In 2005 when I joined Foundstone, one of the conditions that I set was that they would sponsor me for my GC, there wouldn’t be the usual 6-12 months “probationary” waiting period, and that there would be no “lock-in” period after I had finally got said green-card.  So, pretty much as soon as I started, Mark sent emails off to McAfee’s HR and signed some forms for me to kick the process off.

At the start, things went quite smoothly.  One of the first things that has to happen is you have to get your labor certificate, to show that there are no qualified US workers able/willing to do the job you are applying for.  Well, in my case there’s a good few people who would like my job, but a) few that actually can do it, and b) if they are out there, we’ll hire them anyway.  What is required though is to advertise the job, and for your employer to document that they are at least paying you the prevailing wage

A quick aside here - working out an equitable salary is part-and-parcel of negotiating a new job and GlassDoor.com is one site that a few people seem to like.  I however like FLCDatacenter.com because it lists actual salaries rather than ranges, including position and hire date.  Several employers don’t like this, but it has to be published (the labor cert and the “prevailing wage”) and is public data.  It only holds data for people applying for labor certs (H1B’s, green-cards, etc), and is anonymous, but in a small company it can be pretty easy to match people up based on their hire date, and for larger companies that have well-defined “levels”, it will give hard data on what is actually being paid for that job.  As I said, several employers and HR departments don’t like this, but knowledge is power I say

Anyway, back to the main topic.  I was lucky enough to get in on the new PERM process, which is much more streamlined than the old labor certification process.  It would have been quick(er) of course, if it wasn’t for McAfee screwing it up. 

Part of the process is advertising the job so that US workers can apply for the “no qualified US workers able/willing to do the job” part.  It has to be advertised in various ways (see here for more details), for at least 60 days (which was done), and then if no applicants were found the process can continue.  However, someone forgot to advertise my position in our office (not that it would really matter), but that had to be re-done.  By the time that McAfee HR had realized this, and re-did it, 4 months had been wasted.

In any case, all the documents finally went in, and in September 2006 (while on vacation in Hawaii funny enough), I got a call from the immigration attorney saying that the labor certification was successful and we can move onto the next step.

What happens next is that based off the labor certification (there’s no US worker that wants/can do my job) a petition for immigration is made (known as the I-140 from it’s form number).  This sets out what “category” you will be processed in based on your skills/education.  I’m fortunate to have a PhD which placed me in the EB2 category (Professionals Holding Advanced Degrees), which is the 2nd highest category and at the time of my application didn’t have a backlog (current status is listed here).  I’m also fortunate to not come from China, India, Mexico or Philippines, as each of those areas often have a wait until the Adjustment Of Status (AOS) can be filed (the date is the applications they are currently working on).  If it says “C” in your category, for your nationality, both the immigrant petition and the AOS (I-485) can be put in together.

This meant that we had to work quickly to get all the documentation together for our application, and there’s a lot of it to gather, and here’s just some to give an idea…

• All previous residences
• Employment for the last 5 years
• Original/full-copies of birth certificates
• Proof of marriage/divorce
• All entries/exits from/to the USA
• All previous notices and immigration documents
• Completed medical exams (immunization records help if you can get them)
• Application photos

The other thing I really like in filling this info out is the “Part 3″ section of the adjustment of status form.  Go and have a look, just to see what you have to answer - I would love to meet the person that checks “yes” to any of those boxes

Well, the fun one for us was the medical exams. 

Part of the medical exam is to be tested and be clear of tuberculosis (TB), but as Tara and I are from the UK we’ve both been immunized with the BCG vaccine.  One of the things a lot of doctors that perform the green-card medicals know is that they can’t do the skin test form of the TB indicator because it shows a false-positive (via the vaccine), and often they skip directly to the chest x-ray which should definitively show if someone is carrying TB or not.  That’s what our doctor did (skipped the skin test and did the chest x-ray, showing us both clear), and gave us our results in the usual sealed envelope.

Off goes our entire life history, first to our immigration attorney, and then off to USCIS.  A good few months pass (6-7 I think), and I get an email status update from USCIS (sign up for these BTW) that they are sending us a letter.  We think it’s good news, but when it arrives it’s a Request For Evidence (RFE) - turns out that the USCIS wants the skin test results anyway for some reason!  Even though if the person looks just 2 inches to the right, the x-ray results are there and it says “clear”.  Our doctor isn’t very happy (keeps muttering “unnecessary procedure”) and actually phones up to complain.  We get the medicals re-done and send them back off.

After 5 months (in the mean-time the I-140 has been approved - yay!), I get another email saying a decision has been made on our case (the emails, or website for that matter, don’t have any other info, which from a security aspect is fair enough).  Finally we think it’s all over, but the attorney emails us saying that the USCIS has denied our application - the letter is a notice of denial :0

Turns out that the letter says the Request For Evidence wasn’t fulfilled within the 90 days allowed - USCIS didn’t get our updated medical tests with the TB skin test results.  This can’t be right, as our attorney has a FedEx receipt of someone at the Texas Service Center (where our case should be) signing for it well before the deadline.  There’s no appeal against this decision, so a “motion to reopen” has to be submitted, and within 20 days.  A mad rush by us, and the attorneys to get all the documentation together ($385 just to file the form, plus attorney fees - thank heavens that McAfee are paying for all of this), and we get it all in, and confirmed receipt.

It now goes very quiet.  USCIS wont give us any updates on what is going on, and our attorney can’t find anything our through her channels either (even going via the liaison committee).  3 months go by, and we hear that they are sending out another Request For Evidence - it’s a request for medicals again (would appear that they don’t have them!  It’s suspected they are lost somewhere and haven’t reconnected with our files).  A month later I get the following emails in quick succession

• Case reopened or reconsidered based on USCIS determination, and the case is now pending
• [+2 days] Card production ordered
• [+1 day] Notice mailed welcoming the new permanent resident

Finally looks like I’m approved :D  Tara’s case however is still sitting at the “Case reopened or reconsidered based on USCIS determination, and the case is now pending” status.  Our attorney has some luck and gets a call from a USCIS officer about another case and is able to ask about what is happening with ours.  Usually it seems that USCIS people don’t know (or don’t want to know) about cases that they aren’t assigned to, but this person is actually pretty helpful and looks up Tara’s case.  They don’t have the medical records!  Can’t believe we have to go through this all again (this is the 3 time they are “lost”), but between the USCIS person, their supervisor, and our attorney, they accept that it’s USCIS’s screw up and if our copies of the records are faxed to them they will press the “approved” button.

Hurrah! we are finally done.  Just under 4 years in the making (which still isn’t too bad) and we should have our cards, but there’s two last little gems to come.  First one is that my card doesn’t turn up (Tara’s does, but nothing for me).  Seems they are sent out using regular US postal mail, with no tracking or anything (which I still can’t believe - one of the most important documents I’ll have, and it’s just sent regular post).  No problem, just apply for replacement card (ker-ching - more $$$).  “Lost” card turns up 3 weeks later in the post, so we cancel the production of the replacement.  Also, Tara’s medical records get sent back to our attorney with the note “case closed, not required” with the date stamped on them saying they got them 20 days before the original (1st) RFE deadline!  Clearly someone had them on their desk - left hand, right hand and all that - resulting in our denial.  Reminds me of the saying “to really screw things up takes a government”

Anyway, we have our cards now, and have had for a while (as I said above, this post is a little late).  They are white (not green - the color/design changes every so often) and means that we can stay for 10 years and can work/do what we like (but not vote :().  We’ll probably take citizenship in 5 years (after the waiting period) as there doesn’t seem to be many downsides to that (UK people can hold dual-nationality).

This has certainly be a stressful and long process, which we wouldn’t have been able to get through without the expert help of Petra Tang Bloom of Berry, Appleman and Lieden.  Not only was Petra so good at helping us, but Sara Tinati fielded a lot of our questions and kept the ball rolling during the last (most difficult) phase.  Jose Duran also from the BAL team helped kick the process off.  I can’t say how great the people of BAL were, and David Berry even stepped in to assure us things were going to come out OK.  I’m grateful for my employer in paying (another benefit I suppose), but even saying that BAL were certainly worth it and I have no reservations at all in recommending them (certainly the team I worked with).

As for other resources, another immigration law firm, Murthy, have some good pages and information.  I’ll finish this post with a few links that I have not used above, but could be useful to anyone also going through this process - the internet was good for me to lookup what was happening in my case, learn (probably too much) about immigration law/process, and find out about other peoples experience(s), so I hope that this is useful to others as well. 

• Green-card process, and BAL’s FAQ
• New info for the TB test
• Wikipedia article on the permanent residence card, including process details, links, etc
• Another law firm that has some good info
• Of course, Google is your friend for a lot of other links.

Best of luck and quick processing to anyone else that is going through this.

Security is much more than finding/fixing defects

The first post I saw on this was from Ivan Ristic, where he says…

Underneath all our security issues lies our inability to write defect-free code. Solve that and we’ve solved the security issues. Focus on the security alone and we won’t solve anything.

This sort of follows from a really old post on the Microsoft SDL blog from James Whittaker - Reliability Vs. Security.  Defects are defects, functional or security, and we’ve been working on the former for some time.  Our techniques are better, and we’ve learnt a lot, but we still can’t write error free code, and there’s a lot of prior art/knowledge in the functional side that the security side has to catch up with.  One of my favorite (old) quotes is from Chris Mason, ex-development manger for MS-Word, who said “Since human beings themselves are not fully debugged yet, there will be bugs in your code no matter what you do”.  This leads me to the most recent post on the topic that I saw (also on the SDL blog) from Michael Howard.

Security is bigger than finding and fixing bugs

This isn’t any deep insight or rocket science, but it seems that some people have to be told it anyway.  Yes, currently there’s a lot of security issues being found after products are released, and they often track back to implementation issues (leaving aside for the moment if there were any security requirements), so people think if you patch the issues and/or look at the code then that’s 80% of the work.  This might be true for now, but so much of these things could get caught at the design or even implementation stage.  Also, I would bet that over time implementation flaws are going to start to go away as we code up defenses in frameworks, languages, API’s, etc, much like buffer overflows are much less of a worry in managed code.  Even if we get to that point there will still be vulnerable system out there because of poor design decisions, failed logic, and other problems that are simply not associated with the code at all.  Focusing on the code (and therefore testing/fixing just the code) is IMO the wrong approach.

MBTA vs MIT Students

Talking about flawed design, here’s a good example that I’ve seen lots of posts about.  The best intro is from Chris at Veracode here and here.  Basically, the Massachusetts Bay Transportation Authority (MBTA) is (was?) suing some students to stop them from presenting about a flaw that they discovered in their payment card system (turns out many other transit authorities the world over also use the same system, and thus vulnerable the same way).

I first can’t believe how basic the vulnerabilities are (which surely would have been caught in requirements/design than the much-more-expensive delivered system - once again, testing/code is not the answer), and second that anyone would defend what the MBTA is doing in suing the students (even though I understand it’s “risk prevention” on their part - this is not the right place to do that).

This leads me to something that has been going on for some time in the functional world, and perhaps needs to from a security aspect as well - software warrantees.  When someone purchases a physical item there’s an expectation of “fitness for purpose” - if it doesn’t work you can take it back for a refund, and if it blows up in your face (during “normal” use) you can sue the manufacture.

It’s extremely rare to find any warranty for software products, and the EULA is often the “get out of jail” card for the implied warranty.  I’m not sure that we’ll ever see true software warrantees because of push-back from software producers and the additional cost it would (could?) add.  However, having enforceable software warrantees would both force vendors to ensure that their software is “fit for purpose” (which in the MBTA case it clearly isn’t) and allow the purchasers of said software some rectification - I’ve had my fair share of clients that I’ve worked with that have had real problems in getting fixes to vulnerabilities I’ve found in fixing them in a timely manner because they don’t really have to.  For some purchasers (government(s) being a good example as Schneier points out) forcing these (because of their purchasing power) would force an improvement in quality, both functional and security, that would benefit everyone even if it’s only in one version/variant that you could buy if you wanted that level of expectation.

In any case, I’d like to know anyone’s thoughts on this.

(As a further resource, badsoftare.com is a site an old colleague of mine put together a while back that might have some interesting information for people.)

There’s some good summary points that I’ll make in a bit, but I was actually quite surprised at some of the numbers - there’s a few companies in there that are making a lot of noise, and very well respected, but aren’t making all that much money.  I’ll leave it to you to figure out who I’m probably referring to.

Security tools are certainly growing, and the numbers that Watchfire and SPI sold for are in the ranges I’ve heard mumblings about.  I’m still concerned at those valuations though as whenever I’ve used these tools I’m always disappointed with the results - they seldom find stuff a good pen tester can find in a few hours.  I guess their benefit comes off through regression testing and when (if?) they are "trained" on the app.  There’s a huge investment in getting these testing tools to any kind of reasonable level, although I still thing they have a *long* way to go.

Good to see that Gary has included the services side of the space in here as (he notes) it’s really hard to track.  I’ve heard more that one person say that the west-coast is doing a lot of business in pen testing whereas the east-coast is doing code reviews / threat modeling / architecture type work.  I’m not sure that I see it as that cut-and-dried, but it’s an interesting observation if Gary is seeing it (and he would see it more than I would with all the connections he has).  In any case, I would agree that pen testing is a good *starting* point as clients get a lot of "bang for their buck" and it’s a way of pointing out how broken things are.  What is necessary then is to build backwards into why the software/system got like that in the first place.  The danger however is when the pen tester doesn’t find all that much which provides very little leverage towards taking a deeper look - clients consider systems "safe" if nothing major has been found in the 2 weeks someone might have had to have a look, whereas it’s been well documented that attacker can take a very long time to get to know a system before attacking it.

Finally, in summary, I think there’s good news in the software security space.  Despite the looming recession in the USA (which face it, if it does happen the rest of the world will inevitably feel some consequences), the space is continuing to grow nicely.  The reason I think is just as one poster on the MFE Yahoo message board put (I don’t know why I go there because it’s full of crap) - most companies are defensive, and just because a recession is coming you don’t lower your insurance premiums.  Companies know that their weak points are more and more their software, so they are attempting to protect them.  For people in the space that’s good as skills are in great demand - pretty much every security company I know is trying to hire, but having problems in finding good people.

I guess this is a "wait and see" situation, but it’s good for Gary to gather and put together these numbers outside of the hugely expensive Garner reports.  It does however look like security in general, and software security specifically, is getting the attention that it deserves.

While onsite with the client we went to a users desktop and was doing some things when the user popped back and was watching us work.  He was fine with it and all - a good communication had gone out around the company explaining what was going on, the systems that were being shut down, and allowing us access to whatever we needed (I can’t tell you how rare that is - many companies continue to try and operate as “business as usual”, but this one really did come to terms quickly and take the appropriate action - kudos to them for that).  However, in introducing me to the user the client IT person simply said “this is Mr. Wolf - he solves problems”.

The quote obviously is from Pulp Fiction, and got me thinking on how apt that introduction was.  When on incident response engagements it’s rare that when I, or one of the other Foundstone guys, get called in we have specific skills that the client’s IT staff do not have - after all, they are the ones that look after the systems day in, day out, during normal usage.  What we do bring though is a cool head, an assessment of the situation from previous experience which leads to a plan, very good general knowledge about all the systems/technology/thing going on and how they affect the current environment/situation, and most importantly contacts.

The cool head is important - often the local guys may be very stressed out (it’s their systems under attack after all) and oftentimes have been working long hours trying to address the problem before they have called us and we are onsite.  The plan is equally important because otherwise people are running around doing “things” which may not be productive at this very moment and there’s no idea of progress.  But the key is access to contact that are very highly specialized in particular areas.

It would be really nice to be an expert in everything, but with today’s computing technologies there’s just far to much for any one person to know.  I may be an expert in the web and web application software, and it’s useful for me to be put on those kinds of IR engagements where possible.  I can also reverse engineer viruses, look at SQL databases, understand WireShark traces, look at Solaris boxes, etc, if necessary, but I’m not as good as people who do this every day and have labs setup to work any issues in these environments (on site it’s usually me, a laptop, and sometimes some additional hard-disks or other “gear” to capture what is going to be useful later).

So I thought that was a really insightful analogy (and thanks to that person - you know who you are).  Mr Wolf doesn’t necessarily have any skills that Jules and Vincent don’t have, and the actions he gets them to do are nothing that they couldn’t have done (or thought of) themselves if they were level-headed.  The single thing that he did have that they probably didn’t is the contact at Monster Joe’s Truck and Tow.

The Foundstone guys already have a new nickname for me, and a little skit [warning, some language in the link some may not appreciate].

And no I don’t dispose of body parts.

http://yro.slashdot.org/article.pl?no_d2=1&sid=08/08/05/1539231

It’s still unbelievable to me that so many place that store “sensitive” data, especially on “mobile” data like laptops, CDs, etc aren’t encrypted.  Seems like a sensible precaution and a no-brainer.

After getting half unpacked there was a UWH class in DC that I had to go and deliver.  Never been to DC before, so that was going to be good even though I didn’t like leaving the new apartment half full with boxes.  Class was an odd Tuesday to Thursday (it’s ususaly Mon-Wed, or Wed-Fri in my experience), so headed off to SeaTac for my first trip out of there.

SeaTac is a bigger and busier airport than John Wayne that I used to fly out of in SoCal, but there’s better facilities there and seemed to get through security quicker.  If the airport ever gets a Clear line I might consider getting one (don’t tell me about these - I know they don’t do anything for security and it’s even more info the govt can track you on, but if it means saving me time at the TSA queue in the morning all the better).  Depending on the route out and the side of the plane you are sitting on there’s a great view of Mt. Ranier.

Class went really well, and had some good engaged students.  Sometimes there’s the “wrong” level of people in the UWH class - programmers that find a lot of the material basic, which to be fair a lot of WebAppSec is and they only really start getting into the interesting stuff for them at the end of day 2/beginning of day 3.  This class was mostly network guys so it was meaningful from slide 1.

Had a few evenings to walk around the capitol.  The White House was obviously first stop (my hotel was only a few blocks from it) and I was somewhat surprised about the size of it - it was as tall as I was expecting, but I thought it was wider and a lot more rooms.  In any case, that was interesting and I walked all the way around.  From there it was a choice to either walk up the mall to the Lincoln memorial or to The Capitol.  Decided on The Capitol as I could pop into the air and space museum as it was open late that night.

Once again, though the air and space museum was small as far as museums go (been spoilt somewhat with the museums in London), but had some excellent pieces in there.  Got to see (in no particular order) the Apollo 11 capsule and door, a moon buggy, Moon lander, Space Ship One, an X15, and lots of other bits.

After class finished on Thursday, I went out to see an old friend Gary McGraw and stayed overnight at his gorgeous place.  I don’t think I could ever live as remote as that, but to have that much land, horses, peacocks and a river (which we spent ages sitting at talking about all sorts of things) must give him his inspiration to write all his books.

Got back for the weekend and then had to head back out on Monday to work in Torrance - SoCal can only miss me for so long it seems!  Nothing really to report there other than I went to see one of my work colleagues, Alex, and his Dad+Brother play in their band “The Flying Smolenskys“.  Usually this kind of thing is just going along for moral support, but these guys ROCKED!  It was such a good night.

So, that’s about it for me now.  Nothing all that interesting going on other than the usual work (which on a side note I’m getting a little fed up with having to keep fighting clients on if something is a finding or not).  Back in Seattle now for what looks on the schedule to be a few weeks of remote work, so going to try and catch up with a few people here and get out and explore the place.

Day 1

Movers turned up at 8am with, as usual, a giant truck.  I’m always impressed (even after seeing what these drivers can do for so many years while touring) at how they can back these huge things around obstacles and down small spaces.  The guys (3 + driver) had everything that we hadn’t boxed like furniture wrapped in moving blankets and down in just 2 hours.  Worrying how all your life can disappear onto the dance-floor of a truck (the slightly raised area of the trailer where it attaches to the hitch on the cab) and look so insignificant.

Once everything was signed, for both moving and to release the apartment, we were on our way.  Got past LA pretty quickly and past Malibu, which we hadn’t really ventured past before.  The landscape changed dramatically, from palm trees everywhere to more “normal” flora, which was a present surprise.

Got to San Luis Obispo at about 7pm and met up with Eric (old work friend at FS) and Kim.  They were really good at giving us a whirlwind tour of the town, which isn’t complete without having a look at the Madonna Inn and Bubblegum Alley!  Also, Eric had picked up a fantastic gift for us of some (signed by the artist) Serenity posters, which just blew us away and I really am lost for words at how grateful and thoughtful that present was.  Had dinner with Eric and Kim and then crashed out

Day 2

Got up early so we had time to visit Hearst Castle.  It was very good, but what is it with very rich people and a) their complete lack of taste, b) wanting to model their houses on “European” style (read - of course all us Brits live in castles with huge tapestries on the wall!), and c) they never really come from “nothing” - even if they didn’t have specific support from how they made their money, they very seldom don’t come from successful families in some way or the other.  Perhaps it’s just in the genes.

Really wanted to head up to Big Sur, but couldn’t because of the fires in the area.  We were actually in this area on the 8th, but this has a good map of the area - see the other posts in this blog for a good update on what is happening.

Went to Santa Cruz, mostly for one picture in the sand!  Don’t ask!  Was the usual run-down seaside amusement town, so didn’t really stay all that long. 

Stopped both sides of the Golden Gate bridge for a loo-break and some photos, then pushed on to Santa Rosa.  Had an excellent dinner at the Toad in the Hole pub, and saw a statue for Snoopy (who Tara is  *big* fan of) - we had completely forgotten about the museum in the area so it was serendipity that we stumbled upon it.  We’ll take a look tomorrow before we head off again.

Day 3

Today we rested up in the hotel in the morning until the Charles M. Schulz Museum opened.  It’ only a small museum, and unless you are a fan of Peanuts/Snoopy, then there really isn’t all that much there.  However, for us (who are Snoopy fans), it was a good stop-over.  After visiting the shop and stocking up on some merchandise, we were back on our way.

If we are going to do this route again, or anyone else is thinking about it for a sightseeing trip, it’s best to go from north to south (instead of the way we are going) because all the best views, stopping places, etc, are on that side of the road.  It’s not that we are missing out on lots, but it would certainly be easier.

On the way up, we took a detour from the 101 to drive the Avenue of the Giants.  Words, pictures or video (of which we used a lot of all three) do not do this place justice.  It’s just superb.  Winding around these huge trees, many of which have been around for ever (well, hundreds of years) was just so picturesque.

We then booked it up the 101 to Eureka pretty quickly so we could get dinner early and relax in for the night.  Tomorrow is a big push through the mountains (and more redwoods) to Portland.

Day 4

Ok, so it’s getting very prosaic (one of Tara’s favorite words at the moment!), but the scenery on this drive is just stunning.  We left the coast road for route 199 going through the mountains into Oregon which went through another redwood forest and seemed to follow a river.  Stopped off at a few places to take more photos/film and just enjoy the countryside. 

Stopped off in Grants Pass for lunch and to refuel the car.  At McDonalds (ok, we were stuck for choices and couldn’t be bothered to look around any more) there were 3 young (I guess around 9-10) that were just being absolute bitches - generally playing up everything, like how one of them didn’t like their cheeseburger and sent it back for another one (much to the prompting of the one that was clearly the “queen bee” of this group).  I had really thought that we’d left this attitude behind, but clearly girls aspire to The Hills (seriously, they were talking about it!) even if they do live in po-dunk no-where.

The drive onwards to Portland was long, perhaps the longest leg so far, which not much to stop off for, but it was I5 all the way so I just stuck the car on cruse control and sat back.

Day 5

Rest day in Portland - didn’t have to drive anywhere today :)  Spent the time exploring the city, doing some shopping, and caught Hancock.  Good to see Los Angeles again, even if they do take liberties with the geography (Alameda is nowhere near LAX, and there’s not a Mercy General Hospital in downtown by city hall), but that’s pretty normal :)  Overall enjoyed the film a lot.  It’s a little slow in places, but well worth it.

Day 6

Well, this is it - final leg.  Made the drive from Portland to Seattle pretty quickly.  Have great weather in the NW at the moment - clear blue sky, 70-80F - so had fantastic views of Mt Hood, Mt St Helens and Mt Ranier all the way up.

Got the keys to the apartment, unloaded the car, and went out to get supplies - it’s amazing how much basic “setup” stuff costs to restock your home, but it’s a necessary expense (no point in keeping things like cleaning supplies, etc).  The apartment is very bare as still waiting on the moving truck to arrive with everything which should (fingers crossed) be Tue or Wed.

So, I guess that’s about it - our trip up to Seattle.  Actually quite miss SoCal at the moment (Tara a lot more than me), but it sort of “feels right” - very much like the UK both of us keep saying.  It certainly feels a slower pace of life at the moment, but I’m sure I’ll post more about the area and our “adventures” over time.  For now though, signing off as there’s lots of things to get done like connecting utilities, getting us back on the net (this post courtesy of some nice person who as left their dlink wifi open :))

ETA: Posted some pictures up and linked to them.  Will be editing the video when we have more time after our stuff has turned up, so will add that here when done.  One last photo for the trip - it’s a long way back, even by the “quick” route (which we certainly didn’t follow :))

(b)  For purposes of Subsection (a)(1), obtaining or
furnishing information includes information obtained or furnished
through the review and analysis of, and the investigation into the
content of, computer-based data not available to the public.

The very basics of this law is that if someone “reviews, analyzes, or investigates” any “information”, then they need security clearance, which as a contractor/consultant, means a private investigators licence.

Now, I am not a lawyer, and an opinion piece from the legislator is available here [pdf], and there’s an interesting write-up and interview here, but it appears to my reading that network/software security testing = ok, whereas forensic work = need Texas PI licence.

There’s a really murky area in there where say you are investigating a network/webapp/etc, and you find a vulnerability, what happens about showing an exploit or data, or even if the client asks you to see if the vulnerability has been taken advantage of?  I’d love to know other people interpretations of this.

In any case, the community should be aware of this new law, and the potential ramifications of it (even if it’s not specifically written for/against computer security work that isn’t forensics).  Otherwise “Violators of the new law can be hit with a $4,000 dollar fine and up to a year in jail”.

Don’t mess with Texas!

This is really very cool, and as RSnake says, a big step in the right direction - programmers will always make mistakes, and any methods we can help protect against buggy software from being exploited (even if only temporarily) is a benefit.

I’ve been doing some research for an upcomming talk, and I must say though that mozilla’s proposal for a Site Security Policy goes a step beyond this.  The negatives are that a) it’s an incomplete add-in, whereas the IE guys have hard plans (and code it seems) to incorporate XSS protection in the next version they ship, and b) that developers have to actually set the policy or it defaults to no protection (whereas IE will always provide some, even if it is not “full”).  I really like the ability to say that “I’m not going to have any executable JS in this page”, and “If I do have JS, it’s going to be delivered from here” - totally removes the potential for the browser to load “untrusted” code.

What I really hope is that both browsers put their differences aside on who created what, or who supports what, and actually implement both solutions in a cross platform way.  If that happens, we very may well say goodbye to one of the most prevalent webapp vulnerabilities and the web will me a much safer place for people in general.

[EditToAdd] Found this blog post that details the additional security features IE8 is going to have.  Looks pretty cool

Week of War on WAF’s: Day 1 — Top ten reasons to wait on WAF’s - As it says on the tin, reasons to wait and not deploy a WAF.  I guess, that this is the post that I disagree with the most out of the series because of some of the items on the list, but that’s beside the point - it’s a good place to start the argument.

Week of War on WAF’s: Day 2 — A look at the past - To show that the argument against has been going on for quite some time, a copy of an email from OWASP to the Application Security Consortium (PCI) in 2004 is presented.

Week of War on WAF’s: Day 3 — Language specific - Points out that differences in how languages/frameworks (PHP, Ruby, ASP.NET, etc, etc) parse CGI variables may leave open holes.  For example, if the WAF is written in C/C++ and parses URL’s one way, the target script may parse it differently (despite what the RFC says) because of canoncalization issues.

Week of War on WAF’s: Day 4 — Closer to the code - Argues that validation should be closer to the code and that there are methods that this can easily be added (one way put forward is Aspect Oriented Programming)

Week of War on WAF’s: Day 5 — Final thoughts - Identifies some short-term alternatives to using a WAF without going through a full SDLC.