Security
by AstralSin on 03-23-2008 in Security
Metcalfe's Law states that a network's value increases exponentially with every node attached to it. This is true: a single computer sitting in a room by itself has minimal value in the real world. This concept describes the power of the internet and it can't be disputed. However, there is an aspect that has gone overlooked. For every node connected to the network, there has to be an operator of each node. Those operators can be one of three things: neutral agents, benevolent agents or malicious agents. While the majority of users are neutral agents, there will always be malicious agents present as well. It's much like the human immune system. Red blood cells exist as the neutral agents, serving the purpose of providing necessary nutrients for the body. White blood cells are the benevolent agents, fighting off the malicious agents such as viruses and bacteria. In the context of the human body, the benevolent agents normally greatly outnumber the malicious agents present. However, in the context of the Internet and computing systems, it seems that malicious agents far outnumber the benevolent agents. Therefore, while Metcalfe's Law applies to the value of a network, it also applies to the overall security of the network. For every node that joins the network, the potential security of the network decreases exponentially.
How does one prevent this, or even counteract it enough to make the network a sane environment? The simplest answer would probably be that it's impossible. With the ratio of malicious users to neutral users, who may have no concept of security whatsoever, being so lopsided, the malicious users on the Internet have made the network a highly infected and contagious system. The desperate shortage of benevolent agents (white hat hackers, penetration testers, etc.) allows the malicious agents (black hats, hacktivists, terrorists) to basically run free. Not only do they go mainly unchecked in the system, they mutate at a rapid pace by creating new methods of taking advantage of people, programs, and network systems, making treating them a very difficult task. The only hope the system has is for more people to become educated in ethical hacking and become inclined to act as the white blood cells of the Internet. Ideally, ALL non-malicious users should have at least some security training to help protect the system in some capacity. While it will probably never be that every user connected to the Internet is a security-conscious, careful individual, everyone that can do their part should. Keeping your own systems clean of viruses and malware to help keep the spread minimal, being educated about scams and hoaxes, and helping educate others about the dangers of online scams and hoaxes are great places to start that don't require you to work in security or even be highly trained.
Network security can be simply described by the following equation:
Where S represents the potential security of the system, Bh represents the malicious Black Hats, Wh represents the benevolent White Hats, and N represents the neutral entities. As the ratio of White Hats to Neutral agents increases, the impact by the Black Hats is decreased and the security of the whole is increased. The problem with the nature of the equation and the Internet is that while that ratio is increasing, so is the value of Bh, making it even harder for an equilibrium to be achieved. The security of computing systems relies on the same principles as the health of a living body: the malicious agents must be outweighed by the benevolent agents. This can never happen without people like YOU voluntarily becoming the benevolent agents. Don your white hats.
by AstralSin on 03-22-2008 in Security
I know, some people think professional certifications are lame. The plain and simple truth is that if you want to be a security professional (or any type of IT professional) these days, you have to have certifications. One reason is, all your competition has certifications and it shows employers that the candidate that has certs has enough conviction to actually study for, spend the money on, and pass the tests. Other than that, PCI standards are very important to industry today and PCI requires that IT staff be certified. That being said, I found a great guide to CompTIA's Security+ certification, which has recently been recognized by the US Department of Defense (Directive 8570.1) so it does have some clout. Besides, no matter how leet you may be, you might actually learn something in the course of studying for the exam.
Given, this is the entry level security test, it really does give you a solid understanding of the ideas and principles behind the standard procedure for keeping systems as secure as they can be. While there is a lot more to study to really be ready to do work like penetration testing or vulnerability assessments professionally, it's a good gateway to more serious certifications like CISSP or ECCouncil's curriculum.
While you're at the Techtopia website checking out the Security+ guide, you might as well check out some of the other stuff they have. They have good guides on Ubuntu, openSuse, Ruby, MySQL, C#, PHP and a few other things.
by AstralSin on 03-20-2008 in Security
These are like porn for hackers. Links galore to tools, news, tutorials, stuff you've never heard of, etc. These can be a great source of information.
by AstralSin on 03-19-2008 in Security
Now, we all know there are plenty of scams on the net. From the old standard Nigerian prince that needs to launder some money through you to the free 1000" TV you just won. Now, there are a couple new scams to be aware of. Both of which are fairly amusing for someone like me, who knows that there's nothing to be scared of.
The first is the African Yorkie puppy dog scam. These guys over in Africa are actually sending out emails threatening people that if they don't buy a Yorkie from them for $15k, they'll kill some Yorkies. For one, I'm a dog lover, I love animals, but Yorkies irritate me. Second, I can buy many, many Yorkies for $15k. Third, if you've been on the net as long as I have you can see this as a crap scam from a mile away. Think about it, Yorkies in Africa? What are they doing, roaming the savannah with the lions? Look people, don't fall for stupid crap like this.
The second scam is this one. It is a death threat stating that if you don't send some stupid amount of money to this person, they're gonna kill you. I'm a redneck. My response to this might be "bring it on, I'll be waiting with my shotgun". For some reason, I never get scam emails... damnit. I get left out of all the fun. Again, this is dumb. If someone wanted to kill you, they damn sure wouldn't email you about it. For one, that would give investigators WAY too much info to go on AND make it a first degree offense. No one's going to kill you if they email you about it. Calm down.
There's always someone wanting to make a buck without working for it. These lowlifes that think they can push people around on the internet need to be ignored; don't play into their game.
But of course, I'm sure my readers know better. Tell your friends, though.
EDIT: These scams have actually hit kinda close to home, I've heard of two people lately that have experienced these scams, one apiece. Read about it here. While you're at it, check out Steve Mallard's (who is mentioned in the article) technical blog, cool blog with lots of valuable information.
by AstralSin on 03-18-2008 in Security
Something you might see in the realm of security is one-time pads. These are used a lot in military operations and high-security outfits. It's basically a pad with a series of alphanumerical text chunks on it, each of which you will use to authenticate once then mark out. Once a block has been used once, it is not valid again. Ever. This page features a customizable one-time pad so you can play around with it and learn about the concept. It also has some good information on the process as well.
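The use-once-then-mark-out behaviour described above, as an added example that is not from the linked page: a verifier that keeps its own copy of the pad, crosses each block out on first use and rejects any replay. The names `generate_pad` and `PadVerifier`, the block length and the alphabet are assumptions made for illustration.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed block alphabet


def generate_pad(blocks=10, block_len=8):
    """Return `blocks` distinct random alphanumeric chunks (the printed pad)."""
    pad = []
    while len(pad) < blocks:
        block = "".join(secrets.choice(ALPHABET) for _ in range(block_len))
        if block not in pad:  # a repeated block would be usable twice
            pad.append(block)
    return pad


class PadVerifier:
    """Verifier's copy of the pad; remembers which blocks are crossed out."""

    def __init__(self, pad):
        self._pad = list(pad)
        self._used = [False] * len(pad)

    def remaining(self):
        return self._used.count(False)

    def authenticate(self, submitted):
        """Accept a block only if it is on the pad and unused, then cross it out."""
        match = -1
        # Compare against every block in constant time so the response time
        # does not reveal partial matches or the position on the pad.
        for i, block in enumerate(self._pad):
            same = hmac.compare_digest(block.encode(), submitted.encode())
            if same and not self._used[i] and match < 0:
                match = i
        if match < 0:
            return False
        self._used[match] = True  # never valid again
        return True


def demo():
    pad = generate_pad(blocks=5)            # constructed sample pad
    verifier = PadVerifier(pad)
    first = verifier.authenticate(pad[0])   # fresh block is accepted
    replay = verifier.authenticate(pad[0])  # same block again is rejected
    guess = verifier.authenticate("NOTONPAD!")  # not on the pad at all
    return first, replay, guess, verifier.remaining()


if __name__ == "__main__":
    print(demo())
```
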
by AstralSin on 03-17-2008 in Security
Many people worry about being tracked on the web, whether it's by their own government, another government, or any other 3rd party entity. There are plenty of reasons to stay anonymous, other than the conspiracy theory mumbo jumbo, too, and there are plenty of ways to make yourself *more* anonymous (no one is truly anonymous anymore).
The first method and probably the most popular amongst the popular crowd these days is The Onion Router, more commonly known as Tor. Tor takes advantage of open sourced technology originally developed by the US Naval Research Laboratory. It uses a peer to peer routing scheme that routes your communications through other Tor nodes to help protect your anonymity. There are vulnerabilities, however, and you can read about them on the Wikipedia article.
Another method is a little more old school, using SOCKS proxies. Usually, SOCKS is used in a LAN environment to proxy network communications through a single host on that LAN, but it can also be used on the Internet. You can find open SOCKS proxies (LEGAL WARNING: be careful) and you can make your web communications look like they're coming from some other host. The reason I say be careful is, you never know exactly what you're proxying through if you just find some random proxy on Google.
The final method I'll detail is web anonymizers. These are basically just websites that allow you to enter a URL, then that website goes to that page and caches it for you, then forwards you that page that it just cached. You are probably already familiar with one of these, it's called Google. Go to Google Image Search and search for anything, then click on an image and check the URL string in your browser, you'll notice that the TLD is still Google, and you have that Google frame. You're basically proxying through Google at that point.
Here are some more websites you should check out to learn more about being more anonymous on the net.
Anonymity Complete Guide
TOR Links
Anonymizer websites
No, sorry, I'm not giving you any SOCKS proxies, you can find them on your own and NOT hold me responsible for what you do with them :)
by AstralSin on 03-17-2008 in Security
Yeah, right. Security on MySpace. The place *filled* with blindingly hideous profile pages, tons of women that are 'just looking for a good time', and phishing scams has never made me feel good about submitting any form data. It seems that others are not so worried though, here is a page that details a leak of 40,000 MySpace passwords and even tells you the frequency of the most commonly used passwords and what they actually are. Of course, it doesn't give you any usernames to go along with them but it wouldn't be hard for a devious individual to try some. Please, if you use MySpace and don't want your account to get hacked (again), go look. If you're using one of the passwords, or even one that's kinda similar, stop. Use a good password with random uppercase and lowercase letters and at least one number. And for God's sakes, don't use the same password on MySpace that you use on your banking websites or any other websites where you do financial transactions (like eBay).
by AstralSin on 03-16-2008 in Security
The National Institute for Standards and Technology has a great online resource for learning about cryptography methodologies and algorithms. It covers everything from block ciphers to random number generation. A terrific resource for anyone learning about security systems and cryptographic mechanisms.
Link
by AstralSin on 03-16-2008 in Security
There is a great post over on Security Focus detailing the methods available to hackers to bypass your IDS systems and exploit your network. While many of the basic attacks this paper covers are already addressed with Snort rules (and other IDS systems), the methods can be made more elaborate to trick your IDS rules. As a security professional, it's important to understand how session splicing, fragmentation, and shellcode attacks take place and this paper underlines how each works (and a few more).
Read it Here
by AstralSin on 03-15-2008 in Security
OK, for some reason, the CRC Press let the University of Waterloo give away all the chapters in the Handbook of Applied Cryptography for free. You can still buy the book on Amazon for $85 though, so if you like the book and find it useful you should go pay for it so the author can get some cash.
This is a great resource for anyone curious about cryptography, especially those that intend on getting a career in information security. Subjects covered in the book include cryptographic mathematics, public key infrastructure, hash functions and data integrity, digital signatures and much more. Really interesting (and informative) stuff, I suggest you go check it out.