Need no more – Gifts and Holidays

There comes a time when we realize there is too much stuff in our lives. I have been blessed to not need for anything beyond a smile and love. As many of my loved ones know, there is a strict “no gift” policy for me. If I need something in life, I go purchase it. My holiday memories are not bound to the boxes or cards opened, but rather by the love and warmth felt there. The long and short of it is that I feel that we should be refocusing our gift-giving. The commercialization of holidays and the abundance of crap we fill our lives with must stop. We simply have no need for more. What I am trying to say is that I would ask that no one send me cards or gifts for holidays. I appreciate the thought, but you can send it to me via email and have the same effect. It means so much to me that people (who didn’t find my birthday listed on Facebook) still knew it was happening and sent me a reminder for things. It just doesn’t need to happen. If you feel so compelled to do SOMETHING, then I would ask that you donate to the following charities instead of a card/gift. The charities take donations in any amount, so before you plunk down 5 bucks for card+postage, why not just donate online? ...

April 17, 2011 · 2 min · Nick

Color App and the future of GPS Spoofing

Google News is full of articles on the pros and cons of the new application, Color. Overall it is a pretty dumb application if you ask me, but it does show that the onslaught of “hyper local” social networks is coming soon. What started as a way to actually test the Color app showcased how much fun it would be to check in to places. Steps to GPS spoof: ...

March 26, 2011 · 1 min · Nick

Advice for new ISSO or ISSM

Someone in /r/netsec posted a question about what advice us old sages would have for a new ISSO. The below was my response, which I hope is useful to my readers in a two-fold way:

- ISSOs that are coming into the field
- Managers that are trying to hire or understand your staff

Without further ado…

- Whatever industry you are in, there are policies that dictate compliance. Learn them. PCI, DIACAP, NIST, FIPS, ICD, DCID, JAFAN, NISCAP, etc. Learn the policies NOT in your industry as background knowledge. It will help make you a better decision maker.
- Document everything. If it isn’t written down, it doesn’t count. Security practice without policy is fictional.
- Embrace your geek system admins. Find the weird guy with the binary clock and buy him lunch. Without the support of your admin staff you will die on the vine.
- Being an ISSO means that you are upward reporting, downward enforcement. Present well and be consistent with your message. You are no one’s friend and therefore must form alliances to ensure your success. Also, don’t dress like a hippie unless your company encourages that. Most days the ISSO is in a weird in-between place where you aren’t a suit and you aren’t a sysadmin.
- LEARN THE ARCHITECTURE. You will lose the respect of your teams as soon as you incorrectly state how SSH, PKI, IPSEC, or any other key security terminology works. If you are the ISSO of a group that does mostly web apps, you better know web services inside and out. Security guys must know it soup to nuts.
- Be humble, but be firm. You are the enforcer and dictator of all that is securing 1’s and 0’s for your teams. Accept that since you are new you will not know everything. Let people see that you are humble and willing to hear both sides before making a ruling.
- Get active in your local security groups. Hackers, B-Sides, cons and whatever else can serve as an excellent networking tool for you to see how your peers are practicing security.
- The fact you came to /r/netsec shows you are trying to learn. Keep learning. Subscribe to mailing lists and RSS feeds and block out portions of your day to read them. You are there to ensure someone’s ass or data doesn’t get stolen/chewed. As the ISSO you are expected to be ahead of the curve.
- Compliancy sure feels good, but without it actually enforcing good security it will only make you feel good. Let your company or group get hacked and see how much leeway you are given for an ATO or compliance checkbox.
- If you can’t recite port #s from memory or explain basic PKI, MFA, Defense in Depth, packet theory, or how different protocols work, then you need to move along. Study up quick or write your resignation and hand it over. Security has no time for people who lack basic knowledge. Eventually it will catch up with you.

Good luck and welcome to the community!

January 26, 2011 · 3 min · Nick

BitlBee and OTR … then add some TOR!

With the release of 3.0.1 of BitlBee you can now chat from your favorite IRC client with the peace of mind that you’re protected. Since the OTR portion is still very new I wanted to put together a quick how-to. I am going to assume you are running Debian Lenny (sid has 3.0.1 in the packages already) and that you really are a security nut:

Download the source from http://get.bitlbee.org/src/bitlbee-3.0.1.tar.gz, then:

sudo apt-get install libotr2-dev libotr2-bin
./configure --prefix=/usr --otr=1
make
make install
make install-etc

Done! Now once you start bitlbee (/etc/init.d/bitlbee start) for the first time it will generate your OTR keys. I am going to assume that you are going to use the Question and Answer verification for OTR keys. With our other secure buddy we do the following: ...

January 2, 2011 · 2 min · Nick

Geeks, Charity, and the impact of Reddit

When Digg migrated to Microsoft for advertising a few years ago, I took a personal stand and left. I was desperate to find a home on the internet again and came across reddit.com. The site spoke to me! Clean, unobtrusive, geeky, and best of all…open source. In 2007 there weren’t as many of us around, and while the community was great it pales in comparison to 2010. The diggv4 snafu has increased the community’s size and the old-timers made sure to welcome them. Posts were created outlining the type of culture fostered here rather than that from which they were coming. To all who joined this year…thank you…the threads below epitomize your willingness to join us in being Good Geeks. We often get a bad rap, but for the most part we are a cheerful crowd. Here is some proof from 2010, but this isn’t even close to being the full list. Feel free to leave me comments here or on the intertubes where you found this: ...

December 25, 2010 · 5 min · Nick