Thursday, February 16, 2012

0-days and cowboys

(I post most of the stuff I see on Twitter now, it's such a seamless way to share information. But I just wrote a long post and thought this article was funny/worth mentioning)

In February 2012, Chris Soghoian called for "reining in" the 0-day researchers and adding regulations or other mechanisms to prevent people from buying/selling "weaponized exploits". He also calls people cowboys and a "ticking bomb", which I think is a bit FUD-oriented. His basic theme that there's a large, opaque market that could go wrong some day is generally a legitimate point (I was surprised how fast/loose people could be there), but I'm not sure how on earth legal restrictions would be constructed to do that effectively. The biggest problem out there now is the lack of transparency and trust between buyers and sellers... if it were brought to light, buyers like Google and Facebook could continue to improve their products, commercial vendors could get what they are looking for, and researchers could be paid for their work. Hard to picture some senator effectively putting that into legislation or some regulation...

Some questions that come to mind:
  • Who would define what an exploit is? Does it matter if it's "weaponized" or not? What, exactly, is he proposing to ban/regulate?
  • Who defines what is legitimate or not? If the FBI wanted to buy one to compromise some mafia machine, is that OK with him? Or if it was a government?
  • Is Metasploit/Rapid7 bad? Isn't that what Metasploit is, a "weaponized exploit" framework? What about Canvas and all the other penetration testing tools?
  • If Congress can't even figure out how to regulate copyright violations without breaking the Internet, who on earth would even dream of suggesting they wade into a domain that's significantly more complex? 
  • His concern that Anonymous was going to hack some organization that bought an exploit, and use it, is just a little silly. If they are able to hack into the organization that's buying "weaponized exploits" in the first place, it's pretty likely they don't need much help to wreak havoc.
Can't spend too much time on silly suggestions or poorly thought out ideas in our community, as you'd have a new full-time job, but some deserve to be called out! Doesn't mean thoughtful dialog on how to improve the situation isn't useful (one could argue, necessary!), but adding FUD to the mix isn't helpful.

[Sep 2016 Update] Sounds like the US State Department and the Wassenaar Arrangement folks agreed with his argument and proposed some disastrous rules making penetration testing and research tools export controlled. (So if you go to Black Hat and present on some new vulnerability with a POC and foreigners are in the audience, you could be fined or go to jail!) Rapid7 has a politically correct writeup about some of the issues. And of course Dave Aitel was writing about it nonstop through the process on his mailing list and cyber security policy blog. Fortunately the Wassenaar rules died, although I'm sure it will return again in some other form, just like Internet regulations have.

Starting a defense-focused cyber technology company

My posting frequency seems to have declined precipitously, both due to busyness and the usefulness of Twitter to share interesting technical news/articles. (If you're not already on you should be!)

Thought I'd write an article about what I've learned while starting Siege Technologies. I started the company in 2009 with my friend Sam Corbitt, who I'd known since I was a rookie engineer. 2011 was another successful year and we continue to grow at a great pace. That growth has been exciting but definitely limits my ability to write up interesting stuff as much as I'd like, but the experience might be interesting to read about for those contemplating a similar move (you know who you are!), or who started down the path recently (Hello Digital Operatives, Apogee Research, Exception Technologies, and Trail of Bits!)

One of the principles behind the company was to implement what Jim Collins calls the Hedgehog Concept. That is, to figure out what you are passionate about, what you can be the best at, and whether there is a market for that skill. Find the intersection of those factors and focus exclusively on that. So many times when I was at DARPA I would be approached by business development types from companies (who I will leave nameless to protect the guilty!) and I would ask them that question, "What are you the best at?", or "When I think of x, I should think of you guys." Far too frequently they either couldn't answer or would smile coyly and say "We're good at whatever you want us to be good at!"

At the same time, I saw (mostly small) companies that focus on excellence getting snapped up. SI Government Solutions got bought by Raytheon. Crucial Security was snapped up by Harris. I'd already watched Ravenwing bought by Boeing and saw firsthand Alphatech acquired by BAE SYSTEMS. And there were many others. Most of the big companies wanted more "cyber" in their lives and often didn't really know how to build it from a technical perspective (or what to do when you had it on your hands!) Some tried hiring people with "cyber" on their resume or buying any company that had computer & security somewhere in their capabilities description. (Raytheon dominated the acquisition field though, going from practically no real capability to owning SI Govs, Pikewerks, BBN, Tek Associates all in a couple of years, an impressive run! Unfortunately they scattered them across competing business units, a problem that big firms encountered - not unique to them!)

Simultaneously, these and other companies were bought and integrated while new, innovative firms were birthed and the natural corporate life cycle continued. Siege was formed to concentrate on innovative technology development to solve cyber/CNO/computer security problems. We would aspire to be the best in the country at low-level computer security technologies. To build those, we'd integrate hacker-type software engineers/researchers with PhD-style researchers who can still implement technical solutions. Our team would focus on supporting government and commercial customers looking for advanced technical solutions.

To be the best, we had to have some unique advantage, or unique combination of advantages. I decided to combine a focus on talent (and provide a corporate culture to enable recruitment and retention of said talent) with a focus on idea generation/innovation, customer support and corporate flexibility. We were originally going to be in two places, Boston (actually the nice and much less crowded suburb of Manchester, NH!) and DC, but also opened up an office in Rome, NY because of a really talented guy I really respected who wanted to join but didn't want to move.

We put a lot of stuff in place (benefits, bonuses, recruitment avenues, etc.) to support bringing in great engineers and scientists. We turned down lots of work that wasn't centered around R&D (IT security, software development, etc.) to maintain our focus on innovation and high-end talent. We turned down work that was R&D, but out of our "swim lane", to maintain our focus on cyber security. We really encourage new idea creation, both as a culture and as a business, and have dozens of ideas we've generated. That allows us to pursue only the ones that have impact or capture a partner's attention, and to treat ideas as commodities to be utilized and explored, rather than a few precious gems to hide from the world lest they be stolen or compromised in some way.

Another approach that has been key has been building relationships through the process. I asked CEOs of companies I admired to serve as advisors and whenever they were permitted they agreed to do so. Also, we built informal relationships with people who provided great advice. One of the best pieces of advice came from Chris Ramming, who advised us to focus on bringing in work first and not getting lost in the details of starting the firm/infrastructure. Build the base first, and the rest will get figured out later... but there will be nothing without customers.

We built strong relationships at bigger firms (including Boeing, Lockheed Martin, Northrop Grumman, Raytheon, and others) that looked to cultivate small, innovative firms in a mutually beneficial arrangement, and had some great partnerships with other small/medium sized firms as well. And we interacted with the larger business/support community, receiving help from the ABI Innovation Center, from our local bank, and even from Senator Shaheen early in our development to resolve a major government paperwork mix-up that threatened to sink the firm. We tried using the SBA, the SBDC, and various other small business/entrepreneurial support groups to no avail (although the SBDC gave a little feedback on an early business plan and has a nice filter to find government opportunities off the terrible FBO site.)

Doing all of that, while maintaining my priority (my family) and maintaining healthy growth, was not easy but it's actually gone pretty well. The credit goes to the people outside of Siege who've helped us along the way and especially the people who decided to join Siege, build the tech and make it the company it is now. And most of all, the graciousness of God, who allowed market trends/career movements/people to coincide perfectly and made it all come together. I'm just along for the ride, my job is to try to make sure I don't screw up a good thing while it's going!

I'll probably include some more stories in the future with the normal cyber stuff. Would like to highlight some of the cool people/organizations that've been part of the process.