Diary of a Network Geek

Pardon the pun, but I hope it got your attention.

If you’re like most people who read this blog, you probably have at least one laptop.  Now, it may run Windows or Mac or even Linux, but, you likely have one and you wonder what might happen if it gets stolen.  Wonder no more.

Now, there’s free, Open Source software called Prey, hence the pun, that will track your stolen laptop.

So, I’ve been thinking about getting yet another professional certification.

I’ve been a Certified Novell Engineer for about fifteen years now.  In fact, I upgraded that cert three times after initially certifying back in 1993.  In 2003, I got the CompTIA Linux+ certification.  All at more or less my own expense.  Now, I haven’t heard anything about Novell updating their certification requirements lately, but I suppose it might happen one day.  I don’t think I’ll pay to re-up that cert, though.  I haven’t really used Novell in any significant sense for about five years now, so there’s not much point in maintaining it.
The lack of continuing education requirement is one of the things I liked about getting the CompTIA Linux+ certification.  One test, one cert, for life.  It seemed like a good idea to me, a good investment.  About the time I ended up getting divorced, I gave up on studying for the CompTIA Security+ certification.  There seemed plenty of time.  Well, as it turns out, there may not be after all.

Earlier this year, CompTIA announced that there would be continuing education requirements for several of their certifications.  Well, the great mass of IT professionals raised such a hue and cry about it that they modified that stance somewhat.  We not have until the end of this year to get the certifications if we want to escape the re-up requirements.  That goes for the A+, the Network+ and, yes, the Security+ certifications.
So, it looks like I’ll be buying the Exam Cram Security+ book and, probably, investing in the SelfTest Software pre-exam study software, too.  It’s not that big an investment monetarily, but I suspect it will be a little more difficult to knuckle down and study to take the test.  I haven’t worked at that sort of thing for quite some time now, and I’m almost afraid I’ve forgotten how!

Of course, the real question is, in a way, whether or not it’s even worth getting the certification at all.  I mean, it just sucks me even deeper into the bottomless pit that is the IT profession.  It’s a never-ending treadmill of oppressive hours and thankless work that few people truly appreciate.  Of course, it does pay pretty well.  And, it does beat digging ditches.  Most days.
Naturally, my hope is that the Security+ certification will make me more marketable in the long-term, should something happen to my current job.  Not that I think that’s likely, but still, it never hurts to be prepared.  And, frankly, security is going to continue to be a big issue going forward, so getting this particular certification surely can’t hurt my resume any.

Over all, the investment is small for the potential return.  And, it will probably do me good to stretch my poor, feeble, little mind to work at something like this again.
Besides, I may know a beautiful, young college student or two who could help me study.
Stranger things have happened!

Stop laughing.

Okay, so this is totally no joke. Marketing people now use sex to sell absolutely everything. Even hacking. Yes, over at SexyHacking.com they have hot chicks dispensing computer security information and techniques. Really. And, apparently, they were supposed to be at Blackhat, one of the big security conferences in Vegas, this year, too.  Not sure if they actually were or not.
Well, thank you, to the Security Monkey for pointing this out to us.

So, sex sells. Go figure.
(Oh, and don’t forget, today is “Talk Like A Pirate Day“.)

Make yourself a safe room.

Hurricane season is upon us. Do you have a safe place to weather any storms in your house? Well, if DuPont has their way, you will. They’ve got this new system/product/”thing” that they’re rolling out to the public with the help of the Home Depot called the DuPont™ StormRoom™ with KEVLAR®. It’s for both new construction and existing homes, though I’d imagine a retrofit would be much, much more expensive. And, if you add optional plumbing, they say you can use this space as a “panic room”, too.

Years ago, I bought a book about doing this yourself called the Secure Home. At the time, of course, my ex-wife thought I was crazy for even thinking about it, but now, here’s a big company who’s doing it for a tidy profit.

Advice from your Uncle Jim:
"Forewarned, forearmed; being prepared is half the victory."
   --Miguel de Cervantes

Okay, not quite the whole city…

Have you been reading about this network administrator in San Francisco who was keeping key passwords secret and holding the city’s fiber network hostage? Yeah, well, he gave them up to the mayor today. And, you know what? I bet there are a lot more companies in this situation than realize it.  Okay, maybe they don’t have to worry about being taken hostage by a disgruntled employee, but they may have someone who holds key information for their network that no one else has.  And, of course, if something happened to them, well, that company would be in a bad spot.

I, for one, always try to plan for being gone. You know, in case I were trapped under a rock, hit by a bus, or, oh, I don’t know, died of cancer.   And, I’m not the only one.  So, if you want to protect your business, plan for your network administrator to fall through a figurative manhole.
Don’t let what happened in San Francisco happen to you and your business!

Advice from your Uncle Jim:
"As long as you're green, you're growing; as soon as you're ripe you start to rot."
   --Ray Kroc

In this case, it’s a hard drive crusher.

Once upon a time, I was in charge of a networking department who’s responsibilities included backups and disposal of old tapes and drives. We had to do all kinds of crazy things to assure the Board of Directors that the data had been completely and safely removed from those drives before we could get rid of them. At one point, a tech was actually drilling through backup tapes with an electric drill to make sure they were destroyed.
The Hard Drive Crusher from EDR would have been an easy sell.

And, if we’d gotten it? Techs would have been fighting for the privilege to destroy old backups.

Oh, and don’t forget to vote in the poll!

No, not really.

So, there’s obviously been quite a furor about this new law here in Texas that apparently requires anyone doing any kind of computer forensic work to get a Private Investigator’s License. Now, one of my favorite computer security bloggers, Security Monkey (aka The Chief) of A Day in the Life of an Information Security Investigator, has a blog entry about this. His sources in Texas have a different, more relaxed, take on this law. They seem to think that it’s only going to effect professionals doing investigative work for a third party. I think they’re wrong.
As at least one other commenter on A Day in the Life of a Computer Security Investigator pointed out, no matter what the lawyers think and say, only a judge sitting on a case can really interpret the law. And, only after that precedent is set can anyone say what the law covers and doesn’t.
Based on the Slashdot story about someone getting charged with a felony for using a fake name to sign up to MySpace, it seems like this is going to be an important step in the process. I mean, until that all important precedent is set, there’s no telling how people will try to use this new law.

As I wrote here the other day about this far-reaching law, I think it’s just another example of the sad state of our legal system. Laws like this have effects that are much, much further reaching than the bill’s author intended, and it’s ripe for abuse by our overly litigious society.

Advice from your Uncle Jim:
"If you want to lift yourself up, lift up someone else."
   --Booker T. Washington

Me, or my provider?

When a hacker does something to someone on the Internet, who’s responsible? Just the hacker? What about the company that supplied him with bandwidth? Or the company that supplied the computer that he compromised to effect his hack? If you haven’t thought about this, you probably should. This article on Wired News talks about that some. It’s a couple of weeks old, but still quite relevant.
See, it’s like this. The Feds are cracking down on security. Or, at least, they allege they will be soon. In any case, there are a number of bills and suggestions and commissions and whatever else the government uses to get things done floating around out there talking about making executives who’s companies don’t secure their networks liable for the damages done. Neat, huh? Say, are your security patches up to date?

Okay, so this is a very scary bedtime story.

“Once upon a time, there was a hard-working network security admin. His company ordered a security audit, and he thought it was a great idea. Then, the evil network security auditor/outsourcer told his company that the security admin was the weakest link in their network security. So they fired him.”
The only reason that’s scary is because it’s also apparently true.

So, is it just me, or does stuff like this keep you up at night? Now, if you’ll excuse me, I think I need to check on that resume in the oven…

Why did it take over a week for me to find this?

I guess Micro$oft is keeping it mum, but there’s a pretty major security issue with their Exchange versions 5.5 and 2000. It seems that if any guest accounts are left open, they can be exploited by spammers. Usually, a guest account is set up as a default mailstop for anything that doesn’t have anywhere else to go. But, spammers can use these accounts to send out their own e-mail with their own agenda. There’s an article about it on CNet News.
But the thing that disturbs me about this is that they seem to have known about this for sometime. They just didn’t feel the need to publisize it very much. Kind of ironic for a company that’s offering a “bounty” for the virus writer that came up with Slammer and the like. It’s also hard to believe that they’re really getting behind the whole idea of tightening security on their products when they let something like this slip! Ah, well, what can you expect from a company run by a college drop-out with a police record?