First things first, let me state that I'm quite sick and this may come out as garbled sick speak. So if it does.. ignore it and move on.
I have grown a little bit surly with my IT department. I pretend to be an information security consultant for my day job and require a fairly powerful system with unfettered access to the target environment as well as my underlying system. I've been fighting my IT department for many years now and finally gave them the old heave ho. I put their stupid corporate image into a VM and rebuilt my work system with Vista Ultimate (yes I know it's not a real man's OS, but I believe it will meet my needs on a daily basis and that is all an OS needs to be for me).
For those that may be trying to do something like this at home, I used the vmware converter application to take my running windows installation and smash it into a VM. I then copied that VM to my new installation and brought it up. Somehow it just worked. I had to tweak out the NICs a bit, but otherwise I was highly impressed. Leave comments if you have questions on this and I'll see what I can do. I'll also post about my trials and tribulations with pen testing in the Vista host environment. I'm mostly an application security guy, so your mileage may vary.
On other topics, I want to take a moment and rant about SAS70, PCI, HIPAA, and other useless regulations and requirements that the government, corporations, and other standards bodies put out. In general, these specifications are extremely loose and weak and there are about 1 billion loopholes in them. Additionally, they never specify anything solid, in favor of simply saying things like "Has firewalls in place.". WTF?! Come on. There are far too many people out there that take these things as the gospel and think that as long as their network or systems are SAS70 and PCI secure they don't need to have any real assessments completed. Wake up and smell the holes in your boxers boys, cause yer wide open and flappin in the wind.
That is all for today. I'm going to go break this web app and call it a day.
I'm such a dichotomy of ideas at times. Like right now.. I just steeped a wonderful cup of Gui Hua Oolong tea to have a nice relaxing morning in the office. I sat down at my laptop, fired up the web browser and turned on Howard Stern. Howard Freakin Stern. I hated this damn show for the last 10-12 years. I used to listen to him when I was a freshman in college and then one day decided he was a complete idiot and never went back.. until last week. Now I'm addicted to his crazy banter and somewhat witty commentary. I still get repulsed and am half tempted to turn the channel when he inevitably goes into the gutter, but when he's got an interesting guest on he isn't half bad.
Onto information security topics:
All I have to say about the Acunetix and NetworkWorld feud is... WHO CARES. This is simply yet another case of some idiot opening their mouth and some other idiot trying to shove a foot in it. I even quit reading the posts halfway through as it is just so worthless. I know JG and RSnake are interested in it, and that's fine, they can report on it. I just don't see the reason to really care here. It'll die out quickly just like all of the other little pieces of drama that have come before it.
Other than that.. not a whole lot of interesting things to report. I'm currently working on a presentation for a few conferences and peer reviewing a white paper due out shortly. We'll see what goodness will come out of these, if any.
I read a lot. And I mean A LOT. So as a service to those who enjoy a good book, both fiction and nonfiction, I will do a periodic book review as I complete my latest tome.
The latest book I finished is called "Rat Bastards: The Life and Times of South Boston's Most Honorable Irish Mobster". The basic plot of the story is about one of South Boston's most notorious mobsters, John "Red" Shea, and his mentor, the undisputed king of the South Boston Irish Mafia, Whitey Bulger.
The story chronicles the life of Red Shea as he rises in the group to be the second in command to Whitey, all the while not being aware that the entire time he was listening to the advice of his mentor, Whitey, Whitey was an informant for the FBI. When everything hit the fan, there is only one thing a guy can hang on to and that's being a stand-up man. One of the laws of the mafia is not ratting on your fellow man. Red Shea did just that: he wouldn't rat no matter how much time he would have to spend in federal prison.
I can't help but draw the parallels to the movie "The Departed". There are far too many similarities to be a fluke. What is also interesting is that Mark Wahlberg, who stars in "The Departed", wrote the foreword for the novel and also reportedly has purchased the rights to the film. Overall I thought the book was only mediocre. There is only so much you can say about being a stand-up guy, and with the lack of interesting plot line after Red is put into jail, I was quickly bored by the prose. There are a few interesting anecdotes, but the second half of the book is a snoozer. I do applaud Red for standing up for what he believed in, but get someone better to help you put it into writing, your editor stunk.
All in all this book gets a 3/5 donkey rating. Read it if you don't have anything better lying on your bookshelf.
I spent an hour or two conducting a peer review of the OWASP Top Ten 2007. The document was rewritten by Andrew van der Stock, Jeff Williams, and Dave Wichers and is currently open for reviews.
Overall I think this top ten list is a significant leap forward from the previous list. One great improvement is that we now have a list of vulnerability classes as opposed to the previous mix of threats/vulnerabilities/classes/etc. I've always griped at the original Top Ten list due to the fact that things like "Input Validation" were listed. This is a root cause of a number of issues and isn't really a vulnerability in the traditional sense.
I made a few comments here and there where I thought some additional detail would clear up any misconceptions, but overall this document is more technical, more detailed, and largely stands up on its own. I'm impressed.
Cheers OWASP. Keep up the good work.

Welcome to Donkey On A Waffle. This is my latest and greatest attempt at a blog. I've been through way too many blogs to even remotely think that I will use this after the novelty wears off. However, I'm going to give it yet another go. From this point forward all posts to my LiveJournal and other assorted blogs will be aggregated here.
The topics will tend toward the geeky and philosophical. They will talk about computer science, information security, photography, and anything else that I may be into at the moment. If you enjoy the blog, great, and if not.. you figure that out.