Chad Perrin: SOB

3 November 2009

Think Security

Filed under: Cognition,Geek,Metalog,Profession,Security,Writing — apotheon @ 04:18

A few days back, I quietly launched a new security Weblog I’ve decided to call Think Security, for lack of a better name. The inspiration for this new Weblog was actually a case of turning lemons into lemonade, so to speak, because it grew out of the desire to do something I was essentially being told I couldn’t do any longer in the venue where I have done so in the past.

That probably seemed pretty cryptic. I’ll try to be a little more direct:

I’m the primary IT Security writer for TechRepublic. Some things have been changing there in terms of how the site and its contributing writers (like me) are managed, and the way TR presents itself to the world. I suspect some of this has something to do with the fact that TR’s parent company, C|Net, was bought by CBS. That network of sites is now grouped under the heading of CBSi, or “CBS Interactive”, along with the rest of the CBS online presence.

One of the recent changes — a change that was announced just last week, in fact, and was apparently effective immediately — was a requirement for increasing the percentage of writing that constitutes “actionable content” to at least 75%. By my understanding of things, “actionable content” is basically corporate buzzword code for “howtos and checklists”. Apparently, the TR format is moving a little further away from things like news, opinion, and discussion of principles.

It’s that last part that really bothered me. I take a principles-based approach to security, because I believe (as I stated in the About the Site page at TS) that it is important for people to learn principles that will serve them well in a variety of circumstances rather than just memorize rote behaviors that are considered “industry best practices”, to be used once and thrown away without thinking about what you are actually doing in each step of the process or why you do it that way. The moment your focus on security has been reduced to knee-jerk reactions based on popular practices indoctrination, you have begun losing the battle for security.

I posted a new TS article today: Update Cautiously. If you are one of my readers at TR, I recommend you add TS to your reading list as well. In the future, material that is not appropriate for a given article of mine at TR because it is not specifically “actionable content” will get shunted into TS instead. In some cases, where I would previously have written an article for TR about principles first and, later, written one about specific implementation practice based on those principles, I will now write the former for TS and the latter for TR. The idea is to create a mutually complementary relationship between my articles at TS and TR, so that each will benefit from traffic directed to it from the other — and to actually better focus the direction taken with my articles in each venue.

This will mean a substantial increase in the amount of time and effort I have to put into writing security articles, of course. I expect it to double my article writing workload. It’s something I feel I need to do, though, because I am not content to merely let the principles of security I feel a need to share evaporate just because there isn’t enough room in TR amidst the actionable content any longer.

That’s not to say that TechRepublic is necessarily doing anything wrong. Every site needs its business model (if it’s a business) and its subject focus (unless it’s SOB, apparently). Without that focus, it becomes too scattered and vague in terms of the content it provides to really grab a strong, core readership, or to set itself goals for refining policy. It’s not like I haven’t written howtos and checklists for TR in the past, anyway. The increase in percentage of the total that needs to be actionable content, however, leaves a type of writing that is very important to me largely unaddressed. With the addition of Think Security to my lineup of writing outlets, this is ultimately more of an opportunity than a bandaid. The cure is, in this case, better than never having had the disease in the first place, to mangle a metaphor.

Of course, a little bit of real thinking will still sneak into my howtos and checklists at TR, I’m sure. In fact, it’s likely that my next article there will contain some hints of what I already said in Update Cautiously at TS.

Now that I think about it, though, it would be nice if this didn’t happen concurrently with National Novel Writing Month. My writing output already at least doubles in the month of November each year, even when I’m just using NaNoWriMo as campaign preparation for a roleplaying game, like I am this year. I’m not as serious about cranking out the word count this year, though, so if one of TR, TS, and NaNoWriMo has to get neglected this month, it’s not going to be either TR or TS.

In fact, so far I’m just kind of keeping pace with the daily necessities of being on track to complete 50,000 words in 30 days. Last year, I tended to stay quite a bit further ahead of the curve than that. I guess we’ll just have to wait and see how it goes.

19 October 2009

I’m a Websense False Positive

Filed under: Geek,Metalog,Profession,Security — apotheon @ 01:42

Earlier today, I received word from a reader that the Websense filtering service is blocking SOB as a “Malicious Web Site”. There is, of course, nothing malicious about the code on this site. Some might consider some of my opinions “malicious”, or at least malevolent, in some ways — I guess. There’s no malware hosted here, though, or anything along those lines. In essence, there just simply isn’t anything to fear here as a security issue that isn’t a problem with millions of other WordPress sites across the Internet (stuff like “spaghetti code” and “PHP” — yuck).

I visited the Websense Contact Us Form (linked here so others can find it — it was an adventure tracking down this form), and sent a message to the Powers that Be at the Websense offices. I explained that I had heard about being blocked as a “Malicious Web Site”, that there’s no malicious code here, et cetera. I asked for any more information about the situation they can provide. I also asked, of course, for the site to be removed from the Websense blacklist for “Malicious Web Sites”. I guess we’ll see how they respond now, if at all.

Of course, if Websense doesn’t handle this in a professional, courteous manner, and help me resolve the problem one way or another, I can probably make some predictions about the future, like The Amazing Kreskin. Given stonewalling, rudeness, the run-around, or any willful misrepresentation, my prediction would be that Websense will receive some extra publicity.

You see, I’m the primary security writer at TechRepublic these days, and false positives in many types of “security” software is a big pet peeve of mine. False positives in communications software, leading to the loss of potentially important communiques from legitimate friends and business partners, can cause more harm than just sifting through the bad to find the good by eye. I’m particularly peeved by false positives when some attempt to communicate of my own, through some communication medium like the Web, is the victim of false positives.

Now . . . with a blacklisting service, I expect there to be occasional errors. In this case, the real acid test will be how they deal with the report of a false positive. If the problem is corrected quickly and professionally, all is well with the world. If not, Websense will deserve any poor publicity it receives as a result.

Obviously, a security writer for TechRepublic is not going to be as big a deal as a technology writer for the New York Times, in the minds of hidebound corporate middle management, but I’m pretty sure that a well-known and respected online resource for IT professionals like TechRepublic won’t fail to touch a few would-be customers of Websense.

I just want to help my readers avoid making a bad decision in their choice of security software and services, after all.


I’ve received a response from Websense. The company will, apparently, remove SOB from its filter list at some point in the next day. The problem has been solved.

22 July 2009

writing malware, kinda

Filed under: Geek,Security — apotheon @ 05:18

I’ve discovered today that I need to write what amounts to malware to test a security feature I incorporated in a Web script. It’s pretty simple, this security feature; the code I’ll have to write to test it will actually be more complex and annoying to write than the code I wrote for the feature itself.

Right about now, this whole thing seems a bit like an irony sandwich.

I’ll probably include such code in a security article at TechRepublic in the near future — both the security feature code and the testing code — especially if I can come up with a solution to the one minor fly in the ointment of using this security feature.

The concept behind it is basically a really simple sort of implicit Turing test, assuming that anyone who can see and edit a given field in a form is accessing the site improperly. Unfortunately, that’s not necessarily the case, because using a browser that doesn’t support CSS will have the same effect as accessing the form as a bot: you’ll see the field. At least the field won’t be visibly labeled for someone accessing the page in Lynx, so it’ll appear kind of weird and pointless and hopefully be ignored, but I’d prefer a way to more substantially prohibit or discourage using the field for non-bot visitors.


Older Posts »

All original content Copyright Chad Perrin: Distributed under the terms of the Open Works License