I've got to say that I find this a little humorous - aside from the fact that most all Wired articles are written for the non-technical, what's the benefit of this?

Consider: encrypting communications from your computer to Google's servers (or your bank, or Facebook, or anyone) only protects your information from inteceptors with the most pervasive access. That includes nation states and your Internet service providers. Unless one of those is attempting to steal your bank login creds, it's really a risk with very, very low probability of happening.

But yes, your credit card payment site will say that you're 110% secure with SSL. Quite the mis-direction, if I say so, since your information is stolen directly from your computer, or theirs, not in-between.

It's hard to find time to write pointers, but even worse when you've got a head cold like I do today. I blame it on hackers, we all should.

RSA is only five weeks away - shoot me a message if you'll be out there!

Zero Day over at ZDnet has a good breakdown/FAQ about the Google/China issue, written by Dancho Danchev. I appreciate the detailed information and most of the insight, but I've found a critical flaw in Mr. Danchev's rationale. In the final page of the discussion, Mr. Danchev airs his doubts that the Chinese government would actually have taken an active role in the incursions into Google and the 30-odd some other American companies. The reasons are plausible: setting an agenda for 3rd parties but saying on the sidelines will risk-forward the results of the activity to "hacktivists" while still gaining benefit for the overall government agenda.

The flaw I see, though, is that these attacks aren't, as reporting has stated, something of the standard hacktivist modus operandi. We're not talking about website defacements. We're not considering rival non-governmental social or political groups. We're not even discussing white or gray-hat hacker teams. The attacks aimed to acquire proprietary information from the companies compromised. This leaves open the implication that it could be industrial espionage from within China, except for one thing - the added incursions into human rights activists' email accounts. That's something outside the goals of industrial espionage. Theft of commercial technology and monitoring of those opposed to specific planks of the Chinese Communist Party's agenda.

If I were you, I'd start looking at who stands to benefit the most from this activity.

No notice of Clear in Baltimore just yet. Have a feeling they'll make a show of it when it happens.

Anyhow, here's those scans I promised a while ago. We've got... Fedora 11, Ubuntu 9.10, FreeBSD 7.2, and Windows 7. Full port reference scans of default installs. I had to open the ssh service in FreeBSD so I could, you know, log in. I also opened the FTP service, so.. forget those.

Revenge is a dish best served cold. Or with candid wedding reception pictures and a little video post-production.

I just read over on the Baltimore Sun's tech rumor page that some XOHM customers have it on good authority that the move to Clear Broadband's infrastructure should happen on or about December 2nd. The current customers have speed problems now, but if they rave about it after December, I'm on board.

Read more about the technology. It's bigger outside of the US, particularly in places where a wire/fiber infrastructure is too costly or inefficient to build. Think developing parts of the world: Africa, rural India and Asia.

Oh, Cavalier, how embarrassing. I know you're traversing Verizon's infrastructure, but are you now outsourcing your local transport management to them? Avoid their routers, please.

The "high speed" Sprint EvDO service on my cell phone is running faster than my DSL. I'm cursed when it comes to broadband access. So, I can't even play HL2 because Steam won't connect to verify me. What now?

How about we install Fedora 11, FreeBSD 7.2 and Ubuntu 9.10 (x64) in VirtualBox running over my current Windows 7 (x64) install. We'll see how well that acts as a host O/S running on an Intel quad-core, 8GB rig. Maybe someday I'll portscan the systems, see how accurate the newest version of Nmap is, and see if we can't force this post up onto the Internet...

I booted "Myspace" for Facebook a little while ago. They're right, it's much better. Anyhow, when I ask some people if they have an account, I often encounter the "I don't want people to find me" / "don't want my information on the Internet" excuse. On it's face the excuse sounds reasonable, but it doesn't stand up under minor scrutiny.

The logic is typically based on the horror stories we hear regarding employers checking up on you online, elementary school teachers' drinking tirade photos being posted, and other such self-inflicted digital embarrassment. Here's something to ponder: There's information you can control, and there's information you can't control. Don't concern yourself directly with what you can't control, but can use the information you do control to influence what you cannot. If you post embarrassing pictures or create the persona of an immature person, you get what you deserve. If you actively cultivate the image of a responsible, upstanding citizen, you'll benefit from those times when your future employer, romantic interest, news outlet, or law enforcement agency check up on you.

So, go get that Facebook account. Mind your pictures. Police your comments. Control what you can, and the rest will fall in line. The things you truly don't want out there may or may not show up, but only in places you can't control. Remember Larry Ellison: Privacy is dead. It has been for a long, long time.

Homestarrunner.com finally made a brief animated documentary on my high-school years. Wonderful.

Now I know what I'll be doing in the airport this weekend: WPA is partially broke. Oh, well. I know people that still don't lock their APs down as-is, and I'm not talking about my neighbors, although they're big offenders. Thanks to Jason for the link.

Papers to read on the plane: The Ghost in the Browser: Analysis of Web-based Malware, Highly Efficient Techniques for Network Forensics Attacks. Not to mention a stack of magazines and journals that have been steadily piling up. I'd like to opt-out of the boring ACM articles, please.

Two new books en-route: The Web Application Hacker's Handbook and Murach's Java 6 SE.

Pictures of Natalie & Justin and Karin & Chris' weddings have been added to prove that yes, I have a life... but still lack a date to these kinds of events. Considering the above, it's not much of a mystery.

I was back at Penn State this weekend for a wedding (pictures later), and much needed non-home-game-football-weekend visit to University Park. While there I planned to find an updated version of the O'Reilly Java Cookbook - figured there's a good chance of finding a used copy of the newest edition cheap since, well, it's a large university. Wrong. They still rip students off. Not only could I not find that particular book, but all the books for the Java and C programming courses were insanely overpriced. I'm talking about $89 for a used book. $110 new. $80 for an INFOSEC book that couldn't have been more than 150 pages long.

Considering the shelf life of technology literature, they should really take a long, hard, look in the mirror and figure out how they sleep at night.

Anyway, that's what Amazon is for, I guess. My 72 hour furlough to Penn State had a profound effect on me (much as our football team had a profound effect on Wisconsin during Saturday night's game). So much so, I painted my front door blue today. Yes, that is how I roll, and I sleep very well at night.

I just came across a spectacular example of using "Google Hacking", more professionally known as OSINT, or, Open Source Intelligence gathering, to reveal some nasty truths about the Chinese involvement in the 2008 Olympic games. Over at Stryde Hax blog page he details the steps he used to do a little research on He Kexin's age. If you don't follow any news about the Olympics or otherwise live under a rock, there's been some controversy surrounding her age. Minimum age to participate: 16. Media claiming true age: 14.

Stryde found some very incriminating documents within the Google cache that strongly point to the Chinese government lying about her age (gasp!). He goes on to point out the disturbing fact that as he outs the information, much of it starts to be removed from the Google cache.

Interesting.

Remember Google - do no evil. Liars.

Ok, this is just too great not to mention. Rebuilding my laptop with Fedora 9, I search through the YUM cache for a particular program I find useful. Let's see if you can find it:

snoop@localhost ~]$ yum search seahorse
Loaded plugins: fastestmirror, fedorakmod, kernel-module, refresh-packagekit
================================ Matched: seahorse ======================================
seahorse.i386 : GNOME2 interface for gnupg
seahorse-adventures.noarch : Help barbie the seahorse float on bubbles to the moon

I built a telecom closet for my house - ran all the CAT5e, coax cable, and PSTN to a single location for digital distribution throughout my house! It took a little while, but here's the info. Check it out and drop me a note if you're venturing into something similar yourself.

For about 30 minutes today it looked as if I was going to Blackhat 2008. I'm not.

Not security related, but of interest anyhow. When Google's webmaster tools want you to place an meta-tag or randomly-named HTML file for proof that you own a site - keep it there. Or you'll do it again. Apparently it checks back on occasion and gets really annoying if it can't find what its looking for.

Ok, so now I'm not going to DefCon 16. Now I'm going to Key West for JD's bachelor party and some primo lobster hunting. That's right - hunting.

Speaking of hunting, here's some interesting security pointers:

• Apple software is full of vulnerabilities. It's just as unsecure a platform as Windows, save the fact that exploits haven't been widely written (ostensibly because few people use a Mac, so there's little cost benefit.) I know, we all know this, but these past few weeks, well... they're just getting a lot of bad press.
• I really missed the Storm worm... oh, great, there's a replacement! And guess who sends spam email? You do.
• And finally, do you see that little lock icon in the bottom right corner of your window when you're on that super-safe banking site? Yeah, the one that everyone tells you proves your "safe"? Doesn't mean anything, never really did - particularly when your bank decides to fumble a disk with all your data on it.

Yes! I held off posting here for close to 10 months. That's dedication. All that crap about past RSA conferences, parties, and vacations is off to the archives, where it belongs. My house is completed (May 2007-December 2007), and I've only got two scars to show for it. Neither in cool places. I'll be at DefCon 16 later this year in August - I'm excited, to say the least.

I've dumped Verizon in favor of Cavalier Telephone. I don't remember what a "telephone" is, but it's got to be better than Verizon. I can say right now that I hate Verizon. I have nothing but righteous indignation for that company. I'll detail that out some other time when it's not so late.

New consulting company to keep an eye on: VeriSpect, LLC.