My Security Planet » Items by Mark Curphey

Items by Mark Curphey

Mark Curphey - SecurityBuddha.com

Software for Humans is Live

Posted: March 12th, 2011, 12:44am CST by Mark Curphey

Tags: [edit]

My new side project is now live.

Check us out at [www.softwareforhumans.com]
OWASP : slipping back into the project shadows (again) and stepping up to build better community software

Posted: March 2nd, 2011, 12:22am CST by Mark Curphey

Tags: [edit]

Every few years I pop my head up and re-engage more actively with OWASP. This year I saw a bunch of chatter coming from the OWASP Summit about the need to be more developer centric and my interest was piqued again. I posted here and here. After a week of some healthy discussions it is time for me to slip back into the OWASP shadows again. I will be speaking at the AppSec USA conference in September (OWASP’s 10th birthday). More on that in due course.

OWASP holds a special place in my heart but I am not convinced that the new momentum around ‘developers’ that I had hoped was going to emerge is actually fundamentally different from what is being done today. Why slip into the shadows and not try and influence it to be what you want it to be? If I have learnt anything about community its that the majority drives a good community and if you want to influence the majority who aren’t aligned to your way of thinking you have to invest a lot of time and energy to do it. I just don’t have that time or energy for the topic right now. People often say “I hope you prove me wrong” but don’t really mean it. I do. I really do hope that @JonWillander and crew prove me wrong and get a thriving developer community engaged but it seems to me that there is still a very strong prevention (or discovery) of vulnerability centric approach as opposed to being focused on security as an enabler (the builder metaphor). It’s valuable stuff but simply not where my personal interests are or what I believe is needed and so it’s time to slip back into the OWASP software security shadows for me for a while longer. I am sure I will surface again in the future.

Now that said what I did discover over beer and email is that there are a LOT of people passionate about OWASP but also think that things could be a lot better with some changes to the way the community works. I agree. For instance @sourcecodesec told me that he would like a democratic way to run a local chapter meeting. He wants to be able to propose a meeting, have active local community members vote on what presentations are given and have attendees get to vote on presentations / presenters. This would effectively democratize the chapter meetings process and avoid any local chapter leader having too much control over what happens at chapter meetings. You would effectively get a facilitator / organizer and the local community democratically making decisions. I have thought quite a lot about this and I think as well as democratizing the chapter management process a rewards system can actually ensure the good facilitators / organizers are recognized and rewarded. Chapter management is a problem I have heard a number of times in a number of locations so I am convinced this isn’t isolated and I am convinced that an innovative social software solution could benefit all chapters and the project as a whole. I have also heard about other challenges like OWASP members who would like to submit and read tools reports and even security reviews but do so anonymously. This is also an interesting problem. How do you share data that you can trust without revealing identifies and source? I have some ideas on this as well.

I am partnering with Marius Grigoriu on a side-project we are now calling Software for Humans which is setting out to build an online community for people interested in online community and explore exactly these kinds of community & social challenges across the spectrum of online communities. We plan to push the boundary on building social software and using the community to drive feedback and direction see if our collective ideas might work in code as well as on paper. We plan to go live with our site later this week (hopefully Thursday). Our software won’t be open source but is built on Ruby on Rails an integrated with many social platforms like Twitter and FaceBook. It seems to me building better community software is the most valuable contribution I can possibly make to OWASP while also fueling my passion for building social software. Cool eh ?
Egyptian Head Gear for Riots

Posted: February 28th, 2011, 10:01pm CST by Mark Curphey

Tags: [edit]

This was sent to me by someone today and had me in such hysterics I had to share.

Your classic 1979 ‘Tribottle rag’ helmet – a must in any type of combat

A late 80’s ‘boxhat’. The bloke next to him doesn’t appear too sure of its effectiveness

A renaissance period piece of brickwear teamed with a black and cream scarf. Textbook

I’m not sure about the tuna sandwich he is about to lob…
Old school 80s broken bin helmet.
I personally love the fact he needs to lift it up to see –
does he spend the rest of the time walking in to things?

Textbook saucepaning with lifejacket combo. He does not take, ANY!!

And the winner by 100 miles.

This bloke is going to war with 2 baguettes strapped to his ears and a ham salad roll
sellotaped to his forehead. I’d def wanna be behind him if someone lobs a load of bricks at me.
More Thoughts on OWASP 4.0

Posted: February 23rd, 2011, 5:31pm CST by Mark Curphey

Tags: [edit]

There is a lot of good chatter about what I have learned is being called OWASP 4.0. A fourth generation project no doubt! I posted here and Michael Coates posted here which seems to be stimulating some good debate.

Ahead of meeting Dinis Cruz for what will undoubtedly be too much beer tonight I wanted to jot down a few thoughts on how we could organize OWASP 4.0. There are only so many beer mats you can assemble into meaningful diagrams in a brewery! This is very similar to Michael Coates excellent suggestions but with some subtle and I think important differences.

First I think its important to have a community for people who are engaged in planning and managing software security. These people range from the CSO’s to the scrum masters. There are a lot of important topics not covered at OWASP to day ranging from broad sweeping like application security scorecards and metrics to detailed issues such as how to estimate security during Agile planning.

Second I think its important to have a community for the architects and software developers. In this track you would cover the software design issues such as how to to AuthN and AuthZ, how to design secure WS*’s etc as well as code level implementation topics.

Test should cover the traditional security testing but also include topics aligned to the much bigger and more mature software QA discipline.

Finally Operate would be for those whose primary role is in deploying, monitoring and defending against attacks. There are really important topics in deployment and monitoring that I don’t think are well represented today.

The taxonomy or nomenclature is both trivial and actually very important. People who are consuming content (educational, documentation or tools) need to be able to easily identify with their role and navigate to material that they relate to. There clearly needs to be co-ordination across the verticals and over-lap may occur but for the most part projects should fit.

Across each of the sub-communities you would have a collection of high value projects that could generally fit into people (or education projects), Process & Documentation projects and Tools / Technology projects. Coding guidelines for Ruby for instances would fit into the Design & Dev community under the Process & Documentation bucket. App HoneyPots would be in the Operate community under the monitoring focus area.

Some communities would have more of a bias to build tools (Design & Dev and Test for example) and others move of a bias on documentation and process (Plan & Manage).

Underpinning the buckets is a need for commonality and reuse. This is where guiding principles fit, taxonomies and definitions. This ensures some degree of uniformity across the OWASP community.

There are some obvious gaps such as where do browsers fit and what about R&D / security researchers? Security researchers would scare most software QA people IMHO but I don’t have any magical suggestions.

I will follow-up tomorrow with a detailed post of what I would specially drive inside the Design & Develop community. That would include a set of GitHub repo’s, a CI environment and a set of AWS instances to start with. Dev’s need dev stuff to code with!
OWASP – Has it Reached a Tipping Point ?

Posted: February 19th, 2011, 3:50pm CST by Mark Curphey

Tags: [edit]

It’s an amazing time to be writing about software and social change. I am sat in my favorite Seattle coffee shop with nothing but my MacBook (plus a coffee and chocolate croissant of course). Using nothing but my free Wi-Fi connection I can spawn up a super-computer on the fly using Amazon Web Services. I was just chatting on my cell via Twitter to a guy in South Africa that I have known for years and would regard as a friend but have never met in person. The middle East is in violent protest, governments have been over-thrown, cyber spy novels are being played out online by hackers in the wake of Wiki-Leaks and Facebook is now worth an estimated $60B. Its a crazy, crazy, crazy world…and I love it.

When I started OWASP nearly a decade ago it was without a plan (or frankly even much thought) but it was with a premonition that the Internet was going to revolutionize the world, web technology would be at the forefront of the revolution and that security would be a critical attribute in the mix. I haven’t been actively involved in OWASP for a number of years but will always claim it as my baby and passionately watch it evolve. It is my social science lab. I had always hoped that the community would develop into a community of developers that were interested in security rather than a community of security people that were interested in software. I wanted to be part of a community that was driving WS* standards, deep in the guts of SAML and OAuth, framework (run-time) / language security and modern development practices like Agile and TDD rather than people seemingly obsessed by HTTP and web hacking techniques. Ask your average OWASP member how to federate identity across the Internet and reckon you will be met with a blank stare but ask them how to check for XSS and I bet you would be greeted with a smile. Thats a problem. That is not to say that people who live and breath HTTP security isn’t incredibly valuable but it wasn’t what I wanted or what I really care about. It like focusing on a patients cold sores when the patient has lung cancer. To someone with just cold sores they need research scientists developing medicine but I think there are bigger and more important problems in the world that I care about. Looking back in hind-sight it isn’t surprising that security people gravitated to the project. Lets face it the first call to action was sent out to a security mailing list that I was moderating at the time. Why would you expect anything different? When I look back to the early years it was when the likes of Ingo Struck, Zed Shaw, Steve Taylor and Alex Russell drifted away that the writing was on the wall for me and I walked away (well moved to the sidelines) shortly after. Those guys were hard-core developers. Over the years the project has grown to be the de-facto and de-jure online source for web security and I am very proud to have planted that seed (very proud indeed) but the desire to have a community for developers interested in the type of security I am interested in has never faded and as far as I am concerned no community exists today for people with this interest.

I have always believed that in order for security to become an inherent part of software development it must come from within the development community itself.

We can’t have security people who know development. We must have developers who know security. There is a fundamental difference and it is important.

Last week I noticed some tweets coming from the OWASP Summit in Portugal that got me very concerned about the state of OWASP. The summit is an awesome idea. OWASP gathers a bunch of bright people from around the world into a hotel on the Algarve once a year and they drive projects, ideas and have fun. The tweet that caught my eye was “Developers don’t know shit about security“. After a few mails to a few people and a few off-line discussions I started to wonder if actually OWASP is at a Tipping Point where it will either evolve to the project I had always originally hoped or a new project will emerge made up of “developers who know security”.

I hope it is the former and I certainly don’t want to encourage revolution (just evolution) but in order for this evolution to happen at OWASP rather than another community forming (which I am hearing mutterings of on the grapevine) I think OWASP needs to adapt pretty dramatically. Before you read my suggestions (which are very direct and generally negative) remember that I think OWASP rocks. I 100% get that some people will be offended and maybe hurt by these comments but they are not personal. Read to the end before firing of poop-o-grams to me!

1. Manage the Project Portfolio – When I look at the OWASP site today its hard to see it as anything else but a “bric-a-brac” shop of random projects. There are no doubt some absolute gems in there like ESAPI but the quality of those projects is totally undermined by projects like the Secure Web Application Framework Manifesto. When I first looked I honestly thought this project was a spoof or a joke. Its been created by people who in my opinion have no idea about what development frameworks do, how they are created and certainly no idea about how to get requirements into engineering teams developing them. If you really think an important thing a development framework should do is to provide support for pluggable anti-automation (whatever that really is) then seriously …… If you go to the engineering team of a major framework with that document you won’t get far. The OWASP Guide also hasn’t been updated since 2005 and the .NET guide is a bunch of broken links or seriously outdated advice! These are key documents that are integrated into many corporate application security policies yet the Guide hasn’t been updated for 5 years. Thats .NET 1.1 / 2.0 and Java 1.5 people!

OWASP has to put controls in place over project quality and develop a project portfolio strategy. It has to focus on quality and not quantity and has to kill a large number of projects that have been created today if it wants to remain credible. It has to focus its key resources on key projects.

2. Industry Engagement and Communications – Over the years I have had many frustrating dialogs with people at OWASP about the way they have engaged with me as a corporate sponsor (direct sponsor or behind the scenes). I have seen random email after email come in, many contradicting each other or written in a tone that frankly no company would want to partner with. I totally get that there is no one voice but when an active community member openly criticizes a company they are speaking on behalf of “OWASP” wether you like it or not. There have been so many cases I have heard about where the project seems to be biting the hand that they are asking to fed it. I don’t get it. Why ask and complain in the same hand. Take a stance cause. You can’t have your cake and eat it to. One year I heard grumblings that OWASP were very frustrated that they couldn’t navigate a big software company so offered to help. After two reminders of the offer the only time I then heard from them was a year later asking for money to renew membership. Serious partnership could be made with serious funding that could drive serious projects if it was approached in the right way. Hand-outs is not the way, partnership is.

OWASP has to re-think its engagement and communication model to get to the next stage in it’s evolution.

3. Ethics / Code of Conduct – The O in OWASP is for Open. Open + Source, Open + Respectful and Open WhatEverIsAppropriate. That was a cornerstone of the project from day one. In the early days I fought with a few individuals who in my opinion were trying to circumvent the power of the project for their own personal agenda. It was a fight I was happy to make and would do so again in a heart-beat. An individual who shall remain nameless wanted OWASP to recommend a specific tool that wasn’t licensed with an OSI license. I dug in and refused; in fact I doubled-down and set guidelines on vendors abusing the brand project. That person banded together with a few other lily-livered sheep and tried to have me banned from moderating a mailing list I ran. They probably don’t know it but I have the copy of the mail they sent complaining to the company that hosted the list. I know who they were and exactly what they said. The same people later decided to form their own project that they controlled. I have a copy of a private email between a few of them in which they talk about “…..beating OWASP at its own game so we can influence the messaging that app scanning really is effective” (for completeness that mail forwarded to me by someone on the thread in disgust is in an archive somewhere and so I am paraphrasing). It was a set of douche-bag moves by people with douche-bag standards but the blood and guts have and will remain private as they have no possible positive part to play on the project. There is clearly a balance in ensuring that people who contribute to the project are rewarded. They should be and should be allowed to get something back for their hard work but the mechanism in how that happens is important and will always be a gray area. I have been amply rewarded in my career by my association with OWASP. I have been invited to speak all over the world, been asked to contribute to books and been able to talk to an incredible set of people. I have had jobs as a direct result of OWASP. When I formally transferred OWASP to it new leadership I was compensated for money I had spent in the initial years on hosting, significant personal travel and other things. In those days we never had sponsorship and I funded it all from my own pocket. I still don’t know if I feel 100% good about that but I do feel good that I only got back what I had put in (my wife tracked it meticulously) and I turned down a more than six figure offer at the time to turn over the project to a security firm that I know didn’t have the communities interest at heart. I feel very good about that! OWASP was never mine to sell but that didn’t stop other OSS projects like Nessus.

Ethics is a tough topic and riddled with subjective opinions. It’s a minefield. From an individual perspective its probably easy. Can you look at yourself in the mirror and feel good about what you have done? What pains me today is that I see people riding the OWASP band-wagon that I struggle to understand how they look at themselves and answer that question with a “yes”. Let’s take Cenzic as an example. This is a firm that was founded by the same people that founded HB Gary. Yes the same firm that has been exposed to have been plotting a campaign to discredit wiki-leaks. Cenzic also have a patent for web fuzzing. Now I am not a lawyer but this patent appears that it could be applied against OWASP projects like WebScarab at any time. This is the same firm that used to claim in their marketing that they scan for the OWASP Top Ten. Thats right using HTTP they scanned for insecure crypto! These are my personal opinion but this is not a firm with good ethics yet is actively involved in OWASP.

When I was at OWASP EU in Amsterdam earlier in the year I hears stories about a firm in the far east that was using the OWASP name to organize very well attended chapter meetings and essentially turning them into sales events for their technology. I heard several OWASP community members tell me that they felt that OWASP has lost its way and been hi-jacked by people who are serving their own interests (personal or company) and not those of the project.

For several years I have been concerned that the people speaking at conferences are not the same people that are actively working hard on projects and in some cases have been the very same people who wanted to “beat OWASP at it’s own game”. This is not a good thing for the community. Its rewarding the wrong behavior and the wrong people. So how does an open project rationalize those things and let them sponsor events yet alone contribute to projects? How can you trust that their contribution will be impartial or ethical? Its a tough one and I don’t claim to have any magic answers but I do know that the current ethics and code of conduct appear to be broken.

OWASP has to re-think its ethics policy and code of conduct.

4. Engaging Developers – If you have gotten this far then you will want to know the guy who pricked my conscious to write this post in the first place is called Jon Wilander. I have never met him but I know we would get on well. He gets on well with people I like (Dinis) and from what I can tell from his writing we are very similar. He has recently taken a job with a bank in the development team. I once moved my office from the security building to the development building to sit with the developers. Good patterns are timeless! His post talks about how to engage with developers and given a number of twitter comments and emails I am hearing about a growing tidal wave of people that think OWASP needs to be by developers for developers. My original vision. Maybe its coming full circle ?

There are huge gaps in OWASP today for developers. Where is the advice on writing security related BDD tests, integrating security into Agile, tools that plug into CI servers and IDE’s ?

I can see several ways of doing this but am adamant that this is not a matter of trying to heard the security people to develop content and projects for developers. The definition of insanity is to do the same things twice and expect a different result and while OWASP has made amazing strides in the security industry I think we need to acknowledge that security is not a Pri0 agenda item in the development culture after a decade of the project.

I think a different approach is needed and it is time for a change.

The good news I think is that I think there is room for both approaches and I think OWASP could play a leading role in both camps. Maybe Software Security is for developers and Application Security is for security people. The first persona is the builder and the second persona the breaker. One is concerned with assessing security posture and the other architecting and creating secure software. OWASP could easily pivot its work (and web site) around those two key personas. Developers best understand what they need and want, security people best understand what they need and want. Maybe the Security Web Application Framework Manifesto that I think is not well conceived (as a builder) is really useful for breakers.

I genuinely hope that what I see as a Tipping Point means OWASP will evolve rather than break apart. It’s an awesome project with awesome people.

- Mark
4HB Experiment 1 “Recomposition” – Week Two Summary

Posted: January 25th, 2011, 7:56pm CST by Mark Curphey

Tags: [edit]

I am going o move to weekly summaries of my 4HB experiment. This post is the first of those covering the first two weeks. Daily posts felt like a food diary and despite my intent to do a weekly video diary I have just not been able to get organized.

Overall the first two weeks have been surprisingly easy. I went from 223lbs to 215lbs so a drop of 8lbs in body weight. The most noticeable thing for me was actually surprising. I typically get very light headed if I haven’t eaten and have noticed that following the diet seems to normalize the food cravings and mood swings. Equally dramatic was the protein I was able to consume on the diet. While training for the last marathon the major dietary issue I had was the sheer amount of calories I needed to consume in order to meet my daily protein targets. I was taking protein bars and protein shakes but all provides around 20g of protein for around 200 calories. On the 4HB diet I can typically consume 1600 calories a day and get 180g’s of protein. It will of course be very interesting to see how the diet stacks up for me when I start running again; next week!

There are certainly a set of habits that it is worth breaking. For me not drinking enough water is one that I am working hard on but still not as effective as I know I should be. Reverting to drinking lots of tea (and yes with milk for a double whammy has been my downfall). I need to re-red the book as the fluctuations in my weight after the binge day seem to be excessive. I seem to remember a suggested normalization mid-week but this has been Thursday or Friday for me. I think I took the binge day too seriously. This week I plan to closely target a specific amount of food and watch the effects. I have also found it very tough to keep the amount of calories constant during the week. This is partly due to work (food choice and quality at Microsoft is really not great at all) and partly due to bad planning on my part. In the first week I took lunch to work. I need to start doing this again.

I will draft another summary on Sunday and then each Sunday moving on until I get to the magic 200lbs (23lb target loss) or resign !
5 Basic Things Any Blogger Should Know About SEO

Posted: January 24th, 2011, 6:17pm CST by Mark Curphey

Tags: [edit]

Before you read this post you should know that at some point someone will say “All well and good but you don’t practice what you preach!”. I know. This blog is currently hosted on WordPress and I am using an SEO plugin which covers the basics but is far from ideal. I plan to move this blog to a custom written blog engine at some point and so investing time in tweaking this blog is not a priority. What I have learn’t about SEO is driving features of the custom written blog (discussions) engine in development right now. Now with that out of the way…….

If you are like me you will have heard the term Search Engine Optimization or SEO and associated it with the sleazy side of internet spam and messages like “Be Number 1 on Google Guaranteed, Click Here Now”. I knew that a large portion of any blog traffic is driven from search but I had decided in my mind that it was something I didn’t need to deal with. I know realize that was a big mistake! The epiphany came when I first started looking into SEO casually and had a discussion with my friend JD Meir over lunch. JD runs a very popular blog called Sources of Insight (hosted on WordPress) yet had some basics missing. When he fixed the issues he saw a significant jump in his traffic. Just last week I was exchanging email with a friend who is the CSO of a top company and told he he only gets just 50 page views a day on his blog. I have spoken to many people about SEO and it is suprising how little people know so here are the 5 top things that I think all bloggers should know about search engine optimization and therefore optimize users finding your content and driving up your traffic. It is certainly not exhaustive and certainly not an original list. If you want to “Pass Straight to Go” I suggest buying the Art of SEO by O’Reilly. Awesome series of books

My top 5 are:

1. Register with Google and Bing Webmaster tools

2. Generate a sitemap.xml

3. Understand Keywords

4. Install Analytics

5. Run Free SEO Analysis Tools
Register with Google and Bing Webmaster Tools
Google and Bing (which now including the Yahoo search traffic) account for the vast majority of internet search traffic (somewhere in the ballpark of 85%) and so making sure that those search engines can find your content is absolutely critical. Both sites have tools for webmasters that allow you to register your site and ensure that the search bots can crawl it. They then provide suggestions for basic optimization and allow you to monitor any issues the search engines maybe having. They also allow you to view the keywords they see on your site and queries that users searched for which they then referred to your site. I’ll focus on the Google webmaster tools here but the Bing experience is pretty similar.

You will first need to go to Google and sign in at [www.google.com] with your Google ID. Once you are in you will need to add your site and do some basic configuration. When you add your site you will first need to prove that you own the site. There are several options such as adding a verification code into some HTML but the easiest way in my opinion is to add a DNS TXT record to your domain. You copy the verification code from the webmaster tool and create a DNS TXT record at your DNS provider. You then go back to the webmaster tools and verify the domain. Google queries the DNS, checks the verification code and voila ! After a few more clicks you are now registered and can poke around on the site and see how Google see’s your site . It is all very self-explanatory. Don’t worry if at first Google doesn’t appear to know much about you. Registering is the first step in letting then know you exist. You need to systematically go through each suggestion, fix issues and then let the crawlers update their indexes and reflect the updates in the results. It can take several weeks even after making changes to see results.
Generate a sitemap.xml
One of the items the site master tools will check is for the presence of a sitemap.xml file. This is a file that is added to your site and acts as the primary front-door for the search engine crawler. You can find out more in this Wikipedia article. Having a sitemap.xml is essential. Given that your site content will change you really need your site to be abel to update the sitemap.xml file as new content is published. If you are using wordpress there are several tools that will do this for you. Some simply allow you to generate a file and manually re-submit it to the search engines. I use the Yoast WordPress plugin today.
Understand Keywords
Search engine keywords are essential to understand two fundamental things. The first is the keywords that the search engine sees on your site. Think of it as the content that the search engine sees as available to match to potential users. The second (and often over looked) is the keywords that users are searching for. Google allows you to look at keywords and view the amount of times users were looking for content that matched with those words. As an added bonus they conveniently provide a nice interface to compare the supply of keywords and the demand to advertise against them and the amount of people searching against them. This allows you to look for areas with your target topics where users are crying out for content and where little is available today. You can also predict the amount of traffic this would generate if you were able to fill that gap in the market. A useful tool is the Google Adwords tool. Sophisticated SEO software often uses the Google Data API’s to get similar data programmatically.
Install Analytics
Whats that phrase “if you can’t measure it you can’t manage it?”. While webmaster tools will provide basic data about queries and keywords the more sophisticated analytics tools will allow you to capture rich data. You can even instrument scenarios such as a user moving through a registration wizard to find out where they drop off or so A/B variant testing to compare experiences or articles. I am using the Google analytics. Similar to the webmaster tools you will need to register your site and prove ownership, after which you will be given a piece of JavaScript that you call from every page on your site. I use a nice free iPhone app called Analytics Agent Lite to track my stats on my phone.
Run Free SEO Analysis Tools
Finally there are a number of things you will want to configure ranging from ensuring you have meta-content tags, individual page titles, encoding to ensuring you use H1, H2 etc HTML elements. A really simple free tool that I have found is WooRank. Just type in your domain and let it generate a report. Simple, quick and free.

So there it is, 5 Basic Things Any Blogger Should Know About SEO and that could have dramatic effects on your traffic. If this has been useful and you get results please let me know in the comments!
Heroku Vulnerability Security Notice

Posted: January 21st, 2011, 11:46am CST by Mark Curphey

Tags: [edit]

Summary
=======
On January 16th, 2011 at 10PM PST Heroku was notified of a
security vulnerability by David E. Chen, a long-time customer.
We deployed a fix to our production environment the following
day, January 17th, 2011 at 2pm PST.

We have done extensive analysis and have no reason to suspect
this vulnerability was exploited. However, we believe it is
important to let the community know about the situation and what
we are doing to prevent similar issues in the future. As a
precaution, we are working with add-on providers to change all
credentials. We also recommend that users should change any
manually set credentials in their apps as well.

Details on Vulnerability
========================
The vulnerability was a window through which an unauthorized
user could potentially gain read-only access to an app’s deployed
code and configuration variables.

We confirmed the vulnerability, determining that it was
introduced on December 28th. The underlying bug was fixed on
Monday January 17th, the day after we learned about it. It is no
longer possible to exploit this vulnerability. We do not believe
that any customer data was accessed or changed. We have
thoroughly audited our logs for that period and have found no
evidence that anyone exploited this vulnerability.

Consistent with best practices for security incidents, to
minimize the risk of a 0-day exploit, we waited 5 days to notify
the community and work with our add-on providers on a
precautionary mitigation plan.

Precautionary Actions
=====================
We believe it is important to take all prudent steps to ensure
the safety of apps. Heroku uses environment variables to provide
configuration information to apps. These variables often include
things like database passwords, API tokens, and credentials that
are used to access add-ons or other third-party services.
Although there is no evidence that these were compromised, we are
taking additional steps to protect users.

Actions Heroku Is Taking
————————

Our add-on partners have been notified of the problem and advised
to update the credentials for all Heroku apps. You can track the
status of credential changes for all add-on providers
at http://status.heroku.com/20110116-credentials. We expect all
add-on credentials to be updated within the next week.
We have already started rolling credentials for all Heroku hosted
PostgreSQL databases and expect to complete the update
this weekend.

The process of updating credentials will require restarting all
apps. While we do not expect any apps will have issues with the
update, if you do run into any issues please open an urgent
support ticket at <http://support.heroku.com>.

Actions App Developers Must Take
——————————–

Some apps may make use of hard-coded credentials in either their
source code or manually set configuration variables. As a
precautionary measure, we recommend that you update these
credentials.

Some examples of hard-coded credentials may include:

* Amazon RDS credentials - http://docs.heroku.com/amazon_rds#changing-your-credential
* Amazon S3 credentials - http://docs.heroku.com/s3#updating-your-s3-credentials
* Heroku username and password, often used by automatic scaling plugins. Visit <https://api.heroku.com/account> to change your password.

We have enabled advanced releases (http://docs.heroku.com/releases)
on all apps for free for the next 2 weeks, providing rollback
capabilities and a log of changes made to your app. To use,
update to the latest gem (`sudo gem update heroku`) and run
`heroku releases`.

If you need help or have further questions about the incident,
contact us at <http://support.heroku.com/>

Preventative Changes
====================

We are making several changes to our process and technology
architecture in an effort to prevent this type of security
regression in the future. First, we have introduced automated
regression testing to specifically check for permission issues.
Second, we have expanded our security audit review process for
all changes on the platform. Third, we are increasing the
frequency of both internal and external security reviews to help
ensure that we are continually following the industry best
practices. Finally, we are testing a new environment for
isolating customer processes from one another that will provide
a second layer of protection beyond filesystem permissions.

Reporting Security Issues
=========================

We want to thank David E. Chen for his contribution to our
community by helping us to identify this issue and working with
us to resolve it. Heroku is committed to continued improvements
to our trust and transparency. Any individuals who believe
they’ve identified a security issue within Heroku should contact
us at security@heroku.com

Sincerely
- Heroku Security Team

================================
This email was sent to mark@curphey.com.
If you do not wish to receive service notices you can unsubscribe:
http://lists.heroku.com/t/r/u/ydtlujy/tkolylyh/
4HB Experiment 1 “Recomposition” – Day 16

Posted: January 19th, 2011, 11:20pm CST by Mark Curphey

Tags: [edit]

Notes: Tried a protein shake when I woke up this morning and worked well. Trying consciously to shift the balance of the calorie intake to earlier in the day. Weighed in at 216.6 lb this morning so close to pre-binge weight but it’s Weds! Planning to binge less this weekend (1.5 normal calories as opposed to over 2 x).

Breakfast : 2 scoops of protein shake mix (Whole Foods Soy Protein) mixed with water , scrambled eggs and bacon – 751 calories

Lunch : Beef – 350 calories

Afternoon snack : Shrimp, tomatoes, salsa and teaspoon of almond butter – 280 calories

Dinner : 2 egg omelet, eggology, large helping of chopped bell peppers and ham – 390 calories
4HB Experiment 1 “Recomposition” – Day 15

Posted: January 19th, 2011, 1:12am CST by Mark Curphey

Tags: [edit]

Notes : Late for work so skipped normal breakfast and substituted for an Odwalla protein monster. Thanks to comments in the blog (Hoff) who suggested a 30g protein shake and then mid-morning snack. Plan to try that. Spoon of peanut butter tonight and checked ingredients. Despite organic labeling it had sugar. Need to get some almond butter from whole foods which is nothing but almonds! Another low calorie day, need to meal plan better.

Weights : 218 lbs

Breakfast : Odwalla protein shake – 400 calories

Lunch : prime rib and green beans – 494 calories

Dinner : beef salad – 474 calories

Evening snack : teaspoon of peanut butter – 100 calories
4HB Experiment 1 “Recomposition” – Day 14

Posted: January 18th, 2011, 8:09pm CST by Mark Curphey

Tags: [edit]

Notes : Weighed in at 218.6 lbs and felt very guilty at gain after binge day. Very low calorie day (around 1200). Need to get a consistent calorific input during week so need to do some better meal planning. Need to figure out how to make breakfast the big mea of the day but do it so I can have something when I wake up and something else mid-morning when I get to work. Any ideas? Fallen back into the habit of a few cups of tea each day with milk. Need to stop that and need to focus on more water. Took a Camelbak water bottle to work which worked well.

Weights : 218.6 lbs

Breakfast : ham and eggs – 362 calories

Lunch : Mixed salad, shrimp and cottage cheese – 343 calories

Dinner : Shrimp and avacado salad – 400 calories
4HB Experiment 1 “Recomposition” – Day 13

Posted: January 18th, 2011, 8:02pm CST by Mark Curphey

Tags: [edit]

Fell off the wagon in the afternoon (but not that badly). Wen’t out for lunch and tempted by cupcakes which led to a bottle of wine in the afternoon which led to ……

Weight : 220 lbs

Breakfast : ham and eggs – 362

Lunch : Beef and shrimp (Boom Noodle, Capitol Hill) – 480 calories

Afternoon snack : Coconut Bunny cupcake from Cupcake Royake – 500 calories

Bottle of Syrah – 750 calories
4HB Experiment 1 “Recomposition” – Day 12 (Binge Day)

Posted: January 18th, 2011, 7:51pm CST by Mark Curphey

Tags: [edit]

Weighed in at 215.5 lbs. That was a loss of 7.5 lbs in the first two weeks (which included my birthday). Good progress. Feeling good and getting into a rhythm. Less concerned about shorter term gains and more concerned about making it sustainable plan that I can stick to for a while. Had a running lesson in the morning.

Weight : 215.5 lbs

Breakfast : 2 bowls of cornflakes with whole milk,

Morning snack : chocolate croissant

Lunch : 2 whole foods burgers with rolls

Dinner : Pizza + ice cream

Evening snack : Bottle of pinot noir and a few vodka and oranges

Lost track of time (and calories), woke up with a hangover! Probably gorged on other things in the evening
Rock, Paper Scissors – Early Thoughts on Game Theory and Community

Posted: January 17th, 2011, 2:56am CST by Mark Curphey

Tags: [edit]
“Game theory” is one of those phrases that I have heard many times in my life but never understood what it was. Most British computer science courses have an elective and I am sure most mathematics undergraduate degrees include it in the curriculum but I did my Masters degree in a mathematics department and my undergrad degree in an engineering department so missed out. It’s never too late to learn so a few weeks ago I got a book called Rock Paper Scissors with the intent of trying to understand if there was a correlation between game theory and how humans behave in social networks and online communities. I think I am onto something and while it’s early stages of really understanding the topic I suspect game theory could be used to explain and understand many patterns of why people do what they do and how to effectively structure incentive and plan for conflict. More importantly it may offer a very real blue-print for effectively motivating and rewarding online communities to work better together.

The first chapter of the book discusses the “Tragedy of the Commons” and what is often known as “The Prisoners Dilemma”. This simple theory is having such a profound effect on my thinking that I wanted to share it incase anyone else was in my shoes and interested in game theory and online community. John Nash was portrayed in the Hollywood film A Beautiful Mind as a paranoid schizophrenic and shared the Nobel prize in 1994. One of his greatest achievements was the Nash Equilibrium.

Assuming we don’t want to go into the math above (I don’t and probably can’t) the theory has been turned into numerous scenario based examples to help mere mortals understand it. One such example is called the Prisoners Dilemma and of course there are many variations on the story but imagine this.

Two thieves are arrested. They are both carrying concealed weapons, a crime which caries a sentence of at least 2 years. There is no solid evidence but they also just committed a burglary where the mandatory sentence for an armed burglary is 10 years. There are several options how the scenario might play out;
- If they both keep their mouths shut they will both get 2 years each or a total of 4 years of punishment.
- If they both confess they will both reduced sentences of 4 years or a total of 8 years.
- If one is convinced to ‘grass’ on the other and in doing so plead guilty to the armed robbery he might a reduced sentence of 4 years and the other the maximum sentence of 10 years (14 years total).
- If they are both found guilty without confessing they will get 10 years each or a total of 20 years of punishment.
As you can see it is in both of their interests to keep their mouths firmly shut (morals aside). You can read more about how these scenarios can be depicted in matrix tables and the variations in the book and on Wikipedia.

The interesting thing here from a social science perspective is that the optimum solution for both prisoners relies on two fundamental things. Both parties must agree the strategy (keep their mouths shut in this case) and both parties must execute that strategy. As soon as either party deviates form the strategy both parties will suffer. How bad either party suffers depends on the deviation.

This not only sets a great framework to explain why people should co-operate but sets the basis for how to create online schemes where working together is rewarding and working against each other punishes the community. As I mention this is early days for me but I plan to capture my learnings in the community wiki I am building and look at how game theory may explain why some communities thrive and others die. I suspect there are core patterns in the way community members are recognized and rewarded that are key to the success or failure of groups.
Barefoot Running – 3 Things I Learnt at My First Born To Run Clinic

Posted: January 15th, 2011, 10:26pm CST by Mark Curphey

Tags: [edit]

Today I took my first barefoot running lesson at Born To Run. Born To Run is a new barefoot / minimalist running shop set up around the principles of the barefoot running movement and the Born To Run book (Barefoot Ted, one of the characters in the book is involved in the shop). I am lucky enough to live near their first shop and over the holidays noticed they are running barefoot running clinics so I signed up. For $50 an hour you get 1:1 tuition on barefoot running form and how to effectively and efficiently run barefooted. Despite some scheduling hiccups today it was a great intro. and I plan to make it a monthly event to work on my running form. This is what I learned today:

1. Lean

2. Lift Your Knees (Don’t Jump)

3. Relax the Ankles

Lean – By leaning forward you use gravity to go forward. If you think about it imagine running downhill. When you want to slow down you lean backwards and if you want to go fast you lean further forwards. The same works when level. We practiced slowly falling towards a wall to get the feeling and then using the same technique to lean forward when running.

Lift Your Knees – Try running on the spot. Chances are you will do what I did, which is to jump from foot to foot. When you do this you are bouncing your entire body weight on each stride. Needless to say this is very inefficient. I pranced around the shop like a show pony just lifting my knees and walking to get used to it. I was asked to pretend I had rods through my ankles and I had to lift my legs to make sure I didn’t trip. This was surprisingly effective.

Relax Your Ankles – A relaxed leg leads to your foot landing correctly. I had previously been focusing on landing on my forefoot. Dan the instructor explained that he doesn’t teach fore-foot striking, instead focusing on people having relaxed ankles and forefoot striking naturally.

We went outdoors for a quick trot and put it all together. I can honestly say that in an hour I have not learned as much about running as I have in days of reading. It explained why I have been getting very sore calves (I prance on my feet) and why my achilles has been inflamming.

Next lesson in two weeks.

NB : It turns out I can bring others to the lessons for no cost. Let me know if you are in Seattle and want to join!

- Mark Curphey
Why Run Barefoot ? – My Story

Posted: January 15th, 2011, 5:56pm CST by Mark Curphey

Tags: [edit]

This is the story about how I came to embrace bare-foot running and what I have learned along the way so far.

I have been jogging on and off for the last two years but never considered myself a runner. Last March I was in Buenos Aires, Argentina speaking at a conference. I was traveling with two girls from work who were both training for a marathon. One of them had lost a friend the previous year to Lukemia and was running with Team in Training raising money for Lukemia research. I went out for some glorious runs with them in the sunshine around Buenos Aires and it’s wonderful parks. One evening over beer in Argentina I decided to do the marathon as well and joined them on the Spring Team in Training (TNT) Season for the Seattle Rock’N'Roll marathon. Thanks to generous friends and Microsoft’s gift matching I quickly raised over $3,000 dollars and settled in to focus on the training. TNT make it easy with a planned training schedule and group runs. I started running in the morning before work during the week and attending the longer group runs at the weekend. Despite the cold Seattle weather training was enjoyable and I found myself really enjoying the running. I found running to be a combination of a mental and physical challenge and I found that I had a very high tolerance for mental pain that I could translate to physical endurance. I felt great, weight came off, I felt alert and happy and generally more inclined to eat well. I hated running as a child and have nasty memories of dreading cross-country at school in the cold British winters but here in my middle-age I had discovered a sport that offered the mental challenge and physical rewards I was looking for. After my first half-marathon distance I got a mini-boost of confidence and eased into the longer distances until one Saturday on an 18 mile training run disaster struck. I felt a pain in the shin of my left leg after around 15 miles, dismissed it as a “twinge” and ran back. Over the weekend the pain increased to a point where I struggled to walk. Ibuprofen and constant ice packs were having little effect and so on the Monday I visited a physical therapists and was immediately referred to the hospital for an MRI. While on the table getting the MRI the problem became obvious. An area on my leg was lighting up like a match on the screen. I had picked up a stress fracture.

What followed was what I suspect is the typical way doctors treat this kind of injury. I was prescribed a leg brace, crutches and strong anti-inflamatory drugs and told in no uncertain terms that I would not be running a marathon anytime soon. I was referred to a series of physical therapy three times a week and referred to a podiatrist for a gate analysis. The physical therapy consisted of a set of exercises to improve mobility and flexibility along with a set of yoga poses to improve core strength. I bought ankle weights to work at home, although frankly didn’t use them much. After a month or so the podiatrist put me on a treadmill and had me run while they took a high speed video and looked at how my feet hit the ground. My feet were put in a machine that took a 3D mould with a laser and I was prescribed custom orthotics to go inside my running shoes. I was told to go and get specific balance shoes to compensate for my pronation (bow legs to the average person). The orthotics were horrific, they looked like the sort of thing old people wear and I became very skeptical that they were the answer. A week before seeing the podiatrist and at this point missing running I picked up a book called Born to Run (Amazon link here). Both to Run is the story of a journalist who stumbled across a tribe called the Tarahumarha in Mexico’s Copper Canyons that were ultra-distance runners. They would cover hundreds of miles in nothing more than thin soled sandals often home-made from car tires at incredible speeds and on a very limited diet. The book follows the story of the search for a fabled American who had gone to the Copper Canyons and was now living and running among the Taraumahra and how he realized a crazy idea to pit the worlds best endurance runners again the tribe. The book is a wonderful read for it’s story but contained a powerful message that most of running injuries in the modern world have happened since the birth of soft spongy running shoes in the 70′s and 80′s. People have been running barefoot for thousands of years chasing down animals on foot for food and that there was living proof in Mexico of all of this in the form of the Tarahumara.

I was immediately drawn to the mantra of the book. It just made sense. I had never even thought about my running form, the type of shoes I was wearing or my bio-mechanics so I started researching the web and the more I read the more it made sense. A distractor for me had been the rise of Vibram Five Finger shoes (which ironically I now wear). Many geeks could be seen wearing them in normal life and they certainly aren’t flattering (especially on over-weight hairy geeks!) but I read Born to Run twice and decided to give it a go. After a struggle to by a pair of the new (at the time) running Five Fingers called Bikila’s due to over-demand I spent a few weeks running 30 minute circuits around the grass sports field at work in my lunch hour. I got some crazy looks from people playing football and frisbee but soon got comfortable and found myself steadily able to run barefooted with no pain. The feeling of running with no cushioning is strange at first but rapidly becomes natural. Over the course of the late summer I got my Five Fingers, built up my distance and decided to enter the November Seattle marathon. A serious of unfortunate work pressures kicked in and for whatever reason I could never seem to pull together a reasonable training schedule. Four weeks from the marathon I was running just a few miles a week and so I decided to drop the the half-marathon as a pre-caution. I new that I wasn’t even prepared for this but with a strong mental capacity I figured that I could go out and run and deal with some stiffness after the event. Foolishly I decided to go out two Saturdays before the event and run 12 miles. It was a very cold day and wet on the ground, so I put on my Saucony Kinvara’s. Kinvara’s are a minimalist running shoe but still look and feel like a traditional shoe. It was simply too cold for FiveFingers and I wanted to run (I have since bought Injinji socks and am planning to try some TerraPlana Evo’s soon). I had a great run around Lake Union, my heart rate was actually dropping after 2 hours and I felt great, but as I turned into my road at home I felt my achilles tightening. The inevitable had happened. Low distances and then just going out and running a half marathon and I had picked up another injury! The November marathon came and went and work got in the way of a new training schedule but it’s the new year and I am more determined than ever to not only complete an official marathon this year but tackle an ultra marathon. I am also hoping to get some trips to run in cool places like the rim of the Grand Canyon or maybe some deserts. The Pacific NorthWest has some great trail running as well on my door step.

The evidence for me has been compelling and I can’t see myself ever going back to running shoes at this point. I have been injury free while running bare-foot but each time I put on running shoes I get some sort of injury. Why would I do that to myself? And that right there is why I run barefooted. This morning I had a bare-foot running lesson at Born To Run. When I got home my seven year daughter was laughing hysterically; “Why does a 42 year old man need to learn to run?”. It’s simple. I know that running barefoot seems to allow me to run injury free. I know the evidence and history supports that evidence all boils down to a key factor being running form. It’s running form that helps you avoid injuries, run longer, faster and use less energy. I am now looking to find out how to optimize my form to improve my running and remain injury free as I do it.

- Mark Curphey
4HB Experiment 1 “Recomposition” – Day 11

Posted: January 14th, 2011, 10:34pm CST by Mark Curphey

Tags: [edit]

Notes : Just one day to binge day. The binge list has grown to include chocolate croissants, a burger and fries, bagels and Kerrygold butter, cornflakes, pizza and cookies. Well see! Down to 216 lbs a weigh in this morning so 1lb away from my target for the week. I have a running lesson (bare foot running coach helping me with my running form) tomorrow morning so can’t go to crazy for breakfast.

Weight : 216 lbs

Breakfast : Ham and eggs – 262 calories

Lunch : Beef and Shrimp bowl (Baja Fresh) – 450 calories

Afternoon : Wheat beer (office event) – 320 calories

Dinner : Ham salad – 150 calories

Evening snack : Tbl spoon of peanut butter and coconut water drink – 240 calories

This is the weight loss and calories graph so far.

- Mark Curphey
4HB Experiment 1 “Recomposition” – Day 10

Posted: January 13th, 2011, 10:15pm CST by Mark Curphey

Tags: [edit]

Notes : Big weight loss today. Almost certainly due to low calorie yesterday. Stuck in a few meetings and fired up DailyBurn and interesting to see the graphs of weight loss. Decided to plat out the calories against the weight loss as well as protein, carbs and fat. Will be interesting to see if the delay in loss etc. Getting a little obsessed by measurement and thinking about measuring water intake using a flow-meter and measuring that. Another low calorie day but finished with a steak and wine so can’t be bad. Encouraged by comments in blog. Keep ‘em coming. Been thinking about ways to make breakfast the biggest meal and dinner the smallest (blog comment) and bought some binge food while shopping (Pepperidge Farm cookies and cornflakes). Plan to binge on pizza (Tutta Bella) and chocolate croissants this weekend.

Weight : 216.6 lbs

Breakfast : Omelet made with 3 organic eggs, eggology egg whites and ham – 361 calories

Lunch : mixed salad with shrimp and edamame – 280 calories

Dinner – Organic New York Strip Steak (which I way over-cooked!) and 2 big glasses of Pinot Noir – 821 calories

- Mark Curphey
4HB Experiment 1 “Recomposition” – Day 9

Posted: January 13th, 2011, 10:05pm CST by Mark Curphey

Tags: [edit]

Notes : Very low calorie day but awesome dinner. Shrimp with garlic, ginger, coriander and chili mixed with edamame in a pan (dash of olive oil). Touch of honey and bam! May have over done the chili but ……Can’t seem to get into the habit of video diary and definitely not drinking enough water. I need to take a water bottle to work.

Weight : 219.4 lbs

Breakfast : Ham and eggs – 453 calories

Lunch : mixed salad with shrimp and tofu – 277 calories

Dinner : Shrimp, ginger, garlic, chili, coriander, onion and edamame – 394 calories

- Mark Curphey
4HB Experiment 1 “Recomposition” – Day 8

Posted: January 11th, 2011, 10:50pm CST by Mark Curphey

Tags: [edit]

Notes : Felt pretty good all day. Not hungry at all but then hardly surprising after gorging at my birthday dinner on a steak the size of my face. Had shrimp, edamame and tomatoes for dinner tonight which was superb and very low calories, high protein (see photo below). May become a staple. I just love edamame beans. Tim Ferris has been tweeting some photo blogs today from others with impressive results here and here. Made me more determined to kick it up a notch! Setting myself a mental goal to be 215 lb by next binge day (Saturday). That will be an 8lb loss in two weeks. Crazy snow in Seattle tonight so that will mess up any running.

Weight: 221 lbs at 6:30 am

Breakfast : 5 slices of organic ham – 200 calories

Lunch : 5 slices of organic ham and raw spinach – 236 calories

Dinner : Shrimp, edamame, tomatoes and salsa – 550 calories

Evening snack : Hefeweizen beer – 159 calories

- Mark Curphey
4HB Experiment 1 “Recomposition” – Day 7

Posted: January 11th, 2011, 12:43am CST by Mark Curphey

Tags: [edit]

Notes : Birthday today and dinner with Mrs. C at Metropolitan Grill so didn’t stick to diet in the evening. Heck, it’s my birthday! Got a copy of Final Cut Express so should be able to edit the video blog content better.

Weight : 219.8 lbs

Breakfast : Organic eggs and organic ham

Lunch : Odwalla Protein Monster and tablespoon of Hummus

Dinner : Massive rib-eye steak, fries and creme brulee, washed down with half a bottle of pinot noir. Gave up counting calories (but was worth it, at least worth it tonight)!

- Mark Curphey
4HB Experiment 1 “Recomposition” – Day 6

Posted: January 10th, 2011, 8:49pm CST by Mark Curphey

Tags: [edit]

Notes : After binge day I was not particularly hungry but probably went under on calories. Short run in the morning. Nothing else of interest. Birthday tomorrow so I suspect the diet will get broken. Not found time to edit up the video diaries yet.

Weight : 220.8 lbs

Breakfast : Organic bacon & 2 eggs – 356 calories

Lunch : Bison Steak and peas – 376 calories

Afternoon : Sliced roast beef – 369 calories

- Mark Curphey
4HB Experiment 1 “Recomposition” – Day 5 (Binge Day)

Posted: January 8th, 2011, 10:51pm CST by Mark Curphey

Tags: [edit]

Hooray for binge day! Waking up to cornflakes and milk was a real treat (but check out the calories when had with whole milk) !

Weight : 218.4 at 7am (thats 4.6 lbs lost in the first 5 days)

Breakfast : two bowls of cornflakes and milk – 670 calories

Morning snack : croissant – 320 calories

Lunch : Baguette (Macrina bakery) and Kerrygold butter, 2/3 of a Trader Joes 3 cheese pizza washed down with two Haywire Hefeweizen beers. – 1077 calories for lunch and 336 for the beer

Dinner – Homemade pizza by Hana (aged nine) and Ben and Jerrys Creme Brulee ice cream - 858 calories

After Dinner : bottle of Inkerry Shiraz and Hefeweizen – 818 calories

That’s 4064 calories for the day !!!

- Mark Curphey
4HB Experiment 1 “Recomposition” – Day 4

Posted: January 8th, 2011, 6:40pm CST by Mark Curphey

Tags: [edit]

Notes : Voice much better today. No more weight loss and ended up taking strong pain-killers last night for the back pain. Really really looking forward to the binge day tomorrow. Top of my list are chocolate croissants and cornflakes with milk. Amazing how many calories in those Odwalla protein drinks!

Weight : 219.6

Breakfast : Organic ham and 2 poached eggs – 384 calories

Lunch : Large mixed salad with cottage cheese, chicken and ham – 427 calories

Afternoon snack : Odwalla protein monster – 400 calories

Dinner : grilled chicken breast with a black bean salad (organic black beans, tomatoes, coriander, white wine vinegar and sweet corn) – 519 calories

Evening : Handful of pistachio nuts and 2 glasses of Shiraz – 250 calories

- Mark Curphey
4HB Experiment 1 “Recomposition” – Day 3

Posted: January 6th, 2011, 10:51pm CST by Mark Curphey

Tags: [edit]

Notes: Woke up with cold and having lost voice. Worked from home all day. Felt very weak. Nagging dull ache around kidneys all day. Could be from sleeping funny (have Tempurpedic mattress) but suspicious given crazy amount of protein. Working from home was much easier to eat well (stagger food).

Weight: 219.4

Breakfast: Cold beef and raw carrots - 192 calories

Lunch: Grilled chicken breast, home made guacamole (one avocado, garlic glove, fresh coriander), black beans and organic salsa – 760 calories

Dinner: Organic ham and 2 poached eggs – 302 calories

Two glasses of Stump Jumper Shiraz- 244 calories
4HB Experiment 1 “Recomposition” – Day 2

Posted: January 5th, 2011, 9:24pm CST by Mark Curphey

Tags: [edit]

Notes : Much better day today. Breakfast was very good and dinner just superb (see below). Went to Trader Joes at lunchtime and bought some organic pastrami and a veggie drink. Veggie drink tasted like liquid celery (not nice). Had a mild head-ache all day so convinced it’s caffeine withdrawal. Stopped on way home and picked up organic salsa (with nothing bad in it), avocados and coriander. Made home made guacamole which was awesome but was half the calorific value of the meal! Didn’t drink as much water during the day as I probably should have. Need to bring a water bottle to work. Video diary becoming more natural and easy to do. Need to think about editing them in a video blog this weekend.

Weight : 219.4 lbs

Breakfast : 4 slices of black forest ham (organic, nitrate free) with three fried eggs – 510 calories

Lunch : Pastrami and Veggie drink – 380 calories

Dinner : Grilled chicken breast, home made guacamole, black beans and salsa - 1005

Snacks : Carrots

[tonights dinner]
4HB Experiment 1 “Recomposition” – Day 1

Posted: January 4th, 2011, 10:47pm CST by Mark Curphey

Tags: [edit]

Notes : Tough day today. Learning a lot of hard lessons about choosing the right food. I made the same mistake again about far too long between lunch and dinner. I don’t get home until around 8pm which is an 8 hour gap between lunch and dinner. I wen’t way under on calories. Way under! Going to step up to 4 meals a day from tomorrow. Found myself thinking about various foods and struggling to figure out if they are OK. Shrimp ? Heinz Baked Beans ? I think I will go out later and get some cold meat (ham and pastrami) to have with fried eggs for breakfast. Need carrots as as snack. Did my first video blog entry today and happy with it.

Weight – 220.6 lbs (6:45am)

Breakfast - 2 organic eggs (boiled and cold) and a bowlful of raw spinach (horrid) – 152 calories

Lunch – Baked tofu and raw spinach – 212 calories

Dinner : 3 fried eggs, two teaspoons of edamame hummus, bison steak and half pound of peas - 812 calories

[tonights dinner]
4HB Experiment 1 “Recomposition” – Day 0

Posted: January 3rd, 2011, 11:16pm CST by Mark Curphey

Tags: [edit]

Today is the first day of my 4HB “recomposition” experiment. During the week I will just make rough notes and record data like this post.

Notes : Very tired all morning but probably due to late night last night. Toughest thing today has been not drinking tea. I would normally have 3 cups in the morning and 4 or five in the evening with 3 cups of coffee during the day. Just stuck to water which was tough. Need to look for a sustainable alternative. Looked up online and one coffee seems OK so had a double espresso in Bauhaus but I need a sustainable hot drink. Green tea ? Made the mistake of meeting friend at coffee shop this afternoon 2pm and not getting home until gone 8pm so was very hungry. Need to prepare better. Baking some tofu in the oven which I can take to work tomorrow with salad leaves. Need to find a list of what food is and what isn’t OK. Used garlic in dinner tonight. Anyone have such a list? Total calories so far (it’s 9pm now) is around 1,250 (way low) so will try and find a snack in a while. Didn’t do any video today. Found it weird (pretentious) trying to talk into a laptop, especially in a coffee shop. Will do some video diary tomorrow. [10 pm added baked tofu snack and handful of pistachio nuts]

Weight – 223 lbs (7:30am)

Breakfast - 2 organic eggs, some eggology egg whites and a cup of edamame beans (soy beans). Note bad but a bit bland. 333 calories

Lunch – 6 oz (approx.) beef, large helping of mixed frozen organic vegetables. 445 calories

Dinner : 8 oz (approx.) beef, asparagus, fresh garlic and basil. 480 calories.

Evening snack : Baked tofu and hand-full of pistachio nuts.

I opted not to take pictures of my body as recommended by Tom Ferriss. TMI!
4HB Experiment 1 “Recomposition” – Day Minus 1

Posted: January 2nd, 2011, 11:38pm CST by Mark Curphey

Tags: [edit]

My Four Hour Body (4HB) experiment gets underway tomorrow. Experiment One is the Slow Carb diet and I just got supplies for the first week from Whole Foods and Trader Joes (supplies later).

These are the things I plan to measure. The more data the better. I am not going to get hung up on daily fluctuations but use the overall data to track trends and results.

1. Weight – In pounds using my Tanita scales

2. Body Fat – Using Slim Guide Skin Fold calipers (just ordered on Amazon)

3. Calories (Intake) – Using DailyBurn

4. Calories (Outtake) – Garmin 405 CX for runs

5. Cholesterol Levels – Dr. blood tests

6. Other blood composition such as vitamin D3 (I live in Seattle!) via the Dr’s blood tests

7. Resting Heart Rate – Garmin Forerunner 405 CX

8. Distance – Garmin Forerunner 405 CX (although this will be VERY low mileage in the first diet month as I nurse back an achilles injury)

I may add more vitals as I go along and learn more.

I will start measuring in the morning (or later in the week when things like the calipers arrive).

One interesting calculation to consider is the Basel Metabolic Rate (BMR), the amount of calories your body needs just to function (if you stayed in bed all day). I just used the Discovery Chanel online BMR calculator and it came in at 2,130 calories. Much like the comments from Chad Fowler in the 4HB if I make the big assumption that 4,000 calories is approx. 1lb of body weight and I run for 30 mins 4 times a week (I just looked at my Garmin Connect account and a 30 min run is around 400 calories) then I should be able to notch up a decent loss (not taking into account any of the principles of the slow carb diet)

Weekly BMR = 2,130 x 7 = 14,910

Weekly Calorie Intake (assuming 1,750 a day) = 7 x 1,750 = 12,250

Weekly Calorie Burn from Running = 4 x 400 = 1,200

Net Effect (Before taking into account normal daily activity) is a reduction of 12,250 (14,910 + 1,200) = 3,860. That’s pretty close to 1lb a week. It’s clear where the big gains will come. Food not exercise. I just checked and my last 10 mile run burnt up less than 3,000 calories. Don’t get me wrong 4 of those a week would be awesome (although I know I eat to compensate) but I won’t be at that level of fitness until the summer.

Even before the mass assumptions the calculations above will be nothing more than of passing interest given the nature of the 4HB slow carb diet. The weekly day of binging for example to raise your metabolism etc. don’t lend itself to conventional diet tracking.

The Food ?

I just spent $15.61 in Trader Joes on frozen vegetables and $79.50 in Whole Foods on frozen vegetables, meat, eggs, tinned beans (black, pinto and red) and supplements. We have an organic vegetable box delivered each week from New Root Organics so this is really just to stock the freezer with vegetables for easy consumption. All frozen vegetables were organic. I got frozen chicken breasts, fresh steak and frozen bison. For supplements I got some Magnesium and Potassium. I already take Calcium (after fractured leg last year) and Vitamin D3 (I live in Seattle and we don’t get enough sun for the body to manufacture the right amount). I have an array of other supplements I was taking while training such as Flax Seed oil and St. Johns Wort which I will probably continue until they run out and re-evaluate.

The Video Diary

Looks like I have recruited at least one guinea pig (I mean volunteer) to join me, Andrew Becherer. I am waiting to hear from one other. Anyone else is welcome to join and share the results. The plan is for us to maintain video diaries and edit them into a weekly documentary style video blog. The more the merrier, especially the more people from diverse backgrounds and locations!
Guide to Building Online Communities (Wiki)

Posted: January 2nd, 2011, 1:28am CST by Mark Curphey

Tags: [edit]

I have started drafting a “Guide to Building Online Communities” (provisional title) using a wiki. The work will be published for free under a Creative Commons license as part of a community I plan to launch in a few weeks. This initial draft is really to provide something for the community to “hack on”.

If you have experience in creating, participating or running online communities and have some words of wisdom to share then please get in touch (blog comments or email).

The provisional Table of Contents can be found here.
My 4-Hour-Body Video Experiment

Posted: January 2nd, 2011, 1:15am CST by Mark Curphey

Tags: [edit]

I got a copy of the 4 Hour Body for Christmas. If you haven’t heard it’s an unconventional guide to health and fitness. The author Tim Ferriss has gone out of his way to experiment on himself without pre-conceived notions of what works and what doesn’t, and then captured his findings (and those of his army of disciples) in the book. It’s riveting reading and gave me an idea for something I have been thinking about for a while.

Last year I took up distance running and got hooked. Hooked that was until I picked up a stress fracture while training for my first marathon. After physical therapy and a three month recovery I then got injured a second time with an achilles issue. After the first injury and a bunch of research that lead me to the great book Born to Run, I became sold on the merits of barefoot running. The stress fracture was almost certainly caused by “heel striking” and the achilles injury happened when I put shoes on for the first time in the fall and went for a 10 miler around Lake Union in Seattle.

The 4-Hour Body has three really interesting sections that have caught my attention. The first is loosing weight. Since I stopped running I have put on 15 lbs and was (at least) 10lbs overweight anyways. The second is reversing permanent injuries (obvious reasons above) and the third is endurance running. They have a training schedule to go from 5K’s to 50K’s in 12 weeks using 400M circuits among other things.

For a while I have wanted to have an excuse to experiment with video so I have an idea. I am going to start the 4-Hour-Body diet on Monday and video my progress in a weekly video blog. The book claims typical results of loosing 20 lbs in 30 days, it’s a little wacky with a repetitive diet of meat and vegetables (more next week) and a weekly binge day where you are encouraged to eat massive amounts of anything you crave to boost your metabolism.

Let’s see if it works! If anyone is interested in joining me (experiment and video) let me know.
The Best and Worst Quotes Ever Used in the WorkPlace

Posted: December 31st, 2010, 7:54pm CST by Mark Curphey

Tags: [edit]
A friend (who shall remain anonymous) collects quotes used at his workplace (which for the record and to be 100% clear is not my workplace) and send me his “list of the last decade”. These were the best (or worst):
- Take what we know, double it, and add 50%
- How did you get to be this old being this stupid?
- Do I look like I have a flipper growing out of my head?
- He knows the cost of everything and the value of nothing
- All Diplomacy is enlightened self-interest
- I’ll start being nicer as soon as you start being smarter
- Don’t piss on my leg and tell me it’s raining
- Give me ambiguity or….. give me something else
- If you want a friend in that office, get a dog
- The road to hell is paved with good intentions
- Beatings will continue until morale improves
- Put down the crack pipe or pass it over
- Alert the authorities- he’s depriving a village somewhere of a perfectly good idiot
- Do you need me to write it in crayon for you?
- It had an engineering slant that made it annoying
- I heard that, now say it again in less words so we can understand
- Stick with the plan, you really aren’t that smart
- If you come to the meeting to read email and smile, don’t come- we can use the air and the free space
- I think… you do
- The crack you’re taking may be legal in your country but it’s not where I stand
- There is no patch for stupidity
- You’re the problem
- Even a blind squirrel finds a nut now and again
- Don’t boil the ocean
- We’re over here making chicken salad out of chicken shit
- He uses an eye dropper to empty the bathtub
- I just eat my peanuts and do my tricks
- We don’t plan- we improvise
- Change is inevitable… growth is optional
- This horse is dead so I’ll try to get off
- I don’t mean to throw a dart in your handbag, but…
- Your priorities are my nights & weekends
- We’re the Shit filter for the Sausage factory
- I know you’re already working smarter, could you start working harder?
- The Q4 dustbowl is over
- I just want to do business with someone who’s in business
- Never wrestle with a pig- the pig likes it and you just get dirty
- She looks at the world through shit colored glasses
- Which is worse- ignorance or apathy? I don’t know and I don’t care.
- There are at least 1,000 ways to say No and only 1 of them is No
- I don’t know the answer to your question, but I admire the problem
- Don’t confuse activity with results
- That number is accurate but misleading
- That’s our plan unless we step in the lucky shit
- He doesn’t know what he doesn’t know and what he does know is done poorly
- He does precision micro-managing
- When you’re in the hole, put down the shovel and stop digging
- I’ll start doing your job when I start getting your pay
- Don’t open the kimono unless there’s something good to see underneath
- Maybe we need different “top people”
The Importance Of Side-Projects

Posted: December 31st, 2010, 12:33am CST by Mark Curphey

Tags: [edit]

I think side-projects are very important for creative people. They allow you to;

1. Define Your Own Destiny – For many people ‘work’ means working for someone else (person or company). That means largely taking into account the interests of the thing you are working for and first and foremost doing what’s right by them. You have responsibilities and accountabilities that constrain your free thinking and decision making process. Side-projects free you from those constraints and allow you to be in charge of your own destiny. You answer to yourself.

2. Take Risk – The cost or ramifications of failure is usually significantly less in side-projects. If the side-project fails you’ll still have your day-to-day life. That doesn’t mean to say people are any less committed but it does mean that people working on side-projects can take more risk that they can with their day-jobs. They can experiment. The irony of course is that experimentation and controlled failure breeds success.

Thomas J Watson : ” Would you like me to give you a formula for… success? It’s quite simple, really. Double your rate of failure. You’re thinking of failure as the enemy of success. But it isn’t at all… you can be discouraged by failure — or you can learn from it. So go ahead and make mistakes. Make all you can. Because, remember that’s where you’ll find success. On the far side. “

3. Create Your Own Structure – Side-projects can sustain teams of people that typically won’t survive commercial projects. Companies typically need a mix of rocket-scientists and “steady joes” to succeed. Without the need to have a guy to make sure the bills are getting paid or that the Mr X isn’t an HR violation, side-projects can create working environments where people can truly be themselves. People can form teams of rocket scientists and choose to work only with people they want to work with rather than people they have to work with.

4. Don’t Worry About Breaking the Rules – Side-projects don’t have to worry about breaking any rules because they make their own rules!

Even forward thinking companies are embracing side-project philosophies like Googles famous 20% rule.
Online Community Patterns

Posted: December 28th, 2010, 6:21pm CST by Mark Curphey

Tags: [edit]

I have been looking for a meaningful new side-project for a while and have now been actively working on an idea with a “partner-in-crime” for a few months. We plan to launch a web-site sometime early in the new year and we will start blogging and tweeting about it soon.

The last big side-project I started was OWASP (which now has thousands of “partners-in-crime”). Looking back the time I spent working on OWASP was one of the most motivated and creative times of my adult life. When we first started the project there was no goal or rule book to follow. There was a set of ideas and a collective passion for web application security. That was it. Everything else got figured out along the way as a community. A community that had no definition, no initial structure and no governance. I don’t think anyone even recognized it as a community for a year! Probably most importantly was that there was a feeling that there were no-rules and no-limit to what could be achieved if a few like minded passionate people came together. While I haven’t been involved in OWASP in any meaningful way for a number of years and so can’t take credit for it’s phenomenal success over the last decade, it ignited my interest in something that I think is quite profound. In truth while there will always be software security in my DNA it was the community aspect of OWASP that I enjoyed and learned from the most. I read a lot and often find myself relating passages in modern online social science books like Getting Real (Re-Work), The Long Tail, Groundswell and Here Comes Everybody to what I have observed happened (and is happening) at OWASP. It has been a very good online social science lab!

Of course at the time certain patterns of behavior or actions weren’t calculated. They just happened by luck (lucky timing I guess) but several years on and way too many hours spent online I am utterly convinced that there is a very strong correlation between key patterns in online social science and organizational theory which when combined with design patterns in social software are strong indicators of the success or failure of online communities.

The way people organize themselves, the types of people that are involved, who makes decisions (and of course how decisions are made), how community members are recognized and rewarded and how disputes are resolved are all critical patterns. The type of software communities embrace is also vitally important to success. Social software be it a wiki enabling collective editing, a mailing list enabling seamless discussions or a blog enabling friction-free publishing work with different degrees of effectiveness depending on the community.

Most fascinating of all of this of course is that no one size fits all. There are clear patterns but not play-books and that’s what makes it so fascinating.

So my next project will a community for community organizers and developers!
How To Create a CI Environment for BDD for a Ruby on Rails Project : Part 1 – The Introduction

Posted: October 27th, 2010, 11:56pm CDT by Mark Curphey

Tags: [edit]

My head is frankly spinning at the moment from Ray Ozzies Dawn of a New Day memo a few days ago. I have a few “big bets” in the brew at work, some crazy things going on in my personal life (in touch with my dad after 20+ years) and trying to find time to work hard on a side-project focused on building better community software…….and then there is training for a half-marathon in a few weeks which isn’t optimal at this point). I rest my case your honor about why blogging has been slow….

One of things that has been very interesting about the side project I am working on is learning how to do Behavior Driven Development (BDD) and the freely available options to create a Continuos Integration (CI) environment. I think my learnings make for a great series of blog posts about the various services (for the most part open source and free) and how you can use them to set up your own end-to-end continuous integration environment that supports behavior driven development. We are using Ruby on Rails but this equally applies to other technologies so this post is the introduction of the series to follow. I plan to follow up with three more detailed posts covering;

Part 2 – User stories & task tracking (Pivotal Tracker & Story Mapper), UI mockups (Balsamiq) and test driven technical specs (cucumber)

Part 3 – TDD (RSpec, Cucumber, Webrat and GitHub)

Part 4 – CI – Hudson and Heroku

Our basic environment looks like this.

Part 2 - User stories & task tracking (Pivotal Tracker & Story Mapper), UI mockups (Balsamiq) and test driven technical specs (cucumber) will follow early next week!!
A Shot in the Dark – Trevor Curphey

Posted: October 21st, 2010, 1:36am CDT by Mark Curphey

Tags: [edit]

A total Shot in the Dark but if anyone knows the whereabout of Trevor Curphey (Hugh Trevor Curphey), last known to play a lot of golf at the Monmouth Golf Club then please get in touch.
You work at Microsoft yet have an iPhone, MacBook and build software in your spare time using Ruby on Rails. What gives?

Posted: October 20th, 2010, 11:09pm CDT by Mark Curphey

Tags: [edit]

In the coming year I plan to post about a new side project I am working on with some friends. It’s a long term fun thing and very much a side-project to our day jobs. We have decided we think there should be better software for online communities and have decided to have a go at putting our code where our thoughts are. We will be developing our site using Ruby on Rails (using behavior driven development (BDD) and continuous integration (CI)). I recently bought a MacBook Pro to do my development on and love it. While tools exist on Windows, my observation has been that any serious Rails developer looks for TextMate, Git, MySQL and other tools that are somewhat native to *nix based OS’s. In short Cygwin drove me up the frigging wall!

During the day I work at Microsoft and so the obvious question has come up in conversation. ”You work at Microsoft yet have an iPhone, MacBook and build software in your spare time using Ruby on Rails. What gives?”.

Here is my opinion:

1. “Different Horse for Different Courses” – There is a great English phrase meaning that some race horses are better in the flat and some better over hurdles. If you look at the eco-system for social software a significant portion has grown up from open source roots. The Ruby eco-system with GEM’s like OminAuth for instance is rich with lots of Lego blocks for us to use for the type of site we want to build. It’s a good horse for our course. Conversely if I was building a corporate app with integration into corporate infrastructure I would be looking to a different horse, .NET. It’s true you could build either type of software with either type of solution (let’s face it StackOverFlow is built in .NET) but for what we want to build, Ruby and Rails makes sense.

2. You Can Learn a LOT with an open Mind – If it wasn’t for exploring Cucumber and Behavior Driven Development I would not be driving these techniques back into my work at Microsoft. I have always believed that you can learn a great deal but looking at what others are doing in life. Using Git (and GitHub), Cucumber, RSpec, Heroku, OSX, TextMate etc. is a great learning experience.

3. “I bet all the workers at Rolls Royce don’t drive Rollers to the shops!” – I once did some security work at Coca-Cola. Employees were really sensitive (actually they were damn right rude) to anyone seen eating or drinking competitors food. It seemed like such a short sighted view of the world I used to joke “do you think Rolls Royce assembly workers drive a Roller to the shops?”. At work we make sure our sites run just as well on Chrome and FireFox as they do on IE. To do that you drive Chrome and drive FireFox.

4. Getting Away From Work – When you work long hours, sometimes the last thing you want is to get home to your hobby and for it to feel like work. “All work and no play makes Jack a dull boy”.

I don’t feel I need to justify why I am using OSX, a Mac and building Ruby on Rails apps for a hobby but figured I would at least explain for anyone who is interested.
The Medici Effect

Posted: October 20th, 2010, 12:17am CDT by Mark Curphey

Tags: [edit]

I rarely recommend a book before I have finished it but rarely does one come along that captivates me like the Medici Effect.

The Medici Effect is a book after my own heart. It’s all about innovation and how we can develop and advance various disciplines by learning from other seemingly unrelated fields; then apply new principles with a fresh perspective to achieve true advancements and innovation. I have long thought that information security will benefit from this approach. I know some research has been done in the field on various topics but think about the cause and effect of the propagation and control of viruses. In the UK they grow organic watercress and the waste water feeds organic trout ponds from which the fish don’t need any feeding. In France they use flowers to indicate the health of the vines and in many cases ward off specific insects and pests. The propagation and control of disease and plagues, viruses, the study of battle tactics and financial risk management. The list could go on.

You can download a free PDF eBook of the Medici Effect here.

Very inspiring!
Security Best Practices

Posted: October 19th, 2010, 11:47pm CDT by Mark Curphey

Tags: [edit]

Best practice
An idea that has no evidence to support its merits, and that probably doesn’t work, but that you can attribute to someone else when things go horribly, horribly wrong.

Sample Usage: Don’t worry about the noise from that flaky Geiger counter; this plant complies with all best practices.
Counting What Really Counts

Posted: October 19th, 2010, 11:46pm CDT by Mark Curphey

Tags: [edit]

The original article was published in Interface in December 2001.

Scene one. You are picnicking by a river. You notice someone in distress in the water. You jump in and pull the person out. The mayor is nearby and pins a medal on you. You return to your picnic.

A few minutes later you spy a second person in the water. You perform a second rescue and receive a second medal.

A few minutes later, a third person, a third rescue, and a third medal. And so on through the day.

By sunset, you are weighed down with medals and honors. You are a hero. Of course, somewhere in the back of your mind there is a sneaking suspicion that you should have walked upriver to find out why people were falling in all day. Then again, that wouldn’t have earned you as many awards.

Scene two. You are sitting at your computer. You find a bug. Your manager is nearby and pins a “bug-finder” award on you. A few minutes later you find a second bug. And so on.

By the end of the day, you are weighed down with “bug-finder” awards and all your colleagues are congratulating you. You are a hero. If the thought pops up in your mind that maybe you should help prevent those bugs from getting into the system, you squash it. Bug prevention doesn’t win nearly as many awards as bug hunting.

What you measure is what you get

B.F. Skinner told us fifty years ago that rats and people tend to perform those actions for which they are rewarded. It is still true today. In our world, as soon as developers find out that a metric is being used to evaluate them, they strive mightily to improve their performance relative to that metric—even if their actions don’t actually help the project. If your testers find out that you value finding bugs, you will end up with a team of bug-finders. If prevention is not valued, prevention will not be practiced.
S = ƒ ( ___ )

Posted: October 19th, 2010, 11:43pm CDT by Mark Curphey

Tags: [edit]

S = ƒ(°WFF)

Degrees of Warm Fuzzy Feeling

S=f(p,d)+Rn

(Prayer, Denial) + Number of Days till Retirement

S=f(n)

Where n is the number of security guys you know

S=f(1/n)

Where n is the number of security standards documents you have read

S = ƒ(#B*#FCA)

Number of people you can blame multiplied by the number of friends you have that can cover your back-side

S = ƒ(Bu : Br)

Builders : Breakers

Feel free to add your own by way of comments!
Web Application Firewalls – Let’s call a Fig a Fig

Posted: October 19th, 2010, 10:56pm CDT by Mark Curphey

Tags: [edit]
[Originally posted on my securitybuddha blog on 6/11/2007]

I am writing the first draft of the OWASP Web Security Evaluation Criteria this month and need to consider the role of the web application firewall or WAF. I have long been troubled by the marketing surrounding web application firewalls and especially troubled by the PCI DSS’s implicit endorsement of them. They make an assertion that is just plain wrong by implying that a web application firewall is comparable to a code review. You can choose to have either with the PCI DSS. Because of this and the “vendor fest” that has ensued around PCI DSS, I have been expecting mails like this one on the webappsec mailing list for a while. It is misguided at best.

The view of a respected VC investor given to me in private was this. ‘The market never materialized the way people thought, the enterprise and CSO’s doesn’t like or believe in them; the network teams do but don’t control the applications and when Cisco, Juniper, CheckPoint and anyone else that matters don’t seem to think its important enough to buy one then we are left with a lot of small niche firms and unhappy moneymen. That said the PCI (DSS) may just be the savior everyone is hoping for but most people still seem to think its like putting a plaster over a flesh wound.’

Ivan Ristic, the creator of ModSecurity gave an accurate view of web application firewalls at an OWASP London meeting a few years back. It was a pleasure to listen to such a balanced and articulate view from someone who clearly understands the technology, market space and has a big personal stake in the game. He essentially put forward a view that they can have a place to play in protecting from a specific set of web application security attacks but are nor ever will be a panacea. My view is similar, they could be a useful part of a defense in depth strategy but you need to understand their limitations.

Cut through the marketing BS and you will find in general there are two types of WAF; protocol analyzers that operate on HTTP traffic looking for signatures in the data stream and a new breed that additionally operate on the application stack at run-time. The second approach has some clear advantages but still has practical limitations.

If you take a step back and look at the range of web security issues we are facing you can order them into a security frame like the one below.
- Authentication -How users and components authenticate
- Authorization – How authorization decisions are made
- User Management – How are passwords stored, reset etc
- Data Validation -How is data validated to protect from XSS, SQL injection etc
- Data Protection – How is data stored and passed around securely
- Security Monitoring – What is written to logs, how are exceptions handled
- Infrastructure Management – The OS, FW etc
- Configuration Management – CAS, JRE etc
I am not going to cast everyone with the same brush but in general what I see is that what much of the WAF marketing assumes is that the attack vector for all attacks come in the front door and that a web application is likely a single or small cluster of hosts.

Here is a dose of reality. An enterprise web site usually look like this.

<image here>

A single checkpoint security pattern (see Yoder) will not give you a high level of assurance. Ignoring the vast range of attack patterns, attack vectors and the reality of modern architectures (I have not even touched on the implications of SOA and REST here) would leave business with a false sense of security.

In the OWASP Web Security Certification Criteria we will be calling a “fig a fig”. A WAF can have a place to play in protecting from a specific set of web application security attacks but are nor ever will be a panacea.

Side-story: I had dinner a few weeks back with a guy from a well known code review tools company. Actually he invited me for dinner and then his credit card was rejected so I ended up reaching into my pocket which was a fitting end to a disappointing dinner. He stated blatantly with a smug smile (para-phrasing as I can’t remember the exact words) ‘we think PCI is fantastic, we have both a web application firewall and code review tools so either way we get to make a sale’. I lost all respect I had for that company that night. I thought they had a pedigree and could be trusted in the software security space.
The Long Tail of Information Security (Part 2)

Posted: October 19th, 2010, 10:54pm CDT by Mark Curphey

Tags: [edit]

[Originally posted on my securitybuddha blog on 8/05/2007]

My last post The Long Tail of Information Security (Part 1) described why I think information security exhibits Long Tail economic characteristics, outlined the three forces of long tail markets and discussed the first, democratization of tools for production. The intent is to provide an insight into what the future of information security may look like. Part 2 discussed the Democratization of Tools for Distribution and The Connection of Supply and Demand.

Democratization of Tools for Distribution

We all know there is no shortage of security information on offer. Mailing lists, BBS’s, blogs, community sites and professionally authored content is abound. There is also no shortage of technology with open source and commercial tools competing for security dollars produced by professional teams and hobbyists alike. In today’s economy the distribution of information is key. Making information relevant is a primary objective and one of the key forces behind the success of Google, iTunes and Amazon. This is especially true in a world where the blur between what was traditionally called professionally authored and amateur created content is not clear.

For a long time I have been dropping reading articles in the like of eWeek. Why? The press generally writes articles so they can sell more advertising. Bloggers generally write articles so people will read them. That is a subtle but important difference. If I read an article in the press chances are there is commentary from an “industry insider”. Usually these are people who tell the reporter what they want to hear and almost always they aren’t people that I want to hear the opinions of. Blogging allows people to filter their views to the people they trust.

This trend is of course prevalent throughout the new economy and will become more and more important to information security. A practitioner at the heart of the industry is better at reporting (more knowledgeable and more in tune) than an observer.

The Connection of Supply and Demand

Perhaps the biggest changes we will be in how “security next.o” connects people, process and technology. Search, ontology (information architecture) and communities will all play important roles.

In 2000 I started the Open Web Application Security Project OWASP. Today it has half a million page views a month and several thousand people meet up all over the world every month to exchange ideas. This “crowd sourcing” will play a big part in the future of information security. The advice from the Long Tail is that people will tell you what they like and don’t like. Don’t predict, measure and respond.

Of course recommendations, reviews and ranking are key components of what is called the reputation economy. These filters help people find things and present them in a contextually useful way. Today few information security tools attempt to provide contextually useful information. What we will likely see emerge are tools that combine these techniques. A code review tool that finds a potentially vulnerability may match it to crowd-sourced advice which is itself ranked by the crowd and then provides contextual information like “50% of people who found this vulnerability also had Y vulnerability”. Filters like ratings and ranking will help connect the mass supply of information with the demand.

Long tail markets rarely are bound by geography and perhaps the biggest changes may come when someone finds a low cost distribution method for services. Today when you call a 1800 number you may well find yourself talking to a call center in Bangalore. In the future low cost distribution and technologies that connect supply and demand may automatically route the IDS alert of the vulnerability alert may be automatically routed half way across the world to an analyst based on cost, speed or quality. A system may process a code vulnerability and determine that Heinz in Germany is the highest ranked user in the world for providing code workaround for esoteric issues in .NEt 6.5 code.

These two posts have been somewhat thrown together. My apologies. I simply don’t have the time at present to organize my thoughts. They also only touch upon what the future may bring. Long Tail economics has gripped me for a few weeks and I wholeheartedly recommend you read the book. I think it has compelling theories and may have a significant impact on the future of the information security industry.

Again don’t forget to link to these posts to create a long tail!
The Long Tail of Information Security (Part 1)

Posted: October 19th, 2010, 10:54pm CDT by Mark Curphey

Tags: [edit]

[Originally posted on my securitybuddha blog on 8/04/2007]
I have just finished reading the Long Tail by Chris Anderson (editor of Wired). It is brilliant and the best book I have read in several years. Its in the same class as Freakonomics and The Tipping Point. I highly recommend anyone who reads my blog reads the Long Tail if they haven’t already done so. I think it is extremely important when its theories are considered along-side the information security industry. It presents an insight into opportunities for the future, product strategies and opportunities and even presents a glimpse of what the future itself will look like.

In this post I am not going to summarize the theory beyond an amount needed to explain the context to information security. There are many sites that provide good summaries including Chris Andersons own blog The Long Tail, Wikipedia’s Page, and the original article that appeared in Wired. I want to instead highlight some of the books key points and suggest ways they may explain or influence information security trends.

The Long Tail theory suggests that a distribution curve for products and services looks like the image to the left. It shows there is actually a greater total demand for products and services considered to be niches and not main stream (the yellow)that hits (the red). This explains iTunes, blogging, YouTube, social networking and many other Internet economy trends. Again I recommend reading the book cover to cover.

I fundamentally believe information security is a long tail market. Three facts support this statement;

- every business has multiple processes

- processes that are similar in name between business are actually highly customized (i.e no two businesses are the same)

- there is a large number of processes unique to small clusters of users

One focus of the book is the notion that there are three main forces that explain long tail markets, there are;

- Democratization of Tools for Production

- Democratization of Tools for Distribution

- The Connection of Supply and Demand

Part 1 (this part) covers the introduction and Tools for Production and Part 2 covers Distribution and Connecting Supply and Demand.

Democratization of Tools for Production

Like blogging tools have democratized publishing and Garage Band has democratized music production, tools will democratize information security. In fact blogging tools already have a significant affect. Just today I read a blog post from the Matasano Chargen folks about the facts of the Black Hat debates over rootkits which provided a much clearer picture than an article in eWeek quoted a so called security analyst who was claiming they hadn’t done their homework.

Tools differentiate mankind and new types of tools have the power to advance the information security industry significantly. What will they look like? First lets consider the key characteristics of other tools that have have democratized production in long tail markets.

Microchunking is a term used where products are designed to be delivered to the user in the way the user wants them. The book uses the example of music that used to be delivered in CD form only. These days its CD, online, ringtone and re-mixes. Microchunking is at work in security tools today. In tomorrows world users will of course want to be able to run software online or installed but will want to be able to remix. They may want the best scanning engine from vendor “A” combined with the best set of signatures from Vendor “B”.

Customers are looking for “And” not “Or”. An underlying trend for tools is that one size does not fit all. This is a common theme from almost all corporate security people I talk to today. Lets take a hypothetical threat modeling tool. The key to mass appeal will be to support all types of threat modeling methodologies right up to and including the users own. Tools that force a user to do something a very specific way will have a very limited appeal. Plotting geo-data overlaid with vulnerabilities and processed with visualization tools might help us see hotspots in a complex virtual world; “the wood from the trees”. Alexa type tools overlaid with vulnerability information may help us make better risk decisions based on business performance data. In an industry with a notoriously high noise and low signal ratio we will likely see tools that can better produce high signal strength information faster, cheaper and more efficiently than ever before. I have been dreaming up an idea to build a security advice distribution tool that can help analysts process information from the mass sources more efficiently for instance.

What this says is that the key to tools will be platforms. By definition a “platform” is a system that can be reprogrammed and therefore customized by outside developers and users and so it can be adapted to countless needs and niches that the platform’s original developers could not have possibly contemplated, much less had time to accommodate. A security platform will allow people to build the tools they want to solve the problems they have.

If you link to this blog post you will be creating a Long Tail about Long Tails. Please do! Ironically if you buy the book which you should you will be further creating a best seller or “hit” which is partially what the book is about dispelling!
Why Risk Management is Like Eating Lettuce

Posted: October 19th, 2010, 10:50pm CDT by Mark Curphey

Tags: [edit]

[Originally posted on my securitybuddha blog on 1/30/2008]

On Sundays it’s a British tradition to wake up with a hangover, get a copy of the Sunday Times and watch the morning politics shows on the beeb. This Sunday past was traditional for me. Data breaches and privacy are hot political topics in the UK after the national fiasco overseen by Alistair Darling. I do feel a sarcastic letter coming on “Dear Mr. Darling, your name is such an Irony” but I will leave that for Wine’O'Clock sometime. The last but few national fiascos was this;

Two compact discs containing bank details and addresses of 9.5 million parents and the names, dates of birth and National Insurance numbers of all 15.5 million children in the country went missing after a junior employee of HM Revenue and Customs sent them in the mail, unrecorded and unregistered.

Rumours on the grid are that the doppy bastard forgot to send the disk, lied to his boss to cover his tracks and within days a storm in a tea-cup was well and truly the size of Amy Winehouse’s drug habit. The police are looking for the man in the photo. The MOD then lost records of 600,000 people who were interested in becoming canon fodder in the middle east and now to to pit all the national institution Marks and Spencer’s has fallen victim. For my American friends M&S is where everyones granny buys their knickers and slippers but has always sold fantastic food. The “Gastro Pub Steak and Ale Pie” and the “Goan Prawn Curry” are my current favourites.

All of a sudden experts (pronounced “ex” as in past and “spurt” as in drip) offer an array of advice on the TV about how to secure data and how simple it is to take basic measures. It’s a media frenzy and I plan to keep my head right down for fear the industry will accelerate into FUD Factor 4 and people thing I am part of it.

I am however pleased to say we have may have now turned a corner and data loss may no longer in vogue.

It is being replaced by RISK MANAGEMENT.

Yes it seems the UK tax authority have recommended that thousands of high profile people should not submit their tax returns online. This has caused up roar among some who think everyone should be treated the same. Consumer groups are complaining and security experts I have never heard of are crawling from the woodwork to claim their 15 mins of fame.

It’s bloody common sense. Is basic risk management. People with a higher profile or with more money will be at a greater risk and so appropriate controls should be applied. If that means pulling the plug (it seems extreme but but so be it), get over yourselves. The decision clearly doesn’t mean that Stan the milkman from Wolverhampton shouldn’t be “safe enough”. News Flash: Very few businesses are in business to be secure, they are in business to be secure enough. Few people live to be secure, they want to be secure enough. We are all different. That’s what makes the world go around don’t you know.

This does however bring me to the salacious title of this blog post. It’s hard for anyone to disagree that Risk Management is the holy grail of information security. The challenge has always been and always will be bridging common real life scenarios to security controls via the discipline of risk management. We have all seen or heard about risk assessments that everyone agrees with but are effectively useless academic exercises because the analyst couldn’t tie the findings to consequences and actions.And so to my point, Risk Management is like eating lettuce. Until my wife comes up with a tangible formula such as “eat 5 leaves a day and your blood pressure will improve by 2% and you will loose 2 lbs in 4 weeks” I am happy to acknowledge that lettuce is probably good for you and it makes sense to eat it but I will still continue to pick it out of my sandwiches whenever I find it.

Note: There are some interesting frameworks evolving like FAIR that are attempting to bridge the gap.
More On Checklists

Posted: October 19th, 2010, 10:48pm CDT by Mark Curphey

Tags: [edit]

[Originally posted on my securitybuddha blog on 6/12/2008]

Alex Hutton posted this follow up on my first post about checklists. He is of course spot on. Checklists in my humble opinion can provide a State of Nature, but can’t provide a State of Knowledge or a State of Wisdom (nice phrases). They certainly don’t do computation or analysis but what they do is frame a set of activities you might do in order to consistently obtain the State of Nature; from which you can determine a State of Knowledge and Wisdom. That’s a very important function and in my humble opinion the importance of it is being over looked by the general perception that checklists try to do the analysis work (so the expectation of what a checklist is doing fails) and quite frankly by the crappy checklists most of us have to deal with today. PCI (yeah I know I promised I wouldn’t mention the three letter acronym in public again and let it pass but I just can’t help myself) is a classic example of this. Many of the numbered items are so ambiguous that you can easily pass or fail depending on your intent. I am sure everyone has seen the approval letters floating around on distribution lists signing off instantiations of Foundstones Hacme Apps and OWASP’s Web Goats as secure and PCI compliant for instance.

Lets be clear here. “Passing a checklist doesn’t mean that you don’t have a problem, while failing one is a strong indicator that you do”.

Checklists are about human patterns. When people glance in the rearview mirror when driving a car every few seconds they are more aware of their surroundings and so less likely to have an accident. That’s a fact, period. This is why driving examiners (in the UK) have a checklist to validate that the driver is exhibiting this behaviour. Would you prefer he got back to base and then tried to remember all of the characteristics that he personally thinks exist in a good driver (and guess the ones he forgot to record). Of course not: I hope not any ways! A checklist can capture a set of patterns that are agreed up by a group and allow teams to check against them. They don’t have to be paper or physical but usually are until memorized. Even then if you read enough psychology books you’ll appreciate that people change things in their sub-conscious all the time without letting their conscious memory know, meaning the pattern gets out of sync unless it’s stored outside of the brain and referred to or updated. “Of course I was going to do the lawn today dear, I just ……..”. Neuro Linguistic Programming or NLP is fascinating if you haven’t explored it.

In most cases checklists should be written to allow people to easily make clear and simple observations or follow a specific path with specific outcomes. Checklists don’t have to be traditional word lists. Visual aids are superb. Here is a genuine one from a flight checklist to illustrate that point.

“Before raising the fuselage, check the hydraulic pressure gauge shows green”.

Many pilots have been killed by raising the wheels on their planes as they take off, never to be able to lower them and therefore safely land again.

All I know is this. I have seen thousands of technical security assessment reports from hundreds of security consulting companies. The deviation in what they did and didn’t look for is simply incredible and there is significant room for improvement. We will never codify a set of complete activities into a checklist but I do believe that well written, well designed checklists can play a significant supporting role in improving the base consistency and quality of many security processes in the future.
Checklists Are Not For Dummies, Dummy!

Posted: October 19th, 2010, 10:47pm CDT by Mark Curphey

Tags: [edit]

[Originally posted on my securitybuddha blog on 5/24/2008]

At the OWASP Conference in Belgium this week I had a slide about checklists.

This is the story behind the slide. My boss at Microsoft has a friend who is a pilot. He did his pre-take-off checklist and was cleared to taxi onto the runway by air traffic control. He consulted his checklist one more time which told him to look left and right. He did. A plane was ploughing down the runway at a few hundred miles an hour. The checklist saved his life.

For many years checklists have been used by fighter pilots, A&E surgeons and many other highly evolved disciplines staffed by incredibly intelligent people. It’s beyond me that some people in the security industry seem to be arrogant enough to think they can ignore lessons learned in other industries. I suspect the quality and format of the lists is a big contributing factor but not an excuse.

The Medici Effect is a great related book.
Fitting AA Cells – An Accepted UX That is Just Mad

Posted: October 17th, 2010, 10:37pm CDT by Mark Curphey

Tags: [edit]

One of the most ridiculous user experiences in the world today is fitting AA cells into a household device. If you have ever tried (and if you are reading this blog then I would estimate that there is a 99.99999% chance you have) then why on earth would designers think people want to grapple with which way up cells go? Why would designers want to torture people who can’t remember if the flat end is the +ve or the -ve? Changing the wiring in a device so all cells line up the same way is trivial. Industrial designers should know and should do better.
Great Business Models

Posted: October 17th, 2010, 1:26pm CDT by Mark Curphey

Tags: [edit]

About a month ago I got to spend a superb day with my nine year old son and his Scout troop white-water rafting down the Tieton River in the Eastern Cascades. Each year they let out billions of gallons of water from a reservoir at the head of the river and thrill seekers get to ride it down. Half way down the three hour trip we all spotted a girl sat on the bank waving at us with a camera and a big lens. The first thing that enters your mind is “Why is she waving at us and why does she want to take our photo?”. The next thing you know you are hitting a rapid and hanging on for dear life and forget the girl in an instant.

Of course it’s at that very moment that the girl on the bank snaps the best action shot of the day and when you get your breath back you know someone just captured it on camera. What a business model! Put yourself at a place where people are having an amazing time, in a position where you get a better view of the action that even they do and deliver a service that costs virtually zero to produce that they couldn’t deliver themselves but will pay good money for.

There must be many other business opportunities like this just waiting to be exploited. It’s genius!

BTW That’s me at the front left corner of the boat!
What Would You Include in the The Internet Operating System?

Posted: September 7th, 2010, 9:09pm CDT by Mark Curphey

Tags: [edit]

I have an interesting personal project brewing looking at ways to build better community software and am exploring emerging thinking about the next generation of web applications. Tim O’Reilly wrote a seminal blog (part one and part two) describing the Internet as THE new operating system. In the post he uses the analogy of traditional operating systems like Windows or Unix and the computing services they provide (file storage, networking, user management etc.) and then describes the Internet as an Operating System providing information services to distributed applications. There are some obvious fundamental differences in thinking about building scalable applications on the Internet Operating System such as binding together distributed services. There are also a number of less obvious but fundamentally important things to consider such as the fact that there will be many choices for common services such as authentication (Google, Yahoo, LinkedIn, Twitter, FaceBook Connect etc.) and smart application designers will need to adopt new architectural and functional models that provide the user with their preferred choice and not just one option as is the norm with traditional operating systems.

As I have started to think about the model I started to capture the potential services you could consume in a diagram (below). Its a first pass that I plan to update. The simple rule I am operating under is that to be considered a service there should be a published API in which to connect.

What else would you include?

My Security Planet » Items by Mark Curphey

Feeds

Items by Mark Curphey

Posted: March 12th, 2011, 12:44am CST by Mark Curphey

Tags: [edit]

Posted: March 2nd, 2011, 12:22am CST by Mark Curphey

Tags: [edit]

Posted: February 28th, 2011, 10:01pm CST by Mark Curphey

Tags: [edit]

Posted: February 23rd, 2011, 5:31pm CST by Mark Curphey

Tags: [edit]

Posted: February 19th, 2011, 3:50pm CST by Mark Curphey

Tags: [edit]

Posted: January 25th, 2011, 7:56pm CST by Mark Curphey

Tags: [edit]

Posted: January 24th, 2011, 6:17pm CST by Mark Curphey

Tags: [edit]

Posted: January 21st, 2011, 11:46am CST by Mark Curphey

Tags: [edit]

Posted: January 19th, 2011, 11:20pm CST by Mark Curphey

Tags: [edit]

Posted: January 19th, 2011, 1:12am CST by Mark Curphey

Tags: [edit]

Posted: January 18th, 2011, 8:09pm CST by Mark Curphey

Tags: [edit]

Posted: January 18th, 2011, 8:02pm CST by Mark Curphey

Tags: [edit]

Posted: January 18th, 2011, 7:51pm CST by Mark Curphey

Tags: [edit]

Posted: January 17th, 2011, 2:56am CST by Mark Curphey

Tags: [edit]

Posted: January 15th, 2011, 10:26pm CST by Mark Curphey

Tags: [edit]

Posted: January 15th, 2011, 5:56pm CST by Mark Curphey

Tags: [edit]

Posted: January 14th, 2011, 10:34pm CST by Mark Curphey

Tags: [edit]

Posted: January 13th, 2011, 10:15pm CST by Mark Curphey

Tags: [edit]

Posted: January 13th, 2011, 10:05pm CST by Mark Curphey

Tags: [edit]

Posted: January 11th, 2011, 10:50pm CST by Mark Curphey

Tags: [edit]

Posted: January 11th, 2011, 12:43am CST by Mark Curphey

Tags: [edit]

Posted: January 10th, 2011, 8:49pm CST by Mark Curphey

Tags: [edit]

Posted: January 8th, 2011, 10:51pm CST by Mark Curphey

Tags: [edit]

Posted: January 8th, 2011, 6:40pm CST by Mark Curphey

Tags: [edit]

Posted: January 6th, 2011, 10:51pm CST by Mark Curphey

Tags: [edit]

Posted: January 5th, 2011, 9:24pm CST by Mark Curphey

Tags: [edit]

Posted: January 4th, 2011, 10:47pm CST by Mark Curphey

Tags: [edit]

Posted: January 3rd, 2011, 11:16pm CST by Mark Curphey

Tags: [edit]

Posted: January 2nd, 2011, 11:38pm CST by Mark Curphey

Tags: [edit]

Posted: January 2nd, 2011, 1:28am CST by Mark Curphey

Tags: [edit]

Posted: January 2nd, 2011, 1:15am CST by Mark Curphey

Tags: [edit]

Posted: December 31st, 2010, 7:54pm CST by Mark Curphey

Tags: [edit]

Posted: December 31st, 2010, 12:33am CST by Mark Curphey

Tags: [edit]

Posted: December 28th, 2010, 6:21pm CST by Mark Curphey

Tags: [edit]

Posted: October 27th, 2010, 11:56pm CDT by Mark Curphey

Tags: [edit]

Posted: October 21st, 2010, 1:36am CDT by Mark Curphey

Tags: [edit]

Posted: October 20th, 2010, 11:09pm CDT by Mark Curphey

Tags: [edit]

Posted: October 20th, 2010, 12:17am CDT by Mark Curphey

Tags: [edit]

Posted: October 19th, 2010, 11:47pm CDT by Mark Curphey