Your math is off a bit. Two oldest Irrigation Districts (MID & TID) in the SJV are 125 years old. Still the best place to grow fruit and nuts.
Too many things make this not possible to not have connected (air gapped). One is OATI and in California there is the CA ISO. Both use the Internet for the agencies to connect to them and both are essential for the Energy Sector to function in an inter-connected grid. Agencies have to get SCADA information into billing/historical systems and conversely schedules have to get into SCADA systems. Both of these intermediate business networks need Internet access to OATI and CAISO. So while SCADA systems are not directly connected to the Internet, through the right amount of vulnerabilities/compromises, they can in theory be remotely accessed. Yes, there are dozens of protections that can and should be in place, but it's not the same as a true air gap.
Can you name one router or switch vendor with which you can get 100% made in the USA? It's impossible these days.
Agreed. The White House needs to keep their hands off of the Electrical sector and let us continue to do what we're doing.
Federal Energy Regulatory Commission Chairman Jon Wellinghoff is pandering to Congress and the White House with untrue statements such as:
“No. 1, I don’t have an effective way to confidentially communicate [cyber threats] to the utilities,” Wellinghoff said. “And No. 2, I have no effective enforcement authority, and I’ve said this for six years now. And I’ve also said I don’t care who has the authority, but Congress should give someone the authority.”
#1 is untrue in regards to the Electrical sector. FERC can communicate confidentially via NERC Cyber Alerts. Additionally NERC has the ES-ISAC private alerts that can be issued for lower-priority items. I received a draft alert from the ES-ISAC just yesterday which will be released in a matter of days.
#2 is untrue in regards to the Electrical sector. FERC via the 2005 legislation received the ability to fine $1MM/incident/day and has delegated this to NERC which enforces the FERC Orders 693 (Electrical) and 706 (Cyber CIP) via NERC standards.
There is the Water ISAC which my Irrigation District also has alerts from. I'm not in the Oil or Gas industries, but I imagine FERC should have the same authority over them and they have the Energy ISAC for communications.
Actually, I do. I started my own one-man consulting business and took a quick accounting class. This topic came up (Use Tax). I wasn't aware of this prior to this time, and mostly because I wanted to track everything accurately (as I was claiming business expenses, etc.), I tracked all purchases. This included tracking all purchases which didn't have sales tax so that I could pay use taxes.
Anyway, long story shortened, I was offered a full-time position at one of my clients, and shut down my business.
I still pay Use Tax since that time, as it's the law. It's really not hard to do. I PDF all my purchase receipts, and a side benefit is that I have record of them for tax reasons. I put a copy of all of them without sales taxes into my "Use Tax" folder and total them up at tax time.
Side note: electronic delivery (where there is no physical product delivered) has no tax responsibility.
I used to be fearful, about 5 years ago. The first step is to make sure you have a really solid backup plan. I have a home server on which I use rsnapshot to store rsync diffs. This can be performed as often as I like (hourly, once per boot, weekly, etc), or even automated (I don't as I don't want the hassle of having to wait for a backup to finish before I shutdown/hibernate).
Once you think you have a solid backup plan, pretend you just lost your hard drive. The best method is to have a second system (or second hard drive, and swap out your real one) to which you will restore and not touch your original. Once you truly know you have everything backed up and don't need anything from the original system, move to encrypting your disk.
Oh, and what good is encrypting your disk if you don't encrypt your backup? Naturally you want to trust your backup to be solid (especially during system upgrades/migrations when the original is at risk), so you're going to want to have two backup devices. Server + external USB hard drive is a nice solution. I'm a big fan of offline storage (only servers have to have the key in memory and thus have the encrypted data available), so I have two external USB hard drives which I rotate. Fire or other disasters may happen, so I rotate that external hard drive to work, then bring the one at work back home. Worst case I may lose 2 weeks of data (which would be minimal, as any major changes of data trigger a home/work external hard drive swap). Take a step further and have a third hard drive you keep off site at a family member's house 30+ miles away (thinking flood plains here). Rotate taking a drive to that location and bringing it back on family visits.
Ok, sorry to digress. Now, when I install, since I know I'm not going to lose any data, I do full encryption on all newer systems that aren't "budget" boxes. I've got a number of hand-me-down laptops (P4, other pre-Intel Core processors, etc.) that the family uses, which still work just fine for simple school research, writing a report, etc. For these systems, I partition things out and encrypt: /home /tmp /var/tmp swap. The rest is part of / and not encrypted for performance reasons.
I've been doing this for 5 years and a dozen laptops and 5 external USB hard drives and never had a problem due to disk encryption. Many of my laptops don't detect the battery power accurately any more, so I've had a handful of sudden "off" situations where the system shut down uncleanly. Never been a problem and once the disk is decrypted ext4 does its thing and I keep going.
I have had a failed hard drive in that time. I typically keep the OEM OS and resize it and keep it set to dual-boot so I can "troubleshoot" with the manufacturer. The nice thing about having all my personal data encrypted is that when I had a failed drive, I had no worries sending it back to them as I knew they could not access anything.
I too have run into the issue with Linux not wanting to automatically re-mount the drive when I plug it back in. I also have manual scripts to do all the LUKS scripts (for this reason, and also on my servers which have no GUI, or when using a recovery CD where I want to know exactly how to access my data), and those will work in cases like that.
Here are the rough notes:
# http://wiki.centos.org/HowTos/EncryptedFilesystem
# attach the USB partition to a loop device, then open the LUKS container on it
losetup /dev/loop7 /dev/sdb1
cryptsetup luksOpen /dev/loop7 secretfs7
# password prompt here
cryptsetup status secretfs7
# /dev/mapper/secretfs7 is now active:
#   cipher:  aes-cbc-essiv:sha256
#   keysize: 256 bits
#   device:  /dev/loop7
#   offset:  2056 sectors
#   size:    3907021946 sectors
#   mode:    read/write
mount /dev/mapper/secretfs7 /mnt/usb7/
######### when done: unmount, close the container, then detach the loop device
umount /mnt/usb7/
#cryptsetup remove secretfs7
cryptsetup luksClose secretfs7
losetup -d /dev/loop7
Your management plane should not be accessible to anything but your management VLAN. If the bad guys have access to that, it's already all over. With management VLAN access they'd just MitM attack your SSL session and serve another "factory" cert that isn't signed by a CA and most admins will just blindly ignore it. This is not news, but a low priority patching event.
Cite your source. I'll cite mine:
https://www.riaa.com/physicalpiracy.php?content_selector=piracy_online_the_law
"Copying CDs
It’s okay to copy music onto an analog cassette, but not for commercial purposes.
It’s also okay to copy music onto special Audio CD-R’s, mini-discs, and digital tapes (because royalties have been paid on them) – but, again, not for commercial purposes.
Beyond that, there’s no legal "right" to copy the copyrighted music on a CD onto a CD-R. However, burning a copy of CD onto a CD-R, or transferring a copy onto your computer hard drive or your portable music player, won’t usually raise concerns so long as:
The copy is made from an authorized original CD that you legitimately own
The copy is just for your personal use. It’s not a personal use – in fact, it’s illegal – to give away the copy or lend it to others for copying.
"
Saying you don't have a legal "right" to copy is not the same as saying you cannot legally do something. I believe if it really was not legal to do so, they would be stating it is illegal. They do say other acts are illegal. The way I read the lawyer-speak (despite their "this is not legal advice" disclaimer) is that they are saying you don't have a license or permission from them to do so. Again, saying it this way is not the same as saying it is illegal. (Reading between the lines, I think it is their way to reserve the right to go after you should a law making it illegal be passed - but until that occurs, they can't do anything because it is not illegal).
Except you have to pay for a webserver and/or the bandwidth and/or take the security risk of the hosting server being compromised and everything that comes with that (bandwidth bills, other non-public devices being compromised because of the first, etc). The only thing I put on Dropbox is either items I used to put on my public blog or photos I'm sharing with everyone, or items that are AES 256-bit encrypted.
I'm going to assume they have their critical workstations airgapped and these are their email/other workstations where they can access situational awareness information.
Simple way to resolve this is to allow access to whitelist-only pre-approved sites. We do this in our SCADA control room. SCADA machines are airgapped, and email/documentation machines are white-list only.
We do give them access to Terminal Servers in a DMZ which have less-restricted Internet access.
Also, we allow them to bring in their own personal devices that are never connected to our networks. It's pretty boring at 3am on a 12-hour shift.
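The white-list-only rule described above is easy to state and easy to get subtly wrong at the URL-parsing layer. As an added example (not code from the original post), here is an allowlist check of the kind such a policy needs, with the cases that commonly slip through: userinfo tricks (`allowed.host@evil.host`), case, trailing dots, and suffix matches that must stop at a label boundary. The hostnames in the allowlist are constructed for illustration.

```python
# Added example: URL allowlist check for a "white-list only" browsing policy.
# The allowed hostnames below are constructed, not the poster's real list.
from urllib.parse import urlsplit

# Exact hostnames, plus zones where any subdomain is also allowed.
ALLOWED_HOSTS = {"www.nerc.com", "www.caiso.com"}
ALLOWED_SUFFIXES = {"energy.gov"}  # matches energy.gov and *.energy.gov


def host_allowed(host: str) -> bool:
    """Exact match, or a suffix match that stops at a label boundary
    (so 'evilenergy.gov' does not match 'energy.gov')."""
    host = host.lower().rstrip(".")
    if host in ALLOWED_HOSTS:
        return True
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def url_allowed(url: str) -> bool:
    """Decide whether a request may leave the documentation machine.

    Deny anything that is not plain http(s), anything carrying userinfo
    (the classic 'https://www.nerc.com@evil.example/' lookalike), and
    anything whose parsed hostname is not on the list.
    """
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal in the URL
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname      # already lowercased, userinfo/port stripped
    if not host:
        return False
    return host_allowed(host)
```

The decision is made on the parsed hostname rather than on a substring search over the raw URL, which is what makes the `user@host` and `allowed.host.evil.example` cases fail closed.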
We literally have this sort of thing for server room work. We got tired of tearing up perfectly good clothes. The ones we have are only like $40.
Well, if it was dropbox@yourdomain.com, I could see that argument. I started using sitename.YYYYMMDD@mydomain.com to prove beyond the shadow of a doubt. As I run my own mail servers, either the recipient, one of our ISPs, or one in between would have had to have skimmed the email address. I've had a dozen or so sites leak these addresses. If I don't need them, I just block the aliases on my server. If I need them (domain registrar, etc.), I just bump the date, make sure I get the change confirmation email, and then block the old email.
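The per-site dated alias scheme above (sitename.YYYYMMDD@mydomain.com) turns a leaked address into evidence of who leaked it. As an added example, not code from the original post, the following parses such aliases and classifies inbound mail: retired aliases are rejected, and mail that reaches a site's alias from a sender domain that site does not own is flagged as a leak. The domain, the site-to-sender mapping and the sample addresses are constructed.

```python
# Added example: dated per-site mail aliases and a simple leak classifier.
# MY_DOMAIN and EXPECTED_SENDERS are constructed placeholders.
import re
from datetime import date

MY_DOMAIN = "mydomain.com"
ALIAS_RE = re.compile(r"^(?P<site>[a-z0-9-]+)\.(?P<ymd>\d{8})@(?P<domain>[^@]+)$")

# Constructed: which sending domains each site label is expected to use.
EXPECTED_SENDERS = {
    "registrar": {"registrar.example"},
    "shop": {"shop.example", "mail.shop.example"},
}


def make_alias(site: str, issued: date, domain: str = MY_DOMAIN) -> str:
    """Build sitename.YYYYMMDD@domain for the day the address is handed out."""
    return f"{site.lower()}.{issued:%Y%m%d}@{domain}"


def parse_alias(addr: str):
    """Return (site, issue_date) for one of our dated aliases, else None."""
    m = ALIAS_RE.match(addr.strip().lower())
    if not m or m.group("domain") != MY_DOMAIN:
        return None
    ymd = m.group("ymd")
    try:
        issued = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
    except ValueError:          # e.g. 20120231 is not a real date
        return None
    return m.group("site"), issued


def classify(rcpt: str, sender: str, blocked: set) -> str:
    """'reject' a retired alias, 'leak' an unexpected sender, else 'accept'."""
    rcpt = rcpt.strip().lower()
    if rcpt in blocked:
        return "reject"
    parsed = parse_alias(rcpt)
    if parsed is None:
        return "accept"         # not a dated alias; other policy applies
    site, _issued = parsed
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    allowed = EXPECTED_SENDERS.get(site, set())
    # A sender domain that is, or is under, one the site owns is expected;
    # anything else means the alias was skimmed or sold on.
    if any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed):
        return "accept"
    return "leak"
```

Bumping the date for a site you still need is just `make_alias` with today's date followed by adding the old alias to `blocked`, which is the rotation the post describes.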
You can only watch it with a sub to cable/dish and an account that carries these channels. No sub, no access.
> NBC is putting its free, OTA broadcast on the internet, for free.
Where? All I've found is the nbcolympics.com site which requires a paid sub to cable/sat services.
Having just implemented a PEAP-TLS (mutual-certificate based authentication), I can say that what I really want is a combination PEAP-TLS-MSCHAPv2 solution (which doesn't exist to my knowledge). I want mutual-certificate authentication (proving a "Corporate Issue" device which has a typical-end-user non-exportable private key is in use, effectively "something you have", especially on encrypted drives with no user admin-access) wrapping around a MSCHAPv2 authentication of username/password pairs. While certificates can be revoked (and renewed), it's not the same as requiring strong user passwords that change semi-frequently.
Get a femtocell and you can ditch the land line. Verizon calls it a NetworkExtender. It looks like a mini cell tower that your phone will use for data service and it creates a VPN tunnel back to Verizon and your cell phone calls go across the Internet. I had one for a year or so and it worked great. Only downside is if I got home while on a call (cell service outside was semi-ok) it would not switch to the femtocell. I had to be on the femtocell when I started the call to use it. But I could leave from my home and not drop a call as it would switch from the femtocell to the regular tower with no problem.
Side note: another trick with VZN was using their 5 favorites to have one of them be my Google Voice number. Then I could call in/out via Google Voice all day long and never use a minute. I don't know if that's even worth it now (I've had 3 unlimited voice carriers since then, so I don't care). I still use Google Voice so I never have to care about porting my cell number. Plus, I like having my calls ring at work and on my cell at the same time and pick up whatever is convenient (especially since the cell doesn't get great service in the data centers, but I have an extension on the phones in the data centers).
Around here, they call it "mini-basic" and it used to be cheaper. City taxes or something made it a bit more to get the unbundled version.
Oh, but here's a trick with Comcast: You can get any of the "specials" that require a bundle just by adding the $2/mo maintenance/line protection thing to your account (and not bundling video or voice).
I'm not an EE or anything, but Path 65 is HVDC and appears to work just fine over long distances (842mi) with a line rating of 3100MW.
It's really not hard to find them with Cisco gear managed by Cisco Wireless Control System. WCS will automatically triangulate them so you can physically locate them and you can even block/disable rogue APs (talk to legal before blocking/disabling Wifi APs, re: FCC & unlicensed spectrum). I've used it this last week to track down 3 rogue APs which were permanently installed by employees for personal employee use (turns out they BYOI from a WISP and then share with those who want to chip in and only use with their personal devices, not work devices). Additionally, WCS will alert if any of those "rogue" APs' MAC addresses ever show up on the Corporate network and will also track all authorized work clients to make sure they don't connect to rogue APs. It will also track and make sure non-authorized APs never use a "legitimate" SSID (disallowing any impersonation of our real APs).
I've yet to play with it, but WCS' replacement, NCS, does this as well: Rogue AP Details.
IP addresses were never meant to be used by the masses - and guess what, the masses don't use them.
Memorizing IPv6 addresses is a snap. First you learn your prefix (mine is something like 2600:103:b00[0-f]::), and then you have network blocks inside that. Yes, it's longer, but it's also globally unique.
Here's a "wasteful" but useful trick - embed your VLAN IDs and IPv4 addresses inside your IPv6 addresses and then there is really nothing new to learn beyond your prefix.
Example: 2600:103:b001:53:10:250:250:1
2600:103:b001 is a prefix we use for DMZs. 53 is the VLAN number of our nameserver DMZ. You can probably guess what 10:250:53:1 is and what the corresponding IPv4 internal address is.
Another example: 2600:103:b000:207:10:2:7:156
2620:103:b000 is the prefix for one of our main sites. 207 is the VLAN (second floor, 7th VLAN on that floor, VLAN'd by department/use).
So long as you use IPv6 logically, it's really not hard to remember and recognize.
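The embedding trick above writes each decimal number verbatim into a 16-bit group (VLAN 207 becomes the group `207`, i.e. 0x0207, not 0xcf), which is why it is "wasteful" and why it stays readable. As an added example, not code from the original post, here is the encoder and the matching decoder, with the decoder refusing any tail that contains hex letters or octets above 255 so that an unrelated address (such as a SLAAC one) is not mis-read. The prefixes and addresses used in the checks are the post's own examples; the function names and the 802.1Q range check are mine.

```python
# Added example: embed a VLAN ID and an IPv4 address in the low 80 bits of an
# IPv6 address, the readable way the post describes, and extract them again.
import ipaddress


def embed(prefix: str, vlan: int, ipv4: str) -> str:
    """prefix (three groups) : VLAN : four groups holding the IPv4 octets.

    Every decimal number is written as-is into a group, so the group text
    reads like the VLAN ID or the IPv4 octet it came from.
    """
    if not 1 <= vlan <= 4094:               # usable 802.1Q VLAN IDs
        raise ValueError("VLAN ID out of 802.1Q range")
    octets = ipaddress.IPv4Address(ipv4).packed   # validates the IPv4 string
    groups = [str(vlan)] + [str(o) for o in octets]
    addr = ipaddress.IPv6Address(f"{prefix}:{':'.join(groups)}")
    return str(addr)                        # canonical (compressed) form


def extract(ipv6: str):
    """Return (vlan, ipv4) if the low five groups follow the scheme, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    groups = addr.exploded.split(":")       # eight zero-padded 4-digit groups
    tail = groups[3:]
    if not all(g.isdigit() for g in tail):  # any a-f digit: not an embedded value
        return None
    vlan, *octets = (int(g) for g in tail)
    if not 1 <= vlan <= 4094 or any(o > 255 for o in octets):
        return None
    return vlan, ".".join(str(o) for o in octets)
```

Note that `str()` of an IPv6 address compresses runs of zero groups, so 10.0.0.1 under VLAN 207 prints as `2600:103:b000:207:10::1`; `extract` works on the exploded form, so the compressed spelling decodes the same as the long one.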
SLAAC/DHCP addresses should be registering in DNS (well, all of it should be). Use DNS for those semi-random hard-to-remember addresses. We have 100K+ electric meters with IPv6 addresses (small electric utility). I can look at the prefix and tell you if it is from our AMI NAN, WAN, LAN, or server networks, and what substation the meter is routing through. Naturally I'll never memorize the SLAAC-based NIC portion of the meter address. DNS using the service point name is all I need.
[jason@its5156 ~]$ traceroute6 -n ami-jjr.mid.org
traceroute to ami-jjr.mid.org (fd7f:a4b6:4ee6:4:213:5001:0:6ac9), 30 hops max, 80 byte packets
1 2600:103:b000:207::1 0.651 ms 0.618 ms 0.882 ms
2 2600:103:b00f::1 2.085 ms 2.073 ms 2.487 ms
3 fd69:f556:4dba:4:213:50ff:fe02:23cd 76.485 ms 115.080 ms 165.136 ms
4 fd7f:a4b6:4ee6:4:213:5001:0:6ac9 2014.907 ms 2055.036 ms 2084.870 ms
fd69:f556:4dba:4:: is a LAN address going to substation 4
fd7f:a4b6:4ee6:4:: is a WAN address routed through substation 4's AP to my meter at my house.
DNSSEC-enabled stub resolvers on the client and/or browsers would have stopped this from ever becoming a problem. Of course, the bad guys would have just disabled this feature and/or replaced the root key on the clients, if they had access. However, it sounds like much of the time it was a vulnerable router that had the DNS settings changed. In this case, the clients would have detected false/forged DNS records and stopped the problems sooner.
We disable for inbound access. All smartphones have Internet access, no? Great way to reverse-tether and get into our network.
I don't know about the laws in other states, but in California all large passenger vehicles (buses) have to stop prior to railroad crossings, open their doors and look left and right down the tracks (and presumably listen for a train).
Agree or disagree, that is the law here.
So I was riding the bus home one day (years ago, while saving to buy a car for cash) and the bus driver failed to notice a set of train tracks (industrial area where you can't see the tracks except right in the road). So the driver hits the brakes *on the tracks* and opens the door, looks down the tracks (mind you, it's about 20 feet behind her, with the middle of the bus over the tracks), and then keeps going. Epic logic fail. You already broke the law, and now you're potentially endangering lives stopping on the tracks.
Not. The hosted content is with BGP peering. Even though it is often on local 10gb links, it is still seen as a peer outside of your ISP. See Netflix.
Badges cost us $15. We do try to recover them, but it's not a big deal if we do not.
Ditto. You get terminated for cause/quit on the spot, and your cardkey badge (physical) and all electronic access is disabled during your HR exit interview, such that you have to be escorted out. You retire/finish on good terms? It's pre-programmed to stop working at the end of business on your last day.