Slashdot Mirror


User: dexterpexter

dexterpexter's activity in the archive.

Stories: 0 · Comments: 161

Comments · 161

  1. Re:Brute force what? on Just How Paranoid Are You? · · Score: 2, Informative

    The problem with the 30 character password in this case is that (a little known fact) Windows actually breaks it into seven or eight character passwords and then encrypts those. So, your 30 character password is only as good as four or five passwords...which are even further compromised if any of those blocks resemble a dictionary word.

    Jack the Ripper (for physical access) or Cain & Abel (over the network) can grab most seven-character passwords in seconds.

    Yes, long passwords are better in theory, so I agree with you. But, some systems remove a lot of the long-password advantage when they break the passwords into blocks and then encrypt them.

  2. The GPA doesn't have to be the determining factor on Joel Gives College Advice For Programmers · · Score: 1

    I am not disagreeing that GPA is not important, because frankly many people in HR or who make hiring decisions are not properly trained to do so and will throw out a non-4.0 resume haphazardly. Of course, good self-marketing skills are more important if you can get past these people by making good contacts elsewhere in the company, because that will ultimately get you a job.

    However, I must say that this is not the end-all decision maker. For instance:

    -------
    (long, boring account of my getting around the GPA issue. You can skip this)
    When I was an undergraduate, my GPA was not spectacular. It was not bad, and was certainly within the B range, but it was not a 4.0, which many people seem to hold as the determining value of whether someone will be a spectacular student/employee. However, during my undergraduate work, I carried two engineering majors (Mechanical Engineering and Electrical Engineering), and graduated with my EE degree a semester early--and would have graduated a year early were it not for administration issues. In this time, I did research in a myriad of areas, including designing a hybrid electric vehicle, working on artificial vision for the blind, autonomous robotics, electro-optics, and VoIP. I also worked as an intern at a local defense contractor. Frankly, when I interviewed for the defense contractor, they asked for my unofficial transcript within my packet. I sent them a list of all of the courses I had taken, grades and GPA omitted. That GPA-minded company, in starting from the front of my packet and working backward to the transcript, probably forgot about my GPA completely. A few interviewers asked, but it was after packet-review. When they asked why I should be hired over all of the people outside, I asserted that they might be 4.0 students, but they don't bring a broad, creative background to their work. If they had a problem and wanted the same, memorized solution over and over again, then hire them. But when that solution doesn't work practically and suddenly they are faced with the same solution from a room full of people, I will be the one to always bring them a plan B. I was hired over the other applicants.
    Taking this work and research history to a graduate school, they admitted me...while I was still an undergrad. (So, I was both a grad and undergrad.) GPA was barely an issue. I ended up with a full ride in a very nice program because of all of the "extras." I have been admitted to grad school as a full-time student twice now, and neither time required a GRE (the GRE is typically a requirement at our university), and neither time was my undergrad GPA an issue. I now hold a 4.0 in grad school (where a lot of the 4.0 undergrads do not), and have a job lined up.
    Of course, that doesn't mean that everyone within the college--especially the bean-counters--were happy about this. You have to be prepared to face some backlash when you totally throw the system out the window.
    (/long, boring account of my getting around the GPA issue.)
    -------

    Yes, this was long, but I want people out there who are hard workers without stellar GPAs to realize that they don't have to give up. It is important, indeed. But, your college experience is what you make of it. If you pursue a lot of extra areas, have a broad educational background (as you mentioned), do internships, learn to work in team situations with people you might not fit in with or may fit in with wonderfully, build professional networks through your projects, and show yourself as a hard worker, it can indeed work out. There will always be people for whom the GPA (or GRE scores...which is fun to explain the lack of in my case) is their determining factor, but you might also keep in mind that if that is their end-all method for hiring, that the people hired might not be the hardworking and fun individuals you want to start your career alongside, and probably won't have the social networks to launch you into better careers in the future.

    If you just go to college to get

  3. Many, many interviews on Defining Google · · Score: 4, Interesting

    Oftentimes, that "rigor" is really not so rigorous as much as a process for your and the company's good. A lot of large companies/agencies do this so that they can find the right fit for you in their company. Many times, the company already plans on hiring you and has already decided you will make a "good employee," but the seemingly ridiculous number of interviews is for placement purposes.

    If you come in and wish to interview only for the advertised position, you might be missing out on an opportunity in an area you really want to work in or would excel at (being a new, unpublicized area, you might be brilliant at it and love it, but not be aware it even exists), and so oftentimes the company puts you through interviews (in this case, umpteen interviews), so that people in each of those areas have an opportunity to speak up on your behalf and say, "you know, I could really use him/her here, but the position we have open hasn't been advertised." Putting you in an area that you are likely to love is worth the time "wasted" because you are more likely to be productive.

    Perhaps it isn't this way at all companies, but interviewing many-times (seemingly "rigorous") is simply a placement issue, not a torture or publicity one.

    Also, the tests oftentimes aren't about the right answer, but your reaction to being placed outside your comfort zone for a moment, and how well you respond. Perhaps Google is doing it for torture purposes (I am not so sure of that, though), but the "extreme interview processes" often have other purposes than the initially-perceived ones. I am speaking about other companies here, not necessarily exclusively about Google.

  4. Re:My experience on Defining Google · · Score: 1

    Indeed. That completely escaped my notice, and I apologize. :)

    It should be noted that I extend much more care and effort into my research (for Google or any other institution/company/what-have-you) than I did quickly hammering-out that post. Spelling and grammar do count.

    (It should also be noted that being polite helps, even when correcting another's very silly mistake without the courtesy of offering one's screen name. So, have a nice day.)

    One thing I did not mention in my parent post was that I did not accept the offer.

  5. My experience on Defining Google · · Score: 5, Interesting

    In July of 2002, when Google Answers was hardly-known (is it very well known even today?), I did some research work--without pay--for Google.com. I love research, so I didn't mind; I was thrilled to do it.

    One day, I got a letter/email from Google.

    In it:
    "We have noticed you have been quite active on the site and that your
    comments have been well-written and comprehensive ...

    Based on your postings we think you would be
    an excellent addition to the researcher community."


    They were offering me a job as a paid researcher. I was quite shocked because I had read that lots of people applied and were never given jobs, and I never even applied.

    Apparently I was answering questions very quickly and thoroughly; one of their paid researchers noticed and recommended me.

    It wasn't a very well-paying job and it was not a "high ranking one" per se, but it does qualify as a job that did not require an aptitude test.

  6. Re:Helping how? on "Dark Alleys" on the Internet · · Score: 1

    I didn't intend to differentiate between the written and spoken word. And I apologize if my words were poorly written to suggest that.

    I suppose I read more into the running of the jihadist website, considering I had just posted something shortly beforehand talking about an al-qaeda webspace that was being used to exchange plans for attacks against the U.S. So, my mindset was already one that painted the situation as something nefarious, and the wording of the NYT article aided that...
    However, the fact that he was offering to aid the terrorist group in their terrorist activities, yes, is reason enough to be detained. He has just (whether written or verbal) marked himself as a threat who intends to and desires to harm people when he offers to help them. If you elect to become part of that terrorist organization, then regardless of if you're the ones hitting the buildings (which this boy clearly said he wanted to) or doing the paperworks, you're still a member of that organization and are facilitating the acts. When you facilitate the acts, you have to accept the responsibility for your actions. It's no longer talk.

    Perhaps the boy didn't really mean it (again, teenage angst), but his actions certainly seem to build a character that is ready to act on his words. It is much different from expressing hatred if he is offering to facilitate attacks.
    Hating someone versus threatening or offering to hurt them are two different things, especially when you go so far as to aid in their communications (with that intent), offer to help conduct these acts, etc.

    Unfortunately, I think that neither you nor I can effectively draw conclusions about the situation based on a NYT article, which does seem to paint the boy in a horrible light. It would seem there is more involved, and that is what I read into based on the "offering to help" and the subjects involved. I wish we had a better source.

    Unfortunately, when it's a news source who paints the picture, we have to look at the situation through their glasses and then every piece of news that derives from this source. Perhaps simply saying a few things was indeed what the boy got in trouble over, but I doubt that given his apparent willingness to help (again, as painted by the NYT.) I simply drew my limited conclusions based on what I read, not having the benefit of knowing first-hand about the situation.

    No, I don't think you should get in trouble for saying "I hate so-and-so" (which more than enough blogs on the Internet do), but when you say "Let me help you. I wish I did x. I want to join your organization. How can I get to do x because I intend to do x? Here, let me facilitate your communications about being able to do x in the future because gee, I really dislike those guys," then I indeed think it reasonable to be brought-in, questioned, and held for whatever you did to aid those nefarious acts. If the U.S. just let that pass, and this was the next guy to help launch a major terrorist attack, those same people saying that the U.S. over-reacted (to someone who claims intent?) would be screaming about insufficient response and intel.

    It's not written versus spoken word. It's not about rants. It's about action and intent and if you proclaim that loudly in a public forum so that the U.S. sees it, especially after the backlash about inaction from the last "failure," how do we expect the government to react?

  7. why we never hear anything about this on "Dark Alleys" on the Internet · · Score: 1

    "Embedding binary data into images is extremely easy and is impossible to distinguish visually from the original image(from what I was able to tell from testing). I'm wondering why we never hear anything about this? If anyone has any thoughts on why I am just being paranoid I would like to hear them."

    I suppose I should also add that, in the article itself, "Shortly after Sept. 11, questions swirled around steganography, the age-old technique of hiding one piece of information within another. A digital image of a sailboat, for instance, might also invisibly hold a communiqué, a map or some other hidden data. A digital song file might contain blueprints for a desired target."

    The article itself mentions it, and it is in the widely-read NYT. So, perhaps some of your questions would be answered were you to read the article. I am not trying to be an ass about this, but it would seem as though it would perhaps answer some of your questions.

  8. Re:time for a reality check on "Dark Alleys" on the Internet · · Score: 1

    "Disagree with this kid's stance or not, all he did was say some words that represented how he felt. He did no harm to anyone. He is now paying a severe price for speaking those words."

    As per the article, "Mr. Walker, a 19-year-old student, is accused, among other things, of using his roommate's computer to communicate with - and offer aid to - a federally designated terrorist group in Somalia and with helping to run a jihadist Web site." (bold emphasis is mine)

    Now, the NYT is certainly not above (or below?) spinning things to make the situation look worse than it was, but that certainly looks like he is moving beyond a simple teenage-angsty-stance and "speaking out," into action. There is a difference between saying words and actively helping.

  9. Embedding messages into image data. on "Dark Alleys" on the Internet · · Score: 1

    Interesting. I just dug out the presentation I heard on Stego. This is not new and frankly, I am surprised that people don't hear about it except perhaps you aren't into anything nefarious, or in an employment position to catch those doing nefarious things. In fact, among child porn traders, this is a sad method where one image is inserted into another and used to "covertly" trade those images. (I can't think of the major case in which this was used... but there was a major child pornography case where this was an issue)

    I have used a forensics suite that was able to detect many of the images on the machine with embedded data in them. The images were extracted and then cryptanalysis is necessary to decrypt. Frankly, I wish I remembered how it was able to detect those images, because they weren't compared against known images. It found them, and even presented what program was likely used to hide the data.

    Some common steganalysis programs:

    - Stego
    - Jphswin
    - S-tools
    - Hide in Picture
    - Stegdetect/Stegbreak
    - OutGuess

    There are three types of stego:

    Substitution - Replaces redundant/insignificant data with covert data.
    Injection - Inserts covert information into parts of overt files that are usually ignored.
    Generation - The covert text itself is used to generate the overt message.

    The program I used was able to find an example of each, IIRC.

    But, the short of it is that this is being used:

    "Lately, al-Qaeda operatives have been sending hundreds of
    encrypted messages that have been hidden in files on digital
    photographs on the auction site eBay.com....The volume of the
    messages has nearly doubled in the past month, indicating to some
    U.S. intelligence officials that al-Qaeda is planning another attack."
    - USA Today, 10 July 2002

    "Authorities also are investigating information from detainees that
    suggests al Qaeda members -- and possibly even bin Laden -- are
    hiding messages inside photographic files on pornographic Web
    sites."
    - CNN, 23 July 2002
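
The comment above lists substitution as one type of stego and mentions a suite that flagged carrier images without comparing them against known originals. The following is an added example, not part of the comment and not the method of any tool it names: the chi-square pairs-of-values test (Westfeld and Pfitzmann), a published reference-free check for LSB substitution, run on constructed 8-bit samples. All function names and the sample data are assumptions made for this illustration.

```python
import math
import random


def chi2_survival(x, dof):
    """P(X > x) for a chi-square variable (Wilson-Hilferty normal approximation)."""
    if x <= 0:
        return 1.0
    c = 2.0 / (9.0 * dof)
    z = ((x / dof) ** (1.0 / 3.0) - (1.0 - c)) / math.sqrt(c)
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def pov_embedding_probability(samples, min_expected=5.0):
    """Pairs-of-values test on 8-bit samples.

    LSB substitution with random-looking (e.g. encrypted) data equalises the
    counts of each value pair (2i, 2i+1). A result near 1.0 means the pairs
    are suspiciously equal; near 0.0 means the histogram looks untouched.
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2, used = 0.0, 0
    for even in range(0, 256, 2):
        expected = (hist[even] + hist[even + 1]) / 2.0
        if expected < min_expected:  # too few samples to judge this pair
            continue
        chi2 += (hist[even] - expected) ** 2 / expected
        used += 1
    if used < 2:
        return 0.0
    return chi2_survival(chi2, used - 1)


def scan_prefixes(samples, steps=4):
    """Run the test on growing prefixes; the point where the probability
    collapses approximates where sequentially embedded data ends."""
    out = []
    for i in range(1, steps + 1):
        end = len(samples) * i // steps
        out.append((i / steps, pov_embedding_probability(samples[:end])))
    return out


def constructed_cover(n=20000, seed=1):
    """Constructed sample data: 8-bit values with an uneven histogram,
    standing in for pixel data of an untouched image."""
    rng = random.Random(seed)
    weights = [1 + (v * 37) % 11 for v in range(256)]
    return rng.choices(range(256), weights=weights, k=n)


def simulate_lsb_substitution(samples, fraction, seed=2):
    """Test fixture only: overwrite the LSB of the first `fraction` of the
    samples with random bits, which is what encrypted payload bits look like."""
    rng = random.Random(seed)
    cut = int(len(samples) * fraction)
    touched = [(s & 0xFE) | rng.getrandbits(1) for s in samples[:cut]]
    return touched + samples[cut:]


if __name__ == "__main__":
    cover = constructed_cover()
    print("untouched     :", round(pov_embedding_probability(cover), 4))
    full = simulate_lsb_substitution(cover, 1.0)
    print("fully embedded:", round(pov_embedding_probability(full), 4))
    half = simulate_lsb_substitution(cover, 0.5)
    for frac, p in scan_prefixes(half):
        print(f"prefix {frac:.2f} -> {p:.4f}")
```

The test only catches sequential LSB substitution; embedding that spreads changes pseudo-randomly across the carrier or preserves first-order statistics needs other detectors.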

  10. Re:The MPAA and RIAA are Hurting the FBI and NSA on "Dark Alleys" on the Internet · · Score: 1

    Tagging on...

    if it's strong encryption, though, there legally has to be a common backdoor (key, algorithm, etc.) for government agencies, if I recall correctly.

    Otherwise, the p2p world will just be trading a lawsuit over pirated material, to a much more serious one.

  11. Filtering for suspect information on "Dark Alleys" on the Internet · · Score: 1

    While I admit that it is inefficient on a global scale, I will attest to this being possible on a smaller scale having much more computing power than I. While maybe not the Internet in general, an isolated suspect network is very much filterable, even with a few terabytes of information (which is nothing. We had a terabyte storage machine as a doorstop once.)

    I was in a forensics mockup situation where the mock situation dealt with terrorists. Using standard Forensics software, I fed it a word list and pulled up evidence, even from deleted files on the target machine. Sure, "attack" "bomb" "infidel" and such and such were on there, but so were things like "Blair" and misspellings of words, and that actually pulled up more information than "bomb" or "weapon" did. It didn't take much time to index the machine and do this search.

    Of course communications could be more veiled than that, but if you are on a targeted machine (as you seem to know, most of the monitoring is targeted and is not done on random citizens for the hell of it, so this is more for the general audience than a reply to the parent post), the INTEL guys are going to make it their business to pore over poems, symbols, etc. to find those communications.

    With just one machine, a pre-prepared list of words, and a targeted attack, I pulled tons of information off of the target machine. Now, throw a more sophisticated suite at it, more computing power, and a growing list of words based off of those found on seized machines, and the hit/miss ratio goes up.

  12. Re:Possible? Maybe. Efficient? No. on "Dark Alleys" on the Internet · · Score: 1

    I agree mostly with the rest of your post except that it doesn't present a solution as much as a whole new problem of how to get "less terrorists in the first place."

    However:

    Quote: "Let's assume for the purposes of this discussion that the government's motives are 100% pure. It spends billions of dollars annually attempting to log/decrypt/analyze all communications data in real-time to weed out terrorists and make the world a safe happy place. A noble attempt, but hardly efficient."

    The thing that many people don't realize is that there are a lot of hoops that have to be jumped-through before monitoring takes place. Sure, legislation makes it easier, but there isn't an all-consuming communications monitoring and decrypting monster in place (cue Anonymous Cowards, tin foil hats, and the like), but that the idea is often times to monitor known terrorists. A lot of those Gmen geeks are privacyphiles themselves. I attended a conference recently where I witnessed a few members from one of the biggest government organizations absolutely tearing into members of another over security issues and privacy concerns. Not everyone is John Ashcroft.

    It isn't always about capturing new terrorists, although that is a bonus. Oftentimes, these monitoring systems are developed and put into place to quietly monitor known existing communications to get insight into their attack plans, and to create that socio-economic insight that allows us to see what, when, and also sometimes why. To me, that is extremely efficient compared to just guessing or walking up to a guy with a bomb strapped to his chest and politely asking why he is about to blow himself up. Agreed, though, that monitoring any and every citizen for the hopes of catching a terrorist would be inefficient indeed.

    After September 11th, an al-Qaeda webspace was being monitored. Different parts of what was being monitored were registered using a Yahoo account, which the U.S. already had access to. They were quietly leaving things the way they were and simply watching what was going on, listening to potential attack strategy, dates, and enemy locations. Some good-intentioned American citizen used the password hint question and correctly guessed the Yahoo password, logged in, deleted everything, gained the password to their website and then hacked it to show some sort of patriotic message. All communications stopped. That was an example of targeted monitoring that often occurs (of course ruined in this case by good intentions.) Not all monitoring is about going after the vanilla citizen to weed out closet terrorist intentions.

  13. Re:Obscure language? Who needs those? on "Dark Alleys" on the Internet · · Score: 1

    I bet the terrorists could just communicate in Arabic or whatever their native tongues is.
    Let us all hope that they think that, especially with regards to online communication. Agencies right now are giving $30,000 signing bonuses to people with almost-native knowledge of languages like Farsi, and are sent into these places to suck up the culture as well.

    I mean look at the Iraq war - the US sent tons of soldiers there but hardly any of them could speak to the locals at all.
    The vanilla soldier is not the one intercepting and interpreting communications. That is what the INTEL community does. They have all of the resources and toys.

    And, like those who think that speaking in Arabic will shield them, people who think that hiding in their unencrypted MUDs will shield them are setting themselves up for quite a surprise if they give someone a reason to monitor them. In the end, it's all 1s and 0s, and like the language specialists, there are cyber units who are trained to recognize what they need to from those 1s and 0s (oftentimes, plaintext.)
    And lots of people do not realize that their online games are not encrypted, or are weakly encrypted. Because game companies have international markets and there are encryption export controls in the U.S., anything that would give those who want to know a tough time figuring out those messages, could just get the messages through the backdoor the NSA requires, or will just be handed the keys. If not, then they get jailed for encryption export reasons, held, and then we get to start all over again.

    It's those who think they're impervious and don't go through the extra hoops that make it so much easier.

  14. Re:Hack in......Frank W. Abagnale jr on Finding Student IT Security Placements in the Industry? · · Score: 1

    I'm saying knowing how to do the wrong thing is of great benefit. And the government will and does hire those with that expertise.

    I can't disagree with you about that.
    That is why a lot of these forensics/computer security programs are actually taught by reformed blackhats. One is taught to "think like a criminal," but generally under the protection of proper permission, and signed papers.
    They actually "unleash" these students on systems as part of red or blue teams, but always with prior permission.
    That is how they get a lot of the expertise of how to go about doing the wrong thing, while still not technically maliciously hacking, making them AOK in the government's eyes.

    It seems that a lot of the strictness in hiring (being concerned with hacking pasts and such) is fairly new. I suppose that I should check out your case study, but I was under the impression that the three-letter agencies had tightened up on things like that.

  15. Re:Why not become a Cop? on Finding Student IT Security Placements in the Industry? · · Score: 1

    Actually, this is very good advice.

    Many police agencies have cyber crime units, and many take on interns. You might check with your local law enforcement and see if they have something in place for this.

  16. Re:Here it is. on Finding Student IT Security Placements in the Industry? · · Score: 1

    Or, since the author appears to be Canadian, their equivalent agencies, since most agencies in the U.S. will not hire non-U.S. citizens, or anyone who has been outside the U.S. for an extended amount of time on non-government business.

  17. Re:Financial and Insurance Services on Finding Student IT Security Placements in the Industry? · · Score: 1

    Actually, the average time for a security clearance for a student, since most of the time they are only required to fill out information back to their 18th birthday, or four years, which ever is longer, is between four to six months. Some people get clearances within two months. Other people, a year.

    Also, I worked for a defense contractor that did work for the DoD and did not have a security clearance. There are positions that do not require clearances, and some of the ones that do only require a "Secret" clearance, which isn't too difficult, as I understand it, to get.

    I suppose it depends on what defense contractor you work for.

  18. Re:Hack in...... on Finding Student IT Security Placements in the Industry? · · Score: 1

    Actually, they may contract you, but most government agencies, despite the misinformation lots of people like to spread or think happens, will absolutely not hire someone who has done any hacking, especially of government systems. A lot of school programs which lead to government or military positions actually ask you this before accepting you into their programs.

    A lot of really good security professionals get locked out because of that little hacking question that comes up during security processing.
    They might get hired into the private sector and thus contracted for non mission critical security positions, but when you play the little hack game, you've cut your employment opportunities.

  19. Security Clearance on Finding Student IT Security Placements in the Industry? · · Score: 4, Informative

    The only way to get that security clearance is to start the process, and start it early. I notice that you are from Canada, so I can't give any advice specific to your situation, but I am sure that the Canadian government has cybersecurity internship slots.

    Apply to one of those and the government will usually pay for the security clearance. A lot of times, government positions rotate their interns into many security positions and place them with a mentor, so you get the benefit of varied experience. Even better, these are most often available during the summer (three month vacation to a security position works) and since most places start processing in December/January, you're right on that edge for applying.

    I suggest you check out your own various government agencies and send your resume out. Processing time for young people usually borders about four or five months (although it can take over a year), which would put you, if all goes well, at the perfect timing to get one of these positions. And, better, agencies often hire their interns for full time positions when the students graduate, and you will already have your clearance.

    I, however, like many /. commenters, find it odd that your program has a service component involved and no contact network or career advising attached to it. Frankly, if you're early in your studies, I would consider going elsewhere. Most programs that have service components have professors or advisors with vast social networks that can place you in a good position. I would certainly check with your professors and make sure that there isn't an unofficial social network there that they can get you hooked into.

    But if you are planning on going into the security profession, that security clearance is something you will want/need anyways, so if you can get it now, all the better!

  20. Soda Bottle/Engineer law on Computer Forensics · · Score: 1

    I know that this is not an authoritative source, and I would prefer to find a copy of the actual law for you, but until I do, here is a link:

    http://www.ahajokes.com/laws036.html

    If you check out most of the "Stupid Law" collections online, under Tulsa, Oklahoma, you will find this oddity.
    The google search can be found here.
    I will see if I can track down a copy of the actual law, though.

    Oklahoma has many of these laws and does not prosecute. I don't know why they would prosecute a cybercrime division for confiscating child porn as long as it is done as a matter of law enforcement. However, a corporate entity might have more to worry about, although unlikely.

    Of course, they have prosecuted people in the past for having a few child pornography images in a cache that were planted there unknowingly because of their visiting a joke site or something that uses those pay-per-popup advertising schemes. Generally these people are let off the hook because the evidence does not show intent, but it is technically still illegal to possess those images.

    I think that these ineffective laws make a mockery of important laws and should be revised or removed from the books. (Revised referring to the child porn law, to allow law enforcement and forensic/corporate investigation, and removed referring to our funny yet ridiculous soda bottle law.)

  21. Heavy workload on U.S. Cybersecurity Report Available · · Score: 1

    Actually, I would hazard a guess that a fair amount of our students take more than the thirty required hours for their Masters degree, oftentimes auditing courses for no credit so that they still get the instruction, but do not graduate early.

    I can think of at least five students who are auditing an Operating Systems course for no credit toward their degree, although I suspect there will be many more.
    My own experience with AI (although not in the strict sense) comes from a combination of a Neural Networking course I opted to take as well as research on autonomous robots, although the Advanced AI course is open for students to take (with permission) if they prefer that route. So, I would still stand by my assertion that for many students, it is a fundamentals+ route.
    I don't know many schools that offer or encourage this, but it seems more commonplace at our university for graduate students to take 12-15 hour semesters (note: graduate students. At most schools, it seems those students take 6-9 hour semesters instead) to expand their interests in other areas, and to extend their knowledge into more advanced areas of the fundamentals (like OS). I would personally qualify that as a high workload, but perhaps I misunderstand you.
    I am certainly not trying to raise my own university above the others (although I am proud of my university), as I imagine that some of other schools have similar successful programs in this area. It seems that the advisors for that program demand a lot from their students.

    (On a side note: I have a picture of Mudge from @stake and I from this summer when he visited the university. The students in these programs, it seems, are not completely cut off from the industry market, although I understand that this was not what you were asserting.)

    Although you are correct in calling it more of a Security specialization because, overall, the degree is still labeled a Computer Science, but carries with it lots of security (as well as forensics and similar) courses. Not everyone in the Computer Science program opts to take security courses. Although those outside the security area also seem less likely to carry a heavy workload that is not required. Of course, that is true of any major.

    I believe this might be an instance of my poorly explaining myself and misunderstanding you. For that, I apologize.

  22. A fair but perhaps incorrect assumption on U.S. Cybersecurity Report Available · · Score: 1

    You are assuming that I am buying into something someone else is selling.

    You don't sound like a dick at all. In fact, you sound like a fair part of the American public.
    It is true that "blowing something big up" might have a larger physical impact, but the strength of a nation is often determined by its information. When you stop or compromise the flow of information, you can really make an impact. It was not Bush or Cheney or any member of that administration that brought me to that conclusion.

    I can't change your mindset and nor do I blame you for having it.

    However, you cannot convince me that creating jobs for these students by creating government positions for them, and that securing a nation to the best of our abilities is a bad thing. It is not a propaganda directed at the general public (that is what the war is for; most citizens don't give a flip about what sort of security runs in our government's 1s and 0s) but simply good practice. They are training people for the job of considering that "Hey, this VoIP network is terribly insecure and could have x impact" so that the rest of the public does not have to. It's not the intention of getting every American citizen scared to death about how our computer networks are being run (although information awareness and homeland opsec is an important and useful concept) as much as doing what we can to make sure those systems are secure for if our day 0 comes. In fact, in this area of study, it's not about hyping people into accepting the violation of personal rights in exchange for security because many of these young students are some of the most vehement of privacy activists, but understand the importance of securing government systems.

    They say hindsight is 20/20 after any tragic event occurs; what is the problem with endeavoring to look ahead while also creating jobs and educating students in an area in which they are interested?

    If one says that system security is hype and that it shouldn't be pursued to all reasonable means, then I pity the system that person admins.

    For once we are pursuing an area of defense... and this is still a bad thing?

  23. CERT Guide to System and Network Security Practice on U.S. Cybersecurity Report Available · · Score: 1

    I apologize. I misquoted the title. You can find a review of this book here:
    http://www.unixreview.com/documents/s=1357/urm0108f/

    CERT Guide to System and Network Security Practices
    by Julia Allen
    Addison-Wesley 2001
    ISBN: 020173723X

    I somehow combined the "CERT Guide to System and Network Security" with a course I was taking called "Secure System Administration and Accreditation." My mistake.
    I am not sure about your comment on firewalls. Firewalls still are and should be used.

  24. Protecting the asset of *Consumer Information* on Computer Forensics · · Score: 1

    Given this, it is worth asking why on earth any ethically-minded person would want to protect corporate assets, unless he were a fascist.

    I know this is a troll, but I will bite.
    You do realize that many corporations list their database that contains customer names, addresses, credit card numbers, etc. as an asset, right?

    So, in the case of Information Security, when you are helping corporations protect their "assets," many times you are helping protect consumer privacy.
    When this information is compromised, it is extremely important to be able to investigate that breach in a forensically-sound manner in the case that prosecution becomes necessary, and also to limit the further exposure of this "private" information.

  25. Recovering deleted files on Computer Forensics · · Score: 1

    Unless their mom is a savvy forensics analyst and happens to have FTK laying around and recovers those deleted files. FTK does a nice job of recovering deleted files.

    Poor Billy.