Dominic White - Life

Happy Birthday Dear Blog

nospam@example.com (Dominic White) — Sun, 05 Feb 2012 13:23:00 +0200

Today marks the 8th anniversary of my blog, and my official entry into infosec.

It's been a wild ride, with the move to SensePost the best decision yet. After the blog template got laughed at on the twitters, I decided to give it a new theme. Thanks muchly to confluence from atrum for the CSS n00b help.

This year wasn't quite as eventful as 2010 or "The Year I Got Slashdot'ted", but I think 2011 was the year of my highest quality content, with some long, hard-thought entries. So far the blog has 908 entries, with 872 public and 36 hidden because I got too scared. By comparison, I have vomited 8288 tweets into the ether since 2007.

Thanks to those that read it, and the feedback you give me. Here's to year 9.

Timesheets - You're doing it wrong

nospam@example.com (Dominic White) — Sun, 20 Nov 2011 20:00:48 +0200

When managing teams of "information workers", I believe the use of time sheets is indicative of a management failure. Here's why:

If you have to rely on a timesheet to know what your staff are doing - you're doing it wrong
If you can't trust your staff to work hard - you have problems a timesheet won't fix
If you believe you have too many staff to manage - get more managers
If you think anyone completes them accurately - you drank the kool aid
If you think the time it takes to actually complete them accurately is worth it - you hate your staff
If you manage your business from these inaccurate stats - you're making bad decisions
If your senior people have PAs complete their timesheets for them - you're a hypocrite
If you spent millions on a new timesheet system, but didn't make it any easier for the staff using the system - you just suck

Security Vendor Bingo

nospam@example.com (Dominic White) — Sun, 08 May 2011 20:56:08 +0200

Matt Erasmus came up with a great idea for taking the Security Bingo card from RSA, and making our own for the ITWeb Security Summit, and using it to generate some funds for Hackers for Charity. Last year, thanks to companies such as ITWeb, SensePost & Telspace we managed to send R15k over to HFC, and it would be nice to do it (or more) again.

I have a long standing bug-bear over the uselessness that security vendors seem to bring to cons in ZA. They respond to requests for "please don't pitch your product" by talking generically about the "outsourced next generation cloud-based firewall industry" as if that was some sort of legitimate field that didn't constitute only their product. They still send sales/pre-sales/product specialists with their EMEA marketing deck, rather than something of actual value. But as long as they're offering money, people take it, no questions asked. You'd think the empty rooms and people walking out of their presentations would send the message, but instead a local distributor finds a new vendor, or the vendor sends a new person, so the lesson is never learned.

That's not why Matt suggested the bingo, but it's one of the main reason's I helped. I want the vendor telling us that their product will block 100% of APTs to walk away feeling dirty and ashamed, and maybe even realise the error of their ways and turn into the next Charlie Miller. Also, I want to help Johnny, and the great work HFC is doing in Uganda (and Kenya).

So, as Matt already said. Find either he or I at the security summit (we'll be wearing I Hack Charities shirts) and give us R50 (or more, it's for a good cause) and we'll give you a security vendor bingo card (feel free to pre-print yours). Fill it out during the talks or on the con floor, optionally with the name of the vendor so we can tally a highscore list, then either return it to us in person, or mail it to the address printed on it, and we'll give you the results. There'll be some sort of prize if we can muster one, one for the person to complete first with the highest score, and one for the person who comes up with the best "other" phrase. Given that you could just tick them all off and give yourself a first high score, this will be a "Don't be a Douche" style contest.

Fraudsters: AAA Plumbing & Electrical

nospam@example.com (Dominic White) — Mon, 24 Jan 2011 10:05:10 +0200

Last night we lost power to all electrical outlets in our house. On checking the board, I saw that it was the earth leakage, which I was unable to turn back on. This is a story about AAA Electrical (also know as AAA Plumbing, or AAA Electrical or AAA Plumbing & Electrical), and how they tried to defraud me, and appeared to have done it to many others. Don't use them. If you need a reliable & honest electrician use:

Andrew: +27 82 443 7762

It was a Sunday night, the fridge was off, and the prospect of no espresso in the morning was galling. I phoned the first full page ad in the yellow pages mentioning my area and "no callout fees, free quotes", AAA Electrical. The lady who answered, Cynthia, was polite and efficient. However, neither her, not the two other electricians I phones were able to give me even a ballpark figure. 20 years in the business it said, evidently earth leakages are still too tricksy to hypothetical quote on.

An hour later, Kenny and his partner Eziechiele arrived in an Isuzu bakkie (GP plates, started with an S). He unscrewed a bunch of wires in my board, set his ammeter to them, and proclaimed he had found the short; "It was a surge from the grid" he said. That's strange, nothing blew, none of the flats around me were affected. I didn't believe him. He then phoned Cynthia at the "head office" and returned with a quote of just less than R5k! I asked how much it would be to just replace the earth leakage switch, and not "clear the short", just less that R2k! This was clearly outrageous, so I sent him packing, but not after paying their R395 "call out fee", oops, they mean "quotation fee", no wait the ad said they didn't charge that either, ok, it's an "analysis fee". I also asked that he put everything back the way it was...

I then phoned the next electrician, Willem, who balked as I did at the outrageous quote, and said he could do it for half i.e. R2.5k. Wow.

Finally, I remembered that a good friend used to manage several electrical contractors and I phoned him for advice. He gave me the number of Andrew, listed above, and said he'd trust him with his kids. Much better. I phoned Andrew at 8am the next day, and by 9:30 he'd been round, performed the trivial task of resetting the earth leakage (you have to push it down hard, my bad) and agreed to charge me nothing more than his basic call out fee. What he did point out, is that Kenny had left several wires improperly screwed, and the neutral wires completely unscrewed. The only thing he attempted to screw right, was me.

It's sad that these guys can't operate an honest business, and feel they need to make their money through quoting for radically unnecessary work and attempting to damage your electrics further. This is the definition of fraud I am using. It appears I'm not the only one who's had a run in with them, several, others got screwed much worse.

Orwell vs Huxley, Amusing Ourselves to Death

nospam@example.com (Dominic White) — Mon, 11 Oct 2010 13:18:09 +0200

In his ZaCon talk, Haroon Meer worked in a fascinating comparison, by Michael Anissimov, between the fears that drove George Orwell when writing 1984, and those that drove Aldous Huxley when writing Brave New World.

In summary; Orwell feared censorship and centralised control of information, while Huxley feared so much information that people wouldn't engage in what really mattered. In a South Africa with proposed legislation to allow the government to declare some information so secret that it cannot be covered by the media (even if it meets the criteria of in the public interest), proposals to start censoring parts of the internet and a media tribunal to circumvent the existing ombudsman, it's easy to think Orwell is right. In many ways he is, and provides a haunting view of the dystopia this could become. However, there's no dichotomy here; Huxley's view is an equally important reminder of what we should do with the freedoms we have.

Personally, I find I could spend a whole day on Twitter/Facebook/IRC etc. I don't believe just using those technologies is a waste of time, in-fact I believe they can provide many benefits. However, it is easy to get trapped into constantly checking them and the inevitable meaningless interactions this leads to. Of course not every minute of the day can be spent in a productive rapture, but I wonder how much more we could achieve if we used them to better our collaboration as much as we better our cognitive load shedding. A potent reminder that freedom is worth nothing if not used.

What's more, from a privacy perspective; while it's right to worry about oppressive regimes and creepy attempts at implementing the panopticon (Orwell), it's as right, if not more pertinent, to worry about the privacy invasion from the tools and companies we love (Gmail, Facebook, Twitter etc.).

Upcoming Talks, Workshops & Training - ZA / US / Emirates

nospam@example.com (Dominic White) — Wed, 22 Sep 2010 10:00:58 +0200

It seems my work on privacy has garnered some attention of late. Whether earned or not, I will be presenting at the Computer Security Institute's Virtual Conference CSIVX on the 28th of September. I will be on hand to answer questions, even though it will be some silly hour ZA time. This is technically the first "international" event I've ever "presented (see pre-recorded video for)" at, and it includes the likes of Ira Winkler, Amit Klein and Jeff Williams.

I'll also be presenting on privacy at IS' Internetix2010 conference in both Jozi & Cape Town. Internetix is a rocking conference organised by IS, and I'm chuffed to have been invited. It will be a nice chance to test the privacy stuff with a large non-sec crowd.

Next up, I'll also be presenting a workshop on Threat Modelling off the back of quite a lot of work we (my employer SensePost, and I) have done on it recently. If you want to get an idea of the content, have a look at the last set of slides. It's hosted by the ISF and will be held in Jozi on the 28th.

Finally, I'll most likely be giving the SensePost training at BlackHat Abu Dhabi in Nov. If we get over around 15 people I can justify someone smarter than me from SensePost joining us, so if you're keen for some training, please sign-up :)

Planet Fitness & Temporarily Legal Near-Extortion

nospam@example.com (Dominic White) — Wed, 22 Sep 2010 09:49:16 +0200

I was woken up by a message from Planet Fitness this morning, informing me that the contract I though had expired in Aug 2009 had happily been renewed each month and I now owed them a large sum of money. I was not informed of any of this, and have not attended a Planet Fitness gym since 2009. While the guy on the line agreed this was pretty dodgy, "It's in your contract," he says without having a copy of my contract. So, now I'm waiting to see this contract while they look for it. In the meantime, I was cheerily informed that if I rejoin the gym, then will write the debt off, or if I pay half I will get 6months "free" and the rest written off. Better yet, while the system says I owe Rxx.xx, the consultant through the use of his calculator assures me I actually owe Rxx.xx * 1.5. Nice to know their billing systems are as dodgy as their customer service.

Are Planet Fitness that desperate for money and customers that they will engage in sneaky money collection, and expect those affected to rejoin with them? I hear other gyms and service providers engage in similar dodgy tactics. Have you been affected, if so please comment with the name of the service provider so we can keep a list of these people. Thankfully, the soon to be passed, Consumer Protection Bill will outlaw this practise, but it appears at least Planet Fitness is looking for one last hurrah.

The Ignore Julius Initative

nospam@example.com (Dominic White) — Wed, 07 Apr 2010 09:50:09 +0200

Julius Malema has exploded into political prominence by making himself hard to ignore. Inheriting a platform that drew attention to the accidental outrages he tripped into, he quickly learned to stoke outrage and roar back at any responses he provoked. For the media, trying to gauge the state of the nation’s health from moment to moment, this makes him a much more attractive candidate than the business-as-usual official announcements of the ruling party proper. But Malema’s sound and fury signify little, and his disproportionate voice in South Africa’s public conversation is only hurting our ability to speak to one another, and to speak sense when we do. We think it’s time to ignore Julius, and invite you to join us.

For the week of 7-14 April 2010, we undertake to talk about this country, its challenges, its promise, its news, and to ignore Julius while doing so. Join us in this initiative. If you blog, join the roll. If you Tweet, add the hashtag #ignoreJulius to your daily output.

However you communicate, take a week off from Julius.

Here is the list of blogs that are participating in this initiative:

http://rwrant.co.za
http://zoem.co.za
http://www.thoughtleader.co.za/mariusredelinghuys
http://memyselfandkarin.wordpress.com/
http://robsramblings.co.za
http://antithesis.blognation.co.za/
http://singe.za.net/
http://blog.empyrean.co.za
http://www.pinkhairgirl.co.za
http://www.macgeek.co.za
http://www.futurechurch.co.za
http://www.cptawesome.co.za/
http://www.indigogirl.co.za/

Thanks to Jason van Niekerk for writing the above text, and Henno Kruger for suggesting and running with the blog initiative.

Responses to Criticisms

Ignore Him at Your Peril - I'm not suggesting we ignore him permanently, or ignore the political youth or the ANC YL. I'm hoping this will restore some balance so that we have less Heat-magazine-like reporting on Julius resulting in more balanced, less obsessive coverage of relevant political activities.

A Campaign to Ignore him isn't Ignoring him - This is a rather naive observation that several tweeters have penned as their pithy response. While I applaud your noticing of the words Julius in the campaign name, referencing the initiative isn't the same as the obsessive reporting on his every action. That being said, I have no desire for the #ignoreJulius hash tag to trend, and feel the success of the initiative would be in a marked decrease in the mention of him and a marked increase in "other voices," ideally positive ones.

On Year Six

nospam@example.com (Dominic White) — Fri, 05 Feb 2010 05:31:00 +0200

Today my blog turned six, and I tweeted that fact with the following:

My blog http://singe.za.net/ turned 6 today. The fact that I'm tweeting this rather than blogging it is probably significant.

While blogging remains more a more satisfying and useful means of exploring a thought, twitter let's you skip the work and move onto the conversation (sometimes) a bit sooner, but without any decent record of that conversation occurring (twitter's searchable memory is too short). I'm certainly going to continue blogging, but I don't see my throughput increasing much. Luckily, subscribing to an RSS feed is only a cost if there are too many updates ;).

That being said, I think there's been some fun stuff on the blog in the last year, my favourite posts have been:

Using Maltego to Data Mine Twitter
Conficker Claims it's first Human Life
My first guest post - Efficient extraction of data using binary search and ordering information
Deloitte -> SensePost for a personal milestone (there was another personal milestone, my marriage, but that wasn't much of a blog entry).

First Week at SensePost

nospam@example.com (Dominic White) — Fri, 08 Jan 2010 15:49:28 +0200

Today is the last day of my first week at SensePost, so far the number of:

Shiny new Macbook Pro's received: 1
Distrowars: 4
Foozball games played: 8
Collared shirts worn: 3 (what do I do with them all now?)
Black t-shirts worn: 2
Disco balls in meeting rooms: 1
Coffee machines per capita: 0.14
Timesheets completed: 0
HR forms to complete: 0
Kilometers traveled: 600 (the only downside)
Attempts colleagues have made to scan entire Internet: 1
Finally working at a company 5 years after first applying for a job there: Priceless

In short, it's been awesome. I haven't done much real work as yet, but that will start soon. The people are smart and easy to get along with, and they're all geeks, a nice change (on the geeks bit, my old colleagues are smart too :) ). I'm also enjoying getting to know "how they roll" and recon living up to it will make me a better security person.

As an aside, my new work e-mail address is available here (or sans popup).

Deloitte -> SensePost

nospam@example.com (Dominic White) — Wed, 30 Dec 2009 09:20:22 +0200

As of the 4th of Jan, I will conclude 4-years of service to Deloitte's Security & Privacy group in South Africa, and be moving to SensePost. I have lots to say about it, but didn't want my perseverations over what/how to say it to get in the way of marking the move. My relationship and view of Deloitte is very positive and I learned a massive amount from incredible people. However, I've long wanted to work for SensePost and a combination of a great opportunity offered by the Post'ers and a "time to move on" feeling at Deloitte sealed the deal.

What a Wedding!

nospam@example.com (Dominic White) — Mon, 04 May 2009 16:35:31 +0200

We loved every moment, if only there was more time. Some photos are up courtesy of our photographers. Our informal engagement shoot, and photos from the wedding.

In the meantime, we're off on honeymoon!

I'm getting married!

nospam@example.com (Dominic White) — Fri, 01 May 2009 21:57:12 +0200

In 17 hours. Finally, I can't wait.

Happy 5th Blogbirth Day

nospam@example.com (Dominic White) — Thu, 05 Feb 2009 11:06:13 +0200

Five years ago I started this blog to keep my then supervisor up to date on my academic progress. It's interesting that at the same time five years ago Facebook was launched, and I think the last five years have been particularly interesting for computer security, and it's been fun. I've also grown a lot over the years, and it's funny to read my early entries with hindsight.

I've never had a massive readership except for the odd case of big blogs linking to me (SANS, F-Secure and Washington Post were my most memorable). Although, the feedback I've received over the years has really helped to refine some of my stances and ideas, and hopefully a few of yours dear reader. For example Ben Nagy once scared me into a whole new tack leading from this to this. Last year was particularly fun with Roberto Preatoni and Dan Kaminsky both getting involved in some discussion. It also marked a return to more active blogging for me, after a drop off in the move from academia to consulting. I hope to keep it up.

To my regular readers, thanks for reading, to any new readers welcome. My goal has always been to encourage debate and discussion, so if you've never argued with me before but always wanted to, know that I welcome the chance.

Brand Plagiarism?

nospam@example.com (Dominic White) — Mon, 29 Dec 2008 02:21:16 +0200

While taking my drugs this evening I noticed something interesting; vs. . Is this rampant plagiarism? If so, somebody at SensePost better sue the arse off those Schering guys ;)

The Evidence

Update

mh has responded, and it seems these insidious brand copycat'ters have been plotting their attack from as early as 2000, from the response:

We opened doors in 2000, and i was hoping to find proof of these copycats having started like 2 weeks after us.. hmmm..

[snip ...]

Archive.org shows the logo in use at least back in 2000

This is obviously a targeted attack by an extremely capable hacker group. The careful placement of 'evidence' of SP (Schering Plough) existence way back into 1851 indicates infiltration of most of our public institutions and records. This could even be, the Illuminati.

On a different note, one of the army of analysts currenty tracking this attack has suggested that things could be even more nefarious; Sensepost could be a roach baiting front of Schering's designed to sell unsuspecting hackers 'lifestyle' drugs. When was the last time they offered you a drink?

P.S. And just because sometimes there are people out there who really don't get it. This is a joke, the logo's coincidentally similar, and the two companies not in competition in any minor or significant way.