
locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Tue, 30 Jun 2009 00:00:00 00, 734
What RFC am I?

Facebook offers a ton of mindless distractions, from quizzes to surveys, fan pages to communities of interest. After seeing a long time IETF friend's result from taking the quiz "Which IETF RFC are YOU?" I could not resist taking the test myself.

The test purports to be "proven by scientists (and verified with supercomputer simulation) to accurately classify any human being to a single, conclusive IETF RFC". Nice, but slightly unnerving. I had nightmarish moments while answering the questions. Will I be one of the RFCs I wrote? Would I be an RFC affiliated with a technology I abhor (WHOIS/RFC954, IP over ATM/RFC1932, SMTP on X.25/RFC1086) or something classic (Telnet/RFC097, QOTD/RFC865, NTP/RFC1129)? Worst case scenario: would I be a MIB?

Happily, my result was RFC 791, Internet Protocol! My answers identify me as " a solid, dependable person, and more consistent than your peers. You value time-honored things in life and prefer standards over the latest fad. If you were an ice cream flavor, you would be vanilla: natural, elegant, and classic". YAY!

How wonderful to be associated with IP and by extension, its revered author, Jon Postel.

And how grateful am I that my result did not associate me with IPv6, RFC 2460 :-)

Archived at http://www.securityskeptic.com/arc20090601.htm#BlogID734 by Dave Piscitello  


Wed, 24 Jun 2009 00:00:00 00, 733
Facebook

I finally created a Facebook account, but not for any of the conventional reasons folks join social networks.

I worry about impersonation and reputational harm.

Perhaps I've been too long in the security business, but I began to consider how easy it would be for someone with malicious intent to create a social networking account for a targeted identity. For folks who have considerable online "visibility", this isn't really that difficult. Let's assume I'm targeted. All a miscreant needs is an email account to which the membership confirmation email for Dave Piscitello is sent. Once he confirms the account, he can populate the newly created account with personal information he gathers from other sources: my personal page at SecuritySkeptic.com, bios at Core Competence, ICANN, and conferences where I've given presentations, etc. provide enough information for a convincing deception, especially if the deception targets colleagues over family. Next, the miscreant begins building a social network. Since social network sites constantly suggest friends to add, this is trivial. As the miscreant grows a friends list, he can use my Facebook wall or the walls of my colleagues, family and friends to post abusive, insulting or libelous comments, lies or misinformation. He can intimate that I'm unhappy with my employer, my wife or children. He can post photos that might be embarrassing, or, for a truly worst case scenario, use the account for predatory or porn publishing purposes.

Someone who really knows me will undoubtedly contact me using one of my legitimate email accounts or phone numbers to read me the riot act or fire me. At this point, however, my Facebook situation is no different from any web defacement attack. I've been victimized and I'll have to take action to recover from the incident. I've got to contact the social network operator, provide compelling evidence of the impersonation, and get the page removed. And as with all defacement attacks, my reputation is tarnished. Not a pretty picture, is it?

There are too many social networks to join purely for defensive purposes. Perhaps having *one* that is truly mine is somewhat comforting. At the very least, perhaps I will create a social network identity that is sufficiently mine to repudiate claims that an impostor might make on other sites. Or perhaps I should open a chocolate cafe near a local Starbucks and get out of this business before the paranoids come to get me.

Archived at http://www.securityskeptic.com/arc20090601.htm#BlogID733 by Dave Piscitello  


Mon, 05 Jan 2009 00:00:00 00, 713
Sabbatical from blogging

The Security Skeptic went dark over the month of December. I didn't begin the month with the intention to neglect this activity, but on reflection, I really needed to devote time to family and personal matters. I'll also admit to feeling as if I'd lost my muse. I've become a victim of writer's block.

I characterize writer's block as a need to write but having nothing to write about. That's not exactly correct. For me, it's not simply a matter of having nothing to write, but having nothing that compels me to write. When I shared this notion with friends and colleagues, some replied, "you really can't find anything about Internet Security that compels you to write? Are you nuts?"

My answer through much of last month was that much of what you might write about Internet Security has been written and ignored, only to be revisited, discussed at length, and written again when an event or incident that might have been avoided occurred because the original message was ignored. Yes, I sound like my friend and colleague, Marcus Ranum. Tell me we are both wrong:-)

I don't believe we're wrong, but I can't see that Internet Security will improve if I and others don't continue to tilt at the windmills. So my resolution for the new year is to heed the advice so often given to anyone who claims to have writer's block.

I'll keep writing.

Archived at http://www.securityskeptic.com/arc20090101.htm#BlogID713 by Dave Piscitello  


Thu, 29 May 2008 00:00:00 00, 690
Tribute to Matt Spaulding

PFC and Army Medic Matt Spaulding of Bluffton, SC was awarded a Bronze Star with Valor for his bravery in combat in Afghanistan on June 9th 2007. Wounded himself when his unit's patrol vehicle was struck by an improvised explosive device, Matt aided a severely injured comrade, reviving him using CPR and stabilizing serious leg wounds until help arrived. A recent article in the Island Packet provides a detailed account.

Matt was a Bluffton wrestling teammate of my own son, Matt. They wrestled at adjacent weight classes, and I watched both boys wrestle and mature for many years at dozens of matches and tournaments in High School gymnasiums across South Carolina and Georgia. Matt Spaulding never shied away from a challenge. As quarterback of a first-year HS team, Matt took everything more experienced defenses could dole out. As a wrestler, he took his lumps as an underclassman but endured to become a state qualifier in his senior year. His actions come as no surprise to those who knew and watched him as a HS athlete. We are proud of you, Matt, grateful that you are still with us, and pray you will remain so for many years to come.

Archived at http://www.securityskeptic.com/arc20080501.htm#BlogID690 by Dave Piscitello  


Tue, 08 Apr 2008 00:00:00 00, 683
Which costs more: a donut or a gallon of gas?

Apparently, when you are in Ronald Reagan National Airport, the answer depends on where you buy your donut.

This morning, I queued to buy coffee from a kiosk called Primo Cappuccino in anticipation of my DCA-CLT departure. The coffee was reasonably priced and turned out to be very good. The donuts, however, were $4.00, which seems extraordinarily high, even for DC. I don't know if they were good, because the ROI on a $4.00 donut seems small.

About one in three customers ahead of me were buying donuts. Glancing about, I noticed a Dunkin' Donuts cart not more than 25 feet from the cashier at Primo Cappuccino. I'm still not interested in a donut, but I couldn't resist learning whether Dunkin' Donuts was (ahem) price competitive with Primo Cappuccino. I'm imagining a sign that says, "Donuts, $4.00 each, $44.95 per dozen" and thinking of the rioting in the streets of Anytown USA if such a sign appeared anywhere but DCA.

$.78 for a donut at Dunkin' Donuts, or approximately 1/5 of the price you pay at a shop less than 10 yards away.

I walk to one of the standing tables to stir my coffee and people watch. I want to gauge the sorts of people who are buying donuts at each location. A woman in business attire approaches the table, coffee and a Dunkin' donut in hand and asks if she could share the table. I say, "Yes, but only because you were clever enough to buy a donut for $.78 instead of $4.00...".

She grins and says, "stupid is as stupid does..." and joins me in the donut watch.

We both lamented the fact that we could not stay long enough to learn whether the servers stroll over to Dunkin' Donuts when the supply runs out at Primo Cappuccino...

Archived at http://www.securityskeptic.com/arc20080401.htm#BlogID683 by Dave Piscitello  


Wed, 04 Apr 2007 00:00:00 00, 605
Caricature

To complete the transformation of my blog persona from yodave to the Security Skeptic, I've replaced a stale photograph of Dave wearing a tie with a caricature by one of the fine artists at The Caricature Shop. After visiting many sites in search of quality, a fair price, and unencumbered ownership of the product, I was delighted to find David Whorf and company.

A caricature is an exaggerated and often comic representation of a person, group, or event. Some friends have commented that this particular caricature depicts me as more sinister than skeptical. My wife assures me that neither the caricature nor I am the least bit sinister, and voted to keep this one. As is frequently the case in matters involving art and design, my wife casts the deciding vote.

Archived at http://www.securityskeptic.com/arc20070401.htm#BlogID605 by Dave Piscitello  


Sat, 03 Feb 2007 00:00:00 00, 589
Removing Wall Mirrors from Drywall

Remodeling is a journey, not a destination. Our master bath has "evolved" from repairing the water damage to a 70s-style popcorn ceiling to removing the textured ceiling, replacing the light fixtures and wall-width mirrors, replacing the plumbing fixtures, and finishing with new paint and wallpaper.

Removing a popcorn ceiling is a simple but nasty business. Some of the sprays used contained asbestos, and often a prior owner has painted the ceiling and made the texture resistant to the "wet removal" method. However, if you dodge the asbestos containment bullet and take your time, you can strip a ceiling quickly, and you shouldn't have to spend a great deal of time applying thin coats of plaster to get the smooth ceiling you want.

The more challenging task in this project was removing three mirrors spanning 12 feet of wall space above a double-sink vanity. All of them had deteriorated silver, not at all unexpected since we have three large skylights above the vanity! Asking friends and consulting online DIY web sites, I learned that there are three ways one removes mirrors from drywall:

  • Whack away with a hammer.

  • Use a heat gun to melt the bonding agent.

  • Use a guitar string or fishing line to "saw" through the bonding agent.

The authors of all three methods recommend that you cover the mirrors with duct tape and wear protective eyewear, long sleeves, and gloves. I dismissed the hammer method as a last resort: dodging and cleaning up shards of mirror are the kinds of tasks I instinctively avoid. I don't own a heat gun, but I do have guitars and even spare strings, and this seemed like a cautious approach with a high probability of success, so I wrapped the ends of a guitar string around two six-inch dowels and began by removing the mirrored trim around the mirrors. I donned the protective gear, duct taped the mirror and went to work.

I found a gap between the leftmost and center mirror and worked from the upper left corner of the mirror down and to the right until I was able to get the string across to the upper right corner. At this point, I discovered that the guitar string was not long enough to continue the sawing motion I'd used to cut through the bonding.

I studied my progress. I decided to repeat my sawing effort, this time beginning at the upper right hand corner and proceeding clockwise around the mirror until I'd sawed through as much of the bonding as I could reach with this method. Using multiple putty and spackling blades, I shimmed the left side of the mirror away from the drywall. I used dowels as wedges and slowly and gently applied force to break the bond without breaking the mirror.

Using this method I was able to safely remove all three mirrors, intact. I attribute some of this success to the fact that the workman who installed the mirrors had applied the bonding agent in a series of six to eight circles of approximately 8 inches in diameter. I suspect that I would have had considerably more trouble if the agent had been applied more liberally or sloppily.

Some of the patches of bonding agent pulled away with the mirror and left me with a fair bit of patching to do. Others had to be removed with spackling knives. I'll have to rough sand the areas where the bonding was applied and thin coat them if I expect even primer to adhere.

One danger of removing nearly 40 square feet of mirror is that you don't know what surprises lie beneath. The electricians who wired our home were not as professional as other subcontractors and I have several "exploratory" holes to patch. Overall, however, I'm pretty pleased to have completed this task without injury:-)

Archived at http://www.securityskeptic.com/arc20070201.htm#BlogID589 by Dave Piscitello  


Tue, 09 Jan 2007 00:00:00 00, 583
Farewell to Bill Hancock

Bill Hancock, a popular and talented security expert, died January 1st, 2007. He will be sorely missed, personally and professionally. "Dr. Bill" was a brilliant, humorous, sometimes controversial, and often flamboyant character. I met Bill in the mid 1980s. Years later, he helped me launch my Internet Security Conference (TISC) by keynoting, speaking, and contributing several articles to the TISC Insight newsletter I edited for many years (1, 2, 3). CSO online published a very nice eulogy - Security Community mourns the loss of a CSO - but the community should also remember Bill for his contributions in the worlds of firewalls, forensics, and secure network and data center design. Dr. Bill coined and frequently used the Twinkie as an analog for security. In both TISC and SANS presentations during 1999, Bill explained that, "Security is like a Twinkie: it's what's inside that counts".

If you would like to donate to Hancock's family, you can do so at any Bank of America by contributing to The Landreth Hancock Fund, ACCT 5860 0235 7369. You can also mail checks to: Trustee, The Landreth Hancock Fund, 15302 Hilltop View, Cypress, TX 77429.

Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID583 by Dave Piscitello  


Thu, 04 Jan 2007 00:00:00 00, 579
Best Super Bowl Ad - Ever

Television advertising time for the American Football Super Bowl is obscenely expensive. Predictably, companies that buy time spend commensurate amounts of money to produce attention-grabbing commercials. And debating which of the broadcast commercials is "the best" has become an annual event.

For my money, the best Super Bowl ad *ever* was Apple Computer's introduction of the Macintosh in 1984. If you have never seen the ad, search for "1984.apple_ad.mov", download it, and enjoy.


Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID579 by Dave Piscitello  


Mon, 01 Jan 2007 00:00:00 00, 577
Picture menus on request...

My family often visits our former Pennsylvania haunts during Christmas break. The trip is a formidable but doable one-day, 700+ mile journey by automobile. However, our route forces us through a traffic triple whammy: Northern Virginia, Washington DC and Baltimore. The 1-, 2-, and sometimes 3-hour delays we invariably encounter over this nasty 160 mile stretch are exasperating traveling North, since we routinely cover the first 400 miles in just over 5 hours (God bless NASCAR and 70 MPH speed limits). Recently, the delays are even more frustrating traveling South: by the time we begin our return leg, we've vagabonded our way through the Greater Philadelphia and New York areas visiting friends and family and are exhausted from our "vacation".

Today, we encountered abnormally bad traffic and weather, and crossed into North Carolina a good 2 hours later than expected. We stopped for fuel and decided to grab some dinner at a fast food restaurant. While I scanned the menu for something both low-carb and edible while driving (the bun-free ground beef in a bowl is a fine example of an Atkins entrée that cannot be safely consumed while driving), I discovered the following notice on the menu board:

Picture menus are available on request

This struck me as quite a curious and frankly absurd bit of signage.

Anyone who can't read certainly can't know to ask for a picture menu.

If the notice were offered in the spirit of bilingualism, anyone who can't read English can't know to ask for a picture menu.

My son observed, "We're in a fast food chain restaurant. The menu items are already depicted - and numbered!" I agreed, but thought that perhaps the picture menu offers both food and a depiction of a hand(s) with the appropriate number of fingers raised to order the item?

I asked for a picture menu. The manager looked at me and replied, "We don't have any. You speak English, why do you want one?"

I replied, "I was just curious to learn how it differed from the menu."

She paused for a moment and said, "What kind of sauce do you want with those nuggets?"

"No sauce, thanks, just extra catsup..."

Archived at http://www.securityskeptic.com/arc20070101.htm#BlogID577 by Dave Piscitello  


Sat, 28 Oct 2006 00:00:00 00, 563
A Celebration of Kaj Tesink

On Wednesday, October 25th 2006, Kaj Tesink of SAIC/Telcordia died following a long and hard-fought battle against pancreatic cancer.

The Internet and international communities lost a valued and energetic contributor to telecommunications and Internet standards. I lost as dear a friend as I could ever hope to have.

To the Internet community, Kaj leaves a legacy of enthusiastic and *constructive* participation. He also leaves his mark in 15 RFCs. Kaj published numerous articles in telecom and Internet journals and trade publications, and co-authored, with colleague Bob Klessig, a fine book on a pre-ATM broadband access technology, SMDS.

To his friends, Kaj leaves a wealth of happy and bittersweet memories. Kaj was more soft-spoken than outspoken, but rarely one to concede an argument without thoughtful deliberation. Kaj was as analytical a personality style as you'd ever expect to meet. He was also kind, thoughtful, and generous, never realizing he was "paying it forward". When Kaj was diagnosed with pancreatic cancer over a year ago, Friends of Kaj appeared seemingly out of nowhere to lend support, comfort and to help Kaj and his wife Elysia use the time he had to their maximum enjoyment.

Kaj loved board games, especially backgammon and cribbage; playing the latter, he was uncharacteristically competitive. Kaj would tell you he beat me in these games more often than not. I'd argue otherwise. The truth lies in the middle. Nibbling on Dutch licorice was mandatory for these activities. Although I have not enjoyed that treat for many years, I know I will always think of my friend whenever the scent of licorice is present.

Born with Marfan's syndrome, Kaj never enjoyed the luxury of an entirely healthy life, yet he enjoyed biking, hiking, and other outdoor activities. A native of Holland, he led a lifestyle most Americans would consider traditionally European. He immersed himself in books more than television. He read newspapers, listened to the BBC, and was better informed of international politics than most Americans are of their home town news.

Kaj is survived by his younger brother Winifred and his wife and soul mate, Elysia. I had the good fortune of serving as Kaj's best man when he and Elysia married. I recall I wished them a long and happy life together and ended the toast with "cent'anni", a traditional Italian blessing that wishes the couple "100 years" of happiness together. I take comfort that part of my blessing came true. While their time together was too short, it was richly lived. Kaj was never happier than when he was with Elysia, and the feeling was mutual. Elysia was as resolute, resourceful, and completely committed a partner as any of us should hope to have when crisis and tragedy strike. Sadly, we live in a time when barely half of all married couples are willing to try to resolve the most trivial matters. Elysia serves as a role model of everything we promise when we say "in sickness and in health".

Elysia asked that donations be made in Kaj's name to the Nature Conservancy (the international branch). If you are so inclined, visit http://www.nature.org and make a donation in his name.

Archived at http://www.securityskeptic.com/arc20061001.htm#BlogID563 by Dave Piscitello  


Sun, 30 Apr 2006 00:00:00 00, 522
A quiet blog month...

My apologies for not publishing as often as I usually do. I've been recovering from traveling, traveling once again to teach Network Security, and busy on the home front.

My wife and I have been working sporadically for nearly three months on a painted kitchen floor that we hope even Debbie Travis would be proud to claim as her own. We remodeled our kitchen recently, and having exceeded our original budget by a factor of three (3), we decided we could not justify an entirely new floor. The floor was wood veneer and, after 15 years of wear, not suited for any refinishing other than paint.

We opted to hand-sand the floor to minimize the dust. Nearly everyone thought we were crazy, but this turned out to be rather simple, since nearly all the water-based polyurethane had already been stripped from the floor through wear. We had to do some patching, since the cabinetry and island layouts were different in the new kitchen. We then applied two coats of latex primer and the Delft-blue base color (again two coats).

It took us nearly an entire weekend to lay out the diagonal checkerboard design. We used a chalk line and painter's tape (rolls and rolls of it). Molly mixed glaze and a darker blue for the second color and painted the 18-inch blocks. I followed her and did touch up.

This weekend, I finally completed the last coats (4) of sealing polyurethane. Paint and hardware stores carry a polyurethane applicator designed specifically for flooring, and it works extremely well. The hardest part of this process is the preparation between each coat: fine sand the finish, dry sponge the dust, and go over the entire surface when dry with a tack cloth. The last step is important and commonly not mentioned by do-it-yourselfers. The entire process, with ample time for drying, took two full days.

We began with a distressed floor and wanted a distressed look, with wood grain, separation lines, and (intentionally) uneven paint. We also wanted a tightly sealed floor that will hold up to typical kitchen and pet traffic. And we wanted to conceal the two unsightly patches. The result is exactly what we'd hoped for.

I now appreciate why painted floors can be more expensive than hardwood replacement flooring, especially if the customer and design are intolerant of the least imperfections:-)

I'll post pictures once we have the furniture in place.

Archived at http://www.securityskeptic.com/arc20060401.htm#BlogID522 by Dave Piscitello  


Fri, 03 Mar 2006 00:00:00 00, 509
Service Review: Stamps.com

Stamps.com is one of several Internet postage services I have been tempted to try. When I finally did give in to temptation, I decided to hedge my investment with a 30-day trial subscription. Stamps.com's Windows application installs cleanly, works fine, and is reasonably intuitive. Stamps.com sends you a starter kit so you can print sticky-backed stamps and shipping labels. Stamps and labels come in sheets. You provide the application with a serial number imprinted on a sheet and it remembers which stamps/labels have been printed from the sheet to simplify printing. You can also print a stamp on an envelope along with return and recipient addresses. You can add your company logo as well.

I am pleased with what Stamps.com provides. I think they could provide much, much more:

  • Currently, there's no way to print a stamp on a pre-addressed envelope or an envelope with a transparent pane. I asked Customer Support about this and they simply echoed my complaint: "Thank you for your inquiry. Currently, there's no way to print a stamp on pre-addressed envelopes. You must use the print stamps on pre-formatted sheets option". This is annoying for three reasons: you must purchase the sheets, you have to enter the recipient address, and you have to purchase envelopes. If Stamps.com chose to do so, they could easily modify the user interface to include a check box to "print stamp on envelope without return/recipient address". This would of course alter the company's revenue model, which must be partly based on selling pre-formatted sheets of blank stamps. But riddle me this: if I have to buy sheets of blank stamps AND pay a monthly fee, why am I not simply purchasing rolls of stamps from USPS.com?

  • In this age of micropayments, why can't Stamps.com offer a graduated monthly subscription service? I've always hesitated using metered postage service because I don't mail that many packages and envelopes. In fact, the $15/month subscription fee just about doubles my postage costs. This isn't all that much to pay for the convenience factor, and I may be able to justify doubling the cost of postage for convenience's sake, but so many other potential customers won't. How hard would it be for Stamps.com to offer a casual/consumer rate, small business rate, and enterprise rate? Look at my numbers. As a casual snail mail sender, I must accept a 100% markup, whereas a small business operator or frequent eBay seller is probably absorbing between 5%-20%. If Stamps.com were to create a graduated monthly fee based on the actual monthly postage fees, I imagine they'd lure enough consumers to their service to more than justify the additional accounting and invoicing complexities.

Stamps.com should take lessons from financial institutions. Banks know how to grow mass markets for new services. Offer it free at first, wait until the service is deemed essential to the majority of the market, then impose a small surcharge. Increase the surcharge over time so that it remains tolerable to the majority of customers.

Will I keep Stamps.com? It depends on whether my experiments to print stamps without purchasing pre-formatted labels are successful :-O

Archived at http://www.securityskeptic.com/arc20060301.htm#BlogID509 by Dave Piscitello  


Mon, 06 Feb 2006 00:00:00 00, 503
Best Super Bowl Commercial

Since the 1984 Apple commercial introducing the Macintosh, Super Bowl commercials have been a huge marketing event. This year, my vote for best commercial goes to Budweiser for the Clydesdale American Dream. The commercial is a heartwarming depiction of a young Clydesdale who takes up the halter of the Budweiser wagon and tries to pull it himself. Two full-grown Clydesdales observe him and quietly slip behind the wagon to offer a friendly push. The colt, believing he's pulled the wagon all by himself, whinnies excitedly. If you are a romantic at heart, love horses, or have watched children (especially your own) fulfill a fantasy, you can't help but love this commercial.

Budweiser offers download-and-play versions of the commercial from its web site. Find links for QuickTime, Windows Media and Real Player formats here. There is also a big screen version, which requires that you use IE and install Maven. Checking Maven's pedigree, Maven Networks is the software company that operates the AETN digital screener system. AETN claims that "Maven is not spyware, and doesn't track a user's computer behavior outside of the AETN application. Usage (playback of the video, shares and interactions) within the AETN experience is monitored by A&E Networks only and is kept confidential". If you're not comfortable with this claim, then use a player you trust.

If you want to read about Apple's 1984 commercial, visit The 1984 Macintosh Ad by Sarah R. Stein. If you want to view it in its entirety, open this link with QuickTime.

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID503 by Dave Piscitello  


Wed, 01 Feb 2006 00:00:00 00, 498
Where do you go to learn?

An assistant publisher contacted me recently, asking how I keep pace with technology change; specifically, she asked:

When you want to learn a major new technical topic (new language, new operating system, new feature of a language, a new security threat, etc) where do you first go to learn (ask a colleague, do a web search, post your question to a newsgroup, go to an elearning environment you/your employer subscribes to, buy a book, .....)?

Why do you choose your first path of learning?

I've already blogged and written about how invaluable searches in general, and Googling in particular, are to my needs. By searching with successively fine-grained filters, I usually discover dozens of articles, reports and white papers. Gathering these in a separate folder of favorites, I next apply some speed learning techniques I acquired long ago while working at Unisys to coarsely filter the credible resources from the not-so-credible-how-could-anyone-think-to-publish-this material. I then read the articles. If they are good, I print or save a local copy, and highlight or e-comment the important facts. If they are really good, I add them to the Security Resource Library I maintain or mention them in my blog.

I also learn quite a bit by commenting and debating a subject via email with respected colleagues, either directly or by posting to private mail lists. These invariably prove to be the most informed and accurate sources. The lists are populated with technology grey beards who are familiar with a broad range of topics. Everyone is basically invited or vetted by other members. Most are industry pundits of one sort or another, an eclectic mix of engineers, scientists, tech attorneys, and independently wealthy folks who thrived beyond the dot bomb.

I lurk and post on some well-moderated mailing lists including Bugtraq, Pen-Test, and Firewall-Wizards. I also follow RSS feeds of security bloggers like myself (Adam Shostack, Bruce Schneier, Anton Chuvakin, Jiri's Notepad, Jaime Lewis, Mark O'Neill).

I'm fortunate to be on the courtesy copy lists of many publishers, and receive at least one book per week. I thumb through these and bookmark chapters I know I'll find useful later.

In parallel with my reading and bookmarking, I routinely compose outlines when I'm doing research for an article. In some cases, the outline evolves into a presentation rather than an article. If it's polished enough, I'll try to present it at a conference. Sometimes, if the interest is high, I'll accumulate enough related presentations and articles to build a day-long workshop. In the case of IP telephony (VOIP) security, a fair amount of this material found its way into the VOIP Security book I've co-authored with Alan Johnston.

I can't honestly say I chose this path for learning. It evolved over time.

Perhaps it chose me:-)

Archived at http://www.securityskeptic.com/arc20060201.htm#BlogID498 by Dave Piscitello  


Mon, 01 Aug 2005 00:00:00 00, 437
The outside of a horse

Teddy Roosevelt is credited with having said, "The best thing for the inside of a man is the outside of a horse". Having completed an exhilarating week riding a spirited gelding while on vacation at a dude ranch in Wyoming, I feel I know exactly what Teddy meant. I'm rejuvenated, refreshed, and relaxed, but mostly full of regret that my path in life keeps me from spending months rather than weeks riding in the Grand Tetons.

After four visits in five years, I find I am happier in and around the Teton and Yellowstone National Parks than anywhere I've ever been. I've also concluded that my affection for this part of Wyoming is due in no small part to riding. God intended that we see the Tetons from the back of a horse (no sacrilege intended). Why? Well, when you ride a horse, you cover as much ground as you would driving. The stop-and-go pace of crowded park roads assures that driving is slower going than a long, comfortable trot - and yes, I'm finally a competent enough rider that I can actually use "comfortable" as an adjective for "trot". You also see more of the park than you'll see if you walk (unless you can walk about 10 miles, a mile and a half above sea level, over the course of 2 1/2 hours, twice a day).

We encounter wildlife in its natural habitat, closer than if we were in a vehicle. How close? Less than one hundred feet. Elk run from an SUV, but allow riders on horseback to cut through the herd. There's no engine noise and emissions to prevent us from hearing how a calf and cow communicate to locate each other. The sounds and scents from horses don't spook elk, and apparently mask the stink of the omnivores astride their backs.

We circle a herd of nearly 300 American bison, and your horse instinctively maintains a safe distance. The bulls stare you down. We're close enough to see their breath in the cool morning air, and to note that bulls have straight horns while the horns of the cows are curved. We observe how the cows circle around their young, like wagons anticipating an Indian attack.

Our wrangler leaves the trail and blazes his own, in search of a bull moose, pronghorn antelope, even a brown bear (grizzly). Wolves now populate the Tetons, and we wonder if we'll catch a glimpse of the pack we heard howling the night before.

We stumble upon a coyote. It bolts, and our wrangler gives chase! Cowboy fox hunt.

Our daughter keeps a checklist of the animals we've seen in the Tetons: bison, elk, mule deer, pronghorn antelope, moose, eagle, great white owl, heron, pelican (really!), coyote, badger, beaver, ground squirrel, and red tail hawk. Many of these live in habitats unreachable by foot or vehicle.

Riding at this particular dude ranch, the Triangle X, is special. If you can ride, you *will* ride, as in trot, canter, and gallop. You'll climb foothills and cross ridges on trails narrower than anything most folks would dare cover on foot. Take a full-day ride, and you'll climb to Ram's Horn, about 10,500 feet. The trails here are narrow, rocky, *and* steep, but the view is incomparable. Imagine yourself at the top of the Sears Tower, but from the tower you can see the Bridger Mountains in Montana, the Tetons and Yellowstone Mountains in the south, and in the distant south, the Jackson Hole and Gros Ventre Slide.

You'll gallop through the shallows along the Snake River to cool off, and your horse will prove beyond doubt that his breed is playful, intelligent and *competitive*. You'll jump gullies. You'll learn that there's no shame in grabbing hold of a fistful of mane when your horse shies from a shadow, or stump, or scary rock.

Our son Matt had the unique experience of swimming across the Snake River on horseback. You have to see the current of the Snake firsthand to appreciate how daunting an effort this might be if you swam alone.

The poorly kept secret is out: Dave loves horses.

BTW, Teddy was only partly right about horses. If you treat them well and earn their trust, horses are wonderful, reliable, and playful companions. The best thing for the inside of a man may just be the inside of a horse...

Archived at http://www.securityskeptic.com/arc20050801.htm#BlogID437 by Dave Piscitello  


Mon, 18 Jul 2005 00:00:00 00, 433
Setting COI issues to rest

A colleague forwarded me a link to a GNSO mail list thread with the Subject line of "Dave Piscitello". After reading the message, I feel obliged to set the record straight. The message body reads:

So this guy seems really apolitical. Certainly competent and well spoken.

My questions are: Now that he has a staff position, how can he possibly avoid a conflict of interest when working for contractors with ICANN and working for ICANN? It almost seems incestual? Are Dave Piscitello and Crocker going to get along?

http://www.securityskeptic.com/weblogindex.htm

http://www.icann.org/

ICANN Announces New Staff Appointment 2 June 2005

First, I'll thank the author for the compliments. I appreciate being perceived as competent and well spoken.

Now, let me speak to the comment that I "seem really apolitical". I hope this was intended as a compliment: Isn't being politically neutral a requirement for my ICANN SSAC position?

On to the most serious concern: conflict of interest. For the record, my arrangement with ICANN is that I will discuss with general counsel before accepting any consulting work, to assure that no conflicts of interest exist. Before I joined ICANN, I disclosed my ongoing business relationships with Watchguard, Aventail, TRA, CMP, BCR, et al. Everyone was satisfied that no COI existed prior to my hire, and we will all work to see that none arise while I'm employed by ICANN.

The final question, "Are Dave Piscitello and Crocker going to get along?" is actually quite amusing, so much so that I forwarded it to colleagues Marcus Ranum and Fred Avolio, who have worked with Steve at Trusted Information Systems and would appreciate the irony. I've known Steve Crocker for more than fifteen years, and had the good fortune to work with him while TIS was contracted by Bellcore for a secure SNMP project in the early 1990s: since I was the Bellcore project leader, I suppose he worked for *me*:-) I consider Steve a colleague, mentor, and friend.

I am confident that Dave Piscitello and Steve Crocker will continue to get along smashingly well.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID433 by Dave Piscitello  


Sat, 04 Jun 2005 00:00:00 00, 413
New format for future digests

Recipients of my monthly digest have complained that the digests don't provide a direct link to the blog entry. I have corrected this, and in future digests you'll see something like this:

Digest of Dave Piscitello's WebLog (http://www.securityskeptic.com/weblogindex.htm)

Mon, 23 May 2005 00:00:00 00, http://www.securityskeptic.com/arc20050601.htm#blogID410

Subject: Security's 4-legged Stool needs reinforcement

During a recent thread on the Firewall Wizards email list, one participant called...

I have overlooked this too long. Sorry for the inconvenience. I now understand why the page search is so frequently used!

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID413 by Dave Piscitello  


Wed, 01 Jun 2005 00:00:00 00, 411
Tilting at new windmills

I have accepted a fellow position at ICANN, the Internet Corporation for Assigned Names and Numbers, on the Security and Stability Advisory Committee, (SSAC). The official staff appointment is here.

The SSAC charter is quite expansive, and includes such activities as "developing a security framework for internet naming and address allocation services" and "engaging in ongoing threat assessment and risk analysis of the internet naming and address allocation services to assess where the principal threats to stability and security lie, and to advise the ICANN community accordingly".

I have the privilege of reporting directly to Dr. Stephen Crocker, whom I greatly respect (Steve, along with Vint Cerf and Jon Postel, was part of the original IMP deployment team at UCLA). I am also excited by the prospect of working with an impressive group of experts from the domain name and internet address allocation services community.

I will still be active in Internet Security, and will still post here. As opportunities appear, I hope to write more about DNS and Internet naming security, along with the customary fodder you've encountered when you visit.

Archived at http://www.securityskeptic.com/arc20050601.htm#BlogID411 by Dave Piscitello  


Fri, 20 May 2005 00:00:00 00, 408
Does Wiley know something I don't?

I routinely receive review copies of security books from several publishers. Today, I received a copy of "The Unofficial Guide to Getting a Divorce, 2nd Edition". Aside from the possible ambiguity of one of the chapter titles - MAKING THE MOST OF IT - I don't see any reason why I might be sought out to review this work.

My immediate worry was that my wife might become upset, imagining that I had plans to bail just shy of our 20th anniversary. Fortunately, she laughed when she saw the book.

According to the review guide, nearly half a million marriages end in divorce each year. I assure you, Molly, that I am not eager to join that less than elite group.

Archived at http://www.securityskeptic.com/arc20050501.htm#BlogID408 by Dave Piscitello  


Fri, 29 Apr 2005 00:00:00 00, 394
96,543 web log errors is enough...

At the very top of the list of files my web visitors failed to find is "favicon.ico". For whatever reason, I never put a bookmark icon image in my home directory, but the pending embarrassment of rejecting more than 100,000 requests for *anything* made me feel negligent. I've corrected the oversight. I'm certain I'll sleep more soundly tonight.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID394 by Dave Piscitello  


Wed, 27 Apr 2005 00:00:00 00, 392
Music to my ears... and finally, to my daughter's!

My daughter had a rather delicate surgery in January to restore hearing loss. The surgeon performed a transdermal tympanoplasty, which is a skin graft to create a new eardrum. Today, her audiogram confirms a 100 per cent restoration of hearing in her left ear; prior to surgery, it had deteriorated after years of infections to barely 15 per cent.

Those of you with children can especially appreciate how exciting an event of this kind is. We don't actually expect the volume to turn down, as Taylor becomes a teen in a month, but at least we now know she can hear, but chooses to listen to LOUD music (and being of the Woodstock generation, who am I to complain about that!).

Thank all of you who offered support and prayers.

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID392 by Dave Piscitello  


Mon, 18 Apr 2005 00:00:00 00, 388
Close encounters of the googlekind

My attention is often distracted by search results I'm returned when I use Google. While searching for the term used for the watertight hatches on a submarine so I could accurately use it as part of an analogy in a security presentation, I came across a luxury submarine, the Phoenix 1000, which "provides its owner with substantially more capability than a simple yacht".

The Phoenix is 213' long and costs approximately $78M US. Distracted from my original search, I decided to see just how much a 200 foot surface yacht might run. Oddly, Merlewood & Associates is brokering a 200 foot motor yacht, the Lioness, for - you guessed it - approximately $78M US.

Amazing the choices one has when one can spend $78,000,000.00 on a luxury item:-)

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID388 by Dave Piscitello  


Sun, 17 Apr 2005 00:00:00 00, 387
New look: columns without tables using style sheets

I like a multi-column, "newspaper page" look for web sites, but like many casual web developers, I struggle with nested HTML tables. Recently, I was directed to Ruthsarian Labs, where I found several layouts that use cascading style sheets to create multi-column layouts. Some of the style sheets are very fancy, and provide a masthead and footer. I've chosen one of these for the makeover of my site. Ruthsarian Labs' layouts are free to download and use. Thank you for the layouts and education in CSS!

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID387 by Dave Piscitello  


Tue, 05 Apr 2005 00:00:00 00, 384
Is this Dublin or Seattle?

I am teaching this week in Leixlip, Ireland, a village south and west of Dublin. Or is this Seattle, Washington, USA?

I ask because both cities have similar weather patterns, and in both cities, citizens cheerfully suggest that, "if you don't like the weather, wait a while and it will change".

Here's an example of just how much - and how frequently - Dublin weather changes. During a three-hour period midday today, it drizzled; cleared and grew sunny; darkened and rained heavily; cleared to gray skies; darkened once again and hailed, turning to snow flurries; and finally cleared to partly cloudy once again. Seattleites, doesn't this sound like *your* weather?

Archived at http://www.securityskeptic.com/arc20050401.htm#BlogID384 by Dave Piscitello  


Mon, 14 Mar 2005 00:00:00 00, 378
Unsettling figures - who the U.S. Senate "majority" might represent

If you visit www.senate.gov, you'll read that "To balance power between the large and small states, the Constitution's framers agreed that states would be represented equally in the Senate and in proportion to their populations in the House."

In a March 14 2005 New Yorker Magazine Talk of the Town comment, "Nuke 'em", Hendrik Hertzberg explains that state representation in the modern millennium may not exactly work out to the balanced power the Constitution's framers sought. Hertzberg explains that, as composed today, "Fifty one senators - a majority - can represent states with as little as seventeen per cent of the American People."

Numbers like these aren't much fun. The Bush administration declared that winning 51% of the vote in November 2004 gave them a mandate for the President's 2nd term. Now we see that 17% of the states - probably red ones - can vote on a bill, and declare that the passage should be viewed as a mandate.

If you're not happy with these figures, consider that to obtain the sixty votes necessary to override a veto, you need only obtain votes from both senators of twenty-four percent of the states.

Sigh...

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID378 by Dave Piscitello  


Wed, 02 Mar 2005 00:00:00 00, 373
Blog digest error

Apologies to those of you who receive my monthly digest email. I migrated my blog software from one PC to another, and in the process failed to import my old .ini file, where I had increased the default blog summary length from 30 to 80. Thirty is simply too few characters to spark interest in a blog entry, even a rant.

Archived at http://www.securityskeptic.com/arc20050301.htm#BlogID373 by Dave Piscitello  


Thu, 24 Feb 2005 00:00:00 00, 369
When you can't see the apostrophe...

I'm listening to a Savannah area Pop 40 "morning" show while driving my daughter to school today. One of the radio personalities begins chatting about a couples' shower she has to attend with her husband. I'm momentarily lost - either this woman has an entirely different notion of a "couple's" shower than I (fondly) recall from my younger, less inhibited days, or she's about to take the conversation in an even edgier direction than I want to hear with my twelve-year old in the passenger seat.

I reach to change the station, and one of the male personalities begins to whine about how awful "couples'" baby showers are. I relax, and think about how easily one can misinterpret the spoken rather than printed word.

And how a one-character shift of an apostrophe in a word can change a really pleasant experience into a considerably less pleasant one:-)

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID369 by Dave Piscitello  


Thu, 17 Feb 2005 00:00:00 00, 364
Congratulations Vint!

It's not often a close friend is honored in such a manner, but Vint is no ordinary friend. According to the New York Times, The Association for Computing Machinery plans to announce that Vinton Cerf and Robert Kahn will receive the 2004 A. M. Turing Award for creating the underpinnings of the Internet.

Archived at http://www.securityskeptic.com/arc20050201.htm#BlogID364 by Dave Piscitello  


Thu, 13 Jan 2005 00:00:00 00, 352
The juxtaposition of memories and digital re-mastered music

My son bought me a CD for Christmas, an anthology of Neil Young's greatest hits. I finally had an opportunity to listen to it while driving. My vehicle has excellent sound insulation and, by my modest metrics, an equally excellent stereo with god knows how many speakers.

Is that really Neil Young?

Something's wrong. That's "Cowgirl in the Sand"? It sounds so sanitized. Without the scratching and hissing from my worn stylus, lame speakers, and poorly terminated copper wiring, I hardly recognize Neil's voice. The guitar licks are so exacting; they have a synthetic character. I don't remember those 3 notes at the beginning; I imagine they were worn away after the first hundred plays of my beloved vinyl LP.

It's more than this. My memory insists that, if this is really Neil Young, he *must* be played loudly; in my various dorm rooms, crammed and shared apartments; all night and through the wee hours of the morning; with candles and incense and traces if not clouds of smoke of the "not cigarette" kind; while cuddling with a coed on a lumpy sofa with a Mexican blanket in a time before anyone knew to call it shabby chic. Not, as I find myself, driving to the grocery store in mid-afternoon; in a smoke-free, leather-upholstered-and-heated-seat vehicle that cost more than my entire four years of tuition, room and board; with my 12-year old daughter asking why we're listening to this CD and can't we listen to Avril Lavigne instead.

My reaction to digital re-mastered music is pretty much the same as "colorizing Casablanca". Ingrid Bergman was breathtaking in black and white. B&W movies had an ethereal quality that I've always felt stimulated my imagination and were closer to dreams than reality.

I don't know if you really distinguish dreams from memories (real and imagined) as you get older. I do know there are some cuts I'd rather listen to in their original, analog rendition than digitized.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID352 by Dave Piscitello  


Tue, 04 Jan 2005 00:00:00 00, 345
Before you buy yet another ringtone...

Consumers are spending nearly $300M/year on cellular phone ringtones.

Before the Tsunami, I thought, "Can't folks throw their money away on something more interesting than ringtones?"

If there's ever been something more interesting - and worthwhile - at which to redirect some of that $300M, it's got to be the victims of the Tsunami. CNN devotes an entire page to legitimate organizations who are providing aid to victims in South Asia and East Africa.

Before you visit qtones, katazo, or planetringtone, visit CNN.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID345 by Dave Piscitello  


Mon, 20 Dec 2004 00:00:00 00, 341
New member of the family

For about three years, my wife and I owned a hole in the ocean into which we threw money. Unnamed, inanimate, underused and expensive to maintain, our 21 foot Grady-White cuddy wasn't too hard to give up.

We now own a horse, which only has "expensive" in common with the Grady-White. Paddy (officially, Bees My Sugar) is an eight-year old paint, approximately 16 hands, animated and intelligent, visited and ridden nearly daily.

As is the case with all our animals, Paddy is a rescue. Molly has nursed him back from a serious hoof ailment and months of isolation that nearly soured him to a point where he behaves well under an experienced rider. She and her trainer/instructor have begun Parelli exercises with him to get him in shape for other riders, including me. Wish us luck and wish Paddy continued health and recovery! I'll post photos soon.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID341 by Dave Piscitello  


Fri, 17 Dec 2004 00:00:00 00, 339
Bobcats Wrestling

My son Matt wrestles varsity for Bluffton High School. I host the Bobcats Wrestling web page at http://www.bobcatswrestling.com.

A photo of Matt pinning his Colleton County opponent made the front sports page of the Hilton Head Island Packet today.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID339 by Dave Piscitello  


Sun, 05 Dec 2004 00:00:00 00, 334
Peanut Butter and Isopropyl Alcohol...

Q:What do peanut butter and isopropyl (rubbing) alcohol have in common?

A:You'll find both in the auto detailers' toolkit.

Peanut butter removes the chalky residue that auto wax leaves on black trim. The composition of the peanut butter is abrasive enough to scrub and buff out the wax. No, you don't need chunky style...

A fellow who details cars for a living told me about rubbing alcohol. Sure enough, it is the best way I've found to remove pine tree sap from auto paint finishes and (trust me) we have a *lot* of pine sap in the Carolinas. Ironically, you don't have to rub hard at all. All the commercial bug, tar, and sap removal agents I've used require far more rubbing. A bottle of rubbing alcohol is about a third of the cost or less - such a bargain!

After I remove all the wax residue, I apply ArmorAll or an equivalent product. After I remove sap, I generally wax my car(s). Even when I simply remove one or two spots, I will rinse where I've applied alcohol and spot-polish the finish.

Archived at http://www.securityskeptic.com/arc20041201.htm#BlogID334 by Dave Piscitello  


Fri, 05 Nov 2004 00:00:00 00, 326
Four more years - of exclusion?

As much as I try to avoid reacting to ten-word sound bites, I admit I haven't been able to avoid them since the election. After a week of victory crowing, many of the less-than-pithy post-election claims and promises are grinding me down.

They paint *such* a grim picture of the next four years.

Few would argue that the 2004 campaign was mean-spirited, at local, state, and federal levels. Candidates from all parties discredited, disparaged, and vilified opponents. In the aftermath, the post-victory sound bites all suggest that 51% of American voters hold the other 49% in pretty low esteem.

We're patriotic; you're not...

We're strong; you're weak...

We have moral values; you don't...

Liberal thinking is evil!

We are as polarized a society as you could statistically imagine. I find it repulsive that anyone could suggest that the election results demonstrate that a majority of the U.S. population believes *Liberal Democrats* have no faith; are condemned to burn in hell for their rejection of Biblical law; harbor terrorists in their condos; and want the international community to dictate U.S. policy. I find it frightening that high-ranking party members and newly- or re-elected federal and state officials are espousing such thinking and flaunting it publicly.

This is exclusionary thinking in the extreme. Exclusion is un-American. Patriots defend the rights of every American. The strong protect the weak. Those with moral values set examples. Liberal thinking tempers conservatism. If you don't agree, read the Constitution. And your Old and New Testaments.

Archived at http://www.securityskeptic.com/arc20041101.htm#BlogID326 by Dave Piscitello  


Wed, 20 Oct 2004 00:00:00 00, 318
The Stephen King of online IT resources

I've had a long and rewarding relationship with Watchguard Technologies. I like the products. I like the people. Scott Pinzon, LSS editor, reminded me recently that the feelings are mutual.

I host a general security library at my personal web site. After I'd invested some time hunting down spyware resources to fix my son's PC, I discovered I'd found so many resources - and good ones - that I decided to host and maintain a resource page on spyware.

The page is popular, and generates enough AdSense revenue from Google that a server upgrade is within sight! I realized that quality resource pages were both a service to the community and revenue producers (or expense offsetters). So I began carving out topic specific resource pages from my library. Over a period of about a month, I'd created 5 resource pages, and these are all among the most popular hits on my site.

One recent page is on VOIP Security. Having visited this page after three others he found interesting, Scott Pinzon wrote a piece on Watchguard's RSS feed, Wire. In it, Scott says some very kind things about my efforts:

"I am tempted to describe Dave Piscitello as "the Stephen King of online IT resources." Lately, he has been cranking out a prodigious amount of work reminiscent of Stephen King's four-novels-a-year pace. And, like Mr. King, Dave's offerings hit more often than they miss..."

There's more, and I want to thank Scott for helping me promote these initiatives.

The hardest thing about hosting resource pages is keeping them fresh. If you visit my pages and can contribute a resource, please do!

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID318 by Dave Piscitello  


Thu, 14 Oct 2004 00:00:00 00, 317
Presidential debacles

I honestly don't know why we have debates, or more precisely, why we call what presidential candidates engage in "debates". I cannot recall a single televised debate, in this election or any over the past 4 presidential elections, where candidates debated a topic, with well-formulated proposals and novel ideas. Instead, every candidate throws waves of party-pleasing platitudes and drones on about their opponents' dreadful track records. Given the long list of shortcomings, failures, questionable entanglements, and objectionable voting records each candidate flings at his opponent, I find myself asking, "why on earth would any rational being vote for either of these guys?"

Can candidates really present a strong case and a clearly articulated plan to solve the myriad of problems on the U.S. Federal government's to-do list? Honestly, what can W or Kerry promise? Can either say,

"Hi, I'm your candidate. I'm influential, credible, and knowledgeable enough to overcome a divided congress that won't set aside partisan politics. I am a student and advocate of the U.S. Constitution, have no private agenda, and am thus eminently qualified to fill Supreme Court vacancies with judges who will see that our country's laws are consistent with what the Framers intended.

"I know how to satisfy constituencies on both sides of thorny issues like abortion and gay marriage. Under my administration, pro-life advocates will have the opportunity to adopt or arrange and finance adoption and care for any unwanted pregnancy. Gays can marry, but only in closets. Yes, folks, I'm kidding. Truth is, we have so many more serious problems, I just don't see these as being issues a president ought to put ahead of health care reform, improved education, disaster relief, and poverty in the largest and most economically viable country on earth.

"The 900-page tax reform proposal I wrote last night eliminates every inconsistency and reduces taxes for everyone yet adds nearly a trillion dollars to the budget each year. And that trillion dollars will pay for universal health care exceeding what members of the U.S. Congress receive; increase social security benefits; provide approximately $7000 per student for education for every state in the Union; amend insurance practices so that windfall profits are used to offset premiums; and provides tax relief for companies that pay employees salaries that exceed the minimum wage.

"I have spoken with diplomats and heads of state of every member of the United Nations, who now understand and trust me to make sound decisions regarding international matters..."

Back to reality. Neither presidential candidate can deliver on any promise made during an election campaign. It's simply not under his control! And this is what the Founding Fathers intended the office of the president to be! The office of the president (Article II) was created after Congress (Article I) and it's arguably the least empowered office.

Presidents with lasting influence are historically rare. Teddy Roosevelt awed and inspired. Thomas Jefferson was flat-out brilliant. People like these don't run for president any more. Then again, perhaps today's problems would deter them both as well.

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID317 by Dave Piscitello  


Mon, 11 Oct 2004 00:00:00 00, 314
Hurricane Relief

I'm back from a long weekend in Gifford and Vero Beach, Florida, where I helped re-roof the Gifford AME church. These communities were both seriously affected by back-to-back hurricanes. I posted a brief photo journal of our relief efforts here (securityskeptic.com/hurricane-relief.htm; now on my Facebook page). I can't tell you how good it feels to help people in a very tangible way.

Living in a community that could easily suffer similar hurricane damage, the entire experience was sobering as well: life's precious, respect and enjoy it!

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID314 by Dave Piscitello  


Wed, 04 Aug 2004 00:00:00 00, 290
Sayonara, Eudora, ohayo-gozaimasu Pmail

I have been using Eudora email clients since my Macintosh SE days, so it's no small deal for me to be changing email clients. Why change after nearly two decades of use?

Things I love to hate about you, dora. I purchased Eudora 4.1 for Windows and subsequent upgrades, yet the program insists on asking me to register over and over again. It periodically asks me to reveal my user behavior. It processes hyperlinks badly (a symptom that has persisted from Windows NT through XP, on five computers). Filters have always been non-intuitive and clunky.

Never can say goodbye? For years, I've found excuses for not trading in or trading up. Version 4.3.2 supports whatever version of PGP I use, and I use the version that works with the folks in my keyring. I have a filter set, clunky and overly long, that mostly works. I know every power key. I know nearly all the files in the Eudora folder, and what I don't know about the .ini file, I can learn quickly from my colleague Fred Avolio or my partner, Lisa. I can resurrect folders from 1994 (if the floppies are still readable), and the mail looks as if it's just arrived. I should be sittin' fat and happy, right?

Familiarity breeds contempt. For all that versions 4, 5, and 6 purport to have changed, they haven't really changed. I downloaded the trialware for each major version, and despite new skins and "new" features, it's still pretty much the same Eudora I've launched every day. I'm still using 4.3.2 because trial after trial, I just didn't see anything sexy or edgy enough to make me want to buy the new software, or buy the PGP that works with it.

I realize that I still have that "email clients should be free" mentality that first attracted me to Eudora. Somewhere on the Internet, there must be some client that does what Eudora does, and is more secure.

What I found was David Harris' Pegasus Mail (Pmail). I've used it for only 24 hours, but am already very comfortable with it, largely because it's enough like Eudora in ways I find important, and different or better in features I found lacking in Eudora. For "unencumbered and free" it's a very complete piece of software. It installed cleanly, and didn't require a restart (always earns a smiley face). It's got a familiar and intuitive user interface, similar to Eudora in many respects. Filter creation is (for me) more intuitive than in Eudora. Spam and content protection are built in. Pmail has shared-secret based email security for bulk encryption and digital signing, and it supports PGP. Fancy email editing includes font styles, tables, picture insert, and hyperlink embedding. The Pmail client is also an LDAP, Finger, and PH client. It has distribution list support, and works with Norton AntiVirus. And several folks have gone to the trouble of creating address and Eudora mail folder import utilities. It's also a much smaller executable than Eudora.

Pegasus mail is public service software. It's traditional Internet, with non-official support and FAQ sites, and developers who create plug-ins and interact on mail lists. It's community-ware, like the early versions of Eudora...

Still too early to tell, but Pmail looks like a keeper. I'll keep you posted.

Archived at http://www.securityskeptic.com/arc20040801.htm#BlogID290 by Dave Piscitello  


Tue, 20 Jul 2004 00:00:00 00, 284
Exciting Lives of David Piscitello(s)

My name isn't that common. David is not a typical Italian "given name". So when I come across other David Piscitellos on the web, I take notice.

Detective David Piscitello of the Cheektowaga Police Department earned a for conducting an extensive investigation into the 1999 attempted murder of a truck terminal security guard. After "a difficult and painstaking investigation and at great personal risk" he arrested the two armed perpetrators and the getaway driver at gunpoint. Two David Piscitellos, in different security worlds.

Another David Piscitello is still distance running and, at least in 2002, still collecting top 10 finishes all over the Midwest in the 40-44 Male category. He's run five kilometer races in an impressive 18:37. Andy Piscitello, presumably a relative of the Harrah, Oklahoma, Dave, finishes in the Top 10 as well. They both must be taller, thinner, and endowed with more resilient backs than I.

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID284 by Dave Piscitello  


Fri, 16 Jul 2004 00:00:00 00, 282
Close encounter with a Hall of Famer

Stagg Newman, my former Executive Director at Bellcore, has a lovely horse farm adjacent to the Pisgah National Forest in North Carolina. I visited him this week, and went horseback riding through trails in and out of the forest. Stagg and his wife, Cheryl, own and nurture five stunning Arabians. Arabians are beautiful horses, and the Newmans' Arabians are exceptionally so, in no small part because they are endurance horses, trained for 25, 50, and 100 mile rides and competitions. Having observed Stagg and Cheryl for only a few days, I'm pretty certain the Newmans' horses are special because they are loved and respected by very special horse owners. These horses aren't equipment, they're family...

I was thrilled to have the opportunity to ride any one of these beautiful, affectionate and intelligent horses. I was stunned and honored when Stagg let me ride Ramegwa Drubin, his 21-year-old Arabian who was inducted last year into the AERC Hall of Fame. Drubin, who's just over 14 hands, has won dozens of competitions and earned numerous honors over his career, and still holds the record for most competition points in a single season. "Pony", as Stagg calls him, provided the most pleasurable experience I've ever had on horseback. I wish I were a better rider so that he might have had more than a tolerable time with me on his back:-) and I look forward to riding him soon. Thanks, Stagg and Cheryl!

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID282 by Dave Piscitello  


Sun, 27 Jun 2004 00:00:00 00, 275
If the sink fits...

When our part-Siamese kitten, Cookie, isn't ridding our lawn of moles and our attic of critters, he chills out in a "made-to-fit" oval sink in our master bathroom. Cookie is a Garfield wannabe: eat, sleep, eat, catch a critter, whack the dog... repeat...

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID275 by Dave Piscitello  


Fri, 18 Jun 2004 00:00:00 00, 268
Sympathies to the family of Paul Johnson, Jr.

The daily dose of hate, anger, evil, malice and destruction just keeps growing and my faith in mankind is withering. I'm certain Tim Berners-Lee and all those who helped invent the web never imagined it would host the horrifying content posted today by suspected al-Qaeda terrorists. My family will pray for Paul Johnson Jr.'s family and friends. Please take a moment and do the same.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID268 by Dave Piscitello  


Tue, 18 May 2004 00:00:00 00, 253
ReplayTV added to my network

I've always been a late adopter of technology. I love disruptive technologies but hate the "first with the boy toy" premium. When Amazon.com reduced the price of the 80-hour model 5500 to $226 including shipping, I figured, "it's time..."

To connect my ReplayTV to the Internet, I expanded my HomePlug network to three power line bridges. Since I'd just encountered wiring *issues* earlier this month, I verified my network expansion by connecting this third HomePlug directly to a laptop (rule of thumb when networking: never introduce more than one new variable - cabling, adapter, device, topology change, protocol, OS, application - at a time!). The physical path between the ReplayTV and the office bridge provides 4.6 Mbps, so here's an example of how HomePlug bandwidth varies depending on line quality.

ReplayTV does TCP/IP about as plug-and-play as you can imagine, using DHCP out of the box, but failing over to manual configuration if no DHCP server is discovered. My pool of DHCP served addresses is intentionally small, and I forgot to increase it before I added my 5500 to my network, so I manually configured Internet settings. I wanted to get a feel for the intended user experience, so I reset the device to factory defaults (remarkably, it's documented in the manual!) and the rest proceeds automagically.

Fifteen minutes after ReplayTV is installed, I am thinking, "how did I live without this?" The value add of ReplayTV for me and my wife is a simple proposition: 90% of TV programming on our 70+ channels is dreadful, and 5% of what remains is Law and Order. We figure we can program ReplayTV to record the 5% or less of what we would love to watch and play it when we manage to find an hour to relax before we crash.

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID253 by Dave Piscitello  


Sat, 15 May 2004 00:00:00 00, 250
Google AdSense

I am experimenting with Google AdSense. Google places ads of vendors and services that are relevant to the types of things I write about. If you choose to visit one of the ads, I receive a micro-payment. I hope to recover some of the time and thought I put into my blog through AdSense.

Google frowns on click-thru abuse, and I am a bit nervous about ad abuse and fraud. If you see an ad of a white paper you might find interesting, by all means visit it. Don't visit ads thinking you'll help Dave earn a Ferrari or pay for college tuitions: I don't need the ad revenue that badly.

During the first week of running AdSense, I've tried to confirm that the ads placed by Google are relevant to the content I've created. You'll find ads for firewalls on the firewalls category page, antispam products on the SPAM page, etc. One place where oddball ads may appear is my Rant page. I have the option of blocking ads I deem inappropriate, so if you encounter one, please email me the URL and I will blacklist that site.

By adding AdSense, I've now introduced a (Google) cookie into the equation. I realize some security people despise cookies. I believe the cookie is only created if you click through a link and will confirm this with a LAN analyzer shortly. I'm sorry if the presence of a cookie prevents you from visiting my blog. Google explains their privacy policy at https://www.google.com/adsense/faq#privacy1, so I encourage you to read it if you're uncomfortable.

Do visit my AdSense links if the ads intrigue you. Some of the ads intrigue me. I'm careful to copy the URL and visit without the AdSense cookie so that Google has no reason to suspect abuse on my part (I suspect they filter my requests and will investigate).

Last point. I won't be modifying my content or restraining myself from expressing an opinion simply because I now have "sponsors". If a company complains about something I write, I'll add them to my AdSense blacklist (and tell you!).

Thanks in advance for your support and appropriate use:-)
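The cookie check this entry promises to do with a LAN analyzer can be reduced to one question: which hosts send Set-Cookie when the page is merely viewed, and which only after an ad is clicked? The following is an added example, not code from the original post, and the captured response headers and ad-network hostnames in it are constructed stand-ins, not a recording of what AdSense actually sends. It parses Set-Cookie headers out of raw responses, attributes each cookie to the domain that will receive it (the Domain attribute, or the responding host when there is none), and reports the third-party cookies per phase so the same code can be pointed at real captures.

```python
"""Which hosts set cookies on a page view versus an ad click-through?

Added example (not from the original post).  CAPTURES is a constructed trace
of (phase, responding host, raw HTTP response headers); the ad-network and
advertiser hostnames are illustrative assumptions, not real AdSense hosts.
"""
from collections import defaultdict

# Constructed captures.  Phase "pageview" is what a browser fetched to render
# the blog page; phase "click" is what it fetched after clicking an ad.
CAPTURES = [
    ("pageview", "www.securityskeptic.com",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ("pageview", "pagead.example-ads.net",          # ad script host (assumed)
     "HTTP/1.1 200 OK\r\nContent-Type: text/javascript\r\n"
     "Set-Cookie: PREF=abc123; Domain=.example-ads.net; Path=/\r\n\r\n"),
    ("click", "pagead.example-ads.net",
     "HTTP/1.1 302 Found\r\nLocation: http://advertiser.example/\r\n"
     "Set-Cookie: CLICK=xyz; Domain=.example-ads.net; Path=/\r\n\r\n"),
    ("click", "advertiser.example",                 # landing page (assumed)
     "HTTP/1.1 200 OK\r\nSet-Cookie: session=42; Path=/\r\n\r\n"),
]


def parse_set_cookies(raw_headers, host):
    """Return [(cookie_name, domain)] for every Set-Cookie in raw_headers.

    A Set-Cookie without a Domain attribute is host-only, so its domain is the
    responding host.  Header names and attribute names match case-insensitively.
    """
    found = []
    head, _, _ = raw_headers.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:            # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0].strip()
        domain = host.lower()
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "domain":
                domain = val.strip().lstrip(".").lower()
        found.append((cookie_name, domain))
    return found


def cookies_by_phase(captures):
    """Map phase -> sorted list of (domain, cookie_name) set during that phase."""
    result = defaultdict(set)
    for phase, host, raw in captures:
        for cookie_name, domain in parse_set_cookies(raw, host):
            result[phase].add((domain, cookie_name))
    return {phase: sorted(s) for phase, s in result.items()}


def is_first_party(domain, site):
    """True when the cookie domain is the site itself or a parent of it."""
    domain, site = domain.lower(), site.lower()
    return domain == site or site.endswith("." + domain)


def third_party_cookies(captures, phase, site):
    """Cookies set in `phase` that will be stored for a domain other than `site`."""
    return [(domain, name)
            for domain, name in cookies_by_phase(captures).get(phase, [])
            if not is_first_party(domain, site)]


if __name__ == "__main__":
    for phase in ("pageview", "click"):
        print(phase, third_party_cookies(CAPTURES, phase, "www.securityskeptic.com"))
```

Replace CAPTURES with headers pulled from a real capture (one entry per response) and the page-view list tells you whether any third-party cookie is set before a reader clicks anything; in the constructed trace above it is, which is exactly the outcome a LAN analyzer run would confirm or refute.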

Archived at http://www.securityskeptic.com/arc20040501.htm#BlogID250 by Dave Piscitello  


Thu, 04 Mar 2004 00:00:00 00, 215
PartyBingo dot com?

I subscribed to Virtual Press Office years ago so that I could get press passes for trade shows. I write freelance for trade pubs so I do in fact qualify. I never cancelled the subscription and VPO pushes email summaries of press releases.

Today was a slow press release day for security and wireless, so I glanced through releases in the other categories VPO includes in the mail they send me.

This release caught my eye...

Mar 04, 2004 14:29

PartyBingo.com to Co-Sponsor the 16th Annual World Championship Bingo Tournament and Gaming Cruise

CURACAO, Netherlands Antilles --(Business Wire)-- March 4, 2004 PartyBingo.com (www.PartyBingo.com), one of the leading online bingo sites -- in association with Bingo Bugle and Special Events Cruises -- will be the official co-sponsor of the 16th World Championship Bingo Tournament and Gaming Cruise in 2004, along with Bingo Bugle. Bingo Bugle has staged the cruise for the last 16 years.

This conjures images of a huge boatload of senior citizens arrayed along long rows of tables playing bingo 24x7 while the Carnival cruise ship, Conquest, makes its way to Curacao.

Of course, when everyone tires of Bingo, they can head to the slot machines. Aging gamblers in Paradise.

I pray I'll still be fit enough to ride and hike through the Grand Tetons.

Archived at http://www.securityskeptic.com/arc20040301.htm#BlogID215 by Dave Piscitello  


Thu, 26 Feb 2004 00:00:00 00, 208
Chance Encounters of the Best Kind

As I left for the San Francisco airport this morning, I met a fellow in the elevator of the Argent hotel, who related his harrowing elevator experience the day prior, when San Francisco had a major rainfall and near-gale wind "incident". We continued to chat, he on his way to the RSA Conference, and me to Starbucks. As we continued to chat, my anonymous companion mentioned he had participated in a session at the conference. He described his presentation, and mentioned his company, NetContinuum.

I only recently invited a fellow from NetContinuum to participate in a session at Networld+Interop, based on a submitted abstract and a background check among my colleagues. I asked my companion, "Do you know Kurt Roemer?"

After a more-than-hesitation-less-than-pregnant pause, he replied, "I *am* Kurt Roemer."

Hoodathunk? After our chance but very pleasant encounter, I'm looking forward to sharing a session with Kurt.

Archived at http://www.securityskeptic.com/arc20040201.htm#BlogID208 by Dave Piscitello  


Fri, 16 Jan 2004 00:00:00 00, 194
Editorial milestone (50)

My January editorial for Watchguard Technologies' LiveSecurity Service is the fiftieth I have written for the company, over a period of more than four years. I received a most gratifying letter of congratulations from the LiveSecurity directors and editors, past and present.

And some fabulous Washington State wine:-)

Nearly all of my past editorials are hosted at http://www.corecom.com/html/livesecurity.html

Archived at http://www.securityskeptic.com/arc20040101.htm#BlogID194 by Dave Piscitello  


Mon, 27 Oct 2003 00:00:00 00, 153
Security Crossword

If you've been faithfully reading my blog, you are ready to tackle YoDave's Inaugural Security Crossword Puzzle.

I will publish the solution next week.

Archived at http://www.securityskeptic.com/arc20031001.htm#BlogID153 by Dave Piscitello  


Fri, 15 Aug 2003 00:00:00 00, 103
What I want to do when I grow up...

My wife and I finished reading Monty Roberts' autobiography, The Man Who Listens to Horses: The Story of a Real Horse Whisperer. Our family has grown to love horses, and Monty's real-life stories and insights into the language horses speak (one we can learn!) were a wonderful reading experience for us all. ISBN 0-345-42705-X, find it here at Amazon.com

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID103 by Dave Piscitello  


Tue, 05 Aug 2003 00:00:00 00, 95
Run for Governor

Stuart Vance, a former colleague and really good guy, has begun a campaign to derail the gubernatorial recall election in California. He's created a web site where you can learn how to add a candidate to the ballot. His objective is to basically launch a denial of election attack by exceeding the number of candidates that can conceivably fit on the CA ballot.

Stu's actually doing this for a good reason. Read the San Jose Mercury article about Stu's initiative; better yet, visit http://www.run-for-governor.org/.

Archived at http://www.securityskeptic.com/arc20030801.htm#BlogID95 by Dave Piscitello  


Mon, 28 Jul 2003 00:00:00 00, 91
Where's Dave?

I've been away with my family at an incredible Dude ranch in Moose, Wyoming, the Triangle X. While the ranch does accommodate people who want a slow and scenic ride through the Grand Teton National Park and along the Snake River, advanced riders trot and lope - and sometimes gallop - through prairie, on narrow mountain trails, and across river tributaries, gullies, and tumbleweeds.

My wife, an excellent rider who could be a wrangler herself, has managed to turn me into a decent rider. I can canter (seated or "up in the stirrups"), seat a slow trot, and occasionally post. My lead changes still suck - frankly, I can't recognize them yet - but I've grown to love riding.

Each evening, the herd of over 100 horses is "wrangled out" to pasture for the night. We are fortunate to have a log cabin adjacent to the path leading to the south pasture, so we watch at an enthrallingly close distance as the herd thunders by...

Molly and I rode with "Coyote" Bill, who earned this nickname from us by breaking the trail after a scraggly coyote and leading us on a wild chase over hell's half-acre. The chase was all the more exciting to me because I had just taken my camera out to shoot the coyote.

Until that moment I didn't realize I could gallop with reins in one hand and camera in the other!

Archived at http://www.securityskeptic.com/arc20030701.htm#BlogID91 by Dave Piscitello  


Mon, 09 Jun 2003 00:00:00 00, 64
Mission Work 2003

I've been away with my son on an Episcopal Youth Community mission trip to Sewanee, Tennessee since June 1st.

You can view a photo journal of the services we performed for an under-served and very poor Appalachian community here.

As part of his community service, Dave swapped his laptop for a manly, heavy-duty ditch witch.

Archived at http://www.securityskeptic.com/arc20030601.htm#BlogID64 by Dave Piscitello  


Wed, 23 Apr 2003 00:00:00 00, 16
Corporate Speech: Why can everyone claim to be the "leading provider of "?

I love National Public Radio, especially Talk of the Nation.

I heard a terrific program on TOTN on April 24, 2003, Corporate Speech and Advertising, where the panel discussed the extent to which the speech of corporations is protected by the US Constitution's First Amendment and asked, "What's the difference between commercial and political speech? Why are corporations protected by the First Amendment?"

Clarifying what commercial speech is, and what companies may say and not say, is important to the US Supreme Court because it believes it has value in maintaining an informed public.

No argument here, but wouldn't it be nice if we could have a universal metric that (especially) technology companies must apply and satisfy before they can claim they are the industry leaders in "whatever"?

Listen to the program online, and support public radio.

Archived at http://www.securityskeptic.com/arc20030401.htm#BlogID16 by Dave Piscitello