Security

Let's meet up in Vegas, at Black Hat!

30 Jul, 2007

Tomorrow I hop on the plane for the short flight from Denver out to Las Vegas for the Black Hat conference. StillSecure will have a booth and I'll get a chance to network (the person-to-person kind) and talk with a number of friends from around the industry.

If you are attending Black Hat this week, please plan to stop by the booth so we can meet in person. I talk with so many people digitally these days that it will be nice to connect in person rather than just talking through bits and bytes.

See you at Black Hat.

General

Comedy parodies life

30 Jul, 2007

I’ve never been a huge Weird Al fan, or better put, I like his stuff the first time I see it and that’s usually enough. (Michael Jackson’s "Eat It" was an exception.) This one though, I have to admit, I watched a couple of times. I guess it hits too close to home, like one of those stray baseballs that decides to break one of the neighbor’s windows when you were a kid.

Anyway, my sister sent this to me, so I guess you now know what she thinks of her older brother. Truth is funnier than fiction.

So, here’s to all my fellow nerd friends… enjoy this Weird Al rap video, White and Nerdy.

Podcasts, Security

Podcast #43 – 2007 NAC Survey w/Current Analysis and Network Computing

30 Jul, 2007

Time again for the next in our series of podcasts, and of course we're covering more network access control (NAC). This week we are joined by Andrew Braunberg, research director for enterprise security at Current Analysis, and Andy Dornan, author, journalist and senior technology editor for Network Computing.

Current Analysis and Network Computing teamed up again this year to do an extensive NAC survey of IT organizations. During our interview we focus on some of the meaty and most important insights from the data. In many ways, things have changed since the survey last year. Alan and I had a chance to review the survey data at Interop so we were able to dial into some of the most interesting insights.

I think you'll enjoy what is discussed here, and the full survey is available from Current Analysis. It's great to have both of these gentlemen on the show. And in case you missed last week's podcast #42, Microsoft and Trusted Computing Group were on the show to talk about Microsoft's support for the Trusted Network Connect efforts. Be sure to check out podcast #42 if you haven't already.

I'm heading off to Black Hat this week in Vegas, so we give a little preview of some of the goings-on coming up in Vegas. If you are going to be there, definitely stop by the booth so we can say hello and meet in person.

Please send any questions or comments to podcast@stillsecure.com. Thanks for listening and we'll see you soon.

General

Summer of Strat project is complete

29 Jul, 2007

Last week I finished up building my dream Stratocaster and here it is, the official unveiling of my first Strat project.

The project has been about a year in the making, at least that's when I got serious about doing something about my first guitar building project. About 4 months ago I started ordering parts, beginning with the body and neck. From there the rest of the parts came together, with the pickup selection being one of the toughest choices to make. This guitar was to be all about tone, and the pickups had to be just right along with the selection of wood combinations for the body, neck and fretboard.

Well, I'm very pleased to say I couldn't be happier with the entire guitar, especially the Fender Custom Shop Fat 50's pickups I ended up choosing. They have such an unbelievably sweet tone with lots of complementary overtones. This guitar will just take off and wail like none I've ever had. It gets that classic Gilmour/Pink Floyd sound (The Wall solo was one of the tones I wanted to be able to get) and the John Mayer Continuum classic Strat sound.

The pau ferro fretboard (the first non all-maple Strat neck I've had) gives it a really nice "spank" tone that I really love. And the Fiesta Red body, set off by the classic aged mint green pickguard and gold hardware, gives the guitar a rich, classic look. The flame maple "tiger stripe" of the neck and headstock make a statement that this guitar is high quality and is all about tone and hot looks. As you can probably tell by now, I'm extremely pleased with how the project turned out.

This guitar will become my "main" for quite some time, followed up by my current Jeff Beck-like Strat as my "second". The pictures don't do the body color justice. Fiesta Red is one of those colors that reminds you of a '50s creme and orange-red Thunderbird. It can also come across as a coral red-like color in certain light. A very unique but classic look, and the gold hardware says "class" all the way. Someday when I have a chance to record I'll put up a few mp3s of how this guitar sounds.

For those guitar gearheads out there, here’s a complete component list from the project.

  • Warmoth alder body, 3 lb. 10 oz. weight (prior to painting), painted Fiesta Red
  • Warmoth AAA flame maple neck, modern construction with compound radius, vintage aged clear gloss finish, and traditional truss rod with headstock adjustment.
  • Pau ferro fretboard, 22 Dunlop® 6105 narrow jumbo frets, mother of pearl dots, bone nut cut for D’Addario EXL 120+ 0.0095 strings, and Fender licensed Stratocaster headstock.
  • Fender American gold bridge tremolo, 3 spring setup
  • Fender Custom Shop Fat 50’s Strat pickups with Fender aged white pickup covers and knobs (gold lettering)
  • Pickups wired with 5 way switch, volume control, neck/middle pickup tone control, and bridge pickup tone control
  • Fender mint green 3-ply (w/b/w) shielded pickguard – very light mint shading, more towards a classic aged white color (not as white as it looks in these pictures).
  • Sperzel gold inline, staggered height, locking tuners.
  • All gold hardware: 1/4" output jack and jackplate, classic style string tree, strap locks, neck plate, and neck, pickguard, and pickup mounting screws.

Here are some additional pictures and close ups. Click the thumbnail to see the full-sized image.

[Pictures: body front, body back, neck and headstock, neck back, pau ferro fretboard]

Network, Security

Good chemistry for Aruba and wireless IPS

24 Jul, 2007

Aruba's purchase of NetChem's wireless IPS technology is not a surprising move, but actually one I think has been a long time coming. It's a natural fit for the wireless gateway management products to extend their product lines into wireless intrusion prevention.

The question is whether Aruba will start to embed more of NetChem's IPS technology into their existing product line over time to further differentiate them in the market, or continue with a parallel product line of wireless IPS products. Integration makes sense, but selling separate boxes for gateway and w-IPS needs could be a hassle for customers who want fewer boxes (though it could be more profitable). This could signal a buy of the other w-IPS vendors AirDefense, AirMagnet and AirTight (but I'm not so sure of that yet). Either way, this is a good move and we'll wait to see what Aruba does.

General

Every manager needs a periscope – quality training

23 Jul, 2007

A friend sent me a post by Will Herman about the impact of software bugs during the sales process. I'm sure many a salesperson since the first software sale ever made could relate to that. It reminded me of the importance of total quality management (TQM), something I was fortunate to have training in (Florida Power and Light TQM) back in the '90s. I still use much of what I learned today. It's especially important in any software development environment, but also very important in security, or any management discipline.

Applying quality principles enables something TQM leader W. Edwards Deming said in his 14 principles of management: management should lead, not supervise. When asked by new managers, "what's this job really about?", I always tell them your job is about two things. The first is getting the team or organization operating at a repeatable and effective state for whatever you do (software, security, service, etc.). In other words, creating the engine for producing what you are there to produce.

But that's only half your job. The other half is manning the periscope. Even today's high-tech submarines, with the most sophisticated navigation and surveillance systems in the world, still have a periscope and a conning tower on them. Why? Every once in a while you just have to raise the periscope to look around and make sure your instruments are telling you the truth, and adjust when they aren't. You have to look above water to see how you are doing, study the readings and then make adjustments. Yep, that really is a rough patch of water ahead, so we'd better prepare now. This information helps a manager either get the team to the next level, or avoid an impending pitfall no one has their eye on because they are too busy running the engine.

Deming called this process the Deming Cycle, or PDCA: Plan, Do, Check (or Study) and Act. It's a constant process, one you repeat over and over. But there's an equally important component: you can't improve what you don't measure. That's another very important saying I recall from training, and it's so true. Often teams get into a repetitive cycle but only look at problems and improvements within each cycle, rather than across them. The real value in quality occurs when you are on your 3rd or 4th (or more) repetition. That's when the data starts talking to you and jumping up and down with pointers to more systemic problems. The ideas from TQM can be applied in so many ways. I just find that they can help you see what you can't, and give you factual references to what you suspect is going on. In either case it is an extremely valuable tool for any manager.

I hope you find this information valuable. Here are Deming's fourteen principles of management, courtesy of Value Based Management.

  1. Create constancy of purpose for improvement of product and service (organizations must allocate resources for long-term planning, research, and education, and for the constant improvement of the design of their products and services)

  2. Adopt the new philosophy (government regulations representing obstacles must be removed; transformation of companies is needed)

  3. Cease dependence on mass inspections (quality must be designed and built into the processes, preventing defects rather than attempting to detect and fix them after they have occurred)

  4. End the practice of awarding business on the basis of price tags alone (organizations should establish long-term relationships with [single] suppliers)

  5. Improve constantly and forever the system of production and service (management and employees must search continuously for ways to improve quality and productivity)

  6. Institute training (training at all levels is a necessity, not optional)

  7. Adopt and institute leadership (managers should lead, not supervise)

  8. Drive out fear (make employees feel secure enough to express ideas and ask questions)

  9. Break down barriers between staff areas (working in teams will solve many problems and will improve quality and productivity)

  10. Eliminate slogans, exhortations, and targets for the work force (problems with quality and productivity are caused by the system, not by individuals; posters and slogans generate frustration and resentment)

  11. Eliminate numerical quotas for the work force and numerical goals for people in management (in order to meet quotas, people will produce defective products and reports)

  12. Remove barriers that rob people of pride of workmanship (individual performance reviews are a great barrier to pride of achievement)

  13. Encourage education and self-improvement for everyone (continuous learning for everyone)

  14. Take action to accomplish the transformation (commitment on the part of both [top] management and employees is required).

Network, Security

Oooo free stuff, and you can help with product design

23 Jul, 2007

We'll be doing tests of the Cobia and Strata Guard IPS module user interface designs at Black Hat (August 1-2) and LinuxWorld (August 6-9). If you are interested, please send your contact info (email, phone number) to cobia@stillsecure.com.

Oh, yes. There is some free stuff for those who participate. Thanks!

Security

Is the GPL under attack? Will it survive? Can we still recognize it?

19 Jul, 2007

There's been a very interesting dialog and discussion over the past month or so about what it means to be open source software. First the OSI telegraphed that they are going to more actively police vendors who make claims about being open source but don't meet the OSI's definition (a narrow and non-market-savvy position from my viewpoint, btw). Keep in mind too that the OSI can only do this through informal peer pressure, as the OSI doesn't have "teeth" to enforce their open source definition. I blogged previously about this and the pink elephants no one is talking about – vendors who modify the GPL by imposing their own conditions and interpretations of the GPL. (I'm referring to GPLv2 here.)

The new controversy brewing around open source is Sourcefire's move to change, or in their words "clarify", the licensing in Snort. Alan's done a good job of discussing this on his blog, and while I usually try not to cover the same ground I think there are a few more things to say about this situation. In summary, what Sourcefire has changed is: removing the ability to license Snort under GPLv3 (previously allowed); Sourcefire-favorable interpretations (not backed up by any industry interpretations) of the GPL laid out in a preamble to the license (intending to curb commercial offerings without a separate commercial Sourcefire license); and assignment of full rights to Sourcefire of any code contributed to Snort by third parties. Add to the controversy Sourcefire's recent blanket change of the headers on existing code to limit the licensing to GPLv2, including non-Sourcefire open source developers' work contributed to the code base, and claims that rights to contributed code were granted to Sourcefire all along, and you've got a real brouhaha on your hands.

I'm actually very familiar with what Sourcefire wants to do here with most of these license changes (excluding of course the changing of file headers and claiming rights to prior contributions – I will share my thoughts on that in a bit). Many of their goals are very similar to the StillSecure Community License we created for Cobia. Basically: use it as much as you want for free, here's the source to change/modify/contribute back if you like, and here is a commercial license for those who would like to use Cobia to make money. And btw, we would love you to do any and all of these things. But there are also some very important differences worth discussing.

There are many ways to achieve an outcome such as the licensing in this situation. We actually considered taking a similar approach for Cobia licensing: use the GPL, add or "re-interpret" our own stipulations to the GPL, and then try to walk the fine line of using the GPL while deviating from it when it didn't suit our needs. The problem with that approach, at least for me, is that it just didn't seem faithful to the GPL. But the biggest issue is that it just creates confusion and isn't consistent with our values in how we deal with customers and partners. Rather than taking a perfectly good round peg and wrapping a bunch of duct tape around it to force fit it into some square hole, I believe it is better just to be straightforward with people, even if it means a few might choose not to use the software because it wasn't licensed under the GPL or some other OSI license. It is more important to me to be very up front and clear about licensing a product than to come up with a convoluted way to use the GPL, making no one happy in the end. And don't get me wrong, we took some hits for calling Cobia open source from those who only want open source to mean software under an OSI approved license. Open source is much broader than that narrow definition, and that's one we'll just have to agree to disagree on.

If you are going to slide down the slippery slope of splitting hairs with the GPL, are you really GPL anymore, or is the GPL just a hollow label because the details are really in the fine print? It may quack like a duck, but if in the end it doesn't really walk like a duck any longer, it ain't a duck. If every vendor adds their own "interpretation" of the GPL to suit their own narrow interests, then the GPL becomes diluted and everyone will simply discount it and jump right to the fine print, assuming you can always find the fine print. If you've been involved in open source or follow the communities that develop around open source projects, the one thing you learn very quickly is that more than just the software has to be open. You must be clear and consistent with your intentions and your communications. Any attempt to slip something by, or even the appearance of being disingenuous with the community, immediately breaks down trust, causing hostility and suspicion. And going dark when there's controversy, or when you need to explain your actions or intentions, really causes problems.

Those considerations went not only into the StillSecure Community License we developed for Cobia, but also into creating a complete license FAQ and explanation web page. We took all of the most commonly asked questions about our license (is it open source, is the license OSI compatible, when can I use the software for free, when do I have to have a commercial license, what services can I offer without a commercial license, etc., etc.) and put them right there on the web site in plain English. (Try to get the lawyers to do that!) The idea behind all of this is that we want to be transparent. We are a for-profit company, we are giving a lot of things to you for free (including the product and the source code), here's how we make money and (just as important) here's how you can make money if you want to. Nothing is hidden; we don't couch things in funny legal terms or split hairs by applying our own funky definition to something everyone knows means something else.

But there's another significant difference for us. We started Cobia under this license from the beginning as a for-profit company, rather than trying to turn the ship of an existing GPL project and morph it into a for-profit product. What Marty and Sourcefire are trying to do, while very worthy and appropriate business goals, is also very difficult without doing damage to the trust built up over the life of the project. For example, yes, you can place requirements that future contributed code also include a broad license of rights. But you can't change history and change the license, or on your own say that a grant of rights was in place all along. That's the kind of stuff you want to be very intentional about, or else it looks like the rules are being made up as the game is being played. There is no eminent domain under the GPL that says because you started the project or contributed the most code you can change or usurp code under a license change midstream that impacts the contributions of others. Quantity of contributed code doesn't matter – every contributor has the same rights under the GPL. The person who contributed three lines of code has the same rights as someone who contributes a thousand. Frankly, it's a tough thing Sourcefire is trying to do here, and I don't envy their position or necessarily agree with the approach. It has all the signs of one of those situations where every option creates problems you'd rather not have. Sometimes you'd like to rewind the tape and start all over, but in life and business that's not usually possible.

This situation gave me the opportunity to reflect back on the decisions we made around Cobia licensing and the choice not to try to re-interpret the GPL. Trust, clarity, communications and transparency are things which are very important to creating a product, technology and community around Cobia, and I hope we can continue to adhere to those goals in the future. I think this is an important topic to discuss and not let go unnoticed. I know Alan proposed having a podcast with those involved in the Snort controversy, which I think is a great idea. I hope they choose to participate, and even if they don't, I think we should move forward and have this conversation on one of the upcoming podcasts.

Security

Microsoft UI design flaw can create email confusion

18 Jul, 2007

A few months ago I began using Vista on one of my laptops. Overall I've been reasonably surprised by how well I like Vista (I know, you aren't supposed to say good things about Microsoft, but I have to tell it like it is).

Today I encountered a confusing design flaw in the security settings presented in the user interface of two Microsoft products, Outlook 2007 and Windows Mail (the replacement for Outlook Express that comes with Vista). I say confusing design flaw because it affects your filtering of junk, spam and phishing emails, which could result in either of these programs doing just the opposite of what you intended with junk mail. The problem has to do with confusing differences in the menu design for the Junk Mail options between the two products.

Outlook 2007 lists Add Sender to Blocked Senders List first in the menu options under the Junk Mail menu. Since I use the Outlook 2007 client for most of my business mail (where the bulk of my email arrives), I've become quite accustomed to selecting this option when I receive unwanted, suspicious or potentially harmful email. Right-click on the email item, slide down to Junk Mail, and select the first option on the expanding menu, Add Sender to Blocked Senders List. Done. On to the next email.

Today while using Vista's Windows Mail, which I use for many of my personal email accounts, I went to filter out some unwanted email and happened to pause when a dialog box appeared asking if I wanted to add the email sender I had just selected to the Safe Senders List. My first reaction was to click the checkbox not to show me this dialog box any longer, since I frequently add spam and other junk email senders to my blocked senders list. But I happened to catch the words Safe Senders List. Huh? You know how a dog lifts an ear or cocks its head when it hears something strange? That's probably what people in the office thought about me when I saw this. Errrt!?

At first I thought I must have fat-fingered the menu selection, but after examining the same Junk Mail menu options in Outlook 2007 and Vista Windows Mail I discovered the blocking senders and safe senders options were flip-flopped in the two products. (See the menus to see what I mean.) How confusing! And how many times have you just clicked on some random OK dialog box after performing an operation? I have to confess that I haven't actually read every OK dialog box presented to me over my lifetime.

It may be an oversight on the Microsoft UI design team's part, but this can be pretty annoying and could create some confusion for users like myself who use both products. While not an exposé worthy of appearing on CNN, I hope pointing out this little flaw helps you if you are an Outlook 2007 and Vista Windows Mail user or support other users who are.

Podcasts, Security

Podcast #42 – NAC/NAP "spec-TAC-ular" with Microsoft and TCG!

18 Jul, 2007

Well, we pulled it off: Microsoft and TCG on a podcast talking all about TNC and Microsoft NAP interoperability. We went straight to the guys in the know about Microsoft's TNC support announcement from back at Interop LV. It's an all-star lineup as Amith Krishnan, senior product manager for NAP at Microsoft, and Steve Hanna, co-chair of the TCG's Trusted Network Connect workgroup and distinguished engineer at Juniper, join us for the podcast. Wow, we had a great time discussing NAC, NAP, TNC, Server 2008, Windows, Linux and all the ins and outs of this announcement. The entire podcast is dedicated to the interview with Steve and Amith, so I know you'll really enjoy this show.

And where's Cisco, you might ask? (Sounds like "Where's Waldo" to me.) We tried, boy did we try, but to no avail. Mysteriously, no matter how many weeks we gave them, it just wasn't enough notice to have a Cisco representative show up on our 'lil ol' podcast with "Al and Mitch". Hmmm. Seriously, we would really have liked someone from Cisco to join, since they've been very silent since the Microsoft NAP and TNC announcement. Maybe that'll happen in a later podcast. Cisco – you have a standing invitation to join us anytime.

Thanks for listening and enjoy the podcast. Please send any questions or comments to podcast@stillsecure.com.