I made an error in the how-to on configuring the system to automatically boot to persistent mode.

Instead of 'Default 5', it should be 'Default <label>' where label is the text following the 'label' line for the menu option you want to boot. In my case it looks like 'Default ubnentry5'.

I apologize for the confusion and the how-to has been updated.



Hi there folks.

With the final release of Backtrack 4 Final right around the corner, I thought I would get ahead of the curve and update the how-to. I have access to the pre-final via the Informer.

The updated version is where the original Beta instructions used to live. I have copied the Beta instructions to a new page. They can be found here.

So here you go.



Top 25 Coding Errors Released

by kriggins on January 12, 2009

in Educational, programming, Tools

In today's Bits post, I mentioned that a top 25 coding errors report was going to be issued today. Well, it's happened. From the SANS website:

Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime.

The web page listing all the information about the project is here.

There is good stuff there that should be looked at by all who are involved in information security, not to mention those involved in developing programs.


, ,

Reblog this post [with Zemanta]


@hevnsnt posted the following message to Twitter this morning.

hevnsnt watching Strand's hacker vids at

There are some nice videos there. Here are the titles of a few with direct links:

Definitely worth spending some time on.


, , ,


Taxonomy of coding errors…

by kriggins on July 16, 2008

in Educational, General, Tips

A quick note about something that @cji tweeted about.

Fortify has a taxonomy of coding errors that affect security. The really cool thing is the examples in many different languages.

Its right here, go check it out.


What is the Security Catalyst Community?Community

The Security Catalyst Community is a forum where individuals who are interested in or work in the Information Security field can come together and leverage each others strengths and experiences. There are several things that make this forum so great:

  • Everybody uses their real name. That may seem like something odd to bring up, but in my opinion, knowing who you are talking to is part of what it means to be in a community.
  • Very high signal to noise ratio. I would go so far as to say there is no noise on the forums.
  • Very knowledgeable people. When you post something, you are guaranteed to get responses from individuals who have a significant amount of knowledge and experience and are very willing to share it with you.

Where is it?

It is right here! One note, in order to read the forums you will need to register first.  So go do that now and come back when you are done.

What kinds of things get talked about?

Instead of talking about topic areas and what different aspects of Information Security are discussed, let's take a look at a few recent posts:

Don Weber posted a question about how to measure whether a security team is overburdened or not. A great discussion followed with helpful tips on how to gather metrics that can be used to answer the question.

Allen Baranov is in the unenviable position of inheriting a couple of IPS devices and was looking for some guidance on best practices on managing rule sets. Again, several folks stepped and shared their experiences which provided a good base to start from.

Jay Benson was looking for diagram of how WPA2 actually works for a presentation he is giving and the theme of folks helping out continues as a couple folks pointed him to some resources that might be of help.

Fred Donovan posted an observation about, "Hacker Safe" and a letter sent our to customers regarding their site being hacked last month. A very interesting discussion followed that is worth reading.

The last item I would like to mention is one that was also posted by Don. It was posted in October of last year, but has seen some recent activity. It poses the question "How do you do Email?" A great set of posts follow in which people share their strategies for dealing with our overflowing inboxes.

Who participates?

Here is a bunch of folks who participate and have blogs. Yes, it is a long list, but it is worth your while to visit these blogs a regular basis.

The Security Catalyst (Michael Santarcangelo) |
The Network Security Blog and Podcast (Martin McKeay) |
Security Ripcord Blog and Podcast |
Education Security Incidents (Adam Dodge) |
An Information Security Place (Michael Farnum) |
Andy, IT Guy (Andy Willingham) |
Andrew Hay |
Scott Wright (Security Views) |
Security Renaissance |
Marcin Wielgoszewski |
John Biasi |
Chris Hoff |
RioSec Security WebLog (Chris Byrd) |
James Costello |
Harlan Carvey, CISSP |
Jon Robinson |
Chris Harrington |
John Gerber |
Steve Mullen |
Rory McCune |
Rebecca Herold |
Randy Armknecht |
Didier Stevens, CISSP |
Amrit Williams |
David D Bergert, CISSP, CISA |
Justin Clarke |
Andrew Storms |
Lori MacVittie |
Rob Newby |
Andrew Mason |
Andy Steingruebl |
Security Thoughts (Allen Baranov) |
Jeff Stebelton |
Brad Andrews | Brad on Security
Anton Chuvakin |
Eric McMillen |
Dana Hendrickson |
Tyler Reguly | &
Keith Kilroy |
Peter Giannoulis |
Walt Conway |

Um..this post is long, how do I join again?

Simply go to and click on the register link. You will not regret it.

Kevin Riggins


A few weeks ago I wrote about participating in Cyber Defense Competitions as a Red Team member. This weekend I had the opportunity to do so again. This time with a bunch of High School students.High School

This weekend was the annual IT Olympics event that is put on by Iowa State. The event is an opportunity for the High School students who participate in the IT-Adventures program to get together and compete. There are three competitions:

  1. Robotics
  2. Game Design
  3. Cyber Defense Competition

While the robotics and game design competitions were very interesting, I was there for the CDC.  The Red Team didn't actually get to start attacking until Saturday morning, so I volunteered to show up on Friday and help the students with anything they might need during the setup period.  These kids are amazing.

Twenty-fourish teams showed up and we had about 20 Red Team members. In my previous post I mentioned three ways in which you can provide value to the students when participating in this type of event:

  1. Keep good notes
  2. Write down remedies
  3. Attend the debrief

I am happy to say that we accomplished all three goals.  Probably the best decision made was to setup a Wiki with pages for each team where we could all keep notes as the contest progressed.  These notes then became the outline for our talks with the teams in the debrief.

If you have never had the opportunity to work with kids that are interested in IT, I highly recommend you find a way to do so.  It is truly a rewarding experience.



F-Secure has been involved in a course being offered by The Telecommunications Software and Multimedia Laboratory.

While that is interesting in itself, the cool part is that all of the coursework, slides and homework have been put on-line for free.

Don't be discouraged if you go to the labs main site and don't speak or read Finnish. Just click on the on-line link above. The course material appears to be in English with the exception of the WebTopi stuff. I haven't gotten far enough in to see if the hand-on stuff a) works or b) is in English.

I also have only done a cursory peak a couple slide decks.



Meaningful Conversation

by kriggins on March 24, 2008

in Awareness, Educational

Scott Young over at PickTheBrain writes in this post about a couple of ways to improve the quality of the conversations we have with people.

He points to two basic rules that can help make conversations more meaningful.

  1. The conversation is not about you.
  2. You need to give trust to get trust.

I will leave it you to explore his take on these two tenets from a general conversational perspective. However, it strikes me that if we, as Information Security professionals, would incorporate these rules into our conversations with our respective constituents, we might be met with a little less resistance. Of course, I am speaking from the perspective of being a corporate drone.

Having a conversation with the Information Security dude or dudette is viewed with a certain amount of trepidation by many who are "forced" to deal with us. In my experience, most of this trepidation is caused by us and not the poor supplicant 🙂 Why do you think they feel this way? Let's look at number 1 above first.

1. The conversation is not about you.

Pretty simple statement. Harder to put into practice than it appears though. Let's change it a little; the conversation is about them. They are looking, whether they know it or not, for the best method of accomplishing their goal in the most secure manner available that is appropriate for the business risk they have chosen to accept. Which, by the way, is a topic for another post. If we approach things from this perspective, it becomes a collaborative endeavor, not an adversarial one. Of course, I am not suggesting that there will not be times when we are required to tell people they can't do something in the manner they desire. But as long as we avoid just saying no and try to help them find a way that is also acceptable from an infosec perspective, we have still remained their helper and not their roadblock.  If they view us as their helper, they will be less concerned when they need to talk to us.  They will involve us earlier and finally will be more likely to share more information with us.

2. You need to give trust to get trust.

This one is even more difficult. Why should they trust you? Do they know you? We have to build relationships with the people we work with. For those of us who work in the corporate world, this is a little easier. I talk to the same folks day after day and we have the opportunity to get to know each other and build trust.  I have to trust that they believe I have their best interests at heart and they have to trust that I am not out to "get them" or stop them for being successful.  Following rule 1 above goes along way towards building this trust.  Those who don't have the luxury of long term relationships with the folks you are dealing with have to find some way to establish that trust quickly and right at the beginning.  Again, approaching it from a rule 1 perspective will help a great deal.

So there is my two cents worth about something that has been a problem in several companies for which I have worked.

I have not done the subject matter justice, but it was on my mind so here it is.


Too focused

by kriggins on March 22, 2008

in Educational, General, Security testing

I am a big fan of Seth Godwin's blog which can be found here:

If you are not familiar with Mr. Godwin, I highly recommed perusing his blog. While not an infosec blog, his insights into marketing and perception are useful in many ways.

He had a post that pointed to this YouTube video. Watch the video and then read on:

Did you watch it? It's important that you did for what follows.

I was reading a discussion about Risk Assessment methodologies on the CISSP forum the other day. In it, many many different methodologies were referenced/pointed out. Obviously, having a number of methodologies to choose from is great since just about every assessment seems to be different than the last. But watching the video helped me to remember that when we are using a methodology or using questionnaires or otherwise performing an assessment, we need to be careful that we are not be blinded by watching for the passes.

{ 1 comment }