Buy My ShmooCon Ticket!!
Due to pending inclement weather, I've bailed on my plans to attend ShmooCon this weekend. As such, my barcode is now available. Please ping me asap if you're interested!!

Thank you to The ISSA Journal editorial board and staff for this distinction!
Hey there conference attendees - it's time to find your groove and hop on the bandwagon for Security BSides. We have two events coming up VERY SOON - now's the time to act! Security BSides events are free to attendees, relying exclusively on the generosity of volunteers and sponsors.
Speaking of sponsors, we still need some, especially for BSides Austin! Wondering about the value proposition? Check out the Security BSides page on Sponsoring. Please let me know if you have questions or interest in helping out!
Continue reading "BSides or Be Square: San Francisco and Austin" »
This post has pretty much nothing to do with infosec, but rather comes on the heels of yet another Vikings OT NFC Championship loss. It's the only game I know of where so much emphasis is put on player skill and development, and yet comes down to the flip of a coin at the most crucial point of the game: Overtime (OT).
For those unfamiliar... in the NFL, and only the NFL, if the teams are even at the end of regulation, then OT commences as follows: the ref flips a coin, the visitors call it, and whoever wins takes the ball, because it is immediately "sudden death" (that is, the first team to score wins). The inherent unfairness here is that 60% of the time, the winner of the coin flip scores and wins the game, most often without their opponent being given a chance to score (this is based on stats I'm too lazy to dig up a citation for). At all other levels, both teams are given a possession to attempt to score.
I finally bit the bullet and tackled some of my back-log of non-fiction reading. I've been spending most of my free reading time on the Discworld by Terry Pratchett. That being said, I've just zipped through a couple non-fiction titles of note, The 50th Law by 50 Cent and Robert Greene, and Managing Softly by Bertrand Jouvenot. Both are quasi business/life-skills type books. Following is a quick-hit summary of each.
Continue reading "Non-Fiction: The 50th Law & Managing Softly" »
Hold onto your hats, folks, cuz there's a PR/marketing storm sweeping the lands! It seems that Microsoft has decided to take the "bold" step of removing the IP address associated with a search query starting now at the 6-month mark. Ooooo how exciting. (that was cynicism) Actually, I could really care less. Well, ok, I think this is a good thing, but let's be honest here, it's so minor and trivial that it is just the thing for PR/marketing, not really the thing for actual meaningful privacy improvements.
So, why all my cynicism on the topic? Allow me to draw your attention to the AOL search data leak of August 2006. For a quick background on that story, check out these links (don't worry, I'll wait):
* Wikipedia
* TechCrunch
* EFF
Andrew Hay posted an interview with me today as part of his "Security D-List" feature. Check it out here:
http://www.andrewhay.ca/archives/1286
I was going to write a lengthy post on how I think that we give Google too much information, and that we trust them far too much. They are, after all, a for-profit enterprise. They have motivations just like any other enterprise, despite their alleged "do no evil" mantra. Add in the flawed perspective of their chief exec with his statement that "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place." (see here for more on that)
However, rather than waste a lot of bandwidth, allow me to just point you to a recent Rich Mogull post that pretty much sums things up.
Securosis: Google, Privacy, and You
I've been saying it for a while now... IBM was the "bad guy" until Microsoft displaced them... Microsoft has been the "bad guy" for quite a while now, but they're quickly being displaced as well... Google is the new boogie man, and for very good reason. They have too much information, too much control, and they've asked us to have too much faith in their willingness to put "good intentions" over "profit." As with any enterprise, we should always look at the profit motive behind key decisions - whether it be turning HTTPS on by default for GMail, or threatening to withdraw completely from China.
Just sayin', fwiw.
Help me out, folks, cuz I'm at a loss here... I think there's something seriously wrong with DIRECTV's billing system... or maybe it's billing systems? The past couple months I received summary statements by email that said I owed $0.00. This was great - free TV, who wouldn't like that? So, just to be sure, I go online, and sure enough, the online statements say that I owe $0.00.
Then I get my credit card bill (yeah yeah misconfigured payment method sue me - actually, check that, it wasn't my fault, but anyway)... I have charges for the months of Nov and Dec - the very same months where the statements said I owed $0.00. ?!?!?!?!?! So, I start digging further and I find that, yes, the statements do in fact reflect a payment made in conjunction with the billing cycle. As a matter of fact, it turns out that the reason my bills said I owed $0.00 was because they were charging me on the same day that the statements were generated, which meant that my summary would zero out even though I'd just made a payment.
A man recently slipped through the airport security exit at Newark to accompany his girlfriend to the gate. TSA typically has a guard or two stationed at these exits, but in this case the guard had wandered away, leaving the exit unattended, leading to the "breach" of security. The man has since been identified and arrested, and he faces trespassing charges in the State of New Jersey. That's right, there's no federal violation here, nor is there in fact even a major violation of law. He simply ducked a rope and walked the wrong way so he could spend a few extra minutes with his girl.
The way the media tells it, you'd think he was the Antichrist bringing the Apocalypse. On the heels of the failed Nigerian Underwear Bomber, the masses have already been whipped into a frenzy. This incident just takes that to the next level. Check out these news stories about the incident, paying close attention to the "average citizen" interviews at the end. Note the panic, the hysteria, and - in particular - how very low frequency events like this are met with shock, outrage, and outright hysteria. The mother escorting her son to his first international flight stood out for me as the most indicative of the problem. See Schneier here for his thoughts on the knee-jerk security theater reactions to incidents.