I personally have an oscilloscope hooked up to my network as an IDS. I have been staring at it for 3 days straight now as my co-worker has been off. Still haven't seen any computer attacks yet, but I will be ready!
You can connect into the serial port (same cable as most phones use) and then use putty to serial in on the 2 higher end devices. It is very nice and works well. You can also use SSH once it is all set up. I have the older unit.
I have their older 700MHz unit (single core) with 2 GB of memory that I bought not too long ago (of course, that is how it always works). So far the unit has actually exceeded my expectations and is a lot of fun to play with. For me, I wanted something that I could install Kali Linux on (the successor to BackTrack Linux) to do some simple types of attacks on a network (I teach an information security class part time at a community college).
First what I don't like:
The shipping comes from Israel. The price of shipping is $30, which raises the cost of the product.
That they came out with a new one shortly after I already bought one that includes a lot of features I wanted.
What I like:
Gigabit ethernet
They have this thing called u-boot which is pretty slick. You stick a file on a USB memory stick and stick it into the top USB port. Connect the Ethernet and then boot up, and it asks you what OS you want to install. You can select Ubuntu, openSUSE, Fedora, XBMC and a bunch more and it just installs them to the SD card. Very slick.
It has the ability to serial into the unit so you don't have to set up a mouse, keyboard and monitor to install OSes. Works fine in Linux and Windows (with PuTTY).
I can then do SSH X forwarding really easily from the network if you want a GUI.
I have been able to run a slew of Python things on it and the performance is reasonable. I really have been having fun with it.
My favorite example of this is Best Buy. Best Buy online now has prices that sometimes beat Amazon, particularly on games, but their stores do not. I went online and saw Best Buy had an item for $30. Went to the store and it was $40. I was then told that Best Buy doesn't price match their own website, wtf? So from my phone, I ordered it and did the pick up from store option. Told the person that I got it online and they went back, retrieved the item for me and I walked out paying $10 less.
This vulnerability is in a TON of software. Python 2.X (which most people are still using) doesn't even allow you to verify the CN without adding a bunch of code to make it happen yourself.
http://bugs.python.org/issue1589
Most APIs allow you to do it both ways, but I think it is time that they stop making it optional. If you want to use SSL, use it properly otherwise it isn't worth wasting your time with it.
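The check the comment above says Python 2.x left to the caller is matching the server's certificate against the hostname you meant to connect to. The following is an added example, not code from the commenter or from the Python project: it implements that match over the dict shape `ssl.SSLSocket.getpeercert()` returns (subjectAltName dNSName entries first, subject CN only as a fallback, wildcards limited to one leftmost label), shows the modern context that does this by default, and includes a small check for the weak "verification off" configuration. The certificate dict is constructed for the example.

```python
import ssl
from typing import Any, List, Mapping

# Constructed sample in the shape getpeercert() returns (not a real certificate):
# subjectAltName is a tuple of (type, value) pairs; subject is a tuple of RDNs,
# each RDN a tuple of (attribute, value) pairs.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname in the RFC 6125 style:
    case-insensitive, and a single '*' may stand in for exactly one leftmost
    label (never part of a label, never the whole name, never '*.tld')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: Mapping[str, Any]) -> List[str]:
    """Names the certificate is valid for. SAN dNSName entries win; the subject
    CN is consulted only when the certificate carries no SAN DNS names at all."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def match_hostname(cert: Mapping[str, Any], hostname: str) -> bool:
    """True if the peer certificate is valid for the hostname we intended to reach."""
    return any(_dns_name_matches(name, hostname) for name in cert_dns_names(cert))


def make_verifying_context() -> ssl.SSLContext:
    """Python 3 client context: chain validation and hostname check both on by default."""
    return ssl.create_default_context()


def context_skips_verification(ctx: ssl.SSLContext) -> bool:
    """Flag the weak pattern: no chain validation, or validation without a hostname check."""
    return ctx.verify_mode == ssl.CERT_NONE or not ctx.check_hostname


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com", "evil.com"):
        print(host, match_hostname(SAMPLE_CERT, host))
    print("default context skips verification:",
          context_skips_verification(make_verifying_context()))
```

With a live socket the same check runs as `match_hostname(sock.getpeercert(), intended_host)` after the handshake, but with `ssl.create_default_context()` the library already performs it and raises `ssl.SSLCertVerificationError` on mismatch; the explicit version is only needed on interpreters that lack it.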
http://www.androidauthority.com/t-mobile-carrier-strategy-dual-4g-164618/
T-Mobile is rumored to be doing just that. They already kind of do with their value plans and having you bring your own phone. We switched to it recently from Verizon and bought two Nexus 4 phones. I have calculated that if I keep the same phone for three years, which I feel is reasonable, we will have saved $1200 over the three year period. The only issue is we had $750 to lay out up front, which most people probably don't have. Our new plan has 1000 minutes, which we will never touch, vs. Verizon's unlimited, and 2GB per phone vs 2GB shared on Verizon (a mark we probably would have broken occasionally). So far the coverage has been fine, but we live in a major metropolitan area so I have no idea what it is like outside of that.
The real question should be... what games do you want now, and in the future. Just getting all games to work that I want now doesn't really help me when Awesome cool game 15 comes out and I really want it.
This is coming from a person who has been using Linux for years.
When the developers leave and there is no documentation and the thing blows up... no one will know how it works. Handing the product and the documentation off to someone else provides a final check on the documentation to ensure that the documentation doesn't suck. Developers tend to know their product intimately and therefore will be likely to leave out steps in the documentation, because they know how to do it anyway. I have seen this a number of times. When they leave it takes reverse engineering to figure out what was done. I am a big proponent of documentation. Here is how I think it should be done:
1. Development happens where they are able to test using a test environment.
2. Developers hand off everything to the System Admin (SA) who will install it. They then install it on a test environment as well. If issues are found, work with the developers to solve the issue, correct the documentation and proceed to step 3.
3. Install in production.
The only issue with this is steps 1 and 2 can sometimes become filled with accusations. SAs think the product sucks and developers think that the SAs are idiots who need everything spelled out for them. It becomes a lot worse when the developers are contracted out (which is common). This needs to be avoided; both parties should see themselves as working together to create a better product.
It exists in the DoD: all contractors are rated yearly in a process called CPARs (I think it is Contractor Performance Assessment Review). The basic idea is that each contractor is rated, and then in all future contracts this rating is considered. They have formulas that take into account cost, CPAR, and other methods (I don't think that this is the best way to do this). The CPARs are a very big deal to large contractors, because a bad rating will harm all future contracts. I feel like smaller companies care less because they can simply just become a new company.
I personally have a Master's in Information Security and Assurance that was given by the Computer Science department, which meant that it had a lot of programming in the curriculum. I also have a CISSP and a few other certs, some security related and some not. I can say for this field that CISSP is far more valuable and took far less time to obtain. When I got my Master's degree I can't say I saw a large upswing in LinkedIn activity. I got my CISSP and LinkedIn went crazy, sometimes to the point of being annoying (which is a good problem to have). Now you can blame this on recruiters just searching for keywords, but that is how it is. Many jobs require CISSP; I don't think I have ever seen anything that required the Master's. My Master's I am sure would help me if there was a competitive position between two people, and I am hoping that my Master's will help me in the long run more. Obviously your mileage will vary depending on location, chosen field, etc.
It is that you can tell the truth, and still completely misrepresent the information. To see how this works, I will defer to Jon Stewart... http://www.huffingtonpost.com/2012/07/26/jon-stewart-you-didnt-build-that_n_1705264.html
Recently I saw someone post on Facebook "how ridiculous it was that Olympians needed to pay $9K in taxes to the US". I thought... man, that is ridiculous, I am sure very few athletes are going to go and sell their medals, though some athletes would have difficulty paying for that tax bill. Then I do 5 seconds of Googling and find out that they are paid $25K for each gold medal, and are simply paying on that... to top it off, to pay that the athletes would need to be in the upper tax bracket, meaning they aren't struggling for cash. In other words, it is simply income and therefore they need to pay taxes on it. I mentioned it and they commented back thanks, that makes more sense, though usually people get pissy because it doesn't fit with their ideology. Then you find out that Romney, Fox News and everyone trying to convey that taxes are evil are repeating this same misrepresentation of the facts.
Yes because Unix is inherently secure with magic pixie dust. There is nothing special about Unix that makes it secure. Just because the implementations tend to be more secure (which in some cases is debatable) doesn't mean all Unix systems are secure.
Most attacks aren't even against the kernel anyway, they are against the applications that run on top of the kernel and there is little that "Unix" does about that. Linux, Windows, and now Mac (though most people agree their implementation sucks) use things like ASLR to make vulnerabilities harder to exploit but that has nothing to do with its Unix heritage.
No problem with being the best at something and trying to sell it for more, that is called healthy competition. The problem is Apple is trying to put the flank steak people out of business by saying that they are the only ones who should be allowed to BBQ. They are saying that they invented the beef and the BBQ and no one else should be able to do this. Just because you are good at perfecting something doesn't mean you should take credit for inventing something and claim broadly that no one else should be able to make any product remotely similar to yours.
The rule in security is one thing.... if I can touch it, I can break it... period. The problem with the voting process is you have to trust A LOT of people who all have very mixed motives. These machines need to be transported to their polling place, set up by humans, then used by people. And to top things off, there is a lot of payoff if you can tamper with these machines. Voting also has a major problem: you don't want to be able to monitor them. Securing these systems well (not perfectly) could be done and the damage could be limited when they are tampered with, but it just isn't monetarily practical nor does it fit in well with democratic ideas such as anonymous voting. Implementing policies such as "a device must be locked in a secure location at all times in a box that requires multiple keys to open and is guarded by at least 2 people" would help fix a lot of the problems but would make the process so ridiculously expensive it would be insane. The answer to "securing" the vote is TO NOT TRUST THE MACHINES. Something simple like a printout that the user is given, that can then be verified by the user and is then run through a well guarded tally device, would go a long way to fixing a lot of the problems.
All packages are signed by Fedora or whichever distro it is, and unless you turn off the gpgcheck feature it won't install a package that hasn't been signed. The gotcha is that if you can steal Fedora's GPG key or somehow create a collision attack, they are also screwed as well, so they have the same issue.
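Since the protection described above is only as good as the `gpgcheck` setting in each repository definition, a defender's first check is whether any enabled repo has it turned off or never set. The following is an added example, not the commenter's code and not a Fedora or yum/dnf tool: it parses the standard `.repo` ini layout with `configparser` and reports enabled sections whose packages would be installed without a signature check. The repo text, the `example.invalid` URLs and the `RPM-GPG-KEY-example` key path are constructed; `default_gpgcheck` stands in for the global `gpgcheck` in `yum.conf`'s `[main]` section, which a section without its own line would inherit.

```python
import configparser
import glob
import os
from typing import List

# Constructed sample .repo content (not a real file): one safe section and two weak ones.
SAMPLE_REPO = """\
[fedora]
name=Fedora
baseurl=https://example.invalid/fedora
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[vendor-tools]
name=Vendor tools (signature checking explicitly disabled)
baseurl=https://example.invalid/vendor
enabled=1
gpgcheck=0

[legacy]
name=Legacy repo (gpgcheck never set)
baseurl=https://example.invalid/legacy
enabled=1

[disabled-mirror]
name=Disabled repo, ignored even though gpgcheck is off
baseurl=https://example.invalid/mirror
enabled=0
gpgcheck=0
"""


def weak_repo_sections(repo_text: str, default_gpgcheck: bool = False) -> List[str]:
    """Return the ids of enabled sections that would install unsigned packages:
    gpgcheck=0, or no gpgcheck line while the global default is off."""
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    parser.read_string(repo_text)
    weak = []
    for section_id in parser.sections():
        section = parser[section_id]
        if not section.getboolean("enabled", fallback=True):
            continue  # a disabled repo is never consulted, so it cannot install anything
        if not section.getboolean("gpgcheck", fallback=default_gpgcheck):
            weak.append(section_id)
    return weak


def scan_repo_dir(directory: str = "/etc/yum.repos.d", default_gpgcheck: bool = False) -> List[str]:
    """Scan every .repo file in a directory; returns 'file:section' for each weak section."""
    findings = []
    for path in sorted(glob.glob(os.path.join(directory, "*.repo"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for section_id in weak_repo_sections(fh.read(), default_gpgcheck):
                findings.append(f"{os.path.basename(path)}:{section_id}")
    return findings


if __name__ == "__main__":
    print("weak sections in sample:", weak_repo_sections(SAMPLE_REPO))
    print("weak sections on this host:", scan_repo_dir())
```

Pass `default_gpgcheck=True` when the host's `yum.conf` sets `gpgcheck=1` globally; only the explicitly disabled sections are then reported.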
$900 a month? That is cheap to me! I live in DC and am paying not quite double that and I know that there are some areas that are even more! I think $900 a month is about average for most major metropolitan areas.
Just out of curiosity, do you have to travel a lot with your job? I do Security Engineering now and have done IDS and log monitoring in the past, and was thinking that I would enjoy incident handling, but the thing that has kept me out of it was the 100% on call, get on a flight now to fly who knows where.
When you purchase something like professional services for a new system, you need to make sure that throughout the process you are receiving and own all the code and documentation and have at least a high level overview of what is going on. Too many people just say "Make this XYZ system for me, here's money to do it" and then expect to be barely involved with the process from there on until the product is done.
Not really unfeasible... reflashing an Android phone really just requires selecting an image from an application and rebooting. It shouldn't be required, but it's a pretty trivial problem to resolve.
Military uses user based certs. This means that every time a user throughout the entire DoD organization is fired/quits/changes jobs/changes names/etc., they have their certificate revoked. This means they are probably revoking hundreds of certificates per day. Generally, you need to update your CRLs about once a week at a minimum, though they prefer that applications use OCSP, where a query is sent in real time to the CA to see if the cert has been revoked, for this reason. So, flashing isn't a very reasonable thing to do once a week or more, especially when the product takes an hour to flash.
Yeah, this has been my experience as well; it is amazing how quickly you get a person who knows what they are talking about. It is a fresh relief from the usual "did you try turning it off and on". Half the time you are thinking, I know more about your product than you do, kid! Red Hat is not at all like this. They get you to someone who knows everything about some little facet that you are having an issue with.
If you ask nicely enough maybe they will do something about all their problems. What needs to happen is Mozilla needs to get with Microsoft, Chrome, Apple etc. and say unless you submit yourself to an INDEPENDENT audit you will be revoked from our default trusted root certs. SSL has been destroyed, not because of protocol problems but because of the companies running the show. It was a race to the bottom from the beginning: who could provide the cheapest service and make the most profit off of it. This model doesn't mesh well with security and never will. Once one company operates their systems cheaply, everyone else must follow so as to maintain low prices.
As someone who has gone to Defcon myself and works in the security industry, I don't think I would send my (presently non-existent) kids to this. While I have no qualms about Defcon teaching these items, I feel like kids don't have the ability to understand the ramifications of their actions, which is why we try them differently in court. Once they get out of this class, what are they going to be able to do with their newfound ability to pick a lock? They can't get a job as a pen-tester or some other legal activity, so the only thing that they will use this skill for is illegal. Also, the general atmosphere for Defcon isn't very conducive to children, with the whole hotel being drunk, loud music playing and people partying all night. Maybe I am not even a father yet and I am already too conservative.
Canon All in one. The printing works easily in Linux. You install a driver and it just works in Ubuntu. I never got the network scanning to work in Linux though. Works well in Windows as well. I don't use the wireless option (it is hard wired into my network). I have heard people complain about the wireless strength in reviews. http://www.amazon.com/Canon-imageCLASS-MF4890dw-Wireless-Monochrome/dp/B008YD1V76/ref=sr_1_2?ie=UTF8&qid=1382541608&sr=8-2&keywords=canon+all+in+one+laser+printer
I didn't see him advocating getting rid of copyright, therefore even without the patent law, he still couldn't "pirate".
http://motherboard.vice.com/2011/12/16/dear-congress-it-s-no-longer-ok-to-not-know-how-the-internet-works I mean, they are currently debating how they can engineer a solution to redesign DNS on the Internet! These guys are geniuses! I am proud to be able to have these people represent me!