Archive for the ‘Humor’ Category

Cool, a package! Oh noez! It’s from Attrition!

November 25th, 2013

This is a long overdue post, and has nothing to do with security, and everything to do with slow, simmering dementia and madness among us. I received a package from a certain “Brian Martin” a few months back. My schedule got a bit hectic, the package was set to the side, and I have finally gotten back to the US and cleaned up my office. What I found in this package, my friends, was nothing short of disturbing. I’ll list the contents, with my general impression of what they may mean.

  1. Numerous information security-related stickers: This is really the most “normal” thing in the shipment.
  2. An Attrition business card/thing and a wristband. Again, cool. No worries here.
  3. A Leonard Cohen CD. Now, undeniably, there’s something cool about Cohen. In fact, a lot cool. But…who would PART with such a thing? This is just the beginning of the insanity.
  4. Two wine cork/tops (one cork, one screw-off). Why was this still hanging around? Why were they saved to send on to me? Hmmm.
  5. Several small foam balls. Likely ripped mercilessly from the faces of stuffed clowns, which is creepy. Heading deeper into CrazyLand, for sure.
  6. Numerous keys from computers or other electronic equipment. Very likely ripped apart in a frenzied Mescaline-induced rage.
  7. Several small rubber discs. From what, I have no idea. Cryptic.
  8. Two plastic dinosaurs. Despite my intrinsic pleasure at receiving two small plastic dinosaurs, again I ask…who would PART with these?
  9. One shiny stone. Shiny.
  10. A discarded bank keychain. Junk.
  11. Most horrifying of all…a staggering stack of periodical renewal pullouts that span an awe-inspiring range of topics – science, history, geography, psychology, women’s anatomy, general nerdiness, and more. And going back to at least 2005. Where were these ACQUIRED? And why were they KEPT, in a long-term fiendish plot to send them on to an unsuspecting victim? This represents a deeply depraved character, without any doubt.

If you’ve read this far, you likely know that this is satire. I personally found this mixed bag o’ shit to be hilarious, and knowing that I have crazy-ass friends like Brian is oddly comforting. Isn’t that half the reason we’re in this business? To share in the crazy?

Cheers, folks, and happy Thanksgiving to all in the US.


We’ve Been Outed!

June 29th, 2011

With apologies to my friends and fellow panelists, this was too hilarious not to post:


The 13th Requirement

September 1st, 2010

Now, at long last and after much personal expense and toil, I am proud to bring to you the fabled 13th Requirement of PCI DSS. Long rumored to exist, I recently managed to wrest it from the dank basement stronghold of a Masonic Lodge in Milwaukee, while dodging capture by their roaming guard of free-range chickens (those things are DANGEROUS!).

Just as you would expect, this is essentially the Rosetta Stone of PCI. All the confusion, all the gray areas that weren’t clear, all the ambiguous references to technology and technical specifications – cleared up with one section that the Council did not want you to ever see. So, without fail, I give you – Requirement 13.

Requirement 13: It’s somebody else’s problem.

13.1 PCI Merchants and Service Providers, under no circumstances, should take responsibility for sound information security practices and satisfactory compliance status.

13.1.1 PCI Compliance is the QSA’s problem. Never admit that you’re doing anything wrong, or that your practices are not sound.

13.1.2 If a passing ROC cannot be obtained from your QSA, attempt to discredit him/her and their organization.

13.1.3 If a passing ROC is obtained, but is completely bogus (see section 13.2.2, “Rubber Stamping”), and an incident/compromise occurs, attempt to discredit him/her and their organization.

13.2 Qualified Security Assessors will claim to be objective, but in actuality will be subjective based on prior knowledge, perception of customer, and QSA consulting firm contracts and business needs.

13.2.1 PCI Compliance is the customer’s problem. Never imply that anyone but the customer is directly and wholly responsible for all facets of PCI compliance, regardless of whether the QSA has a clue about the technology, business processes, or CHD flow.

13.2.2 As long as sufficient “evidence” of controls can be provided, keeping the customer happy and paying the bills should be the QSA’s primary concern. This is often referred to as “rubber stamping,” and is often encountered when merchants and service providers prioritize compliance over actual security measures that meet best practices.

13.2.3 Neither the PCI Council nor the payment card brands will offer the slightest assistance throughout the course of the PCI assessment. Verbal “blame shifting” is acceptable when clients demand specific answers.

13.2.4 In the case that a client is compromised, or experiences a breach of CHD, a QSA must never admit fault. Disavow all knowledge of the technical or procedural shortcomings that may have led to the breach, and strongly insinuate that the client may have been “hiding” things during the assessment.

Well. Hope this clears things up. 🙂


Your Hardest Infosec Problem: Getting People to Give a $@%&

September 8th, 2009

So, this post is totally inspired by a Tweet I saw from Zach Lanier (aka @quine). He came! He scanned! He found vulns! He dutifully sent them off to the various IT folks who manage systems and applications! And….(crickets chirping). Nothing. No one cared.

So, this post is meant to give you infosec folks some shiny new ways to get those beloved admins and dev teams to actually RESPOND TO YOUR EMAILS AND PHONE CALLS! Here we go:

  1. As if by magic, several cases of Mountain Dew appear in said admin’s cubicle. You could even add a little sticky note – “Call me. I’ve missed you!”
  2. Hack your admin’s boss’ computer and change the screensaver to the BSOD! This will create some good humor in the department, and you can conveniently drop by in the throes of this madness and bring up your list of issues!
  3. Somehow tie the remediation of those vulns to a free T-shirt. God knows that highly-paid IT professionals will actually engage in physical violence to get a free T-shirt.
  4. Send a meeting invite with the subject “Donuts” or “Pizza”. Works every time.
  5. Pull the classic “ARP Cache Poison your Coworker” trick! Mwahahaha – no more “ThinkGeek” or “Slashdot” for you! Redirect their HTTP requests for geek Web sites to the Barry Manilow Fan Club site. This will get frustrating. Then, when their entire day is ruined, swing by to hear their tale of woe. Mention how you can “look into the problem” with the network folks. Once things are working again, cash in your “grateful points” to discuss the vuln list you sent.
  6. Make a contest out of fixing vulns, or maybe just replying with a reasonable response…? Sure way to get attention? The prize is any-*#$%-thing with XKCD content.

These are just ideas to get you started. Granted, most are silly, or even (gasp!) highly unethical, but hey! Gotta think outside the box here.


Shack – Rejected!

February 10th, 2009

So today, I have the pleasure of seeing my first LinkedIn network invitation REJECTED. Now, let me explain why I am blogging about this. Because my feelings are hurt? Nah. I have pretty thick skin, so that’s not it. Why, then?

The reason, quite simply, is because I am NOT one of those people that just tries to get as many connections/friends/twitter followers/whatever as possible. I connect with people for two reasons:

  1. I have a bitch of a time keeping up with business cards and such, and I need some way of keeping track of people. Tools like LinkedIn have actually been a Godsend for me for this reason alone.
  2. Most of my interesting opportunities in life have come from my connections to people. In fact, I have only gotten ONE job or consulting gig from an advertisement or job site. Every other one has come from connections to people and industry groups and associations.

To make my point of why and how this is useful, I’ll refer the erstwhile reader to Guy Kawasaki’s blog post about using LinkedIn to find jobs.

So let me turn this to the infosec field I live and breathe. Our field is one of those that is a bit easier to find employment in at the moment, at least if you have some skills that are marketable. Most infosec folks I know are employed, though this of course is not an absolute. But folks – this doesn’t mean we can take this for granted. You should be looking to connect in some way with people you know, interesting people that THEY know, and others in your field that are related via industry groups. This is exactly what I do with LinkedIn – most of my connections I know or have met, some are just compelling or interesting people that have been introduced to me or have introduced themselves. I always check them out, make sure they seem to have some relevance to me or my field, and then typically connect with them if they do.

So I sent an invitation to a fellow instructor in this little training organization I work with. This is a small group of people, only around 50-60 folks in the whole world. This guy is international, and we’ve never met in person. But I clearly identified myself as being connected to him via this particular group, and I am sure he looked at my profile. And he declined to connect with me. Why? I’m not sure. I’m inclined to think maybe the guy’s just an uptight douchebag. Shocking as it may seem, this sometimes happens. 🙂

Regardless, to anyone reading this bit of drivel – my advice to you is simple: Don’t do this. If someone takes some initiative and tries to connect with you on a professional level, you should probably accept that invitation. Unless, of course, you’re a douchebag.


Weekend Round-up: Google Issues and a Sad-but-True Comic

February 2nd, 2009

Well, the weekend was not without PANIC (!!) and CONSTERNATION (!!). Saturday morning found me sitting at my desk, getting a little work done, and needing some information from the Oracle of the Internet. Looking for some info on Cisco switch commands, I was presented with a list of search results that were <GASP> all infected!!!

Imagine my sheer horror. The Internet was surely coming to a complete halt. Some evil mastermind had taken over all sites on the Web. Game over. To console myself, I went to Twitter to see who I could complain to at this early hour, and found that others were experiencing the same problem, albeit with a slightly lowered panic quotient. Hmmmm….the problem ACTUALLY could be Google, not a widespread evil plan to overthrow the Internet. Fast forward an hour, Google was operating just fine again. Thank Goodness!

The moral of this blurb: I am a pathetic little man. Losing Google for one hour actually caused me some frustration. You may not cook it in a spoon and inject it, or smoke it in a little glass pipe, but Google has successfully accomplished the Internet equivalent of addicting people to drugs. Ouch.

The next comment from the weekend is about a great old comic I saved from 2006 in Computerworld. I couldn’t find it anywhere online, so I scanned it in (apologies if it’s a little grainy; I tried to keep it small). Given that my name is, well...Dave, I absolutely love this one. Just remember, folks, every time you connect to a WiFi hotspot you don’t recognize, God kills a kitten.

Bruce Schneier FTW!

January 8th, 2009

Short post: I just HAD to share this with everyone; it has to be the funniest list of crypto-geek humor I have ever read, all at Bruce Schneier’s expense. Thanks to Anton Chuvakin for pointing this out to me. Enjoy!