Beautiful Security

Posted May 11, 2009 by mcurphey
Categories: Software Security, information security

I have just got a few copies of Beautiful Security through the mail. Always nice to see your name on the cover of a book and your work in print.

http://oreilly.com/catalog/9780596527488/

Make Web Not War

Posted May 7, 2009 by mcurphey
Categories: Humor

Probably only really funny if you are a softie and know who the people are but…

Don’t forget I am experimenting with Twitter. You can follow me at http://www.twitter.com/curphey

Caved to the pressure and got a Twitter account……

Posted May 4, 2009 by mcurphey
Categories: information security

The Future : Regulation is Futile – Market Forces Will Prevail

Posted April 28, 2009 by mcurphey
Categories: Information Security Economics, Long Tail Security, Microsoft, Platforms, Royal Holloway ISG, Second Life, Security 2.0, Security Industry, Security Platforms, Security metrics, Social Networking, Software Development, Software Security, Technology Commentary, Working at Microsoft, information security, open source

39,000 ft over yet another ocean ……

I just watched an old Bill Joy talk from TED 2006 via iTunes. Two key paraphrases struck me as prophetic.

“You can’t regulate the problem away”

“What we need is better networks”

In 2005 I did a series of public speaking events using a theme, “Naked Security”, in which I stripped back the marketing hype and hopefully injected a dose of reality about the security industry. It took me a year to get a good pitch finely tuned and I then milked it for a few years. Last week I did the first speech on my new meme at a conference in Dubai. It’s called “Cogs and Levers” and is based on the chapter I have done for the O’Reilly book Beautiful Security.

“Cogs and Levers” talks about ways we should harness critical social, economic and technological trends to create a secure digital world for the future. Those things are:

  • Systems Thinking
  • Social Networking
  • Business Process Management
  • Super crunching
  • Platforms
  • Identity

Systems Thinking – Most security people are analytical. Analysts decompose a problem or a technology into discrete parts and then understand how each part works (or doesn’t); then they re-assemble it with new-found knowledge of how to improve it. In doing so they generally pay little regard to the overall system in which the component lives. Think about software security, where software security analysts (code reviewers) analyze the source code but not the social environment in which it was developed, the physical environment in which it is deployed or the host environment on which it executes. Without a shift to systems thinking we are fooling ourselves that we can design real solutions, because we probably don’t understand the real problems. Only by understanding systems will we know where to get the best returns on our investment.

Social Networking – The old school says social networking is the scourge of society and dangerous to our civil liberties. “People expose too much information,” they say, and they cite the edge cases of crime or corruption while ridiculing friends who spend their lives getting “Poked” or sending “Starfish” on Facebook. I agree, Facebook drives me mad. How do you not accept friend requests without offending people you know in passing? How do you tell a parent at your kids’ school that exchanging a pleasant “good morning” is just fine but you don’t want to know what they do in the evenings and at weekends?

What we know from history, be it through trading or through war, is that when people connect, big things happen. Bill Joy talked about the need for networks to fight global terrorism. Useful social networks for information security will not look like Facebook. They will connect distributed knowledge bases, real-time and historical data from security tools, and connect people to match, aggregate, filter and exchange information.

Business Process Management – Workflow software enables the flat world. BPM technologies will allow us to divide work and parcel it out to the flat corners of the world where it can be processed cheaper AND | OR faster AND | OR better. The automated code scanner finds a potential bug in an old bit of VB code and parcels it off to the hippy living on a beach in Asia for his analysis. The IDS sees an attack coming from China against a bespoke router, sends off the payload to the Chinese translators, sends off the attack signature to the peer-to-peer social network for analysis and the attack trace to the only two remaining engineers who really know if the router was vulnerable.

Super Crunching – Regulations will not work. “You can’t regulate the problem away”. Market forces drive economic change, and when the cost of security becomes something everyone considers, people will act on fact and not FUD. In order to get to a place where people can make informed decisions, you know, like “what’s the real likelihood that this XSS will actually get exploited or show up in the media?” or “how many security bugs per KLOC is an acceptable ratio?”, we need to be able to perform detailed analytics. This means data warehousing and mathematical analysis. The reason an insurance actuary can provide a price for me to drive a Ferrari is that there is empirical data to show that a rich middle-aged man who goes out and buys a red Ferrari is more likely to wrap it around a pole (showing off to his blonde bimbo mistress) within a few months than a middle-income guy who chooses to drive an Aston Martin DB5 and just loves cars. Market forces (insurance) will drive change. Market forces require empirical data to provide a framework in which to trade.

Platforms – The reason super cool apps exist, like the app on my cell phone that allows me to punch in a location where I parked my car and at any time in the future get walking directions to find it again, is a platform or several platforms: GPS platforms, mapping platforms, the app store distribution platform and the iPhone execution platform. If the author had to create all of these things in order to fulfill the basic requirements of “find the car for ‘captain compass’” it would never get built. If you want to build an app to do some security management stuff you have to build it all yourself: wiring tools together, correlating data, executing workflow etc. In the future, platforms will exist that can be used in mash-ups to do super crunching, social networking, technology connectivity and much more.

Identity – is about so much more than user entitlements and user roles. What experiences can I share, how can I find someone with specific skills or knowledge, and how do I trust that what this thing is saying is true are all tough problems to solve. Identity will play a key role in the future of systems (social and technological).

I think you can sum up a lot of what is wrong with the “security circus” today with an old Chinese proverb: when the wind blows, some people build high walls while others build windmills.

I just love TED talks. Inspiring stuff. This is the first meaningful post on this blog in about 6 months. I think someone should get a TED-type conference together for the “Future of Security: Ideas Worth Sharing”. If someone (like Kleiner Perkins or a VC that invests in the future) will back it I will organize it. How’s that? I would invite (to start with):

  • Dan Geer
  • Pete Lindstrom
  • Gunnar Peterson
  • Dinis Cruz
  • Fred Piper
  • Phil Venables
  • John Viega
  • Rich Mogull
  • JD Meier (How to Organize Information and Thinking!)

Who would you invite?

PS Yochai Benkler’s TED talk on Open Source Economics (2005) is also quite superb! I continue to be a huge fan of the open source model.

S = ƒ ( ___ )

Posted April 24, 2009 by mcurphey
Categories: Humor, Security Bullshit, Security Industry, information security

S = ƒ(°WFF)

Degrees of Warm Fuzzy Feeling

S=f(p,d)+Rn

(Prayer, Denial) + Number of Days till Retirement

S=f(n)

Where n is the number of security guys you know

S=f(1/n)

Where n is the number of security standards documents you have read

S = ƒ(#B*#FCA)

Number of people you can blame multiplied by the number of friends you have that can cover your back-side

S = ƒ(Bu : Br)

Builders : Breakers

(Credits to MikeH, GlennP, AndrewL and DennisG)

Feel free to add your own by way of comments!

Moving to Seattle

Posted March 19, 2009 by mcurphey
Categories: Working at Microsoft

While I have been trying to find the time to code up a spiffy new blog (and wasting far too much time finding too many basic and serious security holes in all the popular open source ASP.NET blog engines I looked at to make much progress), my boss has persuaded us to relocate to Redmond. It was a tough call with the kids blissfully happy at a brilliant school and all of us loving living in Brighton, but it’s a great opportunity at the “mother ship” and in this economy it’s hard to turn down a good offer… plus much closer to Hawaii for some radical kitesurfing!

We expect to be there by July.

Risk Management Software

Posted March 19, 2009 by mcurphey
Categories: Humor, information security

This Blog Is Changing – Watch This Space

Posted February 25, 2009 by mcurphey
Categories: Blogonomics, Books, Security Blogs, Security Industry, Working Life, Working at Microsoft, kite surfing, kiting

Posting has obviously been slow over the last few months. I keep meaning to post a long reflective article about why I have decided to make some big changes about what and why I blog, but I just never seem to find the time. In short, I have become rather bored making general security commentary; it feels sometimes a bit like I am part of the same old “security circus” that I have grown to really dislike, so I am going to start a “life blog” (new URL TBD) and start a “security tools community” on which I will have a blog dedicated to the laser-focused topic of building and using security tools. My related chapter for a new O’Reilly book is due in print on April 10th so I’ll probably try and co-ordinate a few things!

As a family we also have some big life news probably to announce, but as the kids now Google in their ICT lessons at school, that will have to wait a while as they don’t yet know!

I have a bit of work to do before the blog and community site are ready to go so here are some “life blog” pictures of interest!


Series of Static Analysis Posts

Posted December 22, 2008 by mcurphey
Categories: ACE Team, CISG, Information Security Economics, Microsoft, Software Security

If you haven’t downloaded it here (or here if you run 64-bit) and run it against your .NET code, you probably should.

To support the CTP release of CAT.NET, Andreas Fuchsberger (developer on CISG) and Ben Livshits (Microsoft Research) will be posting a series of blogs over the next few weeks about the work behind CAT.NET (Merlin) and static analysis in general.

It should be a great series of posts. You can subscribe to the RSS here.

The World Has Started to Slope Backwards

Posted December 17, 2008 by mcurphey
Categories: Espionage, Information Security Economics, Security Industry, hacking

‘…A few months ago, a major Bangalore-based infotech company lost out on an $8 million contract. The company was expecting a business delegation to visit India before signing the contract, but 15 days before the date set for the deal, the meeting was abruptly called off.

The same team went to China instead. When the Indian firm investigated the matter, it discovered a gaping hole in its security. The computers of several of its top executives had been compromised by Chinese hackers and privileged information leaked to a Chinese competitor, who walked away with the deal by quoting a lesser price.

Welcome to war of another kind – corporate espionage. Chinese companies are increasingly spying on the Indian IT industry, the only major business area where India leads the Chinese by several years. With many companies reportedly becoming victims of Chinese espionage, Indian intelligence officers are beginning to take a close, hard look at the influx of Chinese nationals into Bangalore, India’s IT hub…’

To read the complete article see: http://www.dnaindia.com/report.asp?newsid=1213993&pageid=0