May 2007
109 posts
Alex Hutton: Glen LaFortune! Get on AIM! (via Twitter / Alex Hutton)
Dayton Ohio Hackfest - Day-Con 2007!
My friend Brian Fite lets us know that Day-Con 2007 is going to be October 12-13th.
The Day-Con Website is here.
October 13th
-1 Day Hacking/Security Conference
-In Dayton Ohio at The Crowne Plaza Downtown
-Limited Number of Attendees (not to exceed 250)
-POOH Sessions (Point Of Origin Hacking)
-Tools, 0-days, and never before seen contracted presentations (no call for papers)
-PacketWars...
Alex Hutton: No rational reasons, but he remains a Windows bigot (via Twitter / Alex Hutton)
Alex Hutton: Jack is finally using Monte Carlo for Loss Magnitude Estimation! (via Twitter / Alex Hutton)
Alex Hutton: Apparently, it boils down to the fact that he worked supporting an “art” network, and hates artist arrogance, and now those people are mac u (via Twitter / Alex Hutton)
Alex Hutton: never mind he’s got 3 InfoSec Pros with Macbooks in a room (via Twitter / Alex Hutton)
Alex Hutton: only 10 minutes late, that’s good (via Twitter / Alex Hutton)
Alex Hutton: oh well (via Twitter / Alex Hutton)
Alex Hutton: Trying to make a Mac convert (via Twitter / Alex Hutton)
Hype Machine
Sometimes, I read the ole’ RSS and have to literally walk away from the computer. Because I’m such a nice, caring guy I thought I’d share with you.
STEALTH MALWARE!!!
The first one is from Gartner, found at “The Captain’s Blog”, the weblog of Shavlik CEO Mark Shavlik. The hype is not his fault; this is what Gartner told him:
By the end of 2007, 75 percent of enterprises will be infected with...
Alex Hutton: Now I’m at Mill Run Panera Bread (via Twitter / Alex Hutton)
Virtual Ubiquity - Buzzword →
Online/Offline (Apollo) Word Processor. Tell me this doesn’t look like it rocks the mic
Lost Laptop/Smartphone Data
Via Microsoft’s Steve Lamb and the BBC:
4,073 laptops, 5,838 PDAs and 63,135 mobile phones were left in London taxi seats in a recent six month period according to a survey by the Licensed Taxi Drivers Association - according to the BBC that works out at three devices per cab on average.
So now all we need to find out is how many passengers with laptops, PDAs and/or mobile phones used a taxi in...
How Microsoft, People Like Chris Hoff and Security...
Chris Hoff, a friend of ours, apparently had a really slick demo of Vista last week and a heavy encounter with our compatriots at the Jericho Forum. He’s written an interesting if not excellent article on the death of network security.
He, like myself and many others, sees a gradual move back to a centralized host-based computing architecture. Not as rapidly as Sun Microsystems circa 1999...
How Can You Expect To Be, Taken, Seriously? →
Pet Shop Boys criticise Live Earth
In Memoriam
(via RiskAnalys.is)
Alex Hutton: I’ve installed Tracks for GTD (iGTD has just gotten too, ah, bloaty) and now I’m trying to find some “themes” for my installation (via Twitter / Alex Hutton)
Alex Hutton: Trying to figure out how to customize the CSS of my new Tracks installation (via Twitter / Alex Hutton)
Alex Hutton: Locomotive for OS X rocks (via Twitter / Alex Hutton)
Alex Hutton: installing tracks! http://tinyurl.com/28o78h (via Twitter / Alex Hutton)
Alex Hutton: woot! (via Twitter / Alex Hutton)
Risk Has Got To Have Probability Based on...
Hi there! Happy Friday.
I’m under the weather today, but thought I’d point some things out real quick.
Shrdlu at Layer8 talks about probability of action and motivation of attackers. It’s great to see probability of action and frequency of action being considered in risk analysis. Her blog post got me to thinking about something else I saw in my RSS Feeder.
There are some really cool...
Erlang The Movie - It’s Crescent Fresh!
There’s lots to talk about, but I’m just getting smashed by work and more work. You’d know about it on my personal blog (http://www.alexhutton.com) but Twitter via Jabber IM has been down for a while.
So here’s a totally Crescent Fresh link sent to me from Aaron Bedra (http://www.aaronbedra.com/)
It’s Erlang The Movie!
(via RiskAnalys.is)
Still An Idea I Wouldn’t (dot)Bank On…
Mikko has responded to the criticism leveled at his idea to make financial institutions pay $50,000 per for a .bank domain name. On this very weblog, I raised an issue with his proposal that he addresses in that response. Now if you recall, I wasn’t necessarily against the idea of a .whatever domain, but thought that the hefty price tag was unnecessary. Banks tend to be regulated, so there must...
Pragmatic Posting
So much catching up to do. I’ve been out of band the past few days due to the Mother Of All Ohio Security Events. I had a good time, meeting new folks and catching up with other friends - it’s just too bad that some of the better content was cut short, and some of the duller content was too long. But more on that later.
One of the best parts of the whole thing, for me, was the ISSA bringing in...
Alex Hutton: Went to Security MBA, Then Little League, Now Reviewing Cobit 4.1 (via Twitter / Alex Hutton)
Alex Hutton: The Panera Bread in Bexley has no outlets! (via Twitter / Alex Hutton)
Alex Hutton: done now, longing for the beach and wondering if Mingle will help our dev team (if they’re even interested) (via Twitter / Alex Hutton)
Thoughts on Ruby/Rails and Maturity
(This is a non-risk/security post)
First, let me announce that we’ve yet again moved beta/demo servers. I know, this is not particularly pleasant, but we weren’t sure if the first installation was a hardware issue or not (it’s not - configuration change on our host’s side). If you can’t get on using your old username and password, let me know. I’m very sorry for the inconvenience, and...
Some Quick Stuff
First, interesting quote from Overcoming Bias:
Harry Truman famously longed for a “one-handed economist,” who would not say “on one hand, on the other hand.” … When economists choose between communicating (a) nothing, or (b) simplified but roughly accurate conclusions, they seem strangely to prefer (a).
Your task today? Replace “economist” with “risk analyst” - I’ll bet your business is...
Why Metrics Will Fail
Today’s Dilbert inspired me to put some thoughts down concerning Metrics. You have to ask yourself - how does Adams still keep content fresh? It’s genius.
On To Metrics
There’s quite a move towards “metrics” these days. Of course, back in my day, we didn’t have such newfangled things like “measurement” and “statistics”; it was all me and Jed out back by the server room with nmap and grep,...
Alex Hutton: developing a statement of work (via Twitter / Alex Hutton)
Alex Hutton: brochures are fun (in pages) (via Twitter / Alex Hutton)
Alex Hutton: I think I just lost an hour of work, thanks Intertubes! (via Twitter / Alex Hutton)
Vulnerability Centrism
We talked yesterday a little about Marcus Ranum’s podcast (which I think he really should have named “Ranum’s Rants” or something more quirky and fun). One of the other things that Marcus (MJR) talks about in his podcast is the current state of computer security, and some of the dumb ideas that are perpetuated by the industry. One of those ideas he believes is dumb is penetrate and patch. And...
Post Of The Week
It’s early, I know, but the InfoSec blogosphere will be hard pressed to match Dutcher’s latest.
Tags: compliance, information risk, information, risk, risk management, risk_management, information, security, information security, information_security, governance, compliance, enterprise_architecture (via RiskAnalys.is)
Alex Hutton: Wondering about growing them in New Zealand (via Twitter / Alex Hutton)
Alex Hutton: Wondering about the market for avocado in China (via Twitter / Alex Hutton)
Mother Of All Ohio Security Events This Week
Hey,
Just a reminder that Thursday Eve. and Friday will be a huge event for ISSA/Infraguard/ISACA in central Ohio.
Mike Rothman will be there, and some folks who are very cool will be on a CISO panel on Friday about metrics that should prove to be crescent fresh.
(via RiskAnalys.is)
Alex Hutton: about to have our weekly monday software development meeting (via Twitter / Alex Hutton)
Thoughts On Ranum Podcast & The “Laws of Security”
In case you didn’t notice last week, Marcus Ranum has a podcast. He plans on keeping these things going, and, given that it’s Marcus, these ought to be in the very least, entertaining (Layer8 mentions it here).
His first podcast has some great stuff in it. He advocates a scientific approach (regular readers know I tend […] (via RiskAnalys.is)
FIRE JOE MORGAN: New Entries in the Worst Headline... →
Even more really bad headlines.
Post Of The Week
Belongs to Layer8
In Celebration of Mother’s Day…
(via RiskAnalys.is)
Semi-Arbitrary Probabilities
Sometimes it’s all about the reputation of those that give us their opinion in probabilities. From The Guardian:
…former Federal Reserve chairman Alan Greenspan issued a fresh warning that the world’s largest economy could be headed into recession… “This was a bad set of data, and throws a further question mark over whether the US […] (via RiskAnalys.is)
Royals To Get A Taste Of Angels' Colon →
That headline is just not right.
Pirate Bay Hack, Or The Most Useless Hacked Info...
The Pirate Bay, the (in)famous torrent site, got hacked.
They stole usernames and passwords.
Now it’s my humble(ish) opinion that if you’re using a real name and password on that site - you deserve what’s coming to you.
Tags: compliance, information risk, information, risk, risk management, risk_management, information, security, information security, information_security, governance,...
Everything Counts (In Large Amounts)
Great News! For those of us who are into web application security (and you know who you are), we just got some “real” data!
Check out The Web Application Security Consortium’s Distributed Open Proxy Honeypots report. You’ll want to check out the .pdf towards the bottom of the screen, Web Security Threat Report, Volume 1: January […] (via RiskAnalys.is)
Needs vs. Requirements, Or The Subtle Semantics...
Rybolov has, in the past, accused me of being his biggest fan. Well, then:
Rah! Rah! Sis-Boom-Bah! Goooooooooo Rybolov!
Tags: compliance, information risk, information, risk, risk management, risk_management, information, security, information security, information_security, governance, compliance, enterprise_architecture (via RiskAnalys.is)
Alex Hutton: It looks like Yau-Man is in trouble, and I’m going to bed (via Twitter / Alex Hutton)
Alex Hutton: http://www.riskanalys.is might be blocked by China (via Twitter / Alex Hutton)