Network Security Blog

I find this article by Dave Taylor very interesting right now.  Offering a blogger a product in the hopes he or she will review it is definitely on the rise, as is the sponsorship of blogs and podcasts.  What do you think?  Is it okay as long as the blogger or podcaster discloses the fact that they received the product from the company?  Or do you think bloggers should turn down this sort of offer?  I think as long as you disclose it’s okay, but I want to know what you think.

Speaking of which, I’m really enjoying playing with the Nokia 770 I was lent at Linuxworld by Nokia.  I still have some problems with stability and I wish I could run Kismet and a couple other wireless tools on it, but for light  Internet surfing and listening to online radio stations it’s pretty good.  I don’t think I’d spend the ~$360 one cost for the priveledge though.  Given that the laptop I just purchased only cost $1000 including tax and has more than ten times the processing power, I think the laptop is a much more reasonable purchase. Now if a successful port of Kismet is done and the tools to intergrate it with a bluetooth GPS become available, I might persuade my company to buy one.

I thought this was funny.  I’ve been with Sonic.net, a local service provider and the largest independently owned ISP, for quite some time now.  And before I started blogging I created a couple of sites on their servers, one for my security links, one for my family site.  Neither has been updated in about four and a half years, but Sonic has diligently kept them up and running.  You can start off by looking at a flash animation I did one afternoon with some shareware product that I used the one time and then never fired up again at http://www.sonic.net/~mmckeay, they you can take a look at pictures from my graduation from college on the Family side of the site, and some of security sites I thought were important then on the Security side of the site.  I’m surprised how few of the sites on this list I still visit anymore.

I’ve said it before, and I’ll say it again:  it’s a good thing I’m a security expert because I’d starve if I was trying to be a web designer. 

I can’t agree more with today’s SANS Handler’s Diary.  Maybe it’s because I’m in an auditing class right now (and a SANS course at that), but I think it’s more because I’ve begun to realize how important auditing is.  People usually care about their jobs, but they’re less interested in doing the job right than they are about just getting the job done.  And that leads to mistakes and shortcuts that are just aimed at getting things done.  Which is why we need audits.  Internal audits are a great starting point, but familiarity breeds a willingness to overlook mistakes.  Or just being too close to the problem.  Which is why the external audit is so important.

A corollary of being too close to the issue, and part of why we need external auditors, is that an internal auditor can often be dismissed as being reactionary or overly alarmist, where as an external auditor is an expert in their field who’s opinions often carry more weight in the board room.  The external auditor will sometimes find the exact same issues that the internal auditor found, but be able to talk from an position of authority and express the issues in a way that makes management listen a lot closer.  After all, which of these is your senior management going to give more authority to:  “Joe from IT says …” or “Mr. Van Nuys (who we just paid $50,000 to audit us) says …”? 

Why is it paying someone to say something gives it the ring of truth?

If you haven’t checked out (In)Secure Magazine before, this would be a good time.  Even though Mirko didn’t ask me to contribute this time, there are still a lot of good articles in the magazine; I am going to read the PCI related articles and then pass them on to my co-workers.

Fellow Security Roundtable’r Michael Santarcangelo has a rant about why security breaches aren’t about tehcnology or legislation, they’re about taking responsibility for your own security.  I can’t agree more.  Michael is developing what he calls Security 2.0, a way of looking at security issues and helping the end users take responsibility for their own security, something I’ll be involved in as well.   

Technorati Tags: security, Mckeay, Santarcangelo, Security 2.0

The Black Pearl is docked a couple hundred feet from the front of my hotel.  Unluckily all I have with me is the cell phone camera.  That’ll learn me to keep a camera handy.

Over at the securosis.com site there’s a pretty good article titled “The 3 dirty little secrets of disclosure no one wants to talk about“.  Except some of us really do want to talk about it!  The post lists three problems with whole idea of disclosure:

1. Full disclosure helps the bad guys:  I agree, but I think it also helps the good guys.  I’m willing to cede that it probably helps the bad guys more, which is why I’m also willing to cede that full disclosure is not the way to go by default.
2. It’s about ego, control and competition:  I’m not sure I can I can agree with this point.  There are elements of all three of these in many of the disclosures incidents, but I’m not sure if it’s even true in the majority of cases.  Ego is probably true about many of the security researchers, while the control issue is more of a concern with the vendors and competition is true of both groups.  I consider this to be a neutral issue, because there are very few people on either side of the argument that can say they really aren’t guilty of these sins somewhere along the line.
3. We need the threat of full disclosure or vendors will ignore security:  This I agree with whole heartedly.  This is also why I can’t back any system where the vendor is the one who get’s to define ‘responsible disclosure’.  As long as the vendor get’s to be the one defining the terms, any disclosure that doesn’t meet with the vendor’s timelines is by definition going to be ‘irresponsible’, a setup that is almost as bad as no disclosure.

One more minor issue I have with the article is the use of security through obscurity:  while this works for a while, security through obscurity is the most brittle of all types of security.  All it takes is one hacker releasing his notes on your security vulnerability and what little security you had because of the lack of knowledge is gone.  I sure don’t want my bank relying on security through obscurity to protect my bank account.  Not that they’d get much right now, a couple of days before the end of the month.

Technorati Tags: security, Mckeay, Security through obscurity

I apologize in advance for the sound quality of tonight’s podcast.  I made a mistake somewhere in the sound levels and I don’t know how to fix it.  I promise I’ll do better next week when I’m at home. 

I had an opportunity to talk to Christofer Hoff, who is the Chief Strategy Officer for Crossbeam Systems and the blogger at Rational Security.  I wanted to know more about what UTM (Unified Threat Management) is and Chris is the guy to ask.  The interview is on the long side and would have been longer if I hadn’t had to pack. 

• Crossbeam Systems
• Rational Security (or Irrational, depending on your point of view)

I’ve gotten a lot of listener feedback lately and I want you to keep it coming.  Here are a couple of the links I promised in the show: 

• RSS Feed for the main site - I maintain an atom feed also
• Podcast only feed -  I’ll make an effort to make this more obvious when I do a site redesign (eventually)
• Andy, IT Guy - Ah, the perils of working in a small shop.  I remember like it was only last week.  And will be again next week. But for now I have some training.
• SANS Audit 507 - The aforementioned training

Network Security Podast, Episode 41, August 29, 2006

Time:  53:38

Tonight’s Music:  Flying Tom - Cheap Games

I had to travel via plane this week for training, and I’ll have to admit I was a bit of a chicken and didn’t pack anything I thought might even remotely questionable by airport security.  Other than the fact that I had two cell phones, a Nintendo DS, a Nokia 770 and my laptop that is.  But they didn’t seem to care about all the electronics since I took them all out before going through the X-ray. 

But apparently another security professional wasn’t so lucky and has several points to share with us:  Dave Piscitello had no problems getting his deoderant to his destination, but when his time came to travel back, he had two very different experiences in short order.  He shares with us several lessons he thinks the TSA is sorely in need of learning, the most basic of which is be consistant.  On the other hand, I guess if regular travellers can’t make heads or tails of what the heck the TSA agents are going to flag, neither can the bad guys.  Security through idiocy?

Technorati Tags: security, McKeay, airport, TSA

Ron Gula and Renaud Deraison are now blogging for Tenable about the company and Nessus.  One more thing to add to my blog roll.  I wonder if I’ve just missed this for a couple months or I saw it and forgot already.