Archive for October, 2009

DVL Mirror Back Up

October 28th, 2009 3 comments

***UPDATE***
For those wondering where DVL is, read this note here

********

I just got an email from my web host that I now have unlimited traffic, which means no worrying about overages and no worrying about extra fees. As a result... I've re-enabled the DVL mirror; DVL 1.5 is available here.


My Open Tabs in Firefox

October 13th, 2009 No comments

When I started this site I did something called the daily link list. Back then I had time to gather links to articles of interest every morning and share them with some comments. I don't have that kind of free time anymore... but I noticed I've got a number of open tabs and decided it was time to read them and that I might as well share everything that was open.

VMWare Authorization Service Haunted by DoS Vulnerability

This is an interesting one because I've always wondered why VMWare Workstation opens listening ports by default. It just feels like a bad option but given how hectic my day is, I've yet to have time to really play around. I'm glad someone is looking and is starting to show why maybe it isn't necessary. If I were writing malware, I'd be paying attention to these types of attacks and writing my malware to target systems on the network. It might be a little noisy but depending on circumstances it'd be an easy way to eliminate VMs used to analyze malware.

Downtown Santa Rosa eatery damaged in blaze

This isn't something I'd normally even read. It's a shame to lose a business like that... but a coffee shop in Santa Rosa doesn't really affect me. The reason this is open and that I read it though was the mention that Windows Update may possibly be to blame.

To Vendors Everywhere: If your product is driven by a computer, please treat it like a computer... ensure that it can be properly updated and all security patches can be applied. I don't care if it's a CT scan, a coffee roaster or a giant billboard. These systems are just as likely to be affected by a worm and help the malicious software propagate as your accountant's desktop computer and are more likely if you don't update them due to failed interoperability. Make your software work properly and solve the problem!

Django Security Update

Another Denial of Service and while it may simply be my fascination with DoS, I thought this was worth pointing out. The vendor quickly pushed out fixed software. This is the response that I wish we'd see more of from vendors. It's a welcome change.

The Month of Facebook Bugs Report

A wrap up detailing what was found during the month of Facebook bugs. Some of the numbers are interesting and if you haven't seen this, definitely worth the read.

Varkens hacken computersysteem (Pigs computer hacking)

It seems that pigs are smart enough to figure out how to beat RFID sensors... a humorous video to watch.

Snow Leopard guest account bug deletes user data

How could I not include this one? Given the Apple fanboys' love of their product, this simply had to be pointed out. How do you get this far in your operating system and introduce a bonehead bug that wipes out all of a user's data when they log in and then out as Guest? On top of that, how do you fail to resolve the issue in the first update you push for the system? I'd have to say this one takes the cake on stupid bugs of the year.

Windows TCP/IP Denial of Service Attacks (Sockstress)

From what I've seen, no details on the actual sockstress attack have been released before. So for me, this was the first time I'd seen a detailed explanation on the topic. I'm not in a position to verify the validity, but it seems reasonable.

Ont. researchers tout cheap eHealth alternative

For those outside of Ontario, we've spent $1 Billion (with a B) on a secure online medical records system that will connect all the doctors and hospitals. It has come under review and there has been quite a bit of discussion on the overspending. Researchers with a piece of medical records software that is open source say their software could have been used for only $20 Million. I see a big problem when one of the developers of the OSS states that there was no need to build an expensive secure network. This is my health information... I'd much rather see my tax dollars go to building a secure network to share my health records on, than a number of other things it could be spent on. Was there overspending... sure, but what government project doesn't overspend? I also like the comment on OSS being "free from viruses" when compared to the "more common software we're familiar with". How much common software ships with viruses these days? His comment is technically inaccurate for a number of reasons... I know what he meant but that's beside the point... I'm not sure he knows what he meant. It has been proven time and time again that OSS isn't free and that it has operating costs associated with it, many times operating costs that are more expensive than their commercial alternatives. In other words, I don't agree with this article at all.

Thawte discontinues Web of Trust for free SSL certificates

thawte is discontinuing its personal email certificates. Nothing big, but worth pointing out. If you hold a valid thawte personal email certificate right now, you can sign up with Verisign for a free 1 year email certificate.

And those are the open tabs in my browser that I will now be closing.

Using Firebug to Beat Poor Web Development

October 12th, 2009 2 comments

For my 500th blog post, I figured I'd share something amusing.

From time to time, my wife and I order from Swiss Chalet and the order is pretty standard, quarter chicken and a baked potato. The one thing we've always found is that they don't provide enough sour cream with the baked potato but luckily, for $0.25, you could add an additional container of sour cream. Recently however, they've removed that option. The item is still on the menu, and you can still visit the page, however the 'Add this to your order' button was removed. This weekend, while we were ordering I decided to see if Firebug could assist me in ordering my extra sour cream.


SecTOR!

October 10th, 2009 No comments

I guess it's time for that post SecTOR write-up. Time to share every little thing I can remember... which, luckily for you, isn't much. I'm going to divide this up in sections to make it easier to organize my thoughts (or for you to skip parts).

Canadian Information Security Awards

Kudos to the organizers for attempting this, but it was a bust. I don't think it should be abandoned though. I just think we need improvements for next year. So few products are limited to one country for contribution that I wonder if a lot of people didn't vote because they didn't know what counted. I'd like to suggest new categories for next year:

  • Best Canadian Security Blog
  • Most Innovative Canadian Security Research
  • Canadian Information Security Professional of the Year

Those are things I'd be interested in voting on and I think the prize of a netbook is much better suited as an individual award.

Speakers

Once again SecTOR had top notch speakers, some returning and some new. I have to admit though, that I didn't see nearly as many talks as I wanted to... I spent too much time chatting with people in the vendor area, keynote hall and hallways. I took in three talks the first day and that was the extent of it. I saw Raf's Web 2.0 talk... I love the look on people's faces when he mentions Native Client. I also took in RSnake and Hoff's sessions. I had intended to see two or three more sessions but other commitments kept me away from those. From what I heard, everyone enjoyed what they saw... and the complaints were few and far between, if they existed at all.

I definitely enjoyed being able to meet up and chat with a few of the speakers, at the speakers dinner and sitting around the bar afterward. I was able to share some stories and hear some at the same time. While Toronto has a strong security community, it's nice to expand the contact list and network until you can't even hold your beer, and even then you can simply pass over the business card as you fumble with your pint.

Reception & Speakers Dinner

While I preferred the reception in previous years with the open bar in the keynote hall, I was fairly impressed with the reception at Joe Badali's. The food was good and the drinks were free. We filled tables and chatted and had a great time.

Even though I'm in Toronto, I had never been to Joe Badali's before so I wasn't sure what to expect from dinner. I was surprised by how good the food was. I opted for the vegetarian option (pasta) and it was incredible. I will say that the last thing I expected to see at the speakers dinner was a lap dance... but at least it was good for a laugh (video I recorded coming later).

Vendors

Vendors are great because their money helps keep your ticket price down. I had the opportunity to chat with a number of vendors this year and while the talks were interesting... everyone's always interested in the swag, so let's give a run down of that.

In the 'best geek swag' category, eSentire had password keeper Post Its at their booth, unfortunately I didn't stop by and get any... they were pretty cool looking though but beyond the humor not overly useful.

In the 'best over all' category, I want to give it to nCircle, but people might call me biased. We had the only t-shirt give away and the slogan was my idea... so I need to vote for it :) We also had caffeinated chocolates that were mighty tasty.

Beyond that, most of my swag didn't even make it home... I've got a ForeScout stress cube that survived and I gave away my Tripwire flashlight because someone asked for it (always a nice offering, although when I first saw it I was hopeful for a laser pointer). I took a couple of pens, which weren't bad but unfortunately there were limited offerings of notepads and papers, one of my favourite conference takeaways... I did manage to snag some Post Its from Rapid7 but that was about it.

In the, 'I thought it would be cool but it wasn't' category is the travel alarm clock from Sentry Metrics. They had mentioned to me that the clocks were a rush order, so they can't be held responsible but the company that was peddling the clocks originally definitely had a horrid product. I actually have pictures from a table at Lonestar with the clock spread out in pieces. The hinge came out of the box broken, the open button worked once and the instructions reminded me that "PM is displayed in the afternoon". It was good for a laugh over beer and that was about it.

Socializing

The best part of SecTOR was the social scene... just like it usually is. Whether it was chatting at the con, or afterward at the bar, it was a great time. I got to put faces to names that I've chatted with and never met but also gather with people that I don't get to see often enough. We had some great conversations, some ideas for interesting concepts/research to put together and a whole lot of fun.

I'm already counting the days until SecTOR 2010, it'll be a great time!


SecTor Tomorrow

October 5th, 2009 No comments

Tomorrow is SecTor and I'm rather excited. There are so many talks I want to take in that I, unfortunately, can't see them all. On top of that the speakers dinner and meet-up at the Loose Moose should be awesome.

nCircle will have a booth this year and will be giving away T-Shirts and chocolate. So stop by and say hey to everyone there. I'll be floating around but I still haven't finalized my schedule (too many good talks, too many people to see, the conference needs a third day to fit everything in).

Anyways, ping me on twitter (@treguly) if you're floating around and want to meet up to chat or grab a drink. If I'm not around, it means I'm rushing to finalize my slides for the SSLFail.com panel.


On Teaching…

October 1st, 2009 5 comments

I remember one day in elementary school when we were dressing up for our future careers. I don't remember why they had us perform this ridiculous act, but I do remember it happening. I got up that morning, got ready for school, dressed up in nice clothes and picked up my "brief case", in reality it was a cassette carrying case with the dividers removed but it served its purpose. I was going to be a teacher. Then when I was old enough to see the looks on my teachers' faces in high school... the face palms, the head shakes and the rolling of the eyes as they dealt with student after student, I quickly changed my mind. After about 20 other options, I settled on IT and then narrowed the field and ended up in IS.

I can't say that I've never looked back and had a "what if" moment. In fact, I had many "what if" moments over the years and I always told myself I'd make a great teacher. Unfortunately, no matter how many letters I sent to the Ontario College of Teachers, they were convinced that computers were not a "technology" course but rather general education... which meant a university degree (something I don't have) is required to teach computers. So teaching was always put on the back burner, something I would do as soon as I went back to school to turn my three year diploma into a degree.

In the end though, it turns out I can teach... I just can't teach high school. Where do you put someone you don't feel is educated enough to teach teenagers? In college :) . Earlier this year I was contacted to develop a new course on computer security, and after the course was submitted I was asked if I was interested in teaching it. I jumped on the opportunity and I'm now a teacher.

So now I'm sharing it with all of you... why? Because my students are required, as one of their assignments, to blog on the course and what they learn... I figure I should be subject to the same requirements (and it's another excuse to find time to blog).

I have to admit that on that first day, I was scared shitless... still am really but I'm having a lot of fun. So far it's been pretty basic stuff, setting up VMs, installing some tools, talking about malware and playing with Python but it's been really good. There's something great about watching someone figure out the next line of code in a small Python script or getting back thoughtful discussion comments to questions you pose. I'm really looking forward to seeing where the rest of the semester goes.

There are a few things to get used to though. One of those is that not everyone is at the same level, some people need more help and some people don't want help. I should have remembered this from when I was in college, but somehow it had slipped my mind. The really odd thing is being called 'sir'. I'm sure the last time I was called sir, it was followed by, "Would you please leave, you're making a scene." I'm from the same generation as a lot of my students, so hearing 'sir' actually feels rather awkward. That being said, it's a small price to pay to do something I've always wanted to do.

So, that's my story... I teach 6 hours a week, and probably spend another 20 hours working on class related material (sending emails, reading labs and thinking about what we're doing next). And on that note, this Friday we cover reverse engineering and I've got some prep to do.
