Tuesday, October 14, 2008

Spliced feed for Security Bloggers Network

Landing Netsecurify [GNUCITIZEN]

Posted: 14 Oct 2008 04:53 AM CDT

Another tool is out of the door. I am happy to announce the official launch of the Netsecurify GNUCITIZEN initiative. In this post I am planning to give a bit of an overview of the system and also to explain what we are aiming to do with it.


Netsecurify is part of GNUCITIZEN’s online security toolkit including tools such as Blogsecurify (Social Media Security) and Websecurify (Websecurity services, yet to be released)! The Netsecurify initiative was established to provide free network security services through our automated testing engine based on open source technologies.

The service is still in private-beta which means that we are only offering it for free to our friends, our clients and selected members of the public. We are also willing to open it for prime time use to organizations with low security budget, charity organizations and others who might be in need. Please, get in touch with us if you want to try it out.

As I mentioned earlier, Netsecurify is based on open source technologies and it does not differ much from the paid automated information security tests you get from respectable security companies. We have built a solid framework around these technologies which allows us to easily expand and produce even more quality results with minimum overhead. The engine is also designed to allow us to easily contribute back to the employed open source products and as such complete the circle of energy.

Why are we offering Netsecurify for free?

Because we can! Because it is noble. Because we want to change the world in our own way. Because we are still learning how to defeat limitations and control the perception. Because it hasn’t been done before to the extent we are planning to do it. And because we have a good business plan.

Netsecurify certainly costs something. This service consumes a lot of manpower, time and computational resources. Every single one of these components costs something. It all adds up. However, we believe that we can still do what we want to do with a little bit of help from you, our friends and of course our sponsors and advertisers.

The Netsecurify platform provides an ingenious, brand new form of advertising which interested companies and organizations can use to make the service better by providing additional value, to advertise and promote their services and products, etc. We believe that the platform is unique because we haven’t seen it implemented elsewhere. We also believe that our service provides one of the most targeted advertising technologies built so far.

For more information, please get in touch with us from our contact page. You can also read this excerpt over here, for more information regarding what you can do with the Netsecurify platform. Again, if you are interested in taking part in the trial period then just fill in the invite form or better yet, get in touch with us directly.

Is it almost April already? [StillSecure, After All These Years]

Posted: 14 Oct 2008 12:13 AM CDT

Hard to believe but we are already planning for the 3rd annual bloggers meet up at RSA Conference 2009.  The RSA Conference folks were nice enough to again give us our own blog to discuss the meet up. You can find it here. It's the usual suspects writing on the blog and planning the meet up.  If you don't want to be left out of what promises to be a great event, be sure to follow the instructions in the post on the blog.

Speaking of RSA and bloggers meet up, we also sent out an important email to the SBN members. Please respond as requested, time is running short. 

A horse's ass approach to virtualization security [Data-Centric Protection and Management]

Posted: 13 Oct 2008 08:52 PM CDT

The interest and excitement around virtualization is palpable. However, it seems like the security approaches in this area are similar to the constraints that a horse's ass put on the space shuttle design.

Virtualization security solutions today primarily focus on protecting the virtual OS, the virtual networks, or the hypervisor software itself. More specifically, most current virtualization security technologies are focused on preventing hypervisor rootkits, providing intrusion detection, anti-malware, anti-virus, network security, etc. In the physical world, this is similar to individually protecting hardware, operating systems, and the networks that connect them. That is, the focus is mainly on protecting infrastructure and perimeter, not data. Protecting that data, however, should be the single most important aspect of virtualization security.

Here is why: Any execution environment requires four elements: devices/hardware/OS, networks, applications, and data. With the advent of virtualization, physical devices/OS are being replaced by flexible, on-demand virtual "devices," networks are being virtualized and applications are being streamed down from virtual environments. Therefore, the only remaining "constant" element is the data itself - which also has a longer lifetime than the ephemeral virtual environment. While protecting the virtual infrastructure is important, I believe the primary focus for protection should be the data – the true IT asset.

Virtualization is a game-changer for computing and has forced the IT world to rethink its infrastructure; now virtualization security has to be rethought as well. An information-centric approach to persistently protecting the data itself is the only way to really benefit from virtualization and keep the data truly secure.

Or thinking about it another way - why was Google's approach to navigating the web using search better than the initial Yahoo approach of hierarchical mapping? Because Yahoo was mapping an old yellow-book approach to managing data, while Google took advantage of the new medium.

I shall try and elaborate on my thoughts in upcoming posts...

StillSecure SAT on the job [StillSecure, After All These Years]

Posted: 13 Oct 2008 08:28 PM CDT

One of the challenges of using open source components as part of the mix in our products at StillSecure is to show the value we add over "pure" open source.  This is especially true in our Strata Guard IDS/IPS, which uses a Snort engine. A question we always are asked is what about the Snort signatures.  Do we use the Sourcefire signatures?  Do we get them right away? Do we add any value over what Sourcefire does?

For many years I have spoken about the StillSecure Security Alert Team (SAT).  By the way, don't pronounce it S-A-T.  That is a test students take when applying to college.  SAT is how they like to call it.  Anyway, our SAT team is tasked with keeping all of the StillSecure products up to date against the latest threats and offering up to the minute protection.  It is a 24x7x365 operation.

It is a thankless job for the SAT team.  For the most part they work in obscurity.  In fact as long as the rule updates they write work and protect our customers, you don't hear about it. Usually only when something goes wrong, do you hear or focus on the SAT. 

When it comes to Snort signatures, we have always partnered with and supported some of the alternative Snort communities.  Communities such as Bleeding Edge and more recently Emerging Threats.  So it was gratifying to see Matt Jonkman at Emerging Threats call us out for contributing a bunch of Snort signatures this week.

Anyway, kudos to the usually anonymous folks on our StillSecure SAT team.  Keep up the great work guys!

PCI v1.2's Sneaky Omission [Branden Williams' Security Convergence Blog]

Posted: 13 Oct 2008 05:08 PM CDT

Look out merchants, there is a sneaky omission to PCI v1.2 that does not seem to be making any headlines, and I'm wondering if this will just fly under the radar until someone like me stands up and points it out. All the discussion thus far has been around Anti-Virus, Network Segmentation (or lack of a requirement for), WEP, and firewall rules having a six month review (vs. quarterly). But, does anyone remember this little tidbit from the PCI v1.1 when trying to determine the scope of a PCI Assessment?

Any data repositories outside of the authorization and settlement environment where more than 500 thousand account numbers are stored [are in scope].

I've heard that this little loophole has saved many merchants from fines simply because they were able to take some non-compliant processes and get them under this threshold. Don't get me wrong, merchants would be liable for a breach if those non-compliant processes were linked to a breach, but anything below this threshold would technically not be material enough to show up in a Report on Compliance generated by a QSA.

Well, that whole provision is GONE from PCI v1.2. This means that merchants and service providers (small service providers could get hit hard with this) will have to do a better job of 1) defining where their data is, and 2) making those repositories compliant as they could be subject to the review of a QSA. Based on my interaction with customers, I think this is one of the more significant (if not the most significant) changes in the standard that people should worry about.

What do you think?

If you are worried about it, don't forget to ask a VeriSign consultant about our Data Discovery service that can help you map out all of this data (and other non-PCI data) across your enterprise.
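The first of the two jobs above, finding out where the card data actually sits, is something a team can prototype before buying a discovery service. The Python below is an added example, not VeriSign's Data Discovery product or anything from this post: it scans text for digit runs of card-number length (13 to 19 digits, optionally split by spaces or dashes), keeps only those that pass the Luhn mod-10 check, and totals hits per repository so the stores that now fall under a QSA's review are visible at a glance. The repository names, records and card numbers are constructed for illustration; the two PANs are the widely published Visa and MasterCard test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most ticket numbers, timestamps and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (offset, masked PAN) for every Luhn-valid candidate in text."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.start(), mask(digits)))
    return hits


def count_by_repository(repos):
    """repos: {name: text}. Returns {name: number of PANs found}."""
    return {name: len(find_pans(text)) for name, text in repos.items()}


# Constructed sample data (hypothetical file names and records, not from any
# real system). The phone number, ticket number and the "not a card" line are
# there to show what the Luhn filter rejects.
SAMPLE_REPOS = {
    "orders_export.csv": (
        "order_id=100234 card=4111 1111 1111 1111 exp=12/09\n"
        "note: customer phone 1-800-555-0199, ticket 2008101300042\n"
        "legacy: 5500000000000004,JOHN DOE,2009-03\n"
        "not a card: 1234567890123456\n"
    ),
    "helpdesk_notes.txt": "Caller could not log in; reset done. Ref 44871.\n",
}

if __name__ == "__main__":
    for name, n in count_by_repository(SAMPLE_REPOS).items():
        print(f"{name}: {n} PAN(s)")
    for offset, pan in find_pans(SAMPLE_REPOS["orders_export.csv"]):
        print(f"  offset {offset}: {pan}")
```

The Luhn check is what keeps the false-positive rate bearable on real exports; a raw 16-digit regex would flag the "not a card" line and any long ticket or order number. Point `count_by_repository` at the contents of each database dump, share and mailbox store and the per-store totals are exactly the inventory the post says v1.2 now forces merchants to keep.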

I don't normally say this... [Carnal0wnage Blog]

Posted: 13 Oct 2008 04:37 PM CDT

But go feds!


"DarkMarket.ws, an online watering hole for thousands of identify thieves, hackers and credit card swindlers, has been secretly run by an FBI cybercrime agent for the last two years, until its voluntary shutdown earlier this month, according to documents unearthed by a German radio network."

Getting Down to the Business of P@55W0rd$ [ImperViews]

Posted: 13 Oct 2008 01:14 PM CDT

As the years move by, many researchers are trying to understand the magical mystery that is the End-User and, more specifically, End-User Passwords.

Most password cracking and brute-force techniques are pretty advanced as they use different elements to discover behavior, probable words, and dates that might be relevant to a user.  And there are also the famous rainbow tables ...But would these techniques ever work on a real-life system administrator of any type?

Let's face it, the real reason for getting behind the wheel and trying to discover a password is to access a privileged account such as a Root account or a Database account that will let you gain access to restricted systems and information.

A Stroke Of Data Security Brilliance [Liquidmatrix Security Digest]

Posted: 13 Oct 2008 12:15 PM CDT

I stumbled across this article this morning while combing through my RSS feeds. This author used a little bit of ingenuity when disposing of unwanted credit cards that were sent to them. Normally I, along with most folks, would cut up the cards and dispose of them in the trash at a couple of locations.

This person went that one step further.

From Parent Hacks:

We got new credit cards in the mail the other day, which necessitated disposing of the old cards. Normally, I cut up the card in several pieces so the card info cannot be retrieved by anyone looking to identity-thieve. Not only that, but I dispose of some of the card pieces in one trash can and the rest in another. Well, I looked into the bathroom trashcan, saw a discarded disposable diaper, and a light bulb went off. I opened up the diaper (don’t worry, it was only a wet one), dropped the credit card pieces in, and wrapped it back up.

It might make you squeamish, but I know I wouldn’t go looking for anyone’s personal data there.

Article Link

Security Briefing: October 13th [Liquidmatrix Security Digest]

Posted: 13 Oct 2008 10:34 AM CDT


Curious and curiouser, there is no news to speak of from DayCon - with the exception of Twitter news bursts. What happens at DayCon stays at DayCon, one surmises.


Good to see you back Dave, though the Digest is in good hands when you’re away. Really.

the Intern

And now, the news…

  1. 5 best Windows firewalls - Protect your privates!
  2. World Bank Hacked, Sensitive Data Exposed - What’s most shady is the Bank's response, more contradictory than a speech in the Rose Garden.
  3. AT&T kills pay as you go data pack for iPhone - Is anyone surprised by this? Pay as you go plans are going the way of T-Rex and his gang of bad ass homeys.
  4. Patch Tuesday aka Stock Dropper - No one will get rich from this, but it’s interesting nonetheless.
  5. The Partial Disclosure Debate - What to do, what to do?
  6. Asus Eee Box PC shipped with malware - Asus, oh Asus, growing pains suck.
  7. xkcd puts it all in perspective - I’d rather be a ninja…

EDITOR’S NOTE: Sometimes, copy and paste is a scary scary thing. Have a great Columbus Day everyone.

SecuraBit Episode 12 [SecuraBit]

Posted: 13 Oct 2008 10:21 AM CDT

Securabit Episode 12 - Anthony Gartner, Chris Mills, Chris Gerling
  • Chris G rides the Failbus with his FIOS connection
  • IT Jobs: No “Widespread Worry”
  • Air Force Cyber Command
  • Cracking one billion passwords per second with NVIDIA video card
  • BREAK
  • Chris G talks about running VMs in Vista Ultimate 64 bit
  • The guys discuss home networking: Soekris Box, Netgate m1n1wall firewall
  • 3E 2D3
  • AIG Executives Blow $440,000 After Getting Bailout
  • Password [...]

This posting includes an audio/video/photo media file: Download Now

Uninformed 10 Release [Donkey On A Waffle]

Posted: 13 Oct 2008 09:22 AM CDT

Uninformed V10 has been released. As always the content looks top notch. I suppose it might have something to do with the authors (*GRIN*). Congrats guys on another piece of excellent work.

Uninformed V10

Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS
Using dual-mappings to evade automated unpackers
Analyzing local privilege escalations in win32k
Exploiting Tomorrow's Internet Today: Penetration testing with IPv6

How is security affected by the Credit Crunch - Post 2 (of many) [Mike Davies: Online Identity and Trust in EMEA]

Posted: 13 Oct 2008 08:49 AM CDT

The markets are up today, that can only be good news, but it would be a fool that would say we have definitely turned the corner.

There seems to be a pattern that you can follow when we have major incidents like this:

1) Panic
2) Attempts at a solution which, either individually or combined, eventually work
3) Assessment of how things have changed and what we should be doing now

I think we are edging towards number 3 now.

And if that is the case, what has changed? Well firstly consumer trust in banking has been badly knocked. These great institutions don't quite seem as solid as they did 6 months ago.

And it is wider than that; this article from Computer Weekly highlights how consumers and employees are not happy with the measures taken by big business when protecting their identity:


As in banking, if you don't trust you don't do business.

So what should banks be doing? Well they need to regain the trust of their customers, and one way of doing that is demonstrating they take their consumers' security seriously, especially in the online space where confidence is already low.

I am not saying that this will cancel out all the mistrust that has been generated but building trust takes time and little steps can make a big difference.

What's up with Google Alerts? [StillSecure, After All These Years]

Posted: 13 Oct 2008 07:53 AM CDT

Something is up with Google Alerts.  I have alerts set up for a lot of key words around security technologies and companies.  This weekend I started receiving a whole bunch of alerts based upon news stories that were in some cases 2 years or more old. Does anyone know any reason for this?

[Chinese, translated] Yu Minhong's speech at the Peking University 2008 opening ceremony (俞敏洪在北大2008年开学典礼上的讲话) [Telecom,Security & P2P]

Posted: 12 Oct 2008 08:05 AM CDT

I also remember my mentor, Professor Li Funing, who was then head of the English Department at Peking University. When he taught us Volume 4 of New Concept English, his blackboard writing was always complete and always beautiful. He always started from the top-left corner of the board, and by the time the bell rang at the end of class he had just finished at the bottom-right corner. (Applause) I also remember my professor of English literary history, Professor Luo Jingguo. In my final year at Peking University I was in low spirits, and I failed an exam. I went to Professor Luo and said: "If I fail this course I cannot graduate." Professor Luo said: "I can give you a passing grade, but please remember: in the future you must accomplish something worthy of the grade I am giving you." (Applause) So it is the tolerance, learning, openness and freedom of Peking University's teachers that let us truly become Peking University students and truly absorb the Peking University spirit. When I heard that President Xu Zhihong had sung "Invisible Wings" to the students, I opened the video and was moved to tears, because I felt that this is exactly what the president of Peking University should be like. (Applause)

I remember having many frustrations at Peking University. First, my Mandarin was poor; second, my English was a complete mess. I got into Peking University only after three years of effort in the college entrance exam, because I failed twice, and on the last attempt I got in quite unexpectedly. I had never imagined that Peking University was a place I could attend; it was a sacred place in my heart that I felt I could never reach. But that year, the third time I sat the exam, my score was seven points above Peking University's admission line, and I finally made up my mind, gritted my teeth and wrote the four characters "Peking University" on the form. I knew many people would have higher scores than me, and I thought I would not be admitted. I never expected that Peking University's admissions officers would have such foresight that they anticipated where I would be thirty years later. (Applause) But in fact my English was very poor; in the countryside I could neither understand spoken English nor speak it, I could only memorize grammar and vocabulary. When our class was divided up, fifty students were split into three groups, and because my English exam score was good I was placed in Group A, but a month later I was moved to Group C. Group C was called the "pronunciation, intonation and listening impairment group". (Laughter)

I remember that when I was at Peking University, by the time I graduated in my fourth year my grades were still among the last few in the class. But by then I had developed a good attitude. I knew I could not compete with my classmates in intelligence, but I had one ability: sustained, unceasing effort. So at our class graduation ceremony I said something that my classmates still remember today. I said: "You have all achieved excellent results, and I am the laggard of our class. But I want to reassure you that I will never give up. What you accomplish in five years, I will do in ten; what you accomplish in ten years, I will do in twenty; what you accomplish in twenty years, I will do in forty." (Applause) I told them: "And if that really does not work, I will keep a cheerful mood and a healthy body, and after I turn eighty and have seen you all off, then I will go." (Laughter, applause)


ClickJacking - A Perspective Problem [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 12 Oct 2008 01:19 AM CDT

While ClickJacking is the latest apocalyptic threat in IT Security, I wanted to point out something yet again, as I did back when Dan Kaminsky reported his DNS flaw and it became cataclysmic for its 15 minutes of fame.

I've been reading interviews, insights, write-ups and blogs on ClickJacking and I've had so many discussions with some of you my head spins trying to remember it all but something I saw a couple of days (weeks maybe?) ago is staying with me so I looked it back up and wanted to briefly talk about it.

This quote from Jeremiah Grossman is disturbing.
"Recently we [Grossman & RSnake] were told that it's been known by the browser vendors since 2002." [CGI Security interview, 10/5/08]

Why is this disturbing, do you ask? Think about it. If this statement isn't stretching the truth (and I haven't found Jeremiah to be a sensationalist) then this has been an open, the-sky-is-falling-drop-everything issue for ~6 years. Not 6 days or months, but YEARS. So the question we have to ask ourselves [but already know the answer to] is why in the world is it still an issue in 2008?

I'd love to know a few things:
  • Why did we [security professionals] not freak out about this in 2002?
  • Why haven't IE7+ and Firefox (at least?) resolved this issue dead?
  • Why hasn't the standards body [the W3] taken this up as a standards issue?
The answer is simple, so painfully simple. Functionality wins over "vulnerability" every time.

Now, if you'll excuse me I'm going to go cancel my Internet connection, put a sledge-hammer to my computers and walk around aimlessly.

EDIT: Sun. Oct 12, 2:02pm CDT

I just read Jeremiah's comment, and then started reading the link he posted to the Bugzilla post on the bug Jesse Ruderman posted first in 2002, and Robert O'Callahan's (from Mozilla) continued stance against his views. I think it is important for everyone interested in security to read that thread to really understand what we [security professionals] are up against in the world of technology. Understandably, functionality has always been, and will always be, the antithesis of security.

There is a much, much deeper conversation to be had here. If any of you are going to InfoSec World in Orlando in March, I'd like to get a "thought group" on this topic together. Email me directly and we'll put it together. I'm not saying we're going to solve anything - but maybe come up with a better way to think this through as a community.

Verizon Punts On Data Security [Liquidmatrix Security Digest]

Posted: 11 Oct 2008 11:07 AM CDT

When it rains…

From Network World:

This should be a vendor’s first rule when inviting 1,200 IT pros to a seminar about securing data and protecting personal information: Make sure you protect the personal information of the 1,200 professionals you’re trying to impress.

How did Verizon do in that regard on Tuesday? They failed miserably … and not just once.

David Williams, technology coordinator for a Texas school district, alerted me to the situation because he had read my recent post — “Run-amok Verizon robo-caller torments 1,400 customers” — which recounted the nine phone calls in 24 hours that were received at my house last month.

So what, you may ask, did they punt on? Well, they sent out numerous spam emails to the attendees in advance of the seminar with all of their email addresses in the…

…wait for it…

“To:” field.

I shit you not.

Then some more fun from the article,

Verizon again: “We (are) having issues with our (Microsoft) Exchange server and I am working with our help desk to correct the problem. I apologize for the inconvenience.”

Verizon’s “Secure the Information” lecture series includes a segment called, “Are you prepared for data loss?”

So, Exchange was responsible for the email addys in the “To:” field?

Er, no. That would be the duplicates, but it does give the impression that they are trying to duck the whoops by invoking the spectre of an errant mail server. I would assume that Verizon staffers will be attending their own seminar en masse then?

Oh, and just to flog the dead horse once again…one installment in the series is called, “Are you prepared for data loss?”

Um, yeah, FAIL.

Article Link
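The failure the article describes, every attendee's address in the To: field, is a mail-merge bug that a few lines of checking catch before anything leaves the building. The Python below is an added example, not Verizon's code or anything from the Network World piece: it builds the leaky single message beside the per-recipient version and runs a check that flags any outgoing message whose To:/Cc: headers would reveal more than one address. The sender and attendee addresses are constructed.

```python
from email.message import EmailMessage

# Constructed attendee list (hypothetical addresses).
ATTENDEES = ["alice@example.org", "bob@example.net", "carol@example.com"]


def leaky_invite(sender, recipients, subject, body):
    """The pattern in the article: one message, everyone in To:, so every
    attendee receives every other attendee's address."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def per_recipient_invites(sender, recipients, subject, body):
    """One message per recipient; To: carries only that person's own address."""
    out = []
    for addr in recipients:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = addr
        msg["Subject"] = subject
        msg.set_content(body)
        out.append(msg)
    return out


def visible_recipients(msg):
    """Addresses any recipient of msg can read off its To: and Cc: headers.
    Bcc is deliberately excluded: a correct MTA client strips it before send."""
    seen = set()
    for name in ("To", "Cc"):
        hdr = msg.get(name)
        if hdr is None:
            continue
        for a in hdr.addresses:
            seen.add(a.addr_spec.lower())
    return seen


def disclosure_check(msgs, limit=1):
    """Return the messages that would expose more than `limit` addresses.
    Run this over the outgoing queue; an empty result means nothing leaks."""
    return [m for m in msgs if len(visible_recipients(m)) > limit]


if __name__ == "__main__":
    sender = "events@example.com"
    bad = leaky_invite(sender, ATTENDEES, "Secure the Information", "See you Tuesday.")
    good = per_recipient_invites(sender, ATTENDEES, "Secure the Information", "See you Tuesday.")
    print("leaky message exposes:", sorted(visible_recipients(bad)))
    print("flagged (leaky):", len(disclosure_check([bad])))
    print("flagged (per-recipient):", len(disclosure_check(good)))
```

If a single message is preferred, put the list in Bcc instead: smtplib's `send_message` removes Bcc before handing the message to the server, so it never reaches the recipients. The check above is still worth running over whatever actually goes out, because the leak in the article was not in the mail server at all.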

Gmail Gets A Breathalyzer [Liquidmatrix Security Digest]

Posted: 11 Oct 2008 10:25 AM CDT

This great posting showed up on Ars Technica a couple days ago. Mail Goggles is an add-on that is designed to save you from yourself should you find yourself in front of a computer at 3 am and decide, via fuzzy wobbly brown pop logic, that now would be a great time to answer emails. This add-on for gmail will do a WORLD of good for some of my friends.

From Ars Technica:

How many times have you stumbled home after a long night out with friends, only to plop down in front of the computer and start sending e-mails that you would wake up regretting the next day? OK, maybe some of our older readers in the crowd have never moved beyond “drunk dialing,” but many of us are probably more familiar with the embarrassing phenomenon, a technological evolution of the drunk dial.

This is a great tool because before you can send out emails in an altered state you have to tackle some mental gymnastics.

If you have Mail Goggles installed—which you can do by going to the “Labs” tab under your Gmail settings and turning them on—it will force you to answer a series of math questions before sending out any new messages.

Bloody brilliant.

Thankfully those days are behind me now.

‘Mafiaboy’ Writes A Book. And I Don’t Care. [Liquidmatrix Security Digest]

Posted: 11 Oct 2008 09:53 AM CDT

Seriously, does anyone care about this bit of news? I missed this when it hit the wire, but thanks to Serge for forwarding me the link.

Now, “Infamous Canadian hacker ‘Mafiaboy’ breaks silence with book release” is a title that I have a problem with. He was a 15-year-old kid playing with a DoS. The major difference between this kid (at the time) and anyone else launching a denial of service was one of two things. 1) He was bereft of the intelligence that said “hey, bad idea” and/or 2) Far too mentally challenged to not get caught. I hardly consider a DoS ‘hacking’ so much as a giant nuisance. Sure, the instigator can offline a system for a while and cost the target money, but it is by no means indefinite. When you really boil it down it is a pointless endeavour.

From Canada.com

In Mafiaboy: How I Cracked the Internet and Why It’s Still Broken, the hacker, now 23, explains that he was not a computer whiz kid but that he quickly gained knowledge of computers and got to know other young hackers.

“After spending years trying to learn everything about how my PC worked, and enjoying every second of learning DOS commands and other technical information, I felt a strange kinship with these nameless, faceless programmers and online rebels,” he writes in an excerpt made available by the publisher. “How did they create these programs? How many more of them were out there? How could I learn to write programs? To me, they were the coolest kids in cyberspace. I wanted to hang with them. I wanted to be a hacker.”

I’m sorry but, could someone grab a mop and bucket?

My head just exploded.

Article Link

Say It Ain’t So Sarah! “People Who Live In Glass Houses Shouldn’t Throw Stones, You Betcha” [Vincent Arnold]

Posted: 10 Oct 2008 10:08 PM CDT

Panel: Palin abused power in trooper case

ANCHORAGE, Alaska (CNN) — Republican vice presidential nominee Sarah Palin abused her power as Alaska’s governor and violated state ethics law by trying to get her ex-brother-in-law fired from the state police, a state investigator’s report concluded Friday.

“Gov. Palin knowingly permitted a situation to continue where impermissible pressure was placed on several subordinates in order to advance a personal agenda,” the report states.

Public Safety Commissioner Walt Monegan’s refusal to fire State Trooper Mike Wooten from the state police force was “likely a contributing factor” to Monegan’s July dismissal, but Palin had the authority as governor to fire him, the report by former Anchorage prosecutor Stephen Branchflower states.


SecTor 2008 Pics [Liquidmatrix Security Digest]

Posted: 10 Oct 2008 08:05 PM CDT

This week was a wild ride. The culmination of a great deal of work from a diligent group came to a head with the second annual SecTor conference. Based on the feedback that I got from attendees, it rawked.

The morning crowd was quite something on day one for the sessions. I have to tell you I was quite pleased with the turnout. I should note that due to my limited time this year I was only able to snap a few pics. James had the camera clicking away so I would imagine that we’ll see some postings from him.

I was pleased to sport my “staff” badge for the limited time I was actually able to attend this year. Sadly, I did not, er, plan well for the conference from a personal perspective. Next year I’ll make sure that I book the time off.

The lunch hour panel session was an interesting affair. Chris Hoff set the tone of the panel and fell on his sword as the token American in the process. I was very happy to see him showing off the tats and jeans. The number of suits on the stage was a little disconcerting. But, what are you gonna do?

I’m really pleased with the feedback that I’ve received from speakers and attendees alike. I’m sorry that I didn’t get to meet a bunch of people that were there. But, glad to see everyone who made it out. I’m hoping that I’ll be able to continue with SecTor to help it grow for next year. Oh yeah, and book the damn time off.

As if I wasn’t run ragged enough already, I managed to squeeze in a gig with the boys last Saturday night at the Pilot in Toronto.

And miles to go…

OWASP APPSEC 2008 Conference Videos Online [Carnal0wnage Blog]

Posted: 10 Oct 2008 05:54 PM CDT

OWASP APPSEC 2008 Conference Videos are online


Closing thoughts for a Friday [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 10 Oct 2008 04:47 PM CDT

Hey folks - just some closing thoughts for a Friday. Hope everyone's had a decent week, and by now you've got a cold one in hand. Here are some thoughts I had as this week tails off into another weekend.
  1. Has anyone paid attention to the sheer stupidity of public services lately with regard to data loss/theft? I mean, seriously! I have a Google Alerts "as it happens" notification set up for "security breach" +data and if you haven't paid attention there have been an absolutely stupefyingly overwhelming number of data breaches that involve our government or its entities in some way. Foreign governments, schools, social services - all losing laptops, getting hacked, and the toll is mounting. Last count we're somewhere in the 2MM+ records lost in the past few weeks. When will the carnage stop? (More on this in a future post as I have some serious research to do. If you'd like to help, ping me directly.)
  2. Cloud computing... so I was talking to a colleague and friend over at PureWire, and he is absolutely religiously convinced that in a short period of time (and I quote) ... "Everyone will be doing it [in-the-cloud security], it's inevitable". I tend to disagree; in fact, I think "In the Cloud" security is a bit of a scary proposition - but I'm hoping to have a 20-questions type of interview posted here on this blog with the folks that are running the gears over at PureWire.
  3. I'm finally going to get around to posting that interview I did with a "semi-ethical DarkSEO dude" in the next few weeks when things settle down at the ranch a little. It's been sitting on my desktop, and everyone's been killing me to publish it - problem is - it's huge (10+ pages of good info, I think). Does anyone know where I can post it? I'll post part of the interview to the blog here as a teaser, and the rest to a site somewhere, as a PDF/paper. Your suggestions are welcome.
