When you blog a link to poetry:

[The man watching] is a poem by Rainer Maria Rilke, that i picked up from a talk by Tim Oreilly during his [recent talk] where he chided the audience for focusing on trivial banalities while leaving bigger problems un challenged. A subsequent speaker picked up the theme, and likened it to abandoning NASA to work on DisneyLand.

I think the sentiment is grand, and the poem is inspiring.. and in particular the following lines, are probably going to keep me up nights for a while:

What we choose to fight is so tiny! What fights us is so great!

When we win it's with small things, and the triumph itself makes us small.

Winning does not tempt that man. This is how he grows: by being defeated, decisively, by constantly greater beings.

/mh

EC2 is now out of beta, and supports windows based ANI's. [Big Day for EC2]

EC2 blows my mind, and from a bazillion miles away, i was truly surprised the Amazon got the jump on Google/MSFT/Apple/* with their offerings..

/mh

PS. how i managed to write on this as opposed to the [Stack based, pre-auth, wormable windows RPC overflow is anyones guess]

PPS. Actually.. in part its because im miffed. I just wrote a diatribe on how the fact that we werent goign to see another code-red / worm scare anytime soon was going to hurt us (ala aitel.owasp08) and this bug shuts me up for a bit - stay tuned for "is the industry still running on code-red?"

The full videos from the OWASP NYC Conf have been posted.

At least one BlackHat re-run, but some look well worth the watching.. Most people can grab the videos and slide decks [here], SensePost'ers (except for those actually currently living in NY) can grab selected talks locally [here]

Good news to all the blah'ers out there! The BETA version of BiDiBLAH 2 is available for download here. As you probably know, [a real quick and easy] registration is required, and version 2 of BiDiBLAH runs on dotnet framework 2.

./frankieg

Gegroet

just a quick note on VM.

Google is now offering Google Blog Search Beta and I thought it interesting to see who is blogging on vulnerability management.Some of the output includes:

i) "Vulnerability Management" = 6,330 hits

ii) "Vulnerability Management" + Dummies = 314 hits

iii) "Vulnerability Management" + ineffective = 16 hits

iv) "Vulnerability Management" + effective = 314

Probably 90% of all hits came from vendors and it was also evident that they were punting the "successes" of VM, utilising their products and services.

It was also interesting to note how popular the Qualys "Vulnerability Management for Dummies" is, hence my search in that regard: 314 hits. Note corresponding hits for "VM + Effective". What Qualys has done is to punt effective VM without leaning too much towards their own solutions. The reference is however there and without a real contender in this space they obviously have the lead.

For infosec guys that need to kick-start a VM process in their companies there is not a lot to lean on apart from product punts and associated solutions.  It also requires access to research companies such as Gartner and Burton Group to really get solid information - at a price of course. This obviously leaves a gap for people to post or publish really effective and non-partisan VM research and ideas.

Evert.