Room362.com

Blatherings of a security addict.

Security Guards Without Guns

I have had this rant on Twitter (if they had threading I would link to it). I have also had it in person a half dozen times at CSI Annual. And a piece of it was touched on by Jack Daniel in his blog post “The Fallacy of Penetration Testing”.

We as “Security Professionals” have a big problem. We usually don’t have the power to make change. This has been a fight that every one of us has gone to bat for and usually lost. We are basically security guards without guns. We don’t have the ability to shoot that intruder if he tries to step up. Now, that is an oversimplification, but you understand what I mean.

So we all want the power, but are we ready for the consequences that such power brings? Are you ready to lose your job or go to jail if someone breaks into your network? Again, an oversimplification, and I understand there are things outside the control of all of us, but if you implement security policies and products, and they fail, why do we just go ‘oh well, let’s mitigate and try to catch them the next time’? I don’t think that the security community as a whole is ready for such power or the consequences it brings. I know this is going to be a very controversial issue, so feel free to post your comments. Tell me why you think we are ready for the guns.

Ego Surfing or Caring?

Gary Vaynerchuk of Wine Library TV made a post about Ego Searching. He describes in this short video that ego searching when you are trying to make a brand is simply caring about your audience:

Now even Leo Laporte, while being interviewed on the Geek Cred podcast said that as a broadcaster (which can be translated into “Content Producer”), your audience is the most important thing and your responsibility is to them.

Well, in this post I will show you a way to ego surf efficiently, taking it to a whole new level to save you time, without sacrificing the interaction that Gary V. detailed:

So let’s start with Google Alerts. Google Alerts are a way to get an update whenever there is a new search result for a specific search. Instead of going to Google’s Blog Search every day or every hour, you can get an email whenever there is a new result:

Search Terms: Whatever your brand is

Type: This is where it starts to get interesting. Choose Comprehensive and it will search blogs, news, regular Google, videos and Google Groups.

How Often: As it happens, daily or once a week updates

Deliver To: You can either get it as an RSS feed or straight to your email.

Well, here is the slight problem with that. You will be getting updates every time you post anything. Let’s add some Google hacking to these search results so we can get the most bang for our buck:

For example, my search would be:

  • link:room362.com -site:room362.com

This would give me results whenever someone has a link to room362.com on their page, except when it’s on my domain (room362.com). Now, if you are looking at branding it can get much more complicated:

Here is one of my searches:

  • mubix -site:room362.com -site:mubix.blogspot.com -site:hak5.org -site:mubix.vox.com

This search gives me results whenever “mubix” is even mentioned except when it’s on one of the sites. And you can edit these results all you want. Upping your Google Fu is the name of the game.

You can use Google Alerts for all kinds of things. Another one that I have is “Call for Papers”. I have added a lot of Google Fu to that search so that it only catches security gigs, so customize the searches to what you want to see.

Now, if you want to take all of this to the extreme, check out MonitorThis.

Happy Ego Surfing Caring,

mubix

GoPC Links With ThinLinX

Unless you have been hiding under a rock, or just started reading this blog today, you have heard about GoPC. I featured it in my USB Goodies 2008 and I love their product. Now they have entered into a “Strategic Alliance” with a company called ThinLinX. The details of this alliance and the future it holds aren’t clear at the moment. And of course I have my own speculations. What are yours?

To kind of get the ball rolling I’ll give you a brief intro to each company:

GoPC lets you log in to a virtual desktop either through a web interface or through a portable app that you can keep on a thumb drive. Having the ability to take a powerful machine with you wherever you go without having to lug around a laptop is a great experience. I plug in my USB drive or surf to their site on any computer and I am instantly on my own customized desktop.

ThinLinX has incorporated the power and speed of NoMachine NX into a tiny box. These thin clients are set up to only allow the connection back to the mothership and connect you to your desktop, making it a relatively safe environment for you to log in to enterprise email and surf the intra- and internets.

Now, as a security addict, I try to stay away from words like “Cloud Computing” and “Secure”, mostly because they have both become bad words in the industry. I plan on getting one and putting it through the wringer, as it is the first thin client that I can afford at 99 bucks!

I can’t wait to see what comes of these two companies.

Check out their press release at: http://www.gopc.net/blog/?p=40 (Archive.org link)

Gmail Snooze Button

I use Gmail. Not really a big admission, nor very hard to find out. But the reason I use it is because of its threading and archiving. For me those two abilities are unmatched anywhere else; both Outlook and Thunderbird fail horribly at this.

More to the point, I have reached a certain level of ‘zen’ with my GTD methods on Gmail. I am in a constant battle for “Inbox Zero” and find “Starring” extremely useless. My problem lies in the fact that I have email threads where I am waiting on people to reply, or I simply want to reply later. While keeping them in my Inbox is alright, it is a mental block in my quest for Inbox Zero to have to go to the next page of emails and work from there because the first page is full of followups.

So, I thunked on the problem and came up with the idea of a snooze button. I would like a snooze button in Gmail where I can click an email thread, and it asks me for a date and time period and possibly a note to tag along with it. And then, on that date or after that elapsed period of time, OR when a new email enters the thread, the thread reappears in my Inbox. I realize that you can Star, then archive, and then check your stars, but that doesn’t work for me; it is simply like making a second inbox to manage.

If anyone has any ideas on how to make this happen or a contact at google that would be willing to listen to the idea, please leave a comment or shoot me an email.

SBN Move to Lijit

Alan posted this about the SBN:

Well there is not much sense keeping it a secret any longer, as others have already blogged on it. The Security Bloggers Network is going Lijit. Working with the folks who bring you Lijit search widgets, the Security Bloggers Network has a new home. You can find site at http://www.securitybloggers.net (thanks to Tyler Reguly of http://www.computerdefense.org) and at http://www.securitybloggersnetwork.com (this may still be resolving). Either URL should work. You can subscribe to the new feed here.

(StillSecure, After All These Years, Nov 2008)

If you don’t know what the Security Bloggers Network is, it is a coalition of security bloggers’ feeds, allowing you, the reader, to subscribe to only one feed while getting a dynamic set of updates from all kinds of bloggers.

ShmooCon Room Sharing

Update – Shmoocon already had a list:

http://lists.shmoo.com/mailman/listinfo/shmoocon-roommates

Go with what your readers want, right? Well, I have recently been getting a lot of hits from people searching for room sharing at ShmooCon. I have done this before at cons and I have met some very interesting people. So I created the Google group ShmooCon RoomShare. Post that you are looking, post that you have space. It’s all voluntary and you can sign up for email alerts so that you don’t have to check it all the time.

Plus, you don’t have to share for free; if you are looking to split a room, the conversation can start there.

Hack or Halo 5 at ShmooCon 2009

Even if you have been to ShmooCon, something that eludes most con-goers is the Hack or Halo contest. Most of the time you will see its organizers at a table near the registration desk getting people signed up. What you may not know is how the whole thing goes down. It’s after hours, so you aren’t missing the great content during the day, and it might save you a few dollars you would otherwise spend at the bar. But the primary purpose of Hack or Halo isn’t to put money back in your pocket (and yes, it’s free). The primary purpose is to get your game on, be it gaming or hacking. Actually, Chris Compton spells out what goes down really well on the Hack or Halo blog in his post called “In The Beginning”.

I would suggest that for a leg up on the rest of the contestants, you slap the blog in your RSS feed and follow them on twitter @HackorHalo. You never know, they might ‘accidentally’ release some pertinent information.

Primary excuses for not participating:

  • I didn’t bring my tools

    • You are the tool. Download the BT3 VM, boot it up, update it, disable the TCP/IP stack on your sister’s laptop that you borrowed for the con, and you are already better off than some of the other contestants.
  • I’m not good enough

    • If Zeff comes for Halo, or Chris Eagle is allowed to hack, you are right, you aren’t, but damn would you have some bragging rights if you kicked their arse.
  • I’m doing something that night

    • No, you really aren’t… you know it, I know it.

Now that we have got it all straight, see you there.

P.S. The picture is @Kym_Possible from the Hack or Halo squad. For most geeks out there, she will be reason enough to sign up. And yes, I may die tomorrow for posting this.

McGoodies From Operat0r

Many of you know who operat0r is, Darren in particular, since operat0r pulled a magic trick on Darren’s ACER ONE (Archive.org links) that turned it from brick to badass in less than 5 minutes. But what some of you may not know is that ol’ McCurdy (operat0r) has some other awesome side projects that run the same course as my style of apps: PORTABLE. But these aren’t the standard portable apps that I find on the net. Well… let me just get to the list. Oh, and I’m not linking directly to the projects because the download links change as he updates the tools.

  • w3af PORTABLE

  • MetaSploit PORTABLE

  • WebScarab PORTABLE

You can find all of these awesome McGoodies at operat0r’s site: http://rmccurdy.com/