Monday, January 12, 2015

Obligatory 2015 Blog Post

Wow, so 2014 is over apparently. And that means a new blog post. Every year I like to sit back and think about significant events and take stock of where I am and where I would like to be in the not too distant future.

I found late in 2014 that I had read a few books that really grabbed my attention. I am not normally a big reader - at least of entire books. With my attention span matching Twitter more than the New York Times, unless it grabs me in the 1st chapter or so, I am not going to get very far. However, the two books below were addictive reads for me and likely will be for other people in IT/InfoSec. So I thought I would share my two cents on them in the hopes that if anyone reads this post they might be led to read either of these two future classics - IMHO.

Countdown to Zero Day by Kim Zetter

I am very glad this book did not come out before I had written my master's thesis on Stuxnet. If the book had come out I would have been hard pressed not to simply use this book as a primary source and all of her references as secondary. Kim Zetter hit it out of the park with this book. Her writing and ability to tell a complex true story, covering both the facts and unpacking some of the bigger issues that Stuxnet raised as far as that thing people call Cyberwar, made this a page turner for me. The amount of solid research she did for this book is clearly massive, including interviews with those who were doing the analysis and putting pieces together - the Symantec duo and Ralph Langner and his team, as well as VirusBlokAda, who appear to have found the first sample and begun to realize the complexity of the Stuxnet attack.

Spam Nation by Brian Krebs

Krebs is a celebrity/hero amongst InfoSec bloggers. A former IRL Washington Post journalist, he has been blogging on the underbelly of the Interwebz for a long time. He has been able to infiltrate forums and actually get acquainted with people who are involved in criminal activities using/abusing technology. The credit card black market for one, and the former kingpins of the spam world for two. His research and connections gave him enough material for an entire book devoted to the email scourge we call spam. In some ways it's a sad statement on modern life, how everyone has more or less accepted needing an email filter in 2014 the same way we need other defensive technologies such as firewalls/antivirus/etc. Sad to me in that from Krebs' point of view a significant amount of spam could have been stopped long ago if the right people/organizations got together sooner than they did. Suffice it to say the tales Krebs lays out in his book are fascinating, and the spam business is unlikely to go away. The fake pharmacy topic alone is enough to get you thinking and wondering about how the prescription drug problem is not going away soon, and why it is that the big drug companies seem unwilling to participate in significant efforts to stop people from buying versions of their drugs online - both legit versions that have the right active ingredient and others that do nothing and/or contain some scary ingredients no human being should ingest.

Well, that is all I have to say about the books above. I recently began Shane Harris' book @War and it looks to be a good read as well but until I get further into it I can't say much. If you want to know how/why the NSA got to where it did post-Snowden this one looks to have a lot of meaty goodness.

I wish all who end up reading this a wonderful year, no matter what year you read this ;)

Saturday, January 11, 2014

How did it get to be 2014 already?!?

My poor forgotten blog, ever since my ADHD met Twitter things just haven't been the same between me and this blog.

I hope and pray anyone who stumbles on this forsaken corner of blogger.com has a great 2014 (or whatever year it is when you read this).

In reflecting on 2013, it was a pretty decent year. I finally finished my master's degree - Master of Science in Information Assurance (MSIA) at Davenport University - in the spring. Overall I was pretty pleased with the program. I took the online route, and while I would have preferred to go to class and meet other people in person, the convenience of online is hard to beat if you have a job and/or family or are busy like most people are. My thesis was about Stuxnet and the ways that a utility organization can prevent a similar attack from occurring in their control system/SCADA environment. Stuxnet is a fascination of mine as I work for a municipal utility, and our control systems are the crown jewels of our IT infrastructure.

My new year's resolution is to restart banjo lessons and to continue to grow in my knowledge/application of InfoSec. I know the latter is too vague, but I don't feel like writing about specifics right now. I'd rather kick back and listen to the B side of Bruce Springsteen's Born to Run, as the A side just ended. Plus my kids are chilling and they actually asked for more tunes from my little vinyl vault. Like the Kids in the Hall used to say, "Life is a pretty sweet fruit."

Peace out,
Doug

Tuesday, January 22, 2013

(Belated) InfoSec Predictions for 2013

Now that we are more than halfway through January I feel obligated to make my predictions for what will happen in 2013. Are you ready to have your mind blown?

MORE OF THE SAME!

I know, it is not a pearl of wisdom but with 2013 already bringing us a vulnerability in IE 6, 7 & 8 plus... [wait for it] yet another scary bad Java vuln, the year is off to a helluva start.

And let us not leave out our favorite whipping boy(s)/girl(s) at Adobe - Reader and Flash remain among the best ways to pop a box with our pals at Oracle and their Java write once debug everywhere platform.

So there you have it from the security equivalent of the armchair quarterback.
As they used to say on Hill Street Blues, let's be careful out there.

Peace,
Doug

Sunday, January 20, 2013

Welcome to 2013!

Wow, my blog is so very neglected. With Twitter fitting my attention span better, it isn't likely to see many new posts this year either. And I think I am OK with that.

Happy belated new year to all who stumble on this lonely blog. I pray 2013 will be a better year for you and yours. My new year's resolution is to be grateful and appreciate at least one person and/or thing every day. There's a lot of good to be happy about in this life if we open our eyes and make an effort to be aware of it.

Sincerely,
Doug

DefCon 20 (My 1st pilgrimage)

The summer of 2012 was an eventful one for me - several camping trips with my better half, the kids and of course the dog. Two new babies in the family tree - congrats to my brother and sister! Add to all of that my 1st visit to the mother of all InfoSec cons - DefCon XX.

I was very excited when the planets aligned and I received work and home management approval to attend. I've been wanting to go for as long as I can remember, so this was a bucket list-worthy item in my book.

DefCon did not disappoint. Met many new people from across the US and around the world: Brazil, Germany, Romania, and more. I even made a new friend from Canada of all places (hi Carlo!) from working on the scavenger hunt with some friends from Grand Rapids.

I went to a handful of talks each day and wandered around taking in all the other happenings - the contests, gaming areas, the DefCon private cellular network van... The standout talks for me were General Keith Alexander, Mark Weatherford from DHS, Wesley McGrew, and Cutaway - the ones related to critical infrastructure protection, vulnerability research on SCADA HMIs & how breakable many current 'smart' meters are.

I hope to return next year if possible and perhaps take in both Black Hat + DefCon.

Wednesday, April 18, 2012

Notacon 9 - Cleveland FTW!

So after visiting fabulous Cleveland last weekend I was inspired to make a blog post after almost a year. Blogging is great but unless someone is making me do it regularly it doesn't happen as much as I'd like. That, and the fact that Twitter is way easier b/c it is short and sweet. I tweet now and then as @nibbelink so if you want to know what I am thinking maybe a handful of times per month send me a request.

Back to Notacon - where to begin? Froggy and friends put on a conference like no other - literally. It is a very cool mix of InfoSec, IT, hackers, geeks and people who are fun to meet/talk to and hang out with. Met a guy who has the same Yamaha QY10 sequencer/synth that I have. That almost NEVER happens. Seriously, who had one of these but me - let alone remembers (not so) fondly doing MIDI step programming to put together a basic drum rhythm and bass line?
http://en.wikipedia.org/wiki/Yamaha_QY10

And then there are the talks at Notacon. I am biased b/c I got to present with my friend EggDropX but still - there were fascinating talks on everything from open source music making via algorithms to how to help your kids be good Internet consumers. You aren't going to get that at most other conferences that I've been to. And if you are like me either work won't pay for BlackHat/DefCon or you cannot afford it out of pocket.

And so, let me close this brief shout out with some advice - you owe it to yourself to check out Notacon 10 in 2013, and you also need to go to GrrCON. It's what put GR on the InfoSec map. This is year 2 and it will blow your mind, and if it doesn't, there is free beer. Enough said.
www.notacon.org + www.grrcon.org = doubleplusgood

Friday, July 8, 2011

A Fresh Perspective

Biking in Iowa with my main man Ian
After returning from a nearly two week vacation I realized how important it is to take a break, get away, relax and recharge. While the first day back at work was a rather painful adjustment to the reality of work and not being able to do whatever I wanted for the day, on day two I realized that I had clarity on some things that had been rather fuzzy before vacation. It was like when the coffee kicks in on a morning after a good night of sleep and suddenly things make sense - only more so.

So my summer 2011 advice is: get out of the house, get out of town if you can, and spend time with people you love and who love you, be it friends or family. Or, if you are so inclined, get away for a few days alone. Do something fun, try something new, consider pursuing a hobby completely unrelated to your job. Leave the cell phone at home (or at the very least turn off the pulling of work emails). I found camping where there is no cell signal whatsoever helps if self control does not allow a completely off the grid getaway.