You can get a Panasonic Toughbook 72: Pentium III 700 MHz processor, liquid-spill-resistant keyboard, and some other rugged features (used) on e-bay for about $600. Naturally, for a few $$$ more you could get a new non-rugged pentium 4 machine. You could also get a less-powerful, but more ruggedized model.
If you make (or obtain) a basic, clear plastic enclosure, you could add considerable protection by placing it inside, and you could even run an external keyboard by passing its cable through the enclosure. You may wish to add one or more fans and an air filter to the enclosure. At the end of each work day, you could take the notebook with you. I'd also recommend backing it up off-site.
You could actually use a wireless keyboard and mouse (consider them disposable if exposed to the environment in your shop - but this will further save the computer from wear-and-tear. Actually, there are "roll-up" rubberized keyboards that might be perfect for your environment. You could also look for a ruggedized trackball (this might not be the easiest or most affordable item to find, but one could also be picked up later).
If the work doesn't have to be paid-for, or paid-work at a high rate, could you work for / volunteer for a variety of computer-security publications and conferences that you may be able to support. Go to their web sites and inquire.
You could be exposed to a variety of topics and subjects relating to information security, and deal with balancing issues related to what subjects are pivital in different infosec themes:
There are some academic venues: National Information Systems Security Conference (NISSC) - don't know that this is still running. Perhaps it is, or there is something similar.
http://www.ncisse.org/ Colloquium for Information Security Education
"Hacker Magazines":
2600: The Hacker Quarterly http://www.2600.com
Blacklisted 411: http://www.blacklisted411.net
Binary Revolution http://www.binrev.com
Anyway, I'm not saying that anything would come from it, but these are a few organizations that you might want to contact.
- Sam http://www.iamsam.com http://www.NitzbergSec urityAssociates.com
Actually, if you do Hebrew, I think that you'd almost get Yiddish as a freebie.
Yiddish uses the Hebrew letters - and I don't know of any distinction in their use that would make for a difference in typing Hebrew vs. Yiddish. On the other hand, the grammar rules and dictionary would be different.
VideoTape and annotate every step ! Re:Step 1
on
Computer Forensics
·
· Score: 1
Make sure that you have appropriate equipment on-hand so that you can -document- that you have taken appropriate steps. Make sure that you have appropriate gear to record and playback every operation that you take, and the system's responses. Test it out. Do scan-lines destroy your video image ?
Yes - an adversary can challenge everything you do in court - but, this is the only effective way to assert that you have not damaged or tainted the evidence. You can prove that you've maintained the chain-of-custody.
I'm not too active, but I put up a little site for myself and one or two associates to do consulting through. Our areas of interest include corporate intelligence.
The corporate-intelligence work involves searching for information on a company based on information available on-line. Depending on a client's needs, we can search English-language and localized foreign-language sites for information of interest to the client. This can concern information on the company's products or its perception. We only use on-line sources, and use absolutely no "covert" or non-open sources.
Keep in mind if you consult that you have to be careful to avoid conflicts-of-interest with your day-job, and not to violate your employment contract. It also helps to work with more than just e-mail. Get an 800-number, fax, and decent voice mail system. It helps if you can arrange to get a human answer the phone during your work-day hours.
It doesn't necessarily pay (or pay too much), but I also stay active and try to keep experimenting with different computing technologies, and presenting and publishing when I can. This also introduces me to more people in the field, and can also lead to more opportunities.
Maybe these systems are being built based on the wrong models.
People often compare these machines to ATM machines, electronic cash registers, and on-line transaction systems. OK - maybe there is some valid basis for comparison to on-line transaction systems.
When I think of e-voting systems, I look at them and the appropriate design discipline in terms of embedded [weapons] systems and controllers.
- The choice (or new development) of an O/S should reflect only the requirements for the application (in this case e-voting) to be supported - Security policy should be formalized - formal tests against policy should be tested - all privacy must be preserved - all transactions should be logged as appropriate
** without violating policy - not necessarily an easy trade-off - systems should fail to a safe state. This takes some consideration when dealing with the nature of voting systems - appropriate training and maintenance to be mandated. no use of non-certified and properly readied systems - auto-detection of the system entering 'invalid' states. Has once vote been recorded per lever-pull? Do votes since power-on reflect total votes? Flag erroneous results - you get the idea...
Anyway, I think that they need a rigorous approach from design-to-maintenance-to retirement.
For USCF (United States Chess Federation) - sponsored play, you go through them. The USCF arranges the matches, and you are assigned a score / rating based on your wins / losses. ( I imagine the USCF still does this - I remember it from my undergrad college days...). You also had stacks of templated-postcards to show your move / chess positions.
I remember an old Gomer Pyle show... (OK - I know - all Gomer Pyle episodes are old...)
Anyway, there was an episode where he would use a particuliar jeep. Everytime he had the jeep, his buddies would keep filling it with gas for fun, and not tell him. He thought that he was getting like 100 miles per gallon. When the sargent had the jeep, they'd siphon off the gas...
You could really screw with their numbers. Your Lexmark printer could report 200 reams per ink cartridge. Depending on the detail of their reporting back, you could make it look like you printed 1000 sheets all red, then all blue. You could mess with their metrics. Worse yet, if you falsify your registration number, you could fill their databases with fake data and even collide with other numbers already registered. How do they interpret data when the same printer is being reported numerous times with different behaviors. They shouldn've used strong crypto to ensure data integrity...
They probably should have had a click-to-authorize this activity as on option with their driver, with some benefit attached. Most would click it anyway, or not read the advisory...
Some years back, a friend of mine and I were using a Sparc workstation running solaris.
For fun, we removed all the files on the file system - basically using rm -f
We did this in pieces, and using rm commands over groups of files and directories.
We also had apparently had some of the basic commands (e.g. ls, mount, etc...) cached in memory from their recent use.
We were able to achieve having a Solaris system functioning from a command line (I am pretty sure we exited X-windows first), with NO files. We were able to perform mount and ls to witness that there were no files, and we had the root prompt.
Nothing fancy. Just a demonstration of how cumulative errors can lead to errors in calculation. Example : Two calculations that should each result in the value 3.0, but one results in 3.0 and the other in 2.9999999. An equality check will fail. Sometimes, these situations aren't handled well, even in real-world situations.
Set Theory-
Just some basics. Just enough to lead up to state-transition diagrams. Once some very basic set theory and state-transition diagrams are introduced, you have the basis for modeling many systems and automata, formal methods (which I would not introduce to kids - but the concept that development does not have to be flying-by-the-seat-of-your-pants is of value), and many other applicatons. Just the exposure could lead them to discover and think about a great deal more.
Security - E-voting could be an excellent topic, with already many straighforward papers and analysis worth discussing and debating. Many important and approachable arguments lie here, as well as many important infosec principles.
Anyway, these are just some ideas. There may be pros and cons that I am not considering, but I think that there should be some exposure in these areas.
I think that a great blurring is occuring (even in the Slashdot title for this article) between those who craft viruses, and those that release them.
The title indicates that the person was arrested for writing the virus. Actually, the issue may be closer to dissemination and resulting damage. There is still, to my knowledge, no law against the actual crafting of viruses. There are many who write or experiment with viruses (professionally and out of interest), without releasing them.
You mentioned that from what you have seen that most virus writers are borderline sociopathic. I think the media helps foster that notion - I think that they tend to be introverts. However, introvert != sociopath. I am not sure that there is sufficient reason to believe that the next step is stealing handbags from old ladies, or that they won't at some point "grow out of it." I wouldn't draft a parallel that by definition, the harm of the virus == a sociopathic person behind it. Curiously, if I rember correctly - the Morris worm was not intended to cause any destruction or system interruption. However, there were coding errors that interfered with networks and choked their bandwidth / consumed CPU resources.
Two of the people that I have great respect for in computer science are Dr. Fred Cohen (who did his Ph.D. dissertation which provided a mathematical basis for the computer virus many years ago). If I remember correctly, his dissertation included code fragments if not complete code examples for viruses. Also, Tom Duff wrote the original paper on viruses in Unix - a great paper, elegant in its simplicity, and ahead of its time.
Actually on the notion of... "More than Just P=NP" I will mention that there are entire complexity classes harder than (or at the very least, believed harder than) NP.
These include EXPSPACE. This is mentioned here: http://www.demarcken.org/carl/papers/ITA-so ftware- travel-complexity/img24.html
I don't have my old texts with me here, but one of the texts by Papadimitriou has an excellent diagram of the relationship between complexity classes, and has a bunch "worse" than NP.
Of course, if you can prove things like P=NP, or similiarly break down barriers between the other complexity classes, there are big implications to the diagram......
Toshiba 5 GB hard drives, in PCMCIA format. Great for notebooks, compatible with PC-based pc card readers. Good for major projects or carrying around a lot of data. Also, you can have more than one to seperate out work or personal material associated with different projects / interests.
One - getting used gear / items (?) - Some items, especially electronics lose their smell after some days/weeks/months. With that, some compounds are freed / liberated / lost. The items can be cleaned of dust,etc..., but the initial breaking-in period will be done.
Two - getting a vent-hood. Here, I'm thinking along the lines of either (a) a kitchen vent, or (b) a chemistry-lab vent system.
Slashdot Mirror
LOOPBACK
I named my wireless access point-
o ckmaster
Dorkmaster
It's a fun name, and if you run several WAPs, you can plug in any vowel in the place of dOckmaster's "O"
For reference,
http://www.google.com/search?q=ncsc+d
You can get a Panasonic Toughbook 72: Pentium III 700 MHz processor, liquid-spill-resistant keyboard, and some other rugged features (used) on e-bay for about $600. Naturally, for a few $$$ more you could get a new non-rugged pentium 4 machine. You could also get a less-powerful, but more ruggedized model.
If you make (or obtain) a basic, clear plastic enclosure, you could add considerable protection by placing it inside, and you could even run an external keyboard by passing its cable through the enclosure. You may wish to add one or more fans and an air filter to the enclosure. At the end of each work day, you could take the notebook with you. I'd also recommend backing it up off-site.
You could actually use a wireless keyboard and mouse (consider them disposable if exposed to the environment in your shop - but this will further save the computer from wear-and-tear. Actually, there are "roll-up" rubberized keyboards that might be perfect for your environment. You could also look for a ruggedized trackball (this might not be the easiest or most affordable item to find, but one could also be picked up later).
I spend 50 hours a week socializing - if you count Slashdot as socializing.
If the work doesn't have to be paid-for, or paid-work at a high rate, could you work for / volunteer for a variety of computer-security publications and conferences that you may be able to support. Go to their web sites and inquire.
:
c urityAssociates.com
You could be exposed to a variety of topics and subjects relating to information security, and deal with balancing issues related to what subjects are pivital in different infosec themes:
There are some academic venues
National Information Systems Security Conference (NISSC) - don't know that this is still running. Perhaps it is, or there is something similar.
http://www.ncisse.org/
Colloquium for Information Security Education
"Hacker Magazines":
2600: The Hacker Quarterly
http://www.2600.com
Blacklisted 411:
http://www.blacklisted411.net
Binary Revolution
http://www.binrev.com
Anyway, I'm not saying that anything would come from it, but these are a few organizations that you might want to contact.
- Sam
http://www.iamsam.com
http://www.NitzbergSe
Actually, if you do Hebrew, I think that you'd almost get Yiddish as a freebie.
Yiddish uses the Hebrew letters - and I don't know of any distinction in their use that would make for a difference in typing Hebrew vs. Yiddish. On the other hand, the grammar rules and dictionary would be different.
Make sure that you have appropriate equipment on-hand so that you can -document- that you have taken appropriate steps. Make sure that you have appropriate gear to record and playback every operation that you take, and the system's responses. Test it out. Do scan-lines destroy your video image ?
Yes - an adversary can challenge everything you do in court - but, this is the only effective way to assert that you have not damaged or tainted the evidence. You can prove that you've maintained the chain-of-custody.
http://www.iamsam.com
My day job is as a computer-security analyst.
i tyAssociates.com_ this_part_to_email _me
I'm not too active, but I put up a little site for myself and one or two associates to do consulting through. Our areas of interest include corporate intelligence.
The corporate-intelligence work involves searching for information on a company based on information available on-line. Depending on a client's needs, we can search English-language and localized foreign-language sites for information of interest to the client. This can concern information on the company's products or its perception. We only use on-line sources, and use absolutely no "covert" or non-open sources.
Keep in mind if you consult that you have to be careful to avoid conflicts-of-interest with your day-job, and not to violate your employment contract. It also helps to work with more than just e-mail. Get an 800-number, fax, and decent voice mail system. It helps if you can arrange to get a human answer the phone during your work-day hours.
It doesn't necessarily pay (or pay too much), but I also stay active and try to keep experimenting with different computing technologies, and presenting and publishing when I can. This also introduces me to more people in the field, and can also lead to more opportunities.
http://www.iamsam.com
http://www.NitzbergSecur
sam@iamsam.com___nospam__remove
Maybe these systems are being built based on the wrong models.
People often compare these machines to ATM machines, electronic cash registers, and on-line transaction systems. OK - maybe there is some valid basis for comparison to on-line transaction systems.
When I think of e-voting systems, I look at them and the appropriate design discipline in terms of embedded [weapons] systems and controllers.
- The choice (or new development) of an O/S should reflect only the requirements for the application (in this case e-voting) to be supported
- Security policy should be formalized
- formal tests against policy should be tested
- all privacy must be preserved
- all transactions should be logged as appropriate
** without violating policy - not necessarily an easy trade-off
- systems should fail to a safe state. This takes some consideration when dealing with the nature of voting systems
- appropriate training and maintenance to be mandated. no use of non-certified and properly readied systems
- auto-detection of the system entering 'invalid' states. Has once vote been recorded per lever-pull? Do votes since power-on reflect total votes? Flag erroneous results
- you get the idea...
Anyway, I think that they need a rigorous approach from design-to-maintenance-to retirement.
Sam Nitzberg
sam@iamsam.com
http://www.iamsam.com
People still play chess by (snail) mail...
For USCF (United States Chess Federation) - sponsored play, you go through them. The USCF arranges the matches, and you are assigned a score / rating based on your wins / losses. ( I imagine the USCF still does this - I remember it from my undergrad college days...). You also had stacks of templated-postcards to show your move / chess positions.
http://chess.about.com/od/emailpostalchess/
Real mail. No need for a computer.
I remember an old Gomer Pyle show... (OK - I know - all Gomer Pyle episodes are old...)
Anyway, there was an episode where he would use a particuliar jeep. Everytime he had the jeep, his buddies would keep filling it with gas for fun, and not tell him. He thought that he was getting like 100 miles per gallon. When the sargent had the jeep, they'd siphon off the gas...
You could really screw with their numbers. Your Lexmark printer could report 200 reams per ink cartridge. Depending on the detail of their reporting back, you could make it look like you printed 1000 sheets all red, then all blue. You could mess with their metrics. Worse yet, if you falsify your registration number, you could fill their databases with fake data and even collide with other numbers already registered. How do they interpret data when the same printer is being reported numerous times with different behaviors. They shouldn've used strong crypto to ensure data integrity...
They probably should have had a click-to-authorize this activity as on option with their driver, with some benefit attached. Most would click it anyway, or not read the advisory...
http://www.iamsam.com
... ... or for warddriving ..
I find it funny that most slashdotters will cry foul at ~any~ type of fine for
As far as I know, wardriving itself still isn't illegal....
If his last name were Kernighan, Ritchie, Knuth, Dijkstra, or Pike, I'd hire him :-)
Some years back, a friend of mine and I were using a Sparc workstation running solaris.
For fun, we removed all the files on the file system - basically using rm -f
We did this in pieces, and using rm commands over groups of files and directories.
We also had apparently had some of the basic commands (e.g. ls, mount, etc...) cached in memory from their recent use.
We were able to achieve having a Solaris system functioning from a command line (I am pretty sure we exited X-windows first), with NO files. We were able to perform mount and ls to witness that there were no files, and we had the root prompt.
That was fun and strange.
The O/S didn't even crash...
Sam Nitzberg
http://www.iamsam.com
cat /dev/random | /dev/drum
Numerical Analysis-
Nothing fancy. Just a demonstration of how cumulative errors can lead to errors in calculation. Example : Two calculations that should each result in the value 3.0, but one results in 3.0 and the other in 2.9999999. An equality check will fail. Sometimes, these situations aren't handled well, even in real-world situations.
Set Theory-
Just some basics. Just enough to lead up to state-transition diagrams. Once some very basic set theory and state-transition diagrams are introduced, you have the basis for modeling many systems and automata, formal methods (which I would not introduce to kids - but the concept that development does not have to be flying-by-the-seat-of-your-pants is of value), and many other applicatons. Just the exposure could lead them to discover and think about a great deal more.
Security - E-voting could be an excellent topic, with already many straighforward papers and analysis worth discussing and debating. Many important and approachable arguments lie here, as well as many important infosec principles.
Anyway, these are just some ideas. There may be pros and cons that I am not considering, but I think that there should be some exposure in these areas.
Be careful watching out for these things in communications...
"It's a plant ! "
I think that a great blurring is occuring (even in the Slashdot title for this article) between those who craft viruses, and those that release them.
The title indicates that the person was arrested for writing the virus. Actually, the issue may be closer to dissemination and resulting damage. There is still, to my knowledge, no law against the actual crafting of viruses. There are many who write or experiment with viruses (professionally and out of interest), without releasing them.
You mentioned that from what you have seen that most virus writers are borderline sociopathic. I think the media helps foster that notion - I think that they tend to be introverts. However, introvert != sociopath.
I am not sure that there is sufficient reason to believe that the next step is stealing handbags from old ladies, or that they won't at some point "grow out of it." I wouldn't draft a parallel that by definition, the harm of the virus == a sociopathic person behind it. Curiously, if I rember correctly - the Morris worm was not intended to cause any destruction or system interruption. However, there were coding errors that interfered with networks and choked their bandwidth / consumed CPU resources.
Two of the people that I have great respect for in computer science are Dr. Fred Cohen (who did his Ph.D. dissertation which provided a mathematical basis for the computer virus many years ago). If I remember correctly, his dissertation included code fragments if not complete code examples for viruses. Also, Tom Duff wrote the original paper on viruses in Unix - a great paper, elegant in its simplicity, and ahead of its time.
Slashdot !
Actually on the notion of ...
o ftware- travel-complexity/img24.html
"More than Just P=NP"
I will mention that there are entire complexity classes harder than (or at the very least, believed harder than) NP.
These include EXPSPACE.
This is mentioned here:
http://www.demarcken.org/carl/papers/ITA-s
I don't have my old texts with me here, but one of the texts by Papadimitriou has an excellent diagram of the relationship between complexity classes, and has a bunch "worse" than NP.
Of course, if you can prove things like P=NP, or similiarly break down barriers between the other complexity classes, there are big implications to the diagram......
Sam
SSID=public
or
SSID=free
or
SSID=freewireless
etc...
and
WEP = disabled
I like these...
2
http://www.compgeeks.com/details.asp?InvtId=123
Toshiba 5 GB hard drives, in PCMCIA format. Great for notebooks, compatible with PC-based pc card readers. Good for major projects or carrying around a lot of data. Also, you can have more than one to seperate out work or personal material associated with different projects / interests.
Sam
20001-1990 = 18,011 years.
That's a big survey !
My thoughts run two ways :
One - getting used gear / items (?) - Some items, especially electronics lose their smell after some days/weeks/months. With that, some compounds are freed / liberated / lost. The items can be cleaned of dust,etc..., but the initial breaking-in period will be done.
Two - getting a vent-hood. Here, I'm thinking along the lines of either (a) a kitchen vent, or (b) a chemistry-lab vent system.
This may help, it may not.
Regards-
Sam
I wouldn't exactly call them reviews, but I always look forward to getting my next article on SCO / The Caldera Group ! :-)