Mythic Monday – Hubris

I made the mistake the other night of watching Blade Trinity. The movie, as a whole, is irrelevant to this point (and all others, really). However, it occurs to me that the evil villain, Dracula (yeah, that’s original), suffers from a flaw that is common in many stories. Basically, he is so confident in his skills that he ignores the fact that the hero of the story has already defeated two movies’ worth of baddies.

To be fair, other major villains suffer from this same problem: Darth Vader, Lord Voldemort, Lord Sauron… as do heroes: Oedipus, Gilgamesh and Dr. Gregory House. The problem with them all is that their overconfidence leads directly to their eventual downfall. Sometimes, it is dramatic and impressive, other times (like this) it just involves a lot of bright shiny pixels that fly every which way until the filmmaker’s budget is used up.

The lesson to learn, I think, is that hubris kills… often at an appropriately-delayed climactic plot point. Here in the real world, of course, we tend not to have impressive glorious pixely deaths, which just leaves the problem of supreme overconfidence.

In I.T. Security, this sort of thinking often manifests itself as a general feeling of invulnerability against attack. This can be due to an existing investment giving a greater feeling of security than actual security. It can be due to a belief of general supremacy that is undeserved. Most often, though, it is due to a fundamental misunderstanding of the enemy.

Just as Lord Voldemort couldn’t conceive of a bunch of school kids as a threat, and Oedipus allowed himself to think that he had outwitted fate (never, never wise), if you ignore I.T. threats, you render yourself vulnerable to them and, through them, invite your inevitable comeuppance. If you accept your business in all its flaws, you’ll know where to protect yourself. If you do not, you may well go out in a blaze of shiny glory that is just as logically inexplicable as Dracula’s shape-shifting powers in this horrible movie.

Mythic Monday – Bulgarian Scope Creep

There is a Bulgarian creation myth where, in the beginning, the earth was just a tiny island. Cohabitating on this island were God and the Devil (guess they were more friendly then). One day, perhaps following an Oscar-and-Felixian roommate dispute, the Devil suggested that God take a nap, planning that whilst the almighty creator was slumbering, he could be tipped into the ocean. I guess that, in Bulgaria, one can be omnipotent and omniscient, and still somehow fail to gain their B.S.C and S.S.C..

Anyway, as the Devil attempted to push God off the island, the island magically expanded in each direction (it’s clear from this story that the Devil wasn’t omniscient), so that nary a toe got dampened. The shoreline simply grew in each direction and, by the time the Devil gave up, the island had expanded to the size of our current Earth. Which basically means that the state of the Earth today is due entirely to Devil-induced scope creep.

It explains a lot, doesn’t it?

Scope creep is a danger in all projects. It doesn’t matter whether you’re developing an application, enacting a security program or just shopping for groceries, scope creep can blow both your budget and deadline. It’s tempting when you’re working on something to just add a little piece here and there because it will make future work easier. Unfortunately for the business, integer math insists on summation, and so long as businesses are profit-focused, integer math is going to be important. From a security perspective, scope creep is additionally dangerous because it complicates things. Complicated things are harder to secure than simple things. The simpler you can keep a project, the better you can understand it, so the easier it is to secure.

Scope creep, of course, is most dangerous when shopping. A while back, I stopped by the store to pick up some basics (apples, bananas, yogurt, etc), and I noticed that winter squash was on sale… so my scope expanded a little bit and two squash wound up in my cart. Later, once I got home I realized that I had no idea what to do with them (other than the basic roast squash, which is boring). After consulting one of my cook books, I discovered that I needed a few more things. After another shopping trip that involved carrots, celery, onions, garlic and broth, I soon had two soups a simmering. Regrettably, the last step for each soup involved a blender, and the blender I had was incapable of dealing with the increased complexity of my soups. It quickly suffered what I must refer to as a catastrophic containment failure which necessitated another trip to the store to get a new blender.

All told, my initial scope creep of two impulse-bought squash cost me over a hundred dollars in ingredients and blender replacement, not to mention the ridiculous amount of time wasted in the endeavor. While I am thankful that I was able to find the blender-related security hole and believe that I have effectively mitigated the risk, life would have been much simpler had I not needed to.

I’m blaming the devil.

Mythic Monday – The Creation of the Aztec People

According to Aztec myth, after the previous inhabitants of the Earth had been turned into fish, the gods wanted to make more people. Now, one would rationally expect that if the gods liked people so much, they wouldn’t have flooded the Earth in the first place and turned all the previous people into fish, but the Mesoamerican myths don’t seem to be much for rationality and forethought.

Anyway, to create the people, the gods needed the magical bones, which were guarded by the Lord of Death. After a fairly typical quest, followed by a challenge and the reneging by the Lord of Death on the deal, the hero carrying the bag of bones fell to the bottom of a pit and the bones were broken. That, of course, is why people come in a variety of shapes and sizes.

Of course, we are quite lucky that the Aztec hero was such a klutz. The numerous variations in humanity have rendered us resistant to various plagues. (Technically, this is only partly true, as there is evidence that humans are more genetically identical than most animals (except for cheetahs), but we’re ignoring that here.) The more variation there is in a genome, the greater the resistance to threats. Though similar concern has been raised about the ongoing homogenization of our food supply and how it renders us vulnerable to threats, this blog is about I.T. and business security.

For quite some time, I have been arguing against homogenization within certain businesses. The current practice of having all systems identical makes things very easy to manage. It makes it easy for auditors to verify that proper security standards are in place. It also can tie into automatic patching plans and keep everything up to date. However, it means that every person in the organization has to adapt themselves to the same software, and that if an attacker manages to get into one system, they can march right into every other one.

Like all things, using system images is a tradeoff. It seems that many organizations implement imaging just because it’s best practice. Sure it solves some problems, but any change also creates others. Often, an imaging project identifies numerous applications to drop out of the environment. This is great for general security, as it reduces attack surface, but often many of these are there because they make the business more effective.

Given that the whole point of “the computer revolution” was that we are now able to adapt technology to our lives at very small levels, it seems like questionable logic to take devices that are capable of enhancing individual abilities and compensating for individual flaws, turn them all into identical machines, and then force people to match them. Richard Bejtlich gets into this in more depth over in his post Let a Hundred Flowers Blossom.

My point isn’t that imaging is bad. In some environments, it’s a necessity. (Mostly regulated environments or those lacking a technically-skilled workforce who can select the appropriate applications to enhance their productivity.) It just shouldn’t be a goal without consideration of the total business impact.

After all, people are all different. If the technology is all the same, it obviously won’t work as well for some people as it will for others. The question to ask is whether the benefit of uniformity outweighs the cost in productivity.

Mythic Monday – The Lion, the Mouse, and the Fox

In case you haven’t figured it out, I fall back to blogging about an Aesop fable when I’m stuck for other things. In this case, I am stuck underneath a cat and all of my mythological references are about half a meter out of reach. Luckily, many of Aesop’s fables are available online. Like, for example, this one.

In this story, a sleeping lion is startled awake when a mouse runs across his nose. Looking all around for whatever woke him up, he checks all over his cave and finds nothing. A fox observes this behavior and, knowing that he can outrun a sleepy lion, makes fun of him for being afraid of a mouse. Attempting to save face, the lion claims not to have been afraid, but rather affronted by the bad manners.

As usual, Aesop completely missed the point of his story. Instead of being a droll observation of class structure of ancient Greece, it’s obviously a better lesson for dealing with initial network probes. Probes are a fact of life on the Internet. All sorts of attackers on the Internet want to take over your systems. The first step is to send out a small probe and uncover various things about the potential targets. This is part of what firewalls are supposed to prevent.

A lion needs a few things as it sleeps. Air, probably being the most important. However, if it wishes to stay asleep, it helps to have a way to keep the mice out of the lion cave.

As an aside, I personally question how common it was for lions to sleep in caves. Modern lions don’t seem to do this… though perhaps that has less to do with lion slumber preferences and more to do with a general lack of caves in subSaharan Africa.

So, if you have a lion that you wish to keep vermin-free, it would help to put up some sort of chicken wire fence over the “cave”, thereby allowing in air and preventing mice (and rats… it’s a twofer!). In much the same way, a firewall keeps out known malicious traffic so your servers can crunch their numbers in peace. Admittedly, our firewalls block worms. Worms are smaller and trickier than mice, which is why the firewalls are more complex and expensive than chicken wire.

Running without a firewall would be like trying to coax a lion into sleeping while they are being trampled flat by a veritable cascade of members of the family Muridae.

Mythic Monday – The Aging Lion and the Fox

Another one of Aesop’s fables that isn’t that well known is that of the aging lion and the fox. You can click the link and read it, but for those of you that are linkaphobic, here’s a short version:

A lion was getting old and having trouble hunting. He decided, instead, to pretend to be sick and went back to his cave, moaning all the way. Over time, as each of his neighbors stopped by to check on him, he ate them.

Then, one day a fox came by and asked how the lion was doing. The lion moaned and asked the fox to come closer. The fox then observed that the footprints all led into the cave, and none came out.

Clearly, the fox is the fable animal to be. He’s smart. He’s observant. He’s… umm… red and furry? (Are Greek foxes red? . . .  Yes, after googling a bit, it seems that the red fox is global, and the grey fox is only native to the Americas… which has nothing whatsoever to do with this blog entry.)

No, the point of this blog entry is that of evidence. If the lion had been wise, he would have either wiped the tracks after each meal or (more preposterously) fabricated tracks going back out. The fact that he didn’t is what allowed the fox to escape and presumably tell the other animals what the lion had been up to (and Aesop, since he wrote it down). So, not only was the lion caught, but he lost his lovely little racket and probably starved to death shortly thereafter.

Most attackers are aware of this story (sorta), and do take some effort to reduce evidence. A burglar usually wears gloves, a bank robber usually wears a mask, and a hacker usually clears system logs. So, if we want to make it hard for the lion to wipe away the footprints, we have a few options. The first is to replace the dirt outside his den with fast-setting concrete… which would prove somewhat troublesome if you analyze this ridiculous analogy too far. The second is to set up a camera trap and record everyone who enters the cave. (For those purists who would point out that there were no cameras in ancient Greece, let’s just say that Hephaestus is there cranking out a vase for each animal. (Happy now, picky people?))

In the modern world, we actually use both of these techniques. Instead of fast-setting concrete, we have a hard drive technology called WORM, or Write Once Read Many. With this drive, you can store the logs in such a way that they cannot be altered. They are, however, quite expensive and can be difficult to set up properly. Instead, we generally prefer to use the camera/vase trap system. For this, we use one of many remote-logging technologies. The simplest is probably the venerable syslog server.

This solution simply involves setting up a dedicated server and installing one of the many syslog systems on it. Then you do a bit of configuration on each of the other servers you have and basically tell them to go log over there. Whenever there is an event, it goes over the network and is stored off the server. That way, if an attacker gets in, even if they wipe their own traces, there is a backup elsewhere that is (in theory) a lot harder to alter.
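The camera-trap idea above, shown end to end as an added example (this is not code from the original post; it uses only the Python standard library). One host writes its events both to a local file and, via the classic UDP syslog protocol, to a collector listening on loopback. The local file is then deleted, standing in for the lion wiping his tracks, and the collector's copy is read back and its `<PRI>` header decoded into facility and severity. The port, the logger name and the two log messages are constructed for the demo; on a real fleet the forwarding step is a one-line rsyslog rule such as `*.* @@loghost:514` on each sender and an `imtcp`/`imudp` input on the collector.

```python
import logging
import logging.handlers
import os
import socket
import tempfile

# RFC 3164 severity names, indexed by the low three bits of the PRI value.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram):
    """Decode the <PRI> header of a classic (RFC 3164) syslog datagram.

    PRI = facility * 8 + severity, so the two fields are recovered with
    integer division and modulo. Returns a dict with facility, severity
    and the bare message text.
    """
    text = datagram.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI header")
    end = text.index(">")
    pri = int(text[1:end])
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        # Python's SysLogHandler appends a trailing NUL by default; strip it.
        "message": text[end + 1:].rstrip("\x00"),
    }


def demo():
    """Forward two events to a loopback collector, wipe the local log, read the remote copy."""
    # Collector side: a UDP socket on an ephemeral loopback port (constructed
    # stand-in for a dedicated syslog server).
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))
    collector.settimeout(2.0)
    collector_addr = collector.getsockname()

    # Application host side: log locally to a file AND forward to the collector.
    log = logging.getLogger("mythic.demo")  # hypothetical logger name
    log.setLevel(logging.INFO)
    log.handlers.clear()
    local_path = os.path.join(tempfile.mkdtemp(), "auth.log")
    local = logging.FileHandler(local_path)
    remote = logging.handlers.SysLogHandler(
        address=collector_addr,
        facility=logging.handlers.SysLogHandler.LOG_AUTH,  # facility 4
    )
    log.addHandler(local)
    log.addHandler(remote)

    # Two constructed sample events.
    log.info("sshd: accepted password for alice from 203.0.113.7")
    log.warning("sudo: alice : COMMAND=/bin/rm /var/log/auth.log")

    # The lion wipes the footprints: the local log file is removed.
    local.close()
    log.removeHandler(local)
    os.remove(local_path)
    remote.close()
    log.removeHandler(remote)

    # The fox reads the collector's copy, which the local wipe never touched.
    received = []
    for _ in range(2):
        data, _ = collector.recvfrom(4096)
        received.append(parse_syslog(data))
    collector.close()

    return {"local_exists": os.path.exists(local_path), "remote": received}


if __name__ == "__main__":
    result = demo()
    print("local log still present:", result["local_exists"])
    for rec in result["remote"]:
        print(f"facility={rec['facility']} severity={rec['severity']} msg={rec['message']}")
```

The point the demo makes is the one in the text: deleting the local file does nothing to the copy that already left the host. UDP syslog has no delivery guarantee and no integrity protection, so a production collector should use TCP (or TLS-wrapped syslog) and sit on a host the application servers cannot log into; otherwise the lion can simply walk over and wipe the second set of tracks too.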

Of course, you still have to actually be the fox and look at the logs now and then, but at least you’ll be safe from a smart lion.