Archive for September, 2006

Sep 22 2006

So, the PSW crew were right. Apple wireless is insecure

Published by under Hacking

Paul, Larry and Twitchy have been very vocal about their belief in the existence of an Apple wireless vulnerability.  They even did an incredibly funny video.  Now they’ve been proven right.  They’ll be insufferably smug until this whole thing dies away.


One response so far

Sep 22 2006

SSAATY: Selling up the Ladder

Published by under Podcast

I had the opportunity to talk to Alan Shimel, Mitchell Ashley, Mike Farnum, Mike Rothman and Bobby Dominguez Monday night about selling up the ladder.  How do you get your management to take security seriously?  I was the least experienced in selling up the line, but that didn’t stop me from voicing my opinion.  The discussion was valuable enough that I’ve downloaded it to my iRiver and will be listening to it again today.  Bobby and Mike Rothman bring so much experience to the conversation that I’ll probably listen to it at least twice to try and incorporate some of their ideas into my own work with management.

StillSecure, After All These Years, Podcast #15


No responses yet

Sep 22 2006

A couple quick links

Published by under Government

Stuff I want to complain about later today, if I have time.  It was worth sleeping in this morning, but it didn’t leave me any time to blog.


No responses yet

Sep 21 2006

Does your company have a blogging policy?

Published by under Blogging

Personally, I haven’t run into any companies that have a blogging (or podcasting) policy.  And I guess my experience isn’t too far out of line with what others are experiencing.  I’m sure this will start becoming more popular as more companies recognize the value and possibilities of blogging, but I’m afraid many businesses are going to overreact.  Already over half of the businesses that have policies ban blogging outright. 

My own policy is to blog whenever I have the time, but I don’t let it interfere with my job.  I’ve made it very clear to companies I’ve interviewed with in the past couple of years that I’m a blogger, it’s part of how I keep myself educated and I’m not willing to work at a company that won’t let me blog.  I’m not certain, but I think this cost me at least one job possibility last year.


One response so far

Sep 21 2006

List of Security Podcasts

Published by under Podcast

I found this listing of security podcasts yesterday while looking at my Technorati rankings.  I’d never heard of about half of these, and I’ve never had the chance to listen to half of the other half (making it about a quarter of them I’ve actually listened to).  There are a few of them that I’m not sure are even podcasting anymore (like LiveAmmo), but most of the sites are still being updated regularly.

Here’s a list of what I listen to regularly:  SecurityNOW!, PaulDotCom Security Weekly, Security Catalyst, CyberSpeak and StillSecure After All These Years.  I regularly talk to the hosts of three of the five podcasts,  which makes me think it’s time to broaden my horizons.

And I just realized, the list is missing one of my personal favorites, the Security Roundtable.  I realize I’m part of the project, but I love some of the conversations we have as part of doing this podcast. 


No responses yet

Sep 20 2006

Brilliant? I’m not going to argue

Published by under General

My Computerworld posting from last Friday, “Diebold says ‘They’re poor researchers’” got picked up by the Brad Blog and called ‘brilliant’.  I’d never make a claim like that myself, but I’m not going to argue with someone else who says it.  I said what I considered to be common sense. 

Thanks, Brad.  I know you can’t see me but I’m blushing. 


No responses yet

Sep 20 2006

Airport Security, the game

Published by under Government

Okay, I don’t usually play Shockwave games, but this one is worth looking at, if just to read the rules of the game.  You play the part of an airport security screener and your job is to search passengers’ luggage.  You can’t let the wrong things get through, you can’t take away things that aren’t contraband and you can’t let the line get too long.  My favorite part of the game (which I don’t have the time to even try) is the difficulty levels:  Fickle, Arbitrary and Knee-jerk!  Talk about a little bit of realism in your games.

Airport Security, the game


No responses yet

Sep 20 2006

Responding to Diebold’s response

Published by under Government

Professor Ed Felten has taken the time to respond to Diebold’s attack on the report he and his students wrote on Diebold’s e-voting systems.  Most of Diebold’s arguments are either false on the face of it or have nothing to do with the issues that were actually brought up in the report.

After talking to Matt Bishop, I’m more convinced than ever that we’re going about the evoting proposition all wrong.  We need to create the policies that govern evoting and derive our specifications from there.  Allowing companies like Diebold to create evoting machines then trying to mold the process to allow their machines to be used is just wrong.  And I want my specifications to include a human-readable paper trail.


One response so far

Sep 20 2006

Security assessment levels

Published by under Hacking

How do you know what level of security assessment your service provider is giving you?  Are they just taking signatures someone else gives them and applying them to everyone, are they tuning the system to your particular system or are they actually coming up with new exploits to test your systems?  Tate Hansen at ClearNet Security has a nice chart that shows exactly what the difference is between a basic, intermediate and advanced assessment.


No responses yet

Sep 20 2006

More fun for IE

Published by under Microsoft

Porn sites are targeting a new, unpatched IE flaw.  What a surprise.  As I understand it, that’s historically where a lot of 0-day attacks are seeded, since someone who’s going to one of these sites often lowers their shields to allow all the eye candy on the site to work.  And they’re less likely to get help cleaning their computer afterwards for obvious reasons.  I’m not against porn, everyone has to have a hobby, I just wouldn’t be using Internet Explorer to do that sort of surfing.  Or actually any sort of web surfing for that matter.


No responses yet
