Deep Thoughts on Convergence

A security expert asked me last night what I thought of Moxie Marlinspike’s Convergence, which aims to remove the need to rely on a Certificate Authority. It uses the phrase “choose who you trust”, for example, in its marketing.

I admit I was a bit facetious in my retort but I had to ask “why should I trust Moxie, is he claiming to be some kind of authority?” Get it?

Indeed, I recommend to everyone that they wait until their peers adopt it because they should choose who to trust with caution. I certainly wouldn’t trust an authority on not trusting authority, would I?

I also noted this phrase in their marketing.

The ability to easily choose who you trust, & revise that decision at any time.

…because trust is all about being able to quickly reverse your decisions about trust. Trust me on this one. No don’t. Yes, trust me. No don’t…

Crouching Pterodactyl, Mandiant Dragon

Mandiant has an entertaining and on-going series of presentations called “State of the Hack”. In the latest episode they offered a series of slides on the threat of intellectual property and brand theft, naturally starting with the U.S. Air Force.

Corporate espionage is a serious problem globally. The Mandiant program is far more focused, however. They ignore all theft perpetrated by everyone other than China from America. I won’t try to guess why they fixate, but I also can’t help but point out that in their zeal to demonstrate the connection they mistakenly label the following image as a “China Dragon”:

Kudos to them for putting a link to the original source in their slide. I always try to do that myself and really appreciate seeing attribution. So I went to the link in their slide and right away noticed, prominently displayed at the top of the photo, the following phrase:

This is what the pterodactyl looks like

Oops. That’s no Dragon.

I guess they also don’t want you to know the photo is by Sharon.

Then I did the side-by-side comparison that they recommended, with images of the Predator B, and I noticed many clear differences.

Also not a Dragon

Maybe I see differences instead of similarities because I’m too far into the trees/details of things and missing the big-picture forest from Mandiant’s view.

I suspect if you pull back far enough not only does the word “pterodactyl” look a lot like “dragon” but eventually everything looks like it comes from China. Bada bing. I’ll be here all week.

The presentation as a whole is still worth a watch. A celebrity defense argument that comes later is far more interesting to me. Or maybe I can digest it more easily because it doesn’t go into claims about the motives of the attacker. I find that I agree with their assessment of defensive measures, not least of all because I presented on this issue at the RSA SF Conference in 2010 and earlier at CSAS — social networking exposure parallels the lessons from celebrity exposure.

So I can guess that on most security theory I would likely agree with the presenters. But when they head down their path of focused attribution it leaves me cold, which only makes an obvious error even more difficult to ignore.

BayThreat Images: A-Cat

A couple of people have asked to see again the photos I used in my presentation last week at BayThreat. It was called “Sharpening the Axe” because I discussed how to be as efficient as possible when pentesting cloud and virtual environments. I thought I should perhaps just post the photos here for convenience. Here are the first two, showing efficiency in modern sailing with the International A-Class Catamaran. Both are a custom Bimare XJ built by Ben Hall.

Downwind, North American Championships in Islamorada, Florida

Upwind, club race in Santa Cruz, California