Friday, March 30, 2007

Blog Redirects

I've never been a big fan of people who post blogs that just point to another blog posting, essentially reiterating the original point. I've always thought the motivations behind these can too often be lame attempts at name recognition, increase hit-counters (ad-counters), or just the "I want to be part of something bigger" that I feel permeates the blogosphere.

I do feel there is some merit in linking to a blog if you're refuting someone else's blog entry, or referring to them to enforce a point of view, but all too often I feel these "blog redirects" are just an attempt to increase hits, with little to no additional substance involved.

This is one of the reasons I haven't put ad-banners on my page. I decided to blog as an outlet, not as a money maker or for industry recognition - hell, I don't even use my real name. The anonymity is something I enjoy, not because I can say stupid shit without people being able to hold it against me (those of you who know me socially know this is the last thing I worry about when my lips move). I write these little tidbits so that I can share some thoughts that otherwise would need to be censored for various reasons, or I just believe I have something valuable to contribute.

I will admit to having a bit of a soft-spot for humour though (shameless redirect to something that had me laughing http://www.vitalsecurity.org/2007/03/browser-condom-opinion-split.html). I think sharing someone else's great (and especially funny) idea is good, and it gives credit to the person who came up with the original content. I am NOT going to provide links to the type of content I'm talking about - that would be somewhat hypocritical - but if you're reading this site (which gets very little traffic) then you read enough blog entries to know the type I mean.

My point is this:

If you blog, and you are talking about someone else's article, please make sure you have something MEANINGFUL to add; don't just rehash (sometimes badly) what the original author wrote, then link to it. Alternatively, if you really liked an article, a nice succinct intro to a "good article about..." is usually enough - don't try to make the idea yours.

rG0d

Tuesday, March 27, 2007

New Toronto Security Conference

In the past, Toronto has hosted a bunch of security conferences, but most of these, like InfoSec Canada, are essentially technology trade-shows. Surprisingly, there hasn't been anything like CanSecWest in Toronto which focuses on showing people new and interesting ways that they may be attacked, and not simply pimping their products - essentially, educating the security geeks (like me) on the newest & ugliest things that can hurt me. Instead I've always needed to pay (or convince my company to pay) for flight and hotel for a few days to go to CanSecWest, BlackHat/Defcon, Shmoocon, etc.

As it turns out, that's about to change with a new conference this fall in Toronto: SecTor, which stands for "Security Education Conference - Toronto".

Thought I'd share this with everyone out there since I'm involved with helping set this up. Before the "self-serving" idea pops into anyone's head, I'm not getting any money out of it - I'm spending my own cycles on helping out with the conference because I think it's a GOOD IDEA, and much needed in the GTA technology space. (Okay, I'll probably get a free pass out of the idea, but mostly I'll be on-site lending a hand with setup, etc.)

The conference will be held on Nov 20-21, 2007 at the Toronto Convention Centre. There are already a few good speakers lined up including Mark Russinovich, Joanna Rutkowska, Johnny Long, Dan Kaminsky, Mark Fabro, and Ira Winkler.

Currently, there's a call for papers on the site, and registration should be opening in the next couple of days. (If you're a vendor, SecTor is also looking for sponsorship to help cover costs, so you can either hit the link on the website, or you can drop me a comment)

http://www.sector.ca

If you're in the Toronto area (or plan to be around that time), check out the site. If there's any other info not on the site, please let us know - again, there's contact info on the site, or you can drop me a comment.

Friday, March 23, 2007

Whitehouse Directive 2

SANS just posted more info - there are now links to these documents which didn't exist up to yesterday (I've been checking daily).

UPDATE: FLASH REPORT ON THE WHITE HOUSE SECURE CONFIGURATION MANDATE
The White House posted a second memo last night, confirming its mandate that all federal agencies must use secure configurations if they choose to deploy systems that run Windows Vista or XP. The latest memo was signed by the top executive in US government management, Deputy Director of OMB, Clay Johnson and is posted at the White House site,
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-11.pdf . The original (March 20) memo from Karen Evans to Federal CIOs is now posted at http://cio.gov/documents/Windows_Common_Security_Configurations.doc .

This initiative matters because it provides the incentive ($65 billion in US government IT purchasing each year) and confidence (agreed upon configurations) to allow every software vendor to ensure and affirm the software they sell works on the secure configurations. That takes the pain out of secure configuration and rapid patching.


On April 11, federal CIOs and their senior staff will be briefed by the Air Force and OMB and NSA seniors on how to take advantage of the new mandate, and the lessons learned in the Air Force pilot implementation involving 575,000 computers. We will ask permission to make the essence of those briefings available to the entire security community, because this initiative will affect every medium and large buyer of computers running Windows software.
Alan

Also, the "SSLF" configuration standards referred to in the original SANS posting are the "Specialized Security - Limited Functionality" security templates produced by Microsoft for both XP and Vista. SSLF is the most restrictive of the baselines in Microsoft's security guides; it trades application compatibility and usability for a smaller attack surface, which is exactly why vendors now have to certify that their products still run under it.

Links to both the "Windows XP Security Guide" and "Windows Vista Security Guide" can be found here: http://www.microsoft.com/technet/security/guidance/default.mspx

Wednesday, March 21, 2007

Whitehouse Directive: All systems acquisitions must run on Hardened Configurations

I can't seem to find a link at either DHS or Whitehouse.gov sites yet, but SANS released this information yesterday:


FLASH ANNOUNCEMENT: The White House just released (at 9 AM Tuesday, March 20) a directive to all Federal CIOs, requiring that all new IT system acquisitions, beginning June 30, 2007, use a common secure configuration and, even more importantly, requiring information technology providers (integrators and software vendors) to certify that the products they deliver operate effectively using these secure configurations. This initiative builds on the pioneering "comply or don't connect" program of the US Air Force; it applies to both XP and Vista, and comes just in time to impact application developers building applications for Windows Vista, but impacts XP applications as well. No VISTA application will be able to be sold to federal agencies if the application does not run on the secure version (SSLF) of Vista. XP application vendors will also be required to certify that their applications run on the secure configuration of Windows XP. The benefits of this move are enormous: common, secure configurations can help slow bot-net spreading, can radically reduce delays in patching, can stop many attacks directly, and organizations that have made the move report that it actually saves money rather than costs money.
The initiative leverages the $65 billion in federal IT spending to make systems safer for every user inside government but will quickly be adopted by organizations outside government. It makes security patching much more effective and IT user support much less expensive. It reflects heroic leadership in starting to fight back against cyber crime. Clay Johnson and Karen Evans in the White House both deserve kudos from everyone who cares about improving cyber security now.
Alan PS. SANS hasn't issued a FLASH announcement in more than two years. IOW this White House action matters.


This is hugely significant to the security industry. This means that any vendor that wants a hope in hell of selling their product to US Federal Agencies of any sort must certify that their software will run under the US Gov't's secured platform configurations. While I believe June 30, 2007 is too short for many existing projects to possibly accommodate (some acquisitions will occur that don't fulfill this directive), this is a MASSIVE step in the right direction - sorry, I just can't emphasize enough how I feel on this topic :)

This will have a direct impact outside US Gov't as well, especially on enterprises who typically use many of the same tools as government, and might (gasp!) finally allow Microsoft to ship their default installations in a truly hardened mode - currently they still "tone down" some settings for compatibility or end-user usability reasons.

I whole-heartedly agree with Alan Paller: "Clay Johnson and Karen Evans...deserve kudos from everyone who cares about improving cyber security now"

...Let the vendor-scramble begin... :)