The Security Skeptic

PFC and Army Medic Matt Spaulding of Bluffton, SC was awarded a Bronze Star with Valor for his bravery in combat in Afghanistan on June 9^th 2007. Wounded himself when his unit's patrol vehicle was struck by an improvised explosive device, Matt aided a severely injured comrade, reviving him using CPR and stabilizing serious leg wounds until help arrived. A recent article in the Island Packet provide a detailed account.

Matt was a Bluffton wrestling teammate of my own son, Matt. They wrestled at adjacent weight classes, and I watched both boys wrestle and mature for many years at dozens of matches and tournaments in High School gymnasiums across South Carolina and Georgia. Matt Spaulding never shied away from a challenge. As quarterback of a first-year HS team, Matt took everything more experienced defenses could dole out. As a wrestler, he took his lumps as an underclassman but endured to become a state qualifier in his senior year. His actions come as no surprise to those who knew and watched him as a HS athlete. We are proud of you, Matt, grateful that you are still with us, and pray you will remain so for many years to come.

Archived at http://www.securityskeptic.com/arc20080501.htm#BlogID690 by Dave Piscitello  

Apparently, when in Ronald Reagan National Airport, the answer depends on where you buy your donut.

This morning, I queued to buy coffee from a kiosk called Primo Cappucino in anticipation of my DCA-CLT departure. The coffee was reasonably priced and turned out to be very good. The donuts however, were $4.00, which seems extraordinarily high, even for DC. I don't know if they were good because the ROI on a $4.00 donut seems small.

About one in three customers ahead of me were buying donuts. Glancing about, I noticed a Dunkin' Donuts cart not more than 25 feet from the cashier at Primo Cappucino. I'm still not interested in a donut, but I couldn't resist learning whether Dunkin' Donuts was (ahem) price competitive with Primo Cappucino. I'm imagining a sign that says, "Donuts, $4.00 each, $44.95 per dozen" and thinking of the rioting in the streets of Anytown USA if such a sign appeared anywhere but DCA.

$.78 for a donut at Dunkin' Donuts, or approximately 1/4 of the price you pay at a shop less than 10 yards away.

I walk to one of the standing tables to stir my coffee and people watch. I want to gauge the sorts of people who are buying donuts at each location. A woman in business attire approaches the table, coffee and a Dunkin' donut in hand and asks if she could share the table. I say, "Yes, but only because you were clever enough to buy a donut for $.78 instead of $4.00...".

She grins and says, "stupid is as stupid does..." and joins me in the donut watch.

We both lamented the fact that we could not stay long enough to learn whether the servers stroll over to Dunkin' Donuts when the supply runs out at Primo Cappucino...

Archived at http://www.securityskeptic.com/arc20080401.htm#BlogID683 by Dave Piscitello  

To complete the transformation of my blog personna from yodave to the Security Skeptic, I've replaced a stale photograph of Dave wearing a tie with a caricature by one of the fine artists at The Caricature Shop. After visiting many sites in search of quality, fair price, and unencumbered ownership of the product, I was delighted to find David Whorf and company.

A caricature is an exaggerated and often comic representation of a person, group, or event. Some friends have commented that this particular caricature depicts me as more sinister than skeptical. My wife assures me that neither the caricature nor I am the least bit sinister, and voted to keep this one. As is frequently the case in matters involving art and design, my wife casts the deciding vote.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID605 by Dave Piscitello  

Remodeling is a journey not a destination. Our master bath has "evolved" from repairing the water damage to a 70s style popcorn ceiling to removing the textured ceiling, replacing the light fixtures and wall-width ceilings, replacing the plumbing fixtures, and finishing with new paint and wall paper.

Removing a popcorn ceiling is a simple but nasty business. Some of the sprays used contained asbestos and often a prior owner has painted the ceiling and made the texture resistant to the "wet removal" method. However, if you dodge the asbestos containment bullet and take your time, you can strip a ceiling quickly and you shouldn't have to spend a great deal of time applying thin coats of plaster to get the smooth texture ceiling you want.

The more challenging task in this project was removing three mirrors spanning 12 feet of wall space above double sink vanity. All of them had deteriorated silver, not at all unexpected since we have three large skylights above the vanity! Asking friends and consulting online DIY web sites, I learned that there were three ways one removes mirrors from drywall:

• Whack away with a hammer.

• Use a heat gun to melt the bonding agent.

• Use a guitar string or fishing line to "saw" through the bonding agent.

The authors of all three methods recommend that you cover the mirrors with duct tape, wear protective eyewear, long sleeves, and gloves. I dismissed the hammer method as a last resort. Dodging and cleaning up shards of mirror seem are the kinds of tasks I instinctively avoid. I don't own a heat gun, but I do have guitars and even spare strings and this seemed like a cautious approach with a high probability of success so I wrapped the ends of the guitar string around two six-inch dowels, and began by removing the mirrored trim around the mirrors. I donned the protective gear, duct taped the mirror and went to work.

I found a gap between the leftmost and center mirror and worked from the upper left corner of the mirror down and to the right until I was able to get the string across to the upper right corner. At this point, I discovered that the guitar string was not long enough to continue the sawing motion I'd used to cut through the bonding.

I studied my progress. I decided to repeat my sawing effort, this time, first beginning at the upper right hand corner and proceeding clockwise around the mirror until I'd sawed through as much of the bonding I could reach with this method. Using multiple putty and spackling blades, I shimmed the left side of the mirror away from the dry wall. I used dowels as wedges and slowly and gently applied force to break the bond without breaking the mirror.

Using this method I was able to safely remove all three mirrors, intact. I attribute some of this success to the fact that the workman who installed the mirrors had applied the bonding agent in a series of six to eight circles of approximately 8 inches in diameter. I suspect that I would have had considerably more trouble if the agent had been applied more liberally or sloppily.

Some of the patches of bonding agent pulled away with the mirror, and left me with a fair bit of patching to do. Others had to be removed with spackling knives. I'll have to rough sand the areas where the bonding was applied and thin coat if I expect even primer to apply.

One danger of removing nearly 40 square feet of mirror is that you don't know what surprises lie beneath. The electricians who wired our home were not as professional as other subcontractors and I have several "exploratory" holes to patch. Overall, however, I'm pretty pleased to have completed this task without injury:-)

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID589 by Dave Piscitello  

Bill Hancock, a popular and talented security expert, died January 1^st, 2007. He will be sorely missed, personally and professionally. "Dr. Bill" was a brilliant, humorous, sometimes controversial, and often flamboyant character. I met Bill in the mid 1980s. Years later, he helped me launch my Internet Security Conference (TISC) by keynoting, speaking, and contributing several articles to the TISC Insight newsletter I edited for many years(1, 2, 3). CSO online published a very nice eulogy - Security Community mourns the loss of a CSO - but the community should also remember Bill for his contributions in the worlds of firewalls, forensics, and secure network and data center design. Dr. Bill coined and frequently used the Twinkie as an analog for security. In both TISC and SANS presentations during 1999, Bill explained that, "Security is like a Twinkie: it's what's inside that counts".

If you would like to donate to Hancock's family, they can do so at any Bank of America by contributing to The Landreth Hancock Fund, ACCT 5860 0235 7369. You can also mail checks to: Trustee, The Landreth Hancock Fund, 15302 Hilltop View, Cypress, TX 77429.

Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID583 by Dave Piscitello  

Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID579 by Dave Piscitello  

My family often visits our former Pennsylvania haunts during Christmas break. The trip is a formidable but doable one day, 700+ mile journey by automobile. However, our route forces us through a traffic triple whammy: Northern Virginia, Washington DC and Baltimore. The 1-, 2, and sometimes 3- hour delays we invariably encounter over this nasty 160 mile stretch are exasperating traveling North since we routinely cover the first 400 miles in just over 5 hours (God Bless NASCAR and 70 MPH speed limits). Recently, the delays are even more frustrating traveling South: by the time we begin our return leg, we've vagabonded our way through the Greater Philadelphia and New York areas visiting friends and family and are exhausted from our "vacation".

Today, we encountered abnormally bad traffic and weather, and crossed into North Carolina a good 2 hours later than expected. We stopped for fuel and decided to grab some dinner at a fast food restaurant. While I scanned the menu for something both low-carb and edible while driving (the bun-free, ground beef in a bowl is a fine example of an Atkins entre that cannot be safely consumed while driving), I discovered the following notice on the menu board:

Picture menus are available on request

This struck me as quite a curious and frankly absurd bit of signage.

Anyone who can't read certainly can't know to ask for a picture menu.

If the notice were offered in the spirit of bilingualism, anyone who can't read English can't know to ask for a picture menu.

My son observed, "We're in a fast food chain restaurant. The menu items are already depicted - and numbered!" I agreed, but thought that perhaps the picture menu offers both food and a depiction of a hand(s) with the appropriate number of fingers raised to order the item?

I asked for a picture menu. The manager looked at me and replied, "We don't have any. You speak English, why do you want one?"

I replied, "I was just curious to learn how it differed from the menu."

She paused for a moment and said, "What kind of sauce do you want with those nuggets?"

"No sauce, thanks, just extra catsup..."

Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID577 by Dave Piscitello  

On Wednesday, October 25^th 2006, Kaj Tesink of SAIC/Telcordia died following a long and hard-fought battle against pancreatic cancer.

The Internet and international communities lost a valued and energetic contributor to telecommunications and Internet standards. I lost as dear a friend as I could ever hope to have.

To the Internet community, Kaj leaves a legacy of enthusiastic and *constructive* participation. He also leaves his mark in 15 RFCs. Kaj published numerous articles in telecom and Internet journals and trade publications, and co-authored, with colleague Bob Klessig, a fine book on a pre-ATM broadband access technology, SMDS.

To his friends, Kaj leaves a wealth of happy and bittersweet memories. Kaj was more soft-spoken than outspoken, but rarely one to concede an argument without thoughtful deliberation. Kaj was as analytical a personality style as you'd ever expect to meet. He was also kind, thoughtful, and generous, never realizing he was "paying it forward". When Kaj was diagnosed with pancreatic cancer over a year ago, Friends of Kaj appeared seemingly out of nowhere to lend support, comfort and to help Kaj and his wife Elysia use the time he had to their maximum enjoyment.

Kaj loved board games, especially backgammon and cribbage; playing the latter, he was uncharacteristically competitive. Kaj would tell you he beat me in these games more often than not. I'd argue otherwise. The truth is lies in the middle. Nibbling on Dutch licorice was mandatory for these activities. Although I have not enjoyed that treat for many years, I know I will always think of my friend whenever the scent of licorice is present.

Born with Marfan's syndrome, Kaj never enjoyed the luxury of an entirely healthy life, yet he enjoyed biking, hiking, and other outdoor activities. A native of Holland, he led a lifestyle most Americans would consider traditionally European. He immersed himself in books more than television. He read newspapers, listened to BBC, and was better informed of international politics than most Americans are of their home town news.

Kaj is survived by his younger brother Winifred and his wife and soul mate, Elysia. I had the good fortune of serving as Kaj's best man when he and Elysia married. I recall I wished them a long and happy life together and ended the toast with "cient anni", a traditional Italian blessing that wishes the couple "100 years" of happiness together. I take comfort that part of my blessing came true. While their time together was too short, it was richly lived. Kaj was never happier than when he was with Elysia, and the feeling was mutual. Elysia was as resolute, resourceful, and completely committed a partner as any of us should hope to have when crisis and tragedy strike. Sadly, we live in a time when barely half of all married couples are willing to try to resolve the most trivial matters. Elysia serves as a role model of everything we promise when we say "in sickness and in health".

Elysia asked that donations be made in Kaj's name to the Nature Conservancy (the international branch). If you are so inclined, visit http://www.nature.org and make a donation in his name.

Archived at http://www.securityskeptic.com/arc20061001.htm#BlogID563 by Dave Piscitello  

My apologies for not publishing as often as I usually do. I've been recovering from traveling, traveling once again to teach Network Security, and busy on the home front.

My wife and I have been working sporadically for nearly three months on a painted kitchen floor that we hope even Debbie Travis would be proud to claim her own. We remodeled our kitchen recently, and having exceeded our original budget by a factor of three (3), we decided we could not justify a entirely new floor. The floor was wood veneer and after 15 years of wear, not suited for a refinishing other than paint.

We opted to hand sand the floor to minimize the dust. Nearly everyone thought we were crazy, but this turned out to be rather simple since nearly all the water-based polyurethane had already been stripped from the floor through wear. We had to do some patching since the cabinetry and island layouts were different in the new kitchen. We then applied two coats of latex primer and the Delft-blue base color (again two coats).

It took us nearly an entire weekend to lay out the diagonal checkerboard design. We used chalk-line and painter's tape (rolls and rolls of it). Molly mixed glaze and a darker blue for the second color and painted the 18-inch blocks. I followed her and did touch up.

This weekend, I finally completed the last coats (4) of sealing polyurethane. Paint and hardware stores carry a polyurethane applicator designed specifically for flooring, and it works extremely well. The hardest part of this process is the preparation between each coat: fine sand the finish, dry sponge the dust, and go over the entire surface when dry with a tack cloth. The last step is important and commonly not mentioned by do-it-yourselfers. The entire process, with ample time for drying, took two full days.

We began with a distressed floor and wanted a distressed look, with wood grain, separation lines, and (intentionally) uneven paint. We also wanted a tightly sealed floor that will hold up to typical kitchen and pet traffic. And we wanted to conceal the two unsightly patches. The result is exactly what we'd hoped for.

I now appreciate why painted floors can be more expensive than hardwood replacement flooring, especially if the customer and design are intolerant of the least imperfections:-)

I'll post pictures once we have the furniture in place.

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID522 by Dave Piscitello  

Stamps.com is one of several Internet postage services I have been tempted to try. When I finally did give in to temptation, I decided to hedge my investment with a 30-day trial subscription. Stamps.com's Windows application installs cleanly, works fine, and is reasonably intuitive. Stamps.com sends you a starter kit so you can print stickie-backed stamps and shipping labels. Stamps and labels come in sheets. You provide the application with a serial number imprinted on a sheet and it remembers which stamp/labels have been printed from the sheet to simplify printing. You can also print a stamp on an envelope along with return and recipient addresses. You can add your company logo as well.

I am pleased with what Stamps.com provides. I think they could provide much much more:

• Currently, there's no way to print a stamp on a pre-addressed envelope or an envelope with a transparent pane. I asked Customer Support about this and they simply echoed my complaint: "Thank you for your inquiry. Currently, there's no way to print a stamp on a pre-addressed envelopes. You must use the print stamps on pre-formatted sheets option". This is annoying for three reasons: you must purchase the sheets, you have to enter the recipient address, and you have to purchase envelopes. If Stamps.com chose to do so, they could easily modify the user interface to include a check box to "print stamp on envelope without return/recipient address". This would of course alter the company's revenue model which must be partly based on selling pre-formatted sheets of blank stamps. But riddle me this: If I have to buy sheets of blank stamps AND pay a monthly fee, why am I not simply purchasing rolls of stamps from USPS.com?

• In this age of micropayments, why can't Stamps.com offer a graduated monthly subscription service? I've always hesitated using metered postage service because I don't mail that many packages and envelopes. In fact, the $15/month subscription fee just about doubles my postage costs. This isn't all that much to pay for the convenience factor, and I may be able to justify doubling the cost of postage for convenience's sake, but so many other potential customers won't. How hard would it be for Stamps.com to offer a casual/consumer rate, small business rate, and enterprise rate? Look at my numbers. As a casual snail mail sender, I must accept a 100% markup, whereas a small business operator or frequent eBay seller is probably absorbing between 5%-20%. If Stamps.com were to create a graduated monthly fee based on the actual monthly postage fees, I imagine they'd lure enough consumers to their service to more than justify the additional accounting and invoicing complexities.

Stamps.com should take lessons from financial institutions. Banks know how to grow mass markets for new services. Offer it free at first, wait until the service is deemed essential to the majority of the market, then impose a small surcharge. Increase the surcharge over time so that it remains tolerable to the majority of customers.

Will I keep Stamps.com? I depends on whether my experiments to print stamps without purchasing pre-formatted labels are successful:-O

Archived at http://www.securityskeptic.com/arc20060301.htm#BlogID509 by Dave Piscitello  

Since the 1984 Apple commercial introducing the Macintosh, Super Bowl commercials have been a huge marketing event. This year, my vote for best commercial goes to Budweiser for the Cyldesdale American Dream. The commercial is a heartwarming depiction of a young Clydesdale who takes up the halter of the Budweiser wagon and tries to pull it himself. Two full-grown Clydesdales observe him and quietly slip behind the wagon to offer a friendly push. The colt, believing he's pulled the wagon all by himself, whinnies excitedly. If you are a romantic at heart, love horses, or have watched children (especially your own) fulfill a fantasy, you can't help but love this commercial.

Budweiser offers download-and-play versions of the commercial from its web site. Find links for QuickTime, Windows Media and Real Player formats here.. There is also a big screen, which requires that you use IE and install Maven. Checking Maven's pedigree, Maven Networks is the software company that operates the AETN digital screener system. AETN claims that "Maven is not spyware, and doesn’t track a users’ computer behavior outside of the AETN application. Usage (playback of the video, shares and interactions) within the AETN experience is monitored by A&E Networks only and is kept confidential". If you're not comfortable with this claim, then use a player you trust.

If you want to read about Apple's 1984 commercial, visit The 1984 Macintosh Ad by Sarah R. Stein. If you want to view it in its entirety, open this link with QuickTime

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID503 by Dave Piscitello  

An assistant publisher contacted me recently, asking how I keep pace with technology change; specifically, she asked:

When you want to learn a major new technical topic (new language, new operating system, new feature of a language, a new security threat, etc) where do you first go to learn (ask a colleague, do a web search, post your question to a newsgroup, go to an elearning environment you/your employer subscribes to, buy a book, .....)?

Why do you choose your first path of learning?

I've already blogged and written about how invaluable searches in general and Googling in particular serve my needs. By searching with successively fine-grained filters, I usually discover dozens of articles, reports and white papers. Gathering these in a separate folder of favorites, I next apply some speed learning techniques I acquired long ago while working at Unisys to coarsely filter the credible resources from the not-so-credible-how-could-anyone-think-to-publish-this material. I then read the articles. If they are good, I print or save a local copy, and highlight or e-comment the important facts. If they are really good, I add them to the Security Resource Library I maintain or mention them in my blog.

I also learn quite a bit by commenting and debating a subject via email with respected colleagues, either directly or by posting to private mail lists. These invariably prove to be the most informed and accurate sources. The lists are populated with technology grey beards who are familiar with a broad range of topics. Everyone is basically invited or vetted by other members. Most are industry pundits of one sort or another, an eclectic mix of engineers, scientists, tech attorneys, and independently wealthy folks who thrived beyond the dot bomb.

I lurk and post to some well-moderated mailing lists including Bug Traq, Pen-Test, and Firewall-Wizards. I also follow RSS feeds of security bloggers like myself (Adam Shostack, Bruce Schneier, Anton Chuvakin, Jiri's Notepad, Jaime Lewis, Mark O'Neill).

I'm fortunate to be on the courtesy copy lists of many publishers, and receive at least one book per week. I thumb through these and bookmark chapters I know I'll find useful later.

In parallel with my reading and bookmarking, I routinely compose outlines when I'm doing research for an article. In some cases, the outline evolves into a presentation rather than an article. If it's polished enough, I'll try to present it at a conference. Sometimes, if the interest is high, I'll accumulate enough related presentations and articles to build a day-long workshop. In the case of IP telephony (VOIP) security, a fair amount of this material found its way into the VOIP Security book I've co-authored with Alan Johnston.

I can't honestly say I chose this path for learning. It evolved over time.

Perhaps it chose me:-)

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID498 by Dave Piscitello  

Teddy Roosevelt is attributed to having said, "The best thing for the inside of a man is the outside of a horse". Having completed an exhilarating week riding a spirited gelding while on vacation at a dude ranch in Wyoming, I feel I know exactly what Teddy meant. I'm rejuvenated, refreshed, and relaxed, but mostly full of regret that my path in life keeps me from spending months rather than weeks riding in the Grand Tetons.

After four visits in five years, I find I am happier in and around the Teton and Yellowstone National Parks than anywhere I've ever been. I've also concluded that my affection for this part of Wyoming is due in no small part to riding. God intended that we see the Tetons from the back of a horse (no sacrilege intended). Why? Well, when you ride a horse, you cover as much ground as you would driving. The stop and go pace of crowded park roads assures that driving is slower going than a long, comfortable trot - and yes, I'm finally a competent enough rider that I can actually use "comfortable" as an adjective to "trot". You also see more of the park than you'll see if you walk (unless you can walk about 10 miles, a mile and a half above sea level, over the course of 2 1/2 hours, twice a day.).

We encounter wildlife in its natural habitat, closer than if we were in a vehicle. How close? Less than one hundred feet. Elk run from an SUV, but allow riders on horseback to cut through the herd. There's no engine noise and emissions to prevent us from hearing how a calf and cow communicate to locate each other. The sounds and scents from horses don't spook elk, and apparently mask the stink of the omnivores astride their backs.

We circle a herd of nearly 300 American bison, and your horse instinctively maintains a safe distance. The bulls stare you down. We're close enough to see their breath in the cool morning air, and to note that bulls have straight horns while the horns of the cows are curved. We observe how the cows circle around their young, like wagons anticipating an Indian attack.

Our wrangler leaves the trail and blazes his own, in search of a bull moose, pronghorn antelope, even a brown bear (grizzly). Wolves now populate the Tetons, and we wonder if' we''ll catch a glimpse of the pack we heard howling the night before.

We stumble upon a coyote. It bolts, and our wrangler gives chase! Cowboy fox hunt.

Our daughter keeps a checklist of the animals we've seen in the Tetons: bison, elk, mule deer, pronghorn antelope, moose, eagle, great white owl, heron, pelican (really!), coyote, badger, beaver,ground squirrel, and red tail hawk. Many of these live in habitats unreachable by foot or vehicle.

Riding at this particular dude ranch, the Triangle X, is special. If you can ride, you *will* ride, as in trot, canter, and gallop. You'll climb foothills and cross ridges on trails narrower than anything most folks would dare cover on foot. Take a full-day ride, and you'll climb to Ram's Horn, about 10,500 feet. The trails here are narrow, rocky, *and* steep, but the view is incomparable. Imagine yourself at the top of the Sear's Tower, but from the tower you can see the Bridger Mountains in Montana, the Tetons and Yellowstone Mountains in the south, and in the distant south, the Jackson Hole and Gros Ventre Slide.

You'll gallop through the shallows along the Snake River to cool off, and your horse will prove beyond doubt that his breed is playful, intelligent and *competitive*. You'll jump gullies. You'll learn that there's no shame in grabbing hold of a fistful of mane when your horse shies from a shadow, or stump, or scary rock.

Our son Matt had the unique experience of swimming across the Snake River on horseback. You have to see the current of the Snake firsthand to appreciate how daunting an effort this might be if you swam alone.

The poorly kept secret is out: Dave loves horses.

BTW, Teddy was only partly right about horses. If you treat them well and earn their trust, horses are wonderful, reliable, and playful companions. The best thing for the inside of a man may just be the inside of a horse...

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID437 by Dave Piscitello  

A colleague forwarded me a link to a GNSO mail list thread with the Subject line of "Dave Piscitello". After reading the message, I feel obliged to set the record straight. The message body reads:

So this guy seems really apolitical. Certainly competent and well spoken.

My questions are; Now that he has a staff position how can he possibly avoid a conflict of interest when working for contractors with ICANN and working for ICANN? It almost seems incestual? Are Dave Piscitello and Crocker going to get along?

http://www.securityskeptic.com/weblogindex.htm

http://www.icann.org/

ICANN Announces New Staff Appointment 2 June 2005

First, I'll thank the author for the compliments. I appreciate being perceived as competent and well spoken.

Now, let me speak to the comment that I "seem really apolitical". I hope this was intended as a compliment: Isn't being politically neutral a requirement for my ICANN SSAC position?

On to the most serious concern: conflict of interest. For the record, my arrangement with ICANN is that I will discuss with general counsel before accepting any consulting work, to assure that no conflicts of interest exist. Before I joined ICANN, I disclosed my ongoing business relationships with Watchguard, Aventail, TRA, CMP, BCR, et. al. Everyone was satisfied that no COI existed prior to my hire, and we will all work to see that none arise while I'm employed by ICANN.

The final question, "Are Dave Piscitello and Crocker going to get along?" is actually quite amusing, so much so that I forwarded it to colleagues Marcus Ranum and Fred Avolio, who have worked with Steve at Trusted Information Systems and would appreciate the irony. I've known Steve Crocker for more than fifteen years, and had the good fortune to work with him while TIS was contracted by Bellcore for a secure SNMP project in the early 1990s: since I was the Bellcore project leader, I suppose he worked for *me*:-) I consider Steve a colleague, mentor, and friend.

I am confident that Dave Piscitello and Steve Crocker will continue to get along smashingly well.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID433 by Dave Piscitello  

Recipients of my monthly digest have complained that the digests don't provide a direct link to the blog entry. I have corrected this and in future digests, you'll see something like this:

Digest of Dave Piscitello's WebLog (http://www.securityskeptic.com/weblogindex.htm)

Mon, 23 May 2005 00:00:00 00, http://www.securityskeptic.com/arc20050601.htm#blogID410

Subject:Security's 4-legged Stool needs reinforcement

During a recent thread on the Firewall Wizards email list, one participant called...

I have overlooked this too long. Sorry for the inconvenience. I now understand why the page search is so frequently used!

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID413 by Dave Piscitello  

I have accepted a fellow position at ICANN, the Internet Corporation for Assigned Names and Numbers, on the Security and Stability Advisory Committee, (SSAC). The official staff appointment is here.

SSAC charter is quite expansive, and includes such activities as "developing a security framework for internet naming and address allocation services" and "engaging in ongoing threat assessment and risk analysis of the internet naming and address allocation services to assess where the principal threats to stability and security lie, and to advise the ICANN community accordingly".

I have the privilege of reporting directly to Dr. Stephen Crocker, whom I greatly respect (Steve, along with Vint Cerf and Jon Postel, were part of the original IMP deployment team at UCLA). I am also excited by the prospect of working with an impressive group of experts from the domain name and internet address allocation services community.

I will still be active in Internet Security, and will still post here. As opportunities appear, I hope to write more about DNS and Internet naming security, along with the customary fodder you've encountered when you visit.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID411 by Dave Piscitello  

I routinely receive review copies of security books from several publishers. Today, I received a copy of "The Unofficial Guide to Getting a Divorce, 2^nd Edition". Aside from the possible ambiguity of one of the chapter titles - MAKING THE MOST OF IT - I don't see any reason why I might be sought out to review this work.

My immediate worry was that my wife might become upset, imagining that I had plans to bail just shy of our 20^th anniversary. Fortunately, she laughed when she saw the book.

According to the review guide, nearly 1/2 a million marriages end in divorce each year. I assure you, Molly, that I am not eager to join that less than elite group.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID408 by Dave Piscitello  

At the very top of the list of files my web visitors failed to find is "favicon.ico". For whatever reason, I never put a bookmark icon image in my home directory, but the pending embarrassment of rejecting more than 100,000 requests for *anything* made me feel negligent. I've correctly the oversight. I'm certain I'll sleep more soundly tonight.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID394 by Dave Piscitello  

My daughter had a rather delicate surgery in January to restore hearing loss. The surgeon performed a a transdermal timpanoplasty, which is a skin graft to create a new eardrum. Today, her audiogram confirms a 100 per cent restoration of hearing in her left ear; prior to surgery, it had deteriorated after years of infections to barely 15 per cent.

Especially those of you with children can appreciate how exciting an event of this kind is. We don't actually expect the volume to turn down, as Taylor becomes a teen in a month, but at least now know she can hear, but chooses to listen to LOUD music (and being of the Woodstock generation, who am I to complain about that!).

Thank all of you who offered support and prayers.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID392 by Dave Piscitello  

My attention is often distracted by search results I'm returned when I use Google. While searching for the term used for the watertight hatches on a submarine so I could accurately use it as part of an analogy in a security presentation, I came across a luxury submarine, the Phoenix 1000, which "provides its owner with substantially more capability than a simple yacht".

The Phoenix is 213' long and costs approximately $78M US. Distracted from my original search, I decided to see just how much a 200 foot surface yacht might run. Oddly, Merlewood & Associates is brokering a 200 foot motor yacht, the Lioness, for - you guessed it - approximately $78M US.

Amazing the choices one has when one can spend $78,000,000.00 on a luxury item:-)

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID388 by Dave Piscitello  

I like a multi-column, "newspaper page" look for web sites, but like many casual web developers, I struggle with nested HTML tables. Recently, I was directed to Ruthsarian Labs, where I found several layouts that use cascading style sheets to create multi-column layouts. Some of the style sheets are very fancy, and provide a masthead and footer. I've chosen one of these for the makeover of my site. Ruthsarian Labs' layouts are free to download and use. Thank you for the layouts and education in CSS!

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID387 by Dave Piscitello  

I am teaching this week in Leixlip, Ireland, a village south and west of Dublin. Or is this Seattle, Washington, USA?

I ask because both cities have similar weather patterns, and in both cities, citizens cheerfully suggest that, "if you don't like the weather, wait a while and it will change".

Here's an example of just how much - and frequently - Dublin weather changes. During a three-hour period midday today, it drizzled; cleared and grew sunny; darkened and rained heavily; cleared to gray skies; darkened once again and hailed, turning to snow flurries; and finally cleared to party cloudy once again. Seattlans, doesn't this sound like *your* weather?

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID384 by Dave Piscitello  

If you visit www.senate.gov, you'll read that "To balance power between the large and small states, the Constitution's framers agreed that states would be represented equally in the Senate and in proportion to their populations in the House."

In a March 14 2005 New Yorker Magazine Talk of the Town comment, "Nuke 'em", Hendrik Hertzberg explains that state representation in the modern millenium may not exactly work out to the balanced power the Constitution's framers sought. Hertzberg explains that, as composed today, "Fifty one senators - a majority - can represent states with as little as seventeen per cent of the American People."

Numbers like these aren't much fun. The Bush administration declared that winning 51% of the vote in November 2004 gave them a mandate for the President's 2^nd term. Now we see that 17% of the states - probably red ones - can vote on a bill, and declare that the passage should be viewed as a mandate.

If you're not happy with these figures, consider that to obtain the sixty votes necessary to override a veto, you need only obtain votes from both senators of twenty-four percent of the states.

Sigh...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID378 by Dave Piscitello  

Apologies to those of you who receive my monthly digest email. I migrated my blog software from one PC to another, and in the process failed to import my old .ini file, where I had increased the default length of the blog summary length from 30 to 80. Thirty is simply too few characters to spark interest in a blog entry, even a rant.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID373 by Dave Piscitello  

I'm listening to Savannah area Pop 40 "morning" show while driving my daughter to school today. One of the radio personalities begins chatting about a couples' shower she has to attend with her husband. I'm momentarily lost - either this woman has an entirely different notion of a couple's shower than I (fondly) recall from my younger, less inhibited days, or she's about to take the conversation in an even edgier direction than I want hear with my twelve-year old in the passenger seat.

I reach to change the station, and one of the male personalities begins to whine about how awful couples' baby showers are. I relax, and think about how easily one can misinterpret the spoken rather than printed word.

And how a one-character shift of an apostrophe in a word can change a really pleasant experience into a considerably less pleasant one:-)

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID369 by Dave Piscitello  

It's not often a close friend is honored in such a manner, but Vint is no ordinary friend. According to the New York Times, The Association for Computing Machinery plans to announce that Vinton Cerf and Robert Kahn will receive the 2004 A. M. Turing Award for creating the underpinnings of the Internet.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID364 by Dave Piscitello  

My son bought me a CD for Christmas, an anthology of Neil Young's greatest hits. I finally had an opportunity to listen to it while driving. My vehicle has excellent sound insulation and, by my modest metrics, an equally excellent stereo with god knows how many speakers.

Is that really Neil Young?

Something's wrong. That's "Cowgirl in the Sand"? It sounds so sanitized. Without the scratching and hissing from my worn stylus, lame speakers, and poorly terminated copper wiring, I hardly recognize Neil's voice. The guitar licks are so exacting; they have a synthetic character. I don't remember those 3 notes at the beginning; I imagine they were worn away after the first hundred plays of my beloved vinyl LP.

It's more than this. My memory insists that, if this is really Neil Young, he *must* be played loudly; in my various dorm rooms, crammed and shared apartments; all night and through the wee hours of the morning; with candles and incense and traces if not clouds of smoke of the "not cigarette" kind; while cuddling with a coed on a lumpy sofa with a Mexican blanket in a time before anyone knew to call it shabby chic. Not, as I find myself, driving to the grocery store in mid-afternoon; in a smoke-free, leather-upholstered-and-heated seat vehicle that cost more than my entire four years of tuition, room and board; with my 12-year old daughter asking why we're listening to this CD and can't we listen to Avril Levine instead.

My reaction to digital re-mastered music is pretty much the same as "colorizing Casablanca". Ingrid Bergman was breathtaking in black and white. B&W movies had an ethereal quality that I've always felt stimulated my imagination and were closer to dreams than reality.

I don't know if you really distinguish dreams from memories (real and imagined) as you get older. I do know there are some cuts I'd rather listen to in their original, analog rendition than digitized.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID352 by Dave Piscitello  

Consumers are spending nearly $300M/year on cellular phone ringtones.

Before the Tsunami, I thought, "Can't folks throw their money away on something more interesting than ringtones?"

If there's ever been something more interesting - and worthwhile - at which to redirect some of that $300M, it's got to be the victims of the Tsunami. CNN devotes an entire page to legitimate organizations who are providing aid to victims in South Asia and East Africa.

Before you visit qtones, katazo, or planetringtone, visit CNN

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID345 by Dave Piscitello  

For about three years, my wife and I owned a hole in the ocean into which we threw money. Unnamed, inanimate, underused and expensive to maintain, our 21 foot Grady-White cuddy wasn't too hard to give it up.

We now own a horse, which only has "expensive" in common with the Grady-White. Paddy (officially, Bees My Sugar) is an eight-year old paint, approximately 16 hands, animated and intelligent, visited and ridden nearly daily.

As is the case with all our animals, Paddy is a rescue. Molly has nursed him back from a serious hoof ailment and months of isolation that nearly soured him to a point where he behaves well under an experienced rider. She and her trainer/instructor have begun Parelli exercises with him to get him in shape for other riders, including me. Wish us luck and wish Paddy continued health and recovery! I'll post photos soon.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID341 by Dave Piscitello  

My son Matt wrestles varsity for Bluffton High School. I host the Bobcats Wrestling web page at http://www.securityskeptic.com/bobcatswrestling.htm.

A photo my Matt pinning his Colleton County opponent made the front sports page of the Hilton Head Island Packet today.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID339 by Dave Piscitello  

Q:What do peanut butter and isopropyl (rubbing) alcohol have in common?

A:You'll find both in the auto detailers' toolkit.

Peanut butter removes the chalky residue that auto wax leaves on black trim. The composition of the peanut butter is abrasive enough to scrub and buff out the wax. No, you don't need chunky style...

A fellow who details cars for a living told me about rubbing alcohol. Sure enough, it's is the best way I've found to remove pine tree sap from auto paint finishes and (trust me) we have a *lot* of pine sap in the Carolinas. Ironically, you don't have to rub hard at all. All the commercial bug, tar, and sap removal agents I've used require far more rubbing. A bottle of rubbing alcohol is about a 3^rd the cost or less - such a bargain!

After I remove all the wax residue, I apply ArmorAll or an equivalent product. After I remove sap, I generally wax my car(s). Even when I simply remove one or two spots, I will rinse where I've applied alcohol and spot-polish the finish.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID334 by Dave Piscitello  

As much as I try to avoid reacting to ten word sound bites, I admit haven't been able to avoid them since the election. After a week of victory crowing, many of the less-than-pithy post-election claims and promises are grinding me down.

They paint *such* a grim picture of the next four years.

Few would argue that the 2004 campaign was mean-spirited, at local, state, and federal levels. Candidates from all parties discredited, disparaged, and villified opponents. In the aftermath, the post-victory sound bites all suggest that 51% of American voters hold the other 49% in pretty low esteem.

We're patriotic; you're not...

We're strong; you're weak...

We have moral values; you don't...

Liberal thinking is evil!

We are as polarized a society as you could statistically imagine. I find it repulsive that anyone could suggest that the election results demonstrate that a majority of the U.S. population believes *Liberal Democrats* have no faith; are condemned to burn in hell for their rejection of Biblical law; harbor terrorists in their condos; and want the international community to dictate U.S. policy. I find it frightening that high-ranking party members and newly- or re-elected federal and state officials are espousing such thinking and flouting it publicly.

This is exclusionary thinking in the extreme. Exclusion is un-American. Patriots defend the rights of every American. The strong protect the weak. Those with moral values set examples. Liberal thinking tempers conservatism. If you don't agree, read the Constitution. And your Old and New Testaments.

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID326 by Dave Piscitello  

I've had a long and rewarding relationship with Watchguard Technologies. I like the products. I like the people. Scott Pinzon, LSS editor, reminded me recently that the feelings are mutual.

I host a general security library at my personal web site. After I'd invested some time hunting down spyware resources to fix my son's PC, I discovered I'd found so many resources - and good ones - that I would host and maintain a resource page on spyware.

The page is popular, and generates enough AdSense revenue from Google that a server upgrade is within sight! I realized that quality resource pages were both a service to the community and revenue producers (or expense offsetters). So I began carving out topic specific resource pages from my library. Over a period of about a month, I'd created 5 resource pages, and these are all among the most popular hits on my site.

One recent page is on VOIP Security. Having visited this page after three others he found interesting, Scott Pinzon wrote a piece on Watchguard's RSS feed, Wire. In it, Scott says some very kind things about my efforts:

"I am tempted to describe Dave Piscitello as "the Stephen King of online IT resources." Lately, he has been cranking out a prodigious amount of work reminiscent of Stephen King's four-novels-a-year pace. And, like Mr. King, Dave's offerings hit more often than they miss..."

There's more, and I want to thank Scott for helping me promote these initiatives.

The hardest thing about hosting resource pages is keeping them fresh. If you visit my pages and can contribute a resource, please do!

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID318 by Dave Piscitello  

I honestly don't know why we have debates, or more precisely, why we call what presidential candidates engage in "debates". I cannot recall a single televised debate, in this election or any over the past 4 presidential elections, where candidates debated a topic, with well-formulated proposals and novel ideas. Instead, every candidate throws waves of party-pleasing platitudes and drones on about their opponents' dreadful track records. Given the long list of shortcomings, failures, questionable entanglements, and objectionable voting records each candidate flings at is opponent, I find myself asking, "why on earth would any rational being vote for either of these guys?"

Can candidates really present a strong case and a clearly articulated plan to solve the myriad of problems on the U.S. Federal government's to do list. Honestly, what can W or Kerry promise? Can either say,

"Hi, I'm your candidate. I'm influential, credible, and knowledgeable enough to overcome a divided congress that won't set aside partisan politics. I am a student and advocate of the U.S. Constitution, have no private agenda, and am thus eminently qualified to fill Supreme Court vacancies with judges who will see that our country's laws are consistent with what the Framers intended.

"I know how to satisfy constituencies on both sides of thorny issues like abortion and gay marriage. Under my administration, pro-life advocates will have the opportunity to adopt or arrange and finance adoption and care for any unwanted pregnancy. Gays can marry, but only in closets. Yes, folks, I'm kidding. Truth is, we have so many more serious problems, I just don't see these as being issues a president ought to put ahead of health care reform, improved education, disaster relief, and poverty in the largest and most economically viable country on earth.

"The 900-page tax reform proposal I wrote last night eliminates every inconsistency and reduces taxes for everyone yet adds nearly a trillion dollars to the budget each year. And that trillion dollars will pay for universal health care exceeding what members of the U.S. Congress receive; increase social security benefits; provide approximately $7000 per student for education for every state in the Union; amend insurance practices so that windfall profits are used to offset premiums; and provides tax relief for companies that pay employees salaries that exceed the minimum wage.

"I have spoken with diplomats and heads of state of every member of the United Nations, who now understand and trust me to make sound decisions regarding international matters..."

Back to reality. Neither presidential candidate can deliver on any promise made during an election campaign. It's simply not under his control! And this is what the Founding Fathers intended the office of the president to be! The office of the president (Article II) was created after Congress (Article I) and it's arguably the least empowered office.

Presidents with lasting influence are historically rare. Teddy Roosevelt awed and inspired. Thomas Jefferson was flat-out brilliant. People like these don't run for president any more. Then again, perhaps today's problems would deter them both as well.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID317 by Dave Piscitello  

I'm back from a long weekend in Gifford and Vero Beach, Florida, where I helped re-roof the Gifford AME church. These communities were both seriously affected by back-to-back hurricanes. I posted a brief photo journal of our relief efforts here. I can't tell you how good it feels to help people in a very tangible way. Living in a community that could easily suffer similar hurricane damage, the entire experience was sobering as well: life's precious, respect and enjoy it!

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID314 by Dave Piscitello  

I have been using Eudora email clients since my Macintosh SE days, so it's no small deal for me to be changing email clients. Why change after nearly two decades of use?

Things I love to hate about you, dora. I purchased Eudora 4.1 for Windows and subsequent upgrades, yet the program insists on asking me to register over and over again. It periodically asks me to reveal my user behavior. It processes hyperlinks badly (a symptom that has persisted from Windows NT through XP, on five computers). Filters have always been non-intuitive and clunky.

Never can say goodbye? For years, I've found excuses for not trading in or trading up. Version 4.3.2 supports whatever version of PGP I use, and I use the version that works with the folks in my keyring. I have a filter set, clunky and overly long, that mostly works. I know every power key. I know nearly all the files in the Eudora folder, and what I don't know about the .ini file, I can learn quickly from my colleague Fred Avolio or my partner, Lisa. I can resurrect folders from 1994 (if the floppies are still readable), the mail looks as if it's just arrived. I should be sittin' fat and happy, right?

Familiarity breeds contempt. For all that versions 4, 5, and 6 purport to have changed, they haven't really changed. I downloaded the trialware for each major version, and despite new skins and "new" features, it's still pretty much the same Eudora I've launched every day. I'm still using 4.3.2 because trial after trial, I just didn't see anything sexy or edgy enough to make me want to buy the new software, buy the PGP that works with it.

I realize that I still have that "email clients should be free" mentality that first attracted me to Eudora. Somewhere on the Internet, there must be some client that does what Eudora does, and is more secure.

What I found was David Harris' Pegasus Mail (Pmail). I've use it for only 24 hours, but am already very comfortable with it, largely because it's enough like Eudora in ways I find important, and different or better in features I found lacking in Eudora. For "unencumbered and free" it's a very complete piece of software. It installed cleanly, and didn't require a restart (always earns a smiley face). It's got a familiar and intuitive user interface, similar to Eudora in many respects. Filter creation is (for me) more intuitive than Eudora. Spam and content protection are built-in. Pmail has a shared-secret based email security for bulk encryption and digital signing, and it supports PGP. Fancy email editing includes font styles, ttables, picture insert, hyperlink embedding. Pmail client is also an LDAP, Finger, and PH clients. It has distribution list support, and works with Norton AntiVirus. And several folks have gone to the trouble of creating address and Eudora mail folder import utilities. It's also a much smaller executable than Eudora.

Pegasus mail is public service software. It's traditional Internet, with non-official support and FAQ sites, and developers who create plug-ins and interact on mail lists. It's community-ware, like the early versions of Eudora...

Still too early to tell, but pmail looks like a keeper. I'll keep you posted.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID290 by Dave Piscitello  

My name isn't that common. David is not a typical Italian "given name". So when I come across other David Piscitellos on the web, I take notice.

Detective David Piscitello of the Cheektowaga Police Department earned a for conducting an extensive investigation into the 1999 attempted murder of a truck terminal security guard. After "a difficult and painstaking investigation and at great personal risk" he arrested the two armed perpetrators and getaway driver at gun point. Two David Piscitellos, in different security worlds.

Another David Piscitello is still distance running and at least in 2002, still collecting top 10 finishes all over the MidWest, in the 40-44 Male category. He's run five kilometer races in an impressive 18:37. Andy Piscitello, presumably a relative of the Harrah, Oklahoma Dave, finishes in the Top 10 as well. They both must be taller, thinner, and endowed with more resilient backs than I.

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID284 by Dave Piscitello  

Stagg Newman, my former Executive Director at Bellcore, has a lovely horse farm adjacent to the Pisgah National Forest in North Carolina. I visited him this week, and went horseback riding through trails in and out of the forest. Stagg and his wife, Cheryl own and nurture five stunning Arabians. Arabians are beautiful horses, and the Newman's Arabians are exceptionally so, in no small part because they are endurance horses, trained for 25, 50, and 100 mile rides and competitions. Having observed Stagg and Cheryl for only a few days, I'm pretty certain the Newman's horses are special because they are loved and respected by very special horse owners. These horses aren't equipment, they're family...

I was thrilled to have the opportunity to ride any one of these beautiful, affectionate and intelligent horses. I was stunned and honored when Stagg let me ride Ramegwa Drubin, his 21-year old Arabian who was inducted last year into the AERC Hall of Fame. Drubin, who's just over 14 hands, has won dozens of competitions and earned numerous honors over his career, and still holds the record for most competition points in a single season. "Pony", as Stagg calls him, provided the most pleasurable experience I've ever had on horseback. I wish I were a better rider so that he might have had more than a tolerable time with me on his back:-) and I look forward to riding him soon. Thanks, Stagg and Cheryl!

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID282 by Dave Piscitello  

When our part-Siamese kitten, Cookie, isn't ridding our lawn of moles and our attic of critters, he chills out in a "made-to-fit" oval sink in our master bathroom. Cookie is a Garfield wannabe: eat, sleep, eat, catch a critter, whack the dog... repeat...

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID275 by Dave Piscitello  

The daily dose of hate, anger, evil, malice and destruction just keeps growing and my faith in mankind is withering. I'm certain Tim Berners-Lee and all those who helped invent the web never imagined it would host the horrifying content posted today by suspected al-Qaeda terrorists. My family will pray for Paul Johnson Jr.'s family and friends. Please take a moment and do the same.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID268 by Dave Piscitello  

I've always been a late adopter of technology. I love disruptive technologies but hate the "first with the boy toy" premium. When Amazon.com reduced the price of the 80-hour model 5500 to $226 including shipping, I figured, "it's time..."

To connect my ReplayTV to the Internet, I expanded my HomePlug network to three power line bridges. Since I'd just encountered wiring *issues* earlier this month, I verified my network expansion by connecting this third HomePlug directly to a laptop (rule of thumb when networking: never introduce more than one new variable - cabling, adapter, device, topology change, protocol, OS, application - at a time!). The physical path between the ReplayTV and office bridge provides 4.6 Mbps so here's an example of how HomePlug bandwidth vary depending on line quality.

ReplayTV does TCP/IP about as plug-and-play as you can imagine, using DHCP out of the box, but failing over to manual configuration if no DHCP server is discovered. My pool of DHCP served addresses is intentionally small, and I forgot to increase it before I added my 5500 to my network, so I manually configured Internet settings. I wanted to get a feel for the intended user experience, so I reset the device to factory defaults (remarkably, it's documented in the manual!) and the rest proceeds automagically.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID253 by Dave Piscitello  

I am experimenting with Google AdSense. Google places ads of vendors and services that are relevant to the types of things I write about. If you choose to visit one of the ads, I receive a micro-payment. I hope to recover some of the time and thought I put into my blog through AdSense.

Google frowns on click-thru abuse, and I am a bit nervous about ad abuse and fraud. If you see an ad of a white paper you might find interesting, by all means visit it. Don't visit ads thinking you'll help Dave earn a Ferrari or pay for college tuitions: I don't need the ad revenue that badly.

During the first week of running AdSense, I've tried to confirm that the ads placed by Google are relevant to the content I've created. You'll find ads for firewalls on the firewalls category page, antispam products on the SPAM page, etc. One place where oddball ads may appear is my Rant page. I have the option of blocking ads I deem inappropriate, so if you encounter one, please email me the URL and I will blacklist that site.

By adding AdSense, I've now introduced a (Google) cookie into the equation. I realize some security people despise cookies. I believe the cookie is only created if you click through a link and will confirm this with a LAN analyzer shortly. I'm sorry the presence of a cookie if this prevents you from visiting my blog. Google explains their privacy policy at https://www.google.com/adsense/faq#privacy1, so I encourage you to read it if you're uncomfortable.

Do visit my AdSense links if it the ad and intrigue you. Some of the ads intrigue me. I'm careful to copy the URL and visit without the AdSense cookie so that Google has no reason to suspect abuse on my part (I suspect they filter my requests and will investigate.

Last point. I won't be modifying my content or restraining myself from expressing an opinion simply because I now have "sponsors". If a company complains about something I write, I'll add them to my AdSense blacklist (and tell you!).

Thanks in advance for your support and appropriate use:-)

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID250 by Dave Piscitello  

I subscribed to Virtual Press Office years ago so that I could get press passes for trade shows. I write freelance for trade pubs so I do in fact qualify. I never cancelled the subscription and VPO pushes email summaries of press releases.

Today was a slow press release day for security and wireless, so I glanced through release in the other categories VPO includes in the mail the send me.

This release caught my eye...

Mar 04, 2004 14:29

PartyBingo.com to Co-Sponsor the 16th Annual World Championship Bingo Tournament and

Gaming Cruise

CURACAO, Netherlands Antilles --(Business Wire)-- March 4, 2004 PartyBingo.com

(www.PartyBingo.com), one of the leading online bingo sites -- in association with Bingo

Bugle and Special Events Cruises -- will be the official co-sponsor of the 16th World

Championship Bingo Tournament and Gaming Cruise in 2004, along with Bingo Bugle. Bingo

Bugle has staged the cruise for the last 16 years.

This conjures images of a huge boatload of senior citizens arrayed along long rows of tables playing bingo 24x7 while the Carnival cruise ship, Conquest, makes its way to Curacao.

Of course, when everyone tires of Bingo, they can head to the slot machines. Aging gamblers in Paradise.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID215 by Dave Piscitello  

As I left for the San Francisco airport this morning, I met a fellow in the elevator of the Argent hotel, who related his harrowing elevator experience the day prior, when San Francisco had a major rainfall and near-gale wind "incident". We continued to chat, he on his way to the RSA Conference, and me to Starbucks. As we continued to chat, my anonymous companion mentioned he had participated in a session at the conference. He described his presentation, and mentioned his company, NetContinuum.

I only recently invited a fellow from NetContinuum to participate in a session at Networld+Interop, based on a submitted abstract and a background check among my colleagues. I asked my companion, "Do you know Kurt Roemer?"

After a more-than-hesitation-less-than-pregnant pause, he replied, "I *am* Kurt Roemer."

Hoodathunk? After our chance but very pleasant encounter, I'm looking forward to sharing a session with Kurt.

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID208 by Dave Piscitello  

My January editorial for Watchguard Technologies' LiveSecurity Service is the fiftieth I have written for the company, over a period of more than four years. I received a most gratifying letter of congratulations from the LiveSecurity directors and editors, past and present.

And some fabulous Washington State wine:-)

Nearly all of my past editorials are hosted at http://www.corecom.com/html/livesecurity.html

If you've been faithfully reading my blog, you are ready to tackle YoDave's Inaugural Security Crossword Puzzle.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID153 by Dave Piscitello  

My wife and I finished reading Monty Roberts' autobiography, The Man Who Listens to Horses: The Story of a Real Horse Whisperer. Our family has grown to love horses and Monty's real-life stories and insights into the language horses speak (one we can learn!) was a wonderful reading experience for us all. ISBN 0-345-42705-X, find it here at Amazon.com

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID103 by Dave Piscitello  

Stuart Vance, a former colleague and really good guy, has begun a campaign to derail the gubernatorial recall election in California. He's created a web site where you can learn how to add a candidate to the ballot. His objective is to basically launch a denial of election attack by exceeding the number of candidates that can conceivably fit on the CA ballot.