On the lookout for attacks

April 8th, 2010 Clear2Go No comments

After school, my first employment opportunity came in the financial services industry.  I worked for a bank and was initially responsible for a group of firewalls that separated the Internet from the internal bank network.  It was a little more complicated than I am describing as there were technically several networks with different ‘trust levels’ and the firewalls deployed policy in an attempt to enforce these levels of trust.  Aside from my role of ensuring the policy accurately reflected the business requirements, I spent time ‘looking’ for anomalies, potential attacks or issues.  This work involved writing lots of Perl scripts to parse and correlate logs, analyzing packet captures, running vulnerability and penetration tests and the other typical functions a security analyst performs.  While it sounds very proactive, the amount of actual proactive work was in reality minimal.  You get bogged down with other projects, meetings, lack of resources, a deadline here or an emergency there.  I eventually switched to a different team that designed the networks and security.  My new manager, who to this day I have the utmost respect for and who is now retired, wanted to have myself and another individual be given permission to spend a week or so of dedicated time to snoop around the network, servers, and systems.  We would attempt to gather what information we could obtain, authorized or not. We would be given free rein to see what we could gather.  The only restrictions were no DoS attacks or causing outages and we were to remain stealthy.  We would put all this information in a confidential report for management.  He presented this, but was told no.  I was very disappointed.  The project sounded very exciting and fun and I was so looking forward to it.  My manager was disappointed as well, although he said he expected that response and shared with me why that decision was made.  He is a very smart man and was ahead of his time.

Over the Easter weekend, I had the opportunity to speak to a friend who has worked for the federal government for over 30 years.  My friend was telling me about a security team whose sole responsibility is to be proactive.  This team searches the network looking for vulnerabilities or attacks that are in progress, usually under the radar, using a variety of open source and other tools.  My friend was very positive about them, indicating the team has done really good work and produced excellent results.  I was happy to hear that a large organization such as the federal government had a full time team dedicated to this purpose.

In my years consulting for many different industries both large and small, I have seen a very obvious increase in proactive security monitoring, analysis, and investigation.  Most financial industries have teams in place today as well as other large organizations.  Unfortunately, in some cases, these teams are not dedicated full time, rather it is one part of their many responsibilities.  In my opinion, this is where a mistake is being made and the effectiveness of having proactive security teams starts to be a problem.

One of the biggest reasons that proactive security analysis teams are not present, or only part-time is cost and lack of measurable valid metrics.  How do you measure the effectiveness?  It is possible the team might go for weeks, not finding any big vulnerabilities.  Maybe there are not currently any attacks present on the network.  Maybe there are active attacks, but they are currently not looking in the right places?  Maybe they don’t have the expertise required to see the attack in progress?   From a financial perspective, one sees large sums of money for the team of experts and you may or may not get tangible results.  It is a tough justification.  If money gets tight within the organization, this problem often worsens.  Research often falls into very similar circumstances.  There is an intrinsic value to having these types of teams, but how does one represent that financially?  I haven’t figured out an answer to this yet.

For industries that provide infrastructure or financial services, or deal with data that is sensitive, I believe that regulation from government is necessary for this type of activity to be provided with guarantees.  I think as a society we will eventually get there, but it will be a long battle with industries pushing back indicating that they can self-regulate.  Given the types of attacks that are now prevalent, proactive analysis with expert people is absolutely necessary.

If you ask any organization large or small they will all state they take information security very seriously.  But would you expect a different answer?  I have spent the last 8 years consulting, and this has given me an insight into those statements.  In my experience, the reality of those statements contains quite a bit of variance.  From my consulting engagements in many different parts of the world, I find that this is somewhat geographically based.  If you head over to the Middle East for example, I have found that proactive security is present in many organizations and it is not new.  The attitude is different as well.  Proactive security is expected, from senior management down, and if you mention the idea of not having it, the reaction is to look at you as if you are nuts and in most cases that reaction is a truthful one.

How serious is your organization about security?  Do their actions match their statements or are they just words?

A GM Equinox, end user experience and security

April 5th, 2010 Clear2Go 2 comments

We own a 2007 Equinox built by General Motors.  Besides being a little heavy on gas usage by today’s standards, it is a good vehicle.  It is comfortable, handles well in winter, has plenty of room.  I have never been a fan of North American vehicles.  I personally tend to favour Acura, Audi, and Mazda, but the Equinox at least got me feeling better about GM vehicles.  Then I had to change the headlight.

The passenger headlight was no longer working.  When I went in to get the oil changed, one of the technicians informed me that it was out.  I asked if they changed light bulbs.  He said they do, but not on this vehicle as they did not stock the bulb.  What he said made sense and I knew he wasn’t lying, but something about the way he said it bothered me.  A couple days later, my Mazda was at Canadian Tire getting the brakes done and the summer tires put on.  I asked the mechanic if they could replace a light bulb on a 2007 Equinox.  He said they could but it would be at least an hour in labor charges.   How hard could this be I thought to myself?  So I purchased the light bulb for $10.00 and thought I could put it in myself.  The manual had a single page with 3 diagrams and 4 steps each a single sentence.  With instruction manual, light bulb and required tools I was Clear to go …. or so I thought.

In order to get at the light bulb to change it, I had to remove 11 screws, one of which is way down through a tiny hole that you can barely get your arm in, let alone the ratchet tool needed to undo it. The first 8 screws loosen the front grill, so you can bend it back, so you can get at the light.  You have to loosen and pull the light unit out to replace the bulbs.  The actual bulb replacement was easy, took 2 minutes.  Then you get to put everything back together.  Needless to say I was happy I accomplished it, but frustrated it was so much work.  I now understand why mechanics charge an hour of labour to replace a headlight.

I think something went wrong during the design of the Equinox, they lost the perspective of the end user.  I expect to have to do certain tasks to maintain my vehicle in good working condition.  The end user will have to put gas in it, check the oil level, check the washer level, check the tire pressure, change light bulbs. When designing a vehicle these things should be easy to do.  Removal of an entire front grill, reaching to find screws in small confined places to remove a headlight assembly are just silly.  Where was the person that during the design process said “Wait a moment.  The end user will not be able to replace a burnt out light easily. We need to re-think this.”?

This whole situation reminds me of the security industry I am a part of.  So many of us are paranoid, constantly trying to ‘lock’ things down, create multiple steps that a user has to go through to get access or maintain access to networks and data, often to the point of inconvenience and annoyance.  One of my first managers, now retired, constantly complained about this type of behaviour.  He was a very smart person and I learned a lot from him technically.  I also learned a lot from him about large financial institutions and people.  One example was the password requirements.  It was required that every 3 or 4 weeks, you had to change your password.  The password had to have so many characters, including a numerical as well as a ‘symbol’ character or two.  He kept changing between two passwords.  Then someone in security got the brilliant idea that in order to increase security, they would remember the last 30 passwords so that users would be forced to create new ones.  That would increase security right?  He was so annoyed that he changed his two passwords to a single password with the month and year on the end.  Every time he needed a new password he would simply change the month and year.  Problem solved.  It was unique and predictable.

If we are designing vehicles, applications, network security, or procedures it is important to include in the design the answers to typical human behaviour.  How will end users respond and react to design decisions?  Is this response what we wish?  What ways could it be mis-used?  If you are not satisfied with the answers, you should re-consider the design.  In the case of security, it is important to accurately assess what you are protecting and design security accordingly.  By attempting to enforce more security than is necessary, you may actually increase and not decrease the risk of what you are trying to protect.

One thing for sure, the next time I purchase a vehicle, I will be checking how much work it is to change a headlight.

Categories: Human Behaviour, Security Tags:

Linchpin

March 13th, 2010 Clear2Go 2 comments

Linchpin by Seth Godin was a really good book and was released at the perfect time in my life and career.

Linchpin discusses many topics including how it is necessary for individuals to exert emotional labour while at work, the need to stand out and be indispensable, and how our brains are wired to naturally resist becoming a linchpin.  It also discusses how management, history, and school have taught us to follow the rules, work hard and you will be rewarded, and why this no longer will ensure a happy and prosperous future.  These and other concepts are tied together very well, and give the reader a new perspective.

For some it will drastically change their perspective on work and their interactions with others in all areas of their life.  For others that are already on their way to becoming a linchpin, it will provide guidance and ideas for growth and improvement.

While I believe that many industries will and do resist the ‘Linchpin way of thinking’ due to historical concepts of what worked in the past, eventually it will take hold in all industries.  It has to, and this becomes more and more obvious as you read the book.  The previous and in some cases current ways of running businesses, working with customers, and fellow employees are no longer viable.  Clear real world examples are given as well as science to back up the concepts and ideas presented.

Although the entire book was excellent, two sections that ‘registered’ with me on a very intimate level were More cowbell and Honest signals in every day life. More cowbell is something that I have realized my mother taught me growing up.  Basically, if you are going to do something then do it.  Don’t do it half way, or partially, do it.  Honest signals in every day life discusses concepts such as micro-expressions and the basic idea that we as humans naturally detect who is honest and sincere and who is not and we react accordingly.  The non-verbal communication registers with us much more than what is said.

A few of my favourite quotes:

When your people do what they do because they love it, it works. Even if they’re not as technically adept as the competition.

The reason start-ups almost always defeat large companies in the rush to market is simple: start-ups have fewer people to coordinate, less thrashing, and more linchpins per square foot.

It is okay to have someone you work for, someone who watches over you, someone who pays you. But the moment you treat that person like a boss, like someone in charge of your movements and your output, you are a cog, not an artist.

People are not going to follow you because you order them to …. Linchpins don’t need authority. It’s not part of the deal. Authority matters only in the factory, not your world.

People follow because they want to, not because you can order them to.

The linchpin is able to invent a future, fall in love with it, live in it — and then abandon it on a moment’s notice.

Management, entrepreneur, leader, worker, mother, father, or spouse there is a message for everyone.  All in all this book is about growth.  Learning to become a linchpin while respecting the needs and concerns of others.

In addition, here are some great quick videos, where people speak about Linchpins.

Categories: Book Review Tags:

Verified by Twitter is just silly

March 4th, 2010 Clear2Go No comments

Have you ever seen the Verified by Twitter logo?  It is supposed to give the public assurance that the person that holds the account is the real person and not someone pretending to be them.  Off and on over the last few weeks I have been trying to find out what the procedure is. What are the requirements?  How do they prove the individual is who they say they are?  Does Twitter intend to roll it out to everyone?  I have had no luck.  Any queries seem to go into a vacuum.  They have this page which says:

To prevent identity confusion, Twitter is experimenting (beta testing) with a ‘Verified Account’ feature. We’re working to establish authenticity with people who deal with impersonation or identity confusion on a regular basis. Accounts with a Verified are the real thing!

The first and last statements are what interest me, “To prevent identity confusion” and “Accounts with a Verified are the real thing!”.

I have always been a fan of the music group The Corrs.  One of the members, Sharon Corr, has gone out on her own and is creating some songs and getting ready to release an album.  I have been following her on Twitter. She has a Verified by Twitter account. Her Twitter ID is @Sharon_Corr.  If I look at her account, from the picture and links to her website and videos I can be reasonably certain it is her.  However, what if you were looking for a different Sharon Corr?  There must be more than one Sharon Corr in the world.  So I randomly tried @SharonCorr.  This person appears to be someone who writes poetry.  But is her name really Sharon Corr?  What if it is and she applies for a Twitter verified account?  Will Twitter verify it and give her the Verified by Twitter logo?  If her name is Sharon Corr, then they should.  But that might confuse someone like myself, looking for the singer Sharon Corr, so maybe they won’t.

How does Verified by Twitter make me feel safe as a user of Twitter?  If they fully roll this program out, they will encounter multiple people with the same name that all have verified accounts.  Maybe they use the URL on the profile page as the key.  If I see that the URL points to Sharon Corr’s website and there is a Verified by Twitter logo I can be certain that the person that has the website URL also owns the Twitter account.  Of course that would confirm the relationship between the Twitter account and the website, not the actual person Sharon Corr.  This of course assumes they know what I am looking for.  How do they know which Sharon Corr I want?

I looked up Taylor Swift for fun.  Her account is Verified by Twitter.  Her ID is @taylorswift13.    There is also a @taylorswift13x.  If you look at the two accounts they are very similar.

Taylor Swift’s real account (I think)

The website doesn’t help, because the URL points to itself.  We know Taylor Swift is popular so if you look at the followers count and combine that with the tweets and news articles you can conclude this is her account … maybe.

A fake Taylor Swift account (I think)

This is probably the fake one because of the follower count.  But then again, maybe this person’s name is Taylor Swift and maybe this is the person I am looking for, not the popular one.  I am very confused now and Twitter said in their statement above that they were going “To prevent identity confusion”.  In order to do that, you actually have to know what identity I want to find, you can’t just guess. But that is what they are doing, ‘guessing’ what I want based on popularity.  I think Verified by Twitter is just security theater.  The verified account doesn’t help.  Verifying someone is a complex problem and putting a logo on a page just doesn’t cut it.

Maybe the logo should really be “Twitter verifies this to be the popular person you might be looking for logo”?

Categories: Security, Uncategorized, musings Tags:

How to determine what you are worth financially?

March 3rd, 2010 Clear2Go No comments

Ever wonder if you were being compensated appropriately?  Maybe you are being underpaid or maybe you are being overpaid.  Being underpaid or overpaid is often typical.  In the first case, you might have been in your current position for 2 years and the cost of hiring an individual in your role with your skill set has increased significantly.  Often times since you have been at the company for a while, you have received the standard increase in salary of x percent which is less than the current market rate.  In the latter case, the market value of someone in your position with your experience has dropped.  New hires are cheaper, but the employer typically doesn’t drop your salary, they just give you the nominal x percent raise per year.

I know one individual who was at a company for a number of years.  He moved within the company to manage a new team.  He was surprised to learn the amount of money his team members were making compared to his salary.   He then became really upset when he learned that an individual that now reported to him was making more money than he was.  The company rectified the situation of course, but these things happen.  Salaries get out of alignment with the market.

I have been trying to determine my market value lately.  I hate the money part, I always have.  I like doing interesting stuff with cool people.  For me the money is secondary, tertiary or even further down the list, it always has been.  That being said, you have to pay the bills, and you want to be treated fairly. In order to know that you are being treated fairly, you need to have some data to compare and contrast.  I have tried several methods including on-line databases and research reports on salaries for people in technology.  I found them to vary widely regardless of the factors.  I didn’t trust the data I was getting.  The results were all over the board.

I have however found the answer.  My solution was to query my network.  Via E-Mail, face to face conversations and Twitter, I asked a selected variety of individuals in the technology field (some managers, some directors, others owners of companies) for input based on a few simple criteria including years of experience, location, and type of opportunity.  The responses were great.  They varied in detail and some included bonus and wages but information was very consistent across the network.  I am now much more comfortable with the market value for myself.

Personally, I have always wished that people were more open with their compensation.  Not to be nosy, but I think the openness would help many people and the industry in general.  Unfortunately, it is considered a very ‘private’ matter.  Most companies of course have explicit rules that say you cannot discuss your compensation.  You can understand why they do this of course, it is to their advantage, not the community’s.

I’m realizing more and more that my personal network has a lot of untapped value. I need to harness it more and I also need to ensure I give back even more as that is what keeps it going. To all the individuals that responded to my query, thank you.

Do you know what you are financially worth in your market?  Is the value accurate?

Categories: musings Tags:

Information leakage and privacy

March 1st, 2010 Clear2Go No comments

Have you ever sent an email from a personal email account at work such as Hotmail, Gmail, or your personal account at your service provider?  When you do that you might assume that since you are sending the email from a central system it would not be possible for the recipient to obtain information about you beyond what you give them and an email address.  Unfortunately this is not true.  Information is leaked in many ways.  SMTP, DNS, HTTP all can leak information about a particular individual or organization.  In my experience, most people know this is possible, but fail to grasp the ease with which information about a person or company can be discovered.

Here is a simple example to illustrate.  I have found when speaking to many users of email, they feel that their location could not be determined by the recipient of an email unless they specifically give it, or it would be at least difficult to find out.  They feel even more comfortable with this statement when they are using their personal email from a terminal at work or an Internet cafe via a browser.

I was recently corresponding with a friend of mine.  She has a Rogers email account that she uses for her personal email.  She sent me a response to an email.  By looking at the email itself, there is no information that would give away where she was located.  However, if I look at the email headers a wealth of information is available.  Let’s focus on one piece.

* headers not required for purposes of entry have been removed and others edited as required to protect identities

The ‘Received:’ header above displays an IP address.  Taking that IP address and doing a ‘whois’ (shown below) reveals the company name where the email originated.

* removed ISP information and edited company info to ensure privacy

How could this information be used?  If someone wanted to surreptitiously gather intelligence on a target, one could send an email to a target asking an innocuous question.  By responding the target has unknowingly revealed their place of employment.  A few searches on Google, a picture on Facebook of yourself and family members … you get the idea.

This type of information gathering has valid uses.  Determining a time-line of a target and their actions from a corporate or legal investigation, determining if your spouse is cheating on you, or your teenage child is lying are some examples.

I am not suggesting that you should try to hide this or not use the Internet.  I am also not suggesting it will be fixed anytime soon, if ever.  I am suggesting to be aware.  Be aware that in today’s world, data about yourself is being leaked all the time and any determined individual or group can find out what you are up to with minimal effort.  Be aware that even the most common activity leaks data.
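To see what your own outgoing mail reveals, send yourself a message and read its headers. The sketch below is an added example, not code from the original post: it walks the Received: chain of a constructed message (invented hostnames, RFC 5737 documentation addresses) and returns the first routable address recorded for the sender, which is the value a whois lookup would be run against.

```python
"""Added example: what the Received: headers of a sent message expose."""
import ipaddress
import re
from email import message_from_string

# Constructed sample, not real mail: hostnames are invented and the addresses
# come from the RFC 5737 documentation ranges.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.25])
\tby mailstore.recipient.example with ESMTP id A1; Mon, 1 Mar 2010 10:15:04 -0500
Received: from webmail.isp.example (webmail.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Mon, 1 Mar 2010 10:15:02 -0500
Received: from [203.0.113.45] by webmail.isp.example with HTTP;
\tMon, 1 Mar 2010 10:15:01 -0500
From: Friend <friend@isp.example>
To: Me <me@recipient.example>
Subject: Re: quick question

Sounds good, see you then.
"""

# Addresses that say nothing useful to an outside whois lookup.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
FROM_BY = re.compile(r"from (?P<src>.*?) by (?P<by>\S+)")


def classify(ip):
    """Return 'internal' for private/loopback/link-local, else 'routable'."""
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "routable"


def received_hops(raw_message):
    """Return the relay hops oldest-first as dicts with 'from', 'by', 'ips'."""
    msg = message_from_string(raw_message)
    hops = []
    # Every relay prepends its own header, so the last one listed is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()  # undo header folding
        match = FROM_BY.match(flat)
        if not match:
            continue  # e.g. a local delivery line with no "from" clause
        ips = []
        for text in IP_IN_BRACKETS.findall(match.group("src")):
            try:
                ips.append(ipaddress.ip_address(text))
            except ValueError:
                pass  # bracketed text that is not an address
        hops.append({"from": match.group("src"),
                     "by": match.group("by").rstrip(";"),
                     "ips": ips})
    return hops


def exposed_client_ip(raw_message):
    """Return (ip, recording_host) for the earliest routable sender address.

    Meant as a self-audit of your own mail: headers below the first server
    you trust can be written by anyone, so this proves nothing about a
    message received from a stranger.
    """
    for hop in received_hops(raw_message):
        for ip in hop["ips"]:
            if classify(ip) == "routable":
                return str(ip), hop["by"]
    return None


if __name__ == "__main__":
    for number, hop in enumerate(received_hops(SAMPLE_MESSAGE), start=1):
        seen = ", ".join(f"{ip} ({classify(ip)})" for ip in hop["ips"]) or "none"
        print(f"hop {number}: recorded by {hop['by']}: {seen}")
    print("address a recipient could look up:", exposed_client_ip(SAMPLE_MESSAGE))
```

If the earliest hop shows only an internal address, the first routable one usually belongs to the network's gateway, which still identifies the organization.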

How secure or anonymous do you feel when using the Internet?

Categories: Forensics, Privacy / Anonymity Tags:

Copyright and Geo-IP failure

February 24th, 2010 Clear2Go No comments

I live in Canada.  The current Winter Olympics of 2010 are in Vancouver B.C. which last time I checked was in Canada. According to NBC I am not permitted to view the Olympics due to Copyright.  The 2010 Winter Olympics in Vancouver B.C. Canada is restricted to viewers within the United States.

Of course I was able to view the videos.  Amazing what you can accomplish with a simple proxy plus some software to save the video to disk for normal viewing.  This is the Olympics – where the world comes together to compete, share and all that.  Yet there is copyright being applied nationally.  Just silly. Geo-IP is silly as well for this type of enforcement.  When it comes to content delivery networks, Geo-IP is very beneficial to delivering data efficiently, but its use for copyright between borders needs to go away.

Categories: Copyright, musings Tags:

Tiger Woods, apologies, and private lives

February 20th, 2010 Clear2Go No comments

Normally I wouldn’t bother to tune in specifically to listen to Tiger Woods apologize, but I happened to be somewhere where it was on the radio so I listened.  I watched his apology again last night.  To me it didn’t feel sincere, it felt scripted, controlled.  I admit that would be a tough thing to do without some preparation, that isn’t what really bothered me.  What really bothered me about his apology I have been bothered with before.  I have observed it previously in other apologies, interviews and statements from individuals in the public eye.

Tiger was upset about the media probing his family and following his daughter to her school.  He made statements such as:

“what we say will remain between the two of us”

“every one of these questions and answers is a matter between Elin and me”

“these are issues between a husband and wife”

I have seen this many times before and here is the thing; when you choose a path which moves you more in the public eye, you lose some of your private life, period, full-stop.  It has always been this way.  More specifically, if you choose to become a politician, police officer, actor, sports professional, appear on a reality TV show, CEO of a major company, popular blogger or anything else where you increase your exposure in the public eye, you choose to sacrifice some if not all of your private life.  This choice extends in different degrees to your family, friends and anyone else connected to you.  Grasp, think about, and understand this concept.  Seriously consider it and the possible repercussions.  Now make your decision.  Choose wisely, because you, your family, and everyone involved with you will live with this decision.

While I understand the frustration this probably causes these people to feel, and I personally feel bad for Tiger’s daughter, I do, Tiger made that choice.  Consciously or not, when Tiger decided to pursue a career as a golf professional he made that choice for himself, his family, his daughter and anyone else involved in his private life.  Right or wrong that is what happened.

Especially in today’s world of the Internet, blogging, Twitter and other social media, the expectation of a private life that remains private is just silly.  Losing some or all of your private life is part of the choice when you decide to do something that puts you more in the public eye, and it is not negotiable.  If you have made a choice to be in the public eye then when you apologize to the public, don’t expect a private life.  To me it shows a lack of accepting responsibility for your choice and maybe a little bit of stupidity.  Instead, consider the public eye a risk factor when making decisions and give it the appropriate weight because it is a factor and this factor is not in your control.  Deciding where to go with your wife for dinner, where to take your family for vacation, what dentist to use, what school to send your daughter to, purchasing your son that iPhone, having an affair, or whatever the decision is, all require a risk assessment of the public eye factor.  Assess the risk and decide accordingly.  Yes, that probably sucks, but you chose that when you chose to be in the public eye.  Ignoring, downplaying, pleading or trying to control it won’t make it go away.  When you use your credit card, you accept the terms of service.  Even if you didn’t read them, they don’t go away.  The credit card company will still hold you to them.  It is the same when you choose something that will knowingly or not put you and your loved ones in the public eye.

I personally do not care about Tiger Woods’ private life.  I have enough trouble keeping up with my family and friends’ lives.  I typically don’t read gossip articles or posts.  I have no real interest in private lives of people that I do not have a relationship with.  I do feel bad for his daughter.  For her that must really suck.  I dislike the paparazzi and could never do that job and feel good about myself.  I hope Tiger as her dad has learned to factor his daughter into his decisions in the future.  But don’t expect a private life when you make a choice that puts you more in the public eye.  That is just silly and history shows that it never works.

Categories: Human Behaviour, musings Tags:

Tor and plausible deniability

February 18th, 2010 Clear2Go 2 comments

Once again I have been experimenting with the Tor network.  In doing so I have set up some Tor nodes. I have received a few notifications that my computer ‘may be infected’. Google for a brief period of time requested I enter a CAPTCHA to confirm I am human.  These are all expected minor nuisances when running Tor as an exit node. My main reason for setting up Tor this time is to obtain a better understanding of what happens to behavioural and static detection when a Tor exit node is present.

If you want privacy or anonymity on the Internet, there are many things you can do. Proxies, Tor, encrypted tunnels, compromised systems, and many other techniques are available.  None of these will guarantee you anonymity or privacy, but they each help and the more you can do the better.  There are caveats of course and in several cases while consulting I have come across scenarios where a client thought they were being anonymous but were in fact not as anonymous as they thought.  When you are trying to be anonymous, use of monitoring techniques and system checks really help.

I’ve realized that running a Tor exit node but not using it yourself gives you anonymity.  I’ve always known this inherently, but I’ve realized that it is even better than I thought.  Say you are an evil person doing something evil on the Internet.  If your activities were being tracked by your service provider due to a warrant from law enforcement or laws were put in place that required all service providers to track and retain your Internet surfing activities for a period of time, they would be recording the surfing habits of every connection that selected your Tor node as its exit node.

If they accused you of illegal activity, you could easily say that was not me, it must have been someone using my Tor node.  While this is not a guarantee the criminal would not get caught, it would increase the cost of the investigation significantly.  More investigation time, more forensics to prove that the suspect is the criminal.  Add in anti-forensics on your terminals and systems you use for the crime and the costs for investigation again will increase, forcing them to assess if it is worth the time, money, and resources required.

If countries are going to deploy the retention laws similar to the above, it will only be a matter of time before they will have to outlaw services such as Tor in order to make them effective at catching the serious criminals.  From a Tor network perspective, these laws might help increase the node count of the Tor network on the Internet which is a good thing for them.

I wonder if law makers consider these questions when suggesting these laws?

Breaches in healthcare, finance, and restaurant services

February 10th, 2010 Clear2Go No comments

There are some interesting events and decisions happening in the restaurant, finance, and healthcare industries.  These and similar events of course affect any companies in other countries such as Canada with international customers in these industries.  A part of me hates to say this, but these data breaches are a good thing.  Breaches force laws which in turn force companies to spend appropriate time and monies on security research, secure software development, secure network architecture, secure deployment and proactive monitoring that should be done.  It puts financial and legal obligations on private companies, which causes the risk factors to change when assessing security.  Far too often, security is one of the first things to be ‘adapted’ when costs get higher than expected or time lines become critical.  If you ask any company they will say security is a primary consideration at all points in the development and release process and in some cases they are being truthful.  However, in many cases the minimum bar with security needs to be raised significantly.  Simply running your code through some basic buffer overflow checks, installing an IPS or firewall, and checking off your ITIL checklist is not enough, not even close.

The private sector has a long way to go with security in software development, network infrastructure, and international laws.  Security breaches force laws and public scrutiny, which in turn holds corporations and individuals accountable.  They are a catalyst which unfortunately I believe is necessary for appropriate change to occur in this area.  What I sincerely hope is that these and similar events cause large corporations and software vendors to become much more proactive when it comes to security than is currently the case.  If done properly and pro-actively, less government regulation will be required.  I believe the choice as to how this plays out is with the private sector.  If private sector companies continue doing the minimum, then I suspect regulation will eventually be forced upon us.  I hope that too much regulation is not required.

Does your company lessen security requirements due to costs or project time-lines?

Categories: Security, Software Liability Tags: