Presentation given to the Puget Sound ISSA in September 2008.

This presentation is not the full story of how to do risk assessments but is the basis or starting point of understanding for those that still use “Ghosts in the Graveyard” or FUD (Fear, Uncertainty and Doubt) as their model for convincing management that they need to implement better controls. The intent is to give you the understanding of doing quantitative or monetary risk assessments. It is one thing to preach regulations and requirements as your need for additional controls, but it another thing when you present hard dollar costs and present this as a model similar to the insurance industry. This presentation will also give you a very basic understanding of some of the terminology and tools that you might consider using to achieve your end goal which is convincing your management to spend the money on the controls and tools you need to effectively secure your environment.

Bruce Lobree, CISSP, CISM, CIPP

Mr. Lobree has worked in several industries including Utilities, Financial, Insurance and Software develop and currently works in the Gaming industry. He has worked in many levels of management within organizations from software development, application and network security up to and including executive positions responsible for Security programs for International Corporations. He holds degrees in Mechanical Engineering, Computer Science and Information Systems. He has co-authored books on security including the first CISSP manual and the first CISO manual and has spoken at local and national conferences on various subjects involving IT security and risk management.

Slides are available here:

business-impact-analysis

and his sample Risk Analysis spreadsheet is here:

blank-ra

“Spore” (Electronic Arts)

At the time of my writing this, the Amazon reviews are still abysmal because of the retarded DRM they’ve put in place.

I’m sure they’ll loosen up sometime soon.

In the meantime the reviews are pretty hilarious.

I should get around to playing it sometime soon.

Interestingly enough, the normal “off” with the Wii, is actually more like “standby” and is live on the network, checking for messages, and doing whatever Wiis do. This will be interesting a little later on.

While dorking around with my laptop in the living room doing some of my typical nerd things, I notice that I keep disassociating with my wifi network. There’s a bunch of competing wifi networks here, so I’ve become accustomed to a fair amount of fail related to it. Wifi is a convenience, but it was happening so much I thought that someone was using a deauthentication attack on my client.

I pulled the logs on my AP and saw this:

Well that looked a little slow for a typical attack. What else was happening?

The key was getting rotated every couple minutes and all the active clients were resetting their connections. What gives? What’s going on here?

Ok. So I threw laptop in passive mode and snooped on network traffic. So who’s this guy that’s flapping it’s connection every 10 seconds?

A Nintendo manufacturer MAC prefix? My Wii in suspended mode is breaking my WPA2 network? What the hell?

So apparently the Wii uPnP requests two TCP and one UDP ports on the router repeatedly, while in suspend mode, and the Apple Airport Extreme (that’s an 802.11n AP in mixed g/n mode) freaks out. This is clearly a new feature as I only updated my Wii’s firmware last week and would have been too annoying for me to miss previously.

In case you were wondering why your Wii was freaking out on your Airport or Airport Extreme network, hopefully you’ll have been able to find this and can troubleshoot further.

It might be the uPnP support for NAT port mapping, but my fix is to turn off the Wii fully when not in use. Hold down the power button until the LED is red instead of orange. I’m sure more people will complain and one or the other will update their firmware to compensate soon enough.

Since it’s so new, it’s not very well supported. Even the new chipset ethernet drivers (as of the beginning of August ‘08) are not yet in the linux kernel, so a simple install is problematic.

If I wanted to hack something all day long, I would likely go with ricer-linux. That’s not what I want to on a daily basis with a little mobile hackbox.

The default install is a debian variant, and I really distain Debian. Let me not take you to lame distro war forum, so I’ll just leave it at that. I’d be happier with a fedora 9 release, but they look like they’re never going to get it done right.

This leaves me with surprisingly few viable install options, but lots of promising hackability:

There’s an unused PCI-e slot which could be used for a 3G HSDPA card

There’s a space for a SIM card

There’s room for a 1.8 inch hard drive or SS

First is a Ubuntu EEE variant that supports the idiosyncrasies of the platform. Here’s the one specifically for the EEE PC 901.

Most of the other linux distributions are broken, poorly supported, or on the slow road to viability. Examples are the Suse variant, the fedora variant, and 901 specific hackint0sh builds.

I think a good example of the average user, one who shouldn’t bother with bleeding edge software, is here. Here’s another blog posting detailing some available options. Another user experience can be found here.

This should prove to be a good example of what options are available if someone isn’t served by Windows or the newbie linux distribution that comes installed on the platform when it ships.

So currently, the array.org tweaks to Ubuntu look to be the most usable project available. If you run into me roaming around Seattle, I’ll be likely to have it with me. By the way, ignore their USB install instructions and use the Fedora Project LiveCD Creator to make your USB installation media instead of having the dependancy of another linux system.

If they have a decent attention span and live in Seattle, I point them to the Seattle Bubble Blog. It does a great job of debunking a lot of the fluff that many people with a vested interest in selling something commonly tell prospective clients.

Without talking about market conditions just yet, let me give you my brief outline of why buying real estate might be an ok idea.

First, you the reader, should know that if you live in a nice city, you are likely better off renting. This is a fact unless you live someplace crazy-rural or you make way more money than most. You are better off just saving and investing your money than getting tied up in the never ending cashfest that is home ownership. Here is a New York Times calculator to play with that basically proves this if you use it correctly. Give it a try knowing that historical appreciation rates for property is under 5% and for the last two years it has been in negative numbers.

If you’re one of the few single or combined incomes that could use a large enough deduction from your income taxes and get a little bit of investment from it, lucky you. If you’re not sure, think about the following:

• The interest on your mortgage is deductible
• The added property taxes are not
• Neither are the costs for upkeep. (Note that repairs are not tax deductible, but improvements to a home are. This is why most people who can afford it add improvements instead of just remodeling.)

Basically the money you save by not paying rent needs to be greater than the total amount you pay out in closing costs, taxes, interest, and the amount “saved” by not giving it to the taxman. This is not most people. Most people are told that housing is a great investment, so they buy it anyway. This is part of why values of the housing market are falling like a stone right now.

So you’ve run the numbers. You understand the realities of taxes and financing. You’re considering that housing is not an investment, but a luxury that may possibly yield a profit in the end if you get lucky. How do you get the best deal? After having personally owned a couple of different residences and been involved in the transactions of several others, I have some suggestion that you may find useful.

1) Ditch your emotions and make the best deal you can.

Most buyers make impulse buys because a kitchen is pretty, the bathrooms have been remodeled, or there is a nice view. Don’t be that guy. Be critical and see it for what it is. It is a business decision. Make the best deal possible for you. This means buying the most value for the least of your money that you can. The only person with a vested interest in this is you.

Your real estate professional, if you are working with one, is motivated by the sale and the possibility of referral and repeat business. They have other commitments. They only have so much time to give you. Do not make the mistake of thinking that they will find you the best deal. They only want to find you a deal that you are happy with so that they can get paid. Romanticizing ideals past these simple motives does you no good.

Look at a lot of options yourself. Get a sense of what things are worth by yourself. Know how much you are willing to spend and your financial limitations.

2) Get the right tools for the job

If you don’t know what you’re doing, you’ll likely need to work through a full service professional to make sure you don’t get completely hosed. If you’re done this dance before, why pay for it? You will understand:

1. The bidding process and what conditions can be put into an offer
2. Inspection and conditions for sale
3. Closing details and games people will play with you
4. What can go wrong
5. The idiosyncrasies of the area

If you can handle these things, think about using a low cost broker or a tool like Redfin. The buyer’s agent commission is usually something like 3% of the value of the property. It can be more of a builder offers incentives because of their greater profit margin they have available to make deals, or less if the seller has stipulated so in the MLS listing. Sellers of moderately priced homes usually offer 3% so that buyers agents will bring prospective buyers to see the property. If the seller was offering 2.5%, the thinking is that they will get less interest because the agent wants their cash. It is perfectly sensible and is one of the many details of the experience that can be misunderstood.

If you use a site like Redfin, they capture about 1% of the deal and issue you a 2% rebate.

So, tools and resources that should be examined include:

• Brokerage sites such as Redfin
• Appraisal sites such as Zillow, Eppraisal, and Cyberhomes
• Foreclosure information sites if you want to take the added risks involved. These are usually funded by a monthly membership fee.

3) Spare no ones feelings

This is not a relationship. You are not dating or paling around with friends. This is a business transaction. Be brutal and fight for your best deal. Make low offers. What you do with your wallet is what a piece of property is worth. It is not your responsibility to fund someone’s retirement or otherwise give them a fat profit. You have enough to worry about without thinking about the goals on the other side of the table. Big money means that the details count for a lot.

4) The details are gold

Always get an inspection by inspectors that work for you. It is worth the money. Look at the tax records when constructing your deal. Try to know as much as possible as information is your friend.

5) Good luck

When you have done all of your homework and come up with a sound strategy for buying in a particular area, get your pre approval from for financier and start making offers. Finding the best deal on financing is also no simple matter and be aware of how referrals and business relationships may have vested interests.

If I’ve pointed you to this write-up after you’ve asked me about “so what’s the deal with buying a house,” let me know if it helped you.

Well this time, I saw this:

I can reply to a text to buy it? Yes please.

Now I can be a Nintendo fanboy without any effort at all. Sweet.

Mostly I view twitter as a noise application. It posts “microblogging,” a term which people with near zero attention spans seem to say a lot, updates everywhere, it uses the @username to respond to things. I view it as the ALL CAPS communication medium.

So I’m not in love, but I will use it via Twibble on my Nokia n95 to geotag myself and figure out where people I know are having fun when there are a few thousand people milling around.

There will also be flashmob like behavior coordinated by a con twitter id during the event itself.

I was really surprised at the quality of the event. Allow me to explain.

I’m used to these type of occasions being hosted in a filthy classroom or basement of a university or community college and attended by unwashed beasts that are fueled entirely by high fructose corn syrup and not really talking about anything of note besides arguing about what distro is better. This has been my past experience.

Thankfully, this was not one of those events.

This gathering was in a great facility provided by Speakeasy. They even threw down for pizza, salad, fruit and drinks. I’m in training and had none of it, but I appreciated the gesture.

A couple of the talks were particularly interesting as I haven’t been a day to day sysadmin for several years. It’s nice to be able to drop in on things and see some of the recurring problems solved in interesting ways.

First was a talk by Bryan McLellan about how he runs his infrastructure at Widemile.

The second that I found of interest was a demo of git, an alternative to code management systems such as subversion, by John Locke which showed how the compare, a demonstration of how it functions in routine situations, and a Q&A that focused mainly on what git does well and what subversion does not.

I’ll make sure to do my best to attend future meetings of this group. They’re a cool bunch.

If you’re looking for details, the details that were leaked, confirmed, retracted, and denied, here’s a description and a mirror.

So if you run your own DNS, upgrade already as you should have some time ago when you were first told to do so.

Perhaps I will switch to OpenDNS after all. In fact, I should have done this a while ago on most of the nets I deal with routinely.

The commentary in this posting is rather interesting as well. If you don’t trust OpenDNS, and I can’t say that I blame you, a comment poses a worthy option:

1. I run a local dns server that randomizes source ports whose network facing NAT does not derandomize source ports.
2. My local server resolves through the root servers. The queries are sent to a random root.
3. I limit my dns server to strictly use TCP queries and not to use UDP for queries.

Update:

Metasploit code now jupes entire domains.

I had no idea what she was talking about, so naturally I searched for “stardust trophies” and found that the Playstation network has finally added achievements, much like the xbox people have had for years.

So why hadn’t I noticed? I had been playing Metal Gear Solid 4 a few times this last week so I should have seen an update. What was going on here?

As it happens, the system update (v2.40) enables trophies and the related update to Super Stardust HD had been pulled because of widespread reports of it bricking Playstation 3 consoles.

Amazing.

It is said that v2.41 will be out midweek, but I find it seriously amazing that Sony would release an update that wasn’t tested enough to know that they would brick tons of consoles. Additionally, issues have been reported across all released hardware profiles, so it’s a comprehensive bricking update.

Nice work, guys.