From jericho at attrition.org Fri Jul 2 16:47:51 2010
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 2 Jul 2010 16:47:51 -0500 (CDT)
Subject: [attrition] InfoSec, Sun Tzu and the Art of Whore

http://attrition.org/security/rants/fsck_sun_tzu/

InfoSec, Sun Tzu and the Art of Whore
Fri Jul 2 14:42:30 CDT 2010
swtornio & jericho

Lately, you can't swing a dead cat without hitting someone in InfoSec who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security. Sun Tzu lends the topic some gravitas and the speaker instantly benefits from the halo effect of Ancient Chinese Wisdom, but does Sun Tzu really have anything interesting to say about Information Security?

In "The Art of War," Sun Tzu's writing addressed a variety of military tactics, very few of which can truly be extrapolated into modern InfoSec practices. The parts that do apply aren't terribly groundbreaking and may actually conflict with other tenets when artificially applied to InfoSec. Rather than accept that Tzu's work is not relevant to modern-day InfoSec, people tend to force analogies and stretch comparisons to his work. These big leaps are professionals whoring themselves just to get in what seems like a cool reference and wise quote.

    "The art of war teaches us to rely not on the likelihood of the
    enemy's not coming, but on our own readiness to receive him; not on
    the chance of his not attacking, but rather on the fact that we have
    made our position unassailable."
        - The Art of War

This seems to make sense on its face. If you focus on making your systems and networks invulnerable to attack, then you don't need to worry about attackers. So, on any modern network where people actually need to get work done, can you make systems invulnerable to attack? If not, does this particular advice tell us anything useful? Maybe Sun Tzu was trying to say that we need to spend more and more money on IPS/SIEM/firewalls/antivirus, even if we don't see a particular need to upgrade or improve those areas.

[..]


From jericho at attrition.org Wed Jul 14 13:49:38 2010
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 14 Jul 2010 13:49:38 -0500 (CDT)
Subject: [attrition] Security Con Media Collection on eBay

http://attrition.org/news/content/ebay/dc-media/

Security Con Media Collection on eBay
Wed Jul 14 01:41:54 CDT 2010

It's that time again, we need to make room for more beef jerky, potable water and ammo. Out with the old, in with the gold we like to say. OK, Cancer Omega likes to say that, because he has been pawning off his gold teeth lately. After incredibly successful break-even auctions of Lazlo's Flasks and hacker stickers, it is time to put up our next box of crap. This time, the focus is on media from past hacker security conventions including DefCon, BlackHat and even shmoocon.

After each con it became ritual to quickly shove dead trees and polycarbonate plastic in a file folder, hit the shower to wash the stench of "con" off and proceed to drink a lot more to avoid a hangover. Eventually, that file folder turned up and it was time to pass it along.

What you will get..

[..]

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=260635249209


From jericho at attrition.org Tue Jul 20 01:39:14 2010
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 20 Jul 2010 01:39:14 -0500 (CDT)
Subject: [attrition] reminder: Security Con Media Collection on eBay

One day left! Bid and support the Open Security Foundation and attrition.org, rumor is we're to be named in a lawsuit by Gregory Evans any day now. =)

http://attrition.org/news/content/ebay/dc-media/

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=260635249209


From jericho at attrition.org Thu Jul 29 00:44:57 2010
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 29 Jul 2010 00:44:57 -0500 (CDT)
Subject: [attrition] Open Security Foundation Launches New Cloud Security Project

---------- Forwarded message ----------
From: Richard Forno

Open Security Foundation Launches New Cloud Security Project
Posted by jkouns 12 hours ago

http://blog.osvdb.org/2010/07/27/open-security-foundation-launches-new-cloud-security-project

The Open Security Foundation, providing independent, accurate, detailed, current, and unbiased security information to professionals around the world, announced today that it has launched Cloutage (cloutage.org), which will bring enhanced visibility and transparency to Cloud security. The name Cloutage comes from a play on two words, Cloud and Outage, that combine to describe what the new website offers: a destination for organizations to learn about cloud security issues as well as a complete list of any problems around the globe among cloud service providers. The new website is aimed at empowering organizations by providing cloud security knowledge and resources so that they may properly assess information security risks related to the cloud. Cloutage documents known and reported incidents with cloud services while also providing a one-stop shop for cloud security news and resources.

"When speaking with individuals about the cloud, to this point it has been a very emotional conversation. People either love or hate the cloud," says Jake Kouns, Chairman, Open Security Foundation. "Our goal with Cloutage is to bring grounded data and facts to the conversation so we can have more meaningful discussions about the risks and how to improve cloud security controls."

Cloutage captures data about incidents affecting cloud services in several forms, including vulnerabilities that affect the confidentiality and integrity of customer data, automatic update failures, data loss, hacks and outages that impact service availability. Data is acquired from verifiable media resources and is also open for community participation based on anonymous user submissions. Cloud solution providers are listed on the website and the community can provide comments and ratings based on their experiences. Cloutage also features an extensive news service, mailing lists and links to organizations focused on the secure advancement of cloud computing.

"The nebulous world of cloud computing and the security concerns associated with it confuses many people, even IT and security professionals," says Patrick McDonald, a volunteer on the Cloutage project. "We want a clearinghouse of information that provides a clear picture of the cloud security issues."