[ The Moon, Venus, and Jupiter via iPhone | dmiessler.com ]

I love Google’s new Chrome browser. When the OS X version drops it’ll likely replace Safar as my default at home.

But damn–why do I have to switch to another browser to see if a given site has a syndication feed? Really? That’s silly, Google. Please help. ::

[ IBM ManyEyes | ibm.com ]

1. Audible NYTimes Best Sellers
2. iTunes Audiobooks

Examples

See what version you’re at:

gpg --version

List your keys:

gpg --list-keys

Import some keys:

gpg --import pubring.gpg
gpg --import secring.gpg

Sign a file with ASCII armor (prevents mangling in transit):

gpg -sa file.txt

Sign and encrypt with ASCII armor:

gpg -sea file.txt

Decrypt:

gpg -d file.asc

Main Functions

Commands:
 
 -s, --sign [file]             make a signature
     --clearsign [file]        make a clear text signature
 -b, --detach-sign             make a detached signature
 -e, --encrypt                 encrypt data
 -c, --symmetric               encryption only with symmetric cipher
 -d, --decrypt                 decrypt data (default)
     --verify                  verify a signature
     --list-keys               list keys
     --list-sigs               list keys and signatures
     --check-sigs              list and check key signatures
     --fingerprint             list keys and fingerprints
 -K, --list-secret-keys        list secret keys
     --gen-key                 generate a new key pair
     --delete-keys             remove keys from the public keyring
     --delete-secret-keys      remove keys from the secret keyring
     --sign-key                sign a key
     --lsign-key               sign a key locally
     --edit-key                sign or edit a key
     --gen-revoke              generate a revocation certificate
     --export                  export keys
     --send-keys               export keys to a key server
     --recv-keys               import keys from a key server
     --search-keys             search for keys on a key server
     --refresh-keys            update all keys from a keyserver
     --import                  import/merge keys
     --card-status             print the card status
     --card-edit               change data on a card
     --change-pin              change a card's PIN
     --update-trustdb          update the trust database
     --print-md algo [files]   print message digests

Options:
 
 -a, --armor                   create ascii armored output
 -r, --recipient NAME          encrypt for NAME
 -u, --local-user              use this user-id to sign or decrypt
 -z N                          set compress level N (0 disables)
     --textmode                use canonical text mode
 -o, --output                  use as output file
 -v, --verbose                 verbose
 -n, --dry-run                 do not make any changes
 -i, --interactive             prompt before overwriting
     --openpgp                 use strict OpenPGP behavior
     --pgp2                    generate PGP 2.x compatible messages

Links

[ GPG Mini HowTo | gpg.org ]

Anyway, I expect problems.

Please let me know if you see anything funky with the site itself or with my syndication feeds. And any input on differences noticed would be great, e.g. if the site is slower now, or faster, or whatever.

Here are my feeds in case you don’t have them…

[ dmiessler.com Syndication Feeds ]

I’ve had some time to think about my take on Whole Foods and other elitism-inducing environments, such as Starbucks. I’m no longer convinced they are negative–or, to put it a better way–I’ve realized they’re no more negative than any other positive thing.

That’s confusing; allow me to clarify.

Anything that makes you feel accomplished or positive in some way can have two effects: it can either drive you in a positive way and encourage you to try and help others achieve the same thing (positive), or it can serve as a reason for looking down at others (negative). This applies to any number of accomplishments, including having a high salary, an advanced education, etc.

I believe it’s the same with Starbucks and Whole Foods. Some people go because it makes them want to improve their own lives. It puts them in the mood to excel at life. Others go so that they can look down on those who don’t.

Broken Windows

This is related to a study that just came out that showed that ones’ surroundings affects their behavior. The study found that when there was litter or graffiti in an area, people were far more likely to engage in roguish behavior themselves. In other words, if a person sees that a place is already trashed, it inspires trashiness within themselves as well. It’s called the “broken window” theory.

Well, Whole Foods and Starbucks are the same exact phenomenon, but in reverse. In short, being in these places make me want to be a better person. Being in Whole Foods made me want to work out, watch the Food Network, and make my own organic food while getting a Masters degree. It accomplished this in exactly the same way that being in a ghetto makes me hostile. Once again, it’s the understated power of environment.

Thoughts? ::

Links

[ Graffiti and Litter Lead to More Street Crime | newscientist.com ]

[ A bit NSFW in parts ]

Anyway, I just had an interesting idea about how this will intersect with another idea I read about in a book called Down and Out in the Magic Kingdom, by Cory Doctorow.

The Personal Daemon

The PD idea is simple: you have a computer with you at all times (think 5-20 years from now) that broadcasts your personal daemon at all times (opt-in, of course…err, hopefully). The daemon is wireless-based and has a limited range of about a 100 yards or so. The daemon presents a number of things to other people’s daemons that are nearby (and to the Internet as a whole through interaction with the building you’re in, as we’ll see later).

The types of things that you’ll be “pushing” are pretty standard, and will of course depend on what you want to publish:

• Name
• Age
• Gender
• A picture
• Favorite foods, films, books, hangouts, music, etc.
• Occupation
• Organization affiliations
• Status (looking for love, work, etc.)

So it’s basically your MySpace/Facebook/Blog in terms of advertising yourself, but surrounding you at all times. Most importantly, though, the daemon works over standard protocols (XML-based) that are semantically aware and know how to interact with other daemons. This is where the magic happens.

Use Cases

You go into your favorite coffee shop and you hear a ding in your ear. This means someone in range has a match for top three favorite movies (you told your computer to notify you when that happens). Or maybe you’re gay, and you want it to make a sound when another gay person is in range. Or hockey fans, etc.

Imagine the adult applications. There’ll be a separate portion of the daemon that requires age verification to be read from, and this will include all sorts of social information regarding favorite positions, adult pics of oneself, etc. Again, all of that is constantly being compared to those around you, and your computer assistant (which will have a name) will have specific instructions on how and when to notify you regarding matches.

Wuffie

Anyway, that’s a whole post in itself. Here’s the idea I just had. Wuffie is a concept created by Cory Doctorow that roughly translates to Internet respect. On Reddit and Slashdot it’s karma. It’s basically a score that indicates what others think of you in terms of quality.

Naturally, wuffie/karma will be one of the primary things that gets broadcasted by a Personal Daemon. And once we’re able to layer virtual views on top of reality we’ll be able to see people’s karma numbers floating above their heads and such, or perhaps give them better colors based on it, etc.

Ooops–tangent.

Total Karma Ratings for Popular Locations

The next logical step is for restaurants and coffee shops and bookstores to pull the karma scores of everyone in their shop and send that number to the cloud, including stats like highest karma, average karma, etc.

So imagine opening up your browsing interface when choosing where to hangout. You see yourself on a map, and you overlay the karma layer on your city. Boom! Certain restaruants light up big-time with large numbers above them. 40,000 karma? Who is that? So you drill down and see that iJustine or Steve Wozniak or Randall Munroe is at the bookstore across town.

Essentially, it’ll become a metric for how popular a given place is. You’ll be able to instantly tell where the cool places are based on how cool the people are that hang out there. And of course there will be different karma ratings. Some will be teen-oriented, tech-oriented, swinger-oriented, etc. Luckily there will be many services that pull all of those and build aggregate scores for you. And you can tune your system to only look for the ones you care about.

–

I have so much to write about this kind of thing. If you haven’t read my Lifecasting piece you should check that out too. Anyway, any thoughts? ::

I really think I’m going to continue using Chrome as my primary browser. I don’t do it at home, obviously, since there’s no OS X version yet. But I do use it as my primary at work.

Yes, I miss plugins. But I like a clean, fast experience even more. I don’t use plugins enough that it pains me to open Firefox for something if I need it.

I just prefer the browsing experience with Chrome. Anyone else? ::

[ Data Loss Database | datalossdb.org ]

Why? Because a place like that is a nice place to live.

Conversely, when the opposites of those are true, i.e. they don’t accept any checks because they assume they’ll bounce, and you have to pay before you use cash to pump gas, etc.–you know that you are in an area full of low-quality people.

The concept here is trust–a society’s trust of its own people. When it doesn’t exist you live in a dump. I live in a dump. I’m a nice part of it, but the bad part is awful close, so it’s a dump. I carry a gun at night because it’s a good fucking idea.

So here are a few questions:

1. How has this trust level changed over the last 100, 50, 25, 10, or 5 years? Are things getting better or worse in America overall? I realize that my anecdotal reality is worthless, so I seek real data.
2. For the areas that still have these high-trust indicators, what does the area look like? What about it should be emulated? Is it the government? The culture? The people? What about it allows it to maintain its high trust level?

I just want to live in a place that doesn’t assume I’m a criminal. The fact that everyone does, because not doing so will hurt them, is an indication that I need to move. ::

And here’s her channel on YouTube:

http://www.youtube.com/user/MRirian

The world is a strange place. ::

Information Systems Security Architecture Professional

Recognition for Advanced Expertise in Information Security Architecture

This concentration requires a candidate to demonstrate two years of professional experience in the area of architecture and is an appropriate credential for Chief Security Architects and Analysts who may typically work as independent consultants or in similar capacities. The architect plays a key role within the information security department with responsibilities that functionally fit between the C-suite and upper managerial level and the implementation of the security program.

He/she would generally develop, design, or analyze the overall security plan. Although this role may typically be tied closely to technology this is not necessarily the case, and is fundamentally the consultative and analytical process of information security.

The Six Domains

• Access Control Systems and Methodology
• Cryptography
• Physical Security Integration
• Requirements Analysis and Security Standards, Guidelines and Criteria
• Technology Related Business Continuity and Disaster Recovery Planning
• Telecommunications and Network Security

Links

[ Is Whitelisting Going Mainstream? | cnet.com ]

What scares me most about the economic crisis is not that I think we are unable to do what we think we need to do, but rather that what most people think we need to do is wrong. We’re struggling to get where we shouldn’t go.

Most people think we’re simply not spending enough money, due largely to a lack of confidence, and that we need Obama to show up and convince us that everything is o.k. so we’ll be able to get back to the good ol’ days of 5 years ago. This is wrong.

America needs two things right now economically:

1. We need to create more
2. We need to eliminate debt and save more

We in this country have been subscribing for decades to a ludicrous proposition: the notion that our economy must grow by x percentage per year in order to remain healthy. Pursuing that end with no view of other metrics is childishly one-sided, and dangerous.

In short, we don’t need Obama to convince us to spend everything we have so that the economy will grow again. We need him to tell us that spending isn’t always the answer, and that right now we need to get back to the basics of overall economic health. We need to focus on what we’re offering to others, on not being in debt, and having some money in the bank.

Most importantly, we need to be convinced that the discomfort that will come from this change in lifestyle is necessary for health–like exercise or the consumption of medicine–rather than a sign that something’s wrong.

We need to realize, as a people and as a country, that the goal isn’t more stuff. The goal isn’t to spend more and have more. The goal is to create not just more, but better things. Things that revolve around exploration and learning that will help us grow as humans. Things that will improve the lives of others–including ourselves.

That may sound too squishy for us shallow Americans, but I think we (especially in the younger generations) will be able to embrace this new approach to life if we’re shown the way by a strong leader. Hopefully Obama can be that person. ::

Oh, and cool Nokia ad.

[ Do Guns Reduce Crime? | intelligencesquaredus.com ]

I’ve not spent a lot of time thinking about this, but here’s how the CloudSec variables move in my mind.

• The current state of Security in most environments is horrendous (let’s say 3/10)
• The ability to secure, say, Google’s cloud offerings, is like (8/10)
• The likelihood of a compromise is far lower
• The impact of a compromise is significantly higher
• As the security of in-house-managed infrastructure increases, the CloudSec advantage diminishes

Once vendors are releasing products that are harder to break, even when managed by incompetent and overworked infosec staff, the balance will once again tip toward in-house management. But right now I think the risk of higher impact is going to be worth it for many organizations, given the lower likelihood of compromise combined with being able to focus more attention on their mission. ::

What follows is a list of questions for use in vetting candidates for positions in Information Security. Many of the questions are designed to get the candidate to think, and to articulate that thought process in a scenario where preparation was not possible. Observing these types of responses is often as important as the actual answers–especially when interviewing for customer-facing positions.

I’ve mixed technical questions with those that are more theory and opinion-based, and they are also mixed in terms of difficulty. A number of trick questions are included, but the goal there is to expose glaring technical weakness, not to be cute. I also include with each question a few words on expected responses.

–

Where do you get your security news from?

Here I’m looking to see how in tune they are with the security community. Answers I’m looking for include syndication feeds for solid sites like liquidmatrix, packetstorm, rootsecure, secguru, astalavista, whitedust, internet storm center, etc. The exact sources don’t really matter. What does matter is that he doesn’t respond with, “I go to the CNET website.”, or, “Steve Gibson’s home page”. It’s these types of answers that will tell you he’s likely not on top of things.

If you had to both encrypt and compress data during transmission, which would you do first, and why?

If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or do they enjoy the challenge and think through it? I was asked this question during an interview at Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to figure it out. I thought out loud and within 10 seconds gave him my answer: “Compress then encrypt. If you encrypt first you’ll have nothing but random data to work with, which will destroy any potential benefit from compression.”

What’s the difference between HTTP and HTML?

Obviously the answer is that one is the networking/application protocol and the other is the markup language, but again–the main thing you’re looking for is for him not to panic.

How does HTTP handle state?

It doesn’t, of course. Not natively. Good answers are things like “cookies”, but the best answer is that cookies are a hack to make up for the fact that HTTP doesn’t do it itself.

What exactly is Cross Site Scripting?

You’d be amazed at how many security people don’t know even the basics of this immensely important topic. We’re looking for them to say anything regarding an attacker getting a victim to run script content (usually Javascript) within their browser.

What’s the difference between stored and reflected XSS?

Stored is on a static page or pulled from a database and displayed to the user directly. Reflected comes from the user in the form of a request (usually constructed by an attacker), and then gets run in the victim’s browser when the results are returned from the site.

What are the common defenses against XSS?

Input Validation/Output Sanitization, with focus on the latter.

What’s the difference between symmetric and public-key cryptography

Standard stuff here–single key vs. two keys, etc, etc.

In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which function?

You encrypt with the other person’s public key, and you sign with your own private. If they confuse the two, don’t put them in charge of your PKI project.

What kind of network do you have at home?

Good answers here are anything that shows you he’s a computer/technology/security enthusiast and not just someone looking for a paycheck. So if he’s got multiple systems running multiple operating systems you’re probably in good shape. What you don’t want to hear is, “I get enough computers when I’m at work..” I’ve yet to meet a serious security guy who doesn’t have a considerable home network.

What is Cross-Site Request Forgery?

Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim’s browser to make requests, ideally with their credentials included, without their knowing. A solid example of this is when an IMG tag points to a URL associated with an action, e.g. http://foo.com/logout/. A victim just loading that page could potentially get logged out from foo.com, and their browser would have made the action, not them (since browsers load all IMG tags automatically).

How does one defend against CSRF?

Nonces are an accepted, albeit not foolproof, method. Again, we’re looking for recognition and basic understanding here–not a full, expert level dissertation on the subject. Adjust expectations according to the position you’re hiring for.

What port does ping work over?

A trick question, to be sure, but an important one. If he starts throwing out port numbers you may want to immediately move to the next candidate. Hint: ICMP is a layer 3 protocol (it doesn’t work over a port) A good variation of this question is to ask whether ping uses TCP or UDP. An answer of either is a fail, as those are layer 4 protocols.

How exactly does traceroute/tracert work at the protocol level?

This is a fairly technical question but it’s an important concept to understand. It’s not natively a “security” question really, but it shows you whether or not they like to understand how things work, which is crucial for an Infosec professional. If they get it right you can lighten up and offer extra credit for the difference between Linux and Windows versions.

The key point people usually miss is that each packet that’s sent out doesn’t go to a different place. Many people think that it first sends a packet to the first hop, gets a time. Then it sends a packet to the second hop, gets a time, and keeps going until it gets done. That’s incorrect. It actually keeps sending packets to the final destination; the only change is the TTL that’s used. The extra credit is the fact that Windows uses ICMP by default while Linux uses UDP.

If you were to start a job as head engineer or CSO at a Fortune 500 company due to the previous guy being fired for incompetence, what would your priorities be? [Imagine you start on day one with no knowledge of the environment]

We don’t need a list here; we’re looking for the basics. Network diagrams. Visibility touch points. Ingress and egress filtering. Previous vulnerability assessments. What’s being logged an audited? Etc. The key is to see that they could quickly prioritize, in just a few seconds, what would be the most important things to learn in an unknown situation.

As a corporate Information Security professional, what’s more important to focus on: threats or vulnerabilities?

This one is opinion-based, and we all have opinions. Focus on the quality of the argument put forth rather than whether or not they they chose the same as you, necessarily. My answer to this is that vulnerabilities should usually be the main focus since we in the corporate world usually have little control over the threats.

Another way to take that, however, is to say that the threats (in terms of vectors) will always remain the same, and that the vulnerabilities we are fixing are only the known ones. Therefore we should be applying defense-in-depth based on threat modeling in addition to just keeping ourselves up to date.

Both are true, of course; the key is to hear what they have to say on the matter.

Describe the last program or script that you wrote. What problem did it solve?

All we want to see here is if the color drains from the guy’s face. If he panics then we not only know he’s not a programmer (not necessarily bad), but that he’s afraid of programming (bad). I know it’s controversial, but I think that any high-level security guy needs some programming skills. They don’t need to be a God at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.

What are Linux’s strengths and weaknesses vs. Windows?

Look for biases. Does he absolutely hate Windows and refuse to work with it? This is a sign of an immature hobbyist who will cause you problems in the future. Is he a Windows fanboy who hates Linux with a passion? If so just thank him for his time and show him out. Linux is everywhere in the security world.

What’s the difference between a risk and a vulnerability?

As weak as the CISSP is as a security certification it does teach some good concepts. Knowing basics like risk, vulnerability, threat, exposure, etc. (and being able to differentiate them) is important for a security professional.

Cryptographically speaking, what is the main method of building a shared secret over a public medium?

Diffie-Hellman. And if they get that right you can follow-up with the next one.

What’s the difference between Diffie-Hellman and RSA?

Diffie-Hellman is a key-exchange protocol, and RSA is an encryption/signing protocol. Blank stares are undesirable.

What kind of attack is a standard Diffie-Hellman exchange vulnerable to?

Man-in-the-middle, as neither side is authenticated.

What’s the goal of information security within an organization?

This is a big one. What I look for is one of two approaches; the first is the über-lockdown approach, i.e. “To control access to information as much as possible, sir!” While admirable, this again shows a bit of immaturity. Not really in a bad way, just not quite what I’m looking for. A much better answer in my view is something along the lines of, “To help the organization succeed. ”This type of response shows that the individual understands that business is there to make money, and that we are there to help them do that. It is this sort of perspective that I think represents the highest level of security understanding—-a realization that security is there for the company and not the other way around.

Are open-source projects more or less secure than proprietary ones?

The answer to this question is often very telling about a given candidate. It shows 1) whether or not they know what they’re talking about in terms of development, and 2) it really illustrates the maturity of the individual (a common theme among my questions). My main goal here is to get them to show me pros and cons for each. If I just get the “many eyes” regurgitation then I’ll know he’s read Slashdot and not much else. And if I just get the “people in China can put anything in the kernel” routine then I’ll know he’s not so good at looking at the complete picture.

The ideal answer involves the size of the project, how many developers are working on it (and what their backgrounds are), and most importantly — quality control. In short, there’s no way to tell the quality of a project simply by knowing that it’s either open-source or proprietary. There are many examples of horribly insecure applications that came from both camps.

What’s the difference between encryption and hashing?

Encryption is reversible, as long as you have the appropriate key/keys, and the size of the cyphertext roughly matches the size of the plaintext. With hashing the operation is one-way, and the output is of a fixed length that is usually much smaller than the input.

Who do you look up to within the field of Information Security? Why?

A standard question type. All we’re looking for here is to see if they pay attention to the industry leaders, and to possibly glean some more insight into how they approach security.

Bonus: Scenario Role-Play

For special situations you may want to do the ultimate interview question. This is a role-played scenario, where the candidate is a consultant and you control the environment. I had one of these during a Google interview and it was quite valuable.

So you tell them, for example, that they’ve been called in to help a client who’s received a call from their ISP stating that one or more computers on their network have been compromised. And it’s their job to fix it. They are now at the client site and are free to talk to you as the client (interviewing them), or to ask you as the controller of the environment, e.g. “I sniff the external connection using tcpdump on port 80. Do I see any connections to IP 4.2.2.2?” And you can then say yes or no, etc.

From there they continue to troubleshooting/investigating until they solve the problem or you discontinue the exercise due to frustration or pity.

–

Feel free to contact me if you have any comments on the questions, or if you have an ideas for additions. ::

Image from cracked.com

That’s not Photoshop. That’s a real animal. Yeah, I didn’t believe it either. Here’s the video:

Someone asks you a simple question and you send them a link to this site with the question they asked. Then they feel silly.

Example:

How many feet in a mile?

Answer:

[ How Many Feet in a Mile | letmegooglethatforyou.com ]