Thursday, November 22, 2012

Do Devs Care About Java (In)Security?

In September InformationWeek published an article titled Java Still Not Safe, Security Experts Say. From that article by Matthew J. Schwartz:

Is Java 7 currently safe to use?

Last week, Oracle released emergency updates to fix zero-day vulnerabilities in Java 7 and Java 6. But in the case of the Java 7 fix, the new version allows an existing flaw--spotted by security researchers and disclosed to Oracle earlier this year--to be exploited to bypass the Java sandbox. In other words, while fixing some flaws, Oracle opened the door to another one.

In light of that situation, multiple security experts said that businesses should continue to temporarily disable all Java use, whenever possible. "There are still not-yet-addressed, serious security issues that affect the most recent version of Java 7," said Adam Gowdiak, CEO and founder of Poland-based Security Explorations, which initially disclosed the exploited vulnerabilities to Oracle in April. "In that context, disabling Java until proper patches are available seems to be an adequate solution," he said via email.

A month later I read a new article in InformationWeek titled "Oracle's Java Revival," also available as Two Years Later: A Report Card On Oracle's Ownership of Java by Andrew Binstock. The article appeared in the 29 October 2012 issue of InformationWeek, at a time when the security community continued to reel from repeated hammering of Java vulnerabilities.

I expected some mention of Java security woes in the article. About halfway through, with the word "security" not yet in print, I found the following:

In 2011, Oracle did not fare much better. The welcome release of Java 7 was marred by the revelation that it included serious defects that the company knew about.

Ok, maybe there will be some expansion of this idea? Shouldn't a terrible security record be a major factor affecting enterprise use of Java and a reflection on Oracle's handling of Java? Instead I read this:

I'm inclined to agree with James Gosling's revised opinion of Oracle's stewardship, that it's been good for Java...

However, the record is mixed in other areas...

Oracle's ambiguous relationship with the JCP and the OSS communities remain two other weak points.

That's it? Security pros continue to tell enterprise users to disable Java, and the development community is more concerned about features, personalities, and community relations?

I think the Java development community, and especially Oracle, must reevaluate their responsibilities regarding security. Otherwise, they may find themselves coding for a platform that enterprise users will increasingly disable.

Sunday, October 14, 2012

Review of Super Scratch Programming Adventure! Posted

Amazon.com just posted a joint review by myself and my daughter of No Starch's new book Super Scratch Programming Adventure!. From the five star review:

I asked my almost-8-year-old to share her thoughts on Super Scratch Programming Adventure! She chose five stars and wrote the following:

"I think it's a very great book. I love the storyline, but my main concern is that I could not find a trace of the Super Scratch folder.

How hard is it to draw the Mona Lisa? I have Scratch version 1.4, and I found it difficult drawing Le Louvre.

On the flip side, I learned a lot. Who knew you could make Scratchy move with 1) arrow keys and 2) a medium sized Script?

I enjoyed watching the Magic Star Web change colors.

Overall, I think it's a very great book, and I highly recommend it to anyone who is interested in programming."

I agree that this is a great book. My daughter wanted to learn how to program a video game, and I thought it would be a lot more difficult. Shortly after starting to read and apply this book, she coded a video game!

I'd like to thank No Starch for sending us a review copy.

Tuesday, October 09, 2012

Washington National Guard: Model for Cyber Defense?

My friend Russ McRee pointed me to an article recently: WA National Guard focusing on cyber security. From the article:

The Washington National Guard is leveraging a decade of investment in cyber security at Camp Murray in Lakewood into projects that could protect state and local governments, utilities and private industry from network attacks.

The aim is to bring to the digital world the kind of disaster response the National Guard already lends to fighting wildfires and floods, said Lt. Col. Gent Welsh of the Washington Air National Guard.

“Just as ‘Business X’ needs the National Guard to come in and fill sand bags, ‘Business X’ might need to call the National Guard if it’s overwhelmed on the cyber side,” Welsh said.

The new task plays to a growing strength in the state’s National Guard, which draws on employees from companies including Microsoft and Amazon to provide special expertise in its network warfare units.

I first learned of this initiative when Russ Tweeted about it in June. In an email exchange he described his role in the Washington State Guard (WSG):

"The WSG is an all volunteer force that is a state defense force, with what is typically an emergency management mission. See Title 38 of the Revised Code of Washington (RCW). WSG is also authorized by Federal law, Title 32 of the United States Code.

We most often serve as liaison officers in support of the Emergency Support Function (ESF) 20 (defense support for civilian authorities) function per Federal Emergency Management Agency (FEMA) National Incident Management System (NIMS) / Incident Command System (ICS) guidance during major events (disasters, natural or human caused).

WSG remains a place where extremely experienced soldiers who have exceeded age requirements for active/reserve service can continue to serve as well as folks like me with no prior service who can't get the federal services to consider them for age reasons.

We can be called to active duty but in-state only. I was on active duty with orders for two days in June for a major statewide exercise. When we're called up for such activity we become peer in rank and responsibility to our National Guard counterparts.

I'll also be seeing some active duty time again in the immediate future in support of the initiatives mentioned in the article."

I think this is a great start on a journey towards applying private sector expertise to national digital security problems, but on a local scale. The News Tribune article mentions that the Guard (in all its forms) is working to figure out how it can provide help to besieged companies, from a legal and logistical perspective.

I think this line from the news article summarizes a key theme in this discussion:

"We're not going to wait for the feds to hand us everything," Welsh said.

In our Federal system, we should allow the States (per the 10th Amendment) the freedom to innovate, and thereby invent multiple approaches to fighting digital threats.

Thursday, October 04, 2012

Inside Saudi Aramco with 60 Minutes

I just watched a recent episode of 60 Minutes on CNBC and enjoyed the segment on oil production in Saudi Arabia. It featured a story from late 2008 on Saudi Aramco. You may recall this name from recent news, namely data destruction affecting 30,000 computers. A recent Reuters article said the following:

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

"All our core operations continued smoothly," CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

"Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus."

It is standard industry practice to shield plant operating networks from hackers by running them on separate operating systems that are protected from the Internet.

While watching the video I was struck by the following comments by the CEO of Saudi Aramco, giving Leslie Stahl a tour of their 21st century operations center (pictured here). From the transcript:

Abdallah Jum'ah, Saudi Aramco's president and CEO... gave 60 Minutes a tour of the company's command center, where engineers scrutinize and analyze every aspect of the company's operations on a 220-foot digital screen.

"Every facility in the kingdom, every drop of oil that comes from the ground is monitored in real time in this room," Jum'ah explained. "And we have control of each and every facility, each and every pipeline, each and every valve on the pipeline. And therefore, we know exactly what is happening in the system from A to Z."

Aramco engineers are making sure that not one drop of oil is overlooked: computers are receiving data, via satellite, from sensors mounted on drill bits that are burrowing deep into the oil fields all over Saudi Arabia. Engineers are sending instant messages that actually guide the drill bits.

"He is now directing that drill bit to go into the best areas of the reservoirs. And suck that oil from it, and not leave any oil behind," Jum'ah explained.

He says the drill bit is a bit like a snake, going down and following where the oil is. "And mind you, this is happening 400 to 500 miles from here geographically. And we are sending that drill bit also two or three miles in the ground."

The screen capture at right appears to show this control process in action on a Windows XP computer. (Remember, this show was filmed in late 2008.)

You can watch the segment (in two parts) for more details, if you like.

Now, it's entirely possible that the sorts of systems depicted in the video were not affected by the malicious code that allegedly struck 30,000 systems. Then again, it's not unheard of for malicious code to propagate from one enclave to another.

Hopefully we will hear more details on what happened, either to Saudi Aramco or apparently other companies. Again, from Reuters:

Qatar's natural gas firm Rasgas was also hit by a cyber attack last week, although it has not said how much damage was caused or whether Shamoon was the virus involved. Qatar, also a Sunni Gulf kingdom, has similar foes to Saudi Arabia.

Its parent firm Qatar Petroleum, which also owns Qatar's other main natural gas firm Qatargas, said it was unaffected but implied that other companies had been hit.

"Qatar Petroleum has not been affected by the computer virus that hit several oil and gas firms. All QP operations are continuing as normal," it said in an official tweet on Monday.

Saturday, September 29, 2012

Netanyahu Channels Tufte at United Nations

This is not a political blog, and I don't intend for this to be a political post.

I recently watched Israeli Prime Minister Benjamin Netanyahu's speech to the United Nations on Thursday. I watched it because I am worried about Iran's nuclear weapons program and the Iranian security situation, to be sure.

However, what really intrigued me was the red line he actually drew on a diagram, in front of the United Nations. In the video I linked, it takes place at approximately the 26 minute mark. The screen capture at left shows this event.

The reason this caught my attention was that it reminded me of the Best Single Day Class Ever, taught by Edward Tufte. I attended his class in 2008 and continue to recommend it.

I've since blogged about Tufte on several occasions.

Netanyahu's action, to me, seems like pure Tufte. The primary goal of his speech was to tell Iran, and the world, that Israel is setting a "red line" involving Iran's nuclear weapons program. To show that, he literally drew a red line on a diagram representing Iranian progress on uranium enrichment.

Now, there's some confusion about what that red line really means. The point is that people are talking about the red line, and that means Netanyahu at least partially achieved his goal.

This is the take-away for those of us who speak in public: rather than develop Yet Another PowerPoint presentation, determine 1) what message you want your audience to remember, and then 2) figure out how you can escape from flat land to grab your audience's attention.

If you want to learn more about these techniques, take Tufte's course!

You can read a transcript of the speech as well as see the video. Besides the red line segment, I thought it was a powerful speech. I'm convinced that unless Iran changes course, Israel will disable Iran's uranium enrichment capability.

Friday, September 28, 2012

Celebrate Packt Publishing's 1000th Title

I'm pleased to announce a special event involving Packt Publishing. The company told me, as a way to celebrate their 1000th title, that those who have registered at https://www.packtpub.com/login by 30 September will receive one free e-book. To help you make your choice, Packt is also opening its online library for a week for free to members.

I'm interested in two recent titles:

Metasploit Penetration Testing Cookbook by Abhinav Singh

Advanced Penetration Testing for Highly-Secured Environments by Lee Allen

In a few months a third book will arrive:

BackTrack 5 Cookbook

At this point I don't have personal experience with any of these titles, but I plan to take a look.

Thank you Packt for sharing part of your library with us!

Wednesday, September 26, 2012

Top Ten Ways to Stir the Cyber Pot

I spent a few minutes just now thinking about the digital security issues that people periodically raise on their blogs, or on Twitter, or at conferences. We constantly argue about some of these topics. I don't think we'll ever resolve any of them.

If you want to start a debate/argument/flamewar in security, pick any of the following.

  1. "Full disclosure" vs "responsible disclosure" vs whatever else
  2. Threat intelligence sharing
  3. Value of security certifications
  4. Exploit sales
  5. Advanced-ness, Persistence-ness, Threat-ness, Chinese-ness of APT
  6. Reality of "cyberwar"
  7. "Builders vs Breakers"
  8. "Security is an engineering problem," i.e., "building a new Internet is the answer."
  9. "Return on security investment"
  10. Security by mandate or legislation or regulation

Did I miss any subjects people raise to "stir the cyber pot?"