February 13th, 2010
admin
Yesterday our friend Julie Michell, of CALIBER and ilivehere::sf, had her photos at Secession, a gallery/store event in the Mission. We went and met a number of great people, one of whom is the on-the-spot poet Silvi Alcivar. She runs a portable business called The Poetry Store where she will create you a poem based on a seed thought/word/idea from you.
She has a cute, red ROYAL typewriter that she types them out on and some great little accessories to put your poem in, ranging from message-in-a-bottle to picture frames. I chatted with her a while and it turns out not only does she pop up at events around town but also does weddings. She is forward thinking enough to keep a carbon (literally) copy of the poem in the hopes of eventually publishing a book of them in the future.
Since I’ve been watching the drama-turned-soap-opera Dexter lately, I asked her to write me a poem about secret serial killers. The following is what she created.
in the night
for mike
secret serial killers come out
with the stars, catching glimpses
of the moon on their knives. with
more stealth than cheetahs
they pierce the necks of their
prey, a tiny imperceptible bite.
silvi
2.12.10
secession
The best part of all is the nice, happy Little Rabbit paper, which looks strangely like Hello Kitty, that it’s typed on.
I cannot deny the fact that 2009 was less than optimal, which I hear is Fedspeak for “oh yeah, it sucked but we got through it.” In fact, more than getting through it we have found a rebirth and I’d like to share a few of those with you.
- New Blog. That’s right, I have a new blog wherein I write mostly personal information peppered with thoughts on the professional world around me. My favorite sections are those on the topics of becoming fearless, becoming immortal, and the ever popular sexy geeks post.
- Security B-Sides. In 2009 we completed two BSides events: BSidesLasVegas and BSidesBay. We are starting 2010 with plans for 4+ BSides events: BSidesSanFrancisco, BSidesBoston, BSidesLasVegas, and BSidesAustin. This is just January. There are many more plans ahead. BSides is brought to you by the hard-working people who make it happen.
- New Job. I’ve taken a job that, for the first time, I can do from just about anywhere – not just in the US but anywhere around the globe. That being the case, I am considering taking a page from the 4 Hour Workweek and taking this show on the road. This year I have a rather lofty goal of ditching the home and living/working 1 month abroad in a country where the cost of living is less than San Francisco, which should not be too hard to find.
- New Column. I found out today that I’ll be writing a new column for a yet-unnamed magazine. I need to prepare an editorial calendar and much more. This is really a small part of a longer term goal of mine which is to write several books. I have stalled at this in the past but plan on using this new opportunity to spur my ideas.
- New Conferences. I’m lucky/good enough to know some really amazing people. This past year brought me to speak at ITWeb Security Summit in South Africa wherein those fun Sensepost guys enabled Hackers on Safari. I want this year to be another of new events, places, and people. For the first time I’ll be presenting/attending ShmooCon 2010 and hope to add many others to this list shortly. (I hope to meet Heidi Potter and appreciate the 0wn the c0n talk.) Stay tuned here and on twitter.
- New Webmaster. I’ve taken the role of “webmaster” for the people I camp with (Barbie Death Camp and Wine Bistro) at Burning Man. I uploaded 10 years of photos to Flickr and got the blog going at barbiedeathcamp.com.
- New Laptop? Ok, I’m getting small here, but I have been pining over a MacBook Pro for quite some time. The purchase was not in the stars for 2009 but I’m hoping this year will bring new possibilities. I actually don’t want one of the new Apple tablets or a netbook. Call me old fashioned but I just want a sleek, unibody laptop.
So let’s take a deep breath. Take one last look back. And plow ahead into the new year that lies before us.
Good luck and good night.
September 17th, 2009
admin
“Only after disaster can we be resurrected. It’s only after you’ve lost everything, that you’re free to do anything.”
– Tyler Durden (Fight Club)
Parents like to tell their children that bad things do not happen to good people. When we grow up we learn this is not at all true. In fact, people have been exploring why bad things happen to good people for centuries. C.S. Lewis wrote an entire book on The Problem of Pain.
Only when you embrace that good/bad things are not directly related to good/bad people can you stop asking why and start planning your next steps.
In fact, bad times can be an opportunity to reinvent yourself. When you are freed of the forces that bind you to your current path you are free to choose a new one. Disaster can lead to despair or resurrection. Where will it lead you?
The PCI SSC quietly released version 1.2.1 (July 2009) with some very minor wording changes. The following is a list of those minor changes:
- Oct. 2008, v1.2: Introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2.
- July 2009, v1.2.1: Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2.
- July 2009, v1.2.1: Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b.
- July 2009, v1.2.1: Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b.
- July 2009, v1.2.1: For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.”
So, pray tell what is that sentence incorrectly deleted?
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.
This is a rather minor clarification. Many people read the cardholder data matrix and think that all elements including the name and expiration date are considered cardholder data (CHD). With this update from the PCI SSC we are reminded that these are only considered CHD if they are stored with the PAN.
Translation? No PAN, no cardholder data!
This leaves us with only one remaining question…
Now that we are completing the In Place / Not In Place areas for requirement 6.5.b, what are the necessary validation steps? Perhaps documentation review, observation of process/action/state, and staff interviews.
Chaordic Conversations