aftermarket notes on the nook color

Just recording some notes on my Nook Color here. For starters, the Nook Color can be easily rooted by heading over to NookDevs.com. The process (I did an AutoNooter rooting, which leaves the original software intact rather than fully replacing it with Android Froyo/2.3/Honeycomb…) is straightforward once you start doing it. In fact, the hardest part is simply getting the microSD card inserted into the awkward slot in the corner of the Nook. Other tricky parts include making sure you have a Google account on hand as well as an open (or easily-connected-to) wireless network for the device setup. You won’t have a chance to get the MAC address during setup, so if you use MAC whitelisting, be sure to harvest that item first.

Whenever rooting a device, there is usually that risk of turning it into a brick, but with the Nook Color there is very little risk since you can factory reset the device including the original software. Basically, why wouldn’t you make a try of it?! I personally used the AutoNooter tool so that I can still at least have the default software running, but with the extra capabilities of installing apps from the Android Market, and beyond.

Also read this post (or this original location) that goes through the initial process, but also details some great “next steps” to do after rooting the Nook Color. Specifically, follow the suggestions for SoftKeys and Advanced Task Killer so you can refresh the installed apps list (Extras) without a full reboot. Since this post is hosted on a public education site, I’ll be quoting portions of it below for my own future reference in case the original goes away. That link also reminded me that I can play movie files on the tablet, and includes some suggested settings in Handbrake to encode files in playable format. Score!

Lastly, I’ve been trying out some of the games on the android market. While I find app games to be pretty and kinda fun to control with touch, none have really been nearly as solid or exciting as games I’ve been able to get on various dedicated gaming consoles or handhelds. Yes, Angry Birds is addicting, but it’s not a fulfilling game for a hardcore gamer; I’d even prefer to fire up SMB3 or FF1 all over again. So I’ve gone ahead and installed Nesoid, SNESoid, and Gameboid, to start out. Pair this up with all my ROMs on the microsd card I leave in the Nook, and I’ve now got a nostalgic and gorgeous handheld gaming system to play ‘golden age’ games! The touchscreen controls take time to get used to, and just won’t ever feel good in some games, but most of the time that is forgivable. Now to just get a controller and stand…

(Aside: The NookColor comes with an unused Bluetooth radio, so it does have the potential to become enabled and start attaching Bluetooth controllers! It would also enable the use of microphones/headsets…)

Video conversion for Nook Color (to unprotect DVDs or rip them local, I use AnyDVD):

[paragraph formatting has been removed for space] The trick with Handbrake is figuring out what settings are best for a particular device. Lucky for you I’ve already done this for the Nook Color. Note that Handbrake will not convert any videos that you have purchased on iTunes, as these are copy protected and only work with Apple devices. When using Handbrake to encode video from a DVD or other (un-protected) video file, set Handbrake up as follows: On the main page, set the Video Codec to “MPEG-4”, check the “2-pass encoding” box, and set the “Average bitrate” to “1000”, as you see below: Next, click on “Audio” and set the first track to a bitrate of “128”, then disable any other tracks you see: Finally, click the “Picture” button and set the width to “512” (the height will adjust automatically).

Fixing Extras (because it won’t refresh and list newly installed apps until you reboot…or do this!):

If you decide to install Advanced Task Killer, you’ll need to change a few settings to get it to do what we want. Once installed, launch Advanced Task Killer, then tap the menu button, followed by Settings. Scroll the page up and tap “Security Level”, then set to “Low”. I also uncheck “Show Notification” because I don’t like having an advanced task killer icon in my notification bar, but that’s up to you. Press the back button twice to close Advanced Task Killer, then re-open it. You should now be able to see com.bn.nook.applauncher in the app list. Hold your finger on com.bn.nook.applauncher and select “Kill” from the menu that appears. The next time you open Extras, it will reload the launcher and refresh the list.

ssl certs: just enough security?

Via Twitter (@jaysonstreet) I opened up an article by Dan Goodin (TheRegister) with the sensational title, “How is SSL hopelessly broken? Let us count the ways.” This just begs comment.

1. It’s still a human problem. I’m not sure I would go so far as to call SSL hopelessly broken. Then again, I’m not writing a story aimed to be sensational and gain views. What we have here is the age-old problem of human involvement in a well-meaning system. All of the weaknesses presented in the article center around poor implementations, user convenience (which strangely is not what the EV SSL changes addressed), and a drive for profits in the CA industry. None of these are problems for SSL to solve, but rather for groups of people to solve by making better choices. Good luck with that.

We often get wrapped up saying security is a human problem by beating “users” over the head, and maybe even including administrator mistakes. But implementation decisions and poor oversight are just as much a human problem as a user who opens every Adobe email attachment they receive.

2. Silly questions. Should browsers not trust every CA root cert (and probably give errors by default, which will suck)? Should CAs do far more to only issue truly valid certs (and pass that cost to whom exactly)? Should CAs beef up their OCSP infrastructure (and cause my corporate software to make even more strange call-outs to unexpected places) so that it can be made a critical path for trust (even when 99% of the certs probably won’t be revoked)?

I don’t think there are easy answers and maybe not even any answers for these questions. So maybe this does say that SSL is hopelessly broken. But would *any* alternative ever be better? Money, convenience, and profits will always beat up against security, so I’m not sure. It’s still an implementation/human issue. Should CAs be held accountable? I don’t like that approach, but I don’t really have a good argument off the tip of my fingers for why…

3. Identity. I’ve been reading some Gunnar Peterson lately, and I’ve seen him talk about identity-based security being the future (or now). I don’t completely follow or understand that yet, but I can see that SSL infrastructure has the same problem.

4. Strange article points. Don’t get me wrong, this article is necessary and good, but it does have some absolutely strange moments. The comparison of CAs to CitiGroup and AIG is just bizarre and nonsensical. The implication that browser-makers should play traffic/moral cop with which CA roots to include in their browsers is dumb (especially when the example of Google/China/CNNIC is doubly based on rumors). The article also focused way too much on the recent Comodo affair, for no real benefit to the central hypothesis.

And one missed point: poor certificate implementation/issuance due to the predictability of PRNGs in OpenSSL, which some CAs, I believe, were using. I can’t find a reference to it other than OpenSSL in general, though.

But this begs the question of just how much attacking should CAs do to themselves in order to prove their adequacy? I’ve grown more sympathetic to the realistic approach that you do what you can, but you *have* to set yourself up to detect and respond and fix any issues someone else finds in the future. If you wait until you’ve achieved perfect security, your product/company will fail.

Yeah, that sounds a lot like, “Just Enough Security.”

my free time: eaglets and wow and android

A bit of a personal update, since I’m avoiding work on a beautiful Friday… Much of my free time has been devoted to really three major areas recently.

First, this cam watching the nest of a pair of bald eagles and their 3 newly-hatched eaglets is absolutely fascinating. I am a closet naturalist (my first major in college was Environmental Studies until I realized that has more to do with water dynamics and even engineering than biology and ecology…) and love me things like this. The eaglets are still tiny and awfully adorable, having all 3 hatched over the last week and a half. Oh, and they’re in Iowa.

Second, I’ve recently, FINALLY, bought into the smartphone market (and android market and e-book reader market…) with my HTC Thunderbolt on Verizon as well as my Nook Color which I have rooted to allow the installation of market apps and such. The phone is really cool and fills some gaps in my ability to be connected and use things away from a desk. Laptops are great, but admittedly bulky and so 2002. Netbooks are fine, but for being just a little bit too bulky, they end up having far less power than I hope. Even with proper expectations and usage, netbooks just feel weak (I personally believe it is the bloated and needs-rebuilt-badly OS on top of them). I just found I didn’t use the Netbook much. But, the Nook Color is one of the best things I’ve bought in some time and am completely happy with it; I’m pleasantly happy reading books on it as well.

Third, I still play WoW, and I still don’t raid. I just level up my toons, run instances, gear up, and do heroics until I’m satisfied. Basically, for a casual player like me, my characters are done when they can run through all the heroic 5-man content without too much problem.

My healers are an 85 shaman and an 85 aa/disc priest. I really absolutely love the heal role, but since they’ve both done all the heroics and no longer have any issues, I don’t play them much. I have done holy and that’s fine, but I really like the mechanic of the smite/shield focus for the aa/disc priest. No, I don’t get excited about the dps; I rather just like the amount of busy-ness it affords and how it sets up everything else and has good mana-management. The shaman is a busier healer (especially when using lightning bolts to regen mana), but I feel the priest is the easier one.

My tanks are an 85 warrior, 81 death knight, and 39 druid. The warrior was a surprise for me; an old bank toon, I got bored waiting for Cata so leveled him up almost exclusively tanking instances from level 24 up. He’s only done 2 heroics, but I’ve also only ever tried 2 heroics on him. Surprisingly, I found him fun and somewhat easy. Just last weekend I started in on the death knight and am only now getting my head wrapped around blood tanking. Other than having issues getting AoE threat with out-of-control PUG DPSers, it’s been an experiment. My Bear tank is my original worgen whom I am leveling up with a friend, and has gotten behind as our schedules haven’t matched up lately. Eventually the druid will also dual-spec as a healer, just so I can see what rolling hots is like on a druid.

My sole dps toon is my original toon, an 85 warlock. Even with all the changes in Cata, my affliction warlock still plays roughly the same as he always has, which has caused me to get bored pretty quickly with him once I hit 85. I’ve not taken him into a heroic yet, since I’m not even geared for one…plus he’s still only teasing 7-8k dps, which is my personal cutoff for being able to be successful in a heroic (7k dps or higher).

powershell kung fu

I don’t keep up with some blogs like I used to. So it has come as a pleasant surprise to me to see the rather busy Command Line Kung Fu blog has (yes over a year ago!) added a PowerShell section to their little challenges. Well, shit! 🙂 If you work with Windows at all as a server dude or even in security, it would behoove you to be familiar with PowerShell.

when disabling terminated accounts is not enough

Last year Gucci had some drama in their networks as a former employee wreaked some havoc in their systems after being terminated. This brief from the New York DA’s office goes over the quick details.

What I find interesting is that Yin had enough rights to make himself a fake employee account before the fact, and then used that fake account to remotely connect to the network and do his thing. Being able to track and stop that sort of thing is definitely a step up from the obvious recommendation to disable/audit terminated employee accounts.

You need to track changes and map those changes to valid requests.
You need to regularly audit accounts to make sure they’re needed and legit. (ask boss?)
You need to audit VPN access to make sure they’re allowed.
You need to catch any weird VPN setups, like a regular user mapped to servers or a service account appearing in the list.
You need to audit any users who aren’t locked into certain targets for VPN access (i.e. their existing desktop or a virtual system).
You need to educate help desk persons on SE and procedures/challengebacks.
You need to monitor and audit VPN logs on access/activity.
You need to regularly change service account passwords (those can be usurped too!).
You need to regularly audit any account with elevated privs (domain admins!).

As a privileged person, myself, sitting back and wondering at all the ways I can sneak in a fake account to pose as a fake person in the absence of my normal access is quite intriguing. Definitely don’t forget that I have the ability to create service-type accounts in addition to regular users, or have access to service-level passwords!
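One way to turn the checks above into something that actually runs against an audit trail, as an added example that is not from the original post or the DA's brief: the log format, account names, tickets and termination dates are all constructed, and the checks cover account creations with no approved change request, accounts created by someone shortly before their own termination, service accounts appearing on the VPN, and VPN users reaching hosts outside their assigned targets.

```python
"""Audit constructed account-creation and VPN-access logs for the warning signs
listed in the post. Log format, names, tickets and dates are all invented."""
from datetime import date

# Constructed audit trail: date|event|actor|target_account (event 4720 = account created)
ACCOUNT_EVENTS = """\
2010-03-01|4720|admin.lee|jsmith
2010-03-10|4720|admin.yin|svc_backup2
2010-03-12|4720|admin.yin|t.martin
2010-03-15|4720|admin.lee|svc_monitor
"""

# Constructed VPN log: date|account|src_ip|host_reached
VPN_EVENTS = """\
2010-04-02|jsmith|203.0.113.5|WS-JSMITH
2010-04-03|t.martin|198.51.100.7|FILESRV01
2010-04-03|svc_backup2|198.51.100.7|DC01
2010-04-04|jsmith|203.0.113.5|DC01
"""

APPROVED_REQUESTS = {"jsmith": "CHG-1001", "svc_monitor": "CHG-1007"}  # account -> ticket
TERMINATED = {"admin.yin": date(2010, 3, 20)}                          # actor -> termination date
VPN_TARGETS = {"jsmith": {"WS-JSMITH"}, "t.martin": {"WS-TMARTIN"}}    # account -> allowed hosts
LOOKBACK_DAYS = 30  # how long before a termination an account creation stays suspicious


def parse(block, fields):
    """Split pipe-separated log lines into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split("|"))) for line in block.splitlines() if line.strip()]


def audit_account_creations(events=ACCOUNT_EVENTS):
    """Map each account creation to an approved request and to the creator's status."""
    findings = []
    for e in parse(events, ("date", "event", "actor", "target")):
        if e["event"] != "4720":
            continue
        created = date.fromisoformat(e["date"])
        if e["target"] not in APPROVED_REQUESTS:
            findings.append((e["target"], "no approved change request"))
        term = TERMINATED.get(e["actor"])
        if term and 0 <= (term - created).days <= LOOKBACK_DAYS:
            findings.append((e["target"],
                             f"created by {e['actor']} within {LOOKBACK_DAYS} days of termination"))
    return findings


def audit_vpn(events=VPN_EVENTS, suspect_accounts=()):
    """Flag service accounts, previously flagged accounts, and off-target hosts on the VPN."""
    findings = []
    for e in parse(events, ("date", "account", "src_ip", "host")):
        acct = e["account"]
        if acct.startswith("svc_"):  # service accounts should never hold a VPN session
            findings.append((acct, "service account on VPN"))
        if acct in suspect_accounts:
            findings.append((acct, "VPN login by flagged account"))
        allowed = VPN_TARGETS.get(acct)
        if allowed is None or e["host"] not in allowed:
            findings.append((acct, f"reached {e['host']} outside assigned targets"))
    return findings


if __name__ == "__main__":
    flagged = audit_account_creations()
    for finding in flagged + audit_vpn(suspect_accounts={a for a, _ in flagged}):
        print(*finding, sep=": ")
```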

biggest lesson from rsa: security really is hard

The RSA breach details will spark discussion and armchair quarterbacking for years, that’s a given. But I can at least pile on a little bit more here and there, yeah? The SANS ISC weighed in on some of the RSA details, and I wanted to pull out small bits to tackle briefly. Here’s what I consider the prefacing assertion:

There are just too many ways to circumvent the perimeter, spear phishing being just one.

1. “The thing is I don’t think this new paradigm is so new. Many have been advocating for years moving the prevention and detection closer to the data.” – We wouldn’t be *quite* (important word!) as concerned about the circumvention of the perimeter if we didn’t have such awfully porous technologies sitting on the desktops. Yes, you, web browsers and attending tech (Flash), Adobe, and Office. You’ve all become too bloated to be secured anymore, and it’s your own damn fault. Just think if these were much better secured by default. We’d have fewer updates, which should mean better ways to keep them updated on desktops, etc. (Some may argue that others will just take over the role, and perhaps that is the inevitable result…but you can’t ignore that this porous software is making things worse. The insecurity of the interior is making the security of the perimeter worse. If you improve the middle, the perimeter is better valued…from a certain perspective.)

2. “There are a lot of approaches that can be used here, but in my mind it begins with segregating servers from the desktop LAN and controlling access to these protected enclaves as thoroughly or better as we do our perimeters today.” – This is one area where the “cloud” is actually useful; it moves data away from these workstations…sort of. One could still argue that access is access, whether you have 3 firewalls or 0 between them. But any push to get users better segregated from servers, when so many are in a shared network by default, is a good thing. If nothing else, this can push better documentation of data flow needs. This should also include better egress controls…yeah, I’m looking at you, FTP exfiltration. (Of course, lock that down, and even more people/devs will just use 80/443 more…)

3. “It means classifying your data and installing protection and detection technologies appropriate to the sensitivity of the data.” – I imagine the most common way of classifying data in an SMB is saying it’s all secret. Classifying data is great and makes a lot of sense, until you get into the reality of *gasp* actually doing it. This is where the CISSP hits the road and suffers the knee and elbow scrapes.

4. “It means installing and tuning Data Loss Prevention (DLP) technologies to detect when your sensitive data is leaving your company.” – Just don’t fall into these three traps with DLP: First, don’t expect to plug it in, do a few hours of tuning, and then forget about it. It’ll need ongoing love. You will have false positives and small incidents constantly, or it’s not tight enough. Second, don’t think you can tackle DLP without first coming to terms with data classification, or at least doing *something* to identify your data and flows. Third, don’t think that DLP will block/detect everything. Does it interrogate 443? Should it? And so on…

5. “It means instrumenting company LANs and WANs so a network baseline can be determined and deviations from this baseline be detected and investigated” – This is another idea I find compelling, but the cloud isn’t helping, nor are consumerland technologies that just spray garbage into your baselines and everyday traffic patterns. Still, if someone FTPs a large amount of data to an external source you’ve not seen before, you really want to know that happened. But again, this is just a part of a blended network security posture and not something to even do until you’ve a maturing security team/process.
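The baseline-and-deviation idea in point 5, as an added example that is not from the ISC diary or this post: learn which external destinations each internal host normally sends to during a baseline window, then flag large transfers to destinations never seen before. The flow records, host names, addresses and thresholds are constructed; the check is deliberately narrow (new destination plus large volume) so an analyst is not buried in every new web connection.

```python
"""Baseline-and-deviation check over constructed flow records. Hosts, addresses,
byte counts and the window sizes are all invented for this example."""
import ipaddress
from collections import defaultdict

# Constructed flow records: day|src_host|dst_ip|dst_port|bytes_out
FLOWS = """\
1|ws-alice|93.184.216.34|443|120000
1|ws-alice|198.51.100.20|21|4000
2|ws-alice|93.184.216.34|443|95000
2|ws-bob|10.0.0.5|445|80000000
3|ws-bob|93.184.216.34|443|70000
4|ws-alice|198.51.100.20|21|5000
5|ws-alice|203.0.113.77|21|250000000
5|ws-bob|93.184.216.34|443|60000
5|ws-bob|10.0.0.5|445|120000000
"""
BASELINE_DAYS = range(1, 4)  # days used to learn what "normal" looks like
LARGE_BYTES = 50_000_000     # only deviations at least this big are worth an analyst's time
# Explicit internal ranges rather than ipaddress.is_global, which also treats the
# documentation ranges used in this sample (198.51.100/24, 203.0.113/24) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text=FLOWS):
    """Turn the pipe-separated sample into typed records."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, port, nbytes = line.split("|")
        rows.append({"day": int(day), "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return rows


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Per source host, the set of external destinations seen during the baseline window."""
    seen = defaultdict(set)
    for f in flows:
        if f["day"] in BASELINE_DAYS and is_external(f["dst"]):
            seen[f["src"]].add(f["dst"])
    return seen


def find_deviations(flows, baseline):
    """Large transfers, outside the baseline window, to an external host never seen before."""
    hits = []
    for f in flows:
        if f["day"] in BASELINE_DAYS or not is_external(f["dst"]):
            continue
        if f["dst"] not in baseline.get(f["src"], set()) and f["bytes"] >= LARGE_BYTES:
            hits.append((f["src"], f["dst"], f["port"], f["bytes"]))
    return hits


if __name__ == "__main__":
    records = parse_flows()
    for src, dst, port, nbytes in find_deviations(records, build_baseline(records)):
        print(f"{src} sent {nbytes} bytes to new external host {dst}:{port}")
```

Internal-to-internal copies (ws-bob to 10.0.0.5) are ignored on purpose; a server-enclave baseline would be a separate, tighter check.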

The end result of all of this is: SECURITY IS HARD. And it’s only getting harder.

rsa comes out with more incident information, yay

Since I started the ball rolling, I guess I’ll continue logging references to the recent RSA hack. Finally, RSA has started talking about the actual incident progression itself in a blog post. This is a great thing! I tweeted my thoughts, but I’ll repost here for posterity.

1. Kudos for posting more information, and being detailed about it! I was a bit surprised, but I appreciate it.

2. Sadly, the blog post rambles. Remove the historical/contextual crap about APT. Remove the historical examples. Describe APT in another blog post, or in a separate section of the blog post. That way I can skip that useless crap and not feel like I need to skim it because what I want to read is interwoven with it.

3. There’s no reason, so far, to even include the term “APT” into this post. APT is a reference to the ATTACKER. If you’ve not identified the attacker, you can’t name them an APT. This would have simplified the entire blog post and focused it very nicely if no mention of APT had been made. There is plenty of time to do so if you need to, but later. Use attacker(s), hacker(s), cracker(s), whatever. It was just not useful to use APT right now, except to try and deflect any blame by tying it to some genius attacker(s) whom Google didn’t even stop, blah blah blah. Let the mass media do that, not you.

4. I loved the start with mentioning your own internal CIRT and detection. I know it’s a dig and sort of jerking yourself off to talk about your own products and response time when so many others don’t detect this shit at all, but IT’S FUCKING TRUE! So, props for starting the conversation moving forward, though I’d still love to hear more details on the detection. So far, for all we know, this runs into the category of, “user reported ‘weird’ system issues, desktop support checked on it and thought things looked weird, found Poison Ivy, queue CIRT.” That’s not the same as, CIRT notices FTP data egress, opens incident. One shows luck, the other security maturity. Still, great, great start to that discussion, and I hope to see more!

5. APT is not new. I really bristled in the few moments in the blog post where it was implied or outright stated that “APT” is new. APT is not new, in practice. Again, drop the APT crap for now. These attacks are not new. The existence of 0day is not new. SE is not new. Yes, they may be on the rise and increasing in use and exposure, but that’s not new. If you’re in security, you hate those moments in blog posts like this. It’s awkward, it makes you feel like the author is a newbie (or so far removed that this stuff *is* new to him), and it detracts from the usefulness. You’re not a special snowflake, but no one is saying your baby is ugly. Stop being defensive up front. That’s for PR drones and legal vultures.

Lots of people are whining and complaining and throwing stones at RSA, and I think justifiably so, but only on the basis that they’ve been unforthcoming with answering my basic two questions:

1. As a customer, tell me enough about how this impacts me so that I can manage my risk and talk intelligently to my boss. RSA is still failing at this, even in a twofold manner. By not telling me anything useful, they’re allowing rumors to run rampant, which are damaging to them and me.

2. As a security geek, tell me enough to understand the progression of the attack, how the attackers worked, moved around, egressed data, and how they were found, handled, investigated. Both the good and the bad. Lessons, people!

For lots of other people who complain, I wonder if they’re just doing so to complain. Are there any conditions that would appease your complaints that RSA can meet? If not, then shut up and stop wasting your time and energy.

mobile device encryption article response

Today’s article rant comes from ComputerWorld’s article titled, “Failure to encrypt portable devices inexcusable, say analysts.” The quote from the article is actually, “There really is no excuse for not encrypting laptops…” In this world of smartphones and mobile devices, that’s a *huge* distinction, especially since you’re still being told, “good luck,” when it comes to smartphone encryption (Droid Pro being an exception).

Also, it’s annoying to make such blanket statements about inexcusable security measures. It’s inexcusable that orgs not do a risk analysis of their mobile devices and determine whether device encryption is going to be worth their time and money. It may not be.

But I do wonder if executives and managers are vastly naive about the sorts of data their employees are storing on laptops. Many such leaders have verbal expectations that sensitive data is protected and not placed on laptops and how their employees are smarter than that, and so on, but that’s getting back to management by belief, which is a gamble you will eventually lose.

Sometimes it makes me wonder. We trust employees to make proper choices, but then we want employees to be innovative and get their tasks done and be creative. Those values can be just as at odds with each other as security and usability.