Friday, March 30, 2007

Welcome to First Life

I've posted a couple times now about Second Life. So I've got to show you the funniest parody I've seen. "First Life is a 3D analog world where server lag does not exist". Check it out for an end of week chuckle.


Weekend geekery

I pre-ordered the LOTRO MMO game and will be click/slash/looting my way through Middle-earth this weekend. w00t!


Thursday, March 29, 2007

ShmooCon rawks!

ShmooCon 2007 is over, and what an awesome conference! There is just too much good stuff and not enough time. The talks were great, and the networking in the halls was wonderful and usually led to deeper intellectual discussions over coffee/lunch/dinner. The conference is well organized (well, a slight hiccup delayed registration a bit, but not too bad overall) and, as always, the parties were fun. Even the weather was fantastic. It is such a solid conference that I can't do justice to it in words. Suffice to say I'll be back again next year for sure. Snaps to the Shmoo Group for another great year.


not everyone who owns a ski mask is a criminal

OK, so that is a ridiculous blog title, but it illustrates the dangerous oversimplification we tend to fall into when discussing societal issues.

Mike Rothman says anonymity is for cowards. To borrow a quote, I call bullshit on that. Anonymity is nothing more than a technique to promote privacy and safety. Do cowards use it to threaten and intimidate others? Yes. Do criminals use it to carry out illegal action? Yes. But that doesn't make everyone who tries to protect their privacy a coward or a criminal. People have a right to share their opinions without advertising their personal information to the world. Many people don't want their personal opinions to be misquoted or presented as if they are officially representing their employer – should they be forced to stay out of the public discussion of a topic as a result? Anonymity has often been used by people who fear retribution from those who disagree or disapprove of their statements or philosophies. All these people deserve anonymity and to not be called cowardly.

Being anonymous is a choice, one that becomes even more attractive when you see what has happened to Kathy Sierra. If she blogged anonymously, she might not feel in as much danger as she does now. Am I blaming her? Absolutely not. She has a right to speak her mind openly without being threatened and abused, and the people who have harassed her should be held accountable. I can't imagine being in her position, I'd be terrified out of my mind. But that is one of the reasons that I try to retain some anonymity.

The Kathy Sierra situation has ignited the blogosphere in a way that HD Moore and his new tool Torment haven't. Earlier this month HD announced a rough set of tools that allows anyone operating a Tor server to attempt to track the source of network data. Moore's goal in creating the tool was to track criminals such as child pornographers, and he says he plans to turn the tools over to law enforcement to use. Can his tool be misused and the personal privacy of legitimate Tor users be compromised? Yes, sort of (read the entire article to see some of the limitations of the tool). Is everyone who uses Tor a criminal? No, that is not what anyone is saying here - and if you are, then shame on you for oversimplifying a complex social issue.

Until we establish a utopian nirvana where anyone can trust everyone, and honest disagreements don't result in retribution/bloodshed, there will always be a need for anonymity. The key is to find ways to work together to protect innocent users while making it possible to catch and stop the people who have figured out how to leverage anonymity and privacy tools for criminal or abusive purposes.


Thursday, March 15, 2007

A message from your friends at the Institute of Self Determination

- Do you feel like you lack control over your schedule?
- Have you had to cancel things in your personal life with short notice due to last minute business travel?
- Are you burnt out on conferences?
- Have you delivered presentations to low priority audiences in the middle of nowhere?

If you answered yes to at least two of the questions above, you might be asking how this happened to you and what you can do about it. You might be hoping leet haxors broke into your scheduling application to send you off to Boise at a moment's notice - you can simply rebuild your box and do a better job defending it in the future. But unfortunately, you my friend are victim to something far more nefarious. You are pwned by PR.

Our experts at the Institute of Self Determination have developed several strategies to cope with situations like this. Many of our clients lack the ability to simply tell their PR department NO to that next business trip. They don't want to look like an ass or be the bad guy. Or maybe they are not in a power position to say no without losing their job. Here are our four most popular self-help programs:

1. Cloning - send your replicants out to do the speaking engagements you don't want to do. This has become more difficult since went out of business. They were by far the most reputable of the Evil Villain cabals that thumbed their noses at political ramifications of scientific experiments on humans. Of course there are rumors that villainsupply has merely gone deeper underground to protect their plots for world domination. Unfortunately we cannot confirm or deny this rumor or we'd have to kill you later. Our clients have to find their own cloning firm, but once they do we'll help them train and store their replicants as well as deal with the psychological trauma of losing their sense of individuality.

2. Teflon - PR requests slide off you onto someone else. We can help you develop a strategy to find, mentor, and train a flock of lackeys to send off in your place the next time a travel request comes your way. Why be randomized yourself, when you can delegate that randomization to someone else?

3. White lies - the sick parent/pet excuse. While weak, sometimes it is just easier to feign personal obligations that require you to stay home. We can help you craft a believable story that isn't so complicated you screw it up and get caught. Note that this is just a temporary solution to the pwnership problem to buy you a reprieve.

4. Acceptance - the final stage of grieving. If none of the above options work for you, we can counsel you on ways to accept your PR biatch status. Let's face it, unless you use your spine, become utterly incompetent or quit your job, PR will keep pimping you out. It will be easier on you if you learn to accept your Media Whore situation and quit fighting it.

The Institute of Self Determination is accredited in multiple temporal dimensions, provides services worldwide, and offers a variety of payment plan options. Don't let your PR department push you around any more! Contact the Institute of Self Determination and start down the road towards a more self-determined life today!


hee hee hee. This is for a friend. He knows who he is.


Wednesday, March 14, 2007

Happy Pi Day

It only comes once a year, what are you doing to celebrate?

Me, I'm having pie.


Thursday, March 08, 2007

Justice Department, internet surveillance, and security theater...

Last week I read that the Bush administration has accelerated its Internet surveillance push by proposing that Web sites must keep records of who uploads photographs or videos in case police determine the content is illegal and choose to investigate.

First, there are serious privacy concerns here. To be clear, I am all for catching criminals, I just don't like the idea of this info being datamined under the very broad auspices of the Patriot Act. Think I'm paranoid?

Often invoking terrorism and child pornography as justifications, the administration has argued that Internet providers must install backdoors for surveillance and has called for routers to be redesigned for easier eavesdropping.

yeah, there is a reason I don't fully trust our government. Plus, most web businesses already have healthy data retention policies and have a strong track record of responding to subpoenas from law enforcement.

But I also feel like it is a no-brainer to say this is little more than security theater, something that will inconvenience honest folks and potentially invade their privacy and civil rights. Yes, some bad people will go to jail for child porn. But only those who don't do their porn uploads from a university or public library. That's right, the proposal excludes them. Why? Because they are safe already from such things? Because they already do user logging of uploads? No.

"There's a PR concern with including the libraries, so we're not going to include them," the participant quoted the Justice Department as saying. "We know we're going to get a pushback, so we're not going to do that."

That's right, too much pushback. So we won't do it.

If it isn't an important enough issue to force in libraries, why are we even discussing the issue anywhere else? Either it is important, or it isn't. Pick one.


Techno Firefly Video

This morning I found this on YouTube. I think it ROCKS. If you haven't seen Firefly you might not get as much out of it though.

Wonder if I can find it with higher quality video somewhere... the special effects in the original footage are awesome but suffer in this format...


A retraction

In my last post I asked Adam (the Emergent Chaos bandleader) to set up trackbacks on their blog. Why? Because I'm lazy. I had no idea that 99% of the trackbacks they used to get were spam; I can see why they disabled them. Moderating that mess takes way more time than my crossposting occasionally, so I withdraw my request on the grounds that it is just too selfish even for me.

Damn spammers.


Tuesday, March 06, 2007

Does Social Engineering = Fraud?

With all the conference blogging I've been doing lately, I haven't blogged about something I read in February that I've been thinking a fair amount about. Mordaxus over at Emergent Chaos made a compelling argument to get rid of cutesy names for attacks like pharming, phishing and pretexting, as they are exclusionary jargon that prevents people from understanding the issues at hand. Overall I totally agree with him on the exclusionary jargon ban, though I will miss saying w00t.

However, something in the post has been occupying my thoughts for some time now (obviously), and my consternation gets worse every time I hear another person toss out 'social engineering = fraud' with disdain and disgust, like only an uneducated plebe would use the term social engineering anymore.

Social engineering != fraud all of the time. Sometimes fraud is just fraud, like counterfeiting currency. And sometimes social engineering is just social engineering, like dressing nicely, smiling sincerely, and treating the ticketing agent like a human being so you stand out from the masses of annoying and frustrated travelers as a Nice Person That Should Be Upgraded To A Premium Seat Without Having To Ask. That isn't fraud, that is understanding something about psychology and sociology that you apply in human interactions to help yourself come out ahead. Social engineering is a concept, a practice if you will, that can be used for malicious purposes, but in and of itself does not require lying, misleading, deception or fraud!

So I would suggest that saying 'social engineering is a con job' is an oversimplification that contributes to shallow thought by the masses. Like calling all of these populations:
- people who find security vulnerabilities and report them
- people who write POC code
- people who reverse engineer security patches
- people who write/release worms
- people who steal your credit card number and passwords via keystroke loggers and a botnet


Too much jargon and exclusionary language is bad, but so is oversimplification. Should people be afraid of botherders? yes. Do they need to fear and revile security researchers? no. Well, not all of them anyway. (ha ha, it's a joke people)


(Adam, it would be super if you were able to hook up trackbacks on EC so I don't feel the compulsion to crosspost a comment on your blog to my own so it appears in both places. You know, with all your free time.)

Monday, March 05, 2007

On deck... Security Opus

Black Hat Fed and EUSecWest are done, so the next big con coming up is Security Opus. Though to be honest, everyone I know is talking about ShmooCon. The Security Opus speaker agenda is decent - you know anything with Window Snyder has to be rad - but as far as conferences go it just isn't as big or as affordable as Shmoo. The Shmoo schedule and speaker list is now posted (though I'm told there is at least one more talk that is going to be added) and it looks like a great con. As usual, I always plan to attend way more talks than I actually make it to. Should be hella fun. And I have to say that the Shmoo organizers are fracking geniuses. That's right, once again they are wise enough to schedule the first speakers at 10am. Thank you, ShmooCon organizers, for recognizing that no one attending ShmooCon goes to sleep at a 'reasonable' hour.

Don't have a ticket for ShmooCon? There were a few on eBay this morning...

unofficial ShmooCon fangirl

Monster Names