Will Another President Call?

I read with interest the New York Times article Lose the BlackBerry? Yes He Can, Maybe. It mentions how "like legions of other professionals, Mr. Obama has been all but addicted to his BlackBerry. The device has rarely been far from his side..." It brought to mind another new administration, and another set of requirements.

Late in 1992, DARPA contacted one of its contractors, Trusted Information Systems, Incorporated, in Glenwood, MD. TIS had previously worked, and was at the time working, on DARPA projects, as well as projects for NSA and NIST. DARPA basically wanted to know if anyone at TIS knew anything about Internet Firewalls. Well, it just so happened that both Marcus Ranum and I had recently left DEC for TIS, bringing our experience with the DEC SEAL (Digital Equipment Corporation Secure External Access Link) to TIS.

It seems that the incoming (Clinton) team was used to using laptops and Internet email, and found in the Bush (George H. W.) White House "IBM Selectric Typewriters." The question from DARPA was basically: could we propose a way to secure the administration's laptops and desktops, and could we put the White House on the Internet? (I know this seems quaint now, but Internet Firewalls were relatively unknown in 1992 except for the handful of places and people actually playing with and developing them.)

A very small team of us drew up the design and architecture, and a very small band of programmers coded it (originally 1, Marcus, and then 2-3 others were added). The design for the whole system proposed is in the February 1994 paper, A Network Perimeter With Secure External Access. As with all good research, after it was done the operational customer—the White House—only made use of the firewall gateway.

Reading the above-cited NYT article, I cannot help but think that some of what President-elect Obama wants (I almost wrote "needs") can be done. Organizations like DISA and DARPA know what COTS solutions would be required. But, I suspect that it will never come about. Too much government in the way, I suppose. It is not a technical problem that will require President Obama to hand over his Blackberry®.

There is still a boarding-pass loophole

Three years ago, I blogged about the uproar when someone actually used a home printer to fake a boarding pass. I was dismayed that in the uproar, it was clear that this was news to lawmakers and the TSA. I wrote, "Only the computer illiterate will be surprised that the boarding passes you print out on your home printer can be faked. I don't expect members of Congress to be computer or technology experts, but even if their eyes and brains don't tell them this, don't any of them have smart, computer-savvy aides with a clue?"

Well, apparently they are close to Closing that Boarding-Pass Loophole.

Three years. A lifetime in government programs.


More on Phishing from Dave Piscitello

Previously, I've "promoted" work by my friend and colleague, Dave Piscitello. I mentioned both him and Radio Free Security in Router Rooter.

Recently, in Dave's blog, Security Skeptic, he has talked about phishing in Making Waves in the Phishers’ Safest Harbors and Phlavors of Phishing.


The world is shocked! The Washington Post was biased towards the Democrat!

I just found this amusing in a "no duh, Sherlock" kind of way. (Yes, I know that's not really the phrase.) The Post's Ombudsman, Deborah Howell, just reported "An Obama Tilt in Campaign Coverage" during the period November 11, 2007 through November 11, 2008.

I look forward to reading what they intend to do about it going forward, but it is kind of like someone noticing that NPR is biased towards liberal, Democratic candidates.

"Risk" defined

In the network and computer security field, we frequently discuss threats, vulnerabilities, and risks. (I have always liked Dr. Peter Tippett's "Risk Equation," which I lay out in NetSec Letter #33.)

In its Special Publication 800-39, NIST defines risk thusly:
A measure of the extent to which an entity is threatened by a potential circumstance or event. This extent is typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. Information system-related security risks are those risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
The definition is in the current drafts of SP 800-39 and SP 800-30 Rev 1. What do you think of it?


Security is still a chain

"Security is a chain; it's as strong as the weakest link. Mathematical cryptography, as bad as it sometimes is, is the strongest link in most security chains. Our symmetric and public-key algorithms are pretty good, even though they're not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on." Bruce Schneier reminds us of these facts in a recent Wired column, Quantum Cryptography: As Awesome As It Is Pointless.

We get excited about new technologies and cool new features and devices. And then we ignore security policies and procedures, use and reuse weak passwords, and still don't encrypt computer drives.

He closes by saying, "... as a product, it has no future. It's not that quantum cryptography might be insecure; it's that cryptography is already sufficiently secure." Maybe quantum crypto will keep foreign powers from reading our critical national information. But for the rest of us, what we have is good enough. If only we would use it.


Metrics Madness

I hate the metrics discussions some of us have in the IA world. On one side there are people who think that we should be able to come up with hard numbers by which to measure security. ("May I have a pound of security, please?") On the other side are those of us who know that it is always going to be impossible to nail metrics down and we have to be satisfied with more squishy measurements of what "good enough" is. In the middle, I suppose, are those who want to please those in the first group, know what the second group knows, and choose to ignore it to please those in the first group.

But, "good enough" usually is 1) better than what we have and 2) pretty darn good.

My New PDA: iPod Touch

Background. In iPod Touch as a PDA, I mention my "requirement" for a PDA, how I've been a happy user of a Palm computer for years, and have been very happy with the apps for the Palm. I also mentioned that it wasn't the frustration of my sometimes very long sync times that made me look for something else, but that recently my Palm Tungsten E2's battery started to behave erratically. And it is a replacement battery! (It almost never completely charged, and when it did it lost much of its charge quickly. And when I was using it, it would slip from quarter charge to "recharge soon" to "recharge now!" to quarter charge again.) And the long syncs continued. (By "long," I mean I would go to bed at 10PM and at 5:30 AM it was still chugging.)

What I got and general impressions. On Friday, October 10, 2008, I bought an Apple® - iPod® touch 32GB MP3 Player. Why the 32G? I did go back and forth on that. The Palm I am replacing only has 32MB (that's an M). I also have a 30GB iPod Clickwheel. (It was originally a 20GB, but I replaced the drive when it crashed a few years back.) It is still working. I also have a 1GB iPod nano. So, while I didn't need the 32 G, I had the money (from a recent consulting gig) and figured one is never sorry for more space. So, now I am looking to farm out my other 2 iPods.

Impression? Very intuitive to use (no user manual, though there is one at manuals.info.apple.com). It just worked. iTunes walked me through registration and then synced my music, Contacts, Events, and Mail settings. It charged very quickly via the USB connector. (It, of course, came with a USB cable, but I just used the one from my other iPods. Those are the same, though not all things are, as I will mention.) I then set up the wireless settings (a slight pain given my long key and lack of skill with the virtual keypad on the touch). After that... everything worked!

Meeting my needs? I laid out my needs/wants in the above-mentioned blog entry. This is what I wanted and what I found:
  • Bible—I copied the free Bible Reader and free Bibles via the App Store from Olive Tree Bible Software.
  • ereader—I copied the free eReader app from eReader. The app itself allows one to download eBooks, so I just copied the books that I previously had on my Palm. I did this by putting them on a web page and pointing to them.
  • iCal sync (including birthdays)—It is standard, and if you show Birthdays in iCal on your desktop they will show up on the handheld.
  • Calculator—Standard app.
  • Address book sync—Standard app.
  • wireless access—As I said, it works great and I use it for email and web (and a lot more).
  • Notes or memos—Well, it has a Notes app, but it is not syncable. That rots. I found and downloaded the demo of Phoneview. The demo works fine. I am hoping that Apple provides syncing of Notes sometime. Notes sync in 3.0! :-)
  • email—Works great.
  • To do/iCal Tasks—Missing. Not a show-stopper. I am hoping Apple fixes this lack, also.
  • expense tracking—I cannot find a simple replacement for the simple, free expense program my Palm had.
  • Secret!—I've found a number of lockbox programs. I want one I can populate through a copy from my desktop. It need not be fancy. Secret! was very simple. I want to enter any information in free form and have the option to encrypt the file (with 256 bit crypto or stronger). I will keep looking.
  • As I said, "I have Documents to Go on my Palm, that reads and writes Microsoft Office files. I don't really use this much." Their web site says "Coming to iPhone/Touch soon."
  • It seems very stable. Apps and syncing just work, although it helps if the Mac iSync process has finished what it does.
  • There are a bunch of free or inexpensive apps and more keep coming.
  • When in iPod play mode, I can still read mail or do other things while it continues to play.
  • When I get up in the morning, instead of booting my PowerBook, I click on my Touch, touch the Mail button, and have emails in my hand in short order.
  • Some email attachments display fine on the iPod touch (text, images, PDF, Word doc files, Word docx files).
  • As I mentioned, no sync of Notes without using a 3rd party product. Added with version 3.0!
  • No keyboard option. (Maybe someday? Palm has attached and Bluetooth keyboards.)
  • No Copy/Paste. I'd like to copy a URL from a web page and email it. Or copy something from my Contacts book and paste it into a web form. I cannot. And my short-term memory is not what it used to be.
  • If I receive a meeting invitation, and I click on the attachment, Mail does nothing with it. I want it to add it to my calendar, as it does on my Mac. I assume they will add this functionality.
  • I really, really want a replacement for Secret! so I can securely carry my account information and passwords with me.
  • While the same USB cable that works for my old iPods works on this, the car and home chargers do not. I have to buy a new car charger for long trips (the new ones work in all iPods). I probably do not need a wall-charger as even if I travel overseas, I have my PowerBook.
Overall. It rocks. Syncing no longer takes all night. It has good to great battery life. And wireless use is very easy. And it is fun to use.

The thing that used to really kill me was when I would do large Contact list changes. I organize my address book into different books (like categories): APL, Business, Personal, Press, Restaurants, etc. My biggest address book category is my church directory, with 1736 entries. I just updated it by deleting all the entries in the category and then importing the updated list (from a tab-delimited file). Next, I told the Sync process to "Sync Now," which gets its head right. Then I clicked Sync in iTunes after first clicking Contacts under Advanced. This replaces the information on the iPod with the desktop information on the next sync. It worked perfectly and quickly. I'm very happy.


Gmail "Bad Behavior"

In Mail and Gmail, I reported how I changed things "to have my avolio.com email hosted on Google."

Mostly all was well. Mostly. Then one day, I sent a message to a mailing list I am on. And I did not get a copy of the message in my Inbox. See, here's what is supposed to happen:
  • My email client connects with Google, authenticates, and transfers the mail.
  • Google accepts it, does the DNS magic to decide where it is destined, and connects to that mail exchanger (email server). Let's say it was for mylist@lists.example.com.
  • The list server (in this case, Mailman) changes the Subject, adding the prefix [MYLIST], adds some footers about how to unsubscribe, etc., and
  • then tries to send to every list member.
And I never got the mail. Other people had gotten it, because I got replies. But, their replies went to me and to mylist@lists.example.com, so I was not surprised I got a copy. But, why wasn't I getting it from the list?
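The flow above, modelled in Python as an added example (not code from the blog or from Google or Mailman): a message goes out to a Mailman-style list, the list rewrites the Subject and appends a footer, and the copy comes back to the sender. Deduplicating on body similarity, which is what the post suspects Gmail was doing, drops that copy; keying on Message-ID plus the List-Id header tells a legitimate list redistribution apart from a true duplicate. All addresses, the Message-ID and the message text are constructed sample values, and the similarity threshold is an assumption.

```python
"""Model of the mailing-list round trip described above (constructed example)."""
from difflib import SequenceMatcher
from email.message import EmailMessage

LIST_ADDR = "mylist@lists.example.com"        # the list address used in the post
SENDER = "sender@example.net"                 # constructed
FOOTER = (                                    # Mailman-style footer, constructed
    "\n-- \nMYLIST mailing list\n"
    "mylist@lists.example.com\n"
    "http://lists.example.com/listinfo/mylist\n"
)
BODY = (                                      # constructed message text
    "Has anyone else seen multi-hour sync times with The Missing Sync?\n"
    "I start a sync at 10 PM and it is still running at 5:30 AM.\n"
    "Deleting and re-importing a large category seems to trigger it.\n"
    "Any workarounds before I give up and replace the handheld?\n"
)


def original_message() -> EmailMessage:
    """The message as the sender's client handed it to the outgoing server."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = LIST_ADDR
    msg["Subject"] = "Overnight syncs"
    msg["Message-ID"] = "<20081007120000.1234@example.net>"   # constructed
    msg.set_content(BODY)
    return msg


def mailman_redistribute(msg: EmailMessage) -> EmailMessage:
    """Approximate what a Mailman list does before re-sending to members:
    prefix the Subject, add List-* headers, append a footer, keep Message-ID."""
    out = EmailMessage()
    for name, value in msg.items():
        low = name.lower()
        # set_content() below regenerates the MIME headers, so skip them here
        if low == "subject" or low == "mime-version" or low.startswith("content-"):
            continue
        out[name] = value
    out["Subject"] = f"[MYLIST] {msg['Subject']}"
    out["Sender"] = "mylist-bounces@lists.example.com"
    out["List-Id"] = "<mylist.lists.example.com>"
    out["List-Unsubscribe"] = "<mailto:mylist-leave@lists.example.com>"
    out.set_content(msg.get_content() + FOOTER)
    return out


def body_similarity(a: EmailMessage, b: EmailMessage) -> float:
    """Ratio in [0, 1]; 1.0 means the two bodies are byte-for-byte identical."""
    return SequenceMatcher(None, a.get_content(), b.get_content(),
                           autojunk=False).ratio()


def content_dedup_would_drop(sent: EmailMessage, inbound: EmailMessage,
                             threshold: float = 0.8) -> bool:
    """The behaviour the post complains about: 'close enough' bodies are
    treated as the same message and the inbound copy is discarded.
    The 0.8 threshold is an assumption, not a documented Gmail value."""
    return body_similarity(sent, inbound) >= threshold


def classify_inbound(sent: EmailMessage, inbound: EmailMessage) -> str:
    """Header-based alternative.  Returns 'new', 'list-copy' or 'duplicate'.
    A list copy shares the Message-ID but carries List-Id, so it is a
    distinct delivery that the sender asked for and should be kept."""
    if inbound["Message-ID"] != sent["Message-ID"]:
        return "new"
    if inbound["List-Id"] is not None:
        return "list-copy"
    return "duplicate"


if __name__ == "__main__":
    sent = original_message()
    from_list = mailman_redistribute(sent)
    print(f"subject on the list copy: {from_list['Subject']}")
    print(f"body similarity: {body_similarity(sent, from_list):.2f}")
    print(f"similarity-based dedup drops it: {content_dedup_would_drop(sent, from_list)}")
    print(f"header-based verdict: {classify_inbound(sent, from_list)}")
```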

I had the system administrator of lists.example.com check the mail log. The log showed Google accepting the messages. I just never got them. I sent messages to postmaster@gmail.com. I sent to postmaster@avolio.com (also, Google, now). I went to the help page and followed the steps and sent in a report complete with mail headers. No response.

Then I looked at the discussion groups and found a bunch of others with the same problem of Not receiving emails sent by myself to discussion list. Hmmm.

As I posted, in part, to the forum:
Now, I see that Google throws away email that seems to be some percentage identical to email I sent.

As a previous poster pointed out, it is *not* identical. The Subject line is changed (at least with a Mailman server) to put the list name in brackets in the subject line, headers are added, and footers are added. I suppose Google thinks this is a feature but it certainly is incorrect behavior in the email world. And, of course, I as a sender get no confirmation that the list server is working correctly.

This really is not as bad as I thought -- I thought I could get no email from the lists. It is, however, bad.

How exact is exact, Google? You are throwing away mail that is sent to

"Don't be evil." This is close.


Happy Anniversary Firewall ToolKit!

The TIS FWTK was delivered via FTP to DARPA 15 years ago today. The next day we delivered it to DUNSnet. We did change the firewall industry with its delivery. And then we changed firewall pricing as Steve Walker and I, doing a "back of the envelope" SWAG, decided on $15K for software only, $18K with hardware. Other vendors, with pricing at over $50K, dropped their prices within a week.

Best wishes to its daddy, Marcus Ranum.

It's still the most fun I had in a job, my own consulting gig a close second.

Read something historic at Firewall ToolKit.

As early as v1.0, the firewall toolkit had "application intelligence," also known as "application awareness," and "deep packet inspection." We just weren't marketing guys.


iPod Touch as a PDA

I've mentioned in the past in this blog how I really rely on a Palm handheld computer. When I first moved to Mac from Windows, I said that one of my criteria was
Interoperability with a Palm handheld. I use it a bunch for everything it does including the obvious (calendar, etc.) and the less obvious (eReader, Documents to Go, Expense).
I've used my Palm, with the aid of The Missing Sync for Palm OS. It works... good enough. But, sometimes it drives me crazy. I have about 2500 entries in my address book. Sometimes it messes up, losing data. Sometimes it takes hours to sync. In fact, it might get caught in a situation where I start syncing at night, wake up the next morning, and find it is still going. I'm tired of it. I'm tired of trying to sync and finding that I have to interrupt it to take my Palm and go off to work... the next morning. I don't know if it is Apple's iSync or The Missing Sync's fault. I understand it is complex to do the mappings (categories on the Palm to groups on the Mac), but I don't care. I want to stop dealing with it and just use it.

As I said previously I don't really want an iPhone. But, iPod Touch and PDAs made me see that there is a viable alternative. Yes, the iPod Touch is not sold primarily as a PDA, but it might just give me what I need and want.
(You wouldn't know it from Apple. Mostly, all they talk about are the games and music, which are the things that make them money. But, I already have a 30G iPod. I need a more reliable PDA. I went crazy to try to figure out whether it had a Note pad application.)

Here's what I need (and I think "need" is correct). First, the "must haves":
  • Bible—I do regularly read the Bible and am used to having an electronic Bible in my Palm. The same company, Olive Tree Bible Software, has a mobile product for the Touch. I do not want to have to depend on an Internet connection.
  • ereader—I have numerous books I want to carry around. eReader has a free iPhone/Touch version.
  • iCal sync (including birthdays)—of course I want to sync with iCal. It claims to do it.
  • Calculator—yes, of course.
  • Address book sync—again, of course.
And "like to haves":
  • wireless access—it has it. I want it for email and web.
  • Notes or memos—I have Memos on my Palm. I don't think there is anything that is a direct replacement. I am hoping that Notes are syncable.
  • email—I have it with the Palm and want it with something new. The Touch has it.
  • To do/iCal Tasks—I am not sure, but I think I read that the newest version of iCal for the Touch does include To Dos/Tasks.
  • expense tracking—The little application that comes with the Palm is nice to track mileage and expenses and will produce a spreadsheet. It seems that there is a free app for this.
  • Secret!—this product from LinkeSOFT stores all my confidential data encrypted with a password of my choice. It uses 128 bit IDEA encryption. I really depend on this to store my passwords. It looks like a free application, LockBox, will do this. Or, maybe one of the other applications mentioned in Review: Secret keeper apps for the iPhone at Macworld.
I have Documents to Go on my Palm, that reads and writes Microsoft Office files. I don't really use this much. I can do without. So. I still don't want an iPhone. I like my family plan with Verizon. But, I really would like an iPod Touch: not to replace my iPod, but to replace my Palm Computer.

I found this blog on the subject from March 2008.


More on Mail and Gmail

In Mail and Gmail, I discussed the settings I used in Mail. Some are different than what Google recommends in Recommended IMAP client settings. I want to explain why.

First. Drafts. I did not select store messages on server as Google recommends. I have now changed that. Google recommends: "Store draft messages on the server > checked." I don't usually leave draft messages around. I usually write and send. But, I think storing on the server is a good thing. If I am writing email and need to come back to the draft to finish later, I can do it from my Mail client or—if away from my computer—from the web interface.

Sent. Google recommends "Store sent messages on the server > do NOT check." I'm sticking with "DO Check." Google's reason is that all email sent through their server will automatically be put in the Sent box. I believe this, but I am not sure of the harm in putting mail into Sent in the Mail application. Google suggests it will cause duplication of messages. I've not seen this. In Mail, I often Move a message from Sent into a project folder. For example, today I received an email message regarding an interview for a graduate school program. I replied to it. I was at my day job, so using the Gmail web interface. I labelled both the received message and the reply "Grad School." The messages were still in my Gmail Inbox, but labeled. So, I clicked "Archive." The result when I got home and used Mail? The messages were in my "Grad School" folder. Brilliant. :-)

Trash. Google says "Move deleted messages to the Trash mailbox > do NOT check" and "Store deleted messages on the server > do NOT check." Google's reasoning is that it makes no sense to delete. Google says, "Messages that are deleted from an IMAP folder (except for those in [Gmail]/Spam or [Gmail]/Trash) only have that label removed and still exist in All Mail."

But, (I assume) since that was written, Gmail has created a "Delete" button, which puts deleted messages in the Trash. There are some messages I do not wish to save. There are some messages no one wants to save. No matter how cheap disk space is. My set-up allows me to delete things I really want to delete, putting them in the Gmail Trash. Further, they say "Do NOT save deleted messages to your [Gmail]/Trash folder because this will delete a message in all folders." Correct. When I delete I mean delete!

Junk mail and spam. Google says, "Do NOT enable your client's junk mail filters. Gmail's spam filters also work in your IMAP client, and we recommend turning off any additional anti-spam or junk mail filters within your client." The way I have things set up in Mail allows me to tag spam that Gmail's spam checker misses and have Mail move it into the Spam folder.

No regrets about the move to Gmail nor about using Mail with Gmail.

Now I remember why someone suggested not saving drafts on the server. Every time the draft automatically saves, you end up with another copy of the draft. You can see this in the screen shot I captured looking at my Trash. On the other hand it is just in Trash, and so will be deleted

Hawaiian Shirts

My observation... not just for Fridays anymore.


Mail and Gmail

In commenting on David Strom's column Ten years of email, I said,
I've long ago switched from POP to IMAP, but cannot imagine having to rely on Internet access to read or manipulate e-mail. I'd love for you to talk about the changes that doing that requires. I just cannot imagine.
He replied (see it in my entry Strom's Ten years of email) and it got me thinking.

Of course, I have used Google's mail (gmail). But, I never linked it to my avolio.com email, except to forward email sent to my gmail account to my avolio.com account. E-mailing back and forth with David convinced me to try it, but I wanted to do more. Dave is almost always connected. So, he just uses Google's webmail interface. It suits his needs and he likes the interface. I like using Apple's mail application (cleverly called "Mail"). So, I decided to use it to read Google Mail and go one step further: to have my avolio.com email hosted on Google. My avolio.com email was hosted by a "true friend". Google, with Google Apps, gives clear directions for setting up a Gmail account for a domain. In fact, you can start using it immediately, even before MX records are changed, through temporary gmail email addresses. The MX record change took about 10 minutes, because Google automates its side and my domain records are run, as I mentioned, by a true friend. That is to say, email to "username@avolio.com" started showing up in username's email box on Google. Coolness! It was working. (Now, almost nothing in DNS-land is immediate; information needs to propagate. So, I did check my old server location some that transition day.)

Set up on the Google side was easy and I set it up to be an IMAP server. (The major benefit is that it is stored on my client and on the server and I can access it from anywhere on the Internet.)

The next step was to set up my Mail application. Before I did anything else I backed up my email.

Google recommends settings for Mail, and the Internet has many comments about the "best" settings. These are mine and my reasons.
  • I set the incoming and outgoing servers to be as Google instructs.
  • I set the IMAP Mail Prefix to be "[Gmail]" (This is under Advanced for the Account in Mail.)
  • The Trash mailbox showed up under my account in Mail. I selected it, went to Mailbox, and Use this mailbox for... Trash. I made similar settings for the Google Spam mailbox (use for Junk) and Sent.
  • I don't store drafts on the server.
  • I store Sent messages on the server.
  • I have Junk processing enabled. I do this so that the Junk mailbox shows up. Mostly, Google does a great job of Spam catching. When it doesn't Mail might. When it doesn't, I can click on the Junk button and off it goes.
  • I set "Move deleted messages to the Trash mailbox" and Store on the server. (I know Google has this store everything forever, but there are some things that I want to delete: notices from the library when my requested books are waiting, Facebook notifications, "Send this to everyone you know" email, etc.) See the Mailbox Behaviors.

I started moving IMAP mailboxes from my old account to my new (Google-based) account. I found that I needed to move one mailbox at a time. I have a lot of mailboxes and folders of mailboxes (see MailFolders), and I found that while the Labels were being created on Google (more on that in a minute), not all mail transferred. This should never happen, but it did. I am not sure if it is a client or server problem. A word about Google mail and storage. Google mail stores all the mail in one big mailbox called All Mail. It uses labels to organize email messages. So, when one "archives" a message, Gmail removes the "Inbox" label; it stays in All Mail. If I have a message in mailbox "Accounting," it is labeled "Accounting." (See Labels.)

There was one thing that really bothered me. My PowerBook now has 2 copies of every email message. Gmail doesn't; Mail does. Here's why. When I move a message from my Inbox to, let's say, "accounting," the files associated with that email message get moved in my directory hierarchy; the file(s) get moved. Gmail sees this as one file with 1 or 2 labels. When the client syncs with the Gmail IMAP server, I will end up with 1 copy in the place I moved it and an additional copy in "All Mail." Because the client sees the message in 1 mailbox and it sees another message in All Mail. It has no way to link them. Hence, 2 messages on my PowerBook. This really bugged me. Until today. What changed? Nothing. I just said, "Oh, what the heck." Disk space is cheap, and my email takes up less than 1G of disk space. I still delete some mail rather than keeping everything. I have started Archiving mail, which in my Mail application means moving it to "All Mail." Eventually, my local storage may become a problem. But, not today.

I mentioned Dave Strom's help. Check out a video he made How to become master of your domain for less than $20 a year in which he touches on some of the things to do. Consider buying his other video tutorials. (This one is free.)


Social Networks

I'm relatively new to FaceBook. I got a FaceBook account a few months ago in order to be able to download a song from a friend's band. (I had a Myspace account briefly for the same reason, but abandoned it after I started to get friend invitations from girls who only had first names.) Yeah, I felt that maybe I was too old for FaceBook.

I was, and am, surprised at what a time sink it can be. But, I generally check it out once or twice a day (early morning and then evening). And I am trying not to obsess with following every potential link to every comment or tag in a photo. On the other hand, it's an easy way to keep tabs on "friends" and I have found that some people prefer writing on "Walls" (which are public) to sending private email. I wonder if it is the feeling of community: we're all sitting around in the same coffee shop or family room and overhearing each other's conversations, etc.

I was thinking of these things when something from writer Kevin Kelly came up on my radar (news aggregator) screen. He talks about something he calls "Friendability." (I think there must be a better word. I'm trying to think of one that doesn't cause hurt feelings or insult.) He's asking the question, "Are all these 'friends' really friends?" Here's his breakdown:
  • Friend: Most of the people that Facebook calls "friends" I call Acquaintances.
  • Actual Friend: Someone whom I've had a meal with, or has visited my home.
  • Real Friend: Someone who would drive me to the airport at 6 am.
  • True Friend: Someone who would get me out of jail.

This all reminds me of a song or two from my formative years. The first is a Simon and Garfunkel song, "Old Friends" (you can look up the lyrics on the Internet), about the old men they saw in NYC neighborhood parks. The song ends, "Old friends. Memory brushes the same years. Silently sharing the same fears."

It also reminds me of Harry Chapin's song, "Let Time Go Lightly," that has the bridge, "Old friends, they mean much more to me than the new friends, Cause they can see where you are, and they know where you've been." I have some old friends.

And, finally, I am reminded of the unattributed quote, "A good friend will help you move. A really good friend will help you move a body."

I actually have a few really good friends. And they know who they are.

A friend commented:
After reading your post, I first took the opportunity to invite you on Facebook. Then I wondered which type of "friends" we may be.

We never met, never had a phone talk, exchanged a few emails, chatted a few times, ... but we've known each other for 15 years. We first became aware of each other back in the early 1990s, in the FWTK, Gauntlet and TIS days. Or let's say that I learnt your name thanks to comments in the FWTK code and some of your security talks or presentations.

As of today,
  • are we "Friends"? yes for Facebook, but I agree that a better word is "Acquaintances"
  • are we "Actual Friends"? no, as we've neither had a meal together, nor visited each other's home.
  • are we "Real Friends"? yes, according to the definition: I would be happy to drive you somewhere even at 6AM if you happen to come to visit Europe! I'd wake up even earlier, just for being able to meet you and chat.
  • are we "True Friends"? yes, according to the definition: I would be happy to do my best to get you out of jail (even though I hope you'll never be in such a situation)!
As I believe you expected me to say "no" to the last 2 questions, maybe a 5th category is missing. I am grateful for what you did, and your added value to the Internet and security communities.

So let's call that 5th category "fans" or "aficionados".

Best regards,
Well, Olivier, maybe "friends" is sufficient. :-)


Strom's Ten years of email

In a recent posting, David Strom, who might be trying to rejuvenate sales for his very excellent, but old, book he co-authored with Marshall Rose, Internet Messaging: From the Desktop to the Enterprise, discusses Ten years of email. I recommend reading it for the history, for a sense of how far we've come, and to be disappointed that we've not progressed further. Then check out my Secure E-mail Collection.

I commented the following to David's post:
I've long ago switched from POP to IMAP, but cannot imagine having to rely on Internet access to read or manipulate e-mail. I'd love for you to talk about the changes that doing that requires. I just cannot imagine.
David replied:
About two years ago, I lost some saved emails using T-bird, and I decided to look carefully at what I was doing and what I could do to ensure that didn't happen again. I saw that 99% of the time when I am composing messages, I am sitting online, usually in my office, or someplace else where I have a Net connection. I had heard about Gmail and took a look and was immediately hooked. There were four things that motivated me to switch over (and these might not be as important to you as they were for me):

First, I don't have to worry about saving and storage of messages; Google does it for me. And as their mailbox keeps getting bigger faster than I need, it is limitless as far as I am concerned. Now others may have run up against this limit, and now Yahoo email is truly infinite, but I hate their UI. I think I have about 2 GB of mail, and as I mentioned in my post Gmail is above 7 GB and adding more every day. At the time, they didn't have IMAP, but now that they do it makes for some choices here.

Second, they did a great job with labels, making it very flexible to store messages in multiple buckets. The latest versions of Outlook also do this, and I haven't checked the Mac, Vista, and T-bird versions lately but at the time I switched they didn't do as good a job. If you do use IMAP and have lots of labelled messages, you will find this vexing however.

Third, I use multiple machines, both PC and Mac, and having all my email and contacts in the Gmail cloud is a real plus for me. I don't miss having local email on my desktop at all.

Finally, they did a great job with groups of contacts, and making it easy to organize my contacts is really at the heart of what I do with my email. I can have one contact as a member of multiple groups, to make it easier to find and communicate with people. Again, the newer versions of many email programs all support this, but at the time I was switching this wasn't the case. I usually have two windows open in my browser at all times: the Mail and Contacts windows.

There are some issues with Gmail, however, not enough to make me switch at this point. First, the numerous outages over the past few weeks; that is troubling. Second, the latest UI doesn't work with the large volume of contacts and the many groups of them that I have; I still have to run the older UI. Luckily they have a switch to "older version" that I use. And exporting your contacts doesn't export the groupings, so once again I am captive to Gmail until I can figure this out.

Since I switched, Gmail now supports both POP and IMAP access to their mail store, and there are programs like Cemaphore.com's MailShadow for Google Apps that can synchronize an Outlook/Exchange account with a Gmail one. That makes the line between online/cloud email and local email more blurred. It all comes down to what UI you like, where you want to keep your contacts, and how much offline composition and contact lookup you do: in my case, very little, and these days just about everywhere I go I can find a connection.

The other thing going for Google is that Google Apps is free to host your email for your domain, so you have the best of both worlds -- you have the large online storage, the Gmail UI, and your own domain dot com -- plus I think up to 100 mailboxes -- all for free. It used to take a few days to get this going, but last week it took about an hour to setup, switch my MX records, and I was good to go. I don't see why anyone would want to host their emails anywhere else.

Of course, this gives me a single point of failure with Google now, so I might keep that Yahoo email box around a bit longer :-).


iPod Problems

It has been a bad week for removable storage for me. I had problems with back-ups on my FireWire drive, which I talked about in Time Machine is Working Again (which turns out okay, as you can tell by the title. :-)).

Podcast trouble.
The other day I noticed that some of the podcasts on my iPod weren't working. That is to say, they would play for up to 20 seconds and then stop. I tried fast forwarding past that point. No joy. So, I did what Apple always says to do. I did a soft reset. Still no good. Music played fine, but podcasts would not. Now I know that they are handled differently, so I wasn't surprised. Just annoyed. So, I went to the next step. And this was an error—my first mistake. (We'll come back to what I should have done later.) The step I took was to click "Restore" in iTunes. This restores the iPod to its factory settings. No worries. I have all the songs backed up in multiple places. So I did it. And I connected it again to iTunes to have it restore all my settings and music. I plugged in the iPod.

Problem with the iPod?
I saw this:

Not good.

Arrg. Not good at all. I looked and looked on the Internet. I listened to my iPod as it spun up and failed. "Oh, no!" I thought. "Another failed iPod!" (I had replaced the disk in this 20G iPod last year with a 30G disk.) I have a 1G iPod Nano. So, I figured I would have to use it and swear off iPods. So, I plugged in the Nano. And... (you are ahead of me here, aren't you?). Same error. Whoa. Hmmm. My iPod has a USB cable and a FireWire cable. Try the FireWire.

Bad cable.
Success! It was restoring! The iPod's USB cable was bad! (I knew the USB port itself worked, as I use it for other things, such as synching my Palm handheld.) So, another early mistake. I should have tried the FireWire cable or another iPod USB cable. While it was restoring, I checked something I should have checked way earlier: what do the podcasts sound like played in iTunes?

They had the same problem. (Again, not all, just some.) I'd start a podcast that said it was 45:34 in length and it stopped after 34 seconds or so. Again, I had not moved through the correct diagnostic sequence.

So, why the bad podcasts? I think I now knew. Recall, as I mentioned above, I previously reported on problems with backups to my FireWire drive. Recall, Dave Nanian of Shirt Pocket had pointed to problems from other devices plugged into the FireWire drive, especially an iSight camera. I asked Dave, "Any background as to why having another device plugged into the FW port of my FW drive would cause this?" He replied, "It's mostly the iSight. It's bus-powered, and gets into weird states where it starts causing the voltage on FW to go completely nuts, which causes other devices to generate errors."

I think that this was the cause of some flakiness in some of the podcasts. With the external iSight unplugged (where it will stay until needed), I re-downloaded the podcasts. No problems. Lessons learned:
  1. See if the problem is the same in iTunes as on the iPod. The iPod's data is only as good as what iTunes gives it. I would have switched from looking at the iPod to looking at the data in the iTunes library.
  2. Try a different cable if you have a connection problem. It might not be that but cables are easy to check. And if the cable is bad it is cheaper to replace than an iPod.
  3. Don't plug other things into the FireWire port of your external disk besides another daisy-chained disk of the same type. Especially don't plug in an external iSight camera.


Time Machine is Working Again

Recently, I blogged that Time Machine Failed Me. You can read it there, but there is a bit more to the story.

I had turned Time Machine off. After all, every time (yes, every) it tried, it failed. (In an earlier post, I mentioned an error that occurred when I didn't check the state of my PowerBook before shutting it down. That was my error.)

But, I still used and relied on SuperDuper!. And then the unthinkable happened. For the first time, SuperDuper! failed. Red type in the SuperDuper! window told me, "SuperDuper!: Failed to copy files from Macintosh HD to firewire."

I looked at its log file. The log file is fascinating. I'm... um... seasoned, I suppose is a good word for "old." I've been around a while. I remember doing backups onto 9-track mag tape. You did that with "everything" on the system stopped. Even in more modern times, backups have given trouble if the system was trying to write anything. SuperDuper! clearly keeps trying and trying. (And, yes, I have booted from and recovered files from my back-up volume.) But, I digress. The last line of the log said this:

| 05:50:20 PM | Error | SDCopy: utimes /Volumes/fredpb2-boot-leopard/ System/Library/Automator/Apply Quartz Composition Filter to Image Files.action/Contents/Resources/English.lproj/main.nib: Invalid argument\n: Invalid argument
So, I tried again. Same error, different place. I ran DiskUtility against the FireWire HD. No problems. I ran it against the system HD. Again, nothing to repair. So, I wrote to Shirt Pocket's feedback address at 17:57:53 -0400. I got a response from customer support (I am joking a bit... "customer support" is the owner and operator, head programmer, and perhaps the only employee, David Nanian). A few hours later I got this response:
It looks like your destination volume failed during the backup. Please power off both the Mac and the backup drive. Wait a few minutes, and then simplify the FireWire bus to just the drive (if there was anything else attached - especially an iSight, iPod or hub).

Power back up, and then use Disk Utility to repair the destination volume (use the buttons on the right side of the Disk First Aid tab, not the left side "repair permission" buttons). Repeat until there are no errors indicated.

When that's done, give it another try, and let me know if that helps!
"Especially an iSight," eh? Darn. I do have an iSight which I cleverly plugged into the FireWire socket on the back of my external drive (since it took the only FireWire port on my PowerBook).

I unplugged the iSight camera, started a backup, and went to bed. This morning I found that it had worked without an error.

Which brings me back to Time Machine. I figure that same iSight camera might have been the problem. So, I restarted Time Machine. And it worked throughout the night (and throughout today) also. So, I'm using Time Machine again. But, I am trusting SuperDuper! Apple has... Steve Jobs, somewhere. SuperDuper has David in Weston, Massachusetts, who wrote the thing and responds to email late at night. Even when he is on vacation!


E-Mail Cleanup

While this series of articles is Mac-specific and Mail-specific, most of the tips offered can be used with other e-mail clients on other platforms. It is all about productivity. I know people who have no such scheme and are burdened by the guilt (or just stress) of hundreds (or more) unread or "undealt-with" e-mails in their inbox. As the waiter in the 1971 television advertisement for Alka-Seltzer urges his customer, "Try it, you'll like it." Unlike the customer, trying these suggestions should lessen the need for an antacid.

Here are other excellent resources for getting a handle on e-mail. And, as you probably know, handling this problem is very important. (See the comment in Hi-tech is turning us all into time-wasters, that says, "Even the beeps notifying the arrival of email are said to be causing a 0.5 per cent drop in gross domestic product in the United States, costing the economy $70bn a year.")

So, the additional resources:
Both are from Merlin Mann.



I like to write. I journal. I blog. I don't do either enough. I write, sometimes, for my day job. (But, writing for government contract deliverables—and who else even talks like that?—is something completely different, and can be life-sucking to a writer. But, I digress.) I just can't seem to schedule a regular time to write, and this bugs me. So, I need to find a way. All that to point to an excellent column by Kurt Vonnegut. If I read this correctly, he wrote it in 1999. It popped up on a newsreader and I am pointing it out to you. It is How to Write With Style. If you write, please read it (it is very short). His summary:
  1. Find a subject you care about
  2. Do not ramble, though
  3. Keep it simple
  4. Have guts to cut
  5. Sound like yourself
  6. Say what you mean
  7. Pity the readers


Time Machine Failed Me

I'm disappointed in this "run it and forget it" thing. Others have seen this. Most probably have not. I mentioned it in Time Machine Error. Well, it continued to happen. Sometimes it would fail with a pop-up message saying, "Time Machine Error. Unable to complete backup. An error occurred while creating the backup directory." Very helpful. What am I supposed to make of that, let alone Mom and Pop or Aunt Ida? So I opened Time Machine and clicked the red "i" in a circle, assuming it meant "information." And that pop-up said... the exact same thing.

I turned off TM. I used Disk Utility to Verify and Repair. It would not verify or repair. Now, Disk Utility helpfully tells you, "Click Repair Disk. If the repair fails, back up and erase the disk."

Back up where? And why? It is bad. Why back up a bad disk? So, I have no choice but to erase it and start Time Machine captures again. Why? Why not? I am glad I routinely back up on another volume using SuperDuper! Oh, and I need to select "Change Disk..." in Time Machine and pick the same, now zeroed-out, disk. And I'm fairly smart. Again, how could Mom and Pop or Aunt Ida do this?

Help on my Mac turns up a topic entitled, "Time Machine stops backing up to external disk." Promising? No. It says to 1. Open Disk Utility and 2. Click the Partitions Tab.

Funny. No such Tab.

Apple, this rots.


E-mail "Stationery": Just Say "No"

Short version: using e-mail 'stationery' is evil. Don't do it.

In my posting Leopard: The Good Stuff I say
One feature Mail could have done without: stationery. Stationery is terrific for hand-written mail. All it does is add an image attachment that may or may not be seen as a "background" to the e-mail. (Many times it will not show up; it depends on the e-mail client. The user will then click on the attachment to see it and it will make them wonder why you sent them a fabric swatch.)
I have repeatedly suggested against it every time someone has mentioned it in the Apple discussion forums. I've written, "As I've stated before on these forums, just because it looks good in your e-mail client does not mean that it will display correctly in someone else's. Sometimes the 'stationery' will be transmitted as an attachment. The recipient will get your e-mail and an attachment. They will have to click on the attachment to see it. And they will see the 'stationery' only. It would be like sending a postal letter with the words written on a plain white sheet of paper, and sending along with it a nice piece of colored stationery."

A friend sent me e-mail the other day. He "signed his name" at the bottom with a GIF image of his handwritten name, "Joe." It, was, of course, an attachment. It showed up fine in e-mail, but when I forwarded the message, I forwarded his plain text e-mail plus the attachment with his name.

Someone else consistently sends me e-mail with a fancy signature image, containing her company logo. Every time I reply—and include the e-mail—the fancy signature is sent along. She replies, and now there are two copies of it, and so on.

You, the sender, have no control over what the recipients' e-mail client can and cannot view. Sticking to plain text e-mail means that you can communicate with the greatest number of people. If you must have fancy fonts, and colorful backgrounds, send it in a PDF.

Plain text is best.

Use Rich Text if you must.

But, don't use stationery (unless it is in hard-copy, postal mail).

Data Classification

I provided some input into an article by writer Mathew Schwartz, who quotes me in the article Classify This! 10 Best Practices to Jumpstart Your Data Classification Program.

I've often pointed out, here and elsewhere, that there is, as the writer of Ecclesiastes says, "nothing new under the sun." Mr. Schwartz wrote about this last week (and it is timely and too few of us are doing it). And I wrote these words in February 1999 (almost 10 years ago).
Security policy planning entails starting with the mission needs. Identify the crown jewels through data classification. Classifications might include "don't care," sensitive, financial, competitive, legal, privacy-related, etc.
Re-read my old article at Foundations of Enterprise Network Security.


It's not just who you are, it's who your friends are

I've saved this clipping in my "BlogMe" mailbox since February. How to Hack Into a Boeing 787. In a nutshell (in case the article is gone or you don't want to bother) all variants of the jetliner "have three on-board computer networks. One network is for flight safety and navigation, a second is for administrative functions and the third handles passenger entertainment and Internet access." You know the punch-line, right? All three are linked. (Probably, were, as Boeing says the design has been fixed.)

It reminds me of a story.

It takes place in 1992 or so. DARPA was funding a small computer security company to securely connect the White House (really the Executive Office Building) to the Internet. They came to this security company and asked, "Do you know anything about 'Internet firewalls?'" People at the company did. After lots of talking and planning, someone with a clue said, "We need to do a network survey." "Why?"

"We need to see what else is connected to your network." Now remember, this was 1993, before everyone including your Aunt Tilly was on the Internet. Long story short, the company did the network survey and found that the White House network was already on the Internet. They were connected via NASA Goddard, which, at the time, was well-known in the local IP community for poor network security. They would have had a firewall on their front door with an unlocked back door.

Back to the jetliner. People tend to make these mistakes. Why, or why in the world are—sorry, were—the networks interconnected? I don't know but experience tells me it was probably to save some copper (or fiber). No matter how smart you are (and the Boeing engineers are smart), always, always, always bring someone else in to look at your plans. And make sure some of those people know something about security and risks.

I heard from someone "in the know," who shall remain nameless.
"How to hack into a 787" was erroneous from the very beginning. It was a scare story launched by someone with no actual knowledge of the systems in question.

While there are connections between the sub-networks on the B787, the interactions between the passenger-accessible network and the rest is strictly firewalled and sandboxed. The only data connection between the cabin network and the flight network is a very limited one that allows the cabin crew to talk to the flight crew over the IP-based interphone system.

Having actually read the Specification Control Documents (SCDs) which control the design of the system, I can tell you that they were designed with data security issues very much in mind.

Well, certainly good news, but my point remains. These are the times when you don't just bring in application experts, or networking experts, but also security experts.

Other Cocktails

As I have previously mentioned, a gin Martini is my drink of choice, "up," with an olive. I prefer Gordon's, not because it is Bond's gin of choice (and anyway, the Gordon's of the original novel's time was a higher proof), but because I like the taste. I do enjoy other cocktails at times.

Another favorite is a gin Gimlet, a very nice cocktail, made with 2 oz. of gin and 3/4 oz. of Rose's Lime Juice. There are sweeter versions, but this is the ratio I prefer. (In Raymond Chandler's The Long Goodbye, Terry Lennox tells Philip Marlowe, "A real Gimlet is half gin and half Rose's Lime Juice...") Again, very cold, up with a lime quarter.

And when I am in a very quiet, contemplative mood, it's a Vesper. In the novel Casino Royale, Bond ordered thusly:
"Three measures of Gordon's, one of vodka, half a measure of Kina Lillet. Shake it very well until it's ice-cold, then add a large thin slice of lemon peel."
Alas, you can't get Kina Lillet anymore and that's arguably a lot of booze. I go with the recipe in my signed hardcover copy of Cocktail: The Drinks Bible for the 21st Century.
  • 2 oz. Gordon's gin
  • 1 oz vodka (I don't care what kind)
  • 1/2 oz. Lillet blanc
  • a dash of bitters (to simulate the Kina Lillet and to give a light pink glow)


More on Big Bang Mark2

Right, not really. Previously, I blogged about 'Big Bang' project put off to 2008. Well, holy moley, it is 2008 and time is running out! So, I was amused by Some fear debut of powerful atom-smasher. ("Atom-smasher." I like it.) "Obviously, the world will not end when the LHC switches on," said project leader Lyn Evans. But, what really got me laughing is:
David Francis, a physicist on the collider's huge ATLAS particle detector, smiled when asked whether he worried about black holes and hypothetical killer particles known as strangelets.

"If I thought that this was going to happen, I would be well away from here," he said.
Well, really how far away could one get from the Earth being swallowed by Switzerland? (And no, I don't really think CERN will cause a black hole. Just the same, imagine the insurance they have to carry!)

Notes from a Boring Meeting

Every meeting can start with a contest. Everyone "plays" or demonstrates what his or her phone sounds like when it "rings." The one with the most obnoxious one wins. Second place wins for the most embarrassing. These ratings are assigned by the group.

In the Beginning

I had to chuckle. No, it really was an "LOL," as my kids text. I read Hints of 'time before Big Bang', in which we read, "A team of physicists has claimed that our view of the early Universe may contain the signature of a time before the Big Bang."

Okay, let me get this straight. The Cosmos as we know it did not explode into existence from nothing at the event we know as "The Big Bang." It exploded from something? What? The Cosmos-1?

There is this very basic foundation of... what? sense versus nonsense? "Ex nihilo nihil fit." Out of nothing, nothing comes. It doesn't really matter how many big bangs there were. You either believe in an eternal self-existent cosmos or... No, we'll leave it at that. A cosmos that has existed for eternity past is so much safer.

Easy Spam Filter

I just need to figure out how to code this up: IF
  • The From: address is all in capital letters
  • The word "widow" is in the message body
    and either
    • The Subject is "greetings in the name of the lord!"
    • The Subject: is in Hebrew (this won't work for everyone, I know)
it is spam.
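Here is one way to code that rule up, as an added example that is not part of the original post. It uses Python's standard email parser, so it runs on a raw message as delivered (a procmail or Mail rule would be the other obvious place for it). The four sample messages are constructed for the example, not real spam; "From: all in capital letters" is taken to mean every letter in the decoded From: header, display name and address alike, and "in Hebrew" is taken to mean any character from the Unicode Hebrew block.

```python
import re
from email import message_from_string, policy

# Unicode Hebrew block; one such character in the Subject is enough.
HEBREW_LETTER = re.compile(r"[\u0590-\u05FF]")
GREETING = "greetings in the name of the lord!"


def from_all_caps(from_header):
    """True if every letter in the decoded From: header (display name and
    address) is upper case. A header with no letters at all does not count."""
    letters = [c for c in str(from_header) if c.isalpha()]
    return bool(letters) and all(c.isupper() for c in letters)


def subject_matches(subject):
    """Either the exact greeting (case-insensitive) or any Hebrew letter."""
    text = str(subject).strip()
    return text.casefold() == GREETING or bool(HEBREW_LETTER.search(text))


def body_text(msg):
    """Plain-text body, falling back to HTML; empty string if there is neither."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def is_spam(raw_message):
    """The rule from the post: all-caps From:, the word 'widow' in the body,
    and a Subject: that is either the greeting or Hebrew."""
    # policy.default decodes RFC 2047 headers for us, so Hebrew subjects work.
    msg = message_from_string(raw_message, policy=policy.default)
    return (from_all_caps(msg.get("From", ""))
            and "widow" in body_text(msg).casefold()
            and subject_matches(msg.get("Subject", "")))


# Constructed sample messages for the example (not real mail).
SPAM_GREETING = """\
From: MRS MARY WILLIAMS <MRS.MARY.WILLIAMS@EXAMPLE.NET>
To: listname@example.org
Subject: Greetings in the name of the Lord!

I am a widow with USD 15,000,000 to share with a kind-hearted, trustworthy person.
"""

SPAM_HEBREW = """\
From: MR JOHN DOE <JOHN.DOE@EXAMPLE.NET>
To: listname@example.org
Subject: שלום לך

I am writing to you on behalf of a widow who needs your urgent assistance.
"""

# Same subject and body as the spam, but a normally-cased sender: not spam.
HAM = """\
From: Olivier <olivier@example.org>
To: fred@example.org
Subject: Greetings in the name of the Lord!

A widow in my family asked me to pass this along to you.
"""

# All-caps sender and matching subject, but no 'widow' in the body: not spam.
NO_WIDOW = """\
From: DAD <DAD@EXAMPLE.COM>
To: fred@example.org
Subject: Greetings in the name of the Lord!

See you on Sunday.
"""

if __name__ == "__main__":
    for label, raw in (("greeting", SPAM_GREETING), ("hebrew", SPAM_HEBREW),
                       ("ham", HAM), ("no-widow", NO_WIDOW)):
        print(label, "->", "spam" if is_spam(raw) else "ok")
```

All three conditions have to hold at once, which is why the HAM and NO_WIDOW samples pass: a rule this narrow will miss a lot, but it will not eat mail from a friend who happens to quote the greeting.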

Conventional Wisdom vs. Wisdom

In February, Dark Reading published The Myth of Conventional Wisdom. I posted a comment. A rebuttal, really. It is no longer on the website. (There are no comments or discussion for the article.) I think the discussion—what Tim wrote and my opinions—might be useful to present here. So, read his piece (let me know if the link no longer works; I saved a copy). And then read what I suggest, below.
I believe you've misused the term "conventional wisdom." Conventional wisdom consists of things that are generally accepted as true by most people, not by experts in the field. I suggest that if you ask experts in the field—and for grins, let's stick with people who have been in the business for more than 2 years—you will find that none of the things you mention came as surprises. In fact, they could have been, and have been, predicted. But, using the correct definition of conventional wisdom, I agree with your assessment of conventional wisdom in the info security realm. You write, "The problem with IT security is that it's not a conventional discipline. It changes with the nature of the business and the nature of the threat." No. Particulars change, but fundamentally there is nothing new in the attack space, and has not been in years. Neither of the examples you give of zero-day attacks (are we really surprised that attackers go for the low-hanging fruit?) and identity fraud surprised experts in the field. The public believes that because loss of 100,000 credit card names and numbers will lead to more people exploiting more cards. The expert knows that you are still more likely to have your card number taken and used by the young waiter who served you last night.

And what network or security expert said that "DNS systems were unassailable"? Steve Bellovin discovered flaws in DNS almost 20 years ago and security extensions to DNS started in the late 90s. But, yes, "conventional wisdom"—which we see is no wisdom at all—would say otherwise.

"IT security 'wisdom'" is far from "fleeting." We just continue to forget the past, and believe that everything is new and needing new solutions. "The security pro" who forgets the basics and neglects what has worked before "will surely be the first one attacked tomorrow."


The More Things Change...

I was interviewed for Access Control and Security Systems Magazine. The article makes me sound smart and old. Okay, I guess I'd like to think I am smart, and I am, after all, getting on in years. (I am only 10 years old in "dog years!") The article is The More Things Change….

Time Machine Error

As I mentioned in System Back-ups, I have and do use SuperDuper! for backups, but since installing Leopard, I also let Time Machine do its thing. Today, it was showing an error condition. When I queried Time Machine (I opened it then clicked on the little "information" icon, next to the error) it helpfully told me "Unable to complete backup. An error occurred while copying files to the backup volume." I tried again. Same thing. I used Disk Utility to check the disk. No problems.

So, first I did a back-up using SuperDuper! I use a different partition for that. Then I queried the Internet, which, as we know, knows everything. I found the solution.

Apparently, Time Machine was interrupted during the last time it was run. Now, a power outage can do that, and we had one today. But, this was user error. I turned my machine off last night when going to bed. And I did not check to see if it was running. It was a simple fix. I found it, via a search for the error message, at the MacCast Forum. The answer, from forum user "karinlord," was:
If Time Machine gets disrupted for any reason during a backup (e.g., hard drive unplugged, power failure) it seems to get stuck. Occasionally it gets stuck for reasons only known to Leopard. It's a known bug on the Apple discussion boards. What has worked for me is the following:
  1. ensure hard drive is powered on and connected to computer
  2. turn off time machine
  3. go to your backup volume, backups.backupd, "your computer name", and then select and trash "In Progress" or "Latest" (it will be the last one in your backup folder listing)
  4. turn Time Machine back on
  5. either wait for the next backup cycle, or what I do to be sure things are working right: force an immediate backup (control-click on TimeMachine, select "backup now").

This worked for me.

Comcast Anti-spam Measure

Apparently, in its never-ending battle to thwart spam, Comcast recently started to require that connecting e-mail servers have a valid PTR record, so Comcast's email servers can do a PTR (pointer) record lookup. This is a lookup on the connecting IP address to see whether the address has a name (it should be the mail server's domain name) that matches it.

Now, I am not sure of a different way to do it, but Comcast chose a way that many choose: they returned it in a bounced error message.

Providentially, I knew this was coming. For some reason, I checked the mail queue on the server. This is what I saw.
242C7AFEC0D2 9406 Thu Jun 19 12:25:40
listname@example.org (connect to mx1.comcast.net[]: server refused to talk to me:
554 IMTA08.westchester.pa.mail.comcast.net comcast Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to:
Later, one of the errors was returned to the list owner (me).
<delta4@comcast.net>: delivery temporarily suspended: connect to mx2.comcast.net[]: server refused to talk to me: 554 IMTA01.emeryville.ca.mail.comcast.net comcast Comcast requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. For more information, refer to: http://www.comcast.net/help/faq/index.jsp?faq=SecurityMail_Policy18784
Now, I am fairly Internet, DNS, and SMTP e-mail clueful. What would (what does) the average person do with this error message? They should go to the indicated URL. It suggests going to your email administrator. Many people stop right there, eyes glazed over.

The funny thing in this case? Although the server was not in a Comcast address space, the server domain is a customer of Comcast. I'm thinking the error message could have been clearer.
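For the mail administrator on the receiving end of that bounce, here is the check Comcast is doing, as an added example that is not part of the original post and not Comcast's code. It goes a step beyond the bounce text: most receivers do not just require that a PTR exist, they require forward-confirmed reverse DNS, meaning the PTR's name must resolve back to the same address. The lookups are passed in as functions so the check can be exercised offline against a constructed fake zone; the system_* versions use the OS resolver with nothing beyond the standard library. The addresses and names in the fake zone are documentation ranges, not real hosts.

```python
import ipaddress
import socket


def reverse_name(ip):
    """The owner name a receiver queries for an address's PTR record,
    e.g. 192.0.2.25 -> 25.2.0.192.in-addr.arpa (IPv6 lands under ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_fcrdns(ip, ptr_lookup, addr_lookup):
    """Forward-confirmed reverse DNS.

    The address must have at least one PTR record, and at least one of the
    names it points at must resolve (A/AAAA) back to the same address.
    Returns (verdict, name) with verdict "ok", "no-ptr" or "mismatch".
    ptr_lookup(ip) -> list of names; addr_lookup(name) -> list of addresses.
    """
    ip = str(ipaddress.ip_address(ip))      # normalise (e.g. IPv6 spelling)
    names = ptr_lookup(ip)
    if not names:
        return ("no-ptr", None)
    for name in names:
        if ip in addr_lookup(name):
            return ("ok", name)
    # A PTR exists but its name belongs to some other address: treat as a
    # failure too, or spammers could point PTRs at any name they like.
    return ("mismatch", names[0])


def system_ptr_lookup(ip):
    """PTR lookup through the OS resolver (stdlib only, no dnspython)."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def system_addr_lookup(name):
    """A/AAAA lookup through the OS resolver; returns address strings."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


# Constructed fake zone for offline use (not real DNS data): a correctly
# configured server, a server with no PTR at all (192.0.2.26), and a server
# whose PTR names a host that resolves somewhere else.
FAKE_PTR = {
    "192.0.2.25": ["mail.example.org"],
    "192.0.2.27": ["mail.example.net"],
}
FAKE_ADDR = {
    "mail.example.org": ["192.0.2.25"],
    "mail.example.net": ["192.0.2.99"],
}


def check_fake(ip):
    """Run the check against the constructed zone above."""
    return check_fcrdns(ip,
                        lambda a: FAKE_PTR.get(a, []),
                        lambda n: FAKE_ADDR.get(n, []))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live check of your own server's outbound address, via the OS resolver.
        print(sys.argv[1], check_fcrdns(sys.argv[1], system_ptr_lookup, system_addr_lookup))
    else:
        for addr in ("192.0.2.25", "192.0.2.26", "192.0.2.27"):
            print(addr, reverse_name(addr), check_fake(addr))
```

Run it with your server's outbound address as the argument before you hit a receiver that enforces this; "no-ptr" means asking whoever owns the address block (here, the ISP) to add the record, and "mismatch" means the PTR exists but names a host that does not point back.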


New Firewall Technology? Maybe.

I read Startup Launches New Firewall Line posted by Andrew Conry-Murray. He claimed it was innovative. It sounded to me like an application gateway firewall from the mid-90s, only faster. I asked him about it, and he replied, "It's not an application gateway... it's not proxying the applications. The company uses signatures to identify applications rather than try to recreate every app that admins want to allow through." In a traditional application gateway firewall, proxy software that mimics various application servers (usually in a secure fashion) provides the security. He pointed me to From The Labs: Palo Alto's Firewall Appliance.

So, instead of writing proxy software for "550 applications," Palo Alto has "a signature-based system that allows for matching network traffic against a database of more than 550 applications."

It does sound innovative. Check it out and see if you agree.

Router Rooter

I've praised the Radio Free Security, Watchguard's security podcast, before. The June offering included Dave Piscitello on how to "Prevent Domain Hijacking." The basic idea is that "Router-based rootkit shows some old attacks are new again." It reminded me of a column I did for WatchGuard in 2002! As Scott Pinzon writes on their blog page
Attacks on routers are not new. Before Trojan horse and virus attacks became so devilishly easy to launch, attacks against the basic protocols in the Internet were accomplished through routers and their undying and exact support of those protocols, built-in weaknesses and all. And if you appreciate that last sentence, you may want to read the article that I stole it from. Fred Avolio's concise steps toward "Basic IP Router Security" was written in 2002, yet … every word is still useful today. If you were ordered to harden your routers, would you know what that means, and more importantly, what to do? Check out Fred's article, which is suitable no matter what brand of router you use. Then, for extra credit, take a look at the Cisco paper, "Guide to Harden Cisco IOS Devices."


Internet Safety

Recently, I responded to a posting on Apple's discussion list from someone asking if she needed to get 3rd-party security software. Someone posted and gave the opinion that "OS X has all the built-in security that anyone would need." I agreed, but reminded that "you have to use them."

Let me expand a bit on what I wrote.
  • You have a firewall (in Windows or OS X); use it!
  • Speaking of firewall, turn on application access. (See this Macworld article for some good recommendations.)
  • Regularly back-up your data! TimeMachine is fine. So is something else. See what I wrote in my blog, System Back-ups. And back things up before you install updates.
  • Both Safari and Firefox have antiphishing mechanisms. Use them.
  • Keep your brain engaged.
    • You have no need to click on a URL in an email from a bank in which you don't have an account! I mean, really. Do you have that many bank accounts that you cannot remember that you do not have one at Barclays Bank?
    • Even if you really do use eBay a lot, eBay doesn't send emails about problems with your account with URLs on systems in Korea.
    • And no one, no one, no one wants your help to get at $15M. No widow in some foreign country has heard of what a kind-hearted, trustworthy person you are, no matter how kind-hearted and trustworthy you are.
    • No, you did not win a big Internet e-mail address lottery.
    • Did you really do business in another country and forget that they still owed you $75,000? (As I told a friend, "Holy cow! How did I forget that? At my standard rate that is 6 weeks of work! Maybe it was a fixed price contract.")

Still Love and Hate Mail

I am still enjoying a love/hate relationship with Apple Mail. (See Mac E-mail Again, 08 Mar 2006.) I've not lost any email, but there are many times that I've deleted or filed e-mail into a folder, only to have it turn up again in my Inbox. Grrrrr.

Then I noticed others in Apple's discussion forums complaining. (For example, see Mail repeatedly downloading items.) There have been problems with Apple's own .Mac site as well as BT Yahoo.

I decided to try Thunderbird again. It did not misbehave! But, for some reason I couldn't save sent mail to a Sent mailbox. Grrr again. And Mail has other features I mentioned in the above-cited entry. So, I wait and hope for a fix now that it is more than just me.


Martinis Are Good for You!

Well, that's what I hear.

007 Had It Right with the Martinis, from NPR.

The paper referenced is Shaken, not stirred: bioanalytical study of the antioxidant activities of martinis by Trevithick C C Trevithick, M M Chartrand, J Wahlman, F Rahman, M Hirst and J R Trevithick. Another interesting paper that references the first, is The Dry Martini: Chemistry, History, and Assorted Lore written by George B. Kauffman.

And, this for fun:


Ready to Give Up on iChat to PC

I spoke to my friend, networking expert Dave Piscitello, who said
It sounds like the Westell does port-based NAT (PNAT). You are actually performing PNAT twice. Since when you only have the ADSL router, you can video chat anywhere, I suspect you can't PNAT the connections twice. (This is the case with IPsec.)
Today, I did the following, per his suggestion:
  • Put the Westell ADSL modem/router into bridge mode
  • Let the Netgear Router make the authentication to my ISP
(Dave had pointed me to How do I set up a Netgear router with a Westell?)

With and without UPnP selected in the router, the result was almost the same as it has been. The connection with test-user rjinwipc just sat there saying, "Waiting for a response from rjinwipc." A connection attempt to ichatavtesting resulted in "Failed to start video chat because: Frederick M. Avolio did not respond." I could get to appleu3test0, no problem.
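Dave's diagnosis above (two port-based NATs in series) is easy to model. What follows is an added example, not code from the original post or from either vendor: a toy PNAT table in Python, chained once as modem-NAT plus router-NAT and once with the modem in bridge mode so that only the router translates. A UPnP request (or a manual port forward) from a LAN host can only create a mapping on the router the host talks to, so with two NATs an unsolicited incoming call still hits the outer box and is dropped, while replies to connections the host itself opened come back fine through both tables. All addresses and the chat port are constructed. The model explains the double-NAT case only; it does not account for the chats that still failed after bridge mode, which the text above reports.

```python
"""Toy model of port-based NAT (PNAT) chained twice, as in an ADSL
modem/router in front of a second NAT router. Added example; every
address and port here is constructed."""
from dataclasses import dataclass, field


@dataclass
class Pnat:
    """One port-based NAT. Outbound packets get (ext_ip, ext_port); the mapping
    is remembered so replies to that port can be sent back inside."""
    ext_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # ext_port -> (inside_ip, inside_port)

    def outbound(self, src):
        """Translate an inside (ip, port); reuse an existing mapping or create one."""
        for ext_port, inside in self.table.items():
            if inside == src:
                return (self.ext_ip, ext_port)
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = src
        return (self.ext_ip, ext_port)

    def inbound(self, dst_port):
        """Packet arriving from outside on dst_port; None means no mapping, dropped."""
        return self.table.get(dst_port)

    def add_static_mapping(self, ext_port, inside):
        """What UPnP (or a manual port forward) does: pre-create a mapping on THIS NAT."""
        self.table[ext_port] = inside


def chain_outbound(nats_inside_to_outside, src):
    """Carry a packet from the LAN host outward through each NAT in turn."""
    addr = src
    for nat in nats_inside_to_outside:
        addr = nat.outbound(addr)
    return addr


def chain_inbound(nats_outside_to_inside, dst_port):
    """Carry a packet from the Internet inward; None if any NAT drops it."""
    hit = None
    port = dst_port
    for nat in nats_outside_to_inside:
        hit = nat.inbound(port)
        if hit is None:
            return None
        port = hit[1]
    return hit


HOST = ("192.168.0.7", 5678)  # constructed LAN address and chat port of the Mac


def scenario(bridge_mode: bool):
    """Return (who an unsolicited inbound call reaches, who a solicited reply reaches)."""
    inner = Pnat(ext_ip="192.168.1.2")      # router's WAN side: a private address from the modem
    if bridge_mode:
        inner.ext_ip = "203.0.113.5"        # modem bridged: router holds the public address
        chain = [inner]
    else:
        outer = Pnat(ext_ip="203.0.113.5")  # modem doing its own PNAT in front of the router
        chain = [outer, inner]             # ordered from the Internet inward

    # UPnP can only reach the router the host sees, so the mapping lands on 'inner'.
    inner.add_static_mapping(HOST[1], HOST)

    unsolicited = chain_inbound(chain, HOST[1])          # a friend calling in
    outside = chain_outbound(list(reversed(chain)), HOST)  # host calls out first
    reply = chain_inbound(chain, outside[1])             # reply follows the mappings back
    return unsolicited, reply


if __name__ == "__main__":
    print("double NAT :", scenario(bridge_mode=False))  # (None, HOST)
    print("bridge mode:", scenario(bridge_mode=True))   # (HOST, HOST)
```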

I think I am ready to give up.

Although I do thank Dave, Ralph John, and Frédéric in France.

These are some recent comments from an Apple discussion thread on the subject of iChat video with AIM. Let me just point out, they summarize my experiences.
"but my basic conclusion based on what I have seen is that there are issues with video chat between AIM 5.9 and iChat AV, and there isn't much I can do about it for now"

"I can no longer in good conscience recommend iChat AV to AIM 5.9 for cross platform video conferencing as there are just too many issues"
If any of you try to connect to test (and that would be fine if I am around), please do e-mail me if it failed. Or send an IM text note. I don't want anyone to think I hung up on him! (30 minutes ago someone connected for a video-chat. I accepted, we connected, I saw his smiling face, and BAM! Gone. I didn't get his name and am not sure what went wrong.)

(Does iChat log these video attempts?)


Revisited: From Zero to Expert in Your "Spare Time"

In June of 2001, I wrote a column for WatchGuard Technologies called From Zero to Expert in Your "Spare Time", a "Foundations" piece. Recently, editor Scott Pinzon asked me to update the thoughts for a podcast of Radio Free Security. I told him "Sounds like fun," and not being one to waste effort, I'm turning it into this blog entry. (The XML to the newsfeed is Radio Free Security. The direct link to the mp3 is How to Learn Network Security)

Things have changed little in the world of network security support from 2001. (Yes, that is not a "typo"—little.) I still think many of us are transitioned from "network support person" to "security guru" fairly quickly. Sometimes, we seek this ourselves, wanting something more "interesting to do." And sometimes we seek glory and honor. At the end of the day, people will still hate you. What people? It depends. Whoever is trying to do something "vital to the mission," and who forgot to talk to you about security until the last minute. This list can include software product developers, sales executives, program managers, product managers, network engineers, etc. But, you did ask for it, now didn't you?

Before I get to updating my old column, a warning: you, dear reader, want to hear new, exciting, interesting, and jazzy things to learn. And, indeed, there is some of that. But, I fear you will be disappointed that I will point to some old books and papers and old things to learn. Take heart. If this was a theology course, we would still look at old texts. As Paul Simon reminds us, in his song "Old," "God is old." (I lost some of you by mentioning Paul Simon, right? "Avolio is old," you thought.) Let me put it another way: If you study and use calculus or Boolean algebra, you don't only look at breakthroughs in those disciplines from the past few years. So, you'll have to trust me. You'll want to jump to the new and jazzy. You will do yourself a great favor by studying some old things, as well as new. You'd do it in physics or mathematics. You should also do so here.

One more warning: if your employer will send you to "CISSP school," in which you get trained to pass the CISSP exam, take them up on it. But, you will still need to do more. I know CISSPs who, by definition, passed the exam, but also clearly have no practical knowledge or experience.

First Steps.

As I said a few years back, "first off, you will have to exert some effort. You'll have to work. My idea is to give you work you can do in a reasonable amount of time, while still employed. ... You need to do some basic reading. Not all at once, and not in every area. Some excellent books and papers will provide a good start. I am only going to point to a few of these, because you are supposed to be able to do this without taking six months off."

You'll need to learn terminology around security, but that will come as you peruse the Internet, making use of Google and Wikipedia. Start with learning the technology in your current area of responsibility.

For security basics, let's start with WatchGuard, and not just because they asked me to do this. Their education page is easy to navigate and has information for Jedi masters as well as the padawan learner. Bookmark their "Network Security Glossary." Spend some time reading their White Papers. (They are free with a registration. They will not spam you. Scott promises.) Most of what they have (papers, podcasts, and videos) is 99% unbiased with 1% advertising. (Scott has to eat, too, you know.) Their "IT Managers' Security Resources" are for anyone wanting to learn more about network and computer security, not just for IT folks and certainly not just for managers. These provide practical advice for securing the corporate network from user to servers, along with an occasional technical "deep dive" piece. As you move towards Master from Learner, you will want to try your skills in "The Dustin Barnes Mystery Series," also found on their web page. Check out their instructional videos (fun but no fluff, I promise), and, of course, subscribe to their Radio Free Security podcasts. (You might find their case studies of interest, but these do seem to have the look and feel of marketing communication glossies.)

Next stop, Techtarget's SearchSecurity site. They also have excellent whitepapers and reports. Their main page is a "security portal" of sorts, gathering infosec news as well as security papers grouped topically. (Most of these papers are produced or sponsored by vendors and require registering.) While there, you should also subscribe to some of their RSS newsfeeds, such as Security Wire Daily News (or Weekly) and Network Security Tactics. Also, there, you can subscribe to Information Security Magazine. You can also read some of the articles in the latest issue here.

Next steps.

In addition to the "portals" mentioned above, we can drill down a bit into these particular areas.

This includes antivirus and spyware. Really, there aren't many books to recommend to come up to speed on Spyware. For antivirus I recommend Hacking Exposed 5th Edition (Hacking Exposed), though it covers a great deal more than that. Otherwise, peruse the malware topic area in the Searchsecurity papers (with the warning of vendor sponsorship I previously made). Actually, I'd go to WatchGuard's education area and watch the "Malware Analysis Video: Drive-by Downloads"

As for other things, the National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database.

Oh, and for goodness sake, read about the Morris Worm.

For firewalls, I believe the early papers are still the best, and the technology has not changed substantially since their authors wrote them. Three of the first and best papers are:

The best books on the subject are also the earliest ones:

Intrusion Detection Systems

If you need to come up to speed on "intrusion detection," start with An Introduction to IDS. If you need something more in-depth, see Rebecca Bace's whitepaper, "An Introduction to Intrusion Detection and Assessment." She also wrote the book Intrusion Detection (MTP). Another excellent book is Terry Escamilla's Intrusion Detection: Network Security Beyond the Firewall.

This list has not changed since 2001. The best books on the subject of cryptography for computers and the Internet are:

VPNs

You need to learn about virtual private networks, and, again, one of the best introductions is an "old" book, from 2001, Virtual Private Networks: Technologies and Solutions, by Ruixi Yuan and W. Timothy Strayer.

Secure E-mail
If you need to learn about e-mail security:

And just for fun, check out some famous attacks.


How in the world will you keep up to date on changing technologies and events while still keeping your job (and maybe even having a life)? The answer is "automate." Sign up to an RSS news service (mentioned earlier). Spend a half hour of each day checking news items and bulletins.

Start poking around NIST's Computer Security Division's Computer Security Resource Center. There are some useful papers and guidelines here. There are also things that look surprisingly like they were written by someone getting paid by the word. (They were not. But, one of the mottos of big government agencies seems to be, "Never say in 10 words what you can say in 100.") Their "Guide to NIST Information Security Documents" is 36 pages.

There are security-related magazines to read, and my favorites both have electronic and print versions:

Even without having six months to take off, you might be able to get some outside training for on-going growth and development. My favorite security-related conferences are:

Are We There Yet?

In this column, I briefly suggested and pointed to resources to help you move from beginner, towards "expert." This has not been exhaustive; undoubtedly, I have left out some excellent resources. Treat these suggestions as a starting point. Most of these resources will lead to others. With some reading and some trying this and sampling that, you will start down a path that can, eventually, lead you from novice to expert.


Leopard: The Good Stuff

I'm just going to touch on a few things, as Apple certainly has—with greater flair—shown off Leopard's features. (Note, this now points to an introduction to Snow Leopard. Google Videos has the older version here.)

First, almost everything worked. I had a few glitches, as I describe in Leopard: The installation and Leopard: Problems.

SuperDuper! had already provided Leopard support, and it worked. Although I can see using Time Machine, to recover the state of individual files, I like having a complete, bootable image that I control. This may change over time. (No pun intended.)

Time Machine. It is cool, neat, etc. As I just said, I can imagine the need and using it. I have only played with it.

Spaces really helps my productivity. Under Tiger, to avoid some clutter, I used to have my desktop display be my "main display" and my Powerbook display be my secondary. It sat off to my left as you can see here. With Spaces, I just keep my PowerBook lid closed and don't use that display.

As you can see (click for larger image), I have 4 spaces set up. In the image, space 1 has my Mail program and a web browser showing. Space 2, my instant messenger windows. Space 3 has my iCal. And in Space 4, I have a few X-term windows up, connected to different systems.

Mail and iCal now work more closely together. Mail allows you to create "To Do" items, which show in your Mail, but also show up in iCal. Here is an example: I miss the side drawer display in the old version of iCal.

To Do Items are shown on the side (as before), but details appear in a pop-up window. More on that in a bit. Mail also recognizes content that might be a calendar event. This is very nice. Here are two examples. First, I received e-mail that had information about a university commencement. Note the option it gives me. I did select Create New iCal Event, which brought me to here. In another e-mail, someone invites me to meet for breakfast. I "hover" my mouse over the text, pick Create New iCal Event, and create the event in iCal. As I said, I miss the way iCal used to display information in a side panel. Now one needs to double click on the event (just like the To Do Item, earlier) to be able to see details and edit the event.

One feature Mail could have done without: stationery. Stationery is terrific—for hand-written mail. All it does is add an image attachment that may or may not be seen as a "background" to the email. (Many times it will not show up—it depends on the e-mail client. The user will then click on the attachment to see it and it will make them wonder why you send them a fabric swatch.)

Finder changes. The jury is out on the changes to the sidebar. I find it a bit cluttered and haven't had time to figure out how to fix this. Networked systems that are reachable and "shareable," show up under SHARED. Much of the time. But, just this morning as I wrote this, everything had disappeared until I connected (via SMB or NFS) again to the linuxserver. Then it showed up there again. Of course, I like Quick Look, and I am sure I will like it more as I use it more.

Oh, and Dock and its "reflective 3D" look? I turned it off. Too much candy upsets my stomach.

Right after I talked about SHARED in Finder, all the systems disappeared. This is a complaint in many forums and discussion groups on the Internet. I bet if I went to my local Apple Store I'd see all the systems on their net. I just wonder how? Remember the picture above with local systems showing under "SHARED" in Finder? Now, nothing. And when there is nothing in SHARED, SHARED doesn't even show up. And a day later? All back.

With regard to Spaces... At work, at APL, I am still running Tiger on my 15" MacBook Pro. I wish I was running Leopard. Today on a conference call, I needed to have about 6 documents open. I wish I had separate work Space available in which to group the documents I needed for the call, while still being able to jump back to a space with my e-mail and browser. As it was I had to have all of them opened on the one "space" I had.