Blog

Military Channel: Top Sniper Debut

May be of some entertainment interest to our gov/mil subscribers: A friend of mine, Eric Katzenberg, produced and directed a documentary on an international sniper competition held at Fort Benning. The show, Top Sniper, premieres tonight at 7 pm (with an encore at 9pm) on the Military Channel. Sniper teams from all over the world are competing so it should be a really entertaining hour of television. If any blog readers do watch, please let us know what you thought about it.

Use Comcast? Collect $200 (thousand)

Do not pass GO, do not collect $200. Collect $195,000 instead! The FCC Chairman announced today that they will investigate claims that Comcast actively interferes with the Internet traffic of their subscribers. A "coalition of consumer groups and legal scholars" -- whatever that happens to be -- is recommending a fine of $195,000 for every affected subscriber. Not a bad rate of return for a $50/month cable modem, right?

Comcast's David L. Cohen (who pulls in just under $2 mill a year before stock options) contends that it does not block file sharing but rather just "delays" some of the traffic between computers that share files. From the Associated Press article back in October, it appeared that unsolicited RST packets were being spoofed from both ends of the conversation. Correct me if I'm wrong, but beaming RST packets back and forth doesn't constitute a "delay" of traffic -- it's a reset!

R.I.P. Netscape Browser

For most of us, the Netscape web browser was the first* web browser we ever used. It was the granddaddy of them all, making its debut in October 1994 to a pristine Internet free of pop-up ads, banner ads, and drive-by XSS attacks.

Sadly, the day has come for us to raise our mice in the air and bow our heads in silent appreciation for a friend that has passed away. AOL announced today that all development for Netscape will cease come February 1st, 2008.

* To be fair, NCSA Mosaic was the first browser I ever used, but it wasn't a particularly good experience. Once I got my hands on Netscape, it was the difference between DOS 4.2 command lines and Windows 3.1!

Twitter at 36,000 feet

Am I the only one that doesn't want WiFi on my coast-to-coast flight? Isn't it enough that our co-workers, clients, and family can reach us via Blackberry at any time of the day or night? The sweet sanctuary of the airplane (even with its crying babies) was the only place I could be disconnected and not feel guilty about dropping off the grid.

Virgin America also provides an electrical outlet and Ethernet ports at every seat, so it definitely sounds like you're seatbelting yourself to your cubicle in the sky. Let's just hope Richard Branson springs for something better than a Linksys duct-taped to the drink cart.

Class Action for Internet Interference

A San Francisco-based Comcast subscriber has filed a lawsuit and is seeking class-action status against his Internet Service Provider for actively interfering with his ability to access the Internet. We all saw this coming, but I don't see how this can end well for Comcast.

Whenever I try to explain net neutrality issues to a non-techie, I always use the analogy of the phone company. If you pay the phone company $50/month to connect you to the internet-work of telephones, you expect that you can call any telephone number and speak about any topic, right? They usually nod their head. Okay, now how about if you wanted to call someone else and talk about illegal activities, such as selling copies of copyrighted work--would the phone company allow that call to take place? Most certainly they would--they are a telephony service provider as much as Comcast is an Internet service provider. The whole purpose of the utility (be it telephone, electric, or Internet) is reliable connection to said service. Once the utility company (service provider) begins filtering what you can and cannot do with the service, it becomes quite a different issue.

What do you readers think of the phone company analogy? Why is it incorrect or is it right on the money?

Poker World Surprised By Hack (Security World Slaps Forehead)

Yesterday morning Absolute Poker, an online poker room, released a statement that a 'trusted consultant' had compromised the system and was unfairly playing poker on the site. Essentially, the 'glitch' allowed this person--who has been linked to others within the Absolute Poker organization (can you say, conspiracy?)--to view the hole cards of other players (this means he was the only one who could see all the cards in the hand). The poker community has been blogging and sharing opinions on this issue for weeks, with plenty of uproar.

The only comment I have to these people is, "DUH"! C'mon, how can you take online gambling seriously? Obviously there has been quite a bit of attention to the fact that it is still illegal in the U.S., so the companies involved aren't the most upstanding and scrupulous. They are constantly dodging criminal prosecution and money laundering charges. So these are the people you think are hosting an honest game?

I am nearly convinced that BrickBreaker on my Blackberry cheats when I get too far in the game, so I think it's only natural that humans would try and manipulate the system to make more money (obviously I was correct).

I have plenty of friends that have almost made a living out of playing online; however, when I think of online gambling I am reminded of the scene in Vegas Vacation where Clark Griswold goes to the Native American casino and plays pick-a-number with the dealer. In my mind this is almost the same thing. How can one honestly believe that the Blackjack application is completely random? You cannot. At least in a real casino there are safeguards and visual indications that the house only has a statistical advantage, not a technological one.

My only advice to the online poker players that are up in arms about this incident is to get a new hobby or drive your butt into a legal card room. While technology has made it easier to play cards online, it certainly hasn't made it more ethical.

Net Neutrality Gets Kicked In The Butt (and some other places too)

Just a few weeks ago I posted on this very same blog that I would gladly pay for premium services from my broadband ISP if that meant that there would be no degradation of the basic service level. Now, I don't have false illusions that I am a big industry mover and shaker, but really, did Comcast have to go and do the exact opposite? According to an Oct 19th story by the Associated Press, Comcast--the 2nd largest ISP in the nation--is blocking traffic to file-sharing and peer-to-peer networks.

The article claims that 50-90% of Internet traffic is peer-to-peer applications. To me that sounds about 50-90% full of crap. While I do agree that ISPs have the right to shape their traffic, I find it hard to believe that access can be denied. Even worse, Comcast seems to be devious in their methods of blocking access, essentially resetting connections for file uploading. Shady tactics indeed!
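One defender-side check for the kind of forged resets described here and in the "Use Comcast?" post above, as an added example that is not code from this blog or from the AP's reporting: it compares the IP TTL of each RST against the TTL already observed from the same sender on the same flow, since a segment injected by a middlebox usually arrives with a different remaining hop count than the real endpoint's packets. The packet summaries are constructed, and the TTL tolerance is an assumption (legitimate route changes can shift TTL by a hop or two).

```python
from collections import namedtuple

# One summarised packet: IP/port pair, TCP flag letters, remaining IP TTL.
Packet = namedtuple("Packet", "src sport dst dport flags ttl")

# Constructed capture from a tap between two BitTorrent peers (not a real trace).
PACKETS = [
    Packet("10.0.0.5", 51234, "203.0.113.9", 6881, "S", 64),
    Packet("203.0.113.9", 6881, "10.0.0.5", 51234, "SA", 52),
    Packet("10.0.0.5", 51234, "203.0.113.9", 6881, "A", 64),
    Packet("10.0.0.5", 51234, "203.0.113.9", 6881, "PA", 64),
    Packet("203.0.113.9", 6881, "10.0.0.5", 51234, "A", 52),
    # Two injected resets, one "from" each end: their TTLs do not match the
    # hop count already seen for that sender, so they did not originate there.
    Packet("203.0.113.9", 6881, "10.0.0.5", 51234, "R", 61),
    Packet("10.0.0.5", 51234, "203.0.113.9", 6881, "R", 58),
    # A genuine reset from the remote peer: TTL consistent with its earlier packets.
    Packet("203.0.113.9", 6881, "10.0.0.5", 51234, "RA", 51),
]


def flow_key(pkt):
    """Direction-specific flow identity, so each side keeps its own TTL baseline."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def find_suspicious_rsts(packets, max_ttl_delta=2):
    """Return (rst_packet, baseline_ttl) pairs whose TTL deviates from the
    sender's established baseline by more than max_ttl_delta (assumed tolerance).
    A RST seen before any baseline exists for that direction is not judged."""
    baseline = {}  # flow_key -> TTL of the first non-RST packet in that direction
    suspicious = []
    for pkt in packets:
        key = flow_key(pkt)
        if "R" not in pkt.flags:
            baseline.setdefault(key, pkt.ttl)
            continue
        expected = baseline.get(key)
        if expected is not None and abs(pkt.ttl - expected) > max_ttl_delta:
            suspicious.append((pkt, expected))
    return suspicious


def describe(findings):
    """Human-readable lines for an alert or log entry."""
    return [f"{p.src}:{p.sport} -> {p.dst}:{p.dport} RST ttl={p.ttl} "
            f"(baseline ttl={base})" for p, base in findings]


if __name__ == "__main__":
    for line in describe(find_suspicious_rsts(PACKETS)):
        print(line)
```

A single anomalous RST is only a hint; the pattern worth alerting on is repeated mismatched resets on the same ports across many flows.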

Of course I'm sure they claim they are winning one for copyrighted material, however I use BitTorrent to download legal content. No seriously -- I do. In fact, I am downloading a live recording of Dave Matthews on my Time Warner connection right now. While I am probably in the minority of BitTorrent users it still doesn't change the fact that I want my live copies of Dave Matthews, or John Mayer, or OAR (I could go on for ages).

In all reality most Comcast subscribers won't be affected by this new policy, nor will they notice a difference (even with that 50-90% utilization freed up), but it sure would be interesting to see how many jump ship to DSL. It will be even more interesting when Comcast stops blocking everyone's access to the Special Ops Security blog, because the views expressed are not acceptable (even though they are legal and not copyrighted).

World Series Servers Overwhelmed

From the "who couldn't see this one coming" department...

Ticket demand crashes Rockies' computers

Paciolan--acquired by Ticketmaster this summer and located just minutes from Special Ops Security HQ in Irvine, California--provides venue ticketing services to the Colorado Rockies professional baseball team. A little more than an hour after online ticket sales started this morning, the crushing load of 8.5 million requests crashed the entire North American ticketing system (affecting all of Paciolan's customers). This, just days after they assured uneasy fans that because MLB.com hosts their website, they would be able to handle the demand. What they failed to mention is that MLB.com only hosts the links to evenue.net (Paciolan).

For the first time in the Colorado Rockies baseball team history, they make it to the World Series... and the network engineers didn't believe that there would be overwhelming demand??

Furthermore, the system wasn't properly partitioned, so a failure for one customer (the Rockies) took down every other customer with it. Again we see that you don't always need fancy SQL injection skills to bring a system to its knees... sometimes you just need to open up your web browser (with a few million of your friends).

Who Needs Hackers?

Last week's New York Times had an interesting article (Who Needs Hackers?) on the differences between a network architecture failure and the more sensationalized "Hollywood" hacker attacks.

"We don’t need hackers to break the systems because they’re falling apart by themselves," said Peter G. Neumann . . . Steven M. Bellovin, a professor of computer science at Columbia University, said: "Most of the problems we have day to day have nothing to do with malice. Things break. Complex systems break in complex ways."

What sounds more interesting to you: hold a briefing that says "nasty hackers infiltrated the airline's reservation system and wreaked havoc" or the "DMZ was improperly isolated at layer 2 and rapid MAC address flooding from a bargain NIC caused the switches to fail?" In the former, the organization can blame the "evil-doers"; in the latter, the problem is a lack of proper planning.

You may find it odd that as an information security company that performs penetration testing, we're pointing out an article that says "hey, hackers might not be your #1 issue." Yes, you may find it odd, until you realize that we offer--and have offered, since day one--network infrastructure design and audit services. Ah yes, I can hear the cash register "ding" from across the office.

Friends (and potential customers), the truth is that without a solid review of your foundation, a penetration test alone will not provide you with the most accurate view of your organization's security posture. Let us pore over your massive stack of Visio diagrams and router ACLs and we'll provide effective and thoughtful optimization recommendations.

CISSP, GSEC, or a little hands on

There is nothing like feeling like you are late to the game (4th quarter, up by 20 -- put in Shaw), but I had to chime in on the recent blog cage fight between CISSP'ers and GSEC'ers. Having the painful distinction of passing the CISSP on two occasions (more on that later) and being the fourth person to complete the GSEC (#13, but they started counting at 10), I have a little history on which to build my soap box.

The differences between the two certifications, and the impacts they can, and likely will, have on a security professional's career, are significant:

When I was doing IT contract work for the Navy in Charleston, I stumbled upon a relatively new organization: SANS. At the time, I had little functional knowledge of security and their GSEC track seemed like a great introduction to "usable" information security. The sub-sections included OS Security (Unix/Windows), encryption, and the use of specific tools (l0phtcrack). The lessons were at times rough around the edges, but I felt like my interests were piqued, which was what I needed to make a career change. I am embarrassed to reread my paper, but it is a good reminder of where I was in IT. When my GSEC finally expired, I didn't realize it, nor did I worry about it. The GSEC to me is more of a point in time achievement. It was a tool that helped me learn and explore the field. I approached the GCIH in much the same way. FINAL THOUGHT: If you are interested in information security, getting started in the field, or have a job related need to interface with infosec staff, the GSEC is a well-rounded certification that touches on numerous practical elements of information security.

Fast forward 2+ years and I am now pulling shifts for a managed security provider. I decided that while being hands on was something I enjoyed, my interest in management was equally as strong. It was at this time that I decided to pursue the CISSP. I knew that there would be very little that I would learn that would be applicable to my current job, but also knew that most hiring managers valued the certification. I decided to skip the boot camps and simply use a study guide. I opted for Shon Harris' CISSP All-in-One Exam Guide. A month later, I was certified. I won't go into the specifics of the test, as that is an entirely different discussion. What surprised me the most was the difficulty I had (and continue to have) in obtaining the required number of CPE credits. The perfect storm of time with the family, time in the office, and a severely limited training budget resulted in an insurmountable deficit of credits. I realize that there are many ways in which to earn CPEs, but none of them seemed to fit my life's mold. After three years, I ultimately found it easier to retake the exam. I wouldn't wish that upon anyone, so I committed myself to keeping up with the required CPEs this time around. Well, I am happy to say that after the first year of my new three-year cycle, I have zero credits. Something has to change and I doubt it will be our company's training budget or the amount of free time I have. Any suggestions? FINAL THOUGHT: The CISSP is virtually a must have for information security managers and above. The certification won't help you implement technical controls to improve your environment's security, but it will likely extend the boundaries of your security thinking.

So what does an infosec professional do to actually learn ways to improve the security of their infrastructure? I recommend vendor specific training, LOTS of reading (books, blogs, documentation), and late nights in the office or home lab. A couple thousand dollars spent on hardware, software, and/or books can do what no certification will -- give you the skills to excel in your field.

Side Note:
I have talked with many colleagues who are insulted when asked if they have, or would obtain, the CISSP. The feeling is that it is not a worthwhile reflection of their technical abilities. My question to anyone who feels this way is: does any one element of your resume reflect all of your abilities? Your college degree(s)? Your clearance? The answer is obviously no. So why not enhance your marketability?

Copyright 2002-2007 • Special Ops Security, Inc. • All Rights Reserved.