Fun Times, InfoSec, and No Wind in Chicago

I just returned from a brief trip to Chicago, where I attended and presented at Thotcon, as well as attended BSides Chicago.

Thursday: After a two-hour delay due to “mechanical” issues, I arrived in Chicago. I am a bit surprised, as the flight crew in Denver did not give us a lot of confidence. We were told a “switch” needed to be replaced and it wasn’t switching or something. This led to them telling us that they would have to “rewind” the engine, which doesn’t seem logical. From the airport, a long and slow taxi ride made me late for the THOTCON speaker dinner at the Northdown Cafe and Taproom. This is where I found the ‘Curmudgeon’ beer pictured below. There is something very satisfying about ordering a ‘curmudgeon’ at a bar and getting a bottle. After the dinner, Space Rogue, Josh Corman, Banshee, and I went out looking for some good Blues music. We started at Kingston Mines but found the music to be too upbeat. Across the road at B.L.U.E.S. we found exactly what we were looking for. I had told my companions that I wanted a guy sitting on stage singing and playing the guitar, and it delivered. The $1.50 Jägermeister shots appealed to Space Rogue greatly.

[Photos: the ‘Curmudgeon’ beer; two shots of B.L.U.E.S.]

Friday: As happened a few times, the day began with or included a packed cab ride. The immediate surprise was the venue. The Ravenswood Event Center sounds like any other hall for a convention, but in reality is a unique space. Around the main conference room were a variety of old sports cars in immaculate condition. The third floor space reserved for speakers had high glass walls for a bright room with good views. Courtesy of THOTCON staff, the speakers could use this as a lounge for talk preparation, free booze, and a hosted lunch. I ran into Jeff Jarmoc again who delivered on his promise to bring us a jar of peanut butter for a stage prop. The picture of the Jif alongside the THOTCON wireless information was proof for Advanced Threat who doubted my presence in Chicago. Not to be outdone by Jarmoc, Banshee produced a stuffed squirrel who could enjoy the jar.

[Photos: the packed cab; the venue; Corman with the peanut butter; the Jif jar beside the THOTCON wireless info; the stuffed squirrel with the Jif]

The first keynote of the day was by Bruce Schneier, who treated the audience like a bunch of eight-year-olds, going into the very basics of social contract by stretching it out 30 minutes via the speaking method of “repeat yourself using different words seventeen times”. Josh and I were both groaning throughout his presentation and I opted to take a ‘meta’ picture by photographing the event photographer. Of course, any InfoSec conference needs drama, and THOTCON’s was in the form of someone complaining about the “race card” that was being passed around. Of course, it had absolutely nothing to do with race, and everything to do with Mario Kart racing, but that didn’t matter. I thought the cards were hilarious. The other sticker that came with registration was potentially a trigger, but everyone seemed to love it as well as the shirts that said “Fork My Dongle”. Shortly before my talk, I jumped over to Track 2 to see James Arlen present on how to do a better presentation. His very brief talk was a boiled down version of a much longer workshop he gives, and it should be required viewing by anyone presenting, especially in InfoSec.

At 3:00PM, Josh Corman and I took the stage to give our “Cyberwar: Not what we were expecting” talk. With some new slides and updated material, I ran a bit longer than I should have causing Josh to hurry through the last bit. We really should have boiled it down a bit, or bribed someone for a 90 minute speaking slot. Part of the delay though, is fully on Corman’s shoulders. While I was talking, he quickly put on a squirrel mask and hopped across the stage at me. No, this was not staged. The main reason it “blue screened” me as Josh put it, is that I own one of these masks. I certainly wasn’t expecting to see it hopping across the stage at me mid-presentation. Well played Corman.

[Photos: the ‘meta’ shot of the event photographer; the race card; the Fork My Dongle sticker; James Arlen; the squirrel surprise]

For dinner, we headed out looking for whatever was good and close to the venue thinking we’d return quickly for the closing bits. Instead, we were lured into a long and hilarious German dinner at Laschet’s Inn. Our waitress JoJo, an “Irish-German-Texan” with a healthy southern drawl was hilarious and energetic. The group we ended up dining with, all coworkers at the National Association of Realtors®, were great hosts. They got the ‘boots’ of beer started immediately, before waves of appetizers and outstanding authentic German food. In the end, they graciously took care of the tab as well, completely shattering the image of Chicago being full of gun-toting thugs. As usual, a three hour meal about security, food, and everything between was as educational as it was fun.

[Photos: the beer boots, including Sprog and Corman with theirs]

Saturday: We began the day at a ‘Recovery Breakfast’ organized by SecBarbie, at the Little Goat Cafe. From here most of us used the Zack Fasel cab service to get to the Abbey Pub for BSides Chicago. I had reservations going into this, as a ‘pub’ sounds like a small cramped venue for a bigger BSides conference. Upon arrival, I quickly noted how it was a perfect venue. Several rooms segregated to avoid noise issues, an upstairs overlooking the main speaking room for the CTF setup, and two bars to deliver libations all day long. Shortly after arriving, Space Rogue, Josh Corman, and I offered to do an impromptu ‘talk’ (a research project really) to gauge how alternate sources of information such as Twitter, IRC, or vendor press releases were picked up by more mainstream media. I will be writing a blog on the conclusion of that in a few days, stay tuned. After a great day at BSides, Josh and I headed to L2O Restaurant for an epic dinner.

[Photo: BSides Chicago]

Sunday: After a leisurely morning and sleeping in, William Knowles took me to Lou Malnati’s for some authentic deep dish pizza, before a ride to the airport. Fortunately there were no delays due to sequester or switchy thingies this time. While I am not a fan of travel, this ended up being a great trip with good friends, new and old. THOTCON’s reputation for being a great con is well deserved, and the organizers are great. A special thanks to Nicholas Percoco for the outstanding hospitality given to THOTCON speakers.


Fine Dining, A Learning Experience

I have had my share of good meals, and truly enjoy them. I tend to go out of my way to eat a nice meal every so often. Locally, it generally means a meal at one of the three Richard Sandoval restaurants he has in town. In Vegas, it may mean one of Gordon Ramsay’s restaurants. These are certainly nice places with accomplished chefs. Until this weekend, I considered them fine dining.

That changed with a trip to L2O in Chicago by Josh Corman and myself. The restaurant is run by chef Matthew Kirkley, who describes the dining experience as “… exploring the intricacies of fish and shellfish in artful compositions enhanced by the best ingredients available from land and sea.” The name L2O stands for “Lake to Ocean”. Last year, he earned 1 Michelin Star for his restaurant, and gained 2 stars this year. It is important to note that while Gordon Ramsay has been awarded 15 stars and currently holds 14, it does not mean that any came from his work at the restaurants I ate at. So dinner at L2O was significantly different.

The first and most important difference in this meal is that it is a tasting menu. You basically order one of two things: the Prix Fixe menu, or the Tasting menu. Rather than an appetizer, main course, and dessert like a traditional restaurant, you are given a variety of courses selected by the chef. For our dinner, the tasting menu included three courses that were not on the menu. Further, we opted for the wine pairing for our menu. Another major difference is that the meal is as much about presentation and ritual as it is about the food. The staff play an elaborate dance of formal movements, coordinated delivery, and scripted descriptions. Last, while I enjoy wine from time to time, I cannot emphasize enough the value of a sommelier putting together a pairing specific to the dish. Instead of relying solely on taste, they also play to the texture of a wine as much as the flavor profile.

In the spirit of truly enjoying our evening, we opted not to be like the stuffy people we saw around us (including one couple that was obviously in the middle of a loveless and emotionless marriage). While the restaurant “suggests” jackets for gentlemen, I quickly lost mine when I noticed the guy next to us was only wearing an Izod and jeans. In addition to novice questions about the meal, I found myself throwing a wrench in their timing and delivery almost every course. Josh equated my questions and comments to a Denial of Service attack against their routine, but for sport. The banter Josh and I delivered certainly entertained the staff as much as it did us.

The (enhanced) menu we had is listed below, including the items that were not listed on the web page. The first few courses made us wonder if we’d leave the restaurant with a full stomach. By the end, especially with wine pairings and bread, we were both waddling like penguins.

  1. [amuse-bouche, not on menu]
  2. mussel tart, lemon, parsley
  3. geoduck clam, manila clam, lime
  4. langoustine, osetra caviar, cauliflower, poppyseed, meyer lemon
  5. nootka sound oyster, green apple, noilly prat, celery
  6. crab chip, old bay
  7. maine lobster, foie gras torchon, turnip, clementine vinaigrette
  8. crispy bass, escargot, pearl onion, chartreuse butter
  9. turbot, grilled squid, guanciale chips, scallion
  10. stuffed quail, sunchoke, smoked cherry, 23-flavor gastrique
  11. [Champagne granita, not on menu]
  12. lime parfait, avocado, tarragon, cara cara orange
  13. chocolate crémeux, lemon curd, brioche, olive oil
  14. [sweet snackies, not on menu]

While amuse-bouche is not technically a course, it is also something I wasn’t familiar with. Josh had to educate me on the term. This was called “Fruits of the Sea” and each was a melon ball container that had a distinct center, such as salmon for one. The first course officially on the menu was the mussel tart with lemon and parsley. Served on a cup of tiny intricate sea shells, Josh was quick to remind me not to eat them. In the low light, they did look like snacks. Third, we had Geoduck clam and Manila clam with a hint of lime. I don’t recall the exact method of preparation but it did not have the consistency of a clam at all. Fourth, we had langoustine, Osetra caviar, cauliflower, poppyseed, with meyer lemon. The picture below shows the cauliflower was dehydrated and mostly for show, but it still added to the flavor. As best I can recall, this was my first time having caviar, and I found it quite nice. It was not salty or potent as has been described to me in the past.

[Photos: amuse-bouche; mussel tart; geoduck clam; langoustine]

Fifth on the list was a Nootka Sound oyster with green apple, Noilly Prat, and celery. The combination of the two shells was well done and reminds me that I need to broaden my horizon on oysters. The sixth course brought us absolute joy. Not only for that tasting, but for the rest of the night. It also gave us tremendous respect for the chef. The menu listed a simple item: a crab chip dusted with Old Bay seasoning. The two crab chips were a reflection of chef Matthew Kirkley’s roots, as he grew up in Maryland. What wine do you pair with crab chips? None. Instead, Kirkley insisted that it be paired with a Pabst Blue Ribbon. Yes, a good old-fashioned cheap PBR. While the sommeliers, both of them employed by the restaurant, seemed a bit offended and would have opted for wine, the one serving us most of the night admitted that she agreed on the pairing. After giving her much grief, she laughed and agreed to pose for a picture as well. Josh and I both appreciated that in addition to honoring his roots, he was clearly thumbing his nose at pomp and pretense.

For the seventh, we had Maine lobster, foie gras torchon, turnip, with clementine vinaigrette gelee (close-up picture). Despite seeing it on TV and in articles, this was also the first time I had foie gras. The eighth course was a dish of crispy bass, escargot, pearl onion, with chartreuse butter (close-up picture). The escargot was the third new food for me that evening.

[Photos: oysters; crab chip; the sommelier with the PBR pairing; lobster; crispy bass]

For number nine, we had turbot topped with grilled squid, guanciale chips, and scallions (close-up picture). The tenth course was a stuffed quail with sunchoke, smoked cherry, and a “23-flavor gastrique”. The presenter told us it was “23 flavors” and that we could “think about it”. Josh Corman immediately chimed in, “Dr. Pepper!” For those not familiar, Dr. Pepper has a reputation for its 23 mysterious flavors. Tasting one of the three dark dots pictured below (or close-up picture) certainly brought the flavor to mind. Josh commented that by not giving answers and just teasing the guests, it becomes a treat for the observant. He equated it with hidden Easter eggs within the menu. The eleventh course was a frothy Champagne granita, not listed on the menu. At this point, our sommelier brought out a second can of PBR on a small silver platter, so we could enjoy a nice cheap-beer break. This was an amusing touch and showed us that she was having as much fun as we were.

[Photos: turbot; quail; the frothy Champagne granita; the second PBR on its platter]

Twelfth on the list was a lime parfait with avocado, tarragon, and Cara Cara navel orange. Despite the appearance, this was not an overly sweet dish and was a good lead-in to the next two dessert courses. Next up, the thirteenth course was a chocolate crémeux with lemon curd, brioche, and olive oil (close-up picture). This was perhaps the most rewarding course; not because of the wonderful dessert, but due to the banter and harassment. Upon seating, we were asked if we had food allergies or dietary restrictions. We said no, because as a diabetic I carry my insulin and take it according to the food I eat. Hours later, the last server who delivered this was obviously not told of any restrictions. After setting it in front of me, the conversation went like this:

Brian: “Does this have any sugar in it?” (said with a straight face)
Staff: “Heh heh, just a bit!”
Brian: “No really, I am a type 1 diabetic. Does this have any sugar in it?”
Staff: “Uh… heh heh, no you aren’t!” (clearly a bit nervous at this point)
Brian: “Yes, I really am, does this have sugar in it?” (I asked as I showed her the insulin kit)

With this, she covered her mouth, stepped back and looked as if she was going to pass out. I quickly reassured her that while I am, I was expecting the dessert and it wasn’t a problem. Josh is pretty sure she may have had a small heart attack. Anyway, the fourteenth and final course was a mix of macaroons, fresh caramel, exotic gum drops, and some other sugary delight that was also served with previous courses.

[Photos: lime parfait; chocolate crémeux; the sweet snackies]

At several points of the dinner, Josh noted that despite the differences in our professions, we could see some kinship with the chef as do those of us who take our trade so seriously. Hard work, pursuit of excellence, attention to detail, with a good dose of some hidden humor.

With this, we were done. We sat down a bit after 5:45P and walked out of the restaurant just shy of 9:45P. Yes, a 4-hour dinner and night of entertainment. For me, a dinner like this rarely comes along, and I am glad I took the opportunity to experience it. The final touch? One of the staff that had been helping us all night escorted us out to ensure we got a cab and thanked us for dining with them. Overall, an incredible experience.

This post and the extensive details are dedicated to my mom, who would have really enjoyed it, and wishes she could have been there.

Brief Glimmer of Hope for the Human Race

The amount of suffering inflicted upon animals these days is utterly depressing. Every so often I read an article where humans go the extra mile to give an animal a second chance. Of course, the imbalance of one animal receiving life-changing help doesn’t begin to approach the number that are abused and mistreated. However, it does give me the brief glimmer of hope that our humanity, what sets us apart from apes, is still intact. Here are a few fine examples of why I haven’t given up on society. Yet.

Chris P. Bacon


Backstory on Chris P. Bacon, and him without wheels.

Flipper


Flipper suffered a spinal cord injury during birth. The vet reached out to a local high school to see if they could assist Flipper in getting around, rather than giving up on the cat. Backstory.

Floaty Goldfish


There isn’t much backstory, just the Youtube comments. Here is another video of the wonderful owner hand feeding the fish.

These are but a few examples of humans stepping up to care for animals that have been displaced by the evolution of civilization. Search around and you will find more stories of cranes, parrots, rabbits, turtles, and more.


2013-05-27 Update:


Uploaded on Jun 20, 2011: Incredible Features Exclusive Story – Naki’o is the first dog to be fitted with a complete set of bionic paws that work naturally to allow him to run, jump and even swim. Nakio received the paws after his own were severely hurt from stepping into an ice puddle as a puppy. The prosthetics were designed and fitted in a pioneering procedure by Martin Kaufmann, founder of Orthopets. Read more here: http://www.incrediblefeatures.net/blog/2011/06/nakio-the-first-dog-with-four-prosthetic-paws/

America; Not a Country, a Business

I watched “Killing Them Softly” a week or two ago. The movie got bad reviews, and I see why. All the right intentions, good cast, just fell short in many ways.

The best part of the movie, comes in the last few lines delivered by Brad Pitt, after killing three people the previous 24 hours and arguing over the pay owed to him.

I’m living in America, and in America, you’re on your own. America’s not a country. It’s just a business.

At some point during the last decade, I think society has become numb to how true this is. Lobbying congress is a multi-million-dollar industry. Corporations are people. PACs dominate unlimited anonymous spending to influence those in power. Companies use tax loopholes to pay pennies on the dollar, if anything at all.

Corporations and retail outlets are light years ahead of where the average consumer understands. Psychologists and lawyers are a stronger presence in marketing than anything else. Our laws are plagued with crafty wording that can be selectively abused, where crude oil is conveniently labeled as “diluted bitumen” so billion dollar companies don’t pay the same taxes, nor are they required to pay to clean up the mess they make. And it doesn’t matter that said company already admitted it was heavy crude.

We continue to spend staggering amounts on wars we can’t win; whether it is the war on drugs, Iraq, Afghanistan, or Terror doesn’t matter. Try to truly grasp those numbers and understand that war is an industry, and friends or family of our elected leaders profit heavily off these wars.

Meanwhile, our country lags in education, has millions in poverty or face hunger, maintains the biggest disparity in distributed wealth, and imprisons more people than any other country.

Our country is a business, and profit trumps all else. Until that changes, we are doomed to failure.

The Madness after the Boston Madness

The last few days have once again shown how utterly ridiculous parts of our society are. In the wake of the Boston Marathon bombings, we saw news outlets fumble over themselves, eager to announce the next terror, while feigning disgust. Another device found! A controlled detonation! No, a fire! CNN led the way in pathetic reporting. A timeline of CNN’s inept coverage is as amusing as it is disgusting. A Fox news affiliate is a definite runner up, naming one suspect Zooey Deschanel instead of Dzhokhar Tsarnaev. No wonder hundreds of thousands listened to the Boston Police radio live feed and took to Twitter for faster, and more reliable updates.

Of course, pundits, armchair experts, and every dimwit around lent their own conspiracy theories, further blurring facts and needlessly enraging sheeple that want to believe.

While the police response to this tragedy was certainly swift, I can’t help but think how premature everyone involved seems to be. The Boston Police tweeted that the terror is over after taking a second suspect alive:

CAPTURED!!! The hunt is over. The search is done. The terror is over. And justice has won. Suspect in custody.

President Obama went on national television to remind us that such statements are premature, saying that “a chapter” in this tragedy was closed, but the investigation is ongoing. How can the Boston Police, who were unable to question one suspect, and have not had a chance to question the second, know that they were the only two involved? What if the two suspects are part of a larger group, with active members still out there ready to do harm?

How far does this have to go before society collectively realizes the madness we’ve descended into? At what point does the rational side kick in and make the masses aware of how pointless and counterproductive the response has been? Unfortunately, I know the answer to these questions, as the response from society to any and every tragedy has steadily gotten worse. With that follows knee-jerk responses from all walks of life, especially lawmakers.

The frustration of seeing society spiral downward, while being powerless to effect change, is maddening.

“Threat Intelligence”, not always that intelligent.

I’ve been in the security arena for some time now, like many of my friends and colleagues. For over a decade, several vendors have delivered yearly reports summarizing various attributes of the industry: vulnerabilities, hack attacks, spam, malware, breaches, and more. They are typically delivered in summaries that can be read by any level of an organization. More recently, they center around ‘infographics’ that attempt to convey the major points in an aesthetic fashion.

Most reports are released with a lot of fanfare; news articles that praise the report, hem and haw over the findings, and tell users things are bad. What we rarely see is any establishment, news or otherwise, challenge the data. The few that do are typically lost in the mass of blogs and are given as much scrutiny as the articles they debunk. Even when data is out there to quickly refute such a report, the people seeking to do so are few and far between; even when it is their job to do so.

The reason? Security companies, professionals, and journalists are complacent. They are happy to get the numbers that help them. For some, it sells copy. For others, it gets security budget. Since it helps them, their motivation to question or challenge the data goes away. They never realize that their “threat intelligence” source is stale and serving up bad data.

All of this came up again with today’s release of the Symantec Internet Security Threat Report (ISTR) [Full report – PDF]. Note that I am an officer of the Open Security Foundation (OSF), and we track two of the many general data points that Symantec does. We run a vulnerability database, and we run a database that tracks breaches. Symantec has previously used OSF breach data, but recently stopped after being informed that it was not acceptable to do so commercially without a license. I believe this is the first report that uses their own. And it shows. That said, I am only going to focus on vulnerability data, as that is my real area of interest and where I spend a majority of waking hours.

In addition, Symantec maintains one of the world’s most comprehensive vulnerability databases, currently consisting of more than 51,644 recorded vulnerabilities (spanning more than two decades) from over 16,687 vendors representing over 43,391 products.

Given the number of vulnerability databases (VDBs) out there, at least ones that could be considered sizable by any measure, this is technically true. However, the rest of the quoted material reminds us that they are not even close to comprehensive, and their numbers are in line with specialty databases that focus on a specific purpose or type of information. According to the report, they cataloged 6253 vulnerabilities in 2010, 4989 in 2011, and 5291 in 2012. To put that into perspective, that is 2877 fewer than IBM/ISS X-Force, 4485 fewer than Secunia (note: their abstraction will result in duplicates and a higher count to some degree), and 1289 fewer than CVE/NVD, which is the “no child left behind” of VDBs. Seriously, Symantec isn’t even keeping a 100% mapping to CVE, and they call their database “comprehensive”. Symantec’s 5291 vulnerabilities in 2012 is approximately 58% of the vulnerabilities cataloged by OSVDB. As one project moderator said, a generous professor might even round that to a D-.

Looking further, Symantec’s report says they cataloged 14 ‘zero day’ vulnerabilities in 2010, 8 in 2011, and 14 in 2012. In this context, ‘zero day’ means “A zero-day vulnerability is one that is reported to have been exploited in the wild before the vulnerability is public knowledge and prior to a patch being publicly available.” This is basically the same definition OSVDB uses for our “Discovered in the Wild” flag. However, our numbers differ from theirs: 39 in 2010, 31 in 2011, and 25 in 2012. Note that tracking this specific statistic is very difficult for any VDB. I can say with certainty that we have not flagged all of the vulnerabilities that fit this bill, but we have made a considerable effort to do so based on the information available.

Several reports including Symantec, IBM / ISS X-Force, and others have recently started highlighting statistics surrounding the vulnerabilities in web browsers. This probably seems simple to most people, even many security professionals. I can assure you, that is not the case. As a recent example, Carsten Eiram of Risk Based Security (a sponsor of OSF / OSVDB) has spent the last three months doing extensive analysis and reworking of WebKit vulnerabilities. WebKit serves as the central rendering engine for several browsers including Google Chrome, Apple Safari, RIM / BlackBerry, and soon Opera. This generally means that any vulnerability in WebKit will likely affect the four browsers mentioned, and more. In the real world, due to vendors not playing well with others, we see Apple release vague vulnerabilities attributed to WebKit months after Google Chrome does the same. Carsten’s digging and analysis has found a considerable amount of duplicate CVE assignments as a result. In addition, he has found many additional vulnerabilities that were either silently patched by vendors, or remain unpatched currently, simply by using the same resources as the developers. With this in mind, the Symantec statistics are more revealing:

[Image: Symantec’s browser vulnerabilities chart from the ISTR]

In 2012, they show 38 Apple Safari, 30 Google Chrome, 21 Mozilla Firefox, 7 Microsoft IE, and 4 Opera vulnerabilities. Given that OSVDB has cataloged 219 vulnerabilities in WebKit in 2012 alone, that means the Symantec statistics are worthless. Those 219 vulnerabilities largely affect both Chrome and Safari, as well as other browsers. Even if we switch to look at vulnerabilities specific to Google Chrome we see 221, and for Apple Safari we see 66 distinct vulnerabilities. This kind of oversight in browser statistics is, for lack of better words, amateur hour.

[Update 6/7/2013 – As pointed out in a comment below, I misread this as # of vulns rather than percentage. I am leaving the paragraph above in full for posterity. However, please note that all of my comments would also affect their percentages as well. I certainly screwed this part up, but their stats are still wrong. =)]
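The WebKit problem above is easy to reproduce on paper. The following is an added example, not code from this post or from OSVDB, that reconciles a handful of constructed vendor advisories against the upstream WebKit fix each one cites, and compares the numbers a report gets from tallying vendor bulletins per product with the number of distinct fixes. All CVE and bug identifiers are placeholders, and the final function rests on the post’s “likely affects every WebKit browser” reasoning, which is treated here as a stated assumption rather than a verified fact.

```python
# Added example (not from the post or OSVDB): reconcile vendor browser advisories
# against the upstream WebKit fix each one references, and compare the counts a
# report gets from naive per-product tallies with the count of distinct fixes.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vendor: str
    product: str
    cve: str           # CVE as listed in the vendor advisory
    upstream_bug: str  # upstream WebKit bug the fix references; "" if the vendor gave none


# Constructed sample data: placeholder CVE and bug identifiers, not real ones.
SAMPLE = [
    Advisory("Google", "Chrome", "CVE-0000-0001", "webkit:100001"),
    Advisory("Apple",  "Safari", "CVE-0000-0002", "webkit:100001"),  # second CVE for the same fix
    Advisory("Google", "Chrome", "CVE-0000-0003", "webkit:100002"),
    Advisory("Apple",  "Safari", "CVE-0000-0003", "webkit:100002"),  # same CVE shared correctly
    Advisory("Apple",  "Safari", "CVE-0000-0004", ""),               # vague entry, no upstream reference
    Advisory("Google", "Chrome", "CVE-0000-0005", "webkit:100003"),
    Advisory("Google", "Chrome", "CVE-0000-0005", "webkit:100003"),  # re-listed in a later release
    Advisory("Google", "Chrome", "CVE-0000-0006", "webkit:100003"),  # duplicate CVE for one fix
]


def naive_counts(advisories):
    """Advisory lines per product: what a report gets by tallying vendor bulletins."""
    counts = defaultdict(int)
    for a in advisories:
        counts[a.product] += 1
    return dict(counts)


def cve_counts(advisories):
    """Distinct CVE identifiers per product; still blind to cross-vendor duplicates."""
    seen = defaultdict(set)
    for a in advisories:
        seen[a.product].add(a.cve)
    return {p: len(c) for p, c in seen.items()}


def fix_key(a):
    """Key an advisory by its upstream fix; fall back to the CVE when none is cited."""
    return a.upstream_bug if a.upstream_bug else f"cve:{a.cve}"


def distinct_fixes(advisories):
    """Map each distinct fix to the set of CVEs assigned to it across all vendors."""
    fixes = defaultdict(set)
    for a in advisories:
        fixes[fix_key(a)].add(a.cve)
    return dict(fixes)


def duplicate_cve_groups(advisories):
    """Fixes carrying more than one CVE: the duplicate assignments worth merging."""
    return {k: cves for k, cves in distinct_fixes(advisories).items() if len(cves) > 1}


def engine_inherited_counts(advisories, webkit_products):
    """Distinct vulnerabilities per product under the assumption (the post says
    'likely', it is not verified here) that every upstream WebKit fix affects every
    WebKit-based product; entries with no upstream reference stay with the product
    whose vendor listed them."""
    webkit_fixes = set()
    own = defaultdict(set)
    for a in advisories:
        if a.upstream_bug:
            webkit_fixes.add(fix_key(a))
        else:
            own[a.product].add(fix_key(a))
    return {p: len(webkit_fixes | own[p]) for p in webkit_products}


if __name__ == "__main__":
    print("advisory lines per product:", naive_counts(SAMPLE))
    print("distinct CVEs per product:", cve_counts(SAMPLE))
    print("distinct fixes overall:", len(distinct_fixes(SAMPLE)))
    print("fixes with duplicate CVEs:", duplicate_cve_groups(SAMPLE))
    print("per product, engine fixes inherited:",
          engine_inherited_counts(SAMPLE, {"Chrome", "Safari"}))
```

On this sample, counting vendor lines gives Chrome 5 and Safari 3, counting distinct CVEs gives 4 and 3, yet there are only four distinct fixes, two of which carry duplicate CVEs. Once the shared engine is taken into account, Safari inherits every Chrome-reported WebKit fix and ends up with more distinct vulnerabilities than its own bulletins show, which is the direction of error the post describes in Symantec’s chart.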

Another hot topic the last two years are vulnerabilities in SCADA (Supervisory Control and Data Acquisition) systems. These are the systems that run vital parts of the world’s infrastructure, including electric, gas, sewage, and more. According to the Symantec report:

In 2012, there were 85 public SCADA (Supervisory Control and Data Acquisition) vulnerabilities, a massive decrease over the 129 vulnerabilities in 2011.

These statistics, if used for any guidance in SCADA facilities, should be criminal. OSVDB cataloged 167 SCADA vulnerabilities in 2011, and saw it jump to 211 in 2012. We’ve already cataloged 66 SCADA vulnerabilities in 2013, due to increased diligence in monitoring SCADA vendors for reports that may not make their way to ICS-CERT.

Toward the end of the report, in their “Looking Ahead” section, they give some general predictions of what is to come. “More State-sponsored Cyber Attacks”, “Social Media Will Be a Major Security Battleground”, “Sophisticated Attack Techniques Trickle Down”, “Attacks Against Cloud Providers Will Increase”, “Websites Will Become More Dangerous”, and “Increasingly Vicious Malware”. These are hardly ground-breaking or interesting, as they have all been the status quo for many years. What I find interesting is that the statistics they offer show a drop in vulnerabilities, both overall and in specific sectors such as SCADA. Symantec’s numbers don’t support their predictions very well.

I think it is fair to say that Symantec has lost sight of the real value of such reports. Instead, I envision Symantec planning meetings about the graphics, presentation style, and narrative they’re presenting. Vulnerability statistics are not easy; in fact, they are exceedingly difficult to get right. You would think that a company with the resources and longevity of Symantec could figure that out. Unfortunately, the report has become the focus, not the reliable data that should drive it.

Your Favorite ‘News’ Site is Likely Just A Shitty Blog

Ten years ago, your favorite tech-centric site was an online news portal. Meaning, it was run by, edited by, and written by news professionals. Old school journalists and editors, brought up through the system we all know and expect. At some point, that changed for the (much) worse, and very few realize it.

If you relied on sites like C|Net or ZDNet for news, you used to get it. A story would break, a journalist would investigate. They would send emails, make phone calls, talk to sources, consult experts, and write it up. It would then be edited by one or more people with experience editing, a demanding and precise skill. That process would ensure that articles you read were reasonably researched, accurate, and generally contained no error the journalist was directly responsible for.

Just as print newspapers fell victim to technology, so did the digital news outlets that replaced them. Instead of a new technology, they fell victim to new uses of existing technology, including the dreaded social media. Why wait 24 hours for your favorite site to publish a 500 word article, when you can get 5,000 words written by 1000 people in a matter of hours. Some of those words from people you know and trust!

This caused the same cycle; do it cheaper and faster while calling it better. Online news outlets have not been able to monetize much beyond ad revenue. Subscription models never came around, so all these years and we still don’t pay for our news. That means fewer journalists, fewer editors, and cutting back the entire process that produced quality news. Investigative journalists are a dying breed. Most chase the low hanging fruit; stories that write themselves and do not take research or follow-up. Quantity has become entirely more relevant than quality.

In keeping with that, the traditional editing process has been replaced. Journalists can update their site via their own blogs, which fit seamlessly into the ‘news’ site. There is a post-now, edit-later mentality that dominates current sites, where “edit later” is a rare occurrence. Despite this tragic decline in journalistic standards, many of us would be fine with it if the journalists actually updated an article when required. However, that does not happen as it should.

Several months ago, all of the above was perfectly demonstrated by Charlie Osborne and Zack Whittaker at ZDNet. In an article titled “Hacker, Verizon duel over customer record claims”, the authors detail a data breach where Verizon allegedly had some 300,000 customer records stolen by a hacker. The article was updated later the same evening, and again the next day, to provide more information, but mostly speculation and he-said / she-said. The two updates, in conjunction with the original article, should make it clear to any journalist that something was suspect. The story and details changed enough in a 24 hour period to make any skeptical person question the original source.

After the article was published, before the final update, Space Rogue did his own research into the incident. He is known for being skeptical and cautious, something journalists were once known for as well. His research led him to write a blog titled “Anatomy of Hype” in which he debunked the ZDNet piece. During this time, he also tried to contact both the authors and the editors, providing them with information and perspective. Despite that, no further updates were posted, and the article remains as-is to this day.

This transition from legitimate news to glorified blogger has been slow, but steady. It has been mostly transparent to readers, both casual and devoted. With this, it is absolutely critical that their readership be aware of the journalistic standards in place, or the lack thereof. Remember, these news sites are fundamentally no different than a shitty blog, except they enjoy a much bigger audience.

When information aggregation scares and baffles me…

I’ve been around the block. I am familiar with most of the ways companies and web sites track data. I am familiar with aggregation techniques, know the real value of the most ‘harmless’ things (e.g. clicking ‘Like’ on Facebook), and know the power of modern databases. In my mind it is a simple fact that computers with badass (i.e. scary) algorithms can link two people through a slew of random bits of information. When I read an article about how companies are using, linking, and aggregating this data, it is business as usual.

Today, all of that didn’t matter, as I am still trying to figure out the phone call I just received.

“Yeah is Elgin C there?” (note: they used full name)
“Uh… wrong number.” I replied, since 95% of voice calls to my cell phone are spam or wrong numbers.
“You sure you don’t know Elgin C?” This question triggered my “credit collection agency” radar.
“Well, kind of, I knew him over 20 years ago. He was my boss at a job I worked at.”

So here’s the gap I can’t figure out. When I knew Elgin, and we were friends off work as well, I did not have a cell phone with service in my name. We lost touch a year or so after I left the job as our interests / hobbies were very different. Eventually I moved out of Colorado, bounced around for work, and came back. Once back, I got a new cell phone and have had the number for going on 9 years. The only other ‘contact’ was an email I sent to his publicist (he’s an aspiring actor) asking that they pass on my email address, sent on Dec 5, 2011. The mail was from jericho@attrition, and signed ‘Brian’, no last name, no cell phone.

So how does this guy get my number associated with Elgin C? It was clear that the file he was accessing indicated we knew each other and were likely friends. After I cleared it up (by relaying some of the above), he said he wasn’t sure how the investigative team got my number but assured me it would be removed from the file.

No contact with Elgin, other than the one mail to his publicist which went unanswered, in almost 20 years. Yet somehow my current cell phone number got linked in such a way that they thought they could reach him via it, or via the person who answered it.

Color me baffled, and a bit scared, because I am either missing something not-so-obvious, or the aggregation algorithms have evolved more than I realized.