Hack The Planet

Because if you don't, who will?

Friday, August 1, 2008

When patching isn’t enough

Security Engineers are in high demand and with the recent vulnerability found by Dan Kaminsky it is clear why there are just not enough of them out there. We can all patch our systems and keep them up to date with the latest hotfix or security update, but the bigger issue is that patches only come out after a vulnerability or issue is found. How do you prepare for the unpublished vulnerabilities and unknown attacks? The answer is to build your environment with security in mind from the ground up, not as an afterthought.

There are too many people who feel that security is an add-on or a nice-to-have, so they don’t design it into their environment. If more people would start with security in mind they would find that they had less risk and fewer incidents.

posted by holliday at 3:47 pm  

Wednesday, July 9, 2008

Ignore your rights and they will go away…

I am not a fan of bumper sticker wisdom but this sticker “Ignore your rights and they will go away” really hit home. With all of the news recently about Congress trying to push legislation that will let telecoms get away with illegally wiretapping the public for the government I thought it was a good time to post about our rights.

In America we have many rights. Some of these include our freedom of speech, our right to bear arms and our right to vote. Our rights are slipping away because We the People are not interested in knowing what our rights are or defending them when they get trampled.

How many Americans feel that voting is useless? I know many of my friends don’t plan on voting in the presidential election because they believe their vote doesn’t count. This is because there are no classes in school that teach kids how much their votes do count at every level of government.

There are American history classes in our public education curriculum but how many of them really teach what it means to be an American? I would guess none. I know that my American history class didn’t fill me in on it. This is all intentional. If we all become cattle we will all be easier to herd. Please take it upon yourselves to educate your friends and family as to what it means to be a citizen of America and why fighting for our rights and knowing what they are is our duty.

“If a nation expects to be ignorant and free, in a state of civilization, it expects what never was and never will be.” Thomas Jefferson

posted by holliday at 12:59 pm  

Tuesday, June 3, 2008

and now for our media…

Chinese hackers destroy Earth…or they cause mass blackouts…or it didn’t actually happen like that at all. The media is controlled by people that really want to make sure you hate the right people. For a long time it was Communists, then we went for a period without a common enemy, then it was terrorists (AKA Arabs), and when we figured out as a people that they weren’t the enemy, China became the target of our fear. Sadly the majority of Americans are not willing to inform themselves so they will go on thinking the Chinese are the new enemy when in fact, it was many other factors that had nothing to do with the Chinese.

posted by holliday at 6:04 pm  

Friday, May 23, 2008

This is what is wrong with America…

A buddy sent me this video of CSI NY knowing that it would break my brain. I don’t ask for much, just get a technical consultant if you don’t know what you are talking about.

posted by holliday at 9:42 am  

Friday, May 23, 2008

Where have they gone?

I have a horrible time breaking away to keep this updated so if my posts always seem 4 days late…well they are.

After doing a lot of research on the Phlashing attack that is being discussed I find it interesting that everyone discredits it not because it would not be wildly successful, but because there is no money in it. There is no more illusion as to what being a hacker is anymore. You are either paid by the mob/organized crime or you are working to stop those paid by the mob/organized crime.

There don’t seem to be a lot of mystery seekers out there anymore. People that would work all night to get something to work, or to find something new. No one wants to know about hacks or cracks that are not directly tied to the purse strings of whoever they report to. It feels dirty.

There needs to be a restart button on the internet.

posted by holliday at 6:43 am  

Monday, May 19, 2008

Old news is still news

This has been pretty publicly beaten to death but I just thought I would throw my thoughts in on the whole Debian SSL key issue. This is crazy. How does this not get noticed for as long as it has been out (any keys generated between 09/06 and 05/08)? Which makes me wonder how many people already knew about this and were using it without the community at large being aware of the problem?

I hate to be the one to ask but is this caused by open source testing? Are people more forgiving of faults in Linux so they overlook glaring defects? There doesn’t seem to be as much animosity as there would be if this were an issue in Windows. Maybe I am just more questioning now that I am running a MacBook and everywhere I go Mac folks are blaming everything but the MacBook. “It isn’t your Mac, it is that you want to run encryption. Just don’t use encryption.” Hello? McFly?

posted by holliday at 11:52 am  

Monday, May 19, 2008

Untraceable, or is it?

I just watched Untraceable with the wife the other night. It is the movie with Diane Lane where she plays an FBI cyber-crimes expert. The premise was a killer put up a website (killwithme.com) and the more hits the site got the faster the victim died. There was of course no way to track the killer via the internet because the killer was too intelligent. It is weird to me how often movies with very technical premises don’t really have a technical consultant to help make sure what the actors are saying makes sense. Also, if you show a character having a certain level of intelligence, don’t take that intelligence away from them at a later point when they could really use it. In the end, it was a good movie but you have to turn your brain off to accept some of it.

posted by holliday at 9:44 am  

Thursday, May 15, 2008

How long to sit on security?

Time and again I talk with people that have purchased security products but never implemented them. It seems like a lot of people have this idea that just purchasing security is half the battle. It is almost worse to do this than to not buy at all because then they get a false sense of security. It is like all of these people that are buying Macs but never update them or configure their firewall. There may be fewer attacks against Macs than there are for Windows but it just takes one successful attack to ruin your day and your credit. Security isn’t really an option in today’s hyper-connected world. The only way to be secure is to be aware of what is out there and be working to minimize your risk.

posted by holliday at 3:45 pm  

Sunday, May 4, 2008

Network Access Control and why you shouldn’t read blogs…

Reading blogs is about as useful as watching the Bill O’Reilly show. I know that writing about blogs being useless on a blog is silly. I think that gathering information and reading other people’s opinion isn’t necessarily always bad but how do you determine the credentials of the person whose opinion you are reading?

I was forwarded a link to a blog earlier today and after reading it I was pretty disappointed that NetworkWorld would have someone blogging on their site that obviously had only worked in a sales or marketing role. Not that there is anything wrong with sales or a marketing person but let’s be honest, they don’t necessarily know everything there is to know about actually implementing a solution.

This specific person is the same guy that in 2002 said that IDS/IPS was a failed and dead technology, then a year or so later goes and works for an IDS/IPS company. Obviously he is a man of vision. Anyway, it just made me think of how many people may read this person’s blog and get a very incorrect view of NAC and what it does and what it is capable of.

Be careful what you read because who knows who wrote it.

posted by holliday at 8:50 pm  

Thursday, May 1, 2008

On the Road again…Interop

I was out at Interop the last few days and I thought I would just throw a few of my impressions out into the ether.

There is something very disturbing about how rude people are when you try and talk to them. Not everyone at Interop was rude but there were some folks that were just straight up jerks. I know everyone working in a booth is just trying to do their job but aren’t we all there to inter-operate or what not? To communicate and show how we can work together?

It is similar at most shows I have been to. People working the booth don’t want to discuss what they are doing or even just how the current show is going. I stopped by the Foundry booth and the lady that greeted me turned into a stone cold bitch when she found out I was a partner and actually already used Foundry gear. That is the way to keep partners or keep me recommending your gear. Not that I have amazing say in what people purchase but I talk to a lot of folks and I make sure to mention other companies that have gear or software I like. Maybe the person buys, maybe they don’t but they have heard a positive reference to the company.

The issue is the people that are sent to shows. The company I went with sent the right people, a good mix of marketing, sales and engineers. I didn’t notice anyone at our booth blowing folks off or being like “You’re a vendor, go away!” The booth staff even lent some of our gear to other booths just because.

In contrast to the Foundry witch, the SolarWinds folks were great. I chatted with them for a bit and have a customer of mine looking into using them to monitor system utilization. Having a positive outlook on a company greatly increases my desire to recommend their product or even just work harder to make it work well with ours.

All in all Interop was a good show. I just think companies need to stop hiring folks to work the booths that A) aren’t really employees of the company and B) don’t have any idea what the company does.

posted by holliday at 10:18 am  