Security Musings

Information Security Travel Guide

Stephen Northcutt, an Information Security Researcher, United Airlines 1k, Writer and Instructor, documents the struggles of the travel and hospitality industries as we all face continually increasing energy costs. He and his peers share their travel experiences and give you quick tips and short reviews of the companies they do business with as they travel. If you came across this article because of a Google search, what you want is probably here, just use find with your browser (CTRL - F), it is easier than reading from top to bottom; however, you may get some useful tips if you stick around and read. Each major cluster of trips is documented in a separate file.

Information Security Travel Guide: February-March 2009, Kauai to Orlando, FL


By Stephen Northcutt
Version 1.3

Security Travel Guide Edition 8


[February 22, 2009] On Kauai, musing about my next trip, we are going to Orlando for SANS 2009.


Several people have written and asked that these blogs be posted oldest at the top, newest at the bottom, so your wish is my command. Looking forward to flying to Orlando next Friday. In the meantime, Ryan El just delivered a big load of top quality compost for Kathy's gardens.

Facebook and others' "I make more than you": possible scam? Be careful!


I am still experimenting with Facebook. My biggest concern is that I am creating a network of both professional and personal contacts. Today, I noticed an ad on the right hand side, it says, "I make more money than you do". I clicked on the ad and pasted a string from the ad, "Get paid $5 to $30 for every website link that you post on Google. No one needs to buy anything from you or Google in order to get paid. Weekly paychecks. Can work from home computer, as long as you’re in the US, Australia, UK, or Canada." into Google.

I found this blog post:
http://www.google.com/support/forum/p/sites/thread?tid=5b4db5c73eb15712&hl=en

A Google employee answered:
No it's a scam and is not part of Google.
See: http://www.google.com/support/forum/p/base/thread?tid=731ed5d8320c6794&hl=en

Tom Wilson then answered and said it was a SCAM, check out:
http://www.ripoffreport.com/reports/0/421/RipOff0421372.htm

What ripoff report posted was chilling, "Beware! I saw an opportunity to make some extra money with Google Search - the Ad was Google Profit and it cost $1.95 to have the CD and instructions sent. Thought it sounded okay! Well a minute after I put in my bank account information I went to my Online Banking and found a charge of $197.00 by Marquilife and another of $1.95 from Marquilife...imagine my surprise! "

There is one more reply on the Google Forum, I would like to share with you, and then my point: "I'm becoming more alarmed by the minute....silly British bimbo that I am I have only gone and given this scam my credit card details...I should have done my research prior on emillionaire before signing up. But I smelled a rat when my log in details were rejected and the 1-800-309 6980 number doesn't appear to be accepting calls. Can anyone help me?...I'm in England and feel useless now and also foolish, but I saw the ad on Facebook and assumed it was legit...crikey feeling even more foolish now. I've reported the scam to facebook, but that doesn't ease my credit card situation and if I do happen to receive their software kit then I also expect to see a few pigs flying over my house too...lol, shouldn't laugh, maybe it's because now I'm nervous that my card details are in the hands of scammers. Please help someone...if anyone has another number I can call these scammers on please. Many thanks Suzanne"

One sentence here has my full attention, "I saw the ad on Facebook and assumed it was legit." Surely Facebook knows this ad that has been running a lot on Facebook is not legit. Surely they know their own customers are being ripped off if in fact it is a scam. What in the world is going on? Well, I do not know if it is a scam or not, but I have been throwing links since I first started this blog, and nary a nickel has been offered to me.

SANS is hiring! I put a job ad on Craigslist. Since it will only remain up for thirty days, I want to copy it in and then let's discuss something about help wanted ads:


= = =
The Kapaa Office of the SANS Institute does everything from customer sales and support, to managing the evaluation sheets students fill out for our multinational faculty. We are looking for a new office team member that is a detail oriented, Office Suite savvy self-starter to collect, summarize and analyze customer evaluations. The analyze part means you will look for trends or potential issues and report them to management, preferably with a recommendation. To change pace, you'll also become part of our Customer Support team probably one day per week.

The candidate we are looking for is not afraid to relate to management and be assertive when the truth needs to be told. We are not looking for someone so type A they feel they need to run the show, we already have a strong leader running the office. However, a great second in command mindset would be a plus! Did we mention the job is in an office? Yes, all SANS employees can work from home some of the time, but this is an office job, working from home would be a major exception. We are also looking for someone that enjoys working hard, when you meet our team we are certain the way we turn our attention to the task at hand will impress you. If you view life as a journey from the smoke break to the coffee break, you just will not be comfortable in our environment, nor will you last long. If your heart starts to beat faster when you hear the words "continuous process improvement" you could be our missing team member. We take equal opportunity seriously and have employees on the island from many walks of life.

The ideal candidate will have:
At least 2 - 4 years of experience in office environment; more is good!!!
Superior written and verbal communication skills;
Strong PC skills, particularly MS Office 2007;
Strong analytical skills;
Able to meet deadlines in fast-paced environment;
High degree of energy, motivation, flexibility and ‘get it done’ attitude;
Commitment to teamwork and ability to engage with a diverse and geographically dispersed set of team members;
Ability to work independently with minimal supervision in a dynamic, fast-paced, professional environment
Strong organizational and time management skills.

Required:
Bachelors Degree
MS Office proficiency

Benefits:
Medical and Dental Insurance
401K

If you are an alcohol or substance abuser thank you for not contacting us.
= = =

SANS doesn't primarily hire by help wanted ads, we usually approach someone that we want. However, sometimes this is what we need to do. I like using Craigslist, more modern people seem to use it and they do not limit the length of the ad. What I have tried to do is really frame what type of person we are looking for. A long time ago, I saw an HR note on the Cable and Wireless website employment section. I like their approach to HR. The note said that "ads that express vision draw higher quality applicants". So, I have been trying to express vision in help wanted ads ever since. By the way, you might want to check out their values section. Nicely done.

A lovely walk in Kapaa.


Kathy and I took a walk about 4 PM Sunday afternoon. It is just an incredible day, no rain, the ocean is truly clear and beautiful. By the time we got to Kealia there were two monk seals, a mother and a juvenile, playing near the shore. Monk seals are endangered, there are about 1,800 left, so it was great fun watching them. They are very playful. I have had the good fortune to swim with them several times. The rule is that you never approach them, but if you are in the ocean and they approach you, it is cool. Good thing they are friendly: an adult is six and a half to seven feet long and on the order of 500 pounds. When they are done gorge feeding, they haul out of the ocean and sleep on the sand. You must never approach them sleeping, if they go back in the ocean, exhausted, they are easy prey for sharks. If you see one on the beach call 808.651.7688 and a volunteer will show up to rope off the area and be available to answer tourist questions. When the monk seals finally went out deep today, we saw a pod of whales playing very near the reef; that was a treat because it is unusual for them to be so close to shore.

Blade Runner.


We saw Hunter's girlfriend at church this morning and she had her hair set up like Daryl Hannah in Blade Runner. That left me with an incredible urge to watch the movie. I knew I had purchased the Director's cut, but had never watched it. Gracious, that is a great job by Ridley Scott. I don't watch many movies, and no television, so this really spun me up. After the movie, I headed to the office to read email and update my blog. Took over an hour before the emotions started to subside. Whew! Great movie though.


[February 23, 2009] Still on Kauai, gearing up for Orlando.

A peek at the Suhosin logs


Seems someone in Italy has a bad attitude, these are two log entries out of a gazillion.
Feb 19 06:33:24 [5224] ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'id' (attacker '130.192.209.65', file '/srv/www/live/sans/public_html/link.php')
Feb 19 06:33:36 [9750] ALERT - configured GET variable value length limit exceeded - dropped variable 'id' (attacker '130.192.209.65', file '/srv/www/live/sans/public_html/link.php')
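
One way to boil a gazillion alerts like these down to a per-source summary (an added example, not part of the original post or any SANS tooling). It assumes every alert has exactly the shape of the two lines quoted above; the function names are hypothetical, and the last two sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Shape of the Suhosin ALERT lines quoted in the post:
#   <Mon DD HH:MM:SS> [<pid>] ALERT - <reason> - dropped variable '<name>'
#       (attacker '<ip>', file '<path>')
# The "dropped variable" part is optional so alerts without it still parse.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<pid>\d+)\] ALERT - "
    r"(?P<reason>.+?)"
    r"(?: - dropped variable '(?P<var>[^']*)')?"
    r" \(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)'\)\s*$"
)

# First two lines are copied from the post; the last two are constructed
# (192.0.2.10 is a documentation address, the final line is deliberate noise).
SAMPLE = """\
Feb 19 06:33:24 [5224] ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'id' (attacker '130.192.209.65', file '/srv/www/live/sans/public_html/link.php')
Feb 19 06:33:36 [9750] ALERT - configured GET variable value length limit exceeded - dropped variable 'id' (attacker '130.192.209.65', file '/srv/www/live/sans/public_html/link.php')
Feb 19 06:40:02 [1111] ALERT - configured GET variable value length limit exceeded - dropped variable 'q' (attacker '192.0.2.10', file '/srv/www/example/search.php')
Feb 19 06:41:00 [1111] something that is not a Suhosin alert
"""


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group alerts by source address.

    Returns (summary, unparsed): summary maps each source IP to its alert
    total, a Counter of reasons, a Counter of (file, variable) targets and
    the first/last timestamps seen; unparsed counts non-matching lines so
    silent parser drift is visible instead of hidden.
    """
    summary = defaultdict(lambda: {
        "total": 0, "reasons": Counter(), "targets": Counter(),
        "first": None, "last": None,
    })
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_alert(line)
        if rec is None:
            unparsed += 1
            continue
        entry = summary[rec["ip"]]
        entry["total"] += 1
        entry["reasons"][rec["reason"]] += 1
        entry["targets"][(rec["file"], rec["var"])] += 1
        if entry["first"] is None:
            entry["first"] = rec["ts"]
        entry["last"] = rec["ts"]
    return dict(summary), unparsed


def noisy_sources(summary, min_alerts=2):
    """Source IPs with at least min_alerts alerts, busiest first."""
    hits = [ip for ip, e in summary.items() if e["total"] >= min_alerts]
    return sorted(hits, key=lambda ip: (-summary[ip]["total"], ip))


if __name__ == "__main__":
    summary, unparsed = summarize(SAMPLE.splitlines())
    for ip in noisy_sources(summary, min_alerts=1):
        e = summary[ip]
        print(f"{ip}: {e['total']} alerts, {e['first']} .. {e['last']}")
        for reason, n in e["reasons"].most_common():
            print(f"    {n:4d}  {reason}")
        for (path, var), n in e["targets"].most_common():
            print(f"    {n:4d}  {path} [{var}]")
    print(f"unparsed lines: {unparsed}")
```

A source that trips several different filters against the same script and variable, as the one in the post does, is more likely probing than a single broken client.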

An email from BarackObama.com


I received the following email. This blog is primarily non-political, but I think every person in the USA is concerned about the economy. The lesson from Japan in the 1980s is that taking no action is sure to cause problems. I do not think anyone, Republican or Democrat, is sure the stimulus package is the right thing to do, but inaction was surely the wrong thing to do. I will post the letter and then do some commentary.

= = =
Stephen --

President Obama launched the most ambitious effort to stimulate the economy in our nation's history when he signed the American Recovery and Reinvestment Act on Tuesday.

Your representatives need to hear from you when they vote for the change you mandated in November. Doing what's right can be thankless when the culture of Washington tries to make political games out of the issues that matter to everyday Americans.

You're part of a powerful grassroots movement that can change that dynamic. According to our records, you live in Hawaii's 2nd district.

Rep. Mazie Hirono, Sen. Daniel Inouye, and Sen. Daniel Akaka's votes were crucial to passing the bill and creating and saving jobs in Hawaii.

Can you pick up the phone right now to thank Rep. Hirono, Sen. Inouye, and Sen. Akaka?

Rep. Mazie Hirono
202-225-4906

Sen. Daniel Inouye
202-224-3934

Sen. Daniel Akaka
202-224-6361

Report your call.

Here are some suggested talking points for your call:

- I'm calling to thank [Congress member's name] for supporting the American Recovery and Reinvestment Act.
- I'll be watching closely online and in the news how taxpayers' money is spent in the implementation of this Act.
- I encourage [Congress member's name] to continue working with President Obama to lift America out of this economic crisis.

After your call, please record your feedback here:

http://my.barackobama.com/stimulusthanks

We still have a long way to go, but working together we were able to take this important first step.

With the plan in place, more than 2 million people will be lifted out of poverty, 20 million at risk of losing their health care will be protected, and 3.5 million jobs will be created or saved.

There will be plenty more ways for you to contribute in the weeks and months ahead.

Thank you for your continued support,

Mitch

Mitch Stewart
Director
Organizing for America

P.S. -- If you don't live in HI-02 or think you have a different member of Congress to thank, you can input your address here and find out whether your Representative and Senators voted in favor of the American Recovery and Reinvestment Act:

http://my.barackobama.com/recoveryvote

= = =

My political analysis is that neither the Republicans nor the Democrats are happy. President Obama knows that he had to attempt to stimulate the economy. He also knows that the deficit is a killer. So now he has to look at cost cutting, but if he cuts too soon he stalls the recovery. This is a hard problem. He is going to have a hard time with both liberal and conservative extremes, his only chance is to keep the middle. When I got the email, I took the time to call. Grass roots, no matter what your political stance, is the best hope our country has. So, I encourage you to blog, to call your elected official, but make sure your voice is heard. (And preferably research the matter before your voice is heard).

The Consensus Audit Guideline


I saw an article by ZDNET with the following quote: "Alan Paller, director of Sans Institute, told ZDNet UK in an email on Friday that the list, also known as the Consensus Audit Guidelines (CAG), would spark "a complete revolution in federal and business cybersecurity". "I do not know of anything going on in security that will have the impact this initiative can have," said Paller. "If the nation (and the rest of the developed world) cannot make the CAG work we will continue to fall further behind the attackers, at an accelerating rate."

I got a peek at this in December. According to Federal Computer Week, "The team that crafted the guidelines was comprised of officials from the Defense and Homeland Security departments, the National Security Agency, The SANS Institute, GAO and labs of the Energy Department. The guidelines are part of an ongoing effort through the Center for Strategic and International Studies to implement the recommendations of CSIS’ Commission on Cyber Security for the 44th Presidency that were released in December. The recommendations also come during the Obama administration’s ongoing 60-day review of the government’s overall cybersecurity efforts."

According to Nextgov, "The guidelines are aimed at protecting against known attacks on federal agencies, financial institutions and retailers that have involved penetrating networks and stealing or changing data and applications. Often these attacks result in intruders gaining long-term access to the compromised systems without detection."

It has never been more important, according to Federal Times, "The recommendations come at a critical time for cybersecurity. Unauthorized intrusions and installments of malicious code on federal computer networks have more than doubled in the last two years, according to data from US-CERT. The Defense Department had been particularly hard-hit, as were many major defense contractors. The government does not publicly detail the number or types of attacks that succeed."

According to CIO.com, "A former Air Force CIO, Gilligan has become a strong backer of CAG, kicked off last autumn among some in the federal agencies, including the CIO Council, with help from Alan Paller, director of SANS Institute."

So what are they? According to Network World, "The proposed Consensus Audit Guidelines (CAG) are 20 security controls that begin with the concept of automated inventory-taking of authorized and unauthorized hardware and software for the purpose of assessing network security. Strongly oriented toward specific technical measures that could be automated, CAG is an effort to gradually shift the federal agencies off the annual security compliance effort known as Federal Information Security Management Act (FISMA), which Congress made law in 2003." Here are some of the relevant links:

Consensus Audit Guidelines Draft 1.0


[February 24, 2009]

I am going to be liquidated by e-Trade.


I received this note:

Dear Stephen Northcutt,
Account number ending in: XXXX

After long and serious consideration, E*TRADE Securities has made the decision to discontinue our family of proprietary index mutual funds. As a result, the E*TRADE S&P 500 (ETSPX), Russell 2000 (ETRUX), Technology (ETTIX), and International (ETINX) Index Funds will be liquidated on a date no later than March 27, 2009 (the "Liquidation Date"). Of course, even though we are discontinuing these funds, as an E*TRADE customer, you have access to over 7,000 funds to help you find the right alternative. Here are a few important points to keep in mind:

Effective as of the close of business on February 23, 2009, no purchases of the funds may be made and any applicable redemption fees or account fees charged by the funds will be waived. If you do not redeem your shares yourself, your shares will be automatically converted to cash equal to their net asset value on the Liquidation Date. You will receive proceeds equal to the net asset value of the shares you held on the Liquidation Date after provision for all charges, expenses, and liabilities of the fund. The redemption is treated as a taxable transaction, and you will have to pay taxes on the proceeds of the liquidation, even if your shares are automatically redeemed on the Liquidation Date.
Please be assured that this decision has nothing at all to do with the financial health of E*TRADE FINANCIAL, which has been, and continues to be, very well capitalized by every applicable regulatory standard.

View an important prospectus update with more detailed information about the liquidation. Enter the ticker symbol to access the prospectus supplement for your particular fund. You can easily find alternative funds with the help of our powerful screener or, if you have questions or would like help finding alternative investments for your cash proceeds, please call 1-800-ETRADE-1 (1-800-387-2331) from 7 a.m. to midnight ET. Or log on to your account and send us a Secure Message through the Online Service Center. As always, we appreciate your business and the opportunity to serve you.

Sincerely,

Elizabeth Gottfried
President, E*TRADE Funds

I think I should write back!

Dear Elizabeth,

Everybody keeps telling me not to panic, stocks will come back. It isn't really a loss unless you sell. Well, according to Bloomberg, U.S. stocks fell today, sending the Standard & Poor’s 500 Index to a 12-year low, as concern that the deepening recession will erode earnings despite the government’s pledge to give more capital to banks. So if you liquidate now at this lowest point, you force me to take a loss. Since you are costing me money, do you think you could at least share the reason you are ending the index fund that I invested in with your company?

Sincerely,

Stephen Northcutt
President, www.sans.edu

Joe Sharkey, New York Times, tells an interesting story


"Mr. Allen, business traveler extraordinaire, is off the road. “I don’t want to do it anymore. I’m going to be 61 in April, and I’ve had it,” he said. Mr. Allen is a consultant who often flew 200,000 miles in a year. He enjoys top-level elite status at airlines, hotels and rental car companies. I first met him four years ago at a Hilton Garden Inn across the road from Los Angeles International Airport." He goes on to say Mr. Allen is not quitting, he has figured out how to do his job with web 2.0 tools. If you have any tips to get me off the road with web 2.0 tools, be a pal and send them to stephen@sans.edu.

FAA is messing with Denver. If you are flying through Denver, this is one you want to track!


According to CBS4, "Up until this month commercial jet flights into DIA came in on eight separate pathways known as Standard Terminal Arrival Routes or STAR routes. But according to an FAA memo obtained by CBS4, due to "safety concerns" and "airspace structure issues," the FAA ordered significant changes and the routes restricted as of Feb. 4." So what does that mean? The end of life as we know it; ok, not really. But more delays and higher ticket prices. As a guy who flies a lot, United 1k and all of that, I will put up with some delay if there is a significant safety gain. But this appears to have been bulled through. If you don't fly through Denver, you don't care; if you do, read the article and start asking questions.

Speaking of Denver news, "Jacque Levitch was walking her 75-pound Labrador retriever in the 3900 block of South Oneida when three coyotes approached them. She says two of the coyotes attacked her dog and she tried to intervene and one of the coyotes scratched and bit her."

And one more newsbit out of Denver and we are done, "New numbers out Monday show the Denver area may be starting to beat the recession when it comes to foreclosures -- the number of foreclosures is falling."

= = =

Help Wanted Analyst – Technical Analysis and Special Operations Team


Functional Duties: Analyze computer, communication, and network security events and exploits to determine security vulnerabilities and recommend remedial actions. Conduct malicious code, packet-level, hard drive and forensic analyses; provide comprehensive technical reports recommending countermeasures based on findings.

Desired Qualifications:

Education: A Bachelor’s Degree in Computer Science, Information Systems, Engineering, Telecommunications, or other related scientific or technical discipline; at least Four years of general experience (as defined below) may be substituted for the degree.

Experience: Four years of experience in network security with a focus on computer / network security, computer forensics and packet network analysis.

Certification: CISSP and strongly desire Global Information Assurance Certification (GIAC) Security Essentials Certification (GSEC), GIAC Certified Incident Handler (GCIH) and GIAC Certified Forensics Analyst (GCFA).

Specific team activities include but are not limited to the following:
  • Perform analysis of malicious code; packet level traffic analysis; reconstruct network traffic; support forensic analysis; hard drive analysis; Web log analysis; pattern analysis, trend analysis, and behavior analysis; provide remedial recommendations; and produce comprehensive report on findings.
  • Provide intrusion detection capability; build, test, and deploy customized IDS signatures; monitor specialized packet capturing devices.
  • Perform scripting (in shell, PERL or other language appropriate for the task) with the ability to output the results in a variety of formats and to repurpose the results for reports targeting various technical levels.
email your resume to VentriceDD@state.gov

Nice to see someone requesting GIAC certs for a job!

Facilities Tip


Just watched an awesome two part series on the data center of the future on YouTube:

Some facts from the videos to consider:
  • 1 degree Fahrenheit warmer allows 4% increase in efficiency in your PUE (Power Usage Effectiveness)
  • Short Cycling is when the chilled air mixes with the hot air before it hits the servers
  • Hot aisles can reach 95 - 105 F.
  • Cybercrime is now at 1 Trillion dollars per year (and growing)
  • Water cooled cabinets are an approach to very high density (blades)
  • Ambient air, air from the outside that goes through a filter wall and then a fan wall is an alternative to chilled air in many locations
  • More and more organizations are using containers to house servers as a stop gap to capacity until/if the cloud becomes an option
Here are the videos, and they include John Pirc from IBM:
http://www.youtube.com/watch?v=trHZUI3XYv4&feature=channel_page
http://www.youtube.com/watch?v=BKgqbB5KHxM

While we are on the subject of facilities:
Digital Realty Trust, Inc. (DLR) has begun publishing energy efficiency data about its data center facilities using the Power Usage Effectiveness (PUE) metric. Digital Realty said it is now using PUE for measuring and reporting energy efficiency in its portfolio of 70 facilities spanning 12.6 million square feet across North America and Europe.

Microsoft is nearing completion on the first phase of its $500 million data center in Northlake, Illinois, and has announced plans for similar $500 million projects in Dublin, Ireland and West Des Moines, Iowa. The company has already opened huge new data centers in Quincy, Washington and San Antonio. Source Datacenter Knowledge.

When Google disclosed in October that its data centers had an average Power Usage Effectiveness (PUE) of 1.21, some people in the data center industry were impressed and others were skeptical. Source: Data Center Knowledge.

Google Webmaster Blog


I watched the video by Google on the state of the index. Lots of useful information. The best tip was Google Trends for Websites. Boy was that an education!! The most significant content is at the end, so don't decide you know it all and flash away, read to the end. http://googlewebmastercentral.blogspot.com/2009/02/state-of-index-my-presentation-from.html

Techtarget mentions Ted Demopoulos Security Certification website.


Ted wrote in to mention that Techtarget mentioned his website in their latest marketing email, here is a bit of the mail:

SECURITY CHANNEL PARTNER NEWS FOR FEBRUARY
Staff, SearchSecurityChannel.com

SecurityCerts.org chooses top three security certifications: Do you have these certifications? Find out which three certifications topped the list. http://go.techtarget.com/r/5942412/3030275

If you want to read Ted's take, visit this URL.


[February 25, 2009] Still on Kauai, thinking about Orlando, we fly Friday


The lovely sunny weather ended today with the arrival of cold blustering rain that makes you glad you aren't sailing. I worked late last night and tonight so we could sneak out of the office at 1:30 P.M. for our twice yearly dentist visit, we passed, yaaayyyyy. Then we slipped over to Home Depot's garden department and got some trees for the farm. I got a Cola nut, a Mangosteen, an Abiu, a White Mountain Apple and a Cupuacu. That ought to make the farm a bit more exotic.

Got a note from Bob Warren on how to fix the economy, who knows, might work


Department of the Treasury
Attn: Treasury Secretary Tim Geithner
1500 Pennsylvania Ave. NW
Washington, D.C., 20220

Dear Sir:
Since the government can now borrow money for 3.6% for 30 years in the treasury markets, why not borrow enough money to refinance all of the single family home mortgages with a 30 year 4% fixed rate. It would cost the tax payer nothing. It would put money in all of the home owners pockets to help the economy. It would remove most of the toxic assets and inject money directly into the banking system since they would get cash for the mortgages they hold and could relend the money. This would slow down the defaults and help not only the bad borrowers but the ones that are current on their mortgages.
Some type of credit could be given to renters with the difference in the 3.6% cost of funds and the 4% earned. Also for a short period of time, new mortgages (at this new low rate) could be offered to new home buyers to get the real estate market moving again. The net cost to the tax payer would be low and everyone would be helped. This would also create new jobs by getting the real estate market going again and the new spending by the lower monthly payment by home owners and renters.
Please let me know what you think of this idea.

Robert Warren

[February 26, 2009] Flying in about 30 hours


It is breezy, but the wind is not too bad and it isn't raining. Shoveled compost for about an hour revving up Kathy's gardens.

United is changing their award program.


As of July 1, 2009 a seat in the front of the plane will not just "cost" more miles, it will require a cash co-pay that could be as high as $500.00. As a 1k, I can get seat preferences if we book early enough, so I can get exit rows. Travel will be just a bit harder. From United's web site: "Effective July 1, 2009, we are generally reducing the miles required and will collect a co-pay when miles are redeemed to upgrade a United Economy ticket. (Upgrade awards requested prior to the effective date for travel after the effective date will not be affected.)

The co-pay amount will depend on the origin and destination cities, as well as the type of ticket purchased. If you upgrade from a higher class of service, your co-pay will be lower or even non-existent. Award upgrades from Business to First will not require a co-pay." This means going forward it is going to be much more important to pay attention to the class of ticket. Y and B class are what you are going to want to achieve.


[February 28, 2009] LAX layover headed for Orlando


United 68 wasn't a bad flight. Kathy and I got upgraded using 500 mile coupons, which is a rare thing. They did not have two seats together, but both our seats were aisle so it was easy to trade. The snack was a choice of cold chicken or a fruit plate, I took the chicken. The service was mediocre, the flight attendants for first class were more interested in talking to one another than checking on whether the passengers needed water. We had strong tail winds and got to Los Angeles early. At 4:45 A.M., the only thing open was McDonald's, so we grabbed an Egg McMuffin and milk apiece. The Red Carpet Club opens at 5:00 A.M. and there was already a line. We headed for the Westin Renewal area. Kathy scored the couch and got some sleep. I tried to work on email, but was just too tired. I put on my Authorized GIAC Grader fleece and crashed on the floor next to Kathy. Didn't really sleep, but closed my eyes. About 8 A.M. my brain was going too fast and I had to get up. Decided to take a walk and then come back and update my travel blog.

United has closed a lot of routes, that means there might only be one flight from Los Angeles LAX to Orlando MCO in a single day. That means Kathy and I are not the only ones with horrid five hour layovers. It means more than that. You have to have your bags checked by 45 minutes before the flight, if you do not you miss your flight. If you miss your flight, you might not be able to go until the next day.



[March 01, 2009] SANS 2009 has begun


The weather this morning was epic as the surfers would say. Very narrow focused storm front, rain was blowing sideways at one point. It either snowed (unlikely) or the wind was forcing some of the rain to act like snow falling down. By 2 P.M., the sun was shining and things were warming up.

The Andre Gironda Saga


Andre posted some not so accurate nor flattering posts to the SecurityFocus PenTest mailing list. Here is my rebuttal. My words begin with "= = ="


SANS doesn't sell tools. They sell training and certifications. In order to pass their certifications, it is more than often required to attend their training. Anyone who has passed SANS certs without the training, feel free to speak up about your experiences.
= = = For the record, SANS sells training. GIAC sells certifications. We will deal with the measure of quality for training in a bit, the measure of quality for a certification is the ISO certification for a certification, ISO 17024. Anyone that takes a certification that is not ISO certified or at least well along in the process is probably wasting their money.

They make it sound as if they are the primary provider of training and certification for the US DoD when they reference the Department of Defense Directive 8570. They take sections out of the DoD docs and remove references to competitors. These and other anti-competitive practices shine a bad light on SANS in my eyes.
= = = As we will see in a minute, SANS is not anti-competitive. A note for another time, but I thank God for my competition, or should I say “coopetition”. We inked an agreement with IntenseSchool, they even used to license Security Essentials; we also work with RSA, BlackHat, CSI (I think) and others.
= = = On the 8570 stuff, when I type “DoD 8570” into Google, the first link I see is http://www.giac.org/8570/. When I look at it, I see a chart with CISSP, CISA, Security + and many others, only some of which are GIAC certs.

SANS works fairly exclusively with InGuardians for instructors, making their focus and scope rather limited.
= = = Er, not even close. I think four of the 80+ faculty are InGuardians, maybe it is five. Granted, they are some of our heavy hitters. You end up recommending IntenseSchool and they are a good outfit; I admire the work of the Kaufman brothers. However, who do they have on their faculty that you can put in the same league as Ed Skoudis, Josh Wright, Mike Poor, or Kevin Johnson (I stuck with InGuardians for a reason, I have a heck of a lot of bench strength left) who have written major security books, contributed proof of concept exploit demonstrations, spoken at major events, testified to Congress, etc., etc.?

BlackHat Training isn't even this exclusive.
= = = It is worth noting we provide training at BlackHat; neither they nor SANS are particularly exclusive, and we host other training providers in our construct as well. For instance, Scott Moulton, the guy that recovers data from drives that have bullets shot through them (do a search for him on YouTube, those videos are amazing), is presenting at SANSFIRE:
http://www.sans.org/sansfire09/description.php?tid=3032

I have seen the SANS training material and have compared it to many of the above material from other training sources. SANS is very low-quality, and who is to say that any training is better than any other?
= = = Andre, that is below the belt. SANS is “very low quality”? We can arrange for a public viewing of SANS materials at RSA by a panel of reasonable and qualified individuals if that is what it takes to prove you made a factually incorrect statement.

I come from a very unbiased approach to security training. The best security training I have seen comes out of Microsoft, and some of the best demo material I've seen has come from Security Innovation. Starting with these vendors and then focusing into specific areas with a security boutique is often the best approach for any sized organization if you really don't know where to start.
= = = I think you owe it to the community to prove you’re “very unbiased”, if your facts are not correct how can you be unbiased. You seem quite biased.

= = = Andre, it is fairly clear you must have had a bad experience somehow along the way with SANS. I am very sorry if something happened and would like a chance to make it right. Feel free to contact me stephen@sans.edu (yes, we also have a licensed postgraduate school) or 808.823.1375 after SANS 2009 is complete and let’s talk about it. I apologize for nailing you in public, but you made your inaccurate comments in public. If you are willing to accept a piece of advice from an old guy, talk with some reasonable and experienced people that you trust and consider a retraction and apology. What is posted on the Internet is available f o r e v e r. The preponderance of evidence will show your statements were not correct and your reputation will be tarnished. For your own sake, not for mine or SANS, put this to right. If you want to go off line and have me provide you more information so you have an opportunity to do due diligence, I am happy to do that.

= = = A last statement to all of this list. We are losing people and organized crime is winning. SANS does not have the capacity, CERT does not have the capacity, any of the providers of incident response thought leadership mentioned in this thread does not have the capacity to turn this around. For the record SANS/GIAC has trained and certified more incident handlers than any other provider:
http://www.sans.org/training/description.php?mid=40
but it is a drop in the bucket, spitting in the wind. I think we can all agree we have got to get past the petty distinctions and start making a difference. Let’s quit attacking one another and go put a criminal in prison. I can raise my hand and say yes, I helped put criminals in prison in my time as a responder. We each need to follow the example of Clifford Stoll, Shawn Carpenter, Tom Liston (substitute your own hero); what they did is exactly what we need to be doing as a community. No ifs, buts or coconuts, we need thousands of us to be able to raise our hands and say, not with pride, but as someone that did what is necessary, yes, I helped put criminals in prison, NOT, I spoke badly of SANS, CERT (substitute your thought leadership provider), OK?

Twitter as a security organization tool


Several of us are using our Twitter accounts to try to connect during SANS 2009. We are using the hashtag "#sans2009". I will report in a few days how well it works. To read more about hashtags, go here or here. We will see how it goes, sort of a new idea, but I expect it will be rocking by the time we all descend on RSA.


The Swan and Dolphin


The SANS 2009 conference hotel is the Dolphin, but the two are connected and interrelated. Last night after we landed, Kathy and I had dinner over at the Swan at Il Mulino, an Italian place. Kathy had salmon, I had the Red Snapper with bacon; very good, very filling, though a shade pricey, but that is what happens when you eat on property at a resort.


My room is nice, clean. Biggest problem is that the toilet runs; it ran all night and is noisy, some industrial system far noisier than a home toilet. They have sent people up twice to fix it. My room has an amazing amenity called a Keurig coffee pot. I try to be fairly green so the extra packaging for single cup of coffee solutions bothers me, but wow, how convenient. I do not drink coffee normally, I prefer green tea, but since studies are showing a relationship between coffee and delaying Alzheimer's disease, I plan to start drinking coffee when I can. Speaking of Alzheimer's, the movie on the first leg of my flight out here was The Family that Preys. All in all a forgettable movie, Kathy Bates plays rich, older southern matriarch Charlotte Cartwright and does fine, but the film doesn't build the Alzheimer's part of her story well. The second movie was Sixty Six. Also worth skipping; basically they make you sad and bored through 80% of the movie so you can rejoice that there is a happy, or at least an ending.

The Internet in the room is marginal, so I am using my Verizon card. They say they will switch me from the hotel VLAN to the conference VLAN, which will also put me behind the SANS firewall. For lunch today we dropped into the Fountain. It is kind of like a Denny's or Applebees. Kathy had the Grilled Salmon Salad, the salmon was done well; you might want to substitute a different dressing for the citrus dressing which was thin, and, most assuredly, get any dressing on the side. I had the Cuban sandwich on Fladen Bread. Pretty good, I am a sucker for pork, ham and pickles done Cuban style. The side salad was fine as well. I will try to give some more scoop on the Swan and Dolphin, but you can imagine it is going to get a bit speedy soon.


[March 02, 2009] Orlando at the Disney Swan Dolphin


We disabled the running toilet in our room by turning off the water flow at the wall. We called it in to maintenance again, and then again. The door to our room does not lock, so we used the flimsy lock at the top of the door to secure the door. I know there are tools that defeat that. The Internet is so slow I am using my Verizon card. Lord, please give me the strength to get through these next few days.



[March 07, 2009] Orlando at the Disney Swan Dolphin, back to Kauai on Monday


The hotel never did get the toilet working quite right, we just keep turning the water off. Two doors to the room were not secure; Lana, our Conference Manager, finally had to bring hotel security up. Were they ever surprised when they just pushed on our front door lightly and it opened. We weren't at that great a risk because I take my laptop and Kathy takes her camera and laptop most of the time when we leave the room, and we also use security cables. We ate at Todd English's bluezoo a couple of times; I enjoy the food, but the upsell is almost as bad as Bradley Ogden in Vegas. My cousin Connie, her husband David Popper, and their very poised grown children came by to visit. We had a good time; we went to Fresh, which was OK, but not what it used to be. Tonight, Kathy and I get to eat dinner together, that should be fun. I set one of my alarm clocks forward an hour and will leave the curtains open in case something goes wrong.

Twitter at SANS 2009


Someone had the idea to use hash tags at SANS, to share/keep up with what was going on. The tag we used was #sans2009; you can read more about hash tags here and see how they are used here. I bet this gets really interesting at RSA! The guy who took it over the top from a reporting standpoint has a Twitter handle of http://twitter.com/mosesrenegade. This is just the beginning, but I see a lot of opportunity.

(614) 761-1584


SPAM: I received a call on my cellphone from (614) 761-1584 saying that this was the second warning that my vehicle's warranty was about to expire. I called and they had no idea what autos I had. Asked for the floor manager (Ana) and asked to be put on the don’t call list. Apparently they are a shady operation:
http://800notes.com/Phone.aspx/1-614-761-1584

Hunter Northcutt wrote a poem and explanation inspired by his tour in Iraq


It was a college English assignment, and I am prejudiced, but I liked it:

"Cryptic tales of shipwrecked sails,
Lost voyage dreams to distant reaches
Vessels done for loss of bails,
Leave empty, unclaimed destined beaches.

Darkness treads on trepid soul,
Blatant hate rises from unknown source,
Stomped on, met by miry shoal,
Lost faith, snuffed dream, captain changes course.

This is my first poem, I hope I am the poet that you said that I was. This was a college assignment, but was something I felt I needed to do after the first verse came to me during a lower state of mind while eating alone at Panera Bread. The first paragraph is about me and most others in life, sailing the sea of life, looking for their purpose, their calling. God, speaking in the book of Jeremiah, talked about His planned future prepared for them while they were yet being made in their mother’s womb. Some find it, some reach it, most don’t, often because they shore on the wrong beach. That’s what makes the tale a cryptic one.


The second stanza and below refers completely to me. It’s a story of being thrown into a completely foreign culture in contrast to the gentleness I was raised in by my mother, as an only child.

The miry shoal is the deployment to Iraq and refers to my thought process when I got back. Some of the things that happened were the deciding factors that made me decide, “Screw this, I’m getting out to go to school”. I looked forward to developing more in the Marine Corps, was hoping I could really claim it as "my Corps". That hasn’t been an empty dream, but it didn't fully come to pass. The things I sought in the Marines were based on a value system no longer fully exercised in the Corps. I noticed this with others, they clearly had a great fervor and discipline at one time but now, some of that is lost, more than once I wondered why they continued if it wasn’t something they enjoyed.

The last line is entirely about me, kind of summing it all up and ending with a happy note. Today, I have a higher and more important rank than I had in the Marines, one that can only be taken away if I give it up. That rank is captain, naval captain. I am the captain of my ship. I direct her course, I set her sails. And although mine has gone through a battering storm, and the crew has even lost faith at times, we are not sunk. There is no need for a spirit of despair. Nothing has come across yet that is too strong to correct, nothing has sealed our fate. We are still operational, and I am still in charge of this ship. Now turn to and hoist the sails once more!"


[March 8, 2009] Orlando, one more day till Kauai


Teaching leadership competencies today. I always look forward to that, need to think about leadership as much as possible. Already got a reply about (614) 761-1584; a reader says he has been contacted twice and, both times, they claimed it was a second notice. Feel free to be abusive to these folks because they are using deceptive advertising, and if you give them money, I think it will surely be lost. So, pass the word, bloggers unite! OK, cannot delay any longer, I'm off to class. Twitter @dosa is in my class, I hope we have a good interactive session.

[March 9, 2009] 3 hour Layover at LAX, headed home


Our last night in the Dolphin we ate at the bluezoo. Kathy got the grouper, I got the monkfish. Very small portions on the monkfish. We were torn between bluezoo and Il Mulino. Amazingly, we saw Christian, the manager of Il Mulino, bringing a covered plate of food to bluezoo; it was good to see him, he runs an excellent restaurant. United flight 279 from Orlando to Los Angeles was delayed, first by a mechanical and then by the threat of rain in LA. No worries though, we had a four hour layover, and being late makes it three hours. Mike Murr was on the plane with us, this is home for him. The movie was The Day the Earth Stood Still. It was OK, not awesome. Service was OK, they actually came through with water several times. Since it was 9 A.M. California time, Wolfgang Puck was only serving breakfast, so we went to Baja Fresh. The pork carnitas burrito was OK, but they no longer have a salsa bar; too bad, I liked the salsa bar. I hope these long layovers are not a new trend, we had one on the way over. But, I used some of my miles to join the Red Carpet Club, so that gives us a place to fire up our laptops.

All the comments I have seen for the SANS 2009 conference were very positive; it looks like the conference went well. According to Slashdot, Verizon is going to sell the personal data it collects on users, possibly even the phone numbers they call. You can get more information here. I see that the draft NewsBites has arrived in the Inbox, I have just enough time to do my comments and then go board the plane.