Archive for October, 2008

Where do the candidates stand on the Bruce Schneier issue?

October 23rd, 2008

I had to chuckle when I read the CSO blog posting by Jeff Bardin, Schneier on the Shnive.  Jeff is one of those top CISO/ex-CISO types I try to stay in touch with because of his keen insights.  Jeff’s keen insight yesterday was that Bruce is a tool who doesn’t understand risk management, based on his recent commentary, and shouldn’t be calling himself a security professional.  It occurred to me that Bruce Schneier is the information security industry’s litmus test.  We are an industry divided against itself, one house that believes Bruce Schneier provides the most valuable insights and one house that thinks he is a waste of time - it’s just like the IDS debate we used to have!  It isn’t the junior people in the industry who have these strong feelings, it is our leadership, who either think Schneier has aged like fine wine or like expired milk.  I think there is unanimity that Schneier is one of the sages of cryptography; it is when he steps into risk management and many of the other complexities that make up our industry that we see the Crypto-Gram Effect.  (My stance? At the end of the post.)  I do enjoy free-wheeling thinking that can lead to breakthroughs; on the other hand I do believe in a meritocracy, and expertise in one domain is not necessarily transitive to another.

As I read Bardin’s post, I realized that neither Barack Obama nor John McCain has taken a clear position on the Bruce Schneier issue.  I think that responsible information security professionals in the United States need to sit this election out until we get more clarity on this issue.  Would they: a) appoint Schneier to the Supreme Court, b) shoot him into a permanent fixed orbit, or c) appoint him to the head of TSA?

As with most blogging, I bet the unwritten backstory is more interesting, the blog in my head is always a lot better than what I write because of my duty to protect my friends.  Come on Jeff, let us in on it!  Did you encrypt something in Blowfish and forget the passphrase?  Did Counterpane miss a Chinese hacker on your system?  Food poisoning at a Minneapolis steakhouse?  I am making dinner reservations on Wednesday night at RSA 2009 for myself, Bruce, Jeff and Dr Phil (who I think is really pissed off with Bruce).

Bruce Schneier uses botnets as a tip calculator.

P.S. I think Bruce Schneier is

-----BEGIN PGP MESSAGE-----
Version: PGP Desktop 9.0.6 (Build 6060)
-----END PGP MESSAGE-----

Posted in Articles | 2 Comments »

Hurry up and get patched, stupid

October 23rd, 2008

Microsoft released a patch and advisory today out of the normal cycle, so you know it is going to be a fun day.  This is a remote code execution vulnerability in the Windows Server service, reachable over RPC and, on older Windows versions, without authentication, which makes it very wormable and a ready delivery vehicle for all varieties of bots and trojans.  The unfortunate reality is that bad guys jump on these out-of-band releases and develop attacks quickly.  We are already seeing some activity, so get cracking!

MS08-067

MS Malware Protection Center

Hmm, I wonder if any of the US election balloting machines are vulnerable…

Posted in Articles | No Comments »

The Credit Meltdown and the failure of Risk Management

October 7th, 2008

I am trying not to spend too much time following the crisis on Wall Street and the world’s financial markets.  It’s not so much the precipitous drops in the market indices that I find hard to take, it’s the contact sport of pointing fingers.  While seemingly 3% of the interested parties are trying to find a solution to the mess, the other 97% are assigning blame.  The reality of the situation is that the blame can be distributed far and wide, from politicians and regulators who sought to ease credit restrictions, to corporate management who sought to profit from it, to the speculators and consumers who got in over their heads trying to benefit from it.  Your politicians and mine are all culpable, for either being involved from the beginning or failing to heed the warning signs.

What I want to know is, why did our controls fail us?  Wasn’t Sarbanes-Oxley intended to institutionalize the type of corporate governance that would allow us to steer clear of these lemming leaps into irresponsibility?  What about the GRC framework, which seeks to align Governance, Risk Management and Compliance objectives in a way that maximizes profits, but only in a responsible way?  The ability of publicly traded financial institutions to accurately manage risk will rightly be scrutinized for its role in this mess.  Why did risk management fail?  Risk management is not easy, but it should have been possible to do much better.  However, enterprise risk management breaks down when it is not comprehensive.  And it cannot be comprehensive if we do not have alignment between the risk to a financial institution and the risk to that financial institution’s officers.  That is a section I would like to see in every 10-K filing: what is the personal risk to the corporation’s directors and officers for a failure in their business?  If they have none, that should worry us all.  If we cannot account for the risk to our corporate leaders pursuing dubious quarterly targets, what will we really have learned from this mess?

Posted in Articles | 3 Comments »

DOS Research or 28 Days Later?

October 2nd, 2008

This posting by RSnake is pretty troubling.  A Denial of Service (DoS) vulnerability found by two Swedish researchers is bad.  Really bad.  In fact, so bad that the researchers seem paralyzed about revealing details, which in this case is a good thing.  It seems that the vulnerability is pretty common in TCP/IP stacks, meaning that it is basically everywhere.  An exploit actually threatens not only the target but intermediate systems, creating intriguing attack scenarios.  Weaponized code is serious business these days; honestly, if I had something like this on my hard drive I wouldn’t be telling anyone, and if word got out I would hire a bodyguard 24×7.  Let’s hope these researchers can keep the secret under lock and key until the vendors can patch their stacks.  I have visions of the movie 28 Days Later and the rage virus.  Mommy!!!

Posted in Articles | No Comments »
