Recently in miscellaneous Category

In Brief: InfoSec Island may not post what you submit, but instead grab text from your blog (whether authorized or not). When I filed a complaint, their first response was to threaten to delete the post, and they ultimately deleted my account (and then posted the entire email exchange to pastebin). If you post to their site, then don't be surprised if you and your post are abused. If you complain, expect to be told that you don't matter. In the end, despite being urged to reach out to me, they have not taken steps to resolve the matter.

Strong Recommendation: If you're a writer, I cannot urge you strongly enough to avoid or flee InfoSec Island. If you're a reader, then I strongly recommend that you not use their site any further. A business that profits from and exists because of the free contributions of people like me does not deserve continued patronage when it clearly disrespects the people who provide the content upon which it bases its business.

Well, it's that time of year again... time for a look back at 2011 and a look forward at the year to come. Of course, the first thing that comes to mind (to me, at least) for 2012 is the pending Mayan calendar transition. It makes me wonder what sort of crazies we'll be seeing as the year progresses. I'm guessing right now that there will be at least one suicide cult identified before things have come and gone. So, pardon me while I ramble a bit in reflection on the past and coming years...

You Gotta See These :)


Since I've again been remiss in my own writing this week (hey, there's always tomorrow!;), I thought I'd highlight what I think are the best pieces of the week, if not of the year! :)

First up, you have to read Jack Daniel's "The Pandering Pentagram of Prognostication" as he absolutely hits the nail on the head as concerns the annual prognostications we see.

Next up, you have to watch Chris Eng's sequel on "infosec thought leadership," titled "The Thought Leader... One Year Later" - it's so spot-on, it's almost eerie to watch. ;)

Happy Holidays! :)

Various Updates


I've felt recently like I've not had the chance to blog for a while, but it wasn't until I went and looked that I realized that it's been over a month already. Yikes! Sadly, it's not for a lack of blogging topic ideas, but because I've been pouring my energy into other projects more work-related.

Here's a wrap-up of some recent news, along with a promise to get back on the blogging beat very soon!

Toss in a bit of travel, a holiday, and a heap of sickness and that pretty much rounds out the last month for me. More writing to come soon!

If you haven't heard already: Barnes & Noble is buying the Borders customer database. However, you have the option to opt out of the data transfer. It's a 2-step process, and I was frustrated recently that I wasn't getting the second-step email. But I figured it out, and I thought you might find the information useful - especially since you only have until November 2nd to opt out.

Step 1: Go to http://www.bn.com/borders and enter the email address that Borders has/had on file for you. In theory you should have received an email with this info, but if not, there ya go.

Step 2: When you receive the confirmation email, click on the link contained within to confirm your opt-out selection. Failing to do this will almost certainly negate your effort in Step 1. You should get the confirmation email within a few minutes. If you don't, then it's time to do some sleuthing, which is what led me to write this post.

Are you a Google Gmail user? If so, then log in to the web interface and go to "All Mail" and see if the message is there. For some reason, Gmail seems to be filtering out the confirmation message, preventing it from showing up in the main Inbox.

If it's not there, or you're not a Gmail user, then the other likely culprit could be your spam filters. The emails appear to be coming from "borders@e.borders.com" with a uniq'd reply-to address that goes to "support-[some-random-string]@e.borders.com." You might need to add "borders@e.borders.com" to your allowed list or some such thing, depending on how your spam filter behaves.

Still stuck? That sucks, and I'm out of ideas. Maybe try submitting the request again to make sure you didn't typo your email address.

Defending Security Research


Assume for a minute that you could carve out a legally protected niche around legitimate (that is, non-black-hat) security research. How would you do it? How would you define "security research"? Assume for a minute that there's an opportunity to do just that, at least from the perspective of the American Bar Association. What sort of things would you consider in-scope for "security research" and want to see explicitly protected? That opportunity is in front of you right now, and so - as the co-vice-chair of the ABA's Information Security Committee - I'm looking for your feedback in helping define "security research" in a useful manner, as well as in drafting a proposed resolution to flow up through the ISC to the SciTech Section and, by next summer, to the overall ABA.

So, that said, what are the key criteria? I believe we would need a reasonably unambiguous definition of the following:
- "security researcher" - who, and by what practices/ethics?
- "security research" - what sort of activities?
- "responsible disclosure" - putting some reasonable parameters around it, without being too prescriptive or verbose
- "responsible vendor actions" (or a similar title/category) - what are the appropriate vendor responsibilities?

Are these the right main categories? Is anything else missing? And, most importantly, if this is right, then how do we define them? Please provide your responses in the comments and, if you want acknowledgement, please include your name. If you'd rather not post it publicly, please feel free to ping me on twitter @falconsview, or email me at tomhave(a@t)secureconsulting-dot-net.

Thank you!

I recently gave a firetalk at BSides Austin 2011 on the topic of "how not to suck at public speaking," which, ironically, flopped, and hard. There were a number of reasons the talk didn't succeed. First, the projector wouldn't handle 800x600 resolution, which was a bit of a problem since my Keynote preso deck was hard-set to 800x600 (as a side note: Keynote may be my design tool of choice, but it will *not* be my actual build tool of choice going forward - I'll be switching everything back to PowerPoint ASAP - it at least knows how to scale a preso to match screen resolution!). On a 1280x1024 display, 800x600 looked ridiculously small and unreadable. #FAIL Also, I hadn't had a chance to practice running through the deck enough, and so I didn't have my delivery timed out very well. To make matters worse, I was revved up and thus rushed through the slides. And, lastly, given the projector issues, it should also be unsurprising that the majority of my slides were simply not readable given both the size and some contrast issues.

So, rather than sit and cry about it for any (ok, much) longer, I thought I'd give it a shot at writing about this topic and see if I can't develop things better into a more humorous talk eventually. Or, maybe it'll just suffice as a blog entry for the foreseeable future.

This is just a quick update to let you know that the upgrade portion of my "Upgrade+Migration" project has completed successfully (yay!). I'm going to let things simmer here for a couple days to make sure everything is good before I move on to the next phase. In the meantime, you can find me in Austin, TX, Fri-Sat (3/11-12) where I'll be helping run - and speaking at - Security B-Sides Austin 2011! Yeehaw! :)

Just a heads-up, if this blog suddenly disappears from your feed in the next couple weeks, please check back to make sure your RSS link is correct. Those following on SBN or Feedburner should be unaffected, and I expect those directly linked to my feed will be unaffected as well. Nonetheless, I thought I'd let y'all know... just in case!

Just an FYI, I'm migrating email to a new platform. If everything works properly, then there should be no impact to you (if you're emailing me). Come Monday most DNS records should have flushed. If for some reason you can't reach me via email, then please resort to an alternative communication method (TXT, Twitter, FB, IM, non-secureconsulting.net address).

Thanks!

This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.12