Archive for April, 2009

23 Apr

The Ultimate Windows 7 Hack that wasn’t

Posted by: Joshbw in General Ramblings

The blogosphere is atwitter with news of an unfixable Windows 7 Hack being shown off at Hack in the Box by Vipin and Nitin Kumar. The exploit, VBootkit 2.0, sequel to VBootkit 1.0, is reasonably sophisticated. It boots off of removable media, reads the MBR, and then loads the OS, compromising OS files in memory to do all sorts of nefarious stuff. I haven’t found the whitepaper for 2.0 yet, but you can read the whitepaper for 1.0 here. 1.0 essentially targeted Vista, while 2.0 goes after Windows 7.

Now this is a pretty clever little exploit, but it isn’t an OS exploit. It targets one of the great maxims of computer security- if the system is compromised before your code runs, you cannot definitively restore integrity, or put another way, he whose code runs first wins. Windows code does not have an exploitable vulnerability, other than the assumption that the system booted securely, an assumption that *has* to be made. The Kumars deserve recognition for very effectively exploiting this assumption, but their actual attack vector is nothing novel.

We can continue to increase the pre-boot integrity controls and increase the sophistication necessary to access the machine, but physical access is still one of the easier ways to gain access to a box. That isn’t going to be a problem solved soon.

~ Joshbw

23 Apr

Quest for the Perfect Geek Bag Part 5: Ogio Metro

Posted by: Joshbw in Bags, Reviews

Ogio Metro

This is a wonderful bag. The price is a bit on the high end (though nowhere near a Timbuk2), but so is the bag. Right off the bat a number of things are noticeable about its design. The outer material is a fairly rugged cloth, but it has a plastic coating applied to the inside of the fabric to weatherproof it (good ol’ Scotch Guard will help even more). The zippers are similarly weatherproofed, as is the audio port to run a headphone cable through. The bag exudes compartments, with an externally accessible laptop compartment that is well padded and very easy to access (easily holds a 15″ or smaller machine, 17″ may be possible but check the dimensions), a side compartment for an umbrella on one side, and two smaller compartments on the other (I keep my travel mouse in one, and my Zune, DS, and phone chargers in the other), a nice compartment on the bottom that I use for power bricks, two pouches at the top that both have access to the audio port (one is for a CD player, the other a smaller MP3 player- I use the CD player pouch for sync cables and other miscellaneous stuff), a large compartment for books and the such, and a smaller front compartment for pens, steno pads, paperbacks, and other smaller things. This is a bag where organization is easy.

It is, however, huge. You can hold a lot of books in it, great for college students toting around many textbooks. I found the main compartment very accommodating for a second laptop in a sleeve, a computer book, and magazines. My wife now uses the bag and thoroughly pushes how much it can hold (she is a grad student, so has her laptop, her own textbooks, folders of student work and tests that need to be graded, stacks of scientific papers she is reviewing, a brick of a TI-86, etc). So far the bag has not been bested by her.

The shoulder straps are well padded and there is a sternum strap between them. After a good deal of heavy use (I bought mine while still at MS, so several years ago), the bag shows almost no wear. It may retail for around $80, but it will last you a good deal of time. There is a padded grab handle at the top, which makes it convenient to carry.

All in all I can find very little to complain about. Almost all of my criteria are met by this beast, however I did stop using it. It is a heck of a thing to complain about, but the bag is actually a bit too big for me personally. I travel enough, and it can be a tight fit if I have to put it under an airline seat (it will fit, but your legs won’t), though it will fit fine in most overhead bins. I don’t need all of the space it offers, so I end up with needless bulk. I suspect the smaller Ogio backpacks would be better for me.

Pros

  • Well made bag, great material, weatherproof, wear resistant, at a decent price
  • Compartments for all your gadget needs, clearly intended for the technophile
  • More room than you know what to do with
  • Comfortable

Cons

  • More room than you know what to do with
  • Drab colors

Conclusion – Grade: A

This is a great bag, but you likely should pick a model a bit smaller unless you *really* need all of the room- my two day hiking packs have fewer cubic inches of space. Other than the size, and drab colors that may not appeal to everyone, I have nothing bad to say about this bag. It is a great Geek bag, and you can find previous year models on eBags for $40 at closeout (though usually it’s because the color scheme is being cancelled, often with good reason).

~Joshbw

Thinkgeek Bag of Holding

This bag is true to its name. It holds a ton of stuff, a deceptively large quantity. The canvas build isn’t very bulky, so unfilled the bag seems pretty small, but the tiered compartment design allows you to put a whole lot into it. The name and front logo also give it some pretty big geek cred. The laptop compartment is reasonably padded and accessible independent of the other compartments, which makes it great for airline travel, and it easily held the Dell D820, a brick of a 15″ notebook (17″ might be a little snug). My current work laptop and personal laptop (14″ and 12″ respectively) are swallowed by the space, and there is more than enough room in the other compartments for me to carry a second laptop in a laptop sleeve.

After a year of use, build quality is holding up well. The canvas isn’t as resilient as the ballistic nylon or cordura that Timbuk2 uses, but with a couple cans of Scotch Guard it has held up well. It is a little disappointing that there aren’t protective flaps over the laptop zipper to keep moisture out, but pretty much the rest of the zippers are covered by the main flap. Unlike Timbuk2, the main flap isn’t the sole seal for the bag, with each compartment also having a zipper, except for the very front pouch that is held by velcro. This last bit always bothered me, because it only velcros in a small spot in the very center and I was always afraid of things jostling out along the edges. The main flap is closed by two snaps rather than clips, which makes it easier to open. I was a bit afraid they may wear out, but after a year they are holding up strong.

While there are several compartments, a lot of them spacious, there aren’t a lot of organization options for smaller electronics, which was a little surprising considering the demographic that shops at Thinkgeek. I can’t imagine I am the only one that carries a DS, MP3 player, cords, chargers, and other sundry electronics in the bag- I suspect much of the Thinkgeek staff does as well- so I feel like considerations should have been made in the bag’s design. I think if one was carrying a lot of large books (generously- textbooks, realistically- game books) this bag would be great.

The strap is pretty crummy. It holds up, but isn’t very padded. What drives me insane though, is how easily it becomes unadjusted. I am not a large person, so have it adjusted pretty small. Under moderate load it slips back into a larger size pretty easily, which is annoying. It also attaches to the bag with elongated D rings, which slip out of place and get twisted up very easily.

Pros:

  • Really is a bag of holding- it is deceptively spacious, but isn’t bulky
  • Not a bad price, though it is made of canvas
  • Holds up well to use
  • External access to laptop compartment

Cons

  • Spacious, but not organized. Smaller items will easily be swallowed by this behemoth
  • Strap sucks- it has no padding and constantly becomes unadjusted
  • Canvas is less weather resistant, though Scotch Guard can rectify this

Conclusion – Grade: A-

This was my primary bag for quite a while, and it came so close to being ideal. If it had better organization for smaller items and a better strap I would likely have settled on it. I could carry around just my laptop for the day and the bag seemed pretty small, but I could also cram two laptops, my other gizmos, and a couple of days clothes in it when traveling. The canvas didn’t really bother me, and it seems to hold up fine, and the price is hard to beat. Also, by its very name it is obviously targeted as a Geek bag.

~ Joshbw

Timbuk2 Messenger

The Timbuk2 laptop messenger is a high quality laptop messenger bag from the company that brought messenger bags into mass market appeal. The build quality is top notch, and the ability to customize the colors and fabrics is pretty appealing, but you will pay for both. It comes in three sizes to accommodate your laptop needs, with the largest size accommodating a 17″ MacBook Pro reasonably easily.

In general I think there are a lot of parallels with the Apple design philosophy- with this bag you are really paying for style and quality, but style trumps functionality. The bags hold a lot, but they focus on large, open compartments to capture the classic courier bag feel. It has a smaller front compartment with some pen organizers, and a couple small pouches, as well as a larger pouch in the main area, but mostly everything jumbles together. This is less than practical if you want to keep the bag organized with a multitude of stuff, such as I carry. It is easy to get into the bag, as it really just has one big flap that connects with clips, but as a result it doesn’t form any real seal. I found this very concerning with a laptop, especially when I commuted by foot in Pacific Northwest weather. Also, it would have been trivial to add a water bottle holder on the side, it practically begs for it, but alas, that wouldn’t capture the true courier feel so it is not present.

I could easily carry a second laptop in a laptop sleeve, and it would hold most everything I needed, but I sort of felt it was like my mother’s purse, with just a bunch of junk floating around needing to be dug out. I also resented that I had to pay extra for a strap pad, though it is pretty comfortable. If you customize a bag, it is pretty easy to end up with a $150 (or more) contraption. That said, the strap pouches for music players and cell phones, while also pricey, are pretty nice, and I have used them on multiple messengers and even a backpack that had a convenient place for them.

Pros

  • Well made, of high quality material
  • You can customize the bag and get just the look you want
  • Laptop padding is pretty effective
  • Holds a ton of crap

Cons

  • Pricey
  • Doesn’t offer a lot of organizational space for the gadget heavy
  • I worry about it keeping the elements out with its single flap design, even after using it for quite a while

Conclusion – Grade: B

If it was a bit cheaper I would rate it higher, and I dig the customization. You can get it a bit cheaper if you buy a premade one (especially if you buy it from a source other than Timbuk2 directly), but I think that really defeats the draw of Timbuk2 (get the bag exactly how you want it). I didn’t like how disorganized the bag was, but I did like the space it offered. I could carry everything pretty comfortably, even if the constant sense of chaos within it bothered me. If you want a high quality bag, built how you want it, don’t mind a bit of disorder, are willing to pay the price, and live in a place where you aren’t worried about being out in the elements, this is a good bag for you.

~ Joshbw

23 Apr

Quest for the Perfect Geek Bag Part 2: eBags Downloader

Posted by: Joshbw in Bags, Reviews

eBags Downloader

The eBags Downloader is a fairly cheap laptop backpack (you can regularly get it for less than $40 on sale) with two primary compartments, plus side pouches and a small additional pocket on the back. One of the side pouches can be used as a water bottle holder if left open. It has a small water resistant opening to allow headphones out of, and a lot of internal organization pouches. The laptop sits in the largest primary compartment and has padding on three sides. The back padding is reasonably comfortable. I managed to squeeze a 15″ Dell D820 into the laptop compartment but it fit really tightly against the top and had no padding on the upper portion. I’d recommend 14″ and smaller machines for this pack.

This is probably a good bag for a student who carries one or two text books with them plus a laptop. It does fill up very quickly though, and can be a bit uncomfortable when full. The audio holder can hold a portable CD player (are those still made?), but MP3 players slide around a lot in it. It worked for me on a day to day basis, but just wasn’t accommodating enough for travel with all of the stuff I carry. I was making a decent number of compromises, and the straps wore out pretty quickly with the load I usually carried.

This is definitely a “value” bag, where they tried to offer nice features, but cut corners doing so. The zippers are exposed, rather than having a small flap covering them, and aren’t great quality. The straps are entirely mediocre- some more padding and sturdier material would have been welcome, as would a sternum strap. It has some laptop padding, but not all around.

Pros

  • Very reasonably priced (eBags has it on sale fairly often for around $40, and you can get it for $30 at the right sale)
  • Offers a fair amount of organizational pockets within each compartment
  • Nice bright colors

Cons

  • Strap wore out after less than a year
  • Fills up quickly, and uncomfortable when full
  • Audio pouch allows too much movement of player
  • Questionable water resistance as a result of exposed zippers
  • Laptop holder doesn’t offer great padding, and is horrid if you need to get a laptop out at security gates.

Conclusion – Grade: C

You get what you pay for. This bag will last you a while, but isn’t a bag for the long haul. It is cheap, but you can see where they kept the price down. It offers some organization, but certainly doesn’t meet my needs. I’d recommend the bag for teenagers who are going to want another bag next year just because anyway. That said, if you can find it for $30, it’s worth $30.

~ Joshbw

23 Apr

Quest for the perfect Geek Bag Part 1: Criteria

Posted by: Joshbw in Bags, Reviews

For years I have been on a quest to find the perfect Geek Bag to haul all of my crap around in, whether I am heading out to visit friends, running down to the local coffee shop, commuting into work, or suffering the tedium of airline travel. I have looked high and low for the perfect catch all bag, the irony being that in my search I have acquired more bags than if I purchased separate bags for specific use scenarios. Much like gadgets, all in one solutions may seem attractive, but rarely excel at any purpose, a lesson I seem to keep in mind with gadgets but refuse to acknowledge with bags. The reason, I suppose, is because I hate transferring stuff from one bag to another, so switching back and forth between bags isn’t practical (nor is just having duplicates in each bag practical with the level of crap I carry).

So in a multi-part series, not at all related to my security ramblings, I shall outline my quest and what I have thought about each bag along the way. To begin with, I will talk a bit about my usage scenarios, so that my particular opinion is understandable. To put it bluntly, my bag is the dream for would-be muggers, though I myself am not (having lived in some bad places I am one of those people who habitually notices the movement of everyone around me and can spot threats fairly easily). At any point I am carrying at least one laptop, either my work laptop or my personal one, and oftentimes I am carrying both, especially if traveling. Fortunately both of my laptops are rather small, as I prefer machines I can actually open up on planes with the whopping 12″ of total space they give you between your seat and the seat in front of you (do you know how much of a pain in the ass it is to find small laptops with good resolutions and decent hardware?). Along with the laptops come their associated power supplies (fortunately also pretty small), a wireless Microsoft travel mouse (death to touchpads, death to mouse nubs), a USB flash drive, and a Micro -> mini -> full SD adapter. Also, my personal laptop is a tablet, so I carry a spare stylus for it.

On top of that I have my Zune, plus the associated premium headphones (it’s nice that MS actually includes decent headphones for free), and syncing cable, as well as a 12″ 1/8″ to 1/8″ cable so I can use it with the aux jack in my car or in rental cars. I have my cell phone (at the moment an HTC Touch), sync cable, and charger. I have my Nintendo DS, games, and power adapter. Plus miscellaneous pens, some pain killers (my knee and back used to kill me on plane flights as a result of a car wreck, but surgery actually worked), usually the most recent issues of some combination of Discover, Scientific American, or Smithsonian magazine, possibly a computer book that I am reading (though I try to get ones that come with eBooks on a companion CD so I can just read them on my tablet PC), keys to my storage unit and desks (I don’t like them on my primary key chain, but also don’t want to forget them), and a novel (though I will soon get a Kindle to save space).

So I have a ton of crap, and holding it can be a challenge, especially if I want to maintain any semblance of order in the bag. Moreover, as I used to fly often, and now do so again, it is important that I can get my laptops out quickly while going through security, while still having padding for them, and it is also important that the bag doesn’t take up *too* much space, since tiny little commuter planes are my most common ride out of the hell hole I live in now (here is your 4 cubic inches of overhead space sir, unfortunately someone else is infringing on it because they bought three body bags on the plane and we didn’t speak up).

Various leather (or pleather), formal looking business bags are right out. I’m not a business type so I don’t care for the look, but moreover the bags are rarely designed for ergonomic comfort, and take up a constant amount of space no matter how full they are. If I am carrying less stuff I like a bag that can compress down a bit. I tend to bounce back and forth between backpacks and messengers. Backpacks are more comfortable when loaded up with a decent amount of weight, but are more bulky in general. A backpack with crappy straps is usually still tolerable, while a messenger lives and dies by the quality of its strap. The benefit to a messenger strap is that it can be loaded up with various gadget holders, bandolier style, and allow for them to be more accessible (Timbuk2 makes pretty good strap pouches that mount on messenger straps), though at the cost of also making them more exposed.

I am unopposed to walking, and especially if I am visiting the office in Chicago I will forgo a rental car and just travel on foot and commuter rail, so I do prefer a bag I can comfortably carry for a decent period of time, and water resistant in case I am caught in the rain. So in short I want a bag that can hold a lot, but has a compact footprint and allows for easy organization; a bag that allows easy access to possibly two laptops, while also offering padding; a bag that is comfortable and waterproof; and a bag that will hold up to continual abuse. Is that asking for too much? We shall see.

~ Joshbw

22 Apr

Go bid on Stuff

Posted by: Joshbw in Uncategorized

Johnny Long has a great auction of stuff available for his I Hack Charities organization. There is some good stuff, and it is a good cause.

- Joshbw

22 Apr

On CAPTCHAs

Posted by: Joshbw in General Ramblings

RSnake has a post on Google’s new image orientation test to detect humans (or computers, depending on your point of view), and quite correctly he points out that it is simply a probability game to break it. When it comes down to it, I don’t think we can definitively tell a computer and human apart with a specific cognition test, as it is just a matter of time before computational power and algorithmic cleverness solve that cognitive test. However I also believe we are thinking about CAPTCHAs the wrong way- we shouldn’t try to identify an automated script but rather we should make it too expensive for the script to be practical. Encryption can be broken with sufficient time; it is technically possible to just brute force AES 256, but this doesn’t deter its use. We know its problem space and work factor are sufficiently large to make brute forcing computationally impractical even if technically possible. The same principles should apply to the design of a CAPTCHA test, though it has many more constraining factors (it must be complex and hard for a computer, but easy for a human, and take into account human disabilities, etc).

So when new CAPTCHA techniques come out we shouldn’t immediately lambast them simply because they don’t provide the definitive test to distinguish a computer adversary, but ask whether they sufficiently increase the work factor. If they do, the spammers and other folks are going to opt to exploit a competing service with a lower work factor, because it will increase their throughput and arguably make them more money. In the specific instance of Google’s new proposal it would seem to reduce the work factor if one was simply guessing, since the chances of guessing the image orientation are much higher than a random 8 digit alphanumeric string, however with the advances in OCR techniques most alphanumeric CAPTCHAs are being analyzed rather than guessed (the success rate seems to change daily, so I don’t know how that compares to guessing the image). The real question is whether it is easier, faster, and more reliable to analyze the images and determine which way is upright, and I think that is entirely dependent on the images chosen as well as whether a correctly oriented comparison image can be obtained (which would make the analysis pretty easy) or if it had to be algorithmically determined without comparison (which may be hard). In the examples given, I think the gum ball machine and guitar are poor choices for images, since there is an easy linear line that can be used to determine orientation, probably with slightly better than 25% accuracy, since the line will either point up, down, left, or right, and the “weight” or proportions would allow for an educated guess on whether vertical or horizontal orientation is more likely. The more complex the picture, with fewer clues towards orientation, the better.
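As an added illustration of the work-factor argument above (this is not code from the original post), the Python below computes how likely a bot is to pass a set of orientation images at a given per-image accuracy (0.25 for pure guessing, higher to model the line-based heuristic the post mentions), compares that with guessing an 8-character alphanumeric CAPTCHA, and works out how many images are needed before the orientation test is at least as hard. The 0.35 heuristic accuracy and 0.3 OCR success rate used in the demo are constructed assumptions, not measurements.

```python
"""Work-factor comparison: orientation-image CAPTCHA vs. alphanumeric CAPTCHA.

Added illustration for the post above. Per-image accuracies and the OCR
success rate used below are constructed assumptions, not measured values.
"""
import math

ORIENTATIONS = 4        # upright, or rotated 90 / 180 / 270 degrees
ALNUM_SYMBOLS = 36      # case-insensitive letters plus digits
TEXT_LENGTH = 8         # the "8 digit alphanumeric string" from the post


def pass_probability(per_image: float, images: int) -> float:
    """Probability a bot passes a test of `images` independent orientation
    images when it classifies each one correctly with probability `per_image`.
    1/ORIENTATIONS (0.25) is pure guessing; a higher value models a heuristic
    such as the 'linear line' cue the post describes."""
    if not 0.0 < per_image <= 1.0 or images < 1:
        raise ValueError("per_image must be in (0, 1] and images >= 1")
    return per_image ** images


def expected_attempts(pass_prob: float) -> float:
    """Expected number of submissions until the first pass (geometric trial)."""
    if not 0.0 < pass_prob <= 1.0:
        raise ValueError("pass_prob must be in (0, 1]")
    return 1.0 / pass_prob


def text_guess_probability(symbols: int = ALNUM_SYMBOLS,
                           length: int = TEXT_LENGTH) -> float:
    """Chance of guessing one random alphanumeric CAPTCHA string outright."""
    return symbols ** -length


def images_to_match_text(per_image: float, text_pass_prob: float) -> int:
    """Smallest number of orientation images whose pass probability is no
    higher than `text_pass_prob`, i.e. at least the same work factor.
    Solves per_image ** n <= text_pass_prob for n."""
    if not 0.0 < per_image < 1.0:
        raise ValueError("a classifier that is always right cannot be matched")
    if not 0.0 < text_pass_prob <= 1.0:
        raise ValueError("text_pass_prob must be in (0, 1]")
    # Both logs are negative, so the ratio is positive.
    return math.ceil(math.log(text_pass_prob) / math.log(per_image))


def compare(images: int, bot_accuracy: float, ocr_success: float) -> dict:
    """Side-by-side work factor for an orientation test of `images` pictures
    against an alphanumeric CAPTCHA that is either guessed or read by OCR
    with per-attempt success `ocr_success`."""
    image_pass = pass_probability(bot_accuracy, images)
    text_guess = text_guess_probability()
    return {
        "image_pass_prob": image_pass,
        "image_attempts": expected_attempts(image_pass),
        "text_guess_attempts": expected_attempts(text_guess),
        "text_ocr_attempts": expected_attempts(ocr_success),
        "images_to_match_text_guessing": images_to_match_text(bot_accuracy, text_guess),
        "images_to_match_text_ocr": images_to_match_text(bot_accuracy, ocr_success),
    }


if __name__ == "__main__":
    # Constructed scenario: three images, a heuristic that is right 35% of the
    # time (a bit better than the 25% of guessing), and OCR that reads the
    # text CAPTCHA correctly 30% of the time.
    for key, value in compare(3, 0.35, 0.3).items():
        print(f"{key:32s} {value:.6g}")
```

Raising the per-image accuracy from 0.25 toward 0.35 is what the post's "easy linear line" worry amounts to: the same number of images buys far fewer expected attempts from the attacker.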

Personally, though, I like the MSR pet finder CAPTCHA. It may be easier to break, but I think it serves a noble secondary purpose.

~ Joshbw

16 Apr

Bad Practices #412

Posted by: Joshbw in Uncategorized

Dear Web Developers,

It’s not kosher to request login information for other websites. Both LinkedIn and Facebook are guilty of asking for your various email credentials so they can harvest your address list under the guise of “making it easier to find your friends” and they are by no means unique in this practice. Doing so does two things- first it makes users accustomed to disclosing credentials to websites unrelated to the site the credentials correspond to. Phishing is a huge issue, folks, and we have a hard enough time just getting users to be aware that they really are on their bank website. About the last thing we want is to water down that message and get them accustomed to providing that information on sites they clearly see aren’t the site corresponding to the credentials. Unless you move to two factor authentication the only real way to protect against phishing is user education and training, and this practice completely torpedoes that effort.

The other issue is that you are introducing another link into an already vulnerable chain. Not only does Google have to worry about the Gmail credentials being properly handled on their site (only sent over SSL, hashed in the database, no SQL injection to disclose them, etc), but they now have to worry about how your site secures those credentials (I bet you aren’t hashing the values, since you need to use them outside your system) and they really have no control over it.

So please, quit asking for credentials to other sites- don’t do what attackers do, otherwise you don’t give people an easy way to distinguish between the two.

~ Joshbw

2 Apr

Disagree with the Concept or Implementation

Posted by: Joshbw in Uncategorized

Jeremiah Grossman asks a series of questions on his blog trying to determine if we disagree with the concept or implementation of WAFs, Certifications, Trust Logos, and Compliance Regulations, so I will indulge the questions.

For WAFs I agree with a certain concept of them. I believe they are bandaids rather than solutions, but that bandaids have their place. The solution is to fix the code and ultimately the robustness of the code is the only real defense for a website. However a problem can be fixed *immediately* with a WAF- a good SDLC would require time for the code to be changed. A root cause of the problem should be analyzed and the application should be inspected for related problems (very likely if the bug got into the code once, it got in more than once). The changes should be thoroughly tested to ensure that functionality is not jeopardized, that the fix works, and that different problems were not introduced. A proper change control process should manage the deployment of the fix. In short, I believe that even if resources can be thrown at the problem immediately, it does not follow that the fix would likewise be immediate. (Tangent- I believe that Firefox is too aggressive on their patch to market strategy and likely takes shortcuts that they shouldn’t. I think it better to fix something right than fast, but I am not certain that Firefox agrees.) Web App Firewalls allow an interim fix to be put in place between disclosure and a coded solution, and in reality not many organizations can throw immediate resources on the volume of issues that they have. WAFs also offer a bit of defense in depth, which isn’t a bad thing. So long as people focus on that conceptualization of a WAF I think things are fine- my issue is when they are treated as a solution in and of themselves, at which point their limitations will be apparent. A WAF is a generalized appliance, not a specialized solution for a specific site (even with good rules). It doesn’t understand business context and so won’t catch things like unauthorized or unintended access.

Professional Certifications I believe serve little point. Their implementations are almost entirely horrible and conceptually there is no certification that says that I will be successful for a given role in a specific organization. They are a decent marketing gimmick to put on a resume to get a bit of attention, and organizations may enjoy advertising how many CISSPs they have to assure clients, but ultimately I will not trust a third party organization in place of my own impressions. When I look at the resume of a candidate I am going to look at what experience is listed to narrow down the folks I want to talk to, and then I am going to probe their knowledge to make sure that it satisfies the needs of my organization. Since that is my inclination when looking for coworkers for my own group, I put absolutely no stock in the number of certifications in outside orgs that I might engage with.

Website Trust Logos are horribly implemented- I can’t think of a single logo peddler who I believe does a sufficient job of assessing a website (except for PCI Scanless, which is one of the few logos that does *exactly* what it claims to). I will let you in on a little secret though, since I don’t see great harm in it. I have a pair of ADT security placards outside of my home, but no security system installed. If a would-be thief is going down my block he is going to see the signs in front of my house, with the possibility of an alarm system backing it up, and opt to hit my neighbor that has no visible security system advertised. It is an entirely deterrent based approach, and while worthless if anyone calls my bluff, the bluff in and of itself is not without utility. I see the various logos as something similar. At the end of the day there is nothing backing them up (and even if they weren’t utterly terrible, in order to make them at all cost effective they aren’t going to be anywhere near as thorough as a proper pen test) but if I have to choose between two otherwise equivalent websites to break into, I am going after the one that didn’t bother to even get the logo. Also, consumers don’t know any better, so it is a cheap way to get them to trust you.

And compliance regulations vary in the effectiveness of the implementations, but I don’t disagree with the concept. My view on regulations in general is that they are a way of mandating certain things that are societally beneficial, but not necessarily beneficial to the bottom line of a company. As such, left to capitalistic pressures in a vacuum, those things would never happen (or only happen in companies not completely governed by the bottom line). For example, from an economic standpoint it is cheapest for a company to just dump pollutants in a nearby stream rather than properly dispose of them most of the time (depending on the economic power of the locale, and how likely it is for serious legal threats to originate out of the action)- see mountain top removal mining for just such a mentality in action. Thus the government needs to impose regulations to ensure that societal wellbeing is also taken into account. Conceptually I see nothing wrong with the interests of individual entities and the interests of the society being balanced by regulation- that is an optimal solution to natural trends in pure capitalism that allows for most of the efficiency of the system while managing some of the drawbacks.

The flaws arrive in the actual implementation of the regulations. If implemented poorly they can prove to be too much of a burden, overly hard to implement or understand, not fully effective, or as is usually the case, all three. PCI is a great example of this- Heartland was a nice and shiny gold partner, following the regulations, and it did absolutely nothing that actually stopped the disclosure of card information. At the same time, the overly specific nature of PCI means it has to be constantly revised, that more secure solutions can technically be non-compliant, and that it is a huge burden to understand and implement the mandates. The whole thing would be much better off if it said that systems and communication channels that deal with card information must have both confidentiality and integrity maintained, followed with recommended baseline guidelines. Rather than check the controls in place, the QSA simply checks to see if they can extract card information. The problem is that PCI is too focused on checklists and not at all focused on what it actually hopes to achieve, so its implementation is pretty worthless.

Regulations only work if they are clear, their restrictions are reasonable, and if they are focused on ensuring *a* solution to the problem, rather than *one* solution to the problem. If I had to choose between my bank information being stored on an encrypted drive in a generally open data center with questionable asset disposal programs, or plain text in a data center with detailed background checks for all employees, strictly enforced physical controls that limit access to the box, and a thorough and consistently applied asset disposal program, I am going to choose the latter because that organization has a clear intent on security, rather than on meeting a checkmark on a list. (Ideally I would want the latter with an encrypted drive.) I think most security regulations lose focus on this.

~ Joshbw