[SecurityRatty] tag: youth

Support Web Wise Kids if you can.

Tue, 25 Nov 2008 12:16:07 +0000

This is a great non profit organization that has a great record for helping kids recognize the dangers of being online.

Web Wise Kids Creates New National Teen Advisory Board

Web Wise Kids has announced the creation of a National Teen Advisory Board. The board will consist of student representatives from middle and high schools or local communities in 10 states initially. The mission of the National Teen Advisory Board is to assist the non-profit Web Wise Kids in empowering today’s youth to make wise choices online.

Game on!

Tue, 04 Nov 2008 21:00:00 +0000

In my last blog, we looked at increasing complexity on the part of both the “good” guys who are building legitimate businesses and on the part of the “bad guys” who are building a “dark network” of sorts that is remarkably like the first. Today, I’d like to dig into that and look at a system for explaining this; and I thought I’d use the phrase we used playing street hockey in my youth in Canada when the cars cleared the road, and the game got serious again: game on!...

Microsoft combats cybercrime in Nigeria

Tue, 21 Oct 2008 20:00:00 +0000

Paradigm Initiative Nigeria (PIN) and Microsoft have partnered to educate the country's youth on cybercrime and to provide opportunities for them to use their computer skills positively.

Gonzo: Two Thumbs In and Up

Thu, 17 Jul 2008 06:10:12 +0000

Just saw the Hunter S. Thompson movie - Gonzo, and if you are a fan you should to. Lots of good stuff in there, the film links various part of his life and career, and gives a pretty unvarnished view of the high highs and the low lows. Weaves in writing, politics, and fame seamlessly. I have never really had as much fun as early on in my career in the early-mid 90s I was a web programmer in Aspen, hacking CGI/PERL. Among the most fun things was building and running HST's site. My boss, Ed, was his neighbor. Ed was also seriously allergic to bees. One day he was alone in his house and got stung. He was dying. Luckily Hunter was due over to his house to watch a basketball game, walked in and called 911. My boss woke up in the ambulance with Hunter pounding on him chest and screaming at him. Ed said - "Waking up to that face screaming at me, I didn't know if I was alive or dead." Seeing the movie it was also great to see a lot of the Woody Creek folks again like George Stranahan, who lovingly said about Hunter - "my friend and neighbor who never paid his rent, broke up my marriage and taught my children to smoke dope. " Of course, there was no way he could match his early productivity and this is true of almost all artists. Most of the last two decades were wasted from a writing standpoint. However his piece written on 9/11 is as good as its gets:

The towers are gone now, reduced to bloody rubble, along with all hopes for Peace in Our Time, in the United States or any other country. Make no mistake about it: We are At War now -- with somebody -- and we will stay At War with that mysterious Enemy for the rest of our lives.

It will be a Religious War, a sort of Christian Jihad, fueled by religious hatred and led by merciless fanatics on both sides. It will be guerilla warfare on a global scale, with no front lines and no identifiable enemy. Osama bin Laden may be a primitive "figurehead" -- or even dead, for all we know -- but whoever put those All-American jet planes loaded with All-American fuel into the Twin Towers and the Pentagon did it with chilling precision and accuracy. The second one was a dead-on bullseye. Straight into the middle of the skyscraper.

Nothing -- even George Bush's $350 billion "Star Wars" missile defense system -- could have prevented Tuesday's attack, and it cost next to nothing to pull off. Fewer than 20 unarmed Suicide soldiers from some apparently primitive country somewhere on the other side of the world took out the World Trade Center and half the Pentagon with three quick and costless strikes on one day. The efficiency of it was terrifying.

We are going to punish somebody for this attack, but just who or what will be blown to smithereens for it is hard to say. Maybe Afghanistan, maybe Pakistan or Iraq, or possibly all three at once. Who knows? Not even the Generals in what remains of the Pentagon or the New York papers calling for WAR seem to know who did it or where to look for them.

This is going to be a very expensive war, and Victory is not guaranteed -- for anyone, and certainly not for anyone as baffled as George W. Bush. All he knows is that his father started the war a long time ago, and that he, the goofy child-President, has been chosen by Fate and the global Oil industry to finish it Now. He will declare a National Security Emergency and clamp down Hard on Everybody, no matter where they live or why. If the guilty won't hold up their hands and confess, he and the Generals will ferret them out by force.

Good luck. He is in for a profoundly difficult job -- armed as he is with no credible Military Intelligence, no witnesses and only the ghost of Bin Laden to blame for the tragedy.

One unintended lesson I take away from Hunter's life is how important patience is. Obama is a politician and may yet disappoint us all, but I gotta believe Hunter would be seriously impressed. If he had waited another couple of years, he may have seen a lot of the stuff he fought for in 1968 and 72 come to fruition. Sometimes you are just 36-40 years ahead of your time and you have to be ok with that and figure out how to deal if possible. (Note - it sure sometimes feels this way in software security). Speaking of security:

Security

by Hunter S. Thompson (1955).

Security ... what does this word mean in relation to life as we know it today? For the most part, it means safety and freedom from worry. It is said to be the end that all men strive for; but is security a utopian goal or is it another word for rut?

Let us visualize the secure man; and by this term, I mean a man who has settled for financial and personal security for his goal in life. In general, he is a man who has pushed ambition and initiative aside and settled down, so to speak, in a boring, but safe and comfortable rut for the rest of his life. His future is but an extension of his present, and he accepts it as such with a complacent shrug of his shoulders. His ideas and ideals are those of society in general and he is accepted as a respectable, but average and prosaic man. But is he a man? has he any self-respect or pride in himself? How could he, when he has risked nothing and gained nothing? What does he think when he sees his youthful dreams of adventure, accomplishment, travel and romance buried under the cloak of conformity? How does he feel when he realizes that he has barely tasted the meal of life; when he sees the prison he has made for himself in pursuit of the almighty dollar? If he thinks this is all well and good, fine, but think of the tragedy of a man who has sacrificed his freedom on the altar of security, and wishes he could turn back the hands of time. A man is to be pitied who lacked the courage to accept the challenge of freedom and depart from the cushion of security and see life as it is instead of living it second-hand. Life has by-passed this man and he has watched from a secure place, afraid to seek anything better What has he done except to sit and wait for the tomorrow which never comes?

Turn back the pages of history and see the men who have shaped the destiny of the world. Security was never theirs, but they lived rather than existed. Where would the world be if all men had sought security and not taken risks or gambled with their lives on the chance that, if they won, life would be different and richer? It is from the bystanders (who are in the vast majority) that we receive the propaganda that life is not worth living, that life is drudgery, that the ambitions of youth must he laid aside for a life which is but a painful wait for death. These are the ones who squeeze what excitement they can from life out of the imaginations and experiences of others through books and movies. These are the insignificant and forgotten men who preach conformity because it is all they know. These are the men who dream at night of what could have been, but who wake at dawn to take their places at the now-familiar rut and to merely exist through another day. For them, the romance of life is long dead and they are forced to go through the years on a treadmill, cursing their existence, yet afraid to die because of the unknown which faces them after death. They lacked the only true courage: the kind which enables men to face the unknown regardless of the consequences.

As an afterthought, it seems hardly proper to write of life without once mentioning happiness; so we shall let the reader answer this question for himself: who is the happier man, he who has braved the storm of life and lived or he who has stayed securely on shore and merely existed?

A ship is safest at port, but thats not why we build ships.

Using Content Verification on Public Websites to Track My Sons Soccer Team Standings

Wed, 21 May 2008 09:49:53 +0000

If any of you have spent time on the phone with me here in the ScienceLogic Support department this spring you probably know that my son Max plays youth soccer here in Virginia…a lot. Can you believe that there are rankings of youth soccer teams at this level?

Well, it makes sense once you realize that the ranking is done by the company that sells the software that runs many tournaments. The software “phones home” the results so that there is a steady data stream of teams and scores. They’ve put together an algorithm and whereas there may be logical holes, it is a baseline and therefore you can measure.

Anyway, I saw the ASC Knights FC’s page and that they had 637 points from the algorithm. When I viewed the source of the page I could see the point total in plain text, so it was a good target. I needed to be sure that the page wasn’t redirecting or SSL or any other such thing, in other words, the URL that you use on the Content Verification policy needs to be the URL that will provide the string that you are looking for. EM7 can deal with SSL and proxies, but it takes more careful configuration.

I built the CV policy on a virtual device (didn’t want a production machine going red for a personal CV check):

And sure enough, just this morning, a couple of days after our heartbreaking loss in the semi-finals of the State Cup the CV check was red…the point value had changed. The team had gone up to 757 points and dropped from 2^nd to 3^rd in Virginia, but risen to 54^th in the country.

But there is a dark side to CV policies on public websites! Recently many machines in a development environment were checking the same site every five minutes, and those eagle eyes admins at Slashdot noticed. Suddenly no one at ScienceLogic could reach Slashdot, our source of snarky geek news had been cut off!

Naturally, we stopped the CV checks and explained the situation to CmndrTaco and all is well once again.

That’s all for now, thanks for reading.

ShareThis

Using Content Verification on Public Websites to Track My Sons Soccer Team Standings

Wed, 21 May 2008 09:49:53 +0000

I built the CV policy on a virtual device (didn’t want a production machine going red for a personal CV check):

Naturally, we stopped the CV checks and explained the situation to CmndrTaco and all is well once again.

That’s all for now, thanks for reading.

ShareThis

Stupid hacker tricks, part two: The folly of youth

Tue, 06 May 2008 09:00:00 +0000

Sociopathic youngsters who have behaved very, very badly -- and paid for it.

Teen bomb maker stopped in his tracks in South Carolina.

Thu, 24 Apr 2008 22:58:00 +0000

The parents of Ryan Schallenberger undoubtedly saved a lot of lives when they turned in their son as a potential bomber. Authorities said he had all the components he needed to make several deadly bombs.

Ryan Schallenberger had used E-Bay to order 20lbs of ammonium nitrate from a supplier in Kentucky. The teen has been described as being "mad at the whole world". In a search of the family home, Law Enforcement officers discovered hate filled writings in which he praised the Columbine killers.

Having just returned from a Threat Assessment workshop at UCLA put on by Gavin De Becker Associates, I was able to identify many of the same characteristics that we looked at when examining other teenage killers who have wreaked havoc in schools across the U.S. Teens like this tend to have a "chip on their shoulder" and feel like they need to cause grave damage in order to "get even" or "teach people a lesson". Unfortunately, the "copy cat" phenomenon is a common denominator and these troubled teens seem to look up to those who have killed previously.

We all have a part to play in keeping schools safe. More parents need to emulate the Schallenbergers, who were willing to turn their own son in, knowing that he will most likely be locked away for a very long time thereby ensuring the safety of others. Class mates who hear rumors need to alert guidance counsellors and teachers and not be so quick to dismiss their fears and concerns. We need to get rid of any feelings that might suggest:"this could never happen at our school".

It is a sad fact that this terrible trend looks set to continue and violent behavior is capable of happening in any school where adequate security precautions are not taken. Whether it is from television, video games, broken homes or any other contributing factor, our youth are being exposed to higher and more toxic levels of violence every day. Perhaps we can do a better job at home and help to nip this evil trend in the bud before our classrooms begin to resemble battlefields.

From warzones to strip clubs, the truth comes out for a former First Lady and a Pastor.

Sun, 30 Mar 2008 16:57:00 +0000

Last week in the Washington Post, "The Fact Checker" awarded former first lady, Hillary Clinton, four "Pinocchios" (real whoppers)for claiming to have come under sniper fire during a photo op. in Bosnia. On Thursday, Michael Dobbs once again awarded Senator Clinton another "poker" of Pinocchios.

This time she took heat for claiming that her trip to Bosnia was the first visit to a "war zone" by a first lady since World War II. Her claim is considered completly inaccurate, since Pat Nixon made a trip to Saigon in July 1969. At the time, South Vietnam was an actual, not a "potential" war zone in the aftermath of the 1968 Tet offensive.

The article also made mention of Barbara Bush's visit to Saudi Arabia in 1990, two months before the Persian Gulf war began. Speaking about Senator Clinton's claim that her aircraft made a tactical landing back in 1996, the pilot of the aircraft had a different memory. Retired Air Force Col. William Changose said that it was not true that they took evasive measures to avoid sniper fire. The Colonel went on to say that: "not only were there no bullets flying, there wasn't even a bumblebee flying around".

It seems that Senator Clinton is not the only one in the public eye to suffer from Pinocchioitis. Apparently the Police in Riverside, Ohio found a Pastor who had gone missing from his home in western New York, since Wednesday the 26th of March, after telling his wife that he was going to Best Buy to have his computer fixed. Officers found the Pastor at a strip club called the "K.C. Lounge", partying like a New York Govenor.

We often hear people in the media complaining about the negative effects that Rap music has on our youth. One wonders why we are now not hearing more complaining about the so-called role models getting caught with their pants down, so to speak. At least with the likes of rappers and other "bad boy" entertainers, what you see, is what you get. It's little wonder that so many people are comfortable telling lies during interviews and embellishing resumes in order to get hired and get ahead.

When I was going to school, the "dog ate my homework" excuse was used but not believed. Also, it tended to get used by children who had not yet reached their teens. I think that even children of that age these days will be able to see through these poorly constructed falsehoods that our "role models" would have us believe.

Unbelievable.

Sitting on your hands is not an option - FUD, Compliance, what will it take to sell security?

Wed, 12 Mar 2008 21:17:43 +0000

Michael Farnum has a good post up today about a customer of his over at Accuvant. In a real life reenactment of every security vendors dream (come on, admit it), while the customer was procrastinating about whether to spend the money on security or not they were pwned. Michael says this is the second time this has happened since he has been at Accuvant. Obviously nothing loosens up the purse strings like a real live security "incident". However, we can't as an industry rely on a security breach happening at the moment a customer is contemplating a security purchase to drive the sale through.

What does drive the security sale? Over my years in security I have seen the answer change from FUD to compliance. There was a time when to sell security you would ask your customer, what would happen to your business if your network was brought down? What would happen if your IP was stolen? What would the negative publicity of a security breach cost you? Of course some of these questions could be turned on their side into the infamous Security ROI argument. But whether or not security can show a true ROI is highly questionable and I am from the school that it does not really exist. Than about 5 or 6 years ago, we started to see compliance becoming the driver. The first big driver in compliance for me was the Graham-Leach-Biley Act for the financial industry (when was the last time you heard that as a driver for security). Then always on the horizon and promising more than it actually delivered was HIPAA. Of course as Ilena Armstrong says "...HIPAA, say it with me now, "had no teeth." After HIPAA, California's breach notification law served as a model for many other states and finally brought some real compliance drivers to business outside of finance and health. FISMA brought the fear of God to the federal space.

Of course these all paled in comparison to the twin giants and darlings of the security industry, SOX and PCI. Have there ever been two sweeter words to the security industry. I remember speaking to security consultants who would relay how in their sales pitch to C-level execs they would tell them that failure to do something now about SOX could put them in jail. How did they look in stripes? PCI is still driving the merchant world security business and I don't think we have seen it peek yet. Yes, how sweet it is.

But what is next for the security industry? What is going to make people buy security next. Can we rely on the next gimmick or sales angle? Will there be a new statute, rule or regulation? Will a security breach scare the rest of us into doing something. Should we just wait around for our customers to get pwned and than come in like the cat that swallowed the canary with the magic bullet (even if there is no such thing as magic bullets). Or maybe as Bruce Schneier says people will just start expecting security as part of what they buy, not as a separate entity. They don't need to buy products that secure their network, they buy a network that is secure. Bruce says it better than I here:

Honestly, no one wants to buy IT security. People want to buy whatever they want -- connectivity, a Web presence, email, networked applications, whatever -- and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear. It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling.

It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.

To be fair Mike Rothman has preached a similar heresy for sometime as well. I use the term heresy because writing this article I feel a little like Jerry Maguire having a moral epiphany. However, the more I see and hear and learn, I become more convinced that StillSecure's emphasis on convergence is actually an off shoot of this truth. People are going to want secure networks, secure endpoints, secure products. Not products that secure them. Security companies that recognize this fact will succeed in the years to come, companies that do not will be the dinosaurs of tomorrow.