divisionbyzero

question . authority

Updates, Recent Downtime

If you’ve noticed (probably not), recently the server has been unreachable. A few weeks back this was due to a bad hard drive. I finally transferred everything over to the new hard drive and got the sites back up and running thanks to a few friends and The Planet.

Then this weekend, the data center that hosts this server exploded. The site is back up and running now, but there should be a few more hours of downtime on the horizon as they install and integrate a permanent electrical infrastructure to the data center.

Also, I’ve been selected to speak at the Linux World Expo in San Francisco this year! My talk is “Network Introspection with Open Source Tools.” If you’re going, please stop by and heckle me!

I may start updating this blog at some point.

Proxy Evasion with SSH

In our first installment, we looked at some solutions to provide a hospitable environment for proxy evasion. Today, we’ll dig deep into how to do this with my favorite protocol of all time, SSH.

OpenSSH is a glorious implementation of a critical network protocol. Most networks have disabled and banned the use of telnet, rsh, and ftp in favor of the more “secure” SSH protocol. OpenSSH runs on every platform I’ve encountered (using Cygwin on Windows). SSH provides an encrypted channel for data transfer. Usually that’s keyboard-interactive sessions or files (using SCP); however, SSH is capable of setting up multiple channels and acting as a SOCKS4 or SOCKS5 proxy.


Is ‘Security Theatre’ Good Enough?

The American Populace is being inconvenienced, spied on, stripped of Constitutional Rights, and taxed without any idea where that money is going. The perpetrator is not some foreign, militant, activist group; it’s our own Government. There’s no outcry. All of these treacheries are being committed to increase security while the fact remains that all of these drastic measures have failed miserably. The one constant is the relentless pursuit and protection of these programs by our elected officials. They should be the voice of the populace, and perhaps they are. Perhaps, ‘Security Theatre’ is good enough for the masses.


Full Disk Encryption

As you may or may not know, I am gainfully employed by the Federal Government in the area of Information Security. Recently the Bush Administration responded to media hype to issue a Federal Mandate requiring all government-owned laptops to use encryption technologies to encrypt their data.

There are two interpretations of this memo.

  • Encrypt the ENTIRE disk.
  • Encrypt just the files containing the data.

So, what’s a lowly security administrator to do?! Choices are bad! Obviously you encrypt the entire disk! Right?! No? Why not?

Airport Security

Bruce Schneier always has spot-on posts. Here’s his editorial on last week’s terror plots.

It’s really that simple. Stop being terrorized. Stop being scared to live. Stop taking life so seriously, you’re never gonna make it out alive. We don’t need billions of dollars of security screening software/hardware. Anyone with a week of spare time will be able to circumvent it anyways. This security is just a show, and I’m not entertained in the slightest.

I’m not flying again until these ridiculous regulations stop. We know we’re accepting a risk getting onto a plane. We’re 30,000 feet in the air, and if something mechanical fails, that’s a LONG way down. You’re accepting even more of a risk when you get in your car to go to work. You’re a billion times more likely to die in a car accident than a terror attack. So why aren’t we campaigning against ridiculous bullshit by insurance companies and state legislations that waste your tax dollars to make them money instead of fixing problems with automobile safety?

It doesn’t sell papers.

Update: It now appears that some people with some experience in Chemistry have questioned the plausibility of the terrorist plot.
Update 2: More information about the acquisition of the information that led to the arrests and widespread media terrorism.

Eating your own dog food

In most of the organizations I’ve been a part of, the IT staff usually has exemptions from IT policies, if not significantly escalated privileges. This distances them from their users. I also happen to know and test MANY different ways to circumvent the policies and controls in place on the network. You can’t push policies and haphazardly grant exceptions to those policies to the group in charge of making them.


Trust.

As a programmer, I’ve had the concept of “DON’T EVER TRUST YOUR USERS” beaten into my head. For programmers, this concept is incredibly important. Users almost always exceed your expectations for creativity with your new application. By planning for unexpected input and properly cleaning all variables, you can theoretically account for abuses of your system by malicious users and provide a graceful failure for users attempting to enter bogus data.

This concept is key to PROGRAMMING. What I find astounding is that a large majority of corporations are adopting this practice for ALL IT-related issues, and it’s even saturating into HR and other areas of employment. Working as a Security Administrator, I’m surprised that most employers have decided to not trust their employees. If you can’t trust them, then why would you hire them?
