"You'll be able to ask it to make a note, play music, set a reminder, and lots more without ever logging in. "
All I can think when reading that is "attack vector." No matter how much they claim it's limited, sand-boxed, walled off and segregated from the rest of the system, someone will figure out a way to gain system access through it. Microsoft may as well advertise Windows 10, Now With Built In Password Bypass!
First reaction: Wow, I sure watch a lot of old Bob Ross and Carol Burnett Show videos on YouTube.
Second reaction: Wow, is there anything but old Bob Ross and Carol Burnett Show videos in here?
Third reaction: Wow, I'm really boring....
Every time I read about these, it strikes me that it all goes down to poor system design. The computers and functions dealing with the operation of the car need to be isolated from the entertainment systems, including WiFi, at least so far as inputs are concerned. Apps that allow the user to unlock the doors or start the engine, WiFi and OnStar systems that allow on-the-air updates of control software, these are all inherently insecure and always will be! They tie into systems that need to be air-gapped and only accessible via physical access to the car.
Security is almost always a trade-off with utility or convenience. But auto makers have gone way too far, to the point of threatening public safety. These car computer systems need to be redesigned from the ground up with proper security practices and risk assessments in place.
Not to mention having to program an annoying, intrusive AI "driver" in each car.
"Did I pick you up at home?"
"Um..."
"Am I taking you home now?"
"Well..."
"Can I friend you on Facebook? Friend request sent."
"Hey, I didn't-"
"Can I follow you on Twitter? Following. I see you like cats."
It's much more fun to consider the impending doom this protocol brings if you pronounce it to rhyme with "Hey Now" and imagine Jeffrey Tambor saying it.
I did tech support for AMD back in the 90's, and stumbled upon this idea back then. A friend had an old camper-van that I could buy cheap; AMD was a 24-hour campus with cafeteria, gym and other amenities. A cell phone and PO Box was all that was needed to complete the picture.
If I wasn't married, I might have tried it. Things were not nearly as expensive back then as they are now, but AMD paid their tech support folks crap; I would have been hard pressed to afford a one-bedroom apartment in the area on my salary. If you're willing to live simply, it's definitely a viable option.
Be sure to include DNA from the horses that have already left...
I'll second this. Muse is nice, but it doesn't match Finale or (my preference) Sibelius. I can do around 90% of my stuff in Linux; I only have dual boot for a few games and music composing/editing.
FBI must have been watching too much CSI of late. Black Rock Desert is about 500 miles outside LVPD's jurisdiction (and 140 miles outside Reno, for you Reno 911 fans). Plus, it's Federal land, overseen by the BLM. The FBI would actually have more jurisdiction there than LVPD ever would.
Some certs have value in the training and experience requirements that come with them.
Some certs add prestige to a resume or company masthead.
Some certs equal a bump in pay.
Some certs do other things that may benefit either the person getting the cert or the company that employs them.
And some certs do none of these, are a complete waste of time, and only add value to the instructor's, governing body's and test facility's bank accounts.
And when it comes down to it, the only person that can make that determination is the person looking at the cert.
--
All blanket statements are wrong.
I'd say the Parrot Sketch, Argument Clinic, and Silly Walks. Maybe add in Bruces and Spanish Inquisition, although no one expects that last one.
Um, what? No, I didn't read the article before responding. Why do you ask?
IANAL, but I would think if you consistently use incognito mode, you could make the case that it's just how you work and was not an action taken in response to any sort of criminal activity or investigation. I'm not aware of any law that requires people to maintain evidence as part of their daily lives....
First off, start playing. Grab a free VM tool like VirtualBox, load up some raw Linux and Windows VMs in it, launch Kali, and start poking around. Break things, but in a manageable, recoverable, legal way. Never, ever, ever poke at something where you don't have written permission from the owner. If you want something a little less random, Lamp Security had some guided CTF exercises out there a few years ago that took you through the pen test process.
Look into formal training. In my experience, SANS has some decent hands-on classes, and you get a fancy certification to go with it. A better option would be to look into Black Hat Training class, and stay for the briefings and Defcon.
Talk to people in the profession. There are a lot of security folks on Twitter - Jack Daniel, Jeff Moss, Dan Kaminsky, Johnny Long, HD Moore and Deviant Ollam to name a few. Follow them, ask questions, join in conversations. Meet up with them at conferences. Security professionals love to tell war stories, and we love to educate people who are interested and want to learn.
Speaking of certifications, don't make the mistake of making them a goal. For what you're looking at, the so-called "big name" certifications (like CISSP) are pretty meaningless. CEH (Certified Ethical Hacker) would probably be worthwhile to have, since it would relate directly to the work you're doing. But realize that certs are mainly viewed as window dressing - great for the business card and marketing department, but all they prove is that you're good at taking tests. Make sure you're getting the knowledge that goes with the cert, and can demonstrate it in the field. The skills and abilities are far more important than the letters in your signature block.
I think the biggest issue you'll run into is finding something that will work for the DOS/Win 3.11 device.
See if you can rustle up a copy of Laplink with the LPT cables. It was designed for moving files in just this scenario; using the LPT cable was always a lot faster than serial, which topped out at 115kbps. Yes, that's kilobits per second, you young whippersnappers.
If you can't find Laplink, find (or build) yourself a null modem cable. Hook it between the two systems' COM ports, and fire up a basic transfer program that supports batch transfers (look for ZMODEM support).
The biggest downside (for me, at least) is that it's limited to accounts running on Office 365 - if your company hasn't migrated, the app will not connect to your Exchange server.
As the father of teenage boys, I could have told them Cheerios are great at growing fungus years ago.
To quote Oakland Raiders coach John Madden, "All I want is my unfair advantage."
Sums up just about everyone, really....
In a perfect world, your employer would jump at the chance to send you, give you full per diem and a room in the conference hotel, rental car, and an allowance for books and materials on sale at the conference.
But as Huey Lewis said, "Ain't no living in a perfect world."
I was fortunate to go to Black Hat and Defcon in Las Vegas for 11 years while I was at my previous (private sector) employer. They paid for all but the first time. For that one, I took leave, paid my own way, and then came back and demonstrated to them the value and knowledge I picked up (mainly by starting just about every sentence with "Well, in a talk at Black Hat..."). I got laid off when the company was downsizing, ended up in a public sector agency, which sounds very similar to your situation (great people, interesting work, surprising lack of sticks inserted up people's butts). Same situation - I had to go on my own first, the next year they willingly paid for me to go.
Your employer is at least offering to pay for the training piece, which says that they see some value in this. And I know how hard it is to do things like this on a public sector salary (which is still about 40-50% of an equivalent private sector one). My advice: look for the bargains. Stay at a cheap casino (you can get into places like Excalibur for $40-50/night, sometimes lower) instead of the conference hotel. Walk and use the monorail to get around ($10/day). Eat fast food, or fill up on conference munchies - don't eat in the conference hotel or celebrity chef restaurants, but find the coffee shops and cheap buffets. And most of all, talk to your employer. Tell them you're willing to go on your own dime this time, but when you get back, you'll want to make the case for someone from your group going every year, fully paid.
It will scale up to 100 gallons/year, which is the legal limit in the US for homebrewing. That's 20 batches, or 1.6667 per month. Put it another way, it's 960 bottles of beer on the wall. That's more than enough scaling for me.
One 5-gallon batch at a time. And so far, I too have never run out.
NSA, or someone with (even) fewer scruples. It's only a matter of time before people start getting free malware with their charge.
Putin is under no compunction to tell the truth. And there's no reason to expect he would.
Obama is under no compunction to tell the truth. And there's no reason to expect he would.
Hillary is under no compunction to tell the truth. And there's no reason to expect she would.
Kerry is under no compunction to tell the truth. And there's no reason to expect he would.
Boehner is under no compunction to tell the truth. And there's no reason to expect he would.
McConnell is under no compunction to tell the truth. And there's no reason to expect he would.
Ryan is under no compunction to tell the truth. And there's no reason to expect he would.
Equal time, don't ya know. The statement applies to virtually any politician.
Director of Information Security, six-figure income, no degree. Not exactly the "shit-end of the industry". I've known IT managers and directors (and one CSO) who can make the same claim.
Maybe... just maybe... there are career ladders in IT and IS that don't lead to staring at a monitor for hours on end writing algorithms that the users will break.
Working infosec for a dozen years or so, I tend to harden things by default. I view any app on my system as a potential vulnerability, so if I don't need it or am not using it, off it goes.
My point is that buying a new car with DRM is a choice. Don't want DRM? Don't buy new; there are plenty of viable alternatives out there. Or, buy new from a manufacturer that hasn't gone the DRM route. If enough people make those choices, it starts to hit the manufacturers where it counts the most, in the profit/loss statements. Doesn't always work, but it works often enough.