Me electric bill is “teh suck”

I was ripping up my floor when it happened. I, for one reason or another, bent down at the now bare concrete wall, pulled the pile of wood pieces from the previous flooring and reached under the drywall, the edge of which was now exposed.

I was shocked.

There was nothing there. Not a stitch of insulation. Just drywall glued to cinder block. Not even a frame. Nothing. I almost choked. “What kind of low rent building did I buy into?!?” and that’s what started this project.

First step, rip the drywall out, fill the HOLES in the cinder block (let’s put it this way, I could see sunlight coming through the wall), frame everything, then spray-foam the hell out of it. That was a very quick way to burn through a grand in materials, but it cut 1/3rd off my electric bill from last year, where my biggest bill was $1200. I shit you not. For a one bedroom apartment. But I still don’t understand WHY it was still sitting at $300 a month for a 1 bedroom apartment, which, btw, I only use one room of.

This building has HVAC units. If you’ve ever had the displeasure of owning one, you’ll know what I’m talking about. Essentially HVAC stands for “Heater/Ventilation/Air Conditioner” which is an acronym which describes exactly the things it’s really really shitty at. For heat, these things are essentially a heater coil and a fan that blows hot air up at the ceiling. Very useful when you want to heat the air over your head. They don’t come with thermostats, so essentially if you want to adjust the temperature, you have to turn the knob. More blue or more red. Not “71 degrees fahrenheit”. And the way they work IN the apartment is basically there’s a giant hole cut in the side of the building directly into your apartment where they push these things in with a really shoddy seal.

Even better.

So, back to being green.

I stopped using my HVAC units. All three. And I sealed the hole between the exterior of the building and the HVAC by putting in fiber board insulation, then adding pink insulation all around the HVAC and stuffing it tight by any means necessary. As a replacement, I bought a Vornado heater/fan unit. This thing is neat. It’s sort of a space heater, looks like a fan, doesn’t get hot to the touch and has this phenomenal futuristic technology called a “thermostat”, which, unlike the HVAC, doesn’t require you to dial “more red or more blue”.

This thermostat technology is going to be HUGE! You can actually just set this thing at a temperature… say… 71 degrees fahrenheit, and it’ll maintain that room temperature. It’s saved me hundreds this winter. Fantastic.

But my electric bill was STILL 300 bucks.

Damn it!

So I took this green tech thing even more seriously. I went Belkin power conservation crazy. First I bought a Belkin Conserve switch. It’s essentially a power strip with a remote that you can completely power off all the things that are vampire sucking power when still powered off. Examples being the surround sound processor, floor lamp, the subwoofer, the Xbox, the TV and one of my switches.

While I was at it I purchased a Belkin Conserve Insight unit. This puppy plugs into the wall, then the device in question plugs into that. And what it gives you is this really cool little display of how much power that device or devices plugged into it consumes, as well as what it costs on a monthly/yearly basis. And so I’ve gone around the house trying to identify wtf is consuming over $300 in electricity. I’ve found that the Vornado heater uses between $75 and $100 per month. I also found that my computer only costs me about $20.00 a month, and that was before I configured my computer to sleep at 1am each night and come back at 7am. No need to be online at that time. I’m not running SETI at home.

On the same Belkin train, I purchased the Belkin Conserve Socket Energy-Saving Outlet. Plug it into the wall. Plug a device into it. Then set your time at a half hour, three hours or six hours. When you need to use it, press the button. So what’s the use case? I set one at 30 minutes, and into that I plugged in my kitchen appliances on a power strip. When I need to use the microwave, or anything else plugged into that little nugget, it’s as simple as pushing a button and it stays on for 30 minutes, then automatically powers off. When I want to power my cordless drill, dremel, etc. I plug them in and let them charge for 6 hours. No need to leave it charging forever.

Finally, I bought a boat load of LED spotlight (G10) bulbs from various vendors. They consume between three and four watts per bulb. In my bathroom alone I have six lights. So, consider this, six lights in the bathroom times 35 watts per bulb is 210 watts being used. With the LED bulbs I’m now using 18 watts. That’s a MASSIVE decrease in power consumption! And I did these all through the house! They are dimmable, they use less power than the previous bulbs and lastly, they last 25 years.

I’ll get my power bill at the end of the month. Thus far I’m still scratching my head as my Belkin Insight isn’t telling me who the big culprit is, however, I’m hoping to find the sneaky bastard sucking up all my power, and with it, banish my electric bill down to 1/3rd of its current amount.

I’ll keep you updated.

My Audi Q5 review

I woke up this morning to find the earth cold and precipitation had blessed us with some snow. Sorta.

Now all of last year I was driving a Dodge Charger SRT. She’s a big girl. 450HP, 6.1 Liter HEMI. All balls, no cock.

She was something of a spectacle in the snow. Rear wheel drive meant I could spin her in circles, drift for days and floss my “mad” Yankee skills in the snow.

I didn’t give much of a rat’s ass about how much snow was out there. I drove that car through anything.

A year later my Audi S8 is in the shop for a number of tweaks and upgrades. Tires. Rims. The lot.

So today I was in fortune of driving a loaner from Audi, the Q5.

It’s not a massive SUV. It’s mini. It’s big enough for a small family and small enough to not be a gas monster. “Cute”. Dare I say even “soccer mom-ish”.

But with the Audi Quattro all-wheel drive transmission, I was chomping at the bit to go a little snow crazy.

And so I did.

The verdict? I love the little bastard. The full glass sunroof from front to rear lets the light in and makes the interior feel larger than it is. Though it’s really quite roomy. Enough for kids, strollers and groceries… Or dogs, tools and bags of concrete.

Either way works.

The 2.0 liter turbo is more than enough “go” for city and country driving. The suspension is bumpy but not “bounce you out of the truck” bumpy. The truck rolls with the punches, sticks and moves and doesn’t offer any apologies.

The interior is basic plastic and leather with faux wood trim, but integrated iPod/iPhone integration makes it feel more elegant because your own personal theme music is then an integrated part of the experience.

All in all, I’ve enjoyed my limited time with the Q5. It makes for a great around-town vehicle and not a bad day-trip car either.

Good enough for the family, or the guys, regardless of rain, shine or some rare October snow, she’s versatile and flexible enough for all.

10 days of Blackhat/Defcon: Two ends of the same [exhausting] spectrum.

I can tell that I’m getting old. I know this because I felt like an old man at Defcon. I couldn’t help but feel like it’s turned into a fashion show. A tourist attraction to helpdesk employees and wannabe’s. Out of the maybe 100 people I spoke to perhaps 10 of us actually know/do/understand some aspect of security. So wtf were those other 90 people? I’ll let you ponder that.

I shouldn’t complain, though. I loved it. I loved every minute of it. Though I wish I was as popular as Bijoux during DefCon, it felt great to see some friends. It was great to talk tech, ponder the future of netsec, and laugh at Dan Kaminsky’s expense. (Does ANYONE know why DK was wearing a leather coat in the desert? I fear we’ll never know.)

People have often asked me what’s the difference between Blackhat and DefCon. I’ve heard others say that Blackhat is corporate and DefCon is “real”. But I’m not sure that’s true. In my own humble opinion, Blackhat and DefCon are two ends of the same spectrum.

Blackhat is organized. Each talk is on time. Each break is on time. Each class runs for exactly the amount of time set aside. It’s professional. It’s corporate, private sector, public sector security. It’s the big picture. And you pay for that. The cost is aimed at the corporate budget and is almost prohibitively expensive for the individual nerd. The fun stuff is limited to the Pwnie awards and a workshop or two.

DefCon, on the other hand, is the opposite of that. It’s young. It’s chaotic. It’s less than 200 bucks for 2.5 days of madness. It’s up to 2 hour lines to hear speaker talks. I can proudly say that the black t-shirt uniform was in full swing. It was heavy heavy on the side of Caucasian males conforming to non-conformity. It was the love of security at the nearly matrix level granular detail. This specific buffer overflow. This specific exploit. This specific vulnerability.

DefCon Beard Moustache Competition

And there’s fun at Defcon. Lock picking, Capture the flag, video games, scavenger hunts and a glorious beard/moustache competition hosted by Red Beard himself.

The vendor areas are so vastly different that they almost can’t be compared.

Blackhat vendor booths: Firewalls, IDS’s, Security hardware/software and vulnerability assessment/pen testing services.

DefCon vendor booths: Long range wireless antennas, lock pick sets, old school hardware, stickers and black t-shirts.

After nearly 10 days of Blackhat and DefCon I can tell you that it was a blast. I wish I’d seen/done more at DefCon. I wish I’d gone to more parties and met more people. I wish I’d kicked Moxie in the knee. Next year I’ll attempt to partake in more DefCon. More social activity. More convos with real hackers, with real netsec nerds and real digital gangsters. But in all it felt like home. Both sides of the same spectrum. Blackhat and DefCon.

Until then I’m glad it’s over, but I’m already yearning for next year.

Disaster Recovery and The Cloud: A Recipe for Success

Cloud Disaster Recovery – ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility

Cloud computing and disaster recovery are like peanut butter and chocolate – two great flavors that taste even better together. There are several companies that have recently entered the “Disaster Recovery in the Cloud” arena, offering services such as data backup, business continuity and disaster recovery services for MSPs packaged together into a single suite. Before jumping on that bandwagon, let’s deep dive into these three topics with a bit more detail.

When businesses hear the phrase “Cloud Computing,” their initial question is (understandably) how much control they will retain. There is the fear and uncertainty of added risk as well as the fear of losing control of their data. This is a common thought pattern, and is completely justified.

So why move to the cloud?

The promise of cost savings derived from cloud computing is very attractive, but concrete financial returns are not always quickly achieved. Except, perhaps, when it comes to disaster recovery.

Cloud computing, by nature, is a distributed concept with some backup already available. However, the concern about reduced reliance on local infrastructure and physical hardware, and the subsequent perceived risk of trusting another vendor with the continuity of your business, certainly gives some organizations pause. With due diligence and an understanding of the available feature set, though, cloud disaster recovery is a very attractive solution. The additional cost savings doesn’t hurt, either.

At the end of the day, cloud-based disaster recovery allows you to add important capabilities to your IT infrastructure at a reduced cost—especially when you consider your alternative options.

Companies that have balked at the cost of building out their own disaster recovery infrastructure often find the cloud more cost effective. Buying expensive hardware, software and network infrastructure that only serves as a “what-if” solution can be very expensive. Think about it: your primary and secondary gear as well as the maintenance and support of the lot can be tough to swallow, especially considering failover gear just sits in standby until something fails. Why pay for a room full of gear with the sole purpose of waiting for a failure?

Many companies do in fact use an outside vendor for disaster recovery, so a move to the cloud isn’t much of a change.

Here are some major points you should keep in mind when thinking about your approach to cloud disaster recovery:

1. Make sure your cloud provider offers business continuity as a necessary service, and that it’s part of your SLA.

2. The cloud provider should be monitoring its hardware, software and any sort of managed gear for failures. They should have multiple datacenters in multiple locations in order to quickly move data around or bring up backup and additional VMs if necessary.

3. Choose business continuity. Backup solutions are wonderful, but take it a step further with business continuity. Although they sound one and the same, the key difference is offline backups vs. online, or online-accessible at a different location. Simply flip the switch, and you’re back in business.

While one of the key drivers for cloud computing is reduced cost and a richer feature set, restoring data in the cloud is also much quicker than other disaster-recovery scenarios, and there’s no hardware to buy. A full disaster recovery solution at a reduced cost will sweeten the pot. Cloud computing and disaster recovery, much like peanut butter and chocolate, have a tasty future ahead of them, with the sweetest part coming when you see the savings on your bottom line. So, if you choose to dip your spoon into cloud security, these points can be your key ingredients for a delicious recipe that saves your organization money and offers a safe, more secure situation with greater accessibility.

The Haj of Netsec Nerds Worldwide: Blackhat Las Vegas

I arrived yesterday, ready for Blackhat again. Since this time last year, I’ve attended Blackhat: DC, Blackhat: Abu Dhabi and Blackhat: Europe. And here I am again. Blackhat Las Vegas.

It’s bar none my favorite show of the year. This is the big show. The haj of netsec nerds worldwide. This is our mecca. This is Blackhat/Defcon. The anticipation began to creep up a few weeks back when I came to Las Vegas for Cisco Live, which too, was a great show. But it’s not like this. Cisco Live is a networking event supported by sponsors. Blackhat is about the nerds. It’s about we who live and breathe security. It’s about the blackhats and the whitehats. And a bit of grey in between. This is a show for nerds by nerds.

Setup happened today for the training which starts tomorrow. I’m excited. Tomorrow is BackTrack training and rumor has it, BackTrack 5 is being released. That’s really exciting as BackTrack is the premier pen testing tool used worldwide by hackers and security engineers.

This may sound like a shock to you, but I’ve seldom used BackTrack. My personal style has involved online tools to mask my identity. Online tools to do hours and hours of recon to craft my attack long before the trigger is pulled. I’ve always had the impression that BackTrack was more or less a brute forcer’s dream. So, I’ve never taken the plunge. I’ve used Metasploit, and Wireshark and a host of other recon and/or attack tools, but never once have I used a suite such as BackTrack to take a run at a network, hack hosts or take down applications. It’s such a different animal to me.

There’s a difference between hackers and penetration testers. Much of it comes down to time, and time plays a big part. A penetration tester’s job is based on an hourly rate or on a salary. But he can’t take 6 months to pen test a network. So generally pen testers go in, run through their checklist of ports to probe, OS’s to fingerprint and SQL to inject. Or the salaried employee will try to push through the task as fast as possible to finish as fast as possible.

But the reality is… that’s not how hackers do it. When you hack… time is on your side. Time is your friend. You have lots of it. You’re not in a rush. Low and slow is the saying, and it’s never been more true than it is now.

As time goes by, I find myself saying that phrase quite a bit more lately than previously. “Low and slow.” And I can’t help but feel like it comes down to one basic thing that’s prompting that.

There are several technologies on the market today which are ridiculously expensive, and I can’t help but feel like they are nothing more than Dumbo’s feather for Security Architects and CISOs who don’t know any better. It gives them a false sense of confidence, OR they lose complete confidence in security due to the constant number of false positives being received.

Tomorrow starts the BackTrack course I’m auditing. And I’m excited to get started.

I’ll post more on how it goes, my thoughts on the tool and the teaching.

Bose Quietcomfort 15 headphones: Noise canceling like wow.

If I were to sit down and go through some boxes to figure out how many pairs of headphones I have in the house, I’d probably come up with five or ten pairs. Maybe closer to 15. I don’t know. I just know that I’ve tried everything from Sony to Shure to Apple to Bang & Olufsen. But as of this moment, I’ve found the holy grail of headphones.
The Bose Quietcomfort 15.

Oh. my. god. There’s no other way on earth to make the entire world disappear with one flip of a switch. HVAC? Gone. Road noise? Gone. Dryer? Gone. Dishwasher? Gone. Annoying neighbor talking to you? Well, they’re not gone, but at least you hear them less.

If I were to recommend a pair of headphones… THESE would be the ones.
I have a pair of Sony noise canceling headphones? Bose shit on these headphones.
I have a pair of Bang & Olufsen headphones? They are fancy, but sound like crap.
I even have a pair of Bose “passive noise canceling” headphones. What a joke. It just cups your ear.

These Bose headphones are so serious that when you flip the switch it feels like someone has dunked you into a deprivation chamber. Your ears feel pressure. Your mind thinks you’re at high altitude. But you’re not. You’re in your own world, free to enjoy your time in isolation enjoying music, a good book and/or a life without the neighbor. At least a little bit.

The new iPod Nano: Oh, you sexy little beast.

The hot shit from the year 2000 - 32 megs. bam!

My first MP3 player, back in 2000, was a Casio G-Shock. It was ahead of its time. 32 megs. It was slick. Almost held an entire CD on it. Back then people said “WTF is an MP3?”. It came in the form factor of a watch. It sat giant on my wrist, the headphone cord running up my shirt to my ears.

Fast forward 7 years.

Commuting from San Francisco to San Jose on my motorcycle, I had a faithful little nugget called the iPod Nano. It clipped to my belt, and gave me 1 GB of music all the way to work. Fantastic battery life. Just set the playlist and off I went.

Fast forward to now. The new iPod Nano. Color screen. Radio. Pedometer. And 16 gigs of music. What a wicked little machine.

Though it’s impossible to change music on the actual device while wearing motorcycle gloves. Perhaps with the headphones with the button I can. But blasting down the highway may prove to be a challenge. It’s loud if you want it to be, but it’s clear. Crisp highs. Solid lows. It’s amazing audio in a very very small form factor.

In the 6th generation of the iPod Nano, Apple has really put something together that is fantastic.

There are a ton of accessories available for the Nano including something that hits close to home. A bit of nostalgia. It’s a watch band that will make the Nano into a watch… Much like that first MP3 player I had. The G-Shock, but better.

In 11 years we’ve gone from 32 megabytes of music in a watch to 16,384 megabytes.

Where will we go next?