
Comment This is why... (Score 5, Insightful) 359

When you purchase something like professional services for a new system, you need to make sure that throughout the process you are receiving and own all the code and documentation and have at least a high-level overview of what is going on. Too many people just say "Make this XYZ system for me, here's money to do it" and then expect to be barely involved with the process from there on until the product is done.

Comment Re:Android is out of the running, at least for now (Score 1) 125

Not really unfeasible ... reflashing an Android phone really just requires selecting an image from an application and rebooting. It shouldn't be required, but it's a pretty trivial problem to resolve.

The military uses user-based certs. This means that every time a user anywhere in the entire DoD organization is fired, quits, changes jobs, changes names, etc., they have their certificate revoked. This means they are probably revoking hundreds of certificates per day. Generally, you need to update your CRLs about once a week at a minimum, though they prefer that applications use OCSP, where a query is sent in real time to the CA to see if the cert has been revoked, for this reason. So, flashing isn't a very reasonable thing to do once a week or more, especially when the product takes an hour to flash.

Comment Re:Support them from your own money (Score 1) 666

Yeah, this has been my experience as well; it is amazing how quickly you get a person who knows what they are talking about. It is a fresh relief from the usual "did you try turning it off and on?" Half the time you are thinking, I know more about your product than you do, kid! Red Hat is not at all like this. They get you to someone who knows everything about some little facet that you are having an issue with.

Comment If you ask nicely enough... (Score 5, Insightful) 77

If you ask nicely enough maybe they will do something about all their problems. What needs to happen is Mozilla needs to get with Microsoft, Chrome, Apple, etc. and say unless you submit yourself to an INDEPENDENT audit you will be revoked from our default trusted root certs. SSL has been destroyed, not because of protocol problems but because of the companies running the show. It was a race to the bottom from the beginning. Who could provide the cheapest service and make the most profit off of it? This model doesn't mesh well with security and never will. Once one company operates their systems cheaply, everyone else must follow so as to maintain low prices.

Comment Not sure how I feel about this... (Score 2) 86

As someone who has gone to Defcon myself and works in the security industry, I don't think I would send my (presently non-existent) kids to this. While I have no qualms about Defcon teaching these items, I feel like kids don't have the ability to understand the ramifications of their actions, which is why we try them differently in court. Once they get out of this class, what are they going to be able to do with their new-found ability to pick a lock? They can't get a job as a pen-tester or some other legal activity, so the only thing that they will use this skill for is illegal. Also, the general atmosphere of Defcon isn't very conducive to children, with the whole hotel being drunk, loud music playing and people partying all night. Maybe I am not even a father yet and I am already too conservative.

Comment Re:in the wild (Score 1) 151

Here are some sites that I have used for malicious sites:
http://www.malwaredomainlist.com/
http://www.malwareurl.com/
http://iblocklist.com/lists.php
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
http://mtc.sri.com/live_data/malware_dns/
Also, if you use Snort you are able to use the rules created over at Emerging Threats as well as others:
http://emergingthreats.net/rules/emerging-drop.rules

Comment Re:MACS???!?! (Score 1) 1003

This attitude works if you are some joe blow user worried about being part of some zombie attack, but fails miserably if you are some high-value target such as a bank or a military. You can't rely on reports of known malware because a real attack isn't going to be "known". OS X does have these issues. It is far from perfect, and when you have a web browser that allows drive-by downloads for two years, I really have a hard time trusting them with the security of the rest of the system.

Comment Security risks and standards (Score 1) 152

Microsoft is putting their customers at risk every time they half-ass these standards like they love to do. Companies spend a lot of time and money to develop these lovely web apps that only work for IE version X, then find out that because IE X+1 is trying to finally conform to standards their current app is broken. Whether we like to admit it or not, IE is getting better at security issues, but many of their customers can't upgrade because they built the POS that is IE 6. I have seen this again and again in organizations. No one wants to upgrade because application Y breaks when you upgrade, so everyone stays with the more vulnerable IE 6. Microsoft needs to stop putting its customers at risk in the name of vendor lock-in.

Comment We should clean up our own act first. (Score 1) 208

http://maliciousnetworks.org/top20c.php Who is the number one haven for malicious machines? The US. Not that I disagree with this. I do think it is a step in the right direction. We need to start working together as a world to combat threats on the Internet. If it takes cutting off funding, then I am for it. I would like to see it go further and have the companies who are "supporting" this agree to NOT send work to these countries. The reason cheap labor exists in a lot of these countries is due to the lack of regulations.

Comment IDS (Score 1) 214

Monitor heavily! Set up a Snort box or some commercial equivalent at multiple points in the network and religiously watch it (if you are large enough then you can hire a dedicated team; if you are small then it should be someone's job to look at it on a regular time interval). This allows you to respond to incidents faster and ensure that an incident doesn't get out of hand. This can be the difference between a piece of malware being on 1 machine or the entire network. Don't let vendors sell you on an IPS and all its glory. If you want to buy one as a good Defense In Depth strategy, fine, but an IDS is far more important than an IPS. So if I could only pick one due to budget constraints I am going to pick the IDS every time. IDSes have the benefit of being able to trigger on things that may be incidents and not only on what definitely is an incident. It is then up to some human to decide whether it is or not.
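An added example, not code from either of the comments it illustrates (the domain blocklist feeds listed under "Re:in the wild" and the detect-and-let-a-human-decide stance above): a small detector that loads a one-domain-per-line blocklist, normalizes entries, and alerts on DNS query-log lines whose name is a blocklisted domain or a subdomain of one, without blocking anything. The blocklist contents and the BIND-style log lines are constructed for the example; the feed format (one domain per line, '#' comments) is an assumption about how such lists commonly ship, not a statement about any specific feed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Hit is one DNS query for a blocklisted domain (or a subdomain of one).
type Hit struct {
	Client  string // querying host, from the log line
	Queried string // name actually looked up, normalized
	Matched string // blocklist entry that triggered
}

// normalize lowercases a name and strips the trailing dot so "Evil.Example." == "evil.example".
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// loadBlocklist parses a one-domain-per-line feed: '#' starts a comment, blanks are ignored.
func loadBlocklist(text string) map[string]struct{} {
	bl := make(map[string]struct{})
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		if d := normalize(line); d != "" {
			bl[d] = struct{}{}
		}
	}
	return bl
}

// lookup walks up the parent labels, so cdn.evil.example matches an entry for
// evil.example, while notevil.example does not (no substring matching).
func lookup(bl map[string]struct{}, name string) (string, bool) {
	n := normalize(name)
	for n != "" {
		if _, ok := bl[n]; ok {
			return n, true
		}
		i := strings.IndexByte(n, '.')
		if i < 0 {
			return "", false
		}
		n = n[i+1:]
	}
	return "", false
}

// queryRE matches BIND-style query log lines such as
// "client 10.0.0.5#51234: query: cdn.evil.example IN A + (10.0.0.2)".
var queryRE = regexp.MustCompile(`client ([0-9a-fA-F.:]+)#\d+: query: (\S+) IN`)

// scanQueryLog runs the blocklist over query-log lines and returns the hits.
// It alerts rather than blocks: a human decides what each hit means.
func scanQueryLog(bl map[string]struct{}, log string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := queryRE.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		if entry, ok := lookup(bl, m[2]); ok {
			hits = append(hits, Hit{Client: m[1], Queried: normalize(m[2]), Matched: entry})
		}
	}
	return hits
}

// Constructed sample data for the example; not from any real feed or resolver.
const sampleBlocklist = `# constructed feed
evil.example
Tracker.Example.   # trailing dot and mixed case, as some feeds ship them
`

const sampleLog = `01-Jan-2024 09:00:01.001 client 10.0.0.5#51234: query: www.example IN A + (10.0.0.2)
01-Jan-2024 09:00:02.002 client 10.0.0.5#51235: query: cdn.evil.example IN A + (10.0.0.2)
01-Jan-2024 09:00:03.003 client 10.0.0.9#41000: query: tracker.example IN AAAA + (10.0.0.2)
01-Jan-2024 09:00:04.004 client 10.0.0.9#41001: query: notevil.example IN A + (10.0.0.2)
`

func main() {
	bl := loadBlocklist(sampleBlocklist)
	for _, h := range scanQueryLog(bl, sampleLog) {
		fmt.Printf("ALERT client=%s queried=%s blocklist_entry=%s\n", h.Client, h.Queried, h.Matched)
	}
}
```

Pointing this at the resolver's query log rather than at a packet capture is deliberate: the log is already there, and a hit tells you which internal host asked, which is the first question an analyst triaging the alert will want answered.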
