One quick note before we get started.  A quick read would have noticed the name change to "The Digs".  I find it laughable now (the wonder of hindsight) that I had such high hopes for being able to do this every day.  Truth be told there's far too many things elsewhere and too little time.  Here's your new SLA: "The Digs" will appear on average 2-3 times per week catching up between posts.  And now, on to the digs...

First up is Gunnar.  I like Gunnar 1) because what he says is most often highly cogent and 2) because he has to deal with cold shitty winters too.  Thanks Gunnar.  Oh and thanks for finally bringing up APT.  There's a point in the post about the $6 billion in arms we're sending to Taiwan that will, likely, impose sanctions of what China buys from us in the future.  Here's my reply:  "Dear China, How's it going?  Don't worry about that whole Taiwan thing.  I've seen the shit we were selling to Taiwan a few years ago and you've got no worries.  Really, it's kind of like the toy you get out of a Cracker Jack box (because it'll all be yours eventually anyway).  If you don't understand the Cracker Jack thing I'm sure there's an article on Wikipedia.  Later China!".
[APT - The Sonny Response or the Michael Response?]

I like hardware.  Except when it sucks.  I'm often confused why small (and even medium sized) businesses buy hardware from large vendors (like those that start with a 'C' and end with an 'isco' - don't get me wrong, there is a time and a place along with an OC-12) when all they want to do is bring in some simple routing functionality, with a sprinkle of firewall and maybe, if they're feeling saucy, some IPsec on top.  So when I saw this new Netgear appliance and it's awesome price of roughly $275 I said to myself: "Wow, that underpowered old Linux kernel that will rarely ever be updated is just up my alley!".  OK, I didn't say that.  But, really, if you want that sort of thing people just pay someone to deploy and manage some pfSense boxes for you.  But if you're really still interested, by all means...
[Netgear Releases New Gateway Security Appliance]

OK, full disclosure here: I am the whipping boy over at Securosis (aka 'the intern').  But I'm glad someone said it (thanks Adrian!).  To all you big guns out there scrapping what you've got in house and churning out your next big thing - Agile & Scrum sux0r for your security.  Yeah.  SUX0R (with a capital zero).
[Firestarter: Agile Development and Security]

I laughed when I saw this next one.  Make sure you defrag your "Secure End Point Management (SEPM) server boys and girls!".  Well, for starters that implies it's probably running some old version of Windows.  Oh yeah, they state 2003 in the article.  Maybe it runs on Windows ME though, you never know.  Oh, and it's x86.  Awesome.  SEPM jokes anyone?  The article title just makes it sound incontinent or something.
[Defrag Your SEPM Server Regularly]

I'm not going to say much about this next gem I found over at NetWitness other than the fact that if you really think IDS started "several negative trends that are still affecting the psyche of security personnel today" then maybe the blue pill really is for you.
[IDS Legacy is Institutionalized Failure]

So last year I had a conversation with someone about IE6.  To preface - I know of a special place I visit on a regular basis during the week that still has IE6 as part of their base workstation build.  Anyway, so I had a conversation last year about when this individual thought IE6 would be irradicated from the environment.  And their answer was around 2012 or 2013 when XP wouldn't be their base OS.  I proceed to choke on my coffee.  They, on the other hand, were serious.  So I love to spam people like this with all of the love in the air for IE6 as of late.  Because, really, you thought even Microsoft could save such a fine piece of work?  Fat chance.
[Tide Turns Against IE6 as Usage Drops]

Let's round out our first post for 2010 (and hopefully not the last) with another great one that has to do with China.  The EFF has an article up about how US based companies need to shore up selling products that "selling Chinese authorities the surveillance equipment used to commit or facilitate human rights abuses".  This assumes that 1) China hasn't already ripped off IP from these companies which could be used to, well, remanufacture them and 2) that China doesn't have the upper hand from a monetary perspective right now.  Just food for thought.  Wasn't Cisco's source ripped off a few years ago anyway?  China could just always run a big virtual network with GNS3 anyway, right?  :)
[Seven "Corporations of Interest" in Selling Surveillance Tools to China"]

We'll leave you with these final links...  Thanks for reading!

[New Laws Close in on Hackers] - Seems rather timely, no?
[Cable Modem Hacker Faces Potential 40 Year Prison Term] - The Internet just wants to be free, what can I say?
[Researchers Uncover Security Vulnerabilities in Femtocell Technology] - Where "technology" should say "hardware" because, surprise surpsrise!  Your shitty embedded Linux hackery was reversed.
[Adobe Flash Security on Menu at BlackHat] - As if to say any Adobe technology hasn't been on the menu for the past, what, 5 years?  Keep on keepin' on Mr. Mike Bailey!

First up is an interesting analogy of cracks to Microsoft.  The "dorky tale" can be had over at EvilFingers and is, well, lighthearted in nature.
[Patching the Patches]

It seems to me as if Firewire is always ripe with authentication bypass flaws.  Help Net Security has a paper that you can download to read all about it.  What OS are we talking about here?  None other than the shiny new Windows 7.
[Firewire Based Physical Security Attacks]

There's not a whole lot to say about this one because Rich Mogull said most of it already.  If you haven't already read the open letter to Robert Carr you'll want to.
[An Open Letter to Robert Carr]

From the are-you-completely-stupid-bin we pull out the misunderstandings of non-technical government officials.  This time, however, the stupid policies being pushed aren't originating out of DC!  Belgium wants to keep all email traffic for two years.  Supposedly this will help in some way, shape, or form to combat criminal activity.  Because, there's not fabulous free encryption out there or anything.
[Belgium Would Like to Track Your Email for Two Years?]

I'm jealous.  Joel Esler was raving about the SourceFire Exploit Development class today.  He makes the comment about those typical classes where 80% of the content is rather trivial and the other 20% you could have figured out anyway and how this class is not that type.  Again, I'm jealous and might actually take this class later this year if I can swing the time off in December.  Thanks Joel!
[SourceFire's Exploit Development Class]

Think you know enough about ERP, dB, gain, etc. with regards to 802.11 antennas?  Well, then you probably haven't a clue on the changes in 802.11n antennas.  There's a great article on SearchNetworking today with links to a few other antenna references.
[Understanding 802.11n Wireless Antennas]

Your organization still running IE6?  That's too bad, maybe you should inject some code into the front page of their site displaying your disgrace for the browser that just won't die (but kills machines).
[IE 6 No More!]

Oh, joy -- pretty much every Linux kernel running on the planet is broken, and can allow remote exploitability.  Yes, pretty much every kernel since early 2001.  This will be a great exploit for time to come!
[Bug Exposes 8 Years of Linux Kernel]

We leave you this week with some great key size explanation by Luther Martin of Voltage.  If I could sum it up as well as his post was written I'd do just that, but it's easier for you to read his explanation.
[Comparing Key Sizes]

Have a great weekend everyone!  We'll be in touch with some of the things we talked about earlier in the week.

--windexh8er