I got to go to LA for CISSP training.  It was nice although I didn't get to explore much.  Deckard would be proud...

A nice shot of the Bradbury Building:

I have passed my CompTIA Security+ exam and I'm now Security+ and MCSA:Security 2003 certified!

Trust is an reliance on the integrity or nature of a entity.  It does not protect you.  Just assures you of its virtue of topic.  So, you can have trust of identity, trust of intent, trust of protecting your credit card number, etc.

Validation is what is used to determine the state of trust.

Website use SSL certificates to provide a level of security for users.  The nature of those certificates is built upon a "chain of trust" that emanates from their root certificate, held by some other entity usually.  So the reason you don't need to fear someone seeing your email on gmail is not that it has been encrypted per say, but that the only entity that can see that traffic is actually Google.  If Google sold their SSL certificates private key, they would risk exposing everyone's email to that buyer.  Hmm...quite a lucrative market there I bet.  :)

 Trust is a odd thing.  If you have to prove it did you have any to begin with?  So why call it trust, why not call it something else like Validated Identity Recognition - "I see that certificate and I have determined it to be proof of your identity so lets talk in private now".  You have essentially validated Google's identity in the example above, not placed trust in them.  Hey, they may not have a clue how to protect their servers or customers.

So why mention this distinction?  Well it seems that there is one current problem with open source - a lack of trust.  I don't play with guns because I don't trust them in the situations I would place them in; Leaving them unsecured for hours a day, etc. Trust isn't the only thing encouraging someone to buy a product though.  There are lots of reasons.  But I suspect companies see things differently.  Users (and companies) don't trust this stuff just because they could take a look at its code.  Most users have no clue how to review code.  They also have no reason to trust something based on its existence.  That's like trusting a bomb because you see it.  Exactly not what you would do.

So the point I'm making here is that somehow it becomes important to increase the amount of trust related to open source projects.  It therefore becomes necessary to give "outsiders" a standard method of accepting (or refuting) the measure of trust of a open source project.

So why not start creating a trust based solution for open source projects.  A way of saying "I've reviewed the project or part of it and I can validate it does what it is supposed to".  Repeated hundreds of times for a project and you can begin to see how "supporters" and developers" begin to assign levels of trust to specific people.  I trust ProjectX so therefore I trust developer John.  Or vice-versa.

Using things like certificates as a identity placeholder, you can associate Trust Points in some public manner that enforces the notion of trust in open source projects.  So as you gain Trust Points in general you may be generally more accepted regarding your input to a project.  This is kind of like the forum policing that moderators (and user) perform, but in reverse.  Don't focus on tearing a person down.  Instead focus on building up trust.  Those that continue to fail in that regard will not achieve much trust.  The same for projects.

I can see modules being implemented similar to blogs posts using Captcha, but signing with a public cert.  Since you can only sign once, re-signing is irrelevant and easily blockable.  Getting around the system becomes difficult and only coersion is a concern.  So could you either convince or force others to sign?  Of course.  That is certainly a risk here, but no more then other repudiation systems.  You could be notified and have the ability to renounce a signing (with limited options) and an impact on your Trust Status.

I think this idea of Project Trust has merit and could even be implemented in companies on a much smaller scale for internal projects.  More or less rated on their quality of work rather than the trust that they aren't putting backdoors in, but both are still relevant.

So validate the code, then trust the code.

I've been looking at getting a cell phone that can handle all my needs, including calendaring.  Well, the problem is I'd like to sync my personal calendar and my work calendar without publishing my personal calendar to work.

I use Outlook 2003 at work (Exchange 2003) and home.

So there are several Outlook sync apps out there, but they all seem to require the use of Outlook categories.  You then select which categories to sync and in which direction.  This allows granular control.  So in order to separate my personal calendar from my work calendar, I have to at least identify ALL of my personal calendar items with a category.  Not so bad to manually change them once.  But I would have to manually set a category for every calendar event I create!  Ah, but I can just set a default category so I never have to think about it, right?  No, the silly problem is that there is no easy way to have a default category set on your calendar items.  OK, so now you're saying "this guy has no idea what he's talking about."  Go and check...I'll wait here.  OK, now onward.  ;)

How on Earth could Microsoft have been releasing this Outlook product and be considered the premier product without such a seemingly simple setting (Set a default category for appointments and/or contacts)?  Apparently, just by never doing it.

So here is:

How to set a default category for all Outlook appointments :

1. Open Outlook 2003 or higher.
2. Open (select) the default Calendar folder or create a new folder for calendar items.
3. While the correct calendar folder is selected, click "Tools/Forms/Design a form"
4. Select Appointment from the "Standard Forms Library".
5. The Form Designer will open the "Appointment" template.
6. Click on the Category button in the lower right of the Appointment tab.
7. Select (or create) at least one category to use as the default for all items in this calendar and click OK. You can choose multiple categories if you want.
8. Click "Tools/Forms/Publish form as".
9. At the top left, select the "Personal Forms Library", then provide a useful name for your form (such as PersonalAppt or WorkAppt) and click Publish.
10. Click File/Close.  Do NOT save changes.
11. Right click the calendar folder you wish to use this new "default category" on and choose Properties.
12. Change "When posting to this folder" to use the form name you created in step 9.  (You may have to browse by choosing Forms...)  Click OK.
13. Now create a new calendar appointment in this calendar.  Note that it should automatically have the category (ies) that you set in the template.  If not you may have not selected the correct form or saved it on the properties window.

This same process can be performed for any pre-existing form type such as contacts, appointments, notes, etc.  just make sure to change the correct folder to use the new form you created. Enjoy!

So the new is that a whole bunch of information was declassified by the US government at midnight 12/31/2006.  These types of information declassifications always seem to be meaningless when you don't know everything else that may have been learned.  The expected (perceived) value of government information is accountability and truth.  But how do we know that no one twisted the information's focus over time or transcribing generations?

http://politics.slashdot.org/politics/07/01/01/1657224.shtml

I've been pondering this problem and I thought that a public system that tracked the thumbprints of various documents and information (of any digital format) would help to assuage the publics fear of misinformation without releasing any information for use by foreign intelligence.  This being one of the primary concerns of governments secrets.  The system would also be key in assuring the governments people that there government wasn't abusing its knowledge or trying to obfuscate its meaning.

A "secret sharing" system that was certified by appropriate international organizations and reviewed by information security bodies could achieve this goal if well designed.  Similar to a Nuclear materials review, a "shared secrets" review could be performed to assure that the related procedures were being followed.

I can see a digital system managed in part by organizations such as the U.N. and monitored universally by peoples such that more accurate criticism can be leveled at participating governments.

Any form of this system would place personnel at risk since information without witnesses is pointless.  I see a multitiered system of witness lists, references, etc such that the individual personnel who may have obtained the information (field agents) may be protected.  Of course information itself may not be needed to determine its focus.  Sometimes simply a datestamp can be enough evidence to direct foreign intelligence to its content.  This can easily be misdirected (counter-intelligence style) by claiming minutia of information, such as "The sky is cloudy today" and recording these in the system as well.

Now, I certainly understand (being in IT and all) the potential amount of information (and misinformation) being gathered here, which is why these "shared secrets" would cost money to the governments listing them.  In addition a multitude of processes (checks and balances) would need to be formalized and protected in various ways, including technological means.

As an example a field agent discovers an assassination plot against the US President and they document this as a "secret" in a system, either indirectly or directly due to exposure concerns.  Presumably a superior ranking professional will receive this "reported secret" an in turn acknowledge its existence and its origin.  this creates definitively the first "digital secret", with a full record of its contents (video, email etc) with several digital signatures stored in public fields (its Digital Secret Signature or DSS) using approved protocols, etc.  Any forwarding (presumably digital) of this information would result in further (automatic?) acknowledgement of secret sharing and result in a digital trail of evidence which is stored in the "Secret Sharing System" of the US government. This "database" exposes its DSS lists and they are synched with external systems in "real time".  Each acknowledgement of secret reception results in a new entry associated with the original secret (perhaps its DSS only?) and therefore there is a fairly reliable breadcrumb trail.

Now, of course this whole system relies on a lot of process and technological innovation that doesn't exist quite yet.  With technology becoming more pervasive in our daily lives, is it too much to expect that government employees would need to comply with participation in such a system?  This may mean extensive monitoring of the work environment and all communication devices owned, as well as GPS tracking, microchip-under-skin, etc.  Essentially until there is such encompassing auditing of persons, this would merely be a Orwellian future.  Not to mention the petabytes of information to be stored to audit all of this.

There would never be a need to demand release of information.  Anything that was deemed releasable could be.  It would validate that the information released was factually represented in the past and provide accountability for any mistakes.  Now you at least have names tied to information in a formal manner.  If people aren't willing to take the accountability for the information they handle they should not be a government agent.  Prescribe jail time and related sentences to those who fail to abide by the universally accepted law.  Now you have a globally backable justice system brewing...no need for a UN court, just make the various goverments courts abide by international laws when treating related cases and you have provided transparency to government sourced injustice.

But you see what I mean, right?

"Well, I must say having an OS choice other than Micro$loth seems really cool, like I'm not trapped by the system! I'm glad I've installed RedHat on this old box I had layin around. This should be fun!  I'll come back in five minutes and continue my foray into Linux..."

<5 minutes pass>

"Ahh, ready to go again...just wiggle the mouse to get the screensaver off..."

<mouse pointer wiggles like a dying bug>

"oh, I must have to click the keyboard."

<click, click...CLICK!CLICK!CLICK!>

"What the #%^@? OK, I'll just reboot by pressing the ever handy Reset button."

<Reboot starts. Spiels of text flow past until...>

"Hey, what does this mean " Corrupt XF86Config; Initialization Failure "? Oh, I'll just go in to the command prompt and fix this there."

<click click,click>

"Uh, nothings wrong with this config...it hasn't changed a bit! I'll just call a old friend. He'll help."

<beep, beep, beep,beep,beep,beep,beep....ring,ring>

"Uh, hullo?"

"Hey Lloyd, it's Scott. Remember me?"

"Uh, no."

"OK, well I have this problem with my Linux XF86Config. I think the system just hosed up for no apparent reason."

<chuckle, chuckle>

"Hey what're ya chucklin at Lloyd? Find something funny on the web?"

<silence>

"So, Scott have you tried to edit the config file?"

"Yeah, it seems fine."

"OK. Have you reinstalled the drivers through the config util?"

"Uh, what?!?! I have to reinstall the friggin drivers??!?!?!"

<sigh>

"Have you tried editing the timings for the Horiz. and Sync modes?"

"Uh, I have no idea how to read that stuff, it's like in PigLatin binary or something!"

<oy, vey!>

"OK, Scott what you need to do is go to Borders and buy a book."

"Oh, is there some book that's good for troubleshooting this kinda problem?

"Yeah, it's called Computers For Dummies."

<Click....brrrrrrrrrrrrrrrrrrrr>

"Uh Lloyd, I think we got disconnected...."

Needless to say I have not ventured back into the RedHat zone even though I have decent Unix skills. And I'm still trapped by the system. Oh, Neo when will you come rescue us?

"I can't seem to get into my place."

OK, first- what type of place do you have? Is it a apartment? A House? A tent in the woods?

"I don't know, it's got windows....."

OoooooooK. <preparing to become frustrated> Well do you have a key to get in?

"I have a bunch, but none of them work. The one marked Ford fit but it wouldn't open the door."

Nah, nah, nah, that one DEFINITELY won't work. Did you get one from a person who helped you buy the place there?

"Yeah, I think..."

OK, let's try that one. Now before I start [BEEP,BEEP,BEEP....]...What's that noise?

"Uh, nothing. [BEEP,BEEP,BEEP....]"

No, WHAT IS THAT NOISE? I NEED to know. [BEEP,BEEP,BEEP....]

"I think I have some kind of security alarm." [BEEP,BEEP,BEEP....]

[SLAP!!!!] <Techie slaps his forehead hard>

OK, STOP what your doing! Listen to me, try putting the key you got, from the person we mentioned, in the keyhole and turn it clockwise. [BEEP,BEEP,BEEP....]

[BEEP,BEEP, bee...] "Hey the noise stopped! Wow thanks!"

Alright, have you pushed the door open now?

"Left handed or right handed?"

It doesn't matter.

<techie makes the "duh" face>

[chhk] "Hey thanks for getting me in. Hey while I've got you, could you tell me what that box out front is for?"

The mailbox?!?!?

"Is that what it's for? How do I get my mail?"

Ummm.<dreading a longer conversation> I'm not sure. Could I get in touch with you----<click....RRRRRRRR> (phone dialtone appears)

Had some good riding with some friends.  Probably the last ride of the season.

Ride with Rob stats:

Ride with Rob Vert Profile:

Google Maps track of the ride with Rob.  Google Earth track of the same.

Ride with everyone stats:

Ride with everyone vert profile:

Google Maps track of the ride with everyone.  And the Google Earth track of the same.

Here are the details:

The track is here .  And here is the Google earth view .

Here is the track from 9-24-2006.  Some great challenges for the beginner I was with.

The Google Maps GPS track (without track splits)

A view from Google Earth.

The elevation profile:

Went out both days this weekend and had a lot of fun riding. 

The overall stats:

 Heres a set of tracks.

Here is the Google Earth view. (save to disk first)

Here is the elevation profile:

I have fixed a couple of annoying bugs with this version.  Now it works cleanly.  Download here.

Nice ride with a co-worker.  (its Google Map, so you can zoom in on the track via the control)

Yikes, read this post on a Microsoft forum and it has scared me a little bit about Vista's BitLocker feature.

http://windowshelp.microsoft.com/communities/newsgroups/en-us/default.mspx?dg=microsoft.public.windows.vista.security&tid=9550eb1d-edd7-4905-8e8a-fcaa997faa99&lang=en&cr=US&sloc=en-us&p=1

This essentially means that your system "may" have a significant failure because of a single bit error on a drive.  Now I know I'm sounding a little brazen here, but this is a legitimate concern for users, especially corporate users - the ones most likely to implement this feature.

The only workarounds to this problem are:

1. Don't use BitLocker - Less security is safer?
2. Perform regular backups of your system - this may help but a typical user won't be capable of restoring their system without administrative intervention.  So you end up taking a user down for a day to get their system restored or rebuilt from image - great, just great.

I guess we'll just have to wait for a RAID-able solution.  or some type of parity option.

I'm posting from inside Windows Vista, the next OS and I must say its pretty sweet.  I've encrypted my main partition using BitLocker and messed around with a featureful firewall.  Too bad the firewall and its associated parts needs some work.  It says that it will notify me when something is blocked, but I never received a single alert for anything.

For more on Vista --> http://www.microsoft.com/windowsvista/

Here is an updated Dryer Road Park trail guide that has numerous mistakes due to GPS inaccuracy (?), but I wanted to get this posted as there are many more trails.

Enjoy!  Be aware that it can be very slow to load.

Rode here a couple times this week.  Almost 8 miles of technical riding.  Click the pic for the interactive Google map.

Here is the profile of that trail (careful! - its huge so you can see the most detail).  The way we rode this trail it goes in a figure 8, starting at the bottom right and going across to the bottom left, then to the upper right, across to the upper left, then down to the bottom right.

Here is a Google Earth version, with altitude data included so you see a wall indicating the trail altitude.  Clearly not great accuracy, but probably somewhat close.

Other then riding at Dryer Road Park, which rocks, there is another place to ride near Rochester.  Royal Coach Parkland, which is public property as far as I know.

Royal Coach Parkland race course

I made this with GPS based on my rides at Dryer Road Park recently..click pic for the full experience.  Click trail names to blink them.  See my updated version.

Like it?  I title it "My Day 5-19-2006".

I easily passed the 70-299 exam today!  :)  That makes me a MCSA.  Next month I'm gonna try the "ISA 2004" exam for my MCSA+Security.

Got my GPS yesterday, but had to wait a whole day to play because I HAD to study for my 070-299 MCSE exam (Windows 2003 Security).

Check out this nice map of my first GPS track, my location is not visible.

http://ydns.no-ip.com/blog/track.html