Chuvakin has a great post over at his blog where he talks about what skills you should be focusing on, such as skills that help land you jobs or skills that help you do jobs. I think I agree with all the points made.
Getting past an HR filter to land a job is a sort of small-time thing. You can apply for 20 jobs and you just need to get through and hired once. After that, you have, usually, several years to either prove your worth or get booted out for not being able to do the work. The bottomline is you need to be able to do the work.
I also believe that the deeper and more versed one becomes with the "skills that help you do your job" the easier it is to demonstrate those skills to someone else. For instance, it might seem hard to demonstrate a web app weakness to a manager...unless you've done it so much you can pretty much spot them on sight (insert some allusion to MagicEye pictures that often take a lot of work to see the first time, but once you get it, you can get it faster and faster).
You know you're good with a router or firewall or load balancer when someone throws you a strange question and you figure out some interesting way to do it that wouldn't have been obvious without a few years of experience. That skill might not get you a new job, but it will certainly cement your place in a current job!
by michael 07.29.10 at 9:00 AM in /general - comments(0)
Just read (and had to re-read several times) a quick vulnerability announcement over on US-CERT for how Windows handles LNK files. From the sounds of this, all you need to do is view the location of the malicious LNK file to have it execute code. It's still not entirely clear if this means viewing the containing folder in Windows Explorer, clicking the LNK file (duh), or something else.
This might be interesting, as it is not uncommon for users to mistakenly attempt sending .LNK files via email, rather than attaching the actual target file of their silly shortcut. And LNK files litter corporate network shares...
If this is just viewing the file sitting in a folder is enough to trigger this, it's kinda reminiscent of older issues with Windows Explorer displaying certain files like DLL files on network shares. Just the act looking in the direction of the file was enough to cause issues!
by michael 07.16.10 at 10:49 AM in /general - comments(0)
Why your network diagrams suck (and they do, which is sad because it's a fundamental IT need):
1. You don't have any.
2. You pooped them out last week.
3. You tried to put everything on one drawing (VLANs, servers, network gear, port-specific connections, IP addresses, serials, virtualization...).
4. You didn't include enough info to answer questions the diagrams are meant to answer.
5. You have too many diagrams and they conflict. (Also see next.)
6. You don't update them as you make changes (if you update them at all).
7. You auto-generate them from some network scan tool or inventory tool, and they just look like ass no matter what you do (or don't say enough to be meaningful).
8. They all look and feel completely different because 4 different people maintain their own diagrams for what they control.
9. You don't make diagrams from the viewpoint of the intended audience. What works for you won't work for your contractors, auditors, developers, security/comliance, customers.
by michael 07.12.10 at 11:12 AM in /general - comments(0)
Just perused on DarkReading an article about a social networking experiment centered around fake profile "Robin Sage." I know the article is maybe a bit sensationalist and simplistic, but I fail to see why someone accepting a friend with a fake profile is a Big Deal.
(Disclaimer: I didn't know about Robin Sage nor have any interaction with this experiment. I'm feeling left out!)
There *are* some interesting aspects, and I hope the forthcoming BlackHat USA talk will expond on some of these issues, and leave alone the silly issue with "omg I friended a bot" aspect. This is a lot like saying someone is dumb because they looked down when you pointed and said their shoe is untied.
1. People put stupid (and valuable) stuff online. Sure, Facebook and other places may seem like they're private, but really they're not when you don't properly vet friend requests. Once you have more than 50, you simply can't keep them all properly identified and you'll likely start getting into the 2+ degrees of separation; i.e. the friends of your friends, and so on. So putting even your day-to-day boring diary bits out there can be revealing when you're, say, in the military. Hell, you can even get closer to home and post that you're out of town for a weekend, which can lead to a break-in by someone close to you. Or be stalked by someone obssessed with you. Sure, most of the time nothing will happen and certainly few people are truly targets of interested parties trying to piece together information from 1,000s of sources like a nationstate espionage net, but there is still risk in throwing such activities to the digital winds.
Passive credibility.I think this is far more interesting! If you want to gain some instant "credibility" in social networks, you don't start pestering people when you have 0 followers/friends/connections. You start going after the ones who auto-follow you back. Then target the ones who seem to have so many, that there's no way they can closely monitor them all. By then, you'll have plenty of "names" that others will recognize, which can lend some immediate "credibility" for people who superficially check you out. And you can just slowly work from there. This is really all old hat, but effective.
Take Ligatt's twitter account, for instance. At least early on, almost all of his followers were celebrities or other accounts that only follow-back out of politeness. He might have 500 followers, but 490 of them were never reading a thing he wrote. Likewise look at some of the #LIGATT infiltrators trying to redeem the company's services through twitter posts. They scream "fake" because of the sub-2 followers/followees.
How does a spy not look like a spy? By having a presence in the community and with friends/neighbors such that they appear to be an average citizen. Not some loner, curmugeon who looks over his shoulder constantly and only does yard work at night or only get visitors who look like they're Russian army castoffs.
Not so much these days, but certainly in the earlier decades of the Internet we all had this ability to take on a fake persona and build up a "brand" around it. Back then it was called having an online nick/handle/screenname. Today, we have so many average people using their real names online that seem so very surprised, shocked, that such subterfuge happens! TO those of us that have done these things in the past, this is certainly not new or surprising or even that hard.
3. Assets. Sure, most people don't have anything to worry about. But plenty of people should be aware of how potentially valuable they may be to foreign agents (foreign being different/opposed to you, whether it be national or corporate). There have been decades of work done on turning assets in the meatspace of espionage, and much of that work is far easier in the online realms.
by michael 07.07.10 at 4:25 PM in /general - comments(0)
If you're looking for a new security-related e-zine to read, check out SecurityActs. They just released their third issue (pdf). If you go to their site and want to check the previous two issues, you can fill in fake subscription info (once you find where to go), or just click first, second.
via InfosecRamblings.
by michael 07.02.10 at 10:25 AM in /general - comments(0)
Earlier this month a wave of IIS/asp.net web sites were popped via SQL injection and started serving out malicious files. Most of the attention was given to the 0day Adobe Flash exploit being used, among other methods. But I'm interested more in the initial attack (being that my developers code in asp.net). The initial attack was an automated attack to find vulnerable SQL injection targets, poke around enough in the MS-SQL backend to find locations to inject, and then inject page data.
The links below give good info to the first half of this wave of attacks: attacking the server/app.
armorize
sucuri
nsmjunkie
by michael 06.21.10 at 8:30 AM in /general - comments(0)
The folks at Metasploit have announced the release of Metasploitable, a virtual machine that is pre-built with holes, missing patches, and vulnerable applications which can be used as test targets for Metasploit attacks.
Many Metasploit users run their own virtual labs with various older versions of Windows for easy testing and practice. This is usually time-consuming to set up and maintain, especially when you also include Linux distros.
Metasploitable is an Ubuntu build, so gives many testers a new target to attack than a traditional Windows box missing a few keystone patches.
I wouldn't be surprised to see this expanded further and used as the basis of a lab for training purposes...
by michael 06.21.10 at 8:22 AM in /general - comments(0)
Insecure 26 is available, and as usual, has plenty of interesting articles such as a lengthy one on analyzing Flash content for vulnerabilities.
by michael 06.18.10 at 4:10 PM in /general - comments(0)
I cannot count how many times I get blank stares when I talk to asp.net developers about application domains and recycling (troubling, indeed). This is just a really quick link for myself on some neat information about app recycling.
by michael 06.14.10 at 1:59 PM in /general - comments(0)
Via Beijtlich, I see this month's copy of Hakin9 is availabble for free online in pdf format. Heck, you don't even have to submit any sort of fake registration!
by michael 06.14.10 at 1:28 PM in /general - comments(0)
Wanted to point quickly over to an article at nCircle by Chris Pawlukowsky talking about Detecting TLS Legacy Session Renegotiation. I think Chris does a good job describing the issue in text form. Check the bottom of the article for even more technical details.
I expect this to come up a bit more. "Easy" findings like this make auditors squeal in delight to put something on their external non-web-app-pentest scan report. Kinda like the entries that force us to drop SSLv2 and weaker ciphers because they're, well, weak. Even though the attack itself is exotic and the probability is pretty damn low I'll ever see this in action in my lifetime.
The TLS renegotiation thing is a bit more interesting, but you gotta admit it is still a bit exotic and still does require weakness in the app itself (unless the attacker can drop down to a weaker cipher or non-encrypted channels). Sounds like something that should be added to The Middler (if it doesn't do it already). Real attacks would likey need to be tailored to each web app, but I bet there is a universal request that can be made that will throw back an error or something to prove the existence. Should *I* worry about this? No. Should someone working at a place with far higher security interests? Yes. Especially when it can be fixed easily.
by michael 06.14.10 at 1:11 PM in /general - comments(1)
Ahh yesterday's 0day has predictably re-opened the "going-nowhere" debate on disclosure. I'm pro-full disclosure. I'm not anti-responsible disclosure, though, when appropriate.
The bottom-line for me: I'd rather know about the issues and have them exposed so I can deal with them, than to have them stifled or hidden or the exposure delayed. Disclosure improves our security (responsible or full).
(While I am happy to respect responsible disclosure folks their opinions, there isn't really an argument that would change my mind, just like I expect no argument of mine would change their ideas or those of the "no disclosure" camps. It just is as it is. I'm happy with the current state of vulnerability disclosure. Kinda like abortion rights, I think this is one of those areas where staying on the fence is the right choice, versus standing on one side or the other without any real clear, inarguable reasons [short of any bias, like the 'duh' of a vendor preferring anything *but* full disclosure...].)
by michael 06.11.10 at 11:45 AM in /general - comments(0)
If you haven't yet, I'd suggest reading up on the details of this announcement this morning on the full-disclosure mailing list. By leveraging a flaw in Microsoft Windows' Help Center, code can be executed by anything (I presume) that can invoke Help Center.
Big deal? Not a worm or anonymous remote attack, but this is as big a deal as any recent IE, media, or document problem that leads to arbitrary code execution. In other words, a big deal, but not a drop-the-coffee-on-your-lap-and-shut-all-communications-down-deal. Honestly, I'd hope effective security folks wouldn't worry too much about this, as there should be other mitigations in place already (like running as non-admin and the like) which lessens the impact of sudden discoveries like this. Yeah...in an ideal world, right? :)
by michael 06.10.10 at 2:05 PM in /general - comments(0)
Liquidmatrix pointed me over to the Wired article on the growing drama between WikiLeaks, Bradley Manning, Adrian Lamo, and the Army. This has stoked a few thoughts...
Part I: Dumb Criminals, Smart Criminals
Manning came to the attention of the FBI and Army investigators after he contacted former hacker Adrian Lamo late last month over instant messenger and e-mail. Lamo had just been the subject of a Wired.com article. Very quickly in his exchange with the ex-hacker, Manning claimed to be the Wikileaks video leaker.
I'll start out by not even commenting on the morality of what has transpired in the above article. I'll start elsewhere.
There are dumb criminals and there are smart criminals. Smart criminals are the ones we (people in general, but also law enforcement) fear the most. Especially smart criminals with financial backing doing 'white collar' types of premeditated (or even random opportunistic) crimes...those are difficult to pursue!. They're typified by not being dumb enough to necessarily get caught. Not all smart criminals get away with what they do, but they tend to be the ones to get away with it if anyone does.
Dumb criminals get caught. Much like your general hacker criminals, they tend to do dumb things, have spotty skills, and more likely end up talking about what they've done by making dumb decisions or having dumb associations and misplaced trust.
Manning did a dumb thing: he talked to someone. Not only did he talk to someone, he talked to someone with a level of celebrity status (for better or worse), who has ties to the FBI (for good or bad), and has an interest in not harboring national security secrets for another criminal. Ouch.
A smarter criminal would not have talked, or if he did, he would do exactly as Liquidmatrix mentioned: either nut up or shut up.
Another thing: Just how long and how much could have been disclosed had Manning not been dumb and talked to someone? How many not-dumb Mannings are lurking in your network?
Part II: Challenges in Organizational Security
“If you had unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months, what would you do?” Manning asked.
I knew before reading the article that I wasn't going to be impressed with how Manning exfiltrated the videos (and thousands of other files) from secure locations.
The sobering thought on this is...Manning had no real beef with what he was doing. He wasn't getting paid, he didn't seem to have some external motivation. He performed what I consider a crime of opportunity. Thankfully, that's "all" it seemed to be. Sure, it was performed over many months of time and repeatedly, but I still consider all of that to be opportunistic as far as crimes go.
But this is why espionage (both national and corporate) scare me more than even anonymous Internet-borne crime: they physically influence and turn a real, living asset who has access into your secret network and information, and leverage that relationship to siphon out information. Or worse, actually perform active sabotage or other planting of access for others. This is why "cyberwar" doesn't scare me as much as rogue insiders, depending on the organization in question.
What if a nation-state had targeted and turned Manning successfully? Someone like him truly is a goldmine worth the cost to acquire.
And don't make the mistake in thinking Manning is an outlier. He's just another face on the crowd, not much different at all from the rest. The sort of guy and white-collar crime that can be really scary to address.
I haven't even touched on the fact that Manning had the warning signs of being a disgruntled worker. (Though how many people *wouldn't* have those signs to some degree, who knows, but it should increase the level of organizational paranoia nontheless!)
Part III: Information Just Wants To Be Free
“He would message me, Are people talking about it?… Are the media saying anything?” Watkins said. “That was one of his major concerns, that once he had done this, was it really going to make a difference?… He didn’t want to do this just to cause a stir…. He wanted people held accountable and wanted to see this didn’t happen again.”
Part of the underlying 'hacker ethic' deals with the tendency of information to be free, much in the same way that electrons tend towards chaos or water tends to fill whatever form it can that presents the least resistence.
Perhaps Manning will ultimately be hailed as a moral whistleblower who is exposing secrets that should be made available to the public, for the good of the public.
Perhaps...
But at least think about that when thinking about what should be held secret by a company and what effort may be needed to keep that "tendency toward freedom" that information tries to flow. (And how powerful it may make a third party who suddenly has possession of such valuable information, like WikiLeaks reportedly may be now.) If your organization truly wants to emulate the, "Do no evil," mentra, then there shouldn't be many terribly damaging pieces of information (other than patents and trade secrets and the like) inyour possession, right? Mistakes, sure, but is it better to bury them or be transparent with them?
by michael 06.09.10 at 2:20 PM in /general - comments(0)
One thing I don't do enough is make a mention when I add new (or missed!) sits and blogs to my link menu on the right. Certainly, not even *I* keep up with what is over there, let alone anyone else, despite it being a great place to spend a Saturday morning filling up your own RSS feeds with my links.
So here are a few new additions to my links and feed reader:
www.attackvector.org
securitythoughts.wordpress.com (not to be confused with securethoughts.com)
beechplane.wordpress.com
What are my requirements? Well, for my own personal feeds list, the blog has to add something to me or my knowledge. Honestly, I'm horrible with my feeds right now as I have 1000s of items unread (a few high-traffic feeds boost that up, btw, like the once-amusing "my life is average" feed), so adding more has become a small question-raising thing these days. Kinda like buying a new book. Will I really read it? Will it be worth reading? Will it then be worth keeping around after I have finished? (sectioning off one's time is one of the two big components to what I call actually growing up!)
For links on the left side, I tend to add anything that pertains to info security, including personal blogs of people who are in security but don't always talk security. I don't remove much unless it may be a blog that hasn't been updated for 5 years or a site that is simply dead and gone. Other, lower links are things I find interesting or may find interesting to reference in the future.
I also don't make a huge list of all the actual "news" sites out there. I try to get the important ones and the basic ones that end up giving me all the news I really need. Adding tons more just ends up with lots of sites all saying and linking to the same things.
by michael 06.09.10 at 12:52 PM in /general - comments(0)
Robert Graham over at ErrataSec has a post in response to Securosis and Microsoft regarding secure development lifecycles. I'd have commented there, but they don't allow anonymous comments...and I've been conscious to not browse around the web while logged into my usual account (something about correlation and tracking nonsense). And I look dumb posting as lvnewsreader. :) So here's my response:
Disclaimers: I've not thoroughly read the links Robert provided, so apologies if I sound dumb. I agree with everything Robert said in his post, so this isn't really an argument so much as it is a situational "next-step."
An SDL (or really any preventive security) really plays back into the great gamble of business; gambling with the risk of being breached or not (in whatever form).
But I think there *is* a case where prevention can demonstate a save of money: assume the risk of a breach is absolute. For Microsoft, I think we can safely say they will have weaknesses and thus patches to roll out. I'm pretty sure they can play the game of valuating the impact of those incidents, and probably spend on prevention and feel ultimately good about it. With Robert's "sale" analogy, this would be the situation where your wife *was* going to buy that item today regardless of the sale, but she did actually save money (though possibly by sheer luck).
Assuming an incident is inevitable is easy to say, but hard to act on. Most organizations have years of no apparent critical security issues, and their mgmt will have a hard time accepting that suddenly the sky is falling. Just the same way many people think their home is secure, just because they've not witnessed someone wriggling the windows.
Side note: I really like Robert's "sale" analogy. That's actually a small pet peeve of mine. Sales aren't meant to save someone money who is already buying something. It is meant to make a sale right at that moment that would not have been made anyway (or getting someone into a store to make other ancillary sales).
by michael 06.07.10 at 10:07 AM in /general - comments(0)
This post is just a small collection of related thoughts, mostly pulled from Twitter posts. I don't consider Twitter something to re-reference later on, and a poor choice to save thoughts. Much of this is inspired by recent media-whoring about Facebook and privacy issues. A recent XKCD comic illustrates an aspect of my feelings about the subject.
I have a long-standing distrust of people and corporations in general, especially public companies. This is pretty much wrapped up in one of the more dangerous of the seven deadly sins: Greed. I turned away from Yahoo when they went public and started focusing more on money than on users. The same goes for my feelings on Google. Social networking is pretty much in the same boat.
social networks are the leftovers from the dotcom boom; the ones that got users (the first step). But they're no more successful, yet.
The dotcom boom came with lots of interesting ideas, but busted when they were exposed to not be very viable as a business, and in many cases simply didn't get enough eyeballs on their ideas (grocery deliver service? awesome! but not scaled up enough). There is still a latent boom-bust situation going on for the past 10 years in the form of social networking. Social networks and other "social" playgrounds online have garnered enough eyeballs (or clicks, hits, attention, whathaveyou) to survive despite having business models that are as shaky as anything from the actual dotcom boom. Sure, some of them can probably make money, but they certainly have to be careful to do so without killing themselves by driving away their users. How many people think Hulu or YouTube will still be relevant if they charge subscriptions? Or news sites?
(Aside: It's funny how important these services have become to the Internet masses; how deeply they will defend them, but how detested they become when money is requested. Some may call users fickle. Some may say this is the essence of competition, since someone will always host things for free. But does that mean large centralized social networks are inviable and only smaller, self-sustaining, splintered groups can thrive? I'm sure there are parallels to be drawn with music, movie, and software pirating...)
Z[uckerberg] is doing web startups wrong. You make it free, get popular, get money, then sellout b4 privacy and a biz plan blow [you] up.
This is my opinion. If you can't be viable in the long-term without lots of soul-searching and probably stepping on your own users, you're probably better off building up your value and getting out while its high. Kinda like how Kevin Rose probably should have unloaded Digg.com. Or MySpace unloaded, or YouTube. If you found a company or site, get your user base huge, get your value up...you're probably better off cashing out before it cashes you out. Zuckerberg should have gotten out by now before the house of cards started wobbling.
yes, zuckerberg, there is a simpler way to control your info. stop trying to weasel it out of people to support your business model.
This is part of why I distrust public companies, or companies that are looking (maybe desparately) for profit: They will do whatever they can get away with. No Facebook user should be surprised about Facebook privacy issues, or how Facebook tries to weasel around the issues and keep their access into your life while trying to make it look like they're helping your privacy. They're not. How else do you think they're making money? Same goes for Google with searches and everything else they try to do. Invading your privacy is their business model. This has always been a business model, only these days we have very automated and highly technical and highly hidden ways of being victimized by it (networked appliances reporting back to motherships, what programs you watch, sites that index and analyze your information, search logs, tracking cookies, spyware, and so on...)
I dislike someone who complains about privacy when they dig or have dug themselves deeper into something like Facebook (either it's important enough for you to do something about it, or it's not important enough for it to chew up your energy and time to worry about). Or complain about privacy when they're the damned owner of the damned site. Privacy is not hard. The hard part is maintaining the illusion of privacy while trying to maximize your penetration of it. (Kinda like getting that bar slut drunk...)
by michael 05.25.10 at 9:41 AM in /general - comments(0)
I'm not sure why I've not seen this story before, but this is a downright fascinating diamond heist article over on Wired.
by michael 05.19.10 at 9:32 AM in /general - comments(0)
Chief Monkey has linked to an excellent case study in corporate banking fraud. The story takes a few pages to work into the juicier details, but it is worth the burn to get through it.
The network still has a perimeter, but the business and its users have less of a perimeter. If you can check email from any system, than your email password can be snarfed by any of those systems if they've been victimized by a drive-by trojan. This can often lead to further attacks, even up to logging into a VPN session from a remote location! People like to think of one-time attacks and siphoning of valuable data, but few think about an attacker looking over your shoulder and reading your emails and data continually.
I wonder if the VP in the story had any personal fraud attacks against her as well, or if the company account was the juicier target. In the end, yes, home users (and their systems and networks) elevate my nervousness considerably.
My only bit of caution would be to anyone who starts crucifying banks too much about their security. There is no measure that will magically protect against fraud. It is entirely a scale between security and usability. Some banks fall low on that scale and get burned (hopefully!) for it. Other banks may slide up the scale too far only to get burned because they're slowing down, flagging, or outright blocking abnormal but legitimate transactions for important customers. What do you do in those cases? Given different perspectives, I think most people would opt for the least economically costly options from their respective perspectives. Just think about that for a while... People complain about bank security, only up to a point where it inconveniences them too much, then complain more when it still fails, and so on. That's not a rhetorical game I like to play...(maybe I just like to play a few more moves ahead, I dunno...)
I'm not trying to defend lax, or even negligent, bank security so much as I want to attack overzealous sunday morning security quarterbacking that just perpetuates the problem of a wildly swinging security pendulum that can't find any peaceful middle ground.
by michael 05.18.10 at 3:21 PM in /general - comments(0)
Mogull over at Securosis has posted, "Is Twitter Making Us Dumb? Bloggers Please Come Back." He makes great points on the usefulness of blogging (the great PCI debates are a recent occurrence of "blog debates" spilling into real life), and some of the comments make great points as well, such as how Facebook steals away some of the energy.
Behind on my rss feeds
My own observations are slightly similar, although I admit I've had less time these days to keep up with my rss feeds and make interesting posts here. I still troll Twitter and other places, but typically those are not necesarily surrogates to a good blog or even cross-blog discussion, and I typically can participate in Twitter without much actual commitment time and attention-wise.
Maybe we're all just reading blogs less often, which in turn reduces the emphasis on blogs and our own opportunities to start cross-blog discussions.
Conferences
One area I've seen grow considerably in the last couple years is discussion and participation in security conferences. Perhaps all those discussions and talks is tiring, but also serves the same purpose that blog discussions may otherwise have given. Why blog when you're at a conference having the same discussions every 3 weeks?
Less new faces
I've also seen a drop-off on new blogs to follow in the security space. This may be a function of my lacking of time and energy put into reading my rss feeds, and I agree that I tend to gravitate to the same feeds over and over. This doesn't mean security is dwindling, especially as I've talked to plenty of interesting people on Twitter that I didn't know previously.
It is possible we ask a lot of new faces in security. Where, in the last 4 years, having any content on a "security" blog was enough to get you followers, today do you need to be dropping news, novel new ideas, or 0days every week? I'd hope not. We really need generic discussion as much as or more than the jaw-dropping stuff. But it's that generic discussion that may be getting satisfied elsewhere.
Look at podcasts and conference roundtables or Twitter discussions or mailing list questions. We still have a huge capacity and energy to talking about the "generic" stuff; even stuff that has no real correct answer, but impassioned opinions on either side. It just seems to be taken to blogs less and less often.
Inherent broken records
"Cloud" notwithstanding, perhaps we just have less interesting topics to talk about. I myself am guilty of this, as I often have ideas tumbling around in my mind, but I'm well aware they're ideas that not only have *I* had for a while now, but others have had and voiced as well. Security is not a game to win, and we're going to have some of the same inherent deficiencies for years, decades, to come. You can really only bring them up so many times before you get sick of the obvious.
One other thing I'm guilty of: commenting vs blogging
Every time something like this comes up, I'll have a minor discussion with myself. Do I make a long-winded comment on someone's blog to join or initiate discussion (which maybe only he and I will see) or do I post on my blog here under the haughty assumption that my blog is worth their time to read for my viewpoint, or that they'll even see it?) Or should I engage them more directly rather than wait for them to find my little slice of opinion? How will both of us remember to re-read the comments to see if an update has been made? (This is one reason I tend to have many web browser instances open, some are just open for me to refresh for comment responses!)
This is why I am still partial to being a forum and chat (or, in a sense, Twitter) regular. A forum is essentially a dynamic, central RSS feed of ongoing discussions and blog posts. Unlike blogs where only new topics percolate to the top, hot topics percolate to the top on a forum. And if you have one central place to go for participation, it becomes rather natural (which is also why I suggest less sub-forums).
by michael 05.18.10 at 1:46 PM in /general - comments(3)
|
