The blog has moved…

November 9, 2008

After much thought and consideration, I decided to move my blog from to my own domain.  The decision has nothing to do with the service provided by I have never had any problems with this blog while it has been hosted by

There are other things I want to do with the blog that will be easier if I have more control over the software and how it is setup.

So, it now lives here:

If you are subscribed to the RSS feed via, you shouldn’t need to do anything.  The changes I will make to the feed should be transparent to you.  If you are subscribed to the, you will either need to change to the feedburner feed or use instead.



Update: RSA Europe 2008 Blogger/SCC/SecurityTwits Meetup

October 13, 2008

Hello everyone.  RSA Europe 2008 is just around the corner!  Some of us have been talking about setting up a Security Blogger/Security Catalyst/SecurityTwits meetup and have settled on a date, time and location.  We will be getting together on Tuesday the 28th at 8:00 PM.  The Novotel London Excel bar is the location.  The hotel is part of the Excel conference center, so should be easy to track down, but just in case, here’s a map:

If you would like to join us or have a suggestion for a better location, please let me or Security4All know.  I can be contacted either by comments to this post or kriggins _at_ and Security4All can be contacted here.

Hope to see you there.

Update: I realized this morning that I was remiss in specifying who was paying for any food or drink you might have during this get together. Everybody will be responsible for their own tab for this event.

Update #2: Today’s the day! As indicated above, we will be in the Upper Deck Bar in the Novotel hotel.  We are going to do our best to carve out a corner to the right of the bar near the river.  Please see the About page to see a picture of me which may help you in picking out our group 🙂


What happens when there is no privacy anymore…

October 1, 2008

I am a huge fan of Masterpiece Theater’s productions.  Almost without exception, they are well written, directed and acted. The shows they produce are separated into three themes:

  1. Classic – Shows based on classic literature and/or set in historic contexts.
  2. Mystery! – Mystery based shows. These may be set in historic contexts or reflect current times.
  3. Contemporary – This is a new theme this year. These are dramas set in more contemporary times, although not necessarily current times.

Now I am sure you are asking yourself “what has this got to do with information security?” Well, the first program in the Masterpiece Contemporary schedule is called “The Last Enemy.” It starts airing October 5th, here in the United States on your local PBS station. It’s a fictional story set in London about a man who finds out just how much the government knows about him, and everyone else, as he delves into the life of his brother who recently passed away.

I am looking forward to this show in hopes that it will help people realize that we need to be very careful when we start hearing that we need to surrender more and more of our civil rights in order to ensure the “safety” of everyone. Don’t get me wrong, I am not saying there is a huge conspiracy to track each and every move we make.  However, we could end up there very easily if we are not careful and, as the saying goes:

“Absolute power corrupts absolutely.”
John Emerich Edward Dalberg Acton


It’s quicker, but don’t forget to fix it…

September 30, 2008

Good morning/afternoon/evening everybody.

Hope your day was/is/will be great! 🙂

Lori MacVittie over at DevCentral, who you should all read, wrote Which security strategy takes more time: configuration or coding? recently. It’s a good article with some very valid points, but it made me think of something else we need to be aware of when we make “time trade-off” choices.

I agree that WAFs, ACLs, black holing traffic, etc. are all good and effective methods of mitigating risk and protecting against known threats and in some cases unknown threats. For example, how often have you whipped up a solution to a problem and slapped it into place?  You know it is not an appropriate long term solution, but you say to yourself, “I’ll come back and do that better when I have time.”

Fast forward 3 years and your quick fix is still in production causing all sorts of grief because it was never intended to be a long term solution and/or nobody knows what this thing is doing and they remove it, again, causing all kinds of grief.

Maybe I’m stating the obvious, but we need to make sure we have effective policies and procedures in place to ensure that we are addressing things in an appropriate manner, independent of the “this is quicker” mentality. Again, I am not saying that quicker shouldn’t be used.  It has its place and often is the best short term choice.  I just want to remind everybody that we need to keep that long term horizon in sight also.

Agree, disagree, think I’m looney?  Leave me a note in the comments with your thoughts.


Image courtesy of jakeliefer

Secure system design that is impossible to break…

September 16, 2008

I just finished reading Cory Doctorow’s Little Brother. You can buy a copy here or read it for free here. Don’t let its classification as young adult deter you.  I really enjoyed it. If you are interested in privacy and government and how “it’s for your own good” can escalate out of control, I highly recommend giving it a gander.

In the book, there is a terrorist attack on San Francisco which results in draconian security measures being put in place. Our protagonist is Marcus, a 17 year old, who gets picked up by those enforcing the new security measures and is sorely mistreated.  Through the book, we follow Marcus as he fights for his rights and the rights of his friends as citizens using every means at his disposal, most of them being technical in nature.  He is able to circumvent many of the controls put in place because he is a savvy, technically astute individual who has the security mindset we talk about frequently and is in many cases smarter than those who designed the systems he fights against.

So what does all this have to do with a secure system design that is impossible to break? Well, first of all, it is impossible to design a secure system that is impossible to break 🙂 Further, as Bruce Schneier says in the afterword:

“Anyone can design a security system so strong he himself can’t break it.”

We see this same type of phenomenon in other areas. For me, it’s proofreading.  I have the hardest time proofreading my own writing because I know what it is supposed to say. My own brain gets in my way and I read text as I intended it to be as opposed to how I actually wrote it.

If we can’t design perfect systems and we are not able to sufficiently test our systems ourselves, how can we improve those designs to make them more robust and harder to break?

There are a lot of things we can do, like build on the successes of others, use “best practices”, etc.  However, I can think of a couple of things that can significantly improve our efforts:

  1. Peer review – We should have our peers look at our designs.  They will see things that we are blind to.
  2. Testing by a third party – Yes, I am promoting third party testing of our systems, preferably by more than one person. Again, the more eyes involved in reviewing a system, the better chance that weaknesses will be found. I am not proposing that every system get a third party review. It would be prohibitively expensive.  However, important ones probably should.

This also started me thinking about our risk assessment processes and procedures.  If we develop our risk assessment processes internally, aren’t we, in the context of the assertions above, creating a system that is destined to have built-in shortcomings?  Should we have our risk assessment processes “tested?”

I’m interested in your thoughts on both topics, so drop me a note in the comments.

Men in Information Security…don’t be an a**

April 18, 2008

Stacy Thayer posted this on her blog about an experience she had at RSA. A short summary is someone was questioning the existence of competent women in information security. Stacy was called over by Jack Daniel to refute this particular “gentleman’s” point of view. She was treated poorly and kudos to Jack for attempting to change a misconception.

I am not writing this to talk about all the great women who are involved in Information Security. There are plenty. I am writing this because I am really annoyed by the behavior of the individual who made the observation and then, as Stacy says “your first move is to objectify them.”

Gentlemen, don’t be an a**. It isn’t hard. Just treat women with the same respect and consideration as you would a man in a similar position. Notice I said the same respect and consideration you would show a man. Not more and not because she is a woman.

Now I personally believe women should be treated with even more respect and consideration than a man. Heck, they have to put up with us.

Anyway, I’ll hop off my soap box now.