Archive for the 'Blogging' Category

May 07 2008

The Post wants to know who you are

Published by Martin under Blogging, Privacy

I’m mildly annoyed, but I find it hard to get too worked up over this issue: Jim Brady from WashingtonPost.com wants to know who the people are who are leaving comments on his site. He wants to know who the real person is making comments, not so he can track them, but so that he can make them accountable for their comments. That’s a laudable goal, but does this guy really have any idea how the Internet works?

Mr. Brady laments the fact that people are as anonymous as they want to be on the Internet and that the people who comment on his site are leaving nasty, bitter, derisive comments. He wants to have some sort of tracking system where he can positively identify everyone who comments on his site and block the problem children. As he sees it, this sort of accountability is the only way to ‘raise the level of discourse’ on his site. As if accountability would somehow accomplish this goal. Does he understand human psychology any better than he understands the Internet?

This isn’t a privacy issue; without major changes to the Internet, Mr. Brady’s wish is never going to become a reality. There are too many built in safeguards and too much complexity on the Internet to make positive identification of his commenters a reality any time soon. The WashingtonPost.com site has already experimented with blocking IP blocks and found that’s a good way to block large chunks of the Internet from his site. They’re experimenting with other technologies, but that’s not enough for him. I wonder if they’re looking at OpenID at all to solve his problems.

Online identity is a huge issue, one that’s not going to be solved because some editor wants to track his commenters, even if it is the Washington Post. Mr. Brady has bigger problems though. First, he obviously doesn’t understand the Internet if he thinks there’s much possibility of reliably tracking users on the Internet. Anyone with even a modicum of computer knowledge could probably find a way around any tracking technology the Post puts in place. Even if they can’t, I’d be willing to bet there’d be a Firefox plugin or other application that gets around the technology. Oh, wait, we already have BugMeNot.

The second problem is that Mr. Brady is trying to solve a social issue with technology. This is the same trap we often fall into as security practitioners, trying to solve a people problem with more applications. And he’ll probably find out the same thing we keep finding over and over: technology fixes for people problems don’t work. People are going to find ways around the technology if it’s stopping them from doing what they want, period. If someone wants to be anonymous, they’ll find a way. We’ve found that with almost every technology that’s ever been used to secure a corporation. You put a block on a website, your users find a proxy. You try to keep users from installing software, they find a friend in IT to help them. They will find a way around technology if it gets between them and what they need/want to do. The technology is just a speed bump, and it’s an annoying one at that.

The real problem for WashingtonPost.com is that it takes people engaged with their readers to deal with this problem. It requires having someone monitoring the comments, deleting inappropriate posts and replying to the ones that are appropriate. He’s not going to get his tracking mechanism any time soon and rather than lament the lack of accountability, he needs to understand the real problem and deal with it as a human issue. People have been commenting anonymously to newspapers for as long as they’ve existed. How many of the letters the Post gets on a weekly basis have no return address and no indication of who sent them? The difference between the real world and the virtual one is that the editor has to consciously pick which comments get printed in the paper. That same power exists in the virtual world, it just takes human interaction in the form of comment moderation. Funny to think that the more things change, the more they stay the same.

It’s pretty certain that WashingtonPost.com is spending a fair amount of money on technologies to combat aggressive, insulting commenters on their site. They’re probably spending more on technologies and the people managing them than it would cost to hire one or more people to be responsible for moderating the comments. It’s easier to ask for the money to purchase a magic technology that will solve a problem than it is to ask for more people to get actively engaged. After all, technologies have a very clear cut reason for existing whereas people have all these nasty issues that come with them, like personalities and mistakes. But if you want to solve a people problem, only people can deal with it.

By the way, does anyone really believe the Washington Post and other sites wouldn’t use all the identity information they collect for marketing if Jim Brady had his way? Me neither.


4 responses so far

May 01 2008

Feedburner stats all wonky

Published by Martin under Blogging, Site Configuration

Something is going on with Feedburner; yesterday my stats showed the highest number they’d ever shown, today they’re less than half that. I expect them to fluctuate some, but over the last month I’ve seen drops of over 1000 subscribers in a day, to be back up to their normal levels the next day. Today’s drop was nearly 2000 subscribers overnight.

Paperghost claims it’s got something to do with Netvibes, but I’m not sold. This has been happening to me a lot and for over a month, so it’s not too likely to be a single point causing this much fluctuation, unless that point happens to be part of Feedburner. There’s been very little written on this so far, so I’ll be very interested in seeing if Feedburner addresses the problem on their own. I suspect it has more to do with the integration with Google than anything else.

Anyone else seeing this type of fluctuation in your Feedburner stats? Or are you a little less stats obsessed than I am and only look at your subscriber numbers when there’s a reason? Hopefully there’s someone from Feedburner looking for posts like this who can answer my questions about stats fluctuations. Or maybe I need to tweet about it and hope they’re looking at Twitter too.


6 responses so far

Apr 30 2008

George Ou is back in the saddle

Published by Martin under Blogging

Welcome back to the world of blogging, George. After a brief hiatus, George Ou has rejoined us with his appropriately titled George Ou’s Blog: Technology for Mortals. He has a co-author on the site, Justin James, and already has more than a few posts up. George’s short write-up of a computer he built for just over $400 is nice, since I’m contemplating building another computer myself. Of course, I’m always contemplating building a new computer, it’s just getting buy-in from the wife that’s a problem. I also think George and I will be taking different sides of many PCI-related stories.


One response so far

Apr 29 2008

Security Flaw in Wordpress; Upgrade

Published by Martin under Blogging, Site Configuration

One of the things I have always hated about blogging is having to administer the web site. Moving to a hosted solution (Bluehost) earlier this year made life much easier, but there are still some issues I have to manage. One example is upgrading the Wordpress version, which Bluehost helps with by providing Fantastico and SimpleScripts to do scripted updates. Fantastico is good, but they’re a little slow to provide updates. SimpleScripts also looks good, but the verbiage in the update makes it sound like they overwrite the whole directory, not a good thing. So I found a Wordpress plugin that handles all the messy stuff for me, Automatic Upgrade.

I’m not a total wimp when it comes to this sort of upgrade, but I’d rather have it done by a script that hopefully won’t hit the wrong key at the wrong time, something I’m prone to do. I like the fact that it backs up both the Wordpress directories and the database for you before proceeding with the upgrade. It was good at disabling all of the other plugins I had running on the site, but was nowhere near as good about bringing them back up. That was a minor concern and gave me a good reason to update all the plugins too.

With a vulnerability in the Wordpress 2.x installation that can result in admin access to your site, you’ll want to get upgraded as quickly as possible. I like my hosting company, but I can’t expect them to make upgrades to my site their first priority. So I have to make it one of mine.


No responses yet

Apr 22 2008

OT: Twitter 101

Published by Martin under Blogging

If you use Twitter as much as I do, you’re bound to learn something from “Tweeting for Companies 101”. I don’t twitter for my company, but I still learned about a couple of features that I hadn’t known twitter had. I know this has nothing to do with security, but I want to be able to find it in a couple of months. You did know the blog is really my back up memory, didn’t you?


No responses yet

Apr 17 2008

Want to be a guest? Just ask.

Published by Martin under Blogging, Podcast

Ever wanted to be on a podcast but don’t have the time or energy to start one of your own? Are you already producing your own podcast but want to bring in a bigger audience? Or do you just want to take some time to express your own opinions? If any of those apply to you, take a couple of minutes to contact your favorite blogger or podcaster and ask if you can have a guest spot on their show/blog. It really is that easy, especially if you’re asking directly and not having your PR department doing the contacting.

What brought this on? After a couple of weeks on the road I finally got a chance to catch up a little on some of my RSS feeds. With about 150 feeds and a two and a half week backlog, this can take a while. So I skim a lot of articles and frankly just ignore the majority of them. But one that caught my eye was “6 Ways That Bloggers are Like Rappers”. I’ve never wanted to be a rapper, and don’t ever ask me to sing if you value your ears, but there’s a lot in this article that resonated with me. I’m prolific, my blog is my personal brand, I’m a member of the Security Catalyst Community as well as several others and I’ve definitely got a style all my own. Rich and I often do interviews, but one thing we only do rarely is have guests on the podcast as participants. There have been a couple notable exceptions lately, with Mike Murray and Tim Krabec most recently.

I’ve been a guest on a number of different podcasts, especially Pauldotcom Security Weekly (why do I always want to spell it ‘weakly’?). Every time I do this it introduces me to a new potential audience and makes me think a little differently about how I do the show and security. I learn something, which is the biggest reason I started doing blogging and podcasting in the first place. I enjoy being on someone else’s show nearly as much as I do my own. And all it’s ever taken to be a guest is reaching out to the host and asking if they would mind me being a guest for a show.

I know this isn’t about security, but one of the things I’ve been giving a lot of thought lately is how we reach a wider audience. Not just Rich and I, but security professionals in general. For the most part, we’re preaching to the choir; the people who read our writing and listen to our rants are other security professionals. This is a great audience and what makes me come back to the microphone week after week, but it’s not the group that’s going to make changes to the larger world. In order to reach the wider world, we need to talk to people who are outside of our comfort zone, people who don’t have the same mind set but might be able to teach us something and learn something in return.

So if you’re new to blogging or podcasting and want to build an audience, ask one of the people who inspired you if you can be on their show. If you’re an established blogger or podcaster who wants to reach a bigger audience, ask one of our peers, or better yet, ask someone outside the security sphere. If you want to be a guest on the Network Security Blog or Podcast … you guessed it … just ask. The worst thing that could possibly happen is you get back a ‘no’. But in all likelihood, the answer will be closer to “When are you available?”

Update: This post was republished on the RSA “Developing with Security” blog. This site is being contributed to by fellow security bloggers who continue to contribute to the security community even when there’s not a Meetup coming up.


3 responses so far

Apr 06 2008

RSA starts tomorrow

Published by Martin under Blogging, Podcast, Simple Security

Ah, RSA. An event that is equal parts excuse to meet friends, endurance test and serious security exercise. It’s one of those events that I look forward to for months, while also dreading the exhaustion I know will set in by Thursday evening. Days are spent trying to find the nuggets of truth amongst the marketing propaganda while the nights are spent wandering from party to party, drinking the same companies’ alcohol. To put it bluntly, it’s both the best and worst parts of the security sphere.

I’ve got so many friends coming to town this week, many of whom I only see at RSA. We’ve got the Security Bloggers Meetup Wednesday night, from which Rich and I will be streaming live video. There are several lunches, breakfasts and dinners with friends, as well as the chance meetings that happen every couple of steps on the showroom floor. And then there’s all the friends I just haven’t met yet that will be at RSA. If you’ve never guessed by reading the blog or listening to the podcast, I’m a social creature; I’m at my best in a crowd. I love the opportunity to reconnect with my existing friends as well as making new ones.

The endurance test comes in somewhere around Wednesday evening or Thursday morning. Tuesday night is the first of the big parties, with everyone from Microsoft to Sourcefire to RSA themselves throwing parties and having dinners at every available venue within several blocks of the Moscone Center. I have nearly two dozen different invites for Tuesday night, only a fraction of which I can even try to make. I almost forgot about the speaker’s dinner, something I get to go to for the first time this ever. Wednesday night is the Security Bloggers Meetup, and if I make it through that I’m going to buy Jennifer Leggio (aka Mediaphyter) more than a few drinks for all her hard work in putting it together. But not so many that I miss my own panel, Avoiding the Security “Groundhog Day” (BUS-302) Thursday morning. A hearty dinner and lots of water should help a lot with that.

Rich and I will be ‘micropodcasting’ from the event. We’re going to post at least two short interviews each day, Tuesday, Wednesday & Thursday. We’ll also be meeting for a recap each day to relate some of the more interesting technologies and people. The micropodcasts will be short, with a quick intro and outro, hopefully no more than five minutes apiece. They’ll be available in the same RSS feed as the main podcast, so if you’re subscribed in iTunes, you’ll be getting them already. And we’ll be streaming the video from the Security Bloggers Meetup, which is going to be episode 100 of the podcast. I’ll be posting the link for the live video stream right before the event on Wednesday. I’ve never done live streaming video before, so the thought of gremlins in the machines has me a little spooked.

I sometimes make fun of marketing/PR folks, but without them there would be no RSA event. Their efforts to sell security products, to gain attention for their companies, to talk to as many press/blogger/podcaster people as possible is what drives the security industry. There is a dark side to marketing and public relations, but I’d be an idiot to believe that the industry could survive one reporting cycle without them. But hopefully I can help see through some of the hyperbole and ask the questions that will get through to what these companies are really offering. I don’t want to hear “Our product will solve all your PCI problems, make your company secure and make you a sandwich while you get a well deserved rest!” I want to know what you can really do. And what you can do now, not with the next product release.

I’ll be twittering some, I’ll be blogging when I can and I’ll be reconnecting with friends as much as possible. RSA 2008 is going to be a blast. Friday, April 11th will be the crash afterwards.


No responses yet

Apr 03 2008

RSVP list to SBM closed

Published by Martin under Blogging

The RSVP list to the Security Bloggers Meetup closed earlier this week. We have space for 100 people and we already have significantly more signed up than that. If you’re not on the list already, please don’t try to show up that night and hope to get in. We don’t want to shun anyone, but we’re seriously overbooked already. Another thing to note: this is not a ‘+1’ event. You won’t be allowed to bring in a guest.

I’ll be putting up more information about the video stream this weekend. I am afraid of gremlins, but I hope that I have enough backup plans to defeat any of the little buggers that decide to rear their ugly heads. Having said that, I’m now even more paranoid about technical problems.


No responses yet

Mar 28 2008

The Real secret origins of the RSA Security Bloggers Meetup

Published by Martin under Blogging

Earlier this week Stephen Toulouse reminded me via twitter of an event that was a precursor to what is now the RSA Security Bloggers Meetup, a lunch for bloggers put on by Microsoft and Sunbelt Software. It wasn’t a real meetup, but it was one of the first times a company like Microsoft recognized bloggers at a major event such as RSA. Given the growth we’ve had in blogging by security professionals since then, I can only wonder what next year’s event will be like! Just make sure to RSVP early next year; we had to close the doors because we’re already full and then some for this year’s event.

Security Bloggers Meetup in 2008: The Seed was Sown in 2006


No responses yet

Mar 23 2008

Blogito, ergo sum

Published by Martin under Blogging

Hope everyone’s having a good Easter. Time to take the family out to the coast and fly a kite. Or at least have a picnic.


No responses yet
