Wednesday, 21 May 2014

Stick by Your Guns – or Die by Your Marketing!

Stick by Your Guns – or Die by Your Marketing! 

'No more drama'; I clearly remember me saying this at the end of BsidesLondon.  I also remember saying that if 'you disagree with someone, then that's fine too'.  No more name calling though.  So, I get to live by my rants and stand by them. 

Let's get this out of the way; I disagree with F-Secure and Mikko Hypponen.

Now, just so we are all very clear, I actually have a lot of respect for Mikko, as do many in our industry.  However, what has played out IMHO over the last few months has been at best confusing, and at worst incredibly contradictory.  A short time-line of events that have led the way to this personal opinion of both Mikko and F-Secure are as follows: -


Let me connect the dots here.  Mikko and F-Secure took a stand about the allegations that RSA took money to purposely back-door some of their security products.  Mikko, as most of you will know was a regular speaker at the RSA conferences, took objection to what he and F-Secure thought was unacceptable and cancelled his talk(s) with them.  This engaged the 'cyber-media-firetrucks' and the circus came to town.  As that stood, I personally thought he had the right to do this and ask questions.  Let's say a win for Mikko and F-Secure here.  Now, you know what would be a good idea here?  Another bloody conference in San Francisco at the same time as RSA, because you know, we have the flights and shit we should totally go and hold some type of awesome conference in protest!  Errrr, guys you know BSidesSF is an awesome conference that is about people connecting and contributing?!?  That seemed to be a moot point, as another conference started its cyber-engines, in my personal opinion!

Fast forward to about two weeks ago; Mikko, F-Secure, and David Hasslehoff come to Berlin to talk about how the Hoff is a privacy campaigner and has been for twenty-years (I know, it surprised me too, but a man's gotta eat I guess) and they want to produce a 'Digital Freedom Manifesto', followed by a wee sing-song about 'Looking for Freedom'.  The only thing I'm looking for is why on earth you need a gimmick for a subject matter so large?  Still, I guess we can call it a win here for Mikko and F-Secure, although personally the cyber-media circus around the initiative is beyond me.  Hey, you know they don't build statues to critics, so I'll wind my neck in on this!

To recap, RSA bad for working with the NSA, Digital Freedom needed, and you know what else we need?  Malware scanning on Facebook!  Well yeah, I guess, I mean, Malware is bad voodoo and a lot should be done to fix it, but I thought you, Mikko and F-Secure, didn't like it when they worked with NSA partners!  You know, Digital Freedom, and what not? 

F-Secure announced today that they will be partnering up with Facebook to help its users scan for Malware and give them a scanner if they detect anything that could be malicious.  There is thus a real chance that mom and pops will actually have some protection from those evil malware authors (no, I don't mean the intelligence services around the world, I mean the bad dudes!).  I guess this is a win for Mikko and F-Secure also.  I might add, not bad business getting your brand out to that many Facebook users. 

In total, that adds up to three wins in the column for F-Secure and Mikko.  You see this is where it gets difficult for me, it just doesn't really add up.  The journey from RSA being the bad guys, and all the attention that came from that, to launching a digital freedom manifesto wrapped up nicely by working with Facebook.  I just can't get my head around RSA==BAD, FB==GOOD.  They've both taken flak from the Snowden leaks, they've both been accused of assisting the NSA to spy on foreigners (that's non-Americans like Mikko and myself, if you're wondering).  There are some differences though between the two organisations.

RSA and Facebook, both big names?  No, not really.  RSA is big in industry, but Facebook is a big name to EVERYONE.  Even those that know RSA, know Facebook.

Both RSA and Facebook have used customer data to make money?  Grey area here, Facebook is definitely not known for loving the gods of privacy and in fact, their business model sort of precludes them from it.  Whereas, RSA sell actual products for securing people (although this is the area of issue, back-dooring security products is just out and out wrong), although, I suppose selling back-door access could be argued as supplying customer data. 

Both RSA and Facebook have had relationships with the NSA.  Now here comes Mikko's response to this when I tweeted him about it:

'I have no proof of FB volunteering their data to any intelligence agencies.  Do you?'

To which I responded;
'So, did you use the Snowden leaks as proof for the payment to RSA'

Technically speaking, I'm wrong; Mikko didn't use the Snowden leaks as proof, he used Reuters, which referenced a Snowden leak.

'On December 20th, Reuters broke a story alleging that your company accepted a random number generator from the National Security Agency, and set it as the default option in one of your products, in exchange for $10 million.'

'Documents leaked by former NSA contractor Edward Snowden show that the NSA created and promulgated a flawed formula for generating random numbers to create a “back-door” in encryption products'

Now, to justify what I've said, and my burden of proof that Facebook also spied on people for the NSA doesn't come from Reuters, it comes from the New York Times I'm afraid, however Reuters reference them, so I'm sure it's cool for me

'The companies that negotiated with the government include Google, which owns YouTube; Microsoft, which owns Hotmail and Skype; Yahoo; Facebook; AOL; Apple; and Paltalk, according to one of the people briefed on the discussions. The companies were legally required to share the data under the Foreign Intelligence Surveillance Act.'

So to be fair, Facebook had to do it!  Yeah, well they could have joined Twitter and made it hard for them to spy on foreigners (like Mikko and me).  I guess you can argue either way on them 'volunteering' their data to intelligence agencies, but I'm going to go with; YES, I BLOODY DO!  If the burden of proof used to damn RSA was leaks, then the burden of proof for Facebook should be the same.

Now, I've gone a long way around to say this but here is crux of it;
If you damn one for the sin, then damn them all!  It's contradictory to attack RSA and yes, give Facebook a pass for the same thing.  RSA couldn't give a mailbox (I believe in some of the posts they call it a back-door) feature similar to the one offered by Facebook to the intelligence agencies, so a flawed encryption algorithm which acts like a back-door might have been their own choice too. 

It seems that the real argument is going to focus on what your definition for 'volunteering data' is.  For me, it's painfully simple that publicly attacking RSA for badness, whilst ignoring that data is being given, with the knowledge of Facebook, who didn't fight against it, unlike Twitter, is at best a confusing stance.  I fail to see how you can campaign for 'Digital Freedom' when you've partnered up with someone given a portal by Facebook to invade our privacy without our knowledge.    

So yes, this post is a bit trolling, I know, but hey, I thought you did the right thing with RSA, I just thought you were shitty with BsidesSF.  I personally think gimmicks are for other vendors incapable of making a lucid, valid argument, something I'm sure F-Secure is capable of doing.  Moreover, if you give a position publicly, then for the love of God, stand by it!  You have a chance to lead by example, and at best you've changed a position about working with people who break our trust in our privacy. 

You wouldn't want people to think that the steps taken over the past few months have been more about publicity than freedom.


Tuesday, 13 May 2014

Part Three - Linux Tag and Droidcon – Berlin

Bring forth the neckbeards and sandles! Well, maybe not the sandles! Actually very cool TBH with you, the Snowden privacy thing seems not to have poisoned our Linux brethren, well it has, but its not all about privacy. Some very cool talks, and some, well, err confusing and painful. For starters, slides, please think of your audience, we love you. Don't hurt us with slides and __VERY__ small terminal fonts. Come on peeps, you can do this, go to YouTube, you've worked so hard only to blind your audience with millions of bullet points, terminal screen shots and stuff that frankly makes no sense.

Still, in some cases I got to have a seat and update my twitter which let's be honest, is good.  All in all here's some notes, I actually found some KDE users. It had to be Berlin of course, but yeah, people still use it! I learned that OpenSUSE is actually still a thing, and I met all four users of it. Then I shocked the OwnCloud guy when I told him I used Arch in a work environment because it's more stable than Ubuntu. Amazon Linux has a goal of releasing security patches within 24 hours of disclosure, which I doubt is a service level agreement, but it is a real nice effort from them.  Also 4 hours from the HeartBleed disclosure to a patch being pushed out. Oh and again, can people stop using QR codes! I learned I am in no way suited for Android development. That some Android developers seem to think the internal network is safe and doesn't require security, even if it is bloody home automation. That Kinko could be a very good project for email security but my gut says wait and see. That patent trolls have struck again and have patented the term 'Crypto Stick©'.  Thank god they haven't patented a term I think about them that rhymes with it!

FX did a very interesting keynote, that I thoroughly enjoyed. If its been recorded, give it a watch.  Plus he throws some pain Cisco's way, which is always fun.

All in all a very enjoyable time.
Next Stop Re:Publica – Into The Wild – Berlin

Part Two

Social Media baby, it's what makes the world go round! No, it really does! I swear, I was at a conference and it was clear to me! Come on, give me a break! It's important! So yeah, I went to one of those social media things and you know what, it was actually interesting. Granted privacy was on the agenda (you'd be surprised if it wasn't). I'm glad that Snowden hasn't trademarked his name yet, otherwise that man would be uber-rich to say the very least. My conference started for me with Sarah Harrison and Alexa O'Brian doing some 'interview' sort of thing. ZOMG!!! Snowden, you know!!! The US, OMG WTF!!! I'm sorry, I found myself getting more vexed by this talk/interview than I had imagined, which trust me, is an achievement. Whoever told Sarah Harrison they're doing 'scientific journalism' at Wikileaks should maybe cover the scientific part as well as the journalism part. Causality and Reaction is not absolute fact, and because a government couldn't prove 'X' in a court of law doesn't make 'Y' a fact. If I followed their logic I could equally argue that snowploughs are responsible for snow, owing to the fact that cities with lots of snow have more snowploughs. Which is true, but correlation 'facts' don't mean anything other than correlation between items. Also if you're going to interview someone, you ask the questions and then wait for the answers. Still feel safe in the knowledge that these people have your thoughts at heart! Oh, I was going to go off on the whole 'redaction' thing, but seriously, I'm using LibreOffice and I'm not sure that Free Software can handle my RAGE!

This was followed by Jacob Jake Applebaum and his AIDs and Privacy talk; few could pull of something like this, and praise where it is due, Jacob Jake did a very good job. It comes from the time at 30C3 were he said something along the lines of; 'if you don't use encryption you're barebacking with the internet'. The crux of the talk is basically we could learn a lot from harm reduction strategies and then he linked that to privacy issues. Granted a condom is probably easier to use than PGP, but a point well raised. I've said for a good while, 'we don't do risk eradication, just risk reduction'.  The Hoff and Mikko! NO. JUST NO. NO, I mean NO!!!! Sorry, this was as craptastic as it sounds. You know if you can't find a decent train crash to watch then look for this talk. On stage was one person very comfortable with addressing large audiences, the other was David Hasslehoff.  I have no idea what prep Mikko gave The Hoff, but it wasn't enough, trust me! Also, when most of the audience leaves half way through, this is the cue for you to start singing 'Looking for Freedom'.

Why, Oh Why, did I go to a 'security' talk at non-security conference? I'll tell you; understanding how people talk about security not in a security arena is a good thing. Be prepared, however, for me to question some premises if you do this, such as; 'Open Source software is MORE secure'! The many eyes, shallow bugs line! I love that one, it's beautiful in it's honesty. Yes, more people looking at code will probably make it less buggy, this doesn't mean jack when it comes to security though.  You know OpenSSL (_*starts singing heartbeat*_), you know, many eyes yeah! Also, OpenSSH, bloody thing has a SDL, each line of code is verified, and its got 'Secure' in the title. Well, it still gets exploitable bugs in it from time to time. Also, be very prepared for me to ask you; 'many eyes yeah? You run Linux I guess, ever read the 10 million lines plus of code?”. What I particularly loved about this was then being told that I had made the common mistake of thinking that 'Open Source Software was MORE secure'. Which was strange given it felt like I had asked why they said that, in fact I was pretty sure that's exactly their opening gambit in the first 5 minutes of the talk.  This was also followed by; 'well I prefer having access to the code', so to this Vodka is more secure than Gin because I like it, and I have access to it. However, the overall message was a good one IMHO. Keep your important data on systems you control. This is a message that is very much needed at social media related conferences.

Lets not talk about QR codes, lets just say the message hasn't got out about QR codes. Scan all teh thingz at conference. NO, for the love of god, NO!

Lots of other pretty cool stuff happened too. The crypto currencies talk, was well, errr about BitCoins. Enough said. The Craftvisim talk was thought inspiring, and I enjoyed it very much. All in all pretty cool tbh with you. Now, let's wrap the whole thing of with a great big singsong of “Bohemian Rhapsody” and we have the makings of a pretty cool conference! Superiorly, it was cool.

Part Three To Follow
Four Conferences Later

Security, Social Media, Linux and Android – Part 1

As a good friend once said to me, “Your industry is basically built out of conferences!”. Hard to argue with the logic, given the fact that I had just completed a two week trip away from home that covered two European capitals, four conferences, and exposure to countless geeks of all kinds talking about a variety of subjects! In this trip I learned a lot, not all  intentionally, not all of it practical, but educational none the less.

So, my journey starts back in the UK at BSidesLondon; a must for anyone in the European Security community. In one way, shape, or form, I have been involved with BSidesLondon since it started 4 years ago. 3 talks, 2 Rookie tracks, and a workshop later, I've watched the conference grow, and boy has it grown! Bigger doesn't always mean better, but in this case, its hard to say that it isn't.  Two years of 'officially' being crew has been both rewarding and educational. For me, the most rewarding aspect of BSidesLondon has been the 'Rookie Track'. Sometimes (and just sometimes!), really good things can come from ranting and this is a case in point. Taking people who have never given a talk, and giving them the platform, coupled with the correct support, has gone on to produce not only excellent talks, but speakers who  understand how to help new, fellow speakers of the future. Yet again, this year's rookies set a standard showing that just because you've never spoken before doesn't mean you can't own the stage like you were born for it.

My day at BsidesLondon started off as a speaker with a lightning talk, a very under prepared lightning talk I might add, but nonetheless I stood up and talked about Crypto Parties (and no, the 90's didn't call and ask for their keys signed!). I know a lot of people find it surprising that someone with my cynical nature would be involved with them, but personally I believe that hands on grassroots help for people not involved in security is a must. Put simply, our industry must roll its sleeves up and help. I then followed the talk with a short workshop on presentations, or moreover, how not to kill your audience by slide deck (Death by Powerpoint anyone?). I'll put this out there for the record; “Our industry SUCKS at presentations”. Granted it's a difficult task, but if you want to deliver a message to people and in doing so poke them in the eyes with a horrible PPT don't moan that no-one took anything from it! This theme of “let's stop sucking at slides” is a theme you're going to see played throughout these posts for a while. Back to the workshop though, this seemed to go down very well, and like all good experiences, I learned from it too. It seems there is salvation for our 'sucky' slide deck community after all! Finally, the workshop was followed by my talk on detection system fails. Yeah, I'm still talking about that subject, you know why? We still fail!

London was then wrapped up with 44Cafe, followed by the EU Security Bloggers Awards. I'm going to put this out there as well; “STOP PLAYING HEARTBEAT WHEN YOU TALK ABOUT HEART BLEED!!!!!”. I don't want to hate you, but you make it bloody hard not too! The EU Security Bloggers Awards were fun, this year we beat last years record and managed to come third in a one horse race, which for me is personal best. Congratulations to Martin McKay, and his NetSec Podcast. To the Eurotrash guys; 'Mwhahahahaha, that's how it feels boys!'. I also managed to grab dinner with the 'grandfather' of British Security Mr Pete 'Grandpapa' Wood, which is always a pleasure. He didn't talk about the war, or being on any sinking boats for the navy which is a win, but we had such a laugh. I always love spending time with him, he's been a great friend over the years and frankly a good role model for any young upstart in security. Also, Dan Raywood of IT SecGuru coined the 'before and after look' whilst 'Grandpapa' Wood and  myself were at the bar.  Thanks Dan ;)