Working in security, I spend a fair amount of time reviewing and looking at the work other people do. It turns out that when you do that for 10 years, eventually people start seeing you like this:

While some of the things I have seen make me feel that way [2], the reality is that I have tried to spend most of my career helping people to try to do things better, not to stop them doing new and cool things.

I have lost count of the number of times someone has said in a meeting “We can’t do that, security won’t let us!” with me sitting right there! Ok, fair enough, sometimes it’s true, but most of the time we are really trying to say “Not like that!”. You need a remote access solution? Sure, but let’s put that RDP service behind a VPN. Need to install a new, untested web service on our domain? Ok, but why don’t we do some testing and maybe some fuzzing on it first. You want to ship all of our employee data to that third party? Let’s have a chat with them first so that we can make sure their security practices are reasonable.

If I am talking to you about a security issue and you think I just said “No”, make sure you listen to the rest of the “t like that!” because I am probably trying to help you[1]!

[1] The exception to the rule is if you are talking about PHP or Perl. Then I mean no.

[2] Circa 2016, I started to come around on WordPress, as the automatic update features and PHP’s overall maturity started to improve.

HR wants your password? Be careful…

There have been a number of articles recently covering the practice of prospective employers requesting access to social media sites, personal email accounts, or other deeply personal stores of information.

Despite this being an egregious violation of privacy, it is a growing practice, and one that requires clear guidance and regulation or legislation to protect users. The good news is that the tech industry doesn’t need to wait; most of the major players have clearly defined policies which forbid this practice.

Facebook asks its users to commit not to share their passwords or accounts as part of their “rights and responsibilities” which stands in place of the terms of service. LinkedIn has a similar requirement in theirs. I am not going to do an exhaustive survey, but it is highly likely that these terms are included in most others as well.

These service providers should clearly and publicly respond to this usage pattern and inform businesses that if they continue this unethical (and potentially illegal) activity, they will be blocked from accessing the services.

There is not much of a motivation for them to do so, but social media sites should also take technical measures to detect users who are granting account access to third parties and actively warn them that they may be violating the terms of service.

A few strategic short-term bans on users who grant this type of access would create a world of hurt for recruiters and compel users to refuse to participate in this behavior.

On Splitting Hairs…

This probably isn’t as constructive as it could be, but arguing that something is or isn’t a concern based on multiple definitions of a word is generally ineffective when the root cause of the argument is the multiple definitions of that word.

“Without wanting to have the same arguments again (not the point of this thread), there are two overlapping uses of the verb ‘discriminate’.”

and

“I support the legal definition of marriage which is the voluntary union for life of one man and one woman to the exclusion of all others. I oppose any attempt to redefine it.”

Considering the source for the modern “legal” definition of marriage in most of the “Western World”, I think that is far too narrow an attempt to define it. For the Judeo-Christian perspective, please consult this handy chart:

Security Conferences are making me sad…

Over the course of my career I haven’t had the opportunity to attend many security conferences, for two reasons:

  • the organizations I worked for didn’t really support sending staff
  • I tend to be socially awkward, and have difficulty talking to people

When I started at Mozilla I was super excited about both attending and participating in conferences since not only could I actually attend them, but pretty much everything important that we do at Mozilla is done in the open! Since presenting and participating in security conferences would help me work on the social anxiety bit, and I would learn stuff, it was a huge win!

The conferences I attended several years ago left me inspired, excited, with a pile of ideas for problems to tackle, and tools to develop. The conferences I have attended in the last year have left me thinking “That was a really great rehash of stuff that has already been done to death, with a minor twist at the end.”

To a certain extent this is likely the result of the state of advances in the field. Ground-breaking, revolutionary new attacks are going to become increasingly rare; you can read more about why here, but basically, IT Security and InfoSec are starting to mature as a research field. Another reason is the increasing desire to extract direct value from security research; if it can’t be used for marketing, or sold explicitly in a vulnerability market, then it is a trade secret that can be rehashed as special consulting secret sauce. Coupled with the proliferation of security conferences of varying degrees of quality, and the glut of “me too” presentations, I think this is going to get worse before it gets better (at least for offensively focused conferences).

Despite my concerns on this, I have continued to attend because I still want to build a better network; first, because sharing ideas and info is fun and cool, and second, because we have a bunch of neat open jobs, and talking to smart people about Mozilla’s mission and work is a great way to try to recruit people! Unfortunately this also makes me sad. At virtually every conference I have been to, it has been nearly impossible for me to ‘meet people’ and ‘network’. I blame myself for this because of the reason listed above, but it is also the result of the cliquey nature of communities.

There are some exceptions to my conference malaise, and those were the BSidesSF events, even though the talks were less engaging[1] this year than they were in 2011. The BSides events were very interesting because although there were still cliques, they were easy to mix into. The groups were small, the attitudes of people were generally more positive, and everyone I spoke to was interested in chatting and getting to know people.

Rather than just complaining about it, I am going to try to do something about it. A few years ago I had the opportunity to present at a cool conference, but my employer at the time interfered. Now that Mozilla is actively promoting our mission, and supports pushing the security component, I am going to push hard to complete two distinct research projects over the next year, and aim to present the results and tools. Although either of the topics would likely be suitable for a major “mainstream” security conference such as BlackHat, RSA, (Can|Pac|Eu)Sec, I will aim to present at smaller regional conferences, or conferences that are focused on open communities such as MozCamp, OWASP, or BSides events.

My Projects

The first one builds on the Garmr tool that Mozilla released earlier this year, and will help security teams to perform low to moderate risk assessments at scale. I aim to present these application security tools at a conference in Q3 of 2012, with a tool release in late Q2 or early Q3. The focus of this tool will be implementing some of the concepts and ideas I wrote about when I joined Mozilla, with the aim of enabling teams to perform security work at scale.

The second one will be an attempt to combine some of the AppSensor / Attack Aware Application work that OWASP published with some really cool new technologies to take security event monitoring in a different direction. This is a joint project with another person and will not be ready until sometime in 2013.

I hope to see people at future conferences, and will continue to chip away at building a better network and meeting people, but I really hope that shifting focus can help me to recapture some of the inspiration I used to get from the security community!

[1] YMMV! Several of the talks touched on areas I have done work in the past, so there was not much new ground covered for me.

Voicing an Opinion

Mozilla is a fascinating place to work. I am surrounded by brilliant people who inspire me on a daily basis.

One of the great bits about brilliant people is that they usually have some very well-thought-out opinions or beliefs, and most people tend to be very vocal about them. Because we are an open community at Mozilla, we also have many ways to share information, including Mozilla-hosted and personal blogs, social networking tools, etc., etc., etc., and we also host an aggregator for this content at planet.mozilla.org.

Yesterday a prominent member of the Mozilla community posted a call to action for his particular set of beliefs that was picked up by planet and shared with the entire Mozilla community, and a huge “discussion”[1] ensued.

“I may not agree with what you say, but I will defend to the death your right to say it.” – Voltaire

So let me be 100% clear. Gerv’s comments were his own. They are based on his world-view, and to many people, they are patently offensive and discriminatory. That said, Gerv has every right to voice his opinion. His opinion is offensive to liberal-minded people, but suppressing offensive speech or writing is a dangerous first step to oppression. Consider this: if the gay rights movement, or the black civil rights movement, or the women’s rights movement didn’t have the advantage of freedom of speech, those nascent movements would have been killed before they accomplished the laudable goals they achieved.

Because the people who launched these movements in the west had (for the most part) the luxury of freedom of speech, the voices of the individuals who opposed the advancement of human rights were drowned out by the voices of those pushing for freedom and equality.

“A great many people mistake opinions for thought.” – Herbert Prochnow

Suppression of offensive opinions or beliefs (I hesitate to call them ideas, because it implies there is something innovative, new or original about the opinion) is not the correct approach. Keeping things in the dark is a great way to allow a subculture of hate and fear to grow, and silencing a hateful voice pushes it into hiding.

Do not silence someone’s opinion through censorship; instead, drown out the voices of hate and discrimination with shouts of support, and calls for equality and freedom.

On an additional note, throughout the history of humanity, anyone who stands opposed to equality and human rights has ended up on the wrong side of history.

[1] and by discussion, I mean shitstorm.