Ziercke said there was a vital need for German law enforcement agencies to have the ability to conduct on-line searches of computer hard drives of suspected terrorists using "Trojan horse" spyware.
This is completely unrelated to being able to tap encrypted communications. This is on a whole different level, and contravenes many laws brought into many countries for spyware and data protection. I think the crypto issue is really at the heart of the whole "online search" debate. With the increasing use of full hard disk encryption, traditional methods of physically seizing computers and doing an offline forensic analysis fail. If you read the press coverage between the lines and listen to statements by some of the officials, who actually seem to know what they are talking about, this seems to be the major reason for this push.
our IT department decided to implement a much more comprehensive firewall than before
You have the problem basically here. IT should not just decide things on their own, without, at the very least, consulting with the business (essentially the customers of IT services), especially if there is a significant impact to the business operations.
IT should usually also not have the authority to set policy or decide on the actual overall security level / risk acceptance level. Policies are under the authority of Top Management. Of course, they can delegate the actual task of formulating policy, but the ultimate decision and approval lies there.
IMO, often people who run IT have somewhat of a god complex (this is where BOFH comes in), just because of their extensive access rights and a feeling of being absolutely essential for the operations of their organization, when in fact, they are in more of a janitorial role.
Think about it in the context of a house or building: You are responsible for making sure the lights and elevators are working, you are handing out keys, make sure the corridors are clean and free of obstacles, there are no fire hazards in the rooms, etc.
However, you are NOT responsible for deciding on who specifically gets a key to what door, or what doors actually should have a lock. Nor are you the person to decide on installing an elevator. This is within the responsibility and authority of the building owner.
So, to answer the question: How to get respect and not become a BOFH? --> Know your place!
Isn't this what every cam-phone (or digi-cam for that matter) already does?
I don't see how that would make it seem transparent
Kleinfeld is no longer CEO of Siemens, he now heads up Alcoa. New Siemens CEO is Peter Löscher.
Multi-billion $ Professional Service corp with high focus on IT related services and consulting.
180,000 staff overall in about 140 offices globally. At least 2/3 of staff are mobile at client sites 90+% of their time. Most have full admin access to their own machine.
Internal IT service organisation has about 5,000 staff (1:36, about 3%)
Mostly Microsoft shop with WinXP workstations (Vista rollout in progress) and Win2003/2008 servers.
Quick facts from 2007 (company grows by several 10k people each year):
Hardware
146,000 laptops deployed
4,737 devices monitored
6,700 servers managed
4,100 megabytes network bandwidth managed
Websites
10,000 unique visitors to Intranet Portal per day
24,000 unique visitors to external website per day
5,000 unique visitors use the "Find" feature each day
Applications
280 global applications supported
496 local applications supported
1 global instance of SAP R/3, SAP Business Intelligence (BI), SAP Customer Relationship Management (CRM) (running on Win2003)
40,000 named SAP users between SAP R/3, SAP BI and SAP CRM
Database Size: SAP R/3 = 2.3 terabytes, SAP BI = 2 terabytes
e-mail
149,000 e-mail accounts
6,100,000 e-mail messages per day
125 kilobytes is average message size
8,600 Microsoft SharePoint sites
4,100 BlackBerry devices
21,000,000 conference call minutes per month
Support
1,007,000 resolved incidents per year through help desk, eSupport, Web chat and local support
I work in client facing Tech Consulting, so not part of the internal IT, however, I am very satisfied with their services.
Specifically the Vulnerability Assessment Report is part of the court records, so it is public by default.
Here is the presentation:
http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf
Mirrors:
http://www.evernote.com/pub/ssulistyo/InfoSecStuff#07ff6ce9-1aa9-45e9-8bd2-10ce0805e534
https://dl.getdropbox.com/u/77164/anatomy%20of%20a%20subway%20hack.pdf
Also, a vulnerability assessment report:
http://blog.wired.com/27bstroke6/files/vulnerability_assessment_of_the_mtba_system.pdf
My company uses StopTrack tags on all laptops. Supposedly they form a molecular bond with the case and cannot be removed.
Reminds me of something a friend said:
"Management is like using toilet paper. In the end, the only thing that matters is that your ass is clean."
http://www.conspirito.de/2007/09/management-weiheit-der-woche.html
See also these talks:
Crouching Powerpoint, Hidden Trojan
An analysis of targeted attacks from 2005 to 2007
http://events.ccc.de/congress/2007/Fahrplan/track/Hacking/2189.en.html
Cybercrime 2.0
Storm Worm
http://events.ccc.de/congress/2007/Fahrplan/track/Hacking/2318.en.html
See also this short story: http://www.kuro5hin.org/story/2003/4/3/19455/41933
Here is the text of the actual EU Directive:
http://eur-lex.europa.eu/LexUriServ/site/en/oj/2006/l_105/l_10520060413en00540063.pdf
The interesting part for this discussion is Article 5 - Categories of data to be retained (starting on page 4)
Note that member nations can go further than the Directive, when implementing it into national law.
I should have phrased this more clearly.
http://en.wikipedia.org/wiki/Call_detail_record
For internet connections only your login information to the telecom network is retained (at least, that is how I understand the law). What you do during your connection is not retained.
TOR obviously has nothing to do with this, as you only start a connection to TOR after you actually logged in to your DSL line.
(Ignoring now the provisions in the law regarding Email and VOIP, which can be circumvented by simply consuming such services from another country)
I still don't see how this is relevant. The data to be retained are the "call detail records", e.g. time, source, destination for phone calls, login/logout times and assigned IP address for Internet connections.
The actual content of the communication is explicitly not included, including whether this communication is encrypted.
Note that this data has usually been available anyway, e.g. for billing, but before, the telcos were not legally required to retain it for a fixed time period.
This is not really correct. The Verfassungsschutz is Germany's interior intelligence agency, so would be most comparable to the British MI5 and some of the tasks of the FBI. The NSA, on the other hand, is tasked with protection of the critical communications infrastructure, as well as worldwide electronic signals intelligence (e.g. Echelon). In Germany, this is covered by the BSI (Federal Agency for IT Security - protection of infrastructure) and the BND (exterior intelligence agency - SigInt).
What does the Data Retention Law have to do with crypto?
Right, forgot about that one. It was good old-fashioned communists they blamed for it, though, which, I suppose, is somewhat like a religious group.
They even had a catchy name for it: "Law to Remedy the Distress of the People and the Nation" (Gesetz zur Behebung der Not von Volk und Reich). Too bad it doesn't work as an acronym.
http://en.wikipedia.org/wiki/Reichstag_Fire_Decree
http://en.wikipedia.org/wiki/Enabling_Act_of_1933
No argument there.
Interestingly enough, though, the Nazis still found it necessary to stage a Polish attack to convince its own populace of the reasons for war:
http://en.wikipedia.org/wiki/Gleiwitz_incident
Any conclusions or comparisons to modern times shall remain with the reader.
Both of these laws are actually based on a European Union Directive, which countries are now implementing as national laws. Some obviously go a bit further on the details than others.
To be fair, it was technically Austria-Hungary who started the war against Serbia, after their Archduke Ferdinand was assassinated in Sarajevo. Since the UK, France, et al. were allied to Serbia, they then declared war on Austria-Hungary, causing Germany to then also declare war against them through their treaty obligations to Austria-Hungary.
In any case, everyone wanted war and has been pushing for it for some time. The actual powder keg situation that started hostilities was engineered by everyone involved for just this purpose.
This.
Sorry to be a grammar nazi, but it always makes me crazy when people get this wrong.
It is "would have" not "would of".
For some reason, it also seems to be only native speakers who rape English this way. Must have something to do with only hearing the construct verbally and not seeing it written enough.
We now return you to your regularly scheduled programming...
When you have physical access to a machine, you have almost no chance of securing it, anyway (without something like Smart Cards or TPM chips, that is).
You can simply grab the password hashes and run them through a rainbow table.
Now that completely reminds me of Ghost in the Shell...