOCoOocOO8Cc: ooCo8..ccCCCCc:ccccoo.   ..  . 
cocccccccoooooooocooccc. CcCoooc  :occCoCCCoooooCCCoCCCCOCCCOCOcoOO888OOCCOoOo:C88@oc  COo:@@  :ooCCCCc:cocc.   ..   .c:
ccocccccccooccoooooocc:c O:CCoCo. :ocoCCoCCCCCCCCCOCOOCCCoCCOoc:CCOOO8OOCCocOCCo:C8O:o.  :o88CcccoCoCCoccooc. . ...:ccc.
occcccccocCcoooooooCc:cc OO88OCO..oo:oooCCCCCCCCOCOOCCCCCCCCcoccCOO8OOOCoCooOOCCCOCoCc:::OOCoCc:oCCooCoccCC:. ....oCocoC
ccccccccccoccooooCooccco oC888O8..cocCCCCCOCCCCOOOOOOOOCCCCoooo:COOOOOOCooooCCoCoCoCCCoooCOCoocoooCCCCoocoo:.  ..:oc:cCo
cccccccccooccCccoocoocco oO8888@..occooCCCCCCOOOOOOOOOOOOCCCooccCOOOOOCCoCoCoCCCoCCCOC8OCoCCoo:ooooCCCoocoo:... .occCoCC
ccccccoccocccoccoococcoc c888888  :ocoCCCOCOOOOOOOOOOOOOOCCCoo:oOOOOOOCCCCoCCCOCCCCOOO8OCCCCooCCooCCCCCCoCo:....:ccooC88
ccccccccccoccooooocooocc :O88O88  cocoCCCOCCOOOOOOOOOOOOOCCoCocoOCCOOOOCCCoCOOCOOOCOOOOOCCCoooCCCCoCCCCCCCc:  . :.oCoCO8
ccccccccccccccooocooCocc..OOCO88 .oocoCCOOCOOOOOOOOOOOOOOOCooccoCOOOOCCCCCCCOOOOOOOCCOOCOCCCCCCCCCCCCCCCoCo: . ..cCOoC88
cccccccccccoCoooocooCocc..88OCO@  cccoOoCOOOOOOO8OOOOOOOOCooocoCCOOOOCCCCOCCC888OOO8OOOOOOCOOCCCOCCCCCCCooC: .:oCOOOCCOO
:cccccccccccoocooooCCooc. COCoCo.::ccCCCOOOOOOO888OOOOOOOooCo:oCCOCOOCCCCCCCCO88888O8OOOOOOOOOOCCCCCOCCCCoC: :oCCCOOOo8O
:cccccccccooccoococCoCoo. CCCOCo .:ocCCCOOOOOOO888OOOOOOOooCocoCOCOOOOooCCCCCO888OOOOOO88OOOOOOCCCCCOCCoCoC:.oo8CoOOOC8C
cccccccoccocccoococCococ: OcCOOO .oocoCCOOOOO88888O88OOOOoooccCCOOCOCCCCCOCCOOO888OOOO88OOOOOOOCOCCCCCCoooC::oO@OC88OC8o
c:cccccccoocccocooooooooo 8CoO88 :ccccCOOOOOO8888888OOOOOooocoCCOOOOOCoCCOCCOOOO888OO888OOOOOOOOOCCCCCCCCoCc.oO@8O88OOOC
cccccccccooccccccooooCcoo 8OoO8O .::coCOCOOOO888888888O88cocoCCOOOOOCCoCCCOOOOO88888888O8OOOOOOCCCCCCCoCooC:.CO@@8888OC8
cccccccccooccocooooooCooC 8CcOOC .::coCOOOOOO88O8O8888888cocCOCOO8OOCCoCCOCCOOO8O888888O8OOO8OOOCOCCCCCoooo..CO8@8888Cc@
c::cccc:ooccccocccCcoccCC.ooC88o.:.:ocCOOOO888888888888OoocCOOOO8OCOOOooOCCC88888888O8O88OOOOOOOOCCoCCoCooo..OOOO888OcC
c:cccccccocccccoooCooocoC:cCO88:. .:coCOOOO888888888OOOCoooCOOO8O8OOOCooCCCCO888O88888888OOOOOOOOCCCoooooo:.:88888OOOc@@
::cccccccccccocccoooooCCCcc8OCOc ..::oCCOOO88888888OOOOCooCCOCOO8OOOOOooCCCoO888888888888OOOOOOCCOCCCCooC:.:c8888CCCCC@@
:::c:ccccccoccoccCooooooCCoOCOOc ...:oOCOO888888O88OOOCoooCOOOOO8OOOOOCoCCCCoO888888888888OOOOOOOOOCCCooC:..cO88OCOOoC@
::c:cccccccocccccocoooooCocOOOOo. ..:oCOOOO88888O88OOCoooCCOOO8888OOOOCoCCOCoOOOO88888O88888OOOOOOCCoooccc..COOOoo8CcO@
::c:c::occcccccccoooooooCo:OCO8C  ..:cCCO88888888OOOOOoCoCCOO8@888OOOOCCCCOCoOOOO888888888OOOOOOOCCoCoCc::. CCCCCCCCc@8
:cc:ccccccccccccoccccooooC :888c ...:ooCCOOOOOOOOOOCOCcCCoCCO88888OOOOCOCOOCoCOOOOO888888888OOOOCCCooocc:.: O88OCo8oC8@
:ccc::ccccocccccocccocoooC  :8O . .:.:cOCOOOOOOOOCOCOCcoCcoCOOO88OOOCCCCOOOOoOO88OOO888OO8O88OOOOCoooo:c:.  888OOC8:888
c::c:ccccccccccoccocoooooC       .::.:oCOOCO8OOOOCCCCo:coocCOOOOOOOCOCCOOCOOoOOOOOOO888O888OOOOOOCcooo:c:.. 888OCCC:@@88
c::ccccccccccccccccoooooooc      .::.:CoCOCCOOCocooCo:c::c:cCOOOOCOCoCCCCCOCoCOOOOOO888888OOOOOCoCCccc::c.. @8O8CC:C@888
c::::cccccccccoccococoooocCCc..   .  :ccCoCoOc:.oOo:..c::.::cOOOOOCcoooooCccooCOOOOOO888888OOOOOooCccc..c.. 888OOC:@@888
ccc::cc:ccoccccocccoccoococoCc:     .::ooCOCo:.coc:...:...:ccCOCOocoCCoooccCcoCCCOOOO888OO8OCCOOC:occ:: .. .888O8Co@8888
::c:ccccccccccccccocccoccoccc:..   ..:Ccccccc:cc:::::::::.:cccooccCOoC:.co:.::cocCoCCOOOOOOOOoooCo:C:.. .. oOOOO8C@8888@
c:::cccccccccoccccoccoccccc:c..     ..o.cc.::..:::.::c:..:::ccCOoCOc:c:c::::c:c::CooCO8OOOOOOCcc::::c....  oCOOOOo88O888
:::c:c:cccccccc:ccoccoccc:....    ....c.::::.cc:c:::C:...:.coCoccoc::c:.:c:...:c.CooooCOCOOCCCoO::.:::.:.  OOCOOCo88888C
::cccc:cccccccccccoccoc:::::.:   . ..::::...::o:.:::o ::c..CCcc.:oc:c::..:c:: :o.:cco:ooCOCCCCoc:::. c .. :OOOOO.c888OOC
c::ccc::cccccoc:coccoo::::::. .      :.:c.::::c.:..:..:::::oo:c::::cccc:.:c:..:o..cocc:oOCooooco::... .   :8O88: O8888OC
::::::c:cccc:c:ccocco:::::..      . .:.:.:::::oOC.::.co ::c:cc:::.coccoc....:::c:.coooccoCCcCcC::...: .:.. c8O. C88O8OOO
::::c:cc:ccc:cccoc:::..::.       ... ...::.::cCc::oc::.::.:.Ccc::.cccco.:.: :..:c::cccc::oCccco.:...c.:...     C8O8OOOOO
c::c:cc:c:ccccc::.....           .. .::co:.:C::.cccC::o.:ooccocccOc:c:c::.:.:::::ccc::::cccc:::.:.:. . . .OCo8@8CCOO8COC
::c::cc:c::cccc::.:    ..        . ..::::. :::oCc:co.cocccc:oocccCc:co:::c.::c:.:cCc::Oc.:o:::: ..:.  .  :@8@OOOOOC8OOOO
::c:::cc:ccccc:....       .         ..::c..c::ccCCoo.ccoco.ccoooccCooC:c:c:::co:cco.:.cc:ccc:.c..... ... c@OOOOCCOCOOCCO
:c:::::cc:c:::....        .. .       .c:o.:c::cCoCCoo:o::oCcccCcOoCoco:ccoc:ocoCccC:cCcc.cc:::::. :.  .. o8OOOCOCOOCCCCO
::::::::::::::...    .:......        .:co.o::cCoCCCoooooo:coCoCoOcoCoooCoCoc:c:cccccc::c:.:.c..c: .:   . CO8OOCCCO8CCCOO
c::::::::::....:.    .:::..          .::::.:coc:oOCCoooCococoooCooOOCooo:::ccoCo:cc::.o::c:.:.:c:  ..    COOCCOCOOOCCCCC
:::::::......    .::                ...:c:.::coCCCOCCoooooCooooocoooooooOooooOOCoco:c:.o::::.:::..:. .. oOOCCOCCOCCCCCCC
::::::..... .   .oc             . ... ::o ..ccoCoCCCCCCooooOCCCooCoooCooooooCOCOOc.:c..o:.c: ..: ....   OCCOOCCCCCCCCCCC
c:::.........  :c.              :     :.c ...:cooCCOCCCCoooCCoCoCCooCoCoCoooOOCoCc::c:cc:..::..: . . . cCCOOCCCCCCOCCCCC
:::..  ..:.. .o:                :     :::.....cooCoCCCCCOCooCCCCCCCCCoooooCOOCOooc::oc.:::.o:.: ...  . CCCOCCCCOCCCCCCoo
::... .:..   :.                .:      ...   o:cooCCoCCCOCCoCCCCCCoCooCoCCCOCOOocCo.:c.:.: ...c .. .  :COCCCCCCCCCCCCCoC
......:.. ..:                  .c.     .::  :o::ccoooCCoCCCOCCCCCCCoCOOOOOOCCCoccCc.:::..:  ....  ..  CCCCCCCCoCCCCCCoCC
.. .... ::..                   :Cc     .. .. ..ooccoOccoococoCoooCOCCCOCCCCCooo::oo.:::::. .... .     CCCCCCCoCCoCooooCo
...  ::..         .     .    cC:     ...o  .: :::CoccCcoo:coooCcCCCCCoCOCoCooc:cc .:..:..  .     . .oCCCCCCoCoCooCoooo
.. . ...           ..          oCc    .. .....  : :ccccc:cc:cCooccooCcocooooo:co.c: ..:... .         oCCCCCCCCoCCCoooooo
.  ...   ..      ....        .oCo.    .  .: .... c:c:cc:coc:c:cccccccoccccc:c:::c.. ::   .. .     .cCCCCoooCooCCCoCoooc
     ...:..    ....   .... .:oCC.       .:... .c.c:.:c:o::co.cco:ccccccccoc:.::: : :o      .     cCoOooCoooCoCoooooocc
    .:.... ..... .. .:... .C.coCc   . ..:   . :: o. .::c..cc:::.:cccccc:ccc ...:.  .: . .      . cOoCCooCCoCoCCooooooo
      ........:::..::.:. :@8:oCCC:.  .. .. ..:. ...  .. .. .. ..::..:..::.:..:......       .  :.cooooooooooooCccoococc
      . . ...:cc.::c.. . @C:ooCCo.  .   : ::  ... ...:. :.   .... ....:. ..::: ..           cC.oCooooooocCooocCoooooo
     . ...::C:.:.:c... .8@@C:oCCCC.  .   . ..  .. .  co: o:  c.: .... .:. : ... :.           Oo:ooooccoooooooocooocooo
     ...:cc::.:c::...   @88OcCooCC.  ..    . . . . :::cc:.:  c..c:............  :.          cC:cooocooCooooccooooCcooo
.    ....::.:::..       @888coooCCc.  .   .... . ..cc:Oc:.:c.: cC:: : .... .:... . ..     .COo:oCccoooooooooooooocccco
       :. .:.:. .      C8@8o:ooCCOo       .... :.:.::cCcoo.C:c.:c.: c:.. ...:.   :        cCCo:occoocococoooooccccccoc
     .  ...        .. .88O8CoCoCCCo:.   .    .  .:ccoccC::o:.c: .:::o  .........       COCCo:cCcoCoocooccccccococcccc
                   .. c@88OooOCCCCO:.   . . .. . .c:.cCc:.::oo:..co:.. ......  . .    cOCCCo:coccoocooccccccocccccccc
                      8@8OO@oCCCCCCCo..  . .... . .:..o:c:..::o. oc.. :. .. ..         OCCCCo:ccoocoocccoooccccccccccc
                . .. o88C8@ooCOOoCCOc. ..  .   ...::.:.cc.. :o:.o::  o.  :...       :cOCCooC:cccoccccccooococcocccccc
                ...  @@88o@OoCCOOCCCCOc  . . . ...:.:..:::.:.cc.:o.: ... .....  .   :C8CCoCoCccocccccoccccococcccccccc
                ... :@88COOCCCOOOCCCCC:    .  . .  :: :.:cc .:.:o ..c.::. . :     .oOOCCCoOcoccccccccccococcccccccccc
                 .  8@88C8@CoOOOCOOCCCoCc:..    .. ... ..:c::.:.::...:.:.... .     OOOCCCCoC.occcccccccccccocccccccccc
.      .    .    ..  888@O@@oCOOOOOOOCCCocoo:  .. :   :.:.:::: ::.:. : .          COCCOCoCCOc .occccccccccccccccccccccc
.        . ..  . .. c@88@O@oCOOCOOOOoCooooCCc.  ..:. .. ..::..:.......:  . :    cOCCOCOCOCC: .occcoccccccccccccccccccc
   ..  ..:.    .. C@888@8@8oOCOOOOOOoCoooCCCOC      .: :.... :...... .. .. ... cOCOCOCoCCoC.  oococcc:cccocccccccccccc
  ...  ...   ...  @@@@88@@8oOOOOOOOOCoCooCCCC8C:.    . :.....:.. ..  . .   .ccoOCOOOCCCooCC   :ococccccccccccccccccccc
 .... ...   .  ..c@@8@8@@8COOOOOOOOOooCoooOCO88Oo:   . . :o..:: . .  ..  :oOOCCCOOCCOCCCCC.   occccccoocccccccccccccc
....  ..  .. ... @@@@@O@@8oOOOOOOOOOCoCoCoCOOOO8OOOC:.   ..  :.  ..  ...:COCCoOOOCOOOCCCoC.   cocccccccccccc:ccccc:cc
... . . . .  .... @@@@8@O@8OOOOOOOOOCCCcCCoOOOOO8888888888C:.:.:::::COCCOOOOOOOOOOOOOCCCco8     occccocc:c::::cc::c:cc
.  :.  ..... .. .@@@@@8O@OO8O8OO8OOOCCCCCCCOOO8O888888888888O88OOOOOOOOCOOOOOOOOOOOCCCoc8O .   .occcc:cc:c::::c:cc:c:
. .  . ....  .... C@@@@@88@OO88888OOOOOOCooCCOOO88O88O88O8OO8OO8OOOCOOOOOOOOOCOO8OCOOOCC:o8C      :c:ooccc:c:::c:cc::::
. .  ...   ..   @@@@8@8@@@CO8O8OO8OOOCCCCoCOOOO88888O88O8OO8O8OOOOOOCOCOOOCOO88OOOOOCCOoC8:       occcccc:ccc:c::::cc:
. ...     ... .. o@@@@@@8@@@OO8888888OOOOCOCCCCOOOO8OO8OOO8O8OOOOOOCCOCCOOCOO888COOOOCCOoOC8        :oc::cc:cc:cc:::::::
. .....   ...... @@@@@@@8@@@CO8888888OOOCCOOCCCOOOOOO8OO8OOOOOOOOOOCCOOOOCOOOOOOOOOOOOOCCCOC  .      :ccc:::::cc::::::::
.  .   ... .... C@@@@@@8O@@OO88888888OOOCCCOooCOOOOOOOCCOOOOCO8OOOOCoOOOOOOOOOOOOOOOOC@@CO           c:c:cc:c::::::::::
.:  ....    ..  @@@@@@888OOO888888888OOOCCOCoC88OOOOOOOOCOCO8OOCOCOOOO88OOOOOOOOOOoOOOc        .  cc:::c::::::::::::
.c ...  ...... :@@@@@@8@@COO888888888OOOOOOCCoOOOOOOOOOOO8OOCOOOCOOOOOOOOOO8OOOOOCC8OO.           .oc:::::::::::::::
.c...  .. ...  @@@@@@O@@@@OO88888888888OOOOOOOCoCCCCCCOOOOOOOOOOOOOOOOOOOOO8OOOOOCO@@COc              .c:::c::::::::::
Oo .  ...... C@@@@@@88@@OO88888888888OOOOOOOOCCCCOOOOOOOCOOOOOOOOOOOOOOOOOOO8OOO@CC8                .c:::::::::::::
oc .. . .....@@@@@@@88@@@O8888888888O8OO8OOOOOOCCOCOOOOOOOOOOOOOOOO8OOO8O88888OC@@CO88                 .c::::::::::::

Made with soft by Håkon Nessjøen from http://lunatic.no/img2aschtml.php.

Is a CISO an expert generalist?

2009-09-26T23:09:00.008+02:00

CISO = Chief Information Security Officer
The title "Responsible for the Security of the Information System" is prefered in Romance languages. The common abbreviation is RSSI.
Both titles relate to a quite new position in a company: the guy who cares about the security of the information system. Has to organize the work, set up objectives and, most of the time, provide technical knowledge to other IT teams. Has to know a lot about a lot of things to apprehend all situations in the information system. Kind of a generalist guy.

As this is a position I have much respect for (mine!), I was a little puzzled by Anton Chuvakin's post about the myth of an expert generalist, where it is argued that being someone who knows a little about everything is not a good career choice. Later on, Richard Bejtlich also questioned security careers and I came to ask me a fundamental question:

Am I becoming an expert generalist?

However, I reassured myself quite soon. Yes, the CISO works in all fields of IT security + physical security + management... but there is indeed a speciality in all this. The CISO has to know the information system of the company well enough to be able to answer whether a security practice/project/product is worth it.

In a company, the whole thing security is about is exchanging costly uncertainties for cheaper certainties. And the transition from one to the other has a price. The CISO has his primary skill in examining the benefits and implementing such changes.

While this may seem related to risk management, I think there is a real difference: risk management focuses on producing scenarios and estimations of risks. That is: speculating on the unknown*. This has been largely criticized recently in security blogs.
I prefer to see security as decisions made on known facts: costs, lost hours of work, customers' satisfaction, etc.

So to the question "Am I becoming an expert generalist?" my answer is no. My role is more on management, choices and strategies. And I love it. And I can still technically specialize on whatever field I like better.

*What do you actually know about the probability of a hacker intruding your databases? What do you actually know about the probability of HR data being leaked by mistake? What do you know about the probability of a server hardware crash? Now how do you calculate risks and prioritize them?

EDIT 10/01/2009: See also Richard Bejtlich's article "Risk-Based Security is the Emperor's New Clothes".

When I don't have a DNS

2009-09-26T12:03:00.004+02:00

It just happened to me that the DNS of my ISP was down. Under a Ubuntu Intrepid Ibex (8.10) in a place where I damn needed the web.
In this case, you just have to ensure that you have a replacement DNS server, for instance, the public 4.2.2.4, which works very well so far. Edit the config file /etc/resolv.conf.auto and add the following lines:

nameserver my.usual.dns.ip
nameserver 4.2.2.4

After that, restart the networking service by:

# /etc/init.d/networking restart

and the web works again.

Yahoo! and Microsoft

2009-07-30T10:06:00.004+02:00

Yesterday, Microsoft released GPL code, and we now know that there was nothing altruistic in that. Today, they ally with Yahoo! What now?

...

Search on the web is a wicked problem, so one typical methodology is to build multiple attempts of solution to the problem and let them evolve, compare... That was the case with multiple search engines.
Now we will have only two major ones: Google and Microsoft. I don't know if I should rejoice because the evolution has come to an end, or if I should cry because monopoly problems get in the way of solving the websearch problem.

...

Anyway, if Yahoo! ditch BSDs to favor Redmond technologies, they get onto my list of companies to avoid as much as possible.

Virus free OSes and Google Chrome OS

2009-07-10T17:56:00.008+02:00

It's been buzzing all around about Google Chrome OS. Google announced they would create a new Linux-based OS called Google Chrome OS and they said "[they would make it] so that users don't have to deal with viruses, malware and security updates".

A lot of articles have reacted to the news, and to the claim. Bruce Schneier was quoted saying that it was an idiotic claim to pretend it would be a virus free OS. And he explained later that it was an answer on the phone, to a journalist, and that he hadn't read the news in the original text by then.

Indeed, Google didn't claim they would produce a virus free OS, and they did well. If I am not mistaken, it is always possible to create a virus on a Turing machine or equivalent. And, as Schneier quotes from Fred Cohen (1986), it's never possible to create a perfect antivirus program.

Google's claim is much more subtle and quite interesting. They said that the user would not have to deal with viruses, malware and security updates. And that seems quite possible to me, or at least quite feasible to improve on, compared to the current situation.
In my imagination, Google wants to silently push all that's needed from the web directly onto their OS. OS patches, antivirus definition files, and why not also manual patches when needed?

Take the example of the handling of spam by Gmail. They have a set of rules, which they can modify very quickly, and even modify "by hand" for a singular point. In comparison, at the workstation level:

in a typical open source environment, you would need an update command. Even if that's quick, that would require something like:
# apt-get update; apt-get install last-spam-filter
in a typical closed source environment, it would require an update by hand.

Here, the rules, updates, patches, and even new versions of the soft immediately come through the browser. Even if the system makes no breakthrough in terms of fundamental security, you will get an excellent increase in overall security from the regular update of software. No more unpatched OS, unpatched browser, unpatched AV...

So far as I can tell, that would save companies big heaps of money on exploitation.

PS: That uncovers a lot of questions for me, such as: How will MS react? Why didn't MS try to do the same? How can competitors get a foot into the same market? Won't Google become a new empire of evil? Will Google's business survive to DoS attacks? How can any evil competitor prevent Google from getting into that market? How will the Google Chrome OS get onto the PCs in the first place, will it be shipped with PCs, or will users need to install it? Where do you set the limit between what Google remotely do and what they don't do? How will governments react? What about privacy of information? What about national spying issues?

Questioning marketshares of webservers

2009-07-10T17:08:00.002+02:00

Nothing developed here, just a question: aren't the statistics about the market shares of the various servers obfuscated by the use of front-end technologies such as reverse proxies, web accelerators, load balancers, etc?

Microsoft fallacious IE8 campaign

2009-06-27T18:33:00.040+02:00

Is the market of browsers so opaque, obscure, for non-technical people, that Microsoft think they can fool them with a simple table?

To summarize the history of facts, Microsoft once had a monopoly in web browsers because the software shipped with their operating system, Windows, which is ubiquitous. They then sat on their laurels for a while (roughly from the end of the nineties to 2006) and lost a part of their market shares to more secure, faster, more flexible browsers, such as Mozilla's Firefox. They finally reacted and released Internet Explorer 7 and Internet Explorer 8, fixing a lot, but, to many eyes, not climbing to the level of quality of their rivals.

And now, they try to get their market shares back by a marketing campaign, with an awfully simplified and fallacious comparison table.

Now, let's return to normal. Below is their table, with my remarks or modifications in orange.

I do not comment on Chrome, because I have used it too little.

	Internet Explorer 8	Firefox 3.0	Google Chrome 2.0	Comments
Security				Internet Explorer 8 takes the cake with better phishing and malware protection, as well as protection from emerging threats. And so can say anyone. But with intimate relations between the operating system and the browser, Internet Explorer puts the system at a greater risk against malware.
Vulnerabilities				The time to fix vulnerabilities once they are public is the shortest in Firefox. Internet Explorer has got the worst record of critical vulnerabilities, sometimes not patched long after they are public.
Privacy				InPrivate Browsing and InPrivate Filtering help Internet Explorer 8 claim privacy victory.
Ease of Use				Features like Accelerators, Web Slices and Visual Search Suggestions make Internet Explorer 8 easiest to use. Some might say it's a question of taste. I feel like Internet Explorer is rigid while Firefox is flexible.
Web Standards				Firefox and Chrome have more support for emerging standards like HTML5 and CSS3, but Internet Explorer 8 invested heavily in having world-class, consistent support for the entire CSS2.1 specification. I don't deny Microsoft made big improvements, but almost any web developer still frowns the eye at the very name of Internet Explorer. Yet, they did improve.
Developer Tools				Internet Explorer 8 has the most comprehensive developer tools built in, including HTML, CSS and JavaScript editing, but also JavaScript profiling; other browsers have developer tools available, but either require you to download them separately, or aren't as complete. You could also argue that the simplicity of XUL, Firefox's development language, is one reason it's been such a success.
Reliability				Only Internet Explorer 8 has both tab isolation and crash recovery features; Firefox and Chrome have one or the other. Only Internet Explorer crashes when too many pages are open at the same time.
Customizability				Sure, Firefox may win in sheer number of add-ons, but many of the customizations you'd want to download for Firefox are already a part of Internet Explorer 8 – right out of the box. I have never found for Internet Explorer precisely the equivalent of what I use in Firefox.
Compatibility				Internet Explorer 8 is more compatible with more sites on the Internet than any other browser. That's certainly true because of Microsoft long record of purposeful incompatibility which, in the past, encouraged developers to not develop for other browsers. However, I do not know one of the sites that I use today that is not compatible with Firefox.
Manageability				Neither Firefox nor Chrome provide guidance or enterprise tools. That's not true. With the tools provided by Frontmotion, you can achieve a similar manageability (for instance, centrally from an Active Directory server) and I would say you get a more precise customizability of what's managed.
Performance				Knowing the top speed of a car doesn't tell you how fast you can drive in rush hour. To actually see the difference in page loads between all three browsers, you need slow-motion video. This one’s also a tie. Whatever recent benchmark shows Internet Explorer as the last of the last browsers in matters of speed.

I was not the only one to notice that :-)

Savio Rodrigues (IBM) at his blog
also a post on Royal Pingdom

Some comments are worth reading.

EDIT 06/29/2009:
They're going to some extremities for their marketing... in my natal region, they advertise on pizza boxes, and also have a look at this one in the US:
http://www.browserforthebetter.com/index-htm.html#getie8:6qmoqjtZ9pH

EDIT 07/28/2009:
I have found some pictures of those IE pizza boxes here and here.

Raw unrefined suggestion about firewall rules

2009-06-26T02:04:00.002+02:00

Since now we see attacks from inside intranets, using zombie networks, I think it could be a good idea to turn on the firewalls on each machine in the network (including on Windows stations, which I know is sometimes a problem) and to set up a detailed set of rules for them.

My problem was: how to figure out which rules for such a complex problem, so many machines?
My suggestion: why not propose a standard for a single file giving the positive rules necessary for a software to operate?

One file per application, that would come shipped with the application, and would describe all the things that need be open, for the application to work. The file would not describe what set of rules to put on which firewall, but simply what needs to be open.

If we have a look at the TCP/IP layers

This picture from Wikipedia under the GFDL license.

we see that simple firewalls operate on the Internet and Transport layers. Modern firewalls and proxies also operate on the Application layer.
I guess a simple XML dialect could be created to describe which things need be let in and out, on which layer. If this gets standardized or at least RFC'ed, there is a good chance to see opensource software adopt it, both on the application and on the firewall sides. On which case, since opensource is biggest marketshare on infrastructure, others should follow.
(All that raw and unrefined.)

SEO game - Jeu référencement SEO

2009-06-26T01:10:00.003+02:00

This article relates to a website only available in French. If you can't read French, sorry this time, I will not translate the many pages into English. All that follows herebelow is in French.

Un jeu en français sur le référencement (l'optimisation de la position d'un site dans les résultats de recherche d'un moteur de recherche, typiquement Google) vient de commencer à l'adresse www.jeu-referencement.com. Il s'agit de 15 petites épreuves à franchir, chacune utilisant une technique liée au référencement. Je ne vous donnerai que deux indices :

Si vous tombez sur une erreur 404, c'est que vous devez continuer à chercher, pas abandonner.
L'épreuve 14 bugge avec certaines configurations logicielles, n'hésitez donc pas à la forcer de toutes les manières possibles, c'est le résultat qui compte.

Il m'a fallu à peu près une journée pour terminer les 15 épreuves (pas 24h de suite collé contre l'écran ! juste quelques heures en fait). Et je suis assez content, j'ai appris quelques trucs que je ne connaissais pas.

Tribute to Fravia

2009-06-26T00:11:00.005+02:00

I learnt yesterday that Fravia has died. He was a talented hacker and a jack-of-all-trades in IT, almost a master-of-all-trades I should say. He administered a site referencing a lot of resources for people to learn about computers, software and information systems. There you could find learning material from the beginner's tutorial to the master's last discovery.

I learnt a lot thanks to Fravia. I was studying on resources from his site when I first disassembled a binary piece of software to shift its behaviour, almost thirteen years ago. I found my way through WinDASM or SoftICE by following tutorials from his site.

I owe Fravia a lot and, though I never met him in person, I will not forget him. His site is still up, alas I can only hope for it to be continued, there is no certainty.

Geekonomics - Incentives for the States NOT to invest in opensource

2009-06-22T11:28:00.002+02:00

Third of the series of articles inspired by David Rice's Geekonomics. This article is not directly related with matters from the book, yet I got the idea while reading the book.

FLOSS = Free/Libre Open Source Software (as abbreviated by the European Union)

If you're like me and enjoy, use and promote FLOSS, you might be wondering why some States do not favour FLOSS in the public infrastructure.

Well, they do use FLOSS, as a matter of fact, because you can't build a whole infrastructure made only of proprietary software and if you tried, it would be extremely expensive [and potentially disastrous for compatibility issues]. So, you might be wondering why some States do not favour FLOSS more than they do, in the public infrastructure.

So far as I can understand it, most States are running a race to be in the first positions of wealth, military strength and fame. Things can be different for the top one, which would only want not to lose its rank. And things can be different for the bottom ones, who simply have too many matters to address before they will concentrate on a worldwide competition.

So, let's assume we speak about the countries in the top thirty of this world, except the very first ones. This group is made of countries like France, Italy, Germany, Russia, Brazil, India, South Africa... Why do these countries not publicly favour FLOSS more than they do?

To favour it more, they could:

Ask for documented, free to implement, data formats. This way, wars fought by software makers on purposeful incompatibility would be avoided.
Ask for more FLOSS inside all public agencies.
Ask for more education in FLOSS in the public education system.
Invest directly into FLOSS development, or make a policy that some public developments will be made FLOSS after some time.

All this would favour FLOSS, but all this would not necessarily favour the race of the State to wealth, military strength and fame. It would, of course, improve wealth, military strength and fame. But my point is: FLOSS does not improve the rank of a State in the international competition, because every improvement is available to all competitors as well.

By asking for documented, open, data formats, or by asking for FLOSS inside public agencies, the State would agree to spend money on a shift, that would probably be beneficial, yes, but the economic developments involved (more developers, maintenance contracts, etc) could be beneficial to people or companies located anywhere on Earth, because of the very nature of FLOSS. On the contrary, when a State signs with a precise, well-known, software maker, it knows where the profits will go.
By asking for more education geared toward FLOSS, a State agrees to turn its youth to an uncertain future. While the future is obviously uncertain, there is more certainty in teaching the youth how to use what's majority and paying than in teaching them what's still minority and looks like not-so-well rewarding. So, short-sighted politicians might see education in FLOSS as a bad investment for youth.
By investing into FLOSS developments, the State agrees to spend money on its own, while the fruit of this investment can be eaten by all. In a competition, it's bad invested money. It is more interesting, as a State, to invest in a proprietary development by a local company and see the licenses be paid by other countries.

All of these seem good reasons for a politician not to favour FLOSS when they seemingly can. Of course, on the long run, that's detrimental to us all :-(

Geekonomics - Criticism of Chapter 6 on opensource software

2009-06-22T10:24:00.007+02:00

Second of the series of articles inspired by David Rice's Geekonomics.

I am not totally satisfied with David Rice's take on opensource software in his Chapter 6: Open Source Software: Free, But at What Cost?

While he definitely has good points as a whole, and while I see his description of some of the hidden defects of opensource projects as accurate, I am sad that he forgets to mention about real big companies taking a part in opensource developments. Companies like IBM, Sun (now Oracle) or Apple all make some opensource developments, and you cannot tell that they act as beginners or non-professionals in their development methodologies.

And I am also a little surprised to see that the author compares opensource development projects to an "idealized" proprietary development project. For instance, he says it is possible that a part of an opensource software will go unmaintained because of a lack of interested people and forgets to say that even in big proprietary developments, such things also happen, because of mediocre management or because of periods of deep stress.

I would say that Chapter 6 holds some good points but my conclusion be:

Opensource software is not a radical change from proprietary software in the methodologies.
Opensource software is not radically more secure or of better quality than proprietary software by essence.
The "given enough eyeballs, all bugs are shallow" argument is valid, and those opensource software which have a high number of both users and developers actually get an improvement of their quality and security.

Geekonomics - Incentives for the States NOT to fix software quality problems

2009-06-22T00:09:00.004+02:00

First of the series of articles inspired by David Rice's Geekonomics.

As an introduction I would like to give two figures from the first chapters of the book.

An estimate of the US losses coming from software failures (both quality or security) at the scale of the whole country: $180 bn a year. (yes billion, not million)
Deaths occur from software failures. Multiple times per year, if they are not numerous enough to make statistics [yet].

David Rice's point
In the beginning of the book, David Rice argues that software developers have no incentives to make a better work. In chapter 5, Absolute Immunity: You Couldn't Sue Us Even If You Wanted To, David Rice shows that the US government is not making anything against software failures. On the contrary, the US gov gives developers the free hands and no responsibilities of any kind if they should get sued over damages resulting from the use of their software.

And he goes for a short explanation that the US system waits for citizens to become plaintiffs and sue software developers before any public authority will react. He quotes the typical reaction that you would get if you tried to make a law about software quality, through Ronald Reagan's words:
Government is not the solution, government is the problem.

My point
I quite agree with the author on the observation. The US gov does nothing, or goes against any initiative geared towards better software. But I don't agree with the far too simple explanation he gives. I guess a $180 bn issue would get a law if there were no incentives for not making a law. And I can see three reasons a country like the US wouldn't want to improve software quality.

"Don't worry, be crappy". This maxim by Guy Kawasaki summarizes well the way software companies get into the subject. They try to output something they can sell, whatever the quality. But this reasoning also goes for countries. Software is a global trade good, and a big software maker as the US doesn't want to slow down the sales by making quality restrictions. If a law were passed, it would probably impact the economy of the country. Same goes for other developed countries.
In the same train of thoughts, if a law were passed, maybe some development companies would offshore developments.
We are still in an early phase of software deployment. Though it is recognized that a big company now has to do better IT rather than more IT, it is still important for many countries, including the US, to do more IT, even at the cost of not doing it better. I mean, a country like the US gets a competitive advantage from doing more IT, getting more automated stuff in its services, agencies, its companies, etc. and would "competitively speaking" lose time by concentrating on the improvement of quality and security.
As is long argued in the book, there is an underground market for security vulnerabilities. This market is the fact of underground hackers, but if the underground does it, there are good reasons to believe that the "official" intelligence services do the same. If so, it is rather possible that intelligence services from the typical countries such as the US, France, Israel, Russia or China (which are coincidentally the biggest software developers) have good interest in keeping a high level of not public, unpatched vulnerabilities. They want to know the vulnerabilities themselves, be able to penetrate a lot of places, especially for industrial eavesdropping, and they absolutely do not want software makers to patch the vulnerabilities.

All of these seem better explanations to me for the lack of reaction of developed countries against bad software quality and security.

Articles about Geekonomics to come

2009-06-21T23:14:00.003+02:00

Following the return of my copy of Geekonomics: The Real Cost of Insecure Software, by David Rice, I am in the process of writing a few articles about the ideas from the book.

Go read the book if you're interested in understanding the phenomena around and beneath software insecurity and bad quality.

Since I do not want to plunder the author's content by making a detailed summary or quoting the most interesting excerpts, I am selecting a few subjects and trying to explore them a little further than the book. Which will be very hard since I do not have all the investigation sources that Rice may have had, nor patience, skills and experience. For short: I will give some opinions from my understanding of matters in or around the book.

Friday liberty blogging - Assaults on the neutrality of the network

2009-06-19T21:54:00.004+02:00

The Internet as we know it: a place almost free of control, with sites rewarded by audience proportional to their qualities, with a good anonymity protecting political dissidents, this place is under high fire from governments and ISPs.
While we might have thought this kind of attacks would come from very liberty killing countries such as China or Iran, they are now in the headlines even in most liberal countries such as France or Germany. To give just a few examples:

In France, giving as a pretext the fight against illegal downloaders of music and movies, the government is trying to install spywares on all citizens' computers.
In Germany, giving as a pretext the fight against child pornography, the government gets a law voted for a censorship policy, and stars building an architecture able to filtrate the web's content.
In England, judges rule that there should be no anonymity for authors of texts made public on the Internet.
In England, an ISP starts using bandwidth modulation to discriminate against sites helping its competitors' businesses.

As far as I know, most of my readers are probably aware of some of these problems. So, instead of commenting on each of these assaults separately, I decided that from now on I would keep a list up-to-date gathering all articles that I would read about this matter. Most should be in English, yet there could be articles in any of the languages I can speak (French, German, Romanian and variants).
The web page of the list is at this address.
You can also find an RSS feed at that address.

Small yet eternal lesson from a successful SQL injection attack

2009-06-10T01:35:00.007+02:00

I just conduced a penetration attempt on behalf of a site's owner. The site is the kind you use for home-grown, not critical matters. I wanted to try SQL injections first, because since I read Security Warrior, by Cyrus Peikari and Anton Chuvakin, I felt a kind of inner vacuum for never having done that. Here is how I proceeded:

My goal was to change an existing data of the site to add the mention "hacked". The site was a typical interface to a database, with the notions of "new item", "update item" and "view item" clearly visible.

From that, I deduced it worked with a database.

Looking at a targetable data, one that I would want to target and mark as "hacked", I saw that the URL contained a GET parameter ?id=20

From that, I made the assumption that there would be a database table with the field id equal to 20 for the element I wanted to mark as "hacked".

Looking at the main connection page to the site, I saw another GET parameter in which I tried to input a single quote. The server answered me with an error message including the path to a library file, with the extension .php, with an identifiable name. I typed that name into a Google box and found it was a fairly well known free software underlying library.

From the fact that this library was free software, and that the files were named .php, I made the assumption that the database would be a MySQL one, as is most often the case.

I used the normal way to create an element inside the software of the same kind as that of the element I wanted to change. Then I went to the modification page for this element and gave a single quote in one of the text field values of the element. The server returned me an error message with the faulty SQL request.

From this I learnt the names of the table and some of its fields inside the database.
From this, I validated that id was actually a field inside the same table, which I only assumed earlier.
From there, I guessed it would be piece of cake :-)

I crafted a request, using id='20', value of the targeted element instead of that of my legally owned element. I looked on the Internet to find that the comment marker for MySQL was hyphen-hyphen-space and not hyphen-hyphen. And I changed the name field of the attacked element from "dummy title" to "dummy title hacked". And I pressed the button and everything went well. I then used the normal way to visualize data and found the victim element to be called "dummy title hacked".

So, from all that, I conclude that it's important to hide programmer's data from the eye of the user. Especially, GET parameters should not be used unthoughtfully and the error messages from server or middleware should not be displayed to the user. A good polite "We encountered an internal error." is fair enough.

So, next time the webservers' admin or the web dev tells you such small details are not important, just kick him in the balls. I take complaints at cpradier _at_ gmail.com

Larry Page's law also for mobile phones and gaming consoles?

2009-06-09T01:38:00.004+02:00

Larry Page once said his thought that "software is going twice slower every 18 months". This became known as Page's law, and I suddenly wondered if the same was not true of mobile phones content and gaming consoles when I had to change my cellphone.

I asked a cousin working in the field of mobile phones and he gave me a spare good old Nokia 1600, saying it's one of the you-cant-find-them-anymore-nor-nothing-as-good.

When I first turned it on, I was overwhelmed by a feeling of quiet efficiency. It's not doing MMS, doesn't take pictures, doesn't allow you to surf the web, but damnit! it's fast. Well, indeed, I just don't notice that I am using a cellphone at all. It's just become plain transparent. Take your directory entry, push the button and that's all. A plain good old feeling of Fire-and-Forget.

And it reminded me how frustrated I got when friends invited me to play the new Street Fighter game on a Xbox 360. It's beautiful, it's respecting the design principles of the series, yet it's no way the same fun as in the old ones on the SNES.

I'd seem bitter if I concluded on a law like "every software or platform evolves to the point where usability suffers a lot from the number of functions, then evolves to the point where it's not usable at all anymore" or another Zawinsky-like law, yet I see no other conclusion.

PS: thx, couz'

ITsec in healthcare - ISO 27799

2009-06-09T00:52:00.004+02:00

I recently ordered a copy of the ISO 27799 "Information security management in health using ISO/IEC 27002" because I was curious of the content and I applied to some positions in health organisms. I am fully happy with it and I'll tell you why: it's going further than the ISO 27001 and 27002 norms, but it's also giving examples and diagrams around these norms. So, I think it would be a good read even for someone outside the field of healthcare.

Let me summarize it my own way. The big parts I would make:

Introduction on healthcare
Lexicon of concepts around ITsec and around healthcare
What's specific in the ITsec of healthcare?
An action plan for an ISMS "How to be concrete [and successful] in ISO 27001?"
A review of ISO 27002 control points and what's specific for them in healthcare.

Once that little summary done, here are my reading notes on what's so specific about healthcare:

Because hospitals and clinics are open places, because of mobility constraints, and because medical hardware is expensive, there is a high risk in threats related to physical security of the IS.
There is a very low level of homogeneity both in hardware and in practices for using the hardware.
There is a devoted and experienced staff, both in IT and in medics, making insider threats lower and making cooperation easier between IT and non-IT people.
As a good health diagnosis includes various types of data about the patient, the databases about patients are huge and thus, an extremely valuable target.
Because of the broad interdependency of functions, necessary for the good handling of health issues and making the IS and IT processes extremely complex, it's almost impossible to consider a security initiative on the whole of the IS at once. Or at least it's impossible to have it succeed.
Thus, definition of good domains of application for a security initiative are needed. Examples are given of adequate sizes for domains of application:

2 or 3 remote sites
50 employees
10 processes

Because of the importance of health itself and that of the public's opinion, cost in money of a project is rarely the first decision factor.

(I can't wait to get started.)

Friday liberty blogging - Time for European Civil Society

2009-05-29T23:56:00.003+02:00

By reading the news these days, I can't stop asking myself "Why don't they discuss those questions at a more European level?"

Problems of unemployment could be discussed better at a bigger scale. Problems of milk price should be discussed on multiple countries that produce milk. Problems of European universities versus giant universities from China or the US should be discussed among a council of university managers...

Indeed, Europe has working institutions, working agencies, awfully efficient lobbies, working-so-far agricultural policies... but we don't have a working civil society.

You could count famous European-wide NGOs, labour unions, newspapers, political forums... on the fingers of one hand! Few exist and most are unknown to Europeans.

OK, there are some problems to solve: languages, different definitions of words (like the English "liberal" very different from the French "libéral")... but I think those problems can be solved. I think the real problem is the hidden agenda of people with national interests and no transnational interests.

For this reason, I think it would be wise to encourage initiatives like "transnational regions", administrative regions that spread on two or more countries, for instance a region that includes parts of France and Spain, across the Pyrénées. The possibility to have a quantity of political power on transnational scale will help a new civil society emerge.

It's time for a European Civil Society!

Javascript and PDF

2009-05-24T23:44:00.006+02:00

Have a look at Google's answer when both "PDF" and "Javascript" are in the search box. When I did, I got 4 results out of 10 concerned with security faults.
So, here is my initial question: Why should Javascript be put inside PDF files?
Answer: it's in the ISO norm defining PDF 1.7, with no precise details, but at least references to more detailed documents.

It's long known to web developers that Javascript is a nest for problems, especially when it's not correctly documented. Yet Adobe looks to develop forward the possibilities of its software, its file formats and that's normal. However I would wish they did it differently. First, that they did not melt innovations under a unique "PDF" name, which refers to a format that users choose primarily because it's supposed to be portable, simple and solid like rock. Then, that they did not activate Javascript by default. Few users really require it and even they recommend to deactivate it.

Can new MS Office format replace correctly old MS Office format?

2009-05-06T12:09:00.006+02:00

A few friends of mine are concerned that the new MS Office format OOXML (discutably standardized as ISO/IEC 29500) might not replace correctly the previous one. Should they change their organizations' practices to the new OOXML or stay put with the old .doc, .xls, .ppt and so forth?

One assumption was that Microsoft would write the file format to allow for a correct representation of all the previous content. This was in their interest because they then could say to their customers that the transition would be seamless.

However they were criticized for including say "direct representation of old formats" rather than "complete representation" of the same data. Or more simply, they made OOXML represent the mechanisms of the old .doc and .xls, rather than provide something to represent the same information in a unique, coherent new architecture. This means that the OOXML format inherits a lot of the complexity and some bugz and patchz of the previous formats. But it's not my point today.

My point is that when doing this, they forgot things (due to the high complexity of the previous formats I suppose), which made a subcomitee of the ISO say that it is "impossible to fully represent some of the corpus of existing documents in [OOXML] ISO/IEC 29500". So to the questions of my friends about switching to OOXML, my answer is: wait and see.

If there is one thing I am sure about, it's that we have a lot to see from MS competitors: IBM has its own branch of office suite linked to OpenOffice.org, Oracle has just bought Sun's OpenOffice.org and Google will not let go of online edition.

If there is one thing I am convinced about, it's that OOXML is not a mandatory shift so far.

A rant against podcasts

2009-05-02T02:32:00.004+02:00

I'm fed up with the news articles that give you content in the form of podcasts*. I want text back.
* equals "recorded voice", for simple

Here is why:

The only advantage I get over text is the voice of the reader or the interviewed guy. It's not an advantage at all.
Text underlines what's most important. Voice gives me all, interesting and uninteresting. It's the sign of a lazy news reporter.
With text, I can rewind or go fast forward in a blink, without even a mouse click. I can read the same sentence three times if I don't get its meaning easily.
When I get a text, many paragraphs appear on my screen at once, so I can just take a two-seconds-look and tell whether the article is about a matter of my interest or not. With a podcast, I have to listen to it during thirty seconds or more to be sure.
If I am looking for a precise subject, I can press Ctrl+F and look for a word in a text. The same is not possible in a podcast. In most cases, I can search the content of the text directly from my search engine. The podcast is not integrated with search engines.
I am a fast reader, I can read and understand a text three times faster than a good speaker speaks it. (And if he spoke it so fast, I would probably not understand him...)
When I read news, I have ten tabs open at the same time, a RSS reader, a few PDFs loading... Podcasts are using my bandwidth for something that could be done in a few hundred bytes! I call it abusing my bandwidth.

I hope the fashion of reporting news in podcasts will decrease with time. Who knows?

Acrobat Reader blocks my audio system, WTF?

2009-04-29T15:12:00.014+02:00

I wanted to play a song (yes I have a legally bought copy from which I made the mp3) in mplayer and got the following result:

$ mplayer "01 - Adiemus - Karl Jenkins.mp3"

[...]

open /dev/dsp: Device or resource busy

After a few researches, I found:

# lsof /dev

[...]

acroread 32723 christophe 61r CHR 116,33 11606 /dev/snd/timer

acroread 32723 christophe 62u CHR 116,16 12023 /dev/snd/pcmC0D0p

An open document in Acrobat Reader was blocking my sound system. Why? No idea. I closed Acrobat Reader and opened it anew: no problem anymore.

For reference, it's a Ubuntu 8.04 on a PC, with a typical AC97 integrated chip. Package alsa-base is 1.0.16-0ubuntu4 and Acrobat Reader itself is 7.0.

EDIT1 30/04: I should say Adobe Reader, not Acrobat Reader, the former name.
EDIT2 30/04: The package acroread is version 7.0.9-0.0.ubuntu0.7.04+medibuntu2

Acrobat Reader dangerous target

2009-04-24T22:38:00.002+02:00

Acrobat Reader, the most common PDF viewer, is a lot targeted by attackers, in the form of specifically crafted PDF files. Through such attacks, access can be gained into the infected system and other threats such as botnets can occur. The security company F-Secure recommends to replace it with an alternative viewer. (the news from slashdot)

I remember foretelling this to colleagues six months ago.

Shredding files [4/4]: Additional details on shredding

2009-04-16T17:12:00.005+02:00

A link to the three previous bills, please read them first:

Then the matters I wanted to speak about.

First, the choice of the shredding software. Given the high number of vendors for that and the increasing number of rogue security software, I advise to take only software from a well-known vendor (from its official site or from a reseller) or opensource software.
I would bet that among all the software that claim to shred files, one quarter are rogue software.

Second, the views I gave in the three previous bills only take in consideration a part of the complexity of the question. For instance, different media (RAIDed hard drives, Flash memory...) may not follow the same behaviors as hard drives. Another example: filesystems are not considered. If the setup includes a rollback system at the filesystem level, then shredding empty space might not be efficient.

Third and final: let's think practical. There is no need to buy expensive software when you don't have a need for expensive functionalities. Most of the functionalities are covered by the tools included in a basic Linux distribution (thanks ketherius (RO) for the example). There is no need to shred everything everyday if you don't handle extremely valuable information (and even then...)

EDIT 22/06/09: If you can speak French, there has been an eXCellent discussion thread on the matter on linuxfr.org.

Discussing failures

2009-04-09T22:26:00.004+02:00

Excellent bill by Michael Krigsman arguing that we should discuss failures of IT projects and show them as examples of what not to follow.
If I should sum up, here are the five factors that I saw as the root of failures of IT security projects in organizations (companies + public sector), along the years. The examples are invented.

"Political" interests priming over "intelligent" choices. Such as buying a solution from one vendor because the salesperson is Mr Bigboss's friend or the vendor is Mr Bigboss's favorite brand.
Bad top-down communication of the goals and objectives, which results in the implementation of a solution that solves problem B instead of problem A. For instance, Mr Bigboss decides that the crucial point is to protect the integrity of the central databases, but doesn't communicate it well and Mr Smallboss implements a solution that protects the confidentiality of the data going out of the central database. (This one seems simple to avoid once explained, but if you look back, I guess you can find a real example pretty easily.)
Relying on/Trusting too much service providers, thinking that getting the hands dirty is not necessary. This one results in entire sides of the project being forgotten, because the consultants only do what they are asked to.
Bad theory training of the administrators who will use the security solution. They know how to manipulate it but they don't understand the principles and they make bad interpretations of results. They are also not able to react when something goes out of the plan. This is particularly true of "all integrated" products with a shining graphical interface, where some people only retain the location of buttons and screens, and not their actual meaning/behaviour.
Allowing exceptions for top executives of the organization. Once a plan has been decided, everyone must follow it, including them.

Yes, security is fun [sometimes]

2009-04-06T11:04:00.007+02:00

As matter of fact, security people need to watch carefully other people's security blunders so they indeed get a good laugh every time somebody falls in a known trap. (Less if the fallen one is their employer.) The problem is not to get some fun with security, it's to share it with normal, not-security people. XKCD comics takes the challenge, as is the case today:

Opensource revolution: a map for good!

2009-04-01T22:35:00.004+02:00

A dozen of free software personalities were gathered today in Marne-la-Vallée, near Paris, for a little mediatized meeting. The meeting took place in a little pub called "Billy Bob's". Richard Stallman, Eric Raymond, Linus Torvalds could be seen there, and there have been rumors about other personalities such as Alan Cox, Vincent-Xavier Jumel, Bruce Perens, the billionaire Mark Shuttleworth or even Andrew Tanenbaum.

The object of the meeting was to make a planning for managed discussions to settle all of the main ideological problems of the free software offer. Of course the first question was to draw a list of these problems. After easy jokes on the choice of VI or EMACS, the hackers (in the good meaning of the term) decided that a short list would be better, and that new items would be added up to this list if the meetings proved successful. They agreed on the following points:

Settle for a common communication around the issues of dual license and mixt products [auth: such as MySQL]. The various typical reactions of the GPL defenders should be limited so as not to lessen the progress made by these products that are, all in all, positive for free software.
Decide of milestones to generalize binary compatibility between all Linux distributions, FreeBSD and OpenBSD. (To non-technical readers, this means that a program compiled for one of the systems should work on the other.) [auth: I wonder if Andrew Tanenbaum's Minix is in the intended target ^^]
Update the Linux Standard Base to recommend the use of APT rather than RPM.
Decide of a weapon of embargo against constructors of videocards and other hardware that don't release opensource drivers.
Possibly include a Window Manager in the Linux Standard Base recommendation. [auth: this point was very debatted.]

This project, codenamed Opensource Map For Good (OMFG), is great news for all the users of free desktops. Linus Torvalds himself accepted to become the manager of this series of meetings. He said the complete report would be available on Monday. Let's wish them all good luck!

Shredding files [3/4]: Please shred the hard drive

2009-04-01T09:27:00.003+02:00

At this point, we don't shred files anymore and we shred the empty space when we have time and a motivation.

Now, the last important step is not to forget to destroy all of the data when the hard drive is disposed of. There is a lot of data that you must destroy, even if you destroyed your main "My documents": Internet downloaded files, drafts that you may have forgotten, saved passwords or connection parameters...

There are countless stories of companies being spied upon by use of their old hard drives. To get rid of this threat, you can use a hard drive shredder such as the one below.

OK. So, good practice is to establish a policy that forbids hard drives (including internal hard drives in the printers and xerox machines) going out before a shred. Don't donate, sell or dump an old hard drive before a shred.

Is Windows 7 closed-source?

2009-03-31T19:28:00.003+02:00

It seems easy for the people allowed to test Windows 7 to leak it. My question now: how easy is it for some insider to leak the source or parts of it? I would rather say it's quite possible for a project this size and a company this size.

Now, what about the argument of secrecy? Has security through obscurity twilight a meaning?

Shredding files [2/4]: Shredding empty space

2009-03-31T10:43:00.005+02:00

Once you understand that there are shadow copies of your files of value, you get it that it's useless to shred files, as is often recommended, though.

So what's next, how to ensure your files are not recovered? At this point in our reflexion, the problem is that there are confidential bytes in the "empty" space of the hard drive. So, some software provide a tool to "shred" the whole of the empty space. Here, we mean that it will browse the full length of the empty part of the disk and cover it with random patterns, to remove all chances of recovery of the previous data.

The good point is: theoretically it works. The bad point is: practically, it's unmanageable because it means using those random patterns on the size of the empty space of your hard drive. Like dozens of gigabytes. So it takes very long.

The good practice becomes: tell your top management to bring in their laptops for a good shred, before they go to a risk area (like travelling abroad to negotiate contracts). The bad practice is: present your executives with the tool and tell them to do it themselves regularly.

Five sayings about corporate IT security

2009-03-24T15:25:00.004+01:00

Compliance is not security, security is not compliance.
You never get anything secure if you don't reward and show respect to those who advise on security, as they deserve.
Just drop any paper, mail, PDF, blog entry, etc, from Microsoft or a Microsoft Certified Gold Partner dealing with security straight into the trash basket, in the Recycle Bin on the desktop or redirect it to /dev/null.
Adding layers and layers of protection doesn't change the facts: if the actual software that does the actual job can break the confidentiality or the integrity of the information, the additional layers won't change a thing.
If the security responsible doesn't get an effective power on projects (like saying no to a technology or delaying the implementation by two weeks for additional checks), he/she will only marginally increase security.

EDIT 31/03: As I was asked the question, the fifth point is not the result of some frustration gathered during my previous work experiences. It is merely a remark on what I heard from fellow security engineers and read on the web. Essentially, nothing posted in this blog relates to my work at my employer.

Why it's useless to "shred" files, most of the time

2009-03-22T22:39:00.006+01:00

It's becoming common knowledge that a file can be recovered from the hard drive even after being removed. The basic idea is that a file = a container + a content.

When you remove the file, the operating system (whether it be Windows or Linux or else) destroys the container but keeps the content. So the actual bytes of your file remain on the hard drive. And a myriad of software (most with a shareware license) have grown to sell you the idea that by writing zeroes or random patterns over the content, it will make it unrecoverable. That's theoretically true.

The problem is that the soft only destroys what you ask it to. So if there is another copy of the file, that you don't know about, that one will still be available for recovery. And that's the problem with all of MS Office software (and other office suites). These office applications create backup copies to recover if (ever) there is a crash.
And you don't ask the shredder to shred them, so they remain on the hard drive, even if you shred correctly the main file. (You can't shred them, because 1° they're necessary 2° you don't know where they are 3° that would be a long job.)

As a conclusion, if you use your shredder for office files such as .doc, .xls and so on, just drop it, it's useless.