November 2008 Archives

Just a quick 90-second post on this, the American Thanksgiving holiday. Take a moment, if you will, to consider all that there is to be thankful for. If you have a job, then be thankful, even if it's the worst job in the world. If you're getting a paycheck and making the rent, then things aren't probably all that bad. If you're healthy, then be thankful, because there are millions who aren't. If you're a civilian, then be thankful for our troops. No matter what your opinion is on Iraq, et al, there is no denying the thankless service these men and women provide for our country and the world. Lastly, be thankful for the resources and freedom we have. Sure, net neutrality would be nice, as would a final solution to spam and the DNS security problems. But, for the most part, we should be very thankful that we're generally dealing with electronic attackers who are costing companies time, money, resources, but not lives. We could have it much worse. Lastly, be thankful for the freedoms we have in this country. Be thankful for the EFF and ACLU helping stand watch over those civil liberties, and be thankful that we're finally nearing the finite end of an abysmal administration.

Happy Thanksgiving!

If you're a CISSP, please read on here. If not, you can disregard this post.

CISSPs, it's that time of year again - time to vote for your ISC2 Board. I wanted to take a minute and publicly endorse Dan Houser. Erik Heidt at Art of InfoSec has done a good job describe Dan's qualifications here. I think he's spot-on with the description and, knowing Dan a little bit myself, I agree that he would be an excellent addition to the ISC2 Board.

Greetings, one and all. Apologies on not blogging as much lately, but life is busy! I wanted to share a few pieces of news from around the industry, on the off chance you missed it.

First and foremost, the former Chief Privacy Officer from AOL, Jules Polonetsky, has formed a new non-profit org called Future of Privacy Forum. From their about page: "FPF advocates for privacy advances that promote transparency and user control in a manner that is practical for business to implement to ensure personal autonomy for all who seek to embrace the benefits of our digital society." This is very interesting news, and it should be noted that one of their first objectives will be to put forth privacy policy objectives for the new Obama administration.

The second bit of big news is that NetWitness has announced the free availability of their Investigator software. If you're not familiar with NetWitness, then you really need to take a look. The software bit is just one component of their overall solution. It's actually rather difficult to describe what they are, because they draw from many different genres. The sniff traffic, but they also record full packets, and then they provide excellent analysis tools, including making use of their own metalanguage to look at and describe data. It's pretty powerful stuff.

In more mundane news, I spoke on a panel at CSI 2008 this week. My part of the panel discussion was "information classification." We had fun presenting and I think some people found it somewhat useful - as much as one can call a 15-minute preso useful. For me, this is an important milestone because it's the first time I've spoken at a major infosec event.

And, last, but certainly not least, I wanted to call out the other thing I became involved with this week: the ABA SciTech section's latest committee, e-Discovery and Digital Evidence. We held the kickoff meeting for the committee in DC yesterday and today, and I have to say, it was a very interesting and inspiring group. There is a lot of opportunity for outreach, growth, and improvement around these topics, including around records management. I'm very eager to continue my involvement in this committee going forward.

That's my news from around the beltway this week (so far). :)

According to a new study:

"After 26 days, and almost 350 million email messages, only 28 sales resulted," says the research paper.

Yet even with this apparently abysmal response rate of less than 0.00001 per cent, the researchers still estimate that the controllers of a network the size of Storm are still bringing in about $7,000 (£4,430) a day or $3.5m (£2.21m) over a year.

I'm sure everybody would love to make an extra $3.5m/yr for doing not much of anything. And we wonder why the spam problem is so pervasive. How much do we spend on anti-spam efforts each year? Does it outweigh the benefits seen by the perpetrators?

Hat tip to Marginal Revolution.

Found and forwarded by a colleague on the ABA InfoSec Committee, following is an excellent source listing international laws that impact use of cryptography:
http://rechten.uvt.nl/koops/cryptolaw/

If you've ever heard people complain about their insurance provider, either for medical or dental or vision, but never quite understood why that might be, then I'm here to provide you an explanation.

My wife recently had a crown made and installed into her mouth. We had to pay our estimated portion at the outset - a few hundred dollars. The insurance specified that it would cover 60% of the cost of the work ("major restorative" is covered at 60% while repair is 90% - the crown was to repair a tooth cracked by an old filling). We thought the price was rather absurd, but paid it because the alternative was not particularly appealing.

Last week, then, I received a bill from my dentist's office. I call today and inquired about the additional charge. The answer? Apparently there is a cheaper type of crown (gold) that could have been installed instead of the high-quality one my wife got (high-quality one will last longer, not to mention that it won't look ducky). The insurance company (MetLife) apparently has fine print in their coverage that they will only reimburse at the cheaper rate if such an alternative exists. Thus, though the crown was already order and installed, the insurance company has said after the fact "sorry, we'll only pay for the cheaper crown, you customer get to pay the difference."

The dentist's office went on to explain that they have this problem with fillings all the time, too. They use a non-toxic filling that blends with the tooth instead of a metal amalgam that may contain mercury, which is toxic and his been found to poison people with mercury gas over time. Nonetheless, because the amalgam filling is available, the insurance companies will only reimburse at that rate and the customer is, once again, left paying the difference.

This is a perfect example of what is wrong with the insurance industry today. I'm sure you have your own stories, too.

Thanks to Kottke for pointing this out...

"House keys left out on table + telephoto lens at a distance of 200 feet + SNEAKEY key duplication software = perfect working copies of your keys. Eep. The system also works with crappy cellphone camera photos."

So, this means from a physical security perspective, it's probably best not to leave your keys sitting in plain site - especially if they are keys to anything remotely valuable!

Also noted by Schneier last week here.

I love Fall. It's my favorite time of year. The weather has that wonderful chilly bite to it, the humidity generally drops away, and then there's the folliage! This Fall, here in Northern Virginia, has been the best of the best. We've never seen colors like these in the last 5 years, and friends who've lived here much longer say they don't ever recall a Fall like this, either. So, suffice to say, I'm rather pleased with the outside world.

Fall, however, is about more than just pretty colors. It's also about the cycle of life. In the grand scheme of things we typically associate Fall with the dying throes of life, Winter with the period after death, Spring with the emergence of new life, and Summer with the peak of living. Putting aside the somewhat morbid aspects of this life cycle, I have to wonder how many organizations apply similar thinking to themselves? How many decisions have - or should have - a life cycle? I would think pretty much everything should be evaluated accordingly, but it doesn't always seem to be the case.

A quick poll for you, if you'll indulge me. I don't have a polling widget, so responses will have to go into comments. What are your thoughts on full vs partial RSS feeds? This site uses partial feeds that display the first few lines, but then requires you to click through to read the entire post. Please let me know what you think, because if enough people say it sux0rs then I will revert back to the full feeds. Thank you!

Announced by our fearless leader, you can get a 35% discount for the SC World Congress December 9-10 in NYC at the Javits Center thanks to the conference partnering with the Security Bloggers Network for promotion. For one-day passes, uses promo code "Blog1" and for two-day passes use promo code "Blog2". That's all you have to do!

This is an amazing video by one clever and musically talented dude. It takes movie theme songs and combines it into a lovely compilation with Star Wars tribute lyrics. Check it out! :)

Today I give you my 500th post. I've been mulling over for a few days what to do with it, and I've come to a conclusion. It's the single most important thing I can tell every American citizen that will listen: Vote on November 4th.

I'm not going to tell you who you should vote for at this point. My preference is clear from my blog, and the vast majority of people have made up their minds already. However, that being said, it is incredibly important that you, as an eligible American voter, exercise your right and get out to vote. It's what defines this country as a Democracy, and it's precisely this value that the current administration has wantonly disregarded. Make your voice heard tomorrow.