To the average person, the number of computers in my home is appalling. There are three computers downstairs alone, one for the other members of my family. Then there's my office.

One problem with the downstairs computers is that they all, without exception, have web filtering software on them. I am not under the delusion that they are a substitute for parental oversight--there's a reason the kids' computers are in a public room--but it's nice to have something around to catch most accidental exposures to inappropriate material. Let's face it, when the kids are old enough, if they want to get around the filters, they'll figure out a way.

Meanwhile, I occasionally use the kids' computers. Mostly it's because I like to go downstairs when the kids are trying to go to sleep. It's also nice to have a change of environment. However, the web filters end up creating problems for me when I try to, say, read my RSS feeds and people link to the latest cool video on YouTube. Or I want to check what's happening on Plurk or Twitter. Unfortunately, it means fighting with the web filter.

Now I suppose I could buy a "better" web filter rather than rely on K9 Web Protection from Blue Coat, but I like the filter. It generally works, it's free, does a fairly good job of catching inappropriate or questionable websites, and doesn't try and do everything. It also helps that their CEO used to be in charge of the part of Nokia I worked for many, many moons ago, and I thought he was a nice guy.

The solution: a portable computing environment embedded in a flash drive. I could dual boot the computers, but that creates other problems. The flash drive solution is clean.

Linux is the only feasible OS one can install on a flash drive--at least easily. There are actually a number of different distributions you can install on a USB flash drive, many of which are featured--complete with step-by-step instructions on how to install it--on a site called Pen Drive Linux.

I wasted an evening on trying to get Ubuntu (along with various derivatives) installed on a flash drive, but ran into a problem where the distribution was failing to boot because it was trying to find the non-existent floppy drive on this IBM ThinkPad T43 I am using.

What ended up working the best for me, at least, was Slax. It is based on Slackware Linux, which has been around forever. It was one of the first Linux distributions I started playing with in the mid-1990s. It includes a number of modules, including a relatively recent build of Firefox 2 complete with Adobe Flash integrated. It's not set up the most optimally out of the box--for example, the default user runs as root, which is almost as bad as the default Windows behavior--but with a little bit of hacking, it works just fine without needing to run as root.

I now have my own environment complete with some local storage on an older 1 gigabit flash drive. I can stick it into any computer that is able to boot off of USB, and it should give me access to the Internet and a few other programs. Works pretty well for me.

Creative Commons License photo credit: boredzo

As someone who spends an inordinate amount of time working from home, I always have to know where my SecurID token is. Without it and the six digits it provides, I will pound sand trying to get into the corporate network.

But the SecurID token is lame. Sure, it comes in a number of form factors, but I'd rather not mess with it at all. That being said, as a security person, I think it is a necessary evil.

I was excited when I initially read this article on SMS Text News about using SecurID with something else I need to know the location of at all times--my mobile phone! Clickatell offers a service that sends those 6-digit codes over SMS to your mobile phone when you need to authenticate some place requiring strong authentication. You then provide that number--along with your PIN--to the remote server.

I like this solution because it requires no software to be installed on the phone. It can be problematic when your provider has delays with SMS--happens more often than I care to think about, actually. That being said, it appeals to me greatly.

Every once in a while, the part of Nokia I work for announces new stuff. Today, it's a new piece of gear: the Nokia IP1280. Excuse the marketing speak, but I occasionally like to promote the things my part of Nokia is doing. :)

For some reason, I found the phrase "dealt deep layer enterprise security threats another blow" in the press release announcing the Nokia IP1280 funny. I suppose it does that, since this 2U, quad-core Intel CPU powerhouse can handle 24 ports, up to 14 Gbps of throughput with optional ADP modules, hot-swappable components, and a starting price of $39,995 USD. Yes, the IP1280 runs Check Point VPN-1, as most of the Nokia Appliances do.

As someone who works for the group that supports the Nokia Appliances, I would certainly appreciate it if when your company buys one of these platforms, you'd avail yourself of Nokia's First Call, Final Resolution support. At least that's what the marketing types have been calling it for many moons now.

I will admit to not testing the "forced" upgrade aspect of this, but I did download and install the upgraded iSkoot for my Nokia N95 this morning. While there is some information floating around in the clear, at least in my case, none of it was personally identifiable.

The vast majority of the communication between the iSkoot client and server now uses TCP port 443 and is encrypted with SSL. Visual inspection of the packet traces confirms that it's SSL traffic. No personal information in the clear anymore.

Nice job, iSkoot. Considering I zero-dayed you on a weekend, you did a great job of getting it fixed!
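The visual check described above (is the port 443 payload really SSL, and is anything readable left in the clear?) can be scripted. This is an added example, not code from the original post or from iSkoot; it assumes the TCP payload has already been reassembled and exported from the capture, and the sample bytes are constructed for illustration.

```python
import re
import struct

# SSL/TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # upper bound for a protected record body


def parse_records(payload: bytes):
    """Walk a reassembled TCP payload as a sequence of SSL/TLS records.

    Returns a list of (type_name, (major, minor), length) tuples, or None
    as soon as the bytes stop looking like a well-formed record stream.
    """
    records, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < 5:
            return None  # truncated record header
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        if ctype not in CONTENT_TYPES or major != 3 or minor > 4:
            return None  # not SSL 3.0 / TLS 1.x framing
        if length > MAX_RECORD_LEN or offset + 5 + length > len(payload):
            return None  # impossible length, or body runs past the capture
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        offset += 5 + length
    return records or None


def printable_runs(payload: bytes, min_len: int = 6):
    """Return ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, payload)]


def classify(payload: bytes) -> str:
    """'tls' for a clean record stream, 'cleartext' if readable strings
    are present, otherwise 'unknown'."""
    if parse_records(payload):
        return "tls"
    return "cleartext" if printable_runs(payload) else "unknown"


# Constructed samples (not from a real capture); record layer only.
SAMPLE_TLS = (bytes([22, 3, 1, 0, 4]) + b"\x01\x00\x00\x00"
              + bytes([23, 3, 1, 0, 8]) + bytes.fromhex("9f3ac1e07b22d4a8"))
SAMPLE_CLEAR = b"\x00\x12user=alice@example.test;status=online\x00"
```

A "tls" result only says the framing is SSL/TLS; it says nothing about certificate validation or cipher strength, which need a separate check.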

While it was, admittedly, not very nice of me to hand iSkoot a zero-day exploit publicly, on a weekend no less, there was a note on the iSkoot blog today explaining what happened and giving me credit for finding it. I realized my mistake shortly after I made the story public. And to be honest, I should know better, given that I work for a vendor and actually deal with security issues.

There is an ongoing debate among security researchers on the subject of full disclosure versus responsible disclosure. Now having fully experienced both sides of the issue, I was conflicted over the weekend. Did I do the right thing in disclosing this publicly before talking to iSkoot about it?

On one hand, spreading the information publicly without going to the vendor first gives end users a heads up that they are at risk. On the other hand, the bad guys now know that this problem exists and can start looking for ways to exploit it. But how do we know they didn't already know about this and weren't already using this information for their own personal gain?

On the other hand, had I held onto the information and talked with the vendor first, people wouldn't have panicked unnecessarily and hackers wouldn't have had access to the information needlessly. Of course, then it's possible the time to resolution could have taken longer than it did, putting people's Skype sessions needlessly at risk.

I don't think there's a "right" answer to this, personally, as even minds smarter than me can't agree on this topic. I think everyone involved understood my intentions were good, even though some could argue I should have done this differently. In the future, if I run into another zero-day exploit, I hope to keep this experience in mind.

iSkoot claims they'll have a new version out and pushed to users by Wednesday. Looking forward to seeing it for myself and verifying that I see SSL in those packet traces. ;)