May 2008 Archives

Paul from pauldotcom.com suggested in Ep 108 Part 2 of his podcast that EDU folks should not publish their email addresses. (The mention isn't in the show notes, but I figured I'd give props anyway.)

While I understand Paul's reasoning - it makes it too easy for harvesters to glom up lists of folk to spearphish - I disagree. I have an email address because I *want* people to contact me. If only people inside my org can look up my email address, my address is partially useless. How else are non-UW people supposed to contact me, or even know that I exist? I don't want telephone calls from people - in fact, sometimes that wouldn't work anyway, since I'm generally 9am-5pmish (ok, as early as 7 and as late as midnight) and if it's somebody in Europe or SE Asia - and yes, I've gotten cold emails from people in those time zones that I actually wanted to read - then I just won't ever hear from them. And that would make me sad.

I suppose you could say *I* can publish my email, but our organization shouldn't allow somebody to harvest tons of addresses, but in practice most people put an email address on their web page, or they use it somewhere else, or whatever. Post to newsgroups or online, say. Pow. A bit of frobbing and scripting there, and we all know captchas don't work, and I can get the same list. Granted, not as easy, but... I could do the same thing lots of other scriptable ways too.

Security through obscurity doesn't work, and we mock those who attempt it. Keeping email addresses non-public is just obscuring things, and it won't work. If the problem is naive people clicking on links sent to them, then we have a human problem, not a technological problem. You will rarely solve a human issue with technology.

Stanley Cup Finals 2008

Damn Stars, yet another reason to hate them - they cost me 10 points in the pool. And who'd have thought the Flyers would go down so easily?

Penguins - Wings, tough series to call. But I think in the end, old age and treachery win out over youth and enthusiasm. Detroit in 6, although if Pittsburgh win it I won't be too disappointed.

Maybe I'll even liveblog these ones, given that I've been claiming the Pens as "my" team in the playoffs the last couple years.

Ubuntu 8.04 in VMware

I thought I'd set up a small Ubuntu 8.04 machine at home under VMware Fusion, and had some problems getting the tools compiled. Like many others, I found the instructions here invaluable.

Death in the family

I had plans this weekend to collate my notes from the conference, finish off a few more posts, upgrade my webserver, and maybe work some hockey stats.

Instead, we took our eldest cat to the vet twice today; the first time to have her looked at as she'd been moving slowly and wasn't her usual self, the second time a few hours later, to leave her behind for good. I guess the other stuff will wait.

I just returned from SANS Toronto 2008 SEC504, and it was great. There were ways it could have been better (most courses are like that), but overall, no complaints - UW's money was well-spent.

One comment I made a couple of times was I thought there should be more "this is what you can expect to see in your [log files | tcpdumps | whatever]", maybe at the cost of some of the slides on things like format strings and buffer overflows. While I realize that those are important for people to know about, I think the course title would be better reflected by a bit more "this is what you'll see" instruction and a bit less technical-but-not-very type instruction. Not a major change, maybe a dozen slides or so.

Being me, I had to point out a few typos and such, although I have to say the slides themselves and the supplementary comment were generally extremely well-edited.

Oh, and it didn't hurt that I won two books during the Capture the Flag competition today - one for being the first to find a flag on one of the Linux boxes, and the other for getting the final flag first. So I have a copy of Malware: Fighting Malicious Code and Counter Hack Reloaded, the latter signed by Ed Skoudis and Bryce Galbraith (my course instructor).

Everything people say about SANS courses being like drinking from a fire hose is correct though; there was a lot of material covered in 5 days. (It's a six-day course, but the last day is the CTF lab.) While it's true that you don't need (m)any Linux skillz for this one, trust me - it helps; you're not wondering what he's talking about and trying to figure out syntax. The fellow behind me hadn't touched a Unix machine in 8 years, and was having a hard time of it; part of the reason I got the secret stuff first was I didn't have to fumble about just trying to remember how to cat a file or work gcc. Hardly l33t, but it's easy to forget how tricky that can be to somebody who's also trying to take in tons of other new material.

Now I need to take a day to rest my brane, and then organise my notes so I know what to start whining about at work.

The second round was a little better for the home team - scored points in 3 of 4 series, and called two of them in the correct number of games to earn more in the second round than I did the first. (Can you compliment yourself backhandedly?)

At any rate, I think it will be an all-Eastern TZ Finals, good news for those of us who lurk there after the last couple of years.

Series A: Detroit vs Dallas - Detroit in 5.

Series B: Pittsburgh vs Philadelphia - Pittsburgh in 6.