RedHat is a corporation. Just like any other.
While it has never gone as far as including outright and deliberate lies like C*** in its curriculum it has quite clearly omitted topics where it was crap and the competition was good. For example in the days when it had declared desktop linux as dead and was the only distro not to have a working automounter, configuring autofs and distributing home directory mappings via autofs/nis to the network was suspiciously missing from the curriculum. This is _essential_ for rolling out any workstation deployments and admin-ing large deployments. As a result I had to teach people this from scratch.
This is just one example that comes to mind. Plenty of others. None as vile as companies starting with C, L or god forbid N or A, but examples none the less.
Translated into language more appropriate for a tech/geek news site - they look for metabolites or whatever the drug is excreted as. This may or may not be the drug itself. For example Prozac is excreted nearly unchanged. It is also fairly stable as a result it has become a common contaminant of drinking water supplies in the western world http://news.bbc.co.uk/1/hi/health/3545684.stm. Plenty of other examples...
Re:Interview Questions (on "Network Warrior"; Score: 1, Troll)
Yep. And Cisco is not any different. Neither is Sun, RedHat or any other.
The reality is that certification and exam materials are viewed by companies predominantly from the perspective of product revenue assurance. This is considered even more important than actually having revenue stream from certification fees and revenue from the courses themselves. As a result courses and exams are designed to indoctrinate, brainwash and secure future custom. They have nothing to do with qualification, knowledge or ability.
Looking at the logs on my mail server and PBX they have /dev/null-ed 6 agencies that were way past the 1 year period (2.5 years in one case). So I suspect that you are a minority regarding caring in the slightest about the DPA. Most of your agency brethren do not give a f*** so tightening up the regs until they do is a jolly good idea.
Similarly, for the last 5 years I have seen only 2 UK agencies in the IT area (including security oriented ones) that are aware that MS Word leaves personal information including paths and such in the document. As a result the supposedly "top secret" client name is easy to find as 99% also tend to put "Cable and Wireless" cvs in a directory called "Specs\CW" on a _WINDOWS_ server and the directory stays in the doc metadata. There was a point when I used strings and hexedit on job specs _before_ reading them as that provided more information than the agencies were willing to provide (including old revisions of the spec, email trails with the request and even information on how much you can actually bargain for). Personally I find it hard to believe that someone that is so inept that they cannot clean up private info out of MS Word can protect against a well designed and directed Trojan attack. This is besides clearly using a Windows driven network and Windows file storage as a method for keeping their CVs and specs organised.
Granted, some of the bigger agencies use database systems and 3rd party AV and mail services which shield them to some extent, but this still leaves thousands (in the UK) potential marks for a well placed Trojan which can after that trawl jobsite, jobserve, cwjobs, monster and the like and collect several GB of personal information for further consideration. Exactly like in the Monster case.
Further to this, it is only a matter of time until this type of information is used not for spearphishing, but for targeted burglaries and good old classic crime. As there are less and less people who can be caught even with a targeted phishing attack, the data thieves will inevitably start to sell their data to people engaged in more mundane activities like burglary.
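The comment above is about document metadata that gives away the client behind a "confidential" job spec. The following is an added example, not code from the poster, that does the defender-side check: it opens an OOXML .docx (a zip of XML parts), pulls the core and extended properties Word stores there, and flags the fields a pre-send scrub should have removed (author, company, a template path that reveals the file server layout, a revision counter above 1). The sample document, the names in it and the UNC path are constructed for the example; the original discussion concerns binary .doc files inspected with strings/hexedit, so this generalises the same check to the zip-based format.

```python
"""Report leftover metadata in a .docx before it leaves the building.
Added example; the sample document below is constructed, not a real file."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used by docProps/core.xml and docProps/app.xml (OOXML standard).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# A UNC share (\\server\share\) or a drive letter (C:\) at the start of a path.
UNC_OR_DRIVE_PATH = re.compile(r"^(\\\\[^\\]+\\|[A-Za-z]:\\)")


def build_constructed_docx() -> bytes:
    """Constructed sample: the minimum parts needed to look like a .docx that a
    careless sender left full of metadata (author, company, template path)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>j.smith</dc:creator>'
        '<cp:lastModifiedBy>j.smith</cp:lastModifiedBy>'
        '<cp:revision>7</cp:revision>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"])
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Properties xmlns="%s">'
        '<Company>Example Client Ltd</Company>'
        '<Template>\\\\fileserver\\Specs\\EXAMPLE\\spec_template.dotx</Template>'
        '</Properties>' % NS["ep"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")  # body is irrelevant here
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the metadata fields of interest from core.xml and app.xml."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "cp:revision"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found[tag] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("ep:Company", "ep:Template"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found[tag] = el.text
    return found


def leaks(meta: dict) -> list:
    """Findings a pre-send check would raise: author/company fields set, a
    template path pointing at a server share, a revision counter above 1."""
    findings = []
    for key in ("dc:creator", "cp:lastModifiedBy", "ep:Company"):
        if meta.get(key):
            findings.append(f"{key} present: {meta[key]}")
    tmpl = meta.get("ep:Template", "")
    if UNC_OR_DRIVE_PATH.match(tmpl):
        findings.append(f"template path reveals server/share layout: {tmpl}")
    try:
        if int(meta.get("cp:revision", "1")) > 1:
            findings.append("revision count > 1; the document has an edit history")
    except ValueError:
        pass  # non-numeric revision field; nothing to conclude
    return findings


if __name__ == "__main__":
    for line in leaks(extract_metadata(build_constructed_docx())):
        print(line)
```

To run it against a real file, pass `open(path, "rb").read()` to `extract_metadata` instead of the constructed sample; an empty findings list is what you want to see before a document goes out.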
Err... You are missing the point.
Monster.com was broken in for spearphishing, not for sending bulk emails regarding "Bank of America". Spearphishing as a term is used to describe a phishing set up which is designed to hit a victim specifically by using a victim specific ruse based on knowledge of personal data.
Recruitment agencies are actually a prime target for such attacks:
1. Nearly all of them (even the specialised unix oriented ones) require all CVs in Microshit Word so pushing a custom Trojan is trivial.
2. Nearly all of them systematically violate the Data Protection act and other similar statutes which require them to remove customer data from their databases when no longer needed. So far in the UK only 3% of the ones I have asked to remove my details have complied with the request. Amidst the most vile violators are the two biggest MOD oriented agencies and more than 50% of the top 20 (by job posting numbers).
3. In addition to that apparently at least one UK (and international) jobboard also does not remove customer data even if you delete your accounts from there. As a result the agencies are re-fed your details on a regular basis.
4. The agencies possess enough data for a perfect spearphish: date of birth, nationality, postal address, occupation, prior job history, current and past salaries as well as further background. In some cases where they have been subcontracted to do HR they possess even more data like NSNs/SSNs, credit ratings and the like.
Frankly this is an industry that is in desperate need to be smacked with some vile regulation compared to which SOX and the recent health IT regs in the US are a child's play. They need to be straightened out and made to follow the laws of the land with regard to customer privacy. At the moment they are systematically ignoring them and in many cases they possess more of your personal information than your bank.
So let's hope that the Monster case will cause some moves towards that.
Nope. They do not seem to be locking out anything deliberately. They are locking out through sheer ineptitude though. I had a chance to compare the network in Bulgaria on Mtel (which is a vodafone partner) and Vodafone UK and frankly Vodafone UK should learn how to do Data networking. "Sucks bricks through a thin straw sidewise" is probably the correct description of the shit they do for data.
- Code sequence allocations and move along the 3G coding tree is not predictive, use a horrid algorithm and you can see when the cell reclaims codes and reallocates them. You initially get allocated a lot and you can see as new codes get allocated how you slip down the code tree and your bandwidth withers away until it reaches practically 0. After that the cell reshuffles the coding tree and you start again on top. This plays merry hell with TCP windows to the point where it becomes totally unusable. Compared to that Mtel actually did fairly smooth ramp-down/ups with some form of "fair share" allocation.
- The DNS-es they supply do not work half of the time so you have to override them and use Level3 or some other useable ISP DNS instead.
- MTel had Edge even in the middle of nowhere on remote cells within the mountains. As a result the network was useable nearly everywhere. Compared to that Vodafone keeps Edge off their network for solely political reasons (no tech reason whatsoever) and once you go out of the 3G coverage into the countryside the network becomes barely useable. Mtel - 200ms average ping to a server in EU when on GPRS. Vodafone - 600ms average ping. 3 times higher latency and considerably slower.
And so on... The truth is that their network and data product royally suck. Unfortunately nobody else has a sensible roaming tariff and a sensibly priced data product so there is no choice for the time being.
Why USA-international? International-international is more interesting.
This approach allows picking up traffic between two ids of interest to someone with a suitable request. If some unspecified USA institution wants to know all conversations between XXXZZZ in Russia and ZZZXCC in France they can do it and there is dickshit any of these can do about it besides stopping to use Skype.
By the way, personally, I think that Skype has had that for a very long time and it is indeed bogus coding of the auth module this time.
Gooseberry mark V.
"Blackberry user" and "speaking with wallet". This is probably about right. All addicts do speak with their wallets. Giving the crack dealer as much as he wants to get that wonderful fix from a vibrator slotted in the immediate vicinity of their belt buckle.
On a more serious note, the BB is a business product. Nearly all businesses buy the phones unlocked. They can get bulk rates, discounts, etc and the entire "stay in contract to get the phone subsidised" malarkey no longer makes sense.
Their latest data roaming rate is actually 12 Eu per day for up to 50 MB on partner networks if you are on a dedicated data product. If you use data a lot I suggest you take on that offer, get the card or USB modem coming with it and forget about using data on your normal phone. It comes with 3G monthly within the UK as well for 25 quid. There are similar offers from other vodafone franchises.
The card is probably a better choice (the USB modem is quirky). It is a Huawey (should be probably called HuyHuy as more descriptive) 631 3G-HSDPA/GPRS-Edge 3 band PCMCIA. There is a linux connection manager available from vodafone betavine. Words of warning:
The connection manager software is total and utter shite. It is worth using only abroad where you need to check that you are locked onto the correct network to use the 12Eu roaming tariff. In the UK just pick up the relevant bits of the dial strings from the debug output and add them to a chat profile.
The card eats so much off the 3.3V rail that some small form factor laptops become unreliable. For example my HP NC4000 cannot use reliably its second memory slot if it has the card plugged in. Most large bricks like HP NC6xxx and NC8xxx are OK.
Not per wheel. The diesel electric train still has a normal transmission and the wheels are not rotated separately. You simply do not need that on rails.
Compared to that the 75 ton version of BELAZ is probably the first mass produced 4x4 vehicle with independent per-wheel electric motor and a generator power plant (not sure if the 30 ton version had it). As a result it has no transmission to speak of. Differential, accelerator, etc are all drive-by-wire. This is what makes the great difference as far as maintainability and manoeuvrability. In fact it is surprising that it is not used so far on military vehicles both US and Russian. It has been the mainstay of hydroelectric and mining projects around the globe for nearly 30 years now (probably the only export item Belarus got nowadays).
Nope. The US army is reimplementing the transmission of the BELAZ mining supertrucks from the 70-es. These had an electric plant and a separate in-wheel motor as far back as the late 70-es if not earlier. Very cute monsters actually. Start at 30 ton and go to 420 tons for the largest model. This is 40 years old tech. Move along :-)
Fox and Co think that the world consists only of USA, news at 10.
They have looked solely at the USA graphs and completely ignored the world ones which are the ones that look really scary. They have also declared the problem with the USA data analysis to be a flaw in the data for the whole world.
Is anyone surprised? I am not...
'log in here with your bank of america credentials to see if you have won a prize'. As a matter of fact this is the latest and probably the most successful class of phishing sites. The ruse is a "survey" on behalf of "Bank of America" or someone else. It is surprising how many people fall for it. The website has nothing to do with the bank, the addresses are not the bank ones, but none the less the consumer enters their credentials. As a result of many years of brainwashing by direct marketeers they now consider all this to be "business as usual".
Sorry you are being overly optimistic.
Both management and engineering types are currently taught to view systems from the point of view of how they work, not how they fail. Computer and network engineers nowadays no longer study optimal control, advanced parts of probability theory and other mathematical principles which determine system stability. As a result they are along with the management in the same boat. They think positively and while they may have some remote recollections of the Tacoma Narrows they do not quite understand why it collapsed. At least this is the case in the computer science and networking industry.
Absolutely. In fact it is even worse. In most optical media the session resolution is a track. Not even a sector. While you can leave the session open and write sequentially this means that the disk is not fixated. I am not sure for how long and to what extent you can do that. Even in that case you are working at a sector resolution which in ISOFS is 2048 bytes. That exceeds by far the size of most log entries. Overall, writing to optical media for applications like this is a can of WORMs (pun intended) which you just do not want to open.
Now, assuming that they use harddrives, we all know that someone could extract mount the file system and change records.
Not if they have done it properly. If it is designed as an audit solution it is likely to have a hardware crypto module, a device specific key and have all data written out to disks at least signed with it. More likely - encrypted with it. In either case even if the fs is standard you cannot do jack sh*** with it after taking the drives out.
By the way - implementing the above using OSS is trivial as all free OS-es nowadays provide a TPM API so you can have unique machine keys. In fact you can implement this on top of any Free OS and integrate it with any standard MTA and most applications with minimal effort. The implementation would also most likely pass audit scrutiny as it is trivial. The only sticking point will be the crypto procedures and especially escrow. While proving that the app and the design is compliant is not hard, proving that your CA procedures are solid is a phenomenal pain in the a***. Also, you need to prove that you have an effective escrow and taking a hammer to the log machine does not prevent reading the compliance logs later on. The vendor has already done that and the auditors are happy. Compared to that it will take you on average 4-6 months to get this done with the help of external consluttants. Now, if you have done it anyway for a different project that is an entirely different ball game. You always have to prove to auditors that your app does what it says on the tin anyway and the apps are often internal. So one more or one less item is not going to turn the boat if the main sticking points (the CA and the escrow) have already been done.
This is actually the standard approach recommended in places like "Building Internet Firewalls" and such. It does nicely with the write-once requirement provided that you have also secured the machine from tampering. Unfortunately it does not do very well with the "read many".
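The comments above describe an audit appliance whose records are signed (or encrypted) with a device-specific key held in a hardware crypto module, so that pulling the drives and editing the file system gets the attacker nowhere. The following is an added example, not code from the thread, showing the signing half of that design in its simplest form: each record carries an HMAC over its sequence number, the previous record's tag and the payload, so edits, reordering and deletions in the middle of the log are detectable by anyone holding the key. The key here is a constructed 32-byte stand-in for one that would be sealed to the TPM; the log entries are constructed too. The demo also shows the one thing a chain alone does not catch, truncation from the tail, which is why real designs pair the chain with a separately stored record count or periodic anchor.

```python
"""Tamper-evident, hash-chained audit log with per-record HMAC tags.
Added example; the device key and the log lines below are constructed."""
import hashlib
import hmac
import json

# Constructed stand-in for a key that would live in / be sealed to a TPM or HSM.
DEVICE_KEY = hashlib.sha256(b"constructed-example-device-key").digest()
GENESIS_TAG = "0" * 64  # previous-tag value for the very first record


def _tag(key: bytes, seq: int, prev_tag: str, payload: str) -> str:
    """HMAC-SHA256 over the record fields, chaining in the previous tag."""
    msg = f"{seq}|{prev_tag}|{payload}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(log: list, payload: str, key: bytes = DEVICE_KEY) -> dict:
    """Append a payload; the sequence number and chained tag make in-place
    edits, reordering and deletion of earlier records detectable."""
    seq = len(log)
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    rec = {"seq": seq, "prev": prev_tag, "payload": payload,
           "tag": _tag(key, seq, prev_tag, payload)}
    log.append(rec)
    return rec


def verify_log(log: list, key: bytes = DEVICE_KEY):
    """Return (ok, first_bad_index). Recomputes every tag and checks the
    chain; without the key a tag cannot be forged for an altered record."""
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(log):
        expected = _tag(key, i, prev_tag, rec["payload"])
        if (rec["seq"] != i or rec["prev"] != prev_tag
                or not hmac.compare_digest(rec["tag"], expected)):
            return False, i
        prev_tag = rec["tag"]
    return True, None


def demo() -> dict:
    """Build a small log from constructed entries and record which tamper
    operations verify_log catches (and which one it does not)."""
    log = []
    for line in ("user alice login ok",
                 "user bob sudo /bin/sh",
                 "user alice logout"):
        append_record(log, line)
    results = {"clean": verify_log(log)}

    edited = json.loads(json.dumps(log))        # deep copy, then rewrite one entry
    edited[1]["payload"] = "user bob login ok"
    results["edited"] = verify_log(edited)      # caught at index 1

    deleted = [log[0], log[2]]                  # drop the middle record
    results["deleted"] = verify_log(deleted)    # caught at index 1 (seq/prev mismatch)

    truncated = log[:-1]                        # drop the last record
    results["truncated"] = verify_log(truncated)  # NOT caught by the chain alone
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

Encrypting the payload as well (the "more likely" option in the comment) changes nothing about the chain; the tag is simply computed over the ciphertext. The escrow problem the comment raises is exactly the key in `DEVICE_KEY`: if it dies with the machine, nobody can run `verify_log` later.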
Not quite.
They are not very good at tasks which involve writing a lot in small increments like a log. The sector size is quite big so if you guarantee that each log entry has finished physically on disc without caching till the sector is full the disc will be eaten in no time.
You probably need a custom writer/reader (most normal ones cannot alter sector size) and custom formatted media along with something different from isofs. Not rocket science really, but definitely beyond the scope of DIY.
Sure it's particulate and it may even be harmful. So is asbestos. Chemically asbestos is a very inert material. You are right, so far the statistical evidence is that toner is not particularly harmful. None the less, I have always tried to choose the furthest possible part of an open office plan from the printing station.
Depends if this is particulate toner after thermal processing or particulate toner in the form found in the cartridge.
Dunno about the former as it is bound to have larger and less active particles, but the latter is a known health hazard on par with glass dust and asbestos. Just look at any IT health and safety handbook under "dealing with toner spillages". It is supposed to be collected using specialised vacuum cleaners, you have to have the floor tiles replaced and so on. Unfortunately very few people follow these procedures.
Further to this, I find these findings quite strange. Most manufacturers go to insane lengths to avoid toner emission into the air so that they do not get an asbestos style class action suit.
Yeah, bollocks.
Tell that to vodafone UK who removed the VOIP from all recent nokias.
It asks now. Are you sure that it will ask you about a patch that is critical for Apple's revenue stream?
Alternatively, if the mouse is called Algernon...
Well... His disposable income clearly has :-)