Archive for August, 2006

Aug 31 2006

How to approach bloggers about products

Published by under Uncategorized

I find this article by Dave Taylor very interesting right now. Offering a blogger a product in the hope that he or she will review it is definitely on the rise, as is the sponsorship of blogs and podcasts. What do you think? Is it okay as long as the blogger or podcaster discloses the fact that they received the product from the company? Or do you think bloggers should turn down this sort of offer? I think it’s okay as long as you disclose it, but I want to know what you think.

Speaking of which, I’m really enjoying playing with the Nokia 770 I was lent at Linuxworld by Nokia. I still have some problems with stability and I wish I could run Kismet and a couple of other wireless tools on it, but for light Internet surfing and listening to online radio stations it’s pretty good. I don’t think I’d spend the ~$360 one costs for the privilege though. Given that the laptop I just purchased only cost $1000 including tax and has more than ten times the processing power, I think the laptop is a much more reasonable purchase. Now if a successful port of Kismet is done and the tools to integrate it with a Bluetooth GPS become available, I might persuade my company to buy one.


3 responses so far

Aug 31 2006

You never know what you might find doing a vanity search

Published by under Blogging

I thought this was funny. I’ve been with Sonic.net, a local service provider and the largest independently owned ISP, for quite some time now. And before I started blogging I created a couple of sites on their servers, one for my security links, one for my family site. Neither has been updated in about four and a half years, but Sonic has diligently kept them up and running. You can start off by looking at a Flash animation I did one afternoon with some shareware product that I used the one time and then never fired up again at http://www.sonic.net/~mmckeay, then you can take a look at pictures from my graduation from college on the Family side of the site, and some of the security sites I thought were important then on the Security side of the site. I’m surprised how few of the sites on this list I still visit.

I’ve said it before, and I’ll say it again: it’s a good thing I’m a security expert, because I’d starve if I were trying to be a web designer.


No responses yet

Aug 31 2006

Audit, then audit again

Published by under General

I can’t agree more with today’s SANS Handler’s Diary.  Maybe it’s because I’m in an auditing class right now (and a SANS course at that), but I think it’s more because I’ve begun to realize how important auditing is.  People usually care about their jobs, but they’re less interested in doing the job right than they are about just getting the job done.  And that leads to mistakes and shortcuts that are just aimed at getting things done.  Which is why we need audits.  Internal audits are a great starting point, but familiarity breeds a willingness to overlook mistakes.  Or just being too close to the problem.  Which is why the external audit is so important.

A corollary of being too close to the issue, and part of why we need external auditors, is that an internal auditor can often be dismissed as being reactionary or overly alarmist, whereas an external auditor is an expert in their field whose opinions often carry more weight in the board room. The external auditor will sometimes find the exact same issues that the internal auditor found, but be able to talk from a position of authority and express the issues in a way that makes management listen a lot more closely. After all, which of these is your senior management going to give more authority to: “Joe from IT says …” or “Mr. Van Nuys (who we just paid $50,000 to audit us) says …”?

Why is it that paying someone to say something gives it the ring of truth?


One response so far

Aug 31 2006

(In)Secure Issue 1.8 is out

Published by under General,PCI

If you haven’t checked out (In)Secure Magazine before, this would be a good time.  Even though Mirko didn’t ask me to contribute this time, there are still a lot of good articles in the magazine; I am going to read the PCI related articles and then pass them on to my co-workers.


One response so far

Aug 31 2006

It’s about personal responsibility

Published by under Simple Security

Fellow Security Roundtable’r Michael Santarcangelo has a rant about why security breaches aren’t about technology or legislation, they’re about taking responsibility for your own security. I can’t agree more. Michael is developing what he calls Security 2.0, a way of looking at security issues and helping the end users take responsibility for their own security, something I’ll be involved in as well.


No responses yet

Aug 30 2006

Picture of the Black Pearl

Published by under General


The Black Pearl is docked a couple hundred feet from the front of my hotel.  Unluckily all I have with me is the cell phone camera.  That’ll learn me to keep a camera handy.


One response so far

Aug 30 2006

Not so secret disclosure secrets

Published by under Simple Security

Over at the securosis.com site there’s a pretty good article titled “The 3 dirty little secrets of disclosure no one wants to talk about”. Except some of us really do want to talk about it! The post lists three problems with the whole idea of disclosure:

  1. Full disclosure helps the bad guys: I agree, but I think it also helps the good guys. I’m willing to concede that it probably helps the bad guys more, which is why I’m also willing to concede that full disclosure is not the way to go by default.
  2. It’s about ego, control and competition: I’m not sure I can agree with this point. There are elements of all three of these in many disclosure incidents, but I’m not sure if it’s even true in the majority of cases. Ego is probably true of many of the security researchers, while the control issue is more of a concern with the vendors, and competition is true of both groups. I consider this to be a neutral issue, because there are very few people on either side of the argument who can say they really aren’t guilty of these sins somewhere along the line.
  3. We need the threat of full disclosure or vendors will ignore security: This I agree with wholeheartedly. This is also why I can’t back any system where the vendor is the one who gets to define ‘responsible disclosure’. As long as the vendor gets to be the one defining the terms, any disclosure that doesn’t meet the vendor’s timelines is by definition going to be ‘irresponsible’, a setup that is almost as bad as no disclosure.

One more minor issue I have with the article is the use of security through obscurity:  while this works for a while, security through obscurity is the most brittle of all types of security.  All it takes is one hacker releasing his notes on your security vulnerability and what little security you had because of the lack of knowledge is gone.  I sure don’t want my bank relying on security through obscurity to protect my bank account.  Not that they’d get much right now, a couple of days before the end of the month.


No responses yet

Aug 29 2006

Network Security Podcast, Episode 41

Published by under Podcast

I apologize in advance for the sound quality of tonight’s podcast.  I made a mistake somewhere in the sound levels and I don’t know how to fix it.  I promise I’ll do better next week when I’m at home. 

I had an opportunity to talk to Christofer Hoff, who is the Chief Strategy Officer for Crossbeam Systems and the blogger at Rational Security.  I wanted to know more about what UTM (Unified Threat Management) is and Chris is the guy to ask.  The interview is on the long side and would have been longer if I hadn’t had to pack. 

I’ve gotten a lot of listener feedback lately and I want you to keep it coming.  Here are a couple of the links I promised in the show: 

Network Security Podcast, Episode 41, August 29, 2006

Time:  53:38

Tonight’s Music:  Flying Tom – Cheap Games


2 responses so far

Aug 29 2006

TSA has to learn to be consistent

Published by under Simple Security

I had to travel via plane this week for training, and I’ll have to admit I was a bit of a chicken and didn’t pack anything I thought might be even remotely questionable to airport security. Other than the fact that I had two cell phones, a Nintendo DS, a Nokia 770 and my laptop, that is. But they didn’t seem to care about all the electronics, since I took them all out before going through the X-ray.

But apparently another security professional wasn’t so lucky and has several points to share with us: Dave Piscitello had no problems getting his deodorant to his destination, but when his time came to travel back, he had two very different experiences in short order. He shares with us several lessons he thinks the TSA is sorely in need of learning, the most basic of which is to be consistent. On the other hand, I guess if regular travellers can’t make heads or tails of what the heck the TSA agents are going to flag, neither can the bad guys. Security through idiocy?


One response so far

Aug 29 2006

Why didn’t anyone tell me Tenable had a blog?

Published by under Blogging

Ron Gula and Renaud Deraison are now blogging for Tenable about the company and Nessus. One more thing to add to my blogroll. I wonder if I’ve just missed this for a couple of months or I saw it and forgot already.


2 responses so far
