For that non-believer: My postcard from the Soviet Space Station MIR

This is a “QSL” card which is typically used to confirm that a communication has taken place over Amateur Radio frequencies.  I connected to the space station using my home PC (386SX I think), a device called a Terminal Node Controller (a sort-of modem), a Yaesu VHF radio running 45 watts, and an old modified fire department antenna on my roof.  The protocol was AX.25 at 1200 baud.


Posted via email from ken5m1th

A coffee cup with a felt handle, seen at #starbucks

NH Motor Speedway Panoramic from Sylvania300 #NASCAR

Panoramic of the New Hampshire Motor Speedway on September 19 at the Sylvania 300. Photos and photo stitching by Matt Francis (my brother-in-law).

Ok, car thermometer says it's still summer

Yeah, that's 90F.

Another HDR experiment, Sunset at NH Motor Speedway #NASCAR

Sunset at NH Motor Speedway in HDR. Taken with iPhone 3GS using the Pro HDR app.

It's worldwide day of play on Nickelodeon till 3 today

No programming, get the heck outside and play!

Three wheel NE Patriots vehicle 'CHEEZ' spotted at Revere Beach #patriots

I just saw this at Revere Beach in Revere MA.

"What would my QSA say?" - Why this is the wrong question to ask yourself #pcidss

Many aim to please their QSA and get "approval" (the use of that word is a topic for another post) of things like compensating controls.  When something comes up that requires some real thought as to whether it meets the expectations of PCI DSS, they ask themselves this question:

"What would my QSA say?"

The question you should be seeking the answer to is quite a bit longer: [warning run-on sentence]

"What would a team of QSAs who know nothing about my business or my environment, who have just been sent in by the card brands and are working elbow to elbow with a forensics team because we have just had a breach, say about this?"

HDR photography with the iPhone, some examples

This first image (of the North End in Boston) was taken with the normal iPhone camera application.

This next image was taken using Pro HDR for the iPhone.

As you can see it does improve the image, brightening up the dark (underexposed) areas, while equalizing the bright (overexposed) areas so that you get the detail you are looking for. The HDR process takes two images, so you may see things like the same car in two different places. Something to be aware of.

This is a very basic example of HDR, and the image was created with software that runs on the iPhone.  This software only takes two images, one underexposed and one overexposed.  Most HDR pros take at least 3 images.  You can do some pretty amazing things with a real camera and some real image editing software or HDR software.  For some amazing images, take a look at this Google Search for HDR Images.

Rules of thumb for determining if entity is a Service Provider #pcidss

It's sometimes very difficult to determine who qualifies as a "Service Provider" according to the payment card companies, especially when you are talking about complex third-party relationships in which payment card information might be exchanged.

After some in-depth research I did on this topic, and conversations with an acquirer, I put together these two rules of thumb. These have helped me to understand where the card brands are coming from in their determination of service providers.

  • If the organization takes orders for a third-party firm and then passes on payment information to that third party, and that third party uses its own merchant ID to process the transaction, then the organization is probably a 'service provider' according to card brand rules.
  • If the organization acts as a repository for payment card information and a third party obtains this information from the organization in order to process transactions using its own merchant ID, then the organization is probably a 'service provider' according to card brand rules.

These are, of course, rules of thumb and not the actual rules of classification. For formal guidance and requirements for Service Providers, you may find these helpful.

Boston Application Security Conference: OWASP One Day Conference Nov 20 (free) #owasp <~Just Registered

I will be attending this event, thought you might be interested… KEN

The Boston chapter of OWASP (Open Web Application Security Project) is holding a free, one day informal conference on web application security on Saturday Nov. 20, 2010 at Microsoft New England Research and Development Center, Cambridge, MA. The conference is intended for both people new to web application security and those experienced in web application security. You can find out more at

You can register at

If you would like to submit a paper, see the instructions at

There will be 2 tracks: Basic Web Application Security and Advanced / New Research in Web Application Security.

Each track will have 50 minute presentations. There will be a 30 minute keynote.  The conference is intended for both people new to web application security and those experienced in web application security.

And registration is now open at

We need people to register so we can judge the food order as well as make sure we do not exceed the allowable room capacity.

"Starting a business is easy" A few things I took away with me from MIT Startup Bootcamp #sb2010

A few of the takeaways from the MIT Startup Bootcamp I attended on Saturday September 11 at the Kresge Auditorium.  There were all kinds of lessons within the speakers’ presentations.  I’ll write up more on that later.  For now these were some of the obvious ones:

Starting a business is easy

Growing a business is hard

Recruit only A-players, because:

- A-players “recruit” A-players
- B-players hire C-players
- C-players hire D-players

Three things that cause startups to fail (I made these the three F’s to remember them easily):

- Founder’s ego
- Focus strays
- Funding, lack thereof

Don't SUQ at doing your SAQ

The PCI DSS Self-Assessment Questionnaire, or SAQ, is supposed to be a fairly simple way to report on your organization’s compliance with the PCI DSS requirements.  For those of us that have been working in PCI for a while, completing an SAQ is a simple task.  Comparing an organization to the complete PCI DSS requirements is another thing entirely and can be fairly complex.  But for people that have not been exposed to PCI, even completing an SAQ accurately can be daunting.

There are a few different types of SAQ, each aimed at specific organizations based on their total number of annual transactions.  The questions are high level and more basic than those in the full PCI DSS requirements, and they aim to confirm that the organization is following what’s prescribed in the 12 sections of the full standard without requiring that all organizations perform an audit against the entire PCI DSS requirements.

Having helped many organizations with their security and compliance initiatives, I have seen many SAQs that were not completed accurately.  There are a lot of bogus SAQs floating around out there.  Here are some tell-tale signs that your SAQ probably SUQs.

  • You have no idea what a DMZ is, but you watched someone set up DNS once and figured you must have one.  So you answered Yes to the questions in section 1.3
  • Your whole encryption key management process is ... a guy.  And you figure that since he’s pretty brilliant you can answer Yes to all the questions in section 3.6
  • It took less than a day to complete your SAQ Form D
  • The very first time the organization completed an SAQ it scored all Yes’s
  • Your SAQ is signed by the person who fixes the printers at your organization
  • You answered Yes to everything because your POS vendor told you they are "PCI compliant"
  • For all you know OWASP could be a bug spray, but you still answered Yes to the questions in section 6.5

If you don't truly understand the questions, then you shouldn't be completing the SAQ yourself.  Do yourself, your customers, your company, and the rest of the world a favor.  Hire some outside help.

Finally, your organization should be performing a gap assessment using the latest version of the full PCI DSS as your guide, not just the SAQ.  The SAQ is really a document for you to attest to compliance.  In my next post I’ll talk about how passing the SAQ shouldn't be your goal.