Network Security Podcast, Episode 128, November 18, 2008

Show Notes:

• Battered but not broken:  understanding the WPA crack 
• Practical attacks against WEP and WPA 

No time for any music or fancy stuff like that. 

                         

George Ou has done a good job of writing up his experience from Tuesday.  George and I have different priorities, so it was good for him to ask questions I wouldn’t have thought of.  We were all impressed by the statistics concerning the no-fly list:  there are only approximately 2500 names on the true ‘no-fly’ list and another 20,000 on the extra security list.  And of those, only 10% are American citizens according to Secretary Chertoff.  For such a small list, it sure has created a big stir.

Added:  Of course, minutes after I posted this, I found out that Andrew Storms, the guy pictured to the right of me, wrote up his own experience.  I think between the excellent posts by Andrew and and George, I don’t need to feel guilty about not having time to write up my own experience. 

Deborah Gage at SFGate wrote up her impression of the conversation, which captured most of the points of the conversation rather well.  I’m just disappointed she referred to us as ‘Silicon Valley bloggers’ instead of mentioning names and blogs.  Plus, technically, only George Ou is a Silicon Valley blogger, I’m over 100 miles away in the North Bay and Andrew Storms isn’t much closer.  Still a good write up.  I have to wonder if SFGate.com has something against linking out to bloggers since we’re sometimes direct competition. 

I only took a couple of pictures as I was much more interested in taking part in the conversation and live tweeting it.  Luckily Andrew Storms caught a number of good shots of Secretary Chertoff.  And the back of my head, definitely not my most photogenic parts.  I hope to see Andrew’s take on the conversation soon.  Here are a couple of the photo’s I took of Mr. Chertoff, Andrew Storms and George Ou.  I’ll post a bit more on the meeting as time allows.  Which probably means not today.

  

I was impressed by Secretary Chertoff; he speaks plainly, with only a little of the evasion I’d expected from someone in a position like his.  I don’t agree with all his arguments and ideas, but he was very open to discussing them publicly.  I almost feel bad that he’s going to be gone come January.  I tried to tweet the whole thing as much as possible, but it’s easy to get distracted in a situation like this.  I captured the entire conversation on my little iRiver 795 and here it is so you can listen for yourself. 

Network Security Podcast, Episode 127, November 11, 2008 - Blogger Roundtable with DHS Secretary Michael Chertoff

I’m posting a copy of the live tweets in the comments, along with the replies.

• Express Scritps warns of potential large data breach tied to threat - Extortion, plan and simple.  
• A Crazy idea regarding the Obama administration and security - If you’re abut change, lets make some that might have impact
• Chinese hack into White House Network - No wonder the WH staff can’t manage to keep any email for judges to review
• Wanted:  New Antispam tactics - Aren’t the one’s we’re using working?
• Study shows how spammers cash in - Making money on one fool in 12.5 million
• I can haz TCG IF-MAP support in your security product, please... - Where’s my secret acronym decoder ring when I need it?
• A privacy agenda for the new administration - Hey, maybe the next Prez will be okay with me having some privacy
• DHS Blog Round table - Rocky came up with some of the best questions for DHS Secretary Chertoff.
• Don’t leave a trace:  Private browsing in Firefox 
• Bonehead moves - I’ve never done anything like this, honest.  I’ll share my bonehead story later this week.
• The Security Chef’s ‘Better Bird Turkey’ - Ask a question on twitter and you get answers.  Funny how that works.  Grilled turkey for Thanksgiving!

Is that enough?  I think so.

Mr. Chertoff is on his way out due to the change in leadership our country is going through, but he’s held a highly political and thankless job for some time now.  He has a unique view of the security of not only our nation, but every nation in the world.  So what would you ask the man who’s been responsible for ‘homeland security’?  What do you want to know about how we’re doing security at the highest levels?  What burning questions about the TSA and your shoes are eating away at you?  If it was you going to talk to Mr. Chertoff tomorrow, what’s the one question you’ld ask?

I have a number of my own questions, but I know that you can come up with even better.  Leave a comment on this post with the question you’d ask.  Keep it short and concise, make it topical to cybersecurity.  I won’t be asking any ‘attack’ questions, but I’m perfectly willing to ask some of the hard questions.  Personally, I want to know what it’s like to be placed in charge of Homeland Security without any real power to affect change?  Except that most security managers already know what that’s like.

We’re allowed to bring cameras and audio equipment, but no video.  Most of my equipment is for close up interviews, but I’ll do the best I can with what I have.  I’m just hoping the Secret Service doesn’t decide that some of my equipment isn’t acceptable.  Or decide that I’m a security risk at the last minute.

This happened when I was first learning to admin UNIX boxes. Another
SysAdmin and I were working on a shell script to lowercase the file
names of 30-40 million image files. They were on an NFS mount that was
used by several servers. These images were part of detail listings of a
relatively busy web site and we were right in the middle of the day.

Now that the background of the mess are fully explained, the story
gets going. We went through several revisions and were testing against
a directory on a desktop system. Nothing destructive happened during
testing and we were getting fairly comfortable with the “safety” of the
script.

We finally thought we had a working script, so we moved it to the
prod server. Then we noticed a “minor” change that needed to be made on
it. We made the change then decided that since this was a such a small,
little tweak we could run it on the live NFS mount without any further
testing. Fire in the hole!

The script took off and we watched it run. All was well. Then my
phone rang from the NOC. A panicked operator was on the phone saying,
“Hey what’s happening with listing images from xyz.com? They are all
coming up as 404s!” I killed the script while thinking some thing like
“oh crap, oh crap, oh crap!” Sure enough the script had wiped out about
50% of the images. Amazing how fast a shell script can delete when it
goes haywire.

We pointed the web servers to a backup copy of the images, then
started to recover to the production mount. The backup was a couple
days old, so our image processing guys had to re-upload the missing
work. I was lucky that the online backup was there. I had taken it for
reasons unrelated to this event. The next day I got to explain to the
CIO what had happened.

The moral of the story was backup first and test your script until
it is golden before going live. Then test it again and again and again.
Make sure you are doing at the proper time, then go to production. We
didn’t have change control, so I’d add get all the approvals now too.
Cover your butt.

It was a good lesson. I’ve never done anything like that again in the last 7 years.