Ye Olde Posts (that fell off the front page)
I am not MIA. I'm a homeowner, dammit.
6-May-2007

This site's about to go through a bit of an off-topic addition... I've been spending much time, effort, and money on acquiring property in Baltimore City, and now I've got a project on my hands. I'm rehabbing a rowhouse in Baltimore, including a complete gut-out and re-build. I'm doing all the work except for that which I can't do legally (e.g. HVAC, electrical, plumbing). Check back soon for that info.

In the meantime, go check out Cinco de Mayo pictures from Chris' party!

RSA Conference Travel Log: Epilogue
11-Feb-2007

Sorry for the delay in closure, but I arrived back in Baltimore at 1:30am in 27-degree weather to find that a water pipe on the 2nd floor of my house burst sometime while I was gone, and over the past few days gutted my kitchen (walls, ceiling, appliances, etc.) and filled the basement with a few hundred gallons of ice cold water. Now I'm dealing with that.

Anyhow, I've summarized my experiences pretty well below. Would I return? Not if I'm working in the capacity I am currently. If I were a middle-management-type looking for some enterprise-scale solutions to well known and obvious problems, then sure, I think there's some value. As a security and networking researcher, the conference was overall too basic and high level. It's geared for a non-technical audience, or people that used to be technical but now simply manage technical people.

RSA Conference Travel Log: Day 3
8-Feb-2007

Now I'm playing catch-up. I forgot a pen yesterday morning (seriously, how do I collect 8 pens a day and forget to bring at least one every morning?).

No one wants to hear anything about the fundamental security changes in Windows Vista, so they put that session in one of the smaller rooms. They also turned away about 100 people after the room was filled. Duh. I was #2 person turned away. But, I think it's a good thing - I wandered myself into an ethics discussion panel chaired by a former Microsoft VP, with the heads of (ISC)2, ISACA, SANS, and another training/certification group. Fantastic discussions - I ended up talking to consulting firm partners, magazine writers, engineers, and hearing from Microsoft's chief counsel. Is it ethical to allow known criminals to associate with our professional world? Where and when do parents have to bear the responsibility of what their children do online? If someone is defrocked for an ethics violation, should the other organizations be notified? How do global cultures' views of ethics affect what we deem appropriate? I threw another grenade on the floor when I asked the panel their feelings on how a strict code of ethics impacts personal innovation in unsecurity.

I'll paraphrase my question. I got my first computer at the age of 10. By age 12 I was using a hex editor to modify games and using a war dialer to find all the modem pools in Wilkes-Barre, Pennsylvania. Flash forward to today, and I wouldn't do that, being clearly unethical and illegal, but junk like that really got me to where I am now. If I want to continue my personal innovation, in, for example, Bluetooth security, I can't go out and buy every Bluetooth phone on the market and try to crack their implementations open, but I sure can sit in large rooms of techie people and seek out their gaping open Bluetooth Blackberries [at this point I looked around the room and said "and there's at least five open devices in here right now" - we'll come back to this]. I believe the real innovation in security is still coming from the individual, not the large corporate entities. How is a single person supposed to be expected to innovate if, by our ethical standards, you need to own, be in control of, or otherwise have explicit permission to test the hardware or software applications you'd like to test?

The answers ranged from knowing your own personal boundaries to utter resignation and agreement that it's a real gray area that's hard to even try to answer. In this respect some codes of ethics seem almost hypocritical to the personal innovator: you must act ethically, morally, and legally, and at the same time you must advance your field. Does this imply that only large, monied entities are truly allowed to advance the field? If history is a guide, the large entities are the worst at doing just that. You can't fix a problem until you find it, and better we find it before the "bad guys" do.

Anyhow, it turned out that Bluetooth comment was a bigger grenade than I intended it to be. Later on at the Codebreakers Bash, which was awesome, I ran into a freelance reporter that was attending the ethics session. She said that people were coming up to her afterward with comments, concerns, and gripes about my (in their estimation) shaky ethical footing. The biggest concern being that if I was seeking their (i.e., the attendees') Bluetooth devices in that room (see how all of a sudden it's personal?) that I was performing some nefarious activity. She (i.e., the reporter) had to explain to them that seeking a device and actually doing something to it are very, very different things. Two concerns here: first, none of these people approached me for a discussion on this - I'd welcome it, but apparently they're either simply spineless or afraid that some l33t retribution will be inflicted on them. Second, if these are really 'security professionals', then why did they need someone to describe the simple activity of Bluetooth seeking? That's chapter 1, paragraph 1 of 802.15 security, people! Either way, it saddens me to see timid, spineless, uninformed people appointed to protect our networks and data. Trust me: the malicious actor is neither spineless nor uninformed.

The take:

  • Pens: 1 (because I needed it)
  • Cozies: -4 (donated)

"Invest in your gray matter, because someday it may matter" - Deltron 3030

RSA Conference Travel Log: Day 2
7-Feb-2007

Not such a good start to today - the seams came apart on one of the presentations here and showed that there are tracks that are downright insulting to a truly technical person. "Advances in Wireless Security" - what does this tell you? Ok, maybe someone will drag out WPA or working authentication back to a RADIUS server, but beyond that, at the world's foremost meeting of security professionals, you'd expect some gee-whiz ideas. Not there, unfortunately. I think it was more the fault of the presenters than the conference itself. This particular presentation informed a steadily thinning audience that they should use "encryption" and perhaps only deploy as many APs as they need to cover their intended area. Rocket science. I slammed them on the session feedback form.

Attended a very good session on exploiting web services as another entry point into enterprise architectures. In all honesty, this isn't something I've thought of myself - I rarely think in the application exploitation world - but it sure was fun. Most web services are put together ad hoc, and don't typically follow any particular security convention. Often the WSDL is left exposed for any attacker to review for the service's operations and parameters. Nice. Beyond that, talking to the service itself (I'd guess by dropping a proxy between the application and the service to craft your own XML requests) can yield some serious access opportunities. XML data injection: change any parameters the application auto-generates (an account identifier, say) before they go on to the service, which trusts them as-is. SQL injection: stuff some SQL into a field of the XML request and see what falls out.
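As an added example (mine, not code from the session or the original post), the script below shows both halves of that attack path and the fix for each. It parses a constructed WSDL to enumerate the service's operations and parameters, then replays a SOAP request as an assumed intercepting proxy would have rewritten it: the application-supplied customerId changed to another customer, and SQL stuffed into orderId. The vulnerable handler trusts the XML and concatenates it into SQL; the hardened one takes the customer identity from the authenticated session and binds the order ID as a query parameter after checking its shape. The service name, WSDL, request and table rows are all made up for the example; only the Python standard library is used.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Namespaces for WSDL 1.1, XML Schema and SOAP 1.1 envelopes
NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "xs": "http://www.w3.org/2001/XMLSchema",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
}

# Constructed WSDL for a hypothetical order-lookup service (not a real product).
WSDL = """<?xml version="1.0"?>
<definitions name="OrderService" targetNamespace="urn:example:orders"
    xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="urn:example:orders"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <types><xs:schema targetNamespace="urn:example:orders">
    <xs:element name="GetOrder"><xs:complexType><xs:sequence>
      <xs:element name="customerId" type="xs:string"/>
      <xs:element name="orderId" type="xs:string"/>
    </xs:sequence></xs:complexType></xs:element>
    <xs:element name="ListOrders"><xs:complexType><xs:sequence>
      <xs:element name="customerId" type="xs:string"/>
      <xs:element name="limit" type="xs:int"/>
    </xs:sequence></xs:complexType></xs:element>
  </xs:schema></types>
  <message name="GetOrderIn"><part name="body" element="tns:GetOrder"/></message>
  <message name="ListOrdersIn"><part name="body" element="tns:ListOrders"/></message>
  <portType name="OrderPort">
    <operation name="GetOrder"><input message="tns:GetOrderIn"/></operation>
    <operation name="ListOrders"><input message="tns:ListOrdersIn"/></operation>
  </portType>
</definitions>"""

# Constructed request as seen on an intercepting proxy between the web app and the
# service. The app filled in customerId for the logged-in user "bob"; the attacker
# rewrote it to "alice" and put SQL into orderId.
TAMPERED_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetOrder xmlns="urn:example:orders">
    <customerId>alice</customerId>
    <orderId>A-1' OR '1'='1</orderId>
  </GetOrder></soap:Body>
</soap:Envelope>"""


def enumerate_operations(wsdl_text):
    """From an exposed WSDL, map each operation to its input parameters (name, type)."""
    root = ET.fromstring(wsdl_text)
    elements = {}  # schema element name -> [(param, type)]
    for el in root.findall(".//xs:schema/xs:element", NS):
        elements[el.get("name")] = [(p.get("name"), p.get("type").split(":")[-1])
                                    for p in el.findall(".//xs:sequence/xs:element", NS)]
    messages = {m.get("name"): m.find("wsdl:part", NS).get("element").split(":")[-1]
                for m in root.findall("wsdl:message", NS)}
    return {op.get("name"):
            elements[messages[op.find("wsdl:input", NS).get("message").split(":")[-1]]]
            for op in root.findall("wsdl:portType/wsdl:operation", NS)}


def soap_params(envelope_text, operation):
    """Pull the named operation's parameters out of a SOAP 1.1 request body."""
    body = ET.fromstring(envelope_text).find("soap:Body", NS)
    op = body.find("{urn:example:orders}" + operation)
    return {child.tag.split("}")[-1]: (child.text or "") for child in op}


def make_db():
    """In-memory table standing in for the service's back end (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders(customer_id TEXT, order_id TEXT, total INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [("alice", "A-1", 40), ("alice", "A-2", 75), ("bob", "B-1", 120)])
    return db


def get_order_vulnerable(db, params):
    """Ad-hoc service: trusts customerId from the XML and splices both values into SQL."""
    sql = ("SELECT customer_id, order_id, total FROM orders WHERE customer_id = '%s' "
           "AND order_id = '%s'" % (params["customerId"], params["orderId"]))
    return db.execute(sql).fetchall()


def get_order_hardened(db, params, session_customer):
    """Hardened service: identity comes from the authenticated session, not the XML;
    orderId must match the expected shape and is bound as a parameter, never spliced in."""
    if not re.fullmatch(r"[A-Z]-\d+", params["orderId"]):
        raise ValueError("orderId does not match the schema pattern")
    return db.execute("SELECT customer_id, order_id, total FROM orders "
                      "WHERE customer_id = ? AND order_id = ?",
                      (session_customer, params["orderId"])).fetchall()


if __name__ == "__main__":
    print(enumerate_operations(WSDL))
    params = soap_params(TAMPERED_REQUEST, "GetOrder")
    print(get_order_vulnerable(make_db(), params))   # every row in the table leaks
```

Running it, the vulnerable handler returns all three orders, including bob's, because `'A-1' OR '1'='1'` turns the WHERE clause into a tautology; the hardened handler rejects the malformed orderId outright, and even a well-formed request for alice's order returns nothing when the session belongs to bob.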

Otherwise, I attended a great small "Peer2Peer" session where we discussed the large-scale approach to mobile computing. We had service providers (read: Sprint) in the room, and service consumers (read: global corporations) in the room. The conversation turned to whether or not carriers should allow hosts on their network if they lack the proper [patch level/virus defs/...]. Forget about the fact that determining that for all combinations of software, hardware, operating systems, etc., is an intractable problem, I threw a grenade on the floor and asked if service providers even care about the health of the nodes they're connecting. As long as it's not impacting that ISP's hardware, they'll gladly pass bad bits from point A to point B. And that's really the way it should be, data-agnostic. Provide access, let the end users and software providers figure out how to deal with life in the wild. Understand - this too could be a result of net neutrality.

(I'm watching Ray Kurzweil speak right now - he really looks like Woody Allen)

Also ran into one of my old professors from Carnegie Mellon - Dr. Tom Longstaff. He was hanging out at the CERT/SEI stand. I got a pen. Speaking of which, Secure Computing was hosting an anti-crap bucket. If they fill it with other companies' give-aways, they'll donate $10,000 to the San Francisco Children's Hospital. I gladly donated all I got today, except the pens.

  • Shirts: 3 (all donated)
  • Pens: 6
  • Travel mugs: 2 (both discarded)
  • Boxes of Mints: 1
  • Bottles of Honey: 1 (seriously. Donated)

I didn't have time for lunch today, so I'm floating on coffee and whatever random raw vegetable I see on scattered tables. (ISC)2, granter of my CISSP, is holding a reception for members tonight in about 30 minutes. I hope the "fare" isn't as light as they advertise.

RSA Travel Log: Day 1
6-Feb-2007

Busy day today. After erroneously ordering the Skip Scramble at the diner across the street (never order the Skip Scramble), I made my way to the keynote opening sessions with Ze Frank, Bill Gates, the EMC and RSA top brass, and about 4,000 other conference attendees. While they jockeyed for another cup of free coffee, I got about six rows back from the stage. Yes, this is a geek rock show.

Some great small sessions today, too. The first was The Application Security Debate: Tools and Techniques. There was little debate, per se, and fewer tools or techniques, but that didn't mean there was no good conversation. Caleb Sima seems to think cross site scripting is the biggest threat to web apps today, and going to be the most widely used. Sure, I see it, but general mis-configurations of servers themselves and poor coding in the app space seems to be the root cause of the issue. One interesting point made was that of database encryption... Your web app has to be trusted by your database (or whatever mediator you may have in between), so if that's compromised, then all the encryption in the world on resting data won't do a thing to keep that information safe - the data will be decrypted as it's served back to the app, and to the attacker. Ouch.

Eugene Kaspersky (the namesake of the same AV company) gave a great overview of how virus and malware writers have modified their tactics over the past 15 years. He believes traditional virus writing is a dead art, to be replaced by "crimeware" type goals in the future. Why do it for fun or bragging rights when you can do it for cash? Good point. He also noted that the rise in malware in the 2002-2003 timeframe coincided with the explosion of computer technology and communication across China. Biggest things to look out for now and in the coming days: expanded use of encryption to hold a user's data for ransom, and more malware that directly attacks anti-virus software, disabling, corrupting, or removing it completely.

By far, the best talks are the interactive demonstrations of tools and exploits. And nothing tickles me more than some good Bluetooth cracking. This is nothing too new (although there are some new tools and exploits rumored to be coming out at Shmoocon this year - which is sold out, BTW), but still dangerously overlooked. We scanned up some devices, enumerated them, smurfed them, hijacked an earpiece (and eavesdropped on it), and all sorts of fun stuff. Funny I saw this... over the past 48 hours I've been doing my own sweeps of BT devices around the conference, for kicks. I've got up to 20 at one time, and never less than 5. I need to go check out Car Whisperer and BTCrack, two tools I haven't looked at.

Johnny Long was doing the Hollywood Hacking presentation again, but since I've already done that one (see the REBL conference in the archives!), it was skipped.

Spent much less time at the expo floor today, so the take is a little off:

  • Pens: 6
  • Shirts: 2
  • Self-retracting CAT5 cables: 2
  • Cozies: 1
  • Misc: 2 (including a chocolate bar and a magazine)

I turn down Frisbees and any of those squishy stress-squeeze things. On the bright side, I've been invited to the Secure Computing RSA Executive Reception, and that's worth at least two shirts and a bag.

RSA Conference Travel Log: Day 0
5-Feb-2007

I call it "Day 0" because, well, that's how you start to number an ordered set, but also because today wasn't really a full conference day. Vendors were mostly arriving this morning, participants during the evening. The day wasn't even close to lost, though, as I attended a multi-talk and hands-on workshop with the people from the Trusted Computing Group. This group, if you've been living under a rock for the past few years, is working to create and publish standards for "trusted computing" building blocks to be adopted by vendors on all levels of the software and hardware development chain.

You might have heard about the TPM - Trusted Platform Module - a chip that is most likely in your new laptop that acts as a small co-processor and storage medium for things like passwords, cryptographic primitives, and certificates. Why is this important? Because it's taking security into the hardware layer of your computing platform. This can be extremely powerful and difficult to circumvent if deployed properly, or extremely painful and difficult to correct if someone finds vulnerabilities in its implementation. They've also developed standards for protecting data at rest, network access control (now simply called NAC), mobile devices, server protection, and software implementations.

Demonstrations included (I attended the networking track...) the ability of a network device to ask a host's TPM for an attested report of the PC's current configuration. If the PC was running software it wasn't supposed to (like malware), not running some software (like an AV client), or had something connected to it (like a USB drive) that shouldn't be there, the network device could drop the host from the network or shove it off into a highly restricted part of the net until corrective action was taken. They even demonstrated how having a non-authorized device connected to a host would prevent it from booting up - using Fedora, no doubt.
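To make the demonstration concrete, here is an added example (mine, not the TCG's or any vendor's code) that models the TPM 1.2 PCR extend operation and the enforcement point's decision: golden PCR values for the boot chain, required and forbidden software in the host's measurement log, and a check that the log actually replays to the quoted PCR values, which is what stops a host from simply editing the list it reports. Component names, PCR assignments and the policy lists are assumptions for the example, the TPM's signature over the quote is assumed to have already been verified, and the USB-device case is not modeled.

```python
import hashlib

ZERO_PCR = b"\x00" * 20   # TPM 1.2 PCRs are 20 bytes (SHA-1) and start zeroed at reset


def extend(pcr, measurement_digest):
    """TPM 1.2 PCR extend: new value = SHA-1(old value || measurement digest)."""
    return hashlib.sha1(pcr + measurement_digest).digest()


def measure(component):
    """Stand-in for hashing a binary or config file: digest of its name (constructed)."""
    return hashlib.sha1(component.encode()).digest()


def build_log(entries):
    """Measurement log as the host writes it: (pcr_index, component, digest) per event."""
    return [(idx, name, measure(name)) for idx, name in entries]


def replay_log(event_log):
    """Recompute PCR values from the log; the verifier does this rather than trust the log."""
    pcrs = {}
    for idx, _, digest in event_log:
        pcrs[idx] = extend(pcrs.get(idx, ZERO_PCR), digest)
    return pcrs


# Policy held by the network enforcement point (all names are assumptions for the example).
REFERENCE_BOOT = [(4, "bootloader-v1"), (5, "kernel-2.6.18")]   # known-good boot chain
GOLDEN_PCRS = replay_log(build_log(REFERENCE_BOOT))           # expected PCR 4 and 5
REQUIRED = {"av-client"}                                      # must be measured into PCR 10
FORBIDDEN = {"rootkit.sys"}                                   # must never appear


def admission_decision(quote, presented_log):
    """Decide 'allow' or 'quarantine' for a host from its PCR quote and measurement log.
    The quote is assumed to be TPM-signed and the signature already verified."""
    if replay_log(presented_log) != quote:
        return ("quarantine", "event log does not replay to the quoted PCRs")
    for idx, golden in GOLDEN_PCRS.items():
        if quote.get(idx) != golden:
            return ("quarantine", "PCR %d differs from the golden boot chain" % idx)
    running = {name for idx, name, _ in presented_log if idx == 10}
    bad = FORBIDDEN & running
    if bad:
        return ("quarantine", "forbidden software measured: " + ", ".join(sorted(bad)))
    missing = REQUIRED - running
    if missing:
        return ("quarantine", "required software not measured: " + ", ".join(sorted(missing)))
    return ("allow", "host matches policy")


def scenario(true_events, presented_events=None):
    """The TPM's PCRs reflect what actually ran; the host may present an edited log."""
    true_log = build_log(true_events)
    quote = replay_log(true_log)
    presented = true_log if presented_events is None else build_log(presented_events)
    return admission_decision(quote, presented)


CLEAN = REFERENCE_BOOT + [(10, "av-client")]
INFECTED = CLEAN + [(10, "rootkit.sys")]
NO_AV = list(REFERENCE_BOOT)
BAD_BOOT = [(4, "bootloader-evil"), (5, "kernel-2.6.18"), (10, "av-client")]

if __name__ == "__main__":
    print("clean     ", scenario(CLEAN))
    print("infected  ", scenario(INFECTED))
    print("no AV     ", scenario(NO_AV))
    print("bad boot  ", scenario(BAD_BOOT))
    print("edited log", scenario(INFECTED, presented_events=CLEAN))
```

The last scenario is the one that shows why the hardware matters: the infected host presents the clean log, but its TPM extended the rootkit's digest into PCR 10 and cannot un-extend it, so the log no longer replays to the quote and the host is quarantined anyway.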

Anyhow, before all that Roger Kay gave the keynote for this half-day session, espousing the good of the TCG and refuting any corporate or institutional nay-sayers. I asked him after the keynote what he thought of the State Department's canceling of many a Lenovo PC order when they realized the company was one of Chinese ownership - i.e., if those machines had TCG standards, and the State Department didn't trust the manufacturer, doesn't that mean they can't trust TCG standards any more than the implementation? Answer: It was all political (he suspects HP of planting the seeds of doubt, too).

On the swag tip, we got first shot at the vendors' expo floor tonight, along with food and booze about every 40 feet. Here's tonight's take:

  • Pens: 8
  • Shirts: 5
  • Cozies: 3
  • Bags: 2 (one laptop bag!)
  • Books: 1 (Enemy at the Water Cooler, Syngress Press)
  • Misc: 3 (including a 128MB USB thumb-drive)

Yeah, only 8 pens. I'll never reach 100 by the end of the week, but I got sucked into "the hard sell" a few too many times.

Looking forward to tomorrow - Keynote Bill Gates, and oh, did I tell you? Ze Frank is here! No kidding! He's helping open the show tomorrow! Holy crap!

A "Secure" Marriage
3-Feb-2007

Colin got married, and I have the pictures to prove it. Go check them out here, and see if you can name all your favorite information security celebrities! Remember, if you want full-size or high resolution shots, drop me an email and I'll send them along. Good luck to Colin and Julie, and I hope they're enjoying their well deserved honeymoon.

I'm attending the RSA Conference in San Francisco this week, leaving tomorrow. How many vendor pens/key chains/badge holders/shirts/bags/etc. can I get? We'll know soon.

One month, thirteen days, and counting...
7-Jan-2007

Happy New Year! I've been doing well keeping up with the social experiment over at MySpace for the past month and a quarter - the blog function is fun because I can blather on about anything I want, and leave the security stuff to rest a bit.

I'm currently reading The Art of Deception: Controlling the Human Element of Security by one Mr. Kevin Mitnick. Thus far the examples and scenarios described, as well as the psychology behind them, are solid. The scary part is that I now realize I sometimes use the same tactics to get what I want when dealing with others. Sketchy. This book is Kevin's first foray into the legitimate world of security consulting after his not-so-short stint in federal prison late in the 1990s. I started reading about Mr. Mitnick around the same time, in a book titled The Fugitive Game: Online with Kevin Mitnick. A seemingly balanced book, it let me decide for myself that Kevin is/was a serial trespasser, and that John Markoff is indeed an opportunist. What's this you say, Greg? Someone from the New York Times sucks? Say it ain't so.

Anyway, new pictures and videos up over in the stuff section - much craziness was had down in Orlando/Tampa over new year's and during the Outback Bowl. Enjoy.

Social Networking and Identity Theft - Now with ads!
26-Nov-2006

Ok, so everyone has a MySpace page. My sister, my friends, people I don't know, professionals I respect. So I've given in and made one for myself. Here's how I'm rationalizing it: I cram this place with INFOSEC and Information Assurance noise, so the MySpace joint will hold more content on non-geek stuff. Deal? Knew you'd like it.

I'm over at this link.

CNBC had a great special on this past weekend called Big Brother, Big Business. The man Johnny Long was on for a bit talking about finding private information with Google (that is, "Google Hacking"). I like these shows - they make the point to the general public, but the only disappointment is that by the time they're produced and aired, the dirty tricks they're showing are so old that the real bad guys have moved on to new tactics. Not that these new tactics aren't publicly known, but the average "news" media outlet doesn't talk about them until it's old hat.

Rhymes with Republic...
7-Nov-2006

Just voted.

I love electronic voting, but looking at it from the perspective of a non-tech person or generally an older or uneducated inner-city citizen, I'd be confused, too. The Diebold machines aren't visually intuitive when it comes to listing directions (or anything for that matter), and the voting judges gave ME the smart-card to insert into the machine and return to them when I was done - full control. Wouldn't be tough to swap it out or make a copy or generally screw with it while in my hand. I'm assuming there's some sort of cryptographic security on it, but considering Diebold's record, I may be assuming wrong.

Democracy!
5-Nov-2006

Whatever you do this Tuesday, do not vote for me.

REBL Symposium: Day 4
2-Nov-2006

One more Power Point presentation and I swear, I'm going to implode.

I saw a Microsoft employee today, a real, live Microsoft employee. He talked about rootkits. What's this? A paid employee of Microsoft talking about the Windows operating system getting infected with bad, bad things? Actually, Mr. Kurt Dillard was one of the most frank, well-versed, and highly knowledgeable representatives of a 'vendor' we saw this week. Most vendor reps come to ultimately sell you something or poke holes in others' products, but Kurt was actually discussing the attack vectors against his own company's products.

So, what's a rootkit and why do I care? Simply put, it's a piece of software that hides malicious software, activities, and processes from you, your computer's operating system, and anti-virus/malware/spyware programs. Some of the more widely used include Hacker Defender, FU, BluePill, SubVirt, HE4Hook, and of course Sony's own - distributed on their music CDs, installed without your knowledge, and the most successful rootkit implementation to date (this is what class action lawsuits were invented for). These particular packages are great for hiding spam-reflecting software, illicit files, attack software, spyware engines, etc., and run the skill scale from script kiddie to professional programmer.

Hacker Defender seemed to be the most widely deployed package, but Kurt had some interesting comments on it. In particular, you can either purchase a full version or download a 'trial' version - the free version has an interesting bug. Almost all rootkits will hide the fact they're running from your system process list, hide any open ports they're listening on, hide their files, and even go as far as forcing the file system to mis-report the amount of free space on a drive (to hide other files you may have under the protection of the rootkit). The free version of Hacker Defender doesn't prevent its startup activity from being written to your system log, though, a clear no-no when trying to be stealthy. This also goes to show that port scanning your own boxes once in a while is a good practice, too - even if a kit hides ports it's opened on your machine, a scan against you from another machine will reveal those ports. Nice.
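Here is an added example (mine, not from the talk) of that cross-check in Python: it opens two real TCP listeners on the loopback interface, parses a constructed netstat-style listing from which a rootkit has filtered one of them, connect-scans both ports "from the outside", and reports the listener the host's own view denies. The listing format and the port numbers in it are assumptions; on a real network you would run the scan from a second, trusted machine against the suspect host, since a hooked netstat can lie but a completed TCP handshake cannot be hidden from the scanner.

```python
import re
import socket


def start_listener(host="127.0.0.1"):
    """Open a real TCP listener on an ephemeral port; returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(5)
    return s, s.getsockname()[1]


def parse_netstat_listening(text):
    """Ports a netstat-style listing claims are LISTENING. This is the host's own view,
    which a rootkit can filter; it is what the outside scan is compared against."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def scan_ports(host, ports, timeout=0.5):
    """Connect scan: a port is open if the three-way handshake completes."""
    open_ports = set()
    for port in sorted(ports):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.add(port)
    return open_ports


def hidden_listeners(local_view_text, host, ports_to_scan):
    """Ports open from the outside that the host's own listing does not admit to."""
    return scan_ports(host, ports_to_scan) - parse_netstat_listening(local_view_text)


def demo():
    """Two real listeners; the constructed local listing omits one, as a rootkit would."""
    vis_sock, visible = start_listener()
    hid_sock, hidden = start_listener()
    # Constructed netstat-style output; the 135 entry is filler, the hidden port is absent.
    local_view = (
        "Proto  Local Address          Foreign Address        State\n"
        "TCP    0.0.0.0:%d              0.0.0.0:0              LISTENING\n"
        "TCP    0.0.0.0:135            0.0.0.0:0              LISTENING\n" % visible)
    try:
        found = hidden_listeners(local_view, "127.0.0.1", {visible, hidden})
    finally:
        vis_sock.close()
        hid_sock.close()
    return found, visible, hidden


if __name__ == "__main__":
    found, visible, hidden = demo()
    print("local listing admits port %d; outside scan also found %s" % (visible, sorted(found)))
```

In practice you would feed `parse_netstat_listening` the output the suspect box itself produces and `scan_ports` the full port range from the second machine; any port in the difference is either a service the host is lying about or a firewall quirk, and either way it deserves a look.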

I also want to give a shout out to Navid Jam, a friend of mine that attended CMU at the same time - he presented some fantastic vulnerability research he's done on video conference systems today. I happened across his presentation at the national labs, so I don't think he'd mind me linking to it here.

Ok, I'm off to start tearing at my new DSL modem. Did I mention that I've dumped Comcast in favor of Verizon? I'm a fan of neither, but their consumer wireless AP and DSL modem device is giving me a new project. (hint: it's one of the least secure network devices I've recently seen on the market - I'd say Verizon is almost negligent in selling this under their name - more on this later!)

REBL Symposium: Day 3
1-Nov-2006

Now this was an intellectually stimulating day (and not just because Lost is on tonight).

Alan Paller gave the opening keynote this morning. I've conversed briefly with him in the recent past regarding the cyber-extortion research from back in the day, but was pleasantly surprised to see that a good deal of his current focus deals with researching illegal internet activities (and extortion). The Billion Dollar Cyber Crime Wave: What it Can Teach Us About How Government Systems Will Be Attacked. There's no way I can summarize the entire hour-long discussion here, so I'll use some magical HTML bullet-list goodness to highlight the more interesting points:

  • Asian crime on the Internet (mainly from Southeast Asia) has spiked. Some of these cultures consider stealing money from U.S. entities an almost noble venture. Understand this and you'll understand it equates to a growth opportunity in those geographical areas.
  • Since two years ago the going cost of infecting a bot (zombie, p0wn3d box, etc.) with spyware has fallen from $.09-$.15 to $.03-$.06 per infection. Zombies can be rented for about $1 per week for use in directed DDoS attacks. Does anyone else see the economies-of-scale effect in the first scenario?
  • Application vulnerabilities, application vulnerabilities, application vulnerabilities. Forget trying to circumvent firewalls and operating system or kernel-level security, there's an abundant amount of vulnerabilities in the applications we run. Web services and/or web-applications are the best way to enter networks.

Ok, none of that is really earth-shattering, but it's good to see that someone is paying attention. And, the audience needs to see this. Hell, they need to see it again.

In another thread Johnny Long from johnny.ihackstuff.com gave an amazingly entertaining presentation on "Hollywood Hacking". We all know this - if you think movies like Enemy of the State or Hackers or (God forbid) Swordfish even begin to portray our world then you probably believe Ice Age II was a documentary. Mr. Long took an hour to tear apart these Hollywood flights of fancy six ways from Sunday - and it was great.

Oh, and don't forget kids, if you don't capitalize on your education, you'll end up voting for someone like John Kerry.

REBL Symposium: Day 2
31-Oct-2006

Today's presentations were unfortunately cut short - for me. Had to return to work for a meeting, so the afternoon was shot.

The most interesting comment today (from a very prominent INFOSEC professional) was that the accreditation processes in use by the federal government (and by extension most large organizations in the world) actually act as a detriment to the fast and efficient securing of the very systems they intend to accredit! The CISSP curriculum devoted a large area to certification and accreditation work, responsibilities, and players. Even there a casual observer could tell the entire concept could easily fall prey to the trappings of bureaucratic layers and organization. This was echoed not as a warning, but as a reality today.

And I couldn't agree more. Some (most) of the discussion that my panel back at CMU had a few weeks ago centered on the effects of legislation and consulting on the security and cost of security for both private and publicly owned information systems. In one case (certification and accreditation as a concept) the amount of paperwork required is overwhelming. In the other (C&A as a product) you enter the realm where those selling the services begin to view the concept as a revenue stream to be nurtured for further benefit - I believe they say that they don't want to "leave money on the table", yes?

Tomorrow Alan Paller, of the SANS Institute, is on the agenda. I've got high hopes.

Happy Halloween - I dressed up on Saturday, along with half of Baltimore - it was good. Real good.

REBL Symposium: Day 1
30-Oct-2006

Whoa, over a month? Sorry about that. I've had a watershed past few weeks, so I've fallen a bit behind on the semi-regular postings. It doesn't excuse me, but hopefully it explains. Recently I was a panel member at this year's Carnegie Mellon alumni reunion. Our topic was Controlling Cybersecurity Costs: How much should it cost? I'll post more later on this subject when (if) I get the pictures from the alumni relations staff.

Anyhow, I'm currently attending this year's REBL Symposium at Johns Hopkins Applied Physics Laboratory here in Maryland. The symposium is a collection of discussions, presentations, and keynotes by information assurance professionals who focus on securing the data, networks, and resources of federal government information systems. This includes civilians, contractors, and military. REBL is a mash-up (I can't believe I just used that phrase) of REd Team/BLue Team.

I was ecstatic to see Lance Spitzner was on the agenda today - the fact that I got to hear the founder of the Honeynet project discuss the current state of Honeynets and Honeypots made the entire week worth it for me. If you're not familiar with this project - you should be, I've mentioned it in the past (read this book!!) - head over to their website and read up a bit. It's what drove me to set up my own honeypot back in grad school to catch an automated (and successful) attempt at taking over a poorly-protected computer.

Summary? The time to compromise for an unprotected computer attached to a network falls between 8 to 15 minutes. Think about that one for a while.

Security for Lonely Business Travelers
10-Sept-2006

An interesting thing happened to me while recently traveling on business: I realized that some hotels still provide PCs in a small office setting for business travelers who may not have a laptop. Great service, but I had to explore a bit to find how their security is set up.

A reasonable approach would be one that is typically seen at well-run internet cafes and gaming centers: the PC remains logged in under a restricted account that is only allowed to use specific designated applications (such as a web browser), temporary files and Internet histories are cleared at regular intervals, and deleted files and "empty" disk space are securely wiped. This, respectively, keeps normal users from installing their own software (or letting a nefarious email or website do the same), blocks access to installed applications that shouldn't be used, and keeps files a user may have temporarily left on the disk from being snooped through by the next person. This is not a scheme that's difficult to set up. Honestly, this is how most corporately administered PCs used by employees should be administered, too. Unfortunately, that's not what I found.

The machines were set up as most home users' PCs are: logged into the administrator account with full rights and privileges (the administrator password was actually written on the monitor). Antivirus software was installed and updated, but that's where it ended. I sat down to find three toolbars installed in Internet Explorer, four different IM clients, random downloaded files scattered on the desktop, and someone had entered their personal email credentials into Outlook Express. There was a Spongebob Squarepants game installed. Meeting notes and information on proposals were saved in files accessible to me, who had no business seeing that stuff. Finally, there was a long history of visited websites. From that single cache I learned that almost half of the browsing was done to Internet dating sites - there's some lonely travelers out there.

No way was I going to even log into my web mail account (one word: keyloggers) without making some security tweaks first. Why not? There was no acceptable use policy posted in the room, on the computer, or as a logon banner - another small but useful item for publicly used computers. So, I did the Hilton Corporation and its guests a favor by cleaning up the PC before I used it myself. Here's what I did, and what I suggest you do, too, if you find yourself in this situation:

  • Uninstall any applications that are inappropriate (sorry Spongebob), out of place, suspicious, or outright shady. This includes strange browser add-ons, unknown IM clients, and sketchy search tools.
  • Check how fresh the virus scanner's definitions are. If they're stale, update them and run a scan. If no antivirus software is installed please abort the mission immediately, and scowl at the people behind the desk on your way back to the mini-bar.
  • Reboot. Check Windows Update for needed security patches (assuming it's a Windows PC). Reboot. Wash, rinse, repeat.
  • Download Spybot Search and Destroy and AdAware, install, update, and run.
  • Clear the browser history and cache (temporary files). Have some fun first by peeking at what others have been doing on that Internet connection. Point and laugh as appropriate.

At this point the machine should be safe enough for casual browsing and checking 'o email, but I'd avoid any sensitive work. Remember to clear your browser cache and history again before you leave, and maybe even log out when you're done to let the operating system clean up any artifacts from your profile.

On another note I partied out in NOVA last night with the guys from Geekpad.com - they've got a beer pong table engineered with an automated ball-washing machine!

IS-10: Animals in Disaster, Module A
4-Sept-2006

The US Department of Homeland Security is now offering a set of classes on-line targeted at emergency management, first responder, and community security minded people. They're free, short, and aim to get people involved in these types of activities speaking the same language when it comes to dealing with emergencies. Check out IS-22 to be an upstanding citizen or IS-100 if you really might work these issues.

It's part of the Emergency Management Institute on the FEMA site right here. Thanks to Captain Dick Squitieri for the link.

Mini-Vacation
14-Aug-2006

I like to wakeboard! And I'm still in mini-vacation mode until tomorrow morning, sorry. Nothing of substance here, although I did read a paper on a decentralized network coordinate system (Vivaldi) and the proper response to online extortion. The former is complex and seems to assume network bandwidth is expensive, and the latter needs to explain more novel conclusions, IMO... but it's one of the few works on that subject, and we need more.

Lies, Damn Lies, and Free Movie Downloads
02-Aug-2006

My father recently pointed me to a site that was advertising FastMovieDownloads, asking me if it was better than Vongo, and more importantly, if it was legal. Although I shouldn't be, I was a little surprised these kinds of sites are still around. They're quasi-social engineering sites that lead you to believe you can legitimately download copyrighted material, any kind, for a small fee. They don't specifically say it's mainstream media, but you tend to believe so since the site is so pretty and flash-animated and you've paid for their movie download software. Just another scam to make you pay for otherwise free P2P software, then point you off to BitTorrent sites, or the like, to break the law like everyone else.

Security-wise, this is a problem. Unknown software on your computer, your email address and whatever information that software is reporting back to the mothership in someone else's hands, and now the evil MPAA or RIAA can come take away your wheelchair. But, this is a good reason to do a little breakdown of what happens, and look through this particular scammer's FAQ. What follows is my email response: each of the scammer's FAQ entries is quoted first, followed by my comment (originally my text in blue, the scammer's in black).

Here's what this is... you sign up, you pay for a membership or something, then they provide you with their free "movie download" software. That software is just a slightly modified (or not) BitTorrent or other P2P software. Then, they'll tell you to go find movies, or maybe point you to some sites that host BitTorrent trackers.

You're probably asking yourself, "why pay for that when BitTorrent software is free and I can find the trackers on my own?". Because this is a scam.

Legally speaking, they're not breaking the law unless they actually provide you with trackers or links to illegally copied movies/files/music. All they're doing here is giving you some software that the Supreme Court already ruled has significant legitimate uses.

Let's take a walk through their FAQ:

What movies do you have? The network has almost everything you could want - over six million files! If it's interested someone, somewhere, chances are, it's on the network.

... are they affiliated with any studios? Can you name some of the films, please? Who owns this "the network" on which these movies reside? In comparison, take a look at Vongo's website, or Movielink, or Netflix (they'll be offering downloads soon). They've got titles of the movies plastered across their homepages (no doubt through some Hollywood studio payola scheme), the first question on their FAQ is "how much does it cost?", and the cold, hard reality of DRM is evident when they tell you that you can only make one physical copy, etc.

How long does it normally take to download a file? It really depends on the speed of your connection. With a regular 56.6 Kbps modem, a three megabyte file will take about seven minutes to download. Larger files will take more time to download.

... and a three megabyte file gets you barely a low-quality MP3 file. A compressed movie is between 700MB and 4GB. This language shows that they're targeting people that haven't done this before.

Is my registration secure and confidential? Your privacy is very important to us. We'll never share your information with other organizations or individuals.

As Penn & Teller would say: Bullshit.

When I open the software, it does not want to connect to the server. This is due to firewall software on your computer blocking the network traffic. The program cannot connect if your firewall is blocking access. If you have Windows XP, disable the XP firewall in the systems settings in the control panel. To do so, simply follow these directions...

WHAT?!?!

Ye Olde England
23-July-2006

England, what a trip. I just returned last night from a week-long work related adventure through Great Britain. Most notably we did not make it to London, although we flew in and out of Heathrow. The country itself is beautiful, like Pennsylvania dotted with castles, keeps, and ornate churches (well, more churches, anyhow). Hoping to escape the brutal heat of Maryland, I was actually looking forward to overcast and/or cool weather. That didn't happen. And no, no air conditioning to be found. Theakston's Old Peculier took the edge off, to be sure.

Driving on the "other" side of the road is easier than catching on to local slang and the entire country's insistence on using different nouns for common objects. Lorry = truck, hired = rented, petrol = gas. By way of example: We needed to call a lorry to tow the hired car to the garage after I filled the petrol tank with diesel. Hey, in the US the green handle is diesel, everything else is normal gas. In the UK it's the other way around... I'm a very visually oriented person.

The pictures are over here.

The CISSP - PASSED!
14-July-2006

I got the official email from (ISC)2 yesterday - I passed the CISSP exam. Awww yeah. But, can't use the designation until my credentials come in the mail in about two weeks. Ok, cool.

Don't you hate it when you want to print out some material from your ACM Portal online library to read on a trip, but their site stops responding? Then you run out of printer paper? I hate that, too.

Jay & Matt's Street Cred
10-Jul-2006

I put up a video showcasing Jay and Matt's hip-hop abilities over in the stuff section...

Muy caliente Austin!
9-Jul-2006

Oh. My. God. I'm listening to some old Kraftwerk and just realized that Electric Cafe (from the album of the same name) is the theme music SNL used for Sprockets!

Austin was fantastic, as usual. We did well in the Silicon Labs relay marathon, besting 23 other teams such as Chicas and the Man, Intergalatic Stumblers, and D's Nutz, with an overall time of 4:04:07 at a 9:19 pace. Check out the pictures here or click on the below photo for the week-long goodness. Thanks to Natilie for getting UTAC as our corporate sponsor.

No word yet on the CISSP, we won't find out until about the 12th.

The CISSP is a very, very difficult exam. Really.
27-Jun-2006

Ok, I had to take a day there to re-power before even considering using this strange "computer" technology all the kids are down with these days. That exam kicked me squarely in the taint, but I'm hopeful. I've got to be, because there's nothing I'd change on the studying I did... I'm going to say something contradictory: You must prepare for the CISSP, but nothing will prepare you for the CISSP. Those $100 books? Yeah, they help a bit, but you should know most of that through your experience as a security kung-fu master. I'm not going to give any question examples (that's against the rules) but forget about questions that seem to have more than one right answer. Fear the questions that seem to have no right answers. Observe:

Q189: 2 + 2 = ?
a) 15
b) 5,098
c) 8
d) purple

No, there are no addition questions. I ran into more than one of these "there's no best answer" types. 250 questions, and they seem to go from the mundane to the ludicrous. The "tester" questions that didn't count seemed pretty obvious (If classical string theory dynamics are described by a conformally invariant 2D quantum field theory, how are p-brane world volume theories described?).

On another note, what the hell is up with Homestarrunner? They haven't posted an update in over a month now... I'm dying for a Bubs fix.

The Examination
25-Jun-2006

** Update ** Gotta check out this video. Who else is sick of Comcast and their crap? Oh, if you're downloading something large or streaming some media and the connection just dies and refuses to restart, just let a nice stream of ICMP echo requests flow toward Comcast: ping -t www.comcast.net. That'll keep your streaming or downloading working until you're done...

I'm sitting for the CISSP exam tomorrow, and here I am typing away at this website. What's that all about? Information overload, so I decided to rip my new Gnarls Barkley CD (thanks WTMD!). And type this. I've been known to forget how to type over the weekend and end up fumbling around my keyboard at work on Monday, so I consider this activity career-enhancing. Let's list off the ten domains of information security:

  • Access Control Systems and Methodology
  • Applications and Systems Development Security
  • Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
  • Cryptography
  • Law, Investigation and Ethics
  • Operations Security
  • Physical Security
  • Security Architecture and Models
  • Security Management Practices
  • Telecommunications and Network Security

So which one is my favorite? They're all my children, so I can't pick favorites. But I like architecture. And crypto, but who doesn't? What's the deal with certifications, anyhow... like a person's education and experience don't speak for themselves.

Driving to work last week I pass a speed trap. Police car pulls out behind the car that's behind me and pulls them over. The very same day, returning home, I pass another speed trap. Same deal, but this time the person behind me attempts to get in front of me and somehow hide their Buick in front of my car. Surprisingly, the police officer sees them, and a little dance ensues at fifty-five miles per hour while the soon-to-be-ticketed driver attempts to dip in and out of other lanes. Not smart, pulled over. Thanks for playing. If the police can drive unmarked cars, we should be allowed to drive police cars. Let's make a game out of it.

Return of the Comments
04-Jun-2006

Believe it or not after I redesigned the page Google completely dropped me from their listings... I guess PageRank doesn't really care for splash/menu pages, even with metadata. Whatever. So, comments are back on the front page so stalkers, ex-girlfriends, lonely surfers, and the curious can find me again.

Speaking of ex-girlfriends, it seems that women, when they leave me, have taken to leaving me with ties. I acquired an excellent tie from Amy shortly before she fled the United States. I remembered this when I was hanging up a tie I received on my birthday in March from my now ex-girlfriend. I'm starting to think that I'm okay in the tie department. Maybe next time I'll start hinting about electronics or even a simple cash pay-out when things seem to start sliding.

On a lighter note, I present you with pictures from my phone (which I recently hacked, thanks to MotoModders). For your enjoyment I present the worst named Indian restaurant on earth, or at least in Silver Spring, Maryland, and what I'd deem a bad choice in tattoos. I like to think the symbol is "dunk".