Secure the future – have a change of mind!

The future of the enterprise can be secured provided that it is properly organized and operated with a full understanding of its economics. The current concentration on “profit here and now” is extremely harmful to the survival of the world economy as a whole and of every given enterprise in particular.

Why is that? There are two parts to the problem. The first has to do with the short-sightedness of typical company management, and the second with the isolation of company parts from each other and the requirement that every part bring in profit by itself. Under these conditions security becomes an unwanted “fifth leg” that brings nothing but unjustifiable costs to the company. I tried to find a solution within this extremely limited view and there ain’t any. However, the situation looks completely different if you take a long-term systemic view of the enterprise.

In the long term, we absolutely need security, just as we need quality and many other things besides money, to ensure that the enterprise survives. Once we understand that, we shall realize that we already have the knowledge, technology and tools to actually secure our products, and we will direct research to where we see them lacking.

To illustrate, let’s look at how the simple economic model of the well-known game “Civilization” operates.

“Civilization” is a strategy game with a simplified economic model of cities, countries and the world. In this highly simplified model of an economy, describing the behavior of an entire civilization, the parameter “money” is not the only one that leads to success; rather, it is used to serve other areas of society. For example, when you build a library you go to the cashier and convert money into scientific knowledge. The theater is also not built for profit but to spend money on culture. Almost all of the buildings that are not directly meant to “make loot” represent a direct loss: football stadiums, churches, and tank factories just consume money and make no profit, but they produce something else instead: contentment for the people, culture, or tanks.


In principle, you can try to concentrate everything in the world on getting more money, but experienced players will tell you that this option is only meaningful in the finishing spurt, when there is a race to win and you are effectively in the military condition of “it’s either us or them.” At other times you cannot ignore any section of public life: it is necessary to make sure that culture is taken care of and that science is at a level not far behind (so that foreign tanks don’t overwhelm your chariots), that your production facilities allow you to produce anything you might need, and that the cash account allows you to support the whole caboodle.

Once again, it is important to note that most of the objects in Civilization are obviously unprofitable, and that’s fine: they give non-monetary income and in most cases they determine the success or downfall of the player. You build a theater, a library or a tank, pay for them, and don’t complain that they need money. Money is produced by special objects that replenish the treasury. They are important, of course, as an integral part of society, but their main role in the game is to support the work of the other objects: to let society work, move progress and culture forward, and carry the flag of the country. Only in a single case does it make sense to be “in the money”: when you want to win a political victory by buying the votes of neutral city-states. In all other cases a large cash balance is, on the contrary, rather an indication that you are doing something wrong.


So, why are we talking about that? Money in Civilization is a tool, and that is what it should be in real life, at least in theory. Therefore, if you have excess money, it is best to invest it immediately into something that moves forward some real aspect of life: culture pushes the boundaries of your country, science discovers all the new electric cars, cavalry and navy bring the light of truth to the infidels. Since everything around you is continually evolving, the funds should be regularly put into circulation, not in the sense of “revolving in the bank” but through investment in the real sector, because a notional 100 coins in the ancient world is not the same as 100 coins in the era of feudalism, even in the absence of inflation. Just saving money has no special meaning; it means that you could have invested it in some business but did not. For example, you could have mounted an expedition to another continent, but instead you are wasting away over your gold. Yes, money can be useful to respond to a sudden change in the situation, but that usually does not come with great effectiveness; for example, you can immediately buy up a bunch of soldiers in the case of a Mongol invasion, but if you act wisely it is much more effective, including in monetary terms, to prepare them in advance, even though soldiers are all loss and no profit.

In the real world it is much more complicated. Yet somehow it turns out that in a simplified toy “father of the nation” world simulator the different effects of a particular aspect of human activity are taken into account, while in our advanced and so diverse modern society it all comes down to one parameter: money. Look at what is happening in the world or in your company: the talk is all of reductions of this and that, because of “inefficiency”.

Even purely totalitarian economies and societies somehow engage in culture, science and other things, and only in our purely “liberal” economy and culture do we force culture, science, and almost the military … to make money. But, after all, this is nonsense in terms of governance!

There seem to be two important aspects at work:

1) The atomization of society and the economy also applies to the enterprise. In a unified society or company things can be divided into “earning” parts and “wasting” parts, as was done in the traditional family: the husband works in the field, the wife at home on the farm, and that’s fine. Under the conditions of atomization each part is forced to survive as best it can. Science and culture in society, and security and quality in the company, are forced to earn profits, losing their original essence. Every single part is required to perform, basically, all of the functions of the whole in order to survive, without any regard to its original purpose. The security department now has to “sell” its services, engage in marketing campaigns and calculate its “efficiencies”.

2) An extremely short time horizon has become the norm. Where top management was supposed to keep a very long-term perspective and support the activities that would allow the company to exist in the distant future, now we are dealing with non-stop pressure to deliver everything today.

In general, the reduction of all aspects of life and work to making a profit in the monetary sense immediately leads to many fun things.

There are many aspects to our work as a software company producing and selling software products, but if we simplify the model we can say that a few factors are involved in the long-term survival and prosperity of the company. One of the factors is the features of the software. That is your “money production” part, the thing that gets the software sold and brings in the money. Too much concentration on this part is dangerous, however.

There are other important parts. We will leave aside many of them for the sake of simplicity. Let’s look at quality. Ensuring software quality is pure cost: it does not sell as such, it does not bring money. Should we stop spending money on quality? You would be right to assume that we will not. But why? Because the quality of our product influences future sales; it is not here and now but in the future that we will see the indirect benefits, often not quantifiable. Still, most of us understand that destroying the product quality will lead to deterioration of market sales and company image, decline of revenues and the eventual crumbling of the company. So somehow over the years we realized that a completely non-profitable activity is necessary for the survival of the enterprise.

The same applies to security. Most companies ignore security nowadays. Security is nothing but cost, and it costs even more than quality. Security is even less visible and its impact is even further in the future. Many managers show short-sightedness and ignore security to concentrate on what brings money in today and tomorrow. But is that a good idea? Security is like your army in “Civilization”: it is pure cost and you may never actually use it directly, but it is a good idea to have it unless you want to see your cities overrun by the American war chariots. Security is a cost that an enterprise must take on to ensure its long-term survival. It is as necessary as other costly things: quality, specialist training, research etc.

So when a company puts security in a position where the security department has to justify its existence by proving, with numbers in hand, that it is somehow “profitable”, that’s pure lunacy on the part of top management. This concentration on the “money aspect” may pay off in the short term but will lead to a crash in the long term. Balance is as essential to a healthy company as it is to an empire in the game of “Civilization”. One cannot ignore the money aspect and risk running out of money at an unfortunate moment. One cannot concentrate on money and ignore everything else either. We must accept that security is one of the realities of life and it is necessary to have, because otherwise “their tanks will crush our chariots”.

I hope we are clear on that now.

You may only need a sword once but you must carry it every day.
– Japanese proverb


More on WordPress xmlrpc denial of service attacks

Attacks on WordPress using the xmlrpc.php service are rather common. I already mentioned that you could filter out unwanted user-agents using the redirect capability of Apache. That would, however, take care only of the obvious cases, where you can see that this particular user-agent could not possibly be your reader. What do we do if the user-agent looks normal?

Well, if you do not need the xmlrpc service, you could block it off completely with mod_rewrite for all access:

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Match any request path beginning with /xmlrpc.php; the dot is escaped so it
    # matches a literal dot rather than any character
    RewriteCond %{REQUEST_URI} ^/xmlrpc\.php
    # Return 403 Forbidden and stop processing further rules
    RewriteRule .* - [F,L]
</IfModule>

This will return a 403 for all requests. It is basically equivalent to what you did with the “Files” directive where you specify “Deny all” for a file path. This blocks all access to xmlrpc completely, for all purposes, so you will not be able to use the service at all. Which is not always acceptable.

But the good news is that the set of rules is extensible with other conditions, and you could again block only the requests with a particular user-agent. For example:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # Only requests for xmlrpc.php are considered...
    RewriteCond %{REQUEST_URI} ^/xmlrpc\.php
    # ...and only when the user-agent matches one of these patterns. Conditions
    # without [OR] are ANDed, so this reads: URI matches AND (agent 1 OR agent 2).
    # A pattern containing a space must be quoted, or Apache splits it into two arguments.
    RewriteCond %{HTTP_USER_AGENT} "^.*NET CLR.*$" [OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*Mozilla/5.0.*Windows.*NT.*6.*$
    RewriteRule .* - [F,L]
</IfModule>

And so this becomes an extensible list of rules. You check your logs, see suspicious requests and add them to the list of rules. Stack the additional conditions with the [OR] flag at the end of the condition line, as in the example above, where the last condition in the chain carries no [OR].

Now we have a set of rules that blocks some of the accesses to xmlrpc based on the user-agent reported by the attacker. We could also add filtering by referrer, IP ranges and so on. It is an arms race, you get the picture.
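To make the “check your logs, add rules” loop above repeatable, here is an added example (mine, not from the original post) that parses Apache combined-format log lines, counts which user-agents hit xmlrpc.php, and renders the corresponding mod_rewrite block. The log lines are constructed, the two-hit threshold is an arbitrary assumption, and the generated conditions match each agent string exactly, which is narrower than the substring patterns used above.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not from a real server: two agents hammer xmlrpc.php
# (one of them via a query string), and one ordinary page view is mixed in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 2.0.50727)"
203.0.113.7 - - [10/Oct/2000:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 2.0.50727)"
198.51.100.23 - - [10/Oct/2000:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
198.51.100.23 - - [10/Oct/2000:13:56:02 +0000] "POST /xmlrpc.php?rsd HTTP/1.0" 200 370 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"
192.0.2.44 - - [10/Oct/2000:13:57:12 +0000] "GET /2014/01/some-post/ HTTP/1.1" 200 14021 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/33.0"
"""

def xmlrpc_hits(log_text):
    """Count requests per user-agent whose path is exactly /xmlrpc.php (query string ignored)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] == "/xmlrpc.php":
            hits[m.group("ua")] += 1
    return hits

def suspicious_agents(log_text, min_hits=2):
    """User-agents that hit xmlrpc.php at least min_hits times: candidates for manual review."""
    return sorted(ua for ua, n in xmlrpc_hits(log_text).items() if n >= min_hits)

_META = set(".^$*+?()[]{}|\\")
def regex_literal(s):
    """Escape PCRE metacharacters so a user-agent string matches itself literally."""
    return "".join("\\" + c if c in _META else c for c in s)

def rewrite_block(user_agents):
    """Render the article's mod_rewrite block for the given agents. Conditions without
    [OR] are ANDed, so the URI check ANDs with the OR-chain; the last UA line has no [OR]."""
    lines = ["<IfModule mod_rewrite.c>", "    RewriteEngine On",
             r"    RewriteCond %{REQUEST_URI} ^/xmlrpc\.php"]
    for i, ua in enumerate(user_agents):
        flag = " [OR]" if i < len(user_agents) - 1 else ""
        # Quote the pattern: user-agents contain spaces, which would otherwise split the directive.
        lines.append(f'    RewriteCond %{{HTTP_USER_AGENT}} "^{regex_literal(ua)}$"{flag}')
    lines += ["    RewriteRule .* - [F,L]", "</IfModule>"]
    return "\n".join(lines)
```

Pipe a real access log into `suspicious_agents` and review the list by hand before pasting the output of `rewrite_block` into your .htaccess, since a legitimate mobile client can also call xmlrpc.php repeatedly.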

Dark alleys of cybersecurity

The security of the so-called “cyberspace” has deteriorated beyond belief. Some people tell me that my stories are far-fetched and that I view the security and computer industry with some sort of depressing negativism. I disagree. The problem is, I am trying to stay positive and optimistic. My tales rarely go to the full extent of what is happening. The reality is much worse and scarier. Why, then, do we tend to think that the Internet reality is all cheerful and pink? Because our judgement is severely distorted by our perception of the Internet world.

When you walk around town, you come across various parts of it and you are usually able to assess the dangers correctly. You walk on a wide street; there are sufficiently many people around, but not so many as to invade your personal space. The street is well lit, or it’s daytime. There is a policeman on the corner… What do you feel like? Your body tells you it is all safe. Your image recognition and other senses are evaluated automatically and provide a relaxing feeling of “it’s all right.”

Now imagine you are walking at night through a dark part of town. Small streets, poorly lit, people are scarce. You are approaching a dark alley; it smells funny, and there are some indistinct shadows moving ahead. A police siren wails in the distance… How do you feel? You tense up and ready the “fight or flight” reflex you inherited from the stone age, the one that keeps you alive in situations like this. Your body sends a clear signal: this place is dangerous. You have assessed your situation correctly.

Let’s now go onto the Internet. We can do it from various places with various devices, but let’s stay traditional for this example. You sit at home, at your desk, wearing comfortable home clothes, your slippers are on, the evening is outside but inside it is all warm and cozy, you have your cup of coffee at your elbow and you visit a website. A bad one. One from the dark alleys of the Internet.

What do your senses tell you about the website you are visiting? Or even about the state of your own computer? Well, basically, nothing. Your standard human senses are dealing with the standard stone age parameters: you are at home, in safety, it’s warm, you feel protected, there is food, no danger. The body is sending you the signal to relax. However, that signal has nothing to do with what you are doing at the moment. Your assessment of the situation may be completely wrong.

And therein lies the problem. We are not equipped to recognize the dangers of the Internet. Whatever we do at the computer screen, our feelings of comfort and safety are not influenced at all by our actions. Therefore, we cannot rely on those most basic instincts of whether something is safe to do or not anymore. Not when we are in cyberspace.

The only way to assess adequately the dangers of the Internet is to learn to think about them logically. To perform a logical assessment of the danger of entering a website you must intentionally exclude the cozy bodily feeling from your equations. The equations will also require education and practice. You must learn logically what a good behavior is, what a bad site might look like, what a suspicious activity is and so on. Just the way you learn to drive a car. It takes knowledge, training and cool logical thinking to drive the car without causing accidents all the time. Training and education will over time result in a new kind of situational awareness that will allow you to assess your situation and your actions on the Internet correctly.

Failing that, think of the Internet as a dark alley full of indistinct but dangerous looking shadows. It might help. Or, better, ask someone who knows to help.