The Folly of a Scheduled Patch Release Cycle

A number of years ago, Microsoft led the charge by moving away from a dynamic patch release schedule to a monthly patch release schedule, essentially creating an imposed monthly patch cycle for their customers.  Since then, many other vendors have followed suit.  There are opinions and arguments supporting both a release schedule philosophy as well as a release upon completion philosophy, and today I’m going to outline where I stand [...]

The Problem With the Liberty Dollar

I’m not going to talk about their underlying quest to end the Federal Reserve (with which I wholeheartedly agree), or about their multi-site raid by the FBI last year where all of their current inventory and all of the metals backing the Liberty Dollar warehouse receipts (paper currency) were confiscated.  No, I’m not going to talk about any of their politics or their legal troubles; what I am going to [...]

By |2008-12-07T19:36:59+00:00December 7th, 2008|economics, finance, opinion|0 Comments

How NOT to Write a Protocol Specification

For the last week or so, I’ve been tasked with implementing Application Simulators in the BreakingPoint product for the OWAMP and TWAMP protocols, RFC 4656 and RFC 5357, respectively.  These are honestly two of the most poorly written protocol specifications that I’ve ever read.  Luckily, they’re rather short.  Not only are many parts vague and ambiguous, but some parts read like a stream-of-consciousness dump directly to a text editor. [...]

By |2008-11-17T16:48:08+00:00November 17th, 2008|opinion, rant|0 Comments

Formal Degrees vs. Certification

I’ve never been a fan of most certifications.  I’ve always been even less a fan of formal degrees in education, at least for technology-centric industries.  I’ve always argued that my body of work is my credential, and if a potential employer were to reject my application on the basis that I didn’t have a certain piece of paper, that short-sighted employer wasn’t the type that I wanted to work for [...]

By |2008-08-18T15:10:48+00:00August 18th, 2008|education, opinion, technology|0 Comments

DEFCON 16

DEFCON is always entertaining as it’s the largest hacker conference in North America. Back to back with it’s corporate counterpart, Black Hat, it generally draws thousands of hacker-type people to Las Vegas every summer. The related parties, shenanigans, and drama surrounding it are legendary, and this year was no different. Below are my thoughts on the talks I was able to attend. […]

How to Really Fix Your DNS

Obviously the first thing everyone should be doing is to apply the patches that the major vendors rolled out, and do it quickly.  It is no longer the time for debate in regard to whether or not you really do need to patch… the answer to that question is quite clear; Yes.  Yes you do. Stop reading this, go to your vendor right now, and get the patches. Then apply [...]

Padding the Numbers: Vulnerability Duplication

Recently the OSVDB Blog had an interesting article regarding vulnerability duplication via the “hazard of 0day” wherein a vulnerability being exploited in the wild was mistaken for a new vulnerability when in fact it was not.  This caused many of the vulnerability database vendors to issue new IDs, send out threat warnings, bring in the livestock from the impending storm, and so forth.  The resulting fallout from realization that it [...]

CSI-SX 2008

CSI-SX is the new branding for the CSI NetSec conference, which is co-located with Interop Las Vegas, and is essentially the security-focused portion of the overall conference. As with the annual CSI conference, this conference targets a different demographic than I’m used to speaking for as the attendance is usually comprised of very large enterprise and government employees and I usually speak for conferences targeted at the research and hacker [...]

By |2008-04-30T09:57:22+00:00April 30th, 2008|conference, opinion, security|0 Comments

ToorCon Seattle 2008

The ToorCon organization puts on some of the best conferences in my opinion, and this last weekend was version 1.0 of their Seattle conference (beta was last year, which I also attended). Friday night was entirely 5-minute lightning talks and then Saturday was entirely 20-minute turbo talks. Sunday was workshops, which unfortunately I could not attend since I had to fly back to Austin mid-day. Last year was invite only [...]

CSI 2007

CSI 2007 was the first time I’ve ever attended a CSI conference. I was actually a CSI member way back in the day when I was running my own consulting firm and needed as many business development avenues to explore as possible, but after closing my consultancy and going back to work for The Man(tm) I didn’t keep up my membership as I really wasn’t getting much out of the [...]