January 10, 2008

$$$ for RSA

If only I believed in random overzealous patenting. Until then, here is a suggestion for RSA...

  1. Take a SecurID SID800, add a bigger chunk of flash memory to it
  2. Make a model that is bootable and maybe one that has a VM on it
  3. In that bootable environment or VM include Terminal Server, SSH/X, and NX clients
  4. Make it so the device will only pass the OTP while within the boot or VM
  5. And don't forget step two.five to add a VPN client or three
  6. Advertise it as a malware proof enhanced RAS solution and partner with MS, Red Hat, Citrix, etc. to enhance integration for remote printing, etc.
  7. Make loads of dough (whole grains please)
  8. Press out some pasta (I suggest adding basil like my lovely wife does)
  9. Enjoy your meal as the money rolls in

In a later revision develop a system whereby the core OS on the device can be updated live after confirming the OTP and some enterprise provided management code.

Oh, and for step ten you can give me some money. And have it all done by morning. Thanks, -Ali

Pentest poster

It's depressing to me how I can be so scattered while other people can create pentesting trees for the masses. Available in a poster too. I think I'll make it a homework assignment for myself to spend time contributing to that tree soon.

One completely disorganized and random thought is to include scoping out the closest airport and coffee shops that employees of a given organization frequent. I have found it's much easier to footprint a typical client or passively gather information about a network by utilizing an employee's off-site asset as a proxy. Provide an 'open access point' near them and voila! Cheers, -Ali

Pill pushers

ScienceDaily has a story on pharmaceutical industry advertising expenditures relative to R&D. If the research is anywhere near validated, which I believe it will be, then this should become the first Michael Moore sequel. (I think I'm going to need some sort of pill mentioning that man but still.)

Those World Series, Super Bowl, and Oprah spots don't come cheap. Did I just say Oprah? -Ali

iLiad experiment

I was fortunate enough to be given an iLiad for the past six months. At first I couldn't believe my luck and loaded many books and PDFs onto it, in some cases giving away the hard-copy versions I had to save shelf space. Woe is me... wwwoooooeeeeee is me... *groan*

Before you get the wrong impression let me say the iLiad was a great recreational book reader while on travel. The screen was good, features adequate, battery life sufficient, and a great space saver.


OSINTeresting

I seem to have turned some friends onto commercial intelligence services inadvertently. However, there is a huge breadth of (potentially better) resources open to anyone and everyone. Some tools and tutorials, a decent blog, and a loud mailing list that should all be seriously considered. Then your own bookmarks, RSS, etc. will eventually be your mainstay. Cheers, -Ali

January 03, 2008

North Korean Wheaties

The US, China, and many others called the North Korean nuclear disclosure delay a minor hiccup. A much more accurate description of the situation exists. -Ali

Patch the baby

Over the past eight years I've toyed with various software updaters that range from hose-the-system-bad to hose-the-system accuracy and quality. In the past week I've had better luck on my extended-family systems using Secunia PSI. Give it a try on your family-use Wintel machines and save yourself a few phone calls in the future.

Where are the single-quotes and *boggles* and misplaced apostrophes? It's been a long morning. -Ali

Eight ITSec (in)predictions for '08

In no particular order:

  • Mobile malware will be responsible for toll call fraud. Somebody, somewhere, is working on a mobile network botnet infrastructure to disrupt services. Somebody else, who owns the building the first somebody pays rent to live in, is working on a mobile network botnet to accommodate organized crime telephone fraud.
  • The end of the ITSec independents. We'll see the end of the smaller shops as they're absorbed into larger companies, private management firms, and other shops that have many more lawyers, proposal writers, and Government contacts for contracts. Either that or In-Q-Tel will expand their operations significantly to make sure some of the smaller innovators get the appropriate guidance without getting lost in the mix of old timers. Remember 2006? I think 2008 will be at least twice as big as companies start seeing new regulations and cyber panics squeeze out from under the doors of Industry and Government.
  • The 'Great Firewall of New Hampshire' goes online. While I doubt New Hampshire, being the Free State and all, will be the first, I expect State legislatures to start going down the naive road of more ISP filtering and monitoring. This will lead to a lot of other genius initiatives like State control over IDS, DRM, QoS, etc. Actually, I'm being naive; this will almost certainly come down from the Federal level first. And, mark my words, part of the justification will be to defend against foreign adversaries whose networks are more closed to us, therefore to protect ourselves we need to close our networks. Sound familiar?
  • Power usage will become a competitive factor. Expect to see vendors start advertising their battery friendliness, low overhead, small footprint, and operating costs including power usage. Some already do but I think 2008, with continued pressure in the Energy sector, will cause most customers to seriously look at all computer asset overhead. An AV that uses 10% less power will get scored higher in corporate reviews. Don't ask me how they'll prove it but you know they will.


December 27, 2007

Six bed, four.5 bath, one billion gallon fish tank

There is obviously bigger news today but I have been wanting to post this article for a few days now.

"For the US, the financial stakes are huge. With its wide continental margins, it stands to gain economic control over additional territory larger than the 48 states combined, with an estimated value of $1.3 trillion in minerals, oil, and fish."

Could you imagine national flags alongside major oil and mining company flags on the bottom of the seafloor? Deep sea exploration just got a huge infusion of funds and entrepreneurs. Cheers, -Ali

Now I get it

You think all the electronic gadgets for the Holidays are just a sign of the times? Oh no, there is something far more sinister going on! -Ali

December 20, 2007

The new MAD

The tenets of MAD still apply mostly to the Nuclear world but I've often wondered when MAD will become synonymous with a series of botnet deployments. And at what point does a botnet become the next Cuban Missile Crisis? When do Kaspersky and Symantec become Blackwater?

I found some reading from Schneier and John Robb on the topic (be sure to read the comments). Cheers, -Ali

Packet loss

(The last two personal posts have been deliberately removed.)

So it's been a few days, err.... months... well almost a full year but that's beside the point. I'm back and better tha.... err. Umm. -Ali

February 08, 2007

Red mercury rising

I tend to start a lot of books in parallel and then misplace them for a few months before remembering to go back and finish them. Not many books can keep my full attention from cover-to-cover. “Shame” by Sam Cohen is among the rare exceptions where I simply can’t set a book down until completed. Cohen was part of the Manhattan Project and the first proponent of the neutron bomb. His work with and for such luminaries as Oppenheimer, Teller, von Neumann, and the notorious Jess Marcum gave him a front-row seat to military science and policy in the 20th century. While the view of the theater was good the script was almost tragic; his dealings with the US Congress, black comedy.

What if nuclear weapons development and military policy were in the hands of naive and unqualified men? What if RAND didn’t give good advice? What if the scientists bickered and argued like teenagers? What if the math behind nuclear weapons was half wrong? What if leading Congressional officials didn’t know what a neutron was? And what if all your allies went into early retirement at the hands of politicians?


February 03, 2007

Iran attack lunacy

I have long held that attacking Iran is an impossibility. I expect specific tactical actions by Israeli Special Forces with the discreet assistance of the US. I don’t expect any further escalation as the economics of such action would be disastrous for too many world powers. Not to mention the logistics of any Iran invasion are currently unimaginable and no military commander, no matter how dedicated or blinded, would actually attempt such a thing. They’d tell President Bush to pound sand (no pun intended) and they’d take the next C-17 to a non-extradition country.

Unfortunately I may be wrong and reading opposite perspectives is sobering. -Ali

February 02, 2007

Dolphin drowning

It’s hard not to show at least the smallest amount of admiration for whoever decided to pull this compromise off. The social aspect alone is hilarious as some of the visitors to the site are likely either already on the road or about to head to Miami. I hope, for their sake, they turn off their computers before they head to the airport.

Da Bears! Cheers, -Ali

February 01, 2007

Verizon throwdown

Verizon is getting hardcore this year with an EV-DO Rev A network and a worldly BlackBerry. Granted the latter is still rumor but it’s a heckuva rumor. I’m a CrackBerry addict and a Verizon customer so I’m delighted at the prospects. Although I’m generally satisfied with my 8703e and renting international phones as necessary, I’m always depressed when I’m without proper connectivity while traveling.

I have a lot of gadget desires for 2007: An AVCHD camcorder, some home automation, a hybrid vehicle, and a Red Sox themed laptop. All reasonable desires, eh?

Outside of gadgets I have some home improvements to schedule for my new place (waiting for the new-construction warranty to expire first). I’m installing Medeco locks, garage floor sealant, proper water filtering, and various LED lighting. If I’m really ambitious I’ll go ahead and improve the master shower and build some expansive shelving. I’ll resist the pinball machine urge for now.

If anybody has some suggestions on alternatives to X10 or anything related to the above random items please comment. Cheers, -Ali

January 31, 2007

SOTU

Cox & Forkum never fail to entertain me when I'm looking for a laugh. I wish they were Libertarians. -Ali

Look at those jugs!

OK, OK, I’m being stupid man silly. Seriously though, VideoJug is pretty nifty. If you haven’t already meandered in that direction you should do so. Even security has a bit of video coverage. –Ali

January 30, 2007

Jamming GPS

"We contacted the boat owner and gained access, quickly determining that the emitter was a commercially available VHF/UHF television antenna with built-in preamplifier. The antenna was powered by an AC/DC adapter plugged into boat AC power. The preamplifier was thus powered all the time, even when the TV was not on. In fact, the TV was seldom on, and most of the time the TV antenna was in a paint locker inside the locked boat. From this interior location, its emissions jammed all of Moss Landing Harbor and an area at least 1 kilometer out to sea."

*boggles* -Ali

January 29, 2007

Impressive twelve steps

I’ve recently had the privilege of supporting a friend in their journey toward sobriety. I attended Alcoholics Anonymous (AA) meetings with them last week and over the weekend. I had many misconceptions about the sort of organization and the types of people that participate in AA. Many, many horribly naïve and arrogant misconceptions. I can only say I am embarrassed by my prior ignorance and appreciative of my newfound understanding.

I should have known better as my father always referred to AA and Narcotics Anonymous (NA). He has never consumed alcohol or an illicit drug, much less battled addiction, so I always found his knowledge of the organizations curious. Now I come to find out he himself has assisted numerous people over the years through the programs.

For those of you who will never have the opportunity to immerse yourselves in AA let me let you in on a few secrets. Members of AA are your family, your friend, your boss, your trusted technical resource, your broker, your grocer, the football hero, .. members of AA are honest, non-judgmental, full of wisdom, lively, and a joy to be around. Members of AA are no more troubled than the rest of us and generally more enlightened as they’re facing their demons and honestly taking inventory of their lives. Members of AA are Atheists, Christians, Muslims, Pagans, Agnostics, .. members of AA are young, old, and of all races and ethnic backgrounds. There are a lot of members of AA and for that we should all be thankful. These people have taken a deadly disease by the horns and are wrestling it to the ground.

AA gives back to each and every one of us and we don’t even know it. -Ali

January 20, 2007

Staff psychologist

I was going over a few old escape reports I wrote and concluded that I needed a good psychologist more than I need another security architect or engineer. I can’t, for the life of me, figure out what most end-users are thinking when they click-through warning dialogs, answer sensitive questions to complete strangers, put sensitive documents on unsecured media, and get involved with Swallows. Even in my daily life I sometimes pause just ~after~ clicking something or answering a question. We’re all prone to it........

I decided to search some job sites and see if anybody was recruiting psychologists for security related positions. I didn’t find much of anything but I’m sure defense and intelligence shops must have people on-staff. Determined not to be empty-handed I decided to search for evidence that IT security penetration testing services and firms used psychologists for more enhanced customer recommendations. What I mean is not just the social engineering norms but finding out what particularly unique aspects of a given organization may be leading users to insecure behavior not normally noticed. See what I mean?

In the process of my searching I thought about “Security and Usability” (which I highly recommend) and then came across some good old posts by Tom Vogt (one, two). If you take his security aspect mindset and combine it with the technical goals of the Jericho Forum you have a pretty complete picture of what’s to come in IT security.

Along with a few good psychologists. -Ali

UPDATE 02012007: Looks like Schneier is on the case too.

January 19, 2007

Intel on ITSec

Intel isn’t frequently thought of when trying to solve problems other than number crunching. It’s easy to forget they’re a huge organization with all the same problems any of ‘us’ have in other industries. Thankfully they’re not selfish and have shared a great article on layered security and another article on mobility and securing the mobile workforce. Neither article is technical but they are filled with clear language and crisp diagrams perfect for management. And if you’re like me you lust over anything that helps you communicate upstream easier. Take a gander and print a copy for your boss. -Ali

January 18, 2007

Muddle me this

Muddle me that.. who is afraid of the big black bat?

I kid you not, that was written on a wall in the San Juan airport over a Bacardi Mojito advertisement. I find that humorous for some reason. Even funnier now that I'm on my way home! –Ali

UPDATE 01192007: The music in the TV version of the advertisement is quite catchy.

Death by isolation

I’m completely losing my marbles over this lack of connectivity. If I had come expecting isolation and brought camping gear, baseball gear, and books I’d be happily occupied. At this point between the lack of hot water, noise level, and dirty room I strongly recommend you avoid the Villa Montana. Although I understand that I’ve been shoved in a corporate room and the beachfront rooms and service is much better. Isabela does have beautifully clean water and beaches so next time I’ll bring my girlfriend and trunks and stay extra days. I miss her immensely and want to sneak away and catch the morning flight. –Ali
