Being your own best competitor or how I learned to love the Samsung.

I wouldn’t go so far as to call myself an Apple fanboy. But to a degree it’s true. If I were to tell you my daily online activities are all via iPad, iPhone or MacBook, I’d not be telling a mistruth.

I don’t own a single Android device (apart from a really, really shitty Android phone two years ago while spending nearly a month in London). But since then, nothing.

Now most Apple fanboys are arrogant about it. Elitist. Lord knows I was when it wasn’t the norm to have a Mac. Back when every Windows asshole had the generic response “oh, they [Macs] are good for graphics but that’s about it.” -spoken like a true ignorant asshole.

But today you’d think Blackhat was an Apple press release at the Moscone Center. Apple has become the norm. What was once conforming to non-conformity has become conformity. What was the underdog is now the supreme overlord. Apple runs shit.

But let’s be honest. Did anyone think the last few years of Apple devices were anything other than underwhelming?

iPad and iPhone changed shape. Wow.
Faster CPU. Great.
Thinner by millimeters and lighter by smidgens of a smudge. Fantastic.

Apple was once known for pushing the envelope constantly. Apple announcements meant new awesomeness every time. Now we just get different shaped iPhones, iPods and iPads. Remember the first MacBook Air? The first iPhone? The reaction? It was massive! Now? Womp womp.

Steve Jobs was once quoted as saying “you have to be your own biggest competitor”. How right he was.

Apple has lost its edge. It’s short on competition. It’s dragging ass.

So I’m excited about Samsung. I’m excited about Google’s Android platform. I’m excited about all the other vendors pushing technology forward and hopefully putting pressure on Apple to once again step it up.

I don’t want to own an Android phone. I don’t want to run Windows. I don’t want anything Samsung in my ecosystem. But capitalism loves competition. And hopefully Apple will step it up.

What was the last Apple product that blew your mind?

AppleTV, you underwhelm me

Everyone who knows me knows I’m an Apple Whore. I have just about one of everything they’ve made in the last 10 years (minus that stupid boom box and the apple battery charger).

I had the old AppleTV. Which, to me, was a step forward. A movement in the right direction. A glimpse of what was to become. And that was because I had a full understanding of the iPhone. Of the potential for applications being written around the AppleTV. About how this could be a game changer.

But thus far, I’m underwhelmed.

I have two of the circa 2010 (or was it 2009) AppleTVs. One for each TV. I use them for perusing content that’s stored out on my NAS, using the radio functionality and Netflix. Great. For $99, I’m not going to lose a kidney.
But after this week’s “update” I sit here thinking “Um. What the fuck.” Underwhelmed is an understatement. So much so I don’t actually know what word to use. What’s worse than underwhelmed?

Help me, Apple, understand WHY we are where we are with this thing.
And here’s a list of my current frustrations.

1. Why do I STILL not have a keyboard to use with this effin’ thing. Bluetooth? Wireless Keyboard? This isn’t rocket science. It will save me the aggravation of having to input my user/pass with that idiotic iddy-biddy remote each time it “forgets” it.
I use alpha/numeric/special char passwords that are no less than 14 chars long. It’s a 20 minute process to input all that crap. wtf. For fuck’s sake, at least give me T9!

2. Since we’re on the topic of a human interface device, WHY can’t I just use the keyboard on my iPad/iPhone to input data into the AppleTV? That doesn’t make sense. We can push content to it, but we can’t use it to enter data more easily? Do you think I like searching for movies, etc. using a single-button remote circa 1998? This is idiotic. Sure, the iPhone Remote app gives me some of that, but fuck me, it leaves a LOT to be desired!

3. Since we’re on the topic of inputting information INTO this thing, help me understand WHY I can’t search my content. I have nearly a thousand movies. And on this interface I can’t just input a couple of letters? Instead it’s scroll scroll scroll scroll…

4. The update gave us a new GUI. But what’s the benefit. How is this the killer app if I can’t add any apps? Apple, you tards, you own the fucking ecosystem. Help me understand why I can’t put apps on my AppleTV! I mean, wtf, even my Samsung TV has apps! It might be the worst user interface on earth but they at least have apps! Help me help myself!

Apple, I’m really hoping you are going somewhere with this. Thus far, I’m completely underwhelmed.

Me electric bill is “teh suck”

I was ripping up my floor when it happened. I, for one reason or another, bent down at the now bare concrete wall, pulled the pile of wood pieces from the previous flooring and reached under the drywall, the edge of which was now exposed.

I was shocked.

There was nothing there. Not a stitch of insulation. Just drywall glued to cinder block. Not even a frame. Nothing. I almost choked. “What kind of low-rent building did I buy into?!?” And that’s what started this project.

First step: rip the drywall out, fill the HOLES in the cinder block (let’s put it this way, I could see sunlight coming through the wall), frame everything, then spray foam the hell out of it. That was a very quick way to burn through a grand in materials, but it cut a third off my electric bill from last year, where my biggest bill was $1200. I shit you not. For a one-bedroom apartment. But I still don’t understand WHY it was still sitting at $300 a month for a one-bedroom apartment, which, btw, I only use one room of.

This building has HVAC units. If you’ve ever had the displeasure of owning one, you’ll know what I’m talking about. HVAC stands for “Heating, Ventilation and Air Conditioning”, which is an acronym that describes exactly the things these units are really, really shitty at. For heat, they are essentially a heating coil and a fan that blows hot air up at the ceiling. Very useful when you want to heat the air over your head. They don’t come with thermostats, so if you want to adjust the temperature, you have to turn the knob. More blue or more red. Not “71 degrees Fahrenheit”. And the way they work IN the apartment is basically that there’s a giant hole cut in the side of the building directly into your apartment, where they push these things in with a really shoddy seal.

Even better.

So, back to being green.

I stopped using my HVAC units. All three. And I sealed the hole between the exterior of the building and the HVAC by putting in fiber board insulation, then adding pink insulation all around the HVAC and stuffing it tight by any means necessary. As a replacement, I bought a Vornado heater/fan unit. This thing is neat. It’s sort of a space heater, looks like a fan, doesn’t get hot to the touch and has this phenomenal futuristic technology called a “thermostat”, which, unlike the HVAC, doesn’t require you to dial “more red or more blue”.

This thermostat technology is going to be HUGE! You can actually just set this thing at a temperature… say… 71 degrees Fahrenheit, and it’ll maintain that room temperature. It’s saved me hundreds this winter. Fantastic.

But my electric bill was STILL 300 bucks.

Damn it!

So I took this green tech thing even more seriously. I went Belkin power conservation crazy. First I bought a Belkin Conserve Switch. It’s essentially a power strip with a remote that lets you completely cut power to all the things that keep vampire-sucking standby power after they’ve been switched off. Examples being the surround sound processor, floor lamp, the subwoofer, the Xbox, the TV and one of my network switches.

While I was at it I purchased a Belkin Conserve Insight unit. This puppy plugs into the wall, then the device in question plugs into that. What it gives you is a really cool little display of how much power that device (or the devices plugged into it) consumes, as well as what it costs on a monthly/yearly basis. And so I’ve gone around the house trying to identify wtf is consuming over $300 in electricity. I’ve found that the Vornado heater uses between $75 and $100 per month. I also found that my computer only costs me about $20.00 a month, and that was before I configured my computer to sleep at 1am each night and come back at 7am. No need to be online at that time. I’m not running SETI@home.

On the same Belkin train, I purchased the Belkin Conserve Socket Energy-Saving Outlet. Plug it into the wall. Plug a device into it. Then set your time at a half hour, three hours or six hours. When you need to use it, press the button. So what’s the use case? I set one at 30 minutes, and into that I plugged my kitchen appliances on a power strip. When I need to use the microwave, or anything else plugged into that little nugget, it’s as simple as pushing a button and it stays on for 30 minutes, then automatically powers off. When I want to charge my cordless drill, Dremel, etc. I plug them in and let them charge for 6 hours. No need to leave them charging forever.

Finally, I bought a boatload of LED spotlight (G10) bulbs from various vendors. They consume between three and four watts per bulb. In my bathroom alone I have six lights. So, consider this: six lights in the bathroom times 35 watts per bulb is 210 watts being used. With the LED bulbs I’m now using 18 watts. That’s a MASSIVE decrease in power consumption! And I did this all through the house! They are dimmable, they use less power than the previous bulbs and lastly, they are rated to last 25 years.

I’ll get my power bill at the end of the month. Thus far I’m still scratching my head, as my Belkin Insight isn’t telling me who the big culprit is; however, I’m hoping to find the sneaky bastard sucking up all my power, and with it, banish my electric bill down to a third of its current amount.

I’ll keep you updated.

10 days of Blackhat/Defcon: Two ends of the same [exhausting] spectrum.

I can tell that I’m getting old. I know this because I felt like an old man at Defcon. I couldn’t help but feel like it’s turned into a fashion show. A tourist attraction for helpdesk employees and wannabes. Out of the maybe 100 people I spoke to, perhaps 10 of us actually know/do/understand some aspect of security. So wtf were those other 90 people? I’ll let you ponder that.

Lamest Response

I shouldn’t complain, though. I loved it. I loved every minute of it. Though I wish I was as popular as Bijoux during DefCon, it felt great to see some friends. It was great to talk tech, ponder the future of netsec, and laugh at Dan Kaminsky’s expense. (Does ANYONE know why DK was wearing a leather coat in the desert? I fear we’ll never know.)

People have often asked me what’s the difference between Blackhat and DefCon. I’ve heard others say that Blackhat is corporate and DefCon is “real”. But I’m not sure that’s true. In my own humble opinion, Blackhat and DefCon are two ends of the same spectrum.

Blackhat is organized. Each talk is on time. Each break is on time. Each class runs for exactly the amount of time set aside. It’s professional. It’s corporate, private sector, public sector security. It’s the big picture. And you pay for that. The cost is aimed at the corporate budget and is almost prohibitively expensive for the individual nerd. The fun stuff is limited to the Pwnie awards and a workshop or two.

DefCon, on the other hand, is the opposite of that. It’s young. It’s chaotic. It’s less than $200 for 2.5 days of madness. It’s up-to-2-hour lines to hear speaker talks. I can proudly say that the black t-shirt uniform was in full swing. It was heavy, heavy on the side of Caucasian males conforming to non-conformity. It was the love of security at nearly Matrix-level granular detail. This specific buffer overflow. This specific exploit. This specific vulnerability.

DefCon Beard Moustache Competition

And there’s fun at Defcon. Lock picking, Capture the flag, video games, scavenger hunts and a glorious beard/moustache competition hosted by Red Beard himself.

The vendor areas are so vastly different that they almost can’t be compared.

Blackhat vendor booths: firewalls, IDSs, security hardware/software and vulnerability assessment/pen testing services.

DefCon vendor booths: long-range wireless antennas, lock pick sets, old-school hardware, stickers and black t-shirts.

After nearly 10 days of Blackhat and DefCon I can tell you that it was a blast. I wish I’d seen/done more at DefCon. I wish I’d gone to more parties and met more people. I wish I’d kicked Moxie in the knee. Next year I’ll attempt to partake in more DefCon. More social activity. More convos with real hackers, with real netsec nerds and real digital gangsters. But in all it felt like home. Both sides of the same spectrum. Blackhat and DefCon.

Until then I’m glad it’s over, but I’m already yearning for next year.

Disaster Recovery and The Cloud: A Recipe for Success

Cloud Disaster Recovery – ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility

Cloud computing and disaster recovery are like peanut butter and chocolate: two great flavors that taste even better together. Several companies have recently entered the “Disaster Recovery in the Cloud” arena, offering data backup, business continuity and disaster recovery services for MSPs packaged together into a single suite. Before jumping on that bandwagon, let’s dig into these three topics in a bit more detail.

When businesses hear the phrase “Cloud Computing,” their initial question is (understandably) how much control they will retain. There is the fear and uncertainty of added risk, as well as the fear of losing control of their data. This is a common thought pattern, and it is completely justified.

So why move to the cloud?

The promise of cost savings derived from cloud computing is very attractive, but concrete financial returns are not always quickly achieved. Except, perhaps, when it comes to disaster recovery.

Cloud computing is, by nature, a distributed concept with some redundancy already built in. However, reduced reliance on local infrastructure and physical hardware, and the perceived risk of trusting another vendor with the continuity of your business, certainly gives some organizations pause. With due diligence and an understanding of the available feature set, though, cloud disaster recovery is a very attractive solution. The additional cost savings don’t hurt, either.

At the end of the day, cloud-based disaster recovery allows you to add important capabilities to your IT infrastructure at a reduced cost—especially when you consider your alternative options.

Companies that have balked at the cost of building out their own disaster recovery infrastructure often find the cloud more cost effective. Standing up hardware, software and network infrastructure that exists only as a “what-if” solution is expensive. Think about it: your primary and secondary gear, plus the maintenance and support of the lot, can be tough to swallow, especially considering that failover gear just sits in standby until something fails. Why pay for a room full of gear with the sole purpose of waiting for a failure?

Many companies do in fact use an outside vendor for disaster recovery, so a move to the cloud isn’t much of a change.

Here are some major points you should keep in mind when thinking about your approach to cloud disaster recovery:

1. Make sure your cloud provider offers business continuity as a core service, and that it’s part of your SLA, with the recovery time and recovery point objectives you need written into it.

2. The cloud provider should monitor its own hardware, software and any managed gear for failures. It should have multiple datacenters in multiple locations in order to quickly move data around or bring up backup and additional VMs if necessary.

3. Choose business continuity. Backup solutions are wonderful, but take it a step further with business continuity. Although they sound one and the same, the key difference is offline backups vs. online, or online-accessible at a different location. Simply flip the switch, and you’re back in business. Rehearse that switch-flip on a schedule, though: a failover that has never been exercised is a backup, not continuity.

While the key drivers for cloud computing are reduced cost and a richer feature set, restoring data in the cloud is also much quicker than other disaster-recovery scenarios, and there’s no hardware to buy. A full disaster recovery solution at a reduced cost sweetens the pot. Cloud computing and disaster recovery, much like peanut butter and chocolate, have a tasty future ahead of them, with the sweetest part coming when you see the savings on your bottom line. So, if you choose to dip your spoon into cloud security, these points can be your key ingredients for a recipe that saves your organization money and offers a safe, more secure situation with greater accessibility.

The Haj of Netsec Nerds Worldwide: Blackhat Las Vegas

I arrived yesterday, ready for Blackhat again. Since this time last year, I’ve attended Blackhat: DC, Blackhat: Abu Dhabi and Blackhat: Europe. And here I am again. Blackhat Las Vegas.

It’s bar none my favorite show of the year. This is the big show. The haj of netsec nerds worldwide. This is our Mecca. This is Blackhat/Defcon. The anticipation began to creep up a few weeks back when I came to Las Vegas for Cisco Live, which was also a great show. But it’s not like this. Cisco Live is a networking event supported by sponsors. Blackhat is about the nerds. It’s about those of us who live and breathe security. It’s about the blackhats and the whitehats. And a bit of grey in between. This is a show for nerds, by nerds.

Setup happened today for the training, which starts tomorrow. I’m excited. Tomorrow is BackTrack training and rumor has it BackTrack 5 is being released. That’s really exciting, as BackTrack is the premier pen testing distribution used worldwide by hackers and security engineers.

This may sound like a shock to you, but I’ve seldom used BackTrack. My personal style has involved online tools to mask my identity. Online tools to do hours and hours of recon to craft my attack long before the trigger is pulled. I’ve always had the impression that BackTrack was more or less a brute forcer’s dream. So, I’ve never taken the plunge. I’ve used Metasploit, and Wireshark, and a host of other recon and/or attack tools, but never once have I used a suite such as BackTrack to take a run at a network, hack hosts or take down applications. It’s such a different animal to me.

There’s a difference between hackers and penetration testers, and much of it comes down to time. A penetration tester’s job is based on an hourly rate or a salary. He can’t take 6 months to pen test a network. So generally pen testers go in, run through their checklist of ports to probe, OSes to fingerprint and SQL to inject. Or the salaried employee will try to push through the task as fast as possible to finish as fast as possible.

But the reality is… that’s not how hackers do it. When you hack, time is on your side. Time is your friend. You have lots of it. You’re not in a rush. Low and slow is the saying, and it’s never been more true than it is now.

As time goes by, I find myself saying that phrase quite a bit more lately than previously. “Low and slow.” And I can’t help but feel like it comes down to one basic thing that’s prompting that.

There are several technologies on the market today which are ridiculously expensive, and I can’t help but feel like they are nothing more than Dumbo’s feather for Security Architects and CISOs who don’t know any better. Either they give a false sense of confidence, OR people lose confidence in security altogether because of the constant stream of false positives.

Tomorrow starts the BackTrack course I’m auditing. And I’m excited to get started.

I’ll post more on how it goes, my thoughts on the tool and the teaching.