Wednesday, July 27, 2011

dm1z and MacBook Air: a quick pre-review

Since this came up on Twitter, I thought I'd mention two recent purchases: the HP dm1z $400 netbook and the Apple MacBook Air $1000 thing.

The ethical problems of the CISSP and (ISC)2

This article from Attrition.org and InfoSecIsland.com is a good discussion about the ethical problems of CISSP/(ISC)². I thought I'd add my own 2 cents, since the ethical problems with the CISSP certification are pretty grave.

Friday, July 22, 2011

It’s just an analogy, get over it

We in the cybersec business explain technically difficult concepts by using analogies with things people are familiar with. For example, we say “cyber security” to convey the notion that what we do is similar to physical security (armed guards, bank vaults, keys to your front door) but in cyberspace.

But these are just analogies. You really can’t take them too far without looking the fool.

Those who don't know the state-of-the-art are doomed to repeat it

I was reading this article about Microsoft's "Network Inspection System" or "NIS". It attempts to solve the problem of false positives in IPS by using more application-level protocol analysis that keeps track of protocol state, message structure, and message context.

Welcome to state-of-the-art, 1999, when I released the first IPS, BlackICE Guard (now sold as IBM Proventia). McAfee's and Palo Alto Networks' IPS products also do a lot of protocol analysis. A lot of bad products give a bad reputation to the industry, but that doesn’t mean there aren't good products.
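To make the difference between the two approaches concrete, here is an added example (written for this page, not code from Microsoft's NIS, BlackICE, or any other product). It contrasts a byte-pattern signature with a check that first parses HTTP and then looks only at the header field the signature is meant to protect. The HTTP parser, the 256-byte Host limit and the two sample requests are all constructed for illustration.

```python
import re

# Signature approach: a regex run over the raw bytes of the connection,
# with no notion of where in the HTTP message those bytes sit.
# (Hypothetical signature for an overlong Host header.)
OVERLONG_HOST_SIG = re.compile(rb"Host: [^\r\n]{256,}")
HOST_LIMIT = 256  # assumed limit for the example


def signature_match(stream: bytes) -> bool:
    """Fire if the byte pattern appears anywhere in the stream."""
    return OVERLONG_HOST_SIG.search(stream) is not None


def parse_http_request(stream: bytes):
    """Minimal HTTP/1.x request parser: (request_line, headers, body).

    Illustrative only. A real engine also tracks state across packets,
    pipelined requests, chunked encoding and folded headers.
    """
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get(b"content-length", b"0"))
    body = rest[:length]
    return request_line, headers, body


def protocol_aware_match(stream: bytes) -> bool:
    """Fire only when the parsed Host *header field* exceeds the limit.

    Bytes in the message body are never compared against the header
    rule, because the parser knows they are body, not header.
    """
    _, headers, _ = parse_http_request(stream)
    return len(headers.get(b"host", b"")) >= HOST_LIMIT


# Constructed sample traffic.
# 1) A genuine overlong Host header: both detectors should fire.
ATTACK = b"GET / HTTP/1.1\r\nHost: " + b"A" * 300 + b"\r\n\r\n"

# 2) A benign POST whose *body* happens to contain the same text, e.g. a
#    user pasting an exploit log into a forum form. The signature fires
#    (false positive); the protocol-aware check does not.
_BODY = b"text=Host: " + b"A" * 300
BENIGN = (b"POST /post HTTP/1.1\r\nHost: forum.example\r\n"
          b"Content-Length: %d\r\n\r\n" % len(_BODY)) + _BODY


def compare(stream: bytes) -> dict:
    """Return both verdicts for one request so they can be compared."""
    return {
        "signature": signature_match(stream),
        "protocol_aware": protocol_aware_match(stream),
    }


if __name__ == "__main__":
    print("attack:", compare(ATTACK))
    print("benign:", compare(BENIGN))
```

The signature engine cannot tell a header from a body, so any request carrying the pattern trips it. The protocol-aware check reaches the same verdict on the real attack but stays quiet on the benign post, which is the false-positive reduction the post above describes; the cost is that the engine must carry a parser (and per-connection state) for every protocol it inspects.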

Sunday, July 17, 2011

Undersea Cable Map

Here is an awesome site for viewing the map of undersea cables: http://www.cablemap.info/

Wednesday, July 13, 2011

Don’t get sucked into conspiracies

Dr. Neal Krawetz is the best source for image analysis (that I know of). His work is awesome. Recently, when I visited his blog, I noticed that he got sucked into two conspiracy theories.

Friday, July 08, 2011

Space Shuttle: good riddance

Today was the 135th and final launch of the space shuttle. Many are crying over the end of an era. But the project has been a boondoggle from the start, sucking the life out of space exploration. At $1 billion per launch, it costs 10 times as much to launch something with the Shuttle as with another spacecraft, which is why we buy so many launches from the Russians these days. Over its 40-year life, NASA has spent $211 billion (inflation adjusted) on a program that has no notable accomplishments.

Wednesday, July 06, 2011

Chronic Threats: SQL injection

What is the reason for the recent rash of hacking? Why was LulzSec able to take on high-profile victims like Sony, the FBI, and the CIA?

The answer is this: hackers aren't necessarily smart; the problem is that the victims are stupid. Hackers like LulzSec exploited "obvious" problems in the victim websites. But for all their obviousness, we (as an industry) still don't know how to fix them.
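As an added illustration of the "obvious" problem the post is about (example code written for this page, not taken from any of the sites mentioned), here is the classic SQL injection bug beside the fix that has been known for as long as the bug has. The in-memory SQLite table, the credentials and the login function names are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The obvious bug: user input is pasted into the SQL text.

    A username of  admin' --  turns the rest of the WHERE clause into a
    comment, so the password is never checked.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the input is bound as data, never parsed as SQL.

    The same  admin' --  string is now just a username that does not exist.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed attacker inputs.
COMMENT_INJECTION = "admin' --"          # truncates the password check
TAUTOLOGY = "' OR '1'='1"                # makes the WHERE clause always true


def demo() -> dict:
    """Run valid, wrong and injected logins through both versions."""
    conn = make_db()
    cases = {
        "valid": ("admin", "s3cret"),
        "wrong_password": ("admin", "wrong"),
        "comment_injection": (COMMENT_INJECTION, "anything"),
        "tautology": (TAUTOLOGY, TAUTOLOGY),
    }
    return {
        name: {
            "vulnerable": login_vulnerable(conn, user, pw),
            "fixed": login_fixed(conn, user, pw),
        }
        for name, (user, pw) in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} vulnerable={result['vulnerable']!s:5} fixed={result['fixed']}")
```

The vulnerable version accepts both injected inputs without a password; the parameterised version accepts only the real credentials. Nothing about the fix is clever, which is the point of the post: the technique has been available for years, yet the bug keeps reappearing in production sites.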