5/2009: Schneier and Ranum Face Off
Techtarget interviewed Bruce and me when we were at RSA. See it Here and another Here.
4/2009: How to Make Turkish Delight
I've loved the stuff ever since I was a kid and used to always load up on it at the Algerian food-sellers near B'd Saint Michel in Paris. It turns out to be insanely difficult to make well. But I unleashed the scientific method ("controlled trial and error") and figured it out. I share the method here.
3/2009: The Anatomy of Security Disasters
I wrote this paper nearly two years ago - before it was fashionable to blame executives for everything. In truth, however, management needs to (and deserves to!) take its share of blame for security disasters. (PDF) (Powerpoint slides from Source Boston 2009)
3/2009: Guarding Your Backsides, the Grognards!
I've reactivated the Rear Guard Security Podcast, for at least a couple episodes. Episode 4: Debunking "cyberwar". Episode 5: A Conversation with Dan Geer.
3/2009: How to Shoot Stock Photography
A short article on photo stock for Deviantart.com users; includes some hints and suggestions on studio lighting, gear, creativity, and a bunch of other random stuff.
12/2008: Stock Photography
One of my hobbies is shooting stock photography for artists to play with. It's a tremendous amount of fun! Francis Tsai - a very cool artist - said some cool stuff about my stock in an article in this month's ImagineFX. If you are an artist looking for my stock gallery, go here. If you're interested in my personal artwork, go here. If you've found your way to my site because you're interested in computer security, just pretend you never saw this.
I'm blogging periodically about security on Tenable's blog.
I Love The Command Line
Compared to a point and click interface, the command line is much faster and less likely to give you carpal tunnel syndrome. But I'm actually referring to the podcast! They interviewed me a couple weeks ago.
I Fall for The Hype
...it just took 4 years. After spending a lot of time enjoying great podcasts by some of my favorite people, I decided to try my hand at producing an intermittent podcast of opinion pieces on computer security. For reasons that should be obvious, I've named it The Rear Guard. I've got a whole slew of fantastic guests lined up and I hope to keep things real and interesting for a while.
The Ultimate Firewall Revisited
I used to brag that wire cutters were the ultimate firewall. But then it occurred to me that if people are going to use cute little "firewall" icons on their powerpoints, they should have one that looks more interesting.
Contrarian? No I'm NOT!
An article about physical security merging with network security says very kind things about me.
Interview with Marcus on IDC Website
This spring I am keynoting three conferences for IDC in Eastern Europe. Mark Yates from IDC did a phone interview with me.
The Vulnerability Disclosure Game: Are We More Secure?
For 15 years, the vulnerability pimps have been telling us that disclosure helps. Strangely, the state of software security hasn't improved much. But the guys playing the disclosure game have gone from being relative nobodies to - well, nobodies on CNN. Article I wrote for CSO Magazine.
My Web Site Defaced! Search-engine Stuffing Hack
Web site defacement is so... '90s, isn't it?? But sometime between when I uploaded my execution control article and this morning, someone added a bunch of hidden crap to my main index page. Apparently, this is some new trick to manipulate search engine rankings. Have I mentioned that I think hackers suck?
Execution Control: Antivirus bites the wax tadpole!
For years I have been railing about how stupid "default permit" execution architectures are, and how there are no decent tools that allow a Windows system administrator to build a system in "default deny." I tried Windows execution control, and one commercial product - but right now I'm getting great results from a tiny piece of freeware.
Old Dog: New Tricks
I got a chance to experiment with the state-of-the-art in source code security analysis tools, and ran it against my fifteen-year-old firewall toolkit (FWTK) code-base. Much to my horror, I discovered that my old code had a number of buffer overruns. I also ran the analysis tool against sendmail, Imapd, syslog-ng, BIND, and postfix.
Update: Readers are already taking exception to my use of the phrase "vulnerability pimps" in my article. It's amazing to me the kind of contortions of self-justification that some people will go to when you point out that what they are doing is harmful to others and that they should take responsibility for the consequences of their actions.
Point/Counterpoint: Is there "Strategic Software"?
From my point/counterpoint column with Bruce Schneier.
Marcus Interview with Gary McGraw on "The Silver Bullet"
Gary called me up and pestered me with questions! Available as an MP3 or podcast.
Hard Disk Encryption Revisited
I have no idea why I was lazy about setting up hard disk encryption on my laptop. After a bit of research and a relatively simple bit of data wrangling, I've protected my laptop's data. What took me so long? This stuff is really easy!
Two Great Articles
Richard Feynman and Chuck Spinney wrote the two best analytical papers I've ever read. We can look back at their impact and see that, in spite of clear, incisive, and brilliant explanations - their observations and advice remain unheeded.
An Utter Failure
Steve Bellovin forwarded me a link to an excellent article that asserts that computer security is an utter, sucking, fetid, smoking wreckage of intellectually bankrupt failure. Tell me something I didn't already know!
Songs of the Damned
A friend forwarded me a link to a corporate motivational song for one of the largest computer security companies in the industry. To say it's horrible is an understatement. This is the kind of thing they play in hell, because the satanic marketing department thinks it'll improve staff morale.
Engineering Discipline (MP3 - Audio Dinner speech, IANetsec Forum 2006)
This was an improvised dinner address, delivered without powerpoints and after a few too many bottles of beer. I must make an apology and correction to this talk - I mentioned James Buchanan Eads as the architect of the Golden Gate Bridge, which was wrong. I had Eads, who designed the Mississippi bridge, confused with Joseph Strauss, who designed the Golden Gate. The objective of this talk was to take the high ground with respect to treating computing as an engineering discipline, instead of the kettle of kludges that it has become. I realize it's very, very idealistic stuff.
Do-It Yourself Dealy
Conspiracy experts talk about how hard it would have been for Oswald to have made the crucial shot that killed Kennedy. Oh, Really?
Making a Satellite-Dish Gazebo
A silly weekend project gone horribly over the top.
Baby Food Bomb?
Can baby food, when mixed with an oxidizer, be made to explode?
The Six Dumbest Ideas in Computer Security (originally written for certifiedsecuritypro.com)
After years of reading about "this great new idea" or "that new cool technology" I finally realized that there are some anti-smart ideas that are so powerful that they can turn perfectly good ideas into dumb ideas. Read 'em and weep.
Enabling the Complaint Department
Junk email bugs the heck out of me. Back in the day, I used to complain by responding with a uuencoded copy of /unix. Obviously that didn't work. A company called Blue Security is enabling and facilitating email users' complaints - is it a denial of service attack? Or is it legitimate? Some thoughts on the topic.
What is "Deep Packet Inspection"?
The latest evolution of firewalls combines intrusion detection system (IDS) rules into the processing logic of a firewall. That's not a bad idea, but a lot of customers are much more impressed with these technologies than they should be. What do you get if you take a switch, put a "stateful" firewall rules engine and 31 IDS signatures in the same box? You get a Deep Packet Inspection firewall - that's what! Can you tell me what is so "deep" about knowing how to block 31 attacks? "Stateful" packet firewalls have always been pretty lame; this new generation takes the cake! I wrote this article for one of my consulting clients that was considering buying one of the new DPI devices.
Who Needs an Enemy When You Can Divide And Conquer Yourself?
I wrote this article as a frustrated rant while stuck in an airport departure lounge. It got published by COMDEX' LOOP online journal and USENIX ;Login:. Now all the open source advocates think I am an enemy of open source but, as George Jones said, "I was Country When Country Wasn't Cool". Anyone who knows my history can't call me an enemy of open source; I am an enemy of stupidity.
Inviting Cockroaches to The Feast
A lot of smart but short-sighted people are arguing that we should allow liability litigation for software defects. I think that it's a really dumb idea unless you're a cockroach, err - lawyer.
Stupid About Software
The computing industry is addicted to throwing good money after bad, and has created the most amazing self-justifying circular logic to continue doing so. Do you work for a company where some senior exec doesn't allow you to use freeware? Make sure you read this.
Have you ever sat through a stupid corporate "rah!rah!" event? I have. I think they're stupid.