Sunday, January 31

Flash, time for you to die

I've been reading a lot of hubbub about the new Apple iPad not having the capability of displaying Flash.  Of course!  It stands to reason that it can't: it has the same OS as the iPhone, which also can't display Flash.  Which leads me to think, why do we need Flash?

The answer is, we don't.  Not anymore.  90% of Flash usage is for audio or video on the Internet, and HTML5 can handle that with the <audio> and <video> tags.  It can do Canvas.  (Oh, and a TON more, I'm just illustrating a point.)  Some of the major browsers have adopted most of these technologies.  WebKit (invented by Apple; powers Safari and Google Chrome, amongst others) and Presto (the rendering engine that powers Opera) have supported more of them than the other two majors, Gecko (the engine that powers Firefox and all of its kin) and Trident (the engine that powers Internet Explorer).  The last being the worst adopter.  Surprisingly.

I read somewhere (I can't find it now) that most browser crashes come from plugins.  Flash, Java, etc.  Why can't we eliminate these plugins and go with the native protocols?  That's what HTML5 is attempting to do for the most part, and I, for one, am glad for it.

Apple has always been about killing off technologies and moving onto what is on the horizon (killing off serial, going for USB; killing off diskettes, going to CD; killing off CDs (MacBook Air); moving more wireless (AirPort); killing off DisplayPort, HDMI, DVI and VGA, going with Mini DisplayPort).  They have never been afraid to just "move on" to the new thing.

I believe they said to Flash, die, HTML5 is here.  Then they turned to web developers and said "fix your stuff".  How did they do that?  They rolled out the iPhone, which has now become the largest mobile browsing platform on the planet.  Slowly but surely, what's happening?  Websites are moving away from Flash.

Unless, you know, of course, you are a band or a restaurant.  (Seriously?  What is with bands and restaurants and your use of Flash?)

I don't even need to get into the security issues of Adobe's Flash.  Look, there is one small part of Adobe working on Flash.  The entire internet is working on HTML5.

Flash (and Silverlight) is dead.  Get over it.


100% of the statistics in this post are made up.  ;)

Thursday, January 28

One thing I forgot to mention about the iPad

People are already criticizing it because it doesn't have Flash on it (it runs the iPhone OS). I say to those people, GOOD.

Flash is, as the last year has shown us, a horrible piece of programming and it needs to die. HTML5 will kill it off for the most part, and it needs to stay dead. I don't think that Flash will be around much longer, and frankly, I'm not sad about it.

In the next few years, now that the iPhone is as big as it is, the iPad will be all over the place (I think), Flash will be dead, and developers will be rewriting their web pages to use things like H.264 and HTML5. There will still be things like the "Punch the monkey" banner ads that need to use Flash (and various other games), but those people that develop those games, welp, looks like it may be time to move on.

iPad, why it's interesting

Yesterday, as everyone -- including me -- expected, Apple introduced their first big foray into the tablet computing market (if you don't count the iPhone as a tablet) called the iPad.

Which, even I, as an Apple fan, have to admit -- is a stupid name.  iSlate, or even "Tablet" would have been better, but, whatever.  (Plus, Fujitsu owns the "iPad" trademark, so we'll see what it winds up being -- remember "iTV" changed to "Apple TV" at launch.)

Am I interested in one?  Yes.  I am interested because it's just enough for me to NOT have to carry around my laptop bag anymore.  Potentially eliminating the need to carry anything outside of a jacket.  (Using a jacket like the Scottevest line, which is just handy, all those pockets.)  90% of my work could be done on a device like this, and I'm just happy about that.

I don't think people are overwhelmed by it right now in this iteration because people feel it's just a big iPod Touch.  Well, fine.  I have to kind of agree with that idea, but look at how far the iPod Touch has come along since its release.  It's not about the platform, people, it's the APPS.  We'll see what happens in the 60 days before its release.  We'll see what happens in a year.

There is going to be a completely different class of Apps developed for this thing.  I fully expect even people like Microsoft to develop a version of Office (or maybe use the online office) for this thing.

Think of the possibilities for a couple markets:

A) Schools.  Imagine school children, colleges, high schools, etc. with this thing as a standard-issue device.  Think of what is going to come about as far as accessibility to textbooks, not having to carry them around anymore.  Think about taking your quizzes and tests online, doing your homework online.  The elimination of the wasteful use of paper is coming in a big way.

B) Medical applications.  Think of a doctor being able to walk around a hospital with every patient's records, X-rays, results, insurance cards, everything.  Accessible with their fingers.  Think about the doctors being able to make notes right into the patient's online chart.

These are just a couple examples I can think of off the top of my head about the possibilities for a device like this.


Now, how should we treat this device from a security perspective?  It's a mobile device, but it's not a phone, it can't make phone calls.  (Native phone calls, not through Skype.)  It's not a laptop, it's more mobile than that.

I would have to say that we'd need to treat this device as a phone.  For the most part, it's a platform that has near-ubiquitous access to the Internet.  Any Starbucks, Barnes & Noble, etc.  Then with the cheap 3G access available on it, I think there is going to be a whole class of people (maybe the sub-20-year-old demographic) that would use this as a computer.  They don't need anything else for the most part.  My wife doesn't need anything more than this device.  Will you be able to print from it?  Probably not, but that's really the only thing I see that needs to be added from a software point of view for this to replace most computers.  My parents would use this instead of a regular computer, most people would, if all they did was process email and read web pages on it.

This is the perfect couch device, this is the perfect "train" or "plane" device. There are a ton of possibilities for this thing, not necessarily at launch, but in a year/two years from now, this may be the computing platform that we are all using.

I'm really only disappointed in one thing.  No forward-facing video camera for teleconferencing?  Hm.  Well, let's think of this thing sitting on your lap.  Ideally the camera would need to be up higher, level with your face, otherwise people on a video conference with you would be looking up your nose the whole time.  Yes, of course you could prop it up, but that's not going to happen all the time.  That's really my only disappointment.

We'll see..

Saturday, January 23

This week was busy

This week, we at Sourcefire had our annual Sales Kickoff meeting. Basically a good look backwards at 2009, and what we did right and wrong, a look ahead and goals for 2010.

Obviously most of what we talked about is corporate confidential, but I think we all left with a good idea about where we are going this year, and that we should be pumped up, because we are doing good things and will continue to do so.

Also this week I was placed on a list of people for radio stations to call about the Haiti relief scams.  This has been quite an adventure as well.

I've done about 20 interviews, some live, some recorded, for all kinds of radio shows, morning, evening and day shows all around the United States.

All the interviews were about 5-10 minutes long, and I've been repeating myself a lot, but it's been fun. Hopefully that will wind down this week and things will get back to normal.

Friday, January 15

Haiti domain registrations on the rise

Over the past couple days I've been reporting over on the Internet Storm Center about the number of domains that have been registered (either legitimately for good use, or for malicious use) concerning the Haitian Earthquake disaster.  Read the original article here.

Like I said in that article, we're assuming that these domains are being registered for legitimate and helpful use, but we try and keep our eye out for the illegitimate ones, just in case someone wants to put some malware on a site, or try and trick you into giving up your credit card numbers or donating money via PayPal to a "cause" that never donates the money to Haiti on the back end.  We saw this with Hurricane Katrina, we saw it with the Tsunami disaster, and now we are seeing it with the Haitian Earthquake.  (See the article here.)

But the number of registered domains is on the rise.  We saw 38 on Wednesday, 445 on Thursday, and today we saw 680.  (So, well over 1,000.)  It's practically impossible to check these domains by hand, so we are working with a couple of partners in the Internet space to take a look at these domains with us to ensure that they are clean.

Please exercise caution when visiting these sites, and please, donate money for the cause.  But please be extra cautious about who you are donating money to.  You know you can donate to legitimate sites like the Red Cross, but do you also know you can donate to these other organizations:

(Thanks Kevin for those links)

Wednesday, January 13

Haitian earthquake news

Today, I posted an article on the Internet Storm Center about the fact that sometimes domains are parked and used for malicious use when a disaster occurs.

Domains like haitiearthquake2010 and haitiearthquakerelief and various names like that.

Well, because this is of such a large concern, I was contacted by no less than 5 news organizations today. Newsweek, ABC News, CBS News, SCMagazine, and All wanted comments and news about the Haitian disaster and the monitoring we have taking place in order to protect people from getting scammed.

A couple of the articles I was mentioned in can be found above at my "in the media" link.

I think it's great that news organizations are taking an interest in protecting the World against these predators.

Always remember, the safe bet is to donate money via an outlet like

Please donate.

Article about Sourcefire's 4.9 release

Recently Sourcefire (the company I work for) released the newest version of our system.  Version 4.9.  While I have personally enjoyed working with it over the past few months (in beta, and now in production), it seems others out there have a great view of it as well.

Check out an article about it here.

Monday, January 11

Firefox 3.6rc1 is out

Mozilla has put out the Firefox Release Candidate for version 3.6 of the browser, and as always, it's publicly available via their website.  Just a reminder that this is an RC, not a full version upgrade or anything, and it's essentially beta code, so your mileage may vary.

The list of bugs fixed in 3.6 is pretty significant, and includes several security updates.

Which tells me that the release of 3.6 isn't far behind.

Firefox keeps on upgrading, and while it's by far the favorite browser of my blog readers, I can't help plugging Chrome; even in its Mac Beta/Dev status, it's a great browser.  I am of the opinion that Chrome is much faster than Firefox.  Firefox still feels bloated and slow to me.

One of my favorite features is that Firefox will warn you of out-of-date plugins.  While it did this pretty reliably to begin with, I can't help but think this is better.  This is pretty important for things, obviously, like Flash.

Go to the first link above, check out the release notes, give it a download.  See how it handles, and if you feel like it, report back here and let me know your results.  I'll stick to Chrome for now.

PulledPork 0.3.4 released

I know plenty of you that read my blog are interested in Snort rules, and are always open to managing Snort rules in an easier fashion.  Often, in the past, our (our being the 'Snort Professionals') recommendation has been "Oinkmaster".  Perl program, pretty stable, kept rules up to date and such.  Well, Oinkmaster kind of died in terms of support, so one of our own guys at Sourcefire stepped up for the community and put out, for free, Pulled-Pork.  (Originally called "Baconator", but we asked him to change the name so that Wendy's didn't sue.)

Anyway, JJ, the author of Pulled-Pork, a fellow Sourcefire employee, and the guy that runs released version 0.3.4 of Pulled-Pork today.  It has some very significant updates that we hope Snort users will be keen on.

For some time, within the Sourcefire interface, you have been able to start off the creation of your policies (and the further updating of your policies) from one of three "bases": Connectivity, Balanced, or Security.

Connectivity focuses on connectivity over security: fewer interruptions from the IPS, and dropping only the traffic that is obviously evil.

Balanced focuses on a good balance of the above and below.

Security focuses more on the security of the network the Sourcefire sensor is protecting than on people getting to Facebook.

The VRT defines these categories, and they decide which rules go into which category.  In the Sourcefire product, if you are "inline", each one of these standard bases has a certain number of rules that are set to drop by default.  Obviously, fewer in Connectivity over Security, and more set to drop in Security over Connectivity.

The way that we get this information out to the Sourcefire customers is through "metadata" within a rule.  If a rule is written like so:

"alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:4;)"

See the metadata: section of the rule above?  That's the metadata; it tells, for each of the three categories I named above, what the rule should do in that instance.  In this case, since this rule is looking for traffic that is exiting the network and going back to an attacker, we want to drop this at all costs.  So that's what the metadata says.  First the name of the policy, then the state.

Automated (notice automated) use of this feature has been reserved for our Sourcefire customers.  The metadata itself has always been available to our open-source Snort users, but not the automation.  Until now.

Pulled-Pork 0.3.4 allows the open-source users to use these three policies automatically; of course, you have to choose which policy you want to use with the "-I" command parameter.

If you were using pulled-pork in the past, you can't just copy over the pulledpork.conf file into this new instance; you'll need to use the new .conf file that comes with this release.  But in a matter of about 5 minutes, I had the new pulledpork up and running, and my Snort instance is now running the "-I security" policy.  PulledPork generated a changelog for me and restarted Snort via a HUP (which you can specify in the pulledpork.conf file).

So, if you are someone familiar with Snort and .conf files, you should be up and running a great security policy in about 5-10 minutes.
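To make the policy metadata concrete, here is a small Python script (added here as an illustration; it is not PulledPork's code) that does what the post describes the "-I" option doing: it reads each rule's "metadata:policy ... drop/alert" entries and rewrites the rule action for the chosen base, then produces a short changelog-style summary. The sample rules after the first one are constructed for this example, and the handling of rules that carry no entry for the chosen policy (commented out here) is this example's assumption, not a statement of PulledPork's exact behaviour.

```python
"""Apply a Snort IPS base policy from rule metadata (added example)."""
import re

# Constructed sample ruleset: the first rule is the one quoted in the post,
# the other two are made up for this example (sids in the local 1000000+ range).
SAMPLE_RULES = """\
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE noisy web probe"; flow:to_server,established; content:"probe"; metadata:policy balanced-ips alert, policy security-ips drop; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE rule with no policy metadata"; content:"|00 01|"; sid:1000002; rev:1;)
"""

POLICIES = ("connectivity-ips", "balanced-ips", "security-ips")

# The metadata option runs from "metadata:" to the next ";".  Snort requires
# literal semicolons inside content strings to be escaped or hex-encoded, so
# this simple scan is enough for well-formed rules.
META_RE = re.compile(r"metadata:([^;]*);")
POLICY_RE = re.compile(r"policy\s+(\S+)\s+(alert|drop)$")


def policy_states(rule):
    """Return {policy_name: "alert"|"drop"} parsed from the rule's metadata."""
    m = META_RE.search(rule)
    if not m:
        return {}
    states = {}
    for entry in m.group(1).split(","):
        pm = POLICY_RE.match(entry.strip())
        if pm:                      # other metadata keys (e.g. service) are ignored
            states[pm.group(1)] = pm.group(2)
    return states


def apply_policy(rule, policy):
    """Rewrite one rule line for the chosen base policy.

    policy says drop  -> rule action becomes "drop"
    policy says alert -> rule action becomes/stays "alert"
    not in the policy -> rule is commented out (this example's assumption)
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}, expected one of {POLICIES}")
    rule = rule.strip()
    if not rule or rule.startswith("#"):
        return rule                 # blank lines and disabled rules pass through
    state = policy_states(rule).get(policy)
    if state is None:
        return "# " + rule
    _action, rest = rule.split(" ", 1)
    return f"{state} {rest}"


def apply_policy_to_ruleset(text, policy):
    """Apply the policy to every line; return (new ruleset, changelog summary)."""
    out, summary = [], {"drop": 0, "alert": 0, "disabled": 0}
    for line in text.splitlines():
        new = apply_policy(line, policy)
        if not new:
            continue
        if new.startswith("#") and not line.lstrip().startswith("#"):
            summary["disabled"] += 1
        elif new.startswith("drop "):
            summary["drop"] += 1
        elif new.startswith("alert "):
            summary["alert"] += 1
        out.append(new)
    return "\n".join(out), summary


if __name__ == "__main__":
    for base in POLICIES:
        rules, changes = apply_policy_to_ruleset(SAMPLE_RULES, base)
        print(f"== -I {base}: {changes}")
        print(rules, "\n")
```

Run it and compare the three bases: the cmd.exe banner rule is dropped in all of them, the constructed web-probe rule only alerts under balanced-ips but drops under security-ips, and the rule with no policy metadata is never part of any base.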

Good job JJ and the VRT!

For further information, please go to JJ's blog post on the release and download it at the link he has there on his blog.

iPhone compatibility

When I moved to the current theme, I received a couple emails telling me that the theme is hard to read on an iPhone.  So I fixed that.  If you browse to the blog on an iPhone you will now receive a completely different screen and interface, one that is very iPhone compatible, user-friendly, and still allows you to use all the features of the site (commenting, emailing, etc) as you normally would.

So here's what it will look like now when you navigate to the site on an iPhone:

Notice the drop-down at the top right of the screen?  It allows you to view the site via RSS, sort by category, even email me directly from the blog.

If you don't like how the page looks on the iPhone, you can turn this feature off by scrolling down to the bottom of the page and flicking the switch, as seen below:

This is all made possible by the WPtouch theme.  Thanks, WordPress.

Reviewing ModSecurity 2.5, the book

Currently, I am reviewing a book for Packt Publishing, it's entitled "ModSecurity 2.5: Securing your Apache installation and web applications" by Magnus Mischel.

Consequently, I am playing with ModSecurity a bit, and I will try very hard to NOT break things on the blog.

So far it's a good book, and it's been quite a while since I've used ModSecurity (back in the 1.x days), and the configuration has completely changed.  So I'm on a quick learning curve as well.

Friday, January 8

Verizon Wireless's Fail

Several months ago I ditched my AT&T 3G Card that I was using for mobile Internet and bought a Mifi from Verizon.

A) Verizon has better connectivity in New York (I was spending a lot of time in New York)

B) Verizon has better connectivity on trains than AT&T.  (Not faster, just a more persistent connection.)

Well, in order to manage your account, you have to sign up for a website called, which, in order to complete the sign-up, asks to text message you your PIN/password to verify your identity.  So, I laugh to myself, as the Mifi doesn't have a screen or any way to receive a text.  So, I get hold of Verizon, and they tell me that their VZwireless software allows you to see the txts sent to the Mifi.  Okay, fine..

I fire up the software, no "txt".  It's not in the Mac software, it's only in the Windows VZWireless software.  Hilariously irritating, so the alternative is, they mail you a PIN number.  Physically mail you, using snail mail, a PIN number.  What a waste of trees.  Anyway..  Today my PIN number arrived in the mailbox, so I sit down, type in the temporary password (PIN number) on my login page, and finally, I get to reset the password.

So, there are 3 blanks on this page, and a drop-down.  First -- new password; second -- as you guessed it -- verify new password.

Now, here's where it gets good.  Drop-down: "Select the phrase to remind you of your password".  Your typical "Challenge/Response" thing, right?

Here's the drop-down:

Yup, seriously.  No questions for the "Secret Question" -- I mean, if the questions are secret...

The last drop-down was the answer to the "Secret Question".

Okay, so, what have we learned here?  Verizon.  You are making life extremely painful to me.  FIX YOUR SIGNUP METHOD.

Oh, and your webpage.  You are DOING IT WRONG.

Monday, January 4

A friend of mine and fellow co-worker at Sourcefire started something pretty exciting this year.

Brad Pollard decided this past year to write 140 songs, each 140 seconds long (his inspiration was Twitter), in a year.  So far he's doing pretty well, and I've subscribed to the podcast on iTunes in order to grab them all.

If you like Indie music, or if you don't, either way, go check out Brad's stuff and give him some feedback.  Good job Brad.  Check out the website here.