Red Means Go, Green Means Slow

While riding in late night taxis in Brazil I noticed they hit the accelerator through red lights. When we approached a green light, they would slow down and look around for people running the reds.

I had to ask why. The drivers said this is a risk mitigation strategy.

Because of assault danger, Brazilians drive through red traffic lights at night, just as a warning.

Since stopping at a red light, especially late at night, makes you an easy victim for car-jacking or robbery…we didn’t stop.

And because everyone there knows drivers run red lights to stay safe, drivers with green lights slow down before crossing an intersection.

Just another example of why we should seriously reconsider stop-lights and their overall impact on risk (inefficiency of idling, yellow-light behavior, etc.)

The anti-virus age AIN’T over

Graham Sutherland wrote a provocative blog post titled “The anti-virus age is over.” I hear this a lot and I often argue against it, as I did recently in a Twitter thread with @jeremiahg and @adamjodonnell.

I noticed Graham argues against his own title. His blog concludes:

Now don’t get me wrong, AV still has its place in the security world

Is an age over if there is still a place in the security world? I say no.

Cory Doctorow apparently does not come to the same conclusion, and instead used Sutherland’s opening argument in his Boing Boing post called “When advanced black-hat hacking goes automatic, script kiddies turn into ninjas” to promote a fictional story of his own.

[The anti-virus age is over] was the premise and theme of my novella Knights of the Rainbow Table (also available as a free audiobook).

I confess I haven’t read much by Doctorow since he ranted against American Airlines data collection practices. At that time I wrote the following response to his predicament:

I have always observed that wise travelers provide no more than the information that is directly relevant to the question being asked — the “most accurate” answer — which has neither too little nor too much detail. It’s a fine balance, but part of the usual business of crossing International boundaries, obviously compounded by different cultural views of what constitutes suspicious or risky behavior.

Although I hate to question Doctorow’s risk management vision again, it seems to me the anti-virus age will be over when we no longer see any place for anti-virus.

The age isn’t over, because having a defense against polymorphic threats does not mean we should completely remove black-lists for non-polymorphic threats. Sutherland concedes this in the final text of his blog.

To put it another way, should we stop using seat-belts because we can get sick from bird-flu? Obviously not.

I tried to make this risk distinction in my 2012 RSA Conference presentation “Message in a Bottle: Finding Hope in a Sea of Security Breach Data.” Here is how I laid out the age of seatbelts (sorry about the RSA template colors):

2012 RSA SF Conference Slide - Seatbelts

This view of history suggests to me that anti-virus software will become more integrated into the cost of our systems (like seat-belts became de-facto for cars and eventually a law). It will become less visible as it becomes integral.

So where are we headed? Analytic ability with data collection is what comes next, like air-bags were added to seatbelts. But the seatbelt analogy doesn’t really work with intelligent, adaptive threats, as I also illustrated in my 2012 RSA Conference presentation (based on “Dr. John Snow’s map-based spatial analysis and algorithm” for germ theory).

2012 RSA SF Conference Slide - Ghostmap

To follow Snow’s footsteps our discretionary spend will shift towards data collection, anomaly detection and advanced response capabilities (e.g. big data security analysis). We will get better at finding and responding with new tools, while still using computer anti-virus and other old tools.

#HeavyD and the Evil Hostess Principle

At this year’s ISACA-SF conference I will present how to stop malicious attacks against data mining and machine learning.

First, the title of the talk uses the tag #HeavyD. Let me explain why I think this is more than just a reference to the hiphop artist or nuclear physics.

HeavyD - The Late Great Heavy D

Credit for the term goes to @RSnake and @joshcorman. It came up as we were standing on a boat and bantering about the need for better terms than “Big Data”. At first it was a joke and then I realized we had come upon a more fun way to describe the weight of big data security.

What is weight?

Way back in 2006 Gill gave me a very tiny and light racing life-jacket. I noted it was not USCG Type III certified (65+ newtons). It seemed odd to get race equipment that wasn’t certified, since USCG certification is required to race in US Sailing events. Then I found out the Europeans believe survival of sailors requires about 5 fewer newtons than the US authorities.

Gill Buoyancy Aid - Awesome Race Equipment, but Not USCG Approved

That’s a tangent but perhaps it helps frame a new discussion. We think often about controls to protect data sets of a certain size, which implies a measure at rest. Collecting every DB we can and putting it in a central Hadoop cluster, that’s large.

If we think about protecting large amounts of data relative to movement then newton units come to mind. Think of measuring “large” in terms of a control or countermeasure, the force required to make one kilogram of mass go faster at a rate of one meter per second, every second:

Newtons: F = m × a, so 1 N = 1 kg · m/s²

Hold onto that thought for a minute.

Second, I will present on areas of security research related to improving data quality. I hinted at this on Jul 15 when I tweeted about a quote I saw in darkreading.

argh! no, no, no. GIGO… security researcher claims “the more data that you throw at [data security], the better”.

After a brief discussion with that researcher, @alexcpsec, he suggested instead of calling it a “Twinkies flaw” (my first reaction) we could call it the Hostess Principle. Great idea! I updated it to the Evil Hostess Principle — the more bad ingredients you throw at your stomach, the worse. You are prone to “bad failure” if you don’t watch what you eat.

I said “bad failure” because failure is not always bad. It is vital to understand the difference between a plain “more” approach versus a “healthy” approach to ingestion. Most “secrets of success” stories mention that reaction speed to failure is what differentiates winners from losers. That means our failures can actually have very positive results.

Professional athletes, for example, are said to be the quickest at recovery. They learn and react far faster to failure than average. This Honda video interviews people about failure and they say things like: “I like to see the improvement and with racing it is very obvious…you can fail 100 times if you can succeed 1”

So (a) it is important to know the acceptable measure of failure. How much bad data are we able to ingest before we aren’t learning anymore — when do we stop floating? Why is 100:1 the right number?

And (b) an important consideration is how we define “improvement” versus just change. Adding ever more bad data (more weight), as we try to go faster and be lighter, could just be a recipe for disaster.

Given these two, #HeavyD is a presentation meant to explain and explore the many ways attackers are able to defeat highly-scalable systems that were designed to improve. It is a technical look at how we might set up positive failure paths (fail-safe countermeasures) if we intend to dig meaning out of data with untrusted origin.
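As an added example (not code from the original post or from the talk it announces), here is a small Python simulation of questions (a) and (b): how much bad data a learner can ingest before it stops learning, and how a fail-safe ingestion gate can be tied to that measure. Everything in it is constructed: a one-dimensional “clean” sample of the digits 0 through 9 repeated, an attacker-chosen bad value of 1000, a drift tolerance of 1.0, and two standard-library learners (the plain mean and the median). The `accept_batch` gate is hypothetical, not a real library API; it refuses a batch whose share of outliers (measured against a trusted median and median absolute deviation) exceeds a failure budget.

```python
"""Added example: measuring the acceptable share of bad data for a learner
and gating ingestion on it.  All data, values and thresholds are constructed."""
import statistics
from typing import Callable, Optional, Sequence

# Constructed trusted sample: digits 0..9 repeated; mean and median are both 4.5.
CLEAN = [float(i % 10) for i in range(1000)]
BAD_VALUE = 1000.0  # constructed attacker-chosen value injected into a batch


def poison(clean: Sequence[float], n_bad: int, bad_value: float) -> list:
    """Return a copy of `clean` whose last n_bad samples are replaced by bad_value."""
    return list(clean[: len(clean) - n_bad]) + [bad_value] * n_bad


def breakdown_fraction(learner: Callable[[Sequence[float]], float],
                       clean: Sequence[float], bad_value: float,
                       tolerance: float, step: int = 10) -> Optional[float]:
    """Smallest fraction of poisoned samples at which `learner` drifts more than
    `tolerance` from its clean result, i.e. the point where it stops learning
    the true signal.  Returns None if it never drifts that far."""
    baseline = learner(clean)
    for n_bad in range(0, len(clean) + 1, step):
        if abs(learner(poison(clean, n_bad, bad_value)) - baseline) > tolerance:
            return n_bad / len(clean)
    return None


def mad(data: Sequence[float], center: float) -> float:
    """Median absolute deviation around `center`; a robust spread measure."""
    return statistics.median(abs(x - center) for x in data)


def outlier_fraction(batch: Sequence[float], ref_median: float,
                     ref_mad: float, k: float = 3.0) -> float:
    """Share of `batch` lying more than k MADs from the trusted median."""
    cutoff = k * ref_mad
    return sum(1 for x in batch if abs(x - ref_median) > cutoff) / len(batch)


def accept_batch(batch: Sequence[float], ref_median: float,
                 ref_mad: float, budget: float) -> bool:
    """Hypothetical fail-safe gate: a batch is ingested only if its outlier
    share stays within the failure budget; otherwise it is refused outright."""
    return outlier_fraction(batch, ref_median, ref_mad) <= budget


def main() -> None:
    ref_median = statistics.median(CLEAN)
    ref_mad = mad(CLEAN, ref_median)
    for name, learner in (("mean", statistics.fmean), ("median", statistics.median)):
        frac = breakdown_fraction(learner, CLEAN, BAD_VALUE, tolerance=1.0)
        print(f"{name:6s} stops learning once {frac:.0%} of the batch is bad")
    # Set the budget below the weaker learner's breakdown fraction.
    budget = 0.05
    for n_bad in (0, 30, 300):
        batch = poison(CLEAN, n_bad, BAD_VALUE)
        verdict = "accept" if accept_batch(batch, ref_median, ref_mad, budget) else "refuse"
        print(f"batch with {n_bad / len(CLEAN):.0%} bad samples: {verdict}")


if __name__ == "__main__":
    main()
```

With this sample the mean is knocked off course by the very first 1% of bad values, while the median tolerates about 16% before its answer drifts by more than 1.0; the budget handed to `accept_batch` should sit below whichever figure applies to the learner actually in use. Refusing a whole batch is the “positive failure path”: the system fails loudly and stays on its last good state instead of quietly absorbing poisoned input.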

Who do you trust?

Fast analysis of data could be hampered by slow processes to prepare the data. Using bad data could render analysis useless. Projects I’ve seen lately have added weeks to get source material ready for ingestion: reduce duplication, increase completeness and work toward some ground rule of accurate and present value. Already I’m seeing entire practices and consulting built around data normalization and cleaning.

Not only is this a losing proposition (e.g. we learned this already with SIEM), the very definition of big data makes this type of cleaning effort a curious goal. Access to unbounded volumes with unknown variety at increasing velocity…do you want to budget to “clean” it? Big data and the promise of ingesting raw source material seems antithetical to someone charging for complicated ground-rule routines and large cleaning projects.

So we are searching for a new approach. Better risk management perhaps should be based on finding a measure of data linked to improvement, like Newtons required for a life-jacket or healthy ingredients required from Hostess.

Look forward to seeing you there.

Diesel = Winning

The Economist in 2011 made a salient point about the future of gasoline vehicles:

For Toyota, taking BMW’s diesel engines is a tacit admission that its hybrid strategy does not cut it in Europe.

That means a gasoline-hybrid strategy is failing. A diesel-hybrid strategy, however, would have worked.

Two years later, today, the Economist admits the race is over. Diesel has won. Gasoline is dying.

The Toyota Prius hybrid? A lowly twentieth on the league table of the most economical fuel-sippers, with 4.2 litres/100km, along with higher emissions of carbon dioxide. The 19 cars having better fuel economy than the Prius hybrid are all clean diesels.

It really makes you wonder why we don’t have a hybrid-diesel option instead of a hybrid-gasoline in America. At least GM has finally taken the lead domestically by releasing a passenger-car diesel option. It’s not the car they talked about in 2008, but it’s a start.

The Economist, however, is still thinking about the past. Instead of pointing out modern diesels already are available in America, they tell us diesels are on their way and Mazda is “leading”. This sounds like nonsense to me:

Later this year, Americans will get their first chance to experience what a really advanced diesel is like—and why Europeans opt for diesels over hybrids, plug-in electrics and even petrol-powered cars. [Mazda’s] diesel has 30% better fuel economy and provides oodles more pulling power. Good as the petrol version is, motorists who choose it over the diesel will miss out on a lot.

I’ll tell you why their “first chance” talk is nonsense. Look at the Economist analysis of what has changed.

“What marks this latest generation of diesel engines from even their ‘common-rail’ predecessors of the late 1990s…”

That’s a 20-year-old reference, too far back to talk about predecessors. Several major generations of engine have hit American shores in between the “late 1990s” and today. Why not compare current engines with those Americans have been driving in the 2000s?

Most notable was a major shift in 2004 when California regulated small passenger diesels out of the state (politics prevented regulation of the larger engines until later). Another major point was in 2008 when they re-appeared. This was no secret to the Economist. They wrote about it in an article called “Diesel’s second coming.”

America’s first chance to experience new diesel engine technology was around 2005 (when new VW TDIs were introduced) and then again in 2008 (when VW’s diesel won car of the year). I would call 2004 and 2008 models the predecessors, taking us into the late-2013 technology.

So much for America’s “first chance”.

Perhaps it is fair to say some people haven’t really been excited by diesel engines since the 1990s (the Economist gave Fiat Research an award) but who cares if those people have been asleep at their wheel since then. The Economist is not excused from doing research on the past decade of innovation.

It has been clear over the past ten years that diesel has achieved a pole position for increasing mpg while reducing emissions and providing performance and power. Combined with an electric motor, we’re talking over 100 mpg and a fun driving experience. Volvo sold out every diesel-hybrid targeted for France before they even left the factory.

Still, some are confused. Editors at Forbes offer us this non-prediction:

…it’s not yet obvious whether electric vehicles, diesels, or even compressed natural gas vehicles (there are millions in countries such as Iran and Brazil) will ultimately take the checkered flag in the race for efficiency

Millions in Iran? Never thought I would hear Forbes suggest Iran as a model of efficiency. Experts on Iran seem to paint it in the opposite light, a study of waste and unsustainable inefficiency:

…poor resource management have contributed to rapidly growing energy consumption and high energy intensity for the past decades.

What Forbes is really saying is “let’s study engines in countries with domestic natural resources”. This is NOT a good equation. No wonder Forbes is confused.

To me there is no question. The race for efficiency is really a race for freedom from resource dependence, related to national security. Diesel = winning.

The answer is obviously diesel-hybrid, given American driver habits/needs. No other engine competes when it comes to sustainability. As I have written here since 2005, it is the safest, easiest to deploy, most-resilient and yet best performing of all. It is no coincidence the military prefers diesel.

Natural gas presents an interesting alternative to the pollution of coal plants but, as the Economist itself has written in the past, it fails miserably with a car engine. It gets about the same mpg as gasoline with far less performance. Same problem as ethanol. That means a significant cost added to manufacturing with marginal benefits.

Electric vehicles are great performers, perfect for urbanites, yet they lack range and cost far too much to enter the market at a broad base. They also have major additional costs to factor such as battery maintenance and replacement, not to mention the occasional unexplained explosion and fire (e.g. even Boeing claimed they didn’t see it coming).

Both natural gas and electric also require an overhaul to American infrastructure to enable vehicles with special engines. That’s a pipe-dream (pun intended) and about as likely as hydrogen. When you think about how long broadband has taken to be upgraded in America, and how inexpensive that infrastructure is compared to fuel lines…

I wouldn’t bet against diesel-hybrid.