More On Free SSL Certs

Earlier this week, I blogged about Let’s Encrypt, a new, free certificate authority. Let’s Encrypt looks like a great service, but it’s not out yet and I’m not sure if it will be generally applicable. For example, if I want to host my website on Azure, I might not be able to use this service to generate an SSL certificate.

Fortunately, Troy Hunt already came to the rescue, showing us how we can use StartSSL to get a free certificate for Azure. You still need to pay extra for Azure to allow you to use an SSL certificate ($9 a month at current prices), but it’s great that you don’t need to pay big bucks for an SSL certificate, especially if you’re running a smaller site which doesn’t have much (or any) revenue.

Stratfor: Disband the CIA and NSA, it’s all the intelligence gathering you’ll ever need!

A friend pointed this out to me on another website. We have this brilliant tagline:

Best-selling author George Friedman founded Stratfor in 1996 to bring customers an incisive new approach to examining world affairs. Under his direction, Stratfor taps into a worldwide network of contacts and mines vast amounts of open-source information. Analysts then interpret the information by looking through the objective lens of geopolitics to determine how developments affect different regions, industries and markets.

So, they Google stuff on the internet and watch CNN. And calling geopolitics “objective” is hilarious.

Their vision:

Stratfor’s vision is to be the foremost provider of predictive geopolitical-based intelligence services.

Stratfor’s core philosophy is that transformative geopolitical events are neither random nor unpredictable. Building on nearly 20 years of experience as the world’s premier geopolitical intelligence firm, Stratfor develops constraint-based narratives for key trends around the globe — placing today’s events in context and forecasting tomorrow’s new developments well before they appear in the headlines.

This reminds me of this Dilbert comic. Wally has a ponytail because he’s discovered it makes people give him venture capital. Ah, 1999.

The core philosophy is bold, I’ll give them that. I love the idea of “constraint-based narratives,” which makes me think of unconstrained narratives. “We predict that giant robot whales will develop nuclear technology, but we think Aquaman will try to calm them down, until he realizes whales are mammals and not fish. ESPECIALLY robot whales, who are clearly robot mammals.”

Of the three experts they champion, the one thing they all have in common is that they’ve sold a lot of books. That means they’re good at convincing people to believe their bullshit, which is not the worst qualification for running a geopolitical intelligence firm, you have to admit.

You can check out their methodology, which successfully proves that they have at least one graphic artist. Oh, one of the award winning reports they author?

The very first sentence is complete horseshit.

Like nearly all of the peoples of North and South America, most Americans are not originally from the territory that became the United States.

Since you’re using “are” — indicating present tense — I would argue the exact opposite: most people who are Americans did come from the United States since, you know, no matter how bad illegal immigration is, it has yet to reach over 50%. Even if you include legal immigrants, it’s still way less than 50%. According to the Brookings Institution, it’s actually less than 20% (although it is not clear whether or not this figure includes illegal immigrants, they link to a paper I could read if I cared to break it down.)

It takes a special kind of stupidity to achieve almost complete incoherence one sentence into a flagship paper. One more insane sentence, which leads off the second paragraph:

The American geography is an impressive one.

“One?” One of what? Are you trying to say, “The American geography is an impressive geography?” Because that’s moronic. “Geography” — specifically, the science of studying the earth, or physical location on the earth of some natural feature — cannot be impressive. Would you call the “Grand Canyon an impressive geography of America?” No. You could say “the Grand Canyon is an impressive feature of American geography.” But geography, in and of itself, cannot be impressive. I’m theoretically paying damn good money for your nonsensical advice. Try to make it coherent nonsensical advice!

Oh, and a free tip (the next one is $100,000): nothing is inevitable, in a historical sense. Only Marxists think that. Wait a minute… you aren’t a big Commie, are you, Stratfor?

New Presentation: SQL Injection

I will be presenting for the PASS Security virtual chapter on Thursday, April 17, 2014 at 1 PM Eastern. Attendees can go to the link to register for the webinar. The talk is entitled “Understanding and Eliminating SQL Injection” and here is the abstract:

Over the past several years, hacktivists, criminals, and people just “out for lulz” have managed to find sensitive data owned by organizations like Sony, Yahoo, NASA, and the U.S. army, among many others. In all of these cases, the attackers exploited websites using SQL injection attacks.

SQL injection is at the top of the Open Web Application Security Project (OWASP) top 10 list and is an important part of one of the SANS 20 critical security controls. This talk will go into what SQL injection is, how attackers can use it, and how to secure your sites so that your CIO and CISO never show up on the evening news.

Although the talk will focus on using the Microsoft stack (IIS, ASP.Net, and SQL Server), the lessons will apply to all web systems everywhere.

Heartbleed

So…it turns out that OpenSSL has been broken for a couple of years. Most UNIX-based servers are going to be affected. If you use OpenSSL on a server, get this fixed now. Many of the big companies are doing so now. If you don’t, you’re probably going to get several “Hey, you should change your password” e-mails over the next several days.

Bruce Schneier has more. For a humorous take, check out The Daily WTF. Several people there make the argument that we shouldn’t use C or other languages without boundary protection for…well, pretty much anything. Given how easy it is for a good developer to make a catastrophic mistake and for it to sneak by code reviews for years, I think they have a point.

Going To Derbycon

I will be going to Derbycon for my third straight year. This year, I’m taking Carlos Perez’s training course on using PowerShell for defense and post-exploitation. The last couple of years, I branched out into parts of security in which I had no experience; this is coming a lot closer to my wheelhouse.

I have also submitted a paper for their CFP. Here’s my title and abstract:

A Gentle Introduction to Security Economics

Why do software manufacturers release software known to be vulnerable? Why are 419 scammers’ e-mails often so poorly written? Is making software open source better for security–or could it actually be worse? These are all questions which we can answer using economic tools. Economics is, at its core, the study of human behavior; given that security is fundamentally a human problem, marrying economic concepts to security analysis can give security researchers a better perspective on the problems we’re all trying to solve.

This talk assumes little to no knowledge of economics among attendees and will feature exactly zero Lagrangian calculations.

This talk is somewhat far afield of your standard Derbycon talk—which tends to be either highly technical or advocacy-related—but with luck, the committee will select my paper and I’ll have a chance to present in front of a brand new audience.