Review of Super Scratch Programming Adventure! Posted

Amazon.com just posted a joint review by myself and my daughter of No Starch's new book Super Scratch Programming Adventure!. From the five star review:

I asked my almost-8-year-old to share her thoughts on Super Scratch Programming Adventure! She chose five stars and wrote the following:

"I think it's a very great book. I love the storyline, but my main concern is that I could not find a trace of the Super Scratch folder.

How hard is it to draw the Mona Lisa? I have Scratch version 1.4, and I found it difficult drawing Le Louvre.

On the flip side, I learned a lot. Who knew you could make Scratchy move with 1) arrow keys and 2) a medium sized Script?

I enjoyed watching the Magic Star Web change colors.

Overall, I think it's a very great book, and I highly recommend it to anyone who is interested in programming."

I agree that this is a great book. My daughter wanted to learn how to program a video game, and I thought it would be a lot more difficult. Shortly after starting to read and apply this book, she coded a video game!

I'd like to thank No Starch for sending us a review copy.

Tweet

Read More

Washington National Guard: Model for Cyber Defense?

My friend Russ McRee pointed me to an article recently: WA National Guard focusing on cyber security. From the article:

The Washington National Guard is leveraging a decade of investment in cyber security at Camp Murray in Lakewood into projects that could protect state and local governments, utilities and private industry from network attacks.

The aim is to bring to the digital world the kind of disaster response the National Guard already lends to fighting wildfires and floods, said Lt. Col. Gent Welsh of the Washington Air National Guard.

“Just as ‘Business X’ needs the National Guard to come in and fill sand bags, ‘Business X’ might need to call the National Guard if it’s overwhelmed on the cyber side,” Welsh said.

The new task plays to a growing strength in the state’s National Guard, which draws on employees from companies including Microsoft and Amazon to provide special expertise in its network warfare units.

I first learned of this initiative when Russ Tweeted about it in June. In an email exchange he described his role in the Washington State Guard (WSG):

"The WSG is an all volunteer force that is a state defense force, with what is typically an emergency management mission. See Title 38 of the Revised Code of Washington (RCW). WSG is also authorized by Federal law, Title 32 of the United States Code.

We most often serve as liaison officers in support of the Emergency Support Function (ESF) 20 (defense support for civilian authorities) function per Federal Emergency Management Agency (FEMA) National Incident Management System (NIMS) / Incident Command System (ICS) guidance during major events (disasters, natural or human caused).

WSG remains a place where extremely experienced soldiers who have exceeded age requirements for active/reserve service can continue to serve as well as folks like me with no prior service who can't get the federal services to consider them for age reasons.

We can be called to active duty but in-state only. I was on active duty with orders for two days in June for a major statewide exercise. When we're called up for such activity we become peer in rank and responsibility to our National Guard counterparts.

I'll also be seeing some active duty time again in the immediate future in support of the initiatives mentioned in the article."

I think this is a great start on a journey towards applying private sector expertise to national digital security problems, but on a local scale. The News Tribune article mentions that the Guard (in all its forms) is working to figure out how it can provide help to besieged companies, from a legal and logistical perspective.

I think this line from the news article summarizes a key theme in this discussion:

"We're not going to wait for the feds to hand us everything," Welsh said.

In our Federal system, we should allow the States (per the 10th Amendment) the freedom to innovate, and thereby invent multiple approaches to fighting digital threats.

Tweet

Read More

Inside Saudi Aramco with 60 Minutes

I just watched a recent episode of 60 Minutes on CNBC and enjoyed the segment on oil production in Saudi Arabia. It featured a story from late 2008 on Saudi Aramco. You may recall this name from recent news, namely data destruction affecting 30,000 computers. A recent Reuters article said the following:

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

"All our core operations continued smoothly," CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

"Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus."

It is standard industry practice to shield plant operating networks from hackers by running them on separate operating systems that are protected from the Internet.

While watching the video I was struck by the following comments by the CEO of Saudi Aramco, giving Leslie Stahl a tour of their 21st century operations center (pictured here). From the transcript:

Abdallah Jum'ah, Saudi Aramco's president and CEO... gave 60 Minutes a tour of the company's command center, where engineers scrutinize and analyze every aspect of the company's operations on a 220-foot digital screen.

"Every facility in the kingdom, every drop of oil that comes from the ground is monitored in real time in this room," Jum'ah explained. "And we have control of each and every facility, each and every pipeline, each and every valve on the pipeline. And therefore, we know exactly what is happening in the system from A to Z."

Aramco engineers are making sure that not one drop of oil is overlooked: computers are receiving data, via satellite, from sensors mounted on drill bits that are burrowing deep into the oil fields all over Saudi Arabia. Engineers are sending instant messages that actually guide the drill bits.

"He is now directing that drill bit to go into the best areas of the reservoirs. And suck that oil from it, and not leave any oil behind," Jum'ah explained.

He says the drill bit is a bit like a snake, going down and following where the oil is. "And mind you, this is happening 400 to 500 miles from here geographically. And we are sending that drill bit also two or three miles in the ground."

The screen capture at right appears to show this control process in action on a Windows XP computer. (Remember, this show was filmed in late 2008.)

You can watch the segment (in two parts) for more details, if you like.

Now, it's entirely possible that the sorts of systems depicted in the video were not affected by the malicious code that allegedly struck 30,000 systems. Then again, it's not unheard of for malicious code to propagate from one enclave to another.

Hopefully we will hear more details on what happened, either to Saudi Aramco or apparently other companies. Again, from Reuters:

Qatar's natural gas firm Rasgas was also hit by a cyber attack last week, although it has not said how much damage was caused or whether Shamoon was the virus involved. Qatar, also a Sunni Gulf kingdom, has similar foes to Saudi Arabia.

Its parent firm Qatar Petroleum, which also owns Qatar's other main natural gas firm Qatargas, said it was unaffected but implied that other companies had been hit.

"Qatar Petroleum has not been affected by the computer virus that hit several oil and gas firms. All QP operations are continuing as normal," it said in an official tweet on Monday.

Tweet

Read More

Netanyahu Channels Tufte at United Nations

This is not a political blog, and I don't intend for this to be a political post.

I recently watched Israeli Prime Minster Benjamin Netanyahu's speech to the United Nations on Thursday. I watched it because I am worried about Iran's nuclear weapons program and the Iranian security situation, to be sure.

However, what really intrigued me was the red line he actually drew on a diagram, in front of the United Nations. In the video I linked, it takes place at approximately the 26 minute mark. The screen capture at left shows this event.

The reason this caught my attention was that it reminded me of the Best Single Day Class Ever, taught by Edward Tufte. I attended his class in 2008 and continue to recommend it.

I've since blogged about Tufte on several occasions.

Netanyahu's action, to me, seems like pure Tufte. The primary goal of his speech was to tell Iran, and the world, that Israel is setting a "red line" involving Iran's nuclear weapons program. To show that, he literally drew a red line on a diagram representing Iranian progress on uranium enrichment.

Now, there's some confusion about what that red line really means. The point is that people are talking about the red line, and that means Netanyahu at least partially achieved his goal.

This is the take-away for those of us who speak in public: rather than develop Yet Another PowerPoint presentation, determine 1) what message you want your audience to remember, and then 2) figure out how you can escape from flat land to grab your audience's attention.

If you want to learn more about these techniques, take Tufte's course!

You can read a transcript of the speech as well as see the video. Besides the red line segment, I thought it was a powerful speech. I'm convinced that unless Iran changes course, Israel will disable Iran's uranium enrichment capability.

Tweet

Read More

Celebrate Packt Publishing's 1000th Title

I'm pleased to announce a special event involving Packt Publishing. The company told me, as a way to celebrate their 1000th title, that those who have registered at https://www.packtpub.com/login by 30 September will receive one free e-book. To help you make your choice, Packt is also opening its online library for a week for free to members.

I'm interested in two recent titles:

Metasploit Penetration Testing Cookbook by Abhinav Singh

Advanced Penetration Testing for Highly-Secured Environments by Lee Allen

In a few months a third book will arrive:

BackTrack 5 Cookbook

At this point I don't have personal experience with any of these titles, but I plan to take a look.

Thank you Packt for sharing part of your library with us!

Tweet

Read More

Top Ten Ways to Stir the Cyber Pot

I spent a few minutes just now thinking about the digital security issues that people periodically raise on their blogs, or on Twitter, or at conferences. We constantly argue about some of these topics. I don't think we'll ever resolve any of them.

If you want to start a debate/argument/flamewar in security, pick any of the following.

1. "Full disclosure" vs "responsible disclosure" vs whatever else
2. Threat intelligence sharing
3. Value of security certifications
4. Exploit sales
5. Advanced-ness, Persistence-ness, Threat-ness, Chinese-ness of APT
6. Reality of "cyberwar"
7. "Builders vs Breakers"
8. "Security is an engineering problem," i.e., "building a new Internet is the answer."
9. "Return on security investment"
10. Security by mandate or legislation or regulation

Did I miss any subjects people raise to "stir the cyber pot?"

Tweet

Read More

Unrealistic "Security Advice"

I just read a blog post (no need to direct traffic there with a link) that included the following content:

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.

For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.

This author is well-meaning, but he completely misses the bigger picture.

Against a sufficiently motivated and equipped adversary, no device is impenetrable.

Mobile devices are simply the latest platform to be vulnerable. There is no reason to think your corporate laptop is going to survive any better than your iPhone.

Now, I believe that non-mobile devices enjoy some protections that make them more defensible compared to mobile devices. Servers and workstations are generally "wrapped" with multiple defensive layers. Laptops benefit from those layers when connected to a corporate network, but may lose them when mobile. Still, even with those layers, intruders routinely penetrate networks and accomplish their missions.

One might also argue that mobile devices are more likely to be lost or stolen. I agree with that. However, full device encryption and passcodes can mitigate those risks. That's not the same as "zero-day vulnerabilities and clever exploitation techniques" however.

Despite these limitations, we still conduct work on computing devices. If we didn't, what would be the point?

We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.

Software developers and security engineers should of course continue to devise better protection and resistance mechanisms, but we must remember we face an intelligent adversary who will figure out how to defeat those countermeasures.

Tweet

Read More