August 2009 Archives

Next SunSec - Tuesday Sept 1st!

SunSec is coming back to life! The next SunSec will commence following the next OWASP Phoenix Chapter meeting, which is this coming Tuesday, September 1st! Details:

OWASP Phoenix

3600 E University Dr # A1400
Phoenix, AZ 85034

Immediately following OWASP (7:45pm - ???)

Casey Moore's Oyster House
850 S Ash Ave
Tempe, AZ 85281-5624
(480) 968-9935

Who? Farhad is a writer for

Why? Because he's apparently a total moron.

Uh, why is that? Well, he had a piece published today, "Unchain the Office Computers! Why corporate IT should let us browse any way we want." that is so ill-conceived and imbecilic that nobody can actually believe this guy is a paid author for a major online publication.

What's the problem? There are several problems, but the most obvious one is that he's clearly unqualified for the topic. He apparently thinks end-users should have full unfettered access to run anything they want on their work computers, and to be able to go anywhere they want on the Internet. He clearly does not have the first clue about IT management and his article is a blatant insult not only to IT professionals, but security professionals.

Rather than rant a lot, check out these responses in the comments:
"Clueless Idiots Shouldn't Write IT Articles."
"You clearly have zero IT experience"

w00t - Snow Leopard is out! :)

Unless you've been offline for a while or are a Windows user, you've probably heard that Mac OS X version 10.6 Snow Leopard is out as of today. How exciting!!! I'm going to go order my copy right now. If you're running OS X, you should probably do the same. Woohoo!!! :)


My Jiu-Jitsu is Frustrating Me


I'm extremely ticked off tonight, partly at myself, partly at my school, and just overall in general. I've been training in Gracie Jiu-Jitsu (Brazilian JJ, generically) since October 2008 - so, less than a year, not a whole long time. I'm a white belt. Some day I would like to earn a belt of color, but for now I'm the level I should be.

So why am I upset? Well, a few reasons. First, I got hurt tonight, doing a move the wrong way, but because I didn't know any better. Second, I'm tired of guys from other martial arts coming in and not training or playing "nicely." Third, I don't feel like I'm progressing at all after a night like tonight, which makes me question why I bother. And, fourth, as per usual, I just can't keep my mouth shut sometimes and it just embarrasses the heck out of me.

Request FISMA Data Transparency

Per @rybolov: "...earlier this year, the Government started a website called ... However, it’s missing something very relevant to my interests: information security management data."

You can help out by going to and requesting that data. If you're willing to help, then read the rest of his post at the following link, complete with template language for the request.

If attending Defcon and meeting some of the hacker crews taught me anything this year, it's that we've pretty much already lost the war and are just squabbling in petty battles. That we continue to think and talk like there is a winnable case just delays the inevitable. It's not if your organization will be compromised, it's when. If you don't understand and accept this argument, then you're just setting yourself up for a lot of unnecessary pain and suffering.

As cynical as these comments may seem, the simple fact is that the security industry is not right. For that matter, business isn't all that right, either. Whether it be obsession with signature-based tools, or shoddy accounting practices, a fallacious belief that compliance equals security, or simply deluding yourself into not thinking you'd be a target, the outcome is always the same: exposure leads to compromise leads to loss. Yet why be bound by this outmoded way of thinking? Why simply accept that things are broken?

Tokenization: Someone Else Gets It

Apparently I'm not in fact insane, but do in fact know a little something about things that don't make much sense. One of those things is the mythical tokenization that has been heralded in marketing hype as the next greatest hope for compliance (see my previous posts on tokenization here and here). Tokenization is, at best, a kludge to fill the gap until proper controls can be implemented. While it has marginal utility in larger organizations that need to support legacy billing platforms, that utility should diminish with time.

Bugger me, I'm still exhausted from 6 days in Vegas. :) It doesn't help that I caught some sort of ugly nasty cold bug there (along with 100s of my closest friends it seems). Normally I'd call it a good exhaustion, and generally this is true, but being sick (not just "confluenza" as Niki7a termed it) certainly has taken some of the wind out of my sails.

Overall, for my first trip to BH/DC/etc, I was actually pleasantly surprised, despite thinking that my worst fears had been realized about half-way through things. In general, I hope that I didn't make too complete a fool of myself (I certainly did act foolish at times). This event certainly was positive enough to warrant adding it to my ever-increasing list of "must attend" events.

Quick Note...

Just an FYI, I am in fact back from Las Vegas and the Black Hat, Security B-Sides, and Defcon events. I'm also exhausted and sick (yay!) as well as swamped beyond belief. So, yes, I plan to post a recap piece on my experiences as soon as I can get my brain onto the task. And then I'll get back to more normal topics, like how to assess the risk of belly lint accumulation (haha). Until then, go read the following interview piece by Raf and panic about the end of the infosec world as we know it... :)

300th Post - 31337 Spotlight: "Anonymous"

Grad student Asad Imam at Newcastle Univ. is conducting a survey on cloud security, and he needs your help. Please go to the following surveymonkey and help him out - it won't take you very long at all.

For background on his research, see his case study "Cloud Computing: Prospects and Challenges" available here:

About this Archive

This page is an archive of entries from August 2009 listed from newest to oldest.

July 2009 is the previous archive.

September 2009 is the next archive.

Find recent content on the main index or look in the archives to find all content.

Powered by Movable Type 6.3.7