I have been puttering about in captivate and decided to see how many folks were paying attention to my nessusd.rules post, and wound up creating a 9 question quiz.
You can take the quiz by clicking here.
(You can also direct your browser to http://kuhfeldt.net/nessusdrules/ if you prefer.)
The nessusd.rules file is important to know about and understand when using Tenable’s Nessus and SecurityCenter products. It allows the administrator to protect or skip fragile systems or ports as well as exclude individual plugins from running regardless of what is provided in the scan policy or scan definition.
The syntax works by using accept or reject on a line that has not been commented out (i.e., a line without # at its head), followed by the IP address or IP range of the systems to be affected (CIDR notation is allowed). This can be refined further to skip particular ports by adding a port number or range after the IP address. Because rules are evaluated in order, to accept select hosts or ports inside a protected range you need to place the accept before the reject statement.
- Reject a single system:
- Reject port 80 on that system, but allow other ports to be scanned:
- Reject ports 400 to 600 on that host:
- Reject a range of hosts:
- Reject port 443 on those hosts:
- Reject ports 3000 to 5000 on those hosts:
- Reject every host in the 192.168.1.0/24 range, except for 192.168.1.45:
The nessusd.rules file is an essential tool to help shape your active Vulnerability Assessment protocols, and it can also be used when Nessus is paired with Tenable’s SecurityCenter product, providing a local safeguard against scanning fragile devices with a scan that is not specifically tailored to those devices. (That is to say, you should be scanning and patching or hardening everything on your network, but some devices need TLC to identify issues or are production systems and don’t fit in with your daily Vulnerability Scanning regimen.)
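To make the first-match behaviour described above concrete, here is an added example (not code from this post and not Tenable’s implementation) that parses a nessusd.rules-style file and decides whether a given host and port would be scanned. The grammar is an assumption modelled on the post’s description: one rule per line, # starts a comment, accept or reject followed by an IP or CIDR range with an optional :port or :low-high port range, and the first matching rule wins. The sample rules and addresses are constructed for the demo and mirror the seven scenarios listed above.

```python
"""Evaluate a nessusd.rules-style file against candidate (host, port) targets.

Added example, not the blog's or Tenable's code. The grammar below is an
assumption based on the post's description of the file:
  accept|reject <ip or cidr>[:port | :low-high]
'#' begins a comment, and the first rule that matches a host/port decides,
so an 'accept' must come before the 'reject' it carves an exception from.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    action: str                      # "accept" or "reject"
    network: Network                 # single host (/32) or CIDR range
    ports: Optional[Tuple[int, int]] # inclusive (low, high); None means all ports


def parse_rules(text: str) -> List[Rule]:
    """Parse rules text into an ordered list; raises ValueError on malformed lines."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("accept", "reject"):
            raise ValueError(f"line {lineno}: expected 'accept|reject <ip>[:port]', got {raw!r}")
        action, target = parts
        addr, _, portspec = target.partition(":")
        network = ipaddress.ip_network(addr, strict=False)  # "10.0.0.20" becomes 10.0.0.20/32
        ports = None
        if portspec:
            low, _, high = portspec.partition("-")
            ports = (int(low), int(high or low))
            if not 0 <= ports[0] <= ports[1] <= 65535:
                raise ValueError(f"line {lineno}: bad port range {portspec!r}")
        rules.append(Rule(action, network, ports))
    return rules


def decide(rules: List[Rule], host: str, port: int, default: str = "accept") -> str:
    """Return the action of the first rule matching host and port, else the default."""
    ip = ipaddress.ip_address(host)
    for rule in rules:
        if ip not in rule.network:
            continue
        if rule.ports is not None and not rule.ports[0] <= port <= rule.ports[1]:
            continue
        return rule.action
    return default


# Constructed sample rules mirroring the scenarios in the post.
SAMPLE_RULES = """
reject 10.0.0.20               # fragile host: never scan it
reject 10.0.0.21:80            # same idea, but only port 80 is off limits
reject 10.0.0.22:400-600       # skip a port range on one host
reject 10.0.1.0/24             # skip a whole range of hosts
reject 10.0.2.0/24:443         # skip port 443 on a range
reject 10.0.3.0/24:3000-5000   # skip a port range on a range
accept 192.168.1.45            # exception: must precede the range reject below
reject 192.168.1.0/24          # everything else in the subnet is protected
"""


def demo() -> dict:
    """Decisions for a handful of constructed targets, keyed by 'host:port'."""
    rules = parse_rules(SAMPLE_RULES)
    targets = [("10.0.0.20", 22), ("10.0.0.21", 80), ("10.0.0.21", 443),
               ("10.0.0.22", 500), ("10.0.0.22", 601), ("10.0.2.7", 443),
               ("10.0.3.9", 4000), ("192.168.1.45", 22), ("192.168.1.46", 22),
               ("172.16.0.1", 22)]
    return {f"{h}:{p}": decide(rules, h, p) for h, p in targets}


if __name__ == "__main__":
    for target, action in demo().items():
        print(f"{target:20s} {action}")
```

The ordering point is easy to verify with the same code: swap the last two sample rules so the /24 reject comes first, and 192.168.1.45 is rejected because the reject matches before the accept is ever consulted.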
This week we were tasked with reviewing and classifying a small library of material and asked to build a picture along a few axes. (Dystopia vs. Utopia, Web Native vs. Web Immigrant, and determinism and free will were primary focuses.) We were shown several videos with various points of view, and assigned several readings.
I have a hard time believing that any technology fits along the Dystopia or Utopia scale. Granted, we have seen implementations that are less than optimal, and that have been exploited to the point of making them useless.
If we look at SCADA, a control system standard for industrial equipment, it was implemented when networks tended toward the LAN and were not globally connected. The technology was based around implementation and troubleshooting without many layers of security (in most cases, no security at all beyond limiting physical access to the network). It has been implemented in utilities, HVAC systems, and other industrial environments where a central control needs to manage a process over a large area. In this it is successful; however, it fails to protect these processes from malefactors intent on disrupting them. These networks relied on security conceits that pretty much would have failed against any slightly inclined attacker in the modern global network environment. In this case, new technology (WAN/global networking) overtook the protections built into an old technology. In this sense we may be able to say that technology expresses a Darwinian attitude of natural selection.
In another example, hospitals use a variety of portable technologies to provide maximum portability for doctors who must be able to cover their patients from admission/ER to discharge. This is fantastic: it means that doctors can see more patients and have a higher likelihood of having the correct patient (with more ways to verify who they are seeing), but data in motion can be intercepted, misrouted or otherwise delivered to a person who is not supposed to gain access to that data. We get the advanced technology but some advanced uncertainty.
In my final example, I hold in my hand a modern smartphone. I have applications that allow me to navigate, to see if my friends are in the area, and to see what is around. I can network with people with the same interests, locate new resources and explore new places and experiences. The trade-off is that anyone with access to those data sets knows where I am, whether I am home, and who I am with. In some cases this can be a boon to society, and in others it can be turned to a more detrimental effect. I think it is interesting to think about how various points in history would have been altered with the amount of granularity we have on a person’s movements and behaviors. I am fairly certain the wrong people would have had too much access then, as I am fairly certain the wrong people have too much access now.
I was reading Bruce Schneier’s blog yesterday and the concept he came up with spoke well to me. His words were, “The Internet is what we make it, and is constantly being recreated by organizations, companies, and countries with specific interests and agendas. Either we fight for a seat at the table, or the future of the Internet becomes something that is done to us.”
I honestly think technology is what we get it to do for us, lest we get it done to us. We have a say in how technology is used, and it is not always by the manufacturer’s recommendations. If I want to take my digital camera and convert it to catch infrared, I should be able to learn to do so. If I paid for my phone and want to turn it into a terminal for my home theatre system, by all rights I should do just that. We are not limited by others’ constraints on our ingenuity, and we will always find a novel way to use a technology that hadn’t been envisioned.
I built a little video demo for Nessus 5’s HTML5 interface with a Unix Compliance scan. The new interface kicks the compliance check results to a dedicated tab for easy analysis without having to resort to filters. Technically, this should eliminate the need to turn off plugins for compliance scans unless you are going for a faster scan time. (If you have a large network, you should probably be using Tenable’s SecurityCenter product and provisioning Nessus scanners on every subnet for best performance.)
In the last 8 (holy crap) years, I have been part of a few LARP communities and have begun to try to live by a few rules, which I think it is time to share, and maybe some can comment on and improve.
Rule: It’s yours until you share it.
LARP is about collaboration. When you have an idea and share it, you have invited change or interpretation of your idea. Be sure that you effectively communicate your basic idea, but be prepared to accept that others may have input that will refine or improve it. Once you let it loose, it stops being yours and becomes ‘ours’ which can lead to great things.
Corollary: Be ready to change up and roll with it.
LARP is about building a consensual story. Runtime events may change the flow of the story or someone may be more clever than you anticipated. This is an opportunity to draw them in and build something larger than your original plan. It may draw in more people than you expected and change further, but it is entertaining a wider audience and that is a hallmark of success.
Corollary: It isn’t your ball anymore.
You have a choice when something changes. You can roll with it or you can leave. The drawback to leaving is that you shared your idea, and it has become property of the group. As an adult, you should be able to let go and let others continue playing with the idea. You agreed to collaboration when you shared the idea, and you do not get to pick and choose who plays and who doesn’t when it doesn’t match your expectations. Put on your big LARPer pants and let play continue.
Rule: Be Nice.
As a LARPer, whether you are playing, writing, adjudicating or even just doing logistics, you are working with people. People can be hard to take for some of us, but not being nice just makes it harder. No one gets paid a salary for most LARPs; people are in the hobby for the love of entertaining their friends and fellows.
Corollary: If you cannot be nice, be prepared for consequences.
There comes a time when something is unresolvable between people. It happens. Sometimes it is about food, or a small detail; other times it is about the direction of the story. You have a choice at that point: Be Nice or Not Be Nice. If you have reached the conclusion that it is time to be not nice, and rather than discuss it rationally you decide to be abusive or try to cause turmoil over your displeasure, be prepared to be asked to leave. This means no backboard whisper campaigns, above-board mutiny, or abusive behavior. Your momma was right: if you don’t have anything nice to say, you probably shouldn’t say it. However, if you do shoot your mouth, keyboard or random communication device off, you should accept what happens next. If you have a repeated pattern of this, it will eventually catch up with you and people will stop associating with you. You don’t get to make excuses. “I was off my meds” or “I was having a bad day” only gets so much play. More than once or twice means you should evaluate your behavior and probably make some changes.
Rule: Beware Geek Social Fallacies
There has been a lot said about the list at http://www.plausiblydeniable.com/opinion/gsf.html and I think this is a valid list. You don’t get to be a jerk because of any personal choice you made. No one has to accept it, nor do we have to accept any of the things on that list. If your friend is a jerk, we will think poorly of them and later of you if you continue to slam them down our throats when they continue to be a jerk. Even incorporated LARPs can refuse service to disruptive individuals, and while they may not have a war chest to go to court over it, their right should be respected and members of that community should feel empowered to let someone know that certain behaviors are not tolerated.
Corollary: It takes time to figure out a social circle.
Just because someone is a jerk the first time you meet them doesn’t mean they mean it. They may be trying to sort out how things work and the customs of your community.
Corollary: If you don’t fit, move on.
There are a ton of groups out there. If you are consistently unhappy or feel like you don’t fit (or just plain don’t fit), don’t expect the group to change for you. Find one that will accept you and is more as you expect. It is part of being an adult.
This site is now using Google two-factor authentication!
Since my dad passed away last year, I have been grappling with the (probably) usual thoughts of missing him and wanting something to hold on to. Yes, I have memories, a handful of mementos, and photos. (And a cat, who is full of personality and pretty much my Ideal Cat.) When he moved into the senior community in Muskegon, he and his brother sold the cabin, which is where I grew up and where he lived on and off for as long as I knew him (and longer). If there were ever golden memories of any place, that is the place. Despite the near poverty of our lives there and the less than state-of-the-art facilities (no running water and an outhouse), I would regard my childhood happiest when I was there. I had been toying with the idea of finding the new owner and feeling out a price which would make it mine. This hasn’t been done for a few reasons. 1) The house has been sitting and was already broken into once between the time he left and the time he died, meaning it would have to be watched constantly, which I cannot do from the center of the Governmental Universe. 2) I have 50K of failed student loans to contend with. 3) I would also need to build a modern home near the road to manage living there even if I could work from home (which my company is less than inclined to allow to happen, despite having a liberal attitude toward some positions working remotely when I started. If he were still alive, it might be a possibility to move back and take care of him, but that ship has sailed.)
Also playing into that is the damage from the 1996 derecho that took out the large maple that anchored the front yard, forming a partition between the “sandbox” and firepit and the driveway. Dad did what he could with the place, but it was never the same cool oasis that it had been before then. He rebuilt the house from the disrepair and vandalism that had been done to it in the early 90s, again changing the character of the house, which stayed roughly the same, but not quite. Gone was the barnwood interior and rough-cut pine, replaced by decent but not the same paneling. The river had eaten more of the large trees along the bank, and the lot between the cabin and the neighboring lot was deforested by beavers, making it less private.
While I think I could eventually acquire the property, I think it would be far more effective to look more in the West Virginia/Northern PA/Southwest Virginia areas for something that invokes the same feeling of calm and quiet and something dad would really dig. Prices may be higher, but it would make for a convenient weekend hideyhole as needed. I wouldn’t have to contend with the poverty of the area and the lack of work if something happens to the company I work for here (which I love, and I hope nothing does occur to make things go south). So the looking begins anew.
I swear there’s something about a short deadline that energizes work. I am dealing with a very short deadline at work, working on Project B (which won’t actually see light here, but will be able to be experienced at Xanodria’s Medieval Fantasy LARP in October) as well as offshoot Project B1, which is going down at the Labor Day Xanodria event.
I have been smoking a lot of shisha lately, and while I will admit some of it is selfish enjoyment, much of it is testing products for that Labor Day LARP. I don’t serve crap to people I like. Even the bad-for-you stuff has to be worthwhile. I may post a review of the various flavors and brands in the near future. Needless to say, while Starbuzz is still the gold standard for easy-smoking shisha, Al Fakher made a really strong showing. Fantasia sucks beyond belief.
Kelly Sue tells a touching tale of the past, brings it to the present and asks us to help in the future:
Basically, in a nutshell, she is going to write a comic book for this little girl to draw, and has invited us to draw along. I think it would be spiffy keen to all play along at home and create digital versions that Kelly Sue could forward to Winter. (And we could trade among ourselves!) Anyone in?
The official Tumblog is at http://winterstales.tumblr.com/ and you can play via Twitter (or on Tumblr only, but I suspect Twitter is going to be more responsive).
If everyone were a little more like Ms. DeConnick, the world would be a much grander place.
Thank you Kelly Sue!
With the disturbing hack of a blogger via Apple and Amazon’s shoddy practices, the internet has been confirmed as useless for security-minded individuals. This incident is really nothing new, but a further confirmation of what most folks in the network security industry have known for a while. With companies such as Yahoo! failing to even attempt to provide account security, and the general lack of good two-factor authentication on financial websites (to say nothing of nearly every blog service and webmail provider), the internet has become even more of a risk for private individuals who want to use it as an information, entertainment, and communications platform. Nearly every site requires creating an account with a username, email address and password. (Even this one, sadly.) What are those sites doing to protect that information? Hashing and salting passwords only goes so far until either the hash is broken (if not using salting) or the salt is discovered and the hashes again are broken. Changing passwords is only so effective, as I have literally dozens of passwords and sites to remember that I use on a regular basis, not to mention those one-off sites that lurk in the grey shadows of my internet history. I don’t want to tie everything to a single point, but increasingly I have been using Google and Facebook to do just that, since I can two-factor those services. Even that is not foolproof, and it is just a matter of time before they are circumvented. Even RSA keys have been proven to be breakable, as many of us recall.
I have been rapidly coming to the conclusion that there needs to be a more secure method of authentication to websites and an accreditation standard similar to the PCI standard (or more strict) for sites that accept any user information. Perhaps a multi-tier guideline that grades on a scale of how many best practices are fulfilled? This would go a long way toward forcing some compliance and keeping providers from becoming complacent. What is it ultimately? I have no idea.
Perhaps an independent two-factor platform that puts the control in the user’s hands? A three-factor platform incorporating a random number, a password and a certificate that is on a USB-type key? A USB key that generates one-use passwords and has a certificate or hardware authentication built in? In any case, there needs to be a heck of a step forward in the very near future, since we cannot go on with the current state of security on the Internet.