tssci security

We really wouldn't need a security industry

if everybody was honest with themselves and others. If people didn't break into other people's houses, bank accounts, commit acts that are criminal and deprive (or take advantage of) others' rights, we wouldn't need security. Remember the days you could leave your front door unlocked? Whatever happened to taking people at their word? Nowadays, you need contracts and a bunch of legal hoopla to communicate with one another.

Recall "risk" -- threat x vulnerability x asset value. Take the threat out of the equation and you no longer have a risk -- nobody would care to take advantage of it. Take the vulnerability out of the equation (like Bruce Schneier did) and you have a completely secure system. What's the most practical way to lower risk? Eliminate the threat or remove the vulnerabilities? We can't do both 100%, so what Schneier is suggesting is unreasonable and impossible. The best we can do is work with law enforcement and the justice system to remove the threat as best we can and, through improved processes, create systems with fewer vulnerabilities.

" ....as long as people are involved, security threats can never be completely eliminated" - Viktor Cherkashin, KGB officer

20 years old and [in] security (part 1)

A thread that has gotten some attention and even sparked some bloggers to tag each other with their own stories, I thought I'd post my own "how I got started." I'm twenty years old and my area of study since I graduated high school has been network security. I wasn't always into network security; in fact, up until the later half of high school I didn't care for computers much, if at all.

I loved to ride bikes -- especially bmx, hitting dirt jumps and grinding some rails, causing trouble for security guards, etc. I was pretty good at it and didn't know what I'd do if it wasn't for my bike riding. In ninth grade though, I broke my leg while fooling around doing some tricks; fibula, tibia, and ankle all in one shot. This put me on crutches for a good four months, and I had no idea what to do with myself... So I took up computer gaming.

Having just hooked up cable internet at my house, my friend Luke turned me onto Counter-Strike. We played for hours at a time -- gaming became an addiction. I wanted faster hardware, so I started doing research online for a new processor, motherboard, graphics card, etc. I started overclocking my system, wanting more and more from it. Instead of gaming, I started playing benchmarks like 3DMark2001 just for fun, to see how high I could get my score.

In tenth grade (2001), I tried out Linux for the first time. I think it was Red Hat 7.3 that I installed on my old IBM Aptiva 200MMX. What's funny about this machine is that when we first got it back in 1996, a couple of weeks later my father came home from work and asked me if I wanted to try out some operating system called Red Hat Linux. I replied "nah dad, everyone runs Windows and we should stick with that." Heh, I kinda wish I went with it and tried it... who knows what I'd be doing today?? Anyways, I used to frequent car forums and one day a girl posted asking us to vote for her in some bikini competition. Well, Chad and I took a look at the code behind the poll and in five minutes we had a BASH script voting a hundred times a second for her. Within a half hour, the girl went from last place to first by a huge margin. The guys on the forum thought it was them that inflated her results, but we just kept it to ourselves. It was pretty cool and funny at the time.

By now I started my junior year of high school, and my first year of Cisco Networking Academy Program (the second year it was offered at my school). We had five Cisco 2501 routers and two Cisco Catalyst 1900 switches to play with, along with a bunch of old 386's running Windows 98. What a drag, but we managed.

In my senior year, the classroom had a wall put up in the middle and we moved our lab across the hall in the tech ed teacher's old office. We had newer (486's) computers from the computer typing class and we installed Windows 2000 on them. Our school IT administrator had a shit fit when he found out it was a pirated copy, and made us uninstall it and put legal copies back on. We thought he was going to have a stroke right there, his vein in his forehead popping out and face all red and sweating. LOL, take it easy buddy!

Two weeks later, our teacher said he had some "bad news" for us, and our lab was being turned into an in-school suspension area. This meant all our hard work setting it up had to be torn down and moved back into the original but now cramped classroom. Once we settled back in, we had balsa wood houses from the architecture classes sitting on top of our routers and computers. Morale hit an all-time low in the class; everyone was burnt out from the recent events. I didn't want to touch another computer again. The rest of my senior year in Cisco Academy wasted away while I did what I had to do to just "get by." I never did take the CCNA afterwards. I regret that a lot.

Part Two will detail college life and what I've currently been doing.

How to Be a Security Idiot

So, I was wading through all the garbage on digg today and came across Jim Rapoza's 12 Ways to Be a Security Idiot. It got me thinking about all of the dumb and insecure practices that I saw while I was working for the City of Tempe here in Arizona. Also, I'm having a bad day with Firefox 2.0.0.3 crashing every few minutes while I am trying to get some work done and figured this would lighten the mood a touch. Here is Jim's list and a few extras from us here at TSSCI. I encourage you all to post your 'How to Be a Security Idiot' stories, comments, etc.

  1. That stupid firewall thing is so annoying. Life is so much easier with it turned off.
  2. That big laptop harddrive is great, everything on there is important, but don't worry about encrypting the data because you'll never lose the laptop.
  3. Those Internet kiosks sure are handy eh? Let's access our bank accounts and company webmail systems. Hey, there's a long lost friend from school, let's go say hello. The next guy that comes along will surely log me out of my account being that the world is full of such trustworthy people right?
  4. Your response to questions about anti-virus is 'Of course. I use RightGuard.' Anyways, if you don't go to porn sites you can't catch viruses anyway =p
  5. Hrmm, looks like something's wrong with my Paypal account. Odd, this email they sent me doesn't look like the others I've received. Microsoft removed spellcheck from Outlook and the message is in all capital letters. Let's login and see if we can't fix this.
  6. Woohoo! A Nigerian prince wants to give me a bunch of money and all I have to do is send him a few grand. Ha! Marcin and I had this happen before.
  7. Look, someone you've never heard of sent you an email that says 'Checkout this awesome game!'. Let's open it since everyone knows that a complete stranger would never do you any harm.
  8. My password is 'password'. When I used to change it from 'password' I wrote it on my monitor so that I wouldn't forget it. When an application comes with a default password, it must be a good one if they felt the need to include it, so I just leave it alone. Also, my other favorite passwords include '1234', my birth date, my name, and my favorite color.
  9. Patches? There's no holes in the screens on my Windows. My TV doesn't require updates, why should my computer? After all, isn't a computer just a more intelligent television set?
  10. WoW! This site is full of advertising and strange letters at the end of the URL but golly! doesn't it have some cool software available for free to download. And what harm can a Scarlett Johansson screensaver do?
  11. Wireless networks are so convenient. Nothing like checking my Wells Fargo account balance from my friendly neighborhood Starbucks. No reason for WEP/WPA or disabling file sharing without a password. My Linksys do-hicky has to be broadcasting this SSID stuff huh for it to work; after all it is wireless right? Hey, that car sure has been parked out in front of my house for a long time.
  12. So, zerocool calls and wants my user information so he can login to my account and install some new software. Kevin's the IT guy but this zerocool dude seems to know what he's talking about. Go ahead zerocool, my username is idiot and my password is password.

Our additions:

  1. When I go on a smoke break or bathroom break I leave my system unlocked. No one at my company would ever do something malicious to my system.
  2. Nothing beats the convenience of removing the security code from my cellular phone. I've never had my phone lost or stolen so it's not necessary.
  3. I care soooo much about my system's uptime, so I haven't rebooted to apply a patch since the 2.4 kernel was released. But hey, all my friends on IRC think I'm sooo cool because my system's been up since 1999.
  4. Aren't those 'Get a free Ip0d SiT3s' great? Just give them all your personal information and then wait for the UPS guy. No, for real, it's not a scam.
  5. Bots!? The only bot I have to worry about screwing something up is my Roomba harassing the family dog.
  6. Those 'Remember me on this computer' checkboxes are just so convenient. 'If you're not James, click here'. Well, I'm not James but I wonder if there's anything cool in here. Let me check quick.
  7. Our IT guy is sooo sick of answering tickets in Remedy that he emailed everyone the admin passwords so we could login to the local machine and change things ourselves.
  8. Cops have a sense of humor right? I've never seen so many Flash videos with malicious code in them as I did doing data migration for the police department. Why does everyone need the 'You Don't Know Jack Schiddt' video anyway?
  9. You forgot the guy's password in the cube next to you and can't find his Post-It note under his keyboard? Just call the helpdesk, give them the username, and they'll reset it to 'water'. No need for a callback or anything like that, that stuff's not for government offices anyway.
  10. Redact with Confidence. Make sure you draw black boxes over your PDF files and then distribute them like that. No one in a million years would think to CTRL+A and copy/paste into a text editor. Also, using the highlight feature in Word is really good for redacting right? Just highlight in black and no one can ever see the text.

Today's Lucky Numbers are...

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

CSUM Ratings

Good stuff. I just find it hilarious when people watch CSI or all these other movies and think hacking or recovering data off a hard drive is so flashy and cool. Or better yet, completely retarded.

It's a UNIX system! I know this!

Cookie to the first person who gets the answer (and no cheating!) :P
