Absent those who have gone gaga over the iPad, the top news for the past two weeks has been the earthquake and disaster in Haiti.  The concern, the outpourings of support (and, yes, the malware and phishing sites that have been attempting to capitalize on the crisis) are all reminiscent of the tsunami, Katrina, and other events stretching back in time.

Haiti has been different.  The major factor has been the total breakdown of infrastructure, and the consequent difficulty in getting the help to those who need it most.

Those of us in the security communities are always interested in disasters.  We are forever dealing with crises, both large and small, assessing risks, planning and comparing mitigation strategies, and looking at the management of it all.  So, I recall that, when Katrina struck, there were endless discussions of the latest details, the structures, the organization (and lack thereof) in the followup efforts.  One person made a donation to a charity, and challenged the group to match his gift.  I upped the stakes.  I challenged everyone to get trained for disasters.

Unfortunately for the point I’m trying to make, I am speaking from a position of privilege.  Canada has the best emergency structure in the world.  (Our disaster response team is in Haiti at the moment, and is always one of the first on the ground whenever there is a major incident, anywhere.)  British Columbia has the best emergency response management system in Canada.  (No, I’m not volunteering at the Olympics.  But for the past year, I’ve been working with a group that has been planning for the fact that, with the big event in town, even a minor crisis is probably going to mean that we may have to provide emergency lodging for a few hundred people.)  And the North Shore, where I live, has the best disaster training regime in BC.  (The group lodging thing isn’t done by VANOC: it’s an effort by the ESS volunteers from the North Shore, Vancouver, and Richmond.)

Emergency response, in a major disaster, is not simply a matter of having water, generators, blankets, and rescue dogs.  It has to do with organization, co-ordination, management, and, particularly, trained people.  Most of them volunteers, since nobody can afford to pay for a full-time staff of all those you need to have ready in an emergency.

That’s where you come in.

Get trained.

There is some emergency measures organization that covers your area, regardless of where you live.  Your local municpality probably has an office.  And they probably need volunteers.  And they provide training.

If you volunteer, you will probably get trained.  For free.  (You may also get additional perqs.  I get my flu shots paid for every year, since I’m an emergency worker.)

First of all, you’ll probably get trained on what you need for you and your family.  What do you need to survive the first 72 hours following a disaster?  Do you know how much water, what type of food, etc, you need, in the event of a total failure of utilities and other factors we rely on?

Then there are the skills you need to help other people.  Sometimes this might relate to first aid, or structural assessment of buildings after an earthquake, etc.  However, there are many necessary skills that are not quite so dramatic.  Most emergency response, believe it or not, has to do with paperwork.  Who is safe?  Who needs care?  Do families need to be reunited?  Documentation of all of this is a huge effort, which goes on long after the bottles of water and hot meals have been distributed.

Then there are management skills, to co-ordinate all of the other skills.  An awful lot of “charity” gets wasted because some people get too much help, and others don’t get enough.  Someone needs to oversee the efforts.

Training in all of this is available.  And, in an emergency, having trained people is probably more important than having stockpiles of tents.  Trained people can make or improvise shelter.

Maybe your municipality or county doesn’t have a formal emergency structure.  In that case, there are organizations covering the gap.  In Canada, the government doesn’t do it all.  The Red Cross and Salvation Army are two of the groups that have been working on this for years, and have specialists.  In BC we have courses provided by the Justice Institute in a number of areas.  The provincial government has created a marvelous structure, ensuring consistent organizational layout for all sizes and types of disasters, and all types of response.  But we don’t bother reinventing the wheel.  In our formal training curriculum, a number of the courses are prepared, provided and run by the groups that have been doing it for years, and know it best.  If your government doesn’t have the courses available, go to those who do.  They are around.

(For those who have security related certifications, like the CISSP, ongoing professional education is a requirement.  A constant complaint is that training is expensive, and getting the credits costs too much.  I get all kinds of training related to business continuity and disaster recovery.  I get almost all of it free.)

Get trained.  Volunteer.  You’ll get a wealth of experience that will help you plan for all kinds of events, not just for major disasters, but for the minor incidents that plague us and our companies every day.  You’ll be ready for the big stuff, too.  You’ll be able to keep yourself and those near to you safe.  You’ll be able to make a difference to others, certainly reducing suffering, and possibly saving lives.  If and when something major happens, you will be a part of the infrastructure necessary for the response to be effective.  You’ll be part of the solution, rather than part of the problem.

Rev. 6:6, OCD [1]

“Then it was as if I heard a voice saying: And they shalt go into the storehouses, and look there for the snack foods made from corn [2] which the hands of men have made into hollow cones or cornets [3].  And they shall go unto the Save-On, and unto the Shoppers Drug Mart, and unto the Safeway, and even unto the Zellers, which is the store of last resort when old stock is being cleared out.  And they shall find them not.  And, having no proper snack foods for the parties of the new year, the new year shall come not, and thus shall be the end of times.”

[1] Old Canadian Deviant translation, as opposed to the New American Standard

[2] Some ancient manuscripts add: “And this is not that barelycorn which was known even in Ur of the Chaldees, but that which came from the land newly found by him who gave his name unto a seventies TV detective show, but of whom we may not, at this time, speak”

[3] Scholars debate the meaning of this word.  Most believe that it is simply a reference to “little objects made from corn.”  However, some feel that it is similar to the word for “trumpets,” or, possibly “bugles.”

I am a bit freaked.

Last month I received an email message from American Express.  I very nearly deleted it unread: it was obviously phish, right?  (I was teaching in Toronto that week, so I had even more reason to turf it unread rather than look at it.)

However, since I do have an Amex card, I decided to at least have a look at it, and possibly try and find some way to send it to them.  So I looked at it.

And promptly freaked out.

The phishers had my card number.  (Or, at least, the last five digits of it.)  They knew the due date of my statement.  The knew the balance amount of my last statement.

(The fact that this was all happening while I am aware from home wasn’t making me feel any more comfortable with it …)

So I had a look at the headers.  And couldn’t find a single thing indicating that this wasn’t from American Express.

(I had paid my bill before I left.  Or, at least, I *thought* I had.  So I checked my bank.  Sure enough, that balance had been paid a couple of days before.  However, I guess banks never actually transfer money on the weekend or something …)

A couple of days later I got another message: Amex was telling me that my payment was received.  That’s nice of them.  They were once again sending, in an unencrypted email message, the last five digits of my card number, and the last balance paid on my account.

Well, I figured that it might have been an experiment, and that they’d probably realize the error of their ways, and I didn’t necessarily need to point this out.  Apparently I was wrong on all counts, since I got another reminder message today.

Are these people completely unaware of the existence and risk of phishing?  Are they so totally ignorant of online security that they are encouraging their customers to be looking for legitimate email from a financial institution, thus increasing the risk of deception and fraud?

Going to their Website, I notice that there is now an “Account Alerts” function.  It may have been there for a while: I don’t know, since I’ve never used it.  Since I’ve never used it, I assume it was populated by default when they created it.  It seems to, by default, send you a payment due notice a week before the deadline, a payment received notice when payment is received, and a notice when you approach your credit limit.  (Fortunately, someone had the good sense not to automatically populate the option that sends you your statement balance every week.)  These options may be useful to some people.  But they should be options: they shouldn’t be sending a bunch of information about everybody’s account, in the clear, by default.

(There are, of course, “Terms and Conditions” applicable to this service, which basically say, as usual, that Amex isn’t responsible for much of anything, have warned you, and that you take all the risks arising from this function.  I find this heavily ironic, since I knew nothing of the service, don’t want it, and got it automatically.  I never even knew the “Terms and Conditions” existed, but in order to turn the service off I’ll have to read them.)

(In trying to send a copy of this to Amex, I note that their Website only lists phone and snailmail as contact options, you aren’t supposed to be able to send them email.)

What with twenty years experience in reviewing AV software, I figured I’d better try it out.

It’s not altogether terrible.  The fact that it’s free, and from Microsoft (and therefore promoted), might reduce the total level of infections, and that would be a good thing.

But even for free software, and from Microsoft, it’s pretty weird.

When I installed it, I did a “quick” scan.

That ran for over an hour on a machine with a drive that’s got about 70 Gb of material on it, mostly not programs.  At that point I hadn’t found out that you can exclude directories (more on that later), so it found my zoo.  It deleted nine copies of Sircam.

Lemme tell ya ’bout my zoo.  It’s got over 1500 files in it.  There are a lot of duplicate files (hence the nine copies of Sircam), and there are files in there that are not malware.  There are files which have had the executable file extensions changed.  But there are a great number of common, executable, dangerous pieces of malware in there, and the only thing MSE found was nine copies of Sircam.

(Which it deleted.  Without asking.  Personally, for me, that’s annoying.  It means I have to repopulate my zoo from backups.  But for most users, that’s probably a good thing.)

Now, when I went to repopulate my zoo, I, of course, opened the zoo directory with Windows Explorer.  And all kinds of bells and whistles went off.  As soon as I “looked” at the directory, the real-time component of MSE found more than the quick scan did.  That probably means the real-time scanner is fairly decent.  (In my situation it’s annoying, so I turned it off.  MSE is now annoyed at me, and continues to be annoyed, with big red flags on my task bar.)
MSE has four alert levels to categorize what it finds, and you have some options for setting the default actions.  The alert levels are severe (options: “Recommended action,” “Remove,” and “Quarantine”), high (options: “Recommended action,” “Remove,” and “Quarantine”), medium (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”), and low (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”).  Initially, everything is set at “Recommended action.”  I turned everything down to the lowest possible settings: I want information, not strip mining.  However, for most people it would seem to be reasonable to keep it at the default action, which seems to be removal for everything.
I don’t know where it puts the quarantined stuff.  It does have a directory at C:\Documents and Settings\All Users\Application Data\Microsoft Security Essentials, but no quarantined material appears to be there.

(I did try to find out more.  It does have help functions.  If you click on the “Help” button, it sends you to this site.  However, if you click on the link to explain the actions and alert levels, it sends you to this site.  If you examine those two URLs, they are different.  If you click on them, you go to the same place.  At that location, you can get some pages that offer you marketing bumpf, or watch a few videos.  There isn’t much help.)
You can exclude specific files and locations.  Personally, I find that extremely useful, and the only reason that I’d continue using MSE.  It does seem to work: I excluded my zoo before I did a full scan, and none of my zoo disappeared when I did the full scan.  However, for most users, the simple existence of that option could signal a loophole.  If I was a blackhat, first thing I’d do is find out how to exclude myself from the scanner.  (There is also an option to exclude certain file types.)

So I did a full scan.  That took over eight hours.  I don’t know exactly how long it took, I finally had to give up and leave it running.  MSE doesn’t report how long it took to do a scan, it only reports what it found.  (I suspect the total run was around ten or eleven hours.  MSE reports that a full scan can take up to an hour.)

While MSE is running it really bogs down the machine.  According to task manager it doesn’t take up much in the way of machine cycles, but the computer sure isn’t responsive while it’s on.
When I came back and found it had finished, the first thing it wanted me to do was send a bunch of suspect files to Microsoft.  The files were all from my email.  On the plus side, the files were all messages that reported suspect malware or Websites, so it’s possible that we could say MSE is doing a good job in scanning files and examining archives.  (On the other hand, every single message was from Sunbelt Software.  This could be coincidence, but it is also a fact that Sunbelt makes competing AV software, and was formerly associated with a company that Microsoft bought in its race to produce AV and anti-spyware components.)

Then I started to go through what Microsoft said it found, in order to determine what I had lost.

The first item on the list was rated severe.  Apparently I had failed to notice six copies of the EICAR test file on my machine.

Excuse me?  The EICAR test file?  A severe threat?  Microsoft, you have got to be kidding.  And the joke is not funny.

The EICAR test file is a test file.  If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR.  It’s harmless.  Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.

It shouldn’t delete or quarantine all copies it finds on the machine.

MSE also said it quarantined fifteen messages from my email for having JavaScript shell code.  Unfortunately, it didn’t say what they were, and I wasn’t sure I could get them back.  I don’t know why they were deleted, or what the trigger was.  MSE isn’t too big on reporting details.  I don’t know whether these messages were simply ones that contained some piece of generic JavaScript, and got boosted up to “severe” level.  Given the EICAR test file experience, I’m not inclined to give Microsoft the benefit of the doubt.

After some considerable work, I did find them.  They seemed to be the “suspect” messages that Microsoft wanted.  And when I tried to recover them, I found that MSE had not quarantined them: they were left in place.  So, at the very least, at times MSE lies to you.

(I guess I’d better add my email directory to places for MSE not to scan.)
MSE quarantined some old DOS utilities.  It quarantined a bunch of old virus simulators (the ones that show you screen displays, not actual infectors).  (Called them weird names, too.)

MSE quarantined Gibson Research’s DCOMbob.exe.  This is a tool for making sure that DCOM is disabled on your machine.  Since DCOM was the vector for the Blaster worm (among others), and is really hard to turn off under XP, I find this rather dangerous.

OK, final word is that I can use it.  I’ll want to protect certain areas before I do, but that shouldn’t be too much of a concern for most users.

You might want to make sure Microsoft isn’t reading your email …

As part of some research into the security risks of social networking, I did an ego search on myself.  (Hey, it’s legitimate research, all right?)

On Altavista, the first hit was the Wikipedia page someone created about me.  The second result was http://www.robertslade.com/ which I hadn’t known existed.  As well as correctly listing his published books, this page informed him that me that I was mentioned on the Wikipedia entry for the RISKS-Forum Digest (which is a definite ego boost).  It also provides a photograph of someone else.  As well as two pictures I didn’t take, and three videos I have nothing to do with.  Two different boxes provide links to buy books, some of which are mine, and most of which aren’t.

I expected to find entries that weren’t me: I know there are a lot of Robert Slades on the net.  But it’s a bit weird to find out that there is a domain about me that I didn’t know about.
I also found the church I’m buried in, so currently I’m not feeling too great …

This system has had some discussion in the forensics world over the past few days.  Here’s an extract from Science Daily:

“Computers have made it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview. A lost cell phone can expose personal photos or text messages. A legal investigation can subpoena the entire contents of a home or work computer. The University of Washington has developed a way to make such information expire. After a set time period, electronic communications such as e-mail, Facebook posts and chat messages would automatically self-destruct, becoming irretrievable from all Web sites, inboxes, outboxes, backup sites and home computers. Not even the sender could retrieve them.

“The team of UW computer scientists developed a prototype system called Vanish that can place a time limit on text uploaded to any Web service through a Web browser.

[Perhaps a bit narrower focus than the original promise, but it is a prototype - rms]

“After a set time text written using Vanish will, in essence, self-destruct.  The Vanish prototype washes away data using the natural turnover, called “churn,” on large file-sharing systems known as peer-to-peer networks. For each message that it sends, Vanish creates a secret key, which it never reveals to the user, and then encrypts the message with that key. It then divides the key into dozens of pieces and sprinkles those pieces on random computers that belong to worldwide file-sharing networks. The file-sharing system constantly changes as computers join or leave the network, meaning that over time parts of the key become permanently inaccessible. Once enough key parts are lost, the original message can no longer be deciphered.”

However, given the promise to clean up social networking sites, and as I started to read the paper, an immediate problem occurred to me.  And, lo and hehold, the authors admit it:

“We therefore focus our threat model and subsequent analyses on attackers who wish to compromise data privacy. Two key properties of our threat model are:
1. Trusted data owners. Users with legitimate access to the same VDOs trust each other.
2. Retroactive attacks on privacy. Attackers do not know which VDOs they wish to access until after the VDOs expire.
The former aspect of the threat model is straightforward, and in fact is a shared assumption with traditional encryption schemes: it would be impossible for our system to protect against a user who chooses to leak or permanently preserve the cleartext contents of a VDO-encapsulated file through out-of-band means. For example, if Ann sends Carla a VDO-encapsulated email, Ann must trust Carla not to print and store a hard-copy of the email in cleartext.”

So, this system works perfectly.  If you only communicate with people you trust (both in terms of intent, and competence), and who only use the system properly, and never use any of the information in any program that is not part of the system, it’s completely secure.

How often have we heard that said?

The default to privacy aspect is interesting, and the automatic transparency for the user as well, but this simply moves the problem one step back, as it were.  In terms of utility to social networking, the social networks would have to be completely rewritten to adher to the system, and even then it would be pretty much impossible to ensure that nobody would have the ability to scrape data and keep or publish it elsewhere.

(Plus, the data is still there, and so is Moore’s Law …)

On Monday, it’ll be 40 years since a man first walked on the moon.

Big deal, some of you will say.  I imagine that most of the people who read this weren’t even born then, so all your lives were lived after man walked on the moon.

And, really, it wasn’t a big deal.  We came, we walked around a bit, we left.  We never went back.  This week we sent an unmanned spacecraft back, and it took some pictures of the places we once landed.  Big, brave us.

In the 40 years since then, what did we do?  We spent money on wars (and rumours of wars).  “Greed is good” became an acceptable business motto.  We had innumerable economic crashes (mostly due to greed).  Science has become a political football (with politicians and business telling scientists that facts aren’t facts because we can’t afford them).

We did invent the Internet, and personal computers.  We mostly use them now for porn.
So, to all of you kids who don’t remember the great event, accept as a video clip of ancient history:

You’re right.  Big deal.

Gloria pointed out an article in the Vancouver Sun and, just in case it disappears in a few days, I found the author’s blog.

The main thrust of the article is on the risk/benefit of a lack of privacy, as practiced in social networking.  This (absent the social networking) reminded me of David Brin’s “The Transparent Society,” and if you haven’t read it, I recommend it.

Over the past few days, both the Vancouver Sun and the Ottawa Citizen have published (basically the same) story about “Toronto-based Ancestry.ca.”  From the articles, this appears to be related to such public institutions as the national archive and Library and Archives Canada.  And the price is right: “A two-week free trial period that began June 10 allows users to search for and download documents at no charge.”

I tried it out.  Giving minimal information about him brought up over 6,000 hits, the second of which was my grandparent’s marriage certificate.  Pretty good.

Unfortunately, that is not the whole story.  If you want to actually see anything that the search finds, you have to register.  And, if you pay attention, and actually read the “Terms and Conditions” (and look at the full screen, not the portion that shows when the box first pops up), you find that you are registering with “an Internet service (the “Service”) owned and operated by The Generations Network, Inc, an American company incorporated in Delaware, USA, and whose registered address is 360 W 4800 N Provo, UT 84604, USA.”  In order to register you have to provide a credit card.  After 14 days (and it isn’t clear whether that is 14 days after June 10, or 14 days after you register) “[i]f you wish to terminate your subscription you must notify us at least two (2) days before the Renewal Date by calling (800) 958-9073 Member service is available from Monday to Friday 7:00 am to 4:00 pm MST, or by sending an email to cancel@ancestry.ca providing the following information: Given name and surname, Username, Subscription type (UK/Ireland collection, etc.), Email address used when subscribing, Phone number including country code, Country.  If you fail to respond to the notice, your subscription will be automatically renewed,” and, of course, your credit card will be charged.

So, read carefully, people.  Are you dealing with a public institution, or a private company?  Are you dealing with a company in your country, or another?  And, is your “free trial” an “opt-out” contract for the company to start billing your credit card?

OK, this has got nothing to do with computers (except that the SkyTrain is completely automated).

For the past three years, Cambie Street, a major thoroughfare with at least four different shopping and business areas on it, has been almost completely shut down for the construction of the RAV (Richmond-Airport-Vancouver) SkyTrain line (aka Canada Line).  (Since it is located almost dead centre in Vancouver, the city has been pretty much bisected for that time, and the traffic hassles have been enormous.)  Originally the line was supposed to be a tunnel, but that was going to take too long and cost too much, so they dug up the entire street.  For three years.

Most of the businesses along Cambie have gone bankrupt in that time: others have moved.

Now a lawsuit for damages has been won by a business owner.

This will, of course be a precedent, and will undoubtedly lead to more judgements (I think other cases are already before the courts) and more lawsuits.

I’ve got to admit to an uncharitable glee over this turn of events.  The RAV line was not prompted, but the decision to actually build it was undoubtedly influenced, by the 2010 Olympics.  The provincial government has been absolutely gaga over having the games here, and has launched a number of “vanity” projects and other measures.  (Latest on the list: for the games, security personnel won’t have to undergo the minimal training and licencing that already exists.  They can get a special certificate which seems to merely verify that they are breathing.)

According to ITWorldCanada, C-level executives are pushing for greater access to social networking sites and facilities, while even IT managers and security specialists are unprepared to deal with the full range of risks from this type of activity.

In order to get some traction with senior management on this issue, you might want to remind them that, when they take off with funds they’ve obtained via fraud, it’s best not to post boasts on Facebook.

Continuing from Hiring Hackers - as speakers (part 1):

Are those who conduct breaches and intrusions of computer systems important sources of information?

I suppose it seems intuitively obvious that the answer is “yes.”  After all, these are the people who are breaking into the things we want to protect: surely they know how.  However, with a little consideration, the “obvious” answer evaporates.

First of all, in purely logical terms, it is not necessary that those who break into systems know all possible ways to do so.  In practice, it is true that many attacks these days involve multiple vulnerabilities, but logically it is only required that the attacker knows one.  This truism is well known, in slightly different form, in relation to testing and systems development: testing can be used to prove the presence of bugs, but never their absence.  Or, as I frequently point out in relation to system security, the attacker has a much easier job than the defender.  The defender must be correct in every single instance and activity.  The intruder only has to be right once.

Therefore, the interloper has the easier job, and can afford to be lazy.  If they can be lazy, they probably will be lazy: that is human nature.  (After all, a number of people would argue that blackhats have already shown themselves to be morally lazy.)  As the proverb has it, everything is always in the last place you look.  Once you’ve found it, why keep on looking?

(Oh, curiosity, you say?  Well, curiosity is great: it keeps us learning.  But it is hardly the exclusive preserve of those on the wrong side of the law  In addition, properly identifying, researching, and documenting what you find, in such a way that it will be useful to others, tends to require a lot of boring work, and discipline.)

So, at the very least, we can say that attackers have no advantage in terms of scope and a comprehensive view of vulnerabilities, and may be at a disadvantage.

Do intruders have any advantage in depth of knowledge?  This is almost impossible to answer in any meaningful way, of course.  Individuals vary in knowledge, comprehension, analytic ability, and creative or imaginative thought.  Despite years of attempts to create testing instruments and metrics for cognitive processes, we have only the most general ability to predict a specific person’s accomplishments in the real world.  We do know that ability varies widely, and it would be foolish in the extreme to contend that all whitehats would be as able as any given blackhat.

However, that said, I would suggest that it should be possible to assert that, collectively, security professionals are more knowledgeable than intruders.  This is due to my earlier argument: those people who have had more demands (even sometimes arbitrary demands) placed upon them will have more discipline (and more background) to address the problem.

The argument is sometimes made that we should study “successful” exploits.  The hypothesis here is a bit harder to dissect: after all, a “successful” exploit is simply one that works.  It is true that certain attacks are more effective in a given environment, and that intrusions or infections which work over very large numbers of systems tend to involve a number of factors, not all of them technical.  Historically, though, it seems to be that the most astounding and newsworthy of attacks are as much a surprise to their authors as they are to the rest of us.  It is unlikely, in the extreme, that our adversaries have these events fully planned, or understand all the determinants of an overpowering offensive.

It is a truism that two heads are better than one: this is recognized by fields as diverse as auditing and extreme programming.  This statement is formalized, in the open source community, by Linus’ Law: with sufficiently many eyeballs, all bugs are shallow.  Most systems professionals would recognize that the more people examine a system, the better (in terms of identification of vulnerabilities).  The “Hire a hacker” crowd tends to jump on this in advancing their cause: why not listen to the attackers when they come up with a new exploit?

This, however, is a spurious argument.  There is no choice between listening to an intruder or not knowing about the vulnerability at all.  Once a vulnerability is known, it can be explained by anyone who understands it, and can present it accurately and clearly.

Which brings up a final point.  As I said in the earlier piece, blackhats tend to have more-than-healthy egos.  Yet their opinion of their own prowess is seldom supported by the materials they produce in evidence.  I’ve read a great many “zines” produced by those in that community (and even the occasional book ostensibly written by a reformed or active hacker) and almost never have I found anything worth reading either for the technical content, or in regard to readability.  (Yes, those who have read my book reviews will know that I don’t think highly of all technical books, but sometimes I do find one worth reading.)  And, in fact, reading the books by professional authors who base their text on “as told to” information from those on the dark side gets to be very boring as repetitive as well.

Writing is a skill, and not everyone can do it well.  Teaching is a skill, and not everyone can do it well.  (Presenting at conferences is a slightly different skill and, as anyone who has ever attended a conference can tell you, not everyone can do it well.)  Both writing and teaching require, as well as certain technical competencies, a feeling and empathy for a large and often ill-defined audience.  Since criminal hackers have clearly demonstrated, by their actions (and continue to demonstrate, in subsequent interviews long after their intrusions, conviction, and even release), a lack of consideration for their victims, it is unlikely that they would make good teachers.

Or conference speakers.

By the time you read this, CIO magazine will probably have already done its “In Cloud We Trust” Webcast.

The ISSA, ready to provide links to any security related activities, inadvisedly advertised the Webcast.  I say inadvisedly, because the Webcast, or at least the promotional material, features Kevin Mitnick.  This juxtaposition created a bit of a furor over the fact that a prestigious security institution was promoting a former computer criminal.  (It is entirely possible that Kevin Mitnick rather enjoyed the discomfiture of ISSA, since ISSA had the affrontery, in 2003, to turn down Kevin Mitnick’s application for membership.)

All of which sparked yet another debate, in at least one venue, over the advisability of hiring or attending to (for the purposes of security), those formerly convicted of computer crimes.

Feelings are strong, and tempers rather short, when this topic comes up for discussion.  Passions are surprisingly high on both sides of the debate.  However, I would like to attempt to present some opinions on the matter.

(I’m not going to speak about the Webcast itself.  As chance would have it, I’ll have to be getting on a bus at about that time in order to go downtown.  To speak to an ISSA meeting.)

Those who feel that hackers can and should be hired suggest that those best qualified to protect systems are those who have broken into them.  We, in defence of our systems, should not let foolish moral quibbles stand in the way of gaining the best information and advantage that we can.

I am on the side that opposes the use of former criminals.  I do not disagree with the risk management analysis of those on the pro side, but I feel that it is based on faulty assumptions.  My objections to the hiring of hackers are practical as well as moral, and, in terms of ethical analysis, lies in the area of practical morality.

In order to address the practical issues, I have to clarify, and separate, the different types of help we think we are going to get from cybercriminals.  Do we employ them for security management and administration?  Do we hire them for penetration testing?  Do we use them as security consultants?  Or do we just listen to them in seminars, webcasts, and conferences?

This last is the most difficult to oppose.  What is the harm in listening?  Should we not take every opportunity to learn all that we can about security?  Why block ourselves off from an important source of information?

So, I’ll address this first.

What is the harm in listening?  Well, we aren’t just listening, are we?  First off, most “reformed hackers” aren’t exactly doing this out of the goodness of their hearts.  Those who are on the lecture circuit generally make pretty good money out of it.  A lot of them make more than most legitimate security researchers, analysts, and consultants.  Then there are the spin-off benefits in books, workshops, and just plain advertising for John Q. Hacker’s Security Consulting.

Money isn’t the only benefit, though.  I’ve always been interested in the social side of technology, and for more than twenty years I’ve been studying those on the dark side.  Most of these people are charter members of Egos-backwardsR-Us.  Not all of them, but certainly enough to make it pretty much a defining characteristic.  Given a choice between money and a chance to grab the limelight, they might have to stop and think about it.

Regardless of whether we are paying cash or just stroking egos, one thing we are definitely doing is tacitly promoting the importance of what they have done.  We are saying that it is better, in the sense of obtaining security information, to break into systems than to study in other ways.

And I’ll address that later.

Dinosaur that I am, it never occurred to me that long URLs were a major problem.  Sure, I’d gotten lots that were broken, particularly after going through Web-based mailing lists.  But you could generally put them back together again with a few mouse clicks.  So what?

So the fact that there were actually sites that would allow you to proactively pre-empt the problem, by shortening the URL, came as a surprise.  What was even more of a surprise was that there were lots of them.  Go ahead.  Do a search on “+shorten +url” and see what you get.  Thousands.  http://bit.ly/ http://tubeurl.com/ http://www.shortenurl.com/index.php http://urlzoom.org/ http://ayuurl.com/ http://urlsnip.com/ http://url.co.uk/ http://metamark.net/ http://8ez.com/ http://notlong.com/ http://shorten.ws/ http://myurl.si/ http://dwindle.me/ http://nuurl.us/ http://myurlpro.com/ http://2url.org/ http://tiny.cc/

I would not, by the way, advise visiting that last.  .cc is a domain used by those on the dark side.  In fact, I wouldn’t recommend visiting many of those: I have no idea where they came from, except that a search pops them up.  Which is part of the point.

Are URL shorteners a good thing?  Joshua Schachter says no.  Therefore, in opposition, Ben Parr says yes.  There are legitimate points to be made on both sides.  They add complexity to the process.  (Shorteners aren’t shorteners: they are redirectors.)  They make it easier to tweet (and marginally easier to email).  They disguise spam.  Some of the sites give you link use data.  They create another failure point.  They hide the fact that most Twitter users are, in fact, posting exactly the same link as 49,000 other Twitter users.

URL shorteners/redirectors are going to be used: that is a given.  Now that they here, they are not going away.  Those of pure heart and altruistic (or, at least, monetary only) motive will provide the services, have reasonable respect for privacy, and add functions such as those providing link use data to the originator (and, possibly, user).  A number of the sites will be set up to install malware on the originator’s machine, to preferentially try to break the Websites identified, to mine and cross-corelate URL and use data, and to redirect users to malicious sites.

If you are going to use them (and you are, I can tell), then choose wisely, grasshopper.  There are lots to choose from.  Choose sites that offer preview capabilities.  If someone doesn’t use the preview options, you can still add them.  http://tinyurl.com/a-short-url-that-expands is the same as http://preview.tinyurl.com/a-short-url-that-expands : you just have to add the “preview.” part.  http://is.gd/ is even easier: just add a hyphen to the end of the shortened URL.  I’m hoping that one of the sites will start checking the database for already existing links, and returning the same “short form”: it’d make it easier to identify all the identical tweets.  (With the increasing use of the sites, it will also ensure that the hash space doesn’t expand too quickly, which would be to the advantage of the shortening sites.)

What could be worse: a vague and hastily thrown together mashup of security protections masquerading as a security framework or standard, or having the government get into the act?  Now you don’t have to choose: you can have the worst of both worlds!  Follow the US Congress hearings on PCI!  Or, follow the commentary into the hearings on Twitter (which is fairly random and noisy, but probably makes just as much sense).

Those in the Australian state of Queensland are having a cull of cane toads, a pest.  I don’t know whether it would work, but the mass reduction of a pest population is, generally speaking, a good thing.  It may not eliminate the problem once and for all, but a sharp decrease in population is usually better than a constant pressure on a species.

So, is there any way we can get some support going for a mass cull of computer viruses?  Most currently “successful” viruses are related to botnets, and botnets are often used to seed out new viruses.  Viruses are used to distribute other forms of malware.  Doing a number on viruses would really help the information security situation all around.  (I have, for some years, been promoting the idea that corporations, by sponsoring security awareness for the general public, would, in fact, be doing a lot to reduce the level of risk in the computing and networking environment, and therefore improving their own security posture.)