Happily Ever 3X09_3X10

When my spirits are down nothing quite perks me up like a neat new tool. And today *sniffle* I needed the boost granted me by Dnscat. Ron, I owe you a beer and a chest bump *tap tap*. -Pk

Bill Brenner of CSO Magazine started a thread at LinkedIn asking what the community felt the most worthless security technologies (not ideas) were and why. The one early answer is based on difficultly and time to implementation (e.g. NAC and PKI). While that's one perspective I'd like to look at the bad ideas in general regardless of deployment logistics. Three technologies come to mind immediately:

• Single-factor authentication: Passwords will forever hold the place as the worst security technology ever. And while they're what we have it didn't need to be this way. Instead of having spent decades talking about good passwords, password management, etc. we should have been implementing open and cross-industry two-factor authentication schemes. Not to mention the endless stream of bad salting, hash algorithms, ROT13, and American Express style character limitations.
• WEP: WEP in-and-of-itself served only one purpose. To really REALLY prove the point that Electrical Engineers should not be designing security solutions alone. And unfortunately I think that lesson was lost within minutes. Crap. Little known fact, WEP is also the alternate way of saying "I surrender" in French.
• Clientless SSL VPNs: SSL VPNs in general get my hackles up but the clientless ones were just an ingenious way to crush the spirits of security professionals. I'm convinced clientless SSL VPNs were designed by network engineers as revenge for somebody blocking ping at a inopportune time. Problems have varied from URL rewriting, XSS, MitM, difficult endpoint control, and generally exposing yourself to all the subject browser vulnerabilities as well.

That's the short and snarky. I'll write something more proper for LinkedIn and update here. -Pk

In yesterday's post I introduced a basic long-standing trend that continues to eat at our collective souls. We stick with what we know or our chosen path of enlightenment. Customers enable us for their own comfort level in a hope not to feel stupid. That's my story and I'm sticking to it!!

I'm not going to waste time trying to figure out why we deceive ourselves and continue to sabotage our potential for success. We could have an Security Twelve-steps program nationwide and still not figure that one out. What I'd like to ramble on about is communicating the needs of Security to our customers. Specifically some tactics I've successfully used to ensure the customer keeps coming back to ~ask~ for my input as opposed to just annual planning.

And I just realized I'm a huge fan of bulleted lists.

• Demonstrate the complexity of the problem in relation to the complexity of the system. You can plot the total number of exposure points over time. Customers get startled to see the rapid increase in network ingress and egress points. The number of unknown filetypes on your storage arrays. The number of social networking sites and real-time messaging tools being used on your network. The number of vendor identification strings you find from USB devices. The number of smartphones, CrackBerrys, laptops AND the matching trend in business travel. Take a lesson from Edward Tufte and find a way to show as much of this as feasible on a high-resolution plot.
• Present real-world data for the time-to-exploit of new popular systems. Google Buzz, Twitter, and Adobe AIR come to mind. I suggest referencing Honeynor for older but relevant data.
• Always put your customers at ease when (there is no if) they get taken. Don't preach, don't roll your eyes, don't show panic, and don't complain about being up all night. Consider them your medical patients who are coming to you with a lump on their widget. They're already scared, don't encourage them to self-diagnose by being unapproachable. And let Finance and Legal be the only VPs of "No" in the organization. Because if you join that ranking you'll have all the resentment and none of the executive backing. Present alternatives to enable their business needs, don't question the need (too much).
• And most importantly make your customers feel successful when they succeed. Don't just take credit because you educated them. Positive reinforcement when they get it right never gets old. And yes, I do realize these last two bullets are all about raising children. And you know what? Deal. You're in a cloak-and-dagger industry and, lets be honest, we're really not special enough for fake Passports and silenced weaponry. You need to be more like Mr. Rogers (without the creepiness) as opposed to Jason Bourne. I'm not kidding, you can be a BOFH amongst your peers but you better be Handy Manny with your customers.

Is that enough to think about? I'm coming off as very preachy and condescending myself but I sincerely think we all need to think like this more. And it is all related to my things you didn't learn post. -Pk

[ I'm going to scrub some data and post PDFs on some ways I've presented the first two bullets. -Pk ]

[ NOTE TO SELF: You didn't re-read this before posting so don't forget to do that later. -Pk ]

A trend I've noticed growing in security is what I like to call the CYA Syndrome... Cover Your Arse and Choose Your own Adventure. It can be described as the inability of an organization to look beyond what they know or what they want to know in choosing and deploying security solutions. For example, if an organization is stacked with former network engineers as their security staff then network-centric solutions will get the most attention and budget. Or if an organization has a few folks that want to become investigators and move elsewhere then solutions and budget lean toward non-technical forensic tools (anything but badware Bub!). This failure of vision and planning is due to poor leadership to be sure but it's also something I find enabled by the customer base. Customers like simple point solutions and want to believe in consistency in solutions and evolutions in known models. Does that make sense?

And this practice really does fulfill both CYAs.. if something fails you can blame somebody else because you've implemented the system you know best for what is was meant to do. All of the sudden you don't remember pitching it as a panacea. And you also get to play with the toys of your choice regardless.

More on this tomorrow.... -Pk

[ UPDATE 02112010: OOMPH! I didn't see it getting quite that ugly. -Pk ]

With respect to my last post I thought I should get together a collection of papers on risk modeling across a variety of industries. Some of the papers are hardcore actual modeling, some are talking about the use of models, some are talking about the effectiveness of models retrospectively. I've come to two high-level conclusions about risk modeling:

1. Risk modeling is a combination of science, math, history, and art. This unfortunate combination makes it equally as likely to produce FUD as reliable information.
2. I can safely conclude what I thought I knew about risk modeling was bunk. Go me!

For the sake of relevancy and to reduce annoyance I'm going to skip over Credit/Finance risk modeling. It was by far the most consistent and dry reading. And as some people have noted the credit models may have failed us or have been completely ignored as evidenced by the past few years of global financial turmoil. For the record I subscribe to the later, these models were bloody mature but people blatantly ignored them in the industry and in politics.

• A high-level historical retrospective on liability risk with regards to California earthquakes. It touches are all areas that contributed to the liability risk models without being technical. This interested me mostly from two perspectives: 1) The amount of money involved here is enormous and they continue to struggle and refine models and 2) You would think the availability of cyclical data pertaining to hurricanes would come into play here too?
• Two papers on Terrorism that I think should be read twice and back-to-back. The first from RAND on the actual modeling and the second from the perspective of ROI and insurance. I had many moments of Freakonomics and Bjorn Lomberg whispering in my head. The RAND paper is long and I'm going to have to give it a proper second and third read but my first impression is that it's worthwhile to establish an idea of ~goals~ in your risk modeling.
• "Cyber Security for Power Infrastructure" might sound like the first thing you want to read but if you're already biased either way by the Thor/Wright challenge it might not be edible. And I really couldn't appreciate just the slide-deck but could not find any associated presentation video.
• And finally a mixed group of non-technical outlooks and perspective on pharmaceuticals, food, and uranium. Sometimes referred to as India, Mexico, and Iran but that's another post.

My feelings expressed in the below post remain the same. It's senseless to propagate more FUD or absolutism when we should be taking cues from other industries and working to refine our risk models. And for the academics to do that they need the practitioners to play nice. For the practitioners to play nice the academics need to stop standing behind pomp-and-circumstance. (I don't know if that even makes sense but I really wanted to say pomp-and-circumstance.)

However, I have to say after reading the material above, Dr. Wright is going to get throttled in any honest challenge. Which is unfortunate because I really think it's tantamount that the community help him as opposed to vilify him. I know, I know, he didn't help his own cause in his responses after being clobbered with Mjolnir but can't we all just get along? -Pk

[ UPDATE 02112010: OOMPH! I didn't see it getting quite that ugly. -Pk ]

So Dr. Risk (Dr. Dooms distant cousin), a Meteorologist, Dan Kaminski, and Ayatollah Basmati walk into a (juice) bar. You already know this isn't true because Kaminski would never goto just a juice bar. I'm waiting for the flag on the play? Anyone? Anyone?

By now you've probably read "Thor vs Clown" over at Tao... and it may be easy to just laugh off Dr. Craig Wright. Based on the comments it sure seems like throwing insults, calling names, and basing the prospect of risk calculations on your inability to stop bad things from happening is the medicine of the day.

The challenge issued by Dr. Wright wreaks of equal amount of virility and disgust BUT I sure hope to see a major panel come out of this. I hesitate to say Thor is wrong because, well, Thor... and Dr. Wright clearly needs some humility lessons too.

Here is my problem with this debate, in this fashion, at this time.. YOU'RE SQUANDERING YET ANOTHER OPPORTUNITY TO ACTUALLY PRODUCE PEER REVIEWED METHODOLOGY WITH DATA THAT WILL HELP LEGITIMIZE OUR INDUSTRY. Face it, if you think information security has reached mature legitimacy alongside other comp.sci areas of practice then I have a stick that will find water, gold, and wine for you.

Let me put it to you another way...

People like me, the fairly unimportant practitioners, can afford to look childish and foolish on occasion. Directors, Doctorates, and highly respected researchers that are closely watched and trusted cannot.

I propose a new rule when mailing list and blog debates get hostile. The Dr. Daniel Geer rule... no ridiculous monetary challenges, no contracts to be drawn up, no cursing, insults, or otherwise foolish behavior reserved for me. You all book a flight to the same campus setting, with huge whiteboards and projectors, and you start sensible discourse and set aside your struck nerves and egos. And phrases like "you're wrong", "you're a charlatan", etc. are penalized with timeouts wearing a Homer Simpson mask. If both sides continue to hurl insults and speak in only absolute terms you resign your current positions and both go work for Dr. Geer until you grow up.

[ I don't know why I chose Dr. Geer really, I think it's the cool facial hair. -Pk ]

And don't give me that garbage about having the brains and real-world results to backup your behavior. That's leftover locker-room sh*t so get over it.

Pot, kettle, black.. err. -Pk

[ UPDATE 02102010: The point is that people who are far more important decision makers than Bejtlich, Thor, and Wright probably listen to just one or two of these InfoSec Rock Stars. If you ostracize any of them you'll likely lose part of your important audience that you NEED to understand you. So get together and come to at least an amicable and polite disagreement so people will continue to take you seriously. And let the research continue. ]

Every few weeks I check BOINC hoping to see some really intriguing project that solves impossible problems... like women, the perfect salsa, or pitching for the Red Sox. And I continuously try new projects only to end up back on SETI.

So I'd like to call out to SourceForge, Fortify | Ounce | Coverity, and the community to develop a distributed software assurance system for Open Source software. The idea would be that checked-in code would automatically be queued up and distributed in functional units to participants. All the same Distributed.net concepts with teams and some monetary award from sponsors could apply. The vendors who participated would also get valuable testing feedback and earn karma points with the community that would carry into the closed workplaces.

Add on top of the basic functionality the opportunity for education! Throw all the automated findings in a public queue for registered SourceForge users to review and generate patches or identify false-positives. Let users rate solutions up and down and you've got a treasure-trove of information for the comp.sci crowd.

Screw this.... I want in! Who came up with this idea? Are they looking for contributors? When did I start dash-ing everything? -Pk

A former colleague asked me to recommend some reading material for incident response during active attacks. I'm sorry to say I can't possibly be happy with this post because I know him, his environment, and his unique challenges. And if I drop specifics I might end up in a Legal tussle with a Rhino.

With that said let me throw a few things out there...

• A response is best begun when you're sure you can respond thoroughly and continuously. A panicked response will cause you to lose footing and give away certain operational advantages. To that end the first order of business should be covered in the basic CERT CSIRT resources.
• Make sure you readily create attack trees against your own infrastructure. And read "Chained Exploits" and "Malware Forensics" as soon as feasible.. relating and refining your own attack trees. Get your team and other resources lined up and run through whatever fire-drills you can. I suggest talking to your industry peers to setup competitive exercises if feasible. [ UPDATE 02052010: Two people complained about Chained but the point of that book is to understand combined threats used in tandem. Not just one-off really clever and interesting exploits. Which is why I linked it to attack trees in this context. -Pk ]
• If you're always in an Incident Response it just means you finally know what's going on. I'm only half-joking...
• The SANS WhatWorks in Incident Detection/Response series will always be useful in this regard but unfortunately I'm unaware of video recordings of the sessions. However, take a look at the agenda for 2009 and you can search backwards using the speaker names and topics. Register for 2010.
• The Tracking GhostNet presentation is definitely worth reviewing and is still fairly current in the broad sense. I expect many vendors and companies to come forward with their own APT stories shortly so setting a Google News/Blog alert is a good idea too.
• And then tons of stuff and links off of the FIRST Best Practices and Security Reference sections. If you're a FIRST member there is even more tasty goodness on their site.

I'm sorry to say I can't really narrow it down more than that... there isn't just a short list that jumps out at me as comprehensive or even reasonable per given event *shrug*. Cheers, -Pk

My my, it has been only fifteen years... err.. it's been fifteen years already?

Sometimes it seems like something that happened before I was born but nevertheless, Mitnick was the defining hacker identity for quite a few years. Like it or not.

So I think BlackHat, DEFCON, ShmooCon, CanSec, etc. should all have Sweet 16 reviews of the industry with Mitnick as host. Get some other, pardon the expression, old-timers up on stage too..... I'd love to see Zimmerman, Ranum, and some semi-retired characters up on the stage. Mitnick should have to wear a Disney princess costume for at least part of it though. -Pk

Every major industry goes through various phases of maturation. Once fairly mature they repeat cycles of next best biggest thing. To get to that point all industries go through a phase I call "deity" worship. I was reminded of this last night when trying to help a friend in the UK who repeatedly insisted everything should be fine because he was following Richard Bejtlich's suggested practices. While Bejtlich is clearly an accomplished and wonderful mind to have in the Security realm he is hardly a one-stop source for everything. He himself wouldn't ever claim to be... so why do we do this to ourselves and our industry?

I know it's tempting to take explicit direction from HD Moore, Halvar Flake, Dan Kaminsky, etc. etc. but is it really necessary to setup a Church or altar to them? It's not a coincidence we finally have a name for our Satan, APT/APA, and now the lines are being drawn for the holy security warriors behind their chosen Gods.

I hate this step in the life-cycle of industry but at least we've finally reached it and after eighteen months or so I expect it to be forgotten. Think C++ or Java... RISC or CISC.. these were all states in their sectors until multi-paradigm evolutions of each were the result. So hold on a bit longer, try not to worship too much, and get ready for the eventual amalgam of practices and beliefs.

The best part is, in the end, it'll be like a Presidential election... nobody will actually claim that they ever rooted for anyone. -Pk

I've often been asked by interns and recent graduates what they still needed to learn after they have their degree, certificates, and a few CONs under their belt. I felt like sharing with all two of you today.

• You never learned how to read code. You have a little C, Java, and Python under your belt and you likely studied secure programming principles. Maybe you had the fortune of working with Fortify or Ounce. However, at the end of the day you need to understand Code Reading. While you're at it make sure you understand various SDLC methodologies. The more you know the more likely you'll be invited closer to the development cycle instead of having to force yourself in. As an added bonus you might get to participate in actual product development and save your customer the embarrassment of developing an insecure product.
• Start reading The Economist and The Intelligence Daily at a minimum. Learn what makes the world and geopolitics tick. Understand corporate espionage, global and local partnerships, export and import controls, active contracts, and technology offset agreements. This bullet is all about operational business awareness. If you're ever in Defense or Energy space you'll have to learn to love technology offset agreements and export controls. It'll be the most stressful thing you didn't think of otherwise. I promise.
• You think you're a Network Engineer. You're not. Network Engineers think they're firewall guys. They're not. Come to terms with this and at least start trying to appreciate routing protocols, know exactly what backbone technologies you're using, be specific about what ~possible~ routes traffic can take, etc. Look, it'll be too late to explain you didn't know the backup lines worked on priority routing but were live for explicit host-to-host routing once the badness has already setup their internal extrusion pathway. And the default route or gateway of last resort? Make sure it's a network security device.
• Learn how to OSInt fingerprint your environment, your customers, and your adversaries. I've already covered the general idea in this post. Beyond that initial post Google Hack or Maltego for leaked network diagrams, information about your network included in documents now available via FOIA, and the lovely employee-student who gave their class all your architecture diagrams.
• Physical security means more than just jello on the fingerprint reader. Crawl spaces, wireless signal leakage, delivery docks, procedures for tracking and repudiating service personnel, lock-down procedures during fire or crime emergencies, DoS through electrical or cooling outages, exterior window visibility, transport for off-site tape storage, and offering education and implementation suggestions for the telecommuting contingent. Consider studying up on Classified area security requirements and see if you can get your local FedEx or Hospital security manager to share some of their own experiences with you. And understand a bit about TSCM but don't think you actually know anything about it yet.
• What was the development and maintenance life-cycle of the hardware and software you brought in the door? Who designed it? Where? Where does your core file go when you send it off? How solvent are these people? It's really a b*tch to find out your core or failed hardware is heading to India. Especially when the next week the vendor is closing its doors because they were already swimming in blood when they were brought in-house.
• You fail to understand you're not the business and rarely ever will be. Security has to be usable and you can't fight every next big thing customers want to bring in the door. They're going to use social networks, they're going to use Internet file sharing services, and they're going to lose their laptop or BlackBerry. So be ready to deal with anything instead of preaching about how wrong somebody was or stupid some idea is. I get it, we're all the Vice President of NO!.. but before you say no make sure you have some alternate suggestions that don't include trying to tell the customer they don't really need to be doing whatever it is they're asking you.

This is just a high-level generic list. If you don't understand something I've said above feel free to grab my contact information from the About page. If you've got all of the above covered I've got ninety three others for you too. Seriously, I'm blogging here and not writing comprehensively but I don't mind sharing interactively.

And I'm too tired to proofread my scratch. -Pk

[ Man I can come off as a pompous pious BoFH. Ping me via IM or email if you actually want more pointers. I'm not trying to infer you're a neophyte. Except you over there. Yeah, you. -Pk ]

[ UPDATE 01292010: A former intern reminded me I insisted they learn more about side-channel attacks. Indeed, that should be in the Top 7. -Pk ]

[ UPDATE 01302010: Thanks for the feedback via Twitter. @Barkybree reminded me that communication skills aren't a high-point for ITSec professionals. He used the term "madman" which is fairly accurate. We do have a tendency to be fatalistic about everything. And communication includes learning about metrics and data presentation. @Crabbyolbastard talked about managing your manager which is a varied art. If your manager is an immovable object, say like a Rhino, then go with at least a .416 Rigby. See, both readers responded. -Pk ]

Today has been a bizarre day but I did come across and start futzing with Groundspeed. It's a Firefox add-on for webapp penetration testing. Take a gander..

On a related note, take a look at the right-hand column and you'll see a Bitty Browser to Security Database Tools Watch. Sometimes I wish everything was on freshmeat.net but alas it doesn't work that way.

Anyhow, update your Tor/Vidalia installation and get on Groundspeed. Cheers, -Pk

[ BWAHAHA! might be (tm) @Jedimercer. -Pk ]

Dr. Ross Anderson is the closest equivalent to Dr. Richard Feynman that I've seen in the Security space. I don't say that lightly as Feynman is a regular hero in many Physics and Engineering departments. Feynman's lectures and work on the Challenger disaster are required study for being a human being.

Dr. Anderson already wrote one on the best tomes in Security space. And his department at Cambridge also has a fantastic blog that should be bookmarked. Twice.

His latest published collaboration is on the 3D Secure system used by Visa and MasterCard SSO authentication for online transactions. The paper, alternately titled How Not to Design Authentication, is like reading about kicking puppies. It's just painfully wrong and you wonder how such a thing could happen.

I'm pretty sure I stole kicking puppies from @Barkybree. Hrmm. I'm in a linking and phrase thieving mood. -Pk

[ UPDATE 01292010: The authors have a follow-up blog post on the topic. -Pk ]

While the 'I'm kind of a big deal' crowd and antimalware companies define, redefine, and take credit for APT (Advanced Persistent TALK), there is also a movement underway to demonstrate there is conflicting evidence China took part or takes part in cyberespionage. Herein lies the bigger problem with defining APT. APT is not an entity either.. APT is not China or Russia or the USA.

APT is a classification encompassing a generation of tactics, economics, metrics, mindsets, geopolitics, and partnerships.

• The tactics of APT include target selection, mission planning, personnel training, technology acquisition, etc. Very much in the Military and Intelligence mindset. This is no longer about massive botnets hoping to grab data all along the way.
• The economics of the APT have to be clear before starting operations and not just fiscal economics. Resource economics at all levels. APT knows its ROI.
• The metrics of APT are not unlike the traditional war-fighter or intelligence operative. Value of the information, plausible denial, patsies, useful data acquired versus total data transmitted, compression and encryption effectiveness, etc.
• The mindset of APT is probably the most variable because some are mercenary in nature, some are soldiers, some are privateers and pirates on their own. All are highly motivated and skilled, if they're not, they're not APT.
• The geopolitcs of APT parallel track the traditional geopolitical landscape. Period.
• The partnerships in APT are complex, buried in tradition sometimes, impossible to untangle, and these are ties that bind even more than traditional weaponry. Making a few hundred RPGs disappear for a ally is a lot easier than gigabytes of data, logs, lines of codes, and mouths. Yes, mouths... the cyberoperative still talks a lot more than the traditional one.

I'm throwing this concept out there to be ripped apart but in my tired mind that's a good view of what APT means. APT is everywhere people, get use to it. It has been around for a few years now, welcome to the party.

I've met APT, and you my friend are no APT. -Pk

[ UPDATE 03032010: APT as an acronym or anything meaningful is dead. It's now purely marketing jargon with "automated" and "accurate" tools for isolating and defending against APT. If it's automated and accurate then there is no A left in APT. And beyond that the number of variants, bitching about Cleared personnel ignoring Uncleared personnel (TRUE!), etc... it's just, *sigh*, a dead issue. I am now at the point where if APT ever had a meaning I don't even know what it is anymore. I hear those three letters and I cringe. Ugh. -Pk ]

Today we salute you Tcpreplay!

Armed with a pcap file you daringly split traffic into client and server until every last packet is accounted for.

DDoS, fuzzing, or hijacked Postscript.. you handle it all and replay it over-and-over to within a heartbeat of insanity.

Sure, nobody puts you in their top three tools list but nobody is a nobody and doesn't matter anyway.

So crack open a capture of this mornings SQL injection, because somebody has to do it, and rest easy knowing you're providing only the best in modern day network playback.

We salute you Tcpreplay!

...

In all seriousness, unlike the Bud Light ((tm) or something?) commercials, I'm not making fun here. Tcpreplay has figured me out some problems many times! Slainthe! -Pk

I wish TrackingTheThreat.com was more current and had some equivalent sites maintained for APT and other cybercharacters and cybertheatres. There are some private offerings that provide good cyberintelligence but are in serious need of visualization tools.

I think Paterva and FMS need to get busy and produce some offspring. Beer might help. -Pk

When reading the coverage of the Google/China dispute I was surprised that one of the biggest questions was still how did China know who to target? Going so far as insinuating it must be an inside job. Does anybody beside UN*X sysadmins remember finger? Remember for umpteen years we've been turning it off? Well, you can't turn it off now.

Between LinkedIn, Facebook, StumbleUpon, JetBytes, Twitter, TripIt, instant messaging, MMORPGs, Xfire, Filebox, Torrents, YouTube, VideoJug, any number of mailing lists, PassiveRecon, Maltego, MemeStreams, Google, Factiva, Data.gov, US Patent Office, and tens of other social networking and data sources it's impossible ~not~ to know who to target. You'd have to be a complete jester not to have done your homework to maintain cover, improve signal-to-noise, and keep your handlers/customers happy. [ Links intentionally excluded. -Pk ]

Your most valuable people are awarded, named in Patents, give talks, attend conferences, then they network with their peers, respond in mailing lists, etc. and all quite publicly. I do it, it's easy as sin to figure out how best to reach me or catch my eye. People get calls all the time claiming they've been suggested by so-and-so that they met here-or-there. Organizations are all too eager to educate their users about these risks during financial closings or mergers and acquisitions. This awareness has to become a permanent fixture with risks labeled and decisions based on data.

End-user education is a baseline but I'm strongly suggesting companies take their Competitive Intelligence departments and train that OSInt bend straight into their Human Resources departments too. Help HR help their customers (employees) know when their at higher risk and why. This is not a call to end all networking and Internet posting so don't start scrutinizing your employees personal lives. That's silly, I know from experience, .. this is about enabling your intellectual property workers with the same OSInt you give the Board.

Organizations also need to stop trying to hide who their most valuable employees are from their peers and competitors. We all already know who they are, get over it. Share this information during security cooperatives and cross-organization incidents. If they hit your Uber-widget Engineers then they'll go after your partners and peers same Uber-widget personnel. Knowing what they're after during a given frame is important. They might rotate attacks on clusters of similar organizations. Either way it's important to start sharing data while the patterns are simple (NOW!) so you can be prepared as attack patterns increase in complexity.

I'm half-asleep and I don't remember what triggered this rant *shrug*. -Pk

[ UPDATE 03032010: And with the recent news that the US Military is encouraging and allowing more social networking and even blogging from the front-lines this is more important to consider. DoD contractors and other shops that use the DoD and NSA as examples for restrictive policies are going to succumb to their end-users sooner rather than later. So start building those personnel intelligence programs and change end-user education modules. -Pk ]