NetAssassin.com

iCloud - Reese Witherspoon warning is very timely


Last night on the MTV Movie Awards, Reese Witherspoon warned fellow celebrities to cover their faces when taking nude photos of themselves (presumably with their cell phones) and asked them to try to be more classy. I can't speak much about the second half of that, but I agree it would be a pleasure to see more people being classy. This may be in response to the large number of female celebrity nude photo leaks caused by hackers breaking into their email accounts. And that leads us to why this warning may be unwittingly timely given today's events.

Today Apple CEO Steve Jobs presented iCloud in his keynote for WWDC 11. We all know the iPhone is hugely popular among - well, everyone. And celebrities have them as well. It seems that in iCloud most everything you do on your i-Device will be auto-synced to the cloud. Yes, you guessed it... take a photo with your iPhone, iPod, iPad, iWhatever and the image is instantly uploaded via "Photo Stream" directly to iCloud, so you don't have to worry about your i-Device being stolen, broken, lost, etc. Granted, it's only the last 1,000 images. But can you imagine?!

Currently hackers gain access to Hotmail, Yahoo!, and other similar email accounts. There they find messages in the sent folder with attached images, and they leak them to the world. Embarrassing to say the least, but as @HemanshuNigam (Hemanshu Nigam) wrote on his blog last week, the iPhone itself wasn't hacked in the recent case of Blake Lively's hacker and the nude photos that may or may not be hers. As he states, the phone itself is quite secure, and compromising it would ultimately require physical access to the phone or some super sophisticated malware. But how secure is the future iCloud, where all the content from your iPhone will be instantly backed up for recall? Well, exactly as secure as the password on your account is hard to guess, of course. Given the rash of guessed passwords on celebrity email accounts, I predict a lot of compromised photos in the future. Let's all hope that it is device specific, and has some means of DRM so that only your registered devices and computers are able to decrypt and use that data.

Years ago my friends would all say "Evidence!" joyously after snapping a photo of someone at a party. That has never been more true than it is today. It's becoming commonplace for employers to review the Facebook, Twitter, etc. accounts of prospective employees. And nude photos aren't the only issue here, not by a long shot.

That night of drinking in Vegas with the girls/boys where you let your hair down - well it is now saved forever for the world to see.  Perhaps we are all too critical of each other.  We all know everyone relaxes and has fun, but perhaps we should take Reese Witherspoon's second bit of advice to heart... keep it classy.

How not to get hacked -


Thanks to @jeremiahg for the link to Depth Security's blog posting "How to get Properly Owned." I like this posting for several reasons:

1.) It is brilliantly written from the perspective of all the things that will happen if you don't do what you should be doing.

2.) It doesn't pull any punches.

Be honest with yourself, all you system admins and programmers out there (yes, I do mean you): if you don't follow best practices and take the extra time (yes, it slows you down and costs more), you will spend exponentially more time, money and resources fixing your mistakes later. Not to mention damage to your brand name, corporate image, fines, and other unpleasant things. Security, at times, is about keeping your company's name out of the newspaper in a way that will cause your PR department grief. At times, if you do exceptionally well, you can get named in the press as the "good example" or "expert," and that does exactly the opposite for your PR department. They may even take you to lunch.

But try to always think about the bigger picture. Life isn't about making things too easy, and the example used for the CxOs who often have "exemptions" from the policy is a bad practice any way you look at it. First, they are huge, ripe targets. Anyone and everyone can find their names, email addresses, etc. Email addresses normally map to login IDs, such people normally have extensive access (or, even when their access is limited, it is to very valuable information), and you are only starting to draw the picture. Second, lead by example.

Advanced home firewall usage...


Yea! You bought a firewall (aka "router") from the local electronics store and now you are secure! Really?! You got a default firewall that blocks inbound traffic, and you are now secure? Secure?! What about the outbound traffic? What happens if you get hit with a worm, trojan, malware, etc. and it starts connecting your home computers to control servers and/or starts pumping all your keystrokes, PII, and usage information to an outside source?

Well, yes, you are right, you can install and keep up to date your anti-spyware, anti-malware and anti-virus software. Which is good, and you should probably be doing that anyway... you are doing that, right? No, really, you... yea, you... go update now and come back and read this later.

Okay, for those of you just returning, welcome back and glad you now have updated systems, and for those that have kept reading from the last paragraph, congrats on keeping things up to date or on just lying about it. For those still disillusioned and believing that running properly configured firewalls and patching systems is just silliness, I draw your attention to the Sony PlayStation Network. 'Nuff said... let's continue.

Let's talk about advanced home firewall usage. Like, for instance, outbound filtering. Yes... you read that right, limiting what goes out of your network. This seems like crazy talk, I know, but trust me, you have the time to do this. And I know what you are thinking: "Hey! I have a personal firewall on my desktop that limits what apps I have permitted to speak to the Interweb!" You mean a local firewall application on the computer that is infected with a virus? Yea, because while the software you are infected with can turn off your A/V software, it doesn't adjust your personal firewall. (That was sarcasm.) Time to do it on a secondary secure device that isn't controlled by your workstation. We don't call firewalls "bastion hosts" for nothing. Well, those of us who have been doing this for a long time might still call them that. I date myself and digress.

To that point... step one: if you have UPnP port mapping enabled on your firewall, go turn that off and never, ever, EVER turn it back on again. I realize it makes your life easy, and your Xbox and computers and stuff can just magically modify your firewall and things work out of the blue. But um, think about that for a second... it really isn't that smart a thing to do, unless you are, say, my parents and you aren't going to touch the firewall. Come to think of it, I should probably go fix their firewall. Besides, it won't hurt for you to actually learn how to manually make the firewall allow traffic to/from the Xbox for playing online games. You might actually understand how a network works... how the game works... and you never know where that will lead you! (Like working for a game company building secure networks and helping invent modern day MMO network architecture. Big finger pointing to me.)

Step two: get a firewall that has outbound rules. You are going to need the ability to make a few rules and not just one or two (some firewalls only permit you to write a couple... do research), so you might want one that is designed for people with a frontal lobe and not the plug-and-play mass lemming, I mean "consumer", model firewall. If you have some free time, I suggest going and getting m0n0wall or its offshoot, and probably more fun (i.e. feature rich), pfSense. If you are already using IPFW or IPChains to run your own firewall on *NIX, then you get +10 Geek Points and you are apparently reading this only to kill time. If you aren't into modifying old PCs, buying a mini solid-state system to install cool systems on, or are just lazy... go buy a consumer-level firewall that has advanced features. Warning: most do not have these features. This is in great part due to the consumer market not demanding them, and this is mostly because people are ignorant of the benefits of having these features.

Step three: how to set up outbound filters. There are two schools of thought on this. Let's call them "paranoid" and "cautious." Paranoid means you create a list of allowed protocols and then a catch-all rule that states "deny all." So, for instance, you would enable ports 80, 443, 25, 20-22, and maybe a few others that you use. "Super paranoid" would also restrict the destinations for those protocols. I don't recommend this to anyone not already writing their own manifesto, wearing a tinfoil hat and probably seeing and hearing things that the rest of us don't know about. But if you are that guy, go for it! Then there is "cautious." Cautious is allowing all outbound traffic and then blocking specific protocols and hosts that are known to be "bad." This might include, and listen up parents, blocking the ports used for BitTorrent and other P2P systems, especially if the country you live in now has laws allowing your ISP to cancel your account and fine you (France, Australia, etc.). Or, more useful, might be blocking all traffic to IP addresses of servers known to be master controllers for botnets, etc. For example, there are three IPs known to be the controller servers for CoreFlood. By blocking all the traffic to those three, and enabling logging for that rule, you could not only stop the traffic but be alerted if any of your machines are infected, because they tried to connect to those servers or services (ports) on the Internet.

Protect our kids! Yes parents, you can control what happens with their computers... and not have to touch their computers. (Assuming their computers stay in the house... this goes for their iPhone, iPad, Android, etc. using your wifi.) Nor will you need to buy extra software... unless of course you want the other features of monitoring what they did, seeing what they saw, etc. For that, you can run a network monitor, and I might write about that in another blog post. See, I am saving you money and helping you keep your kids safe. Martha Stewart would consider my blog a "Good Thing," I bet.

So back to protecting our children. If your child is young, let's say under eight, and they are already playing on the Internet, you might want to enter a rule in the firewall that permits their computer (identified by either its MAC address or by assigning the computer a static IP) access only to the specific URLs and IP addresses they are to use. E.g. allow access to Disney, the server that their toys need to access, etc. Conversely, maybe your daughter is a tween (children, unlike Schrödinger's cat, have new degrees of childhood that have been wedged between child and teenager... we didn't have this when I was a kid). Anyway... you don't want little Mary going onto Facebook until she is perhaps forty-five or so. But right now, you can make those decisions. Again, you can install software on her computer... which she will indubitably get around, thus proving she is more adept with the computer than you are, or you can do this at the firewall and prevent her (and anyone else you want) from getting to Facebook.

For even more protection and assistance with the kids and your overall security, you can set many of these rules to run only during specific times. Yea, I know... your head is really working on uses for this now. You could actually finally have the ability to get little Johnny off of the Internet when he is grounded, or when he is supposed to be doing chores, sleeping, interacting with other live human beings to work on his social skills, etc. (I am so old fashioned.)
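The two schools of thought from step three, plus the logged block of known controller addresses that doubles as an infection alarm, as an added example that is not from the original post. It assumes a Linux iptables firewall (eth1 on the LAN side, eth0 toward the ISP) rather than the pfSense or m0n0wall boxes mentioned above; the controller addresses are constructed placeholders from the 192.0.2.0/24 documentation range, not the real CoreFlood controllers, and the log lines are constructed to follow the iptables LOG format.

```python
"""Outbound filtering: the "paranoid" allow-list with a final deny and the
"cautious" allow-all with logged blocks for known-bad hosts, emitted as
iptables commands, plus a parser that turns the LOG lines those rules
produce into an infected-host report. Added example, not from the post."""

import re
from collections import Counter, defaultdict

BLOCKED_C2 = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # constructed placeholders, NOT real IoCs
ALLOWED_PORTS = ["80", "443", "25", "20:22"]             # the post's allow-list
C2_PREFIX = "C2-BLOCK"      # log tag stamped on hits against a known controller
DENY_PREFIX = "OUT-DENY"    # log tag stamped by the paranoid catch-all


def build_rules(mode, lan_if="eth1", wan_if="eth0"):
    """Return FORWARD-chain iptables commands for one school of thought.

    Both modes log-then-drop traffic to the known controllers first; the
    LOG line is what lets the firewall double as an infection alarm."""
    rules = [f"iptables -A FORWARD -i {wan_if} -o {lan_if} "
             f"-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for ip in BLOCKED_C2:
        rules.append(f'iptables -A FORWARD -i {lan_if} -d {ip} -j LOG --log-prefix "{C2_PREFIX} "')
        rules.append(f"iptables -A FORWARD -i {lan_if} -d {ip} -j DROP")
    if mode == "paranoid":
        for port in ALLOWED_PORTS:
            rules.append(f"iptables -A FORWARD -i {lan_if} -p tcp --dport {port} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -i {lan_if} -p udp --dport 53 -j ACCEPT")  # DNS
        rules.append(f'iptables -A FORWARD -i {lan_if} -j LOG --log-prefix "{DENY_PREFIX} "')
        rules.append(f"iptables -A FORWARD -i {lan_if} -j DROP")     # catch-all deny
    elif mode == "cautious":
        rules.append(f"iptables -A FORWARD -i {lan_if} -j ACCEPT")   # everything else may leave
    else:
        raise ValueError("mode must be 'paranoid' or 'cautious'")
    return rules


# iptables LOG line: "<prefix> IN=.. OUT=.. [MAC=..] SRC=.. DST=.. ... PROTO=.. [SPT=.. DPT=..]"
LOG_RE = re.compile(
    r"kernel: (?P<prefix>\S+) IN=\S* OUT=\S* .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r" .*?PROTO=(?P<proto>\w+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return prefix/src/dst/proto/dpt of a firewall LOG line, or None for other syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None   # ICMP carries no port
    return rec


def infected_hosts(log_lines):
    """Map each LAN host that tried to reach a blocked controller to the (dst, port) pairs it tried."""
    hits = defaultdict(set)
    for line in log_lines:
        rec = parse_log_line(line)
        if rec and rec["prefix"] == C2_PREFIX and rec["dst"] in BLOCKED_C2:
            hits[rec["src"]].add((rec["dst"], rec["dpt"]))
    return dict(hits)


def policy_denials(log_lines):
    """Count (src, dport) pairs the paranoid catch-all dropped: what you forgot to allow, or shouldn't."""
    return Counter((rec["src"], rec["dpt"]) for rec in map(parse_log_line, log_lines)
                   if rec and rec["prefix"] == DENY_PREFIX)


# Constructed syslog excerpt: two hosts hitting controllers, one P2P attempt, one unrelated line.
SAMPLE_LOG = [
    "Jun  6 21:15:03 gw kernel: C2-BLOCK IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=192.168.1.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun  6 21:15:04 gw kernel: C2-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun  6 21:15:06 gw kernel: OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=40000 DPT=6881 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun  6 21:15:08 gw kernel: C2-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.52 DST=192.0.2.12 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Jun  6 21:15:09 gw sshd[411]: Accepted publickey for bob from 192.168.1.23 port 50022 ssh2",
]

if __name__ == "__main__":
    for rule in build_rules("cautious"):
        print(rule)
    for host, targets in sorted(infected_hosts(SAMPLE_LOG).items()):
        print(f"ALERT {host} tried to reach controller(s): {sorted(targets, key=str)}")
    for (src, port), count in policy_denials(SAMPLE_LOG).items():
        print(f"denied {src} -> port {port} x{count}")
```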

Bottom line, the firewall is a tool. But much like any tool, there are cheap ones, good ones, handyman and professional grade ones. You want to have the "Craftsman" level of firewall in your home. Or if you are like me, and the super expensive tools in my garage speak to this, you don't settle for anything other than professional grade... even if it is to drill the very infrequent hole in something or for that one time when you needed to cut a board in half... you get my point.

InfoSec, how it helps get around limited usage


Not sure about you, but I really dislike when someone else decides how I should (or more directly shouldn't) use a gadget I own or a service I subscribe to. Now before you get all excited, I haven't joined the Dark Side and I am for sure not hinting about DRM or content that I subscribe to. I am talking about using my physical stuff in ways that make sense. Here are some examples:

My iPhone - I get twitchy if I don't have it or can't check it. I am cognizant of smartphones being used as social crutches, and I always do my best to ignore the thing when interacting with another person. But it takes a good bit of willpower on my part, especially when the other person keeps checking their phone. And I haven't jailbroken it, yet, as I need it to work and just can't risk it. But it really irks me that it can't play content on my NAS, or remotely store data, etc. right out of the box. I can play movies and music stored on the phone and have them displayed or played on my AirShare devices like my AppleTV 2, but not the other way around. And of course that device too can't access content on my NAS without being hacked. It's annoying. I am locked into iTunes, and the two things I want to use to access my iTunes server can't see it because they aren't allowed to use a streaming server.

So bring on the third-party workaround. I run a ReadyNAS Pro. It makes me happy and it runs like a tank. So recently, despite all its streaming services that are useless to my non-hacked iPhone and AppleTV, I found a solution to stream media to at least my iPhone. Orb, a free service, has both a streamer and an inline transcoder for my ReadyNAS, and a $9.99 app for my iPhone. So I decided to try it out. (There is a free trial version of the app as well.) For a how-to on setting up the ReadyNAS with Orb, see this link.

After a few minutes of a very easy and quite automated install, my NAS was now a streaming, transcoding Orb server. And my iPhone had a new application. Time to test!

It's both fast and quite amazing. I had no problem streaming 7GB HD movies from my NAS to my phone on wifi and via 3G. That is, until my test today while using inflight wifi (GoGo). It seems they don't want you streaming video while in the air. (They have similar issues with using Skype.) So they block the stream. Ok, this is one of those "irk me and I will just do it anyway" kind of moments for me. Orb runs a matching service that allows your subscribed clients / devices to connect to your servers. This is nice, as I can do it from anywhere using only the Internet. Except, of course, on the airplane, which allowed the matching (I could connect to my server and see my content) but would not allow the stream to initiate for viewing. I guess they have a "look but don't touch" policy. Opening an IPSec tunnel from my phone back to my world headquarters (aka "layer of awesomeness / Castle Franc"), I got around their content filter. (P.S. This will get you around most filters, and as a bonus your traffic is encrypted and thus private.) The best part: it works amazingly well. Now this also speaks a lot to the phone. It's running a VPN, encrypting and decrypting packets, and is playing video and audio without breaking a sweat, to be honest.

So let's talk personal VPNs. I use IPSec, and while this works through almost all networks and is brilliant, it requires a bit of know-how to set up both the server and the client. And in some cases, it requires special client software. PPTP is another great, and far less technically challenging, type of VPN server and client to set up to do this same thing. Just remember, in both cases, you don't want to "split" the tunnel; you want all your traffic to traverse the tunnel and thus hide (secure) everything you do. And by securing your connection, you get the awesome byproduct of being able to do whatever you could normally do from the network you are remotely connecting to, rather than the restricted allowances of the network you are actually locally connected to at the moment.

So here we have had two things getting in my way... First, the device itself doesn't allow normal (i.e. things I already had deployed and that are more mainstream) streaming media reception. Second, a network I paid a good amount of money to use (when you consider my flight was only three hours long) restricted what Internet services I could use for the premium price they were charging me.

And now, you have an example of how security can be used to make your life easier. Enjoy!

Smart phones, and privacy

Yesterday, for the second time in about as many weeks, word went out in the press that iOS devices such as the iPhone, iPad, etc. keep a record of what cell towers and wifi APs you have been using. They also track your altitude, and some other items. Given this data, it's fairly trivial to show where and when you were in any given place. And at word of this in the media, this time, people went off the deep end for a bit. But let's pause, take a deep breath and think about privacy.

First, nearly everyone who doesn't truly care about privacy checks in from locations using various social networking applications. And from the looks of it, that's basically nearly everyone. From Facebook to Twitter, people post where they are, who they are with (i.e. others are telling everyone else where you are just because you are with them, and we don't have a cultural logic loop that would point out they should ask your permission first), and they even get to see who else is already at the same place! Great... so if I stole your iPhone I might be able to see where you were... but if I just follow you on Twitter I get to see where you are NOW. Which is more stalker-like and creepy.

So let's think about all the things that keep track of where you have been. Your GPS, that gizmo that is always recalculating too slowly and telling you to turn on the street you just passed, does this as part of its programming. Yep, that's right kids! I can pull the data from your GPS and find everywhere you have driven using it. Dates, times, speeds you traveled at, etc. All the same info I can get from your phone. Creepy? I dunno, how many times have you caught someone downloading information out of your GPS? See, not so bad.

OnStar, if you have it... they know where you are right now, let alone where you have been. ATM cards, credit cards, general use of "dumb phones" while traveling about, yep you can be found and tracked by those too.

The bottom line, we all carry, use and have multiple devices that can be used to track us or review where we have been. But the one that has everyone on edge is their phone.

Apple doesn't pull this data off of your computer. For now it seems to just be recorded on your device and then backed up to your workstation when you sync it. Apple even allows you to encrypt the backup (it's a happy little check-box on the sync page, and I recommend checking it for all time). But wait, you say! Yes, I know, if someone steals your phone they can sync it to another computer and get the same data off of it... or can they? First, you can't sync an iPhone or iPad that is locked to a new computer. The iTunes application will demand that you enter the PIN to unlock the device. So, now you know how to defend yourself.

I suggest going and getting the iPhone Configuration Tool (you can find it at this link). With this groovy tool you can do a few fun tricks. (I only suggest those among you with keen iPhone/iPad typing skills and a good memory do this.)

1.) You can enable the ability for your iPhone to self destruct (reset to factory state) after a number of failed unlock attempts. While I know you can do this on the phone itself, with this tool you can set the number of failed attempts, unlike the fixed number of ten on the phone itself. I suggest setting it to three, unless you have little kids or a nosy significant other... and then perhaps five.

2.) You can set the password to be longer than four characters and you can set it to be alphanumeric! Oh yes, you read that right. You can use real big-people words! Mine is all kinds of ISO / SAS compliant and forces me to use at least eight alphanumeric characters with at least X of those being numbers. I even have mine set to force me to change the password every ninety days.

3.) Use MobileMe... I'm not selling the service, but honestly you need to be able to blow up your i-device, lock the screen or find the darn thing if you misplaced it or it was stolen. It's imperative. The other features make the cost of the service feel like I am getting something extra.
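Tricks 1 and 2 above, as the configuration profile the iPhone Configuration Tool installs on the device, written here as an added example that is not from the original post and not output of Apple's tool. It assumes the passcode-policy payload keys from Apple's configuration profile reference (forcePIN, allowSimple, minLength, requireAlphanumeric, maxFailedAttempts, maxPINAgeInDays); the identifiers and display names are constructed placeholders.

```python
"""Passcode policy as a .mobileconfig property list: wipe after N failed
attempts, alphanumeric passcode of at least eight characters, rotation
every ninety days. Added example; the payload keys are assumed to follow
Apple's configuration profile reference, identifiers are placeholders."""

import plistlib
import uuid

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def passcode_policy(failed_attempts=3, min_length=8, max_age_days=90):
    """Build one passcode-policy payload; defaults are the post's recommended values."""
    if failed_attempts < 2:
        raise ValueError("fewer than two attempts wipes the device on a single typo")
    if min_length < 4:
        raise ValueError("shorter than the four-digit PIN this is meant to replace")
    return {
        "PayloadType": PASSCODE_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.netassassin.passcode",   # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                      # a passcode must be set at all
        "allowSimple": False,                  # no 1111 / 1234 style codes
        "requireAlphanumeric": True,           # at least one letter and one number
        "minLength": min_length,
        "maxFailedAttempts": failed_attempts,  # factory reset after this many
        "maxPINAgeInDays": max_age_days,       # forced rotation
    }


def build_profile(*payloads):
    """Wrap payloads in a top-level Configuration profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.netassassin.profile",   # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Lost-phone hardening",
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Read a profile back and check its passcode payload against the post's bar.

    Returns (payload, findings); an empty findings list means it passes."""
    profile = plistlib.loads(profile_bytes)
    payload = next((p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == PASSCODE_PAYLOAD), None)
    if payload is None:
        return None, ["no passcode policy payload present"]
    findings = []
    if not payload.get("forcePIN"):
        findings.append("passcode not required")
    if payload.get("allowSimple", True):
        findings.append("simple passcodes allowed")
    if not payload.get("requireAlphanumeric"):
        findings.append("numeric-only passcode allowed")
    if payload.get("minLength", 0) < 8:
        findings.append("minimum length below eight")
    if payload.get("maxFailedAttempts", 11) > 5:
        findings.append("too many failed attempts before wipe")
    age = payload.get("maxPINAgeInDays")
    if not age or age > 90:
        findings.append("no ninety-day rotation")
    return payload, findings


if __name__ == "__main__":
    blob = build_profile(passcode_policy())
    print(blob.decode())
    print(audit_profile(blob)[1] or "policy meets the bar")
```

Install the resulting file on the device the same way the tool does, and run audit_profile on any profile handed to you before trusting it.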

So back to the data that the phone has on it, especially now that I hinted at the MobileMe ability to tell you where your phone is located... did you think it did that with the GPS? No... it does that with the cell towers and WiFi that the phone can see at the time. The reason is quite clever: the phone may be in a building with no line of sight to the sky, so GPS won't work. The real hack: seeing if you can feed false data into that file and make your phone show that you were somewhere else entirely! (It won't hold up in court though; someone smart like me will subpoena the cell tower records.) Anyway... it's fun.

Okay, that's all for now.

0 Day, and other, predictions for 2011

Hello, and welcome to 2011. This is the second year of the second decade of the second millennium. Yet it is the first day of the first month of the eleventh year. I know! Craziness. (For those confused by "second" I offer you this advice from my high school chemistry teacher: "Don't treat zero as if it is nothing.")

So seeing as we just had a total eclipse of the moon, the date is all kinds of poetic and I have a head cold due to globe trotting over 100,000 miles in the last two months across hemispheres, seasons and whatnot to the point I am not even sure what time of year it is... let's begin!

Overall, I am predicting a lot of cool hardware hacking. Some of it for the awesome purposes of designing your own operating systems and tools for locked appliances, and others for just being clever and thus annoying to the rest of us.

Prediction:
This past year we have newfangled TVs and other appliances with direct-connect Ethernet, CPUs, and embedded operating systems. Prediction: some clever person will figure out how to DNS-spoof the update patch to my Samsung TV (for instance) and, after flashing the entire OS on the TV, will make it so I only ever see a YouTube streaming video of some adorable kitten doing something exponentially cute with its little paws. Good thing I can flash the TV using the USB port. (Oh, perhaps that will be how this is done then...)

I think it is far more likely that there will be a hack that prevents specific channels from being displayed. E.g. censorship done as a means of hacktivism. Either way, it will be interesting to see. No pun intended. I can't wait to see what happens with my dishwasher, HVAC thermostat, electric meter, refrigerator, etc.

Prediction:
DRM will be different, instead of being a means to try to prevent illegal copies it will instead be morphed into a system that allows one to use all the quickly emerging devices to watch and listen to licensed content on all your devices agnostically. Central rights management systems will go into effect like massive PKI architected CDN-driven masterpieces. It's a pipe dream, I mean I work to protect content. But really, there is no need to pirate in the enlightened world if we get to this point.

Prediction:
Cell phone OS exploitation will increase exponentially. Why not?! There are millions, tens of millions?, of these things out there, and what better way to show how cool and clever you can be. We have to be at the point where there are more cell phones than there are personal computers. And really, modern "phones" are almost all the personal computer one needs for almost all casual usage. Never did we see people (the average person) sit at a lunch table and type on their laptop. But EVERYONE does this with their phones... watch anyone, they can't go an hour or more without touching the things. The computer gaming industry will drive CPU and GPU (and thus battery) development in these devices the same way they did for the home PC market. Consumers will demand hand-held systems capable of more and more. And thus, we will see them being hacked. Perhaps entire botnets of phones using 3G and 4G connections when not on wifi. Stealing processor time on these devices, and of course the most obvious item... identity theft and spyware so big it will shadow anything we have seen with PCs. After all, phones are being used to process credit cards, work as debit systems directly to bank accounts, house all your IM, email and other text / video based conversations, etc. And maybe we will see the wisdom in Apple not supporting Flash at this point. Who knows!? But I bet it will be epic. I am keeping an old HTC smartphone I have running a Linux kernel just for when this happens.

Prediction:
Mobile apps will be used to hack corporate networks. With the growing popularity of smartphones, and the allowance to use them on corporate wifi networks, I foresee both worms that are initiated on the corporate infrastructure by a smartphone app, and the phone itself being used as a remote host on the network and thus a shell / host for a remote hacker.

Prediction:
Social network worms. Stalking to an entire new level. Half or more of the people out there make it too easy by "checking-in" to locations, listing who they are with, etc.

Prediction:
IPSEC and other VPNs will be infiltrated and virtual private networks will be compromised as a means to gain access to the ever more secure perimeter-controlled network. Private networks, which are far more expensive, will only go up in demand and cost. But I fully predict that more corporate and sensitive items will be moved off of the Internet over the next ten years.

Prediction:
Game console modifications! Why? Because they can. The private keys in the PS3 have just been found, and the sky is the limit when you have a multi CPU / core computer for cheap.

Prediction:
Sandboxing finds a home in computer gaming, starting with MMO games. I tried to push this one at EA five years ago. A bit ahead of the times really, and thanks to Google, Firefox and even IE (due in part to Microsoft's purchase of GreenBorder), this is a more acceptable practice. I also suspect Microsoft will incorporate it into Office tools soon as well. (E.g. the main purpose of GreenBorder.)

WikiLeaks... how security process failed

This is my eleven-foot pole because I said I wouldn't touch it with a ten foot pole I guess.

The issue: WikiLeaks posted documents that were stolen from the US Government.

The cause of the problem: Failure of security process, technology and controls at the US Government.

The result: We are doing one heck of a job not focusing on the real issue.

Let's review -

Pfc. Bradley Manning, presumably, provided WikiLeaks with classified diplomatic cables that he stole, much like he did with the "Afghan War Diary" and the "Collateral Murder" video. So for 14 hours a day, while in Iraq, this Private in the US Army had access (apparently quite unrestricted) to a vast amount of confidential data. Why a PFC needs access to diplomatic cables in the middle of a desert I have no idea, but it's not my call to make what he did and didn't need access to. Someone should have had that job though. He brought in CD-RW disks, with "Lady Gaga" written on them... which he then wiped, and split and compressed confidential data as CSV onto those disks. Um, why is there a CD-RW drive in a computer that has access to confidential information? Why are people allowed to bring any type of media into a secure area with confidential digital information? Again, there might be a reason and it isn't my job to review this... but someone has that job. And what's with the one-dimensional security? We just have a hardened perimeter and forget the other layers? I can think of several commercially available and inexpensive endpoint security solutions that would have either prevented this or given a bit of notice that something was amiss when over 1.6GB of data was being burned to a CD-RW drive by the same person over a period of time. I bet he wasn't allowed to bring bottled water onto an airplane though!

So if this were a SOX audit... we had no segregation of duties, no process for accounting of activity, and total failure to perform review and check for accessibility to critical data, nor an approval process for the creation of backups and copies, mandated encryption on said backups, lack of physical controls, etc. I think this would be a full-on failure. Surely, if this had been a publicly traded company with similar issues they would be sitting in front of Congress letting the CIO, CEO and CFO explain where they left their brains. But I digress...

Now he gets the data to WikiLeaks, who totally fail as well if you think of them as a group of journalists... which they are not. So, not being a group of journalists, they publish the data intentionally broken out to provide the best long-running impact on the news market. They burn every person who gave them data (again, not journalists), and put at risk the lives of countless people by not redacting names or other identifiers from these documents. To their credit, they did ask the US Government if they wanted to do this bit of work... but they should never, as fellow human beings, have posted such information that would put in jeopardy the lives of so many people and their families. Did they commit a crime? I have no idea, and there are people far smarter than I am that are looking into this. Be sure, if they didn't, there will be new laws that close this loophole. Whistleblower vs. treason... a fun discussion for the pub, but not one I will engage in on my blog.

The US Government issues orders to all its employees that they are not to review, download, or otherwise access the data, both at work and when away from work. They then take steps to block access to such sites from their own networks so people can't access the data while using US Government networks. Okay... so far, this sounds quite normal. If this were any other employer the part about what you can view while off from work would be asinine... but it is the USG, and people who work there are covered by employment agreements that carry criminal consequences, and they have all consented to this. So to the media, really... lay off, they all agreed before starting. And in that vein, if an employer blocks access to Internet content it does not believe needs to be accessed from inside the workplace, that too is quite normal. Stop reporting on dogs that bite men.

So the real news story, the one that hasn't gotten enough press is "how security process failed."

Compliance: If it's what you are doing all the time, you are wasting our time.

No one is saying you need to be an HD Moore or Jeremiah Grossman, but if all your resources and efforts are focused on compliance you are missing the point and wasting time. Even if you are spending 20% of your resources and efforts on compliance you are missing the big picture.

Security is about securing something. In most cases, it won't take much for you to identify that "something" at your place of employment. Maybe it's the network because you sell that, maybe it's the formula for making whatever it is you make. But thinking that the end-all be-all of security is that SOX compliance audit you have once a year means you are missing the intent of that audit.

You define what should be secured, how it should be, how you will check it, etc. Compliance audits simply validate you are following your own process. If you are spending your time fabricating methods to prove you are doing something then you are working too hard at looking busy, and not working very hard at all on your work.

Let's use a real-life example that doesn't involve security. You have some house guests coming in a week's time. You want the house to be in the best state for presentation. This means you want it clean, organized, and all the little projects you have in various stages to be complete by the time the guests arrive. Now, given this example, most people would realize it's time to get down to business and get things done. But this is how it works out in a compliance situation for most companies:

Get the vacuum, mop, broom, and various cleaning brushes and tools out and strategically place them around the house to give the perception that you are always cleaning.

Make sure everyone in the household knows what their jobs are. E.g. the kids know they are to get their rooms in order, the garage is a family project requiring all hands, the kitchen is the domain of the chef in the family, the long honey-do list of incomplete DIY projects is probably the husband's, etc. Document all of this.

Establish separation of duties. Your daughter shouldn't clean your son's room, and vice versa. (Actually, you might want to do this part... and add things like no wives in the garage, no husbands mucking about with craft equipment, etc. You can thank me later.) Oh yes, document this.

Okay, now also make sure you create a history of how often in the past you have cleaned. Document all of this too.

Great! We are ready for the audit, I mean visit. Your guests arrive... the carpets are dirty, but the vacuum is on display. The tile on the kitchen floor has a spill still on it, the mop is poised in the corner, but no one had documented who was supposed to clean the floor in such an event, or who should have been notified. The living room, because you forgot to review it, is a mess of sneakers, toys, and dirty dishes from last night's pizza and movie event. Your preparation could almost be considered flawless, but since that is all you did with your time... you failed miserably on execution.

So please, do us all a favor and clean your house...

BIND, all bound up again...

Vuln: ISC BIND 9 'RRSIG' Record Type Negative Cache Remote Denial of Service Vulnerability [Bugtraq]

More issues with BIND. Time to switch to DJBDNS? I did years ago. Something about only maintaining one simple flat file to do all my DNS and having it securely replicate to the secondary. KISS.

Chinese Cyber Army... shh! No talkie!

Wayne Huang, CTO of Armorize, an application security company with R&D operations in Taiwan, had his talk on the "Chinese Cyber Army" pulled from the upcoming BlackHat conference in Vegas. While everyone in Asia knows about these groups, right down to the style of training etc., I guess they didn't want to wake the Sleeping Giant, i.e. the majority of people in the US who have no clue what happens unless it is glamorized on the "news."

Geek-news feeds are abuzz with the pressure the Taiwanese Government put on Mr. Huang and his company to pull a talk that he has given, in similar format, many times in the past all throughout Asia. Was there some earth-shattering new nugget of information in this presentation, or did they simply not want it presented in the United States? For now, no one is talking.

I for one would like to see our universities start to teach classes and offer degrees in offensive computer security... e.g. "warfare" vs. the vanilla degrees in information assurance. We are a bit behind the times, but perhaps someone out there will change that. Maybe when I retire and get to teach full-time I can stand in front of my class wearing my tweed jacket with those cool leather patches on the elbows, chewing on my tobacco-absent pipe with my gray hair tossed about irreverently, and enlighten a few minds.

"Shall we play a game?"

"Love to, how about Global Thermonuclear Warfare..."
