Monday, December 13, 2010

The most wonderful time of the year


No, not that “most wonderful” time of the year.  Shmoobus season is approaching.

This will be the fifth SecTwits road trip, and the third annual Shmoobus trip- a pilgrimage from the Boston area to Shmoocon in Washington, DC.

What is a Shmoobus?  It is a hacker road trip, a way to get to DC and see the wonders of the New Jersey Turnpike and much more.  I generally rent a 28-30’ RV, folks sit around the table, or on the couch.  It is a mini-con on the way to/from the con.  The route is from the Boston area (a couple of pickup spots) to Shmoocon.  There is a possibility of stops along the way, but I don’t think I want to battle NYC traffic in the RV again.

The nice folks who keep me around for entertainment, Astaro, will once again be sponsoring the Shmoobus.

The last Shmoobus was pretty close to capacity, so we need to start planning now.  We have a few options, such as chartering a bus instead of renting an RV, but that would mean no table for conversations, card games and workspace.  Also, no generator to power all those laptops and other toys.  On the other hand, we could step up to two RVs, but that means we need to find another driver willing to handle the task.  But then we could caravan.  Twice the fun?

Interested in joining us?  Drop me a line at work, jdaniel [at]



This would warm my heart, if I had one

Michelle Klinger has a post on her blog that made my week- she tells about her path to becoming a community leader.  Check out her post, “SecurityBSides Turned Me into an Adult”.



Thursday, December 9, 2010

Comment-induced follow up post

I love comments, and I should make them more often.  Three comments on one of my recent posts kicked a few thoughts free, so I’m dropping them here.

Marisa Fagan’s comment helped me clarify an idea.  We often see inappropriate spending on security, and frequently shrug it off with the acceptance that “at least they’re doing something, maybe next time they’ll get it right”.  I am a proponent of accepting small victories, but if the “defense” is wrong, that is not a victory of any kind.  For any challenge, we have a finite set of resources we can use to address it.  If resources are spent on the wrong things, that is not “just” a waste of resources, it removes them from the pool and reduces (or possibly eliminates) what is available for valid solutions.

Danny pointed out a very real, but theoretical, threat.  Some would call it a “movie plot threat”, but I am growing tired of that phrase.  Risk analysis needs to consider a wide variety of risks, then categorize them and prioritize mitigations.  Even unlikely attacks deserve to be considered in the process, especially if the consequences would be high. In the context of the post, I feel that it would be inappropriate to worry much about a potential threat when there are active attacks we are not adequately addressing.  For example, you don’t see anyone in InfoSec focusing their efforts on traditional network security to address browser exploits, do you?  That would be silly.  Hmm, wait, we seem to be getting uncomfortably close to glass house syndrome.

christiania, glass house, august 2007 (photo credit seier+seier, Flickr)

Finally, Dave Kennedy’s comment included this gem:

“Report: FBI arrests Holland America passenger for releasing ship's anchor”

which highlights a real battle we sometimes face.  We are all aware of “usability vs. security” challenges; this one is a “security vs. security” challenge.  Or maybe a “safety vs. security” challenge would be more accurate.  Sometimes you need to drop anchor, and fast.  It isn’t common, especially in a modern vessel such as the cruise ship in the story- but when you need the anchor down, you need it down.  Therefore, the harder it is to drop anchor, the “less safe” the ship may be.  In this case I do think there needs to be a level of security above “some drunk can drop an anchor”.  This kind of incident is a good study in risks, threats, probabilities and outcomes, and it is visceral enough to get people’s attention.


Tuesday, December 7, 2010

BSides Updates

Out of control, but in a good way.  It was an idea kicked around on Twitter eighteen months ago.  Then the first event happened, and went amazingly well.  And then more happened. And the growth continues.  It is a simple idea, really.  Get people together, bring in good content and engaged participants.  Have fun, learn, share, repeat. 

There have been twelve events in eleven cities in the past eighteen months.  From a few dozen to several hundred people have participated in the various events.  Dozens of companies have sponsored in amounts ranging from a hundred dollars to those who have provided tens of thousands. There are at least eight new cities planning BSides events in the next several months, plus second year events in more.

The most recent event was in Ottawa, the first one outside of the US- and there are at least two more locations planned for Canada next year.  Later this month, BSides Berlin (BerlinSides) will be the first European BSides- but there will be one in London in the spring.  Another is in the planning stages for New Delhi.

Head over to for information on upcoming events, and to see where we’ve been.  The next events on the horizon are:

Berlin during 27C3 (27C3 is now sold out).  There are even a couple of speaking slots open; if you submit quickly you could get on the schedule- and as always there will be space for breakouts, impromptu talks, and private discussions.

Minneapolis/St Paul, at the Wabasha Street Caves, January 7.

The second BSides San Francisco will be February 14 and 15; registration and the call for papers are still open, and the location will be announced soon- it is a great one.

Then the second Austin event will be Friday and Saturday, March 11-12.  As with San Francisco, the location is going to rock, and will be announced soon.

There is even talk of a SkiSides, a BSides at a ski resort.  Keep an eye on the BSides wiki for all the details of upcoming events.  There is bound to be one near you.  And if not, you can help make one happen- send a note to info (at) to find out about organizing an event.

Finally, sponsors make it possible, and BSides provides unique opportunities for organizations to promote themselves and support the community.  info (at) is the address for sponsor info, too.  Or email me directly (you can find the address somewhere up there ^ from the blog header), I’ll be happy to answer questions about BSides.



Monday, December 6, 2010

If you have to ask, the answer is yes.

In case you missed it:
Alan Shimel wrote a good, but really depressing post over on his Open Source column at Network World, "Is There A Sexual Harassment Problem In The Open Source Community?".  Alan and I are both “old white guys” who are heartily sick of sexism in our industry, and Alan’s latest piece addresses and links to some pretty appalling things.
It really is way past time to act like responsible adults in this business.  And I may just have to act very childish at an event or two next year to make that point.  Stay tuned.


Wednesday, December 1, 2010

Invoking 9/11, lies, and ignorance.

This one has been stewing for quite a while.  It was triggered by an event that happened while I was on vacation late this summer, but I have held off on writing about it until now.  First, I didn’t want to write about it in the hype-cycle leading up to the anniversary of the September 11 attacks and look like I was riding the hype wave.  Then it was election season, with all the hype and invocation of 9/11 that brings.  Now, maybe I can get this off my chest safely.

I took an Alaskan cruise this summer.  I’m not really a “cruise” kind of guy, but the Inside Passage cruise is as stunningly beautiful as most people say it is.  One day the cruise director was talking about DVD tours of the ship and mentioned that it was the only way to see the bridge or engine room since… that’s right, the tightened security after 9/11.  Because we simply can’t have any more cruise ships flying into skyscrapers.

This is pure BS, and is actually a complete failure to grasp the nature of the threats.  Worse, it misdirects defenses and perceptions away from the real threats in a maritime environment, which are very different from the aviation world.

The “lesson” of 9/11 was that the passengers and crew of airplanes were no longer the only objective; the planes themselves were objectives- so they could be used as weapons.  Applying that “lesson” to cruise ships is stupid and dangerous for several reasons, a few of which follow.

First, there’s the matter of physics.  The navigation space of aircraft is much less restricted than that of ships (the sky is very large, even if some of the edges are hard), and combined with the speeds of modern aircraft, the possible targets for an airplane attack are myriad.  Ships could be used for ramming attacks, but it just isn’t that practical- especially when you consider how tricky many approaches are to ports.  There’s a big reason harbor pilots are used to guide ships into port: tides, currents, and shifting shoals are all in the way of getting to the berth- or of ramming a target.

Then there is the practicality of maritime safety.  There is none; it is almost exclusively vigilance that defends shipping.  When an airplane leaves the runway, the number of practical threat vectors narrows.  At 36,000 feet I am not worried about a guy with a rocket propelled grenade on the ground, or someone forcing the door open from outside.  When a ship leaves a harbor, it loses the protection of monitoring from on shore and from adjacent vessels’ crews; it is alone, and approaches to the vessel become easier, not harder.

But those details miss the larger point, the “lesson of 9/11”, the use of vessels as weapons, isn’t just impractical in the maritime environment, it downplays the very real and actively exploited threats to ships.  Piracy is rampant in parts of the world, and not just off the coast of Somalia- and that is much more like the pre-9/11 view of airline threats: hijacking and kidnapping.  It is wrong to make any statements which in any way divert attention from the piracy crisis; it diminishes the significance of both 9/11 and the scourge of piracy.

And for the specific threats posed by tours of the bridge and engine room- I completely agree that the bridge should be off limits at almost all times, but that is common sense and safety.  The bridge is no place for stray people when a ship is underway.  The same could be said for some of the engineering areas.  But when the ship is in port I have a hard time believing tours can’t be given safely.  Even if you do buy the idea of a movie-plot threat, remember that passengers and their luggage go through metal detectors and x-rays, similar to airport security (pre-nudie scanners and freedom fondles).  Defend against the real threats.

That’s it. No InfoSec angle. 

Alright, if you really need an InfoSec angle, I’m sure you can extrapolate something about misidentifying threats, and using that wrong information to create the wrong defenses, thus ignoring or even weakening viable defenses.  But we would never let that happen.  At least we don’t usually deal with dead people over our mistakes.