Saturday, February 28, 2009

Another reason to attend SOURCE Boston

Remember the first time you used l0phtcrack to pop a password? Then, remember when you heard the project was going away under its new corporate overloads?  Wouldn't it be cool if the old l0pht crew revived it and brought it back from the grave?  Darn Skippy it would be cool.

Maybe you want to wander over to - from the site:

"L0phtCrack is back! At a special information session at SOURCE Boston (Thursday, 10:15am), the team that brought you L0phtCrack will be releasing version 6 of the highly-acclaimed Windows password auditing tool. Come to the session to learn about this release, its new features and platform support, and the story of the product from the days of the L0pht, to @stake, Symantec, and finally back to the L0pht."



Tuesday, February 24, 2009

Shortcuts to 201 CMR 17.00 (and all other) compliance

Really? Of course not. There are no shortcuts. Well, maybe one- if you already have a secure environment, supported by appropriate policies and practices, then the path to any compliance project will be easier.

OK, returning to the real world, let's assume the worst case (and most likely) scenario- you are pretty much starting from scratch.  Where to start?  That's easy, stop doing it wrong.  I don't mean you have to immediately fix everything you are doing wrong, but you need to stop heading in the wrong direction.  You may need to change the way you store data, and you may need to develop a training program, and those will take some time.  Any new projects, however, you can start right- so stop and think before any new purchases or projects.  My wife has a saying for this kind of situation- "when you are in a hole, the first thing to do is stop digging" (that's pretty good advice for a lot of situations).

I'll offer up more practical suggestions in future posts, but this one really is a pretty good starting point.  Stop doing it wrong.



Monday, February 23, 2009

What's on your calendar?

Next week on Tuesday, March 3, the Boston Network User Group is holding the rescheduled 201 CMR 17.00 talk (weather permitting, of course).  given by David A. Murray, General Counsel and Gerry Young, MIS Director of the Massachusetts Office of Consumer Affairs and Business Regulation.

The following night I will be presenting on a variety of topics at the Boston Area Windows Server User Group.  It will be part vendor preso (NOT a sales pitch, though), and part incoherent ramblings on a variety of topics ranging from 201CMR17.00 (of course) to FoI to who knows what.

And, SOURCE Boston is on the horizon.


Monday, February 16, 2009

ShmooBus Debriefing

I was going to try to come up with some witty post about the ShmooBus experience, but that really isn't necessary- it has already been "documented" on Twitter and elsewhere. While a simple Google search will find plenty of hits for shmoobus, I would suggest checking out the following:

It was a blast, thanks to everyone who rode along, even those who "rode" vicariously via Twitter- and of course, big thanks to Astaro for sponsoring the madness.

I'll post a few stats later (after I do the expenses), if anyone is interested in all the gory details, logistics, and mistakes made, I'll be happy to share what I have learned from doing two of these mad trips.


Friday, February 13, 2009

Mass Data Protection Law delayed and amended

As expected, the Massachusetts Data Protection Law, 201 CMR 17.00 has been amended and delayed again.  I'll post a more detailed look at the changes later, but for now, the Commonwealth has posted info here and the amended law is here (95kb PDF).

Key points are

  • All deadlines have been extended to January 1, 2010
  • Third-party contract/certification requirements have been eased significantly
  • Wireless encryption is only mandated when personal information is transmitted wirelessly.

I think this is a good compromise, it gives businesses more time to do what they should have been doing all along- but allows for the financial burden in this economy.  I also think the easing of third party requirements was a good decision, it would not have been feasible for every company to meet the earlier requirements.

AIM, the Associated Industries of Massachusetts, has a good resource page for businesses working towards 201CMR17.00 compliance.

And, yes, there will be Shmoocon and ShmooBus wrapups coming soon.



Tuesday, February 3, 2009

BNUG Meeting cancelled

Tonight's Boston Network Users Group (BNUG) meeting on 201 CMR 17.00 has been cancelled due to inclement weather.  The presentation will be rescheduled, but no date has been established yet.



Monday, February 2, 2009

Random Stuff

A few quick items...

Happy Groundhog Day. Really, it is a great American holiday. A very corny and campy holiday, but great. You should go to Punxsutawney at least once (once is probably enough for most people) to see the spectacle. Several thousand very cold people on a pre-dawn hillside, chanting Phil!, Phil!, Phil! is a sight to behold. And, yeah, Groundhog Day is a great movie, too.

Tonight (Monday Feb. 2) there is a SOURCE Boston Security Night event with Andy Jaquith and Chris Wysopal at the Seaport Hotel in Boston. It should be great, I'm sorry I will miss it.

Tuesday, Feb. 3, the Boston Network Users Group will have a presentation on 201 CMR 17.00 given by David A. Murray, General Counsel and Gerry Young, MIS Director
of the Massachusetts Office of Consumer Affairs and Business Regulation.

Thursday morning, the Security Twits ShmooBus hits the road for the pilgrimage to Shmoocon. There will be plenty of documentation, maybe even video- but people usually pay the hush-money I demand to keep the vids off the Internet, so I can't promise anything. As with the first SecTwits Road Trip, this one is sponsored by Astaro Internet Security. (I hear some nice folks work there).