You can take the quiz by clicking here.

(You can also direct your browser to http://kuhfeldt.net/nessusdrules/ if you prefer.)

The syntax works by using accept or reject on a line that has not been commented out (i.e. Using # at the head of the line,) and then the IP address or IP range of systems to be affected. (You can use CIDR notation) This can also be refined to skip various ports by adding a port number or range after the IP address. To accept select hosts or ports in a protected range, you would need to place the accept before the reject statement.

Examples:

• Reject a single system:

reject 192.168.1.1

• Reject port 80 on that system, but allow other ports to be scanned:

reject 192.168.1.1:80

• Reject ports 400 to 600 on that host:

reject 192.168.1.1:400-600

• Reject a range of hosts:

reject 192.168.1.0/24

• Reject port 443 on those hosts:

reject 192.168.1.0/24:443

• Reject ports 3000 to 5000 on those hosts:

reject 192.168.1.0/24:3000-5000

• Reject every host in the 192.168.1.0/24 range, except for 192.168.1.45

accept 192.168.1.45
reject 182.168.1.0/24

The nessusd.rules file is an essential tool to help shape your active Vulnerability Assessment protocols, and can also be used when Nessus is being used in conjunction with Tenable’s SecurityCenter product, providing a local safe guard against scanning fragile devices with a scan that is not specifically tailored to those devices. (That is to say, you should be scanning and patching or hardening everything on your network, but some devices need TLC to identify issues or are production systems and don’t fit in with your daily Vulnerability Scanning regimen.

I have a hard time believing that any technology fits along the Dystopia or Utopia scale. Granted we have seen implementations that are less than optimal,and have been exploited to the point as to make them useless.

If we look at SCADA, a control system standard for industrial equipment was implemented when networks tended toward the LAN and not globally connected. The technology was based around implementation and troubleshooting without many layers of security (in most cases, no security at all beyond limiting physical access to the network.) It has been implemented in utilities, HVAC systems, and other industrial environments where a central control needs to manage a process over a large area. In this it is successful, however it fails to protect these process from malefactors intent on disrupting the process. These networks relied on security conceits that had pretty much would have failed against any slightly inclined attacker in the modern global network environment. In this case, new technology (WAN/Global networking) overtook the protections built into an old technology. In this sense we may be able to say that technology expresses a Darwinian attitude of natural selection.

In another example, hospitals use a variety of portable technologies to provide maximum portability for doctors who must be able to cover their patients from admission/ER to discharge. This is fantastic, it means that doctors can see more patients and have a higher likelihood of having the correct patient, (with more ways to verify who they are seeing,) but data in motion can be intercepted, misrouted or otherwise delivered to a person who is not supposed to gain access to that data. We get the advanced technology but some advanced uncertainty.

In my final example, I hold in my hand a modern smartphone. I have applications that allow me to navigate, to see if my friends are in the area, and see what is around. I can network with people with the same interests, locate new resources and explore new places and experiences. The trade off is anyone with access to those data sets knows where I am, whether I am home, and who I am with. In some cases, this can be a boon to society and in others it can be turned to a more detrimental effect. I think it is interesting to think about how various points in history would have been altered with the amount of granularity we have on a person’s movements and behaviors. I am fairly certain the wrong people would have had too much access then as I am fairly certain the wrong people have too much access now.

I was reading Bruce Schneier’s blog yesterday and the concept he came up with spoke well to me.  His words were, “The Internet is what we make it, and is constantly being recreated by organizations, companies, and countries with specific interests and agendas. Either we fight for a seat at the table, or the future of the Internet becomes something that is done to us.”

I honestly think technology is what we get it to do for us lest we get it done to us.  We have a say in how technology is used and it is not always by the manufacturer’s recommendations.  If I want to take my digital camera and convert it to catch infrared, I should be able to learn to do so.  If I paid for my phone, and want to turn it into a terminal for my home theatre system, by all rights I should do just that.  We are not limited by other’s constraints on our ingenuity and we will always find a novel way to use  a technology that it hadn’t been envisioned.

Rule: It’s yours until you share it.

LARP is about collaboration. When you have an idea and share it, you have invited change or interpretation of your idea. Be sure that you effectively communicate your basic idea, but be prepared to accept that others may have input that will refine or improve it. Once you let it loose, it stops being yours and becomes ‘ours’ which can lead to great things.

Corollary: Be ready to change up and roll with it.

LARP is about building a consensual story. Runtime events may change the flow of the story or someone may be more clever than you anticipated. This is an opportunity to draw them in and build something larger than your original plan. It may draw in more people than you expected and change further, but it is entertaining a wider audience and that is a hallmark of success.

Corollary: It isn’t your ball anymore.

You have a choice when something changes. You can roll with it or you can leave. The drawback to leaving is that you shared your idea, and it has become property of the group. As an adult, you should be able to let go and let others continue playing with the idea. You agreed to collaboration when you shared the idea, and you do not get to pick and choose who plays and who doesn’t when it doesn’t match your expectations. Put on your big LARPer pants and let play continue.

Rule: Be Nice.

As a LARPer, whether you are playing, writing, adjudicating or even just doing logistics you are working with people. People can be hard to take for some of us, but not being nice just makes it harder. No one gets paid a salary for most LARPs and are in the hobby for the love of entertaining their friends and fellows.

Corollary: If you cannot be nice, be prepared for consequences.

There comes a time when something is unresolvable between people. It happens. Sometimes, it is about food, or a small detail; other times it is about the direction of the story. You have a choice at that point: Be Nice or Not Be Nice. If you have reached a conclusion that it time to be not nice and rather than discuss it rationally decide to be abusive or try to cause turmoil over your displeasure, be prepared to be asked to leave. This means no backboard whisper campaigns, above board mutiny, or abusive behavior. Your momma was right, if you don’t have anything nice to say, you probably shouldn’t say it. However if you do shoot your mouth, keyboard or random communication device off, you should accept what happens next. If you have a repeated pattern of this, it will eventually catch up with you and people will stop associating with you. You don’t get to make excuses. “I was off my meds” or “I was having a bad day” only gets so much play. More than once or twice means you should evaluate your behavior and probably should make some changes.

Rule: Beware Geek Social Fallacies

There has been a lot said about the list at http://www.plausiblydeniable.com/opinion/gsf.html and I think this is a valid list. You don’t get to be a jerk because of any personal choice you made. No one has to accept it, nor do we have to accept any of the things on that list. If your friend is a jerk, we will think poorly of them and later of you if you continue to slam them down our throats when they continue to be a jerk. Even incorporated LARPs can refuse service to disruptive individuals, and while they may not have a war chest to go to court over it, their right should be respected and members of that community should feel empowered to let someone know that certain behaviors are not tolerated.

Corollary: It takes time to figure out a social circle.

Just because someone is a jerk the first time you meet them doesn’t mean they mean it. They may be trying to sort out how things work and the customs of your community.

Corollary: If you don’t fit, move on.

There are a ton of groups out there. If you are consistently unhappy or feel like you don’t fit, (or just plain don’t fit,) don’t expect the group to change for you. Find one that will accept you and is more as you expect. It is part of being an adult.

Also playing into that is the damage from the 1996 derecho that took out the large maple that anchored the front yard, forming a partition between the “sandbox” and firepit from the drive way.  Dad did what he could with the place, but it was never the same cool oasis that it had been before then.  He rebuilt the house from the disrepair and vandalism that had been done to it in the early 90′s, again changing the character of the house, which stayed roughly the same, but not quite.  Gone was the barnwood interior and rough cut pine, replaced by decent but not the same paneling.  The river had eaten more of the large trees along the bank and the lot between the cabin and the neighboring lot was deforested by beavers, making it less private.

While I think I could eventually acquire the property, I think it would be far more effective to look more in the West Virginia/Northern PA/Southwest Virginia areas for something that invokes the same feeling of calm and quiet and something dad would really dig.  Prices may be higher, but it would make for a convenient weekend hideyhole as needed.  I wouldn’t have to contend with the poverty of the area and the lack of work if something happens to the company I work for here, (Which I love and hope nothing does occur to make things go south.) So the looking begins anew.

I have been smoking a lot of shisha lately, and while I will admit some of it is selfish enjoyment, much of it is testing products for that Labor Day LARP.  I don’t serve crap to people I like.  Even the bad for you stuf has to be worthwhile.  I may post a review of the various flavors and brands in the near future. Needless to say, while Starbuzz is still the gold standard for easy smoking shisha, Al Fahker made a really strong showing.  Fantasia sucks beyond belief.

http://kellysue.com/2012/08/07/winters-tale/

Basically, in a nutshell she is going to write a comic book for this little girl to draw, and has invited us to draw along.  I think it would be spiffy keen to all play along at home, and create digital versions that Kelly Sue could forward to Winter.  (And we could trade among ourselves!)  Anyone in?

The official Tumblog is at http://winterstales.tumblr.com/ and you can play via Twitter (or on tumblr only but I suspect Twitter is going to be more responsive.)

If everyone were a little more like Ms. DeConnick, the world would be a much grander place.

Thank you Kelly Sue!

I have been rapidly coming to the conclusion that there needs to be a more secure method of authentication to websites and an accreditation standard similar to the PCI standard (or more strict) for sites that accept any user information. Perhaps a multi tier guideline that grades on a scale of how many best practices are fulfilled? This would go a long way toward forcing some compliance and keeping providers from becoming complacent. What is it ultimately? I have no idea.

Perhaps an independent two factor platform that puts the control in the user’s hands? A three factor platform incorporating the random number, a password and a certificate that is on a usb type key? A usb key that performs one use passwords and has a certificate or hardware authentication built in? In any case, there needs to be a heck of a step forward in the very near future, since we cannot go on with the current state of security on the Internet.