Archive for the ‘Uncategorized’ Category

3rd Annual Top 10 Sexy InfoSec Geeks for 2011

January 1st, 2012

This year has been full of surprises.  Life has taught me that you never really exist in a state of calm or unrest, but some stratified grey area in between.  When life gets rough I think back to the “in between” that is water.

I’ve received a few questions about the 2011 sexy infosec geeks list, and last year was such a hit as was the year before that I thought we should do it again.  It is hard to keep a list to just 10 people when you really have a list about 50 long.

A friend asked me how I compiled the list.  I told her it was based on the people I know and those referred to me.  I’m easily influenced by recommendations of others, as are so many people in this world.  I solicited input, averaged out the outliers, and once again used biased weighting to determine the final set.  Again, these are only my opinions.  I encourage you to make your own list as well. As always, feel free to disagree or add your own using the comments.

Without further commentary and tangent, I give you the Third Annual Top 10 Sexy InfoSec Geeks for 2011.

10. Halvar Flake (@halvarflake)

Halvar has many skills. He was denied entry to the US in 2007 and prevented from teaching a class at BlackHat – probably because the information was much needed. He specializes in math, reverse engineering, and making friends with people who recommend him for lists like this.

09. Felix ‘FX’ Lindner (@41414141)

FX is a well-known member of the German security team Phenoelit and Head of Recurity Labs.  He is a mainstay in the security world who, along with the rest of the Phenoelit team, has brought many others into security.  He participated in C3, speaks on security, and is overall a nice guy.

08. Jayson E. Street (@jaysonstreet)

Jayson Street, much like Zaphod Beeblebrox, is “just this guy, ya know”.  Jayson presents at conferences around the world and people attend his talks because of how entertaining he is, regardless of the topic.  He frequently speaks on the topic of social engineering, is never without his vest of pockets, and is amazingly somehow able to find a Pizza Hut and Pepsi in every country he visits. He has received several accolades over the years.

07. Andrew Jaquith (@arj)

Aside from being an all-around likable guy, Andrew has served in various CTO positions, co-founded @Stake, and held industry analyst positions. Andrew authored the book Security Metrics, started MetriCon, manages Mini-Metricon, and is a full-time pundit.  If someone mentions the word metrics, they will probably quote something that Andrew has said.

06. Joanna Rutkowska

Joanna made a splash in 2006 with her Black Hat presentation on an attack against the Vista kernel protection mechanism and a technique dubbed Blue Pill, which used hardware virtualization to move a running OS into a virtual machine. In 2010 she co-created Qubes, a security-centric operating system based on disposable virtual machines.  In this era of virtual machines, we need more people to promote the need for security in virtual systems.

05. Alex Hutton (@alexhutton)

Alex Hutton has been involved in so many risky things that he is most certainly an infosec bad-boy. He graduated from the Jack Jones school of Factor Analysis of Information Risk (FAIR), was formerly in Research & Intelligence with the Verizon Business RISK Team, is an author of the Verizon Data Breach Investigations Report (DBIR) and PCI Compliance Report (PCIR), and organized (Security Metrics) Metricon 2011. Now that is one risky dude!

04. Michelle Klinger (@diami03)

Michelle may like infosec as much as she likes cats – and that’s saying something.  She co-organized BSidesDFW two years in a row.  She is an excellent cat herder who never likes the limelight but always does what it takes to get things done.  She has sarcasm and charm to spare.  In 2011 she was nominated for an RSA Blogger award for her post, Security B-Sides Turned Me into an Adult.

03. Kyle Creyts (@hushedfeet)

In a DO-ocracy Kyle would be King (or close to it).  Kyle is the founder of BSidesDetroit, an event he started to bring together people in the greater Detroit-to-Ann Arbor area.  At a youthful age he stood up a conference in one of the most scattered cities and created a conflagration of like-minded people.

02. Marcia Hofmann (@marciahofmann)

Marcia is a senior staff attorney at the Electronic Frontier Foundation (EFF), focusing on helping ensure that modern technology is used for liberation rather than control. She liaises with hackers at security conferences and helps guide them on how to proceed with sometimes sensitive topics. She has the legal perspective that every aspiring hacker needs.

01. Joseph Sokoly (@jsokoly)

Joseph has been my ‘poster guy’ for Security B-Sides.  In 12 months he took a presentation on how hard it is to break into the industry (BSidesAustin) to a follow-up on all the support he received (BSidesBoston), then went back to his home town and co-founded BSidesDFW.  I’ve always enjoyed our long one-on-one conversations about life, people, and leadership.


Poems by silvi

February 13th, 2010

Yesterday our friend Julie Michell, of CALIBER and ilivehere::sf, had her photos at Secession, a gallery/store event in the Mission.  We went and met a number of great people, one of which is the on-the-spot poet Silvi Alcivar.  She runs a portable business called The Poetry Store where she will create you a poem based on a seed thought/word/idea from you.

She has a cute, red ROYAL typewriter that she types them out on and some great little accessories to put your poem in, ranging from message-in-a-bottle to picture frames.  I chatted with her a while and it turns out not only does she pop up at events around town but also does weddings.  She is forward thinking enough to keep a carbon (literally) copy of the poem in the hopes of eventually publishing a book of them in the future.

Since I’ve been watching the drama-turn-soap-opera Dexter lately, I asked her to write me a poem about secret serial killers.  The following is what she created.

in the night
for mike

secret serial killers come out
with the stars, catching glimpses
of the moon on their knives. with
more stealth than cheetahs
they pierce the necks of their
prey, a tiny imperceptible bite.

silvi
2.12.10
secession

The best part of all is the nice, happy Little Rabbit paper, which looks strangely like Hello Kitty, that it’s typed on.


New Directions for 2010

January 6th, 2010

I cannot deny the fact that 2009 was less than optimal, which I hear is Fedspeak for “oh yeah, it sucked but we got through it.”  In fact, more than getting through it we have found a rebirth and I’d like to share a few of those with you.

  1. New Blog. That’s right, I have a new blog wherein I write mostly personal information peppered with thoughts on the professional world around me.  My favorite sections are those on the topics of becoming fearless, becoming immortal, and the ever popular sexy geeks post.
  2. Security B-Sides. In 2009 we completed two BSides events: BSidesLasVegas and BSidesBay.  We are starting 2010 with plans for 4+ BSides events: BSidesSanFrancisco, BSidesBoston, BSidesLasVegas, and BSidesAustin.  This is just January.  There are many more plans ahead. BSides is brought to you by the hard working people who make it happen.
  3. New Job. I’ve taken a job that, for the first time, I can do from just about anywhere – not just in the US but anywhere around the globe.  That being the case, I am considering taking a page from the 4 Hour Workweek and taking this show on the road.  This year I have a rather lofty goal of ditching the home and living/working 1 month abroad in a country where the cost of living is less than San Francisco, which should not be too hard to find.
  4. New Column. I found out today that I’ll be writing a new column for a yet-unnamed magazine.  I need to prepare an editorial calendar and much more.  This is really a small part of a longer term goal of mine which is to write several books.  I have stalled at this in the past but plan on using this new opportunity to spur my ideas.
  5. New Conferences. I’m lucky/good enough to know some really amazing people.  This past year brought me to speak at ITWeb Security Summit in South Africa wherein those fun Sensepost guys enabled Hackers on Safari.  I want this year to be another of new events, places, and people.  For the first time I’ll be presenting/attending ShmooCon 2010 and hope to add many others to this list shortly.  (I hope to meet Heidi Potter and appreciate the 0wn the c0n talk.)  Stay tuned here and on twitter.
  6. New Webmaster. I’ve taken the role of “webmaster” for the people I camp with (Barbie Death Camp and Wine Bistro) at Burning Man.  I uploaded 10 years of photos to Flickr and got the blog going at barbiedeathcamp.com.
  7. New Laptop? Ok, I’m getting small here, but I have been pining over a MacBook Pro for quite some time.  The purchase was not in the stars for 2009 but I’m hoping this year will bring new possibilities. I actually don’t want one of the new Apple tablets or a netbook.  Call me old-fashioned, but I just want a sleek, unibody laptop.

So let’s take a deep breath.  Take one last look back.  And plow ahead into the new year that lies before us.

Good luck and good night.


Becoming Fearless: Only after disaster can we be resurrected

September 17th, 2009

“Only after disaster can we be resurrected. It’s only after you’ve lost everything, that you’re free to do anything.”
– Tyler Durden (Fight Club)

Parents like to tell their children that bad things do not happen to good people.  When we grow up we learn this is not at all true.  In fact, people have been exploring why bad things happen to good people for centuries.  C.S. Lewis wrote an entire book on The Problem of Pain.

Only when you embrace that good/bad things are not directly related to good/bad people can you stop asking why and start planning your next steps.

In fact, bad times can be an opportunity to reinvent yourself.  When you are freed of the forces that bind you to your current path you are free to choose a new one.  Disaster can lead to despair or resurrection.  Where will it lead you?


PCI DSS v1.2.1 – No PAN, No Cardholder Data

August 12th, 2009

The PCI SSC quietly released version 1.2.1 (July 2009) with some very minor wording changes.  The following is the list of those minor changes, by date and version:

  • Oct. 2008 | v1.2: Introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2.
  • July 2009 | v1.2.1: Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2.
  • July 2009 | v1.2.1: Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b.
  • July 2009 | v1.2.1: Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b.
  • July 2009 | v1.2.1: For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.”

So, pray tell what is that sentence incorrectly deleted?

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.

This is a rather minor clarification.  Many people read the cardholder data matrix and think that all of its elements, including the name and expiration date, are considered cardholder data (CHD) on their own.  With this update the PCI SSC reminds us that these elements are only considered CHD if they are stored together with the PAN.

Translation?  No PAN, no cardholder data!

This leaves us with only one remaining question…

Now that we are completing the In Place / Not In Place columns for testing procedure 6.5.b, what are the necessary validation steps?  Perhaps documentation review, observation of process/action/state, and staff interviews.
