Slashdot Mirror


User: funk49

funk49's activity in the archive.

Stories: 0
Comments: 25

Comments · 25

  1. Re:Block them at the firewall. on The World's Top Cybercriminals · · Score: 1

    Yes, what a fantastic idea...because there aren't MILLIONS AND MILLIONS of friggin' zombies out there running proxies that they could connect from. I definitely think you missed your calling as a Security Admin.

  2. Re:I really don't see why on IT Certification Less Important Now? · · Score: 1

    As you said, the CISSP is supposed to be geared towards management. It's the "500 ft view" InfoSec cert as opposed to the "50ft view" ones like the SANS and other analyst courses. I feel it serves its purpose fairly well. Yes, someone who is a CISSP most likely wouldn't do an audit but would be managing the CISA/CISM/GIAC that *WOULD* be doing the audit. Working as intended IMHO.

  3. Information Security as an option? on The Future of IT in America? · · Score: 1

    Get into Information Security and stop worrying about your industry being outsourced. The PHBs and other ilk are usually reluctant to outsource security operations offshore. Look at all the SOX and HIPAA regs out there now and you'll see why your job wouldn't get outsourced. The worst you have to worry about is working for a company that decides to replace you with managed security services. Big deal...

    Become a coder and at some point, someone else in a cheaper place will code it for cheaper. It's a vicious cycle you can't escape.

  4. Re:A Different Test on U of Wisconsin's Mac OS X Security Challenge · · Score: 1

    All the noise about Windows getting hacked 4 minutes after it was connected to the net was due to lack of firewalling and vulnerable services - turn on firewalling and the vulnerable services are no longer accessible. What does that prove? Nothing - they didn't magically become secure. OSX probably has fewer vulnerable services (active or not) but that was not the point.

    I know one large security vendor with what is likely the best R&D department in the world that PWNED Windows SP2 machines running the firewall as early as the alpha release. The security that is provided by the MS FW is a smokescreen at best.

    There are too many threat vectors in Windows to make the default FW effective.

  5. Re:Might not be illegal but it's bad form on Professor 'Packetslinger' Assigns Questionable Task · · Score: 1

    Yes, blacklisting is a great idea except for the fact that the really good fux0rs are most likely using the machine as an "island hop" and the only people you are really affecting are the innocent people that might want to come to your machine/network for whatever reason. Yes, I know...it's the responsibility of the ISP to keep its networks clean, but you know that ain't going to happen with the GAZILLION bots and botnets out there.

  6. Hemp Seed Pill on Kids Build Soybean Fueled Sports Car · · Score: 1

    While I applaud the efforts, the Model T was built with hemp and designed to run on hempseed oil. The harvest period of hemp is a fraction of the soybean crop and no pesticides are needed. Meh...

  7. Re:Why is WoW Any Different? on Next World Of Warcraft Raid Dungeon · · Score: 2, Insightful

    At that point I stopped playing EQ and didn't mess with any of their competitors. But everything I'm hearing about WoW is that it seems almost identical to Everquest. It has all the same problems that plagued EQ. So what makes it a big deal? Is it just new and different eye candy but the same design? Same group sizes; same raid setup; instanced zones; epic weapons; everything?

    That's because the asshats at Blizzard hired away the guys from SOE who worked on EQ2, which in turn brought their idiotic philosophy of "40-man raids or nothing" to WOW. The original developers of WOW are long gone, and so is Blizz's original vision for the game. All it is now is a much more cartoony version of EQ with instanced dungeons and lame-ass PVP.

  8. My 2 Cents... on RPGs In The 'Real World' · · Score: 1

    It's fine...learn2play n00b.

  9. Re:Markets always trump cartels eventually on President of RIAA Says Sony-BMG Did Nothing Wrong · · Score: 1

    Bands get crap contracts because most musicians aren't savvy enough to be engaging in practices that involve "signing contracts". It's surprising to see how many bands will get the lamest attorney possible in order to save an almighty buck. During the signing process, labels will attempt to completely screw the bands over...it's up to the band to decide how much they want to get bent over.

    One classic example. Back in the late 90's, Sony decided it was in their best interest to register domain names of its artists if they were available in order to prevent the artists from making money on the few ways they can...merchandise. They also tried to include asinine stipulations into their contracts where they demanded portions of profits from merch sold on the website. No one was falling for that shit but if you're a new band and you agree to that, then you get what you deserve. The two bands you know of that turned down major label contracts are idiots. All they needed was a good, knowledgeable music attorney, one that knows standard signing practices.

  10. Re:Markets always trump cartels eventually on President of RIAA Says Sony-BMG Did Nothing Wrong · · Score: 1

    I hate myself for saying this...defending the labels, but the reason why the labels get that $1 is they are the ones that put up the capital to develop (sic!) the artist. This includes recording, distribution, radio promotion, touring, etc. Granted that a lot of the things I just mentioned get strapped back to the artist as recoupable charges, but the label still goes out on a limb to put the cash into what they believe will make them money back.

    The reason why labels are fighting the alternate distribution methods (Internet downloads, etc.) is they don't have the vision to figure a way to stay in the game and see it as a huge threat. The digital model takes them out of the distribution game altogether.

  11. Wells Fargo has BOA beat by a mile! on Over Half a Million Bank Accounts Breached · · Score: 4, Informative

    Wells Fargo has *THE* worst security of all the large financial institutions.

    Last year, I received a notice that my personal info was on a system of theirs that was compromised. I called the customer support number given and inquired about what happened. Turns out, a laptop at a billing facility (yeah, I know...a laptop) was stolen along with a few others in a physical security breach.

    On that laptop was the personal info (SS numbers, addys, everything) of 300,000 account holders. Yes, that's right...300,000! Worse part is that this same scenario has occurred 3 times in the last 2 years!

    Wells Fargo's CSO and CISO should be flipping friggin' burgers instead of providing security as they are setting the standard for how bad you really can be.

    Hey Wells Fargo asshats, ever heard of getting some kind of policy and compliance audits going?

  12. Non-News Item on Cisco Source Code Up For Sale: Only $24,000 · · Score: 2, Informative

    Really, I really don't understand why this is a big deal. Anyone worth their salt in trying to take the code and develop the 'sploits doesn't need the source to get 'em. Many groups out there have already reverse-engineered the OS without the source and have plenty of 0-day exploits for the PIX, as well as Checkpoint and many other vendors. These groups are commercial R&D groups as well as hackers.

    Between all the 0-days for Checkpoint and PIX, I honestly don't understand why anyone in their right mind would want to use these firewalls. This source offer is for eager script kiddies and nothing more.

  13. Ridiculous Lawsuit? on Spitzer Takes On Record Industry Payola · · Score: 1

    I'm all for a good RIAA bashing as the companies deserve it, but this lawsuit is the stupidest thing I've ever seen. The indie promoters are basically defunct now anyways. This lawsuit is about 8 years too late, when everything was back in full swing. Lots of indies (HITS, McCluskey, etc.) aren't doing that great because the labels have pulled the budgets.

    This suit is a wild goose chase, pure and simple.

  14. Re:Mod down that troll on Google Desktop Search Under Fire · · Score: 1

    How is developing a program for an OS that enjoys 90% - 95% of the marketplace considered, "In Bed with MS"?

    Microsoft developed their OS's with the intention of allowing applications better access to the kernel/OS. This is the primary reason for all the ridiculous security holes. Google has just developed an app that will search out and correlate all the data that is requested, that any user could get themselves.

    By the way, grep and locate work on Linux and nobody is having a fit about those tools.

  15. Re:EnCase Enterprise on Spyware/Adware Prevention In Large Deployments? · · Score: 1

    This is much different than a keylogger. It's a client/listener app that allows the Enterprise Server to connect and run investigative processes. You have a working baseline of all allowed processes and programs that are hashed with an md5. If the server detects a client with a prog running that isn't part of the md5, it signals an alarm to an admin to further investigate. This is only one function that it performs.

    In regards to spyware not being allowed...employers are free to fully search and seize an employee's computer if the 4th amendment is waived via employee policy that is signed during the HR employment signup. Most corporations are smart enough to include this in their policy, otherwise they have no rights to employee's machines and the subsequent right to search. This would leave them pretty much defenseless in subjecting an employee to a meaningful internal investigation.

  16. EnCase Enterprise on Spyware/Adware Prevention In Large Deployments? · · Score: 3, Interesting

    Depending on your budget, try EnCase Enterprise by Guidance Software. EnCase is the forensic program/application used by the US Govt and also by most local and foreign law enforcement investigators as well.

    The Enterprise version takes forensics a step further, utilizing a client listener app which runs on the desktop and after establishing a baseline of permitted apps, can be used to detect and counter malicious apps running on the LAN and WAN as well as imaging drives realtime for investigative purposes.

    Investigations have been performed from halfway around the world with the click of a button. Another selling point to the PHB's is that it can be used for HR investigations as well, making it an easy ROI for most companies.

    http://www.encase.com/

  17. Re:Umm.. on Halo 2 Available on the Net · · Score: 2, Insightful

    umm...because it ruins the marketing plan that they had designed for this launch. Bungie devises a plan around the launch date (print, television, video, etc) and they focus on the timing of the date and how all of the aspects of the campaign tie in together.

    This is the same reason that U2 was going to release their album early if the stolen version made it onto the internet. It ruins the way the company can market the record and can effectively promote the singles in the correct order at radio. In effect, it takes all marketing control out of the hands of the company.

  18. Re:yep! on New Worm Installs Sniffer · · Score: 2, Insightful

    There were a lot of rumors floating around the BH and anti-viral community about CodeRed being written by the Chief Hacking Officer at eEye, Marc Maiffret. I've always suspected that is what the companies do. That's how ISS justifies its subscription model for sigs...X-Force creates craploads of major 0days.

  19. Re:What is the Fed? on Federal Reserve To Use Internet For Money Transfer · · Score: 1

    And don't forget that after FDR closed the banks for 6 days and confiscated all of the gold when he first took office (ala Trading with Enemies Act), the US had in possession 85% of all the mined and refined gold up until 1955. Pretty scary... This is why we had such a huge economic boom until the real Welfare state was created by Johnson.

  20. Save your Money & Your Eyes...fix them yoursel on Experiences with Laser Eye Surgery? · · Score: 1

    Save the newly acquired cash and the possibility of problems by going the natural route. There are exercises that you can perform a few minutes a day that can completely restore your vision. I also hear the military had people with bad vision do this during WWII to get around the sight requirements. Check the link below:

    http://www.rebuildyourvision.com

    Good luck and if you go the surgery route, get a good doctor.

  21. I have an idea... on New Hiptop (Sidekick II) Photos · · Score: 3, Insightful

    How about a phone that acts like a phone? I know that the issue is primarily with the telecoms but jesus h. christ...when will someone invest money in making the networks better. At this rate, in 5 years I will be able to remotely cook my food with my phone. I would settle for a phone that has excellent clarity and doesn't drop out. Now that's the phone I want.

  22. Beowulf Cluster possibility? on First Linux-only Retail Store? · · Score: 0

    Maybe they can work out a franchise model and create a Beowulf Cluster from all the participating car washes/computer stores? Huzzah!! Serious number crunching and armor-alling for everyone!!

  23. Possible Punishment on AOL Employee Arrested in Spam Scheme · · Score: 1

    I hope his punishment includes the jailer "jacking up the jail and throwing him under it". Seriously, if this was the EU, he would seriously be screwed. Why does the US think privacy is such an unimportant issue (CAPPS II anyone)??

  24. Re:Record labels are still up to their old tricks on Labels Find New Method of Payola · · Score: 4, Interesting

    I'll do you one better. The label promo dept decides they're having a hard time working the album at radio. So the band goes out on tour, and the label promo guy, in collusion with the band's manager, sets up a team of kids around the country to go into record stores to buy the album. The retail stores report sales to radio and then the radio station either adds or bumps up the airplay because they think this is a "HIT". The kicker... the expense that is used to buy the artist's albums is then billed back to the artist. The artist is paying to "buy" their own albums. This tactic has been going on since Elvis Presley was selling records. Luscious Jackson's career was built on this.

  25. Re:Q - Debian? on Dealing With Bad Service From Dedicated Host Providers? · · Score: 1

    Looking for a secure OS? Try OpenBSD 2.8. Not a remote exploit in 3 years!! You run through the install in like 10 minutes and when you're done, you have a lean OS that has had a line-by-line audit done of the kernel with all overflows and vulnerabilities removed. Ships standard with OpenSSH 2.5. No stupid security issues out of the box, like rstatd which affects Solaris and Linux alike. All ports come locked down. This OS is a must for anyone needing to sleep at night and for people who don't feel like spending all your time doing security updates. www.openbsd.org for more info