Category Archives: Security

Crouching Pterodactyl, Mandiant Dragon

Mandiant has an entertaining and ongoing series of presentations called “State of the Hack”. In the latest episode they offered a series of slides on the threat of intellectual property and brand theft, naturally starting with the U.S. Air Force.

Corporate espionage is a serious problem globally. The Mandiant program is far more focused, however. They ignore all theft perpetrated by everyone other than China from America. I won’t try to guess why they fixate, but I also can’t help but point out that in their zeal to demonstrate the connection they mistakenly label the following image as a “China Dragon”:

Kudos to them for putting a link to the original source in their slide. I always try to do that myself and really appreciate seeing attribution. So I went to the link in their slide and right away noticed, prominently displayed at the top of the photo, the following phrase:

This is what the pterodactyl looks like

Oops. That’s no Dragon.

I guess they also don’t want you to know the photo is by Sharon.

Then I did the side-by-side comparison that they recommended, with images of the Predator B, and I noticed many clear differences.

Also not a Dragon

Maybe I see differences instead of similarities because I’m too far into the trees/details of things and missing the big-picture forest from Mandiant’s view.

I suspect if you pull back far enough not only does the word “pterodactyl” look a lot like “dragon” but eventually everything looks like it comes from China. Bada bing. I’ll be here all week.

The presentation as a whole is still worth a watch. A celebrity defense argument that comes later is far more interesting to me. Or maybe I can digest it more easily because it doesn’t go into claims of the motives of the attacker. I find that I agree with their assessment of defensive measures, not least of all because I presented on this issue at the RSA SF Conference in 2010 and earlier at CSAS — social networking exposure parallels the lessons from celebrity exposure.

So I can guess that on most security theory I would likely agree with the presenters. But when they head down their path of focused attribution it leaves me cold, which only makes an obvious error even more difficult to ignore.

BayThreat Images: A-Cat

A couple people have asked to see again the photos I used in my presentation last week at BayThreat. It was called “Sharpening the Axe” because I discussed how to be as efficient as possible when pentesting cloud and virtual environments. I thought I should perhaps just post the photos here for convenience. Here are the first two, showing efficiency in modern sailing with the International A-Class Catamaran. Both are a custom Bimare XJ built by Ben Hall.

Downwind, North American Championships in Islamorada, Florida

Upwind, club race in Santa Cruz, California

SF Health Inspectors Charged with Fraud

Two San Francisco health inspectors have been charged with taking payments to falsify results.

Both Sanders and Stewart are former employees of the city Public Health Department. Each took hundreds of bribes of $100 to $200 apiece from restaurant managers and owners in 2007 and 2008 in exchange for allowing them to pass their food safety manager exams, District Attorney George Gascón said.

[…]

Gascón said the managers and owners who allegedly bribed Stewart and Sanders would not be prosecuted because many of them thought the payments were legitimate fees. For many of the managers and owners, English was their second language, the district attorney said.

“We believe that the greater culpability goes to the public employees,” Gascón said.

That policy, of course, encourages the managers and owners to turn in corrupt inspectors.