Archive for September, 2010

Sep 28 2010

Network Security Podcast, Episode 214

We’re all back on the air and Mad Mike Rothman has been put back in his cage.  Okay, maybe not his cage, but between Rich, Zach and Martin, there’s not room for one more loudmouth this week.  Besides, we actually got the three of us around the virtual coffee table to kvetch.  Zach is on the road, so he phones it in this week, and Martin gives a quick review of the PCI Community Meeting without actually revealing anything that went on.  That would be against the rules.

Network Security Podcast, Episode 214, September 29, 2010
Time:  40:40

Show Notes: 


Sep 25 2010

In defense of the PCI “No social media” policy

Published by under PCI

I know it’s odd coming from me, but I have to take a few minutes to defend the PCI Council’s decision to ban social media from the PCI Community Meeting this week and at every community meeting.  Yes, a large part of the real reason for the ban is so that they can control the message and so that they aren’t getting a lot of criticism floating out from the sessions, but the reasons they state for the ban are valid as well; the Community Meeting is an opportunity for merchants, service providers and everyone else to comment and speak freely and the threat of being tweeted or blogged about would place a chilling effect on the conversation at the event and the questions asked in the meetings.

Let’s be honest, my letting loose with a few tweets during a meeting probably wouldn’t have any effect on the vast majority of the people attending, since only a few of them even know what Twitter is, let alone monitor it.  The thought of a blogger or podcaster sitting in the audience is a bogeyman to many of the attendees; social media is something they’re aware of but don’t understand, so they’re afraid of it.  By stating that no tweeting, blogging or podcasting is allowed from the event, the PCI Council has made a large swath of the audience feel much better at the expense of annoying a very small, but vocal, minority.  And in theory they’ve stilled the voice of criticism, or at least delayed the criticism until it’s too late for it to have any effect on the PCI Standards.  The criticism will come soon anyway, but that’s beside the point.

The reason I do feel the need to defend the ban has nothing to do with the meetings though.  Quite frankly, I think the majority of convention presentations at an event like this are worthless; most of the information revealed had been out and available for a while, or the hour long meeting could have been summed up in five minutes by saying “It depends” or “we’ll address that soon”.  There’s really not that much that’s being said, it’s a sad, honest truth of most conventions, not just the PCI Community Meeting.

So why is the ban on social media important?  Because of the meetings that go on in the halls between talks.  And the conversations that are happening in the lunch room.  And the drunken brainstorming that goes on after hours and leads to new alliances and relationships between individuals and companies.  The PCI Community Meeting is no different from any convention in that what happens in the interstitial spaces between the organized meetings is often more important than what goes on in the meetings.  What is different is that sometimes these meetings lead to changes in the infrastructure of the credit card industry or business deals that can move millions of dollars from one pocket to another.  And you can’t have this sort of dealing going on when you’re looking over your shoulder, wondering if someone’s listening in, about to tweet what you just said.

The group of people that meet every year at the PCI Community Meeting don’t have the chance to meet like this anywhere else and don’t have the direct access to the PCI Council and the card brands at any other time.  So it really is important to preserve some of the expectation of privacy they bring with them.  I don’t like the decision to ban social media personally, but I do see that it adds some value for the people who are paranoid about such things.  And it does an excellent job of delaying the criticism as well, so it’s an all around win for the PCI Council at the expense of annoying a few folks like myself and Branden Williams, who’d tweet, blog and otherwise publicize the event if they’d let us.  And speaking of Branden, take a couple of minutes to read his “Review of the 2010 ____ ____ Meeting“.  His comments on a better way to treat social media at events like this are also worth a few minutes to peruse.


Sep 19 2010

Defcon 18: The PCI Panel

Published by under PCI,Video

Waking up on the Sunday morning of Defcon to be on a panel about PCI after having been in Las Vegas for 5 days takes a lot of commitment.  Waking up on Sunday morning to attend a panel on PCI takes something else entirely.  Which is why I was so surprised to see a ton of people looking back at me from the audience when I took the stage with Jack Daniel, Dave Shackleford, Josh Corman, Alex Hutton and James Arlen.  And a book by Anton Chuvakin (you have to watch the video to understand).  I consider every one of the gentlemen on stage with me to be a friend and it was a great honor to be in front of the crowd with them.  Even if we do look like a bunch of hung over, middle-aged geeks.  There was more interest in PCI and what it means to us than I would ever have expected.  With any luck we’ll be able to get this gang together to talk again, perhaps without the hangovers.

DEFCON 18: PCI – Compromising Controls and Compromising Security from James Arlen on Vimeo.


Sep 18 2010

Logical fallacies in forums

Maybe it’s a little egotistical to reprint something you sent to a forum, but I thought I did a pretty good job pointing out some of the fallacies I see all too often on forum mailing lists.  I doubt that I’ll actually influence the people most guilty of these fallacies, but the people who are borderline may be salvageable.

Good morning dear colleagues,

I wanted to take a moment to make everyone aware of a very useful site I found several years ago that’s helpful when getting involved in argumentation of any sort.  It is the Nizkor Project listing of logical fallacies.  I find it helps me a lot to be able to identify and call out specific logical fallacies, at least to myself, and it helps in forming the response to these logical fallacies.  As is often the case in online forums, the person guilty of the fallacies is either unaware of committing the fallacies in the first place or mistakes these fallacies for honest communication.  In either case, conversations with this sort of individual often devolve into appeals to emotion or ad hominem attacks.  I wanted to take some time this morning to point out a few of the fallacies that seem to be more common on this forum:

First, the ad hominem attack itself:
This is an attack on the person who’s making the argument rather than the argument itself, aka name calling.  This is also mirrored by the personal attack fallacy, where the person claims that any argumentation is a personal attack against them.  This is also related to the appeal to pity, aka ‘They’re picking on me, therefore they must be wrong’.

The second fallacy I often see is the red herring.  The answers that are sent to the forum have little or no relation to the question that was asked.  This can be an innocent case of missing the point or it can be an example of purposefully leading the conversation away from the subject that was originally brought up.  If you see “you’re missing the point” in a reply, this is often the fallacy that was committed.

Another common fallacy on this forum is the appeal to authority.  We’re all experts of one level or another in this forum, otherwise we should never have been awarded our CISSPs in the first place.  However, we sometimes try to falsely extend our authority in one area to cover areas that are tangential to our areas of expertise in ways that are not appropriate.  Another example of this is citing vague articles or standards as supporting our cause when they really don’t have any direct bearing on the argument.  For example, just because Bruce Schneier is a respected author and cryptographer, he could not by any means be considered an expert on securing an Exchange server.  Another part of this fallacy that’s common is expecting that just because we hold certificates in certain disciplines, we’re actually experts in that discipline.  A doctor who graduated in the bottom 5% of his class still graduated, after all.

A final fallacy to think on, not because it’s especially common on the forum, but because it’s especially common in our lives in general, is the appeal to common practice.  Everyone is doing it, so it can’t be that bad, can it?  This is a fallacy that should be avoided in every aspect of life, not just security.  As parents have been asking their kids for eons, “If every one of your friends jumped off a cliff, would you jump too?”.  Everyone has a firewall at the perimeter of their network; does that make a firewall a best practice or does that just mean that it’s what people are doing because everyone else is doing it?  It may be the best thing to do in your situation, but unless you evaluate it based on your circumstances rather than what others do, you’ll never know.

I try not to make the mistake of ad hominem attacks; I try to attack a person’s argument whenever possible.  This is not always possible as the number of fallacies in a response rises and overwhelms any content that may be contained in the response.  Rather than continue down a path of personal attacks and appeals to emotion, I try to bow out of the conversation at that point.  But I’m not perfect.  Next time you send a reply to the list, take a few minutes to check your logic and see if you’re committing any of these common fallacies.  It will help make your point and increase your standing with your colleagues.  Failure to do so can hurt your standing in the community greatly.

Thank you,



Sep 15 2010

Market leadership through lawsuit?

I am not a lawyer and I don’t even pretend to understand the complexity of our patent system when it is applied to software, but I’m always astounded when companies file lawsuits based on broad, over-arching technology solutions.  I find this especially distressing when it affects a market that is, in itself, a fairly simple idea, like database encryption.  So when I received a press release from Protegrity stating they’d filed suit against Ingrian, Safenet, NuBridges and Voltage this morning, it did not sit well with me.

I’ve seen too many companies over the last decade that are nothing more than patent trolls who acquire patents specifically for the purpose of lawsuits.  Protegrity clearly is not a patent troll; they’ve been very active in the database encryption market and likely have every right to file this lawsuit.  I’m more concerned in a number of ways with the turn our patent process has taken since software patents were allowed than with this particular lawsuit, but I’m hoping that Protegrity isn’t using a legal attack to take out some of its biggest competitors in the field of database encryption.  Only time will tell if it has that effect, whether it’s intended or not.

The other thing that really worries me is the effect this will have on the still young end-to-end encryption market space.  Will the potential of a lawsuit based on these or other patents related to E2E have a chilling effect on new technology that shows the potential to make huge improvements in credit card security?  Or is there so much money to be made in the E2E field, so many big names backing the smaller players, that the potential of a lawsuit will be overcome by the potential to make a profit?  I suspect the potential lawsuits will make companies think twice, but in the end the potential profit will quickly overcome any worries about lawsuits.

As always, read the press release, read between the lines and make your own decision.  I’ve included the entire press release below the break for your review.


Sep 14 2010

Network Security Podcast, Episode 212

Published by under Podcast

With Zach back in Boston, but Rich still out, the crew is completed once again with Mike Rothman.

Network Security Podcast, Episode 212, September 14, 2010
Time:  39:15

Show Notes:


Sep 13 2010

What skills should a geek kid learn?

Published by under Family,Hacking,Social Networking

In a few weeks HacKid will be coming up in Boston at the Microsoft NERD Center.  Flying cross-country to attend with my family didn’t quite work out, but it did get me thinking some about the skills I’d like my two boys to master before they’re too old to learn anything from their father or any adult, which I figure is about 15.  I don’t mean the stuff they learn in school, which, while valuable, is not necessarily the set of skills they’re going to need to survive on a daily basis.  I was wondering about the geek skills, both technical and non-technical.  Since I’ve recently started playing with lock picks, I decided that would be one of the first of these skills, but I turned to the wisdom of Twitter to add to the list.  Below is a compilation of the list I started and some of the suggestions I got from Twitter.

Here you go:

  • Lock picking (physical security being taught at HacKid)
  • How to social engineer a password from someone
  • Fix a printer (or at least replace the paper/cartridge and pull out jammed paper)
  • Martial arts/Self-defense (also being taught at HacKid)
  • Electronics/soldering/circuit boards (I’d have to learn more about this one myself)
  • Amateur (Ham) radio
  • Fast reading/Critical thinking (they’ve got the first handled, I can barely keep these kids in books)
  • Conflict management
  • How to build a tree fort
  • How to build a home network
  • How to build a computer
  • How to change a tire (This one will wait until they’re a little older)
  • How to repair a consumer device, how to fix a motor
  • How to improvise to build what they need (aka Duct tape foo)
  • Role playing games (so this one will do more harm than good; it’s still fun)
  • Basic self-reliance (which our society seems to want to train out of us) [ireadit]
  • Basic carpentry and plumbing skills [ireadit]
  • Debate skills [Matt Summers]
  • Rope skills: how to make, how to coil without kinks, how to tie knots [Chris J]
  • Bike maintenance [Robin]
  • Basic navigation, both with and without a compass (my kids have been orienteering since they were in diapers) [Robin]
  • Juggling (fun, but essential?) [Robin]
  • Coin/close up magic, handy for social engineering [Robin]
  • How to swim [Norbert]
  • Learn to play an instrument [Robb]
  • How to play all major sports [Robb]
  • Basic cooking skills [Peter]
  • Basic first aid (Like ‘Call 911!’?) [Peter]
  • Linux & Windows command-line fu, a programming language (Does Scratch count?) [Chris]
  • And?

Leave comments and I’ll add to the list


Sep 11 2010

Still thinking about frameworks

Published by under PCI

Last month when I wrote my post “How would I write a framework to replace PCI?” I had the kernel of an idea that I just had to get out in some form.  It’d been bouncing around in my head for several weeks and rather than continue to let it ricochet off the inside of my skull, I put the beginning of the project in the post and figured the rest of it would just flow naturally from there.  Except when I started writing some of my ideas down in iThoughts and having conversations with folks like Josh Corman and Andy Ellis, I realized how big a project I was really starting on and how complex the whole thing is.  I also received some very insightful comments on the original post that gave me even more to think about.  And one of the things I’ve realized is that this isn’t something I can do in one or two posts; it’s something I’m actually going to have to plan out and write with some forethought.  Which is not my usual mode of expression at all.

One of the basic precepts I put forth for myself was to focus on the desired results rather than controls.  Yet I also stated that I wanted everything to flow from policy, which seems to be directly in opposition to focusing on results.  Policy is never a result; it’s a series of base controls we put in place to tell us the results we hope to work towards.  So from the very start I’m contradicting myself and not living up to my own goals.  The only thing I can say to that is that policy, when done right, sets the expectations of the results we want the business to establish.  In other words, I think of policy as a way of setting up the rules for the game of PCI and security, which is why I think it should be the very first thing a business does when it wants to improve security.

I’m not much closer to having the next article in this series than I was when I wrote the first one.  Every time I talk to someone about PCI and how it can be reformed, I walk away with more questions than answers and have to wonder if it’s even possible to have a framework that is usable for such a large, diverse cross section of the industry.  We’ve been working on security as an institution for three to four decades now, but firewalls and anti-virus seem to be the best we can come up with.  I’m under no delusion that I’m going to be able to fix or even significantly improve the situation. 

I’m still thinking about how to move PCI forward, I still plan on writing more on the subject, but I need to plan it out and talk to more people about how this can be done.  It may be a couple of months before I can write the next steps in this series.  But I’m still thinking about it and will get back to it. And I’m hoping it’ll be worth the wait.


Sep 09 2010

Just for fun, part 2

Published by under CISSP/ISC2,Humor

Here’s the CISSP Song by Rob Slade.  I’m not going to try to sing it, but I hope someone does.  And I hope that someone sends me the recording to play on the podcast.

Thanks Rob!

Lyrics by Rob Slade

Sung to the tune of “The Major General’s Song,” from
“Pirates of Penzance,” by Gilbert and Sullivan [1]

CISSP (solo):
I am a Certifiable Security Professional
I’ve countermeasures physical, administrative, technical
I know the ports of TCP and backdoors with malign intent
And survey risk analysis to prove the safeguards wisely spent
I’m very well acquainted, too, with matters of the blackhat crew
Attendance on the IRC phrack channel makes my colleagues stew
With viruses and zero days I’m teeming with a lot o’ news,
With many cheerful facts about the weaknesses in Usenet news

CIO Chorus:
With many cheerful facts about the weaknesses in Usenet news (etc.)

I’m very good at ACLs and mandatory access modes
I know the disassembled names of CPU compare opcodes
In short, in matters physical, administrative, technical
I am the very model of an infosec professional!

In short, in matters physical, administrative, technical
He is the very model of an infosec professional!

I know our mythic history, LaPadula, Biba, and Bell
I know the biometric facts, memorized CERs as well
I understand the lattice, roles, rules, and discretion base
And pseudorandomize my keys to maximize the address space
I’ve tokens, tickets, one-time passwords, smart cards and a kerberos
And Centralized Remote Authentication to remove the dross
I’m proof against the DoS, Man-in-the-Middle and brute force attacks
My proprietary off-the-shelf stuff’s licenced and it never cracks.

His proprietary off-the-shelf’s all licenced and it never cracks.

My audit logs are analysed, detect intrusions every time
My legal counsel’s up to date with all the best computer crime
In short, in matters physical, administrative, technical
I am the very model of an infosec professional!

In short, in matters physical, administrative, technical
He is the very model of an infosec professional!

In fact when I know what is meant by “data link” and “twisted pair”
When I can tell a fibre optic cable from a trigger hair
When Internet Explorer I no longer use the Web to surf
Or let my users chat on IRC on all my network turf
When I have learnt that firewalls can filter out the packets bad
When I know that the guy with foreign bank accounts might be a cad
In short when I’ve a wee bit of professional paranoia
You’ll say a better CISSP has never addressed yuh.

You’ll say a better CISSP has never addressed yuh.

For my security training, managerial though it may be
Lacks practical direction and real-world applicability
But still, in matters physical, administrative, technical
I am the very model of an infosec professional!

But still, in matters physical, administrative, technical
He is the very model of an infosec professional!


Sep 09 2010

Just for fun, part 1

Published by under Humor,Social Networking,Video

Last week I joined Chris Hoff, aka Beaker, and Team Squirrel down in Palo Alto to play v0dgeball for the evening.  I can’t say I was of much use, but it was awesome to watch Kim shimmy and twist her way out of almost every ball thrown at her.  And when it came down to the final game, Trey Ford did an awesome job of taking on the other team by himself.  Truly an epic performance.  For more video and pictures, you can visit Virtual Geek.  In the mean time, here’s a small sample of what we went through.  Great game guys!
