My BlackHat Plans

I’ll be speaking twice at BlackHat. First on the “Smashing the Future” panel with Bruce Schneier, Marcus Ranum, Jeff Moss and Jennifer Granick (10AM Wednesday, main hall). My second talk is also on Wednesday, on a new game, Control-Alt-Hack. I’ve been helping Tamara Denning and Yoshi Kohno create Control-Alt-Hack, and we’ll be speaking Wednesday at 2:15 in Palace 2.

Also for your BlackHat edification, why not check out one or more of Bill Brenner’s Black Hat, DefCon and B-Sides survival guide, 2012, TK’s Advanced Survival Guide to Blackhat, or my own Black Hat Best Practices, which have remained remarkably stable over the years.

Aitel on Social Engineering

Yesterday, Dave Aitel wrote a fascinating article “Why you shouldn’t train employees for security awareness,” arguing that money spent on training employees about awareness is wasted.

While I don’t agree with everything he wrote, I submit that your opinion on this (and mine) are irrelevant. The key question is “Is money spent on security awareness a good way to spend your security budget?”

The key is we have data now. As someone comments:

[Y]ou somewhat missed the point of the phishing awareness program. I do agree that annual training is good at communicating policy – but horrible at raising a persistent level of awareness. Over the last 5 years, our studies have shown that annual IA training does very little to improve the awareness of users against social engineering based attacks (you got that one right). However we have shown a significant improvement in awareness as a result of running the phishing exercises (Carronade). These exercises sent fake phishing emails to our cadet population every few weeks (depends on the study). We demonstrated a very consistent reduction to an under 5% “failure” after two iterations. This impact is short lived though. After a couple months of not running the study, the results creep back up to 40% failure.

So, is a reduction in phishing failure to under 5% a good investment? Are there other investments that bring your failure rates lower?

As I pointed out in “The Evolution of Information Security” (context), we can get lots more data with almost zero investment.

If someone (say, GAO) obtains data on US Government department training programs, and cross-correlates that with incidents being reported to US-CERT, then we can assess the efficacy of those training programs

Opinions, including mine, Dave’s, and yours, just ain’t relevant in the face of data. We can answer well-framed questions of “which of these programs best improves security” and “is that improvement superior to other investments?”

The truth, in this instance, won’t set us free. Dave Mortman pointed out that a number of regulations may require awareness training as a best practice. But if we get data, we can, if needed, address the regulations.

If you’re outraged by Dave’s claims, prove him wrong. If you’re outraged by the need to spend money on social engineering, prove it’s a waste.

Put the energy to better use than flaming over a hypothesis.

Lives, Fortunes and Sacred Honor

Around the 4th of July, some smart, public minded folks put forth a “Declaration of Internet Freedom“. And while it’s good in a motherhood and apple pie sense of good, wholesome fun for the whole family, it lacks the punch and panache of the Declaration of Independence to which men pledged their lives, fortunes and sacred honor. As Randy Barnett points out in “The Declaration of Independence Annotated“, signing that document was a substantial and real risk to those who did it.

So where the Declaration of Independence got awfully specific about what they were objecting to (in that long list of grievances that no one reads as closely as they should), here we get “Don’t censor the internet.” But are the signers objecting to censorship of women without veils in Saudi Arabia? Nazis in Germany? How about Lese-majeste in Thailand?

We get things like “Protect the freedom to innovate and create without permission.” Does that mean that Apple should open their app store to all the malware that makes it into the Google store? Does that mean that someone like Amazon needs to publish Kindle APIs? That any API in a system is fair game, even if it’s officially not supported? If I use an unsupported API, does my freedom to innovate trump the creator’s freedom to innovate, and lock them into supporting that API in the future?

Whatever it might mean, it might mean different things to different people, but the unwillingness of the authors to really press into specifics might even make it meaningless.

Which is a shame.

"Quartering large bodies of armed troops among us.."

So following up on our tradition of posting the Declaration of Independence from Great Britain on the 4th, I wanted to use one of those facts submitted to a candid world to comment on goings on in…Great Britain. There, the government has decided to place anti-aircraft missiles on the roof of a residential building near the Olympic park, and the residents objected.

However, the courts have ruled that such a decision is not subject to judicial review. (“London tower block residents lose bid to challenge Olympic missiles“) I think it’s a bit of a shame it didn’t happen here in the US, where it would be a rare opportunity for a bit of third amendment law:

No soldier shall, in time of peace be quartered in any house, without the consent of the owner, nor in time of war, but in a manner to be prescribed by law.

It’s not clear that a missile battery is a soldier, nor that on a house is equivalent to in a house, and I suspect those are two of the few remaining words in the Bill of Rights that haven’t been hyper-analyzed.

The Evolution of Information Security

A little while back, a colleague at the NSA reached out to me for an article for their “Next Wave” journal, with a special topic of the science of information security. I’m pleased with the way the article and the entire issue came out, and so I’m glad that the NSA has decided to release it.

The core of the article how to evaluate the investments we make in security, today and at low cost, if only we choose to take advantage of it.

The entire article is available here: The Next Wave: Security Science and I’m happy to be able to make my article available as a separate (high quality) PDF: “The Evolution of Information Security

we mutually pledge to each other our Lives, our Fortunes and our sacred Honor

declaration-of-independence.jpg

In CONGRESS, July 4, 1776

The unanimous Declaration of the thirteen united States of America,

When in the Course of human events, it becomes necessary for one people to dissolve the political bands which have connected them with another, and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation.

We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. –That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, –That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness. Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn, that mankind are more disposed to suffer, while evils are sufferable, than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security. —Such has been the patient sufferance of these Colonies; and such is now the necessity which constrains them to alter their former Systems of Government. The history of the present King of Great Britain [George III] is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States. To prove this, let Facts be submitted to a candid world.

He has refused his Assent to Laws, the most wholesome and necessary for the public good.

He has forbidden his Governors to pass Laws of immediate and pressing importance, unless suspended in their operation till his Assent should be obtained; and when so suspended, he has utterly neglected to attend to them.

He has refused to pass other Laws for the accommodation of large districts of people, unless those people would relinquish the right of Representation in the Legislature, a right inestimable to them and formidable to tyrants only.

He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records, for the sole purpose of fatiguing them into compliance with his measures.

He has dissolved Representative Houses repeatedly, for opposing with manly firmness his invasions on the rights of the people.

He has refused for a long time, after such dissolutions, to cause others to be elected; whereby the Legislative powers, incapable of Annihilation, have returned to the People at large for their exercise; the State remaining in the mean time exposed to all the dangers of invasion from without, and convulsions within.

He has endeavoured to prevent the population of these States; for that purpose obstructing the Laws for Naturalization of Foreigners; refusing to pass others to encourage their migrations hither, and raising the conditions of new Appropriations of Lands.

He has obstructed the Administration of Justice, by refusing his Assent to Laws for establishing Judiciary powers.

He has made Judges dependent on his Will alone, for the tenure of their offices, and the amount and payment of their salaries.

He has erected a multitude of New Offices, and sent hither swarms of Officers to harass our people, and eat out their substance.

He has kept among us, in times of peace, Standing Armies without the consent of our legislatures.

He has affected to render the Military independent of and superior to the Civil power.

He has combined with others to subject us to a jurisdiction foreign to our constitution and unacknowledged by our laws; giving his Assent to their Acts of pretended Legislation:

For Quartering large bodies of armed troops among us:

For protecting them, by a mock Trial, from punishment for any Murders which they should commit on the Inhabitants of these States:

For cutting off our Trade with all parts of the world:

For imposing Taxes on us without our Consent:

For depriving us, in many cases, of the benefits of Trial by Jury:

For transporting us beyond Seas to be tried for pretended offences:

For abolishing the free System of English Laws in a neighbouring Province, establishing therein an Arbitrary government, and enlarging its Boundaries so as to render it at once an example and fit instrument for introducing the same absolute rule into these Colonies:

For taking away our Charters, abolishing our most valuable Laws, and altering fundamentally the Forms of our Governments:

For suspending our own Legislatures, and declaring themselves invested with power to legislate for us in all cases whatsoever.

He has abdicated Government here, by declaring us out of his Protection and waging War against us.

He has plundered our seas, ravaged our Coasts, burnt our towns, and destroyed the lives of our people.

He is at this time transporting large Armies of foreign Mercenaries to compleat the works of death, desolation and tyranny, already begun with circumstances of Cruelty and perfidy scarcely paralleled in the most barbarous ages, and totally unworthy the Head of a civilized nation.

He has constrained our fellow Citizens taken Captive on the high Seas to bear Arms against their Country, to become the executioners of their friends and Brethren, or to fall themselves by their Hands.

He has excited domestic insurrections amongst us, and has endeavoured to bring on the inhabitants of our frontiers, the merciless Indian Savages, whose known rule of warfare, is an undistinguished destruction of all ages, sexes and conditions.

In every stage of these Oppressions We have Petitioned for Redress in the most humble terms: Our repeated Petitions have been answered only by repeated injury. A Prince whose character is thus marked by every act which may define a Tyrant, is unfit to be the ruler of a free people.

Nor have We been wanting in attentions to our British brethren. We have warned them from time to time of attempts by their legislature to extend an unwarrantable jurisdiction over us. We have reminded them of the circumstances of our emigration and settlement here. We have appealed to their native justice and magnanimity, and we have conjured them by the ties of our common kindred to disavow these usurpations, which, would inevitably interrupt our connections and correspondence. They too have been deaf to the voice of justice and of consanguinity. We must, therefore, acquiesce in the necessity, which denounces our Separation, and hold them, as we hold the rest of mankind, Enemies in War, in Peace Friends.

We, therefore, the Representatives of the united States of America, in General Congress, Assembled, appealing to the Supreme Judge of the world for the rectitude of our intentions, do, in the Name, and by the Authority of the good People of these Colonies, solemnly publish and declare, That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do. And for the support of this Declaration, with a firm reliance on the protection of divine Providence, we mutually pledge to each other our Lives, our Fortunes and our sacred Honor.

The signers of the Declaration represented the new states as follows:

New Hampshire

Josiah Bartlett, William Whipple, Matthew Thornton

Massachusetts

John Hancock, Samual Adams, John Adams, Robert Treat Paine, Elbridge Gerry

Rhode Island

Stephen Hopkins, William Ellery

Connecticut

Roger Sherman, Samuel Huntington, William Williams, Oliver Wolcott

New York

William Floyd, Philip Livingston, Francis Lewis, Lewis Morris

New Jersey

Richard Stockton, John Witherspoon, Francis Hopkinson, John Hart, Abraham Clark

Pennsylvania

Robert Morris, Benjamin Rush, Benjamin Franklin, John Morton, George Clymer, James Smith, George Taylor, James Wilson, George Ross

Delaware

Caesar Rodney, George Read, Thomas McKean

Maryland

Samuel Chase, William Paca, Thomas Stone, Charles Carroll of Carrollton

Virginia

George Wythe, Richard Henry Lee, Thomas Jefferson, Benjamin Harrison, Thomas Nelson, Jr., Francis Lightfoot Lee, Carter Braxton

North Carolina

William Hooper, Joseph Hewes, John Penn

South Carolina

Edward Rutledge, Thomas Heyward, Jr., Thomas Lynch, Jr., Arthur Middleton

Georgia

Button Gwinnett, Lyman Hall, George Walton

Image: Washington’s copy of the Declaration of Independence, from the Library of Congress.