slicing and dicing information loads

There are way too many news sites and blogs out there that I want to read. I’m at a phase in my career where I’m just sponging up everything I can. I have a growing list of sites that I use for resources and news and new stuff.
The problem is trying to manage it all. As I have gotten older, I have realized the grim reality of managing one’s time. In my youth and even in college, I had a lot of free time to just while away doing nothing much. Now, I find I have to sacrifice a lot of that “nothing much.” Thankfully, I shed the whole “tv watching” thing back in college, and unless it is a movie, my TV gets zero use.
Likewise, unless I’m relaxing for a good many hours on a weekend with my computer, a hot drink, and some calm music, I don’t get a chance to check all the blogs I want to check or network with the people I want to network with or try all the new things people have posted about or created. Ugh!
I’ve tried keeping my own private blog with a list of all the interesting links and then posting about the tidbits I wanted to keep available or braindump about. The posting part has been working amazingly well and I love it. But the links part, which ends up being just a web page of bookmarks, in essence, is something that I have a bit of a problem with.
Reading the news requires clicking on each one. Being that I want this page to remain private, reading at a hotspot or at work can reveal its presence, and I have to take extra coding measures to obfuscate the redirect trackback. This is just a little bit annoying. And if I ever did want to share its existence with someone else, that would mean also sharing my home web site, since they share the same IP (and box). Moving it to hosting is a bit of a chore as well, since I use a smaller, lesser-known perl publishing tool for the site content. Ideally, I would have a second IP just for this site…maybe in the future.
But reading the news there is still less than ideal.
I’ve tried out standalone RSS readers, and I settled on using RSSReader for a while. Unfortunately, I find that I’m not always on my home laptop in such a fashion as to pull up the app and read the news. Sometimes I’m at work, sometimes I’m in a live cd doing something else, and sometimes I just want one big long page with all the news right there so I can just scroll on down effortlessly. The one good thing I like about RSSReader? If I have populated it beforehand, I don’t have to have an Internet connection to read the content later. That’s really a big plus, as sometimes I want to go to places that don’t have open wireless, and sometimes I just don’t want to fuss with locking myself down a bit more at a hotspot.
I just started a Bloglines site yesterday and have begun populating it with news and blogs and vulnerability advisory sites. While I like the idea of a one-stop website I can go to for news, this still does tie me down to an Internet connection. I also have not been happy with the presentation of the feeds either. I like to have full content (unless fully overridden by the feed itself), I like to have posts parsed chronologically (not by site only), and I like to have them all displayed for at least a week back for blogs and less for others. With Bloglines, I’ve found I have to click a few times to get the Week view, and they never arrange in full chrono order. Hrmm…but I do like it for one-stop news while at work and at a hotspot. I can also maintain some anonymity there.
Maybe I should recheck RSSReader for some more view options. Other than at work, it really is a good option, as I really love the freedom to unplug somewhere like a park, and just browse news there.
The big downsides to RSS feeds? Easily, I dislike the oddball blogs or sites that have no RSS or non-compliant RSS. Some, I understand, are a functionality choice that was consciously made by the author, and that is fine. It is just hard on someone like me to remember that that site is an oddball. A newer downside, and a growing one, is the trust that apps and sites and people put into parsing RSS feeds, which can potentially let malicious code in feeds through.
Someday, I also need to find a good way (on Windows and preferably without iTunes) to automatically download podcasts and load them to a folder that I can sync with my iPod. Yeah, I know, I might still be behind the times, but iTunes originally was not something I trusted on my box, so I always stuck with winamp to manage my iPod. For now though, I’m content with my site of links to pod/vidcasts and downloading them manually.
Forums I truly love. I like the usually informal and discussion-like format of a forum. Maybe it just reminds me of IRC days, but forums have a special place in my heart. Sadly, a well-populated one with useful information is definitely not easy to find. My list of forums is woefully small, and half of even them are filtered at work.
My last major source of information has been mailing lists. I started out getting on a number of busy mailing lists a few years ago with a gmail account, but found the web mail interface and my own lack of time very disappointing and as such I stopped reading them. I have only recently renewed my reading by pulling that gmail data down to Thunderbird and abusing filters to sort out the mailing lists. This has worked pretty well for me, but I still have yet to really work mailing list reading into my daily or weekly routine. I need to read them for a while, cull the useless ones, and settle down there. Having mailing lists post directly to a forum or blog (with thread REs being placed into comments) would be awesome, even if just for my own private viewing.
Anyway, these are just some ways I’m attempting to usher myself through this sponge phase of my career, and I can already feel it coming to a climax and settling down for me, which is very good.

security pet peeve #3: ethics and the color of your hat

Today I happened to get called a “black hat” in a blog comment simply because of some off-the-cuff comment I made that, admittedly, is not necessarily a straight-laced, stick-in-the-mud, ne’er-do-wrong practice. However, me being called “black hat” is about as laughable as, well, anything else I’ve experienced this week so far…
But it illustrates to me one of my other big pet peeves in security: hat color.
Fashionistas aside, some people are pretty obviously Black Hat. The rest of us are pretty much stuck in a quagmire of uncertainty and greyness that really has no definition. What seems like grey hat to some may be very black hat to others; what may be white hat to some may be grey hat to others, and so on.
All of this is just so much drawing lines in the sand, only to have someone else wipe it away and draw their own line in the sand, and another person wiping it away and drawing their own line in the sand. It is all about ethics and morals and how you conduct yourself. And if anyone has taken any academic coursework or even any casual discussion on the subject of ethics, one will quickly realize there are no hard and fast lines. It is all very relative and all very undefined to such a degree that arguing about it is a complete waste of time.
As it is, I have no problem with most “black hats” or “white hats” or anyone in between. Each can live their own life and that is fine with me. But what really incites my pet peeve is when people get so ensconced with rage and prejudice and blind ignorance about the whole issue of ethics that it manifests into nearly fanatical knee-jerk reactions to any hint that there might be an ethics or hat color discussion arising… That is just shallow.
White hats have to live up to a certain level of ethics and morals, right? Well, how do they feel about speeding when driving? If it is a 30mph zone and they drive 32mph, do they feel guilty? Does that guilt adjust their behavior back down to an apologetic 30mph? Do they regularly bump 10mph over the limit, whether in residential or on the freeway in the throes of a 10 hour road trip?
This is the dilemma. This is the grey area.

obvious but new

A career in information technology is a career in lifelong learning.
A career in security is a career in lifelong learning.
Sometimes the obvious things are just not consciously obvious, and once they become obvious, things just “click.” That was a click there for me this morning, for some really odd reason. And I’m just glad I love learning both academically and on my own.

data, data everywhere…

The old adage can ring true for online habits: “Don’t do anything you wouldn’t want your grandmother learning about.” Long hailed as a place to conduct oneself with a wide measure of anonymity (read how bold kids can be in chat rooms or online games when they don’t have to face people in person), we’re all starting to feel the creeping implications of data retention policies, particularly illustrated recently by AOL’s search data release.
It is a bit sobering. I have been online in some form or other since the early-mid 90’s when I was barely into high school. Granted, Google was not around, but AOL sure was. And I used it, and searched using a number of search engines available at the time. How could someone like me know that 10 years later, data retention and search engine query analysis could reveal some dirty little secrets?
Not that I have much to hide, but it is still offensive to have that sort of privacy illusion (?) yanked away. Have I searched for porn online? Yeah, I’ll admit it. Have I searched for some not-so-legal things such as hacking or bomb-making just to see if I could find it? Probably. Have I done an ego-search looking for my own name? You bet. And have I done all of those, in some combination or other, from the same IP? Considering I’ve had only a handful of IPs in my online life (not counting AOL dial-up in high school), the chances are really darned good.
Scary. Just think the dirt that may be dug from such databases on politicians 20 years from now. Our president in 40 years may have an old MySpace site still lingering there, waiting to explode with traffic from mudslingers.
Step back and take that one place further. What about spyware/adware apps which remain dormant and diligently report user surfing habits to central servers, maybe for years, while users just silently huff and deal with their slowly ailing computer speeds? Or ISP traffic records that might be kept some day? Just think of all the places visited from just the one location. This now includes work-related websites, sites for stores in the area (ever look for the most local Mitsubishi dealership or the working hours for the local Papa Murphy’s Pizza?), and even the things you’d not want your grandma to know you were viewing online. Even people like me who maintain a more or less anonymous presence in security/hacking venues would be outed.
Then again, some may argue this can be good for the morality of the Internet. I remember a long time ago a study was done where people were put into a room to socialize. Later other people were also put in the same situation, only this time the lights were turned off. You can imagine the remaining senses were used, but they were used to a degree that almost all of the people in the room wouldn’t have used them in broad daylight. Use your imagination. 🙂 Maybe with the veil of anonymity removed, people will behave better? Naa…I just think they’ll try all the more passionately for anonymous services, onion routing, VPNs, and privacy standards.

innocence, playfulness, maliciousness

At first there was innocence, ignorance of the need for security in networks during the days of the open networks, when network downtime and intrusions were born more of discovery and accidents. Then there came playfulness, when security was just beginning and attackers made more curious, playful attacks, toying with users or just crashing systems to see the effect.
Then came adulthood, maturity. Now, attackers are not necessarily interested in downtime or playing around. They have an agenda and they have profitable goals. Suddenly, we have maliciousness…

rambling: blogs, news, everywhere

I have a more private site that I keep as my own private little portal to security news, virus information, resources, tools, links, papers, and on and on. Every now and then I add a few sites to my links and remove a few defunct sites.
But every now and then while browsing news, I read on some site that “so and so” has more information, or “from the site of such and such.” And I end up following 5 links deep to 5 different sites all reporting on the same news tidbit. Then I realize what has happened and I say to myself, “wow, there’s a ton of blogs and news sites for tech news and opinions” (as I type one out here myself!). I wonder how cut-throat some of these link-relationships get? I’ve seen blog wars where someone feels they didn’t get credited or where people of differing views post in their blogs their reactions and then wield their viewers and commenters like some botnet to swoop on the other and comment-spam them, escalating the all-out blogosphere war. Ugh.
It is sobering the effect of the web as a way to express oneself, to self-publish, to create, to share, and share with. Even the most stubborn hermit still has that need to share his or her thoughts with at least one other receptive person, and the web is such an easy outlet to masses. There are times when I feel like heading out to the mountains, just me, nature, spirituality…and an Internet connection. 🙂
I used to run online gaming league/tournament/community sites, and I know the amount of effort and dedication it takes to keep something popular on the web. It was tough 5 years ago when I finally “retired” from that, and I can’t imagine how much tougher it is now, especially when you’re not just offering up something unique and fun like digg.com. Then try to find all the digg copiers or slashdot wannabes or every other blog out there that tries to act very self-important and get fans and followers. People like me who add that blog to their short (but growing) list of weekly visits. I can’t imagine how tough it might be to always put up meaningful content, opinions, and original substance on a technical blog or tech site…especially for me, someone who does not yet have something unique or original to share (someday, I think so).
But then I look back and see why I post here or even on my personal site. It is much the same way I might keep a journal (girls call it a diary, journal is more manly) next to my nightstand or in my backpack. It is a way to document my thoughts, and also comment on and document news stories. When 9/11 occurred and every blog in existence posted comments, it was not all because they wanted to be part of the news megasphere or get readers or even self-publish. That was an important event in their lives, more than worthy of being in the journal…only today’s journals are more able to be public and commented on. I definitely need to lighten up on my lashback of the blog effect on the web.
At any rate, there are blogs and tech news sites all over. There are weekends where I grab something warm to drink, and spend the morning or evening following the blog links. It is much like roaming down an unknown state park path, taking in the sights. Click a link, check that person out, look at his or her link list, pick another that looks interesting, and just roam randomly. Sometimes I pick people from Iowa, sometimes security/hackers (I love wandering into the sites of people whose names I might recognize from the scene, but who have grown up or moved on and their site remains as it was 5 years prior…), sometimes just random people with cool site designs or ways of writing. Sometimes I am looking for new people to add to my bookmarks, sometimes just checking out site designs for inspiration, sometimes just bored.
I wish I could keep up with such a huge community, but there are not many jobs that pay for that kind of a hobby, and in all honesty, I wore out my “online life-living” back in high school and college with IRC, IM, forums, gaming, and other things not worth mentioning, and it really never got me all that far anyway. As it is, I am one of those people who just looks for useful and meaningful blogs and sites to bookmark on my private page, to visit again over the months and perhaps even pipe in and comment to the author, perhaps making a friend or colleague in the process. It is always a sad event when one of my links gets removed, either from lack of updates or lack of updates that are useful to me as either I or they have moved on to other topics or phases of life.
For those that know what it means, I’m feeling just a bit QQ today. 🙂

vultures and disclosure

David Maynor and Johnny Cache presented at Black Hat last week about an exploit against wifi drivers in an undisclosed but likely large number of wireless cards and operating systems. This has caused a minor furor amongst, well, pretty much everyone everywhere.
Some argue that the duo are sellouts because they did not fully disclose who was affected at a “full disclosure” conference. Some argue they were protecting companies. Some take cheap shots at the video-taped demonstration for various reasons (which was done to prevent users from capturing the attack over the air and using it).
Last year Michael Lynn challenged Cisco and even his former employer ISS when he gave his presentation on a big Cisco vulnerability, after Cisco refused to fix it or even acknowledge it for quite some time.
Lynn’s example brought up the age-old argument I see far too often in information security: disclosure. What is proper disclosure? Should it be full disclosure? This year it is back. Should Maynor and Cache have revealed the affected chipsets and vendors so that users could stop using them until a fix was in place?
I don’t think there are any right answers, but the vultures that love to peck and squabble and argue for no real reason are back at it.
Bottom line, if these two found this problem, there are likely other people who have found it and kept it secret or sold it in private. This exploit was probably found via fuzzing of some type, since that is turning up lots of fun stuff lately. And I can only imagine the fun you could have as a spook or criminal with this sort of exploit in your hands and no one knowing about it…

trying to hold sand

I’ve been pretty conscious lately of where my personal information goes. I’ve been interested in staying anonymous for a blog and mailing lists, so my mind is kinda turning that problem over. In addition, with this year’s heightened problems with identity theft and disclosure of personal information from places like the VA, every time I fill out a web form, my mind flitters over the thought that here is yet another place my personal information resides, ready to be indexed, stored, stolen, and used.
Just yesterday I submitted a job application to a company in the Seattle area, and at the bottom was a credit report disclosure form complete with social security number field. I immediately glanced up and noticed that the site had no SSL functionality on this particular form. I was a bit annoyed, but at least I was completing this form from my home network. If it had been somewhere else, I would have fully aborted that half hour of effort.
I order books online and provide credit card numbers. I renew my World of Warcraft account online, and there is more information. I submit less information to many sites that require logins, including job sites and corporate sites that want me to log in just to store my resume (so they say). All of this is like trying to hold so much sand in one hand…just think, all it takes is the least secure online store to be broken into and the data siphoned away…such as that site I ordered incense from recently. I wonder if that non-chain, local store has a security guru making sure their site and data are secure?
In the end, I just become more sympathetic to removing the “convenience” of sites “remembering” my account information so I don’t have to put it in again for subsequent purchases I may or may not make. I think data retention of that nature should be disallowed, and transaction logs in databases expunged on a regular basis or just stored on offline, secured media. If I only had to worry about the actual transfer of the information from my system over my network, my ISP, the Internet, to the vendor, I would feel a lot better than having account and login and payment information stored by said vendor… How often do I let a restaurant keep a copy of my credit card and signature so that I can realize the convenience of not having to reach into my pocket to get it out, wait for the return of the waitstaff, and sign the slip?

a checklist of windows tools

It is a statement about the security of Windows that I have a series of apps I install on any personal Windows XP build that I perform, just to secure it more. I won’t leave home naked, and a Windows box by default being naked exemplifies what is wrong. I was going to post them for my own edification, but have decided to expand this to a listing of some of my favorite tools that I pretty much have on any XP system I build.
First, the initial security, after patches. I use ClamWin Antivirus because it is free. I use a cracked version of Sygate Personal Firewall instead of the XP firewall. I have also recently started trying out an app called WinPooch for digital integrity, à la Tripwire only free (I expect this to be bought up). I also install Mozilla Firefox and Thunderbird (with Enigmail for PGP), not so much for esoteric purposes as for security purposes anymore. While investigating a friend’s hijacked AIM account two years ago, I discovered a version of the HTA exploit in IE (still unpatched, I think), and thusly conversed with the hijacker directly about it before getting my friend’s AIM account back. Since then, I’ve never trusted IE at all. That was the breaking point. The only way to notice or stop that web-based attack against IE was to be running a personal firewall, at the time ZoneAlarm. Otherwise IE was rootable with no user intervention or notification.
In other apps, I have moved from my purchased version of Trillian over to Gaim, due mostly to having used Jabber in my last job and Trillian was slow to adopt. I use a pirated copy of Microsoft Office 2003 (includes everything, Visio, Word, etc). I always move over a bunch of Sysinternals tools as well (pstools, process explorer, tcpview, regmon, and filemon). A cracked version of WinZip 9 gets slapped in pretty quick, as does a free copy of WinAmp (classic mode please). WinDump, WinPcap 3.1, and Wireshark also get installed.
If this is a wireless laptop, I always throw in Netstumbler and Cain. If I am at a wireless hotspot, you can bet I am running Cain in the background (and for this reason, I am very aware of what I myself do at hotspots because I’m not a special hacker or something, I’m a regular guy and if regular guys play with gleaned myspace and email accounts…).
After that, my toolbox gets a bit more murky depending on the uses for the particular box, but pretty much all of the above are part of the ‘settling in’ process of a new system. Of my few cracked products, someday once I am out of the ‘cash-strapped college boy’ phase and into a solid, fair-paying job that keeps me happy, all of those may be replaced with legit copies.

security catching up to hot technology

DefCon and Black Hat have become the premiere security events of the year. Not only are they amazingly fun and informative, but some of the biggest security and insecurity news of the year is now coming out of the minds of those in the culture.
In the last couple years, the dotcom bust gave way to the slow maturation of web-based application delivery, and it is now shooting off quite rapidly. Web-enabled apps have been the buzzword in development for the past two years. In addition, the browser wars with phishers, spammers, and scammers have heightened, and browsers are more and more under the guns and fuzzers.
And now, it’s happened. Javascript has been demonstrated to be able to not just screw with a local system, but also penetrate the local network that system is on.
Wow.
Ha.ckers.org made an excellent post that beats anything I could say. But I will add that if someone has presented it to us now, there is little doubt that these techniques have already been in use by the underground.

security pet peeve #2

“Well, you know, it’s a toolbox, I don’t care. You put the tools in and do the job, that’s all.” – Sam, Ronin, when asked what kind of gun he favors.
This is not so much a security pet peeve as it is a general geek pet peeve. I really do not mind discussions about operating systems and the benefits and drawbacks of each, but the eventual bashing and impassioned arguments that can result from talking about Windows vs Mac vs Linux vs Debian vs OpenBSD are amazingly unnecessary and unwanted.
When it comes down to it, the biggest factor in the security of each OS lies in the operator. I think they each have their own place. And I dislike seeing a Windows user completely refuse to learn Linux just as much as I hate seeing a Unix/Linux user be completely useless in Windows.
And let’s face it. All of these are going to be part of a security or IT person’s life at some point and we’ll have to at least be exposed to Macs, Windows versions, Linux boxes, etc. So basically live with it, and move on. My current job is 99% Windows, but my last job had a couple Macs, many Windows boxes, and some of our critical infrastructure systems were Linux (firewalls, DNS servers, monitoring servers, syslog…).
On a more personal note, I have used Windows versions since 95 (all but ME) and still run Windows XP today for the most part, pretty much just for easy wireless and World of Warcraft. However, I love tinkering and learning Linux versions (especially security live cds) and my next computer purchase will be a Macbook Pro. Someday after I get my Mac, I will convert a third oft-used laptop or desktop to be a permanent and oft-used Linux box so that I can really learn that as I also learn Mac. Eventually, I want to use Linux or Mac full-time, and only move to Windows for my work machine (most likely anyplace I work will provide only Windows XP, I bet), for gaming, and just to keep current on Windows (such as when Vista releases). Of course, my lab will always have a number of Windows boxes performing various roles.
I applaud how far Apple and especially Linux have come over the years to bridge the gap so that the only things I will not be able to carry over to Linux from my Windows world will be games. Even wireless is getting to be easy enough…

prove it

I just received email from a vendor I have dealt with in the past, ScriptLogic, whose simple tagline got me thinking: “Can you prove your IT environment is safe?”
I think I need to post that in my workspace at home and use that question as a basis for what I do in security as I move forward.

security pet peeve #1

May as well get this one off my chest early, and try to keep it short and simple. I really dislike when people spit out that “security through obscurity is worthless.” I’ve read this a lot and heard it in person a lot too, but it is often misused. What is really meant is “security through obscurity alone is worthless.” Defense in depth benefits from security through obscurity. In a way, one could argue that passwords and theoretically reversible encryption are just harder-to-guess security through obscurity. The biggest benefits of security through obscurity would be twofold:
1) Eliminate a lot of the casual kiddies and scripted attacks. Running a vulnerable web server on port 1800 does not make the web server less vulnerable, but does limit all the scripts and kiddies who only look for web servers on port 80. You can at least limit your threat exposure.
2) Force determined threats into expending at least a little bit more energy and time to find the obscurities and work through or around them.
Alone, though, security through obscurity is more a false sense of security than anything else. Even though the above two benefits are still there, no one should ever sit back and breathe easy with security only through obscurity.
(Points for me to think about: Does this mean brute-forceable passwords and encryption are, in the end, worthless? Where easy passwords and DES were years ago “unbreakable,” they are now accepted as flawed…as processors continue to speed up, will today’s standards eventually be scoffed at the same way? What can stand the test of time, biometrics? Or are passwords, or at least encryption, the standards we will always have to live with? As long as we have networks that have to communicate and trust, will there always be hashes or an exchange of keys that at some point is vulnerable?)

10 immutable laws of security

Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore

Law #2: If a bad guy can alter the operating system on your computer, it’s not your computer anymore

Law #3: If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore

Law #4: If you allow a bad guy to upload programs to your website, it’s not your website any more

Law #5: Weak passwords trump strong security

Law #6: A computer is only as secure as the administrator is trustworthy

Law #7: Encrypted data is only as secure as the decryption key

Law #8: An out of date virus scanner is only marginally better than no virus scanner at all

Law #9: Absolute anonymity isn’t practical, in real life or on the Web

Law #10: Technology is not a panacea

guerilla interviewing

This was a nice read about job interviews. I believe Google also did this sort of interview tactic, especially the “impossible question” part. The biggest takeaway from this for me is the Smart and Gets Things Done. I think this is something I, and many people I know in IT, lose sight of sometimes. Get things done.