Daniel Miessler's Blog, page 101

I spent lots of time on typography, so you should read this article in its original form at DevOps as the Art and Science of Deliberate Practice

—

The best definition I’ve ever heard for DevOps is the ability to practice often.

I prefer DevOps to DevSecOps because I feel security should be part of both development and operations, but I also see the merit in calling it out where this isn’t regular practice.

I think there is a powerful analog here to professional team sports, and I want to capture a few of the ways they’re similar.

Can you imagine being successful in a professional team sport if you only practiced together twice a year?

Professional teams get and stay at peak performance through constant practice. And it’s not just repeating the same drills over and over—it’s based on continuous iterative improvement, which has multiple components.

Practicing a particular activity
Playing mock games against each other
Playing scrimmage games against other local teams
All practice is recorded
Coaches watch all recordings and notice what worked and didn’t work
Coaches watch the competition play other teams
Based on those observations, they change how the team practices
Then the go and execute in the next real game

In DevOps the practicing and execution are basically condensed into a single step, but otherwise we still have the same activities taking place: we automate our tasks, we monitor everything, we execute in terms of building and deploying software, we review the logs, we make adjustments, and then we do the process again.

This methodology also closely resembles OODA Loops, where you observe, orient, decide, and then act. These are all forms of extremely fast improvement cycles, and they all require that you execute often in order to capture mistakes so you can make adjustments.

In the military I heard a great example of this where patrols encountering IEDs on the ground in Iraq would report their findings to West Point each day, and the classes would change daily based on the new tactics being seen in the real world.

There are lots of definitions for DevOps, but perhaps the best one is “The Art and Science of Deliberate Practice” when building and deploying software.

I hope this definition gives someone clarity on the topic the way it has for me.

Notes


Many thanks to the customer team down in Brazil who invited me to speak at their DevOps conference. It was at one of their presentations that I first heard this concept of constant practice as the central concept of DevOps.

—

I spend between 5 and 20 hours on this content every week, and if you're a generous type who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

I spent lots of time on typography, so you should read this article in its original form at Analysis of the 2018 F5 Threat Intel Report

F5 just released a threat intel report that covered 433 breach cases spanning 12 years, 37 industries, and 27 countries.

When companies release reports like these I go through them and extract nuggets for those who don’t have time to look at the full report. You will find the extraction for this report below.

Applications were the initial target in 53% of the breaches.
Identities were the initial target of 33% of them.
The apps are evidently the target, but you have to be cautious about this message because F5 is selling WAFs. So much of this kind of research is done in DIRECT coordination with the marketing and product teams, so I am always weary when someone discovers a trend that happens to help their exact product.
86% of the U.S. population has had their SSN compromised. Interesting stat.

Root cause analysis

38% breaches by web app vulnerability, 19% by phishing, 12% stolen assets, 8% unauthorized access (not sure what that means exactly), and 6% credential stuffing. When I read lists like this I think about what fundamentals would solve these issues. For web app vulns it’s an appsec program, clearly, phishing is hard because you need a multi-layered defense and the attacks are constantly evolving, and the stolen assets piece is mostly just good asset management and organizational discipline.
They break down the web vulnerabilities in a strange way. They don’t use OWASP or any other main classification, but rather mix the software type (forums) with vendors, e.g., vBulletin. Using that system they come up with forum software being #1, with SQL injection being second. This is strange because one is a target and the other is a vulnerability. In other words, if you have broken forum software, that means it’s vulnerable to XSS, or SQL Injection, or some other thing. So I think they’re mixing apples with hatchets here. Not super useful.
Also wondering where XSS, CSRF, XSRF and other web vulns are in the list.
The industries that were attacked the most were Healthcare, Technology, Online Gaming, Financial, Online Forums, Government, and Social Networks (the list continues).
But in terms of impact, those hit hardest were Retail, Government, Technology, Financial, and Online Gaming. The thing I see in common here is a strong requirement for availability.
Then if you look at the number of records breached, it’s a different order again: Technology, Cybercrime, Social Network, Adult, Retail, Financial, Online Forum, Government, and the list continues.
Out of the 433 cases, 42 of the companies had no idea they were breached for years.
Credentials are rising in popularity as targets relative to credit cards because credentials are often used elsewhere and therefore add additional value, whereas there’s so much credit card data out there that the prices are lower.
Most companies are still using weak hashing mechanisms to protect passwords.
Lots of fake people are being made and used to do various things.
Third party breaches are hurting companies as well.

Great work to the F5 team on this research! If you liked the summary, consider going over to read the entire report.

I spend between 5 and 20 hours on this content every week, and if you're a generous type who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

I spent lots of time on typography, so you should read this article in its original form at Practical Security Principles

There are many great lists of security principles out there, including those from NIST, IEEE, and perhaps the originals from Saltzer and Schroeder.

I was helping some new security professionals recently and was looking for the best of these lists to provide, and I found them lacking. The Saltzer and Schroeder list is excellent, but it’s a bit abstract and quite dated. And the NIST and IEEE lists have their own issues.

Eric Cole was invaluable for me in conveying these types of concepts when studying for GSEC early in my career.

So I quickly made a list of my own that incorporates the best ideas from all of them and then added several others that I’ve heard from various sources over my 20 years in the industry.

Security means “without worry”
Our goal is functional resilience
Pursue acceptable risk, not the elimination of risk
Make security either invisible or usable
Maintain an evergreen inventory of what you’re protecting
Minimize attack surface
Reduce components and complexity as much as possible
Assume compromise and focus on detection, response, and recovery
Parsers are evil, and more so if they’re listening on a network
Design for zero trust in all environments
Don’t trust unfiltered input
Implement defense in depth
Don’t write your own cryptographic algorithms
Protect access and secrets with least privilege
Filter at each layer
Use secure defaults
Secure sensitive data at rest and in transit
Monitor and enforce secure configuration
Fail securely
Do not rely obscurity/OPSEC as the single layer
Ensure attribution / non-repudiation
Protect the integrity of transaction evidence

This is a rough pass, and I’m not sure what (if any) form it’ll eventually take, but if you have any ideas on how to improve it, let me know!

I spend between 5 and 20 hours on this content every week, and if you're a generous type who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

I spent lots of time on typography, so you should read this article in its original form at Learn the Difference Between Real and Fake Machine Learning

There are few technologies as misunderstood right now as Machine Learning. Some think it’s 100% hype, sales, and marketing, and others think it’s humanity’s Messiah in the form of math and code. Unfortunately, there’s currently not a lot of space between those two extremes.

Here’s how I think about it.

Machine Learning is much like Love and Sex. If you take the time to learn about them, in their true forms, they truly are MAGICAL. But if you see someone lead with them— when they’re trying to sell you something—you can almost guarantee they’re lying to you.

I think machine learning should be thought about a lot more like statistics in the sense that they:

Can be both simple and complex
Are both interesting and boring
Are often executed well and poorly
Can deliver magic, truth, lies, or all three simultaneously

Machine Learning isn’t much different in these regards. It’s an approach to looking at, and modeling, the world. If it’s done well it can yield tremendous insight and even prediction. And if it’s done poorly—or unethically—it can take us down an unlit and dangerous path.

So it’s like any powerful tool really.

Even if it’s implemented correctly, you might also need to ask if it’s implemented ethically.

But for any powerful tool that’s in its infancy, you need to learn the difference between those who are talking alchemy and those who are talking chemistry. Alchemists always come first, and you must be cautious of them not because they’ll always be wrong, but because they’ll be right sometimes—and sometimes not—which is often worse.

Do not discard machine learning as foolish, or hype, or a fad. It truly is one of the most powerful technologies every invented, and ignoring it will put you at a major disadvantage against competitors who do implement it.

But also avoid getting involved in products or solutions just because ML is part of the pitch. At this stage there’s a significant chance that they’re doing it just to say they have, and there’s little guarantee that it’s even needed, or that it’s being implemented correctly.

In short, machine learning really is messianic in its capabilities and potential, but because it’s also a buzzword being used by every marketing department on the planet the industry is permeated with garbage bearing the name.

Learning the difference will benefit you greatly.

I spend between 5 and 20 hours on this content every week, and if you're a generous type who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

I spent lots of time on typography, so you should read this article in its original form at Unsupervised Learning: No. 116

This week’s episode of Unsupervised Learning is now available. Subscribe below and get this episode’s podcast and newsletter.

This week’s topics: Chinese at CanSecWest, Applebees POS, Palantir, Poisoning, TensorFlow DoD, Amazon laughing, Google 72-qbits, Amazon FinTech, Android P, and more…

Listen to this week’s Podcast

Become a Member to Get This Week’s Newsletter

I spend between 5 and 20 hours on this content every week, and if you're a generous type who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

I spent lots of time on typography, so you should read this article in its original form at The Two Kinds of Privacy Loss

I like to think about our impending loss of privacy as two separate issues.

The first type is against the will of the victim and is caused by malice and/or negligence on the part of the entity with your data. This is where you trust your data to a company, and they sell that data to a number of unscrupulous third-parties just so they can make money. Alternatively, they’re so bad at data security that they leak it through sloppy transactions or allow it to be stolen through poor security hygiene.
The second kind is where the data is given willfully—by the user—to a number of trustworthy vendors, who then share it with other trustworthy vendors, who then share it some more, and the whole process continues for many years until your data ends up saturated throughout the internet.

Let’s call the first Involuntary, and the second Voluntary.

Importantly, both end up yielding the same result—your data spread across the internet like ashes in an ocean. Once the decision is made, either knowingly or unknowingly, to provide rich data to a series of data-centric companies, it’s a one-way function. It goes in, but can never come back.

But although the results are the same in both cases, I see these two situations very differently.

I believe that the loss of privacy is inevitable because the internet of things will be powered by personal data, and we know from experience that people—especially young people—will gladly sacrifice privacy for functionality.

The internet of things, machine learning, and big data are all extreme cases of this tradeoff. The more data you give, the better peoples’ experiences with technology will get. Their assistants will anticipate their desires. Restaurants will bring your favorite dishes without asking. The world will basically be customized for each of us.

I believe the loss of privacy is inevitable, and I’m actually quite optimistic and forward-leaning on the issue. But I still want to avoid giving my data to companies with incentives misaligned to my own.

Companies with free services, for example, are not really free. Instead, the service itself is the hook, and the data that you provide the service is the actual product. This is true for Facebook and largely for Google as well.

So even though I know my data will inevitably be leaked due to the porous nature of the internet of things and machine learning powered services, I still want it to happen the slow way, through companies I trust to care for my data and only share it with other companies that have the same values or with my permission.

It’s not that I think this will stop the inevitable, but at least the inevitable will happen more on my own terms.

If you want to learn more about what I believe the Internet of Things will look like, you can read my book on the topic.

I guess the point here is that there’s a bit of cognitive dissonance here on my part, or at least it seems like there is sometimes. I am for digital assistants. I am for machine-learning-powered services. I am for an adaptive and personalized internet of things. And I believe that if you’re in cybersecurity you should accept the inevitability of the death of privacy, and work to make people comfortable in a post-privacy world.

But at the same time, I want to control that transition—using vendors that I trust—as much as possible.

Perhaps I’ll change my mind in one way or another, but that’s my current position.

I spend between 5 and 20 hours on this content every week, and if you're a generous type who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

I spent lots of time on typography, so you should read this article in its original form at How to Download the Data Facebook Has on You

People are becoming increasingly worried about the data that Facebook and other social media sites have on them.

Luckily, the platforms make it fairly easy to download that data to see for yourself.

For Facebook, here’s the process.

1. Go to any Facebook page and hit the down arrow in the corner.

3. Click “Download a Copy of Your Facebook Data”

Start Membership

Thank you,

Daniel

I spent lots of time on typography, so you should read this article in its original form at The Reason Software Remains Insecure

There are myriad theories as to why software remains insecure after we’ve spend decades trying to solve the problem.

Some say it’s the lack of will to secure things, the lack of vendor liability, the insecure languages we use, insufficient developer training, not enough security products—and the list continues…

But there’s a far simpler and more powerful explanation, which is best demonstrated in a visualization like the one above: the existence of insecure software has so far helped society far more than it has harmed it.

Basically, software remains vulnerable because the benefits created by insecure products far outweigh the downsides. Once that changes, software security will improve—but not a moment before.

Consider the mystery solved.

These failures are likely to start, by the way, largely due to the explosion of the Internet of Things.

When we start having complete and long-lasting internet outages, companies being knocked offline for days or weeks and going out of business, and—most importantly—large numbers of people dying, then we’ll see a serious push for secure software.

In the meantime, quickly developed, quickly deployed, and insecure code will continue to perform miracles for human civilization, and will therefore continue to be welcomed into businesses and society.

In short, don’t expect change until we see the downsides of insecure software start to rival the benefits. And it’s currently not even close.

I spend between 5 and 20 hours on this content every week, and if you're a generous type who can afford fancy coffee, please consider becoming a member for just $5/month…

Start Membership

Thank you,

Daniel

You'll like the typography better at Apple’s Biggest Weakness is Siri, and It’s Becoming a Problem. —

Many think voice assistants are still in the toy category, but I’m convinced that they’ve recently become part of the underlying trust fabric for the Google, Apple, and Amazon brands.

Apple is known for its product quality, and up until now Siri has not been considered part of that equation. I think that’s changing, though, and it’s changing very quickly because she’s being compared to Assistant and Alexa who don’t make near as many mistakes.

Siri is far behind Google Assistant and Alexa in terms of the emotional trust she’s earned and squandered—and that’s about to become a serious handicap.

The first few times Siri made a catastrophic error, it was funny. You ask for pizza and she gives you Apple Map locations that are 2,500 miles away in Idaho—for an Indian restaurant. Or you ask to hear “Mars Volta”, and she gives you a list of web links related to dog kennels.

At first it’s funny. Then it’s less funny. Then it’s annoying. Then you’re simply not going to use her anymore. And if Alexa has better answers she’ll become the new default without you even making a conscious choice.

The problem for Apple is that someone preferring Alexa to Siri isn’t a digital assistant rejection—it’s a brand rejection.

Siri isn’t a feature of a few products; she’s the personification of Apple itself. And if she can’t answer basic questions, or does so in a noticeably worse way than the competition, then it’s going to cheapen every product that Apple makes.

As a long-time Apple fan and advocate, and someone who thinks digital assistants are the future of computing, I really want to see them aggressively attack the personal assistant space.

It’s not a toy. Not anymore. A brand’s digital assistant is its spokesperson at this point. The ever-present representative. Apple can’t afford to get lapped in this area. It’s too critical to overall brand trust.

I hope they massively improve Siri in a way that completely overtakes the competition. And I hope they do it soon.

— I spend between 5 and 20 hours on this content every week, and if you are the generous type and can afford fancy coffee whenever you want, please consider becoming a member for just $10/month… Begin Membership… Thank you!

You'll like the typography better at Success in Life is Determined Most by Parental Culture, Not the Quality of Schools. —

I think one of the least know truths in liberal circles is that family culture determines educational and financial success far more than school quality.

I was born and raised in the San Francisco Bay Area, and we’ve been raised to believe that good schools have lots of resources—like new textbooks, better teachers, etc.—and that students in poor schools fail because they don’t have these things.

Many learning centers like these are sustained exclusively by Asian families

It made sense to me, and as a liberal it made me angry. When I looked around at all the people without a good education, who were struggling through life in low-paying jobs with no benefits, I blamed the system for keeping the best schools for the rich.

But this isn’t just an incorrect understanding of the world—it’s poisonous and destructive one.

By Asian I mean both East Asian and Indian.

The truth is that Asian families have been going to the same schools as poor Whites, Hispanics, and Blacks for decades, but they’re absolutely thriving where others fail. A study looked at educational attainment and poverty between White and Asian students back in 2014 and found that Asians did far better in school despite being poorer, which they attributed to motivation and work ethic.

The poverty rates of Chinese and Vietnamese are higher than they are for whites. However the disadvantaged children of Chinese and Vietnamese immigrant families routinely surpass the educational attainment of their native-born, middle-class white peers.

Source: Study examines achievement gap between Asian American, white students

They then talked about what is now understood to be the growth vs. fixed mindset.

Asian and Asian American youth are harder working because of cultural beliefs that emphasize the strong connection between effort and achievement,” the authors wrote. “Studies show that Asian and Asian American students tend to view cognitive abilities as qualities that can be developed through effort, whereas white Americans tend to view cognitive abilities as qualities that are inborn.

Source: Study examines achievement gap between Asian American, white students

They went on to capture the elements of upbringing that made the difference.

Qualities such as attentiveness, self-control, motivation and persistence may be as important as cognitive abilities in positively affecting academic performance,” the authors wrote. “Asian American parents may engage in parenting practices that better cultivate these qualities that, in turn, enable their children’s academic success.

Source: Study examines achievement gap between Asian American, white students

Cultural differences

I believe this is a matter of software (culture) and not hardware (race).

If we look at larger social behaviors between these cultures, we see profound differences in behaviors that are well-known to be associated with success and failure. Here are the unmarried birth numbers by group.

Then here’s educational attainment.

And here is income.

What we see here is that Asians are superior in every single measure: stable families, educational attainment, and then income. And they’re starting from the same elementary and high schools as everyone else.

What’s the point exactly?

Many at this point are checking my name to see if I’m Asian. You’re looking to see if I’m some sort of Neo-Conservative who’s about to talk about family values and the GOP. Or maybe there’s some other bias that will allow you to dismiss what I’m saying.

Please don’t do that.

The goal here is not to beat up those who don’t succeed educationally or financially. The goal is not to blame them. The goal is not to take blame away from bad schools and bad teachers. All those things are factors and should be improved.

The goal here is to realize that there is a solution to the achievement problem. It’s a solution that Asian families have been using for decades right in front of our eyes. The solution is to be frugal, to maintain a stable family, and to emphasize educational attainment as a prime directive.

It works. The numbers illuminate the path. It’s like a magical, all-powerful secret that nobody is paying attention to—either because it’s too obvious or because it requires hard work and it’s easier to blame external factors.

Summary


Asians are dominating all other groups in educational achievement and income.
They are doing this despite often coming from very poor upbringings.
Studies show that this is due to the values that parents give their children, namely grit and a growth mindset.
We therefore already know how to make all other groups successful as well: they simply have to emulate and adopt the same cultural software being used by these Asian families.

The problem isn’t external, it’s internal. The problem is bad software. The problem is bad culture.

And the solution is equally simple: we need to emulate what we know works. We need to run the same cultural software as the Asian families that are succeeding.

This should not be an open secret for the top 10% of families. Everyone should know about this software so that they can run it for their families as well.

Notes


I use Asians the example here because they’re exemplary in their achievement, but this same concept really applies to the entire educated and successful class. Anyone who has two educated parents who are demanding that their children be educated as well, and then guiding them into lucrative careers is also utilizing this same secret. And it’s wrong for it to be kept to just the top n%. This should be public knowledge and taught to every would-be parent.

— I spend between 5 and 20 hours on this content every week, and if you are the generous type and can afford fancy coffee whenever you want, please consider becoming a member for just $10/month… Begin Membership… Thank you!