Slashdot Mirror


User: Minupla

Minupla's activity in the archive.

Stories: 0
Comments: 687

Comments · 687

  1. Re:some things for any judge to consider on Simple Rogue WiFi Hotspot Captures High Profile Data · · Score: 3, Interesting

    An open network connection at a security conference. That's either a honeypot or a freebie.

    This. At the security conference I attend (defcon), assuming you got drunk enough to be dumb enough to connect to an open hotspot, you'd be thanking your lucky stars if the worst that happened to you was getting on the wall of sheep (which is essentially the same stunt this guy pulled, with the information projected on a wall for everyone to see). I personally VPN *everything* during that week, and if I have to absolutely connect to a work system, I drive to a random McDs outside of the conference and do my VPNing from there (it's usually faster and more reliable than any network at the conference too, since it's not the prize in a big game of Spy vs Spy).

    Min

  2. Re:Practical certs like GIAC help and hold value on Ask Slashdot: Are Any Certifications Worth Going For? · · Score: 1

    +1 to CISSP, I had essentially the same experience as the OP, and decided that IS manager was tedious. I went and wrote my CISSP, got 'lucky' a couple of times with breach issues and poof, 5 yrs later I'm a Sr Infosec Manager.

    While it doesn't have a practical component, I've met very few people who honestly say they left the exam knowing if they passed or failed. Most nerve-wracking test I've ever sat for anyways. And most of infosec (absent specialties such as pentest, and even then arguably) is 90% thinking anyways. Very seldom is it important to know what command to type. Much more important to know the theory like the back of your hand.

    All that having been said, if you don't like handling people, infosec is likely a poor fit. You'll top out soon if you can't have a coherent argument with someone that doesn't degenerate into "Because I said so".

    Min

  3. I've hired people with misdemeanors before on Ask Slashdot: Can a Felon Work In IT? · · Score: 4, Informative

    I've hired people with misdemeanors before.

    Be honest about the crime, don't have it be a surprise that I find out during the background check part of the hiring process.

    I also know other managers who've done the same. It's tough to find good people. A drug offense 5 yrs ago, with proof of a completed drug treatment program for instance isn't going to stop me from hiring a good IT worker.

    Min

  4. Re:The one woman is the Barbie brand manager on "Barbie: I Can Be a Computer Engineer" Pulled From Amazon · · Score: 2

    Well since the publication date was 2010, I'm not sure we can blame Jean for this one.

    I'm very happy that my daughter gets angry and pissed off whenever anyone suggests something is a boy toy or a girl toy tho. (Drive thru at McD's is rough!)

    Min

  5. Re:This is a legal matter. on Ask Slashdot: Dealing With VoIP Fraud/Phishing Scams? · · Score: 4, Insightful

    Yep, a call to my corporate legal dept would be my first move in this situation. It's amazing how many situations got deescalated when we got the other party on the phone with my legal dept on the line.

    Min

  6. My Wife's response: on MARS, Inc: We Are Running Out of Chocolate · · Score: 2

    My Wife's response:

    "OK that's it, I'm cutting you and the kid off. More for me!!!"

    Min

  7. Re: Check your local community first on Ask Slashdot: Who's the Doctors Without Borders of Technology? · · Score: 1

    I did YKnet around the same era then, out of Whitehorse. Set up an 8 line dial up pop in Old Crow, using bound analog sat channels.

    I also did a stint down in the Eastern Caribbean. I remember the bribes, favors, etc required to get a UPS from the dock to our building, and members of our team blocking off the main drag in town while we used the (borrowed) cargo forklift from the docks to lift the UPS up the side of the building. While we were discussing how to get it in the window the forklift driver disappeared, leaving the UPS balancing on top of a power pole. Driver was asleep under the lift. Waiting for the ex-pats to make up their minds.

    Cricket games were something else too!

    Min

  8. Re: Check your local community first on Ask Slashdot: Who's the Doctors Without Borders of Technology? · · Score: 1

    Heyya - just a quick tip of the hat - sounds like we got started much the same way. What part of the Canadian frontier you tame? Yukon here, early 90s with a NPO.

    Min

  9. Re:At last. on Android 5.0 Makes SD Cards Great Again · · Score: 1

    I manage this using xprivacy module under xposed. It allows you to whitelist an application for any subtree under where it's requesting access. Works well for me. More work of course, but security tends to be more work.

    Min

  10. Re:Just ask your bank to send you on Flaw in New Visa Cards Would Let Hackers Steal $1M Per Card · · Score: 2

    proper Faraday cage has to have no gaps,

    Actually not quite accurate - a faraday cage that blocks at all wavelengths would need to have a very small mesh. Rule of thumb is you want your mesh to be less than 1/4(c/freq) m.

    Since freq in the case of NFC is 13.56 MHz, that will yield us with 22/4=5.5 meters (excuse the rounding, you get the point) so anything you can wrap around your wallet is going to do the trick.

    Google NFC blocking wallets for some selections.

    Source: I attend hacker conferences. All my credit cards are NFC enabled. I don't want to have conversations with my CC company that start with "I was at Defcon when..." - those don't end well!

  11. Re:Good luck with that. on Rite Aid and CVS Block Apple Pay and Google Wallet · · Score: 5, Interesting

    Actually, post Chip+Pin (and RFID interact flash for that matter) this sort of attack isn't possible. That's because the chip inside the card creates a unique one time approval for the transaction. The approval is un-replayable,

    At worst, attack wise, you might be able to perform a turnstile attack on it (Interac flash reader, taped to a turnstile say), but transactions over Interac flash are capped at under 100$ and every 5 transactions you have to re-auth with a full chip and pin, so the banks' risk is pretty limited there.

    Disclaimer: I've not done an in-depth analysis of the security controls myself. I know there were some weaknesses in the Euro implementation around not signing the list of allowable transaction verification mechanisms or somesuch (look up the blackhat talk if you need to know) but it's a LOT more difficult these days than inserting a skimmer on the terminal and video recording the pin. (Interac was always two factor, until interac flash).

    Min

  12. Can I get the jelly filled one? on Hungary To Tax Internet Traffic · · Score: 1, Funny

    Mmmm, Internet tax!

  13. Re:Until we upgrade the dumb bunnies on Ebola Does Not Require an "Ebola Czar," Nor Calling Up the National Guard · · Score: 1

    World wide 2013 air crash fatalities: 29
    World wide 2010 traffic crash fatalities 1,250,000 (est)

    So unless you're going to argue that I'm 4310300% more likely to walk away from a fatal car crash, we're better off spending money there, looking at it from an objective point of view.

    Fear drives us to make poor decisions. I fly a lot, but I understand that I'm just as dead from making an error at 70 mph as I would be asleep in my seat when the back end falls off my 737. Just 4310300% more likely to experience the former than the latter.

    *disclaimer: Yes, I know, I mixed statistics from 2013 and 2010 above. I was too lazy to go back and find 2010 air crash statistics, but I seriously doubt it impacts the statistical analysis any more than the rounding error in the world wide traffic fatality stat.

    Min

  14. Re:Until we upgrade the dumb bunnies on Ebola Does Not Require an "Ebola Czar," Nor Calling Up the National Guard · · Score: 1

    On traffic safety, agreed, long term, autonomous cars are the way to go. Some of the answer there is time and market forces, but I suspect a billion or two from the war on terrorism could move that along nicely. Faster technology evaluation and approval pipeline, more money for NSF funded core research, etc. But nearer term there are technologies that exist in high end cars that would lower traffic fatalities tomorrow if available in all cars. Blindspot object detection, lane departure alerts, etc. If the concern is about an objective attempt to lower the number of people who die each year, a dollar spent in this area is going to save more people than a dollar spent in airport security.

    On diseases, if you're talking about a billion dollars to paradrop a few thousand doctors into Africa to do contact tracing, then you have my support. If on the other hand you're discussing mobilizing the national guard to protect North America from Ebola, not so much, spend the money on the flu, which kills many more people world wide. If we do the right things in Africa, Ebola will never be more than a hideous way for a couple of people to die in the US. This is one of those situations where the "Protect the Homeland" mantra is worse than useless.

    Min

  15. Re:Until we upgrade the dumb bunnies on Ebola Does Not Require an "Ebola Czar," Nor Calling Up the National Guard · · Score: 3, Insightful

    There must be an optimal level of security

    If we wanted to actually make people safer we'd take every dollar we spend on airport security and Ebola beyond contact tracking, containment and isolation/care for the infected and spend it on:

    1) Traffic safety
    2) Finding better ways to fight the flu

    Those two things would be way more impactful in terms of lives saved than the money being spent to keep air travel safe from terrorists and mobilizing the national guard to fight Ebola (not sure how they're going to do that, absent a shrink machine, Fantastic Voyage style).

    Min

  16. Re:Just tell me on Positive Ebola Test In Second Texas Health Worker · · Score: 1

    As I understand it, EBOV (and all other currently known strains of the Ebola family for that matter) transmits using a subset of the flu transmission mechanisms, so if you're safe from the flu, you should be safe from EBOV too.

    Min

  17. Re:I call hogwash on Possible Reason Behind Version Hop to Windows 10: Compatibility · · Score: 1

    I did a bit of RTFAing and clicked through a link and found some examples:

    MaxPathLength.java in ManagedRuntimeInitiative (git://github.com/GregBowyer/ManagedRuntimeInitiative.git) Show 2 matches

        isWindows = true;
        if (osName.startsWith("Windows 9") ||
                osName.startsWith("Windows Me"))

    So there's at least some real world examples. Not totally hogwash methinks.

    Min

  18. Re:Parenting on Hundreds of Police Agencies Distributing Spyware and Keylogger · · Score: 2

    Oh gods, I hope her behavior changes in 10 years! She'll be 16 then!

     

  19. Parenting on Hundreds of Police Agencies Distributing Spyware and Keylogger · · Score: 4, Insightful

    It comes down to knowing your kid.

    I have a 6 yr old too. If she sees me looking at something on the computer, she'll come up, looking away and say "Daddy, is that kid appropriate?" before looking. I have no concerns that she'll break the rules, so I don't feel the need for any preventive controls. If I had a child with a different temperament I would react differently of course. For what it's worth, my day job involves ensuring that people employed by my company are safe on the internet. Generally my 6 yr old is better behaved :)

  20. Re:3:2 resonance on Newly Discovered Asteroid To Pass Within Geostationary Orbit Sunday · · Score: 2

    you'll want a more accurate simulator!

    Quick! Load Kerbal Space Program!

  21. Re:Will the cameras work? on U.S. Senator: All Cops Should Wear Cameras · · Score: 1

    Or discourage the abuse from occurring in the first place, which is even better.

    If the officer has to think "OK, I'm going to have to find a way to deal with the video camera" then maybe they don't do whatever it is that would require dealing with the camera.

    That would suit me fine.

  22. Re:They did not hack it on Least Secure Cars Revealed At Black Hat · · Score: 2

    Here's the difference - we have firewalls on the Internet.

    What they're saying is that the Bluetooth is sitting on the same network as your anti-lock brakes and there is no firewall.

    Not sure about you, but where I work, if I didn't put a firewall between the internet, and my web servers and at least one more between my web servers and the database, I'd be looking for a new job. These guys hooked it up to the "internet" (bluetooth) and decided they didn't need any additional security between there and the "database" (your brakes).

    Security is all about layers, and they've said that Bluetooth is all the security your health and safety critical systems need. Not sure about you, but that doesn't leave me with a warm and fuzzy feeling.

    Min

  23. Re:They have no accountability on Exodus Intelligence Details Zero-Day Vulnerabilities In Tails OS · · Score: 1

    Agreed - and in this case "Hackers" == "Nation States"

  24. No one is ever influenced by advertising on The Bursting Social Media Advertising Bubble · · Score: 4, Insightful

    No one is ever influenced by advertising, ask around. People say "no, I'd never buy something because it's on TV" but those infomercials stay in business for a reason.

    So polling people and asking them if advertising is effective on them is a bit of a red herring. Like IQ tests - logically half the world has IQs less than 100. Oddly, I've never met any of them.

    Now the question 'is social advertising effective' is certainly open for debate, but not because some survey says people believe it's not effective on themselves.

    Min

  25. Sitting on a closed toilet seat in a college bathroom where someone decided to install the Cisco router I needed to do unnatural things to with a Perl script.

    Min