Wednesday, March 30, 2011

Well, that's it for Bit.ly (SCRATCH THAT: MAYBE NOT)

Bit.ly support quickly responded and fixed the issue. I've included their response below.

Tuesday, March 29, 2011

"Cyber" and "hacker": I’m taking them back

I use the word "cybersecurity" on the Twitter partly because it annoys people for being tragically un-hip.

But mostly I use it because it’s the word that most people will understand. If I go on CNN and talk about [IT-, information-, computer-, network-, system-]security, the audience won’t understand me as well as "cyber".

The advantage of "cyber" is precisely its impreciseness and lack of definition. My audience doesn't really want to know what the word means -- they simply want to know that I mean the same thing as everyone else who says "cyber" on CNN. It’s the transitive property of language. If "a=1", and "a=b", then "b=1" -- you don’t need to understand "a" or "b" to understand the equation.

Experts often use the "correct" words incorrectly anyway. They use "information security" when they mean "computer security". Or they use "network security" when they mean "system security". Either these words mean something nuanced and specific, or they are no better than "cybersecurity".

Technical people have the hubris to believe they own language, and that words mean what technical people want them to mean. That’s fine for words like "pi", but it doesn’t work for higher concepts. A good example is ESR's definition of "hacker" in his hacker dictionary. He insists that it means some sort of computer enthusiast, technical expert, or problem solver -- and that it should not have any "cybercriminal" connotation.

But he’s wrong. A dictionary doesn’t tell people how they SHOULD use words. Instead, a dictionary reflects how people DO use words.

Consider the American Heritage entry on "nuclear". It notes that among the many pronunciations of this word is "nukular", like how George Bush (and many other Presidents) have pronounced it. It goes on to say this pronunciation "occurs with some frequency among highly educated speakers, including scientists, professors, and government officials, it is disapproved of by many". The dictionary isn’t telling you the "correct" pronunciation -- just what pronunciations are common.

It’s funny watching journalists cover "hackers" for the first time. After they release their first story, they get deluged with comments telling them they used the word wrong (and offensively), that they should use "crackers" instead, and refer them to ESR's "dictionary". The journalists dutifully comply, and use "crackers" for a couple stories before they realize it’s stupid, and go back to using "hackers".

So, I’m using these words not necessarily how the digerati want them to be used, but how everybody else uses them. I'm taking them back. I think I have the gravitas to pull it off. I’m a cybersecurity expert -- I invented network Intrusion Prevention Systems (BlackICE Guard IPS aka. IBM Proventia IPS). I’m also a cyber-insecurity expert: I reverse engineer binary code, write exploits, and pen-test systems.

So when you see me on the inter-tubes using these un-cool terms, this is the reason why.

Monday, March 28, 2011

Verifying the Comodo Hacker's key

In order to prove his identity, the person claiming to have hacked Comodo published the private key of his forged certificates. I've verified that the key is valid. This post describes how.

Interview with ComodoHacker

I had an e-mail exchange with the ComodoHacker. The original was one e-mail request, followed by an e-mail response. I've interleaved the two, but otherwise I haven't edited the questions/answers. Original statements from him are posts at http://pastebin.com/u/ComodoHacker. Note that I've verified the private key matches the public key, so this is the hacker (beyond a reasonable doubt).

Sunday, March 27, 2011

The Comodo hacker releases his manifesto

Somebody claiming to be the "Comodo hacker" has released a statement here http://pastebin.com/74KXCaEZ, decompiled code here http://pastebin.com/DBDqm6Km, and account database here http://pastebin.com/CvGXyfiJ. As a pentester who does attacks similar to what the ComodoHacker did, I find it credible. I find it probable that (1) this is the guy, (2) he acted alone, (3) he is Iranian, (4) he's patriotic but not political.

Thursday, March 24, 2011

A brief introduction to web "certificates"

In case you are confused by SSL, and don’t fully understand the recent Comodo hack, I thought I’d write up a brief explanation for you. This is drastically simplified. I’m skipping a lot of steps in the process. I’m just trying to explain the essentials without getting lost in the details.

Wednesday, March 23, 2011

No reason to believe Comodo attack came from Iranian Government

At the bottom of the recent Comodo advisory is this line:
All of the above leads us to one conclusion only:- that this was likely to be a state-driven attack.

This is not the only logical conclusion.

Tuesday, March 22, 2011

Risk management: what do it mean?

Alex Hutton has a bizarre response to my last post, full of ad hominem attacks, even implying I’m a bad pen-tester. It’s a bit weird.

Monday, March 21, 2011

Fukushima: Too soon for hindsight?

According to this tweet, it's too soon to use the crisis in Japan in a risk management article:
This is a fallacy. The opposite is true: it's probably too late to write a good risk management article.

Friday, March 04, 2011

Japanese WiFi Stumbling

I'm in Japan, so I turned on my WiFi survey tool. Here are the results that interest me.