Don Parker Blog

Don Parker is lead analyst and technical trainer at Bridon Security & Training Services, located in Ottawa, Ontario, Canada. He has worked for SANS in the capacity of Local Mentor for the Intrusion Detection In-Depth track, and has enjoyed speaking at various security conferences as a guest speaker. Being a widely published author, he continues to write for various online and print media like Securityfocus and SCMagazine in an effort to share knowledge. Don also does technical book editing for various publishers, and enjoys teaching various custom courses for clients. Rounding out his activities, he volunteers his time to various local efforts.

Kids and the Internet

The Internet is something that will have always been there for our children. Unlike them, I was actually around to see the Internet evolve into what it is today. It is a really wondrous creation, and has turned into something that is truly fantastic. That said, there are always those sick, loathsome people who for one reason or another put up extremely offensive content.

Question is, what the heck can you do about it? Reality is that nowadays kids need the Internet for school, and for simple email amongst other things. Do you want your 10 or 11 year old seeing explicit sexuality on your computer? I know that I don't. There are no real good solutions. Many software programs exist which take a lot of that undesirable content out of the picture for you, but pornographers are a crafty lot. The most innocent Google search will invariably turn up some hardcore pornography sites.

One of the better solutions is to install something like Squid, and manage things from there. Not everyone, though, is computer savvy enough, or for that matter has the time to do so. For those who do not have the time or knowledge, s/w programs like netnanny plus some parental supervision should do the trick. Do any of you have some home solutions?

Web application security

Web application security is never far from the headlines in the computer security world. Makes sense really, as the Internet is largely based upon websites. Those very same websites are more often than not the focal point of many attacks from various miscreants, both skilled and unskilled. Not just the websites themselves either, but often the back-end databases that support them. There is an incredible array of skills and knowledge that you need to be good at before you can competently practice web app security.

You need to know not only all about PHP, ASP, PERL, Python, SQL, amongst others, but also the protocols that these transactions rely upon. This area of computer security can no longer really be called a niche area. It is becoming larger and larger every year as websites become more attuned to the online threats facing them. You would be a wise person indeed if you began to move your skillset in this direction. Doing web app security is not only fun, it can also be a very lucrative career. Any of you guys do it for a living?

Scripting is good

So just how many of you guys who actually work in the computer network security field have a good handle on scripting? Whether that be PERL or Python doesn't matter really. It is pretty much a key ability to have. There is nothing worse than doing monotonous, redundant, and boring stuff. It has to be done, but really a monkey could do it. Problem is, there is only you to do it. That is where the scripting comes in. For example, what about the massive amount of data that your firewall or IDS generates? You may have a frontend for them, but does it display what you want? Often for me it does not. Back to scripting and the need to know it once again. You don't have to be a master at it as long as you can do what you need. Building good and effective regexes, though, is a seriously irritating task! Seeing that the script won't work, and trying to find the breakpoint in the regex, can be a most onerous task. Bleh. Anyhow, enough about that. Do any of you have some thoughts?

Identity theft and you

Identity theft we are told is where people with malicious intent get access to personal information that would allow them to impersonate you. Information such as credit card numbers, Social Security Numbers, amongst other key personal identifiers. This type of story often hits the headlines in the papers or online computer security portals when another online database is discovered to have been hacked. There is a great hue and cry over the latest threat to our personal information.

Is this a legitimate concern or is it another one of those Internet myths? Well, there are documented instances of ill-gotten database information being used by organized crime. Information such as the aforementioned credit card numbers. These are quickly jacked up by buying goods, and then discarded it seems. That is indeed one concrete piece of evidence that personal identity theft is an issue. Are there any others though? None that I can think of offhand really.

My wife was the victim of identity theft but of a more mundane type. She had her bank card information scanned into a phony setup, and also had her PIN number captured by what is assumed to be a well placed mirror. This was quickly brought to the attention of our bank, who then promptly took over the case. In reality for us this was a minor inconvenience but was of course of greater concern to the bank.

To sum up, my feelings are rather ambivalent over the whole identity theft situation. I certainly don't think it has reached epidemic proportions, yet it is a real problem. Perhaps one cure is to heavily penalize companies who have thei

Computer upgrade thoughts

I was recently thinking of upgrading my main computer to an AMD 64 bit CPU monster with 4 GB of RAM amidst other high end toys. The thought occurred to me though, as always: was my present main box doing the work I required of it? Well, after replacing the pooched CD-RW in it, things were looking much better in terms of its serviceability to me. That plus I did recently pick up two 19″ LCD displays for my home computer office. It is quite nice now with the dual LCDs sitting on my computer desk.

Question is though, like many of us, I often upgrade simply for the sake of upgrading. The old computer/iPod/other tech toy works just fine in reality. One of the biggest things holding me back though, I think, is the lack of software for the new 64 bit architecture for x86. Microsoft finally has XP for 64 bit, and when Vista finally ships it will of course have 64 bit operability built into it.

For me specifically there really wasn’t a need to drop $3,500.00 on a new computer tower after giving it some sober thought. It is not that I minded doing so, as I can claim some of it on my taxes due to being a consultant, but rather that the money could likely be better spent elsewhere. Maybe I might just pick up some other h/w for the home lab instead. Likely the best thing is to simply wait for another year before making the planned upgrades. All I know is that I will certainly get my next computer custom built rather than buy a name brand.

The worst problem with buying a name brand computer at your local retailer is that you must further customize it to suit your individual needs. Also

Interview with a Security Professional – M3DU54

Well in an effort to continue the popular "Interview with a Security Professional" series I was lucky enough to have our very own M3DU54 answer some questions for us. Word has it he dictated the responses to several fine looking specimens whilst swilling Pina Coladas on the beach on the Spanish Riviera. The life of a retired hacker is indeed a truly stressful one! On with the interview then!

Question

I postulated a little while ago that a good way to learn reverse engineering is by starting to analyze your own “toy” programs. One such as “Hello world” for an example, as you know what the source code looks like and how the program functions. Do you think this method of self-learning is a good one?

Absolutely. The major stumbling block for newcomers to reverse engineering is the sheer complexity. This way you can slowly build up the complexity at a rate you feel comfortable with and thus get a feel for not only how compiled code looks and relates to source – but also become more familiar with your debugging environment.

There will come a point when the pre-knowledge of the source will get in the way of any further learning. This should be a clear signal to fly the nest and start looking at other people’s code. Again, don’t try to find flaws in protection methods immediately, just try simple targets such as nag screens and work your way up. After a while you’ll be able to chart entire applications given time and read ASM almost as well as most people read source.

The days are gone where ASM was pretty much a requirement when writing code and now many ‘programmers’

FrSIRT no longer offers freely available exploit code

It was rather alarming to me when I heard that renowned online exploit archive site www.frsirt.com was no longer going to make public and freely downloadable the exploit code they hosted. The FrSIRT site is much more than simply an exploit code repository, however it is best known for the exploit code that it hosts.

The reason given by the site is that in order to comply with French law they were forced to no longer offer free and public access to the exploit code. You can still however have access to it should you be a subscriber to one of their services. It really is rather sad when one of the oldest democracies in the world comes to this.

Having such a quality central repository for exploit code was very handy, and of value to the computer security community. I for one went there all the time, and downloaded some of the code to play with in my lab. Sadly for me this will no longer be the case. That said I have no intentions of paying for a service so that I can still get it from them. There are still many other sites out there which host exploit code.

The only problem with some other sites is that often the code hosted is purposely obfuscated so that it does not compile. This is normally simple to fix, but for those out there without basic programming knowledge you are out of luck. Should you be in that situation then you may want to post on www.security-forums.com asking for help in getting it running. Forcing websites to remove exploit code is not a cure for anything, much like suing exploit researchers only makes things worse for computer security.

The hamster wheel that is computer security

Is it just me or do some of you also feel like you are on a hamster wheel when it comes to work? For those of us lucky enough to be working in the field of computer security, it sometimes feels like a never-ending whirl of events. There is the need to stay abreast of changes in the industry, whether that be new operating systems, exploits, tools, the list goes on. We, much like other jobs, have a continually evolving workplace, and it can sometimes be overwhelming to stay current.

How do you relax then, one has to wonder. You cannot risk burnout, as your employer won't really care that you are feeling burnt out. I have found the answer to this is: you really need to "get a hobby" as they say. Even if there is not a hobby of particular interest to you, how about a favorite television show? You need to enjoy something that is not related to what you do for a living.

As much as we enjoy computer security, and being a practitioner of it, we also need something to do which is not related to it. Should you not find that something then odds are you will sooner than later begin to feel a burn out. This is something to be avoided. I felt that way after one of my certifications. Didn't really feel like doing anything for about six months.

Personally for me I very much enjoy watching Battlestar Galactica on the Space Channel. That show is absolutely fantastic and is an incredible remake of the original series. While I watch this show the last thing on my mind is computer security or writing. I am able to completely immerse myself in the show, and when it is finished I actually feel re

Apple iTunes the warez killer

Well it was with great fanfare that Apple announced that they have reached the 1 billion download mark for their music service. This is indeed a milestone for Apple and a watershed moment for the music industry. With the advent of the Internet and the fact that technology has uncorked many things never possible, like ripping CD's and the such, the music industry has been in a tizzy to stick the cork back in.

Well you may be asking yourself though just what the heck do Apple iTunes and their billionth download have to do with warez? Good question indeed! It is one though that I think that most network security practitioners could answer. For the remainder though it is one that does not make a whole lot of sense. Think of it this way. Most everyone working nowadays has direct Internet access via their workstation terminal at work. Quite a few of those people also use P2P schemes such as Grokster, eMule, and the such to download music, movies and who knows what else while at work.

While that may not seem all that big of a deal, rest assured that it is. Would you want your company being served court papers courtesy of RIAA, DMCA or other such body? Odds are your bosses and owners would not be in the least bit impressed at being named in a multimillion dollar lawsuit for downloading copyrighted material. If your company is publicly traded, odds are that the stock share price would take a hit. That definitely would not bode well for your job security as the network security analyst.

Whether or not we agree with recent court rulings we must realize that they are the law of the land. It

My first blog post

Well it seems I have finally fallen like many before me, and am now a blogger. It is a pretty fun way to share thoughts I may have on computer security, and other peripheral subjects that relate to it. I look forward to receiving feedback, and engaging in interesting debate with my readers. There is already something that caught my eye that is of interest to me, and hopefully to you as well. To that end I shall write my thoughts on it shortly. Till then!
