ritter.vg
Who's Your Survivor?
29 Jan 2010 07:36 EST

It's a well-popularized piece of trivia that during the State of the Union, one cabinet member stays behind, and doesn't attend, just in case someone manages to kill the first 17 or so people in the line of succession. 2 days ago (Jan 27, 2010), Shaun Donovan (Secretary of Housing and Urban Development) was the designated survivor. As an aside - he wouldn't actually have been sworn in, as Secretary of State Hillary Clinton was in London and hence would have succeeded. (One must wonder about the logistics of who gets to have a nuclear football in times like those.)

Anyway, several years ago I interned at Bare Necessities (semi-NSFW) where I absorbed a wealth of information about female undergarments that seems out-of-context and creepy today. But besides learning the difference between a G-String and a Thong, I learned something about Operation Management. Apparently one day, the entire tech team (5-6 people) went out for a sit-down lunch, and when they got back the site was down and had been for about an hour. After that, there was a semi-joke, semi-serious rule that the entire tech team could not go out to lunch together.

Reddit learned that lesson yesterday. To summarize the post, 3/4 of their tech team was at Google interviewing Peter Norvig, and the other 1/4 was in NYC going to meetings. The site suffered an ad attack followed by an outage - and the best they could do was huddle in Google's lobby working on laptops to fix it.

At my current job, there are around 2 dozen people who have access to production, split amongst Database Guys, Development, and Infrastructure. We have on-call lists, with priorities running down, and automated alerts - we're pretty good about it. But then I realized - what's the one event that usually (not always, but usually) manages to incapacitate >85% of the entire tech team? That's right - Company Party. It's never come up, to my knowledge, but the thought of my bosses, slightly-to-very intoxicated, huddled around the single guy who brought his laptop to the party - all wanting to just rip it out of his hands and do it themselves - well, it amuses me.

Architecture of Buenos Aires
27 Jan 2010 04:36 EST

Before I decided to major in Computer Science, I looked at schools for Architecture. And while I obviously never majored in it, I still am drawn to it. I eventually ran across a blog called Scouting NY a year or so ago, and it instantly became one of the feeds I would look forward to in my feed reader. The Scout's job is to scout locations for films, and in doing so he blogs about some of the interesting things you can see in NYC if you actually pay attention. He's shown me some amazing sights in New York - and even better he's taught me to open my own eyes and find them for myself. I thought I would pay him some homage and show three buildings that have struck me while I'm staying in Buenos Aires.


Firstly, I have this building - which I know nothing about. It's on Belgrano a few streets south of Plaza de Mayo - and as far as I know it's just an apartment building. But compare it to the buildings next to it - it's clearly an order of magnitude more impressive. Take a look at the facade - the tiny faux-balconies, the columns running down it, and the bay windows at the corner.

And then there are two incredible sets of ornamentation. First are the statues. In Buenos Aires they're referred to as Las Caras - literally The Faces. Each seems to be supporting the weight of the building on his shoulders, and each is slightly different - one is holding a pickaxe, another a chain.

The other piece of ornamentation is the eagles near the top of the building. Above the eagles, there is what appears to be a private balcony - and above that are the towers. It looks like one of the spires has a crown on top and the other a weathervane. The bottom of the building is shop or restaurant space that is for sale.


The next building is about as opposite as you can get - but I still love it. It's an all-concrete structure built in the 60s or 70s. It's located in the banking district - near Buenos Aires' Wall Street equivalent, with narrow streets that make it impossible to get a good shot of the entire building from the street. As we move down towards the front door you can see the structure of the building opening up into a sunk-back front door, complete with an amazing meeting room above the street.


The last building is the most beautiful building I think I have ever seen. I'll give you the glamour shot and just get it over with.

This is one of three buildings for the School of Engineering at UBA (University of Buenos Aires). The building began construction in 1912, it has a segment on the Spanish Wikipedia. The architect was a man named Arturo Prins, and there's some intrigue as to his death - my Spanish is not that great, and google translate does its best but isn't perfect - the rumor is that he committed suicide because he wasn't able to complete the building due to funding and construction miscalculations. In fact, I'm unable to determine the provenance of this photo but if you were to take it at face value - the building is only half as tall as it should be!

As you move around the building, the most striking feature to me is the dual balconies. (I'm actually not entirely sure they are balconies - they may be inaccessible except for climbing through windows - but I would find that difficult to believe.) The first balcony is immense - large enough for a snazzy cocktail party overlooking the street. It reminds me of Gaudí's immense plaza above a plaza in Park Güell in Barcelona. Above that is a smaller balcony that reminds me of the elite of the elite looking down on their subjects. (Okay, actually, it reminds me of the balcony scene in the first Spider-Man.)

Slide around the corner, and you see another balcony running along the side of the building. If there was ever a place to hold a fancy reception on a Spring Evening - this would surely be it. Looking at it from the back, we can see that it is rather massive. However, it has also acquiesced to time. A giant tower projects out of it, and it is in poor repair. Grass grows out of its roof, the entire thing needs to be repointed to repair the brickwork (and having looked into that for a building much smaller - I can tell you that's a >$10m project), and I'm not sure why but there are support beams protruding from some corners and areas. There seems to be a large family of cats living in its backyard also.

I don't know what will happen to this building - The Engineering School has two other, much newer and much larger buildings. This particular building is in a very nice area of town, with a lot of shops and even more apartment buildings, next to a park, on a major street. Taken all together... it wouldn't look good. I don't know if it's protected by any laws, if it's being repaired, or any rumors regarding its fate. But I sincerely hope it gets repaired, and in a manner that preserves the look of it (specifically the brick coloring). In closing, I'll leave you with my favorite place to be in all of Buenos Aires.

simple crypto pack
17 Jan 2010 20:43:00 EST

Every so often I run into some simple (or not-so-simple) cipher and I'm curious what it means. And every time I end up writing the same PHP scripts to shift all the letters and try various Vigenère keys. I figured I might as well just write them well once and be done with it. ("Well" is, of course, relative.) They're not all that sophisticated, and they're not designed to be "fire-and-forget"; they require you to do some analysis yourself and find what fits. But maybe they'll help you with the newspaper cryptogram.

The code is available on github.
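The two chores the post describes - shifting every letter through all 26 positions and trying a list of candidate Vigenère keys - look like this when written once properly. This is an added example in Python, not the author's PHP scripts from the github repository; the English letter-frequency table and the chi-squared scoring are standard cryptanalysis tools, and the sample messages and candidate keys are constructed for the demonstration. The scoring only ranks candidates; as the post says, you still read the top few and decide what fits.

```python
"""Caesar and Vigenere helpers with a chi-squared English-likeness score.
Added example; not the author's PHP code."""
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequencies of letters in English text, in percent.
ENGLISH_FREQ = {
    'A': 8.167, 'B': 1.492, 'C': 2.782, 'D': 4.253, 'E': 12.702, 'F': 2.228,
    'G': 2.015, 'H': 6.094, 'I': 6.966, 'J': 0.153, 'K': 0.772, 'L': 4.025,
    'M': 2.406, 'N': 6.749, 'O': 7.507, 'P': 1.929, 'Q': 0.095, 'R': 5.987,
    'S': 6.327, 'T': 9.056, 'U': 2.758, 'V': 0.978, 'W': 2.360, 'X': 0.150,
    'Y': 1.974, 'Z': 0.074,
}


def shift_char(ch, shift):
    """Shift one letter by `shift` positions, preserving case; non-letters pass through."""
    if not ch.isalpha():
        return ch
    base = ord('A') if ch.isupper() else ord('a')
    return chr((ord(ch) - base + shift) % 26 + base)


def caesar(text, shift):
    """Caesar-shift every letter of `text` by `shift` (use a negative shift to undo)."""
    return ''.join(shift_char(ch, shift) for ch in text)


def vigenere(text, key, decrypt=False):
    """Vigenere-encrypt (or decrypt) `text` with `key`; the key advances only on letters."""
    key = key.upper()
    out, i = [], 0
    for ch in text:
        if ch.isalpha():
            k = ord(key[i % len(key)]) - ord('A')
            out.append(shift_char(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return ''.join(out)


def chi_squared(text):
    """Distance from English letter frequencies; lower means more English-like."""
    letters = [ch for ch in text.upper() if ch in ALPHABET]
    n = len(letters)
    if n == 0:
        return float('inf')
    score = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100.0 * n
        observed = letters.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def rank_caesar(ciphertext):
    """Try all 26 shifts; return (shift, plaintext, score) tuples, best first."""
    candidates = []
    for shift in range(26):
        plain = caesar(ciphertext, -shift)
        candidates.append((shift, plain, chi_squared(plain)))
    return sorted(candidates, key=lambda c: c[2])


def rank_vigenere(ciphertext, candidate_keys):
    """Decrypt with each candidate key; return (key, plaintext, score) tuples, best first."""
    candidates = []
    for key in candidate_keys:
        plain = vigenere(ciphertext, key, decrypt=True)
        candidates.append((key, plain, chi_squared(plain)))
    return sorted(candidates, key=lambda c: c[2])


if __name__ == '__main__':
    # Constructed sample message, not taken from any real puzzle.
    secret = "THE SECRET MEETING WILL TAKE PLACE AT THE OLD TRAIN STATION AT MIDNIGHT TONIGHT"
    for shift, plain, score in rank_caesar(caesar(secret, 7))[:3]:
        print(f"shift {shift:2d}  score {score:8.1f}  {plain}")
    guesses = ["APPLE", "LEMON", "MELON", "ZEBRA"]  # constructed candidate keys
    for key, plain, score in rank_vigenere(vigenere(secret, "LEMON"), guesses)[:2]:
        print(f"key {key:6s} score {score:8.1f}  {plain}")
```

Chi-squared needs a few dozen letters to be reliable; on a one-line cryptogram the correct shift usually still lands in the top three, which is why the functions return the whole ranked list rather than a single answer.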

Also, to my 12 RSS readers, who were inundated by a complete push of all my old articles - I apologize. I redid the GUIDs for the posts when I rewrote my site this weekend (yes, again), so they were pushed to you as duplicates.

bruce schneier is wrong
28 Dec 2009 21:45:23 EST

Bruce Schneier is wrong. There, I said it. Specifically, he's wrong in one of his recent essays Reacting to Security Vulnerabilities, and he's wrong in the suggestions he makes.

He states there are several reasons to "do nothing. ... Don't panic. Don't change your behavior. Ignore the problem, and let the vendors figure it out." They are:

  1. It's hard to figure out which vulnerabilities are serious and which are not. ... The press either mentions them or not, somewhat randomly; just because it's in the news doesn't mean it's serious.
  2. It's hard to figure out if there's anything you can do. ... Some vulnerabilities have surprising consequences. The SSL vulnerability mentioned above could be used to hack Twitter.
  3. The odds of a particular vulnerability affecting you are small. There are a lot of fish in the Internet, and you're just one of billions.
  4. Often you can't do anything. These vulnerabilities affect clients and servers, individuals and corporations. A lot of your data isn't under your direct control -- it's ... in a cloud computing application.

He then gives a list of steps you should take to protect yourself client-side: anti-virus, updates, proper configuration, common sense, and backups. Those four points aren't wrong, they're all true. But his conclusion to ignore vulnerability reports is downright careless.

For the elements (servers, people, services, etc) within your sphere of influence - you should be keeping an eye on the vulnerabilities that can affect them.

Consider a recent flaw found in IIS. If you're vulnerable, it's a pretty serious hole you have open - lots of bad things can happen. Fortunately, three things are on your side, two of which Bruce stated: the odds of you meeting the criteria are small, and if it does affect you the odds of someone finding and exploiting you are small. Furthermore, good to excellent sysadmins would already be protected from this (it's a subtle/tricky thing to protect against, but still oft-advised).

But none of these things matter after you get hacked. Then it's your data on the internet, it's your ass on the line, and it's you that I want to punch in the face after you leak my credit card. You can't claim "I was waiting for the vendor" - Microsoft isn't going to apologize and make everyone's credit cards come back home. You can't stand in front of the CEO and say "The odds of this happening were so low we didn't think it was worth protecting against."

The fact of the matter is the tradeoff of reviewing vulnerabilities and at the very least being aware of what you're vulnerable to is low-cost/high-reward. Let's take a look at the cost: add a few firehoses of information into Google Reader and skim through them in 5 minutes a day while having your coffee.

At this point, you're probably spending an hour a week doing this. And let me tell you - there is nothing more impressive to your boss than when he comes to you to ask about something he saw in the paper or in his feedreader and you can say "Yea, I looked at that vulnerability already and [we're not vulnerable/I closed the hole]."
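What makes the daily skim cheap is knowing what you run, so that most of the firehose can be dismissed on sight and the rest answered with "not vulnerable" or "closed the hole". Here is an added example (not from the post) of that triage as code: an inventory of hosts and component versions, matched against advisory entries the way a feed reader would hand them over. Everything in it is constructed: the product names, versions, and advisory ids are placeholders, not real software or real CVEs, and the version-constraint syntax (`<`, `<=`, `==`, `>=`, `>`) is an assumption of this example rather than any feed's actual format.

```python
"""Match a stream of advisories against an inventory of what you actually run.
Added example with constructed data; product names and advisory ids are placeholders."""
import re

# Constructed inventory: the elements within your sphere of influence.
INVENTORY = {
    "web-01": [("example-httpd", "2.2.14"), ("example-lang", "5.2.11")],
    "web-02": [("example-httpd", "2.2.15")],
    "db-01": [("example-db", "5.1.40")],
}

# Constructed advisory entries, as a feed might deliver them. Placeholder ids, not CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "product": "example-httpd", "affected": "<2.2.15"},
    {"id": "ADV-PLACEHOLDER-2", "product": "example-db", "affected": "==5.0.0"},
    {"id": "ADV-PLACEHOLDER-3", "product": "example-lang", "affected": "<=5.2.11"},
    {"id": "ADV-PLACEHOLDER-4", "product": "example-mailer", "affected": ">=1.0"},
]

CONSTRAINT_RE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9]+(?:\.[0-9]+)*)$")


def version_tuple(version):
    """'2.2.14' -> (2, 2, 14) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, constraint):
    """True if `version` satisfies an 'affected' constraint such as '<2.2.15'.
    Unknown constraint syntax is treated as affected, so it is reviewed by a human."""
    match = CONSTRAINT_RE.match(constraint.strip())
    if not match:
        return True
    op, bound = match.group(1), version_tuple(match.group(2))
    have = version_tuple(version)
    return {
        "<": have < bound,
        "<=": have <= bound,
        "==": have == bound,
        ">=": have >= bound,
        ">": have > bound,
    }[op]


def triage(inventory, advisories):
    """Return (advisory id, host, product, version) for every advisory that hits something we run."""
    hits = []
    for adv in advisories:
        for host, components in inventory.items():
            for product, version in components:
                if product == adv["product"] and is_affected(version, adv["affected"]):
                    hits.append((adv["id"], host, product, version))
    return hits


def not_applicable(inventory, advisories):
    """Advisory ids that touch nothing in the inventory: the 'we're not vulnerable' answer."""
    hit_ids = {hit[0] for hit in triage(inventory, advisories)}
    return [adv["id"] for adv in advisories if adv["id"] not in hit_ids]


if __name__ == "__main__":
    for adv_id, host, product, version in triage(INVENTORY, ADVISORIES):
        print(f"ACTION  {adv_id}: {host} runs {product} {version}")
    for adv_id in not_applicable(INVENTORY, ADVISORIES):
        print(f"IGNORE  {adv_id}: nothing in inventory is affected")
```

The inventory is the expensive part to keep honest; the matching itself is a few seconds a day. Note that an unparseable constraint is deliberately reported as a hit rather than silently dropped, since the failure mode to avoid is an advisory that never reaches a human.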

I didn't pull these numbers out of thin air - I manage a half-dozen web apps and a few servers in either a semi-professional or professional capacity. If you're spending significantly more time you're probably doing it in a capacity where it's a formal part of your job in which case there's nothing to complain about. Bruce Schneier is wrong - it's our responsibility to stay on top of vulnerabilities and mitigate them when we can to protect our computers, businesses, and our clients' data.

The most important thing is that it's your job to keep your stuff secure - not anyone else. If it was their responsibility - it'd be their stuff.

i have a love/hate affair with sql
10 Dec 2009 14:15:23 EST

It's so much fun to optimize but it's neither deterministic nor logical.
