
Jun 22, 2007

Use of Language

I just finished reading a very entertaining post on Ars Technica on "The ten most hated words on the Internet." Though I'm in the field of information security, my undergraduate and graduate days in college were spent in the field of English Literature1, so I always appreciate posts like the one from Ars Technica. After reading the post, I got to thinking about the various uses (and misuses) of the English language that drive me nuts, so I thought I'd post them here just for fun. I'd enjoy hearing about the words or phrases that drive you nuts. My feeling is that while it isn't necessary for a person to be a superlative writer/speaker, one should at least have a firm grasp of the fundamentals of their own language. Is that too much to ask? So without further ado...

Words and Phrases That Should Be Banned2

  • ping - As in "I need to ping Bob about that meeting tomorrow." Grrrrrr.
  • irregardless - This one makes my skin crawl. The word is "regardless."
  • the misuse of "me" and "I" - Sadly, this one is so common, most people probably aren't even aware of the fact that it is often used incorrectly. Here's an example of misuse I just heard earlier today: "If you have any questions, give John or I a call." **shudder** Here's the trick I learned from my 6th grade teacher. If you aren't sure whether to use "me" or "I," drop the other part (in the above example we would drop "John or") and the answer becomes obvious. You wouldn't say "If you have any questions, give I a call," so the correct word in this context is "me."
  • iAnything - Personally, I thought this got old after iMac.
  • moot vs. mute - As in "that's a mute point." Fortunately, I don't hear this one as often as I used to, but I still hear it with some regularity. The word is "moot." A moot point is a point that needn't be decided as the result of a change in circumstances.
  • incentivize - There are lots of words like this, where people tack on an "ize" ending and try to make a verb out of a noun. Don't do it. As soon as I hear someone use one of these made up *ize words, my first thought is "Oh, you're one of those."
  • "blog" as a verb - I don't really care for this word at all, but I can deal with it as a noun, as in "Have you read my blog?" What I can't abide, though, is its use as a verb. "I'll have to blog about this," or "I blogged about that yesterday."

1Specifically, Medieval English Literature, with secondary foci on Shakespeare and Classical Greek Drama. Not the most useful of skills by today's standards, but if you ever need to conjugate a verb or decline a noun in Middle English, I'm your guy.

2If not outright banned, at a minimum there should be a penalty of a heavy fine and 20 hours of community service for each infraction.

Jun 20, 2007

The Anti-Mentor

I just finished reading an interesting article that brushed up against a theory that I've had for a while. In the article, the author refers to the "Anti-Mentor," a manager or boss who provides ample learning opportunities by way of what not to do. Specifically, the author refers to the "polished veneer" of his Anti-Mentor. In part, this comes down to integrity, which I discussed in a previous post. Beyond that, though, we move into the area of my theory: that such pathologically disingenuous behavior is a form of psychosis. When that thought first occurred to me, it was very much tongue-in-cheek. After years of working in numerous environments, however, the facetiousness of that statement has steadily decreased. Consider the definition of psychosis from the Full American Heritage Stedman's Medical Dictionary: "A severe mental disorder, with or without organic damage, characterized by derangement of personality and loss of contact with reality and causing deterioration of normal social functioning." Speaking for myself, I can't count the number of times I've had one of these Anti-Mentors change personalities right in front of my eyes, or (my personal favorite) be helpful and supportive to me and then turn right around and try to sell me out in an attempt to conceal their own incompetence. It reminds me of a good ol' Southern phrase I heard a long time ago: "What do you expect from a pig, but a grunt?" I realize that a.) I am not a medical professional and am in no way qualified to make a diagnosis such as psychosis; and b.) I am stretching the definition of psychosis to (and probably past) the breaking point. Even so, it does help to cast the situation in a different light. These Anti-Mentors are infuriating to say the very least. However, it is probably worth viewing them with understanding and a touch of pity. When confronted with an Anti-Mentor, know them for what they are and expect that they will fundamentally always be true to their Anti-Mentor nature. Knowing what they are and what to expect from them makes dealing with them a little less painful.

Jun 15, 2007

Collaborative Incident Response

This is an idea I've had in my head for a while now, and in light of the recent DDoS attack against Estonia, I got to thinking about it again: the need for collaborative incident response and investigation. The attack against Estonia (which was significant enough to attract the attention of NATO) was effective and performed by individuals who were at least somewhat more sophisticated than your average script kiddie. Before going any further, let me provide a quick background on the idea of collaborative incident response.

Several years ago, I was in charge of designing, training, and implementing a Computer Security Incident Response Team (hereafter referred to as CSIRT) at the local hospital where I was employed at the time. The team was well organized and broken into complementary (and slightly overlapping) areas of expertise. Once everyone on the team was trained and familiar not only with their role but the roles of the rest of the team members, we began performing fire drills in earnest. Scenarios were devised that the CSIRT would address, first as simple roundtable exercises, and then finally as real-time, live drills. The idea of the drills was not only to hone the skills of the team, but to identify areas of weakness that we would then attempt to address before the next drill (or actual incident). All told, the drills were effective, useful, and to be perfectly honest, fun. It was at this point that I was contacted by our company's disaster preparedness person, who told me that there was actually going to be a city-wide disaster drill, and wanted to know if the CSIRT wanted to be included. Naturally, I said yes. I was given the basic scenario for the city-wide drill (a plane crash at the local airport), and then I devised the CSIRT drill around that. Thinking on a city-wide scale really got the ol' wheels turning. What would we do in the event of a security event massive enough to exceed the resources and abilities of the CSIRT? If this was a city-wide (or larger) event, other organizations would potentially be in the same boat, and perhaps we would be able to assist each other.

The ideal situation would be to have local businesses and other organizations come together in a community CSIRT that could be called upon in the event of a significant security incident. Obviously I'm not talking about giving people from other organizations the keys to the kingdom. Far from it. What I am suggesting is having the community CSIRT function primarily in a research and logistical support capacity. In addition, in most cases it would be possible to do this without divulging too much about your inner workings. Let's consider an example. For the sake of our discussion, let's say that our organization, Company Q, is hit with a massive security incident. Key servers are unreliable, portions of our network infrastructure are up and down, workstations all over the enterprise are crashing in a cascading fashion. An event of this size would push the security staff of any organization to (and quite probably past) the breaking point. Here's where the community CSIRT could come into play. Folks from our organization would be able to sit down with the community CSIRT and begin to dissect the problem. We're in the heat of the battle, so having the assistance of some people who aren't directly affected could be very useful. The initial Crisis Action Meeting would consist not only of our people but key people from the community CSIRT. This would be particularly helpful in identifying the problem, as different people from different organizations will bring with them their own experience which, by definition, will be unique. They'll be able to look at the problem in ways that we might not be able to. And if this is a large enough problem, what about fatigue? On the CSIRT that I put together, we implemented the rule that during an incident, a CSIRT member could only put in 10 to 12 consecutive hours before being required to stand down and get some rest. Don't ever underestimate the impact of fatigue during a prolonged engagement. Having some extra people who could be doing things like parsing logs and the like will allow our people to focus on mitigation and recovery, and, as needed, get some rest.

To be certain, there are a number of key points that would need to be worked out in advance. The idea is that it would be a mutually beneficial relationship for all involved. Company Q has an incident so they engage the community CSIRT which consists of Company R and Company S. A month from now, maybe Company R is the one having the problem, and we (Company Q) and Company S lend a hand. It works sort of like the way villages used to fight fires back in the old days; everyone came out to help, because the next house to catch on fire could be yours. Even if your competitors are part of the community CSIRT, they can still be valuable resources.

Obviously, the members of the CSIRT would have to hold themselves to an extraordinarily high ethical standard. Members would have to be chosen carefully. A good place to start may be the local InfraGard chapter. I am the Vice President of my local chapter, InfraGard Springfield. An advantage to starting with InfraGard is that each InfraGard member is vetted by the FBI. Not to say that only InfraGard members could be on the CSIRT, but it is as good a place to start as any. With some effort, a community CSIRT could become the de facto hub for local IT security matters.

Jun 7, 2007

Remote log injection

I love a good, clever hack. In the past, I've espoused the virtues of OSSEC, and I use it in more interesting and creative ways on almost a daily basis. Recently, OSSEC author Daniel Cid posted a great paper on remote log injection entitled "Attacking Log Analysis Tools." I just finished reading the paper and found it very interesting and a little disturbing. I've tinkered with one of the vulnerable tools he mentions, DenyHosts, and thought it was actually a fairly handy tool. After reading Daniel's paper, though, I'll have no choice but to make sure that it isn't running on any of my systems until after a patch is released.
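To make the class of problem concrete, here is an added illustration of my own; it is not code from Daniel's paper, from DenyHosts, or from OSSEC, and it makes no claim about how any particular tool parses its input. The idea of remote log injection is that an unauthenticated client controls part of what ends up in the log (here the SSH username in OpenSSH's "Invalid user X from Y" line), so a log analyzer that pattern-matches loosely can be steered into banning an address the attacker chose instead of the attacker's own. The log lines, the attacker-chosen username "admin from 192.0.2.1", and the ban threshold are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines (not from any real system). Line 1 is an ordinary
# failed login. In lines 2 and 3 the remote client chose the SSH username
# "admin from 192.0.2.1", so an attacker-picked address now sits inside a
# field the analyzer never expected to be hostile.
SAMPLE_LOG = [
    "Jun  7 10:01:02 host sshd[4242]: Invalid user bob from 198.51.100.77",
    "Jun  7 10:01:05 host sshd[4242]: Invalid user admin from 192.0.2.1 from 198.51.100.77",
    "Jun  7 10:01:09 host sshd[4242]: Invalid user admin from 192.0.2.1 from 198.51.100.77",
]

# Naive extractor: take the first "from <token>" anywhere in the line as the
# source address. The injected username satisfies this pattern first.
NAIVE_RE = re.compile(r"from (\S+)")


def naive_source_ip(line):
    """Return whatever follows the first 'from' on the line (attacker-steerable)."""
    m = NAIVE_RE.search(line)
    return m.group(1) if m else None


# Hardened extractor: anchor on the structure sshd actually emits. The real
# peer address is the LAST "from <addr>" on the line, followed only by an
# optional " port N" and end of line. The greedy user group absorbs any "from"
# the attacker smuggled into the username. The address must also parse as an
# IP address; anything else is rejected rather than trusted.
STRICT_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?$"
)


def strict_source_ip(line):
    """Return the validated peer address, or None if the line does not fit the format."""
    m = STRICT_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None


def blocklist(lines, extractor, threshold):
    """Addresses an analyzer using `extractor` would ban after `threshold` failures."""
    counts = Counter(ip for ip in map(extractor, lines) if ip is not None)
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # With a threshold of 2, the naive analyzer bans the address the attacker
    # chose and never bans the attacker; the strict one bans the real peer.
    print("naive :", blocklist(SAMPLE_LOG, naive_source_ip, 2))
    print("strict:", blocklist(SAMPLE_LOG, strict_source_ip, 2))
```

The lesson generalizes past sshd: any field a remote party can populate (usernames, HTTP paths and headers, SMTP envelope addresses, DNS names) has to be treated as untrusted input by whatever reads the log, and the address an analyzer acts on should come only from the part of the line the daemon itself fills in, validated as an address before it is ever fed to a firewall.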

Nice paper, Daniel.

Jun 1, 2007

Just in case you weren't paranoid enough...

As I've mentioned previously, I'm a big fan of Richard Bejtlich's TaoSecurity blog. Yesterday, he made a post entitled "I Have Seen the Future, and It Is Monitored." The post is interesting and very, very disturbing. From the perspective of the Infosec professional, it is enlightening and provides ample material for further research. From the perspective of the gearhead, though, it scares me silly. Given the widespread use of National Security Letters, one doesn't have to be a conspiracy theorist or paranoiac with an Orwellian, dystopian view of the future to see where this could lead. The points both for and against the level of access described in Bejtlich's post are numerous and compelling. I certainly can see the need, but I'm also not comfortable with the potential ramifications. One would hope that such access wouldn't be misused, but human nature being what it is, I've got a dollar that says it would start being misused the instant it became available.