- I enjoyed following the AusCERT conference over the Net – mainly on Twitter. How long before we can attend conferences from all over the world without having to leave home? As raised also by @Kinshasha on Twitter. Just pay for the sessions you want to view from the world’s best conferences and away you go. (I suppose in Australia it would help to have a better network but it could still work). I don’t think it would kill attendances at conferences. In fact, it would open up whole new potentially large revenue streams for the organisers. Only a matter of time I suppose before this becomes standard. While on the subject of AusCERT, photo time! :)

- Craig Balding at cloudsecurity.org with his thoughts on Sun creating a UK cloud security group. You really have to wonder if there is any substance to this once you scratch the surface. Craig raises some valid points.

- The best PCI DSS roundup on the worldwide web for those of you that want the latest news and opinions consolidated into one site. Anton’s commentary as always is interesting: http://chuvakin.blogspot.com/

- Seriously, take some time out and have a look at nodecity. It is a not-for-profit organisation. The video in the link is Donal speaking with the CEO of Deloitte Digital and the Chair of Future Summit 2009. More on what nodecity is all about here.

- Patrick at Risky.Biz has a heap of AusCERT 2009 presentation podcasts plus his usual weekly Risky Business podcast. Check it out.

- A few people have asked how this one is progressing. We’re getting there and thanks for the feedback from everyone – those who posted and the score of emails I got about this.

- Latest updates to the Australian IT Security Blog Directory.

Posted in: news

“It is likely to be re-activated in the future, however no decision has been made on timing” I have been told.

While the intentions were good, as documented here, it never really picked up a critical mass of support from non-government critical infrastructure sectors. According to my sources, attention is now focused on the “CERT within Government” program. Any potential impact to AusCERT from this current “focus”, you have to ask? For most, as long as the annual Gold Coast conference remains, all is good.

Posted in: news

Interesting looking at the latest Crime Insurance Renewal forms I’ve been sent. A hot topic from a discussion perspective a few years ago with regard to being a potential driver of better IT security practices in business, but it fell off the radar somewhat in recent years. I have to ask, has it finally seriously arrived (at least here in Australia)? Has this quietly snuck up on us and is it now about to be the next “PCI DSS”?

Obviously if you had good IT security practice before, PCI DSS compliance wasn’t a pain, and if you’re PCI DSS compliant now, then Crime Insurance requirements won’t be a pain….but if you haven’t got the first and second ones under control, well here’s another concern to add to the list. And, for those of you that were not required to be PCI DSS compliant, you’re now probably going to feel the pain you thought you were lucky to miss out on.

Now this one could be the biggest of the lot. Read on…..


Reposted (post accidental deletion).

On the phone last week to a CIO friend of mine discussing his organisation’s new “critical” business application that ties together much of their business into one, somewhat central entity (ERP if you like, to a degree). He wanted to talk about security testing the “application” before it went live.

I asked the obvious and was told it was due to go into production in 4 weeks. He knew what my response would be, so pre-empted it with: “I know, I know…we should have done more security homework and testing sooner than this, but with the business pushing it, and they ["the business"] not really wanting to listen to concerns about security, but rather focus on deployment deadlines to fit in with business marketing strategy, my hands were tied!”. (Typical, I thought, and no need for further comment from me here, as you know what my thoughts are).

After learning a bit about this application from him, I directed him to this post: “System” view security vs. “Application” view security and suggested he have a read. (He did recall reading it before but I think it didn’t sink in). Read on…


How to get PCI DSS compliance right! This is the most awesome piece of journalism that has hit the Internet for a while. If you are one of the thousands of organisations hit by the burden of becoming PCI compliant, look no further than this article for the hot tip on kicking it. For those that have been through it, I bet you wish you had something like this when you were doing it:

Many thanks to Mike for highlighting this one. :-)

I’ve posted quite a few times on this topic over the years, but things change over time and I don’t think we (the industry) have ever been more fragmented in terms of what we think is right or wrong about this topic. I am really keen to hear what people think, in their opinion, is right and what is wrong about vulnerability disclosure. Please post your thoughts.

Some of us had to work so AusCERT was out of the question this year for me as I mentioned. Well actually, I had made my mind up a long time ago that I wasn’t going to go this year. A personal choice based solely on the fact that while I have a great time at each AusCERT (from a catch-up/networking perspective), I am left feeling a bit flat after the event. I’m not the only one – many people tell me the same but, I also acknowledge that for many, they’re feeling the exact opposite.

The reason I do feel this way post event is that it’s a downer seeing that we’re not progressing much as an industry (in terms of what we’re in this for). You walk out of a great presentation, excited by what you’ve heard, straight into a wall of vendor stalls, most filled with sales people who have little interest in our industry and whose only focus is to flog their products – generally not really caring or knowing themselves much about those products. It’s a case of extremes at events like this and you wonder when things will start to make some headway into actual value and improvements from what we as an industry are trying to accomplish.


A big thank you to all those people who took the time out to post on Twitter during AusCERT 2009. For those of us not there, it was great to hear about the presentations and goings on. Even remote correspondents in Poland were involved and kept the laugh factor at high for most of the time. No updates from Day 3 from Pete and The Knuckle as yet as I believe they are still hiding under their beds from the storms…..Can someone go and knock on their doors to make sure they’re okay.

Twitter: https://twitter.com/#search?q=%23auscert

Posted in: news

Let’s start here: https://twitter.com/DDrazic/status/1852928932

If you’ve been a reader of Beast or Buddha for a while, I’d like to think that you think I am somewhat fair in my assessment of “security” product vendors. I call a spade a shovel where required and I am happy to save my clients’ money vs. snake oil BS.

I look at it this way: if you know I am not talking about you with my comments (i.e. you know you’re good and you know you are supporting our industry), you’re not going to be offended, because you know I am talking about other organisations (that could be your competition) that you yourself know are dodgy!…..And I know this, because you tell me. So….let’s talk about those insecure sales/pre-sales/marketing….hey, why not add some AusCERT vendor stand dudes. Click to read on…..maybe worth a laugh:


Posted in: Dumb Security, WTF

This is what happens when you have guys in the field getting into the spirit of the conference with little regard for deadlines. :) Late or no submissions. At least Pete finally got something to me. No sign of Knuckle as yet and it’s 3:00pm.

Good value following the Twitter updates here. A few interesting posts during last night’s awards also. Some not so happy people with some of the winners, but overall, seemed like a great night for those in attendance:
