Thursday, July 21, 2005
Thanks to Boing Boing for letting me know about this.
Wednesday, June 29, 2005
Berks-Mont Newspapers - Kutztown Area Patriot - 06/23/2005 - 13 teens face felonies: "06/23/2005
13 teens face felonies
By: Dan Roman
Thirteen Kutztown Area High School students are facing felony charges for tampering with district-issued laptop computers.
According to parent testimony and confirmed by an otherwise vaguely-worded letter from the Kutztown Police Department, students got hold of the system's secret administrative password and reconfigured their computers to achieve greater Internet and network access.
Some students used the newfound freedom to download music and inappropriate images from the Internet.
(Via BoingBoing.)
Okay, once again people are getting out of control with punishment for security violations.
I would like to first point out that "50Trexler" is a horrid password. No special characters, and it is more than likely someone's last name. So the school administration's security is already weak before we look at the students' poor behavior. The students took advantage of their administration falling down on the job - no one was obviously looking at access logs, auditing the computers, or even tracking administrative access over the whole year. I notice daily if someone new has attempted access on my network. Handing a tool to someone and then not teaching or monitoring the usage of the tool guarantees that the user will figure out other ways to "play" with the tool.
I am not defending the students' behavior. Was the student behavior right? No! Is it a felony? Well, let the RIAA decide that one - they like to prosecute old ladies and children. It's like having a substitute teacher in the classroom - you know to a certain degree things are going to fall apart - we all look for human weakness and try to use it to our advantage - high school students do this on a daily basis.
As a security auditor I notice regularly that even if you hand someone a written policy you are never guaranteed compliance. However, if you demonstrate to the user that there are reasons for the policy and that you are going to monitor their usage regularly, you have a smaller percentage of people abusing the policy. In my eyes the school dropped the ball - the students picked it up and played a game or two. The administration should have stopped the behavior at the first instance and enforced the violation with a solid slap on the wrist - jail might be a bit extreme. Even the RIAA just tries to make you pay for violations - helps float the music companies that were robbed at gun point.
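As an added example (not from the post), here is a small check that encodes the two complaints above: the password itself, and the absence of anyone reviewing administrative logins. The surname list, the log line format and the IT host names are constructed assumptions, not anything from the school's systems.

```python
import re

# Constructed stand-in for a surname dictionary (assumption); a real check
# would load a proper word/name list.
COMMON_SURNAMES = {"trexler", "smith", "miller", "jones"}

# Constructed list of hosts from which admin logins are expected (assumption).
IT_HOSTS = {"it-desk-01", "it-desk-02"}

# Constructed admin-login log: "<date> <time> <account> <host> <event>".
SAMPLE_LOG = """\
2005-03-01 08:02:11 admin it-desk-01 login ok
2005-03-01 22:41:03 admin student-lap-117 login ok
2005-03-02 07:55:40 admin it-desk-02 login ok
2005-03-02 23:10:15 admin student-lap-042 login ok
"""


def password_findings(pw: str) -> list[str]:
    """Return the policy problems with a candidate password (empty = none)."""
    findings = []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    classes = {
        "lowercase": re.search(r"[a-z]", pw),
        "uppercase": re.search(r"[A-Z]", pw),
        "digit": re.search(r"\d", pw),
        "special": re.search(r"[^A-Za-z0-9]", pw),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if missing:
        findings.append("missing character classes: " + ", ".join(missing))
    # Strip digits bolted onto either end and see whether a surname remains.
    core = re.sub(r"^\d+|\d+$", "", pw).lower()
    if core in COMMON_SURNAMES:
        findings.append(f"core '{core}' is a surname with digits bolted on")
    return findings


def unexpected_admin_logins(log: str) -> list[tuple[str, str]]:
    """Flag admin logins from hosts outside the IT staff set."""
    hits = []
    for line in log.splitlines():
        date, time, account, host, *_ = line.split()
        if account == "admin" and host not in IT_HOSTS:
            hits.append((f"{date} {time}", host))
    return hits


if __name__ == "__main__":
    for finding in password_findings("50Trexler"):
        print("password:", finding)
    for when, host in unexpected_admin_logins(SAMPLE_LOG):
        print("review:", when, "admin login from", host)
```

Run on its own the script reports three problems with "50Trexler" and two admin logins from student laptops that nobody would have seen without reading the log.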
Friday, May 06, 2005
Please remember no catfish has lips to harm nor do the people of North Carolina like to equate themselves at the lower social status of those from the armpits further south.
I ger-ron-tee that there are those of a different upbringing than me that will point out North Carolina's own mistakes in not being able to determine whose side it was on during certain 'portant battles of these here 'Nited States. To those I remind you that we still drink and eat our Budweezer and Moonpies or for the youngins RC Cola same as you folk do.
Gosh I sure do miss home.
Thanks to Boing Boing for the link.
Monday, May 02, 2005
So I started playing with it as soon as I walked in the door of my house - my wife's comment was something like, "you are more proud of that new laptop than you were when you got your little girl last year for father's day!" She's wrong, I love my little peaches but hey I am a geek and this is a brand new powerbook.
I didn't get Tiger - the guys at the store convinced me to hang on, and I agreed with them. Some great articles about Tiger have been in the news. The best being the Ars Technica article. I have read it three times and have finally gotten a solid understanding of what's going on underneath the hood. I like articles that make me think about how things work. I also picked up a copy of Mac OS X Panther for Unix Geeks. I'm not sure I am a unix geek, but this book has shown me how to do things the mac way that I commonly do on all my other *nix boxes.
I have also installed SubEthaEdit, Fink, Ethereal, iTerm, iPodder, and NetNewsWire Lite. All of these programs are shareware utilities. My powerbook was more valuable to me in about 2 hours of work than the usual 4 hours of work it takes me to get my Windows XP boxes ready to go. Plus none of the utilities I installed cost me another arm and a leg, the way Microsoft's do.
To understand what I mean check out the article I mentioned about comparing Apples to oranges-Dell. That article had a follow up today comparing Apples to IBM Powerbooks.
I am noticing things I need to do some research on: .png files not showing up correctly in Safari, some ASP pages don't behave correctly under Safari or Firefox, blogger.com editor doesn't have all the options in Safari, have to convert old exchange to mbox then import into mail to import finally into entourage.
I will keep you updated as the machine joins my family of 9 other pcs. We counted them at lunch today.
Oh it already made a friend in my wife. I took my son's first soccer game, edited it with iMovie, and then burned it to DVD with titles using iDVD (5 copies, grandparents, and a dear friend, and of course a copy for mom and dad) all in about an hour. It made up for my sudden infatuation with a piece of warm aluminum.
Friday, April 29, 2005
Monday, April 25, 2005
Then again the birds have friends in high places, well on the tail of Frontier planes I saw some penguins. Wonder if they are related?
Friday, April 22, 2005
... I've spent some time doing research on ID Theft that's happened since December '04 and came up with the following...
DSW: 1.5 million
Bank of America: 1.2 Million
San Jose Medical Group: 185,000
California State University: 59,000
Boston College: 120,000
George Mason University: 30,000
Delta Blood Bank: 100,000
UC Berkeley: 98,000
SAIC: UNKNOWN NUMBER
UC San Diego: 3,500
So then we throw in Ameritrade and a professor at UCB and we are approaching 4 million and 1 ID thefts in the first quarter of the year. Guess we can only get better from here. Right?
I have a huge respect for college professors. I look to them to be wise and all knowing (hey it's my dream and I can believe what I want.) However, what logic was the professor applying when he thought - hmm let's put all this research I do, and some IPO information, and well anything that is super secret all on this laptop and leave it sitting on my desk after class.
Yes, I know I am a bit biased because I work at a security company. I know that I commonly apply to all my laptops things like a BIOS password, a system password, and PGP disk. I also don't leave my laptop laying in public places - I fundamentally don't trust people.
Maybe I should call him and see if he wants a security assessment? Or he could just go on the web and find something easy to follow like this: Laptop Security Guidelines. I really like the one about a cable lock the best ;-)
It will be interesting to see how this story plays out.
Thursday, April 21, 2005
Another note I have discovered my Technorati ranking is 1,113,718. I am thinking this is probably bad. It also appears that no one cares what I say, because I have no links. A friend of mine Phil Windley, actually the whole reason I found out about Technorati, must be super high on the list as when you search his name you get about a million hits. Does this make me invisible? Do I matter? Am I matter?
I have a couple of new posts in the next day or so. Recaps of two different security meetings I attended. One is on Web Application Security and the other is on Incident Response and Digital Forensics. Maybe someone will care.
I have added a new little ticker on the right - courtesy of Symantec. It is a kind of interesting look at what is going on in the security world.
Tuesday, April 19, 2005
I am interested in seeing a database that has remote probes scattered across the internet colo'd at prime target destination subnets collecting and analyzing inbound traffic. The model looks like a worldwide IDS, learning about new traffic and attacks as they are being assembled. The idea needs some more work. Just rolling it around in my head at the moment.
Thursday, April 14, 2005
Patricia Titus currently reports to the Chief Information Officer at the Transportation Security Administration in Washington, DC, in the capacity of Chief Information Security Officer and Director of IT Security. Her duties have been to develop and implement a new IT Security Office for TSA. She also reports to and works for the CISO at the Department of Homeland Security. Prior to joining TSA in April 2002, Ms. Titus was assigned as a Technical Advisor to the Deputy CIO at the Department of Treasury. Since joining public service in March 2000, Ms. Titus has been assigned to various emerging technology projects and has worked extensively on enterprise network security projects. Prior to public service Ms. Titus worked in small start-up companies within the DC metropolitan area as Vice President of Sales and Marketing. She spent several years in the Information Technology industry in various capacities. Prior to this she spent 13 years living overseas on duty with the US State Department, Department of Defense and Swiss Government.
Okay so now you know who she is - here's what she had to say:
Patti had several points she wanted to convey to the crowd. Among the points she touched on was Homeland Security Presidential Directive/Hspd-12, a policy for a Common Identification Standard for Federal Employees and Contractors. Basically the problem has come to light that there exist "Wide variations in the quality and security of forms of identification used to gain access to secure Federal and other facilities where there is potential for terrorist attacks need to be eliminated. Therefore, it is the policy of the United States to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees)." Patti discussed the need for implementation of better biometric solutions, PKI infrastructure etc. She however did not comment on where the money was going to come from to finance these cool new gadgets for the government.
As a previous user of biometrics this intrigues me - during a normal week I encountered no less than 20 false readings for a simple fingerprint scanner that allowed access to the lab I worked in. If we are going to utilize this technology in the government we really need to make things work - the common worker will not tolerate having to scan their finger 3 or 4 times every time they try to enter a room.
There was a brief discussion concerning IPSonar, enterprise software that consists of several interrelated discovery processes that find routes and routers, hosts, servers, wireless access points, operating system information, unauthorized connections or hosts, and perimeter leaks. This included how an intern was the one who actually deployed the initial testing launch of this program and how the resulting report of holes led to the report being labeled - TOP SECRET - ONLY THOSE AT THE TOP CAN SEE THIS -
This is discouraging news to me. I would hope that our government would be running toolsets by now that allow them to accurately discover and gauge the risk that their network has to the outside world. To have an intern (Hats off to her for pointing out the silliness) come in and throw a product on the network that so accurately describes where water is pouring from the dam is not confidence-building for those security geeks who pay attention to these things.
We learned some interesting things about the TSA's luggage machines - no wonder I get yanked all the time - I must be getting the guy who isn't punching the threat button fast enough.
Patti discussed the convergence of CIO and CISO positions in the enterprise market. I agree with her on this one - the CISO position had little chance of survival in my eyes; typically you are stepping on the CIO/CTO's toes and something has to give. I will be curious to see whether we actually see the CISO blend with the CFO position. The advent of SOX puts the financial department on the hook for non-compliance, with jail sentences following quickly behind that.
Patti left with a few thoughts, reminding us that We Do Not Negotiate with Terrorists, Cyber or Real! She also said something that made me wonder how soon till we see someone hunt down a "cracker" and put a bullet in him for cracking their systems.
All in all a very interesting speaker - I had an opportunity to have dinner with her the night before her speech and was happy to meet someone who was candid about her role within the current administration, the political appointees and what was right and wrong with our current behaviors.
Tuesday, March 08, 2005
So I am sitting in Fado's - Chicago. It's an Irish pub that has free wireless, so I can sit and work all while drinking a pint of Guinness. Very few things can get better than that in my opinion. If you happen to be in the neighborhood of a Fado, I would recommend the Guinness Stew - good home cooking, and to wrap things up, you guessed it, Guinness Ice Cream.
If you get a chance, try to end up in Brie's section - she doesn't own a computer but she really digs bloggers. Yes, I used dig, and no, I didn't ask for her number; my wife doesn't share well with other children.
Now on to other things...
I registered for my CISA exam recently. This should be interesting. If I pass, and I plan to, I will have what the industry is considering the top two certifications going: CISSP and CISA. The next thing I have to figure out is what I want to be when I grow up. If you have any ideas let me know. Registering for the exam cost me a quick 500 dollars and then another 250 for study materials - somewhere I hear warning bells going off. The test is offered once a year, so I had better pass or suffer the abuse for the next twelve months.
And in other news...
Finally we have a virus for mobile phones. It uses Bluetooth and MMS messages to replicate itself. I wondered how long this would take, ever since I started using the Audiovox 5600 (the same phone Scoble and crew love so much - side note: I had mine before Scoble got his - nanner nanner). It is based on Windows SmartPhone so I know it will be the next platform for attack.
Firewalls' False Sense of Security
I have argued for both sides of this issue. A majority of the time I find that the deployment team behind the firewall believes that they have mitigated all future damage because of their firewall deployment. Conversations then lead to IDS, IPS - I have no idea where it will end - I do know that every time a new stop is added someone will look for a new way to get over the bump.
Now back to my regularly consumed beer.
Thursday, March 03, 2005
It was a great trip - a yearly 'boys' trip that has several interesting characters, including: Rick aka 'the Founder', Chuck aka 'Chuckles/Chuckalafucas', Andrew aka 'the Scotsman', Chris aka 'Mr. Goodlookin' and myself Ward aka 'Big Daddy'.
We had a wonderful time, there was good snow - nothing fresh - that didn't show till the last night and we got 7 inches of fresh powder - wanted to extend the trip by one more day for some pow pow but instead I got on the plane and flew back to Denver.
Squaw's new village - looks very similar to Whistler (why change a good thing?) - could use some help. As I said I was there for 5 days - while the mouse is away from the kitty he can play with other mice. We stayed exactly 22 feet from the Squaw one lift, and about 100 feet from the closest bar - yet - the nightlife was horrid.
I have lived in ski towns before - I remember the 1 woman to 12 guy ratio, and this was expected but I grew up in a more lively town smack in the middle of the bible belt - one bar closed at 9 pm on Sunday night. The drive thru liquor store the next county over in North Carolina would have still been open. Needless to say - the experience was repeated night after night for the entire weekend.
So I say to the intrawest guys - figure out beyond copying the buildings, how to create the same nightlife experience you have at Whistler or start preparing yourself for continued disappointment at Squaw.
On a side note - the little breakfast place at the end of the village - two wonderful waitresses (Bunny and ????) and one great owner (Lisa) made the week a little better.
Tuesday, February 22, 2005
Friday, February 18, 2005
Using the GUI to access the network card was doing next to nothing. If I added DNS entries they did not show up in the resolv.conf file; if I clicked it off, the file did not modify upon receiving a DHCP update.
Using the GUI, I could never create a default gateway, I had to add a default gateway via the command line. This should also be learned via the DHCP packet.
So basically somewhere in the process of the system/kernel update DHCP got screwed up. I can only grab a DHCP address, I don't appear to learn anything else from the DHCP packet - although firing up Ethereal shows that the information is contained within the packet.
I am not sure whether I really want to troubleshoot any deeper or whether I want to chunk the machine and try again. I would prefer to run Fedora; I know the OS better and seem better able to dig around within the file structure, but then the company I am working for has their tool ported to SUSE. Argh, choices.....
Tuesday, February 15, 2005
Where things went wrong - I decided to patch the box - patching is similar to having your teeth pulled.
I began the patching process, everything appeared to go correctly, and then I did the reboot as I had also told YaST to upgrade my kernel. Well, everything appeared to be working, so I decided to browse the web. It didn't work. It took me a couple of tries before the onboard ethernet grabbed an IP address. I still can't browse the web. I grab an IP address but DNS doesn't appear to work. I hard code DNS entries, still nothing; disable firewall, still nothing. Threaten to toss the laptop out the window, still nothing. So I am left with an upgraded SUSE 9.2 Professional that can't speak to the internet.
I used YaST, a tool that always leaves me wondering what is really going on under the hood. A lot of people have commented on the effectiveness of this tool. I miss some of the tools that RedHat has in comparison. I am going to have to take things apart now.
So where does this leave us? This points to the underlying problem with why there aren't more Linux desktops - the complexity. I don't mind getting under the hood, but then my dad handed me a lawn mower engine when I was a kid so that I could understand how motors work. Most people want things to work, straight up. I didn't have that experience; in fact I mumbled under my breath at one point that I was either going back to Fedora or FreeBSD over the weekend. Why? They work, I have had little to no problems with upgrading them, and when I patch them things keep working. I also know that the whole problem could be somewhere between the brain and the keyboard. ;)
Thursday, February 10, 2005
Friday, February 04, 2005
I got back to Colorado on Sunday night, started the new job on Wednesday and was told on Thursday to pack my bags, I would be in Chicago for the next month. Needless to say the wife wasn't exactly happy with me and well, I was a bit disappointed myself. I was looking forward to being home for a few weeks; I was even beginning to enjoy changing the little girl's diapers. Oh but the life of a consultant requires some sacrifice and so I must head off to Chicago in February.
I am diving headfirst into the world of VISA CISP and Sarbanes-Oxley. Should be fun, finally going to use that silly CISSP for something useful.
Monday, January 31, 2005
I leave my responsibilities in very capable hands. Right now I am sure he is questioning the logic of accepting my position but I believe he will find a strong supporting staff and make his name known. If you or anyone you know is looking for a job as a senior network engineer or sysadmin please contact DynamicCity or Dave.
I managed to get in one more CTO breakfast before skipping town. Phil as always is a wonderful host. If you find yourself in the area during one of the scheduled breakfasts please take the time to attend. I will be trying to schedule my own trips back occasionally for them.
It was nice to talk to people at the breakfast and discover that they understood my decisions to move on from the project. They understood that occasionally you stop growing in your position and you either need to get out or continue to be miserable. This led to some interesting discussions.
A vast majority of people are stuck in jobs, or towns, or situations where they don't ever leave. They continue to live with the pain, whether real or psychological, and do nothing about it. The worst case is our own perceptions of jobs - we call something we hate to do a job and then moan and whine about having to do it. When you start having problems getting up in the morning to go to the office then you need to stop and evaluate what the real problem is. Are you no longer happy where you are? If that's the case, can you fix it from the inside or should you be moving on? I tried to fix my situation, didn't like the band-aids applied and decided it was time to move along. People don't do that - they live with the situation and allow it to eat them from the inside. Silly people!!!!
My new contact info is available for those that want it. Try my google mail wardspan at gmail.com and I can forward it along to you.