11.09.2006

What's in a name?

Well.... when it's a crappy one a whole lot.

I'll be honest (this is somewhat for you cDc guys if you still check in, you had some good points on the topic): I really hate this "nym/handle/nick". I mean, I'm an ego driven guy, but even I don't think "Mr Smooth" is deserved by me. I do alright with the ladyfolk (thanks for the nice comment, martie) but Mr. Smooth is not a reference to my prowess with the fairer sex.

It's actually a reference to a game of Halo. In particular, a particularly spectacular (and I can admit) lucky maneuver that occurred one night after a few too many rounds of Blood Gulch up on the projector. I'll spare the details, as the trials of war are too gruesome to mention, but suffice it to say it had something to do with me, an energy sword, my friend Tim in a Ghost, a long long jump, and some especially good timing on the part of yours truly. My maniacal (really, I'm good at it) laughter demanded a response from my unfortunate victim, whose first response was: "Well who do you think you are? Mr Smooth!?"

I didn't. But I wasn't going to let him know that. Sure enough the next day when Halo time rolled around (I managed to keep very relaxed in college, and also got very good with a Warthog) I had a black Halo character, with white accents, named Mr Smooth. It stuck, in Halo at least, just out of the sheer amusement of Tim's response. You had to be there.

Around that time I started this blog. Mr Smooth was the first thing that came to mind. I didn't really like it, but hey, it seemed to work a little. I was very conscious of my identity and wasn't sure I wanted my true name out in the world, so I went with the first nickname that came to mind. It sufficed I supposed.

Soon though I began reading many of the noted security columnists who I've mentioned, and sometimes refuted. They published as security professionals, using true names, not using handles as though they were still members of the blackhat community. I had a realization. As much as I enjoy the blackhat side of infosec, it has never been my home. I've taught myself offensive theory, but I never defaced my friends' Geocities pages when I was 12, I never reversed games to find serial numbers, and I never published a variant of some worm. I'm as much a blackhat as I am a juggler (and let me tell you, I can't juggle a lick).

I realized then that I should be publishing my thoughts and research in the manner that other people in the position I want to be in have published. People like Richard Bejtlich, Thomas Ptacek, and Bunnie Huang (I think that's right, I didn't check) write as themselves, not as semi-secretive alter egos. Maybe when I go to Defcon (that's my plan for this year) I'll use a name like that. From now on though, in my writings and online presence, I plan on being proud of them, right or wrong though they may be, and not hide behind some veil of secrecy that I neither need nor really have, and be recognized, as myself, for those opinions.

From now on I'll be publishing at a new Blogger address: vulnerableminds.blogspot.com. Expect the same fun, excitement, and crazy opinions with less obscure scifi referencing handles.

* Note: Since this will also be my move to the new Blogger Beta server I'll be losing most of the posts I've made so far. A few of my favorites I'll move to the new site, but most of it is prolly only going to be for a month or two left for this world. Enjoy.

11.07.2006

You down with JT? Yeah he knows me...

John Thompson, CEO of Symantec, has a new article up on InfoWorld where he states:
"The attacks that we see today are more targeted and more silent and their objective is to create true financial harm as opposed to visibility for the attackers." - John Thompson
Hey, that sounds a lot like:
"It is my belief that these types of attacks, created not for mass exploitation but to achieve one definite objective, will become increasingly prevalent, as security architectures and defense get better and more varied." - Me
Hey, I'm just as surprised as you are that he reads my fine blog (or at least my post on the computer threat evolution). Or maybe he's getting his information somewhere else. Never know. Either way it's an interesting read.

10.31.2006

Does retaliation to retaliation make it vengeance? - Or I <3 IDS

The answer to my question is actually no. This is Vengeance, one of al3x and Timoni's two new cats (along with Justice).

I do however truly <3 IDS. Dave's List - lots of monkeys staring at a screen....security? => TaoSecurity - Response to Daily Dave Thread => Matasano Chargen - Richard Bejtlich Sticks Up For IDS. I Retaliate.

There you go, you're caught up to speed now. Now before I start this whole thing I'd like to put out a Disclaimer: All these people are smarter than me. Significantly. I am the low man in this group, and I aspire to be as well regarded as all of them are. And yet I've always found the best way to get better is to challenge yourself with the level you wish to be at. (Except in the original Mario Bros. If you went straight to world 8 you'd just get ripped up. Those warp zones didn't help anyone.)

Round 1: Me vs. Dave

So let's start at the beginning: Dave's List by Dave Aitel:
My feeling is that IDS is 1980's technology and doesn't work anymore. This makes Sourcefire and Counterpane valuable because they let people fill the checkbox at the lowest possible cost, but if it's free for all IBM customers to throw an IDS in the mix then the price of that checkbox is going to get driven down as well.

A couple of things to note here. First, the money question. I have no idea how much these companies make/are worth/spend. Neither does Dave, I expect. It's a question that begets an answer, but I'm an infosec guy, not a financial guy, so I'm gonna let it slide.

Second of all Managed Security Services aren't solely reliant on IDS for detection. There are many different security devices that managed/monitored/active security providers such as Counterpane accept connections from (and indeed if you go check their various websites they will all brag endlessly about the range of devices they support, from IDS to HIDS to Firewalls to.... look if it's on your network someone will probably have a way to monitor it).

I do have to mostly disagree with Dave's third insinuated point: people only get security providers and/or IDS technology to comply with some piece of oversight. I have no doubt in some cases he's correct. I'm sure lots of companies only purchase such services/devices in order to meet a requirement. But to say that as a universal truth is like saying every company that buys fire extinguishers does so only to fill a requirement, and then shoves a crate of the things in a warehouse, never to be deployed or used when needed. I don't doubt that in the course of corporate America there has been a company that did just that, either. And yet I'm sure there are many who have deployed their fire extinguishers as recommended and they have been used to keep a small fire from becoming a large one. In the same way I know that there are many companies who have thoughtfully deployed Intrusion Detection Systems that have functioned exactly as expected, given them a greater visibility into their own security situation, internally and externally, and been used to thwart active threats.

Round 2: Me vs. Richard

And now to Mr. B:
That hasn't been true for a while, even if you're talking about Snort. Sure, there are tons of signatures, but they're certainly not just for content matching. If you're thinking about Bro, signatures aren't really even the main issue -- protocol anomaly detection is.
These "offense guys" as you refer to them Dave, aren't as uninformed as you seem to imply. Infosec is like any other two sided competition, and it's as important to understand what the other guy is gonna do as to know what you're going to do. IDS evasion, though not as effective as many people seem to believe, is still considered a necessary skill for pentesters. Give them their due.

I have to agree and expand on his second point. Signatures are still an important part of IDS detection. Just like AV, certain attacks have fingerprints, and with properly written signatures those fingerprints can turn into definite kills. That being said, there are plenty of poorly written signatures, or attacks where the commands themselves are somewhat ambiguous. I'm with Mr. Bejtlich: it's not simply enough to know that a strange string passed through an open pipe. Sometimes it's a normal string going somewhere it doesn't normally, or at a faster rate than it normally does, or any number of nuanced things.

The problem is that anomaly detection is in its infancy. I used to focus mainly on AI research, and as my interest in security grew I began considering combining both into joint projects, but was dissuaded by a number of grad students in the AI lab I was involved in, all of whom believed such techniques were not ready for something like network monitoring. Could they have been wrong? Sure. Do I still believe that AI isn't ready? I do. Could I be wrong? You bet.

The solution? All those "Monkeys", as Mr. Aitel so... tactfully put it. Does it require a whole lot of brilliance to do that job well? Yes, but with the right tools any fairly competent operator can successfully act as both a signature and anomaly based detection engine, making up for the limitations of automated correlation engines, and making IDS a useful tool. As advanced as network security devices can be, there is still no better correlation engine than a properly trained and equipped human mind. I'm the first one to agree that an IDS, with a baseline set of signatures, set up and never looked at is a glorified paperweight, but properly deployed, managed, and monitored it is a valuable tool that gives visibility that no other device can, short of having someone who can read and analyze Wireshark dumps in real time.
I'll conclude by saying that I agree with Dave about "monkeys" staring at screens.
This is where I got totally frosted with Richard's response. I have read one of your books. Correct me if I'm wrong, but it did seem fairly directed at those "Monkeys" and their type of work. So what am I supposed to take from this? You peddle knowledge that you don't believe to be effective as long as it sells copies? I certainly hope not. That your own time as a "Monkey" was wasted years of your life, where you added no protection, didn't alert anyone to anything relevant, and failed in your mission to protect the infrastructure of our nation's military? I certainly hope not. This is your area of expertise. Few can argue you on this topic, so stand up for it, and if you can't then I recommend you take your books off the shelves because you're giving people a false sense of hope.

Round 3: Me vs. Thomas

And as for Thomas Ptacek, I've gotta say he asked many questions and gave many responses that I would have given to Mr. Bejtlich's arguments, but I still want to comment on a few of Thomas' thoughts.
Richard says, “it saved my bacon all the time at Ball Aerospace”. Alright, Richard, now tell us a story. And if the story ends in “so I scrubbed the infection off the desktop and nobody ever had to think about it again”, please find another story.
Come on. I know I can't, and I'm reasonably sure Richard can't, comment on failed or successful attacks against any group (private, Fortune 500, or military) under my, or his, protection. No one gives away that type of information in detail. Richard has been around the block. I'm sure he's seen every attack under the sun, and if he says his bacon, ham, or any other pork product has been saved as a result of an IDS I'm going to give him his due and believe him.
This should be an easy one to knock down. But all you say is, “this sounds like the ‘Snort is worthless’ argument”. You’re a smart guy who thinks about this stuff all the time, Richard. Can you actually address the argument I really made? I know a whole bunch of my readers can (and probably will, with expletives).
YES!! And excellent point. I asked the same thing. I'm not sure I can address it very eloquently, at least not as eloquently as Mr. Bejtlich could, and should have, but I can say it simply: I use intrusion detection systems every day and they work. A firewall is a great tool, it does provide protection (call it access control if you want), but an IDS provides visibility. It allows you to see attacks before they become full attacks. Attacks can fail before they start because an IDS allowed the operator to see the lead-in vulnerability scan before the attack was even fully developed, and then initiate the right firewall rule to keep that attacker out. Is it foolproof? No. Will it keep out absolutely everyone? No. Will it keep out 95% of the "1337 Hackers" on the Internet? You bet.
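The signature-plus-anomaly split argued over above, and the "see the lead-in scan before the attack" point, as an added example that is not part of the original post or of any product mentioned in it: a toy Python detector run over constructed connection records, flagging a content fingerprint, a host talking to a destination outside its learned baseline, a normal request stream arriving faster than normal, and a port walk against one host. The log format, the baseline and the thresholds are all assumptions made for the example.

```python
"""Toy signature + anomaly detector over constructed connection records.

Added illustration only; the log format, baseline and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records (not real traffic): "<timestamp> <src> <dst> <dport> <payload>".
# 10.1.1.5 browses normally, visits a new host, then bursts; 10.1.1.9 sends a
# traversal string; 10.1.1.7 walks six ports on one host, the lead-in scan.
SAMPLE_LOG = """\
2006-10-31T02:00:00 10.1.1.5 192.168.1.10 80 GET /index.html
2006-10-31T02:00:05 10.1.1.5 192.168.1.10 80 GET /about.html
2006-10-31T02:00:09 10.1.1.5 192.168.1.10 80 GET /contact.html
2006-10-31T02:01:00 10.1.1.9 192.168.1.10 80 GET /../../etc/passwd
2006-10-31T02:02:00 10.1.1.5 192.168.1.20 22 SSH-2.0-client
2006-10-31T02:03:00 10.1.1.7 192.168.1.10 21 PROBE
2006-10-31T02:03:01 10.1.1.7 192.168.1.10 22 PROBE
2006-10-31T02:03:01 10.1.1.7 192.168.1.10 23 PROBE
2006-10-31T02:03:02 10.1.1.7 192.168.1.10 25 PROBE
2006-10-31T02:03:02 10.1.1.7 192.168.1.10 80 PROBE
2006-10-31T02:03:03 10.1.1.7 192.168.1.10 443 PROBE
2006-10-31T02:05:00 10.1.1.5 192.168.1.10 80 GET /search?q=1
2006-10-31T02:05:01 10.1.1.5 192.168.1.10 80 GET /search?q=2
2006-10-31T02:05:02 10.1.1.5 192.168.1.10 80 GET /search?q=3
2006-10-31T02:05:03 10.1.1.5 192.168.1.10 80 GET /search?q=4
2006-10-31T02:05:04 10.1.1.5 192.168.1.10 80 GET /search?q=5
"""

# Assumed learned baseline: which (dst, port) pairs each source normally talks to.
# Sources absent from the baseline are not judged by the destination rule.
BASELINE = {
    "10.1.1.5": {("192.168.1.10", 80)},
    "10.1.1.9": {("192.168.1.10", 80)},
}
SIGNATURES = {"traversal": "../"}  # content fingerprint: the "signature" half
RATE_LIMIT = 4   # more events than this per source per 60 s window is a rate anomaly
SCAN_PORTS = 5   # this many distinct ports on one host per window is a scan


@dataclass
class Record:
    ts: datetime
    src: str
    dst: str
    dport: int
    payload: str


def parse_log(text):
    """Parse the space-separated record format into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split(" ", 4)
        records.append(Record(datetime.fromisoformat(ts), src, dst, int(dport), payload))
    return records


def detect(records, baseline=BASELINE):
    """Return (rule, source, detail) alerts from both signature and anomaly rules."""
    alerts = []
    per_window = defaultdict(list)  # (src, minute) -> records in that window
    for r in records:
        # Signature rule: a known fingerprint anywhere in the payload.
        for name, pattern in SIGNATURES.items():
            if pattern in r.payload:
                alerts.append(("signature", r.src, f"{name} in {r.payload!r}"))
        # Anomaly rule 1: a normal-looking string going somewhere it does not normally go.
        if r.src in baseline and (r.dst, r.dport) not in baseline[r.src]:
            alerts.append(("new-destination", r.src, f"{r.dst}:{r.dport}"))
        per_window[(r.src, r.ts.replace(second=0, microsecond=0))].append(r)
    for (src, minute), group in per_window.items():
        # Anomaly rule 2: normal traffic at a faster rate than usual.
        if len(group) > RATE_LIMIT:
            alerts.append(("rate", src, f"{len(group)} events in window {minute:%H:%M}"))
        # Anomaly rule 3: many distinct ports on one host, the lead-in scan.
        ports_by_dst = defaultdict(set)
        for r in group:
            ports_by_dst[r.dst].add(r.dport)
        for dst, ports in ports_by_dst.items():
            if len(ports) >= SCAN_PORTS:
                alerts.append(("scan", src, f"{len(ports)} ports on {dst}"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:16} {src:10} {detail}")
```

The scanner trips the rate rule as well as the scan rule, which is the kind of overlap an operator is expected to correlate by hand.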

Conclusion

I don't believe any security technology is foolproof. HIDS, NIDS, IPS, firewalls, anti-virus: all of them can fail and routinely do. A dedicated, properly skilled attacker can circumvent all of them. I have always believed (and this has no basis except my gut instinct) that 75% of attackers can be stopped with a decent firewall and a little bit of attention to what you have exposed. The next 22% of attackers are more competent than that, but even they can be stopped with a dedication to security, a properly protected environment, and a responsive team of people ready to deal with what happens. The top 3%? They can't be stopped. They will find a way if you have what they want. So what can you do? You can slow them down, you can dissuade them, you can convince them to go find easier pastures, lower hanging fruit, and get them to pick someone else who's going to be less effort. Does that mean we give up completely since we can't stop everyone all the time? Not at all. An IDS can't detect every single attack on a network. Does that mean it's useless? I don't believe so, and I've seen that demonstrated day in and day out. Is it worth improvement? Certainly. Will I rely on one solely? Not a chance. Would I set up a network without an IDS? No way.

So my final responses:
Dave: Until Canvas is undetectable to an IDS you don't have the right to consider them useless. And until Canvas can be used against any team of "monkeys" successfully then you've still got work to do.
Richard: Stand up for your own work. Give yourself some credit. Don't bow to these attack guys. They're good and creative, but they don't hold all the cards. Sometimes they hold aces, but sometimes they're bluffing.
Thomas: Well... I don't know. I mean, you never really proved or disproved anything. You had some good points, but you didn't make me doubt anything.

Cute cats weren't they?

10.27.2006

God's Justice Rides Again....

...on the Metro. Seriously this took guts. Or a divine decree from on high.

Just another night out in Washington DC.

10.25.2006

Malicious Code: The Next Generation

Ok, my intro was kind of misleading, I don't really think this is the next generation. It's really more kind of like Deep Space 9. Not even that really. More like the weird points kind of after Deep Space 9, I don't know, it was in one of those bad Star Trek movies I haven't seen. And all of this chronology really depends on if I'm counting Enterprise, which I liked but didn't last long.... anyway I digress.

My point: The nature of security threats is changing, and quickly. You knew that of course. We are close however to entering a new era as I see it. Evolution is about to take a big step forward. It won't be sudden, it's slow and gradual, but it's beginning, and this article from Internet Storm Center is a perfect example of what it will be like.

Let's look at where we've been:
  • In the beginning it was nothing but privilege escalation. Huge numbers of users existed on mainframes, running on terminals, connected to nothing, but with many users worth of information in one place. So began the quest for /, the desire to be root, super user, to see everything from any user. PrivEscl ruled all. A mainframe might be an island unto itself, but if you were able to get root you were the ruler of that island. In time though administrators figured out better and better ways to protect themselves and other users, never fixing every problem, but mitigating many of them.
  • Soon this paradigm changed as mainframes were connected, quickly forming networks. These networked computers, servers, soon started offering services to smaller computers, clients. Bulletin Board Services were early on, quickly followed by the birth of HTTP, and so the world wide web began. Hacking (cracking... whatever) quickly followed, changing along with it. These were the days of server attacks. Remember web defacement? Oh, it was a while ago, but think back, you know you remember finding a friend's Geocities site with "OMG U G0t 0wnz3rd by 1337 ub3r m3g4 haX0r$ from somewhere east of Pittsburgh but not quite all the way to Philadelphia but...". If it was exposed to the network (and it all was) someone was attacking it. *A small caveat is that while these types of attacks have largely fallen off as things like SQL Server, IIS, and Apache have been improved quite a bit, we're now seeing a rise in attacks against the applications these servers run, attacks like XSS, SQL Injection, and HTML Injection.
  • This was also the start of the Denial of Service attack. With servers exposed it was quickly realized they could be jammed up, given too much input and suddenly unavailable. The early to mid 90s were largely before anyone had deployed things like load balancers and high availability clusters. Enough of the right packets could take down nearly anyone on the Internet. The Half Connect (Syn Flood) DoS was a favorite, although on a personal note I'll always love the Smurf and the Fraggle.
  • DoS attacks quickly became harder and harder for a single host to do successfully as networks became more robust. Spamming was on the rise, but single hosts were far too easy to blacklist. Server exploits were becoming harder to find, and the focus shifted to finding exploits in client software (remember NetBIOS?). The only problem with clients is that they're far less stationary, and there would be many of them, as opposed to considerably fewer servers. A new attack had to be devised, allowing for many many hosts to be compromised together, even automatically. The network worm was born. Exploits connected to payloads that not only controlled a compromised host, but also attempted to exploit others, usually without direction. This period of time gave us some of the greats like CodeRed and Blaster, giving sysadmins much more to worry about as it wasn't just servers that could cause issues anymore. This was a time that continued and is still going on, though it's obvious when looking at the impact of the current generation of network worms, such as Randex.GEL, that their effectiveness is largely mitigated.
  • As the days of the worm begin to draw to a close a new attack has begun to emerge. Servers are largely running vetted software that, while not impervious to attack, requires increasing effort to find new bugs and holes that could be exploited (with the possible exception of anything written in PHP). Clients are locked down, ports are firewalled, OS updates are pushed quickly and effectively, and AV software is installed and updated every 26 minutes. Mostly true. The server attacks are tough, worms are still possible but quickly mitigated. A new breed needed to arise. In that vein, 2006 will largely be remembered as the year of Microsoft Office exploits. Monthly (at least through October) a new 0-day was released for some member of the Office Suite. These files easily slid through firewalls, anti-virus, intrusion detection systems, never noticed until they took advantage of flaws found in these applications. This has largely been an untapped area of exploit development, and every different file format, every different application that reads them, has a chance for unchecked input to commandeer a system. The many many browser attacks that were seen in 2006, ranging from Internet Explorer to Firefox, also fit this category nicely.
  • An interesting point to be made about these client side attacks is that they seem to be the start of a new era of attacks. Many of these new exploits for Office, as well as a couple for other applications, were first found when used in very specifically targeted attacks, custom exploits created for one attack against one target. This is a sharp departure from most exploit development, where the focus always seems to be creating attacks that can compromise any system of that type connected to the Internet. It is my belief that these types of attacks, created not for mass exploitation but to achieve one definite objective, will become increasingly prevalent, as security architectures and defense get better and more varied. The difference between getting locked out or compromising an organization may be the correct attack against a single misconfigured device, or getting one employee to open one attachment with the correct network specific payload. I expect this realm will encompass all of the others into specific situations. A privilege escalation attack customized to one network server, a DoS attack meant only to blind an organization's security monitoring capability, customized server exploits meant to take advantage of small, one-off misconfigurations, and customized worms that would only work in the specific target environment.
So there's my take on the past 40 years of computer security. Certainly a lot to take in and many twists and turns. But where is it going next? I have my theories, but honestly I'm curious about yours (Yes, you cDc guys too). Hardware level attacks, exploiting flaws in NICs and processors? Attacking virtualization, such as Blue Pill? Mobile devices? Embedded appliances in an "OMG someone owned my toaster!" kind of way? My own thoughts, probably shaped by yours, should be a good post to come.

10.09.2006

Does this sound Scripted?: My Love/Hate Relationship

Let me just be up front so my bias is evident:
  • I hate Perl. Hate it. Like I hate liver and onions.
  • Ruby is nice, but a bit too esoteric for me. I want to learn it, I just never get through it.
  • Python I'm getting to know, and it's not so bad so far.
Every relationship I've ever been in goes through a few phases. According to this Wikipedia article on relationships the phases are: Contact, Involvement, Intimacy, and Deterioration. This may be odd to say, but I have a relationship with many scripting languages, but most notably the three above. Many people I know have been curious about possibly, or are already in the process of, starting relationships with these languages, as a good friend I just want to give my two cents, how these given relationships were or are going for me.

Perl:
  • Contact: As I began delving into Linux starting my senior year of high school Perl was part of my introduction, as well as the first scripting language I got interested in. In the beginning I thought of it as the sustaining language, great for automating and creating apps rapidly.
  • Involvement: Most of my involvement phase, getting to know the language, was through the very very good Learning Perl book from O'Reilly, which really sets the standard to me of how a programming guide should be. We slowly and thoughtfully got to know each other, with many sample programs throughout the way, but nicely separated, to allow us to really see how well we knew each other.
  • Intimacy: Perl and I were actually fairly intimate for a long time, but I was never really happy in the relationship. Perl was easy to get to know, and I knew it well, so it was quick to be my choice for small projects where another language was specified. Perl helped me develop a number of small but functional applications, and was the language of the Metasploit Project, a security project I contributed to on a couple occasions.
  • Deterioration: It was actually down hill the whole way with Perl. After getting through involvement I never really enjoyed Intimacy with Perl. It was ugly, it was difficult to work with, and it was often very confusing to look at, even Perl I'd created myself. Perl also felt very behind the times, and even newer versions seemed to add few things to keep Perl looking modern and attractive.
  • Conclusion: Perl may be attractive to some, but this really seems to be a first impression thing. Perl remains slow, behind the times, and frankly, the more you get to know it, ugly. Perhaps this is simply its unique beauty, since I know many people who love Perl for its "flexible syntax" and many many ways to accomplish the exact same result, though in my mind it just makes Perl difficult and confusing. Oh, and every other language on earth can do regexes, really, not that unique.
Ruby:
  • Contact: My initial contact with Ruby, like my contact with many cutting edge web technologies, came from the ever edge cutting al3x. This crazy lil language from Japan, I was told, was totally Object Oriented (and I do <3>
  • Involvement: Here is where Ruby got tricky for me. Ruby and I had a hard time getting to know each other. My guide was Why's Poignant Guide to Ruby, an amusing tome (and tome really is an appropriate word in this case) that completely failed to allow me to really get to know Ruby well enough for Intimacy to bloom. So much time was spent just learning each other's ins and outs, obscure datatypes, little tricks, as taught by cartoon foxes (really, I kid you not), that reaching a time of Intimacy, actually coding some Ruby, never arrived, and more than once I gave up before getting to that point.
  • Intimacy: Never reached, and while it seems like many others have enjoyed it I never got the chance. I blame the lack of practical examples during the Involvement phase.
  • Deterioration: D.O.A. really.
  • Conclusion: Ruby is a great language, there's no doubt about it, and for many it has led to the creation of a lot of awesome applications. We just never had it though. It seems like a great thing for a lot of people, just look at those crazy fellows (and ladies I'm sure) at 37 Signals and all their rockin' stuff. I'd recommend it, but we just didn't have the knack.
Python:
  • Contact: Python was always "the other scripting language" to me. I knew very little about it actually, and I'm just now really starting to become familiar. It's been the language of choice of many, but never one I got into especially. Lately though, with my lacking affection for Perl and inability to get to know Ruby, Python has become increasingly attractive.
  • Involvement: Well our involvement is just getting started, but so far it's been going well. Python and I have been getting to know each other over Dive Into Python, which seems to be a very nice guide to this fairly simple to understand language. It's got the OOPiness of Ruby, and being a whitespace aware language it's fairly good about keeping a consistent and easy to read style. I'm really enjoying it so far.
  • Intimacy: Haven't quite gotten there yet, but I have a feeling we'll be there soon, and I think it'll be pretty amazing. Not to get too kinky, but al3x might be involved too. I'll be sure to post updates and maybe even pictures (wow, let it be said I have taken personification to a disturbing end).
  • Deterioration: Well I'm not gonna say we'll be together forever, but the end is not yet in sight, but I'll be sure to post updates.
  • Conclusion: It's yet to be seen, but I have high hopes. I'll still hold off my judgment until we make it out of the Honeymoon Phase.
But hey, as far as relationship options, these aren't too bad. I could be stuck with some fat, bloated, slow possibility like C# or Java.

10.06.2006

What happens on the Internet stays on the Internet

It's constantly beyond me how people seem to think that once something goes out into the ether of the Internet it's gone for good. This is never the case. I could editorialize at length about it, and may say a few more words about it, but just so we know what we're talking about, let me provide a few examples.

InfoSec:
Code auditing with Google
Static Code Analysis Using Google Code Search

Dating (or something vaguely resembling it):
Your chances of getting laid through Craigslist: A Bloggasm case study

Politics:
Foley Resigns From Congress Over E-Mails

The long and short of it is simple: If you put it on the Internet it will be there, probably for much longer than you ever intend. And if it's on the Internet, especially if you don't want it to be found, someone will probably find it. So if you're not ready for the world to read it keep it on your own computer, though even that might not be enough, keep it in your head.

Hold On: A feel good story

First of all I don't think there's enough positive news, and I'm as guilty as anyone, so I'm putting this one out there.

Secondly, I enjoy fashioning myself as something of an amateur sociologist and enjoy looking at people and how they interact (which is a vague definition of sociology I know, but it's late/early, I'm allowed to be redundant).

Thirdly (or maybe just third since I'm not sure "thirdly" is a word) I am on the verge of a relationship myself and I've got to say the aspect from this article is one I have enjoyed a bit so far and look forward to continuing to enjoy.

This article from the venerable New York Times brings to light the physiological and, more interestingly in my mind, sociological implications of handholding. I've got my thoughts, but I've exposed enough of my personal feelings for today, so I'll simply say read it. You'll learn stuff, it'll be good for you (like the handholding is apparently), and the world will be a bit sunnier. Really... It will be.

10.05.2006

Cultured Read(ing/er)

Want to know the stuff that I read in a day? No? Didn't think so.

But if you do then just link to here (or here for an RSS feed) and see what articles I've been reading from my long list of daily RSS reading. All of this brought to you by Google Reader.

I've been using Google Reader for some time now, mostly due to my inability to install any applications at work. Up until about a week ago Google Reader was functional, but dumb. It surrendered quite a lot in the way of features to practically any system based RSS client and was just barely enough to get the job done.

With the improved Google Reader deployed on Sept 28th that gap was largely filled. The interface is much cleaner, much more like a desktop based reader. Organization of feeds improved dramatically. In addition, features like "Shared Items" (linked to above) and the ability to create feeds to add to a website (like those you'll now see on the right side of this page) give it abilities that even the most featured feed reader can't match.

Is it for everyone? No, I doubt it. I can't speak for the PC, but on OSX NewsFire is still a great application that has almost every bell and whistle a news hound could want, and I'm sure there are similar clients for Windows and Linux. But is Google Reader worth looking at (or looking at for a second time)? Absolutely.

For more info take a look at Google Reader's own blog post about the upgrades.

9.24.2006

The Analysts Life: You do what all day?!

And so it begins...

Alright, this isn't actually the beginning, this is my second post on this topic, but here comes the good stuff, the meat, the reason you come to my odd little place on the internet.

So I've said before I was going to explain what it is I actually do all day at work. Well, that was only somewhat the case and the point needs to be cleared up. As an astute reader might assume, or a clever person simply take from my last post, it isn't a day job. There are times it's 9am to 5pm to be sure (and let me tell you, they're simply wonderful) but there are many other times it's 11pm to 7am, or 3pm to 11pm, or even (if you're really lucky) 7pm to 7am on a Saturday night. This seems like it would be difficult, and often it is. There are days I get to run errands at 10am while "real people" are all busy at work. There are days I get to sleep until 3pm just for the fun of it.

These are topics for later in the week however, as today we're simply talking about the job itself. To review, I have previously stated that I am a Security Analyst for Managed Security Services. Understanding the second part is really essential to understanding the first part. A number of different groups do what we do, so I'm going to give you a few different definitions.*

One goes something like:
Managed Security Services provides the real-time monitoring, correlation and analysis of your security infrastructure and critical, high-risk applications for rapid response to known and unknown security threats.
Another goes:
...Managed Security Services are designed to allow enterprise IT organizations to cost-effectively outsource their security management, monitoring, and response needs. Our comprehensive service offerings leverage the knowledge of Internet security experts to protect the value of your organization's networked assets and infrastructure.
And yet another:
...24/7/365 protection and expert management, monitoring and escalation for enterprise networks spanning firewall, intrusion prevention, antivirus, antispam, content security and VPN capabilities.

A lot of amusingly long winded ways of saying what's fairly simple: Managed Security Services is basically letting security specialists do a job that it takes a security specialist to do, and allowing that company to do what they do well. For instance say you're running a company that makes something, we'll say widgets. You've worked hard to be good at widgets. One day, congratulations, you're the biggest widget maker on earth. As the biggest widget maker though life is suddenly much more complicated than just making widgets. You've gotta run computers, for your staff, to run a website, to run your widget factory (I hear they're very complicated), to have your online store, to talk with the people who sell you widget materials, all kinds of stuff. At that point, to put it simply, you don't want someone, a rival widget maker, someone who's anti widget, or someone who just doesn't like the country you make your widgets in/for, to do anything to disrupt your widget making, and your computers are now important to your widget making. So what do you do?

Well if you wanted you could hire someone who doesn't know the first thing about widgets, but does know how to keep computers from getting attacked, which will keep your widget factory running smoothly. However one person usually isn't enough, it usually takes lots of people, and a lot of people get expensive. So what's another solution? An economist will tell you that specialization is the key to productivity (I'm paraphrasing, but I promise that's the general idea, or so both my college economics classes would suggest (then again, I think my best grade in either one was a B- so maybe I shouldn't be trusted in this regard, but humor me)). So if specialization is the key then you need to find a group who specializes in protecting all of your computers. That's where Managed Security Services comes in.

Managed Security Services (MSS), in its many forms across the many different companies who do it, seeks to be those specialists. They are all set up to allow widget makers to make widgets, without having to divert nearly as much of their attention towards security. Most MSS providers divide this into a couple of parts, notably management and analysis. Management has to do with the sensors used for doing protection and detection. They change settings, do installs, update things, and basically keep the security computers (firewalls, intrusion detection systems, etc) that protect other computers in working order. But this is only the first half of the battle. Many of these security computers generate alerts, messages explaining things that could be bad, that could represent someone trying to break into your widget company and keep you from making widgets.

The comprehension and proper handling of these alerts is where MSS really shines, and is the current forte of yours truly. I look at these messages, these little security love notes if you will (and if you won't it's my blog so tough), and determine their legitimacy, their severity, who needs to be informed, what they need to be informed of, and often make "expert" recommendations as to how to remediate things in the event of something that could be a risk to continued widget production. It is my job to be up to date on current security threats, understand what typical network traffic looks like, and be able to identify possible risks to a customer. This means that acting as an analyst for MSS isn't only about understanding security and network traffic, but also conducting research, communicating with customers, and, due to its 24/7 nature and the sheer volume of work necessary at times, working well in teams.

Now that you understand a bit more about what it is we do I'd like to explain what the rest of this series of posts will be about. It isn't about network security, monitoring, or anything like that. You already have gotten as much information about those things as I care to give. The rest of this series will be about the resulting effects on lifestyle that being an analyst imposes, highlighting and giving suggestions to maximize the good ones, and in many cases giving ways to counter some of the negative aspects.

These topics will be:
  • How the 24/7 schedule affects sleep.
  • What effects working in an operations environment has on diet.
  • How fitness is easily neglected, incredibly necessary, and accomplished.
  • The ways that working on random Friday nights, Sunday afternoons, and any other time directs your social life.

So if you're a friend of mine wondering why it is that I'm sometimes available for lunch any given day during the week but can't go out that night, stay tuned. If you're considering a job as a security analyst for an MSS provider (for the record a job I very very highly recommend) and want some idea of what to expect then look for more in the next week. And if you're someone who wants some suggestions relevant to anyone in a computer or operations job, looking for some tips and tricks to maximizing your time, energy, and health, then good times are ahead.

And if you're from the cDc, well, nice to have you reading anyway.

* Names have been changed, or simply outright avoided, to protect the innocent, and even more so, me.

9.23.2006

...and next up: The Iron Man

Lance Armstrong just doesn't seem to stop. According to Breitbart.com (Via Digg) Lance Armstrong is preparing to run in the New York City Marathon. Think what you want about him, and not knowing the guy I won't throw my opinion out there, but no one can deny he is one of the most gifted athletes on earth (drugs blah blah, you take whatever hormones you like and win the Tour de France 7 times then come talk to me).

I mean the guy is a machine. There's just no other way to say it. Just imagine where this could be headed. If he can swim half as well as he cycles he's bound for a triathlon. How would you like to line up for an Iron Man competition and look to your left and see Lance Armstrong gearing up? Your only hope would be in the water, because it's a fair bet he's not gonna be a slouch (even in that crowd) running, and you've gotta know you're gonna get eaten alive on the bike.

O, and check out this awesome ESPN ad, it also proves he's got a sense of humor.

And now after all this inspiration let's see if I can't manage to actually get out and go running this week.

9.20.2006

Arrgh... an Analyst's Life for me!!

Note: The title of this post was made in honor of yesterday's National "Talk Like a Pirate" Day, which I completely failed to indulge in and almost forgot about until my 5 year old cousin, who has extended the holiday spirit into today, reminded me. Consider the title of this post my participation in this glorious holiday.

As a recent college grad anytime I meet with someone I haven't spoken with in awhile, and anyone I meet in the DC area, I'm always asked about where I'm working, what I do, etc. For friends and family this is genuine interest. From the people I meet in DC it's simply the default question everyone asks, much in the same way I assume "What's your sign?" was in the 70's. I of course answer as simply as possible with my job title. "I'm a Security Analyst for a Managed Security Services provider" I tell them. This usually only leads to more questions as barely anyone knows what Managed Security Services (MSS) is, and Security Analyst in the DC Metro is so ambiguous that I may as well say "I work with stuff". I then have to go through a difficult and awkward time of trying to explain what I do, usually attempting to use as few geek phrases as possible. It ranges from an analogy about being an Internet "Rent-A-Cop" to saying "I catch hackers" to saying "I am a hacker" (the last not totally being a lie but it's not really what I do at work).

What I do tends to be less of interest to people in the end than how it affects me outside of work. My group works 24/7/365 (That's 24 days a month, 7 months a year... wait, you know what I mean), and as such it has an effect on us that reaches far outside of work. I've been thinking about this a lot lately, its effects both long term and short term, and decided to take a few blog posts to examine this life I currently lead, how it affects me away from work and what it is I do. Hopefully this will help me convey to friends, family, and perhaps to understand it a bit better myself, what it is I do, and what it does to this life I now lead.

So stay tuned and be prepared, it's gonna get wacky from here.

9.08.2006

Now this is Information Security

Because sometimes information security doesn't just mean keeping your data secure on your laptop. It means beating the living tar out of the guy who's trying to steal it using your laptop.

9.07.2006

Reason #87 why my coffee shop rocks

Ok so maybe I'm a bit odd but this really made me laugh. Due to credit card policies and fees Murky Coffee has a $5 limit on using plastic. As I'm rarely with cash I'm usually forced to buy two of my usual Iced Caramel Lattes. Upon leaving in a rush today I was given this amusing coupon to make up for my purchased but not yet created drink. I chuckled. My friends smiled and laughed. Hopefully you'll do the same.

There. That's my glass half full post of the week.

9.06.2006

P@ri$ H1Lt0n

So I know I haven't blogged much lately. I know I said I'd be better. I've had a bunch of ideas, both on personal and public matters, but nothing had yet opened the floodgate to begin this outpouring of web journalistic aggression. Finally, that issue, that straw that would break the camel's back, is upon us.

THE CDC IS MAKING PARIS HILTON AN HONORARY MEMBER!!!

I mean, wtf doesn't even begin to explain it. Don't get me wrong, I never had respect for the cDc. I've met a couple of their members, heard a bunch of them speak, partied with them, and even subscribed to their RSS feeds for sheer curiosity. I've never respected them though. Even as a lame lil script kiddie I could tell they were like that kid in high school who always had a "really hot girlfriend, but she goes to another school", the kid who has to tell you how cool he is, not realizing it only provides more proof that he's not. Now as a security professional I read their rolls as a group of has-beens and never-weres, a social club for the great hackers of the late 80s and early 90s who just can't walk away from the scene yet and their hangers on.

But now they've added Paris Hilton for her "hacking exploits" trying to mess with another celeb princess via caller ID spoofing. This isn't even borderline phreaking, it's just sad. Now my lack of respect has turned into the opposite of respect. Even disrespect doesn't count. Disdain, disgust, dis.... whatever you want.

Seriously, cDc, if you want to be taken seriously in a community that has more than enough wannabes then do something worthy of respect. Smashing together two open source projects that you didn't even create (Tor + Gaim != innovative) and saying you're saving the world doesn't impress anyone. Adding tech knowhowless debutantes to your membership makes you look like fools. And by the way, when you have to link to your own Wikipedia article in your communications, that should be proof enough to you that you're out of date, unknown, and irrelevant.

Addendum:
Yes, for those of you who think my previous rant was a bit over the top I do wish to clear one thing up. I realize this move by the cDc was a joke. Tongue in cheek. An inside joke released to the public at Paris Hilton's expense (I hear she can afford it). But seriously, come on, it's like your grandfather making a joke about going out to a club with you. It's sorta funny, but pathetic when part of you wonders if they aren't just the slightest bit serious, if they aren't that desperate to be just a little bit cool for the first time in awhile. As usual my good friend al3x put it best:
Yes, I know they're trying to be funny, but this shit is sad. But be warned: they might hax0r your gibson!

8.18.2006

tests

test


Testing

Test 1 2 3

Another Update... really

I do however regret that it's been just over a month since I last updated, so here goes nothing. The blog hasn't been forgotten, just a bit slow. So here's a quick update.

Job: Same as before. The work is very interesting. We've dealt with the new worm for MS06-040, Wargbot (I'd link to it but just do a search) and the Iranians, as well as the usual suspects. Floating schedule is still kinda rough, but it's too much fun and too unique not to enjoy.

Professional Development: Joining some local groups to get involved. ISSA-Nova and NovaSEC (which is still getting started) are my two main networking haunts. Also trying to make myself a bit more marketable I'm giving my CISSP a try. Not exactly a walk in the park.

Personal Development: Working out has been much more enjoyable since a climbing gym membership was set up to supplement my Gold's Gym membership, along with my crew of climbing rats (which I'll hopefully be able to expand with al3x's imminent addition (he just doesn't know it yet)). On a mental level I've recently begun exploring the GTD (Getting Things Done) methodology of personal organization. Next on the list is the spiritual level, as I begin the search for a decent church around here.

And the million dollar question that many people seem to be asking me: Do I have a girlfriend? Well I'm workin' on it. More details after this weekend.

More posts to come, I hope. I've got some projects in mind, some ideas to float, some things I'm thinkin' of. So don't take this out of that blog reader quite yet.

7.14.2006

Well... at least someone has some H.O.P.E.

Well now that everything has settled the midsummer lull is upon me. I'm in a comfortable routine of work, spending time with friends, hanging out at some regular haunts, and sleeping... all too little. It's nice, but in my usual way it's just when I get settled that I start feeling bored. To that end this weekend I'll be leaving my beloved new home to return to the home of some of my fondest memories: Penn State and State College, Pennsylvania. My brother and I will venture forth, go our separate ways, and enjoy a midsummer's jaunt into college life again. I'll be hanging out with the usual suspects, though if you're in the area and know how to find me please feel free.

The bigger question mark is next weekend (that would be the 21st to 23rd of July). Many of my closest associates, namely our favorite 70's throwback guy, are planning to attend H.O.P.E. 2006. I'm not gonna beat around the bush, I'm skeptical. I went to HOPE 2k4 and can only say it was a fun time in NYC with the always amiable al3x, (thought I was gonna keep going didn't you?) but it was a sad showing for a hacking conference. The only session that was truly enjoyable was hearing Woz, the technical brains behind Steve Jobs at the start of Apple Computer. Woz to this day fashions himself a hacker and was both entertaining and informative. The other keynotes were less than stellar. Kevin Mitnick, though every script kiddie's dream, is a poor excuse for a hacker, and seemed to make more of his jail time than anything technical. Others fawned, 3 and I yawned, and managed to make our way out into the city, the way we spent most of that weekend.

This was a good time to be sure, but I'm not really sure if I'm so inclined to do it again. No more than two or 3 of the talks are even vaguely amusing and aside from my own cadre (of which only one is confirmed) I don't know of anyone else headed to HOPE. I've a dilemma. Let's see how much money I have left after this weekend.

7.11.2006

The network is the computer.
- Scott McNealy

A lot of quotes in history have only been correct in context. This gem is definitely one of them, but not nearly in the way that this Tech Titan, and supposed raging jerk, must have intended it. We've moved far beyond the idea of thin clients as Sun once hoped and Java is not the thing that's brought developers dreams to reality. I could spend the few hours of work I have left giving my own take on how this happened and how it's turned out, and I actually planned on that, but perhaps it's late, or perhaps I've just realized that I'm probably not fully qualified to be dissecting the idea of AJAX, RSS, Social Networking, and all of that. So instead this is just going to be a list of the modern, "Web 2.0"-ish applications that have changed the way I use the Internet and every computer I use.

The Applications:

  • Gmail: One of the first big AJAX based web applications, Gmail has set a new standard, both in usability and for web mail applications. Hotmail and Yahoo may have come first, by years, but no one was prepared when Gmail came out. For the first time a web application acted almost like a true desktop application, running only out of a web browser. Adding to this unprecedented level of interactivity was an amount of storage that no one had ever seen, taking webmail from 4megs (if you were lucky) to 2743mbs of space and search rather than folders. Since then Google has added features allowing email consolidation (my account focuses 7 other email accounts into one place), a featureful address book, and even integration with Google Talk, Jabber based instant messaging. It was this application that, even as a power user, allowed me to move mail off my desktop, making mail, and chat, accessible no matter where I am. A great mobile interface even makes it possible to use this great email setup on the go, via my Q.
  • Keeping with the Google theme (I'll be keeping it for awhile) is one of Google's newest offerings: GCal. Now as an Apple fan and a generally unorganized person I quickly became a fan of iCal. There was very little not to like about iCal. It handled multiple calendars well, subscription based calendars, sending and receiving invitations, and always looked good doing it. It integrated with Apple Mail, Address Book, and the Internet. What could be better? How about the same thing, running on any machine on earth, and shared with more people than just a segment of the OSX using population. Just as iCal integrates well, GCal integrates with Google's other offerings, like the Google Personalized homepage, but most notably Gmail, giving it nearly all the same features as iCal. Throw in some shared calendars and you've got it all.
  • The last (major(I think)) Google application I use on a daily basis is the ever wonderful Google Reader. I've gotta be honest, it's missing features, not always as attractive as I would like, and isn't quite the unified feel I want from an RSS feed reader. It does have one thing that more than makes up for what it lacks (and I'll give you a hint, it's something all these applications have): it's everywhere and consistent everywhere. Here's the picture I need to paint: I read RSS feeds at home, at work, and on the road, it's simply the most efficient way to take in information from websites, bar none. What frustrated me was constantly rereading stories between my RSS reader at work and my RSS reader at home. Maybe I'm a nerd (if this post didn't already convince you of that) but the stuff I do at work is a large part of what I'm interested in on a personal level. Google Reader allows me to keep one reading list no matter where I am. I can save stories to read at home (just by marking them as unread), or keep long term favorites (with stars), and never get out of sync. This one is also wonderfully mobile compatible.
  • For really extreme personal organization I don't think there's currently anything better out there than Backpack by the brilliant folks at 37 Signals. Online organization probably can't get much better than Backpack, allowing users to combine text, pictures, links, todo items, and nearly any other form of web accessible data into legible, combined, organized pages. I have got to say nothing made my move down here easier than my Backpack page. It combined pictures of the buildings I was looking at, lists of todos, tables of directions, prices, names, addresses, you name it. Since then however I've found I hardly use it. I try to be organized, but I rarely need to be that organized, and my pages are more and more often turning into little more than todo lists. Backpack does those very well, but so do a lot of other programs. I'm thinking I might end my Backpack subscription and move to something lighter weight, and free, such as 37 Signals' other product TaDa List or Orchestrate for my task keeping needs in the future.
  • Writely gives me hope for the Internet. Ok, not really. But it gives me hope that I can have a personal productivity environment that isn't Microsoft Office. It's not that I don't like Office, I loathe it, despise it, I would search a thesaurus for more words describing how I dislike it. It's slow, it's kludgy, it's got features that would even make God go "How do I use this and what does it do again?". It's gotten so big and complicated that it nearly gets in the way of itself, making things like basic document creation more of an ordeal than they need to be. Doubt me? I have one word for you: Clippy. 'Nuff said. I want Notepad+ not an annoying friend who always thinks he knows how to do everything I want even when he has no idea (I have one of those already). OpenOffice is a possibility, but like many open source projects OO is trying so hard to be MSOffice that it's picking up all the problems of Office, notably being slow and bloated. Writely to the rescue. This online document composition tool couldn't be nicer, giving me the features of Office I want without the problems that I don't. Basic formatting, from fonts to alignment to lists, is all there. Collaboration is even better than MSOffice, allowing multiple people to share versions of a document, working on it at the same time, across multiple operating systems. Writely has recently been purchased by Google, and when combined with Google's new Spreadsheet webapp Google is now only a presentation component away from taking on MSOffice.
  • I had endless puns running through my head about how to bring up this next app, but frankly it's too awesome for a pun so just go check out Del.icio.us if you haven't already. This site has caused me to stop bookmarking things in my given browser on my given operating system (always an issue). Through the beauty of Tagging (one of Web 2.0's favorite things) you can quickly organize your bookmarks, and by adding a social component (another Web 2.0 tenet) you can also see what other people have tagged, leading you to mountains of links along the same lines as what you're interested in. As always handling all these things with a site and not an application means they are available on any computer, wherever you happen to be at the time. Don't believe in this extreme awesomeness (that's a patent pending term)? Then just check it out here: http://del.icio.us/ub3r11ama

As you can guess by now mobility is a big deal for me. I work in an environment where I can't install anything, yet need lots of tools that are often not available, so having tools available through an application I already have (notably Firefox) is a dream come true. In addition I bounce between computers quite frequently, from my iBook to PC Desktop, to my work system, to my Q Smartphone, and having the same information synced up between all these devices, and any others I might stumble upon in a day makes a lot of things much much simpler.

Well...Has the net missed me?

Well it's been a little bit since I've managed to make time to be on the net for blogging, lately ranking somewhere between searching eBay for stuff I won't buy and searching Facebook for people I haven't talked to since third grade. O... and a few other things happened:
  • I moved down to Alexandria, VA. Quite a big move for a guy who's spent most of his life stuck in suburban hell.
  • I've put school on the back burner a bit. I have 10.5 more credits left to finish up to complete my educational journey as an undergraduate. They will be finished over the course of the next year though a combination of research, independent study, and hopefully some leniency on the part of the administration.
  • I've got a real job for a major security vendor. It's kind of crazy, but I actually got a job doing (close to what) I want to do, living where I want to live, and having a good time doing it.
  • New apartment. New Car. All the fun of being an adult. None of the required maturity.
Life is finally starting to settle down though. After the craziness of the move, getting the apt, car, furniture.... all that. My schedule continues to be erratic (occupational hazard), but life has become a pleasant combination of work, going out with friends (which I'm lucky enough to have more than a few of around here), hanging in coffee shops (notably: Murky VA), and getting altogether too little sleep.

But hey, isn't that the fun of being 22..?

4.25.2006

SubEthaEdit + MacZot = Nice Tuesday Present

As a power user my Mac is important to me. It helps me get stuff done with, in my mind, the best operating system, applications, and general amount of awesomeness on earth. As a college student I'm poor; so cheap, especially cheap as in free, is important to me in my continued desire to be productive, as well as to afford to eat. It's sad how rarely these two things (Mac & Free) tend to come together. So until someone decides to buy me a MacBook Pro out of the goodness of their hearts I'll have to look for less ambitious Mac/Free opportunities.

Well lucky me someone has heard my pleas and answered them in the form of BLOGZOT 2.0 on MacZOT.com. I'm not sure of the total details (sorry, I got distracted listening to those Serious DJs and didn't read it all) but I know MacZOT and TheCodingMonkeys will award $105,000 in Mac software if enough people blog it. So here's my contribution.

Why am I giving in to this commercial bribery by plugging a group I'm not associated with so shamelessly on my own site? Well first of all the above reasons of course; it's two great tastes that taste great together. Secondly SubEthaEdit from CodingMonkeys is easily one of my favorite and most used applications on the Mac. If you haven't played with it check it out for the trial period. SubEthaEdit isn't just your usual notepad, though it does fill that function well. Syntax highlighting, multiple languages, blah blah blah. SubEthaEdit really shines being one of the best collaborative tools on OS X, allowing note taking and coding by multiple people on different machines, locally via Bonjour, Apple's Zero Config networking standard, or even across the Internet. Unless you've done it you can't understand the usefulness and the power of that kind of collaboration.

SubEthaEdit was freeware until a few months ago when CodingMonkeys changed their minds, prolly once they realized that they were sitting on one of the premiere notepad applications and that people would pay for it. I've been wanting to, but due to that whole cheap/free thing (see above) I've still been using my old freeware version. So I will plug away, both to recommend it as a product to my friends and associates and to hopefully score myself a free registered copy.

It worked for AppZapper in BLOGZot 1.0 at least...

4.23.2006

Maybe I should take back those things I said about Pittsburgh

This past Friday I received a very interesting phone call from CERT, the United States Computer Emergency Response Team. For those not familiar with this group:
CERT is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University. We study Internet security vulnerabilities, research long-term changes in networked systems, and develop information and training to help you improve security.
Needless to say this group includes some serious computer security ninjas and thus I felt flattered when asked to interview for one of their analyst jobs. Thankfully they were very understanding when I told them about my approaching start with a major security vendor. I was in fact very kindly congratulated and asked if I had any other colleagues to recommend to them (if you're interested contact me).

After this conversation I got curious about all the things CERT does, since while I knew of them I didn't really know much about their goals and operations. I poked around their site, read some of their whitepapers, and generally enjoyed their resources. My personal favorite, and the one I most wanted to share, was the CERT Survivability and Information Assurance Curriculum.

As someone who tried, with mixed success, learning Information Assurance at a major university I can say it's incredibly difficult. Classes tend to miss out on many things that are important, when working in network security especially. Professors are often out of touch with what it takes to survive in the work force and those focused on Information Security are often the farthest out of touch. They get caught up in current, or even slightly out of date, technologies and fail to teach basics like advanced networking, the C programming language, operating system architecture, and secure coding, the very things that need to be the core competency of an information security professional. By far one of the best resources I've found for plugging these educational gaps is the CERT Survivability & Information Assurance Curriculum. This curriculum includes many things like networking, basic information security and infrastructure protection, and even a complete set of labs to add a practical component.

This is my new favorite resource by far for basic learning, and I'm quickly finding, for review. I began looking through the CD image included to see if it would be worth suggesting as a resource to some of my fellow researchers at school and ended up going in depth with it. I'm now using it as my own review to prepare for my own start in Corporate America as a security analyst. So if you're interested in getting into Computer Security, Network Security, or general Information Assurance give it a look.


How I dream...

People talk a lot about dreams. What they mean, what they say about us, whatever. I don't know any of that, I'm usually bad at describing my dreams. Here is the closest thing I can show anyone to one of my dreams.



Ok, maybe not a dream. Maybe it's more of a fantasy.

4.03.2006

Separated at birth?

Has anyone noticed the startling similarity between the toolbar in World of Warcraft and the dock in Apple OSX?

World Of Warcraft:

Apple OS X

Someone get Apple's lawyers on the phone...

3.28.2006

Does this mean I deserve my own Security Podcast??

Regardless of what my friend Steve may say about Steve Gibson's comments in the latest installment of Security Now! it sounded to me like Gibson was very much advocating the use of One Time Pad based Two Locks Encryption. For those not familiar with One Time Pads go read the Wikipedia link, it'll do a better job than I will. The two locks technique comes from a very old, pre-computer way of keeping things protected at all costs. A chest locked by the sender is sent to the receiver. The receiver, who doesn't have the key to the lock, puts his own lock on the chest and sends it back to the original sender. The first sender then removes his lock and sends the chest back to the original receiver.

This is a fairly secure system, in the physical world, and has been advocated to be used with One Time Pads as a way to make up for the biggest problem with OTP, key passing. This was the basis for an encrypted instant messaging project I worked on freshman year. Needless to say it wasn't the most secure system ever, but the little bit of security it had was shattered in the same way Mr. Gibson's "interesting solution" can be shattered.

My Explanation:

And I think that clears that up.
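The three-pass "two locks" exchange with XOR one-time pads, as an added example (not the post's own explanation, which was an image, and not from Security Now!). The message, pad values and names below are constructed for the demonstration. With physical locks the scheme works because a lock cannot be "subtracted" by someone who only watched the chest go by. With XOR pads every pass is visible on the wire, and XOR cancels, so anyone who captured all three transmissions can combine them and read the message; no key ever needed to be stolen.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """One-time-pad encryption and decryption are the same operation: XOR.

    The pad must be exactly as long as the data it covers.
    """
    if len(a) != len(b):
        raise ValueError("pad length must equal data length")
    return bytes(x ^ y for x, y in zip(a, b))


def two_locks_exchange(message: bytes, pad_sender: bytes, pad_receiver: bytes):
    """Run the three-pass 'two locks' protocol using XOR pads as the locks.

    Returns the three transmissions exactly as a passive observer on the
    network would see them. Neither party's pad is ever transmitted, which
    is what makes the scheme look like it solves key distribution.
    """
    # Pass 1: sender 'locks the chest' with their own pad.
    pass1 = xor_bytes(message, pad_sender)
    # Pass 2: receiver cannot open it, so adds their own lock and returns it.
    pass2 = xor_bytes(pass1, pad_receiver)
    # Pass 3: sender removes their lock; only the receiver's lock remains.
    pass3 = xor_bytes(pass2, pad_sender)
    # The receiver removes their own lock and reads the message.
    recovered = xor_bytes(pass3, pad_receiver)
    assert recovered == message, "protocol itself is functionally correct"
    return pass1, pass2, pass3


def observer_view(pass1: bytes, pass2: bytes, pass3: bytes) -> bytes:
    """What someone who merely captured the three passes can compute.

    pass1 ^ pass2 cancels the message and the sender's pad, leaving the
    receiver's pad. XORing that into pass3 cancels the receiver's pad too,
    leaving the plaintext. This is why the scheme offers no confidentiality
    against a passive observer, despite using 'unbreakable' one-time pads.
    """
    receiver_pad_leaked = xor_bytes(pass1, pass2)
    return xor_bytes(pass3, receiver_pad_leaked)


def confidentiality_holds(message: bytes, pad_sender: bytes, pad_receiver: bytes) -> bool:
    """True only if a passive observer of all three passes cannot recover
    the message. For XOR locks this is always False."""
    p1, p2, p3 = two_locks_exchange(message, pad_sender, pad_receiver)
    return observer_view(p1, p2, p3) != message


if __name__ == "__main__":
    # Constructed sample: both parties pick truly random pads, as OTP requires.
    msg = b"meet me at the projector"
    pad_s = os.urandom(len(msg))
    pad_r = os.urandom(len(msg))
    p1, p2, p3 = two_locks_exchange(msg, pad_s, pad_r)
    print("observer recovers:", observer_view(p1, p2, p3))
    print("confidential against a passive observer?", confidentiality_holds(msg, pad_s, pad_r))
```

The defect is not in the one-time pad but in the "lock" operation: the protocol needs locks that cannot be combined by an outsider, and XOR is its own inverse, so the three ciphertexts on the wire are enough. Any cipher used as the lock here has to be commutative (so the locks can come off in either order) and yet not cancel out under combination of intercepted passes, and XOR fails the second requirement completely.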

That's Dvorak dot Com slash SHUT the %*!# UP!!

Is it just me or is This Week In Tech nothing but a bunch of 30+ year old tech guys like Leo Laporte and John C. Dvorak plugging their own crap and that of their cronies? It gets worse every episode.

Can't just talk about tech without having to mention everyone's website, pet project, or Dvorak's inane blog? Diggnation can do that. Proof we need Kevin Rose on more often.

Oh well... at least Episode 47 didn't have Mitnick.

EarJams for Jammin' Ears

I'm not the audiophile I wish I was, nor am I near the audiophile that many of my friends are. That being said I do appreciate a nice listening experience and do feel my standards are slightly higher than average, even if my bank account can't always support that.

I'm the first one to say the headphones that come with any iPod leave much to be desired. The sound, while acceptable to many (including the masses that have flocked to Apple's venerable player) has left something to be desired for many, including yours truly. Not to mention anyone who's worn Apple's earbuds for longer than 20 minutes knows that they were obviously not designed to be worn by human beings. I'm sure this was done as a protection to keep us from blowing out our eardrums, but I don't know anyone whose ears don't ache before getting to the end of a playlist.

The response of course is new headphones. This becomes a test of audio dedication and bigotry. Those with the highest combined total of those traits drop hundreds, getting Shure or even more obscure brands of headphones, while others go for simple $30 or $40 Sony or Philips offerings. I went this route for awhile and was really quite pleased. Though the model escapes me I had a great pair of white Philips headphones that fit nicely and comfortably in one's ears, even when working out. Soft but firm silicone ear pieces made this happen and nicely channeled sound and did a bit to minimize outside noise. These worked out fairly well until I lost one ear piece from each set (large and small) and was unable to find a place to purchase new ones.

At this point I was up the creek without a paddle and was forced to move back to my reserve pair of iPod headphones that came with my Shuffle. Not a good move as the sound quality was noticeably worse, exterior noise was distracting, and my ears felt as though someone was attempting to jam their thumb into my ear as hard as they could. In an attempt to alleviate this issue I made my way to the local computer store to see what they had to offer. As I found it was with mouses (another post perhaps) their selection was less than expansive, leaving me few options. I ended up settling on the Griffin Technology Ear Jams over a selection of much more expensive but not very well rated Sony earbuds.

What do I think? Well, that's tough to say. True to Griffin's claims they do deliver MASSIVE bass. I mean, it's far more bass than one would expect to get out of $8.95 plastic add-ons to a set of regular iPod headphones. The impressive low end comes at the expense of a muddy middle range and a nearly non-existent range of higher frequencies. Now it's true that nothing else was promised on Griffin's website besides MASSIVE bass, but one at least expects additions promised to improve audio to improve it in general, not sacrifice 2/3 of the audible range to marginally improve the other 1/3. That being said, the Ear Jams do make the normally painful iPod headphones downright comfortable, making it easy to listen to two or three full podcasts without any discomfort. Equally pleasant is the noise dampening effect of the Ear Jams, drowning out the chatter, machine noises, and endlessly repetitive Starbucks soundtrack.

The package doesn't include too much more than what you see. A nice little case is included and while I tried to use it for awhile it quickly ended up sitting on my desk and not in my laptop bag. Also included are two other sizes of ear inserts, one set larger and one smaller, giving a lot of options for finding what's comfortable for each individual. So if you're looking for some improved sound, and especially some improved comfort, from the normal iPod headphones without spending a lot more on top of your new iPod, give them a try.

3.16.2006

Clientless VPN is one thing, but serverless?

It's not too rare for things to not make sense to me. Many things baffle, miff, confuse, and otherwise elude me. Women fall into this category, I can't say I have the first idea how they work.

This post is not about that. Apple is not a company that often confounds me. I love my Mac mostly because it usually makes sense. It's logical, well thought out, and does what I expect. Recently I've been fighting with VPNs. Any Apple people will now be saying "But Scott, Apple has a nice VPN client built in, why not just use that?" It's true, they do.

Starting in OS X 10.4 Apple introduced a very nice addition to their Networking preference with the addition of an L2TP over IPSec VPN client and a PPTP VPN client. In typical Apple fashion this client is clean, simple and easy. Fill in the basic information, it pops up in your menu bar, and you're a go. Simple, easy, no problem. So why am I complaining?

Where on earth is the server software? I realize this isn't something most people complain about, but seriously, I'm not a fan. Apple includes a VPN server in OS X Server but who wants to pay for that? No one makes a compatible VPN server to install on OS X Client edition, surprisingly. More surprisingly no one has made an even remotely easy to install open source VPN that functions easily, or even somewhat easily, with the Apple client, either installed on OS X or on another Linux box. PopTop has so far been the closest I've come, even managing to get it installed, but the configuration documents were insanely vague and the denizens of their IRC channel were less than eager to help. OpenSwan has also been less than helpful, proving easy to get IPSec configured, but lacking any explanation of the L2TP configuration.

So what's the answer? I don't know. I'm frustrated and at my wits' end. The answer prolly involves me spending another 6 hours beating my head against my keyboard, but this is St. Patty weekend and I have other things to do. Perhaps next week. But I'm open to suggestions.

3.07.2006

And now I don't have to say it!

This article by Damien Barrett is by far the best description of how the Mac community should be reacting to the current spate of security problems and articles. I recommend it to anyone wondering about OSX security, and anyone looking for more concrete ways to argue with the doubters.

2.27.2006

I Never Did Follow the Script

So from time to time I get it in my head to create some project that I think will just generally be awesome. Typically this doesn't involve just writing some useful little tool for me, as that would be too easy. I want to take some little geeky utility that all my contemporaries remind me I could write in next to no room in under 20min and make it useful to the masses. This usually leads me to a huge fuss where I read a lot, put out some pseudocode, make something usable, but not to the masses, and put it on the backburner until "later" to finish it. This is one of those times, and my struggles with it.

One of my biggest regrets is that the rapid development language I know best is Perl. I don't mean to rip on Perl, but it sucks. To begin with it's ugly. I mean very ugly. The syntax, while in some ways very sane, is utterly impossible to read no matter how well formatted a given bit of code is. It's not OOP. I mean I know it can be, I know the object stuff is there, but it never seemed well integrated, so I never really learned it. It's also extremely limited as to how tightly integrated it is with the host operating system. Except on Linux systems Perl always feels like an afterthought, like a second rate citizen, like it wasn't meant to be a part of an OS, but tacked on for something extra. I think much of this comes from the fact that on Windows (where I've done most of my big Perl development projects) it requires ActivePerl or something similar, and the fact that most IDEs, even tightly integrated ones like XCode, don't support it. Still, it's what I know and it's what I'm fairly good at so I use it, begrudgingly, more often than I'd like.

This project, which I'll discuss in depth in another post, I'm trying something different. I wanted to use some functionality in OS X that requires a bit more integration with the OS than most languages allow. Originally I planned on using Automator but that quickly proved too limited. I can't say I understand how Automator was designed. It seems to be too featureful and advanced for the average user, yet far too limited to be useful to anyone with even limited development experience. There is a lack of objects for even the most basic control structures, like looping and conditional statements. Even these very slight additions would make Automator dramatically more useful and add a minimal amount of extra complexity. Yet they are not available, even in the third party packs, so I have moved on to teaching myself AppleScript.

AppleScript has proved a fickle beast. Everyone who's used it before is quick to tell me how easy it is, how surprisingly simple and elegant the solutions can be. I'm sure this is the case, however the incredible lack of getting started documentation was frustrating at first, but I'm beginning to get the hang of it, and hopefully I'll be one of those "Oh, it's just like English" people soon. I'll be interested to see how it turns out myself and I plan on posting more about this battle of the scripting languages.

2.24.2006

Tryin' Again

As seems to be my typical way I fell off the blogging wagon for awhile (though was I ever really on the wagon?). Last semester was as busy as could be, and I was barely able to get my work done, let alone all the little side projects I was interested in. Things involved with being a senior at a fine place like Penn State, the tragic end of my HoleInTheBox free hosting, the job search, and other things simply put blogging on the bottom of the list, and I can't say I desperately missed it.

At least for awhile....

Slowly but surely things kept creeping up that I wanted to talk about. Links I found interesting, events I felt compelled to discuss, rants I needed to..... rant. So here goes nothing again.