Renderman has linked to video of his Defcon talks, both of which I ended up missing despite really wanting to go. I didn’t even know about his room size problems until just now, so I suppose I saved myself some frustration in missing that talk. Rather than download and open a local copy of his slides, Kaminsky has embedded them in a post of his own.
Author: michael
installing multi-iso to usb using ubuntu 7.10
I got an urge to install the MultiBoot-ISO I recently posted about. I picked up a cheap 8GB USB stick from Newegg. In order to install the .iso file to USB, I needed UNetbootin. I really like instructions, even if the steps turn out to be simple, so I’ll detail my adventure below.
I’m using Ubuntu 7.10. Download UNetbootin to the Desktop. I did this via the torrent link, which took almost a week to download at 4 GB in size (I used Azureus, which appears to now be named Vuze). There are two dependencies that need to be installed before running UNetbootin: mtools and p7zip.
cd Desktop
sudo chmod +x unetbootin-linux-275
sudo apt-get install mtools p7zip p7zip-full
sudo ./unetbootin-linux-275
This starts up the rather simple GUI. Select the radio button for a Diskimage ISO install. Navigate to and select the MultiISO-1.0.iso in the GUI. Down lower, make sure USB is selected.
Insert the USB stick and let Ubuntu mount it. I need to find this mount point, and Nautilus isn’t immediately helpful as it tells me /media/PATRIOT. Thankfully mount will give me what I need.
sudo mount
…
/dev/sdb1 on /media/PATRIOT …
Back in the UNetbootin GUI, select USB Drive as the type and /dev/sdb1 from the Drive dropdown. Reverify everything to avoid accidentally installing to the local disk! Click OK to start. For such a long download and large file, the install takes maybe 4-5 minutes, which is mercifully nice.
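The post’s warning about reverifying the target before clicking OK is worth automating. The following shell snippet is an added example, not part of the original post or UNetbootin: it parses mount output of the kind shown above to find the device behind the USB mount point and refuses any device that lives on the same disk as the root filesystem. It assumes the /dev/sdXN naming the post shows (NVMe-style names are not handled) and uses constructed mount output.

```shell
#!/bin/sh
# Added example, not part of the original post: before pointing UNetbootin (or
# dd) at a device, confirm which block device sits behind the USB mount point
# and that it is not on the same disk as the root filesystem.
# Assumes the /dev/sdXN naming the post shows; NVMe-style names are not handled.

# Constructed `mount` output in the format the post shows.
SAMPLE_MOUNT='/dev/sda1 on / type ext3 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
/dev/sdb1 on /media/PATRIOT type vfat (rw,nosuid,nodev,uid=1000)'

# device_for_mountpoint MOUNT_OUTPUT MOUNTPOINT -> prints the device, e.g. /dev/sdb1
device_for_mountpoint() {
    printf '%s\n' "$1" | awk -v mp="$2" '$3 == mp { print $1; exit }'
}

# parent_disk DEVICE -> strips the partition number: /dev/sdb1 -> /dev/sdb
parent_disk() {
    printf '%s\n' "$1" | sed 's/[0-9]*$//'
}

# safe_target MOUNT_OUTPUT MOUNTPOINT -> returns 0 only when the mount point is
# backed by a device on a different disk from the one holding /
safe_target() {
    target=$(device_for_mountpoint "$1" "$2")
    rootdev=$(device_for_mountpoint "$1" /)
    [ -n "$target" ] || return 1
    [ "$(parent_disk "$target")" != "$(parent_disk "$rootdev")" ]
}

# Demonstration on the constructed sample; against a live system use "$(mount)"
if safe_target "$SAMPLE_MOUNT" /media/PATRIOT; then
    echo "OK to write: $(device_for_mountpoint "$SAMPLE_MOUNT" /media/PATRIOT)"
else
    echo "refusing: target shares a disk with / or is not mounted"
fi
```

Run it against the live system with `safe_target "$(mount)" /media/PATRIOT` before selecting the drive in the UNetbootin dropdown.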
schneier reviews security roi
I don’t read Schneier’s blogs. Why? Because everything cool he says will get linked or sent over by other people I read. So it was with Schneier’s latest essay on security ROI. An excellent article, although it echoes what others in the industry (including myself) have really kinda known for a few years now. But he concisely brings up the issues we have when trying to value threats, risks, and countermeasures in formulating ROI.
Before I get into the details, there’s one point I have to make. “ROI” as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It’s an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn’t make sense in this context.
In the end, this is all so much guesswork; the only things you can count on are using such measures as a general guideline and trying to be as consistent as possible when measuring and using them.
As usual for Bruce’s blog, the comments are many and fairly well-informed. Skimming through them reveals just how difficult the idea of security ROI or security cost really is, and possibly how non-universal every “answer” is.
So, we harp about FUD, but isn’t that what you have to do in the face of a lack of ROI? Is that how insurance sells itself, whether spoken or just subtly implied?
more mythbusters vs rfid
I posted about Mythbusters vs RFID a few days ago. In the interest of equal representation of stories, I wanted to post this one I saw that suggests the Mythbusters chose on their own not to pursue an RFID security episode, rather than the report that they capitulated to lawyer demands.
MythBusters co-host Adam Savage is stepping back from public comments suggesting that legal counsel from several credit card companies led the Discovery Channel to pull the plug on an episode dedicated to security holes in RFID.
Where does the truth really lie? Who knows. Savage may have just come to his own erroneous conclusions or he might have been pressured to clear the air. I doubt we’ll ever really know when it comes to media and media relations and that whole public song-and-dance.
i don’t trust google enough to go gaga over chrome
No surprises here, Google Chrome is out (beta). Their terms of service are sketchy (albeit a generic TOS). I used to love Google back when Yahoo went public and I no longer trusted Yahoo or found their site as useful. Now Google is public and I just can’t trust that “Do no evil” will ever again trump “Make more profit.” I’ll likely try Google Chrome at some point, but I expect Google to harvest all the data they can from its users. And thus, I just don’t at this point trust it.
(Hell, it already annoys me that Firefox 3 makes constant checks to Google’s safesearch by default…)
By the way, does this mentality of distrust automatically make me more old school in IT security? 🙂 There’s a lot of wishy-washy business-kool-aid drinking people around these days… Distrust, full disclosure, researching on personal time…these things still seem like somewhat necessary traits for a healthy security culture?
myth confirmed by rfid-using credit card companies?
The first rule of using RFID is don’t talk about RFID issues! At least, that may be the gist of this story I read from Dan Morrill on how the Mythbusters are prohibited from airing an episode on the insecurity of RFID chips. This was over on engadget as well as other places, just to throw some links around. If you have to suppress information on insecurity, you have problems to fix!
You know, if a credit card company could implement RFID properly and securely and openly have it vetted and tested and beaten against, they might find some value in that. Knock-offs and theft aside, everyone should strive to be secure enough where full disclosure would not break the entire product/system down.
netflix has a ways to go yet
Netflix is one of the sweetest services in years and I love them. Then tonight I decided to try their instant viewing option. I have a very untouched Windows system that I use for gaming and nothing much else; no security crap or anything. I tried to watch Ghost in the Shell SAC volume 4 (out of 7). I clicked Play next to the selection in my queue, and I am taken to the very first episode on volume 1. I actually have to click through 12 episodes to get to where volume 4 starts.
Sadly, clicking through without watching the whole damn thing means the Netflix player randomly thinks my connection has an error and throws up. I then have to start the whole thing over.
It feels like flipping a coin and hoping for heads 13 times in a row.
Nonetheless, if I just wanted the first title (like most movies they offer on instant play), it was slick, quick, and decent enough quality! I just happen to have some trouble trying to skip to the middle of a series.
digital comfort
Much like a baby is comforted by the rhythmic heartbeat and protective arms of a mother, so too am I comforted by monitors, logs, throughput graphs, scrolling shells; the dull background thrum of my infrastructure, all speaking the steady pulse of the network.
mbta-mit editorial on securosis
Mogull has posted a guest editorial from Jesse Krembs which is a rather excellent read about the MBTA/MIT incident. I suggest checking it out and posting some feedback. I posted some of my own thoughts, but like most people, I’m open to how others think, especially as I’m not strongly inclined either way. Actually, I’m pretty strongly inclined to sit in the middle rather than gravitate to either side. Not uncommon for an INFP. 🙂
authority figure intimidation
I’ve actually had some time to do some reading this morning; look out! I read over Joel Spolsky’s latest INC.com article: “How Hard Could It Be?: How I Learned to Love Middle Managers.”
But they also said that Michael [co-owner] and I did not seem to them to be approachable. If you wanted to talk to management, you had to coordinate a time when both founders were available, and frankly, a lot of people were too scared to do that. This surprised me, because my door is always open, and people seem to come in constantly to ask me questions. I didn’t realize that some of the newer people were intimidated.
Joel chose to tackle this issue several ways, most prominently by appointing leaders (pseudo-middle managers) who are more comfortable approaching the CEO than the newer guys. Yeah, that’s a way to go, but it really doesn’t solve the intimidation problem, does it? It just abstracts it a layer away.
To me intimidation always starts out as a perceived thing and it can come from a few conditioning factors. (Note: I’m using “intimidation” as more like an employee being timid, as opposed to an employer being actively menacing and intimidating.)
1) The employee’s previous workplace was highly authoritative and the managers really were actively intimidating or controlling. Hit a dog enough, and it will cower any time anyone moves towards it suddenly. Only time fixes this.
2) A natural sense that an authority figure is of some higher stature or importance and won’t consort with buddy-buddy talk with lower employees. Can the CEO really relate to my Rock Band hobby? The authority figure can fix this.
3) A utilitarian sense that the value of an authority figure’s time is too important to spend listening to an employee. (Really, just think how much per minute your CEO likely makes…that’s intimidating). The authority figure can fix this.
4) A perception that any time spent in front of an authority figure is judgement time; every movement, word, and tic is being judged by the authority figure and may get you on their negative side. The authority figure can fix this.
I wonder, however, if there is a better way: make some time to buddy-up to the new employees. Take them out, get dirty and play paintball, sit down and join in with some video games and trash talk, go out for beers Friday night and check out the game or the girls. Basically, bridge the gap of friendship and familiarity.
Don’t make this a fear-inducing lunch outing with the CEO on Friday (“am I being fired?”), but rather something that doesn’t make someone question whether they’re acting properly for the CEO, nor forced like it is the CEO stooping down to rub shoulders in the trenches… while he wears his suit and tie and cuff links and checks the time on his next appointment.
To the outside world, be the CEO. But to the inside intimate company, be just another guy who knows the answers.
(Disclaimer: I’ve never been a manager, so I may be full of shit. 🙂 )
eavesdropping on the internet
At Defcon 16, I missed an unscheduled talk by Anton Kapela and Alex Pilosov on stealing the Internet. I quickly learned that they had leveraged BGP to route traffic from the Las Vegas con over to one of their servers in New York, and back to the con again, with no one the wiser.
Kim Zetter over on Wired has an article discussing this eavesdropping attack. While it doesn’t sound new or innovative (kinda like I can prank call you on the phone because, get this, the phone lets me call you!), it is still a decently big deal.
The attack is called an IP hijack and, on its face, isn’t new.
…
Pilosov’s innovation is to forward the intercepted data silently to the actual destination, so that no outage occurs.
Ordinarily, this shouldn’t work — the data would boomerang back to the eavesdropper. But Pilosov and Kapela use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.
Kim has a follow-up post with more information that didn’t make the first one.
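From the prefix owner’s side, the classic IP hijack the article describes shows up in the control plane as an announcement covering your address space with somebody else’s origin AS. The shell snippet below is an added example, not from the original post, the Wired article, or the talk: it runs that origin check over constructed BGP announcements (RFC 5737 documentation prefixes and private ASNs, so nothing here refers to real networks) and flags any announcement that equals or is more specific than a monitored prefix but carries an unexpected origin.

```shell
#!/bin/sh
# Added example, not from the original post or the Wired article: a small
# origin-validation check of the kind a prefix owner runs over BGP updates.
# It flags any announcement that equals or is more specific than a monitored
# prefix but carries an origin AS other than the expected one, which is how an
# IP hijack shows up from the victim's side of the control plane.

# Constructed table of monitored prefixes and their legitimate origin AS.
EXPECTED='192.0.2.0/24 64500
198.51.100.0/24 64501'

# Constructed announcements: "prefix origin_as as_path..." (nearest AS last).
# The second line is a more-specific /25 from an unexpected origin.
UPDATES='192.0.2.0/24 64500 64510 64500
192.0.2.128/25 64666 64510 64666
198.51.100.0/24 64501 64520 64501
203.0.113.0/24 64777 64510 64777'

# flag_hijacks EXPECTED UPDATES -> prints "HIJACK <prefix> <origin>" per offender
flag_hijacks() {
    printf '%s\n' "$2" | awk -v table="$1" '
        # dotted quad -> 32-bit integer
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
        # network number of cidr truncated to plen bits
        function netbits(cidr, plen,  p) { split(cidr, p, "/"); return int(ip2n(p[1]) / 2^(32-plen)) }
        BEGIN {
            n = split(table, rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], f, " "); pfx[i] = f[1]; org[i] = f[2] }
        }
        {
            split($1, a, "/")
            for (i = 1; i <= n; i++) {
                split(pfx[i], q, "/")
                # announced prefix lies inside the monitored one, and origin differs
                if (a[2]+0 >= q[2]+0 && netbits($1, q[2]) == netbits(pfx[i], q[2]) && $2 != org[i])
                    print "HIJACK " $1 " " $2
            }
        }'
}

flag_hijacks "$EXPECTED" "$UPDATES"
```

Because Pilosov’s variant forwards the intercepted traffic on to its real destination, there is no outage to notice from the data plane; watching announcements for unexpected origins like this is what remains to the victim.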
must-have apps for thumb drives
A list of 25 tools for a USB stick. Several years ago I made an attempt to maintain a disc of tools for work and home, but it’s just a pain in the ass to keep things current and small enough to fit on media back then. But now that USB sticks are comfortably large…the linked list may give some good ideas.
samurai web testing livecd
In other livecd news, I see there is one geared towards the web app testing crowd: the Samurai Web Testing Framework v0.1. I can’t comment on the quality since I’ve never seen or heard about it, but might be interesting to someone. Looks like it might be put up by some Intelguardians guys.
Update: Lo and behold, I found more info over at the actual website for the Samurai Web Testing Framework! Stolen from their post:
Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.
discovering more security blogs
It’s been a long time since I just randomly browsed other security-related blogs, checking them out, finding their own list of friends or links, clicking on them, and just doing that for a few hours and linking my way around to all sorts of new sites and people.
In seeing Mubix’s post about Defcon tools on his blog, I saw he tracks others who link to it. Nice! For a post like Defcon tools, it is both popular and pretty security-related, which means every one of those links is likely another fellow who has similar interests.
Hell, I should get around to harvesting my own web logs for such trackbacks…
multi-iso livedvd with security distros
Sticking to a week of Mubix reposts, he has mentioned the release of a LiveDVD consisting of various security-related LiveCDs from badfoo.net. The file is just over 4.0 GB in size, but sounds intriguing as an all-purpose boot disc/key for flavors like Backtrack 3, Knoppix, and MPentoo. Sounds like a great excuse to finally bump up into the higher USB sticks.
I swore I’d seen something similar a year or so ago, but can’t for the life of me find it. I might have gotten confused with blog “round-ups” of various live cds…