Hello x-wap-profile I Didn't Notice You There @ 2010-08-31 23:41:17.570601
Filed under: Code  Tech  Security  Python 
After reading about some of the stupid that some mobile companies do when proxying their mobile traffic I decided to look at what my phone gave up. Luckily I didn't find anything way out there in the headers but I did find out about a header I didn't know about: x-wap-profile.

Before I continue let me say that I didn't find anything new :-). This is simply my own 'oh wait, what is this?' moment when playing with my phone.

The contents of the header had a URL. In my case it was http://device.sprintpcs.com/HTC/APA9292KT/latest. To my sadness it is an XML document. XML is the overly chatty great grandmother of modern markups. It doesn't understand why you don't understand it half the time. It also smells funny. Anyway, after a bit of Python I could read the XML in a more human friendly form: YAML. Note, this is some ugly and inefficient code but it was written to nicely see the data ...

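#!/usr/bin/env python3
"""
Terrible but works way to find out info about mobile clients.
"""
import re
import sys
import urllib.request

import yaml
from lxml import etree


# Strips the "{namespace}" prefix lxml puts in front of tag names.
rx = re.compile(r'\{.*\}')
# Strips tabs and newlines from element text.
no_tabs = re.compile(r"[\t\n]*")

# The document comes from a URL named in a request header, so do not let
# the parser expand entities or fetch anything else over the network.
parser = etree.XMLParser(resolve_entities=False, no_network=True)
xml = etree.XML(urllib.request.urlopen(sys.argv[1]).read(), parser)

results = {}
prev_key = None

for ele in xml.iter():
    # Comments and processing instructions have a non-string tag; skip them.
    if isinstance(ele.tag, str):
        tag = rx.sub('', ele.tag)
        # str() turns missing text into the literal 'None' seen in the output.
        text = no_tabs.sub('', str(ele.text))
        if tag == "Bag":
            continue
        if tag == "li":
            # <li> values belong to the last non-li tag seen; turn that
            # entry into a list when the first item arrives.
            if not isinstance(results.get(prev_key), list):
                results[prev_key] = []
            results[prev_key].append(text)
        else:
            prev_key = tag
            results[tag] = text
print(yaml.dump(results, default_flow_style=False))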


The code simply snags the XML from the URL and then uses some ugly parsing/hacks to transform it. Here is the output from my phone's header:

$ python wtf.py http://device.sprintpcs.com/HTC/APA9292KT/latest
AcceptDownloadableSoftware: 'Yes'
AdvertisingCapable: N/A
AntiSpam: 'No'
AntiSpamVendor: N/A
AntiVirus: 'No'
AntiVirusVendor: N/A
AudioCodecsForDecoding:
- mp3
- aac
- aac+
- eaac+
- amr-nb
- amr-wb
- qcelp
- wma
- evrc
- midi
AudioCodecsForEncoding:
- AMR-NB
- QCELP
AudioInputEncoder:
- gzip
- deflate
AudioJack: 3.5mm
BitsPerPixel: '16'
BrowserName: Android Browser
BrowserPortalVersion: ''
BrowserVersion: Eclair 2.0
CPU: ARM11
CamcorderResolution: 1280x720
CamcorderZoomCapable: 'Yes'
CameraBuiltInFlash: 2x power LED
CameraHighestImageResolution: 3624x2488
CameraMegaPixels: 8M
CameraZoomCapable: 'Yes'
CcppAccept:
- application/vnd.oma.drm.rights+xml
- application/ogg
- application/smil
- application/vnd.oma.drm.message
- application/vnd.wap.mms-message
- application/vnd.wap.multipart.alternative
- application/vnd.wap.multipart.mixed
- application/vnd.wap.multipart.related
- application/vnd.wap.sic
- application/vnd.wap.xhtml+xml
- application/vnd.oma.dd+xml
- application/java-archive
- audio/aac
- audio/amr
- audio/imelody
- audio/mid
- audio/midi
- audio/mp3
- audio/mpeg3
- audio/mpeg
- audio/mpg
- audio/x-mpeg3
- audio/x-mpeg
- audio/x-mpg
- audio/x-mid
- audio/x-midi
- audio/x-mp3
- image/gif
- image/jpeg
- image/jpg
- image/png
- image/vnd.wap.wbmp
- video/mpeg4
- video/mp4
- text/plain
- text/html
CcppAccept-Charset:
- ISO-10646-UCS-2
- ISO-8859-1
- US-ASCII
- UTF-8
CcppAccept-Language: ''
ColorCapable: 'Yes'
CommerceCapable: N/A
ConnectionManagerVendor: N/A
ConnectionManagerVersion: N/A
DataNetworkTypes:
- IS2000
- EVDO
- WiMax
- WiFi
Description: ''
DeviceIdentifierType:
- MEID
DeviceType: Android Touch
DiagnosticsClientVendor: CIQ
DiagnosticsClientVersion: 3.2.18
DiagnosticsProtocolVersion: 3.2.18
DownStreamBufferSize: None
DownloadableBrowserApps:
- 'No'
DownloadableSoftwareSupport:
- application/java-archive
EmailCapable: 'Yes'
EmbeddedApplicationsCapable: 'Yes'
ExternalMemoryMaxSize: 32GB SDHC
ExternalMemorySlot: 'Yes'
FirmwareVersionWiMAXRadioModule: 4.6.2.1 build22766
FixedVoIPCapable: 'No'
FotaClientVendor: SmithMicro
FotaClientVersion: ''
FotaProtocolVersion: 1.5.1
FramesCapable: 'Yes'
GLMSClientVendor: ''
GLMSClientVersion: ''
GLMSProtocolVersion: ''
GPSChipsetModel: '8650'
GPSChipsetVendor: Qualcomm
GamingCapable: 'Yes'
HardwareVersion: '1.0'
IMVideoCallingCapable: 'No'
IOTAProtocolVersion: N/A
ImageCapable: 'Yes'
InputCharSet:
- US-ASCII
- UTF-8
- ISO-8859-1
- ISO-10646-UCS-2
IntelligentSearchCapable: 'Yes'
JVMVersion:
- N/A
JavaAppletEnabled: 'Yes'
JavaEnabled: 'No'
JavaPlatform:
- N/A
JavaScriptEnabled: 'Yes'
Keyboard: TouchKeypad
LBSCapable: 'Yes'
MI-UICapable: ''
MI-UIVersion: ''
ManufacturerWiMAXRadioModule: SEQUANS
MobileOriginatedSmsSupport: 'Yes'
MobileTVORVODCapable: 'Yes'
Model: '9292'
ModelWiMAXRadioModule: SQN1210
MultimediaEncoder: Qualcomm Qcamcorder
MultimediaEncoderDisplaySize:
- '800x480 '
- '640x480 '
- '320x240 '
- '176x144 '
- 128x96
MultimediaEncodingSupport: ''
MultimediaFileFormatForDecoder:
- MPEG4
- 3GP
- 3G2
- AAC
- AMR
- MID
- MP3
- WMA
- WMV
MultimediaFileFormatForEncoder:
- MPEG4
- 3GP
- 3G2
MultimediaMaximumBitRateForEncoding: 5000 kbps
MultimediaMaximumBitRateForPlayback: 5000 kps
MultimediaMaximumBitRateForStreaming: 1200 kbps
MultimediaMaximumFrameRateForEncoding: 24 fps
MultimediaMaximumFrameRateForPlayback: 30 fps
MultimediaMaximumFrameRateForStreaming: '30 fps                '
MultimediaPlaybackSupport: ''
MultimediaPlayer: 'Yes'
MultimediaStreamingSupport: ''
MultimediaVideoDisplaySize:
- '800x480 '
NavigationSupport:
- Touch Screen
NumberOfSoftKeys: '0'
OMADMCapable: 'Yes'
OMADMVendor: SmithMicro
OMADMVersion: '2.0'
OSName: Android
OSVendor: QUALCOMM
OSVersion: QSD8650/Eclair
OnDemandCapable: ''
OnDemandVersion: ''
OutputCharSet:
- US-ASCII
- UTF-8
- ISO-8859-1
- ISO-10646-UCS-2
PictureMailSupport: 'Yes'
PixelAspectRatio: 1x1
PreferenceForFrames: 'Yes'
PssVersion: 3GPP-R6
Push-Accept:
- text/plain
Push-Accept-AppID:
- None
- None
Push-Accept-Encoding:
- base64
Push-MsgSize: '4096'
RDF: ''
RadioCapable: 'yes'
ScreenSize: 480x800
ScreenSizeChar: 25x21
SecuritySupport:
- SSL-3.0
- TLS-1.0
Seq:
- en-us
- es-us
SoftwareNumber: 3.26.651.6
SoundOutputCapable: 'Yes'
SprintMcdVersion: 3.5.4
StandardFontProportional: 'Yes'
SupportedApplications:
- Album
- Browser
- Calculator
- Calendar
- Camcorder
- Camera
- Dialer
- FlashLite Plug-in for Browser
- Footprints
- HTC Sync
- Lock Screen
- Mail
- Messages
- Microsoft Exchange ActiveSync
- Music (integrate with Ringto Trimmer)
- OOBE
- PDF Viewer
- People
- Quickoffice
- Settings
- Social Network
- Stocks
- Windows Media Streaming Player
- Teeter
- Voice Recorder
- Weather
- World Clock
- Amazon MP3
- Sprint Navigation
- Remote Diagnostic
- Sprint TV
- NFL
- NASCAR
- Voice Dialer
- Visual Voicemail
SupportedBearers:
- IS2000/rel0
TablesCapable: 'Yes'
TextInputCapable: 'Yes'
TotalDeviceFlash: 1GB ROM
TotalDeviceMemory: 512MB RAM
UpStreamBufferSize: None
VOIPAnalogJacks: ZERO
Vendor: HTC
VideoCodecsForDecoding:
- MPEG4 simple profile
- H.263 Profile 0
- H.264 Baseline
- Motion-JPEG
VideoCodecsForEncoding:
- MPEG4
- H263
VideoMailSupport: 'Yes'
VoiceChatCapable: 'Yes'
VoiceInputCapable: 'Yes'
WapDeviceClass: C
WapVersion: '2.0'
WmlDeckSize: ''
WmlVersion:
- None
XhtmlModules:
- Mobule-based XHTML W3C Recommendation
XhtmlVersion: XHTML-Basic/1.0
component: ''
type: None


After seeing all this information a few things came to mind. The first was that not all the data was correct. For instance, the OS version is wrong. The second was that it seems like a lot more information than should be shared by simply browsing a site. When browsing with a desktop/laptop/netbook you give up some information. For instance, the machine I'm using right now reports that I'm using Linux on an x86_64 machine with the Chromium browser. Obviously, the phone gives up a lot more information. It states that (by default) the device has no antispam or antivirus. It also states the kinds of networks which can be used, versions of hardware components, hardware specs and even default installed applications (many of which cannot be removed). I don't know about you but this is more info than I like to give to sites I'm simply browsing. What if a vulnerability is found in one of those default apps which can be triggered via the browser or through downloads? What if the browser itself is vulnerable if it can decode certain formats? What if someone hard codes debug credentials in a certain software/firmware version? etc... It seems like this is a near perfect source of information for tailoring smart drive-by exploits.

If you want to look at other profiles, see Google search.
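
An added example (not the author's code): a standard-library parser for a profile document that keeps Bag and Seq items with the attribute that owns them (in the output above the language list landed under a stray Seq key) and groups what the profile discloses by exposure category. The sample document is constructed from values in the output above, the prf namespace is a placeholder, and the category mapping, the size cap and the DTD refusal are assumptions of this example.

```python
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
CONTAINERS = (RDF + "Bag", RDF + "Seq")
MAX_BYTES = 512 * 1024  # assumed upper bound for a profile document

# Categories follow the concerns raised in the post; which attribute falls
# into which category is this example's own (assumed) mapping.
SENSITIVE = {
    "security posture": {"AntiVirus", "AntiSpam", "SecuritySupport"},
    "software versions": {"OSVersion", "BrowserVersion", "SoftwareNumber"},
    "installed applications": {"SupportedApplications"},
    "decodable formats": {"CcppAccept", "VideoCodecsForDecoding"},
}

# Constructed sample: values copied from the output above; the namespace
# bound to the prf: prefix is a placeholder.
SAMPLE = b"""<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:prf="http://example.invalid/uaprof#">
 <rdf:Description rdf:ID="Profile">
  <prf:component>
   <rdf:Description rdf:ID="SoftwarePlatform">
    <prf:OSVersion>QSD8650/Eclair</prf:OSVersion>
    <prf:AntiVirus>No</prf:AntiVirus>
    <prf:CcppAccept-Language><rdf:Seq>
      <rdf:li>en-us</rdf:li><rdf:li>es-us</rdf:li>
    </rdf:Seq></prf:CcppAccept-Language>
    <prf:SupportedApplications><rdf:Bag>
      <rdf:li>Browser</rdf:li><rdf:li>PDF Viewer</rdf:li>
    </rdf:Bag></prf:SupportedApplications>
   </rdf:Description>
  </prf:component>
 </rdf:Description>
</rdf:RDF>"""


def parse_uaprof(data):
    """Return {attribute: str or [str, ...]} from profile RDF/XML bytes."""
    if len(data) > MAX_BYTES:
        raise ValueError("profile too large")
    # The profile URL is chosen by the client, so the document is untrusted.
    # This example refuses any DTD, which rules out entity tricks.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration in profile")
    attrs = {}
    for desc in ET.fromstring(data).iter(RDF + "Description"):
        for prop in desc:
            name = prop.tag.rsplit("}", 1)[-1]  # drop "{namespace}" prefix
            if name in ("component", "type"):
                continue  # RDF plumbing, not a device attribute
            box = next((c for c in prop if c.tag in CONTAINERS), None)
            if box is None:
                attrs[name] = (prop.text or "").strip()
            else:  # multi-valued attribute: keep the items with their owner
                attrs[name] = [(li.text or "").strip() for li in box]
    return attrs


def exposure_report(attrs):
    """Group the attributes a profile discloses by exposure category."""
    report = {}
    for category, names in SENSITIVE.items():
        found = {n: attrs[n] for n in sorted(names) if n in attrs}
        if found:
            report[category] = found
    return report


if __name__ == "__main__":
    for category, found in exposure_report(parse_uaprof(SAMPLE)).items():
        print(category, "->", found)
```

Run against a profile your own device advertises, the report shows at a glance which of the post's concerns (default apps, software versions, missing antivirus) that profile actually discloses.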




The Business Is A Customer? ... Information Security? @ 2010-08-07 14:43:00.537043
Filed under: Philosophy  Tech 
Before I start let me give you this warning: I'm tired, cranky and need a nap. I also badly need a shower. Now enjoy my mad rambling ...

Many companies have implemented or are implementing the ITIL Framework within their organization. That usually is a good thing. If done right it brings a common, repeatable process that can be done and tracked for accuracy. Of course, this also can be done wrong which creates gates and bottlenecks, process for process sake, overhead, confusion and special cases in the name of pragmatism .. but I'm not going to talk about that here. I do want to talk about a common idea that seems to tie back with ITIL in many cases and that is IT is the vendor, the business is the customer.

When one thinks of the business/customer relationship usually one simple aspect of it comes to mind. That one aspect is that the customer gets what the customer wants (aka the customer is always right). If the customer is not happy they will go somewhere else. If the customer can get it cheaper elsewhere they will go elsewhere. Generally this is a good thing. It means that there is competition and the lowest price with the highest quality product or service will keep driving other vendors to match or find related services to enhance their products. But how does this actually fit with Information Security within IT and its greater Business unit(s)?

The short answer is it does not :-) (surprise!). In some ways ITIL attempts to remedy (no pun intended) this with ITIL Security Management which holds true to the CIA triad and requires that InfoSec have documented policies that the company follows (among other things). ITIL Security Management can work, but what about the customer, do they want this?

Here is where things break down in my opinion. When it comes to purchasing a product or service in the real world the burden and effects are on the customer. For instance, if someone buys a chainsaw it will give them warnings about how they should use it (and how not to use it). The customer can still cut his leg off, but that is the customer's fault, the vendor is not responsible nor is hurt by the action (yes, there are exceptions where legal action is taken against a company who didn't provide a disclaimer or warning ...). Using a service example, if someone takes a taxi, opens the door in transit and falls out it's not the taxi's fault ... the customer did the action and suffers the burden and effects of the action. It's easy to look at the examples and say they are simple and don't apply ... everyone knows not to fall out of a moving car or take a chainsaw to the leg. It's common sense not to hurt yourself! One could say the same thing about opening up that PDF from an unknown sender too yet business users do this all of the time. This is where the first issue comes into play: The Customer (aka the business) believes they know how to use the tools properly and safely. Of course some can, but a good many of them cannot and fall in the camp of being lucky (or pwned and unlucky enough not to know). So how does a traditional vendor tell their customer they are acting risky? If it is a product vendor they will more than likely send a notice or a fix to the customer to let them know there is an issue. They can use the fix or continue using the problematic product at their own risk. If it is a service vendor then sadly the answer is they don't unless it also puts the vendor at risk. If it does put the vendor at risk the action is to usually cut service or, at the very least, cripple the service in such a way that the customer cannot cause any harm to the vendor. I don't know about you but I can't see that conversation going well if it's IT as the vendor and the Business as the customer ... unless it's so painfully obvious that someone's great grandfather could understand it is an issue the customer will get their way. Even if one takes the product route of things, the customer still must use said fix, but in the case of a company, failure to use the fix can be disastrous to everyone, not just them.

The second issue is that of process. I'm going to use an ITIL implementation as an example but this can be for any process. Let's say that someone from a large printing company's InfoSec group has found an issue. To make things simple, let's say it's a public issue found in Adobe software (there have been tons of them in the last year or so). The company in question gets PDFs from reporters, advertisers, managers, spammers, etc. This means the member of InfoSec needs to put in a change request to get the software updated to a safe patched version. Problem is, this will take some time. In fact, it may never get done as the customer may complain they don't have time for petty upgrades ... they have "real" work to do. Putting aside that "real" work probably means 30-40% of their day surfing Facebook and Twitter, this is obviously a problem. The customer does not want to take the small inconvenience to protect themselves and the company. If this is something that IT can do without the need to involve the users then the change will likely be held up in process while it goes through multiple approval layers by people who don't really understand the issue at hand (either way meaning the fix will be delayed increasing the time of vulnerability), which brings us to the third issue.

The third issue is that of the education of those who make the decisions. A good manager understands what his people do on a day to day basis. They also understand the basics of how they do it and what the results mean. They understand more than just 'this is bad' or 'this is good'. In terms of Information Security, simple concepts like data exfiltration or why cross-site scripting is a problem are a must just like understanding basic economics is needed for a manager of a finance department. The problem lies in that as you go up, the understanding of basic concepts goes down. This is not because the people get dumber as you go up (well, hopefully not :-)) but because they have a larger amount of information they should understand. The natural response is to understand all of it in such a shallow manner that you essentially understand none of it. By the time you hit those who are actually approving changes basic concepts may seem like abstract tech talk or, even worse, unintelligible alien language (run far away if this is the case ...). Add in that pressure from the customer and politics at this layer and things get tougher. How can any InfoSec engineer work in a situation like that and be productive? By the time the update is approved there is a good chance there is already one or more updates to the same piece of software that need to be applied. Get ready to go through the explanation process again even if it is the exact same issue.

There are more reasons I'm sure. I've been thinking about this for months trying to find a good way that it could actually work and I'm at a total loss. The only way I can see IT InfoSec and Business Units working in unison is if they work together and not in a vendor/customer or master/slave relationship. It seems I'm not the only one with this thought. For instance, Ivar Jacobson has written about breaking out of Business as the Customer mentality.

The next time the business as the customer asks for this:


and you catch them doing this:


... either cry and plan the funeral or smile and bring dead fish to throw in with them.




Terrified of Qik @ 2010-06-29 22:00:18.554564
Filed under: Personal  Tech 
For those who don't know what qik is, it's a mobile application for taking videos and uploading them to the net as well as a "live" stream service from your phone for people to watch. I put live in quotes since, as one would expect, there is a delay depending on bandwidth, processing and other factors (it seems to be between 10-20 seconds usually). It's quite an interesting idea and seems to work decently well. For many phones this is a downloadable app but for us Evo users it is preloaded and, without hackery, cannot be removed. Of course, this is par for the course when it comes to bundled apps, but it's still no excuse as to why the practice is still done.

Anyway, I've noticed quite a few odd videos showing up online through qik. Now, a lot of these videos show up in the recent videos section and then disappear off the site 15-60 minutes later. Some you really can't tell WTF is going on (like in this). While others seem like accidental recordings. Take this video for instance. A few seconds of a steering wheel while you drive? Kind of odd. Or this and this ... odd as one usually tries to record something when they record. This is a guy telling someone else how to use it as he reads the instructions on his phone. How about this one which is in someone's bag or purse. Then, just for fun, take Monk's sarcastic didn't mean to record video.

While some of the videos are just odd I tend to think a number of them were accidental. Why would you record 15 seconds of your phone moving around in your bag? Why record nothing but a few random words and no image? Why else would the videos have default names such as "A qik snippet of my life"? Have I convinced you at least some portion of these were accidental recordings? Good. We can move to the next step ...

Where do people use their smart phones? At the airport? Yes. Walking down a hall? Of course. At a restaurant? Sure ... but let's think of where else many people use their phones ... the bathroom. Now before you start running off stating that no one does that or you don't do that just think about it. Not much else to do but read or get that phone out and be productive! If you go into (almost) any decently sized company and hang out in the stalls you will end up hearing the beeping, keyboard/feedback clicks and alerts from smart phones (assuming you don't get kicked out for being creepy).

One more thing before we bring this all together. Having a forward facing and a rear facing camera is common on this new generation of phones. Both cameras tend to be at least webcam quality if not much better. For instance, the rear facing camera on my EVO is amazing while the forward facing one is in the better than average similar to iPhone range.

So here it is, why I'm terrified of Qik: With Qik and the ease of accidental recordings it is quite possible that one could record themselves in the bathroom and have it uploaded to the net for everyone to watch without the user realizing it for 15-60 minutes (which is my very unscientific estimate for how long it takes someone to tell someone else they posted a recording they don't think was meant to be posted). This is very close to the dream many people have when younger: going to school naked. Sure, in this case you are not naked, but everyone gets to see you in a bit of a compromising position. To make it worse, there is an automatic "good job" post that happens on some videos as if to encourage you to make more ... if you accidentally posted yourself in the bathroom and were told good job .... yeah.

So I leave you with the closest video to what I've described. No, this person is not in the bathroom but it kind of seems like how the video would end up looking:



EDIT
I lied ... this one is closer (but done on purpose) and kind of creepy:




iPhone4 vs HTC Evo or She Doesn't Care @ 2010-06-29 09:59:43.261656
Filed under: Philosophy  Comedy  Tech 
Warning: Strong Language




I Am No Longer F**kn' Up @ 2010-06-26 18:09:49.637923
Filed under: Linux  Tech 
After waiting what seemed like forever I was able to finally get an HTC EVO. Unless you wear iBlinders (seen below) you have heard of the HTC Evo. It wasn't very long ago that I found out I was "f**ckn' up" by not having one (see this). I am proud to say that is no longer the case!


iBlinders(R)(TM)(Patent No 1234567)


So here is the deal. About a week and a half ago I finally put myself on the Evo waiting list at the local Sprint store. I was told there were about 50 people in front of me. I went online to look to see if I could order direct from Sprint but they stopped taking orders until they could fulfill the current back orders (or so the graphic seemed to indicate). The only places I could find selling Evos were Amazon and brick-and-mortar Sprint stores. Just to be safe I put in an order on Amazon -- it would take about 2 weeks to fulfill and I figured if one came through I should be able to cancel the other one.

Fast forward to today. I decided (on a whim ... I think) to drop in to the Sprint store and find out where I was on the waiting list. The friendly fellow behind the podium stated there was no more waiting list. Hmmm ... I thought about that for about 5 seconds and then responded saying that I never received a call over the last week and a half. He then informed me that if I could just hang out for a bit they could hook me up with one as 5 showed up not long before I dropped in.

I stood awkwardly at the back of the store hoping that this would not turn out to be a mistake. I then saw a manager like fellow walk out of the back with an Evo box and take it to the guy who was behind the podium (now at a register helping a lady). I watched as he started to ring her up for an Evo when he called the manager back over and pointed at me.

Podium Guy: That guy over there is waiting on one too. He said he was on the waiting list but didn't get a call.
Manager: He is wrong. Everyone was called.
Podium Guy: Well, he didn't get a call.
Manager: Then he wasn't on the list

I started to get a bit frustrated. I was on the list ... or at least I was told I was on the list when I stopped in during my lunch break a week and a half ago. I stood there thinking that maybe I would have to fall back on my Amazon order and wait another 5 days before I would get my hands on the device.

The manager came back out from the bowels of the store (or maybe the left arm, it's hard to tell) and called me over. He asked me if I was waiting for an Evo and I told him that I was and that I stopped by a week and a half ago and got on the list but didn't get a call. His response was a friendly "If you were on the list, you got a call already and if you don't pick up then we take you off the list." I thought about arguing that point. I have a phone. It keeps track of who called me. They are Sprint. They can see who called me. I didn't get a call. I decided instead of getting upset I would give him a nugget of information so he knows I'm not trying to MBA (like BSing but being an elitist too) him out of a phone. I told him that I had come in a week and a half ago and was told there were about 50 people ahead of me on the list and that it was first come first serve. I also told him that the guy who took my reservation wrote my information down on a yellow legal pad and I'm not sure if that was the official list or a temporary one. I'm assuming something I said in there clicked with him because he told me not to go anywhere and he would go pull one of the last two out of the back for me ... and within minutes I was in the process of getting my plan moved over for the new phone.

I've only spent about 30 minutes with the phone so far, but I am impressed. While the UI is not as polished as the Palm Pre, it is a very fast phone with a ton of options and abilities. It's also got some impressive hardware!! So far the only semi-negative experience I've had would be in getting the phone ... but then again I can't complain, I didn't get iPhone'd (or -- waiting hours if not days in attempts to get the hardware you preordered a month ago to work and then hopefully just work after that).



© 2007-2009 Steve 'Ashcrow' Milner | Studio7designs | Arbutus Photography