A thriller by Kevin Slavin from TED talks about the risk from over dependence on algorithms. This parallels my presentation at BSidesLV 2011, where I warned of the dangers of automation for services/utilities (e.g. insecure cloud models).
Category Archives: Energy
Cloud Security Different, Says Okta
Okta has announced their series B financing today. It includes a recap of security in the cloud that reveals how they pitched it for money, and why it’s different:
The concepts of security, single sign on, user management and auditing are not new. They’ve existed since the first user logged into the first mainframe. Why is the problem different or the potential solutions better in the cloud?
- There are more services and applications available to users within an enterprise than ever before.
- The cost to build, deliver and sell the services is dramatically lower leading to more services available in the market. Literally, thousands of new SaaS start ups have spawned in the last 10 years.
- Companies aren’t limited by their ability to build infrastructure to deploy and maintain as many applications as they want.
- In addition to more services, there are more users. Each generation of technology, from mainframe to mini computers to client server to cloud has seen a 10X increase in the number of users. And each of these users is accessing the services in a variety of ways. Gone are the days of one desktop per employee. There are desktops, laptops, virtual desktops, tablets and smart phones.
- Finally, companies need to support a mobile workforce. They can no longer rely on securing the physical network perimeter with a firewall and selectively permitting VPN access. They need to have the same kind of rich authentication, authorization, auditing and logging for all their critical services.
Call me anal, or haiku-obsessed, but it looks like that list boils down into the following:
- More services are available
- It costs less to build services
- Infrastructure costs are lower
- There are more users
- Users are mobile
Wait, let me try that again.
- More services now
- Can’t stop the mobile access
- Deployed for less dough
Coming up with definitions and finding differences is fun. Who doesn’t love isomorphism? When is a muscle-car a muscle-car? I mean if a Toyota Camry races a Pontiac GTO and wins, do we still get to call the GTO a muscle-car or does the Camry get the title? More to the point, if we accept the Okta explanation, clouds do not seem far ahead of traditional IT departments. What really stops on-premise IT from providing more services at less cost to more users who are mobile?
But there’s more to a muscle-car than just measuring horsepower (the 268-horsepower Camry LE is still a second slower than a goat, BTW; efficiency is another story). Okta could have highlighted the new cloud use-cases and security issues from cloud behavior.
Many more roles/identities with far more relationships and yet less permanence are cloud specific. Tracking identities and meta-directory data when it’s not clear who exactly should be the one to track identities, now that’s a different problem than on premise where accounts are doled out more carefully by a clear authority.
They also could have highlighted the tall and wide shadows of data created and then “destroyed” when accounts and services are spun up and down on short cycles because “owners” come and go. You thought keeping track of hires and terminations was hard before, try managing it for systems you can’t see or touch and only get a utilization report from. That’s another difference, a sort of opaqueness to their hidden services with their secretive SRE (service reliability engineers), which all may be completely untrustworthy.
Maybe it’s all coming in their next installment and I’m just jumping the gun.
For now, congrats go to them for round B. Perhaps it’s best to end by saying they are in a great market space — cloud providers clearly need identity management solutions like a GTO needs seat belts, air bags and a catalytic converter to control behavior-induced risk.
Guerrilla Greywater: Living Off the Grid
Tips from KALW news on some do-it-yourself waste management.
The process is pretty simple: the poo bucket is under the house. It gets emptied once a week into a larger rain barrel. Once it’s full, Laura covers it and lets nature take over. And in one year, voila! You have humanure.
And you might be wondering – what about the smell? Well, the sawdust, coupled with an air vent, creates an anaerobic process: it doesn’t smell. Laura’s bathroom actually smells clean, with a hint of cedar wood, thanks to the sawdust. And the urine? Laura collects that too, in a separate container which she uses as a fertilizer for her garden. Human urine is rich with nitrogen, which plants need to grow. She almost gets more excited about urine diversion than composting.
[…]
In Laura’s bathroom, there’s a large photo of a few ears of corn. Some were fertilized with urine harvested from her toilet; some were not.
ALLEN: You can see in the picture that the zero-urine corn is tiny – like two inches tall. And the cobs that received the most urine are big, yellow, and, like, eight to 10 inches long. So it’s very visual, how well it works.
Note: the group no longer calls itself a Guerrilla group to avoid association with other meanings of the word. I guess they decided it would be too hard to reclaim the word and strengthen the non-violent associations.
In 1999 we named ourselves the “Guerrilla Greywater Girls” as a tongue-in-cheek response to a draconian California plumbing code that discouraged the simple, low-tech greywater systems we promote. A few years later we changed our name to the “Greywater Guerrillas”, to reflect the multi-gendered composition of our collaborators. As we worked more closely with government agencies and regulators, and began collaborating with A Single Drop in countries where “guerrillas” has violent implications, we searched for a name that would represent our goals and strategies to a diverse and international audience. In 2009, we chose a new name, “Greywater Action - For a Sustainable Water Culture”, for our appropriate technology education projects. We’re also developing an umbrella group that connects the art, appropriate technologies, theater and cultural transformation around water.
Stuxnet: Anatomy of a Virus Sensational Video
I disagree with about 90% of this video, and find it annoying that they do not cite references — who says there were 20 zero-days? There were only 4, and even that is debatable, as I’ve said before. It’s a shining example of how speculation has filtered its way into fodder for sensational videos.
Oooh, scary.
I do not understand how they can avoid mentioning that the guy who is credited with having the most detailed and first knowledge of Stuxnet — Ralph Langner — calls it “very basic”. He even explains how antivirus company researchers, infamous for hyping the threat, are wrong in their analysis.
Stuxnet attack very basic. DLL on Windows was renamed and replaced with new DLL to get on embedded real-time systems (controller). It was not necessary to write good code because of the element of surprise — only had to work pretty well.
Nate Lawson gives probably the best and most authoritative explanation of Stuxnet available anywhere, which also contradicts the scary video. Unfortunately, he made a major marketing mistake. He called his blog post “Stuxnet is embarrassing, not amazing”. It’s a post with a modest and realistic view of the code.
Rather than being proud of its stealth and targeting, the authors should be embarrassed at their amateur approach to hiding the payload. I really hope it wasn’t written by the USA because I’d like to think our elite cyberweapon developers at least know what Bulgarian teenagers did back in the early 90s.
What he should have called it was something like “What the next Stuxnet will look like” or “How Stuxnet could be 100x more powerful”. That would have given him the same level of buzz or even more than the nonsense peddled in the above video.
And what this video should have said is that Iran was infected by a low-grade attack because they had poor security management practices and were compromised by an insider. I mean, what are the chances that the nuclear program would have succeeded anyway, given that maintenance failures and rust in thousands of centrifuges were also causing them problems? Or, to put it the other way, what are the chances that a high rate of centrifuge failure was unanticipated, as explained by the Institute for Science and International Security (ISIS)?
The destruction of 1,000 out of 9,000 centrifuges may not appear significant, particularly since Iran took steps to maintain and increase its LEU production rates during this same period. […] One observation is that it may be harder to destroy centrifuges by use of cyber attacks than often believed.
Although the attack was well planned and targeted to exploit a specific set of issues, it leveraged weak and known-bad controls such as unnecessary services, poor isolation/segmentation and no host-based monitoring. It is truly scary to see over and over again (for more than 10 years now) that nuclear energy companies rely on obfuscation and self-assessment more than a set of security best-practices to address risks. Calling Stuxnet sophisticated gives the Iranians far too much credit for their defences and just plays into the hand of those who want to escalate international political conflict.
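Langner’s point above (a DLL renamed and replaced) and the missing host-based monitoring named in the last paragraph fit together: a plain file-integrity baseline is enough to flag exactly that swap. The example below is added here, is not Langner’s, Lawson’s or any vendor’s code, and uses a constructed scenario in a temporary directory with a placeholder file name (`vendor.dll`) rather than any real Stuxnet artifact.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file's contents; small files are read in one go."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def snapshot(directory):
    """Map file name -> SHA-256 for every regular file in the directory."""
    return {p.name: sha256_file(p) for p in Path(directory).iterdir() if p.is_file()}


def compare(base, current):
    """Diff a baseline against a fresh snapshot; return (kind, name[, detail]) tuples."""
    findings = []
    hash_to_name = {digest: name for name, digest in base.items()}
    for name, digest in base.items():
        if name not in current:
            findings.append(("missing", name))
        elif current[name] != digest:
            findings.append(("modified", name))
    for name, digest in current.items():
        if name in base:
            continue
        # An unknown file carrying a baselined hash is the original, renamed aside.
        if digest in hash_to_name:
            findings.append(("renamed_original", name, hash_to_name[digest]))
        else:
            findings.append(("unexpected", name))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a library, then rename it and drop a replacement."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "vendor.dll").write_bytes(b"constructed original library bytes")
        base = snapshot(d)
        (d / "vendor.dll").rename(d / "vendor_bak.dll")
        (d / "vendor.dll").write_bytes(b"constructed replacement library bytes")
        return compare(base, snapshot(d))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same check run on a clean directory returns an empty list, which is the quiet state a host monitor should normally report.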