Tuesday, January 30, 2018

Speculative Speculation

   Patch.

   NO WAIT!... DON’T Patch!

   It may cause unexpected reboots (as opposed to the expected kind???? J).

   It may cause system slowdowns.

   It may conflict with your other system controls.

   It sounds kind of like the “fine print” in one of those pharmaceutical adds… patching side effects may include arrhythmia, faintness, moderate to severe amnesia, flushing of the face, dry mouth, blurry vision, visual distortions or white spots, nausea and vomiting, constipation, muscle twitches, confusion, euphoria, sedation, itchiness, and increased anxiety, respiratory or cardiac arrest, coma, hypoventilation (inadequate ventilation), and possibly death.

   This whole Spectre/Meltdown thing has gotten so much attention lately. But the reports are loaded with misinformation, speculation (!), and even some facts.  I’ve have seen some uber-geeky explanations of what is going on.  If you haven’t seen the major rant by the father of linux Linus Torvalds, check this out.

   One thing that has been lacking is more simple, straightforward explanations of this complex topic.  I think Steve Gibson did a great job talking about this recently in his SecurityNow! podcast.  He actually explained the underlying mechanism of speculative execution years ago when he was talking about how modern processors work.

   Speculative Execution is really pretty cool.  It can be complex, but a good example is when there are two choices in how some code may execute, i.e. GO here or GO here, the processor does both!  And it executes steps ahead from where you are in the code now.  The overall effect is that the code executes faster.  It’s kind of like paying it forward with extra computing cycles.  Here's a great explanation.

   Here’s the point about this vulnerability… we’ve had plenty of named vulnerabilities.  They are all the rage these past few years – a name and a logo.  But most of these vulnerabilities are code or protocol problems.  Yes, some of those were very wide ranging.  However, this newly discovered problem is a vulnerability in the underlying architecture of nearly every modern computer chip created since 1995.  Everywhere.

   And while this has not been exploited in practice, that will happen.  The Fix is not yet in.  For now, the advice is to not panic, patch selectively and we’ll all watch and wait!

Tuesday, January 9, 2018

Meta-Predictions

   Well, it's a new year and we all know what that means... every security publication, and plenty of non-security publications, come out with their annual security predictions.

   I predict that this year's predictions will be as boring and vanilla as last year's.  And we don't even have to wait until the end of the year to see if I'm right!

   So, rather than adding to the noise, I'll save you some clicks.  Everybody's saying the same things... cybercrime, blockchain, cryptocurrency, breaches, yada yada.

   But some people went above and beyond to make the prediction reading experience special!  Here are my favorites:

   Best presentation.  Kudos on the production value of this prediction post by Watchguard.  Between the nice graphics and videos, I was engaged.  They didn't say anything new... but the way they said it makes it worth a look.
https://www.watchguard.com/wgrd-resource-center/2018-security-predictions

   Best use of AI.  This is a great idea... how about machine-generated predictions!  Great fun.  And I, for one, welcome our AI overlords.  Even the text that doesn't make sense makes more sense than some other predictions!  Well done Kelly and Medium.
https://medium.com/@kshortridge/2018-cyber-security-predictions-d493e25162e7

   Best prediction of the death of passwords.  Well, really they said that password-only authentication will decrease faster.  OK, either way, we've been down this road many times before and, unfortunately, passwords ain't goin' nowhere.  We're stuck with them.
https://www.csoonline.com/article/3242866/security/our-top-7-cyber-security-predictions-for-2018.html

   Remembering what we said in 2017 award.  This post doesn't say anything particularly interesting, but I like that they go back and grade their 2017 predictions.  Of course, those predictions were pretty bland but they only gave themselves a generous 9.5 out of 10.  http://resources.infosecinstitute.com/2018-cyber-security-predictions/

   tl;dr award.  I seriously did not even read this one.  Really Forbes?  60 predictions?  I guess all the ad networks you hit us with aren't enough?  I guess quantity wins.
https://www.forbes.com/sites/gilpress/2017/11/26/60-cybersecurity-predictions-for-2018/

   What are your favorite predictions?

   Here's to a great 2018!