Showing posts from 2010

Intel buys McAfee - help me out here!

OK... I don't know what to think about this. Exactly where does Intel position McAfee in their portfolio? I guess I will see a ton of posts on this in days to follow. But right now I have not got a clue... Update 2010-08-24: Thank you, arstechnica, for coming to my rescue and bringing some sense into the acquisition. Quote: "The company thinks that they can do security better than a software vendor alone could, and they believe this because they know that security is about systems—not just hardware or software, but services, practices, policies, and user experiences and expectations." By keeping McAfee as a branded subsidiary they probably feel they will have an edge owning the whole chain up to the customer. But what happens if AV becomes the weakest link in the chain, if McAfee loses momentum and some other AV manufacturers run much faster? Are the customers bound to stick to McAfee/Intel products because they are so closely knitted together?

Oh happy day! Is he on drugs, or what?

Lately there has been debate and discussions on Wikileaks and the controversy of publishing information on US Forces' behavior in Afghanistan. The leaker has been pointed out as Bradley Manning, a US Army Intelligence Analyst. Now new information has come out saying Adrian Lamo, who turned in Manning, is a member of the highly secretive organization called Project Vigilant. How credible they are, I can't answer, but it seems they have been given a huge mandate to work "behind the scenes" and the leaders of this pack are Homeland Security, NSA, DOJ etc. seniors... Makes you scared, huh? But when I was directed to this interview on BBC, which includes commentary from the aforementioned hacker Adrian Lamo, my heart truly skipped a few beats. What if all the voluntary guys and gals are like him? What do they get fed? I can't think their fringe benefits can be healthy...

Tightening the thumbscrews

VISA set a deadline for PCI compliance for smaller companies in the US to yesterday. Bigger dragons have until September 30th to comply. It is not an easy task to comply with the 230 (approximately) requirements in the PCI-DSS. Not for your local news dealer at the corner, nor for the huge department store downtown. What if the energetic guy who has been selling cigarettes and magazines for 40 years to your dad and you actually cannot understand or is not capable (moneywise or otherwise) of complying? Weird stuff in that self-assessment document, strange words... Does this mean a lot of these smaller shops will disappear? Will there be any more local stores thanks to this? It is a sad thought. I love to get my papers and bread from a local dealer. On the other hand, what if they won't comply? The story tells that small businesses are a bigger target than the larger ones in hacking. Logical, since the smaller ones are probably not as aware of patching or updating, or firewalls or viruses or...

Why do you do it?

I was just thinking about why people are so stubborn. When I went, for the first time, to Amsterdam as a teenager my dad said fine, go there, but don't go near the Red Light district, you'll be robbed. So I went down to Amsterdam, and coming out from the central station I walked down the street looking for a cheap place to stay. I found a youth hostel called Bobby's (which I later discovered was quite legendary), checked in, left my backpack behind the reception and asked for directions to the Red Light District. So much for the good advice from my dad. I didn't get robbed, but I soon discovered that there were ladies sitting in the windows, offering the time of my life for a special price. As I was window shopping a number of guys (always guys) came up to me offering the time of my life with a little help from different substances. Well, I wasn't there for either of those, even if a few of the guys really insisted that I needed what they had to offer and wou...

Makes me sad

I found this photo article and it made me sad. I like to think that we, in the western world, have a sane view on most things humanitarian. I know, there are many things and laws and issues we need to change or learn from, but all in all I believe we have pretty fine rulesets to live by. Americans have some hilarious bylaws that we all laugh about, and so do a lot of European countries. I have close relations to Australians and sometimes I have to catch my breath when some of their laws become known to me. But still, I get worried when a whole country is degraded and shot back to the medieval ages because of religion and beliefs. I cannot understand how this can be good for mankind, or the citizens of Afghanistan. I just can't...

New design

Most of you will notice (not that there are so many reading this blog) that the design has changed to a slicker, more sophisticated design. Thought I would see how I like this, and what Blogger's new design "engine" has to offer. Just need time to play around with it.

Captain Reach 364 sees the light

Found a very good blog today. Written by Reach 364, captain and C-17 pilot in the USAF, and he shows great insight when looking at his own cyberworld and gaining understanding of how it works. He also writes about his findings in a very good way so laymen at all levels can follow. It will be very interesting to follow this guy's path to greater knowledge of the darker side. The comments also give away great links to resources if you want to dive in and learn more about computer security.

Ubuntu to cease Sparc port?

I don't know what to think about this mail sent out on the Ubuntu development list. I have been living in Sparc-land for well over 10 years, mainly running SunOS on servers, hundreds of them. Whatever I think of the development in days gone by, I have grown attached to them, kind of a love-hate affair we have. I run Ubuntu on several PCs on Intel platforms, both stationary and laptops, and I am fairly happy with them. I don't do heavy development anymore so performance is not the main issue, functionality is. All in all I'm pleased with the environment when it's tweaked to please my eye and behavior. What worries me more than anything else is that this might be one outcome of the Oracle acquisition of Sun Microsystems. That Larry Ellison decides he wants to keep things close to him and change the fairly open atmosphere Sun started to market in the latter days. Not only Ubuntu will suffer from this, more importantly OpenSolaris will. If OpenSolaris dies Solaris will p...

SecDay at cern.ch

I believe this is something worth watching. CERN is launching a series of webcasts with experts giving their thoughts and tips on how to secure your computers. They call it CERN Security Day and it takes place on the 10th of June 2010. Due to the location of CERN (border of Switzerland and France) some of the speeches given are in French, but as I understand it these will be subtitled in English at some stage. The full program for the event is to be found here. Note: Times are Zürich local time.

Interview with Steven Levy

25 years have passed since Hackers was published. Based on true stories, he made a significant impact on tech-savvy kids, as did the movie. O'Reilly has an interview with the author where he's reflecting on what it all was about and how things have come to where they are. O'Reilly also published a revised version of the book.

Lies, damned lies and statistics

Every once in a blue moon someone comes up with indisputable statistics and presents them in pie charts leaving very little to the imagination. Here's all you need to know to know that you're not alone doing these everyday chores et al.

Linux powahh!

I've been using Linux since the olden golden days of before 1.0. In the beginning Slackware came on 1.44 floppies and the stack grew on me from approximately 12 of those to over a hundred... tedious work to load all those upon installation. Today it's a bit different with information super highway connections from home and a gazillion different distros to choose from. My flavor for the day is Ubuntu, mostly because it just works and I like to think I have more interesting stuff to do than fiddle around with libs and compilers more than I do at work. Long gone are the days of building up a 386 from bits and pieces. Today Linux is used for more demanding stuff, like being in the top 500 of supercomputers... actually 91% of the top 500 runs on Linux of some kind.

No cold drinks? Chill...

Yeah, I know. To go rock'n'roll you need drinks. And if they aren't already in the fridge you need some help. Enter the Rapid Blitz Chiller, and after approximately two minutes you're good to go with your first cold choice of beverage. Although, someone pointed me at a free version of a rapid cooler courtesy of Mythbusters, which is made of a bucket filled with water + ice + salt. Took them five minutes to reach cold beer (38F/3C). Cold enuff :-)

PCI turns rock'n'roll

Who said PCI wasn't fun? Join this fast and furious magical country carpet ride for a quick lesson in PCI-DSS, presented by the PCI Council! PCI Data Security Standards Rock

Security program to install?

I get a lot of questions from people who want to know what the best security program to install is, and which one is the best. And then they get frustrated when they learn that I can't answer their question. There is only one answer: you can't. Yeah, my credibility as "the security guy" just was lowered to a place near zero, if not six feet under. Once again I must revert to the long answer, which is that there is no program designed to do that alone. It is you, as a human being, that protects your data best. Your computer is just a thingie that contains your data. You probably don't give a rat's ass if your computer is hacked, or compromised in other ways. What you really are concerned about is your data. People just don't realize this. So that's the prerequisite. To move along from there you need to protect your data through this computer's perimeters. Let's just face it first, you will never get it 100% secure. In order to do that you need to put a ...

Sacred house

How about this for an alternative style of living? Knowing the British quality of building and their lack of knowledge on how insulation works, or that it even exists, makes me wonder what kind of a number the heating bill carries... Nonetheless it is an astonishing conversion, and I wish I was as handy. A couple of friends from days gone by remodeled a smaller countryside chapel into two apartments twenty years ago and I wanted that too, but this brings things up to a totally new level.

CERIASly dumb computer security

Just happened to stumble upon (not via the StumbleUpon service) this series of videos from Purdue campus with Dr. Charles P. Pfleeger, where he goes through a few ideas in computer security history that in hindsight could have been thought through maybe once or twice before making reality of them. I like the analogy where he states that in many projects the security guy is involved at a late stage, when everything is almost marketed, shrink-wrapped and sold, to bring his little bag of security miracle dust and sprinkle it over the product in order to make it safe... Haven't we all seen that happen!?

Through to the other side...

Upgrading this computer to Ubuntu 10.04. Don't know how that will end. The last upgrade gave a whole new collection of grey hair and I learned a few new curse words along the way. Didn't lose anything except patience during those days of agony and fear. This time the Ubuntu guys promised me nothing could go wrong... oh wait... didn't they do that the last time too? Reports to follow. Update: OK. Took its time all right... and scared the crap out of me upon reboot. The GDM came up OK, 25 sec boot time, but then it was all black, just a cursor. Console revealed a lot of GdkPixBuf errors... but nothing that should be causing X the hiccups. So I logged out. Logged in failsafe. All is fine. Nothing in the error log. Weird. So login again normally. And yes. All seems to be fine. Good thing. Only thing that was annoying: the minimize, maximize and close buttons were on the left hand side. Not working for me. So changed them back to where they "should" be: Alt-F2 gco...

Weekend reading

Yeah... blame porn for the recession
McAfee SuperDAT Remediation Tool
Hackers and social networking: A love story
Richard Clarke's Cyberwar at Wired

Way too cool to not mention

Android on your iPhone

Friday reading tips

There will always be budgets. And budgets will similarly always be targets for cuts. The first article gives you a couple of tools to manage those requirements.
Strengthen security on a smaller budget
Fireshark finds malicious code on web sites
Marc Maiffret - the quick rise of a teen hacker
10 lessons to learn from Pwn2Own contest
iPad is child's play but not quite magical

Please don't change your passwords!

Sorry, just couldn't resist commenting on this article. I don't know how this guy/researcher comes up with these numbers and conclusions. Maybe he can blame it on sleeping while taking statistics classes, or his mother dropping him head first on the kitchen floor in the early days? I will not fight him about the numbers presented, they are I'm sure as accurate as they can be. But I must strongly disagree with the conclusions. Of course you need to change your password frequently, or rather infrequently, but at least once every 90 days (my recommendation is every 30 days). Cormac Herley, the top Microsoft researcher who wrote the report, makes the comparison of losing your keys to your apartment for instance. Would you not notice that as soon as you try to get into your household, at the latest? Would you then change the locks? Probably if you had your name and address tag attached to your keys. Or it just might happen that your household was raided already. So when it ...

Why social networking can be good

This story is good and I'll tell you why. Well, there's a downside to it too. The latter is that it is aimed at the social networking audience. The good news is that it is easily translatable to the Internet as a whole. Follow these guidelines given for anything you do with a computer that will be or is connected to any kind of network and you will have a good primer for keeping things at an everyday secure level.

This is how it looks

I just thought I would share a picture taken at our Operations Center of the guys who are responsible for the daily PCI log parsing. Don't worry about the patches on their shirts, these guys are known for their Easter pranks!

Busy patch week

Oracle and Microsoft have released new patches. Makes Jack a less dull dude. An interesting story on nuns practicing Kung Fu, news to me at least. And of course I'm thinking of Lucid Lynx, due to be released in 14 days. The last upgrade made me curse for a few days since one of my laptops refused to give back my files afterwards. After a change of underwear I finally managed to get hold of the files again. Backup, you say? Yeah right... for wimps, I say!
Microsoft Security Bulletin for April 2010
Oracle CPU Advisory April 2010
Nepal nuns go Kung Fu
Spotify denies being cheap
PCI logging HOWTO (Part I)

New life - new era

I'm sure everyone is very thrilled and eagerly awaiting every random post with my deep insights and comments on happenings and news around the IT global warmings. Sadly enough it seems I have a lot of time on my hands daydreaming and developing structured thoughts and solutions for the tiniest problems. Even more sadly, my fingers do not do the walk at the same pace as my mind. So blogging apparently takes its toll. In order to bring some order to this I have to choose between two evil things: to completely stop posting these blogs, or to simply cut down on elaborating thoughts and only serve links to pages I have found interesting since the last post. And I opted for the latter... hopefully I can keep that promise at least. So here goes:
Breach on apache.org - passwords lost
And more on that from Apache blogs
PCI database security primer
Flat-file databases overlooked
Did the right thing - got fired

It must be nice with surprises

Every now and then a surprise is a good thing™, but when the surprise is the same every morning it can't really be considered as one. For Homer Simpson-like characters maybe it is ok to bang your head against the wall and every time it hurts, with a surprised "DUH!" as a result, you go on banging in hope of a different result. But one would think people working in an office full of university degrees and what not could behave differently. Let's take a real life example of this (any resemblance to my employer's office is pure coincidence). Every morning coming to work we have to walk by the front desk, most of us say good morning to the security guard, and proceed to the gate. In order to pass that we have a two-way authentication procedure to attend to. Place the ID card in front of the magnetic card reader, and punch in a personal code. This is the same, every time we need to get into the office, whether it is in the mornings after passing the front desk, entrance...

iPhone, uPhony, allPhony

I am a bit worried about how certificates are handled in today's applications (I guess the olden days weren't any better). Or, actually, there is so little knowledge among average users about how certificates work and why they are there. This of course makes the PKI world a heaven for hackers and other dark elements in society. Talking about average Joe doesn't cover it all though. Apple seems to think it is OK to download certificates from here and there and quite happily recognize them as valid. Even helping the user to validate them: "Go for it! This seems like a legitimate thing to do". In my mind the iPhone has been a cool gadget to have, but with technology from days gone by... (no MMS, mobile camera with baaaaad resolution etc etc) and now they give up security too. But then again, wasn't it supposed to be un-breakable, like the PS3 and Titanic? And I really shouldn't rant since I don't own one anyway. Good morning!

A day in a pentester's life

This morning, just after I had gotten to work, I found a frustrated project leader waiting at my desk. I had just left the kids in school for another day in the office, looking forward to breakfast and a warm cup of tea whilst reading RSS news feeds before my first meeting. Instead this guy, not very well known as the sharpest knife in the drawer, was standing by my desk, demanding that I sanction openings in the DMZ firewall. - Why would I open the DMZ firewall? I asked as I saw my breakfast window shrink and most likely disappear on the horizon like the Lone Ranger and Tonto. There are a few fairly good reasons why we put a firewall there and closed access to almost anything. And absolutely none from the DMZ to the inside network. - We need it for penetration testing, and we really need the openings ASAP, said the aforementioned project manager. I suddenly felt very fortunate not to be chewing on my cream cheese bagel with hot tea an inch from my face. What the hell was the man suggesting? ...

ABA recommends separate PC to do business

That is probably the most ridiculous recommendation in a long time... The ABA (American Bankers Association) recommends a separate computer to do your bank business on-line. That is, no web browsing or e-mail stuff. And yes, I am aware of the fact that the recommendation points to small businesses, not private persons. But the fact remains that this is stupid. The ABA still says doing bank business on-line is safe and this is where the questions start popping up in my head. If it is safe for small or mid-size businesses, why not for large? How about private banking, or is it too petty to worry about? Why isn't the ABA focusing on securing perimeters and infrastructure on the bank's side, instead of pushing security concerns out to the customers? What's next? Someone clever comes up with the idea that on-line banking isn't so secure anymore and a new recommendation emerges. Please do not transport your money bag in your day-to-day car on your way to the bank. Consider hi...

The King - 75th anniversary

The King would have been 75 today. Happy birthday - wherever you are!