Sunday, August 5, 2007

Advice from Marc Andreessen on IT Start-ups

Anyone interested in launching their own IT startup may find Marc Andreessen's blog a valuable resource and/or reality check. In his article, "The Pmarca Guide to Startups", he shares his experiences and "lessons learned" from the perspective of a Silicon Valley insider and as a co-founder of three companies: Netscape (sold to AOL for $4.2B), Opsware (formerly Loudcloud, sold to HP for $1.65B), and now Ning. In addition, his broad range of experience includes working for and with large companies as well as 40 - 50 other startups in one capacity or another.

Part 1 - "Why not to do a startup" (also check out the closing metaphor):

Part 2 - handling risk
Part 3 - discusses VC funding
Part 4 - what matters most; team, product, or market
Part 5 - his perspective of working with large companies and the dynamics of decision-making on any issue in a big company
Part 6 - appropriate amount of funding for a startup
Part 7 - the initial business plan or lack thereof ("...the ability to rapidly adapt is more important than having everything figured out at the start")

Tuesday, July 10, 2007

Network Security Tools

As a follow-up to previous discussions on network security, data management, and regulatory compliance (HIPAA, SOX, PCI), I'd like to share a few security tools with those who may be interested in learning more about securing and monitoring these areas.

The Nessus active vulnerability scanner is an open source tool that runs on multiple platforms and is provided free of charge by Tenable Security. It is widely used by security professionals, endorsed by the SANS Institute and discussed in many of their security training classes. It features "...high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis..." of data and network security. It can scan a local LAN, DMZ, and remote networks across a WAN link. Nessus also provides a variety of plug-ins for customizing each scan. For more information or to download the tool and plug-ins:

Tenable also provides a passive network scanner (open-source, free). Unlike an active scanner, a passive tool has a negligible impact on network performance but still provides many of the same discovery features as Nessus. For more information or to download this tool:

To help your company comply with HIPAA, SOX, and PCI regulations, consider a tool developed by the researchers at Cornell University. Spider is an open-source forensics tool that runs on multiple platforms and is used to scan networks for sensitive and unprotected information such as credit card or social security numbers. They provide an excellent step-by-step tutorial for installing and using the tool. For more information:
Download from:

CYA and get written permission before using these tools.

Sunday, July 1, 2007

What is Web 2.0?

Andy Gutmans, the co-founder and VP of Zend, discusses the meaning of Web 2.0 and the supporting technologies such as Flash, AJAX, RIA, SOA, and web services.

Thursday, June 28, 2007

Web 2.0: The Machine is Us/ing Us

This video illustrates the power of Web 2.0 and its many features available to developers and non-developers alike. According to Wikipedia, "Web 2.0, a phrase coined by O'Reilly Media in 2003...refers to a perceived second generation of web-based communities and hosted services — such as social-networking sites, wikis and folksonomies..." In short, Web 2.0 is a term to describe a framework of various technologies which facilitates the collaboration and sharing of applications, reusable components as well as data between users. Enjoy!

Wednesday, June 27, 2007

InfoWorld Video on Web 2.0: Mashups in the Enterprise

Eric Knorr of InfoWorld interviews the CEOs of Kapow, StrikeIron, and Teqlo. They discuss their use of mashup technology and its value to their respective enterprises. (April 18, 2007)

Friday, June 22, 2007

Layer 2 Encryption

From Tech Republic (June 20, 2007): "OSI Layer-2 Encryption: Security goes one layer deeper"

Take away: "Encryption over Ethernet is emerging as a new solution for powering secure networks. Increasingly being adopted for military and critical networking infrastructures, Layer-2 encryption helps offload complexity and reduce maintenance charges...Now, networking companies are offering solutions that encrypt data right down at the packet level. 256-bit Advanced Encryption Standards and other cryptographic algorithms are being used to secure data packets traversing across sites (i.e. Metropolitan Ethernet and Wide Area Networks)."
Short post with more information:

From Tech News World (June 19, 2007): "Ethernet's New Security Layer"

Take away: "The ability to apply the Advanced Encryption Standard (AES) across every data packet traversing a network is a powerful attraction of Layer 2 data encryption, particularly as stringent information security standards have now been mandated by a variety of legislative actions...In addition to 256-bit data encryption, one of the biggest benefits of the latest generation of Layer 2 encryption standards is the low impact they have on network performance." Full story here:

Thursday, June 21, 2007

Wireless Security

Many of the wireless security problems we hear about have to do with the use of weak encryption standards such as WEP. Although the newer WPA2 standard has made a significant improvement in wireless security, additional weaknesses in wireless devices do exist and remain a security issue if not patched, such as vulnerabilities in Wi-Fi device drivers. Aruba Networks has released a free Wi-Fi driver vulnerability assessment tool that helps you determine how secure your wireless devices are and which Wi-Fi clients need to be patched. The tool will search your PC or the entire network using the WMI (Windows Management Instrumentation) API and identify every PC with a vulnerable wireless LAN device driver. For more information:

Additional free tools and information for assessing wireless vulnerabilities:

To check for SSID broadcasts and open or rogue access points, use NetStumbler:

A more powerful tool is Kismet, a wireless network detector, sniffer, and intrusion detection system all in one:

Ethereal (now called Wireshark) can also capture and analyze wireless traffic but must be used in conjunction with AirPcap:

Bluetooth devices (mobile phones, PDAs, wireless keyboards, etc.) are susceptible to eavesdropping and attacks. To test the security of your devices, consider using BlueScanner for Windows or BlueSniff for Linux:

For penetration testing, auditing, and patch management, security managers should be aware of the Metasploit Framework, which is a collection of tools, libraries, modules, and user interfaces that automates testing or exploitation (depending on which hat you wear):

For more information on security, check out the SANS Institute. They have an extensive collection of free resources (white papers, video/podcasts, RSS feeds) and they offer a variety of security training classes. For example, their GSEC class discusses most of these tools.

One final note...this article, "Practice 'safe surfing' with public Wi-Fi signals," will help you assess the risks of using a public Wi-Fi and more importantly, it provides a step-by-step guide for configuring your laptop and limiting your risks when connecting to a wireless hotspot:

Stay safe!

Friday, May 4, 2007

Conserve Your Web Site's Bandwidth

In a recent article by Reuters, "Survey: Google draws 64 percent of search queries", the story confirmed what the majority of web surfers already knew: Google is the top search engine. Quoting from the March survey conducted by Hitwise, Reuters reported that the top three search engines account for 94.5% of all search queries on the web. Google, as the market leader, holds a commanding share of 64.1%, followed by Yahoo's 21.3%, and MSN Search with a 9.1% share of search queries. Now this may not be big news to most web users, but for the marketing folks, advertisers, and webmasters alike, it may mean the difference between a site's success or failure, and the report may also help them decide where to concentrate their resources.

As a webmaster, I am often concerned with conserving bandwidth on my web sites and keeping each available to the customers and clients that I hope will generate income for me. From the Reuters story, I know that 94.5% of all web queries are conducted by only three search engines, and as a result, I should get "more bang for my buck" if I focus more of my resources on just them. In terms of conserving bandwidth, I recently posted a comment on a site, "How I Invented the Free Lunch", where I addressed a question (#57) that was raised by one of the readers: "How did you avoid the search engines from slurping up all your bandwidth?" One of the easiest ways to restrict the activities of search engines on a site, yet often overlooked by webmasters, is through the use of a Robots.txt file.

My response on line #82 was:

Most webmasters use a Robots.txt file and a Meta tag to control the activities of search engines. For example, I use the following Meta tag on some sites:


and a Robots.txt file in the root directory that limits the access of search engines to only the major ones I want, such as Yahoo and Google. For example:

User-agent: Googlebot
Allow: /
User-agent: Inktomi Slurp
Allow: /
User-agent: *
Disallow: /

I can also restrict the content that search engines may access on my web site by using the Robots.txt file. For example, to prevent Google or others from indexing web site images, thus conserving bandwidth, I use the following lines in my robots file:

User-agent: Googlebot-Image
Disallow: /
User-agent: *
Disallow: /images/

If anyone is interested, I would be happy to post an example of a Robots.txt file that you could edit yourself to meet your own needs.

Sound too simple to be true? I know from the use of web stats software that each site is crawled only by the search engines I want and they only access the content I allow. So I can only conclude that the Robots.txt file does indeed work. For more information and tips on using Robots.txt files, please visit:
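To make the crawler-matching rules behind the two robots files above concrete, here is an added example (not code from the post) that evaluates them. It assumes the matching semantics that RFC 9309 and Google's documentation describe: a group applies only when one of its User-agent values equals the crawler's product token, case-insensitively, otherwise the "*" group applies; the longest matching path rule wins, with Allow winning ties, and a path with no matching rule is crawlable.

```python
# Added example (not the post's tooling): evaluates the robots.txt fragments
# quoted above under RFC 9309 / Google matching semantics, as assumed here.

ROBOTS_MAJOR_ONLY = """\
User-agent: Googlebot
Allow: /
User-agent: Inktomi Slurp
Allow: /
User-agent: *
Disallow: /
"""

ROBOTS_NO_IMAGES = """\
User-agent: Googlebot-Image
Disallow: /
User-agent: *
Disallow: /images/
"""

def parse_robots(text):
    groups, agents, rules = [], [], []       # groups: [(agents, rules)]
    for raw in text.splitlines():
        field, _, value = raw.split("#", 1)[0].partition(":")  # drop comments
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:                        # rules already seen: new group starts
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field in ("allow", "disallow"):
            rules.append((field, value))
    if agents:
        groups.append((agents, rules))
    return groups

def rules_for(groups, token):
    # Every group naming the token exactly; otherwise the '*' group.
    matched = [g for g in groups if token.lower() in g[0]]
    if not matched:
        matched = [g for g in groups if "*" in g[0]]
    return [rule for _, rules in matched for rule in rules]

def is_allowed(robots_txt, token, path):
    best_len, best = -1, "allow"             # default: crawlable
    for directive, rule_path in rules_for(parse_robots(robots_txt), token):
        if not rule_path or not path.startswith(rule_path):
            continue                         # empty path restricts nothing
        if len(rule_path) > best_len or (len(rule_path) == best_len and directive == "allow"):
            best_len, best = len(rule_path), directive
    return best == "allow"
```

Because selection is by exact product token, confirm the token each crawler documents before relying on a group; a User-agent value that equals no crawler's token is never selected, and that crawler falls through to the "*" group.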

Wednesday, May 2, 2007

Stephen Northcutt responds to the SecurityFocus article...

In response to the SecurityFocus piece:
I have the following personal comments and opinions.

In terms of research into assessment and certification, we have learned a lot at GIAC through the years. And the process of applying for ISO certification has been really educational.

I think we all know and agree there are limits to what we can do with multiple choice tests. However, those of you that have been with the GIAC program for a long time have probably noticed measurable improvements in test quality. There are a large number of psychometric scripts running behind the scenes evaluating quality in a number of ways. A year ago, I would have dismissed psychometrics as voodoo, now we are paying for training to get a number of our staff educated to work at the practitioner level.

In addition, the Director of GIAC, Jeff Frisk, has led the charge to bring in scenario questions. We are monitoring these carefully, but they do allow you to test more than regurgitation. They allow you to test knowledge.

I believe GIAC is doing better than any other family of security certifications in actually testing the job someone might do. This is becoming known as role based training and role based assessment or certification and it is important.

What job does the CISSP test your qualification for, what job does CISSP training prepare you to do? Now, to be sure, it makes sense to have an exam for minimal competence, can you speak the language of security, do you understand the core concepts of security. The Common Body of Knowledge does a fine job of that and when they developed it they were far ahead of their time, there were clearly men and women of vision associated with the ISC2 to lead that charge.

We feel the same way about GIAC Security Essentials Certification, though it is not a job per se, we feel it establishes the minimum baseline for the knowledge, skills and abilities that a person with hands on responsibility for system should know from a security perspective.

However, the GSEC is only one of over 20 GIAC certifications and the overwhelming majority of GIAC certifications are based on a role, a set of tasks that one actually accomplishes in the workplace. For instance, when I was doing work for the Missile Defense Agency (BMDO) I was helping them with their perimeter and also with their intrusion detection. So I had two primary roles and there is a GIAC certification for both roles.

Further, there is a need for more senior people to demonstrate mastery and integration of multiple roles and that is the GSE, GSM, GSC and so forth. And those certifications are not just multiple choice, they are hands on, and require discussion of theory as well.

But you always want to do more, to push the envelope, and that is why I am really excited that at Network Security 2007, in conjunction with White Wolf Security, we will have our first Marathon Capstone. It is a cyber exercise, not a capture the flag event, but rather a multiple day hands on event where participants will have one role and they will be evaluated on their performance in their role. A seasoned (all GIAC certified) set of penetration testers will provide the attacks against the various stations. We have already formed an advisory board to determine what "passing" is and they will start to work as soon as we finish with all the legal paperwork. Participants that pass will be given a certificate with a joint GIAC/White Wolf Security trust mark.

Permission is granted to forward this note, post this note on blogs etc., so long as it is attributed to Stephen Northcutt, speaking as an individual, not speaking for GIAC, as I am no longer the Director of GIAC, and that the note is not edited or modified.

Stephen Northcutt - Writer, speaker, security thought leader
(808) 823 1375

Tuesday, May 1, 2007

Free virtual CD-ROM drive tool from Microsoft

Like most IT professionals, I often download large software distributions from vendors that are typically packaged as ISO files. Once downloaded, I use CD burning software to extract the data files from the ISO image and then to burn the package to a CD for use. Fortunately, Microsoft has released a free virtual CD-ROM tool for Windows XP users called the "Virtual CD-ROM Control Panel v2.0.1.1". This tool allows a user to view and work with the ISO data files directly on the hard drive without the need to extract and burn the entire package to a CD.

The Microsoft Virtual CD-ROM Control Panel download is a self-extracting archive file. The file can be downloaded directly from Microsoft at:

When the archive is extracted, a new folder is created that contains three files: the application's front end (VCdControlTool.exe), the virtual CD driver (VCdRom.sys), and a readme file with instructions for the installation and use of the tool. Please note, however, this virtual CD-ROM tool is unsupported by Microsoft.