Anyway, while doing this, I’ve been categorizing my RSS feed’s saved items – generally I store “interesting” things I have found so that I can refer back to them or use them in work/presentations/papers.  Normally, these are just for me (although I may email some to a wider audience.  However, the latest version of FeedDemon (my RSS reader of choice at the moment) doesn’t support their online Newsgator service any more in preference of Google Reader, so that’s where my saved items are going, as well as the online backup/cache of the feeds I’m reading.

Now, although I now work for Microsoft, and even more so work in Bing, I still like a number of Google’s products – I’m pretty non-partisan and will just use what works for me unless there’s something I can dogfood and make better.  This does give me an opportunity though to share these saved items which you can see in the new “Shared” box to the right.  I’m not sure, someone may find this useful, but it’s literally no work for me to add so why not.

As expected, there’s quite a lot currently on security, software engineering, technology, web, etc (ignore the gossip – tags and folders are both included in this tag cloud and that’s where my feeds like ValleyWag and MiniMSFT go ).

Main bag

I’ve spend ages (and lots of $$$) getting the “right” bag and I think this is the one for me.  I’ve had Oakley bags, Crumpler bags, Timbuk2 bags, but the Swiss Gear Synergy backpack is what I’ve used for well over a year now.  Some people have shoe fetishes; mine’s bags.  I keep getting/changing bags so often but the fact I’ve had and used this one for so long must mean something!

Comms

Currently I have have an ATT Tilt phone which does me very well.  Because of work I don’t have an iPhone (incompatible email – Blackberry or GoodLink – don’t even ask) which I guess I would consider, but I have to have email on my phone and I’m not carrying two devices.  When it’s available on a GSM provider (ATT or T-Mobile in the US) I’m really going to look at getting the Touch Pro 2.  In addition to the phone itself I always carry a spare battery just in case (after a long day of consulting, and especially IR work, batteries drain quickly – more reason not to go with an iPhone ) and a spare charger so I don’t have to remember to pick up the one at home each time.  For a headset, which I honestly don’t use all that much, the Jawbone 2 has been excellent.

Peripherals

I use a Kensington power supply with multiple tips for other devices I carry so I don’t have to pack multiple chargers.  Yeah, I know the cell phone charger is a separate one, but I’ve found I have to carry at least these two or I forget to charge my phone each night! Looking to pickup a Belkin power splitter so I can use/charge multiple things when there’s limited power outlets like in airports and some hotels.

I also carry a Kensington laptop lock which I always use because it’s just too easy to walk away with a laptop and have seen it many times.  I wouldn’t be all that worried about the data as I use SafeBoot and PGP VirtualDisks for client information, but being without a laptop would be a major PITA.

In the case is a headset/mic and a webcam.  I use the two for staying in touch with home when I’m traveling and conferences calls via Skype.  The choice for the Logitech headset was as much for the case as the headset itself – although the headset is good, having a solid place to put it and some other things at a squeeze, sold it for me as I’ve busted many others by not having having a place to protect them

Rounding out I have a general power converter (only needed when traveling international), a short USB cable (never know when you need one), and a Microsoft ARC mouse – a tad expensive for what it is, but has been the best travel mouse I’ve had in a while and folds up into nothing.

Entertainment

Sitting on a plane or in a hotel room can be boring.  I have a 32GB iPod touch with lots of music, a few audio books and no video (see later).  I’ll always have a separate media device as the last thing I want is to get off a flight only to find I’ve used up all the juice of my phone – if the iPod runs out, then I’m not stuck.  Pairing with the iPod I have a set of Sure SE210 in-ear buds.  I’ve tried the noise cancelling headsets and they make me feel like my head is underwater.  These are really light, great sound, and I’ve used Sure stuff for years so I know are good quality. 

I always have some book on the go (no Kindle for me for lots of reasons, but primarily when I’m done I like to pass my books on) and stuff some magazines into the bag as well (yes, that is Geek magazine – you got a problem with that?).  Not pictured is that I have a Tivo (a real one – not a crappy DVR) at home and a SlingBox so I can catch up with TV.  I also have a homeserver that I can grab videos off if I’m really bored, although that seldom happens; mostly the homeserver is for backups and offline storage and has meant that I can now ditch a USB hard disk I used to travel with.

GPS

Very recently I got a cheep TomTom.  This is pretty new to my travel collection as I got fed up with paying (extortionately) for one at the car rental when going to a new place.  I used to either use the GPS on my phone, or print out maps, but it’s good to have when you have to find a client’s office and also somewhere to have dinner in a place you’ve never been before.  I make use of a few Eagle Creek cubes to separate things out (I can grab what I need easier when I go, and though TSA if necessary) and to make my bag a bit easier to manage

Misc

In the “i don’t know what to class this under”, there’s a few other things I have in my bag.  A blow-up travel cushion helps me get some sleep on planes (I prefer to have a window seat where possible so I can prop myself up), as well as some ear-plugs if I’m not listening to my iPod. 

I try to be conscious that talking lots makes your breath smell, so I have some TicTacks or breath strips/mints.  An Oakley lanyard is useful sometimes for security badges and to hold keys so I don’t lose/forget them.  The Oakey vault case (did I say how much I love Oakley products) holds my sunglasses while in the bag so they don’t get crushed. 

Business cards are a necessity, as is my Moleskin notebook and Fisher space pen – my handwriting isn’t great so I don’t make that many handwritten notes, mostly I use my laptop, but in meetings I’m not a huge fan of peering over laptop screens and it’s easy to get distracted into the laptop rather than what is going on in the meeting.  There’s a multi-function screwdriver/light/etc that was a Foundstone freebie a while back that I’ve just never removed from my bag, and some Crystal Light (always Orange for me) that gives water a little bit more taste (I always grab a bottle of water before getting on a flight – you have no idea how often the trolley service is going to be).

Laptop

I don’t get much choice with the laptop other than going out an buying one myself.  As I can get though about one a year (which goes back to our fantastic Tim that swaps them for us and revives them back to life, good as new), I’m reluctant to get my own although I’d like a tablet like a Dell XT2 or HP TX2Z, depending on how well they fit with my home setup – has to support a external multi-monitor setup.  So, after all that explanation I have a Dell D630 which does me fine.

Case

The final thing is the main case that I use.  I hate checking luggage not only because of the probability of it getting lost, but the time waiting to pick it up at baggage claim, so I have a carry on.  I’ve had Samsonite cases for years – my old Oyster case has literally been round the world a few times and survived 4 years of constant touring and being thrown in the back of trucks.  I much prefer hard-side cases because they can take more abuse than soft sides and their zippers.  I can’t even remember the name of this case I have because I’ve had it for over 5 years (with one trip back to a Samsonite repair shop for minor fixes) – this thing is an absolute tank!  Generally I can easily pack for 1-1.5 weeks (or longer with a laundry stop) in here.  I won’t go into packing this case because it changes depending on where I’m going, the client, climate, etc, etc, but I’m sure you get the idea.

There’s a lot of plusses and minuses in consulting as Curphey pointed out in an old blog post.  Travel for some can be a no-go, but I’m pretty used to it from my previous career.  If anything, the thing that get me riled the most about having to travel as part of work is the notice part – for an IR gig I expect to be on a plane within a few hours, but other work I at least expect a couple of weeks.  Duration is a big thing as well with a lot of people, and I don’t think I could handle any more than 50% for a long duration.

However, travel can be fun, especially if you do it right.  Lifehacker has had a series on people’s “go bags”, but I guess this is slightly different – this is my travel setup, and although I guess in some way it is  my “day-to-day”, I know that in a different job without travel my bag would be very different.  These are the tips and technology that I travel with, and I would bet that many others have their own.  If you do and want to share, I’d love to hear about it either in the comments, or better your own blog post. .

Risk Tracker, CAT.NET, Anti-XSS, Threat Modeling Tool, which are all public (and even open source!), and some projects that are internal to MSFT that should make life easier for them. 

I certainly look forward to seeing Risk Tracker as I have some ideas in that space myself, as well as CAT.NET (needs improvement in scalability) and Anti-XSS (needs to be less aggressive in some contexts, although also like that SQLi vuln discovery is going to be added).

Nice to see that team has some good work coming out.  I met with Mark a week or so when he came up to Seattle looking for a place to settle and it’s clear that he’s really enjoying this role and the creative outlet.  Here’s to more of the above I say

As the image above hints at, I’ve headed home for xmas the the new year to spend with friends and family.  It’s certainly not been a relaxing trip as I’ve still been working (taking advantage somewhat of the timezone difference between the UK and US) and trying to squeeze in seeing friends and family.  If I haven’t had a chance to catch up with you I apologize as I just couldn’t get the time (I’m hoping to get back soon, which I’ll ping all the people that I didn’t get to see!).

This year has certainly been interesting, personally, work, and in the security field.  I’m working on a couple of (larger) posts on my thoughts on cloud security, trends (I think I might stay away from the predictions game, but will link/comment on ones I find interesting ), and have a series of webcasts pretty much in the bag on WebAppSec 101 – basic security reviews for webapps – ready to start posting early 2009.  As for that, there’s a fair few plans I have for 2009, some big, some small, some huge, which I’ll share as they become more fully formed.  One think I will be doing next year though is taking some vacation!  I’ve realized that my last "real" holiday (one that wasn’t a few days tacked onto a work trip) was in Sept 2006!  So, in April we’re heading down to Australia for the month – if there’s any recommendations you have, feel free to get in contact and share them as other than Sydney and Uluru, there’s a big country to explore with too little time to really hit even the highlights.

Anyway, I wish everyone a great new year and a prosperous 2008.

Tara and I were going out shopping today, and one of our friends wanted to tag along with us.  We thought out quota of excitement for the day would be a bunch of film trucks around the Seattle Library – once you’ve seen them around LA, they are hard to miss – so we stopped to see what they were up to (a car commercial for Toyota).  So, after that we headed down to the Southcenter mall.

We were all hungry, so headed directly to the food court.  Just as we had finished eating, and started having a chat, there was one very loud bang.  It sounded like something in one of the restaurant kitchens being dropped or malfunctioing.  Then, about 5 seconds later, another one – right underneath us where we were sitting.  Everyone paused, then hit the deck under tables.  It’s really strange that pause while everyone realizes what that sound was and equates it to gunfire.

I must say that security and police were really quick to respond.  Mall security and police were there in an instance detaining 2 people and clearing the area.  I got up to have a look around to see if we should stay put, or if people were evacuating (there was no more gunfire, or otherwise I would have done something different).  Initially it wasn’t clear where people were supposed to be heading, and there was lots of people wandering around, so I ushered us into a store, away from everything, while the staff locked the doors.

After a while it seems that it had calmed down somewhat.  People were being walked out on the 2nd floor where we were, while the 1st floor (where the shooting happened) was still under lockdown.  We decided that it’s probably best for us to leave while we could and there was a clear path for us to do so.  Seeing the food court was quite eerie; everything left, pushchairs, kids toys, chairs over turned.  I should have taken a photo or two, but it didn’t feel "right" (and didn’t want to hang around – photo above is one I found online – you can just about see something happening at the top)

King 5 has some good coverage of the incident.  I’m reading the comments and "witnesses" in various news and I love how some are saying 2 or 3 shots, while others saying 4-5.  It was 2 – I can’t see how anyone (that was there) would have not know that – it’s such a distinctive sound.  Also don’t get people saying that the mall security was slow and inadequate, and they should do something about this – this isn’t something that you can really protect from, it’s such a rare occurrence (or perhaps not at this place), and that the security/police that were there acted really quickly – I’m genuinely surprised at how quick a) the initial incident was covered and b) the number of responders got there in such a short space of time.

Took a quick peek while heading out and could see two guys cuffed on the floor with police standing over them, and one guy, clearly shot in the stomach, with paramedics working on him.  News reports are saying two people shot and the gunman still at large, but it seems that we could get out quite easily and there wasn’t any serious remaining threat or would have stayed put. I’m not going to say anything about the nature of the shooting as that would be just conjecture on my part (we heard a few people talking about it/why, but don’t actually know anything), and I’m actually quite pissed off with whoever would take a gun to a crowded mall – the level of idiocy there is astounding, and seem to be getting more common.

So, not the usual kind of security I normally write about.  Embed of local news below.

There’s a really good article up on some of the ballots that are being “questioned” by both Franken and Coleman’s campaign lawyers – A good number of the ones that are being “disputed” frankly are stupid.  I went through the list, made my own judgment, and thankfully came to the same decision of most of the people that answered the polls in that article.  Thank [deity] that there’s some common sense out there, and can some be given to the lawyers contesting these.  I appreciate that there’s a lot at stake, but arguing “intent” in a lot of these cases is just stupid.

Go to the page and play your own game of being an election judge.

Which brings up a question – does electronic voting help in this case?  I like one of the comments that followed that article

With paper ballots at least we know which people have problems understanding and completing the ballots

Exactly!  As least we know which people are (in some way or the other) too stupid to vote.  If you “spoil” a ballot, simply ask for another one.  I’m a little on the fence about this (and will probably get flamed for it), but I can appreciate the viewpoint that if you are too stupid/uninformed to vote (you can’t put a mark on the sheet, know or can find out where the polling place is, know what day you have to vote) you shouldn’t.  It in some ways takes away from the people that really do have some clue in what is going on in the world.

So, political views aside, what did I find interesting about the election.

First off, I was tracking the polls, etc using two sites – electoral-vote.com and fivethirtyeight.com.  IT’s pointless trying to track one poll, but both these sides aggregated data and did their own forecasts.  Generally, both were pretty accurate, but fivethirtyeight was right on the money – even calling what to look for in the first few hours of the polling offices closing.  Great job guys.

New technology was everywhere in the coverage – from MSNBC using Microsoft’s Surface to CNNs "hologram" (which I must say I thought was pretty poor, and all I wanted to say was "help me Obi Wan Kenobi, you’re my only hope).  Lots of HD studios though which looked really good on my big screen

A good friend of mine, Jon Pincus was doing his best to make sure that all voting counts (amongst other things, the activist that he is), which despite the usual problems doesn’t seem to have been nearly the issue it was in 2000/2004.  I don’t think things are "better" per se (I still have the belief that the UN should be call in to oversee the elections here sometimes as it can be pretty bad/partisan), but it was so clear what the outcome was going to be I don’t think it mattered as much as in other (closer) years.

The only other thing that I’m tracking is that Newsweek had reporters embedded into the campaigns, seeing how things went and having unprecedented access on the condition that they were embargoed until after the election.  There’s certainly some interesting news coming out of there from hackers (no surprise really – I don’t even think it’s worth more of a comment it’s that prevalent) to insider thoughts about the candidates, VP’s, and general strategies.  I’m certainly going to be tuning back in and looking out for more.

Around BlackHat time I was talking to Jeremiah Grossman about the whole WAF issue and we though it would be a good topic to present somewhere – the pros and cons of WAFs vs traditional software development (or the “penetrate and patch” approach to security if you want to be mean!).  There was a lot of FUD (and some nasty posts) spilling around, and the idea was to have a face off between different stake-holders or opinions. I wasn’t sure where the best place to put such a talk would go (I had some ideas) but JG wanted to submit it to BlueHat.

So, I’m pleased to say that I’m going to be talking on the last slot of the con – Panel Discussion – WAF vs. SDL Shootout.  Jeremiah unfortunately can’t make it (he’ll be laying on a beach in Maui – slacker), but I’m sure we’ll have a really good panel.  I’ll write more about it, and the other talks I’ll be going to, in later posts.

I’m really excited about going.  There’s tons of people that I want to meet, and now that I live in Seattle myself I’m wanting to “plug in” to the security community that is up here more.  If anyone that is attending BlueHat, reads this post, and wants to chat then by all means send me an email or just grab me at the con.  For anyone else that is in the Seattle area but wont be at BlueHat, I’m hoping to get out and meet more people, so please don’t thing you are out of the look – ping me (see the contact page, or use my work email which should be too hard to work out) and we’ll certainly hook up – I’ve tried (unsuccessfully I might add) to drop as much work-related activities for this week just so I can do more people-networking.

I have a number of meetings/conferences to go to this month which I will be posting about before and after so by all means drop me an email if you are going to be at any one of those events, or in the area.

So, without further ado, I’m going to get back online.

The first few tips are pure “security by obscurity”, and you should never “sanitize” user inputs – either they passes validation or is doesn’t.  Trying to clean up any data, like removing JavaScript, leads to being vulnerable for tricks like <scr<script>ipt>, where the app is looking for “<script>” and removing it.  It’s only until we get to tips 6, 7 and 8 that they start to actually provide value.

Although the article isn’t all that “bad”, the tips just smacked of someone who had just sat through the beginnings of some webapp security class (like UWH), and just misunderstood the structure and the risks of each of the ideas presented. 

Any class has to start off somewhere to introduce the rest of the material, and these “quick tips”, seem mostly pulled from the start of such a class – the “discovery” or “configuration” phases of a methodology if you will, instead of the “authorization” or “data validation” phases where the real risks often arise from. If anyone were to pick up these quick tips, and base their security upon them, they would vulnerable to some of the biggest mistakes out there.  What the author in the article says isn’t wrong per se, (redeems it all somewhat at the end) but just to focus on these tips when there are better “summary” documents like OWASP’s Top 10 (which aren’t perfect, but more accurately reflect the risks) is just security suicide.