I've received several good comments and questions on recent Blog posts. Here are my public replies, in case you've had the same thoughts as those who have emailed me at taosecurity at gmail dot com.
A gentleman from Dallas was reading my book and wondered if I'd seen this document on building your own network taps. I am very suspicious of such devices, for the reasons I outlined in a post to focus-ids in February. I recommend re-reading that post for details. If you can verify that the device is working and you use it over short distances, it's probably acceptable. If you haven't verified how well it sees and passes traffic, I recommend doing so soon.
In response to my post on the Source Code Club, an engineer from the Arctec Group had this to say:
"If we accept the arguments from the closed source community about their products being more secure due to lack of availability of source, then once the source becomes available [like the releases we have seen recently] we have the worst case from both scenarios. Source available to the attackers, but which has not been audited by the community and is not patchable except through the vendor.
If we take the view that the publicly reported sources available represent the tip of the iceberg, then there are even more risks to running software which is only patchable and audit by a single, centralized source."
I agree with this sentiment. Other reasons I prefer using open source includes the ability to see just how a program works, the chance to modify a program to suit my needs, and the fact that individual programmers are held personally accountable when CVS and other systems track their code check-in actions. (I believe this promotes higher-quality code as opposed to a closed binary with no one's name on it other than the vendor's.)
Finally, another Blog reader asks:
"Have you ever thought to create a ISO boot CD with Sguil and BSD? People are creating all sorts of these things and they are very popular/effective. One example is the NST project. Any chance you might do this, or encourage one of your fans to pursue this project?"
If I have fans, I'd love for one of them to work on this. :) Actually I created a live CD using FreeBSD 5.2.1 and FreeSBIE in July but it remained very "alpha." Now that FreeBSD 5.3 is out I will probably try again. The live CD I made had the Sguil 0.5.0 client and other NSM tools. I haven't tried putting a full sensor - server - database - client installation on a live CD as it isn't practical to run something like MySQL entirely from RAM. It might be ok for demos though.
The guys who make Helix have the Sguil client on their live CD. Also keep an eye on the Sguil downloads for future developments.
If anyone else is interested in helping out the Sguil on FreeBSD cause, I would appreciate having a mentor guide me through the process of creating a FreeBSD port. The task is complicated by the lack of proper releases of software like Incrtcl, since I have to check out their code from CVS to build a proper client. Patching of code from Snort and soon Barnyard is also required. Anyone with the skill or interest please email me at taosecurity at gmail dot com.
Thank you for your feedback!