Slashdot Mirror


User: bingbong

bingbong's activity in the archive.

Stories: 0
Comments: 59

Comments · 59

  1. Re:Precious Snowflakes on Narcissistic College Graduates In the Workplace? · · Score: 1, Flamebait

    While you're spending all your time in front of the keyboard becoming a non-provable top 5% (busy work is boring to you - but grades are important to employers), prob the rest of the class are out drinking, having fun and getting laid.

    And by laid, I mean with actual 3d live humans who don't ask for a credit card number before they talk to you.

  2. Re:Yelp bends over to restauranteurs already on Restauranteurs Say Yelp Uses Extortion To Ply Ad Sales · · Score: 1

    Anyone else have this experience?

    Of spending Valentine's day with a female? No, sorry...

    Well, I did.

    But her avatar kept asking for my credit card number.

  3. 12 years late and a few dollars short... on Cisco Launches Alliance For the 'Internet of Things' · · Score: 1

    This seems like a rehash of Prof Yvo Desmedt's Things that Think project from MIT's media lab.

    They have been focusing on the security and privacy impact of networked / intelligent devices since the mid 90s.

    Hopefully these guys will be included (there's no mention of them in the article) as they've already looked at a lot of the key problems and solutions.

  4. the secret to happiness is to find value in value on Are IT Security Professionals Less Happy? · · Score: 4, Interesting

    I've been working in IT security for almost 13 years now - I started back in the days when were said, "what's a firewall and why do I need it?"

    I largely work as an independent consultant, and I have worked in banking, defense, fed gov't and the live-like-a-rockstar-dot-com-days.

    I have to say that my overall sense of fulfillment at work has been rather low. Spending a decade telling people 'no' or 'how to do it better' - especially when they don't really understand that you're trying to help them, or they don't understand that there are actual threats - is really frustrating.

    Working on endless IT projects, for clueless management, unappreciative end users only to have the project canceled (don't 80% of all IT projects fail?) leaves me with no real sense of accomplishment and meaning.

    To mitigate this, I joined the local volunteer fire dept. Nothing beats a day in the cube more than rolling down the road lights and sirens or actually bringing someone back to life.

    pax

  5. Switch from TCP/IP to CP/IP on Satellite Internet Providers · · Score: 2, Funny

    Use CP/IP (RFC 1149).

    You'll get great bandwidth, especially during migratory seasons.

  6. The DoD culture is very anti-OSS on DoD Study Urges OSS Adoption · · Score: 5, Interesting

    I worked as a defense contractor for the Office of the Secretary of Defense (OSD) at the Pentagon for a few years. I put together a proposal for a global kiosk system of 2000+ systems that would have had a hardened linux distro (which one isn't the point) as the underlying OS for the kiosk. This system would have booted into the application (a Java app) and the users would never see the OS. It was particularly tricky as the kiosks were to be deployed at DoD facilities world-wide (OCONUS in govvie-speak), and needed to be managed from a few key sites in the US (CONUS).

    The Gov't agreed that the solution was more secure, easier to manage and would save a few million $USD (in additional management, security and helpdesk costs) but they instead chose to go with Windows Server 2003 because of "look and feel." Remember, the users never saw the underlying OS!

    To me this said that they weren't really open to any other options, their minds were already made up and that OSS is still largely untrusted by the neck-tie community. I still have the minutes from the meeting as a souvenir.

  7. new implementation of an old idea on A Move to Secure Data by Scattering the Pieces · · Score: 3, Informative

    Ross Anderson of the Computer Security Group at Cambridge University wrote a paper called the Eternity Service. It has had a few different attempts at implementation, as well as some reworks in terms of design. The primary difference is in the Eternity Service - you had no idea what data you had, nor did you have access to the keys. This new concept/design seems to provide more control/granularity for the user. Given the new proposed encryption laws in the UK, I'm not sure this is a good idea.

  8. Re:No respect, no computer. on Dealing With The Always-Breaking Family PC? · · Score: 1

    I had the same issue with my Grandmother and Mother. They were both running infested versions of Windows and my cousin (an avid Mac user) and I (a Linux user) finally decided to put them both running linux.

    We got them both set up on FC2, and they're still running it. My Grandmother now uses her Linux machine as 'bragging rights' in the blue-hair community and mocks all of her friends who use windows when they have problems.

    It also came in handy when I was proposing a linux based solution (immunix) to a DoD client I was working with a couple of years ago. They didn't want to use Linux because "it is beyond our technical means." I replied that if my 70+ year old grandmother can run Linux they could too. I even suggested they offer her a job.

    It didn't go over well.

    Basically you need to do a cost benefit analysis. What's your time worth? What's it worth to your sister? Go from there.

  9. The real problem... on The Failure of Information Security · · Score: 2, Interesting

    It is all too easy to point the finger. The 'vulnerabilities' listed are in fact many tiered and go back to the founding of the 'internet.'

    It is affected by all the layers of the 'net

    Transport:

    Remember that the net was designed to be an alternate method of communication for the US Defense Dept in the event of a nuclear conflict. This means it was designed with the (then quite valid) assumption that all those connected were 'trusted' as it was an entirely closed system.

    OS Architecture:

    Consider that the number one (in terms of number of users) OS company didn't consider security as part of their OS architecture until their 2000 release. Even then it was limited by the 'need' for backwards compatibility with previous systems.

    Application Code:

    Ever notice that the SDLC doesn't have any security concepts as part of it? While there are now methodologies (such as CLASP) that help introduce security into the dev process, we still have a culture that is blissfully uninterested in security. A lot of developers have no idea what race conditions or overflows are - much less how to prevent their occurrence.

    Management Layer:

    Product managers only care about getting something 'shippable' out the door by their magical ship date. Bugs and such can be fixed 'later.' Most suits only started caring about security (other than as a marketing tool) when their firms started getting slammed in the mainstream media and it started to affect the value of their stock options.

    End users:

    While we absolutely have to have pity for grandma who just bought her new computer, somehow people shut their brains down when they get in front of the monitor. If someone walked up to you in the street and said 'hey - give me your bank account information so i can wire you some money from my country and you get to keep some' they would call the police. But when it's in an email...

    Media:

    The media has had some good benefits in terms of making security an issue, but they are also good at causing the management teams to focus their energies on the wrong problems. Remember a few years back when the DDoS attacks started happening? The news reported that the big content providers were getting hammered. The real story at the time was the botnet that launched the attack. Botnets are in the media now - but a couple years too late.

    Basically there is no one person or group to blame. The entire system is fundamentally flawed on all the levels, and the results are cumulative.

  10. I'm just waiting for... on Microsoft's Bold Patent Move · · Score: 1

    Microsoft to patent the chair to keyboard interface.

  11. Re:After RTFA... on Games Made Me Do It Defense Didn't Work · · Score: 1

    So are they going to sue McDonald's as well - it's rumoured he had a Big Mac the day before.

  12. It'll be in the EULA soon enough on Microsoft Denies Claria got Spyware Exception · · Score: 1

    It's a matter of time before the EULA has something along the lines of:

    "By using this software, the User agrees to have all his/her traffic monitored, logged for the purposes of marketing you stuff we believe you can't live without.

    Any effort to remove the Claria software from your system will result in a personal visit from some Really Big Guys who will have a Quiet Talk With You Out Back"

  13. And let's not forget.. on Inventor of Proxy Firewall Blames Hackers · · Score: 1

    the foreign intelligence services and other spy types that are interested... oh and the Chinese Cyber Warriors... Oh - Organized crime is on the rampage such that the Feds miss old fashioned hackers. And Spammer botnets, and so on. Yep, way to blame those poor Stereotypical H4x0rz to get your name in the press yet again.

  14. It's not about monitoring everything... on "Dark Alleys" on the Internet · · Score: 1

    Consider that the FBI and other 3 letter agencies have compiled extensive watch lists of people they consider to be "national security threats."

    Further, under the powers of the Patriot Act, as well as other FCC regulations, LEOs (law enforcement organizations) have a selective group of people to target. All they have to do is monitor your ISP/Cell/Home Phone lines. Any communications that you have that cause red flags will then cause other people to be added to their lists and so on.

    The way these models work is to have a basic monitoring in place of probable targets, and then step it up if anything 'suspicious' occurs.

    ---
    "become a government informant, spy on your friends and family - fabulous prizes to be won" Red Dwarf "Back to Reality"

  15. Two Sales? on Trekkies Director Roger Nygard Answers · · Score: 1

    Did someone have their personality split in a malfunctioning transporter?

    gee, you'd think the nice fatcatman would buy a copy at least.

  16. reversefirewall? isn't that just a proper firewall on Reverse Firewalls As An Anti-Spam Tool · · Score: 1

    i've always held that a good firewall ruleset should have an 'east german borderguard' type mentality. all traffic going in and out on either side is suspect of being bad things.

    all the concept of 'reverse firewall' does is demonstrate how inadequate and inappropriately named the 'built-in' firewalls that come on cable/dsl router/modems are.

  17. Another thing we need is good metrics on Missing Open Source Security Tools? · · Score: 1

    a good metrics tool that can show the PHBs in semi-real time the security posture of their enterprise would be a good thing. it would also help identify weak areas, good areas, and actually quantify the money spent in IT security.

    dr martin carmichael's doctoral thesis proposed a method to do this, but alas i cannot find a link.

  18. A great open source database scanner... on Missing Open Source Security Tools? · · Score: 1

    www.metacoretex.com has easily the best database scanner out there. (no offense mr Klaus). It's fully modular and written in java - so you can run it anywhere.

    to the best of my knowledge, it is the only db scanner tool out there.

    (and yes it's a bit of a plug cause i know the guy who wrote it - but it still smokes...)

  19. Giving false names to police... on U.S. Supreme Court: Public Anonymity No Right · · Score: 1

    Actually, in California giving a false name is a felony - it's very similar in other states...

    Basically it's 'obstruction of justice' and sections 1510 and 1511 are almost equally applicable (depending on whether or not you really are a suspect of a crime).

  20. Um.. on Build A Darknet To Capture Naughty Traffic · · Score: 1

    How is this different than what Lance and the Honeynet ( http://project.honeynet.org ) team are doing?

  21. Hope they do better than the US Navy did with NT on Swedish Carbon-Fiber Stealth Ship Runs NT · · Score: 5, Interesting

    Back in May 1997, the US fitted the USS YORKTOWN (http://www.yorktown.navy.mil/) with NT and it had disastrous results (http://www.gcn.com/archives/gcn/1998/july13/cov2.htm). The ship went DIW (dead in the water) for a few hours. This is the worst case scenario for any ship's captain (and their career)...

    Guess it took this long to work out the bugs... Not bad - only 7 years!

  22. stealth on NT... on Swedish Carbon-Fiber Stealth Ship Runs NT · · Score: 0, Redundant

    better watch out for those NBT broadcasts....

  23. Actually Canada already had a "War on Terror" on Corporate Work in the US vs. Canada? · · Score: 1

    During the October Crisis in 1970 in Canada the FLQ (Front de Libération du Québec) ( http://en.wikipedia.org/wiki/FLQ ) terrorist group kidnapped two public officials in Quebec ( http://www.bonjourquebec.com/anglais/ ) and murdered one, and Prime Minister Pierre Trudeau ( http://www.clevernet.on.ca/pierre_trudeau/ ) invoked the War Measures Act ( http://www.nationmaster.com/encyclopedia/War-Measures-Act ) suspending civil liberties.

    In fact, the Canadian Government ( http://canada.gc.ca/ ) was worried that the FLQ wanted to steal nuclear weapons ( http://tinyurl.com/3ysev ). So the whole WMD and terrorism thing predates Mr Bush by 30 odd years... And the Canadian "War on Terror" is well over....

  24. Some IETF and patent background... on Cisco Applies For Patents To Secured TCP · · Score: 5, Insightful

    It was never the object of patent laws to grant a monopoly for every trifling device, every shadow of a shade of an idea, which would naturally and spontaneously occur to any skilled mechanic or operator in the ordinary progress of manufactures. Such an indiscriminate creation of exclusive privileges tends rather to obstruct than to stimulate invention. It creates a class of speculative schemers who make it their business to watch the advancing wave of improvement, and gather its foam in the form of patented monopolies, which enable them to lay a heavy tax on the industry of the country, without contributing anything to the real advancement of the arts. It embarrasses the honest pursuit of business with fears and apprehensions of unknown liability lawsuits and vexatious accounting for profits made in good faith. -- U.S. Supreme Court, Atlantic Works vs. Brady, 1882

    Historically, the IETF has been neutral about using patents in the Standards process, and its position is summed up best in the charter of the IPR Working Group (http://www.ietf.org/html.charters/ipr-charter.html):

    The IETF and the Internet have greatly benefited from the free exchange of ideas and technology. For many years the IETF normal behavior was to standardize only unencumbered technology.
    While the 'Tao' of the IETF is still strongly oriented toward unencumbered technology, we can and do make use of technology that has various encumbrances. One of the goals of RFC2026 'The Internet Standards Process -- Revision 3' was to make it easier for the IETF to make use of encumbered technology when it made sense to do so.

    Last year, there was an attempt to make the IETF change their policy, but it failed miserably (http://news.com.com/2100-1013-996351.html?tag=fd_top).

    So you can have more secure communications, but only if you pay Cisco.

    Bastards.

  25. What about the MPAA... on In-Flight Wi-Fi Makes its Debut · · Score: 1

    This would drive them crazy.. you start your "crime" in the EU, then fly over greenland, and canada and then finally the US....