Anyone interested in launching their own IT startup may find Marc Andreessen's blog a valuable resource and/or reality check. In his article, "The Pmarca Guide to Startups", he shares his experiences and "lessons-learned" from the perspective of a Silicone Valley insider and also as a co-founder of three companies, Netscape (sold to AOL for $4.2B ), Opsware (formerly Loudcloud, sold to HP for $1.65B), and now Ning. In addition, his broad range of experience includes working for and with large companies as well as 40 - 50 other startups in one capacity or another.
Part 1 - "Why not to do a startup" (also check out the closing metaphor): http://blog.pmarca.com/2007/06/the_pmarca_guid_1.html
Part 2 - handling risk
Part 3 - discusses VC funding
Part 4 - what matters most; team, product, or market
Part 5 - his perspective of working with large companies and the dynamics of decision-making on any issue in a big company
Part 6 - appropriate amount of funding for a startup
Part 7 - the initial business plan or lack thereof ("...the ability to rapidly adapt is more important than having everything figured out at the start")
Sunday, August 5, 2007
Tuesday, July 10, 2007
Network Security Tools
As a follow-up to previous discussions on network security, data management, and regulatory compliance (HIPAA, SOX, PCI), I'd like to share a few security tools with those who may be interested in learning more about securing and monitoring of these areas.
The Nessus active vulnerability scanner is an open source tool that runs on multiple platforms and is provided free of charge by Tenable Security. It is widely used by security professionals, endorsed by the SANS Institute and discussed in many of their security training classes. It features "...high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis..." of data and network security. It can scan a local LAN, DMZ, and remote networks across a WAN link. Nessus also provides a variety of plug-ins for customizing each scan. For more information or to download the tool and plug-ins: http://www.tenablesecurity.com/products/nessus.shtml
Tenable also provides a passive network scanner (open-source, free). Unlike an active scanner, a passive tool has a negligible impact on network performance but still provides many of the same discovery features as Nessus. For more information or to download this tool: http://www.tenablesecurity.com/products/pvs.shtml
To help your company comply with HIPAA, SOX, and PCI regulations, consider a tool developed by the researchers at Cornell University. Spider is an open-source forensics tool that runs on multiple platforms and is used to scan networks for sensitive and unprotected information such as credit card or social security numbers. They provide an excellent step-by-step tutorial for installing and using the tool. For more information: http://www.cit.cornell.edu/security/tools/spider-cap.html
Download from: http://www.cit.cornell.edu/security/tools/
CYA and get written permission before using these tools.
The Nessus active vulnerability scanner is an open source tool that runs on multiple platforms and is provided free of charge by Tenable Security. It is widely used by security professionals, endorsed by the SANS Institute and discussed in many of their security training classes. It features "...high-speed discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis..." of data and network security. It can scan a local LAN, DMZ, and remote networks across a WAN link. Nessus also provides a variety of plug-ins for customizing each scan. For more information or to download the tool and plug-ins: http://www.tenablesecurity.com/products/nessus.shtml
Tenable also provides a passive network scanner (open-source, free). Unlike an active scanner, a passive tool has a negligible impact on network performance but still provides many of the same discovery features as Nessus. For more information or to download this tool: http://www.tenablesecurity.com/products/pvs.shtml
To help your company comply with HIPAA, SOX, and PCI regulations, consider a tool developed by the researchers at Cornell University. Spider is an open-source forensics tool that runs on multiple platforms and is used to scan networks for sensitive and unprotected information such as credit card or social security numbers. They provide an excellent step-by-step tutorial for installing and using the tool. For more information: http://www.cit.cornell.edu/security/tools/spider-cap.html
Download from: http://www.cit.cornell.edu/security/tools/
CYA and get written permission before using these tools.
Sunday, July 1, 2007
What is Web 2.0?
Andy Gutmans, the co-founder and VP of Zend, discusses the meaning of Web 2.0 and the supporting technologies such as Flash, AJAX, RIA, SOA, and web services.
Thursday, June 28, 2007
Web 2.0: The Machine is Us/ing Us
This video illustrates the power of Web 2.0 and its many features available to developers and non-developers alike. According to Wikipedia, "Web 2.0, a phrase coined by O'Reilly Media in 2003...refers to a perceived second generation of web-based communities and hosted services — such as social-networking sites, wikis and folksonomies..." In short, Web 2.0 is a term to describe a framework of various technologies which facilitates the collaboration and sharing of applications, reusable components as well as data between users. Enjoy!
Wednesday, June 27, 2007
InfoWorld Video on Web 2.0: Mashups in the Enterprise
Eric Knorr of InfoWorld interviews the CEOs of Kapow, StrikeIron, and Teqlo. They discuss their use of mashup technology and its value to their respective enterprises. (April 18, 2007)
Friday, June 22, 2007
Layer 2 Encryption
From Tech Republic (June 20, 2007): "OSI Layer-2 Encryption: Security goes one layer deeper"
Take away: "Encryption over Ethernet is emerging as a new solution for powering secure networks. Increasingly being adopted for military and critical networking infrastructures, Layer-2 encryption helps offload complexity and reduce maintenance charges...Now, networking companies are offering solutions that encrypt data right down at the packet level. 256-bit Advanced Encryption Standards and other cryptographic algorithms are being used to secure data packets traversing across sites (i.e. Metropolitan Ethernet and Wide Area Networks)."
Short post with more information: http://blogs.techrepublic.com.com/tech-news/?p=687
From Tech News World (June 19, 2007): "Ethernet's New Security Layer"
Take away: "The ability to apply the Advanced Encryption Standard (AES) across every data packet traversing a network is a powerful attraction of Layer 2 data encryption, particularly as stringent information security standards have now been mandated by a variety of legislative actions...In addition to 256-bit data encryption, one of the biggest benefits of the latest generation of Layer 2 encryption standards is the low impact they have on network performance." Full story here: http://www.technewsworld.com/rsstory/57910.html
Take away: "Encryption over Ethernet is emerging as a new solution for powering secure networks. Increasingly being adopted for military and critical networking infrastructures, Layer-2 encryption helps offload complexity and reduce maintenance charges...Now, networking companies are offering solutions that encrypt data right down at the packet level. 256-bit Advanced Encryption Standards and other cryptographic algorithms are being used to secure data packets traversing across sites (i.e. Metropolitan Ethernet and Wide Area Networks)."
Short post with more information: http://blogs.techrepublic.com.com/tech-news/?p=687
From Tech News World (June 19, 2007): "Ethernet's New Security Layer"
Take away: "The ability to apply the Advanced Encryption Standard (AES) across every data packet traversing a network is a powerful attraction of Layer 2 data encryption, particularly as stringent information security standards have now been mandated by a variety of legislative actions...In addition to 256-bit data encryption, one of the biggest benefits of the latest generation of Layer 2 encryption standards is the low impact they have on network performance." Full story here: http://www.technewsworld.com/rsstory/57910.html
Thursday, June 21, 2007
Wireless Security
Many of the wireless security problems we hear about have to do with the use of weak encryption standards such as WEP. Although the newer WPA2 standard has made a significant improvement in wireless security, additional weaknesses in wireless devices do exist and remain a security issue if not patched such as the vulnerability in Wi-Fi device drivers. Aruba Networks has released a free Wi-Fi driver vulnerability assessment tool that helps you determine how secure your wireless devices are and which Wi-Fi clients need to be patched. The tool will search your PC or the entire network using the WMI (Windows Management Instrumentation) API and identify every PC with a vulnerable wireless LAN device driver. For more information: http://labs.arubanetworks.com/projects/wifidenum/
Additional free tools and information for assessing wireless vulnerabilities:
To check for SSID broadcasts and open or rogue access points, use NetStumbler: http://www.netstumbler.com/
A more powerful tool is Kismet, a wireless network detector, sniffer, and intrusion detection system all in one: http://www.kismetwireless.net/
Ethereal (now called WireShark - http://www.wireshark.org/) is also for testing wireless traffic but must be used in conjunction with AirPcap: (http://www.cacetech.com/products/index.htm)
Bluetooth devices (mobile phones, PDAs, wireless keyboards, etc.) are susceptible to eavesdropping and attacks. To test the security of your devices, consider using BlueScanner for Windows (http://www.bluescanner.org/) or BlueSniff for Linux (http://bluetooth.shmoo.com/).
For penetration testing, auditing, and patch management, security managers should be aware of the Metasploit Framework, which is a collection of tools, libraries, modules, and user interfaces that automates testing or exploitation (depending on which hat you wear): http://metasploit.com/
For more information on security, check out the SANS Institute (http://www.sans.org/). They have an extensive collection of free resources (white papers, video/podcasts, RSS feeds) and they offer a variety of security training classes. For example, their GSEC class discusses most of these tools.
One final note...this article, "Practice 'safe surfing' with public Wi-Fi signals," will help you assess the risks of using a public Wi-Fi and more importantly, it provides a step-by-step guide for configuring your laptop and limiting your risks when connecting to a wireless hotspot: http://WindowsSecrets.com/comp/070614
Stay safe!
Additional free tools and information for assessing wireless vulnerabilities:
To check for SSID broadcasts and open or rogue access points, use NetStumbler: http://www.netstumbler.com/
A more powerful tool is Kismet, a wireless network detector, sniffer, and intrusion detection system all in one: http://www.kismetwireless.net/
Ethereal (now called WireShark - http://www.wireshark.org/) is also for testing wireless traffic but must be used in conjunction with AirPcap: (http://www.cacetech.com/products/index.htm)
Bluetooth devices (mobile phones, PDAs, wireless keyboards, etc.) are susceptible to eavesdropping and attacks. To test the security of your devices, consider using BlueScanner for Windows (http://www.bluescanner.org/) or BlueSniff for Linux (http://bluetooth.shmoo.com/).
For penetration testing, auditing, and patch management, security managers should be aware of the Metasploit Framework, which is a collection of tools, libraries, modules, and user interfaces that automates testing or exploitation (depending on which hat you wear): http://metasploit.com/
For more information on security, check out the SANS Institute (http://www.sans.org/). They have an extensive collection of free resources (white papers, video/podcasts, RSS feeds) and they offer a variety of security training classes. For example, their GSEC class discusses most of these tools.
One final note...this article, "Practice 'safe surfing' with public Wi-Fi signals," will help you assess the risks of using a public Wi-Fi and more importantly, it provides a step-by-step guide for configuring your laptop and limiting your risks when connecting to a wireless hotspot: http://WindowsSecrets.com/comp/070614
Stay safe!
Friday, May 4, 2007
Conserve Your Web Site's Bandwidth
In a recent article by Reuters, "Survey: Google draws 64 percent of search queries" , the story confirmed what the majority of web surfers already knew; Google is the top search engine. Quoting from the March survey conducted by Hitwise, Reuters reported that the top three search engines account for 94.5% of all search queries on the web. Google, as the market leader, holds a commanding share of 64.1%, followed by Yahoo's 21.3%, and MSN Search with a 9.1% share of search queries. Now this may not be big news to most web users, but for the marketing folks, advertisers, and webmasters alike, it may mean the difference between a site’s success or failure and the report may also help them decide where to concentrate their resources.
As a webmaster, I am often concerned with conserving bandwidth on my web sites and each being available to the customers and clients that I hope will generate income for me. From the Reuters' story, I know that 94.5% of all web queries are conducted by only three search engines and as a result, I should get "more bang for my buck" if I focus more of my resources on just them. In terms of conserving bandwidth, I recently posted a comment on a site: "How I Invented the Free Lunch" , where I addressed a question (#57) that was raised by one of the readers: “How did you avoid the search engines from slurping up all your bandwidth?” One of the easiest ways to restrict the activities of search engines on a site, yet often overlooked by webmasters, is through the use of a Robots.txt file.
My response on line #82 was:
**********
Most webmasters use a Robots.txt file and a Meta tag to control the activities of search engines. For example, I use the following Meta tag on some sites:
META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"
and a Robots.txt file in the root directory that limits the access of search engines to only the major ones I want, such as Yahoo and Google. For example:
User-agent: Googlebot
Allow: /
User-agent: Inktomi Slurp
Allow: /
User-agent: *
Disallow: /
I can also restrict the content that search engines may access on my web site by using the Robots.txt file. For example, to prevent Google or others from indexing web site images thus conserving bandwidth, I use the following lines in my robots file:
User-agent: Googlebot-Image
Disallow: /
User-agent: *
Disallow: /images/
If anyone is interested, I would be happy to post an example of a Robots.txt file that you could edit yourself to meet your own needs.
**********
Sound too simple to be true? I know from the use of web stats software that each site is crawled only by the search engines I want and they only access the content I allow. So I can only conclude that the Robots.txt file does indeed work. For more information and tips on using Robots.txt files, please visit: http://www.robotstxt.org/
As a webmaster, I am often concerned with conserving bandwidth on my web sites and each being available to the customers and clients that I hope will generate income for me. From the Reuters' story, I know that 94.5% of all web queries are conducted by only three search engines and as a result, I should get "more bang for my buck" if I focus more of my resources on just them. In terms of conserving bandwidth, I recently posted a comment on a site: "How I Invented the Free Lunch" , where I addressed a question (#57) that was raised by one of the readers: “How did you avoid the search engines from slurping up all your bandwidth?” One of the easiest ways to restrict the activities of search engines on a site, yet often overlooked by webmasters, is through the use of a Robots.txt file.
My response on line #82 was:
**********
Most webmasters use a Robots.txt file and a Meta tag to control the activities of search engines. For example, I use the following Meta tag on some sites:
META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"
and a Robots.txt file in the root directory that limits the access of search engines to only the major ones I want, such as Yahoo and Google. For example:
User-agent: Googlebot
Allow: /
User-agent: Inktomi Slurp
Allow: /
User-agent: *
Disallow: /
I can also restrict the content that search engines may access on my web site by using the Robots.txt file. For example, to prevent Google or others from indexing web site images thus conserving bandwidth, I use the following lines in my robots file:
User-agent: Googlebot-Image
Disallow: /
User-agent: *
Disallow: /images/
If anyone is interested, I would be happy to post an example of a Robots.txt file that you could edit yourself to meet your own needs.
**********
Sound too simple to be true? I know from the use of web stats software that each site is crawled only by the search engines I want and they only access the content I allow. So I can only conclude that the Robots.txt file does indeed work. For more information and tips on using Robots.txt files, please visit: http://www.robotstxt.org/
Wednesday, May 2, 2007
Stephen Northcutt responds to the SecurityFocus article...
In response to the SecurityFocus piece:
http://www.securityfocus.com/columnists/443
I have the following personal comments and opinions.
In terms of research into assessment and certification, we have learned a lot at GIAC through the years. And the process of applying for ISO certification has been really educational.
I think we all know and agree there are limits to what we can do with multiple choice tests. However, those of you that have been with the GIAC program for a long time have probably noticed measurable improvements in test quality. There are a large number of psychometric scripts running behind the scenes evaluating quality in a number of ways. A year ago, I would have dismissed psychometrics as voodoo, now we are paying for training to get a number of our staff educated to work at the practitioner level.
In addition, the Director of GIAC, Jeff Frisk, has led the charge to bring in scenario questions. We are monitoring these carefully, but they do allow you to test more than regurgitation. They allow you to test knowledge.
I believe GIAC is doing better than any other family of security certifications in actually testing the job someone might do. This is becoming known as role based training and role based assessment or certification and it is important.
What job does the CISSP test your qualification for, what job does CISSP training prepare you to do? Now, to be sure, it makes sense to have an exam for minimal competence, can you speak the language of security, do you understand the core concepts of security. The Common Body of Knowledge does a fine job of that and when they developed it they were far ahead of their time, there were clearly men and women of vision associated with the ISC2 to lead that charge.
We feel the same way about GIAC Security Essentials Certification, though it is not a job per se, we feel it establishes the minimum baseline for the knowledge, skills and abilities that a person with hands on responsibility for system should know from a security perspective.
However, the GSEC is only one of over 20 GIAC certifications and the overwhelming majority of GIAC certifications are based on a role, a set of tasks that one actually accomplishes in the workplace. For instance, when I was doing work for the Missile Defense Agency (BMDO) I was helping them with their perimeter and also with their intrusion detection. So I had two primary roles and there is a GIAC certification for both roles.
Further, there is a need for more senior people to demonstrate mastery and integration of multiple roles and that is the GSE, GSM, GSC and so forth.And those certifications are not just multiple choice, they are hands on,and require discussion of theory as well.
But you always want to do more, to push the envelope, that is why I am really excited that at Network Security 2007. In conjunction with White WolfSecurity, we will have our first Marathon Capstone. It is a cyber exercise, not a capture the flag event, but rather a multiple day hands on event where participants will have one role and they will be evaluated on their performance in their role. A seasoned ( all GIAC certified ) set of penetration testers will provide the attacks against the various stations.We have already formed an advisory board to determine what "passing" is and they will start to work as soon as we finish with all the legal paperwork.Participants that pass will be given a certificate with a joint GIAC/WhiteWolf Security trust mark.
Permission is granted to forward this note, post this note on blogs etc, so long as it is attributed to Stephen Northcutt, speaking as an individual, not speaking for GIAC, as I am no longer the Director or GIAC and that the note is not edited or modified.
Stephen Northcutt - Writer, speaker, security thought leader
(808) 823 1375
http://www.securityfocus.com/columnists/443
I have the following personal comments and opinions.
In terms of research into assessment and certification, we have learned a lot at GIAC through the years. And the process of applying for ISO certification has been really educational.
I think we all know and agree there are limits to what we can do with multiple choice tests. However, those of you that have been with the GIAC program for a long time have probably noticed measurable improvements in test quality. There are a large number of psychometric scripts running behind the scenes evaluating quality in a number of ways. A year ago, I would have dismissed psychometrics as voodoo, now we are paying for training to get a number of our staff educated to work at the practitioner level.
In addition, the Director of GIAC, Jeff Frisk, has led the charge to bring in scenario questions. We are monitoring these carefully, but they do allow you to test more than regurgitation. They allow you to test knowledge.
I believe GIAC is doing better than any other family of security certifications in actually testing the job someone might do. This is becoming known as role based training and role based assessment or certification and it is important.
What job does the CISSP test your qualification for, what job does CISSP training prepare you to do? Now, to be sure, it makes sense to have an exam for minimal competence, can you speak the language of security, do you understand the core concepts of security. The Common Body of Knowledge does a fine job of that and when they developed it they were far ahead of their time, there were clearly men and women of vision associated with the ISC2 to lead that charge.
We feel the same way about GIAC Security Essentials Certification, though it is not a job per se, we feel it establishes the minimum baseline for the knowledge, skills and abilities that a person with hands on responsibility for system should know from a security perspective.
However, the GSEC is only one of over 20 GIAC certifications and the overwhelming majority of GIAC certifications are based on a role, a set of tasks that one actually accomplishes in the workplace. For instance, when I was doing work for the Missile Defense Agency (BMDO) I was helping them with their perimeter and also with their intrusion detection. So I had two primary roles and there is a GIAC certification for both roles.
Further, there is a need for more senior people to demonstrate mastery and integration of multiple roles and that is the GSE, GSM, GSC and so forth.And those certifications are not just multiple choice, they are hands on,and require discussion of theory as well.
But you always want to do more, to push the envelope, that is why I am really excited that at Network Security 2007. In conjunction with White WolfSecurity, we will have our first Marathon Capstone. It is a cyber exercise, not a capture the flag event, but rather a multiple day hands on event where participants will have one role and they will be evaluated on their performance in their role. A seasoned ( all GIAC certified ) set of penetration testers will provide the attacks against the various stations.We have already formed an advisory board to determine what "passing" is and they will start to work as soon as we finish with all the legal paperwork.Participants that pass will be given a certificate with a joint GIAC/WhiteWolf Security trust mark.
Permission is granted to forward this note, post this note on blogs etc, so long as it is attributed to Stephen Northcutt, speaking as an individual, not speaking for GIAC, as I am no longer the Director or GIAC and that the note is not edited or modified.
Stephen Northcutt - Writer, speaker, security thought leader
(808) 823 1375
Tuesday, May 1, 2007
Free virtual CD-ROM drive tool from Microsoft
Like most IT professionals, I often download large software distributions from vendors that are typically packaged as ISO files. Once downloaded, I use CD burning software to extract the data files from the ISO image and then to burn the package to a CD for use. Fortunately, Microsoft has released a free virtual CD-ROM tool for Windows XP users called the "Virtual CD-ROM Control Panel v2.0.1.1". This tool allows a user to view and work with the ISO data files directly on the hard drive without the need to extract and burn the entire package to a CD.
The Microsoft Virtual CD-ROM Control Panel download is a self-extracting archive file. The file can be downloaded directly from Microsoft at: http://download.microsoft.com/download/7/b/6/7b6abd84-7841-4978-96f5-bd58df02efa2/winxpvirtualcdcontrolpanel_21.exe
When the archive is extracted, a new folder is created that contains three files: the application's front end (VCdControlTool.exe), the virtual CD driver (VCdRom.sys), and a readme file with instructions for the installation and use of the tool. Please note, however, this virtual CD-ROM tool is unsupported by Microsoft.
The Microsoft Virtual CD-ROM Control Panel download is a self-extracting archive file. The file can be downloaded directly from Microsoft at: http://download.microsoft.com/download/7/b/6/7b6abd84-7841-4978-96f5-bd58df02efa2/winxpvirtualcdcontrolpanel_21.exe
When the archive is extracted, a new folder is created that contains three files: the application's front end (VCdControlTool.exe), the virtual CD driver (VCdRom.sys), and a readme file with instructions for the installation and use of the tool. Please note, however, this virtual CD-ROM tool is unsupported by Microsoft.
Monday, April 2, 2007
Windows Desktop Search Tool
One of the new features available in Windows Vista is the Instant Search tool. Rather than navigating through a file hierarchy searching for files, Vista users can simply type keywords in the search field on the Start menu to find documents, e-mail messages as well as programs and photos.
For the users of XP and 2003, Microsoft provides a similar tool called the Windows Desktop Search and it can be downloaded from Microsoft free of charge here:
http://www.microsoft.com/windows/desktopsearch/default.mspx
For the users of XP and 2003, Microsoft provides a similar tool called the Windows Desktop Search and it can be downloaded from Microsoft free of charge here:
http://www.microsoft.com/windows/desktopsearch/default.mspx
Tuesday, March 27, 2007
Thursday, March 22, 2007
The open source community has revised and improved the remote access tool VNC. Take a look at this article from Tech Republic: "How do I... Configure TightVNC for remote access?"
The article discusses downloading and installing this free tool.
The article discusses downloading and installing this free tool.
Wednesday, March 21, 2007
Encryption software from the TrueCrypt organization:
"Free open-source disk encryption software for Windows Vista/XP/2000 and Linux"
"Free open-source disk encryption software for Windows Vista/XP/2000 and Linux"
Friday, March 16, 2007
If you manage Cisco routers, take a look at this article from Tech Republic: "Prevent IP spoofing with the Cisco IOS"
Good information in this article for network administrators: "Choose a network management tool that can also help secure your systems"
Monday, March 12, 2007
Friday, March 2, 2007
In this article, David Davis compares Vyatta's open source routers against Cisco's routers: "Will an open source router replace your Cisco router?"
Network running slow? Check out this article from Tech Republic for a few tips: "Is your network for work or for play?"
Tuesday, February 20, 2007
Friday, February 16, 2007
Thursday, February 15, 2007
This article from Tech Republic provides step-by-step instructions for installing Windows Vista and XP in a dual-boot configuration.
Tuesday, February 13, 2007
Friday, February 9, 2007
Thursday, February 8, 2007
Wednesday, February 7, 2007
Monday, February 5, 2007
The Secunia website is a good reference for finding malware-removal tools and other related information.
Friday, February 2, 2007
Thursday, February 1, 2007
Tuesday, January 30, 2007
For those who are confused by the many choices...
"Windows Vista Editions--there's only one real choice"
"Windows Vista Editions--there's only one real choice"
Friday, January 26, 2007
Tuesday, January 23, 2007
Monday, January 22, 2007
Friday, January 19, 2007
Thursday, January 18, 2007
Have you hugged an engineer today?...
Tuesday, January 16, 2007
Monday, January 15, 2007
Saturday, January 13, 2007
Friday, January 12, 2007
Wednesday, January 10, 2007
Tuesday, January 9, 2007
Monday, January 8, 2007
"10 things you should know about privacy protection and IT"
Privacy protection and guarding personal data should be taken seriously by all...
Privacy protection and guarding personal data should be taken seriously by all...
"Microsoft to kick off 2007 with eight security patches"
Security issues include Windows, Office and Visual Studio...
Security issues include Windows, Office and Visual Studio...
Thursday, January 4, 2007
Wednesday, January 3, 2007
Subscribe to:
Posts (Atom)