
Monday, April 20, 2015

Black Hat 2014: The Ten Commandments of Modern Cybersecurity

There should be more accountability — and less legal leeway — for the software vendors and their technology's source code. 

 BY HILTON COLLINS / AUGUST 7, 2014

At the Black Hat USA 2014 conference at Las Vegas' Mandalay Bay Resort and Casino, security is the main event. And in that vein, Dan Geer, the chief information security officer of non-profit investment firm In-Q-Tel, shared 10 cyber security policy recommendations during his keynote speech on Wednesday, Aug. 6. Geer, the conference's first and only keynote speaker, framed his recommendations within the context of today's confusing, precarious cybersecurity landscape amid diminishing personal privacy and increased government spying and surveillance.

He read an hour-long essay to thousands in attendance, addressing a crowd who represented, in his opinion, an industry that's becoming more and more prominent in public policy because of software's ubiquitous presence in every facet of modern life. The security of the technology that supports society is something no one can ignore, but cyber threats are so constant and pervasive that accomplishing total privacy and security seems futile.

Geer opened his talk by reading aloud the abstract for his speech, which summed up the importance of cybersecurity policy, even as strong cybersecurity itself seems almost impossible to achieve. "Power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get," Geer said. "Some have the eye to discern cyber policies that are, 'The least worst thing.' May they fill the vacuum of wishful thinking."

Geer's cybersecurity advice was comprehensive and called for more accountability — and less legal leeway — for the software vendors and their technology's source code.
Geer said that the following 10 policy proposals were his and his alone, based on his experience in the industry. He also gave a verbal disclaimer that listeners were free to disagree and attempt to prove him wrong on these ideas, in the interest of greater legal and personal agency in the never-ending cybersecurity effort. 

1. Create a mandatory reporting system for severe breaches, similar to how the United States Centers for Disease Control has a mandatory reporting system for medical diseases. If the breaches are less severe, then reporting should be voluntary.

2. Offer Internet service providers one of two net neutrality options. Providers can charge customers for service, but that also makes the providers responsible for the harmful content within that service. Providers can alternatively choose a "common carrier" option that frees them from liability for damaging content, but they're unable to inspect or act on the contents of what they carry. 

3. Make software developers legally liable for their source code. Under the regulation procedures, developers should give buyers the ability to disable pieces of code they don't want to use, and the developers are held liable for any damage their software causes under normal usage. 

4. Strike back at attackers when necessary with cyber counter attacks or targeting campaigns to truly identify the attackers. The ability to do this, however, will require entities to share infrastructure and resources because not every organization has the power of Microsoft or the federal government.

5. If people have no way to remotely shut down computer systems when necessary because those systems are too deeply embedded, then those embedded systems should be designed with the ability to self-terminate after a fixed amount of time has passed, and computer systems that can be remotely controlled should be designed with the ability to refuse certain remote commands for security purposes. 

6. The government should pay people competitively for finding vulnerability exploits, and then make those exploits public. 

7. Uphold people's right to be forgotten and operate autonomously, even as a connected society makes this increasingly more difficult, and give people the ability to misrepresent themselves online under certain circumstances to confound those who would "watch" them digitally.

8. Voting online is a bad idea because it opens the process and results up to cyber manipulation. 

9. Software code should be open sourced after companies discontinue it and stop releasing updates for it. The open source community can patch and update software code for the greater good if companies decide that the code is no longer useful. 

10. Critical infrastructure systems' dependence on the Internet and electrical grid leaves them open to cyber attack, so their managers and network administrators should find ways to operate them off the grid, if necessary. 

Geer concluded his speech by espousing political realism. The international world is anarchic when cyberspace is involved, and governments are the most important players in the digital world. 

"States' investment in offensive cyber is entirely about survival in such a world," he said. "States are driven to this by the dual, simultaneous expansion of what is possible and what their citizens choose to depend on." 

Hilton Collins | GT Staff Writer By day, Hilton Collins is a staff writer for Government Technology and Emergency Management magazines who covers sustainability, cybersecurity and disaster management issues. By night, he’s a sci-fi/fantasy fanatic, and if he had to choose between comic books, movies, TV shows and novels, he’d have a brain aneurysm. He can be reached at hcollins@govtech.com and on @hiltoncollins on Twitter. 

http://www.govtech.com/security/Black-Hat-2014-The-Ten-Commandments-of-Modern-Cybersecurity.html

Saturday, February 25, 2012

Where do Bugs come from?

I am a tester. I should think. Where do the Bugs come from? Have I thought about it before? Never!

I am busy finding bugs and reporting them. Verifying them if they are fixed. If they are fixed, I am closing them.

I never find time to think about where Bugs come from. For a moment, let me forget everything and just concentrate on one thing; the origination of bugs.

Wow! Now I get a great feeling. I am slowly getting into the groove of the situation of my thoughts on the origination of Bugs.

After all, where do the Bugs come from?

I am now smiling. My thought process has started. I am everywhere. My mind is everywhere.

I close my eyes. I think. My eyes are still closed as my mind wanders about everywhere.

The Bugs can come from anywhere.

• EOI – Expression of Intent
• RFP - Request for Proposal
• Proposal
• SOW – Statement of Work
• Requirements
• Design
• Code
• Integration
• Network
• Interface
• Database
• Web
• Browser
• Keyboard
• Mouse
• Family
• Friends
• Health
• Attitude

The list goes on.

What a funny list of “groceries” for testers!

I probed myself once and mostly found that the grocery list is real and it is growing further.

Now do YOU know where Bugs come from?

Groceries List?

Sunday, January 15, 2012

Bugs will not come to you; you will have to go behind bugs...

Have you found bugs in your life? What a silly question to ask. Who hasn't found bugs? Everyone would have found bugs in their lifetime. Not testers alone but everyone.

How simple...you see something different and you call it unusual. You see some issue, and you call it a problem. You expect something and you get something else, and you call it a BUG. When a BUG is found, you call yourself a TESTER.

Don't we know it's common for testers to find bugs? If testers don't find bugs then who else will?

Well, that's not the point here. The point is not to find the found bugs. The point here is to find the unfound bugs; those bugs that are found after digging deep; those bugs that are found after a lot of trials; those bugs that give the developers nightmares and those that give the testers a sense of pride.

My dear tester folks! Go after such bugs that will make you stand out in the crowd. Find bugs which will be an example to others, such bugs that can get fixed only by a top developer, such bugs that get deferred due to their complexity.

Finding hidden bugs will always earn you respect. Dig deep and you will find so many un-thought bugs, so many un-explored bugs.

Such Bugs will not come to you; you will have to go behind such Bugs...

Monday, November 21, 2011

Nothing to do

I never knew life was so easy. Imagine someone telling you “Hey, you don’t have to do anything”.

Feeling good? Who doesn’t?

Today, on a rainy Friday evening, I thought I would do some reading online. You will be thinking that this guy starts by talking about doing nothing and then does something else.

Well, unplanned activity sometimes yields great results. Just like those un-planned leaves give me brickbats from my people above me.

I was reading a Blog (don’t ask me the name) and that led me to a website (don’t ask me the name again) which had a lot of information on Testing. I could read it online or download a zipped file. I was destined to do the latter and never knew something was in store for me that I had not seen before. Not sure how many of you have seen this.

I clicked on the “Download Zipped File” icon and there came a File Download dialog staring at me, asking me if I want to Open, Save or Cancel.

I chose to “Open” the zipped file. I could find a PDF File inside which could be expected to be a treasure trove of information.

Instead of Opening or Copying the PDF file, I Cut the PDF File and pasted it on my desktop. To my surprise, I saw something I had never seen before.

Two dialogs appeared. One said “Deleting From Archive…” with a “Cancel” button, but I really could not understand what was getting “deleted” and where the “Archive” came into the picture. The other dialog brought a smile to my face, as if someone was running a feather on my ears. This dialog is very close to my heart as it said “Nothing to do.”

Nice to see “something” asking me to do “nothing”. But the dialog had a title “Compressed (zipped) Folders Error” and told me to do nothing with an OK button. I was curious and dying to click the OK button to know what could happen next.

When I clicked OK, something disturbed me even more. After seeing the above two dialogs, I thought I was in for some trouble. But that was not the case, thanks to my planetary positions on a Friday evening. The PDF file was actually saved onto the Desktop. If you see my desktop Cats, even they are surprised to see the saved file. Don’t they look surprised?

Wow…What a Bug I encountered on a rainy Friday evening when all other testers had gone home to spend time with their families and friends.

You know what, sometimes it pays to stay back on Friday evenings and explore the un-explored. Having said this, a meeting with two campus minds a few days back comes to my mind. I met them and spoke to them and, trust me, I was talking to a campus mind for the first time so closely. It gave me a feeling that these minds are our future. They have all the energy and are raring to go. They made me feel so happy with their presence. I spoke to them at length and told them that they had made the best move by choosing Software Testing as their career, as they seemed very passionate about testing.

After seeing the above Windows Bug, our Campus Minds will feel that they have made the right choice of becoming Testers. Testers of today could be Testing Legends of tomorrow.

Will anyone dare say “Nothing to do” to these legends?

Sunday, October 09, 2011

Communication leads to Test Coverage, not just Requirements.

How many of us thought that Test Coverage is important? And that Test Coverage comes just from Requirements?

We are always behind Requirements...Requirements...Requirements and just Requirements. We expect the Requirements to be in the form of an MS Word doc, and maybe a PDF, and maybe a PPT, and maybe an Excel sheet, and nothing else. We are so used to these few things that we see nothing beyond them.

What else could lead to Test Coverage?

We often ignore Communication. Communication is a tool, an important tool for your test coverage. Oral Communication, Written Communication and sometimes, even SMS could be a communication medium to record the Requirements for test coverage.

Not all Requirements could come from Requirement docs, not always at least. There are instances when customers have emailed the stakeholders with some additional requirements that were not covered in the actual requirements document.

Usually, we have calls with our Customers to discuss so many things. The Customers could be from across geographic locations. Understanding them, their voice, their language, their accent etc. makes the difference, and how well we convert them into our understanding for the test coverage matters most. I have even had a chat conversation on a communicator to discuss things that could possibly be a "Requirement".

The medium of communication is not important here. What's important is how well we gather the "communication" and document it and then share it as just "Minutes of Meeting" or a Word doc or a Scenario/s or even a test case/s.

There is no right or wrong way of understanding requirements as long as it satisfies the Business Needs of the Customer.

Monday, August 15, 2011

16 August - Indian Software Tester's Day - Sounds Good?

Happy Independence Day to all Indians across the Globe.
And Happy Independence Day to all Indian Software Testers across the Globe.

What does freedom mean to all? Freedom to do anything within the purview of the Law. In the software testing context, freedom to a tester means to do anything within the purview of the scope of testing, and sometimes, beyond that.

Any software tester needs that freedom to achieve a goal. The goal is Quality. A tester needs freedom to explore everything and unearth bugs. A tester needs a free hand to explore, experience and experiment with the application under test.

I am somehow against holding a tester responsible for duplicate or rejected bugs. That's against the freedom of a tester. What's the big deal with a duplicate bug or a rejected bug? The customer is equally responsible for the quality of the application. The tester is not responsible when the requirements are not frozen (freezed)(finalized)(baselined); the customer is.

The customer or the stakeholder should understand that a tester is there to test the application and find bugs, not to face enquiry committees for duplicate bugs, rejected bugs, leaked bugs.

Unless the tester is a free bird to test what he wants, how he wants, any barriers would discourage a tester from doing a good job in testing. Let alone doing a good job, a tester would think twice before plunging into a testing job.

16 August should be called INDIAN SOFTWARE TESTER'S DAY, a day after the Freedom day of all Indians.

Thoughts?

Jai Hind!!!