qualys ssl/tls best practices

Curious about SSL Best Practices? Qualys has a regularly-updated “SSL/TLS Deployment Best Practices” file with some good information. I like that the best practices include mention of practical concerns in addition to security ones. For instance, not to use private keys larger than 2048 bits. I’ve forged forward on my own to use 4096-bit keys, and I can attest to significant performance issues due to it. Also, I’m glad for the very brief EV SSL mention; I’m not sold that it’s useful enough to talk about. I personally recommend not spending the money on them unless your customers are asking for a green browser address bar…

The only thing I wish this doc contained would be more insight into common secure and insecure cipher suites. Now, I know SSL tools will do this and many systems rename cipher suites into weird names for no real reason, but it would be nice to just get a dumped list. For a doc that is useful to slam down on a CIO or developer or sysadmin desk, it would be welcome. Props, though, to suggesting SSL eval tools, which will help a sysadmin do the same thing, just with a little bit of sweat and time expense.
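Since the post asks for a plain dumped list of good and bad suites, here is an added example of the sort of check a sysadmin can run over one. It is not from the Qualys document and the weakness rules are general TLS hygiene (NULL, export-grade, RC4, DES/3DES, MD5 MAC, anonymous key exchange), not the guide’s own list. It normalises both OpenSSL-style names (ECDHE-RSA-AES128-GCM-SHA256) and IANA-style names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), which is the “weird names” problem mentioned above, and separately notes suites that are acceptable but lack forward secrecy. The SAMPLE list is constructed for the example.

```python
"""Audit a list of TLS cipher suite names: flag weak suites and note missing forward secrecy."""
import re
import ssl

# TLS 1.3 suites carry no key-exchange in the name; they always use an ephemeral exchange.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}

# (regex over the normalised name, reason). Any match marks the suite weak.
# These are general rules chosen for this example, not the Qualys guide's list.
WEAK_RULES = [
    (r"(^|-)NULL(-|$)",              "NULL cipher or MAC"),
    (r"(^|-)EXP(ORT)?\d*(-|$)",      "export-grade key length"),
    (r"(^|-)RC4(-|$)",               "RC4 stream cipher"),
    (r"(^|-)(DES|3DES)(-|$)",        "single/triple DES"),
    (r"-MD5$",                       "MD5 MAC"),
    (r"^(ADH|AECDH)-|-ANON(-|$)",    "anonymous key exchange, no server authentication"),
]


def normalise(name):
    """Map OpenSSL and IANA spellings onto one dash-separated, upper-case form."""
    n = name.strip().upper().replace("_", "-")
    for prefix in ("TLS-", "SSL-"):
        if n.startswith(prefix):
            n = n[len(prefix):]
    return n.replace("-WITH-", "-")


def audit_suite(name):
    """Return {'name', 'weak': [reasons], 'pfs': bool} for one suite name."""
    raw = name.strip()
    if raw.upper() in TLS13_SUITES:
        return {"name": raw, "weak": [], "pfs": True}
    n = normalise(raw)
    reasons = [why for pattern, why in WEAK_RULES if re.search(pattern, n)]
    # ECDHE/DHE (OpenSSL also spells DHE as EDH) give forward secrecy; static RSA/DH do not.
    pfs = re.match(r"^(ECDHE|DHE|EDH)-", n) is not None
    return {"name": raw, "weak": reasons, "pfs": pfs}


def audit(names):
    return [audit_suite(n) for n in names]


def weak_suites(names):
    """Names that should be disabled outright."""
    return [r["name"] for r in audit(names) if r["weak"]]


def no_pfs_suites(names):
    """Names that pass the weakness rules but still lack forward secrecy."""
    return [r["name"] for r in audit(names) if not r["weak"] and not r["pfs"]]


def local_suites():
    """Suite names the local OpenSSL build enables in Python's default context."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed sample list mixing both naming styles (not a real server's output).
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "RC4-SHA", "EXP-DES-CBC-SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_AES_256_GCM_SHA384", "ECDHE-RSA-DES-CBC3-SHA", "NULL-SHA256",
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        status = "WEAK: " + "; ".join(r["weak"]) if r["weak"] else ("ok" if r["pfs"] else "ok, no PFS")
        print(f"{r['name']:40} {status}")
    print("\nlocal OpenSSL default list, weak entries:", weak_suites(local_suites()))
```

Feeding `local_suites()` through the same functions turns the local OpenSSL default list into the “dumped list” the post wants; the rules are deliberately name-based so the output of any scanner or server config can be pasted in without translating names first.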

man accused of hacking despite not hacking anything

I feel dirty linking to Wired these days, especially since the article isn’t very informative beyond this blurb:

…Nosal never was accused of traditional hacking. Among other things, what the jury concluded was that he coaxed, sometimes through monetary payments, his former colleagues at Los Angeles-based executive search firm Korn/Ferry International to access the firm’s proprietary database and provide him with trade secrets to help him build a competing firm. Those associates cooperated with the government and were not charged.

…Say what?

what’s the deal with the cisco phone eavesdropping hack?

A few weeks ago a new physical attack against Cisco phones was announced [YouTube clip]. A few days ago, this was detailed further in a 29C3 presentation by Ang Cui and Michael Costello [YouTube clip]. And even just today, this news has hit the mainstream news waves because of how cool it is to watch a phone be pwned and be turned into a silent eavesdropper, recording conversations without any indication the mic is engaged. And this, of course, means questions from non-technical people who sometimes are important enough to need some pragmatic answers quickly!

The 29C3 preso is excellent, but very technical. The shorter vid up above is nice, but doesn’t quite give enough information for a proper risk assessment. (There are a scattering of other articles on this topic, but nothing that brings anything new beyond talking about the mic issues, and really not anything worth mentioning from any incident response/vuln announcement outlets… Cisco has an advisory or two, but I don’t have the time at the moment to look that up.)

To me, there is one major issue, which then can be leveraged in 2 attack scenarios. There are actually more issues, but for anyone who is not a pen-tester or Cisco, there is really just one main one to look at. If the others are important to you, then you’re going to be technical enough to digest them from the preso.

  • The big issue: privilege escalation/kernel exploit where someone with access to the phone can become root and run whatever they want on the phone.
  • Physical attack by plugging a device into the rear ethernet jack on the phone and then executing arbitrary code to own the phone, leveraging item #1.
  • Local network (“remote”) SSH authentication bypass by impersonating the TFTP server the phone interrogates for authorized SSH user keys, and then leveraging item #1. (skip to 38:00 in the preso.)

This distills down to a few talking points.

  • The physical attack is neat, but has a few components to it. First, the attack hasn’t (to my knowledge) yet been made public, so many people know this is possible, but don’t have the tools (yet) to do anything about it. Second, Cisco will certainly be working to patch the issue. Third, leveraging item #1 above requires some sort of access, either physical or local network, to a target phone.
  • Even if the “eavesdropping mic” attack is successful and the attacker turns on the mic, the recorded data still needs to be sent somewhere for the attacker to listen to or retrieve. This is possible in many ways, but keep in mind the above presentations pretty much avoid that hurdle.
  • These phones are basically little computers. If an attacker can take control of it, they can do the same things from it that they could by using a rogue or compromised system on a network. The “eavesdropping mic” is just one of many ways the compromised phone could be used.
  • Physical security is still paramount, even for phones placed in semi-public locations.
  • Keep unauthorized devices off your network so they aren’t able to do things like impersonate TFTP servers or make SSH attempts to your phones. In addition, make sure your network monitoring is set up to let you know when even someone authorized tries to do suspicious things. This isn’t new.
  • It’s up to Cisco to fix the privilege escalation and other various issues in their firmware.
  • Always be vigilant and report any strange devices, electronics, dongles, or other things hanging off phones, systems, or plugged into jacks that aren’t normally used or have not been sanctioned/installed by your local IT. And even then, question what things are in case an insider is planting devices.

The tough part of assuring security for phones like this is their closed nature. Do we have logs shuttled somewhere to watch for events like firmware replacements, for instance? How do we know firmware has been replaced? Or when the Flash/ROM has been tampered with? Or when audio data is going to a weird place on the network? Basically, similar questions we have of any device we can’t properly manage quite as deeply as a server, or have our management abstracted out to someone else’s centralized management that probably has not accounted for these sorts of questions.
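Two of the questions above (is a phone talking to a TFTP server it shouldn’t, and is audio going somewhere weird on the network) can be answered from flow data even when the phone itself is a black box. The following is an added example, not anything from the 29C3 talk or from Cisco: it runs a small baseline over flow records and flags a phone fetching TFTP from an unsanctioned host, any SSH attempt against a phone, and sustained outbound volume from a phone to a host outside where call media normally goes. The phone subnet, the sanctioned TFTP server, the media ranges and the byte threshold are all hypothetical, and the flow lines are constructed for the example.

```python
"""Flag IP-phone traffic that contradicts a known-good baseline (flow-level checks)."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport nbytes")

# Hypothetical baseline for the example network (assumed, not from any vendor document).
PHONE_NET = ipaddress.ip_network("10.10.20.0/24")        # voice VLAN the phones sit in
TFTP_SERVERS = {ipaddress.ip_address("10.10.1.5")}       # the one sanctioned config/firmware server
MEDIA_NETS = [ipaddress.ip_network("10.10.0.0/16")]      # where call media and signalling normally go
BULK_BYTES = 200_000   # outbound volume to an off-baseline host that is worth a look


def parse_flows(text):
    """Parse 'ts src dst proto dport bytes' lines, one flow per line."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.upper(), int(dport), int(nbytes)))
    return flows


def check_flow(f):
    """Return [(tag, detail), ...] for one flow; empty if it fits the baseline."""
    alerts = []
    phone_src = f.src in PHONE_NET
    phone_dst = f.dst in PHONE_NET
    # A phone asking anyone but the sanctioned server for its config or firmware.
    if phone_src and f.proto == "UDP" and f.dport == 69 and f.dst not in TFTP_SERVERS:
        alerts.append(("rogue-tftp", f"{f.src} requested TFTP from unsanctioned {f.dst}"))
    # Anything at all opening SSH toward a phone.
    if phone_dst and f.proto == "TCP" and f.dport == 22:
        alerts.append(("ssh-to-phone", f"{f.src} opened SSH to phone {f.dst}"))
    # Sustained outbound volume from a phone to a host outside the media/signalling baseline.
    if phone_src and not any(f.dst in net for net in MEDIA_NETS) and f.nbytes >= BULK_BYTES:
        alerts.append(("offnet-bulk", f"{f.src} sent {f.nbytes} bytes {f.proto}/{f.dport} to {f.dst}"))
    return alerts


def scan(text):
    """Run every flow through check_flow; return [(ts, tag, detail), ...] in flow order."""
    out = []
    for f in parse_flows(text):
        for tag, detail in check_flow(f):
            out.append((f.ts, tag, detail))
    return out


# Constructed flow records: a normal config fetch and call, then a phone pulling config
# from a device on its own VLAN, that device SSHing to the phone, and a large UDP stream
# leaving the phone for an outside address.
SAMPLE_FLOWS = """
12:00:01 10.10.20.31 10.10.1.5   udp 69    2048
12:00:02 10.10.20.31 10.10.1.20  udp 16384 1800000
12:00:05 10.10.20.44 10.10.20.99 udp 69    2048
12:00:09 10.10.20.99 10.10.20.44 tcp 22    3200
12:01:00 10.10.20.44 203.0.113.7 udp 40000 950000
12:01:30 10.10.20.31 10.10.1.9   udp 123   152
"""

if __name__ == "__main__":
    for ts, tag, detail in scan(SAMPLE_FLOWS):
        print(ts, tag, detail)
```

The value here is the baseline, not the code: it only works if you already know which server is allowed to answer TFTP and where media is supposed to flow. A real deployment would also carve out the small expected services (NTP, DNS) and run this over an export from the switch or collector rather than a pasted string. It still says nothing about whether firmware on the phone has been replaced; that question needs something the phone itself reports, which is exactly the closed-box problem described above.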

And to throw what many non-technical people will claim is FUD (and is mentioned in the preso, kudos!), this issue has been present for 6 years. Go ahead and think about that one for a bit! 🙂

removing the reply-all button

News has passed around about a BusinessWeek article talking about getting rid of the “Reply-All” button in email programs. I think this is an interesting discussion topic.

Is the problem a reply-all button, or the behavior of workers to pass along stupid information? Is that a failure of management to control it and teach employees? Should it even be a problem to worry about? Also, is there *any* value in the reply-to-all function? I know I use it for work-related stuff.

A user is mentioned in the article about being proud of having a verbal agreement not to use the reply-all button, but is that a passive-aggressive way to blame a silly function on a human problem of passing on garbage? Shouldn’t you have talked to your employees and made a gentleman’s agreement to not abuse the email system with garbage? Be direct on the problem, don’t sidestep it and blame the reply-all button. Be smart and look at your damn recipient list. There is plenty of time between when “reply-all” is pressed and the moment the email is completed and then sent.

You can probably fix a lot of it by reporting those emails and creating custom rules to deny certain key phrases, but that’s a lot of custom work for your mail admin(s).

Is it a corporate culture thing? Would there be less spam if users knew that their managers could read their email?

Is the problem email in general? Email sometimes feels so outdated, but it’s still a great “push” mechanism for information. Today’s socially collaborative settings can vote down (or just not vote up) such unnecessary garbage, but then we get into all sorts of popularity issues with long-term usage. And this whole “like” but no “dislike” thing makes us all just too timid. (Or conversely, only leaves childish YouTube comments as the non-timid crowd.)

Anyway, it’s an interesting discussion point. Automation, which is ultimately what “reply-all” is (makes it faster to input all the participants in an ongoing discussion), makes needed actions easier, but also makes boneheaded actions easier.

the good and bad of wow: mists of pandaria

I sometimes post my thoughts on major games I’ve played recently, and I notice I hadn’t said boo about WoW: Mists of Pandaria. I may as well say something!

I had taken quite a break from WoW last November when Skyrim, SWTOR, and D3 all hit in succession. And by break I mean, hadn’t logged in at all. But I’m back with MoP and enjoying WoW for what it is: a well-polished and solid game/experience. I play plenty, but I long ago put the raiding behind me (pre-Wrath, in fact), so my time is just leisure time spent gaming. That said, I tend to just do fun things with my guild and other relatively autonomous things like running 5-man Heroics and such. I have 5 toons at 85-90 (Shaman and DK are 90), a Druid sitting at 60, and a Monk in his 40s. I prefer healing/tanking over DPS (my only true DPSer is a Warlock), but when solo-questing I’ll of course offspec as DPS.

The Bad

The Farmville/Cooking Timesink – I’m one of those players who *tends* to max professions when it is practical (primaries yes, cooking usually, fishing sometimes, archeology not a chance). So it is a bit annoying at how convoluted the whole MoP cooking progress is with its 89 dailies and such. Bleh. Thumbs down.

Mess of a Skill/Talent System – In short, the talent/skill system is a mess. You have spells in a spellbook, more stuff in a glyph system that feels more like a tumor than a valuable feature, and a talent system in another spot. This makes organizing what you do and who you are a mess. The old system was just fine where you spend points. The D3 system was brilliant because it made multiple builds viable rather than just one “acceptable” build. But the MoP system is still fraught with “if you’re this class, you still need to pick things this way.” For most classes, the playstyle has changed almost not at all since Cataclysm (which is good for some classes!), so the net change is just annoyance. Likewise, leveling a new character is not as satisfying when you don’t get points to spend but for every 15 levels, and instead things are just handed to you on a platter. Boo to that. Like I said, I get the changes and what Blizz kinda wants to do (allow for multiple playstyles even if you play the same class as someone else), but the talents and glyphs usually don’t allow it. For instance, all healer Shaman will basically pick the same talents, because the other choices are for PVP or for the other builds.

5-man Heroics are Too Easy – Last night my 85 Disc Priest healed an 87 Fury tank through the starter normal 5-man with no issues and me rusty as all get-out. These new 5-mans are quick and, dare I say it, easy. Cataclysm 5-mans had character; you needed to execute what you needed to do, usually needed Crowd-Control on trash, and the balance at the start between difficulty and gear was brilliant. MoP 5-man heroics are a joke. There’s a few mechanics, but where a mistake in Cata would cost a death, in MoP it costs about 10% health, unless you are standing in something for 15 seconds. I get that there’s now Challenge Modes for these, but those are way more difficult for a casual player like me, and you can’t just queue for them with other random players. Honestly, Wrath heroics were more interesting and “harder” than MoP heroics, and that’s saying something since Wrath heroics were also easy.

Really, even for a casual player like me, I find most of this game is pretty easy these days.

Loot Rolling Table – This table just plain sucks. And I swear I see more asshats rolling on things they shouldn’t because of it. I just want to see the queued choices easily before I make my pick, and not in a window that keeps changing on me.

Female Pandas have Fox Tails – Not all of them, but the option is there. It’s telling, though, that almost every single female panda in the starter zone has a normal panda nub of a tail. The fox tail is just stupid.

Grinding Dailies for Rep – Never been a fan of these; really loved when I could wear tabards in dungeons to earn rep automatically, since those are fun. MoP? Nope, I have to grind rep by doing endless dailies. Boring and annoying. (It’s hard for me to get too down on it though, being from Classic I remember old school Timbermaw and Winterspring rep grinding and even Aldor/Scryer grinding in BC…)

Story Moments are a bit Sappy/Obvious

– The underlying story and underlying evil of MoP is this bad spirit that awakens because the Alliance and Horde “find” Pandaria and, as they are wont to do, start fighting with each other. It’s ham-fisted and obvious that the point of the expansion is to exaggerate the silly hostility between Alliance and Horde, point out how that bad karma fuels this underlying evil spirit (Sha), and how there should be middle ground, blah blah. A fundamental concept (and poignant in an election year) but it just feels a bit childish, ya know? Simple. And it’s not even fully fleshed out yet in the game progress…

The Good

The Game – First of all, having played SWTOR and even some GW2 in the past year, I appreciate all the things Blizzard does right with WoW, which is really most everything. It’s a solid piece of work and worth the money I pay for it. The game looks great, plays great, and so on. Also, the voice acting is excellent; not SWTOR-quality, but good.

LFG/LFR – The Looking For Raid tool came out just as I was taking my break from WoW, so I never got to use it. I still haven’t used it since I’m skeered (ok, it’s on the plan this weekend), but the idea that I can casually queue for a raid (as well as 5-mans) is absolutely awesome. It might not be as smooth and fair and awesome as a guild raid, but at least this is on MY time and not making me a SLAVE to someone else’s time. Win. (This option is one of the 3 things that crippled SWTOR.)

Pandas are Cute but the Game Didn’t Dumb Down – When pandas were announced for MoP, fans decried Blizzard for selling out to be more family-friendly. Yes, they’re cuter, but I’m happy that I don’t feel like I’m playing a game trying to attract kids. It has its dark moments and still has its dark humor, so I really *mostly* feel like I’m playing the same game I have been all this time. There are a few exceptions, but they’re fleeting moments.

Transmog – I know, Transmog came out just before I took my break, but it’s a game-changer to me. Transmogrification allows me to change any piece of gear I own to visually look like another piece of gear that I own. This means that armor set I earned 4 years ago raiding, while it is outdated and I can’t wear it and be a viable player today, I can make my current gear LOOK exactly like it. I’ve always said since BC that our gear will always be replaced and improved; the happiness is just in how badass you look in the moment. And now my toon can look relatively unique compared to others. (Especially since my Priest still has Benediction, which is no longer attainable.) This means I can also casually spend my time…

Old Raids Are Easy – Many old raids and 5-mans (and achievements) are now soloable or duoable. In fact, most everything pre-Cata should be duoable. Last weekend I sent my 90 DK into Gruul, Mag, TK, Hyjal, and BT and solo’d every boss. This is great to gather up some gear to transmog and look cool. (Nope, didn’t do SSC because it has some tricky parts and I only ever went through it a few times at level, so I don’t really know it.)

Class Playstyles – Despite the messy skill/talent system, the classes still play solidly, though that is more due to changes in Cataclysm than in MoP, but it’s to MoP’s credit that many didn’t change. My Shaman heals the same (though Telluric Currents returns less mana now). My Disc priest plays the same (though I miss the mana regen). My Blood DK mostly plays the same (less button-mashing). Prot Warrior plays the same. Warlock…ahh the warlock is my biggest changer and he’s lost his long-time staple Shadow Bolt, but at least as Affliction there is no getting away from the DoT mania. I’ll miss the SB but I appreciate that he’s truly differentiated now. In fact, all three trees are tightened up a lot to play differently. Nice.

Pet Battles – Yeah, not everyone thinks these are worthwhile, but it’s really fun and cool and interesting. Thumbs up to the throwback Warcraft 1 & 2 music. I’ve never played Pokemon, which is a bit of a travesty since I grew up with and loved and still love turn-based RPGs, so turn-based combat is a nice addition. I’ve not wasted much time in it (and make no mistake, it’s a time-waster!), but it is nice to know I have that to do if I want.

Population Sharing – I didn’t really think of it as a problem, but Blizzard implemented a way of getting players from different servers to be able to play in otherwise low-populated zones together. This means rather than leveling a character and being utterly lonely in Silithus, you probably will now run into plenty of other players leveling or hanging out in Silithus on other servers. That’s kinda neat to help out or just to socialize. Like I said, didn’t think it was an issue, but you do notice it now.

ormandy and sophos and security research

Tavis Ormandy and Sophos are being mentioned again in the same headlines, particularly for Tavis releasing a security report on Sophos Antivirus [pdf], a Sophos response, and a CSO.com posting dropping the, “says the product should be kept away from high value information system,” faux-quote.

Whew! There’s never any winning in situations like this. Either a company patches too quickly and recklessly, or patches too slowly, with “slow” being an entirely subjective term. All software has bugs and none of it should be trusted as secure; every product has issues eventually. Response is the key, but again we dive into subjective terms.

Either way, consumers benefit from the knowledge being out there and progress being made, both from researchers poking at systems and companies improving because of it. I think it’s a bit melodramatic to suggest for others to not use a product, but that’s an opinion that can be weighed along with one’s own risk judgement.

hints of the barnes & noble pos hack

My lunch routine is pretty standard and well-known. I go to a Barnes & Noble and pick up a latte over lunch and read magazines that I don’t purchase. I’ve literally done this for years. Clearly I’m a store member and carry a card which I swipe every day for 10% off.

A few weeks ago I took immediate note of the missing card swipe device on the counter and asked if someone had broken their swiper. I got the response that HQ had come in and pulled them all off. Being the savvy person that I am, bells went off, I tuned them down, and went about my business.

As I’m catching up with security news today, sure enough I see word that B&N suffered a POS security breach. Every day that went by without the POS device at the store(s), was further indication that something bad went down and it wasn’t just an upgrade/replacement or glitch.

(Of note, like a good security geek, I don’t use credit cards willy-nilly, especially for tiny purchases like a latte; I’m all about cash for anything but huge purchases, so I wasn’t even at high risk of this.)

These breaches always make me curious and I always have the same round of questions that will never be answered, because no one shares the information, not even in professional circles.

1. What did the attack consist of? Taking apart and adding something to the POS device? Skimmer over top? Code update?

2. Only 1 compromised device in each of 63 stores? Why only 1? Did the device/attack store up credit card info? Did it beam it out realtime via an Internet connection? Did it have access to penetrate the internal network/databases?

3. 63 stores affected in varied major metros. Sounds custom and targeted.

4. How did B&N find out about this? Someone else bring it to their attention? Monitoring? Why or why not?

These are questions not intended to cause legal issues or backpedaling or lay blame. They’re more about learning from mistakes so that I can be better informed and do a better job in my own security endeavors. PCI Guru has a nice follow-up piece.

the cyber insurance play

(Yes, the title makes me feel dirty as well, for using ‘cyber…’) I’ve been waiting on this case with PATCO Construction v Peoples United Bank to offer up some resolution for a while now, since I think it may set some important precedents. Alan Shimel weighed in earlier this month on it, particularly on the topic of individual accountability. (Disclaimer: I didn’t listen to the audio accompaniment.)

Toward the end, I was struck by:

Perhaps having breach insurance is the prudent, responsible business way to handle this? Does your organization even have breach insurance? Breach insurance is one way of managing your risk, but all it can do is replace money lost. Some breaches are hard to put a price tag on.

I can understand the PATCO situation, or maybe even the bank’s situation. But in the other example offered in the post, that of Wyndham Hotels and Resorts losing customer credit card information, how does insurance help those whose data is lost by a third party? Does it pay for credit monitoring (nearly useless)? Does it repay with gift cards that can be spent only with the negligent party (ridiculous)? I don’t think having a safety net is necessarily a solution for all parties involved. In fact, insurance may allow business to take less responsibility since it’ll just get a payout.

Ultimately, the idea of taking responsibility for security is a good one, but it cuts contrary to how the culture of America has evolved in the last 50 years to blame everyone else for anything that goes wrong.

the risks in such a connected world: naked pics

The Chief Monkey (honestly, I never know how to address him) has a great post up, How Your #Naked Pictures Ended Up on the Internet. The post illustrates a few key things.

1) Security question weaknesses.
2) You *are* sharing your information with others.
3) You *are not* just keeping files secret on only your phone.
4) You can’t trust other services/people, de facto. You have to put some thought into it.
5) What gets on the Internet and is tied to your name/identity, will haunt you.
6) Facebook is a great place to stalk people.
7) All of these weaknesses are borne out of making things easier for you, the user.
8) Staying safe and secure and yet still using all these technologies and services *requires* work.

As a warm-blooded guy who has internet access, I can attest to the uptick in porn sites featuring what are obviously pilfered personal pics from phones.

At some point, digital picture facial recognition is going to both help (to find out who people are to warn them) and explode (tie bad pics to your name forever) this problem.

questioning your job interviewer

Bopping through Lifehacker articles, I found a gem speaking to interview questions: “The Interview Question That’s Always Asked and How to Nail it.” (Ironically, Lifehacker has so much noise in its rss feed, I really feel only 1 in 100 articles is worth clicking into…)

When I first looked for a job after college, I would really have nothing to say after being asked, “Do you have any questions for us?” I usually didn’t. I didn’t know what I liked, what I wanted, what was out there, or what to even ask. I had such little experience, that I didn’t know what I didn’t know!

These days I know better and use that question to my benefit. It lets me fill in gaps in my knowledge of the company, open questions on why I should work there, whether I’d like the job/people, and demonstrate a bit of interest in the position without sounding like a jerk. Truly, I’m not usually looking to get in good with the interviewer and demonstrate that I’m a critical thinker or something, but really there are always questions about the job, company, manager, people, and expectations such that they should be asked before making such a big decision as a job opp.

The article itself has a few suggestions, two of which I’ve used regularly in the past: “What is the immediate need on your team that you are hoping to fill with this position?” and “How would you describe a typical day on this team?”

biannual gaming habit update

I only realized/found out today that World of Warcraft’s next expansion, Mists of Pandaria (MoP), is set to be released in late September. That seems pretty quick. My gaming situation is a bit stagnant at the moment where I’m really only playing a few games, and not as much of them as even I’d like. I went from WoW casual to Skyrim when it released, and then Star Wars The Old Republic (SWTOR) when it released, and then Diablo 3 when it released. I’ve really not gone back to any of them since. I’ve only moonlighted in a few other games, and my XBox Live account has probably lapsed since I last logged in; I’m just not in front of my television at all (have not watched television in about 10 years, so it’s just movies and gaming).

Diablo 3, unfortunately, is just not the same crack it used to be. I mentioned my thoughts previously, and I think the points all still stand. The one exception is that I just don’t think the loot is quite the same for a variety of really small reasons that add up in the end. I have not had a single set piece drop. I’ve seen 3 uniques. The rares (yellows) are just random names with random stats, most of which I don’t want so it’s trash. None of the gear seems memorable enough, and doesn’t drop quite enough to justify further grinds just for it. I think I might ultimately blame the Auction House (AH) for that. Also, after years of social FPS and MMO games, D3 just isn’t that social and the attempts it has made just aren’t that compelling. I don’t know how you fix that, since D2 really was similar. As it is, I have a few toons, my Wizard is level 60 and basically bogged down near the end of Act 2 Inferno (I don’t expect to have an easy time of it with the end boss, so I’ve just drifted away).

TL;DR: Diablo 3 isn’t really beckoning me to play it unless it’s with a few friends in coop.

SWTOR is a great game with great stories and I really like the gameplay. The problem is still twofold as I’ve mentioned from launch: underpopulated servers and lack of Looking For Group (LFG) tools. LFG is coming in the next major patch, but it’s really freakin’ late. I should get back to this game, but it would just to achieve the bragging rights of finishing my Smuggler’s story arc and getting the last few levels to 50. The social part of SWTOR just never hooked me, though that’s hard to do when you don’t raid or care much for guild affiliations anymore.

WoW MoP will get me back to WoW, but I’m not sure if that will be lasting. The content doesn’t much excite me, but the biggest draw of WoW has always been the guild/social factor, as well as catering to both hardcore players and casual players. I’ve been in both boats, and I have exceedingly fond memories of both, but I really love the idea of just wasting time with virtual friends in a casual manner.

Skyrim. It has its faults and it’s strictly single player, but of all the games I’ve played in the last year, I think Skyrim is the one that beckons me the hardest to get back into. It’s huge, long, varied, fun, and deep. I just feel a bit lonely when I play (single player), and sometimes you hit walls that are frustrating (killing a priest/dragon combo as a thief-type is maddening). But it’s a beautiful game.

Hopefully MoP is fun and hopefully Elder Scrolls Online is Skyrim+social MMO, which would be amazing. SWTOR did most everything right, in my opinion, but two glaring issues really have held it back (and some smaller ones that were actually fixed in earlier patches).

playing devils advocate with security awareness training

Via New School of Information Security, I wandered over to a surprisingly hotly debated article on CSOOnline from Dave Aitel, “Why you shouldn’t train employees for security awareness”. Really, what the headline should be is, “Why the dollars spent on security training are better spent on something else.” Heading over to the article, I already knew there was some debate going on, but I was a bit shocked at the comments. (Truth be told, very few of the detractors had any decent point to their comments…)

Especially since Dave has a point.

No, he’s not completely correct, but he makes a point; the sort of point that requires hyperbole to make it, ya know? (strictly speaking, I don’t actually see where Dave’s points echo exactly the sensational headline CSOOnline decided to give him, though I can see where one will take the 1/4 step to connect the dots…)

Too many people lean very heavily on security awareness activities; essentially saying we’ll be more secure if people make smarter choices. This makes sense, but the reality is rarely quite so nice. People still make mistakes. *I* still make mistakes, and *I* should know better. People may willingly make mistakes. I’d much prefer my business dollars spent in a way that I have a technological safety net under me.

Security awareness is useful when you don’t think the whole purpose is to improve your security by a palpable amount due to your training. Security training helps the rest of the business understand why you have security policies. It gives the ones who care some knowledge to make better (not correct, but at least better) decisions. It prepares them for when you have to investigate something, offer an opinion, review something, or otherwise finger the brakes of reckless progress. Among other political and soft reasons…

In the end, I agree with people who feel that you should have a mix of security awareness and technological controls, but still trust the technological controls more. I’ve probably said that for a decade now, and there’s nothing that has moved me from that stance. Awareness yes, but rely on those technological controls more.

Oh, and I do “get” the problem of expecting perfection otherwise something is useless. I think that’s an unfortunate extreme position that Dave *mostly* walked into. Because a few attacks still work, doesn’t mean awareness is worthless. But we may be able to have technological controls enough to mitigate, if not outright stop, the mistakes that happen. That’s where we talk about “defense in depth” and doing various things to help limit risk/damage…

pci guru on the issues with pci

PCI is an easy horse to beat when looking for impassioned discussions with other security professionals. Sadly, too many discussions just talk about “how-it’s-not-perfect-so-it’s-dumb” vs “I-didn’t-have-budget-before-but-I-have-it-now” points, and don’t get down in the trenches of the issues, as it were. Mr. PCI Guru has a lengthy, deeper post, “The Failure of PCI?” which hits many points I sympathize with, like this:

A lot of QSAs are great technologists, but would not know a good or bad control environment if it bit them in the posterior. Fewer QSAs and most ISAs know controls, but would not know a proper firewall or router configuration to save their lives. And finally, there are a very, very few QSAs and some ISAs that know the technology and controls. Unfortunately, the PCI SSC has not found the way to winnow out the QSAs and ISAs so that only the ones that know both technology and controls remain.

General media is a problem when it comes to security. Security is a nuanced, complicated topic to talk about, and media, even IT/security media, usually doesn’t have the patience or expertise to talk properly about it. Instead we get dumbed down and overly simplistic headlines and quotables like how PCI works if you follow it or PCI doesn’t work because a breach happened. None of it does anything except stir the pot and make those who quote the quotes (read: poor CTOs) look idiotic in front of their (maybe) talented staffs.

Or maybe better yet, the PCI Council/DSS is in a weird position of trying to defend itself while also wiping its hands clean when necessary. That’s an unfortunate position, but is a PR/positioning problem. (Actually, this *may* end up being a legal/insurance/CYA problem at the root…)

But that’s not a PCI problem, per se, so much as an overall security problem.

details on the complicated cloudflare ceo hack

Via Securosis, check out Krebs’ (seriously, I don’t have a bromance, he’s just the best security journalist out there…) article on CloudFlare’s CEO’s email hack from the other week. Check CloudFlare’s blog for an image of the visual timeline of the incident. Talk about involved!

Some web filters will flag that image location as bad, but the barely-readable preview was enough for me. Hopefully that link persists. If not, right-click the image and try to view it directly.

What’s fun is the CEO wasn’t the target, nor was CloudFlare. Apparently, the target was a client of CloudFlare’s, from what I gather. Bottomline, an attack can come from anywhere and try to get anywhere else. It’s not just targeted stuff that’s all about you, or APT that cares about you. Maybe you’re just peripheral to other goals, either as a company or as employees at a company. I hear a lot of talk about threat modeling and such, and that’s fine, but do threat models pick up things like this any better than general best practices, diligence, and education? Not sure, there.

my good and bad on diablo 3

Been playing Diablo 3 since it released, and I think I’m far enough to dump out some thoughts. My female Wizard hit level 60 this weekend and also finished Act IV Hell. I dipped my toes into Inferno difficulty (the highest) last night. Here’s a hopefully quick list of some good and bad things about the game. Overall, this is a great game and satisfies the action/loot RPG itch perfectly. (For background, I played D1 when it was out and D2 later. I played almost every class up to level 90+ in D2 [didn’t like the assassin], and did the requisite farming on my sorc [meph runs ftw!].)

THE GOOD

1. The Skills. Skill trees and skill points are gone, and in their place are skill assignments you can bind to 1 of 6 hotkeys, and runes which bring minor changes to those skills. I wasn’t sure how this would play out, since skill trees and spending skill points is always fun and a staple of RPGs these days, but holy damn did Blizzard nail this one. My Wizard has 23 skills with 5 runes to augment each, making for 115 skills at my disposal. That sounds like a lot of filler, but I’ve found very few of those skills are such. The ability to tailor my playstyle so much is absolutely brilliant. Which leads to…

2. Skill Balance. Blizzard made it a goal to do skills in a way that didn’t result in players heading to the web to find the one “uber class build” they should go for in the endgame. Blizzard succeeded (with some combo exceptions that have been patched). There are three subpoints for this. A) I’ve really never had a game where I can use a skill buildout where I might get pwned against a boss, then switch things around and try new stuff, which leads me to be the pwner. And it’s not because of skill imbalance, but rather changing my character build to accommodate the situation and how I play. B) Some skills do seem like filler with certain builds, but really many of them are meant to synergize with others for completely new builds. For instance, there’s no reason for me to add to my fire damage when I’m dishing out arcane damage instead. C) In the hardest difficulty level, I’ve seen vids of players using a wide variety of skills and playstyles, and it’s awesome that so much is viable. Which segues nicely into…

3. Endgame – Challenge. Diablo 2 was not really that hard, even in Hell mode. D3’s difficulty is tweaked far better. Normal mode is an easy introduction to the game, but from there things ramp up nicely. While the biggest bosses have some disappointments, finally I feel like champion packs and rare packs are given the respect they deserve in this game. In short, shit’s challenging once you get up there, and that is a welcome piece of endgame enjoyment!

4. Endgame – Replayability. If you played through normal mode in D2, you played the whole game. The only things that saved the game from being useless were the randomized dungeons and random champion/rare encounters and random loot drops. D3 still has the above, but at least this time there are quite a number of random events that you can find in the world, and the random champion/rare packs are more vicious, tougher, and fun. So, while not for everyone, it is a step up from D2. (Too bad the bosses aren’t exciting after the first time around….)

5. Feels finished. I played Torchlight and was highly annoyed that it felt unfinished. D3 feels like a solid, tight, finished game, and I’m very happy with it. It looks beautiful, sounds great, and plays like a dream for the most part (I am a twitch gamer, so sometimes when I try to stick-n-move the game doesn’t register the up-key and instead keeps me standing and firing…)

6. All the little things you didn’t know were annoyances in D2 are fixed. No more identify and town portal scrolls*; you can just do this stuff. In fact, no scrolls/tomes at all. You pick up gold by walking over it. Gems are a bit simplified. Charms are gone. No more mules, since your stash and gold are shared across characters. Every item only takes up 1-2 inventory slots (this is good and bad, as all weapons feel the same as opposed to the old school 6-slot spears, etc, but does save room!). No trapped chests/bodies, though sometimes a zombie or skellie pops out of a jar.

7. Health pot cooldowns. I was skeptical of the changes to health restoring from D2, but I think it is an integral component to the challenge and strategy of the game. Small change, big positive effect.

8. Followers have been improved. The no-name followers from D2 that were simply forgettable meat shields are replaced with actual characters who never die and have back-stories. That’s kinda cool. While I wish I could equip them with more things, they do a much better job about being an important part of the action in solo games, especially since you can slightly tailor their own special skills (choose 4 of 8 available skills as they level up).

THE BAD (or rather, the NOT-SO-GOOD)

1. Endgame – Level Grind. The level 99 grind from Diablo 2 is gone, replaced by a relatively easily reachable level cap of 60. I never did have a level 99 in D2; the grind from level 91 and up is insane, and even in my free-time-college-years I didn’t have the patience for it. But some people did. I really wish that was back, as it was pretty important to always have something to gain from time spent.

2. Some bosses are lame. The Act 2 and Act 3 bosses, at least for a Wizard, are laughably dumb. I dislike the Act 2 boss mechanics (from being cheap with constant adds to just standing in place and slamming tentacles onto the ground). And the Act 3 boss I think I am 3 for 3 against because he does all ranged stuff that is avoidable if you move. Badly underwhelming. The Act 1 and Act 4 bosses, however, are super fun, though a bit simplistic once you have a rhythm. Still, they’re better than just beating on Duriel like D2 Act2…

3. The story. Diablo games are not known for their deep, resonating, and twist-filled stories, but yet they are pretty immersive and interesting. D3 attempts to be more complex with the storyline, but it’s either filler, easily predictable, or simply underwhelming. Or it simply feels like a retelling of D2 (start in Tristram, go to desert…deja vu?).

4. The voice-acting. Maybe I’m hugely spoiled by Skyrim (despite the heavy actor re-use) and Star Wars: The Old Republic (amazing voice acting), but the voice actors and the lines they use in this game. Are. Awful. A few work, like some of the bad guys, Cain, and a couple classes, but for the most part, they’re painful. For instance, my Female Wizard comes off as an arrogant bitch and I really hate hearing her voice or the things she says. (Side note: I am, however, amused by some of the background banter, which changes based on who your companions are or even what zone you’re in.)

4b. My character has a voice. I don’t recall my player talking all that much in previous Diablo games (see also the simplistic story), but it badly draws me out of the immersion when I hear my character’s voice, especially if I don’t like it and she has a terrible tone and attitude. Other classes are even worse.

5. The music. Wait, what music? The music in Diablo games is memorable and part of the immersion and experience. The D2 music is absolutely superb, and even thinking about it makes my skin tingle. My first hour of playing D3 immediately had me noticing the lack of music. The “music” in D3 is mostly just ambient stuff that you don’t really consider music. I’m greatly disappointed in the lack of a worthy soundtrack to my pwning. When music does kick in, it’s not very interesting nor really helps the tone. It’s like they went way too ambient and then way too pomp-and-circumstance in later levels, rather than the perfect in-between of D2.

6. Very little social support (so far). There is coop play, and it’s really done well, but that’s been largely it for social support in this game. The chat rooms of D2 are replaced with an Auction House (an improvement), but there’s very little chance to meet new people in a social setting like a typical MMO RPG. We have drop-in-drop-out public games with random people, and we now have a mandatory general chat with a max of 99 other random people, and friend lists. While this is all a step up in most cases from D2, I seriously think Blizz is dropping the ball on support for better social ability. No leaderboards? No chat rooms at all? It might be cool to be able to join a game to watch. Etc.

7. Game world lack of persistence. In D2, if you left your game, but then went back into it, the game world would persist for a short period of time. So if you lagged out or wanted to trade an item to your mule, you could get back in and be ok. If you leave the game in D3 and try to get right back in, you may be back at the same spot you were at, but the layout will be new and the monsters respawned. Yes, that means you can lag out, come back, and be immediately set upon.

UNDETERMINED

1. Endgame – The Loots! Since I’m new to Inferno, I’m still not sure how well the loot grind from D2 will feel in D3. So far the items don’t feel quite so legendary or special, though I’ve only dropped 3 legendaries so far. I think it’s maybe the higher rate of drop on rares (yellows) that deadens my excitement? Not sure yet.

2. Auction House. The real-world-money AH isn’t out yet, but I’m still unsure about the current AH. It’s clunky, it’s filled to the brim with items. But it’s a huge (huge!) step up from the chat rooms and nervous in-game trading/bartering from D2. Still, there’s something social-wise to be missed about offering 10 SOJ for a top-stats Windforce.

3. No more stat points. I’m torn on this one, and ultimately probably won’t miss it. In D2 you assigned your own vitality, str, int, dex points. This game allocates them automatically as you level up. While this simplifies things and prevents me from being stupid, it does take away a small bit of tweaking you could otherwise do.

4. Will I look like a badass? I’m not sure yet whether a character’s look is the same based off gear tier, or whether I’ll look relatively unique when I find cooler things. Not that it is a huge deal, since the character is typically pretty tiny on screen….

5. Secret doors? Maybe I’ve not seen any yet, but I miss the occasional secret door you can find in dungeons.

* Of minor note, you can’t stash a town portal at the start of every level that you can race to when shit hits the fan. The town portal ability has an interruptible cast time. This means some dungeons have no way out but a game restart, if you run into a bad champion pack.