Security Musings

Security Musings

Information Security Travel Guide

Stephen Northcutt, an Information Security Researcher, United Airlines 1k, Writer and Instructor, documents the struggles of the travel and hospitality industries as we all face continually increasing energy costs. He and his peers share their travel experiences and give you quick tips and short reviews of the companies they do business with as they travel. If you came across this article because of a Google search, what you want is probably here, just use find with your browser (CTRL - F), it is easier than reading from top to bottom; however, you may get some useful tips if you stick around and read. Each major cluster of trips is documented in a separate file.

Other Related Articles in Information Security Travel Guide

Information Security Travel Guide: January - February 2009, Kauai to Las Vegas NV, Richmond VA,Toronto ONT, and San Diego CA

By Stephen Northcutt
Version 1.5

[February 14, 2009] Happy Valentines Day: Part 1.Woke up with the sun instead of an alarm clock, that was nice. I am usually moving pretty fast when on the road, but frittered around my hotel room, answering email, did a bit of reading. Headed to the airport earlier than usual, just do not want to hurry. Checked out of the San Diego Marriott Hotel & Marina, had to go to the front desk because they charged me for valet parking every day, except I did not have a car. They were nice about it, but it took ten minutes; if I had been in a hurry that would have been a stress causing event. Made my way to the airport. I am on American Eagle 3070 to Los Angeles. There is a cost of $15.00 to check the first bag, but it was free for me since this is a first class ticket. Not that I am something special flying first class, Diane found a first class fare on American that was cheaper than back of the plane middle seat on United, whoopeeee! Got through security and headed for that little snack bar at the commuter terminal. There are no power outlets along the floor, but if you can score the table closest to the microwave, there is a power strip behind the microwave; look for the slot along the side of the first glass window facing the interior of the snack bar. I will not stay here very long, the chairs are not comfortable, but it is a chance to chip away at the article.

The American Eagle flight before mine was running late with a mechanical and it was not full so I switched to flight 3044. I was concerned about cascading failure where one late flight leads to another, and after three weeks on the road, I want to get home. They put us in a holding pattern and so we circled around Los Angeles; not to state the obvious, but Los Angeles is a very big city, and I enjoyed myself staring out of the window at all the houses, pools, cars, freeways, beaches and ships. Speaking of Los Angeles, I read the weekend edition of the Wall Street Journal and they have a story about a group named Homeboys running a class to teach people who have been in prison to install solar panels on houses. This is good stuff, I wish them all well. You can help, Homeboys is barely hanging in there, visit their web site and consider making a donation. Here is a snippet from the LA Times, "Homeboy is one of this too-often-heedless city’s unambiguous municipal treasures – and it’s in trouble. We need to do something about that, and we need to do it now. The problem is simple: The economic catastrophe rolling across our country has dramatically pushed up demand for the kind of help only Homeboy provides. Despite the numbers of young men and women the community employs, and despite the others it has placed with private employers, its lobby is crowded with new applicants every morning. At the same time, the government and the private sources of funding on which Homeboy relies for most of its budget are cutting back as a consequence of the same downturn."

We landed and got off at the commuter terminal, then you have to take a bus to the main terminal. As we were headed for the bus, I saw a pilot and sped up to be right behind him. Sure enough, the bus door was just closing, but the driver saw the pilot and opened it back up; we got on board. I walked around terminal 4, both the restaurants and gate waiting areas, and didn't see many open power slots, so I bought a one day pass at the American Airlines Admirals Club. In this time of corporate austerity, I will eat the fee, but now I can be a good security travel guiide and let you know about the Admirals Club. It was quiet and uncrowded. I notice they do some upsell; on top of your club fee, they have Amora Fresh Food. The prices are not bad, a Cobb Salad is $10.00, as is a Rueben or Tuna sandwich with chips. A beer is between $5 and $6.

A decent glass of Cabernet Sauvignon (The Show) is $10.00, about a dollar less than you can buy a bottle for in a California grocery store, but it is a decent wine. According to Benito's blog, "It's made up of (deep breath now) 42% Monterey County Cabernet Sauvignon, 28% Paso Robles Cabernet Sauvignon, 10% Napa Valley Cabernet Sauvignon, 8% Monterey County Merlot, 6% Napa Valley Cabernet Franc, 3% Dry Creek Valley Petite Sirah, and 3% Napa Valley Petite Verdot."

They even have massage chairs for rent. Coffee and tea are free (though all they have is Lipton). They have a snack mix made of Cheez-Its, goldfish, mini pretzels and a lot of black pepper, that is not bad. I will take one more pass through the lounge before I jump my jet to make sure I am giving them a fair review, but all in all, I am glad I made my investment in the Admirals Club.

[February 13, 2009] San Diego, mission complete. I enjoyed teaching for AFCEA and it was awesome to catch up with Fred Rainbow again. Still working on the Information Security Magazine article, but making progress. I enjoyed my class and hope they do well on their certification; a number of the students are planning to certify for the GIAC GSLC. Had a few good meals here. Ate at Roy's twice, once alone, once with Karl Leray; great Hawaiian fusion, and the price is very fair for what you get. Also had a fun meal at Fred's Mexican Cafe. Friday night, the Gaslamp district really came alive, I ate at the Cafe Sevilla, a tapas place. A bit crowded, was there almost two hours, but it was very good food and had a nice dry glass of Spanish wine. It was raining, again, but more of a mist than a hard rain and I bought an umbrella at the hotel. Still making progress on my writing. Tomorrow I fly back to Kauai on American, haven't flown on American in a while so I am excited about seeing what it is like.

[February 8, 2009] San Diego, down day. Teaching starts tomorrow so I have today to get my bearings. Still have two writing projects that I must work on. One is an article for Information Security Magazine, I am working with Neil Roiter; the other is my presentation for RSA. I think I need to prioritize RSA. Woke up early, hungry; breakfast did not open till 6:30 A.M. The buffet is good, but it is $20.00, works out to $25 or more with tax and tip. Worse, no newspapers. No newspaper under my door (although it is Sunday and many hotels do not give you a paper on Sunday). But, $20.00 is on the high end for a good, but not great, breakfast buffet; I am just back from the Rio in Vegas, so I jolly well know that. And you look forward to that newspaper, especially when you are traveling alone, like I am.Will try to eat lunch away from the hotel. Got back from breakfast, trying to hit the RSA talk hard. RSA accepted my talk, but they want it done at the advanced level. They want demos! There are plenty things I can demonstrate, but that takes time, demos are really neat stuff, but if you ever time a demo and think about the facts per second, you realize the density is fairly low. I am thinking screen shots give the attendees the best value, they can run the tool and duplicate the screen shot, so it is more like a SANS hands-on lab exercise. However, to provide these screen shots, I need to go set them up and need to do it today. Spent the morning on the talk, it needs a touch of polish, but it is essentially there. On my way out of writing debt, hooray!

Some crazy problems with the Marriott hotel today. The first was partly my fault. I am playing with browser security and I needed hotel broadband bandwidth for the up and down loading needed to set things up. So, I plugged in the ethernet cable and was redirected, as advertised, to the Marriott page. But there was nothing to click on to buy Internet. This is because they are depending on a popup or similar and the browser security settings I was playing with on Internet Explorer killed that. I was able to read it on Firefox using NoScript. By the way, Marriott San Diego, that is a terrible web page. The picture is far too strong and you cannot read the text with either the IE or Firefox browser easily. Never let art overcome content when you are in business.

Next, the Internet pricing. After I finally got it in place, the web screen said if you only wanted one day of service, call the front desk to arrange it. So I did. After all, I am teaching Mon - Fri; today, Sunday, is the only day I can make proper use of the Internet. The person at the front desk sounded one step shy of a clue, so I called again.

TRAVEL TIP: If you call a hotel and you do not think you connected, consider calling again. They have people that are busy, people that are having bad days, people that have limited English; in other words, hotels employ people just like you and I! If you do not get though the first time, maybe you will on the second try. However, no plan is perfect. I didn't make any more progress the second time. My guess is that the Marriott people do not know the IBAHN people have that note on their pop-up screen. So, time will tell, did they charge me a full day for four hours or will they go for the whole banana and charge me for all the days I am here for four hours?
NOTE: This is early data, if you are part of my team, take no action at this time; until you see it on a bill, it is just conjecture.

Then, the phone. The phone by the desk did not work. After the third or fourth phone call that I could not answer, I called Maintenance. What is up with that? I always get calls on my cellphone, but this time, I get calls on the hotel phone and cannot answer. So I called it in and nothing happened. The housekeeper for the room was the salt of the earth so I asked her to call the "wires" department. A guy came up. All smug. "The phone by the bed works", he said. "True, but I am sitting by the desk", I replied. After checking that phone and realizing it was hosed, he seemed like a regular guy and he soon returned with a working phone. Good enough! I still like the Marriott a lot, I sense a true possibility of a conference hotel here. I learned long ago to note, but not sweat, the small stuff. I think the hotel management would need a serious service level commitment to work with our conference team, because I suspect they have not worked at our level often. But once in a while, tough medicine is a good thing, and we have one of the better conference planning and execution teams out there. Did I mention there was no one to contact at AFCEA at 5PM the day before the event? Or that the doors were locked so you could not preflight your classroom without doing a physical pen test? Maybe this is fantasy, but I have fond memories of this hotel and the convention center from the days before SANS. It would be fun to see it work. I will learn a lot more in the next five days.

Watched the Pro Bowl today. After the game, I went to the convention center to find my class. It was all buttoned up, guards everywhere, took me five minutes to find a way in. Avoiding the guards was harder, should have done this at half time. Found my class, it is set with a viewgraph projector. Hmmmmmm, when was the last time I gave a viewgraph presentation? Sometime in the 90's, but not the very late 90's. Left a note at GES and another at AFCEA registration. I also wrote the conference organizers by email. We do what we can, I am confident it will work out, GES has a lot of capacity and capability.

What a banner year, I got to see the Super Bowl and the Pro Bowl, and they were both good games. Maybe I can reinstate football in a year or two. I kind of needed to enter a veg state, life has been so pushy lately. For supper, headed out of the hotel and found a Hooters: an imported beer, spiced shrimp, a grilled Mahi sandwich all for $30.00. Healthy food in a delightfully tacky, yet unrefined environment. Finished my blog and it is time to turn in after reviewing the materials for tomorrow.

[February 7, 2009] San Diego.
Flew United from Richmond VA, to Dulles, to San Diego.Scored an aisle exit on the UA 231 cross country flight. The flight was almost totally full, but somehow the middle seat next to me stayed vacant; some days you just have to be thankful! It was a good crew, they came by with water multiple times. We came into San Diego just as the sun was setting. They have been having a light misty rain, and the combination of the mist and the setting sun on the unique San Diego architecture was striking. Staying in the Marriott Marina, check-in went smoothly, the room was clean. I am here to teach for a conference called AFCEA. My course is found here, #912. Spent a bit of time reading Dan Swanson's Security and Audit Blog, where does he come up with so many links? For food, I went to Roy's Hawaiian Fusion, San Diego. I had the Roy's Classic Trio, "Hibachi Grilled Salmon, Roy’s Blackened Island Ahi & Hawaiian Style Misoyaki Butterfish, A Sampling of Our Three Classics in Their Traditional Preparations." Maybe I was very hungry, but it felt more like an appetizer, it seemed small for a main; however, since I was dining by myself, I finished off the Edamame and that was enough food to be satisfied.

[February 5, 2009] CFI-CIRT event, Toronto. I dropped into Dan Geer's class, he has done a lot of analysis on the forces shaping information security programs. He points out the attackers make enough money to self-fund their research into exploit code. He also points out that the amount of information that organizations are saving is increasing and its value as an asset is increasing proportionally. I grabbed a turkey sandwich for lunch and ran into Jason Lam, and we had a chat. Then I gave my talk. I had really prepared, I gave the talk in my hotel room three times last night and twice this morning (sleep is vastly overrated). But I wanted to be prepared and it paid off. It was right after they ate, and the room was hot, so I elected to work from the floor with a cordless mike, instead from the dais. They had a clicker which made moving around a lot easier. As soon as the talk was over I was trying to get the heck out of there and head for the airport, and I am glad I did not dally. The Toronto Pearson airport was a piece of work. I managed to print my ticket at a kiosk, glad I was not checking bags, one more long line would have cut my flight close. They only had half a complement of U.S. Customs officers, so the line was double long. It took about 45 minutes to clear customs and then I still had to get through security, which was also dog slow. No doubt in my mind, some people missed their flights. I wanted to get some food before flying, but then I realized my gate was the kind you take a bus to another gate. I still had a bit of a cushion of time from not having to check a bag, but I decided to get the bus to the gate and and get food there. We waited ten minutes on the bus and then we drove off to the Air Canada regional jet terminal. The food there was awful; I got a stale roast beef sandwich where the roast beef was very salty, but it seemed like the least horrid choice. In the plus column they have little laptop desks, I am writing this from one of the desks. I am not saying I would never fly Air Canada again or fly though Toronto Pearson, but, if it is an afternoon flight, you might want to arrive 2.5 hours early.

[February 4, 2009] Toronto. The Groome came at 8:45 A.M. and I was off to the Richmond Airport. I am on an Air Canada (Jazz) flight, non-stop to Toronto. American Airlines issues the tickets, it is all very confusing, and I was not able to get the clerk to give me any frequent flier miles on either airline. The plane left about 25 minutes late. Short flight, under an hour. As we were descending, I looked out the window and saw snow; horrors, what is this Hawaiian boy doing here? Got Canadian money at an ATM and caught a cab to the Four Seasons. This is only my second time in life to stay at a Four Seasons, they are very nice. I am speaking at an event tomorrow, the Canadian Financial Institutions Computer Incident Response Team (CFI-CIRT) meeting. The Internet is fast here and that is a big plus. I met Peter Giannoulis at 7 P.M. and we went across the street to Mortons Steak House to talk about the Academy.

[February 3, 2009]
The little Richmond House II. Today we got up early. Kathy went shopping for new house necessities, I put in a work day at SANS. About two P.M. we took a break and went to pick up Norma to go antiquing. We have decided the theme for the house would be darker wood (walnut, mahogany and possibly cherry) antiques and original digital prints. I used one of the prints in my newest book. The first thing to get was two computer desks we are tired of computing on the kitchen table, makes it hard to eat. We also got a dresser for the mother-in-law suite that Kathy and I are going to make our primary part of the house. Then we went to Whole Foods and got some fish and scallops to cook Asian style for the family.

[February 2, 2009] The little Richmond House. Another late night last night, drove very carefully after the Super Bowl. I had touched zero alcohol, but was probably in the minority on the road. Got home, crashed, another late start of a day. But you know what? Sleeping late for me means 9 A.M. and I only do it a few times a year. If Kathy and I need to rest, we should rest. We made oatmeal again, went back to bed for ten minutes and got up several hours later. Then we went to Short Pump Town Center to open up a bank account at BB&T so we would have the ability to write in-state checks and also to get a massage at Massage Envy. I am not actually that big on massages, but all sorts of little things start to happen to you when you stand up teaching for hours on end, lug heavy bags around, and the like. Also, I confess I do not stretch as much as I should. After the massage, we grabbed some food to make Hunter and Norma supper, I was in the mood for Middle Eastern and it hit the spot. Hunter can certainly down some hummus. Left Norma's early, about 8 P.M., we cannot afford another late night, need to get into this time zone. I will set an alarm for tomorrow.

[February 1, 2009] Hardcrash. Kathy and I were probably up till 2 A.M. getting situated. We had purchased a bed from the Richmond Original Mattress Factory and fell into it as soon as we got sheets on it. Still haven't put the frame together. Anyway, we finally crashed. We woke up the next morning, made some oatmeal in the pan I packed in my bags from Hawaii. Then we went back to bed, didn't get up till 3 P.M. Even then we had to push to get up. I think this is the most tired we have ever been. We have been keeping a list of the things we need for the house, our plan is to be minimalist here, but we need a few things like food. We went shopping and I had the most amazing shopping experience of my life. I cook well and across many disciplines, and I have been to supermarkets around the globe, but this was my first Trader Joe's. Finally, after all these years, I got to shop at the home of "Two Buck Chuck". I am in love, wowed, amazed. They don't have every thing, this store isn't that big. Even so, how can you pass up on enough pre-cooked, seasoned rib of lamb to serve four, for $9.99? How about a goodly portion of cooked wild rice for $3.99? And outstanding wine values and pre-washed salads and flash frozen fish. Oh my! We met Norma and Hunter and took them to Kona Grill and then back to Norma's house to finish the Super Bowl. That was one heck of a game.

[January 31, 2009] Heading for Richmond VA. The car was on time, the bellman helped support us with our bags and we needed the support, we took advantage of being able to check two bags each and had brought some stuff from Hawaii to Virginia. The United flight 1267 was on time. It is a "Ted", even though United doesn't sell it that way any longer, so they are minimal service. They pour a drink of soda, but will not give you the can. Whatever! I brought a Hawaiian pizza from California Pizza Kitchen on board, not bad, but hard to eat on a plane, they have really big chunks of pineapple that fall off easily and try to put pizza sauce on your clothes. We got to Dulles to transfer to United Express 8006 to Richmond. We ate in the airport since we had a 10:05 P.M. flight, I didn't want to eat supper at midnight. Nice enough flight, sometimes they give you a soda or juice on that flight, other times they do not, this was a "not", but that is OK. One strange thing happened; they opened the door for us, but there are lots of shuttles, and there was no one to direct us to our shuttle. It turns out there are signs along the ceiling of the hall in the A4 - A6 gate area. After we finally found our plane and got seated, a gentleman got on looking very flustered; I guess he never found the signs and it is counterintuitive to look at the ceiling. We got our bags very quickly at Richmond Airport, and I rented a Smart carte because we had so many bags. We looked in front of the terminal, no Norma, no Hunter, no one was there to meet us. Plan B, instead of spending the night at Kathy's mother's house we would go on to our house. We took a Groome shuttle, the driver was nice and knew a lot about Richmond. We got home, all the keys were in my carry on. Found them, the first door was deadbolt locked, so we got into the house via what will become our apartment. The Groome driver stayed and kept his headlights on us until we got in the house so we could see what we were doing; I am going to use Groome again. It was only the second time we had set foot in the house since we bought it. Harry Williams has finished laying tile and updating the bathroom; it still needs a post construction cleaning, but hey, it is a place to sleep. We sat in the kitchen with our only piece of furniture, an antique walnut dining table and snacked on some nuts we brought with us; how nice to have a place on the mainland. Life is good, indeed.

[January 30, 2009] Finishing the job at the Rio. I like the Rio, I like Caesars also, but the food prices are lower and are a better value at the Rio. We ate at the World Buffet for several breakfasts and a lunch, very nice, huge selection. The Seafood Buffet (yes, it is a separate buffet) was awesome, I haven't had Stone Crab Claws in a long time. Gaylord Indian was excellent and accommodating; I had to give a talk that night and I needed to review it, so they let me plug in the laptop. VooDoo Steakhouse was a truly fun evening. We had the seafood appetizer for two and Wagyu beef for our main. The wine list is also very nice, but not scary. We went to VooDoo the only night I was not giving a talk and had a great date night. Finally, on our last night, we went to Buzios Seafood Restaurant. Nice selection, best rendition of Chilean Sea Bass I have ever had.

[January 25, 2009] The Rio, Las Vegas NV. Finished the second half of my security class, Security Policy, I think it went well. Then I met with Eric Cole with some suggestions for Security Essentials, from Jason Fossen. Next we attended the popcorn reception and I got to meet some of the attendees. As a special bonus, Laura Chappell from Wireshark University showed up. She was the life of the popcorn reception, a lady that can tear packets apart and keep conversations lively; awesome.
After the reception, Kathy and I went to the Rio Seafood Buffet. Oh my! King crab, Peel shrimp, Stone crab claw, mussels, clams, some sort of lobster and all the trimmings. Their Paella is on par with Hawgs Seafood Bar, and the price is incredibly low, we got out of there for under $100 for two. I like the Rio, and I think it is an excellent value as a conference spot.

Interlude: Dell Computer support misfires. We buy Dell support on all of our laptops. Until now, they have come through for us. Kathy's laptop died over a week ago, we reported, Dell outsources maintenance, and the company cannot seem to find a technician. A week went by so we flew without her laptop. This is going to cause some serious stress. I have bumped a contact I have at HP, we may move our business. Now that may sound petty, but I bought two HP laptops for family over the Christmas holidays and when I put them side by side with Dells from a features and performance standpoint, there is no contest, HP wins. Of course there is more to running a business to performance, there is also reliability and I have no idea how HP will do. If you have experience with HP business support for laptops, I would love to hear from you,

[January 24, 2009] Day one, teaching. I am teaching the information security policy course Management 404. I like my class; we have some interaction going and they are willing to work on the labs. After class, we went to RUB Barbecue at the Rio. I am a fan of slow cook hickory smoke barbecue and Kathy enjoyed the sides. It isn't the best I have ever had, but is is the best I have had outside of the South. Sorry folks, bbq is a Dixie specialty. We also signed up for the float ride at the Show in the Sky, that was kind of fun and the showgirls on our float were very friendly. Then we went to the Wine Cellar for wine flights (3 two-ounce tasting portions); I got the Zins, Kathy got the Cabs, we switched back and forth and headed to bed (after updating my blog of course).

[January 23, 2009] Vegas, baby. We took United 68 from Lihue. We got upgraded to first class, but into row 1 seats ( no legroom or space overhead, oxygen instead is in that compartment), so Diane was able to get us other seats, two windows on opposite sides of the plane. None of the passengers would trade so we could sit together. My seatmate, fat oriental male, was the seatmate from Hades. Wouldn't let me up to go to the bathroom, had to climb over him. Spilled stuff twice, may he live in interesting times, coffee stings a bit when it hits you. Good service from the crew, though, and got to LAX early. Good thing, that was a tight connection. Flight to Vegas on (formerly Ted) United 0353 only had 46 people. Neither my light nor the one next to me worked; when the seatbelt sign went off, I moved so I could read and Kathy could get some sleep. Suggestion for United: check the reading lights, that is lame.

Limo from the Rio All-Suites met us on time. One of my bags did not come through. Went to the bag claim area to report it and discovered that United did not give me claim checks in Lihue, fortunately the lady could look it up anyway. So, found that it had not been scanned in LAX. Then, off to the Rio. Very short line to check in. Friendly lady at the front desk said no rooms were currently available. Got on the phone with housekeeping, they found us a room, life was good. The room is clean, if you know all the things I check for, and it has a fun view facing Caesars. If you have been reading this blog, you know I like Caesars for conferences, but my first impressions of the Rio are also good. Kathy crashed out. United got my bag to the hotel five hours later, no harm, no foul. BTW, there is a 1k baggage number, so they are trying to take care of the people that fly them the most. Thank you!!! I got hungry and went to the regular buffet. Heavens that thing is amazing, it is the biggest buffet I have ever seen and they really try hard. I tried to eat healthy, but I am a sucker for eggs benedict. I can't wait to visit the seafood buffet on the other side of the hotel.

[January 22, 2009] We fly to Vegas tonight. Spent part of the night packing. I just read that Stephanie Fohn is a finalist in the Stevie Awards for Best Executive for companies up to 100 employees. She is the CEO of Whitehat Security. I asked her to give me the elevator pitch of what they do, and she said:

"Securing Web applications is a complex process that can be extremely expensive and difficult to manage. Large corporations typically have hundreds, and sometimes even thousands, of QA and publicly-facing websites to secure. New websites are constantly being created and existing sites change all the time – with very little security oversight built into the process. Add in the constantly evolving threat landscape and the challenge can seem overwhelming. New Web hacking techniques are being discovered all the time – at least one new sophisticated attack vector is published every week.

As organizations struggle to maintain a strong security posture with shrinking resources, WhiteHat Sentinel has become the solution of choice for total website security at any budget level. The entire WhiteHat Sentinel product family is subscription-based, so, no matter how often our customers run web application assessments, whether it’s once a week or once a month, their costs remain the same. This highly competitive and predictable cost structure simplifies and streamlines the budgeting process. In addition, as a SaaS solution, WhiteHat Sentinel is more cost effective because the customer does not have to invest in people, hardware, software, or additional infrastructure. WhiteHat bears all these costs, while the customer pays only the annual subscription fee.

WhiteHat Sentinel is the most accurate, complete and cost-effective website vulnerability management solution available. It delivers the flexibility, simplicity and manageability that organizations need to take control of website security and prevent Web attacks."

[January 19, 2009] Still on Kauai, but we fly on Thursday. Saw this in a press release: "Insight Investment has become the first investment management company in the UK to be awarded certification to the ‘gold standard’ in Information Security ISO/IEC27001. Certification of businesses is optional but is increasingly being recommended by the Information Commissioner’s Office and Financial Services Authority as evidence of a high level of corporate risk management." I do not know if it is true they are the investment management company, but certainly applaud their efforts. These days, loans and financial valuations get all the attention, but all of that information is kept in databases and on servers, so please join me in congratulating Insight!

New Scientist has an article on why the Mediterranean cables are a high risk part of the Internet. Of note: A 2005 study at the Swiss Federal Institute of Technology Zurich calculated that a nationwide internet blackout would cost Switzerland 1% of its GDP per week. I would have thought it was higher!

[January 6, 2009] Sunny day on Kauai. After I blog and do my Facebook updates, I am out of here! Picked up a link off Anton Chuvakin's blog to this great risk story about the Titanic, that it was fully compliant with all safety regulations. This should be a must read for anyone involved in compliance. Also Wired really scored with their writeup on Max Butler (AKA Max Vision) one of the greatest cyber-criminals of all time.

[December 23, 2008] Rainy day on Kauai. We are working hard in the office today, it is really nice to be able to work from the office after a long time on the road. We also have family here, my brother Jack and his wife Tamara and their son Sean Grant. We will have a dinner party tonight hosting some of my friends Rudy and Shanda who run everyone's favorite furniture store on Kauai, Two Frogs Hugging.

From the mailbox, I got a note from Robert Rounsavall about his experience in the SANS Mentor program. If you score 85 or higher on your GIAC exam, you receive a note from me inviting you to begin preparing to become a SANS instructor. It takes about three to five years to grow a new instructor. One of the first steps is the Mentor program. Here is the writeup on the program: Mentor is SANS' program for learning our courseware in ten-weekly classroom sessions right in your home town. Mentor gives you time to absorb and master the same material commonly taught at SANS six-day conferences, with the guidance of a trained network security professional. Mentor is your opportunity to participate in SANS training without the expense and inconvenience of travel or taking time out of the workday and the advantage of a small classroom setting. You also get the opportunity to network with other security professionals in your area.

And this is what Robert had to say, "I think being a Mentor gives you whatever you want to get out of it. You have to learn the material MUCH better than just having taken a course. It does help you build your brand. It helped me get what is seriously my dream security job and what would be almost anyone's dream security job because of the people I've met. All it costs you to be a Mentor is time and commitment. I know that I have struggled to fill Mentor courses in the past and that is probably a challenge for most people depending on where they are and what they do, but that helps you get better as well as far as marketing your class and marketing yourself. I've taken about 2 years off as a Mentor because of sheer workload and was gaining experience but thinking about jumping back into the fray and moving up the ladder to a community instructor and beyond."

All, I can say from my perspective is that it is nice to have a program to help these folks develop and grow. And it is nice to know there is a pipeline of instructors for the future as the current crop finally get tired of flying on airplanes.

I also got a note from Jim about the GSE, our most prestigious certification:

"Here is a topic near and dear to me. I, like Rich am planning to take the GSE in 2009. I have been pestering both Jeff Pike and Jeff Frisk for the past year about taking the test in 2009. This a goal I would really want to achieve, a test cancellation for 2009 would really disappointment me. Personally, I recently did the GSEC silver, I am in the process of doing the GCIH and then will do the recert for the GCIA. I am treating the tests as a dry run for the master test, plus the indexes I will use for the GSE multiple choice test.

Honestly, the backtrack tool used for the test should be in a museum. The current version is 3.0, and there is talk of 4.0 in the works. Backtrack does offer a class on the tool, I took it last spring to prepare for the test. The class was very good. I expect the training exercise to help me for the GSE exam. I took advice from formal SEAL Richard Machowicz - 'train to reality as close as possible because that is the only way to condition yourself during a real situation.'"

Judge makes the wrong call in Arkansas
I am sure you heard, the Wikipedia Huckabee saga continues. In 2007, MSNBC reported, the changes made to Wikipedia pages about the former governor, current Democratic Gov. Mike Beebe and others were made using state government computers, according to an analysis by The Associated Press of records from Wikipedia and the state. The AP found that five computer addresses within the state government network were used while editing information about politicians. Other computer users within the state network changed pages ranging from the rock group AC/DC, Soviet Communist Party boss Yuri Andropov and the city of Batesville, Ark., to a profile of Charles Manson.

From a security manager viewpoint we have two issues, one is simply the time waster issue, government employees on the tax payroll doing non-government work. The second is more serious, government employees probably have no business messing with politics. Now the plot thickens, according to NWANEWS, "A Pulaski County Circuit judge on Thursday derailed efforts by The Associated Press to determine which state employees changed information about former Gov. Mike Huckabee and other state officials on the Internet encyclopedia Wikipedia. The judge sided with the state's attorneys who said the information sought by the reporters would jeopardize the security of the state's computer network. Judge Marion Humphrey concluded a five-hour hearing by ruling that the location of specific state computers is exempt from public disclosure. "It's kind of a difficult issue that's presented to the court," Humphrey said. "For reasons of security, this information should not be obtained under the Arkansas Freedom of Information Act."

Another interesting part of the case is focused around the testimony of Thomas Welch, according to WTOP, "Thomas Welch, president and chief executive of Florida-based Bullzi Security, testified that computer networks are best protected by firewalls, employee training and intrusion-detector services - not "security through obscurity" by keeping the location of Internet Protocol, or IP, addresses secret." However, NWANEWS reported, "Thomas Welch, president and chief executive of Florida-based Bullzi Security and an expert witness for The Associated Press, testified that policy and training should be the front-line defenses of a secure computer system. He said the public disclosure of IP addresses isn't a risk since they have to be disclosed for the computers to work. Such addresses can be found using tools freely available on the Internet, he said. "Knowing these IP addresses is nothing," he said, dismissing the state's efforts to withhold the information as "security through obscurity."

The statements are similar, but not the same. Most news outlets have the WTOP version; it certainly would be nice to know the source of the alternate NWANEWS information.

While on the subject of Huckabee and appropriate computer use, you may recall about this same time SANS NewsBites also reported that former Arkansas governor Mike Huckabee had been hit with an ethics complaint for destruction of state property; Huckabee had computer hard drives from four servers and 83 PCs destroyed before he left office. Huckabee spokesperson Alice Stewart says the governor was acting on "recommendations from the Department of Information Systems (DIS) to destroy the hard drives." Huckabee stated in an email to Computerworld, "This is not about destroying state property, this is about honoring our obligation to protect the privacy of the thousands of people who had personal data on those hard drives." Arkansas DIS director Claire Bailey said they "backed up information from the servers but not the PCs, and gave the backup tapes to Huckabee's former chief-of-staff." Tampering with public records is a Class D felony in Arkansas. The Arkansas's attorney general's office "is reviewing the situation to determine whether any laws were broken."