two factor authentication: cooler than disco

The Road-show - Places I'll be:

The Artist Currently Known As "Marcus Ranum" is the Chief Security Officer of Tenable, the world's leading vulnerability management and network monitoring company.

Thought of the Moment:

Do not irritate druids. They have ways.


News and Stuff:

Edgertronic Camera: Review
I've always had a love for slow-motion; don't know why, but I do. I recently finally managed to acquire a high-speed camera that does quality captures at an amazingly affordable price. Here's my review.

I Won't Speak at Conferences Unless They Have an Anti-Harassment Policy
The amazing John Scalzi did it before me, which is great timing because I was wrestling with this issue myself a few months prior. There are three communities I hang out in: computer security, science fiction, and skepticism - and in the last year every one of them has had a great big blow-up surrounding sexual harassment at conferences. Being a popular conference speaker gives me a tiny bit of leverage with conference organizers, so I am doing what I can to help nudge things in a better direction. (more extensive posting about my opinions: here)

The Rearguard Has Fallen
I've decided to take down/discontinue the Rearguard Security Podcast. Why? Because I just didn't have the time to keep up with it; I spend enough time talking at conferences that I don't want to spend time at home sitting around rehearsing and editing audio of myself. And I'm too concerned with quality to just do quick and dirty recordings. The old site is here.

RVASec 2012

A Perspective on RSA Conference Marketing
From my perch atop a pair of platform shoes.

Update to "DIY Dealy"
This is incredibly embarrassing, but there was a technical mistake in my article on how easy it would be to make Oswald's shot. I was off by a factor of 3! 160 yards is not the same as 160 feet!

Hitler PCI Auditor
Sequel to the Hitler Cloud Computing video; now Dolph1 is checking out Heinrich's VLANs and log aggregation system. If you want to download it, or if Youtube blocks it, you can get it here.

Parsing Cyberwar
The good people at the Fabius Maximus website are publishing a series I'm writing on cyberwar.

I Have Joined The Dark Side
Let this be my public "I was wrong" - I have told a bunch of you "I will never use twitter" but instead I've decided to kill my facebook account and start using twitter to update mostly security/technical stuff, articles I publish, speaking engagements, and whatnot. I will not post about my bowel movements or what I had for lunch. I will occasionally post weird things. If you're into twitter, my page is here.

Some Thoughts about Same-Sex Marriage
It must be difficult to be homophobic; you're either forced to admit that you haven't got a leg to stand on, or you're stuck arguing that your opinion defines "normal" for the rest of us. I conclude with some personal observations about my own reactions to "gay porn".

Cyberwar - Once Again Putting Civilians on the Front Lines
Article in SC Magazine UK. If the militarists are serious that cyberwar is the next battleground, shouldn't they be getting off the civilian internet? Relying on civilian infrastructure amounts to hiding behind human shields: my data networks are not your military target.

RSA 2012: Cyberwar You're Doing It Wrong

Software Liability - debate with Bruce Schneier at RSA 2012

The Future of Cyber-Warfare (Voice of Russia)

CEO Optimism can be a security risk
Forbes Magazine - As a security practitioner, I don't know how many times I've participated in discussions around the potential for system failure when considering the adoption of a new technology. On one side is the security perspective: the new technology is unproven, unpredictable and could result in an expensive failure. On the other side is the proponent's perspective: the new technology will make things easier, save money and impress customers.

Cyberwar: You're doing it wrong
Interview with me at RSA 2012, by Tripwire

Why I have resigned from SANS NewsBites editorial board
The most recent issue of NewsBites had a short article added to it after the normal "editorial process" that contained some unsubstantiated hearsay. In the past, I have tried to encourage NewsBites to maintain a degree of journalistic integrity, inserting words like "alleged" or making it clear when the sources are not on record. I value my own credibility too highly to be listed on the editorial board anymore.

EMCTV - RSA Conference Interview
My hair is a terrible mess. Don't tell me.

Interview at IctQATAR, Doha 2011

My Chernobyl Journal
I got a chance to make a field-trip to someplace unique: the blown up reactor at Chernobyl and the abandoned city of Pripyat. Who could say "no"?

Columns on Fabius Maximus website
Because of some trenchant comments I posted on the FM site, I've been invited to be a periodic columnist there, on the "cyberwar" beat. I'm not sure that I, a lefty-pacifist anti-statist, really fit in with that crowd, but it's a site I enjoy reading so I consider it an honor to write for them.

It's about the ART damn it!
Interview with me at zillionarts.com, here.

Bank Information Security Podcast
Interview with me, here.

Shifting Creative Tracks
Recently, I've been experimenting with Henry Fox Talbot's ambrotype process. Why? Because it produces results that are unique. And it's fun for people who like to get their hands dirty.

Hitler Learns about Cloud Computing
This was Gunnar's idea. Really. I swear. I just did the video editing and wrote a lot of the script.
Update: Youtube may have taken this video down - but you can still see it here. Feel free to host your own copy if you like, just please credit me and Gunnar appropriately.

Interview with Northwest Florida Arts Association
We did this interview as an online chat, and it turned into a 3-hour-long back-and-forth. This version is edited down and decorated.

mjr@TEDx, Mid-Atlantic

When TED invited me to do a talk, I was in a bit of a panic. The initial request was that I do a talk about the Department of Homeland Security, based on my rather unsuccessful book "The Myth of Homeland Security." I explained that if TED is supposed to be forward-thinking and optimistic, it would probably be a bad idea to stand up and say "I told you so" and point and jeer. So I asked if I could do a sort of historical talk, instead. The idea behind this talk has been in the back of my mind for the better part of a decade, ever since I started looking closely at FTP, and wondering "if the guys who coded that knew it'd be around for this long, would they have done it differently?" As Ray Wylie Hubbard says: "the most important thing about songwriting is, when you finish a song, to ask yourself if you still want to be playing it 25 years later." As I look at computing, I see these kinds of simple "tiny" mistakes all over the place - and they are constantly costing us insane amounts of effort to maintain and deal with. We have become curators. Curators in The Museum Of Bad Software.

Cloud Computing Security

Everyone wants to weigh in about cloud computing and whether it's a security problem. After about the 200th time I got asked, I decided to produce a short little video spot explaining the real issues. As you can tell, I think cloud computing has some security implications, but nobody really has a handle on what cloud computing even is.

White Hat World Podcast/Interview on Penetration Testing
It happens every time! Someone wants to debate me about my views regarding penetration testing and, about 20 minutes later, they realize that they're violently in agreement with me. The question remains one of method. We had a good discussion and you can hear the whole thing here.
Here's the problem in a nutshell: I say "current approaches aren't working," and everyone agrees. They then proceed to talk about how we need to amplify our efforts in pursuing the current approach. It remains obvious to me that evolutionary approaches to system security are doomed to fail; we need to turn problems on their heads - otherwise we're just riding on the gravy train of failure.

I keep repeating myself:

I've been patiently challenging the established "wisdom" that cyberwar is a "force multiplier" that nation states might reach for. Fear-mongering or attempts to dismiss the argument are all you'll get, usually. This video, done for AT&T, was shot in November, 2007.

5/2009: CyberWar is bull!*&$*#t
I gave a talk explaining why conventionally marketed cyberwar is nonsense; it wasn't a popular view. Oddly, however, most cyberwar proponents can't seem to refute my argument(s) - they just change the goal-posts, or definitions, or try to dismiss them as "what does he know, anyway?" (Other than reading about 60 metric shelf-loads of books on military history and theory, and serving in the army? Nothing) The talk is here. Some feedback is here.

(Older Stuff)