Some videos from the show I’ve dumped here.

Ah, brings back memories working on gigs like that.  Still amuses me being in an audience full of teen-age Americans singing their little hearts out to American Idiot and not quite getting that it’s a warning for which many of them are becoming:)

Flights

First thing to mention on this trip was that we booked our LAX to SYD flight(s) with V Australia.  I’m a big fan of the Virgin brand, and this was a new carrier – they had only started operations in February.  Not only was the flight really comfortable (and we lucked out with it not being busy both ways so we had window+isle with a seat free between us), but the red in-flight entertainment system is just simply excellent.  Both directions Tara and I managed to get a fair bit of sleep, and haven’t suffered nearly as much jet-lag as we thought we would based on the time difference (+17 hours).  Not to leave the best bit of info until last, but return flights were about ~$800 each, which was super cheap!

Sydney

Our first stop was Sydney, where we stayed 5 nights at the Marriott in Circular Quay.  Because through work I get loads of hotel points, this was practically free   First night we wandered around The Rocks, across the bridge and over to the Opera House (which was a little smaller than I imagined it would be, but impressive none-the-less).  In no particular order we went out to the blue mountains (rainy that day ), Jenolan Caves (very enjoyable), Bondi (disappointing), Manley (much better beach/town), Taronga Zoo (what is it with hopping animals in Oz?), and various other places in the city.

Uluru/Kata Tjuta

Next stop was out into the red center to see the big rock in the middle of Australia.  As the photo’s show, there really is nothing else!  Stayed at the Desert Gardens in the Ayres Rock Resort (there’s absolutely no-where else to say out there other than on of the places in the resort, so it’s a bit “captive audience”, with all the connotation of that).  The place was clean and of a good size though (initially I was a little worried about a few complains on TripAdvisor), so nothing to worry about other than the previously mentioned. 

We went with Discovery Eco Tours for our trips out because just seeing the rock(s – we did the sunrise Uluru and sunset Kata TJuta) isn’t right – the stories and use of the place are the interesting parts, at least for us.  The tour company as well only take small groups, so you aren’t just bussed around, but get to spend time with your guide and have a much better time.  Our guide for Uluru was Leroy who was fantastic – he was really knowledgeable, had fun with us, and absolutely made the tour special.  In fact, I think we probably stayed out over an hour more than we should have because we were having fun and Leroy didn’t seem to mind or have anywhere else he wanted to go.  That’s one of the things to bear in mind; other than the resort center and the rocks, there’s nothing else to do out there, so 3 days was more than enough for us.  A few tips if you do think of heading out.  First, I’ve never seen the night sky so clear before (the milky way is just spectacular without the light pollution and steady, cloudless skies), so head to one of the lookout points for stargazing when it gets dark.  Second, the Pioneer Outback is where it all happens at night – although it’s the “low cost” option, it’s the bar where all the backpackers and resort staff end up, so you have much more fun there than in any of the other hotels.

Melbourne

Another big city, but I didn’t enjoy Melbourne as much as Sydney.  As cricket fans, Tara and I had to go a do a tour of the MCG.  Went out to St. Kilda, and drove out to the Great Ocean Road (much like the NorCal and Oregon coastlines).  Visited Cook’s house, and over to the Crown entertainment complex at night, but nothing too special to write about.

Hamilton Island

The “main” part of the holiday though, and the one I splashed out a little on, was a week on Hamilton Island.  To make it a little more special, I had booked us into the Beach Club hotel.  I can’t say how great our stay was there, from getting picked up at the airport by Karina (who we became friends with and I must keep in touch) and giving us the guided tour, our room which was literally balcony-pool-beach-reef, and the friendly service of all the staff (they will even shuttle you around the island on their little golf cart buggies or come get you if necessary, although for us we rarely used that service because the place is so small it’s easier, and sometimes nicer, just to walk).

As that was the “relax” part of the trip, mostly it was laying on the beach, wandering around the island, etc, etc, but we did go out sailing (on the Banjo Patterson) out to Whitehaven Beach and to the reef where we did some snorkeling.  The wind was up that day, so it was a little rough on the way out (2.5m swell, ~25 knots wind), but we all survived.  Donning “stinger suits” to protected from the jelly fish, even though we were just out of season (better safe than sorry – gave us a little more protection, but made us all look stupid), we went off snorkeling.  Because of the wind, etc, there was a lot of sand in the water so the reef wasn’t as clear as it could have been, but still was a once-in-a-lifetime experience.  Tara managed to cut her finger on the reef, and despite one of the sailing staff cleaning it up and putting iodine on it, she was still terrified that some minute bit of corral would grow, go septic, and her finger would drop off!  Serves her right I guess for reading up and being scared of all the horror stories you can find on the net   After talking to the pharmacist the next day while getting some more dressings and hearing that if it wasn’t clean, and something was wrong you would *really* feel it within 24 hours, we calmed down and stopped worrying a little less)

Tara did catch me though doing some “work” on the balcony :\  I guess I can’t live without it for too long.

Brisbane

Only had a day in Brisbane to connect up with the homeward flight.  From what we saw of it, it’s a really nice city.  The Queen street district reminded us very much of back in the UK with a good “town” feel with all the shops, restaurants and nightlife centered around a couple of streets.  While there we went to see Star Trek (really good film) during the day, well before any of our friends in the UK/US going to midnight showing – man, we are such geeks.

So, we had a really great time and would certainly recommend both going to Australia, and all the places, trips and hotels we used.  It is nice to be back home though, with all the creature comforts, and I get itchy feet if I’m “away from it” for too long, although I’m sure that Tara could stay on vacation for ever

As the image above hints at, I’ve headed home for xmas the the new year to spend with friends and family.  It’s certainly not been a relaxing trip as I’ve still been working (taking advantage somewhat of the timezone difference between the UK and US) and trying to squeeze in seeing friends and family.  If I haven’t had a chance to catch up with you I apologize as I just couldn’t get the time (I’m hoping to get back soon, which I’ll ping all the people that I didn’t get to see!).

This year has certainly been interesting, personally, work, and in the security field.  I’m working on a couple of (larger) posts on my thoughts on cloud security, trends (I think I might stay away from the predictions game, but will link/comment on ones I find interesting ), and have a series of webcasts pretty much in the bag on WebAppSec 101 – basic security reviews for webapps – ready to start posting early 2009.  As for that, there’s a fair few plans I have for 2009, some big, some small, some huge, which I’ll share as they become more fully formed.  One think I will be doing next year though is taking some vacation!  I’ve realized that my last "real" holiday (one that wasn’t a few days tacked onto a work trip) was in Sept 2006!  So, in April we’re heading down to Australia for the month – if there’s any recommendations you have, feel free to get in contact and share them as other than Sydney and Uluru, there’s a big country to explore with too little time to really hit even the highlights.

Anyway, I wish everyone a great new year and a prosperous 2008.

In any case, first time I’ve been to Boston and I really liked it.  Hooked up with John Steven from Cigital and a few other people at a restaurant the first night and had a good talk about the state of the industry (I really must find time for a likely long post on my thoughts about this).

I knew I was suffering before I even headed off to Boston, so didn’t venture out from the hotel or congregated with the other conference delegates that much so as not to make myself feel worse (and not have anything left for my talk later in the week), and to desperately try not to spread the lurgy to anyone else.

Anyway, I have to say, for me at least, the conference was a bust.  Only 12-15 people turned up for my talk about Cross-Site Request Forgeries (what they are, how they work, how to stop them).  There’s full presentations with audio available from the conference organizers, but I’ve put my presentation deck up here for anyone that is interested.  Overall, I thought the talk went quite well, the topic/material seemed to be what they were after and the people in the (small) audience were interested/engaged.  However, I think it was the wrong presentation for that conference.  I believed (wrongly it seems) that a talk about a big problem many sites have, how to test for it and how to mitigate that vulnerability (so it wasn’t just a "magic show", but real discussion of programming out of the hole) would go down well at that conference (web is after all one of the largest development platforms).

I didn’t go to that many more talks (feeling crappy and not wanting to spread it around), but those I did go to (mostly people/process/management or specific technical talks) were interesting but not core to my main work.

Overall it was a good con (and from many accounts smaller than it has been – clearly the economy is hitting lots of areas of our industry), but I didn’t make the best of it what I should.  I put that down to a mix of a difference in expectations from myself, and not being 100%.

Tuesday
Although the conference didn’t truly start until Thursday, there was a speakers dinner held on Tuesday night.  It was a small gathering at a restaurant in Seattle and allowed us to mingle with the other presenters and people from Microsoft that put the conference together.  I got to meet a few people for the very first time that I was really looking forward to talking to.  Ashley Allen and Bryan Sullivan were the first to welcome me after Jeremiah Grossman and myself talked him into letting us do a panel (in reality, Bryan thought it was a great idea) and Ashley organized everything for us (which for once was really easy for me as I didn’t have to travel or get a hotel to go to a con – score!).  Spent a lot of the first part of the evening talking to Adam Shostack about the state of the internet, current development practices, and how MSFT is addressing them (and can help other devs/orgs in the future).  Also had a great discussion with Dave Weinstein about vulnerability vs exploitation (does it really matter if things aren’t getting exploited?  If a tree falls in the forest and there’s no-one around, does it make a sound?  How much are we getting exploited?)  Dave has some great stats on the exploitation of Word of Warcraft and how criminals are profiting from it quite easily (it’s as close as you can get to a victimless and low-risk crime).  Talked to the internet security celebrity of the year, Dan Kaminsky, for some time and turned out that not only did we get on really well (he has very much the same personality as I do), but discover there’s lots of tenuous links between us of people we know, places we’ve been, etc.  Starting to see this "6 degrees of separation" thing more and more – it’s even less in small community like computer security.

Wrapped up the evening hopping between a number of different conversations – please don’t feel left out if I don’t mention you here – I talked to a *lot* of people over the course of this week, and I’m only going to have space to write about a small subset of even the few I can still remember

Wednesday
Despite booking most of the week off from work so I could go to some meetings and meet/network with more people, guess what – still had work to do for Foundstone.  Ah the joys of billable hours and last-minute scheduling difficulties   In any case, another party in Seattle.  Spent time with Danny Dhillon and the CSS guys – David Lindsay, Gareth Heyes and Eduardo Vela Nava as well as Alex K -  on what seems to be the theme for me this week – "why the hell does it allow that".  From triple encoding an attack (for filter bypass) and the browser triple decoding, then executing the result!, invisible iframes, a:link CSS being allowed to have ‘expression(…)’ and calling out to a remote site, etc, etc.  All of these things I couldn’t think of a single legitimate use of (these guys couldn’t either), and therefore the only usage is a malicious or unnecessary one.  Finished off the night in a small loft where some of the guys at the party had invited us back to listening to Frank Heidt explain the intricacies of the financial market, reselling non-existent "things", and how it was plainly obvious that this was all going to come crashing down, it was just a matter of when.  Smart guy Frank, and looking forward to hanging out with him more.

Thursday
First day of the conference proper. Iftach "Ian" Amit’s talk on modern crimeware was interesting, but being related to that field (listening to the McAfee guys) nothing that I didn’t already know. 

Roelof Temmingh’s talk was about how much information you could glean from public sources, often just starting with an IP address / network footprinting.  Once again, I had some idea, but Roelof’s tool really did open my eyes.  There’s a stunning amount of info out there, and with a good tool and visualization techniques, it’s possible to pull a lot of thing together.  This is certainly a demo to watch.

Dan’s talk (the DNS flaw) I had seen before, but I always find it entertaining to watch him.

The CSS guys seemed to have a hard time of presenting – not because they weren’t good, but this was the first time that they had ever physically been in the same place!  The joys of the internet meant that they were able to research together for quite some time, and didn’t have the opportunity to be able to rehearse or get everything together quite as smoothly as they might have liked (multi-presenter talks are hard).  In any case, they had some cool things to show, but I couldn’t help keep thinking "why do browsers support this" – it’s clearly a malicious use of the spec, and I can’t see why some of the things are in there anyway.  Certainly drew awareness of the fact that turning Javascript off isn’t the end of it and a means of protection, and that CSS has to also be restricted in some way.

The last two talks – Richard Johnson and Ian Hellen – talked about visualization and code characteristics to find defects.  I only partially caught these two talks from the remote display in the speakers green-room as I caught up with old-time friends Jeremy Dallman and Dave Ladd.

Throughout the day I was with Alex Smolen, friend and fellow Foundstone consultant, so we went out for some dinner, talked about various work stuff, and then headed out to the last MSFT BlueHat community dinner/party.  This event I spent quite some time with Frank from Leviathan and some of his team/colleagues/friends, and also got to spend some time with one of my "security hero’s" RainForestPuppy.  This was a really nice meeting as RFP was one of the first guys on the webapp security trail and got me thinking differently – certainly helped me take the first few steps in my security interests.  RFP was far nicer (and younger) than I imagined he would be.  Ending the night I managed to get a few words with Andrew Cushman and Jon Pincus, mostly about "normal" life, blogging and the election – a nice (and welcome) change of topic.

Friday
Day 2 was focused towards the "building" rather than the day one "breaking" theme – Mark Curphey would have been proud

Danny and Adam started off the talks with quick discussions of how EMC and MSFT do threat modeling.  It certainly looked like there were lots of obvious similarities between their two approaches.  Adam highlighted the differences, and why EMC or MSFT chose to go down those routes because of different lines of business or process/security/developer maturity.  Adam also showed the next version of MSFT’s threat modeling tool (which we were talking about at the first party), which is very cool and should make a big impact in the ease of threat modeling.  I would still like to see a "wizard based" approach which non-security aware developers could use if only to get started, but as Adam suggested it would be a bit "boring" and "heavy-weight" to see that many questions, and just didn’t interest him in going down that path.  Instead, users draw out the system and the tool suggests threats and things that haven’t been put into the drawing.  After seeing this demoed, I think it’s a much better approach.  The tool is internal for now but should be released free to the public in ‘09.

Matt Miller’s talk focused a lot on how technologies like GS, DEP, ASLR, etc helped mitigate against exploitation, even if a vulnerability was discovered – layered defenses are certainly a must-have.  This was another talk I only caught some of remotely in the speakers room or in the corridors while catching up with people.

Scott Stender and Alex Videgar from iSec Partners talked abut concurrency attacks in web apps [PDF].  At first I wasn’t too interested in this – it’s really hard to do any kind of deterministic testing on a webapp, so attacking concurrency (where timing is everything) is simply a difficult place to go.  These guys showed how most web frameworks are not thread safe, and multiple users hitting a server can cause the traditional "lost update" race hazards.  Lots of perf graphs showing the performance hit of locking, transactions, etc (and thus the potential of DoS if "done correctly, but with a performance hit") got the point across.  Takeaway – most web frameworks are not thread safe (and don’t warn you about that fact) and it’s something not many people think of.  Also, because of database settings and transactions, doing this may not actually safe you!

A bunch of guys from MSFT talked about fuzzing.  I didn’t learn a whole amount technically here, but was interesting to see how MSFT does fuzzing, and some of the stats – there’s some "break even" points or "guidance" on the number of iterations vs bugs left to find, but it seems that there’s no top limit.  Some tools are better than others (no surprise there), but there’s no one great tool (although SAGE seemed to be the best and won the "fuzzing olympics" – medals were handed out ).  Random fuzzing is better than "intelligent" fuzzing (where the tool knows the file/protocol structure), which is certainly unintuitive, but something I learnt quite some time ago.

Vinnie Liu talked about the trade-offs in tools (and humans) during a code review/pen test.  Once again, nothing new for me – I’ve learn and preached all these lessons, but was a fun and engaging talk.  I’ve asked Vinnie for a copy of his slides because there were some great classic humor slides in there – I’ll post (and comment) on them if he does send them to me.

Finally, and closing the conference, was the WAF vs. SDL Shootout panel.  Myself, Nate McFetters, Gareth Heyes and Kevin Overcash (poor guy – he was to "defend" WAF’s, but ended up being just as critical as all of us!) fielding questions from Bryan Sullivan and the audience.  The main questions were…

• Earlier this year, over one million sites fell victim to an automated SQL injection attack. The vast majority of affected pages were classic ASP pages. While we don’t have statistics, it can be assumed that many if not most of these pages were no longer being actively developed. If you were called in as a consultant by one of these sites to fix the problem, what do you do? Do you recommend a WAF or a change to the code? Or both? Would your answer to this question change if the site in question was still being actively developed?
• Five years ago, black-box scanning was the “magic pill” that would solve security problems. Then source analysis became more popular. Pentesting has always been important. While none of these approaches are perfect, they each have definite benefits, and more to the point: each of these activities is now part of the SDL (at least the Microsoft SDL). Should we end the feud between the SDL camp and the WAF camp by mandating WAF usage in the SDL?
• Imagine that someone invents a perfect WAF. It blocks all known attacks with a 0% false negative and 0% false positive rate. Do we now abandon previously mandated secure coding practices like validating input? If not, how do you justify spending developer time on this activity? How would you justify spending tester and pentester time on security testing?

The discussion went all over the place, and I can’t remember all of the answers or points that each of us raised (although I did pull out the "silver bullet and Jack and the Beanstalk" allegory at one point).  I hope there’s some audio somewhere as there was some good well-reasoned arguments.  If I can find some time and anyone is interested (i.e. the audio doesn’t go up), I see if I can come back and fill this in a bit more.

There was one final party hosted by IOActive, but by then I was far to knackered for another night on the town (and I’m told that the IOA parties can get a bit out of hand!) so headed home and crashed out – nice to (finally) get to bed in the same 24hrs in which you woke up, but there’s still the mountain of emails and RSS items I had to dig out of over the weekend. 

Thanks to all the people that I met and had great discussions with.  Also a big thanks to Bryan for the invitation and Ashley for organizing everything for the speakers.  I had a fantastic time, and confirmed one of the reasons that I moved up to Seattle – meeting interesting people and being engaged in the community again – really was worth it.  I look forward to seeing all these people again, and if anyone is in the area, visiting, or has time to chat, and wants to hook up, by all means get in contact.

While onsite with the client we went to a users desktop and was doing some things when the user popped back and was watching us work.  He was fine with it and all – a good communication had gone out around the company explaining what was going on, the systems that were being shut down, and allowing us access to whatever we needed (I can’t tell you how rare that is – many companies continue to try and operate as “business as usual”, but this one really did come to terms quickly and take the appropriate action – kudos to them for that).  However, in introducing me to the user the client IT person simply said “this is Mr. Wolf – he solves problems”.

The quote obviously is from Pulp Fiction, and got me thinking on how apt that introduction was.  When on incident response engagements it’s rare that when I, or one of the other Foundstone guys, get called in we have specific skills that the client’s IT staff do not have – after all, they are the ones that look after the systems day in, day out, during normal usage.  What we do bring though is a cool head, an assessment of the situation from previous experience which leads to a plan, very good general knowledge about all the systems/technology/thing going on and how they affect the current environment/situation, and most importantly contacts.

The cool head is important – often the local guys may be very stressed out (it’s their systems under attack after all) and oftentimes have been working long hours trying to address the problem before they have called us and we are onsite.  The plan is equally important because otherwise people are running around doing “things” which may not be productive at this very moment and there’s no idea of progress.  But the key is access to contact that are very highly specialized in particular areas.

It would be really nice to be an expert in everything, but with today’s computing technologies there’s just far to much for any one person to know.  I may be an expert in the web and web application software, and it’s useful for me to be put on those kinds of IR engagements where possible.  I can also reverse engineer viruses, look at SQL databases, understand WireShark traces, look at Solaris boxes, etc, if necessary, but I’m not as good as people who do this every day and have labs setup to work any issues in these environments (on site it’s usually me, a laptop, and sometimes some additional hard-disks or other “gear” to capture what is going to be useful later).

So I thought that was a really insightful analogy (and thanks to that person – you know who you are).  Mr Wolf doesn’t necessarily have any skills that Jules and Vincent don’t have, and the actions he gets them to do are nothing that they couldn’t have done (or thought of) themselves if they were level-headed.  The single thing that he did have that they probably didn’t is the contact at Monster Joe’s Truck and Tow.

The Foundstone guys already have a new nickname for me, and a little skit [warning, some language in the link some may not appreciate].

And no I don’t dispose of body parts.

After getting half unpacked there was a UWH class in DC that I had to go and deliver.  Never been to DC before, so that was going to be good even though I didn’t like leaving the new apartment half full with boxes.  Class was an odd Tuesday to Thursday (it’s ususaly Mon-Wed, or Wed-Fri in my experience), so headed off to SeaTac for my first trip out of there.

SeaTac is a bigger and busier airport than John Wayne that I used to fly out of in SoCal, but there’s better facilities there and seemed to get through security quicker.  If the airport ever gets a Clear line I might consider getting one (don’t tell me about these – I know they don’t do anything for security and it’s even more info the govt can track you on, but if it means saving me time at the TSA queue in the morning all the better).  Depending on the route out and the side of the plane you are sitting on there’s a great view of Mt. Ranier.

Class went really well, and had some good engaged students.  Sometimes there’s the “wrong” level of people in the UWH class – programmers that find a lot of the material basic, which to be fair a lot of WebAppSec is and they only really start getting into the interesting stuff for them at the end of day 2/beginning of day 3.  This class was mostly network guys so it was meaningful from slide 1.

Had a few evenings to walk around the capitol.  The White House was obviously first stop (my hotel was only a few blocks from it) and I was somewhat surprised about the size of it – it was as tall as I was expecting, but I thought it was wider and a lot more rooms.  In any case, that was interesting and I walked all the way around.  From there it was a choice to either walk up the mall to the Lincoln memorial or to The Capitol.  Decided on The Capitol as I could pop into the air and space museum as it was open late that night.

Once again, though the air and space museum was small as far as museums go (been spoilt somewhat with the museums in London), but had some excellent pieces in there.  Got to see (in no particular order) the Apollo 11 capsule and door, a moon buggy, Moon lander, Space Ship One, an X15, and lots of other bits.

After class finished on Thursday, I went out to see an old friend Gary McGraw and stayed overnight at his gorgeous place.  I don’t think I could ever live as remote as that, but to have that much land, horses, peacocks and a river (which we spent ages sitting at talking about all sorts of things) must give him his inspiration to write all his books.

Got back for the weekend and then had to head back out on Monday to work in Torrance – SoCal can only miss me for so long it seems!  Nothing really to report there other than I went to see one of my work colleagues, Alex, and his Dad+Brother play in their band “The Flying Smolenskys“.  Usually this kind of thing is just going along for moral support, but these guys ROCKED!  It was such a good night.

So, that’s about it for me now.  Nothing all that interesting going on other than the usual work (which on a side note I’m getting a little fed up with having to keep fighting clients on if something is a finding or not).  Back in Seattle now for what looks on the schedule to be a few weeks of remote work, so going to try and catch up with a few people here and get out and explore the place.

Day 1

Movers turned up at 8am with, as usual, a giant truck.  I’m always impressed (even after seeing what these drivers can do for so many years while touring) at how they can back these huge things around obstacles and down small spaces.  The guys (3 + driver) had everything that we hadn’t boxed like furniture wrapped in moving blankets and down in just 2 hours.  Worrying how all your life can disappear onto the dance-floor of a truck (the slightly raised area of the trailer where it attaches to the hitch on the cab) and look so insignificant.

Once everything was signed, for both moving and to release the apartment, we were on our way.  Got past LA pretty quickly and past Malibu, which we hadn’t really ventured past before.  The landscape changed dramatically, from palm trees everywhere to more “normal” flora, which was a present surprise.

Got to San Luis Obispo at about 7pm and met up with Eric (old work friend at FS) and Kim.  They were really good at giving us a whirlwind tour of the town, which isn’t complete without having a look at the Madonna Inn and Bubblegum Alley!  Also, Eric had picked up a fantastic gift for us of some (signed by the artist) Serenity posters, which just blew us away and I really am lost for words at how grateful and thoughtful that present was.  Had dinner with Eric and Kim and then crashed out

Day 2

Got up early so we had time to visit Hearst Castle.  It was very good, but what is it with very rich people and a) their complete lack of taste, b) wanting to model their houses on “European” style (read – of course all us Brits live in castles with huge tapestries on the wall!), and c) they never really come from “nothing” – even if they didn’t have specific support from how they made their money, they very seldom don’t come from successful families in some way or the other.  Perhaps it’s just in the genes.

Really wanted to head up to Big Sur, but couldn’t because of the fires in the area.  We were actually in this area on the 8th, but this has a good map of the area – see the other posts in this blog for a good update on what is happening.

Went to Santa Cruz, mostly for one picture in the sand!  Don’t ask!  Was the usual run-down seaside amusement town, so didn’t really stay all that long. 

Stopped both sides of the Golden Gate bridge for a loo-break and some photos, then pushed on to Santa Rosa.  Had an excellent dinner at the Toad in the Hole pub, and saw a statue for Snoopy (who Tara is  *big* fan of) – we had completely forgotten about the museum in the area so it was serendipity that we stumbled upon it.  We’ll take a look tomorrow before we head off again.

Day 3

Today we rested up in the hotel in the morning until the Charles M. Schulz Museum opened.  It’ only a small museum, and unless you are a fan of Peanuts/Snoopy, then there really isn’t all that much there.  However, for us (who are Snoopy fans), it was a good stop-over.  After visiting the shop and stocking up on some merchandise, we were back on our way.

If we are going to do this route again, or anyone else is thinking about it for a sightseeing trip, it’s best to go from north to south (instead of the way we are going) because all the best views, stopping places, etc, are on that side of the road.  It’s not that we are missing out on lots, but it would certainly be easier.

On the way up, we took a detour from the 101 to drive the Avenue of the Giants.  Words, pictures or video (of which we used a lot of all three) do not do this place justice.  It’s just superb.  Winding around these huge trees, many of which have been around for ever (well, hundreds of years) was just so picturesque.

We then booked it up the 101 to Eureka pretty quickly so we could get dinner early and relax in for the night.  Tomorrow is a big push through the mountains (and more redwoods) to Portland.

Day 4

Ok, so it’s getting very prosaic (one of Tara’s favorite words at the moment!), but the scenery on this drive is just stunning.  We left the coast road for route 199 going through the mountains into Oregon which went through another redwood forest and seemed to follow a river.  Stopped off at a few places to take more photos/film and just enjoy the countryside. 

Stopped off in Grants Pass for lunch and to refuel the car.  At McDonalds (ok, we were stuck for choices and couldn’t be bothered to look around any more) there were 3 young (I guess around 9-10) that were just being absolute bitches – generally playing up everything, like how one of them didn’t like their cheeseburger and sent it back for another one (much to the prompting of the one that was clearly the “queen bee” of this group).  I had really thought that we’d left this attitude behind, but clearly girls aspire to The Hills (seriously, they were talking about it!) even if they do live in po-dunk no-where.

The drive onwards to Portland was long, perhaps the longest leg so far, which not much to stop off for, but it was I5 all the way so I just stuck the car on cruse control and sat back.

Day 5

Rest day in Portland – didn’t have to drive anywhere today   Spent the time exploring the city, doing some shopping, and caught Hancock.  Good to see Los Angeles again, even if they do take liberties with the geography (Alameda is nowhere near LAX, and there’s not a Mercy General Hospital in downtown by city hall), but that’s pretty normal   Overall enjoyed the film a lot.  It’s a little slow in places, but well worth it.

Day 6

Well, this is it – final leg.  Made the drive from Portland to Seattle pretty quickly.  Have great weather in the NW at the moment – clear blue sky, 70-80F – so had fantastic views of Mt Hood, Mt St Helens and Mt Ranier all the way up.

Got the keys to the apartment, unloaded the car, and went out to get supplies – it’s amazing how much basic “setup” stuff costs to restock your home, but it’s a necessary expense (no point in keeping things like cleaning supplies, etc).  The apartment is very bare as still waiting on the moving truck to arrive with everything which should (fingers crossed) be Tue or Wed.

So, I guess that’s about it – our trip up to Seattle.  Actually quite miss SoCal at the moment (Tara a lot more than me), but it sort of “feels right” – very much like the UK both of us keep saying.  It certainly feels a slower pace of life at the moment, but I’m sure I’ll post more about the area and our “adventures” over time.  For now though, signing off as there’s lots of things to get done like connecting utilities, getting us back on the net (this post courtesy of some nice person who as left their dlink wifi open )

ETA: Posted some pictures up and linked to them.  Will be editing the video when we have more time after our stuff has turned up, so will add that here when done.  One last photo for the trip – it’s a long way back, even by the “quick” route (which we certainly didn’t follow )

First up, driving out to Santa Monica we noticed that Rodeo Drive was shut with lots of people milling about.  Intrigued, we parked up and had a look.  Turns out it was a classic car show (with some modern cars) so we drooled over some of the cars and walked up and down Rodeo (why is it called ro-day-o rather than ro-dee-o?) for the first time ever – it’s just not our “scene”.

We then headed out to Santa Monica and walked around the shops, went on the pier, and got some fab Belgium chocolates.  Grabbing a coffee, we noticed a lot of police cars heading up the street and wondered what all the commotion was – turns out a taxi had knocked a biker off his Ducati, who promptly took off his helmet and attacked the taxi driver!  A bit overkill with 8 cars, 2 bikes, 2 EMTs, and blocking the road off (many are out of shot in the pic), but I guess there’s not much for the police to do on a Sunday afternoon there

A must for the day was to head up to our favorite place in LA – Griffith Observatory.  Both of us love that place so much if we lived any closer we’d be up there all the time.  Grabbing a drink and watching the sun go down from this place is a must-do experience.

Finally we headed out to the Sunset Strip for dinner and a few drinks at the Rainbow Room.  The Lakers were playing a must-win game, so the place was pretty packed.  At the table next to us was Billy Zane, who was really nice and wasn’t getting hassled at all, and Justin Hawkins (from The Darkness) arrived just as we were leaving.

So, that might be about it (unless we make it up again on the July 4th weekend) for LA for us – lots of packing and other things to finish up.  To all of our new friends and work colleagues who made us feel welcome, our eternal thanks – I’m sure we’ll be back and will certainly stay in touch.  To all of the rest of the wannabees in OC/LA, I’m glad I won’t have to put up with you for much longer

Anyway, as mentioned in previous posts, my wife and I have been in Singapore for one week (I had work there), and then on the way home we stopped off in Hong Kong for 5 days for a bit of vacation time.  I’ve been to both before, but only flying visits, so didn’t really get time to explore and see either of these places so it was nice to have a few free days to have a look around.

Singapore was excellent.  We stayed in the Conrad Singapore which is a fantastic hotel.  Bit pricey (although not fantastically so for a top-class hotel in a major city), but with corporate rates and lots of Hilton points we had a good room overlooking the fountain of wealth.  The one thing I will say about the hotel, and service in Singapore in general, is that it’s really good – so good in fact it borders on stalking!  The staff grab backs off you immediately, escort you to your room, if you need anything they are on it straight away, it’s all “sir”, “madam” – for someone like me that just doesn’t get on with that it’s a little off-putting.

Having 3 days over the weekend to myself before work give us time to explore the city a little.  The joke of Singapore is that it’s the only shopping mall that has a seat on the United Nations, which when you get there it sort of becomes apparent why – everything seems to be a shopping mall of some description.  All the major buildings were full of shops, and full of people.  Apparently there’s two reasons for this.  1) is that a lot of Singapore’s income is from retail and tourist shopping, and 2) that it’s just too humid outside to walk around so everyone uses the malls to navigate and stay inside the nice air-conditioning   We didn’t do a lot of shopping (and for some reason there’s a lot of UK shops there like M&S), but picked up a few things to bring home.

That’s not to say that Singapore has nothing to offer other than shopping (although there’s certainly a lot of that to be had!).  I always find that the best thing to do when in a new city is to see if there’s an open-top bus tour as it’s a very simple and quick way of finding out where everything is, and get a narrated history.  Hippo Tours was directly over from the hotel, so we grabbed tickets and saw the city highlights as well as the heritage tours encompassing the major districts of the city like Little India, Chinatown and Kampong Glam.

Other than exploring the city, the highlights (other than once again meeting the guys I was working with – hi if any of you are reading this ), lunch at Raffles was, as expected, simply fantastic, as well as Singapore Slings in the Long Bar in the evening (which were really nice drinks, and not as “strong” as I thought they would be based on the ingredients in them).  While I was working, Tara got to explore a little further including going out to Sentosa for the day.  Summing up, I really like Singapore as it’s a really nice mix of both Western and Asian cultures.

As I haven’t really had any “real” vacation time in something like 18 months, we decided to take a few days in Hong Kong on the way home.  Hong Kong was “interesting” – I don’t mind busy, as I have spent a fair amount of time in New York, but HK is just totally off the scale.  There’s a even greater divide of the “have’s and have-not’s” there as just within a few blocks (and sometimes even on the same block as areas get “gentrified” and redeveloped) the buildings go from new steel and glass to broken, dilapidated and stained concrete.  We weren’t staying directly in the city, so I must admit I didn’t exactly like where our hotel was straight off, but it was quite safe and right on one of the tram stops.

Talking about the trams, we found they were a great way of getting in and out of the city.  We certainly got some looks using them (seems that it’s mostly “locals”), but for HKD$2 (about 25 cents!) you could go as far as the tram will take you.

Generally, we just explored the city during the day – the markets, the peak, etc – as well as the smallest Disneyland I’ve ever been in (there really was very little there, but we had to visit as that means I’ve been to every Disney in the world!).  At night we headed to Lan Kwai Fong for drinks and food.  Bit of a tip there – go to the main restaurants rather than the ones on the street(s) – I ate at one of them last time I was there and thought it was “ok” – this time though the quality of the meat was, well, dubious, and although we hardly ate anything that night we both felt unwell for the next few days.

The day before we headed home we went out to see the world largest sitting Buddha.  It was a really nice (long) day which included a huge (sometimes scary) cable car ride, and a nice ferry ride from Mui Wo back to Hong Kong.

Once again, in summary, pleased that we had some time in Hong Kong, but didn’t enjoy is as much as Singapore – it’s a little too busy, the “attitude” of people there riled me a little (although, to be fair, if you have to live in such density, personal space probably just goes out the window), and although I usually like Chinese food, it was a little too “variable” in that we really had to look out for what/where we ate and unfortunately after that night in LKF, we just stuck to “western” establishments to try and settle our stomachs. If we were to head back there again, I’d probably want to venture out of the city more (like on our last day) and go to the New Territories and seem more of the “real” Hong Kong/China.

Anyway, back to work I suppose.  Put a small selection of photos up here if anyone is interested.