
A plethora of security articles has appeared in the mainstream IT press over the last few weeks, which makes me believe that security is one of the new buzzwords you can expect to hear a lot more about in 2016. As a security practitioner and someone who has done this for well over fifteen years, it's bizarre how something that we do as business as usual is now getting some attention. For over a decade we were the people you didn't talk to, or if you did, you did it through gritted teeth, knowing we would try to hold you to a better standard or a greater ideal for the common good.

Any and all focus on security best practice is welcome. As we all witness the explosive growth of container-based cloud provisioning gather pace, it's circumspect to hope that this due diligence around security will filter down through programs in organisations to build in security as a de facto standard building block and process, rather than retrofitted to shore up poor code or poor deployment / management practices.

That's not to say that by having the best security folk and best practices you can't get hacked by an internal or external threat or fall prey to a security vulnerability. What it does mean is that you have the plan as to how to react, how to behave during an outage, what steps to take during a fix process and how you learn from that experience, growing from it. Sharing that knowledge is even more important in the Open Source space.

Please, though, don't fall into a trap. Having a CISSP does not make you a security professional. Having a CISSP on board your staff says you have someone who can pass an exam and who has an understanding of the impact that a proprietary network environment, elevated threat levels and your reaction capabilities to someone hosing your Cisco / Juniper / (add other vendor kit here) will have on your ability to provide service.

Any qualification that allows its students to stay qualified by collecting points attending conferences is devalued by stupid brand marketing folk who allow such a practice. I've met some great people who also had CISSPs, and I've also met some self-styled pen testers, auditors and "security professionals" with CISSPs and other exam qualifications who collectively couldn't find their arse with both hands. Those same people also knew how to pass exams but had never had actual real-time experience in the trenches with developers and operational datacentre folk to get up to speed with emerging threats.

Certification is important. Want to hire good folk, or get your CISSP folk up to speed with real-life threats from bleeding-edge threat actors that impact actual platforms now? Get them to sign up and study for the CCSK exam. Amazon get their staff to, so do Microsoft and HP, and I personally rate the material and the exam; it will allow you to get your staff to a point where you have a proper belt-and-braces ability to deal with threats and react in real time rather than in a post mortem. No, this isn't an advert for the Cloud Security Alliance or a trolling attack on CISSPs; it's a call to arms to employers to look outside the box, because sadly the hackers are better qualified than ever before.

So while you're eating your Thanksgiving meal or preparing for a quiet Christmas, think about how you can increase your security skills, and also maybe think about joining an Open Source project to see how security issues and vulnerabilities are managed in the wild.

Happy Thanksgiving 2015 and have a great time with your families.

Sadly I have to announce that my hetero life mate John-Mark Walker has left Red Hat for pastures new. This pains me because I've known for an age, probably longer than anyone else, that he was leaving, and I've had to keep it a secret. It's weird because although he's left Red Hat, he and I still carry on as per normal; we've been friends since the term Open Source was coined, through the mists of time of companies no longer trading or long since committed to the history of Linux. We've seen it all. I'm three weeks and two days older, two inches taller and can't get away with wearing salmon pink jackets like my buddy John-Mark.

We've presented radio shows together, trying not to cry with laughter; I've censored him more times than I care to think about, drunk too much beer, visited countries and broken bread with the man so many times. Will I miss him? Nah. I'll still see him at events, I'll still talk with him almost daily and he's part of my life for the long haul.

I will miss him at Red Hat. Such a shame he was never harnessed properly.

Until then, here is a short outtake of a video we shot over two years ago now at a hotel in London. We'd just sat and watched my football team get beaten at Wembley (from a bar in London), and we'd eaten food, drunk beer, and then and only then rolled the camera.

Here's John-Mark and me on top form.

So I've been quiet while I've been flat out wearing my fedora on Red Hat stuff. I've also found time to work with external cloud bodies, and this week I can go public on some of that stuff. As of now I am managing the external-facing social media for the Cloud Security Alliance globally.

So a lot of the threat management that I normally do, talking for example about emerging threats such as Heartbleed, will now go to a wider global audience amongst the leading financial institutions and business verticals, across every industry embracing cloud.

Also, at last, the podcast will be coming back. Yesterday the first pilot episode of a new format of radio show went into the peer review system at Red Hat and looks to have been greenlit. I am extremely excited that we're now able to put together a new format of radio show for a global audience which, like my past podcasts, will be available syndicated via Stitcher, iTunes and PodFeed. I appreciate the feedback and the messages of support here and on social media, but we had to get the format and editorial context right in order to storyboard and agree on how a weekly show would take shape. A lot of work goes into planning the shows, recording them, mixing them and getting them to broadcast quality ready for a discerning audience. So rather than reinvent the wheel I am borrowing the NPR This American Life format of show, which is no mean feat given Ira Glass is my hero. Setting the bar extremely high from minute one leaves me no safety net.

Don't believe me? Lol... you can even hear some of the ideas I've been working on with my voiceover team for the intro and exit for the show by clicking here. Tell me your thoughts, I'd welcome it.

It was great to sit in the studio this week with the familiar comfort of headphones on, facing a microphone and baffle, and then realising, when the red light went on, that alone with my thoughts and no notes it was business as usual.

Thanks to Bryan Che for his belief and his support. I owe you everything.

Two years ago I sat in an auditorium and watched an enraged Mikko Hypponen of F-Secure on stage at LinuxCon Edinburgh talking with passion about the double standards of the intelligence communities in their stance on encryption. He was beyond furious at the methodologies and underhand ways in which the US and UK intelligence services had burrowed into undersea cables and broken into communications at many of the technology and internet companies that we take for granted daily, with impunity.

Now here's the thing. I am the only member of the open source community, in the entire world, who has gone on the record on tape with somebody from the White House to ask them, openly, about their stance in a post-Snowden world on handling things like Heartbleed, like encryption, and their relationship with industry and inter-agency and inter-ministerial responsibilities when handling security issues. I interviewed Richard Clarke, now former Senior Cybersecurity Advisor to POTUS and former senior security advisor to four previous Presidents of the United States, the week of Heartbleed, and he volunteered information that I never even asked for in a candid interview on my radio show (still available on Stitcher by clicking here).

So imagine my surprise this morning when I sit up in bed and read an article on the BBC news portal with Rob Wainwright from Europol, who is complaining about the stance that technology companies are now taking on endpoint security, on key management and on proper end-to-end, in-transit encryption of data in the cloud. The point Europol make is that the proper management of SSL traffic and the more intelligent use of encryption in AMQP and other protocols make it harder for the intelligence services to listen to potential terrorist traffic.

Now I have to be very circumspect and proper here in how I write this article to avoid arrest. I have signed the Official Secrets Act. I have worked within GCHQ. I have been involved with the design and implementation of secure communications and encryption endpoints to Top Secret and above. I do know where the bodies are buried with regard to the weak and lax vendor-acquired devices that have formed the basis of government, agency and defence spending for the last seven years.

The fact is that the current and former UK governments (and their US counterparts), alongside many industry partners across multiple verticals buying the same kit, have overpaid for weak, industry-acquirable, catalogue-standard, run-of-the-mill technology. Badly written, badly managed by their vendors (for once not the government's fault), they have walked blindly down alleys. Accreditors with a weak understanding of cipher management and the underlying dependent libraries, binaries and protocols have allowed literally hundreds of millions of pounds to be spent on devices with less security certification than an iPhone 6. These devices sit in frontline daily use today across the EU and the US. It's farcical that many governments have approved catalogues with approved vendor lists for devices, many of which are so badly broken and so compromised in their design and implementation that the poor accreditor or purchasing manager, armed with a requirement and an accredited service catalogue, is therefore buying an outdated, inferior product for four times the cost of building it properly using currently shipping, available code.

There is NO liaison, co-operation, upstream engagement, engineering or security engagement between these vendors and their outdated OS source. None. At all. Can I make this any clearer? The people shipping the boxes running the embedded Linux that powers and protects our endpoints, reliant on nation-state security, DO NOT talk to the people releasing and developing it. If you were not scared before, you have every right to be now. I've got the actual sources (from the vendors, with their consent, under GPL compliance) of a few of these devices numbering in the tens of thousands in their deployment, and it's beyond scary. If you were to go back in time via Distrowatch to January 2009 you would see more current, more valid sources to base your security on.

It's terrifying, if not vaguely criminal, and certainly deeply unethical, that these vendors have been allowed to make hay while the sun shone, have not engaged with the upstream OS vendor or the SSL community, nor had the brains to understand the downstream implications for their government customers, and have now put at risk the entire infrastructure and emergency response capability of their customers reliant on their devices.

Even when warned in writing, those government agencies and accreditors, hamstrung by weak upstream advice on SSL, encryption ciphers and key material, have through ambivalence instead walked hand in hand into one of the biggest potential security nightmares they can imagine. Worse, there is nothing today they can do other than rip it out and start again across UK, US, EU and many member state governments whose assumptions around the encryption at the core of many services are broken.

If Europol are serious then it's time they worked upstream to secure the devices that have formed the basis of the planning and infrastructure of their government partners. Instead of moaning about not being able to watch us, they should actually be asking: who is watching us?

You can't have it both ways. We react as an industry because we form best practices. The eyes of the community are on OpenSSL to race to make sure that the fixes that have come out since Heartbleed (I was the first person to get the Heartbleed story to ZDNet the night it broke) are stringent. The fixes that have come out in three tranches since October to further harden basic function calls reinforce that. Expect to see more in the coming weeks and months as further scrutiny is poured on older functions and calls. As the implementation of PKI across cloud and across telecommunication products and services is hardened to enforce customer security and reduce the risk of man-in-the-middle attacks and the likely attacks on weak endpoints, it reduces the attack vectors and the threat fabric.

In the Open Source community we are entirely open, practical and totally committed to ensuring that we release early and release often, and that we work stoically to get patches out to protect people reliant on secure, auditable code. We don't always get it right, but it's therefore even more shocking how badly many companies who then take that code to build devices forget why and where and how it came to be. That's especially true of many supplying sensitive areas of the target market, where the threat fabric is larger and the attack vector surprisingly large.

Expect the bad guys to go after the soft targets. If you're an Android user then security through obscurity, e.g. throw out your phone and tablet every seven or eight months and replace them, given your vendor is probably clueless (unless it's Google or Samsung); if you're an Apple user you can sleep easy as long as you don't use a myriad of apps, any one of which could be handling a listening function for a service harvesting your information or device credentials.

We aren't reacting, as an industry, to lock out police and intelligence services; to state that is beyond stupid. We are reacting to protect ourselves and our customers because of the ham-handed, without-recourse manner in which GCHQ and the NSA and other government agencies have behaved, and now we're locking down upstream and mainstream services to assure companies and individuals that they do have the security they always assumed they had.

What Europol should be doing, if they understood how to engage (which clearly they don't), would be sitting down to work with us to understand how and why and where, and to foster better working practices. Until that day happens it's back to the old days of seizure of devices, only now the issue is that they can't read, open or interpret them, even under warrant, even with industry partners or complex rootkits.

Sadly, gloss will be painted over the fact that the technology they've acquired themselves is so 1998 in its design and implementation that, as I pointed out, it should be more worrying as to who is watching them, and more focus should be spent on fixing that in the short term. The only issue they have there is that the vendors can't help them, as the vendors have only one focus: revenue. The vendors themselves don't talk to the OS vendor. How do I know this? My phone hasn't rung and we've never spoken to them. They're too busy making money from shoddy, reimplemented, badly coded, badly repackaged, outdated, insecure code, selling it to governments who accredit it as secure.

This is fixable. The issue is that the right people don't sit down to fix it, or to emerge from the tunnel into daylight able to even understand the core problems. They're too busy making blanket procurement decisions to buy the wrong kit from the wrong people. I'd be more worried about your own infrastructure decisions than about technology companies doing their job right to circle the wagons and lock you out.

Now, for those who question my authority to make these claims, remember it was my security invention that protects and ensures the online safety of millions of people every single day globally, from school children across the UK and US school districts to retail businesses, hotels and motorway service stations, and the myriad of devices and platforms that took their lead from our sources. For fifteen years I've made a career out of keeping people safe, doing it openly and trying to do the best I possibly can to get people to play nicely. It would be nice if someone listened and sat round a table and did something practical.

Who wants to bet nothing changes?