Archive for the ‘General’ Category

Happy New Year 2013

We did it. We beat the Mayans. Welcome to 2013.

Read less, do more. That is my New Year’s Resolution. It might sound cynical or uninformed. After all, a good book can tell you a good deal about anything. Moreover, I have been and continue to be a proponent of continued learning. And yet I think it is time to put down the books and get to work.

There are many reasons.

The first reason is the wide gulf between reading about a thing and doing a thing. That first dawned on me while shivering in the mountains, wearing wet clothes and lacking sufficient food. Hey, I read about hiking! Why is this so hard? A more recent example was an OWASP hacker challenge that I completed on cross-site scripting. I read about cross-site-scripting. I know this. It took me three hours. I mentioned it to the founder of OWASP Detroit who, after much prodding, revealed how long it took him. Five minutes. The difference between doing and reading is wide and deep.

The second reason is found in the old saying: writers write. They don’t read books about writing. They don’t attend workshops about writing. They don’t talk about writing. You can readily identify a group of people in writing or any field who are procrastinating by reading, talking, planning, preparing. But not doing. Writers write. Coders code. Security professionals secure.

I have therefore queued up some exciting projects for this year. (Read that Wolfgang exciting, not normal exciting, which is an entirely different form of excitement.)

Professionally, my team and I are architecting and purchasing equipment for our third generation of private cloud computing. We are also revamping our business intelligence platform and adding self-service features.

Personally, I have two development projects in the queue. I released #incog last year for covert channels and steganography. This year, I will release an update adding new channels and a PowerShell interface. I am also working on a hacker capture-the-flag toolset called Botori. I plan to release Botori mid-year along with several example CTF challenges.

Collaboratively, I have been invited to work on the PoshSec project. PoshSec is a PowerShell Information Security project started by Will Steele, who sadly passed away this past Christmas from terminal cancer. The project lead is Matt Johnson, and other members of the team include Rich Cassara. I look forward to working with these sharp people and contributing to Will Steele’s legacy.

As I said, I will be doing more in 2013. There is lots to do and little time. But before wrapping up this article, let’s take a look back.

 

2012: A Year in Review

  • This blog celebrated its tenth anniversary. The website saw its highest readership to date: 35,361 unique visitors and 46,853 page views in 2012.
  • I did two case studies: a Microsoft case study on my firm’s second generation private cloud, and another case study on our new reporting SaaS.
  • I was mentioned in the press a few times on topics like cloud computing, risk management, and DevOps.
  • I spoke at a few different conferences and user groups on topics like — you guessed it! — cloud computing, risk management, and DevOps. I also did a handful of talks on covert channels and steganography.
  • I volunteered for BSides Detroit and collaborated on everything from sponsors to speakers, as well as recording a 23-episode podcast series for the conference.
  • I was recognized with an InfoWorld 2012 Technology Leadership Award for my firm’s private cloud and DevOps initiatives.
  • And I read a lot of books.

Done. Now, onward!

Happy New Year 2012

Welcome to 2012, and welcome back to my blog. Has the world ended yet? No? Still with us? Yes? Good.

Fifteen years ago, I was building high quality IT systems. Ten years ago, I was building high quality IT platforms. During the past five years, I have been building high quality IT teams.

This blog has evolved over the years along with my role in IT. My original focus in 2002 was on technical tips for Citrix, thin computing, and overall IT security. This shifted into business continuity and risk management in 2007. I focused on network architecture as a path for network security in 2009. Most recently, I have been writing about the management side of the equation.

In 2012, I will dig deeper into team work and team management. How do group dynamics play out in the technology field? What can we do, as a team, to deliver IT solutions with a high degree of quality and security?

I will also be doing more collaboration and group projects. This means more involvement with the #MiSec security group, working with the SE Michigan community to put on the BSides Detroit conference, doing a weekly BSides chat on the Rats and Rogues podcast, and presenting in West Michigan at GrrCon. Further, you can expect a new release of the SimWitty security tool.

Good things are in motion for 2012. Please keep your hands and feet inside at all times, and enjoy the ride.

Six notebooks, three controls, and a third of a presentation

Protecting the organization’s ability to execute on its mission: this should be the driver for security controls. At the same time I was giving that message, a series of events reinforced the need for focus.

Here is the tale. The back story of my GrrCon talk. It is a tale of six notebooks. It is a tale of six security pros. And it is a tale of security being out of sync with mission.

Notebook one. My help desk provided me with a travel notebook, which I loaded up with my slide deck. I also made a copy on USB flash drive just in case. At the last minute, I decided to leave the notebook at the hotel room. After all, I thought, this was a hacker con. Did I want to expose the notebook to that risk? No, I decided, and opted for a little physical security.

Notebook two. Notebook two turned out to not be a notebook at all. See, the conferences that I have spoken at provided a notebook loaded with slides at the podium. I arrived early, checked the room, tried the mic and the notebook. Looked good, I thought. I later learned that the con had not provided notebooks. Why? “Um, Wolf, this is a hacker con.” Right. Physical security.

Notebook three. Turns out that what I thought was a con-provided notebook actually belonged to the speaker before me. She packed up, and I realized the mistake. Too late to return to the hotel now. I was on deck.

Notebook four. Infosec_Rogue and the #misec crew came to my rescue. Infosec_Rogue could not read my USB drive, of course, because his OS was locked down. (Good method of avoiding USB malware, btw. I lock USB down on all my Windows 7/2008 computers.) So we passed to the next notebook. OS security.

By this point, I had started in on my presentation. I apologize for not catching the names of the other folks that pitched in.

Notebook five. The fellow could read and copy my slides. Being a reasonably paranoid security guy, however, his Open Office was locked down. We have the slides! But we cannot show the slides. App security.

Notebook six. Copying the files from notebook five to a USB drive that could be read on notebook six, we were able to get the slides onto a computer with Office 2007. Bingo. We are in business. About a third of the way into my deck, my slides caught up with me. Score!

It was a funny but powerful reminder. The control environment: physical security; OS security by means of driver lock-down; application security by means of locking down Open Office. The impact to the mission: I gave a third of my talk with no slides. This was a talk on gearing security controls to the organization’s mission. Hmm, irony, much?

When I get back to the office, I am taking a hard look for security controls that get in the way of people getting their work done.

Cheers,

Wolfgang
Once again, thank you to the #misec crew for helping me out. You guys rock.

A business IT enabler

The term “business enabler” gets thrown about in IT from time to time. We in IT see ourselves as partnering with people in other business units to enable new functionality, to solve problems, to speed up delivery, and so on. That is the upside. The downside is the increased support costs to maintain the solutions we create.

Now other people have different ideas of what an enabler is. An article on substance abuse this week had me thinking of other definitions of “enabler”. Are we enabling the business to overspend on IT? Let’s make a light hearted comparison between IT and the article.

 

Article: “Provide money that may be helping fund their substance abuse?”
IT manager: “Build a business case that may be helping fund their IT use?”

Article: “Allow the addict to come back and live with you even though he isn’t complying with addiction treatment?”
IT manager: “Allow the business unit to come back and run new IT services even though he isn’t complying with policy?”

Article: “Provide transportation to places where he may be engaging in substance abuse?”
IT manager: “Help get the organization to fly the employee to conferences where vendors will encourage him to engage in IT use?”

Article: “Continue to help with legal troubles related to the addiction?”
IT manager: “Continue to help with legal troubles related to IT?”

Article: “Keep quiet when the person is disruptive or abusive?”
IT manager: “Keep quiet when the person is disruptive or abusive?”

iPad for the office

It has been a bit over a year since I tossed paper and went with the iPad. I now use my iPad with stylus at all meetings and brainstorming sessions. I also regularly use it to check a project status and read documentation (with Safari and SharePoint), and occasionally to unwind with a movie. Below are the apps that I use and recommend.

 

Productivity:

  • WritePad // Natural handwriting notes with Boxwave stylus. I spend about 70% of my iPad use in this app.
  • Adobe Ideas // Whiteboarding ideas. I spend about 15% of my iPad use in here.
  • SharePlus // Requires SharePoint, but a great way to get documents onto the iPad securely. 10% of my iPad use.
  • OmniGraffle // Flowcharting app
  • iThoughts HD // Mindmaps app
  • All Purpose Calculator // Handy because it keeps a running tally of your operations.
  • Dropbox // A great way to get documents onto the iPad if you do not care about security.
  • Logmein // Remote control of computers, requires a LogMeIn account.
  • WinAdmin // Windows RDP client that supports multiple connections
  • TouchTerm SSH // Linux/Unix terminal over SSH

Reading:

Relaxation:

Others that people have recommended to me:

  • Evernote // Popular with my team, but I like WritePad better
  • Instapaper // Popular with the Lifehacker set, but I like Viigo on my BlackBerry

Egypt’s Mubarak fined for Internet cut-off

Interesting.

In February, President Hosni Mubarak disconnected the Egyptian people from the wider Internet at the peak of the protests.

In March, Libyan leader Muammar Gaddafi followed suit. Libya, too, went dark on the ‘net.

Both Egypt and Libya came back online. But lest we think this is third-world government thinking, note the US Congress was debating the “Internet kill switch” bill during this time.

Hopefully clearer heads will prevail. That seems to be the case in Egypt, anyways, as today news broke that the government is fining Mubarak for the Internet cut.

Crime and criminals (sans cyber)

A criminal is a criminal regardless of the means of the crime. That is something that I have grumbled about in the past. When the term hacker is used in place of criminal, or when cybercrime is used as a unique category, the message becomes murky. For example, a hackerspace becomes confused with a den of thieves. Other silly mistakes can be made, such as thinking something that is a crime is simply a cyber nuisance.

It is nice to see that others are removing this unnecessary distinction.

http://www.circleid.com/posts/kidnapping_theft_and_rape_are_not_cyber_crimes/

A criminal is a criminal. A crime is a crime. If it is on a computer or on the freeway, on the Internet or in a back alley, breaking the law makes you a criminal. Calling a criminal a hacker is a misnomer. Labeling a crime a cybercrime is a distinction without a difference.

Happy New Year and how I spent Y2K

Happy New Year! Thank you for bringing in the new decade with me.

Ten years ago, we thought, just maybe, this Y2K thing would cause widespread computer system breakdowns.

I was with an IT consulting firm and was working on New Year’s Eve. (What!? It was a Friday. Cut me some slack.) I had my young son with me at the office. We had hooked up analog call forwarding to send incoming calls to the vice president’s house, and we had armed him with a stack of paper work-orders and an analog fax machine. The idea being, should pandemonium ensue, people would call firms such as ours. The VP would get a signed agreement and send in the techs. I was on-call for second level support.

Before I left, I shut down the network and PBX and disconnected power. You never can be too safe, right? After all, who knew how bad it would get. (Actually, we were doing much of this in a tongue-in-cheek fashion.)

My son and I drove home early. We picked up my wife, then very pregnant, and went to see a movie. It might have been Pokemon. It might have been Wild Wild West. None of us can quite remember and agree which movie it was now. Anyways, we were in the Krafft 8 movie theater standing in line when the first call came in.

I answered my trusty Nextel, fearing the worst. It was not even close to midnight but you never know. What had happened?

On the line was Thailand. My good friend had called to wish me a happy new year. Life was still going, he assured me, with no disruptions in Tokyo or Bangkok. We had a good laugh and chat.

My family enjoyed the movie. Then we dropped my son off at his grandmother’s. They had their party, and my wife and I had ours. The night passed quietly. Then the weekend passed quietly. Then my daughter was born and I forgot all about Y2K.

And before I knew it, it was 2010. Somewhere along the way, we hooked back up the firm’s computer and telephony equipment. Other bugs came and went. But Y2K, for me, was the dog that did not bark.

Food for Thought: Brain Train Smoothie

Since the work of a technologist is primarily mental, I am always on the look-out for ways to boost mental capacity. One way is through food. Below is my recipe for a “brain train” smoothie. The drink provides a number of nutrients recognized for improving memory and cognition.

The smoothie weighs in around 500 calories. It equates to two servings of fruit and a half serving of vegetables. Consuming two smoothies daily fulfills the FDA recommended allotment of fruit and veggies.

Feedback is welcome, drop me an email. The drink is very much a work in progress.

 

Ingredients

1/2 cup or about 12 frozen dark sweet cherries (1/3 frozen package)
2/3 cup frozen blueberries (1/4 frozen package)
1/2 cup frozen chopped spinach (1/2 frozen package)
2 cups low-fat yogurt (1/2 large container)
1 raw egg
2 heaping teaspoons Soy protein powder
1 heaping teaspoon cinnamon
4 shots espresso, or 4 oz strong coffee, chilled

 

Directions

1. Make shots of espresso and chill it.
2. Use the food processor to thoroughly chop the cherries, blueberries, spinach, soy protein, and cinnamon.
3. Use the food processor to mix in the yogurt and egg.
4. Use the food processor to whip in the espresso.

 

Additional information

Complete nutritional information is available in an Excel spreadsheet.

http://www.jwgoerlich.us/papers/jwg-brain-train-smoothie.xlsx

 

Blueberries

“University of Reading have shown that eating blueberries may ‘increase powers of concentration by as much as 20 per cent over the day.’”

http://www.telegraph.co.uk/health/healthnews/6168870/Blueberry-is-food-for-thought.html 

Caffeine and coffee for boosting focus, energy, and possibly growing neurons.

 

Smith, A. (2002), Effects of caffeine on human behavior, Food And Chemical Toxicology
http://www.ncbi.nlm.nih.gov/pubmed/12204388

Borota, D., and Murray, E. (2014) Post-study caffeine administration enhances memory consolidation in humans
http://www.nature.com/neuro/journal/vaop/ncurrent/full/nn.3623.html

Korkotian, E., and Segal, M. (1999), Release of calcium from stores alters the morphology of dendritic spines in cultured hippocampal neurons, Proceedings of the National Academy of Sciences
http://www.ncbi.nlm.nih.gov/pubmed/10518577

Caffeine clue to better memory
http://news.bbc.co.uk/2/hi/science/nature/472473.stm

Cinnamon extends the effects of the smoothie by leveling out the blood sugar.

Spoonful of cinnamon helps blood sugar stay down
http://www.reuters.com/article/healthNews/idUSCOL07026020070620
Hlebowicz, J. (2007), American Journal of Clinical Nutrition

 

Choline

The smoothie provides choline from yogurt, spinach, and soy protein. “A new research study done at MIT suggests that a combination of choline, omega-3 fatty acids with the uridine improved memory and learning in gerbils, and may have benefits for Alzheimer patients.”

http://www.fasebj.org/cgi/content/abstract/22/11/3938
http://www.cholinebaby.com/cbblog/2008/07/choline-omega-3-and-uridine-bo.html

 

Excerpted from Alzheimer’s Disease, Cognitive Decline and Nutrition Newsletter

Egyptian Radio in the 1930s and Cybersecurity

Here is an interesting article that dovetails 1930s radio legislation with the Obama administration’s Cyberspace Policy Review:

“Seventy-five years ago today, on May 29th, 1934, Egyptian private radio stations fell silent, as the government shut them down in favor of a state monopoly on broadcast communication. Egyptian radio ‘hackers’ (as we would style them today) had, over the course of about fifteen years, developed a burgeoning network of unofficial radio stations. They offered listeners an unfiltered, continuous mix of news, gossip, and live entertainment from low-powered transmitters located in private houses and businesses throughout Cairo.”

Read more of How a Resilient Society Defends Cyberspace.