The Trust-Reward Game
By Daniel Miessler on April 17th, 2008: Tagged as Philosophy

I enjoy doing a little trick whenever I can with strangers. Whenever the opportunity arises, I like to ask complete strangers to put their faith in me when there is something at risk for them.
Example. The last time I got a haircut I realized at the end that I had no cash, and the place didn’t take cards. I was able to convince the lady in a couple of seconds, while she was cutting someone else’s hair, that I’d be right back. From the time I told her I didn’t have any money to the time I convinced her I’d be right back was roughly 2 seconds. She was very uncomfortable as I quickly left.
I loved it. It was a perfect set up. The game is to get people to feel as if their trust in humanity just caused them harm, and then turn around and come through for them.
The look on her face when I returned, and on the faces of the other people in the shop, was very pleasing to me. It was obvious that they were stressing and probably discussing the fact that I was never coming back. And when they saw me return roughly 10 minutes later their smiles said something very clearly:
Wow, it is still o.k. to trust people…
Try it. It feels good to raise others’ faith in humanity.
What I Want to See in iPhone 2.0
By Daniel Miessler on April 16th, 2008: Tagged as Apple | iPhone
I am still very happy with my first generation iPhone, but I can’t wait to upgrade. Here’s a short list of things I hope it has, sorted by “mandatory” and “would be nice”. These are in addition to the things we already know are in the 2.0 software release.
Mandatory
- Video Recording
- True GPS (to supplement the GeoLocation)
- Battery Life (At least as good as the current generation)
- Better Camera (4MP minimum, 6MP would be excellent)
- iChat
- MMS
- Copy and Paste
- 16GB-32GB of Storage
Would Be Nice
- Flash
- File System Access / Browser
- A QWERTY shortcut option on the Contacts menu (autocomplete)
- Video Chat (rumored; would be nice)
- Voice Recording
- Text to Speech / Speech to Text
- TV Show Purchases / Rentals through iTunes
- Bluetooth Sync
- Wireless Calendar Sync with Google Calendar
- Bluetooth Keyboard Functionality
- 64GB of Storage
What are the features you want to see?
Verisign PIP OpenID Delegation Code
By Daniel Miessler on April 14th, 2008: Tagged as Information Security | OpenID
So I just started using the PIP service from Verisign to handle my OpenID. It’s a pretty solid OpenID implementation from what I’ve seen and has the added bonus of supporting two-factor authentication via the token seen above.
But I was having a problem with delegation, which is where you can enter your own URL for your identifier (think username) when signing in to an OpenID-enabled site.
I was told to use this:
<link rel="openid.server" href="https://pip.verisignlabs.com/server/" />
<link rel="openid.delegate" href="http://username.pip.verisignlabs.com/" />
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadis" />
<meta http-equiv="X-YADIS-Location" content="http://pip.verisignlabs.com/user/username/yadis" />
…but that doesn’t work when signing into certain sites, such as the Identity Gang Wiki. You can sign into it using your full PIP URL, but not using delegation with the code seen above.
So I talked to the nice folks at Verisign and was put in touch with Gary Krall. He was most helpful. We determined that my delegation code wasn’t quite what it needed to be.
He suggested the following, which worked great:
<link rel="openid.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://username.pip.verisignlabs.com" />
<link rel="openid2.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid2.local_id" href="http://username.pip.verisignlabs.com" />
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadisxrds" />
That worked for me and should for you as well, but I got curious and decided to see if I could optimize that at all. As it turns out, the OpenID 2.0 Spec located here allowed me to trim down the required code significantly:
<link rel="openid2.provider openid.server" href="http://pip.verisignlabs.com/server"/>
<link rel="openid2.local_id openid.delegate" href="http://username.pip.verisignlabs.com"/>
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadisxrds" />
This also works and has the added benefit of the first two lines coming from the official spec. Plus, it’s only three lines total. The third line might still be a bit of an imperfect hack, but I couldn’t get it to work using the official recommendation.
Anyway, that last snippet should get you working with delegation and Verisign PIP with the least amount of the most compliant code possible. That is, at least until I figure out how to do the XRDS bit properly according to the 2.0 spec.
[ Edit: Please note that some sites like LiveJournal still use the 1.0 specification and will fail with the trimmed down version. I re-added the 1.0 bits and the code below is the final version I have running. ]
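To make the delegation mechanics concrete, here is a small HTML-based OpenID discovery routine of the kind a Relying Party runs against a delegation page like the ones above. It is an added example and not code from the post, from Verisign PIP, or from any RP mentioned here. It looks for the OpenID 1.x link types (openid.server, openid.delegate), the OpenID 2.0 link types (openid2.provider, openid2.local_id) and the X-XRDS-Location Yadis pointer. The tokenize_rel switch is the interesting part: HTML defines rel as a whitespace-separated list of link types, so a spec-following RP tokenizes it and accepts the combined rel="openid2.provider openid.server" form, while an RP that compares the whole rel string finds nothing on that page. Whether that is why a particular site rejected the trimmed version is not stated in the post and is only an assumption here. The render_delegation_links helper (my own, not the author's final code) emits one link per rel value so that both parser styles find everything; the sample pages are the two snippets quoted above with the placeholder username left as-is. One caveat a practitioner should keep in mind: the delegation page is what binds your identifier URL to a provider, so an RP has to re-run this discovery on the claimed identifier after the assertion comes back and confirm the asserted endpoint and local identifier match what was discovered (OpenID 2.0 section 11.2); an RP that skips that step lets anyone with an account at the provider assert your URL.

```python
"""HTML-based OpenID discovery as performed by a Relying Party on a delegation page.

Added example; not code from the post, Verisign PIP or any real RP.
"""
from dataclasses import dataclass
from html import escape
from html.parser import HTMLParser
from typing import Optional, Set


@dataclass
class Discovery:
    # OpenID 1.x: <link rel="openid.server"> and <link rel="openid.delegate">
    v1_server: Optional[str] = None
    v1_delegate: Optional[str] = None
    # OpenID 2.0: <link rel="openid2.provider"> and <link rel="openid2.local_id">
    v2_provider: Optional[str] = None
    v2_local_id: Optional[str] = None
    # Yadis: <meta http-equiv="X-XRDS-Location" content="...">
    xrds_location: Optional[str] = None

    def supports_v1(self) -> bool:
        return self.v1_server is not None

    def supports_v2(self) -> bool:
        return self.v2_provider is not None


class _LinkParser(HTMLParser):
    def __init__(self, tokenize_rel: bool) -> None:
        super().__init__()
        self.tokenize_rel = tokenize_rel
        self.found = Discovery()

    def _rels(self, value: str) -> Set[str]:
        # HTML defines rel as a whitespace-separated set of link types, so a
        # spec-following RP tokenizes it. A legacy RP that compares the whole
        # attribute string only matches single-valued rel attributes.
        if self.tokenize_rel:
            return set(value.lower().split())
        return {value.lower().strip()}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "link" and a.get("rel") and a.get("href"):
            rels, href = self._rels(a["rel"]), a["href"]
            if "openid.server" in rels:
                self.found.v1_server = href
            if "openid.delegate" in rels:
                self.found.v1_delegate = href
            if "openid2.provider" in rels:
                self.found.v2_provider = href
            if "openid2.local_id" in rels:
                self.found.v2_local_id = href
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-xrds-location":
            self.found.xrds_location = a.get("content")


def discover(page: str, tokenize_rel: bool = True) -> Discovery:
    """Run HTML-based discovery over the markup of a claimed identifier page."""
    parser = _LinkParser(tokenize_rel)
    parser.feed(page)
    parser.close()
    return parser.found


def render_delegation_links(provider: str, local_id: str, xrds: str) -> str:
    """Emit one <link> per rel value so both tokenizing and whole-string RPs match.

    Spec rel names only (openid2.provider, not openid2.server). My composition.
    """
    p, l, x = (escape(v, quote=True) for v in (provider, local_id, xrds))
    return "\n".join([
        f'<link rel="openid.server" href="{p}" />',
        f'<link rel="openid.delegate" href="{l}" />',
        f'<link rel="openid2.provider" href="{p}" />',
        f'<link rel="openid2.local_id" href="{l}" />',
        f'<meta http-equiv="X-XRDS-Location" content="{x}" />',
    ])


# Sample pages: the two snippets quoted in the post, "username" left as a placeholder.
VERBOSE = """
<link rel="openid.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://username.pip.verisignlabs.com" />
<link rel="openid2.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid2.local_id" href="http://username.pip.verisignlabs.com" />
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadisxrds" />
"""
TRIMMED = """
<link rel="openid2.provider openid.server" href="http://pip.verisignlabs.com/server"/>
<link rel="openid2.local_id openid.delegate" href="http://username.pip.verisignlabs.com"/>
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadisxrds" />
"""

if __name__ == "__main__":
    for name, page in (("verbose", VERBOSE), ("trimmed", TRIMMED)):
        for mode in (True, False):
            d = discover(page, tokenize_rel=mode)
            print(f"{name:8s} tokenize_rel={mode!s:5s} v1={d.supports_v1()} v2={d.supports_v2()}")
```

Running the block prints which combinations of page and RP parsing style yield a usable 1.x and 2.0 endpoint. The trimmed page is fully discoverable by a tokenizing parser and invisible to a whole-string parser; the verbose page is discoverable by both for 1.x, but its openid2.server link is not a spec rel name and so never yields a 2.0 provider.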
A humorous look at the type of drugs being pumped out to U.S. consumers.
[ Panexa ]
[ Related Posts: The Pharmaceutical Industry is Criminal ]
RSA Through Day 4
By Daniel Miessler on April 11th, 2008: Tagged as Blogging | Information Security
What a week. This is the view from my chair in the lobby at the hotel Kabuki where I’m staying this week. A very nice place, by the way. I recommend it to anyone coming to San Francisco.

Blogger’s Meeting
So anyway, the 2008 RSA Blogger’s Meet-up was excellent. It was very cool to finally meet all these people that I’ve been interacting with for so long. Got to shake hands and briefly mention an idea to Bruce Schneier, which was cool from a groupie/fan perspective. The idea I asked him about will be the subject of a future post.
Jeremiah Grossman
I saw Jeremiah (webappsec guru and founder of WhiteHat Security) give his CSRF talk yesterday. Highly excellent. I knew most of the stuff already but he showed some interesting examples. The best part of it was just seeing him give the talk and interact with the crowd. I got to see people go from, “what the hell is this guy talking about” all the way to, “holy crap!”. The sad part is that most people in the crowd probably thought Jeremiah just came up with this. They seemed to mostly be out of the loop.
I later saw Jeremiah roaming the expo floor and I went up and introduced myself and had a short chat about Jujutsu and a potential business opportunity. Very cool dude. Web App Security expert and he’s almost a purple belt in Jujutsu — nice combo. :) Precisely where I’m heading myself, although the webappsec stuff will come first for me by far. Anyway, the whole thing was quite cool.
Gladwell Keynote
Today I was able to see Malcolm Gladwell speak. It was quite good — even better than I expected. He spoke about concepts from his book Blink, but I wasn’t disappointed even though I’d already read that book. In fact, he talked about a concept related to Blink that I either missed when I read it or that he didn’t include in the book.
The idea is that experts’ judgement is highly fragile, and that overwhelming expertise with too much information can severely damage it — even to the point of making it non-expert, or even worse. In other words, in order to get the most benefit from an expert, one often has to remove information from their view. Too much or the wrong types of input can turn an expert into a mouthbreather.
As one would expect, I was mapping the model to my discipline of information security. What came to mind instantly was Richard Bejtlich’s NSM tenet of getting fewer information sources. The “quality” issue is a bit nebulous given the fact that certain kinds of info can cloud our ability to apply expertise, but it’s clear that we can easily approach a point of information overload. Linking this concept to the SEM space is pretty easy to do, and it’s helping me to re-think some of my ideals of a perfect SEM deployment.
And it raises questions. Should we capture everything at some point, and then only do analysis on certain kinds of events? Like only sending certain types of events to ArcSight? Only showing analysts certain kinds of events because too much information will kill their ability to provide a human benefit? And if so, what are those best types of information? Malcolm mentioned a study of the best types of information to give an ER doctor for determining whether pain was heart attack or heartburn. Surely there are similar “golden” information types for doing Security Monitoring as well.
The Knife
Finally, I bought my knife tonight. It’s a piece I’ve wanted since I learned about it and it’s a significant upgrade from my current piece. It’s a William Henry Gentac piece, with a damascus blade. Insanely beautiful. I’m selling my old one on eBay this coming week and should get a good portion of what I paid for this one back. William Henry does very well on eBay, and the fact that I didn’t pay full price for the Gentac helps a lot.
The biggest impetus for this was the fact that my current knife doesn’t have a clip on it, but rather a sheath. It’s kind of cool in a way, but it got old pretty quickly. The extra sheath piece and the lanyard are just unnecessary and kind of annoying most times — especially in dress slacks. I’ve known since I got my current one that my next knife would have the clip. I’m just glad William Henry listened and went with the clip on certain pieces. Here’s what the new one looks like:
- Blade length: 3.17″
- Overall length: 6.81″
- Frame/Bolster: Aerospace grade titanium
- Scale/inlay: Carbon fiber
- Blade: Stainless ‘Dot Matrix’ damascus - Devin Thomas
- Gemstone: Sapphire
- Carry system: Reversible titanium pocket clip - blue
This knife doesn’t upgrade. The next time I get a knife I’ll be adding to this one, not replacing it like I am now. This thing is unspeakably awesome.
Blogging
I’ve had a ton of ideas while out here at RSA. Tons of ideas for things to do on the site, and many ideas about things to write about. Just a couple examples on the former, I’m looking at redoing my CSS soon and going to a white background. I’m also looking at redesigning my logo and adding print and mobile stylesheets. I’m also going to be working with my bandwidth consumption. My site loads too slowly just because I’m not doing things very efficiently.
Anyway, lots to do and lots to think about. And once I make all my changes myself I’m going to outsource (hat tip to Tim Ferriss) the work of getting my whole site up to the new standard. Clean-up, adding the new stylesheets, etc.
Anyway, lots to do and I’m excited about it.
Splunk
By Daniel Miessler on April 10th, 2008: Tagged as Information Security

A few things are interesting to me here at RSA 2008. Most of them I’ve known about for a long time, but it’s great to be able to see them up close and talk to SEs for as long as you want. Here’s the short, highly raw list of the stuff I’m getting excited by:
- Google Message Security (Formerly Postini)
- ArcSight
- WebSense
- WhiteHat Security
And there are many more I’m missing. I’ll mention them later.
But the thing I’m most enthused about right now is Splunk — a system for searching through logs.
Not very sexy, right? Lots of tools search through logs. ArcSight, LogLogic, any SEM really. True, but Splunk makes it sexy, and sexy in a useful way. It’s an Ajax interface instead of legacy HTML or Java, and powered by Flash-enabled graphing it has a really pleasing presentation.
But the most important thing is the searching. First, it’s fast. And with the Ajax stuff and the way it indexes it feels even faster. It auto-completes as you type in search queries, based on what it has in the index.
Then there’s the fact that you construct and modify just by clicking on things in the results. So you see a thing that says “apache” in some log. Well, you can click on that word “apache” and choose to add it to the query explicitly, or even to show you everything WITHOUT “apache” in it.
And so it goes…you just keep adding things to the query as desired, and results come back quickly — as I mentioned. Then you can do cool stuff like send these queries to different types of dashboards, and you can even create an RSS feed from the query output.
Ok, now the wicked part. It’s a free download and free to use, in your enterprise, for up to 500 megabytes of data per day. That’s confidence, and I can’t wait to play with it.
[ Splunk ]
Make a Random Person Famous
By Daniel Miessler on April 10th, 2008: Tagged as Humor
Some people just get lucky and become famous. For this guy it was inevitable.
Behold.
--