Tuesday, April 15, 2014

Heartbleed - the most dangerous bug you will see this year - and the emails coming out from companies are almost criminal.

This "heartbleed" issue really shows how ignorant a world we live in at so many levels. It also shows how much we trust. After explaining the issue to my tech team, one of the things I told them was to think about where this issue sits in the whole stack and what that means. If you understand that, then you can respond to all the FUD and misinformation that is out there.

Simply put, the problem is/was with the OpenSSL library. The OpenSSL library basically sits between the kernel and the server (remember, the server is SOFTWARE, not HARDWARE). When the overflow request arrives, OpenSSL dumps memory as the output. Because you are not hitting the server, the server is not logging the request. This means that your web server, your FTP server, or your SSH server is not seeing it, and since it is not seeing it, it isn't logging it. The kernel is seeing it, but under 99.999% of scenarios it doesn't log what it sees at this level, so it doesn't log it either. Get details at many locations. One such location is http://en.wikipedia.org/wiki/Heartbleed#Claims_of_possible_knowledge_and_exploitation_prior_to_disclosure; another is http://heartbleed.com/
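Because the application never sees the request, the only place to spot a Heartbleed probe is on the wire, by checking whether a heartbeat record's claimed payload length actually fits inside the record. The following is an added example, not code from the original post: it parses TLS heartbeat records per RFC 6520 and flags the length mismatch that unpatched OpenSSL failed to check, run over a few constructed sample records.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16              # RFC 6520: at least 16 bytes of padding follow the payload


def classify_record(record: bytes) -> str:
    """Classify one TLS record as 'not-heartbeat', 'malformed', 'ok' or 'suspicious'."""
    if len(record) < 5:
        return "malformed"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 3:
        return "malformed"          # truncated, or too short to hold a heartbeat header
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # RFC 6520 requires type(1) + length(2) + payload + padding(>=16) to fit in
    # the record. Unpatched OpenSSL skipped this check and copied payload_len
    # bytes from its own memory into the reply, so a peer claiming more than
    # the record carries is the thing worth alerting on.
    if 3 + payload_len + MIN_PADDING > rec_len:
        return "suspicious"
    return "ok"


def scan_records(records) -> dict:
    """Count classifications over a sequence of captured records."""
    counts = {"not-heartbeat": 0, "malformed": 0, "ok": 0, "suspicious": 0}
    for rec in records:
        counts[classify_record(rec)] += 1
    return counts


# Constructed sample records (not real captures):
SAMPLE_RECORDS = [
    # application-data record: not a heartbeat, left alone
    b"\x17\x03\x02\x00\x05hello",
    # well-formed heartbeat request: 2-byte payload "hi" plus 16 bytes of padding
    b"\x18\x03\x02\x00\x15\x01\x00\x02hi" + b"\x00" * 16,
    # 3-byte heartbeat body that claims a 16384-byte payload
    b"\x18\x03\x02\x00\x03\x01\x40\x00",
    # heartbeat record whose header announces more bytes than were captured
    b"\x18\x03\x02\x00\x20\x02\x00\x01x",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.hex(), "->", classify_record(rec))
    print(scan_records(SAMPLE_RECORDS))
```

Feeding decrypted-side records is not needed: heartbeat records are visible in plaintext framing, so this check works on a capture in front of the server even though the server itself logs nothing.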

So, what kind of FUD and dis-information is out there... let's see:

  1. Change your password. While it is good to regularly change your password, to have distinct passwords for each service, and all that, this is NOT the first line of defense that people should be taking. This is the equivalent of putting your stack of $20 bills in the front seat of your 1967 Mustang convertible, making sure the windows are up and the doors are locked, and then walking away. Did you make sure the top was up? NO. Therefore, a bad person reaches over the window, takes your $1,240 and laughs and laughs and laughs. The first thing you should do is make sure that the server has been patched and is no longer vulnerable. Once this has occurred, then change your password, make sure that each service has a distinct password, use multiple forms of authentication, and do whatever else will ensure that you can sleep at night knowing that your Facebook, Twitter, or email account is safe and secure.
  2. "Currently, we have no indication that any of our customers' information was compromised." Of course they don't. Nice marketing; it doesn't mean squat and in fact is misleading almost to the point of criminal.

Wednesday, February 26, 2014

NIC Maryland finalist for Tech Company of the Year
Annapolis, MD – February 21, 2014 – The Chesapeake Regional Tech Council (CRTC) today announced the finalists for the upcoming 9th annual TechAwards 2014: Get in the Game, honoring the region's rising tech companies, outstanding innovators and all-around top "geeks."
The Tech Company of the Year Award is awarded to an enterprise that has proven its dedication, vision and ability to work with a sustained, strategic business plan and to steadily grow into a prominent player in the Annapolis-Washington-Baltimore tech industry. Finalists include:

Maryland Interactive LLC - Annapolis, MD
Established in 2011, Maryland Interactive LLC, an Annapolis, Maryland-based subsidiary of the eGovernment firm NIC Inc. (http://www.egov.com), is the premier provider of the award-winning Maryland.gov official government website and more than 23 online and mobile apps and secure payment processing solutions for the State of Maryland.

Wednesday, July 17, 2013

Who talks about your work says a lot about its importance.

Who talks about your work says a lot about its importance. The work we do in Maryland and the other twenty-some-odd states is important. One of the things I like about Maryland, however, is that the executive branch embraces technology and embraces the work that we do. In the video below (http://youtu.be/oEhOG17qLak) you won't hear my company mentioned. This is as it should be. We are the people behind e-government™.

Who talks about your work?

Monday, February 18, 2013

Network Assurance Exam

Recently I came across the Domestic Preparedness site for the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA), which can be found at http://www.teexwmdcampus.com/. I passed the first exam, Network Assurance. Here is my certificate.