Monday, September 24, 2007


The good folks at Wireshark have announced SharkFest '08, the first annual (I know, I know- "first annual" irks me, too) Wireshark event.
"CACE Technologies hosts the 1st Annual SharkFest Event March 31 – April 2, 2008 at beautiful Foothill College in Los Altos Hills, California USA. Join us for 3 days of training and discussions on network analysis, troubleshooting, security, Wireshark development, communications dissection and more!"
I hope I can make it, but it is only six weeks after Shmoocon, and it is a long way from Cape Cod.

Of course, getting my wife interested in a trip to the SF Bay area in April will be a lot easier than DC in February.

See you there?


Saturday, September 22, 2007

Pointless Security "Conversations"

There are many great sources of security information, but lately it seems that more and more of the commentary deteriorates to something equivalent to this:

It's a dog!
No it's not!
Is too!
I like kittens.
You just don't understand how dogs work.
Maybe if we feed it dog food...
And so on.

Meanwhile, dog or not, we're here looking for the paper towels, because we have to clean up after "it".

I don't want to discourage anyone from following blogs, forums, or any other source of information- but if you don't add your own BS filter, you will get frustrated and miss some great information.

My approach to dealing with this is twofold:
First, whenever commenting, I try to add to the conversation in a meaningful way and include relevant information where appropriate.
Second, I tend to skim over the pointless posts and avoid "feeding the trolls".

I will admit that sometimes I fall short and add incite instead of insight, but I'm working on it.


Wednesday, September 19, 2007

Microsoft Live Writer, Ultimate Blog Editor?

Microsoft has rolled out a beta of their Live Writer application- and it is great!  True WYSIWYG, including the themes, simple insertion of:

  • bulleted lists
  • numbered lists
  • links (with several options)
  • video
  • images
  • maps
  • tables
  • tags

Add offline caching and editing plus compatibility with Typepad, Blogger, Moveable Type, WordPress, LiveJournal and more- now you have a really good utility.

Not Open Source, but free (as in beer).


Monday, September 17, 2007

(Un)Common Sense

After grossly oversimplifying security issues with virtualization by saying that a little common sense could go a long way towards solving problems, it was suggested that I had
"fallen prey to some slick-willie marketing somewhere that suggests that "...a little common sense" is out of beta and ready for production. ;)."
At first I thought that my accuser was nuts: common sense is hardly rare and is certainly in wide-scale production. Then I thought about the split between my "hobby" friends and the corporate world, and it started to come together. Everyone has their moments of brilliance and stupidity, but join me at the next NE Blacksmiths Fall meet and you will see people who exemplify creativity, problem solving and yes, common sense. And they are really nice folks, too. What is it about the business environment that seems to drive common sense out of so many people? I certainly don't have the answer, but I think there is often a lack of "big picture" vision as we all focus on our own tasks.

Alone at the anvil, you are responsible for your work. Maybe that's it, bigger organizations blur the responsibility. I don't know for sure, but I do know that common sense is out there, just not always as much as we would like.


Another look at the IT community

As promised, here are a few of the local IT groups that I rely on for insight and incitement. They all have maillists, so you can participate even if you aren't really "local".

National Information Security Group, at
NAISG is a great group with a diverse membership- from students and teachers to law enforcement personnel, systems and network administrators, consultants and security entrepreneurs. The mail list is a good resource for technical information, but the real value of the list is often the insight into the "why" rather than just the "how". Join the maillist here.
[Full Disclosure- I have been an active member since shortly after NAISG's founding, I serve on the Board of Directors and I am Chairman of the New England Chapter]

The following are not security-centric, but are very good groups:
Southern New England Network Users Group, at
A fantastic resource for small to mid-sized business admins. Often MS focused, but a wide variety of topics come up. One of the best remaining resources for small business Novell gurus.

Boston Linux Unix Users Group,
From beginners to experts; Unix, BSDs and Linux; this is the place for *nix information and insight.

Boston Area Windows Server Users Group,
One of the largest Microsoft user groups, Windows Boston is also an affiliate of the Boston Exchange Server UG. All things Microsoft, and more.
[Full Disclosure- I'm an advisor to the Steering Committee]

Friday, September 14, 2007

Not that you asked...

But here are some random thoughts and mini-rants which may or may not have anything to do with Information security-

Making something more complex...
makes it more complex. More complex means more potential avenues of attack and makes it harder to understand and secure. More attack surface likely means LESS secure. If I add anti-virus, anti-spyware, host-based firewalls and IPS, NAC agents and more to my systems they have thousands (millions?) of additional lines of code that provide potential attack vectors (and real performance issues).

Often-violated business rule #1:
Make it easy for people to give you money.
(This mini-rant brought to you by the Cisco Service Contract Center).

Old InfoSec people are curmudgeons because they are tired of fighting the same battles over and over and over again. And because they aren't happy unless they aren't happy.

Often-violated business rule #2:
If you take someone's money, deliver what you promised them.
(This mini-rant brought to you by Symantec).

Breaking stuff is still fun. As is fixing stuff. And breaking it again.

Blatantly Obvious Business "Secret": Underpromise and Overdeliver.

Ubuntu is a great Linux distribution and the Ubuntu community is great, but they are in danger of becoming a religion. This would be a setback to Ubuntu, Linux and religion.

Vista both disappoints and scares me.

One of life's little mysteries: How can companies full of good people consistently deliver mediocre goods and poor service? (Insert your own sponsor, you know plenty of them, too).

Attention all engineers:
1) Please consider "It has to work" an implied specification for everything you do.
2) Building crap because you were told to does not relieve you of responsibility for the outcome.

If you "sell security", expect to be challenged.
If you fail the challenge, it is not the challenger's fault; thank them and learn from the experience.

Enough for now-


Wednesday, September 12, 2007

Security Anecdote Theater, episode 3

Ferris Wheel
Some years ago my wife and I took the kids to an amusement park and we decided to ride the Ferris Wheel. Curious as to how the thing worked, I started looking at the mechanicals as we waited in line- lots of big parts, but a pretty simple design. The drive system was a few large electric motors driving the steel outer rings of the wheel via automotive tires and wheels.

It looked like a good setup, well thought out and obviously designed with safety in mind- then the Ferris wheel stopped. The tires driving the wheel were retreads. An enormous and expensive machine, and they cut corners on the drive system to save maybe $100 on the tires. I immediately began to wonder where else they had cut corners. We rode anyway, but the ride was a lot more thrilling than a Ferris Wheel should be as we discussed the possible scenarios for a stunning and catastrophic failure.

You probably won't find retreads in your shiny new network and security devices- but when you look around you may find that some corners have been cut. Even if you can't perform code review yourself, you can and should look at the hardware for obvious weaknesses and poke at the system with tools like Nmap and Nessus.
Better to find and address issues before you put the systems in production.


Wednesday, September 5, 2007

Real Threats to Virtual Systems

As the Virtualization Craze begins to resemble a runaway train, it is really time to stop and think about the security implications of virtualization.

The most important thing to remember is that:
  • running software on OSes
  • which are running in software
  • on another OS
    • or maybe on a hypervisor- software- between the hardware and OSes
  • that is on hardware
ADDS complexity and attack surfaces, it cannot reduce exposures.

We are still susceptible to all of the vulnerabilities that already exist in physical installations- plus a new array of emerging vulnerabilities for the virtualization systems themselves.

The world of virtualization security is well beyond the scope of my blog, so I will refer you to the following resources to get started:
Now is the time to consider the security impact of virtualization and plan virtual deployments accordingly. That's right, we have the opportunity to plan and deploy an emerging technology wisely.


Tuesday, September 4, 2007

Shmoocon IV announced

Shmoocon IV has been announced- it will be February 15-17 at the Marriott Wardman Park.

Hmmm, Valentine's day is February 14, my 28th anniversary is February 16.

Honey, wanna go to DC for a romantic getaway?


Monday, September 3, 2007

Blog Etiquette and target="_blank"

Housekeeping, not security, this time. I like to read articles online and follow links without losing the original page. If I'm at a desktop machine with Firefox, that is easy. It gets annoying on PDAs and other portables- so I wish more people would use target="_blank" in their HTML anchor tags so that clicked links open in a new tab or browser window. That's what I generally do on this blog, write the tag so that my blog stays open when you click a link.

It turns out that some people are annoyed by the target="_blank" function. I don't really get the objection, but that's life. And this is my blog, so I hope you'll understand that I'm doing what I want with it.


CISSP, Magic Incantation or Nonsense?


Blood pressure is already rising at the mere mention of the word, but stick with me. I have held a few certifications through the years: from ASE Master Auto Technician and Master Heavy Truck Technician many years ago; to MCSE+I on NT 4.0 and CCNA later (one obsolete and the other lapsed); and for the past few years CISSP. I had different reasons for getting each cert, and each served its purpose- but I think the CISSP has been the most valuable.

Some people see the CISSP as a farce, held by people who make a career out of the tedium of security, not "real" security; others think having a CISSP makes you a genius and a security guru. Both are wrong.

The CISSP exam is long and tedious, and it covers a bewildering array of topics. That's the point, a wide-ranging view of information security, not a nuts-and-bolts technical view, not a C-level executive view- but a general grasp of numerous facets of information security.

So, where's the value? It is threefold:
  • First and most importantly, you have to get outside of your comfort zone and think about ALL of information security to pass the exam. This can only be good.
  • Second, you "join the club" and get access to resources not readily available to others.
  • Third, it is a high-profile certification that many people recognize.
The resources of ISC² (seminars, conferences, career resources etc.) may be of value to you and the CISSP-only maillist can be a great source of information. What I find most valuable on a day-to-day basis is simply being able to append the "magic letters" to my name when dealing with corporate drones. Some know what it means, some only think they do- but they certainly do not expect to see them behind the name of the average small-business IT administrator. It is sad, but the CISSP has been a handy stick to use when trying to whack intransigent vendors. I don't always get the answers I want, but the BS factor drops dramatically when big business IT and security people think they have a worthy adversary. (I would rather be a valuable customer than a worthy adversary, but that's a rant for another day).

Information on the CISSP certification is available at the ISC² website.

Also, while not directly related, there was a recent bit of confusion about the nature of the CISSP- Daniel Miessler recently wrote a negative post on CISSP; I don't think he really understands the cert. Martin McKeay later responded with a good commentary on Daniel's post.