Archive for August, 2008

Aug 19 2008

5 years of blogging

Published by Martin under General

Someone asked me about blogging today and I realized I missed my own 5 year anniversary. Not my wedding anniversary, that’s next week, but the fifth anniversary of the day I wrote my first blog post, “Here goes nothing”. I’d had a site about security for quite a while before that, but it was all manually coded HTML; it was ugly and, quite frankly, nearly impossible to update in anything resembling a timely manner. Then I found Movable Type, fought with it for about a week to get it installed, suffered the ridicule of my co-workers and started writing. Or maybe it was started writing and then suffered the ridicule; someone ask Ron Kehoe. Either way, it was definitely the start of a long and interesting journey.

The journey has definitely been worth it. I can say, without conceit, that I am one of the top security bloggers. Don’t believe me? Type “security blog” into Google and see for yourself. In the same vein, if you enter “security podcast”, the Network Security Podcast is the first entry you’ll see. I guess I should beware of hubris, since Google is a fickle mistress and that could change in a moment. I’ve been told the name of the blog was a brilliant stroke of SEO, but then I had to have search engine optimization explained to me, since I’d never heard the term before.

But blogging and writing was never about where I sit in the search results. It’s always been about learning for me. I had ideas when I started blogging, and even then I knew some were good, some were bad. I wanted to throw some of my ideas against the digital wall and see what would stick and what would stink. I’ve had a lot of ideas that people have agreed with, more that people have let flow by without comment and a few that have caused people to tell me that I’m an idiot at best. And some days I agree with them.

There are three things about blogging that I’m thankful for. The first, and least important, is what it’s done for my writing skills. I never was a bad writer, but just writing on a daily basis has helped my writing immensely. I’m still an informal writer and never will be asked to write a book or anything, but five years of writing on a nearly daily basis has enabled me to at least express my thoughts in a way that most people can understand. I was good enough that Computerworld invited me to blog for them for a year, which would probably still be going on if other factors in my life hadn’t intervened. I like writing, and blogging gives me a chance to do it on a regular basis.

The second thing I’m thankful for is some of the opportunities that blogging has opened for me. I already mentioned Computerworld, but there have been a lot of other doors that opened simply because I put myself out there with the blog. I never would have had an opportunity to work with Alan and Mitchell if Alan hadn’t contacted me after a particularly interesting blog post (I wish I could remember which one). I’ve been to RSA, Defcon, Black Hat, Shmoocon, IANS and more because I got press passes or people wanted me to see what they’re offering. I got a chance to do some video blogging for Podtech, which quite frankly was a heck of a lot more work than I ever thought it could be. A couple of years ago Symantec even flew me down to SoCal for a day trip to their headquarters, which just happens to be a couple of blocks from the Playboy office. It’s amazing what you find when you wander around in SoCal. And let’s not forget the annual RSA Security Bloggers Meetup, which I somehow ended up helping host!

But the most important thing about blogging is some of the friends I’ve made along the way. First off is my co-host, Rich Mogull. Without Rich there to keep me in the game, the podcast probably would have died a year ago, even if the blog continued. It’s hard to do a weekly podcast, and the value of having someone to take part of the load, to bounce ideas off of and to bring a little energy when you’re tired can’t be overstated. With Rich’s help I hope to be blogging and podcasting for years more to come, and maybe one day we can have a cage match with Leo and Steve for a show on NPR. I’d bet on us; Leo’s getting old and Steve would probably get distracted by something bright and shiny mid-fight.

I’ve made more friends than I can list thanks to blogging, but I’m going to try anyways: Michael Farnum, Cutaway, Chris Hoff, Mike and Melina Murray, Jennifer Leggio, Jeremiah Owyang, David Mortman, Mike Rothman, Michael Santarcangelo, Rob Fuller, Alan Shimel, Mitchell Ashley, Michael Henry, Ryan Russell, Adam O’Donnell, Jack Daniel, Andy Willingham, Lori and Don MacVittie, Dan Kuykendall, Robyn Tippins, Paul Asadoorian, Larry Pesce, Ron Gula, Brian Krebs, Jennifer Jabbusch and Michael Dahn, just to name a few. I’ve probably missed as many as I’ve included and I apologize to those I left out; it’s been a long week and it’s only Tuesday. But I never would have met most of these people if it wasn’t for the blogging. I put myself out there for the world to see and these are some of the people who’ve responded with friendship. I actually get a little choked up thinking about it. Seriously.

Blogging has helped me grow as a security professional and as a person. I’ve put my ideas out there and people have responded. I’ve been able to use that feedback to learn and grow. People have recognized the willingness to communicate and opened doors that I never even knew existed before. And I’ve made such a wide ranging, supportive group of friends that I know I never could have made without the blogging. I’m truly thankful, if not exactly humbled.

I’m looking forward to blogging for the foreseeable future. It feels like I blinked and five years have gone by. I hope I’m still blogging in another five years, but who knows what the future will bring. If it’s anything like the last five years, I can’t imagine where I’ll end up, but it’ll definitely be an amazing journey. And I’ll learn a lot along the way.


No responses yet

Aug 19 2008

Network Security Podcast, Episode 116

Published by Martin under Podcast

I was on the road today and let Rich handle this week’s podcast, a decision I may regret if it earns us an ‘explicit’ tag in iTunes! Rich has posted our twelfth and final interview from the Black Hat/Defcon adventure, and appropriately this is an interview with Rich and everyone else from the panel he was on. There was drinking (and Larry) involved, so some of the language might be a bit more than we usually use on the podcast. It was a ton of fun and I might just be recovered by this time next year.

Show Notes

Network Security Podcast, Episode 116

Standard Podcast [24:17m]

No responses yet

Aug 18 2008

Does the judge understand the First Amendment?

Published by Martin under Government, Hacking

It’s anecdotal, but the judge in the MBTA case was apparently told that by stifling the research done by the MIT students he was violating their First Amendment rights, to which he responded, “I’m going to let my ruling stand anyway.” The latest thrust in this fiasco is that the MBTA lawyers were trying to get everything associated with the research, hardware, software etc., which the MIT guys are failing to comply with.

My thought is that the MBTA lawyers are less interested in further information on the hack and more interested in any clues they can find to nail the students and accuse them of actually getting free rides for themselves or their friends. What better way to teach these kids to never embarrass the MBTA again?


No responses yet

Aug 18 2008

Summary of PCI-DSS 1.2 changes available

Published by Martin under PCI

It’s not comprehensive, but the PCI Standards Council has published a summary of the changes you should be expecting in version 1.2 of the PCI standards. A couple of the big changes I noticed at first read through:

  • WEP encryption will no longer be acceptable on new implementations as of March 31, 2009 and not acceptable anywhere as of June 30, 2010.
  • Every OS must have AV (or a compensating controls worksheet to explain why you don’t have it)
  • Patching will be risk based rather than within 30 days
  • Plenty of other clarifications and updates.

According to this document, the full release is due October 1, 2008. The summary is only a few pages long and worth taking the 10 minutes to read.


3 responses so far

Aug 18 2008

Cyberwarfare: “…it’s a war being fought with paintballs, not with live rounds.”

Published by Martin under General

Let’s face it: we don’t have the tools available to tell us what’s really been happening in the ‘cyberwar’ between Russia and Georgia. The information coming out on the story has been little more than rumor and accusations, with little or no real data available to make a clear call. And, after writing up a lot of innuendo, most reporters have come to the same conclusion.

We don’t have a clear definition of the term cyberwar. Even calling it a war is misleading in and of itself. Unless the power grid is being attacked, causing potential threats to people’s lives, what we call ‘cyberwar’ is really nothing more than a denial of service attack. It’s an attack on a country’s communications network, but do we call taking out the telephones in a country ‘telewar’? No, we just look at it as a strategic move in the larger picture of war.

I like Ethan Zuckerman’s take on cyberwar: it’s just a DDoS attack, and calling this war is like calling hackers terrorists. Sure, ‘cyberwar’ garners more headlines than ‘Denial of Service attack’ does, but in the end, it’s misleading and sensational. Not that I expect that sort of headline grabbing to stop soon, but at least some people out there know better.


One response so far

Aug 16 2008

Hey, PR guys, I am listening, even if I don’t respond

Published by Martin under Blogging

And now for an off-topic Saturday morning rant:

In the last week there was an interesting meme led by Robert Scoble (what a surprise) about tech bloggers and PR people. It’s been an interesting back and forth, and even though it’s only tangentially important to me, it’s still something worth commenting on.

I read almost every press release and PR note that I receive. It may not be a top to bottom read, but I do read enough to make a judgment call as to whether or not the email is of enough interest to me to read further. Often I try to acknowledge that I received the email by responding to the PR folks who sent it, though this has been happening less lately as my time becomes more constrained by travel. If someone’s sending me press releases that have nothing to do with security, I’m more likely to respond and explain to them what I do and write about so that they won’t waste their time and mine telling me about stuff that is of no interest to me. And it’s surprising how many PR folks appreciate this feedback.

A prime example of folks who get how to interact with security bloggers is Connect Public Relations. They send me a two to three sentence email pointing me to a client’s blog post, usually Symantec. Here’s a recent example:

Hi Martin,

I wanted to let you know that Kevin Haley has entered a blog post about some survey results from Symantec on how security professionals are using social networking. Are they like everybody else? You can see what Kevin had to say about it here: https://forums.symantec.com/syment/blog/article?message.uid=343671

That’s it. They’ve sent me something relevant to me, haven’t wasted a bunch of my time with a long email, asked me for my opinions and let me get back to my life. I usually go and scan through the blog posts even if I rarely use them as fodder for my own posts. It’s not that I don’t find the posts interesting, it’s just that as often as not, I either don’t have the time or just don’t find anything that resonates with me enough to elicit a blog post of my own.

What I hate receiving is the long, drawn out, mass produced, hype-filled product announcements. There’s maybe one in a hundred of these that I can read past the first paragraph. Quite frankly, most of these announcements are just hype with almost no real substance to them. If you don’t care enough to figure out why your product might apply to me personally or professionally, then why should I? There are some exceptions when people are inviting me to participate in beta programs or are honestly looking for feedback, but those are rare. I wish I had the time and energy to take advantage of more of the betas, but work, blogging, podcasting and family are more important to me than checking out a new tool I would rarely or never use otherwise.

I don’t want to be broadcast to by PR agencies, and I doubt many other security professionals do either. I know I don’t have the sort of draw someone like Robert Scoble does; not many people do. I don’t expect to be included in the A-list that’s told before everyone else, but I do want to feel that the person at the other end of the email has taken a few moments to at least understand who I am, what I write about and why their message might be of interest to me.

So if you’re a PR person sending me email and press releases, please know that I’m probably reading what you sent me, even if I only skim the email. But also be aware that I’m probably going to spend the same amount of energy or less on reading the email than you spent sending it. So if I’m just part of the 10,000 person mailing list you send to on a weekly basis, don’t expect much in return. But if you’re actually treating me as a real person instead of another field in your Excel spreadsheet, the chances are I’m listening, even if I don’t respond.

P.S. You could always try giving me a call. My cell # is on the About page for a reason.


No responses yet

Aug 16 2008

Excuse the dust

Published by Martin under Blogging, Podcast, Site Configuration

I’m playing with the site some, adding some ads, removing others, getting rid of some of the features I added a while ago and never use. I don’t exactly hope to make a fortune from the ads on the site, but beer and pretzel money is always good to have. Or at least money to replace the next piece of equipment I spill coffee on.

Please let me know if/when I cross the line from mildly annoying to driving you from the site. The ad money is worth less to me than my readers are.

On a related note, Rich and I are starting to discuss the potential of sponsors for the podcast, at least for special events like RSA or Black Hat/Defcon. We’d love to be able to follow Paul and Larry’s lead and create some t-shirts and bumper stickers to hand out at the events. Feedback and ideas on this are also appreciated.

One more thing (any Jackie Chan Adventures fans out there?): Rich and I still have some books to give to readers/listeners, but we haven’t been happy with how we’ve done it before. Any suggestions on how to give away books in a way that will draw in more listeners and readers? I received an extra copy of Raffael Marty’s book Applied Security Visualization and I’d love an excuse to get it out of my library and into someone else’s.


One response so far

Aug 15 2008

AV versus E-voting

Published by Martin under Government, Humor

I know this is popping up all over the place, but I had to add it too!


No responses yet

Aug 14 2008

MBTA exposed more than the talk would have

Published by Martin under Government, Hacking, Simple Security

It’s funny, I overheard the students who were researching the MBTA vulnerabilities say this at Defcon: by placing the initial report in the court documents, the MBTA was releasing more information than would have been shown in the presentation itself. They’d planned on keeping back some of the information that had been in the report to keep people from making their own passes, or at least to slow down the effort. What I hadn’t realized at the time was that Jennifer Granick from the EFF had warned the MBTA of this and they went ahead with it anyways. They ignored her warnings and published the final keys needed to take the talk from theoretical to possible.

Not that this temporary restraining order was all that effective in any case. The presentation slides had already been distributed to more than 7000 attendees on the Defcon DVD. Rumor has it that the entire preso, including the missing checksum information, had already been sent to the Full Disclosure list. And a presentation that would have been well attended suddenly became important news for weeks to come. I think they call that the “Streisand Effect”.

Some people never learn.


One response so far

Aug 14 2008

Alan is back on the air

Published by Martin under Blogging

Alan Shimel is back in the blogosphere and has something to say about the travails he’s been through over the last few days. Rather than being bitter about the experience, Alan has learned a lot, not just about securing his site, but also about the value of having good friends in places high and low.

And if you know Alan, then you know this is just the start of his commentary on the whole affair. He might not be able to talk much about the event specifics, but he will talk about what he’s learned about security on a personal level. It hasn’t been fun, but it’s definitely been educational.

Welcome back, Alan.


No responses yet
