I realized I have let this site sit postless longer than I like, so I figured I would throw out some quick ‘life related’ information while I am working on some future articles.
I received word that my tumor/cyst was NOT cancerous and my mouth is healing nicely. Thanks to everyone who wished me well.
After five years of being engaged, Missy (aka Gryphn) and I have finally set a wedding date. We are hoping to have a very small shindig so don’t feel slighted if you are not invited. 🙂
In a future blog look for the following topics.
Windows Vista, a Security Analysis
Security Basic Training: Business Continuity
Security Basic Training: Windows Forensics and Incident Response
Top X OS X Penetration Testing (Hacking) Tools
Oh ya, and I am in the process of tweaking this new layout. How it looks as of this post is not how it will look when I am finished. Also look for updates to all of my static pages and all of the software I have written available for download.
I had my surgery last Thursday. I was prepared for the worst and was hoping for the best. My surgeon had prepared me for the “50% chance that your jaw will break during the procedure”.
Luckily everything went fine. He said by looking at the cyst that it didn’t look cancerous. We will know for certain around Thursday when the biopsy results are in.
The cyst side of my mouth doesn’t hurt at all; the side that was on the nerve hurts like the dickens. I have stitches sticking out the side of my mouth and am taking antibiotics 4 times per day like clockwork (I have to wake up in the middle of the night for one of the doses). I am also on extra strength Vicodin, which I don’t particularly care for. It kills the pain, but I get a queasy feeling in my stomach and feel distant. It’s especially not fun while at work.
Above you can click on the 2nd set of x-rays I received. They should give you an idea of how crappy my teeth were.
I had a visit to the oral surgeon today. I fully expected to hear that I had to have all four wisdom teeth removed (the bottom two are horizontally impacted); I didn’t expect the news I left with.
I was referred from the oral surgeon to an Oral Maxillofacial Surgeon. I was told that my right bottom wisdom tooth is on the nerve and that extraction may result in temporary to permanent numbness of my tongue, chin and right side of my face and that my left wisdom tooth has a cyst (or tumor) on the bone.
All in all I am very uneasy and nervous about the whole thing. Best case I have two horizontally impacted wisdom teeth removed in a hospital and my headaches go away. Worst case I have no feeling in my chin, tongue and/or face and a cancerous tumor.
Not at all how I hoped this wisdom tooth thing would play out.. but.. umm… at least they will be gone?
Mid-Term election voting is today. If you do not plan on voting… shame on you. Everyone should vote.
I’m hopeful for this election. I believe that our government has been too one sided for longer than our country has been able to stand. It’s hurt us a great deal as a nation. I’m not saying that putting democrats in the same position would end any better. Because of this, it’s my hope that some balance is restored. I want the disenfranchised ~50% to have a voice again and I want checks and balances restored. I also believe it’s important that the republicans ~50% have a voice.
Preliminary polling and talking with random people of different walks of life all tell me that the VAST majority of people either agree with me, or just want to see the republicans stripped of control. Despite this I am still very afraid. I’m afraid because during both presidential elections we heard rampant stories of vote fraud, disenfranchisement and voter intimidation. In today’s election we also throw in the threat of vote hacking. Black box, closed source voting machines with no paper trail. How serious of a threat is this, really? Please take the time to view this Princeton study regarding the inherent problems with the Diebold systems. I believe you will be as worried as I am.
Information Security is a game of tradeoffs. The most common way these tradeoffs are represented is the CIA Triad. It is often visually represented as a triangle with the three tenets (concepts, principles, whatever) written across each side. Then, as the security of your project is being evaluated, a dot will be drawn on each side of the triangle relative to the (evaluator’s perceived) level of each tenet.
In most cases the goal is to find an absolute balance so that the evaluation of your proposed security solution has dots in the exact center of each of the three sides. The idea is that as security (confidentiality and integrity) is increased, the availability (usability) will go down. In cases that require high security, this is absolutely acceptable.
The triad is broad and flexible enough that it can generally be used to gauge any product, project, problem or system. Because of this, the three tenets can often mean different things in different situations. I will explain them in the most general terms that will apply to most situations, but be aware that this is in no way exhaustive.
Confidentiality: Confidentiality is all about keeping things that are supposed to be secret… well… secret. Safeguards that would fall into this category include cryptography and anti-spyware. Attacks against confidentiality include sniffing, key logging and cryptanalysis.
Integrity: In the world of information security this is most generally likened to authentication. Non-repudiation is essentially what this one is all about. This can mean either proving you are who you say you are or proving that a file has been unaltered. Other examples of how integrity comes into play in information security include code signing, file checksums, logins and biometrics or using PGP to digitally sign emails.
Availability: When most IT administrators think of the word ‘availability’ the first term that pops into their head is ‘up-time’. To be available is to be accessible by users. While that is still true in this case, it is also only a very small part of the availability definition. This is the one that often gets pushed lower as integrity and confidentiality get pushed higher. Availability can also be thought of as usability: how easy or hard is it for the end user to utilize your system?
Examples of situations in which you could benefit from using the CIA triad range from a user requesting to use their personal laptop at work to individual pieces of a new password policy.
A good example that was recently presented to me was the ballad of Bob (obviously not his real name). Bob works for Company A and Company B (obviously not the real companies, either) and splits his time between both with his laptop. Bob physically works from both offices and needs to access resources on the Active Directory domain of each company. Unfortunately, no trust relationship exists between these two domains.
The IT staff came to me with this dilemma and had three possible solutions; they wanted my input on which is the most ‘secure’.
Solution 1. Set Bob up with a network account under each Active Directory domain and have him log in to whichever one he needs access to at the time. Although he may be physically working from Company A, he will likely still need to access resources from Company B and vice versa. Although this will allow both companies to stay in line with their security policy regarding expiring passwords and maximum password age, it introduces problems with file synchronization and having to log in and out multiple times per day. Bob would likely perceive this to be a pain in the butt.
Solution 2. Create a local profile on Bob’s laptop and have him manually map to the resources he needs access to and set his passwords to never expire on both domains. Bob would likely really like this solution as it involves less work and inconvenience for him. As you can see from the associated figure it would bring accessibility up on the triad while increasing the risk due to no password expiration.
Solution 3. Because Company A and Company B are both bound by internal and industry regulations regarding maximum password age, a third (hybrid) solution was developed. This involves Bob working from a local profile (as seen in solution 2) but having to log into each domain once per password cycle to change his passwords before expiration. As you can see by the figure, this provides an acceptable level of risk and accessibility.
From the above example you can see that, even if you aren’t an information security professional, knowing and applying the CIA Triad is a good way to evaluate technology choices and serves as a visual way to back up your decisions to management. Without much explanation management grasps why you would want the balance in the picture and will be more willing to follow your advice.
The topic sounds a little like one of those spams I get 300 of per day. But seriously…
About three months ago I stepped on a scale and found myself weighing in at a whopping 193 pounds. This was the heaviest I have ever been. I was in the worst shape of my life, hands down. I looked round and felt like crap. So I decided to do something about it. I stopped eating more than I needed, I started eating good foods (no more McDonald’s, for God’s sake) and started exercising daily.
After three months I am down to 164 pounds, went from a 37″ waist to 33″, feel great and am starting to look ripped again.
My goal is to drop 10 more pounds, keep myself around 155 pounds and begin competing in full contact mixed martial arts. I will be going back to Muay Thai and Brazilian Jiu Jitsu to shake off the fighting rust.
I tell ya, I should have done this months and months ago. I feel awesome.
‘I give up’ is not a phrase you will hear from me all that often. But I just can’t take any more. Novell has me at my wit’s end. I can’t believe people use this with any sort of reliability.
Throughout my months of toying with it I have had issues and stopping blocks with each and every component. Some servers require many, many components to effectively work.
Here’s a brief run down of just a couple of the annoyances:
Updates and patches come rapid fire (about two per day) and often leave the system broken. I have had them cause dependency issues each time I have applied them. This will do crazy stuff, from switching the physical network card that eth0-2 are assigned, to outright breaking NSS. In fact, every update I have run broke NSS. You just can’t have that in a production environment. Technically you could script an auto-updater, however, per Novell support “Automating the updates might have its own risks […] because of that, rug doesn’t have a --force option the way RPM does.”
Things that should be done by installers must be done manually. A great example of this is having to manually enable remote administration of a GroupWise server. For example, you need to share out /usr/local/gw using samba. But first you have to install and configure samba. Essentially all the docs say on the subject is to ‘install samba’. Not ‘Download package X, install it using command Y, tweak this directive in X.conf, and so on’. So I installed Samba from source. After struggling to get it integrated into the eDirectory I discovered Novell-Samba. Who knew, they just said ‘Install samba’.
The install process for the OS and packages drives me insane! The OES cd set consists of 10 CDs. During the initial install you are asked to supply almost all 10 CDs in varying order and you have to re-insert a number of them multiple times. It also asks for the Suse Core 2 CD2 and 3. Which end up being the Suse Linux Enterprise Server disk 3 and 4. I figured that out just out of desperation and feeding it random CDs.
The documentation is lacking. It assumes that all Novell customers are intimately familiar with Novell terminology and technology (see previously mentioned GroupWise/samba example).
GroupWise acts as an open relay by default and no settings changes will help that. Users hate the GroupWise client, and the Outlook plug-in makes Outlook buggy and slow. The cross platform GroupWise client (Linux and Mac) is really bad. The only way to remedy this is to purchase an expensive third party app.
I purchased the only (at the time) official Novell Press book for Open Enterprise entitled “Open Enterprise Server, Administrators Handbook, Suse Linux Edition”. Being the only official book I assumed it would be comprehensive and cover anything and everything relating to OES. What I found was that it is entirely based on a pre-release version of OES and a large number of important things have changed since it was published. In fact, a couple of things the book tells you to do regarding updates will break an otherwise happy server.
Overall I would just like Novell to hammer all these things out, test thoroughly and make the docs useful. Don’t assume everyone using the product is a 15 year Novell-Netware veteran.
Well, not really. This time it was only my debit card.
I received word, last Saturday evening, from my bank (National City) that my debit card had been used for a ‘card-in-hand’ transaction at a gas station in Canada (they made a physical card containing my debit card information on the back strip). The woman from the bank asked if I had been in Canada earlier that day. After telling her that I was at home all day she informed me that my card number had likely fallen prey to the recent rash of debit card information thefts.
From what I was able to gather from previously reading about this, a number of merchants illegally retained debit card PIN information and the information was subsequently stolen and used all over Canada and Europe.
The woman from the fraud department at National City informed me that the transaction had occurred about an hour earlier, that she saw no additional fraudulent transactions (I verified with my online account view), that my card had been frozen to prevent further charges and that the bank maintains a no-liability policy. In other words I was not responsible for the transaction in any way. She asked that I stop by a branch and fill out an ‘Affidavit of Fraud’ and said that a new debit card was being mailed first thing Monday.
All in all I was very impressed with the quickness of detection and the fact that they took the initiative and corrected things. They turned what could have been a disaster into only a minor inconvenience.
I am, however, unimpressed with the fact that government still has not passed any law that will hold the vendor(s) accountable for allowing the information to be compromised. I am certain that once a law of this sort passes, the frequency of these sorts of incidents will drop like a stone.
The number of articles about this whole debacle indicates that hundreds of thousands of others have also fallen victim. A couple from SecurityFocus are as follows: