May 2008 Archives

One of my dreams for at least a couple years has been to purchase a Metolius Simulator. It's a training board for climbing that you can use for hanging and pull-ups to build arm and hand strength. I'm proud to say that I now have one hung in our new home! Woohoo! And, not only that, but it turns out that I'm even able to do a wide grip pull-up, despite being at a bloated weight these days!!! Even better. :)

Though I wanted a blue Simulator, the only ones REI had were green, so I settled for a grey+green one, and I have to say that it actually looks quite decent. Once we get everything set up and settled, I'll go around and take some pictures of the place for everyone to see - and I'll be sure to include a picture of my newest toy. :)

Moving, Moved, On the Move

Just a quick note... we moved (locally) last weekend... quite the experience! Thank you a ton to Hanna's parents and friends Eddie, Yura, and Paul for lending a huge helping hand. Getting out of our 4th floor apartment (no elevators!) was quite the challenge. It left us wondering "where did all this stuff come from?!?".

As a result of the move, we will be without regular home internet service for a couple of weeks. As such, don't expect too much from me in terms of publications. We're trying wireless broadband, but it's a bit expensive, so not something we're eager to use too much.

In other news, I'm also going to be traveling a bit over the next few weeks. This helps alleviate some of my lack-of-broadband concerns, but also indicates that I'm entering a busy period that will also draw me away from writing.

And then there's all the unpacking at home... yeehaw! :)

Brief Thoughts on American Idol

Totally off the security topic, but let me just say that, for once in my life, I actually found the American Idol final to be somewhat compelling. Why? Because I didn't care which David won. David Cook (the winner) has been drawing many comparisons to Daughtry (though is clearly much more humble). I think that he'll do well in a Pop Rock career. David Archuleta is also a very good musician, despite the naysayers. If anybody out there is familiar with Josh Groban, then they'll understand how David A. can have a promising and successful career in the music biz.

My 2 favorite moments from the final:
1) Ben Stiller, Jack Black, and Robert Downey, Jr. playing the role of the "Pips" to back up Gladys Knight.
2) David Cook dragging all the other finalists up onto the platform with him while he sang out the final song upon winning the competition.

This is mildly a rant, but it's more about economics and politics and the negative effect meddling can have on the market and the citizenry. If you haven't heard, American Airlines has decided to charge $15 for your first bag checked. Combine this with the current TSA restrictions (aka "security theater" and "sheer insanity") and you're essentially going to get a new tariff on air travel. All the major airlines are already charging for the second checked bag, as of a couple months ago.

The underlying issue is allegedly fuel costs. Checked bags add weight, and thus increase the fuel required to travel a given leg. What's really at play, however, is that the old major airlines (Delta, Northwest, United, and American) are dragging massive boat anchors financially and simply are not overly competitive. United seems to have mostly figured out their problems, but it's patently obvious that American has not. What's interesting to note is that the relatively new players in the market (Southwest, JetBlue, Virgin America) are not playing these games of extra charges.

Allow me to loudly and proudly announce my admiration and congratulations to my lovely wife, Hanna, on becoming the regional 2008 Super Teacher Grand Prize winner in Virginia, as sponsored by the Virginia Lottery. For more information on the award, see the Virginia Lottery site. Also, watch their Drawings page for what will likely be a posting of the full essay submitted about her by a parent, along with a video clip of her receiving the award.

This award makes for a stellar month for Hanna, who also completed her Master of Education in Curriculum and Instruction, with a concentration in Literacy and Reading, just last week at George Mason University.

Three cheers for a well-deserved honor and an amazing accomplishment!

think you need to launch a SYN flood against 25/TCP of a small server hanging off a home DSL line... Yes, this appears to be the cause of our email problems this week. Apparently, one of the world's biggest losers thinks s/he is 1337 and is thus running a SYN flood attack against SMTP. No, I don't know why, but I'd be very curious to find out. I wondered if it was retaliation for all the bounce-back spam I saw over the weekend. Of course, all the headers were forged on all the bounces that I received, which means I should not have received the bounces at all: a properly configured MTA rejects undeliverable mail during the SMTP session rather than accepting it and then bouncing it to a forged sender address. Man, do I hate improperly configured MTAs. Anyway... loser loser loser... that's what I think of the lame schmuck DoS'ing our server.

Rant: Why My ISP Sucks

There are many reasons, ranging from the fact that moving to a new location in the same area counts as a "transfer" rather than "new service" and thus costs you big bucks for installs, to the fact that the apartment complex where I live is constantly oversubscribed (though the L1 techs love to say that DOCSIS eliminates this problem - which of course has nothing to do with the back-haul line, but anyway). What really gets me, though, are the stupid little things. Like right now, for example. My ISP blocks port 25 to everywhere but their mail relay(s). Ok, fine, I understand, they're fighting spam. But, it gets better. I just went to send an email, and lo and behold, I can't send. I receive a "mail relay not allowed" error message. Hmmm. So, I call the L1 techs and ask if there is service underway. Sure enough, there is. Shocking. What is actually shocking is that they would either take all mail relays down at once, or in fact only have a single mail relay server. In either case, for an ISP not to have a redundant relay, when all customers are forced to use it, is patently ridiculous, as is taking them all offline to do maintenance rather than servicing them one at a time and thus not affecting the customer (me, in this case). I mean, seriously, build 2 boxes, take 1 down to service, return it to service, take the other one down, then bring it back up, and we're all good, right? Sheesh... it's like 1995 all over again or something...

Mail Problems, Busy Week

Howdy folks - just a quick heads-up, we're having some mail issues this week, thanks in large part to a ton of bounce-back spam. Most likely someone harvested my email address and is using it as a sending address. Suffice to say, this is rather annoying, and causing a serious disruption to our little server.
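The bounce-back spam described here (and in the SYN flood note above) is backscatter: a spammer forges your address as the sender, and a receiving MTA that accepts the message and only then generates a bounce sends that bounce to you. The following is an added example, not code from this site or its mail server, showing how to sort incoming bounces into genuine ones and backscatter using the one fact a forger cannot know: the Message-IDs your own MTA actually issued. The sent-ID set, the two sample DSNs, and the host names are constructed for the example.

```python
"""Classify inbound bounce messages (DSNs) as genuine or backscatter.

Added example. Relies on the Message-IDs our own MTA logged as sent; a
quoted original that carries an ID we never issued was forged in our name.
SENT_MESSAGE_IDS and both sample bounces are constructed.
"""
import email
import re

# Constructed: Message-IDs our own MTA logged as sent.
SENT_MESSAGE_IDS = {"<20080512.101501.4f3a@mail.example.net>"}

# Matches a Message-ID header line quoted inside a plain-text bounce body.
MESSAGE_ID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.IGNORECASE | re.MULTILINE)

# Constructed: a proper DSN for a message we really sent (original attached
# as message/rfc822).
GENUINE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.org
To: tom@mail.example.net
Subject: Undelivered Mail Returned to Sender
Message-ID: <dsn-1@mx.example.org>
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The mailbox someone@example.org does not exist.

--b1
Content-Type: message/rfc822

From: tom@mail.example.net
To: someone@example.org
Subject: meeting notes
Message-ID: <20080512.101501.4f3a@mail.example.net>

Here are the notes.

--b1--
"""

# Constructed: backscatter from an MTA that accepted forged spam and then
# bounced it to the forged sender (us), quoting the headers as plain text.
BACKSCATTER_BOUNCE = """\
From: postmaster@badly-configured.example.com
To: tom@mail.example.net
Subject: Delivery Status Notification (Failure)
Message-ID: <dsn-2@badly-configured.example.com>
Content-Type: text/plain

Your message could not be delivered to 19 recipients.

--- Original message headers ---
From: tom@mail.example.net
To: victim1@example.com
Subject: special offer
Message-ID: <8a7f1b@zombie-pc.example>
"""


def original_message_id(bounce_text):
    """Return the Message-ID of the message a DSN claims to be bouncing.

    Looks first in a structured message/rfc822 part, then in text parts,
    because many MTAs only quote the original headers as plain text.
    """
    msg = email.message_from_string(bounce_text)
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            inner = part.get_payload(0)  # the embedded original message
            if inner.get("Message-ID"):
                found.append(inner["Message-ID"].strip())
        elif ctype in ("text/plain", "text/rfc822-headers"):
            body = part.get_payload(decode=True) or b""
            found.extend(MESSAGE_ID_RE.findall(body.decode("utf-8", "replace")))
    return found[0] if found else None


def classify_bounce(bounce_text, sent_ids=SENT_MESSAGE_IDS):
    """'genuine' if we really sent the bounced message, 'backscatter' if the
    quoted original was never ours, 'unknown' if the DSN quotes nothing."""
    mid = original_message_id(bounce_text)
    if mid is None:
        return "unknown"
    return "genuine" if mid in sent_ids else "backscatter"


def triage(bounces, sent_ids=SENT_MESSAGE_IDS):
    """Count a batch of DSNs by class; a spike in 'backscatter' is the
    signature of someone forging our address in a spam run."""
    counts = {"genuine": 0, "backscatter": 0, "unknown": 0}
    for text in bounces:
        counts[classify_bounce(text, sent_ids)] += 1
    return counts


if __name__ == "__main__":
    print(triage([GENUINE_BOUNCE, BACKSCATTER_BOUNCE]))
```

Bounces classed as backscatter can be filed or discarded without touching the genuine ones, and the count over time tells you when a forging run starts and stops. The check is only as good as the sent-ID log it compares against, so that log needs to cover every host that legitimately sends as your domain.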

In other news, apologies for the lack of posts lately. Work has been very busy, and I've also been working on a couple of writing projects, neither of which is ready for publication yet, but maybe soon. In addition, we're moving next weekend (locally) and have company coming, to boot, so I may be a bit scarce over the next couple of weeks.

Hope you don't miss me too much. In the meantime, work on your kettlebell swings! :)

Lazy Friday Pseudo Link Love

It's Friday, I'm beat, and, well, I'm just feeling a bit lazy, to be quite honest. So, here are a scant few links to interesting stories from today, of all times. If you're curious about what I find most interesting during the week, then please subscribe to my Google Shared Items feed. Links after the jump...

I was introduced to a company a couple weeks ago that I think everyone should learn a little bit more about. Why? Well, for starters, their technology is really, really cool. But, being cool isn't enough (or, shouldn't be), and so I think it would be useful to go into a little more detail. The company in question is NetWitness.

NetWitness is essentially a combination between a packet recorder, a sniffer, and a layer 2-7 analyzer. They have their own metalanguage that is used to describe data, making it much easier to sort through what you've collected. Their appliances have 12 TB of storage (yes, that is indeed a 'T' there), which is a lot of disk. More importantly, they've built reasonably good tools for digging into that data, thanks in part to their metalanguage.

Over the last few months, I've been involved in a project to help address concerns over the end-to-end management of privileged passwords (root/administrator), with a particular focus on embedded passwords used by applications to connect to databases. It's very common today for applications to have embedded passwords, such as in configuration files, for accessing databases, including apps that need to access credit card data. While some tools, such as WebLogic Server, address this concern by encrypting the passwords in the configuration files at load time, this is not necessarily a universal solution. Additionally, the distribution of passwords to these systems is generally performed in a less-than-optimal manner.
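To make the problem concrete, here is an added example (not code from this site or from any of the products mentioned) of the two halves a practitioner cares about: a scan that flags plaintext credentials embedded in an application config file, and the load-time resolution that lets the config hold only a reference to a secret held elsewhere. The `vault:` and `env:` reference scheme, the in-memory stand-in for a secret store, and the sample config are all assumptions for illustration; a real deployment would call its secret manager in place of the dictionary.

```python
"""Find plaintext credentials in app config files and resolve secret
references at load time instead of embedding the secret itself.

Added example. The vault:/env: reference scheme and FAKE_VAULT are stand-ins
for whatever secret store a real deployment uses; SAMPLE_CONFIG is
constructed for the example.
"""
import configparser
import io
import os
import re

# Keys whose values are normally credentials.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key)$", re.IGNORECASE)
# Value forms that point at an external secret rather than containing one.
REFERENCE_PREFIXES = ("vault:", "env:")

# Constructed sample config: one section embeds a plaintext password, the
# other two hold references that are resolved when the app starts.
SAMPLE_CONFIG = """\
[billing_db]
host = db1.internal.example
user = billing
password = Summer2008!

[reporting_db]
host = db2.internal.example
user = reports
password = vault:db/reporting/password

[cache]
host = cache.internal.example
secret = env:CACHE_SECRET
"""

# Constructed stand-in for a secret store, keyed by path.
FAKE_VAULT = {"db/reporting/password": "r3p0rt-rotated-daily"}


def load_config(text):
    """Parse INI-style config text."""
    cfg = configparser.ConfigParser()
    cfg.read_file(io.StringIO(text))
    return cfg


def find_plaintext_credentials(cfg):
    """Return (section, key) pairs whose value is an inline credential,
    i.e. a sensitive key that is not a vault:/env: reference."""
    findings = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if SENSITIVE_KEY.search(key) and not value.startswith(REFERENCE_PREFIXES):
                findings.append((section, key))
    return findings


def resolve_secret(value, vault=FAKE_VAULT, environ=None):
    """Turn vault:path or env:NAME into the secret at load time. A value
    that is not a reference is returned unchanged (the scan above flags it)."""
    environ = os.environ if environ is None else environ
    if value.startswith("vault:"):
        return vault[value[len("vault:"):]]
    if value.startswith("env:"):
        name = value[len("env:"):]
        if name not in environ:
            raise KeyError(f"secret {name} was not provided in the environment")
        return environ[name]
    return value


def connection_settings(cfg, section, vault=FAKE_VAULT, environ=None):
    """Build the settings a DB driver would take, with every sensitive key
    resolved from its reference; the secret lives only in process memory."""
    settings = dict(cfg.items(section))
    for key in list(settings):
        if SENSITIVE_KEY.search(key):
            settings[key] = resolve_secret(settings[key], vault, environ)
    return settings


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for section, key in find_plaintext_credentials(cfg):
        print(f"plaintext credential in [{section}] {key}")
    print(connection_settings(cfg, "reporting_db"))
    print(connection_settings(cfg, "cache", environ={"CACHE_SECRET": "c4che"}))
```

The scan is the kind of check that belongs in a build or deployment pipeline, so a plaintext password cannot reach production unnoticed; the resolver is what lets the password be rotated in the store without touching the config file at all, which is the distribution problem the paragraph above describes.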

To that end, I've found a couple products that seem to provide reasonable solutions to these problems. Following is a quick synopsis of those products and my quick thoughts on them. Please note that these comments are not compensated by either vendor. If you'd like to compensate me, buy a kettlebell! :)

Now that it's May and I've had a few weeks to recover, I've decided that it's time to finally post a thorough retrospective piece on my first attendance of the RSA Conference in San Francisco. Overall, I had a wonderful time, taking full advantage of the opportunity to meet lots of people. I approached the conference primarily as an opportunity to network with colleagues across the industry, secondarily to attend some training sessions, and thirdly to hit the vendor expo. As expected, none of the training sessions were overly technical. Conferences simply cannot have highly technical sessions because a certain portion of the presentation has to be spent on level-setting with the audience.

You can see my day-of posts from the conference here, here, here, and here. Also, pictures from the week are available here.

I'm a fan, in general, of process improvement (PI) initiatives, particularly when they equate to defining and documenting primarily undefined processes. However, given that complexity is a threat to security, I get concerned when PI programs become so complicated that it's hard to understand what's going on. I also get concerned when groups independently define processes that are related or dependent, without the proper buy-in or collaboration.

I've just finished reading Dan Geer's Verdasys publication Economics and Strategies of Data Security. It's a very interesting read, though hastily printed without adequate proofing and editing (i.e. several typos). Overall, this is a good read, though it devolves into arcana at times in performing calculations on mean time before failure (MTBF) and cost-benefit ratio (CBratio). The first half of the book is well-targeted to infosec execs, while the last half is probably best left to infosec techies who aspire to be CPAs. You can see Richard Bejtlich's review of the book here.

As I like to do with non-fiction books, below are some quotes that I found particularly interesting from the reading.

2008 Goals: April Progress Report

"Life is a series of natural and spontaneous changes. Don't resist them - that only creates sorrow. Let reality be reality. Let things flow naturally forward in whatever way they like." (Lao Tzu)

Goodness gracious, where in the world did April go? It was a blur, to be sure. Part of the reason for the apparent acceleration is that I was on the road for 10 days, first with attendance of the RSA Conference in San Francisco, CA, from April 6-12, and then turning around and going through New Hire Orientation for work in Dallas April 14-16. It didn't help that I got extremely sick along the way, too, due it seems to far too little sleep while in San Fran. Oops.

Overall, April was not a very good example of how to achieve one's goals. It does show how one's life can get unbalanced, resulting in undesired consequences. Only now, at the beginning of May, do I feel like I'm slowly returning to a more "normal" rhythm. One good thing from last month is that I got promoted to Senior Consultant. I've also passed the 6 month mark in my new job, simultaneously realizing that volunteering and waiting for people to come to you for help does not work. Instead, it appears to be better to simply initiate projects to help the overall situation, getting buy-in at key points, and then worry about correcting course as necessary (call this a bridled version of "it's easier to seek forgiveness than permission").

There is still much to be done this year. We're moving to a new place in the area at the end of May, which means all the requisite change-of-address work. Our little miss is due at the end of August. We'll have a bunch of company throughout the year as a result of our darling. Much needs to be purchased, we have birthing classes to attend in June, and so on. Hanna graduates from her Masters program later this month. And so on and so forth. I also need to read more, post a much-delayed RSA retrospective, and get back on track with writing. Oy...

What a Dud: Dani's Duds

Several friends and family suggested that we go to a consignment sale to look for baby stuff (we're expecting, if you hadn't heard). So, we got up earlier than normal this morning to hit the big annual Dani's Duds consignment sale. We had to pay $10 ($5/pp) to get in, because it was supposed to be such a big, good deal. Hanna had very high aspirations, hoping that we could find most or all of what we needed in big items (car seat / transport system, crib, changing table, rocking/gliding chair, high chair) for a couple hundred dollars or so. Or not.

SCO CEO Fails History

I don't know how many of you might have followed the alarmingly absurd and litigious organization that SCO became around 2001/2002, but there are some interesting examples of how to be stupid that can be identified. Case in point: SCO v Novell finally went to trial this week. One of the fundamental claims of SCO is that they own System V UNIX (Novell disputes this), and furthermore, that Linux is based in whole or in part on that code base. There's a great note on Slashdot today talking about how SCO's CEO, Darl McBride, has testified in direct contradiction of his own people to this effect.

The fact of the matter is that nothing could be further from the truth. Linux was developed from a completely independent code base on Minix back in the early 90s by Linus Torvalds while he was in school. Evidence of Linux's code independence, in his own words, is available from CMU, in which he states on 25 Aug 1991:

"PS. Yes - it's free of any minix code, and it has a multi-threaded fs. It is NOT protable (uses 386 task switching etc), and it probably never will support anything other than AT-harddisks, as that's all I have :-(."

What this means is that he wrote original code for everything, relying on standards such as POSIX, and modeling his approach around the GNU free UNIX approach.

Silly Darl... guess he should have spent a little more time studying history before he went off and started filing frivolous lawsuits...

Gloss over the fact that the story I'm linking to right here is on a political site, and click through to some of the reports referenced. Apparently the Internet is a threat to national security and will be the downfall of mankind. Or something like that, if you believe the FUD and hype. It's not the argument that bad people are using the Internet that I disagree with. Quite the contrary, I'm well aware of the role of organized crime and terrorists on the Internet. However, that being said, you don't throw the baby out with the bath water. The Internet has also had a democratizing effect on access to information, freedom of speech, and related areas of humanitarian concern and growth.

Inevitably, this saber-rattling will relate to building the case (this time by the State Department) to build their own cyber-security uber-group, just as the Air Force and DoD have done. If you'll recall, just last Fall the AF general in charge of cyber-warfare was making lots of noise about the terrible threats the government is facing (a good portion of which is substantiated and real), and lo and behold, his unit received a nice boost in funding.

Bottom line: don't panic, follow good security practices (or hire me to help with that), and simply accept that, like any other large community, there will be malevolent forces at work against which you need to be prepared. Not so scary, right?

More Bad Math: Gas Tax "Holiday"

Emotional issues make for interesting debates. Take the impact of rising (dare I say skyrocketing?) fuel prices on people and the economy. Now, take all that emotional complexity and throw it out the window and look at the cold hard facts (yes, I know, this is not easy to do).

If you drive 300 miles per week in a car that averages 25mpg, over the course of the Summer, given a gas tax "holiday," you will save yourself roughly $33. Not per week or month, that's TOTAL. Try not to spend it all in one place. If your car gets 30mpg, then that figure drops to around $27. And if you only drive 100 miles per week in a 30mpg car, you're saving less than $10.

Now, look at the impact on the other side. While you're saving enough for an ok meal, the government is taking an estimated $9 BILLION hit for roads and bridges. It's estimated that this downside would account for a loss of up to 300,000 jobs, not to mention all the projects not completed (bridge work, anyone?).

So, the bottom line: is it worth saving $30 TOTAL over 3 months to see a loss of 300,000 jobs? Probably not.

Hat tip to Barack Obama

