Monday, December 29, 2008

Hackers and Brand Marketing

Stray thoughts about something not directly related to security...

Some people "get" branding, and some don't.  And some that get branding don't even know that they get it, and certainly wouldn't call it "brand marketing" or heaven forbid, "personal branding"- but they do a better job of establishing and promoting their identity than some marketing professionals do with their products.

If you go to a hacker event- such as DefCon, Shmoocon, Day-Con, etc., you will see a lot of people who exhibit distinctive identities through a variety of means.  Specialized areas of expertise, diverse opinions, unique fashion statements, "interesting" personalities and more make people stand out, even in a crowd of hackers.  Most hackers also have a passion for technology and an eagerness to share information.

Unique identities, passion, sharing information- those are assets which can really "build brands".  Some hackers do these things out of ego, but it seems to come naturally to most.  Now think about how many professionally driven brands could really use some individuality and passion.

That's nice, Jack, but so what?  We often have to sell ourselves and our ideas to achieve our goals (or to simply get our jobs done)- and just like in traditional sales and marketing, if the brand is established and has a good reputation, it is easier to make the sale.  I'm not suggesting resorting to Media Prostitution, but it can't hurt to stop and think about "brand image" occasionally.



Monday, December 22, 2008

Free Information Security Training (and it is good!)

FEMA, the people we think of when disaster strikes in the US, has a lot of good emergency preparedness training resources- which you would expect.  Check out their Emergency Management Institute for the course catalog of on-site and self-study courses for disaster prep; you can find general purpose training for individuals here.

What you might not expect is that FEMA would offer Cyber Security training- but they do, and it is good.  Information is at the Act Online site, including schedules for on-site training and the list of self-study courses.  From the site:

"ACT Online is an evolution of the Information Assurance program offered by the University of Memphis Center for Information Assurance. A partnership with Vanderbilt University and SPARTA, Inc. expands the proven classroom instruction into a fully capable web based method of instruction.

ACT Online provides a unique combination of expertise and capabilities and we leverage the background of a successful academic program in information assurance uniquely recognized by US Department of Homeland Security.  Our nationwide program uses a comprehensive approach to prepare professionals in identifying assets, recognizing vulnerabilities, prioritizing assets and implementing protection measures in cyber infrastructure."

They currently have four courses up and five more are in various stages of development.  The course catalog lists courses for general/non-technical, IT technical/professional and business professionals- from basics to ethics and forensics. 

OK, I need to pause here- yes, it is the same FEMA that underwhelmed us in the aftermath of Hurricane Katrina.  And yes, they are under DHS, the same folks who oversee TSA- the folks who run airport "security" in the US.  Don't hold that against them, FEMA is really trying to do some good work, and this is only one example of the new face of FEMA.  It is good stuff, and they are good people.

There is real content in these courses, and the testing isn't simple- the "Information Security Basics" pre-qualifying test made me think about things I haven't considered since taking my CISSP exam.  You can actually learn valuable things, and you can even turn trainable end-users (if there is such a thing) loose on the "Information Security for Everyone" course and raise their awareness.  The courses can also be used for running your own formal training sessions with the available training coordinator and reporting functions.

Note: You must be a US citizen to take advantage of this training.  I suppose you could lie about your citizenship, but if you do- I suggest you skip the Cyber Ethics course.



Monday, December 15, 2008

Microsoft gets it wrong, again.

Nope, not what you are thinking- not a security rant, not a dumb reaction to something, not product quality, not even pricing or licensing.  It is how they treat the people responsible for their success- the admins in the trenches who make Windows work, the partners and developers- and their odd logic about getting your hands on a copy of Windows 7.

I have been a TechNet subscriber for many years, I can't imagine running a Windows shop without a subscription.  Others look on their MSDN and Action Pack subscriptions similarly. None of us get a copy of Windows 7 yet, but we can play a game of begging to get a copy- anyone who finds the right links and is willing to play the game can.  Sure, Microsoft will say they want people to provide feedback and contribute to the product, and they want control over distribution of beta code.  Nonsense.  The people so dependent on Microsoft technologies that we are willing to pay for the content, that's who should get their hands on early semi-public beta software, because we will make it work, and the more advanced look we get, the better job we will do of making it work.

Windows 7 is getting some good press, and it should- it is what Vista should have been.  Stuff works.  Stuff that doesn't work responds to the same fixes developed for Vista.  It is lighter, faster, and less annoying, but without losing the usability enhancements Vista brought.  I can confirm some of this because a friend bent some rules to get me a copy- which I can't use much longer because I can't get a license key.  That means I won't be able to do as much pre-release compatibility testing with key vendors' products before launch, nor document interoperability, or even tell people what I really think about the product.  This also means I won't have confidence in the product for longer after it is in the wild and will probably have to give the advice we have all given forever- "wait for Service Pack One before deploying", instead of "the beta process was so thorough, it's safe to start limited deployments".  That is stupid, and a symptom of what is wrong with Microsoft.  (Microsoft is one of those companies, you know several of them, full of great people who rarely let you down- but as an entity is most likely to disappoint you).

The security implications are clear, too.  For all its problems, Vista is more secure than its predecessors, and Windows 7 should be more secure still.  The faster we get people off of older versions of Windows the better for all of us.  Vista was a disappointment; Windows 7 has promise, but if the roll-out is fumbled we'll continue to see XP, 2000, and even older systems out there, sitting ducks for attackers.



Saturday, December 13, 2008

SC World Congress follow up

I attended SC World Congress earlier this week, I need to put some research and thought into several things and write about them later- but for now here are some thoughts and observations.

  • It was a pretty good show, especially for a first event.
  • The Jericho Forum never wanted to steal our firewalls.  (but you knew that).
    • Besides De-perimeterization, they are contemplating the nature of collaboration, and they are steeling themselves to face the "cloud".
  • A drinking game involving the word/prefix "cyber" would kill any human in under ten minutes at a keynote at such events.
  • From a vendor perspective, people are still buying, but not a lot, and they are paying attention to what they buy.
  • The folks at Core Security are still cool.
  • I like to ridicule and criticize DHS and FEMA as much as most sentient beings, but they are doing something very good- free security training.
    • See the ACT Online course curriculum; four courses are online and five more are in process.
    • There are courses for non-technical people, technical professionals, and business professionals.

And not directly related to SC World Congress, except that it was in NYC:

  • I'm not normally a big sushi fan, but Blue Fin, in the W Hotel in Times Square could change that.
  • Rm Fifty5 at the Dream Hotel in the Theater District is a fancy "hole in the wall" (that is a good thing, at least as far as I'm concerned), even if they can't make a decent Mojito.

I wish I could go to 25c3, but I won't make it, so I'll just have to wait for Shmoocon and SOURCE Boston for my next conference fixes.



Monday, December 8, 2008

A few relevant articles

Bill Brenner has an interesting article over at CSO Online about Fortify's announcement of the "death" of Pen Testing (hey, aren't those the folks who trash Open Source software at least annually, and have those embarrassing "booth-babes" at conferences- why, yes they are), and Alex Hutton posted his response to the idea on his Risk Analysis blog.

And, while at CSO I spotted this article on fighting piracy.  Some good points, but I think that we may have simply grown too soft to deal with it effectively.  Many people seem to have lost touch with the danger inherent in going to sea, and are unwilling to apply the needed harsh responses to maritime terror which will be required to control the problem.  By the way, it would be grossly oversimplifying the issue to blame containerization- but when large crews of men manned ships to load and unload the cargo, this kind of small-crew piracy would have been a lot harder to perform.



Thursday, December 4, 2008

The Fallacy of Penetration Testing

Prepare for sacrilege.  But please read to the bottom before flaming me.

Penetration testing is a farce and largely a waste of time and money.

There, I feel better, I've said it. Come on, there are really only two possible outcomes to a penetration test:

  • ONE: You confirm something you already know, that you are vulnerable to a sufficiently skilled and determined attacker.
    • If you don't know this already, abandon hope.
    • Really, just go into sales.
      • If you are that good at lying to yourself it will be easy to lie to others.
      • Just kidding.
        • Mostly.


  • TWO: The Penetration Tester you hired isn't good enough.
    • Or more likely, you prevented them from doing their job.

We don't even agree about what "Penetration Testing" is, and most people are totally clueless about it.  Sure, you know what it means and so do I- but I bet it means different things to us.  It is a term that is used for everything from a cursory Nessus or Saint scan, to a full-blown attempt to penetrate and compromise any or all aspects of a system or environment by any method.  Whatever that means.  And not enough people agree on the meanings for the phrase to be valuable.  And, yes, you start every engagement by teaching the manager/customer/whoever exactly what *you* mean by "Penetration Test".  Just like every other good Pen Tester, and you all contradict each other, at least a little.  That doesn't help.

Another problem I have with the "Pen Testing Industry" is the offensive and ignorant term which accompanies it: Ethical Hacker.  Or, heaven forbid, Certified Ethical Hacker.  If what that implies about real hackers doesn't infuriate you, we probably really disagree about what hacker means. And you are wrong.  This one isn't just my opinion, people you should respect feel the same way.

Possibly most damning, Penetration Testing has taken on a life of its own, independent of the greater business- always a mistake in the greater scheme of things.

Does this mean we shouldn't test things, challenge systems, push limits until things break?  Of course not, but it needs to stop being a stand-alone, bolt-on afterthought. 

The answer certainly isn't as simple as "building in security" as some people claim.  First and foremost, I think it should be obvious that "building security in" from the beginning isn't that simple.  That needs to be a goal, but people make mistakes and deploy things poorly, threats evolve and new ones emerge.  We need to test and challenge systems to make sure they are secure, and to find holes so we can address them.  The key is that we need to integrate the efforts to get things right the first time with continued testing and corresponding remediation- in alignment with and in support of the needs of the business.  Consider that the Pen Tester often knows more about securing systems than the people trying to secure the information because they moved "up" from administration positions into their "security" roles- and so the people most able to secure the systems are only responsible for finding the problems.  Don't even start with the "we write great reports detailing remediation best practice yada, yada, yada".  Those reports are sitting right next to the audit reports and policies which haven't been seriously reviewed or updated since the last time something forced that.  I know that it isn't always as ugly as I've presented it, but it often is.  Maybe even "almost always" that ugly.

Pen Testing isn't going away anytime soon, nor should it.  It isn't going to be absorbed into the larger security process quickly, either.  But the sooner it is integrated into the overall security and business needs of the enterprise, the more secure our information will really be.  And that's the goal, right?  At least it is my goal.



Wednesday, December 3, 2008

Two more security podcasts

A couple of my journalist friends have relatively new security-focused podcasts which are now regulars in my commute listening rotation:

Fellow NAISG board member Bill Brenner is a Senior Editor at CSO Online and produces the CSO Security Perspectives Podcast.  In the Security Perspectives podcast Bill talks with a variety of industry experts on a wide range of security topics. (Bill did lower his usually impeccable standards once and interviewed me for an episode).

Brenno deWinter is a journalist and podcaster- but most of his content is in his native Dutch. Brenno has now started posting his English-language interviews as a separate podcast, The Security Update, for those of us who don't speak Dutch.  (Brenno also does the Laura speaks Dutch podcast for those English-speakers who want to learn Dutch).




Monday, December 1, 2008

Not hit by train, and Shmoocon tickets

A couple of quick notes-

I'm fine and I was not hit by a train- unlike this unlucky gentleman from the Boston area named Jack Daniels. (FWIW, I'm not that old yet, and there's no "s" at the end of my name). Thanks to those who checked to make sure it wasn't me.

Also, noon today, round two of Shmoocon tickets go on sale. They won't last long.

[Looks like they had some "issues" with ticket sales, details at the Shmoocon website]

I can't promise anything specific yet, but there will be some form of road trip from the Boston area to Shmoocon.


Sunday, November 30, 2008

The two-headed serpent of SLAs

We all know we should read EULAs (End User License Agreements) more carefully than we usually do, and we feel a little guilty every time we blindly click through one without reading it carefully.  Even with patience and tools like the EULAlyzer on our side, we don't always realize what we are getting ourselves into (or what rights we are giving up) when we break the seal, click, or do whatever signifies our acceptance of the EULA.  But we know we should worry about them, and that's a start.


But SLAs (Service Level Agreements) are different, right?  We use SLAs to hold our vendors and service providers accountable to us, what could possibly be lurking in them to bite us?  Some things are obvious, like the phone company needs access to the premises to fix some problems- and if we don't give them access we can't hold them to their SLA.  But what if the phone company (or anyone else) needs access to an area where confidential data is stored? That could be a problem, but you have a policy for that.  Well, at least you have thought about it.  OK, you should think about it.  What about support for hardware, network systems, operating systems, and application software?  There are potential problems in the SLAs associated with these, too.  Need service on a bit of hardware?  What information is exposed when you send it out or a tech comes in?  Some network gear acting up and the vendor needs traffic captures to diagnose the problem- what will they see in that traffic?  Problems in software and the vendor requires access to the systems for troubleshooting- there's another exposure problem.  Don't want to give the vendor access or information?  Or you can't give access due to policy or compliance issues?  You may be violating your responsibility as defined in the SLA, relieving the vendor of their responsibilities you thought the SLA guaranteed.  And really, the requirements usually make sense- how good are you at diagnosing and repairing systems you can't access? 

Sounds like we need to read the fine print, identify potential problems, and come up with a plan for resolving conflicts before we get bitten by the other end of the SLA serpent.



Friday, November 21, 2008

Julie Amero case finally over, justice is not served

The infamous Julie Amero case is finally over.  She deserves better, but she didn't get it.  The school district, police, prosecutors and many others deserve another round of public humiliation for gross incompetence.

You remember, the poor substitute teacher who allegedly exposed her students to pornography- on a school PC which did not have up to date anti-virus software on a network without web filtering- and has spent years battling a felony conviction over the incident.

The story is here, and more from Rick Green on Julie Amero's case here.  Alex Eckelberry at Sunbelt has been involved, here is his take on it.  Amrit Williams summed it up well in this post.

It is simply not right.  If you don't know about this case, please take some time to learn about it.  As Alex Eckelberry said, "We can’t have another Julie."



NAISG Presentation online

Slides and video of my presentation to the Boston Chapter of NAISG on 201CMR17.00, the new Massachusetts data protection law, are now online at the NAISG presentation archive page.



Career tips from the Massachusetts State Police

I have noticed something interesting on my ridiculously long commute lately- there are Massachusetts State Police on the roadsides performing traffic enforcement regularly, especially in high-traffic (and thus high-visibility) areas.  In case you aren't familiar with Massachusetts roadways, State Police on traffic duty are not a common sight except on certain roads and at certain times.  Why now?  You don't have to be a cynic to think the looming state budget cuts might be forcing the State Police into more visible duties to justify their positions- it is just a logical conclusion.

I am not suggesting that the State Police have been sitting around doing nothing.  Given the condition of state and local budgets, the State Police have plenty to do- it just isn't all as visible as traffic enforcement tasks.  Nor am I suggesting the officers in the cars make the deployment decisions- those are management decisions, and management must feel it is time to make a display.  [Of course, the bizarre Massachusetts practice of requiring police to secure construction sites is sadly the highest-profile work police agencies in Massachusetts have- but that is a no-win rant and not directly relevant to this post.]

If you think about it one way, the better job law enforcement does, the less visible they are.  Sure, you see them around, but there isn't much drama- and if something bad does happen, they swoop in and get things under control quickly.  Hey, wait, that sounds a lot like a well-run IT or security department.  Does that mean IT and security could be targeted for cutbacks because of our frequent low profile?  Yes, it does.

If you have to "look busy" when cutbacks are looming, it is too late.  You need to regularly make your contributions known to management, not just at crunch time.  Don't overdo it or play the martyr, but make sure people know the contributions you make, especially when you step up to added work or accomplish something noteworthy.



Tuesday, November 18, 2008

References for Mass 201 CMR 17.00

Here is a list of references for my discussion of the new data protection law (and for insomniacs everywhere):



Monday, November 17, 2008

Finding an audience

Do you have some knowledge you want to share? Maybe you just discovered a tool which makes your life easier, or maybe you just discovered something ugly and want to warn others before they face the same thing.  Possibly you want to share a success story, or maybe a failure story.  Someone wants to hear it.

But where do you find an audience? There are plenty of venues in search of content, it is a matter of matching your information to the audience.

Technology and security groups are everywhere and most are frequently seeking presenters.  For security issues, local NAISG chapters around the world are a good option.  Depending on the specifics, Linux user groups are a good audience for talks on Linux and other Open Source projects, including integrating them into production environments.  You may also be able to find a group through Culminis.  Join the mail lists of prospective groups and contact the leaders, many will work with you to help you get your message heard.

Is it something that would work well in print?  Think about the print and online resources you read, if there is one where you would expect to see an article like yours- ask them about submissions.

Want a bigger audience?  Everyone knows about the big conferences like BlackHat and DefCon- and most are intimidated by the thought of presenting at them.  There are plenty of smaller events which are more likely to work with you in tuning your presentation and proposal- Shmoocon and SOURCE Boston to name two.



Discussion of new Mass. data protection law at Boston NAISG meeting

I will deliver a presentation and then lead a discussion on the new Massachusetts data protection law, 201 CMR 17.00, at this month's meeting of NAISG's Boston chapter.  The presentation and discussion will explore the new law, its impact on businesses, and approaches to compliance.  Details of the meeting are at the NAISG Boston website.

Massachusetts "201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth" is one of the most far-reaching and specific state laws governing the protection of personal information.  It is important to note that the law applies to

"persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts"

So- you do not have to be in Massachusetts for this law to apply to you.

NAISG Boston meets at Microsoft's offices in Waltham, MA, directions here.  Please join us if you are in the area.  Meetings are free and open to the public, but we would appreciate an RSVP so that we have enough pizza for everyone.

Some of us will be heading over to the local Uno's for "refreshments" after the meeting to continue the conversation. Or something...


Sunday, November 16, 2008

Not so private "private browsing"

The "Incognito" mode of Google's Chrome browser and Microsoft Internet Explorer 8 beta's "InPrivate" mode can leave significant footprints in the system. It has always been the case that disk forensics (or even simple undelete tools) could dig up information on these private-mode browsing sessions, but in some circumstances it is a lot easier than that.

Under the right (or more likely wrong) circumstances, entering "http" in the Start > Run dialog box will offer a list of visited web media URLs.  The key is that when the browser launches Windows Media Player, it pushes the URL into Windows history (even if the Media Player is set to not store history).  Interestingly, to clear this you need to clear history in Internet Explorer, even if the Media Player session was initiated by Chrome.

Remember, "do it yourself" forensics are almost always a bad idea for any situation where there is a chance of ending up in court- but if you are just looking for information, don't overlook the easy stuff.


Friday, November 14, 2008

Security Bloggers Network

Missing your Security Bloggers Network feed this morning?  Blame Google's assimilation of FeedBurner and abandonment of blog networks.

Alan Shimel has the story here. Don't worry, it will reappear.

Here's a copy of the full SBN OPML file in case you need a fix or are looking for a specific blog.


Wednesday, November 12, 2008

SC World Congress

I'll be attending the SC World Congress in NYC on December 9-10.  I know it is fairly late notice, but if you are interested in attending- they are offering a discount to readers of the Security Blogger Network and affiliated blogs. (Yes, I know- I should move my feed over to Feedburner and be all "official" and stuff).

If you are interested in a 35% discount, just register for the event and use the discount code BLOG1 for a one day pass or BLOG2, for, well, you know- two days.



Tuesday, November 4, 2008

A Short Reflection on Voting Security

I am pleased to present the following guest post, authored by a friend and coworker:

We all know about the darker side of voting: voter fraud, vulnerable electronic voting systems, social engineering, among others.  There is one topic that is very often overlooked in the United States - Personal Security.

My wife and I left for the polling station mid-morning toting my one-year-old son.  The biggest things that we were thinking about were "where is the carton of Fishies[tm]" and "we need a copy of the lease to register, where is it?"  We left the polling station after 15 minutes, successfully registering and voting.  I dropped my small family off and headed for work.  On the way to work, while listening to a history lesson on NPR, I began to reflect on what I had just done.

In less secure and stable parts of the world, people have to vote in makeshift bunkers for fear of bombings.  People are shot, maimed or worse for voicing their opinion.  This is not even a second thought in the US.  The worst thing that I was looking forward to was finding a parking space. 

My reflection: Among all of the normal topics of discussion, I would like to add a congratulations to the people that make the process safe for US voters.  I would also like to reflect on the fact that as a security buff, I know that this has not been, nor will it always be the case - Vote with pride and care.

Please take a moment to reflect on this and other issues for a moment if you are frustrated with the banter on the major networks.

-Voter 1749, Ward 8 Nashua, NH.

Your civic duty...

For those in the US, there are bake sales being held in schools, churches and town halls throughout the land today.  Please do the right thing, step up and buy something from the bake sale table, the money goes directly into making a difference in a lot of little ways.

And, while you are there you should vote.  Rumor has it that can make a difference, too.



Monday, November 3, 2008

The dangers of short URLs

It is a minor thing, but it vexes me so...

It isn't news to anyone that clicking random links in email or on web pages can lead to Bad ThingsTM- malware infestation, launching various scripting attacks, or even the dreaded Rick Roll.  But what about things you want to click, but can't see where they lead due to the ubiquitous URL shortening utilities?  The tools are great, especially in platforms like Twitter where you are limited to 140 characters- but you don't know where you are going until you get there, and by then Rick Astley is already singing.  There is a simple answer, enable previews- but not every utility offers the option.  TinyURL offers the options to both create preview URLs and set your preferences to always show a preview of the full URL.  Their approach isn't perfect, the preview URLs are considerably longer than their regular URLs because they add "preview." to the beginning of the URL, but it is something.  Some other utilities also allow you to request previews, but you have to do it for every utility and on each computer you use.
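One way to get a preview from any shortener, whether or not it offers one, is to ask the service where the short link points without ever fetching the destination.  The following is an added example, not code from the original post or from any shortening service; it assumes the service answers the short URL with an ordinary HTTP redirect (a 3xx status carrying a Location header), which is how TinyURL-style services behave, and the hostnames in the comments are constructed for illustration.

```python
"""Peek at where a shortened URL points without visiting the destination.

Added example, not from the original post or from any shortener's own API.
Assumes the shortener answers the short URL with an HTTP 3xx redirect and a
Location header; the example hostnames below are constructed.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def next_hop(current_url, status, headers):
    """Return the absolute URL a redirect response points to, or None.

    headers may be an http.client.HTTPMessage (case-insensitive get) or a
    plain dict.  Relative Location values are resolved against the current
    URL, since HTTP permits them.  Non-redirect statuses, a missing Location
    header, and non-http(s) schemes (javascript:, data:, file:) yield None,
    so a malicious Location can never be reported as a "safe" destination.
    """
    if status not in REDIRECT_CODES:
        return None
    location = headers.get("Location") or headers.get("location")
    if not location:
        return None
    target = urljoin(current_url, location.strip())
    if urlsplit(target).scheme not in ("http", "https"):
        return None
    return target


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop is visible to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx response


def peek(short_url, max_hops=5, timeout=5):
    """Walk the redirect chain with HEAD requests and return every hop.

    The final destination is never fetched: the walk stops at the first
    response that is not a redirect, or after max_hops (loop protection),
    and the last element of the returned list is where the link would have
    taken you.  Shortener-to-shortener chains (e.g. constructed
    http://sho.rt/a -> http://tiny.example/b -> http://dest.example/page)
    are resolved hop by hop.
    """
    opener = urllib.request.build_opener(_NoFollow)
    hops = [short_url]
    current = short_url
    for _ in range(max_hops):
        req = urllib.request.Request(current, method="HEAD")
        try:
            resp = opener.open(req, timeout=timeout)
            status, headers = resp.status, resp.headers
        except urllib.error.HTTPError as err:
            status, headers = err.code, err.headers  # 3xx arrives here
        target = next_hop(current, status, headers)
        if target is None or target == current:
            break
        hops.append(target)
        current = target
    return hops


if __name__ == "__main__":
    import sys

    for hop in peek(sys.argv[1] if len(sys.argv) > 1 else "http://sho.rt/a"):
        print(hop)
```

Run it with a short URL as the only argument; the last line printed is the real destination, reached without your browser (or Windows Media Player) ever touching it.  Because the walk uses HEAD and stops on the first non-redirect, a destination that serves an exploit page is never downloaded.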

There is an experimental add-on for FireFox, PreviewLink, which will allow you to preview links from most shortening utilities, but it is still experimental and therefore requires registering for an AddOn account before you can install it.  I just started using PreviewLink, and it seems promising.

I guess the best bet is to only click obfuscated links on someone else's computer (with the speakers off) until we come up with a better way to solve the problem.



Sunday, November 2, 2008

Hackers for Charity and The Academy

Want an easy way to give a buck to Hackers for Charity without taking it out of your own pocket?  The Academy is donating a dollar to HfC for every registration (registration is free).  This post has the details.

[Yes, the nice folks who regularly give me a paycheck have a relationship with The Academy.  No, this has nothing to do with that.]


Wednesday, October 29, 2008

It's about the hall. That's where it happens.

As mentioned previously, I was at a great blacksmith conference a couple of months ago. Not mentioned was the fact that they missed one key element, one that most conferences miss: some of the most valuable information comes from the side conversations, not always from the planned presentations.  This is true in almost every conference I have attended, from IT and security events to auto dealer conventions, large events to small- the schedules and facility hinder impromptu discussions instead of encouraging them.  I understand that the event organizers are trying to put on great events packed with content, but they seem to miss the fact that attendees are a key part of the event, not just passive observers.

One shining exception is PodCamp Boston.  Last year, an impromptu gathering in the hall was one of the most significant social media events of the year- this year "the hall" was extended into a large room with plenty of tables and chairs (and power outlets and wireless Internet access) and people were encouraged to use the space for:

  • follow up to presentations
  • informal meetings on topics not covered in scheduled events
  • general socializing and networking
  • putting what they learned to work immediately
  • whatever else seemed appropriate

To their credit, DefCon did have speaker rooms for follow-up after presentations this year, but they weren't always readily accessible, and they were only available for a limited time after presentations.  On the other hand, Black Hat didn't even have enough hall to use as a hall this year.

So, how do we do this better?  It needs to be easy to have a productive side conversation without disturbing presentations or other attendees, and that means convenient space needs to be readily available- ideally with plenty of power outlets and wireless Internet access.  The event schedule needs to allow enough time to pause briefly between sessions and not force attendees (and speakers) to sprint from one room to another. And everyone needs to be encouraged to use the resources available to get the most out of the event.

The evening events at SOURCE Boston this year produced some great conversations, and they are making additional space available during the conference next year to facilitate more- now we need to spread the word and hope more events recognize the value of "the hall".

[Full Disclosure bit- I am a SOURCE Boston volunteer]



Tuesday, October 28, 2008

Conferences and Road Trips

So, RSA Europe is this week, Halloween is Friday and ChicagoCon is this weekend- then into the holiday season. But it isn't too early to start thinking about next year's events-

I am working on Road Trips for a couple of these, likely Shmoocon and Source.  Details to come, film at eleven, etc.



Friday, October 24, 2008

I just don't get it.

I just don't get it. Microsoft issues a critical patch out of cycle and people are running around like mad, the sky is falling and stuff- but every month we deal with up to a dozen patches and take it in stride.  Yes, there are exploits in the wild. Yes, it could be ugly if something exploiting this got loose in your network.  We have the tools to make this relatively painless, so what's the problem?

I suppose there may be situations where the patch breaks things, but since this seems to overlap a previous patch- probably not too many.  I know reboots of some systems have to be scheduled and can be tricky to arrange. 

I suppose it is even possible that there are networks without patch management tools, but there isn't really an excuse for that in most environments.  I even have a workaround for this one- grab an evaluation copy of some nice patch management software and use it.  Really, some are pretty simple to set up and run.  I have been a big fan of Shavlik's tools for many years, if you don't know where to look, start there.  You just need a spare machine running Windows 2000/XP/2003/2008 (but not Vista)- and that's right, it doesn't have to be a server OS.  After you scan your network and do some test deployments, schedule the rest of the deployments and relax.  Pay attention, but relax.  And when that's done, scan your network and see what else needs patching.  Any of the commercial tools do more than just Windows OS patches, (Shavlik really shines here) and some can also manage application deployment- so testing the trial version may show you enough to justify the expense of buying the product even in these trying times.

I could even go off on the Patch Management vs. Vulnerability Scanning rant, but that's a post for another day.



Thursday, October 16, 2008

Security Twits Road Trip Photos

Sunset on the highway 

Photos and video are out on the Security Twits Road Trips Flickr Group.  A few more photos and videos should be up soon.

Join us for the next trip?



Tuesday, October 14, 2008

Day-Con II Wrap-up

Day-Con II was great, and I'm already looking forward to next year.  Starting with Tyler Durden's "Viral Art: Writing a Blender Virus" and Robert Hensing's "Targeted Attacks" on Friday night, the event began with solid technical content- and it continued throughout the day on Saturday.  A full list of presenters and abstracts can be found here.  It is hard to pick out high points- several members of the ERNW team gave very good presentations, the lovely and talented Chris Hoff reprised his "Four Horsemen" talk, and many more.  And there was the ninja- who gave his presentation without speaking (he used text-to-speech synthesis to read slides and notes, and used his katana as a pointer).

Then there was the after-party.  If you missed it, you missed something out of the ordinary.  Just ask the Flabongo.

Of course, getting there is half the fun, but that is covered in my Security Twits Road Trip posts, a summary to come soon.



Saturday, October 11, 2008

We made it to Day-Con

We made it to Day-Con II, saw some very good presentations this evening, and are ready for the "main event" on Saturday.  Photos from today's drive are at the link in the previous post- starting with a lovely sunrise over Best Buy.


Thursday, October 9, 2008

Security Twits Road Trip

We're on the road.  Well, actually, we're in the parking lot.  Somewhere in Sterling, Virginia.  The day started out rainy, but after picking up the first crew member we fueled up the RV and then hit Starbucks to fuel up ourselves, then the sun came out.  Either that, or the caffeine kicked in and my eyes opened.  The splendor of Interstate 95 in the fall... oh nevermind- we drove more or less south most of the day.  Photos over there at Flickr.

Astaro is sponsoring this inaugural Security Twits Road Trip, it wouldn't be happening without them.  (Thanks boss!)






Tuesday, October 7, 2008

The Internet is not broken again.

That's right, in spite of what some have said about the Louis/Lee/Sockstress- Latest Thing to Break the Internet™, the Internet is not broken again.

The Internet is still broken. Broken again implies the existence, however brief, of a state of unbroken-ness, and that is just silly. 

But, even though it is broken, it still works.  Like one of the busses you see in travelogues of impoverished foreign lands, we all know the Internet is unsafe and could break at any minute- but everyone (including the thieves) hopes the bus keeps on trucking, because we need it to.  So, until the Internet really does fall off a cliff on a winding mountain road- you, I and everyone else in IT and security will keep putting on our coveralls and keep playing mechanic to the Internet. And hoping for the best.



Into the Breach

I am not inclined towards book reviews, and my thoughts on user education tend to be somewhat fatalistic (I'm a big fan of Robert Heinlein's quote: "Never try to teach a pig to sing; it wastes your time and it annoys the pig") but here goes...

I just finished reading Michael Santarcangelo's book, "Into the Breach", a small volume, heavily footnoted, with a unique view of information security. Michael, the "Security Catalyst", offers a pragmatic approach to security which focuses on many of the overlooked aspects of security programs- little details, like the people who have to make it work, and the impact of the "security process" on those people's ability to do their jobs.

Michael's approach is actually a bit conspiratorial, based on getting support from the trenches with crazy ideas- ideas revealed in quotes like these:

"Make it easy for people to do the right thing"

"Efforts can be evaluated with a simple question: Is this going to make it easier for people to do their jobs?"

But he isn't naive about it, Michael recognizes that:

"Keep in mind that when an executive or outsider asks questions about how people do their jobs, the answers given may not be accurate"

"What people do when no one else is watching ultimately decides when and how technology is going to be used and information protected"

Of course, there are no easy answers, and there really has to be a desire and commitment to really improve- if all a company wants to do is fill some checkboxes, nothing will help. I tend to be a little cynical, so I wonder how many companies really want to change, but those that do would be well served to consider Michael's advice.

Besides the book, Michael has a lot going on, he has done his own podcast and does the Security Roundtable Podcast with Martin McKeay, he hosts the Security Catalyst Community, and now Catalyst on Tour (where he packs the family into their RV and tours the country for his consulting and speaking engagements). He takes the Catalyst moniker seriously, so if you get a chance to meet him, talk to him and see where the conversation leads.


Monday, October 6, 2008

Well, that's awkward.

So, yeah- for years I have recommended Security Now to people interested in network security.  I did put an asterisk next to the podcast the last time I ran down my podcast list, but I still recommended it.  I may scream at the dashboard of my faithful Jetta when Steve Gibson's voice comes out of the speakers saying things like cross-site request forgery is the same thing as cross-site scripting, but I get that to his target audience, both fall into the broad category of "scripting in browsers can do bad stuff"- so even though it infuriates me, I get over it.  Overall, the show gets generally accurate information out to an audience in need of education.

[NOTE: Steve corrected himself about CSRF in SN Episode 166]

But now, I have a problem.  You know where I work and that my employer and Security Now have the longest running advertising relationship in podcasting.  It is a good relationship for both Astaro and Security Now, but I'm in an uncomfortable spot now because Steve Gibson screwed up royally, and Leo LaPorte let it stand.

In the latest episode, Steve talked about the Latest Thing to Break the Internet™, the Louis/Lee Sockstress TCP DoS attacks- and got some things wrong and slighted the journalist who had the scoop on the story, Brenno deWinter.  I was lucky enough to meet Brenno at DefCon this year after one of his great presentations, and we have stayed in touch since then (primarily via the magic of Twitter). 

I listened to Brenno's podcast as soon as I found out about it (via Twitter, of course), then listened to Security Now a couple of days later.  I had to go back and listen to Brenno's  podcast again, because Steve and I seemed to have heard similar, but significantly differing things.  I don't pretend to know much of anything, certainly nowhere near as much about TCP/IP and network-based attacks as Steve Gibson- but I really think he got a few things wrong.  I'll ask you to listen to both shows if you are interested in judging for yourself, but I think the one thing that both Steve and Leo got completely wrong was not crediting Brenno for his work in the interview and podcast (or CIO article, or the research that went into everything).  That is just not right, especially from Leo, who has been such a driving force in podcasting and knows about the world of journalism.

The show notes at GRC now reflect a little more complete and accurate version of things, and credit Brenno- but the podcast is all that most people get, so I hope Steve "tidies up" a few things at the beginning of the next show.

So, yeah- listen to Security Now, just make sure you apply the appropriate filters for your own knowledge level, and do a little follow up yourself when it seems appropriate.  And roll up the windows in your car before you yell at Steve and Leo, your fellow commuters do not take kindly to being stuck in traffic next to raving lunatics. Or so I have heard.



Even Homer Simpson doesn't trust e-voting

Sunday, October 5, 2008

CiderDays Sweet and Hard Cider Festival

This *really* has nothing to do with security, but is one of the things I really look forward to every year.  Great people, a good time, interesting conversations, great food and drink- at the CiderDays Sweet and Hard Cider Festival in Franklin County Massachusetts.

See you there-



Friday, October 3, 2008

Pirates, continued

Another quick post- the latest news on those troublesome Somali pirates is that they may be willing to accept "only" five million dollars in ransom for the ship full of tanks and other weapons and the remaining crew, but everyone is bickering and no real progress is being made.

And, to add a little Cold War-style pressure to the situation, the Russian Navy has dispatched a frigate to the Somali coast.  That should calm everyone down.  The good news is that they will probably act before the US Navy, thus vaporizing the pirates and a potential PR nightmare for the US in one shot (so to speak).

Again, no relevance to Information Security, we never hide from problems until they explode- and we would never let giant superpowers in our industry get into uneasy standoffs.



California makes it a crime to 'skim' RFID tags

Just a quick rant: An article over at Network World reports that California makes it a crime to 'skim' RFID tags.

Yes! Another stupid and pointless law.  Since the potential misuse of a cloned RFID is to commit fraud, theft or some other crime, isn't this redundant?  And how about making it illegal to make stupid and vulnerable "security" products?  At least bring back the pillory for companies who write their own crypto and/or implement crypto poorly?  Please?  I want to run the rotten tomato concession stands.



Tuesday, September 30, 2008

Cooperative Pirates

In an attempt to prove me right, Somali pirates have made headlines around the world again, this time by capturing a freighter full of tanks and other weapons.  The New York Times' original article has the details, and several follow up articles are on their Piracy at Sea page including the pirates' motives and the current standoff with US warships.

As I said in an earlier post, I've seen our modern destroyers and cruisers up close, and I know what comes out of the "box on the bow", this could end with a bang. A big bang.

Why haven't we solved this problem?  I still don't know, but maybe this will give the needed impetus to the global community to do something.



Monday, September 29, 2008

CSO Podcast

I was Bill Brenner's guest on this week's CSO Security Insights Podcast, we talked about a few of my favorite topics- such as the dangers of simple misconfiguration as opposed to "sexy new hacks" and we briefly talked about FOI.  It was a good conversation, a distillation of a few years worth of conversations Bill and I have had about balancing the value of hard-core security research with stepping back and simply covering the basics.

I did have a failure of my own, I meant to return to FOI but didn't- so I didn't credit Andy Willingham for coining the term, nor did I give Michael Santarcangelo credit for fueling the FOI discussion.  Sorry guys.



Compliance for Hackers

Some people spend their professional lives working with compliance issues and the minutiae of complicated regulations- but in small business, compliance is usually an occasional tormentor to be dealt with and then ignored as quickly as possible.  What a terrible waste of an opportunity.

Personally, I haven't had to deal directly with compliance issues since changing jobs last year, but I do still occasionally work with customers and clients as they battle the dark forces of the demon checkboxes.  But that is the wrong attitude; compliance is a pain, but we need to look at the issue in a different light- how to exploit it for our own purposes.  Besides simply checking off boxes, you can spin this to push through real improvements.  I've used compliance audits to initiate improved password policies, beef up backup systems (except I had to call it "disaster recovery"), improve physical security for HR files, and more.  Of course, you still have to do the work required for whatever compliance project you are facing, and you can't get too crazy with the tangential projects.  And, as a bonus, the smug satisfaction you get from subverting the process for your own goals can really make the rest of the project much more palatable.



Friday, September 26, 2008

Lies, Damn Lies, and Vendor Lies

Most of us need to work for a living, and no matter what we do, everyone is in sales.  Selling your product, selling your ideas, selling yourself, you are selling something.  And, there's nothing wrong with that.  Marketing and PR are a part of sales, getting the right message out to the right audience.  The right message highlights the strengths of your product, service, idea, or yourself.  That's OK, too- as long as you are honest about it.

Today I had the misfortune of enduring a webinar by some people who were either ignorant or dishonest.  Probably a bit of both.  [It is sad when giving someone the benefit of the doubt means you assume they are ignorant].  This vendor sells network security hardware and software, so you might expect them to have some understanding of layer 2.  Imagine my amazement when I heard them say that ARP cache poisoning could only be used to  sniff traffic, not to reroute traffic or for man-in-the-middle attacks.  Please don't tell the people who wrote Dsniff, Cain and Abel, or many other ARP spoofing tools, they would be disappointed to hear that.  That statement shows either an alarming ignorance of ARP spoofing and layer 2 networking or it is a blatant lie.

They also made other "inaccurate" statements in the presentation, like calling their product something it isn't and ignoring the lack of key components- and they have some really harebrained ideas about virtualizing network security devices in a small business environment, but other than that...

Now here's the real problem, people were listening to them and believing this nonsense.  And the folks who believe this vendor are less secure because of it.

Sure, we are all responsible for validating what we hear, especially from folks trying to sell us something- but the fact that you are selling something does not make it OK to spread misinformation.

Buyer beware, indeed.



Wednesday, September 24, 2008

Grasping for Humor

It isn't funny. Really, it isn't, this whole political-economic crisis and bailout fiasco.  But these are bitterly amusing:




Tuesday, September 23, 2008

OOOOOhhh! Pretty pictures!

It is alive!  You no longer need to get a pre-release version of Nmap to get the topology mapping utility.  That's right, Zenmap (the graphical Nmap interface) can now literally draw you a picture of your network.  There are also multiple performance enhancements in the latest version, many based on developments made during Fyodor's "Scan the Internet" project.


Zenmap will not replace the command-line version of Nmap for daily use, but I will occasionally have a real reason to use the GUI now.



Saturday, September 20, 2008

Treasury Secretary Paulson, immune from prosecution

Good thing it is a chilly evening, my blood just started to boil.  Background: if you are on Twitter and have any interest in the US economy, you need to follow Christopher Penn, @cspenn (there are plenty of other reasons to follow Chris, but his economic insights are the focus tonight).  A snippet of the bailout bill reads:

"Decisions by the Secretary pursuant to the authority of this Act are non-reviewable and committed to agency discretion, and may not be reviewed by any court of law or any administrative agency."

Go read Chris' blog post at  It contains the full text of the bailout proposal and some commentary.  Short version, Treasury Secretary gets to make the law, and is therefore above the law.

Sleep well.



Wednesday, September 17, 2008


Yes, pirates.

But not Talk Like a Pirate Day kind of pirates, that's all good clean (well, maybe not always so clean) fun.


And certainly not pretty-boy Johnny Depp in "Pirates of the Caribbean" kind of pirates, either.

And what's with the beard? He doesn't even have enough of a beard to braid, anyway. (I assure you, I have expertise in this area).


No, I mean real pirates. Modern pirates, like these nice gentlemen who hijack, steal, kidnap, ransom, rape and kill.

Yes, piracy is a very real threat to modern mariners, private and commercial.

You may remember this story about the idiot pirates who opened fire on two US Navy vessels, a guided missile destroyer and a guided missile cruiser. (Having sailed past some of those ships in Norfolk, I cannot imagine how drugged or stupid you must be to screw with one of them- to take on a pair is beyond comprehension). Maybe you saw this recent story about the rescue of a couple of French sailors by French commandos. Those are the good stories, the rare ones with happy endings and criminals brought to justice. A quick Google search for "modern piracy" yields several enlightening results- as you might expect, Wikipedia has a decent primer, but I think the "Daily Vessel Casualty and Piracy Report" and this presentation on modern high-seas piracy from the law offices of Countryman & McDaniel are some of the best references. Although the presentation is now a bit dated, it still holds some very good information, and scanning the casualty reports for acts of piracy is chilling, especially factoring in that only about 10% of piracy is reported.

What amazes me is that piracy is still allowed to exist on a large scale. A unified, global effort could make a real difference, and quickly. When China chose to crack down on piracy several years ago (starting with a large and widely-publicized group execution of convicted pirates), it had an immediate impact in and around Chinese waters. One bit of hope comes from the above story of the French rescue, France has been a world leader in battling piracy and French President Nicolas Sarkozy has called for EU and UN action to curb piracy, especially in the waters around Somalia.

Piracy has always been a violent and dangerous vocation, and it has been suppressed when the pirates were put in more danger than their victims. Given the nature of the maritime environment, "hunt them down and kill them" has been a common (and effective) approach to piracy. I think with modern resources our goal should be to track and capture pirates, but the inherent danger of dealing with violent criminals at sea does mean that little quarter can be shown for those unwilling to surrender quickly.

Of course, there is no relevance to information security in this post- as we clearly have no serious or under-reported problems which we simply refuse to address in our industry. Arrr.


Monday, September 15, 2008

FOI follow-up

My original FOI (Failure of Investment) post was picked up in a private forum and sparked a little conversation. I let the thread take its course and then posted my thoughts. Since it was a reasonable follow up, I have excerpted it below:

It is interesting to see where this idea has gone in the past week or so. It started out with my frustration over the use of ROI and TCO as accurate *predictive* measurements. I think today's activity on Wall Street (and beyond) underscores the old adage that "Past Performance is Not Necessarily Indicative of Future Results". I am not arguing against looking back to try to analyze and learn from the past, but I have little faith in predictive technologies in a relatively new and continuously evolving industry- especially those necessarily based on guesses. You simply cannot account for all tangential and unexpected impacts. Centralizing management of your desktop anti-virus is obviously a good idea and a good investment- until your vendor issues a bad pattern and your IT team gets to repair or re-image all of your workstations. How did you predictively figure that cost into your ROI/TCO/OAA? (OAA = Other Abused Acronym)

To put this in context (I read somewhere that was important), my background is in small business IT- where it is unlikely that the people in the trenches have the time or knowledge to perform thorough generation and analysis of data- and the decision makers are unlikely to have the time or expertise to act on such data if it were presented to them. In this environment it usually takes a failure to get focus on a problem, and if budget is allocated to solve the problem, it had better stay solved. If the same issue returns after the investment, that is much worse than a new problem because you have failed on multiple levels. Thus introducing the metric "Failure of Investment".

As I said in my post, in IT we are judged primarily by the overly-simple question "does it work?" (Really, we are- and if you do not believe that, it may explain why you are currently unemployed- the "A" in CIA is a trump letter). FOI adds "did you keep *that* from happening again?" to the measurement. Like it or not, that's a real improvement in security metrics for most people.

I never believed this situation was limited to small business, and feedback and commentary seem to confirm my suspicions.

Also, since his original post, Andy Willingham did a video interview with CSI (the Computer Security Institute).


Tuesday, September 9, 2008

FOI, Failure of Investment

Last week, right before heading into the Catskills for the blacksmith conference, I started an interesting conversation with some friends by tossing out the following acronym-laden opinion:

"Not that you asked, but IMHO: ROI and TCO are SWAG at best. And, they are rarely at their best"

Michael Santarcangelo (you know, the Security Catalyst) responded first, then a few others joined in- it was better than the normal "is there ROI on Security?" conversation- and since the smart kids were indulging me by considering my opinions I threw out this idea:

"The only viable measurement in security is failure."

Andy Willingham (you know him as Andy, IT Guy) took the idea and proposed the acronym FOI, Failure of Investment. And that's it, FOI, a real-world metric we can all understand.  In this post, Andy did a great job of explaining FOI.

In most of my IT career (small-mid business, auto dealers a specialty) I worked where margins are razor-thin and you really have to justify every expense.  Things aren't broken until proven broken, usually by a failure.  Firewalls, anti-virus, backup systems- these are just a few of the things I could only spend money on after an incident.  I call this the "I told you so" budget method.  Oh, yeah- and once you get that money, the problem had better not happen again.  Note that in this context, a new type of failure doesn't count as FOI unless you have invested in preventing that specific class of failure.

I've said many times that in IT we are judged primarily by the overly-simple question "does it work?".  FOI adds "did you keep *that*  from happening again?" to the measurement.  Like it or not, that's a real improvement in security metrics for most people.



Monday, September 8, 2008

A quick tip for IP name resolution

Ever have an IP address in your logs that you can't identify? No reverse DNS, ARIN/WHOIS come up useless, just can't figure it out?

Try opening a web browser and entering HTTPS://<IP address> into the address window.  With a little luck you will get a certificate error (due to mismatch, URL is an IP address, cert will have host/domain name)- look at the certificate and you have a domain and company name.  A little tedious, but very handy.
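A scripted version of this trick for a batch of log IPs, added here as an example (not from the original post): it grabs the raw DER certificate an address presents and pulls the CN, organization and DNS SAN names out of it with the standard library only. The small DER scanner is this example's own heuristic rather than a full X.509 parser, and the port/timeout parameters and the sample bytes are assumptions.

```python
"""Bulk version of 'browse to https://<ip> and read the certificate'.

Added example, not from the original post. The DER walker is a heuristic
scanner (an assumption of this example), not a full X.509 parser; it is
enough for ordinary server certificates.
"""
import socket
import ssl

# DER encodings of the attribute/extension OIDs we care about.
OID_CN = b"\x06\x03\x55\x04\x03"        # 2.5.4.3   commonName
OID_O = b"\x06\x03\x55\x04\x0a"         # 2.5.4.10  organizationName
OID_SAN = b"\x06\x03\x55\x1d\x11"       # 2.5.29.17 subjectAltName
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}  # UTF8, Printable, T61, IA5 strings

# Constructed fragments laid out like the relevant parts of a real
# certificate (issuer CN, subject O, subject CN, SAN extension); NOT a
# real certificate, just enough for the scanner to work on offline.
CONSTRUCTED_DER = (
    OID_CN + b"\x13\x05CA-01"                       # issuer CN
    + OID_O + b"\x0c\x0bExample Co."                # subject O
    + OID_CN + b"\x0c\x0cwww.test.lan"              # subject CN
    + OID_SAN + b"\x01\x01\xff"                     # SAN, critical=TRUE
    + b"\x04\x1a\x30\x18" + b"\x82\x08test.lan" + b"\x82\x0cwww.test.lan"
)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long-form length: next n bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _attribute_values(der, oid):
    """Every string value that directly follows the given attribute OID."""
    values, start = [], 0
    while True:
        idx = der.find(oid, start)
        if idx < 0:
            return values
        pos = idx + len(oid)
        if pos < len(der) and der[pos] in STRING_TAGS:
            _, value, _ = _read_tlv(der, pos)
            values.append(value.decode("utf-8", "replace"))
        start = pos


def san_dns_names(der):
    """dNSName entries of the subjectAltName extension, if present."""
    idx = der.find(OID_SAN)
    if idx < 0:
        return []
    pos = idx + len(OID_SAN)
    if pos >= len(der):
        return []
    if der[pos] == 0x01:                # optional BOOLEAN 'critical'
        _, _, pos = _read_tlv(der, pos)
    _, octets, _ = _read_tlv(der, pos)  # OCTET STRING wrapping the value
    _, names, _ = _read_tlv(octets, 0)  # SEQUENCE OF GeneralName
    out, p = [], 0
    while p < len(names):
        tag, value, p = _read_tlv(names, p)
        if tag == 0x82:                 # [2] dNSName
            out.append(value.decode("ascii", "replace"))
    return out


def cert_names(der):
    """Summarise a DER cert: CNs (issuer first, subject last), orgs, SANs."""
    return {
        "common_names": _attribute_values(der, OID_CN),
        "organizations": _attribute_values(der, OID_O),
        "san_dns": san_dns_names(der),
    }


def fetch_cert_der(ip, port=443, timeout=5.0):
    """Grab the leaf certificate an IP presents, ignoring validation errors
    (the whole point is that the name will not match a bare IP)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 1:              # no IPs given: show the sample
        print("sample", cert_names(CONSTRUCTED_DER))
    for ip in sys.argv[1:]:             # e.g. the unknown IPs from your logs
        try:
            print(ip, cert_names(fetch_cert_der(ip)))
        except (OSError, ssl.SSLError) as exc:
            print(ip, "no usable certificate:", exc)
```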



Thursday, September 4, 2008

Playing with Animoto

I'm on my way to the Atlantic Coast Blacksmith Conference this morning, so I thought I would leave you with this Animoto video of the New England Blacksmiths' Spring Meet.

Tuesday, September 2, 2008

If you aren't using the door, close it!

No, that's not latent fatherly advice, (and turn off that light!)- it is a reminder that a lot of systems have SSH ports open to the Internet, and the Internet is a dangerous place.

Yeah, we all know that- but did you remember to lock the door last time you used it?  I ask now because I have heard *anecdotally* (wink, wink, nudge, nudge) that lots of folks are getting SSH scanned heavily, including many login attempts.  Lines up well with this US-CERT advisory.  So take a minute to review what you have facing the tubes, and close what you can.

If you do need to leave SSH wide open, this might be a good time for reviewing keys and passphrases- and keeping an eye on logs.
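As an added example (not the post's own), a small triage script for the "keep an eye on logs" part: it tallies sshd auth-log lines per source address, flags sources that look like the scanning described above, and lists which accounts still got in with a password (the ones to move to keys). The log lines are constructed samples and the threshold is an assumption.

```python
"""Triage sshd auth-log lines for scanning/brute-force activity.

Added example, not from the original post. The sample lines below are
constructed in the usual syslog format sshd writes; the thresholds are
assumptions to tune for your own environment.
"""
import re
from collections import defaultdict

# Constructed sample lines (documentation-range addresses, made-up hosts).
SAMPLE_AUTH_LOG = """\
Sep  2 03:14:07 bastion sshd[2931]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Sep  2 03:14:09 bastion sshd[2931]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Sep  2 03:14:12 bastion sshd[2934]: Failed password for root from 203.0.113.45 port 51030 ssh2
Sep  2 03:14:15 bastion sshd[2937]: Failed password for invalid user oracle from 203.0.113.45 port 51041 ssh2
Sep  2 03:14:20 bastion sshd[2940]: Invalid user test from 203.0.113.45
Sep  2 03:15:02 bastion sshd[2950]: Accepted publickey for jack from 198.51.100.7 port 40100 ssh2
Sep  2 03:16:44 bastion sshd[2961]: Failed password for jack from 198.51.100.7 port 40111 ssh2
Sep  2 03:16:50 bastion sshd[2961]: Accepted password for jack from 198.51.100.7 port 40111 ssh2
Sep  2 03:20:00 bastion CRON[3001]: pam_unix(cron:session): session opened for user root
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")
INVALID_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_line(line):
    """Classify one sshd line as (event, user, ip, method), or None if
    it is not an sshd authentication event."""
    m = FAILED_RE.search(line)
    if m:
        return ("failed", m["user"], m["ip"], "password")
    m = ACCEPTED_RE.search(line)
    if m:
        return ("accepted", m["user"], m["ip"], m["method"])
    m = INVALID_RE.search(line)
    if m:
        return ("invalid_user", m["user"], m["ip"], None)
    return None


def summarize(lines):
    """Per-source-IP tallies: failed passwords, usernames tried, accepted
    logins (as (user, method) pairs)."""
    stats = defaultdict(lambda: {"failed": 0, "users_tried": set(),
                                 "accepted": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        event, user, ip, method = parsed
        s = stats[ip]
        if event == "failed":
            s["failed"] += 1
            s["users_tried"].add(user)
        elif event == "invalid_user":
            s["users_tried"].add(user)
        else:
            s["accepted"].append((user, method))
    return dict(stats)


def suspects(stats, threshold=3):
    """Sources that look like scanners: many failures, several distinct
    usernames, or a success following a run of failures."""
    out = {}
    for ip, s in stats.items():
        reasons = []
        if s["failed"] >= threshold:
            reasons.append(f"{s['failed']} failed passwords")
        if len(s["users_tried"]) >= threshold:
            reasons.append(f"{len(s['users_tried'])} distinct usernames")
        if s["failed"] >= 2 and s["accepted"]:
            reasons.append("accepted login after repeated failures")
        if reasons:
            out[ip] = reasons
    return out


def password_logins(stats):
    """(ip, user) pairs that got in with a password at all: the accounts
    to move to key-only authentication."""
    return sorted((ip, user) for ip, s in stats.items()
                  for user, method in s["accepted"] if method == "password")


if __name__ == "__main__":
    stats = summarize(SAMPLE_AUTH_LOG.splitlines())
    for ip, why in suspects(stats).items():
        print("suspect", ip, "-", "; ".join(why))
    for ip, user in password_logins(stats):
        print("password login", user, "from", ip)
```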



Sunday, August 24, 2008

Security Twits Road Trip

It was a joke.  At first.  For several days Twitter was filled with comments complaining about the general and specific failures of modern air travel as people made their way home from Black Hat and DefCon- then it was my turn.  Upon arriving in Manchester, NH after a red-eye from Vegas to Cleveland and the early morning hop from Cleveland to Manchester, I commented that I would never fly again and suggested driving ROAD TRIPS for all future conferences.

It is happening.  The Security Twits road show begins.


ToorCon is too soon and too far for a first run. SecTor is very promising, but the thought of a border crossing (they act like Canada is a whole other country these days!) makes that a bit tricky.  Day-Con, however, has potential.  Ohio is another world compared to the East Coast, but there are no tricky border crossings.

I am shopping for a conversion van/minibus/motorhome rental for the trip and a few hearty souls to make the trip with me.  The nice folks at work (Astaro) have offered to help with the expense of the inaugural trip.

Day-Con's main program is on Saturday, October 11- with some pre-con presentations on Friday night.  Google Maps claims that with bladders of steel and no fuel stops Dayton is about 13 1/2 hours from Boston.  Depending on who wants to join the trip and where, we may need to start Thursday evening. Sunday is a recovery and travel day, so we should be able to get everyone back to their northeast starting points by that night.

A few brave Security Twits have stepped up, we need a few more- and then some input on scheduling and routing.  Any more Security Twits interested?  Let me know.

And stay tuned for more road trips- Shmoocon [February 6-8] and SOURCE Boston [March 9-13] could be next, and then...



Premier (Diebold) admits what everyone already knew

The Washington Post article "Ohio Voting Machines Contained Programming Error That Dropped Votes" notes that Premier Elections Solutions (formerly Diebold) finally admits that they have some problems.  Premier has already started downplaying the significance of losing votes- but this is still a big step forward for them to admit anything. From the story:

"A voting system used in 34 states contains a critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point, the manufacturer acknowledges."

Hmm, is that a problem? Still, it is progress, because:

"As recently as May, Premier said the problem was not of its making but stemmed from anti-virus software that Ohio had installed on its machines."

Which led to this xkcd comic on that topic.  One of the heroes in this story is Ohio Secretary of State Jennifer Brunner, she sought out expert help on the issue and listened to what she was told. (Shmoocon has been an outstanding source of info on this topic, including this year's presentation by the Penn State team consulting with Brunner).  But at least we've gotten this out of Premier:

""We are indeed distressed that our previous analysis of this issue was in error," Premier President Dave Byrd wrote Tuesday in a letter that was hand-delivered to Brunner."

Great! They've admitted there's a problem, and the jurisdictions using these systems have a couple of months to test and deploy patches to fix the problem before the upcoming presidential election. Right? C'mon, tell me I'm right. No, huh?

"Unlike other software, the problem acknowledged by Premier cannot be fixed by sending out a coding fix to its customers because of federal rules for certifying election systems, Rigall [Chris Riggall, a spokesman for Premier Election Solutions] said. Changes to systems must go through the Election Assistance Commission, he said, and take two years on average for certification and approval -- and that is apart from whatever approvals and reviews would be needed by each elections board throughout the country."

I guess I kinda get that. But, wait a minute! Isn't this the same rubber-stamp process that certified the crappy systems in the first place, missing multitudes of problems?  So much for my fleeting moment of hopeful naivete.



Saturday, August 23, 2008

The wisdom of Trolls

On a recent evening the infamous Bill Bilano, noted Internet troll, made an oddly insightful set of posts on Twitter:

  1. I think I am going to fuzz twitter.
  2. A
  3. AA
  4. AAA
  5. Hell with it, booring. This is secure. On to the next web app!

Amazing as it is, I think he may have captured a pretty realistic look at a big chunk of the IT world. The reality of security is that there's a lot of tedious work that has to be done, it isn't all sexy hacks and Internet fame- and many people just aren't up to the task.

[Note, my dear imaginary friend, Mr. Bilano, has called me out for some errors and omissions. To be clear, "troll" in this context refers to his alleged online behavior, it is in no way meant to malign his rugged good looks.  If you are interested in the wit and wisdom of Mr. Bilano carefully click here to see his "bloglog". Not for the faint of heart.]


Monday, August 18, 2008

DefCon 16 Badge

Originally uploaded by jack_a_daniel
OK, they are cool badges, and I did finally get one of my own (with ~8,500 people at DefCon this year, some were left out).

But I got tired of waiting and made my own hackable badge...

A couple of interesting articles via Techdirt

Neither of these is new, but I just wandered into them-

First, Japan has no laws against writing viruses. In 2008. I can't even begin to fathom that, but they managed to arrest a virus writer- for copyright infringement because he used copyrighted animation clips in his death-threat laden anti-peer-to-peer virus campaign. That's right folks, copyright-violating anti-P2P death threats were in his viruses. Go ahead and sit down, I can't take it either. I expect the druglords to get involved in this case- if reality is this screwed up, who needs their products?

That led to this gem, a new twist on the insider threat- a disgruntled computer tech (is there any other kind?) in Liechtenstein (yes, it is a real country) who used his access to banking records to expose tax cheats to their home countries and reap substantial rewards for his efforts. It is reported that the Germans alone paid him "somewhere between $6 million and $7.3 million for the info". There's one to tweak the old ethics-ometer, the thief v. the uber-rich tax cheats.


Friday, August 15, 2008

xkcd on Premier Voting machines

Having ranted about voting systems for years myself (often triggered by the outstanding presentations on the topic at the last few Shmoocons), I now present xkcd's take on Premier (fka Diebold):

Thursday, August 14, 2008

Grown yes, but matured?

Like many people, I often find myself thinking some people should "just grow up". I sometimes even find myself thinking that about the entire "security industry".

<tangential rant> The fact that we need a ginormous security industry just proves the software industry needs to grow up. </tangential rant>

This week at BlackHat USA 2008 and DefCon16 there was a lot of childish behavior- here's a little sample:

By individuals:

  • The guys who got arrested trying to break into the computer room at the Riviera.
  • The guys who got arrested for hacking the casino comp cards.
    • That's gaming fraud, which means the Gaming Commission- if convicted, those folks may be in Nevada for a while.
  • The French journalists who sniffed the wireless in the BlackHat press room and tried to get captured credentials listed on the "Wall of Sheep".
  • The people who hijacked, defaced, and later redirected Alan Shimel's blog and posted his private information to the Full Disclosure list.
    • Be aware that Alan's site was redirecting to graphic pornography as I write this.

By quasi-government agencies:

  • The MBTA (Massachusetts Bay Transportation Authority) for trying to suppress research into their failures to secure the "Charlie Card" fare system.
    • They got a restraining order and stopped the talk, but the presentation slides were already out on the Internet.
    • The MBTA's attempt to suppress the information backfired as the story was picked up by a multitude of news sources.

By security vendors at BlackHat:

  • Two words: Booth Babes. The Booth Babe thing is bad enough at the auto dealer convention (past life issues, still in therapy over it)- but at BlackHat?
    • Fortify Software gets a special mention here for gross lack of taste AND setting up their booth so that they added to significant traffic jams in the halls.
    • Fortify also gets clueless points for showing up at a security event and offending people just weeks after publishing a FUD "White Paper" on the dangers of Open Source software.

So here's where it gets weird- after this week I feel pretty good about the industry's maturity. Most of the people walking the halls, sitting in (and leading) the sessions, and participating in the competitions- they spend their days working to make the world's systems and networks more secure. From the C-level executives to the hobbyists to those of us in the trenches, almost all of these people are on our side. Sure, there are some disagreements on the best way to do things, and more than a few oversized egos- but we can work on that.

Of course there were some bad people there, and more than a couple of idiots- but in any group of ~8500 people you will get a few folks you would rather not be around.


Monday, August 11, 2008

Anatomy of a Subway Hack - Banned in Boston!

Ben Jackson has posted an excellent article on the MBTA's latest bit of stupidity on his blog; check it out at: Anatomy of a Subway Hack - Banned in Boston!

If you hadn't heard, the MBTA (Massachusetts Bay Transportation Authority), the folks who run public transit in and around Boston, got a temporary restraining order against three MIT students who were going to present their findings about vulnerabilities in the MBTA's "Charlie Card" fare system at DefCon16.  So if researchers don't talk about a problem, it doesn't exist?  That's like a two year old playing hide and seek: cover your eyes and you're gone (I apologize to any two year olds I may have offended by comparing them to the MBTA).

Read the EFF's (Electronic Frontier Foundation) response here: