Wednesday, December 28, 2005

Matt McAlster Dotcom Prediction Generator

This is just a humorous online tool for those who are going crazy with the "year end predictions": Matt McAlster :: My Dotcom Prediction Generator - Just automate this whole prediction business :-)

openBC Profile for Anton Chuvakin: Again, Privacy vs Promotion

I am a fan of business social networking sites, such as LinkedIn and (in the past) Orkut. Here is a new one: OpenBC, based in Europe.

Whenever I see a site like this, I think about how they balance privacy vs marketing the professional. I happen to think that since they contain just about the same info as a typical personal website, they are not a huge threat to privacy.

Friday, December 23, 2005

Predictions, forecasts, crystal balls, stuff

It is the time of the year to post predictions for what will happen in the next year (for example), catch flak for failed predictions for this year (here) and (but of course!) attack predictions of other people (like some smart folks do here).

So far, I am holding and not posting my own stuff, but I am making a collection of what others already predicted. Check out this tag "2006" in my del.icio.us feed: http://del.icio.us/anton18/%222006%22


Antivirus Problems May NOT Lead To Sea Change In Antivirus Industry :-)

Folks will write a paper to say that a certain antivirus software's "antivirus library is prone to multiple heap-based buffer overflow vulnerabilities, which attackers could exploit to compromise computers running applications that use these libraries for virus protection."

How is it a surprise??? Puleeeease! All software is buggy, period. You can be 0wned thru pretty much anything you run, and, yes, antivirus and personal firewall too.

Welcome to AppSIC :: The Application Security Consortium

Lots of folks seem to have a malign hobby of founding security consortia, foundations, industry forums, etc.

Here is one more: AppSIC :: The Application Security Consortium: "The Application Security Industry Consortium is a community of security and technology experts united to establish and define the international cross-industry application security standards and measures"

Is this a real one, like WASC and OWASP, or a fake one, like SECMET and GAISP? Who knows...

It seems like the ones run by technical people survive (some thrive!) while others founded by those of a more management persuasion seem to die off.

"Blame it on the technology!"

Even at technology companies with a lot of IT talent, you can hear things like this excerpt from Tom Evslin's blook "Hackoff!": hackoff.com: Chapter 11 - Bear Hug, February 19: 25, 2002 - episode 3: '"Blame it on the technology", says Aaron.' when their conference phone is accidentally disconnected by their CEO.

It's so common to "blame it on technology" because, I suspect, people are conditioned to expect little from computers in terms of stability.

Thursday, December 22, 2005

Watson by Intellext

I usually hate to say what software products I use [since you can be 0wned this way :-)], but I started using this Watson tool from Intellext (http://www.intellext.com) and it got me to realize that information access doesn't end with Google. What, you disagree? :-) This little tool uses a different metaphor from the Google-induced "search and you will find"; it just finds it based on what you are currently doing. And the thing is addictively useful!

Watson by Intellext. Watson provides context search on the desktop.: "Why go searching when you can have results found for you? We're changing the game. From Search. To Found. "

Firewall The Movie

Is security getting into mainstream or what? "Firewall" The Movie :-)

Wednesday, December 21, 2005

Schneier on Security: Sony's DRM Rootkit: The Real Story

In his summary story after the Sony malware fiasco, Bruce Schneier wonders: "What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers?"

Further, he is trying to claim that "this is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home."

Guess what? No! I think the dirty secret of the AV is that the answer is "no." I think every prudent computer user should run their computer(s) with an assumption that if they are hit with anything non-standard or innovative, their anti-virus will not save them.

In reality, it might save you sometimes, but you certainly cannot rely on it.

The Ins and Outs of Infosecurity - CSO Magazine - December 2005

OK, this really belongs on my security blog (see http://www.oreillynet.com/pub/au/1207), but it's more of a rant than analysis, so here it goes.

Every time I see stuff like this (http://www.csoonline.com/read/120105/infosec.html), I wonder: just how much is this security industry driven by fashion and personality and not by ROI, risk assessment, what have you???

Here is the blurb:

"IN: Intrusion “prevention” systems
OUT: Intrusion detection. Because wouldn’t you rather prevent the intrusion in the first place?

IN: Bots (remotely controlled worms). Armies of them. (See How to Tell If You Have Bots.)
OUT: Website defacements. One speaker called the idea “quaint.”

IN: “Designer worms,” made just for your company and likely to end up on your balance sheet.
OUT: Massive worms, targeted at everyone and likely to end up on CNN."

So, just try telling someone whose site just got defaced that defacements are "quaint"... Further, if "massive worms are OUT", does it mean I should just throw my antivirus away? :-)

Tuesday, December 13, 2005

On "company DNA"

What the heck is "company DNA"? How do you decode it? Where do you find it? How do you separate it?

All sorts of folks, from VCs to sales people to CXOs, talk about DNA: "this company has Oracle DNA", "he has his company DNA", etc.

I can obviously grasp the meaning of it, but I am getting more and more curious about this "DNA stuff"...

Ogre to Slay? Outsource It to Chinese

This one has gotta be
a) one of the funniest outsourcing stories of the day, and
b) one of the weirdest ways to make money: Ogre to Slay? Outsource It to Chinese!

eBay: 0-Day on eBay gift, autograph and contact email address (item 6588680836 end time Dec-19-05 13:21:23 PST)

Here is one more humorous (?) 0day post on eBay: eBay: 0-Day on eBay gift, autograph and contact email address (item 6588680836 end time Dec-19-05 13:21:23 PST)

On spies

I just started reading Ira Winkler's book "Spies Among Us" and it's fun! A review will be coming soon.

And, reading the book finally cleared my head on the subject of ... oooh, so horrible ... "cyberterrorism." Intuitively, when you read about "cyberterrorism" you instantly think "what a load of bull", but the amount of press and "research" that you see coming out about it makes one wonder. Like, I was reading Dan Verton's "Black Ice" and it did sound believable, albeit sensationalist. As a result, I was somewhat confused about the subject.

Until now! Ira's book finally cleared it: at this stage, "cyberterrorism" is positively, absolutely, 100% "bull product." Here is why: computer failures are an accepted thing. "Everybody knows" that computers "are flaky", and might crash at any time, taking your work (or a billion-dollar Martian probe :-)) with them. Thus, computers do a pretty good job damaging themselves and things around them, and, thus, people will not be terrified if it happens due to malicious actions by whatever cyber-terrorists.

Now, the above obviously doesn't cancel the use of computers and the Internet by the terrorists. They gotta use it, just like everybody else...

Monday, December 12, 2005

Xooglers Blog

For those with nothing better to read (not me!), this seems like a fun blog to peruse: Xooglers

Thursday, December 08, 2005

LinkedIn Profiles: Privacy vs Publicity

When I was first invited to Orkut (www.orkut.com) and then LinkedIn (www.linkedin.com), I was pretty excited. And I was mildly surprised that some people said that such services raise privacy implications.

For example, my LinkedIn profile (LinkedIn: Anton Chuvakin) does not have anything that I would not have disclosed on my website. Thus, supposedly no additional privacy risks. Also, McNealy's famous "You have no privacy, get over it" does sound largely true in this "Google Age"...

In general, how do you balance a desire for privacy with a desire for publicity?

eBay: Brand new Microsoft Excel Vulnerability (item 7203336538 end time Dec-12-05 20:54:35 PST)

eBay: Brand new Microsoft Excel Vulnerability (item 7203336538 end time Dec-12-05 20:54:35 PST)

It probably belongs on my security blog (see http://www.oreillynet.com/pub/au/1207), but this is more humor than security, IMHO.

ZoomInfo.com

Here is a fun site - either incredibly useful or unspeakably evil:
ZoomInfo.com. It appears to mine the web to coalesce information on people and fuse it into distinct profiles that you can then search.

Check out whether it knows about you too! You might be surprised at the accuracy (I sure was!) You can then correct the info on yourself to enhance what their algorithms discovered...

hackoff.com: Chapter 9: The Fall, April 1, 2000 - June 30, 2000 - Episode 6

OMG, this is such a fun chapter! I can't comment further on it though :-)

Tuesday, December 06, 2005

Here is a bunch of book reviews

For those of you who are interested, here is a link to all of my Amazon book reviews: Amazon.com: Anton Chuvakin Reviews

I mostly review information security books, with an occasional stray title from other areas.

On birthdays...

Today, December 7, happens to be my birthday. Time to celebrate!!!

Some folks, for whatever weird reason, think that after a certain age one needs to stop celebrating (and start mourning? WTF?) birthdays. What is that age? I'm guessing 200 :-)

Monday, December 05, 2005

On "The Game" book

Obviously, you've read "The Game" book by Neil Strauss; if not - you should. Just a thought...

A fun article on sleep - "Good sleep, good learning, good life"

This one seems useful for just about everyone: Good sleep, good learning, good life. Here is some advice from the paper:

"Napping advice:

Do not use the alarm clock! Contrary to popular belief, well-scheduled nap will not last longer than 20-30 minutes (at least in people with free running sleep)

Measure exactly the optimum length of the period between the natural awakening and the nap to maximize the effectiveness of a nap (see Fig. 1). The nap should come at the nadir of alertness. Napping beginners often miss the right timing!

Drink coffee or other caffeine drinks only after the nap

You can drink alcohol in only very subtle doses, and the best timing is shortly before the nap (see below for more)

If you nap for more than 40-50 minutes, you probably need more sleep in the night (check free running sleep section above!)

Avoid stress 2-3 hours before your nap. Even things you love can make you excited and make it harder to avail of the benefits of napping

Exercise is good. Try to finish your exercise at least 30-60 minutes before the nap

Meal before the nap is recommended. Your main meal of the day should actually come right before the nap! This is usually 5-9 hours after awakening

Sex before the nap is recommended

Stick to your ritual (e.g. stick to your best sequence: exercise, bath, meal, beer, quiet place, nap, music, or similar) ..."

In addition, it also has some "myths about sleep", such as the one that sleeping before midnight is more beneficial.

50 Strategies for Making Yourself Work (for Writers)

Just saw this collection of tips to beat the "writers' block": 50 Strategies for Making Yourself Work. Now I just have to follow the advice contained in the doc to finish my book ... easy, huh :-)

On "The Wisdom of Crowds"

So, I just finished reading this book - "The Wisdom of Crowds" by James Surowiecki - and a fun one it was :-) Some interpret his material on prediction markets as "a bunch of average people will always beat a few experts", but the reality is much more interesting (and a lot more complicated) than that....

Sunday, December 04, 2005

On space


I've been to Kennedy Space Center the other week (here is the picture - just to test picture-posting capabilities of this blog :-)), and the whole place has a distinct and somewhat sad feel of the past. As if the high point of the space program was the Moon flight - and then it went downhill from there...

Truly del.icio.us...

I've been using/playing with the del.icio.us site (http://del.icio.us/anton18) more and more lately. Here is my list of tagged pages: http://del.icio.us/anton18

You can find both security-related and other things there too...

On "Influential Spinning"

I was just driving from somewhere and listening to Kenrick Cleveland's awesome "Influential Spinning" course (see https://secure.maxpersuasion.com/display_p.php?session=&pid=6 for details). As far as persuasion material goes, Kenrick's has few rivals (and you know it is true when you consider that he trained some pretty "interesting people" in the past). And it is also fun to follow when you get it.

So, specifically, he was talking about "selling the frame". If you "sold the frame", everything that fits in it will get sold too, pretty much automatically. For example, if you succeeded in framing yourself as an "expert" in whatever area, it is likely that your opinions about that subject will be received much more positively.

It is amazing how some people "sold themselves as experts", without possessing the expert knowledge. Or maybe I just did not buy their frames? :-)

On Hackoff! blook

Obviously, by now everybody knows about it, but still. "Hackoff.com: An Historic Mystery Set In The Internet Bubble And Rubble" by Tom Evslin can be found here: http://www.hackoff.com

It's a very fun book (eh, blook) to read. I start every day by reading the daily installment.

It also reminds me how I used to wait for the next magazine issue when, in the old times, some SciFi novels were spread over dozens of issues of a magazine. The bastards also used to end the monthly installment at some breathtaking moment (I still remember one: "And he raised his blaster and took aim...(to be continued next month)" :-))

Is Wikipedia a good thing or a bad thing?

Some of my friends do swear by Wikipedia (http://en.wikipedia.org/wiki/Main_Page), but stories like this (http://www.usatoday.com/news/opinion/editorials/2005-11-29-wikipedia-edit_x.htm) make one wonder: is it really as accurate as people make it out to be?

Yes, Wikipedia did seem to correct Britannica (see this: http://www.freedom-to-tinker.com/?p=675) on one occasion, but I have a sneaking suspicion that on the subjects that few care about the chance of error persisting for a long time is quite high...

Saturday, December 03, 2005

My non-security blog

I am starting this blog to talk about issues that do not relate to information security. For those, see my other blog at O'Reilly at http://www.oreillynet.com/pub/au/1207

I suspect my security blog will be much more active than this one...

Dr Anton Chuvakin