There is power in the word "no" -- and we, particularly we here in America where 'organized labor' has become a dirty word, have lost sight of it.
There are two problems with saying "No".
The employer holds all the cards. You say "No", they say "Terminated for Cause", which means no severance pay, no collecting unemployment, and you are hunting for a job for the next six months with zero income. Meanwhile, your now-former employer can replace you in a week, with a random selection from the teeming hordes of unemployed happy to "[sell] their souls to Beelzebub (aka the Almighty Dollar)".
Second, my employer knows I'm single. So the married guy with seniority and the new mother recently back from maternity leave have their weekend at home with the family, leaving me working weekends.
I'm not bitter (except about the extra benefits gifted to the married and the procreative), but I'm still not up for taking the risk of saying "No".
I'm serious. This 'higher productivity' bullshit has come at the cost of our lives and what's worse, we continue to pretend to think that sacrificing our lives for the almighty spreadsheet somehow will entitle us to the life of the wannabe dot-com nouveau riche.
I'm still collecting my pre-dot-bomb inflated salary, decreased only slightly by a couple of years of zero-percent raises and having to take a loss on my worthless dot-bomb stock options.
Nearly fifty percent of all graduates come from the bottom half of the class!
Not always. For example, my high school cheated on 'rank in class', reporting a class rank that was misleading, if not entirely dishonest.
My graduating class was just shy of 400 students, but the lowest ranked kid was ranked as "325/400".
Class rankings were calculated on a big old mainframe (IBM MUSIC/SP), which would print out your class rank on your report card each quarter, and on the official transcript provided to universities with your application.
The "trick" was, the administrators felt it was unfair that if you had a grade average of 103.1 (due to honors, AP, etc 'bonus' points), at the start of the senior year and were ranked #3, and #4 and #5 improved their grades and at the end of the first quarter of senior year all three of you had a 103.1 average, then they would not lower your ranking, they would rank all three of you at #3. Ditto for everybody else down the line.
They didn't correct for these when reporting "top X percent of graduating class", so the "top 25%" of students made up closer to 40% of the graduating class...
End result: nearly seventy percent of my graduating class came from the top half of the class.
One thing that really bothers me is that layoffs are done by upper management. Some guy with his tie constricting him in an office miles away decides that employee A isn't "company material" and axes him. Upper manager doesn't even know who employee A is.
Really? I've never seen it done that way. Generally, managers are given a target in terms of $$$ or total headcount, and choose who to fire from their direct reports.
Upper management doesn't know employees by name, they just know that they need to reduce the headcount (salary+benefits+overhead) cost for a particular department by some dollar figure. Having the CEO/VP downsize by picking who to terminate by name is micromanagement carried to a ludicrous extreme.
The department directors and managers know who among their direct reports they can afford to fire to meet their target $$$ figure without paralyzing their department...
Rather than making shots in the dark, why not use a survivor-style method of getting rid of people? Why not have tribal council once a week to vote someone off? That would give a person motivation to find themselves useful, otherwise those around the person would give the axe. Justice in its finest form, sounds good to me.
Great, now your job depends on making all of your cow-orkers like you. So "Sally the office slut" keeps her job, and meanwhile the slacker faction will "vote off" anybody whose high productivity makes them look bad.
Just what we need, even more "office politics" with even more immediate consequences if you do not play the game.
I wouldn't say "scared" as such. If anything, I am less productive today than two years ago.
Two years ago, I knew that hard work and initiative would be rewarded with bonuses, raises, promotion. Today I know that no matter how productive you are, there is no chance of any such recognition, and the best most productive model employee has more immunity from "downsizing" than the least productive clock-watcher.
krinsh writes:
If you are here because this is what you chose to do for a living, and enjoy it, then more power to you.
Sounds good, but what if I am here because this was what I had chosen to do for a living, and I used to enjoy it, but now cutbacks, overwork, and micromanagement (as managers try to protect their own jobs) are making it more and more difficult to drag myself out of bed each morning.
I could quit, but unless I want to move out of state, there are no job openings in my field here. Even my quitting would not create a job opening in my field -- few companies are hiring to fill open positions, including positions created by employees who quit or are fired for cause.
Like one of these posters said if the employers get into the "you are nothing but cattle" mode you'll be in a position to leave without notice when things level off or improve. I have a feeling that some of the turnover, salary and demand issues that prompted part of the 'good times' were a result of this kind of treatment in the first place.
It used to be that if your job turned into a nightmare you could always quit and find a new one. These days, few employees can afford to quit, and the employers know this and take full advantage of it.
Sure, I may be in a position to leave when things level off or improve, but what is there to keep the abused employee sane and productive until then?
In my office (Corporate IT for a fortune 500), our staff is down 33% across the board, but if anything, there is more work to be done, but not enough people left to do it.
If anything, the remaining staff is less productive than before downsizing -- we have the same list of projects and tasks, but now half of the stuff on the list just doesn't get done at all.
It's not like the company planned to cut staff by a third -- but after the official layoffs and salary freeze, the best and brightest employees took off for greener pastures, leaving the lazy and the lifers. The only remaining IT folk either lack the skills or initiative to go find a better job elsewhere, or are just hanging around waiting to 'vest' their 401k.
Combine that with a hiring freeze, and when the really good employees quit (or the really really bad employees are fired), it takes an act of god to hire a replacement.
Nothing better than the confused look on the face of your local "broadband installation expert" when they arrive to install new service and you show them to an otherwise empty room containing a PC (Gateway PC, keyboard, monitor, mouse), a phone jack, a power strip, and absolutely nothing else.
Rather than risk a "real" machine that I actually use, and knowing that the pre-installation instructions requested a Windows machine as part of the new service requirement, I gave them exactly what they asked for.
I did manage to convince the installer to leave the install CD, and I didn't find anything suspicious -- a copy of IETK configured for the provider's home page and search page and a cheesy freeware 'PING' utility.
Five minutes after he left, the "Windows PC" was booting OpenBSD+PF+Squid...
Bulk metallic sodium runs under a buck per pound (15 cents to a dollar), when you are buying a 300# drum. Prices in smaller lots and higher purity are slightly higher, ranging up to around $35/pound for analytical grade.
The higher purity metal makes little or no difference when you are tossing it into a highly impure natural lake.
I wonder how something like a cap dotted with such LEDs would affect a camera. If nothing else you might be able to freak people out by walking past electronics store windows that have cameras demonstrating in them :)
That sounds very similar to an idea I was considering...
My variation is to attach a number of small IR LEDs to the underside of the bill of a baseball cap, aimed so as to direct the light towards your nose and cheekbones, to confound facial-recognition camera systems.
In the winter this could provide some minimal added protection against frostbite:)
Has anybody used InstantSSL [instantssl.com]? They claim to work with IE 5+, NS 4+, AOL 5+ and Opera 5+, which they say is 99% of the browsers in use out there. Sounds like a good deal to me.
I'm hoping to try them out, but they do their validation through Comodo in the UK, and with the time difference, it's taking much longer than it should to get my certificate signed.
I'm looking at using the cert to do some credit card auth for a webhosting company, and I don't really think I'd have a problem turning away that 1% of people who can't upgrade to a browser that came several years ago. That whole 80/20 rule kicks in there. I'm sure somebody who can't be bothered to upgrade to a modern browser is going to be a tech support nightmare.
The way I look at it, the users who cannot be bothered to upgrade the browsers, are also the same users who are going to just 'click through' the "This certificate is not signed by a trusted authority" message, and most of the time, you'll still get their business.
Just this week I have started looking around before we purchase a certificate for a semi-private Internet server. I've found the 'WhichSSL.com' site to be very helpful, especially http://www.whichssl.com/faq/compatibility.html.
Our users are easily alarmed, so we need to use a certificate from CA that is fully trusted by all of the common browsers.
This pretty much limits you to Verisign/Thawte. If you expect that most users will have mostly upgraded to more modern browsers, then your available choices increase dramatically.
I am currently considering InstantSSL... so far it's taken two days, and no signed certificate, but the price (free trial, $49/year) is right.
zoward writes:
... say, "Okay, I'll add it to my list of things to do", and always find other things that are higher priority until the submitter forgets they ever asked for it. If the submitter keeps asking about it... you'll need to take care of it.
I've been working on an Apache+ModPerl project to implement this process as a web page.
Basically, anybody on the system can submit a project, and set what THEY feel the priority should be, relative to their other submissions. But when you go to view your own personal todo list, the program applies your own modifiers to the priorities, giving some submitters and jobs a higher priority based on your subjective view.
The list also shows a little 'nag' button next to each job. Click this, and the job temporarily gets a 'bump' in priority (Multiplier jumps from 1.00 to 1.1 to 1.21, etc). If you don't get nagged about something for a while, the 'bumps' wear off (the multiplier degrades back down to 1.00).
The code isn't anywhere near ready for release....
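A small Python model of the priority scheme described above (submitter priority, personal modifiers, and the 'nag' bump that wears off), added here as an illustration; it is not the poster's Apache+ModPerl code. The linear decay rate per idle day and the per-submitter modifiers are assumptions.

```python
from dataclasses import dataclass

NAG_FACTOR = 1.1       # each 'nag' click: 1.00 -> 1.10 -> 1.21 -> ...
DECAY_PER_DAY = 0.05   # assumption: the bump wears off linearly, 0.05 per day without a nag


@dataclass
class Job:
    title: str
    submitter: str
    submitter_priority: float    # priority the submitter set, relative to their other jobs
    nag_multiplier: float = 1.0  # bump recorded at the time of the last nag
    last_nag_day: int = 0        # day number of the last nag (constructed: integer days)

    def effective_multiplier(self, today: int) -> float:
        """Current bump: the recorded multiplier, decayed back toward 1.00 while unnagged."""
        idle_days = max(0, today - self.last_nag_day)
        return max(1.0, self.nag_multiplier - DECAY_PER_DAY * idle_days)

    def nag(self, today: int) -> float:
        """The 'nag' button: apply any pending decay, then bump by NAG_FACTOR."""
        self.nag_multiplier = self.effective_multiplier(today) * NAG_FACTOR
        self.last_nag_day = today
        return self.nag_multiplier


def effective_priority(job: Job, modifiers: dict, today: int) -> float:
    """Priority as the assignee sees it: submitter's value x personal modifier x nag bump."""
    return (job.submitter_priority
            * modifiers.get(job.submitter, 1.0)
            * job.effective_multiplier(today))


def todo_list(jobs, modifiers: dict, today: int):
    """Personal todo list, highest effective priority first."""
    return sorted(jobs, key=lambda j: effective_priority(j, modifiers, today), reverse=True)


if __name__ == "__main__":
    # Constructed sample: a peer's job nagged twice versus a boss's job weighted 2x.
    peer_job = Job("fix backup", "peer", 5.0)
    boss_job = Job("slides", "boss", 3.0)
    peer_job.nag(0)
    peer_job.nag(0)
    for day in (0, 30):
        ranked = todo_list([boss_job, peer_job], {"boss": 2.0}, day)
        print(day, [(j.title, round(effective_priority(j, {"boss": 2.0}, day), 2)) for j in ranked])
```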
But you stated yourself that you are violating the EULA, that is damaging to the publisher of the software and is not research. It would be defined as 'research' if you had sought the publisher's permission which I doubt you ever did.
Being "research" and being "illegal" are not mutually exclusive. My claim is that I am doing legitimate research on security, even though I may be violating a civil contract between myself (or my employer) and the vendor.
The fact that I did not obtain the publisher's permission does not magically redefine my activity to be "not research".
I bought a sports car. I don't think it goes fast enough. I swap out the intake system, have a machine shop rebore the engine, and I extract the manufacturer's ROM, edit the ROM image to tune the pre-computed fuel curve table, and burn a new ROM for myself.
All of this activity I define as "research". The car manufacturer might not agree, and will void my warranty. But the fact that I do not have permission from them to "hack" my car does not change the definition of my research to something else, it only changes my relationship with the vendor, and precludes me from obtaining future "tech support" from the vendor.
Your comment states you're an OpenBSD fan, OpenBSD gladly allows you to perform research. In that case, use the OpenSource for your research and if you're concerned about the security of COTS then DON'T USE IT!
My clients choose to use non-open-source products. They choose to pay me to perform "research" on these products and supply my results either exclusively to my client, or to Bugtraq. I accept my client's conditions, and perform research for them.
The fact that the company that sold them the hardware or software did not agree to this "research" does not change the definition of my activity.
If my client was "Consumer Reports", would you still have a problem with my research?
Even if the so-called "white" or "grey" hats cease to disclose these vulnerabilities to anyone, it would be virtually impossible for a large number of black hats to keep the exploit to themselves without it getting back to the security community.
It's human nature to brag and to leak.
There are several real-life examples of remote root exploits being held by a (relatively large) group of "black hat" hackers for several years before leaking out to the community at large. For example, there was a Solaris statd exploit that circulated for, IIRC, three years before it "leaked", resulting in a functional patch from Sun.
What's more, I would argue that very few blackhats have the sophistication to come up with original exploits themselves.
It only takes one.
There are some very intelligent people coding for black hats. Many of the brightest people on the legitimate side of network security honed their skills as a black hat, then had a change of heart in the past few years as the threat of criminal charges grew larger, or after suddenly realizing that having a house, a wife, and kids changes your priorities.
They pretty much depend upon the more knowledgeable people that disclose the vulnerabilities to the public. In other words, the community of people having exploits over vulnerable machines would be far smaller.
However, the pool of exploitable machines would be much much larger.
Restricting public exposure of holes has been tried, and found wanting.
Limited distribution of the details of holes was the unwritten law in the 1980's and early 1990s (anybody remember the 'core' list?). This is why the creation of Bugtraq in 1993 was such a big deal. Prior to that, vulnerability information was carefully controlled, distributed to a limited pool of "trusted" admins... including the "daytime personas" of a number of black hats.
This approach did little to keep the black hats from learning about new vulnerabilities and writing exploits, and put little pressure on vendors to patch their software or pro-actively work to limit security holes.
Full-disclosure may not be ideal, but it is better than the alternatives.
Your analogy is interesting, but flawed. Instead imagine that your discovery about the Ford Pinto did not involve rear-end collisions but something that could be induced by making a few modifications to a garage door remote control.
You publish your findings and some incredibly maladjusted person actually builds the device and uses it to blow up every occupied and unoccupied car that he can find. Now the chances of his being able to do this without your having published your discovery are essentially nil. Leaving aside legal responsibility for the moment, are you ethically responsible for the harm that has been done?
It's not just black and white, and (most) software exploits do not result in human deaths.
The "spotless white" hat notifies Ford, but the company ignores the warning and goes on making the Pinto without any changes. The CIA, Mafia, and Mossad learn of the weakness (through leaks or by discovering the issue independently) and build selective exploits, using them against their enemies for several years before the weakness becomes widely known. (This scenario has played out in both physical security and remote software exploits more than once.)
The "light gray" hat tells Ford and his circle of 'leet buddies, and when Ford does not respond, some or all of his research notes are published to a "Full-Disclosure" list. Ford rushes out a fix in record time.
The "pitch black" hat builds selective exploit tools and sells them to the highest bidder.
This goes right to the heart of the Black/Gray/White Hat issue. Knowing that there are Script Kiddies and other malicious forces that will IMMEDIATELY act to turn your published discovery into harmful results and that there is no way the company could both create a fix and fully distribute it fast enough, is it EVER the lesser harm to publish it?
Yes, it can be "the lesser harm" to publish.
I've learned the hard way on more than one occasion that if you don't publish, most vendors will almost certainly not respond in a timely manner. They may create a fix and quietly distribute it in their next scheduled release, or they may just ignore the warning.
Meanwhile, other researchers (including some truly morally bankrupt black hats) are almost certainly looking at the same areas you are, and will eventually discover the same vulnerability independently, and begin to exploit it.
You might say that you are encouraging them to release a fix. But even if they had a fix already created and tested (unlikely), how much harm would occur to machines that did not get a chance to install it fast enough? No, your act of publishing will always create the greater harm.
In case after case it has been demonstrated that for most vendors, nothing short of full disclosure is sufficient for them to take the problem seriously.
I agree that if you're Gray then you're black. You might be Black with good intentions.. but you're still black.
I strongly disagree. The law may define more and more actions as being unlawful (see the DMCA), yet those actions may still be ethically/morally right, and socially acceptable. The US has many such rules, where the law says one thing and society at large says another.
Unless you are specifically asked by a company owner or software maker to exploit security holes, you shouldn't be doing it.
I'm not exactly a "white hat" by most definitions.
My job (and my hobbies) involves legally acquiring software and hardware and testing it, tearing it apart, looking for weak spots.
That includes purchasing items like a Cisco PIX or a software firewall, testing for security holes, and often extends to writing and executing working exploits for these holes, on legally acquired copies running in my test lab.
These actions may violate the vendor's EULA. But they do not ever involve penetration of the network, host, or data belonging to an innocent third party. Do these acts make me a black hat?
If my customer agrees, I report issues to the vendor. If they do not respond, and if my customer agrees, I will post some or all information to a full-disclosure list. What color is my hat now?
If you're concerned about security of the source, then choose an OpenSource alternative or write your own. If you're using a COTS, then ask the publisher for permission to test the software for security holes, most will allow you as long as you're a paying customer. If they don't, you probably don't want to be using that software vendor's application anyways.
Neither I personally nor my employers trust the publisher to do their own testing and report honestly on the results.
While it may be in violation of the law or a civil transgression to "test" software after purchasing a legally licensed copy, I do not agree that such testing turns a grey hat to black.
But we don't need vigilantes running around exploiting everybody's software or network just because they can. It's not research, it's criminal; you've breached somebody's privacy even if you didn't do damage.
I've breached whose privacy? That of the vendor who wrote the software or designed the hardware?
If I legally acquire software and hardware, install it on my private testbed, then exploit the software (locally, in my "sandbox"), it most certainly is research. It may also be criminal. If I take the results of my tests and publish them, that too is research, and under the DMCA or certain EULAs, may be unlawful.
Regardless of how the laws are contorted to depict my actions, I will not accept the label of "black hat" on this basis.
They should not have rewarded the most destruction resistant robot, but the most technically advanced. The idea of a "fight" is simply flawed, and reeks of testosterone driven, cheap male entertainment.
And that is exactly the point.
I like testosterone driven, expensive male entertainment.
I'm not going to spend thousands of dollars to build a cute gee-whiz "technologically advanced" robot. I am planning to spend thousands of dollars to build (and test, and repair) a semi-autonomous fighting robot that I can pit against other similar devices.
There is a lot one could do with robot building skills, instead of investing resources on how to build the next destructive machine. They could cut down on the weight too, some of these beasts weigh as much as 500 lbs.
Yeah sure -- and there is a lot one could do with automobile tuning skills, instead of investing resources to build the next rubber-burning nitrous-powered drag racing machine. Sure, I could have spent the $5K to convert my car to electric power...
But you know what? For many people, big/powerful/fast/dangerous hardware is FUN.
Speaking of male entertainment, Carmen Electra has no business in a friken bot fight.
Okay, on that point I agree with you 100%. They should have gotten Cathy Rogers (Scrapheap challenge, aka Junkyard Wars), or some other photogenic female with a three-digit IQ.
Prior to the recession, a "system administrator" (no security experience or training), a year or two out of college, could pull down $45K in the midwest, and considerably more in CA or NYC.
An experienced computer security person (BS plus 5 years experience plus security-specific training) in his/her late twenties can easily command $90K+ from private industry. For most people, the privilege of carrying a gun and a badge isn't worth the salary cut (and those for whom it is worth it, hopefully they fail the psych tests).
I don't have anything against helping the government catch real (violent) criminals, but if the feds are interested in hiring people with real-world experience, they are going to find it difficult to compete with the salary offered by private industry for experts in this field.
Forget the disdain from the "Special Agents"...
A more personal issue that has not been mentioned, is the special hatred all hackers, white or black hat (or any shade in between), hold in their hearts for the turncoats who dare to "sell out", going to work on the side of the prosecution.
Although the host that stores the script for editing may be on the station internal LAN, with little or no security, the teleprompter itself is unlikely to be networked, and if so, is most likely on a private segment, not the main LAN.
In general, broadcast station teleprompter hardware itself is very old technology, with a simple serial cable to load the script (a text file with some very simple markup sequences to adjust speed, fonts, etc).
Among the cheapest "professional" teleprompters are Stewert, starting around $1K. You can throw together your own home-brew solution for a few bucks, but "real" TV stations are sticking with the old, expensive, pre-MS-Windows solutions.
Usually the producer and on-air talent will run through the script at a high speed (just barely readable without practice) shortly before going on air, so your timing would have to be just right if you want to add any extra little "surprises" with any chance of success.
It's an interesting idea, but even for a live news broadcast, it's not likely that you would slip anything through.
Disclaimer: No affiliation with Smarthome, except as a satisfied customer. I've bought wired cameras and other products from them, never had any problems with SmartHome.
Encrypted communications will not help here, as the software is a "trojan" installed on your PC, logs every keystroke, and intercepts content of email after it has been decrypted.
Basically, if you cannot trust the PC that you are running your HTTPS browser on, you should assume that the encryption is not giving you any protection against the owner of that PC, or anybody else who "0WNZ" that PC...
Personally, I bring my personal laptop to the office each day, run a local firewall on that laptop, connect it to the office LAN, and never install any company-provided binaries on that laptop.
The company provides a corporate-owned business desktop, and I use that machine solely for messages and network traffic that I would not have any problem with the helpdesk people reading -- since the corporate standard is to install LanDesk, I have to assume that the HelpDesk people can and do have access to anything on that machine.
Keep your business life as distinct from your personal life as you possibly can.
A lot of the big routers don't propagate routes for anything smaller than a /19 subnet. I could be wrong about the size, but a /24 is right out.
Any ARIN registered, fully portable /24 will be reliably propagated through BGP.
Most any /19 netmask or larger blocks will also propagate, even if they are not "portable". The issue is the announcement in BGP of smaller subnets, from within ranges that were originally assigned by ARIN as a single large block.
IOW, an ISP with an assigned /16 might "sell" you a /24, and you might attempt to announce a route for this /24 via BGP through a different ISP. That announcement is likely to be filtered out by some backbone providers.
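The filtering rule of thumb described above, written out as a small Python check (an added illustration, not anything from the post or from any router vendor). It assumes three cases: an exact match on a portable assignment is carried, a /19 or shorter is carried, and a more-specific carved out of a provider's aggregate is dropped; the address blocks are constructed sample data.

```python
import ipaddress

# Per the post: /19 or larger blocks propagate; more-specific announcements carved out of a
# provider's aggregate are likely filtered; an ARIN-registered portable /24 is reliably carried.
MIN_PROPAGATED_PREFIXLEN = 19

# Constructed sample data (documentation ranges, not real allocations).
SAMPLE_PORTABLE = ["203.0.113.0/24"]          # registered directly to the announcer
SAMPLE_PROVIDER_AGGREGATES = ["198.51.0.0/16"]  # a block ARIN gave an ISP, sub-leased to customers


def would_propagate(announced, portable_assignments, provider_aggregates):
    """Decide whether an announcement survives the prefix-length/aggregate filtering described.

    Returns (accepted: bool, reason: str).
    """
    net = ipaddress.ip_network(announced, strict=True)
    portable = [ipaddress.ip_network(p) for p in portable_assignments]
    aggregates = [ipaddress.ip_network(a) for a in provider_aggregates]

    if net in portable:
        return True, "exactly matches a portable assignment"
    if net.prefixlen <= MIN_PROPAGATED_PREFIXLEN:
        return True, f"/{net.prefixlen} is at least a /{MIN_PROPAGATED_PREFIXLEN}"
    for agg in aggregates:
        # subnet_of() only compares same-version networks, so guard the version first.
        if net.version == agg.version and net.subnet_of(agg):
            return False, f"more-specific of provider aggregate {agg}; likely filtered"
    return False, f"/{net.prefixlen} is smaller than /{MIN_PROPAGATED_PREFIXLEN} and not portable"


if __name__ == "__main__":
    for prefix in ("203.0.113.0/24", "198.51.100.0/24", "198.51.96.0/19", "192.0.2.0/24"):
        ok, why = would_propagate(prefix, SAMPLE_PORTABLE, SAMPLE_PROVIDER_AGGREGATES)
        print(f"{prefix:18} {'carried' if ok else 'filtered':8} ({why})")
```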
They're not the same thing, or at least they shouldn't be. Flash memory is *really* slow, fast random access, but spectacularly slow read/write. And it wears out. A good quality flash drive should be a stack of DRAM, a battery, and some way of backing up the DRAM when the power gets yanked (and vice versa). As you can imagine, this costs a bit and since it has low demand, it is also expensive.
You're thinking of a RAM drive. These usually present a SCSI interface, and are really horrendously expensive. Often used to accelerate database performance on mid-range ($100K) Solaris servers.
There are a number of companies selling actual "flash" drives, both as CF-to-IDE harnesses and custom packaged in a laptop-drive form factor.
These are nothing like RAM drives, and in fact are not really any more sophisticated than your standard "Compact Flash" storage card.
2. The entire OpenBSD tree was modified.
...
There have been backdoors in the kernel, openssh, and numerous other areas since OpenBSD 3.0.
I highly doubt the truth of these statements... Just another anti-BSD troll?
This does bring up a good point... has anybody built a "meta-CVS", a mechanism where I can do a CVS checkout from a public repository, diff the checkout against the one I did yesterday, and then check-in to my own private CVS showing the date, the purported actual change/committer, and the real diff between the two code revs?
If "the entire OpenBSD tree was modified", a simple DIFF would tell the story. I have every OpenBSD release set since 2.4, each of which includes a full source tree.
It would be trivial to do a straight file-for-file diff between the Kernel sources for 2.9/3.0/3.1/current and see exactly what changed and approximately when, and compare this to what CVS claims was officially changed.
I have migrated my entire network away from OpenBSD.
Migrated "away" to what platform?
I urge someone to take up the project and audit the code, and fork it off. It's a great idea, a great package, and very lightweight, but it is no longer secure.
Assuming you can find checkouts for the appropriate time range, doing diffs for the core kernel code between November 2001 and January 2002 should not be a huge task. But I'm not going to put the effort in on the word of an "anonymous coward".
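The release-tree audit sketched in the "meta-CVS" idea above, as an added Python example (not the poster's code, and not run against a real OpenBSD tree): hash every file in two source trees, list what actually changed, and flag changes that no commit log accounts for. The two tiny trees and the "claimed" file list are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every regular file under root (as a relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "CVS"]  # skip CVS bookkeeping directories
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(old, new):
    """Return which files were added, removed, or modified between two checkouts/releases."""
    old_d, new_d = hash_tree(old), hash_tree(new)
    return {
        "added": sorted(set(new_d) - set(old_d)),
        "removed": sorted(set(old_d) - set(new_d)),
        "modified": sorted(p for p in old_d.keys() & new_d.keys() if old_d[p] != new_d[p]),
    }


def audit(diff, claimed_changes):
    """Compare the real diff with the set of files the VCS log claims were touched."""
    claimed = set(claimed_changes)
    actually_changed = set(diff["added"]) | set(diff["removed"]) | set(diff["modified"])
    return {
        "unexplained": sorted(actually_changed - claimed),  # content changed, no commit says so
        "phantom": sorted(claimed - actually_changed),      # commit logged, content identical
    }


def build_sample_trees():
    """Constructed sample: two tiny 'release' trees in a temp dir (hypothetical paths, not OpenBSD)."""
    base = Path(tempfile.mkdtemp(prefix="treeaudit-"))
    old, new = base / "rel-old", base / "rel-new"
    files_old = {
        "sys/kern/init_main.c": "int main(void) { return 0; }\n",
        "sys/kern/kern_exec.c": "/* exec */\n",
        "usr.bin/ssh/auth.c": "int auth(const char *u) { return check(u); }\n",
    }
    files_new = dict(files_old)
    files_new["sys/kern/init_main.c"] = "int main(void) { init(); return 0; }\n"  # logged change
    files_new["usr.bin/ssh/auth.c"] = "int auth(const char *u) { return 1; }\n"   # not in the log
    files_new["sys/kern/kern_newfile.c"] = "/* new */\n"                          # logged addition
    for root, files in ((old, files_old), (new, files_new)):
        for rel, text in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
    # What the (constructed) commit log claims changed between the two releases.
    claimed = {"sys/kern/init_main.c", "sys/kern/kern_newfile.c", "sys/kern/kern_exec.c"}
    return old, new, claimed


if __name__ == "__main__":
    old, new, claimed = build_sample_trees()
    d = diff_trees(old, new)
    print("real diff:", d)
    print("audit:", audit(d, claimed))
```

Any path listed under "unexplained" is exactly the kind of change the post wants surfaced: the file content differs between releases, but no commit in the log accounts for it.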
"OK, so let's suppose I walk into your house and go into your bathroom right now. What magazines would I find on your toilet tank, or wherever else you keep magazines you read often?"
I don't keep magazines on the toilet tank, at least not since I got the Cat-5 drop into the bathroom working.
Pretty much takes care of the Penthouse issue as well ;-)
Not always. For example, my high school cheated on 'rank in class', reporting a class rank that was misleading, if not entirely dishonest. My graduating class was just shy of 400 students, but the lowest ranked kid was ranked as "325/400".
Class rankings were calculated on a big old mainframe (IBM MUSIC/SP), which would print out your class rank on your report card each quarter, and on the official transcript provided to universities with your application.
The "trick" was, the administrators felt it was unfair that if you had a grade average of 103.1 (due to honors, AP, etc 'bonus' points), at the start of the senior year and were ranked #3, and #4 and #5 improved their grades and at the end of the first quarter of senior year all three of you had a 103.1 average, then they would not lower your ranking, they would rank all three of you at #3. Ditto for everybody else down the line.
The didn't correct for these when reporting "top X percent of graduating class", so the "top 25%" of students made up closer to 40% of the graduating class...
End result, Nearly seventy percent of my graduating class came from the top half of the class.
Upper management doesn't know employees by name, they just know that they need to reduce the headcount (salary+benefits+overhead) cost for a particular department by some dollar figure. Having the CEO/VP downsize by picking who to terminate by name is micromanagement carried to a ludicrous extreme.
The department directors and managers know who among their direct reports they can afford to fire to meet their target $$$ figure without paralyzing their department...
Great, now your job depends on making all of your cow-orkers like you. So "Sally the office slut" keeps her job, and meanwhile the slacker faction will "vote off" anybody whose high productivity makes them look bad.Just what we need, even more "office politics" with even more immediate consequences if you do not play the game.
Two years ago, I knew that hard work and initiative would be rewarded with bonuses, raises, promotion. Today I know that no matter how productive you are, there is no chance of any such recognition, and the best most productive model employee has more immunity from "downsizing" than the least productive clock-watcher.
krinsh writes:
Sounds good, but what if I am here because this was what I had chosen to do for a living, and I used to enjoy it, but now cutbacks, overwork, and micromanagement (as managers try to protect their own jobs) are making it more and more difficult to drag myself out of bed each morning.
I could quit, but unless I want to move out of state, there are no job openings in my field here. Even my quitting would not create a job opening in my field -- few companies are hiring to fill open positions, including positions created by employees who quit or are fired for cause.
It used to be that if your job turned into a nightmare you could always quit and find a new one. These days, few employees can afford to quit, and the employers know this and take full advantage of it.Sure, I may in a position to leave when things level off or improve, but what is there to keep the abused employee sane and productive until then?
If anything, the remaining staff is less productive than before downsizing -- we have the same list of projects and tasks, but now half of the stuff on the list just doesn't get done at all.
It's not like the company planned to cut staff by a third -- but after the official layoffs and salary freeze, the best and brightest employees took off for greener pastures, leaving the lazy and the lifers. The only remaining IT folk either lack the skills or initiative to go find a better job elsewhere, or are just hanging around waiting to 'vest' their 401k.
Combine that with a hiring freeze, and when the really good employees quit (or the really really bad employees are fired), it takes an act of god to hire a replacement.
IT's better than unemployment, barely...
Similar gripe with their belts (Khaki and Navy) and ankle socks (khaki and white)
Rather than risk a "real" machine that I actually use, and knowing that the pre-installation instructions requested a Windows machine as part of the new service requirement, I gave them exactly what they asked for.
I did manage to convince the installer to leave the install CD, and I didn't find anything suspicious -- a copy of IETK configured for the provider's home page and search page and a cheesy freeware 'PING' utility.
Five minutes after he left, the "Windows PC" was booting OpenBSD+PF+Squid...
Bulk metallic sodium runs under a buck per pound (15 cents to a dollar), when you are buying a 300# drum. Prices in smaller lots and higher purity are slightly higher, ranging up to around $35/pound for analytical grade.
The higher purity metal makes little or no difference when you are tossing it into a highly impure natural lake.
My variation is to attach a number of small IR LEDs to the underside of the bill of a baseball cap, aimed so as to direct the light towards your nose and cheekbones, to confound facial-recognition camera systems.
In the winter this could provide some minimal added protection against frostbite :)
The way I look at it, the users who cannot be bothered to upgrade their browsers are also the same users who are going to just 'click through' the "This certificate is not signed by a trusted authority" message, and most of the time, you'll still get their business.
Our users are easily alarmed, so we need to use a certificate from a CA that is fully trusted by all of the common browsers. This pretty much limits you to Verisign/Thawte. If you expect that most users will have mostly upgraded to more modern browsers, then your available choices increase dramatically.
I am currently considering InstantSSL... so far it's taken two days, and no signed certificate, but the price (free trial, $49/year) is right.
Basically, anybody on the system can submit a project, and set what THEY feel the priority should be, relative to their other submissions. But when you go to view your own personal todo list, the program applies your own modifiers to the priorities, giving some submitters and jobs a higher priority based on your subjective view.
The list also shows a little 'nag' button next to each job. Click this, and the job temporarily gets a 'bump' in priority (Multiplier jumps from 1.00 to 1.1 to 1.21, etc). If you don't get nagged about something for a while, the 'bumps' wear off (the multiplier degrades back down to 1.00).
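The priority scheme described above, as an added example that is not the poster's own code: submitters set a base priority, each viewer applies their own per-submitter and per-job modifiers, and a 'nag' click multiplies the job's bump by 1.1 (1.00, 1.10, 1.21, ...). The decay rule is an assumption, since the post only says the bumps "wear off": here the bump shrinks linearly by 0.05 per day without a nag, never dropping below 1.00. All names, weights and jobs are constructed.

```python
"""Constructed example of a nag-bumped, viewer-weighted todo list."""
from dataclasses import dataclass, field

NAG_FACTOR = 1.1        # each nag multiplies the bump: 1.00 -> 1.10 -> 1.21 ...
DECAY_PER_DAY = 0.05    # assumed decay rate: bump shrinks by 0.05 per day without a nag


@dataclass
class Job:
    job_id: str
    submitter: str
    base_priority: float          # set by the submitter, relative to their own jobs
    nag_multiplier: float = 1.0   # bump as of the last nag (before decay)
    last_nag_day: float = 0.0     # day number of the last nag click


@dataclass
class Viewer:
    name: str
    # The viewer's subjective opinion of each submitter and of specific jobs.
    submitter_weight: dict = field(default_factory=dict)
    job_weight: dict = field(default_factory=dict)


def current_multiplier(job: Job, today: float) -> float:
    """Bump wears off linearly since the last nag, never dropping below 1.00."""
    elapsed = max(0.0, today - job.last_nag_day)
    return max(1.0, job.nag_multiplier - DECAY_PER_DAY * elapsed)


def nag(job: Job, today: float) -> float:
    """Apply a nag click: decay any old bump first, then multiply by NAG_FACTOR."""
    job.nag_multiplier = current_multiplier(job, today) * NAG_FACTOR
    job.last_nag_day = today
    return round(job.nag_multiplier, 4)


def effective_priority(job: Job, viewer: Viewer, today: float) -> float:
    """Submitter's base priority, scaled by the viewer's modifiers and the nag bump."""
    w_sub = viewer.submitter_weight.get(job.submitter, 1.0)
    w_job = viewer.job_weight.get(job.job_id, 1.0)
    return round(job.base_priority * w_sub * w_job * current_multiplier(job, today), 4)


def todo_list(jobs, viewer: Viewer, today: float):
    """Jobs as the viewer sees them, highest effective priority first."""
    ranked = sorted(jobs, key=lambda j: effective_priority(j, viewer, today), reverse=True)
    return [(j.job_id, effective_priority(j, viewer, today)) for j in ranked]


if __name__ == "__main__":
    # Constructed sample: two submitters, one viewer who trusts bob half as much.
    jobs = [Job("A", "alice", 5.0), Job("B", "bob", 8.0), Job("C", "alice", 3.0)]
    me = Viewer("me", submitter_weight={"bob": 0.5}, job_weight={"C": 2.0})
    print(todo_list(jobs, me, today=0))
    nag(jobs[0], today=0)
    nag(jobs[0], today=0)
    print(todo_list(jobs, me, today=2))
```

Two nags on the same day take job A from 1.00 to 1.21; by day 2 the bump has decayed to 1.11, and by day 10 it is back at 1.00.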
The code isn't anywhere near ready for release....
The fact that I did not obtain the publisher's permission does not magically redefine my activity to be "not research".
I bought a sports car. I don't think it goes fast enough. I swap out the intake system, have a machine shop rebore the engine, and I extract the manufacturer's ROM, edit the ROM image to tune the pre-computed fuel curve table, and burn a new ROM for myself.
All of this activity I define as "research". The car manufacturer might not agree, and will void my warranty. But the fact that I do not have permission from them to "hack" my car does not change the definition of my research to something else, it only changes my relationship with the vendor, and precludes me from obtaining future "tech support" from the vendor.
My clients choose to use non-open-source products. They choose to pay me to perform "research" on these products and supply my results either exclusively to my client, or to Bugtraq. I accept my client's conditions, and perform research for them. The fact that the company that sold them the hardware or software did not agree to this "research" does not change the definition of my activity.
If my client was "Consumer Reports", would you still have a problem with my research?
Consumer Reports buys all the items they test from retail outlets, and does not ask the manufacturer for permission to perform their "research": http://www.consumerreports.org/static/popup/didyouknow.html
There are some very intelligent people coding for black hats. Many of the brightest people on the legitimate side of network security honed their skills as a black hat, then had a change of heart in the past few years as the threat of criminal charges grew larger, or after suddenly realizing that having a house, a wife, and kids changes your priorities. However, the pool of exploitable machines would be much much larger.
Restricting public exposure of holes has been tried, and found wanting. Limited distribution of the details of holes was the unwritten law in the 1980's and early 1990s (anybody remember the 'core' list?). This is why the creation of Bugtraq in 1993 was such a big deal. Prior to that, vulnerability information was carefully controlled, distributed to a limited pool of "trusted" admins... including the "daytime personas" of a number of black hats.
This approach did little to keep the black hats from learning about new vulnerabilities and writing exploits, and put little pressure on vendors to patch their software or pro-actively work to limit security holes.
Full-disclosure may not be ideal, but it is better than the alternatives.
The "spotless white" hat notifies Ford, but the company ignores the warning and goes on making the Pinto without any changes. The CIA, Mafia, and Mossad learn of the weakness (through leaks or by discovering the issue independently) and build selective exploits, using them against their enemies for several years before the weakness becomes widely known. (This scenario has played out in both physical security and remote software exploits more than once.)
The "light gray" hat tells Ford and his circle of 'leet buddies, and when Ford does not respond, some or all of his research notes are published to a "Full-Disclosure" list. Ford rushes out a fix in record time.
The "pitch black" hat builds selective exploit tools and sells them to the highest bidder.
Yes, it can be "the lesser harm" to publish. I've learned the hard way on more than one occasion that if you don't publish, most vendors will almost certainly not respond in a timely manner. They may create a fix and quietly distribute it in their next scheduled release, or they may just ignore the warning.
Meanwhile, other researchers (including some truly morally bankrupt black hats) are almost certainly looking at the same areas you are, and will eventually discover the same vulnerability independently, and begin to exploit it.
In case after case it has been demonstrated that for most vendors, nothing short of full disclosure is sufficient for them to take the problem seriously. My job (and my hobbies) involves legally acquiring software and hardware and testing it, tearing it apart, looking for weak spots.
That includes purchasing items like a Cisco PIX or a software firewall, testing for security holes, and often extends to writing and executing working exploits for these holes, on legally acquired copies running in my test lab.
These actions may violate the vendor's EULA. But they do not ever involve penetration of the network, host, or data belonging to an innocent third-party. Do these acts make me a black hat?
Neither I personally nor my employers trust the publisher to do their own testing and report honestly on the results. If my customer agrees, I report issues to the vendor. If they do not respond, and if my customer agrees, I will post some or all information to a full-disclosure list. What color is my hat now?
While it may be in violation of the law or a civil transgression to "test" software after purchasing a legally licensed copy, I do not agree that such testing turns a grey hat to black.
I've breached whose privacy? That of the vendor who wrote the software or designed the hardware?
If I legally acquire software and hardware, install it on my private testbed, then exploit the software (locally, in my "sandbox"), it most certainly is research. It may also be criminal. If I take the results of my tests and publish them, that too is research, and under the DMCA or certain EULAs, may be unlawful.
Regardless of how the laws are contorted to depict my actions, I will not accept the label of "black hat" on this basis.
I like testosterone driven, expensive male entertainment.
I'm not going to spend thousands of dollars to build a cute gee-whiz "technologically advanced" robot. I am planning to spend thousands of dollars to build (and test, and repair) a semi-autonomous fighting robot that I can pit against other similar devices.
Yeah sure -- and there is a lot one could do with automobile tuning skills, instead of investing resources to build the next rubber-burning nitrous-powered drag racing machine. Sure, I could have spent the $5K to convert my car to electric power... But you know what? For many people, big/powerful/fast/dangerous hardware is FUN.
Okay, on that point I agree with you 100%. They should have gotten Cathy Rogers (Scrapheap Challenge, aka Junkyard Wars), or some other photogenic female with a three-digit IQ.
An experienced computer security person (BS plus 5 years experience plus security-specific training) in his/her late twenties can easily command $90K+ from private industry. For most people, the privilege of carrying a gun and a badge isn't worth the salary cut (and those for whom it is worth it, hopefully they fail the psych tests).
I don't have anything against helping the government catch real (violent) criminals, but if the feds are interested in hiring people with real-world experience, they are going to find it difficult to compete with the salary offered by private industry for experts in this field.
Forget the disdain from the "Special Agents"...
A more personal issue that has not been mentioned, is the special hatred all hackers, white or black hat (or any shade in between), hold in their hearts for the turncoats who dare to "sell out", going to work on the side of the prosecution.
In general, broadcast station teleprompter hardware itself is very old technology, with a simple serial cable to load the script (a text file with some very simple markup sequences to adjust speed, fonts, etc)
Among the cheapest "professional" teleprompters are Stewert, starting around $1K. You can throw together your own home-brew solution for a few bucks, but "real" TV stations are sticking with the old, expensive, pre-MS-Windows solutions.
Usually the producer and on-air talent will run through the script at a high speed (just barely readable without practice) shortly before going on air, so your timing would have to be just right if you want to add any extra little "surprises" with any chance of success.
It's an interesting idea, but even for a live news broadcast, it's not likely that you would slip anything through.
They have a large variety of surveillance products, at various price/durability levels.
Disclaimer: No affiliation with Smarthome, except as a satisfied customer. I've bought wired cameras and other products from them, never had any problems with SmartHome.
Encrypted communications will not help here, as the software is a "trojan" installed on your PC, logs every keystroke, and intercepts content of email after it has been decrypted.
Basically, if you cannot trust the PC that you are running your HTTPS browser on, you should assume that the encryption is not giving you any protection against the owner of that PC, or anybody else who "0WNZ" that PC...
Personally, I bring my personal laptop to the office each day, run a local firewall on that laptop, connect it to the office LAN, and never install any company-provided binaries on that laptop.
The company provides a corporate-owned business desktop, and I use that machine solely for messages and network traffic that I would not have any problem with the helpdesk people reading -- since the corporate standard is to install LanDesk, I have to assume that the HelpDesk people can and do have access to anything on that machine.
Keep your business life as distinct from your personal life as you possibly can.
Any ARIN registered, fully portable /24 will be reliably propagated through BGP.
Most any /19 netmask or larger blocks will also propagate, even if they are not "portable". The issue is the announcement in BGP of smaller subnets, from within ranges that were originally assigned by ARIN as a single large block.
IOW, an ISP with an assigned /16 might "sell" you a /24, and you might attempt to announce a route for this /24 via BGP through a different ISP. That announcement is likely to be filtered out by some backbone providers.
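The filtering behaviour the three paragraphs above describe, as an added example rather than any ISP's real policy: prefixes of /19 or shorter are accepted from any origin, a /24 is accepted only when it is a directly registered (portable) block, and a /24 carved out of a provider's larger aggregate is accepted only when announced through that provider. The 10.10.0.0/16 aggregate, the 192.0.2.0/24 portable block, the ISP names and the /19 and /24 thresholds are constructed assumptions, as is the registry table itself.

```python
"""Constructed example: a BGP prefix filter modelling 'portable' vs sub-allocated blocks."""
import ipaddress
from typing import Tuple

MAX_ACCEPTED_LEN = 24   # assumption: nothing longer than /24 is accepted at all
AGGREGATE_LEN = 19      # assumption: /19 and shorter propagate regardless of origin

# Constructed registry data (not real allocations):
# blocks assigned directly by the RIR and therefore portable ...
PORTABLE_BLOCKS = [ipaddress.ip_network("192.0.2.0/24")]
# ... and large aggregates assigned to providers, who may sub-allocate pieces.
PROVIDER_AGGREGATES = {"isp-a": ipaddress.ip_network("10.10.0.0/16")}


def filter_announcement(prefix: str, origin_isp: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a route announcement heard via origin_isp."""
    net = ipaddress.ip_network(prefix, strict=True)

    if net.prefixlen > MAX_ACCEPTED_LEN:
        return False, f"{net} is longer than /{MAX_ACCEPTED_LEN}"

    # Large blocks propagate whether or not they are 'portable'.
    if net.prefixlen <= AGGREGATE_LEN:
        return True, f"{net} is an aggregate of /{AGGREGATE_LEN} or shorter"

    # A small block is fine if the registry shows it was assigned directly.
    if any(net == p or net.subnet_of(p) for p in PORTABLE_BLOCKS):
        return True, f"{net} is a directly registered (portable) block"

    # Otherwise it must be a more-specific of somebody's aggregate.
    for isp, aggregate in PROVIDER_AGGREGATES.items():
        if net.subnet_of(aggregate):
            if isp == origin_isp:
                return True, f"{net} is announced by {isp}, holder of {aggregate}"
            return False, (f"{net} is a more-specific of {aggregate} ({isp}) "
                           f"but was announced via {origin_isp}")

    return False, f"{net} is not covered by any known registration"


if __name__ == "__main__":
    # Constructed announcements: the /24 "sold" by isp-a but announced via isp-b is dropped.
    for prefix, via in [("10.10.0.0/19", "isp-b"), ("192.0.2.0/24", "isp-b"),
                        ("10.10.5.0/24", "isp-a"), ("10.10.5.0/24", "isp-b"),
                        ("192.0.2.0/25", "isp-b")]:
        accepted, why = filter_announcement(prefix, via)
        print("ACCEPT" if accepted else "REJECT", why)
```

The interesting case is the fourth announcement: the same 10.10.5.0/24 passes when it comes through the provider that holds the /16, and is filtered when it arrives through a different provider.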
You're thinking of a RAM drive. These usually present a SCSI interface, and are really horrendously expensive. Often used to accelerate database performance on mid-range ($100K) solaris servers.
There are a number of companies selling actual "flash" drives, both as CF-to-IDE harnesses and custom packaged in a laptop-drive form factor.
These are nothing like RAM drives, and in fact are not really any more sophisticated than your standard "Compact Flash" storage card.
Here's an example with some specs: http://www.acal.be/products/el/active/sandisk/sanchip.htm
I have a couple of 64Mb models, you can often find them on Ebay at reasonable prices. I use them to build Diskless FreeBSD hosts.
This does bring up a good point... has anybody built a "meta-CVS", a mechanism where I can do a CVS checkout from a public repository, diff the checkout against the one I did yesterday, and then check-in to my own private CVS showing the date, the purported actual change/committer, and the real diff between the two code revs?
If "the entire OpenBSD tree was modified", a simple DIFF would tell the story. I have every OpenBSD release set since 2.4, each of which includes a full source tree.
It would be trivial to do a straight file-for-file diff between the Kernel sources for 2.9/3.0/3.1/current and see exactly what changed and approximately when, and compare this to what CVS claims was officially changed.
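The "meta-CVS" check described above (diff today's checkout against yesterday's, and compare the real changes with what the commit log claims), as an added example that is not the poster's tool: it hashes every file in two snapshot trees, reports added, removed and modified paths, and lists the files that changed without being mentioned in the claimed change list. The two trees, their file names and the claimed change list are all constructed inside the block; the paths merely look like a kernel tree and are not taken from any real repository.

```python
"""Constructed example: compare two source-tree snapshots against claimed changes."""
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_trees(old_root: Path, new_root: Path) -> dict:
    """File-for-file comparison of two snapshots, independent of any commit log."""
    old, new = tree_hashes(old_root), tree_hashes(new_root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(f for f in old.keys() & new.keys() if old[f] != new[f]),
    }


def unclaimed_changes(report: dict, claimed) -> list:
    """Files that really changed but the claimed change list never mentions."""
    actual = set(report["added"]) | set(report["removed"]) | set(report["modified"])
    return sorted(actual - set(claimed))


def _write_tree(root: Path, files: dict) -> None:
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def build_sample_trees() -> tuple:
    """Constructed 'yesterday' and 'today' checkouts (assumed paths, not real sources)."""
    base = Path(tempfile.mkdtemp(prefix="metacvs_"))
    old_root, new_root = base / "old", base / "new"
    _write_tree(old_root, {
        "sys/kern/kern_exec.c": "int a;\n",
        "sys/net/if.c": "int b;\n",
        "sys/README": "sample tree\n",
    })
    _write_tree(new_root, {
        "sys/kern/kern_exec.c": "int a = 1;\n",          # claimed in the log
        "sys/net/if.c": "int b; /* quietly altered */\n",  # not claimed anywhere
        "sys/README": "sample tree\n",                   # unchanged
        "sys/net/new.c": "int c;\n",                     # added, not claimed
    })
    return old_root, new_root


def audit_sample() -> tuple:
    """Run the comparison on the constructed trees; returns (report, unclaimed)."""
    old_root, new_root = build_sample_trees()
    report = compare_trees(old_root, new_root)
    claimed = ["sys/kern/kern_exec.c"]   # what the constructed commit log admits to
    return report, unclaimed_changes(report, claimed)


if __name__ == "__main__":
    report, suspicious = audit_sample()
    print("real changes:", report)
    print("changed but not claimed:", suspicious)
```

Hashing whole files keeps the check cheap across a large tree; once a path shows up as changed-but-unclaimed, a normal line-level diff of just that file tells you what was altered.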
Migrated "away" to what platform? Assuming you can find checkouts for the appropriate time range, doing diffs for the core kernel code between November 2001 and January 2002 should not be a huge task. But I'm not going to put the effort in on the word of an "anonymous coward".
I don't keep magazines on the toilet tank, at least not since I got the Cat-5 drop into the bathroom working.
Pretty much takes care of the Penthouse issue as well ;-)