May 9, 2008

Reflections on the 2008 RSA Conference

Now that it's May and I've had a few weeks to recover, I've decided that it's time to finally post a thorough retrospective piece on my first time attending the RSA Conference in San Francisco. Overall, I had a wonderful time, taking full advantage of the opportunity to meet lots of people. I approached the conference primarily as an opportunity to network with colleagues across the industry, secondarily to attend some training sessions, and thirdly to hit the vendor expo. As expected, none of the training sessions were overly technical. Conferences simply cannot have highly technical sessions because a certain portion of the presentation has to be spent on level-setting with the audience.

You can see my day-of posts from the conference here, here, here, and here. Also, pictures from the week are available here.

Continue reading "Reflections on the 2008 RSA Conference" »

May 7, 2008

Process Improvement: Overcomplicating the Simple

I'm a fan, in general, of process improvement (PI) initiatives, particularly when they equate to defining and documenting primarily undefined processes. However, given that complexity is a threat to security, I get concerned when PI programs become so complicated that it's hard to understand what's going on. I also get concerned when groups independently define processes that are related or dependent, without the proper buy-in or collaboration.

Continue reading "Process Improvement: Overcomplicating the Simple" »

May 5, 2008

Non-Fiction Review: Economics & Strategies of Data Security by Dan Geer

I've just finished reading Dan Geer's Verdasys publication Economics and Strategies of Data Security. It's a very interesting read, though hastily printed without adequate proofing and editing (i.e., several typos). Overall, this is a good read, though it devolves into arcana at times in performing calculations on mean time before failure (MTBF) and cost-benefit ratio (CBratio). The first half of the book is well-targeted to infosec execs, while the last half is probably best left to infosec techies who aspire to be CPAs. You can see Richard Bejtlich's review of the book here.

As I like to do with non-fiction books, below are some quotes that I found particularly interesting from the reading.

Continue reading "Non-Fiction Review: Economics & Strategies of Data Security by Dan Geer" »

May 4, 2008

2008 Goals: April Progress Report

"Life is a series of natural and spontaneous changes. Don't resist them - that only creates sorrow. Let reality be reality. Let things flow naturally forward in whatever way they like." (Lao Tzu)

Goodness gracious, where in the world did April go? It was a blur, to be sure. Part of the reason for the apparent acceleration is that I was on the road for 10 days, first with attendance of the RSA Conference in San Francisco, CA, from April 6-12, and then turning around and going through New Hire Orientation for work in Dallas April 14-16. It didn't help that I got extremely sick along the way, too, due, it seems, to far too little sleep while in San Fran. Oops.

Overall, April was not a very good example of how to achieve one's goals. It does show how one's life can get unbalanced, resulting in undesired consequences. Only now, at the beginning of May, do I feel like I'm slowly returning to a more "normal" rhythm. One good thing from last month is that I got promoted to Senior Consultant. I've also passed the 6 month mark in my new job, simultaneously realizing that volunteering and waiting for people to come to you for help does not work. Instead, it appears to be better to simply initiate projects to help the overall situation, getting buy-in at key points, and then worry about correcting course as necessary (call this a bridled version of "it's easier to seek forgiveness than permission").

There is still much to be done this year. We're moving to a new place in the area at the end of May, which means all the requisite change-of-address work. Our little miss is due at the end of August. We'll have a bunch of company throughout the year as a result of our darling. Much needs to be purchased, we have birthing classes to attend in June, and so on. Hanna graduates from her Master's program later this month. And so on and so forth. I also need to read more, post a much-delayed RSA retrospective, and get back on track with writing. Oy...

Continue reading "2008 Goals: April Progress Report" »

May 3, 2008

What a Dud: Dani's Duds

Several friends and family suggested that we go to a consignment sale to look for baby stuff (we're expecting, if you hadn't heard). So, we got up earlier than normal this morning to hit the big annual Dani's Duds consignment sale. We had to pay $10 ($5/pp) to get in, because it was supposed to be such a big, good deal. Hanna had very high aspirations, hoping that we could find most or all of what we needed in big items (car seat / transport system, crib, changing table, rocking/gliding chair, high chair) for a couple hundred dollars or so. Or not.

Continue reading "What a Dud: Dani's Duds" »

May 2, 2008

SCO CEO Fails History

I don't know how many of you might have followed the alarmingly absurd and litigious organization that SCO became around 2001/2002, but there are some interesting examples of how to be stupid that can be identified. Case in point: SCO v. Novell finally went to trial this week. One of the fundamental claims of SCO is that they own System V UNIX (Novell disputes this), and furthermore, that Linux is based in whole or in part on that code base. There's a great note on Slashdot today talking about how SCO's CEO, Darl McBride, has testified in direct contradiction of his own people to this effect.

The fact of the matter is that nothing could be further from the truth. Linux was developed from a completely independent code base on Minix back in the early 90s by Linus Torvalds while he was in school. Evidence of Linux's code independence, in his own words, is available from CMU, where he states on 25 Aug 1991:

"PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT protable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(."

What this means is that he wrote original code for everything, relying on standards such as POSIX, and modeling his approach on the GNU project's free UNIX.

Silly Darl... guess he should have spent a little more time studying history before he went off and started filing frivolous lawsuits...

May 1, 2008

The Internet is of the Devil

Gloss over the fact that the story I'm linking to right here is for a political site, and click through to some of the reports referenced. Apparently the Internet is a threat to national security and will be the downfall of mankind. Or something like that, if you believe the FUD and hype. It's not the argument that bad people are using the Internet that I disagree with. Quite the contrary, I'm well aware of the role of organized crime and terrorists on the Internet. However, that being said, you don't throw the baby out with the bath water. The Internet has also had a democratizing effect on access to information, freedom of speech, and related areas of humanitarian concern and growth.

Inevitably, this saber-rattling will feed into building the case (this time by the State Department) for their own cyber-security uber-group, just as the Air Force and DoD have done. If you'll recall, just last fall the AF general in charge of cyber-warfare was making lots of noise about the terrible threats the government is facing (a good portion of which is substantiated and real), and lo and behold, his unit received a nice boost in funding.

Bottom line: don't panic, follow good security practices (or hire me to help with that), and simply accept that, like any other large community, there will be malevolent forces at work against which you need to be prepared. Not so scary, right?

More Bad Math: Gas Tax "Holiday"

Emotional issues make for interesting debates. Take the impact of rising (dare I say skyrocketing?) fuel prices on people and the economy. Now, take all that emotional complexity and throw it out the window and look at the cold hard facts (yes, I know, this is not easy to do).

If you drive 300 miles per week in a car that averages 25mpg, over the course of the Summer, given a gas tax "holiday," you will save yourself roughly $33. Not per week or month, that's TOTAL. Try not to spend it all in one place. If your car gets 30mpg, then that figure drops to around $27. And if you only drive 100 miles per week in a 30mpg car, you're saving less than $10.

Now, look at the impact on the other side. While you're saving enough for an ok meal, the government is taking an estimated $9 BILLION hit for roads and bridges. It's estimated that this downside would account for a loss of up to 300,000 jobs, not to mention all the projects not completed (bridge work, anyone?).

So, the bottom line: is it worth saving $30 TOTAL over 3 months to see a loss of 300,000 jobs? Probably not.

Hat tip to Barack Obama

April 30, 2008

Security Poetry...

Love the Hoff
You know you want to
    Unconvinced?
His poetry will sway you

April 29, 2008

PCI App Security, Kraken Hackback Ethical Dilemma, and MS Forensics

I realize that I've been a bit light on infosec subjects lately, so thought that I'd better get back on topic. :) There are three bits out today that I've found particularly interesting.

First, more information has been released by the Payment Card Industry regarding their DSS 6.6 requirement on application security. It's a very insightful read and should help calm the nerves of those doing compliance.

Second, TippingPoint has broken into the Kraken botnet, to the tune of potentially controlling 25,000+ compromised hosts. They're now debating the ethics of using the infection to clean and secure the infected hosts. This issue is not nearly as simple as some might imagine. For one thing, to do so could be illegal. For another, who knows how much liability could be involved, especially when considering the law of unintended consequences.

Third, it's been disclosed that Microsoft has been providing law enforcement with free USB pendrive toolkits for forensics response purposes. It's not clear what all is on these devices, though one might assume many of the SysInternals tools are included (MS bought them a while back). Some have raised questions about the quality of evidence collected using these tools, since many of us doubt that write protection is enabled, etc. These devices appear to be designed for live response and require physical access to the box. I am curious about how they're bypassing the login screen, where they're capturing data to (is MS playing custodian for network-based data capture?), and what toys they've included. Hopefully there aren't any secret backdoors that will be subsequently exploited. :(

Creative Commons License
This weblog is licensed under a Creative Commons License.