Sunday, April 23, 2006

The wonder of PodCasts

I've had an iPod Nano for a while now and mostly used it for music and as a portable HDD. The other day one of my colleagues told me about the "IT Conversations" PodCast and I made a point of chasing down the recommendation.

Having evaluated it for about 4 days now I have to admit that this is truly an exciting and useful technology (part of this whole Internet Paradigm Super Shift). As a professional it allows me to stay abreast of all sorts of trends and developments while I'm on the move or at the gym. Off the bat I would like to recommend the following PodCasts (just search for them in the iTunes PodCast Store):

Security Now! (high quality and really easy to listen to)
Security - powered by PodTech (interesting snippets and industry news)
IT Conversations (not just security related, but daily, good quality features)

The past week was really a week of new, shiny toys in which I also received my first Windows Mobile 5.0 SmartPhone, the iMate SP5. What a wonderful piece of equipment. It turns out that this platform supports over-the-air PodCasts and PodCast updates. For those of you familiar with the iTunes/iPod paradigm this means that I can now download my PodCasts daily over-the-air onto my SmartPhone without the need to have a computer with iTunes at hand.
The products that I'm currently evaluating to do this are: and

The only downside to this approach is that GSM data (EDGE/EGPRS in my case) is more expensive than the DSL I have at home, and the fact that the SmartPhone only comes with 128MB of onboard storage (of which 64MB is ROM) compared to my iPod's 2GB of storage. Luckily it is possible to expand my SmartPhone's storage with a 4GB MiniSD card, which would immediately obsolete my poor 3-month-old iPod...

Racial consciousness

During this paradigm shift it really seems to me that we will most probably move to a form of racial consciousness. I'm a huge fan of Frank Herbert's Dune in which he refers to the ability of the Lisan al-Gaib to tap into this racial conscience, a type of a racial destiny - the race being the human race.

Facts will become more and more trivialised as our technology continues to develop and "knowing" something will become easier and easier. Technical as well as physical demands on humans decrease as our tools, our automata, increase in efficacy - this leaves the human mind free to ponder, philosophize, emote and interpret.

We can already see some of these elements today in how the Internet is delivering knowledge, content and skill at a speed, unfathomable a decade ago. In my own industry, the IT industry, learning technical know-how, troubleshooting and many other functions are really just a function of how well you are able to leverage the information already on the Internet. Of course experience speeds things up greatly, but given enough time and skill you can find most answers relating to IT on the Internet these days.

To add to these trends I read on Slashdot about a project that tracked the global mood through the blogosphere:
Using these types of tools we can gauge the mood of the race conscious, starting to add tangible elements to it.

Friday, April 21, 2006

Paradigm Super Shift

I have been doing a lot of research lately and, accidentally, fallen more in line with what I have just termed the Internet Paradigm Super Shift. This is not merely a "Paradigm Shift" it is a massive shift in the way that we deal with our world as we know it today. You will either "get it" and be part of the new information community, or you wont.

Even being a "geek" in the traditional sense will not mean you "get it", and I can speak for myself in this matter. Even recently things like Second Life, Podcasts, Flickr, etc meant very little to me. I knew they were new, very relevant to the Internet Generation and was of the opinion that maybe the fact that I had not grown up with the Internet meant that I would never "get" these concepts. Having spent a lot of time researching new things, trying out new disruptive technologies and services and generally attempting to educate myself I have come to the conclusion that it isn't necessarily relegated to the kids who grew up with the Internet.

Something has really caught my attention though: identity. As you move more and more of your life online you have to make some really hard choices regarding your identity and the value you place on your privacy. A decision also has to be made on how you intend to protect the identity that you choose to go forward with.

Authors have long used aliases when publishing books, for various reasons. Certain individuals prefer to fiercely protect their identities and go to great lengths to protect their privacy. A lot of us just "let it be", we divulge private information to 3rd parties without necessarily knowing much about the 3rd party involved. The last scenario works very much like the proverbial "genie and the bottle" - once the information is out there you have to assume that on some level its going to be accessible to 3rd parties that you might not have wanted to be privy to the information (regardless of what the 3rd party's privacy statement might promise in the form of protection).

With any luck we will never be in a position to attract undue attention from another party and have our privacy badly invaded by the information that is already out there, I'm of the opinion that - at least for me - the benefits of participating in the information community far outweigh the perceived risks of unintended privacy losses.

Protecting your online identity

To me the major concern is that once you let the "genie out of the bottle", that is, embrace the information community and move more and more of your personal life online, you have to protect that identity and reputation as far as possible. What does this mean?

1) Take measures to prevent impersonation in the digital era. You should consistently use proactive and repetitive actions that authenticate what you do online by, for example, signing all your emails, watermarking your digital content.

2) Only divulge personal information to reputable services. Anyone have a good idea how to benchmark this? There's an opportunity for a community driven service to rate a 3rd party's behavior when it comes to protecting their customer's private information.

3) Proactively monitor and protect your identity. Use something like Google Alerts and other tools to police when your identity, or private information is being used online.


The Internet is going to create a paradigm shift roller coaster for a lot of us over the next couple of years. We will do new and old things in ways that we had never imagined. Our privacy and concept thereof will change. Identity, and authentication thereof, will become more and more important every day.

I'm out of prose, so this is where I will end my soliloquy, if anyone has any comments to add please do so through the mechanisms provided by the Blogger service. Can you think of other clever mechanisms whereby to protect your own online identity?

(I'm off to research cryptographic signing of blog posts :-) I'll post my PKI public key as soon as I have one...)

Thursday, January 12, 2006

Vulnerability assessment - get permission first

Before assessing systems that are not 100% your own (ownership, accountability, etc) you should get permission to do vulnerability scanning. At least is you are an ethical hacker. While doing research I stumbled across this permission memo, courtesy of Ed Skoudis, I highly recommend that readers use this, or some other means, to get permission before starting any assessments on computers that you do not own. Even your employer's computers.

The Future Trends of Malware

Here is a link to a very interesting article:

I definitely see a "market" for cryptoviral extortion. Unfortunately, as the author mentions, the economics speak for themselves. Supply and demand.

Tuesday, January 03, 2006

IT Security Certifications

During the last 2 weeks I have been doing some research into the available IT Security Certifications, to summarize - the prominent ones seem to be:

CISSP (from - The CISSP seems to be most renowned and sought-after security certification available today.
SSCP (from - Can be seen as an intermediate certification for professionals not meeting the full requirements for CISSP yet.
Security+ (from - Security+ is seen in general as a very good entry-level course. It can serve as a good stepping stone on the road towards CISSP.
GIAC (from - Certifications from the SANS institute. Focuses more on hands-on technical experience, as opposed to a more theoretical approach taken by

I personally will start with the Security+ certification from CompTIA. Although one can jump into the "deep end" and pursue some of the more advanced certifications I like the idea of establishing the basic concepts and then re-enforcing them step-by-step, certification-by-certification. Some people will want to approach this differently - pursuing the certification more than the skills associated with it. I personally want to firmly embed the basics as I build a full set of skills.

Along the road, and coming soon to this blog, I am going to investigate a whole plethora of technical skills related to IT security. Expect to see some Assembler code as I investigate software vulnerabilities and develop the skills to write the exploits myself. I'll report on the tools I discover and my impressions on them as well as some short tutorials or step-by-step guides.

Hello 2006!

New year, new challenges and new opportunities.

Hello everybody and welcome to this periodical. My name is Stephan Buys, an ICT Security Engineer from South Africa. Professionally involved in IT since 1996 I have accrued experience as an IT Technician for, gasp, almost ten years now. The bulk of my experience is in email, Open Source (contributed heavily to Kolab) with my current thrust being into IT security.

In this blog, apart from the odd personal titbit, you will find information relating to my foray into IT security. I plan to publish links to interesting articles, impressions and more. I want to make this blog relevant, interesting and engaging - to that extent I welcome any feedback - so please dont hesitate to raise your voice.

So lets get to it shall we?