87 posts categorized "Weblogs"

July 05, 2008

God took me off the grid

I had every intention of blogging during the long holiday weekend. Catching up on email and work at some point was on the agenda as well. However, this morning in the middle of email my laptop froze up. I could not do anything with it and so had to power down. On start up I got a missing media notice and it looks like my hard drive went kaput. Luckily my Windows Mobile phone has everything I need to stay connected. Email, TypePad blog platform, etc. Well, we went to my family in Hollywood Beach for a fireworks display and BBQ tonight. I left my phone in a backpack, so I would not take it on the beach or in the water with me. Great, it rained, the backpack got soaked and my phone is down now too!

So I think it is God telling me to go off grid this weekend. I am writing this on Bonnie's desktop machine. The kids are staying with my cousins and Bonnie and I are headed down to Key Largo for the weekend. I have her spare pink Razr with my SIM card for phone calls, but that is it. No email, no computers, no blogging! Speak to you all Sunday night or Monday, enjoy your weekend!

Hopefully, I had one article written and scheduled for tomorrow morning. I hope it publishes.


July 03, 2008

A thin line between blog theft and promotion - another opinion

Rich Mogull has been writing a bit about his disagreement with the SecurityRatty site posting his content (original posts here and here). These posts have set off a rash of comments and other articles on both sides of this issue. Finally Rich wrote his defining post on this topic here. Rich's position is that he owns his words. Ratty took them without his permission, adds nothing to the conversation or commentary at all and actually hosts the content rather than just linking to it. Now for those who don't know, SecurityRatty is a site allegedly owned and operated by some Russian CISSP dude. Basically, they claim they are an RSS aggregator and they just republish blog posts in their entirety. A couple of things to note though:

1. SecurityRatty does not usually add any content of their own or edit the posts in any way
2. They link back to the blogs or articles which are aggregated
3. They do appear to sell some advertising on the site
4. You can search their aggregated content on their site
5. At least recently they are removing content and feeds from their site if you request it.
6. They did not ask anyone's permission that I know of before posting content

OK, now that the groundwork is laid, let me give my Shimel view on this. I disagree with Rich. Hey it is a big world and I think there is room for a dissenting opinion here. The reasons I disagree with Rich are:

1. Though Ratty plainly posts up others' content, he does not hold it out as his own. He plainly gives credit to those who actually created the words and in fact links back to their sites.
2. Rich is publishing his data under a Creative Commons license; I am not sure if the meager ad on Ratty would qualify this as a commercial site.
3. Rich distinguishes what Ratty does from Google and other search engines (who clearly profit from Rich's content) by the fact that they just point to it. Not altogether true. They also keep a cached copy of the content that you can go to as well.
4. The fact is that I have a tough time seeing any harm to Rich here. In fact if Ratty were not pointing back to Rich's site, if he did not make it as easy to see that it is just an aggregate feed or if Ratty were adding his own comments and not clearly delineating his from Rich's, I would feel differently. Some of this is directly in contrast to Rich who says that if Ratty did add his own views to Rich's, that would make it right by him.
5. Finally, I would go even further than Rich not being harmed by Ratty. I think Rich actually benefits from Ratty. It is yet another outlet for Rich's content and though not everyone reading it at Ratty may go back to Rich's site, they do know it is him and can go back easily. In fact if Rich did advertise at his site, I could understand him losing hits at his site. Otherwise if Ratty just pointed back, one could say the more hits Ratty generates, it could cost Rich more money. Much like people who link to graphics hosted elsewhere.

So, Rich I see that Ratty has stopped aggregating your content so that should be enough of a victory for you. In the long run though I think it is a Pyrrhic victory and you would have been better off with Ratty publicizing your words.

June 18, 2008

Black Hat Bloggers Network topic of interest

This post is intended for members of the Black Hat Bloggers Network and others who blog on security. When we announced our affiliation with the Black Hat folks, we said that between now and the show in August we would pick topics of interest tied to presentations at Black Hat for us to "shine a light on". With over 150 blogs in the network, if even a small percentage of us write on one particular topic that should be quite a concentration. I am looking forward to seeing the many different tangents our members will take these topics.

Our first topic comes to us from an SBN member who will be presenting at Black Hat. It is one of our resident big brains, Chris Hoff talking about virtualization and security. I asked Chris to give me a quick write up on what he is presenting and here it is:

Despite shiny new stickers on the boxes of our favorite security vendors' products that advertise "virtualization ready!" or the hordes of new startups emerging from stealth decrying the second coming of security, there exists the gritty failed reality of attempting to replicate complex network and security topologies in virtualized environments.

This talk will clearly demonstrate that unless we radically rethink our approach, the virtualization security apocalypse is nigh!

We will focus on both securing virtualization as well as virtualizing security; from virtualization-enabled chipsets to the hypervisor to the VMs, we'll explore the real issues that exist today as well as those that are coming that aren't being discussed or planned for:
  • Some security things you do today are perfectly reasonable and work well in virtualized environments, others simply don’t work at all
  • Virtualized Security can seriously impact performance, resiliency and scalability
  • Replicating many highly-available security applications and network topologies in virtual switches doesn’t work
  • Monolithic security vendor virtual appliances are the virtualization version of the UTM argument
  • Virtualizing security will not save you money, it will cost you more

You can read more on this at Chris's blog here. So bloggers, here is the deal. You have what Hoff thinks, what do you think? Wrap your heads around virtualization and security and let's hear what you have to say. We will all be reading! ON YOUR MARK, GET SET, BLOG!

 


Another brick in the wall to limit blogging

First it was the EU looking at passing a law that would require bloggers to disclose their identity and affiliation. Now the AP is looking to enforce a new license that would require payments when a blogger puts an excerpt from an AP article in their blog. My friend Kevin McLaughlin blogged on this over at Channel Web blog today. Basically the AP says that if you excerpt more than 5 words you need to start paying them fees. Kevin reached out to me and I gave him my views on this one.

I think that it is a really shortsighted move by the AP. First of all it shows they really don't understand blogging. Blogging is about taking an idea which often comes from another source and putting the blogger's own spin and ideas behind it. In this way topics are built on one blog at a time with each blogger adding a bit more to the conversation. Each additional blog on topic enriches those blogs and articles that preceded it. As I said in the Channel Web article, it is like a jazz musician playing a riff on top of a line already laid down.

In real terms blogging on the AP content will only generate more views and interest in the AP content.  AP is just a dinosaur with this type of view and will soon go the way of dinosaurs if they try to enforce this. In the meantime bloggers can talk about an AP article, but don't link to it and don't excerpt from it. I suspect that the next thing is we will have a replay of the inbound links litigation we had 8 years ago.  In the meantime blogging will continue to march on with AP or not.


June 12, 2008

EU bloggers under assault by the European Parliament - they need your help

One of the nice things about having started the SBN was that I have gotten to meet (mostly virtually) many security bloggers from around the world. Some of the most prolific contributors to the content of the SBN have been the members of the Belgian Security Bloggers Network. I received word today from one of the authors of one of the blogs, belsec, that they are under assault by the EU government. It seems in their wisdom, the European Parliament has decided that in the interests of "media pluralism", all blog owners should declare their ownership, affiliations and status of weblog authors.

The explanatory notes of the proposed regulation say this:

In this context the report points out that the undetermined and unindicated status of authors and publishers of weblogs causes uncertainties regarding impartiality, reliability, source protection, applicability of ethical codes and the assignment of liability in the event of lawsuits.
It recommends clarification of the legal status of different categories of weblog authors and publishers as well as disclosure of interests and voluntary labelling of weblogs.

As the belsec author points out, disclosure of their identities would effectively silence their voices. There is no first amendment freedom of speech or freedom of press constitutional right in Europe. Of course if forced to do so, the Belgian authors could take up blogs based here in the US and escape the disclosure laws of the EU, but why should they have to? The EU is a democratic, progressive entity. Forcing these bloggers to make their "status and identity" public should not be mandatory here.

Blogs are today's pamphlets. Basic freedom of expression, speech and press have been protected for hundreds of years. Forcing these bloggers to identify themselves is a violation of their rights. What would Thomas Paine and others like him think of this restriction?

If you feel that this is an unfair and unjust restriction on bloggers' rights, blog about it. It is our right to do so and we should use the medium to do so. If you are an EU citizen write to your representative and demand that this proposed regulation does not go into effect!

Do not take your right to blog lightly.  If you don't stand up for it, it can be taken away from you.

"The world is my country, all mankind are my brethren, and to do good is my religion." - Thomas Paine


June 07, 2008

What do you think of Zemanta?

I am such a nerd/geek (for a good discussion on what the difference is, check out Brad Feld's article here), that I read this post in Fred Wilson's blog on Zemanta and had to check it out for myself. I am using it on this post and the previous one on Starbucks being sued by T-Mobile.

So far I am really impressed with how Zemanta works. It gives you a whole bunch of related content that you can use on your blog. Pictures, related articles, links and tags. It also makes it easy to reblog. It works right in my Typepad blog editor. The only thing I can think of is that I would like to see it work in Windows Live Writer and Scribefire, the two blog editors that I use for most of my stuff. But Zemanta is good enough that I don't mind using the Typepad editor to get this functionality!

So what do you think? Is it more noise or does it add value? Leave a comment and let me know.


May 24, 2008

The best way to get customer service? Blog or Twit them

I was reading an article in the Orlando Sentinel newspaper this morning (I know, who reads newspapers anymore?), about how so many companies are tracking unhappy customers by monitoring blogs and even Twitter messages. It reminded me of a story that Chris Hoff had a while back about Southwest Airlines monitoring his Twitter message.

The story in the Sentinel had two opposite corporate views on this. One was Comcast who quickly turned a negative blog post and experience into a positive one by reaching out to the customer and fixing their problem. The customer then ran an updated blog post to commend Comcast. Much the same way Hoff did in his post on Southwest. The polar opposite of this was Spirit Airlines, whose spokesperson according to the article said, "she wasn't concerned and that Spirit doesn't let blog posts affect its policies and procedures." Well a year later that article is still the number 3 search result on Google if you pull up Spirit Airlines. It has over 1000 comments with many people saying they didn't fly Spirit as a result. I wonder if Spirit Airlines still feels the same way about not listening to blogs?

The article mentions a few other companies that monitor blogs and Twitter and message boards. It also mentions a web site called getsatisfaction.com where over 3000 companies monitor to help consumers iron out customer service issues.

They always said the pen was mightier than the sword. In today's world maybe the keyboard is too.

April 16, 2008

Old blog, new blogger

I wanted to take a quick moment to welcome Samuel Colt Van Ryder to the blogosphere. I have known Sam for a number of years now. He was a sales person here at StillSecure for a long time working both with channel partners and direct sales. During that time I got to know Sam pretty well. He is an interesting fellow. A genuine Texan, Sam is a descendant of the Colt 45 Colts. He moved to Switzerland, where he met his wife. They then moved back to Texas where he has raised his family and worked in the security industry. Always a stand up professional, I have stayed in touch with Sam after he left our company and went to work at Alert Logic.

It seems that Sam has grown tired of trying to get Misha to blog regularly on the Alert Logic blog, so he has taken it over himself.  He posted his first article today. Good for Sam and we will be reading to see what he adds to our community discussions.  Welcome aboard Sam!

Speaking of community, the Alert Logic blog was already a member of the Security Bloggers Network.  However, the network is over 135 blogs strong with a combined distribution of 50,000 feedburner subscribers!  You can subscribe to the combined feed of all of these blogs by clicking here.

April 10, 2008

Microsoft cares about blogging

Among the many appointments yesterday was a quick lunch roundtable hosted by Microsoft about blogging.  Some of the folks from the Microsoft research team wanted to better understand the art of blogging. Who better to ask than some members of the Security Bloggers Network.  Several of us had a chance to talk about why blog, what we think makes it successful and what Microsoft can do to make their blogs successful and useful. We will see what becomes of it.

The point for me is that Microsoft, the monolithic empire, is really seeking to understand blogging and how to do it right. This is a very different company and attitude from the "we know everything" attitude many of us saw from Microsoft years ago. It almost makes you want to pull for them to succeed! Let's see how it works out.

March 23, 2008

Blogging for the sake of blogging

So I guess all of this back and forth on the NAC market and Lockdown has some people getting a little emotional. First, founder #4 (I wasn't even aware there was a founder #4) of Lockdown, Daevid comments on my last post taking me to task for having the audacity to moderate my comments, even after I require people to put in their name and email address in order to comment. I think Daevid is under the impression that I wouldn't publish comments critical of me and that this is cowardly of me. He thinks that this somehow gives me the courage to speak my mind.

Wow. First of all I guess Daevid has never had a blog before, so is not aware of the blog spam problem that forced many of us bloggers to install moderated comments. As I am sure most of you are aware, but for Daevid's benefit, I don't censor any comments to my blog, in fact I encourage them. I just won't allow spammers to use my blog. It has nothing to do with my courage or cowardice, it is more to do that I think blogs should be two way conversations. It makes blogging fun. It goes to blogging for the sake of blogging, something I am not sure Daevid quite understands. I do understand that this is a difficult time for Daevid. No one likes to see something they helped start not be successful. I am sure he thinks that I was not sensitive enough to the situation there. But anyone who has read my blog for a period of time knows that my views on Lockdown Networks have been pretty consistent for a long time. I am sorry if that ruffles his feathers, but I do blog for the sake of blogging and say what I think. One thing though, if I say something, I always have the courage to say I said it and put my name to it. Whether to your face or on this blog, I am pretty straightforward and don't hide behind anything.

Now, that leads me to a comment I read on another blog involved here. A really brave guy who signs himself in as James Kirk, leaves a comment and urges another vendor/blogger on NAC to "try and be as neutral to the industry as possible" and not be a new blogger "that blogs for the sake of blogging". He goes on to say some other things that my own paranoia makes me pretty sure he is talking about me. The neutral thing though is a bit naive, don't you think? If someone is blogging on a company blog, don't you think they are going to try and put their company in the best light and not be just neutral? Come on Kirk, you should have learned that in your first day at Starfleet Academy. You as the reader should be the arbiter of what is true, partially true or false. But the naïveté of that comment pales in comparison to the second quote. Don't blog for the sake of blogging. James Kirk, to quote one of your friends, that is not logical. Why else should you blog, but for the sake of blogging? Bloggers blog because they want to hear themselves and they want the world to hear them as well. Blogging is singularly an ego-driven sport. Your total lack of understanding of this fact makes it clear why you did not have the courage to use your real name. You just don't get it. James Kirk maybe you should stick to fighting Romulans and leave the blogging to us.

March 13, 2008

Agents - Can't live with them, can't live with them

Actually someone once told me the same thing about women and I am sure women say the same thing about men. But Tim Greene has an epiphany in a recent article about bad news for NAC vendors who rely on agents.

I think we all know that the last thing most enterprises want is another agent on their machines.  Heck, not just enterprises either, no one wants yet another agent.  The reasons for this are many and Tim lays them all out.  For me personally the biggest reason is that too many of these agents (and not NAC agents necessarily) are pigs.  They slow down your machine more than some of the widgets I used to use slowed down my blog page loading.

But Tim offers agentless NAC as a panacea. That it is not. In some cases agentless NAC works great, in others it severely limits what you can test for when and how fast.  Personal firewalls and other such technologies can wreak  havoc on agentless NAC.  You may still need credentials to get any useful information.  Over the years here at StillSecure, we have come to realize that in most real life situations, you need both agent, agentless and even web delivered methods of NAC testing, if you are going to be able to perform NAC against the entire spectrum of devices logging on to the network.  There is no one perfect way to do NAC. If there was, everyone would do it that way.  A good NAC solution should be flexible enough to offer multiple methods of testing.

One other thing I noticed was in the comments to Tim's article Dan Clark from over at Lockdown tried to make a comment and refer back to the Lockdown blog for his further commentary on this. The next comment though from Robert B I thought was priceless. It isn't that long, so let me just paste it in here:

Does anyone else find vendor blogs like nactalk.lockdownnetworks.com a little troubling? They appear as a neutral blog discussing a topic, except they only contain the vendor's point of view.

While they seem to allow comments, the one time I registered and tried to comment, it was never approved. I'm assuming that since none of their other "vendor patting themselves on the back" articles have comments, I am not the only one.

Hey Robert I agree with you. The Lockdown Blog is a pretty thinly veiled attempt at a cheap marketing outlet. A review shows they put up an article a month and never have any comments as Robert points out. That is not a blog, the same way many vendors who claim to offer NAC don't really have a NAC solution. However, I would hope that not all vendors who blog are painted with that same brush.  Besides myself, there are several excellent blogs authored by people who are also working for vendors. Not to say we are not biased, but I think there is a clear distinction there.

March 10, 2008

New Info Sec magazine in blog format

Ken Belva, a blogger in the SBN is starting a new InfoSec magazine in blog format. Below is Ken's post on the new venture.  I wish him and the team well and will be reading!

http://www.bloginfosec.com/2008/03/10/announcing-bloginfoseccom-an-information-security-magazine-in-a-blog-format/

Announcing bloginfosec.com, an information security magazine in a blog format. bloginfosec.com is written by professionals for professionals.
Our magazine delivers content for executives and practitioners written by working information security executives and practitioners.

Our columnists are respected information security veterans who hold influential positions at major corporations. bloginfosec.com prides itself on being free from vendor and commercial influence. Our columnists have an amazing flexibility to write their columns as they see fit with minimal editorial constraints.

Spotlight on Our Columnists
This week and next we will be spotlighting our columnists. We have some great column posts scheduled for publication.

        * Monday: C. Warren Axelrod - ROSI: Security Returns?
        * Tuesday: Frank Cassano - The core truth of risk
        * Wednesday: Allan Pomerantz - Our End Users: The Weakest Link
        * Thursday: Micki Krause - Core Program Practices: Assess, Implement and Monitor
        * Friday: Sam Dekay - Information Security: Orphan of the Org Chart?
        * Monday: Russell Handorf - Wi-Fu! Attacking the 802.11 Client
        * Tuesday: Derek Schatz - Are We Less Secure Now Than Before?

iPod Newsletter Raffle
Any corporate (.com, .net, .com.xx, etc.) or educational (.edu) activated email address registered between Monday, March 10th, 2008 and Friday, March 15th, 2008 on bloginfosec.com will have the chance to win a free 8G iPod Touch with video. We will mail the iPod anywhere in the world. Generic email addresses (such as yahoo.com, google.com, aol.com, etc.) are not eligible to win. All entries are subject to our discretion. We will pick the winner and contact you via email for your physical mailing address.

Blogging from MISTI InfoSec World 2008
Stay tuned for posts, pictures and possibly video of InfoSec World 2008.
Point your feed reader here for all of the RSS action!

Qualified Writer?
Please review the columnist agreement. If qualified, please email us at authors()bloginfosec.com or contact the editors through the contact form.

March 07, 2008

Why I am using Windows Live Writer instead of Scribefire

For a long time I have been using the Scribefire plug in for Firefox as my blog editor.  I love the ability to split the screen in Firefox and write my blog article right under the page I am writing about.  Scribefire has gone through some changes over the years.  It was originally Performancing for Firefox, but when that was bought, it became a commercial product for a while and now appears to be open source without a corporate sponsor.  All I knew or cared about was that it worked (maybe there is a lesson there about open source software somewhere).

With the most recent update though a nasty little bug (nasty to me, but they don't think it is so urgent) was introduced where if you leave more than one space an &nbsp; is added. Not just a blank space but the actual letters and characters. I am from the old school where I space twice at the end of a sentence. So at every sentence end I get one of these and then I have to go in and take them out by hand. It is a major pain in the butt.

So I have switched over to Windows Live Writer. I had looked at it sometime ago and there were a few reasons I stayed with Scribefire.  But the latest release of Live Writer actually gives me tables and insertion of video that Scribefire doesn't.  I still miss the split screen, but I can launch it from Firefox. 

I will look at Scribefire again perhaps when they fix this bug.  But every day I use Live Writer I grow more comfortable with it. By the time Scribefire fixes their issues, it may be too late!

February 29, 2008

Defending the Caveman - Are blogs newsworthy?

news·wor·thy /ˈnuzˌwɜrði, ˈnyuz-/ [nooz-wur-thee, nyooz-]

–adjective - of sufficient interest to the public or a special audience to warrant press attention or coverage.

I wanted to come back and touch on something that someone wrote in a comment yesterday. This has nothing to do with whether or not a government or service has a right to filter out content, they do. So does just about any employer on their own network and machines. For me the bigger issue was the comment "... and frankly blogs aren't newsworthy, the majority of them are just random points of view that wouldn't be cited, with any validity". To me this is a clear sign of someone who has not spent a lot of time out among the rest of us lately. What cave has this person been living in? Whether we are talking about politics, science, music or technology, it takes some kind of special cretin to make and believe this argument about whether blogs are newsworthy. Part and parcel with this attitude seems to be the attitude that people who read blogs are bandwidth slurping slackers, who have nothing to do all day but avoid doing anything productive at work and read these extreme wastes of time.

Do people really believe this? Evidently so. My view is this: blogs have become a major source of news and influence. They have revolutionized the media industry in a similar fashion to what the desktop publishing software market did to the print industry. They have given voice to millions and put the common man on par with the hereinbefore omnipotent media reporter. But really folks, is there really even a doubt in your minds on this? If there is, here are some links that may help settle that question:

http://www.foreignpolicy.com/story/cms.php?story_id=2707&popup_delayed=1

Every day, millions of online diarists, or “bloggers,” share their opinions with a global audience. Drawing upon the content of the international media and the World Wide Web, they weave together an elaborate network with agenda-setting power on issues ranging from human rights in China to the U.S. occupation of Iraq. What began as a hobby is evolving into a new medium that is changing the landscape for journalists and policymakers alike.

http://news.bbc.co.uk/1/hi/technology/4976276.stm

The impact of blogging has reached a tipping point, argues Julian Smith, senior analyst at Jupiter Research.

This week's We Media forum was covered by the blogs

Anyone studying the media over the last few months might have noticed a sudden increase in concern about the growth of consumer-created content and the impact of blogging on business.

There are a lot more similar types of reports from "valid news sources" that I can show that prove this point, but I suspect for the majority of you that would be dulling the point. But let's not forget the valuable lesson here. There are people out there who, blinded by their own beliefs, do not see the forest as being made up of trees, but see something else entirely.

But to the person who left this comment I ask: if blogs are not newsworthy and worth reading, what were you doing reading mine and wasting your time with a comment?  I think the answer to that will go a long way towards coming to grips with reality.

February 28, 2008

Is Technorati relevant anymore?

I have been thinking more about the RSA Bloggers Meet up that I wrote about yesterday. That got me thinking about how bloggers are so socially interactive and probably explains why we are such suckers for things like Twitter, Facebook, etc. Then I started thinking (I know a lot of thinking going on here, where it goes I don't know) about how blogging has changed in the years I have been at it. While blogging is bigger than ever, a lot of the social network around has changed. For the most part, for the better I would add. However, one thing that has changed for me anyway, is Technorati.

When I first started blogging Technorati was the Google of blogs. In fact on the not too rare times that it took forever to search on Technorati I would think it was being overrun with queries. Putting Technorati tags into my articles was elementary and mandatory. I used to check my Technorati rankings everyday and judged my blog's popularity by its "authority". I would eagerly comb the rankings to see who linked to my site. Then a funny thing happened. Technorati started making so many changes, when I would log in I couldn't find what I was looking for anymore. Then it would seem that no matter what I did, unless I went in and manually pinged my site, it would not update. After a while I got tired of manually pinging from Technorati and my authority started going down. Frankly, I didn't even care. Then after a while, I couldn't even figure out where to go to ping my site manually on Technorati anymore. It has just lost all relevance for me as a blogger. The shame is I think the blogger community was what Technorati was about.

Instead, I think Technorati has gone after the blog reader community. I can see the wisdom there. There are a lot more readers than there are writers. However, I am not sure they do a great job on that count either. Both Google and Yahoo and even MSN do a good job of blog coverage now. So do blog readers have any allegiance or affinity for Technorati? Does it do anything for them? I don't know. What I do know is that if they would have done a better job of keeping me abreast of the changes to their site and showing me how to use it and get value out of the service, I would spend more time there and not find it so irrelevant as I do now.

This is something I am going to discuss with my blogger buddies at the RSA bloggers meet up. With a "who's who" of security bloggers in attendance, what would you talk to them about?

Whats your favorite thing about the RSA conference?

It is already the end of February and the buzz is in full swing for this years RSA Conference. I usually know that it is RSA time because it takes place around my wedding anniversary.  However, this past Monday was my anniversary and no RSA.  That is because this year RSA is a little later, taking place the 2nd week of April in San Fransisco.

Over the years I have come to really enjoy RSA as a chance to catch up on the industry, friends and of course, parties!  Some of my favorites are the SC Magazine Awards show and the RSA conference party itself.  Last year one of my favorite events was the bloggers meet up that I had a hand in putting together along with Martin McKeay and a few others and that was sponsored by Microsoft and Fortinet. That party has become legendary with posts about it here, here, here and here among other places. We had a similar event at Black Hat last year and that was fun too.  There is something about getting together with all of the folks you virtually talk to all the time via the blogosphere and putting a real face and voice to a name.  We try to keep these blogging parties confined to blogger and media types, so that everyone is comfortable sharing and conversing without the "general public" there.

For this year's RSA conference we wanted to do a similar type of event. However, the blogroll of security bloggers attending has grown quite a bit and of course most security media types are blogging now as well.  So we wound up getting about 100 of the top security blogging crowd together and got Fortinet, Microsoft and StillSecure to sponsor.  It is shaping up to be the bash of RSA, for me anyway.  The buzz around it was so loud that before we knew it we had a logo, our own official blog on the RSA conference site and a full committee running invites, food, drink and logistics (OK so Jennifer Leggio does most of the work)!  I am just totally pumped to meet a bunch of the folks on the RSVP list and have a great time. Truth be told I am also proud as a peacock that I played a role in putting this thing together from the beginning.

If you have a security blog or podcast, are going to be at RSA and want to attend there is information on the RSA blog page on how to get an invite. For many of you reading this, I know you are saying to yourself, "great sounds like a cool party, free drinks and I can't get an invite because I don't blog".  Well you don't have to fire up that old free blogger page you started but never finished months ago.  Through the magic of modern technology you can party along with us virtually!

We are going to have live video streaming, live audio podcasting and a live Twitter feed.  The RSA site has more details on signing up for the Twitter channel we have set up to follow the pre-party chatter (or is it twitter); you can follow that at @RSABloggers2008. Hey, it will be almost like being there.  Anyway, hope to see as many of you as possible at the party and as many of you as possible virtually if you can't make it!

February 15, 2008

SSAATY - 1,010 posts strong!

I am proud to say that this post is the one thousand and tenth post for StillSecure, after all these years!  I had meant to commemorate the 1000th post but was so busy blogging I missed it.  Over 1000 articles is certainly a body of work to reflect on. I was thinking, what were some of my favorites? What were some of my least favorites?  I would be interested in what your thoughts are as to the best and worst articles. Anyway, as they say in the song, what a long strange trip it's been!  My heartfelt thanks to you my readers who encourage me to continue blogging. There is nothing like meeting someone who tells me that they know me from reading my blog. Let me let you in on a little secret though.  As much as I enjoy the interaction with you readers, I love blogging because it makes me feel good to express myself.  I think all people who blog for a period of time will agree that it takes a certain amount of narcissism to blog. I certainly have no shortage of that.  It is almost like you reading this is the cherry on top of the cake.

Anyway, I hope to keep blogging for a long time to come. I hope you continue to find my content interesting and worthy of your valuable time.  Most of all I hope it continues fulfilling whatever it is that it does for me that makes me like it so much.

Thanks for trucking along with me!

February 12, 2008

Do me a favor and check out my Intense Debate comment system

One of my friend Brad Feld's investments is a company called Intense Debate. The guys at ID are trying to bring order to the chaos that is blog commenting.  The guys over at ID are also working with integrating blog comments into the very fabric of the new social networking world order.

Over the last few months I have had fits and starts with trying to make Intense Debate work on my blog. Frankly, I was too busy to really dig in and make it work.  However, I tried activating it again tonight and I think I have it working pretty well.  If you would do me a favor, leave a comment to this post and let's see how it scales.

The idea behind Intense Debate is really pretty cool and I was talking to Brad yesterday about some ideas for using Intense Debate in some of the blogging networking stuff I am involved with.  Hopefully more on that later.  In the meantime check out how it works by leaving a comment if you have a moment and if you are interested you can get it for free on your own blog.

January 30, 2008

A golden nugget of a security blog

A couple of weeks ago I followed a link and wound up on a blog called Security Uncorked, JJ's complete unofficial guide to Infosec.  Though it was a fairly new blog, the person writing it obviously was a pretty hands-on security practitioner who knew what they were doing and was doing a good job of writing about it, with some good tips and tricks.  Further investigation revealed that the blog belonged to Jennifer Jabbusch. I don't know a lot about Jennifer other than what she has up on the blog, but she is obviously very deeply involved in nuts and bolts information security and has a great writing style.

The first thing I did was contact her about joining the Security Bloggers Network, which she promptly did.  I thought she was an excellent addition to the network. Since then I follow her blog and though she doesn't write often enough, her articles are quality work.  I hope to have her as a guest on the podcast soon.  But I wanted to call this blog out to all of you to check out, it is good stuff.

November 02, 2007

Where the heck is Shimel?

Readers, I have to apologize for not blogging all week.  I think this is the longest gap I have had in over two years.  I had to take a trip to Europe on StillSecure business this week and frankly it kicked my butt.  I was so tired after returning from my meetings every day, I literally fell into the bed to sleep.  I didn't stay up on my reading or blogging.  I have lots of catching up to do this weekend and promise to get some stuff up really soon!

October 01, 2007

Happy Birthday SSAATY

Somehow I remembered that today is the two year birthday of this blog.  What a long, strange trip it has been.  What started out as something of an ego-driven joke has become a major part of my life.  Below is a reprint from my first blog article, the usual "Welcome to my blog":

October 01, 2005

Welcome to my Blog

Hello and welcome to my blog!
If by chance you have stumbled across this site, my name is Alan Shimel. I am the dad of 6 year old Landon and 4 year old Bradley.  My wife, Bonnie and I have been together for almost 20 years, 16 of those married!  I am the Chief Strategy Officer at StillSecure, a Louisville, CO based provider of a suite of network security software.  I live in Boca Raton, Fl, having moved here almost 4 years ago from Long Island, NY.  Pretty much everything you read on this site will have something to do with one or more of the people, places and things mentioned above.  Working for a company near Boulder, CO and living in Boca I think gives me a unique view of things, as you could not get two more different, yet similar places. It keeps me balanced I guess, though I spend an awful lot of time on the road across the US anyway.  Well I hope you will stop by and monitor the site and hopefully I will post something worth your time.

Can it really be two years already? 867 posts, 500 and something comments, 180 something trackbacks and 3,358 blog reactions (according to Technorati) later I still feel like blogging.  That was the reason I started blogging and it is the reason I still do it.  Sort of like why Forrest Gump went running I guess ;-)  Looking back at this first blog I think I have stayed pretty true to what I thought about doing then, but I had no idea how much fun this was really going to be.  I am humbled and very grateful for the thousands of people who actually read this blog regularly and I hope it has caused you to laugh or cry, but most of all think at some point. 

Happy Birthday SSAATY!

September 20, 2007

Security luminary for hire?

You know I try to never believe the hype, even about myself.  When that silly list came out with the top 59 most influential people in security and I was number 2, I had a good laugh.  When people recognize me in the street from the picture in my blog, I feel good and move on.  When people ask if my blog and podcast have helped StillSecure, I shrug my shoulders and say "I don't know, but I have a lot of fun doing it". Frankly, I am not the most technical person in the world. I consider myself a good business person who is passionate about security and what my company is trying to do to make networks more secure. But I am no celebrity. When I helped start StillSecure, I never imagined that one day I would be considered a "known person" in the security field.  However, it appears to be true.  In a corollary to the adage "imitation is the sincerest form of flattery", it seems some of the StillSecure competition are actually buying Google ad words keyed on my name.  Can you believe that?  How low can you go? Someone told me about it today and I tried it for myself and sure as you know what, there is a banner ad that a certain NAC vendor has taken out on the name Alan Shimel.  How cool is that?  Go try for yourself.

So that got me thinking.  Hey, maybe there is a cottage industry here.  I can sell or rent my name out to NAC companies that must be so desperate that they would hitch themselves to my name. You know, the kind of companies that don't have a bona fide personality themselves and need to rent out someone like me.  Hell, I am thinking even bigger than that.  Maybe I can do personal appearances, webcasts and all kinds of stuff like that. Maybe I could even do a blog for them. I might as well suck out as much cash as I can for my kids' college education fund.  I even drew up my own Google Ad over on the left.  Of course I think it only fair that I get a piece of the action from their sales then too, right?

But seriously, how much money is there to be made by buying ad words on my name? Maybe instead of trying to get more customers by cashing in on my good name, they should use the money they have left and get their development lab over in Israel fired up. They can perhaps write their own testing software, instead of relying on someone else's licensed software layered on top of a failed IPS.  This way they could be honest and upfront about how their product works.  Nah, that sounds hard.  Probably easier to hitch a ride on my name and live off of the crumbs of my table.  Geez, I feel like John Chambers.

September 06, 2007

The new Abbott and Costello?

One of the things that has made the SSAATY podcast enjoy any degree of success (in our own minds anyway) is the fact that rather than just me talking, I was smart enough to ask Mitchell Ashley to join me as co-host.  Originally Mitchell was sort of Ed McMahon to my Johnny, but over time our close personal friendship and interaction has resulted in our being equal co-hosts of the show.  I know that the energy we generate from our interaction is what powers our podcast and makes our guest interviews interesting as well.  The same goes for my friends Paul and Larry over at the PaulDotCom podcast (they actually have an even bigger cast and I have their new book, trying to find time to read it and review it).  So I am very happy to see that two friends of mine have teamed up on a podcast. Martin McKeay, one of my first friends in security blogging and whose podcast I first appeared on and Rich Mogull are teaming up with Rich as co-host on the podcast. The first episode was just posted.

I am sure that Rich will add much to Martin's already great body of work.  I think they will both find that 1+1=3 when it comes to podcast co-hosts.  After so long of going solo, Martin will find having someone else to bang ideas, banter and thoughts off of is going to make the podcast much better.  Rich is a guy who has opinions on security for sure, but can tell a good story as well.  I wish both of them luck and if you get a chance, check out their show for sure!

August 19, 2007

What is the funny green icon next to the title?

Not sure how many of you have noticed, but if you are reading this article on my blog site, next to the title is a funny green icon with the word share underneath it.  For those of you who have not clicked on it yet, go ahead and see what happens.  Nothing bad I promise.  It is actually a new widget by a company called madKast.  madKast gives you some options on how to share blog content that my FeedBurner Feedflare does not.  It is actually pretty cool.

In case you have not clicked on the madKast link by now, let me give you a little background.  madKast is a company that came out of this summer's TechStars program in the Boulder, CO area. My friend Brad Feld and some of the other VC and business community from the Boulder area have given rise to TechStars and it looks like a pretty cool idea.  madKast is just one of the cool companies from it.  If you get a chance check it out.

Also, let me know what you think of the widget and if you like, of course you can add it to your blog for free as well, really easily!

August 14, 2007

What is your blog known for ...

If you asked me this question, I would love to tell you it is known for its insightful analysis of the security industry and some of the good things I have written over the almost 2 years I have been at this.  But alas if you go by the numbers it seems my blog is best known for fat girls, ugly girls and big butts!  How is that you say?  Well my friends, the numbers don't lie.  In addition to my regular subscribers (well over a thousand now), I usually get about 500+ non-subscriber visitors a day.  While this sounds like a lot, a closer examination reveals that the overwhelming majority of these visitors come via the search engines and it is for one article/picture that I did in Sept 2006.  It involved poking fun at Rothman and Mogull about analysts always getting the fat, ugly girls.  Little did I know that this would become my claim to fame. I include a recent day's visitor stats to show you what I mean.  All three of the most popular pages have the post in question contained in them.

What to do about this?  Well at first I will admit that I did not want "that kind of traffic" on my blog, so I removed the picture of the women in question.  Then people started writing me asking what happened to the picture.  So after some thought, I put the picture back up due to popular demand.  I rationalized this by saying that if even a very small percentage of these visitors saw something good in my blog, maybe they would subscribe to it.  Fact is I don't think any of them do, they are there just for the picture.

So after almost 2 years of pouring my heart out on this blog, I am best known for pictures of ugly girls.  Oh the cruel fates of the internet!

June 02, 2007

A plea in the dark

My friend Chris Hoff is so mad that he is actually appealing to the inherent good he believes exists in all of us.  He asks that if you are going to write about something he wrote, have the etiquette to trackback to his post.  Not sure if that is to get the Technorati rankings up or Chris is just dying to engage in dialog.  You would think that while he is out cavorting in city and town, Chris gets enough dialog, but maybe sober communication is what he craves ;-). Either way, he is right.  Leaving a trackback or commenting certainly keeps blogging as a two-way communication medium.  To me that is the best part of blogging.  So for Chris's sake and the rest of us, trackback, comment and engage.

June 01, 2007

Is it time for a new blog editor?

For many, many months I have used Performancing for Firefox as my default blog editor on my laptop.  I was a big fan of Performancing and the blogging community they established.  I used the Performancing metrics as well.  Then the leadership there fell apart and they discontinued the metrics.  Then the blog editor was bought by Scribefire and I have used the new updated version.  There really was not much new in the updated version, other than branding.  However, the same things that attracted me to the program in the first place kept me using it.

The idea of writing right in a split screen in Firefox, right below the articles I was linking to was appealing. I liked the ease of use. However, inserting graphics and adding categories was a problem.  So when I read Don Dodge's article today on the new release of Windows Live Writer, I thought I would give it a try.  I am writing this post in it now. 

I had tried Live Writer before and went back to Performancing. Not sure if this will last.  I also like using my Typepad mobile editor as well.  Anyway, I love to try new tools and wanted to see how it worked.  Let me use it a few weeks and get back to you.

May 22, 2007

How not to do marketing

God knows that when another company does some stupid marketing, I am the first one to jump up and down and call them on it.  Some companies and former friends have gotten upset with me for doing it, but I call them as I see them.  So it is with some regret that I have to stand up and say that we at StillSecure did some stupid marketing that I have to apologize to my blogging brethren for.  It seems our PR folks, realizing the tremendous influence security bloggers exert (hey don't forget the most influential people in IT Security list), thought the best way to reach them was to send out a story pitch to all the people on our blogrolls. This is the same way they do it in pitching to the traditional media. WRONG!  That's what makes blogging, blogging.  It was not cool, a mistake and we are all sorry here.  We will make sure that does not happen again.  Lesson learned and now on with the show.

May 12, 2007

Corporate blogging policies, can you regulate stupidity?

Last week I wrote about an article by Bill Brenner over at SearchSecurity. It mentioned how Don Ulsch thought that personal blogging from work or mobile platforms could be "very bad".  Don was nice enough to take the time and write me over the weekend to further clarify what he meant. Don was not advocating that we ban personal blogging from work or mobile platforms, he sees that blogging has some redeeming characteristics.  What Don was trying to get across is that enterprises have to put clear blogging guidelines and policies in place.  He says it is necessary to keep employees from falling victim to social engineering scams that have them unwittingly leak confidential information.  Also, in case there is a case of an employee leaking information or doing something else, it is clearly spelled out what the company's position is. Don also acknowledges that the case cited in the Brenner article about DuPont really did have nothing to do with blogging, but with an employee with access and a mobile device.  Don did mention to me other cases where blogging has gotten an employee in trouble though.

The issue of corporate blogging policies is one that is being confronted by organizations across the board today.  Over at the Security Catalyst Forum (the Catalyst Forum and community is a great resource for lots of security advice) there is a great thread on this topic with some real world examples and advice on the subject. Here at StillSecure, we have had the conversation ourselves about how to limit liability and potential harm to the company, while still giving everyone a right to express themselves.  We have come up with some loose guidelines that we follow.  However, I am a big believer in common sense.  No matter what is written in a policy, employees need to exercise common sense when posting in public.  Blogging is just the latest incarnation. Before that it was bulletin and message boards, before that something else.  There is no substitute for common sense in any of these mediums.  If something you are going to say would disclose information about your company which should not be disclosed or would potentially harm your employer, you would think a good employee would exercise caution.  Nevertheless, I guess it is a good idea to have some policy in place for people to guide them.

That being said, I do not believe that Don's sinister view of cybergangs monitoring and running blogs for evil purposes is anything more than a very, very small percentage of blogging.  Also, with so much to say on the topic, Don really should blog. It may prove to be a great exercise in education and perhaps we can all learn.

StillSecure, After All These Years: Don Ulsch, keep the FUD to yourself

May 11, 2007

Don Ulsch, keep the FUD to yourself

Bill Brenner over at SearchSecurity.com has an interesting article up today about how blogging from your corporate laptops is risky business.  He reports that Don Ulsch, technology risk management director at Jefferson Wells International, says that people blogging from work and mobile platforms is "very bad".  Ulsch points out that there are 100 million blogs and he claims many of them are used by organized criminal outfits to push gambling and porn.  Ulsch further states that when employees do personal blogging on company machines and through corporate email accounts, "Digital miscreants can then use sophisticated data mining software to scan the blogs for proprietary information that may be sitting in some of those stored messages."  Ulsch said that companies need to put blogging restrictions in place and take this more seriously from a security perspective.

As "proof" Ulsch uses the DuPont case with Gary Min.  The funny thing here is the DuPont case has nothing to do with blogging at all.  A disgruntled employee downloaded and stole trade secrets. What does that have to do with blogging?  Further, Ulsch seems to be confusing posting comments on blogs and articles with blogging.  All in all Mr Ulsch, get a grip for God's sake man!  Your comments seem to show a total ignorance for what blogging really is.  You actually offer no proof whatsoever that reflects on blogging at all.  All of your comments deal more with employees using mobile technology.

Stop spreading FUD about this stuff and talking about things you obviously don't know a lot about.  If it were up to me I would make you start a blog and post an article every day from your company owned laptop.  Maybe if you got more into blogging y