Category Archives: Security

AMQP Sniffing

AMQP (Advanced Message Queuing Protocol) is an open standard that applications can use to exchange routing and queuing information over IANA-assigned port 5672 (registered for TCP, UDP and SCTP). It includes authentication, message receipts and network-level event notification. Wireshark has a pre-alpha AMQP dissector. The point worth remembering for anyone running a capture: unless the connection is wrapped in TLS, the handshake travels in the clear, so a SASL PLAIN login in the client's Connection.Start-Ok is readable by anyone who can see the traffic.

It covers both very high-performance pub-sub (with claimed speeds of up to 150k messages/second through a single broker) and high-reliability messaging (with guaranteed delivery). There are several open source AMQP implementations, including iMatix’s OpenAMQ.

The connection life-cycle and message flow are described in the version 0-9 specification, which calls AMQP a “General-Purpose Middleware Standard”.
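To make the sniffing point concrete, here is an added example (my own illustration, not code from this post, from the specification or from any AMQP implementation) of what a dissector has to do with a captured AMQP 0-9-1 byte stream: split it into frames using the 1-byte type, 2-byte channel and 4-byte size header and the 0xCE frame-end octet, find the Connection.Start-Ok method frame (class 10, method 11), and pull the SASL PLAIN credentials out of its response field. The capture bytes are constructed inline with a small builder so the example runs offline; the client name, user and password in it are placeholders, and the frame layout and method identifiers follow the 0-9-1 specification.

```python
import struct
from typing import Dict, Iterator, Optional, Tuple

# AMQP 0-9-1 wire constants (from the specification, not from the post).
PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"   # sent by the client to open a connection
FRAME_METHOD = 1
FRAME_HEARTBEAT = 8
FRAME_END = 0xCE                            # every frame ends with this octet
CONNECTION_CLASS = 10
CONNECTION_START_OK = 11                    # client answers Connection.Start with Start-Ok


def split_frames(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (type, channel, payload) per frame; reject truncated or misaligned frames."""
    pos = len(PROTOCOL_HEADER) if stream.startswith(PROTOCOL_HEADER) else 0
    while pos + 7 <= len(stream):
        ftype, channel, size = struct.unpack_from("!BHI", stream, pos)
        end = pos + 7 + size                # offset of the frame-end octet
        if end >= len(stream) or stream[end] != FRAME_END:
            raise ValueError(f"truncated or misaligned frame at offset {pos}")
        yield ftype, channel, stream[pos + 7:end]
        pos = end + 1


def parse_start_ok(args: bytes) -> Tuple[str, bytes, str]:
    """Decode Start-Ok arguments: client-properties (table), mechanism, response, locale."""
    pos = 0
    (table_len,) = struct.unpack_from("!I", args, pos)
    pos += 4 + table_len                    # skip the table; its length prefix is all we need
    mech_len = args[pos]; pos += 1
    mechanism = args[pos:pos + mech_len].decode("ascii"); pos += mech_len
    (resp_len,) = struct.unpack_from("!I", args, pos); pos += 4
    response = args[pos:pos + resp_len]; pos += resp_len
    loc_len = args[pos]; pos += 1
    locale = args[pos:pos + loc_len].decode("ascii")
    return mechanism, response, locale


def extract_plain_credentials(stream: bytes) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a PLAIN Start-Ok on channel 0, or None if absent."""
    for ftype, channel, payload in split_frames(stream):
        if ftype != FRAME_METHOD or channel != 0:
            continue
        class_id, method_id = struct.unpack_from("!HH", payload, 0)
        if (class_id, method_id) != (CONNECTION_CLASS, CONNECTION_START_OK):
            continue
        mechanism, response, _locale = parse_start_ok(payload[4:])
        if mechanism == "PLAIN":
            # SASL PLAIN response is authzid NUL authcid NUL passwd (RFC 4616)
            parts = response.split(b"\x00")
            if len(parts) == 3:
                return parts[1].decode("utf-8"), parts[2].decode("utf-8")
    return None


# --- builders used only to construct the sample capture below ---

def _shortstr(s: str) -> bytes:
    return bytes([len(s)]) + s.encode("utf-8")


def _longstr(b: bytes) -> bytes:
    return struct.pack("!I", len(b)) + b


def _table(fields: Dict[str, str]) -> bytes:
    # field-table entries: name (shortstr), value type 'S' (longstr), value
    body = b"".join(_shortstr(k) + b"S" + _longstr(v.encode()) for k, v in fields.items())
    return _longstr(body)


def _frame(ftype: int, channel: int, payload: bytes) -> bytes:
    return struct.pack("!BHI", ftype, channel, len(payload)) + payload + bytes([FRAME_END])


def build_start_ok(user: str, password: str, props: Dict[str, str]) -> bytes:
    args = (_table(props) + _shortstr("PLAIN")
            + _longstr(b"\x00" + user.encode() + b"\x00" + password.encode())
            + _shortstr("en_US"))
    return _frame(FRAME_METHOD, 0, struct.pack("!HH", CONNECTION_CLASS, CONNECTION_START_OK) + args)


# Constructed sample capture (not a real capture): protocol header, the client's
# Start-Ok with placeholder credentials, then a heartbeat frame.
CONSTRUCTED_CAPTURE = (PROTOCOL_HEADER
                       + build_start_ok("guest", "guest", {"product": "example-client"})
                       + _frame(FRAME_HEARTBEAT, 0, b""))

if __name__ == "__main__":
    print(extract_plain_credentials(CONSTRUCTED_CAPTURE))   # ('guest', 'guest')
```

The parser deliberately refuses a stream whose frame-end octet is missing rather than guessing where the next frame starts; a sniffer that resynchronises silently is the easy way to misattribute bytes between frames. Skipping the client-properties table by its length prefix is enough here because the credentials come after it, but a full dissector would decode the table's typed fields too.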

Labor Identity, Controls and Exploitation

A movie called James’ Journey to Jerusalem centers on issues of identity as they relate to economic prosperity and security. The lead actor does a great job bringing the viewer along a path of evolution from missionary to mercenary. Here is the Rotten Tomatoes synopsis.

In the imaginary village of Entshongweni, very far from western civilization, the young James is chosen to undertake a mission–a pilgrimage to holy Jerusalem. But Israel is no longer the Holy Land that James and his people imagined. At the airport, James is suspected of trying to infiltrate the country in order to work illegally. He is jailed and destined for deportation. Inside the dark cell, as James prays to God to allow him to complete his mission, a miracle occurs. A mysterious stranger posts bail for him. But it soon becomes clear that James’ freedom has come at a price–his savior is a manpower agent, who rescues illegal migrant workers in exchange for employing them in hard labor jobs. From then on, James’ journey to Jerusalem turns into an unpredictable journey through the cruel heart of its economic system. With good teachers, a bit of luck and some lateral thinking, James learns the tricks of the game and plays it towards an inevitable end.

A human trafficking story in Al Jazeera just brought this to mind because the accused is an Israeli national.

Last year, Mordechai Orian, the head of the labour firm that had recruited the Thai farm labourers, was arrested and charged in a federal court with forced labour conspiracy.

In lawsuits filed on Tuesday, the EEOC said that Global Horizons Inc, Orian’s Beverly Hills-based company, had recruited the labourers to work on six farms in Hawaii and two in Washington state between 2003 and 2007.

[…]

The EEOC says that the workers were being subjected to fees until they had almost no income left at all.

“They were nickeled and dimed to the point where they really didn’t have any pay,” said Anna Park, regional attorney for the EEOC Los Angeles office.

The EEOC says that some of the workers were forced to live in crowded conditions, and their quarters were infested with rats and insects.

Workers of other nationalities on the same farms were not subject to the same conditions, Park said.

Officials also said that the workers had their passports taken from them, and were threatened with deportation if they complained.

It sounds just like the movie, but with a very different ending.

Exploit Intelligence

Dan Guido’s SOURCE Boston presentation is called Exploit Intelligence.

He suggests that over-emphasis on vulnerabilities and a failure to assess threats will result in poor risk management. With so many vulnerabilities, it is best to prioritize based on threats, that is, focus on the exploits most likely to be used against you. Put another way, spend your defensive resources on making the known attacks less likely to work. That might mean using controls other than just patching.

This is an old song but still a good one. PCI DSS has tried to push the same message for a couple of years now. But Dan has put some nice data together to illustrate his point and he seems very adamant about change. I particularly liked the part when he said

This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.

They should have started a long time ago. But we also should be careful what we demand from vendors.

If we leave service definitions fairly open to interpretation and then force AV vendors to offer attacker capability evaluation (e.g. threat analysis or “kill chain models” if you must call it that) it will probably show up as a new $30/year premium subscription upgrade option with not much else changed.

Oh, wait, he included a “data should be…used effectively” clause. That always works.

UK Surveillance of WWII German POWs Reveals Private Beliefs

There is a fascinating new twist for historians interested in German culture during the Second World War.

When German historian Sönke Neitzel ran across a bundle of documents in Britain’s National Archives in 2001, he could hardly believe his eyes: He had found transcripts of conversations between German soldiers secretly recorded while they were being held as prisoners of war during World War II. These were private conversations between soldiers who didn’t know that a third party was listening to and transcribing their every word.

Their British and American captors had hoped these conversations would provide them with militarily useful information. But they learned little about weapons depots or secret weapons. Most of what the transcripts reveal is what everyday life is like for the foot soldiers in a war, as they fight, kill, and die.

“I’ve developed the need to throw bombs,” reads one passage. “It sends tingles up your spine, it’s an awesome feeling. It’s just as good as shooting someone.”

I am curious if any poetry was found in these transcripts. So far I have not found any mention of it.

The real twist in this story comes when the historian and a social psychologist try to portray all war as equally criminal due to the requirement to kill.

According to Neitzel and Welzer, there were without a doubt some committed Nazis among German soldiers during World War II, whose convictions told them that killing Jews was the right thing to do. But these, they say, were in the minority.

They also argue that the acts of violence committed under the Nazi regime were no more violent than those committed anywhere else. They believe that an ideology, such as Nazism is not the biggest factor that leads to atrocities. Instead, they say, it is a military values system that turns men into murderers.

It sounds like an anti-war argument. Regardless of motive, it fails a simple philosophy sniff test.

First of all, they use the term “minority” to call out “committed Nazis”, so they obviously apply some criterion to distinguish those soldiers' values from the others'. This alone proves that not all soldiers are equal-minded in war. From there it is just a matter of finding the right test pattern to identify exceptions to the rule.

Second, they say an ideology is separate and distinct from a military values system. They equate the latter to a job. While it is tempting to accept this analogy, and think of soldiers simply as professional killers, that would be an overly simplistic view of management ethics.

Take butchers, for example. Kosher butchers, Halal butchers…they too are professional killers but their ideology and their value system are not so easily separated. They use concepts and definitions of humane killing. Remove the religious foundation and replace it with health codes or even family traditions and you still will find ideology mixed with values and regulated by management.

Third, military values systems are not all historically equal. Historic comparisons often bring up stark differences in treatment of prisoners, to name one obvious example. The British definitely did not have the most humane military value system in their conflicts but the fact that we can differentiate them at all proves the point.

So Neitzel and Welzer can claim that all killing in war is equally criminal, but that seems to me to be a hypothesis built upon their own views and personal definition(s) of atrocity. Others may approach the topic with the philosophy of finding the differences between self-defense and aggression, for example.

And I suspect that German soldiers serving in Afghanistan today probably resent being linked to the military values system under Nazi rule. Military values across different eras have some things in common but that does not make them equal.