Archive for the 'Blogging' Category

Mar 20 2014

European InfoSec Blogger Awards

Next month is Infosecurity Europe here in London, taking place from 29 April until 1 May, as well as BSides London on 29 April.  I’ve never had the chance to go to either event and I’m really looking forward to my first time.  Another event that’s happening alongside both of these is the European Security Bloggers Meetup at the Teck Pub (appropriately named place for our group).  Many people may not know it, but I’ve been one of the people organizing the RSA Security Bloggers Meetup from the very start and I’ve been the MC for almost every single one.  So I’m very excited to see how the event translates to London and the European community.  I know it won’t be the same event, which is why I want to go.  Brian Honan is hosting with a little help from Jack Daniel and Tenable Security, which pretty much guarantees this will be a most interesting shindig.

One of the aspects of the Meetup since the second or third year has been the recognition of bloggers and podcasters by the security community, the Security Bloggers Awards.  As one of the organizers of the Security Bloggers Meetup, I’ve always held my blog and my podcast as being out of the running for any recognition in the RSA version of these awards. I didn’t want there to be any potential conflict of interest with the awards, so it was easier to opt out of the competition all together.  Some people might say it’s because I feared folks like the Security Weekly Podcast and Exotic Liability taking the awards even with my competition, but I’m going to stick with my story of conflict of interests.  

But a funny thing happened last year; I moved my family to London.  Which means I’m now a European blogger and podcaster.  And since I have absolutely nothing to do with the European Security Bloggers Meetup or the European Information Security Bloggers Awards, I feel free to compete and do my best as a transplant to take whatever awards I can wrest away from the natives!  It also helps that the only ‘competition’ here in the UK that I know of are the Eurotrash Security Podcast and Finux Tech Weekly. And I’m pretty sure you have to have actually posted within the last year and you can’t have any pictures of WickedClownUK in spandex.  Not just can’t have them on your site, you can’t even be in possession of them.  Since the ‘rules’ of this competition are … well, non-existent, if I can convince voters of these requirements, it helps my efforts.

So go vote for Rich, Zach and me as the hosts of the Network Security Podcast for Best European Security Podcast of 2014!  Sure, I’m the only one of the three of us that actually lives in Europe.  Yes, I’m not really European, I’m an American transplant.  But none of that is nearly as important as not letting Chris John Riley win the award!  So vote early, vote often, and just vote for the Network Security Podcast!  Or at least go vote, since I’m not really all that attached to winning an award, truth be told.

Hmmm, vote for the Network Security Blog as the Best Personal Security Blog too while you’re there.  Maybe I do care about awards after all.


Jan 06 2014

Still going to RSA

In the last couple of weeks Mikko Hyppönen from anti-virus company F-Secure announced that he won’t be speaking at the RSA Conference in San Francisco at the end of February.  His reasoning is that the company, RSA, colluded with the NSA for a fee of $10 million in order to get a weakened version of a random number generator included in the public standards, a move that makes the whole suite of encryption standards easier to crack.  As Mikko points out, RSA has not admitted to this accusation, but they haven’t denied it either.  So Mikko has pulled his talk and has publicly stated that as a foreigner, he doesn’t feel right supporting the conference.  I understand his sentiment, I see what he’s hoping to accomplish.  But I don’t think boycotting will do much, other than gain Mikko a little bit of attention short term and harm his reputation long term.

The first problem with boycotting the conference is that RSAC is, for all intents and purposes, a side company from the RSA corporation.  It has its own management structure, its own bottom line, its own profit and loss reporting.  And it’s only a small fraction of the overall revenue stream of the corporation. As such, any impact that boycotting the conference might have is going to be highly diluted when it reaches the management of the central corporation.  Yes, at some point in a meeting it will be discussed that a speaker has withdrawn over NSA concerns, maybe even a dozen other speakers will join in a show of allegiance.  But the conference organizers will simply pick from the dozens of alternative speakers of nearly equal capability and move on.  Senior management might lose two or three minutes of sleep that night, but nothing more.  And any impact that having a particular speaker boycott has can easily be written off as being from other, much larger changes that RSA is making to the conference layout this year.

The second problem I have is that while Mikko has stated he’ll be boycotting the RSA Conference, he’s said absolutely nothing about F-Secure boycotting.  As a vendor, I know that marketing departments have to commit to the conference at least a year in advance and I’ve heard that some commit to multi-year contracts in order to get better pricing.  The small booths at either end of the halls cost tens of thousands of dollars, while the big booths in the center of the floor cost the vendors several hundred thousand dollars when all is said and done.  If Mikko wanted to make a statement that would really be heard, he’d have F-Secure withdraw from the RSA Conference this year and for the next few years.  Except he can’t.  Any vendor that’s mid-size or larger in the security field has to be at the RSA conference.  In many cases, this conference is the keystone for the whole marketing effort of the year, and any talk of a boycott would be immediately quashed as an impossibility.  Quite frankly, if you’re a security vendor and you don’t have a presence at RSA, you’re not really a security vendor and everyone knows it.  

The third issue I have with the boycott has nothing to do with Mikko and is closely related to the vendor point; it’s become a popular meme since Mikko’s announcement for security professionals to say they’re going to boycott RSA as well.  I’ll be honest, I’ve never paid to go to RSA, I’ve always had a press pass, gone as a vendor, or gone as a speaker, more than once as all three at the same time.  But even if I were paying, the money I’d pay to go to RSA is still insignificant when you compare it to what the organization makes off of the sponsors.  It would take a huge number of attendees failing to show up in order to make an impact.  Given the growth rate of the conference over the last few years, it’s most likely that even a thousand people joining up in a boycott would simply lead to a flat growth rate at best.  Additionally, similar to vendors, most people who are attending and have their company pay for it have already purchased their tickets and a boycott at this point would be more detrimental to them than it could be to the RSA Conference.

If you think that NSA has been behaving badly and you really want to have an impact, go to the event and talk to people at the event.  If you’re a speaker, change your talk to include a slide or ten about what you believe RSA has done wrong.  You might be right or you might be wrong, but you’ll have a chance to tell your story to the several hundred people in your audience.  If you’re an attendee, go to the conference and talk to other attendees, tell them why you think the RSA Corporation has crossed the line and spread the word.  You gain almost nothing by throwing a temper tantrum and leaving the playground.  But if you attend, talk to people and raise awareness of the issues, you let others know that something isn’t right, something needs to be changed.

I wish Mikko the best, and maybe his boycott has raised awareness some.  But all the people who say “Me too!” aren’t going to have an impact.  They might feel better about themselves for a short period of time, but all they’re really doing is cutting themselves off from one of the biggest events in security.  It’s better to attend, be social and spread your opinions than to opt out and leave your voice unheard.  I’m attending as a blogger, as a podcaster, as a speaker (panelist, really) and as a vendor.  It would have more impact on me and my career to boycott than it ever would on the RSA corporation.

If you really want to send the RSA Corporation a message, quit buying their products and tell them why.  Now that’s a message they’ll hear loud and clear.


Dec 12 2013

Annual Predictions: Stop, think, don’t!

One of my pet peeves ever since I started blogging has been the annual ritual of the vendor security predictions.  Marketing teams must think these are a great idea, because we see them again and again … ad nauseam.  Why not?  Reporters and bloggers like them because they make for an easy story that can simply be cut and pasted from the vendor’s press release, a fair number of people will read them and everyone gets more page views.  And there’s absolutely no downside to them, except for angry bloggers like me who rant in obscure corners of the internet about how stupid these lists are.  No one actually holds any of the authors to a standard and measures how accurate they were in any case.

Really, the amazingly stupid part of these annual lists is that they’re not predictive in the least.  With rare exceptions, the authors are looking at what they’ve seen happening in the last three months of the year and try to draw some sort of causal line to what will happen next year.  The exceptions are either simply repeating the same drivel they reported the year before or writing wildly outrageous fantasies just to see if anyone is actually reading.  Actually, it’s the last category, the outrageous fantasy, that I find the most useful and probably the predictions most likely to come true in any meaningful way.

These predictions serve absolutely no purpose other than getting page views.  As my friend and coworker, Dave Lewis, pointed out, most of the predictions from the year 2000 could be reprinted today and no one would notice the difference.  We have a hard enough time dealing with the known vulnerabilities and system issues that we know are happening as a fact; many of the controls needed to combat the issues in predictions are either beyond our capabilities or controls we should already have in place but don’t.  So what does a prediction get the reader?  Nothing.  What does it get a vendor?  A few more page views … and a little less respect.

So, please, please, please, if your marketing or PR departments are asking you to write a Top 10 Security Predictions for 2014, say NO.  Sure, it’s easy to sit down for thirty minutes and BS your way through some predictions, but why?  Let someone else embarrass themselves with a list everyone knows is meaningless.  Spend the time focusing on one issue you’ve seen in the last year and how to overcome it.  Concentrate on one basic, core concept every security department should be working on and talk about that.  Write about almost anything other than security predictions for the coming year.  Because they’re utterly and completely worthless.

Remember: Stop, Think, Don’t!


Aug 26 2013

A Decade of Blogging

Published by under Blogging

It’s amazing to look back and realize that it’s been a decade since I started blogging.  My life has changed so much since that I sat down and wrote that first “Hello World” blog post.  There was no way I could know what direction my life would take once I wrote that first post, but I knew I needed to write it.  It turned out to be one of the most influential decisions in my life, not far behind asking my lovely wife to marry me and deciding to have kids.

Why did I start blogging on August 14th, 2003?  I had a web site that I’d manually updated for nearly a year, adding stories I found to a page by manually editing the HTML code in a text editor and uploading it to my ISP via FTP.  My role at the time was administering a small cluster of IDS servers and once I’d been through the bulk of the previous night’s alerts, I had a lot of spare time on my hands to fill.  There weren’t the millions of blogs we have now, and there were only a handful of security bloggers, though it was Richard Bejtlich who initially inspired me the most.  Bruce Schneier wasn’t blogging at that time; he had already written his first book, he was writing articles and the blogging came later.  There are a number of other security bloggers from that era who are still around, but those are the two who first got me into thinking I might try my hand at writing.  It was, and still remains, a hobby, but one that shall have a central role in my life for as long as I can maintain it.

Those first few [hundred] blog posts were horrible.  I was just linking to news stories I thought were interesting with a few lines of commentary, not adding much as far as opinion at the beginning.  That slowly changed and now people are more than used to me voicing my opinion, sometimes at great length.  Slowly, very slowly, I learned to think more clearly, communicate with greater clarity and expound upon the thoughts I had bouncing around in my head about security.  The first time I felt like I was actively adding to the conversation and getting the news out was the dust-up between Michael Lynn and Cisco over a presentation he was giving at Black Hat.  I have now written well over 2000 blog posts consisting of over half a million words.  That’s a lot of time spent on a hobby, by anyone’s standards.

And that was the main reason I wanted to start writing and blogging; I had a lot of book learning on security, I’d been active in the field for about 5 years and I knew the difference between a SYN and an ACK, but I couldn’t figure out much of the ideas that had led to the security technologies I was dealing with on a daily basis.  Not the tech itself, but the philosophy that had led people to design the tech.  I had ideas that I wanted to test and solidify by putting word to digital paper, organizing my thoughts in a way that I hoped others could understand.  And I wanted to have those thoughts challenged by people smarter than me, in the hopes that I’d learn to be a better security professional.  And, for the most part, it’s worked out well for me.

I’ve been challenged a lot on my writing, but more importantly, it’s given me an opportunity to speak out on numerous issues, from government voting, to privacy to PCI.  There have been a few things I’ve held back on, but for the most part I’ve spoken my mind, consequences be damned.  I’ve had to pay the consequences several times, but those have been mercifully few and far between.  They’ve been painful, but I’ve survived and ended up better for the experience each time.

I’ve had a number of successes and failures that I can attribute to the blog (and later the Network Security Podcast with Rich Mogull and Zach Lanier).  I had the opportunity to write for Computerworld for a year; having an editor made me a much better writer than I’d been before.  I also had an opportunity to do video blogging, which did not go nearly as well.  I’ve failed at several roles in security during that time, sometimes because the role and team was wrong, sometimes because I was just in the wrong place at the wrong time.  And at least once because I let my ego get the better of me.  I’ve gone through periods where I wrote several times each day and other periods where months have passed between posts.  And I’ve complained about burnout so many times even I got tired of talking about it, though that’s gone through cyclic changes as well.

A lot has changed for me in the last 10 years.  I’ve had half a dozen jobs in that time, only one of which lasted for more than two years.  My role as Akamai’s Security Advocate (recent title change) is nearly at the two year point and I don’t see myself changing companies any time soon, so if I can just survive a few more weeks, I’ll have another role to add to that list.  I am in the process of starting a new role within Akamai, concentrating on Europe instead of America with a smattering of trips to other regions, but I like my role and the team of awesome people I get to work with.

As I look back at the decade, one of the things that stands out the most to me is my discussion of privacy matters and the crossroads the US and the whole international community finds ourselves at.  I’ve spent a lot of time drawing attention to the issues around government destruction of personal privacy, to the point where even I was beginning to question if I hadn’t gone over the paranoid edge.  But what Edward Snowden has revealed about the intelligence organizations of the US and the stories that continue to surface about the erosion of any semblance of privacy concerning digital communications of any type scare the sense out of me.  I went from thinking maybe I was too paranoid to realizing I hadn’t been paranoid enough overnight!  Captain Privacy needed to ride again, but there was no way he could tackle the problems that exist in the world right now.

I hope I can still write a blog in another 10 years without worrying if my post will have the NSA or the local police knocking at my door, looking for a ‘terrorist’.  I said “I wasn’t paranoid enough.” once, I doubt I’ll be that naive ever again.


Jun 01 2013

I’d forgotten why I write

Published by under Blogging

I’d forgotten why I write.

I don’t write just because I’m an attention monger or because I want to prove how smart I am.  I don’t write to promote myself or to promote others.  I don’t write to start arguments or rants.

I write because I have ideas banging around in my head and putting pen to paper or fingers to keyboard forces me to organize the ideas in such a way that other people might be able to understand them as well.  I write because I want to test those ideas and see how they mesh with or challenge the ideas other people have.  I like the idea of the ‘slow hunch’ and hope that something I write will click just a little with something banging around in someone else’s head.  I write because I want to contribute back to the community I live and work in, in however small a way.

Luckily, I’m starting to remember why I write.


Jan 01 2013

Welcome to 2013

Published by under Blogging,General

I don’t generally do New Year’s resolutions.  The fact is, if I can’t work up the will power needed to do something the other 364 days a year, there’s no reason to think an arbitrary date of January 1 is going to make me any more likely to develop the internal strength needed to follow through on my commitments.  That being said, when you’re doing something public, like blogging, January 1 is as good a date as any to restart efforts.  Which brings me to this post, which is basically my New Year’s resolution to blog more.

2012 was a very interesting year for me.  I stepped off of planes on four different continents during the year and flew nearly 140,000 miles on United alone.  I took on the role of Security Evangelist in 2011 and got to a point in 2012 that I feel comfortable in the role.  I can actually answer most of the questions people ask me about the inner workings of the Akamai platform, rather than having to say “I’ll find out” and asking our engineers.  I wrote several security sections for Akamai’s State of the Internet Report.  I presented at half a dozen conferences during the year and learned a lot about what I need to do to become a better presenter.  All in all, it was a very good year from a professional perspective and looking forward to 2013, things will continue to get better if how we closed out 2012 is any indication. And I’ve been told I need to cut back on the travel this year, which may make the year even better.

From a personal perspective, 2012 was a ‘more of the same’ year. The Spawn (as I call my children publicly) continue to grow at an alarming rate and my grocery bill grows at a similar rate.  Spawn0 is already as tall as Wife0 and Spawn1 is threatening to catch up to him before too long.  They both continue to expand their horizons and give me at least a little faith that maybe the next generation isn’t as completely hopeless as the current generation.  It’s that hope that keeps us from strangling them at birth, I suppose.  Neither Wife0 nor I changed much, other than gaining a little more weight and losing a little more hair.  Wait, that was just me, Wife0 is still the same beautiful woman I married 20 years ago.

What I really didn’t like about 2012 though was my blogging and podcasting schedule.  I resolved several times to write more, but didn’t follow through on it as much as I really should.  The podcast recording schedule with Rich and Zach was severely compromised much of the year, with all three of us being on the road more than we probably should have been.  We’ll be recording episode 300 of the Network Security Podcast in a couple of weeks and there’s a good possibility that we’ll be making some changes in order to make the podcast something that we can continue doing despite our travel.  It was either make some changes or quit podcasting, and all three of us have committed to another year of recordings, so plan on listening to us at least a little longer.  I wonder if we have it in us to make it to episode 500?

But it’s the lack of consistent blogging that really makes me annoyed with myself.   When I started writing in 2003, I could write about any story or just spew my thoughts on to the page randomly.  Everything was new and shiny and I had opinions on it all.  Now it’s over 9 years later and I’ve written well over 2000 blog posts; I’ve read and written on almost every aspect of security at some point.  It’s hard to think of anything that I haven’t already seen or been involved with previously that I want to write on, and so much of my thinking last year was based on just learning how to do my job the best I can, with little time left over for contemplation.  And what I do have time to contemplate creates more questions in my own mind about how we do security in the corporate world with few answers being obvious. 

So my resolution for 2013 is to write at least one blog post a week this year.  I’m not going to promise that the content of any of these posts will be spectacular or insightful, but one thing I learned from my early efforts is that sometimes it’s more important to write than to write the perfect post.  If you write enough crud, someone out there will sift through it to find the one or two kernels of wisdom that make it through the system.  Usually those kernels aren’t even what the writer was trying to express, but as long as they resonate with someone, it’s a positive.  Which is all I really want to do, create a positive impact on the security community one rambling post at a time.

With that said, this is my first blog post of 2013.  In August I will have completed 10 years of blogging.  Hopefully I’ll also have completed at least 40 or so posts by that time as well.  Maybe one or two of them will contain something you, the reader, find useful.  If not, I’ll keep writing anyway.  There are still too many ideas in my head aching to get out.


Feb 26 2012

My todo list for RSAC

Published by under Blogging,Podcast

The RSA Conference is one of the most stressful times of year for me, as well as for thousands of other security professionals who descend on the Moscone Center every year.  It’s great to see all the friends that you may only see at RSAC because your paths don’t cross otherwise, as well as the friends you haven’t seen since some other event.  But to make that possible, there are thousands of moving parts that have to all align properly or chaos ensues.  In my own case, I’m wearing three hats this year (press, speaker and vendor) and making them all work together has been difficult.  I think I’ve spent more time in the last month preparing for RSAC than I’ll actually spend at RSAC.

I’m glad to say that my employer, Akamai, agrees that the work I do podcasting is important enough that it takes first priority on my time at the convention, followed closely by my speaking engagements.  I still have work responsibilities and it’s possible you’ll find me in booth #851 from time to time, but mostly my co-workers will be taking care of booth duty for me.  Thursday morning I’ll be doing an Akamai webinar with Andy Ellis (@csoandy) live from RSAC, where we’ll, among other things, rate some of the tchotchkes we find at the show.  If you see some really interesting giveaways, stop by the booth.  I think we’ll be giving away coffee.

I’m speaking 3 times this week, twice on panels, once by myself at BSidesSF.  We’ve got a lot of new data for the stress panel, which I’m sure preparations for RSAC will leave people empathizing with.  The Data Mining panel should be interesting, because I fully admit I’m the new kid on the block, with the least experience with data mining of anyone on the panel; I’m there primarily to learn.  And my Fundamental Flaws talk seems to be resonating with a lot of people, so I’ll be giving that at BSides on Tuesday.

RSAC 2012: Stress and Burnout in the Information Security Community

Data Mining Methods for Enterprise Level Security

Fundamental Flaws in Security Thinking

Then there are the interviews I have scheduled.  This is not an exhaustive list, but I think it’ll cover most of my interviews:  Good Harbor, Abaca, Dell Secureworks, Sophos, Adam Shostack from New School of Security, VSS, Checkpoint, and a few others.  In fact, I should probably add double-checking my calendar to the to-do list for today.  I’ll be getting a couple of these out Monday-Thursday, with any stragglers coming the week after RSAC.  The microcasts I do at RSAC are a lot of fun and introduce me to some interesting people and companies.

Finally, there are the parties.  I’m helping put on the Security Bloggers Meetup again this year, though Jennifer Leggio does most of the real work.  I’ve been nominated for a couple of Social Security Awards as well, for Best Podcast and Best Blog Post, so wish me luck on those.  Akamai has a small party, then there are the dozens of other parties that are going on, primarily on Tuesday and Wednesday nights.  And we can’t forget the Securosis Recovery Breakfast on Thursday morning.  I will be attempting to drink lightly this week, since I’m going as a company representative for once, rather than having to take time off to attend.

So it’ll be a busy week.  Somewhere amongst the chaos, I need to find a little time to walk the showroom floor as well as socialize.  Looking at the slim gaps in my calendar, that’s going to be catch as you can.  By Friday, you’ll see thousands of very tired security professionals streaming out of San Francisco and SFO.  I’m lucky, I get to drive home Friday night, though I’m hopping on a plane again the Monday after.


Dec 12 2011

Open Tabs 12/12/11

Published by under Blogging,Government,Privacy,Risk

Usually I try to find the time to blog first thing in the morning, but today was way too busy to allow for anything nearly as relaxing as blogging.  I spent two days traveling to and from a client site last week and then two more days at the BayThreat conference, with only Sunday at home to relax and play Skyrim … I mean spend with the family.  BayThreat was a ton of fun; my co-worker Mike Smith gave a presentation called “Zerging is for Chumps” and another friend, Gillis Jones gave his first talk, “Show me the Money”, just to name a few.  It’s interesting to go to a convention where you can almost talk to every attendee if you put your mind to it.  And you know I gave it a pretty good try.  Anyway, I’m off for more flying around the country again this week and have a ton to do in the mean time, so this may be the only chance I get to post this week, other than the podcast.  Presuming I can get that done with Zach this week.

Open tabs, 12/12/11:


Oct 31 2011

Open tabs 10/31/11

It was a fun Halloween, or at least as much fun as it can be if you spend the whole day home working.  It would have been fun to be in the office today to see my co-workers in their costumes, but I had far too much to do to make the commute to my office.  Tomorrow, however, is a different story.  We’ll actually have a podcast this week, since I sat down and talked to HD Moore and Josh Corman about “HD Moore’s Law”.  If you don’t know what that is yet, tune in tomorrow.

Open Tabs 10/31/11


Oct 22 2011

Open Tabs 10/22/11

Published by under Blogging,General

The problem with having a body clock that thinks it’s on the East Coast even when it’s not is that I’m up early no matter what day of the week it is.  I’d like to sleep in, but once thoughts of CDNs and presentations start dancing in my head, it’s time to get up.  Which is okay, since there’s a lot to do this weekend before I head to Miami and Hacker Halted on Monday.  I’m going to be presenting with my good friend and former colleague, Mike Dahn.  Then it’s back home for a few days and off to BSides DFW for a completely different presentation.  The next trip after that is with the family, so the only commitment I’ll have is keeping the kids out of trouble.

Open Tabs

A couple late additions, since I’m waiting on the next cup of coffee to be ready:
