Archive for the 'General' Category

Feb 15 2012

Why are we talking philosophy instead of technology?

Published by under General,Risk,Simple Security

A friend of mine recently complained on Twitter that, according to his count, nearly 80% of all talks given at the security conferences he’d looked at recently were now non-technical.  It might be in part because he’s @ramblinpeck on Twitter, aka Daniel Peck, Research Scientist or something like that at Barracuda Networks.  Which is my way of saying his idea of a technical talk might be a little more technical than many people’s.  But whether you’re at his level of technical expertise or mine, I think he’s got a valid point in saying that at most security conferences, the majority of the talks are less about the technical aspects of security and more about the philosophy or generalities of security.  And that’s probably the way it should be.

Why should most talks be more about principles of security and less about the technical aspects of security?  The first reason is that, with a few exceptions, the whole reason that conferences exist is to get butts in seats and to a place where vendors can get at them.  Even community-led events like the BSides movement are about getting people to attend and mingle; the goal is still to create an atmosphere that draws people into the event and around other like-minded individuals.  And many technical talks are counter to that goal, not in their content, but in who they pull in.  For example, a talk about a bug in a compiler on an OS X box is great for the few individuals in the crowd of attendees who a) work on Apple systems, b) are worried about bugs in compilers and c) have enough technical knowledge and interest to travel the distance to attend an event.  But the other 98% of the people interested in security who might be willing to travel to an event will take a look at the subject matter and decide it’s not for them.  Finding the right audience for any deeply technical talk is an art form at best and in most cases is more closely akin to guesswork than anything resembling a science.

A second reason it’s hard to have technical talks at security conferences is because of the wide variety in skill levels attained by security professionals.  I’m fairly smart, I’ve been in security for a long time and I understand at least the basics behind most of the technologies that make the Internet tick.  There are even one or two aspects of security that I can do the deep geek dive with almost anyone.  But when a talk is given that assumes a level of expertise that may not exist in more than a dozen people worldwide, I’m going to be left out and leave the talk annoyed and confused.  Or worse, if a talk was advertised as being technical but I find out when I attend that it’s a primer level of technical and I already know most of what’s being presented, I’m going to be annoyed, probably vocally so, and tell people that the talk was mislabeled.  It’s very hard, if not impossible, to create a presentation that captures multiple levels of technical background and it’s even harder to look at an abstract for a talk and decide what level of technical expertise it’s appropriate for.  Which, again, makes it less likely that the talk will be selected for a conference.

The third, and possibly most important, reason we’re talking about the philosophy behind security more than the technology is that so many of the assumptions that have gone into building the technology are wrong!  Security isn’t something that was designed into the Internet and corporate networks from the start, it was bolted on after, the cracks were spackled over and huge loads of duct tape were wrapped around the whole thing and it was called ‘secure’.  Or, more often, security has simply been ignored as a cost center until a compromise happens and data is lost.  Instead of building a cohesive, multilayered approach, we’ve built a collection of point solutions, few of which actually deliver on their promises and even fewer of which are properly configured to fully deliver what they’re capable of.  Given some of the compromises we’ve seen over the last year, we have every reason to believe what we’re doing isn’t working.

We’re at a point where we need to re-examine the fundamental thinking that underlies how security works.  It’s not an issue of flipping the evil bit off in a packet, it’s an issue of engineering a new set of solutions from the ground up.  The technical aspects of these solutions will be vitally important, but unless we can understand the underlying assumptions we’ve made, we’re going to make the same mistakes again on an even larger scale.

Security professionals come in all levels of technical expertise, but all of us benefit from a better understanding of the philosophy that underlies our decision-making processes.  I think that understanding where your decisions are coming from is even more important than the technical details of how those decisions are implemented.  I’ve seen many technical decisions made that looked good in the short term, but led to dead ends both in terms of the technology and the opportunities that the decisions limited.

This is all my way of saying that I believe an 80/20 split of non-technical to technical talks is probably appropriate for most security conferences.  The majority of people aren’t going to care about a specific technology because it simply doesn’t affect them directly.  But so many of us want to understand the underlying foundations of our chosen field.  It’s great to dig into the deeply geeky details of a protocol, but the vast majority of professionals will never need to do that for fun or for profit.  But every person who works in the security field needs to understand the philosophy that goes into making security decisions at all levels.

PS.  I’ll be giving a related talk, ‘Fundamental Flaws in Security Thinking’ at BSidesSF on Tuesday, February 28th at 1pm.  Come tell me how I’m wrong.


Jan 26 2012

Standing Desk 2.0

Published by under General

If you follow the blog, you may remember that several months ago I built myself a standing desk out of some cheap lumber and plywood I had in the garage.  It took an afternoon to build and was a proof of concept as to whether or not I’d actually like working at a standing desk.  The funny part of the project was that it took me longer to draw it up in Google SketchUp than it did to actually put the desk itself together.  After several weeks of working at the desk I decided I really liked it and wanted a more permanent version that I could feel was an actual piece of furniture and not just something that looked like an escapee from the lumber pile.

The first week or two that I had the desk, there was some definite back and foot pain as I transitioned from sitting 12-14 hours a day to standing for the same amount of time. But it was very apparent after I’d made the adjustment that a standing desk was the right decision for me.  I felt better at the end of the day and there’s a certain mental energy that comes from standing and walking around the office that I never had while sitting.  It’s hard to describe, but standing seems to put me in a slightly different state of mind than sitting does.  And, along with walking 2-3 miles a day, I’ve lost nearly 10 pounds since the beginning of the year, though I attribute that more to the walking than the desk. Oh, and there was one problem which was created by playing MineCraft for about 6 hours straight over the Thanksgiving weekend, but I don’t blame the desk for that.

There were a few things about the desk I wanted to change after working on it for two months.  The first was the top shelf; the original shelf was six inches shorter than the desktop on each side and while it fit two monitors fine, I wanted to add a third so I can put my work laptop on it as well.  Making it the same width as the desktop was the perfect solution, all three monitors fit perfectly on the shelf.  I can check work email, personal email and twitter with just a glance.  I also wanted the bottom shelf to be lower, since the space underneath it was wasted and I hoped to add another shelf.  Finally, I wanted it edged, sanded and finished so it actually looks like a piece of furniture.

All of this is why I asked my father-in-law to help me build version 2.0 when he came down for Christmas week.  He’s not a professional carpenter, but he does woodworking for fun like I do computers and security for fun.  Except he’s been doing the woodworking since before I was born, and experience counts for a lot.  We went shopping for wood, picked up some decent 2×4s and 4×4s, cabinet-grade plywood and a really big can of stain/polyurethane mix for me to put a finish on with.  At which point I gave him my plans from the original and the changes I wanted to the design, and got out of his way.  He came back with an offer to add a pair of drawers to the design, something I wanted, but didn’t have the skills to make myself.

When I made version 1.0, it took a Saturday afternoon; when my FiL made version 2.0, it took five days to complete the desk and another week for me to put two coats of stain/poly on the supports and 4+ coats on all the other parts of the desk.  I got slightly carried away and put six thin coats on the front of the drawers.  And because the desktop is two pieces of 3/4″ plywood together, it took calling my younger brother in order to manhandle the desk into the office.  But once everything was in place, it was worth every bit of the effort we’d put into it!

So there you have it, my experience in building a standing desk.  I’d say it was worth it, but maybe I’ll write more on it in a year or so.  I have a lab stool to sit on when my feet start to hurt, but I only use that about 15 minutes a day, maybe a little more if I decide to play any games on my PC at the end of the day.  I get a little confused once in a while when the mouse doesn’t work, until I realize I’m using the wrong mouse and have to take a step to the left or right.  I also had to put a piece of stained wood under one of my monitors, since they’re not the same height.  And version 1.0 wasn’t dismantled; it was moved into the garage, where it will spend the rest of its life as a workstation for playing with Arduinos, Lego Mindstorms and occasional light soldering.  And maybe a little locksport as well.


Jan 09 2012

Open tabs 01/09/12

Still feels a little funny to be putting the ’12 in the year column, doesn’t it?  I’m sure the feeling will go away by March or April.  And it’s getting started as an interesting year already, with Symantec’s source code and courts approving warrantless GPS monitoring.  I bet neither of those was captured in the “Top 11 Predictions for 2012” so many pundits and bloggers put out at the end of the year.

Personally, I’m starting the new year with a ton of writing to do.  Despite my best efforts, I didn’t blog as much as I would have liked to in the last few months, but I know that has to change.  I have to start writing for the Akamai blog, I’ve got information for the Security Bloggers Meetup to post and I get several offers a month to write for other publications.  Then there are the internal projects that are in motion, at least one of which is requiring me to think in new and interesting ways in order to get concepts on a page properly.  Plus I’ve got lots of interesting toys at work to play with; what questions would you want answered if you had access to the logs for a significant portion of the Internet?  That’s actually a serious question I have to blog about some day soon.  I’d like to hear what people want to see in a report.

And speaking of the Security Bloggers Meetup, I was nominated for two Social Security Awards last week.  Rich Mogull, Zach Lanier and I were nominated for the work we do on the Network Security Blog, and I was nominated for Best Post for my “Curing the Credit Card Cancer” post.  Rich and I both sit on the committee that puts together the Security Bloggers Meetup, though neither of us works on the Social Security Awards, so before this year we’d ruled that everyone on the committee was not eligible to be nominated.  Alan Shimel changed the rule this year; he felt that since we had nothing to do with the SSAs, it was unfair to exclude us.  So, go vote for us.  I’d love a chance to beat PauldotCom and the other contenders for Best Security Podcast.  I’ve read the other blog posts; I don’t have much of a chance for the Single Best Post.

Open Tabs 01/09/12


Dec 26 2011

Open Tabs 12/26/11

Christmas is over!  I hope yours was good, but I personally find the whole build-up and let-down stressful and I’m glad when it’s done with.  Especially the part where my kids are home from school for a week and whine every time I tell them to get out of the house for a little while before I have to hurt them.  Not that I’d actually hurt my kids, but it’s sometimes the only threat that will get them moving.

There have been some interesting stories leading up to Christmas, and it’ll be interesting to see what’s been happening behind the scenes while the majority of us have been chomping on candy and ripping open our presents.  I have nothing to support the theory yet, but I strongly suspect most of the bad guys left their tools running while they took some time off, so there might be reports of compromises in the not too distant future.  After all, there were a couple of reports that came out before the weekend, perhaps hoping to get ignored and bypassed in the Christmas craziness.

A quick thought on the boycott of GoDaddy over the SOPA legislation.  GoDaddy is such a minor player in this realm and probably signed on to the legislation like a little brother following his older brother, Big Media; they wanted to sound and act cool in the eyes of everyone else without having the faintest idea that what they were doing had real-world consequences.  Boycotting GoDaddy is like bullying the little brother when what you really want to do is punch the elder brother in the eye!  It’s ineffective, both in the long run and in the short term, to boycott GoDaddy when what we should really be doing is making the larger players behind SOPA aware that this is an evil and unacceptable way to try to regulate the Internet.  A crowdsourced list of SOPA supporters is available as a Google doc.  If you really want to do something important, boycott some of the big boys on the list and quit going to their movies and buying their products.

Open Tabs – 12/26/11

  • Chinese computer hackers hit U.S. Chamber of Commerce – I wonder what our hackers are doing to the Chinese behind the scenes.  Not the vocal ones on the con scene, the ones employed by the Three Letter Agencies.  Never mind, we don’t do that, do we.
  • LOIC (Low Orbit Ion Cannon) – DoS attacking tool – The tool is old news, but this is a pretty good writeup.  If you want to know more though, one of my co-workers could tell you a few things more about how it works.
  • The Thought Leader … One year later – Chris Eng’s further harpooning of the information security thought leaders.  I know about half of the video applies to me at least as much as it does anyone else. 
  • How hackers gave Subway a $30 million lesson in point-of-sale security – There’s another meaning for POS, especially when you don’t bother changing default passwords and trust owners to follow procedures.
  • The Dark side of B-Sides – I’m staying out of this fight, since I know all the players.  But I know there’s a lot of truth to both sides of the stories, and the sooner this can be opened up and the aired out, the better for everyone involved.
  • Hackers steal data on millions of Chinese net users – No need for nefarious government hackers when criminals will hack into Chinese sites because the data they hold might be worth something.
  • Insurance against cyber attacks expected to boom – Let’s just insure our systems rather than taking the time to secure them!  Because the insurance companies won’t place caveats on what’s insured and what constitutes a breach of contract to include poor maintenance control, will they?  “What do you mean our insurance doesn’t cover this?” is a phrase I expect to hear once cyber insurance (I shudder at the name) becomes commonplace.
  • Congress calls on Twitter to block Taliban – Oh yeah, because it takes so much to set up another account and tell everyone to go there instead.  And because censorship should always be one of the first tools used by a free, democratic system.  These people spend too much time thinking in hyperbole and too little time thinking in reality.


Nov 03 2011

Open Tabs 11/03/11

This week’s podcast conversation with HD Moore and Josh Corman was a good thing.  Getting the ideas of “HD Moore’s Law”, the security poverty line and security debt out there lets other people beat on the ideas, examine them for flaws and hopefully incorporate portions of the concepts into their own thinking.  This is, after all, the whole reason I started blogging and podcasting in the first place.

Open Tabs 11/03/11:


Oct 31 2011

Open tabs 10/31/11

It was a fun Halloween, or at least as much fun as it can be if you spend the whole day home working.  It would have been fun to be in the office today to see my co-workers in their costumes, but I had far too much to do to make the commute to my office.  Tomorrow, however, is a different story.  We’ll actually have a podcast this week, since I sat down and talked to HD Moore and Josh Corman about “HD Moore’s Law”.  If you don’t know what that is yet, tune in tomorrow.

Open Tabs 10/31/11


Oct 30 2011

$65 Standing Desk

Published by under General

          

I’ve wanted a stand-up desk since I was a kid.  Except then they were called ‘drafting tables’ and they weren’t set up for computers; they didn’t have a place to put the monitors and they were slanted to make drawing easier.  I work from home more often than I do from the office, which means I have my computer at home and work on it for 8-10+ hours a day, which I previously spent sitting in the same chair.  I spent even more time sitting in the chair since the same office space is also my play area in a lot of ways.  I record my podcast, I surf the net and I play video games all on the same set of systems and controls.  Which means I was really spending 12+ hours every day sitting at the same exact desk.

I am not a great carpenter, funds are tight at the moment and I couldn’t honestly say that I’d like using a standing desk, so I decided to make one that was quick and dirty out of a 4′x8′ sheet of 5/8″ plywood I already had, and picked up three 8′ 4×4s and six 8′ 2×4s.  I probably could have done it with a couple fewer 2×4s if I’d planned the cuts better, but I didn’t.  The planks cost me $40 total at a local Home Depot and the plywood probably cost around $25 when I purchased it, so essentially the standing desk cost me about $65 to build.  I had a lot of 3″ screws from various other projects, since I am a homeowner and have had to use them on plenty of other projects.  I used a couple of squares, a long straight edge, a pair of saw horses, a miter saw, a Ryobi cordless saw and drill and a small orbital sander.  My first big problem was making sure that the miter saw was square, which took quite a bit of tinkering.  Oh, I also used a countersink to drill all the screw holes.  I don’t think any of these are tools that the average homeowner doesn’t have, except for the miter saw.  It’s hard to saw through the 4×4s without it, but a hand saw will do if you’re very careful.

Two decisions drove most of the design of this desk:  How high should the desktop be and how high should the monitors be?  I did a fair amount of research (well, a couple of hours at least) and most of the sites I read say the top of the desk should be within a few inches of the level of your elbow.  I went a little lower with mine, which is how I ended up with a desktop height of 42″.  My elbows aren’t at a 90 degree angle, but they’re not too far off.  My monitor is 19″ tall and my reading suggests that the top of the monitor should be at the level of the top of your head or slightly below, so the shelf for the monitor came in at 53″, placing the top of the monitor at 72″, about 4″ below the top of my head.  This gives me a slight downward angle to a lot of the things I look at on screen, which seems to work pretty well so far.

The middle shelf I put in for a number of the things I need space for but don’t access on a daily basis, such as my printer, my subwoofer and my mixer.  I extended the ends of the shelf over the supports by 6″ and placed my computer on one end.  The plywood is strong enough to support my computer easily; it gets the computer off the floor and solves a lot of my dust problems.  Actually, the desk and the fact that it’s so open below solved a number of dust problems I’d had for years and gave me a lot more access to the space under and around the desk.  The fact that my monitors and mixer don’t take up desk space gives me a much more effective space to work with and relieves the need to clear space when I want to work on something that doesn’t require a keyboard.

One thing I had in mind from the beginning but didn’t put in until the desk was in my office was the foot rest in the front of the desk.  I’d put it in the original design (comic sketch, really), but decided not to put it in at first.  But a couple hours of standing at the desk made me realize I needed it there in order to help both with changes in my stance and to give the desk a little more stability.

So far, I really like the desk.  My back is not in great shape and I have to take a fair number of small breaks during the day to let it rest, but the recovery time has become noticeably less already.  Finding a chair that is tall enough to allow me to sit occasionally and continue to work has not been easy.  I finally found one online, the LabTek Drafting Chair, that looks like it will be tall enough for me to use without having to look up too drastically at the monitors.  There are a number of changes I’ll make when I have the time (and help from my father-in-law) needed to create a finer version of this desk.  The biggest thing will obviously be much nicer wood than what I have now.  Cheap 2×4s and plywood are nice for a prototype, but for something long term, they won’t do.  The second change will be to extend the top shelf the full width of the desk and maybe even a little beyond.  I’d like to be able to fit a third monitor on the shelf.  I’ll then be able to fit my work laptop and monitor on the desk, rather than having them on a second desk like I do now.  I do a lot of my communication with co-workers on my personal system rather than the work system, a side effect of using Skype a lot.  A few other potential changes are:  raise the desktop an inch or two, put in adjustable feet and use a brass footrest like you see in a bar.  I’ll also round most of the edges, which I did with the orbital sander on this version, but I’d use an actual round-over bit in my router next time.  The power tool, not the thing built by Cisco.

In order to draw up the desk, I asked the Twitterverse what program I should use to draft it.  The reply that came back from a number of people was Google SketchUp.  The program was a little frustrating at first, but once I gave up and actually watched the first few primers, it ended up being a fairly easy project to do.  You can see a JPEG created from the program below, or you can download SketchUp and my sketch here.

Let me know what you think.

Update:  I was asked to add some of the links I’d looked at in making the desk, and I have to start by saying I was remiss in not stating that the real impetus for my creating my own standing desk was Leigh Hollowell’s post “Making My Standing Desk”.  Leigh is a friend who made a desk using a pair of Ikea chests and a beech desktop.  I looked at the Ooda chests she used and they were too short for what I wanted, and something of the appropriate size for me was almost $200 each, much more than I wanted to spend.  And as we discussed on Twitter, I’ve had to learn a lot more carpentry than she has, since I own an older house.
Links:


Oct 30 2011

Open tabs 10/30/11

Published by under General

It was a good week.  I took off Monday for Miami and the Hacker Halted conference, where I caught up with a number of friends and enjoyed some good talks.  George Kurtz from McAfee was very educational, first because of his subject matter, “Have we lost the war on Security”, but also because he’s a very polished and experienced presenter.  I haven’t done a ton of presenting and I appreciate any chance I can get to see someone who’s at the top of his game at it.  It also helped create a minor Twitter storm, which I also enjoy.  On day 2, I got to present with my friend Mike Dahn, which went off extremely well if I do say so myself.  Mike and I don’t practice our presentation, but we’ve got a good back and forth between us that keeps the energy high.  And to top everything off, I got to have dinner at my favorite Cuban restaurant in Miami.  Which is not saying as much as you might think, since I’ve only eaten at a couple of Cuban places in Miami.

Open tabs 10/30/11

  • Facebook is looking for a Security Outreach Program Manager – Not for me, but maybe someone who actually uses Facebook might be interested.
  • U.S. firm acknowledges Syria uses its gear to block web – Now they’re admitting it at least.  I have it on good authority that their software licensing is so poorly implemented Blue Coat really doesn’t have any idea where their systems end up.  Good excuse.
  • Dolphin HD browser snared in security breach – “We fixed it in the latest patch.  What?  That patch didn’t fix it?  The next one will, we promise!”
  • DSD wins US Cybersecurity Innovation award – They had me up until they said “whitelisting”.  That’s a great idea that almost never works when it comes to real-world implementation.  Seriously, in nearly 15 years in the industry, I’ve never run into a fully implemented whitelisting program, or even a well-run partial implementation.
  • Online hackers threaten to expose cartel’s secrets – A member of Anonymous was kidnapped, so Anon replied by stating “Release him or we’ll release everything there is to know about you.”  Finally, a good use of the power of Anonymous.
  • Top foreclosure firm threw homeless themed Halloween bash – Not security related, but this is the most tasteless, reprehensible and disgusting example of a firm that puts greed first and to hell with anyone not able to defend themselves.   If these guys weren’t already undergoing several investigations, this would hopefully open a few.
  • Skype goes after reverse-engineering – I’m not certain this is an appropriate use of the DMCA, but I guess that’s part of why I’m not a lawyer.
  • My own wikipedia article – Thanks to the guy who started this Wikipedia page on me, even though a number of the ‘facts’ about me aren’t quite right.  I did correct a couple things, but in the spirit of ‘don’t write your own bio’, I’m trying to stay away from it and just seeing what happens. 

Oct 28 2011

Open tabs 10/28/11

Published by under General,Privacy

I spent the week at the Hacker Halted conference in Miami and had a great time.  Except for the part where my iPad gave me an error message stating it needed to be restored from backup and commenced a reboot cycle.  Which lasted until Wednesday afternoon.  Nothing like being at a security convention and having mysterious issues with your electronics.  Talk about having your paranoia spike off the chart!  My talk with Mike Dahn on Compliance in the Cloud (it really is about more than just PCI) was well received, and we should see our interview with Tony from InfoSec Island online within the next couple of days.  I’m glad to be home with the family for a little while before hitting the road next week to speak at BSides DFW.  I actually get to give the closing presentation.  No pressure there.  But in the meantime, I have an appointment to keep with my coworker Josh Corman and Rapid7’s HD Moore to talk about Josh’s idea, “HD Moore’s Law”.

Open Tabs 10/28/11


Oct 23 2011

Open Tabs 10/23/11

Published by under General

Yesterday was a very productive day, and I’m more than a bit proud of myself.  I’ve been working from home for more than a few years now and I’ve gotten progressively bigger and bigger and in worse and worse shape.  I’ve been in worse shape than I am right now, but it’s been a downward trend recently, something I haven’t been doing enough to combat.  So I decided to quit researching stand-up desks and make a prototype stand-up desk for myself, something I can use to decide if I want to invest in the wood to make something more polished and longer lasting, with the help of my father-in-law, who actually has decent skills at woodworking, something I’m sorely lacking.  I’ll write up the desk in a week or two when I’ve had a chance to use it for more than a few hours.

Open Tabs 10/23/11

