<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-5471298593577534760</id><updated>2011-12-16T15:05:56.077-07:00</updated><category term='cluster headache'/><category term='iran'/><category term='tools'/><category term='peppers'/><category term='engarde'/><category term='Allergy'/><category term='cluster'/><category term='inspector'/><category term='omfg'/><category term='passphrase'/><category term='IT'/><category term='secure'/><category term='fbi'/><category term='chipotle'/><category term='hacking'/><category term='terrorist'/><category term='SELinux'/><category term='Allah'/><category term='war'/><category term='capsaicin'/><category term='sinusitus'/><category term='airport'/><category term='wargames'/><category term='Mormon'/><category term='nuclear'/><category term='PGP'/><category term='genius'/><category term='iraq'/><category term='domain'/><category term='invade'/><category term='christ'/><category term='myspace'/><category term='debilitating'/><category term='hardened'/><category term='linux'/><category term='scripting'/><category term='9/11'/><category term='attack'/><category term='clipper'/><category term='redford'/><category term='jesus'/><category term='migraine'/><category term='security'/><category term='intolerance'/><category term='chip'/><category term='Mitt Romnet'/><category term='schneier'/><category term='Cult'/><category term='chili'/><category term='airline'/><category term='LDS'/><category term='hot sauce'/><category term='Scientology'/><category term='god'/><category term='sneakers'/><category term='information technology'/><category term='headache'/><category term='justified'/><category 
term='password'/><category term='sinus'/><title type='text'>God and Security</title><subtitle type='html'>Ramblings on God, Jesus Christ and the Holy Spirit intertwine with my views on system, network, and national security.  I suppose my philosophy in all things is: Without God, there is no security.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>43</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-9198022105968524006</id><published>2009-02-22T13:32:00.002-07:00</published><updated>2009-02-22T13:41:21.505-07:00</updated><title type='text'>Capsaicin Headaches - A Cure?</title><content type='html'>Okay, "cure" might be a bit optimistic, but permit me to relate to you the events of the last two days:&lt;br /&gt;&lt;br /&gt;I took my family out to Old Chicago.  Now, I have not been avoiding restaurants which have hot food because I don't ever want to be "that person".  
You know, the one where you have to watch what you serve because he doesn't eat fish (which I don't), doesn't eat Chinese (which I don't), doesn't eat meat (which I do!), or has some other dietary restrictions which always seem to be imposed on those around him.&lt;br /&gt;&lt;br /&gt;Buuuut, after trying to get my family to go to Three Margaritas or another fine Mexican restaurant (knowing I'd have to probably eat off the kids' menu), we decided on Old Chicago.  For those who are unfamiliar with it, it's an awesome pizza-and-beer joint.&lt;br /&gt;&lt;br /&gt;I ordered their "Double Deckeroni" pepperoni pizza.  No big deal.&lt;br /&gt;&lt;br /&gt;I took my first bite, and *hot*.  Yes, it was too hot to be spiced with Italian spices.  I knew right away there were some peppers in it which would cause me a massive headache, but I also know that it only takes a few drops, so I was screwed already.&lt;br /&gt;&lt;br /&gt;So I finished that piece.&lt;br /&gt;&lt;br /&gt;Then I asked the waitress what is in it.  She responded "Oh, they sprinkle quite a bit of Frank's Red Hot in there...".&lt;br /&gt;&lt;br /&gt;Crap.  Well, that explained it.  (The menu only says that it has a "spicy sauce", not that it's Frank's or Bruce's or whatever).&lt;br /&gt;&lt;br /&gt;This time, unlike any other, I was determined to head off the impending doom.  I immediately took 2 Benadryl.  Every 4 hours afterwards for 36 hours I took 2 more.  (This exceeded the daily recommendation, I should mention).&lt;br /&gt;&lt;br /&gt;HOWEVER, now it has been over 40 hours and I have had no headache!  Typically one would start from 4 to 20 hours later.&lt;br /&gt;&lt;br /&gt;Now, the trade-off is that Benadryl puts me to sleep.  Soooo, I'm not going to be adding red peppers back into my diet, but I now at least know that if I slip up then I am not doomed to a dozen hours of "holy @%@%$ my head hurts".&lt;br /&gt;&lt;br /&gt;Now, dare I say it, I need to test this twice more.  
Once to set off a headache again with a known food, and NOT treat it, and then set off yet ANOTHER but treat it as I did this one.&lt;br /&gt;&lt;br /&gt;I hope this info helps someone.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-9198022105968524006?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/9198022105968524006/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=9198022105968524006' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/9198022105968524006'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/9198022105968524006'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2009/02/capsaicin-headaches-cure.html' title='Capsaicin Headaches - A Cure?'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-5543240100489911011</id><published>2009-02-12T00:05:00.002-07:00</published><updated>2009-02-12T00:13:35.566-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sinus'/><category scheme='http://www.blogger.com/atom/ns#' term='peppers'/><category scheme='http://www.blogger.com/atom/ns#' term='sinusitus'/><category scheme='http://www.blogger.com/atom/ns#' term='headache'/><category scheme='http://www.blogger.com/atom/ns#' term='chili'/><category 
scheme='http://www.blogger.com/atom/ns#' term='migraine'/><category scheme='http://www.blogger.com/atom/ns#' term='intolerance'/><category scheme='http://www.blogger.com/atom/ns#' term='capsaicin'/><category scheme='http://www.blogger.com/atom/ns#' term='Allergy'/><category scheme='http://www.blogger.com/atom/ns#' term='cluster headache'/><title type='text'>Capsaicin Headaches, Take 3</title><content type='html'>Okay, now we're at 4 1/2 months.  I've seen an allergist (who is supposed to be an expert at allergies and intolerances) and MAN was that worthless.&lt;br /&gt;&lt;br /&gt;Me: I've had headaches on and off for the last 6 years or so, all year round.  Over the last year they increased in frequency to almost daily.  Then, in October when I stopped eating capsaicin, they disappeared overnight.&lt;br /&gt;&lt;br /&gt;Doc: Hmmm.  Since they disappeared at the end of allergy season I don't think it's capsaicin.  It's probably your grass allergy.&lt;br /&gt;&lt;br /&gt;Me:  Did you catch the fact that it's been going on for SIX FRIGGIN YEARS????&lt;br /&gt;&lt;br /&gt;Anyway, a few interesting tidbits...&lt;br /&gt;&lt;br /&gt;Now, when I *do* have something hot (to test it) I now have NO tolerance for hot sauce!  Man, even the lamest, mildest seasoning is hot to me.&lt;br /&gt;&lt;br /&gt;My impression is also that my intolerance is getting significantly worse.  Early on (November), I was able to have 4 drops of Cholula sauce on Mac and Cheese to no effect.  It would take a bit more for me to get a mild headache.  Now, the dreaded 4 drops and I'm in significant (though not quite debilitating) pain about 4 hours later.  In fact, I'm going to test this weekend to see if the trivial amount of capsaicin in Doritos is causing me a problem...&lt;br /&gt;&lt;br /&gt;*sigh*, I miss my burritos, but not my headaches.  Soon, though, I'm going to try to test it after I take a few allergy meds (which I don't take regularly right now).  
maybe if I load up on Zantac or Benadryl before I eat it will help.  Of course, this will only work if it's an ALLERGY, not an INTOLERANCE.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-5543240100489911011?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/5543240100489911011/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=5543240100489911011' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5543240100489911011'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5543240100489911011'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2009/02/capsaicin-headaches-take-3.html' title='Capsaicin Headaches, Take 3'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-4925682724136514505</id><published>2008-12-30T22:44:00.004-07:00</published><updated>2008-12-30T22:51:04.577-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='omfg'/><category scheme='http://www.blogger.com/atom/ns#' term='headache'/><category scheme='http://www.blogger.com/atom/ns#' term='hot sauce'/><category scheme='http://www.blogger.com/atom/ns#' term='cluster'/><category scheme='http://www.blogger.com/atom/ns#' term='migraine'/><category scheme='http://www.blogger.com/atom/ns#' term='capsaicin'/><category 
scheme='http://www.blogger.com/atom/ns#' term='chipotle'/><title type='text'>Capsaicin Headaches, Take 2</title><content type='html'>Well, now I am at about the 3 month mark in my experiment (&lt;a href="http://godandsecurity.blogspot.com/2008/10/capsaicin-intolerance.html"&gt;eliminating capsaicin from my diet&lt;/a&gt;) and I have had a total of 4 headaches in the last three months and all but one were deliberately triggered.  This is fascinating to me, as I wonder how many people are suffering the same as I am!&lt;br /&gt;&lt;br /&gt;...and I'll tell you what, the idea of taking a &lt;a href="http://www.google.com/products?hl=en&amp;amp;q=capsaicin+nasal+spray&amp;amp;um=1&amp;amp;ie=UTF-8&amp;amp;sa=X&amp;amp;oi=product_result_group&amp;amp;resnum=1&amp;amp;ct=title"&gt;capsaicin spray&lt;/a&gt; and sticking it up my nose as a "cure" scares the crap outta me.  I sure hope it works for other folks who are having a different problem than I, but for me I think I would prolly be in so much pain I would put a bullet through my skull.&lt;br /&gt;&lt;br /&gt;Short update, and I'm grateful.  I feel SOOOOO much better.  
4 months ago I would not have even dared to dream I could be headache free for even so much as two weeks in a row...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-4925682724136514505?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/4925682724136514505/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=4925682724136514505' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/4925682724136514505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/4925682724136514505'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2008/12/capsaicin-headaches-take-2.html' title='Capsaicin Headaches, Take 2'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-7232702150442104921</id><published>2008-10-28T21:06:00.004-06:00</published><updated>2008-10-28T21:26:18.361-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sinus'/><category scheme='http://www.blogger.com/atom/ns#' term='peppers'/><category scheme='http://www.blogger.com/atom/ns#' term='headache'/><category scheme='http://www.blogger.com/atom/ns#' term='chili'/><category scheme='http://www.blogger.com/atom/ns#' term='cluster'/><category scheme='http://www.blogger.com/atom/ns#' term='debilitating'/><category 
scheme='http://www.blogger.com/atom/ns#' term='migraine'/><category scheme='http://www.blogger.com/atom/ns#' term='intolerance'/><category scheme='http://www.blogger.com/atom/ns#' term='capsaicin'/><category scheme='http://www.blogger.com/atom/ns#' term='Allergy'/><title type='text'>Capsaicin Intolerance</title><content type='html'>Okay, so this is neither about God, nor is it about security, but it's too important for me to not post, so here goes.&lt;br /&gt;&lt;br /&gt;I have had debilitating headaches for years.  Probably 6 or 7.  They would typically hit one side of my head, often behind the eye, or to the side at the temple.  My neck would sometimes hurt as if it were "out of whack".  For years I had a "cure."  I would take 3 Advil and one red Sudafed pill, then I would lie on my back for 45 minutes.  It seemed that, usually, at the 45 minute mark I would feel my sinuses crackle and drain, and my headache would go away.&lt;br /&gt;&lt;br /&gt;Recently, about a year ago, this stopped working.  I'd still do it, in hopes that it was lessening the pain, but it became a case of having to wait them out.  This was unfortunate, as they used to also disappear without treatment overnight.  Now, they would last for over 24 hours with alarming regularity.  They were also happening much more frequently.  What used to be an occasional (every month) occurrence became every week and then many times per week.  They weren't always debilitating, but half of the fear was knowing that it *may* turn into a killer suicidal OMFG headache.&lt;br /&gt;&lt;br /&gt;I went to the doctor, and we tried Butalbital.  Some luck keeping the killer ones at bay, but I still had headaches, now more often than not (this was over this last summer).  When my prescription ran out, I was screwed.&lt;br /&gt;&lt;br /&gt;Then something strange happened: Someone at work mentioned allergies.  I did some searches, but couldn't find anything that seemed to be what I wanted.  
Allergies involve an immediate reaction to the stimulus.  I had seen no pattern of even vaguely immediate feedback.  I would get them just before heading home frequently, no matter what I had (or didn't have) for lunch.&lt;br /&gt;&lt;br /&gt;One article, however, mentioned "intolerance" factors.  I looked them up, and they seemed focused on things like lactose intolerance and such which manifest as gastrointestinal problems.&lt;br /&gt;&lt;br /&gt;Not me (or, at least, not my primary problem).  They *did* have one interesting factor, however: timing.  Intolerance issues would regularly be hours to a day and a half later.  Still, these didn't point to headaches.&lt;br /&gt;&lt;br /&gt;One site (wish I could remember which) had a side note about capsaicin intolerance.  You know, that chemical that makes chili peppers hot?  One result of this was -- Ta Daaa! -- headaches.&lt;br /&gt;&lt;br /&gt;My life is hot food.  Most mornings, I would get a breakfast burrito at my local joint and it would be HOT.  My wife makes the best green chili in the world.  I love the Armadillo, Three Margaritas, Q-Doba, Chipotle and many local Mexican food joints.&lt;br /&gt;&lt;br /&gt;I put Cholula, Frank's, Bruce's, and Louisiana style hot sauce on darn near everything except cold cereal.&lt;br /&gt;&lt;br /&gt;But I stopped cold turkey a month ago.&lt;br /&gt;&lt;br /&gt;No headaches.  None.  Nada.  Zilch.&lt;br /&gt;&lt;br /&gt;Damn.&lt;br /&gt;&lt;br /&gt;Last Friday (3 and a half weeks into this) I put it to the test: Three steak soft tacos from Chipotle Grill for lunch.&lt;br /&gt;&lt;br /&gt;A tickly Friday evening, and a headache all day Saturday.  Not a debilitating one (after all, I didn't put hot sauce on them, and I ordered them mild) but the chipotle marinade seems to have been enough to set off a minor headache.&lt;br /&gt;&lt;br /&gt;I will give updates, but I wanted to post this as I could find no one else who seemed to share my problem.  
For someone out there, I hope my discovery will help you, because I was getting near my wits end.&lt;br /&gt;&lt;br /&gt;Now I feel great!&lt;br /&gt;&lt;br /&gt;-B&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-7232702150442104921?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/7232702150442104921/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=7232702150442104921' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/7232702150442104921'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/7232702150442104921'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2008/10/capsaicin-intolerance.html' title='Capsaicin Intolerance'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-4716692736124669500</id><published>2008-05-29T00:20:00.005-06:00</published><updated>2008-05-29T00:40:46.833-06:00</updated><title type='text'>Hacking Exposed and Customer Focus</title><content type='html'>Recently (yesterday) I had the opportunity to chat over a meal with George Kurtz, a Senior Vice President and general manager in charge of McAfee's Risk and Compliance unit.  (whew, that's a mouthful).  
In attendance were a small number of other CSOs (or equivalent) and we listened to George, also a co-founder of Foundstone, the premier vulnerability scanning solution.&lt;br /&gt;&lt;br /&gt;We also bounced some ideas back and forth and generally shared information like good stewards of our respective enterprises.&lt;br /&gt;&lt;br /&gt;So, keep in mind that McAfee is a vendor.  They sell products and services.  I found it fascinating that one of the most common themes to the questions was not technology, rather it was something relating to the "human" side of information security.  Questions such as: How can we justify headcount?  Who dictates policy?  How do we show value to management?&lt;br /&gt;&lt;br /&gt;I find this interesting for two reasons.&lt;br /&gt;&lt;br /&gt;One: security people often tend to be caricatures of other IT folks.  Even more "black cave" oriented, less social, creepy, etc...etc... and yet this group had the presence of mind to recognize that, though we would prefer to be "tools" to be wielded by others (to paraphrase a coworker, who hates the "political" side of security), we recognize the need to interact, "sell", and justify.  These ubergeeks recognize the human side.&lt;br /&gt;&lt;br /&gt;Two: McAfee is an odd company to ask these kinds of questions of.  These questions would clearly fall "outside the scope" of any implementation.  Still...I think they were well founded and well targeted.  After all, McAfee is, in the end, interested in selling us their solution just as we are interested in selling management our "solution" as CSOs.  George gave an example of something they did for a customer which wouldn't fall under "best practices", but did fall under the scope of "serving" the customer.  
They chose to accept the risk, a concept that amateur IS professionals still seem to struggle with.&lt;br /&gt;&lt;br /&gt;For all that we discussed, I received a good lesson on identifying, understanding, servicing and even measuring our "customers".  My customers are the HR and legal departments, as well as the business units who rely on me to keep them safe while keeping them running.  The "A" in the CIA model (Confidentiality, Integrity, Availability).  Though it's redundant, I like to add "U" for "utility".  Sure the data is there, but can our customers *use* it?&lt;br /&gt;&lt;br /&gt;So, although I tend to be merciless with vendors (I was one, once, and I *still* have no sympathy for them!) I learned that these guys see the breadth of security implementations that I do not, and they may actually have a good idea or two.&lt;br /&gt;&lt;br /&gt;Even if it's outside their product line.&lt;br /&gt;&lt;br /&gt;PS...thanks to Sam Van Ryder for reminding me why I like to do this stuff.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-4716692736124669500?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/4716692736124669500/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=4716692736124669500' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/4716692736124669500'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/4716692736124669500'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2008/05/hacking-exposed-and-customer-focus.html' title='Hacking Exposed and Customer 
Focus'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-6316162298950388979</id><published>2008-05-28T18:23:00.002-06:00</published><updated>2008-05-28T18:35:54.838-06:00</updated><title type='text'>CISSP</title><content type='html'>Okay, so after years of putting off taking the &lt;a href="https://www.isc2.org/cgi-bin/content.cgi?category=1331"&gt;CISSP&lt;/a&gt; examination (read: trying to get someone else to pay for it) I finally scheduled my exam and took it in April.  There are plenty of posts about it, and I don't want to duplicate what others have said, so I'll just put in this small bit:&lt;br /&gt;&lt;br /&gt;If you can regularly pass the &lt;a href="http://www.freepracticetests.org/quiz/quiz.php"&gt;FreePracticeTest&lt;/a&gt; exams online with an 80 or higher, then you are most of the way there.  I don't think I ran into a single question on FreePracticeTests (FPT) that was on the actual exam, but they give a *great* feel for what to expect.  This means, however, that just learning the answers to FPT won't do you any good.&lt;br /&gt;&lt;br /&gt;In my case, I had 10+ years of dedicated info security experience by the time I took the test, plus years of consulting and SA/SE work prior to that, so there was little on there to surprise me.  What I did was go out and buy Shon Harris' &lt;a href="http://www.amazon.com/CISSP-Certification-All-One-Guide/dp/0071497870/ref=pd_bbs_sr_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1212020663&amp;amp;sr=8-1"&gt;excellent book&lt;/a&gt; and read the chapter titles to see what areas I seemed lacking in (based on the FPT).  
Really, I only had one weakness, and that was the Orange book stuff, so I read that chapter a few days before the test.&lt;br /&gt;&lt;br /&gt;The night before the test I read each of the "quick tips" sections (there is one at the end of each chapter starting with chapter 3 or 4) which are a few pages of...um...quick tips.&lt;br /&gt;&lt;br /&gt;That's it.  Finished answering well before the 3 hour mark, and finished my double-and triple checking shortly after the 3 hour mark.  (I only rechecked questions I wasn't 100% sure about, which was somewhere on the order of 50 or so out of the 250...and in some cases other questions on the test gave these answers.)&lt;br /&gt;&lt;br /&gt;One of my peeves is when you are experienced in your field but you have no idea how well that experience will translate to a test.  In my case, at least, a half-score of years in IT security seemed to translate well, as I passed my first try.&lt;br /&gt;&lt;br /&gt;Good luck to you, if such is in your future!&lt;br /&gt;&lt;br /&gt;Oh, and it *did* feel grueling!  I was wiped out afterwards.   
:-)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-6316162298950388979?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/6316162298950388979/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=6316162298950388979' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/6316162298950388979'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/6316162298950388979'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2008/05/cissp.html' title='CISSP'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-1504632194024103546</id><published>2008-02-11T10:15:00.000-07:00</published><updated>2008-02-11T10:32:04.034-07:00</updated><title type='text'>Security Incident Cost BS</title><content type='html'>Sometimes the obvious isn't.  Apparently.&lt;br /&gt;&lt;br /&gt;An organization I'm familiar with recently had a small "virus" outbreak.  It wasn't really a virus, but I'll call it that for simplicity.  This "virus", though it infected over a score of computers, was largely held at bay due to defense-in-depth.  It couldn't communicate with the outside world because of our firewalls and some local policy stuff on the workstations, but it *did* infect them in such a way that McAfee couldn't find them.  
It took an analysis of firewall logs to track the compromised systems down.&lt;br /&gt;&lt;br /&gt;All well and good.  Nothing new.&lt;br /&gt;&lt;br /&gt;Now, we have an estimate of how much this incident "cost" the organization.  I was peripheral to the cost calculation, but it seemed based on a simple I-CAMP model (&lt;a href="http://www.securityfocus.com/infocus/1592"&gt;here's a good article on it from 2002&lt;/a&gt;) where you take the time people put into remediating the issue, and multiply by their wage.  Thus, 5 administrators who each put in 10 hours at $50/hour would show a cost of (# of administrators) X (# of hours) X (hourly wage) or 5 X 10 X $50 = $2500.&lt;br /&gt;&lt;br /&gt;(Yes, I know, very simplified as each administrator was receiving the same pay...I'm lazy, what can I say).&lt;br /&gt;&lt;br /&gt;Now, David in the article above goes to great lengths to defend this formula (granted it was in 2002, so he may have recanted...I don't know) and even goes beyond it to state how hard it is to calculate losses such as reputation, revenue and insurance deductibles.&lt;br /&gt;&lt;br /&gt;Hello?   Sounds like a good use for &lt;a href="http://www.thebsflag.com/"&gt;this&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Do any of these people actually have jobs?  I've been involved in countless incidents, and you know what?  I've rarely received an unbudgeted dime for my involvement, and yet I know that I am *always* calculated into the "cost" of the incident.&lt;br /&gt;&lt;br /&gt;When I was at (insert telecom company here), we had the Code Red outbreak, and my hours were figured into the cost.  Guess what?  I was doing my job.  Oh, and those things that didn't get done because I was working on Code Red?  Oh, THERE WEREN'T ANY, because I still had to get them done.  Thank heavens I got paid overti....oh, yeah I didn't.  I just had to do my flogging job.&lt;br /&gt;&lt;br /&gt;And somehow this was wrapped into an incident cost.  
Was it used to justify  more headcount (which would have made sense and turned it into a real cost)?  Nope.  Just a great number to flash around.&lt;br /&gt;&lt;br /&gt;Now, I'm not a Kevin Mitnick fan (nor am I a detractor...I just don't give much of a rip) but for all of the "losses" his exploits caused there was a great similarity to the "losses" we had sustained from Code Red.&lt;br /&gt;&lt;br /&gt;Not a single SEC filing showing actual loss.&lt;br /&gt;&lt;br /&gt;Don't get me started on "losses" regarding governmental incidents.  Governments (local, state, federal, etc) have captive audiences, so they aren't worried about "revenue loss".  When they can show me costs associated with unbudgeted items (snowplow rental, contract employees, or overtime paid to employees) associated with an incident, then I'll believe them.&lt;br /&gt;&lt;br /&gt;Otherwise, it's just a bunch of people working a little harder at their jobs.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-1504632194024103546?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/1504632194024103546/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=1504632194024103546' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1504632194024103546'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1504632194024103546'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2008/02/security-incident-cost-bs.html' title='Security Incident Cost 
BS'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-3965825086388367271</id><published>2007-10-06T14:57:00.000-06:00</published><updated>2007-10-06T15:29:50.967-06:00</updated><title type='text'>Skeptical on Skepticism</title><content type='html'>For every post here on God And Security, 20 posts never make it out of my head, and instead go "unposted".  Throughout the weeks, many items catch my fancy, thoughts come and go, and my job gets in the way (I need to post from home, ya see...).&lt;br /&gt;&lt;br /&gt;Today, one escaped.  Here are some thoughts on &lt;a href="http://www.google.com/search?source=ig&amp;amp;hl=en&amp;amp;q=define%3A+skeptic&amp;amp;btnG=Google+Search"&gt;skepticism&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Many of today's atheists prefer to be called "skeptics".  I suppose this is because "atheism" sounds like (and, indeed has largely become) a religion.  Skeptics (in this context) are people who proclaim non-theism in light of the lack of proof, and then take the stance that the lack of proof (or acknowledging that they won't likely &lt;a href="http://www.infidels.org/library/modern/richard_carrier/theory.html"&gt;prove a negative&lt;/a&gt;)  is reason enough to take a contradictory stance.&lt;br /&gt;&lt;br /&gt;These pseudo-scientists  seek to show that a lack of first-person, verifiable positive feedback (i.e. proof) is reason to take a stance on (or, more specifically, against) an item.  
In this case, the case for God.&lt;br /&gt;&lt;br /&gt;I say "pseudo scientists" because real scientists throughout history have often taken an idea that seems preposterous in comparison to &lt;a href="http://www.alaska.net/%7Eclund/e_djublonskopf/Flatearthsociety.htm"&gt;popular belief&lt;/a&gt; and searched for a reason to believe, rather than a &lt;a href="http://www.infidels.org/"&gt;reason not to&lt;/a&gt;.  The skeptics seem to focus their skepticism solely (or primarily) on God, rather than on so many other earthly things.&lt;br /&gt;&lt;br /&gt;For example, &lt;a href="http://www.guardian.co.uk/science/2007/oct/06/genetics.climatechange"&gt;this article&lt;/a&gt; talks about a scientist who may claim to have created a brand new life form in a laboratory.   I take a skeptical position only because the history of scientific breakthroughs is &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2005/12/23/AR2005122301518.html"&gt;dubious at best&lt;/a&gt;.  For each huge breakthrough, there are &lt;a href="http://en.wikipedia.org/wiki/Incandescent_light_bulb"&gt;10,000 utter failures&lt;/a&gt;, and in today's media those utter failures garner some significant attention.  Despite this, these same skeptics who approach any possible proof of God as fraud are silent when "their team" comes up with an (unlikely) scientific breakthrough, such as artificial life.&lt;br /&gt;&lt;br /&gt;Don't get me wrong.  God has given us the tools to do amazing things, and I think that we *will* be &lt;a href="http://godandsecurity.blogspot.com/2006/12/future-of-christianity-i.html"&gt;able to "create life" some day&lt;/a&gt;, and it will be interesting to see where theology goes at that time.  I'm just making a call out to my skeptical friends to realize that they aren't "skeptics" when their only focus is God.  They're "atheists".&lt;br /&gt;&lt;br /&gt;Or, maybe we can just call them "targeted skeptics",  or "double-standard skeptics".  
I suppose, however, that we should show some compassion.  Interestingly, many of the skeptics I know appear to be that way because someone, at some time, turned on them in their church.  Someone who didn't accept their lifestyle, maybe.&lt;br /&gt;&lt;br /&gt;That someone was *not* God.  That someone was another flawed human being, quite likely being a poor steward of the faith, just as &lt;a href="http://en.wikipedia.org/wiki/Hwang_Woo-Suk"&gt;Woo-Suk Hwang&lt;/a&gt; was a poor steward for science, cloning and stem cell research.&lt;br /&gt;&lt;br /&gt;But skeptics don't want to hear any comparisons, for they have an axe to grind and logic and comparisons have no place.&lt;br /&gt;&lt;br /&gt;Ironically.&lt;br /&gt;&lt;br /&gt;Rather than focus on the existence of God, I have a suggestion for skeptics.  This suggestion is based on my experience that the skeptics I have known believe that the belief in God is a negative force, causing war and strife.  Something I disagree with, but that's not the point.  
I agree with &lt;a href="http://www.csmonitor.com/2006/1121/p09s01-coop.html"&gt;this person&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Instead, how about if the skeptics (who are *not* likely to convert people) enter into philosophy and theology to help those who "misuse" God's (or god's or gods' or Allah's) name(s) to help them understand why (deity of choice) doesn't support that view.&lt;br /&gt;&lt;br /&gt;Just a thought.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-3965825086388367271?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/3965825086388367271/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=3965825086388367271' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/3965825086388367271'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/3965825086388367271'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/10/skeptical-on-skepticism.html' title='Skeptical on Skepticism'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-2935083901119886790</id><published>2007-07-16T21:44:00.000-06:00</published><updated>2007-07-16T21:48:24.406-06:00</updated><title type='text'>The New Athiests</title><content type='html'>&lt;a 
href="http://www.opinionjournal.com/editorial/feature.html?id=110010341"&gt;I don't have much to add to this.  Many interesting points here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Peter, as with many people taking an&lt;a href="http://www.google.com/search?hl=en&q=define%3A+apologetics&amp;amp;btnG=Google+Search"&gt; apologetic&lt;/a&gt; view (if you're not familiar with my use of "apologetic", follow the link), doesn't have the time or space to fully cover the issues, but he does an excellent job of providing some first arguments (which means there are a dozen counter-arguments and counter-counter arguments) to some interesting issues, as well as his classification of what makes the "new atheist", which is what I found the most interesting.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-2935083901119886790?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/2935083901119886790/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=2935083901119886790' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2935083901119886790'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2935083901119886790'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/07/new-athiests.html' title='The New Athiests'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-4883629871599718373</id><published>2007-06-12T15:09:00.000-06:00</published><updated>2007-06-12T15:18:55.061-06:00</updated><title type='text'>Oh NAC, We Hardly Knew Ye...</title><content type='html'>...before ye were corrupted by the Forces of Evil(tm).&lt;br /&gt;&lt;br /&gt;An acquaintance of mine just returned from Interop with a drawerful of information which he showed to me.  Having spent 18 months doing NAC deployments around the country and overseas, I was bummed at the direction many of the security^H^H^H^H^H^H^H^Hsoftware companies are taking this technology.&lt;br /&gt;&lt;br /&gt;Let me clarify NAC (Network Access Control) for you.  NAC is:&lt;br /&gt;-Verifying the security posture of a system and the identification of a user to allow the user to use the system to gain access to the appropriate network, such as the enterprise, management or guest network.  (Authorization may then allow the user to access resources on said network).&lt;br /&gt;&lt;br /&gt;NAC is not:&lt;br /&gt;-Anti-Virus (A/V)&lt;br /&gt;-Anti Spyware (A/S)&lt;br /&gt;-Endpoint (personal) firewall (E/F)&lt;br /&gt;-posture/profile control (blocking USB devices, for example)&lt;br /&gt;-A patching system&lt;br /&gt;&lt;br /&gt;Once upon a time, NAC was a tool independent of the desktop security posture components (A/V, A/S, E/F, etc...) used to verify the functionality of these tools.  A NAC posture server would communicate with the endpoint to test the endpoint to ensure that all of the requisite components were in place.&lt;br /&gt;&lt;br /&gt;Now we have the SAK (Swiss Army Knife) "security" companies who make entire suites of products entering the NAC game.  
I have no problem with this.&lt;br /&gt;&lt;br /&gt;I *do* have a problem with them verifying the integrity of their own suite.&lt;br /&gt;&lt;br /&gt;Here's why: one common thread to most of the NAC installations I did was that the A/V tools consistently give false positives on their own deployment to the tune of 5% to 10% of the time.  Translated, this means that for every 100 computers in an enterprise, 5 to 10 of them report as having A/V, BUT DO NOT HAVE A FUNCTIONAL A/V SOLUTION IN PLACE.  This may be for a number of reasons, but my point is that if McAfee (in one example) has just mis-reported 800+ computers in an enterprise of 10,000 as having anti-virus when it is NOT installed and running, then I do NOT want to use McAfee as a tool to verify my security posture!&lt;br /&gt;&lt;br /&gt;I want a tool unrelated to the system's security posture to verify everything else.&lt;br /&gt;&lt;br /&gt;Don't get me wrong: McAfee having an 8% false positive rate does not put the "suck" label on them.  To the contrary, it puts the "typical" label on them!  Symantec and Trend fared no better.  Additionally, tests we ran on the success of MS SMS changes fared slightly poorer.  In cases where SMS was used to push out an application, we typically had a 10-20% failure rate, and many of the failures reported as false positives.&lt;br /&gt;&lt;br /&gt;Don't let the SAKs influence you.  Simply adding a NAC component to a suite you already have deployed is shortsighted thinking (or it's "shut up the auditor" thinking...been there...done that).  Do it right, and let NAC stand alone.  
Think of it as the programmatic equivalent of separation of duties.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-4883629871599718373?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/4883629871599718373/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=4883629871599718373' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/4883629871599718373'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/4883629871599718373'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/06/oh-nac-we-hardly-knew-ye.html' title='Oh NAC, We Hardly Knew Ye...'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-3306427520310348025</id><published>2007-05-24T14:55:00.002-06:00</published><updated>2009-02-08T07:48:55.185-07:00</updated><title type='text'>PGP Primer</title><content type='html'>I recently saw a posting in which the &lt;a href="http://blogs.guardian.co.uk/askjack/2007/05/pretty_good_privacy_with_pgp.html"&gt;blogger answers a question about "how PGP works.&lt;/a&gt;"  I have no real context for why the question was asked (there's a reference I didn't follow at the beginning) but I found the description of PGP (Pretty Good Privacy) a bit brief.&lt;br /&gt;&lt;br /&gt;So I'll give something more lengthy.  
Anyone who knows me knows that being verbose is *not* one of my gifts.  However, I'll shoot for something between a brief one-line definition and a &lt;a href="http://en.wikipedia.org/wiki/Pretty_Good_Privacy"&gt;Wikipedia article&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;First, PGP's primary uses:&lt;br /&gt;Encrypting messages and files&lt;br /&gt;Digitally signing messages and files&lt;br /&gt;&lt;br /&gt;Encryption - Many people are familiar with a basic way to encrypt something on a computer.  You put a password on it, and anyone who knows that password can read it.  PGP is novel in that it uses a different paradigm.  Rather than give you the specifics on how it works, I'll give you an illustration on how it functions:&lt;br /&gt;&lt;br /&gt;You have an unlimited number of safes (as in a safe you would put money or documents into).  You give these safes to all of your friends.  In fact, you may put your safes out on a street corner where anyone who knows where to find them can get them.&lt;br /&gt;&lt;br /&gt;These friends can put anything in the safe they want.  The catch?  Once they lock the safe, only *you* have the combination.&lt;br /&gt;&lt;br /&gt;That's effectively how PGP encrypts things.  You have a public key (the safe you distribute to anyone) and a private key (the combination).  Anyone can take a message and "put it in your safe" (encrypt it to the public key) but only you can unlock it (decrypt it, which is only possible with the private key...and the NSA).  Make sense?  Even when your friends can put stuff in the safe, they cannot then open up the safe!  Once it's in, it's in until YOU pull it out.&lt;br /&gt;&lt;br /&gt;Digital Signing - Now, we're going to change the example a bit.  THIS time, you have all of the safes, and they are transparent.  You still are the only one who has the combination.  You wish to send a document to Cheryl, and Cheryl needs to know it came from you and no one else.  
You put your document in the clear safe and send it to Cheryl.  She receives it and cannot "open" it, but she can do two critical things:&lt;br /&gt;    She can read the message (it is in a clear safe, after all)&lt;br /&gt;    She can verify that it is *your* safe and no one else's, because she knows only you have the key to this safe.  Furthermore, she can "verify" the safe is yours, because she can take one of the non-clear safes (from the previous example) and verify that they have the same combination (though she can't tell what it *is*, only that they match).&lt;br /&gt;&lt;br /&gt;This whole thing with "safes" and "combinations" is done with some killer mathematics.  This math is what allows one person to encrypt a message (to the public key), but not to decrypt the message.  The "decryptor" must have the rest of the mathematical formula, which is the private key.&lt;br /&gt;&lt;br /&gt;There is a factor that makes or breaks PGP: &lt;a href="http://en.wikipedia.org/wiki/Web_of_trust"&gt;the web of trust&lt;/a&gt;.  Basically, when you receive your safe from Bob (a safe for you to put documents into to encrypt them so only Bob can read them), there needs to be a process by which you verify *beyond*a*shadow*of*a*doubt* that it did, in fact, come from Bob.&lt;br /&gt;&lt;br /&gt;You look on the bottom of the safe, and it has some special numbers.  You call Bob, and ask him to tell you what numbers *should* be on the bottom of the safe (kinda like a serial number).  If they don't match, then someone *else* sent you a safe claiming it was Bob.  This is bad, because it means that once you put your stuff in the safe, Bob can't read it!  
Only the person who *actually* sent you the safe can read it!&lt;br /&gt;&lt;br /&gt;Since the numbers are an integral part of the math, someone else cannot "forge" a safe with the wrong numbers on it.&lt;br /&gt;&lt;br /&gt;Lastly, and to dive into the web of trust further, it can become a pain to have to call or meet with *every*single*person* with whom you wish to exchange encrypted information.  Thus, you can pick a person and "trust" them to a certain degree.  Thus, Cheryl (who knows Bob is a security professional, for example) trusts him and tells *her* system that any key that Bob has verified, she should view as verified as well.  Bob, knowing that Cheryl is a bit of a n00b, may not reciprocate and may decide that he trusts only Cheryl's key, but any other key he gets through her must be verified by him explicitly.&lt;br /&gt;&lt;br /&gt;In this way, companies who use PGP widely can set up an "office of trust" (or, a Corporate Signing Key) and they can verify the keys of all employees for all other employees.  It is, after all, HR's job to check IDs and stuff before people start work.  Employees then can choose to trust the Corporate Signing Key, and then each employee does not need to verify every other employee.&lt;br /&gt;&lt;br /&gt;Make sense?  No?  
Post!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-3306427520310348025?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/3306427520310348025/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=3306427520310348025' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/3306427520310348025'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/3306427520310348025'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/05/pgp-primer.html' title='PGP Primer'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-7248403378270669831</id><published>2007-05-23T12:22:00.000-06:00</published><updated>2007-05-23T12:48:35.168-06:00</updated><title type='text'>Airport Security Part II: Anticipation is Making Me Wait</title><content type='html'>Over the last three years, I have probably had to go through an airport security screening line on average of once per business day.  
I've seen *many* things.&lt;br /&gt;&lt;br /&gt;While it's popular to &lt;a href="http://whirledview.typepad.com/whirledview/2007/02/what_airport_se.html"&gt;attack airport screening&lt;/a&gt;, and I suppose it's apropos considering some of the &lt;a href="http://www.crm-daily.com/news/Lost-TSA-Drive-Highlights-Data-Woes/story.xhtml?story_id=031002KTLTMG"&gt;lameness we've seen from the TSA&lt;/a&gt;, I'd like to take a turn at defending it...a bit.&lt;br /&gt;&lt;br /&gt;I've read articles about people who have had all kinds of problems.  Most of them involve the elderly, the young or the handicapped.  I'm not making a judgment call, I'm just relating what *I've* seen and how I feel it probably extends to the world beyond me.&lt;br /&gt;&lt;br /&gt;My first observation is that the bulk of issues I see at the screening points surround people not being aware of the rules.  Let's pick one simple rule that, from my experience, makes up way over half of the "issues" at the TSA checkpoints: liquids.&lt;br /&gt;&lt;br /&gt;Now, take a walk with me.  We're going to start at the ticket counter at Denver International Airport, and swing around a corner, then another corner and hop on the moving walkway towards Terminal A security checkpoint.  At least one time during that walk, the PA system *will* play a notification about restrictions on liquids.  Now, halfway down the hall, you are forced to leave the moving walkway.  There is a table here, and a large poster board telling you about liquid restrictions.  There's also a box of plastic baggies to put your less-than-3-oz-liquids into with full instructions.   You may not notice it, of course, because you are distracted by the television which has a looped video (with the volume at about "8") telling you about the restrictions.  
Somehow you make it past this point still ignorant (and sucking down your "Dasani") and you make it to the checkpoint where there are no less than three signs telling you of liquid restrictions.&lt;br /&gt;&lt;br /&gt;And yet, you would not believe how many people &lt;a href="http://www.cartoonstock.com/directory/b/bitch_and_moan.asp"&gt;B&amp;M&lt;/a&gt; when they find out they cannot bring their water bottle through.  "I just bought this!"&lt;br /&gt;&lt;br /&gt;During Spring Break this year, I saw a family go through and the father saw one of the signs and he threw away his drink.  Good dog.  Then, when his family of 5 went through, the TSA people pulled out a dozen water bottles from their bags!  "You've *got* to be kidding," he says.  "When did this come about?"&lt;br /&gt;&lt;br /&gt;"Way before you read the sign and threw yours away," I replied.  He gave me a sheepish look, because he and I knew that he knew and still chose to "test" the TSA.  Fine, but don't bitch about it when you get caught.&lt;br /&gt;&lt;br /&gt;Okay, no big deal.  What about the horror stories I've witnessed?  A young child (3 years old or so) ripped out of his grandmother's arms and forced through the security gate without her!  Well, I'm sure that's how granny tells it.  The TSA made reasonable requests (you may carry her, or you must send her through separately) and she had a hissy fit.  "I'm too old to carry her!  Blah blah blah  She can't walk through by herself!"  So much so that I looked up and noticed police and other TSA people calmly make their way over to the area where the ruckus originated (and continued for quite some time.)&lt;br /&gt;&lt;br /&gt;The child?  
She walked through, turned around and looked at "freaky old grandma" having a fit like a big girl.&lt;br /&gt;&lt;br /&gt;I've seen people in wheelchairs ask if they can stand up, and I've seen them (or their proxy) respond "No, she has just had hip surgery" or something to that effect, and the TSA person moves to Plan B.  No problem, right?&lt;br /&gt;&lt;br /&gt;Following one of these families past the checkpoint, the conversation was something like "I can't believe they even asked you to stand up" and by the time we made it to the concourse the male in the group (the wheelchair-bound lady's son-in-law, I believe) was relating on the phone how "they were trying to make her stand up!"&lt;br /&gt;&lt;br /&gt;One blogger commented that &lt;a href="http://www.usatoday.com/travel/flights/2006-07-20-checkpoint-woes_x.htm"&gt;some airports require shoes to be removed, others do not&lt;/a&gt;, and then bemoans the lack of consistency as a problem.&lt;br /&gt;&lt;br /&gt;I'll tell you what; take off your frigging shoes, toss any liquids over 3oz into the trash, put others in a 1qt baggy, take off your metal (watches, belts, etc) and leave the knives and scissors at home.&lt;br /&gt;&lt;br /&gt;Reeeeeallly.  This isn't difficult.  
The TSA can't say it, because it's not politically correct, but I'll say it:  I've yet to see an issue in the security line that wasn't caused by a moron, and that moron has yet to be wearing a TSA uniform.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-7248403378270669831?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/7248403378270669831/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=7248403378270669831' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/7248403378270669831'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/7248403378270669831'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/05/airport-security-part-ii-anticipation.html' title='Airport Security Part II: Anticipation is Making Me Wait'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-331260808457132190</id><published>2007-05-23T08:14:00.000-06:00</published><updated>2007-05-23T08:29:37.626-06:00</updated><title type='text'>Know Thine Enemy</title><content type='html'>I know it's politically incorrect to generalize about a group of people.   A small percentage of Mexicans enter this country illegally, and all Mexican-Americans feel the brunt of criticism.  
Similarly, when I was in college, if you were white and had a shaved head, you were probably a racist in most people's eyes even though I'd bet that "skinheads" were the minority of bald white men.&lt;br /&gt;&lt;br /&gt;At what point is something a problem?  Recent census information shows about &lt;a href="http://www.census.gov/Press-Release/www/releases/archives/population/005164.html"&gt;41 million&lt;/a&gt; Hispanics in the US.  With somewhere between 6 and 10 million illegal Hispanics in the country, that represents about 15% to 25% of Hispanics being here illegally (with the understanding that the percentage could be lower, as I have no numbers on how well the illegal aliens were counted in the census numbers, and therefore may add to the 41 million, instead of being a part of it.)&lt;br /&gt;&lt;br /&gt;If I were Hispanic (which I am) and I knew that some double-digit percentage of "my bros" were illegals, that would piss me off.  They are making me look bad.&lt;br /&gt;&lt;br /&gt;But this isn't about that.&lt;br /&gt;&lt;br /&gt;If I were a Muslim (which I'm not, though there is rumored to be an Arabian up my family tree somewhere) I'd take note of &lt;a href="http://www.investors.com/editorial/editorialcontent.asp?secid=1501&amp;status=article&amp;amp;id=264727636679817"&gt;this study&lt;/a&gt; which shows that 26% of young-adult *American* Muslims believe that suicide-bombings of non-Muslim civilians are justified.  
Read the article, there is some interesting information about the wordsmithing around the study.&lt;br /&gt;&lt;br /&gt;Now, I hate to tell my Mexican brothers and sisters this, but the biases against us are justified, and until we "take care of our own", problems and bad reputations will continue to plague us.&lt;br /&gt;&lt;br /&gt;As for the Muslims of this world (who, by and large, scored higher percentages than the American Muslims), I don't want to hear about your "religion of peace" until you perform your own little "cleansing".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-331260808457132190?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/331260808457132190/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=331260808457132190' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/331260808457132190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/331260808457132190'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/05/know-thine-enemy.html' title='Know Thine Enemy'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-132066711438247092</id><published>2007-05-20T20:37:00.000-06:00</published><updated>2007-05-20T20:41:05.486-06:00</updated><title type='text'>Lenox 
Financial</title><content type='html'>Okay, you've heard the annoying commercials on the radio with the tagline "the biggest no brainer in the history of Earth."  When it came time for me to refi (a few years ago), I decided to give them a shot, skeptical though I was.&lt;br /&gt;&lt;br /&gt;They did everything as advertised, to my great surprise!&lt;br /&gt;&lt;br /&gt;Why am I putting this in my blog?  Because when I was researching them, I couldn't find anything about them.  I couldn't find anyone who had blogged or posted or anything about them.  So here you are, I used them and am happy.&lt;br /&gt;&lt;br /&gt;On an interesting side note, a local company ran a *brief*  counter-ad which had the line "don't be fooled by no fee gimmicks..."  That ad didn't stick around long, presumably because people are learning that they aren't "gimmicks".&lt;br /&gt;&lt;br /&gt;Well, at least mine didn't appear to be!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-132066711438247092?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/132066711438247092/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=132066711438247092' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/132066711438247092'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/132066711438247092'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/05/lenox-financial.html' title='Lenox Financial'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-8060630595629402182</id><published>2007-05-10T16:37:00.000-06:00</published><updated>2007-05-10T16:41:21.852-06:00</updated><title type='text'>The Countdown to Copycats</title><content type='html'>Let's review the &lt;a href="http://test.denverpost.com/ci_5862566"&gt;situation&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;With 105,000 + K-12 schools in the United States, I'll venture to say that we see at least one copycat by the end of this school year.  By copycat, I'm saying that some student somewhere will claim to see a few suspicious people with the hopes of shutting down school for a day.  Whereas a bomb threat is a felony, and most students know it's a _big_deal_, others might not realize that such a claim as a suspicious intruder can still land them in a comparable world of ...badness.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-8060630595629402182?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/8060630595629402182/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=8060630595629402182' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/8060630595629402182'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/8060630595629402182'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/05/countdown-to-copycats.html' title='The Countdown to 
Copycats'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-9190204719989824902</id><published>2007-05-10T09:48:00.000-06:00</published><updated>2007-05-10T12:59:28.115-06:00</updated><title type='text'>It's Not What You Know...</title><content type='html'>Well, actually it is.&lt;br /&gt;&lt;br /&gt;"What you know" is critical here, because this is a security post.  "Whom you know" (who?  whom?)  is *far* more important on the religious side of my blogging  :-)&lt;br /&gt;&lt;br /&gt;Information Technology (IT) is a fascinating industry.  As people jockey for position, I now see an older generation of IT people (35+ years old) and the young upstarts go head-to-head on issues.  The "oldsters" say that they have all the experience, and the youngsters say that anything they learned in IT over 5 years ago is of little or no value.&lt;br /&gt;&lt;br /&gt;While I agree that the fact that I remember how to low-level format an MFM drive from the machine language monitor (debug;g=c800:5 or g=cc00:5) is of absolutely no value today, the same cannot be said for security knowledge.&lt;br /&gt;&lt;br /&gt;I was reading a &lt;a href="http://www.computerweekly.com/Articles/2007/05/09/223708/the-trouble-with-google-hacking-techniques.htm"&gt;random article&lt;/a&gt; I picked up from my daily trip to &lt;a href="http://www.ghostship.com"&gt;Infosyssec (www.ghostship.com&lt;/a&gt;) which posed an excellent question: "What basic security knowledge should be expected from security professionals?"  (paraphrased).  
While some people &lt;a href="http://www.infoworld.com/article/04/12/10/50secadvise_1.html"&gt;disparage certification&lt;/a&gt;s in general and security certs in particular, this seems an excellent way to identify mastery of security fundamentals.&lt;br /&gt;&lt;br /&gt;The problem is I'm not sure they necessarily do.&lt;br /&gt;&lt;br /&gt;The CISSP (&lt;span style="font-size:-1;"&gt;Certified Information Systems Security Professional)&lt;/span&gt;, for example, seems to be an excellent measure for a security officer in a corporate environment, but if one were to rely on CISSP-level knowledge for a security program, there would be significant gaps.  As with any certification, it is subject to being both out-of-date and not-dated-enough.&lt;br /&gt;&lt;br /&gt;What is needed in a security organization is a combination of good "old school" knowledge (think WarGames), best security practices, and leading-edge vulnerability awareness.  Many medium to large companies have modem pools, and yet too often the security team is more focussed on the "sexier" side of security with IDSes rather than wardialing their DID (Direct Inward Dial) space.  Inasmuch as IDS probably provides a far better ROSI (return on security investment) than wardialing, too often the old-school telephony stuff doesn't even make the list of concerns.&lt;br /&gt;&lt;br /&gt;That *may* change as companies move towards IP telephony.  I can see it now; a security engineer is evaluating VOIP solutions and has an epiphany:&lt;br /&gt;"Hmm, I wonder if you can 'scan' VOIP numbers like you can IPs"&lt;br /&gt;"You know, I'll bet there's a way to cycle through these to see if a computer answers!"&lt;br /&gt;"WE GOTTA DO SOMETHING!"&lt;br /&gt;Yeah.  It's been called "wardialing" for a few decades now...&lt;br /&gt;&lt;br /&gt;What other fundamentals need to be known?  
I'll be thinking about this, and I'll post a simple quiz in the near future.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-9190204719989824902?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/9190204719989824902/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=9190204719989824902' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/9190204719989824902'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/9190204719989824902'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/05/its-not-what-you-know.html' title='It&apos;s Not What You Know...'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-6355803676005235427</id><published>2007-05-07T12:28:00.000-06:00</published><updated>2007-05-07T12:28:39.426-06:00</updated><title type='text'>Idea Explorer: Security</title><content type='html'>In his &lt;a href="http://ideaexplorer.blogspot.com"&gt;blog, Brad Jarvis&lt;/a&gt; identifies six of the approaches to maintaining effective security.  These approaches are not IT-centric, but rather are for personal and civic security.  
They are:&lt;br /&gt;Offense&lt;br /&gt;Defense&lt;br /&gt;Containment&lt;br /&gt;Alliance&lt;br /&gt;Assimilation and&lt;br /&gt;Retreat.&lt;br /&gt;&lt;br /&gt;Specific descriptions may be found at this link: &lt;a href="http://ideaexplorer.blogspot.com/2007/04/security.html"&gt;Idea Explorer: Security.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I tend to look for "universal truths" as often as I can.  In this pursuit, I looked at Bradley's list and attempted to put it towards IT (Information Technology) security.  Truly, all of these approaches may be seen, even "&lt;a href="http://www.blackhat.com/html/bh-sponsors/bh-07-sustaining-sponsors.html"&gt;alliance&lt;/a&gt;" and "&lt;a href="http://en.wikipedia.org/wiki/%40stake"&gt;assimilation&lt;/a&gt;", in the IT world.  While I was going to spend some time expounding upon the parallels, I became enamored with one in particular: offense.&lt;br /&gt;&lt;br /&gt;Offense, as Bradley identifies it, involves "attacking (destroying) someone perceived as a threat".&lt;br /&gt;&lt;br /&gt;I have worked in numerous computing cultures, from WFO (Wide Friggin Open) to military and financial uber-controlled.  I currently work in an environment that has a medium-high level of control; a rather restrictive working environment.  This is defined (by me) as restrictive web browsing, to the point that webmail is blocked, and entertainment sites (NFL.com) and even most news sites (cnn.com) are blocked or heavily restricted.&lt;br /&gt;&lt;br /&gt;Similarly, I have worked where companies allow employees who use corporate laptops to install personal software and otherwise use it for personal use so long as the basic security posture (antivirus, firewall, file integrity, anti-spyware) is maintained at all times.  
Some of these companies back this policy up by implementing NAC (&lt;a href="http://www.stillsecure.com/safeaccess/index.php"&gt;Network Access Control&lt;/a&gt;) to ensure that laptops re-entering the enterprise (after a trip home) are still secure.&lt;br /&gt;&lt;br /&gt;Other institutions prohibit any personal use of the laptop.  I'm not going to discuss the pros and cons of each argument, rather I'm going to discuss this in light of Bradley Jarvis' "Offensive" security approach.&lt;br /&gt;&lt;br /&gt;In this case, restrictive environments seem to take the stance that "attacking someone perceived as a threat" means attacking the end user by saddling them up with procedures and prohibitions to keep them from inadvertently &lt;a href="http://www.avertlabs.com/research/blog/"&gt;infecting&lt;/a&gt; the corporate network, and to keep them from allowing &lt;a href="http://www.itwire.com.au/content/view/11494/53/"&gt;data leaks&lt;/a&gt;.  We prohibit personal emails, attachments, and we sometimes disable wifi capability and even prohibit the interface from acquiring a new address (for example, to be used at home).&lt;br /&gt;&lt;br /&gt;Why has it come down to viewing our own employees and coworkers as the greatest threats to our corporate security?&lt;br /&gt;&lt;br /&gt;Because they have always been such, whether we've known it or not.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-6355803676005235427?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://ideaexplorer.blogspot.com/2007/04/security.html' title='Idea Explorer: Security'/><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/6355803676005235427/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=6355803676005235427' title='0 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/6355803676005235427'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/6355803676005235427'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/05/idea-explorer-security.html' title='Idea Explorer: Security'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-1604092718580719905</id><published>2007-05-06T20:11:00.000-06:00</published><updated>2007-05-07T12:31:24.859-06:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cult'/><category scheme='http://www.blogger.com/atom/ns#' term='Mitt Romnet'/><category scheme='http://www.blogger.com/atom/ns#' term='LDS'/><category scheme='http://www.blogger.com/atom/ns#' term='Mormon'/><category scheme='http://www.blogger.com/atom/ns#' term='Scientology'/><title type='text'>Mitt Romney is the Antichrist</title><content type='html'>...and I shouldn't use &lt;a href="http://www.google.com/search?hl=en&amp;safe=off&amp;amp;q=define%3Ahyperbole&amp;btnG=Search"&gt;hyperbole&lt;/a&gt; in a blog post title.&lt;br /&gt;&lt;br /&gt;In a previous post, &lt;a href="http://godandsecurity.blogspot.com/2007/02/religious-dishonesty-and-politics.html"&gt;Dishonesty in Religion&lt;/a&gt;, I talk about my concerns with having a Mormon as the President.  
A few comments on the blog and a few discussions with friends have helped me to amend this position.&lt;br /&gt;&lt;br /&gt;I would have a problem with Mitt Romney as President.&lt;br /&gt;&lt;br /&gt;First, let me give you some of my assumptions:&lt;br /&gt;-Most things a politician says, s/he says with an agenda in mind.&lt;br /&gt;-Most politicians are interested in garnering as much of the vote as possible&lt;br /&gt;&lt;br /&gt;My problem is that when &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/05/05/AR2007050501081.html?hpid=sec-religion"&gt;Mitt presents himself to Christians&lt;/a&gt;, he tries to present himself as one of them (see Dishonesty in Religion for why this is a problem).  I believe, however, that he is not only being dishonest in how he presents his beliefs to Christians, but I believe he is subtly reaching out to other demographics in dishonest ways.&lt;br /&gt;&lt;br /&gt;When asked what his favorite novel was, &lt;a href="http://www.christianpost.com/article/20070506/27259_Romney_Pursues_Christian_Electorate.htm"&gt;Mitt stated that it was Battlefield Earth&lt;/a&gt;, a sci-fi novel by &lt;a href="http://www.xenu.net/"&gt;Scientology&lt;/a&gt; founder L. Ron Hubbard.  Later, after &lt;a href="http://kutv.com/topstories/local_story_123235115.html"&gt;receiving criticism for this pick&lt;/a&gt;, Romney stated that the Bible was his favorite book and that B.E. was his favorite novel.&lt;br /&gt;&lt;br /&gt;First, let's talk about Battlefield Earth.  Slate says you have to be some kind of weird to like it.  I've read it, and it's quite good (and I'm some kinda weird, I guess).  I've read *many* blog posts and articles that claim that it is crap, and that nobody reads the book except "&lt;a href="http://www.reason.com/blog/show/119951.html"&gt;Scientologists and smartasses who want to giggle at Scientologists.&lt;/a&gt;" People who say that haven't read the book.  
If you like sci-fi, you'd probably enjoy Battlefield Earth.  It's not nearly as good as his massive, 10-volume Mission Earth series, but it is good.  I can see how it would be someone's favorite novel (even someone other than famed Scientologist &lt;a href="http://italy.imdb.com/gallery/ss/0185183/Ss/0185183/4.html?hint=tt0185183"&gt;John Travolta&lt;/a&gt;).&lt;br /&gt;&lt;br /&gt;However, based on my two comments above, I believe this book was specifically chosen as his favorite to help Mitt appeal to Scientologists, and by extension, some of Hollywood.  Think about it.  Most people aren't going to know the link between B.E. and Scientology (well, they are learning about it now...this is catching an amazing amount of buzz).  Even though &lt;a href="http://news.bostonherald.com/politics/view.bg?articleid=198006"&gt;Mitt later said&lt;/a&gt; he "wasn't in favor of the religion, by any means," he has still probably managed to garner a little support from that camp.  He only made his "not in favor" comment after he realized that people saw into his little game.&lt;br /&gt;&lt;br /&gt;But his appeal to Scientologists isn't my biggest problem here.  It's his flip-flop that the Bible was his favorite book.  Why is this a problem?  He's either lying (in which case I don't want him for President) or he actually believes it, in which case he's a piss-poor Mormon,  and shouldn't be campaigning as a Christian *or* a Mormon.&lt;br /&gt;&lt;br /&gt;Why do I have a problem with this claim that the Bible is his favorite book?  According to Mormonism, &lt;a href="http://www.4truth.net/site/apps/nl/content3.asp?c=hiKXLbPNLrF&amp;amp;b=784549&amp;amp;ct=941339"&gt;the Bible is a flawed book (search this page for the word "flawed")&lt;/a&gt;.  Really, so your favorite book in the whole world is messed up according to your religion?  
Of course, it would have been political suicide to claim that the Book of Mormon was his favorite (ewww, he's a Mormon), so he basically put himself in a position of needing to lie because of who he is (a Mormon).&lt;br /&gt;&lt;br /&gt;Yet, somehow, the Pat Robertsons of this world are being &lt;a href="http://fe14.news.re3.yahoo.com/s/ap/20070504/ap_on_el_pr/romney_evangelicals"&gt;taken in by this man.&lt;/a&gt;  I wonder if Pat will change his website's stance that &lt;a href="http://www.cbn.com/spirituallife/CBNTeachingSheets/FAQ_cult.aspx"&gt;Mormonism is a cult&lt;/a&gt;.  Of course, this is Pat Robertson playing politics, a place where Pat wants to be, but shouldn't.&lt;br /&gt;&lt;br /&gt;I'll bet if Pat *did* run for office, though, he wouldn't go tell all the Utards that his faith is fundamentally the same as theirs.  (Really, "Utards" isn't in my spell-checker?  I'll need to fix that...)  Well, maybe he would.&lt;br /&gt;&lt;br /&gt;Maybe I should ease up, though.  After all, Nancy Reagan, the First Lady to the Great Communicator, &lt;a href="http://www.cnn.com/ALLPOLITICS/1997/05/19/back.time/"&gt;relied heavily on Astrology&lt;/a&gt;, and not in the way the Wise Men did, either.  I was only in high school at that time, and I knew this was not consistent with Christianity.&lt;br /&gt;&lt;br /&gt;But I can't ease up.  Mitt may be a good politician, and may actually believe (politically) in much of what I do (I don't know, and I'm afraid to check).  The truth is, he's selling out at every turn, and he cannot be trusted.&lt;br /&gt;&lt;br /&gt;As I said before, I'd sooner vote for an atheistic Democrat than Mitt Romney, because such a Democrat would mobilize Christians into action.  
Mitt would be the lukewarm water in the Whitehouse that will be &lt;a href="http://bible.cc/revelation/3-16.htm"&gt;spit out&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;-Brian&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-1604092718580719905?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/1604092718580719905/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=1604092718580719905' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1604092718580719905'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1604092718580719905'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/05/mitt-romney-is-antichrist.html' title='Mitt Romney is the Antichrist'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-5130013386940684534</id><published>2007-03-28T12:32:00.000-06:00</published><updated>2007-03-28T14:01:07.191-06:00</updated><title type='text'>Death to Security Companies</title><content type='html'>Well, that's what &lt;a href="http://news.zdnet.co.uk/security/0,1000000189,39285829,00.htm?r=2"&gt;Art Coviello from RSA would have us believe&lt;/a&gt;.  To quote Art, "With the exception of a few exceptional start-ups, there will be no standalone security businesses within three years." 
There's no way he's just making this comment because RSA has joined forces (read: been absorbed) by EMC, the network storage giant.&lt;br /&gt;&lt;br /&gt;That is not to say that I disagree with all Art says.  He comments that the security industry is too focussed on its own problems, and not enough on trying to perfect security.  I wholeheartedly agree.  Having worked with and for a number of pure security players, I can safely say that they are focussed on the "business" of security and not the "ideal" of security.&lt;br /&gt;&lt;br /&gt;Does that make them wrong?  No, but it isn't encouraging, either.  This particular problem, however, doesn't go away because security vendor "A" has now been purchased by larger corporation "Z".  Now, EMC has a cute little security arm (RSA), just like IBM has one (ISS) and Computer Associates (well, about a half-dozen of them).  Those cute little security companies are *still* focussed on the business of security.  Now, however, they are focussed on the business of security with regards to increasing the bottom line of a larger company with a relatively myopic view of the product space (translated:  How does the security stuff integrate with *our* stuff?)&lt;br /&gt;&lt;br /&gt;I believe that the pre-integrated security vendors (security companies who are a part of a larger company)  will wither but not-quite-die.  RSA is now an EMC whore, and I'm interested in them primarily if I already have EMC onsite.  Same with ISS.  I believe independent security players are more motivated to integrate with other products (security or otherwise).  
In fact, I worked for one &lt;a href="http://www.stillsecure.com/"&gt;company&lt;/a&gt; who had the "problem" that they were often *too* willing to do some "gap engineering" to integrate their products.&lt;br /&gt;&lt;br /&gt;This is how it should be.&lt;br /&gt;&lt;br /&gt;Oh, and if you followed the link to my former employer above, you'll probably see that they brag about having "3 of the top 12 IT security influencers" at their company.  Now, it's a great company with great products and people,  but vendors aren't influencers, they should be influencee's!  If they truly were influencERS, then we'd all have NAC up and running already.  NAC is the wrong product to hang your hat on, no matter what "3 of the top 12 IT security influencers" tell you.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Despite that, I anticipate that security company to flourish without being sucked up by some bigger company.  They will survive because they are a pure security play.&lt;br /&gt;&lt;br /&gt;Then again, I say that because *I* am a pure security play.  I'm not a systems administrator who also does security.  
Maybe that has colored my vision to the extent that I project it onto the marketplace.&lt;br /&gt;&lt;br /&gt;Or maybe I'm just right.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-5130013386940684534?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/5130013386940684534/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=5130013386940684534' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5130013386940684534'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5130013386940684534'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/03/death-to-security-companies.html' title='Death to Security Companies'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-8018782234399049226</id><published>2007-03-05T16:43:00.000-07:00</published><updated>2007-03-05T16:56:26.069-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='fbi'/><title type='text'>TMI</title><content type='html'>"Too Much Information"&lt;br /&gt;&lt;br /&gt;No, not another "Shave the Cheerleader, Shave the World" kind of post, rather it is a comment about the current headline over at the &lt;a href="http://www.fbi.gov/page2/march07/wmd030507.htm"&gt;FBI.gov website&lt;/a&gt;.  
The interesting part begins with "So, what happens when...something is amiss? First, our local WMD coordinator (there's one in each of our 56 field offices)..." and so on.&lt;br /&gt;&lt;br /&gt;Really, it's an interesting read on how the government will react should, say, a &lt;a href="http://www.kxan.com/Global/story.asp?S=6180243&amp;nav=0s3d"&gt;bunch of birds fall dead in Austin&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now, I'm not one to normally advocate "&lt;a href="http://www.vnunet.com/computing/analysis/2075400/security-obscurity-never-works"&gt;Security by Obscurity&lt;/a&gt;", but doesn't there come a point in time when we decide to not tip the enemy's hands on exactly what we would do during a crisis?  "The key for us is that conference call..."  Great.  If I'm attacking, I now know to take out the local field office (or at least disrupt the local WMD coordinator).&lt;br /&gt;&lt;br /&gt;Just because of who I am, I have two theories about this article:&lt;br /&gt;1.  It's all PR to make people think they have a plan.  Image is everything.  So long as the American people think we have a plan, they won't panic and send the economy into the crapper.&lt;br /&gt;&lt;br /&gt;2.  They are simply moronic enough to show their hand.  
HOPEFULLY, there's quite a bit more to this hand (such as local law-enforcement heads having access to the  WMD Directorate at FBI headquarters, thus removing the single-point-of-failure in the local WMD coordinator).&lt;br /&gt;&lt;br /&gt;I'm hoping for the optimistic side of #2.&lt;br /&gt;&lt;br /&gt;-Brian&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-8018782234399049226?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/8018782234399049226/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=8018782234399049226' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/8018782234399049226'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/8018782234399049226'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/03/tmi.html' title='TMI'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-278226739796464693</id><published>2007-02-20T11:41:00.000-07:00</published><updated>2008-11-12T20:08:22.432-07:00</updated><title type='text'>Shave the Cheerleader, Shave the World!</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_lIhIJdfbrd8/RdtA8Q2xwHI/AAAAAAAAAAM/M7Nq8iM7xYE/s1600-h/ShavedSpears.jpg"&gt;&lt;img style="margin: 
0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://4.bp.blogspot.com/_lIhIJdfbrd8/RdtA8Q2xwHI/AAAAAAAAAAM/M7Nq8iM7xYE/s320/ShavedSpears.jpg" alt="" id="BLOGGER_PHOTO_ID_5033688412577710194" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;Sorry, bad Heroes pun.  I'm a huge Heroes fan.&lt;br /&gt;&lt;br /&gt;I will forego any other potential puns (and there are quite a few!) regarding Britney and her chrome dome.  Suffice it to say that I have an opinion, and it is related to neither God nor security (though I'm sure God loves her).&lt;br /&gt;&lt;br /&gt;She's an attention whore.&lt;br /&gt;&lt;br /&gt;Of course, anyone who wishes to succeed in front of a camera or mike would do well to be an attention whore, but Britney is special.&lt;br /&gt;&lt;br /&gt;Things I wonder:&lt;br /&gt;   -Did she fear that Anna Nicole Smith was hogging her limelight?&lt;br /&gt;   -Did she think she had the potential to &lt;a href="http://wiw.org/%7Ejess/archives/2007/02/19/eight-bald-women/"&gt;look good this way?&lt;/a&gt;&lt;br /&gt;   -How many girls (I use the term "girls" advisedly) will see the sheer volume of attention this generated, and even the &lt;a href="http://www.starpulse.com/news/index.php/2007/02/18/assistant_concerned_over_britney_s_meltd"&gt;sympathy and concern,&lt;/a&gt; and will duplicate the feat?&lt;br /&gt;   -How long before other Hollyweirdos condemn the media for talking about how "ugly" Britney is with no sensitivity to cancer patients?  I'll bet we see a few of them shave their heads, not in support of Britney, but in support of a &lt;a href="http://www.breastcancervictory.com/2006/10/23/breast-cancer-shaveathon/"&gt;real, non-self-centered cause&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Maybe I'm an optimist in hoping stars turn their eyes from themselves.  
I wouldn't mind seeing a few shaved heads in support of something, rather than a cry for help.&lt;br /&gt;&lt;br /&gt;Of course, in Hollywood, if a star shaves her head she can still have the best of both worlds.  "Look at me...I mean what I did to show support for cancer!"&lt;br /&gt;&lt;br /&gt;I'm not saying this is a bad thing.  Unless, of course, &lt;a href="http://www.imdb.com/name/nm0000327/"&gt;Lacey Chabert&lt;/a&gt; does it.  Then it's bad.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-278226739796464693?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/278226739796464693/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=278226739796464693' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/278226739796464693'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/278226739796464693'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/02/shave-cheerleader-shave-world.html' title='Shave the Cheerleader, Shave the World!'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_lIhIJdfbrd8/RdtA8Q2xwHI/AAAAAAAAAAM/M7Nq8iM7xYE/s72-c/ShavedSpears.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-5137623089772363418</id><published>2007-02-14T11:02:00.000-07:00</published><updated>2007-05-06T20:10:53.666-06:00</updated><title type='text'>Religious Dishonesty and Politics</title><content type='html'>Of course, if I had said "Political Dishonesty..." that would have been redundant.&lt;br /&gt;&lt;br /&gt;First off: Time for a "worldview check".  My worldview is basically that anyone who accepts Jesus Christ into their heart and acknowledges Him as their Lord and Saviour will, through the grace of God, find salvation.  As such, many Mormons should fit into this.  The question here is that the Jesus that Mormons believe in isn't necessarily the same one I believe in, so I don't know how that will work.&lt;br /&gt;&lt;br /&gt;Now, on to the post.  &lt;a href="http://www.msnbc.msn.com/id/17146217/"&gt;In this article,&lt;/a&gt; &lt;a href="http://www.christianforums.com/t2636092-wiki-the-jesus-of-mormonism.html"&gt;Mormon&lt;/a&gt; and former Massachusetts governor Mitt Romney tries to ally himself with the Christian Right of the Republican party.  He does so by trying (in a nice ecumenical spirit) to point out critical areas of agreement between his beliefs and those of Christians.  &lt;a href="http://www.carm.org/cults/cultterm.htm"&gt;Unfortunately, while he may use terms that sound familiar, they carry different meanings.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;1: “I think I’ve found that people across this country want a person of faith to lead the country, and they don’t particularly care as much about the brand of faith as they do the values the person has. And my values are as American as you can imagine”&lt;br /&gt;&lt;br /&gt;A: I will not presume to speak on behalf of the Body of Christ ("Christianity" to the layman) but the brand of faith *does* matter.  
There *is* an issue that people of faith must come to terms with, and that is where to draw the line.  Do Sunnis draw the line at Shiites, or elsewhere?  As a Methodist, I call my Lutheran, Baptist, Pentecostal, Anglican and (even) Catholic friends "brothers and sisters in Christ".  Keep in mind, I'm only speaking to the issue #1 above.  I want a person of faith leading this country, and that person needs to be someone who can recite the &lt;a href="http://www.reformed.org/documents/index.html?mainframe=http://www.reformed.org/documents/apostles_creed.html"&gt;Apostles' Creed&lt;/a&gt; with a straight face.  Unfortunately, this would exclude some people in the denominations I mentioned above, but it would not exclude one who follows the *teachings* of their denominations.&lt;br /&gt;&lt;br /&gt;2: "I believe in God."&lt;br /&gt;&lt;br /&gt;A: Joseph Smith, the Mormon prophet, claimed that God was once a man as us, and is now exalted.  Mitt may believe in a god, but it's not the god of Christianity.  Furthermore, Mormons believe they will become gods themselves (well, the men do.  The women need to have their secret name called by their husbands to reach the highest level of Heaven.  No husband?  Sorry...)&lt;br /&gt;&lt;br /&gt;3: "I believe that all the men and women in this country are children of God"&lt;br /&gt;&lt;br /&gt;A: For Christians, we are children of God being his creation.  For Mormons, it's a literal "children of God" who procreated (as Adam) on Earth and is our literal penultimate grandfather.&lt;br /&gt;&lt;br /&gt;4: "The kind of values which I have in my heart are the kinds of values which America needs."&lt;br /&gt;&lt;br /&gt;A: This may be true, but I prefer them to not be represented by one whose faith contains many articles I would consider a heresy.  It is important to me our leaders share a worldview that we may hold them accountable to, and that worldview must furthermore make sense and be for the benefit of the country.  
A man who wishes to be a god is not a man I want leading the country.&lt;br /&gt;&lt;br /&gt;I'll make a bold statement.  I would sooner vote for a man of no faith than a Mormon.  A man of no faith who is a secular humanist has a worldview that has internal consistency and, though morally corrupt and held to no higher standard, would be preferred over one who has picked his higher standard, and it is to be a God.&lt;br /&gt;&lt;br /&gt;-Brian&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-5137623089772363418?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/5137623089772363418/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=5137623089772363418' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5137623089772363418'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5137623089772363418'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/02/religious-dishonesty-and-politics.html' title='Religious Dishonesty and Politics'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-1225491279684124100</id><published>2007-02-13T20:12:00.000-07:00</published><updated>2007-02-13T21:03:58.434-07:00</updated><title type='text'>Teacher Accused of Porn</title><content type='html'>Surfing it...not doing 
it.  (Just thought I'd clarify!)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.msnbc.msn.com/id/17134607/wid/11915829?GT1=9033"&gt;This article is *definitely* worth a read&lt;/a&gt;.   It's MSNBC, so it's safe for work.&lt;br /&gt;&lt;br /&gt;To sum it up, she checked her email before her (seventh-grade) class (she was a substitute, by the way), left for a moment to the restroom, and came back to find kids surfing on the computer viewing a website on hairstyles.  She chased them away, and later during the day the graphic images started popping up on the screen.  She tried to click them away, but they kept returning.  Furthermore, she had been given strict orders to not turn the computer off.&lt;br /&gt;&lt;br /&gt;Furthermore, she claimed to have little knowledge of computers.&lt;br /&gt;&lt;br /&gt;The defense claimed that malware caused the images to appear.  They furthermore posited that the students had gone to what they thought was a hairstyle site, and were redirected to a porn site.&lt;br /&gt;&lt;br /&gt;I was going to jump in and defend this woman, as I feel she is likely the victim of some drastic injustice (she faces up to 40 years in prison!).&lt;br /&gt;&lt;br /&gt;Then, as I typed and cooled down, I realized that there are other problems here.  Make no mistake, her 40 years is the biggest problem here, but that problem came about because of another problem.&lt;br /&gt;&lt;br /&gt;But first, let's talk about the article.  One of the last comments is "...pop-up blockers that can prevent so-called porn storms are now in wide use."&lt;br /&gt;&lt;br /&gt;First off, this sounds like a subtle accusation against the teacher.  Second off, it's inaccurate.  I have run numerous pop-up blockers and anti-malware applications, and still I occasionally get pop-ups.  I'd venture to say that if I were to select a few choice sites, I could still be the victim of a "porn storm".  
Pop-up blockers and anti-malware tools are &lt;span style="font-weight: bold;"&gt;reactive&lt;/span&gt;, which means that there is generally an exploit or mechanism which comes to light first, &lt;span style="font-weight: bold;"&gt;then&lt;/span&gt; the tool determines how to block it.&lt;br /&gt;&lt;br /&gt;Frankly, this case should have been simple to resolve.  This brings us to the second problem.&lt;br /&gt;&lt;br /&gt;&lt;caveat&gt;Note: I do not know the people who did the investigative work.  I may be missing something here.&lt;/caveat&gt;&lt;br /&gt;&lt;br /&gt;HOWEVER, the problem I see is that it seems everyone and their dog thinks they know how to do computer forensics.  Many (many, many) people in IT would leap at the opportunity to perform some PC forensics, and without being properly trained they could screw up something like this.&lt;br /&gt;&lt;br /&gt;Let me give you an idea of the things an &lt;span style="font-weight: bold;"&gt;experienced&lt;/span&gt; forensic analyst would have presented to the court:&lt;br /&gt;The exact sites the kids went to&lt;br /&gt;The exact sites the sub went to&lt;br /&gt;The exact site the kids were redirected to (if that's what happened)&lt;br /&gt;The exact times sites were accessed (to help determine &lt;span style="font-weight: bold;"&gt;who&lt;/span&gt; actually went where)&lt;br /&gt;The exact exploit (malware or pop-up) that brought the images forth&lt;br /&gt;Likely the entire web-surfing and file-opening history of that computer&lt;br /&gt;&lt;br /&gt;With this kind of information, truly there would be little doubt as to the teacher's innocence &lt;span style="font-weight: bold;"&gt;if her story is true&lt;/span&gt;.  If it's not, things get a bit more difficult.&lt;br /&gt;&lt;br /&gt;Did they preserve the state of the machine (e.g. did they ensure that nothing was written to the drive after the "incident"?)  If not, they should throw the whole case out.  
If they *did* preserve it, get someone in there who knows what they are doing.&lt;br /&gt;&lt;br /&gt;I will be following this story.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-1225491279684124100?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/1225491279684124100/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=1225491279684124100' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1225491279684124100'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1225491279684124100'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/02/teacher-accused-of-porn.html' title='Teacher Accused of Porn'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-5396160349576494661</id><published>2007-02-10T07:49:00.000-07:00</published><updated>2007-02-09T15:21:00.126-07:00</updated><title type='text'>School and Drugs</title><content type='html'>Ah, yes.  I remember it well.&lt;br /&gt;&lt;br /&gt;Northeast Junior High (wtf is a "middle school"?), circa 1981-ish.  One of the students at school (whom I didn't know) was caught with acid-laced stamps.  I didn't know what acid was, save that it was some kind of illegal drug.  
I don't recall how big my school was, but my guess would be that the seventh through ninth grade school had over 400 students.  Probably way over 400 students.&lt;br /&gt;&lt;br /&gt;So, when the local newspaper ("The Sentinel") ran the story, they interviewed the Principal (Mr. Albi) who said something to the effect of "there are only twelve students in this school who use drugs, and I know who every single one is."  I recall commenting to my parents (they asked if this was true) that I could probably point out twelve kids in many classrooms that did drugs.  I don't know if this was a principal in denial, or someone trying to minimize the perception of a problem to save his job.  See my &lt;a href="http://godandsecurity.blogspot.com/2007/02/soliciting-minor.html"&gt;"Soliciting A Minor"&lt;/a&gt; article for another example of a person in power likely trying to cover his butt by lying to the media.&lt;br /&gt;&lt;br /&gt;My memory is a little fuzzy from back then, but you get the picture.&lt;br /&gt;&lt;br /&gt;Now, we see a &lt;a href="http://www.vancourier.com/issues07/022207/news/022207nn8.html"&gt;vaguely similar situation&lt;/a&gt; appear, though in &lt;a href="http://www.urbandictionary.com/define.php?term=Great+White+North"&gt;Canada&lt;/a&gt; this time.  To sum it up, apparently a "large number" of students are attending school stoned for at least a portion of the day.&lt;br /&gt;&lt;br /&gt;Makes sense to me.  &lt;a href="http://bretharte.ca.campusgrid.net/home/Our+Staff/Teachers+L-N/Murray,+Scott/Rules+and+Expectations/index.html"&gt;The more things change, the more they stay the same&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Unfortunately, this also seems to apply to teachers.  
The quote that caught my attention (it was actually used as the headline on &lt;a href="http://www.fark.com"&gt;Fark,&lt;/a&gt; which is how I found the story) was, "Every school in Vancouver, and I would say in the province, is struggling with a significant number of kids coming to school stoned."&lt;br /&gt;&lt;br /&gt;My definition of "significant" must be different than his.  Even as one who never did drugs (really!) I knew plenty who did.  The good news is that in Canada, "significant" apparently means roughly one- to two-percent.  The bad news is that we have another administrator who likely has no idea how bad his drug problem really is.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family:verdana;font-size:85%;"&gt;"It could be that any large high school of say 1,000 or 1,200 kids could easily have anywhere from 15 to 20 kids that would have shown up for part of the day under the influence."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Wow.  Maybe school has changed significantly.  I didn't go to an inner-city middle school, I went in the suburbs.  I would say it was fairly typical.  
While my comment of "twelve in every classroom" is a dramatic overstatement, I would bet that 2% of students stoned in secondary school in Canada is probably a &lt;a href="http://www.hrsdc.gc.ca/asp/gateway.asp?hr=en/cs/sp/hrsd/prc/publications/research/1995-000015/page09.shtml&amp;amp;hs=wyi"&gt;dramatic understatement&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;It's &lt;a href="http://www.istockphoto.com/file_closeup/style_and_design/abstracts/background_abstracts/400813_ice_canada.php?id=400813"&gt;COLD&lt;/a&gt; up there.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-5396160349576494661?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/5396160349576494661/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=5396160349576494661' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5396160349576494661'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5396160349576494661'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/02/school-and-drugs.html' title='School and Drugs'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-1505473479541386540</id><published>2007-02-08T16:26:00.000-07:00</published><updated>2007-02-08T09:58:53.022-07:00</updated><title type='text'>Don't Forward That 
Email</title><content type='html'>Awright, I'll admit it.  It's a peeve of mine.&lt;br /&gt;&lt;br /&gt;I often get the same junky emails from friends that you probably do.  Virus alerts, funny stories, scary stories, facts about this or that politician, whatever.  Being a Christian who is active in his spiritual community, I also get many prayer requests, anecdotes and studies.&lt;br /&gt;&lt;br /&gt;95% crapola.&lt;br /&gt;&lt;br /&gt;I'm going to make a few statements which may tick you off.  If you're a Christian brother or sister, it may tick you off bad!  Still, give me a chance to explain.&lt;br /&gt;&lt;br /&gt;I promise that:&lt;br /&gt;&lt;a href="http://www.snopes.com/horrors/parental/archer.asp"&gt;There are no hypodermic needles tainted with AIDS in McDonald's ball pits&lt;/a&gt;&lt;br /&gt;(there, that wasn't so bad, was it?)&lt;br /&gt;&lt;a href="http://www.snopes.com/inboxer/hoaxes/presiq.htm"&gt;George W Bush Jr doesn't have the lowest IQ of any modern day president&lt;br /&gt;&lt;/a&gt;&lt;a href="http://www.snopes.com/photos/animals/shark.asp"&gt;That shark isn't really attacking that helicopter flying low over the water&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.snopes.com/politics/business/undergod.asp"&gt;There isn't a conspiracy with Dr Pepper regarding the Pledge of Allegiance&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.snopes.com/inboxer/nothing/microsoft-aol.asp"&gt;Bill Gates isn't going to pay you squat to send emails. (and no one else will, either)&lt;/a&gt;&lt;br /&gt;Still with me?  
There's more, and it gets worse&lt;br /&gt;&lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2006/03/23/AR2006032302177.html"&gt;There is not, and will never be, a GOOD study showing prayer helps people heal.&lt;/a&gt;&lt;br /&gt;(ouch!)&lt;br /&gt;&lt;a href="http://www.snopes.com/glurge/room.htm"&gt;That kid who wrote that thing about Heaven then died isn't actually a good story, he's a plagiarist!&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.snopes.com/religion/lostday.htm"&gt;No one discovered a "lost day" that coincides with a story of the Bible&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.snopes.com/religion/center.htm"&gt;Many of those cool things you hear about Psalm 118 and the center of the Bible are not true.&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.snopes.com/religion/tsunami.asp"&gt;Christians were NOT miraculously spared from a Tsunami&lt;/a&gt;&lt;br /&gt;(well, not necessarily...but it is likely fiction)&lt;br /&gt;&lt;br /&gt;The list goes on and on.  Check out &lt;a href="http://www.snopes.com"&gt;Snopes &lt;/a&gt;for more (and check it often, when YOU receive an email with a story, promise, fact, or study)&lt;br /&gt;&lt;br /&gt;I would urge all people to hesitate before forwarding any emails, unless they are jokes.  (I'm always up for a good joke!).  Most of the "information" you have been sent (even by well-meaning Christian friends!) is actually "misinformation" and only serves to make us look bad.&lt;br /&gt;&lt;br /&gt;And, how can I say there is not, and will never be, a GOOD study showing prayer helps people heal?  Lemme amend that.  Anonymous intercessional prayer will never be shown IN A STUDY to help people heal.  
Not that it doesn't help, but (read this carefully, and a few times over)  GOD WILL NOT ALLOW PROOF OF HIS EXISTENCE TO BE REVEALED.&lt;br /&gt;&lt;br /&gt;God was revealed through His Word, and is revealed through our lives, but PROOF would undermine the very foundation He has created for acknowledging His love and sacrifice through FAITH.  The lack of proof here is not a statement on a failure of prayer, rather it is part of God's design.&lt;br /&gt;&lt;br /&gt;Skeptics will say, of course, that this argument serves no purpose other than to justify the lack of proof.  Were I a skeptic, I'd say the same thing.  I rest comfortably knowing that this argument of mine is consistent with the Christian worldview and theology.&lt;br /&gt;&lt;br /&gt;One last warning, and this time on Snopes.  DON'T ASSUME THAT THEIR SUMMARY RATING IS ACCURATE!  I have seen them rate something as "false" and yet when you read the description, it seems more true than false.  They pick on certain facts in interesting ways to the extent I believe they have an anti-Christian bias (though they may do this with other stories, as well, I don't know).  Still, regardless of the rating they give a story, their research is of the highest quality.&lt;br /&gt;&lt;br /&gt;God loves you.  
That I promise, too.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-1505473479541386540?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/1505473479541386540/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=1505473479541386540' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1505473479541386540'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1505473479541386540'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/02/dont-forward-that-email.html' title='Don&apos;t Forward That Email'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-52741283480195150</id><published>2007-02-08T09:46:00.000-07:00</published><updated>2007-02-08T17:15:13.346-07:00</updated><title type='text'>Soliciting A Minor</title><content type='html'>Accurate thinking.  How many people are able to examine a statement and logically deduce the likelihood of its truth?  I'm talking about more than being a "lie detector", rather I'm talking about evaluating statements to determine if what was said logically makes sense.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.snpx.com/cgi-bin/news55.cgi?target=186761342?-2622"&gt;Here's an annoying example&lt;/a&gt;.  
Apparently the  Chief Privacy Officer from Facebook, a teen site, claims that a recent incident is the first time Facebook has been used to contact a minor for predatory reasons.&lt;br /&gt;&lt;br /&gt;Really? &lt;a href="http://www.chicagotribune.com/news/local/northwest/chi-0702070032feb07,1,7129628.story?coll=chi-newslocalnorthwest-hed&amp;ctrack=1&amp;amp;cset=true"&gt;(another reference)&lt;/a&gt; Somehow I doubt that this first person who was caught was also the first to use this site.  &lt;a href="http://mashable.com/2006/08/25/facebook-profile/"&gt;Facebook has been around since February of 2004 and has amassed over 8 million members&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;One of the requirements for Facebook membership (it's not open to everyone) is that &lt;span style="font-style: italic;"&gt;"users must be members of one of the 30,000+ recognized schools, colleges, universities, organizations, and companies within the U.S, Canada, and other English-speaking nations. This generally involves having a valid e-mail ID with the associated institution."  (Note: quoted from the mashable.com article referenced in the link above).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Wow, I sure am glad pedophiles don't gravitate towards educational institutes.  It's not like we ever hear of &lt;a href="http://cbs4.com/topstories/local_story_029135839.html"&gt;teachers&lt;/a&gt;&lt;a href="http://cbs4.com/topstories/local_story_029135839.html"&gt; molesting students&lt;/a&gt; or &lt;a href="http://www.southcoasttoday.com/daily/02-07/02-06-07/12state-region.htm"&gt;anything like that&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;I love the concept that "if it's the first time I've seen it, it must be the first time it has happened."  It's like the 4-year old who says "look, Daddy, the moon is following us!"  It disgusts me that the "Chief Privacy Officer" has sold his soul and made such a lame statement.  Okay, okay.  I'll be fair.  
I'm looking for more information &lt;span style="font-style: italic;"&gt;just in case&lt;/span&gt; he actually has grounds to say this.  Still, I cannot imagine how he can justify making it, save because his job demands that he do so.&lt;br /&gt;&lt;br /&gt;I suppose one reason I'm particularly hot on this topic is the fact that recently a &lt;a href="http://www.radiocoloradonetwork.com/businessforbreakfast.html"&gt;local radio personality&lt;/a&gt;, Scott Cortelyou, was picked up not once but twice on &lt;a href="http://cbs4denver.com/crime/local_story_032130227.html"&gt;soliciting a minor online&lt;/a&gt;.  This one fascinates me because I used to work with Scott's wife (a wonderful lady) and I just cannot imagine him A) thinking he can get away with it (his wife is in IT!  You know he can't hide it forever!) and B) needing to look beyond his lovely wife for gratification.  Sorry to be so crude, yes, but it's a crude topic.  Lastly, of course, is the fact that I've actually met this person.  I've got to admit that having worked with his wife (albeit 8 years ago) this still haunts me.  More than any case I've come across (and I've been directly involved in some cases) this one haunts me because of the human angle.  When it's someone you've met and shook hands with, it's kinda creepy.  When you worked side-by-side with the spouse for a few years and had some insight into their lives, it's very creepy.&lt;br /&gt;&lt;br /&gt;My prayers go out to her.  And him.&lt;br /&gt;&lt;br /&gt;This brings up my question.  It appears we have approached the time when "virtual kiddy porn" is becoming a reality.  So, if there's no true exploitation of a minor (it's a computer construct), should it be illegal?  What if we were to provide Scott with a near photorealistic, interactive tool, would that reduce his "predatory" instincts?&lt;br /&gt;&lt;br /&gt;You will be hearing this argument soon, so I'd get ready for it.  
Reality doesn't matter to proponents of virtual kiddie porn, so if they can just make you *think* that it will save some children by providing their potential attackers with, um, "distraction" then they will use that argument.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;I'm no expert in addictive behaviour (heck, I don't even know if that's the right term) but I'll venture that this kind of outlet may actually help some, but will probably make it "too easy" for others and they will continue to obsess over it, eventually to the point of breaking. &lt;br /&gt;&lt;br /&gt;I would venture that if you searched Scott's computer, you would find porn.  I would venture that if you searched every computer for every child molester (or potential child molester), those who had the ability had some kind of pornography.  This does not, to me, speak well of the role pornography plays in the minds of those who eventually commit crimes.  I don't see a pedophile going "you know, I never look at porn".  Yet the flip side, someone who doesn't look at porn (but who has access to it) is obviously far less likely to become a sex predator.&lt;br /&gt;&lt;br /&gt;So, what is the answer?  Do we need to break these people of multiple habits (kiddy porn and porn-porn) or can they function having only given up one (child porn) and keeping the other ("regular" porn)?&lt;br /&gt;&lt;br /&gt;I've got a feeling that like with AA, the answer will be complete abstinence from solo exploitive sex (i.e. 
pornography of any kind).&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-52741283480195150?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/52741283480195150/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=52741283480195150' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/52741283480195150'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/52741283480195150'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/02/soliciting-minor.html' title='Soliciting A Minor'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-1708139580102387495</id><published>2007-02-05T17:36:00.000-07:00</published><updated>2007-02-09T15:11:53.935-07:00</updated><title type='text'>Take My Privacy...please!</title><content type='html'>Okay, I'll be the first to say it: I think the whole "privacy" thing is overblown.&lt;br /&gt;&lt;br /&gt;Well, not the *whole* privacy thing, but much of it.  I am *very* interested in protecting individual information, such as credit card numbers, health records, phone numbers and such.  
I am getting less and less concerned about other matters of privacy, and I believe that many of the pro-privacy advocacy groups are going to be blocking technologies that will make our lives better.&lt;br /&gt;&lt;br /&gt;What good is an "anti-paranoid" security professional?  I dunno.&lt;br /&gt;&lt;br /&gt;What will transportation look like in the future?  Probably automatically-controlled vehicles a-la half the sci-fi movies you watch nowadays.  Many people don't give this a second thought, but let's think about a logical step towards that:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.expertlaw.com/library/accidents/auto_black_boxes.html"&gt;Black boxes.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Did you know that your &lt;a href="http://www.wpoplin.com/CrashDataRetrieval.htm"&gt;recent-model automobile&lt;/a&gt; likely has one already?  How do you feel knowing that, should you get in an accident, a law enforcement officer may collect this data as evidence for (or against) you?&lt;br /&gt;&lt;br /&gt;Great, now how about on a routine traffic stop?  "Officer, I was only going 55" (try 70).  "Your speed radar must have been pointed at someone else."&lt;br /&gt;&lt;br /&gt;Or, before a traffic stop. [Officer Dannon looks at his readout] "Hmm, that car ahead of me was racing along at 90 before I pulled behind him..."&lt;br /&gt;&lt;br /&gt;The two last scenarios are not likely right now, as the process for utilizing these is deliberately not one that may be readily available to a traffic officer.  This isn't likely to change in the near future, as there are serious &lt;a href="http://www.expertlaw.com/library/accidents/auto_black_boxes2.html"&gt;legal implications&lt;/a&gt; to these items.&lt;br /&gt;&lt;br /&gt;You can read these articles to see what's collected, but the data will only get more invasive.  
It's conceivable that black box data and &lt;a href="http://ezinearticles.com/?Cell-Phone-GPS-Tracking---Privacy-Issues&amp;id=159255"&gt;cell phone data (GPS)&lt;/a&gt; could be correlated to reconstruct accidents better.  Heck, it may be correlated with past driving habits independent of whether there was an incident to see the likelihood of your taking certain actions.&lt;br /&gt;&lt;br /&gt;Frankly, I'm all in favor of an accurate reconstruction of any accident I'm involved in.  Then again, I'm an honest guy, and I'm not subject to road rage or other idiocies of the American road.&lt;br /&gt;&lt;br /&gt;The privacy problem is, in my mind, a matter of knowing where to draw the line.  I perceive that most educated people do not trust those in power (governmental or corporate) to draw that line for us.  Similarly, I don't trust &lt;span style="font-weight: bold;"&gt;us&lt;/span&gt; to draw the line for us.  (Okay, really I don't trust &lt;span style="font-weight: bold;"&gt;you&lt;/span&gt; to draw the line for &lt;span style="font-weight: bold;"&gt;me&lt;/span&gt;).&lt;br /&gt;&lt;br /&gt;These very technologies will eventually form the foundation for some of the wonderful future we've seen in the movies.  With fully-automated cars we will save fuel and time, for example.&lt;br /&gt;&lt;br /&gt;It's just that the steps to get there are so unpalatable to us, that we will be digging in against these advances every step of the way.&lt;br /&gt;&lt;br /&gt;So for now, put a black box in my car if you must. Record every action I take, from drinking coffee and eating my Big Mac to calling my mom on my cell.&lt;br /&gt;&lt;br /&gt;Just make sure you don't:&lt;br /&gt;                Record video or audio of me&lt;br /&gt;and make sure you DO:&lt;br /&gt;                Put one in everyone ELSE's car, as well.  
I'm not up for being a lone sacrifice.&lt;br /&gt;&lt;br /&gt;This way, when there's an accident, it's not about who lies best, but the facts will determine who was in the right, and whose insurance goes way up.&lt;br /&gt;&lt;br /&gt;Fine by me.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-1708139580102387495?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/1708139580102387495/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=1708139580102387495' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1708139580102387495'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1708139580102387495'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/02/take-my-privacyplease.html' title='Take My Privacy...please!'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-3690705356184104361</id><published>2007-01-29T16:14:00.000-07:00</published><updated>2007-01-30T08:51:38.770-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='password'/><category scheme='http://www.blogger.com/atom/ns#' term='schneier'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='myspace'/><title type='text'>MySpace 
"Hacked"</title><content type='html'>There have been a small number of &lt;a href="http://www.google.com/search?hl=en&amp;q=define%3A+phishing&amp;amp;btnG=Google+Search"&gt;phishing&lt;/a&gt; attacks against &lt;a href="http://mashable.com/2006/10/27/myspace-phishing-attack-appears-on-3000-pages/"&gt;MySpace&lt;/a&gt; users. The latest round gathered some 56,000+ login names and passwords.  Now, every security guy in the world is &lt;a href="http://blog.washingtonpost.com/securityfix/2007/01/myspace_phishers_hook_hundreds.html?nav=rss_blog"&gt;blogging&lt;/a&gt; (and &lt;a href="http://weblog.infoworld.com/securityadviser/archives/2006/12/bruce_schneier.html"&gt;blogging&lt;/a&gt; more) about people's crappy choices for passwords.&lt;br /&gt;&lt;br /&gt;Similar to websites that poll you about various hot topics, there is a fundamental flaw to this password analysis.  Go to a news site with a story about Hillary Clinton, and there's a decent chance there's a sidebar poll asking you if she has a chance to win her party's nomination (or the Presidency).  This poll will inevitably identify itself as "unscientific", but readers still put some stock in it.&lt;br /&gt;&lt;br /&gt;All that poll will tell you is what percentage of people who would read an article about Hillary Clinton actually think she will get nominated or elected.  Furthermore I posit that the most likely people to read that article are ones who are in favor of her, and therefore the poll results should be skewed towards an optimistic view.&lt;br /&gt;&lt;br /&gt;(Of course, if you don't buy that premise, you'll think my whole post is baloney)&lt;br /&gt;&lt;br /&gt;The MySpace password analysis is similarly flawed.  They are commenting on the poor quality of passwords selected by people who were duped into going to a phishing site.  
In other words, people who will tend towards being young, inexperienced netizens, or others who aren't ready to be ranked amongst the net-wise.&lt;br /&gt;&lt;br /&gt;I would guess these passwords to be of suspect quality.&lt;br /&gt;&lt;br /&gt;Similarly, I'll bet that the passwords of those who do NOT fall for the phishing scam are generally far better.&lt;br /&gt;&lt;br /&gt;But it's an easy target for a "security professional" to aim at.&lt;br /&gt;&lt;br /&gt;More to come...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-3690705356184104361?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/3690705356184104361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=3690705356184104361' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/3690705356184104361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/3690705356184104361'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/01/myspace-hacked.html' title='MySpace &quot;Hacked&quot;'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-9064047708991703372</id><published>2007-01-27T22:17:00.000-07:00</published><updated>2007-01-30T08:52:20.682-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='clipper'/><category 
scheme='http://www.blogger.com/atom/ns#' term='wargames'/><category scheme='http://www.blogger.com/atom/ns#' term='redford'/><category scheme='http://www.blogger.com/atom/ns#' term='chip'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><category scheme='http://www.blogger.com/atom/ns#' term='sneakers'/><title type='text'>Watching Sneakers Again</title><content type='html'>I prefer Wargames, but Sneakers is cool.  Much to my surprise, the kids love it.  They don't like me pausing and explaining stuff, but they love it.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-9064047708991703372?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/9064047708991703372/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=9064047708991703372' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/9064047708991703372'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/9064047708991703372'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/01/watching-sneakers-again.html' title='Watching Sneakers Again'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-607921386292827178</id><published>2007-01-27T21:31:00.000-07:00</published><updated>2007-01-30T08:53:16.395-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='domain'/><category scheme='http://www.blogger.com/atom/ns#' term='engarde'/><category scheme='http://www.blogger.com/atom/ns#' term='tools'/><category scheme='http://www.blogger.com/atom/ns#' term='PGP'/><category scheme='http://www.blogger.com/atom/ns#' term='passphrase'/><category scheme='http://www.blogger.com/atom/ns#' term='linux'/><category scheme='http://www.blogger.com/atom/ns#' term='hardened'/><category scheme='http://www.blogger.com/atom/ns#' term='secure'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='SELinux'/><category scheme='http://www.blogger.com/atom/ns#' term='scripting'/><title type='text'>My New Favorite Toy</title><content type='html'>Okay, I have a new favorite toy.  It's called &lt;a href="http://www.engardelinux.org/"&gt;Engarde Secure Linux&lt;/a&gt;. This secured Linux distribution goes beyond the normal &lt;a href="http://en.wikipedia.org/wiki/Selinux"&gt;SELinux&lt;/a&gt; capabilities with a restricted root and true Mandatory Access Controls (remember your CISSP training?)  Why do I care?&lt;br /&gt;&lt;br /&gt;A few years ago I was tasked with building a secure file transfer system that was built on existing tools which a "partner" company could acquire and tie into, and it had to be easily automated.  Based on the requirements (and taking a guess at what regulatory requirements were going to pass legislation) I built a system running on a Solaris box that SCPed data to- and from- partner companies.  This data was PGP encrypted (if we were sending it) to the customer's PGP key, or it was received from the partner and automatically decrypted via PGP command line.&lt;br /&gt;&lt;br /&gt;This posed a few problems.  
The enterprise version of PGP command line (from Network Associates at that time) required that the passphrase be read from a text file, stored in an environment variable, or be "" (blank, in other words).  None of these are particularly desirable for my new system, but I didn't have much to work with for the old one.&lt;br /&gt;&lt;br /&gt;This is a problem with automated systems like this.  Even though we can do some good public/private key work here, it still comes down to a passphrase to unlock the data, and that passphrase must be available to the system.  There are tools to "obfuscate" passwords in text files, but they suck, and are easily reverse-engineered.&lt;br /&gt;&lt;br /&gt;The best answer we had at the time was to try our best to secure the device.  We put it in a DMZ, gave it local protection (IPFW, Tripwire, and logging).&lt;br /&gt;&lt;br /&gt;I'm thinking that with something like Engarde I can provide better controls.  While I will still have either a passphraseless key or a passphrase stored in a text file, I can better limit access to these because of how Engarde works.  I am no longer so concerned about a root exploit allowing a malicious user to gain access, because root itself will not have access to these files.  Only the specific system account which executes the decryption command will have access to it.  This isn't perfect, but it's a huge step forward.&lt;br /&gt;&lt;br /&gt;In fact, it may be worth the risk of adding a second layer of protection.  In case someone physically accesses the system, we can go ahead and encrypt the filesystem.  Encrypting swap would be a good idea, as well.&lt;br /&gt;&lt;br /&gt;On top of that, we can choose to NOT store the passphrase in a file, but rather require the passphrase to be entered one time only at system startup.  Hopefully, this means that the passphrase will only be accessible via the context of the decryption account (and it will be lost at shutdown, since it's in non-swappable RAM, I hope). 
 Depending on the availability requirements of the system, this may be practical.  For my application, this will probably be just fine, so I'll probably require someone to manually enter the passphrase at system startup, and just make sure I have a good "uptime" monitor.&lt;br /&gt;&lt;br /&gt;You'll notice that I have few good links in this post.  There's still a bit of research to do (I'm checking out the source code for PGP command-line right now, or I may go with GnuPG) and when I've done it, I'll publish the whole thing here.  I'll probably make it available on the Engarde site, as well.&lt;br /&gt;&lt;br /&gt;Anyway, I've got another idea I'm working on, as well.  This one is an anti-spam idea.  I worked up an idea a few years ago, and my boss told me "it's a bad idea".  Six months later, IBM announced a project leveraging the exact same idea I had had.  Just a few days ago, I posited a new idea to a new boss, with a similarly cool reception.&lt;br /&gt;&lt;br /&gt;THIS time, I'm gonna build it before IBM does.  You'll read about it here, as well.&lt;br /&gt;&lt;br /&gt;TTFN.   
-Brian&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-607921386292827178?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/607921386292827178/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=607921386292827178' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/607921386292827178'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/607921386292827178'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/01/my-new-favorite-toy.html' title='My New Favorite Toy'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-5032796700727711198</id><published>2007-01-27T10:24:00.000-07:00</published><updated>2007-01-30T08:54:07.515-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='attack'/><category scheme='http://www.blogger.com/atom/ns#' term='iran'/><category scheme='http://www.blogger.com/atom/ns#' term='war'/><category scheme='http://www.blogger.com/atom/ns#' term='invade'/><category scheme='http://www.blogger.com/atom/ns#' term='iraq'/><category scheme='http://www.blogger.com/atom/ns#' term='inspector'/><category scheme='http://www.blogger.com/atom/ns#' term='nuclear'/><category scheme='http://www.blogger.com/atom/ns#' term='justified'/><title type='text'>Past Performance Is An 
Indicator...</title><content type='html'>of future results.&lt;br /&gt;&lt;br /&gt;Quick rehash:  Iraq &lt;a href="http://www.cbsnews.com/elements/2002/09/10/world/timeline521395_0_content.shtml"&gt;kicks out UN weapon inspectors&lt;/a&gt;.  Eventually, we get ticked off enough to do something about it.  (For a brief post on this issue, look &lt;a href="http://godandsecurity.blogspot.com/2006/12/quick-note-on-saddam-and-iraq.html"&gt;here&lt;/a&gt;.)&lt;br /&gt;&lt;br /&gt;Now, Iran has &lt;a href="http://www.stuff.co.nz/3941270a12.html"&gt;banned UN nuclear inspectors&lt;/a&gt;.  By my count, they have either 11 years of cushion here, or until the next Republican majority in the House and Senate coincide with a Republican president.&lt;br /&gt;&lt;br /&gt;There is a part of me that would like to think that Iran is actually just trying to get nuclear power for the &lt;a href="http://www.imdb.com/title/tt0083366/"&gt;pipples&lt;/a&gt; (if you don't get that reference, post and I'll 'splain).  It would be nice to stage a power plant in a good neutral country and "ship" power over to Iran, but there just &lt;a href="http://almashriq.hiof.no/general/900/910/912/maps/middle.east.gif"&gt;aren't very many good neighbors to Iran&lt;/a&gt; that we (the US) are likely to trust with nuclear power.&lt;br /&gt;&lt;br /&gt;Anyway, I digress.  We are at a weak point internationally, and this is not helped by the Democrat-controlled legislature.  Iran will not back down until there is a legitimate threat of invasion, and that is at minimum one election away, and definitely not a good idea until we can back out of Iraq.&lt;br /&gt;&lt;br /&gt;So, brace yourselves.  Sometime in the next 4 to 11 years, we *will* be attacking Iran.  
That is, unless we change our policies, or they change theirs.&lt;br /&gt;&lt;br /&gt;Thus beginneth the attack.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-5032796700727711198?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/5032796700727711198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=5032796700727711198' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5032796700727711198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5032796700727711198'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/01/past-performance-is-indicator.html' title='Past Performance Is An Indicator...'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-233584381831449673</id><published>2007-01-26T19:55:00.000-07:00</published><updated>2007-01-26T20:42:12.477-07:00</updated><title type='text'>Christian Rock Doesn't Suck...</title><content type='html'>...anymore.  Heaven knows it did, at least to someone with tastes like mine.  I spent quite a bit of time in the "gaming" community (Doom, Quake, Unreal Tournament, and now XBox games) and for some strange reason this interesting form of "melodic heavy metal" is immensely popular there.  
For those of you who don't know what I'm talking about, the best example I can give you is &lt;a href="http://www.evanescence.com/"&gt;Evanescence&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;When Evanescence came out, they were quite popular, and most people thought they were a novel new sound.  Those in the Internet communities I hung around knew about tons of bands who had been doing this female-led heavy metal for quite a while.  It is these secular bands that I have had a hard time getting away from.  Bands like:&lt;br /&gt;After Forever, Nightwish, Edenbridge, Lacuna Coil, Darkwell and Within Temptation.  Other bands with similar (albeit male lead) sounds include Gamma Ray, Stratovarius, Therion, Luca Turilli/Rhapsody, and others.&lt;br /&gt;&lt;br /&gt;If you want a fun tool to see what bands you may like based on one you enter, try &lt;a href="http://www.music-map.com/"&gt;this web site&lt;/a&gt;.  I'm trying to populate some of the good Christian bands on this site.&lt;br /&gt;&lt;br /&gt;Which brings me back to my post.  I have found (until recently) very few (read: zero) good Christian bands that I would go out of my way to listen to.  The "oldies" in the rock category like Stryper and Petra never did it for me, and others that came and went were one-hit wonders like D.C. Talk.&lt;br /&gt;&lt;br /&gt;While discussing music with a friend who is active in his church, he noted the bands I liked and said I may like this band called &lt;a href="http://www.saviourmachine.com/home.htm"&gt;Saviour Machine&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Wow. This band quickly became my favorite.  In the process of tracking down their hard-to-find CDs, I came across another band called &lt;a href="http://en.wikipedia.org/wiki/Plumb_%28singer%29"&gt;Plumb&lt;/a&gt;.  This band had a better-than-Evanescence sound, and I heard them of all places on Revolution satellite radio.  When I came home, I was trying to track down THAT music, and I started finding other wonderful stuff.  
First came &lt;a href="http://www.barlowgirl.com/"&gt;Barlow Girl&lt;/a&gt;, then SuperChick, then &lt;a href="http://www.gretchenland.com/"&gt;Gretchen&lt;/a&gt; (a Christian band who plays secular music), and lately &lt;a href="http://www.fireflightrock.com/"&gt;FireFlight&lt;/a&gt;, who is the closest to After Forever I've heard on the Christian scene, and every bit as good.&lt;br /&gt;&lt;br /&gt;It's amazing how the memory plays tricks on you, though.  Well before any of these groups crossed my path (even the secular ones!) I discovered a Christian artist who sings secular music named &lt;a href="http://www.rachelsmusic.com/"&gt;Rachel Farris&lt;/a&gt;.  A wonderful person (heck, she even answered a few of my emails!) and a killer voice (think Susanna Hoffs from the Bangles (the childlike voice) meets high-energy rock). I guess in retrospect it was she who made me realize that there were talented Christian artists out there who weren't satisfied doing more of the same generic Christian music.&lt;br /&gt;&lt;br /&gt;Coming soon, I'll tell you about some of the awesome Christian authors I've run across!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-233584381831449673?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/233584381831449673/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=233584381831449673' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/233584381831449673'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/233584381831449673'/><link rel='alternate' type='text/html' 
href='http://godandsecurity.blogspot.com/2007/01/christian-rock-doesnt-suck.html' title='Christian Rock Doesn&apos;t Suck...'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-2211462480745024549</id><published>2007-01-16T12:00:00.000-07:00</published><updated>2007-01-16T12:29:08.415-07:00</updated><title type='text'>Oh, The Irony Of It All!</title><content type='html'>First, we hear that &lt;a href="http://www.foxnews.com/story/0,2933,243649,00.html"&gt;Tom Cruise is actively pursuing the Beckhams&lt;/a&gt; (specifically, Victoria Beckham) to join his profitable little Scientology cult.  This spiritual change on Victoria's part was the subject of rumors as to why the Beckhams were looking at moving to L.A.&lt;br /&gt;&lt;br /&gt;Now, it appears that David chose to bring his family to LA to get the best care available for his son, &lt;a href="http://www.lse.co.uk/ShowbizNews.asp?Code=VD156681M&amp;headline=david_beckham_moves_for_son"&gt;Romeo, who has epilepsy&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;If this new revelation is true, I applaud David and Victoria for their move.  Furthermore, this is the kind of exposure that helps raise awareness (and money) for these kinds of medical conditions.&lt;br /&gt;&lt;br /&gt;Buuuut, I am concerned about Cruise's attempts to drag the Beckhams into Scientology.  With any luck, the Beckhams are South Park fans and have an idea as to how wacky the cult is.  Maybe it would help Victoria if she were to read &lt;a href="http://www.scientology-lies.com/faq/teachings/medical-drugs.html"&gt;this&lt;/a&gt;.  
Or &lt;a href="http://www.xenu.net/"&gt;this&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;I understand that David and Tom are close friends, but if my "close friend" tells me to forego medicine for my epileptic kid (because he's just got some bad &lt;a href="http://en.wikipedia.org/wiki/Engram_%28Dianetics%29"&gt;"engrams"&lt;/a&gt;) I'm going to look elsewhere for advice...&lt;br /&gt;&lt;br /&gt;Oh, and for clarity, my definition of a cult?  A religion where they don't tell you what you need to know "up front".  In this way, at least, Scientology may join the ranks of the Jehovah's Witnesses and Mormonism.&lt;br /&gt;&lt;br /&gt;The difference?  JW's and Mormons are still likely to have acknowledged Jesus as their Lord and Savior which, cult or no, puts them in good standing in my worldview.&lt;br /&gt;&lt;br /&gt;(It will be worthy of another post as to why many of the JWs and Mormons are "covered" in the Christian worldview, despite their decidedly heretical teachings.)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-2211462480745024549?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/2211462480745024549/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=2211462480745024549' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2211462480745024549'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2211462480745024549'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/01/oh-irony-of-it-all.html' title='Oh, The Irony Of It 
All!'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-5901203817642075975</id><published>2007-01-15T21:16:00.000-07:00</published><updated>2007-01-15T21:30:46.900-07:00</updated><title type='text'>Reading List</title><content type='html'>Here are the books I picked up in the last few weeks.  "Picked up" means I already own them, and I found need (or desire) to reference them.  I haven't bought anything new for the last few months.  For those of you uninterested in religion, I'll list the secular stuff first:&lt;br /&gt;&lt;br /&gt;Applied Cryptography - Bruce Schneier.  (I would recommend "Secrets and Lies" to every IT person on the face of the Earth.  It's that important).  This book is actually a good read, despite the dry subject matter.&lt;br /&gt;&lt;br /&gt;How The Mind Works - Steven Pinker.  Self-descriptive title.  I read this beginning-to-end years ago, and found need to reference it again.  I need to give it a full read again so I can remember exactly why I found it so interesting!  In the meantime, I needed to verify some ideas I had in a discussion with my teenage daughter.&lt;br /&gt;&lt;br /&gt;Surfing Through Hyperspace - Clifford Pickover.  This book does an awesome job of explaining multiple dimensions in layman's terms.  Unfortunately, though this is a secular read, I did it for religious purposes...&lt;br /&gt;&lt;br /&gt;It's Not Funny If I Have To Explain It (A Dilbert Book) - Scott Adams.  Really.  There are so few great comic artists in the world, and they create things like Dilbert, Bloom County, Fox Trot, Order of the Stick (a Web comic) and some others.  
These are people who consistently put in double- and triple-punchlines in their strips.&lt;br /&gt;&lt;br /&gt;No Two Sexes Are Alike (A B.C. book) - Johnny Hart.  If an eel lunges out, and it bites off your snout, that's a moraaaaaay!&lt;br /&gt;&lt;br /&gt;Religious Stuff:&lt;br /&gt;Handbook of Christian Theology - Donald Musser and Joseph Price.  I received this as a gift from a United Methodist minister, and it has proven an invaluable tool in my collection.&lt;br /&gt;&lt;br /&gt;Systematic Theology - Wayne Grudem.  This is a book about how to apply systematic theology (the process of evaluating scripture to support a particular premise) which is about the first 5% of the book, and then the rest are examples.  Another good example of "dry reading" that I nonetheless continue to find fascinating.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-5901203817642075975?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/5901203817642075975/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=5901203817642075975' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5901203817642075975'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/5901203817642075975'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/01/reading-list.html' title='Reading List'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-1772087455331125969</id><published>2007-01-11T21:30:00.000-07:00</published><updated>2007-01-11T22:13:50.179-07:00</updated><title type='text'>"Do you really believe...</title><content type='html'>...what you believe, or do you have doubts?"  -text message&lt;br /&gt;&lt;br /&gt;This is the single most thought provoking question I have been asked in the last week or so.  Don't laugh, I get a ton of thought provoking questions at work and at home.  This particular one came from someone very close to me who does not share my worldview (he is "skeptical" about religion).  My immediate answer was "no".  Furthermore, I amended that I struggle with people who do have doubts.  Not personally, I just don't understand them.  Didn't.&lt;br /&gt;&lt;br /&gt;Now I am doubting my answer.  Thought provoking.&lt;br /&gt;&lt;br /&gt;I truly do not have doubts about my faith.  I haven't for quite some time (ten-plus years).  Of course, I will concede that in that time I have lead a rather charmed life.  Great wife, great kids, great parents and siblings.  Great friends, and great jobs.  No unexpected deaths, and my critical job loss was followed up with a miraculous series of job offers over a *very* short period of time.  There are a few stories in there, but they'll have to wait.&lt;br /&gt;&lt;br /&gt;What I'm doubting about my answer is the *meaning* of my answer(s).  By saying "I do not doubt my faith" does that make me a mindless zealot?  Have I lost all objectivity?  To my skeptic's credit, if God ever knocks on his door, he'll reconsider.  He's open-minded.&lt;br /&gt;&lt;br /&gt;I'm not, and I must ask myself why?&lt;br /&gt;&lt;br /&gt;Fifteen years ago (or so) I chose to come back to the church.  I grew up Catholic, but I felt a need to research everything.  
Maybe it's the culture I grew up in, but after research it was fairly simple to exclude a number of world religions (Islam, Buddhism and others) and pseudo-Christianities (Mormanism, JW) and the pseudo-religions (Scientology, Athiesm).  With a small mountain of data, I made my choice and spent many years reviewing my choice, and indeed challenging it.&lt;br /&gt;&lt;br /&gt;I know, I know, stuff you don't care about.&lt;br /&gt;&lt;br /&gt;I realize that I don't doubt my faith, but I do question aspects of it.  I am constantly revising my thinking on various theological issues, but I do so firmly grounded in my chosen worldview.  I frequently examining items that &lt;a href="http://video.google.com/videoplay?docid=-6794575523309070005&amp;q=campbell+zakir"&gt;challenge my worldview&lt;/a&gt;.  I even read things that are outright &lt;a href="http://www.skepticsannotatedbible.com/"&gt;attacks grounded in ignorance and inaccuracy&lt;/a&gt;.  I suppose one of my biggest challenges is that I feel that Christianity is poorly defended (at least anywhere I see it being defended...)&lt;br /&gt;&lt;br /&gt;So, what does all of this mean?  I don't *feel* like a &lt;a href="http://en.wikipedia.org/wiki/Religious_right"&gt;right-wing close-minded religious nut&lt;/a&gt;, but I feel they are playing a "better safe than sorry" game that seems a cop-out to examining religious issues and examining the Bible and society with an open mind to ascertain God's word, rather than to try to mold scripture to fit certain preconceived notions.&lt;br /&gt;&lt;br /&gt;With all of that being said, they're in better shape than the skeptics.  There are many levels of wrong.  Heck, my &lt;a href="http://www.umc.org/site/c.lwL4KnN1LtH/b.1353935/k.BE6A/Home.htm"&gt;worldview&lt;/a&gt; has a good place for many of the pseudo Christians (as theirs does for me, I might add).&lt;br /&gt;&lt;br /&gt;So why don't I doubt my faith?  
I suppose because it was not based on feeling or experience, but rather was a choice I made from the information I gathered.  I never had a "God" moment that turned me around (which so many Born Agains think is so critical), but rather it was a process that has led me to where I am...which saves me from doubting some experience or words &lt;a href="http://www.dcsites.com/dc003.htm"&gt;whispered&lt;/a&gt; in the dark.&lt;br /&gt;&lt;br /&gt;And after this decision was made?  The God experiences started coming.  Sure, I hear all of the skeptics saying "self-fulfilling prophecy" as they read this, and I understand why.&lt;br /&gt;&lt;br /&gt;And I don't doubt whether they are right or not.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.esv.org/translation/philosophy"&gt;I know.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-1772087455331125969?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/1772087455331125969/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=1772087455331125969' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1772087455331125969'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1772087455331125969'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/01/do-you-really-believe.html' title='&quot;Do you really believe...'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32'
src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-4478353320752229107</id><published>2007-01-07T20:55:00.000-07:00</published><updated>2007-01-07T21:26:56.099-07:00</updated><title type='text'>Future (Present?) of Privacy</title><content type='html'>You have no privacy.&lt;br /&gt;&lt;br /&gt;You can take my statement one of two ways:  the ramblings of one who fears God and knows that God knows all that has been, is, and will be, or you can view it as the ramblings of one who has faith that we will not destroy ourselves (completely) before we develop amazing new technologies in the next 1000 years.&lt;br /&gt;&lt;br /&gt;Your choice.  For the sake of this argument, however, I'm going to focus on #2 (which is what some of you may think this article is...a bunch of #2)&lt;br /&gt;&lt;br /&gt;As I did with my post &lt;a href="http://godandsecurity.blogspot.com/2006/12/future-of-christianity-i.html"&gt;"The Future of Christianity I"&lt;/a&gt;, I will first look to the past to predict the future.  Furthermore, I shall explain the present.&lt;br /&gt;&lt;br /&gt;Can you imagine being a murderer and getting away with your crimes (let's say Jack the Ripper) and you have someone from the future approach you and tell you that they were able to solve the murders using a technology that was unheard of (indeed, undreamt of) in your time?  The &lt;a href="http://www.casebook.org/about_the_casebook/faq.html"&gt;"Jack the Ripper"&lt;/a&gt; case may be a far out example (for now) but there are more and more cases that are being &lt;a href="http://www.oneidadispatch.com/site/news.cfm?newsid=17639669&amp;BRD=1709&amp;amp;PAG=461&amp;dept_id=68844&amp;amp;rfi=6"&gt;solved&lt;/a&gt;  in ways that we are starting to take for granted (DNA, the OJ trial notwithstanding) that were unheard of only a few short decades ago.&lt;br /&gt;&lt;br /&gt;What does this have to do with privacy?
Only to illustrate the leaps in technology that we have seen in recent years and to extend the idea behind &lt;a href="http://en.wikipedia.org/wiki/Moore%27s_law"&gt;Moore's Law&lt;/a&gt; to cover technology in general, not just raw computing power.&lt;br /&gt;&lt;br /&gt;In simple terms (with some literary license thrown in) it states that computing power will double every two years.  Over the course of the last 40 years many (including Gordon Moore himself, the law's "creator" and namesake) have proclaimed it &lt;a href="http://www.techworld.com/opsys/news/index.cfm?NewsID=3477"&gt;"dead"&lt;/a&gt; stating that we have run up against the limits of the laws of physics relating to computing power, but we have only barely begun to see a slowing of this awesome phenomenon.&lt;br /&gt;&lt;br /&gt;So where does this put us with regards to privacy?&lt;br /&gt;&lt;br /&gt;First, let me state that you have no privacy from the future.  Using the &lt;a href="http://www.google.com/search?hl=en&amp;q=cold+case+dna&amp;amp;btnG=Google+Search"&gt;"cold case"&lt;/a&gt; example above, I believe it is only a small leap to claim that future generations will be able to reconstruct amazing details of our current lives, even to the point of being able to &lt;a href="http://www.umich.edu/%7Eurecord/0405/Jan10_05/23.shtml"&gt;"view" events of the past&lt;/a&gt;.   Maybe it will be &lt;a href="http://www.cs.caltech.edu/%7Ewestside/quantum-intro.html"&gt;quantum computers&lt;/a&gt; that allow for the massive calculations necessary to determine what chain of events caused matter to be in its current state (i.e. what did we in the past do to create what the future "present" is like).  Maybe it will be something so pedestrian as a giant telescope transported to the edge of the galaxy at super-light speeds and pointing back at us to watch the streets of a historical Earth.&lt;br /&gt;&lt;br /&gt;Whatever.  
The point is, what you do right now (good thing you're at *this* site, and not some &lt;a href="http://sportsillustrated.cnn.com/swimsuit/collection/"&gt;*other* website...&lt;/a&gt;) is subject to being viewed by future generations.&lt;br /&gt;&lt;br /&gt;Are you comfortable with that?&lt;br /&gt;&lt;br /&gt;I used to say that we only have privacy from our contemporaries.  After all, the Super Telescope Peering Into My Bedroom isn't going to be invented in time for my great-grandchildren to see.  Then again, who is to say that future generations will not also be "resurrecting" my contemporaries?  Maybe it will be one of my very good friends (say, Ryan) who plays a part in making this viewer into the past possible after he is "regenerated" in the year 2567.&lt;br /&gt;&lt;br /&gt;Discussions of life essence and spirit aside, are you comfortable with future incarnations of your neighbors knowing all about you?  We all may find ourselves (in a scientific worldview) &lt;a href="http://www.amazon.com/Your-Scattered-Bodies-Riverworld-Saga/dp/0345419677/sr=8-1/qid=1168230149/ref=pd_bbs_1/102-6877363-3390512?ie=UTF8&amp;s=books"&gt;resurrected at some date in the future&lt;/a&gt; where our pasts are all open books.  Are you living a life such that you are comfortable with that?&lt;br /&gt;&lt;br /&gt;Maybe Dogbert (or is it Dilbert?) is right that God is only the result of our combined intellects as the Internet brings us together into a great "hive mind".
That god truly is one to be feared!&lt;br /&gt;&lt;br /&gt;1984 is gone, but 2984 promises to be far more interesting, and quite possibly far more disturbing.&lt;br /&gt;&lt;br /&gt;And I believe (one way or another) you and I will be around to see it.&lt;br /&gt;&lt;br /&gt;-Brian&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-4478353320752229107?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/4478353320752229107/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=4478353320752229107' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/4478353320752229107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/4478353320752229107'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2007/01/future-present-of-privacy.html' title='Future (Present?) 
of Privacy'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-9206029451831091419</id><published>2006-12-22T10:21:00.000-07:00</published><updated>2006-12-22T10:30:49.429-07:00</updated><title type='text'>What Your Director of Information Security Wishes S/He Could Tell You (Part I)</title><content type='html'>A long title deserves a long post:&lt;br /&gt;&lt;br /&gt;&lt;span style=""&gt;&lt;/span&gt;Information System Security Directors (and Managers) must be adept at balancing corporate policies and business objectives with the ideals of security, and the idealistic security engineers who drive them.&lt;span style=""&gt;  &lt;/span&gt;The most obvious example is when the Director must discern whether or not to recommend a particular system.&lt;span style=""&gt;  &lt;/span&gt;Justification should be based on the return on security investment (ROSI) but follow-on discussions will be either to management in terms of costs, or to the technical team for the “cavernous holes it leaves in the infrastructure” as one security engineer put it.&lt;span style=""&gt;  &lt;/span&gt;If one picks a middle road, one only serves to piss off both camps.  
&lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;When dollars are measured against subjective risks, it is understandable how different experts will come up with different recommendations, ROSI formulae notwithstanding.&lt;span style=""&gt;  &lt;/span&gt;The adroit Director of Security will be prepared to defend his specific position in the face of any management or technical opposition, and yet be professional enough to reconsider based on new information or priorities.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;Security professionals understand that it is sometimes necessary to sacrifice security for revenue. What is harder to swallow, however, is sacrificing security for convenience.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;Many security vendors take great pains to minimize user impact.&lt;span style=""&gt;  &lt;/span&gt;Some companies have even formed around making security friendly to the end user, such as single sign-on systems and federated identity tools.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;Some security tools interface only with security or IT professionals, such as vulnerability management or IDS/IPS systems.&lt;span style=""&gt;  &lt;/span&gt;Others impact everyone yet are nearly transparent, such as firewalls and some antivirus solutions.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;What happens, however, when a security implementation is changed for convenience?&lt;span style=""&gt;  &lt;/span&gt;Let me illustrate:&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;A few years ago, I was tasked to perform a penetration test against a large mid-sized company.&lt;span style=""&gt;  &lt;/span&gt;The rules of engagement were simple: do not use information unless it can be shown to be available from outside the company, and the target (the “flag”, if you will) was the password of a specific
executive.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;I had two weeks.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;The next day, I delivered the “prize”.&lt;span style=""&gt;  &lt;/span&gt;When asked how I did it, I explained the simple technique I used (today we would call it “phishing”, a term which didn’t exist in the late 90’s) and the reply was “that’s not ‘hacking’, that’s ‘subterfuge’”.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;The first thing your Director of Information Security wishes he could tell you is, “not all hacking can be stopped with tools.&lt;span style=""&gt;  &lt;/span&gt;Training and awareness are key components to securing corporate assets, no matter what size the enterprise.”&lt;span style=""&gt;  &lt;/span&gt;The unfortunate follow-up is the concession that it is extremely difficult and time-consuming to implement an effective security awareness program, and it is far from foolproof, but it should still be required.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;Having been downgraded to a “leet subterfuger”, I set out to perform a more technical penetration test.&lt;span style=""&gt;  &lt;/span&gt;The result was a remote access connection that was brute-forced (actually the password of an executive was guessed by me after a total of fifteen tries while I was in the process of recompiling my RAS password grinding engine), and an unpatched internal system which provided the launching point for a reverse tunnel and some serious network scanning.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;Two days later, I delivered the “prize”.&lt;span style=""&gt;  &lt;/span&gt;It should be noted that the first “prize” looked remarkably like the user’s last name sans capitalization.&lt;span style=""&gt;  &lt;/span&gt;The second time, the user had cleverly appended “01” to the end, thus completely befuddling any brute
force tools in existence prior to the late 70’s. &lt;span style=""&gt;  &lt;/span&gt;“If I make it too difficult, my secretary will forget it,” was the rationale provided. &lt;span style=""&gt; &lt;/span&gt;This may be the subject of another article.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;In security, as in Perl, the motto “There’s more than one way to do it” applies, maybe with the addendum, “but where should I start?”&lt;span style=""&gt;  &lt;/span&gt;The above scenario drove the right questions, but failed by hitting only a few of the answers, and hitting them wrong.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;Any competent security professional that had access to the entire scenario above would see a number of places where security should be shored up.&lt;span style=""&gt;  &lt;/span&gt;Vulnerability scanning would be a good start, since a vulnerable internal system provided the jump-box necessary for the full-scale attack.&lt;span style=""&gt;  &lt;/span&gt;An intrusion prevention system on the dial-up network or on the server subnet would have provided warning, if not blocked it.&lt;span style=""&gt;  &lt;/span&gt;Remote endpoint compliance wasn’t an option back then, but it would have provided a key component to prohibit my penetration. 
The system I compromised through the RAS connection was a desktop which did not match the corporation’s security policy.&lt;span style=""&gt;  &lt;/span&gt;Endpoint compliance would have identified that this system didn’t have all the appropriate patches (which allowed my penetration) and would have shown that it also didn’t have up-to-date signatures for the anti-virus product, which would have prevented my loading a reverse-tunnel application.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;What was the solution of choice?&lt;span style=""&gt;  &lt;/span&gt;It was strong authentication (in the form of SecurID fobs) for &lt;s&gt;all&lt;/s&gt; many remote users.&lt;span style=""&gt;  &lt;/span&gt;Understanding that this was only a starting point (read: better than nothing) the Director moved forward with this solution.&lt;span style=""&gt;  &lt;/span&gt;It was palatable to the company, despite the cost, because many of the approved remote users already had fobs for access to critical internal systems.&lt;br /&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;Then the “convenience” shoe hit.&lt;span style=""&gt;  &lt;/span&gt;The VIPs of the company chose not to participate in this program.&lt;span style=""&gt;  &lt;/span&gt;While it was understood that the “gateway” to the corporate network hack had been a bad password, and that password was that of an executive (a different one this time) the VIPs could not be expected to carry one of those “fob things” around.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;This brings us to the second thing your Director of security would like to tell you, “Exceptions to security for the convenience of a few undermine the security for everyone.”&lt;span style=""&gt;  &lt;/span&gt;Or, to be (slightly) more succinct, “If you are asking for an exception, you are likely part of the problem.”&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span 
style=""&gt;&lt;/span&gt;It would be worth noting that I built a simple tool that spidered websites (well, performed automated search engine lookups, actually, since they already did all the spidering I needed) looking for the name of the company, and two consecutive capitalized words in the same sentence.&lt;span style=""&gt;  &lt;/span&gt;My tool then compared the capitalized words against name databases and attempted to form first/last name pairs.&lt;span style=""&gt;  &lt;/span&gt;Out of the 300+ unique pairs it formed, roughly 90 were actual employees at the company.&lt;span style=""&gt;  &lt;/span&gt;These formed the username list I was going to use for grinding the RAS passwords.&lt;span style=""&gt;   &lt;/span&gt;Based on that information, do you think these 90 people were low-level people, or high-profile people at the company?&lt;span style=""&gt;  &lt;/span&gt;Against an attack like this, therefore, whose passwords need to be strongest?&lt;span style=""&gt;  &lt;/span&gt;If you said, “the very ones who asked to be exempt from the system,” then move to the head of the class.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;That easily guessed password wasn’t much of an anomaly.&lt;span style=""&gt;  &lt;/span&gt;After all the password audits I’ve done at numerous companies, human nature shows obvious patterns when it comes to password selection.&lt;span style=""&gt;  &lt;/span&gt;In this case, the numbers (and lack of password strength enforcement) were in favor of me blindly guessing some passwords.&lt;span style=""&gt;  &lt;/span&gt;With a little effort, discerning even more passwords was simple.&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;&lt;/span&gt;For example, while having a discussion with a VIP at a large company over security issues, he turned to his system and entered his password to unlock his screen.&lt;span style=""&gt;  &lt;/span&gt;My habit is to not just avert my eyes, but to turn my body 
away.&lt;span style=""&gt;  &lt;/span&gt;He chuckled and said, “If you wanted to learn my password, you would have to watch me type it, because you sure aren’t going to guess it.”&lt;/p&gt;&lt;span style=""&gt;&lt;/span&gt;Keep in mind this was an exceptional event, but it still bears telling.&lt;span style=""&gt;  &lt;/span&gt;I looked around his office, at his posters and models, and awards, and took a shot.&lt;span style=""&gt;  &lt;/span&gt;“67 Vette”?&lt;br /&gt;&lt;br /&gt;“Well,” he harrumphed, “how would you spell it?”&lt;br /&gt;&lt;br /&gt;My purpose with that visit was to make some recommendations, but I realized this person may not have paid attention to previous security guidance.&lt;span style=""&gt;  &lt;/span&gt;My final words on behalf of your Director of Security are, “trust your security staff.&lt;span style=""&gt;  &lt;/span&gt;If you can’t, then hire ones you can,” especially if your eyes glazed over when I started talking about vaguely technical things such as spidering websites.&lt;br /&gt;&lt;br /&gt;That’s not to say that an executive need bow to every recommendation, but consider that each recommendation has been carefully thought out, and even though it may impact your user experience, it’s your assets that are on the line.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-9206029451831091419?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/9206029451831091419/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=9206029451831091419' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/9206029451831091419'/><link rel='self' type='application/atom+xml'
href='http://www.blogger.com/feeds/5471298593577534760/posts/default/9206029451831091419'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2006/12/what-your-director-of-information.html' title='What Your Director of Information Security Wishes S/He Could Tell You (Part I)'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-2031975985982531363</id><published>2006-12-13T19:34:00.000-07:00</published><updated>2006-12-13T19:50:20.987-07:00</updated><title type='text'>The Future of Christianity I</title><content type='html'>First, a disclaimer:  I am not a prophet.  I do not claim to possess any special revelation from God.  I also do not claim that we have any future beyond this moment which has been given to us.  For this discussion I rely solely on the facilities that God gave me, and for them I am thankful! This article is best read with the understanding that "it" all could come to an end at any moment, thus making this whole shebang moot.&lt;br /&gt;&lt;br /&gt;Also, understand that I'm not taking a stand on issues herein, such as gays in the ministry.  I'm merely using them to make my point.&lt;br /&gt;&lt;br /&gt;There are many debates within Christianity today.  Some of them are things that ancient Christians probably couldn't even imagine.  
From questions about the ministry (the role of &lt;a href="http://www.religioustolerance.org/femclrg13.htm"&gt;women&lt;/a&gt; and &lt;a href="http://www.washtimes.com/national/20040505-122430-5142r.htm"&gt;professed, practicing homosexuals&lt;/a&gt;) to the science of a flat earth and a &lt;a href="http://csep10.phys.utk.edu/astr161/lect/retrograde/copernican.html"&gt;heliocentric solar system.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;p class="MsoNormal"&gt;My question for you is this: what sociological and scientific changes are likely to occur which will impact Christianity?&lt;span style=""&gt;  &lt;/span&gt;Furthermore, are some of these so drastic as to call into question the need for Christianity?&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Sound drastic?&lt;span style=""&gt;  &lt;/span&gt;Try telling a first-century Christian that the Earth (the home of God's chosen people) is not the center of the universe, nor the galaxy, nor even the solar system.&lt;span style=""&gt;  &lt;/span&gt;That might shake their faith, after all wouldn't God put us at the center of all things?&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Where is the future leading to?&lt;span style=""&gt;  &lt;/span&gt;Stay with me, this is going to get &lt;a href="http://franklarosa.com/vinyl/BigImg/polka.jpg"&gt;weird.&lt;/a&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Let's start with &lt;a href="http://www.humancloning.org/"&gt;human cloning&lt;/a&gt;.&lt;span style=""&gt;  &lt;/span&gt;We can fight it all we want, but eventually it's going to happen.&lt;span style=""&gt;  &lt;/span&gt;Not every country is against this technology.&lt;span style=""&gt;  &lt;/span&gt;My question is: what is the status of the soul of these people?&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Easy enough.&lt;span style=""&gt;  &lt;/span&gt;They have been awarded a soul by God.&lt;span style=""&gt;  
&lt;/span&gt;Cha-ching.&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Now, how about completely synthetic humans?&lt;span style=""&gt;  &lt;/span&gt;I'm not talking androids, rather I'm talking lab created humans, built from DNA lying around the lab with no fertilization happening, with DNA pulled from multiple sources.&lt;span style=""&gt;  &lt;/span&gt;Simply taking the DNA code and building a human.&lt;span style=""&gt;  &lt;/span&gt;Completely feasible (someday).&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Let's get crazy.&lt;span style=""&gt;  &lt;/span&gt;Looking far into the future, how about a genetically engineered half-human, half creature (say a bear) by an unethical regime for the purpose of creating a race of super laborers?&lt;span style=""&gt;  &lt;/span&gt;Do they have souls?&lt;span style=""&gt;  &lt;/span&gt;Does the grace of God extend to them?&lt;span style=""&gt;  &lt;/span&gt;What about a 1/4 human?&lt;span style=""&gt;  &lt;/span&gt;1/8 human?&lt;span style=""&gt;  &lt;/span&gt;Where will God draw the line?&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;Along the lines of grace, how about aliens?&lt;span style=""&gt;  &lt;/span&gt;It's not unrealistic to think that we may discover intelligent life (I'm not betting on it, but this fits in with my premise here).&lt;span style=""&gt;  &lt;/span&gt;If they look like us, great!&lt;span style=""&gt;  &lt;/span&gt;No problem.&lt;span style=""&gt;  &lt;/span&gt;Buuuuut, what if they don't?&lt;span style=""&gt;  &lt;/span&gt;If we were created in God's image, how do we reconcile intelligent bug-eyed grasshopper aliens with God's image?&lt;span style=""&gt;  &lt;/span&gt;Do we deny them salvation (as the Jews tried to deny it to the gentiles before Paul came around), or must we revisit scripture to justify the fact that our new alien friends are not hell bound?  
What will ol' bug-eyes say when they find out their saviour was a soft, squishy human, and not a strong exoskeleton-possessed beetle with extra limbs and no facial hair?  &lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;What about reanimating deceased people?&lt;span style=""&gt;  &lt;/span&gt;Future science may well be up to the task of taking dear-old-grandma's corpse and literally rebuilding her.&lt;span style=""&gt;  &lt;/span&gt;Is this the same person or a different one?&lt;span style=""&gt;  &lt;/span&gt;If it's different, is she saved if the "old" one was, or must the new one become baptized in the Holy Spirit?&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;We (as Christians) cannot even agree on the simplest of items, such as the benefit (and scriptural support) for women in the ministry, or the need to dunk people during baptism.&lt;span style=""&gt;  &lt;/span&gt;Heck, we can't even agree on things where the scriptures aren't so &lt;a href="http://www.cbsnews.com/stories/2004/03/15/national/main606202.shtml"&gt;vague!&lt;/a&gt;  How will future Christians handle what's coming to them?&lt;span style=""&gt; &lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;I don't know, but I have faith that it will work out just fine&lt;span style=""&gt;  &lt;/span&gt;:-)&lt;o:p&gt;&lt;/o:p&gt;&lt;/p&gt;    &lt;p class="MsoNormal"&gt;-Brian&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-2031975985982531363?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/2031975985982531363/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=2031975985982531363' title='2 Comments'/><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2031975985982531363'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2031975985982531363'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2006/12/future-of-christianity-i.html' title='The Future of Christianity I'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-3654124859764189196</id><published>2006-12-12T08:43:00.000-07:00</published><updated>2006-12-12T21:12:09.352-07:00</updated><title type='text'>Religion and Politics I: Making Statements</title><content type='html'>(Caveat:  This article was written with the understanding that the "swearing on the Bible" is more of a tradition than anything else.  The actual swearing in is apparently done on the floor of Congress)&lt;br /&gt;&lt;br /&gt;Keith Ellison, a Muslim from Minnesota elected to Congress, is making waves because he has chosen to be &lt;a href="http://www.chicagotribune.com/news/columnists/chi-0612110209dec11,1,7539989.column?coll=chi-news-col"&gt;sworn in&lt;/a&gt; with his hand on a Quran, not a Bible.  
&lt;a href="http://www.chicagotribune.com/news/columnists/chi-0612110209dec11,1,7539989.column?coll=chi-news-col"&gt;This article&lt;/a&gt; does quite a good job of covering the issue, as well as lambasting Dennis Prager, a conservative columnist and radio personality, for taking issue with this fact.&lt;br /&gt;&lt;br /&gt;Both men make good points (really, read the article for Clarence's view, which summarizes some of Dennis' points) but I'm not here to talk about it from a constitutional standpoint, nor from a politically correct tolerance perspective.&lt;br /&gt;&lt;br /&gt;One of my pet peeves is "making a point" at the expense of others.&lt;br /&gt;&lt;br /&gt;Bear with me for a moment and an example or two.&lt;br /&gt;&lt;br /&gt;I must admit that if I were elected (as a Christian) in a Muslim world, and I was asked to put my hand on the Quran to be sworn in, I would give a resounding "no".  The Quran holds no meaning for me (well, no *positive* meaning, anyway).&lt;br /&gt;&lt;br /&gt;So how can I be intolerant of Keith Ellison's choice without being a hypocrite?&lt;br /&gt;&lt;br /&gt;Let's flip around my comment, and pose it as a question to Muslims: &lt;a href="http://answering-islam.org/Quran/Bible/index.html"&gt;What does the Bible mean to you?&lt;/a&gt;  I think many Christians (and, unfortunately some Muslims!) may be surprised at the answer.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://answering-islam.org/Quran/Bible/index.html"&gt;What does the Bible mean to the world of Islam?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For those who choose not to follow the link, it discusses the Quran's own oft-repeated view of the validity of God's word as brought to us in the Old and New Testaments.  There is some debate in the Muslim world on this, just as some Christians reject much of the Old Testament, or claim it no longer has any pertinence.&lt;br /&gt;&lt;br /&gt;Now, I shall pose a new hypothetical situation.  
I (a Christian) am elected to a position in a Jewish nation where I am required to be sworn in with my hand on a Torah.  What would I do?&lt;br /&gt;&lt;br /&gt;What would Jesus do?  (Sorry, I couldn't resist...hmm that's actually a &lt;span style="font-weight: bold;"&gt;very good&lt;/span&gt; question!)&lt;br /&gt;&lt;br /&gt;I would have no qualms about swearing in on a Torah, as it is considered Scripture to me and a part of my history as a Christian.  Now, I *may* choose to swear in on a Bible, but that would serve no purpose other than to make a point.  My hypothetical point?  In this example,   I guess it would be that I'm a Christian in a Jewish nation representing Christians.&lt;br /&gt;&lt;br /&gt;So now to bring it home, according to my logic derived from the link above and my reasoning, it would seem that Keith is a Muslim who is interested in representing Muslims, not Christian Americans.  Therefore, he has turned his back on much of his constituency (dare I say a majority?).  
Keith could use the same logic I did to justify his swearing on a Bible as I used for swearing on a Torah, but he chose to make his point, instead...&lt;br /&gt;&lt;br /&gt;...and I think we got his point.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-3654124859764189196?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/3654124859764189196/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=3654124859764189196' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/3654124859764189196'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/3654124859764189196'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2006/12/religion-and-politics-i-making.html' title='Religion and Politics I: Making Statements'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-2371777929007377370</id><published>2006-12-08T23:11:00.000-07:00</published><updated>2006-12-09T19:18:39.238-07:00</updated><title type='text'>Quick note on Saddam and Iraq</title><content type='html'>So, popular opinion is now going against the War in Iraq.  
Even those in favor are wishing it had come out differently.&lt;br /&gt;&lt;br /&gt;I've got a quick story/question for you: A known armed robber is lurking outside a 7-11 with a hood on and his hands in his pockets.  A policeman pulls up and asks to see his hands.  The robber refuses, but says he doesn't have a gun.  How many times is the robber allowed to &lt;a href="http://www.cbsnews.com/elements/2002/09/10/world/timeline521395_0_content.shtml"&gt;deny the officer's&lt;/a&gt; request before the officer takes more &lt;a href="http://www.cbsnews.com/elements/2002/09/10/world/timeline521395_0_content.shtml"&gt;drastic measures&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;Somehow everyone seemed to forget that Saddam was acting guilty.  I'm surprised that in the years since the War in Iraq started this simple fact has not been brought up by the proponents to defend their actions.  I'm not a warmonger by any stretch, but after Saddam turned back the U.N. inspectors so many times and we finally invaded, I think most reasonable Americans were wondering "what took so long?"&lt;br /&gt;&lt;br /&gt;Yeah, maybe it didn't work out the way it was supposed to, but if one has a history of crime and is acting like a crook, it's time to stop talking, and find a set of &lt;a href="http://www.christianiraq.com/photos/0511/voa/voa1105.jpg"&gt;handcuffs&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Now as to whether or not that was &lt;span style="font-weight: bold;"&gt;our&lt;/span&gt; job or not...that's a worthy debate.  To those who say it's a war about oil, I think if it were we would have acted far sooner.  
We had the excuses at the ready.&lt;br /&gt;&lt;br /&gt;-Brian&lt;span style="font-weight: bold;"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-2371777929007377370?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/2371777929007377370/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=2371777929007377370' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2371777929007377370'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2371777929007377370'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2006/12/quick-note-on-saddam-and-iraq.html' title='Quick note on Saddam and Iraq'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-2005050200646932465</id><published>2006-12-08T22:37:00.000-07:00</published><updated>2006-12-08T23:10:35.044-07:00</updated><title type='text'>Terrorists Amongst Us</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://news.bbc.co.uk/olmedia/1725000/images/_1729022_richardreid150ap.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 152px; height: 190px;" src="http://news.bbc.co.uk/olmedia/1725000/images/_1729022_richardreid150ap.jpg" alt="" border="0" 
/&gt;&lt;/a&gt;&lt;br /&gt;No sooner did I post my  "&lt;a href="http://godandsecurity.blogspot.com/2006/12/airport-security-part-i-security-lines.html"&gt;Airport Security Part I&lt;/a&gt;" comment when I saw in the news a foiled terrorist attack on a mall in Illinois.  I am not surprised that "they" (being "us")  caught an individual without any direct ties to a known terrorist group.  Is he any different than the abortion-clinic bombers of the Christian right?  He doesn't need a "group" to tell him what needs to be done, he simply plans and carries it out himself.&lt;br /&gt;&lt;br /&gt;We will be seeing many more of these.  Some will truly be operating alone, and others will be more like Dick Reid (the "Shoe Bomber") who had some help, but are more of a small, expendable operation.&lt;br /&gt;&lt;br /&gt;Now here's where we get to the kicker.  My intent was to say that the biggest difference between the Christian who bombs an abortion clinic and the Muslim who crashes a plane is that the Christian community condemns the Christian, while the Muslim community praises the Muslim.&lt;br /&gt;&lt;br /&gt;I felt confident saying this because we have heard so little (e.g. nothing) from the Muslim community expressing outrage over the events.  Rather, we see Muslims cheering on CNN.&lt;br /&gt;&lt;br /&gt;Then *gasp* I did an Altavista search (Oh, Altavista, why doth thou sucketh so much since being purchased by Yahoo?) and to my surprise, the Muslim community not only reacted with outrage over the tragedy of 9/11, but they did so&lt;a href="http://groups.colgate.edu/aarislam/response.htm#Expressions%20of%20grief%20and%20sympathy%20in%20the%20Arab%20and%20Muslim%20world:"&gt; immediately!&lt;/a&gt; Funny how this never made any of the news shows I was watching.  
I think had this actually made American news channels, popular opinion may have helped dictate a different series of events...Look for my next post on Saddam Hussein.&lt;br /&gt;&lt;br /&gt;As a security expert, I see too many holes that are there of necessity because of the society we have created for ourselves.  We will never cover them all, and to get that last 10% of coverage (see, I made another number up)  for the airports will cost a disproportionately large sum of cash; a sum that would be better spent getting other "holes" covered 90%, *especially* since we cannot, with our society, get to the kind of security people want, but without the &lt;a href="http://en.wikipedia.org/wiki/EL_AL"&gt;inconvenience&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The *only* security you will ever have is to make sure that when it's your time to go to the ticket counter in the sky, you're &lt;a href="http://www.umc.org/"&gt;covered&lt;/a&gt;.  Bring a friend.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-2005050200646932465?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/2005050200646932465/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=2005050200646932465' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2005050200646932465'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2005050200646932465'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2006/12/terrorists-amongst-us.html' title='Terrorists Amongst 
Us'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-2882926411481047659</id><published>2006-12-07T20:52:00.000-07:00</published><updated>2006-12-12T21:20:10.891-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='terrorist'/><category scheme='http://www.blogger.com/atom/ns#' term='god'/><category scheme='http://www.blogger.com/atom/ns#' term='airline'/><category scheme='http://www.blogger.com/atom/ns#' term='Allah'/><category scheme='http://www.blogger.com/atom/ns#' term='jesus'/><category scheme='http://www.blogger.com/atom/ns#' term='airport'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='9/11'/><title type='text'>Airport Security Part I: Security Lines</title><content type='html'>Airport security is much maligned in this country.  Everyone from the joe standing in the security line wondering why he must throw away his water bottle and take off his shoes to the well respected security professional who has written tomes on everything from cryptography to hacking has besmirched the process.&lt;br /&gt;&lt;br /&gt;I must confess that I found myself in this crowd more often than not.  
As I stood in line &lt;a href="http://www.dictionary.net/sans"&gt;sans&lt;/a&gt; shoes and liquids I'd glance around at the facility about me and identify a few ways a do-badder could beat the system depending on their funding, patience and goals.&lt;br /&gt;&lt;br /&gt;Inevitably, I would mentally get whatever items I needed through the screening process with a fair enough likelihood of success that I felt quite comfortable joining the throngs of critics.&lt;br /&gt;&lt;br /&gt;Then, one day while I was on the road I had an epiphany: "Some of the best minds (don't laugh) have come up with this system.  What am I missing?"  Therein lay the key question.&lt;br /&gt;&lt;br /&gt;I had been mentally compromising airport security from the mindset of a terrorist who was willing to throw their life away for their cause.  This is the wrong approach.  Being willing to throw one's life away for Jihad is *very* different from being willing to get caught and rot in our legal system for the rest of your productive life.  There is no glory in jail, only in death.&lt;br /&gt;&lt;br /&gt;So now, what I had considered plots with a reasonable success rate (say, 3 out of 4 times) now suddenly became very risky.    Even plots that I estimate would have a 90+ percent success rate don't seem worth the risk of me (the fictional terrorist) rotting in jail and not being able to bring Allah's righteousness down upon the infidels (that, apparently, is the rest of you).  Allah wants me on earth being productive, or dead through Jihad, not tossing someone's salad in prison (if you don't understand it, don't &lt;a href="http://www.urbandictionary.com/define.php?term=tossing+salad"&gt;look it up&lt;/a&gt;.  Seriously).&lt;br /&gt;&lt;br /&gt;This changes the security game.  
While security is (unfortunately) 90% reactive and 10% proactive (I made those numbers up) airport security screening as it is defined today (and as it is implemented in larger airports) is a necessary and effective step towards securing our airports.     We don't need to eliminate threats, we just need to make them risky enough so that a terrorist isn't willing to risk their chance at death through jihad through the air carriers.  In this case, "risky enough" could simply mean the possibility of catching them 1 in 10 times.&lt;br /&gt;&lt;br /&gt;I believe we have accomplished this.  So much so, in fact, that we have virtually guaranteed that the next attack will come through a different venue.  The *only* reason they may continue to risk a shot at the airlines is because of the "bang for the buck" (pardon the tasteless pun) with regards to the impact it had on our economy.&lt;br /&gt;&lt;br /&gt;I have faith, however, that the same minds that came up with our security (knowing every little detail about it and the odds of circumvention) are pondering that next possible attack.&lt;br /&gt;&lt;br /&gt;And dare I say they have probably already foiled it.&lt;br /&gt;&lt;br /&gt;P.S.  Yes, there are still tragedies happening around the world related to this, such as the Tube and bus bombs in England.  
I am fully aware of these, but they only strengthen my belief in the sufficiency (for the cost) of our airport security systems.&lt;br /&gt;&lt;br /&gt;Now, my mental attacks are focussed elsewhere...for the most part.&lt;br /&gt;&lt;br /&gt;-Brian&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-2882926411481047659?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/2882926411481047659/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=2882926411481047659' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2882926411481047659'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/2882926411481047659'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2006/12/airport-security-part-i-security-lines.html' title='Airport Security Part I: Security Lines'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-5471298593577534760.post-1966868588280807811</id><published>2006-12-07T18:21:00.000-07:00</published><updated>2006-12-07T18:35:43.788-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='god'/><category scheme='http://www.blogger.com/atom/ns#' term='jesus'/><category scheme='http://www.blogger.com/atom/ns#' term='IT'/><category scheme='http://www.blogger.com/atom/ns#' term='information 
technology'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='christ'/><category scheme='http://www.blogger.com/atom/ns#' term='genius'/><title type='text'>Introduction</title><content type='html'>At one time I thought that I was some weird anomaly, an intelligent person in information technology who was also a devout Christian.   In 2005 and 2006 I had the opportunity to visit many companies and get to know the people heading up IT security at some of America's largest and most influential enterprises, and I discovered that many of these security departments were headed by active Christians.  Not just "yeah, I believe in God and Jesus seemed kinda cool" Christians, but people who (in their non-existent spare time) are pastors and assistant pastors, youth leaders and praise band members.&lt;br /&gt;&lt;br /&gt;It's funny, but as much as these "hard core" Christians seem to get slammed in public, when it comes down to Corporate America (or even Governing America) needing to find someone with integrity to head up Information Security, they frequently find themselves choosing men and women of God.&lt;br /&gt;&lt;br /&gt;This blog (nay, ramble!) is where I can bring together (when appropriate) my two passions of Security and the Lord.  
Often, they won't intersect, save to color my perceptions, but I anticipate most of my posts to be either God or Security, but rarely both.&lt;br /&gt;&lt;br /&gt;-Brian&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5471298593577534760-1966868588280807811?l=godandsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://godandsecurity.blogspot.com/feeds/1966868588280807811/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=5471298593577534760&amp;postID=1966868588280807811' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1966868588280807811'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5471298593577534760/posts/default/1966868588280807811'/><link rel='alternate' type='text/html' href='http://godandsecurity.blogspot.com/2006/12/introduction.html' title='Introduction'/><author><name>Fernandopoo</name><uri>http://www.blogger.com/profile/02886659828369478371</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://www.theclipgame.com/Me.jpg'/></author><thr:total>1</thr:total></entry></feed>
