Thursday, 31 December 2009

Best Book Bejtlich Read in 2009

It's the end of the year, which means it's time to name the winner of the Best Book Bejtlich Read award for 2009! Although I've been reading and reviewing digital security books seriously since 2000, this is only the fourth time I've formally announced a winner; see 2008, 2007, and 2006. 2009 was a slow year, due to a general lack of long-haul air travel (where I might read a whole book on one leg) and the general bleed-over from my day work into...

Wednesday, 30 December 2009

Every Software Vendor Must Read and Heed

Matt Olney and I spoke about the role of a Product Security Incident Response Team (PSIRT) at my SANS Incident Detection Summit this month. I asked if he would share his thoughts on how software vendors should handle vulnerability discovery in their software products. I am really pleased to report that Matt wrote a thorough, public blog post titled Matt's Guide to Vendor Response. Every software vendor must read and heed this post. "Software...

Difference Between Bejtlich Class and SANS Class

In a comment on my last post, Reminder: Bejtlich Teaching at Black Hat DC 2010, a reader asked: I am trying to get my company sponsorship for your class at Black Hat. However, I was asked to justify between your class and SANS 503, Intrusion Detection In-Depth. Would you be able to provide some advice? That's a good question, but it's easy enough to answer. The overall point to keep in mind is that TCP/IP Weapons School 2.0 is a new class, and when I...

Sunday, 20 December 2009

Reminder: Bejtlich Teaching at Black Hat DC 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. First up is Black Hat DC 2010 Training on 31 January and 01 February 2010 at Grand Hyatt Crystal City in Arlington, VA. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat set five price points and deadlines for registration, but only these three are left:

Regular ends 15 Jan
Late ends 30 Jan
Onsite starts at the conference

Seats...

Friday, 18 December 2009

Favorite Speaker Quotes from SANS Incident Detection Summit

Taking another look at my notes, I found a bunch of quotes from speakers that I thought you might like to hear. "If you think you're not using a MSSP, you already are. It's called anti-virus." Can anyone claim that, from the CIRTs and MSSPs panel? Seth Hall said "Bro is a programming language with a -i switch to sniff traffic." Seth Hall said "You're going to lose." Matt Olney agreed and expanded on that by saying "Hopefully you're going to lose...

Notes from Tony Sager Keynote at SANS

I took a few notes at the SANS Incident Detection Summit keynote by Tony Sager last week. I thought you might like to see what I recorded. All of the speakers made many interesting comments, but it was really only during the start of the second day, when Tony spoke, that I had time to write down some insights. If you're not familiar with Tony, he is chief of the Vulnerability Analysis and Operations (VAO) Group in NSA. These days, the US goes to...

Tuesday, 15 December 2009

Security as Interdepartmental conflict...

I received this message in my hotmail this morning: Why does Microsoft get dinged for this type of presentation? Why does it happen? On a small scale it was probably because the hotmail Calendar team wasn't talking with the hotmail Security team. But that doesn't answer much. Computer security is still, in almost all industries and architectures, an "add-in". It is overlaid on top of existing products and architectures. The...

Saturday, 12 December 2009

Keeping FreeBSD Up-to-Date in BSD Magazine

Keep your eyes open for the latest printed BSD Magazine, with my article Keeping FreeBSD Up-To-Date: OS Essentials. This article is something like 18 pages long, because at the last minute the publishers had several authors withdraw articles. The publishers decided to print the extended version of my article, so it's far longer than I expected! We're currently editing the companion piece on keeping FreeBSD applications up-to-date. I expect to...

Thanks for a Great Incident Detection Summit

We had a great SANS WhatWorks in Incident Detection Summit 2009 this week! About 100 people attended. I'd like to thank those who joined the event as attendees; those who participated as keynotes (great work Ron Gula and Tony Sager), guest moderators (Rocky DeStefano, Mike Cloppert, and Stephen Windsor), speakers, and panelists; Debbie Grewe and Carol Calhoun from SANS for their excellent logistics and planning, along with our facilitators, sound...

Sunday, 06 December 2009

Troubleshooting FreeBSD Wireless Problem

My main personal workstation is a Thinkpad x60s. As I wrote in Triple-Boot Thinkpad x60s, I have Windows XP, Ubuntu Linux, and FreeBSD installed. However, I rarely use the FreeBSD side. I haven't run FreeBSD on the desktop for several years, but I like to keep FreeBSD on the laptop in case I encounter a situation on the road where I know how to solve a problem with FreeBSD but not Windows or Linux. (Yes I know about [insert favorite VM product...

Saturday, 05 December 2009

Cell Tracking

This is the link to an absolutely extraordinary post on privacy by Christopher Soghoian: http://paranoia.dubfire.net/2009/12/8-million-reasons-for-real-surveillance.html . Mr. Soghoian's post describes the evolution of "Cell Tracking", an issue the EFF has discussed for a number of years at http://www.eff.org/issues/cell-tracking. An exceptional video on the current status of the law for "cell tracking" and "mobility tracking" can be found here: http://www.youtube.com/watch?v=YFo2VcfWCBQ&feature=channel/ The information reminds...

Thursday, 03 December 2009

Let a Hundred Flowers Blossom

I know many of us work in large, diverse organizations. The larger or more complex the organization, the more difficult it is to enforce uniform security countermeasures. The larger the population to be "secure," the more likely exceptions will bloom. Any standard tends to devolve to the least common denominator. There are some exceptions, such as FDCC, but I do not know how widespread that standard configuration is inside the government. Beyond...