Things I Learned Last Week: 12/12/2010 – 12/18/2010

by kriggins on December 20, 2010

in TILLW

Welcome to the weekly post where I take the opportunity to expound on just about anything. Never fear, there is always a dedicated Infosec portion for those that don't care about anything else :)

Here are a few links if you'd like to skip to a particular part of the post.

Thoughts
Infosec Stuffs
Non-Infosec Stuffs

Thoughts

"Courage is being scared to death, but saddling up anyway."
~John Wayne

I came across this quote earlier this week and it hit me again as I contemplated last Tuesday's Crossfit workout. Crossfit is an exercise regimen that is based on constantly varied, high intensity efforts across broad time and modal domains.

What in the world does that mean?

It means workouts are always changing and always intense. The changes are in the exercises performed and the time they are performed in.

That being said, there are certain defined workouts that are used to gauge progress. Tuesday's was just such a workout. It is affectionately named the "Filthy Fifty". If you are interested in the details of what that entails, you can check out this post from my gym's blog, but essentially it is 50 repetitions of 10 different exercises done for time.

Yup, that's a total of 500 reps.

It hurts...A LOT.

I knew it was going to hurt when I looked at it that morning.

I. Did. It. Anyway.

When faced with something frightening, hard, outside our comfort zone, or just plain intimidating we can be scared and hide from the challenge or, as Lady Macbeth said

Macbeth:
If we should fail?

Lady Macbeth:
We fail?
But screw your courage to the sticking place,
And we'll not fail.

Macbeth Act 1, scene 7, 59–61

Put your foot in the stirrup, grab a hold of the horn, and get yourself in that saddle. The only way to assure yourself of failure is to not try.

Infosec Stuffs

IPv6

IPv6 is coming whether we want it to or not. Here is a quick cheatsheet for some things IPv6.

Don't write it if you don't want it read

There was quite the brouhaha a week or so ago when it was learned that there had been a massive breach of Gawker's systems. It was so bad that the individuals responsible were able to get access to quite a bit of really important information, like source code, internal usernames and passwords, chat logs, etc. This post at Forbes is an excellent synopsis of what happened.

There are a bunch of lessons in this post, but the one that we really need to take away is that putting usernames and passwords into clear text communications like chat and email is really, really not a good idea. You never know when that type of stuff will become available to those you don't want to read it.

Open Source Security Testing Methodology Manual (OSSTMM)

Version 3 of the OSSTMM (PDF) has been released. From the introduction:

The Open Source Security Testing Methodology Manual (OSSTMM) provides a methodology for a thorough security test, herein referred to as an OSSTMM audit. An OSSTMM audit is an accurate measurement of security at an operational level that is void of assumptions and anecdotal evidence. As a methodology it is designed to be consistent and repeatable. As an open source project, it allows for any security tester to contribute ideas for performing more accurate, actionable, and efficient security tests. Further it allows for the free dissemination of information and intellectual property.

The OSSTMM has been in development for quite a few years and this is the latest version. I am still reading through it, but you can't go wrong by giving it a read.

Get over it

Rich, over at Securosis, has a post up titled Get Over It. Go read it. I'll wait.

.

.

.

Back? Good.

That post sparked the following thoughts which are only loosely related.

Think about the last time you were meeting with some business people and they just didn't understand how dire the situation was.

Now, stop and think about this.

Was it really dire?

We as professionals in the information security realm tend to go straight to worst possible outcome. I think this is often a function of the mindset that Rich talks about. What happens if somebody keeps hearing about the worst possible outcome over and over, but it never happens? They will likely stop listening to you.

Try to see things from a space outside your own experience and you may find ways to both step back from the worst-possible-outcomes trap and communicate with your "outsiders" in a manner that breeds collaboration as opposed to ignoration. < Ha! That isn't a word, but it sure should be.

Non-Infosec Stuffs

Not a whole lot on the non-infosec front this week other than to say that I was introduced to an instrument I had never heard of this past weekend, the piccolo trumpet.

My wife and I, along with some friends, went to a chamber music concert where J.S. Bach's Brandenburg Concerto No. 2 was played. The piccolo trumpet used during that concerto is absolutely wonderful to listen to, as are Bach's Brandenburg Concertos.

If you have never heard Bach's Concerto No. 2, you should really give it a listen.

J.S. Bach, Brandenburg Concerto II BWV 1047, Freiburg Baroque Orchestra

I. Allegro

II. Andante

III. Allegro Assai

Closing

That's it for this week. I hope you found something that piqued your interest.

As always, comments welcome below or you can email me at kriggins@infosecramblings.com if you prefer.

-Kevin
