Most of the streams in the  NoVA region have healthy populations of Redbreasted Sunfish.  This particular fish was taken from a small urban stream within walking distance (OK, my walking distance) of Tyson’s Corner.

• Sunday Fish Picture
• Friday Flyfish Post
• Falling Springs Branch
• Almost Time to Fish the Potomac
• Friday Flyfish Picture #3

This is an article I wrote last year for The Global Flyfisher.  It’s amazing to fish the Potomac because you are 10 miles away from downtown DC, but you never would know it.

Skip’s Dad

• Friday Flyfishing Post–Trout Bums and Fish Porn
• Rag Worms
• Friday Flyfishing Post–Kiwi Camo
• Almost Time to Fish the Potomac
• Friday Flyfish Post

Maybe it’s just the DC area.  Every good security person I know here is very confrontational.  We just like to argue.  Some days I feel like it’s a slow morning, so I just walk around and stir the pot, knowing that some good conflict will rise to the top.

I think it has to do with the following factoid: security is the conflict between economics, paranoia, and useability.  We have to be able to manage the tradeoffs between these 3 corners of the triangle.  The good people understand the nature of this and realize that sometimes it’s not really a security problem–its a client education problem, it’s an auditor problem, it’s a personality conflict, etc.

So how do we conclude an argument?  Well, I know 2 people right now that when I’m around both of them, we can talk for hours debating the particular merits of one viewpoint or another.  The way we stop the disagreement is to mention risk.  Once we do that, the game is over.  Once I can pin the actual risk (versus the perceived risk, but that’s another story), then there is nothing to talk about anymore–we have rounded the corner on that topic and there isn’t anything else to debate.

• Core Belief #2 — Risk Management Uber Alles
• MREs and Bad News
• You Didn’t Outsource Your Responsibilities
• Another Day, Another Vendor
• Security Assessment Economics

Even if you’re a manager type, you need to watch these so you understand what you’re up against:

Metasploit with db_autopwn video on milw0rm.

Metasploit Framework eXploit Builder video on milw0rm.

• It’s Still not Too Late
• My Inbox This Morning–Metasploit
• Aspen Summit Videos
• Government-Wide Monitoring? ‘Bout Time.
• Do You “Do It” or Do You “Get It”?

Best presentation slides I’ve seen, ever.  It’s been making the rounds, and finally arrived in my inbox.

How to Win the War in Al Anbar. (warning, political content)

This guy understands the problem.  Too bad an IED got him.

• Some Thoughts from a Week or so of Being “Proposal B*tch”
• It’s a Problem of Scale!
• Bacn–It’s Cooked Spam
• Transparency in Government: Just Give us the Data!
• On Government Employees, Culture, and Survivability

With regards to Ian whose idea this is….

If you do a sizeable amount of security/penetration testing, build a “hack bag”.  It’s suspiciously similar to what you would take to a LAN party.  Leave it on your shelf and when you need to go on a top-secret mission, take it along.

Mandatory contents of a hack bag:

• Extension cable and power strip
• SoHo switch/hub (hub is better) and power supply
• Various cat-5 cables (at least one 20-footer or longer)
• Crossover adapter
• Live linux pen-testing CDs (backtrack, knoppix-std, etc)
• USB drive
• Spare notebook and pens
• Multi-pliers

Optional contents:

• Headphones
• MP3 (*cough* ogg) player
• Music CDs
• Blank CDs
• Extra laptop and/or phone power supply
• Digital camera
• Headache pills
• Drinks
• Spare USB cables and/or hub
• Locksmith tools
• Network tap
• Toolkit
• Ethernet tap
• Serial console cable
• Other tools disks

• Internet in the Remote Desert
• NIST and SCAP; SCAP @ Large Part 2
• Backtrack 3 USB Slides
• Digital Forensics: Who should make the keys?
• Hack Disaster Relief