But he’s a financial guru with a solid track record. Some dismiss him because he’s known as “Dr. Doom”, but that was probably going on in 1929 as well.

The scariest part about all this to me is the unrest. I firmly believe that’s coming. We’re about to fall as a superpower. We’ll soon be a third-world country with various pockets of wealth speckled about. I give it 5-10 years, but I wouldn’t surprised if we saw the first major breakdowns of society in the coming months.

Go pack your “oh shit” bags.

[ Worse Than the Depression ]

Through all this talk about whether McCain or Obama is a better candidate on foreign policy we’ve forgotten a key piece of information.

McCain thinks Bush was right about Iraq. Obama thinks he was wrong about Iraq. So who’s the tie-breaker? How about Military voters?

From the AirForceTimes:

During the reporting period, Paul — a former Air Force surgeon who broke with his party to vote against the Iraq war — received the most military contributions, with $201,271.

That’s significantly more than the presumptive Republican nominee, Sen. John McCain from Arizona, who received $132,133 from military donors, according to CRP.

Think about that. A non-interventionist, anti-war candidate received the most support in the election from the Military. Keep that in mind when evaluating Obama vs. McCain on foreign policy.:

–
Edit: A commenter noted something interesting. The candidate who got the second largest share of campaign contributions from the Military was also anti-war. It was Obama.

We become more secure as a country by minding our own business and being kind to others. This way 95% of the world loves us. Then, when the 5% does pose a threat we are not only free to go and obliterate them, but we do so to a standing ovation.

be688838ca8686e5c90689bf2ab585cef1137c
999b48c70b92f67a5c34dc15697b5d11c982ed6d7
1be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 -

At RSA this year I caught a talk by a Google executive that discussed what makes Google’s Information Security team so unique. I found the talk quite informative and thought it was worth sharing. It would be great if more companies had this perspective.

Everyone on the Security Team is a Programmer

Read that again. Every single person on the team is a coder. This is beautiful. How many times have you heard a security guy say, “Hey, this is code. I don’t know how to code. Send this over to the programmers to look at.” Great, send it over to someone who has no idea whatsoever about security.

It’s my opinion that the security group should be elite within an organization. They should have the most IT experience, the most talent, and the most interest. Why should they not understand code as well? What about programming is so scary that it shouldn’t be included in the high standard that security needs to meet?

Nothing. I think Google is approaching this absolutely correctly. Security engineers should understand programming principles and should be at least moderate programmers themselves, ideally in at least the core languages and frameworks in use at the time.

Google’s Security Team Writes All of Their Security Libraries

Who better to write secure code than the security team, right? You know all of their authentication libraries? All their authorization stuff? Input validation? Output Encoding? Yeah, all of it is done by the security team. All the programming knowledge, all of the security knowledge — all in one place. Then you have the code review.

All Code is Reviewed by Peers

One way to ensure standards is to have not only QA look at your code, but your programming peers as well. While it likely introduces a lot of pressure it also brings a certain social element to the development process. You’re more likely to try and produce quality stuff if you know it’ll be under a microscope later. Not only can bad code be part of your evaluation but it might get you razzed in the cafeteria.

How They Test Code

One of the most interesting things I heard during the talk was a description of how Google tests code before it’s deployed. They essentially capture attacks being thrown at their applications and put them all into a database.

And here’s the cool part — they run the whole list of attacks against their new code while it’s in QA. So, in order to ensure that their new code isn’t vulnerable to ANYTHING they’ve ever seen, they run all the previous attacks against it. Awesome.

But that’s not all. They’re also constantly monitoring production and constantly updating the attack database. So when you test your code in QA you’re not just testing old attacks but rather all attacks they’ve ever seen up to the present. That’s sick.

Summary

Google is insanely successful, and the second best thing to being genius is following the path cleared by it. Anyone interested in doing security right should at least take a look at Google’s approach.:

From this article at InfoWars:

Federal law enforcement agencies co-opted sheriffs offices as well state and local police forces in three states last weekend for a vast round up operation that one sheriff’s deputy has described as “martial law training”.

This is just the paranoia in me speaking, but wouldn’t this be the way to prepare for a Gulf of Tonkin incident after which the government plans to declare martial law?

Yes, that sounds crazy, but at this point I don’t think certain people in our government are above it. Not our entire government, mind you — it’s not that organized or evil despite what conspiracy theorists like to believe — but it only takes a few key people.:

As those performing attacks against corporate IT assets become more professional we’re going to start seeing more of the following types of attacks:

• Bribery
• Extortion
• Blackmail

Think about who’s increasingly behind the information security attacks these days, and think of how they could more effectively attack an organization given large amounts of money and their willingness to engage in standard, physical crime.

The Problem

How hard is it to find out who works in IT in a large organization? How difficult would it be to make contact with someone who can disable or modify the anti-malware systems at one of these fortune 500 companies? And what would happen if someone with an Eastern European accent offered Bob, the mediocre (but dangerously knowledgeable) IT guy, the following sorts of propositions:

I’ll give you $50,000 cash to drop this piece of malware on your network. It’s undetectable by all of your malware detection and will remain so because this is the only place we’re going to use it. It will give us information we can use to silently extort your company’s C-level execs, and nobody will ever know how we got the information. They’re millionaires anyway. Think about it — all your debt instantly gone — plus a new home theater system that’ll be the envy of the neighborhood.

…and if/when Bob says no…

You’ll take the money and be happy or me and my meth-selling buddies will start getting real cozy with your wife, and we might accidentally burn down your house, too, or hurt your daughter. Don’t bother calling the police; we’re an international crime syndicate and that will just annoy us. Trust me, take the money and everything will go smooth. How about a new car?

Then there’s the blackmail angle if they’re willing to do some research and/or some setups. The point is that all they need is to get an internal employee to drop some of their highly specialized and virtually undetectable malware onto the internal LAN.

In short, the game is to overcome the internal employee’s fear of being caught using either fear or greed. And that’s precisely what this new type of traditional, organized criminal player is good at. They’re already into the classical elements, e.g. drugs, guns, violence and prostitution, so leveraging those resources to reap profits in the cyber world seems more inevitable than far-fetched.

This isn’t just movie plot stuff; there really are very organized criminal groups, with millions of dollars of backing, getting into the business of pulling the IT jewels out of top U.S. companies. And when they start figuring out that shmuck-boy the IT guy is the thing standing between them and a multi-billion dollar company’s most sensitive information — the games will begin. In fact, I’m willing to bet they’ve already started.

The Information Security Response

There are predictable ways that we in information security will react:

1. Increasing the types of background checks required to get into IT. Debts and overall life stability will be increasingly scrutinized, much in the same way it is for those with clearances in the intelligence community. In fact, clearances may become a new standard for certain IT shops.

2. Separation of duties, least privilege, and auditing will start to get taken far more seriously by everyone. Everyone from the companies themselves to the groups that are auditing them are going to be looking very hard at how to limit the damage individual employees are able to do if they were to go bad.

3. Additional outsourcing of sensitive roles due to the specialized requirements of IT in the future. If clearances are needed, as well as training in how to deal with these types of threats, that’s just going to be that much more reason for companies to outsource the whole operation to external experts.

4. Additional professionalization of IT due to the newer, more stringent requirements. More requirements for college and/or certification plus the initial and ongoing background checks will raise the bar for entry into the field. This will further exacerbate any existing IT labor issues and complicate the discussion of using foreign-born workers.

So, is this movie-plot fiction or a real possibility?

So I’m trying out a new anti-spam combination:

1. Re-captcha
2. Akismet

If you have any problems with the CAPTCHA software, just reload the image or try the audio option. What I like most about the re-captcha system is that it doesn’t dump your post if you don’t get the CAPTCHA right. I tried another implementation a while back that did this, and got several emails threatening my safety.

Another cool thing about the re-captcha system is that every time you use it you’re helping a good cause. The re-captcha system is part of a project to digitize books, which is done using OCR software. Well, when the computer has a problem reading in a given piece of text it needs a human to help determine what the word is.

That’s what this system does — it’s using us to identify what the computer couldn’t do. And that just happens to be a good way to also keep those same words from being easily guessed by a computer. Or, to put it another way, if the words were easily guessed by computers (hence making a CAPTCHA text) they wouldn’t be in the system in the first place. Pretty cool.

Anyway, spam seemed to be picking up quite a bit recently and I needed to switch tactics due to the overhead of managing it. Let me know if this is unbearable, however, and I’ll adjust as necessary.

I just posted my first comment using OpenID (that worked). I’ve tried a few other things that use OpenID with my own server as my endpoint and I’ve had limited success. But Blogspot seems to be on top of things.