Allen Pomeroy

IT security thoughts and personal stuff

Austin Pics


Here’s the start of a few pics from Austin that are either Al’s or Amanda’s favs.

Texas capitol building in Austin

Al's fav .. Austin and Apple

Fantastic Food almost for Free

House Rules for the Austin Pad


Ok, here’s the house rules for the Austin pad .. in Barton Creek.  Y’all are expected to know and adhere to the rules.  No exceptions.  Even for me.

  1. Wireless access is at  HFA-Guest  /  <password listed on the fridge>  .. no the password is not “password listed on the fridge” .. don’t bitch about the password, it’s free WiFi bro!
  2. Don’t adjust the temperature!  If you’re cold, put on a sweater, tuque (beanie if you’re south of the 49th parallel).  If you’re hot, have a drink with ice, and if that doesn’t help, then piss off.
  3. Austin tunes override. Period. Don’t care you want to listen to some wimpy East Coast, West Coast, Popular rock or Northerner crap. Doesn’t mean country. Let me repeat …
  4. If there is a NFL game on, then the game is ON .. don’t expect much else.
  5. Don’t suck up *all* the bandwidth in pr0n, dude. Really? I know it’s you. Remember what I do for a living?? Yes there are “proxies” on friend’s free Internet connections. Duh.
  6. GPS (aka TomTom or Garvin) HIGHLY recommended for out-of-towners.
  7. GPS (aka TomTom or Garvin) HIGHLY recommended for in-towners.
  8. Be energy conscious. Rinse your damn dishes (don’t be lazy) – that’s what the drying rack is for. Duh.
  9. You consume the last bottle of _______, REPLACE it. Damn, there is a Tarjay (Target for our American friends), or H-E-B, or Randall’s within walking distance!
  10. Do NOT put your drinks on my Red’s Porch tab. Food is negotiable.
  11. You MUST have a valid reason to go to another joint than Red’s.
  12. Yes, it IS a shower curtain rod like Marriott’s.  No, I didn’t steal it. Nice, eh? That’s another 5.5″ of room in the shower!!
  13. No you don’t have to come run with me in the morning at 5am.  Nor do I .. but sometimes I’d appreciate the encouragement out of bed.
  14. Recycling bin is in the pantry.  Just cuz y’all are too lazy to actually walk outside and dump your junk in the recycle bucket out back. Just sayin’. By the way .. organics hit the bucket at the BACK .. if you give a cr@p about that stuff.
  15. Yes, I do offer a taxi service at 5am to the AUS airport.  It’s $50,000 per one way.  Your choice, but it’s COB bud.
  16. Don’t touch the Henkle knife (knives) .. I have to sacrifice  goat entrails to keep it sharp.  Pretty sure you don’t want any part of that. Just sayin’. You get the steak knives.
  17. NEVER turn off the Cranberries or AWOLNATION. EVER. See rule #3.
  18. Whoever gets to the music remote wins. Except when Rule #3 applies. That means Al wins. All the time. Damn dude don’t cry.

Ok, you get the point. Be responsible. Recycle. Use less energy. Don’t be lazy. Book your stay. (It’s only uncomfortable for those of you who don’t and wind up sleeping in the same guest bed .. y’all are NOT sleeping with me).

Oh .. ya, I’m sure you’ll have fun here .. no problems, mate. Yes the lights in the back yard are a secret. DON’T tell Amanda.

More fantastic diving with Mike Severns


Just finished a trip to Maui and had the good fortune of diving again with the crew at Mike Severns diving. The crew this time included dive masters AJ and Warren (as usual) but I also had a chance to dive with dive master Seth too. As usual, Andy did a masterful job as the captain!


Kihei Boat Launch

Al, Seth, Dani and Andy

Two quiet days in October and the weather was fantastic. Day one I got to dive with AJ and Warren, while the second day I dove with Seth. Every single time I head out with these guys they have outstanding customer service and attitude .. and that’s not just because of the awesome sticky buns they consistently provide.

Day one was a great day in the Molokini crater where we saw lots of coral creatures including an extremely large lobster. The second dive at Puu O’Lai had great visibility and lots of turtles and several amazing (apparently rare) fly-bys of four Spotted Eagle Rays.


Spotted Eagle Rays

Bubbles off back wall of Molokini

Day two we hit the back wall of the Molokini Crater with the (literally) breath-taking 350′ expanse of coral and creatures. Dive two on the second day was at Wailea Point with more very friendly turtles.

Thanks again guys – hopefully we’ll see you in another year.

9/11 Tribute Movement


Few human-made disasters in recent history have had a larger impact on the United States, North America, and in fact the western world than the attacks on the World Trade tower buildings. I encourage my friends and acquaintances to visit the 9/11 Tribute Movement website and pledge their memorial activity.

Remembrance of those who lost their lives and those who gave their lives in the line of duty is an important act that we all should honor.

We will be doing our most difficult cross country mountain bike ride and will give a minute of silence at the top in honor of those who lost their lives as well as in support of the survivors.


Visit www.911day.org and tell the nation what you’ll be doing on 9/11/11.

Update: At 6,398′ on Moose Mountain, we gave a moment of silence.

Moose Mountain 9/11 Tribute

  • Author:
  • Published: Mar 29th, 2011
  • Category: tech
  • Comments: 1

90 Day Plan for New IT Security Managers


You’ve just taken over as an information security director, manager, or architect at an organization. Either this is a new organization that has never had this role before, or your predecessor has moved on for some reason. Now what? The following outlines steps that have been shown to be effective (also based on what’s been ineffective) at getting traction and generating results within the first three months. Once some small successes are under your belt, you can grow the momentum to help the business grow faster or reduce the risk to their success (or both).

Now what do we do?

Apply a tried-and-true multi-phase approach .. assess current state, determine desired target state, perform a gap analysis, implement improvements based on priority. Basically we need to establish current state, determine what future state should be, and use the gap analysis as the deliverables of the IT security program. There may be many trade-offs that are made due to limiters like political challenges, funding constraints and difficulty in changing corporate culture. The plan you build with the business gives you the ammunition needed to persuade all your stakeholders of the value in the changes you’ll be proposing.

1. Understand the Current Environment

For a manager or enterprise architect to determine where to start, a current state must be known. This is basically an inventory of what IT security controls, people and processes are in place. This inventory is used to determine what immediately known risks and gaps from relevant security control frameworks exist. The known risks and gaps give us a starting point to understand where impacts on the business may originate from.

Take the opportunity to socialize foundational security concepts with your new business owners and solicit their input. What are the security related concerns they have? If there has been any articulation of Strengths, Weaknesses, Opportunities, and Threats (SWOT), obtaining that review can also give you an idea of weaknesses or threats that are indicative of missing controls. In the discussions with your new constituents, talk to the infrastructure managers and ask them what security related concerns keep them awake at night – there is likely some awareness but they don’t know how to move forward. Keep in mind most organizations will want a pragmatic approach versus an ivory tower perfect target state.

Some simple questions can quickly give you a picture of the state of security controls. For example, in organizations I’ve worked with, the network administrators could not provide me a complete “layer three” diagram – a diagram that shows all the network segments and how they hang together. It wasn’t that they didn’t want to; the diagrams simply didn’t exist. With over 1,500 network nodes across two data centers and two office complexes, the network group had the topology and configuration “in their heads”. Obvious weaknesses and threats include succession planning and disaster recovery being effectively impossible, poor security transparency, and nearly any change to the environment carrying higher risk than necessary.

Another example is an organization that had weak asset control. At any point in time it was nearly impossible to determine if unauthorized network nodes existed, since the workstations, notebooks, servers, virtual machines, switches, firewalls, printers and any other network connected equipment were tracked separately, if at all. No regular audits were performed to reconcile that what the organization had purchased was actually what was connected to their networks. This points to weak change control and weak asset control. Without strong asset control, it is difficult to offer assurance to the business owners that serious vulnerabilities have been mitigated to a level they can accept.

Ensure you’re asking questions that will allow you to develop future metrics, such as:

  • Do security controls that are in place generate measurable performance statistics?
  • How many user accounts are added, disabled, deleted per day/week/month/quarter?
  • What volume of inbound email is spam/malware?
  • Does the operations team have baselines of normal network, system, application activity?
  • Profile of user accounts – how many are inactive (say, no login in 90 days)?
  • How automated is the new hire, dehire, change process? Is there room for manual error?
  • How many administrator accounts are there (as a percentage of all accounts)?
  • What degree of individual user accountability is there? Are there signed acceptable use agreements?
  • Are there accurate network topology and security zone as-built diagrams?
  • Is there clear segregation of assets that contain high value data?
  • Are content filtering and malware controls deployed?

All these identified issues can then be dropped into a mind map or even a spreadsheet to visualize the highest risks. More on this in a minute.


  • Author:
  • Published: Feb 23rd, 2011
  • Category: tech
  • Comments: 4

Building a new PVR


<Updated Aug 18, 2011 after a successful PVR rollout>

Technology has evolved since the last MythTV PVR I built, as chronicled here.  Here are the latest techniques and tech that I’ve used to (start) build(ing) my current PVR. I’ll update this article as I go, as there have been some bumps along the way, so completion of the project has been slower than I anticipated.

Requirements for my new PVR include:

  • Linux operating system for cost and flexibility reasons
  • Quiet! Fan-less operation if at all possible, external power supply ok
  • Small form factor, black case to fit in with my current home theater gear
  • Video capture with MPEG-2 hardware acceleration to help keep the CPU needed as small as possible, in an expansion card format for the most compact physical footprint .. additionally there must be at least two independent tuners
  • Analog tuners, but would be good if they were capable of digital for when I eventually move to digital/HD
  • IR receiver and transmitter capability for easy remote control and ability of the PVR to use my current set-top box as a source (gives me all the cable company movies and channels that are not available via the basic cable connection)
  • Ability to schedule at least 10 shows and retain 5 episodes of each show .. also ability to schedule based on show name alone
  • Ability to perform post-recording processing, such as removing commercials or changing formats
  • Should be able to use a pre-packaged distribution for most if not all of the functions .. I know it’s a home-brew, but I’m tired of messing with individual packages, firmware, and custom codes to make it work. Using a distribution package makes it easier to maintain through updates.
  • Want to purchase the parts from the same supplier if possible (ended up using newegg.ca)

Since I already run MythTV, it was an obvious starting point and given I don’t have an affinity to a specific Linux distribution, I looked at Mythbuntu and Mythdora since I’m familiar with and already run both Ubuntu and Fedora distributions.

After downloading the Mythbuntu 10.10 ISO disk image, I discovered I didn’t have my USB DVD drive, so I wanted to create a bootable USB flash disk.  I followed the excellent instructions at https://help.ubuntu.com/community/Installation/FromUSBStick and successfully burned a bootable Mythbuntu disk on a 2GB USB flash disk via a Ubuntu VM running on my MacBook Pro.

The Hardware

The hardware that I chose to use included:

  • An Antec ISK-300-65 case, good for fan-less operation
  • ASUS AT5IONT-I mainboard with dual-core Atom D525 CPU
  • Hauppauge WinPVR-2250 dual tuner PVR card with MPEG-2 hardware acceleration (PCI-express)
  • 4GB DDR3 SO-DIMM memory (2x 2GB)
  • 2x 750GB 2.5″ SATA HDDs
  • My existing Microsoft MCE USB IR receiver/blaster and remote

I evaluated the very cool and potentially high performance hybrid HDD/SSD disks, but too many users reported sub-optimal experiences, most stating the technology is too new. Having a terabyte 2.5″ disk with 4GB of SSD would be sweet, but for now I’m just sticking with 750GB 7200RPM 2.5″ SATA disks. Since I changed my mind and I’m not going to put a DVD drive into the case, I chose to put another HDD in and mirror them up (since there are two SATA adapters on the mainboard and space in the case for two HDDs).

The ASUS mainboard is designed for fan-less operation, and coupled with the Antec case as one massive heat sink, it is incredibly quiet. Video outputs are all handled by the mainboard versus the video capture card and include DVI, HDMI and component video outputs. On initial power on, I was somewhat underwhelmed: although the power on button turned on the blue power light on the mainboard, then spun up the disk and fan, there was no joy on the mainboard BIOS POST. After some Googling, I found the Asus board uses the very finicky Intel memory controller that is used with the Atom CPU. I purchased a pair of KVR1066D3S7/1G (Kingston 1GB 204-Pin DDR3 SO-DIMM DDR3 1066 (PC3 8500) Laptop Memory) to boot the AT5IONT-I far enough to get the BIOS updated. See the forum thread here for other people’s experiences. Version 312 of the ASUS BIOS did not support the 2GB DIMMs, so I was a bit annoyed that I had to purchase 1GB DIMMs (Kingston KVR1066D3S7/1G) in order to get into the BIOS.  I downloaded the 316 BIOS ROM image from the ASUS website and put it onto a FAT formatted USB memory stick, thinking I’d have to go through the pain of booting some form of Windows or DOS to run some lame BIOS updater utility. I was pleasantly surprised to find a BIOS update utility built into the BIOS! All I had to do was plug in the USB stick and select the option to update the BIOS. It worked! Not only was it the most painless BIOS update I’ve ever done, now the 2GB memory DIMMs work (anyone want to buy my 1GB DIMMs for the cost of shipping?). On to the installation of Mythbuntu.

I originally wanted to have a slim DVD drive to play DVDs but then realized that I don’t even have any movies on DVD any more.  All the oldie goldies that I had, I now have copies in iTunes. Since the mainboard only supports two SATA interfaces, I chose to reserve one for a future redundant HDD (as it turns out I just ordered the extra disk when I purchased the 1GB DIMMs).

The Hauppauge card is a dual-tuner analog/digital card with an IR receiver and blaster – so it can change channels on a cable set top box. Having two tuners on the 2250 means the scheduling conflicts I often encountered with a single tuner can be avoided.

OS Install

I tried a couple of All-In-One distributions (Mythdora and Mythbuntu) and even a couple of versions of each.  It seemed like I ran into issues with both distros in different areas. Mythbuntu 10.10 wouldn’t save the Video Sources. Mythdora had a better setup interface than Mythbuntu 10.10, but would not set up a default route for some reason – all the subsequent updates and package installs would obviously fail.  Sigh. Doing a base install of Fedora 14 then installing from the ATrpms repositories would go better for the OS install (including full mdadm mirroring of the two SATA drives), but compiling the Hauppauge HVR 2250 analog driver from Steve Toth’s excellent support site would fail with usb_ function call mismatch errors. Apparently the usb_ memory function definitions have changed in recent 2.6 kernels. Arrrg!

Fortunately I set this aside for a while and in the mean time, Mythbuntu came out with release 11.04 … would it work??

So now it works for analog .. exactly what I wanted. Ironically I don’t need the digital tuners for a while yet.


Merry Christmas and Happy Holidays .. fantastic diving


Well, here's a shout out to Mike Severns Diving in Maui .. (808) 879-6596. As usual, the crew including Warren, AJ, Michelle and last but certainly never least, skilled and fearless (or at least never speechless) captain Andy, managed to provide two superb days of diving in the Molokini crater in Maui. Even with poor visibility on the coast during my second day, the extra time in the crater was well worth it. 

We scoped out the Molokini reef three times and also did the Tank to the Landing craft drift dive. Saw a number of firsts for me on Thursday, including a small octopus, frogfish, flounder and nudibranch.

Other finds included a sponge starfish, a wire coral and a spiny urchin.

Sponge Starfish, Wire Coral, Urchin

Thanks very much for another great diving trip to Maui guys! The Severns crew including AJ, Michelle, Andy and Warren were as usual, spectacular dive masters – knew where to look for the interesting bits and were really down to earth. Their dive boat can take out up to 12 divers, so it's a smaller group allowing more interaction with the crew, compared to the larger 20+ diver boats.

Mike Severns Dive Crew 

See you in another year!

Resetting user passwords in Mac OS X Leopard without Administrator


For those odd times where you need to reset the password for a user on a Mac (OS X 10.5 Leopard) and you don't have access to an administrator account, this is a procedure that will work if you have physical access to the system and can reboot it. No boot DVD is needed if you can boot the system off the internal hard disk.

We boot into single user mode off the internal hard disk, then reset the target user password.

  1. Boot into single user mode (hold Command-S at power on).
  2. Check the root filesystem first:
    fsck -fy
  3. Mount the root filesystem read-write:
    mount -uw /
  4. Load the directory services daemon so that dscl can talk to it:
    launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist
  5. Set the new password (replace username with the targeted user and password with the new password):
    dscl . -passwd /Users/username password
  6. Reboot, then sign in with the new password:
    reboot

Movember is Prostate Cancer awareness Month


No laughing matter, prostate cancer. The guys at AESO have joined together to form team Mo Lecious to raise money for prostate cancer research. Movember is moustache month .. each team member needs to grow a moustache to raise funds.  No connection of side burns to the moustache .. that's a beard.  No connection of both ends of the moustache .. that's a goatee.  All else is fair game.

My Movember page here

In addition, I'm offering up a shiny new iPod Nano to the person who donates the single largest amount.

Please consider donating some money .. it's for a good cause.

Thanks,
AP

  • Author:
  • Published: Oct 1st, 2010
  • Category: tech
  • Comments: 1

Phishing attacks getting better .. iTunes Receipts


So I get a call this morning from a family member who is freaking out over a six hundred dollar iTunes invoice. Fortunately I knew this person didn't have an iTunes account (they use mine), so I knew right away it was a fraud. On inspecting the invoice, there were so few errors it's chilling. If this had been an invoice from the (Acme Widget Company) that I do have an account with .. it's possible it may have worked.


The quality of phishing emails has dramatically improved as the quality assurance by malware miscreants improves.

iTunes phish

On closer inspection, there were three very subtle errors made on this iTunes phishing attack:

  1. No street address was shown.  iTunes receipts always have your street address listed and spamming dirt bags don't have that (we hope).
  2. Receipts (that I've paid attention to) come with an American style date format .. month / day / year.  Canadian or European formats are typically day / month / year or year / month / day.  This one is  day / month / year.
  3. Modern corporate invoicing systems don't include leading zeros. Also the quantity and dollar amounts don't add up.

Every web hyper-link in this invoice except for the Apple Store Support and the Apple Legal links point to a non-Apple site.  All the links in iTunes invoices point to Apple.  In this case, the infected domain was  medicineni.com . This is particularly evil, since it's associated with the Zeus trojan that steals banking credentials. Bogus LinkedIn invites have also been confirmed to be coming from the Zeus botnet.
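As an added example (not from the post), here is the same inspection written as code: it runs the indicators listed above, plus the link check from this paragraph, over a constructed phishing mail and a constructed genuine-looking receipt. Both mails, the phish.example hosts, the line items and the pattern for spotting a street address are assumptions made for illustration. The link check accepts only hosts that are apple.com or a subdomain of it, so the string "apple.com" appearing in a path or as the front of a look-alike domain does not pass.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The post's observation: every link in a real iTunes receipt points to Apple.
# Subdomains of these suffixes are accepted; look-alike hosts are not.
TRUSTED_SUFFIXES = ("apple.com",)


class LinkCollector(HTMLParser):
    """Collects href values of <a> tags from the HTML body of a mail."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def is_trusted_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def off_domain_links(html):
    """Links whose host is not Apple ("www.apple.com.phish.example" is not Apple)."""
    parser = LinkCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if not is_trusted_host(h)]


def non_us_dates(text):
    """Dates that cannot be month/day/year because the first field exceeds 12.
    Dates with both fields <= 12 are ambiguous and are left alone."""
    return [m.group(0) for m in re.finditer(r"\b(\d{1,2})/(\d{1,2})/(\d{2,4})\b", text)
            if int(m.group(1)) > 12]


def leading_zero_numbers(text):
    """Receipt/order/invoice numbers padded with leading zeros."""
    pattern = r"(?:receipt|order|invoice)\s+(?:no\.?|#|number)\s*:?\s*(\d+)"
    return [n for n in re.findall(pattern, text, flags=re.I) if n.startswith("0")]


def has_street_address(text):
    # Constructed, deliberately simple pattern: "123 Main Street", "5 Elm Ave".
    return re.search(r"\b\d+\s+\w+(?:\s+\w+)?\s+(?:St|Street|Ave|Avenue|Rd|Road|Blvd|Dr|Drive)\b",
                     text) is not None


def totals_match(items, stated_total_cents):
    """items: (description, quantity, unit price in cents); integer cents avoid float drift."""
    return sum(qty * price for _desc, qty, price in items) == stated_total_cents


def phish_indicators(mail):
    """Names of the indicators from the post that fire on one parsed mail."""
    text = re.sub(r"<[^>]+>", " ", mail["html"])  # crude tag strip for the text checks
    found = []
    if off_domain_links(mail["html"]):
        found.append("off_domain_links")
    if non_us_dates(text):
        found.append("non_us_date")
    if leading_zero_numbers(text):
        found.append("leading_zero_number")
    if not has_street_address(text):
        found.append("no_street_address")
    if not totals_match(mail["items"], mail["total_cents"]):
        found.append("totals_mismatch")
    return found


# Constructed sample mails (not the actual phishing message from the post).
PHISH = {
    "html": """<html><body>
<p>Your receipt No. 00123456789</p>
<p>Order date: 29/09/2010</p>
<p><a href="http://phish.example/apple.com/report">Report a problem</a></p>
<p><a href="http://www.apple.com/support/">Apple Store Support</a></p>
<p><a href="http://www.apple.com/legal/">Apple Legal</a></p>
<p><a href="http://www.apple.com.phish.example/itunes/">Manage your account</a></p>
</body></html>""",
    "items": [("Song", 3, 99), ("Album", 1, 999)],  # adds up to $12.96 ...
    "total_cents": 59999,                           # ... but the mail claims $599.99
}

GENUINE = {
    "html": """<html><body>
<p>Billed to: J. Doe, 123 Main Street, Austin TX</p>
<p>Order Number: 123456789</p>
<p>Order date: 09/29/2010</p>
<p><a href="https://www.apple.com/support/itunes/">Apple Store Support</a></p>
<p><a href="https://www.apple.com/legal/">Apple Legal</a></p>
</body></html>""",
    "items": [("Song", 1, 99)],
    "total_cents": 99,
}

if __name__ == "__main__":
    print("phish:  ", phish_indicators(PHISH))
    print("genuine:", phish_indicators(GENUINE))
```

None of these indicators is proof on its own (a legitimate receipt for a customer in Europe may well carry a day/month/year date), which is why the function reports every indicator that fired rather than a verdict; the off-domain link check is the one that a mail filter can act on with the most confidence.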

We still need to stay awake to the attacks by these malware miscreants, because they are getting better by the month.

© 2011 Allen Pomeroy. All Rights Reserved. This is the personal website of Allen Pomeroy. Opinions expressed are not necessarily those of my employer.