Check out the MythBusters episode about eelskin wallets and demagnetizing the strips on credit cards. They had to use a huge magnet source to have any impact at all. They even left some of the smaller sources (i.e. magnetic money clip) in contact with the cards for 24 hours straight.
One important fact that people fail to grasp is that the authenticating token is not your actual brainwave/retina/fingerprint. The bit that gets authenticated is a mathematical hash generated by the hardware reading of the biometric. I don't have to have my brainscan read by the Major League Baseball satellite, the MLB only needs to grab the hashed token off the wire.
Also, it is very easy to manufacture a fake finger using cellophane tape and gelatin. Granted, retina scans are harder, but the costs of stealing an authenticator go up roughly proportionally with the value of what's being protected. In many sites using retina scans as authenticators, there are motivated attackers who would think that stealing an eye is a small price to pay for getting access to the [bombs, drugs, secret battle plans, Duke Nukem Forever code]. So, the issue there isn't so much losing the authenticator, it's the relative ease with which someone notices that it has been compromised :-)
Granted, I am rather overtly paranoid, but did anyone else look at the last paragraph ("we would appreciate it if you could provide us with contact information for RuneLateralus") as a smooth attempt to get directly at the user without having to bother with a subpoena? I mean, come on. I'm Nintendo and I'm getting criticized for attacking the website when it was an individual who posted (ignoring the context for a second here). So, I want to go after the user, but I don't know how to send the SaD letter. This looks to be a pretty cool way of getting the info without having to pay^H^H^Hcontact a judge.
/me adjusts tinfoil hat and shuffles off muttering to self
Granted, it's not like I'm in a highly-influential government job, but I do work in Computer Security. As a low-level grunt with delusions of grandeur, I can certainly understand the feelings of frustration, particularly when people don't do the right thing (i.e. what I tell them to). Maybe those of us in the trenches just have the clarity to realize that the job is hard, there are no quick fixes, and trying to convince people who bought their computer the same way they bought their toaster is a really, REALLY hard job.
On the other hand, I've been doing this for 8 years, 7 years at my present company. Maybe the Baby Bush should hire me, since I'm not such a candy-ass :-)
I've been on 8x8 for about 6 months now. Service is good enough that I canceled my POTS service after about 30 days. Only had one instance without phone service after a lightning strike toasted the VoIP gateway, but 8x8 sent a new one right away and I could forward the calls to my work cell, so no big loss there.
We already had a cable modem and were going to keep it anyway, so I count that as a null cost. So, effectively my phone costs went from $30/mo for the local service with metered local calling (really crappy company) plus our long distance. Under 8x8's unlimited service, all my normal calls are just $20/mo and my wife's been able to switch off of calling cards to call China since 8x8's rate is $0.03/minute to call China.
All in all, if you've already got a cable modem (I hear that the DSL providers get a bit froggie if you try to cancel the POTS but keep the data connection), I heartily recommend switching to VoIP!
Time and time again, we've seen that having no security and knowing it is better than having bad security and not knowing it's bad (Maginot Line, anyone?). Most parents who will have their kids participate in this will think "Johnny's got the token, he's completely safe on the Internet" and ignore their kids' behavior even more.
Off the top of my head, a better solution would be to use the BMW-type car keys (the ones with the chips in them) and have the computer hardware require the presence of the key to be on (or have internet access, or whatever). That way, at least one parent must have approved of the usage and be physically present for the kids to use the Internet.
A large portion of the problem with protecting children is the parent's responsibility, not the government's, not the school's, and certainly not Verisign's. If the parents aren't going to monitor their kids and do their due diligence to make sure the kids are in safe places, then all the tokens/bar codes/subdermal chips in the world won't make a difference.
Due to the ubiquity of AOL and its pretty good stability, I've heard of financial businesses selecting AOL as a backup for the backup (i.e. redundant WAN connections, both backhoed and down for days, so a user dials AOL to transfer daily info to the XYZ partner). From what I've seen, this is pretty common for the big players (AOL, MSN, Earthlink, etc.).
What he said, plus the fact that users tend to notice the missing laptop bag and/or the missing keychain with their car/house key on it and report it. In particular, if every laptop gets issued with a SecurID, then every laptop that's reported missing has the corresponding keyfob flagged as stolen and a new one's issued to the user.
A company I work with has thousands of these things out. Very few problems of users locking themselves out, almost no fobs lost/stolen. When the fobs do go missing, we know immediately rather than having to notice the same user being logged in through multiple places in order to figure out the password's compromised. Heck, even the CEO uses one. If non-techie executives can do it, I'm pretty sure AOL business users who are deliberately paying more per month to have it will be able to figure it out.
Hmm. Did you actually read the fine article you posted? If you had, you would realize that all of the attacks fall into one of a few categories:
1) Targeting users of sdshell and a token card
2) Denial of service
3) Require access to the server network
#1 doesn't apply because this is using the keyfobs, not the token cards. The difference, you ask? Keyfobs generate a 6 digit number every six seconds which is appended to the user's password. Since the password is variable-length (per user), it ends up being much more difficult to guess. The token card has a keypad on it where the user enters their numeric pin which is mathematically merged with the 6 digit "random" number, creating a 6 digit code that's sent across the wire. Oh, yeah... The attacker also has to have access somehow to the data stream between the client and the AOL server during authentication, which basically requires pre-compromise of the client machine. You got that, why do you need to fake the auth? Oh, and the AOL plan isn't using sdshell. Other than that, sure it might work.
The second, the DoS attack, is old, and it's not like AOL hasn't dealt with DoS attacks before.
The third requires pretty significant access to AOL's server network, plus the ability to insert yourself into various server data streams. Again, if you've got that, why waste your time getting a user's PIN?
If you read the hacker rags closely, you'll find that the keyfobs auth is really hard to get around without having to do something else first (i.e. get the server key records). Everything I've read from the attacker's perspective is that, while it's technically possible in some circumstances to do an attack on the SecurID process, it's usually so damn hard that it'd be easier to attack some other point (i.e. dumpster dive for sensitive info, etc.).
At the risk of being a Troll, wouldn't those definitions include various people from the U.S. revolution? I mean, how about the Boston Tea Party?
- Premeditated
- politically motivated violence (if there can be violence against the Internet, there can be violence against tea)
- perpetrated against noncombatants
- done by subnationals
- to influence an audience
- international, as it was done in the colonies against Britain
Face it, the U.S.A. was founded by terrorists!
I guess my point here is that, above and beyond the lack of a standardized definition of "terrorist", it is also largely influenced by whose ox got gored.
While I guess I can understand NBC's position: they've paid enormously for this, so they should be able to try and make some of the money back. There's not very many people who would be up at 4 in the morning to watch a swim meet, but there's a bunch who'll watch the same thing in the evening. Trying to sell ads for $1 million per second at 04:00 would be a disaster.
What really annoys me, though, is being forced to listen to such blatantly political commentary. What am I talking about, you ask? During the opening ceremony, those morons doing the commentary for NBC made every attempt to point out the places where Islamic groups were "causing" strife. They couldn't seem to resist talking about the problems in the Sudan caused by the Muslims. They also made every effort to talk up how much the US has helped our little brown brothers we liberated in Afghanistan and Iraq, and had the gall to complain about the torture used by the Iraqi training program! I guess torture is OK in the name of national defense but not in the name of national pride.
For all the high-falootin' ideals that the Olympics supposedly stand for, it makes me want to puke every time I hear the American media make some snide comment so they can use the forum to propagate a political agenda.
Out of curiosity, how do you know you haven't been hacked? I mean, I keep track of my logs, watch disk space usage, don't keep the machine on all the time, run AV and spyware detection software, etc., so I'm pretty confident that no one pwns my box, but if I didn't do any of that, particularly the log file monitoring, it would be pretty tough to tell whether I was hacked or not.
Granted, if you were hacked, you'd probably notice performance degradation and get errors about your FTP directory's drive filling up because of all the warez, but I still get a kick out of people when they say that they've never been hacked and they haven't been paying enough attention to their system to actually know.
Granted, I am ultra-paranoid, but I run a combination. I use the hardware firewall to deal with most inbound attacks, and then I also run a software firewall (Kerio for technical users who understand networking, ZoneAlarm for my father) to keep track of what software on my PC is doing. Really good for stuff like that crappy Real Player that constantly wants to phone home. Also keeps track of executable checksums to let me know if a program has been replaced. Sure, it's a bit noisy when setting up the software firewall, but once it was properly configured, I almost never get messages from it that I'm not expecting.
I've been reading through this, wondering when someone who's been paying attention to recent password attacking research would post this. I've used the open-source rainbow tables stuff, and now @Stake is selling their latest version of L0phtCrack (renamed LC5 for political correctness purposes) with rainbow tables included. This technology does work as described.
Static passwords are no longer acceptable. Period. If you have a resource worth authenticating for, then strong auth (PKI, SecurID, one-time pads, etc.) should be mandatory. If you can't, STOP USING UNENCRYPTED PROTOCOLS! It astounds me that companies that have bought in on firewalls, IDS, antivirus, SSL certs for web servers, etc. are still using telnet and FTP for critical business data! Saying that you can't sniff on a switch is a lie, just check out ettercap, which allows an attacker to poison ARP caches to force traffic to run through a system of the attacker's choice.
BTW, IAACSA (I Am A Computer Security Analyst)
Re: A nuisance in corporate LANs, on 802.11 Security · Score: 1
<sigh> I deal with this argument practically every day. Yes, security is inconvenient, but how inconvenient was it for Microsoft to have part of its codebase stolen by a hacker who got in through a poorly-implemented VPN solution? How inconvenient will it be for a doctor's office (in the USA) to explain to the Feds that they didn't pass HIPAA and lost patient AIDS treatment data because they thought that doing IPSec was too hard?
The simple fact is that there are often very few REAL business cases for wireless in the corporate environment short of "Gee, wouldn't it be cool if I could pick up my laptop, walk into the conference room, and not have to log off of my email and IM session?" When compared to the user convenience vs. protecting vital corporate assets question, in my book, I don't even see the value of 802.11 in the first place.
Languages change over time. No one during that time period likes it, but it's a simple fact. Ask your parents about the slang that they used that their parents hated, chances are that there are words that are now common usage. If you go even farther back, you'll find that "English" was barely recognizable.
For example, the line from Chaucer in Middle English, "The tendre croppes, and the yonge sonne / Hath in the Ram his half cours yronne," while somewhat recognizable today, is still obviously not the same. Even further back, to the time of Beowulf (the story, not the cluster), and you get "HWÆT WE GARDE / na in geardagum eodcyninga". Believe it or not, this is still considered a form of English, albeit Old English.
The modification of a language over time is both normal and, unfortunately for us old-timers (I'm 30), traumatic. G3t 0v3r 17 :-)
Two stories to demonstrate this. My father wanted to be an artist. He loved (and still loves) music, painting, and literature; it consumed his life as a kid. His plan was to move to some artsy community, like Minneapolis (yeah, we're from the Midwest, get over it :-) and live the Artist's Life(TM).
Before that happened, he met my eventual-Mom. She's a small-town girl who never really wanted to leave the town she was born in. Being in love with her, they got married and he chose to stay there because that's where she was going to be. As the family started, he got a job doing what he could since he lacked that all-important piece of paper from a college. He spent the next 30 years of his life working in a job he hated to support his family. The older I grew, the more I understood how hard it was for him, particularly after I started reading the stories he'd written and realizing that he'd painted all of the paintings in the house.
Now that he's retired, he's on the Internet constantly. It's allowed him to get in touch with people with similar interests (James Joyce, in particular) and he's helped several doctoral candidates with their theses and edited a couple of books for the "experts" prior to publishing. He's finally happy and able to do what he wants to, even though he never made it to Minneapolis.
Now, me, on the other hand, I knew what I wanted and, since I'd seen what "settling" did to my father (at the time, that's what I felt he'd done), I swore to myself that I would never allow that to happen to me. I was going to be a musician, come hell or high water. Throughout high school, I got to the point where I was practicing often 8 hours a day because I knew it was necessary to get There, wherever that was.
Then, life interfered and my personal circumstances changed. With the sudden shock, I stopped and thought about my life and realized that being a musician as a job didn't really bring me any happiness, so I abandoned my music major. I floundered around for several years, eventually ending up with a nearly worthless degree (I won't mention in what, for fear of the flames), but I had the Sacred Parchment, and I'd managed to work a bit in the computer labs at school, too.
Since the computer thing wasn't bad and they tended to pay well, I kinda fell into that. Over the course of the next couple of years, between getting married, lots of arguments, getting laid off one month after closing on our first house, working as a conslutant and just trying out jobs at a big corporation that sounded interesting, I've finally gotten into something that I really, really enjoy. And it has nothing to do with music and even less to do with what I got my degree in.
I guess that the point of this cathartic, rambling, bullshit is this: when we started out, neither my father nor I planned on where we would end up and the plans we had actually caused us some amount of grief because we kept focussing on how much we weren't on track. Long-term plans are great mind games, but when it comes to actual implementation, life has a tendency to interfere.