As a former Enron employee and stock option holder, it wouldn't have made any difference for us. What brought the financial issues to light was the failed Blockbuster Video on Demand project that Enron Broadband (the company I worked for) booked profits for when there were none. Then, when the deal failed, it was hard to cover that up. They were putting profits on the books that didn't exist, and would have continued to do so even if they had been forced to record the stock options as an expense. It's likely that they might have lied to an even greater extent in that case.
Enron, specifically Jeff Skilling, wanted to drive the stock like an Internet stock during the .com boom. And that's exactly what got them in trouble. Now the stock is worthless, unless you have the actual printed stock certificates, which have collector's value now.
With China, India, and other countries now making overtures to get to the moon and possibly start extracting the natural resources contained on it, wouldn't it be a good idea to get back there?
With the previous article here on Helium 3, it would seem that the moon should be our next destination, and probably the best launching pad for a Mars mission.
I meant to say I can't see it being a hit without him directing. Evil Dead was made by all those wacky camera moves and angles he invented, and without them it just won't be the same.
Without Raimi's visual style, which, along with Bruce Campbell, virtually makes Evil Dead, I can't see how this can be a success. Also, when I met Bruce back in September of 2002, he said he would not ever reprise the role of Ash for any more Evil Dead movies. He said they were just too hard on his body and he was too old for it now. The article doesn't mention what role he'll have in it, so it's unclear exactly how he will be a part of this one.
Just getting people to pay attention in a corporate environment is hard enough, even with HIPAA and now Sarbanes-Oxley. Hell, if it weren't for Sarbanes-Oxley my company wouldn't even give a damn about security. That's sad, and frightening.
I can only imagine the nightmare it must be trying to be in charge of security in a bureaucracy like the federal government. If you've never dealt with the feds as an employee or contractor, you have no idea how many layers thick it goes. You can't even fart without pushing paperwork and dealing with red tape.
And it covered more protocols. Anyone opening a telnet or ftp session got an ASCII middle finger and a little message telling them it was a bad idea to use protocols with clear text authentication. Anyone who tried to visit a web page got a picture of Pete Shipley's face photoshopped over a naked chick having sex. Shipley was shown it and destroyed the IBM T21 laptop that was used to do it. Priest, head Defcon goon, didn't do anything about it except escort Little Mike from Dallas away from the scene, and ultimately the laptop was never replaced or repaired. We also had fun with Shipley's war driving presentation.
It was a lot funnier and certainly more original four years ago.
Especially when it comes to China. Piracy of intellectual property is virtually ingrained into Chinese culture. Why anyone would want to develop IP in a country like that is beyond me. It certainly doesn't seem to be an idea that has been thoroughly thought out.
There's an entire library of material licensed and sanctioned by Lucas, and he chooses to cast most of it to the wind. So what's going to keep this movie from sucking? My guess is nothing. George Lucas went from being a modern mythmaker to peddling contrived sci-fi. It's really sad to see his work decline because of his overinflated ego. He believes his films somehow stand on their own, regardless of what the fans think.
Someone really needs to remind George Lucas, and Hollywood in general, that while CGI is a great tool it's not a panacea when it comes to making films. Stories matter. Miniatures and actual sets still have their places.
And it failed miserably. They're going to have a very hard time convincing the MPAA and the studios to allow them to stream the content without some serious consideration given to DRM.
Seriously, he forwards spam for everything from natural viagra to radar jammers. And this guy has over 8 figures in assets. It's insane. I think he's finally starting to notice that he's getting less of it though. He wants to know where his ads are.
I can't really get excited about all these live CDs. A guy named Chris in Enron Broadband's Information Security Group created a Solaris LiveCD back in 2000 (before the term LiveCD either existed or was popular) that the InfoSec group used to run systems from CD. He even had one that was the absolute minimum of the OS to run IDS engines. I believe it was around 70MB total. After he hacked all that together from Solaris 2.6 and then 7, all the rest of this stuff just seems a bit anticlimactic. Don't get me wrong, as I do enjoy the variety. I wonder if Chris ever wrote up how he did it. It's probably not that hard to do now, but back then that was cool stuff.
I'm mexican, you insensitive clod.
I hate to break it to you, but I've got brown skin just like yours. But I'm a Texan. I was born here and God willing I'll die here. You should study more about the Tejano contribution to Texas history and the Alamo before getting all offended. There were men born in Mexico who gave their lives for Texas during the revolution, including at the Alamo.
I hate to be the bearer of bad news, but the FBI has been doing this in computer crime cases since the last few years of the Clinton administration under that bastion of civil liberties (never mind Waco, Ruby Ridge, or Elian Gonzalez) Janet Reno, and it didn't require several TB of potential evidence to make it happen.
The FBI will attempt to work with any provider in order to get the data they need to investigate a crime. If that is impossible to do in a 'reasonable amount of time' they have little choice but to confiscate the equipment in order to copy the existing data from the machines to conduct a forensic investigation. A reasonable amount of time is generally a couple of hours to a day. Believe me, the last thing some poor special agent wants to do is sift through TBs of customer crap and put a company out of business or under financial hardship.
That's why most free/open source based companies make their money on services, and not necessarily the products they sell. Comparing the service I've gotten from Free Software companies to having the highest priority service contract you can have with Microsoft at a Fortune 100 company, I'd gladly pay nothing for Free Software because the support I am paying for is superior.
Microsoft has done quite well at having lots of security bugs pointed out in their closed source products, and closed source vendors like SGI and HP (HP-UX) don't exactly have stellar security records either.
I work with two guys from India at work. One is a great guy and is super smart. The other is just an ass who has tried to make himself look good by making everyone else look bad. Unfortunately it's backfired.
Friday is my last day, as my job has been outsourced to Australia.
Cisco composite exam 642-891 @ $125 through any Prometric testing center will renew both CCNP and CCDP certs instead of taking both BSCI (642-801) and BCMSN (642-811) @ $125 each. This is from the e-mail I received from Cisco yesterday letting me know my certs were almost up.
But without experience, all the certs in the world won't matter. Get experience any way you can. Work for free if you must, but get some experience deploying the stuff.
That said, some certs are worth more than others. Cisco isn't going anywhere, but there's a glut of CCNP/DPs out there after the bubble burst. CCIEs still walk on water and can still get a job almost immediately.
If you really want a job, get Oracle training. Oracle DBAs will never go hungry, at least not where I live.
Actually, I've had several HR people ask me when my certifications were awarded and when they expire. Mine are all up to date and good for another 3 years as of yesterday.
I got my CISSP last year, and so far it hasn't helped much. That's with 9 years of IT experience, being employed by a couple of Fortune 100 employers, and doing consulting for several more. I'm still making money, but steady employment with benefits has been elusive since 2001. Then again, that could just be my local job market. It looks like most security work is concentrated in the Northeast, especially near D.C., but more and more of that is requiring a security clearance before you can even apply.
Some certs are going to be more worthwhile than others. I'm not sure how worthwhile the Cisco certs are going to be, but just yesterday I took and passed the Securing Cisco IOS Networks (SECUR) exam in an effort to complete the Cisco Certified Security Professional cert. It's vendor specific, but Cisco isn't going away. The ultimate goal is CCIE Security.
I'll be taking the CISA exam in the summer, since they give it once a year, and that's supposed to be highly desirable to employers when linked to the CISSP. Only time will tell.
Is that it swats flies with sledgehammers. Surely there's a more elegant way to deal with this issue now?
It's true. With so many layers of management in corporate America it's highly likely that whatever concerns you and your fellow workers have may not be known to upper management. It's good to tell them these things; however, there are some rules of protocol that should be acknowledged before anyone opens their mouths to make this work.
1: NEVER blame anyone directly, especially in the open. If they want more information on the issue from you they'll get back with you in a more private setting to get more detail.
2: Never make your boss look bad by name, even if he deserves it.
3: Be prepared to present a solution to any problem you bring up. Saying "X, Y, and Z suck and need to be fixed" and waiting for the CIO and President to come up with resolutions is not only asking for trouble, since they likely play little to no role in your daily duties and could come up with a solution that only makes the problem worse, but also shows no initiative on your part. You should have at least one good answer to any problem you bring up, and at least one alternate solution in case the first answer doesn't work. This shows that you aren't just a complainer, and management loves this. This is also a way to get your foot in the door to management if you so desire, or at least make yourself visible. Just complaining about things makes them think you're nothing more than a whiner.
4: Do not kiss ass, but don't be rude either. If you have a hard time speaking to non-tech people, then you might want to either find someone else to speak for you or present your ideas in writing.
5: Establish constant lines of communication by checking to see if they have an open door policy on important issues. More often than not they'll be interested in hearing about what you have to say about problems in the workplace, especially if they can be shown to be wasting money and resources, yet most employees never approach them directly.
Good luck!
Why is spam even on the list? Yes, it's annoying and a big waste of time to deal with. Spam is an abuse of resources, so if you consider any abuse a security issue, then pop-up and flash ads can also be considered security issues because they consume excessive network bandwidth too.
Information Security is made up of what is known as the security triad: Integrity, confidentiality, and availability. Spam has a nasty habit of affecting both integrity and availability of systems, availability especially. And this is true of many abuses of resources. Systems designed to not relay messages can still be brought to their knees with a large amount of incoming messages. Can you categorize bringing an SMTP server to a state where it no longer functions as anything other than a DoS attack? Certainly, it may not have been the intended result, but the result still is what it is. You may not consider it a security issue, but many corporations do and it certainly fits the accepted criteria.
Browse through the RFCs issued in the last 5 years, which is where new Internet technology generally appears, and you'll find a generally excellent level of security design.
It's not the RFCs that are insecure or the people who write them who are ill informed. It's groups like IEEE who put inadequate security mechanisms in place in hardware specifications, developers who implement homebrew encryption or insecure methods in their programming, and a general lack of respect for designing security into products from the ground up. This happens because they're not security people who understand the issues, and they think the security person's arguments are overblown. Believe me, I've been involved in some commercial product development projects, both software and hardware, where I was brought in to help design security into the product from the ground up but was ignored throughout the development process. It still happens in commercial products today as well, because security isn't part of the initial design spec, and sometimes isn't even considered at all until extremely late in the development cycle. Security of a product should begin in the design phase, but sadly it's just not the case in many of today's applications and hardware specifications.
Of course, computer/information security is much more visible today than it has ever been, but still the problems persist because for all the talk, a lot of people still don't take security seriously. It's more often than not an afterthought.
Disclaimer: I work in Information Security.
Funny, me too. I'll only address the things that I disagree with and leave the other points that stand alone.
APs should be configured so as not to broadcast their SSID.
Doesn't matter. It's trivial to determine the SSID. I can either catch a client associating to the AP or force any/all connections to disassociate and then catch the SSID when the card reassociates. I don't even need low-level 802.11b code to do this. A simple connection cutter written in C cutting connections at the transport layer can cause enough havoc that someone will reset their card and I can snatch it that way.
If the AP supports it, consider MAC Address filtering by only allowing authorized MAC Addresses.
MAC address filtering is pointless. It may keep a Wintel user out of your network, but an actual attacker can bypass this with BSD or Linux card drivers.
If the AP supports it, consider additional authentication such as RADIUS.
Using RADIUS is a good idea, but entirely too many people use their SSID as their RADIUS key, their WEP key, or both. The problem with all those keys is key management, and people tend to be lazy in that aspect.
And of course, if you really want to be a nuisance, it's not that hard to simply DoS any and all 802.11b networks your antenna can reach from a distance.
It would be really, really nice if IEEE put some honest thought into the security of network technologies, especially the wireless technologies. Retrofitting security after the fact isn't the ideal solution.
Now 802.11g is a little more secure, but only because the information behind the chipsets has been so closely guarded by the chipset manufacturers. Now that 802.11g drivers are starting to appear for Linux, it won't be long before we see canned code to exploit it as well.
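The point above about hidden SSIDs, shown in code as an added example that is not part of the original comment or of any tool the commenter used: an AP that "doesn't broadcast" its SSID still sends a beacon, just with a zero-length SSID element, while every client that associates (or reassociates after being knocked off) names the network in the clear in its association request. The parser below walks the 802.11 management header and tagged elements and recovers the SSID from the client frame that the beacon withholds. The frames, addresses and the network name "corpnet" are constructed for the example, not captured from any real network.

```python
"""Recovering a 'hidden' SSID from 802.11 management frames.

Constructed frames only: nothing here captures from a radio.
"""
import struct

MGMT_HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1, addr2, addr3, seq ctrl
BROADCAST = b"\xff" * 6
# Assumed example addresses, not from any real network.
BSSID = bytes.fromhex("020000000001")
CLIENT = bytes.fromhex("020000000002")

# Management subtypes that carry a tagged SSID element, and the length of the
# fixed fields that precede the tagged elements in each.
FIXED_LEN = {
    0x0: 4,    # association request: capability(2) + listen interval(2)
    0x4: 0,    # probe request: tagged elements only
    0x5: 12,   # probe response: timestamp(8) + beacon interval(2) + capability(2)
    0x8: 12,   # beacon: same fixed fields as a probe response
}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, addr1, addr2, addr3, fixed, ies):
    """Build a minimal management frame (type 0) with the given tagged elements."""
    fc = subtype << 4            # protocol version 0, type 0 (management)
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in ies)
    return MGMT_HDR.pack(fc, 0, addr1, addr2, addr3, 0) + fixed + body


def parse_ies(body):
    """Tagged elements: 1-byte tag, 1-byte length, value. A truncated trailer is dropped."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        if i + 2 + ln > len(body):
            break
        ies.setdefault(tag, body[i + 2:i + 2 + ln])
        i += 2 + ln
    return ies


def ssid_from_frame(frame):
    """Return (subtype, bssid, ssid); ssid is None when the element is absent or empty."""
    fc, _dur, _a1, _a2, a3, _seq = MGMT_HDR.unpack_from(frame)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return subtype, mac(a3), None
    ies = parse_ies(frame[MGMT_HDR.size + FIXED_LEN[subtype]:])
    ssid = ies.get(0)
    if not ssid or ssid == b"\x00" * len(ssid):   # "hidden": zero length or NUL fill
        return subtype, mac(a3), None
    return subtype, mac(a3), ssid.decode("utf-8", "replace")


def recover_ssids(frames):
    """Map BSSID -> SSID across a capture, filling in names that beacons withhold."""
    found = {}
    for frame in frames:
        _sub, bssid, ssid = ssid_from_frame(frame)
        if bssid not in found or (ssid and not found[bssid]):
            found[bssid] = ssid
    return found


# Constructed capture: the AP beacons with a zero-length SSID element ("hidden"),
# then a client (re)associates and names the network in the clear.
HIDDEN_BEACON = build_mgmt(0x8, BROADCAST, BSSID, BSSID,
                           fixed=b"\x00" * 8 + b"\x64\x00" + b"\x11\x04",
                           ies=[(0, b""), (1, b"\x82\x84\x8b\x96"), (3, b"\x06")])
ASSOC_REQ = build_mgmt(0x0, BSSID, CLIENT, BSSID,
                       fixed=b"\x11\x04" + b"\x0a\x00",
                       ies=[(0, b"corpnet"), (1, b"\x82\x84\x8b\x96")])

if __name__ == "__main__":
    for f in (HIDDEN_BEACON, ASSOC_REQ):
        print(ssid_from_frame(f))
    print(recover_ssids([HIDDEN_BEACON, ASSOC_REQ]))
```

The beacon alone yields no name; the association request yields "corpnet" for the same BSSID. The same lookup works on probe requests and probe responses, which is why "don't broadcast the SSID" buys nothing against anyone who can see client traffic, with or without forcing a reassociation first.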
Even for the writers of magazine articles. Their job is to sell advertisements and pseudo-content, and if they have to do it by being outrageous and saying the dumbest things ever, then that's what they'll do.
And check Netcraft. www.forbes.com is hosted on a Linux server. I wonder if they even know that?