From jericho at attrition.org Sun May 8 17:14:11 2011
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 8 May 2011 17:14:11 -0500 (CDT)
Subject: [attrition] Over Reliance on Social Network Friends in Zynga Games
Message-ID:

http://attrition.org/~jericho/works/misc/zynga-social_pressure/

Over Reliance on Social Network Friends in Zynga Games
Re-thinking Game Design for Character Advancement

Sun May 8 17:13:37 CDT 2011

Abstract:

Zynga is a commercial company that produces free games that are played via the Facebook social network. Per Zynga's mission, they seek to "connect people through games". This is readily apparent in their eagerness for you to play games with your friends through a number of game designs and technical mechanisms. In recent months, however, the means by which they intend to connect people via their 'Virtual World' games have become irritating and counterproductive to their enjoyment. This article will outline some of these game design problems and suggest alternative methods for achieving the same goal, while reducing the social burden on players.

[..]

From jericho at attrition.org Thu May 19 13:38:14 2011
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 19 May 2011 13:38:14 -0500 (CDT)
Subject: [attrition] New Charlatan on Errata
Message-ID:

http://attrition.org/errata/charlatan/htbridge/

High-Tech Bridge / HTBridge

High-Tech Bridge SA is a Swiss InfoSec company that claims to be experts in ethical hacking / penetration testing services. They proudly wave the Swiss flag and Swiss shareholder capital as a sign that they are "vendor neutral". Claiming to be led by Swiss security experts, HTBridge has released a flood of pedestrian security advisories in products most people have never heard of. These advisories are riddled with errors and omissions and serve as a stark warning to would-be clients.

HTBridge's leadership has no discernible record before the company was founded, despite claims of being in the industry for 10 and 15 years.

[..]

From lyger at attrition.org Sat May 21 19:16:05 2011
From: lyger at attrition.org (lyger)
Date: Sat, 21 May 2011 19:16:05 -0500 (CDT)
Subject: [attrition] article: Information Security and Professional Wrestling: "Working" In An Industry
Message-ID:

May 21, 2011 19:13:43 CDT
Lyger

Introduction

The worlds of information security and professional wrestling really aren't all that different. On the surface, the preceding statement may seem absurd to some, but looking at each realm from the perspective of an observer with a decent working knowledge of both "industries" can provide several examples of parallelism. In general, both center around conflict resolution as an end-game. Aiming toward that end, both also provide various levels of vulnerability management and incident response that occur during any particular situation (also known as an "angle" or "program" in pro wrestling parlance) and often involve different levels of drama, strife, and of course, entertainment.

As the Internet became more mainstream in the early to mid-1990s, many professional wrestling fans who were privy to behind-the-scenes knowledge congregated on USENET's rec.sport.pro-wrestling (aka RSPW) to discuss current and potential storylines, in-ring action, and the politics involved with the business side of the industry. Perhaps ironically, RSPW was one of the more popular newsgroups during this time even though the "typical" professional wrestling fan had (and still has) been stereotyped as being of lower-than-average intelligence with a slim chance of being able to communicate effectively, especially over a medium like the Internet with providers as complex as AOL and Compuserve (*cough*).

Much like today's Twitter, where information security professionals and enthusiasts share news and short bursts of wisdom (or idiocy) in a public forum, RSPW subscribers were highly active on a daily basis, and at times the conversations mirrored the tone and attitude of professional wrestling itself. Over time, some newsgroup posters evolved into personas, emulating the "faces" (good guys) and "heels" (bad guys) similar to the protagonists and antagonists in professional wrestling itself.

The information security industry has gone through something similar over the past several years. As previously mentioned, Twitter has become one of the industry's favorite ways for companies, organizations, researchers, and enthusiasts to communicate in near real-time about dozens (hundreds?) of subtopics on an hourly (per-minute?) basis. The increase in frequency of communication has oftentimes led to an almost free-for-all feel to the infosec Twitter community, and it's probably not much of a stretch to assume that certain social "roles" or personas have either intentionally or unintentionally been assumed by some security professionals, whether as an accurate reflection of their true personalities, an extension of their personalities into exaggerated personas, or flat-out (again, to use a professional wrestling term) "gimmicks" to increase their popularity (certainly @attritionorg has been known to intentionally add some flair to their tweets).

[...]

From jericho at attrition.org Fri May 27 04:44:37 2011
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 27 May 2011 04:44:37 -0500 (CDT)
Subject: [attrition] A Curmudgeonly Reply to an Anti-Curmudgeon Rant (in two parts)
Message-ID:

http://attrition.org/~jericho/works/security/curmudgeon.html

A Curmudgeonly Reply to an Anti-Curmudgeon Rant (in two parts)

Fri May 27 04:29:16 CDT 2011

Bill Brenner wrote an article titled "Take the word curmudgeon and shove it" in which he makes relatively sweeping statements about the "people in security [that] call themselves curmudgeon". As one of the long-time security curmudgeons, I took offense to his article, calling it pathetic. Brenner was intrigued by that response and others and asked for a counterpoint post, something that was already in the works.

[..]