It’s official!  The OWASP organization announced my candidacy for the 2015 Global Board of Directors.  If you’re an OWASP member, vote for your candidates any time between October 7th and October 23rd.  The results of the election are shared on October 28th.  To learn more about the election and process, see the OWASP site.

What’s OWASP?
OWASP (Open Web Application Security Project) is one of the world’s largest groups of web application security practitioners.  Essentially, we are people passionate about securing the software applications you use on the Internet every day.  OWASP is most famous for the OWASP Top 10 Project, which helps software developers understand the most common weaknesses found in web applications.  Other projects like the ASVS (Application Security Verification Standard) Project provide a basis for testing web application technical security controls.  OWASP runs conferences and local chapters throughout the world to educate the public on application security, and provides many resources for security and engineering professionals engaged in building and protecting software applications.

Who are the 2015 candidates?
Abbas Naderi Afooshteh
Tom Brennan
Jonathan Carter
Michael Coates
Bil Corry
Tobias Gondrom
Nigel Phair
Josh Sokol
(and me) Milton Smith

I am excited to be considered a candidate for the 2015 Global Board of Directors.  But most of all, I am excited about the opportunity to serve the community of developers, security practitioners, and industry at large.

Take a look at these Google search terms people use to locate my site.  Securitycurmudgeon.com is appropriate.  Traffic lights makes sense, since I had an article about hacking traffic lights.  Think outside the keyboard: getting colder.  Null: freezing cold.  People searching for null find my site?  It seems more believable that it’s a Google search or Blogger bug.  Hmm, what can we do with this?

–Milton 

I have been blogging for about two years now and have written one hundred published posts on all manner of security and privacy subjects.  In fact, this is post one hundred.  I enjoy writing on the side, so I took up blogging mostly as an experiment.  If you’re interested to learn more about my experiences security blogging, please read on.

Following are some of my top articles over the last two years, some figures related to readership, and some lessons learned along the way that you may find useful for your own blogging.  Feel free to send me any of your lessons learned or ideas for improvement.  Any lessons I don’t have to learn painfully on my own are welcome, I’m serious.

Top 5 Pageviews

Following are the top blog articles with the highest number of pageviews and a small synopsis for those interested.

1) Tracking Aircraft on Raspberry PI
Hardware and software project combining a Raspberry Pi single-board computer, an RTL software-defined radio (RTL-SDR) dongle, and the dump1090 software into an ADS-B receiver for commercial aircraft

2) So You Want to be a Security Professional?
Information about the security profession for those exploring a new career in security.  Various roles in security and challenges common throughout the profession are covered

3) The Most Difficult Thing About Raspberry Pi
My experience building a Raspberry Pi single-board computer with a 2.8″ TFT display

4) Measuring Internet Connection Throughput
Java program to measure Internet connection bandwidth over time

5) Google Hacking — Blast from the Past
Use of advanced Google search operators to find information of interest.  Has helpful implications for day-to-day searching, but I also provide some thoughts and examples of what Internet adversaries can do with the same operators.

Chart: securitycurmudgeon.com pageviews per month

Monthly Pageviews

The chart (on left) shows the pageviews since July 2010.  I think the chart is not entirely accurate for a few reasons: 1) I didn’t start blogging about security until a couple of years ago, 2) I moved the site to WordPress for a short period (gap in coverage), 3) pageviews in the last 30 days top almost 6000.  Still, it’s useful to get some idea of the overall trend.

Lessons Learned

There are many lessons learned about building and operating a web site, and I will share some of them.

Link Allergies
Readers don’t like to navigate too deeply for content.  The lesson learned: if you want readers to see something, place all the content on a single page.  Pageviews drop precipitously with each degree of separation from the primary post.

Cross-Referencing Related Content
Often readers may not know about other related content.  Including a link or two to related articles or follow-ups is helpful to readers.  Everything must be considered from the reader’s perspective.

Small Posts Published Regularly
Most people prefer small regular posts as opposed to massive multi-page articles.  It makes sense given the amount of competition for reader attention.  Sometimes a post of only a few sentences at the right moment in time can have tremendous positive impact.

More Posts = More Views = More Readers
You may think that readers read only the new content, but you would be surprised.  Readers also read older content.  With search engines, readers can land on any of your posts and often do.  Each post developed is one more reason readers have to visit your site.  Consider each post an asset with a long shelf life.

Do Something
Personal opinion is great, but reader attention is a precious commodity.  Readers like news, technical articles, and projects that have practical value or are at least interesting to them.  Some amount of personal opinion provides style for your site, but too much is perceived as fluffy, not useful, and perhaps even a waste of reader time.

SEO & Promotion
Promotion sucks, but it’s unfortunately absolutely essential.  Without some promotion even the best articles in the world will go completely unnoticed.  Promotion is messy business, especially self-promotion, since it’s a complete turn-off to readers.  Expanding your reach by providing presentations, articles, and books is an investment, since that content may be long lasting and boost pageviews to your blog.  You need to be concerned with SEO or the search engines will forget about your site.  Yoast makes an SEO plugin for WordPress, but they also provide some information about SEO in general.  It’s worth educating yourself.

If you have a passion for security and like to write, then blogging is a powerful tool.  If you’re mostly interested in fame and fortune and driving ad revenue to pay your bills, you will need to choose a subject with broader appeal, or at least it would be a safer bet to do so.

At almost 6000 pageviews per month and growing, securitycurmudgeon.com is doing far better than I ever expected for a defensive blog on application security.  Outside of the world’s largest security conferences (RSA, Black Hat, DEF CON, Gartner, etc.), many security conferences have fewer than 2000 attendees, and many even fewer than that.  I try to imagine everyone at a conference like that reading this blog, phew, crazy.  Of course, pageviews are not the same thing as number of readers.  Some readers read more than a single page, so 6000 pageviews is definitely fewer readers.  Still, even if the number of monthly readers is half the number of pageviews, it’s far more readers than I ever thought would be interested in security and privacy.

The only reason I care about pageviews is that they are a rough gauge of reader interest in securitycurmudgeon.com.  It’s every writer’s desire to craft content readers find interesting and relevant.  Security and privacy is a passion of mine and likely yours if you’re reading.  Thanks for following along over the years, and I look forward to continuing for many more.  It’s been a pleasure to write for you, sincerely!

–Milton

My quest for TLS on Blogger continues.  CloudFlare indicates their product supports HTTPS with Blogger.  Yes, it does support Blogger, but not out of the box and not completely securely.  If you desire a secure solution with HTTPS/TLS you will need a solution other than the Pro plan.  It’s not even clear to me that their other solutions would work either.  For those interested in the details, read on.

Photo 1: CloudFlare page rules

CloudFlare setup for HTTPS was easy enough.  After making a few DNS changes the night before (hold my breath), I created a couple of easy page rules to switch over to HTTPS.  Page rules identify which URLs on your site are in scope for a particular CloudFlare feature, such as redirecting to HTTPS.  CloudFlare does not support regular expressions in page rules, but it does support the basic asterisk wildcard (e.g., *), photo 1.  After I entered the rules shown, most of my site was using HTTPS.  Shortly after I applied the new rules I received some mixed content warnings from readers.

Photo 2: OWASP Zap Proxy

To identify the mixed content, I used OWASP ZAP Proxy to review the content being loaded.  ZAP Proxy is an OWASP tool that runs on your desktop to monitor HTTP(S) network traffic between your web browser and web servers.  ZAP allows you to view HTTP requests and responses, and edit them if you wish.  Note the results from my ZAP run in photo 2.  Shown are several unprotected blogspot.com and blogblog.com URLs.  These are resources loaded by Blogger, and they are not being rewritten by CloudFlare because they don’t fit my page rule spec.  Nothing is broken yet, but the page is still loading images, scripts, and stylesheets over plain HTTP, so anyone able to tamper with those requests can alter what the reader sees on a page the browser labels as HTTPS.

You might think you could fix this by adding a page rule like http://*.blogspot.com to those in photo 1, but you would be wrong.  Any combination of wildcards with the asterisk up front ends in disappointment.  Contrary to the instructions, leading wildcards are not supported in the Pro plan at all.  To work around this I created a test rule like http://1.bp.blogspot.com/.  This page rule did not work either.  When the rule is entered, CloudFlare produces a warning indicating that rules must apply to your own site, securitycurmudgeon.com in my case.  At this point I contacted the company, who returned a prompt response.  CloudFlare’s advice was not very helpful, since Blogger site admins like me don’t have the level of control over their site URLs required to fix this.

Unfortunately, mixed content security is even more dangerous than no security at all, since it sets a false expectation of security.  If someone else has an idea please ping me, but I don’t think this is an easy fix for me.  I need to figure out something else.  I’m tempted to run my own server, but that comes with some IT headaches of its own.  Back to the drawing board.
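The two steps above (spotting the http:// subresources ZAP shows, then working out which of them a page rule on your own zone could ever redirect) can be scripted.  The following Python is an added example written for this page; it is not code from the post, CloudFlare, or ZAP.  It parses an HTML page, lists every subresource that would be fetched over plain HTTP, labels each as active mixed content (scripts, stylesheets, frames, which browsers block) or passive (images and media, which browsers load with a warning), and then applies a simplified model of a CloudFlare-style asterisk-only page rule together with the "rule must be in your zone" restriction the post ran into.  The sample HTML, the paths, and the two page rules are constructed for the demo; only the hostnames (securitycurmudgeon.com, blogspot.com, blogblog.com) come from the post, and photo 1 and photo 2 are not reproduced here.

```python
"""Mixed-content triage for an HTTPS page fronted by a CloudFlare-style proxy.

Added example for this post; it is not code from the blog, CloudFlare or ZAP.
It (1) lists subresources an https page loads over plain http, (2) labels them
active (browsers block these) or passive (browsers load them with a warning),
and (3) checks whether a '*'-wildcard page rule on our own zone could rewrite
them.  All URLs, paths and page rules below are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> (URL attribute, mixed-content class).  The split follows the W3C
# Mixed Content categories: scripts, frames and plugins are "blockable"
# (active), images and media are "optionally blockable" (passive).
SUBRESOURCES = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class SubresourceParser(HTMLParser):
    """Collect (tag, absolute URL, class) for every subresource load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Only stylesheets are active content; icons etc. are ignored here.
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel and a.get("href"):
                self._record(tag, a["href"], "active")
            return
        if tag in SUBRESOURCES:
            attr, kind = SUBRESOURCES[tag]
            if a.get(attr):
                self._record(tag, a[attr], kind)

    def _record(self, tag, url, kind):
        # urljoin resolves relative and protocol-relative ("//host/x") URLs
        # against the page, as the browser does; "//" URLs inherit https.
        self.found.append((tag, urljoin(self.page_url, url), kind))


def find_mixed_content(page_url, html):
    """Subresources of an https page that would be fetched over plain http."""
    parser = SubresourceParser(page_url)
    parser.feed(html)
    return [f for f in parser.found if urlparse(f[1]).scheme == "http"]


def page_rule_matches(pattern, url):
    """Simplified model of a CloudFlare page rule: '*' is the only wildcard,
    no regular expressions.  This is not CloudFlare's own matching code."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, url) is not None


def rule_in_zone(pattern, zone):
    """CloudFlare only accepts page rules whose host is in your own zone,
    which is why a rule naming another site's hostname is rejected."""
    host = urlparse(pattern).hostname or ""
    return host == zone or host.endswith("." + zone)


def triage(page_url, html, zone, rules):
    """For each insecure load: its class, and whether one of our page rules
    could redirect it.  Anything not fixable needs a change on the other site."""
    report = []
    for tag, url, kind in find_mixed_content(page_url, html):
        fixable = any(rule_in_zone(r, zone) and page_rule_matches(r, url) for r in rules)
        report.append({"tag": tag, "url": url, "kind": kind, "fixable_by_page_rule": fixable})
    return report


# --- constructed sample data (hostnames follow the post, paths are made up) ---
PAGE_URL = "https://securitycurmudgeon.com/2014/10/example-post.html"
ZONE = "securitycurmudgeon.com"
RULES = [  # assumed "always use HTTPS" rules; photo 1 is not reproduced here
    "http://securitycurmudgeon.com/*",
    "http://www.securitycurmudgeon.com/*",
]
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.blogblog.com/example/theme.css">
<script src="http://www.blogblog.com/example/widgets.js"></script>
</head><body>
<img src="http://1.bp.blogspot.com/example/photo1.png">
<img src="http://securitycurmudgeon.com/example/logo.png">
<img src="//3.bp.blogspot.com/example/photo2.png">
<img src="https://securitycurmudgeon.com/example/safe.png">
</body></html>"""

if __name__ == "__main__":
    for row in triage(PAGE_URL, SAMPLE_HTML, ZONE, RULES):
        print("{kind:7} {tag:6} fixable={fixable_by_page_rule!s:5} {url}".format(**row))
```

Run stand-alone, the script reports four insecure loads: the stylesheet and script from blogblog.com (active, not fixable), the blogspot.com image (passive, not fixable), and the securitycurmudgeon.com image (passive, fixable by the zone's own rule).  The protocol-relative and https image URLs are not mixed content at all, which is why switching a template's hard-coded http:// URLs to protocol-relative ones is the usual fix when you control the template.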

–Milton

A short administrative message about this site, only for those interested.  Over the years readership of Securitycurmudgeon.com has grown significantly.  I have been particularly concerned about the lack of transport security (e.g., HTTPS) available on Blogger, about keeping readers’ computers secure, and about ensuring the content I develop is the content delivered to readers’ desktops.  I decided to give CloudFlare a try.

With CloudFlare the browser session is protected via HTTPS/TLS between the user’s web browser and the CloudFlare cloud service.  The connection is unencrypted between CloudFlare and the Blogger web servers.  CloudFlare calls this their Flexible SSL encryption option, which is really TLS.  Of course, the best solution is to have the entire transport path encrypted, but it’s not possible at this time.  TLS to users’ desktops mitigates most man-in-the-middle concerns from most attackers, namely anyone on the network between the reader and CloudFlare.  The solution does not defend against attackers who can reach the unencrypted leg between CloudFlare and Blogger, such as Internet service providers and governments, who could still read or modify the page even though the reader’s browser shows it as HTTPS.  Still, some security is always better than no security.

Perhaps with Google’s emphasis on HTTPS, including increased priority for HTTPS sites in their search engine, they will someday consider moving Blogger to HTTPS.  I’m not trying to disparage Google for the lack of HTTPS support on their free service; I’m interested in mitigating my security concerns.  With the low monthly price of CloudFlare I decided to give it a try.  If something is broken or not working as expected, my About page has information on how to reach me.  This is a work in progress.  If anyone has any tips on CloudFlare or otherwise, feel free to send them along.

–Milton