Monday, March 31, 2008

Security Bloggers Meetup at RSA

I am looking forward to the Security Bloggers Meetup at RSA next week.  A couple of weeks ago at SOURCE Boston I got to put faces (not just avatars) to Twittering and blogging friends I only knew through online interactions- I expect to make many more face-to-face connections at the RSA meetup.  Given the reputation of RSA evenings in general and the Security Blogger Meetup in particular, I can't be sure that I will remember much- but I know there will be video to help jog my memory.

See you there?



Tuesday, March 25, 2008

SOURCE Boston Videos and 2009

SOURCE Boston just ended a few weeks ago and videos and slides are already appearing on the sessions page and the SOURCE channel.

And, plans are already under way for SOURCE Boston 2009.



Sunday, March 23, 2008

The Reluctant CISSP

Jack Daniel, Reluctant CISSP.  What the heck does "Reluctant CISSP" mean?

It means several things. Sometimes it means I am reluctant to admit I am a CISSP because:

  • some people don't understand the CISSP certification
  • the attitudes and/or behavior of a few CISSPs give us a bad reputation
  • CISSPs tend to be managers, and managers tend to be... managers
  • in some circumstances it sounds like bragging
  • sometimes the ISC2 seems to be headed in a different direction than I would like

It does not mean I do not value the certification, nor does it mean I do not respect others who hold the CISSP credential.  It also doesn't mean I have given up on ISC2, even if I would like to see some things change fairly significantly in the organization.

I have commented on the CISSP before and my opinion hasn't changed, just my tagline.



Astaro, RSA, Bloggers, and Beer

OK, this post is much more "commercial" than anything I've done before, but bear with me on this...

A handful of factoids:

  • The San Francisco RSA conference is coming up in a few weeks.
  • I'll be there covering the event.
  • Astaro will be there, promoting their new (and of course, current) product line.
  • I blog, and I work for Astaro.
  • Getting press credentials for RSA means you are solicited by everyone who wants press for their products and services.

Now to connect some dots. Several people have commented on the barrage of email invitations to schedule meetings and other such things. Some have commented on the cluelessness of some of the PR and Marketing people. I see two primary issues; first is that some PR and Marketing types don't have the time (or possibly skill) to do a good job (see this post at the Mediaphyter blog); second is that many people do not realize that bloggers and traditional press may have some overlap, but are generally very different people with different situations (see this post at Martin McKeay's blog).

I don't mind the mountains of email invitations. I'm getting into the event with a complimentary Press/Analyst pass and the vendors want to get their message out- that's how this works. I do think many of the messages and invitations are excessively verbose and hype-laden, but some are pretty well done. The well done ones are much more likely to get my attention, both before and during the conference.

Here's the Astaro connection: Astaro wants to get attention from bloggers and I think they are trying to do it right. Tuesday afternoon (you'll be ready to sit down, have a beer and jump on the Internet by then) there will be a "Beer and Blog" event at the Astaro booth; meet Astaro people including the CEO, see the products, talk about whatever you want. And beer. The invitations are short and to the point, and they are only being sent to bloggers. Yes bloggers, Astaro wants your attention, but they are trying to do it right. If you are registered as a Blogger for RSA you should get an invite- if you are interested please RSVP, it would be bad to run out of beer. If you don't get an invite, let me know. And let me know what you think.

Now, back to your irregularly scheduled blogging.


Sunday, March 16, 2008

SOURCE: Boston 2008 (updated)

SOURCE: Boston 2008 has just ended and it was great. SOURCE is a little hard to categorize; it was part executive-level symposium, part hacker con, with a few other things tossed in for good measure.

I was only able to attend on Wednesday, but I kept up on things from my desk on Thursday and Friday by following a very active Twitter stream from the event.

Wednesday kicked off with introductions followed by a short talk by Tito Jackson*, the IT Director for the Mass Office of Business Development. Jackson's talk was very upbeat about the state of technology in Massachusetts (as you would expect), but some of the numbers really are impressive given the current economic situation. Jackson was followed by a keynote from Richard Clarke. Clarke is a very good speaker and started (after the obligatory Eliot Spitzer joke) with a recap of the history and current state of cybersecurity in the United States and recent events which have refocused attention on cybersecurity. Unfortunately Clarke started wandering away from his real areas of expertise and eventually jumped the shark and ventured into bogus generalizations and speculation. His strong statements on privacy violations could have brought him back from the brink, but by the time he suggested ideas like laws regulating secure code and requiring ISPs to clean up the Internet for us he had lost a large part of the audience and it was just residual respect and decorum which kept him from being heckled.

After the keynote the three tracks split up and the choices became difficult (always a good sign at a con). The tracks were loosely defined as "Business and Security", "Application Security" and "Security and Technology"; not being a coder I wasn't tempted by much in the Application track, but I later heard there were some excellent ones, such as Andrew Jaquith's Anti-Virus preso. I chose to hear Mike Rothman's "How Compliance Can Get You Killed", but really wanted to see Roger Dingledine's "Making TOR Play Nice with the Internet" talk, too. I'll have to wait for the videos to see Roger's, but Mike was as entertaining and informative as always.

The next tough choice for me was between Michael Rash's "Advanced Linux Firewalls" and "Disruptive Innovation and the Future of Security" by Rich Mogull and Christofer Hoff. I couldn't pass up the dynamic duo and they didn't disappoint. It was their first pass at what is an evolving presentation; it was good and will improve with a little polish. They tried to cover more Disruptive Technology topics than would fit in the time allotted and that limited the depth of the presentation, but even in "rough cut" form it was a refreshing change from most of the mundane "Business of Security" kind of talks.

The tough choice for the end of the day was between Andrew Jaquith's "Anti-Virus, not dead but twitching..." and James Atkinson's "Telephone Defenses Against the Dark Arts". I opted for the phone security session and spent the next two plus hours in the ultra-nerdly and technical preso. It was great; see my guest blog post about it on the SOURCEBoston blog.

The evening's reception was fantastic as a large crowd gathered on the sixteenth floor to eat, drink and talk. The conversations continued throughout the evening and eventually moved downstairs and went on until the small hours of the morning.

Although I didn't get to attend on Thursday or Friday, the Twitter feed had a steady stream of news. Wednesday's keynotes by Dan Geer and Steven Levy received rave reviews, as did Friday's L0pht Heavy Industries "reunion" panel. (There was a somewhat-confirmed baseless rumor that L0pht is getting back together in some form or another; see Space Rogue's comments below.)

Where is this "confirmed rumor" coming from? Basically Symantec owns all the L0pht IP, they even have the domain name. I suspect if we tried to do anything under that name they would probably have something to say about it, not to mention that Silicosis still works there.

I suspect that there may be some individual collaboration between a few ex-l0pht folks in the near future but getting back together as a full group just ain't gonna happen.

- SR

It is clear that I missed many very good presentations; the full list is at

A special bonus at SOURCEBoston was the chance to meet several other Security Twits in person for the first time, notably "old friends" Ryan Naraine from eWeek and Jennifer Leggio, Keeper of The List.

Now I'm waiting for word on next year's conference.

*"Tito Jackson"? Poor guy, going through life with a famous name like that- what were his parents thinking?

Jack Daniel

Saturday, March 8, 2008

The security implications of "Digital Natives"

Wednesday night I attended an interesting talk at the Boston Area Windows Server User Group, "The Social Web and Digital Natives: Understanding the Expectations of Tomorrow's User Base", presented by Anthony Pino of the Digital Natives project at Harvard's Berkman Center.  What is a Digital Native?

Digital natives, a term made popular by Marc Prensky, are young people whose use of technology is completely ingrained in their lives -they have grown up always-on and constantly-connected. Unlike those even a little bit older, these Digital Natives didn’t have to learn to “be digital,” they learned in digital the first time around.

It was a very good presentation, and the audience (mostly Windows systems and network admins, none young enough to be digital natives) was engaged and participated in a good discussion.  While the topic was Digital Natives, their attitudes and expectations, and the impact they will have on the workplace- it got me thinking (not surprisingly) about the security implications of their arrival.

Here are a few thoughts on what they will bring to the workplace and what they will expect to find.

One thing we already see, mostly in Web 2.0 applications, is the notion of the perpetual beta.  Instead of the traditional software model of spending years developing and testing software and then releasing it as a completed project, the perpetual beta mentality gets a project to a functional state and releases it for use with the idea that the project will evolve with user feedback.  Digital Natives expect this kind of feedback loop because they have grown up with it.  This model can lead to an improved user experience since real-world user feedback is part of the development cycle. ( is an example of a site which does this well).  Unfortunately, the constant cycle of release-feedback-revise-release can also mean code gets out before it is fully reviewed and secured.  For a perpetual beta system to work securely, security cannot be "bolted on" at the end of a project; it really has to be an integral part of the development process from the beginning.

Mashups (web applications resulting from combining data and functions from multiple sources) and other hybrid applications can also be problematic.  If all of the components aren't locked down, a "connect the holes" situation may develop.  I think the most likely scenario is data leakage, but who knows where it could lead.  Think about Facebook and all of the applications being thrown at it.  If we believe that Facebook is trying to protect our privacy (play along with me here, OK?), what keeps all of those add-on applications from leaking your information or spying on you?  Yes, the correct answer is: nothing.  Now we need to trust multiple sources of code, and some of those sources may be obfuscated in the mashup.  A less-than-ideal situation.

It would be underestimating the Digital Natives to assume they won't respect the privacy of others or the confidentiality of sensitive data- but it would be naive to overlook their very different views of public and private information.  Employers will need to reconcile Digital Natives' attitudes with business and regulatory demands to prevent problems from developing.

A final thought: just because they have grown up with technology doesn't mean they are all tech-savvy.  We still have to teach technology to this new generation: the ability to customize a MySpace page does not make someone a web developer; nor does the ability to connect all of their computers, game and entertainment systems make someone a network engineer.  My son, a real Digital Native and a small-business network and systems admin, frequently bemoans his peers' lack of technical (and security) skills, usually when fixing their computers.



Wednesday, March 5, 2008

Misconfigured networks create huge security risks

My friend Bill Brenner had an interesting article over at SearchSecurity today.  It isn't interesting because the idea that misconfigured networks create huge security risks is new or groundbreaking, but because it got press at all.  Mundane misconfiguration and poor maintenance don't get the attention that cool new vulnerabilities and exploits get, but they are more likely to result in systems getting compromised than any of the "sexy" stuff.  This is especially true in small business, and Bill points this out.

Anyone who reads my blog or has heard my rants knows that I have been saying this for years; it is good to see someone else saying it.



Monday, March 3, 2008

The end of an era

In case you missed it last week, Jimmy Bedford will be retiring at the end of this month. After over forty years at the Jack Daniel's distillery, the past twenty in the role of Master Distiller, Jimmy has decided to retire. He is only the sixth person to hold the position of Master Distiller in the history of the distillery.

Thanks, Jimmy.


Sunday, March 2, 2008

The Social Web and Digital Natives

This week's Boston Area Windows Server User Group meeting will feature a presentation which sounds especially interesting:

"The Social Web and Digital Natives:
Understanding the Expectations of Tomorrow's User Base"

Presentation by Anthony A. Pino of Harvard College

Emerging modes of social production such as blogs, wikis, social networks, tagging, folksonomies and mashups have changed the face of the internet and hold important considerations for those developing and implementing the next wave of applications. As "Digital Natives", those who have grown up in a digital world and for whom connectedness is taken for granted, mature and both forge the online space into a more social one and become mainstream users of software, it is important to understand how they interact with technology, information, and with each other online. We'll look at the concepts and tools that form the "web 2.0" buzzword with an eye towards helping administrators who will be responsible for implementing technology platforms in the future. The talk will include a primer on blogs, wikis, tagging and social networks; the importance of a feedback loop for users; the merits of peer review and the wisdom of the crowd; why we all need to "set our data free" so it can be "mashed up" with other data, services and visualizations; and how to stay abreast of these new happenings. The presentations aims to be informative to those already familiar with the expectations and assumptions of Digital Natives as well as those who are curious about the changes afoot in the way people are using technology to communicate and manage information.


Boston Area Windows Server User Group meets at Microsoft's offices on the sixth floor of 201 Jones Road in Waltham, MA.  Meetings begin at 6:00 pm, this presentation is scheduled for 7:00-8:00.



Saturday, March 1, 2008

Sharkfest is coming.

I know I'm repeating myself, but I want to remind people that Sharkfest is around the corner. I won't be able to make it; it is a week before RSA and I just can't do it.
"CACE Technologies hosts the 1st Annual SharkFest Event March 31 – April 2, 2008 at beautiful Foothill College in Los Altos Hills, California USA. Join us for 3 days of training and discussions on network analysis, troubleshooting, security, Wireshark development, communications dissection and more!"
The latest info on the event:
  • See Dr. Vinton Cerf talk about network neutrality
  • Mingle with fellow Wireshark users and developers
  • Experience one or more inspired Wireshark University Trainings with Laura Chappell and various networking industry consultants and pundits for a fraction of the cost
  • Learn how to optimize use of the Wireshark open source network analyzer
  • Learn how to influence the future direction of the world's most popular network and protocol analyzer
  • Learn how to increase the effectiveness of your wired or wireless network management application
  • Learn how to write packet dissectors for Wireshark
  • Learn how to address network security issues through network forensics
  • Learn how to effectively deploy WinPcap
  • Get the latest on WLAN security
  • Meet Gerald Combs (Mr. Ethereal/Wireshark), Loris Degioanni (Mr. AirPcap), Gianluca Varenni (Mr. WinPcap) and partake in a variety of April Foolishness!
Maybe next year...


Diebold Leaks 2008 election results

From the Onion:
(This would be funnier if I had not just seen the E-Voting presentations at Shmoocon)

Diebold Accidentally Leaks Results Of 2008 Election Early