Come Fly With Me

I got my first snail-mail scam today. I won two round-trip airline tickets to anywhere in the United States!

The masterpiece arrived in a regular letter envelope and was addressed by hand. The regular first class self-stick stamp was postmarked in Phoenix, AZ.


Scam Letter Envelope

Inside, the document had a letterhead for "US Airlines". I'm guessing this is to bank on the confusion between US Airways and American Airlines. The letter was addressed to me by name and was also signed by hand.

Scam Letter

The letter reads as follows:

NOTE: You must respond no later than November 25th, 2011.

Dear Christopher,

I am pleased to inform you that you have qualified for an award of 2 roundtrip airline tickets. Congratulations. These tickets are valid for travel anywhere in the Continental U.S. from any major international airport. The retail value of this award is up to $1,400.00. Certain restrictions apply.

We have attempted contacting you several times without success. This is our last attempt. If we do not hear from you soon, we may need to issue the ticket vouchers to the alternate.

Please call me today at 1-866-351-2044



Valerie Fay

Vice President


I'm sure anyone who reads my blog is smart enough to not fall for this anyway, but it was certainly an anomaly in my mail box.


UPDATE [11/19/2011]:

Commenter "Scmmer" did a little research and added:


I called the number. Was transferred to a young-sounding woman who essentially repeated everything in the letter then told me that it's a new Travel Agency that is looking to build their business. You have to visit their office located at 2002 N Lois Ave. in the Westwood Center. Then she explained that this was for married or cohabitating couples. When I asked what the agency name was she pointed me to "airfareanddealsdotcom". Doing a quick Google search turned up the IP address which turned up 4 entries on the BotScout website.
A Whois search shows they are out of Provo, Utah.
That's about all I can find online but I am interested in seeing where this goes.

My response to “6 Reasons Why You Should NOT Work With Information Security”

Today, several folks have tweeted & retweeted about an article written by "Adriano" at The original article may be read here:

I'm not sure if the original post was meant to be funny or cynical. If it was, the intention did not translate very well into text.

I have been working as an infosec professional both in the public and private sector for over 10 years. I am by no means "seasoned" or an expert in anything. I've seen a lot of things, worked with a lot of people, and had my share of experiences both good and bad. I can't say that any of the points made in the original post ring true for me at any point in my career. I also think that the topics discussed can easily apply to anyone in any field of the service industry.

I will address each of the original topics one-by-one and provide my own commentary based on my experiences in the infosec field.

6. Working Long Hours, forever

I work hard every single day, and yes, sometimes I work extra hours. Things do go wrong. Security incidents do happen. This is why I have plans in place and teams on which I can rely. I go to sleep at night knowing my team and I have done the best job we could with the resources available to us. We have the detective controls in place to help ensure that if something does go wrong, we can quickly and efficiently respond to it. 

When I first started, I did work long hours. I did shift work on a 24/7 SOC watch floor. My shifts were 12 hours long, and often I would be back at work before the calendar flipped to the next day. Some might not like it, but I loved it. It allowed me to see everything and learn a whole lot. Having a good attitude early in my career is what allowed me to advance and not have to work long hours forever.

5. People Only Remember Of You When Things Go Wrong

If this is the culture you have bred, then I totally agree. Again, this goes back to attitude. You have a lot of control over how people remember you. Be a security catalyst. Be proactive. Build a culture in your organization where colleagues feel comfortable coming to you to ask questions before they do something or start a project. Help people. Save one group from audit-hell because you saw something and helped them do it the right way before a project went live. How will you be remembered then?

There's not a patch for everything, and you can never be 100% secure. You can, however, put forth your best effort by implementing good security programs and technology. Set management's expectations. Things will go wrong. Prepare your management so they judge you not on the fault, but rather on how well you respond to the fault. Many companies are in the news recently with breaches and other security issues. What's more interesting to follow… the actual breach, or how well (or badly) the company responded to it?

4. Study, Study and More Study

Why is this even part of the original post? The infosec field gives you an opportunity to continuously self-improve. Once again, it's about attitude. You could sit around, not read, not learn, not try for certifications or higher education. You'll be stuck doing the same thing every day, or worse, not having anything to do at all. 

My experience so far has been that companies are fairly generous when it comes to self-improvement. Book reimbursement, on-site training, tuition assistance, and certification vouchers are some of the perks I see. An uneducated you does no good for your company.

3. There Is A Limit For Growth To Your Career

Not true at all. Here I am again talking about attitude. Your career is not constrained to the company for which you work. Sometimes moving up means moving on. You probably can't do either if you're not doing point #4. The original post asks "What are your chances of becoming the CEO of the company you work for?" and "Now, let’s ask our CEO what sort of background he has." Do you really *want* to become the CEO of the company for which you work? Certainly not if you want to stay within the infosec field. Unless you work for a security company, the chances are probably pretty low that your CEO's background is in information security. If you *do* work for a security company and some day want to be the CEO, keep a good attitude and never stop learning. For the rest of us, finishing out your career as a CISO, CSO, CIO, or CTO is not too shabby either. Others are perfectly content staying in the weeds and remaining engineers. 

2. No Room For Mistakes

I don't know about you, but I make mistakes all the time. As a security professional (or just being a grownup for that matter), you have to make decisions and take responsibility for those decisions. There were only two months in my adult life when I didn't have to make any decisions. That was my Navy boot camp. Everything was decided for me.

Your attitude dictates how you deal with mistakes — made by you and others. The outcome of mistakes drives changes to your infosec program. You may never have considered something a possibility to defend against until someone in your environment did something wrong. Recognize the mistake. Adapt. Overcome. Adjust your security program to account for it. Everything bad that happens in this field is made possible due to someone's mistake. Patches correct programming mistakes. Baselines correct configuration mistakes.

1. People expect you to crack their exes Gmail passwords, wireless networks, and combination locks.

Really? This isn't 1995 anymore. I don't have much to say on this topic. Apart from skiddies on IRC, I can't say I've encountered this very much. I think it comes down to others' lack of understanding of what you do. Calmly explain what you do and they'll get bored and move on.


I guess you could say that the original post struck a nerve with me. My impression is that the author has a bad attitude and can't move up and hates his job. If the original post was meant to be satire, I was too thick to get it.

The Future Of Cloud Is Assured

evil_steve linked this on #centos this morning…

Why Business Loves The Cloud

OneFTE has now been added into my daily reads.

Not Safe For Math Majors

Saw this posted in IRC today…

Flag Question From My Dad

My Dad wrote an email asking the following:

Dear Folks,

Does anyone know the position of a second flag on a common halyard?
I fly the US flag on top and the POW MIA flag beneath.
A few years back, I wrote a letter to the Flag Code organization in Pittsburgh and did not get an answer.
I have heard various comments relative to that positioning. I can not find it in my code booklet.
I heard originally that it should be a flag height break between flags. I also heard that the flag below the US flag should not be touched by the hanging US flag. I cannot find anything in print with either of those comments.
I was also told that you were not to fly any other flag with the US flag. I know that is bogus according to the flag code. All I could find in the code is that the US flag flies on the top. It just does not seem to specify details of separation. That is what I am looking for!

What’s on your (ideal) border?

If you had a beefy Linux box with plenty of storage hanging on to your border router that can see all of your network’s ingress/egress traffic, what would you put on it? Why?

Let me know in the comments or via twitter!

I’m thinking some sort of netflow collector, maybe a layer 7 re-assembler. Full packet capture/logging perhaps?

That Shrimp Damn Near Melted My Face Off

My wife and I went out for a grown-up night. We planned on hitting up the Brass Tap, but they were way too crowded. We decided to try Prime Bar instead. Prime Bar is located in the Wiregrass Shops in New Tampa across from the Brass Tap.

We both just wanted a beer, but the menu had a few unique items. After looking it over a few times, we finally settled on the Habanero Shrimp Tempura. I expected to receive a paper-lined plastic basket with some soggy battered/fried shrimp with some wing sauce on them. I was pleasantly surprised.

The shrimp was plated on a large tortilla on a bed of lettuce. There was a separate bowl for the ranch sauce, and a few carrots and celery sticks. I took a bite of the shrimp expecting a mediocre flavor. I was immediately wowed. This was the spiciest dish I had at a restaurant in recent memory. The sauce was super spicy with the perfect balance of tangy. The tempura was delicate and very crispy.

I ordered a Rogue Dead Guy ale at the same time as the shrimp. It turned out to be the perfect complement to the dish, both for flavor as well as cooling down the experience.

Altogether, the atmosphere at Prime Bar was kind of dead, but the food and beer were spot on. The decor and furniture arrangement reminded me of a hotel bar. If they work at bringing in the customers while at the same time not compromising the bold flavors, I think they might have a good thing going.

Today is cookie-baking day

I thought I’d share a cookie recipe I’ve been baking for a few years. My grandma used to make these. It’s a sweet, buttery cookie that crumbles apart.

Fourteen Ingredient Cookies


  • 1 cup butter
  • 1 cup oil
  • 1 cup brown sugar
  • 1 cup granulated sugar
  • 1 egg
  • 1 cup oatmeal
  • 1 cup Rice Krispies
  • 1 tsp cream of tartar
  • 1/2 tsp baking soda
  • 1/2 tsp salt
  • 1 cup coconut
  • 1 tsp vanilla
  • 1/2 cup chopped nuts
  • 3 1/2 cups flour


Preheat oven to 350 degrees F.

Cream together the butter, eggs, and sugar. Add the oil & mix well.

Add dry ingredients.

Drop onto ungreased cookie sheet.

Bake for 12-15 minutes.

Yield: 4-5 Dozen

New Direction For This Blog

I’ve been trying to stick to strictly SCAP-related posts, but there’s so much more to write about. Having recently deleted my Facebook account due to the new privacy policies, I will now use this blog as my general purpose outlet. I’ll be using my new domain from now on. The old domain will still work.

Article: The Best Way To Remediate

My colleague Aharon was recently published in SC Magazine with an article on SCAP and Vulnerability Management.

… A fortuitous byproduct of implementing the Security Content Automation Protocol (SCAP) within the organization is that we no longer have to rely on tracking security patches to address vulnerabilities. …

Check it out!