An Information Security Place

Commentary on the State of Information Security

Archive for March, 2007...

Filed under Security

I just read this story over at SC Magazine about Julie Amero’s sentencing being pushed back for a month.  I think this is a precursor to a victory, and I am psyched at the number of supporters Julie has behind her from the IT and blogger world.

While I read the article, I started thinking about this on the line of the old “stupid user” issue that some of us Catalyst Community bloggers have been fighting against (see here and here).  Now we all know Ms. Amero is not stupid, but it struck me that this is really a gigantic case of IT geeks and security folks rallying behind one of these “stupid users”.  I think this is nothing short of miraculous, and I hope this is a start to a big push towards end-user and home-user education in security.

I wonder if Ms. Amero even knows that she is quickly becoming the “poster child” for those people who think education is a better path than making fun of end users?

Vet

Posted by Michael Farnum on Thursday, March 29th, 2007

Filed under Blogging, Blogging Buddies, Friends, Fun

Why do Alan and Mitchell call the Still Secure, After All These Years blog and podcast “SSATY” instead of “SSAATY”? 

Is there a conspiracy against the letter “A”? 

Do they not like the letter “A”?  I would think not since it starts Alan’s first name and also starts Mitchell’s last name. 

Does it help Alan cut costs to leave out the extra “A”?  Maybe so since he has recently announced a very successful quarter at his blog.

Did the blatant pursuit of fame and fortune drive the “A” away?

Did the “A” drive away in a cab after Alan pelted it with racist comments?

I should probably just ask Alan and Mitchell, but that would be too easy.

Vet

Posted by Michael Farnum on Wednesday, March 28th, 2007

Filed under Security

I am mortified at this story.  Kathy Sierra at Creating Passionate Users has been receiving very graphic death threats on her blog and other blogs.  She doesn’t know if she is going to post anymore (I am sure she will come back from this), and she has cancelled all her speaking engagements.

I have to say that there are some really screwed up people out there.  And when it comes to driving someone away from their passion and their life, then I just feel like throwing up.  I was happy to see this post and this exchange of comments as well, but I am still just completely disgusted at some of my fellow human beings.

Vet

Posted by Michael Farnum on Monday, March 26th, 2007

Filed under Security

Here’s a comment I made on a post over at Riskanalysis.Is.  The post was about how best practices should not be followed on blind faith, and it turned into a small (but good) debate about the reasons behind compliance.  Alex didn’t know about the history of HIPAA, so I decided to turn to my alter-ego, “The Enlightener”, to help out.

Many people think HIPAA is just about securing health information, hence the common misspelling - HIPPA - which people think stands for Health Information Protection and Privacy Act or something like that. If that was all HIPAA was about, then I would agree it is essentially useless. But in reality HIPAA stands for “Health Insurance Portability and Accountability Act” (nothing about “information” in there), and it was an attempt to standardize health records to reduce cost and fraud for Medicare and to protect American workers from the “pre-existing condition” issue in health insurance. The infosec piece came to be because of the realization that all this health information floating around could be misused (and that is NOT only information in electronic format - the privacy side of HIPAA deals with paper and the like).

It was actually fairly visionary for the government to think about the dangers of what they were doing. That’s not saying the regulation is worth a crap. But it proves that HIPAA was truly born from risk analysis / tolerance.

A good source of HIPAA history: http://www.hipaadvisory.com/regs/hipaahistorybyzon.htm

I have known so many people in the healthcare industry that didn’t know this little bit of history.  And I am not talking about the janitors and the cooks who didn’t really need to know (though I would argue that to some degree).  I am talking about executive level and director level individuals running a healthcare organization.

Vet

Posted by Michael Farnum on Monday, March 26th, 2007

Filed under Security

The blog is fixed.  For those of you familiar with WordPress, you can change the format of your permalinks to reflect dates or numbers or whatever.  I have mine set to dates (click on the title of a post and then look at the URL to see what I mean).  For some reason WordPress got confused, and those links weren’t working.  I looked at my personal blog to see if it was ok, and it was fine.  But I noticed that the permalink format was set to default, which is pretty much just nonsense (to humans anyway), so I changed it to the date format I love so much.  Then I got the bright idea to just change the format on this blog, then change it back to the date format to see if it would get kicked into gear.

Well, sure enough, it worked.  Not sure what happened, but I think I will change my passwords just in case. I probably need to anyway.  Now if I can find my post-it notes so I can “document” my new password.  :)

Vet

Posted by Michael Farnum on Monday, March 26th, 2007

Filed under Blogging

Thanks to Kurt for letting me know there are some problems with the permalinks on my blog.  For now, if you click on the link to a specific post, you will get a 404.  Looks like links to comments are also screwed.

I think this has to do with my theme being old and I am now on WP 2.12.  The author of this theme has a beta out, but I don’t want to screw with that.  So you might be seeing a new theme here soon.  I am uber-busy with a proposal and some afternoon meetings coming up, so I will look into it this evening.

Vet

Posted by Michael Farnum on Monday, March 26th, 2007

Filed under Security

I have been mulling over adding another contributor to my blog. My main strength is network security, and I have some good experience in compliance and security management. However, I am very weak when it comes to application security, and I would like to have someone who has strengths in that area to add to this blog.

If you are interested, shoot me an email at m1a1vet - @ - infosecplace.com. Send me some info about your background in application security, your resume, and some samples of your writing. To applicants and my readers, I will retain control of this blog and its content. This will merely be a contributing role, and it will not be a paying gig. It is a chance to get your voice out there. Not that my blog is just filled to the gills with readers, but I do OK, and I think it is a decent start for anyone who wants to start blogging. Also, this is not JUST for those interested in getting into blogging. If you are already blogging but would like to just simply help me out in the area of app security, I will be happy to consider you as a contributor as well.

Anyway, I have to get prepared for the mass rush to my doorstep because of this invitation.

Vet

Posted by Michael Farnum on Sunday, March 25th, 2007

Filed under Blogging, Me

Well, if Mark at securityBuddha can do it, so can I?  What am I talking about?  Well, I am going to make this blog a more pure infosec blog, and I am going to start a personal blog.  It will be called My Tangential Mind.  It will still be at infosecplace.com, but I am adding a subdomain for it.  Nothing is there but an intro post right now.  I will eventually put more work into it.  I am not hoping for it to be some great success.  I just wanted a place to put down personal and random thoughts.

Vet

Posted by Michael Farnum on Friday, March 23rd, 2007

Filed under Security

Just a link for now.

Vet

Posted by Michael Farnum on Friday, March 23rd, 2007

Filed under Security

Going for Bluecoat WAN Op training today.  Kinda funny because I was out at a client’s yesterday working on a POC, and one of the network guys started asking me if I could help him with a Bluecoat WAN Op problem he was having.  I told him he was a day early, since I had not played with it before.

That is one of those times where, in the past, I would have looked at it and pretended to know something simply because I work for a VAR that sells Bluecoat.  Now, I tell ‘em point blank I don’t know it.  Sometimes I can’t tell whether they think I suck or respect my honesty, but it is better than them finding out that I don’t know it after I pretended to know it.  SE’s can’t know everything!

Vet

Posted by Michael Farnum on Friday, March 23rd, 2007

Filed under Security

And BTW, since Cutaway and Rothman are talking about their blog birthdays, I think I will follow along.

I hit the big number 1 on Feb 24.  Here’s a link to my first post (the original post was on Blogger).  It was a post musing about where security was going (and I have to say that it was not a bad job at trying to look into the future).  It was right after RSA 2006, and right after meeting Mr. McKeay, who was my inspiration for blogging and has since become a good friend.  Thanks, Martin, for helping me get this blog noticed.  I owe you a lot.

I also want to thank Alan Shimel and Mike Rothman for helping put my blog on the map back then.  They were also inspirations to me.

Also, all you who read my stuff, the most thanks goes to you.  Like Alan says, I am amazed that people actually give a crap about what I think, but please keep coming back.  Makes me feel all warm inside.

Vet

Posted by Michael Farnum on Wednesday, March 21st, 2007

Filed under Security

There is a lot of stuff going on this month.  I am hoping we are going to make our first big deal down here.  It will be a wireless / NAC deployment.  I’m psyched.

Anyway, I am letting everyone know that I will be posting sparingly.  I will try to keep up with my CW blog as much as I can.

Vet

Posted by Michael Farnum on Wednesday, March 21st, 2007

Filed under Security

The recent uproar, pandemonium, mayhem, hubbub, bedlam, and other synonyms caused by “The List” has taken us security bloggers in a direction that we might just need to help us look at the security industry and ourselves in a new light.  Take a second to read Mark Curphey’s post about the issue over at SecurityBuddha.com.

Here are some excerpts from the post:

Last Friday I decided to leave the Security Bloggers network… 

…for me the Security Bloggers network had a low signal to noise ratio and some of the other members were not folks I want to be associated with. This came to a head when ITSecurity.com produced a blog baited list of the top 59 most influential security people. The list is farcical in so many ways; no Dan Geer, Mike Howard, James Gosling, Andy Jaquith, Phil Venables, Spafford and so on.

This first point about leaving the Security Bloggers network was disconcerting to me at first.  I am a member of the Security Bloggers network, and I am proud of it.  But Mark’s point came through that he just thought the bad stuff is outweighing the good stuff on the network.  I admit that I do not always read the feed coming from the network (I subscribe, but I usually pick out individual blogs), so I can’t say that I agree or disagree.  But Mark’s comment that he did not want to be associated with some of the members is hard stuff indeed (there’s nothing wrong with the statement, by the way).

But the above statements were also referring to the list, so let’s carry on with that.  Another excerpt:

The noise of self congratulation for “falling f0r for it” became deafening and very annoying. Over the last month I have also read some ridiculous blog postings about PCI from people who I honestly doubt have ever held a corporate security job in their lives and just don’t have a clue (and yes, I am happy to debate you charlatans on a public stage at a conference of your choice about that topic if you have the balls).

Some speakers and projects seem to spend more time telling you about why they are such experts and “thought leaders” than they do producing anything of value.

Well then.  That makes the first excerpts look like child’s play.  These words are harsh and hard-hitting.  And when I read them, I had to take a step back and look at my thought processes on blogging about security.  Of course, my low self esteem kicked in, and I thought I might be one of those charlatans.  I had posted a good deal about PCI in the last few months, so I had to self reflect to make sure I was on track and had not tried to misrepresent at all.  Also, it made me think that I was one of those that was happy to be on the list (I’m a sucker that way).  While I also publicly stated that it was obviously a ploy to generate traffic to IT Security’s site and was not very representative of the true influencers in IT security, I still admit that I patted myself on the back a bit.  And that leads me to my ultimate point, and I’ll start making that point by quoting myself (how’s that for conceited).  Here’s some of what I said in my comment to Mark:

That is a very bold statement, and I was going to comment to your post by saying that you need to call out the charlatans instead of just posting that statement. But by your reply to Alan [blogger's note: read the comments for context], it looks like you are going to do just that. I don’t think the security blogging world and the security industry as a whole would be hurt by some kind of shakeup, and if you feel like the one to do it, then I say more power to you.

I have stated this before on private conversations to other bloggers, but I think the security blogging family is getting somewhat incestuous, and we are possibly breeding malformed kids (everyone seems to want to jump on the security blog train). Of course, as Alan said in his comment, I also think that most of these will be weeded out eventually.

So what do I mean by “incestuous”?  Simply, I think security blogging has become a huge fad in the industry.  That’s not necessarily a bad thing, and there are a lot of people saying a lot of good things out there.  But when you have this many people blogging about so many related subjects, it gets kinda crazy.  There are only so many issues to blog about, and people start feeding off of other people, and you inevitably get those who really never say anything original or do say stuff that is original but is plain wrong.  And you get events like the blogger’s gathering at RSA (which was a great event that I vow to attend every year it is held) where we all get together and pat each other on the back and tell each other how cool we are.  I just think it all has the propensity to lead to many of us becoming legends in our own minds, and I think we all need to make sure that does not happen.

We all just need to take a step back, think about where we are in security as individuals, where we are in security as an industry, and where we are in security as a community of bloggers.  Are we making a difference?  Are we putting out good information?  Are we posting just to post so we can grow or maintain our readership and be part of a group for ego’s sake, or are we trying to help?  And notice that I am using the word “we” throughout.  I am not exempting myself from this reflection and honest appraisal of my worth to the security community. 

As for whether a blog is good or bad, honestly, I am not of the mind to start judging blogs.  As was said in the comments to Mark’s post, if bloggers write good stuff, then their readership will grow.  If not, people will unsubscribe, and eventually the bad ones will die on the vine.  But we also have a duty to call out those that misrepresent for selfish purposes or those that simply post from a faulty foundation.  The former would be the ones that need to be drummed out.  The latter need to be shown the error of their ways.

Again, please don’t think me arrogant in this posting.  I truly believe this is something any industry needs after a while.  Honest self reflection is always a good thing, and we might just bring about some honesty and good direction for the security industry.

And a last couple of points:

First, I am impressed by Mark Curphey’s blog.  He hits hard, but he calls ‘em like he sees ‘em.  LonerVamp called it when he commented on Mark’s latest post: “For being new to blogging, you have a particular clarity and honest rawness to your postings. You could have fooled me!”

Second, his Security Bullshit cartoons are genius.  I am sure someone has already made the connection, but this guy just might be the Scott Adams of security.

Vet

Posted by Michael Farnum on Monday, March 19th, 2007

Filed under Security

Anyone else using Akismet having problems?

Vet

Posted by Michael Farnum on Friday, March 16th, 2007

Filed under Security

Here’s a thought.  Everyone that was on the list of 59 should form a gang called “The Listers”.  We can all get tattoos with a picture of a stylish “59” inside of a flat panel monitor, buy black motorcycles with the same logo on the fuel, and seek out rude cab drivers to pelt with racist comments.  Then maybe we’ll get some respect.

Look, I know this dang list was a bunch of crap.  I know that it was a machine created to drive traffic to the IT Security website (dang it, I linked to it again).  I know me being one of the top influencers in IT Security is about as real as me being an influencer in Britney’s decision to shave her head (of course, she did go to high school in my hometown, so maybe I did influence her decision - **GASP**).  But really, is it such a bad thing?  Like LonerVamp says, “No matter what, that list is still a great resource to plunk all those sites and blogs into your favorite RSS tool and keep up with our industry.”  Of course, he was really dissing “The Listers”, even though he said for us not to take offense.  You’re on our list, LV!! (pun intended)

So I am going to be honest and say, “I like being on the list,” even if it was thrown together and has about 50 typos.

And to all you “non-listers”, don’t get on our bad side.  We don’t want to have to use our influence to squash you.

Vet (A.K.A. Lister 16)

Posted by Michael Farnum on Friday, March 16th, 2007

Filed under Security

OK, where in the H-E-double-hockey-sticks have I been that I have never read the Layer8 blog?  The latest post about annoying your pentester made me blow orange juice out my nose!

And since I have blown orange juice out my nose a few times in the last week (see here and here), I am officially creating the Information Security Place Orange Juice award.  Whenever someone writes something that is so friggin’ funny that I blow orange juice out my nose, the award will be given.  There’s no prize money, but the honor in receiving the award should be enough (especially since I am # 16 of the 59 Top Influencers in IT Security - I guess that humility didn’t last long). 

And to add to the announcement, I am starting a contest!  For you Photoshoppers and generally creative people out there that have some free time, I need some type of picture that will represent my new Information Security Place Orange Juice Award.  I worked something up real quick below using Paint (I suck at that stuff), but please don’t let that crappy thing stifle your creativity.  I need all submissions by mid-April.  If you win, you will have my undying gratitude, a mention in my blog, and credit whenever I post the award.  If no one submits anything (which is likely going to be the case), then you will be subjected to this crappy picture every time I give out the award!  No one needs to see this thing more than once, so please submit something!

[Update] Guess you need somewhere to send it.  Here’s one of my many email addresses (obfuscated of course) : m1a1vet-(@)-gmail.com

[Update2] You probably also need a better picture to work from.  Click here for Ol’ bullet head.

Vet

Posted by Michael Farnum on Thursday, March 15th, 2007

Filed under Security

I made the list of “The 59 Top Influencers in IT Security”.  Me?  I am humbled and honored to be in the list, but I have NEVER thought of myself as having this much influence.  I think maybe my connections with Martin, Mike, Alan, and others on the list got me noticed, and I think my opinions and ideas are decent, but I don’t think I am one of the 59 Top Influencers.

That being said, don’t take me off the list!  Maybe the extra traffic will make my blog uber-profitable like Alan’s, and I can get bought out!  Get the contracts ready, Chris!  Man, I’m seeing dollar signs already!

Vet

Posted by Michael Farnum on Thursday, March 15th, 2007

Filed under Security

If you read this blog (I guess you do since you are reading this) or my Computerworld blog, you know about my feelings (here and here) on the attempt at de-privatizing Social Security numbers in Texas.  But when I read this post by Mordaxus @ the Emergent Chaos Blog, I had to think about what he was saying for a second.  Basically, he thinks the law is a good thing because county clerks shouldn’t receive jail time for giving out public documents with SSN’s printed on them.  He makes this statement in making his point: “not everything that’s bad and needs to stop has to have jail time and fines on it.”  Well, hmmmm.  I guess my Texas notion of justice doesn’t quite fit that statement, but I’m open to other opinions on that.  However, the extreme measure that the law takes is ridiculous.

The social security number of a living person is excepted from the requirements of Section 552.021, but is not confidential under this section and this section does not make the social security number of a living person confidential under another provision of this chapter or other law.

Well, I don’t know about anyone else, but this seems a tad bit over-the-top just to protect some county clerks.  Here’s another section of the same law:

The county clerk is not criminally or civilly liable for disclosing an instrument or information in an instrument in compliance with the public information law (Chapter 552, Government Code) or another law.

So why isn’t this section enough to fulfill what Mordaxus is looking for?  Can’t we just exempt the county clerks without deprivatizing SSN’s?  Of course, the potential for abuse by county clerks is on the crazy side with just this section.

Here’s some more:

Other than the duty to redact an individual’s social security number as required by Section 552.147, Government Code, the county clerk has no duty to ensure that an instrument presented for recording does not contain an individual’s social security number.

Then who the @#%! does have the duty?  Sheesh.

Basically, this is a law that goes too far to protect a few individuals because those individuals have power and influence and wanted some protection.  I get the desire to be protected, but this law is just too much.

Vet

Posted by Michael Farnum on Wednesday, March 14th, 2007

Filed under Security

Mike throws out some good advice for VARs here.  Basically, do what is right for your customer, and you will have a loyal customer.

Some more advice: VAR’s have bad reps.  Don’t be a VAR.  Sell stuff, but be the advisor that Mike talks about.  If all you do is show up every year when maintenance is due, you are not a partner.  And remember, customers don’t have to buy maintenance through the same company where they bought the product.

You want to keep selling?  Get to know your customer.  Be their friend.  Be their advisor.  They will remember it.

Vet

Posted by Michael Farnum on Wednesday, March 14th, 2007

Filed under Security

My web stats went out the roof yesterday (well, out the roof for me).  Still looking into it.  Anybody write something about me that I wasn’t aware of?  Maybe my CW post about Spire Security and the Texas SSN issue helped.  Hmmmm….

BTW: The 13 Mar stats aren’t complete yet since I am writing this on 13 Mar.

Vet

Posted by Michael Farnum on Tuesday, March 13th, 2007

Filed under Security

I guess I am a corporate whore now, but this webinar looked very interesting to me.  I’m sure there will be some of the usual vendor stuff, but our PCI compliance manager will be on the talk, and I guarantee you this guy knows PCI very well and will not BS you.  Anyway, if you are interested, click the link at the bottom of the announcement and sign up.

Special Webinar:

Demystifying PCI Compliance: Simplifying The Path To Protect Your Brand And Your Network


Recent reports on the sharp rise in credit-card theft and large-scale security breaches have increased security concerns among consumers, banks and government agencies alike. As a result, every retailer needs to reconcile the urgent need for PCI-compliant security with the equally essential need to increase sales and reduce costs through mobile applications. Now, see how you can achieve just that with this special online event that brings together experts from every essential domain, including a leading security researcher, a PCI auditor and a retail mobility authority. During this event, you will:

- Discover how PCI compliance does not have to be complicated or costly.
- Learn about the recently revised PCI v1.1 data-security standard and specifically what you need to do to comply.
- Hear real-world examples of a step-by-step migration path to PCI compliance across wired and wireless retail networks.
- See best-practice examples of what security experts consider a PCI-compliant retail store network.
- Learn about these essential security considerations before deploying new in-store applications designed to boost productivity and enhance the in-store experience.

Date: March 22, 2007
Time: 2pm ET/11am PT
For more information and to attend, go to
www.chainstoreage.com/arubawebinar


Vet

Posted by Michael Farnum on Tuesday, March 13th, 2007

Filed under Security

This is what happens when you rely on soft porn to sell your product and then don’t back up the business with good support.  Between this current issue and them pulling security site domains, these guys pretty much suck.

Vet

Posted by Michael Farnum on Monday, March 12th, 2007

Filed under Security

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

I am not going to post about DST.

Vet

Posted by Michael Farnum on Monday, March 12th, 2007

Filed under Security

Martin McKeay posted today about the Texas House voting for a law that would allow SSN’s to be released with other public data like marriage licenses, court abstracts, etc. (H.B. No. 2061).  My knee jerk to this is that someone needs to be smacked, and after some investigation, I think my knee jerk is correct. 

Besides the obvious issue with SSN’s being made public with no one being held liable, here are some issues I have:

The article says:

Many local officials had interpreted the current law, which was designed to prevent identity theft, as a suggestion more than a requirement. But Attorney General Greg Abbott clarified last month the numbers must be removed before a document is made public. After his ruling, county clerks rebelled, saying they didn’t have the staff nor money to redact all the numbers right away.

I definitely get practicality.  Attorney General Greg Abbott “gave county officials a 60-day reprieve from the requirement”, and I don’t know that this is enough time to put in place the resources necessary.  However, I also know that a lot of government jobs tend to be (let’s see - how can I put this) cush.  So I would think it wouldn’t be too much of a stretch to get them to do some more work (no offense to government workers).

And a point brought up to me by Cutaway is this: do these same clerks screen themselves and politicians before their docs go out?  Hmmm….

Also, Rep. Jim Keffer says this is just a temporary fix so the courthouses can keep doing business.  He says this issue needs to be revisited later.  But how many laws get on the books and then get revisited?  Oh, let’s see… I would say about zero.  Once this gets put on the books, everybody is going to forget about it. 

Now, there are actually some good points to this proposed law. 

  • It allows Texans the ability to refuse to include SSN’s or driver’s license numbers on forms (unless the information is required by law for that form).
  • It requires a notice in the office itself that states that this kind of info is not required on the forms.
  • It instructs the clerk offices to include a bold-faced notice on all forms that the individual can strike SSN’s and driver’s license numbers from any forms on record (unless the information is required by law for that form).
  • It specifically says that clerks cannot refuse a form that does not have this info on it (unless the information is required by law for that form).
  • Citizens can request that this type of info be redacted from forms in the clerk’s care (unless the information is required by law for that form).


That’s all fine and dandy, but it DOES NOT instruct the clerks to change their forms to take out these fields, so most people will probably still fill out the information.  It is relying on the bold-faced announcement and the notice posted in the office to draw the citizen’s attention to the fact that they don’t have to put their info on the forms.  Why not take out the fields AND post the notices? Of course, that makes too much sense.  Also, you have to know the form specifically from which you want your SSN redacted.

And one more thing.  The section below was in the last part of the bill: 

SECTION 3.  This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2007.

Uhhhh, I wasn’t raised in Texas, so I never took a state government course here.  So maybe this is normal language in a bill (I noticed it in a few other bills as well), but this scares me.  This sounds like this is going to happen no matter what.  Can anyone help me out with this puppy?  Can the Governor veto this (not that I have a lot of faith in him right now)?

Either way, this is bad, and all of us Texans need to get on the phone NOW.  If you are a citizen of Texas and don’t know who your Senator is, go here, enter your address, and your Senators will pop up.  Heck, even if you aren’t a Texan, just pick one.  Feel like calling your reps and telling them they are stupid for passing this?  Go here.  Also, call your local TV and radio stations and let them know.  These people are putting practicality over our safety.  This needs to be stopped. 

Vet

Posted by Michael Farnum on Tuesday, March 6th, 2007

Filed under Blogging Buddies, Catalyst, Friends, Security, Security Education

I just finished a post at my Computerworld blog about grassroots security. Basically, I am talking about securing the Internet by securing the typical user. So now, I am going to say much the same thing, but I am going to use a different metaphor. It is in the title, but I will draw it out a bit here.

Have you ever worked at an organization that takes safety seriously? Or have you ever been a firefighter? What is one of the things they teach you about putting out a fire? That’s right - you aim at the base of the fire. Spraying water at the tips of the flames doesn’t do jack!

So this is what the Security Catalysts group is all about. A part of that initiative (actually, a really BIG part) is teaching the regular user what is going on with security and how they can secure themselves and help secure the community. So, starting out this initiative is Michael Santarcangelo’s first production of a series of vidcasts called the Family Security Series.

This is a very important first step in a very important project. Please think about ways you can help this effort, even if it is a local and independent movement. But I would also ask you to consider joining the Security Catalyst forums so we can pool our efforts. And even think about applying to join the Trusted Security Catalysts as well. It doesn’t cost anything. All you need is a good security background and a passion for security.

We are trying to make a difference. Consider joining the team.

Vet

Posted by Michael Farnum on Monday, March 5th, 2007

Filed under Security

Another reason to blow orange juice out of my nose.

Vet

Posted by Michael Farnum on Monday, March 5th, 2007

Filed under Security

OK, I just about blew orange juice out my nose when I read this.  And the comments are almost as funny.  The combination of comments 9 and 10 is hilarious.

Vet

Posted by Michael Farnum on Monday, March 5th, 2007

Filed under Security

I know I am a little late to this game, but I have to say that it absolutely drives me insane that HID is trying to push Chris Paget around.  Just like it drove me nuts last year that ISS caved to pressure and caused one of their last real talents (Michael Lynn) to quit because he dared to reveal a Cisco flaw.

I am all about responsible disclosure.  I am all about letting the manufacturer know of the issue before revealing it to the public.  But neither of these cases involves something that is not known already.  So basically this is effectively doing nothing but hampering security research.  And the reason is because security has become uber-productized.  Everyone has a product they want to sell to everyone to make a buck, and you will be strung up with red tape and lawyers’ neckties if you find a flaw and try to disseminate it to the public.

Don’t get me wrong.  I am a capitalist to the core.  I am all about making the money.  I don’t work for free.  If I was smart enough to start a company and make a few million, I would have already done it.  But I will say that if I made a security widget of some sort and Mr. Paget or Mr. Lynn or Mr. Whoever told me there was a problem with my product, could demonstrate it to me, and that they were going to show it at BlackHat, I would walk on the frickin’ stage with them, put my arm around them, and say this guy is da’ bomb.  I would push out a damn press release that said what I was doing to fix the problem, and I would probably try to hire the guy who found the flaw so I could get some better QA.

AAAAAAAAAAAHHHHHHHHHH!!!!!


This is the height of ridiculousness.  People that do security research such as these two gentlemen deserve praise, respect, and adoration, not lawsuits.

And sorry to Alan and all other bloggers about the little bit of cursing.  I am not a guy normally driven to expletives, but this has me fired up.

Vet

Posted by Michael Farnum on Friday, March 2nd, 2007

Filed under Security

Doing some JUNOS training today and tomorrow.  We haven’t dug into it yet, but I can tell you one definite strength right now.  JUNOS is one code train versus Cisco’s 8000 versions.  Cisco used to make my head spin trying to figure out what code rev I needed.  JUNOS doesn’t have all that.

The first router Juniper came out with was the M40 many years ago.  You can take their latest code level and put it on that old M40, and it runs with no problems.  Try that with Cisco.

Vet

Posted by Michael Farnum on Thursday, March 1st, 2007