May 2008 Entries

And now for something completely different

I wasted my entire weekend last week catching up on The Adventures of Doctor McNinja.  This comic strip started as a college project, but has matured dramatically, and was a competitor in the recent Eagle Awards for Best Online Comic (Order of the Stick won, another real gem in that genre, especially if you are a recovering D&D addict like myself). If you have time to waste, trundle on over and read some of Doctor McNinja's adventures.  Here's a teaser.  This is the Doc's dad (also a ninja, duh) explaining why he lit himself on fire to escape a pack of...

This might become my new email signature

Mike Rothman, of Pragmatic CSO fame, laid down one of the best one-liners of all time in a recent blog post: It's about serving the business, NOT THE AUDITORS. If you protect information effectively (which is a key imperative for the business), then the auditors should be kept reasonably happy. And if not, screw them and fight them. Yes, the auditor can make your life a bit harder, but you don't work for them. Keep that in mind. OK, technically, that's a five-liner, but you get the point. I can't tell you how many companies I've seen spend a million dollars a year...

Even a broken clock is right twice a day

I'm a rather pragmatic security practitioner.  If I think something is dumb, even if it's on someone's “Best Practices” list, I'm not above calling it out.  Some examples:  I think, in the majority of cases, antivirus on a server is dumb.  I think renaming your Administrator account is dumb (almost all tools that attack Admin now do so using the SID).  I think account lockouts are dumb (they are a crutch for weak passwords).  I think writing down a strong, complex password is better than using a weak password if that's all you can reliably remember (no, don't then stick it to...

Time for a new phone

On a recent trip to Nawlins, I left my RAZR's charger in my hotel room. Which means, obviously, time to get a new phone. Truth be told, I've had my RAZR (v2!) for several years, having purchased it way back when the first black ones hit the scene.  It's been a great phone, and I really don't have any complaints about it.  But sheesh, I've never owned a phone this long, and it's starting to bug me.  The only problem I've ever had with it is the battery gave out about 2 years in, but that was easily remedied (hooray for field-replaceable...

Identifying Stale Machine Accounts

I'm sick of googling for this the few times per year I need it, so putting it here for future reference: To identify stale computer accounts in your Active Directory, you can look at the last time they changed their passwords.  Windows 2000 and later machines will change their computer account passwords every 30 days by default.  Machine accounts that have gone more than 30 days without changing their account passwords are probably no longer in use (or they have a problem preventing them from communicating with the domain controller(s)). The easiest way to enumerate machine account password age is a free tool called...

Back from Vegas

I spent the week in Las Vegas, attending the CSI/SX and InterOp conferences. If you don't leave Vegas broke, hungover, and tired.... well, you're doing it wrong.