April 28, 2009

Reasons why I like to take care of my garden 1

Short note:

Recently Chris Soghoian – who reached stardom after faking boarding tickets – signaled he has plenty more to offer! In fact I wonder whether he should consider moving into the comedy business!

"A slightly more laborious method would be to hack the software running on the BlackBerrys and flash the devices with a new serial number. While this is quite possibly a violation of the Digital Millennium Copyright Act (which prohibits most forms of phone hacking), it is unlikely that Research In Motion (which makes the BlackBerry) would sue the White House for engaging in such reverse engineering."

Why would the US Government hack the BlackBerry firmware when they can simply ask RIM to insert such a simple feature on a few of the devices? More important is the fact that RIM is a Canadian organization, rather than an American business.

You don't like the DMCA? Fair! But… you know… well… never mind…

April 09, 2009

Save the trees, publish your materials as PDF, HTML, DOCX… whatever

Is there anything more embarrassing than coming back from an enterprise content management training with 2 student booklets for which you have no PDF source? Dear friends, nowadays Microsoft Office comes equipped with semi-decent OCR software and ADF-equipped multifunction devices are bloody cheap. Copying your materials isn't hard, so please, save your patrons the trouble of scanning and conducting character recognition and provide them with PDFs!

Instead of trying to "protect" your intellectual property, be smart and promote your brand… Call your marketing dept and tell them that your company is trying to reduce its carbon footprint by providing paper-free training, find a good excuse, but PLEASE, save us from those horrible-looking printed booklets…

The author spent a few hours time-shifting some training he attended, in other words, feeding his scanner's ADF with double-sided pages of presentation printouts.

March 27, 2009

Hoff on Cloudastrophes

Chris Hoff has a very interesting post on the hype revolving around recent Cloud failures, but reading the post I couldn't find answers to a few important issues:

The Cloud model of business depends on highly-available infrastructure running software and hardware covered by limited liability warranties. Carbonite may try to sue Promise, but anyone who reads the Limited Warranty offered by the vendor knows that Carbonite will have trouble getting any compensation for its losses other than hardware costs. It is in fact a funny situation where its SLA with the customer governs service availability while its contract with the technology providers does not offer any sort of warranty.

BTW: The Carbonite lawsuit against Promise is a perfect example of why bugs are negative externalities (and why the "No more free bugs" initiative is indeed a positive shift.)

Another interesting point is the reference to the IBM Cloud Certification Program; certainly one of the weirdest ideas I've ever heard but probably a great marketing opportunity... Let's start with the basic question: who would hire IBM, the Cloud customer or the Cloud provider? And, hey, it is an IT service provider auditing others…

If the customer is responsible for the hire, it would be incurring expenses that would later be used as marketing by the cloud provider. Not to mention the issue of having an ITO provider auditing its competitors. I can tell you from my own experience that it is possible to audit your competitor on behalf of a common customer, but this is a hell of a weird situation where results are below optimal, not to mention the clear conflict of interest…

So, the most probable outcome will be the Cloud provider hiring the certification agent, as currently happens with ISO standards such as 27001, 9000, etc. Oh gosh, so after the PCI conundrum we are set for the "ISO/IEC XTC for Cloud Computing Quality Management System"? Freaky! VERY freaky! Think PCI! Now think Heartland! And now think RBS! Now try to go to sleep…



March 25, 2009

To be or not to be… an information security "professional"

What makes a professional? Is it the income one earns? The knowledge one holds? The code of ethics one subscribes to? Maybe a title one holds?

Most of us "security professionals" are members of and subscribers to the "Code of Ethics" of at least one information security related body, such as ISC2, ISACA and the ISSA; as such, we commit to being "professionals", but curiously enough one question is seldom raised: what does it mean to be a professional?

Looking at the CISSP Prep Guide Golden Edition or similar material, you notice the cookie-cutter approach so common in certification preparation material, but surprisingly enough discussions about the subject are still rare and few of the certified practitioners seem to understand the implications of being a "professional".

But if the definitions of profession and professional are already concerning, even more concerning is the lack of debate on what professionalization means to the information security market. In fact, most certified practitioners believe professionalization will lead to higher quality standards for the work conducted by their peers. Still, the current market situation seems to prove the opposite.

The market we are part of is almost a circus where one can easily find heralds of fear, compliance preachers, soldiers of fortune, marketers, über-hackers obsessed with the latest vulnerability research and risk gurus who know absolutely nothing about threats.

But what if the circus is actually healthy? Perhaps it is, especially because I can't stop developing the impression that information security isn't a science, but an art where creativity is vital.

Sadly, during the process of professionalization and occupational closure, the definition of a core body of knowledge and learning path is built at the expense of a greater range of experiences and opinions. The suppression of diversity creates a more cohesive labor force, but also creates professionals with less experience from areas other than IT, or as William Barrett points out, the more specialized a professional, the sharper their focus and the shorter their sight.

So instead of pushing towards professionalization, we should seek exactly the opposite, looking into other fields, promoting new ideas.

We depend more on the ingenuity of the criminal than on the resourcefulness of the security specialist, but we can still try to forecast the troubles.



PS: It is important to point out that this is not a critique of the certification industry itself, but of the aspiration of certain professionals in the industry to frame it within certain parameters. As an unconventional friend of mine once said (in Portuguese), certifications are a useful way of setting learning targets (as much as a degree).

March 24, 2009

Charge, charge all you can, save some bucks and be happy.

Let's make it clear. I am a supporter of full disclosure; after all, criminals have motivation to find bugs and keep them to themselves.

But I must also say that I fully support the point defended by Dino Dai Zovi and some of our peers when they say that researching security bugs should be a paid job.

As Camp and Wolfram noted, bugs can be considered negative externalities, in this case a situation where the producer's weak quality control has negative "economic consequences for others for which there is no compensation". At the same time, economists agree that the originator of the negative externality will not take it into consideration unless prevented or discouraged, therefore producing more faulty software than it would if it had to pay for the cost of testing it.

The problem isn't Dino Dai Zovi's belief that he should be paid; he should. If he doesn't charge, companies will keep doing wrong and providing improperly coded software under the cloak of "innovation". Also, it's not about greed; after all, competition tends to reduce Dino's profit, so no wonder the brilliant researcher is chasing after other subjects.

The problem is the lack of transparency on the vulnerability exchange markets.

Who buys the vulnerabilities? For what purpose?

Well… I'm not sure we want the answers.

March 22, 2009

I want to be a security futurologist; does anyone have a job to offer me?

In the future there will be two different types of illiteracy: those who are unable to read and those who are unable to use computers.

Do you agree? Well, nowadays the sentence is a cliché, but imagine yourself spending your childhood hearing this exact sentence. No, I wasn't raised by Arthur Luehrmann; I guess the issue is that my mom quickly realized that, despite the modest adoption of computers in South America before the 90s, computing was the future and LOGO was the first step... (oh gosh, better change the subject).

Back in 2000 at CFSEC Security Architects I noticed the rise of Windows-based Automated Teller Machines and speculated that the creation of ATM-specific worms would follow. My assumption was that although ATMs are usually deployed in segregated environments, criminals would be able to bypass segregation by collusion or by attacking fragile elements of the network, such as the communication facilities used by standalone Lobby Cash Dispensers. The idealized concept was a worm able to instruct De La Rue Talaris cash dispensers to "spit money" out of the ATM cash cassettes or dynamically reassign the cassette denominations of the ATM system.

The first feature was clearly influenced by the movies, while the second originated from a Brazilian student tale about an incident where an ATM started dispensing bills incorrectly, and customers formed a long queue to withdraw $20 and instead receive two $50 bills. The ATM was said to be located at the UFRJ's Computer Sciences building.

The concept led to a series of interesting off-record discussions with people from the banking industry but failed to go mainstream until... last week, when The Register reported on the discovery by Sophos of malware targeting ATMs, and another of my bizarre ideas became reality.

Sadly enough, the malware failed to achieve cinematographic status, relying on an effective but still boring strategy:

The malware just recorded the details of cards used on the ATM.

Blah... :-)

March 15, 2009

The PCI DSS saga

The polemical Ayn Rand once wrote:

"If there is any one way to confess one's own mediocrity, it is the willingness to place one's work in the absolute power of a group, particularly a group of one's professional colleagues. Of any form of tyranny, this is the worst: it is directed against a single human attribute: the mind – and against a single enemy: the innovator. The innovator, by definition, is the man who challenges the established practices of his profession. To grant a professional monopoly to any group is to sacrifice human ability and abolish progress; to advocate such a monopoly is to confess that one has nothing to sacrifice."

Those who want PCI DSS to be more prescriptive should reflect on what they want.

The same applies for those who think PCI DSS is fine as it is.

More about Rand's words soon.