Archive for October, 2009

How not to answer secret questions and answers

This one is not quite safe for work, but it’s very funny:

Live Chat Help

Currently experiencing network delays, one moment please….
Network connection re-established.
Adam Brooke: Do you work for the IRS?
Kamyar: Thank you for waiting Sir. Unfortunately we cannot access your password, however we can reset it, which enables you to access your account and change the password right away.
Kamyar: Would that be acceptable?
Adam Brooke: Thanks, that would be great
Kamyar: Very well Sir. In order to process your request, please provide us with the answer to your secret question: “How long is your cock?”. This is for authentication purposes and is part of our security policy.
Adam Brooke: Very or long
Currently experiencing network delays, one moment please….
Network connection re-established.
Kamyar: Thank you. I will accept that. The exact answer we have on file is “Very!”. Your temporary password is reset to “brooke”.
Kamyar: Please try to sign in again and kindly confirm once you are signed in.
Adam Brooke: I really hope you are laughing too. Thanks for being so professional.

http://www.fixfactory.co.uk/airline-chat/

p.s. I use random security questions (if possible) and random answers stored in a password manager. It’s the only safe way to avoid being pwned. Good luck trying to answer “What’s your mother’s maiden name?” with me! It could be n,;Ug~RolDE0?RP>A{Y/ or worse.
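The chat above shows two failures at once: the agent could read the answer on file in plaintext, and accepted a fuzzy match (“Very or long” against “Very!”). As an added example (not from the original post or the site it quotes), here is how a secret-question answer can be treated like a second password: generated at random for the password manager, stored only as a salted PBKDF2 hash, and checked by exact, constant-time comparison. The alphabet, iteration count and function names are my own choices.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed for this example: characters allowed in a generated answer.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789,;~?>{}/"
PBKDF2_ROUNDS = 200_000  # assumed cost; tune to the server's CPU budget


def random_answer(length: int = 20) -> str:
    """An answer with no relation to the question, intended for a password manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalize(answer: str) -> str:
    # Only harmless normalisation (Unicode form, surrounding whitespace);
    # no case folding or "close enough" matching like the help desk did.
    return unicodedata.normalize("NFKC", answer).strip()


def enroll(answer: str) -> dict:
    """Store a salted hash so support staff cannot read the answer back."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "digest": digest}


def verify(record: dict, supplied: str) -> bool:
    """Exact match only; compare_digest avoids timing leaks on the comparison."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(supplied).encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    record = enroll("Very!")
    print("exact answer accepted:", verify(record, "Very!"))
    print("'Very or long' accepted:", verify(record, "Very or long"))
    print("generated answer:", random_answer())
```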

The OLPCs are here

Wow – that was quick.

I have three OLPCs in my office. I need to go sort out some US power plugs for them so I can charge them, but they’re here! :-)

Proto GaiaBB runs fine in Browse

Phew.

[Screenshot: 2009-10-21 at 11.33.00 PM]

Obviously, the default theme fails a bit when you see only two rows of topic activity. Will really need to make that work a whole lot better. However, the actual rendering is perfect. Yay! One less task to be done.

GaiaBB and OLPC

Peter Quodling, an old friend, e-mailed out of the blue last week. I have a lot of time for Peter as he’s one of the few Australian IT architects who really knows his stuff, plus he’s a really nice guy. He is involved in OLPC in the PNG region. Last Christmas, I nearly bought an XO under the Buy One, Give One program so Mackenzie could have a cool first laptop … and somewhat more honestly, so I could play with the OLPC until she’s old enough to type, let alone talk. However, circumstances prevented toy purchases of that magnitude, and I forgot all about the XO until this week.

I thought through my various abandoned projects (for I have many), trying to work out which would help the OLPC project and kids all over the world. I’ve had an itch for a while to do something for the One Laptop Per Child project (OLPC), but never really had a substantial idea that would help transform kids’ lives rather than my own. But now I think I have just the project.

So I put in a proposal for two laptops to help develop GaiaBB (which is UltimaBB++ (sic gloria transit), which is XMB++, which is awful) into an OLPC-specific product.

My current plans are:

  • Get GaiaBB.com back up and make it OLPC centric. Revitalize the Sourceforge project.
  • Finish OWASP ESAPI for PHP. I need it for this project.
  • Port GaiaBB to the OLPC, porting the database to SQLite, and probably using lighttpd. I could use Apache + MySQL as now, but these are huge compared to SQLite and lighttpd, and on a device with limited NAND memory, every byte counts.
  • Ensure GaiaBB works properly with Browse, the XO browser. I might need to turn the nested tables into CSS templates a bit sooner than I intended.
  • Beg, borrow or steal a graphic designer to come up with a GaiaBB theme that works well with the dual-mode display (it’s both black and white and color, and more wide than tall), and possibly work out how to detect the XO’s current screen state from the web page so I can dynamically choose a grey scale or a color theme.
  • Simplify the product so that it’s more manageable by young ’uns without dumbing down too much or removing some of the depth and surprise features of the product.
  • Write an installer that makes it easy to install on the OLPC. I want kids to be able to create their own social communities and for them to easily share their forums with their friends.
  • And this is where it gets fancy… write a web service that allows authorized folks to replicate their version of the forum with other versions of the forum … without causing major security issues. That way when you’re at home and have no Internet service, you can still read the forum and write new posts and then sync when you’re at school. This is where I will have to significantly change the way GaiaBB works as right now, it’s a single database deal and assumes that there are trusted administrators.
  • Go through the code with a fine tooth comb, replacing all the crappy security bits with ESAPI for PHP. Some parts are truly ancient (circa 2000) and need refactoring. As part of this, I will ensure the code is easily modifiable. I learnt how to code by changing other folks’ code and then starting to write my own, and I want kids to modify the heck out of this forum so as to create a new generation of coders excited about programming and IT in general.
  • Lastly, possibly write an OLPC School Server centralized GaiaBB hub for schools to run “their” forum which students can sync with in a safe fashion.

The proposal has been approved, and the laptops are on their way. They are sending me three XO’s! Awesome. Better get cracking!

Dang expired credit cards

Well, that’s been a rotten few days…

  • My friend TJ, 43, passed away from diabetes-related complications and worse-than-third-world access to basic health care in a first world country – the USA.
  • My USA credit card expired.
  • This domain expired and failed to auto-renew using my USA credit card.
  • Tanya had to go to hospital twice after a fall in the back room… on my birthday.

Some of these things are important, others not so much. So apologies all who might have tried to mail me and for this site to be down for more than 24 hours, but I had other things on my mind. Please re-mail anything if you haven’t heard back from me.

TJ – rest in peace mang. I just wished you could have migrated to any other first world nation and gotten the basic meds and help you needed instead of dying so, so young from completely and utterly preventable and manageable diseases. I’ll miss you and remember you.

“Protect the Data” Idiot! Redux

Richard Bejtlich at his TaoSecurity Blog makes a very strong assertion that we’re all idiots for wanting to protect data, rather than the container.

I’m not going to play a semantic game about protecting data versus the thing the data is in at the moment, but honestly, I think he misses a really strong point as to why we’re moving away from the failed network-centric strong border / soft center protection racket to a more secure data-centric protection scheme.

I will not disagree with Richard that we secure the containers, not the data, but we secure the containers BECAUSE of the data, not the other way around. For far too long, we’ve thought about the enemy outside the gates, when it’s actually the folks inside that cause many breaches.

The weakest link in any protection scheme is the humans.

  • They have weak passwords
  • They (rightfully) share information about themselves with their friends and (not so rightfully) with the Internet at large, making password resets untenable.
  • Folks accidentally disclose data assets all the time. Laptops, backup tapes, USB sticks, brief cases containing the data.

Should we care if I lose my phone? It contains my address book, which I can sync again to the next phone, and little else. But to a CEO with e-mails, internal VPN access, browse history, contacts, calendars and more. What differentiates my container (my iPhone) from the CEO of Apple’s container (Steve Jobs’ iPhone)? In a Richard world, nothing – they should be protected equally. But it’s really about the data the container holds and what data the container has access to.

Data in and of itself is intangible, and generally cannot be secured if it wants to get out (see WikiLeaks for an incontrovertible example). I think Richard and I agree on this bit. Where I stray from Richard is this: to ignore the data is to miss the point of information security entirely, which is why I take umbrage at his ad hominem attack.

  • If you have backups, you’re changing the data’s container, but you’re protecting the asset (the data) and not the container by doing backups. We’re planning for a complete loss of the container.
  • If you have a DR site, protecting the container is secondary to protecting the data.
  • If you have a distributed cloud, protecting the container is nigh on impossible as you don’t control them.
  • If you’ve printed previously encrypted data, the container and its protection controls have changed. The need for protection hasn’t changed, just how those controls work.

Lastly, it comes down to classification. If we ignored the data, we would protect the most expensive containers, rather than the business critical data.

  • The CEO’s high-end home desktop would get more protection than a USB stick containing next quarter’s results. I bet I know which the company would fret about more.
  • The WAF would get more protection and monitoring than the HR server, as the WAF costs 10x as much as any one commodity server.
  • The SAP system would probably gain some attention as it would consume a chunk of change from the IT budget, but would you put it in a data center or in a closet?

We’re not idiots for promoting protection of the data. The containers and pipes BECOME valuable, and we protect them because of the data sitting in or passing through those containers and pipes. We only protect those tangible assets because we pay enough attention to the data’s classification and its various requirements for the data’s protection.

Really, we don’t need to call each other names to try and bring us back to the failed border centric fold. We can disagree with each other as gentlefolks and not call each other names. I’m amazed that Richard has gone down the attack path as I normally agree with 99% of all his blog posts.


Say no to censorship - No Clean Feed!

This page is now black to protest the Australian Government's decision to censor the Internet. Censorship is possibly the most un-Australian act of all. Please write or call your local member and senators immediately to express your displeasure. Go to rallies. Twitter #nocleanfeed regularly. Blog. Facebook. Support the EFA. Vote for anyone but Labor. We must defeat this evil bill for our children's sake. Most of all - mass civil disobedience is vital.