google-communitiesI have been experimenting with Google Community pages for a little while.  I have a community page that’s open to everyone interested in security.  My blog is a great tool for me to communicate news or thoughts on security but the blog is not the best collaboration tool.  I wanted a community page to facilitate posting photos, videos, questions, opinion polls, and more.  Another reason for a community page is that there are sometimes little gems of news too small for a full blog post but still interesting for everyone.  Google Communities platform fills an interesting gap, a little more room for expression than Twitter but with a better interface over Facebook.  Feel free to follow along or post your cool content.
happynewyear-by-rones-2400px

I am a little early for the new year but I have been thinking about 2015.  I noticed I made 62 posts in 2015 not counting this post.  I thought I would review some posts throughout the year for those that may have missed them.


OWASP Security Logging Project

owasp-sec-logging.pngWhat is it?  Open source SLF4J compliant security logging API for application.  Use it with log4j or logback in your applications.

Benefits?  Extends popular logging systems and adds specific functionality for security like message classification (e.g., secret, confidential, public, etc).  Catches sensitive information developers log by accident like passwords.  Extend to catch SSN or other types of personal information and more.

Future Thoughts?  Improvement code proposed to log information like thread information, heap space, etc. using a background thread at regular intervals for diagnostic/forensic purposes.  Currently under review.  We have many more so check out the project web site.

Links: project announcement, project roadmap

Multi-Rotor Aircraft Project (aka Drone)

IMG_2718.JPGWhat is it?  Ongoing project to build a flying robot

Benefits?  Build a 100+mph(158+kmh) multi-rotor flying aircraft from scratch.  Fly this high speed carbon fiber aircraft beyond line of sight using a video system that transmits to VR goggles worn by the remote pilot.  Two builds are provided, a hexcopter and quadcopter.  Follow me on my adventures and learn about the systems and principles of fly by wire technology and robots.  Advanced project.

Future Thoughts? With basic aircraft complete, I plan to focus on building a microwave ground station in a backpack.  The man packable ground station uses larger batteries, duel receivers, and high gain antennas to improve video reception.

Links: DIY Drone Bootcamp Learning to Fly, DIY Drone Bootcamp Build Log, Drone Flight Training Continues, Drone Flight Training Continues 3, Drone Flight Training Continues 4ZMR250 Quad Racing Drone Build Log

DeepViolet Project

dv-window.pngWhat is it? SSL/TLS DAST tool

Benefits?  Open source Java source code and binaries to introspect a SSL/TLS connection to identify weaknesses.  Works like a web browser, type in a HTTPS URL, point and click.  Enumerate the servers cipher suites to spot weaknesses, display site certificate information, CA trust chains, HTTP/S headers, DNS information, and more.  When your done save scan reports to ASCII files for offline viewing.  Alternatively, run headless from command line and script your stairway to heaven.

Future Thoughts? I am considering including some support for Certificate Transparency.  I also like the idea of including support for flagging certificates that are about to expire.

Links: Public source code and binaries in GitHub, background and screenshots of GUI and command line.

Noteworthy Articles/Events
The Case of Symantec’s Mysterious Digital Certificates, Symantec certificate flap.  The story of a certificate authority too big to fail.

Java Security Track Highlights by Yolande Poirier and David Lopez

HTTPS Party at Blogspot, Google includes HTTPS support for the default domain.  No support for offered for custom domains.

Webdriver Torso, super strange videos.

Media/Memes

AppSecIWantToBelieve.jpgApplication Security, I Want To Believe,  a spoof I developed based upon the UFO poster in Fox Mulder’s office from the X-Files TV show.

PathologicalSecurity.pngPathological Security, if a model for constructing towns and buildings are helpful for software design patterns then why not apply them to security?

Intelliformix-Ad-Spoof.pngThe Future of Software Security?  Ever seen a TV advertisement for prescription drugs in the United States?  Essentially, 45-second rants on every negative effect known with no discussion about intended purpose or patient benefits.  Are you confused?  American’s are too.  I tried to imagine how this technique could be applied to security.

IMG_2367.JPGApplication Security Complaint Department, a special behind the scenes look.  A friend passed this along since it say’s “Milton” on the desk.  I have no idea where this photo comes from.  It’s not mine but funny.

your-computer-is-listening-t-shirt.jpgMy DEFCON 23 T-Shirt, the front and back of my t-shirt I made for DEFCON 23.  CustomInk is so cool.

Hacked Meme, is my frustration at the card industry and retailers around their response to mass customer exploitation.  Often retailers offer identity theft protection as a remedy for a time period after the incident.  The problem with the approach it does not address customer concerns – prevention.  Retailers provide no idea what went wrong or even why customers should trust them again.

operating-room-appsec.jpgApplication Security Meme, the point here is that many people make judgement calls on security that should be consulting a professional.  A business leader who “thinks” they understand security can destroy a security program before it even begins.  If you can’t afford a professional perhaps you can find some free advice or work a deal to get some ideas for future positive directions.  Be a detective, find a pro on OWASP, and message them on LinkedIn.  Sure, we all need to eat but almost all my friends don’t mind answering a free question or two to see someones project move in a positive direction.  Security professionals are like doctors in the sense that we are cyber health professionals and promote application health for the betterment of society.

Article image: Happy New Year! by Rones on ClipArt.com

Take a look at these Google search terms people use to locate my site.  Securitycurmudgeon.com, is appropriate.  Traffic lights, makes sense since I had an article about hacking traffic lights.  Think outside the keyboard, getting colder.  Null, freezing cold.  People searching for null find my site?  Seems more believable it’s a Google search or Blogger bug.  Hum, what can we do with this?

–Milton 

I have been blogging for about two years now and written one-hundred published posts on all matter of security and privacy subjects.  In fact, this is post one-hundred.  I enjoy writing on the side so I took up blogging mostly as an experiment.  If your interested to learn more about my experiences security blogging please read on.

Following are some of my top articles over the last two years, some figures related to readership, and some lessons learned along the way you may find useful for your blogging.  Feel free to send me any of your lessons learned or ideas for improvement.  Any lessons I don’t have to learn painfully on my own are welcome, i’m serious.

Top 5 Pageviews

Following are the top blog articles with the highest number of pageviews and a small synopsis for those interested.

1) Tracking Aircraft on Raspberry PI
Hardware and software project combining Raspberry Pi micro-controller, RLT software defined radio, and dump1090 software into an ADS-B commercial aircraft receiver

2) So You Want to be a Security Professional?
Information about the security profession those exploring a new career in security.  Various roles in security and challenges common throughout the profession are covered

3) The Most Difficult Thing About Raspberry Pi
My experience building a Raspberry Pi micro-controller with 2.8″ TFT

4) Measuring Internet Connection Throughput
Java program to measure Internet connection bandwidth over time

5) Google Hacking — Blast from the Past
Use of Advanced Google commands to find information of interest.  Has helpful implications in day to day searching but I also provide some thoughts and examples what Internet adversaries can do.

Chart: securitycurmudgeon.com pageviews permo

Monthly Pageviews

The chart (on left) shows the pagesviews since July 2010.  I think the chart is not entirely accurate for a few reasons, 1) I didn’t start blogging about security until a couple of years ago, 2) I moved the site to WordPress for a short period (gap in coverage), 3) pagesviews in last 30-days top almost 6000.  Still it’s useful to get some idea for an overall trend.

Lessons Learned

There are many lessons learned about building an operating a web site and I will share some of them.
Link Allergies
Readers don’t like to navigate too deeply for content.  The lesson learned, if you want readers to see something then place all the content on a single page.  Pageviews drop precipitously with each degree of separation from the primary post.

Cross-Referencing Related Content
Often readers may not know about other related content.  Including a link or two to other related articles or follow-ups is sometimes helpful to readers.  Everything must be considered from the readers perspective.

Small Posts Published Regularly
Most people prefer small regular posts as opposed to massive multi-page articles.  It makes sense given the amount of competition for reader attention.  Sometimes a post of only a few sentences at the right moment in time can have tremendous positive impact.
More Posts = More Views = More Readers
You may think that readers read only the new content but you would be surprised.  Readers also read older content.  With search engines, readers can land on any of your posts and often do.  Each post developed is one more reason readers have to visit your site.  Consider each post an asset with a long shelf life.

Do Something
Personal opinion is great but reader attention is a precious commodity.  Readers like news, technical articles, projects that have practical value or at least interesting to them.  Some amount of personal opinion provides style for your site but too much is perceived as fluffy, not useful, and perhaps even a waste of reader time.
SEO & Promotion
Promotion sucks but it’s unfortunately absolutely essential.  Without some promotion even the best articles in the world will go completely unnoticed.  Promotion is messy business, especially self-promotion, since it’s a complete turn-off to readers.  Expanding your reach by providing presentations, articles, and books is an investment since content may be long lasting and boost pageviews to your blog.  You need to be concerned with SEO or the search engines will forget about your site.  Yoast makes a SEO plugin for WordPress but they also provide some information information about SEO in general.  It’s worth educating yourself.

If you have a passion for security and like to write then blogging is a powerful tool.  If your mostly interested in fame and fortune and driving Ad revenue to pay your bills you will need to choose a subject with broader appeal or at least it would be safer bet to do so.

At almost 6000 pageviews per month and growing, securitycurmudgeon.com is far better than I ever expected for a defensive blog on application security.  Outside of the world largest security conferences like RSA, Blackhat, DEFCON, Gartner, etc.  Many security conferences have less than 2000 attendees and many even less than that.  I try to image everyone at a conference like that reading this blog, phew, crazy.  Of course, pageviews is not the same thing as number of readers.  Some readers read more than a single page so the 6000 pageviews is definitely less readers.  Still even if number of monthly readers is half the number of pageviews it’s far more readers than I ever thought would be interested in security and privacy.

The only reason I care about pageviews is that it’s a rough gauge of reader interest in securitycurmudgeon.com.  It’s every writers desire to craft content readers find interesting and relevant.  Security and privacy is a passion of mine and likely yours if your reading.  Thanks for following along over the years and I look forward to continue for many more.  It’s been a pleasure to write for you, sincerely!

–Milton