Saturday, July 5, 2008

What's the opposite of "Icing on The Cake"??

From Cloudsecurity.org Interviews Guido van Rossum: Google App Engine, Python and Security:


cloudsecurity.org: What security principles did you follow for App Engine?

GvR [Guido van Rossum]: While I can’t share any specifics on what we’re doing to secure App Engine, I can say that the main principle we’ve followed could be called “defense in depth”. We’re not relying exclusively on a secure interpreter, or any other single security layer, to protect our users.


cloudsecurity.org: Please provide some examples of how those principles played out in terms of the current implementation?

GvR: Sorry, we don’t divulge such information.


cloudsecurity.org: How do you contain an attacker that exploits bugs in App Engine from exploiting the underlying OS and potentially interfering with other users processes or attacking backend systems?

GvR: You are correct that there are strong measures in place, but I’m not at liberty to discuss details.


Now, there's already been discussion about this article on the Daily Dave list, which I still haven't felt up to posting on. My thoughts, from the very second I read the article, were the same as everyone else's: that Google's answers in this article are nothing but blatant security through obscurity. Now it's been suggested that this is not because of Guido, it's because of Google PR. That really doesn't make a bit of difference to me. I didn't assume that it was Guido's choice to not mention any details whatsoever about the security model of Google App Engine (GAE); I assume that's Google's public stance and that he is, understandably, toeing the company line. What bothers me is that Google, a company known for its openness and sharing, is attempting to use this tactic.

Now I have no doubt that there has been significant work to secure the GAE. It's a significant risk putting up a service like GAE, and I'm sure Google took that into account and took actions to limit their risks while expanding functionality. That fact makes me more frustrated by Google's actions regarding the security plan of GAE. Being Google, I imagine there are plenty of interesting techniques being applied, and it could benefit many other projects to understand what techniques are being used by Google. Additionally it's a good check for Google, to be alerted by the multitudes of programmers and security experts to potential problems, hopefully before they become real problems. It's a model that's worked for open source software for a long time. Additionally it makes it more complicated for application programmers to write the most secure code possible, as they have no idea how their decisions may affect the overall security of the application.

Unfortunately Google took the other route. Close it down, don't share information, make people go look for it. Not being up front about it doesn't mean people won't find out intimate details of how GAE works and how its security is being implemented. To the best vulnerability researchers it just makes the process take a little longer, but it won't stop them. Microsoft doesn't provide details for most of their software, yet vulnerabilities are found in it every month. What's most ironic is that Google is beginning to clam up about security issues, while Microsoft, a company known for keeping security information under wraps, has spent the past few years reversing that image. This role reversal is disconcerting at best. Regardless, as someone debating creating and releasing an application on GAE or a standalone Django deployment, I'm concerned at the idea that under GAE my application's back end security is documented as a series of "I can't share any specifics" and things that "can't be divulged" instead of being clearly and openly documented.

Tuesday, May 13, 2008

The Alpha Hacker Dilemma

Watch enough cliché movies about growing up and it becomes quite obvious that, at least in Hollywood, a guy growing up has a choice to make: be an Alpha male or not. I'm not sure of the science behind it, though I know in many primates there is some truth to this, but I think it's safe to say there is something of a divide. According to Encarta (yeah, I was surprised it's still around too):

al·pha male (plural al·pha males) noun
Definition:
1. dominant male animal: a male in a pack of wolves, or a similar pack or troop of animals, that other members submit to and follow and that takes priority in mating with females
2. dominant man: a man who controls the activities of a group and to whom others defer (informal)

In typical society the alpha male is confident, athletic, probably good looking, the guy who gets the girl, who can do anything. Experience tells us this is largely a mask, underneath it they're likely very different, a scared little puppy, but that's the perception. There is often an inner drive and societal encouragement to be the alpha male; or at least the supposition that getting what you want in life, be it fame, money, or women will be easier as the alpha male.

In the culture of folks who do IT there is definitely the concept of the alpha geek. This is the guy who disdains Windows, these days likely uses OSX or Ubuntu, but there was a day he rolled his own Linux distro or perhaps used Gentoo and took pride in the fact that he compiled everything from source. He's the guy you go to for answers, who can do binary/hex/octal conversions in his head, and has coded in every language under the sun. If it's worth knowing he likely knows it.

This trend gets even more specific: the alpha hacker. While others are content to use Metasploit or wait for a PoC to be released, he writes his own exploits and probably has a stack of 0days "just in case" but would never release them. He is the alpha geek with a malicious twist. He can debate the various debuggers/disassemblers, and knows exactly why he prefers IDA Pro to SoftICE. He walks around Defcon with an air of superiority, though without condescension, because while your neat new XSS or IDS evasion technique is cute it will be patched soon, and there's no patch for what he is capable of. You patch the exploit he used yesterday? Fine, he has more sitting around just waiting, and the day he runs out of them he'll just take a weekend or two and write a few more. He is the attacker you don't stop; you can try to frustrate him, attempt to piss him off, annoy him enough to get him to go for a weaker target, but he can't be stopped, not 100%. He's the kind of hacker the script kiddies wanna be like, at their keyboard every night, codin' in the glare of the monitor light.

It is at this impasse that I find myself. I am competent; I am in fact quite good as a hacker/security professional. I understand the attacks, I know their defenses, I can execute many of them. I've presented at a few security conferences, and hold an important position with a leader in the information security field, protecting hundreds of other companies. I am in a prime position in many ways. The biggest question at this point is the route to take: the alpha hacker's path or the security professional's path.

Following the first path is a trail of reverse engineering, vulnerability research, coding, reading assembly, and attempting to own everything in sight. This position will earn the respect of many others in the industry, the chance to do important work that directly influences the actual security of those using the Internet, perhaps even the security of countries. This is the path of the technician, the operator, the person creating the technology. This comes with a price, a ceiling. This isn't a ceiling of creativity, or acclaim, or glory; those things can be continuously earned every year. It is a monetary ceiling. Technicians are, by their very nature, a dime a dozen, and even at the top there may be many others striving to the same heights, and the alpha hacker is only as good as his last program, his last hack, his last vulnerability. A big payday, from this position, is rare.

Along the other path there is little more technical knowledge; instead the focus is on how to apply technology, integrating solutions, and selling products. It is the path to sales, management, and consulting. It's not about deeply knowing the technology, it's about superficially knowing much and being able to sell it. It is the path that is about knowing people and businesses. It rarely holds the glory of the alpha hacker, rarely the respect from those on the front lines. It does provide the chance to win the respect of the decision makers and C-level execs, and as a result has the possibility of a big payday, either as a part of a sales team or working with a smaller company as an entrepreneur.

Personally I'm torn. I have a passion for technology, and I love knowing the things no one else knows. The idea of learning to be the unstoppable wraith that is the worst nightmare of someone defending a system, who is able to understand what applications are doing at the deepest levels, and who understands how to take advantage of it. On the other hand I am a people person, I converse well with others, both technical and non-technical, and can explain complex concepts in simple ways, and I'm sure with a little bit of work I would have no problem explaining and selling solutions. I'm on the cusp, able to go either direction, sales engineer or reverse engineer, and I simply don't know.

In many ways this is even more fundamental; it's the question of what's more important, doing what you love or doing what pays the bills? Is it worth enjoying your time at work a little less to enjoy your time away from work a little bit more? I don't know, but I'm starting to wonder if there's a third option...

Monday, March 31, 2008

The OS is always greener...

I'm not quite sure why it is, but among 75% of the alpha geeks that I know there comes a time, usually once every three or four months, that causes them to question their operating system of choice. Like clockwork. There really needs to be a name for it.

My friend the Windows admin starts thinking about all the reasons he hates Windows (who can blame him) and blows away a laptop or desktop and installs Fedora, or at least runs Knoppix for a week or so. I have a panic for a few hours that causes me to shun my beloved OSX and spend a morning pricing out Dell laptops or Thinkpads and cursing the whole experience. I've had a friend who went full out, sold off his treasured Mac, bought an expensive x86 laptop and ran nothing but Solaris for a few months before switching back.

It's a common occurrence and it needs a name. It also begs for an explanation, a method to the madness.

I've had a number of reasons. It used to be all about the hardware. Much as I enjoy my Macbook I often wish I had something lighter and smaller. Then Apple went and announced the Air, which while a bit underpowered for my taste does do most of the things I've wanted from a laptop, and will probably be my next purchase. That leaves the OS. Hardy Heron from Ubuntu looks really nice, very friendly, and is the most well-integrated version of Linux I have ever had the pleasure of using. Better than OSX 10.5? No, probably not. On par with OSX 10.3? Probably.

It's not about that really. I know, in my head, that I prefer and will get more done with less effort on my Mac; that's why I got it in the first place. Ultimately that just means it's a case of wanting what you don't have. Testing to see if the grass really is always greener, or just looks that way. I think sometimes alpha geeks want a change, even if they know, usually through careful evaluation and consideration, that they're already using what works best for them. Now I just need to remember to reread this next time I start thinking how nice Gnome can look, and remember that Amarok, while surprisingly nice, still doesn't hold a candle to iTunes, and gEdit, however modded, is no TextMate.

Monday, March 24, 2008

InfoSec vs. Coding

The job hunt is a long and onerous thing, full of hope, trepidation, and frustration. It's somewhat bizarre how it can all work out. Jobs that I've wanted haven't returned my emails; jobs that I never wanted have insisted on interviewing me (and in fact flying me out to the West Coast to meet with them) and have turned out to be poor matches, just as I originally thought they were. Most notably, recently, the job I was somewhat interested in turned out to be something completely different, and gave me an offer I never expected.

Sadly though I find myself, at least at this moment, somewhat disenchanted with infosec as a career. I know it's temporary, it always is, but that's where I find myself now. Security is an uphill battle: our successes are par for the course and hardly ever recognized, our failures are monumental catastrophes with dire consequences. It often feels in many ways that you can never do anything right, only avoid mistakes. I don't think this feeling is unreasonable, simply the state of things. The only way to "win" the security game is to be someone breaking, not protecting.

I find, as a result, I rarely know what I want to do in security, a question I'm asked often, as you'd expect. Developing exploits sounds fun, but I haven't done it before, and the barrier to entry feels high, though I'm trying, at least on and off, to learn it. I have a certification in Incident Response, but I've never done any of it, though I feel like I should, so that's a draw, but again, it's essentially a janitor's position, cleaning up others' messes. General consulting is a mixed bag at best, fun and interesting one day, but dull and monotonous the next, though the money is often desirable. I know one thing I don't want to do is continue in the security monitoring area; it's too limited, like seeing someone about to get mugged, but being unable to do anything except yell at them to run, knowing they probably won't hear you.

I'm not saying it's driven me to it yet, but I totally understand why my friend al3x has moved from doing security work to building great software like Twitter. I can see the appeal of creating something, nurturing it, having it become something good, and winning, in some small way, a victory in seeing an idea become a reality. I haven't decided to make any moves out of information security, not close, but I admit many hours I used to spend trying to learn assembly (for reversing) or C (for writing exploit code) are now spent trying to build my Python or Cocoa coding skills. I know all of these things are self-supporting, knowing assembly will make me a better Cocoa coder, and Python skills will be useful in infosec, but still, it's something of a shift in priority.

In short; I don't know. I'm frustrated and confused, but I know I'll work through it.

Saturday, January 5, 2008

Things I Liked in 2008

Copying directly off of Brittany I'm putting together my list of things from the past year that I've been into:

I. Products

II. Software

III. Internet

IV. Entertainment

V. Food & Drink

VI. Miscellaneous

Monday, December 3, 2007

Yet Another Blog

Yeah, I've started another blog. Terrible isn't it? I think I have enough of them. My hacking/security blog: Vulnerable Minds, my joint beer blog 3Beers, and even a big blog somewhere, prolly by mistake or something.

So why this? Why Toga Foam Party? Well, the name came from a joke with my buddy 5dots, and I guess I just stuck with it. I've had Toga Foam Party as a domain for awhile, mostly as the location of my Tumblr, but I've found myself wanting more options to blog, and by linking a Blogger to my Tumblr I allow that. What am I going to blog about? Nothing serious, I promise. Really. If I want serious I'll blog for work, blog with my security group, or write a novel. I just want to be able to post whatever, from interesting Python clips I find to how stupid I'm finding "Live Free or Die Hard", which is quite a bit.

So yeah... that's that.