Network Security Blog

Here’s the lowdown in the 5 minutes I have between events down here at the Portable Media Expo:  I’ve hooked up with Micheal Santarcangelo and Dan Kuykendall from the Security Roundtable for a few hours, I’ve managed to meet Randal Schwartz, and I’ve had a short spot on the Slice of SciFi podcast (Dan was invited, I tagged along and dragged Micheal with us).  I’ve met so many podcaster’s that I’ve only heard before, like almost all of the members of Friends in Tech.  And I lost $20 in the Podcast Pickle poker party in less than an hour last night.  At least I wasn’t the first one out at our table.  Now I’m off to the Podcast Awards. I’ve got a stack of cards about 3″ thick to go through over the next week or two when  I get back. 

Now back to your regularly scheduled paranoia.

Ed Felten is presenting to the House Administration Commmittee today and has posted a written copy of the testemony on his site.  The thing I find most amazing about Diebold is that they’ve been leveling the same accusations against Professor Felten and his students that they did against Avi Rubin and his students several years ago.  And they’re the same specious arguments, with no validity.

Quit attacking the messenger and listen to the message, Diebold.

I’m off to the Portable Media Expo in an hour or two, but I wanted to get a quick group of links that caught my attention.

• Security Ripcord’s feedback on the Security Roundtable - I’m still digesting what Cutaway has to say
• Your guide to Citizen Journalism - Not security related, but definitely blog related.
• HP Execs were warned about their spying - Why did they need someone to tell them that this was a bad idea?
• Antagonizing the TSA isn’t a good idea — But you don’t give up your right to freedom of speech just because you’re in an airport

Fellow Computerworld blogger Eric Ogren has an excellent article evalutating the current (version 1.1) Payment Card Industry (PCI) requirements.  He not only lists what he thinks of the current requirements, he also has several good suggestions for improving PCI in the future. 

Tooting my own horn a little, he missed one resource for discussing PCI best practices, the PCI_Standards Yahoo group.  It’s a very low traffic group I started about 6 months ago, but we now have over 100 members and when a question is asked there, it usually get’s a well thought out response very quickly.  If you are involved in the implementation of the PCI requirements, stop by and ask a few questions.

Technorati Tags: security, mckeay, PCI

I kept it short tonight, since I’m off to Southern California in preparation for the Portable Media Expo this weekend.  I’m going down a couple days early to visit family, which means I have to leave the house before 5:00 am to avoid the worst of the traffic.  I’ve been varying the length of the podcast a lot lately, short when it’s just me, longer when I have a guest, and occasionally much longer when they have something exceptional to say.  If the variable length bothers you, speak up and let me know.  If the variable length is fine with you, speak up and let me know. 

Astaro Security Gateway - Not only my sponsor, but one of the subjects of tonight’s podcast.  I’m looking for feedback from anyone who’s tried their product
Brave New Ballot - Avi Rubin’s book on dangers of electronic voting machines, especially Diebold
PCI Security Standards Council - Brought to you tonight by Appendix B

Network Security Podcast, Episode 45, September 26, 2006

Time:  18:24

Tonight’s music: Heroes by Jack in the Pulpit

Thanks again to my sponsor Astaro Corporation. Visit their site and sign up to receive your free demo Astaro Security Gateway

According to F-Secure the real patch is out for the VML vulnerability in Internet Exploder … er Explorer is now available.  I have to give Microsoft some credit for releasing a patch out of the normal cycle.  I wonder if they would have released it if it wasn’t for the ZERT third-party patch?

Technorati Tags: security, mckeay, internet explorere

One of the problems with setting up your network with scavaged/old equipment is that occasionally it goes out for a little while.  I’ve been having a lot of problems with one of my hubs (yes, hub) in the DMZ of my network just locking up every once in a while.  A quick power cycle and it’s good to go again, but I’m not always there to deal with it.  Maybe that’ll be one of my ‘capital expenditures’ from the household budget next month.

I no longer feel so special about having Bruce Schneier on the podcast.  He’s a self-professed media slut.

Actually, interviewing Bruce was a lot of fun and I hope I can have him on the show again when I’ve gotten a lot better at interviews.  He’s worth interviewing again in six months.

Over at Securosis there’s a long article explaining to non-geeks what Digital Rights Management is really all about.  He goes about it the long way, but in the end he comes down to the real reason companies are pushing so hard for DRM:  they want to control how we experience content.  The content companies are trying to erode the concept of fair use because they want us to buy new copies of the content for each piece of equipment, each place we consume the content and eventually ever single time we consume the content.  I couldn’t find the quote, but at least one of the music execs eventually wants each and every use of a song to be a new revenue stream for the company. 

Windows Media Player 11 is a great example of how DRM is being used to limit our rights.  Backing up your media, not allowed.  Moving it to a different computer, verbotten.  Importing your content to a non-Windows player?  Yeah, right.  The worst violation of the new DRM contracts is that the companies, Apple and Amazon, as well as Microsoft, is that the companies retain the right to change the contract without any notice or recourse from the users.  How many contracts have you ever entered into that can be changed on the fly without notification or recourse?  I can only imagine that the insurance industry is drooling at the thought:  “We hearby revoke the hurricane clause for all homes in the New Orleans are for 14 days”.  Oh, wait, they do some of that already.

I blog a lot about privacy, which I’m sure a lot of you know.  And sometimes I’m a little critical of the government.  I’ve been wondering for a while if any of my activities have been bringing me to the attention of anyone in the federal government, and if so what they might be collecting about me.  Now, thanks to the Security Monkey, I might be able to find out.  But the chance is apparently pretty slim if they’re actively watching you now.  If I get anything back, I’ll share anything that I don’t find too embarassing with you.