I get a lot of emails from Cisco every week. A whole lot. They aren’t spam, really. It’s just that the frequency with which they arrive in my mailbox makes me think of them as such. Here is how the subject line of each and every message reads:
End-of-Sale and End-of-Life Announcement for the <Insert Latest Product Being Kicked to the Curb Here>
For example:

Nobody plows through products like Cisco. They release and kill products faster than a developing fetus churns through cells. It’s ridiculous, really. Because I view our industry with a tiny pinch of cynicism I often find myself a teeny bit disenchanted with Cisco over such things. Their products tend to cost some noticeable ducats. And they tend to get EOL’d pretty quickly. Combining those two truths together means that Cisco is always wanting me to buy new gear before I’ve gotten sufficient ROI (Return on Investment) on what I’ve got.
But that’s part of the business model for Cisco. The big players, the ones with really deep pockets, can afford to keep up with Cisco’s shenanigans. In fact, because the checks getting written don’t usually have any impact on the paychecks of the people writing them, they often don’t care one way or the other. What’s a hundred grand here or there? I mean, really? It’s the smaller businesses that can’t hang. Dropping $4K on a switch is a major deal for a small business. Being told that it is end-of-life a year or so after you buy it stings more than just a little bit. But this is the nature of the business. Things move on. Technology develops. Features evolve. Stockholders need dividend checks.
Don’t get me even a little bit wrong. I straight-up LOVE capitalism. I don’t believe that the big boys should have to play nice to give the little upstarts a chance. That’s crap. Crush them if you can. Because if you don’t, they will crush you. If I was Cisco, I would crush everyone. Every Friday my employees would wear shirts to work that read “Cisco” on the front and “Monopoly” on the back. I’d have custom Monopoly board games made where the objective was for Cisco to dominate the board, crushing all competitors. Well, that’s the America I want to live in, at least. It’s better to be the crusher than the crushee, of course. And it sucks to be you if you find yourself getting smooshed.
I have a word for small businesses who want Cisco gear but don’t want to pay premium prices. Either get out your checkbook and try to keep up or do what this word implies. Pick a path and follow it. I can tell you this because I am a small business. I know what it is to want the toys of the big boys but have the bank books of an upstart. I don’t like this word any more than you do.
So what’s the word? You already know it. You don’t like to say it. It’s like buying bo-bo brand sneakers or Sam’s Choice Cola. It’s buying Hyundai because you can’t afford Mercedes. It’s like buying Inspiron because you can’t afford XPS. As much as you don’t want it to, this word shouts out to the world, “Hey, I can’t afford it!”
The word: Linksys.
Cheers,
Colin Weaver
Last summer Dan Kaminsky got everybody all a-tingle over an ever-so-simple vulnerability in DNS. Mad props to him for figuring it out, of course. But a big kabong in the head for the rest of us for not seeing it earlier. DNS is over 25 years old and is core to the functioning of the Internet. The fact that something so obvious made it so long without getting discovered is a lesson for us all. You can read about the Kaminsky vulnerability here (http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky). Wired magazine, despite being way more liberal than I can usually stomach, does a good job on articles like this. Good back story, etc. Anyway, it’s worth the read.
If you want to know more detail about the vulnerability I suggest you give a serious 20 minutes to Steve Friedl’s description of the Kaminsky DNS vulnerability. Steve does a really good job of breaking things down so I’m not going to repeat what he already said so well. Go check out his schtick. Seriously. Go. Read it.
The current solution to the problem is termed by most to be temporary. It takes the chances of successfully executing the attack from 1 in 65,535 to a much longer 1 in 161 million. I’m calculating this number by multiplying the number of possible source ports (65,535-1,025) by the number of random ports chosen by a patched Microsoft DNS server (2,500). 64,510*2,500=161,275,000. This means that there is a 1 in 161 million chance that someone will be able to poison the cache using Kaminsky’s technique. The real problem is not yet fixed. The fix just lengthened the odds against anyone actually succeeding.
And I almost agree. A 1 in 161 million chance is a big-time long shot. But the odds of winning the Mega Millions Jackpot are 1 in 175 million. That means you have a slightly better chance of winning the Kaminsky DNS poisoning lottery than of picking all five numbers plus the Mega Ball and retiring. What gets me is this: Someone wins the lottery every week or so (sometimes a bit longer). The fact that someone has to win means that people still play. Motivated attackers know this. If they play long enough they still have a chance to win. And play, I suspect, they will. After all, it’s not costing them a buck a pop to do so. And, oh my, what a payday!
While the solution is simple and reasonably effective, it seems that it has no capacity to be a long-term solution (which has already been admitted over and over. DNSSEC anyone?). It also seems that we need to limit the number of times someone gets to play. Enter Intrusion Prevention Systems and shunning.
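The two ideas above, the lottery math and the "limit how many times someone gets to play" rule, are easy to put into working code. What follows is an added example written for this page; it is not code from the original post. It assumes the figures the post quotes (a 16-bit transaction ID, a 2,500-port socket pool on a patched Microsoft DNS server), a hypothetical shun threshold of 20 bad replies, and constructed traffic using a documentation-range address.

```python
"""Added example, not code from the original post.

Two things the post argues about numerically: how much source-port
randomization lengthens the odds against a Kaminsky-style guess, and why a
resolver or IPS should cap how many wrong guesses it tolerates. Constants are
assumptions taken from the post's figures (16-bit TXID, 2,500-port pool).
"""
import math
from collections import Counter

TXID_SPACE = 65536   # 16-bit DNS transaction ID
SOCKET_POOL = 2500   # ports a patched Microsoft DNS server draws from (figure quoted in the post)


def per_guess_probability(txid_space=TXID_SPACE, ports=1):
    """Chance that one forged reply matches both the TXID and the source port."""
    return 1.0 / (txid_space * ports)


def success_probability(p, guesses):
    """P(at least one hit in `guesses` independent tries) = 1 - (1-p)^guesses.
    log1p/expm1 keep precision when p is on the order of 1e-8."""
    return -math.expm1(guesses * math.log1p(-p))


def guesses_for(p, target=0.5):
    """Forged replies needed before the cumulative success chance reaches `target`."""
    return math.ceil(math.log(1.0 - target) / math.log1p(-p))


def seconds_to_success(p, forged_per_second, target=0.5):
    """Wall-clock time at an assumed forgery rate (the attacker picks the rate)."""
    return guesses_for(p, target) / forged_per_second


# --- the 'limit how many times someone gets to play' idea ----------------

def flag_guess_bursts(outstanding, replies, threshold):
    """Count replies that match no query currently in flight.

    outstanding: {resolver_src_port: expected_txid} for queries in flight.
    replies: iterable of (claimed_src_ip, dst_port, txid) UDP responses.
    Returns {claimed_src_ip: bad_count} for sources above `threshold`.

    Caveat: the attacker spoofs the authority's address, so the key is the
    *claimed* source. Act on a flag by alerting or retrying the query over
    TCP for that zone; a firewall shun on the address would cut off the real
    authoritative server, which is exactly the outage the attacker wants.
    """
    bad = Counter()
    for src, port, txid in replies:
        if outstanding.get(port) != txid:
            bad[src] += 1
    return {src: n for src, n in bad.items() if n > threshold}


def demo():
    """Constructed traffic: 3 good replies from the authority's address and
    200 wrong guesses spoofed with that same address (hypothetical data)."""
    outstanding = {53011: 0x1A2B, 53999: 0x7777, 54321: 0x0042}
    authority = "198.51.100.53"   # documentation-range address, constructed
    good = [(authority, 53011, 0x1A2B), (authority, 53999, 0x7777), (authority, 54321, 0x0042)]
    spoofed = [(authority, 53011, txid) for txid in range(0x2000, 0x2000 + 200)]
    return flag_guess_bursts(outstanding, good + spoofed, threshold=20)


if __name__ == "__main__":
    p_txid = per_guess_probability()
    p_both = per_guess_probability(ports=SOCKET_POOL)
    print(f"TXID only   : 1 in {1 / p_txid:,.0f}; 50% chance after {guesses_for(p_txid):,} guesses")
    print(f"TXID + ports: 1 in {1 / p_both:,.0f}; 50% chance after {guesses_for(p_both):,} guesses")
    print(f"at 10,000 forged replies/s that is {seconds_to_success(p_both, 10_000):,.0f} s")
    print("burst flagged:", demo())
```

Running it shows the point of the post in numbers: with only the transaction ID to guess, an attacker has even odds after roughly 45,000 forged replies, which is seconds of work; with the port added, even odds take on the order of 110 million replies. That is a long shot per query, but still a finite budget for someone who can spray packets for free, which is why the burst counter matters as much as the entropy.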
My lasting impression from this little lesson in security is that there is always something lurking under the covers. And it’s often hidden inside things we think we know and understand very well. How cool is this line of work? I love it.
Colin Weaver
I have submitted an additional dictionary definition suggestion to Merriam-Webster and to the folks over at dictionary.com.
They currently define a ‘moron’ as a “person of sub-normal intelligence”. I’d like to add to that. The additional definition should read, “a person who follows hyperlinks in emails.”
Not obvious enough for you? It should be. If you receive an email that contains a hyperlink and you click on it, you are a moron. It’s non-negotiable.
But what if the email is from someone you know and trust? Sorry: moron.
- Even my mom? Yep. Moron.
- Even from Colin (e.g. me)? Yep. Moron.
- Even from your boss? Yep. Moron.
- Even from myself? Oooohhh, yeah! Especially if it’s from you, ya’ moron!
Email is so easily spoofed and users are so easily fooled that it doesn’t make sense to try and educate them on how to discern whether the source is legit. Phishing filters, hyperlink hovering, SPF records in DNS, spam filters, the list goes on… all are great but they don’t eliminate the possibility of being duped by a spoofed email. There is only one way I can think to do it. Make it a practice to NEVER click on a hyperlink in an email.
Here’s a better idea. Let’s all become part of the solution by never SENDING an email that has a hyperlink in it. People who know me well know that, no matter how badly I want to see something, I refuse to watch anything that is on a VHS tape. If I watch a VHS tape it allows for the continued existence of the medium and I won’t be party to that. I must now extend this philosophy and say that here, today, it starts with me. From this day forward I will never send another email that has a hyperlink in it. Doing so only allows for my legitimate recipients to continue to think it’s okay to click on them. No more. It stops here. I should have done this years ago…
Join me.
Colin Weaver