bmonday(dot)com

What a long strange trip this will be


Monday, June 30, 2008 #

The Heller Decision

I was busy last week, and didn't post, but rest assured I knew about the Heller decision about 4 minutes after it was announced.  And yes, I did a happy dance.  As I told my dad later, I never had the Supreme Court decide on something that I so strongly believed in, and it was a bit overwhelming when I heard the decision.

Where to start.  Wow.

First, the biggest thing in the decision was the fact that all 9 justices, including the most liberal ones, agreed that the Second Amendment conferred an individual right, not a collective one.  Let me say that again:  All 9 justices unanimously concluded that the right to keep and bear arms as bestowed by the Second Amendment is an individual right, not tied to service in a militia or other organized group.  The “collective right” argument was the mainstay of the anti-gun movement, so it's incredible that the court struck down that argument quite thoroughly the first opportunity it has had to address it.

Some interesting quotes I read throughout the week:

  • The same folks who can read the Constitution and Bill of Rights and find an unassailable right to abortion and gay marriage can't find a right to possession of a firearm. http://justoneminute.typepad.com/main/2008/06/the-great-equal.html 
    (For the record, I support gay marriage and abortion.  Because I'm a Libertarian.  But the point is valid, given that gun ownership is mentioned as a right in the Constitution and the others are not.)
  • It's true that the dissenters' view of that right is somewhere between "minimalist" (to be charitable) and "incoherent" (to be accurate). But nonetheless, all nine Justices specifically said the right is individual, and thus rejected the "collective right" position on the Second Amendment, a position that's been the mainstay of gun-control groups, newspaper editorialists, and lower federal courts for decades, and one that was presented by those adherents as so obviously correct that those arguing for an individual right were called "frauds" and shills for the NRA.

    Yet the collective right theory could not command a single vote on the Court when actually tested. It was, it seems, a paper tiger all along. (InstaPundit)

  • Of course, the originalism of both Justices Scalia's and Stevens's opinions are in stark contrast with Justice Breyer's dissenting opinion, in which he advocates balancing an enumerated constitutional right against what some consider a pressing need to prohibit its exercise. Guess which wins out in the balancing? As Justice Scalia notes, this is not how we normally protect individual rights, and was certainly not how Justice Breyer protected the individual right of habeas corpus in the military tribunals case decided just two weeks ago.  (Wall Street Journal:  News Flash: The Constitution Means What it Says)

  • Team Obama declared the DC gun ban as “constitutional” on November 20, 2007, during a period of time when he was busy sucking up to the hard Left and their confiscatory inclinations on the Second Amendment.

    Suddenly, with the general election looming, Obama discovers that his campaign’s statement was “inartful“.  This seems rather puzzling, because before he ran for public office, Barack Obama was supposed to be a Constitutional law expert.  One might expect the “inartful” excuse on wetlands reclamation or some other esoteric matter of public policy, but the Constitution is what he supposedly studied at Columbia and Harvard.  One has to wonder whether Obama has any competence even in his own chosen field to have seven months go by before realizing that he got the Constitutional question wrong. (Next in Bus & Driver: Obama’s position on guns)

  • On page 2 of Stevens' dissent, when referring to US v Miller and the National Firearms Act, he leads off with:

    "Upholding a conviction under that Act, this Court held that..."

    Of course, Miller was never convicted and US v. Miller certainly didn't uphold any convictions. That's just factually invalid.

    How did Stevens, Souter, Ginsburg, and Breyer all miss that when US v Miller is the core precedent that the dissent was based on? 

  • Ah, yes. The living constitution. Which is like a living contract between your mortgage company and you. I know we agreed on 6.5%, but the contract is living so now it's 19.4% and you're required to clean our local branch office.

    The funny thing is that it is capable of evolving. The founders had a good first try, however not all their ideas have worked perfectly nor did they cover all the bases. They, being rather intelligent people, realized they couldn't be perfect so they came up with a pretty good system that allowed the people to modify the Constitution if the need arose. The modification wasn't to be done by a few judges, but by a vast majority of the people.

    I don't know what I'm enjoying more. The fact that we actually moved a back a bit to the freedom this country was founded upon, or the fact that leftists' heads are a'splodin'. (Sharp as a Marble:  When Historians Attack)

More later.

posted @ 11:02 PM | Feedback (0)

Wednesday, June 18, 2008 #

Strip Mall Thai Food

I know you're expecting a full-on expletive-filled rant about the quality of food one can get in the normal strip mall thai restaurant.  And actually, when I made up my mind to try this place, located in the heart of Edmond, I thought that's the story I'd leave with too.

Instead, friends, what you are about to hear is a story about a guy named Crazy Nick, and his one-man Thai food empire, run out of the end of an average-looking (that is to say: run-down) strip mall in downtown Edmond.  Doesn't take credit cards.  Doesn't even have a phone.

I can't tell you the name of Nick's establishment.  I can't tell you where it is.  I can't even tell you how I heard of it, for reasons which will become clear as I tell the story.

So I pull up to the place, and the parking lot has one car in it, and that pulls away when I drive up.  It looks deserted, and I wonder if they are even open.  But the door is unlocked, so I stroll on in.  In one corner is a couple chatting quietly, and towards the counter sits a young woman waiting a take-out order.  No sign of any staff, and the place is devoid of customers aside from these two.

And speaking of the counter, there's a Mary statue on one side of the register, and on the other side there is a statue of Vishnu.  My steps falter slightly as my brain tries to process that paradox, and I can feel the mental safeties flick off on my fight-or-flight impulse.  People eat here, I tell myself, and they live to tell about it.  Some of them, at least.

So I have a seat, and out comes this tiny little Asian guy with a happy gap-toothed grin on his face.  He pours a glass of water, grabs a menu and strolls over to my table.

“Oh, I don't need that,” I tell him.  “I'll have your phad thai, with chicken please.”
“Sure thing,” he says, as he turns and heads back to the kitchen.  “Dead or alive?”

My brain jumps to 100% utilization trying to figure out what he possibly could have asked, because no sane person would ask me if I wanted my phad thai dead or alive. I laugh nervously, hoping he was just making small talk.  But he turns to me, expectantly.  Time to commit.  Dead chicken or live chicken on my phad thai.

“Dead”, I say confidently, “This time.”  Crazy Nick, as I would come to know him, smiles and heads back to the kitchen.  That, apparently, was the right answer.  Whew.

Not 5 minutes later, here comes Nick, with my food.

“I hear you make the best Thai food in town,” I say, as he sets the plate down in front of me.
“Who told you that?” Nick says suspiciously.  Uh oh.
“Um, some guy on the Internet.  I don't remember his name.” I try to look busy with my food, hoping he'd go find something to do.  But, shit, he's not going anywhere.  He's got nothing to do.  HE'S GOT NO CUSTOMERS.
“Huh.  Probably that Steve guy.  I keep asking him to stop telling people about this place.”
“Seriously?”
“Yeah, it's just me here, serving, cooking, everything.  Friggin 7 people came in earlier, ALL AT ONCE.  Man, if they bring kids, I tell them to feed those kids down the street at McDonalds, I don't need to be cooking food for 6 year old kids.  Those kids don't care what they're eating.”

And as I eat Nick's food, I come to realize that he's right.  This food is wasted on children.  It's so perfectly cooked and seasoned that it can't possibly be properly appreciated by the kids.  If I were king, Nick would cook for me, and nobody else.  The parents would be down at McDonalds too.

So while I wolf down the best thai food I've had in many years, Nick goes on to tell me his story.  He works 20 hours a day, sleeping only 4.  That's how he likes it.  He closes the restaurant on Sundays so he can go tend the farm at the monastery.  The restaurant is his hobby, and it's just as busy as he likes it, thank you.  He said one or two tables is about right, any more than that and he's in the weeds.  This guy's an Asian Howard Hughes or something, because he cares less about money than any restaurateur I've ever known.

Nick beams proudly when I tell him that my food was spiced perfectly, and I'd love to come back.

“Don't bring any friends,” he warns me. “And don't go telling people about me!”
“Ok, you got it.”
“I'm Nick,” he says, extending a hand.
“Beau,” I say, as I shake his hand.
“They call me Crazy Nick.”
“Well of course they do,” I smile wryly at him as I turn and walk out the door, leaving Nick to tend his empty restaurant.

posted @ 10:45 PM | Feedback (0)

Wednesday, June 04, 2008 #

Sausage and Spinach Stuffed Shells

I'm trying my hand at food writing, for something to spice up the otherwise dry blog. 

My first submission, for your review, is a recipe I cooked up in my head this past week, when I tried desperately (and failed) to find fresh pasta where I live.  So I converted what was a recipe for manicotti (using fresh lasagna sheets and rolling them up around the filling), into a recipe for stuffed pasta shells.

It works in a pinch, but I miss that fresh pasta.

I'm still working on my food photography, too.  Throw me a frickin bone here.

Recipe follows:

  • 1 lb fresh Italian sausage (I use mild, so I can control the heat with pepper flakes during cooking)
  • 2 lbs fresh baby spinach
  • 3 cups ricotta cheese
  • 3 cloves garlic
  • 1/2 of a small onion
  • 1 lb jumbo pasta shells
  • Chili flakes to taste

Set a pot on to cook the pasta.  Once at a rolling boil, drop the pasta into the water and let cook for roughly 3/4 the directed cooking time before removing from the heat and draining.

Cook the sausage in a large skillet until browned, then remove from the pan.  Chop the onions in a small dice and sweat them in the skillet that you just pulled the sausage out of.  Add the garlic and sauté until fragrant.  Add the spinach and cook until wilted.  Stir the sausage back into the pan, kill the heat, and set aside.

Cover the bottom of a shallow baking dish with the red sauce of your liking (I use a home-made sauce of tomatoes, garlic, onion, basil, flat-leaf parsley and salt, all thrown into a food processor and obliterated until smooth).  The goal is to have enough to submerge the shells about halfway into the sauce.

Fill each of the shells with a tablespoon's worth of ricotta (using a piping bag or a makeshift zip-lock piping bag will make this part easier).  Then add a tablespoon of the sausage and spinach mixture to fill.  Then top with a little cheese (I used romano tonight, but use what you like.  I'm not the boss of you.).

Stick the whole thing in a 400 degree oven until the cheese does whatever it's going to do (parm/romano gets kinda crispy, mozz will melt).  About 15 mins.

Consume.

posted @ 10:55 PM | Feedback (1)

Saturday, May 24, 2008 #

And now for something completely different

I wasted my entire weekend last week catching up on The Adventures of Doctor McNinja.  This comic strip started as a college project, but has matured dramatically, and was a competitor in the recent Eagle Awards for Best Online Comic (Order of the Stick won, another real gem in that genre, especially if you are a recovering D&D addict like myself).

If you have time to waste, trundle on over and read some of Doctor McNinja's adventures. 

Here's a teaser.  This is the Doc's dad (also a ninja, duh) explaining why he lit himself on fire to escape a pack of fake ninjas using an illicit drug to enhance their ninja-ness:


Heh.  Great stuff.

posted @ 1:01 AM | Feedback (0)

This might become my new email signature

Mike Rothman, of Pragmatic CSO fame, laid down one of the best one-liners of all time in a recent blog post:

It's about serving the business, NOT THE AUDITORS. If you protect information effectively (which is a key imperative for the business), then the auditors should be kept reasonably happy. And if not, screw them and fight them. Yes, the auditor can make your life a bit harder, but you don't work for them. Keep that in mind.

OK, technically, that's a five-liner, but you get the point.

I can't tell you how many companies I've seen spend a million dollars a year on auditors, yet spend 1/10th of that on actual security improvements.

That's bass ackwards.  If you have your ducks in a row, security-wise (it *is* a key imperative of your business), the auditors should be in and out.

posted @ 12:32 AM | Feedback (0)

Even a broken clock is right twice a day

I'm a rather pragmatic security practitioner.  If I think something is dumb, even if it's on someone's “Best Practices“ list, I'm not above calling it out. 

Some examples:  I think, in the majority of cases, antivirus on a server is dumb.  I think renaming your Administrator account is dumb (almost all tools that attack Admin now do so using the SID).  I think account lockouts are dumb (they are a crutch for weak passwords).  I think writing down a strong, complex password is better than using a weak password if that's all you can reliably remember (no, don't then stick it to your monitor, that *is* dumb).

I also think Disaster Recovery is not a security function.

Yeah, I said it.  Out loud.  I've been saying it for years actually.

“But Beau,” I hear you saying, probably in an exasperated voice, “*availability* is one of the Holy CIA Trinity (Confidentiality, Integrity, Availability)!”

Yeah, and?  Step carefully or I'll punt those other 2 legs out of Security too.

I've long held the belief that the Operations side of the house has far more responsibility when it comes to Availability than Security does.  Hell, most IT operations teams are measured by their availability, and not a lot else.

If a disaster strikes, who is going to be putting the pieces back together?  Security?  Nope.  Operations, and maybe some Network guys if the recovery site is raw.  Security will be *involved*, of course, but only peripherally.

Security's role is making sure disaster planning is getting done by the appropriate people, and implementing supporting policies and controls.

Actually, that describes Security's role in the other 2 domains too.  The people in the trenches on Confidentiality are the Privacy team (read: the lawyers).  The auditors are the leads on Integrity.

Now is usually the time most security people get all woozy and I have to start passing out smelling salts.

So, imagine my surprise when one of the most respected security guys I know, Richard Bejtlich (he's the TaoSecurity link at the bottom of my BlogRoll to the right), posted pretty much my standing belief in this regard.  From his post on Wednesday, entitled “Security: Whose Responsibility?”:

I assume readers of this blog are familiar with the "CIA" triad of information security: confidentiality, integrity, and availability. Having spent time with many companies in consulting and corporate roles, it occurred to me recently that two or even all three of these functions are no longer, or may never have been, the responsibility of the "security" team.

He demonstrates his vision using this graphic, which I have not previously seen:


He goes on to define what he feels Security's role is:

I believe this state of affairs leaves the Security team as the one group that has the proper mindset, subject matter expertise, and ability to implement defensive operations to preserve CIA. This mission is not one the Security team accomplishes by itself, if that ever were possible. Rather, Security will (if not already) need to pair itself with IT, Audit, and Privacy in order to be effective. One could say the same for Compliance groups, Governance officers, and/or Physical Security teams, although I'm less worried about those ties right now.

It should be clear at this point that it doesn't make sense for the Security team to work for IT, given the role it must play. A Security team working for IT is likely to be stuck supporting the Availability aspect of "security" at the expense of the other CIA elements. Furthermore, it could be difficult for Security to build the necessary bonds with Audit and Privacy if those groups see the Security team as "just part of IT," or "technologists."

This second part is very interesting, because building those bonds with the CIA-supporting organizations is precisely what Gene Kim's new book, Visible Ops Security addresses.  And it surely is a gap today, which is why I'm glad someone's making efforts to highlight it.

OK, give me back my smelling salts now.  I'm going to go freak out some lawyers.

posted @ 12:01 AM | Feedback (1)

Thursday, May 22, 2008 #

Time for a new phone

On a recent trip to Nawlins, I left my RAZR's charger in my hotel room.

Which means, obviously, time to get a new phone.

Truth be told, I've had my RAZR (v2!) for several years, having purchased it way back when the first black ones hit the scene.  It's been a great phone, and I really don't have any complaints about it.  But sheesh, I've never owned a phone this long, and it's starting to bug me.  The only problem I've ever had with it is the battery gave out about 2 years in, but that was easily remedied (hooray for field-replaceable batteries!).

I'm looking hard at the new Z9 that just came out in April.  The video streaming and built-in GPS functionality intrigue me.  I looked at the iPhone, but ruled it out because it a) won't take my existing company-provided SIM and b) can't use it as a wireless modem with my laptop (tethering).  Oh and c) battery is not user-replaceable (see previous experience with having to replace my RAZR's battery).

Anyone have any experience with the Z9, or have another phone to recommend?  I don't need email/SmartPhone-type features, just solid phone features.  Access to a full keyboard of some sort would be a nice bonus, but not required.

posted @ 6:21 PM | Feedback (0)

Friday, May 09, 2008 #

Identifying Stale Machine Accounts

I'm sick of googling for this the few times per year I need it, so putting it here for future reference:

To identify stale computer accounts in your Active Directory, you can look at the last time they changed their passwords.  Windows 2000 and later machines will change their computer account passwords every 30 days by default.  Machine accounts that have gone well past 30 days without changing their account passwords are probably no longer in use (or they have a problem preventing them from communicating with the domain controller(s), such as a laptop that has been off the network for a long stretch, so give the threshold some slack before you start deleting anything).

The easiest way to enumerate machine account password age is a free tool called NetPWAge by the folks over at SystemTools.com.  Once downloaded, the syntax is simple:

NetPWAge /machines /domain:YOURDOMAINHERE /tabs > MachineAccts.txt

You can paste or import the results into Excel and do some fancy sorting to find out which machines need to get the boot.

Edited to add:  I should mention that domain controllers should be excluded from any cleanup based on this scan, whatever password age the report shows for them.  You know not to go deleting your domain controllers though, right?
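For the same job without a third-party tool, here is an added PowerShell example (mine, not from the original post or from SystemTools.com) that pulls the machine account password age straight from AD.  It assumes the Active Directory PowerShell module (RSAT) is installed on a domain-joined box, excludes domain controllers outright, and defaults to a 90-day threshold rather than 30 to give laptops and other intermittently-connected machines some slack; the output file name is my own choice.

```powershell
# Added example: list computer accounts whose machine password has not rotated
# in more than $MaxAgeDays days. Requires the ActiveDirectory module (RSAT).
param(
    [int]$MaxAgeDays = 90,                      # 30 is the default rotation interval; 90 gives slack for laptops
    [string]$OutFile = "StaleMachineAccts.csv"  # assumed output file name
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Domain controllers are excluded from the cleanup list no matter what their password age shows.
$dcNames = (Get-ADDomainController -Filter *).Name

$stale = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff } `
        -Properties PasswordLastSet, LastLogonTimestamp, OperatingSystem, Enabled, DistinguishedName |
    Where-Object { $dcNames -notcontains $_.Name } |
    Select-Object Name,
        Enabled,
        OperatingSystem,
        PasswordLastSet,
        @{ n = 'PwdAgeDays'; e = {
            if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } },
        # lastLogonTimestamp is a second signal; it replicates lazily (up to ~14 days behind), so treat it as approximate.
        @{ n = 'LastLogon'; e = {
            if ($_.LastLogonTimestamp) { [DateTime]::FromFileTime($_.LastLogonTimestamp) } else { $null } } },
        DistinguishedName |
    Sort-Object PwdAgeDays -Descending

$stale | Export-Csv -NoTypeInformation -Path $OutFile
$stale | Format-Table Name, Enabled, OperatingSystem, PwdAgeDays, LastLogon -AutoSize
```

Run it as `.\Find-StaleMachineAccts.ps1 -MaxAgeDays 60` to tighten the threshold.  An account that is stale on both password age and last logon is a much safer candidate for disabling than one that is stale on password age alone, and disabling first (then deleting a month later if nobody screams) beats deleting outright.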

posted @ 2:51 PM | Feedback (1)

Wednesday, May 07, 2008 #

The Seventh Sign of the Apocalypse

Today I saw a picture so utterly horrifying that I cannot even bring myself to include it within this post.  You'll have to click on it, and by doing so you hereby release me from any claims pertaining to damaged psyche, mental anguish, or anything else that tends to result from the vile desecration of things you allow into the ring 0 of your soul.

You've been warned:  click.

More details here: http://www.prweb.com/releases/2008/04/prweb819754.htm

posted @ 6:49 PM | Feedback (1)

Sunday, May 04, 2008 #

Back from Vegas

I spent the week in Las Vegas, attending the CSI/SX and InterOp conferences.

If you don't leave Vegas broke, hungover, and tired.... well, you're doing it wrong.

posted @ 3:42 PM | Feedback (0)

Wednesday, April 16, 2008 #

Source found for Med Cable Cuts - And aren't there 2 Koreas?

2 of the ships responsible for damaging the undersea cables in the Middle East last February were caught with their proverbial pants down on satellite photos.

One was Iraqi, and the other was “Korean”.

Wait a second.  Aren't there 2 Koreas?  One that is relatively peaceful and the other that wants to blow our brains out with a nuke at their earliest possible convenience?  I think it's relevant to distinguish between the two, don't you?

Story here: http://www.nationalterroralert.com/updates/2008/04/12/remember-the-undersea-cables-that-were-being-cut/

posted @ 1:30 AM | Feedback (0)

Accessorizing with Macs

I have never actually used a modern Mac.  My exposure to them is limited to the IIe era, and I understand they've come a long way since then.

What I don't understand is why the majority of Mac laptop users I've observed have used the platform merely for running Windows XP in Parallels.

Case in point:  Returning from RSA, I was sitting behind a Mac user that was using her vaunted MacBook Air to type a simple Word doc.  In Windows XP.

Seriously?  Folks, there is even a Mac version of Word.  Does XP really present such a compellingly superior user experience that you cannot be troubled to run the Mac version of Word on Apple's own operating system?

I was left to conclude that the user had a MacBook Air just for the “cred”.  For whatever reason, they felt compelled to do their actual work using XP.

I'll never get Mac users.

posted @ 1:07 AM | Feedback (0)

Tuesday, April 15, 2008 #

Scars of 9/11

I've never told this story, not even to my family.

9/11 is why I'm in the security business.  Corny as it sounds, when 9/11 happened, I decided that the way I could contribute to making the world a better place was to apply my IT knowledge to securing the world's Windows networks.  I had flown out of Logan airport in Boston the day prior to the attacks.  I was galvanized.  I quit my job, put myself through a number of SANS courses, and focused my 15+ year old IT career towards security.

I even traded my BMW in for a Jeep, in a semi-ridiculous gesture of patriotism (Jeep was subsequently acquired by Germany's Daimler Corporation, ironically).

To say that 9/11 was a defining moment for me would be an understatement.

Now the weird part:

Since 9/11, I've had a little “twitch”.  A day rarely goes by when I don't look at a clock when it hits 9:11.  Either in the morning or at night, my subconscious rarely misses the opportunity to note the passing of 9:11 by drawing my attention to a nearby clock at that hour.  It's fucking creepy.

So tonight, as I fed “I Am Legend” into the DVD player, I glanced down at the clock and was surprised to see it read 9:12.  Holy Christ, I made it through an entire day without marking 9:11.  A rare thing.

A couple hours later, I logged into a computer in Seattle to service some waiting firewall tickets.  Look down at the clock on the computer in Seattle, and guess what it reads.

Nine fucking eleven.

Sigh. 

Never forget.

Now if you'll excuse me, I've got some firewall changes to make.

posted @ 11:28 PM | Feedback (0)

Friday, April 11, 2008 #

RSA Connections

RSA is 50% learning and 50% networking.  At roughly 17,000 attendees, it is far and away the largest gathering of information security practitioners and vendors.  You make professional connections here that you cannot otherwise make.

The Peer-to-Peer sessions are networking gold.  You have 20 people all struggling with some particular aspect of the business, and you generally leave with the personal contact information from at least half of them.  The world's information gets more secure as a result of these short sessions, and the relationships we build after the event is over.  Unfortunately, due to the small number of people permitted into them, they fill up quickly.

The Virtualization Security peer-to-peer session is a great example.  I talked to one guy who told me about a network problem causing all his VM hosts to shut themselves down.  I chuckled and said “Yeah, we made that mistake too.”  I then told him about another hitch we had implementing VMotion that caused a similar problem, and by the fact that his eyes went wide when I described it to him, I'm guessing he's probably vulnerable to that too.  Those are the little things that don't get discussed in the technical sessions.

Another great contact I made during the show was Gene Kim, author of one of my favorite books of all time, The Visible Ops Handbook.  I saw him sitting at the book store, doing signings, purely by chance.  I introduced myself, and told him we'd bought 30 copies of his book for our staff, and that I had won a corporate award for implementing a change management program based on his work, and he just gushed and said I made his entire week.  He shouted over to one of his partners “Hey they gave this guy an award due to Visible Ops!“  I bought copy #31 from him on the spot so he could sign it (he wrote that my kung fu was awesome), along with his latest release Visible Ops Security, which I have not yet read.  Gene's nervous about his new book, since he's not a security practitioner and is anxious about how the community will react.  So he asked me to give him an honest review of it after I've had time to read it.  Then he gave me his card, and wrote his cell phone number on it.  Dude, I have Gene Kim's CELL PHONE NUMBER.  How cool is that.  Where the hell else would that have happened, but at RSA?

posted @ 9:31 PM | Feedback (0)

RSA Random Links

Here are some interesting links that I noted during RSA.  These are mostly for my own benefit, but I won't tell anyone if you click on them.  I'm not the boss of you.


posted @ 8:57 PM | Feedback (0)