Being your own best competitor or how I learned to love the Samsung.

I wouldn’t go so far as to call myself an Apple fanboy. But to a degree it’s true. If I were to tell you my daily online activities are all via iPad, iPhone or MacBook, I’d not be telling a mistruth.

I don’t own a single Android device (short of a really, really shitty Android phone two years ago while spending nearly a month in London). But since then, nothing.

Now most Apple fanboys are arrogant about it. Elitist. Lord knows I was when it wasn’t the norm to have a Mac. Back when every Windows asshole had the generic response “oh, they [Macs] are good for graphics but that’s about it.” Spoken like a true ignorant asshole.

But today you’d think Blackhat was an Apple press release at the Moscone Center. Apple has become the norm. What was once conforming to non-conformity has become conformity. What was the underdog is now the supreme overlord. Apple runs shit.

But let’s be honest. Did anyone think the last few years of Apple devices were on the side of underwhelming?

iPad and iPhone changed shape. Wow.
Faster CPU. Great.
Thinner by millimeters and lighter by smidgens of a smudge. Fantastic.

Apple was once known for pushing the envelope constantly. Apple announcements meant new awesomeness every time. Now we just get different-shaped iPhones, iPods and iPads. Remember the first MacBook Air? The first iPhone? The reaction? It was massive! Now? Womp womp.

Steve Jobs was once quoted as saying “you have to be your own biggest competitor”. How right he was.

Apple has lost its edge. It’s short on competition. It’s dragging ass.

So I’m excited about Samsung. I’m excited about Google’s Android platform. I’m excited about all the other vendors pushing technology forward and hopefully putting pressure on Apple to once again step it up.

I don’t want to own an Android phone. I don’t want to run Windows. I don’t want anything Samsung in my ecosystem. But capitalism loves competition. And hopefully Apple will step it up.

What was the last Apple product that blew your mind?


AppleTV, you underwhelm me

Everyone who knows me knows I’m an Apple Whore. I have just about one of everything they’ve made in the last 10 years (minus that stupid boom box and the apple battery charger).

I had the old AppleTV. Which, to me, was a step forward. A movement in the right direction. A glimpse of what was to become. And that was because I had a full understanding of the iPhone. Of the potential for applications being written around the AppleTV. About how this could be a game changer.

But thus far, I’m underwhelmed.

I have two of the circa 2010 (or was it 2009?) AppleTVs. One for each TV. I use them for perusing content that’s stored out on my NAS, using the radio functionality and Netflix. Great. For 99 bucks, I’m not going to lose a kidney.
But after this week’s “update” I sit here thinking “Um. What the fuck.” Underwhelmed is an understatement. So much so I don’t actually know what word to use. What’s worse than underwhelmed?

Help me, Apple, understand WHY we are where we are with this thing.
And here’s a list of my current frustrations.

1. Why do I STILL not have a keyboard to use with this effin’ thing? Bluetooth? Wireless keyboard? This isn’t rocket science. It would save me the aggravation of having to input my user/pass with that idiotic iddy-biddy remote each time it “forgets” it.
I use alpha/numeric/special-char passwords that are no less than 14 chars long. It’s a 20 minute process to input all that crap. wtf. For fuck’s sake, at least give me T9!

2. Since we’re on the topic of a human interface device, WHY can’t I just use the keyboard on my iPad/iPhone to input data into the AppleTV? That doesn’t make sense? We can push content to it, but we can’t use it to enter data easier? Do you think I like searching for movies, etc using a single button remote circa 1998? This is idiotic. Sure, the iPhone Remote app gives me some of that, but fuck me, it leaves a LOT to be desired!

3. Since we’re on the topic of inputting information INTO this thing, help me understand WHY I can’t search my content. I have nearly a thousand movies. And on this interface I can’t just input a couple letters? Instead it’s scroll scroll scroll scroll…

4. The update gave us a new GUI. But what’s the benefit. How is this the killer app if I can’t add any apps? Apple, you tards, you own the fucking ecosystem. Help me understand why I can’t put apps on my AppleTV! I mean, wtf, even my Samsung TV has apps! It might be the worst user interface on earth but they at least have apps! Help me help myself!

Apple, I’m really hoping you are going somewhere with this. Thus far, I’m completely underwhelmed.

Me electric bill is “teh suck”

I was ripping up my floor when it happened. I, for one reason or another, bent down at the now bare concrete wall, pulled the pile of wood pieces from the previous flooring and reached under the drywall, the edge of which was now exposed.

I was shocked.

There was nothing there. Not a stitch of insulation. Just drywall glued to cinder block. Not even a frame. Nothing. I almost choked. “What kind of low-rent building did I buy into?!?” And that’s what started this project.

First step: rip the drywall out, fill the HOLES in the cinder block (let’s put it this way, I could see sunlight coming through the wall), frame everything, then spray-foam the hell out of it. That was a very quick way to burn through a grand in materials, but it cut a third off my electric bill from last year, when my biggest bill was $1,200. I shit you not. For a one-bedroom apartment. But I still don’t understand WHY it was still sitting at $300 a month for a one-bedroom apartment of which, btw, I only use one room.

This building has HVAC units. If you’ve ever had the displeasure of owning one, you’ll know what I’m talking about. Essentially HVAC stands for “Heater/Ventilation/Air Conditioner”, an acronym that describes exactly the things it’s really, really shitty at. For heat, these things are essentially a heater coil and a fan that blows hot air up at the ceiling. Very useful when you want to heat the air over your head. They don’t come with thermostats, so if you want to adjust the temperature, you turn the knob. More blue or more red. Not “71 degrees Fahrenheit”. And the way they work IN the apartment is basically that there’s a giant hole cut in the side of the building directly into your apartment, where they push these things in with a really shoddy seal.

Even better.

So, back to being green.

I stopped using my HVAC units. All three. And I sealed the hole between the exterior of the building and the HVAC by putting in fiberboard insulation, then adding pink insulation all around the HVAC, then stuffing it tight by any means necessary. As a replacement, I bought a Vornado heater/fan unit. This thing is neat. It’s sort of a space heater, looks like a fan, doesn’t get hot to the touch and has this phenomenal futuristic technology called a “thermostat”, which, unlike the HVAC, doesn’t require you to dial “more red or more blue”.

This thermostat technology is going to be HUGE! You can actually just set this thing at a temperature… say… 71 degrees Fahrenheit, and it’ll maintain that room temperature. It’s saved me hundreds this winter. Fantastic.

But my electric bill was STILL 300 bucks.

Damn it!

So I took this green tech thing even more seriously. I went Belkin power-conservation crazy. First I bought a Belkin Conserve Switch. It’s essentially a power strip with a remote that lets you completely power off all the things that are vampire-sucking power while “off”. Examples being the surround sound processor, floor lamp, the subwoofer, the Xbox, the TV and one of my switches.

While I was at it I purchased a Belkin Conserve Insight unit. This puppy plugs into the wall, then the device in question plugs into that. And what it gives you is this really cool little display of how much power that device (or devices) plugged into it consumes, as well as what it costs on a monthly/yearly basis. And so I’ve gone around the house trying to identify wtf is consuming over $300 in electricity. I’ve found that the Vornado heater uses between $75 and $100 per month. I also found that my computer only costs me about $20 a month, and that was before I configured my computer to sleep at 1am each night and come back at 7am. No need to be online at that time. I’m not running SETI@home.

On the same Belkin train, I purchased the Belkin Conserve Socket Energy-Saving Outlet. Plug it into the wall. Plug a device into it. Then set your time at a half hour, three hours or six hours. When you need to use it, press the button. So what’s the use case? I set one at 30 minutes, and into that I plugged my kitchen appliances on a power strip. When I need to use the microwave, or anything else plugged into that little nugget, it’s as simple as pushing a button; it stays on for 30 minutes, then automatically powers off. When I want to charge my cordless drill, Dremel, etc., I plug them in and let them charge for 6 hours. No need to leave them charging forever.

Finally, I bought a boatload of LED spotlight (G10) bulbs from various vendors. They consume between three and four watts per bulb. In my bathroom alone I have six lights. So, consider this: six lights in the bathroom times 35 watts per bulb is 210 watts being used. With the LED bulbs I’m now using 18 watts. That’s a MASSIVE decrease in power consumption! And I did this all through the house! They are dimmable, they use less power than the previous bulbs and, lastly, they last 25 years.

I’ll get my power bill at the end of the month. Thus far I’m still scratching my head, as my Belkin Insight isn’t telling me who the big culprit is; however, I’m hoping to find the sneaky bastard sucking up all my power and, with it, banish my electric bill down to a third of its current amount.

I’ll keep you updated.

10 days of Blackhat/Defcon: Two ends of the same [exhausting] spectrum.

I can tell that I’m getting old. I know this because I felt like an old man at Defcon. I couldn’t help but feel like it’s turned into a fashion show. A tourist attraction for helpdesk employees and wannabes. Out of the maybe 100 people I spoke to, perhaps 10 of us actually know/do/understand some aspect of security. So wtf were those other 90 people? I’ll let you ponder that.

Lamest Response

I shouldn’t complain, though. I loved it. I loved every minute of it. Though I wish I was as popular as Bijoux during DefCon, it felt great to see some friends. It was great to talk tech, ponder the future of netsec, and laugh at Dan Kaminsky’s expense. (Does ANYONE know why DK was wearing a leather coat in the desert? I fear we’ll never know.)

People have often asked me what’s the difference between Blackhat and DefCon. I’ve heard others say that Blackhat is corporate and DefCon is “real”. But I’m not sure that’s true. In my own humble opinion, Blackhat and DefCon are two ends of the same spectrum.

Blackhat is organized. Each talk is on time. Each break is on time. Each class runs for exactly the amount of time set aside. It’s professional. It’s corporate, private sector, public sector security. It’s the big picture. And you pay for that. The cost is aimed at the corporate budget and is almost prohibitively expensive for the individual nerd. The fun stuff is limited to the Pwnie awards and a workshop or two.

DefCon, on the other hand, is the opposite of that. It’s young. It’s chaotic. It’s less than 200 bucks for 2.5 days of madness. It’s up-to-two-hour lines to hear speaker talks. I can proudly say that the black t-shirt uniform was in full swing. It was heavy, heavy on the side of Caucasian males conforming to non-conformity. It was the love of security at nearly Matrix-level granular detail. This specific buffer overflow. This specific exploit. This specific vulnerability.

DefCon Beard Moustache Competition

And there’s fun at Defcon. Lock picking, Capture the flag, video games, scavenger hunts and a glorious beard/moustache competition hosted by Red Beard himself.

The vendor areas are so vastly different that they almost can’t be compared.

Blackhat vendor booths: Firewalls, IDS’s, Security hardware/software and vulnerability assessment/pen testing services.

DefCon vendor booths: Long range wireless antennas, lock pick sets, old school hardware, stickers and black t-shirts.

After nearly 10 days of Blackhat and DefCon I can tell you that it was a blast. I wish I’d seen/done more at DefCon. I wish I’d gone to more parties and met more people. I wish I’d kicked Moxie in the knee. Next year I’ll attempt to partake in more of DefCon. More social activity. More convos with real hackers, with real netsec nerds and real digital gangsters. But all in all it felt like home. Both sides of the same spectrum. Blackhat and DefCon.

Until then I’m glad it’s over, but I’m already yearning for next year.

Disaster Recovery and The Cloud: A Recipe for Success

Cloud Disaster Recovery – ingredients for a Recipe that Saves Money and Offers a Safe, More Secure Situation with Greater Accessibility

Cloud computing and disaster recovery are like peanut butter and chocolate: two great flavors that taste even better together. Several companies have recently entered the “Disaster Recovery in the Cloud” arena, packaging data backup, business continuity and disaster recovery services for MSPs into a single suite. Before jumping on that bandwagon, let’s look at these three topics in a bit more detail.

When businesses hear the phrase “Cloud Computing,” their first question is (understandably) how much control they will retain. There is the fear and uncertainty of added risk, as well as the fear of losing control of their data. This is a common thought pattern, and it is completely justified.

So why move to the cloud?

The promise of cost savings derived from cloud computing is very attractive, but concrete financial returns are not always quickly achieved. Except, perhaps, when it comes to disaster recovery.

Cloud computing is by nature distributed, with some redundancy already built in. However, the reduced reliance on local infrastructure and physical hardware, and the perceived risk of trusting another vendor with the continuity of your business, certainly give some organizations pause. With due diligence and an understanding of the available feature set, though, cloud disaster recovery is a very attractive solution. The additional cost savings don’t hurt, either.

At the end of the day, cloud-based disaster recovery allows you to add important capabilities to your IT infrastructure at a reduced cost—especially when you consider your alternative options.

Companies that have balked at the cost of building out their own disaster recovery infrastructure often find the cloud more cost effective. Buying hardware, software and network infrastructure to serve as a “what-if” solution is expensive. Think about it: primary and secondary gear, plus the maintenance and support of the lot, can be tough to swallow, especially considering that failover gear just sits in standby until something fails. Why pay for a room full of gear whose sole purpose is waiting for a failure?

Many companies do in fact use an outside vendor for disaster recovery, so a move to the cloud isn’t much of a change.

Here are some major points you should keep in mind when thinking about your approach to cloud disaster recovery:

1. Make sure your cloud provider offers business continuity as a core service, and that it’s written into your SLA.

2. The cloud provider should know its own hardware, software and managed gear well enough to handle failures. It should have multiple datacenters in multiple locations so it can quickly move data around or bring up backup and additional VMs if necessary.

3. Choose business continuity. Backup solutions are wonderful, but take it a step further with business continuity. Although the two sound one and the same, the key difference is offline backups versus online copies that are accessible from a different location. Simply flip the switch, and you’re back in business. Flip it in a scheduled test, too, before you need it for real; a failover that has never been exercised is a guess, not a plan.

While the key drivers for cloud computing are reduced cost and a richer feature set, restoring data from the cloud is also typically quicker than other disaster-recovery scenarios, and there’s no hardware to buy. A full disaster recovery solution at a reduced cost sweetens the pot. Cloud computing and disaster recovery, much like peanut butter and chocolate, have a tasty future ahead of them, with the sweetest part coming when you see the savings on your bottom line. So, if you choose to dip your spoon into cloud disaster recovery, these points can be your key ingredients for a recipe that saves your organization money and offers a safer, more secure situation with greater accessibility.

The Haj of Netsec Nerds Worldwide: Blackhat Las Vegas

I arrived yesterday, ready for Blackhat again. Since this time last year, I’ve attended Blackhat: DC, Blackhat: Abu Dhabi and Blackhat: Europe. And here I am again. Blackhat Las Vegas.

It’s bar none my favorite show of the year. This is the big show. The haj of netsec nerds worldwide. This is our mecca. This is Blackhat/Defcon. The anticipation began to creep up a few weeks back when I came to Las Vegas for Cisco Live, which, too, was a great show. But it’s not like this. Cisco Live is a networking event supported by sponsors. Blackhat is about the nerds. It’s about us who live and breathe security. It’s about the blackhats and the whitehats. And a bit of grey in between. This is a show for nerds by nerds.

Setup happened today for the training, which starts tomorrow. I’m excited. Tomorrow is BackTrack training and rumor has it BackTrack 5 is being released. That’s really exciting, as BackTrack is the premier pen testing tool used by hackers and security engineers worldwide.

This may sound like a shock to you, but I’ve seldom used BackTrack. My personal style has involved online tools to mask my identity. Online tools to do hours and hours of recon to craft my attack long before the trigger is pulled. I’ve always had the impression that BackTrack was more or less a brute-forcer’s dream. So, I’ve never taken the plunge. I’ve used Metasploit, Wireshark and a host of other recon and/or attack tools, but never once have I used a suite such as BackTrack to take a run at a network, hack hosts or take down applications. It’s such a different animal to me.

There’s a difference between hackers and penetration testers. Much of it comes down to time. A penetration tester’s job is based on an hourly rate or a salary, and he can’t take six months to pen test a network. So generally pen testers go in and run through their checklist of ports to probe, OSes to fingerprint and SQL to inject. Or the salaried employee pushes through the task as fast as possible just to finish.

But the reality is… that’s not how hackers do it. When you hack… time is on your side. Time is your friend. You have lots of it. You’re not in a rush. Low and slow is the saying, and it’s never been more true than it is now.

As time goes by, I find myself saying that phrase quite a bit more than I used to. “Low and slow.” And I can’t help but feel like it comes down to one basic thing that’s prompting that.

There are several technologies on the market today which are ridiculously expensive, and I can’t help but feel like they are nothing more than Dumbo’s feather for security architects and CISOs who don’t know any better. It gives them a false sense of confidence, OR they lose all confidence in security due to the constant stream of false positives.

Tomorrow starts the BackTrack course I’m auditing. And I’m excited to get started.

I’ll post more on how it goes, my thoughts on the tool and the teaching.

Bose Quietcomfort 15 headphones: Noise canceling like wow.

If I were to sit down and go through some boxes to figure out how many pairs of headphones I have in the house, I’d probably come up with five or ten pairs. Maybe closer to 15. I don’t know. I just know that I’ve tried everything from Sony to Shure to Apple to Bang & Olufsen. But as of this moment, I’ve found the holy grail of headphones.
The Bose Quietcomfort 15.

Oh. my. god. There’s no way on earth to make the entire earth disappear in one flip of a switch. HVAC? Gone. Road noise? Gone. Dryer? Gone. Dishwasher? Gone. Annoying neighbor talking to you? Well, they’re not gone, but at least you hear them less.

If I were to recommend a pair of headphones… THESE would be the ones.
I have a pair of Sony noise canceling? Bose shits on those headphones.
I have a pair of Bang & Olufsen headphones? They are fancy, but sound like crap.
I even have a pair of Bose “passive noise canceling” headphones. What a joke. It just cups your ear.

These Bose headphones are so serious that when you flip the switch it feels like someone has dunked you into a deprivation chamber. Your ears feel pressure. Your mind thinks you’re at high altitude. But you’re not. You’re in your own world, free to enjoy your time in isolation with music, a good book and/or a life without the neighbor. At least a little bit.

The new iPod Nano: Oh, you sexy little beast.

The hot shit from the year 2000 - 32 megs. bam!

My first MP3 player, back in 2000, was a Casio G-Shock. It was ahead of its time. 32 megs. It was slick. It almost held an entire CD. Back then people said “WTF is an MP3?”. It came in the form factor of a watch. It sat giant on my wrist, the headphone cord running up my shirt to my ears.

Fast forward 7 years.

Commuting from San Francisco to San Jose on my motorcycle, I had a faithful little nugget called the iPod Nano. It clipped to my belt and gave me 1 GB of music all the way to work. Fantastic battery life. Just set the playlist and off I went.

Fast forward to now. The new iPod Nano. Color screen. Radio. Pedometer. And 16 gigs of music. What a wicked little machine.

Though it’s impossible to change music on the actual device wearing motorcycle gloves. Perhaps with the headphones with the button I can. But blasting down the highway may prove to be a challenge. It’s loud if you want it to be, but it’s clear. Crisp highs. Solid lows. It’s amazing audio in a very, very small form factor.

In the 6th generation of the iPod Nano, Apple has really put something together that is fantastic.

There are a ton of accessories available for the Nano, including something that hits close to home. A bit of nostalgia. It’s a watch band that will make the Nano into a watch… much like that first MP3 player I had. The G-Shock, but better.

In 11 years we’ve gone from 32 megabytes of music in a watch to 16,384 megabytes.

Where will we go next?

Evaluating Cloud Solutions – What Type of Cloud is Right for Me?

Evaluating Cloud Computing Solutions – Public vs. Private Clouds? Hybrid Clouds? Which is Right for Your Business?

The ideas behind the “Cloud” as it relates to computing go back at least to Douglas Parkhill’s 1966 book The Challenge of the Computer Utility. Parkhill explained his conception of a “Private Computer Utility.” He compared computing with the electricity industry and its extensive use of hybrid supply models. When the electricity grid was built, private on-site generators were quickly cycled out. No longer did local businesses have to build, buy and maintain the hardware to generate electricity, which was expensive both in hardware and in people. While it did carry some risk, electricity as a utility made sense in terms of finance and risk management.

In the world of cloud computing there are three types of “clouds”: public clouds, private clouds and hybrid clouds. Depending on what type of service or data you’re dealing with, you’ll want to compare what private, public and hybrid can offer. In most cases, the most important variable is the degree of security and management the hardware or application requires.

While we as an industry like to think that cloud computing is new, it’s not. The concept is more than forty years old.

With that said, it’s time to figure out which cloud architecture is right for you.

Private Cloud

A private cloud is one in which the services and infrastructure are maintained on a private network, generally a local datacenter within an organization. These clouds offer the greatest level of security and control, but they still require the company to purchase and maintain all the software and infrastructure, which can significantly reduce the cost savings. A private cloud is the obvious choice when:

·   Data is your business, so security and control are paramount on your list of requirements.

·   Your company is large enough to run a hyper-scalable cloud datacenter efficiently and effectively on its own. This generally implies large enterprises.

·   Your business is bound by strict security and data-privacy requirements as well as compliance mandates like PCI DSS and SOX.

Some vendors use the term “Private Cloud” to describe products and services that are merely “cloud-like”, or that their marketecture describes as the ability to “emulate cloud computing on private networks.” These products are often virtualized solutions that can host applications and virtual machines in a company datacenter. Frankly, I see little value in “Private Clouds” of this kind, as they’re more focused on virtualization than on cloud computing.

Don’t get me wrong, I think virtualization has its place as well. It’s certainly used in cloud computing, but virtualization alone is not what makes cloud computing what it is. Virtual technologies are valuable to businesses but often tend to obscure the full capabilities of cloud computing. The term “private cloud” borders on deceptive advertising; it fails to deliver on the potential of cloud computing, and those who use it are hanging onto the coattails of the cloud.

Depending on your industry, though, private clouds do offer some benefits, including shared hardware costs, quick recovery from failure and scaling up or down depending on demand. And that’s fantastic. But the organization still has to buy, build, support and manage the infrastructure. This solution doesn’t avoid the up-front capital costs, and it lacks the economic model that makes cloud computing so compelling in the first place.

Public Cloud

A public cloud is one in which the services and infrastructure are provided off-site over the internet. At its essence, “Cloud Computing” refers to the public cloud. These clouds offer the greatest efficiency in shared resources as well as in cutting spending. However, they also carry more risk than private clouds, since the infrastructure is shared with other tenants and the controls are the provider’s, not yours. A public cloud is the obvious choice when:

·   You need incremental capacity, or the ability to add compute capacity for peak times. When the proverbial crap hits the fan, you’ll have capacity available to handle it, and when you’re not at peak those resources can be used by other VMs for their own tasks.

·   Your standardized tools and applications are used by many employees. Examples include e-mail, contact management systems or a company intranet site.

·   You need a sandbox to develop applications across geographic locations. Development and testing are a great use case for Cloud, especially when collaboration is needed.

·   You have a SaaS (Software as a Service) application offered by a vendor who takes a hard-line approach to security.

As a computing concept, the public cloud offers cheap, commoditized computing resources whose benefits (no capex, access to resources from anywhere at any time, minimal support costs and staff for maintaining the resource, shared overall costs and no peak-load concerns) outweigh those of in-house resources with limited added value.

But the main concerns with public clouds are security and reliability. Make sure your security and compliance/governance strategies are well planned, as short-term cost savings can become a long-term nightmare.

Hybrid Cloud

A hybrid cloud offers a variety of public and private options with multiple providers. By using a hybrid approach, you’re able to spread things out over a number of providers to keep each aspect of your business in the most efficient possible environment. The major downside is having to keep track of multiple security platforms and make sure all parts of your business can communicate with each other. So, if the following situations describe your environment, the hybrid cloud may be the best option for you:

·   Your company uses a SaaS application but has security concerns. Private clouds are often paired with VPNs (Virtual Private Networks) for additional security.

·   When your market spans multiple verticals, you may want to use public clouds for client interaction while keeping clients’ sensitive data in a private cloud. This is an optimal use case for hybrid clouds.

When managing private, public and traditional datacenter models all at the same time, management can become complex. Maintaining a tool that will federate these separate pieces for the sake of SLAs and troubleshooting becomes the challenge.

Most of what people are calling “private clouds” share a number of qualities with public clouds and can thus be classed as a “hybrid cloud” architecture. Most large enterprises will be looking to run a hybrid architecture for several years to come (though many early adopters have already taken the plunge). Different organizations are testing the waters in different clouds for different reasons.

In summary, public, private and hybrid cloud environments can all be viable solutions depending on your use case. Public clouds offer the greatest cost savings, but the least security and control. Private clouds offer just the opposite, with costs being much higher due to hardware/software and maintenance costs; however, security and control are supreme. Hybrid is the best of both worlds, but can often be very complex to manage.

Take a step back, identify your use cases and requirements and then take the plunge. Cloud is not just the future. It’s today.