Wednesday, January 18, 2017

Man I am happy - is putting together a GSEC course

SANS/GIAC is one of those organizations viewed as a premier provider of services, in this case training and certification of information security personnel.  They have a number of training courses and associated certifications, and their certs are viewed very highly.

Here is the problem - they are majorly expensive.  Training is somewhere around $5600 for a 4- or 5-day course, and the exams for the cert are about $700 each.  Self-study is almost impossible because there aren't any materials available unless you can find someone selling theirs on eBay, and even then course books can go for $800.

These guys have a stranglehold and they wring every possible dime out of it.  So imagine my joy when I signed onto and found they are putting together a GSEC course.  (GSEC is one of GIAC's entry-level certs that meets the DoD 8570 requirements for IAT Level II.)  I have some materials from work and other sources, so with this course I am hoping to be able to put together a decent self-study program and knock out this exam.

Tuesday, January 17, 2017

Chelsea (née Bradley) Manning's Sentence Commuted

To be released 17 May.

I have to say, even though I argued earlier this week that Manning's sentence should be commuted, instinctively this pisses me off.

Oh well, I'll live with it, and the country will survive.

Monday, January 16, 2017

8 Men As Rich As Half The World. Are Any Looking For A 52 Year Old Moron To Adopt As Their Son? - What I Am Reading 1/16/2017

Seattle Times - Stark inequality: Oxfam says 8 men as rich as half the world -
DAVOS, Switzerland (AP) — The gap between the super-rich and the poorest half of the global population is starker than previously thought, with just eight men, from Bill Gates to Michael Bloomberg, owning as much wealth as 3.6 billion people, according to an analysis by Oxfam released Monday.
I'm not sure I believe these numbers, but even if I did, I definitely don't accept Oxfam's contention that it is immoral for people to accumulate large amounts of wealth.
“It is obscene for so much wealth to be held in the hands of so few when 1 in 10 people survive on less than $2 a day,” said Winnie Byanyima, executive director of Oxfam International, who will be attending the meeting in Davos. “Inequality is trapping hundreds of millions in poverty; it is fracturing our societies and undermining democracy.”
Maybe there is such a thing as too much wealth. But what is driving inequality is not the fact that these men are successful.  It's government policies that actively loot from the population.  It's governments holding one group of people in thrall while another enjoys all the advantages of their work.  It's policies like blocking GMOs for use in feeding starving populations or blocking effective mosquito eradication programs to prevent malaria and yellow fever.  It is a host of diverse complicated issues and what is immoral is targeting people like Bill Gates as the cause.

The Register - Google reveals its servers all contain custom security silicon: Even the servers it colocates (!) says new doc detailing Alphabet sub's security secrets -

Revealed last Friday, the document outlines six layers of security and reveals some interesting factoids about the Alphabet subsidiary's operations, none more so than the disclosure that: “We also design custom chips, including a hardware security chip that is currently being deployed on both servers and peripherals. These chips allow us to securely identify and authenticate legitimate Google devices at the hardware level.”
That silicon works alongside cryptographic signatures employed “over low-level components like the BIOS, bootloader, kernel, and base operating system image.”

A quick read was pretty interesting.  It looked like I could pretty easily match most of their controls to the top 5 of the SANS 20 Critical Security Controls.
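The quoted passage describes a hardware root of trust that authenticates the device and checks signatures over the BIOS, bootloader, kernel and base OS image before they run. The Go program below is an added illustration of that boot-chain check, written for this post; it is not Google's code and the document does not describe their actual format. It assumes a signed manifest of per-stage SHA-256 digests, an Ed25519 root key whose public half is baked into the chip, and constructed placeholder images in place of real firmware.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Stage is one component of the boot chain: a name and the raw image bytes.
// The images used here are constructed placeholders, not real firmware.
type Stage struct {
	Name  string
	Image []byte
}

// DemoStages returns a constructed boot chain in the order the quoted
// document lists the signed components.
func DemoStages() []Stage {
	return []Stage{
		{"bios", []byte("BIOS image v1 (constructed sample)")},
		{"bootloader", []byte("bootloader image v1 (constructed sample)")},
		{"kernel", []byte("kernel image v1 (constructed sample)")},
		{"base-os", []byte("base OS image v1 (constructed sample)")},
	}
}

// BuildManifest records the SHA-256 digest of every stage, in boot order.
// The offline signing key signs this manifest, not each image separately.
// (Assumed format: one "name:hexdigest" line per stage.)
func BuildManifest(stages []Stage) []byte {
	var buf bytes.Buffer
	for _, s := range stages {
		fmt.Fprintf(&buf, "%s:%x\n", s.Name, sha256.Sum256(s.Image))
	}
	return buf.Bytes()
}

// parseManifest returns the stage names in order and their expected digests.
func parseManifest(manifest []byte) ([]string, map[string]string) {
	var order []string
	digests := make(map[string]string)
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue
		}
		order = append(order, parts[0])
		digests[parts[0]] = parts[1]
	}
	return order, digests
}

// VerifyBoot is the check a root of trust performs before handing control to
// each stage: the manifest signature must verify under the public key baked
// into the chip, and every stage's digest must match the manifest, in order.
// Any failure halts the boot before the untrusted stage runs.
func VerifyBoot(rootPub ed25519.PublicKey, manifest, sig []byte, stages []Stage) error {
	if !ed25519.Verify(rootPub, manifest, sig) {
		return errors.New("manifest signature does not verify under the root key")
	}
	order, digests := parseManifest(manifest)
	if len(order) != len(stages) {
		return fmt.Errorf("manifest lists %d stages, device presents %d", len(order), len(stages))
	}
	for i, s := range stages {
		if order[i] != s.Name {
			return fmt.Errorf("stage %d: manifest expects %q, device presents %q", i, order[i], s.Name)
		}
		got := fmt.Sprintf("%x", sha256.Sum256(s.Image))
		if subtle.ConstantTimeCompare([]byte(got), []byte(digests[s.Name])) != 1 {
			return fmt.Errorf("stage %q: digest mismatch, halting before it runs", s.Name)
		}
	}
	return nil
}

func main() {
	// The private key would live in an offline signing service; only the
	// public half is burned into the hardware root of trust.
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	stages := DemoStages()
	manifest := BuildManifest(stages)
	sig := ed25519.Sign(rootPriv, manifest)
	fmt.Println("clean boot:", VerifyBoot(rootPub, manifest, sig, stages))

	// An implant that patches the kernel image changes its digest.
	tampered := DemoStages()
	tampered[2].Image[0] ^= 0xff
	fmt.Println("patched kernel:", VerifyBoot(rootPub, manifest, sig, tampered))

	// Rewriting the manifest to match the patched kernel breaks the
	// signature, because the attacker does not hold the root private key.
	forged := BuildManifest(tampered)
	fmt.Println("forged manifest:", VerifyBoot(rootPub, forged, sig, tampered))
}
```

The point of the design is that the only secret is the offline signing key: the chip needs nothing but a public key and a hash function, so the same check covers every stage the document lists, and an attacker who can rewrite flash still cannot produce a manifest the chip will accept.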

Ars Technica - Apple in Trumpland: How the new administration could upend Apple’s business -

As one of America’s biggest companies, Apple will continue to find itself singled out by Trump. Apple provides a good case study for the ways in which Trump’s stated economic and trade policies could benefit and damage large, multinational tech companies. Those policies combine typical Republican orthodoxy about low corporate tax rates with Trump’s bellicose proclamations about import tariffs. Depending on the way things break, Trump’s policies are going to be a double-edged sword for Apple and any company that relies heavily on overseas manufacturing and the global economy.
The gist of the article is kind of "Trump is an idiot, but Apple has to work with him."  They are far more diplomatic of course but that's the general feel.

Sunday, January 15, 2017

What I'm reading 1/15/2017 - And just to let you know it's 21 degrees F and Sunny here up from 13 when I got up this morning. Spring has arrived! (Global Warming my shivering ass)

SANS - Critiques of the DHS/FBI's GRIZZLY STEPPE Report -
The White House's response and combined messaging from the government agencies is well done and the technical attribution provided by private sector companies has been solid for quite some time. However, the DHS/FBI GRIZZLY STEPPE report does not meet its stated intent of helping network defenders and instead chooses to focus on a confusing assortment of attribution, non-descriptive indicators, and re-hashed tradecraft. Additionally, the bulk of the report (8 of the 13 pages) is general high level recommendations not descriptive of the RIS threats mentioned and with no linking to what activity would help with what aspect of the technical data covered. It simply serves as an advertisement of documents and programs the DHS is trying to support. One recommendation for Whitelisting Applications might as well read "whitelisting is good mm'kay?" If that recommendation would have been overlaid with what it would have stopped in this campaign specifically and how defenders could then leverage that information going forward it would at least have been descriptive and useful. Instead it reads like a copy/paste of DHS' most recent documents; at least in a vendor report you usually only get 1 page of marketing instead of 8.
We read this report at work, and while we took what action we could based on what it contained, almost everyone was confused about how the attribution portions played into the conclusions.  It was not a well put together effort.

Ars Technica - Congress will consider proposal to raise H-1B minimum wage to $100,000 -
One major change to that system is already under discussion: making it harder for companies to use H-1B workers to replace Americans by simply giving the foreign workers a raise. The "Protect and Grow American Jobs Act," introduced last week by Rep. Darrell Issa, R-Calif. and Scott Peters, D-Calif., would significantly raise the wages of workers who get H-1B visas. If the bill becomes law, the minimum wage paid to H-1B workers would rise to at least $100,000 annually, and be adjusted for inflation. Right now, the minimum is $60,000.
The sponsors say that would go a long way toward fixing some of the abuses of the H-1B program, which critics say is currently used to simply replace American workers with cheaper, foreign workers. In 2013, the top nine companies acquiring H-1B visas were technology outsourcing firms, according to an analysis by a critic of the H-1B program. (The 10th is Microsoft.) The thinking goes that if minimum H-1B salaries are brought closer to what high-skilled tech employment really pays, the economic incentive to use it as a worker-replacement program will drop off.
This will help, but what is really needed is to a) decrease the number of slots available by 10% per year over 50 years, b) make employers certify that they have looked for qualified American workers, under penalty of perjury, and hold the CEO personally criminally responsible, and c) require a bond on every H-1B that is returned when the worker is replaced by an American.  Also, make the visa follow the person after 2 years so companies can't hold workers hostage and deflate wages.

The Verge - AMC and the BBC are teaming up to adapt John le Carré's Spy Who Came in From the Cold
The Spy Who Came in From the Cold is le Carré's third novel. First published in 1963, it follows a British agent who is sent to Germany to try and undermine an East German intelligence official at the height of the Cold War. The novel was an immediate success, and was adapted as a film two years later.
I read the book and saw the movie.  This is not a James Bond film.  Actually it was dense enough that a multipart TV show may be the best way to do it justice. 

Backchannel - Where Weird Facebook is King: How a College Kid Does Social - not much here unless you have a teen you want to harass on social media.  In that case, so valuable.

Two for the Marines

The head of the US Marines wants to recruit about 3,000 troops skilled in online warfare and espionage to make sure the Corps is ready for 21st-century battle.
On Thursday, General Robert Neller told the Surface Navy Association's annual convention that he was looking to raise his numbers from 182,000 to 185,000 in the next Defense Appropriations Bill – and wants to use the extra heads to beef up online and electronic warfare capabilities.

The problem here is that most of the people who are interested in stuff like this are not the type of people the military wants.  This is going to be a really hard sell on both sides.

Officers at the Marine Corps Warfighting Laboratory/Futures Directorate in Quantico, Va., came up with the idea last year to host a sci-fi contest to spur creativity, as well as get uniformed Marines to conceive of threats in a different way. A total of 84 entries were narrowed down to 18 finalists, who were paired with professional sci-fi writers—including "World War Z's" Max Brooks—during a workshop co-hosted by the Atlantic Council. After months of editing, the top three stories were collected in "Science Fiction Futures: Marine Corps Security Environment Forecast 2030-2045" and published online [PDF].
No comments - just thought you guys might enjoy this one.

Friday, January 13, 2017

On Chelsea Manning and Commutation

It's 13 degrees here in Vancouver WA, and I am basically stuck inside because I screwed up my foot walking to the store the other day.  Given that, I have been in a position to do some thinking about Chelsea (née Bradley) Manning.

When Manning was arrested I was one of those who was for a full-bore prosecution, up to and including the possibility of the death sentence.  It seemed to me at the time that the damage he (now she) had potentially done was so drastic that severe measures were warranted.  As time went by and details of what was released became known, I began to moderate my views a bit.  Yeah, there was some damaging material, but most of it was just embarrassing.  I didn't think Manning should go free, but I definitely thought that the real bad guy here was Julian Assange.

Now it's 6 years later.  Manning has been in prison, much of it in solitary confinement (suicide / harm prevention).  Her ability to do the US further harm is nil and no matter what her life is ruined.  I say commute the sentence to 10 years.  It's enough to serve as an appropriate punishment.  It allows Manning to try and salvage something and it allows us to move on from some of the worst feelings of the last 16 years.  If Obama doesn't do it Trump should.

Also - people, quit calling her Bradley and "he."  I know you think you are making some sort of point, but you just come off as bigoted and stupid.  Even if you don't accept the idea of Gender Identity Disorder, it costs you nothing to call someone by the name they prefer.

Saturday, January 07, 2017

Some more NIST Thoughts (mainly revolving around the Risk Management Framework)

Earlier this week I posted about NIST SP 800-181, the draft NICE Cybersecurity Workforce Framework.  I had a few criticisms, but one of the things I didn't really discuss was the fact that NIST specifically mentions that they intend (or intended, whatever the proper tense should be) for this publication to be used by organizations to help develop certification exams that employers can directly tie to a job role.

Not a bad idea, in my opinion at least, if the Roles, Tasks, Knowledge, Skills, and Abilities can all be kept up to date and relevant.  I have my doubts about that.

Be that as it may, discussing that with a couple of co-workers led back to a discussion that we have had a couple of times: the under-utilization of the NIST Risk Management Framework in the educational process.

NIST has a pretty extensive set of publications dealing with just about every facet of information security.  The part I am particularly interested in is Risk Management, Business Continuity, and Disaster Recovery.  Not only do they have publications available on various topics in those fields, but they have built out an entire framework, aptly named the Risk Management Framework.

The issue that I have seen is that there isn't any sort of real formalized instruction on the process.  I have taken a number of classes on Risk Management, Business Continuity, and Disaster Preparedness, and while individual features of the Risk Management Framework are presented, it isn't presented as a coherent whole.

Maybe this is just my experience, but talking with co-workers I don't really think so.

So, you're asking, what's my point?  Well, it's actually a proposal.  We have two, I think, fairly well thought out frameworks: the CSF and the RMF.  They have also been mapped to each other, although I think that could be done better, and hopefully will be in upcoming revisions.  What we need now is people skilled in implementing them.  I think that, just like the NSA has their educational Centers of Excellence, NIST/DHS should implement similar designations for programs that really dig in on the Cybersecurity and Risk Management Frameworks.  They should also help with developing curriculum materials and make them available.  It would also be nice if there were a vendor-neutral risk management certification program, sort of like the Project+.

(I know it took me a long time to get here for little payoff, but I am trying to keep it simple and at least partially coherent; basically I am just spitballing an idea.)