January 30, 2007

The Universal Agent

Category: Security Information Management,UNIX Security — Raffael Marty @ 12:18 am

I am still waiting for that one company which is going to develop the universal agent!

What am I talking about? Well, there is all this agent-based technology out there. You have to deploy some sort of code on all of your machines to monitor/enforce/… something. The problem is that nobody likes to run these pieces of code on their machines. There are complicated approval processes, risk analysis issues, security concerns, etc. which have to be overcome. Then there is the problem of incompatible code, various agents running on the same machine, performance problems, and so on.

Why does nobody build a well-designed agent framework with all the bells and whistles of remotely managed software? Deployment, upgrades, monitoring, logging, etc. Then make it a plug-in architecture. You offer the most important functionality already in the agent and let other vendors build plug-ins which do some actual work. You would have to deploy and manage exactly one agent, instead of dozens of them.

Well, maybe this will remain wishful thinking.

January 28, 2007


Category: VI — Raffael Marty @ 7:01 pm

I haven’t written about VIM in a long time, although I am using the editor daily. Finally, I fixed some HTML errors on the VIM page and added some comments about the new features in Version 7 of VIM.

January 23, 2007


Category: Visualization — Raffael Marty @ 11:05 pm

I thought I would start sharing my del.icio.us links. Especially people that are into visualization might enjoy some of the links. I will keep posting good links and discussion entries here and on secviz.org

But I thought this was kind of a fun thing to do 😉

January 7, 2007

Solving the Trivial Problems Over and Over and Over Again

Category: Log Analysis,Security Article Reviews — Raffael Marty @ 1:24 pm

I read a lot of research papers and security articles. I am getting so tired of seeing all these tools, research papers, and new algorithms that propose new approaches in computer security and then as a proof, they are solving one of the “old” problems: Detecting worms, portscans and finding peer-to-peer traffic. Guys, it’s been done. We don’t need any more tools to do it. It’s easy and nothing to show off with!
Show me that other use-cases can be solved with your new approach. That will not only tell me that you actually thought about the problem space, but it will help the security community at large to tackle new problems (maybe some that they were not even aware of)!

January 6, 2007


Category: Uncategorized — Raffael Marty @ 3:52 pm

Anton Chuvakin just blog-tagged me. What that means is that I have to write five things about myself that not many people know and then list five other people that should do the same thing. Well, here ya go:

1. I used to be heavily involved in crossbow shooting. I was Swiss champion, was shooting in the national team for about 6 years and was the coach of the youth team for about 2 years. A great time which is responsible for a lot of what I am today.

2. I have a passion for bridges. I love taking pictures of them. I should probably start posting them 😉
3. I guess this is well known: I am Swiss. I grew up in Switzerland. In 1999 I came to the Silicon Valley for an internship, left the US again and then moved back to San Francisco in 2003.
4. My interest in security came about during my cryptography lessons in college. I was fascinated by the concepts and how they can be put into practical solutions. That initial fascination led to an internship and then later my master's thesis at IBM Research in Zurich.

5. VIM: I am a huge fan of VIM. Some people hate me for using VIM for all my writing; Anton? I write my emails in VIM, I write my books in VIM, and much to the annoyance of my co-workers, I set my shells to VIM mode (set -o vi). And who is responsible for that? I am pretty sure it was Dhawal during my internship at Cylink.

So, who am I tagging?

1. Jian Zhen

2. Jan P. Monsch

3. Michael Rash

4. Diego Zamboni

5. Axel Eble

January 5, 2007

Certifications and Years of Experience

Category: Security Article Reviews — Raffael Marty @ 11:49 am

Are you one of those people who read the ISSA articles by first checking out the title and then the little bio about the author, posted at the end of the article? I am! What is funny to me is that the acronyms after the name are getting more and more. Is there a list of accepted certification acronyms? What do you put there? Does everyone really know what they mean? And is more better?
The best one I have seen is RSA. What’s that? Is this guy certified in public key crypto? Can he do it in his head? Is he certified in RSA secure IDs? What is it? No idea. Is it really cool to put a CCNA and MCSE certification after your name? I would almost be ashamed 😉 I keep wondering whether more certifications is really better. To be honest, when I get resumes, I am a bit alarmed if someone has too many certifications. Doesn’t that mean that the person spends more time on certifications than doing real work? I’d rather have someone who knows his stuff hands-on than through certifications. But that’s just me.

January 4, 2007

Linux Auditing – ISS Article Review

Category: UNIX Security — Raffael Marty @ 6:08 pm

Well, I was travelling again and I read my way through some of the ISSA magazines that stacked up on my desk over the past months. I have to admit, the quality of articles I read has actually improved. That does not mean that I don’t have any comments…

I read this article in the March 2006 issue of the ISSA journal about Auditing on Linux/Unix. While I like the article and how it outlines what you can do to harden a UNIX box, it is yet another article which fails to mention how hard it is to enable real auditing on Linux. I have yet to find a comprehensive guide about how to enable the auditing you really need on a Linux box. Not a single word was spent on the PAM modules. The article mentions process accounting via accton but does not really mention how that can be used and how this could be handled in a distributed logging environment. How do you get all of this data into syslog instead of looking at it via lastcomm?

Maybe these things could be addressed in a follow-on article?
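
One way to approach the accton-to-syslog question raised in this post, as an added example that is not part of the original post or of the ISSA article: parse the binary process-accounting records directly and render each as a syslog line. It assumes the Linux `acct_v3` record layout on a little-endian host and 100 clock ticks per second; the host name, the `pacct` tag, the authpriv facility and the RFC 5424 framing are choices made for this example.

```python
import struct
import time

# Linux struct acct_v3 from <linux/acct.h>: 64 bytes per record.
# Assumed for this example: little-endian host, AHZ = 100 ticks per second.
ACCT_V3 = struct.Struct("<BBHIIIIIIf8H16s")
AHZ = 100
FLAGS = {0x01: "FORK", 0x02: "SU", 0x08: "CORE", 0x10: "XSIG"}
PRI = 10 * 8 + 6  # facility authpriv (10), severity info (6)


def comp_t(c):
    """Decode the kernel's comp_t: 13-bit mantissa, 3-bit base-8 exponent."""
    return (c & 0x1FFF) << (3 * (c >> 13))


def parse_acct(data):
    """Yield one dict per acct_v3 record found in a pacct byte string."""
    for off in range(0, len(data) - ACCT_V3.size + 1, ACCT_V3.size):
        (flag, ver, _tty, exitcode, uid, gid, pid, ppid, btime, etime,
         utime, stime, *_rest, comm) = ACCT_V3.unpack_from(data, off)
        if ver & 0x7F != 3:
            raise ValueError("not an acct_v3 record at offset %d" % off)
        # The command name is process-controlled: strip anything that could
        # split or forge a log line before it reaches the collector.
        name = comm.split(b"\0", 1)[0].decode("ascii", "replace")
        name = "".join(c if c.isalnum() or c in "._-/" else "?" for c in name)
        yield {
            "uid": uid, "gid": gid, "pid": pid, "ppid": ppid, "comm": name,
            "flags": ",".join(n for b, n in FLAGS.items() if flag & b) or "-",
            "exit": exitcode, "btime": btime, "elapsed": etime / AHZ,
            "cpu": (comp_t(utime) + comp_t(stime)) / AHZ,
        }


def to_syslog(rec, host):
    """Render one record as an RFC 5424 line stamped with the process start time."""
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(rec["btime"]))
    msg = ("uid=%(uid)d gid=%(gid)d pid=%(pid)d ppid=%(ppid)d comm=%(comm)s "
           "flags=%(flags)s exit=%(exit)d elapsed=%(elapsed).2fs cpu=%(cpu).2fs" % rec)
    return "<%d>1 %s %s pacct %d - - %s" % (PRI, ts, host, rec["pid"], msg)


# Constructed sample record (not captured from a real system).
SAMPLE = ACCT_V3.pack(0x02, 3, 0, 0, 0, 0, 4242, 4100, 1167934080, 150.0,
                      12, 3, 0, 0, 0, 0, 0, 0, b"useradd")

if __name__ == "__main__":
    for rec in parse_acct(SAMPLE):
        print(to_syslog(rec, "host1"))
```

The returned lines can be handed to whatever transport the central log server already accepts; accounting records are written when a process exits, so the forwarder sees commands only after they finish.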