October 2008 Archives

Prime Example of Extremist Wackos

A possible top answer to the rhetorical question "what the heck is wrong with people?!?" Glad to know we're not short of complete wackos in this country (as if you had to look farther than the White House to see that).

ATF says it has disrupted plot to assassinate Obama, kill 102 black people

MS Releases Critical Patch Out-of-Cycle

Just a quick heads-up, though I'm sure everyone has seen this already. Microsoft has released a critical patch out-of-cycle as of today. From the SANS link below, "The update addresses a vulnerability with RPC calls which can be referenced from SMB connections." It's implied that there is a remote code exploit for this bug, and the out-of-cycle nature of the patch suggests that there may be an emerging or active threat.

Primary links:
http://www.microsoft.com/technet/security/bulletin/ms08-oct.mspx
http://blogs.technet.com/msrc/archive/2008/10/22/advance-notification-for-out-of-band-release.aspx
http://isc.sans.org/diary.html?storyid=5227&rss

Additional coverage:
http://voices.washingtonpost.com/securityfix/2008/10/microsoft_to_issue_emergency_s_1.html
http://securosis.com/2008/10/23/microsoft-critical-update-today-link-to-4-pm-et-webcast/
http://www.securityfocus.com/brief/844?ref=rss

Refuting Falsehoods vs Blind Zealotry

I recently de-friended an acquaintance on Facebook because I could no longer tolerate the open disdain and hatred he showed toward a particular presidential candidate. He would constantly post links to extremist sites purporting to have the inside scoop on this candidate's hidden agenda, hidden religious bias, and other alleged secret plans. While it was true that I supported this candidate, this fellow attributed my refutation of his assertions to mania for the candidate instead of an attempt to debunk the myths he was perpetuating. In the end, he even mocked me for walking away, because he again saw my fact-checking and push-back as blind zealotry and not an earnest attempt to put aside rumor and innuendo in favor of what is widely held as the truth (it should be noted that he opposed both main-party candidates, yet only saw fit to bash the one, ironically).

It has struck me in reflecting on this situation that this sort of conflict arises very often. The political season seems to bring to life some of these age-old debates, but at their core we find behavior that plays out in the average enterprise every day. It is these hobgoblins of foolish consistency, about which Emerson warned, that plague many IT departments, and really businesses at large, in dealing with issues of security, privacy, and business continuity.

Choosing Good Passwords :)

Just when you think the Bush administration can't make a mess of anything else, you run across this little story about how the Bureau of Land Management has decided to reject the direction of Congress and declare itself free of oversight in order to authorize uranium mining just outside of the Grand Canyon. Lest you think this is a tree-hugger moment about saving a national treasure, bear in mind that this mining would impact the Colorado River, which provides drinking water for about 25 million people. No big deal, right? Sheesh...

xkcd - "Steal This Comic"

An excellent diatribe on why DRM is evil incarnate.

Contributing Writer: Truth to Power

As of this week, I'm an official core guide for "Practical Security" on a new collaboration site, Truth to Power (T2P). So, what is T2P? From their "About Us" section:

"Truth to Power is about the control of information. It is based on the premise that information is truth, and knowledge is power—both in business systems and in our heads. It is dedicated to helping IT, business, legal, and audit managers unlock the potential of information, allowing companies to dramatically improve performance and reduce risk."
Put more concisely, "Truth to Power is about connection: people to people, people to ideas, ideas to action."

I hope that you'll join me on T2P. And, if you're interested in contributing, please ping me in the comments and I'll introduce you to one of the founders of the organization. Also, while you're checking it out, please take a read through my first post, Treating Security Like Speed Limits, and let me know how you liked it.

If you've read this blog before, you know I'm a wee bit vexed by the current state of corruption and lunacy in the US Government. Here I offer a few more examples of just how scary-crazy things are getting.

Illegal warrantless wiretapping. Our brilliant Congress has gone ahead and provided indemnification for the cooperating telcos. So, how bad is it? Well, it turns out that it's about as bad as we feared, with Americans' Constitutional rights being violated regularly.
ABC News Exclusive: Inside Account of U.S. Eavesdropping on Americans

Perhaps more disturbing is the presence of an Army brigade on US soil under the relatively new "Northern Command" - a command that provided intelligence and military support for the oppression of demonstrators in St. Paul during the RNC, and one that may now support any number of illegal military operations at home. Ugh.
Is Posse Comitatus Dead? US Troops on US Streets

It seems that even the US Army (or at least this retired Col.) agrees that things are getting ridiculously bad in this country.
The End of America?

And now for a couple of articles highlighting why the McCain/Palin ticket cannot be allowed into power. They criticize Obama for his loose connection to people like Bill Ayers, yet look at the insanity that Palin brings to the party. Yikes!
The Witch Fighter Anoints Palin

The Palins’ un-American activities

Out with TMDA, In with SpamAssassin

I hate spam. I really, really, really hate spam. Most people do. None of this is probably a shock, given that I'm a security professional and heavy IT user. That being said, I've finally hit the wall with TMDA. For those not familiar with it, TMDA intercepts messages before they hit your inbox and quarantines them unless you've whitelisted the sender, or they confirm their message. In theory, this is an excellent way to go because people you know only need to confirm their message once, and after that they'll not get bothered again (unless they change email addresses).

However, in practice this doesn't work. Why? Mainly because not everybody gets it, no matter what you might put in the bounce-back confirmation message. Meaning, I end up having to go through my pending queue on a daily basis to see if mail has arrived from authorized sources that I may not have whitelisted (recruiters are a perfect example).

There's another problem, too, and one that has really driven me to the brink. TMDA is great for stopping mail from getting to my inbox, but it also facilitates bounce-back spam. Over the past couple of months, I've detected a major increase in Russian-language spam where the intended recipients are listed in the "FROM" field, on the assumption that TMDA will bounce the message with a legitimate confirmation message - a message that also includes the spam. I am, then, unwittingly making the problem worse. And, for that reason, I'm done. TMDA is disabled, but I'm not letting the spam win.

Instead, I've fixed the simscan scans being run as part of our qmail setup. All messages are now getting scanned with ripmime, clamAV, and SpamAssassin, and messages over a certain threshold are going to get dropped silently. If I find legit mail is disappearing into the void, I'll then have to increase the threshold (or decrease it if too much bad stuff gets through). However, all told, I'm hopeful that this approach will be much more effective. And, for non-IT users, much less confusing.

We'll see how this little experiment goes. Hopefully it works out. I'd be curious to hear what others are doing for spam and how effective their solutions are.
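To make the backscatter problem described above concrete, here is a small simulation contrasting a TMDA-style challenge-response filter with a silent score-threshold filter. This is an added illustration, not code from the post, TMDA, simscan or SpamAssassin; the addresses, message bodies and scores are constructed.

```python
"""Why challenge-response filtering (TMDA style) produces backscatter, and why a
silent score threshold does not. Added illustration, not code from the post,
TMDA or SpamAssassin; addresses, bodies and scores below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    sender: str        # From / envelope address a TMDA challenge would be sent to
    body: str
    spam_score: float  # score a content scanner such as SpamAssassin would assign
    forged: bool       # ground truth for the simulation: sender address is spoofed

# Constructed sample inbox: one whitelisted contact, one unknown recruiter,
# two spam messages whose From is forged to an innocent third party.
SAMPLE = [
    Message("alice@example.org", "Lunch tomorrow?", 0.4, forged=False),
    Message("recruiter@example.net", "Interested in a role?", 1.8, forged=False),
    Message("victim1@example.com", "Купите сейчас! (spam)", 12.5, forged=True),
    Message("victim2@example.com", "Дешёвые часы! (spam)", 9.1, forged=True),
]
WHITELIST = {"alice@example.org"}

def challenge_response(msgs, whitelist):
    """TMDA model: whitelisted mail is delivered; everything else is held and a
    confirmation request quoting the original message goes back to `sender`."""
    delivered = [m for m in msgs if m.sender in whitelist]
    challenges = [(m.sender, m.body) for m in msgs if m.sender not in whitelist]
    return delivered, challenges

def backscatter(msgs, whitelist):
    """Addresses of innocent third parties who receive the spam via the challenge."""
    _, challenges = challenge_response(msgs, whitelist)
    forged = {m.sender for m in msgs if m.forged}
    return sorted({to for to, _ in challenges if to in forged})

def score_threshold(msgs, threshold):
    """simscan/SpamAssassin model: deliver below the threshold, drop silently at
    or above it; nothing is ever sent back to the (possibly forged) sender."""
    delivered = [m for m in msgs if m.spam_score < threshold]
    dropped = [m for m in msgs if m.spam_score >= threshold]
    return delivered, dropped

if __name__ == "__main__":
    print("challenge-response reflects spam to:", backscatter(SAMPLE, WHITELIST))
    kept, gone = score_threshold(SAMPLE, 5.0)
    print("threshold keeps:", [m.sender for m in kept], "drops:", len(gone))
```

The unknown recruiter is the other side of the trade-off: challenge-response parks it in the pending queue for manual review, while the threshold filter delivers it outright.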

Congress: A One-Trick Pony

Ok, maybe 2 tricks - the other being "roll over." Look, our lack-luster House leader wants another economic stimulus package. Because the last one did so much for the economy, solving all problems. Oh, wait, no it didn't. Idgits.
Speaker Pelosi Calls on Bush to Support Stimulus Package

Not that politicians cared much once the earmarks came out. A good read nonetheless.
Sudden outbreak of democracy baffles US pundits

Unless you've been living under a rock the past couple of weeks, you've heard about the much-maligned "bailout" (er, sorry, "recovery" - not!) package that the US Congress has been kicking about. The plan originally allocated US$700B to the US Treasury Dept., at the discretion of the SecTreas, to buy a bunch of bad, overpriced paper from financial services companies that are acting greedy and are unwilling either to disclose how much bad paper they have or to reduce the price of the paper and incur a loss. Despite massive outcry from the public (you know, those fabled "constituents" who allegedly elected these elected officials), Congress has gone ahead and approved it today, with a few "sweeteners" added to bribe over the few hold-outs (about $110B in earmarks and tax credits - see here).

A few things have struck me about this entire ordeal and its similarities to life in enterprise security.

This is a great video - pass it around - and don't forget to get the vote out!! :) And visit VoterForChange.com if you haven't already registered to vote!


Greetings folks. Just a quick FYI, I've had an article, titled "Key Management: The Key to Encryption", published in the October 2008 edition of EDPACS. More information is available here. The article is based on an earlier blog post. Please ping me if you don't have access to EDPACS and would like to see the article.

Our wonderful US Senate delighted constituents by ignoring their demands for opposition to the bailout package (you can call it a "rescue" if you want, but the bill is actually listed on the docket as a "bailout"). Why ever would these greedy, self-serving, ego-centric prats do such a thing? Might it be because of $110 billion in earmarks and tax credits (aka "pork" aka "self-serving crap") contained within the bill (see also here)? Well of course it did, silly. These Senators weren't elected to serve their constituency, right? They're serving at the pleasure of fat-cat lobbyists and Wall Street. They're generally a bunch of wealthy old men who may or may not have worked an honest day's work in the last 30 years (politics is not an honest day's work).

American citizens: Call your US Representatives ASAP and demand that they vote NO on the ill-conceived bailout!

See here on why the bailout is such a bad idea:
John Cochrane on Why the Bailout Plan Would Be a Disaster

Snow on Mars!

Well, it's almost that time of year to think about waxing the board and riding the mountains. You'll be pleased to hear, then, that it appears that it is snowing on Mars. Now there's a freeride no human has tried yet! :)

SciAm: The white stuff: Falling snow spotted above Mars

I think I've figured out the timing of the financial "crisis" from the White House. It was designed to distract us from the expiring ban on offshore oil drilling. And now, thanks to our incredibly spineless Democratic Congress, that ban is done gone, despite significant opposition from its own constituency. Argh!

Why this is idiotic: offshore drilling will provide no appreciable benefit for at least 10 years. In the meantime, it distracts energy companies from focusing the majority of their time on alternative energies. Not to mention that it opens the door for unstudied environmental impact.

More info:
Colbert Parodies Big Oil’s Greenwashing Propaganda (Watch this one first!!!)

U.S. House votes to lift ban on offshore drilling

House lifts offshore drilling ban in passing $630B spending plan

Congress Allows Offshore Oil Drilling Ban to Expire

Excerpted from an ISC(2) announcement yesterday:
In support of the month, ISC(2) has launched Cyber Exchange where you can download original cyber security awareness materials at https://cyberexchange.isc2.org. The Cyber Exchange houses free security awareness tools from around the world, designed to be used by any organization or individual that wishes to promote online safety at work or within their community. It can also serve as a support tool for private and public sector organizations required to meet cyber security awareness training requirements under directives such as the Federal Information Security Management Act (FISMA).

(...)

Commemorated by the U.S. Congress, the goal of National Cyber Security Awareness Month is to heighten public awareness of the critical role each citizen plays in protecting information assets. We have expanded Cyber Security Awareness Month to include all of our global members because they are among the top security experts in the world and are the perfect candidates to spread the word about cyber safety. To find out more about ISC(2)'s involvement with the month and its efforts to address cyber security awareness on a global scale, please visit www.isc2.org/awareness.

This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10