Friday Summary- October 30, 2009
This week’s Friday Summary is sponsored by Evilsquirrel Enterprises, your World Domination Specialists. My absolute favorite holiday of the year is Halloween. More than Christmas (possibly because I’m a non-practicing Jew), more than my birthday, and even more than Talk Like a Pirate Day. Halloween is the ultimate geek holiday. It’s the one time of year we have an excuse to pull out our table saws, microcontrollers, and pneumatics as we build wonderful devices to soil the underwear of all the neighborhood children. I knew I was finally getting it right the first year a group of kids carefully approached our home, then ran off screaming as the motion sensor tripped and the effects kicked in. Between the business and the baby I haven’t really had tine to build anything new this year, but I did finally invest in some commercial-grade fog machines. Fog, light, and sound are absolutely essential for setting a good scene, and go a long way further than any actual decorations. I’ve previously used the cheap foggers from Party City or the Halloween stores, but never managed to get them to last more than 2 years in a row. I’m hoping this commercial unit will be a bit more reliable… and the 20,000 cubic feet per minute of fog it kicks out can’t hurt. This is the 13th year, 4th location, and 2nd state for our annual Evilsquirrel party. It’s a bit smaller than the “Squirrel Wars” year where we had 300 people show up and 4 live bands, but that’s what happens when everyone runs off and starts careers and families. Needless to say, my friends and I are all tremendously amused that the whole “squirrel” meme is so big these days. Now we don’t seem quite as weird. On to the Friday Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted in The Register on Microsoft’s new anti-exploitation tool. Adrian on The ABCs of DAM at Dark Reading. The Security and Privacy Conundrum. David Mortman spoke last week to the Ohio CIO Forum about security and privacy risks in the cloud. Rich and Martin on The Network Security Podcast, Episode 171. Favorite Securosis Posts Rich: Mort’s post on IDM. Adrian, Meier and Mort: Most developers don’t know what anti-exploitation measures are, which in an odd way is why Rich’s post to Add Anti-Exploitation to Applications You Didn’t Write is important. We’ve got to start somewhere… Other Securosis Posts Penetration Testing Market Grows and Matures, but Faces Challenges Penetration Testing Market Update, Part 2 Amazon RDS Announced IDM: Identity? Favorite Outside Posts Rich: This Wired article on the anti-vaccination movement. It’s an extremely important article, but here’s the money quote for us security folks: “Looking back over human history, rationality has been the anomaly. Being rational takes work, education, and a sober determination to avoid making hasty inferences, even when they appear to make perfect sense. Much like infectious diseases themselves – beaten back by decades of effort to vaccinate the populace – the irrational lingers just below the surface, waiting for us to let down our guard.” Adrian: Jeremiah’s post on Black Box vs. White Box. QA professional have used this ‘threshold of stability’ approach for years to gate software releases, but it seems counter-intuitive to security professionals. Mortman: Detecting Malice Released Only halfway through and it is completely awesome. Best tech book I’ve read in ages. (I second that -Rich). (Meier thirds it: “Anyone I bring it up to first complains about the $40 eBook, but it’s the best technical book I’ve bought in a while.”) Meier: Amazon Lets Shoppers Pay With a Phrase This is just dumb. First we have a phrase that’s verifiably known to be taken and second I bet if someone did research on any web authentication mechanisms that are identified as “PIN” you could map the majority of those users bank PINs to their other PINs. I don’t get it. Oh and, to change your PayPhrase you have to log in anyway. Way to go, Amazon. Rich (2): I can’t help myself, I had a tie this week. This article from Ivan Arce at Core Security is a month old, but well worth the read. Special – Worst Link of the Week “Women In IT Security Project Management”. This paper is beyond terrible. Not only is it poorly written (which it is), but it doesn’t make a lick of sense. Case in point – check out this bit from the first page: In this study, I have tried to determine if IT security project management is a viable career choice for women. If so, do they have what it takes to be a successful IT Security Project Manager? I would like to emphasize that IT profession cannot be generalized based on gender. No conclusion has been drawn to indicate if one sex is better than the other in any of the subsets within IT field. Isn’t it great how the author, Gurdeep Kaur, simultaneously tells us that she’s going to investigate whether one gender has the ability to do a job, and then claims that you can’t generalize on the basis of gender? You really shouldn’t read the paper, but if you do, it goes downhill from there. The analysis is shallow and suffers largely from citing lots of studies that demonstrate the problem while providing little in the way of solutions. The few suggestions provided are insulting to say the least. I’d quote more but I can’t bring myself to do it. I am amazed that SANS actually posted this to their reading room and granted the author a “Gold Certification”. Top News and Posts China expands cyberyspying. Duh… I hope we are too. Is Your Data Really Secured? by Nati Shalom. Some overlap with our Cloud Data Security series, and worth a read. CISCO acquires ScanSafe. Threat Level’s story on the 2006 Walmart Hack. Hackers foiled by their own installation of L0phtcrack! Nice post on Threat Modeling from the Matasano team. Indeed, software would be great if it wasn’t for the users! Microsoft’s response: Engineers vs. Ninjas on the Microsoft SDL Blog. AV Researcher published AV Tracker tool. NSA to