Monday, December 30, 2013

Recent Web Site Improvements

You may have noticed the look and feel change of this site from a dark to a light content format.  The dark format is professional in appearance but not very practical.  It's hard for my eyes to frequently switch between light and darker formats.  I'm betting if it's tough on my eyes, it's tough on the eyes of others as well.  Additionally, I upgraded the site to a wider 3-column format.  I may still make a few more improvements over the next few days but I hope you find these improvements welcome.

--Milton

Monday, December 16, 2013

Google Purchases Boston Dynamics Robot Company

Google has a keen eye for technologies, as its recent purchase of Boston Dynamics shows.  In a previous post I included a video demonstrating Boston Dynamics technology - amazing!  I can't help being creeped out by iRobot scenarios.  I read too much science fiction.

--Milton

Friday, December 13, 2013

Microsoft's "Scroogled" Campaign

I read an interesting post by Preston Gralla, "Microsoft 'Scroogled' campaign gets early holiday gift: Google evangelist calls privacy an 'anomaly'".  Microsoft's Scroogled campaign is firing some shots at Google.  Check out Microsoft's Scroogled store site.  My first impression was that Scroogled is a Christmas holiday gag based on Charles Dickens' classic, A Christmas Carol, as in...
Scrooge + Google = Scroogled

Apparently, I'm approaching this with far too much thought as it appears to be more like...
Screwed + Google = Scroogled

To test if the store was real I figured I would try to buy a t-shirt to see what would happen.  Sure enough, this is real!  To my amazement, after I selected a t-shirt and clicked the Checkout button I was prompted to enter my Microsoft Live account credentials - lol!

Evidently, privacy is not a concern with the Scroogled campaign; it's the monetization of private information that's bad.  Tough to keep these definition subtleties straight.  I would have been more impressed with the Scroogled campaign if I could purchase my t-shirt in Bitcoin.  ;o)

--Milton

More XKCD Brilliance!

Keep your personal information safe from marketers.  XKCD has it all figured out, see here.  Almost as good as the legendary Robert Tables.

--Milton

Monday, December 9, 2013

World's Largest Companies Call for Surveillance Reform

The following is a public and global outcry for government surveillance reform from some of the world's largest companies: Aol, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo!

http://reformgovernmentsurveillance.com/

My concern is that while the data under discussion belongs to the preceding companies, the information belongs to us; it's all distinctly our most private personal information under discussion.  The principles described by the web site are a good starting point but they need to be written from the perspective of consumers -- consumer privacy expectations.  Global consumer privacy expectations must be applicable to both businesses and governments alike.  It seems doubtful that addressing one without the other will have the desired positive outcome on consumer confidence.

For more information about business drivers behind privacy reform see, A Crisis of Confidence Costs Real Money.

--Milton

Thursday, December 5, 2013

Movie Review, Terms and Conditions May Apply


Photo: movie logo

The movie Terms and Conditions May Apply takes a hard look at personal privacy in the Internet age.  The movie explores many controversial areas of privacy like erosion of corporate privacy policies and laws, monetization of personal information, and continued indifference by governments to defend citizen privacy.  Additionally, a number of important but perhaps lesser known concerns like disposition of personal subscriber information after corporate closures and acquisitions are covered.

The documentary alternates between expert interviews and commentary to navigate viewers through the rich maze of subject matter.  The movie illuminates the shared electronic information addictions of corporations and governments.  A soft point made by the movie is that nothing is "free".  To service consumers with the free products they desire, corporations monetized personal information and traded it like a commodity.  Also, in the post-9/11 era the trend with nation states is increased Internet surveillance, which provides valuable intelligence for preventing terrorist attacks and crime.  The line between government and corporations grows fuzzier as governments desire to extend their reach into corporate information stores, private VOIP phone conversations, text messages, email, etc.  An analogy is drawn by the documentary with one of my favorite science fiction movies, Minority Report.  In Minority Report, Tom Cruise leads a law enforcement Pre-Crime Unit.  The main goal of the Pre-Crime Unit is to prevent crimes before they occur.  While the technologies in the Minority Report movie and today's Internet surveillance are different, and I will not spoil the movie, the goals are ironically similar.

The movie elevates awareness of concerns like the Third Party Doctrine.  Under the Third Party Doctrine, individuals abdicate their privacy rights upon disclosure of their personal information to third parties like Facebook, Pinterest, or other such Internet service providers.  Confiscating your personal diary with your most sensitive thoughts and feelings from your nightstand drawer requires that authorities submit to various checks and balances like search warrants.  However, obtaining the very same sensitive information and opinions expressed on Facebook or other sites requires no public checks and balances.  And in fact, information requests are often accompanied by gag orders prohibiting service providers from publicly disclosing requests made by authorities.  At issue, 4th Amendment constitutional rights do not apply broadly to personal information, and there is a rift in privacy expectations between those that use Internet services, companies, and governments.

The movie wraps up with some specific cases where individuals have been "red flagged" by government agencies, detained, and interviewed.  So while it may be an acceptable form of civil disobedience to burn an American flag on the White House lawn, typing *bomb* in a Facebook post may result in a SWAT team visit to your home.  The reaction seems somewhat inconsistent.  The movie interviews a few individuals with interesting stories to share about their experiences with authorities.  I find it interesting that law enforcement agencies believe what they read on the Internet at all.  Knowing communications are actively monitored provides a powerful advantage to influence the thoughts or actions of adversaries toward desired outcomes.  Earlier this year Brian Krebs described his SWATing experience in his Black Hat session, Spy Jacking the Booters, around the 11:25 minute mark.  Influencing authorities to shake down or otherwise inconvenience targets of interest is the modern prank equivalent of doorbell ringing when I was a kid.  But it proves information is a powerful tool to manipulate adversary behavior.  Perhaps this is nothing new for governments but the power of the Internet has given this attack a whole new life and perhaps broadened the pool of benefactors.

Several experts are interviewed throughout the movie.  Most noteworthy, famous entrepreneur and technologist Ray Kurzweil, singer/musician Moby, and former Facebook and Google employees are interviewed.  Perhaps a criticism is that it is easy for movie viewers to get lost in the details and miss the larger points and challenges in the domain of privacy.  Nevertheless, Terms and Conditions May Apply is a great movie to raise your privacy IQ.  For those knowledgeable in privacy, the movie provides some details regarding specific surveillance tools (Carrier IQ, FinFisher/FinSpy, Kapow, and more), cases, techniques and capabilities used by nation states (Spyfiles) across the globe.

Personally, I'm unconvinced that increasingly broad Internet surveillance is a valuable tool to prevent attacks or crime, or that it provides more good than harm.  Regardless of anyone's opinion, it's certainly the trend.  My opinion, as an optimist, is that the rift between our privacy and our expectations of privacy will close in the not so distant future.  Not necessarily because citizens desire better privacy but because it's more prosperous for society at large.  See my previous post, A Crisis of Confidence Costs Real Money.

--Milton


If you have any personal experiences in these areas (privacy incursions, being swatted, or otherwise) or know about some great security/privacy movies, feel free to send me a note.  I'd love to hear about this stuff.  Thanks!

Friday, November 15, 2013

A Crisis of Confidence Costs Real Money

Updated October 5, 2015

---

Updated November 18, 2013

Where does Marissa Mayer (Yahoo CEO) stand on security?  See for yourself.

---

Original Post November 15, 2013

All too frequently the public is surprised how their electronic personal information is shared or used by online service providers and governments.  Service providers contend disclosure policies are clearly described in terms of service and require acceptance by users prior to use.  Governments claim unfettered secret access to personal data is required to protect a nation.  Whatever the reasons, it's clear personal information is often the victim of progress.

Strong security programs are useful to protect assets against abuses and communicate confidence.  But security programs are ineffective at preventing intentional privacy abuses, and most terms of service are not useful for managing anyone's expectations.  A concrete example: secure browser connections and strong passwords do nothing to prevent service providers from using photos of you to sell products to your friends, or from providing information without your knowledge to governments.  Many terms of service cover these subjects softly, if at all, with any salient points buried deep in pages of legal chaff.  Most people trust security controls too much and don't scrutinize the wordplay of service terms enough.  The combination of security controls and terms of service is designed to put privacy concerns to rest and claim plausible deniability when they erupt publicly.

Lately businesses are learning security is more than a confidence game: a strong security program must be executed with integrity.  And not only businesses, but government agencies must operate without even the slightest perception of impropriety, with full transparency and accountability in everything they do.  Clearly this is not happening today, but what is the result?  The online publication Quartz reported, "Cisco's disastrous quarter shows how NSA spying could freeze US companies out of a trillion-dollar opportunity".  Jeopardizing world confidence in technology is costly in an information driven economy.  Without strong, immediate, and public actions the cost of business operations will increase significantly.

Setting aside the questions of whether the National Security Agency (NSA) is acting in the best interest of Americans, or even which stories may be true, public news stories about alleged NSA behavior are impacting revenues of the world's largest multinational corporations.  Recently Bloomberg reported possible new requirements from the government of Brazil: "...Google and other providers of online services to keep local-user information in data centers within the country".  In Brazil's case, lack of confidence in Google's ability to ensure the privacy of end-user data from the US government fuels mistrust.  Without restoring confidence in government checks and balances, it's likely other nations will require their countries' data not leave their borders as well.  Forcing service providers to keep data within each country's national borders sets a precedent for destruction of the cloud services model across the globe.

On October 31, 2013, in a letter to a Senate subcommittee, AOL, Apple, Facebook, Google, Microsoft, and Yahoo called for "...critical reforms that would provide much needed transparency and help rebuild the trust of Internet users around the world".  I suspect we will see some reforms soon.  While improvements may be born out of negative impact to business, change is also likely to provide benefits to individuals broadly.

--Milton

* Photo Kitty Goggles, artist unknown

Tuesday, November 5, 2013

OWASP AppSec USA NYC 2013

AppSec USA 2013 (@appsecusa) security conference is right around the corner.  Oracle's Chief Security Officer, Mary Ann Davidson (@heenaluwahine), is presenting a keynote.  For anyone attending and interested, I'm also providing a session on Java security, "Making the Future Secure with Java".  Feel free to send me a tweet (@spoofzu) if you're attending.

Thursday, October 31, 2013

In the Dark on Privacy - Use Lightbeam

If you're a Firefox user there is a new add-on available called Lightbeam.  Lightbeam is useful for understanding how personal data is shared on the Internet, like web browsing habits, sites you frequent, etc.  Lightbeam works by recording sites you visit and also recording any included third party sites that may be required by the sites you visit.

Lightbeam does not reveal how companies leverage your personal data for their business uses or if they even store your personal data.  A good general rule of thumb: if someone has the capability to snoop your personal data, assume they are.  This way you will not be unpleasantly surprised at the next big privacy headline in the media.

To get a better look at Lightbeam, double-click my thumbnail picture (top) to view an enlarged photo.  You will notice in my browsing history, I visited 37 sites which referenced 149 third party sites.  Third party sites are sites included by the site you visited and most likely, many without your knowledge.  Some might argue without consent as well, but most of us click through those 60+ page license agreements anyway (don't we?).

The Lightbeam user interface allows you to move nodes around, toggle controls on/off, etc.  In looking over my results, some common third parties emerge like Google Adsense and DoubleClick.  Many sites use Google advertising on their pages so nothing too surprising here, we see ads everyday.  However, you may have not considered the implications of third party content on the many pages you visit.
photo: Paros Proxy, HTTP Request

To best illustrate what's happening between the web browser and server, on the left is a screen fragment from a tool called Paros Proxy.  Paros sits between your web browser and sites on the Internet you wish to view.  When you request site content, Paros intercepts the HTTP request, displays it, and forwards the request on to the server.  Paros facilitates request introspection or can even modify requests en route if you wish.  For our purposes, we are interested in viewing HTTP requests.  In this example, I visited the usatoday.com web site, but many sites access Google services.  To begin, usatoday.com requests a third party Google syndication link, first red circle.  In the second link, also circled in red, the web browser specifies a Referer.  The referer is part of the HTTP protocol and is sent to the site to specify which page the browser was on before the link was clicked.  Said more simply, the web site you're navigating to knows the web site you came from.  Often it's another page on the same web site, like switching between tabs on a news site, but it could be from an entirely different web site like one of your browser bookmarks.

The concern is that when site content is loaded, the third party site is notified of the site you browsed previously.  In this case, since Google content is ubiquitous, Google knows which sites you browsed even if you didn't get there via its search engine or web browser.  There are many more ways to leak information than the referer, so it's only part of the problem, and the referer does have legitimate uses.  Cookies and URL rewriting are also combined to make your browsing experience personal or tied directly to you as an individual.
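As an added example (not from this post, Lightbeam or Paros), the script below parses a few constructed HTTP requests of the kind a proxy like Paros displays, separates third party hosts from the site you chose to visit, and lists which page each third party learns about from the Referer header.  The hosts, paths and cookie value are constructed for illustration, modelled on the usatoday.com example above.

```python
"""
Added example: attribute Referer leakage to third party hosts from a handful
of raw HTTP requests, as seen in an intercepting proxy such as Paros.
"""
from urllib.parse import urlparse

# Constructed requests modelled on the usatoday.com page load in the post.
# Paths, the cookie value and the exact hosts are illustrative, not captured.
SAMPLE_REQUESTS = [
    "GET /news/politics/story-123 HTTP/1.1\r\n"
    "Host: www.usatoday.com\r\nUser-Agent: Example/1.0\r\n\r\n",
    "GET /pagead/show_ads.js HTTP/1.1\r\n"
    "Host: pagead2.googlesyndication.com\r\n"
    "Referer: http://www.usatoday.com/news/politics/story-123\r\n\r\n",
    "GET /ad/slot?site=usatoday HTTP/1.1\r\n"
    "Host: ad.doubleclick.net\r\n"
    "Referer: http://www.usatoday.com/news/politics/story-123\r\n"
    "Cookie: id=constructed-cookie-value\r\n\r\n",
    "GET /css/site.css HTTP/1.1\r\n"
    "Host: static.usatoday.com\r\n"
    "Referer: http://www.usatoday.com/news/politics/story-123\r\n\r\n",
]


def parse_request(raw):
    """Split one raw HTTP/1.x request into (method, path, headers dict).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def registrable_domain(host):
    """Crude first-party grouping: the last two labels of the host name.
    Good enough for the hosts in this example; a real public-suffix list
    (e.g. for co.uk) is deliberately out of scope."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:])


def third_party_leaks(raw_requests, visited_site):
    """Return {third_party_host: set of Referer URLs} for every request whose
    host is not part of the site the user deliberately navigated to."""
    first_party = registrable_domain(visited_site)
    leaks = {}
    for raw in raw_requests:
        _method, _path, headers = parse_request(raw)
        host = headers.get("host", "")
        if registrable_domain(host) == first_party:
            continue  # same site as the page the user chose to load
        leaks.setdefault(host, set())
        referer = headers.get("referer")
        if referer:
            leaks[host].add(referer)
    return leaks


def leaked_pages(leaks):
    """Collapse each third party's Referer URLs to the page paths it saw."""
    return {host: sorted(urlparse(r).path for r in refs)
            for host, refs in leaks.items()}


if __name__ == "__main__":
    found = third_party_leaks(SAMPLE_REQUESTS, "www.usatoday.com")
    for host, pages in sorted(leaked_pages(found).items()):
        print(host)
        for page in pages:
            print("   learns you were reading:", page)
```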

What is or should be private is evolving and everyone has an opinion.  Internet service providers desire more access to end-user personal information.  Individuals are continually surprised to see how their private information is shared between companies.  Whatever your views, Lightbeam provides transparency about personal data shared with third parties in a way many can understand.  Lightbeam is released at a time when public concerns about privacy and transparency are at an all time high.  It will be interesting to see if the tool gains traction with the public.

--Milton


Monday, October 28, 2013

What Does the Fox Say?

Ok, I know what the fox says but have no idea what the fox means.  I asked the barista at Starbucks if he watched the video and everyone in line within hearing distance broke into conversation.  I place this in the same class as UFO phenomena.  I witnessed an event with 170 million others and I don't feel like I'm any closer to an answer.  According to the barista, the Fox is the most popular Halloween costume this year.  I'll have to accept the information at face value since my fashion sense is style blind.  A word of warning: while the song makes no sense whatsoever, it's catchy.  You will probably have this tune stuck in your head for days -- remember I warned you.  Dare to listen to the fox.

Thursday, October 17, 2013

So You Want to be a Security Professional?

Photo: Revenge of the Nerds movie, 1984
Are you ready to trade in your Prada sunglasses, Ferragamo shoes, and True Religion jeans for glasses with tape in the middle, Converse sneakers, and Levi's with holes?  Is the appeal of joining other geeks in Jolt cola fueled midnight hacking sessions overwhelming you?  So you still want to be a security professional?

Hollywood is excellent at conjuring images of security professionals, Matrix and Swordfish movies come to mind, but what's the field of security really like?  What career paths are available and which best match your interests?  What are some of the benefits and challenges in the field?  What is the compensation like?  One thing is for sure, once you become a security professional you take the "Red Pill" (enter the rabbit hole) and there is no going back.  Your mind is irrevocably altered.  Even if you return to your previous profession, you will view the world through different eyes. 

Many don't realize it, but not all security jobs are created equal; there are specialties within the field.  Experts in one security domain may have only a cursory knowledge of other security domains.  The security field is still growing, defining itself, and maturing.

Following are some of the more popular security roles you're likely to encounter in the field.  Don't be distracted by my abbreviations; they only serve to save time typing and make for easier reading.  Also I thought it would be more useful to up-level some of the skills, so you're not going to find resume power words like ArcSight, NMAP, NetWitness, EnCase, etc.  You can find those in ten minutes on Monster, and up-leveling the skills makes them a little more understandable to those newer to the field.

Chief Security Officer (CSO)/Chief Information Security Officer (CISO) - CSOs are the top security leaders for an organization.  CSOs/CISOs typically have a technology background combined with a focus on business.  At the CSO level, very important risk based decisions are made around security.  It's essential to have a skilled CSO that understands security, technology, and how they apply to solving business problems.  To provide an example, as individuals we all make risk based choices every day.  You may leave the windows on the second floor of your home open on a hot day when you leave for the grocery store.  Unless there is an easy way to get to the second level of your home it's an acceptable risk.  So the risk of home invasion is not precisely zero but it's low enough, or what you may consider within acceptable limits.  This is much like applying security to business challenges.  Security resources are finite and must be placed where they provide the most impact, bang for the buck if you prefer.  It takes real expertise to allocate these resources or be brave enough to ask for more if it's necessary.  Background for a CSO may be business or technology, but as the top leader they typically have formal training and mastery over business, technology, security, as well as other areas like privacy and compliance.  Skills: Advanced education is typical, excellent communication skills, business and technology, compliance, privacy, knowledge of applicable laws (which vary between types of business), deep knowledge of several security domains and IT domains, and often well-known throughout industry.

Network or Software Security Architecture (SA) - Security Architects influence secure system design from the start of a project.  Think of SAs like draftspersons or architects who create blueprint designs for our homes and office buildings.  Drafting a change to an existing blueprint to move a wall outlet to a different wall location is an easy change to accommodate.  Moving the building's foundation three feet to the left when the roof is going up -- disaster!  Building a large software product or infrastructure driving many products (like a cloud provider) has similar challenges.  This is why it's so very important to have security thinking across all stages of system design.  Security influence up front is essential; it's far easier to change a bad idea at the start of a project than one million lines of software code supporting a bad idea at the end of a project.  Establishing the benefit case for SA is challenging since project success is only loosely related to the work performed (by the SA) or the level of resource investment.  For instance, it's easy to measure the output or workload of SA but far more challenging to prove conclusively how SA influenced projects to more successful outcomes.  SA specialties in applications or network infrastructure are typical.  Skills: A deeper understanding of the SSE, SecOps, and NSE skill sets, IT background, and well-known throughout the company and sometimes industry.

Security Operations (SecOps) - SecOps are the techies who have "eyeballs" on the networks, or system watchdogs.  SecOps is watching data center perimeters, servers, and data to see when bad guys are knocking on the doors.  Sometimes SecOps spot checks security patching on servers and checks for infected laptops.  Infected laptops are quarantined and reported to IT for reimaging.  A benefit of the SecOps domain is that its usefulness is easily quantifiable to business.  For example, we fixed N infected laptops, discovered malware in N payloads, found N unpatched servers, etc.  It's easy for business leaders to imagine what would happen if the SecOps program was not in place (or properly staffed).  An aside: if you have high remediation and mitigation numbers it looks great on reports.  But perhaps investing in more SA resources will provide better application and network infrastructure up-front, lead to deeper project review, and there will be fewer vulnerabilities in the first place.  SecOps employs a battery of tools to accomplish their efforts: commercial and open source tools, and lots of in-house scripts for targeted analysis.  Skills: OSI stack, in-depth protocol knowledge, scripting languages, programming languages are helpful, open source tools, commercial tools, Windows and *NIX command lines, and various operating systems; peers are usually IT groups within the company.

Security Compliance (SecComply) - Compliance staff are the policy watchdogs.  Compliance reports an organization's conformance to established policies.  For example, when staff develop software, or build or deploy systems, they sometimes cut corners to finish on deadline.  If one of the areas being cut is security it will impact the product and may negatively impact the business.  It's worth noting that good compliance is not the same as good security.  It's possible to have a great compliance program and horrifying security.  Sadly, it happens all the time.  The key is to carefully establish a set of corporate policies and technical controls comprehensive enough to meet your goals.  Compliance is a powerful tool to understand your corporate readiness if implemented correctly.  Luckily there are some "gold standards" to leverage when drafting your security policies, like ISO17799.  Even if you don't wish to be ISO17799 compliant, the standard provides a good framework or grab bag of information to leverage.  Incidentally, there are also good risk management frameworks like NIST 800-30.  Again, you may not desire the heft of a government level risk management program but it's an excellent grab bag of ideas you can leverage or combine with other risk approaches like FRAPS.  Skills: policy management, IT compliance, internal/external audit experience, risk management experience, and works closely with business leaders and technology leaders within the company.

Forensics - Throughout the course of business it sometimes becomes necessary to collect electronic evidence from information systems.  Evidence suitable for use in a court of law requires special handling to ensure it's free from tampering or alteration.  Even if you're only collecting evidence for internal investigations there's much to be aware of in the way of laws and individual privacy rights.  There is also a cadre of digital forensics tools for imaging and storage of data.  Typical cases range from disgruntled employees, compromised applications (e.g., databases), accidental destruction of data, and more.  Skills: scripting languages, open source tools, commercial forensics tools, Windows and *NIX command lines, various operating systems, and works closely with security leadership and IT leadership within the company.

Software Security Engineering (SSE) - SSEs are skilled programmers specialized in one or more programming languages.  Working knowledge of security algorithms like hashing and encryption, or developing application or infrastructure security models, is typical.  This is my background so I thought it would be helpful to share some personal experience.  As an SSE, I transitioned from programming business applications to writing application security infrastructure.  Application security infrastructure is the foundation or plumbing leveraged across many software applications in a suite or enterprise.  It's a bit of an abstract concept so a practical example may be helpful to explain.  Consider that your company has ten software applications.  If you have to sign on or authenticate to each application it's bothersome for end-users.  Just like cloud apps, you want to authenticate once across all applications.  Similarly, if you create a document in one application and assign permissions, you want those same permissions to be visible across other applications.  So a job run in a scheduler application may produce output reports visible in a document viewer application.  Administrators may have access to the job to alter schedules but only business units have access to the output data.  Application security infrastructure, as you can imagine, makes a system more secure since the security model is centrally managed and shared across business systems.  And more importantly, it makes for a positive end-user experience within the application.  It's always a bonus when security and the user experience can be improved together.  As an SSE, my expertise was developing enterprise class role-based access control systems (NIST RBAC 92) and interfacing them into existing security systems like Microsoft Active Directory, LDAP v3, Windows LAN Manager, etc.  Creating these is considered somewhat old school today since many popular open source projects and protocols are available.  Still, it provides some idea of the type of work an SSE may do.  Skills: programming, scripting languages, OSI stack, deep understanding of protocols, and works closely with security leadership and IT leadership within the company.

Network Security Engineer (NSE) - NSE is the network analog to the SSE.  NSEs manage network security technology to protect our software applications and data.  Typically NSEs review new equipment and schedule it for installation, apply security maintenance, and adjust firewall security rules.  Interestingly enough, NSE and SSE are coming closer together since some devices that protect applications, like application firewalls from Imperva, require expertise from both domains.  Skills: OSI stack, in-depth protocol knowledge, scripting languages, programming languages are helpful, open source tools, Windows and *NIX command lines, various operating systems, and commercial network hardware.

Cryptologists - Cryptologists are academics highly proficient in mathematics with an interest in security.  The purpose of cryptography is to devise algorithms protecting information from unauthorized disclosure and tampering.  Once algorithms are created and peer reviewed they are generally implemented by SSEs for use in hardware and software products.  Cryptologists may also perform the converse, that is, decipher an encrypted message or alter a message in transit in such a way as to evade notice.  It's likely most cryptologists work for the government, universities, or larger vendors.  If you want to look at a leader in the field, take a look at Bruce Schneier's site.  Bruce has the tech chops but is also a skillful communicator.  Skills: advanced mathematics background, cryptographic theory.

Penetration Testers (PT) - PTs try to find the security vulnerabilities in systems and see if they are exploitable.  PTs are the spot checkers; some know how to program and some do not.  Most have a solid understanding of PT tools, commercial and open source, and of writing scripts.  Penetration testing is a highly specialized skill that takes training, at least if you're good.  Some are self-taught, and there are some excellent places to learn these skills like the SANS Institute.  Skills: OSI stack, in-depth protocol knowledge, scripting languages, open source tools, commercial assessment tools (dynamic/static analysis), Windows and *NIX command lines, and various operating systems.

Ethical Hacking Teams (EHT) - EHT are essentially PT, but having the word "ethical" in their title helps to drive the point home that security ninja skills are used only for the purposes of "good".  Also some refer to EHT in the purest sense since there is a formal certification for Ethical Hacking.  So some would say you cannot be EHT without the certification.  I consider EHT like PT: good guys kicking the tires of systems looking for security holes.  EHT teams are a great asset, and usually companies with more security maturity invest in these teams to help with spot checks.  Some companies use the "Red" and "Blue" team terminology.  Red teams are the EHT trying to break into systems and Blue teams are the defenders.  Essentially, the idea is to pit one team against the other, and by continual evolution of these exercises application security posture improves over time.  Skills: same as PT.

Security Education/Trainer - Depending upon your role in our digital society there are more or less things you need to know about security.  As a consumer, you need to understand how to keep your personal information safe: managing privacy settings in your social networks, deciding whether to use them at all, protecting your financial information, etc.  Software developers have much more to learn to defend information systems from adversaries.  Business leaders making decisions about the level of investment in security need different types of training.  As an instructor, the more you know about security and information technology, the wider your appeal and the more useful you will be.  I like to think of an instructor as a "whole package".  Meaning some instructors are stronger in presentation and communication but a little less technical or perhaps limited in their scope or depth of knowledge; others present like Ben Stein but are super technical.  Presenting as either will polarize your audience.  To the extent you can be both engaging and knowledgeable -- you will be destined for greatness.  Skills: communications and training, public speaking, creative thinking (making content interesting to different audiences is essential), broad knowledge of different areas in security, in-depth knowledge is good as well.

A great place to see the security positions and skill requirements is to check out job postings or join security groups on LinkedIn.  Keep in mind, the previous positions are some of the positions you're likely to encounter but every employer or business is different and some combine multiple roles into a single job position.  Also there are various levels of technical and management leadership I have purposefully omitted like Manager, Sr. Manager, Director, to make for an easier read.  My list is purposefully light in the way of compliance or privacy positions which are evolving into entirely separate domains of expertise.  In fact, in many large organizations, compliance and privacy are entirely separate domains.  Following are some of the larger benefits and challenges in the field of security.

Benefits in the security field...
  • The work is rewarding and there is always something new to learn.
  • Due to the nature of the work and level of trust required, mid to senior level positions are not likely to be sent off shore anytime soon.
  • The field is small so you can reach out and touch your heroes.  As you attend various security conferences it's likely you will meet some of your security heroes.  If you're brave enough to engage them in conversation, you will discover they have a passion for what they do and love to talk shop.  Engaging other knowledgeable professionals is essential to challenging and changing the way you think and self-improvement.  At its core, security is a way of thinking.  It's more than the technology or tools.  It's not a way of thinking that comes naturally to most people but it can be learned.
  • Compensation is excellent and there is more work than skilled professionals.  This is good news if you're looking for work but also frustrating if you're looking to hire security professionals.  I'm guessing security is probably the top 1% of IT organizations so there are comparatively few security professionals throughout the field.  I'm sure the numbers will creep higher as the field matures.  It's a very healthy balance and tipped slightly in favor of workers (at least since I can recall).  For some objective data, I found a report by InformationWeek related specifically to security professionals, 2013 InformationWeek U.S. IT Salary Survey: Security.  The paper is free to download so long as you share your personal information but I'm sure you're accustomed to such requests.  Isn't that right, John Doe?  You can also Google the report title for commentary which you may find more informative anyway.
  • The security field is tremendously misunderstood and there is much opportunity for improvement.  There is plenty of room for bold improvements and the field is wide open for bright minds and new heroes.
Challenges in the security field...
  • The largest challenge by far in security is awareness and education.  This is the single biggest failure.  When we are sick we see a doctor.  When our car is having engine troubles we go to the dealer.  Unfortunately, there are many making decisions about security who should consult a professional.  Such projects are doomed before they start.  The lesson here is that everyone needs security education for their role -- not just the techies.
  • Security is not a money maker for business (unless you're a security company).  The Return on Investment (ROI) case for security is next to the plans for the free energy machine and directions to the Fountain of Youth.  Don't waste your life trying to find an ROI case.  Most organizations treat security like dental hygiene -- they know they need it but they don't like to do it.
  • It can be challenging to communicate the precise amount of security to apply and consequences if not applied.  For example, we know we need to brush in circles but why do we have to floss?  What happens if we only floss every other time we brush?  I wonder what my dentist would say if I asked that question?  I think of it like this, not everyone has the same level of appreciation for dental hygiene that hygienists do.  These are analogs to the kinds of questions you will receive in security.  Never assume what is so plainly obvious to you is obvious to someone else.  Every opportunity is an opportunity to educate.
  • Favoring compliance over security.  In deciding between compliance and security, compliance always wins.  On the low-end, a compliance failure means embarrassment for the business.  On the high-end of the spectrum, big fines and someone wins a permanent unpaid vacation.  Easy consequences to understand.  Unfortunately, good compliance is not the same as good security as I noted previously.
  • Almost all security professionals master some other field and transition into security.  To be an expert at security implies mastery in more than one domain, security and something else like systems administration, network administration, programming, privacy laws and regulations, etc.  Yes, compensation is good but the bar is high.  The point here is that security takes some investment on your part.  You need to build out your primary skills first (and the more experience the better) prior to considering security.
Most people trust implicitly unless they have a reason not to trust.  In security speak, these people are sheep (or sheeple).  It's not a very kind label, but I think it's born out of frustration from watching one jump off the security cliff and seeing the rest follow.  Meaning, we may learn from our history but we don't always learn from the security mistakes of others.  Security awareness and education are key to making the best possible decisions in our personal or professional lives.

Nobody in the security field today went to school for security.  It's a completely new field born out of necessity for our dependence upon information technology.  Security is one of the toughest jobs you can ever do but it's also the most fascinating and rewarding.  The field is constantly changing.  What was secure yesterday is no longer secure today.  Areas that were a concern are no longer a concern.  Our society is forever changed.  There's no doubt security professionals will be even more important in the future than they are today.  If you are already a security professional you may wish to review a related post, "Power-Leveling Your Computer Security Career".  Best of luck!

--Milton

Tuesday, August 27, 2013

OWASP AppSec EU 2013 Trip Report

OWASP AppSec EU 2013 was held in Hamburg, Germany at the Emporio.  The session line-up featured key speakers from all over the world.  As usual, the OWASP conference provides terrific value for your money.  OWASP is also noteworthy among security conferences since it focuses heavily on defending web applications.

The longer I'm in the business of security, the more I appreciate speakers who communicate in terms of solutions as opposed to raising conundrums.  Now that's not to say pointing out problems is unimportant.  Conferences that teach offensive techniques help us all understand better how to defend our assets.  They also serve well to shock the entire industry to change.  Still, after 0-day sensations fade away, it's up to the defenders to pick up the pieces and secure their application assets.  This is where OWASP comes in.  While OWASP dabbles a little on both sides of the fence with both offensive and defensive session content, I see its real value in defensive measures -- helping an entire community solve tough security challenges.  Along the lines of defense, a couple of sessions stand out from among the pack.

OWASP Top 10 Proactive Controls by Jim Manico (Twitter: @manicode), White Hat Security.  Many security professionals are familiar with the OWASP Top 10.  The Top 10 brings attention to common security problems or "gotchas" many organizations encounter writing software.  The OWASP Top 10 Proactive Controls are somewhat the converse, security measures we should apply to protect our information systems.  From a security maturity perspective, OWASP Top 10 helps us spot common security problems and Top 10 Proactive Controls helps us address our security concerns.  I really like the follow-through and where this effort is heading.  Especially, thinking in terms of positive action we can all take helps move the industry forward.

New OWASP ASVS 2013 by Sahba Kazerooni (Twitter: @ShahbaKaz), Security Compass.  For those not familiar, the OWASP Application Security Verification Standard (ASVS) project establishes security test cases by major domain.  Specifically, ASVS defines the security requirement areas or major domains of security as: Authentication, Session Management, Access Control, Input Validation, Cryptography (at Rest), Error Handling and Logging, Data Protection, Communication Security, HTTP Security, Malicious Controls, Business Logic, Files and Resources, and Mobile.  Within each of the domains various security test cases are provided.  The idea is that you can choose the domains applicable to your product and review the test cases so you don't overlook any.  Sahba's presentation covers a refresh of the ASVS standard to bring it current to 2013 challenges.  If you're charged with creating security test cases or even implementing security controls the document is a helpful resource worth a review.

Aside from the conference sessions, I take some time out to talk with colleagues.  The security landscape changes fast so it's good to keep up to date.  In this conference, I spoke with Dinis Cruz (Twitter: @DinisCruz) the O2Platform project lead.  O2 provides some really cool means to generate security test scripts fast.  An ancillary platform feature I really liked is you can take these scripts and compile them to standalone Windows executables.  This is great if you want to share a binary you create with others without requiring a grab bag of supporting components or even the O2 platform.
Photo: OWASP AppSec EU from left,
Dinis Cruz, Steven van der Bann, and Milton Smith

In considering scripting features, the O2 platform seems to have some practical uses even if you're not interested in security.  I'm still learning about O2 but it's interesting technology I would like to investigate further.  OK, a couple of tips if you get to meet Dinis.  Be up on your coffee since he talks really fast.  Next, Dinis does not wear shoes so don't step on his toes.  Steven van der Bann (Twitter: @vdbaan) joined our discussion.  Steven helps organize OWASP Capture The Flags (CTF).  He will be heading up a CTF at AppSec USA in NYC.

On Friday, I provided a session at the conference on Java security, Making the Future Secure with Java.  In my session I covered some background around Oracle security policies.  Covering policies is not very exciting but I have discovered if I omit it entirely I inevitably receive questions like, "Hey, why don't you guys discuss X, Y, Z with the public?"  I also provided an overview of remediation progress and recent security features delivered since many are unaware of our progress.  I believe the OWASP events team is planning to make session media available to the public but I'm not sure when.

A few thoughts on the location.  Hamburg is a refreshingly beautiful port town and bustling center of commerce.  In the summer, the climate is very similar to San Francisco, California and made complete by occasional fog.  While residents are quick to report that winters are cold, the conversation is warm and the people are inviting.
Photo:  Hamburg panoramic from 23rd floor of Emporio

You will be challenged without a command of the German language but you will not be lost.  A significant number of signs provide an English translation less prominently under the primary German message.  ATMs and public transit ticket machines are localized in English.  There's a significant population that understands some English, and the remainder are surprisingly tolerant of visitors like me who don't know anything about the language.  It's always humbling to be immersed in a room full of people where you don't understand the discussion.

Photo: OWASP AppSec EU from left,
Dalibor Topic and Milton Smith
Thanks to Dalibor Topic (Twitter: @robilad) for taking time away from his evening and family to show me around the city.  Dalibor is local to Hamburg so it's always great to visit a new place with a friend -- many thanks!  Dalibor is a leader in the OpenJDK project.  If you want to see what Dalibor's up to check out the OpenJDK project.

Also perhaps only loosely related but the timing seems appropriate.  Thanks to Jim Manico and Michael Coates (Twitter: @_mwc) for assisting me with reviewing JavaOne session submissions for our new security track, Securing Java, and for your participation.  J1 is almost here, phew, time flies.  I should have mentioned this in my presentation.

Tuesday, August 20, 2013

Java Spotlight Episode 142: Milton Smith on the JavaOne Security Track @spoofzu

A recent interview I provided to Roger Brinkley on security for Java Spotlight Episode 142.  In the featured segment I discuss the new security track added to JavaOne 2013 San Francisco.  I also provide an update on Java platform security.

--Milton

Saturday, August 17, 2013

Cats in the House -- Here Comes LittleDog!

Check out the LittleDog video from Boston Dynamics.  These guys have serious toys.  Somehow I don't think they are trying to build a better Roomba that climbs over kids toys (although that would be priceless).  Check out LittleDog's bigger brother.

Sunday, August 11, 2013

Presenting on Java Security at AppSec EU in Hamburg Germany

Presenting on Java security at AppSec EU August 20-23, Emporio, in Hamburg, Germany.  I noticed some friends are speaking.  Always good to visit old friends as well as meet new friends.  Thanks to the OWASP team and conference leads for accepting my presentation.  Looking forward to visiting Hamburg for the first time.

Wednesday, August 7, 2013

Black Hat 2013 USA and DEFCON 21 Trip Report...

This year's computer security conference Black Hat 2013 USA was held at Caesars Palace in Las Vegas, Nevada.  DEFCON 21, a follow-up security conference, was about a block away at the Rio hotel.

I have attended a number of security conferences over the years but I must admit I'm a bit of a Black Hat and DEFCON noob.  In any case, many people asked if I was attending so I thought I should experience these events myself firsthand.  By pure happenstance, the Black Hat staff asked me to present (my previous post) about a month prior to the conference.  I only mention the session briefly since some have criticized me for the closed session.  Please keep in mind, the summit rules are not my rules.  I was privileged to be invited and I will respect their rules.  It's also the first time I have ever been invited.

There are a few things I noticed immediately as a new attendee.  Both conferences are a little rougher or raw around the edges.  Often a heckler in the audience would belch out a contrary opinion to the speaker or even obscenities at times.  In one case, a speaker retaliated telling a heckler to "-uck off".  There were a few uncomfortable moments where I considered slipping down into my chair and low crawling out the door.  I was not sure what was going to happen next.  The keynote presentation by General Alexander, the leader of the National Security Agency, was a great example of the electric atmosphere at Black Hat.

Photo:  Mohawks at DEFCON21
A few impressions from a first-timer, one of the things you will notice is that the crowd is a little different than some of the conferences you may be accustomed to.  But a little background first, over the years I have developed what I affectionately call the, 1000 yard gaze.  The 1000 yard gaze, shared by most Californians, is simply the blissful indifference to shocking sights and sounds.  So for example, if you want to walk around me with a purple mohawk and sparklers for earrings it's OK.  I will pretend I don't notice and you can feel like we all have purple hair.  Even with a trained gaze, there are a few sights you are likely to encounter at these conferences that will test your abilities.  Also presenters, while undeniably experts at what they do, are sometimes not the best communicators, lack of eye contact, mumbling, etc.  One would think communications ability is a requirement for presenting at a conference but you might be wrong.  My impression is innovative content is sometimes favored over presentation ability.  It's a tough tradeoff for conference planners I suspect but I can understand how that makes sense for these innovative conferences.  Still, during a couple of sessions, I had to tap a fellow attendee on the shoulder and ask what the heck the speaker just said, only to receive a shoulder shrug.  I wondered if anyone in the room understood what was said at the time.  It's definitely the exception rather than the rule but it surprised me.

In the end, the raw edginess (if that's a word) gives these conferences their charm.  Both conferences were super fantastic and I should have attended them many years ago.  Following are a few highlights from the conferences to challenge what you know about the state of the art in security.

Mobile platforms are a security nightmare
Most security professionals realize the tools for mobile security are woefully inadequate.  In fact, intrusion detection and prevention tools are simply not available to consumers.  Mobile consumers are running on the "trust me" security model.  One particular presentation at DEFCON21 stands out, Do-It-Yourself Cellular IDS by Sherri Davidoff & panel.  They demonstrated how to turn a femtocell into an Intrusion Detection System (IDS).  The project was a considerable effort by a team lasting almost a year.  Incidentally, there are a few ways to sniff your mobile traffic like connecting your phone to a local Wi-Fi network and sniffing outbound traffic with standard tools.  The limitation with the approach is that you can't see IP traffic going back through the carrier networks.  The presenters claimed around 50% of the audience phones were infected, ouch!  Also, some malware reportedly allows listening to conversations or viewing what is happening in a room -- downright creepy.

Hardware hacks
Photo:  Hardware hacking lab
There were a ton of good hardware hacks and spy gear.  ACE Hackware was selling a device called the r00tabaga for penetration testers.  The device is a self-contained computer, smaller than a pack of cigarettes, running a modified Linux kernel.  It's mostly for executing remote pentest assessments, surveillance, and Man in the Middle (MITM) attacks.  The device appears to be a 3G mobile hotspot, exploited, and reflashed with a modified version of OpenWRT.  The device is a little too polished to be manufactured by a niche vendor in my opinion.  Nevertheless, whatever it is it's great and the price at the show was $110 USD.  There are other popular long standing competitors like the Pineapple.  Likewise, Raspberry Pi may be a good contender for such a project but I'm not aware of any flash images/plans for ready to go solutions.

The lock pickers also had a strong presence.  If I knew they had a Lock Pick Village maybe I would have considered bringing my picks.  Although I'm done with traveling abroad with my picks.

Exploitation of office equipment
Stepping p3wns: Adventures in Full Spectrum Embedded Exploitation by Ang Cui and Michael Costello showed how an entire office environment may be exploited by an adversary.  In his demonstration, Ang exploited an HP printer to gain a foothold in a mock office environment.  The printer was used for office reconnaissance to find other IP enabled devices.  An attack from the printer was launched to exploit a Cisco IP phone and other devices were captured.  The presentation crescendo was a denial of service attack against a Cisco 2851 router by the printer rendering it useless.  The point of the presentation was that many common office devices are IP enabled.  These devices may hold interesting information (e.g., phone numbers last dialed, contacts, last document scanned), serve as valuable platforms for reconnaissance, or even be used to launch attacks.  Given the proprietary nature of the hardware these devices are difficult to secure.  Ang mentioned some technology he's developed to help secure these legacy environments.

Trading privacy for security
ACLU and EFF had a strong presence and generated interest from attendees.  These groups highlighted many of the current issues (e.g., Snowden, FISA courts) and the need for more privacy and transparency.  The greatest challenge presented was how can the government ensure the safety of Americans without violating their privacy?  Unfortunately, there didn't seem to be any satisfying answers for attendees.

Celebrity appearances
Brian Krebs (Krebs on Security) and Lance James's session Spy Jacking the Booters covers Brian's SWAT'ing ordeal.  For those who don't know what SWAT'ing is, it's like it sounds.  Bad guys fabricate a story to bring the SWAT team to your home.  Unfortunately, SWAT teams don't have a good sense of humor so it's guaranteed to inconvenience the victim for an evening.  Not to mention the price for door repair which, according to Brian, some cities don't cover.  The lesson learned here, it's no fun to be SWAT'ed.  Interestingly, I did get to shake Brian's hand as he was walking out the door.  He was in a hurry so we did not talk long but it was fun to watch his expression as I introduced myself.  Anyway, I enjoy reading Brian's articles.  Maybe someday I will be able to communicate so expertly.

Will Smith appeared at DEFCON21.  I really have no idea why he was attending the conference.  I didn't notice him on the schedule.  Maybe he's giving up movie making for life in security?  I didn't see him at the conference myself but I saw a few Tweets.  If anyone has details feel free to drop a comment on this posting or send a tweet.

Equipment failures
Photo:  Crashed phone system?
I noticed a rather higher than usual occurrence of failure for hotel hardware at the event.  I really have no figures to back up my feelings, consider it a hunch.  First was the phone in my room.  Take a look at the screen in the photo, "Server Unreachable".  I'm not sure what that's trying to tell me but it does not look good.  The next event was a fire alarm at the Rio hotel during DEFCON.  There were flashing lights all throughout the halls and audible warnings followed by a voice message.  The alarm sounded for at least 10 minutes.  Following the alarm termination a voice indicated it was a test.  I don't ever remember tests like this in any fully occupied hotel during a large event.  The last time I saw flashing lights and heard sounds like that, Halon was about to dump and I was sprinting out of the data center.  If anyone has any hardware failures please share them.

A parting thought...
Evidently there's not much you can't do in Vegas.  Including shooting fully automatic weapons -- geek bait.  I wonder how many attendees tried this?  Send me a Tweet or something if you got to shoot any of these firearms.

Photo: The Gun Store

Tuesday, July 23, 2013

Black Hat 2013 USA, Oracle: On Java Security

Invited to speak at Black Hat USA 2013 Executive Summit on Java security.  Very much looking forward to my first Black Hat conference, http://goo.gl/2OGazy  #BlackHat

Thursday, May 23, 2013

JavaOne 2013 -- Security Track Sneak Peek

This year for the JavaOne 2013 San Francisco conference we added a new session track -- Securing Java.  For those interested, I thought I would share some information about the new track and a sneak peek at some early session acceptances.

Last year at JavaOne 2012 San Francisco, I was surprised by the number of non-Oracle security presentations at the conference.  I didn't have any hard data at the time but my informal impression was security is important to the entire Java community.  There were many presentations across many subject areas like, security features and fundamentals, security expert panels, Glassfish security, Java Card, secure coding standards, and much more.  When submitting my session I had some difficulty determining under which track to submit.  I settled on submitting my security presentation under, Core Technologies.

Upon conclusion of the JavaOne conference, I confirmed my suspicions around community interest in Java security with some session metrics.  I thought with all the security content why don't we add a security track.  I approached the JavaOne conference team with my information and suggestions, and they provided their approval -- Securing Java was born.  Kudos to the JavaOne team, Sharat Chander (Twitter: @sharat_chander) and Stephen Chin (Twitter: @steveonjava); without their support this track would be just another good security idea that never got off the ground, my heroes.  It all sounds so easy and in fact it was.

Now for the early invites, drum roll.  Congratulations to the following JavaOne Securing Java track early acceptances (presented in no particular order).  It's a small example of what you will see at JavaOne.  Keep in mind cancellations are infrequent but they do occur.

CON2021 "REST Security with JAX-RS", Frank Kim (Twitter: @thinksec)

CON3122 "Anatomy of a Java Zero-Day Exploit", David Svoboda (Twitter: @david_svoboda)

CON2570 "Don't be that guy! Developer Security Awareness", Markus Eisele  (Twitter: @myfear)

BOF5847 "Web Security Vulnerability Remediation in Legacy Java Web Applications", Gopal Padinjaruveetil, Wilson Rao

Many software developers will never visit a security conference or event.  The new addition of the security track for JavaOne provides a unique educational outreach opportunity.  If you are unable to attend, media is usually available online a short time after the conference.

The number of sessions, quality of sessions and presenters, and topics covered is even better than last year's conference.  My expectations were definitely exceeded for a first time event.  I'm positive the track will be well received and we will all have an opportunity to learn much more about Java security.  Many thanks to everyone who submitted!

--Milton

Monday, May 6, 2013

Java Platform Security - Job Opportunity

It's on 97% of desktops, 80% of mobile platforms, 125 million television sets, 1 billion downloads per year.  Join me in the most relevant computer security work ever - Java platform security!  http://goo.gl/kV8JV

Wednesday, April 24, 2013

Mission 360 ~ Pedaling with a Purpose from Santa Cruz to Malibu!

Photo:  Laura Smith
Not long ago, my wife was seriously injured in a bicycle riding accident.  When I tell the story I always clarify riding to include -- bicycle.  If I only say riding accident, people assume motorcycle, and bringing the conversation back to bicycle requires more explanation on my part.  In any case, she's much better now, finishing up physical therapy, and looking forward to her next biking adventure.  Yes, you heard me right, she's getting back on her bike.

Laura is riding for Team World Vision in a 360 mile event starting in Santa Cruz, California and finishing in Malibu, California.  She's named her journey, "Pedaling with a Purpose".  She has a Team World Vision web site to collect donations for their charitable causes for anyone interested: Laura's Team Vision Website.

Team Vision notes on their main site that as riders achieve their physical goals it also helps Team Vision achieve their charitable goals.  Donations go directly to Team Vision.  Of course, these are tough times financially and we realize everyone's financial condition is not the best.  Please don't donate anything you do not feel comfortable to donate.

To readers at the office, notice the riding jersey -- Oracle!  Next, we need to convince the sales staff at the company store to make some Java jerseys with Dukes.

--Milton

DISCLAIMER:  In case you missed it, Laura is my wife.  Yes, I am biased.  ;o)

Thursday, April 11, 2013

Devoxx UK 2013 Trip Report

Devoxx UK 2013 conference was my first Devoxx experience and my first trip to London.  Alright, I have been to London before but I don't count the inside of Heathrow airport a London experience.

The weather was super cold, compared to California.  I thought to check the weather before departing but it's tough to consider how cold 34 degrees Fahrenheit really is until you experience it.  Lesson to me, bring some gloves and a hat.  My ears wanted to fold inside themselves, brr!  Enough about my ears.

The conference was great!  There was a lot of ground covered.  I enjoyed "Accelerated Lambda Expressions" by Stuart Marks.  I was thinking the discussion may be a little deep for me since I was really interested in an introduction but it was very informative.  If you're experienced with Java but perhaps not Lambdas don't be intimidated.  Incidentally, Devoxx posts their conference sessions free on parleys.com.  Even if you attended Devoxx the videos are great because there is often some overlap between sessions so it's difficult to choose which to attend.

The Devoxx media team was busy interviewing presenters throughout the conference.  I noticed my security presentation is not up on Parleys yet but the interviews have been posted to Youtube by the media team (my interview shown right).  It's a short interview and I touch on some key points around Java security and discuss my presentation.

Most valuable experience of all was speaking with all the leaders.  I have been programming for many years but I never feel too old to learn something new.  There's a lot of people, experts in their areas, and it's great to have access to them and to knowledge share.  I had some really great discussions with Martijn Verburg (Twitter: @karianna) from JClarity.  Martijn provided a presentation, "Java and the Machine".  The room was standing room only and I arrived late as usual.  Also big apology Martijn, I was the jackass whose phone rang in your presentation and excused myself fast -- duty calls. ;o)  I did get to listen to a better part of your presentation and it was great.  Thanks for the invite to present and attend!  I also had an opportunity to speak with Markus Eisele (Twitter: @myfear).  Thanks for your time, the good conversation, and for your thoughtful advice!  And thanks to everyone at Devoxx.

Finally, some parting travel advice.  Don't travel with your lock picks.  Interestingly enough, lock picks are not on the Banned Items list in the UK but they still raise questions passing through airport security check points.  I was detained for a while, bag searched carefully, every item removed.  Even my box of Altoids (breath mints) was opened.  Airport security really does not have a sense of humor these days.  I guess we can't blame them.

When asked why I was traveling with lock picks I responded, "Are lock picks on the Banned Items list?"  The agent replied, "No".  I said, "Any concerns?"  The agent said, "No".  And with that I was on my way.  I'm surprised that worked actually.  Anyway, better off leaving the lock picks at home next time.

Friday, March 29, 2013

New JavaOne Security Track - CFP is Open!

JavaOne has a new track this year, "Securing Java".  Call for Proposals is open.  Get your security session submissions in now! http://goo.gl/pyTWE

The number of sessions at JavaOne 2012 San Francisco demonstrated the level of community interest around Java security.  Check out the new Securing Java track and description at, http://goo.gl/qo2eg.  Whether you're a software programmer, architect, security practitioner, or have data center responsibilities, you'll find something interesting to learn.  Security is a big challenge and touches everyone.  Take a break from the Internet baddies, come hang out with some good security guys who also love Java.

I look forward to meeting everyone at JavaOne this year!

--Milton

Wednesday, March 20, 2013

Devoxx UK 2013

Invited to speak at Devoxx UK on Java security next week.  Looking forward to my first Devoxx event, meeting some familiar faces, as well as new faces.  Devoxx is the only web site where my computer fan turns on.  Wow, those space ships are really cool.  ;o)