Archive for the ‘Me and My Big Ideas’ Category
Pittsburgh area loses another law enforcement officer
http://www.postgazette.com/pg/11286/1181855-100.stm
This is becoming a disturbing trend in Pittsburgh. My thoughts today are with the family, friends and fellow officers of Derek Kotecki.
My dad had a variant of this poem framed when I was growing up. I always found it very moving and it is appropriate for today.
A police officer stood at the pearly gate,
His face was scarred and old.
He stood before the man of fate
For admission to the fold.
“What have you done” St Peter asked,
“To gain admission here?”
‘I’ve been a police officer sir,’ he said,
‘For many and many a year.’
The pearly gates swung open wide
As Peter touched the bell.
‘Inside,’ he said, ‘and choose your harp.
You’ve had your share of hell.’
Teaching a hairless monkey to solder

In this case, I’m the hairless monkey and the teacher was Matthew Beckler and Andy Leer of HackPittsburgh. Matt is one half of Wayne and Layne which is a company that produces open source hardware kits. Andy Leer, on the other hand, is 100% of Andy Leer.
When I signed up for the class I wasn’t sure what to expect. My experience with a soldering iron was limited to ruining my Dad’s iron by repeatedly melting my little green army men and filling the basement with the toxic black smoke of molten plastic.
Luckily, in the able hands of Matt and Andy, I was able to turn my toy soldier torturing abilities into a useful skill. The entire class assembled and soldered the Tactile Metronome kit from Wayne and Layne. I left the class with a functioning “Syncopation machine.” Both Matt and Andy spent enough time circling the class and making sure that everyone was on the right track, and even took the time necessary with each individual if they needed a little one-on-one attention.
I left the hackerspace with a big smile on my face and a new toy in my hand. If you are looking for a good beginner’s soldering kit, I can’t recommend the Tactile Metronome enough. The kit was easy enough for a newb like myself, but also a complete enough project that I felt like I was leaving with a finished product.
Special thanks to Matt and Andy for being such patient and able teachers.
If you are a newbie solderer or even if you’ve never touched a soldering iron before — I’m confident that a beginner’s soldering class at Hack Pittsburgh can get you melting tin in no time.

Narcissistic Vulnerability Pimp
I have always held Verizon’s Business Security division in rather high regard, primarily because over the last several years I’ve found their Data Breach Investigations Report a useful and very telling document. I’m often in the situation in my career of explaining the “real” threat that X poses. This document has always provided something for me to point at and say, here is why you, Mr. BusinessMan, need to care about securing your enterprise. Having Verizon’s name tied to it gave it some additional weight.
However, this morning I read the article entitled “Redefining Security Researcher” by Wade Baker. In this blog posting the author suggests that the InfoSec community suffers from the “ridiculous yet long-standing inability to distinguish the good guys from the bad guys”. I have several issues with Wade’s terminology and his logic.
First, as Wade suggests, the headlines do often read “Security Researcher Breaks This” and “Security Researcher Exposes That”. However, the author of the article or his/her editor picks that headline, not the “Security Researcher”. Just like the television reporter gets to decide if the term “World’s Number One Hacker” appears underneath Gregory D. Evans when he mugs for CNN. We in the industry have only limited influence over the terminology used. A perfect example of this is the death of the term “cracker” and the changing of the word “hacker” to be synonymous with criminal.
Also, let’s not forget that even the Narcissistic Vulnerability Pimp is doing research. It’s not like they have some secret vulnerability hole where they can pull vulnerabilities from. While you might object to their methods of disclosure, that doesn’t mean that their efforts are due anything less than being called a “Security Researcher”. They are in fact researching security issues.
Finally, as Wade points out in his later comments on the post, several analogies do fall flat when used to further explain disclosure. Admittedly no analogy is destined to be a perfect fit; however, I do feel that I’ve found an analogy that works well enough – bullet-proof vests. Imagine someone discovered that a certain brand of 9mm ammunition could easily pierce a standard bullet-proof vest. They contact the manufacturer and inform them that the vest fails to stop this particular brand of bullet. The manufacturer says “we don’t believe that to be a real issue”. How should this be handled? Hundreds, perhaps thousands, of vests with this vulnerability are deployed in military, police, and civilian circles. If the bad guys get wind of this, you can be sure this brand of bullet will become the round of choice. I think the only responsible thing to do is go public with this information. This allows each person to make an educated decision when they put on a vest – like wearing some additional layer of protection. Hopefully the public outrage will force the vendor to look into the problem and fix the issue.
Vulnerability disclosure is a touchy subject, and it will always be a balancing act between being responsible and doing what is best to protect the consumer: allowing the consumer to make an educated decision about which software provides the level of security and functionality necessary to get the job done.
Mr. Deity Episode 4: Mr. Deity and the Messages
These are too damn funny. No idea why I’m just discovering these guys now…
My lil’ peanut
Here he/she is — the first public viewing of our new little peanut. I think he/she has my eyes.

Building my security lab
So I’ve been slowly (that is, VERY slowly) re-arranging my office to make some additional room for some additional computers. My goal is to create a security lab that will allow me, in my spare time, to work on my web assessment/penetration skills. My intention was to utilize either VMware or Sun’s VirtualBox to give me some additional flexibility and hopefully keep my electric bill somewhere below the GDP of Micronesia (which, in case you are wondering, is about 232 million USD). Well, while poking around today, I found this great article that covers virtual appliances, with a specific focus on those that would be of interest to the security professional. Now many of these would have nothing to do with my web application penetration testing, but they are still some pretty neat appliances. It’s worth a read:
Virtual appliances for the security professional
Why do you believe in god?
Wait, you want me to believe the National Organization for Marriage is just a bunch of bigots?
Okay, when you put it that way, I guess they just might be. Great job Redditors!
http://blog.reddit.com/2009/04/redditors-receive-homo-heros-honor-for.html
What Would Jesus NOT Do?
I want a debaptism certificate
I knew I missed something when I was in the UK. I missed an opportunity to purchase a Certificate of Debaptism from the National Secular Society.