Interviewed for the “What It’s Like” Series for CSOOnline

Posted November 23rd, 2010 by

Joan Goodchild interviewed me about some of my experiences in the big sandbox and how I was good enough at avoiding IEDs to make it there and home again–an abstract form of risk management. Go check it out.  And while you’re on the subject, or if you want visuals to go along with the story, check out my Afghanistan set on Flickr; a random selection of them is below.

Posted in Army, Risk Management | 1 Comment »

Evolving the Physical Hacking at Security Conferences

Posted November 22nd, 2010 by

There has been a fun evolution at hacker conferences for the past couple of years: the inclusion of hackerspaces.  Hackerspaces fit nicely into the hacker ethos.  But I’ve also heard grumblings via the tubes about the relevance of the projects that they bring to hacker conferences, something along the lines of “Why has every security conference turned into a Maker Faire?” (TM O’Reilly or somebody like that).  The behind-the-scenes info is that each hackerspace has its own feel and its own kind of projects that it’s “into”, and you get whatever the local hackerspace brings.  While I consider hackerspace booths at security cons to be pretty awesome, I have some suggestions for steering things back on track.

Things I would like to see in a petting zoo (yes, an “Evil Petting Zoo” and this is by no means an exhaustive list):

  • RFID widgets and software
  • Mag stripe readers
  • Barcode readers/writers (Duh, I can help out here)
  • Wifi stupid pet tricks
  • Bluetooth
  • WRT Routers
  • Smartcards and readers/writers
  • Single-board/mini computers

Of course, if you’re into any of these and have the hardware, software, or know-how, there is nothing keeping you from teaming up with hackerspaces at conferences and bringing some of your toys.  Sharing is caring, y’alls.  =)

Posted in Hack the Planet, Rants, Technical | 1 Comment »

Coming Soon to a Cloud Near You…

Posted November 22nd, 2010 by

Granted, it’s a secondary source and therefore subject to being corrected later in an official announcement, but this is pretty big.  Requiring the Departments and Agencies to consider cloud solutions both scares me (security, governance, and a multitude of other things about rushing into mandated solutions) and excites me (now cloud solutions are formally accepted as viable).

However, before you run around either proclaiming that “this is the death of serverhuggers” or “the end is nigh, all is lost” or even “I for one welcome our fluffy white overlords”, please consider the following:

  • A “secure, reliable, cost-effective cloud option” is a very loaded statement very open to interpretation
  • They already have to consider open source solutions
  • They already have to consider in-sourcing
  • They already have to consider outsourcing
  • “Cloud” more often than not includes private clouds or community clouds
  • Isn’t this just another way to say “quit reinventing the wheel”?
  • Some Government cloud initiatives are actually IT modernization initiatives riding the bandwagon-du-jour
  • Switching from Boeing, Northrop, and SAIC beltway bandit overlords to Google, Amazon, and SalesForce cloud overlords still means that you have overlords

Posted in Outsourcing, Rants | 2 Comments »

FedRAMP is Officially Out

Posted November 3rd, 2010 by

Go check it out.  The project management folks have been jokingly grilled over numerous times for being ~2-3 months late.

However, comments are being accepted until December 2nd.  Do yourselves a favor and submit some comments.

Posted in FISMA, NIST | 2 Comments »

Entrepreneurship and Government 2.0

Posted November 2nd, 2010 by

Catching you up here with some of the Gov 2.0 kids.  Steve Radick wrote an interesting blog post about Government 2.0.  And I’m thinking “damn, right on!”  Now don’t get me wrong here, sometimes I’m critical of the Gov 2.0 crowd because it seems like about half the time they’re throwing technology and data at people to see what will stick instead of asking the non-IT program managers what information they need in order to do their job right.  But in this case, Steve’s blog post does have relevance for Government IT security folks.

At this point, you’re probably thinking “But Mr Rybolov, how the heck does this relate to IT security and the Government?” and you’re definitely right to ask.  Well, way back in the halcyon days of last year, I came to a realization that tactical and technical security solutions come from the bottom and that compliance and regulation come from the top.  I even built a model about it.  One of the implied problem areas is that if your management model goes “top-down”, then it gets filtered through bureaucracy.

I was at an AFCEA awards banquet trying to pretend that I wasn’t really a reformed infantryman (think “professional troll”) when Roger Baker gave an awesome talk about “practicing random acts of defiance of the bureaucracy”.  I think there’s a bit of genius in that statement.  It’s one of the reasons why I blog: as a regular Joe not in the Government, I’m reasonably free to talk about the successes and failures of my friends in the Government where they can’t.

Hence my grand unified theory on life, the universe, and everything else: the InfoSec career field is a lot more like soccer or law enforcement than football and the court system–sometimes we depend on the most junior people who are operating semi-autonomously within their assigned sector.  But my point (I know, you’re wondering when I’ll get there) to this whole post is that if we’re going to have a decentralized industry, we also bear the responsibility to train our folks to operate independently and to have the skillset to be well-rounded enough to work in a wide variety of situations.

Posted in Rants | 2 Comments »

My Month of Entertainment

Posted November 2nd, 2010 by

So for those of you keeping track at home:

  • Indian firm Aiplex announced that they were launching Distributed Denial-of-Service (DDoS) attacks against The Pirate Bay. (the attack)
  • The collective wisdom (Anonymous) of the Internet decided that in turn it would DDoS Aiplex, the MPAA, the RIAA, and their international counterparts in Operation Payback. (the counter-attack)
  • Somebody has DDoS’ed the sites coordinating the attacks. (the counter-counter-attack)
  • I’m popping up some popcorn to wait for the counter-counter-counter-attack and to watch the backscatter.

May we all live in interesting times, to say the least.  Some random thoughts I’m having about the DDoS campaigns:

  • If people hate you enough to show up with signs outside your office to protest, they hate you enough to flood your network.
  • Activist/vigilante/mob rule/protest has evolved to a very viable DDoS platform using a wide variety of operating systems.
  • The DDoS campaign in 2008 against the Church of Scientology was called off by activist leaders, so now we’re seeing the unbridled fury of the Intertubez unleashed.
  • On the tools side of things, I’ve seen some good development and some really creative methods to let non-technical folks participate in the DDoS.
  • Coordinating an activist army seems like the weak point in the model.

Posted in Cyberwar, Hack the Planet | 2 Comments »