
Category Archives: Ponderings

Well we all saw this coming. A lot of us saw this coming weeks ago. And because the NFC West was so dreadful, the 9ers still had a shot at the playoffs even if they were 5-9. Too bad, Singletary should have been gone weeks ago. It’s a shame really. When he took over, he seemed to light a fire under the team. It took some time but they had a spirited finish. Like in 2006, it was a mirage. Last year there was modest improvement to 8-8. Again, just a mirage.

I REALLY, really wanted to keep an open mind about Alex Smith. And who knows if he might have been successful if he’d had talent around him when he first started out and the same coaches each season instead of the coaching carousel he endured. But the team this season seemed to always be out of control, no discipline to them. The offense sputtered. Even when it looked like it was pulling together Smith would throw an interception or fumble or miss a receiver. Some people think the 9ers should have drafted Aaron Rodgers now. The 9ers did Rodgers a huge favor by not drafting him over Smith. Rodgers would likely now be the dud, instead of being the Packers’ QB of the future. So now Smith, like Singletary, will be gone too.

Yesterday’s game was a microcosm of how this season went horribly wrong. Missed passes, costly turnovers, defensive and special teams lapses. But what was telling was Singletary’s yanking Troy Smith late in the game. Even Montana would have been hard pressed to pull that game out with only 8 minutes left. That was a bizarre move. If Singletary felt Troy Smith wasn’t doing it, he should have put Alex Smith in much sooner or not replaced Troy at all. To me, that screamed desperation. Of course Smith seems to play best when his team is behind. Or should I say WAY behind. He brought the team back vs New Orleans, only to have the defense allow the Saints downfield and kick the winning field goal. There were countless times this season we all saw stuff like this happen.

Hopefully Singletary goes back to being an assistant somewhere, learns how to actually employ offense and gets another job as a head coach somewhere. Hopefully he learns from his mistakes here and is successful. Just like I wish the best for Alex Smith somewhere else. Although he is doomed I feel to be a backup elsewhere.

So once again the 49ers need a new coach (and quarterback). I’m not confident things will get better any time soon.

Thank goodness for the Giants this season. At least they provided the Bay Area with some joy. I’ll post about them soon.

Yesterday morning, I drove over to Palo Alto to check out the OWASP Bay Area Summit. They do these once a quarter and unfortunately I missed the last two. I got there late due to traffic on the freeway (I forgot about the Murphy’s law corollary that when you’re running late you always hit extra traffic) and arrived an hour late. No matter because the summit was running half an hour late. So I saw some of the first program about “Drive by downloads.” This has become a real issue in security.

You’re told “DON’T click on funny looking links!” Well, some still do and then deal with the consequences. Heh I’ve been tempted to do it, just to see what happens, but then again I don’t have the time or energy to reformat my hard drive! 🙂 Others have wised up, but so have the malware authors. You can click on what appears to be a legit site and download bad stuff. Well doh. Gotta hand it to the malware authors. They’re a creative bunch. Fascinating talk, at least what I saw of it. Since I was late, I thought I was two programs ahead and realized hours later that I had seen some of this talk. Hopefully, I can catch up on what I missed when the PDF presentation is posted to the OWASP site.

The woman sitting next to me commented on how it seemed the summit was not very well run. This was my first one, so I don’t know if the glitches we encountered were a one-time thing or not. I consider myself lucky that it did run late but it does bother me the programs ran later than they were scheduled to. OWASP has a kind of “open source” feel to it, but that doesn’t mean the summits should be run the same way.

But enough rants. I saw a couple of entertaining programs, including one called Cloudy with a Chance of Hack. The speaker used humor to make some of his points. Not that anyone needs to be Chris Rock to keep people awake, but it was much easier for me to absorb the information after a little laughter. Some of his points were unintentionally funny. Near the end of his presentation, he unveiled his five myths of security, including “Oh we test our web software once a year!” What’s truly scary was the person sitting next to me saying, “Some companies don’t even do it that often!” Yikes.

I ran into one of my classmates from CCSF security classes during the day. We both were surprised our instructor wasn’t there. I told him he had attended COT a couple days before and expected to see him at this event. No matter. When I see him I can tell he missed a fun time.

They provided a nice choice of food for lunch. Lots of different sandwiches and salads, along with beverages. After lunch, I settled in for a talk about Application Tradeoffs. Except that the speaker for some reason just didn’t grab my attention. He obviously knew the topic but his presentation lacked some kind of spark. Also, he didn’t have any screen slides for about the first fifteen minutes of his talk. I found it difficult to pay attention. I left when I thought I heard him say something to the effect that in security, you should “keep the good guys in and the bad guys out.” I clearly missed something there because I kind of thought that was the idea of security in the first place!

Granted OWASP does these summits free of charge to attendees and the old adage “you get what you pay for” holds true. You take the good presentations with the ones that aren’t quite as good. And the program speakers donate their time to come and talk with the rest of us, which is a very good thing. I’m told OWASP does these every quarter, and I plan on attending the “fall OWASP summit.”

Been a busy and interesting week. I got to attend two quality info sec conferences and a Giants’ game on Wednesday where I talked about info sec and web design with the guy I went with, a former neighbor and part time web designer. Too bad the Giants lost, but you can’t have everything. Have a great weekend everybody.

I attended this conference yesterday (called COT for short) and had a fun time. It’s always good to mingle with other security professionals, find out something about what’s going on in the field and try to see if I can get past vendors’ buzzwords and see if anything they’re saying actually makes sense. In fact, I ran into one of my instructors at CCSF, where he commented about the same thing. I think he commented about how vendors sell you security solutions that tend not to work, then a year or two later try to sell you more stuff that likely won’t work. But as I’ve said before, it’s always fun to get promotional swag which I did. Even if I’m going to have to clear out one of my dresser drawers and give away some promo shirts I have that I never wear!

I attended three programs. I missed most of the keynote speakers. Either I was trying to familiarize myself with the surroundings since I was a volunteer liaison for an afternoon program or just schmoozing with vendors or other security folk. I attended a Networking program early on which was quite good. Even if the speaker’s jokes at times were forced, he made some great points. Especially about “giving something of value” to those you talk with. Another program attendee commented on those who talk with you for 30 seconds, then move on and leave you with nothing. No one likes them.

There was a panel discussion about revising your security strategy. Security managers from Adobe, Juniper and NASA spoke about the fact that the “bad guys” have infiltrated companies’ systems, so what can be done to make sure once they’re in, they’re unable to transmit info back to their own systems, “phone home” as it were. One attendee commented that we all need to coordinate better intelligence efforts so we get a better idea of who the “enemy” really is.

The last program was about malware and fraud. The speakers made an interesting point about how malware is like open source software. It’s created, folk add to it to make it better. Hey, just like Open Source! Quite a concept… Open Source malware… but sometimes that’s what it really is.

I had a lot of fun yesterday. I was looking at the Twitter account of one of the organizers this morning. He called COT the “best SecConf you can attend.” While my preference is BSides (amazing what I learned there), he’s not too far off in his description of COT. I’m looking forward to next year’s conference.

On Thursday, I’m heading to OWASP’s meetup which looks to have some interesting program topics of its own.

It seems like once every three months or so Facebook finds itself embroiled in another privacy controversy. The latest one is their Instant Personalization thingie (or at least whatever it’s being called). This started when FB users discovered when they went to other sites like CNN that CNN already knew who they were or who their friends were and what stories CNN thought they’d like to see.

Since this person didn’t know they’d already “opted in” to this FB service (apparently FB didn’t feel the need to let users know they were doing this), they were understandably not happy. FB did the usual spin control on it by saying they would meet about it and once again work to ensure users were satisfied with the amount of privacy they had on their accounts. OK, I’m paraphrasing here of course but essentially they were saying “yeah sure we’ll work on this.”

Funny thing about FB. They keep changing their privacy settings and I try to keep changing mine too, but they seem intent on making the process as difficult as they can.

Yesterday I found out about this site: http://www.reclaimprivacy.org/ . It has a button you can add to your browser toolbar that scans your privacy settings when you log into Facebook. So I installed it, logged into FB and ran the scanner. I didn’t do so bad… 4 out of 6 settings they ran were fine. The other two were not so good and when I tried to fix them, I had to wade through two or three levels to change the setting.

I can’t speak for anyone else but I find it interesting FB chose to bury these important settings two or three levels down. I felt like they were trying to make it difficult for the average user to change them. So it appears that not only is FB not informing users of privacy changes they make, but also they appear to make it difficult for all but the more savvy users to change them. Hmmmmm.

Facebook keeps getting bad press about their privacy issues and they don’t seem to really care. Are they that clueless or are they only interested in selling your private information to the highest bidder?

Inquiring minds not only want to know, they need to know.

Yeah yeah, every blogger in creation had a field day with this story, about how McAfee AV flagged an innocent ol’ Windows file as malware, causing computers everywhere to suddenly reboot over and over and over. Imagine how annoying that would be to a PC user. Imagine what a disaster it must have been at countless businesses that depend on McAfee AV to keep their puters safe from malware.

No one expected of course that McAfee would be the one to bring all of their computers to their knees instead of some evil software.

One problem with AV of course is that it is reactive instead of proactive. Wouldn’t that be nice..AV that anticipates what future malware will be like. It’s fantasy of course.

Wouldn’t it be nice if AV would actually FIND malware instead of marking a non-malicious program AS malware. I spoke of this before. One AV program I tried installing found 240 instances of malware on my system. Somehow I realized if I really had that much bad stuff on my machine it wouldn’t run. At all. Or the AV that marked two of my previously presumed innocent programs as malware. Somewhere the malware creators are probably smirking. They couldn’t have planned this any better. An AV update brought computers everywhere to their knees. And tomorrow help desks across the US and the world will continue to be silently cursing the company called McAfee.

It will be interesting to see what spin McAfee puts on what happened today.

I’ve often wondered how effective changing your password every six months was. Apparently it isn’t. There was an article online I saw last week that studied the effectiveness of this policy and discovered it didn’t really work. Go figure huh? I mean nowadays passwords of any kind can be figured out pretty quickly. The best defense I suppose is to make passwords long and cumbersome. If you do that, you’ll make the break-in more difficult for someone. You’ve also made it much more difficult for you to remember that cumbersome password. Your mileage may of course vary.

On that same topic, I recently came across the security blog called CodetoCoffee.org. One post mentioned how certain non-alphanumeric characters still weren’t allowed to be used in creating passwords. Ones like single or double quotes or backslashes. My question is why the hell not? Seems like if you can’t use non-alphanumeric characters what are you supposed to use? I know, it doesn’t matter if someone really wants in. But isn’t it best to be able to use every line of defense? Or am I just pissing in the wind?
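The characters that post complains about being banned (quotes, backslashes) are only a problem for a site that splices the raw password into a SQL statement or a shell command. As an added example (not code from this blog or from CodetoCoffee.org), here is a Python registration/login path that accepts any printable character: it checks only length, hashes with salted PBKDF2-HMAC-SHA256, and talks to the database with parameterised queries, so there is never anything to escape. The length limits, iteration count and storage format are values chosen for the example, not anything the post specifies.

```python
"""Password handling that does not need a banned-character list.

Added example: validate length only, hash with a salted KDF, and use
parameterised SQL so quotes and backslashes never reach an interpreter.
The policy constants below are assumptions for this example.
"""
import hashlib
import hmac
import os
import sqlite3

MIN_LEN, MAX_LEN = 12, 128     # assumed policy: long passwords, no character ban
ITERATIONS = 200_000           # PBKDF2 work factor; tune for your hardware


def validate_password(pw: str) -> str:
    """Reject only on length or control characters; the character set is open."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        raise ValueError(f"password must be {MIN_LEN}-{MAX_LEN} characters")
    if not pw.isprintable():
        raise ValueError("password contains control characters")
    return pw


def hash_password(pw: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.

    The KDF consumes bytes, so a quote or backslash is just more entropy;
    there is no escaping step anywhere in this path.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # constant-time compare so timing reveals nothing about the stored digest
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def open_user_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    return db


def register(db: sqlite3.Connection, username: str, pw: str) -> None:
    pw_hash = hash_password(validate_password(pw))
    # bound parameters: the driver never splices the value into the SQL text
    db.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)", (username, pw_hash))


def login(db: sqlite3.Connection, username: str, pw: str) -> bool:
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        hash_password(pw)  # burn a hash so an unknown user is not faster to probe
        return False
    return verify_password(pw, row[0])


if __name__ == "__main__":
    db = open_user_db()
    # constructed sample password: exactly the characters the post says some sites reject
    awkward = "it's a \"quoted\" \\backslash\\ pass; DROP TABLE users;--"
    register(db, "alice", awkward)
    print(login(db, "alice", awkward))        # True
    print(login(db, "alice", awkward + "x"))  # False
```

The point of the sample password is that the text `DROP TABLE users;--` is stored and checked like any other string; if a site has to forbid those characters, that is a sign the password is being handled as text somewhere it should not be, and a character ban is treating the symptom rather than the injection.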

A year ago, the Washington Nationals baseball team had the misfortune to get uniforms that were spelled “Natinals.” It seems the company that makes major league team uniforms didn’t learn anything from that debacle. Yesterday, one of my beloved SF Giants’ players sported a uniform that said “San Francicso” instead of San Francisco. Ummmm, do the workers need magnifying glasses? Or are they doing this just to see if anyone notices? Inquiring minds want to know. 🙂

Last night I attended the Pacific IT Pros monthly meeting. I chatted with one guy who commented that the Titanic and Business Continuity Planning (i.e. Disaster Planning) had a good deal in common. Interesting concept… you take one of the biggest cruise ship disasters in history and compare it to something all businesses should do. He told me a few things I never knew about that disaster… ranging from inadequate testing (thanks to the outdated rules in effect at the time) to gross miscommunication (i.e. ignoring an iceberg warning because the warning apparently didn’t apply to the Titanic) to striking the iceberg itself. And apparently the iceberg didn’t even really gash the Titanic all that much. But it clearly was enough!

He also pointed out that enough things had to happen in order for this disaster to occur. But it was the combination of poor design, bad communication, poor safety guidelines in addition to hitting the iceberg that did in the Titanic. Is there a moral? I’m not really sure. I would assume (but we all know what happens when we assume right?) that having good plans in place will not prevent a tragedy from occurring but will likely greatly lessen the impact of it.

I read a few computer security blogs. One is Uncommon Sense Security which is written by “security curmudgeon” Jack Daniel. He looks like one of the guys from ZZ Top. I got to chat briefly with him at BSides a month ago where he told me San Francisco & Reykjavik, Iceland were his favorite cities. His latest blog talks about what not to do at a trade show (i.e. wearing your badge all over town, especially if you’re in a strange city). It’s the same as saying, “Hi I’m a tourist and I’m just waiting for you to roll me.” I hadn’t thought about that, but it makes perfect sense. Trade shows are good for networking, schmoozing with vendors for free swag and maybe even learning a thing or two while you’re there. It’s also a time for big parties at night. Hey, you’re out of the office and you can party like it’s 1999 (except of course it’s 2010 but I digress) at night. Too many people figure “ah nothing bad will happen to me.” Uh yeah right. You just keep thinking that way and sure enough something bad will happen. Amazing how often we leave common sense at the door when we need to be careful. I’m reminded of visiting NYC in the mid 90s for 12 days. Before I left, friends regaled me with tales of horror about the “roving gangs that robbed tourists” and “brutal heat & humidity.”

Yeah, it got hot and muggy while I was there (this was in August), but it was not intolerable. It didn’t feel too different from what I encountered every once in a while here in the Bay Area. I also tried to act like I had a clue walking around Manhattan. I dressed like a slob too. And then I realized likely half the people there were ALSO tourists and also had no clue. When I realized that, I relaxed a bit. I had a great time, met some cool folk and saw virtually all of the NYC landmarks. All because I used a bit of common sense. I still employ that in downtown SF sometimes.

Another blog I read is called Securosis. The author did a piece a couple months back about the amount of personal information Google can get on you via all their various apps. I’m sure a lot of you (myself included) think GMail, Google Docs, Google Calendar, Google Maps and all the other Google apps totally rock right? And they do when you need to check email, collaborate online on a document, need to check your schedule and/or get directions to the venue where the Red Hot Chili Peppers are playing.

You may think “Gosh those Google folk are swell, they provide these really cool apps that are easy to learn and use.” What is not so cool is the possibility (and I want to be VERY clear about this..the POSSIBILITY..NOT reality) that Google is using this info for less than positive means. Is it such a good idea as this other blogger points out for one company to have all this information about you? Not saying it is or isn’t, just something to think about the next time you fire up your Gmail account.

It almost seems a cliche but when the weather starts getting better around this time of year, we then decide it’s time to clear out our spaces. Unless you’re one of those folk who hoard everything. I lived near someone like this 20 years ago. Things got so bad one Super Bowl Sunday his attic caught on fire and the local fire department had to send a truck out to extinguish the small fire. Or live way up north where spring arrives sometime in May and it starts getting cold again in October. But I digress.

Lately I’ve been on a cleaning jag. I’ve managed to clear out years of old tax forms I didn’t need, old receipts and all kinds of paper junk. I’ve kept our recycling bin full for about a month now with paper, old cardboard boxes I’ve cut up and who knows what else. And now I’ve managed to clear out some books. I have 4 or 5 bookshelves full of books. It drives my wife nuts sometimes. But I love books. Some of the books I have are computer books. Since I’m a high tech professional, that sort of goes with the territory. One good (or bad, depending on your outlook) thing about computer books, they tend to go out of date after three years or so. One notable exception are UNIX books. They never really go out of style. I have one such book I’ve had since the late 1980s. I still look at it every so often. So I’m generally able to get rid of those after a certain date. Or if a title I have comes out with a new edition.

My local library has a book store, comprised of titles that have been donated by people like me. The store sells them and makes a little money which goes to programs sponsored by the library. Since I live in California ANY money they get is a very good thing. Plus people feel good about recycling their books. It’s all quite green, don’t ya know. 🙂

I figure I’ve donated close to a bookshelf worth of books to this library’s book store over the last decade. If I hadn’t, either I’d be buried under books by now or the local landfills would be filled by all my castoff titles. Thing is that I can decide to donate 10, 12, 15 or 20 books and yet my shelves remain full. Quite an interesting phenomenon.

I’ve noticed whenever I create some space it quickly disappears. There must be some scientific method or theory attached to this. I’ve had to learn that in my haste to clear things out I have to give the appearance that no new space has been created, otherwise it will be gone as soon as I cleared it out. Very strange.

Perhaps I can get some scientist or high tech person equally addicted to books to explain it all to me. Or more likely they’ll tell me it’s explained in great detail in their latest book, which they’ll ask me to buy.