
Archive for the ‘FAIL’ Category

Richard Clarke sucks [updated]

April 23rd, 2010 Brad 1 comment

Today I read a review on Threat Level tearing apart Richard Clarke’s new pile of hardbound bullshit.  I really hate Richard Clarke.  At least when it comes to cyber-anything, he’s full of shit and I don’t know why anyone considers him any kind of expert.

Rather than my usual obscene rant, I’m just going to provide some choice video clips.  These are my two favorite segments from the PBS Frontline titled “Cyberwar” from a few years ago.

Update:  I found a photographic record of Richard Clarke and his brave three hundred pushing enemy packets off the edge of the internet.

"Those packets look thirsty, boys!"

Categories: Books, FAIL

No really, Verified By Visa blows

January 27th, 2010 Brad No comments

But don’t take my word for it — take Ross Anderson’s.

Categories: FAIL

Fuck Securom (Error 5003)

January 2nd, 2010 Brad 1 comment

I bought Crysis so I could play a Mechwarrior mod with it.  When I tried to start it, a window popped up saying:

A required security module cannot be activated. This program cannot be executed (5003).

One of my friends located the explanation.  Indeed, I had IDA Pro running in the background.

Good job, guys.  That will really prevent piracy, a lot.  You are great at what you do.

Categories: FAIL

Verified By Stupid Bullshit

December 29th, 2009 Brad No comments

I’ve ranted about Verified By Visa before.  Since then, I’ve had the good fortune of having no dealings at all with the idiotic system – until tonight.  Since I’m using a different Visa card for a purchase, it’s harassing me to create myself a new Verified By Visa account which includes my Social Security number for some fucking reason.  And when they prompt me for a password?

Passwords must contain at least one lower case alpha character, one upper case alpha character, and one numeric value. Special characters and spaces are not allowed.

You fucking idiots.  Go fuck the devil in hell.

Categories: FAIL

Dear plaintext-email password people,

August 11th, 2009 Brad 1 comment

A while back I wrote this on another blog.

An open letter to websites that require your registration, then email you your details, including the password, in plaintext.


Categories: FAIL

Thithp

August 10th, 2009 Brad No comments

While I wade through my CISSP study guide and take practice exams, I can’t help but wonder how much useful information I would’ve learned in the past month if I had studied, say, rootkits.  Instead of bullshit.

These people are basically telling me that if I don’t know – off the top of my fucking head, mind you, even though the answer is always a four-second Google search away – details of the token ring standard, and what class of fire extinguisher belongs with what fire, then I can’t possibly be an Information Security Professional.

I just took a practice quiz for a Body Of Knowledge I haven’t started to study yet, just to see how I’d do.  It’s the Application Security section.  I figured it’s the one I’d know offhand more than any of the others, y’know?  Because, I actually work with applications.  And their security.

Nope.  The practice questions were all about Software Capability Maturity Models and Database Design Principles and which features of prototypes are (ISC)²’s favorite.  So I only got 50% of the questions right.  I guess I’m a Certified Information System Security Retard, because the test said so.

I can’t imagine how many people are making money hand over fist just to have their heads up their asses and come up with this.  It’s college all over again.

Categories: FAIL

Security experts FAIL

August 7th, 2009 Brad No comments

Update: I decided this post’s original title, “More journalism FAIL,” was unwarranted.  The fail in the story is more due to the “security experts” interviewed.

Yesterday’s fail just wasn’t stupid enough.  Today, Computerworld brings us a delicious banquet of stupid, each morsel more stupid than the last: “Security experts scramble to decipher Twitter attack.”  I don’t know whether to attribute the stupid to each individual interviewed in the story – maybe it’s not their fault; maybe they were asked really stupid leading questions.  All I can do is ruthlessly mock it.


Categories: FAIL

Journalism FAIL

August 6th, 2009 Brad No comments

Caroline McCarthy, of CNET News, “a downtown Manhattanite happily addicted to social-media tools and restaurant blogs” whose “pre-CNET resume includes interning at an IT security firm and brewing cappuccinos,” wrote a story about this week’s DoS attacks on Facebook and Twitter.  A nice story, with a good timeline and interviews with some experts.  Nice until the end:

There has been no indication that a single party, or groups of hackers in tandem, was responsible for the Facebook and Twitter attacks, or whether there was any connection to the other DoS attacks on smaller sites earlier this week. But it’s probably not a coincidence that they all happen to coincide with the annual Defcon hacker convention.

This is not attributed to any of the experts interviewed, probably because they wouldn’t say something that stupid.  The linked story doesn’t make it any better, either – it’s just some random CNET story about the Defcon badges.

There were some attacks (not DoSes) that were explicitly related to Blackhat and Defcon – they targeted the sites of some prolific security researchers.  But these DoSes?  Against Consumerist, Twitter, and Facebook?  I don’t see any connection, except that the conferences are about hacking and the use of botnets for DoS may or may not involve some measure of hacking.

Either throw in some evidence to back up that idiotic suggestion, or throw it out.

Categories: FAIL

Screw Barnes and Noble

August 3rd, 2009 Brad 1 comment

They’re shit.  Use Amazon instead.

Updated with less obscenity and more details:

1) I get a B&N gift card.  It’s a nice gift.

2) I use it to order a copy of Malware Forensics: Investigating and Analyzing Malicious Code.  Since B&N prices are at least $10 more than, say, Amazon prices, I order through B&N from a different seller and save money.

3) The seller confirms my order, payment, and shipping information.  I throw away the card.

4) Three weeks pass.

5) I get a notification that my order actually is canceled, and I’m getting a refund.

6) I go to order the exact same thing, because I want the damn book.

7) Since I already threw away the card which now has the gift amount restored on it, I call customer service to have them clear it up.  They explain that I may either be mailed a new card, or I can place my order over the phone and refer back to the canceled order to have the card’s balance transferred to the new order.

8) I do the latter, because I want to get the book, not wait a few weeks and then get the book.

9) They explain I can’t order from other sellers by phone.  I have to order direct from B&N, where their price is the list price and their shipping is more expensive.

10) Result: I get the same amount of book, only more than a month later and for more money/gift card value.

Here’s what should have happened: back at Step 7, they should have said “We’re terribly sorry about that; we do our best to help our customers get along with other sellers smoothly.  Can I help you find another copy at a comparable price, and order it for you right now?”

I’ve had similar experiences with two other major sites that act as used/third-party marketplaces, Amazon and Half.com.  Both of them have processes in place to deal with fraud and mistakes.  And if a reseller confirms an order, then waits three weeks and fails to deliver, it reflects poorly on that reseller when other buyers consider buying from them.  I didn’t get a chance to review this customer experience or anything.

In summary, B&N gives me the lowest buying power and its service reps care the least of any major bookseller I’ve dealt with.  Screw them.  Go with Amazon.

P.S.  It was still a nice gift and I still appreciate it.  Ty, bro.

Categories: FAIL

Surely a misprint

August 2nd, 2009 Brad No comments

The assurance that the components are enforcing the abstract idea of the reference monitor is proved through testing and functionality.

– Shon Harris, All-In-One CISSP Exam Guide 4th Ed., p. 328

Nnnnnnnno, actually testing can’t possibly give that kind of assurance, and I’m not sure what “functionality” is supposed to mean here – it runs fine, so it must be working as expected?  The Third Commandment of the Reference Monitor, which had just been given in the text, is that it must be small enough to be completely verified.  That verification is the assurance.

Categories: Books, FAIL