For the last little while, Christopher Soghoian has attempted to highlight the dangers of the zero-day exploit market. The basics are that some vulnerability researchers are selling exploits to make money, without vetting who the end user will be, and in some cases knowingly selling them to militaries (he phrases it as governments, but the implication is that they aren't using them for defence). Soghoian, as I read it, is trying to highlight this trade, and get some sort of legislation passed to regulate it. (A darker reading would make it seem that he has a more, aggressive agenda, but let's leave that aside for a moment.)

The worrying thing here is neatly summed up by Haroon: 

The scariest thing about you, is how certain you are that you are right. Regulation is a scary instrument

Today marks the 8th anniversary of my blog, and my official entry into infosec.

 When managing teams of "information workers", I believe the use of time sheets is indicative of a management failure. Here's why:

• If you have to rely on a timesheet to know what your staff are doing - you're doing it wrong
• If you can't trust your staff to work hard - you have problems a timesheet won't fix
  
• If you believe you have too many staff to manage - get more managers
• If you think anyone completes them accurately - you drank the kool aid
  
• If you think the time it takes to actually complete them accurately is worth it - you hate your staff
• If you manage your business from these inaccurate stats - you're making bad decisions
• If your senior people have PAs complete their timesheets for them - you're a hypocrite
  
• If you spent millions on a new timesheet system, but didn't make it any easier for the staff using the system - you just suck

Last night we lost power to all electrical outlets in our house. On checking the board, I saw that it was the earth leakage, which I was unable to turn back on. This is a story about AAA Electrical (also know as AAA Plumbing, or AAA Electrical or AAA Plumbing & Electrical), and how they tried to defraud me, and appeared to have done it to many others. Don't use them. If you need a reliable & honest electrician use:

Andrew: +27 82 443 7762

It seems my work on privacy has garnered some attention of late. Whether earned or not, I will be presenting at the Computer Security Institute's Virtual Conference CSIVX on the 28th of September. I will be on hand to answer questions, even though it will be some silly hour ZA time. This is technically the first "international" event I've ever "presented (see pre-recorded video for)" at, and it includes the likes of Ira Winkler, Amit Klein and Jeff Williams.

I'll also be presenting on privacy at IS' Internetix2010 conference in both Jozi & Cape Town. Internetix is a rocking conference organised by IS, and I'm chuffed to have been invited. It will be a nice chance to test the privacy stuff with a large non-sec crowd.

Next up, I'll also be presenting a workshop on Threat Modelling off the back of quite a lot of work we (my employer SensePost, and I) have done on it recently. If you want to get an idea of the content, have a look at the last set of slides. It's hosted by the ISF and will be held in Jozi on the 28th.

Finally, I'll most likely be giving the SensePost training at BlackHat Abu Dhabi in Nov. If we get over around 15 people I can justify someone smarter than me from SensePost joining us, so if you're keen for some training, please sign-up :)