Saturday, 30 June 2012

China's High-Tech Military Threat and Air Sea Battle

Two months ago Bill Gertz published an excellent article titled China's High-Tech Military Threat. I wanted to share a few excerpts that resonated with me. [I]n November 2011, the Pentagon conducted an unusual rollout of a new military unit called the Air Sea Battle Office... The concept calls for the Air Force, Navy, and Marine Corps to integrate forces and other capabilities to defeat what the Pentagon has labeled “anti-access and area denial...

Friday, 29 June 2012

Bejtlich's Thoughts on "Why Our Best Officers Are Leaving"

Twenty-two years ago today I flew to Colorado Springs, CO and reported for Basic Cadet Training with the class of 1994 at the United States Air Force Academy. I took the oath of office pictured at left the following day. I left the service in 2001 because I could no longer fit my military intelligence and computer network defense career interests within the archaic, central planning commission-like personnel system that ruled Air Force assignments....

Tuesday, 26 June 2012

More Disclosure of Vulnerabilities in Attacker Tools

Two years ago I wrote Full Disclosure for Attacker Tools, where I wrote in part: The idea of finding vulnerabilities in tools used by attackers is not new. It's part of the larger question of aggressive network self defense that I first discussed here in 2005 when reviewing a book of that title. (The topic stretches back to 2002 and before, before this blog was born.) If you follow my blog's offense label you'll see other posts, such as More Aggressive...

Thursday, 21 June 2012

Charting Procmon network output with .NET 4.0 and Powershell

Lots to work out in this post. Powershell v3.0 CTP2 or Beta. Procmon is Mark Russinovich's flagship tool for diagnosing Windows activity. It normally runs from the (admin) command prompt:

procmon /noconnect /nofilter /minimized /quiet

From a Powershell admin prompt you can run it thus:

start-process .\procmon.exe -arg '/LoadConfig JustNetwork.pmc','/quiet' -verb runas -window hidden

whereupon a hidden procmon would run in the background capturing network...

Tuesday, 19 June 2012

What Gets Measured, Matters

I received the latest issue of my alumni magazine, Checkpoints, today. It's graduation season, so the content included statistics about the latest graduating class as shown at right. This relates to a recent post, Whither United States Air Force Academy?, where I said the skill most needed to help grow the nation is digital defense. The statistics the Checkpoints editors chose to print, however, reminded me of the Academy's current focus. Notice...

Saturday, 16 June 2012

Flame Hypocrisy

I liked Kurt Wismer's post Flame's Impact on Trust. He says: if you haven't watched it yet, i encourage you to check out the video of chris soghoian's talk at personal democracy forum 2012. the TL;DR version is that, because it compromised the microsoft update channel, the flame worm damaged our trust in automatic updates and that's a bad thing because automatic updates have done so much good for consumer security. mikko hypponen is even reported...

Saturday, 09 June 2012

Whither United States Air Force Academy?

Thomas Ricks' post Does the Air Force Academy have ‘the least educated faculty’ in the country? inspired me to write this post. Mr. Ricks cited a story by Jeff Dyche, a former USAFA professor who cited a litany of concerns with the USAFA experience. I graduated from the Air Force Academy in 1994, ranked third in my class of 1024 cadets, and proceeded to complete a master's degree at Harvard in 1996. In my experience, at least in...

Charting ordered Hash Data from the Security Event Log

# RMF Network Security Friday, June 08, 2012  PS CTP3V2
# See http://thinking-about-network-security.blogspot.com/2012/03/evtsys-actually-auditpol-and-auditusr.html for auditpol configuration to accumulate (Security) Kernel counters.
# where do.txt:
# New Process Name:
# Destination Address
# See MS Charting derived Function 'Chart-hashdata'
if ($HashData) {rv HashData}; if ($ArrayData) {rv ArrayData};
[array[]]$ArrayData=get-winevent -log...