Otherwise Occupied
Computing

gregh  2007-10-10 22:55

SQL injection humor isn't funny? That's what I was informed as I was leaving school tonight. Oddly, I laughed pretty good at it. I got it from a Facebook Friend update, with SarahD laughing at it. It popped up on my Planet Identity feed later in the day. Whew. I know I'm not the only one who gets it; in fact, I imagine a good number of my regular readers do. Could be wrong...

However, here's an attempt at humor that fewer will get. It actually popped in my head when I read it, but I forgot about it. Same strip, but I've added a caption:


"Eve, why do cats suck?"

gregh  2007-10-10 10:22

gregh  2007-08-02 13:21

Last summer, ZiefBrief reported that wireless was coming to the library. There was a note in that article: "(Our helpful Law IT staff ask us to remind you that, wireless being wireless, it will never be 100% secure. So please don't use it for your online banking and such!)"

I commented with some of my thoughts about why that was important. Our public networking uses a wildly insecure method for authenticating users and authorizing access. The first, most obvious problem is that no wireless encryption is used. All communications with the wireless network are in the clear, and anyone within range can watch your traffic. Second, there's no authentication of the wireless network; that is, there's no way for the user to know that the "USFWireless" SSID they connect to is, in fact, USFWireless. Finally, because there is no authentication of the wireless network and no authorization at the wireless layer, authentication to the public network happens by means of a jail, which is opened by a form on what appears to be a transparent HTTP proxy.

Why is that a concern? Rather than redirecting the request to an authentication host with an appropriate, properly signed TLS (née SSL) certificate, the request is simply hijacked. Users are lulled into accepting these poorly signed certificates as a regular part of getting online. It becomes second nature to ignore those warnings, and I'm sure many do. That opens up a prime opportunity for a man-in-the-middle attack: even if you send all of your traffic across an encrypted channel, once you reach the point where you simply accept "bad" certificates, you no longer know who is watching your data.

This came to mind today as I was reading this article from the Washington Post. It describes new, automated tools for sniffing credentials from the "wire" and using them to connect to common online services. Similar attacks on USFConnect (the university intranet) aren't hard to imagine. It's never been particularly hard to pull this off; it's just that now folks are demonstrating automated tools to do the job.

And so, this is a gentle reminder to watch the certificates you're granted while you're surfing online. Be careful with the information you send around on insecure wireless networks, and that especially includes relatively public places like the law school. Perhaps one of these days, the IT folks will see fit to strengthen the protections; it's not hard, but the user support can be daunting. For the time being, wireless continues to be unsafe, even though its use can be a calculated risk.
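The hijacked-request problem above has a cheap client-side check: fetch a fixed URL whose response you know in advance and compare what comes back. If the network's transparent proxy has intercepted the request, you get a login page (or a redirect to one) instead, and the client can treat the network as untrusted until it has authenticated. The script below is an added example, not code from the original post or from the university's IT staff; both the "honest" probe host and the intercepting "portal" are local servers it starts in-process, with a constructed probe path and body, so nothing here touches a real network.

```python
"""Detect whether plain-HTTP traffic is being hijacked by a captive portal.

Added example (not from the original post). The probe host, the portal and
the expected body are all constructed for this demo and run on localhost.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import URLError
from urllib.request import urlopen

PROBE_PATH = "/probe"                  # constructed: fixed URL the client fetches
EXPECTED_BODY = b"network-probe-ok\n"  # constructed: what the honest host returns


class ProbeHandler(BaseHTTPRequestHandler):
    """Stands in for the real probe host (constructed, not a real service)."""

    def do_GET(self):
        ok = self.path == PROBE_PATH
        body = EXPECTED_BODY if ok else b"not found\n"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


class PortalHandler(ProbeHandler):
    """Stands in for the transparent proxy: every request gets the login form."""

    def do_GET(self):
        body = b"<html><form action='/login'>Please sign in</form></html>\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(handler):
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_network(base_url, timeout=2.0):
    """Return 'ok', 'hijacked' or 'unreachable' for the network behind base_url.

    urlopen follows redirects, so a proxy that answers with a 302 to its login
    page still ends up delivering a body that fails the comparison.
    """
    try:
        with urlopen(base_url + PROBE_PATH, timeout=timeout) as resp:
            if resp.status == 200 and resp.read() == EXPECTED_BODY:
                return "ok"
            return "hijacked"
    except URLError:
        return "unreachable"


def demo():
    """Run the probe against an honest host and against a hijacking portal."""
    honest = start_server(ProbeHandler)
    portal = start_server(PortalHandler)
    try:
        return {
            "honest": probe_network("http://127.0.0.1:%d" % honest.server_address[1]),
            "portal": probe_network("http://127.0.0.1:%d" % portal.server_address[1]),
        }
    finally:
        for srv in (honest, portal):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The comparison is deliberately on the exact body rather than just the status code: a portal that returns 200 with its own HTML, as many do, would pass a status-only check. It also says nothing about who is relaying your traffic once you have logged in, which is the point of the certificate warning above; the probe only tells you that you are not yet talking to the host you asked for.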

gregh  2007-07-25 20:22

Law.com - First Day of N.Y. Bar Exam Marked by Software Snafus:

Test takers who typed the essays on the New York state bar examination into their laptop computers this week experienced problems saving their work and uploading the files for transfer to graders, the chair of the Board of Law Examiners acknowledged Wednesday.
...
The board suspects that a flaw in the Secure Exam software provided to test takers by Software Secure Inc. is responsible for the computer glitches, said Diane Bosse, chairwoman of the Board of Law Examiners. Even as the board was administering the second day of the two-day bar exam Wednesday, officials were trying to determine how many test takers were affected by the software problems and whether any of their essays would be lost.

Because there aren't enough pressures when taking the bar exam, lousy software also comes into play. Securexam is the same thing we use for our final exams, and even on our limited scale, and even with requirements to do practice tests prior to exams, we still have people with problems.

As I've previously written, I find the whole notion of locking us down somewhat offensive. However, I guess for the bar exam, with thousands of people, policing the situation in a nearly anonymous environment might be near impossible.

gregh  2007-07-24 19:53

Of course, it's easier to blame the technology.

Congress: P2P networks harm national security:

The politicians present Tuesday generally said they believe that there are benefits to peer-to-peer technology but that it will imperil national security, intrude on personal privacy and violate copyright law, if not properly restricted. Both Waxman and Rep. Paul Hodes (D-N.H.) dubbed P2P networks ongoing national security threats.

One would be led to believe this is the only way imaginable to get at this. Meanwhile, Congress all but ignores the spam issue, the bots that exist on computers around the world that allow it to happen, and the myriad other risks to government computer security. The primary risks? Untrained users on poorly secured networks.

There were some attempts at balance and sanity:

Mary Koelbel Engle, the associate director for advertising practices in the Federal Trade Commission's Bureau of Consumer Protection, said her agency has found in its studies of peer-to-peer network use that risks to sensitive information "stem largely from how individuals use the technology rather than being inherent in the technology itself."

But leave it to our elected representatives to be "impenetrable to logic":

Some politicians nonetheless lashed out at the sole representative from a peer-to-peer software company at Tuesday's hearing: Lime Wire's Gorton, who is also CEO of parent company Lime Group.

The most scathing criticism came from Rep. Jim Cooper (D-Tenn.), who launched into a lengthy monologue in which he deemed Gorton "one of the most naive chairmen and CEOs I've ever run across," and accused his company of making the "skeleton keys" that grant access to material harmful to U.S. national security.

"I'd feel more than a shade of guilt at this point, having made the laptop a dangerous weapon against the security of the United States," Cooper said. "Mr. Gorton, you seem to lack imagination about how your product can be deliberately misused by evildoers against this country." (Cooper also, at one point, claimed that Gorton's own home computer was probably leaking sensitive documents.)

Gorton no doubt rubs his hands together coolly each day thinking, "All your tubes are belong to us." Apparently the main things missing from this hearing were some moronic platitudes from Chertoff.

I really only see one solution: shut down this Internet experiment. Just flip the switch on it. It's endangering our national security, leaving no other realistic choice.

gregh  2007-05-10 07:47

SILICON VALLEY USERS GUIDE: How do I get my sysadmin to do anything?:

No one sets out to be a professional systems administrator -- do you ever see kids wearing toy pagers playing sysadmin? For those fluent with computers but uninterested in writing huge software programs, it's a pretty good job. Except for the part where they have to deal with you.
...

  • Say hello. Even when you don't need something. You say a big Hi to the pretty lady at the front desk every time you pass. Why not treat the tech guy the same? Sure, he doesn't say anything back. Don't be fooled. Sysadmins are like cats -- he won't acknowledge you, but he's mentally keeping score.
  • Don't question what he does all day. Systems administrators are like firemen and cops. If you don't have a couple of bored ones hanging around, you'll be sorry when there's an emergency.

Much of this is just a caricature of sysadmins. However, the most important points here, which management overlooks time and again in nearly every organization, are that there is often no visible work output from what we do and often we're working even when it may look like we're not. It's important to remember that it's when it seems we have nothing to do that we're doing our jobs best. Trying to fill that "underutilized" time simply prevents the ongoing smooth running of operations.

gregh  2007-03-09 08:05

I'm sitting here at the BCLT symposium on Copyright, DRM Technology, and Consumer Protection. Tom Rubin from Microsoft, who recently made a name for himself by attacking Google, is now speaking, trying to draw analogies between physical protection and DRM.

For instance, he cites the account/payment requirement to read WSJ online content as a form of DRM. I suppose there's some validity to that comparison. However, it should be noted that once a user logs into the WSJ online, there are no further restrictions on the use of that content. There are copyright and user agreements, sure. But that's different. He suggested library circulation policies as an analogy, except that that's a limit on physical resources, and once users have physical access, fair use again comes into play.

gregh  2006-08-16 14:30

When Online Crooks Advertise:

Just how big is this cyber crime problem? Grasso said the FBI estimates that cyber crime cost the United States alone more than $67 billion last year. That means online criminal gangs like Carderplanet are carting off about $183 million worth of stolen U.S. goods, services and identities each day, or about $7.5 million every hour.

And yet, the government seems perfectly content to let the problem grow.

We don't have meaningful action to prevent identity theft. There's no comprehensive legislation that helps those who are victims to recover. There are no penalties for those who irresponsibly manage identity information.

What's the government's response? Things like Real ID, which will only worsen the problem, and NIEM, which aims to make it easier for identity information to be exchanged between government agencies and private industry.

Hang on to your hats. And maybe they should be made out of tinfoil.

gregh  2006-08-13 06:29

Because we get lots of University of California news at work, I read random articles about things going on there. I know that some of the numbers (SAT and high school GPA) floor me at times. Newsweek has a series of articles from Kaplan on colleges. I'm certainly pleased to see Carnegie Mellon University listed as a "New Ivy." Then, there's lots of talk about other aspects of college admissions in 2007. I particularly liked the notion of the ACT putting the SAT out to pasture. I did particularly well on the ACT, and only pretty well on the SAT, and I always felt that the ACT was just a saner test.

Of course, the last time I took either exam was, I guess, 18 years ago. (Whoa!)

Anyhow, one of the articles uses the huge increase in application numbers to support the notion of something they're calling "Prestige Panic," a concept any law student can understand:

From 1994 (the recent low) to 2006, the increase is 28 percent. Still, 64 percent of freshmen attend schools where acceptance rates exceed 70 percent, and the application surge at elite schools dwarfs population growth. Take Yale. In 1994, it accepted 18.9 percent of 12,991 applicants; this year it admitted only 8.6 percent of 21,000.

They do mention that there are more high-schoolers now than there were then. And certainly, it strikes me that people are more obsessed with mastering the entrance exams than we were back in the late 80s, and I assume the early 90s. Heck, the standard practice for SAT and ACT prep for me and my friends was to buy a prep book, set it on our shelf, and look at and think about doing some practice exams here and there.

What this article seems to completely ignore between 1994 and 2006 is the rise of the Web and other technologies that have made college admissions much easier. When I was applying to schools, I had to take paper applications down to a Kinko's, rent a typewriter (gasp!) and type my college applications. I applied to exactly one school (Stevens Institute of Technology) that allowed for electronic submissions. How did that work? You used a modem and a terminal program -- at 1200 baud -- and called up a computer system they ran and entered all of your application information that way.

When Emily was graduating from high school and applying to colleges, she was able to buy a CD that filled out many parts of her college applications for her. A major service now appears to be CommonApp, which is supported by nearly 300 schools. Even schools that don't support CommonApp (MIT's a notable) have online admissions procedures. Using a computer to prepare an application is a whole lot easier than using a typewriter.

Do high school students today even know what a typewriter is? My contracts professor made a joke about IBM typewriters one day in class, and I think Stan and I were the only ones who laughed. I figured most of my classmates weren't sure IBM had ever really made typewriters.

That's beside the point. I can't help thinking that a huge reason for the increase in applications to schools like Yale, while maybe in part related to "prestige panic," is also that it's far easier to submit a college application today than it was in 1994. That makes shopping for prestige much easier than it used to be.

gregh  2006-07-21 07:43

Bruce Schneier and Marcus Ranum go point-counterpoint on certifications.

Schneier provides a less than overwhelming endorsement:

Security Certifications:

In the end, certifications are like profiling. They work, but they're sloppy. Just because someone has a particular certification doesn't mean that he has the security expertise you're looking for (in other words, there are false positives). And just because someone doesn't have a security certification doesn't mean that he doesn't have the required security expertise (false negatives). But we use them for the same reason we profile: We don't have the time, patience, or ability to test for what we're looking for explicitly.

Profiling based on security certifications is the easiest way for an organization to make a good hiring decision, and the easiest way for an organization to train its existing employees. And honestly, that's usually good enough.

Ranum counters:

Information Security magazine (Jul 2006) : Face-Off:

Certifications are great if you're lazy and ignorant and want to stay that way. If you're a hiring manager and you're too lazy to review a candidate's résumé, understand its contents and perform the difficult task of thinking whether his qualifications fit your needs, just hire the guy with the alphabet soup after his name.
...
The bottom line is that, regardless of whether a candidate is certified, a smart interviewer needs to know enough to judge if a candidate is the right person for the job. In fact, a smart employer is always going to check references and evaluate a candidate based on past accomplishments--only one of which may be successfully cramming for an exam.

I've long fallen very much in the Ranum camp on this. I have precisely zero professional certifications in my current line of work, despite the ready abundance of certification opportunities. However, as I was chatting with one of my professors the other day about career prospects, I noted that while I've long eschewed certifications in my current (tech) career, I now find myself staring at a career that oftentimes seems obsessed with them. It's certainly obsessed with the ability to "successfully [cram] for an exam."

For instance, it's been suggested to me that it would be useful (and lend an air of credibility) for me to be admitted to the Patent Bar. Fine. Except I don't qualify right now. What's more, most people filling such positions (or at least asking for such qualifications) also seem to want a technical degree. Fine. Except I don't have one. And so, lately, I've been pondering a second B.S. in computer science so that I can have both a technical degree and sit for the Patent Bar exam. All, essentially, for certifications.

Or, I suppose, to make myself more certifiable.
