Jun 18 2007
As most security professionals know, passwords are a losing proposition. We use them because the capability comes with your operating system, but their weaknesses are many. Here, Dana Epp talks about the capabilities of token-based authentication, as well as some of the weaknesses. He hopes that some day in the not-too-distant future we will control our own digital identity rather than having a different identity with each and every merchant or server.
When I heard that Dana was going to be at Linuxfest Northwest in May, I wasn’t going to miss a chance to talk to him. Dana was one of the first security professionals to start blogging, and he’s been a personal inspiration for my own blogging. I caught up with him after he gave a talk on strong authentication, and just before he headed into another talk on OpenID.
And if you haven’t already taken the Podtech survey for me, I’d really appreciate you taking a few minutes to do so now.
Jun 18 2007
My wife and children are currently somewhere in the greater Northwest; Idaho, I think. They’re with my in-laws, participating in a three-week road trip that I couldn’t attend because I have to work. I have to tell you I was heartbroken to not have that quality time with the whole family. Okay, maybe not.
The kids called and sang their own song, “Happy Father’s Day”, a very thinly veiled version of “Happy Birthday”. We talked for a few minutes and then they got back on the road for their ultimate destination, Minnesota. I, on the other hand, was able to fire up the computer and play games for several hours uninterrupted. I love the family, but having the time for something as mindless and stress-free as arresting supervillains for an afternoon was probably the best present they could have given me.
I miss my wife and children, and I hope they miss me too, but it’s nice to take a break once in a while. Especially considering the kids just started their summer vacation and were already wrecking the house. Last year we flew to New Mexico and drove through half a dozen states and over a dozen national parks. Next year’s summer vacation may be a trip up to Canada, if all goes well. And yes, I’ll be going too. Maybe we’ll drop the kids off at the grandparents on the way up.
Jun 15 2007
The EFF has gotten a judge to order the FBI to reveal the contents of National Security Letters after it was revealed that there was serious evidence of abuse of these letters by the FBI. The FBI is being ordered to release 2500 pages worth of these pages and another 2500 pages worth every 30 days. That’s a lot of information to process, both in creating the pages and in digesting them when the EFF gets them.
I expect to see this appealed almost immediately, if it hasn’t been already. If an appeal doesn’t work, I expect the White House to step in and either simply refuse to disclose the information or claim some form of Executive Privilege. Either way, I don’t think we’ll really be seeing this information any time soon.
Isn’t it great to live in a country where your central law enforcement agency can force anyone who has records on you to provide that information without ever telling you? Not only that, if someone, say your ISP, does disclose that you were investigated, they can be imprisoned for it. I’m such a biiig fan of the Patriot Act.
And yes, I’ve slipped into my role as Captain Privacy again. Luckily my super suit is jeans and a t-shirt, not tights and a cape. Even I shudder at the thought of me in tights.
Jun 13 2007
David Whitelegg may have started something when he wrote up how he got into a career in security, if the posting over at elamb.com is any indication. I challenge other security professionals out there to talk about how they got their start in security. Michael, Cutaway, Andy, Santa, you listening? And if you’ve already written your background, point us to it again.
There’s a related thread in the Security Catalyst Community forums, “The Absolute first step”. I put my own two cents’ worth on the topic, but I’d like to see some more ideas about what the first step in a security career should be. I think it’s developing the right attitude (paranoia), but maybe someone has a better idea. I’ll be interested in seeing how people’s ideas of a first step line up with the way they really got into security.
Edit: Cutaway just reminded me that there’d recently been a thread on this subject, named appropriately “How did you get your start?”. I even posted in the thread and still managed to forget about it.
Jun 13 2007
One of the questions I get from time to time is how I got into security. People are curious about me personally, but I think the real reason they ask is because they want to know so they can start pursuing their own security career. I’m more than willing to help anyone get started on a security career, but the reality of it is, everyone I’ve met so far has had to find their own way in and what their passion in the security sphere is.
David Whitelegg has written up his own path to a career in security, and just as importantly, why he’s decided to blog about security. I like the fact that David considers himself an ‘average Joe’ as a security practitioner, since that’s almost exactly how I feel about myself. Yeah, I have a couple areas I’m an expert in, but overall, there are a lot of people out there who know more than I do, and there always will be. I think one of the biggest realizations security experts have to come to is that no matter how smart you are, you can’t know it all.