Tuesday, October 14, 2008

Spliced feed for Security Bloggers Network

Landing Netsecurify [GNUCITIZEN]

Posted: 14 Oct 2008 04:53 AM CDT

Another tool is out of the door. I am happy to announce the official launch of the Netsecurify GNUCITIZEN initiative. In this post I am planning to give a bit of an overview of the system and also to explain what we are aiming to do with it.

Netsecurify

Netsecurify is part of GNUCITIZEN’s online security toolkit including tools such as Blogsecurify (Social Media Security) and Websecurify (Websecurity services, yet to be released)! The Netsecurify initiative was established to provide free network security services through our automated testing engine based on open source technologies.

The service is still in private-beta which means that we are only offering it for free to our friends, our clients and selected members of the public. We are also willing to open it for prime time use to organizations with low security budget, charity organizations and others who might be in need. Please, get in touch with us if you want to try it out.

As I mentioned earlier, Netsecurify is based on open source technologies and it does not differ much from the paid automated information security tests you get from respectable security companies. We have built a solid framework around these technologies which allows us to easily expand and produce even more quality results with minimum overhead. The engine is also designed to allow us to easily contribute back to the open source products we employ and, as such, complete the circle of energy.

Why are we offering Netsecurify for free?

Because we can! Because it is noble. Because we want to change the world in our own way. Because we are still learning how to defeat limitations and control perception. Because it hasn't been done before to the extent we are planning to do it. And because we have a good business plan.

Netsecurify certainly costs something. This service consumes a lot of manpower, time and computational resources. Every single one of these components costs something. It all adds up. However, we believe that we can still do what we want to do with a little bit of help from you, our friends and of course our sponsors and advertisers.

The Netsecurify platform provides an ingenious, brand-new form of advertising which interested companies and organizations can use to make the service better by providing additional value, to advertise and promote their services and products, etc. We believe that the platform is unique because we haven't seen it implemented elsewhere. We also believe that our service provides one of the most targeted advertising technologies built so far.

For more information, please get in touch with us via our contact page. You can also read this excerpt over here for more information regarding what you can do with the Netsecurify platform. Again, if you are interested in taking part in the trial period then just fill in the invite form or, better yet, get in touch with us directly.


Is it almost April already? [StillSecure, After All These Years]

Posted: 14 Oct 2008 12:13 AM CDT

Hard to believe but we are already planning for the 3rd annual bloggers meet up at RSA Conference 2009. The RSA Conference folks were nice enough to again give us our own blog to discuss the meet up. You can find it here. It's the usual suspects writing on the blog and planning the meet up. If you don't want to be left out of what promises to be a great event, be sure to follow the instructions in the post on the blog.

Speaking of RSA and bloggers meet up, we also sent out an important email to the SBN members. Please respond as requested, time is running short. 

A horse's ass approach to virtualization security [Data-Centric Protection and Management]

Posted: 13 Oct 2008 08:52 PM CDT

The interest and excitement around virtualization is palpable. However, it seems like the security approaches in this area are similar to the constraints that a horse's ass puts on the space shuttle design.

Virtualization security solutions today primarily focus on protecting the virtual OS, the virtual networks, or the hypervisor software itself. More specifically, most current virtualization security technologies are focused on preventing hypervisor rootkits, providing intrusion detection, anti-malware, anti-virus, network security, etc. In the physical world, this is similar to individually protecting hardware, operating systems, and the networks that connect them. That is, the focus is mainly on protecting infrastructure and perimeter, not data. Protecting that data, however, should be the single most important aspect of virtualization security.

Here is why: Any execution environment requires four elements: devices/hardware/OS, networks, applications, and data. With the advent of virtualization, physical devices/OS are being replaced by flexible, on-demand virtual "devices," networks are being virtualized and applications are being streamed down from virtual environments. Therefore, the only remaining "constant" element is the data itself - which also has a longer lifetime than the ephemeral virtual environment. While protecting the virtual infrastructure is important, I believe the primary focus for protection should be the data – the true IT asset.

Virtualization is a game-changer for computing and has forced the IT world to rethink its infrastructure; now virtualization security has to be rethought as well. An information-centric approach to persistently protecting the data itself is the only way to really benefit from virtualization and keep the data truly secure.

Or thinking about it another way - why was Google's approach to navigate the web using search better than the initial Yahoo approach of hierarchical mapping? Coz Yahoo was mapping an old yellow-book approach to managing data, while Google took advantage of the new medium.

I shall try and elaborate on my thoughts in upcoming posts...

StillSecure SAT on the job [StillSecure, After All These Years]

Posted: 13 Oct 2008 08:28 PM CDT

One of the challenges of using open source components as part of the mix in our products at StillSecure is to show the value we add over "pure" open source. This is especially true in our Strata Guard IDS/IPS, which uses a Snort engine. A question we are always asked is about the Snort signatures. Do we use the Sourcefire signatures? Do we get them right away? Do we add any value over what Sourcefire does?

For many years I have spoken about the StillSecure Security Alert Team (SAT). By the way, don't pronounce it S-A-T. That is a test students take when applying to college. SAT is what they like to call it. Anyway, our SAT team is tasked with keeping all of the StillSecure products up to date against the latest threats and offering up-to-the-minute protection. It is a 24x7x365 operation.

It is a thankless job for the SAT team. For the most part they work in obscurity. In fact, as long as the rule updates they write work and protect our customers, you don't hear about it. Usually it is only when something goes wrong that you hear about or focus on the SAT.

When it comes to Snort signatures, we have always partnered with and supported some of the alternative Snort communities. Communities such as Bleeding Edge and, more recently, Emerging Threats. So it was gratifying to see Matt Jonkman at Emerging Threats call us out for contributing a bunch of Snort signatures this week.

Anyway, kudos to the usually anonymous folks on our StillSecure SAT team.  Keep up the great work guys!

PCI v1.2's Sneaky Omission [Branden Williams' Security Convergence Blog]

Posted: 13 Oct 2008 05:08 PM CDT

Look out merchants, there is a sneaky omission to PCI v1.2 that does not seem to be making any headlines, and I'm wondering if this will just fly under the radar until someone like me stands up and points it out. All the discussion thus far has been around Anti-Virus, Network Segmentation (or lack of a requirement for), WEP, and firewall rules having a six month review (vs. quarterly). But, does anyone remember this little tidbit from the PCI v1.1 when trying to determine the scope of a PCI Assessment?

Any data repositories outside of the authorization and settlement environment where more than 500 thousand account numbers are stored [are in scope].

I've heard that this little loophole has saved many merchants from fines simply because they were able to take some non-compliant processes and get them under this threshold. Don't get me wrong, merchants would be liable for a breach if those non-compliant processes were linked to a breach, but anything below this threshold would technically not be material enough to show up in a Report on Compliance generated by a QSA.

Well, that whole provision is GONE from PCI v1.2. This means that merchants and service providers (small service providers could get hit hard with this) will have to do a better job of 1) defining where their data is, and 2) making those repositories compliant as they could be subject to the review of a QSA. Based on my interaction with customers, I think this is one of the more significant (if not the most significant) changes in the standard that people should worry about.

What do you think?

If you are worried about it, don't forget to ask a VeriSign consultant about our Data Discovery service that can help you map out all of this data (and other non-PCI data) across your enterprise.
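The scoping point above, that merchants first have to find out where cardholder data actually lives, is what a data discovery pass automates. The following is an added example, not Branden Williams' or VeriSign's code: a minimal PAN discovery scan that picks out digit runs, normalises separators, checks issuer prefix and length, keeps only candidates that pass the Luhn check, and reports them masked so the report itself does not become another repository. The sample "files" and their contents are constructed for the example; the card-like numbers in them are the well-known public brand test numbers, not real accounts.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "files" standing in for data found in a merchant's environment.
# The numbers that validate are public brand test PANs, not real accounts.
SAMPLE_FILES: Dict[str, str] = {
    "exports/refunds_2008q3.csv": (
        "order,amount,pan\n"
        "1001,19.99,4111111111111111\n"
        "1002,5.00,4111-1111-1111-1112\n"    # last digit wrong: fails Luhn
        "1003,42.00,5500 0000 0000 0004\n"
    ),
    "logs/app.log": "2008-10-13 12:01:02 order=1004 pan=378282246310005 ok\n",
    "docs/readme.txt": "Serial number 1234567890123456 is not a card.\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check-digit test that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits: str) -> str:
    """Coarse issuer check on prefix and length; extend the table for other brands.
    Returns an empty string when nothing matches."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if digits[:2] in {"51", "52", "53", "54", "55"} and n == 16:
        return "mastercard"
    if digits[:2] in {"34", "37"} and n == 15:
        return "amex"
    return ""


def mask(digits: str) -> str:
    """Keep the first six and last four digits, as a PCI report may."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Return (masked PAN, brand) for every candidate in text that survives all checks."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        b = brand(digits)
        if b and luhn_ok(digits):
            hits.append((mask(digits), b))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each path that contains card data to its masked hits; clean files are omitted."""
    report = {}
    for path, content in files.items():
        hits = find_pans(content)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for masked, b in hits:
            print(f"{path}: {b} {masked}")
```

The Luhn check alone is not proof of a PAN (one in ten random digit strings passes it), which is why the prefix and length test is applied as well; the 16-digit "serial number" in the readme is rejected on prefix before Luhn is even consulted. In a real scan the same logic runs over database columns and backups, not just flat files, and the hit list goes straight into the scoping exercise the post describes.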

I don't normally say this... [Carnal0wnage Blog]

Posted: 13 Oct 2008 04:37 PM CDT

But go feds!

http://blog.wired.com/27bstroke6/2008/10/darkmarket-post.html

"DarkMarket.ws, an online watering hole for thousands of identify thieves, hackers and credit card swindlers, has been secretly run by an FBI cybercrime agent for the last two years, until its voluntary shutdown earlier this month, according to documents unearthed by a German radio network."

Getting Down to the Business of P@55W0rd$ [ImperViews]

Posted: 13 Oct 2008 01:14 PM CDT

As the years move by, many researchers are trying to understand the magical mystery that is the End-User and, more specifically, End-User Passwords.

Most password cracking and brute-force techniques are pretty advanced, as they use different elements to discover behavior, probable words, and dates that might be relevant to a user. And there are also the famous rainbow tables... But would these techniques ever work on a real-life system administrator of any type?

Let's face it, the real reason for getting behind the wheel and trying to discover a password is to access a privileged account such as a root account or a database account that will let you gain access to restricted systems and information.
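The targeted guessing the post describes, building candidates from words and dates relevant to the user rather than from a generic wordlist, is easy to sketch. The following is an added example and not Imperva's code. It uses a constructed profile (the company, pet and role words and the years an attacker might gather about an administrator) plus a few mangling rules, and runs the candidates against a salted SHA-256 hash of a made-up password. The salt is there on purpose: it is what makes precomputed rainbow tables useless, so each guess has to be hashed live, but it does nothing against the targeted candidate list itself.

```python
import hashlib
import itertools
from typing import Iterable, Iterator, Optional, Tuple

# Constructed "profile" of the target administrator: company, pet, role, and
# years that might matter (birth year, hire year, current year).
PROFILE_WORDS = ["imperva", "rex", "dba"]
PROFILE_YEARS = ["1975", "2007", "2008"]

LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "2008", "08"]


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256, standing in for a real password hash.
    The salt defeats rainbow tables; it does not slow down a live guess."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def word_variants(word: str) -> Iterator[str]:
    """Case and leet-speak mutations of one profile word, in a fixed order."""
    seen = set()
    for v in (word.lower(), word.capitalize(), word.upper(),
              word.lower().translate(LEET), word.capitalize().translate(LEET)):
        if v not in seen:
            seen.add(v)
            yield v


def candidates(words: Iterable[str], years: Iterable[str]) -> Iterator[str]:
    """Targeted candidate list: each word with common suffixes and years, then word pairs."""
    words = list(words)
    years = list(years)
    for w in words:
        for v in word_variants(w):
            for s in SUFFIXES:
                yield v + s
            for y in years:
                yield v + y
                yield v + y + "!"
    for a, b in itertools.permutations(words, 2):
        yield a.lower() + b.lower()
        yield a.capitalize() + b.capitalize()


def crack(target_hash: str, salt: str,
          words: Iterable[str], years: Iterable[str]) -> Tuple[Optional[str], int]:
    """Return (password, guesses made), or (None, guesses made) when the list is exhausted."""
    tried = 0
    for guess in candidates(words, years):
        tried += 1
        if hash_password(salt, guess) == target_hash:
            return guess, tried
    return None, tried


# Constructed target: the admin picked pet + birth year + symbol.
SALT = "5f3a9c"
TARGET_HASH = hash_password(SALT, "Rex1975!")

if __name__ == "__main__":
    pw, n = crack(TARGET_HASH, SALT, PROFILE_WORDS, PROFILE_YEARS)
    print(f"recovered {pw!r} after {n} guesses")
```

Under two hundred guesses cover this profile, which is the point the post is making: a privileged account whose holder follows a predictable pattern falls to a tiny targeted list long before any brute force or rainbow table is needed. Against a password built from nothing in the profile the same run exhausts the list and returns None.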

A Stroke Of Data Security Brilliance [Liquidmatrix Security Digest]

Posted: 13 Oct 2008 12:15 PM CDT

I stumbled across this article this morning while combing through my RSS feeds. The author used a little bit of ingenuity when disposing of unwanted credit cards that were sent to them. Normally I, along with most folks, would cut up the cards and dispose of them in the trash at a couple of locations.

This person went that one step further.

From Parent Hacks:

We got new credit cards in the mail the other day, which necessitated disposing of the old cards. Normally, I cut up the card in several pieces so the card info cannot be retrieved by anyone looking to identity-thieve. Not only that, but I dispose of some of the card pieces in one trash can and the rest in another. Well, I looked into the bathroom trashcan, saw a discarded disposable diaper, and a light bulb went off. I opened up the diaper (don’t worry, it was only a wet one), dropped the credit card pieces in, and wrapped it back up.

It might make you squeamish but, I know I wouldn’t go looking for anyone’s personal data there.

Article Link

Security Briefing: October 13th [Liquidmatrix Security Digest]

Posted: 13 Oct 2008 10:34 AM CDT

Curious and curiouser, there is no news to speak of from DayCon - with the exception of Twitter news bursts. What happens at DayCon stays at DayCon, one surmises.

REDACTED COMMENTARY RELATED TO CIGARS AND BLUE DRESSES.

Good to see you back Dave, though the Digest is in good hands when you’re away. Really.

Signed,
the Intern

And now, the news…

  1. 5 best Windows firewalls - Protect your privates!
  2. World Bank Hacked, Sensitive Data Exposed - What’s most shady is the Bank’s response, more contradictory than a speech in the Rose Garden.
  3. AT&T kills pay as you go data pack for iPhone - Is anyone surprised by this? Pay as you go plans are going the way of T-Rex and his gang of bad ass homeys.
  4. Patch Tuesday aka Stock Dropper - No one will get rich from this, but it’s interesting nonetheless.
  5. The Partial Disclosure Debate - What to do, what to do?
  6. Asus Eee Box PC shipped with malware - Asus, oh Asus, growing pains suck.
  7. xkcd puts it all in perspective - I’d rather be a ninja…

EDITOR’S NOTE: Sometimes, copy and paste is a scary scary thing. Have a great Columbus Day everyone.

SecuraBit Episode 12 [SecuraBit]

Posted: 13 Oct 2008 10:21 AM CDT

Securabit Episode 12 with Anthony Gartner, Chris Mills and Chris Gerling.

Chris G rides the Failbus with his FIOS connection
IT Jobs: No “Widespread Worry”
Air Force Cyber Command
Cracking one billion passwords per second with NVIDIA video card
BREAK
Chris G talks about running VM’s in Vista Ultimate 64 bit
The guys discuss home networking
Soekris Box
Netgate m1n1wall firewall 3E 2D3
AIG Executives Blow $440,000 After Getting Bailout
Password [...]

Uninformed 10 Release [Donkey On A Waffle]

Posted: 13 Oct 2008 09:22 AM CDT

Uninformed V10 has been released. As always the content looks top notch. I suppose it might have something to do with the authors (*GRIN*). Congrats guys on another piece of excellent work.

Uninformed V10

Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS
Using dual-mappings to evade automated unpackers
Analyzing local privilege escalations in win32k
Exploiting Tomorrow's Internet Today: Penetration testing with IPv6

How is security affected by the Credit Crunch - Post 2 (of many) [Mike Davies: Online Identity and Trust in EMEA]

Posted: 13 Oct 2008 08:49 AM CDT

The markets are up today, which can only be good news, but it would be a fool who would say we have definitely turned the corner.

There seems to be a pattern that you can follow when we have major incidents like this:

1) Panic
2) Attempts at a solution which (either individually or combined) eventually work
3) Assessment of how things have changed and what we should be doing now

I think we are edging towards number 3 now.

And if that is the case, what has changed? Well firstly consumer trust in banking has been badly knocked. These great institutions don't quite seem as solid as they did 6 months ago.

And it is wider than that; this article from Computer Weekly highlights how consumers and employees are not happy with the measures taken by big business when protecting their identity:

http://www.computerweekly.com/Articles/2008/10/10/232612/fraud-survey-highlights-business-security-failures.htm

As in banking, if you don't trust you don't do business.

So what should banks be doing? Well, they need to regain the trust of their customers, and one way of doing that is demonstrating they take their customers' security seriously, especially in the online space where confidence is already low.

I am not saying that this will cancel out all the mistrust that has been generated but building trust takes time and little steps can make a big difference.

What's up with Google Alerts? [StillSecure, After All These Years]

Posted: 13 Oct 2008 07:53 AM CDT

Something is up with Google Alerts.  I have alerts set up for a lot of key words around security technologies and companies.  This weekend I started receiving a whole bunch of alerts based upon news stories that were in some cases 2 years or more old. Does anyone know any reason for this?

[Chinese] Yu Minhong's Speech at Peking University's 2008 Opening Ceremony [Telecom,Security & P2P]

Posted: 12 Oct 2008 08:05 AM CDT

Yu Minhong really is a famous figure in Zhongguancun. In fact, not just in Zhongguancun: in the nationwide wave of students preparing for the TOEFL and the GRE, Yu Minhong is a leading figure, and students from all over the country travel thousands of miles to New Oriental in Beijing and move into its dormitories in the spirit of a pilgrimage. Heh, many people will probably relate to that. Peking University had never before invited an alumnus to speak at its opening ceremony; for the 2008 opening ceremony it invited Yu Minhong, chairman and president of New Oriental Education & Technology Group, to speak. This is an honor for Mr. Yu and even more an honor for New Oriental.

Below is the speech given by Yu Minhong, alumnus of the English department's class of 1980 and chairman and president of New Oriental Education & Technology Group, as representative of the distinguished alumni (September 21, 2008).

Fellow students, leaders:

Good morning everyone! (Applause)

I am very happy that President Xu has given me this great honor to talk about my experience at Peking University. (Applause)

It is fair to say that Peking University is the place that changed my life, the place that lifted me up, the place that took me from a country boy out into the world. Without exaggeration, without Peking University there would certainly be no me today. Peking University left me a string of beautiful memories, and probably a string of painful ones too. It was between the beauty and the pain, between setbacks, struggle and progress, that I finally found myself and began to be able to do something for myself, for my family and for society.

Student life is very beautiful and there are many fond memories. I still remember a boy in our class who played the violin under the girls' dormitory every day, (laughter) hoping to catch the girls' attention; in the end the girls threw a water bottle at him. I remember that, to attract a girl's attention, I carried her bags every winter and summer vacation. (Laughter, applause) Later I found out the girl had a boyfriend, (laughter) and I asked her why she still let me carry her bags; she said it was to let her boyfriend get some rest. (Laughter, applause) I also remember that when I first entered Peking University I could not speak Mandarin. At our first class meeting everyone introduced themselves; I stood up and introduced myself, and our class monitor stood up and said to me: "Yu Minhong, could you please stop speaking Japanese?" (Laughter) I then spent a whole year with a radio in the woods of Peking University imitating the broadcasters, but to this day my Mandarin is still poor.

A person's progress may be a lifelong matter. Peking University was the beginning of our lives, not the end. Many things were especially moving. For example, we were very fortunate to meet Professor Zhu Guangqian. In his final days, it was the students of our class who took turns every day pushing his wheelchair and walking with him around the campus. (Applause) Whenever I pushed the wheelchair my heart was filled with admiration for Professor Zhu, and a sense of reverence arose. That is why the field I read most at university was aesthetics, because he wrote a book, A History of Western Aesthetics, which was the second book I read after entering university.

Why the second? Because the first came about like this. When I entered Peking University and walked into the dormitory, one of my classmates was already there, lying on his bed reading a book called The Rise and Fall of the Third Reich. So I asked him: "Do we still have to read this kind of book at university?" He lifted the book from his eyes, glanced at me, ignored me and went on reading. That glance has stayed in my heart ever since. I knew that entering Peking University was not just about studying a major; you had to read a great many books before you were qualified to call yourself a Peking University student. (Applause) So the first book I read at Peking University was The Rise and Fall of the Third Reich, and I read it three times. Later I went to find that classmate and said: "Let's talk about The Rise and Fall of the Third Reich." He said: "I've already forgotten it." (Laughter)

I also remember my supervisor Professor Li Funing, then chairman of the Peking University English department. When he taught us Book 4 of New Concept English, his blackboard writing was always complete and beautiful. He always began at the top left corner of the blackboard, and when the bell rang he had just finished at the bottom right corner. (Applause) I also remember my English literary history teacher, Professor Luo Jingguo. In my last year at Peking University I was in a bad state of mind and failed his exam. I went to Professor Luo and said: "If I fail this course I cannot graduate." Professor Luo said: "I can give you a passing grade, but please remember: in the future you must accomplish something that is worthy of the grade I give you." (Applause) So it is the tolerance, learning, openness and freedom of Peking University's teachers that let us truly become Peking University students and truly receive the Peking University spirit. When I heard that President Xu Zhihong had sung "Invisible Wings" to the students, I opened the video and was moved to tears, because I felt that this is exactly what a Peking University president should be like. (Applause)

I remember I had many frustrations at Peking University. First, my Mandarin was poor; second, my English was a mess. I got into Peking University after three years of effort at the college entrance exam, because I had failed twice and on the last attempt unexpectedly got in. I had never imagined Peking University was a place I could attend; it was a sacred place in my heart that I felt I could never reach. But that year, on the third attempt, my exam score exceeded Peking University's admission line by seven points, and I finally made up my mind, gritting my teeth, to fill in the four characters "Peking University". I knew many people would have higher scores than me and thought I would not be admitted. I did not expect Peking University's admissions officers to be so far-sighted, anticipating where I would be thirty years later. (Applause) But in fact my English was very poor; in the countryside I could neither listen nor speak, I could only memorize grammar and vocabulary. When our class of fifty was split into three groups, because my English exam score was good I was put into group A, but a month later I was moved to group C. Group C was called the "pronunciation, intonation and listening impairment class". (Laughter)

I also remember that before entering Peking University I had not even read Dream of the Red Chamber, so when I saw my classmates reading book after book I chased after them desperately. In the end I read more than eight hundred books at university, over five years (applause). But I still never caught up with those classmates. I remember my class monitor Wang Qiang was a book addict; he is now at New Oriental too, as dean of the New Oriental Research Institute. Whenever he bought books I followed him. At the time Peking University gave each of us a little over twenty yuan a month as a living allowance, and Wang Qiang had the habit of splitting it in two: half for books, half for meal tickets. The book money was never touched for meal tickets. If he ran out of meal tickets he borrowed everywhere, and if he couldn't borrow any he stole them everywhere. (Laughter) Later I found this a good habit, so I also split my allowance in two, half for books and half for meal tickets, and when my meal tickets ran out I stole his. (Laughter, applause)

Without exaggeration, our class at Peking University truly belonged among the classes that read the most. And our class was very active; it produced several poets alone. A later fairly well-known poet named Xi Chuan, real name Liu Jun, was in our class. (Applause) I also remember our class set a new trend; at the time we were an outstanding collective at Peking University, but one evening everyone got carried away and started dancing cheek to cheek, and the following week we were publicly criticized by the Ministry of Education. In those days dancing had to be very formal; if boys and girls got a little too close it was considered a breach of discipline. So you are a bit luckier now than we were then: not only can you dance, you can walk hand in hand around campus. If we had walked hand in hand on campus back then we would certainly have been thrown into Weiming Lake, so people generally walked around campus only after midnight. (Laughter, applause)

I also remember that our class of fifty was exactly twenty-five boys and twenty-five girls. When I heard this ratio I was very excited (laughter); I thought everyone should pair up one to one. I did not expect the girls all to fall for the handsome, dashing boys. Those like me, unremarkable on the outside but rich in feeling inside and with huge potential for the future, the girls generally did not look at. (Laughter, applause)

I remember I struggled for two full years hoping to catch up with my classmates in grades, but as Professor Lu Zhi said just now, although you may have done very well in the college entrance exam and come first, there are too many elite talents at Peking University; the people in front of, behind and beside you may all be classmates of extremely high IQ, the top or second-ranked in their provinces. So catching up with classmates at Peking University was a very hard process. Although I studied one or two hours more than others almost every day, by the end of my second year my grades still ranked among the last few in the class. Very diligent and very depressed, and no girl came to love or comfort me. (Laughter) The result was that in my third year I fell seriously ill with a disease called infiltrative pulmonary tuberculosis. I was stunned, because at the time I was reading Dream of the Red Chamber and had just reached the chapter in which Lin Daiyu coughs up blood and dies of tuberculosis, (laughter) and I thought my life was over. Later the doctors at the Peking University hospital told me that this disease can now be cured, but it requires a year in hospital. I spent a year in hospital, a year of misery; I read many books and also wrote more than six hundred poems, though unfortunately not one was ever published. From then on I was tied to writing poetry, but I am a person of rich feeling without a beautiful pen, so in the end I never became a poet. Later I felt very fortunate, because I found that those who really became poets all came to grief. We wrote poetry together with Hai Zi, who was not yet well known at the time. Later he wrote a beautiful poem called "Facing the Sea, With Spring Blossoms", which probably every one of our classmates can recite. When I heard that he had killed himself by lying on the railway tracks, I wept loudly for a whole day. From then on I put down my pen and never wrote poetry again. (Applause)

I remember that at Peking University, by the time I graduated in my fourth year, my grades still ranked among the last few in the class. But by then I had a good attitude. I knew I could not compete with my classmates in intelligence, but I had one ability: sustained, unceasing effort. So at our class graduation ceremony I said something my classmates still remember today: "You have all achieved excellent results; I am the laggard of our class. But I want my classmates to rest assured: I will never give up. What you accomplish in five years I will do in ten; what you accomplish in ten I will do in twenty; what you accomplish in twenty I will do in forty." (Applause) I told them: "And if that really doesn't work, I will keep a cheerful mood and good health, and after I have seen you all off past eighty, then I'll go." (Laughter, applause)

There is a story that only two kinds of animals can reach the top of a pyramid. One is the eagle, which flies up on its own talent and wings. We have many eagle-like people here; many students reach the peak without trying very hard. Many students may later go easily from Peking University on to Harvard, Yale, Oxford or Cambridge for further study. Many students are full of talent and have such ability without studying; for example my class monitor Wang Qiang, whom I just mentioned, has an extraordinary gift for imitation: wherever he goes, whatever sentence he hears, after hearing it once his imitation is never any different. So he was an announcer at the Peking University broadcasting station for four full years. Every day I listened to his voice, gritting my teeth with hatred in my heart. (Laughter) So gifted people are like eagles. But, as everyone knows, there is another animal that also reaches the top of the pyramid: the snail. The snail can only crawl up. Crawling from the bottom to the top may take one or two months, even one or two years. At the top of the pyramid people have indeed found traces of snails. I believe the snail certainly does not climb up smoothly; it will surely fall, climb again, fall, climb again. But what you students should know is that once the snail reaches the top of the pyramid, the world it sees and the achievement it harvests are exactly the same as the eagle's. (Applause) So perhaps among the students here some are eagles and some are snails. When I was at Peking University, and to this day, I have always considered myself a snail. But I have kept crawling, and perhaps I have not yet reached the top of the pyramid. But as long as you are crawling, that is enough to leave yourself days that move your life. (Applause)

I often tell students that if our lives do not leave us some days that bring tears to our own eyes, then our lives have been lived in vain. Many of us entered Peking University on excellent grades, but Peking University is by no means the end of your studies; it is the starting point of your life. Between the ages of one and eighteen you obeyed your teachers and your parents; now you are truly beginning your own independent life. We must create some days that move ourselves before we can move others. We have students from wealthy families and from poor families. The starting point of our lives is not ours to choose, whether we are born into a wealthy family or a poor one; if you were born into a poor family you cannot say, Dad, take it back, I don't want to stay here. But the end point of our lives is chosen by ourselves. All of you students here have walked well so far and at eighteen have already moved ahead of many Chinese children, because Peking University is the pride of China and, one might say, the pride of the world. But arriving at Peking University does not mean you are done, nor that your future road will go well; how you walk the next fifty, sixty, even a hundred years has become a question every student must think about. As for me, I believe that as long as we keep two things in our hearts, we can make our lives.

The first is called an ideal. From childhood I have had a feeling, a wish to cross the horizon and go far away; I call it "the longing to cross the horizon". It was precisely this strong longing that gave me the courage to keep taking the college entrance exam. Of course, I also had role models in my life. For example, I have a neighbor, very famous, who is my lifelong role model; his name is Xu Xiake. Of course, he was my neighbor five hundred years ago. But he really was my neighbor: he was from Jiangyin, Jiangsu, and so am I. Because I admired Xu Xiake, I scored ninety-seven in geography in the college entrance exam. (Applause) It was also Xu Xiake who gave me this feeling of crossing the horizon, so I resolved that if Xu Xiake had traveled all of China, I would travel the whole world. And I am now realizing this dream. So as long as you have an ideal and an aspiration in your heart, students, you will eventually reach success. What you need to do is, in the process, have the ability to work hard and endure setbacks and failure, and keep broadening your mind, so that you can do things better.

The second thing is called conscience. What is conscience? It is doing good, doing what is worthy of yourself and of others, having an attitude of sharing with others, and having the spirit of being willing to serve others. A person with a conscience shows it in the concrete things they do in their life, and what you do will surely affect your future life. I will tell two short stories, and then I will finish my speech, as I have already taken up a lot of time.

The first story. An entrepreneur told me a story from his university days. There was a classmate from a fairly well-off family who brought six apples to school every week. His roommates assumed it was one apple each, but he ate one himself each day. Although the apples were his, and if he didn't give you one you couldn't grab it, from then on his classmates were left with the impression that this boy was too selfish. Later the entrepreneur succeeded, while the apple-eating classmate had not yet succeeded and wanted to join the entrepreneur's team. But after everyone discussed it, they decided not to let him join, for a simple reason: at university he had never shown a spirit of sharing. So for you students, the first key point in your university years is that you must share what you have with your classmates: feelings, ideas, wealth; even an apple can be cut into six pieces for everyone to eat together. (Applause) Because you should know that by doing so you will gain more in the future; what you give is never given in vain.

Now let me tell my own story. As a student at Peking University I always had a fairly strong spirit of serving my classmates. My grades were never much good, but from childhood I loved labor; I hoped to attract the attention of teachers and classmates through diligent labor, so from the first grade of primary school I was always cleaning the classroom. After arriving at Peking University I developed a good habit of cleaning the dormitory every day, and I kept it up for four years. So our dormitory never had a cleaning duty roster. Besides that, every day I carried the dormitory's thermos flasks to fetch hot water for my classmates, treating it as physical exercise. Everyone got so used to me fetching water that in the end, if I forgot, my classmates would say: "Why hasn't Yu Minhong gone to fetch the water yet?" (Laughter) But I never felt fetching water was a loss, because we were all classmates and helping each other was only natural. You probably think I did all this for nothing. Ten years later, at the end of 1995, New Oriental had reached a certain scale and I wanted to find partners, so I went to the United States and Canada looking for those classmates, who had been my role models at university, including Mr. Wang Qiang, whom I mentioned earlier. To lure them back I brought a big wad of US dollars and spent money very generously in America every day, to let them know you could make money in China too. I thought this would bring them back. Later they did come back, but gave me a most unexpected reason. They said: "Yu Minhong, we are going back because you fetched water for us for four years." (Applause) They said: "We know you have this kind of spirit, so if you have rice to eat you certainly won't give us only gruel, so let's go back to China together and build New Oriental together." That is how New Oriental came to be what it is today. (Applause)

A person's life is a life of striving, but some people live a great life and others live a trivial one. If we have a great ideal and a kind heart, we can surely pile up many trivial days into a great life. But if you muddle along every day, without ideals, and stop making progress from now on, then the days of your whole life piled up will forever be a heap of trivia. So I hope all of you can build your ordinary daily days into a great life. (Applause)

Finally, on behalf of all the old alumni, I would like to express a token of our goodwill to the more than three thousand new students here: on behalf of all the old alumni and New Oriental, I am donating two million RMB to President Xu, to provide a little help for the study, activities and growth of the students here. (Applause)

ClickJacking - A Perspective Problem [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 12 Oct 2008 01:19 AM CDT

While ClickJacking is the latest apocalyptic threat in IT Security, I wanted to point out something yet again, as I did back when Dan Kaminsky reported his DNS flaw and it became cataclysmic for its 15 minutes of fame.

I've been reading interviews, insights, write-ups and blogs on ClickJacking and I've had so many discussions with some of you my head spins trying to remember it all but something I saw a couple of days (weeks maybe?) ago is staying with me so I looked it back up and wanted to briefly talk about it.

This quote from Jeremiah Grossman, is disturbing.
"Recently we [Grossman & RSnake] have been told that it's been known by the browser vendors since 2002." [CGI Security interview, 10/5/08]

Why is this disturbing, do you ask? Think about it. If this statement isn't stretching the truth (and I haven't found Jeremiah to be a sensationalist) then this has been an open, the-sky-is-falling, drop-everything issue for ~6 years. Not 6 days, not 6 months, but YEARS. So the question we have to ask ourselves [but already know the answer to] is why in the world is it still an issue in 2008?

I'd love to know a few things:
  • Why did we [security professionals] not freak out about this in 2002?
  • Why haven't IE7+ and Firefox (at least?) resolved this issue dead?
  • Why hasn't the standards body [the W3] taken this up as a standards issue?
The answer is simple, so painfully simple. Functionality wins over "vulnerability" every time.

Now, if you'll excuse me I'm going to go cancel my Internet connection, put a sledge-hammer to my computers and walk around aimlessly.


EDIT: Sun. Oct 12, 2:02pm CDT

I just read Jeremiah's comment, and then started reading the link he posted to the Bugzilla thread on the bug Jesse Ruderman first filed in 2002, and Robert O'Callahan's (from Mozilla) continued stance against his views. I think it is important for everyone interested in security to read that thread to really understand what we [security professionals] are up against in the world of technology. Understandably, functionality has always been, and will always be, the antithesis of security.

There is a much, much deeper conversation to be had here. If any of you are going to InfoSec World in Orlando in March, I'd like to get a "thought group" on this topic together. Email me directly and we'll put it together. I'm not saying we're going to solve anything, but maybe we can come up with a better way to think this through as a community.

Verizon Punts On Data Security [Liquidmatrix Security Digest]

Posted: 11 Oct 2008 11:07 AM CDT

When it rains…

From Network World:

This should be a vendor’s first rule when inviting 1,200 IT pros to a seminar about securing data and protecting personal information: Make sure you protect the personal information of the 1,200 professionals you’re trying to impress.

How did Verizon do in that regard on Tuesday? They failed miserably … and not just once.

David Williams, technology coordinator for a Texas school district, alerted me to the situation because he had read my recent post — “Run-amok Verizon robo-caller torments 1,400 customers” — which recounted the nine phone calls in 24 hours that were received at my house last month.

So what, you may ask, did they punt on? Well, they sent out numerous spam emails to the attendees in advance of the seminar with all of their email addresses in the…

…wait for it…

“To:” field.

I shit you not.

Then some more fun from the article,

Verizon again: “We (are) having issues with our (Microsoft) Exchange server and I am working with our help desk to correct the problem. I apologize for the inconvenience.”

Verizon’s “Secure the Information” lecture series includes a segment called, “Are you prepared for data loss?”

So, Exchange was responsible for the email addys in the “To:” field?

Er, no. That would be the duplicates but, it does give the impression that they are trying to duck the whoops by invoking the spectre of an errant mail server. I would assume that Verizon staffers will be attending their own seminar en masse then?

Oh, and just to flog the dead horse once again…one installment in the series is called, “Are you prepared for data loss?”

Um, yeah, FAIL.

Article Link

Gmail Gets A Breathalyzer [Liquidmatrix Security Digest]

Posted: 11 Oct 2008 10:25 AM CDT

This great posting showed up on Ars Technica a couple days ago. Mail Goggles is an add-on that is designed to save you from yourself should you find yourself in front of a computer at 3 am and decide, via fuzzy wobbly brown pop logic, that now would be a great time to answer emails. This add-on for gmail will do a WORLD of good for some of my friends.

From Ars Technica:

How many times have you stumbled home after a long night out with friends, only to plop down in front of the computer and start sending e-mails that you would wake up regretting the next day? OK, maybe some of our older readers in the crowd have never moved beyond “drunk dialing,” but many of us are probably more familiar with the embarrassing phenomenon, a technological evolution of the drunk dial.

This is a great tool because before you can send out emails in an altered state you have to tackle some mental gymnastics.

If you have Mail Goggles installed—which you can do by going to the “Labs” tab under your Gmail settings and turning them on—it will force you to answer a series of math questions before sending out any new messages.

Bloody brilliant.

Thankfully those days are behind me now.

‘Mafiaboy’ Writes A Book. And I Don’t Care. [Liquidmatrix Security Digest]

Posted: 11 Oct 2008 09:53 AM CDT

Seriously does anyone care about this bit of news? I missed this when it hit the wire but, thanks to Serge for forwarding me the link.

Now, “Infamous Canadian hacker ‘Mafiaboy’ breaks silence with book release” is a title that I have a problem with. He was a 15 year old kid and playing with a DoS. The major difference between this kid (at the time) and anyone else launching a denial of service was one of two things. 1) He was bereft of the intelligence that said “hey, bad idea” and/or 2) Far too mentally challenged to not get caught. I hardly consider a DoS ‘hacking’ so much as a giant nuisance. Sure the instigator can offline a system for a while and cost the target money but, it is by no means indefinite. When you really boil it down it is a pointless endeavour.

From Canada.com

In Mafiaboy: How I Cracked the Internet and Why It’s Still Broken, the hacker, now 23, explains that he was not a computer whiz kid but that he quickly gained knowledge of computers and got to know other young hackers.

“After spending years trying to learn everything about how my PC worked, and enjoying every second of learning DOS commands and other technical information, I felt a strange kinship with these nameless, faceless programmers and online rebels,” he writes in an excerpt made available by the publisher. “How did they create these programs? How many more of them were out there? How could I learn to write programs? To me, they were the coolest kids in cyberspace. I wanted to hang with them. I wanted to be a hacker.”

I’m sorry but, could someone grab a mop and bucket?

My head just exploded.

Article Link

Say It Ain’t So Sarah! “People Who Live In Glass Houses Shouldn’t Throw Stones, You Betcha” [Vincent Arnold]

Posted: 10 Oct 2008 10:08 PM CDT

Panel: Palin abused power in trooper case

ANCHORAGE, Alaska (CNN) — Republican vice presidential nominee Sarah Palin abused her power as Alaska’s governor and violated state ethics law by trying to get her ex-brother-in-law fired from the state police, a state investigator’s report concluded Friday.

“Gov. Palin knowingly permitted a situation to continue where impermissible pressure was placed on several subordinates in order to advance a personal agenda,” the report states.

Public Safety Commissioner Walt Monegan’s refusal to fire State Trooper Mike Wooten from the state police force was “likely a contributing factor” to Monegan’s July dismissal, but Palin had the authority as governor to fire him, the report by former Anchorage prosecutor Stephen Branchflower states.

Source

SecTor 2008 Pics [Liquidmatrix Security Digest]

Posted: 10 Oct 2008 08:05 PM CDT

This week was a wild ride. The culmination of a great deal of work from a diligent group came to a head with the second annual SecTor conference. Based on the feedback that I got from attendees, it rawked.

The morning crowd was quite something on day one for the sessions. I have to tell you I was quite pleased with the turnout. I should note that due to my limited time this year I was only able to snap a few pics. James had the camera clicking away so I would imagine that we’ll see some postings from him.

I was pleased to sport my “staff” badge for the limited time I was actually able to attend this year. Sadly, I did not, er, plan well for the conference from a personal perspective. Next year I’ll make sure that I book the time off.

The lunch hour panel session was an interesting affair. Chris Hoff set the tone of the panel and fell on his sword as the token American in the process. I was very happy to see him showing off the tats and jeans. The number of suits on the stage was a little disconcerting. But, what are you gonna do?

I’m really pleased with the feedback that I’ve received from speakers and attendees alike. I’m sorry that I didn’t get to meet a bunch of people that were there. But, glad to see everyone who made it out. I’m hoping that I’ll be able to continue with SecTor to help it grow for next year. Oh yeah, and book the damn time off.

As if I wasn’t run ragged enough already, I managed to squeeze in a gig with the boys last Saturday night at the Pilot in Toronto.

And miles to go…

OWASP APPSEC 2008 Conference Videos Online [Carnal0wnage Blog]

Posted: 10 Oct 2008 05:54 PM CDT

OWASP APPSEC 2008 Conference Videos are online

http://www.owasp.tv

Closing thoughts for a Friday [Digital Soapbox - Security, Risk & Data Protection Blog]

Posted: 10 Oct 2008 04:47 PM CDT

Hey folks - just some closing thoughts for a Friday. Hope everyone's had a decent week, and by now you've got a cold one in hand. Here are some thoughts I had as this week tails off into another weekend.
  1. Has anyone paid attention to the sheer stupidity of public services lately with regard to data loss/theft? I mean, seriously! I have a Google Alerts "as it happens" notification set up for "security breach" +data and if you haven't paid attention there has been an absolutely stupefyingly overwhelming number of data breaches that involve our government or its entities in some way. Foreign governments, schools, social services - all losing laptops, getting hacked, and the toll is mounting. Last count we're somewhere in the 2MM+ records lost in the past few weeks. When will the carnage stop? (More on this in a future post as I have some serious research to do. If you'd like to help ping me directly.)
  2. Cloud computing... so I was talking to a colleague and friend over at PureWire, and he is absolutely religiously convinced that in a short period of time (and I quote) ... "Everyone will be doing it [in-the-cloud security], it's inevitable". I tend to disagree, in fact - I think "In the Cloud" security is a bit of a scary proposition - but I'm hoping to have a 20-questions type of interview posted here on this blog with the folks that are running the gears over at PureWire.
  3. I'm finally going to get around to posting that interview I did with a "semi-ethical DarkSEO dude" in the next few weeks when things settle down at the ranch a little. It's been sitting on my desktop, and everyone's been killing me to publish it - problem is - it's huge (10+ pages of good info, I think). Does anyone know where I can post it? I'll post part of the interview to the blog here as a teaser, and the rest to a site somewhere, as a PDF/paper. Your suggestions are welcome.
