Friday Summary: January 28, 2011By Adrian Lane
At Cal, even though my major was software, I had to take several electronics courses. When I got to college I had programming experience, but not the first clue about electronics. Resistors, LEDs, logic gates, karnaugh maps, and EPROMs were well outside my understanding. But within the first few weeks of classes they had us building digital alarm clocks and television remote controls from scatch. The first iterations were all resistors on breadboards, then we moved to chips and EEPROMs… which certainly made the breadboards neater. Things got much more complex a couple semesters in, when we had to design and implement CPUs – and the design not only had to work, but it actually had to meet design specifications for low power, low chip count, and high clock rates. Regardless, I loved the hardware classes, and I gave serious consideration to changing my major from software to hardware. But that pretty well died when I left college.
Over the last couple months I have been picking up some basic projects for fun. Little stuff like replacing light bulbs with LEDs in an old stereo receiver, putting automated light switches into some of the wall plates, and making my own interconnect cables. A new multimeter and soldering iron, and I was off to the races. Pretty simple stuff, but then I wanted to do something a little more complex. I had a couple ideas but wanted to see if other people had already done something similar. As with most projects, I consulted The Google, and that’s when I stumbled on the world of Arduino.
This little device keeps coming up on chat boards for all the projects I was looking at. I start doing my research I found the Arduino documentary which resulted in one of those “Oh, holy $#^!” moments. As long as I have been around software and participated in open source software projects, I had never considered the possibility of open source hardware. About 1/3 of the way into the documentary, they talk about physically creating objects from open source plans, using Arduino as the controller, and creating complex electronic control systems by assembling simple circuits other people have posted on the net. There are all sorts of how-tos on digital audio converters and, since Arduino offers the basic infrastructure to communicate with the computer through a USB port, it provides a common controller interface.
Technically I have been aware of Arduino for a couple years now, as I see them at DEFCON, but I never really thought about owning one. My impression was that it was a toy for instructional purposes. That assessment is way off the mark. I mean, screwdrivers and hammers are incredibly simple tools, but essential when working on your home improvement/car/whatever. This thing is a simple-to-use but very powerful tool for interfacing computers and other logic controllers with just about any electronic device. I am sure those of you who have been playing with these for a few years are saying “Well, duh!”, so I acknowledge I am late to the party. But if you are not aware of this little device, it’s a cool tool with hundreds of easy examples for learning about electronics.
So I just placed my order for a starter set, and am now looking for plans to build my own DAC for my iMac. I am hopeful it will sound better than the standard ones you can buy. Playing with malicious USB drives sounds interesting as well.
And don’t forget our Cloud Security Alliance training February 13th in San Francisco!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Mike Rothman: Firewalls are Evolving.
- Adrian’s DB2 Security Overview white paper.
- Nice mention by Schwartz Communications.
Favorite Securosis Posts
- Mike Rothman: The Greenfield Project. I know it’s lame to vote for yourself. But this is a great thought experiment.
- Rich: Microsoft, Oracle, or Other. Not really about security, but Adrian does a great job explaining the current database market drivers.
- Adrian Lane & David Mortman: Intel’s Red Herring.
Other Securosis Posts
- React Faster and Better: Organizing for Response.
- Register for Our Cloud Security Training Class at RSA.
- Incite 1/25/2011: The Real-Time Peanut Gallery.
- Rich at Macworld.
- Friday Summary: January 21, 2010.
Favorite Outside Posts
- Mike Rothman: He Who is Not Busy Being Born is Busy Dying. What Gunnar said. Yes, we do security, but we need to get smarter about the business. Period.
- Rich: The New School on the Ponemon data breach study. While Larry’s methodology has improved significantly, I think the cost-per-record-lost metric is one of the most misleading in our industry. There is no way it will accurately reflect your own losses with such wide variation between organizations.
- Adrian Lane: Russell eviscerates the Ponemon study.
- Pepper: Android Trojan details. Multiple very clever and very naughty bits combine to ‘hear’ and exfiltrate spoken or punched-in credit card data.
- David Mortman: Seven Dirty Words of Cloud Security.
Project Quant Posts
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics–Device Health.
- NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics–Deploy and Audit/Validate.
- NSO Quant: Manage Metrics–Process Change Request and Test/Approve.
Research Reports and Presentations
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
- Network Security Operations Quant Metrics Model.
- Network Security Operations Quant Report.
- Understanding and Selecting a DLP Solution.
Top News and Posts
- Apple Taps Former Navy Information Warrior David Rice for Global Director of Security.
- Five men arrested on a charge of launcing pro-WikiLeaks DDoS attacks.
- Facebook hack apparently an API bug. Accounts were not hijacked.
- Exclusive: Q&A with hacker “srblche srblchez”.
- Android Trojan Collects Credit Card Details.
- “White Space” tracking database. Not security news, but an interesting look at some of behind-the-scene details on reuse of TV spectrum and Google’s thirst for data.
- Opera Security Flaw Fixed.
- Goatse Security Site Hacked.
- DHS to End Color-Coded ‘Threat Level’ Advisories. I know many of you are crying in a corner, asking how you can conduct yourselves without the big colorful fear-o-meter.
- Hacked Zuckerberg Facebook Page.
- Leaked: US government strategy to prevent leaks.
Blog Comment of the Week
What a load of crap from Intel. I love the “it’s not signature based, it’s completely radical”. I’m not holding my breath – sounds like it’s going to be heuristic, which sounds a whole like the original AV stuff that Norton got from Dr. Tippet oh 20+ years ago now.