Slashdot Mirror


User: Maradine

Maradine's activity in the archive.

Stories: 0
Comments: 138

Comments · 138

  1. That'll learn em. on NetBSD Sets Internet2 Land Speed World Record · · Score: 4, Funny

    Fools, BSD is dea . . . oh, wait, what?

  2. Re:Tell me about it. on The Unhappy World of IT Professionals · · Score: 0, Offtopic

    Hmm. I've always thought that good steak speaks for itself. Still, I'll have to try it. Thanks.

  3. Re:Tell me about it. on The Unhappy World of IT Professionals · · Score: 1

    Pardon my ignorance.

    What the heck is steak spice?

  4. True story! on Internet Job Boards a Bunch of Hype? · · Score: 5, Interesting

    True story.

    My first (and only) shot at Monster was in August of 2000. I was getting sick of my $13.50/hr sysadmin job, so I posted to Monster on a whim. I had a call from the recruiting department of a global consultancy within 20 minutes. They offered me 55 up front. I didn't even really negotiate. Moved 300 miles to take it.

    The punchline? We all got laid off in January. The Company dissolved in June.

    Use at your own peril? :)

  5. Re:The other side of the story. on Replaced by Outsourcing -- What's a Geek to Do? · · Score: 1

    I left a perfect contact method. People interested can reply to the post, and I don't expose any corporate externals to Slashdot effects. Seems like a good plan to me.

  6. Re:The other side of the story. on Replaced by Outsourcing -- What's a Geek to Do? · · Score: 1

    I certainly hope you don't think I'd post a URL to my corporate site here. :)

  7. The other side of the story. on Replaced by Outsourcing -- What's a Geek to Do? · · Score: 5, Informative

    Coming from the standpoint of a security auditor in a firm that specializes in Managed Security Services, let me lay a couple of things down in our defense.

    1. Security firms are told to audit against a certain set of criteria when they audit, be it GLBA, HIPAA, or one of the open security standards. Our work only identifies human security risks in process and policy, not people. If you were individually and specifically labelled a security risk, you should demand to know why.

    2. The firm's auditors likely had nothing to do with the loss of your job. Rather, it was your management. Managed Security Firms have two sales models: Unfunded Risk, and Savings. My guess is that their sales team was working on the Savings principle and presented a more cost effective security solution. Your management team decided that cost savings were more important than your job. I hate being a catalyst for that kind of change, because I don't like seeing good people get laid off. Most of our clients use us as a supplement, rather than a replacement. I wish it always worked that way.

    3. You lost your job. But we're hiring, and we have a hell of a lot more fun than should be legal. Jobless security professionals and analysts, feel free to reply.

  8. Re:Umm... its not IOS on Cisco Announces Holes In PIX Firewall · · Score: 1

    Point taken on the Sups. Forgot about the MSFC.

  9. Re:Umm... its not IOS on Cisco Announces Holes In PIX Firewall · · Score: 2, Informative

    I'm curious what side of the business you're on. I've never heard a CCIE refer to a Cisco OS as anything other than its name.

    I think what makes things confusing for some people is the fact that many of the hardware types, especially Cats, can run multiple OSs. Hell, in the 6500 series, you can have the chassis running CatOS, its Sups running two different IOSs, and an SVC-FWM-1 in a blade bay running PIXOS (which, for the record, is named 'Finesse'). That's why things get lumped.

    The boys in my local Cisco office are all nomenclature geeks, so that might explain why everyone in this region is anal about names. Point being, to someone who spends a reasonable portion of each day inside other people's Cisco gear, saying 'IOS' to me means 'IOS'.

  10. PCS Lack of Vision on Comparing Wireless Internet Services · · Score: 5, Insightful

    My love affair with Vision ended about two weeks into the service. It's never been fast, it's never worked reliably, and most important, I've never found it particularly useful.

    Like a lot of products I have an early-adopter's love affair with, it solves a problem I don't have. About the most useful thing I ever did with it was write a wap frontend for the nessus batch commandline so I could really impress the ladies. Turns out most ladies don't even know what nessus is. In a college town, I tell you!

    For those of you that read Gartner, you'll note where Sprint falls on the fabled magic quadrant. It's a special quadrant reserved for those who had a great idea and then blew it. Can you guess which?

  11. Re:Why? Why?? on Implanted RFID Tag To Replace Cash? · · Score: 1

    Unless you think you're being funny mentioning "_bloody_ prerequisite" you obviously need to read the Bible a bit more with less biased eyes, sure the returning of the Savior is a good thing. But the coming of the Antichrist is not. There are lots of other bad things that will happen around then too.

    Sure. And I'm not saying that I necessarily agree with the implementation of the technology. Hell, on the Political Compass scale, I'm two clicks shy of being as Libertarian as the Dalai Lama.

    My point is that from the standpoint of a fundamentalist Christian (using the sweeping stereotype), this should be great news. Or at least a step in the ultimately right direction.

    As for me, I'm not sure how the whole thing is supposed to work. I'd far rather take my chances with putting a bullet in the anti-christ than waiting for Jesus. Unless I can get the Pay-per-View rights.

  12. Re:Why? Why?? on Implanted RFID Tag To Replace Cash? · · Score: 1

    Fair. I stand partially corrected. :)

  13. Why? Why?? on Implanted RFID Tag To Replace Cash? · · Score: 4, Interesting

    Why do fundamentalist Christians have a problem with this? Every time one of the prophetic things comes to pass, they're like, "my god, the number of the beast! Satan is among us! You cannot do this!!"

    Ladies and gentlemen, welcome to Know Your Religion! Guess what guys? The New World Order and the anti-christ's coming are a bloody prerequisite for your savior's return. Remember that bible thing?

    You guys should be cheering this stuff on.

  14. For the Confused or Speculative . . . on Cisco Working to Block Viruses at the Router · · Score: 1

    What Cisco is developing is a Host Integrity System, something it lacks in its current offerings. A good example to use would be Sygate's Secure Enterprise.

    Cisco's new offering serves as a checkpoint at the router or L3 switch level. Hosts incoming must pass a certain set of criteria (MD5 hash of approved AV running, sig file at certain level, hotfix X installed) before they are allowed to pass. While previously used to protect remote users (Aventail and Checkpoint are good examples), Cisco is moving to market the technology as an endpoint solution for all enterprise users.

    This is also a consolidation play. The new version of Cisco's Secure Agent will tie into the new gateway system as a required host integrity piece. If you add that to the new WebVPN SSL VPN code that is currently in beta 3 and will be out over the holidays as v4.1 of the 3000 series concentrator software, you get a pretty clear indication of where Cisco's going with this.

    All I can say is our Fortune clients dig the whole shebang. Keep in mind that once you start talking about enterprise security, the more authoritarian, the better.

  15. Re:Only 1996 to the Present on Video Card History · · Score: 1

    Actually, I'd be shocked if there wasn't linux support for all the earlier stuff. VESA is VESA, right?

  16. Re:Only 1996 to the Present on Video Card History · · Score: 2, Interesting

    What were the big players back then? Paradise, Trident, and Tseng, right? Man. MCGA rocked.

  17. Revisionist History? on Video Card History · · Score: 4, Interesting

    I note that the history of this article starts in 1996 . . . one year after Rendition's Verite chip became the first consumer add-on 3D accelerator.

  18. Re:Wrong on Half-Life 2 Delayed Following Code Leak · · Score: 1

    There is NO SUCH THING as security through obscurity, and those who try show a complete misunderstanding of the issues. There can be _protection_ through obscurity, but security in relation to computers has a certain, specified meaning, and when people start throwing it around in connection with obscurity, it just makes the situation a lot more confusing than it needs to be.

    You're passionate, and I like that. But I respectfully disagree.

    Security's specified meaning in relation to computers:
    "Measures by which the confidentiality, integrity, and/or availability of information is preserved." -- NSA INFOSEC Methodology

    If I can't find it, I can't steal it, change it, or make it go away.

    While I, as an Information Security Professional, agree that security through obscurity is a less effective method of preservation than a good, thorough risk assessment and targeted remediation program, obscurity is still a valid preservation tactic, and every bit a provider of security by definition.

    I'd say "that's my two cents", but all I got's a fiver. Got any change?

    M

  19. Re:Good God, that's insulting. on Get Paid To Crack? · · Score: 1

    $300. And I'm reading slashdot from the client site through a chain of SSH forwards. Isn't consulting ironic?

  20. Buy now! on Get Paid To Crack? · · Score: 2, Interesting

    Why, there's no telling who would fall for such a seductive sales pitch!

    "Hackers, we'll give you $249.95 to display all of your best-kept secrets to our packet dumper so we can build it into our IDS product and nail your pasty white asses when you try it with our clients later! Buy now!"

    Oh, crap. Was my sarcasm filter on?

  21. Tool convergence? on Nmap Gets Version Detection · · Score: 5, Interesting

    In the past, my kit contained THC's Amap, Ofir Arkin's Xprobe, and of course, Fyodor's nmap. It's good to see all of these toys (or at least the functionality) coming into one wrapper. I really like Xprobe's probabilistic model for O/S detection. It's a shame that what's good for the hacker is good for the cracker . . .

    Oh, and by the way, is anyone watching the global 593 spike?

  22. Re:why bother? on PGP Universal - Usable Email Security? · · Score: 5, Insightful

    That's mostly correct. However, there are many organizations that are now subject to various legislation (such as HIPAA or GLBA) that didn't *know* they need this until recently.

    Consumer information safeguards are mandated in many industries now. This package would be a less painful, more expensive way to meet those requirements.

    Of course, I haven't seen it yet. It could be crap. Who knows? I registered for the whitepaper, we'll see.

  23. Code of Ethics on Adrian Lamo Charged With Hacking · · Score: 1

    Disclaimer: the Man owns me.

    Hey, ya know, I remember when I got my CISSP and NSA training way back when that I had to sign off on a code of ethics about these kind of things. Since then, I've heard two very good interpretations of the code by two interesting sources:

    An old friend from TKE:
    Ya don't touch the booty til the booty invites you in.

    Jack Nicholson:
    Never rub another man's rhubarb.

    Seriously, though. Pick your government or private sector security standard. Access Control, Authentication, and Accountability are at the forefront of all of them. The corporations in question have no way of knowing what he did inside their networks, what he saw, and who he told. All three of the standard elements of information criticality -- Confidentiality, Integrity, and Availability -- could have been breached. Would you prosecute?

    I would. And my father taught me something relevant -- a man who believes he's innocent is rarely found on the run.

    Except maybe Harrison Ford. Man, he's getting old.

    M

  24. Don't you know? on Cheap Video Sniffing · · Score: 5, Funny

    "Want to see what other people find interesting enough to watch with an X10 Camera?"

    I already know. A pool, from left to right, and then this hot twenty-something in a blue dress, up and down.

    Really, what else is there?

  25. Re:Why just PERL? on Misterhouse - a Home Driven by Perl Scripts · · Score: 1

    Awwwww, really? That explains a hell of a lot. Glad I don't code for a living. And I owe someone five bucks. . .