DHS says we don’t have enough security talent in the US

As if to reinforce my point over and over again:

Mark Weatherford, Deputy under Secretary for Cybersecurity for the National Protection and Programs Directorate (NPPD), called on the industry to work together to promote information security as a ‘cool’ discipline as he argued there is currently not enough talent in the industry. “We have a problem. There are not enough smart people in the public or private sector to help us defend our country”.

At Black Hat 2012 in Las Vegas on July 26, 2012, Weatherford, who said he was representing the Department of Homeland Security, argued that despite the perception that the government is “clueless in the cyber arena, it’s certainly not true”. He argued that the government is technologically advanced and has a lot of smart people. The talent pipeline, however, is “drying up”, he said, and he asked the audience to raise their hands if they currently had all the talent they needed in their organization. Nobody raised a hand.

Are DHS and the whole USA ready to address the real issue? That issue is that Americans are paying attention. And what does paying attention prove? That business is the problem: American kids can easily see business exporting our jobs and technology.

They know business doesn’t give a damn about them and will throw their asses under the bus at the least provocation.

This works great for me and my few security students: we’ll have work for life. Not so well for the good ol’ USA, though.

They’re young and unemployed, but they think IT sucks

It’s the mismatch of a lifetime: young Americans who are unemployed or underemployed, and an IT field that needs tens of thousands of new people. Why aren’t masses of unemployed young people flocking to this area of demand and good pay?

Good question. CompTIA came up with one answer.

CompTIA’s Tim Herbert, vice president of research, reported on the findings of a recent CompTIA study to provide some possible answers to this question. The study – based on the responses of one thousand 13 to 24 year olds – revealed that many of these kids embrace technology and are facilitators, but often rule out an IT career as a result of a bad perception of the field and a lack of education about what IT careers are available. As Herbert explained, the category of “IT” is expansive and ill-defined, but research has shown significantly higher interest once teenagers and adults are educated about the various career paths.

Note the two reasons:

  1. A bad perception of IT
  2. Lack of education on available IT fields

Also note that CompTIA’s proposed response only addresses the second problem.

I think it’s much more important to ask: Why do young people think IT sucks as a career? Here the very business community that is crying for skilled workers can look in the mirror for the answer. To put it bluntly, young people have been paying attention, and what they’ve seen is companies jettisoning those “too expensive” employees and sending the work overseas.

Right here in Albuquerque, a friend of mine worked until recently as an engineer for the Chinese-founded and Chinese-operated Emcore. Most of his work involved frequent trips to China to train engineers. Surprise, surprise! Recently he was laid off, and Emcore is shutting down American operations. Its CEO returns to China having successfully exported our technology and our jobs.

With lessons like this in every daily newspaper, is it any wonder that young Americans cast a skeptical eye on technology jobs? Now that’s gotta be good for our country, no?

Spencer Ackerman confirms US spying violates our Constitutional rights

So. Spencer Ackerman tells us the “head of the U.S. government’s vast spying apparatus has conceded that recent surveillance efforts on at least one occasion violated the Constitutional prohibitions on unlawful search and seizure.” (http://www.wired.com/dangerroom/2012/07/surveillance-spirit-law/)

It appears that Sen. Ron Wyden (D-Ore.) is the citizen’s best advocate against this illegal activity. As DangerRoom tells us,

Wyden has been a lonely congressional voice against renewing the government’s broadened surveillance powers. Last month, he quietly used a parliamentary maneuver to stall the renewal after it passed a key Senate committee.

As a noted privacy and security authority suggested, this kind of power is necessary in an age of terrorism. But it is too easily abused and misused for citizens to rightfully trust it.

Uh, yeah: NSA chief asks Defcon hackers to help secure the Internet

Totally disregarding the open “secret” that the federal government illegally collects and retains information (http://www.wired.com/dangerroom/2012/07/surveillance-spirit-law/) and gee, hackers know about that, four-star General Keith Alexander told those same hackers, “You’re going to have to come in and help us.”

Cue the golf claps, and do as one hacker prepping for a capture-the-flag competition did: wave him away.

Attendees were respectful and gave modest applause, though several said they were concerned about secret government snooping and the failure of authorities thus far to stop foreign-backed attacks.

“Americans pay taxes so that federal agencies can defend them,” said a researcher who asked not to be named. “I see it as a hard sell asking a business entity to spend money for the common good.”

As a matter of fact the Feds have been anything but kind to any number of security researchers, and have generally alienated themselves through their own conduct. I personally operate from the principle that once you’re caught in a deliberate lie, you are a liar. As we say around here, por vida.

Taking questions screened by Moss, Alexander adamantly denied that the NSA has dossiers on millions of Americans, as some former employees have suggested.

“The people who would say we are doing that should know better,” he said. “That is absolute nonsense.”

Uh huh. Like I said.

Heading for Cyber Disaster?

Sometimes I sound like a doom and gloom fanatic. I promise you I am not, really; my friend Zoltan is the true king of doomsaying. But I am realistically very deeply concerned about, oh, a number of things, like SCADA systems accessible over the Internet, and custom malware for industrial controllers. So in a sense it’s reassuring to read in NetworkWorld.com that I’m not the only one.

The U.S. is headed toward a “cybersecurity disaster,” according to a Bloomberg Government study. The Ponemon Institute said that to stop 95% of the cybersecurity attacks, companies would need to spend nine times as much, which would “boost spending to a group total of $46.6 billion from the current $5.3 billion.”

Given the extremely weak private sector economy right now, and the impending economic disaster of tax increases and federal spending cuts, it’s not bloody likely that private enterprise is going to spend like that. My personal experience bears this out: everyone is holding off on spending, and getting buy-in on security is practically impossible.

Whether our infrastructure is being hacked is not in question. It is and has been for years. China is our bigtime cyber-enemy. A recent counterintelligence report basically said, “China and Russia cyberspies are hell-bent on espionage and trying to steal U.S. secrets in cyberspace.” Nation states have hackers who hammer away at us every single day. (Same NetworkWorld.com article as above.)

Yes, that bears out: I’ve pored over too many logs, done too many reverse DNS lookups showing domains in Chinese universities in particular as the assailants. By no means should you take my word for it, but I personally am convinced that the Chinese are siccing their students on us to train them in cyberwarfare.
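The kind of log triage described above, as an added example that is not the author's own script: it parses constructed Common Log Format lines, counts requests per client address, resolves each address through an injectable reverse-DNS function (socket.gethostbyaddr in live use; a constructed PTR table here so it runs offline) and groups the totals by the parent domain of the PTR name. The hostnames and the RFC 5737 test addresses are assumptions made for the demo. Worth keeping in mind when reading the output: a PTR record is whatever the holder of the reverse zone publishes, and a university address block says nothing about who is actually driving the machine, so this is a triage hint, not attribution.

```python
"""Group web-server log sources by the parent domain of their reverse-DNS name.

Added example; not the author's script. The resolver is injectable so the
same code runs against live DNS (live_ptr) or a constructed table (fake_ptr).
"""
import re
import socket
from collections import defaultdict

# Constructed sample log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [26/Jul/2012:10:00:01 -0600] "GET /phpmyadmin/ HTTP/1.1" 404 208
203.0.113.10 - - [26/Jul/2012:10:00:02 -0600] "GET /pma/ HTTP/1.1" 404 208
203.0.113.11 - - [26/Jul/2012:10:00:05 -0600] "GET /admin/ HTTP/1.1" 404 208
198.51.100.7 - - [26/Jul/2012:10:01:00 -0600] "GET /index.html HTTP/1.1" 200 1024
192.0.2.44 - - [26/Jul/2012:10:02:00 -0600] "GET /cgi-bin/test.cgi HTTP/1.1" 404 208
malformed line that should be skipped
"""

# Constructed PTR table standing in for live lookups; hypothetical names.
# RFC 5737 TEST-NET addresses never resolve in the real DNS, which is why
# the demo cannot simply call socket.gethostbyaddr.
FAKE_PTR = {
    "203.0.113.10": "lab-1.cs.uni.example",
    "203.0.113.11": "lab-2.cs.uni.example",
    "198.51.100.7": "home-dsl.isp.example",
}

# client-ip ident authuser [timestamp] "request" status ...
CLF_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_clf(text):
    """Yield (ip, request, status) for each well-formed CLF line; skip the rest."""
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            yield m.group("ip"), m.group("req"), int(m.group("status"))


def live_ptr(ip):
    """Real reverse lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def fake_ptr(ip):
    """Offline stand-in for live_ptr backed by the constructed table."""
    return FAKE_PTR.get(ip)


def parent_domain(hostname, labels=2):
    """Keep the last `labels` labels: 'lab-1.cs.uni.example' -> 'uni.example'."""
    parts = hostname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def triage(log_text, resolver=live_ptr, labels=2):
    """Return {domain: {"requests", "errors", "ips"}} ordered by request count.

    "errors" counts 4xx/5xx responses, a rough signal of probing for paths
    that do not exist. Addresses without a PTR fall into "(no PTR)".
    """
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0})
    for ip, _req, status in parse_clf(log_text):
        per_ip[ip]["requests"] += 1
        if status >= 400:
            per_ip[ip]["errors"] += 1

    groups = defaultdict(lambda: {"requests": 0, "errors": 0, "ips": []})
    for ip, stats in per_ip.items():
        name = resolver(ip)
        key = parent_domain(name, labels) if name else "(no PTR)"
        groups[key]["requests"] += stats["requests"]
        groups[key]["errors"] += stats["errors"]
        groups[key]["ips"].append(ip)

    return dict(sorted(groups.items(), key=lambda kv: -kv[1]["requests"]))


if __name__ == "__main__":
    # Swap fake_ptr for live_ptr to run this against a real access log.
    for domain, g in triage(SAMPLE_LOG, resolver=fake_ptr).items():
        print(f"{domain:14} requests={g['requests']:3} 4xx/5xx={g['errors']:3} "
              f"ips={','.join(g['ips'])}")
```

The grouping key is deliberately the parent domain rather than the full hostname, because a scanning campaign from one network tends to show up as many hosts under one suffix; the "(no PTR)" bucket is kept visible rather than dropped, since addresses with no reverse record are common among hosting ranges and dropping them would hide part of the picture.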

We’d better get our butts in gear if we plan on surviving. May I suggest a solution from a European colleague: disinformation.

Publicly available information: The Best Defense/Offense

The longer I work with ISECOM and the more deeply I understand its principles, the more I appreciate the occasional writer who seems to really “get it,” whether directly referring to ISECOM or not. A recent NetworkWorld article, “Open source offense could be our best defense against cyberattack,” offers a very good discussion of the current exploit/publicity cycle, in which prominent attacks immediately provoke a round of defense efforts.

As public and media attention get soaked up by the who and the why of the equation, vendors capitalize on the hype by tapping into the consumer fear factor and by shaping their product messaging around what’s hot in the news. Such marketing tactics draw in even more media and public attention, and so the hype cycle continues, building and building like a snowball. All this noise scares organizations into investing to fight off the bad guys.

But what good to an organization is any security program — expensive or not — if the organization doesn’t even know what it needs to protect or how vulnerable to attack they are to begin with?

I’m so glad to see them getting it.

A good IT audit checklist

Recently I gave a presentation at an international conference on the cloud, and gave it my usual emphasis on simplicity and clarity. I wasn’t talking to IT people, but to accountants, county managers, election officials and treasurers, so they were not highly technical folks.

Which doesn’t mean they can’t comprehend the cloud.

What seemed to impress people most was how understandable the topic is. The issues are clear: cost, availability, productivity, compliance, security. All of these can be addressed, and in fact some good methodologies are being developed for cloud operations.

Check out one of them, “IT Risk: Your Audit Checklist” at

Your cell phone is a stooge for the police

Gonna party till the po-po shut you down? Better not take your cell phone.

Police departments are equipping themselves with advanced machinery that can capture ALL your cell phone data in one pass, which they are doing at normal traffic stops. So, you get a ticket for no turn signal, and the cops instantly have a “right” to complete geotracking records of your location, complete text messages, call logs, contact data, photos – everything on your phone, even stuff you’ve deleted in many cases.

Does that seem like a bit of overreach? An unreasonable search and seizure? A violation of privacy? It does to me, but the only reasonable immediate responses are: 1) don’t always carry your cell phone, or 2) swap cell phones with a friend from time to time to invalidate the geo-data. You mean your phone wasn’t always in your possession? You mean other people carried and used your cell phone? Gee, there’s no way to definitively prove you were anywhere, or did anything. That’s what the CIA calls Plausible Deniability, and it sure seems to work in court – for them.

Read more at http://geeknizer.com/how-police-can-tap-steal-phone-data/

Think the Apple App Store keeps you safe? Think again.

It seems a developer recently found a flaw in Apple’s App Store that could let a malicious app steal your contact data. Seem like no big deal? It won’t be, until your friends – and your clients – start getting nasty, infected messages. Or worse.

How did Apple reward him? By banishing him from the App Store for a year. This makes a good contrast with Google, which PAYS researchers who find and report bugs. That’s what I think of as getting everyone’s motivations pointing in the same direction. By extension, researchers who discover Apple flaws are discouraged from revealing them to Apple. And then hmm, to whom are they going to reveal these flaws? Hmmm.

See more at http://articles.cnn.com/2011-11-08/tech/tech_mobile_apple-ios-bug-apps_1_apple-s-app-store-apple-app-store-ios?_s=PM:TECH

MariaDB, a drop-in replacement for MySQL

You do know that Oracle owns MySQL these days, don’t you? Forgive me if I’m insulting your intelligence, but I can’t help pointing out that when the world’s most expensive commercial database company owns the world’s preeminent open source database, something’s gotta give. I think of motivations as if they are arrows, and these two databases are pointed exactly 180 degrees from each other when it comes to their interests.

Especially since MySQL is such a great free database that it takes business from Oracle.

Concern over this issue has been growing among both users and the developer community. Recently Harlow Pinson sent me a link to a fork of the MySQL code, sponsored by some of the original MySQL developers: MariaDB. Is this a better choice than moving to PostgreSQL and learning a new platform? We’ll have to see. In the meantime check out http://mariadb.org/.