Mornings With Mark

Facebook held its annual F8 developer conference this week and—in addition to the usual product updates—they repeatedly talked about creating and enabling private spaces.Mark Zuckerberg wants to shift Facebook, WhatsApp, and Instagram to a privacy-first set of services while still maintaining profitability and a strong economic future for the company.What's stopping them? 15 years of poor information management.Most organizations have a binary view of information management. Folks internal to the organization can see most of the org's data and controls are in place to prevent external access.But in 2019 and moving forward, we need better than that. Not just for compliance to things like GDPR but in order to properly secure that information in the first place.References;F8 day 1 keynote, https://developers.facebook.com/videos/f8-2019/day-1-keynote/more on Dunbar's number, https://en.wikipedia.org/wiki/Dunbar%27s_number

The NBA playoffs are in full swing and there's a huge rules controversy around one superstar's—James Harden—jump shot. Basically it boils down to whether or not the actions that Harden takes are against the rules. Is he pushing the rules to draw a foul on the opposition? Is he fouling the defence? Is it a non-call? The answer isn't relevant here (though critical to this playoff series). What is relevant is that the rules as written will be pushed to the breaking point and maybe beyond. There are two sides to this coin. The first is when employees in your organization are trying to get their work done and the cybersecurity rules in place prevent them from accomplishing their goals. In this case, people bend the rules to accomplish a positive outcome. The second side of the coin is when a company pushes their own rules to the detriment of others. We see this time and time again with social networks. The rules state one thing, their public messaging another. When push comes to shove, they hide behind the rules,

The Fortnite developer teams at Epic Games are working in a perpetual "crunch time" situation. That's not sustainable by any measure...and from all reports, things are bad over at Epic. But they are not alone. It's not just game development—though by all reports, that industry's culture leans that way—it's the valley and in cybersecurity. Specific to cybersecurity, this type of overtime and crunch culture isn't sustainable. We also know that there is a massive skills gap, there simply aren't enough people to do the cybersecurity work as it currently stands. This mountain of never ending work can easily lead to burnout. But even if you don't burn out, if this an effective way to work? Are you and your teams working efficiently? Instead of simply putting more time in, why not optimize the work you are doing? Shouldn't that be your first step?!? References: Colin Campbell for Polygon on the culture of the Fortnite development team at Epic Games, https://www.polygon.com/2019/4/23/18507750/fortnite-work

Facial recognition is becoming more and more common. In some cases, it's used to make existing procedures more efficient or to connect existing data points together. While that seems like the community has already consented to these use cases, people often have a visceral reaction to hearing that new technology is being applied. Regardless of your opinion on facial recognition technologies, it's undeniable that it raises a number of issues that should be discussed in the open BEFORE implementation. This is the real challenge around the technology, discussing its use in a practical and pragmatic way. There needs to be a balance between your right to privacy, the community need for various processes, and even commercial desires. None of this will be sorted without ongoing discussions... References; Catalin Cimpanu writing for Zero Day/ZDNet on the EU's desire to collect a massive database of biometric information, https://www.zdnet.com/google-amp/article/eu-votes-to-create-gigantic-biometrics-database/ Emily B

Since May of 2016 Facebook has been prompting some new users for their email passwords. Yes, their email passwords. WTF? Apparently as a means to "verify" their email accounts, Facebook prompts users for their email passwords. That means they log in, verify the receipt of an email in order to setup the account. The idea here is also to provide the option to import your email contacts in order to setup your initial experiences on the network. I can't even...but I try in this episode. Lots of reasons why this is flat out wrong. References; Rob Price has the story for Business Insider, https://www.businessinsider.in/Facebook-says-it-unintentionally-uploaded-1-5-million-peoples-email-contacts-without-their-consent/articleshow/68930320.cms e-sushi the researcher who called it out on Twitter, https://twitter.com/originalesushi/status/1112496649891430401 more on passwords in general, https://www.sans.org/security-awareness-training/blog/nist-has-spoken-death-complexity-long-live-passphrase

Thomas Brewster, writing for Forbes, highlighted a recent case by the DEA. The case itself isn't out of the ordinary. What is interesting is the issues raised by search warrant request for LogMeIn.com...parent company of LastPass. This password management service is used by the accused and is potentially a treasure trove of information for investigators. Not the passwords themselves, those are securely stored, hashed and salted, but the METADATA around the service's usage. Metadata and aggregate data is often ignored and overlooked by security and privacy evaluators. It's a complicated problem but one that absolutely needs to be tackled. A little bit of information from each can lead to a significant exposure. References; Thomas Brewster for Forbes on the case, https://www.forbes.com/sites/thomasbrewster/2019/04/10/what-happened-when-the-dea-demanded-passwords-from-lastpass/#5883c8877ebe search warrant request from the DEA, https://www.documentcloud.org/documents/5812557-DEA-Asks-LastPass-for-User-Data-in-Da

It's tempting to search for the perfect solution to a problem. The challenge? That "perfection" rarely exists. But time after time, we seek out these perfect solutions. With this week's Google Next 2019 announcements, this came up again around Google Cloud Run. The popular debate was if it was a replacement or improvement on functions as a service like Google Cloud Functions, AWS Lambda, or Microsoft Azure Functions...but that's not the best debate to have. Nothing's perfect. Security is far from perfect. The goal with security is to find the best solution for the organization given the current context and constraints. Don't search for perfect, it'll never happen. References; Twitter discussion around Google Cloud Run, https://twitter.com/kelseyhightower/status/1116055726953074688 details on the very cool Google Cloud Run, https://cloud.google.com/run/ Google Next 2019 developer keynote, https://www.youtube.com/watch?v=W16iHlo2TuE

Serverless architectures are a fantastic solution to a lot—not all—design challenge. The benefits they bring are substantial and they can reduce the overall ops and development burden for a lot of teams. But when we're talking about serverless, are we all talking about the same thing? I see three distinct definitions of the term "serverless" in use everyday. The challenge is when it comes to security, you better be looking at the entire architecture and not just one piece of the puzzle. We're well past the days where security is siloed. Serverless presents a fantastic opportunity to move security forward by treating these solutions like the distributed systems they are. Reference: Dr. Vogel's keynote from the 2019 AWS Summits, https://www.youtube.com/watch?v=vWfkbGF6fiA

A recent report from the Canadian Commission for Complaints for Telecom-television Services (CCTS) saw a dramatic increase in complaints with billing being one of the top reasons. That's not especially noteworthy in an industry known for poor customer service...until you dig a little deeper. Most providers have ancient, complicated billing backends with massive amounts of technical debt. Internally, it would be hard to justify the resource spend to update these systems because of the scale of the problem but also because the metrics are off. This technical debt manifests itself in customer service metrics, not IT metrics. Cybersecurity is general a code quality and operations issue. Technical debt contributes directly to risk but we—cybersecurity—also have this issue of being disconnected from the metrics that would highlight the risk associated with these decisions! References; CBC News articles on the CCTS report, https://www.cbc.ca/news/business/telecom-television-complaints-increase-mid-year-report-2019-

A recent study by NCSU found that there are way more API keys and tokens uploaded to GitHub than previously thought. In fact, there's almost a near constant stream of secrets being exposed...why?!? It boils down to operational security. Automated build pipelines and access to cloud services that amplify what your team is capable of. Moving faster without some smart guardrails can lead to these issues. The good news? The same tool sets that are exposing this lack of opsec can help address it. Automated checks for secrets, tools specifically designed to handle secrets, and education around these issues can help reduce the likelihood of recurrence or prevent it from happening in the first place. References; the research page from NCSU (PDF), https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_04B-3_Meli_paper.pdf recent MongoDB issues via Brian Krebs, https://krebsonsecurity.com/tag/mongodb/

Google recently announced a new, all-in-the-cloud gaming service called Stadia. For gaming fans, there's a lot of potential that—fingers crossed—hopefully pans out. But the design of the system is an implementation of a pattern we use in securing high sensitivity data as well. It's long standing and previously the user experience—particularly around bandwidth and latency—hampered adoption. Has this pattern's time finally arrived? References: Tom Warren for The Verge covering the announcement, https://www.theverge.com/2019/3/20/18273977/google-stadia-cloud-game-streaming-service-report the keynote from GDC announcing the service, https://www.youtube.com/watch?v=nUih5C5rOrA&t=2959s Amazon Workspaces, https://aws.amazon.com/workspaces/ Microsoft Windows Virtual Desktop, https://azure.microsoft.com/en-ca/services/virtual-desktop/

An interesting op-ed from Dr. Egginton at John Hopkins University highlights some efforts underway in the US to declare learning to code the equivalent of learning a new language. Both are equally important. Languages help with understand and communication and everyone should learn as many as they can. But programming computers is not the same exercise. Programming languages are all about logic and structure. But similarly, anyone in cybersecurity should learn at least the basics of coding. The reason is the same as learning a second (3rd, 4th, etc.) human language: understanding. Learning to code (even just the basics) will give you a better understanding of the trades off necessary in cybersecurity. A better understanding of the challenges of successfully building and running a system that solves problems for customers. A better understanding of your colleagues. When it comes to cybersecurity, a broader perspective is a better perspective. Learning additional skills within the IT sphere is never a wasted ef

A recent survey from RightScale showed a lot of confusion around cloud computing costs. The common take away? Organizations are surprised at how high their cloud bills are. Similarly, the community was surprised at the size of Lyft's commitment to AWS (around 8 million per month). But the root of this problem isn't what you think. It's not that cloud costs are high and rising, it's that organizations had little to no specific awareness of just how much they were paying in a traditional environment. Sure, there was a top line item for IT but no breakdown on specific costs per application. That makes security extremely challenging. Not knowing the value of the data or the cost of the system processing that data means that security decisions are made largely in the dark. References: ZDNet's coverage of the RightScale survey, https://www.zdnet.com/article/cloud-cost-control-becoming-a-leading-issue-for-businesses BusinessInsider covering the Lyft IPO, https://www.businessinsider.com/lyft-ipo-amazon-web-services-

A recent tweet called out a user's perception about Grammarly, a SaaS-based grammar and writing tool. They accused the service of being predatory (due to it's license) and a keylogger. While the points are off base (but not insanely so), they do raise a bigger issue: the user perception about a service vs the actual privacy risk. When you use a cloud-connected service, do you truly understand the boundaries of where you data and data about you exist? Do you know what is being sent to the service's backend and how that data is being managed? In my experience, most people don't understand the technicalities, nor the potential impact to their privacy. References; the originating tweet, https://twitter.com/sebmck/status/1104132993893904386 Grammarly's ToS, https://www.grammarly.com/terms

RSA 2019 in San Francisco was great. Lots of fantastic talks, keynotes, and discussions. One thing I always try to do at the show is to check out the exhibition. It's a great way to take the pulse of the industry. With around 740 exhibitors, this year was no exception. As always, there were some organizations taking a pragmatic view and others who were so far out to field it was crazy. But if you were just starting to try and understand the problem space, a CEO or CIO working to better grasp the challenges facing your organization, how would the industry look? Would you be able to spend wisely? To make decisions taht would actually improve the security of your organization? Based on my experience, it would be extremely difficult to make any informed decisions, we (the cybersecurity community) have a lot of work to do...

We rely on some digital services for critical functions around security and privacy. Trusting those services is paramount to their success and ours. But it can be difficult to trust when you don't know what's going on behind the scenes. Gag orders from the courts can amplify those trust issues. The idea of a warrant canary can help to ease your concerns about government and law enforcement snooping but it's far from a perfect solution. CloudFlare recently added new warrant canaries to their transparency report. Others have also adopted the practice but is it effective? Does this tactic add value to a transparency report or just another seed of doubt? References: CloudFlare's explanation of why and how they use warrant canaries, https://blog.cloudflare.com/cloudflare-transparency-update-joining-cloudflares-flock-of-warrant-canaries-2/ Zack Whitaker covering the issue for TechCrunch, https://techcrunch.com/2019/02/26/cloudflare-warrant-canary/ Reuters story on Reddit deleting their canary 3 years ago, https://

Websites, apps, and even your desktop applications may be tracking a how lot more of your behaviour than you think. The reason in most cases is simply to deliver a better application from a technical perspective. But sometimes, it's more insidious. The Wall Street Journal recently called out a few applications for sending sensitive information to Facebook without their users being aware. Facebooks App Events service is geared around building advertising profiles but what about other popular telemetry services like Hockeyapp.net from MIcrosoft, Apple's TestFlight, Google Analytics, just to name a few. How should developers balance the need to support their creations with user awareness of telemetry and user privacy? References; original call out by the Wall Street Journal, https://www.wsj.com/articles/you-give-apps-sensitive-personal-information-then-they-tell-facebook-11550851636?mod=article_inline follow-up by the WSJ, https://www.wsj.com/articles/eleven-popular-apps-that-shared-data-with-facebook-115510551

You're building out a digital identity for you kids almost from the day they are born. But it's not just you, the clubs they belong to, schools they attend, and sports they play are all contributing. What's the impact to your child? To their digital future? Social media is hard for adults to handle and the more data we gather the more disturbing the findings. What is the impact of this world on our kids? Looking beyond social media, there are a lot of challenges in children's privacy with other digital sharing tools. "Private" links and shared passwords aren't secure but most people believe they are and use those techniques to protect content involving their (and other) children. We need to have these discussions out in the open and decide how we collectively want to manage the digital identities of our children. References: AMAZING article by Taylor Lorenz for the Atlantic, https://www.theatlantic.com/technology/archive/2019/02/when-kids-realize-their-whole-life-already-online/582916/ Wired on the

There has been a significant increase in DNS hijacking attacks over the past couple of months...and why not? It's a simple, direct way for cybercriminals to take over an organizations identity or to intercept critical communications. The US Department of Homeland security issued an emergency directive on the matter and several cybersecurity companies have published research on these attacks in the last month. DNS is often overlooked but it's a critical piece of your IT infrastructure. There are some simple steps you can take to help protect your organization's DNS information. Learn more about the issue and what you can do about it in this episode. References: fantastic article from Brian Krebs on the problem os DNS hijacking, https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/ the alert from DHS, https://cyber.dhs.gov/blog/#why-cisa-issued-our-first-emergency-directive research from Cisco's Talos group, https://blog.talosintelligence.com/2018/11/dnspionage-campaig

You agree to new contracts all the time but you probably don't think of them as contracts, they are simply the "Terms of Service". A recent study found that most of these agreements are essentially unreadable. That sets up a one-sides relationship between the services and their users. Fine for the services, not so much for the users...and we're only just starting to see the impacts of this at scale. These agreements don't just cover websites and web services but also applications, your internet connections, and other critical areas. References: the study itself, "The Duty to Read the Unreadable", https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3313837 an article for Motherboard by Dustin Patar covering the study, https://motherboard.vice.com/en_us/article/xwbg7j/online-contract-terms-of-service-are-incomprehensible-to-adults-study-finds Google's ToS, https://policies.google.com/terms?hl=en Facebook's ToS, https://www.facebook.com/terms.php, Twitter's ToS, https://twitter.com/en/tos