Wednesday, September 19, 2007

about firewalls and bonds

If you're lucky enough to not be involved in the drama of the computer security industry, you've probably not noticed the near-flame wars going on about de-perimeterization and the Jericho Forum.

I won't get into the details, because, as in most flame wars, they don't matter. But one thing in the latest salvo really got my hackles up. Not for the arguments, but for the disclaimer:

I work for a vendor of network perimeter security appliances. But, keep in mind, I would not be working for a perimeter defense company if I did not truly believe that the answer lies in protecting our networks. If I believed otherwise I would work for a de-perimeterization vendor, if I could find one. :-)
Poppycock. People change jobs all the time. Do you believe it when a CEO leaves a Fortune 500 company "to spend more time with his family"?

Part of my reaction comes from not being in marketing. An engineer is allowed (hopefully expected) to have a nuanced view of things. If a marketing person does, they're not really doing their job right. And engineers move across sectors a lot more, too. Non-competes play a part, of course, but after a period of time a given segment stops driving our curiosity; moving around keeps us fresh.

Over the past 10 years, I've built product for security companies selling all sorts of things: penetration testing, scanning, auditing, recording, DDoS defense, network profiling, remediation. I'm currently doing interesting work for a UTM (unified threat management) vendor (just like the poster of the above disclaimer, although he won't call it that), which would seem to put me in the "network-based" defense category. But I'm also personally building some host-based defense mechanisms.

Which of those is the "best" way to secure your computers? It's a foolish question. Most people need a mix of those solutions, and just which mix depends on your situation. I currently deal with a lot of SMB (small- and medium-sized businesses, if you're not up on the lingo), which makes sense since I'm working for a UTM vendor, and that's the nice sweet spot for UTMs. Those customers have limited internal expertise and limited dollars, so an all-in-one package does a great job.

Occasionally customers will ask me if they should get rid of their host-based defenses, like antivirus software. My answer always comes down to "are you happy with it?" For most people, they don't care, so they leave it alone. But other folks get really pissed off by Norton Anti-Virus.

It's true that host-based defenses can open up new holes. You can read the argument of a maker of network-based defenses on why. (The points are valid, but just remember that you're reading the page of a vendor biased against host-based solutions, who avoids mentioning that network-based solutions can create vulnerabilities too.) However, there are threats that network-based defenses just can't deal with, like malware on removable media or encrypted connections.

For a lot of people, these threats don't matter, or are so small compared with their network threats that they'll just deal with them as is. But it's incorrect to try to wave away these threats, such as saying "well, they should have policies against that" or "no one really does that any more."

I'll close with a quote I think I got from financial analyst Allan Sloan, but couldn't find. "When Bill Gross (manager of the world's largest bond fund) talks about stocks, he's really talking about bonds." So when a marketer of product X talks about Y, he's really talking about how Y is inferior to X.

Saturday, September 15, 2007

How I became a reddit war criminal

So I found myself on Reddit Friday night, and I saw a post about the size of the stars in the universe.

You can see right on that page what caught my eye:


JelloShotz had done a good old ASCII Art picture of Fry (done with Unicode characters, of course).

I had been wondering just what kind of nonsense one could put into a Reddit title. People have put a few clever Unicode things into them before, like the right-to-left character.

So would this work as a Reddit title in its own right? I didn't think so; I'd probably have to do something weird, like submit 30 titles all at once, to build it all up.

So I tossed a post together quickly, submitted it, and my heart skipped a beat as my screen refreshed showing everything working perfectly.

I expected the submission to look like a bunch of garbage and quickly disappear from sight. But it worked the first time. (Reddit titles don't allow carriage returns, AFAIK; it worked because the width of each row was enough to force one "word" per line.) And right in your face, too.
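The mechanism in that parenthetical (no newlines in the title, but each row is a single "word" too wide to share a line with the next one, so a greedy word-wrap puts one row per line) is easy to reproduce. The following is an added Python illustration, not code from the original post and not Reddit's code. The wrap simulator is the standard greedy algorithm; the screening function is a heuristic I wrote for this example and goes beyond the post: besides the one-word-per-line pattern it also flags the Unicode bidi control characters mentioned earlier and titles that are mostly symbols. The sample titles are constructed, and the display width, the thresholds and the function names are assumptions.

```python
"""Word-wrap simulation and a screening heuristic for single-line titles
that render as multi-line art.  Added example; not Reddit's code.  The
width, thresholds and sample titles below are assumptions/constructed."""
import unicodedata

# Constructed samples.  The "art" title is three 40-character rows of
# block-drawing symbols separated by ordinary spaces, no newlines at all.
ART_TITLE = " ".join(["\u2584" * 40,
                      "\u2588" + "\u2580" * 38 + "\u2588",
                      "\u2580" * 40])
NORMAL_TITLE = "The sizes of stars in the universe, to scale"
# A right-to-left override (U+202E) makes the text after it display reversed.
RTL_TITLE = "Harmless title\u202eexe.txt"

# Unicode bidi controls: embeddings, overrides, isolates and marks.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069",
                 "\u200e", "\u200f"}


def wrap_greedy(title, width):
    """Greedy word wrap, roughly what a browser does with a title string:
    a word is appended to the current line if it fits, otherwise a new line
    starts.  A word wider than `width` still occupies its own line, since
    nothing splits inside a word.  Width is measured in code points, which
    is a simplification (assumption: one display cell per character)."""
    lines, current = [], ""
    for word in title.split():
        if not current:
            current = word
        elif len(current) + 1 + len(word) <= width:
            current += " " + word
        else:
            lines.append(current)
            current = word
    if current:
        lines.append(current)
    return lines


def screen_title(title, width=60, min_rows=3):
    """Return the list of reasons a title looks like a display trick, or an
    empty list if it looks ordinary.  Heuristic only; `width`, `min_rows`
    and the 50% symbol threshold are assumptions for illustration."""
    reasons = []
    tokens = title.split()
    rows = wrap_greedy(title, width)

    # The mechanism from the post: every token is wider than half the line,
    # so no two can share a row and the wrap yields one token per row.
    if (len(tokens) >= min_rows and len(rows) == len(tokens)
            and all(len(t) > width // 2 for t in tokens)):
        reasons.append("one-word-per-line wrap")

    # Bidi controls are invisible but reorder how the following text shows.
    if any(ch in BIDI_CONTROLS for ch in title):
        reasons.append("bidi control character")

    # Mostly symbols (Unicode general category S*), i.e. block drawing and
    # the like rather than letters, digits or punctuation.
    visible = [ch for ch in title if not ch.isspace()]
    if visible:
        symbols = sum(1 for ch in visible
                      if unicodedata.category(ch).startswith("S"))
        ratio = symbols / len(visible)
        if ratio > 0.5:
            reasons.append(f"symbol-heavy ({ratio:.0%})")
    return reasons


if __name__ == "__main__":
    for name, title in [("art", ART_TITLE), ("normal", NORMAL_TITLE),
                        ("rtl", RTL_TITLE)]:
        print(name, "->", len(wrap_greedy(title, 60)), "row(s);",
              screen_title(title) or "looks ordinary")
```

A queue-side check like this only needs the title string, so it can run before the post is shown on the "new" page. The width used for the wrap check should match the narrowest layout the site actually renders, otherwise rows that wrap in one view but not another slip through.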

You can't un-ring a bell.

I thought about deleting it right away. But when I checked my votes, I had 3 upvotes. People had noticed already, and if I removed my entry, someone would just create another one, now that they realized how it could be done. So I left it there, unsure of just how the community would react to it.

I made two comments, hoping to throw myself on the mercy of the crowd: one asking if I should feel bad, and another pointing either credit or blame (depending on your opinion of my submission) to the original artist. Stealing credit is bad.

I watched it spend the next few minutes accumulating upvotes, with an occasional downvote. So, it seemed to be going fine.

It would hit #1 just after an hour. And most people were cool with it. The little pieces of animus were pretty funny, especially the charges comparing me with a kid pointing a gun at a friend. The best gave me a title for this post.

The reaction as I went to bed was decent; 905 upvotes and 385 downvotes. I had to go on a Cub Scout hike the next morning so I didn't get to check things until Saturday afternoon, at which point I was at 2134 upvotes and 1926 downvotes. While the Friday night crowd may have enjoyed it, clearly the Saturday morning crowd wasn't having any of it.

I got some questions from colleagues and commenters, so I just put them all here:

Q. You linked to cats in sinks? WTF?

A. I needed a URL, so I just looked through the ones saved in my browser. It's a common testing URL I use for my project. I figured it was nice and innocuous. Despite the fact that this could've been a huge driver of clicks, I passed up on pimping my own personal project, because 1) it's definitely not ready for a reddit effect, 2) it would practically be an invitation for people to try their own Unicode art, and I haven't set up any defense against it, and 3) if this pissed people off, I didn't want them to find themselves on my doorstep.

Q. Dude. What the hell.

A. Sorry. I can't say that if I could go back in time I'd do it any differently, but I get why people would be pissed about it showing up at #1. If it's any consolation, hundreds of people voted to put it there.

Q. What if everyone does this?

A. Anything annoying can't get into the top page, pretty much by definition. I did have this chill run down my spine in the few seconds after I realized I had successfully posted: what if we're gonna get a whole bunch of titles like this?

The "new" page could definitely become a wasteland, but this is already true with people posting plain old spam links. The defenses against those posts would work against these ASCII art type posts.

Q. Did you consider telling the Reddit founders about it first?

A. I did consider that; and in the past I informed them about a particularly nasty way of submitting things that could really piss people off without anyone being able to track down who did it. They handled it very professionally, which would encourage me to do it again.

(I've yet to publicly release that flaw -- a new baby tends to occupy one's time -- but they've already fixed it. I'll get around to it at some point.)

I'm not sure what I could've said to them, though. "People can be dicks when submitting stories"? I think they know that one. ;)