Blog-ified Tweetstorm

I dumped this on Twitter as a tweetstorm, but it is worth sharing here in one place. Those who have followed me for a while have probably noticed that I rarely get technical here anymore. My world and world view have changed. I still play with stuff, but it tends to be specific to the nice folks who pay me, or esoteric stuff for personal use. Or for @SecurityBSides networks and labs. I believe that right now I can do more good by supporting our communities and the people in them (that means YOU) than by focusing on technology myself. The past few years have not been fun for me. My wife had a 2.5 year battle with cancer which ended a year ago this Friday. I've spent the past year discovering what it means to be without her after 40 years together. (Also, this "being single" thing is bizarre, now I get what you kids have been complaining about- but that's a story for another day, or a stand-up comedy set) Thank you all for all of your words and acts of kindness, large and small. It has meant a great deal...

Doing it wrong, or “us and them”

I was arguing with the wiring in a little RV over the weekend and it was the typical RV mix of automotive wiring, household wiring, and What The Expletive wiring. I fell back to my auto mechanic days and set about chasing the demons through the wires. Basic diagnostics: separate, isolate, test, reconnect, retest, repeat, until a path becomes clear. In this quest I used an old trick of mine (although I assume many others have used it) in using crimp connectors the “wrong” way. This made me think of being called out for it many years ago, “you’re doing it wrong you idiot!” or something like that. I tried to explain that I was just using the common butt connectors in a different way for a different situation, but he wouldn’t hear of it. “That’s not how you use them” was the answer. This was long before my computer and hacker days, but the mindset is there in many car guys. “You’re not supposed to do that” is a warning to most, but an invitation to many of us. I hate to say we can’t teach that, but with a lot of folks you either...

I thought everyone knew this by now

But apparently not. I just saw some “Security Awareness Training” that gave the bad old advice of “look for the padlock” in your web browser. Here’s my answer to that: In a world where most of us face a constant threat from phishing we need to better educate folks, and we need to make it easier to be secure. And since the latter isn’t that easy, we need to teach better. Also, “don’t click stuff” really defeats the point of the web, so while I understand the sentiment, it is not practical advice. The padlock can mean a variety of things, but what it really signifies is that your web traffic is encrypted. It does not mean that all of the traffic on the page is encrypted, or that it is encrypted well. It also doesn’t assure you that the traffic isn’t being decrypted, inspected, and re-encrypted. Or maybe it isn’t encrypted at all and someone just used a padlock as a favicon on the website (this varies somewhat by web browser). The padlock doesn’t prove the identity of the site owner unless it is an...

Where’s Jack?

As I mentioned in a post earlier this year I am traveling extensively this year, connecting and reconnecting with a lot of people. And thanks to a lot of wonderful people inside and out of the hacker and security communities I am doing very well after a rough few months. So, it’s time to share my plans and encourage folks to come and chat with me if our paths cross. I know I have a reputation of being a cranky old bastard, one which is well deserved, but I’m really not a miserable person- truly, seek me out and tell me stories, ask questions, whatever. If I can help you I will, or maybe I’ll point you to someone who can help if I can’t. I meant what I said in my recent post about the loss of Becky Bace and others, they set an example for those of us who knew them and I’m not about to let InfoMom down. So, here’s my schedule as it looks from here: Tomorrow, Friday March 24 I’ll be speaking at BSidesOK in Tulsa. Yeah, short notice, but there it is. I’ll be speaking at the North Florida ISSA...

On loss and responsibility

We have lost more great figures in our world of InfoSec, and we are diminished by their loss. Spaf has written eloquently on the passing of Kevin Ziese, Howard Schmidt, and Becky Bace. I never met Kevin, and I only met Howard a couple of times, but I know of them and their impact on our industry and people in our field. Becky had become a friend over the past several years, and her loss has hit me hard. Becky has a long and storied history in InfoSec and cybersecurity (and damn, could she tell great stories). Becky was instrumental in nurturing the fledgling fields of network analysis and IDS when she was at NSA, but more importantly than her technical work she was a great friend and mentor to so many in our field that it is hard to overstate how many people she touched in her life and career. For a glimpse into what Becky was like, check out Avi’s very personal and touching remembrance of meeting Becky. Once again, we take time to remember lost friends. While natural to mourn their passing we...

A few words about ovarian cancer

Cancer sucks. The number of people who are touched by cancer is terrifying, it is rare to find someone who hasn’t had friends or family attacked by cancer if they’ve avoided it themselves. Sometimes, as with my bladder cancer, it’s not that bad- for me I get a rather uncomfortable exam regularly, and sometimes get a small tumor or two removed, no big deal. That makes me lucky, few who face cancer get to shrug it off as a mere annoyance. Since I’ve recently learned a lot more about ovarian cancer than I ever expected to know, I’d like to share a few things with everyone. Remember, I’m not a medical professional, these are my observations and ideas formed over the two and a half years of my late wife’s struggle with clear cell ovarian cancer. First, routine tests and doctor visits are unlikely to detect it early. Second, it’s insidious- many women develop ovarian cancer around the time of menopause, and many of the symptoms of the cancer are also expected conditions that accompany menopause. There is a blood test which looks for a marker, CA 125, which may help detect ovarian cancer but...

“Thank you” is not enough

A few weeks ago I made a very personal, and very public announcement- that I had lost my wife to cancer a few days before Christmas. I debated how to share the news, especially since we had largely kept it quiet- she was as private a person as I am public. I decided to share the news on Twitter and Facebook, and the response was overwhelming. Literally overwhelming. The outpouring of love and support I received was humbling and deeply moving. It made me want to be a better person (although a dear friend cautioned me against making any rash decisions). The words “thank you” are not enough, especially tossed out here on my neglected blog, but it is a start. Thank you- to friends old and new, acquaintances, and complete strangers. I am truly humbled by your support. For those who had not heard the news or our story, my wife and I met when she was 14 and I was 15, we started dating a few months later and never stopped. Below is a photo of us from 1976 (and yes, it is one of the last known photos of me without...

Wrong About Presentations

But first- this series is a bit off-the-cuff and lacking in polish, but I’ve been meaning to do it for ages and if I wait, well, this blog continues to look abandoned.  So please forgive the rambling and read on. Today let’s start talking about presentations. I have heard and read that they are all too long, except the ones that are too short.  That talks are simultaneously too technical and too high-level.  Oh, and all panels suck.  Ted-style talks are the best, except that they are hollow, empty, and don’t work for highly technical content.  And you should never let vendors speak because we’re all just sales weasels, except for the events where only “sponsors” get to speak. Let me once again venture into crazy talk: it really depends on who you are and what you want.  I don’t like vendor sales pitches, but apparently some folks find them a good use of their time.  I’d rather avoid those kinds of talks, but that’s me (and probably you, too, but whatever).  If sales presentations are a good use of your time, that’s OK with me.  I do hope you do some homework before whipping out...

Relevant to my rants

Before I resume my rambling on conferences and presentations, here’s a great article I came across via Tales of the Cocktail, a site you would expect me to link to from my, ahem, travel blog. This article is specifically about submitting a cocktail seminar to Tales of the Cocktail, but several points in the list of seventeen items apply to a wide variety of events, regardless of topic or venue. Also, it has been said many times by many people and in many ways- one of the best tips for getting your proposal accepted at any event is to follow the rules. Really, read the rules/guidelines for submission, and follow them.  Also, submit early.  Most event reviewers are volunteers and do it in their spare time, something which gets scarce when the deadline approaches.  Submit early and you’re more likely to get non-bloodshot eyes looking at your paper.   Jack