Security Musings

Information Security Travel Guide

Stephen Northcutt, an Information Security Researcher, United Airlines 1k, Writer and Instructor, documents the struggles of the travel and hospitality industries as we all face continually increasing energy costs. He and his peers share their travel experiences and give you quick tips and short reviews of the companies they do business with as they travel. If you came across this article because of a Google search, what you want is probably here; just use find in your browser (CTRL-F), it is easier than reading from top to bottom. However, you may get some useful tips if you stick around and read. Each major cluster of trips is documented in a separate file.

Information Security Travel Guide: September 2008, Kauai to Las Vegas


By Stephen Northcutt
Aloha, I am Stephen Northcutt and this blog is called the Security Travel Guide. This segment is about a conference trip where Kathy and I left our home in Kauai to spend 12 days in Las Vegas for the SANS Network Security 2008 conference. I am a security researcher, author and instructor who also travels a lot. We will talk about security, safety, travel experience, and of course, restaurants. I am also interested to hear about your experiences. You can reach me at stephen@sans.edu. The way this blog works is that the most recent material is at the top. If you got here via a Google search, what you are looking for is probably here; the easiest thing to do is use the find utility in your browser - just hit CTRL F on most browsers.

[October 8, 2008]
Are Security Certifications worth the paper they are printed on? Somebody wrote the following stirring and quotable words and blogs are picking it up left, right and sideways. While I've been traveling, my mailbox has been filling up with these things.

"In my humble opinion, most certifications today are not worth the paper they are printed on. Certifications were originally conceived as a means to help weed out fictitious resumes, or to verify that someone claiming to have '10 years of experience' is not someone who really has 'the equivalent of one year of experience, times ten.'

However, the fact that so many certifications are so lame that anyone can buy a book, memorize it, and take and pass an exam, shows how critically broken is the certifications process. Most certifications today do not show that you are capable of DOING anything except memorizing mostly useless and dated facts."


Well, let's take this one step at a time. I understand that Foote Partners is making essentially the same claim. First, what does a security certification prove? Security certifications prove that the candidate meets a minimum standard. How do you know what a certification is worth? By making sure you understand what the minimum standard is and what the quality of a certification is.

Let's do the quality part first. Anybody and his brother can go out and write some questions and pretend to offer a certification. But, when they do that, there is no quality review, and that gives people like the original blogger an understandably bad taste in their mouth. So, the first step is to find out if the certification provider has undergone, or is undergoing, ISO 17024 certification for certifications. That doesn't prove their content is perfect, but it goes a long way towards assuring their process is repeatable and solid.

Now, let's address the "minimum standard" part of a security certification. Quality and respected Security Certification providers like (ISC)2, ISACA and GIAC develop a Job Task Analysis for their certifications. Here is a nice discussion of a Job Task Analysis (JTA) that has nothing to do with Security. Each and every certification should have a JTA describing the knowledge, skills and abilities required for that particular job. The more detailed and fine-tuned the JTA, the easier it is to address the minimum standard assured by the certification. For instance, the CISSP is so broad you can really only say it proves you know the basic theory and terminology of security. The CompTIA Security+ is similar; it says you know enough theory and terminology of security to be entry level. The GIAC GSEC is pretty much in the same boat; it says you know essentially the same theory and terminology of security as the CISSP, but you also know some pragmatics (what tools to use and when, operating system basics, some hands-on experience). In all three cases the minimum standard is a broad understanding of security; none of these certs demonstrates deep knowledge, but all of them assure employers you have the foundation to understand security. This may sound trite at first, but all three also demonstrate that you can read, write, reason and memorize, which are, in fact, important skills.

In order to go beyond "memorizing mostly useless and dated facts", the JTA has to get more specific. If I was an employer looking for a quality measurement tool for potential candidates, I would look for a security certification that has quality and is specific to the job I am trying to fill. For instance, SecureWorks, probably the best IDS/Log Monitoring Outsourcing contractor in the industry, requires Intrusion Detection certifications. Currently they require the GCIA, but I am sure that they would accept a resume from anyone with a quality certification in the same field.

Now, to be sure, a multiple choice exam, no matter how specific, can only take you so far. What our industry needs is to add performance based testing, actually doing hands on tasks, to the certification. You would not want to have a brain surgeon cut you open if the only proof of qualification was a multiple choice test. The best known security certification with performance based testing is the GSE, though I am sure that most of the quality certification providers are working on adding performance testing to their certifications.

The bottom line: it is easy to make statements like, "most certifications today are not worth the paper they are printed on". However, that is also a bit misleading. I can understand the original writer's frustration and agree that there should be a lot more rigor in the security certification industry. The good news is that more and more people are taking note of the situation, and I hope that folks like the CEH will get their ANSI 17024 certification and that all of the providers will aspire to performance testing. As an industry we need to demonstrate minimum performance standards. Let's face it, we charge a lot of money for our services. A penetration test can easily be more than $100k, so the client has a right to know that the testing team is qualified. In addition, it is a step towards professionalism. Those of us who work in information security are not professionals in the same sense that doctors, lawyers, CPAs and Professional Engineers are.

To be considered professionals we need state or federal government approved standards of practice for our JTAs, and that includes performance testing. We also need an industry wide code of ethics and an enforcement board. We are on our way: (ISC)2, ISSA and GIAC have all ratified a code of ethics; you can examine it here. My sincere hope is that the day is coming where not only will our certs be worth the paper they are printed on, but we will truly be considered professionals.

[October 7, 2008] United flight back to Kauai. The flight back was uneventful, we got to McCarran airport early (I think it is named after Pat McCarran, senator from Nevada, perhaps best known for being a Democrat that voted against the "New Deal").

Travel Tip: It can take over an hour to clear security at McCarran Airport, especially on Saturdays. However, for us, the security line was just opening and we breezed through. I don't think they were checking very hard; it turns out I had a wine corkscrew with a tiny knife in my carry-on (something I try to avoid), and Kathy almost always gets stopped because of her camera gear (she is a professional photographer and carries a LOT of gear). No harm though; the connection at SFO had about an hour, so we popped into the United Red Carpet Lounge (if you travel a lot, spending some of your miles on a membership is highly recommended). Unfortunately, United closed the Red Carpet Club lounges in Atlanta, Baltimore, Dallas and Minneapolis as of Sep-01-08. We decided to try the new Westin Renewal Section of the Lounge at SFO. This is a no-talking/no-cellphone area with nature scenes on a wide screen TV. Normally I go to the business area and pound on my email, but after a long travel run and only having 45 minutes, this hit the spot. The flight to Kauai was on time, we did get upgraded to first class, yay, and even got seated together! They served breakfast on the flight: Kathy had the omelet and I had the fruit plate. They no longer give you yogurt with the fruit plate, it is just a small plate of fruit, so I will probably switch to eggs in the future. They did have 2% milk, so I got my calcium that way.

The inflight movie was Swing Vote with Kevin Costner. I think he carried his part well; at one point they have him up on stage playing music and it turns out he really is a musician and just released an album. This counts as a really stupid movie, but the timing, with an election where McCain blames Obama for the recession even though the Republicans have been in the White House for eight years, is perfect. I really liked the one commercial in the movie where the Democrats were claiming to be Pro-life, that was too funny. The subplot of the movie seems to be tell any lie you want, winning the Presidency is all that matters, and that seems to be what is going on with the current campaigns. We landed, took a cab home, then I checked my email; it was a Kona day and the office was really warm, so we knocked off and went swimming at Lydgate Park. It was not crowded and felt really good to be back in the ocean. I only have a few days on the ground until my next trip to Houston, so I will try to go swimming in the ocean at least once a day before getting back in the air.

I also read a book, Behind the Screen by Mark Stone; there is a sample chapter here. This is a techno-fiction work and is Mark's first novel. It is a blend of sex scenes, some quite innocent, lots of kissing and some getting a bit on the extreme side such as Ray and Travel Chick at the Bellagio in Vegas. There is a nice information security technology weave; in fact, it is the first time I recall reading a fictional work talking about taking an intrusion detection class from the SANS Institute. They also mention the CISSP. I particularly enjoyed the numerous examples of using intrusion detection type technology to monitor the email use of employees at DesertFinancial. Having been in the monitoring business for much of my life, I thought that part was well done. Also, if a reader should learn one thing from reading the book, it is that just about everything you do on a computer can easily become public knowledge. The protagonist is Johnathan Davis, who is called John throughout the book. There is drama, and it builds nicely leading to a murder plot. And of course, since this is a novel, I cannot tell you the ending. It is great to see a book with an information security focus and I hope Mark keeps writing. If this had been done as an adult comic book, it would have been five stars with the right illustrator.

Tips for the future:

  • Keep working on character development. Mark, before you write your next book, do some character sketches to really help your characters come to life. You are consistent with your characters, that is great. But I found myself unable to visualize them. Now, granted, a lot of the communication is by email (great work on the email), phone, and instant message, but it helps me to know the hair color, the style of dress, what they smell like.
  • Engineer your ending. At SANS we say, "know your intro and your outro, before opening your mouth." The intro worked, certainly gets the reader's attention and even though we leave the two abruptly, you weave them in later. However, the book seems to climax before the climax. If sex is a big part of things, save Tara and John's consummation for later and then make use of all the pent up desire you have been building; my guess is that would be the time to get graphic.
  • Consider writing a short story, if it is educational and not too steamy, we could even help you publish it.
[October 7, 2008] China Security Travel Tip: keep your politics to yourself, focus on your reason for being there. Someone at Caesars apparently made an error on Oct 2, and they put a bag with a Wall Street Journal and New York Times newspaper on my hotel room door. It didn't happen before or after; one of the odd things about living in a casino is no newspapers. I treasured those newspapers; most hotels give them to you, but Caesars does not for some reason. I read every page several times, having a news source was wonderful. One of the stories is about a Chinese effort to monitor Skype messages in China with buzz phrases like:
Tibet, Wen Jiabao, quit the party, Nine Commentaries, milk powder

As you can see by clicking on any of the links above, there is a story for each word or phrase. Bottom line, if you are traveling in China, avoid politics. If it is a vacation, go walk the Great Wall; if business, get the job done, but keep your political opinions to yourself, at least for now. Here are some supporting links:
http://online.wsj.com/article/SB122291621892397279.html?mod=googlenews_wsj
http://www.greatfirewallofchina.org/
http://www.thedarkvisitor.com/2008/10/detailed-report-on-prcgov-monitoring-tom-skype/

[October 6, 2008] Final night in Caesars Palace, Travel Security Tip: Hotel ISPs. I was working on NewsBites and I read an interesting story. Most Hotel Internet Connections for Guests are Not Adequately Secured (October 3, 2008). A study from the Cornell University School of Hotel Administration found that most hotels do not take adequate security precautions on the internet connections they provide for their customers. The study compiles data from 147 written survey responses and from visits to 46 hotels. Twenty percent of the hotel networks use simple hub topologies, making them unsecured networks. Most of the other hotel networks channel guest traffic through switches or routers, which are more secure than hubs but still make users susceptible to man-in-the-middle attacks. The researchers recommend that the hotels set up Virtual Local Area Networks (VLANs) to best protect guests from Internet threats.

http://www.gcn.com/online/vol1_no1/47290-1.html?topic=security
http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html

The report ends with the following recommendations for safe internet access from hotels:

  • "Only send important information over the internet if you ascertain that the connection is secure. For browsing the web, make sure that the address in the address bar says “https://” rather than simply “http://”. The extra “s” means there is a “secure socket layer” between your computer and the website, meaning all information traveling over the network is encrypted. If possible, set up your email client to allow you to send using secure sockets, also, as this will encrypt the email information and disable it from being sniffed by an intruder.
  • Make sure that up-to-date personal firewall software is installed. In any situation where someone is on the same network as you, you are open to attacks which exploit common computer program vulnerabilities. Running a firewall will help prevent any intrusions.
  • If it is possible, always use VPN connections when doing anything on the internet, especially if it involves sensitive data. If your company does not supply a VPN connection, use an online service such as http://www.hotspotvpn.com or http://www.publicvpn.com to create a secure connection.
  • Never connect to any “ad-hoc” or “peer to peer” wireless networks. These are almost always attackers disguising themselves as legitimate access points."
Source: http://www.hotelschool.cornell.edu/chr/pdf/showpdf/chr/research/oglewagnerITreport2.pdf?my_path_info=chr/research/oglewagnerITreport2.pdf
Also, some hotel ISPs track where you go on the Internet for marketing purposes, you can read about that here.

[October 3, 2008] SANS Technology Institute's 3rd Graduation. That really was a special event for me. Ed Skoudis gave a speech on the importance of keeping the curriculum current, to stay in alignment with the needs of industry. Dr. Johannes Ullrich gave a speech on the research opportunities available to the student body. One of the things the students have asked for is more access to the faculty, and the best way to accomplish that is to get involved in the things we are doing, and the thing that most excites the STI faculty is research. Dr. Eric Cole gave a speech on the importance of teamwork, the fact that we are all in it together and that while he is very strong in technical security, if someone asks him a question, he is confident he can answer it. He may not be the worldwide expert in intrusion detection, but he knows he can call on Mike Poor or George Bakos. Eric may not be the top expert in penetration testing, but he knows he can call on Ed Skoudis or Jay Beale. He may not be the best web security person, but knows he can call on Kevin Johnson or Jason Lam. He may not be the best exploit writer, but knows he can call on Stephen Sims or Eric Conrad. He may not be the best forensics investigator, but knows he can call on Rob Lee or Michael Murr. As Eric pointed out, what makes SANS special is that not only do we have top ranked subject matter experts in the various disciplines of security, not only do we have multiple top ranked experts or fast rising up and comers, but we are willing to help each other; we are a team. Eric's speech really made me smile. One of the distinctives of STI is our regalia. Most schools' gowns reserve 4 stripes for the office of the president; at STI each of the core officials of the college who wear regalia has four stripes, this is a team effort. We could not do what we do without each other. One day, as we grow, we may need to use three and two stripes, but for now, it feels great to be part of a team.

[September 29, 2008] InGuardians Party. The high end penetration testing company formerly known as IntelGuardians is changing their name to InGuardians. I think it has something to do with trademark issues, but whatever, from all of us at STI, we wish you well with your new name and brand. Also, they announced that Lara Corcoran, former co-director of the GIAC certification is now a Vice President with the firm. Congratulations, Lara!

[September 28, 2008] STI Student Project Jim Beechey and Emilio Valente.
I got to hear their report from their group assignment. As part of their second Residential Institute, they were asked to research desktop endpoint security since anti-virus is not providing the protection that we need. The students did a good job and selected Whitelist vendor Bit9 as their recommended tool.
http://www.sans.edu/resources/student_projects/200809_01.doc
http://www.sans.edu/resources/student_projects/200809_01.ppt

[September 25 - October 06, 2008] blur mode at Caesars Palace. The flight to Vegas was uneventful, everything was on time, the United folks treated us well. We arrived at Caesars Palace and our room was ready, it was clean and comfortable and the housekeeping staff honored our Do Not Disturb signs; we do not open the room for cleaning until 1:30 PM. Forgive me if this is "Too Much Information", but I need to leave tips for developing SANS security instructors. In the past, I would finally get a break and want to use the bathroom in my own room instead of the public bathrooms on the conference floor; it is more private and, sadly, some of those stories you hear about the instructor that forgot to turn off his mike are true. So, I would go racing up to my room in my 15 minute break and of course they would be cleaning my room - every time. So, we leave a tip (here is a good article on tipping, how much, and why) and a note that says please clean the room after lunch, usually about 1:30 PM.

We ate on property three nights. First we went to Neros Steak House. We shared the Ribeye Côte de Boeuf for two. The entrees there tend to cross the 40 dollar mark (the Harrahs description is dated, I think). But sharing the steak got us to the thirty dollar level and there was PLENTY of steak for both of us, and I am a meat lover. It was done to perfection, the service was excellent. Here is a site with candid ratings for the steak house; I would go back.

Next we ate at Rao's, the Italian restaurant at Caesars. I ate there the last time I was at Caesars and had the lemon chicken and it was good. We probably should have made the reservation through the Diamond club people; they put us outside by the pool, it was a bit hot, but otherwise fun; you see wedding groups doing their photography and the like. Kathy had the Salmon, I had Prosciutto Pasta, both were OK, not great, Kathy's was better; I honestly do not believe the ham in my pasta dish was actually Prosciutto, I think it was regular ham and that was heart breaking at the price point. The service was terrible though: we were at the table for twenty minutes, nobody came by, not even water, and tipping those jokers 15% was the hardest thing I have done in a long time. We did get a bottle of wine, Primitivo, that was the bright spot of the night.

Finally, we ate on property at Bradley Ogden. I love Ogden's. Organic food, expertly prepared. We did the fixed price menu; whatever Kathy ordered, I did the opposite, and it was just short of fantastic. Well worth the money and the service was mostly great. One complaint: stop the hard sell for bottled water and drinks. I had to go back to work at 7:00 PM, so cocktails, wine and so forth are not an option. I got asked three times, once fairly firmly. BO got a good tip based on everything else.

We also ate at two restaurants in the Forum Shops, the Wolfgang Puck Asian Fusion and Joes. To quote Vegas Popular, "Puck goes Asian at Chinois, with a menu full of Chinese, Japanese and Korean flavors, created with a French influence. There is even a sushi bar at this Caesars Palace favorite." I had the Kurobuta Pork Chop, Kathy had some Vegetarian something or another. I enjoyed it; some of my pork was slightly pink, so when Kathy couldn't finish her dish we got it all to go. We have a microwave in the room, so I can bring the pork to temperature that way.

Joes was the highlight of the trip (at least so far, we have tonight as well). Kathy had the King Crab prepared tableside and I had the Stone Crab Claws, just awesome. Service was great, no complaints, loved it, may go back tonight. If you ever get a chance to visit the original, do so. I tried to research this, but perhaps you remember cartoons when you were a kid saying "Eat at Joes"; I think this is the Joes they are talking about, check out the cookbook in the link I just tossed you.

The last night we went to Bill's Steak House across the street from Caesars. It was nice getting a bill for less than $100.00 for two people, but don't get the seafood, get the mesquite grilled steaks. They must cook their seafood in aluminum pans with acidic ingredients, I got the scallops, Kathy got the sea bass and the bitter taste was a real turn off. Great service though and I enjoyed the tableside spinach salad for two for $11.00.

But of course, I was not at Caesars Palace for fine dining. This was one long Security Conference. The ICE II games went well, good experience for both the attackers and the defenders. I still think they need work on the audience piece, but the amount of progress between last year and this year has been AWESOME. Here are a couple of great writeups:
http://edge.i-hacked.com/integrated-cyber-exercise-ii-review
http://pauldotcom.com/2008/10/ice2-games-lessons-learned-fro.html
http://www.whitewolfsecurity.com/ice2.php
I am very impressed at the Fortinet system’s performance. It really took guts to insert themselves into the traffic flow and they did quite well. They will be able to take the traffic they captured and make their good product even better. I think this may prove to be a bit of a gauntlet for some of the other IPS vendors that do not have sufficiently stable platforms to insert themselves into traffic this hostile, especially the other Unified Threat Management type systems. I hope there is an ICE III and I hope more IPS vendors show up. The ImmunitySec folks were on the offensive team and I heard good things about their work on the games. Caesars really is an excellent location to host a conference. From Chef De Cuisine Banquets Darin Lopez rendering a custom oatmeal on request to adapting to the needs of a conference that ran 12 days, the food was awesome. That required mixing up the menus to avoid repeats. Engineering was great, shipping and receiving was great. Security was awesome as always. The bathrooms were always clean. Everything worked. There was enough space to do whatever we needed to do and more besides. The elevators were even snappy. Caesars Palace is one of the best conference hotels in the United States, and if anyone should know, I should know, because at least for the present, I spend a lot more time in hotels than I do at home.

[September 25, 2008] Lihue Kauai (LIH) to Vegas (LAS). I always get a bit tense before I fly, took two melatonin last night to help me sleep. I know, I know, you have tried melatonin and it did not work for you. I would suggest you try again; the latest research cited in this well-researched article says melatonin is really good for you, but the benefits occur only if you keep taking it. It also works better on older people than younger, so if you tried it ten years ago and it did not work, try again for a week or two and see if, not only, you sleep better, but how you feel during the day. When you travel, you get exposed to all sorts of bad stuff and anything you can do to keep your health up is important. One of the things that drags you down is jetlag. There are all sorts of opinions on managing jet lag from travel; myself, I try to make sure my hotel curtains are open so I can get up with the morning sun.

I got an invitation to speak, or more correctly, to submit a security proposal to speak at RSA 2009, April 20 - 24. I submitted an information assurance proposal to discuss Defense in Depth for 2008 and got put on an alternate list, then I did not hear from them again; I still consider defense in depth to be an important topic. I have a bunch of speeches lining up in 2009, so I will try to think about what makes the most sense. Meanwhile, we are working on the cover design for SANS 2009 in Orlando FL. That is right, we are already putting the package together in September 2008 for a conference scheduled for March 1 - 9, 2009. So, if you write me trying to get a speaking slot a month before the event (and that happens all too often) there is nothing I can do.

I hope to organize a trip to Machu Picchu in Peru for Kathy and me after the conference in Orlando. We found a travel tour guide that has decent ratings. They say we need travel insurance, which is probably a good idea. The first one I found was CSA Protection, but when I tried to do due diligence on them, this is what I came up with: http://www.epinions.com/finc-Insurance-All-CSA_Travel_Protection/display_~reviews. There are two five-star reviews and a number of people with bad experiences. Whew, this means more research. If you have traveled to South America and have advice on travel insurance, I would love to hear from you (stephen@sans.edu). I found a website, http://www.insuremytrip.com/ that seems to be focused on helping mix-and-match travel security policies. The only two companies I recognize that offer travel security policies are AMEX and AIG. Since AIG is under government receivership, I asked AMEX for a quote.

Kathy and I are also making our travel arrangements for SANS Cyber Defense Initiative 2008, our next major event coming up December 10-16 in Washington, DC. What were we thinking when we scheduled DC in December? I’ll be checking out nearby outlets for parkas, electric socks and nose warmers. What I’m really looking forward to at CDI is Dr. Eric Cole’s new course, Security 501: Advanced Security Essentials - Enclave Defender (http://www.sans.org/info/33453) and the talk he’s going to give on Pen Testing Tips and Tricks (http://www.sans.org/info/33458). It always fascinates me seeing how people respond to him. People have been asking for a follow on to Security Essentials, SEC 401, which leads to the GIAC GSEC certification, one of the 8570 approved certs; we will see how this goes.

[September 25, 2008] still preflight to Vegas, checking travel plans to Houston. I am also looking forward to coming to Houston, October 15 - 19. There is the issue of the hurricane, but the people that I have spoken with feel the press overstated the damage and the people of Houston appreciated the fact we did not cancel, several wrote me notes. I wrote one of them and said I knew Houston would bounce back, but feared for Galveston. Here is Joanne's reply: "Galveston is not ruined...by a long shot! The foresight of the 17' seawall, sloped inwards on the land-side, with the raising of the city itself by 1902 was actually an incredible stroke of genius. It had been voted down by its famous weathercaster Isaac Cline in 1891, however. It took over 11 years to build after the big storm. The Balinese room and a couple of the grand old hotels were opened in 1910 to show the world that Galveston was back in full force. The seawall this time definitely saved thousands of lives, as 20,000 people stayed ON-island this time. It could not save the structures directly facing the waves and wind combined, however. The loss of so very few lives this time (and at least three to CO poisoning from generator fumes AFTER), is in stark contrast to the 6000-8000 of 1900 - and yes, that is startling to have that connection with Kathy's grandmother (My wife Kathy's grandmother saw her family swept away in the 1900 flood)!

The ship Elissa survived with only minor damage. Next door to that is the theatre for the "Great Storm of 1900" multimedia presentation. (There is also a database to search for immigrants who entered via Galveston - the 2nd largest port of entry in the U.S., after Ellis Island - with ships registers. Not sure how it fared, but a good link for genealogy is http://www.cyndislist.com/portsentry.htm#Galveston ) Here is a link for the 1900 aftermath, courtesy of a TV station site, http://www.click2houston.com/hurricanes/5003099/detail.html

But note that "only 4 cameras were in existence" at the time. Also see http://www.1900storm.com/index.lasso put up by Galveston - (one section with films taken by an assistant of Thomas Edison). The rebuilding section is http://www.1900storm.com/rebuilding/index.lasso - this page is interesting. It will be interesting to see how this website evolves in the next year. http://www.awesomestories.com/disasters/galveston/galveston_storm_ch1.htm http://en.wikipedia.org/wiki/Galveston_Hurricane_of_1900 If the telegraph in 1900 was back in a week, and the saloons were open within 3 weeks...and today we're already seeing Home Depot, Kroger, (Wal-Mart, I think he said), a few gas stations, and homeowners flowing back in - in 12 days - they'll be back. Galveston will be back." Well said Joanne! Well said!

[September 24, 2008] packing for Vegas. I got a note asking if I would bring a video camera to film a code review meeting. We have a Canon semipro HD, but it is huge, so I am packing the Sony HandyCam DCR-PC108. It is lightweight and has served well. On our last trip, Kathy and I packed a bit heavy, it made sense because we were out for six weeks, but it got to be laborious. I have been thinking about John McDouall Stuart, the first man to cross Australia. "Stuart led six expeditions to the interior. He was the first European to gaze upon the Red Centre. He opened up thousands of square miles of sheep country. And, stubbornly refusing to be beaten, eventually became the first man to cross the continent from south to north and back." According to Longitude131, the reference I am using for this section, he was quoted saying: 'I advanced a few yards on to the beach, and was gratified and delighted to behold the water of the Indian Ocean.' The Indian Ocean from Australia is truly beautiful, Kathy and I spent a week at Rottnest Island and really enjoyed the snorkeling, Wikipedia describes the trail. Two things Stuart did that allowed him to succeed when many others failed: search for water and follow the line of water; and, travel light and fast. On this trip to Vegas, Kathy and I are going to travel light and, hopefully, fast. I will have to check two bags; the college I work for, the SANS Technology Institute is having a graduation ceremony and I have to pack my regalia. It isn't a weight thing, it is a bulk thing, graduation gowns are huge!

[September 23, 2008] Mailbag. I got a note from Tim Rosenberg about ICE II,

If you will be at this year's Integrated Cyber Exercise II (ICE II) October 1 - 3 at Network Security 2008, I think you are in for a great experience. ICE II will feature Paul and Larry of pauldotcom.com in a Hacker throw-down to see who is the best network attacker and defender. Paul and Larry will each have a major network to defend while they also attack each other. The event is open to all SANS Las Vegas attendees. Players can pick a side, defend their own network, attack at will or view and snipe from a distance. This year’s event will feature more hardware, including VoIP and SCADA. Enhanced scoring visualization and 3D graphics and even a complete traffic generator to hide the attackers. Come hang out in the spectator room and be eligible for random prize drawings sponsored by ThinkGeek, AirScanner, Syngress, CACE Technologies and Lone Pine Embroidery. Watch as phones, servers, cameras and even our own power grid are attacked and defended across three nights of fun, education and mayhem. Fortinet will be providing complete IDS monitoring and reporting, with Core Security and Immunity demonstrating in the Red Cell room. Should be fun, expect a full report from pauldotcom.

[September 22, 2008] Back on Kauai. We got back from a six week travel trip this Saturday. The weather is excellent and I hope to hit the beach. I was surfing the web and saw an article about Tanya Baccam, another SANS Instructor, posted by eweek.com. Here is a snippet of the article:
"
I think that the best expert on Oracle Security is Pete Finnigan, but if you want a clear explanation of the problems and solutions, no one is better than Tanya in her course, Securing Oracle, GSOC certification. When you first look into Oracle Security, you learn about so many problems ranging from default settings to exploits that the knee jerk response is that they really need to clean up their act. However, this is much more of an attack surface problem. Oracle is huge and that is why they have problems; if you have a software system that big, you are going to have problems, at least until we as a community learn to write better, safer software.