Archive for January, 2013

Jan 29 2013

Network Security Podcast, Episode 301

Published by under Podcast

Rich goes missing again (but this time due to work [or so he says]). A slightly shorter show this evening, wherein Martin and Zach discuss upcoming events, like RSA, SOURCE Boston, BeaCon, etc., as well as — oh, look at that, we’ve already surpassed the 300th CVE entry for 2013. Oh, and it’s Ruby on Rails!

Network Security Podcast, Episode 301, January 29, 2013

Time: 29:57

Show notes:



Jan 22 2013

Network Security Podcast, Episode 300

Published by under Podcast

It’s here!  We finally did it!  Episode 300 of the Network Security Podcast has finally been recorded, edited and posted! Sorry it didn’t get published immediately, but it takes a while to edit over 2 hours of

So what did we do for Episode 300?  Martin flew to Phoenix to record from Casa de Mogull and Zach dialed in from New York.  We attempted to stream the show live during the recording, but the spirits of technology, and UStream in particular, had other ideas.  Which is exactly what we deserve for the amount of preparation we put into the attempt.

It’s been a long, strange road that all three of us have traveled to get to this point and we spend the show talking about how security has changed in that time.  Vulnerabilities and patching are, and probably always will be, one of the biggest news items we talk about, especially since some of the vulnerability warnings we have to talk about aren’t all that much different from the 00’s of others we’ve talked about in the past.

Once again, we’d like to thank our listeners for continuing to come back week after week to listen to us.  Yes, we do the podcast in part because it’s fun, but what really keeps us coming back week after week is the listeners.   Thank

Network Security Podcast, Episode 300, January 15

Time: 2:05:00



Jan 10 2013

Morning Reading 011013

Published by under Hacking,Linux,Malware,Risk

It’s been an interesting week and start to the year.  Between the Ruby on Rails vulnerability and the Java zero day released today, we have some serious patching issues on our plates.  And if history is any indicator of future performance, the security technorati are already in the process of patching, which only leaves the other 98% of the population to get patched.  I’ve also had some interesting talks with folks about the idea of honey tokens, honey nets and other detective measures for the network.  On to the stories …

  • I’ve been saying for a couple years now that we need to change the way we think about security from the foundations up.  Apparently Art Coviello agrees and says we need to move to an intelligence-driven security model.  A lot of other professionals believe we need to rethink security architecture as well, according to Tim Wilson over at Dark Reading.  Always challenge the assumptions the leaders of the last generation made, especially in a profession as young as security.
  • The topic of honey tokens and all other things ‘honey’ started in part due to a lot of discussion around ‘offensive security models’.  The Washington Post has an article on salting databases with fake data, which if done right is exactly what a honey token is.  CSO Online says that deception is better than a counterattack; I don’t know if it’s ‘better’ but it’s something that you should be doing whether you’re considering offensive tactics or not.  And a fun new little tool to do some of this has been released, called HoneyDrive.  It’s a collection of tools on a VM, which is always a good toy to play with.
  • Continuing on the theme of Monday’s post, Computerworld has an article on how to talk about security to everyone else.  I’m sure we’ll be talking about this again, since it’s one of the basics we seem to have a hard time with.
  • And finally, Cyber attack timelines from the second half of December.  There are a few errors in the dates here, but I only know that because of my day job.  Let’s just say that there have only been two waves of QCF attacks so far, and that they started a little earlier than is being represented.  But overall, this is good data to keep aware of, especially with the recent rise in attacks.

And finally, for something completely different, a Linux-powered sniper rifle.  I’m sorry, ‘hunting rifle’. 



Jan 07 2013

Rambling on writing

Published by under General

One of the main reasons I started blogging was to work on my writing skills.  Similarly, one of the main reasons I’m forcing myself to start blogging regularly again is also to work on my writing skills.  Yes, I learned to write well in high school and college, but those were both a long time ago and writing is definitely one of those skills that gets rusty when not used.  If there’s one skill that we, as security professionals, can’t afford to let get rusty, it’s the ability to communicate with the people who don’t share the same passion for risk, analysis and vulnerabilities we do.

I think the whole ‘learn to write’ meme is one we circle around to at least once a year, and there’s a good reason for it.  If you talk to people who frequently review RFPs and other sorts of open calls for papers, you’ll find that many of them cringe when thinking of the quality of writing they encounter in the process.  I don’t know the exact percentages, but I’m led to believe that as high as 50% of the papers submitted get culled in the first round just for being poorly written and full of grammatical errors.  If you can beat 50% of your competition by simply using complete sentences and proper punctuation, why not at least start by giving yourself that much of an edge?

Another place where a lack of English (or whatever your primary language is) skills shows up is in email.  How often have you read an email, only to have to call the person just to find out what they really meant to say?  Think of the last time you had to go through a long email exchange only to find that the whole thing was a miscommunication that could have been cleared up with one or two sentences early in the process.  So often we’re in such a hurry to simply answer an email and get it off our own plate that we sacrifice clarity in order to simply get stuff done.  How many times have you spent time trying to decipher a coworker’s rambling only to find out he or she actually wanted something totally different from what they wrote in the email?  It’s easy to have happen when you’re more interested in getting the email out than you are in getting the right email out.

A few months ago a friend asked me about writing and one book I recommended to him was ‘On Writing’ by Stephen King.  The book really is about half autobiography, but it makes for a good counterpoint to the whys of his editing and usage of words.  If you’re a King fan, learning about his life and the roads he’s traveled makes for a good read, but even if you aren’t, it’s still a good read in any case.  “Eats, Shoots & Leaves” is another good book if you’re just looking for something to remind you of all those annoying rules that teachers tried to force into your head all those years ago.  The rules are still annoying, but at least you can be slightly amused while remembering them.

One final thing to remember is what you write about isn’t as important as the fact that you’re writing.  I’ve written over 2000 posts for the blog, and I’d say 90% of them, including this one, are rambling diatribes that probably weren’t worth repeating (or retweeting).  But the 10% of them that actually came out clear, concise and with a few good points in them are worth the time.  And I never would have written that 10% (or 5% or 1%, depending on your point of view) if I hadn’t written all the drivel that came before and after the few gems in the rough.  So, rather than wait for the perfect moment of inspiration to catch fire in your brain, start writing now with the understanding that you’ll produce a lot of crap before you have the one good thought that you’ve been trying to uncover for months.



Jan 03 2013

Morning reading 010313

Published by under General

In the spirit of my only ‘resolution’ for the new year, here’s a quick post on some of what I’m reading this week.  Like many security professionals, I read dozens of posts and articles each week, but only a few of them are worth retweeting or blogging about.  This week is the first of the year, so it’s likely many of the stories I read and rejected were about the way people looked back at the old year or looked forward to the new year.  Very few ‘prediction’ articles made it into my stream, though I did use a few of the stories to decide which sites to stop reading.  Hint:  Your ‘2013 Security Predictions’ are worth the paper they’re printed on.

  • DEFCON: The Documentary (a preview) – In his copious amounts of spare time (okay, maybe it’s what he does for a living) Jason Scott and a crew of videographers taped over 280 hours of video at DEFCON for its 20th anniversary.  He’s released a preview of the documentary, and it’s fun for me to see some of the people and places that are essential for this event to happen every year.  If you’ve never been, don’t be intimidated by some of the strange antics you see in the preview; people let loose at DEFCON in ways they won’t most of the rest of the year.
  • how the pci standards will really die – I was initially a fan of PCI when I started working in that portion of the field six or so years ago.  I was hopeful that it would spark change and force businesses to spend more energy (and money) on security.  It did, but the standards stagnated and really haven’t changed in any significant way since those early days.  PCI Guru points out a number of the fatal flaws with PCI and why it will be the card brands themselves that eventually kill it.  Which can’t come soon enough for me.
  • My 2013 Resolutions – Unlike me, SecJitsu believes in New Year’s resolutions and this is a pretty good list of them.  We have a habit of getting a bit insular in the security community and it’s important to remember from time to time that we’re part of a larger corporate culture.  I know I need to do a better job of this myself.

And some non-security reading for you as well.  

  • To my 13-year-old, an iPhone contract from your Mom, with love – I have two geek spawn who got phones for Christmas this year, so this resonated with me.  I especially like the end, “You’ll make mistakes, we’ll work through them.”  I don’t think my offspring exactly appreciated me sending this to them via Skype IM though.
  • Best of 2012:  Raspberry Pi Projects – I love my RPi’s.  I just haven’t quite figured out any long term projects for them yet.  This article has given me some ideas though.


Jan 01 2013

Welcome to 2013

Published by under Blogging,General

I don’t generally do New Year’s resolutions.  The fact is, if I can’t work up the will power needed to do something the other 364 days a year, there’s no reason to think an arbitrary date of January 1 is going to make me any more likely to develop the internal strength needed to follow through on my commitments.  That being said, when you’re doing something public, like blogging, January 1 is as good a date as any to restart efforts.  Which brings me to this post, which is basically my New Year’s resolution to blog more.

2012 was a very interesting year for me.  I stepped off of planes on four different continents during the year and flew nearly 140,000 miles on United alone.  I took on the role of Security Evangelist in 2011 and got to a point in 2012 that I feel comfortable in the role.  I can actually answer most of the questions people ask me about the inner workings of the Akamai platform, rather than having to say “I’ll find out” and asking our engineers.  I wrote several security sections for Akamai’s State of the Internet Report.  I presented at half a dozen conferences during the year and learned a lot about what I need to do to become a better presenter.  All in all, it was a very good year from a professional perspective and looking forward to 2013, things will continue to get better if how we closed out 2012 is any indication. And I’ve been told I need to cut back on the travel this year, which may make the year even better.

From a personal perspective, 2012 was a ‘more of the same’ year. The Spawn (as I call my children publicly) continue to grow at an alarming rate and my grocery bill grows at a similar rate.  Spawn0 is already as tall as Wife0 and Spawn1 is threatening to catch up to him before too long.  They both continue to expand their horizons and give me at least a little faith that maybe the next generation isn’t as completely hopeless as the current generation.  It’s that hope that keeps us from strangling them at birth, I suppose.  Neither Wife0 nor I changed much, other than gaining a little more weight and losing a little more hair.  Wait, that was just me, Wife0 is still the same beautiful woman I married 20 years ago.

What I really didn’t like about 2012 though was my blogging and podcasting schedule.  I resolved several times to write more, but didn’t follow through on it as much as I really should.  The podcast recording schedule with Rich and Zach was severely compromised much of the year, with all three of us being on the road more than we probably should have been.  We’ll be recording episode 300 of the Network Security Podcast in a couple of weeks and there’s a good possibility that we’ll be making some changes in order to make the podcast something that we can continue doing despite our travel.  It was either make some changes or quit podcasting, and all three of us have committed to another year of recordings, so plan on listening to us at least a little longer.  I wonder if we have it in us to make it to episode 500?

But it’s the lack of consistent blogging that really makes me annoyed with myself.   When I started writing in 2003, I could write about any story or just spew my thoughts onto the page randomly.  Everything was new and shiny and I had opinions on it all.  Now it’s over 9 years later and I’ve written well over 2000 blog posts; I’ve read and written on almost every aspect of security at some point.  It’s hard to think of anything that I haven’t already seen or been involved with previously that I want to write on, and so much of my thinking last year was based on just learning how to do my job the best I can, with little time left over for contemplation.  And what I do have time to contemplate creates more questions in my own mind about how we do security in the corporate world, with few answers being obvious.

So my resolution for 2013 is to write at least one blog post a week this year.  I’m not going to promise that the content of any of these posts will be spectacular or insightful, but one thing I learned from my early efforts is that sometimes it’s more important to write than to write the perfect post.  If you write enough crud, someone out there will sift through it to find the one or two kernels of wisdom that make it through the system.  Usually those kernels aren’t even what the writer was trying to express, but as long as they resonate with someone, it’s a positive.  Which is all I really want to do, create a positive impact on the security community one rambling post at a time.

With that said, this is my first blog post of 2013.  In August I will have completed 10 years of blogging.  Hopefully I’ll also have completed at least 40 or so posts by that time as well.  Maybe one or two of them will contain something you, the reader, find useful.  If not, I’ll keep writing anyway.  There are still too many ideas in my head aching to get out.

