One of my wordles was used…

One of my Wordles was used here.

Information Security Wordle: PCI Data Security Standard

My Home Windows PC Security…

…culled from tweets.


I meant to write this for some time. I just never got around to it. I felt moved to tweet the bare-bones notes earlier today.


I will replicate those here.


– Avast for AV http://bit.ly/8bcLxX

– I try to separate out my on-line life as Purpleslog from my real life as XXXX. http://bit.ly/oE15sU

– I have and use a cross-cut paper shredder http://amzn.to/rhzXeM

– I don’t use my own email client. I use GMAIL for Purpleslog and Yahoo Email for XXXXX for their anti-malware

– Secunia Personal Software Inspector for Application patches and updates http://bit.ly/DW9u

– I have MS Updates set to auto-download. I require it to wait for me to install. http://bit.ly/LncO

– I have the MS Firewall turned on. http://bit.ly/9MArC

– OpenDNS for some further AV and malware screening – http://bit.ly/lYju1o http://bit.ly/a66DUI

– Browser extension WOT – to give warnings of malicious web sites http://bit.ly/dHANri

– Browser extension Adblock Plus to reduce ads and ad-based malware http://bit.ly/fKVAIL

– Browser extension Flashblock to curtail unexpected Flash http://bit.ly/eJtzuo

– Browser extension HTTPS-Everywhere to force more SSL/TLS/HTTPS usage http://bit.ly/aZvj4e

– I use Foxit as my PDF reader. I don’t use Adobe’s. http://bit.ly/oAycMG

– Choose good passwords. Don’t re-use across systems. I use Password Safe to contain them. http://bit.ly/aqnaeB

– For my home WiFi, I use good and long passwords. http://bit.ly/cNpJoJ http://bit.ly/lqJSlJ

– Secure Zip http://www.pkware.com/software/securezip/windows

I’ll add Mac OS X stuff in the future (TBD).


Anti-Spam Lawfare

It sounds like some Computer Scientists…

A team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, and they think they have found a ‘choke point’ [PDF] that could greatly reduce the flow of spam…If a handful of companies like these refused to authorize online credit card payments to the merchants, ‘you’d cut off the money that supports the entire spam enterprise,’ said one of the scientists. [Link]

…has caught up to my thinking…

Often much of the cost of an information security incident falls not onto the party that is responsible for providing the Security but onto third parties. While the enterprise/individual that has the incident may incur costs, much of the cost of this InfoSec externality is put onto others (organizations/individuals/taxpayers).

What is lacking is proper incentives. By incentives I do not mean government regulations or criminal statutes.

I mean money. Getting money is a good incentive. Avoiding losing money is a good incentive. Not having your Balance Sheet, Income Statement, and Cash Flow Statement be affected by information security loss is a good incentive.

What is needed is Information Security Lawfare.

If an organization or individual deploys information technology in such a way that normal best practices are not followed (read: Duty of Care) and it is subsequently used as part of an information security incident, those affected by that information security incident should sue for a Tort Remedy. [link]

Why leave Lawfare just to the bad guys?

For Joseph Fouche

Does Python have a counter?


via Slashdot

Cyber Security – APT – Advanced Persistent Threats – Capture Phrase…

…from here [The bolding is mine]:

Unlike traditional malicious attacks that occur over a number of minutes (days to weeks at most) and result in a demonstrable system payload, APTs are far more subtle. There is no single event to indicate compromise; the threat is made up of a number of small activities occurring over a long period of time, often up to 18 months.

The challenge facing security experts is that many of these small activities will not raise any alerts. APTs often include a degree of social engineering, with malicious individuals getting information from phone calls or looking up web addresses as a starting point for finding creative ways to gain access to systems, or they use people within the organisation to plant malware components within the system.

These small actions will not stand out from the millions of events occurring on an IT infrastructure every day – they get lost in the crowd. Even if they are noticed, they may be viewed as low risk when compared with traditional security threats, but in the era of APT these low-key events need to be considered differently.

Is there a trend in activity? Could this action actually provide a route into other company assets, such as financial information or intellectual property? Is this small event part of a larger scheme?

What does that sound like sort of? Hmm…

(old found draft post) CyberWar – Ref Links

Apr 26, 2009 @ 12:05

I will return to the topic of CyberWar sometime in the near future.


Robot News (links – no post)

I was going to write a post on this a long time ago. Instead, I just follow this blog – robots.net. So, I am dumping these links. I may write on robotics now and then.


Found While browsing: The Terak

I followed a stray thread while browsing on the internet and re-found the Terak.

The Terak was the microcomputer I used in my first college programming class – CS302 Honors Intro to Computer Programming (using Pascal). While I had done some programming with BASIC on Apple IIs and a DEC PDP-11, this was my first “real” programming class.

Found at the informative http://www.threedee.com/jcm/terak/ :

It is an early personal computer made by the Terak Corporation of Scottsdale, Arizona. It was sold from about 1979 until 1985.

One of the first models was the Terak 8510/a shown above. It was based on the popular PDP-11/03 processor, a 16-bit CPU. The Terak 8510 could have as much as 128K of RAM with the PDP-11/23 option. For storage, it has big eight-inch floppy drives that go klunk-klunk, in IBM 3740 format, holding roughly 256K, 512K or 1 meg each. Hard disks of five to forty megs were available. The Terak featured both RS-232 and 20 milliamp current loop serial connections, so you could connect to the printers and teletypes of the time. The keyboard included a numeric keypad and arrow keys arranged in a vertical column.

The Terak was advertised as a “Graphic Computer System.” It featured a monochrome 320 x 240 square-dot display and relatively advanced video features such as a purely bitmapped display, allowing a customizable character set, the mixing of text and graphics on the same screen, and raster operations like continuous smooth panning and scrolling. The system included a twelve-inch composite video monitor. It even had programmable sound and a two-inch speaker. The main system box was robust metal, weighing about forty pounds.

Wait, WTF?

The Terak was popular for teaching Pascal to college kids. As such, all the oldsters who were in college then and used this computer have a great affection for it, meaning they can no longer remember how slow they were.

Oldsters? F*cking whippersnapper.

Anyways, I like how the author of the above got his:

I have several Terak 8510/a and hundreds of floppies. I bought the first one in 1990 for about $25 at a University of Wisconsin–Madison Surplus equipment sale. At one time, the UW had about a dozen Teraks in the computer science and math departments, including about eight that were available to students in entry-level programming classes.

Netbook Purchase?

I am thinking about buying a netbook to replace a long dead laptop. Any suggestions or counter-suggestions?

Reference: Intro to Programming for Kids aka Growing a Young Computer Geek

Phrogram
http://phrogram.com/Default.aspx
Not BASIC, but it looks interesting. Designed for kids.
Intro Book for Kids: http://www.amazon.com/Phrogram-Programming-Absolute-Experience-Technology/dp/1598634437

ALICE
http://www.alice.org/

Alice is an innovative 3D programming environment that makes it easy to create an animation for telling a story, playing an interactive game, or a video to share on the web. Alice is a teaching tool for introductory computing. It uses 3D graphics and a drag-and-drop interface to facilitate a more engaging, less frustrating first programming experience.

…and…

Alice is a teaching tool designed as a revolutionary approach to teaching and learning introductory programming concepts. The Alice team has developed instructional materials to support students and teachers in using this new approach. Resources include textbooks, lessons, sample syllabuses, test banks, and more. Other authors have generously joined our efforts, creating additional textbooks.

BASIC-256
http://kidbasic.sourceforge.net/

BASIC-256 is an easy to use version of BASIC designed to teach young children the basics of computer programming. It uses traditional control structures like gosub, for/next, and goto, which helps kids easily see how program flow-control works. It has a built-in graphics mode which lets them draw pictures on screen in minutes, and a set of detailed, easy-to-follow tutorials that introduce programming concepts through fun exercises.

PYTHON:
http://python.org/
http://wiki.python.org/moin/BeginnersGuide/Overview
For Beginners:
http://wiki.python.org/moin/BeginnersGuide
http://wiki.python.org/moin/BeginnersGuide/NonProgrammers
http://twitter.com/JosephFouche/status/2107482644
http://twitter.com/JosephFouche/status/2107549825
http://pyrorobotics.org/

SCRATCH
http://info.scratch.mit.edu/About_Scratch
http://scratch.mit.edu/

Scratch is a new programming language that makes it easy to create your own interactive stories, animations, games, music, and art — and share your creations on the web. Scratch is designed to help young people (ages 8 and up) develop 21st century learning skills. As they create and share Scratch projects, young people learn important mathematical and computational ideas, while also learning to think creatively, reason systematically, and work collaboratively.

Other BASICS:

Script Basic
http://en.wikipedia.org/wiki/ScriptBasic
http://www.scriptbasic.org/home/

Real Basic
http://en.wikipedia.org/wiki/REALbasic

Basic 4GL
http://en.wikipedia.org/wiki/Basic4GL
http://www.basic4gl.net/

Free Basic
http://en.wikipedia.org/wiki/FreeBASIC

Oracle buying Sun Microsystems

So, Sun Microsystems will be no more.

I used to admin lots of Sun servers which were acting as various types of internet application servers or network operations servers. They were good solid Unix servers. Their apps were pretty good too. The rise of Linux running on Intel platforms took care of their fat profits (yeah capitalism).

I am not sure what Oracle and its shareholders get out of this. Bigger, yes. Better (more profitability), I imagine not.

Answer: “I will blow a hole in your eardrum with the power of my voice if I have to”

Question: What did Purpleslog just yell at an ISP vendor this afternoon?

Found On You Tube: A Complete “Intro to Computer Networking” Class

You can watch the courses in turn here.

Here is the first lecture:

They have lots of engineering classes here.

A reminder of why companies need to block outbound SSH

Noted in a comment at SlashDot:

One day, I set up a PPP over SSH tunnel between my home computer, and my desktop at work. Transferring large binary files from my office network to my home computer was much closer to the original 3Mb/s speeds.

There is no legitimate reason for the above. It would be a great opportunity for a malicious insider (e.g. to transfer proprietary data, to bypass access controls) or just a dumb-ass insider (e.g. to get around content filters).

Some sub-set of internal users may need SSH access to the organization’s servers that might be past the firewall. The right thing to do is to have firewall rules that support that explicit user group and their destinations.
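One way to audit firewall logs against that explicit-group policy, as an added example that is not code from this post: the key=value log format, the admin subnet, the server allow list and the tunnel thresholds are all constructed assumptions.

```python
"""Flag outbound SSH flows that fall outside an explicit allow list.

Added example, not code from the original post. Log lines are constructed in a
simple key=value form; the allow list models 'that explicit user group and
their destinations' from the post.
"""
import ipaddress
import re

# Hypothetical policy: only the admin subnet may open outbound SSH, and only
# to the two managed servers outside the firewall.
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.5.0/28")]
ALLOWED_DESTS = {"203.0.113.10", "203.0.113.11"}
TUNNEL_BYTES = 50_000_000    # sustained bulk transfer hints at a tunnel
TUNNEL_SECONDS = 3600

# Constructed sample firewall log (one allowed flow per line).
SAMPLE_LOG = """\
action=allow src=10.0.5.3 dst=203.0.113.10 dport=22 bytes=48213 duration=41
action=allow src=10.0.7.22 dst=198.51.100.9 dport=22 bytes=812000000 duration=7200
action=allow src=10.0.5.4 dst=198.51.100.9 dport=22 bytes=1200 duration=5
action=allow src=10.0.7.30 dst=203.0.113.10 dport=443 bytes=5000 duration=3
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+) duration=(\d+)")

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport, nbytes, dur = m.groups()
    return {"src": src, "dst": dst, "dport": int(dport),
            "bytes": int(nbytes), "duration": int(dur)}

def check_ssh(rec):
    """Return policy findings for one flow; empty if it is not SSH or is fine."""
    findings = []
    if rec["dport"] != 22:
        return findings
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in ALLOWED_SOURCES):
        findings.append("source not in SSH-allowed group")
    if rec["dst"] not in ALLOWED_DESTS:
        findings.append("destination not on SSH allow list")
    if rec["bytes"] >= TUNNEL_BYTES and rec["duration"] >= TUNNEL_SECONDS:
        findings.append("long high-volume session: possible tunnel")
    return findings

def audit(log_text):
    """Map 'src->dst' to findings for every SSH flow that violates policy."""
    results = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (findings := check_ssh(rec)):
            results[f"{rec['src']}->{rec['dst']}"] = findings
    return results
```

The hour-long, high-volume flow from 10.0.7.22 is the PPP-over-SSH pattern from the quoted comment; the 443 flow is ignored because the check is scoped to SSH.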

1234567890

For Unix geeks and number freaks from the ISC Handler:

Today is Friday the 13th, and also the day when we reach the symbolic 1234567890th second of Unix time.  This will occur at  11:31:30pm UTC on Feb 13, 2009.

A quick note: To see when this time is going to occur in your localtime:

perl -e 'print scalar localtime(1234567890),"\n";'

Fri Feb 13 21:31:30 2009

It should be less “scary” than the Mayan Apocalypse.

I am being abused by Verizon mentally

Verizon, you suck.

I am on-hold right now with the Verizon Business technical support super secret escalation number.

I am being abused by their on-hold music.

It is playing a disco/techno instrumental version of Stairway to Heaven.

Why would a business do this? Do they want their customers to hate them more?

By the time I am brought off hold, I will be pissed off and ready to fly off the handle at the Verizon guy for abusing my ears and not just because they have not been able to fix service (for 7+ days) to one of my remote sites.


I like to think he is singing “Verizon, you can suck my…”

“For the past five months, Amanda’s Medicaid payments have been delayed because of problems at the Wisconsin Department of Health Services”

It is being blamed on the computer system:

Officials within the state agency acknowledge they’ve had trouble with a new $64.2 million computer system that handles Medicaid services. Glitches with the automated system caused a backlog of claims, preventing the state from processing some prior authorizations for therapies and medical equipment.

The agency has been unable to process about 10% of its claims for prior authorization within the 20-day time period required under state law. Some requests have taken four times longer to be approved.

As a result, about 2,500 people who use Medicaid have been left wondering when, or if, they’ll get approval for things such as physical therapy, a new wheelchair or leg braces to help them walk.

I don’t know anything about how this system was designed, programmed and deployed.

I do wonder if it was contractors or State IT workers doing the project.

When I was getting near to graduating from college many years ago, the economy wasn’t so great. Just to be safe, I took some State IT civil service exam. A big part of the exam was on programming in COBOL. COBOL is a business programming language used almost exclusively on IBM mainframe computers. I was a CompSci major programming mostly in C (also Pascal, assembly, Fortran, Lisp, Common Lisp, and Prolog). We didn’t go near COBOL.

My COBOL knowledge came from flipping through a roommate’s girlfriend’s COBOL book the night before the exam while talking and watching TV.

I ended up second or third on the State list. I never took a state job and I went to work doing IT for a defense contractor in what turned out to be an ideal environment for a first job.

Let me say, I was a very good programmer.

However, if I can place really high up on a State list for programming in a language I know nothing about (to this day I have never even logged into a mainframe), what does that say about the quality of the State IT programmers?

Grace Hopper – Navy Chick and a major mover behind COBOL

“The key to OB1, retired U.S. Air Force Gen. Eugene Habiger tells Waterman, is the “separation kernel, a piece of software guaranteed to keep the different networks separate.”

Well, this should get hackers and foreign cyber militia fired up. It sounds like they are just using software virtual machines. I think there could be problems.

There is nothing like a good challenge and a profit motive to fire up hackers

Is VisiCalc responsible for the Current Financial Crisis? (“On the Bailout” Series)

John C. Dvorak thinks so. He makes an interesting case.

Where are the old programmers?

In PaulDotCom episode 133 there was a throwaway line about “where are the old programmers”.

You don’t see too many, that’s for sure.

I was burned out after 5 years of programming professionally (preceded by 8 years in high school and college). The group I was in was young and after 3-6 months I was the de-facto chief programmer (e.g. setting the standards and practices, building the common use libraries, training/mentoring the newbies, checking code quality, helping on all the hard/weird/odd problems). For me the way out was Systems Administration, Network Engineering, Security Engineering and some Project Management.  I still use my programming skills somewhat in ways that make me a better IT infrastructure engineer.


What I think happens to most programmers is that they become:

– Project Managers

– Business Analysts
– IT Managers

– IT Infrastructure specialist (Systems, networks, security, databases)

– On the fringes as IT trained analyst but in operations or supply chain roles

– Out of IT completely

Are there other current or former IT folks out there? What’s your story?

Link: Network Cheat Sheets

http://packetlife.net/cheatsheets/

Unfortunate Typos in IM while at work

Sometimes my bad/lazy typing has a cost, as in this business IM I made a few minutes ago:

The cocks look fine to me now. How do they look to you?

Yikes.

I will be keeping a low profile at work for the next couple of hours. I was referring to Clocks (network/IP based time clocks run at our branch offices).


“Sometimes a typo is just a typo”

ISP Employees Suck – The ATT Edition

I am trying to order ATT uVerse service (really Very High Bit Rate DSL) for a site to replace a Comcast connection that has just never worked (don’t get me started on Comcast).

The ATT person has the address and phone for the business location.

It is not in the ATT business system.

So we are SOL.

Me: “Can you call someone?”

ATT: “No”.

Me: “Is there like an application support number for the application internally at ATT?”

ATT: “No”

Me: (mild laughing noise)

ATT: (Silence)

Me: “So you are saying you don’t want our business? There is no way for you to take our money.”

ATT: “Well…”

Me: “Come on, this is silly. There has to be a way, who can you ask for help on…”

ATT: “Sir, I am trying to help you! Please hold.”

The above was all 10 minutes ago. I am still on hold. I suspect I will remain on hold. I am never to be picked up again.

It is too bad. If this had worked out, I would have moved as many sites as possible from Comcast and TWC to ATT uVerse. Now, I will most likely not bother ever again – or at least move very slowly on any future change for a different site.

Many American companies just don’t want to succeed. Maybe they can survive for now, but competitors and entrepreneurs will chip away at large unresponsive companies until they collapse (for the overall good of society at the expense of shareholders and employees).

The aggregate of little decisions made every day by people like the ATT person I am talking to matter to companies. Employees who don’t care will in the future find their jobs in jeopardy and poor performing (quantitative, qualitative) employees are weeded out.

Ending to the story: ATT is going to call me back in a few days. And no, they don’t have a ticket number for me. I will be surprised if they call me.

TWC just sucks as a Business ISP

I have been getting the run-around on issue(s) for going on a week now. Nobody in the organization (technical, managerial, national accounts sales) wants to take ownership. They fling me around from group to group.

Escalations to management are repaid with petty slowdowns/refusals of support on other issues by folks working for that management tree. Internal paperwork issues are treated by the national accounts teams as oh-wells.

Note: My company is not small. We have hundreds of broadband sites through TWC and use them for pipes for our main facilities.

They do not deserve to survive a competitive business market. They would not be able to act as they do in a competitive business market.

Never Choose TWC (Time Warner Cable) as a Business ISP

You will regret it.

Weird work emails that are making me giggle at 7am

I have lots of emails from bosses and bosses’ bosses about moving forward on the “Cox” plan.

Things like “Ditto on the Cox”, “Cox works for me” and “let’s move on the Cox”.

I know it is stupid and juvenile, but I can’t stop laughing…I hope nobody hears me! Luckily it is pretty early in the office.