I agree, but I think it's a matter of triage as far as what to learn first. While disaster recovery and physical security are important, the likelihood of a broken pipe, chemical spill or fire is far less than that of a network-originated security breach, given a lack of attention to all risks. All of the skills that a CISSP is tested for are critical, but it's not really feasible to start with all of them at once, so I think that going for CISSP or the knowledge needed to be one is not the way to go.
I am a CISSP, and have worked with a lot of them also, and I can tell you that it, or its study materials, are not...NOT...the way to go. A CISSP exam only tests knowledge of the underlying concepts of security, at a very high level (and not just related to computers either...you have to learn things like "which of the following camera installation locations also requires installation of an auto-iris?"). You can learn a lot, yes, but very little of it will be what you want to know.
I've seen CISSPs who didn't know the difference between a penetration test, vulnerability assessment, or certification/accreditation. I've seen CISSPs who thought that a firewall was all that was needed to protect against outside attacks, and CISSPs who didn't realize that patching systems constantly isn't quite as simple as it may seem when it comes to a large environment, or one in which unstable third-party apps are hosted.
Yes, I am a CISSP. And I'm telling you that it's not a fountain from which you should drink if you wish to learn about computer/network security. It's not bad for a better paycheck, though...
First off, computer security is much like many other forms of security, at the concept level. The particulars of implementation are very different, but the underlying motives of the players and the interactions aren't. The infamous 419 scam was originally done in person, then by phone, and then by fax before it was possible to do it via email, for example, and lesser variants of it (the pigeon scam, for example) have existed in the offline world.
If you're looking to grasp home user or end user security, the first thing I'd do is buy The Gift of Fear by Gavin de Becker. Right off, that will give you a good understanding of intuitive threat modeling for everyday life. Unfortunately, I can't find a book out there that does home-user security for the average joe, nor can I find a class...but I am writing a book myself.
If you're interested in security from a more admin-oriented perspective, I would go to SecurityFocus and check out some of their mailing lists. At first, the material may be over your head, but you'll find that that only pulls you up a bit. Also, get yourself a linux box and learn linux (if you don't already know it). Set up a honeynet and see what's going to happen to an unpatched, exposed box. Or just set up snort with ACID as the front-end console to observe the attacks that are taking place. Once you understand the threat, it becomes a lot easier to decide what to study to defend against it.
The concept of the personal area network, connected by bluetooth, is finally implemented. Samsung will be releasing the first such device suite later this year, at which point things will probably start to come to fruition.
The problem is this: turning a PDA into a phone keeps it as a decent PDA, usually, but makes a terrible phone from a user interface standpoint...touchscreen buttons are a pain in the ass, and nobody wants fingerprints all over their PDA screen. And it's a pain to hold the entire damned thing up to your head all the time too. Phones with PDA functionality built into them suck because there's such a small screen and such a terrible interface from a PDA perspective...no handwriting recognition, no keyboard, and limited options for accessories. The problem is that what works best as a form factor for one blows dead monkeys as a form factor for the other, and as PDAs become even more powerful, the divergence will become greater.
So the best bet is to try to re-examine the total personal information and data exchange needs of a standard individual, and consider a solution based upon current technology, rather than technology from a decade ago. We now have larger, better screens, wireless headsets for cellphones, smaller phones, powerful PDAs, and a growing market of portable digital music players. And best of all, we now have a way to unite myriad portable devices wirelessly at short range using bluetooth.
I say that GM is half-right...the current way of looking at portable devices is not much longer for this world. However, they are also half-wrong...a "smart phone" is NOT the solution. The wireless personal gateway/bluetooth-enabled PDA/bluetooth headset/bluetooth file server are the solution.
Once homebrewing became legal again (which happened in the 80s, if I remember correctly), the homebrew industry started to regain strength. At this point, I wouldn't say that brewing is by any means a lost art...I've brewed hundreds of gallons at this point. The stuff is like zucchini...if you produce it, you produce a LOT of it...and let me tell you, nothing moves your data mining requests to the front of the line faster than giving the DBAs lots of homebrew! :)
I'm inherently distrustful of the ability of Berkeley students to grasp the hard realities of the real-world when it comes to business. I went to a less idealistic (and more politically/culturally moderate) business school, and I didn't grasp them well enough until I had a few years of reality under my belt. The technology might all be there, but that's rarely ever been the problem with any business.
I, like the person who wrote the article, live in DC, and have been bothered by a pre-recorded telemarketer...in this case, a "non profit" that seems not to exist except as a front to accept donations. I'd elaborate more, but I'm off to the courthouse now...:)
I subscribe to various lists that cover computer security. Some of them are well-established, and (should there be a rule for certain email uses to be exempt) would have little trouble attaining an exemption from the tax. However, other lists that spring up from time to time to address new technologies would have a much harder time, and would be quashed entirely by such a tax. When I think about lists that have come up with regards to wi-fi security, VPNs, and other such things, I can only imagine what lists would not come to be, or would only come to be with the support of wealthy vendors to bankroll them.
Yes, that's the one...that was the most interesting part of that article, I think...the way they showed what advertising was like in such a changed world. Color-coordinated suits, gloves, and gas masks, all under the Swatch moniker. And in the end, when the cure was developed, only one organization still had enough of a distribution network to disseminate it to the population...McDonalds!
Reminds me of an old Wired Issue... (on SARS and the Internet; Score: 4, Interesting)
They did a special issue back in the '90s, which was essentially a theoretical copy of Wired from about 20-ish years in the future. At any rate, one of the stories was about how mankind was almost wiped out by this horrific plague...which originated in China, interestingly enough...and the massive social change that resulted from it. There were two keys to developing a cure, in the story, one of them being that we'd cracked the human genome, which gave us an edge on understanding the virus' interaction with our DNA. The other key was the internet, because it allowed the remaining surviving researchers to collaborate without physical proximity or risk of contagion. You see, most of the medical research community had been wiped out when they gathered for an emergency global conference...the disease was horrifically contagious. I wish I still had a copy of that issue, it was amazing.
I'd love to know if they set their net too wide, and if so by how much. I know that when I email my parents (who have an AOL account...what can you do?), they sometimes don't get it. Of course, this might have something to do with trying to get them to look at naked celebs/buy mini RC cars/help Dr. Oooongaboonga and myself retrieve millions of dollars we swindled in Nigeria...
What do you need to encrypt? (on SSH or IPSec?; Score: 2, Informative)
SSH will only carry TCP traffic. If you need to encrypt anything involving UDP or ICMP (or anything else for that matter), you cannot use SSH to get the job done, except by adding on more clunkiness in the form of things that will encapsulate connectionless protocols within TCP sessions. At that point, you're no longer reaping the benefits of simplicity that come from using something like stunnel, and it's better to bite the bullet and become adept with VPNs (check out FreeS/WAN). On the upside, once you have VPN expertise in hand, you open up a new world of options for other things as well.
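The "clunkiness" the comment above refers to is what it takes to push connectionless traffic through a stream: every UDP datagram has to be framed so its boundaries survive TCP's byte-stream semantics, and the receiver has to reassemble frames across arbitrary segment boundaries, with head-of-line blocking as the price. The block below is an added example (not code from the original comment, and not part of any SSH or stunnel tool); it implements the simple 16-bit length-prefix framing that DNS-over-TCP uses, so the resulting stream could be pushed through an ordinary `ssh -L` TCP forward. The names `frame_datagram`, `StreamDeframer` and `tunnel_roundtrip` are this example's own.

```python
"""Length-prefixed framing for carrying UDP datagrams over one TCP stream.

Added example for the SSH-vs-VPN comment; not from the original post.
A real tunnel would send the framed bytes through e.g. `ssh -L` and hand
recovered datagrams back to a local UDP socket; here the TCP leg is
simulated by slicing the stream into arbitrary chunks.
"""
from __future__ import annotations

import struct

# 2-byte big-endian length, the same framing DNS uses over TCP (RFC 1035).
HEADER = struct.Struct("!H")


def frame_datagram(payload: bytes) -> bytes:
    """Prefix one datagram with its length so the boundary survives the stream."""
    if len(payload) > 0xFFFF:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return HEADER.pack(len(payload)) + payload


class StreamDeframer:
    """Reassembles datagrams from TCP chunks that may split a frame anywhere."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list[bytes]:
        """Append a received chunk; return every complete datagram now available."""
        self._buf += chunk
        out: list[bytes] = []
        while len(self._buf) >= HEADER.size:
            (n,) = HEADER.unpack_from(self._buf)
            end = HEADER.size + n
            if len(self._buf) < end:
                # Partial frame: nothing behind it can be delivered until it
                # completes (head-of-line blocking, which native UDP never has).
                break
            out.append(bytes(self._buf[HEADER.size:end]))
            del self._buf[:end]
        return out


def tunnel_roundtrip(datagrams: list[bytes], chunk_size: int) -> list[bytes]:
    """Frame datagrams, 'send' them as chunk_size-byte TCP segments, deframe."""
    stream = b"".join(frame_datagram(d) for d in datagrams)
    deframer = StreamDeframer()
    recovered: list[bytes] = []
    for i in range(0, len(stream), chunk_size):
        recovered.extend(deframer.feed(stream[i:i + chunk_size]))
    return recovered


if __name__ == "__main__":
    # Constructed sample datagrams, including an empty one and one larger
    # than a typical TCP segment slice.
    sample = [b"", b"x" * 300, b"hello", b"\x00\x00"]
    for size in (1, 7, 64, 4096):
        assert tunnel_roundtrip(sample, size) == sample
    print("framing round-trips intact for every segment size")
```

Even with this framing in place, a lossy UDP protocol now inherits TCP's retransmission and ordering, so latency-sensitive traffic (VoIP, game state) behaves differently inside the tunnel than it did natively; that behaviour change, more than the framing code, is why the comment recommends learning a real VPN instead of stacking encapsulations.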
NASA could probably sell this better to the current Administration if they ran with the bombs concept, and said that bin Laden might be hiding on the moon :)
Ok, so let me see if I got this right. Current (intensely clumsy) law enforcement deterrents are not working. So we should instead decriminalize hacking, and place the burden upon the victims to mitigate their vulnerability? How much more are you going to burden them than already is the case?
To me this is like responding to a rise in shootings by decriminalizing assault with intent to kill, and instead demanding that doctors and paramedics do a better job.
This is nuts. A $400 device that needs its own cellular phone account so that you can ask it to send you a snapshot when you feel like it? What the frick is the use of THAT? For less in hardware and MUCH less in recurring cost, I can put auto-refreshing pics from a webcam (like an Axxis) on my website and just look at the bloody page from a web-enabled phone. If I really had a hard-on for something clever, I could use the same gear (with enough wireless bandwidth to my phone/pda, that is) to actually watch live video. Why in hell would I pay so much more just to have snapshots on demand?
How do they know it's five spammers and not, say, ten? Nice to see George Moore in the list of known defendants though :)
One problem from the world of ice cream (on Gas Goes Solid; Score: 4, Interesting)
Heat shock, it's called. When the temperature of your freezer goes up by even a fraction of a degree (and it need not go anywhere near as high as 0 degrees celsius), some of the ice melts. When the temperature drops again, it re-freezes, but in a slightly different location. That's why ice cream (especially the really expensive stuff, that doesn't have many or any stabilizers like guar gum in it) will develop that coating of ice crystals after it sits in the freezer a while. The ice is migrating from inside the ice cream to the surface.
Now, what I have GOT to wonder is this...what effect might this have on ice pellets that contain lots and lots of tiny bubbles of methane??
The total amount of Hughes Electronics (the company behind DirecTV) that News Corp. will own will only be 35%. The 51% needed for true ownership isn't here just yet, even though it's clear enough that it'll probably happen soon enough anyways.
It has been claimed that much of the ado about DMCA is demagoguery, particularly with respect to restrictions on security research. While I do not in any way believe that the DMCA is a good law, particularly with regards to its flaunting of fair use, I tend to agree. Could you comment in greater depth as to the threat that the DMCA poses to researchers, and perhaps clarify this debate?
Visibility is only about half the problem when flying in a sandstorm. Sand getting sucked into turbines or jet engines (and damaging them), sand abrading the windshields of cockpits, and sand abrading the leading edges of aircraft (especially the rotor blades of helicopters) are even greater problems. Perhaps these are surmountable problems, but I wouldn't go saying that this technology would make it feasible to just go running into a sandstorm to do combat just yet.
Everything changes. Why is it that it's such a big surprise when we discover the possibility that there is flux in this, that or the other thing in nature? Just because we needed specialized instrumentation and technology to detect it, why should that mean that it's so unimaginable in the first place?
As a security consultant who has, time and time again, run into large AND small ISPs (t-dialin, wanadoo, etc) who are unresponsive to emails sent to "abuse@...", I think the notion of requiring them to be licensed and to HOLD them to certain standards of behavior is great. After all, why should they be like any other utility?
Does this seem like the same thing AOL did with that particular version of the Blackberry, only less useful?
And also...it is just me or does the picture of the columnist make him look like a guy who drives a pickup with a (heavily stocked) gun rack?
Now I can listen in to all those phone calls in Best Buy with a laptop full of Vomit!
Ok, this is creepy, in light of the fact that I love playing America's Army: Operations.