Archive for May, 2006

May 30 2006

Network Security Podcast, Episode 29

Published by under Podcast

I interviewed Gary McGraw, CTO of Cigital Inc and author of Software Security for this week’s podcast.  This is part of my continuing effort to do less of the talking in the podcast and get ideas and opinions from other people.  We discussed software security and what’s being done about it. I tried to get Gary to spill the beans on the subject of his next book, but he was a little cagey on the subject. 

I forgot to mention it in the podcast, but if you have any feedback, you can drop me an email at nsp_AT_mckeay.net or leave me a voicemail at 916-231-9479. 

Network Security Podcast, Episode 29, May 30, 2006

Time:  37:51

Last, but not least, check out the other projects I’ve been working on lately, the first episode of the Security Roundtable and the fifth episode of the Podcast Roundtable.

Tonight’s music:  Dark Side of Town by the Josh Kirkland Band

May 30 2006

Podcast Roundtable, Episode 5 is available

Published by under Podcast

We finally got together and recorded the fifth episode of the Podcast Roundtable.  We’d had to put it off for a little while due to conflicting schedules, but it was worth the wait.  We’ve made some improvements to the sound quality and there are some interesting viewpoints on the value of face-to-face networking, monetizing your blog and beta software.

May 26 2006

Bwahaha! AT&T lawyers are idiots

Published by under Privacy

I thought that Adobe had fixed this years ago.  Apparently the attorneys at AT&T didn’t realize when you cover up text in a PDF the text is still there to be cut and pasted from the document.  Which may not be important when you’re making the bowling league newsletter, but is something you’d better be aware of when you’re dealing with sensitive documents.  Oopsie.

May 25 2006

Security Round Table, Episode 1

Published by under Podcast

The first episode of the Security Round Table is up and available for download!  Michael Santarcangelo of Security Catalyst, Larry Pesce of PaulDotCom Security Weekly, Dan Kuykendall of Mighty Seek and I talk about Email Security for almost an hour.  Unluckily, we had some background hum on the line but I think the content is well worth listening to.  Let us know what you think; you can send me an email at nsp_at_mckeay.net or you can leave me a voicemail at 916-231-9479.  Sorry, comments are still down until I can come up with a defense from the comment spammers.

May 25 2006

#70 in Technology Podcasts

Published by under Podcast

I was just informed by Michael Santarcangelo, of the Security Catalyst, that my podcast is #70 of all Technology podcasts in the Apple iTunes store.  I don’t have iTunes on my laptop, but a coworker was able to show me on his computer.  Security Catalyst is #63, but I’m not jealous.  No, not at all. 

May 25 2006

Quoted for an article on SearchSecurity

Comments I made on my ComputerWorld blog were quoted today in an article on SearchSecurity about the Black Frog/Okopipi project.  After talking to one or two members of the project, I think I oversimplified the challenges Okopipi will be facing, but I’m still dubious about the project.  It’s something that’s going to have to be handled with great care, and I’m not sure an open source project is the way to go.  Every unsubscribe link is going to have to be verified by a real person, not just a program, and I still see several ways spammers could turn this project to evil.  I don’t think this is reason enough not to at least try, but I don’t believe I’ll be participating in a distributed, P2P anti-spam solution any time soon.

May 25 2006

Podcast Meetup

Published by under General

I went to the San Francisco Podcast Meetup last night at Sauce, a little place in downtown SF, of all places.  This was the third or fourth of these that I’ve been to and it’s always an interesting experience.  I got lucky and won a Griffin Radio Shark.  The question was “What does RSS stand for?”  Fellow Podcast Roundtable member Jeremiah Owyang showed up and we got to sit with Shel Holtz of For Immediate Release.  You can find pictures of the event by searching for SFPodcastMeetup in Flickr.  Thanks again, Michael, for organizing this monthly dose of chaos.

May 24 2006

Security Roundtable on iTunes

Published by under Podcast

The Security Roundtable has made it to the banner on the front page of iTunes!  This is awesome.  You can’t buy this sort of advertising.  Literally. 

Thanks to Dan Kuykendall, not only for his work on getting our group on iTunes, but once again for being my co-host last night.  Dan was very patient with me as I struggled through a series of technical difficulties last night.

May 23 2006

Network Security Podcast, Episode 28

Published by under Podcast

I want to start off by thanking my guest host tonight, Dan Kuykendall from the Mighty Seek Podcast.  Dan is a fellow member of the Security Roundtable, so hopefully you’ll be hearing more of us together in the future.  Dan is an application vulnerability tester by profession, and brings a significantly different point of view to security than I do.  I had more sound problems tonight, but at least Dan and I were able to record this, which is a big improvement over last week.  Sorry about the sound quality tonight, I promise it will be better next week. 

On a separate note, I had to disable comments on the site temporarily.  Starting yesterday I’ve been hammered with comment spam and I had to shut down comments until I come up with a viable solution.  It’s not shaping up to be a good week.

Network Security Podcast, Episode 28, May 23, 2006

Time:  44:56

Dan had some interesting information about the PCI standards that I hadn’t heard before.  I’m glad that there are people like Dan pushing hard for application security in the PCI standards.

Tonight’s music: Open Your Eyes by Telos

May 22 2006

That’s exactly how you have to look at it!

Published by under Government,Hacking

As always, Bruce Schneier hit this one right on the head.  The spokesman for Diebold, talking about the latest vulnerability in their election machines, said that there would have to be “some evil and nefarious election officials” for the latest vulnerability to be exploited.  And that’s exactly what we, as security professionals, have to be looking out for.  It’s not some Joe off the street who’s the problem, it’s that corrupt election official we have to be on the lookout for.  The Diebold spokesman is an idiot.

Risk mitigation isn’t about planning for people using your system in the way it was intended, it’s about trying to cover as many of the unintended usages of the system as possible.  It’s exactly situations like the use of system patching as an entry point for malicious code that you have to plan for and prevent.  Almost any security professional will be the first to tell you that the insider threat is many times more likely to happen and many times harder to prevent.  The insider has the keys to the kingdom, he doesn’t have to break in first.
