Spy in Sky vs Spy in Pocket


It’s interesting that public sentiment around drone privacy incursion is far different from sentiment around Internet bellwethers like Google, FB, Apple, AT&T, etc. The underlying social theme is that as long as we don’t see the spy, or the spy also does something good for us, then spying is tolerable. It’s my view that a DJI Phantom is less of an incursion on my privacy than a smartphone. A DJI Phantom flying over my property is likely a nosey neighbor – only one spy. On the other hand, a smartphone is a virtual Panopticon into my personal life. At the very minimum, smartphone monitoring includes smartphone makers, telcos, social media, government, and law enforcement. Many constituencies are involved. My point is not to stir passions on privacy incursion but to highlight the difference in public perception about privacy threats. As a more tangible and compelling example, let’s pick on Amazon and their foray into dronespace.
Most Americans are anxiously awaiting Amazon Prime Air and 30-minute product delivery. I have found little in the way of tech specs for Amazon’s proposed drone aircraft, but imagine for a moment thousands upon thousands of drones combing the sky each day. What will be the disposition of drone sensor data? My bet is that gathering drone data along delivery routes will be too tempting for business to ignore. Don’t install camouflage netting over your home just yet, though. There will be an initial greenfield period of data feasting, but it seems likely privacy will find a balance.

Incidentally, shooting down a drone, even over your own property, is considered an attack on an aircraft. Today the NTSB investigates crashes of aircraft with tail numbers. Drones have no registration of any kind, and investigation of drone crash incidents remains unclear. Laws around drones are evolving. Point being, work out your disputes peaceably if possible or contact law enforcement.

OWASP Board Candidate Interview on August 25, 2015

Today Tom Brennan (Twitter: @brennantom), Tobias Gondrom (Twitter: @tgondrom), and I (Twitter: @spoofzu) were all interviewed as candidates for OWASP’s Global Board of Directors.  I’m not planning to write an interview spoiler before the podcast is published, but I want to follow up on the points I introduced in the interview that make me unique as an OWASP board candidate.

Reduce gap between security practitioners and developers

For the past 3 years I have been leading security for the Java platform at Oracle.  Like many security leadership positions, my role was one of influence.  One of the improvements I made was to include a full security track at Oracle’s JavaOne conference.  Today security and development are largely considered two different disciplines, each with its own type of conference.  The challenge with that approach is that developers with limited budgets are not likely to attend a security conference.  After some thought, I considered the best way to close the gap was to bring the security conference to the developers – the security track at JavaOne was born.  The first year of the security track I asked OWASP leaders Jim Manico (Twitter: @manicode) and Michael Coates (Twitter: @_mwc) for assistance, which they graciously provided.  I didn’t have high expectations for the first year since it takes time to build some momentum.  To my surprise, the security track did reasonably well in its 1st year with attendees, and today it’s the 3rd most popular track at the conference.  According to Frank Kim (Twitter: @thinksec) at SANS Institute, JavaOne is the first software developers conference to have a full security track.  I’m proud of the security focus at JavaOne, but it’s my strongest desire that we start a trend and continue across industry.  I’m not so sure moving a security track into every developer conference is the right way to go, but I would like to explore different ideas to bring security closer to developers.  For instance, today B-Sides hosts smaller security conferences in the vicinity of larger security conferences.  Attendees at flagship security conferences can take in a B-Sides conference by extending their stay slightly.  Fitting two conferences into one trip is a lot easier on the budget.
Based upon the reception of security within the development community at JavaOne, OWASP can host smaller conferences alongside key developer events like JavaOne US, JavaOne Brazil, JavaZone, Devoxx, FOSDEM, and perhaps other venues where .NET folks hang out.   These are the types of ideas I would like to explore with the board.
New directions for OWASP
OWASP must evolve in new directions.  I contend that even if we educated all developers on security and provided many more helpful projects, it would not be enough to achieve the impact on the quality of security throughout industry that many of us desire.  Security is a business quality problem, and it can’t be solved with more code or even better code.  At the moment, industry is positioned at a fragile juncture in its security journey.  Many security experts see increased government regulations on the horizon.  Others think cyber insurance will increase in popularity and the desire for the lowest rates will drive security improvements.  Still others anticipate future legislative changes imposing product liability on the technology industry.  One thing is certain: if industry fails to take action on security, then it will also lose some control over its destiny.  As a trusted partner, OWASP is in a unique position to assist by forging new alliances with industry and governments.  OWASP will leverage its expertise to develop a voluntary industry-wide security program.  The program will have means to encourage systemic improvement while remaining sensitive to industry concerns.  My initial plan is a security program emphasizing a practical amount of transparency with a focus on security quality, or results.  Transparency is important to ensure industry maintains confidence in its software supply chain risk profiles.  Next, a results-based approach to security provides OWASP the opportunity to influence industry while providing member companies the business agility and flexibility to achieve their security objectives.  Throughout the course of the program, OWASP will measure the effectiveness of this new security program against the progress of its members on security.  Based on the program’s effectiveness and industry security trends, the program will be improved as necessary.  Why will industry submit to a voluntary security program?
Industry must demonstrate leadership in security with remarkable improvements, or industry will be led.  Every day the cadence around exploitation increases.  Customers are demanding more visibility into the development and delivery of software products and services.  In response, businesses are demanding more insight into their supply chain security.  “Trust us, it’s secure” is no longer acceptable.  There are also significant benefits for OWASP individual members, like improved emphasis on security throughout member companies, more visibility in the board room, etc.  At first, the notion of any transparency seems unnatural, but I have been working on this for 3 years with the Java platform team.  Java is largely open source, and we provide the public with a significant amount of information around the platform’s vulnerability management.  The program fits well with OWASP’s approach of transparency in all it does, but it can be applied to industry’s benefit more broadly.  I have shared some of my thoughts, but I welcome your ideas as well.
If you vote for me in the OWASP global board elections this fall, you will be voting for someone who wants to bring security closer to developers and who desires to take OWASP in some new directions. It’s an ambitious effort for both myself and OWASP, and certainly I will need some assistance, but the potential benefits for members and industry are large.

Ders Gold in Dem Dar Profiles

I typically receive a few invitations to connect each week from people outside of security.  More regularly, the people that connect with me work in application security and software development.  This week was unusual: I received ten connection requests from individuals employed by a company called Selling Simplified.  I had a sneaking suspicion my profile was being mined, but I like to give everyone the benefit of the doubt.
To begin, I thought I would investigate the company’s home page.  The company does have a web page online.  I wanted to get some idea if this was a real company or not.  I checked out the jobs page.  I didn’t notice many job openings, but there were a few.  Then I reviewed their leadership page.  Several company leaders are listed with bios.  There are also many blog posts.  My initial impression is that it’s a legitimate business.  Next, I opened a couple of the Selling Simplified profiles.

Photo 2: LinkedIn profile detail

Photo 2 is one of the LinkedIn profiles expanded.  There’s a name, a position, some skill endorsements, but as I scroll down the screen there is no employment history.  I seriously doubt this is a real LinkedIn profile belonging to a person.  It’s likely part of an automated tool to mine contact data.  I have about 2800 contacts, but I don’t share them.

Photo 3: LinkedIn protecting contacts

The company’s focus appears to be “lead generation”.  Apparently, my friends and I are targets to bolster Selling Simplified’s lead generation database.  I’m betting mining with bots like this is against LinkedIn’s terms of service.  Still, there is no guarantee this activity is sanctioned by the company; it could be the work of a script-savvy sales agent.  In the event your profile gets mined, protect your professional contacts by adjusting the setting as shown in Photo 3.

You can also protect your contacts by only allowing your closest friends to connect; however, I find this an impractical strategy.  I receive many connection requests from people I don’t know very well but who like to follow security news.  If a close friend desires to be introduced to one of your contacts, they can ask.  The lesson here is to be aware of your contact requests, follow your hunches, and keep contact sharing turned off on your profile.

Beneath DEFCON 23

DEFCON 23 was an outstanding event this year.  I was not originally planning to attend Black Hat or DEFCON this year.  As usually happens, as the event begins to draw near, I start receiving the vendor invites.  Then my friends start making arrangements to meet.  At the last minute, I cave in, make reservations, book a flight, and I’m on my way.  I should know better by now and plan on attending Black Hat, DEFCON, and RSA every year.

This is the first time I purchased tickets directly at DEFCON as opposed to purchasing them at Black Hat electronically.  When you purchase tickets at the event you must wait in line, and it’s cash only.  The line took me about 1.5 hours or so.  I was surprised the line went so efficiently since there were about 14,000 attendees.  I also made a few friends in line.  I always love to talk to people, learn what interests them, and listen to their security war stories.

Photo 1: DEFCON Mosh Pit

The start of the conference was chaotic.  The halls were super crowded.  Goons (crowd control) were screaming at the top of their lungs to establish rules of the road for the hallways: stay to the right, pass to the left.  Within a short amount of time, though, order was established and the crowds moved efficiently between sessions.  In previous years the event was held at the Rio.  This year DEFCON was held at Bally’s and Paris.  I expected some confusion, but the event was very efficient given the changes and number of people.   The Caesars venue would be better, but it would be tough to keep the prices of the tickets down.  A DEFCON 23 ticket this year sets you back $230 US, a bargain for a technology conference these days.

Most of the value of the conference to me is spending time with my friends.  I follow the news and current events pretty closely, so there’s not a lot that surprises me at conferences these days.  However, I’m always learning new things from my colleagues.  If you ever think you’re an expert, and you may be, you will be humbled when you meet other experts in their field at these events.  This was the case for me when I got to meet Renderman this year.  Renderman presented on ADS-B, an air traffic telemetry protocol, in a DEFCON 20 session entitled “DEFCON 20: Hacker + Airplanes = No Good Can Come Of This”.  His work was particularly interesting to me since I did a similar project on the Raspberry Pi platform, “Tracking Aircraft on the Raspberry PI”.  At the time I did my project I didn’t know about Renderman’s project.  Anyway, I got to meet Renderman and he introduced me to his friends.  It was shit tons of fun to hang at his table for a few minutes and meet his friends.  That’s what DEFCON’s all about to me: meeting old friends, making new friends, and learning some new stuff.  I made another new friend purely by chance, Adam Shostack, Photo 2.

Photo 2: Adam Shostack
Adam was meeting one of my friends from Oracle’s Java Platform team whom I happened to be having lunch with, Eric Costlow.  Adam has an incredible book on threat modeling, “Threat Modeling: Designing for Security”.  This is the go-to resource and reference for threat modeling.  I have a copy on my shelf.  Adam was working for Microsoft at the time he wrote his book, but he’s now striking off on his own business venture.
Photo 3: Robert Hansen

I also met several vendors like Whitehat, Denim, Cigital, and more.  Robert Hansen, Photo 3, works for Whitehat these days, but I’ve known him for years.  It was interesting to learn about the projects and challenges everyone’s working on.  In a conversation with another unnamed researcher, I mentioned how I didn’t appreciate the US government using security conferences as a platform to push their political security agendas.  The researcher mentioned that he understood but said that many of the researchers are working or have worked for the government.  In fact, darktangent, the conference founder, works for DARPA, a government group.  Also, the government is comprised of many different agencies, each with different viewpoints and moral compasses.  There really is no single point of view.  He makes a good point, but I’m not sure I subscribe.  Still, we can’t give up on our government, and we can’t acquiesce.  Security and privacy is one of the largest unrecognized social concerns of today.

As I mentioned, I did not attend Black Hat this year, but I did find the keynote online.  It was interesting listening to darktangent and Jennifer Granick talk about the larger social issues around security and privacy.

There is also a DEFCON documentary you may want to see.  Next is probably the world’s shittiest horror movie ever.  After returning from the conference I turned on the TV.  Purely by chance my TV was tuned to Chiller TV and Feast 3: The Happy Finish (jump to 26:00 mins) was playing.  How do you unwatch something?  Please tell me.  ;o)

DEFCON 23 Online Receipts

I end this post with a few funny or interesting photos from the event.  Incidentally, an artist by the name of Mar Willams does most of the artwork for DEFCON.  Check out his web site, sudux.com.

OWASP 2015 Global Board of Directors Candidate

It’s official!  The OWASP organization announced my candidacy for the 2015 Global Board of Directors.  If you’re an OWASP member, vote for your candidates anytime between October 7th and October 23rd.  The results of the election are shared on October 28th.  To learn more about the election and process, see the OWASP site.

What’s OWASP?
OWASP (Online Web Application Security Project) is one of the world’s largest groups of web application security practitioners.  Essentially, we are people passionate about securing the software applications you use on the Internet every day.  OWASP is most famous for the OWASP Top 10 Project, which helps software developers understand common weaknesses when programming software applications.  Other projects like the ASVS Project provide a basis for testing web application technical security controls.  OWASP provides conferences and user groups throughout the world to educate the public on application security.  OWASP provides many resources for security and engineering professionals engaged in building and protecting software applications.

Who are the 2015 candidates?
Abbas Naderi Afooshteh
Tom Brennan
Jonathan Carter
Michael Coates
Bil Corry
Tobias Gondrom
Nigel Phair
Josh Sokol
(and me) Milton Smith

I am excited to be considered a candidate for the 2015 Global Board of Directors.  But most of all, I am excited by the opportunity to serve the community of developers, security practitioners, and industry at large.