36 Chambers – The Legendary Journeys: Execution to the max!

May 28, 2014

Stratfor: Disband the CIA and NSA, it’s all the intelligence gathering you’ll ever need!

Filed under: (In)Security, Specific Stupidity — Tony Demchak @ 2:01 pm

A friend pointed this out to me on another website. We have this brilliant tagline:

Best-selling author George Friedman founded Stratfor in 1996 to bring customers an incisive new approach to examining world affairs. Under his direction, Stratfor taps into a worldwide network of contacts and mines vast amounts of open-source information. Analysts then interpret the information by looking through the objective lens of geopolitics to determine how developments affect different regions, industries and markets.

So, they Google stuff on the internet and watch CNN. And calling geopolitics “objective” is hilarious.

Their vision:

Stratfor’s vision is to be the foremost provider of predictive geopolitical-based intelligence services.

Stratfor’s core philosophy is that transformative geopolitical events are neither random nor unpredictable. Building on nearly 20 years of experience as the world’s premier geopolitical intelligence firm, Stratfor develops constraint-based narratives for key trends around the globe — placing today’s events in context and forecasting tomorrow’s new developments well before they appear in the headlines.

This reminds me of this Dilbert comic. Wally has a ponytail because he’s discovered it makes people give him venture capital. Ah, 1999.

The core philosophy is bold, I’ll give them that. I love the idea of “constraint-based narratives,” which makes me think of unconstrained narratives. “We predict that giant robot whales will develop nuclear technology, but we think Aquaman will try to calm them down, until he realizes whales are mammals and not fish. ESPECIALLY robot whales, who are clearly robot mammals.”

Of the three experts they champion, the one thing they all have in common is that they’ve sold a lot of books. That means they’re good at convincing people to believe their bullshit, which is not the worst qualification for running a geopolitical intelligence firm, you have to admit.

You can check out their methodology, which successfully proves that they have at least one graphic artist. Oh, one of the award winning reports they author?

The very first sentence is complete horseshit.

Like nearly all of the peoples of North and South America, most Americans are not originally from the territory that became the United States.

Since you’re using “are” — indicating present tense — I would argue the exact opposite: most people who are Americans did come from the United States since, you know, no matter how bad illegal immigration is, it has yet to reach over 50%. Even if you include legal immigrants, it’s still way less than 50%. According to the Brookings Institution, it’s actually less than 20% (although it is not clear whether or not this figure includes illegal immigrants, they link to a paper I could read if I cared to break it down.)

It takes a special kind of stupidity to achieve almost complete incoherence one sentence into a flagship paper. One more insane sentence, which leads off the second paragraph:

The American geography is an impressive one.

“One?” One of what? Are you trying to say, “The American geography is an impressive geography?” Because that’s moronic. “Geography” — specifically, the science of studying the earth, or the physical location on the earth of some natural feature — cannot be impressive. Would you call the Grand Canyon “an impressive geography of America”? No. You could say “the Grand Canyon is an impressive feature of American geography.” But geography, in and of itself, cannot be impressive. I’m theoretically paying damn good money for your nonsensical advice. Try to make it coherent nonsensical advice!

Oh, and a free tip (the next one is $100,000): nothing is inevitable, in a historical sense. Only Marxists think that. Wait a minute… you aren’t a big Commie, are you, Stratfor?

May 18, 2014

BlueHat Security Briefings: Fall 2013 Sessions | Channel 9

Filed under: (In)Security — Kevin Feasel @ 3:13 pm

http://channel9.msdn.com/Events/Blue-Hat-Security-Briefings/BlueHat-Security-Briefings-Fall-2013-Sessions

BlueHat is a Microsoft-sponsored security conference. If you do anything with PowerShell, this is your lucky day.

April 13, 2014

New Presentation: SQL Injection

Filed under: (In)Security, Database Administration — Kevin Feasel @ 6:00 pm

I will be presenting for the PASS Security virtual chapter on Thursday, April 17, 2014 at 1 PM Eastern.  Attendees can go to the link to register for the webinar.  The talk is entitled “Understanding and Eliminating SQL Injection” and here is the abstract:

Over the past several years, hacktivists, criminals, and people just “out for lulz” have managed to find sensitive data owned by organizations like Sony, Yahoo, NASA, and the U.S. Army, among many others. In all of these cases, the attackers exploited websites using SQL injection attacks.

SQL injection is at the top of the Open Web Application Security Project (OWASP) top 10 list and is an important part of one of the SANS 20 critical security controls. This talk will go into what SQL injection is, how attackers can use it, and how to secure your sites so that your CIO and CISO never show up on the evening news.

Although the talk will focus on using the Microsoft stack (IIS, ASP.Net, and SQL Server), the lessons will apply to all web systems everywhere.
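As an added example that is not part of the talk or the original post, here is the core of what the abstract promises in runnable form: a login query built by string concatenation beside its parameterized replacement, plus a search query that leaks another column through a UNION. sqlite3 stands in for SQL Server, and the table, rows and attacker inputs are constructed for the example; the parameter mechanism is the same idea as SqlCommand.Parameters in ADO.NET.

```python
import sqlite3


def make_db():
    """Build an in-memory SQLite database with constructed sample rows.

    sqlite3 stands in for SQL Server here (assumption for the example); the
    parameter mechanism is the same idea as SqlCommand.Parameters in ADO.NET.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", 1), ("bob", "hash-of-bob-pw", 0)],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable login: user input is spliced into the statement text,
    so a quote in the input changes the structure of the query."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    """Parameterized login: the values travel separately from the statement
    and are only ever treated as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, password_hash)).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """Vulnerable search: a UNION in the input pulls rows from other columns."""
    sql = "SELECT username FROM users WHERE username LIKE '%" + term + "%'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def search_safe(conn, term):
    """Parameterized search; the wildcards go into the bound value, not the SQL."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [r[0] for r in conn.execute(sql, ("%" + term + "%",)).fetchall()]


# Constructed attacker inputs for the example.
BYPASS = "alice' --"                                     # comments out the password check
EXFIL = "zzz' UNION SELECT password_hash FROM users --"  # appends a second SELECT


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, "wrong"))  # alice: logged in without the password
    print(login_safe(db, BYPASS, "wrong"))        # None: the quote is just data
    print(search_vulnerable(db, EXFIL))           # both password hashes leak out
    print(search_safe(db, EXFIL))                 # []: nothing matches that literal
```

Parameters fix the case where the untrusted value is a literal. They do not help when the input has to become an identifier (a table or column name, an ORDER BY target); those have to be checked against an allow-list before they touch the statement, and the database login the web application uses should have no more rights than the queries it actually runs.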

April 11, 2014

Heartbleed

Filed under: (In)Security — Kevin Feasel @ 6:00 pm

So…it turns out that OpenSSL has been broken for about two years. The Heartbleed bug (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f, which covers most UNIX-based servers doing TLS with those versions; an unauthenticated client can read up to 64 KB of server memory per request, and that memory can hold private keys, session cookies and passwords. If you use OpenSSL on a server, get this fixed now: update to 1.0.1g or a distribution build with the fix, then treat any certificate whose private key lived in that process as exposed and reissue it. Many of the big companies are doing so now. If you don’t, you’re probably going to get several “Hey, you should change your password” e-mails over the next several days. Wait until a site has actually patched before changing your password there; a password changed on a still-vulnerable server can be read right back out.

Bruce Schneier has more. For a humorous take, check out The Daily WTF. Several people there make the argument that we shouldn’t use C or other languages without bounds checking for…well, pretty much anything. Given how easy it is for a good developer to make a catastrophic mistake and for it to sneak by code reviews for years, I think they have a point.

April 9, 2014

Going To Derbycon

Filed under: (In)Security, Where's Poochy? — Kevin Feasel @ 6:00 pm

I will be going to Derbycon for my third straight year.  This year, I’m taking Carlos Perez’s training course on using Powershell for defense and post-exploitation.  The last couple of years, I branched out into parts of security in which I had no experience; this is coming a lot closer to my wheelhouse.

I also have submitted a paper for their CFP.  Here’s my title and abstract:

A Gentle Introduction to Security Economics

Why do software manufacturers release software known to be vulnerable? Why are 419 scammers’ e-mails often so poorly written? Is making software open source better for security–or could it actually be worse? These are all questions which we can answer using economic tools. Economics is, at its core, the study of human behavior; given that security is fundamentally a human problem, marrying economic concepts to security analysis can give security researchers a better perspective on the problems we’re all trying to solve.

This talk assumes little to no knowledge of economics among attendees and will feature exactly zero Lagrangian calculations.

This talk is somewhat far afield of your standard Derbycon talk—which tends to be either highly technical or advocacy-related—but with luck, the committee will select my paper and I’ll have a chance to present in front of a brand new audience.

March 30, 2014

Derbycon Tickets On Sale This Week

Filed under: (In)Security — Kevin Feasel @ 1:50 pm

Derbycon 4.0 tickets go on sale April 3rd.  I’ve booked a room at the Hyatt and plan to snag a ticket.  This is one security conference I make a point to attend each year.

March 9, 2014

Intelligence Community Fooled Again

Filed under: (In)Security — Kevin Feasel @ 7:30 pm

It appears that U.S. intelligence had no idea that Russia’s military was going to invade Ukraine.  If only they had spied on the other 2/3 of Americans’ calls, they certainly would have gotten this one!

February 16, 2014

Kickstarter hacked

Filed under: (In)Security — Tony Demchak @ 7:48 am

Yeah, you might want to change your password if you have a Kickstarter account.

(Also, it feels weird stealing Kevin’s category like this.)

February 15, 2014

No Security Allowed

Filed under: (In)Security — Kevin Feasel @ 6:00 pm

Bruce Schneier has been all over this NSA mess.  This includes a number of essays, including this one from about a month ago.  He also testified before Congress on the issue.

January 22, 2014

This Year’s Conference Schedule

Filed under: (In)Security, Computinating, Database Administration — Kevin Feasel @ 6:00 pm

I’m looking at a pretty busy conference schedule this year.  Here’s what I’m looking forward to:

February 8 — Powershell Saturday 007, Charlotte, North Carolina.
March 22 — SQL Saturday #277, Richmond, Virginia.
May 16 — May 18 — CarolinaCon-10, Raleigh, North Carolina.
June 14 — SQL Saturday #299, Columbus, Ohio.
September 6 (?) — SQL Saturday, Raleigh, North Carolina.
September 24 — September 28 (?) — Derbycon 4.0, Louisville, Kentucky.
November 4 — November 7 — PASS Summit 2014, Seattle, Washington.

I might be able to sneak one or two more conferences in there, but going to seven conferences across three major domains is pretty nice for me.  I might also be able to attend the 2014 Raleigh Code Camp if the time is right.
