What Schools Don’t Teach

“Every student in every school should have the opportunity to learn to code.”

We couldn’t agree more!

As you probably know, the United States has constantly lagged behind in global math and science scores. As the New York Times reported this past December, “In the United States, only 7 percent of students reached the advanced level in eighth-grade math, while 48 percent of eighth graders in Singapore and 47 percent of eighth graders in South Korea reached the advanced level. As those with superior math and science skills increasingly thrive in a global economy, the lag among American students could be a cause for concern.”

I would argue that a substantial part of the issue is what we’re not teaching. In 41 states, coding courses do not count toward high school graduation. This is a terrible oversight for several reasons:

1) The backbone of computer programming is … math and science.

2) Computers have become a necessity in our culture, on par with food, water and shelter. Global and national business transactions, online connectedness to family and friends, mobile applications, web-based games and social media are all computerized elements that are daily fixtures for most Americans.

3) Because of the computer industry’s relative youth (we’ve only been using the internet for a little more than 20 years) and still untapped potential (mobile and cloud for example), possibilities for growth are virtually endless.

So wouldn’t you think the leaders of our educational system would start putting two and two together, identify this huge opportunity and create a game-plan to proactively solve a problem that is as crystal clear as bottled water? The stats are available for all to see. Here’s what we’re looking at:

Infographic Coding

Thankfully, the non-profit, Code.org, has taken notice and is dedicated to growing computer programming education. It’s time we engage our legislators, youth and education professionals to make the changes necessary to embrace computer science as the present and future of math and science.

And if you have a couple minutes, check out Code.org’s video, “What Schools Don’t Teach,” starring a who’s who of the computer industry, including Bill Gates, Mark Zuckerberg, Jack Dorsey and many more.

Holding your phone wrong is … right?

A big joke in the cellphone industry was the excuse Apple gave for the “antennagate” issue upon introduction of the iPhone 4: “you’re holding it wrong.”  Funny enough, holding it wrong may be the way to go in the future.

You’ve probably seen published lists of the most commonly used PIN numbers, including such creative numerology as 1111 or 5683 (spells out LOVE). Security experts look at those lists and shake our heads wondering what people were thinking when they hit “1” four times and thought their phone was secure.

Of course, at least they’re using a PIN of some sort in an effort to protect their phone. Even if the PIN is considered “weak,” the stark reality is most people don’t use one simply because PIN codes are inconvenient and take time to enter. In fact, most people don’t use any means of data protection at all.

Thank goodness you’re not one of those PIN-less cellphone users, right?

Well, what if I told you your PIN, no matter how cleverly created, is now trivial to hack?  And that nifty complicated thumb sliding lock pattern you came up with that would require the hacker to be double-jointed to pull off?  Even easier.

There’s a new PIN and lock pattern proof-of-concept hack from Dr. Adam Aviv and his team of researchers at the University of Pennsylvania that uses the accelerometer in your phone to detect how it moves in space specifically during the unlock process.  As you move your thumb to hit the PIN numbers or trace the unlock pattern, this hack track the accelerometer data and matches it against its database of known patterns. They’ve been working on this attack vector for a few years now. Their previous approach utilized the gyroscopic sensors which lead to very imprecise measurements, but this new approach uses the accelerometer sensor in a “high bandwidth” mode and the results are pretty spectacular. In controlled settings with the subject seated they were able to guess the PIN number used 43% of the time and the unlock pattern 73% of the time.  When the subject was walking, the accuracy dropped greatly due to the additional movement noise introduced to the sensors that resulted in only 20% of PINs and 40% of patterns guessed.  They also mention the possibility of utilizing machine learning to determine text-based passwords as well, but mention no collected data against it.

I suspect long key presses for alternate characters may be difficult to decipher from the accelerometer data, but they do briefly mention key permutations (each key having multiple values from long presses), which increases the number of guesses required to get a four number PIN combination. If one were to use a very complicated password or random characters you could make it highly unlikely to guess your password using this method. Of course, you would also be spending the bulk of your time on your Smartphone entering an unlock password.

Another possible solution is to change the orientation of your phone (i.e. holding it wrong). Since Dr. Aviv’s team is only reading the accelerometer values and not the gyroscope values, which track pitch and roll of your phone, one could throw their data off. If they accounted for this circumstance and polled the gyroscope to determine orientation values while polling the accelerometer, the data sets would be much more complex as a result.

So clearly the best response to this type of attack method is to boogie down, run, jump, etc. while unlocking your phone. Personally, I’m working on some sick dubstep and James Brown moves to go along with my android unlock pattern that should make it near unreadable.


Three Stories about Growing Up

There have been two stories in the media lately and one event on a private mailing list that have me thinking.  First, the stories.

1) Former NFL Quarterback, Jon Kitna, has become a high school teacher. He did this as a way to give back to the community.  However, the most important part of the story is how he is giving back. This is a story about someone trying to change his community by teaching children that their actions have consequences, even if those consequences result in the entire team losing.

2) A Canadian computer science student by the name of Ahmed Al-Khabaz was expelled from Dawson College for running hacking tools against a system that contained data for numerous students. He found a flaw, reported the flaw, but because he did not have permission to run the test, he was kicked out. He has since been offered opportunities with firms and other schools.

3) On my private mailing list, a friend expressed concern over an issue in which one of his students sent a PDF of a book to the entire computer security class. This book was a copyrighted work by someone else that we both know. This was clearly illegal and, by most standards in the security community, unethical.

So, what do all of these stories have in common? Fundamentally, they’re about young people making mistakes. What might be hard to see, though, is that they’re also about adults making mistakes. We tend, in the Security and Legal communities to see the world in black and white. Dawson College expelled Ahmed Al-Khabaz because, in their view, he was “no longer suited to the profession.”  There was discussion about expulsion in the private story as well, because of similar concerns. In other words, we have colleges taking a hard line on students that screw up and are kicking them out.

The problem, though, is that one of the best ways to learn is by making mistakes. Many of the best people we have in IT Security have checkered pasts. Many of the worst people we have in IT Security also have checkered pasts.  While my own past is cleaner than most, I did cross the line a few times in school and got a talking to. I quickly learned both what to do and what not to do, but more importantly, how to do.

Actions must have consequences. Without pain, we do not learn. However, if those consequences are too severe, we don’t learn either. We give up.

If we look at these issues as a society, we have people working defense who are trying things and, if they try the wrong thing with the wrong person, they’re kicked out. We also have people working as attackers. These are well-paid individuals (due to the high risks involved) and are often highly skilled because they are not hampered by people trying to get them expelled or fired for experimentation. In fact, the more we take a hard line approach to these sorts of issues, the more likely we are to identify our best learners (the young people who make mistakes) and drive them to unethical and illegal activities, as we close the door to legitimate work in their face.

In a world where the attackers are massively out-competing the defenders, I have to ask whether this is wise.

Instead, consider Jon Kitna’s story. He’s adopted hard line rules for his football players. If they screw up, they’re out … but not completely … just a game or part of a game. They’re not off the team, they’re not kicked out of the community. This still means a mistake is punished, but done so in a way where people learn from it. Those who made the mistake get the most punishment. Those who supported the mistake while it was being made get a lesser punishment, and all of them serve as examples to keep everyone else where they need to be.

As people, we learn and grow over time. Of these three stories, which supports growth?  Of these three stories, which people would you rather work with as adults?  Who would you hire?

I know, for me, I’d take the under-educated, low-income kids over the college students any time.  Why?  It’s about community. Lincoln High School is making better adults than Dawson College is. The graduates from Jon Kitna’s football team might not be the best educated kids. They might need a lot of hand holding and training to make it in the real world, but they’ll have character. If I’m working a security problem with someone, I need someone I can trust. That means I need someone who has been raised to be trustworthy. Improvement is iterative and if you’re not given the ability to learn and grow from your mistakes, you’re just going to wind up making the same errors over and over again. As a security person, a professional and, really, just as an adult, I need people who have made mistakes, owned up to them and, where possible, fixed them. I need learners and I need people who can see the shades of grey in the world. I suspect that you do too.

Sophos: Pushing the Boundaries

Several people have been asking me lately if I still prefer Sophos technology. After all, they recently released a bad update and Tavis Ormandy’s recent paper illustrated some design flaws in the product.

There’s spin on both sides. Unsurprisingly, Sophos is downplaying the issue and Tavis Ormandy’s tone in his second paper is much like that of his first. So I thought it would be good to explore the issues more fully.

I am disappointed in Sophos’s recent fumbles, but not disheartened. I still think that, for a great many companies, they have the best solution available.

There are two core problems here. The first is that of scaling. As companies grow bigger, they often become slower to react. Sometimes, they fail to adjust to their new reality. Sometimes, however, they get through it and become incredible companies. There are indications that Sophos is beginning the turnaround.

The second problem is industry-wide and has to do with market-splintering. Today, we are facing a splintering security vendor space and reports like the ones from Tavis are a symptom. Reports we’ve been getting for the past few years about AV and IDS being “dead” is yet another symptom.  There’s nothing wrong with these reports and it’s good that people are thinking about the issues. But unfortunately, they’re missing the big picture.

In a splintering space, there is an increasing deviation between what a product actually does and how it is branded. This continues until the vendors wake up and pivot their branding to better match what they actually do. This always takes longer than we’d like, because employees of a company are driven by their brand even more than their customers.

As I see it, the AV vendor space is breaking apart into four chunks:

  • Traditional AV – Focused on being lightweight and supplementing the protections built into an operating system.
  • Anti-Malware – Focused on monitoring and responding to bad and potentially bad things that can happen to an operating system.
  • Application Whitelisting – Focused on locking down an operating system to only allow known applications to run.
  • Malware Analytics – Focused on providing detailed data about events so human analysts can make appropriate decisions.

We are also seeing the attack space splintering as well. Specifically, we’re seeing a tiered structure emerging:

  • Background Radiation – A constant stream of trivial attacks, legacy viruses and worms that float about the internet.
  • Industry-focused Asset Attack – Attacks that focus on specific industries aiming to steal monetary assets. These often rotate between industries, “campaign” style. At present, Western banks are in vogue. Indications are that these attacks are run by organized criminal groups. If you have above average protection in this space, you gain significant competitive advantage as attacks are driven to those that do not.
  • State-sponsored IP Attack – Attacks that also focus on specific industries, but are run by better-organized groups suspected of being funded by state agencies. They aim to steal intellectual property. You get significant benefit from being above-average here too.
  • Industrial Espionage – Attacks focus on specific companies and likely come from other specific companies. There is no benefit to be gained from being above-average in defense, as that just creates rapid escalation in an arms-race pattern of growth.

The third splintering effect is familiar to those of you who have heard my talks or read my comic book.

In the defense space, we have two primary trends emerging based on complexity. Both are valid, but they are completely incompatible with one another (at least on the large scale).

  • Simplification – This trend involves firms who outsource much of their operations and infrastructure to managed SOC providers, cloud providers, SAAS providers, etc. The idea is that by focusing on their core business and finding trustworthy partners, they can become more nimble and therefore, more profitable.
  • Complexification – This trend involves firms who increasingly centralize their infrastructure through virtualization, log management, analytics, etc. The idea is by taking more control, you can better analyze the business and find regions of improvement.

So after this rather long diversion, what does it mean for Sophos? Well, their core strength is offering administrators a solution to rapidly and consistently provide a reasonable level of protection that gives early indicators of attack. This means they’re a great fit for anti-malware up to and including the State-sponsored IP attack tier and work best in simpler environments or in simpler subsets of complex environments.

I do not think that they’re the best solution for highly-targeted complex companies, as they are not an analytics tool. They’re also not the best solution for extremely simple firms that want “set it and forget it” technologies. Security takes work and if you put the work in, you get better security. You should pick a solution that allows you to put in more work than you currently do, but does not require that additional work for the product to still be effective.

Many of the critiques of Sophos tend to be at the edges. And Sophos doesn’t help these concerns by marketing as if they fit everywhere for everyone. I think they’ll eventually reach this goal, but they’re not there today.

If you’re in a highly complex environment that is facing constant incursion from well-funded foreign governments, Sophos better not be your only tool. You need Analytics, too.

If you want the cheapest solution out there that you can install and ignore, Sophos won’t work well for you either. That’s where Traditional AV and the ability to wipe and reload when it fails comes in.

Operationally, you need to figure out what sort of attack and defense space you’re in, so you can select the tool(s) that will provide the best protection for your business. If you overlap spaces, you’re going to need multiple tools. One of the biggest reasons I really like Sophos is because of their flexibility to play in overlapping spaces. They layer quite well with other security products, which is a great benefit for their customers.

Just remember: We live in a complex world. There are no magic bullets. Security requires thought.

Internet Theft and the Holidays

As many of you know, when I am not protecting people and their businesses, I’m often out taking pictures. My camera of choice has been the Nikon d300, which is over five years old now. As with all technology, when cameras age, they become increasingly unreliable and it became apparent over a year ago that my camera was experiencing legacy issues. The weather protection was weakening, the sensor was staring to fail and the batteries were draining faster and faster. If I am going to practice what I preach, it was time to ruthlessly eradicate legacy.

“Ruthlessly eradicate legacy” is one of my mantras when it comes to infrastructure management. Older systems take a surprising amount of resources to maintain and use. Modern technology is easier to update, cheaper to operate and easier for people to use. It also has modern features that can drastically improve capabilities. With servers, this means killing all that no longer get updates (Windows 2000, for example). With cameras, it means time to say goodbye to my old friend and look at other options.

This is not a camera post, however, so I’ll cut short the decision process and say that I settled on a d800 or d800E. For my purposes, there are no differences, so I went out looking for a good deal. After all, Black Friday is coming and now is the time to look for electronics. This, however, is where the story gets interesting.

In doing my research, there were indications that while camera accessories go on sale periodically, the high-end camera bodies and lenses I like only drop in price when a successor comes out. This means I’m stuck at the high end unless I buy used. Moreover, in the Nikon world, warranty is a huge factor and is significantly reduced when you buy used, so it only makes sense to look at that option if you are going to save over 20% off the purchase price.

Which is why, when I found a d800E on Amazon, I got a little excited. In fact, I got a little too excited. I almost got scammed.

The list price on a new d800E is $3,299.99 (which is why my d300 got to be five years old before I considered a replacement), but this camera listed on Amazon.com was just $1,836.73. 56% off is clearly a better deal than 20% … but the deal is a little too good. In fact, it’s so good that a lot of people are going to leap on the deal, so I had to move fast.

Or did I?

See, the deal was too good. I got suspicious. Luckily, the seller had a note in their little logo icon that said to email with questions, so I did… not before I did a bit of research, though.

Continue Reading