Thanks to Angry Alien Productions for providing links to 30-Second Bunnies Theatre. If you have never watched these collection of movies re-enacted by animated bunnies in 30 seconds, more or less, follow the links. If you enjoy the episodes, support the creative effort by buying the recently released DVD through Amazon.

For geeks, and those who love them, Kreg Steppe and Douglas E. Welch have written a story that you are going to love, “A Geek Christmas Story.” To quote the site, it is the story of “Mattie Stevens, a young boy of the early 80’s, dreams of owning a Commodore 64. He sets out to convince everyone this is the perfect gift. But, along the way runs into opposition from his parents and everyone around him including old Santa Claus”

Take a look at the all star cast of players from the podcasting community:
Narrator: Kreg Steppe – Technorama
Harvey Stevens: Dad – Kevin Devin
Mandy Stevens: Mom – Susie Murph – How to Grow your Geek Podcast
Mattie Stevens: Son – Daniel Devin
Sandy Stevens: Little Brother – Spencer Holden
Curtz Eisenberg: Friend to Mattie – Harrison Steppe
General Beringer: General – Douglas E. Welch
Lieutenant: Steve Holden – Tech News Radio
Mrs. Little: Katie Floyd – Mac Power Users Podcast
Santa’s Helper: Chuck Tomasi – Chuckchat.com
Santa: Larry Pesce – Pauldotcom.com Podcast
Judge: Victor Cajiao – Typical Mac User Podcast – Typical Shutterbug Podcast
Andrew Carnagie: Andy Helsby – Absoblogginlutely!
J.P. Morgan: Grant Bichocco – Mr.Grant.com
UPS Guy: Paul Asadoorian- Pauldotcom.com Podcast
Skipper: Rylie Starcher

Not to leave anyone out, because they have all done such a great job, the show was produced by:

George Starcher – Typical Mac User Podcast
Victor Cajiao – Typical Mac User Podcast - – Typical Shutterbug Podcast
Steve Holden – Tech News Radio - Jersey Boys Podcast – AztecMedia.net

The folks at FiT do fantastic, creative, stories around Halloween and Christmas (Server Room of Horrors – Halloween 2005; A Geek Christmas Carol – Christmas 2005; Server Room of Horrors – Halloween 2006; Lucky the Reindeer and the Island of Misfit Geeks – Christmas 2006; It’s the Great Server Chuck and Kreg! – Halloween 2007). Take the time to listen to this year’s Christmas story. You won’t be disappointed.

The Pragmatic Programmers

This podcast is good for people doing development work in IT. While not all topics will be of interest, that is the nice thing about podcasts. You can always listen to the beginning of the podcast and skip those that do not grab your interest. The podcast focus is on the books the publisher produces and will feature interviews with the authors. A great podcast that would be of interest to most anyone (verses the podcast where the author’s book is on a specific language or platform) is Andy Hunt on Pragmatic Wetware. Andy discusses the Dreyfus model of skill acquisition, lateral specialization in the brain, mindmaps and more. It is a fascinating discussion.

CERT’s Podcast Series

This is a podcast I highly recommend to security professional. The speaker’s focus tends to be at the the enterprise level and offer good security discussions at that level. Nowadays, it is so important to not only speak tech, but also business. This is especially true when it comes to security. The security professional has to be able to step away from the details and discuss implementation at an organizational, and sometimes international, level. One of the recent podcasts is “Getting to a Useful Set of Security Metrics.” Clint Kreitner, president and CEO of the Center for Internet Security (CIS), talks about the CIS new project. To quote from the summary, Clint “discusses the challenges and opportunities in creating a common set of widely accepted security metrics that business leaders and security professionals can use to make better informed decisions.”

The Silver Bullet Security Podcast

Gary McGraw is well known and respected in the web application security area. Gary serves as host and is able to feature leaders in the security world as guests. For example, Gary has an Interview with Bill Cheswick, who is credited with coining the term “proxy” in 1990 with reference to firewalls. To quote from the description of the podcast, “Gary and Bill discuss whether we’re winning or losing the computer security war, how security threats have evolved from pimply-faced teenagers to organized crime, whether we should move security into ‘the cloud,’ and whether re-naming ‘Christmas lights’ to ’solstice lights’ would bypass NJ holiday decoration ordinances.”

Enterprise Leadership

I often find myself surprised by this show, because normally “enterprise leadership” is not a phrase that sparks much interest in me. Now I know, it is important that security people learn to talk to business leaders. Otherwise, you end up with non-technical managers setting themselves up as the translator for IT. Frequently, IT loses when that happens. This show frequently turns out to be very pertinent to the security professional. I will warn you, the show can be somewhat depressing. It may just reveal how badly your organization is being managed, even from the business side. Tom Parish does a great job interviewing top guns from across many industries.

A really good podcast to start with is the more recent interview with Warren Bennis. Warren is the author of “Transparency: How Leaders Create a Culture of Candor“. He is also Distinguished Professor of Business Administration at the University of Southern California. What I particularly liked is Warren stressing the importance of the people within the organization. He even uses the phrase, “1 plus 1 equals 3.” The idea is that together we can produce more than what we can do by ourselves. The show addresses the implementation of social networking, not for the sake of the “neatness factor” but to serve a purpose and benefit the company.

Here is a brief description: “Together Bennis, Goleman, and O’Toole explore why the containment of truth is the dearest held value of far too many organizations and suggest practical ways that organizations, their leaders, their members, and their boards can achieve openness. After years of dedicating themselves to research and theory, at first separately, and now jointly, these three leadership giants reveal the multifaceted importance of candor and show what promotes transparency and what hinders it. They describe how leaders often stymie the flow of information and the structural impediments that keep information from getting where it needs to go. This vital resource is written for any organization–business, government, and nonprofit–that must achieve a culture of candor, truth, and transparency.”

Also, the interview with Toby Redshaw, Global CIO of Avia Group, was very good. Initially I thought, “another ROI” discussion. What interested me was Toby’s discussing his role to make sure IT operates at the right pace, with the right resources, and with the right talent. Nice to hear people matter. To quote the episode’s description, “In this podcast, Toby Redshaw, the global CIO of the Aviva Group, talks about three areas that IT needs to improve: keeping an eye on the bottom line, trying to innovate ahead of competitors, and keeping the current talent base engaged and focused on the company’s goals.” The point is, it is not just about innovation.

IT Conversations

There are some really good podcasts posted under IT Conversations. I’ll confess, I end up skipping many of the podcasts because of limited time. If I made the time to listen to all of these podcasts, I have a feeling that I would a better IT professional. We do what we can. Let me point out some recent podcasts.

Jimmy Wales, creator of Wikipedia, talks at O’Reilly Media Open Source Conference. The podcast just brings up the idea of making things open source verses security through obscurity. It got me thinking about the heavy use of automation in security verses including people. Jimmy uses the example of wanting to open a restaurant. First step, we need to design the new restaurant. One thing we decide is to serve steak. In order to eat steak, we will need to give people knives. We know people sometimes stab others with knives. So, do we design the restaurant where each patron is put into a cage to prevent them from stabbing or being stabbed? Think of it this way, the cage idea is putting security at the end of the process, where you may only have bad possible choices. Now if security is designed into the process, better solutions are likely to be available. Wikipedia is possible because it was designed so changes could be rolled back. Sometimes to operate, there will be some acceptable risks. Before deciding what is an acceptable risk, you have to be aware of what those risks are and what possible solutions exist. Wikipedia is also designed with the idea of including people to make the product better. How might security utilize this philosophy?

Nat Torkington talks at OSCON is a very humorous talk. To quote IT Conversations, “Using black humor and irony to convey a noble idea, Nathan Torkington, the chair of OSCON, lightens up the mood, frequently throwing his audience into fits of laughter, as he hurriedly wraps up three key messages into the time allotted for one.” His talks is for just thirteen minutes. I wish I could of seen the slides. Still very funny. Listen to it for pure enjoyment.

Speaking of Security

This is done by RSA. Normally, I don’t care for vendor produced podcasts. RSA cover good security practices in a short, to the point, podcast. I like listening to these podcasts to help organize in my mind security topics as selling points to business managers. In the podcast I listened to today, Rod Nelsestuen from the TowerGroup talked about business continuity. Of importance to me is that he ties in security and risk management to the evolution of business continuity planning. It is a simple idea, but have you run into a business person who just doesn’t get IT security? You have to learn how to relate security to something they do understand and cannot dismiss.

FLOSS Weekly

Randal Schwartz is one of the people on IT I like to keep an eye on. Outside of his focus on open source solution, Randal has a keen instinct for interesting and useful IT technology. Plus, like Leo Laporte, he is a genuinely nice guy. Since I could not decide on just one episode, below are a few of the recent podcast topics I found particularly interesting. If you do any open source development, you need to listen to FLOSS Weekly.

The interview with John Roberts, CEO of SugarCRM is a great introduction to this open source customer relationship management (CRM) software. To quote from the SugarCRM website, “Sugar easily adapts to any business environment by offering a more flexible, cost-effective alternative than proprietary applications. SugarCRM’s open source architecture allows companies to more easily customize and integrate customer-facing business processes in order to build and maintain more profitable relationships. SugarCRM offers several deployment options, including on-demand, on-premise and appliance-based solutions to suit customers’ security, integration and configuration needs.”

In the interview with Jacob Kaplan-Moss on Django, they discusses this Python-based Web framework that “encourages rapid development and clean, pragmatic design.” Leslie Hawthorn from the Google Open Source Blog wrote this concerning Django, “We love Django, making use of it extensively in products like Google App Engine, so it was a pleasure and privilege to give back to this community.” Randal and Leo on a later podcast interviewed Jeff Robbins on Lullabot and Drupal. Lullabot is a consulting company specializing in Drupal. They also produce a weekly podcast focused on Drupal and building web sites.

Finally, check out the interview with Brian Aker of Drizzle, a lightweight fork of the MySQL database. To quote the Drizzle site, “the Drizzle project is building a database optimized for Cloud and Net applications. It is being designed for massive concurrency on modern multi-cpu/core architecture.”

Network Security Podcast

This is a podcast for security professionals. I started listening to this podcast when Martin McKeay flew solo. He did a great job. When Martin added Rich Mogull, the podcast got even better. The podcast consist of Martin and Rich discussing major news and topics in security. Frequently they will be joined by major players in the security field. Martin and Rich will also do special podcasts from security conferences. They went to Black Hat and Defcon, so I didn’t have to. My travel budget appreciates it. These guys do great straight security. With their different backgrounds, they really compliment each other.

Red Monk Podcast

Red Monk is like FLOSS, but with a whole gang of Randall Schwartzes. The co-hosts are Michael Cote and John Willis, who are joined by special guests. Sometimes I have no clue what they are talking about. That is a good thing. You get exposed to a bunch of topics from a bunch of people. For example, in their most recent podcast “Jane Curry Evaluates Nagios, OpenNMS, and Zenoss,” they discuss Jane’s paper. This is a 148 page draft paper titled “Open Source Management Options.” The podcasts also contain discussions of news and topics affecting IT professionals. Their podcasts tend to go over an hour, but are filled with content. Listen to the podcasts when you have some time to concentrate on what they are discussing. You will learn a great deal.

This WEEK in LAW (TWiL)

There might be something seriously wrong with me. I love to listen to lawyers talk. They are fascinating. Lawyers use the English language like IT folks will use computer languages. They will dissect points like the best debuggers I have ever met. While TWiL does not come out regularly, it is a true treat when it does. If you do not share my fascinating with lawyers, TWiL still will cover very relevant IT topics that should be of interest to anyone in the IT field. For example, check out the episode “Cloud Computing And EULA Law.” The podcast does tend to go longer than an hour, but cover a great deal of ground. It is so very important to be exposed to the laws that are affecting topics of importance to the IT world. The really great thing is, you get to listen to lawyers and it costs you nothing. Still, do consider donating to the folks who create these great podcasts.

Grammar Girl

While this podcast is not security, IT, or even business focused, it could prove most beneficial for anyone in the IT field. I grew up in New Jersey and I got into computers at the age of twelve. Those are two strikes against me when it comes to grammar. I am thankful for the tips that Grammar Girl provides. Disclaimer: if you find grammar mistakes on this site, which I am sure you will, just imagine how bad it would be if I never started listening to this podcast. You may also want to check out “the Public Speaker” podcast. Both podcasts are short, lasting less than ten minutes. That makes them easy to listen to while going about your day.

Parting Words

If you are wondering, “What about …”, take it easy. No insult was intended to your favorite podcast. This is not a “Top 10″ list. A friend asked me to recommend some security podcasts. This post is meant to discuss some of the great content that is out there. Since security should be integrated into the organization, I included some business and IT focused podcasts. Hopefully a few of these podcasts are new to you. Being told what you already know, while possibly providing some ego boosting, does not expand your horizons. That is the danger of group think. Break free! The power of podcasts are that they can introduce you to people who are in different positions, organizations, sectors of the industry, and even different fields.

One of my favorite stories of Abraham Lincoln involved the McCormick-Manny case of 1855, which I included in my post, “Herding Cats.” Since I enjoy the story so much, I am going to share it again. W. M. Dickerson, one of the Cincinnati lawyers, wrote, “Mr. Lincoln had prepared himself with the greatest care; his ambition was to speak in the case and measure words with the renowned lawyer from Baltimore. He came with the fond hope for making fame in a forensic contest with Reverdy Johnson. He was pushed aside, humiliated and mortified.” Edwin M. Stanton, the Baltimore lawyer, pretty much told Lincoln that he did not need Lincoln’s help. Stanton did not think well of Lincoln, describing him as “a long, lank creature from Illinois, wearing a dirty linen duster for a coat and the back of which perspiration had splotched wide stains that resembled a map of the continent.”

After the trial, Lincoln told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.”

As you know, Lincoln was to become President of the United States and Stanton would become his Secretary of War. A mutual respect, loyalty, and trust would develop between these two very different men. The moral of the story is to continue to strive to improve and always remember that the greatest service is done by that which challenges us.

I spent the past weekend traveling. When I travel, I listen to podcasts. Traveling is my time to catch up on some great content. I’ll post more on that later. I wanted to draw attention to FLOSS Weekly Episode #26 interview with D. Richard Hipp, creator and lead developer of SQLite. Randal Schwartz and Leo Laporte always do a great job with these interviews. What is so interesting about SQLite? Take a look at the features:

• Transactions are atomic, consistent, isolated, and durable (ACID) even after system crashes and power failures.
• Zero-configuration – no setup or administration needed.
• Implements most of SQL92. (Features not supported)
• A complete database is stored in a single cross-platform disk file.
• Supports terabyte-sized databases and gigabyte-sized strings and blobs. (See limits.html.)
• Small code footprint: less than 250KiB fully configured or less than 150KiB with optional features omitted.
• Faster than popular client/server database engines for most common operations.
• Simple, easy to use API.
• Written in ANSI-C. TCL bindings included. Bindings for dozens of other languages available separately.
• Well-commented source code with over 99% statement test coverage.
• Available as a single ANSI-C source-code file that you can easily drop into another project.
• Self-contained: no external dependencies.
• Cross-platform: Linux (unix), MacOSX, OS/2, Win32 and WinCE are supported out of the box. Easy to port to other systems.
• Sources are in the public domain. Use for any purpose.
• Comes with a standalone command-line interface (CLI) client that can be used to administer SQLite databases.

Those features should be enough to make one take notice. SQLite is also small, compact, portable, efficient, and serverless. It is designed so it can be plugged directly into programs, scripts, or web applications. This provides programs with a lightweight relational database engine that has no external dependencies.

SQLite is very different from MySQL and PostgreSQL. Yet, frequently developers can end up using a full fledge database when something much smaller and effecient could be used. Unfortunately, there are no current comparisons in performance to MySQL and PostgreSQL. The page off the SQLite site, “Database Speed Comparison” does state that the document “describes a speed comparison between an older version of SQLite against archaic versions of MySQL and PostgreSQL.” Still, at least in the past for some operations, SQLite demonstrated impressive speeds compared to PostgreSQL and MySQL:

• SQLite 2.7.6 is significantly faster (sometimes as much as 10 or 20 times faster) than the default PostgreSQL 7.1.3 installation on RedHat 7.2 for most common operations.
• SQLite 2.7.6 is often faster (sometimes more than twice as fast) than MySQL 3.23.41 for most common operations.

The list of folks using SQLite is impressive: Google Gears, Firefox’s mozStorage, Apple (Safari, Mail, Core Data, Aperture), smf framework in Solaris 10 is using SQLite as its data store, PHP, yum, monotone, AOL email client, Skype, McAfee, along with many additional companies. There are extensions allowing SQLite to be used with languages such as Perl, Python, Ruby, PHP, Java, TCL, .NET, Smalltalk, and many other languages. SQLite compiles and runs on Windows, Linux, Mac OS X, BSD, Solaris, AIX, HP-UX, Symbian, WinCE, VX Works, OS/2, and the NetBSD toaster. SQLite databases are binary compatible, which means they work natively on all systems without any need for conversion. At this point, you are probably beginning to understand why SQLite is so interesting.

Richard has done a talk over at Google TechTalks that provides a good overview of SQLite.

SQLite is made to be easy to setup and use. If the above information has made you somewhat interested, the below instruction on how to setup SQLite should help get you started.

Installation

Each operating system will be somewhat different when it comes to the binary installation. While there will be different filenames, the idea and ease of installation is the same across OSs. For example, there are two files for use under Mac OS X (see the SQLite site for the most recent files):

Installation can be done by using the binaries supplied from the SQLite site. Generally, you do not need to install SQLite on its own. It will either comes installed with the OS or extensions to programming languages will come with SQLite. This is the advantage of being so small. It is easy to include SQLite.

Below is an example of how to install SQLite binaries under Mac OS X. Mac OS X does come with SQLite installed (sqlite3) by default.

root# cd /usr/local/src /usr/local/src root# mkdir SQLite /usr/local/src root# cd SQLite /usr/local/src/SQLite root# wget http://www.sqlite.org/sqlite3-3.5.7-osx-x86.bin.gz /usr/local/src/SQLite root# wget http://www.sqlite.org/sqlite3_analyzer-3.5.4-osx-x86.bin.gz /usr/local/src/SQLite root# gunzip sqlite3-3.5.7-osx-x86.bin.gz /usr/local/src/SQLite root# gunzip sqlite3_analyzer-3.5.4-osx-x86.bin.gz /usr/local/src/SQLite root# chmod u+x sqlite3-3.5.7-osx-x86.bin /usr/local/src/SQLite root# chmod u+x sqlite3_analyzer-3.5.4-osx-x86.bin /usr/local/src/SQLite root# ./sqlite3-3.5.7-osx-x86.bin SQLite version 3.5.7 Enter ".help" for instructions sqlite>

Below are instructions for installation via source code, which would be applicable for non-windows OSs:

root# cd /usr/local/src /usr/local/src root# mkdir SQLite /usr/local/src root# cd SQLite /usr/local/src/SQLite root# wget http://www.sqlite.org/sqlite-amalgamation-3.5.7.tar.gz /usr/local/src/SQLite root# tar xzf sqlite-amalgamation-3.5.7.tar.gz /usr/local/src/SQLite root# cd sqlite-3.5.7 /usr/local/src/SQLite/sqlite-3.5.7 root# ./configure /usr/local/src/SQLite/sqlite-3.5.7 root# make /usr/local/src/SQLite/sqlite-3.5.7 root# make install

SQLite and Perl

To provide an example of how to use SQLite below are instructions on installing and using SQLite with the Perl language. As previously discussed, SQLite can be used with many languages. Perl was chosen in honor of Randal Schwartz. While Randal can probably program in all the languages listed above, many first became aware of Randal through Perl. You will find SQLite is just as easy to install and use with your favorite language.

The SQLite extension for Perl contains its own version of SQLite. There really is no need to compile and install SQLite beforehand. While SQLite is binary compatible, different version of the database may not be compatible. The Perl module DBD::SQLite uses an old SQLite database format. DBD::SQLite::Amalgamation uses the most most recent SQLite database format. If you get the error message “SQL error: file is encrypted or is not a database,” this might be caused by different database versions.

To install DBI and DBD::SQLite::Amalgamation using CPAN:

 root#  perl -MCPAN -e shell
   cpan> install DBI
   cpan> install DBD::SQLite::Amalgamation

To install DBI and DBD::SQLite::Amalgamation using source code.

root# cd /usr/local/src /usr/local/src root# mkdir perl /usr/local/src root# cd perl /usr/local/src/perl root# wget http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-1.604.tar.gz /usr/local/src/perl root# wget \ http://search.cpan.org/CPAN/authors/id/A/AU/AUDREYT/DBD-SQLite-Amalgamation-3.5.6.tar.gz /usr/local/src/perl root# tar xzf DBI-1.604.tar.gz /usr/local/src/perl root# tar xzf DBD-SQLite-Amalgamation-3.5.7.tar.gz /usr/local/src/perl root# cd DBI-1.604 /usr/local/src/perl/DBI-1.604 root# perl Makefile.PL /usr/local/src/perl/DBI-1.604 root# make /usr/local/src/perl/DBI-1.604 root# make test /usr/local/src/perl/DBI-1.604 root# make install /usr/local/src/perl/DBI-1.604 root# cd ../DBD-SQLite-Amalgamation-3.5.7 /usr/local/src/perl/DBD-SQLite-Amalgamation-3.5.7 root# perl Makefile.PL /usr/local/src/perl/DBD-SQLite-Amalgamation-3.5.7 root# make /usr/local/src/perl/DBD-SQLite-Amalgamation-3.5.7 root# make test /usr/local/src/perl/DBD-SQLite-Amalgamation-3.5.7 root# make install

Create Database

To create a database sample.db, issue the commands:

 root# cd /usr/local/code
 /usr/local/code root# /usr/local/bin/sqlite3 sample.db
SQLite version 3.5.7
Enter ".help" for instructions
sqlite> .quit

Create Table

Creating the table “event” can be done via the command line:

 /usr/local/code root# /usr/local/bin/sqlite3 sample.db "create table event (id INTEGER
                  PRIMARY KEY,odate DATE, description TEXT);"

Inserting Data Into the Table

To insert data into the table via command line:

 /usr/local/code root# /usr/local/bin/sqlite3 sample.db "insert into event (id, odate, description)
       values (1,'2008-04-03 17:59:26','Created entry into SQLite event table.');"

Retrieve the Data From the Table

To retrieve the information via command line:

 /usr/local/code root# /usr/local/bin/sqlite3 sample.db "select id, odate, description from event;"

Creating Database, Insert Data, Retrieve Records via Perl

Below is a Perl program that will create and enter data using DBI DBD::SQLite:

#!/usr/bin/perl

   use DBI;

   # Connect and create database if it does not already exist
   $dbh = DBI->connect( "dbi:SQLite:data.dbl" ) || die "Cannot connect: $DBI::errstr";

   # Create table
   $dbh->do( "CREATE TABLE authors ( lastname, firstname )" );
   $dbh->do( "CREATE TABLE books ( title, author )" );

   # Insert into tables
   $dbh->do( "INSERT INTO authors VALUES ( 'Conway', 'Damian' ) " );
   $dbh->do( "INSERT INTO authors VALUES ( 'Booch', 'Grady' ) " );
   $dbh->do( "INSERT INTO books VALUES ( 'Object Oriented Perl', 'Conway' ) " );
   $dbh->do( "INSERT INTO books VALUES ( 'Object-Oriented Analysis and Design',
                                             'Booch' ) ");
   $dbh->do( "INSERT INTO books VALUES ( 'Object Solutions', 'Booch' ) " );

   # Display data from tables
   $sth = $dbh->prepare( q( SELECT a.lastname, a.firstname, b.title
                                           FROM books b, authors a
                                           WHERE b.title like '%Orient%'
                                       AND a.lastname = b.author ) );
   $rc = $sth->execute();
   if ($rc) {
     while (my($lastname,$firstname,$title) = $sth->fetchrow_array()) {
        print "Name: $lastname, $firstname\nTitle: $title\n";
     }
   }
   else {
     print "Problem with SELECT statement: SELECT a.lastname, a.firstname, b.title
                FROM books b, authors a WHERE b.title like '%Orient%' AND a.lastname = b.author\n";
   }

   # Disconnect from database.
   $dbh->disconnect;

Please note that there is a know issue between DBI and SQLite where a warning message “closing dbh with active statement handles” might be generated. For now, there is no resolution. The code does work. It is only a warning message involving closing the database. You may want to keep an eye open for future resolution.

Additional Information

Mike Chirico has done a nice tutorial on using SQLite, titled “SQLite Tutorial.” While this posting has used a few examples to demonstrate how to create a database, create a table, insert values into the table, and read values from the table, please view Mike’s tutorial for additional commands and more in-depth explanations.

Mike Owens has written a really good book on SQLite, titled “The Definitive Guide to SQLite.” Mike has also made available his presentation for OSCON titled “Programming with SQLite.” The presentation covers “SQLite’s design, operation, capabilities, and limitations, providing developers with a better idea of how, when, and where to best put it to use in their applications.”

Conclusions

There are many more tools and much information available on SQLite. Firefox even has a add-on, SQLite Manager, that allows you to manage SQLite database on your computer. The truth is, I am not sure where I am going to use SQLite. There are plenty of places where I am now thinking I should be using SQLite. I know that I am glad to have it as a tool that I can use. I hope this introduction has captured your interest. Thanks to Randal Schwartz and Leo Laporte for doing the FLOSS Weekly podcast and making me aware of this valuable tool. A special thanks to D. Richard Hipp and Dan Kennedy for developing such a powerful tool.

The Center for Education and Research in Information Assurance and Security (CERIAS)

CERIAS provides a very informative area for finding information on security. The information can ranges from purely technical issues (e.g., intrusion detection, network security, etc) to ethical, legal, educational, communicational, linguistic, and economic issues, and the subtle interactions and dependencies among them. The research available on the site is centered on eight subject areas:

• Risk Management, Policies, and Laws
• Trusted Social and Human Interactions
• Security Awareness, Education, and Training
• Assurable Software and Architectures
• Enclave and Network Security
• Incident Detection, Response, and Investigation
• Identification, Authentication, and Privacy
• Cryptology and Rights Management

The site offers news, blogs, papers, and podcasts. Of particular interest to me are the podcasts, because mostly they are vidcasts. Here are a few recent postings:

• “What are CSO’s thinking about? Top information security initiatives for 2008 and beyond …” by Anand Singh, Target Corporation
• “Electronic Voting: Danger and Opportunity” by Edward W. Felten
• “Tor: Anonymous communications for government agencies, corporations, journalists… and you” by Paul Syverson & Roger Dingledine
• “Security in a Changing World” by Eric Cole
• “CANDID: Preventing SQL Injection Attacks using Dynamic Candidate Evaluations” by Ventkat Venkatakrishnan
• “Wireless Router Insecurity: The Next Crimeware Epidemic” by Steve Myers
• “Security, Soft Boundaries, and oh-so-subtle Strategies:How to Play Chess While the Board is Disappearing” by Richard Thieme

The research conducted through CERIAS includes faculty from six different colleges and 20+ departments across campus, all being made available for free. CERIAS offers a great opportunity to keep well informed on all security subject areas.

CERT Coordination Center (CERT/CC)

Off the CERT site, you can find the most up-to-date material on security issues. Like CERIAS, information is available in whatever form you prefer (documents, podcasts, video, research tools). In short, it is a fantastic source for security information. I wanted to draw particular attention to the CERT Virtual Training Environment (VTE). It is a resource for information assurance and incident response and computer forensic training. The site contains over 500 hours of material. Some of the VTE material requires membership or affiliates to certain organizations. Still, there is a great deal of video content available for free. VTE “blends classroom instruction with self-paced online training, delivering training courses, anytime access to answers, and hands-on training labs all through the Internet“. Here are a few of the most recent publicly available courses:

• FAA 2008 IT/ISS Conference presentation slides
• IPv4-IPv6 Comparison
• IPv6 Addresses
• Vulnerability Remediation
• Vulnerability Assessment Reporting
• Best Practices for VA Tools
• Vulnerability Assessment Best Practices
• Errors During Vulnerability Analysis
• Vulnerability Analysis
• Vulnerability Assessment Methodology
• Vulnerability Assessment Basics
• DEMO: Hack Calculations

I cannot help by point out that CERT also provides some great podcasts in the areas of governing for enterprise security, measuring security, privacy, risk management and resilience, security education and training, threat, trends and lessons learned, and tips from the trenches: areas of practice. I have posted links off this site on a few of these top notch security podcasts.

The Academy

Andrew Hay, a Canadian security professional and co-author of the upcoming book OSSEC Host-Based Intrusion Detection Guide, recommended I check out the Academy. I am glad he did. Registration is required to view the videos. The site brings together videos from various security sources, such as TippingPoint, SANS, IronPort, OSSEC, Cisco, Insecure, Tenable, Nokia, and FortiNet. The Academy current videos cover the following security subjects:

• Anti-Spam – contributions by IronPort
• Content Filtering – contributions by FortiGate
• DLP – contributions by McAfee DLP
• Firewall – contributions by CheckPoint, Cisco PIX & ASA, Nokia, FortiGate
• IDS/IPS – TippingPoint, OSSEC
• Network Access Control (NAC) – Insecure
• SANS Institute
• VA/Pen Testing – contributions by Nessus, Nmap
• Wireless – FortiGate

Key contributors are Peter Giannoulis, Adam Winnington, Andrew Hay, and Jason Ingram. SANS is sponsoring the site. The academy does request that “if you have an idea for a video please forward it to us or simply make the video yourself and send it through. Contact peter@theacademy.ca for a list of guidelines to follow when creating your contribution. If you believe you have something to say please send in an article submission for posting on the website. Any security related topic will do.” The site has some talented security professionals and a great security organization backing it. To quote Andrew, “The Academy is a user driven community and videos are created at the request of its members. Vendors can also leverage the site to showcase the features and capabilities of their products. The Academy is an ideal place to find and share knowledge with others practicing or interested in the information security field. The Academy is an ideal place to find and share knowledge with others practicing or interested in the information security field.”

Google and the Rest of the Web

Of course, I should point out that SecurityMonks does have a presentation area where slides and videos done by experts in the field are posted. On the LifeHacker site, Wendy Boswell has done a posting “Technophilia: Get a free college education online” in case you are interested in subject matters other than IT security. For each his own, though I can see taking a break now and then. In which case, the University of California, Berkeley has posted a few their classes on Google Video. There are plenty more from various universities. To access, simply type “lecture genre:educational” into the video search box. Google has several genres, if you have a specific interest.

To return to the more geeky side of life, if you are interested in lectures given at the Googleplex, Google have made those available. There are TechTalks, designed to “disseminate a wide spectrum of views on topics ranging from Current Affairs, Science, Engineering, Humanities, Business, Law, Entertainment, Medicine, and the Arts.” Authors@Google is a “speaker series where thought-provoking, Zeitgeist-making, trend-setting authors come to the Googleplex to read from their works and share their thoughts.” You can view those videos on Google Video, or YouTube Talks@Google area. Finally, there are also miscellaneous videos that include marketing videos, recruiting videos, lectures, and more.

To return to the genres of educational security, type into the video search box: “genre:EDUCATIONAL IT security.”

Google, to help folks learn how to use Google Code, has posted some courses under “Google Code for Educators.” There are a few security video lectures:

• “Introduction to Web Security” by Neil Daswani
• “How to Break Web Software” by Mike Andrews
• “What Every Engineer Needs to Know About Security and Where to Learn It” by Neil Daswani

Of course there are many more fine sites. SecurityDistro, started by Spyro contains a tutorial section that has some very good material. Of course there is the SANS Webcasts archive area. I just came across the “Learn Security Online” site that offers free and paid membership levels. Even TechVidSite has video presentations on security topics, if you can navigate through the site. A search on “IT” and “Security”, for example returned over 7k matches, while “metasploit” returned 25. The above information and links are meant only as a starting place. I hope I have managed to stay true to Einstein and provided the conditions in which we may all learn a little more about the world of information security.

Many of the security issues we are beginning to see with Web applications are issues that we have seen in some form with traditional client/server applications. Unlike the Phoenix, the Web application security issues are not rising from the ashes of traditional client/server applications. Client/server security is still very much alive. The Phoenix just provides better imagery then the Hydra, where if you cut the head off the Hydra two came back in its place. In the old days of the Internet (a few years ago), everything was done on the server. When you think about vulnerabilities in ftp, mail, and Web servers, it was the infrastructure groups responsibility for fixing it. Fixes were done by doing such things as setting up firewall rules, patching systems, upgrading server software, etc. With Web 1.0, the intelligence was pretty much on the Web server. Your Web browser would simply talk to your server where the applications resided.

Asynchronous JavaScript and XML (Ajax) changes the traditional model by having the application running on the browser where more of the work is done. The JavaScript engine runs on the browser, talking to the server and third party sources on your behalf. This is not unique to Ajax. Anywhere you have Rich Internet Applications (RIA), there will be this interplay between the server, third party sources, and the client. State information has to be shared between the client and server. Unfortunately, one of the lessons we have learned over the years is that you cannot trust the client. Outside of client side certificates, there really is no way for the server to know who is talking to it.

Shreeraj Shah, the author of Web 2.0 Security – Defending Ajax, RIA and SOA; Web Hacking (Stuart McClure and Saumil Shah co-authors); and Hacking Web Services, did a presentation at the HITB Security Conference titled “Web 2.0 hacking, keeping focus on Ajax and Web Services.” In the presentation, Shreeraj discusses the vectors of change between Web 1.0 and Web 2.0. In Web 1.0, the entry points were structured, there were limited dependencies, the vulnerabilities were on the server side (typically through injections), and there were server side exploitations. In Web 2.0, everything changes. You have scattered and multiple entry points. There are dependencies on multiple technologies, information sources, and protocols. Vulnerabilities can be exploited on Web services through payloads and on the client side through such exploits as XSS and XSRF. Exploits exist for both server and client.

More worrisome is that in many organizations, security remains solely network focused while developers are left untrained and unaware. Up until now, developers have not had to deal seriously with security problems. Add to this changing environment, pressure on developers to meet deadlines and develop code quickly. Some developers main goal is simply getting their application not to crash. It is easy to understand how due to lack of exposure and the need for quick code turn around, developers can fail to put security measures in place sufficient for a Web 2.0 world. Ross Anderson and Tyler Moore add some great insight into the software development environment in their paper, “Information Security Economics – and Beyond.” Ross and Tyler wrote:

In many markets, the attitude of ‘ship it Tuesday and get it right by version 3’ is perfectly rational behaviour. Many software markets have dominant firms thanks to the combination of high fixed and low marginal costs, network externalities and client lock-in noted above, so winning market races is all-important. In such races, competitors must appeal to complementers, such as application developers, for whom security gets in the way; and security tends to be a lemons market anyway. So platform vendors start off with too little security, and such as they provide tends to be designed so that the compliance costs are dumped on the end users. Once a dominant position has been established, the vendor may add more security than is needed, but engineered in such a way as to maximise customer lock-in.

In some cases, security is even worse than a lemons market: even the vendor does not know how secure its software is. So buyers have no reason to pay more for protection, and vendors are disinclined to invest in it.

Another outstanding article is by Sergey Bratus in the July/August 2007 IEEE Security and Privacy magazine titled “What Hackers Learn that the Rest of Us Don’t: Notes on Hacker Curriculum.” Sergey makes the following comparisons between developers in the academic programs to those in the hacking community:

• Developers are under pressue to follow standard solutions, or the path of least resistance to “just making it work.”
• Developers tend to be implicity trained away from exploring underlying APIs because the extra time investment rarely pays off.
• Developers often receive a limited view of the API, with few or hardly any details about its implementation.
• Developers are de facto trained to ignore or avoid infrequent border cases and might not understand their effects.
• Developers might receive explicit directions to ignore specific problems as being in other developers’ domains.
• Developers often lack tools for examining the full state of the system, let alone changing it outside of the limited API.

No one said it was going to be easy. The first step is to recognize that there is a problem. Actually, there are multiple issues to deal with when getting into application security. Just keep reminding yourself, one step at a time. The second step is to reach out and seek help. To help us on our road to security recover, Billy Hoffman and Bryan Sullivan have written the book Ajax Security. Billy has an interview on IT Conversations Technometria titled “Ajax Security” where he talks about Ajax in general and reviews some of the specific security issues most likely to occur. He also gives a number of examples of where security is likely to be a problem.

Richard Bejtlich provided the following very favorable review of “Ajax Security:”

Ajax Security was the last book I read and reviewed in 2007. However, it was the best book I read all year. The book is absolutely compelling and every security professional and Web developer should read it. It’s really as simple as that.

I am not a Web developer. I was not very familiar with Ajax (beyond its buzzword status and a vague notion of functionality) when I started reading Ajax Security. I attended the authors’ Black Hat 2007 talk and was thoroughly impressed and disturbed by the security implications they presented. I expected Ajax Security to be a good book, but one can never be sure if talented hackers and presenters can transfer their skills to the written word. Ajax Security gets the job done.

This is extremely high praise considering Richard’s background and the number of books Richard reviews.

Billy has done some outstanding presentations at Black Hat. In 2006, he presented Ajax (in)security. In 2007, Bryan Sullivan and Billy Hoffman presented “Premature Ajax-ulation“. If video is more to your liking, Bill presented “0wn3d: How AJAX Makes Web Hacking Easier.” In the presentation area of this site, there are a couple very interesting talks on Ajax:

• Why AJAX Applications Are Far More Likely To Be Insecure (And What To Do About It) by Dave Wichers
• Ajax Security by Andrew van der Stock
• Ajax Security Concerns by Rohini Sulatycki
• Hacking Ajax and Web Services: Next Generation Web Attacks on the Rise by Shreeraj Shah

Borrowing from Dave Wicher’s presentation, security issues that need to be dealt with include secure communications, authentication and sessions, access control, data protection, input validation and output encoding, error handling, logging & intrusion detection, availability, and concurrency. Not a simple task. Is Ajax applications less secure then other Web applications? Ajax, in and of itself, is neither secure nor insecure. The OWASP 3.0 Guide chapter on Ajax and “Other” Rich Interface Technologies states, “AJAX applications face exactly the same security issues as all other Web applications, plus they add their own particular set of risks that must be correctly managed. By their complex, bidirectional, and asynchronous nature, AJAX applications increase attack surface area.” Because of the increase attack surface area of Ajax applications, one can argue these applications are less secure. The truth is that other Rich Internet Applications, such as Flash, Java applets, and Active X controls can be just as insecure.

How do you go about securing Ajax applications? Borrowing from Rohini Sulatycki presentation, you need to validate all inputs, all client side validation must be backed up by server side validation, do not implement business logic validation client side, implement whitelist validation, do not trust third party source (filter it out), identify valid data and reject everything else, no direct cross domain call back, and encode all outputs. Do not cripple Web development in the name of security. Instead, organizations need to make sure developers know the security issues. Get security involved on the application side.

Expanding from securing Ajax applications to moving your organizations toward software security and application security, Gary McGraw wrote a nice concise article titled “Four ways to kick off your organization’s software security initiative in the New Year.” Read the article along with everything Gary writes. To summarize the four methods:

• A top-down framework approach…perform a gap analysis between where you are and where you want to be from a software security perspective. Then build a plan to address the gaps….
• The portfolio risk method takes a more business-oriented approach to the software security problem. The idea here is to assess the entire application portfolio according to some risk criteria agreed on in advance. …
• The training first approach to software security is more grounded in the technical world. This approach helps developers who love to do the right thing but just don’t know what the right thing is when it comes to security. …
• The lead with a tool approach, meanwhile, makes sense for an organization that has already purchased and attempted to roll out a security analysis tool….

Gary also does the Silver Bullet Security Podcast, where on broadcast titled “Show 021 – A Panel Discussion with Cigital’s Principals“, the principals at Cigital discuss the best ways for large companies to get started with software security.

Gunnar Peterson is his post titled “Go Wide and Deep, Incrementally” makes the point that the best method for an organizations depends on “what you are trying to do, your company culture, and the people’s skills who are working on software security.” Gunnar suggest a fifth method, “namely decentralized specialized teams, or centers of excellence in PHB speak.” He makes the important point that “to deploy any of the current cutting edge stuff in software security at scale, requires technical depth and deployment width. This automatically limits your resource pool of who can deliver this stuff.”

Gunnar offers additional advice in his post titled “Phasing Security into the SDLC – A Comparison of Approaches.” He suggest four main ways to get started: top down, testing and validation, start in the middle, and training. Gary and Gunnar favor a mix approach of top down and bottom up, “that approach often leads with the creation of a special ops execution team that becomes the software security group. By far, this is the most impressive approach in terms of results and the one that is the most effective in well-run enterprises” (Gary quote). They will not get any arguments from me.

Moving an organization towards an environment where secure code can be produced, let it be Ajax or any RIA, is not an easy endeavor. Like the software development life cycle, an iterative, incremental delivery is the way to go. You do what you can. You work the program, one day at a time. This way, you take the needed steps to a secure recovery.

In the posting, “The Many Faces of Podcasting,” I talked about a few of the security podcasts I find consistently interesting. Podcasts can provide insight into a variety of areas. Budgets and time constraints might keep you from being able to attend training and conferences. Through listening to podcasts, you are given the opportunity to hear leaders from the industry discuss cutting edge technologies and approaches in managing information technology. People are no longer constrained by their location, department’s budgets, or even work sector. A world of opportunity has opened up for those willing to listen.

I started listening to podcasts after meeting with the CIO of Idaho National Laboratory (INL). I went to INL as part of a two man team to help INL’s security folks rework their cyber security program policy (CSPP). The reality is, the CIO wanted to shake things up a little. Show what could be accomplished and light a fire under his people. I learned an interesting lesson. In order to effectively talk to a CIO, you need to learn his language and develop the ability to see things from his point of view. Now you may think the CIO should understand your point of view and be able to talk your language. Let me ask you this, in a miscommunication between yourself and your CIO, who is going to come out on top? My money is on the CIO. Learn to talk his language. It will save you many headaches down the line. Podcasts offer an opportunity to hear about industry trends and find information on all aspects of business. You can even find interviews of CIOs discussing various aspects of their work.

Below are a few of the podcasts I found particularly pertinent this month. There are many interesting podcasts not listed. The below podcasts are listed because they were particularly relevant to issues that I have been dealing with. I am listing the podcasts not as a “best of” but more as an example of the quality podcasts that exist. I am continuously amazed and thankful that there are so many podcasters giving their time so we may learn from, or simply enjoy, their shows.

CERT’S Podcasts: Security for Business Leaders

Resiliency Engineering: Integrating Security, IT Operations, and Business Continuity

This might just be me, but I find security frameworks fascinating. The resiliency framework is no exception. The framework is relatively new allowing it to incorporates the best security practices. Whether you are interested in the framework or not, the areas the framework cover still need to be addressed. I particularly agree that some of the problems facing security management is that security is often viewed as a technical problem resulting in security getting bolted on as an afterthought. Plus, poorly defined and measured goals continues to create problems when talking to business managers. Resiliency engineering is one approach at taking on these issues.

Description: As threats proliferate, organizations have a choice: They can scramble to fix vulnerabilities one by one, or they can increase their overall resilience so that even unexpected threats have less impact on their ability to fulfill their business mission.

It can seem daunting to embark on an enterprise-wide business resiliency project, however.

In this podcast, Lisa Young, a senior member of CERT’s Resiliency Engineering Team, discusses what resiliency engineering means – and how organizations can put it to practical use to resist threats more effectively.

CERT’S PODCASTS: A More Compelling Argument for Information Security

Business Resilience

I am continuously amazed at the professional quality of CERT’s podcast. I have heard some folks say, “I don’t listen to podcasts. Too much chit chat.” CERT’s podcasts are always focused. The very important topic concerning discussing security to business leaders is addressed. At times I have been frustrated at how some business leaders seem incapable of understanding something I see as fundamental. While I understood that I needed to learn to speak in business terms, there is a point where I have questioned what approach and terms I should use. This podcasts addresses those questions.

Description: A language gap often separates information security officers and business leaders. Return on investment is one potential argument for bridging this gap in economic terms, but the numbers can be hard to pin down. Another argument involves business resilience, which is easily understood by both business leaders and information security officers as a vital part of the organization’s ability to fulfill its business mission.

In this podcast, Scott Dynes, a senior research fellow at the Center for Digital Strategies within Dartmouth’s Tuck School of Business, discusses how best to make the argument for business resiliency, why mutual education is key, and why the chances of bridging the communication gap in this way are good.

IT Conversations: Rasmus Lerdorf

PHP on Hormones

Rasmus Lerdorf does a great job of reminding us how difficult good development can be. Not that PHP is hard to program in. To develop in any language, Rasmus demonstrates how good developers can increase efficiency by analyzing what the code is doing and taking such actions as dropping the number of SQL queries called to access a page down. A good developer team also knows about various security attacks and can help make code considerably more secure. I purposely use the phrase “development team” verses developer. It is great if you can do it all. I have met many who think they know it all. Some of the folks have been quite good. I have yet to meet anyone who really knows it all. Rasmus might, though he describes himself as not being a good detailed focused programmer. There lies the strength of a team and some of the development frameworks discussed in other podcasts. If your people can do it all, that is amazing. Have people learn in depth knowledge and then have them interact and share their knowledge. Rasmus provides a great talk on quite a few topics.

Description: In 1993, when Rasmus first saw the Mosaic Web browser, he knew that the Internet would be the platform of choice. But his employer, a Brazilian company, did not pay heed so he quit to return to Canada to do consulting work. During this six-month period, he found himself repetitively writing the same CGI programs in C. To avoid repetition, he collected his library of C programs and added a template parser that parsed HTML and made calls to his C routines. Thus was born the first version of PHP.

Rasmus believes there are four kinds of programmers. First, the pragmatic ones who are just after solving their own problems. The second kind finds programming as a means of self-expression, like an artist finds self-expression in his art-work. The third are the real programmers who enjoy programming for its own sake because it creates a hormone called oxytocin in them, and the fourth are the open source zealots who wish to change the world. He claims to be of the first kind. He programs to solve his problem and then moves on. He confesses that he created PHP purely to serve his own interest, to solve his own set of problems. He made the source publicly available so others could benefit from it. That set the ball rolling. Today, PHP runs a considerable number of some of the largest websites on the planet.

Hear the story of the evolution of PHP from being a purely procedural language to its current state of a full-fledged object oriented language, from its creator Rasmus Lerdorf. In this presentation, Rasmus also talks about the performance of PHP, profiling, security issues and vulnerabilities that websites are prone to, how to tackle them to some extent, and about his love for API. The slides for this session contain code snippets of the old and new PHP versions and also of the Flickr and Yahoo! Maps API examples.

IT Conversations: Bruce Johnson, Google, Inc.

Google Web Toolkit

Vic Gundotra, the new head of Google’s developer programs, recently stated, “In the next year we will make a series of announcements and spend hundreds of millions on innovations and giving them away as open source.” Vic is an interesting fellow. He came to Google from Microsoft, where he spent 15 years. Dan Farber reports that “Google believes that innovation on the Web has been lacking. XML and HTTP Request were innovative technologies in 1998, but it took until April 2004 for an application, Gmail, to really take advantage of them, Gundotra said.”

Vic goes on to say, “Google was born on the Web. Larry and Sergey and the rest of Google built Google on the Web and with open source. They want to give back.” Google open sourced Google Gears. Google Gears Javascript and SQL Lite to provide offline access to their cloud-based application data. Vic characterizes Google Gear as “a milestone for us.”

I am going to make a statement that will not win me any Nostradamus awards. Google is a company to watch. Phil Windley and Scott Lemon do a great job talking with Bruce Johnson. Anyone in the information technology field needs to keep an eye on what is going on with Google. A toolkit that is an “open source Java software development framework that makes writing AJAX applications like Google Maps and Gmail easy for developers who don’t speak browser quirks as a second language” is something worth learning a bit about. Afterwards you are going to want to check it out.

Description: Recently, Google released from beta its Google Web Toolkit. Google Web Toolkit (GWT) is an open source Java software development framework that makes writing AJAX applications like Google Maps and Gmail easy for developers who don’t speak browser quirks as a second language. Phil and Scott talk to Bruce Johnson, one if its co-creators.

GWT lets you avoid many of these headaches while offering your users the same dynamic, standards-compliant experience. You write your front end in the Java programming language, and the GWT compiler converts your Java classes to browser-compliant JavaScript and HTML. Bruce talks about how he got involved with the project. He states that while he has always been in development, he believes that the user interface is tremendously important.

Bruce also gives a number of examples of projects that took advantage of GWT. While the discussion is often technical in nature, Bruce is able to clearly define what GWT can do for developers.

Jon Udell’s Interviews Ned Gulley

MATLAB Programming Contest

Some shows don’t initially grab my interest. I have to confess, I have not been using MATLAB, so I did not have great interest in this podcast. Still, I started listening and found this show surprisingly interesting. The evolution of cooperation between the programmers is fascinating. As Ned talked about the different methodologies tried, it reminded me of genetic algorithms. An enlightening interview.

Description: Ned Gulley is a software designer at The Mathworks and the architect of the company’s semi-annual MATLAB programming contest. Since 1999 he’s watched contestants exhibit a unique blend of competition and cooperation. Winning solutions are woven from the contributions of ten or more players, and go beyond what any individual could normally have accomplished working alone.

To design a game that harnesses collective intellect in this way, Ned Gulley says, you have to frame a problem that appeals to would-be players just as a flower appeals to bees. This notion of “flower design” can guide us, he thinks, as we begin to explore more general uses of online games in educational and work settings.

Jon Udell’s Interviews Dmitri Williams & Jake Vickers

Social Dynamics of Online Games

This was one of those podcasts that I did not think was very applicability to me. Jon Udell always does a good interview, but I avoid online games. They are just too addictive and I know myself well enough to stay clear. I was taking my dog on a long walk, and did not want to listen to anything requiring too much thought, so I let it play. I was very surprised to find the the podcast covering very interesting topics about how we interact with each other. A very interesting topic. Within an organization you have generation gaps. Frequently the leader of an organization might have taken decades to reach his or her position. They surround themselves with an inner circle of advisers that often are similar in age, and frequently point of view, as the leader. The idea of the gaming world bringing together people from different walks of life, economic situations, and age is very interesting. Add the concept of these people having to work together, organize, and accomplish tasks seem to have implications that someone studying team dynamic management will tap into someday.

Description: Dmitri Williams is a 35-year-old academic who studies the social dynamics of online games. He’s also a committed member of a World of Warcraft guild in which George Vickers, a 17-year-old college student, plays a key leadership role.

In this conversation, Dmitri and George reflect on the ways in which leadership and organizational skills can be developed in an online multiplayer game.

Technometria: Scott Lemon, Ben Galbraith

Millennials and Tweens

One has to love a podcast that discusses the new terminology “millennials” and “tweens.” I have been working with computers since I was twelve, and one aspect I have always enjoy about technology is the every changing use of technology. While I am not one to jump on the latest fad, I do find it interesting the reluctance I sometime encounter by folks to change. I expect it from “normal” people, but not the IT crowd. We’re the people that have to keep on top of all this stuff. When there is a better mousetrap that is easier to use, I find it hard to understand why IT people will cling to the old ways. It might be human nature, but so is sleeping and spending time with loved ones. We forgo those luxuries. This shows discusses some of the psychology difference between generations.

Description: This week, the group discusses a variety of topics, including some related to conferences attended by Scott and Ben. Scott reviews two conferences held in conjunction with the Digital Life Conference in September. One dealt with the topic of “Millennials”, people born between 1982 and 2000, while the other involved “Tweens”, children between seven and twelve. Scott talks about how these young people have a completely different attitude towards technology and online activities. They are also being examined closely for clues as to how they relate to advertising. The group assess a couple of websites that are good examples of how young people are being targeted by advertisers.

Ben also reviews his visit to Norway to attend Javazone 2007. He talks about the status of flash-based applications compared to Ajax. The group discusses how the browser has become an old concept and that online applications are now considered part of the total computer experience. Scott also reviews Adobe AIR and how it can be used to build internet desktop applications.

Technometria: Shane Pearson, Marketing and Product Management, BEA

Interacting with Internet Information

Technometria is Phil Windley’s podcast that “tries to make sense of the technology that surrounds us through exploration, analysis, and, hopefully, reason.” Phil is usually joined by Scott Lemon and Ben Galbraith. These guys are good friends and it shows. Back in the 1930’s, there was an informal group of writers that met, called the Inklings. J. R. R. Tolkien and C. S. Lewis were key members. I have often thought how interesting it would have been to listen to these great authors discuss issues. Technometria reminds me of that; good friends, all experts in the IT field, talking about technology. What is not to like? In this show, they talk with Shane Pearson, Marketing and Product Management, BEA about a variety of topics.

Description: In these podcasts you’ll find discussions of Web 2.0, programming and software development, open source, identity, new media, enterprise computing, and many other topics.

The Internet has always been known as a way for individuals to retrieve information. Shane Pearson, VP of Marketing and Product Management for BEA, believes that the Internet is now a place for individuals to interact with information. He also believes that many of these ways can be used by enterprises and businesses to better run their organizations. He joins Phil and Scott to talk about how “people centric” interaction.

Shane gives a number of examples of social interaction tools used by the general public and discusses how these methods can be used in business. He also reviews how government agencies can particularly take advantage of these tools. He assesses how the organizations can adapt the tools for use. He discusses how security is an important part of this process.

He also talks about the upcoming Defrag Conference. A number of the speakers at the conference have appeared on Technometria. The sponsors describe the conference as “a gathering place for the growing community of implementers, users, builders and thinkers that are working on the next wave of software innovation.” Shane’s information clearly shows how the information to be presented at Defrag can be important for the future.

TalkBMC Travels

BMC UserWorld 2007 Vancouver

Ynema Mangum is the executive producer of TalkBMC. I have been a long time listener and fan of the show. BMC’s utilization of podcasts and blogs to demonstrate the capabilities of their consultants has been most impressive. Today, Ynema has posted the following eight short discussions:

• The CMDB Architect’s Kit: Podcast interview with Paul Buffington, senior technical instructor.
• Advanced Asset Management: Podcast interview with Sydney Dent, instructor.
• Growing Your I.T. Intelligence: Podcast interview with Julie Hawkes, senior education consultant.
• ITIL Face-to-Face: Podcast interview with Anthony Orr, global best practices director.
• Business Service Management and the Mainframe: Podcast interview with Nick Pachnos, senior manager for worldwide marketing operations.
• Designing IT Education: Podcast interview with Terry Vyas, director – instructional design and development.
• Customizing IT Education: Podcast interview with Lenny Warren, education assessment consultant.

That gives you a taste of what TalkBMC is about. I don’t see how any business manager would not be interested in checking out these podcasts further. Everyone working in the corporate world should listen to Peter Armstrong discussing business service management. Brilliant job.

Description: It’s your I.T. world. What is happening in it now and what is going to happen next? That’s the theme for BMC UserWorld 2007. In case you missed it, TalkBMC travels to Canada to bring you interviews with IT educators, strategists, industry experts, and consultants about what’s important in your world. This list of audio interviews will be updated frequently, so check back often to see what you’ve missed.

TalkBMC: Mike Lunt

Agile Development

The IT skeptic had an interesting post. Today business is focused on various frameworks. I believe different frameworks can do a great deal of good in helping a business operate better. Still, the IT Skeptic makes a very valid point when he states, “What matters is that we actually pay attention to staff, ask them what they think, get their buy in, fire them up, and run a concerted program to get everyone to understand how things really work and to get everyone on the same page, i.e. we build a new consistent culture.” Agile development is a very intriguing development method. What I find most interesting is that it is a much more employee involved method. Mike Lunt does a great discussing this methodology.

Description: Why is Agile so important and who’s doing it well? Traditional development methodologies like “waterfall” aren’t flexible and don’t allow for changes in features or functions as the software is being developed. Using the Agile approach, developers at can produce enterprise software in half the time, with more flexibility to market needs. But, that’s not all that happens with Agile. Development teams become more productive, costs go down, and quality goes up. Everyone wins with the Agile approach.

FLOSS with Randal Schwartz and Leo Laporte: Jay Shirley, Catalyst evangelist

Catalyst for Perl

Randal Schwartz talks with Jay Shirley about Catalyst for Perl. What is not to love? Leo Laporte is part of the interview, but Leo steps back and allows Randal and Jay really get into discussing Catalyst and frameworks.

Description: Ruby on Rails isn’t the only application framework, or even the best. Catalyst for Perl is an MVC framework that’s being used for Vox, and other big sites.

How WOA Meets Guerilla SOA

BriefingsDirect: Roundtable SOA Insights

Most people have heard the term “must see tv.” Dana Gardner’s BriefingsDirect should be must hear podcasting to all IT business leaders. Back in the 70’s there was a show, Kung Fu, which had flashbacks to a young student training in a Shaolin temple. Master Po, would continuously show the young student, Grasshoper, how much Grasshoper had to learn. There were also other Shaolin monks to teach Grasshopper various lessons. When I listen to BriefingsDirect, I feel like Grasshopper with much to learn from such IT masters as Dana Gardner, principal analyst at Interarbor Solutions; Tony Baer, principal at onStrategies; Jim Kobielus, principal analyst at Current Analysis; and JP Morgenthal, CEO of Avorcor. Different shows will have different IT masters. On this show the IBM Information On Demand 2007 Conference, from this past week, is discussed. There is also a very interesting discussion on the relationship and tension between enterprise-wide SOA and more discrete Web-Oriented Architecture. Like I said, must hear podcasting.

Description: The latest BriefingsDirect SOA Insights Edition, Vol. 26, provides a roundtable discussion and dissection of Services Oriented Architecture (SOA)-related news and events with a panel of IT analysts and experts.

In this episode, our group examines the relationship and tension between enterprise-wide SOA and more discrete Web-Oriented Architecture — what we like to call Guerilla SOA. We also look at the probable acquisition of Business Objects by SAP, and the recent Information On Demand conference from IBM.

Stanford: Center for Internet and Society: Fred von Lohmann

RIAA v. The People: Four Years and Counting

The RIAA is a fascinating association to keep an eye on. The RIAA brings up the classic question of how does a business treat its customers? Following the RIAA, one cannot help but be reminded of Davey and Goliath. BTW, sometimes I will use normal links to such areas as Wikipedia. Generally, I try to find links that might prove a little more interesting. When I use a person’s name, if they have a blog, I will link to that. Jasper Fforde fans should recognize my Goliath link. If you don’t know who Jasper Fforde is, do check him out. From my point of view, wikis should be factual. With blogs, you get to express yourself. That is not only with the words you write but with the links and images you use. Don’t fall into the “Roses are Red” trap of thinking; be expressive.

Anyway, while I might be on a tangent, there is a rhyme and reason to it all, beyond me wanting to sneak a song title into this post (in honor of the RIAA). One can make many comparisons between the Goliath Corporation and the RIAA. The RIAA tale is a story of a well financed organization taking on people who don’t have much. Fred von Lohmann tells some really interesting stories which will get you very angry. Still, there are some time when people need to get angry. While the RIAA has the right to “protect its assets”, for now, to pursue the legal course they have taken is extremely bad business. The only reason the RIAA can pursue their current course of action is because they are forcing people, who do not have the power to fight, to pay the RIAA funds that they then use to force others to pay. Talk about a terrible snowball effect. I grew up in New Jersey. Back there we had a term for folks who operated this kind of business model.

Description: Four years ago, the recording industry inaugurated an unprecedented campaign of lawsuits against individuals who use peer-to-peer (P2P)file sharing networks to share music. Nearly 30,000 lawsuits later, has it worked? If not, what should be done instead? And what have we learned about the mechanics of federal civil litigation against thousands of unrepresented individuals?

Drawing on a recent EFF report summarizing the first four years of the recording industry litigation effort, Fred will discuss the recording industry’s tactics and describe alternatives that may be on the digital music horizon.

Stanford Center for Internet and Society: Auren Hoffman

Portable Identities and Social Web Bill of Rights

Identity management is one of the biggest challenges that face the future Internet as more and more of our data get put up on the web. Frequently I will hear from folks a desire to throw out technology in the name of privacy. That is unrealistic. The best way to protect one’s privacy is not by avoiding, but ensuring your privacy is legally protected and/or you have opt out options. That is what makes the Social Web Bill of Rights such an interesting topic. Please, I am not interested in starting any IT religious wars. What I am saying is whether or not you agree with the Social Web Bill of Rights methods, think about the problem it is trying to addressing. Exposure to ideas and arguments is what podcasts are all about. Auren Hoffman provides very interesting supporting stories.

Description: The future world of portable identities, reputations, and social graphs has many pluses and concerns. These portable systems could make the benefits of personalization, once only relegated to science fiction, a reality. The Social Web Bill of Rights makes the claim that users have the right to portability. But there are privacy implications to take into account as well. We will discuss an opt-out vs. and opt-in approach on data collection, privacy, and portability.

Podcast List

I am frequently asked, “What podcasts do you listen to?” The answer depends. The above listing gives you a good idea of what I find interesting. I do listen to many other podcasts. Below is a listing that includes most of the podcasts. I say “most” because the list changes. If you choose to give any a try, I have one major piece of advise. Like the Nike advertisements say, “Just do it.” Frequently I listen to podcasts while doing all sorts of things. I operate on the theory that it is better to be exposed to a topic even if you are not giving the podcast your full attention. If you wait until you have time to listen intently, you will never get around to it. While I may not be listening with notebook in hand (though I do carry around a small notebook in my pocket, just in case I ever need to jot something down), I learn a great deal by just being exposed to a topic. Below are the podcasts likely to be found on my MP3 player:

• Slashdot Review
• Risky Business
• A Series of Tubes
• Between the Lines
• Security Wire Weekly
• Linux News
• Perlcast
• Adventures in Security
• Sound Policy
• CERT
• Google Code – Updates
• Silver Bullet
• Might Seek
• Security Catalyst
• IT Skeptic
• The Rear Guard Security Podcast
• StillSecure, After all these years
• BriefingsDirect
• CERIAS Security Seminar Podcast
• Technorama
• Valid Syntax
• Network Security Podcast
• O’Reilly FOO
• Distributing the Future
• SploitCast
• Geek News Central
• BriefingsDirect
• InfoWorld SOA Report
• Crypto-Gram Security Podcast
• TalkBMC
• Rules for the Revolution
  
• This Week in LAW
• CyberSpeak
• FLOSS
• Mike Tech Show
• Gartner Voice
• EnterpriseLeadership
• In the Trenches
• Windows Weekly with Paul Thurrott
• This Week in TECH
• Controlling Chaos
• The Project Management Podcast
• IT Conversations
• WordPress
• Security Now!
• PaulDotCom Security Weekly
• Geek Muse
• Net at Nite
• Tripwire
• Nosilla
• Mac Roundtable
• The MacCast
• Ruby

Now that I have answered the question, “What are you listening to?” it does not look like I fit in with Spock, Darth Vadar, B-9, or Gollum. I think that is a good thing, except for the fact that their selection of listening entertainment seem more mainstream than mine.

On April 3, 1860, a lone rider set out on horseback carrying saddlebags filled with our nations hopes and dreams. He raced against nature’s cruel elements and rugged terrain. The riders journey would end ten days later, some 2000 miles west. So began the legendary pony express, which proved “a unified transcontinental system could be built and operated continuously the year around.” An 1860 California add for riders was reported to have read, “Wanted. Young, skinny, wiry fellows. Not over 18. Must be expert riders. Willing to risk death daily. Orphans preferred.” Even if the add is not true (a little too honest), you have to love the “orphans preferred” component. Now that is what makes a legend. The reality is, the pony express would close just eighteen months later, on October 26, 1861; just two days after the transcontinental telegraph system was completed.

Technology is always advancing. I hope by highlighting a few of these podcasts I have demonstrated what valuable information is available to anyone with an Internet connection, computer, and MP3 player. Even my parents have expressed interested in listening to podcasts. Times are a changing. A year ago when I talked about podcasts, I would frequently be told, “I don’t have an iPod.” Nowadays, I never hear that. It is not because iPod sales have been that great. People are better informed. It ’s a small world after all and the world is getting smaller every day. Oh heck, I am no good at coming up with song titles to make my point. I have spent too much time listening to podcasts and not enough time listening to music. What I am trying to say is that people across the glob are willing to give up their time in order to teach those willing to listen and learn. One just need to be open to the opportunity. So, I ask you, what are you listening to?

This weekend, storytellers from around the world gathered at Colonial Williamsburg to participate in the Third Annual Storytelling Festival. Art Johnson, a historical interpreter, talked with Lloyd Dobyns, host of Colonial Williamsburg podcast series. Art brings up a very interesting point when he states, “Listening to a good storyteller, or listening to somebody you are interested in hearing what they’re telling you about, you get wrapped up in their voice. Their voice will lead you to a place that you forget about where you are and what you’re doing; you’re in their world. That’s the difference between a good storyteller and somebody just talking to you in front of an audience.”

Where is the connection to IT? No, nothing to do with making up meaningless metrics to impress the CEO. Storytelling can be about real facts and events, just told in an engaging manner. The real connection is that both storytelling and IT deal with handling and interpreting information. This can be done both through the written word or through speech. In other words, through blogs or through podcasts.

Dr. Rohit Khare, director of CommerceNet Labs, had a discussion with Jon Udell on “Syndication-Oriented Architecture (SynOA).” Dr. Rohit points out that rapid innovation of “Web 2.0″ syndication and social collaboration tools are spurring enterprise leaders to implement syndication as a core component of their Service-Oriented Architectures. The increased volume of unstructured data is overwhelming employees, customers, and customers. Businesses are challenged with finding a way to connect relevant and actionable information with the people that drive business. Dr. Khare states:

You do in some ways centralize the information flow, but you get the benefit of decentralized awareness — it’s an interesting paradox. If I have one syndication bus that’s responsible for delivering information to all of my users, and everyone in the community, then that same piece of software is in a very good position to detect patterns and emerging trends. If you think about meme trackers that can report, hey, this is a hot story that’s come up in the last few hours, that’s going to be really powerful when it mainstreams.

Dr. Khare goes on to say, “Syndication standards are no longer just formats for relaying headline news. Now they can enable ‘information agility’ for all of the knowledge flowing inside and outside the enterprise.” This basically is the idea of “RSSifying” everything, then putting all the feeds through a “syndication bus.”

Dr. Khare points to Facebook as an example of a syndication-oriented application. Facebook users are constantly interpreting and publishing events onto a syndication bus while at the same time subscribing to aggregated feeds published by their friends who interpret and publish events. On and on it goes. What data gets delivered to the individual and how it gets presented depends on what their friends decided to publish and how their friends interpret the event. In other words, people are the storytellers.

Now consider Art Johnson words:

Storytellers tell their stories their way. Those who are more creative, who can create stories, they definitely tell it their way. The way they tell it, and if you listen to them, they could tell you the same story three different times, in three different ways. If you were to put them all together, you’ll hear there are a whole lot more likenesses than there are differences.

Personalization is exactly what both storytellers and the subscribers of Facebook are doing. SynOA is meant to guide a wide range of services. Under SynOA, information overload is broken up into five layers of increasingly sophisticated capabilities: Publication, Subscription, Distribution, Personalization, and Collaboration.

Tom Kelleher and Barbara M. Miller did study for the School of Journalism and Mass Communication, University of North Carolina at Chapel Hill, titled “Organizational Blogs and the Human Voice: Relational Strategies and Relational Outcomes.” They evaluated the potential advantages of organizational blogs over traditional Web sites. What they found is that blogs are a good place to speak candidly with a conversational style. This conversational style, “may be an important part of the process of building and maintaining computer-mediated relationships. Among the most important findings of this study are that:

1. blogs were perceived as more conversational than organizational Web sites
2. this conversational human voice correlated positively with other previously-identified relationship outcomes.

The perceived personal nature of organizational blogs, in this case, is related to relationship indicators.” They go on to state, “To enter the market conversation, Web sites need to have a voice, express a point of view, ignite a dialogue, and give access to helpful people (Searls & Weinberger, 2001). It all starts with having a voice. Expressing a point of view in a personal tone in a blog is likely a good way to get a conversation started.”

Christopher Locke, Rick Levine, Doc Searls, and David Weinberger write in their book, “The Cluetrain Manifesto: The End of Business as Usual“, “the best of the people in PR are not PR Types at all. They’re the company’s best conversationalists.” The point being, one has to engaged the reader or listener. That is a key attribute of an effective storytellers.

I have heard from some busy people how they prefer RSS feeds over podcasts, because podcasts can get a bit off topic and chatty. With RSS feeds you can scan for information. There lies a potential problem. Nielsen Norman Group researchers did a study involving newsletters. They found that the average time allocated to an email newsletter after opening it is just 51 seconds. People scan the text, with only 19% of newsletters being read fully. Eyetracking observations of users reading RSS news feeds showed that people scan the headlines and blurbs in feeds even more ruthlessly than they scan newsletters.

Having people scan posting and read only 19% or less of what is written does not seem an effective way to engage the reader or listener. Michael Stelzner, in his posting, “Using Voice to Engage Readers, A Case Study” makes some interesting points. When he was a sales manager at The Sharper Image, they found that if they walked around the store with an expensive product in their hands and showed folks how it worked, the sales of that product grew dramatically. Michael experimented by recording a voice snippet that auto played after a few seconds, when someone visits the website for his book, “Writing White Papers.” The recording just told visitors how they could hear a sample chapter of the book by clicking on a link. While the link had been there all along, Michael reports that, “Indeed people did follow my voice instructions significantly more AFTER I asked them to click on a special link.”

The moral of the story is that one has to engage the reader. Some folks are just going to want the facts. Their limited time might make them less inclined to care about the personalization and collaboration stage of SynOA. These folks are like that manager I wrote of earlier, who was so busy he did other work while in meetings. I would caution that there is a real danger in not taking the time to listen to others and learn how to communicate effectively. I worked with a guy once who was a very hard working and intelligent individual. Because he was so hard working, he was promoted to the point where he had several people working for him. The problems was, he valued his own abilities so much, he never saw the value in others. He never developed effective communication or collaboration skills. There comes a point where no matter how brilliant and hard working you might be, there simply are not enough hours in the day. People have to rely on each others to get complicated jobs done. We can learn from each other. On a good team, each member brings their own perspective. It the classic story of the blind men and the elephant. It is through the collaboration phase that we gain knowledge of the larger picture. If you cannot communicate your knowledge, good team work is impossible and your effectiveness is severely limited. This is why IT needs good storytellers.

When the Brooklyn Bridge was constructed, one of the first thing the engineers had to do was to securely anchor the bridge’s two towers on the solid bedrock. The problem was, the bedrock was under many layers of mud below the East River. The solution decided upon was to use a huge wooden caisson, which was assembled on land, towed to the site of the tower, and sunk. Compressed air was pumped into the chamber to prevent water from leaking in. The caisson’s false floor was then ripped out so the workers could dig up the river bottom.

The EyeWitness to History.com website described the working conditions of the caisson as follows:

The working conditions within the caisson resembled a scene from Dante’s Inferno. The tremendous pressure, the suffocating heat, the lack of oxygen and the noise all combined to limit a worker’s time within the caisson to a maximum of two hours. As they ascended through the compressed air to the top of the caisson, the workers were threatened with the crippling and painful effects of the bends – an imbalance of nitrogen in the blood caused by a too rapid ascension out of the compressed air.

Initially, 80 of the crew’s 352 sandhogs were affected by the agony of the bends, and 15 died. Work continued with slower ascent times.

Sandhogs continue to do their work, and die, under New York. Most people do not realize that New York City has a $6 billion water tunnel project that has claimed 24 lives, endured six mayors and survived three city fiscal crises.

The sandhogs have my utmost respect. My great grandfather was a coal miner in Scranton, PA. My gramma would tell about him coming home completely black from coal dust. Only his eyes remained white. They knew the coal mines would kill them one way or a another. They did what they had to do to take care of their families. It is an amazing quality in people. They will sacrifice themselves for the hope of the future. The people who are left behind also demonstrate such courage in continuing to live and by not allowing the sacrifices to be in vain.

I grew up in Rutherford, New Jersey. As a child, I could see the skyline of New York City from my bedroom window. My childhood home was within fifteen miles of the World Trade Center. My family attended St. Joseph’s church in East Rutherford where Father Mychal Judge, affectionately known as Father Mike, was a friar. Father Mike was the Fire Department chaplain killed six years ago today following the World Trade Center attacks. He was one of the first to die when struck by falling debris as he anointed a firefighter and a fallen office worker.

People much more eloquent than I can post tributes concerning 9/11. I just wanted to take a moment and remember those whose lives ended and the many more people whose lives were permanently altered by the events of September 11, 2001.

Back then I was working at a government facility, many states removed. I first became aware that something was wrong when my mother called to tell me that a plane had flown into the tower. Just to be clear, I was not working in intelligence or any organization within the government that should have been aware of what was going on. As I headed to an area where a television was located, I ran into people who had heard the news on their radios. We arrived and had been watching the news for only a few minutes when the second plane hit.

There was a married couple working at this location. The husband had flown out that morning to DC. I was scheduled to fly to DC for a meeting the next day. Fortunately, the husband was able to get a call through not long after the plane crashed into the pentagon. To say the wife was relieved is an understatement. My brother was working in Time Square for an engineering firm. My mom talked to him after the towers collapsed. The engineers were in shock. The towers were suppose to be able to withstand a plane crash. It would be a long day for my brother.

Fortunately, no one close to me died in the attack. I do mourn those I once knew. My life’s path was altered. Not surprisingly, security became much more important to me. Like many, watching and listening to the news started taking up a decent amount of my spare time. I found some news programs better than others and I would go off to web sites for more in depth coverage. I began having my computer record programs off Internet radio. It seems like a lifetime ago. I use to copy these recorded programs to rewritable CDs. Fortunately, I soon switched over to an MP3 player. To some degree, wanting to get my fix of news helped me start regularly working out before work. I was pretty serious and lost seventy pounds.

Later, I realized that knowing what was going on in the world, while good, was not real helpful in daily life. Sure, one could sit around at parties and make other people feel dumb. But I was never one to take satisfaction in that. Besides, anyone could bring out Trivia Pursuit and turn the tables completely around on me. I have lived a fairly focused life and I am terrible at trivia. At that time, I became aware of podcasts. While I did not have an iPod, I learned I could still listen to podcasts on my MP3. I started putting my listening time towards security and information technology podcasts.

Tom Bishop, of BMC Software Inc, talked with Ynema Mangum on Technology Trends. They talked on various trends, and it is another great TalkBMC podcast. When they brought up Google Reader, I found their comments particularly interesting and accurate. When you describe Google Reader to someone as a “web-based feed reader to keep up with blogs and news,” people respond, “big deal.” It sounds so simple. It is when you start using it, you realize how fundamentally important it is.

Recently, I was talking with folks about good sites for security information. These folks were saying, “Yeah, I go to this site, and that site…” As I listened, I was transported back to a time when I had to go off to one endless progression of sites on a daily basis just to keep up on news and information. I was trapped in IT hell. That was before RSS saved me. I knew I had to help these poor people. So I climb up on my soap box and start evangelizing about RSS. They cried out in despair, “But my company will not allow RSS through the firewall!” I enlightened them about Google Reader’s ability to pull all the feeds into one location, all accessible via the web. They could even pull the postings down and go off line. They rejoiced.

If this blog seems a bit rambling, it was intended to be so. Remember the subject is “Winding Paths.” Life is full of decisions and pathways to take. As Johann Wolfgang von Goethe points out, “Mountains cannot be surmounted except by winding paths.” I wanted to do a post today that reflected on paths I have taken and paths others have taken for me. Fortunately I am not working five hundred feet below New York City. Yet, I have clean drinking water. Nor do I come home each night covered in coal dust. Yet I have heat, air conditioning, and electricity. When alarms go off and people are evacuating a building, my job is not to rush in to put out fires or help get people out. I am one of those people who is helped out. Nor am I overseas serving in dangerous theaters of operations. Yet, I benefit so greatly because of their service. I might spend a little too much time working, and fail to get much sleep, but those are minor inconveniences. I am thankful for paths that have brought me to where I am. I am thankful for those people, past and present, who sacrifice so much. Thank you.

Bernard of Chartres wrote, “We are like dwarfs standing upon the shoulders of giants, and so able to see more and see farther than the ancients.” The answer to many problems in life are within our grasp if only we change our perspective. We just need to build upon the knowledge of others. This is one of the most powerful aspects of podcasts and blogs. Experts in all different fields are volunteering their time to provide valuable information.

Eric Cole put it well while talking with Gary McGraw on the Silver Bullet Security Podcast:

To be a good practitioner in network security, you really need to be creative. In the past, security were alway the people who said “No”. “Can we do this?” “No, no, no.” If someone comes to you, and all you keep telling them is “no”, they just will not ask you anymore. Today security is all about saying “yes” in a creative manner. You really need to have that creative juices flowing, coming up with really unique solutions. You also have to have that thirst of knowledge because there are always new problems and issues.

I was surprised while talking to some fellow security professionals to hear them state they do not listen to podcasts. We all suffer from chronic lack of time. I knew a manager who would always come to meetings late, spend the whole meeting reading papers (today it would be on his laptop), and then at the end of the meeting ask questions requiring folks to repeat material already discussed. Many people viewed that manager as incredibly busy. They admired that about him. Now I liked the guy, but I hated attending meetings with him because he would waste my time. For me, podcasts provide an opportunity to slow down and listen to people talk about subjects they are passionate about. Sure, alot of times I may be half listening. Still, I feel I gain from slowing down and listening to people talk.

Recently, I had to do a bit of driving. I spent twenty six hours driving in a ten day period. This provided me the opportunity to listen to a good deal of the podcasts I had fallen behind on. While I will post podcasts of interest under “Recent Podcasts” (bottom right), I wanted to focus on a few of these podcasts.

Silver Bullet Security Podcast

A consistently strong podcast is the Silver Bullet Security Podcast by Gary McGraw. The podcast comes out just once a month. I have already mentioned the most recent episode with Eric Cole in two blogs. Here is a description (from the site) of Eric’s Interview, “Gary talks with Eric Cole, CEO of Secure Anchor. Eric has written seven books on computer security, including books on steganography and network security. Gary and Eric discuss how to demonstrate security ROI in different types of organizations (ranging from government to corporate), the academic approach to security versus practitioner certification models, and what kinds of training makes for good network security practitioners. They also discuss the difficulty of certifying software developers.”

CERT’s Podcast Series: Security for Business Leaders

This podcast comes out once every few weeks and is a must listen in my book. I really enjoyed the “Tackling Security at the National Level: A Resource for Leaders” episode featuring Jeff Carpenter and Julia Allen. One outstanding aspect of this podcast are the show notes. Pulling from the executive summary, this episode discusses how “Not all information security incidents can be handled in-house. Some require coordination with third-party forensics firms or law enforcement personnel, others with external partners or suppliers, and still others with national or global organizations. In these latter types of incidents, the expertise of a national CSIRT (Computer Security Incident Response Team) can be a valuable resource for business leaders … In this podcast, Jeff Carpenter, the technical manager of the CERT Coordination Center, discusses how national CSIRTs work and how business leaders can make use of national CSIRTs’ expertise to handle large-scale, critical situations as smoothly as possible.”

ITRadio.com.au

It might seem odd going to Australia for security news, but there is something about the two shows on ITRadio.com.au that I simply enjoy. I don’t think it is only the accents, though I do appreciate the hosts greatly. ITRadio.com.au produces two enoyable shows:

• Risky Business, the weekly IT security podcast produced and hosted by Patrick Gray
• A Series of Tubes, the networking and integration podcast with Ian Yates.

Patrick Gray is the founder of ITRadio.com.au and a freelance journalist specialising in IT security. Ian Yates is a veteran IT journalist who has won two awards for his opinion columns; Consensus IT Writers Awards Most Entertaining Writer and MediaConnect IT Journalism Awards Best Technology Columnist.

The most recent “A Series of Tubes” podcast is titled “Backing it up.” I really enjoyed this episode, which might indicate I need to get out more. To quote the site, “Freelance journalist Adam Turner, who writes for The Age and The Sydney Morning Herald, brings us up-to-date with the latest news in networking and systems integration. Greg Wyman from StorageCraft talks about the benefits of snapshots. Clive Gold from EMC reminds us not to forget the data hiding on desktop PCs. Analyst Kevin McIsaac from IBRS warns us not to believe everything we hear. Ronnie Altit from Dimension Data says offsite is safest.”

The most recent “Risk Business” podcast is titled “Embassies pwned, adware suits and APEC.” The episode, to quote the site, covers, “Host Patrick Gray and ZDNet Australia editor Munir Kotadia discuss the week’s headlines. RSA Security’s country manager discusses secure telecommuting. PC Tools chief executive Simon Clausen does a postmortem on the failed adware company lawsuit against his company and Kaspersky labs. Robert Lording, Verizon Business Security Solutions network security manager discusses the telco’s role in preventing the spread of malware.”

Security Round Table

This podcast does not occur at any kind of consistent schedule. When it does come out, it brings together an all star cast from the security field. The latest episode, “The Security Round Table for August 2007 – Security Career Success” brought up many points that I found myself thinking about. Particularly the idea of a career verses a job. I will not say anyhting further, you will need to listen to the podcast. The site describes the show as having “assembled an expert panel to explore the keys to a successful security career – and how you can find the perfect job for you. We recorded this discussion on Tuesday, August 14th 2007 and present it now for your listening pleasure.”

CyberSpeak

Bret Padres and Ovie Carroll, two former federal agents “talk about computer forensics, network security and computer crime” on their podcast. These guys are just great to listen to. They know what they are talking about. Their shows have not been too regular lately. I am amazed that podcasters who can keep regular schedules. Enjoy the shows when they come out. The shows will generally cover recent news and then be followed by an interview. I believe on their CyberSpeak 29 July 2007 episode, they discussed Apple forensics; a very interesting topic to me.

IT Conversations

IT Conversations is one of those podcasts that is somewhat difficult to describe. They descibe themselves as “an online publisher of recordings of spoken-word events such as conferences, lectures and meetings as well as shows hosted by experts in their fields.” Phil Windley is the executive producer. If I had more time, I would listen to all of IT Conversations podcast and would be a much more rounded IT person. As it is, I’ll listen to as many as I can and regrettable skip over some.

An example of a recent podcast was with Chris Sacca titled, “Unlicensed Spectrum: Tales from the Lamppos.” This episode was described as, “as more and more services and opportunities become available on the World Wide Web, the gap between those who are connected and those who aren’t is becoming an increasing problem. Access to the internet is certainly not yet ubiquitous, and where it is accessible the costs are often high, and the choices for service low. In this talk, Chris Sacca, the Head of Special Initiatives at Google, Inc., explains some of the trials and tribulations that Google faced while installing its free Wi-Fi network in Google’s hometown of Mountain View, California.” I, along with Greg Cole, many many years ago were principal developer for the community network for the Knoxville Oak Ridge Regional Network (KORRNet). It is interesting to hear the same battles are going on. Fortunately, Google’s war chest is a bit larger.

Another great episode was with Andrew Jaquith and Dan Geer. Phil Windley has a consistently informative show on IT Conversations titled Technometria. A recent episode titled “Technometria: Security Metrics” can be described as “in The Book of Risk, Dan Borge writes that ‘the purpose of risk management is to change the future, not to explain the past.’ The subtitle of Andrew Jaquith’s book is ‘Replacing Fear, Uncertainty, and Doubt‘ and that is a clear description of the purpose of security metrics. Phil and Scott are joined by Andrew, as well as Daniel Geer, Vice President and Chief Scientist of Verdasys. The group discuss the concepts and purpose of metrics in security management. Andrew and Dan first review their backgrounds and what led them to become involved in technology security. They talk about how they quickly discovered that it was important to quantify security issues, particularly as a way to better predict future problems. Jaquith also discusses his book in detail, starting with the concept of the ‘Hamster Wheel of Pain’. They assess why people fail to properly measure security as well as what makes a good metric.

Gartner Voice

This podcast can be a hit or miss with me. I keep an ear on business, but there is much about business that does not interest me. Their show, “A Conversation with Michael Oxley” was a grand slam. This show provided an opportunity to listen to Michael Oxley, former U.S. Congressman, co-author of the Sarbanes-Oxley Act and Vice Chairman of the NASDAQ, elaborate on his career.

Enterpise Leadership

Tom Parish does a good job interviewing “industry thought leaders and innovators.” I like to listen to CIO talk because these are the folks I need to explain why and how security need to be implemented within the company. The show describes itself as, “a collaborative site dedicated to sharing knowledge about IT, business, and the business of IT.” Having worked for DOE, I enjoyed the episode “Charlie Catlett: Stretching the Boundaries from TeraGrid to Second Life.”

Concluding Remarks

There are many more great podcasts. Since I want to finish up this post and get to bed, I’ll refrain from spotlighting any more. Please do look at the podcasts listed under “Recent Podcasts” and the “Podcast” page on this site.

As for the answer to the quoted riddle that started this blog, follow the link. Always remember, I do not blog because I love to read my own words. Those words are rambling around my head all the time, so I get to hear them continuously. My postings are about the links. If you follow the riddle’s link, you will find yourself at a very interesting site, SharpBrains. The site states its mission is to raise public awareness of science-based cognitive and emotional training research and programs. If you follow the link on the photo, it will take you to Mycoted which is a UK based company that specialises in Creativity and Innovation.

We live during a fascinating time where so much knowledge is at our fingertips. Sure, there are dangers. That is why I so enjoyed hearing Eric Cole. I know of many security professionals that express total disdain for technologies being developed today. I understand; it would make the life of the security engineer so much easier if we could just say “no.” Interconnecting all these people from different walks of lives and countries was an extremely risky thing to do. What ever were we thinking? For the sake of security, would it not be easier to just say “no” to the Internet? That is not our job. Our job is to support business requirements. If to help our business operate more efficiently, the business needs to collaborate and share information in innovative ways, than we need to know the technologies. We also need to be figuring out how to secure these new technologies. To do this, we need to listen and learn.

Normally, I am pleased with myself if I can complete one post a week. Still, I had to put in that extra effort this week in order to get James Turner comic up. The cartoon is bound to become a classic. Well, maybe not among the masses. Okay, maybe just among an elite group of people who can identify languages by the animals on their O’Reilly book covers. Still, that is a pretty special group of people.

Since I am posting a comic strip involving Ruby and Perl, I figured I would add a few pointers of interest. If you are an old time Perl programmer, you will want to check out Jonathan Scott Duff’s posting on, “Everyday Perl 6.” Perlcast, a podcast focus primarily on the Perl programming language, has posted a podcast on “Learning Perl 6.” The presentation was done by Brian D Foy at the Nordic Perl Workshop 2007. Slides along with the audio podcast of the presentation are available.

Not to show favoritism, on the Google Code Blog, they did their fourth podcast where Mark Limber talks on Google SketchUp. To quote the Google SketchUp site:

Developed for the conceptual stages of design, Google SketchUp is a powerful yet easy-to-learn 3D software tool that combines a simple, yet robust tool-set with an intelligent drawing system that streamlines and simplifies 3D design. From simple to complex, conceptual to realistic, Google SketchUp enables you to build and modify 3D models quickly and easily. If you use Google Earth, Google SketchUp allows you to place your models using real-world coordinates and share them with the world using the Google 3D Warehouse.

Ruby is the scripting language that is used in SketchUp. Sorry Perl.