Breaking news: "Internet Lawyer" clueless

by Bill Sempf 28. July 2009 13:03

I have started and deleted this post three times because I am so fired up.  I ended up just making a comment on this guy's blog, but I thought I would post it here since there is exactly 0% chance he will approve it.  The post is by an internet lawyer and points out how 'nasty' Defcon is and that it should be 'shut down' if it doesn't 'clean up its act'.  I am tense.  Very, VERY tense.

OK, here is my comment:

Imagine you are in charge of infosec for a large bank, running Oracle. There are 3,000 developers - most of them contractors - working with various databases inside your firewall. It's you, with nothing, versus 3,000 people you don't know backed potentially by 22,000 Russian and Chinese criminals with the latest 0day exploits. What are you going to do?

Well, first, you are going to go to Defcon, where without telling them which bank you work for you will learn the latest on these exploits from hackers who would be glad to give the information away nearly for free (since Oracle rarely does anything about them). This way, you know what you are faced with from the people who aren't so open. We usually call those people the criminals. I am sure you have heard the term.

Second, you are going to use Metasploit to test said database. Why? Because it is a framework for penetration testing with all of those exploits already in place. You can make sure that your database can't be compromised by those nameless criminals (there's that word again), all due to the VERY hard work of just a few extremely smart ... wait for it ... hackers.

You, my "internet lawyer" friend, have completely failed to get the point. You mention "finding an alternative approach for sharing knowledge and information away from the public eye." All of this information is already out there for those who care to find it. Defcon makes it available to the overwhelmed many who are tasked with protecting what we have. And that's a bad thing exactly how?

Thoughts are welcome from the peanut gallery.  Remember to read his post first, and the comments.  I do give him credit for allowing a few comments through.  Gah, sorry, I am just astounded that there are people still like this in the industry.

EDIT:  Ok, I was wrong.  He actually did publish my comment and published his own rebuttal, and my respect for him increased somewhat.  Nonetheless, it's that old argument: if you make owning a gun criminal, only the criminals will own the guns.


Biz | Enterprise Architecture | Rants

MVC4WPF Launch on Thursday - use the MVC pattern with WPF successfully!

by Bill Sempf 21. July 2009 07:11

As posted earlier by Brian Prince and Stephen Giffin, the MVC4WPF project will be launched to CodePlex on Thursday.  We will be having a splash at the Columbus Microsoft office in the morning - if you would like to attend, please RSVP here.  I'm actually quite proud to be involved in this effort, even if just as a tester and tech writer.  The thought that went into this product is very impressive.  If you are doing large WPF projects you certainly owe it to yourself to check it out.

A little about MVC (from the Developer Guide): Model-View-Controller is a pattern for software development.  It doesn't provide development tools of its own, but is rather an agreed-upon way to go about developing software.  It builds upon the concept that divides the basic functions of a contemporary application into component parts:

  • The model, which represents the underlying data;
  • the view, which represents what the user sees; and,
  • the controller, which manages the business logic and communication between the view and the model.

The three parts of the software communicate with the use of agreed upon contracts that define communication between the parts, and property bags that hold configuration values and data objects. 
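The following is an added illustration of that division of duties, not code from MVC4WPF or its Developer Guide. The names AccountModel, IAccountView, AccountController and PropertyBag are assumptions invented for the example, and the view is a plain interface with a console stand-in so it compiles and runs without WPF. The point to notice is that the view talks only to the controller through the contract, the controller reads its business rules from the property bag, and the model still enforces its own invariants, so a buggy or hostile view cannot push the data into a bad state by skipping the controller.

```csharp
using System;
using System.Collections.Generic;

// Added example of the Model-View-Controller split; NOT MVC4WPF code.
// AccountModel, IAccountView, AccountController and PropertyBag are
// hypothetical names chosen for this illustration.

// Contract: the only thing the controller knows about the view.
public interface IAccountView
{
    void ShowBalance(decimal balance);
    void ShowError(string message);
}

// Model: the underlying data. It knows nothing about views or controllers
// and enforces its own invariants, so no caller can bypass them.
public class AccountModel
{
    public string Owner { get; }
    public decimal Balance { get; private set; }

    public AccountModel(string owner, decimal openingBalance)
    {
        Owner = owner;
        Balance = openingBalance;
    }

    public void Withdraw(decimal amount)
    {
        if (amount <= 0) throw new ArgumentOutOfRangeException(nameof(amount));
        if (amount > Balance) throw new InvalidOperationException("Insufficient funds");
        Balance -= amount;
    }
}

// Property bag: typed access to configuration values and data objects.
public class PropertyBag
{
    private readonly Dictionary<string, object> _values = new Dictionary<string, object>();

    public void Set<T>(string key, T value) => _values[key] = value;

    public T Get<T>(string key, T fallback = default)
        => _values.TryGetValue(key, out var v) && v is T typed ? typed : fallback;
}

// Controller: business logic and the single channel between view and model.
public class AccountController
{
    private readonly AccountModel _model;
    private readonly IAccountView _view;
    private readonly PropertyBag _config;

    public AccountController(AccountModel model, IAccountView view, PropertyBag config)
    {
        _model = model;
        _view = view;
        _config = config;
    }

    public void OnWithdrawRequested(decimal amount)
    {
        // Business rule comes from configuration, not from the view.
        var limit = _config.Get<decimal>("MaxWithdrawal", 500m);
        if (amount > limit)
        {
            _view.ShowError($"Withdrawals over {limit:C} require approval.");
            return;
        }
        try
        {
            _model.Withdraw(amount);
            _view.ShowBalance(_model.Balance);
        }
        catch (InvalidOperationException ex)
        {
            _view.ShowError(ex.Message);
        }
    }
}

// Console stand-in for what would be a WPF window in MVC4WPF.
public class ConsoleAccountView : IAccountView
{
    public void ShowBalance(decimal balance) => Console.WriteLine($"Balance: {balance:C}");
    public void ShowError(string message) => Console.WriteLine($"Error: {message}");
}

public static class Program
{
    public static void Main()
    {
        var config = new PropertyBag();
        config.Set("MaxWithdrawal", 200m);              // constructed sample configuration
        var controller = new AccountController(
            new AccountModel("demo", 300m), new ConsoleAccountView(), config);

        controller.OnWithdrawRequested(150m);   // within the limit and the balance
        controller.OnWithdrawRequested(250m);   // rejected by the controller's configured limit
        controller.OnWithdrawRequested(150m);   // rejected by the model: exceeds remaining balance
    }
}
```

Swapping ConsoleAccountView for a WPF window changes nothing in the controller or model, which is the whole reason the view contract exists; the third call also shows why the model keeps its own checks rather than trusting the controller to have done them.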

MVC works well with WPF because Microsoft has done some of the heavy lifting for us in the division-of-duties arena.  Like ASP.NET, the View code is physically segregated into a code file all its own with the XAML file (ASP.NET of course uses the ASPX file).  This basic architectural decision makes things appropriate for MVC.

MVC4WPF has a ton of automation to make development much simpler than many other MVC environments.  It is appropriate for junior developers, and is very forgiving to work with.  It is rather open ended, and will cut you if you don't read the recommended usage.  The project will come with a boatload of documentation (some of which I wrote) that will help a lot.

Keep an eye on the codeplex site, and come on up Thursday if you get the chance to see what I am talking about.  Should be a good time.


Biz | C# | Enterprise Architecture

Bing is filtering searches they suspect of being for crackers

by Bill Sempf 20. July 2009 16:43

So I posted a search on Bing today, to check some statistics, like I would with Google.  You know, you search for a unique term, and then search for it in conjunction with another unique term, and you look at the delta, and you learn something.

Well I learned something alright.  Lo and behold, Bing didn't like my search.  Instead of results I got a plain white page that said:

We are seeing an increased volume of traffic by some malware software. In order to protect our customers from damage from that malware, we are blocking your query. A few legitimate queries may get flagged, and for that we apologize. Please be assured that we are hard at work on this problem and hope to get it resolved even better as soon as possible.

Imagine my surprise.  I wonder if there will be a large collection of blue towncars and Bill Gates dressed like Wolverine in my driveway in the next ten minutes.  Seriously, if I vanish, check for pieces of my DNA in Steve Ballmer's bathroom.

This is a lesson to those of us looking to the Internet to be the be-all and end-all of storage devices.  Remember, you don't OWN crap.  Jason Scott said it best in his blog post Fuck The Cloud, so I won't repeat it here.  Be warned that if you post something that someone doesn't like, and they own the box, no law on earth is going to keep them from doing damn well what they want with it.

For now, my default search engine is Google, and I publish my information to servers I can touch.


Biz | Rants

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
