Slashdot Mirror


User: Bios_Hakr

Bios_Hakr's activity in the archive.

Stories: 0
Comments: 1,364

Comments · 1,364

  1. Re:notify the government? How about us? on Legislation In the Works To Require Companies To Report Privacy Breaches · · Score: 4, Interesting

    Not that I'm a fan of hiding breaches from the customer, but what if the company notices a breach and wants to collect data from the hacker or direct the hacker to a honeypot?

    Here is a great read about just such an event: http://en.wikipedia.org/wiki/The_Cuckoo's_Egg_(book)

    I think notifying the FBI within 6 hours of the breach should be mandatory. With hourly updates for the next 18 hours. And maybe 6-hour briefs for the next 96 hours.

    If they haven't collected enough evidence in 120 hours, then they should pull the plug.

  2. Re:Nice, however.. on The Next Phase of Intelligent TVs Will Observe You · · Score: 1

    Windows Media Center does what you want.

  3. Re:the iPad is stowed during takeoff and landing on Alaska Airlines Jettisons Paper Manuals For iPads · · Score: 1

    I don't know if this applies to commercial pilots, but here goes.

    Military pilots are required to write, word for word, the emergency procedures for their aircraft. Yes, the manuals and checklists are still there, but it's nice knowing that you already have it committed to memory.

  4. President Obama on Patriot Act Extension By Autopen Raises Questions for Congressman · · Score: 3, Insightful

    Look, I'm not into the whole "political" thing.

    But it isn't "Mr." Obama; it's Mr. President or President Obama.

    You could also use The President or POTUS.

    Saying "Mr." Obama isn't just disrespecting him, it's disrespecting The Office of the President. It's tacky.

  5. Re:Crowdmandering or gerrysourcing? on Redistricting 2.0: Cloud Lets Voters Take Part · · Score: 1

    Agreed. Just throw a dart at a map, lay down a fixed-sized hex, and call that a district. Set all the other districts as the same-sized hex built off the first hex.

    Once the population density of a hex falls below a specific density, i.e. rural areas, start letting the computers take over and carve it up.

    Maybe then, disenfranchised inner-city voters would think they have a voice.

  6. Re:Could Someone Explain to me... on Mozilla Labs: the URL Bar Has To Go · · Score: 1

    The vast majority of the time, I use my bookmarks to hit the sites I love.

    Sometimes, I click on a link from a forum (including /., Digg, and Reddit links).

    Sometimes, I search for something in Google and click the links there.

    I *almost* never type in a URL.

    Still, not sure that an extra 150~200 pixels is really going to make or break my browsing experience.

  7. Re:I love the smell of napalm in the morning on Sony Music Greece Falls To Hackers · · Score: 1

    If you build software on top of locked hardware, then you should *never* update the systems until you test what the update will break.

    Now, there may be a group out there that is concerned about not being able to replace failed units. But I doubt any *really* good programmers were bothered by a PS3 firmware update.

  8. Re:Let the jokes begin... on Porn Reportedly Found At Bin Laden Compound · · Score: 4, Funny

    You can order that, but it'll take 9 years to deliver...

  9. Re:Basics on Ask Slashdot: Becoming a Network Administrator? · · Score: 1

    We use VTP extensively. I couldn't imagine trying to manage our domain without it.

    We have a policy that before we shelve a switch, we blank the config. We also have standard configs on the laptops in our equipment cage. Take a switch off of the shelf, boot into ROMMON, upload the latest IOS, then apply the standard config.

    I could see a smaller shop with no real policies or procedures in-place making a mistake like that. I've heard of it happening. And I think that's why we are so paranoid about it.

    We take an additional step of whitelist pruning vice blacklist pruning. The CCNA level stuff talks about removing VLANs from trunks. Our default is to prune all VLANs from every trunk and then we allow the VLANs that are in-use downstream.

  10. Re:Basics on Ask Slashdot: Becoming a Network Administrator? · · Score: 1

    5a. Why do you avoid VTP?

    Everything else is pretty solid. I really like the idea of connecting the access to the core stack using dual links. I'm guessing you mean via EtherChannel?

    You could go with HSRP if you *really* need uptime. But HSRP can be a beast to get working properly...

  11. Re:Views from a New Entrant on Ask Slashdot: Becoming a Network Administrator? · · Score: 1

    I can second this.

    I'm a Sr. network engineer for a *huge* network. For 100 machines, I would probably have Cisco 3750s for the core and, depending on the distribution of users, something like Cisco 2940s for access. If all the users are in one location, just stack the 3750s.

    3750s run about $7K each. 2940s are around $1200.

    Get a CCNA book or CCNA videos and start reading/watching.

    I haven't used any of the HP kit. I have used Juniper and Marconi for WAN stuff. As a general rule, just buy Cisco until you know you need something else.

  12. Re:Here's what to do. on Ask Slashdot: Becoming a Network Administrator? · · Score: 1

    I disagree about the database thing.

    1. Create a spreadsheet with your networks. It should have headings like this: IP, mask, DNS name, use, user, phone number.

    2. Separate those into subnets.

    3. Print that out and put it into a binder.

    4. Use something like Solarwinds to map your subnets.

    5. Use a *pencil* and fill all the information into the binder.

    6. Photocopy the binder and leave one copy at home, one with your boss. Carry the original with you at *all* times.

    7. Update often.

    I have used databases, spreadsheets, specialized tools like SolarWinds, Orion, HP OpenView, etc. Nothing beats a printed binder that is always with you. Using a pencil will ensure that future updates, additions, or deletions will not mean printing a brand new sheet.

  13. Re:Misleading headline on Amar Bose To Donate Company To M.I.T. · · Score: 1

    Doesn't being a stock-holder also mean some control over the company?

  14. Re:He got notified? on Sony Sued For PlayStation Network Data Breach · · Score: 1

    You could claim that you suffered a loss by having to check your CC statement daily for a month, then weekly for a year.

    Claim the time spent on the phone with the CC company to get a new card issued.

    Claim the time you spent between when the old card was axed and the new card arrived.

    Claim the increase in SPAM via email and snail mail.

  15. Re:He got notified? on Sony Sued For PlayStation Network Data Breach · · Score: 3, Informative

    It *needs* to happen. And happen big. Maybe after Sony files for bankruptcy, investors in other companies will start asking the CIO to ensure security at any cost.

  16. Re:He got notified? on Sony Sued For PlayStation Network Data Breach · · Score: 3, Interesting

    Definitely. I'd love to see Sony deal with 77M suits in small-claims court.

    At $500 per suit, that would be something like $38B.

  17. Re:Official word from Sony finally on PSN Outage Continues, Console Hack Claimed To Be Responsible · · Score: 1

    I was thinking about that. It seems to me that there is Alice, Bob, and Charlie.

    Alice needs to authorize Bob to take money from Charlie that Alice will pay back in the future.

    Alice could do a one-time authentication with Bob, Bob would do an authentication with Charlie. Bob could hash Alice's number and Charlie could store the hash of Bob's hash.

    Basically, Alice and Charlie could have a secret number that Bob could never (if properly salted) decode.

    To take it a step further, the secret number could revolve based on timestamps; say refreshing every 6 hours. As long as Alice and Charlie's clocks were synched (radio isotope decay), then you could have a super-secure CC# processing system.

  18. Re:Official word from Sony finally on PSN Outage Continues, Console Hack Claimed To Be Responsible · · Score: 1

    Address is needed for billing purposes. DOB is needed to ensure they don't sell violent video games to minors.

    The thing I'm most pissed about is that none of this data was hashed. At the very least, they should have hashed the CC# and passwords.

  19. Re:I keep waiting for the Air Force to say somethi on Sony Should Pay For OtherOS Removal, Says Finnish Board · · Score: 4, Insightful

    Same thing we do with Cisco, Microsoft, RedHat, and any other company we buy things from; we don't buy without a good SLA.

    If nodes need to be added, we can get them from Sony with whatever firmware revision we want.

  20. Re:Incorrect on Feds Prep For E-Gov Shutdown · · Score: 1

    If your SI (military?) is worth $500B, then you lose $50B. Then $45B. And so on.

    If your SI (advancement for arts) is worth $10M, then you lose $1M.

    Both programs, one vital and one a luxury, get equally screwed. But the Country as a whole is better off.

  21. Re:Welcome to the real truth on Feds Prep For E-Gov Shutdown · · Score: 1

    I agree that the partisan politics is really playing a number on things.

    Why not just pull up the budget for last year, cut everything by 10%, and call it a day? Everyone gets screwed equally and no one side can complain about their special interest getting screwed more than the other guys'.

    Just keep cutting everything by 10% every year until income matches expenditures. At that point, enact a law that says the Federal Government isn't allowed to spend any more money than it makes.

    Once we get to that point, then look at re-distribution of resources. Move some of the Military spending into NASA and re-tool the government contractors to build orbiters instead of airplanes.

  22. Re:Reminds me of the static IP address days on Microsoft Sniffs Out Unused Wireless Spectrum · · Score: 1

    You are correct that a /25 has 126 usable IPs. I was referring to the fact that the engineer has a single class-c to work with. If he applies a /25 to a class-c, he will have two subnets with 126 usable IPs in each; a total of 252 IPs for the class-C.

  23. Re:Reminds me of the static IP address days on Microsoft Sniffs Out Unused Wireless Spectrum · · Score: 1

    No problem. Yeah, NAT is the way to go for most networks.

    If you have a large network, you can do a 10.0.0.0/8 and then subnet/VLAN that down.

  24. Re:Why hasn't she gotten used to it? on Ask Slashdot: How Do You Choose a Windows Laptop? · · Score: 1

    A Windows license is around $200. You can get a pretty decent laptop with Windows 7 for around $500. Sell the MacBook and buy a Toshiba or HP. You'll come out several hundred dollars ahead.

  25. Re:Reminds me of the static IP address days on Microsoft Sniffs Out Unused Wireless Spectrum · · Score: 1

    For most link-local addresses, yeah, it kinda works like that. Of course, the host is going to pull additional info from the default gateway and then *politely* ask if anyone else is using this IP.

    If I read the documentation properly, there should never be a duplicate link-local. If a duplicate is detected, the newer host will just modify its address.