Please Realize That Piracy is a Service Problem.
NEW YORK, NY - JANUARY 18: Protesters demonstrate against the proposed Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) on January 18, 2012 in New York City. The controversial legislation is aimed at preventing piracy of media but those opposed believe it will support censorship. (Image credit: Getty Images via @daylife)
The full article is a bit wordy, and manages to avoid lecturing about how the media industry failed at "service" when it came to view tapes and DVDs, how they objected even those turned out to be immensely profitable. We all know that and we all know that despite the opportunity for profits that just about everyone else in the world seems able to cash in on, the RIAA etc seem to want to shut it down.
Well if they did there would be outcries not from all the people who had minor copyright infringements from quoting one another, but from all the businesses that were loosing customers, not just from direct action but from the word-of-mouth style propagation, reviews, snippets that had nothing to do with them but caused shut-downs and lockouts. A ripple effect. The Laws of Unintended Consequences doing what it always does, biting in the ass.
Yes, if the media industry provided the service that customers want piracy wouldn't be an issue. As the article says, look at the economics.
It’s not a physical product that’s being taken. There’s nothing going missing, which is generally the hallmark of any good theft.
There's a corollary to that: if the media companies were selling on the net their cost of reproduction is zero. They can sell the same movie hundreds of times over and it doesn't cost them any more.
With VHS and DVD there is the cost of production, shipping and retail mark-up. There's that for every sale. And those are costs that are going up year by year. And if there's a mistake in estimates about volume then either there are lost sales for lack of product, or waste as it gets remaindered.
But with a 'Net based distribution scheme there is only the cost of storage and bandwidth, and those are going down.
Its as if the RIAA have it exactly backwards.
So it costs, what, lets say $20 to buy a movie as a DVD.
That's my budget. If I got to the store and found the movie I wanted was $5, then I'd be inclined to buy some more. Maybe at $5 a shot I'd spend more than $20 as I found other movies that I marginally considered. Now suppose that I didn't have to drive to the store? Many people I know buy more books at Amazon than they ever did in a bricks-and-mortar store. many bricks-and-mortar bookstores are shutting down. Lower the cost of a movie to $1 and make it available on the 'Net, mail buyers about new releases and packages the way Amazon does and there will be more impulse buying. See low-res, high-res and super-high res/HD, alternate endings, have consumers write reviews ... you know how it goes, Amazon does it well.
Amazon have shifted from selling books to selling e-books. No more packaging, inventory or shipping. Instant gratification.
The RIAA are not just stupid, they are extremely stupid.
A stereotypical caricature of a pirate. (Photo credit: Wikipedia)
Related articles
- A Peek at a Few Trends (laf.ee)
- Software piracy in Canada exceeded $1.1B in 2011 (ctv.ca)
- What's the true cost of piracy? (infographic) (venturebeat.com)
- US mistakenly seizes a music domain - and holds it for 18 months (art2science.org)
- Study: BitTorrent music piracy increases album sales (electronista.com)
Upside and downside: How I hate Journalists
And this doesn't actually stop them form making use of 'insider information' they just have to declare it within 30 days.
No, wait, sorry ... you mean that the legislators are saying that legislators shouldn't do something that is illegal anyway? Or that, if they do something that is already illegal, it is OK as long as they declare it within 30 days? ...
It gets worse:
I'd like to claim the system is rigged so 'the rich get richer' but if I did that some people who claim they are right wing would accuse me of being left wing. Indeed, this tells me that their political outlook has not progressed since 20 June 1789. This one-dimensional view fails to describe the rich variety of political attitudes in the Washington, never mind the rest of the USA and points elsewhere on the physical compass.
http://en.wikipedia.org/wiki/Pournelle_chart
http://en.wikipedia.org/wiki/Nolan_Chart
Just those two show we need more that 4 axes to describe a political stance. But as I mentioned in a previous post, journalists are simple-minded and expect the rest of the world to be as limited in outlook and understanding.
http://en.wikipedia.org/wiki/Political_spectrum
Try this test:
http://www.politicalcompass.org/
How does this all relate to InfoSec, you ask.
Well part of that Political Compass is a view of 'how authoritarian'.
And that gets back to issues we have to deal with such as Policy and Enforcement, Do We Let Employees have Access to the Internet, and the like.
Hans Eysenk pointed out that the right wing (e.g. Fascism and Nazism) had a lot in common with the left wing (communism). Both are repressive, undemocratic and anti-Semitic. So on these issues, at least, the left-right distinction is meaningless.
How many more such simplistic distinctions such as those foisted on us by journalists are equally meaningless.
Some while ago my Australian fellow ex-pat Les Bell, who apart from being a CISSP is also a pilot, pointed out to me that the method of 'root cause analysis' is no longer used in analysing plane crashes. The reality is that "its not just one thing", its many factors. We all know that applies in most areas of life.
I suspect most people know that too; its not restricted to the digerati.
There is the old ditty that explains how because of a nail an empire was lost, but no-one is proposing that we fix the failing of the "American Empire" by manufacturing more nails.
Except possibly Journalists.
Related articles
- Is your political compass OK post the election? (greenwichlib.wordpress.com)
- Political Compass: May (spinelessliberal.wordpress.com)
- The downsides of experience (cdevroe.com)
- The US Election - 2012 (www.politicalcompass.org)
The Death of Antivirus Software
http://www.infosecisland.com/blogview/19386-The-Death-of-Antivirus-Software.html
The real issue here isn't Ubuntu, or any other form of Linux.
Its that AV software doesn't work.
PERIOD.
There are over 50,000 new piece of malware developed and released daily. The very nature of the AV software models that John McAfee foisted on the industry simply can't cope.
This isn't news. Signature-based (and hence subscription based and hence that whole business model) AV is a wrong headed approach. As Rob Rosenberger points out at Vmyths.Com, we are addicted to the update cycle model and its business premise is very like that of drug pushers.
What's that you say? Other types of AV? Like what?
Well, you could have a front-end engine that checks all downloads and all email and all email attachments and all URL responses by emulating what would happen when they run on any PC or in any browser or any other piece of software such as any of the PDF readers you use, or any of the graphical display software you use or any of the word processors you use
or any of the spreadsheet programs you use or any music players you use ... and so on.
Many people in the industry - myself included - have proposed an alternative whereby each machine has a unique cryptographic ID and the legally and properly installed libraries are all signed with that ID, and the program loader/kernel will only load and execute correctly signed code.
Yes, Microsoft tried something similar with ActiveX, but that was signed by the vendor - which can be a good thing, and used PKI, which can also be a good thing. But both can be a problem as well: go google for details. A local signature had advantages and its own problems.
The local signature makes things unique to each machine so there is no "master key" out there. If your private key is compromised then do what you'd do with PGP - cancel the old one, generate a new one and sign all your software with the new one.
The real problem, though, is not in having the key compromised but is the problem that has always existed - its the user. Right now, we have many remote code execution blockers. Your browser might be able to block the execution of Java or JavaScript, but does it? Most people either don't bother setting their defaults to "no execution" or just say "yes" to the pop-up asking them to permit execution.
No technical measure can overcome human frailty in this regard.
Related articles
- Avira antivirus upgrade wreaks 'catastrophic' havoc on Windows PCs (techworld.com.au)
- How can We Detect Viruses Without Antivirus Software? Built In Antivirus in your Browser 🙂 (shanicomputers.wordpress.com)
- Intel and McAfee unveil plans for unified security future (go.theregister.com)
- John McAfee, antivirus pioneer, arrested by Belize police (networkworld.com)
- GlobalSign Develops Free Tool to Simplify Code Signing Process (prweb.com)
- A Modest Proposal: Please Don't Learn to Code Because It Will Damage Your Tiny Brain (inventwithpython.com)
- Why Authenticity Is Not Security (leviathansecurity.com)
- Certs 4 Less Announces Support For Individual Code Signing Certificates (prweb.com)
- 'Catastrophic' Avira antivirus update bricks Windows PCs (go.theregister.com)
- Avira fixes antivirus update that crippled many PCs (neowin.net)
- Free Anti-Virus Software Fails To Charm Enterprises (informationweek.com)
- Backpack Algorithms And Public-Key Cryptography Made Easy (coding.smashingmagazine.com)
- Cryptography pioneer: We need good code (infoworld.com)
- Contrary to Popular Opinion, Encryption IS the Hard Part (blogs.gartner.com)
- Public Key Cryptography Explained (q-ontech.blogspot.com)
Using ALE … inappropriately
Like many forms of presenting facts, not least of all about risk, reducing complex and multifaceted information to a single figure does a dis-service to those affected. The classical risk equation is another example of this; summing, summing many hundreds of fluctuating variables to one figure.
Perhaps the saddest expression of this kind of approach to numerology is the stock market. We accept that the bulk of the economy is based on small companies but the stock exchanges have their "Top 100" or "Top 50" which are all large companies. Perhaps they do have an effect on the economy the same way that herd of elephants might, but the biomass of this planet is mostly made up, like our economy, of small things.
Treating big things like small things leads to another flaw in the ALE model. (which is in turn part of the fallacy of quantitative risk assessment)
The financial loss of internet fraud is non-trivial but not exactly bleeding us to death. Life goes on anyway and we work around it. But it adds up. Extrapolated over a couple of hundred years it would have the same financial value as a World Killer Asteroid Impact that wiped out all of human civilization. (And most of human life.)
A ridiculously dramatic example, yes, but this kind of reduction to a one-dimensional scale such as "dollar value" leads to such absurdities. Judges in court cases often put dollar values on human life. What value would you put on your child's ?
We know, based on past statistics, the probability that a US president will be assassinated. (Four in 200+ years; more if you allow for failed attempts). With that probability we can calculate the ALE and hence what the presidential guard cost should be capped at.
Right? NO!
Fwd: How Quality Drives the Rise and fall of hi-tech products
I'm dubious.
On the one hand I recall a book titled "In Search of Stupidity", which I strongly recommends reading, its about the hi-tech years that this article covers and takes a different view of how "quality" addressed market share.
On the gripping hand, I also lived though the years that book describes and can add detail. One detail is this. MS-Word was crap. Most offices/secretaries preferred WordPerfect, but MS-Word outsold WP by aggressive marketing - nothing else. The quality of MS-Word was the pits and its still full of bugs. Each release formatted historic documents in a different way, which is no-no in the legal (and other) profession. Its handling of nested indents in style sheets is a mess, so much so that many industries such as MILSPEC contractors simply don't use style sheets.
I'm dubious about his claim that Linux has fewer add-on products.
Heinlein has a comment about democracy being like adding zeros.
If you look at those supposed products or Windows you'll find many of them are "me-too" duplicates. We haven't reached that stage yet with portable devices but we are getting there. When you get there, yes you do have one market leader; when people are spoilt for choice like that then a review or a friend's recommendation can trip the balance, and that too can propagate. This has little to do with 'quality' and a lot to do with a cross between humans 'herd instinct' and the way crystals form in a super-saturated medium.
Related articles
Mistaken Thinking – Risk not threats
Image via Wikipedia
Via a LinkedIn posting in the Infosecurity magazine forum titled
"Internet Threats Posed By Mobile Devices: How Can We Prevent Them?"
I came to
http://www.mxsweep.com/blog/bid/65075/Internet-Threats-Posed-By-Mobile-Devices-How-Can-We-Prevent-Them
OUCH OUCH OUCH!
The mobile devices don't pose threats.
The mobile devices represent risks.
Threats are external. They are not under your control.
The article title is clearly confusing THREATS with RISKS.
There are aspects of risks which ARE under your control.
You can control how EXPOSED you are to threats and how they will IMPACT you - or more specifically your assets. In this case the mobile devices.
You can't prevent threats, you can only mitigate their IMPACT.
You can instigate preventive measures.
Mobile devices and the data on them are ASSETS, not threats.
Correct terminology leads to correct thinking.
Eliminating misunderstanding and confusion leads to effective results.
Related articles
- The threat facing Android (Hint: It's not Apple) - Fortune Tech (tech.fortune.cnn.com)
- Mobile threats increased during first half of 2011 (preternaturalpost.com)
- 5 Ways To Fight Mobile Malware (informationweek.com)
- Malware risk on Android devices growing, report says (sfgate.com)
- Mobile Device Security: Questions to Ask for Creating Policy (pcworld.com)
- Mobile app malware menace grows (go.theregister.com)
- Securing Mobile Devices (enhancedtech.wordpress.com)
- Cyber criminals targeting mobile devices (premierlinedirect.co.uk)
The Question of Residual Risk value
People keep asking questions like
If the risk equation I use is Impact * Probability, when it comes to calculating the residual risk value do I still need to consider the impact of Loss of confidentiality, integrity and availability of the asset afterwards ? My understanding us that the probability value may decrease after applying some controls to mitigate the risk, but how does does the impact change?
Personally I don't like the use of the generalization "Impact". It hides details and it hides seeing where the control is being applied. Assets are often affected by more than one threat or more than one vulnerability. You really need to recalculate the whole thing over again after the controls have been applied - don't try for short cuts.
I'd further suggest looking at
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
I discuss this kind of over-simplification at
http://infosecblog.antonaylward.com/2010/02/28/fbi-risk-equation/
Related articles
- Planning means planning for success and for not-success (herdingcats.typepad.com)
Compliance? What Compliance?
Image via Wikipedia
Sometimes I wonder why we bother ...
Related articles
- Recently Updated "Securities Law Deskbook" - A Resource to Help Achieve Compliance and Avoid Regulatory Problems, From Bradford Publishing Co. (prweb.com)
- SEC: Bigger potential payouts for whistleblowers (marketwatch.com)
- LATEST FEATURE: Compliance: A hybrid marital troika? (ecmplus.wordpress.com)
In praise of OSSTMM
In case you're not aware, ISECOM (Institute for Security and Open Methodologies) has OSSTMM3 - The Open Source Security Testing Methodology Manual - http://www.isecom.org/osstmm/
There's an interesting segue to this at
https://www.infosecisland.com/blogview/14651-How-to-Pen-Test-Crazy.html
Skip over his ranting about the definition of "hackers"
This is the meat:
Wewrote the OSSTMM 3 to address these things. We knew that penetration
OSSTMM Logo
testing the way it continued to be marginalized would eventually hurt
security. Yes, the OSSTMM isn't practical for some because it doesn't
match the commercial industry security of today. But that's because the
security model today is crazy! And you don't test crazy with tests
designed to prove crazy. So any penetration testing standard, baseline,
framework, or methodology that focuses on finding and exploiting
vulnerabilities is only perpetuating the one-trick pony problem.
Furthermore it's also perpetuating security through patchity, a process
that's so labor intensive to assure homeostasis that nobody could
maintain it indefinitely which is the exact definition of a loser in the
cat and mouse game. So you can be sure it also doesn't scale at all with
complexity or size.
I've been outspoken against Pen Testing for many years, to my clients, at conferences and in my Blog. I'm sure I've upset many people but I do believe that the model plays up to the Hollywood idea of a Uberhacker,
produces a whack-a-mole attitude and is a an example of avoidance behaviour, avoiding proper testing and risk management such as incident response good facilities management.
I've seen to many "pen testers' and demos of pen testing that are just plain ... STUPID. Unprofessional, unreasonable and pandering to the ignorance of managers.
In the long run the "drama-response" of the classical pen-test approach is unproductive. It teaches management the wrong thing - to respond to drama rather than to set up a good system of governance based on policy, professional staffing, adequate funding and operations based on accepted good principles such as change management.
And worse, it
- shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
- has no guarantees about what collateral damage the outsider had to do to gain root
- says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
- indicates that your management doesn't understand or make use of a proper development-test-deployment life-cycle
Yes, classical hacker-driven pen testing is more dramatic, in the same way that Hollywood movies are more dramatic. And about as realistic!
"Crazy" is a good description of that approach.
Requirements for conducting VA & PT – Take 2
Soe people ae under the mistaken impression that a Pen Test simulates a hacker's action. We get ridiculous statements in RFPs such as:
The tests shall be conducted in a broader way like a hacker will do.
LOL! If a real hacker is doing it then its not a test 🙂
Seriously: what a hacker does might involve a lot more, a lot more background research, some social engineering and other things. It might involve "borrowing" the laptop or smartphone from one of your salesmen or executives.
Further, a real hacker is not going to be polite, is not going to care about what collateral damage he does while penetrating your system, what lives he may harm in any number of ways.
And a real hacker is not going to record the results and present them in a nicely formatted Powerpoint presentation to management along with recommendations for remediation.
Requirements for conducting VA and PT tests
On one of the lists I subscribe to I saw someone make this alarming comment:
There may be better and cheaper ways, but I suspect that an outsider
walking in and gaining root on your core database is much more
convincing than an auditor pointing out the same vulns.
That is a very sad situation to be in, since it
- shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
- has no guarantees about what collateral damage the outsider had to do to gain root.
- says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
- indicates that your management doesn't understand or make use of a proper development-test-deployment life-cycle
Yes, it is more dramatic, in the same way that Hollywood movies are more dramatic.
Security and efficiency
You gotta love the low-tech solution. It's really never NOT about people, is it? 🙂
Darn tooting right!
Its always people. Any way you look at it.
Which is why I go on about The 11th Domain.
Why the CBK places so much emphasis on technology when the (ISC)2's motto is "Security transends technology" and why the "people" aspect, social structures of organizations, behavioural psychology, group psychology and lot more, all of which are "about people" and probably have a greater leverage as far as InfoSec "Getting Things Done" (Especially in a stress-free manner_.
As I said previously, I think we're doing it wrong; and I don't mean just Risk Assessment!
IT AUDIT VS Risk Assessment – 1
We were discussing which should be done first and someone commented:
Many times, we find that the Control Objectives and controls become
prominent before an ISMS is properly established. Where can a SOA stand
if the assets are not identified and risk is not assessed and approved
by the ISMS Management.
As I've said, I think this is a fallacious argument.
If you buy a house or a car there are locks already installed.
They are installed regardless of any specific threats or any knowledge of the assets contained. Many (new) houses come equipped with additional security features such as alarm systems, steel-cased doors
and frames and such like. These are BASELINE features that are implemented without any identification of assets or any formal Risk Analysis or approval process.
Please note: I am not saying that a house owner might not institute additional controls such as an insurance policy that identifies specific assets or a guard dog that is taught the boundaries (aka 'scope') it has to protect.
What drives the RA? Need or Fashion?
A colleague in InfoSec made the following observation:
My point - RA is a nice to have, but it is superfluous. It looks nice
but does NOTHING without the bases being covered. what we need
is a baseline that everyone accepts as necessary (call it the house
odds if you like...)
Most of us in the profession have met the case where a Risk Analysis would be nice to have but is superfluous because the baseline controls that were needed were obvious and 'generally accepted', which makes me wonder why any of us support the fallacy or RA.
It gets back to the thing about the Hollywood effect that is Pen Testing. Quite apart from the many downsides it has from a business POV it is non-logical in the same way that RA is non-logical.
Cell phone risks
- Image by Getty Images via @daylife
I hope somebody's thinking seriously about the implications of this:
http://www.theregister.co.uk/2010/12/14/us_army_smartphones_4_all/
Israel has already seen some consequences of soldiers with cellphones.
Here in Toronto we have a law against driving and using a hand-held cell phone. I note that researchers are reporting that even hands-free pones are distracting enough to be a major risk. never the less, I have stood back fro the kerb at an uptown intersection and seen drivers turn against the lights and narrowly miss pedestrians because they were on the phone. The drivers, that is. (I'm still on the look out for pedestrians using phones and being oblivious to their surroundings causing accidents.) Perhaps I need to use my own phone and make videos of this and upload the to YouTube 🙂
So I'm very cynical about the use of distracting technology in the battlefield. Use of the smartphones 'in barracks' is one thing; using them in the field is another.
There seems to be a big mental hole here.
The idea of a coms system that has a central control or the cell/tower model is inherently vulnerable; no less so than GPS if you think about it, and probably more so; you don't need a rocket launch and EMP capability to take out cell phone towers and the phone system.
But the kind of Wifi system that allows the nodes to mesh and forward and heal (WiMax) is just the kind of thing the cell phone companies don't want.
WiMax - http://www.open-mesh.com/ - may assume an internet backbone
connecting the various meshes, but in a battlefield scenario the local mesh would be adequate. Its simply uses different "smartphones" and software. Maybe there is a back haul WAN, maybe it can download satellite or surveillance images or the front-line commanders.
But OTS cellphones ... I can see too many high risk scenarios in a military setting.
Related articles
- Cell Phones Responsible for Traffic Deaths (cellphones.org)
- Cell Phones Significant Part Of Traffic Deaths (informationweek.com)
- Do Cell Phones Cause Cancer? (everydayhealth.com)
- Vietnam: Cell phones and students (textually.org)
- Do You Have These Cell Phone Accessories Yet? (socyberty.com)
- Cell phone concept phones blow, kiss and touch to make talking intimate (textually.org)
All Threats? All Vulnerabilities? All Assets?
One list I subscribe I saw this outrageous statement:
ISO 27001 requires that you take account of all the relevant threats
(and vulnerabilities) to every asset - that means that you have to
consider whether every threat from your list is related to each of
your assets.
"All"? "Every"?
I certainly hope not!
Unless you have a rule as to where to stop those lists - vectors that you are going to multiply - are going to become indefinitely large if not infinite. Its a problem in set theory to do with enumberability.
See
http://infosecblog.antonaylward.com/2010/05/19/the-classical-risk-equation/
for a more complete discussion of this aspect of 'risk'.
See
http://www.bloginfosec.com/2010/08/23/why-the-risk-threats-x-vulnerabilities-x-impact-formula-is-mathematical-nonsense/
in which Jeff Lowder has a discussion of the "utility value" approach to controls
Because its the controls and their effectiveness that really count.