doing nothing is good for the soul

Even geeks need to unplug and relax a bit. Security geeks probably more so (although I may be a bit biased there) with our constant battle to maintain acceptable security and the constant threat of our phones, PDAs, and Blackberries chirping for our attention. I read an article by Tom Hodgkinson titled “10 ways to enjoy doing nothing” (CNN) yesterday and wanted to echo a few points.

As a background, I have leanings towards zen buddhism and meditation. Not necessarily your traditional lotus position meditation, but just the ability to find peace and reflection where you are; and just mentally and spiritually relax. I’ll add a few other points below from my own experiences.

1. Banish the guilt. We are all told that we should be terribly busy, so we can’t laze around without that nagging feeling that we need to be getting stuff done….Guilt for doing nothing is artificially imposed on us by a Calvinistic and Puritanical culture that wants us to work hard. That’s true, right? Me, I tend to laze around and play video games. While that is still technically *doing* something, it usually is not something that directly adds to my life, ya know? The point is, don’t be guilty about doing things that don’t matter or doing nothing at all. Find a hobby, play a guitar, tinker with something, but never let it make you feel anxious or time-constrained or stressed when you do it. Just do it and flow with it like a babbling stream rather than a raging wave.

7. Lie in a field. Doing nothing is profoundly healing… Listen to the birds and smell the grass. Ever do this as a kid? I did. It’s beautifully calming and amazing. Ever do this as an adult? Me either, not nearly enough!

8. Gaze at the clouds. Don’t have a field nearby? Doing nothing can easily be dignified by calling it “cloud spotting.” It gives a purpose to your dawdling. Go outside and look up at the ever-changing skies and spot the cirrus and the cumulonimbus. You can even do this as you sit at Starbucks on the outside chairs if they have them. Or on the steps of your nearby library. Gazing up at the sky no matter what the weather is an amazing, heart-warming, thing that helps put so many things about life and our place and our thoughts into perspective.

And my own additions…

11. Gaze at the stars/sit out in the rain/sit out while it snows. I have an immense appreciation for nature; nothing in the world is or ever will be as perfect as a whole, even with its individual imperfections. Stargazing, sitting out in and watching/feeling/smelling/hearing the rain or snow are the kinds of things that make you know you’re alive; your senses assuring you of existence. You can even do this in your regular residential neighborhood (although seeing the stars might be a bit difficult without a good dark park or something) as long as the rest of the world is not too busy. Preferably without distractions, but I wouldn’t judge someone less if they mixed in some mood music as well (“new age” music or even minimalistic electronica adds to these moments).

12. Exercise. Many people bemoan exercise as boring or painful or just a waste of time. If you’re going to be doing something, whether cardio or weights, you really should enjoy doing it; it’s good for the soul to be happy with the things you do. So rather than focus on the pain, focus on the good things. Focus on your breathing, not just the rate, but *how* you breathe (chest vs stomach; mouth vs nose…). Focus on the movements of your body, the contracting and relaxing of the muscles that move our limbs. Focus on the rhythmic beat of your heart. Focus on your posture and form. Focus on those points where you do feel real pain and be aware of your limits. If you need to, include music that you can focus on as well (minimal words, heavy on beat and instrumentation/sound, and longer than 3-minute sound bites; go for real trance/techno).

the doctor will see you now, after we scan your id

Our ID cards are being scanned at an increasingly alarming rate. Marisa over at Errata Security has posted about having her driver’s license scanned at a doctor’s office (including more links to other reports).

I don’t see why this is necessary. Is identity theft at a doctor’s office *that* big of a deal? What is the gain, free health care at someone else’s expense? Hijacked prescriptions? I can’t imagine healthscare theft is widespread as those seem like ballsy, planning-intensive forms of crime. Then again, maybe all it takes is one check-up and that information for someone else is entered into your record (positive for herpes? allergic to penicillin? DNA on file that isn’t yours?) which can have disastrous effects on your health later on. But that seems to be more a failure of relying so heavily on what is stored on a computer somewhere. We see movies that make these wild scenarios (The Net, Hackers, and many others) where a computer says you’re evil so everyone treats you as evil without a question…

Shit, maybe I’m convincing myself of something here!

Still, what if we go further down the RFID route, or any type of embedded ID system? RFID could be gathered without your being able to stop it once you walk in the door to an office (or god forbid walk *near* it and away!). An embedded ID chip (like pets are getting these days) pretty much has the requirement to be scanned, and let’s just hope that’s not being saved and is just being validated (yeah right). These kneejerk reactions to having our ID scanned may be a joke 20 years from now.

If you read the “Red Flags” Rule from the FTC, you’ll get the distinct impression this is not to protect consumers, but to protect healthcare providers. It also doesn’t even make a hint that providers should scan and store ID card information. It sounds very much like being carded at a bar, where a visual glance at the card will be enough. (What I “like” about the Red Flags Rule is just how vague it is…and we thought PCI was vague! This basically says you need to spot “red flags” and good luck with that!)

It was just last week that I mused on Twitter that I might have to look into a tight sleeve for my driver’s license; a sleeve that keeps the front visible but obscures the back so that I can stop a merchant/receptionist from scanning it while they slip the card out of the sleeve, yet still slip it into the slot in my wallet.

catching the unicorn that is nac

(via infosecramblings) Jennifer over at Security Uncorked has posted up a paper on why NAC is failing. It makes for a good read (pdf).
If you were to ask me before reading this paper what my gut reaction to NAC is, it would read:

  • complex to manage in anything beyond a lab or small org with strict system policies, low speed of change, and few exceptions.
  • can only exist with other foundational technologies like something to compare against (AV version, etc) and something to control access (managed switches, firewalls, proxy, etc). If you don’t have the foundations managed well, you have no business putting NAC in yet.
  • can be a nice way to validate inventory and policies, every organization still has to manage the exceptions and guests. If you have inventory and policy-checking already being done, NAC’s only purpose is rogue isolation which you can do, to varying degrees of depth, in many other (even homebrew) ways.
  • I always hear about messy, issue-prone installation attempts and have never heard of one real success story.
  • orgs like McAfee already are trying to put all the pieces together anyway; it’s not a big step to take their huge suite of apps and just add in a control piece to their rogue detection/ePO/HIPS/NIPS conglomerate (for better or worse, since all of that rolled into one huge dungpile makes for a beast in administrative costs). But you still need the foundations set even outside such a “complete” (yay marketing!) security suite. This leads into the “it’s a feature not a product” argument which I don’t usually voice because it sounds way too “analyst-like” for my tastes. Besides, too many features = unwieldy product that is worth far less than the sum of the features!
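As an added example of the “homebrew” rogue isolation the list above mentions (this is my own illustration, not code from the Security Uncorked paper or any NAC product), the script below diffs a DHCP lease table against an asset inventory. The inventory, the lease lines and the hostnames are constructed sample data; the lease lines use a simplified one-line version of the ISC dhcpd leases file rather than the real multi-line layout. It reports MACs the inventory has never seen and known MACs that announce an unexpected hostname. Acting on the findings (moving a port to a quarantine VLAN, say) is exactly the “managed switches, firewalls” foundation the list says you must already have.

```python
"""Homebrew rogue-device check: diff observed DHCP leases against an asset inventory.

Added example. INVENTORY and SAMPLE_LEASES are constructed sample data; a real run
would read the inventory from a CMDB export and the leases from the DHCP server.
"""
import re
from dataclasses import dataclass

# Constructed inventory: MAC -> (expected hostname, description).
INVENTORY = {
    "00:11:22:33:44:55": ("ws-finance-01", "managed workstation"),
    "00:11:22:33:44:66": ("ws-finance-02", "managed workstation"),
    "aa:bb:cc:dd:ee:01": ("printer-3f", "network printer"),
}

# Constructed leases, one per line (simplified from the ISC dhcpd multi-line format).
SAMPLE_LEASES = """
lease 10.1.5.20 { hardware ethernet 00:11:22:33:44:55; client-hostname "ws-finance-01"; }
lease 10.1.5.21 { hardware ethernet 00:11:22:33:44:66; client-hostname "ws-finance-02"; }
lease 10.1.5.77 { hardware ethernet 00:11:22:33:44:66; client-hostname "unknown-host"; }
lease 10.1.5.99 { hardware ethernet de:ad:be:ef:00:01; client-hostname "laptop-bob"; }
lease 10.1.5.100 { hardware ethernet aa:bb:cc:dd:ee:01; }
"""


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str  # empty string when the client sent no hostname option


LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{")
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17})")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)"')


def parse_leases(text):
    """Extract (ip, mac, hostname) from each lease line; lines without a MAC are skipped."""
    leases = []
    for line in text.splitlines():
        ip = LEASE_RE.search(line)
        mac = MAC_RE.search(line)
        if not ip or not mac:
            continue
        host = HOST_RE.search(line)
        leases.append(Lease(ip.group(1), mac.group(1).lower(), host.group(1) if host else ""))
    return leases


def find_rogues(leases, inventory):
    """Split leases into MACs not in inventory and known MACs with an unexpected hostname."""
    unknown, mismatched = [], []
    for lease in leases:
        known = inventory.get(lease.mac)
        if known is None:
            unknown.append(lease)
        elif lease.hostname and lease.hostname != known[0]:
            # Same hardware address, different name: re-imaged box or a spoofed MAC. Worth a look.
            mismatched.append((lease, known[0]))
    return {"unknown": unknown, "hostname_mismatch": mismatched}


def report(text=SAMPLE_LEASES, inventory=INVENTORY):
    """Return one human-readable line per finding."""
    findings = find_rogues(parse_leases(text), inventory)
    lines = [f"UNKNOWN  {l.ip} {l.mac} {l.hostname or '-'}" for l in findings["unknown"]]
    lines += [
        f"MISMATCH {l.ip} {l.mac} claims {l.hostname!r}, inventory says {expected!r}"
        for l, expected in findings["hostname_mismatch"]
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it on a real leases file by passing its contents to `report()`; the printer lease with no hostname shows why the hostname comparison is skipped when the client sends none, otherwise every embedded device would show up as a mismatch.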

It makes me a lot more confident in my impressions of NAC that Jennifer hit on these points and more (for instance I totally didn’t think about authentication/identity with NAC) in her paper. I’m also not sure I’ve ever read a more complete and understandable description of NAC in general!

One key quote I want to pull out is this one, which I think succinctly sums up some of my feeling.

A single NAC product will not, in any environment, scale or grow to a level acceptable for widespread adoption. At the moment, the solutions are too difficult to implement and there are other alternatives that give organizations many of the features NAC can offer without the hassle involved with implementing NAC.

Often we do have to implement security technologies and apps that aren’t perfect and don’t provide 100% coverage no matter how much hacking we do on the side. But NAC is too big of a beast for many managers to swallow and still admit it only protects swaths X, Y, and Z of systems/scenarios. Huge suites of varying quality (like McAfee, Symantec, Cisco, etc) that already have roots in what I consider the foundational aspects of an enterprise network already have their work cut out for them. It’s natural that NAC will be absorbed into them rather than be yet another boulder to massage into the corporate cyber landscape.

If I had one suggestion, it would be to include a sub-list in the exec summary under the technical challenges item, and quickly list the big technical challenges specifically, or word it in a way that my initial reaction to that item is not the question, “What challenges?”

i don’t like to read too much into resumes

I’m of a mind that some HR folks overthink their job, especially when it comes to hiring and looking at resumes. Maybe this is all just a result of needing to sift through and rule out potentially dozens or hundreds of resumes for a single job (and maybe have backable reasons for whittling them down!). But it still seems like a lot of overthink for something you just can’t predict until an interview and you test drive the employee. This tiny mini-rant was inspired by a post over on Jeff Snyder’s blog, an excellent blog that combines both security issues and career/hiring issues. I’m not sure I know of another blog similar to his.

Though there is no magic length of time to stay with an employer, this HR executive likes to see longevity of 3-5 years or longer with each employer. Within each 3-5 year stay, Mike looks for growth. Growth could be represented by expanded skills, expanded responsibilities, bigger titles, etc.

I don’t really buy into such an approach for tech positions. Managerial or leadership positions, sure. But I think this threatens to shackle technical people with the often superficial trappings of business appearances. With the exception of being let go repeatedly very quickly, I’m not sure I’d read too much into how often someone changes (non-contract) jobs or whether they’re seeing progression or not.

Disclaimer: I haven’t really done much hiring (I helped look at resumes once…) nor manage people. I also fall into the bucket of 3-5 years per job with progression, so this isn’t me bitching about being shorted personally. 🙂

and this is why policies and computer restrictions exist

Just filing this story away as an example of why policies and computer restrictions are in place. Local admin rights, checking personal email at work,* local malware prevention, etc.

He allegedly sent the spyware to the woman’s Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital’s pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.

* This is getting stupidly hard, really. But everyone should still stop the big names, and then manual analysis of logs should pick up on regular use of smaller mail providers which can then be added to a blocklist. Sadly, this means staff-hours in a time when every company wants automated appliances to secure the world with little input.
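To make the footnote concrete, here is an added example (my own illustration, not a tool the post references) of the “manual analysis of logs” step done semi-automatically: it reads Squid-style proxy access log lines, ignores hosts already on the blocklist, and surfaces hosts that look like webmail by name and are used repeatedly or by more than one person, as candidates for a human to review before adding to the blocklist. The log lines, usernames, host names and thresholds are all constructed sample values.

```python
"""Surface candidate webmail hosts from proxy logs for blocklist review.

Added example. SAMPLE_LOG and BLOCKED are constructed; real input is a Squid native
access.log (whitespace-separated: time elapsed client action/code bytes method URL user hier type).
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts the proxy already denies ("the big names"). Constructed list.
BLOCKED = {"mail.google.com", "mail.yahoo.com", "hotmail.com", "login.live.com"}

# Constructed sample lines in Squid native log format.
SAMPLE_LOG = """\
1262304000.101     12 10.0.0.5 TCP_DENIED/403 1250 GET http://mail.google.com/mail/ jdoe NONE/- text/html
1262304005.220    312 10.0.0.5 TCP_MISS/200 5120 GET http://webmail.smallisp.example/inbox jdoe DIRECT/198.51.100.7 text/html
1262304060.004    201 10.0.0.5 TCP_MISS/200 2210 GET http://webmail.smallisp.example/read?id=7 jdoe DIRECT/198.51.100.7 text/html
1262304300.777    288 10.0.0.9 TCP_MISS/200 5120 GET http://webmail.smallisp.example/inbox asmith DIRECT/198.51.100.7 text/html
1262304330.010    150 10.0.0.9 TCP_MISS/200 9000 GET http://www.news.example/ asmith DIRECT/203.0.113.2 text/html
1262304400.500    190 10.0.0.12 TCP_MISS/200 1800 GET http://mail.tinyprovider.example/login bwong DIRECT/203.0.113.9 text/html
1262304410.900    140 10.0.0.12 TCP_MISS/200 7000 GET http://www.news.example/mail-delivery-times bwong DIRECT/203.0.113.2 text/html
1262304500.333    260 10.0.0.5 TCP_MISS/200 3100 GET http://webmail.smallisp.example/compose jdoe DIRECT/198.51.100.7 text/html
"""

WEBMAIL_LABELS = ("mail", "webmail", "email", "owa")


def parse_squid_line(line):
    """Return (user, host, action) for one native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) < 8:
        return None
    action = fields[3].split("/")[0]          # e.g. TCP_MISS, TCP_DENIED
    host = urlsplit(fields[6]).hostname       # URL is field 7 (index 6)
    user = fields[7]                          # "-" when the proxy has no username
    if not host:
        return None
    return user, host.lower(), action


def looks_like_webmail(host):
    """Name heuristic on the host only; paths mentioning 'mail' are deliberately ignored."""
    return any(label.startswith(WEBMAIL_LABELS) for label in host.split("."))


def candidate_hosts(log_text, blocked=BLOCKED, min_hits=3, min_users=2):
    """Hosts that look like webmail, were actually reached, and are used repeatedly or by several users."""
    hits = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        user, host, action = parsed
        if action == "TCP_DENIED" or host in blocked or not looks_like_webmail(host):
            continue
        hits[host] += 1
        users[host].add(user)
    out = [(h, hits[h], len(users[h])) for h in hits if hits[h] >= min_hits or len(users[h]) >= min_users]
    return sorted(out, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for host, n, u in candidate_hosts(SAMPLE_LOG):
        print(f"{host}: {n} hits by {u} user(s)")
```

The thresholds are the knob that turns this from noise into a short review list; a single visit to a small provider stays below them, while a host several people keep returning to rises to the top. The denied lines are skipped so already-blocked names do not get re-proposed.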

science and best practices

Before dissing “best practices” in general, keep in mind that following many “best practices” will save you time and effort discovering for yourself what others already know. Basically, “standing on the shoulders of giants…”

I think many people get mad at “best practices” because they’re not universal and absolute. They won’t work in all cases (maybe they just won’t work in yours!), and they won’t result in absolute security (what does?).

As paranoid security geeks, we should question and strive to understand what is going on, but don’t just rage against “best practices” because it’s chic.

white papers evaluating ips offerings

Joel Snyder over on Opus1 has a couple white papers posted about evaluating IPS solutions. Granted, these are dated 11/2007, but they read well enough to still stand valid. The first paper lists 6 steps to selecting the right IPS (pdf). The second paper lists 7 key requirements for IPS vendors (pdf).

I don’t have much to add to the first paper as it is pretty complete. The second paper has a few things I’d mention.

1. I still prefer calling an IDS/IPS just an IDS. Unless specifically configured (and you have the confidence in the device) to actually prevent attacks, they all work as an IDS instead. And this is good so no managers start thinking all attacks are being prevented even though 90% of the IPS device is working as an IDS device. It’s an expectations thing.

2. In the performance item (#1), I’d just briefly mention along with failopen capabilities, that the device should do so as seamlessly as possible, especially during an upgrade of the device/software. I don’t like patches/upgrades being disincentivized by downtime and off-hours work. That just leads to admins dragging ass. Same with power cycling the device if it isn’t very stable…

3. Item 2 in this paper should be read along with item #2 in the first paper; both deal with what sort of detection the IPS will be doing (rate, signature, anomaly, behavior…). Keep in mind that an IPS offering that does all of them often ends up doing all of them in a somewhat watered-down way. If you already have netflow analysis efforts, you might value that the least.

4. Item #7 asks for some limited firewall capabilities. While noble to include, I don’t want to confuse network gurus into thinking they should be mucking heavily in these ACLs and IPS rules just because this is the closest device to the source traffic. An IDS/IPS shouldn’t be heavily leaned on for such duties, and thus arguably shouldn’t even begin to be leaned on.

5. I’d add item #8 to the mix and say that enterprise IPS should give the operators the ability to be informed and capture enough evidence in an alert to make an informed decision. No data = fail. 1 packet = fail. And so on. This should be part of the evaluation of the IPS and not something you take as truth just because a sales guy says so.

6. Additionally, the alerts an IPS gives should not only be clear and precise on the problem, but signatures should be viewable by analysts to compare why something was triggered. Bonus points if you have capability to craft new signatures, either fully new or using an existing one as a template.

lying to your policy servers to promote usability?

Is there anyone yet who doesn’t understand that Apple is a consumerland company and still fails as an enterprise-friendly company? Oh well, from InfoWorld are details on recent iPhone updates silently fixing problems (again), only this time they were problems Apple was masking in order for users to circumvent policies.

As usual, security can be measured in “WTF’s” per arbitrary unit. This one gets several.

a consumer review of the cowon iaudio 7 mp3 player

A year ago I picked up a Cowon A3 portable media player (music and movies). My goal has been simplicity in my electronics; something the iPod/iTunes empire cannot give me. I’ve been exceedingly satisfied with the A3 in my year of use.

I have stuck with the Cowon brand and just yesterday received my Cowon iAudio 7 ($139). This little guy is basically the equivalent to an iPod Nano; meant to be stuffed in a pocket or worn on the arm. At 16GB, it fits the bill nicely for an on-the-go sort of device. It won’t hold all my music, by far, but it will hold most of the music I use for such purposes (hard rock, techno, breaks).

Using it the first time cannot be easier. Unpackage. Plug the USB cable into a computer. Drag-n-drop files into the Music folder just like any USB flash stick. Unplug, hit play. Done! I copied 13GB of music (3GB were large files) from a networked system to the iAudio in less than 3 hours, so that’s not terrible at all.

The playback is simple as before. Browse to a song to play, and hit play. You can then have the iAudio play back all the songs in that folder, or play all the songs in that folder and subfolders, or all songs on the device. All three of those options can be sequential or shuffled playback. You can loop through your chosen song or loop through the random/sequential setting. My use is to just browse to the folder of music I want (I only have 3 on this), hit play, and hit forward to get the first shuffled song. After that, I just let it go for days without needing to adjust anything other than a pause here and there.

There is rudimentary support for an on-the-fly playlist that you can build, but that’s not something I really use.

The controls take about 15 minutes of use to get used to, but after that are amazingly friendly. If you think they’re a bit sensitive, you can not only turn that down a bit, but also just set the Hold and all buttons will lock.

A few caveats. The device does not have a built-in loop for an armband (though it does have a small loop for a carrying strap). Armband use will require a special case (cheap). There is no AC power cable (it gets power off USB), but this can be bought cheap as well. The earphones are also normal fare (but decent sounding). If you plan on running or being active with them, you’ll probably want something that won’t fall out of your ear.

There are additional features on this than I expected. It has surprising sound recording quality with the built-in mic (not that I’ll use it). It has FM radio support. It does some bookmarking on music files (basically set a bookmark and you can always start the track on that spot; might be useful for full album rips or break sets). Supposedly it can also do some movie playback, but you’ll need to use the Cowon media software to encode the video in a format the iAudio can read. Nice to include, but shouldn’t be the point of this device.

taking control of your flash cookies

Care about your privacy and take diligent action to clean out your browser cookies? Don’t overlook Flash cookies.

The SANS Forensics blog goes into a quick primer on what Flash cookies are and how to find them. This is all in response to research that Wired posted about in August that is pulling the wool back a bit from these little-known buggers. Comments in the SANS article can lead to more research sources.
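As an added example of the “how to find them” part (my own script, not the SANS primer’s), this enumerates Flash local shared objects (`.sol` files) under the player’s `#SharedObjects` directory and groups them by the site that set them. The default per-OS locations listed in `default_roots()` are the well-known Flash Player storage paths; the sample tree that `build_sample_tree()` creates, its domain names and the byte contents of the files are constructed for the demonstration.

```python
"""Enumerate Flash cookies (.sol local shared objects) grouped by the site that set them.

Added example. The storage layout under #SharedObjects is <random dir>/<domain>/<path>/<name>.sol;
default_roots() lists the standard Flash Player locations, and build_sample_tree() creates a
constructed sample tree so the script can be run offline.
"""
import os
import sys
import tempfile
from pathlib import Path


def default_roots():
    """Well-known Flash Player #SharedObjects locations for the current OS."""
    home = Path.home()
    if sys.platform.startswith("win"):
        appdata = Path(os.environ.get("APPDATA", home / "AppData" / "Roaming"))
        return [appdata / "Macromedia" / "Flash Player" / "#SharedObjects"]
    if sys.platform == "darwin":
        return [home / "Library" / "Preferences" / "Macromedia" / "Flash Player" / "#SharedObjects"]
    return [home / ".macromedia" / "Flash_Player" / "#SharedObjects"]


def find_sol_files(root):
    """Map domain -> [(relative path, size in bytes)] for every .sol file under root."""
    root = Path(root)
    found = {}
    if not root.is_dir():
        return found
    for path in root.rglob("*.sol"):
        parts = path.relative_to(root).parts
        # parts[0] is the random per-profile directory; parts[1] is the domain.
        domain = parts[1] if len(parts) >= 3 else parts[0]
        found.setdefault(domain, []).append((str(path.relative_to(root)), path.stat().st_size))
    for entries in found.values():
        entries.sort()
    return found


def build_sample_tree(base):
    """Create a constructed sample #SharedObjects tree under base and return its path."""
    samples = {
        "ABCD1234/example.com/tracker/visitor.sol": b"\x00\xbf\x00\x00\x00\x10TCSO-sample",
        "ABCD1234/example.com/video/player.sol": b"\x00\xbf\x00\x00\x00\x20TCSO-sample",
        "ABCD1234/ads.example.net/id.sol": b"\x00\xbf\x00\x00\x00\x08TCSO-sample",
        "ABCD1234/example.com/notes.txt": b"not a shared object; must be ignored",
    }
    for rel, data in samples.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return Path(base)


def demo():
    """Build the sample tree in a temp dir, enumerate it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_sol_files(build_sample_tree(tmp))


if __name__ == "__main__":
    targets = [r for r in default_roots() if r.is_dir()]
    print("Real Flash storage found:" if targets else "No Flash storage on this machine; using sample tree.")
    results = find_sol_files(targets[0]) if targets else demo()
    for domain, entries in sorted(results.items()):
        print(f"{domain}: {len(entries)} file(s)")
        for rel, size in entries:
            print(f"    {rel} ({size} bytes)")
```

Deleting the files is then a matter of removing the domain directories you do not want, though the per-site settings stored elsewhere by the player can let a site recreate them on the next visit, which is why the primer’s point about checking the player’s own settings matters as much as the cleanup.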

steps for first responder evidence collection

Quite often someone’s first experience with evidence handling/collection and first-responder forensics is, well, during a live incident. It really helps to read (and later role-play, either on your own or by just pretending small-time incidents are major ones and going through the motions!) what someone *should* do in a real evidence collection situation.

Personally, I probably know enough to first evaluate whether the incident at hand will ever see the inside of a courtroom or will end in my HR or manager’s office. If a courtroom is possible, I’ll likely try to defer to an experienced professional, if possible. If not, document everything and get uncontaminated copies of everything before diving into the guts of your *copies.* Better yet, it might not hurt to video record the damned thing. It might be the most boring thing in the world, but someone may love you for it a year later.
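The “get uncontaminated copies of everything before diving into the guts of your copies” step, as an added example of my own (not from the post or any forensics toolkit): hash the original, copy it, confirm the copy hashes identically, mark it read-only, and append a custody record to a log; `verify()` re-hashes the copy later so any change to it is caught. The file contents, the collector name and the temp-directory layout in `demo()` are constructed for the demonstration.

```python
"""Acquire a file as evidence with hash verification and a chain-of-custody log.

Added example. demo() builds a constructed sample file in a temp directory, acquires it,
then tampers with the copy to show that verify() notices.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, dest_dir, collector, log_path):
    """Copy source into dest_dir, prove the copy matches, log it, and return the record."""
    source, dest_dir = Path(source), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    original_hash = sha256_file(source)      # hash first so later changes on the live system are detectable
    copy_path = dest_dir / source.name
    shutil.copy2(source, copy_path)          # copy2 preserves the original timestamps
    copy_hash = sha256_file(copy_path)
    if copy_hash != original_hash:
        copy_path.unlink()
        raise RuntimeError("copy does not match original; stop and re-acquire")
    os.chmod(copy_path, 0o444)               # read-only: work on further copies, not this one
    record = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "source": str(source),
        "copy": str(copy_path),
        "size": source.stat().st_size,
        "sha256": original_hash,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")  # one JSON object per line: easy to diff and sign later
    return record


def verify(record):
    """True only if the preserved copy still exists and still hashes to the logged value."""
    copy_path = Path(record["copy"])
    return copy_path.is_file() and sha256_file(copy_path) == record["sha256"]


def demo():
    """Acquire a constructed sample file, then tamper with the copy and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        evidence = tmp / "sample-app.log"               # constructed sample evidence
        evidence.write_bytes(b"constructed sample evidence line\n" * 100)
        log_path = tmp / "custody.jsonl"
        record = acquire(evidence, tmp / "copies", "analyst (hypothetical)", log_path)
        verified = verify(record)
        os.chmod(record["copy"], 0o644)                  # undo read-only purely to simulate tampering
        with open(record["copy"], "ab") as f:
            f.write(b"tampered\n")
        verified_after_tamper = verify(record)
        entries = log_path.read_text(encoding="utf-8").splitlines()
        return {
            "hash_matches_source": record["sha256"] == sha256_file(evidence),
            "verified": verified,
            "verified_after_tamper": verified_after_tamper,
            "log_entries": len(entries),
            "size": record["size"],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody log is append-only by convention here; on a real engagement you would also record who handled the media and when, and keep the log somewhere the suspect system cannot reach.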

you gave me the keys, and when I used them…

This article on Wired (via LiquidMatrix) discusses how an intelligence analyst is being charged with unauthorized access even though he was given valid credentials, had access to use those credentials, but was simply told not to. Someone fucked up, but it’s not necessarily this guy.

This could be fun. I mean, remind me to put up some signs advertising a garage sale at my place. Allow me to prop open a door and put out a table with cookies and lemonade on it. Oh, don’t worry about that sign in the corner that says if you get within 5 feet of my cookies I get to whack you mercilessly with a whiffle bat until you leave. You should have read the sign, silly fool. Oh, and I get to cackle with glee during the flogging.

Or the EULA. Or the TOS.

Or remind me to give you my gmail account and password with a note saying not to use them if you’re not me. Yeah, that sounds like a great idea!

daniel suarez (daemon) on pauldotcom 165

Daemon is an excellent book (despite a couple minor annoyances on my part, which are very minor!). So I wanted a quick pointer over to Daniel Suarez interviewed on PaulDotCom episode 165. An excellent listen for anyone who enjoyed the book.

I’ve heard talk about movie rights, and it’d be interesting to see what comes of that. I’ll skirt around one issue I have since it is a bit of a spoiler, but I would most hope that this doesn’t fall into the PG-13 range and keeps the hard edge to it. There should be a certain adult gravity to this that just is not possible while maintaining that teen-friendly color (besides, who over the age of 13 doesn’t eventually see the good R movies anyway?).