General: May 2006 Archives

Why you should wipe the hard drive on any computer you dispose of. Particularly if you're trying to rip someone off on eBay.

http://www.amirtofangsazan.blogspot.com/
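The point behind that link is that deleting files does not remove their contents; the bytes stay on the disk until something overwrites them. The script below is an added example (not from the linked page): it builds a constructed 1 MiB image file standing in for a drive, plants a marker string in it, shows the marker is still readable from the raw image, then overwrites the whole image and verifies nothing is left. Run it against a real block device only from a boot disk, with the device path substituted for the image, and only after double-checking the device name. The file name "disk.img", the marker text and the two-pass (random, then zero) scheme are this example's assumptions, not anything the page specifies.

```sh
#!/bin/sh
# Added example: overwrite-in-place wipe of an image file, with before/after checks.
# Assumes a POSIX sh with dd, grep, tr, wc and /dev/urandom available.
# "disk.img" and the SECRET marker are constructed stand-ins, not real data.
set -e

MARKER='SECRET-CREDIT-CARD-4111111111111111'

# Build a 1 MiB zero-filled image and plant the marker 4 KiB in,
# simulating a deleted file whose blocks were never overwritten.
make_sample() {
  img=$1
  dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
  printf '%s' "$MARKER" | dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Returns 0 if the marker can still be found anywhere in the raw image
# (this is exactly what a buyer with a hex editor or strings(1) would do).
contains_secret() {
  grep -q -a 'SECRET-CREDIT-CARD' "$1"
}

# Overwrite every 4 KiB block of the image in place:
# pass 1 with pseudo-random data, pass 2 with zeros so verification is trivial.
wipe_image() {
  img=$1
  size=$(wc -c < "$img" | tr -d ' ')
  blocks=$((size / 4096))
  dd if=/dev/urandom of="$img" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
  dd if=/dev/zero    of="$img" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
  sync
}

# Returns 0 only if every byte of the image is NUL (strip NULs, nothing may remain).
verify_zeroed() {
  remaining=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
  [ "$remaining" -eq 0 ]
}

# Demo driver, only runs when invoked as "sh wipe.sh demo".
if [ "${1:-}" = "demo" ]; then
  img=disk.img
  make_sample "$img"
  contains_secret "$img" && echo "before wipe: marker is recoverable from raw image"
  wipe_image "$img"
  if contains_secret "$img"; then echo "after wipe: marker STILL present"; else echo "after wipe: marker gone"; fi
  verify_zeroed "$img" && echo "after wipe: image is all zeros"
  rm -f "$img"
fi
```

On a real drive the second `dd` pass is the one that matters for a quick `verify_zeroed`-style check; the random pass is cheap insurance against naive magnetic-remanence claims. For an SSD, in-place overwrites do not reach remapped blocks, so prefer the drive's own secure-erase command.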

As reported by news.com, Oracle CSO Mary Ann Davidson got near a microphone and began pontificating on the state of security.

First she blamed the "culture of patching," saying that software people need to think in terms of safety, security and reliability instead. The commenters at news.com reacted the same way I did. Perhaps she needs to start in her own house first. Critical Oracle vulnerabilities seem to be routine. Yet the communication about the contents of the patches is spotty.

Next she pulled out the security analogy comparing bridge building with software security. I've written before specifically about the bridge analogy here and again just last week here.

Next Davidson gives away her political affiliation by advocating government regulation. Because it's worked so well in other areas. Sigh. Innovation dies with regulation. Costs skyrocket. Look at what HIPAA, SOX, GLB, and FISMA have done. Better security through paperwork.

There is a vulnerability in AWStats allowing the configuration file to be changed.

http://secunia.com/advisories/20164/

A guy I know online got taken in an iBook purchase. Now everywhere he goes, he is reminded of what could have been bought for $800.

I just ran across a post from Michael Howard's blog from March which claimed that security analogies are usually wrong. I'm not sure that I can agree with that statement. He finds that argument by analogy is weak. I don't know his job role at Microsoft, but it seems rather technical and developer oriented. I suspect that if he were in a position to be an evangelist for Microsoft Security with CEOs and I.T. people, he would find that analogies are often the best way to get the point across. With fellow developers/computer scientists the emphasis should be on hard fact, but that doesn't mean you'd talk that way to an end user. They'd be lost in no time. Analogies do help convey meaning to non-technical people. Analogies can also be imprecise.

What would he say when Jesper Johansson spends 15 minutes at a Microsoft Security Summit comparing defense in depth to a castle's defenses? Should Jesper be chastised for using analogies? Of course not.

The one example Michael gives is attacking by analogy, and there I agree with him. When people say "software security sucks, imagine if bridges were built the same way," I think they give away their ignorance about both bridge building and software design.

It's been 5 months since Symantec bought IMlogic. When it first occurred I wrote an anguished cry predicting woe. Let's take inventory and see what has happened.

IMlogic IM Manager 8 was released in the last few days of April. Not bad for having originally been on the books for January, before the Symantec purchase. Of course I don't know for sure that the delays were caused by the Symantec purchase. But I have my suspicions. The good news is the release still has the support for Google Talk and AIM's Rendezvous file sharing server.

The shoe dropped the other day regarding changes to support. Actually it's not quite clear from the letter I received. As I figured, they are transferring support into their "gold" support at the end of your current contract. The thing is, my gold antivirus support does not have a way to create tickets online, I cannot email support, and the knowledge base is kind of annoying. So although the letter says I won't lose anything, it sounds like I will lose features if they make it like antivirus support. I also wonder if there will be a separate IMlogic support group as there is now, or if this skill set will be merged in with the antivirus support people. There are still a lot of questions and I don't know who to ask. The letter from Symantec merely talked about how great things would be but did not offer a way to ask questions. Is support equipped for questions like this? Do I have an account rep? Who knows.

I was also rather worried about integration with Sybari (Microsoft) Antigen. I emailed Sybari today to ask them if they were supporting Microsoft Antigen for IM version 8 integrated with the new IM Manager version 8 that came out two weeks ago. Support did not know! They actually emailed me back that they would download IM Manager 8 and try it out. This does not bode well.

Ben Edelman and Hannah Rosenbaum report that typing the phrase "Free Screensavers" into a search engine is bad news. More than 64 percent of sites that are linked to this phrase will cause you some trouble, either with spyware or adware.

Other troublesome phrases:
Bearshare
Screensavers
Winmx
Limewire
Download Yahoo messenger
Lime wire
Free ringtones

source: http://www.theinquirer.net/?article=31675

So next time you're trying to test the capabilities of your security defenses (whether you're Joe User or whether you're actually evaluating a security product), just google up some of these terms from an unpatched computer. You may even want to click on the "I'm Feeling Lucky" button.

Occasionally people ask how I got where I am. I've been meaning to add an 'about me' but haven't gotten around to it. A question earlier this week reminded me that this post was sitting in my draft folder.

A lot of people are sniffing after information security because they think they smell the green. They see "CISSP average salary $93k" and they think they deserve some of that cash. It was the same thing with Windows systems administrators. People who should be driving a beer truck are instead studying for their MCSE because the ad said they'd make $70 doing that. The flood of paper MCSEs just about destroyed the market for being a Windows sysadmin, and I would guess led directly to some of the security disasters that have occurred in the past 6 years.

So if you're in it for the money, move on. Go train to be an Oracle DBA or something. If you don't truly love information security, then don't waste your time. It's a lot of hard work, and just speaking for me, the salary quotes you see are really high.

There is a common debate on which is best: experience, education or certifications. I read an article about 5 years ago that would answer "all of the above." The article argued that these things are the foundation of a solid career. So pick one and work at it. That's the best way to get ahead.

Another article I read recently on this subject is by Roberta Bragg in Redmond Magazine, "How to be a security babe." You may need to dig it out of the Google cache.

The Spyware Warrior blog reports:

The judge has ordered the operators to give up to more than $4 million in ill-gotten gains. The court also ordered a halt to another spyware operator’s stealthy downloads and barred the collection of consumers’ personal information, pending trial.