Jun 2 2010

Gliffy, the popular online Visio replacement, makes you pay for an SSL login

Update: So as you can see from the comment section, Chris Kohlhardt, the CEO of Gliffy, took the time to reply and set the record straight from their end. Their login process is SSL-enabled for all; their statement of “Secure SSL login” only for Premium accounts is apparently an error in… semantics? It’s not really up to me to figure out whether the person who wrote that site copy is unaware of the difference between a ‘secure SSL login’ and ‘secure browsing’, but I’d at least say to get that changed and not expect consumers to view the HTML source to find out the truth.

As I was logging into Gliffy today for the first time in a few years, I noticed that there were two buttons to submit the login form with: one for a ‘basic’ login and one for a ‘secure’ login. To me, a secure login in 2010 is a basic login. The people behind Gliffy, however, believe that protecting your login credentials is worth at least $5/mo to you.

In a business model that offers both free and paid accounts, I feel that a company should make you pay for added features, storage, or accessibility to data that you are using their site for. I, like most people, realize that ad-based sites aren’t the preferred option. A site like Gliffy allows for many areas to make users pay for ‘more’. The number of documents you are able to store, file upload size limits, the number of users allowed to access your files. With all of these major points of wanting to upgrade, why nickel-and-dime our security?

It’s appreciated whenever a company offers free service, of any magnitude. What’s not appreciated, however, is when a company feels that they should charge you to securely give your username and password to a form. The sharing of data networks is only continuing to grow and, as such, a vast majority of web sites (reputable ones, at least) at the very least encrypt your login credentials. Whether they encrypt all data during your session is a whole different matter, but most can agree that protecting credentials is a general necessity.

This isn’t meant to be a launch point for ‘well SSL is useless anyways’. SSL for credential logins is useful in the vast majority of situations people actually deal with every day. At this point in the Internet and networking, not allowing someone to choose to log in securely with personal credentials for a reputable and fairly well-known (for the context) company is ridiculous.

Lastly, I am not complaining that the Gliffy site doesn’t run in SSL for all content, merely that an SSL login should be provided, free of charge, to anyone using their service. This is a standard practice for most web sites and Gliffy should step up and do the right thing for everyone’s privacy.
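As the update notes, the only way for a user to confirm where a login form really sends credentials is to read the page source. The following is an added example (not Gliffy’s code) that performs that check programmatically for every form containing a password field; the sample markup, the `example.test` hostname and the use of a per-button `formaction` attribute are assumptions, not Gliffy’s actual page.

```python
# Added example, not Gliffy's code: report, per submit control of a login form,
# whether the credentials would be POSTed over HTTPS (the "view source" check).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed sample modelled on a "basic"/"secure" two-button login; the
# markup and hostname are assumptions, not Gliffy's actual page.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="password" name="password">
  <input type="submit" name="basic" value="Login">
  <input type="submit" name="secure" value="Secure Login"
         formaction="https://example.test/login">
</form>
"""
class LoginFormParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "has_password": False, "submits": []}
            self.forms.append(self._form)
        elif self._form is not None and tag in ("input", "button"):
            kind = (a.get("type") or ("submit" if tag == "button" else "text")).lower()
            if kind == "password":
                self._form["has_password"] = True
            elif kind == "submit":
                # A control's formaction overrides the form's action for that button.
                target = a.get("formaction")
                url = urljoin(self.page_url, target) if target else self._form["action"]
                self._form["submits"].append((a.get("name") or "submit", url))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_login_forms(html, page_url):
    """Return [(button_name, target_url, is_https)] for every password-bearing form."""
    parser = LoginFormParser(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # A form with no explicit submit control still submits to its own action.
        for name, url in form["submits"] or [("form", form["action"])]:
            findings.append((name, url, urlsplit(url).scheme == "https"))
    return findings
```

Run against the sample fetched from an `http://` page, the ‘basic’ button resolves to a plaintext target and the ‘secure’ button to an HTTPS one, which is exactly the distinction the site copy blurs.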


Apr 19 2010

NOTACON 7 (2010) continues to deliver a unique experience

It’s been a while since the stars aligned and I made it out to NOTACON. More important than the conference though, are the people who make the conference more than just another U.S. technology “to-do”. NOTACON is, has been, and I hope will continue to be, one of the most interesting mixtures of talent and brilliance you can ask for. When I last attended the conference, I was still working with the core team to put the whole weekend of insanity/fun together — this time, I was just a presenter and attendee.

This year’s conference really gave me a smack on the head. It reminded me of not only how many friends and colleagues I had missed, but also the blast of energy you get by seeing so much passion for such a diverse group of topics in one short weekend. NOTACON allows someone like myself to speak about education, while another person is showing off their electronically-infused clothing, and another to do demos of PDF exploitation. Few places short of a local hacker-space will you find such a menagerie of content.

Presentations That Rocked
To start, I thought Sacha DeAngeli’s presentation called “Mine’s Smaller Than Yours: Nanotechnology and Chemistry in a DIY Setting” was super interesting and appropriate for this kind of conference. He combined not only live chemistry on a topic most people were fairly captivated by, but also integrated the message that we really need to save chemistry experimentation as a culture. He had great parallels between ‘hackers’ and chemists (hobby and professional), invigorating at least my opinion that saving chemistry as something that everyone should dabble in as part of their youth is important. Toss it up there with music education as something that is being cut out of schools in lieu of safer and cheaper alternatives — computer simulated chemistry. Boring.

It was really fun to see int eighty (who’s the rapper for Dual-Core) drop the mic, so to speak, and instead give a really easy-to-follow explanation and demonstration of how to deconstruct PDF files and look for potentially malicious code streams. His presentation had great structure and provided the tools to follow along with his demonstrations, making for an interactive presentation that was really fun to watch. He was both humbled by the work of others in this field (such as the often mentioned Didier Stevens) and highly competent on the topic, making for an enjoyable hour. It was great to see someone I’ve watched rap so many times really come into his own in another light.

Saturday started early with Adrian Crenshaw covering aspects of Anti-Forensics. While I had personally heard a lot of these areas in a previous Cybercrime class, it was nice to get a more technical overview of some techniques. He provided some interesting notes about ‘data recovery’ and I really enjoyed his muted humor throughout. Seems like a really nice guy in general, too.

Later in the day, I was really impressed with James Arlen, Chris Clymer, Mick Douglas, and Brandon Knight’s skit-based presentation called “Social Engineering Security Into Your Business”. It was a collection of situations in which they demonstrated the right & wrong ways to have security people interact with various members of their company/organization. In one example, they showed how and how not to speak with a developer about an XSS issue. Another, they spoke to management about purchasing a new product to help their infrastructure. I found their examples and dialogs both realistic (at least 90% of it) and accurate to situations I have been in. Frankly, some scenes were uncanny! They did a great job of integrating humor and reality. I think they certainly got a message across which is very important: don’t be an asshole if you want to get stuff done.

The end of the day consisted of “Surviving the Zombie Apocalypse”, another in the series of conference talks put on by Tom Eston, Chris Clymer, and Matthew Neely. Hilarious as ever, and now with costumes, props, and a cast of zombie actors. A great 30 minutes of just pure fun and energy. Might I add, this was just prior to my own presentation so I appreciated not only the relaxing fun it provided for me, but also that they were done way before my presentation, which gave me extra prep time.

My presentation, “What’s a Linux?: Creating & teaching college courses at 24”
I was pumped to be able to speak to what was quite a large crowd in the palace east room of the hotel. While it was the smaller of the two rooms, it seemed to be quite filled, which was great. I’d guess probably 40+ people showed up and they were all really attentive, appreciative, and fun. It seemed like everyone enjoyed my random humor and appreciated what I had to say on education in general. It was a really rewarding experience. I hadn’t spoken at NOTACON since 2005 so I was both glad to be back at the conference as an attendee and pumped to have had another opportunity to talk about something I was passionate about. A sincere thanks again to everyone who attended my presentation as well as everyone who was wearing my uncompiled.com stickers throughout the weekend!

As promised, here are my presentation slides in PDF and if anyone has any questions or follow-ups, feel free to give me a shout. My e-mail is mark.stanislav@gmail.com and my Twitter is mstanisl. It was great seeing so many of you guys again and even better meeting a lot of great new people as always. Feel free to send me any pictures or video you have from my presentation; I appreciate it.

See everyone next year!


Oct 30 2009

DHS Cyber Security Seminar in Ann Arbor, MI

Today, Eastern Michigan University’s Information Assurance program worked with the local technology company Compsat to bring together students, businesses, and government employees to learn more about the evolving landscape of information security in the United States.

This month is National Cybersecurity Awareness Month, but the rallying cry of this event and others like it is that the idea of being proactive about our computing infrastructure should be year-round, without exception. As one of the presenters stated early on in the day, “This is not an event, it’s a lifestyle change”.

A majority of the event was framing security around Industrial Control Systems (ICS). ICSs represent technology in our elevators, amusement park rides, energy systems, and other relevant components to the modern life of all people. Much of the content throughout the day was relating ICS installations to that of typical information security with computer networks. ICS deployments have themselves a massive amount of protocols, interfaces, and other technical aspects that make the comparison between general IT and ICS fairly obvious. That said, it was presented that the real differences come in at an operational level.

Much of the discussion regarding ICS security was presented by Bryan L. Singer, whose company Kenexis deals heavily in this space for industries all over. Through his original backgrounds in both the military and information security, Bryan understands better than most the relevant differences between ICS security and the general information security of computer networks. While an information security specialist may want to throw an IPS into a situation, Bryan speaks to the fact that false positives that may shut down ICS deployments, even temporarily, are unacceptable in most cases. While much traditional IT thought applies, it doesn’t always apply in a direct way.

In ICS, milliseconds matter more than easily deployed security systems. For instance, password-protecting a safety shut-off control may risk lives. In IT security, password-protecting everything is common. This and other examples showcase where the overlap ends and business needs begin between IT security and ICS security.

The Department of Homeland Security has also created a tool called CSET which helps organizations examine their security for control systems. Moreover, they will come and do free assessments for organizations who want to be proactive about security.

The event was a success for many reasons. Foremost, many students got to enjoy technical presentations on topics they may not otherwise have had any clue about. Secondly, the university was able to network with businesses to help place students for internship and co-op positions. Lastly, the event was a great place to network with other people in the industry, share experiences, and make new contacts.


Oct 29 2009

fivebean.com – What a VPS Company Should Be

After deciding to bring back uncompiled.com, my first decision to make was “where do I host it?” In 2002, the decision for a random web site I was learning how to do web programming with was simple: put it on my home server. Seven years later, I’d like to believe my purpose is stronger and so is my budget. That said, my budget was still less than $20/mo as I highly doubt this will net me any revenue.

Being that I fancy myself a system administrator, the idea of using a generic web hosting account was kind of sickening. My only real choice at this point for the price I was looking for was to get a VPS (Virtual Private Server) account somewhere. I immediately thought “Cool! But wait, I’ve never bought one — who do I even go through?”

So began a search involving copious Googling, firing off Tweets and Facebook posts hoping for advice, and generally, a feeling like I was wading through the endless supply of hosting companies. I decided to put together a basic list of what I wanted from a VPS company and see what I could find.

My VPS Company Wants

  1. Based in the USA
  2. $20/mo or less
  3. In business a few years
  4. Positive reviews online
  5. Competitive features
  6. Simple process
  7. A decent web site (yes, really)

While I did receive a slim number of recommendations, I found that the pricing for the average “big name” VPS company was a bit much for what they offered. Once I cut away the forest of VPS brand names, I started to compare & contrast about 10 smaller companies, each with their individual perks and price points. One decision that I had not yet made was “What OS do I really want to run?”. This question was mostly settled for me when I found that FreeBSD VPS companies were fairly expensive for the features they were offering. I decided on just going with Debian as it was a fitting choice for a low RAM box (as VPS allocations generally are).

This is where things really got gritty: deciding what sets apart 5 VPS providers that seemingly have very similar services and pricing. As I started to narrow things down, fivebean.com started to stand on its own.

A Michigan-based company near Grand Rapids, I was immediately pulled in by geographic pride to support a company local to my home state. That being said, pride does not outweigh quality and pricing. Starting to do some quick research (read: googling) I noted quite a number of positive reviews for them. Snippets about great customer service, quality VPS deployments, and fair pricing had me ready to buy almost immediately.

Being the pragmatic technology purchaser I am, I dove further through their own site, admiring the clean design, no-nonsense pricing, and direct access to relevant FAQ material and contact information. A technology company that understands how to be marketable for these reasons is going to have a better sense of how to provide top-tier customer service as well. Sometimes it is the small things that really matter.

I ended up finding a suitable VPS package for my current hosting needs, filling out their simple checkout (PayPal or Google Checkout, nice!), and within seconds, received a litany of e-mails covering everything from my purchase invoice to my server’s IP & credentials. I was floored. Everything was completely automated and worked without a hitch. I was on my VPS minutes after signing up and had nothing to complain about!

The administrative interfaces for your account and VPS are simple and easy to use. I immediately changed my nameservers and started to host my DNS with their servers, and was also able to immediately configure reverse DNS on my IP address. My VPS statistics were clearly laid out for me, and all of the relevant information I needed was at a finger’s touch.

Magically, I did find a reason to contact customer service a few minutes later. I had read about a promotion regarding some free VPS upgrades by doing an affiliate mention. I shot off a quick ticket to their customer service and had a reply within an hour. If an hour sounds long to you, I should mention I set my priority to low on the ticket for them, as it was nothing critical. Most companies can barely seem to do 24-hour replies. The reply that I did receive was friendly, personable, and took care of my ‘problem’ before I could finish reading the response.

It’s been a few days now and I am still completely happy with my experience with fivebean.com. For what it’s worth, there was no deal for me to write this, nor any compensation sought. I just really appreciated the experience I had from browsing, to sign-up, to deployment, to customer service. I highly recommend them for VPS needs of all sizes.