Thursday, July 21, 2005

Pete Ashdown for US Senate

Well in my two year stint in Utah I managed to meet Pete on several occasions. He is a great guy, understands technology; Xmission was to be one of the providers on the network I worked on, and had the public's general interest at heart when he spoke in front of several city council meetings concerning the project iw ass associated with. I wish him luck in his bid. If I still lived in Utah I would happily donate my time and money to help him.

Thanks to Boing Boing for letting me know about this.

Wednesday, June 29, 2005

Berks-Mont Newspapers - Kutztown Area Patriot - 06/23/2005 - 13 teens face felonies: "06/23/2005
13 teens face felonies
By: Dan Roman

Thirteen Kutztown Area High School students are facing felony charges for tampering with district-issued laptop computers.

According to parent testimony and confirmed by an otherwise vaguely-worded letter from the Kutztown Police Department, students got hold of the system's secret administrative password and reconfigured their computers to achieve greater Internet and network access.

Some students used the newfound freedom to download music and inappropriate images from the Internet.

(Via BoingBoing .)

Okay once again people are getting out of control with punishing for security violations.

I would like to first point out that "50Trexler" is a horrid password. No special characters and it is more than likely someone's last name. So the school administration's is already weak before we look at the student's poor behavior. The student's took advantage of their administration falling down on the job - no one was obviously looking at access logs, auditing the computers, or even tracking administration access over the whole year. I notice if someone new has attempted access on my network daily. Handing a tool to someone and then not teaching or monitoring the usage of the tool gurantees that the user will figure out other ways to "play" with the tool.

I am not defending the student's behavior. Was the student behavior right? No! Is it a felony? Well let RIAA decide that one - they like to prosecute old ladies and children. It's like having a substitute teacher in the classroom - you know to a certain degree things are going to fall apart - we all look for human weakness and try to use it to our advantage - high school students do this on a daily basis.

As a security auditor I notice regulary that even if you hand someone a written policy you are never guranteed compliance. However, if you demostrate to the user that there are reasons for the policy and that you are going to monitor their usage regulary - you have a smaller percentage of people abusing the policy. In my eyes the school dropped the ball - the students picked it up and played a game or two. The administration should have stopped the behavior at the first instance and enforced the violation with a solid slap on the wrist - jail might be a bit extreme. Even RIAA just tries to make you pay for violations - helps float the music companies that were robbed at gun point.

Friday, May 06, 2005

Noodling for Catfish

Growing up in North Carolina, not quite a redneck but definately not a city boy we were always looking for ways to entertain ourselves, be it chasing groundhogs with slingshots to shooting branches out from under squirrels so they would fall down into the middle of the girls sunbathing on the quad, but I don't ever remember my old man saying to me, "hey son, let's go grab some catfish by the lips and yank him out of the water. it'll be fun." (remember to say this with a good southern drawl)

Please remember no catfish has lips to harm nor do the people of North Carolina like to equate themselves at the lower social status of those from the armpits further south.

I ger-ron-tee that there are those of a different upbringing than me that will point out North Carolina's own mistakes in not being able to determine whose side it was on during certain 'portant battles of these here 'Nited States. To those I remind you that we still drink and eat our Budweezer and Moonpies or for the youngins RC Cola same as you folk do.

Gosh I sure do miss home.

Thanks to Boing Boing for the link.

Monday, May 02, 2005

I went and "switched" ...

This last week on the way home from the office I stopped off at the local Apple store and purchased a brand spanking new 15" Powerbook, with 100 Gig HD, 1 Gig RAM, and 128 Mb video card. About the only thing left would have been to get the 17" monitor which I see no purpose for.

So I started playing with it as soon as I walked in the door of my house - my wife's comment was something like, "you are more proud of that new laptop than you were when you got your little girl last year for father's day!" She's wrong, I love my little peaches but hey I am a geek and this is a brand new powerbook.

I didn't get Tiger - the guys at the store convinced me to hang on, and I agreed with them. Some great articles about Tiger have been in the news. The best being the Ars Technica article . I have read it three times and have finally gotten a solid understanding of what's going on underneath the hood. I like articles that make me think about how things work. I also picked up a copy of Mac OS X Panther for Unix Geeks. I'm not sure I am a unix geek but this book as showed me how to do things the mac way that I commonly do on all my other *nix boxs.

I have also installed SubEthaEdit, Fink, Ethereal, iTerm, iPodder, and NetNewsWire Lite. All of these programs are shareware utilities. My powerbook was more valuable to me in about 2 hours of work than the usual 4 hours of work it takes me to get my Windows XP boxes ready to go. Plus all of the utilities I installed didn't cost me another arm and a leg to Microsoft for them.

To understand what I mean check out the article I mentioned about comparing Apples to oranges-Dell . That article had a follow up today comparing Apples to IBM Powerbooks.

I am noticing things I need to do some research on: .png files not showing up correctly in Safari, some ASP pages don't behave correctly under Safari or Firefox, editor doesn't have all the options in Safari, have to convert old exchange to mbox then import into mail to import finally into entourage.

I will keep you updated as the machines joins my family of 9 other pcs. We counted them at lunch today.

Oh it already made a friend in my wife. I took my son's first soccer game, edited it with iMovie, and then burned it to DVD with titles using iDVD (5 copies, grandparents, and a dear friend, and of course a copy for mom and dad) all in about an hour. It made up for my sudden infatuation with a piece of warm aluminum.

Friday, April 29, 2005

Standing in the middle of Apple's Tiger Extravaganza

So i managed to get in the door within only about 15 minutes of it's release here in Colorado. Unfortunately I will not be going home with Tiger. I filled my paperwork out and mailed faxed it in this morning. I figure sometime next week I will see my copy of Tiger show up in the mailbox. Overall I think this release will be the one everyone talks about as the main reason they finally made the "switch". It is one of the final factors in why I decided to make the move. The IBM laptop will be made into a dual boot redhat/xp machine this weekend, and I will be a fulltime Mac user. Ahh the fun of belonging to a new cult.

Monday, April 25, 2005

Musings from Mars: Of Course Macs Are More Expensive... Aren't They?

This is a great article. When people start to take this into account and really understand what they are getting, things might change....

Redfaced professor made up scary story

The story just keeps getting better. As reports of the professors' threats circulated, we all waited with bated breath to only discover the thief could care less and there was very little reality to the whole story. Ah come on - nothing was real, darn it - here you had as all waiting for the Fed's to come swooping in, raiding a dorm on campus, turning up some ring of laptop thieves who stole professors notes to sell on the black market to people that actually cared what their professors were saying in the first place or in reality just wanted the easy A that was guaranteed by having a copy of the test and answers.

Penguins Not Harassed by DIA Security

Two flightless birds manage to get through security and catch their flight yet I have to stay and be interviewed every time. Next time I am wearing my tuxedo to the airport, maybe then I can cruise right through then.

Then again the birds have friends in high places, well on the tail of Frontier planes I saw some penguins. Wonder if they are related?

Scobleizer: Microsoft Geek Blogger

I have followed Scoble's blog for awhile. I like the fact that he puts a face on Microsoft. I spent an interesting two years working as a contractor for Microsoft as part of the Windows 2000 RRAS team. I loved it. M$ was a great place to work, the people were super friendly and the evil empire wasn't so bad. I worked on a hall that had several HP guys running HPUX, a SUN dude or two running Solaris, and an easy dozen Redhat fans, including myself with machines in their offices running various flavors of Linux. Since those days I have tried to not bash to hard on Microsoft. I saw the problems, knew what they were up against and then I saw the people and how hard they worked. I had a brief sting down at SUN land in Cali and saw the same thing. The same excitement about their products and where they were going. It's nice to see both Scoble and Alan see something that us low men on the totem pole had already figured out.

How to Build a Computerized Android Robot Head for $600.00.

Now this is cool. A little work, voice recognition, and I could probably get away with this sitting at my desk all day long answering questions for me while I was out fly fishing. As always BoingBoing delivers. Any Kerry Supporters On The Line? -- May. 02, 2005

Wow - so I am to gather from this as long as you don't admit you are a democrat you can play in the US Telecom arena. Bushie Bushie Bushie - you need to tone down your boys - these things can get ugly and then they start to effect your bank account, and we all know without your bank account you wouldn't be near as popular.

Friday, April 22, 2005

Ameritrade warns clients about potential data breach

Here we go again. A friend of mine compiled an interesting list of numbers yesterday. I will quote him directly on this:

... I've spent some time doing research on ID Theft thats happened since December '04 and came up with the following...

DSW: 1.5 million
LexisNexis: 320,000
ChoicePoint: 145,000
Bank of America: 1.2 Million
San Jose Medical Group: 185,000
California State University: 59,000
Boston College: 120,000
George Mason University: 30,000
Delta Blood Bank: 100,000
UC Berkeley: 98,000
UC San Diego: 3,500

TOTAL: 3,760,500

thanks Glen!

So then we throw in Ameritrade and a professor at UCB and we are approaching 4 million and 1 ID thefts in the first quarter of the year. Guess we can only get better from here. Right?

A Brief Tutorial on Reverse Engineering OS X -

Very interesting article. My penny jar is approaching the overflow which means I will be purchasing my first powebook at the beginning of next month. I have been waiting on my powerbook purchase until Tiger's release. Now it seems I will have to practice some techniques listed here to get back some features Apple has deemed I am unworthy of.

Airlines to deliver video to laptops, says Microsoft blogger | | CNET

Wow, so where will they keep the IT guy who will need to run around to everyone's seat and configure their wireless card. The stewards will be asking whether you would like coffee, tea, or IT support?

where oh where did my little laptop go

This cartoon puts it the best. After reading the story on Boing Boing yesterday I sat staring at my screen wondering exactly how this gentleman was allowed to teach the youth of tomorrow.

I have a huge respect for college professors. I look to them to be wise and all knowing (hey it's my dream and I can believe what I want.) However, what logic was the professor applying when he thought - hmm let's put all this research I do, and some IPO information, and well anything that is super secret all on this laptop and leave it sitting on my desk after class.

Yes, I know I am a bit biased because I work at security company. I know that I commonly apply to all my laptops, things like, BIOS password, system password, PGP disk. I also don't leave my laptop laying in public places - I fundamentally don't trust people.

Maybe I should call him and see if he wants a security assessment? Or he could just go on the web and find something easy to follow like this: Laptop Security Guidelines. I really like the one about a cable lock the best ;-)

It will be interesting to see how this story plays out.

Thursday, April 21, 2005

Where did my Google ranking go

So I had been telling everyone to find me all they had to do was Google me. I said this because for the last several months my blog was the top reference to who Ward Spangenberg was. Not anymore - what happened? what did I do? where do I go from here?

Another note I have discovered my Technorati ranking is 1,113,718. I am thinking this is probably bad. It also appears that no one cares what I say, because I have no links. A friend of mine Phil Windley, actually the whole reason I found out about Technorati, must be super high on the list as when you search his name you get about a million hits. Does this make me invisible? Do I matter? Am I matter?

I have a couple of new posts in the next day or so. Recaps of two different security meetings I attended. One is on Web Application Security and the other is on Incident Response and Digital Forensics. Maybe someone will care.

I have added a new little ticker on the right - courtesy of Symantec. It is kind of interesting look at what is going on in the security world.

Tuesday, April 19, 2005

Things I have been thinking about...

Internet Traffic Analysis: This has long been a major topic at NANOG. I have heard several interesting discussions concerning tracking where spikes in the infrastructure are coming from, and their destinations. Here and Here. I am more curious about a seismic like data concerning massed DDoS attacks. Symantec has a product called deepsight similar to what I am thinking about, not sure whether there are other vendors with similar products.

I am interested in seeing a database that has remote probes scattered across the internet colo'd at prime target destination subnets collecting and analyzing inbound traffic. The model looks like a worldwide IDS, learning about new traffic and attacks as they are being assembled. The idea needs some more work. Just rolling it around in my head at the moment.

Thursday, April 14, 2005

April's ISSA-Denver Meeting

Yesterday afternoon the local ISSA chapter hosted a very interesting speaker. The speaker was Patti Titus, the current Chief Information Security Officer, Transportation Security Administration DHS. I was going to link to her bio but it appears to not exist anywhere so I will just copy it and then go into my notes about her discussion.

Patricia Titus currently reports to the Chief Information Officer at Transportation Security Administration in Washington, DC, in the capacity of the Chief Information Security Officer and Director of IT Security. Her duties have been to develop and implement a new IT Security Office for TSA. She also reports and works for the CISO at the Department of Homeland Security. Prior to joining TSA in April 2002, Ms. Titus was assigned as a Technical Advisor to the Deputy CIO at the Department of Treasury. Since joining public service in March 2000, Ms. Titus has been assigned to various emerging technology projects and has worked extensively on the enterprise network security projects. Prior to public server Ms. Titus worked in small start up companies within the DC metropolitan area as Vice President of Sales and Marketing. She spent several years in the Information Technology industry in various capacities. Prior to this she spent 13 years living overseas on duty with the US State Department, Department of Defense and Swiss Government.

Okay so now you know who she is - here's what she had to say:

Patti had several points she wanted to convey to the crowd, anong the points she touched on
were Homeland Security Presidential Directive/Hspd-12, a policy for a Common Identification Standard for Federal Employees and Contractor. Basically the problem has come to light that there exist "Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). " Patti discussed the need for implementation of better biometeric solutions, PKI infrasturcture etc. She however did not comment on where the money was going to come from to finance these cool new gadgets for the government.

As previous user of biometrics this intrigues me - during a normal week I encountered no less than 20 false readings for a simple finger print scanner that allowed access to the lab I worked in. If we are going to utilize this technology in the government we really need to make things work - the common worker will not tolerate having to scan their finger 3 or 4 times every time they try to enter a room.

There was a brief discussion concerning IPSonar, an enterprise software consists of several interrelated discovery processes that find routes and routers, hosts, servers, wireless access points, operating system information, unauthorized connections or hosts, and perimeter leaks. This included how an intern was the one who actually deployed the initial testing launch of this program and how the resulting report of holes lead to the report being labeled - TOP SECRET - ONLY THOSE AT THE TOP CAN SEE THIS -

This is discouraging news to me. I would hope that our government would be running toolsets by now that allow them to accurately discover and gauge the risk that their network has to the outside world. To have an intern (Hats of to her for pointing out the silliness) come in and throw a product on the network that so accurately describes where water is pouring from the damn is not a building confidence for those security geeks who pay attention to these things.

We learned some interesting things about the TSA's luggage machines - no wonder I get yanked all the time - I must be getting the guy who isn't punching the threat button fast enough.

Patti discussed the convergence of CIO and CISO positions in the enterprise market. I agree with her on this one - the CISO position had little chance of survival in my eyes, typically you are stepping on the CIO/CTO's toes and something has to give. I will be curious to see whether we actually see the CISO blend with the CFO position. The advent of SOX puts the financial department on the hook for non-compliancy, with jail sentences following quickly behind that.

Patti left with a few thoughts, reminding us that We Do Not Negotiate with Terrorists, Cyber or Real! She also said something that made me wonder how soon till we see someone hunt down a "cracker" and put a bullet in him for cracking their systems.

All and all a very interesting speaker - I had an opportunity to have dinner with her the night before her speech and was happy to meet some one who was candid about her role within the current administration, the political appointees and what was right and wrong with our current behaviors.

Tuesday, March 08, 2005



So I am sitting in Fado's - Chicago. It's an Irish pub that has free wireless, so I can sit and work all while drinking a pint of Guinness. Very few things can get better than that in my opinion. If you happen to be in the neighborhood of a Fado, I would recommend the the Guiness Stew - good home cooking, and to wrap things up, you guessed it Guinness Ice Cream.

If you get a chance look try to end up in Brie's section - she doesn't own a computer but she really digs bloggers. Yes, I used dig and no, I didn't ask for her number my wife doesn't share well with other children

Now on to other things...

I registered for my CISA exam recently. This should be interesting. If I pass, and I plan to, I will have what the industry is considering the top two certifications going: CISSP and CISA. The next thing I have to figure out is what I want to be when I grow up. If you have any ideas let me know. Registering for the exam cost me a quick 500 dollars and then another 250 for study materials - somewhere I hear warning bells going off. The test is offered once a year, so I had better pass or suffer the abuse for the next twelve months.

And in other news...

Finally we have a virus for mobile phones. Uses bluetooth and MMS messages to replicate itself. I wondered how long this would take, ever since I started using the Audiovox 5600 (the same phone Scoble and crew love so much - side note i had mine before Scoble got his - nanner nanner). It is based on Windows SmartPhone so I know it will be the next platform for attack.

Firewalls' False Sense of Security
I have argued for both sides of this issue. A majority of the time I find that the deployment team behind the firewall believe that they have mitigated all future damage because of their firewall deployment. Conversations then lead to IDS, IPS - I have no idea where it will end - I do know that every time a new stop is added someone will look for a new way to get over the bump.

Now back to my regulary consumed beer.

Thursday, March 03, 2005

Squaw - what I would change?

Just got back from an extended weekend at Squaw valley. The resort's village is currently being operated by Intrawest, the same guys who did Whistler.

It was a great trip - a yearly 'boys' trip that has several interesting characters, including: Rick aka 'the Founder', Chuck aka 'Chuckles/Chuckalafucas', Andrew aka 'the Scotsman', Chris aka 'Mr. Goodlookin' and myself Ward aka 'Big Daddy'.

We had a wonderful time, there was good snow - nothing fresh - that didn't show till the last night and we got 7 inches of fresh powder - wanted to extend the trip by one more day for some pow pow but instead I got on the plane and flew back to Denver.

Squaw's new village - looks very similar to Whistler (why change a good thing?) - could use some help. As I said I was there for 5 days - while the mouse is away from the kitty he can play with other mice. We stayed exactly 22 feet from the Squaw one lift, and about 100 feet from the closest bar - yet - the nightlife was horrid.

I have lived in ski towns before - I remember the 1 woman to 12 guy ratio, and this was expected but I grew up in a more lively town smack in the middle of the bible belt - one bar closed at 9 pm on Sunday night. The drive thru liquor store the next county over in North Carolina would have still been open. Needless to say - the experience was repeated night after night for the entire weekend.

So I say to the intrawest guys - figure out beyond copying the buildings, how to create the same nightlife experience you have at Whistler or start preparing yourself for continued disappointment at Squaw.

On a side note - the little breakfast place at the end of the village - two wonderful waitresses (Bunny and ????) and one great owner (Lisa) made the week a little better.

Tuesday, February 22, 2005

This is great...

I have a new respect for Jon Stewart since he went after the CNN boys and his show continues to bring that liberal perspective forward so well.

Bloggers and the trouble they cause

Friday, February 18, 2005

Update on the Suse side of things

So I spent a hour or so screwing around with the problematic Suse install and discovered a couple of things:

Using the GUI to access the network card was doing next to nothing. If I added DNS entries they did not show up in the resolv.conf file, if clicked it off the file did not modify upon recieving a DHCP update.

Using the GUI, I could never create a default gateway, I had to add a default gateway via the command line. This should also be learned via the DHCP packet.

So basically somewhere in the process of the system/kernel update DHCP got screwed up. I can only grab a DHCP address, I don't appear to learn anything else from the DHCP packet - although firing up Ethereal shows that the information is contained within the packet.

I am not sure whether I really want to troubleshoot any deeper or whether I want to chunk the machine and try again. I would prefer to run Fedora, I know the OS better and seem better able to dig around within the file structure but then the company I am working for has their tool ported to Suse argh choices.....

Tuesday, February 15, 2005

Problems with Linux

So in an effort to keep my mind fresh I decided to set my laptop up to dual boot - Windows XP and Suse 9.2. This is a usual occurance for me. I have built dozen such laptops but I think I have finally reached my boiling point. I have an IBM Thinkpad R51, Pentium M 1.6, 768 Meg RAM, 40 Gig HD, built in ethernet, and 802.11b/g. This is a nice little laptop, shouldn't have any problems with Suse 9.2.

Where things went wrong - I decided to patch the box - patching is similar having your teeth pulled.

I began the patching process, everything appeared to go correctly, and then I did the reboot as I had also told YaST to upgrade my kernel. Well everything appeared to be working, so I decided to browse the web. It didn't work. It took me a couple of tries before the onboard ethernet grabbed an ip address. I still can't browse the web. I grab an ip address but DNS doesn't appear to work. I hard code DNS entries, still nothing, disable firewall, still nothing. Threaten to toss the laptop out the window, still ntohing. So I am left with an upgraded SUSE 9.2 professional that can't speak to the internet.

I used YaST, a tool that does always leaves me wondering what is really going on under the hood. A lot of people have commented on the efffectiveness of this tool. I miss some of the tools that RedHat has in comparison. I am going to have to take things apart now.

So where does this leave us? This points to the underlying probelm with why there aren't more Linux desktops - the complexity. I don't mind getting under the hood, but then my dad handed me a lawn mower engine when I was a kid so that I could understand how motors work. Most people want things to work, straight up. I didn't have that experience, in fact I mumbled under my breath at one point that I was either going back to Fedora or FreeBSD over the weekend. Why? They work, I have had little to no problems with upgrading them, and when I patch them things keep working. I also know that the whole problem could be somewhere between the brain and the keyboard. ;)

Thursday, February 10, 2005

Friday, February 04, 2005

Well that wasn't long enough

So I have become a Principal Security Engineer for a company called ReddShell. They have a neat software product and they have some really cool consultants working here.

I got back to Colorado on Sunday night, started the new job on Wednesday and was told on Thursday to pack my bags I would in Chicago for the next month. Needless to say the wife wasn't exactly happy with me and well I was a bit disappointed myself. I was looking forward to being home for a few weeks, I was even beginning to enjoy changing the little girl's diapers. Oh but the life of a consultant requires some sacrafice and so I must head off to Chicago in February.

I am diving headfirst into the world of VISA CISP and Sarbanes-Oxley. Should be fun, finally going to use that silly CISSP for something useful.

Monday, January 31, 2005

Leaving Utah

Well it has finally come to the end. January 28th was my last day with DynamicCity. I decided to leave the UTOPIA project for multiple reasons - all eventually leading to the betterment of myself as a person. My boss put it the best - refering to me as a Technological Gypsy. I like that, may spin that off into another blog line.

I leave my responsibilities in very capable hands. Right now I am sure he is questioning the logic of accepting my position but I believe he will find a strong supporting staff and make his name known. If you or anyone you know is looking for a job as a senior network engineer or sysadmin please contact DynamicCity or Dave.

I managed to get in one more CTO breakfast before skipping town. Phil as always is a wonderful host. If you find yourself in the area during one of the scheduled breakfasts please take the time to attend. I will be trying to schedule my own trips back occasionally for them.

It was nice to talk to people at the breakfast and discover that they understood my decisions to move on from the project. They understood that occasionally you stop growing in your position and you either need to get out or continue to be miserable. This led to some interesting discussions.

A vast majority of people are stuck in jobs, or towns or situations where they don't ever leave. They continue to live with the pain whether real or pyschological and do nothing about it. The worst case is our own perceptions of jobs - we call something we hate to do a job and then moan and whine about having to do it. When you start having problems getting up in the morning to go to the office then you need to stop and evaluate what the real problem is. Are you no longer happy where you are? If that's the case can you fix it from the inside or should you be moving on. I tried to fix my situation, didn't like the band-aids applied and decided it was time to move along. People don't do that - they live with the situation and allow it to eat them from the inside. Silly people!!!!

My new contact info is available for those that want it. Try my google mail wardspan at and I can forward it along to you.