So, remember all the hubbub about WoW Glider – the automated “botting” tool that automates the playing of World of Warcraft?

If you missed the story, it went like this:  Blizzard (the folks who make the highly-popular World of Warcraft) sued Glider for circumventing “Warden” – their on-board protection mechanism designed to keep people from doing stuff like building botting software to violate their terms of service.  Anyway, Glider has been unable to continue selling their software for the purposes of playing WoW since 2007, as the case makes its way slowly through the appeals process.

The other day, a federal appeals panel upheld the decision that Glider violates the anti-circumvention provisions of the digital millennium copyright act.  It’s interesting.  Some folks hold that when you buy a piece of software that you should be able to do whatever you want with it.  It’s a position I generally sympathize with.  But it turns out that when someone puts a provision in to keep you from doing a particular thing, they have the voice of the law behind them.  No matter how well the technical underpinnings of the protection mechanism are or not implemented.

I’m not surprised this played out the way it did I have to say, but it’s interesting nevertheless.

Note: originally ran Dec 16, 2010

So, remember all the hubbub about WoW Glider – the automated “botting” tool that automates the playing of World of Warcraft?

If you missed the story, it went like this:  Blizzard (the folks who make the highly-popular World of Warcraft) sued Glider for circumventing “Warden” – their on-board protection mechanism designed to keep people from doing stuff like building botting software to violate their terms of service.  Anyway, Glider has been unable to continue selling their software for the purposes of playing WoW since 2007, as the case makes its way slowly through the appeals process.

The other day, a federal appeals panel upheld the decision that Glider violates the anti-circumvention provisions of the digital millennium copyright act.  It’s interesting.  Some folks hold that when you buy a piece of software that you should be able to do whatever you want with it.  It’s a position I generally sympathize with.  But it turns out that when someone puts a provision in to keep you from doing a particular thing, they have the voice of the law behind them.  No matter how well the technical underpinnings of the protection mechanism are or not implemented.

I’m not surprised this played out the way it did I have to say, but it’s interesting nevertheless.

Wow.  It hurts to be ACS:Law right now.  In case you don’t follow this stuff, they’re the firm going around targeting people for violating copyright on movies and songs.  Needless to say, they’re pretty unpopular in some circles for it… but at the moment, they’re reeling themselves instead of putting the hurt on others.

The backstory is that the other day these guys got DDoS’ed by folks from 4chan – again because of their copyright shenanigans.  At the time, we were surprised the other day about how cavalier these guys were being about the DDoS and we speculated how being a Luddite was working in their favor.

But now that’s all changed.  Somebody coincidentally (ahem) broke into their site, stole data, and subsequently distributed it publicly.  Turns out what they distributed was a database of the 5,300 people sharing adult films online.  Of course, the folks on the list are understandably a little PO’ed.  As to what motivated the attack?  Presumably the attackers did this because they weren’t getting traction on the denial of service front.

And this tactic – the disclosing the database approach – as it turns out was a pretty effective in causing a wall of pain to ACS:Law.  ACS:Law is not only facing questions by UK’s Information Commissioner,  but potential legal action from Privacy International and up to 500k GBP in fines as well.  Ouch.

This is of course all very interesting to those of us on the sidelines, but it does raise an interesting point that folks aren’t really covering.  Put aside for a moment the “stick it to the lawyers” on the one hand and the “but what about owner’s rights” on the other.  Consider instead what these events mean to the attackers. Specifically, what does it mean that an attacker – for the first time as near as I can figure – turned breach disclosure into a vehicle for direct financial attack against an enemy?

Think about it this way: you leak regulated data, you are culpable… potentially for fines, civil liability, public ill-will, and increased regulatory overhead (like additional PCI reporting requirements).  In other words, it’s a pretty hard financial hit.  Rightfully so in the case of a firm that’s negligent.  But what happens if the person attacking you is motivated by causing you financial damage?  In other words, your firm has controls and security practices that are industry standard (i.e. they suck but are no worse than the next guy) and you just happen to get hit because someone hates you…

What does it mean for industrial sabotage?  For extortion?  All of a sudden, circumstances are such that someone with an ill intent can directly cause financial damage to others…. damage that looks like it could be pretty significant.  All of that is pretty scary when you stop and think about it.

I’m wondering how many people are setting up black market services to do exactly this at this very moment?

So Protegrity says that they are suing a bunch of people – NuBridges, Safenet, etc. - for infringing on their database encryption patent(s).  It’s not entirely clear from the article on Network World as to which of their database encryption patents they’re fired up about, but it’s clear that they’re fired up about something.

Image Source: realitymod.com

Now, I’m not an attorney – and I don’t play one on TV.  But is it just me or is anybody else confused by this?  I mean, I don’t fault Protegrity necessarily – if I understand it right, they need to defend their patent in order for it to be valid.  But I’m not understanding why they would want to defend it in the first place.

Here’s my take on this.  I’ve been working in this field for a while, and a number of us have built solutions that do the same things that the Protegrity patents claim Protegrity invented. Years earlier.  I’m not bragging or anything.  It’s because they’ve effectively patented pretty much the only way to accomplish certain aspects of database encryption…

For example – Protegrity patent #7,490,248, “Method for reencryption of a database” is summarized as follows:

“…[a] method including the steps of detecting that a predetermined time period has elapsed, generating an unexpired encryption key, associating the unexpired encryption key with expiration information, scanning the database for an encrypted item, the encrypted item corresponding to a plaintext item, the encrypted item having been encrypted using an expired encryption key, and encrypting the plaintext item, using the unexpired encryption key, into a reencrypted item.”

How else could you possibly do this?  No… seriously.  Take a moment and think about it.  The scenarios is: you have a database with encrypted fields and you want to update the key.  What’s would be an alternative other than the algorithm they describe (determine that the key is expired, look through the data, decrypt under the old key, rencrypt with the new one)?

And this was patented in 2000, by the way… decades after both databases and encryption were in widespread use.  Contrary to traditional wisdom, there aren’t that many ways to skin a cat.  So when the guy down the street decides to patent: “… method for removing feline external covering through pressure applied from a sharpened blade against the interior surface of the skin”, your options for how to do it become severely hampered.

I don’t know.  I guess we’ll see where this goes.  I’m concerned about what happens to all the companies out there that follow this model that aren’t currently being sued by Protegrity – you know, like Microsoft, Oracle, and CA.  Oh… and folks who built in-house solutions that do similar things: folks like Bank of America, Visa, Washington Mutual, and AT&T.

Curious to hear from a patent lawyer on this one…

Welcome our newest candidate for “dark lord of the pit”, Dell. According to court documents, they knowingly sold faulty computers and covered it up for years.  Despicable.

What bothers me the most about this is the callous attitude that Dell had for the security, safety, and livelihood of the folks they sold to; from betanews:

Capacitors had been known to leak, and in some cases could pose a fire risk. The problems also posed a data loss risk, although the computer manufacturer made a concerted effort to play down any possible issues.

Nice. The NY Times continues the festival:

Crucially, in their complaints to Dell in the lawsuit, customers describe losing valuable information when their computers malfunctioned. Dell, by contrast, denied that that the capacitor issue had caused data loss.

So, Dell: putting us all at risk to cover their shame…  It’s just not right.

Interesting…  If you haven’t seen the coverage, the FTC forced Twitter to update its information security program after a slew of information security issues including password problems, breaches, and fraudulent claims about the security of the site (in other words,  claimed protection measures that just weren’t implemented the way they said they were).  Check it out:

In one case, attackers were able to exert administrative control over the site, which enabled them to deliver bogus tweets pretending to originate from the accounts of a number of well-known members, including President Obama.

Hah!  It’s never any good when you let shady characters post content as the president of the US.  Semi-related, but in epic bad timing, a researcher demonstrated XSS issues in the platform… that’s not good.

Anyway, this is interesting to me in that the FTC should choose to exercise its muscle for cleaning up Twitter. I mean, they’ve gone after others in the past – but this is one of the relatively few in that there wasn’t actual cash at stake.  So… props to the FTC for taking the situation seriously.  No question that there were some serious issues and failure to uphold their security claims.  But I’m surprised at how forward thinking this is of them – most regulatory bodies are fairly slow to react.  Good job, FTC.

So, next stop: farmville?  I hear it’s a seedy underbelly of animal cruelty and lax agricultural safeguards…

Cool reading over at wired. Turns out that the “DarkMarket” was an FBI sting. Wonder if that’ll throw of people who’ve been using this source to get information about the price of stolen data.

In case you haven’t heard, a bunch of folks in our industry are pretty fired up. They’ve gotten it in their head that the worst thing that could possibly happen to the noble institution that is CISSP is for college students to get certified. The contention is that CISSP is supposed to just be for security practitioners, and college students can’t have the type of real-world experience required in order to legitimately obtain the cert. ISC^2 retorts that they are not giving away *real* CISSP’s – but instead a sort of “CISSP-lite” that would be in place until the students got the experience required to move to the full-blown CISSP once they’ve cut their teeth.

All the brouhaha leads me to once again question the current certification process. Clearly there are issues, and all you have to do to see them is consider the “value” of the CISSP to the practitioner vs. the “value” of the CISSP to ISC^2. There’s a fundamental disconnect between what motivates people to get CISSP’s and what motivates ISC^2 to give it out. Look, the practitioner derives value from holding a CISSP due to its “exclusivity”; in other words, the fewer people that have the certitification, the more valuable it is to the credential holder – that’s why this issue with the college students is causing such a ruckus – it decreases the exclusivity of the cert. On the other hand, ISC^2 (as a for-profit entity) derives “value” from the CISSP due to popularity. That is, the more popular the cert is, the more people that they can get certified; the more people get certified, the more money they make – that’s why the college students thing seems like such a good idea to ISC^2. These two sets of goals, while balanced for the short-term, are at odds over the long-term.

Of course, the true malcontent would say that the value of the CISSP is neither about popularity nor exclusitivity, but is instead about utility. In which case, CISSP is already being eclipsed by yet another security certification – the most majestic of certs – the PI license. Umm… Yeah. See, since information security is (as a whole) an unlicensed discipline, practioners without CISSPs are just as free to practice as those with – CISSP may (or may not) increase your salary, but it doesn’t do bupkiss for your ability to do the work. However, a PI license is starting to be mandatory for some areas of infosec. Laughable though it may seem, some states such as Georgia are requireing infosec practitioners to have a PI license in order to provide expert testimony in a court of law. More specifically, when the case involves “acquiring evidence” (e.g. forensics and incident response), only the evidence of a licensed PI is acceptable. So Remington Steele, Magnum PI, or any other cheesy eighties dick has a better chance of getting a slot as an expert witness in a Georgia courtroom than a trained CISSP, CISM, CPA, CPR, CLAP, or any other combination of letters – unless that CISSP is really a CISSPPI (CISSP with a PI.)

So the question to ask if you want to get certified probably isn’t “how much experience do you have in security” but “do you look better in a tux or a hawaiian shirt?”

As a security guy, I’ve always viewed law enforcement as “brothers and sisters in arms” – I’ve always felt a close comraderie with the folks whose job it is to go out there and bring the bad people to justice. After all, isn’t that pretty much what we’re trying to do as security people? But recently it seems like law enforcement is making it tougher and tougher for us infosec folks to do our job.

Don’t believe me? Check out the recent prosecution of Eric McCarty for pointing out a web application security flaw exposing personally identifiable information on the University of Southern California. Here’s a guy who found a flaw in a public web app, brought it to the attention of the folks over there, and got arrested for his efforts. Apparently, PII was avialable through the webapp, McCarty noted this, anonymously divulged the information through a third party (with the intention of having that get back to the University), and because he looked at that data he was arrested. Now, it seems to me that if the University of Southern California makes subscriber data available through their own incompetence, the folks who happen to come around and look at it shouldn’t get arrested for doing so.

Ahem… So, Panda put out a press release last week that (unfortunately for me) intersted me enough to entice me to download and read a marketing whitepaper about TruPrevent. Now, I have nothing against Panda but lest anybody accuse me of endorsing the paper (trust me I don’t), let me assure you that the only reason that I’m bringing it up is that it drew my attention to a new acronymn that was used extensively within the paper. The acronymn was “PIPS” or “Personal Intrusion Prevention System”. Umm…. Yeah.

So for a while now we’ve had NIPS (Network Intrusion Prevention System) and HIPS (Host-based Intrusion Prevention System); now apparently, somebody thinks that we need a completely new acronymn. Now, rather than staying with the anatomy motif and choosing something like LIPS (that would have been my pick), they’ve elected to use “PIPS”. I’m not entirely clear on what makes it “personal” – allthough both Panda and Gartner seem to imply that the fact that it’s integrated makes it personal… Maybe that’s it, although it seems to me that saying “PIPS” is more confusing than saying “suite”.

Anyway, given the tendency for people to slap an -IPS suffix on random letters, I wanted to use this humble forum to go on record as reserving the “CHiPs” acronymn for future use. Yep, that’s right – “Consolidated Holistic Intrusion Prevention System”. CHiPs is the natural evolution of the market, and provides a robust framework for prevention of nefarious activity. You heard it here first. Here are the features that differentiatie a true CHiPs:

- The use of two agents working in tandem
- Uses lightweight, maneuverable “mobile” agents
- Ability to locate and investiate mobile threats
- Designed “to protect and to serve” both consumer and enterprise PC’s
- Half the footprint of traditional mobile agents

This is coming, and man is it going to be awesome when it gets here.