Archive for February, 2007

Feb 23 2007

OpenID screencast

Published by under Privacy,Simple Security

Yesterday, Michael Santarcangelo, Dan York and I recorded the next episode of the Security Round Table podcast.  We chose OpenID as a topic several weeks ago, but given Microsoft and AOL’s recent support for OpenID, it’s a very timely topic.  I’ve been doing some follow-up on this and found a good screencast on how OpenID works and why you should be thinking about it on Simon Willison’s blog.

When I’ve gotten my other 995 tasks finished, I’ll set my URL as my OpenID server, but for now, it’s just on the List of Things to Do (LoTtD).


Feb 23 2007

Any listeners/readers in Denver?

Published by under Blogging,Podcast

Next week I’m traveling to Denver to visit StillSecure headquarters, since Monday will officially be my first day on the job.  I’m looking for some good, easily accessible pubs or restaurants to have dinner at and meet up with any local listeners while I’m there.  I like a good microbrew, though I’m a bit of a lightweight.  Heck, maybe we can even record Episode 63 or 64 of the podcast while I’m there.  I’ve kinda been itching to play with my new H4 Zoom, and this would be an excellent chance.

Leave me a comment, send me an email at nsp_at_mckeay_dot_net (I hate having to obfuscate the email, but my spam filters are already overloaded), or leave me a voice mail at 916-231-9479 if you’re in the area and would like to have dinner.  One of the things I’m really going to like about the new job is the opportunity to meet listeners and readers.  It makes posting and podcasting feel more like talking to friends rather than shouting into the void we call the Internet.


Feb 22 2007

No more default passwords

Published by under Simple Security

If you’re a vendor reading this blog, you need to think about this question:

Why can’t we start a campaign to get the vendors to
make a change so that the default password has to be
changed after the initial log in?

Andy asked this in a private mailing list, but it’s a damn good question.  I hope he’ll forgive me for asking it here without getting permission first.
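What Andy is asking for is a small piece of logic in the product’s login path, not a new feature.  The following is an added example written for this page, not code from any vendor or from the original post: a minimal account model where the factory default password works exactly once, and only to reach the change-password step.  The factory credential, the hashing parameters and the 12-character minimum are all hypothetical choices for the illustration.

```python
"""Added example (not from the original post): a login flow that forces
the vendor default password to be replaced before any normal session.
The factory credential, user model and policy limits are hypothetical."""
import hashlib
import hmac
import os

# Hypothetical factory default shipped with every unit of a device.
FACTORY_DEFAULT_PASSWORD = "admin"
MIN_PASSWORD_LENGTH = 12


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, username: str, password: str, must_change: bool):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        # Stays True until the default has been replaced; no normal login until then.
        self.must_change = must_change

    def check(self, password: str) -> bool:
        # Constant-time comparison so a wrong guess does not leak by timing.
        return hmac.compare_digest(self.pw_hash, _hash(password, self.salt))


def factory_account() -> Account:
    """The account as it leaves the factory: default password, change required."""
    return Account("admin", FACTORY_DEFAULT_PASSWORD, must_change=True)


def login(acct: Account, password: str) -> str:
    """Return 'denied', 'change-required' or 'ok'.

    'change-required' is deliberately not a session: the only thing the
    caller may do with it is present the change-password form."""
    if not acct.check(password):
        return "denied"
    if acct.must_change:
        return "change-required"
    return "ok"


def change_password(acct: Account, old: str, new: str) -> bool:
    """Replace the password; refuse the factory default, a repeat of the
    current password, and anything under the minimum length."""
    if not acct.check(old):
        return False
    if new == FACTORY_DEFAULT_PASSWORD or acct.check(new):
        return False
    if len(new) < MIN_PASSWORD_LENGTH:
        return False
    acct.salt = os.urandom(16)          # fresh salt with every change
    acct.pw_hash = _hash(new, acct.salt)
    acct.must_change = False
    return True
```

The important property is that `login()` never returns `"ok"` while `must_change` is set, so a device that is racked and forgotten keeps refusing normal sessions until somebody picks a real password, and `change_password()` refuses to let that real password be the default again.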


Feb 22 2007

My Media Consumption Diet

Published by under Blogging

Jeremiah wants to start a meme about how different people consume information on a daily basis.  I’m on my computer just moments after I get my first cup of coffee in the morning and it’s usually one of the last things I do before I crawl into bed for the night.  I’m never far away from one of the computers in the house, and now I have a phone that’s capable of surfing the ‘Net at a reasonable speed.

My Media Consumption Diet, from most to least used

Web:  Like Jeremiah, I get the vast majority of my news from my feeds.  I’ve used Bloglines for quite a while now and I have accumulated nearly 170 feeds.  I’ve been through the feeds once and eliminated 50% of them, but they’ve built back up to their current level.  My feeds are obviously dominated by security related sites, but I have a few other interesting sites like BoingBoing and guilty pleasures like Wil Wheaton dot Net: In Exile.  There’s also a hokey web page I created a long time ago to track the online cartoons I like at http://www.mckeay.net/comics/.

Music, Podcasts:  This one’s easy; I listen to RadioParadise, day in, day out.  On occasion, like when the site is down or I just need a change of pace, I’ll listen to one of the many choices at SomaFM.  I have used Pandora, but it ends up being too much of a memory hog to listen to long term.  I used to listen to nearly 20 different podcasts, but I had to give those up just before Christmas.  I’m picking up the better ones again, but I’m only listening to a few regularly.

Communication:  Here’s one of the places Jeremiah and I differ significantly; we both spend a lot of time daily on email, but while he shuns IM, I usually have multiple IM clients running, with half a dozen different IM services, including Yahoo, Google, AIM, Skype and SILC.  SILC is an encrypted IM client that I use to communicate with a group of other security professionals, hosted at the Security Catalyst site.  I frequently have 2-3 different IM conversations going at the same time.

Television:  Cartoon Network on Saturday night (lots of anime), Heroes, Mythbusters and Dirty Jobs.  What else matters?  I almost never watch live TV, since TiVo lets me skip the boring parts.  I frequently go several days without watching TV at all.

Books: I’m a voracious reader, or at least I was before kids.  My wife and I have over 3000 books around the house in a dozen or so shelves and in storage.  I have one floor to ceiling book shelf that’s almost entirely dominated by security books.  I’ve even read some of them front to back, rather than just using them as reference material. 

Magazines:  I only subscribe to one magazine, Make:.  I have 3-4 monthly security magazines that I get for free, but in the last year I’ve even stopped resubscribing to those.

Movies, Newspapers:  What are those?  I’m lucky if I get to see one movie a quarter and I haven’t subscribed to a paper in over 15 years.  We subscribe to Netflix and used to go through at least a dozen movies a month, but that changed several months ago; we just got to be too busy to watch movies.

There you have it, my media consumption diet.  I suspect this is going to be changing in the near future, since I’ll be traveling a lot more.  I wonder if I can convince my wife to let me buy a Slingbox?

Who’s the next victim of this meme?  I’m not going to call anyone out, but I am interested in seeing what Robert Scoble and Chris Pirillo have to say.


Feb 22 2007

“What you going to be doing for them?”

Published by under Blogging

So Yuri says “Congrats on your new job @ StillSecure – so what ya going to be doing for them?”

My initial answer was going to be, “Listen to Episode 62 of the podcast,” but that’s a bit of a cop out.  My official title at StillSecure will be Product Evangelist and I will be reporting directly to SS’s CTO, Mitchell Ashley.  I can’t tell you everything about what I’m going to be doing, in large part because a lot of what I’ll be doing is still evolving.  Like nearly every position I’ve ever had, there’s the job as it was put down on paper for HR, and there’s the real job you end up doing day to day.  Sometimes they’re similar; other times, they bear no relationship whatsoever to each other.

I can’t tell you much about the product I’ll be supporting yet, it’s still in Alpha.  But if you want some clues about what StillSecure has in mind, read Mitchell’s whitepaper, Unified Network Platform.  I talked to Mitchell extensively about this before I took the position and I firmly believe that he’s on to something here. If you want to know more about it after you’ve read the paper and want to be involved in some alpha and beta testing, drop me a line and I’ll point you in the right direction.  It’s super, ultra, top secret.  Or not, since I’m hinting at it here on the blog.

My job as a Product Evangelist will be part marketing, part technical support, part development and part ear to the ground.  I’m going to be the one responsible for building a community around the new product and listening to the feedback that comes from the users to make our product better (still getting used to saying ‘our’ and not ‘their’).  I’ll be traveling a lot, going to the major shows to man the booth and answer questions, but I’ll also have the freedom to go to smaller events where I’ll just talk to people and find out what they think.  I’ll also be hosting meetups in the various cities I go to, so keep an eye out for when I’ll be near you.

One important distinction that was made early in this process is that though StillSecure is paying for my time, they have not purchased my blog, my podcast or my opinions.   I will blog about StillSecure here from time to time, but I’ll have the SS site to post about them on.  THIS IS MY SITE AND WILL REMAIN SO.  These are my opinions, and they’re not for sale.

I’m looking forward to working with Mitchell and Alan.  This is exactly the position I had in mind when I blogged about it last September.  A big thanks to all the people who told me I would get what I wanted, especially Jeremiah Owyang, one of my best supporters.  And thanks to Mitchell for offering me an opportunity I can’t let pass me by.


Feb 22 2007

Why do the airlines need my SSN and DLN

Published by under Government

I am going to be traveling a lot in the near future, so I’ve been trying to avoid discussing the TSA and their insanity lately.  No need to annoy ‘the Man’ before gearing up to fly.  But Cutaway caught a comment on Christopher Soghoian’s web site that really scares me; according to an anonymous commenter, airline employees have access to names, SSNs, driver’s license numbers and just about everything else needed to really perform some nasty identity theft.  What the heck (or stronger term, if you prefer) do the airlines need to have this information for, and who inside the airlines has access to this information?

If the commenter is right, thousands of people inside the airlines have access to this information.  I already feel nervous about the TSA having this sort of list at their fingertips, but at least this is considered to be part of their area of responsibility, and they hopefully have all the safeguards in place to make sure my personal data is safe and secure.  But when this database is opened to the airlines, I get nervous.  It’s not the job of the airlines to provide security at the airport, so what legitimate use could they have for the information?  I don’t want the person who’s checking in my luggage at the front counter to also be the person responsible for screening against terrorists; that’s what the TSA is supposed to do!

I’m not looking forward to learning the intimate details of the security theater that is our airport and airlines system. But it’ll definitely give me something to blog about. 


Feb 21 2007

Sad to say goodbye to Astaro as a sponsor

Published by under Podcast

I’m sorry to have to say that the Astaro Corporation will no longer be a sponsor for the podcast.  However, it’s totally understandable, since I’m going to be working for a competitor of theirs and it would be a conflict of interest for me to continue to accept their sponsorship while working at StillSecure.  I’m looking for a new sponsor, if there’s anyone out there who’s in the security arena but not a competitor of StillSecure’s.   Of course, finding anyone who doesn’t have a product they’re labeling as a “NAC Solution” in the security sphere is a little difficult right now.  StillSecure won’t be sponsoring the podcast, since Mitchell and I agree that it’s important for me to have a venue to articulate my thoughts outside of the company.

Thanks very much to Astaro for being a sponsor for the last 4-5 months.  They haven’t asked for their schwag back, so I’ll continue to give that out, and I’ll be adding some StillSecure schwag to the collection over the next couple of weeks.  Their contribution has helped me improve the hardware I use to record the podcast, which will make a lasting change on the sound quality.  Unless I continue to make mistakes like I did last night, that is.


Feb 20 2007

Network Security Podcast, Episode 62

Published by under Podcast

#&*@^&!$#!

I accidentally recorded tonight’s show at 8kbps instead of my normal 44.1 kbps.  If I didn’t have family in town I might have tried recording it over, but I do, so I didn’t.  Hopefully next week’s show will be back up to my normal editing standards.  I know what I did wrong, but it was too late to fix it.  The worst thing is, it didn’t even result in a smaller file size, since I upsampled the audio to equal the music.  I’m modifying the ID3 tags a little at the request of a listener, to put the information where it probably should have been from the beginning.

Tonight’s show is different than most of the podcasts I’ve done in the past; it’s about me.  I’ve had some major changes in my life over the last few weeks and talk about that in tonight’s podcast.  You’ll have to listen to the podcast if you want to know the details, but let’s just say I’m really happy to finally have a security job where I not only feel safe talking about my company, it’s a requirement of the job.

There are going to be some unavoidable adjustments to the blogging and podcasting schedule over the next few weeks, but I plan on keeping them minimal.  I’m going to be traveling a lot, which may disrupt the podcast schedule, despite any plans I may have.  I’ve got a MotoQ, so the connection to the internet will be there; it’s just the time I may not have in the near future.

Network Security Podcast, Episode 62, February 20, 2007

Time: 33:58

Sponsored by: Astaro Internet Security


Feb 19 2007

Michael’s kicking a sleeping dog

Published by under Simple Security

Okay, the blog post is great, but it’s the image that I really like.  Michael Farnum really wants to get Mike Rothman‘s attention, which is usually fun, but not always a good idea.  Rothman’s probably not really asleep, just dozing at his desk.

Michael has some good points, but from recent experience, I can tell you that sometimes you really do need to have someone come in and do a good review of your network/enterprise.  It’s not necessarily that you don’t know what you have going on in your network, but sometimes you haven’t been able to communicate your needs to management.  Mike Rothman would probably tell me that I wasn’t doing my job of delivering the message, but there really are times when you’re talking and no one’s listening.  An external assessment that costs $30,000 can have the necessary authority to open the minds that the local security personnel just can’t access.

There’s no one right answer for whether or not you need an external assessment of your work.  Personally, I’m one of those people who likes to get feedback and have a second pair of eyes review my work.  Depending on the day of the week, that’s either because I feel confident enough in my own work and want to have it validated, or because I feel insecure and want someone else to make sure I didn’t miss something.

No matter what, a good security assessment should teach you things you didn’t already know.  Once your network’s gotten beyond 10 or 20 computers, you can’t know everything about your network, unless you’re superhuman.  I value having that extra set of eyes looking over the systems to remind me of what I’ve forgotten and hopefully turn up some of the things I never noticed in the first place.

On the other hand, a bad security assessment is never worth it, even if it’s free.  A bad assessment is one where you don’t learn anything new.


Feb 19 2007

Free tickets to Black Hat DC

Published by under Security Advisories

Well, I can’t go, but if you’re on the East Coast and would like to go to Black Hat DC, the guys over at Help Net Security have some tickets to give away.  I wish I could make it out there, but I’ll be starting my new job right about then.  On the other hand, I’m almost certain to be at Black Hat in Vegas later this year.  In fact, I hope to be at most of the major security events coming up and a few of the minor ones.  I’ll let you know where I’m going to be in the future, and maybe I’ll buy the first round of drinks.

