Slashdot Mirror


User: dancornell

dancornell's activity in the archive.

Stories: 0
Comments: 12

Comments · 12

  1. Smartphone Developers: Take Note on AT&T Leaks Emails Addresses of 114,000 iPad Users · Score: 5, Insightful

    This is certainly a high-profile breach, but not apparently immediately catastrophic. However, it does provide a number of lessons for organizations and developers building smartphone applications (iPhone, iPad, Android, Blackberry, Windows Mobile, etc.). All of the issues with the AT&T/Apple infrastructure for the iPad are known web application security issues. Smartphone developers need to learn from the past or they are going to repeat the mistakes of web application and AJAX/RIA application developers.

    I put together some more in-depth comments here:
    4 Lessons From the AT&T/Apple Data Breach for Smartphone App Developers

    --Dan
    @danielcornell

  2. Re:OWASP, Matching the training to the individual on Application Security Testing and Training? · Score: 1

    Site is up. Apparently the service provider who provides our DNS is being DDoS'd right now. Super...

    --Dan

  3. OWASP, Matching the training to the individual on Application Security Testing and Training? · Score: 4, Interesting

    For background information I highly recommend the Open Web Application Security Project (http://www.owasp.org/). There are local chapters all over the world that should have regular meetings - I help run the San Antonio chapter.

    The important thing is to target any training so that it matches the background of those being trained. I have done work with IT Audit groups and they wanted to learn how to do application security assessments themselves. Given their background this simply was not in the cards so we instead focused their attention on how to audit the assessment process to make sure that tools were being used properly and the outcomes of the assessments were being addressed by the development teams. Training for network security folks can include how to run scanning tools and interpret the results, as well as how to do some manual testing of their own. Developers can obviously learn about the assessment process, but will ultimately need training on how to design and code secure systems. In any case, the important thing is to match the training being given with the job responsibilities and capabilities of those being trained.

    As for groups that do this sort of training, obviously I am biased, but my company Denim Group (http://www.denimgroup.com/) does application security training for developers, auditors, QA and network security folks. McAfee and Symantec offer courses as well.

    Thanks,

    Dan

  4. Advantages of leasing on Is Leasing Really Worth It? · Score: 5, Informative

    I am not an accountant, but I am a small business owner so I have some idea about this stuff.

    The advantages of leasing are primarily:

    1. cash flow benefits
    2. tax benefits

    One of the primary things that small businesses (well, all businesses, but especially small businesses) have to manage is their cash on hand and their cash flow (when cash shows up, when it leaves). If I have to buy a $3000 server and I pay cash then I need to have $3000 cash right now and that cash goes away. If I lease that server, then I might have monthly payments of $50/month. Over the life of using the equipment I pay more, but at the outset I don't have to have all of that cash around.

    Also, when you pay money to buy something of value, for tax purposes you don't take all of that cost off your profit immediately (you pay taxes on profits, not gross income). You have to depreciate it out over a period of time which is supposed to represent the useful life of the equipment. This means that while you might have paid the money out (in cash) you can't claim that the money has all gone away yet for tax purposes. Not fun!

    When you lease an item the leasing company owns that capital expenditure and so they depreciate the item. Your monthly payments can be treated as expenses so they come off your taxable profits immediately. Plus you don't have to account for the depreciation, etc.

    In my business most of my costs are salaries for my people, not workstations for them to use, so workstation costs are a small fraction of my expenses. It makes sense just to buy a decent workstation outright rather than haggle with the lease people and try to return or buy out the equipment later on. Other businesses will operate differently.

    My $.02

  5. Dell laptops? Or HP? on Toshiba Recalls Notebook RAM · Score: -1, Redundant

    Isn't the linked article about HP laptops and not Dell laptops?

  6. Be wary of the Pyrrhic victory on Executing a Mass Departmental Exodus in the Workplace? · Score: 2, Insightful

    I have some experience with this type of situation because I founded a company that was acquired and stayed along as they did an extra-professional job of ruining the organization I had built with my original partners. All of our original employees and the great team we built up after the acquisition were extremely disappointed to find what was previously an excellent company to work for turn into a hell-on-earth mess.

    There are a couple of important things you might want to think about before having a mass walk-out at your current company:

    Why the mass walk out? Is it to "teach management a lesson" and make yourselves feel better? If so, you should probably realize that everyone is better served if the people who are dissatisfied simply find other jobs (or don't find jobs if they have enough cash to ride out some unemployment) and leave in an orderly fashion. Give your two weeks notice, go to your next job, and hopefully you'll find yourself in a better situation.

    Staging some sort of apocalyptic last battle that leaves the company IT department in shambles might be fun to fantasize about and possibly even fun to execute, but you really need to think about what actual benefits this will provide. Possibly some of the people who quit are now unemployed and under the gun to find something else. Possibly there are some people left behind in management who were actually all right folks who are now in a really hard position. Almost certainly anyone who is left behind to pick up the pieces isn't going to be a terribly useful reference for future work.

    In a situation like this it is key to determine what value there is in striking a "victory" against your old department. A Pyrrhic victory is a victory where so much damage has been done to all parties involved that it is hard to actually call the nominal winner a true victor. Adopting a scorched earth mentality might be a fun posture to adopt, but dealing with the consequences can be pretty unpleasant for _everyone_ involved.

    I had to sit around and watch the company I built go to hell. The smart people just found other jobs, said their goodbyes, and went on to bigger and better things - everyone stayed friends. Other people chose to sabotage the operation by sending employee lists to recruiters, complaining about things that weren't going to change, and just generally adding to an already terrible situation. These people all left or got laid off eventually, but they also destroyed a number of professional relationships that did not have to end with their attachment to the original company.

    In short, please leave your job if it sucks because life is too short to work at a shitty job (unless you're contractually required to stay like I was). However, take a moment to think about how you leave that job and be sure that your actions actually contribute to your long term happiness and professional development rather than just making you feel good when you tell The Man to take his job and suck it.

  7. Re:OK on Notifications of Security Breaches · Score: 1

    I don't know, but that was certainly too much "personal information."

  8. Re:Compliant or not? on Sun 'Calls JBoss bluff' on J2EE compliance · Score: 5, Informative

    Even beyond discussing non-standard extensions, there are facets of application development/deployment that are not covered by the J2EE spec. Therefore, in order to provide the environment the application expects, there is application-server specific configuration that must go on.

    Specifically, this is often the case in setting up the JNDI tree for the application and for the individual components (java:/comp/env/) as well as configuring features like EJB 2.0 CMP where you must map database fields to Entity EJB fields, and configuring the specific JMS queues and topics that you want to connect your Message Driven Beans to.

    JBoss uses a jboss.xml config file, BEA WebLogic uses a different configuration file, and other application servers use their own file formats and tools. JBoss offers a tool that helps migrate WebLogic configuration files to their XML format. This doesn't cover non-standard extensions, but it does cover converting many of the application-server configuration options.

  9. Re:what gives? on BEA WebLogic Server Bible · Score: 1

    I believe the "cross platform" comment would be better interpreted as "between development and deployment platforms". Hard coding things like JNDI properties is guaranteed to cause troubles when you move your app from one developer's machine to another or from a test environment to deployment.

    The point is that code examples should employ best practices so that people who are learning new technologies learn to use them correctly from the outset.

  10. Re:What about Xiamian? on Can We Finally Ditch Exchange? · Score: 0, Redundant

    Their Evolution product does some of this. It does individual calendaring and email management, and it has a connector for Exchange, but I don't believe that there is a server version of the software. You can set up appointments and whatnot peer-to-peer, but there is no centralized repository like there is in Exchange. So you can't check other people's schedules or reserve rooms or do other groupware-type stuff that Exchange lets you do (I don't think).

  11. Re:THANKS FOR REPEATING EXACTLY WHAT WAS IN THE ST on The Day The Music Died: Windows Media and DRM · Score: 2, Insightful

    Actually - he did bring up some new information which was that RealPlayer displays this functionality as well as Windows Media Player.

  12. Re:That law firm is huge! Check out their WWW site on Pokemon Lawyers Sue Themselves · Score: 3

    My girlfriend is in law school, so I teased her about the "sign up online" form. She told me that these firms bringing class action suits are actually obligated to publicize the case (via newspaper ads, etc.) in order to include all interested / qualified parties so that the subset of people who originally decided to complain aren't privy to "unjust enrichment". It makes sense for the legal system to get as many people as are interested involved up front because if the suit results in a huge award, other parties who might have been eligible will all bring suits of their own. Better to get everyone involved from the start in one large suit rather than twenty smaller ones. She wasn't sure the intention of these policies was to have web-based signup forms, but, hey, whatever. Law on the Internet...

    I'm not too big a fan of this lawyer crap, but I just thought I'd pass on some info that came my way.

    -Dan