Thursday, November 25, 2010

NoScript + gmail = NoLove


Hard to pin down, but some combination of Firefox, NoScript, and a dozen or so other FF plug-ins trashed gmail for me for a couple of weeks. Chat stopped working completely and I lost the ability to create filters.

Following as many security lists as I do, I need to create filters just to keep my gmailbox in order. You can just tell when a Full Disclosure thread is going to go Full Troll (like this one) and I really don't need that bullshit. After deleting plug-ins, and even removing NoScript, those particular features were still broken, so I moved all my gmailing over to Chrome.

Then, after a few days, there was a NoScript update and everything was fine again.

I can't really blame it all on NoScript because I have other FF browsers with NoScript and the problem never affected them. Just one browser on one machine.

And during this same time period Google had one of its worst vulnerabilities that hit all their apps.

Just makes you want to say what-the-fucking-fuck.

Saturday, November 20, 2010

Sic Transit Gloria Mundi


Thus passes the glory of the world.

Three years ago this month the Salt Mines got their first Chief Security Officer.  At the time I was busy with other things, most notably My Very First Websense Hack.  I didn't get around to mentioning the re-org until several months later, at which time I made a prediction that the newly formed Security Group would eventually dwindle down to four to six people.

As usual, I was right, although the motivation for hacking the team to shreds was not layoffs (or was it?).  The stated reason is that we are moving to a Managed Security Service Provider.

In my gut, I know this is not a Good Thing, but I'm told I will remain on the team (no doubt to train a replacement), and so I shall, but no amount of reassurance is ever going to give me a Warm Fuzzy about this situation.

Having been a consultant in a previous life, I know how these guys work.  They're going to look at the salaries of the Team (including the CSO or CISO or whatever they're calling him these days) and see an untapped revenue stream.  So, I'll be watching my back in the months to come.

With that in mind, I have ordered this book.  From the reviews, it sounds like so much pop-psych bullshit but I'm leaving it on my desk in a position of prominence just for shock value.  In essence, it's a stage prop, only there to be seen.  Whatever people take from its presence will come from their own minds.

(If you're wondering, I'm not mentioning the title because I don't want this blog post to end up in any search results specific to the book.  FWIW, as a companion piece I have also ordered this book, which I have previously read but I foolishly lent it out to a jerk who never gave it back.  It is a great book, not pop-psych and people never read the subtitle, so they always get the Wrong Impression, which is exactly my motive.)

No, I'm not paranoid.  People are out to get me.  People who, until lately, were part of my trusted group of co-workers (the clowns who got removed from the Security Team).

Yes, I was, as they say, being thrown under the bus.

No, I'm not paranoid!

Hinky is a gullible, good-hearted guy, trusting in people's stated motivations and assuming good intentions from all; your typical, self-deluded man on the street.  But this time I was shown I was being thrown under the bus.

Luckily, I lived to tell blog about it.

Coincidentally, I was also recently involved in an investigation into someone else getting thrown under the bus.  It's very difficult to explain without going into too much detail, but I was exposed to both sides of a situation similar to my own near-encounter with the nether regions of public transportation.  On one side were people making a mountain out of a mole-hill and on the other were people desperately trying to make a mole-hill out of a mountain.  Vested interests on both sides, with Hinky in the middle.  Soon there will be rolling heads, but I lost a lot of sleep (literally) being involved in this.

It was this that began my preoccupation with lying, and ordering the books.  Wikipedia has an excellent article on the subject.  In fact, although my personal motto (stolen from Firesign Theater) is "I never lie and I'm always right" I see a lot of myself in this section.

A friend of mine—now deceased—was a near-pathological liar.  He was an expert.  He never used his talents against me—that I'm aware of—and often practiced his white (-ish) lies in front of me.

These days you might call him a "social engineer" (yes, there's the security hook).

His masterpiece was The Great Display Case Massacre.  He single-handedly threw all of his co-workers under the bus.  We worked together in sales at a high-ticket retail shop.  He accused the entire sales staff of a highly plausible practice: selling merchandise out of the display case instead of out of the stock room.  Proof?  No merchandise in the display case and empty boxes in the storeroom.  Case closed!

He had everyone going on that one, including the owner and management of the company, who weren't too concerned because, after all, items were still being sold.  Or so they thought.

Of course, no one was selling out of the display case and it was him stealing the company blind, although they were clueless the entire time.

I found out the truth because I asked him about it, years (Statute of Limitations years) later.  He freely admitted it and we both got a good laugh out of it (the company owners were bastards who ended up screwing the sales staff anyway—which doesn't make it right, but there was no one left to care).

I don't believe reading books will ever make me good at spotting the lies that count, but as long as people think I'm a Grand Inquisitor I have an edge I can leverage.

Yes, I'm living in interesting times.