FUD Makes Security Harder

The US government’s illogical screeds against better personal encryption for data and communications is well documented. Then comes this reported communication:

Department of Justice: iPhone encryption will lead to the death of a child

I’m hoping the quote given in the article is completely out of context. However, previous statements, including by the FBI Director, don’t give me much hope. What the government is waging is a campaign against encryption using FUD (Fear, Uncertainty, and Doubt). However, what the powers that be seem to keep missing is this simple fact:

If you (FBI, state and local law enforcement) can decrypt it, so can the criminals.

Therefore, the campaign being waged makes us less secure overall. It puts more people at risk. And, incidentally, it will lead to more cybercrimes, meaning more law enforcement officers are tied up in those cases. More law enforcement being pulled for cybercrime work means less law enforcement available to do things like prevent murders. Yes, I’m stretching the bounds of logic with that line of reasoning, but less so than the one that says, “Encryption will directly result in a child’s death,” which is what the article reports a DoJ official claiming.

Here’s something else they are missing: if we want better security, we need better awareness. We’re not going to get better awareness by attempting to get people to believe in boogeymen. The first time they realize they’ve been fooled or the threat has been exaggerated, they lose trust in the security (to include law enforcement) community. That one incident may be all it takes for someone to “check out,” and then we’re in a mess. Keep it up, as this FUD campaign is doing, and the majority of people will lose trust and check out. That means they won’t listen. That means they won’t learn. That means they will become more vulnerable than they are now.

Don’t believe me? How often do we talk about the colors of the terrorist threat level nowadays? That’s right, we don’t. Why? How often did we see any validity to the changing of the colors? We didn’t? That means people eventually started ignoring any news about a color change. It didn’t apply. It didn’t affect them. And while it may have been reasonable initially, people stopped listening.

None of that is good.

If we want security to be taken seriously, we’ve got to kill the FUD.

More on that Cyberwar

As a follow-up to my post on being at war, cyberwar:

State Department Hacked

If the experts are correct, this trend is only going to continue. Reading the article and others on the same situation, they all note that the unclassified email system had been hacked, but not the classified one. That’s a bit of good news, but it’s still not all that great. There’s a lot of useful information in unclassified email, especially for a department like the State Department.

We’re at War – Cyberwar

In case you’ve not been following the news with regards to *government* breaches:

All three of these news articles were released within the past few weeks. The reality is that our networks are being probed and attacked regularly. This isn’t a FUD (Fear, Uncertainty, and Doubt) post. Rather, it’s an awareness post. Typically you have to be aware of a problem to be able to deal with it successfully. Every first-world nation is aware of the level of warfare that’s going on nowadays. However, when talking with folks who aren’t in IT security, I get a sense that most “regular” folks don’t. That needs to change.

The reason it needs to change is because part of what allows the attackers to be successful is our own ignorance and lack of action to take reasonable steps to tighten things down. By the way, none of this is new. There’s a whole host of books on the topic, like America the Vulnerable, which cover previous breaches… at least what’s been publicly reported. The amount and type of data that has been stolen is simply astonishing.

The attacks are not going to slow down. In fact, as we tighten down certain parts of our infrastructure, attackers are going to look for an easier way in. That’s potentially why the USPS and NOAA were hit. Also, nation state players are not going to stop at military and diplomatic secrets. Industrial and economic espionage is important, too. If I, as “Big Bad Nation,” can assist my own country’s industries by passing on the secrets my government operatives stole from other corporations, why wouldn’t I? After all, if I am already okay with sending attackers after those corps, I won’t have a moral conflict with sharing the stolen information with my countrymen.

Which all means we need to continue to be serious about security, seek ways to tighten things down that make sense, and in general become better educated and more aware. It’s easier to prey on an ignorant, unaware adversary than one who is watching and ready to fight back. That’s common sense. It behooves us to transform our organizations to be that aware and ready opponent.

Speaking at SQL Saturday #354 – Charleston, SC

If you’re looking to warm up for the winter, come on down to Charleston, SC, on December 13, 2014. Charleston will be hosting its second SQL Saturday. Why Charleston?

And, oh yeah, SQL Saturday! But outside of SQL Saturday, here’s a great link to see all the places to hit and see in Charleston.

As for me, I’ll be giving a security talk:

What You Absolutely Must Know about SQL Server Security

There are so many security tips out there for SQL Server. Almost all of them are rated as a best practice. What do you listen to? What do you focus on? In this session we’ll break down what you absolutely must know about securing SQL Server. We’ll look at the things to look for within SQL Server, including some of the nooks and crannies an attacker might use but that are rarely audited. You’ll leave with a checklist of what to investigate and a set of scripts to run on your own systems.

Generalists vs. Specialists

I’ve stated quite often that being a generalist has generally been beneficial for my IT career (pun intended). That’s why I developed the professional development presentation, The Swiss Army Knife of DB Pros. It is also why I continue to bounce back and forth between technology areas rather than deep diving. For instance, I’m back primarily as an Active Directory and security architect. I still touch SQL Server day-to-day, but I’m back more on the infrastructure side these days. When you look at my career, about the only place I’ve not spent a lot of time in is networking. I hope to change that eventually.

However, I’ve not been successful at expressing why I believe generalists are better. Don Melton (blog | twitter) has expressed it very well in this talk.

“I would rather have a whole team of generalists than just a few specialists. Generalists can reapply what they know to new problem domains.” – Don Melton

And there you have it. Because we don’t specialize, we are constantly having to face new problem domains. Typically, we become active, important members of teams because we’re looking at our existing skills and knowledge and seeing if any of them can be brought to bear in the new domains. Some specialists are able to do this, too. However, some aren’t, because they haven’t had to do so. Generalists must in order to survive.