Archive for August, 2009

SANS Mentor Class

Looking to learn something new?  Got some training cash that’s just dying to be spent before the end of the quarter?  Well, step right up, have I got a deal for you…  A “friend of blog” is leading SANS Security 560, “Network Penetration and Ethical Hacking”, this September through December.  Details are here.

Before you start calling me a sellout and a shill, let me explain.  I’m not one to go promoting stuff unless I’m absolutely bonkers over what it’s all about.  In fact, I learned that lesson the hard way by recommending this utter piece of crap before I actually used it.  Apparently this thing was designed by a pack of drunken monkeys and manufactured as part of a high school metal shop assignment by some illiterate, stoned dropout with a mullet.  Not that there’s anything wrong with dropouts - with or without mullets - it’s really just a lifestyle choice that doesn’t typically lend itself to precision engineering.  But I digress…

I’m not exactly “bonkers” over this class offering, but I do believe it to be one of the best the industry offers, if not the absolute best out there.  The point of posting this, however, is that Dustin agreed that I could let everybody know what they’re in for and provide some insight into who their mentor will be – in exchange for spamming it out to my vast collection of security cronies and plugging it on the blog to expose it to the throngs of humanity that rush to their computers daily to get their daily dose of Jovian ranting.  The best way to provide insight into Dustin and his background is simply to point you toward his website, http://www.dustinvaughnlovesmileycyrus.info.  It’s chock full of what Dustin is all about.  

You can also reach him by email at dustin@dustinvaughnlovesmileycyrus.info, if you just want to share makeup tips or you know where there are cute shoes on clearance.  

“M”entor “C”lass.
“M”iley “C”yrus.

Coincidence?

And as a final point of clarification:  Dustin has nothing to do with this guy.  That guy wants to beat her, whereas Dustin wants to be her.


Reverse Social Engineering

Cyber warfare is a crippling threat to our economy and security.  It has to be – everybody says so!  Our government is trying its darnedest to do something about it – whether it be to pawn it off on DHS (and now the National Economic Council, since they apparently don’t have enough to do, but that’s another rant) or to create and staff the Air Force Cyber Command.  Or go spin up the country on a new “cyber challenge” (having the side effect of populating CIA/FBI/DHS watch-lists with the names of the participants, I’m sure).  And everybody knows there are cyber-spies in our electric grid!

And now it has been deemed more devastating than a nuclear bomb, according to the vice chairman of the Senate Select Committee on Intelligence.  That’s quite a statement, and by a group of big swingers to boot.  How often do you hear public officials clamoring to a microphone to blurt out the best way to defeat their country?   Were Achilles’ last words “Betcha can’t hit me in the heel, Paris”?  Did Samson ask Delilah for a little off the sides and top?  Did the Nazis say, here’s the Enigma machine and codebook, knock yourselves out?

Duh.  No, they didn’t.  Double duh.  You don’t go publicizing your weakest link.  But you certainly can pretend to – disinformation is quite a useful tactic in war.  Operation Fortitude spread false information during WWII, misdirecting German forces prior to the landing at Normandy.  Same with Operation Mincemeat, where British intelligence allowed a dead body carrying fake invasion plans to be recovered by the Germans.

Another angle on disinformation involves “dilution”.  I have a friend I’ll call Tom (short for Tomato Farmer) who has the “perfect coverup” to a murder.  Not that he’s committed one, or done this (to my knowledge), but it goes something like this:  Tom says to root through the dumpsters of a barbershop, nail salon, hospital, and butcher shop and collect as much miscellaneous human byproduct and waste as you can – nail clippings, hair, meat and blood.  Go commit your gruesome crime without regard to neatness.  Then go get your sealed-up container of “DNA”, bring it to your crime scene, and dump it everywhere.  Your own DNA will simply be lost in the shuffle, as they try to find the hairy hemophiliac pig with a French manicure that was the apparent perpetrator.

So if you’re one of our nation’s enemies, and you’re reading this, please, please don’t launch a cyber attack on us.  Please don’t, it’d be simply dreadful.  Oh dear…

Sure.  Unless we really are just that vulnerable and incredibly stupid, to boot.

So which is it:  Social Reverse Engineering or Reverse Social Engineering? 


DEFCON: …and what stayed in Vegas

Another DEFCON has come and gone.  Another weekend in Vegas.  Another 6 hours of pai gow and $20 to a slot machine.  But it wasn’t just any ordinary con, this one was run by a volunteer fed, and one that had a star-studded speaker list.  Among those that spoke were Rod Beckstrom (see Securing GovSpace for a good synopsis), Bruce Schneier, Bruce Potter, Richard Thieme, and the perennial faves, Johnny Long, Marc Weber Tobias, and Joe “Kingpin” Grand.  And Adam Savage of Mythbusters fame.  It’s the proverbial A-list of the information security industry.  Of course, there were the uber-geeks that displayed their wares, including a presentation on UCSniff by Viper Labs, Moxie Marlinspike’s SSL vulnerability presentation, a compendium of Web 2.0 tools and methods, and a number of lockpicking presentations to boot. 

For the most part, I found the majority of the talks more thought-provoking than in years past.  I’d even say that the industry seems to be headed towards developing its own philosophy / science.  My friend Crash turned me on to this site, which poses a scientific model for IT security and cites both the work of Paul Feyerabend and the falsification theories of Karl Popper, tempered with Thomas Kuhn.  He met these guys at Blackhat.   Their site is a blog in support of a book that proposes a new view of the cyber-world, potentially changing the concept and perception of risk.  Their “manifesto”, in large part, is driven by their belief that the Information Security field is an emerging “social science”, and they are hoping to evolve the science to the next level.  At Blackhat, they presented the Mortman/Hutton Model for Expectation of Exploit use.  Pretty neat twist on the Gartner Hype Cycle, and, I think, indicative of the dissatisfaction with the historical fireman or hero reactive approach to IT security.

Now to address what stayed in Vegas.  Since Mrs. Jupiter reads this blog as well, I’ll just provide a few of Vegas’ unwritten rules we picked up on this trip:

  1. “Just past Caesars” means you really ought to take a cab.
  2. Dog the Bounty Hunter doesn’t take cabs.
  3. The Segway outside the men’s room that says “Security” on it is NOT an attraction.
  4. Topless shows are free, you just need to hang out with the right tourists.
  5. Mooning in the bar attracts the attention of the male security staff.
  6. Pai Gow is a “frenemy”.
  7. All male geeks have a crush on Kari from Mythbusters.  Some have a crush on Adam. 
  8. It’s not “Vegas Jail”, it’s “Clark County Detention Center”.

And finally, I have to take my hat off to one individual that shall remain unnamed.  Met up with this guy at the bar in the Riviera.  He chatted up a stunning blonde and left, heading up to his room with her.  I then spotted the same stunning blonde walking through the casino about 5 minutes later.  Another 5 minutes and he’s back in the bar.  Turns out she’s a hooker, and he talked her down from $500 to $175.  Then he told her to hit the bricks; the price was still too high.  After getting a 65% discount!  I shall now and forever more pay him homage whenever I use the term “Low Roller” by capitalizing it in his honor.


Copyright © 1996-2010 E-rant. All rights reserved.