Planet NYLUG

August 26, 2010

Code|Beta Photography

Paquico’s shop

Near my parent’s house there is a small home that has a metal workshop and he’s there every day even if there’s nothing to do. Honestly I don’t know what his real name is though his nickname is Paquico and everyone knows him by that name.


As a personal project I decided to take a couple of photos of his workshop because I find it quite interesting: the workshop has all these dark spots that really bring out the industrial, gritty side that comes with working on metal.

I decided to go with B&W for this project as it would pull out that same feeling I get when I go in there. Because of this I went with Ilford HP5+ on my Kiev 88CM medium format camera; since this film isn’t found locally I had to order it online.



Follow us on twitter | Find us on Facebook | Follow us on Tumblr | Contact Us

© lmurillo for Code|Beta Photography, 2010.

by Luis Murillo at August 26, 2010 08:04 PM

August 24, 2010

More Blogs About Technology and Food

Subway, Lifeblood

Via 2 4 Flinching, check out these photos of the New York City Subway circa the 1980s: filthy, graffiti-ridden, dangerous, dark, cold, primal, raw, real. This is a New York City that, unless you were born in that era of the 1970s/1980s and grew up in or very near the city, you can only currently see in movies and TV shows, read about in books, or hear the vibe of in the music from that era. Our

by Robert Menes (noreply@blogger.com) at August 24, 2010 03:15 PM

Don't Mind the Mess!

I want to put a new template on my blog, as I feel that the old template is simply not cutting it visually. So for the time being, things will look a bit off-kilter while I fix that. I'll try not to take too long with that, but now getting ready to move is going to cut into my free time a bit. If you have some good design know-how and any friendly advice to give in that matter, give me a holler.

by Robert Menes (noreply@blogger.com) at August 24, 2010 02:58 PM

August 18, 2010

Information Security Strategy

Exercise works...

...No, although I have heard rumors that it might be a good idea too, I am not talking about the kind of exercise that involves push-ups or running a mile before breakfast. I am talking about exercising emergency plans before they are actually needed.

Today I was able to get the entire IT management team together to run through a tabletop exercise of the IT business continuity plan. The exercise was received very well and I think the participants not only had fun going through the scenario that I set out for them, I also think it boosted their confidence, worked towards increasing team spirit, and (of course) identified some areas in which we need to improve our processes.

Those of us who have played tabletop role playing games such as Dungeons and Dragons (go ahead, admit it!) will feel right at home in a tabletop business continuity exercise. The goal of a tabletop is to practice policies and procedures without having to break out the big guns, pull staff from their normal routine, or disrupt production processes. As a result, tabletops can be a relatively cheap, but still effective way to go over a scenario.

The chain of events was fairly simple. I set the story to emulate a small fire in a main server room that took out a core switch, which took with it remote connectivity and some telephone services. The fire was small and contained relatively fast, but it was not possible to do a full damage assessment because a Fire Marshal declared the site off-limits for investigation.

For myself, I had set the following training goals:

- Train the participants to recognize when 'events' turn into something bigger and some form of emergency operations need to be activated.

- Train the participants in the decision-making process that leads up to formally declaring an incident.

- Train the participants in designating emergency roles and responsibilities.

- Train the participants to communicate fully, clearly, and unambiguously, not only within the technology team, but also with the user community at large.

Because many of us in IT are so used to dealing with end-user emergencies all day long, it often takes time to recognize that something bigger is going on and that a response must be escalated. As always, that turned out to be the case here too, but lessons were definitely learned and I am confident that we will do much better next time.

All-in-all, I think we had a good exercise and, once again, we are better prepared for when events really take place.


by Kees at August 18, 2010 08:07 PM

August 09, 2010

NYLUGblog

Adam Gandelman on DRBD and Pacemaker: Open source disaster recovery and high availability clustering

Adam Gandelman
- on -
DRBD and Pacemaker: Open source disaster recovery and high availability clustering
Wednesday, August 18, 2010 @ 6:30-8:00 PM
** Please note important information about this meeting **

DRBD stands for Distributed Replicated Block Device and allows block
devices to be replicated over a network in a RAID-1 fashion. Since Linux
Kernel 2.6.33, DRBD has been accepted into mainline and with its ever
growing user base defines itself as the de facto Linux data replication
solution. DRBD acts as a block device and can be transparently inserted
underneath virtually any Linux application. Alone, DRBD’s replication
can be leveraged as a robust disaster recovery solution ensuring data is
kept geographically diverse between nodes, data centers or continents.
Coupled with other Linux clustering technologies (Pacemaker, Heartbeat,
RHCS, etc.), DRBD’s shared-disk semantics become the foundation of a
free, open-source high availability (HA) clustering stack used to
provide complete hardware and service level fault tolerance. From
databases to virtualization to centralized storage, DRBD and Pacemaker
provide a completely free, open-source availability and redundancy
solution using commodity, off-the-shelf hardware.

This talk will first provide an introduction to DRBD: what it does, how
it works, and some live demonstrations of replication-in-action. Basic
HA concepts will be covered as well as an overview of Pacemaker and the
Linux HA cluster stack as it relates to DRBD. To give a sense of its
flexibility, common and interesting use cases will be presented ranging
from simple, locally deployed HA clusters to geographically dispersed,
cross-site disaster recovery installations. Finally, attendees will see
how the current Open Cluster Framework (OCF) standards provide users
with a generic and easy way of integrating their own custom applications
into a highly-available environment using freely available open-source
software.

Attendees are expected to have some system administration experience
related to storage and networking. Knowledge of the Linux kernel and
other shared storage technologies is helpful, but not necessary.

About the speaker:
Adam is an expert in open-source clustering and high availability.
Originally from New England, Adam lives in Portland, OR where he has
been working at LINBIT, developers of DRBD and maintainers of Heartbeat.
Aside from providing top-level Linux High-Availability and Disaster
Recovery consulting for customers in the Americas, he also leads LINBIT
training courses in the US, doubles as a technical writer and regularly
contributes to related open-source projects. Adam enjoys his R&D work
creating new and exciting methods for DRBD integration into the fastest
growing arenas; cloud, virtualization, HPC and distributed computing
environments.

After the meeting … You may wish to join up with other NYLUGgers for drinks and pub food. Join us around 8:30 PM or so at TGI Friday’s (677 Lexington Avenue & 56th Street, second floor, northeast corner). We are also evaluating other options for the future and welcome your suggestions.

by Tuxi at August 09, 2010 02:20 PM

August 02, 2010

Code|Beta Photography

La Plaza de la Cultura

I was the leader for Costa Rica in Scott Kelby’s World Wide Photowalk that happened on July 24th, and for this instance I planned to visit the “Plaza de la Cultura” in San Jose. This boulevard is pretty much the heart of San Jose, as it’s the one that sees the most people walking by on any given day.

During the weekends and holidays there are street performers and clowns entertaining people as they walk by. Daily you see a lot of people selling everything from cheap toys to pirated DVDs, leather belts and wallets, original audio CDs and paintings, most of which are done right there on the boulevard. These are usually people who come from other countries to make a living out of selling these things because they can’t find other jobs.


The photo above was taken around the Melico Salazar theater and it’s the area where the most street performers gather.



© lmurillo for Code|Beta Photography, 2010.

by Luis Murillo at August 02, 2010 03:00 PM

July 30, 2010

Code|Beta Photography

The market in Heredia

Markets are quite common in some areas of the world, whereas in others they are just something you hear about once in a while. In Costa Rica, for example, it’s quite common to have a market in every major city, and they don’t just sell fruits and vegetables; they also sell pots and pans, toys, meat, spices and a lot of other things.

Back in the old days people would visit these places a lot more often than nowadays, because a lot of the things found in the markets can easily be found in the supermarkets, and people would rather go there than to a dark and dirty market. Recently I paid a visit to the market that’s located in Heredia, and even though I don’t really like eating there (I’ve done that once), I like to visit it and walk around because there are a lot of different smells and sounds coming out of every corner.


A barber shop can be found in one of the many entrances that this market has and right next to a fruits and vegetables stand.



© lmurillo for Code|Beta Photography, 2010.

by Luis Murillo at July 30, 2010 02:00 PM

July 24, 2010

Information Security Strategy

BlackHat and Defcon Guidance

Service announcement:

If you plan on bringing a computer to Defcon and/or Black Hat, think twice about plugging it into the conference network or connecting to the conference wireless networks.

If you do insist on bringing a machine to the conference floor, you had better take a pristine image without any form of even remotely sensitive data on it.

Do not communicate any authentication information at all, unless you are POSITIVE that it is protected.

If you rely on a VPN-like connection to tunnel your traffic, make sure that you authenticate BOTH SIDES of the tunnel.

Do not forget to turn off the WiFi and the Bluetooth settings on your mobile devices. Leave that iPad at home or in the room.

I am not too worried about using the hotel's network at Caesar's, but don't even consider plugging in if you stay in the Riv.

by Kees at July 24, 2010 12:29 AM

July 20, 2010

More Blogs About Technology and Food

Going Hardcore with Arch Linux

Seeing as how I've never used it, I decided to download Arch Linux and see what it's all about. My test subject machine for Arch is an Asus Eee PC 2G Surf, with an 800 MHz Celeron CPU (underclocked to 571 MHz), 512MB RAM, and 2GB SSD. I downloaded the netinst ISO of the latest release (2010.05 at the time of this writing), burned to CD, and installed with minimal effort. The SSD was divvied up

by Robert Menes (noreply@blogger.com) at July 20, 2010 08:45 PM

NYLUGblog

Tonight: Coding Workshop/Hacking Society Meeting 6-8 PM

Coding Workshop/Hacking Society Meeting: 7/9 6-8 PM

NY Public Library, Hudson Park Branch
66 Leroy St.
New York, NY 10014
Calendar & Directions

Coding Workshops/Hacking Society: This is a group of people that wants to learn about and work on coding in Python, Smalltalk, C++, and other languages, and hack on code. Sometimes they go out to eat afterward. Bring something to show off and discuss! The workshops meet every other Tuesday, at the NY Public Library, Hudson Park Branch. 66 Leroy St. NY NY from 6:00 PM – 8:00 PM

by Tuxi at July 20, 2010 01:49 PM

July 19, 2010

Information Security Strategy

Black Hat and Defcon approaching rapidly

With the end of July close by and the beginning of August looming at the end of my calendar, the Black Hat and the Defcon conferences are rapidly approaching. For me, it is the time of year where I get to hang my suit and put on simple clothes to go hang out with many of my friends in the security arena. As an added bonus, I get to attend some world-class caliber talks about new types of attacks, new tools and generally a new refresh about what we are up against. Anyone who is serious about making a career in information security should attend both conferences at least once.

The stuff I do for a living is guiding my organization to be successful at keeping its valuable information assets secure. To do that, my days mostly revolve around a combination of meetings in which we talk about developing and implementing security strategy, setting and implementing policy, working on things like vulnerability scanning, patch management, network situational awareness and managing security incidents. There is a lot more, but that's not all that relevant right now ;)

Whenever the big summer conferences approach, the technical side of me starts to speak up more. Suddenly, I want to be more involved with activities such as penetration testing, forensics, real-time log analysis, etc. I typically start annoying the people who are responsible for daily operations when that happens, but as it is the law of the land, I generally win those fights and I get to scratch my itch.

This year is no different, but as things go, I just cannot find the time to get my hands dirty. The closest I came was throwing out a few Tweets in which I stated that solving non-tech challenges is rewarding, but in the end it comes down to hard-core tech. No CISO should ever forget that. I also said that a well-designed and well-built network in a poorly run organization still has a chance of being secure; the other way around, not so much. In a private tweet, I also said that developing and implementing policy is critical too, but that having a great policy without the technology to back it up is a guaranteed fail, whereas with a good technological infrastructure to work on, technology without policy will work for a while.

Now, to pull out a cliche, as a CISO, it is my job to balance technology, processes and people to navigate my organization to a point where its residual information security risk is of an acceptable level. It is important to realize that all three P's are necessary to be truly successful, but if I had to pick, I would much rather work in an organization that has great technology and knows how to use it, but may be weak on the policy/people end, than work in an organization that is driven by handbooks, policy and procedures, but is weak in technology and people.

by Kees at July 19, 2010 08:05 PM

July 16, 2010

NYLUGblog

Gabriella Coleman, James Keenan, Jon Stanley on Debian & Debconf 10, Rakudo*, and New Fedora Performance Tuning Features

Gabriella Coleman, James Keenan, Jon Stanley
- on -
Debian & Debconf 10, Rakudo*, and New Fedora Performance Tuning Features
Wednesday, July 21, 2010 @ 6:30-8:00 PM
** Please note important information about this meeting **

Professor Coleman will tell us about Debconf 10 which will be held August 1st through 7th right here in New York City. This will be the first time the conference is being held in America, so it is a great opportunity for us to participate and learn. She will cover some of Debconf’s history and update us on the schedule of events and talks. This will also be a chance to volunteer to fulfill some remaining roles that could help make the conference even better for our guests.

On July 29, Rakudo* (pronounced “rakudo star”), the first user-friendly distribution built around an implementation of the Perl 6 programming language, will be released. In this talk, James Keenan will provide a brief introduction to Rakudo*:

  • What is it?
  • How does it differ from Perl 6 itself?
  • Who is its intended audience?
  • How do you get it?
  • How can you learn it?
  • What does that asterisk in its name mean?

Fedora has some great new performance analysis features that can help you obtain the best performance possible from your hardware. Jon Stanley will introduce us to some of these tools, such as perf, latencytop, and systemmap, in a hands-on demo. He will also give an overview of Fedora 13 features.

About the speakers:
Trained as an anthropologist, Gabriella (Biella) Coleman examines the
ethics of online collaboration/institutions as well as the role of the
law and digital media in sustaining various forms of political
activism. Between 2001-2003 she conducted ethnographic research on
computer hackers primarily in San Francisco, the Netherlands, as well as
those hackers who work on the largest free software project, Debian. She
is completing a book manuscript “Coding Freedom: Hacker Pleasure and the
Ethics of Free and Open Source Software” (under contract with Princeton
University Press). She is the recipient of numerous grants and awards,
including ones from the National Science Foundation, the Woodrow Wilson
Foundation, the Ford Foundation, and the Social Science Research
Council. She is on leave during the 2010-2011 academic year at the
Institute for Advanced Study in Princeton, NJ.

James E Keenan has been hacking Perl since 2000. He is the author or maintainer of 15 distributions on the Comprehensive Perl Archive Network (CPAN). He has co-led Perl Seminar New York since its founding ten years ago and has spoken or led workshops at numerous Perl conferences and user groups in the United States and Canada. He is active, principally in testing, in the Parrot virtual machine project, one of the underpinnings of Rakudo Perl. Jim first attended NYLUG in 2000 and spoke at NYLUG in October 2006. He is a senior software developer at a leading email services and campaign management provider in New York City.

Jon Stanley is a longtime Fedora contributor and is currently a member of the Fedora Board. He has previously presented at NYLUG. He is currently most aligned with the Fedora Infrastructure team, where he keeps the servers that make Fedora possible running 24/7. He can be found on IRC as jds2001 in various Fedora channels and #nylug on Freenode.

After the meeting … You may wish to join up with other NYLUGgers for drinks and pub food. Join us around 8:30 PM or so at TGI Friday’s (677 Lexington Avenue & 56th Street, second floor, northeast corner). We are also evaluating other options for the future and welcome your suggestions.

by Tuxi at July 16, 2010 09:20 PM

July 08, 2010

Information Security Strategy

Teaching again

I have recently been invited to teach my introductory computer and network security class in the Spring semester. The class is a "high 300"-class, and I'm looking forward to refreshing my material.

For as many years as I have been active in this field, I have observed a serious disconnect between technical information security practitioners and the material that is taught at colleges and universities.

As it happens, I will be heading out to Las Vegas at the end of this month (July) to attend the Black Hat Briefings and some of Defcon 18. At the risk of launching the understatement of the year, I am fairly sure that it should not be too hard to find security practitioners with an opinion at those venues.

So, consider this post as a call to action.

If you want to help me out by sharing your thoughts on what a full-semester 3 credit undergraduate class on computer and network security should look like, please hit me up and tell me exactly how you feel. The class is targeting a mix of computer science majors and management of information systems majors.

You can reach me via the feedback option at the bottom of each page on this site, by using the comment fields, or by contacting me on Twitter. My handle is @leune. I look forward to hearing anything from technical skills that should be taught, reading materials that I should review, or even conferences that I should send people to. Any feedback is good feedback!

by Kees at July 08, 2010 08:45 PM

July 07, 2010

Code|Beta Photography

Film photos from previous sessions

I’ve been terrible at blogging lately and have yet to blog 2 sessions I did during the month of June; but just as a preview of those sessions I’ll post these photos which were taken on film. These photos are black and white because they were shot with Ilford Delta and HP5 film.


The photo above is from the Bet-Shalom concert that took place in San Jose and you can read more about it here. I took the chance to shoot a couple of frames from their concert on my trusty Nikon FM10 using the excellent Ilford HP5 film, which I must say that it’s my favorite film to shoot with and I’ll be definitely using it a lot more.



© lmurillo for Code|Beta Photography, 2010.

by Luis Murillo at July 07, 2010 02:00 PM

July 06, 2010

NYLUGblog

Coding Workshop/Hacking Society Meeting: 7/9 6-8 PM

Coding Workshop/Hacking Society Meeting: 7/9 6-8 PM

NY Public Library, Hudson Park Branch
66 Leroy St.
New York, NY 10014
Calendar & Directions

Coding Workshops/Hacking Society: This is a group of people that wants to learn about and work on coding in Python, Smalltalk, C++, and other languages, and hack on code. Sometimes they go out to eat afterward. Bring something to show off and discuss! The workshops meet every other Tuesday, at the NY Public Library, Hudson Park Branch. 66 Leroy St. NY NY from 6:00 PM – 8:00 PM

by Tuxi at July 06, 2010 08:55 AM

June 27, 2010

Code|Beta Photography

Reggae Roots Band Bet-Shalom

Recently I had the opportunity to meet up with Bet-Shalom, which is a Costa Rican reggae roots band, and attend one of their concerts that took place in San Jose, the capital of Costa Rica, as part of the “Fiesta de la Musica” that was organized and included several concerts throughout the big cities in Costa Rica.


Earlier that day we had a portrait session for the whole group and I also took the chance to take photos of them during the concert they had that day. Despite the great amount of rain that fell that afternoon there was quite a crowd that came to the concert.



© lmurillo for Code|Beta Photography, 2010.

by Luis Murillo at June 27, 2010 04:40 AM

June 25, 2010

Information Security Strategy

On Checklists

On one of my recent trips back from New York City to my office, I had to spend some time at Penn Station waiting for my train to arrive. Invariably, whenever that happens, I end up in a book store. Although I usually do not end up buying anything, this time I picked up a copy of Atul Gawande's The Checklist Manifesto. In the book, Gawande presents example after example to explain why just about any procedure can be improved by using checklists.

Checklists provide the minimal steps required to execute a procedure successfully. They do not always have to be written in full, and should not go into extreme detail describing every step to take, but they should focus on certain key steps that should always be followed. Arguably, the most well-known form of checklist is the one used by pilots. These checklists cover routine circumstances, but specific exception checklists also exist. The checklists typically do not focus on how to do things; they provide a form of reflection to whoever uses them, to ensure that what needs to be done has been done.

Information security practices may also benefit from checklists. Keep in mind the lesson from the book: checklists should be simple to understand, focus on critical steps, describe what needs to be done and not how to do it, and most importantly, be used consistently.

In my security practice, I often use very simple checklists. Common items include:

☐ Notify CIO

☐ Inform Helpdesk

☐ Create tracking ticket

☐ Activate CSIRT

These checklist items are simple to understand, do not assign specific responsibility for who should execute the steps, and do not provide any guidance about how they should be executed. Yet, they are unambiguous, and when steps are omitted from them, it may come back to haunt you.

Some of the common objections against using checklists raised by critics are:

  • "I do not need a checklist to tell me how to do my job." Maybe, but remember that the checklist does not specify how to do a job. They provide reminders of all the steps that need to be gone through, and they will provide whoever is using them with the assurance that all steps were followed. Especially with highly repetitive jobs that are executed dozens of times a day, it is easy to miss a step or to cut a corner. Conversely, procedures that are invoked very rarely run the risk of being executed incorrectly. Checklists will ensure that defined processes are executed completely and consistently, rather than shot from the hip. I find that incident response work typically benefits from checklists.
  • "Checklists slow me down." That is part of the whole idea. Checklists will stop people from going on autopilot and force them to actually think about what they are doing and how they do them.
  • "I do not see the value of checklists". Completing checklists will provide job metrics, especially if exceptions are noted. In addition, they may provide a documentation trail about the work that is done. Finally, the first time that a checklist actually catches an omission before it turns into an incident in its own right, their value will be made obvious.
The book was a very pleasant read, and I highly recommend it. Pick it up here (hardcopy) or

by Kees at June 25, 2010 06:51 PM

June 08, 2010

More Blogs About Technology and Food

Free Delicious Cake!!

And that's no lie! Until May 24th, Portal is free for download from Steam, as a celebration of the Mac OS X version of the popular gaming store and service. So grab yourself a slice of delicious cake and grab Portal for free! :)

by Robert Menes (noreply@blogger.com) at June 08, 2010 07:52 PM

June 07, 2010

NYLUGblog

Rob Spectre on Open Source Television with Boxee

Rob Spectre
- on -
Open Source Television with Boxee
Wednesday, June 16, 2010 @ 6:30-8:00 PM
** Please note important information about this meeting **

The living room remains the final frontier of open source
software. With wide adoption from home office to enterprise, from
datacenter to dining rooms, consumers all over the world rely on OSS
daily to run their lives. However, the third screen that has
dominated eyeballs for the past sixty years has been the exclusive
dominion of proprietary, monolithic black boxes. With the average
American consuming eight full hours of television per day, one New
York startup aims to change this paradigm of closed software in the
single room in the house where most waking time is spent.

Boxee’s free, open source, downloadable media center software is
changing the way consumers experience media. Lead Apps Developer and
Community Evangelist Rob Spectre will discuss Boxee’s open source
heritage, hacker culture, and open API as well as answer your
questions and unload T-shirts a-plenty.

About Boxee:
Boxee is changing the way people experience home entertainment by
bringing TV shows, movies, videos, and music from the Internet to the
TV. Boxee's free software can be easily downloaded to any computer or
embedded into TVs, Blu-Ray players, game consoles, and set top boxes.
Boxee has quickly established itself as the best way to bring
entertainment from different sources into one place – anything from a
local collection of movies, TV shows, music, and photos, to streaming
content from websites like Netflix, MLB.TV, Pandora, Last.fm, and
flickr. Users can also discover new entertainment from their friends
and share recommendations with social networks like Facebook and
Twitter. More than a million people use Boxee to enjoy their
entertainment. Learn how you can join them at www.boxee.tv.

About Rob Spectre:
Rob is the Lead Apps Developer and Community Evangelist for Boxee
with the worst haircut in open source software. An eleven year Linux
user, he serves the Boxee family as the passionate advocate for the
open source community armed with over a decade of experience in OSS
and a hefty supply of hairspray. In what little spare time he has,
Rob likes to go to punk rock shows, speedcube and maintain his
unInternet service laughotron.com.

After the meeting … You may wish to join up with other NYLUGgers for drinks and pub food. Join us around 8:30 PM or so at TGI Friday’s (677 Lexington Avenue & 56th Street, second floor, northeast corner). We are also evaluating other options for the future and welcome your suggestions.

by Tuxi at June 07, 2010 10:10 PM

June 05, 2010

Fyndo's musings

Is change good?

Personally, I tend to think change is, on balance, good. Something is not better merely because it's different, but something better than what we had before will of course be different, and I have enough faith in our species (and society), to think we pick more positive changes than negative ones. The WSJ has an article on change, and the internet, that I liked: Does the Internet Make You Smarter?

by Fyndo (noreply@blogger.com) at June 05, 2010 08:39 PM

June 04, 2010

Samat Says

Quick and easy network bandwidth benchmarking on Linux and MacOS X

A couple of years ago, I set up my first gigabit Ethernet network. I wanted to test just how fast it could go with the equipment I gave it (that is, the NICs, cabling, and switches it operated on). Gigabit Ethernet, theoretically, can operate at 1000 Mbit/sec. This translates to 119.209 MiB/sec, the unit your OS typically displays when doing downloads (1000 Mbit/sec / 8 / 2^20). How close is your network setup to that maximum? Copying files between PCs, while being a very “real world” test, will be limited by how fast your disks can read or write. A specialized tool is needed.

While many system benchmark suites include network testing tools, most are not easily separated from their suites, and are not easy to install and use.

Enter NetStrain. It’s a very simple C application for Linux and MacOS X designed to stress network connections. Unfortunately, it’s not included in most Linux distributions or MacOS X, so you need to download and compile it yourself.

After compiling, use is simple. One machine acts as a server, and another machine acts as a client. Start the server first with:

netstraind -4 9999

This starts a server using IPv4 networking on port 9999 (use a different port if you know this one is in use; remember to pick one above 1024 if you’re not running as root). On your client machine, start the client and connect it to the server (assumed to be running on IP 192.168.1.2 and port 9999):

netstrain -4 192.168.1.2 9999 send

NetStrain will then try to send as much data over your network connection as it can, for as long as the client is running. NetStrain is very spartan, so there are not a lot of options. In addition to sending, you may want to test receiving, as well as simultaneous sending and receiving. Check NetStrain’s README for details.

Most likely, you will not get anything near 119.209 MiB/sec—but hopefully, you’ll get better speeds than a normal 100 Mbit connection to make everything worthwhile.

What if you want to make things faster (without buying newer, better hardware)? There are many parameters you can tune on your operating system’s networking stack. However, in most modern operating systems, most of them are already set, or are automatically configured (e.g. TCP window scaling). The one major tunable is something called MTU (Maximum Transmission Unit).

Data is transferred over Ethernet in packets; the MTU defines the size of those packets. A larger packet size means fewer packets are needed to send the same amount of data, reducing the amount of processing that needs to be done by your computer, switches, and routers. Your computer’s NIC, switches, and routers need to support large-size MTUs, a feature often advertised as “Ethernet jumbo frames.” Jeff Atwood wrote an article on the promise and perils of jumbo frames that you may want to read if you’re interested.
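As an added example (not NetStrain’s code, and not part of the original post), here is a small Python benchmark in the spirit of netstrain’s send mode: a receiver thread drains a loopback TCP connection while the sender pushes a fixed number of bytes, and the measured rate is compared against the theoretical TCP goodput for a given line rate and MTU. The framing overhead constants (38 bytes of Ethernet preamble, header, FCS and inter-frame gap; 40 bytes of IPv4 and TCP headers) are standard figures, not anything from the post, and a loopback run measures the CPU and kernel ceiling rather than a real NIC.

```python
"""Throughput benchmark in the spirit of NetStrain's "send" mode.

Added example (not NetStrain's code): one thread acts as the receiver, the
main thread pushes a fixed number of bytes over a loopback TCP connection,
and the achieved rate is compared against the theoretical ceiling for a
given line rate and MTU.
"""
import socket
import threading
import time

MIB = 2 ** 20

# Per-frame Ethernet overhead on the wire: preamble + SFD (8), MAC header (14),
# FCS (4) and the inter-frame gap (12), i.e. 38 bytes that never carry data.
ETH_OVERHEAD = 38
# IPv4 and TCP headers without options: 20 bytes each inside every packet.
IP_TCP_HEADERS = 40


def line_rate_mib_s(mbit_per_s: float) -> float:
    """Raw line rate as MiB/s, the unit the OS shows (1000 Mbit/s -> 119.209)."""
    return mbit_per_s * 1_000_000 / 8 / MIB


def tcp_efficiency(mtu: int) -> float:
    """Fraction of the wire rate left for TCP payload at the given MTU.

    A larger MTU means fewer frames, so the fixed per-frame overhead is
    amortised over more payload (1500 -> ~94.9 %, 9000 -> ~99.1 %).
    """
    if mtu <= IP_TCP_HEADERS:
        raise ValueError("MTU too small to carry a TCP payload")
    payload = mtu - IP_TCP_HEADERS
    return payload / (mtu + ETH_OVERHEAD)


def max_tcp_goodput_mib_s(mbit_per_s: float, mtu: int) -> float:
    """Best-case TCP goodput for a line rate and MTU, in MiB/s."""
    return line_rate_mib_s(mbit_per_s) * tcp_efficiency(mtu)


def measure_loopback_throughput(total_bytes: int = 64 * MIB,
                                chunk: int = 256 * 1024) -> dict:
    """Send total_bytes over 127.0.0.1 and return bytes, seconds and MiB/s."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))        # port 0: let the OS choose a free port
    server.listen(1)
    port = server.getsockname()[1]
    received = {"bytes": 0}

    def receiver() -> None:
        conn, _ = server.accept()
        with conn:
            while True:
                data = conn.recv(chunk)
                if not data:             # peer closed: transfer complete
                    break
                received["bytes"] += len(data)

    worker = threading.Thread(target=receiver)
    worker.start()

    payload = b"\x00" * chunk
    start = time.perf_counter()
    with socket.create_connection(("127.0.0.1", port)) as client:
        sent = 0
        while sent < total_bytes:
            n = min(chunk, total_bytes - sent)
            client.sendall(payload[:n])
            sent += n
    worker.join()                        # wait until the receiver drained it all
    elapsed = time.perf_counter() - start
    server.close()
    return {"bytes": received["bytes"], "seconds": elapsed,
            "mib_per_s": received["bytes"] / MIB / elapsed}


def fraction_of_ceiling(measured_mib_s: float, mbit_per_s: float, mtu: int) -> float:
    """How much of the theoretical goodput a measurement reached (1.0 = all of it)."""
    return measured_mib_s / max_tcp_goodput_mib_s(mbit_per_s, mtu)


if __name__ == "__main__":
    for mtu in (1500, 9000):
        print(f"MTU {mtu}: ceiling {max_tcp_goodput_mib_s(1000, mtu):.2f} MiB/s")
    result = measure_loopback_throughput()
    print(f"loopback: {result['mib_per_s']:.1f} MiB/s over {result['seconds']:.2f} s")
```

To compare a real NetStrain run against the ceiling, pass its reported MiB/s to fraction_of_ceiling together with your link speed and MTU.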

by Samat Jain at June 04, 2010 07:37 AM

June 01, 2010

Rob's Musings

Weekly GSoC Survey Tool meeting summary

The weekly meeting was held in the #sahana-eden IRC channel on irc.freenode.org. Present were: Mark, Gavin, Michael, and of course whatever spectators:

What was discussed:

  • We removed some of the question types from the functional specification to simplify things
  • Discussed how Michael did the ADPC _next stuff and how it can be applied to this project
  • Gavin suggested localization -- a suggested implementation is specified -- this is a "Nice to Have" as it's outside the scope of this project for GSoC.
  • Will discuss on the mailing list how best to generically and elegantly support "wizard"-like UIs within S3.

What's on the agenda for the next couple weeks (this week will be scarce):

  • Noodle over ways to generically support "wizards" in S3 elegantly
  • Implement the "Template" stage (page 1 of the wizard) [first milestone as per my project plan timeline]

Resources relevant to this meeting for the purpose of this summary:

  1. The functional spec
  2. The project plan timeline
  3. Meeting log [meeting ends at 0109 as per the timestamp in the logs]
Cheers!

by Robert O'Connor (robby.oconnor@gmail.com) at June 01, 2010 12:41 AM

May 28, 2010

Information Security Strategy

SOURCE Boston professional development

SOURCE Boston is one of my favorite information security conferences. That is not to say that other conferences are not good, but SOURCE has the benefit of being relatively close by (New York - Boston is not that far), and the conference is not massively large. As a result, there is excellent interaction between the crowd and the speakers, which is something I appreciate a lot.

Unlike last year, I will most likely not be presenting a full talk. Instead, the organizing committee has asked me to design and moderate a workshop on professional development. Of course, I accepted this invitation gladly, and we are now working to design the session.

Getting started in the information security field is not easy. As shrdlu put it recently, information security is a highly specialized craft and practitioners need to get their feet wet before they can truly transition into it. The session at SOURCE Boston will be highly interactive. We'll begin with a 15 minute panel session that should set the stage for the remaining time.

The remainder of the time will take the form of a workshop in which we'll discuss topics like setting realistic goals, identifying relevant work opportunities and building a personal network. We'll also talk about what it is like to be a mentor, and what it takes to be successful as one.

We hope to reach an audience that may range from graduating college seniors to individuals who are already established in a professional environment. If you are interested in learning more, or if you have suggestions to make this session even better, please drop me a line and we'll talk.

More information about SOURCE Boston is available on its web site.

by Kees at May 28, 2010 01:08 PM

Developing a strategic information security plan

With the summer approaching rapidly, it is time to start working on my next strategic plan. As a refresher from business school: strategic planning is the process by which an organization's long-term goals and objectives are identified and documented. Exactly how long "long-term" actually is depends on your environment. In my case, working off a three-year strategic plan seems to make the most sense.

Goals are much like policies; they should be broadly defined, describe a desired outcome, be to the point, and (in most cases) be technology-neutral.

Information security strategic plans must not exist in a vacuum. Instead, the information security organization is typically part of a larger unit (IT, Internal Audit, etc.), which in turn is part of the overall organization. Any goals and objectives that are defined in the information security plan should be in alignment with those organizational goals.

In order to develop an effective information security plan that will be carried by the organization as a whole, it is often best to develop the plan top-down. In other words, start with the organization's goals and derive your information security goals from them. It is completely acceptable to identify some information security goals that are not derived directly from your organization's strategic plan, but the information security goals should never be in conflict with the organization's goals.

Goals are made specific by defining realistic and measurable objectives. Each objective typically leads to one or more initiatives that play a role in achieving the objective. By measuring how well initiatives are achieved, a picture forms of how well goals are realized.

When defining a strategic plan, care must be taken not to end up in a mindset that will reject anything that is not directly related to it. Your organization's daily operations must continue, and new things will pop up that must be addressed also. Especially in the information security field, where new threats manifest themselves daily, the strategic plan should not compromise the flexibility of your response organization. Having said that: the plan will provide guidance going forward and determine future directions.

Many organizations, mostly governmental bodies, publish their information security strategic plans to the public and they can be used as a reference.

So: how would this work? Let's give it a go. Some conventions. Roman numerals are used to enumerate goals (I, II, III, IV, etc.). Arabic numerals are used to enumerate objectives (1, 2, 3, 4, etc.). Latin letters are used to enumerate initiatives (a, b, c, d, etc.). Note that objectives are listed under their respective goals, but since initiatives can contribute to objectives associated with multiple goals, they are numbered independently.

Goal:
I)    Improved network forensics capabilities.

Objectives:
I.1)  Capturing of session data on the network core
      o  Collect network flow data from all network core devices by end of month 9

I.2)  Logging on all network devices, starting at the access layer.
      o  100% of core switches, routers, and firewalls to generate logging by end of year 1
      o  100% of all network components to generate logging by end of year 2

I.3)  Central collection of all security logs.
      o  100% collection of all generated network device logs by end of year 1
      o  100% collection of all server logs by end of year 1

Initiatives:
a)    Purchase, install and configure a server to receive, store, analyze and process network flow data and log data (contributes directly to I.1 and I.3)
b)    Discover and document all sources of security logs (prerequisite to c)
c)    Configure all security log sources to generate logs and to transmit them to the central log collection point (contributes directly to I.1, I.2 and I.3)
d)    Configure all core network devices to generate session logs and to forward them to the central log collection point (contributes directly to I.1, I.2 and I.3)

The initiatives can now be used for budgeting purposes and to establish an operational plan.

by Kees at May 28, 2010 01:07 PM

May 27, 2010

Information Security Strategy

Note taking for CISO's

I have found note taking to be my way of staying at a relatively stable level of sanity.

The first key to successful note taking is that all my notes go into one (Moleskine) book (get them at your local Barnes and Noble stores). It has a hard cover and heavy paper and goes with me wherever I go. Because I have a tendency to capture complex thoughts in diagrams, my choice is the book with blank paper (no lines), but pick what suits your fancy. Each book has 240 pages, which is enough to capture between 6 months and 9 months of my notes.

Colleagues in meetings lovingly refer to it as my little black book (with the DefCon sticker on the front). Because all your notes will be in the book, you'll always have them all.

The second key to successful note taking is to find a good pen. Don't use the $.79 disposable one, but pick one that really suits your hand. I use Parker Sonnet fountain pens with black ink and a medium-sized nib. Because the Moleskines have heavy paper, the ink doesn't bleed through the pages.

Next, note taking etiquette. Mark every meeting with the title of the meeting (e.g. CIO briefing), the date and a page number (with total page count). Even if you don't take any notes during the meeting, you'll have record of the fact that you attended.

Here are some tips that I have found useful:

Hyphenated list elements: reserved for items I need to bring to the table. For most meetings, I reserve one page ahead of time. While I do other things, I may add list items to the page reserved for that meeting before the agenda actually comes out (if there is one).

Square boxes: reserved for action items I need to follow up on. When the action item has been completed, check it off. Flipping back through the most recent pages of your book will always give you your latest action items that still need to be addressed.

A typical note page will look something like this:

-------------------------------------------------------------------------------------------------------------
Managers Status Updates     04/01/2010    1/2

- update: MS OOB
- Vulnerability scan results sucked.
- Firewall is on fire most of the day
- web coding must be improved; XSS are not part of the func. requirements
- please don't hack us next week, as we'll be on vacation

sysadmins: unexpected outage of internet uplink, failover worked

[ ] get details to rule out DoS

desktop grp: antivirus keeps on triggering false positives

[ ] schedule product review and eval alternatives during summer

cio: budget requests approved

[ ] go party
-------------------------------------------------------------------------------------------------------------


Keeping the notes brief and to the point will be enough to trigger your memory, and they serve as a record of what happened. Labeling them with the date and the title will allow you to quickly find the meeting that you are looking for, and the page numbering is just good housekeeping.

Let me know how it played out :)

by Kees at May 27, 2010 07:12 PM

May 21, 2010

Rob's Musings

Introducing the Task Module for Sahana Eden

Hey Folks,

I needed something simple to get up to speed with Sahana Eden and a Task Manager is simplest. I was able to bang it out in a few days from start to finish. Web2py is an easy framework to work with, and many code examples exist within Sahana Eden that I was able to copy/paste.

You can mosey on over to the demo site and play with it yourself. Just register and you should be set. Do not worry, you won't be spammed and your information will not be sold.

I faced one small problem once I saw everything was setup: I couldn't figure out how to get the widgets to select a user (who both started and finished the task -- these could be two different users). The gears were spun and spun and spun until an ah-hah moment occurred: the following function in 00_tables.py in the models directory:


def shn_user_represent(id):
    """Return "First Last" for an auth_user id, or None if the id is empty or unknown."""
    if id:
        user = db(db.auth_user.id == id).select()
        if user:
            user = user[0]
            name = user.first_name
            if user.last_name:
                name = "%s %s" % (name, user.last_name)
            return name
    return None

Helped me to see where I needed to be and once I read this code and understood it, it all made sense to me. The following is how you render a drop-down box containing all registered users:


# IS_IN_DB passes each candidate row to the label callable, so hand the row's id to the represent function
table.started_by.requires = IS_NULL_OR(IS_IN_DB(db, db.auth_user.id, lambda row: shn_user_represent(row.id)))
table.finished_by.requires = IS_NULL_OR(IS_IN_DB(db, db.auth_user.id, lambda row: shn_user_represent(row.id)))

Where table represents the database table for your model and started_by and finished_by are the fields; the rest is validation. That's it! It was that simple.

Now next week on Monday, May 24 -- the official start of the program begins. At that point and time, this project will take a back burner and I will attempt to post AT LEAST a weekly -- if not every other week about all progress that is made throughout the duration of the program.

Regular updates will be posted to the Sahana Eden mailing list.

You can follow progress via the launchpad bazaar branch.

by Robert O'Connor (robby.oconnor@gmail.com) at May 21, 2010 03:09 AM

Accepted to Google Summer of Code 2010: HAT TRICK!!




I have been accepted to Google Summer of Code 2010 for the third year running! This summer I will be working with Sahana Eden.


The Sahana Free and Open Source Disaster Management System was conceived during the 2004 Sri Lanka tsunami. The system was developed to help manage the disaster and was deployed by the Sri Lankan government's Center of National Operations (CNO), which included the Center of Humanitarian Agencies (CHA). A second round of funding was provided by the Swedish International Development Agency (SIDA). The project has now grown to become globally recognized, with deployments in many other disasters such as the Asian Quake in Pakistan (2005), the Southern Leyte Mudslide Disaster in the Philippines (2006) and the Jogjakarta Earthquake in Indonesia (2006).


The project is now being ported to Python as an experimental fork and a replacement for Sahana Agasti, so that the software can be extended. Sahana Agasti is written in PHP.

I will be working with Sahana Eden to create a tool to create, enter, and manage surveys. This should be a lot of fun!

by Robert O'Connor (robby.oconnor@gmail.com) at May 21, 2010 02:59 AM

May 19, 2010

Information Security Strategy

Implementing SIEM

While assessing my infrastructure, I came to the conclusion that it is time to start working on a few things:

  • increasing operational efficiency by selective and targeted automation of log review, thereby freeing up valuable human resources to work on more interesting projects;
  • increasing (near) real-time situational awareness of my infrastructure;
  • increasing the ability to conduct log-based forensics;
  • increased scrutiny and enforcement of log retention policies.
Note that compliance is missing in this list. Partially that is because doing these things well will lead to an increased compliance posture, and partially it is caused by the fact that I do not have compliance regulations that require me to implement technologies like this.

Anyone familiar with the field will see that this is a textbook use case to start looking for a log management solution, an event management solution, or maybe even a full SIEM.

Since I have done SIEM projects in a previous job, I was a little reluctant to start a new one. SIEM projects typically involve many operational groups, which makes them complicated to execute, and the SIEM market is generally on the pricey side. Adding a SIEM will also add a layer of complexity, if done wrong.

However, after some consideration, I decided that it was time to start a new project. In order to avoid wasting my time, I built several go/no-go decisions into my expected timeline.

Like many IT projects, a SIEM project is not something that can be rushed. From the point of project initiation, I decided to take 1 year to go through the process of research, budget acquisition, requirements formulation, scoping, vendor presentations, contract negotiations, etc. to the point where a product has been purchased and implementation could start.

Twelve months is a long time, but it is necessary to take the time and to do it right. Once you commit to a SIEM product, you had better take it seriously, or else it will fail.

While I am now at about 3/4 of my project, and my potential vendor list has been narrowed down quite a bit, I have not yet made a final selection about which product/vendor to select, if I select one at all.

After an overdose of sales rep speak ("single glass pane", "drill down", "30 thousand feet overview", "customizable dashboard", etc.), I can say that most products that I have reviewed have made some nice progress since I looked at them 5 years ago. Interesting to see is that, while I followed the same evaluation process back then, the outcome is completely different this year. That difference can be explained by a combination of market movements, a different workplace, SIEM technologies maturing, and a better understanding on the implications of doing something like this on my part.

The SIEM market seems to be developing nicely, and is slowly reaching a level of maturity.

It seems that I am not the only one thinking about these things lately. The guys over at Securosis have been posting a nice series of posts on SIEM selection, as has Rocky DeStefano over at Security Operations by Visible Risk. In the midst of this, Andrew Hay takes a job at the 451 Group as the Senior Analyst primarily responsible for the SIEM, Log Management, GRC, Forensics, Vulnerability Analysis, and Penetration Testing portfolios; the Gartner Group decided to release its 2010 magic quadrant for Security Information and Event Management; and LogLogic announced that they are cutting their pricing in an attempt to push the market towards a more cost effective solution for SEM/SIEM.

We live in interesting times.

by Kees at May 19, 2010 06:05 PM

May 16, 2010

More Blogs About Technology and Food

Flickr

This is a test post from , a fancy photo sharing thing.

by Robert Menes (noreply@blogger.com) at May 16, 2010 01:34 AM

May 14, 2010

Code|Beta Photography

Kiev 88CM

I have recently gotten into taking photographs using film (despite popular belief, film is not dead), and I wanted to get a great camera. After quite a bit of investigation and talking with fellow photographers in the film area, I fell in love with the Kiev 88CM. I bought one off of eBay in brand new condition with upgrades applied. This is a photo of the camera itself.


This camera looks old, like it had been built back in the 60s or something, but it was actually built somewhere between 1999 and 2004 in Kiev, Ukraine. The company Arsenal, which mostly specialized in the creation of weapons and was funded by the Ukrainian government, got into the business of creating film cameras, and this is one of their last models, or so my research has said; it’s an update to the Kiev 88 model. The design of the Kiev 88 and Kiev 88CM was based off of the Hasselblad 1000 and 1600 models.



by Luis Murillo at May 14, 2010 03:24 PM

May 04, 2010

NYLUGblog

Wietse Venema on Postfix: past, present and future

Wietse Venema
- on -
Postfix: past, present and future
Wednesday, May 19, 2010 @ 6:30 -8:00 PM
** Please note important information about this meeting **

In the 12 years since its initial release by IBM, the open source
Postfix mail system has become part of the email infrastructure.
The system has proven itself on personal systems and on ISP
infrastructures with 10s of millions of mailboxes. After Postfix
reached completion by 2006, the focus of development has moved from
building new functionality towards making the system more extensible
and more survivable in the face of changing threats and requirements.
In this presentation Wietse will review lessons learned, current
developments, and some speculation about the future.

About Wietse Venema:
Wietse Venema is known for his software such as the TCP Wrapper
and the POSTFIX mail system. He co-authored the SATAN network
scanner and the Coroner’s Toolkit (TCT) for forensic analysis, as
well as a book on Forensic Discovery. Wietse received awards from
the Free Software Foundation, the System Administrator’s Guild
(SAGE), the Netherlands UNIX User Group (NLUUG), as well as a
Sendmail innovation award. He served a two-year term as chair of
the international Forum of Incident Response and Security Teams
(FIRST). Wietse currently is a research staff member at the IBM T.
J. Watson research center. After completing his Ph.D. in physics
he changed career to computer science and never looked back. In his spare time he enjoys hiking and cycling with his wife, Annita.

After the meeting … You may wish to join up with other NYLUGgers
for drinks and pub food. Join us around 8:30 PM or so at TGI Friday’s
(677 Lexington Avenue & 56th Street, second floor, northeast corner).
We are also evaluating other options for the future and welcome your suggestions.

by Tuxi at May 04, 2010 02:00 AM

Information Security Strategy

Penetration Testing in the Real World

The crew over at Offensive Security has taken the time to produce and publish a 17 minute technical video describing a summarized version of an actual penetration test. While several mistakes were clearly made by the target network, none of the errors were unheard of, even in well-managed corporate environments.

This is probably one of the best examples of penetration testing that I have seen in quite a while. The story is told by "muts" from Offensive Security, which is a training and consultancy company that I highly respect.

Offensive Security's training offerings are high quality for a low price, and definitely something that I highly recommend looking into (Disclaimer: I hold the Offensive Security Certified Professional certification).

While the course content may not be 100% state-of-the-art, the attacks and exploits in it are still highly applicable in many organizations. Furthermore, the way-of-thinking that is introduced by this class is unparalleled.

After viewing the video, I think you'll have a whole new perspective on these things.

by Kees at May 04, 2010 01:12 AM

May 03, 2010

Information Security Strategy

Slide decks posted

The month of April was a month in which I had three public speaking appearances. It started out on April 16 when I addressed the New York Higher Education Technology Forum at Hofstra University. The talk tried to drill home the point that all this Cloud stuff is all nice and fluffy, but that we, as cloud consumers, must make sure that our vendors deliver better service for less money. If we fail to do that, we are not making any progress, and Cloud will just be another concept that is doomed to fail.

The second talk was on April 20 at SOURCE Boston, where I was in the fortunate position to moderate a panel about career development, and especially about the role that mentors play in that process.

In the third and final talk, on April 29, I addressed a gathering of non-technology people about the risks of social networking, and how to mitigate the risk for themselves. The most important point that I tried to make in that presentation was that on social networks, people may actually read what you write.

Both presentations are available for download, although they might not do you much good without the narrative.

by Kees at May 03, 2010 07:54 PM

April 30, 2010

Information Security Strategy

SOURCE Boston 2010

SOURCE Boston has been over for almost a week. Looking back at the event, I can only come to the conclusion that, once again, the level of the presentations exceeded my expectations. While the conference is fairly small, with only between 250 and 300 persons in attendance, the talks were of high quality and the people who attended just about all mattered. Despite the fact that several speakers were stuck in Europe as a result of the volcanic eruptions in Iceland, it was still very worthwhile to attend.

Once the talks are posted online in a few weeks, I'll let you form your own thoughts about them, and I'll make sure to publish a reminder when they do become available.

This year, I was in the fortunate position to host a panel session on Wednesday night. The panel discussion revolved around the usefulness (or lack thereof) of mentors in furthering careers in the information security field. Some very interesting comments were made during the session, and we are going to try spinning something up again next year.

by Kees at April 30, 2010 01:22 AM

April 22, 2010

More Blogs About Technology and Food

iPhone can now run Android!? WHAT!?

Yes, it's absolutely, positively true! I thought the day would never come, but it did! A hacker by the name of planetbeing has posted a video on YouTube of what appears to be either Android 1.5 or 1.6 running on the iPhone. Before anyone says, "This looks shopped!" or "Fake!", read his blog post about this first, then watch the video of it in action (linked below). According to planetbeing,

by Robert Menes (noreply@blogger.com) at April 22, 2010 01:26 AM

April 20, 2010

Information Security Strategy

From the life of a CISO...

Two things you never want to hear (especially on the same day):

* From an IT director to the CISO: "There is no need to involve your group in the project yet-- we have not even decided on the product!"

* (overheard) Admin: "Do you think we should tell the security officer about this?" Manager: "no, he did not get in."

Now, I could do a full writeup about how important it is to include information security officers from before the planning stage of every project, and how even the slightest sign of unusual behavior should be brought to the attention of a security person, but I will not do that. These two quotes should speak for themselves.

by Kees at April 20, 2010 03:46 PM

More Blogs About Technology and Food

Playing with Lomography

These pictures were taken using the FxCamera app for Android on my phone. The lomography setting in the app is amazing, with tons of options and flexibility. Personally, I am absolutely enamored with lomography now, and want to buy a camera. Click the images to view them in full-size.

by Robert Menes (noreply@blogger.com) at April 20, 2010 08:07 AM

April 16, 2010

Information Security Strategy

Information Security in the Cloud

Today, I will present "Information Security In The Cloud" at the New York Higher Education Technology Forum. The presentation will deliver a high-level overview of some things to keep in mind when moving to a cloud-based infrastructure.

The one point that I hope to get across is that, in order to create real value, CIOs must hold cloud service providers to at least the same levels of expectation as they hold their internal IT organization. In other words, when a CIO expects an uptime of 99.99% from the internal IT group, a cloud offering should be able to deliver the same. If a CIO expects to run an infrastructure component for $25,000 (all-inclusive), the cloud offering should cost at most the same. If the CIO expects regulatory compliance and performance monitoring from the internal groups, he should expect the same from a cloud offering.

Too often, businesses are willing to accept a lower level of quality from a cloud offering. For example, some of the cloud providers that I have worked with directly typically do NOT promise a minimum uptime, or when they do, it is at most 99.9%. Taking such an offering would often reduce the quality of the end-user service offerings.

The presentation outline is as follows:

- Introduction
- Assumptions
- Traditional information security
- Cloud Considerations
- Top Threats (based on the Cloud Security Alliance report of March, 2010)
- Recommendations
- Conclusions

After I have done the presentation, I'll post the slide deck and I may even record an on-demand version for those who are interested. Don't expect a technical talk, or one that goes in great depths: that would be unsuitable for the audience, and I only have 45 minutes (including discussion).

by Kees at April 16, 2010 01:24 PM