Chuck Easttoms Tech Corner

The Birthday Problem

2012-02-01T20:43:00.002-06:00

OK, lets apply some number theory. This is a classic math problem that is related to hashes. How likely is it that 2 people in a room of 23 people would have the same birthday? There are 365 days a year, so you might think it is 1/365 but that is not true.

The first person has 22 chances of there being a match, the second person as 21 chances, the third 20, etc. If you put that together there are 253 chances.

How many people do you invite to your party so that two will have the same birthday (with high probability)? √365
You need √N to have a high probability of a collision. This is called the birthday paradox.

Now based on that fact, you can use the same concept to try a type of brute force attack on encryption. A birthday attack is a name used to refer
to a class of brute-force attacks based on the birthday paradox.

General formulation
function f() whose output is uniformly distributed over domain
On repeated random inputs n = { n1, n2, , .., nk }
Pr(ni = nj) = 1.2k1/2, for some 1 <= i, j <= k, 1 <= j < k, i != j
E.g., 1.2(3651/2) = 23

In other words if you have an encryption algorithm with a key space of 32 bits, you can generate √4,294,967,295 random keys or 65,535 keys and have a high chance of one of them being the right key. Note this only gives you a high probability of getting a matching key, not a guarantee. For a guaranteed match you would have to generate 4,294,967,295 random keys. Basically the birthday paradox means that one can try a set of random keys that is much smaller than the entire key space, and have a good chance of getting a match. This makes larger keys even more essential.

Rainbow Tables

2012-01-23T13:39:00.002-06:00

In 1980 Martin Hellman described a cryptanalytic time-memory trade-off which reduces the time of cryptanalysis by using pre-calculated data stored in memory. Essentially these types of password crackers are working with pre-calculated hashes of all passwords available within a certain character space, be that a-z or a-zA-z or a-zA-Z0-9 etc. These files are called Rainbow Tables. They are particularly useful when trying to crack hashes. Since a hash is a one way function, the way to break it is to attempt to find a match. The attacker takes the hashed value and searches the rainbow tables seeking a match to the hash. If one is found then the original text for the hash is found. Popular hacking tools like OphCrack depend on Rainbow tables.

General cryptanalysis methods

2012-01-17T04:26:00.001-06:00

• Chosen Plaintext Attack: In this attack the attacker obtain sthe ciphertexts corresponding to a set of plaintexts of his own choosing. This can allow the attacker to attempt to derive the key used and thus decrypt other messages encrypted with that key. This can be difficult but is not impossible.

• Ciphertext-only: The attacker only has access to a collection of cipher texts. This is much more likely than known plaintext, but also the most difficult. The attack is completely successful if the corresponding plaintexts can be deduced, or even better, the key. The ability to obtain any information at all about the underlying plaintext is still considered a success.

• Related-key attack: Like a chosen-plaintext attack, except the attacker can obtain ciphertexts encrypted under two different keys. This is actually a very useful attack if you can obtain the plain text and matching cipher text.

Another breach that should not have happened

2012-01-02T07:38:00.001-06:00

Another story of a company that should be more secure that simply is not
http://news.yahoo.com/hackers-target-us-security-think-tank-123046257.html

Why does this keep occurring, particularly with security firms? The answer is not as simple as it should be. There are many factors. Let me address some that I believe are of most concern:
Lack of skill on the part of security personnel. I know this is a drum I beat often. But I routinely meet people who have 5 or more years of experience, computer related degrees, and even prominent certifications like CISSP, who are woefully under informed. So many security degree programs and certifications have a strong emphasis on concepts without hands on practical skills. Both are required for security. You simply should not be working in security if you do not have a strong knowledge of operating systems, networks, and at least one programming language. That, in my opinion, is the basis for then learning security.
Not applying industry best practices. I still encounter companies that put all the tech support guys in the domain admin group, don’t remove unused local accounts, have servers that are not hardened, etc. You must apply all industry best practices, and that will only get you to the point of the most basic level of security.

Penetration testing. I have always said that if you are not conducting penetration testing using skilled pen testers, then you are guessing that your system is secure, you don’t know. Everything else you do is just preparation. Without a pen test you won’t know for sure.

The security boom. This is actually hurting the security industry. Now it is booming, so everyone wants to be a ‘security professional’. This leads to a lot of under qualified people getting into the field. And questionable schools (like ITT) offering security programs.
The security industry is getting hammered by the bad guys, but this need not be the case. These problems can be fixed.

Security Training

2012-01-01T10:20:00.000-06:00

Security training can be expensive. Many places charge $3000 or more per student for training such as Security+ or CISSP prep. I have been training for over 10 years, including teaching both of the aforementioned courses.

I am now offering that training direct to organizations, thus saving them money. You can find out more at
http://www.securitycertificationtrainer.com/
or the alternative URL
http://www.cissp-trainer.com

Frequency analysis

2011-12-28T05:05:00.001-06:00

I am going to be doing a series of posts on cryptanalysis. I hope you find it useful.

Frequency analysis
This is the basic tool for breaking most classical ciphers. In natural languages, certain letters of the alphabet appear more frequently than others. By examining those frequencies you can derive some information about the key that was used. This method is very effective against classic ciphers like Caesar, Vigenere, etc. It is far less effective against modern methods. In fact with modern methods, the most likely result is that you will simply get some basic information about the key, but you will not get the key. Remember in English the words’ the and and are the two most common three letter words. The most common single letter words are I and a. If you see two of the same letters together in a word, it is most likely ee or oo.

The Windows 7 Spyware 2012…another virus

2011-12-02T12:30:00.000-06:00

This virus is a really difficult one. It essentially renders much of your computer inoperable. No email, no web browsing, and many executables (like msconfig) no longer work. It is 'scareware'. It claims to be an anti virus, and looks like it is part of windows

Then it trys to remove the 'viruses' it found. It will tell you that you have to purchase the full version in order to remove these viruses. And if you Google how to remove it, most of the instructions are for downloading someone else’s software to remove this virus. Well I have successfully cleaned this virus so I would like to share how:

Step 1: reboot into safe mode (press F8 during startup).
Step 2: In safe mode start the task manager and stop all processes not owned by the system.
Step 3: Download malware bytes (malwarebytes.org)
Step 4: Change the extension of the installer from .exe to .com (the virus has, by now, started up again and prevents any exe’s from running).

Step 5: Install malware bytes and run a quick scan.

When you reboot you may still have problems, if so you can then restore to a previous known good restore point.

iPod Virus

2011-11-30T20:45:00.001-06:00

I discovered a virus that affects iPods. As you may know, when you plug in your iPod, your computer views it as another drive. This particular virus would copy onto that drive, and the symptom would be random and rapid song skipping on the iPod. It would not be detected unless you had the iPod plugged in while you did a virus scan.

The point of this is that viruses are becoming more and more creative. Any device that has a processor and memory could be infected by some type of virus. It is also important to have portable devices plugged into your computer when you run an anti virus.

Why the little things matter

2011-11-17T07:57:00.002-06:00

A news story today (http://news.yahoo.com/computer-4m-patients-stolen-calif-021447575.html) describes a stolen computer. This computer has a few million patient records…and identity thief’s dream. So many lessons from this story:

1. The company says ‘it is working to get all their computers hard drives encrypted’..What?? Trucrypt is free, uses AES 256 bit encryption, and takes about 5 to 10 minutes for a complete novice to configure. Why are all their sensitive drives not encrypted already?
2. Physical security. Someone literally walked out with the computer itself. I know manly students in my Security+ and CISSP classes wonder why the emphasis on physical security…this is why. The best firewalls, anti virus, security policies, etc. don’t help if someone can physically access your computers.

In this day and age, there is no excuse for any sensitive information to not be encrypted. In fact I would call such an act ‘IT malpractice’. The network administrator responsible for these systems should be fired and should not work in this industry again. And now we also see the reason for physical security.

Are cyber terrorism and cyber warfare real, or just science fiction?

2011-11-08T20:32:00.002-06:00

According to the FBI “cyber terrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by sub national groups or clandestine agents.”1 Cyber terrorism is simply the use of computer systems to conduct a terrorist attack. .Clearly the loss of life due to a cyber attack would be much less than that of a bombing. In fact it is highly likely that there would be no loss of life at all. However significant economic damage, disruptions in communications, disruptions in supply lines, and general degradation of the national infrastructure are all quite possible via the internet. It is also possible that attacks on certain systems such as the power grid or air traffic control systems could lead to a loss of life.

In 2008 and 2009 there have been growing reports of attacks on various systems tracing back to South Korea or China. Given that both nations are totalitarian regimes with a very strict control on their populace is it difficult to believe that the governments of those countries were not at least aware of those attacks. And many people (including this author), suspect that these governments were actually behind the attacks. When governments begin using or support cyber attacks, then cyber warfare is now a reality.

And in 2011 the news is replete with stories of cyber terrorism, cyber warfare, and cyber skirmishes

Hackers take down Palestinian servers http://news.yahoo.com/hackers-down-palestinian-servers-154504544.html

Cyber spies go after chemical companies http://news.yahoo.com/cyber-spy-campaign-targets-chemical-industry-symantec-201803040.html

A new stuxnet virus is threatening a new round of cyber war http://news.yahoo.com/us-security-firm-warns-stuxnet-virus-162150525.html

A look inside AES

2011-11-08T07:07:00.003-06:00

As many of you know I frequently blog about cryptography. The following is an overview of AES. The first part are the general facts that anyone in network security should know. The second part is an overview of the algorithms. You can skip that if it does not interest you.

Basic facts.
Advanced Encryption Standard was ultimately chosen as a replacement for DES. AES is also Known as Rijndael block cipher. It was officially designated as a replacement for DES in 2001 after a 5 year process involving 15 competing algorithms. AES is designated as FIPS 197.AES was developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen
AES can have three different key sizes, they are:128, 192, or 256 bits. The three different implementations of AES are referred to as AES 128, AES 192, and AES 256. All three operate on a block size of 128 bits. According to the NSA, AES 256 is secure enough to be used with top secret documents.

The algorithm
This uses a substitution-permutation matrix rather than a Feistel network
AES operates on a 4×4 column-major order matrix of bytes, termed the state (versions of AES with a larger block size have additional columns in the state).

1.KeyExpansion—round keys are derived from the cipher key using Rijndael's key schedule
2.Initial Round
1.AddRoundKey—each byte of the state is combined with the round key using bitwise xor
3.Rounds
1.SubBytes—a non-linear substitution step where each byte is replaced with another according to a lookup table.
2.ShiftRows—a transposition step where each row of the state is shifted cyclically a certain number of steps.
3.MixColumns—a mixing operation which operates on the columns of the state, combining the four bytes in each column.
4.AddRoundKey
4.Final Round (no MixColumns)
1.SubBytes
2.ShiftRows
3.AddRoundKey

In the SubBytes step, each byte in the matrix is substitued for another byte using an 8-bit substitution box, called the Rijndael S-box

The ShiftRows step by shifting the bytes in each row by a certain amount. The first row is left unchanged. The second row is shifted one to the left. The third row by two, etc.

In the MixColumns step, the four bytes of each column of the state are combined using an invertible linear transformation. This takes four bytes as input and outputs four bytes. Together with ShiftRows, MixColumns provides diffusion in the cipher.

In the AddRoundKey step, the subkey is xord with the state. For each round, a subkey is derived from the main key using Rijndael's key schedule; each subkey is the same size as the state.

Is there an engineer in the house?

2011-11-01T13:51:00.002-05:00

The past week has been replete with alarming computer crime stories. There have been breeches of satellites, chemical companies, and military installations. These are not trivial attacks like some teenager breaking into the high school server. They are even more serious than identity thieves stealing sensitive financial data from banks.

But as always, these stories make us ask why? Why is this happening? All the focus on security, all the people rushing out to get relevant certifications…why is it still happening? My opinion is that there are primarily two causes.

The first cause: security is unlike any other IT field. It requires both depth and breadth beyond any other. I meet CISSP’s with over 10 years experience who can discuss the concepts of security but could not actually secure a router, launch and SQL injection attack, or configure an IDS if they had to. This field requires a constant, almost obsessive hunger for new knowledge. The bad guys are hungry to learn more and are always expanding their skills. The good guys better be as well.

The second cause: our approach to security is ad hoc. We need to borrow from the engineering disciplines. Now there has been some progress in this regard. The CISSP and ISSAP tests now ask some questions about the capability maturity model, but that is just a paltry first step. We must be designing security, we must know the stresses our systems can withstand, we must be testing our systems. We must do ‘security engineering’.

Send in the drones

2011-10-17T22:07:00.001-05:00

You have probably heard that this week the United States Air Force acknowledged that its drone fleet had been infected with a computer virus (http://news.yahoo.com/us-air-force-calls-drone-fleet-virus-nuisance-053626091.html). In 2009 one particular drone was hacked. The perpetrator did not take control of the drone but was able to tap into its video feed. What do stories like this mean?
Frankly it simply means a new theater for military, paramilitary, covert operations, and terrorism is active. People, including myself, have been discussing the possibilities for cyber warfare, for years. Now it is actually happening, albeit on a small scale. Cyber attacks are simply another aspect of any conflict now.

Now this means that while we cannot ignore such attacks, they should not spark paranoid over reactions. This is no more serious (or less serious) than any traditional breach of military security. It necessitates a review and improvement of security procedures. But, in my opinion, does not require abandoning the very successful drone program. If someone breached security of an Air Force base and gathered sensitive information on stealth fighters, would we stop using them? Of course not. Neither should we abandon the drone program. And two, relatively minor, breaches during the entire lifetime of the drone program, is actually a good record.

Improving any block cipher

2011-10-02T22:04:00.000-05:00

Another post on cryptography basics.

Here is one (of several) standard methods that can be used to improve any block cipher. It is called cipher-block chaining (CBC) mode. It is actually simple: each block of plaintext is XORed with the previous ciphertext block before being encrypted. This means there is significantly more randomness in the final ciphertext.

The knowledge deficit

2011-09-25T12:55:00.001-05:00

A recent report stated that cybercrime costs 114 billion dollars a year (http://news.yahoo.com/cybercrime-costs-114-billion-report-151343640.html). I have not personally researched the dollar amount lost to cybercrime, but I find this report very plausible.
Obviously cybercrime costs when data is lost or damaged. But there are also significant costs associated with repairing damage, investigating cybercrimes, and attempting to prevent them. And as our society becomes more dependent upon technology, this situation will worsen.
Fortunately law enforcement agencies, corporations, and the military are taking the threats far more seriously than they did 5 years ago. But there is still one significant gap, it is what I term the ‘security knowledge deficit’. I routinely interact with network administrators and security professionals who should know a great deal about security but seem to know less than they should (or at least less than I think they should). This is a business where one never knows ‘enough’. To be a security professional you must be obsessed with learning more. Always be looking to broaden and deepen your knowledge.

Too often security pros think because they have a CISSP, and perhaps a degree (maybe even a graduate degree) that they know all they need to know. This is a rapidly changing field. I personally find myself always learning new things, and always surprised I did not already know them!

Feistel Functions - the basis of many block ciphers

2011-09-08T08:15:00.002-05:00

At the heart of most block ciphers is a Feistel function. This function forms the basis for most block ciphers. This makes it one of the most influential developments in symmetric block ciphers. It is also known as a Feistel Network or a Feistel cipher. It was first seen in IBM’s Lucifer algorithm (the precursor to DES). It is used in DES, 3DES, CAST-128, BlowFish, TwoFish, RC5, and other algorithms. This function is named after its inventor, the German-born physicist and cryptographer Horst Feistel.

This function starts by splitting the bock of plain text data (often 64 bits) into two parts (traditionally termed L0 and R0)
The round function F is applied to 1 of the halves. The term ‘round function’ simply means a function performed with each iteration, or round, of the Feistel cipher. The details of the round function F can vary with different implementations. Usually these are relatively simple functions, to allow for increased speed of the algorithm.
The output of each round function F is then xor’d with the other half. What this means is that, for example, you take L0, pass it through the round function F, then take the result and xor it with R0.
Then the halves are transposed. So L0 gets moved to the right and R0 gets moved to the left.
This process is repeated a given number of times. The main difference between Feistel based cryptography algorithms is the exact nature of the round function F, and the number of iterations.

Fi is the round function for that particular round. Li-1 is the left side from the previous round, and Ri-1 is the right side.

Understanding Hashes

2011-09-05T08:40:00.003-05:00

People taking the Security+, CHFI, CEH, or CISSP need to know about hashes, and many have trouble with the concept. In order for an algorithm to be a ‘hashing’ algorithm it must satisfy 3 criteria:
1. It must be one-way
2. It must take a variable length input and produce a fixed length output
3. It must have few or no collisions.
Now what does all this mean? Well the first item is simple. A hash is not reversible. You cannot ‘unhash’ something. Unlike encryption, where you encrypt and decrypt data, a hash cannot be undone. The second part is even simpler. Whatever length of input you put in, you will get the same length output. For example MD5 produces 160 bit output, no matter what the input. Finally a collision is when two different inputs produce the same output. A hashing algorithm should either never have this occur, or it should be very very rare.

So how are hashes used? Often to verify something. For example when you create a password in many systems, the password is stored as a hash. That way even the administrator cannot read what your password is, he or she can only see the hash (and remember, it is not reversible so he cannot get back your password from the hash). Then when you login, whatever password you type in is hashed and compared to the stored hash. If it matches, you are given access.

Another use of hashes is in forensics (but again for verification). Before you begin your forensic examination, hash the suspect drive and store that hash. Then when you make a forensic copy of the drive, you can hash the copy and compare it to the hash you created and make sure everything was copied, with no errors.

How risky is technology?

2011-08-20T11:53:00.002-05:00

Anyone who has read this blog, read one of my books, or met with me, knows I am no luddite denouncing technology. However, I am a proponent of our being cognizant of the dangers posed by any technology. A story this week (http://news.yahoo.com/summary-box-texting-poses-risk-alarms-devices-171546991.html) showed some researchers were able to access a vehicles computer system by texting commands to that vehicles cell phone number. This is obviously disconcerting, particularly if you have a system like OnStar (and I do). However, even the articles authors stressed that it would be very difficult to steal a car with this technique.
My concern is not imminent mass auto theft (or even theft of my own car!) My concern is that technology vendors seem to still be making security an afterthought. I would have assumed that all commands to a car were encrypted and password protected. But I would have assumed the same thing about medical devices, and that has also turned out to be false. What I am advocating is not a turning away from the wonderful technological marvels our society prodigiously produces. I am instead encouraging consumers to demand that security be part of the product. Simply boycott products that are not secure. I am encouraging companies to make security part of product design, not an afterthought. I am suggesting that engineers to temper their thrill for their latest innovation with a bit of thought to how it might be exploited.

Prime Number Generation

2011-08-12T09:44:00.001-05:00

I have been working on this prime number generating method for some time. I have a lengthier version for publication and it is included in my new cryptography course for the EC Council. However I thought I would introduce this abbreviated version to those who read my blog. Enjoy!

There is a large body of research concerning prime numbers. A great deal of pivotal work in number theory concerns prime numbers. For example the Goldbach Conjecture states that every positive even integer greater than 2 can be written as the sum of two primes. Perhaps more importantly is Euclid’s theorem that there are infinitely many prime numbers. In modern times, prime numbers are a critical part of public key cryptography (Stallings 2010 ).
There have been numerous attempts to derive a formula that will consistently generate prime numbers (Gries & Misra, 1978; Pritchard 1981; Adleman, 1980). Even before the 20th century, mathematicians sought a reliable method for generating prime numbers. For example Mersenne posited that Mn = 1n -1 is prime for the numbers 2, 3, 5, 7, etc. Mersenne was attempting to derive prime numbers from known prime numbers. Unfortunately his method failed at M11 (Devlin, 2001). These methods have been partially successful, but a reliable method for consistently generating prime numbers has been elusive.
This paper details yet another attempt to derive an algorithm for discovering prime numbers. In this particular study, prime numbers were examined in order to discover any patterns that might emerge. The hypothesis being that an efficient algorithm will not be derived for generating large prime numbers, until a clear pattern is found. Finding such a pattern should lead to an algorithm.
The methodology used in this study was very simple. Starting with the lowest prime number, 2, each prime is multiplied by each subsequent prime, increasing the number of primes used each time. For want of a more appropriate term, this can be called prime factorialization. In every case the product was not only composite, but even, and in fact ended in zero. What became interesting, was that in every case tested, the product was within 1 small prime numbers distance from another larger prime. In the first 4 iterations of this process the nearest primes are equidistant from the product, by a distance of a prime number. That particular pattern does not continue. The data generated is shown in table 1-1.

While there are primes closer to the product than the ones listed in this chart, it is the equidistant primes that are exactly one prime length from the product that are of interest.
What this data suggests is that by continually multiplying the list of primes by the next known prime, one can generate a number that is within one relatively small prime of another large prime. In fact in every case, another prime number was within a 2 digit prime of the product of the preceding primes. It is also worth noting that while table 1-1 stops with the prime number 29, continuing the multiplication by the next prime through 47 also showed the product to be even, and to end in a zero. Numbers beyond 47 were not tested.

References

Adleman, L. (1980). On distinguishing prime numbers from composite numbers. 21st Annual
symposium on foundations of computer science. Retrieved from http://www.computer.org/portal/web/csdl/doi/10.1109/SFCS.1980.28

Devlin, K. (2001). Mathematics: The new golden age. Columbia, NY: Columbia University
Press.

Gries, D., Misra, J. (1978). A linear sieve algorithm for finding prime numbers.
Communications of the ACM, 21 (12).

Pritchard, P. (1981). A sublinear additive sieve for finding prime number. Communications of
the ACM, 24 (1).

Stallings, W. (2010). Cryptography and network security: Principles and practice. Saddle
Brook, New Jersey: Prentice-Hall.

What is a hacker

2011-08-07T13:21:00.002-05:00

Recently someone forwarded me an article (http://m.techrepublic.com/blog/10things/the-top-10-hackers-of-all-time/2610?tag=nl.e099) that purports to list the top 10 hackers of all time. I could not disagree with this list more. Let me pick a few examples from it:

Robert Morris: Robert Morris developed a worm that got out of hand and caused far more damage than he had intended. There are several reasons I would not consider him a hacker (black hat or white hat). To begin with he did not even understand his own worm well enough to realize what harm it could cause. Secondly, being renown for a single event does not make one ‘great’ in any field.

Yan Romanowski: This person launched a massive denial of service attack. The first issue with his inclusion on the list is that a DoS attack is the easiest attack to do. It does not take any great skill. Secondly he was caught and arrested, so it seems he did not even do the DoS right.

Kevin Mitnick: Mr. Mitnick was caught…more than once. That alone brings into question his skillset. Secondly he was most known for social engineering, not actual technical hacking.

So what is a hacker? Whether the person is black hat or white hat, a hacker is someone with well above average technical skills and a deep curiosity of how things work. A hacker is always exploring, always prodding, and always learning. Some hackers direct this effort to elicit purposes, most do not.

What makes an expert?

2011-07-25T20:27:00.002-05:00

This week there was a news story of a ‘cyber crime expert’ being taken in by a hoax. However when I looked up that particular expert I found the person in question was an attorney who had worked on anti cyber bullying laws. That person had no training or experience in IT security, computer science, networks, etc. I also could not find one publication by this person (not one article, not one book, etc.). Not one IT certification (no CISSP, no ISSAP, no CEH, no Sans, etc.) . I could not find any mention of even one year working in any IT related job. Now obviously one could be missing one of these credentials, but how does one qualify as an ‘expert’ without any of them? This person simply was not really a 'cyber crime expert'.

This brings us to a problem I discuss in class frequently. Computer security is exciting. You will notice movies about hackers (Swordfish, Hackers, Untraceable, etc.), but when was the last time you saw a move about database admins or mainframe programmers? So since computer security sounds cool, everyone wants to claim expertise in it. Everyone is an uber hacker. Unlike licensed professions, nothing prevents anyone from claiming to be a ‘security expert’. So what should you look for in an expert? At least 3 of the following (note I said expert not merely a consultant):
1. Graduate training. A masters or Ph.D. in some computer related discipline.
2. Some relevant industry certification (CISSP, CEH, etc.)
3. Real world experience. At least 4 years.
4. Published (at least co-authored a paper or perhaps presented a talk at a conference).
Now obviously all four is an ideal mix, but an excess in one area might make up for a dearth in another. For example if one had only a bachelor’s degree, but 10 years of experience, that would be fine.

We have too many people pontificating on computer security who simply don’t know enough. Expert does not mean ‘competent’. It means you are the top of your field.

Is CAST worth it?

2011-07-23T12:58:00.000-05:00

The EC Council has started a new program called Center for Advanced Security. The question is: is it worth it? Now in full disclosure, I created their cryptography course so I am not unbiased.
With that said it may seem no surprise that I do think it is worth it. Please allow me to explain why. What happens to the person who is reasonably well versed in security? Perhaps you are a CEH, CISSP, or even
have a graduate degree in information assurance (or something related). Is that all there is to know? Well anyone who possesses those credentials knows the answer is a resounding 'NO!' There is a lot more
to learn. But for the most part you learn it via experience, trial and error. The CAST prgoram is about letting trained professionals go to a deeper level. In 3 days, 8 hours each you learn in depth details
of some particular aspect of security. And these are very in depth. They begin assuming you have moderate amount of knowledge. Essentially in 3 days you take your knowledge of one specific area to a whole other level.

Cost is also a factor. Well many training classes cost over 3K for training, particularly certification boot camps. well these very advanced courses with well known experts, cost 2295. There are also usually
some discounts to be had to knock some of that price. So this is a very reasonable cost.

So in my opinion this is well worth it. It is past time we had advanced training for those who have already gained a professional level of knowledge.

No need to fear Rainbow tables

2011-07-11T09:05:00.001-05:00

First, for those readers who do not know, I need to clarify what a rainbow table is. Essentially Windows stores passwords in hashed format. A hash is a one-way function , you don’t ‘unhash’ something. When you login, Windows hashes the password you entered and compares that to the hash stored in your SAM file (that is found in Windows\System32\) to see if it matches. If it does you are logged in.
Well a rainbow table has hashes of every possible configuration of characters. For example you would have every possible 2 character combination and the matching hash. Then every possible 3 character combination and the matching hash, etc. Tools like OphCrack are used on Windows machines to boot into Linux, grab the Windows SAM file and then search the rainbow tables for a match. If a match is found, then that is the password. These tools are very effective on XP and Vista machines with passwords less than 10 -12 characters long.
Now how do you stop this? Well there are several ways:
1. Use longer pass phrases. For example ‘!L!k3ch33seburg3rsfrombUrg3rk!nG’ would be too long for any rainbow table (those tables get HUGE very fast. And 32 characters long is way too big for them).
2. Use Microsoft’s free tool ‘Syskey’ to encrypt the SAM file. Then the tool (such as OphCrack) cannot read the SAM file to search for matches.
3. Use a free tool like TrueCrypt to encrypt your entire hard drive.
4. Windows 7 uses something called salt. This is the insertion of random bits into the hash to keep tools like OphCrack from guessing the password.

So you have four methods to prevent these kinds of attacks. Personally I have Windows 7, with Syskey, and a long passphrase…so I am not worried about someone cracking my Windows password.

Lulzsec How worried should you be?

2011-06-22T09:28:00.002-05:00

The media is buzzing with stories of Lulzsec and Anonymous. If you take the media hype at face value, you have two nefarious rogue hacker groups laying waste to the internet with law enforcement powerless to stop them. Just last week they took down the CIA…..or did they?
To gauge how serious this threat is, one has to look at what they have actually done. With very few exceptions their attacks have been distributed denial of service attacks against web sites.

It is important to keep in mind what is happening here. First and foremost a website is, by definition, the most exposed portion of a network. It is open to the world. And it must be. For example hacking into the CIA web site is not even remotely the same as hacking into the CIA network. The website for most organizations is completely isolated from the actual network. Secondly they did not actually ‘hack in’ to the website, they simply shut it down. While there are many different ways to do it, in essence a denial of service attack is about overloading a target system with more traffic than it can handle. This usually forces the target system offline. This is the cyber equivalent of low skilled vandalism. To equate this with ‘hacking into the CIA” would be akin to someone spraying graffiti on the side of the bank, and that act being equated with breaking into the vault. They are not even close.

What I have seen so far from Lulzsec are very low skilled attacks on public facing web sites. These sorts of attacks could be easily done by any student studying security and penetration testing. While I do think these events are crimes and should be treated as such, I think the reputation the media is giving to the perpetrators is vastly exaggerated and totally unjustified.

Are we in a cyber war?

2011-06-16T09:53:00.002-05:00

It is not hard to find stories in the news of hacking attacks that appear politically motivated. This week the hacker group Lulz Security claims responsibility for taking down the CIA website http://beta.news.yahoo.com/cia-website-goes-down-hackers-claim-responsibility-002426685.html . It is certainly true that a denial of service attack on a website is neither difficult nor particularly dangerous. It is the cyber equivalent of low end vandalism. More an annoyance than an intrusion. However, hacking groups specifically targeting the CIA, even with a simple denial of service attack on the website, is interesting.

There is also the issue of the China Eagle Union http://www.thedarkvisitor.com/2007/10/china-eagle-union/. This group of thousands of hackers based in China, specifically targets western networks. And they are not just performing denial of service attacks on websites. Their goal is to steal information. While they insist that they have no connection to the Chinese government, and in fact are in constant danger of arrest by Chinese authorities, I have difficulty believing this. In an authoritarian country, where citizens have few rights and the government is routinely monitoring network activity, it is hard to imagine this group does not have at least the tacit approval of the Chines government.
Now China’s military is recommending steps be taken to counter a cyber warfare threat from the United States. http://news.yahoo.com/s/nm/20110616/wr_nm/us_china_usa_internet

What does all this mean? Frankly my opinion is that we are already in a cyber cold war with China. Small, low intensity cyber conflicts, often through third party groups rather than direct government involvement. This is a text book cold war conflict, and it is underway right now.

What is a Fiestel network

2011-06-09T14:02:00.000-05:00

Also called a Feistel function. First of all it is the basic methodology employed in many block ciphers (including the famous DES And 3DES). It is named after its inventor, the German-born physicist and cryptographer Horst Feistel.
In general it combines substitution and transposition in each stage. In other words the plain text characters are replaced by something new, and blocks of text are swapped.
If you are going to study cryptography at all you should become familiar with this function.

A slightly more detailed view of the algorithm is as follows:
• This function starts by splitting the bock of plain text data (often 64 bits) into two parts (traditionally termed L0 and R0)
• The round function F is applied to 1 of the halves. The details of that function F can vary with different implementations.
• The output of F is then xor’d with the other half.
• Then the halves are transposed.
• This process is repeated a given number of times

For more details
http://x5.net/faqs/crypto/q56.html
http://www.schneier.com/paper-unbalanced-feistel.html

What will it take to be secure

2011-06-06T08:06:00.002-05:00

This past week there has been another story of hacking. However this one is about an attempt to extort a company that works with the FBI (http://news.yahoo.com/s/ap/20110606/ap_on_hi_te/tec_fbi_partner_data_breach). Cyber extortion is nothing new, and this case is a classic one. The attackers breached the targets security, then sent an email to an executive with proof of their breach, demanding money to keep the private data private. What makes this story so interesting is that it was a security firm that works with the FBI. One would think that such a target was unassailable. How did this happen? I have not done an audit or analysis of that specific company, but I would like to comment on issues with security professionals in general. Too often the skill level of security professionals varies widely. I have personally met security professionals form major companies that literally barely knew how to navigate their own PC. Of course I have also had the privilege to meet and interact with some very talented professionals. So the real question becomes: what does it take to be a real security pro? Well I have a few things I suggest:
a) Formal Education: You need to have training/education in computer science in general. You should have a basic working knowledge of operating systems, hardware, networking technologies, and at least one programming language. Now of course someone will say they ‘know a guy’ who has no formal education and is awesome. I am certain that is true. But I am also certain that is the exception. I am sure you would not want a self educated physician to perform an operation on you, would you?
b) Certification: Some people deride certifications, others extol their virtues. I agree with Bruce Schneier’s view (http://www.schneier.com/blog/archives/2006/07/security_certif.html) certifications are a very useful way to determine if someone has the baseline skillset to be a competent practitioner. They do not make one an expert. I have taken a lot of them myself, and I often learn some new nuance in the process of prepping for a certification. But keep in mind certifications show one has the baseline knowledge, they do not make one an expert. I would also say that no single certification is enough. I would consider the basic certification needs for a security pro would be CISSP, CEH, and one ‘elective’ (Cisco, CompTIA, Microsoft, etc.). And again, I would consider that the basic requirement. This won't make you an expert, it will indicate basic competence.
c) Constant learning: I know of no field that changes as fast as this one. You have to constantly be learning and growing. If you are not routinely updating your knowledge, you cannot be effective in security. Read books, read journals, attend conferences. Perahps consider other certifications (GIAC, ISSAP, Forensics, etc.). Maybe seek advance training (EC Council's CAST training for example). But whatever you do, keep learning and growing.

In my opinion these are the basic requirements for a security professional. And all too many security professionals fail to meet them.

Where's the beef?

2011-05-16T07:17:00.001-05:00

Every week you can find more stories of security breaches at major companies. It is easy to understand a small organization lacking the security measures to prevent these attacks, but major organizations? In just the last 30 days we have seen:
1. Sony
2. Texas Comptroller
3. Epsilon
4. RSA
And these are just a few of the biggest ones. There have been many more smaller breaches.
Why is this happening with organizations that supposedly have the resources to secure their networks? I believe there are two reasons.
Management
All too often management does not put security first. Security is seen as a cost, not a benefit, and therefor gets short changed in the budgeting process. Companies spend huge sums of money for new products, but comparatively little to secure them.

IT
I have yet to meet anyone in IT who does not think they know security…yet it usually takes less than 2 minutes of chatting to identify gaping holes in their knowledge. Security is perhaps the broadest, most complex area of IT. IT touches everything. So to work in security you must have knowledge that is very broad, and is deep in at least a few areas. There is no such thing as knowing too much. You need to know common security principles as well as the specifics of your operating systems, software, and hardware. You need to understand countermeasures such as firewalls, IDS, honeypot, encryption, antivirus, etc. on a deep level. You also need to understand the techniques that attackers use. If you don’t know how they operate you will not be able to stop them. Frankly all too many IT people simply lack the requisite knowledge to truly secure their systems.

The Sony Breach and what it means to you...

2011-05-08T08:59:00.003-05:00

You can use your credit/debit card for everything these days. You can buy music/movies/ebooks on iTunes, get books on Amazon.com, or buy gaming items (new maps, games, etc.) on Sony network. However all of those are vulnerable, as we have seen this week.

So my advice for protecting yourself is this:
1. Don't store a credit card on their service. It might be convenient, easy to pay, but it is also vulnerable.

2. Use the 'gift cards' that most of these services offer. That will not only keep you secure, but will help you keep a budget (it is really easy to get carried away on iTunes or Kindle books!).

I am not saying don't use your credit/debit card online, I do. I am saying
1. Only use it with reputable companies
2. Even with reputable companies, don't use it in a way that stores the information.

A cautionary Wi-Fi tale

2011-04-25T07:26:00.001-05:00

From time to time the news features a story of someone wrongfully suspected of some heinous computer crime such as child pornography (http://news.yahoo.com/s/ap/20110425/ap_on_re_us/us_wi_fi_warning). These cases involve another party, often a neighbor, accessing the persons Wi-Fi and committing the crime. In many of these cases, the victim did not even attempt to secure their wireless router. Leaving your wireless connection open to anyone to use is a very foolish move. So just remember a few basic steps:
1. Encrypt with WPA2 if at all possible.
2. Have a strong administrative password on the router admin utility.
3. Set the router administration utility so that it can only be administered via a direct connection, not wirelessly.
4. Set the router administration utility to use HTTPS rather than HTTP.

These simple steps would stop a lot of these problems.
In addition to securing your wireless, does your iPad/iPhone/Android have a lock out password and automatically lock out after a certain number of seconds? Is your cell phone password protected? With our increasing use of wireless and portable devices, one must be vigilant regarding security.

Integrity, there is no substitute.

2011-04-19T09:58:00.001-05:00

Bruce Raisley, formerly associated with ‘Perverted Justice’ (they aid in catching online predators), will spend two years in prison, in addition to three years of supervised release and pay a hefty fine.
Raisley, had some disagreement with the group and its founder, Xavier Von Erick. The exact nature of that disagreement is unknown. However Raisley became an outspoken critic of Perverted Justice and Von Erick and did all he could to discredit the group and Van Erick. So Von Erick decided to get even. Hewent online, posed as a woman named Holly, and started up an Internet relationship with Raisley. Von Erck eventually convinced Raisley to leave his wife for Holly, and had a Perverted Justice volunteer photograph him waiting for "Holly" at the airport.
A few magazines did stories on Perverted Justice and included this incident. So Raisely responded by creating a virus that infected about 100,000 computers globally. He then used this botnet to launch distributed denial of service (DDoS) attacks against any Web sites that had posted the articles.

Now first and foremost both parties (Von Erick and Raisly) were not simply wrong, but monumentally wrong. To begin with people have disagreements. Business relationships end. The responsible thing to do is to just walk away. Raisley decided to go on the attack. Then Von Erick compounded the problem by perpetrating a fraud to attempt to discredit Raisley. Then Raisley decided to escalate the matter to felonies.
Now for the fallout: Well Raisley is going to prison and is done in the IT world. Von Erick has managed to discredit the group Perverted Justice, and of course one can only assume Raisley’s marriage is in deep trouble if not over. All parties involved are far worse off than they were. No one ‘won’, everyone lost. Beyond that, I cannot imagine that an enterprising defense attorney won’t use the fraud committed by Von Erick and the Perverted Justice volunteer to undermine the prosecution of anyone if evidence gathered by Perverted Justice is involved. Frankly speaking both Raisley and Von Erick not only demeaned themselves, but may well be instrumental in some online predators going free.

The moral to this story is simple: if you are involved in any aspect of computer security, then your integrity is just as important as your technical skills. You must conduct yourself in a manner that is above reproach.
http://news.yahoo.com/s/zd/20110416/tc_zd/263249
http://news.yahoo.com/s/nm/20110415/wr_nm/us_crime_hacker

What is new in CEH 7

2011-04-08T09:19:00.000-05:00

I took the CEH V 6, and I was very curious to know what is in the new CEH 7 test. As an EC Council Instructor I was invited to see a webinar on the new class material, and I have some insights for you.

The first major change I saw was that they have included Metasploit as part of the curriculum and part of the test. I have often thought that Metasploit should be part of the curriculum, well it seems the EC Council agrees!

They have also updated attacks and tools to reflect the current standards. This is an important change, but one I had expected.

They have iLabs (with official EC Council tests), which allows you to get to virtual machines via your web browser and execute labs!

Most importantly, all EC Council instructors go through a four hour train the trainer webinar to make sure that the instructor knows CEH 7.

I always thought the CEH was a good test, but needed some improvements...well EC Council seems intent on continually improving it. I have to say I really like the new CEH 7!

Getting Deeper Security Training

2011-04-06T07:29:00.001-05:00

OK, lets assume you are security professional. You understand Intrusion Detection Systems, Honeypots, Firewalls, Digital Certificates, etc. You have taken some security certifications (perhaps Security+ or CIW Security Analyst). Maybe you even studied penetration testing and perhaps became a Certified Ethical Hacker. Perhaps you have even achieved the gold standard in security certifications the CISSP. Is there nothing more?

Well yes there is. In fact there are two paths to something deeper:
1. ISC2 has advanced concentration exams for CISSP holders. You can pursue the ISSEP, ISSAP, or ISSMP concentrations for the CISSP. I am currently a CISSP myself. I am scheduled for the ISSEP in May and the ISSAP in June...I am trying to get all three before the end of this year. So I highly recomend these concentrations for people trying to get adavanced security skills.

2. The EC Council is now offering advanced training courses, they call 'Deep Dive' courses. http://www.eccouncil.org/training/advanced_security_training.aspx
These are not for beginners. They offer advanced courses in penetration testing, cryptography, mobile forensics, application security, and network defense. These courses are all for the experienced pro, wanting to go very deep on one specific topic. In the interest of full disclosure, I am currently developing their cryptography deep dive course, so I am not completely unbiased. But the reason I agreed to work with them on this is because of how impressed I was with the program. I would recomend it even if I had no connection to it. In fact you may not be interested in my cryptography course, but you should strongly consider one of the other courses that does interest you. They have some outstanding training that simply is not available anywhere else.

Are you safe enough

2011-03-19T08:54:00.000-05:00

The RSA company, renown for making security products, was breached this week (http://news.yahoo.com/s/afp/20110318/ts_alt_afp/usitinternetcrimesoftwarersa). A spokesman for the company states that data was stolen that could be used to breach their customers.

Now RSA has always been a very reputable and reliable security company. Yet their defenses were breached. It should be noted that they are also a very big target, attracking the attention of the very best attackers. However what can we learn from this? Well a few things:

1. No network is completely safe. Just because you have not yet been breached, does not mean you are safe. It just means you have not yet attracted the attention of talented hackers.

2. Not only should you have defense in depth, you should also not have all of your defense dependent on one vendor. If, for example, your entire defense is based on RSA products, you might be in serious trouble now. As much as companies love to 'standardize' on one vendor, that can be a security disaster. If that vendor has a flaw, your entire system is susceptible.

3. Every organization needs penetration testing. Whether that is done interenally, or by outside consultants, it needs to happen. Until a talented and trained professional tries to breach your network, you have no idea how secure you really are.

Why certifications sometimes miss the mark

2011-03-10T06:33:00.000-06:00

I have previously commented on the value (both perceived and actual) of certifications in IT. It is obvious to anyone, however, that some people have certifications and don't appear to have the breadth or depth of knowledge one would expect. For example you may encounter someone who has Network+, but seems to not know enough about networking. Why is this?

The problem is not in the certification, it is how we prepare for it. Let me use an analogy. If I asked you to tell me the derivative of the cosine of x, and you are able to do so, we would assume (based on your correct answer) that you know several things. For example it could be safely assumed that you knew about derivitives and could compute others, as well as limits. It could be safely assumed that you had a working knowledge of trigonometry and basic algebra. We assume all of this because to get to derivatives you would have normally first studied algebra, trigonometry, then limits. We don't assume you simply memorized what the derivative of cos x is (btw for those math challanged readers, it is - sin x).

However in IT some people do just that. They memorize a set of facts just to pass a given test. That is not what the test was designed to do. It was designed to sample your knowledge from a broad area. Just memorizing specific answers to specific questions defeats the purpose. Unfortunately some boot camps do just that. They cram a bunch of memorization in your head, you pass a certification test...but do you really have the knowledge?

This is why when I teach certification classes I always
1. Cover the 'why' behind the what. Why is this true?
2. Include hands on training. You don't just memorize answers, you do it.
3. Add extra peripheral information, not directly on the test, but related. As some of you may know, my favorite phrase in class is 'no extra charge for extra knowledge'.

I would encourage all those studying for a certification, to avoid a myopic view of just cramming in facts for a test. Learn the field of study. And I would encourage all instructors and trainers to make sure they are truly teaching the full topic, not just cramming in facts for a test.

IS THE CISSP WORTH IT?

2011-03-06T22:32:00.001-06:00

If you google the title of this article you will find many blogs with conflicting thoughts on this issue. I have recently passed the CISSP and would like to add my comments to the cacophony of opinions on this issue. It is true the CISSP has limits. It is so broad that it does not go into depth on any one topic. And I am certainly not the first to make this criticism of the CISSP. However let me enumerate what I perceive to be its strong points:

First and foremost is that breadth. I personally am of the opinion that security can only be achieved with a broad knowledge of many topics. The CISSP will sample your knowledge of policies, cryptography, the OSI model, ports and protocols, and more. Now presumably this is just a sample to test your knowledge. Obviously if you went to a boot camp and crammed in just enough to pass the test, that may be all you know.

The background check. Allegedly 25% of applicants are randomly selected to verify their background. I know of no other certification that does this.

The continuing education credits. More certifications are implementing this. Despite how some people complain about this, it is not very onerous. If you are active in the security industry you should have no problem keeping up with the CE Credits.

The education and experience requirements. You must either have 4 years of experience with a degree, or 5 years without one. This is a wonderful requirement. This exam is meant to sample your knowledge, and show what you have learned with years of experience.

Last but not least, many employers are very enamored with it. In fact some jobs won’t interview you without the CISSP. That alone is reason enough to get it!

So all in all I would have to opine that the CISSP is a valid and worthwhile certification. Like all certifications, is has certain limits. But it is well worth your time to pursue.

WHY NO FLASH WITH IPAD/IPOD/IPHONE

2011-03-06T22:26:00.001-06:00

It amazes me how many 'experts' wring their hands and bemoan apples avoidance if Flash support. This is actually rather simple. Right now Flash is put into web pages by embedding a flash player. This has proven to be quite a security problem. So HTML version 5 does not support embedding such players, and instead plays Flash animations inline, with a standard HTML command. Apples problem lies in jumping the gun. They put out a product that does not support flash, but did not put out a browser that embraced HTML 5.

This really brings up the topic of pundits. Tech pundits abound. I supposed this blog makes me one. However, I would caution anyone to make sure they know all the facts before publicizing an opinion....

A new method for creating ghost partitions

2011-02-25T11:49:00.001-06:00

I have developed a new method for creating ghost partitions. You may find it of some interest. You can read the brief paper here:
http://www.chuckeasttom.com/ghostdrive.pdf

RSA Encryption in more depth

2011-02-25T08:29:00.000-06:00

RSA is perhaps the most widely used public key encryption algorithm in use today. The algorithm was publicly described in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman at MIT; the letters RSA are the initials of their last names. Most people in networking or network security know this much about it. You also probably know that in public key cryptography (also called asymmetric cryptography) that one key is used to encrypt a message and another to decrypt it. You probably even know that this math is based on really large primes. But do you know exactly how it works? Well let me walk you though the math. I will use small primes to make this easier to follow.
Key generation
Generate two large random primes, p and q, of approximately equal size such that their product n = pq is of the required bit length (such as 128 bits, 256 bits, etc.)
Lets use p=7 and q= 5 (remember we are using small because the math is easier)
Let n = pq
So n = 35
Let m = (p-1)(q-1)
So m = (7-1)(5-1) = 6 * 4 = 24
Choose a small number e, co-prime to m (note: Two numbers are co-prime if they have no common factors.)
OK lets say e = 2
Find d, such that de % m = 1
This means we want some number d such that d * e divided by m leaves a remainder of 1 (the % means modulus, or divide and give the remainder). So we have everything but d, that gives us
d2 % 24 =1
or what times 2 divided by 24 leaves a remainder of 1? Well that is easy Basically if you take any multiple of 24 add 1 and divide by 2 you get a possible solution. Lets use the smallest one or 49/2 =24.5
So d = 24.5

 Publish e and n as the public key.
Keep d and n as the secret key.
 Encrypt
 C= Me % n
Note m is your message
Put another way
Computes the ciphertext c = pe mod n
So take your message (converted to ascii then to binary, then you can leave it in binary if you want but the math is easier if you convert that to decimal) and do
Me % n
Decrypt
P = Cd % n
Put another way
Uses his private key (d,n) to compute m = cd mod n.
For more details go to http://www.di-mgt.com.au/rsa_alg.html#keygen

FUN WITH MATH

2011-02-24T14:25:00.002-06:00

Yes I said FUN with math. Hard to believe? Trust me for just a moment, I am going to show you math can be fun. Just try this:
Pick a single digit number other than zero…have you got one? Good. Now multiply that number times 9. Got your answer? Ok if your answer is a single digit, then leave it alone. If it is two digits, then add the two digits together. Now whatever that answer is subtract 5. With that answer assign a letter to the number. So if you have a 1, it becomes A, 2 becomes B, 3 becomes C, etc. Got your letter? Ok pick a country that starts with that letter (not a city, state, or continent, but a country). Do you have one? Ok now pick an animal whose name starts with the last letter of that country you picked.

I bet you picked Denmark and Kangaroo (though it could have been Koala)…wow How did I know that?

Here it is:

Well it is simple. You picked a number and multiplied it by 9. Now think about the 9’s times tables. You have 9* 2 = 18. If you add those digits (1, 8) you get 9. If you have 9 *3 = 27. If you add those digits (2, 7) you get 9. If you have 9 * 3= 36. If you add those digits (3 , 6) you get 9. In fact no matter what single digit you picked, your answer will lead to a 9! Now when I asked you to subtract 5, you will always get 4, so you will always get the latter D…and in the English language that gives you only one country: Denmark. And very few animals have names starting with K.

This is all based on simply knowing the multiplication tables and applying them in an interesting way.

My point is that math can be very fun!!

Net Neutrality...what is it all about?

2011-02-18T09:04:00.001-06:00

I have recently read a number of news stories online, regarding net neutrality. And the discussions regarding these stories are full of disinformation. Many people seem concerned the government will be taking over the internet and limiting free speech. This is not what net neutrality is about.

Many large ISP's want to be able to regulate the content you recieve over the internet. They may wish to block content they disapprove of (perhaps an expose news story about their parent company?) or simply charge more for certain content than for others. Net neutrality is simply stating that the internet is content neutral. An ISP cannot block any content (other than illegal content such as child pornography) and cannot charge you more for certain types of content (for example charge you more for using netflix than some other video source). This protects your right to free speech.

This time the government got it right. The new net neutrality FCC regulations are very important and virtually every major computer science group has been beggin for this for years.

The other tablets…

2011-02-11T10:13:00.002-06:00

Why am I so sold on iPad. What about the Android tablets? Windows 7 tablets? They have USB support and other cool features, so why am I not touting their value? While I won’t be denigrating them, some of the restrictions on Apple products are their strength. You cannot just download anything at all to your iPad. It has to go through the app store, and that is one reason you don’t ever hear about iPad viruses or spyware. I also found the iPad to be amazingly easy to use. Last but not least is iTunesU. I have been touting the value of this for some time. Free lectures from major universities on any topic you may want. I find this to be an amazing feature. And if everyone else implements the same on their products tomorrow, it will still be Apple who pioneered this.

So for me, I may have a Windows 7 desktop, but my tablet will be iPad.

Distance Learning at a glance

2011-01-23T09:39:00.002-06:00

I am often asked my opinion on educational venues. In this blog, and in other mediums I have frequently denounced the tech schools such as ITT, Remington, Westwood, etc. I have commented that regional accreditation is the only educational accreditation that matters in the United States. However, some ask me is it possible to get a legitimate, regionally accredited degree via distance learning? The answer is absolutely.

Before I describe to you a few such options, let me caution you. Distance education is not for everyone. If you are not self-directed and very self-disciplined you will not succeed. You must be able to work with minimal interaction with peers and reduced interaction with the instructor/professor. If you have a subject that you are struggling with, distance learning will be very difficult for you. However if you do feel you are well suited to distance learning, let me briefly describe some of the programs available to you:

Traditional Colleges with Distance Learning Programs
Texas Tech (http://www.depts.ttu.edu/distancelearning/programs/) has a variety of undergrad and grad programs including a masters of engineering and a master of education. They also have doctoral programs with only a once a year on campus seminar. Texas Residents pay about $880 per undergrad class, out of state residents pay about $1800.

University of North Texas (http://www.untecampus.com/default.cfm?p=programs) has a variety of masters programs offered on line. Quite a number of education and business degrees.

University of Nebraska (http://www.unk.edu/academics/ecampus/programs/eCampus_Online_Programs/) offers online a masters of science in biology, a masters of education, and several other programs. Their distance learning grad programs run about $400/credit hour for out of state residents.

Regis University (http://cps.regis.edu/academic-programs.php) is a traditional catholic school, with multiple online bachelors and masters programs. Several related to computer science including a masters of science in software engineering.

Mississippi State (http://www.distance.msstate.edu/engr/degreeprograms.html) has a number of distance learning engineering graduate programs, all with very reasonable tuition. Some require a brief on campus visit.

The University of Arkansas (http://sceao.uark.edu/Distance_Education/index.html) has a large number of graduate and undergraduate online programs. All with very reasonable tuition.

Stanford university (http://scpd.stanford.edu/degreeCredit/degreesCertificates.jsp) has a number of certificate and a few degree programs online.

University of Florida (http://www.distancelearning.ufl.edu/Degrees.aspx) has a number of programs in education, management, engineering, public health, etc.

Non traditional, but regionally accredited programs
Northcentral University (www.ncu.edu) has distance learning bachelors, masters, and doctoral programs in psychology, education, and business. Each offers a variety of concentrations including applied computer science, marriage and family therapy, and more. This university is regionally accredited but it is not cheap. The Ph.D. classes will cost $2200 per class.

American Public University (http://www.apu.apus.edu/index.htm) has a wide range of bachelors and masters programs including information technology, space studies, psychology, history, and more. They are very affordable with undergrad courses costing $250/credit hour and graduate courses costing $300/credit hour.

Colorado Technical University (http://www.coloradotech.edu/Degree-Programs) has many distance learning bachelors and masters degrees in business, information technology, education, and more.

These are just a few of your many options for regionally accredited distance learning degrees.

Musing on Windows

2011-01-20T21:17:00.000-06:00

I have said it many times, I am an operating system's agnostic. I am writing this on a Windows 7 machine, but I have 4 different Linux distributions in VM's and a Mac notebook on my desk. Not to mention the book I am currently working on is about Linux Administration. With that said, let me give you some insight into Windows 7.

Often times experienced computer techs simply glance over new versions of products and fail to delve in deeply. I have to confess I did that with Windows 7. I have been using it for many months and am just now discovering some really cool features. A few of my favorite are
1. Branch caching. If you have Windows 7 in offices, and your workstations use files from a server located in a different location, you can use branch caching to cach the file locally. That accomplishes two things. The first is improves performance for the users, and the second is that it reduces network traffic. Most importantly is that it is all transparent to the user.

2. File recovery. If you look at the file properties of, for example, a Word document, you have the option now to go back and recover previous versions. This will be quite a boon to most end users.

3. IE 8. IE 8 has some fascinating features. Most important to me are the security related ones, like inPrivate Browsing. If you are concerned about your privacy, you have to check this out http://windows.microsoft.com/en-US/windows-vista/What-is-InPrivate-Browsing

4. BitLocker: Windows 7 offers complete hard drive encryption with BitLocker. And Windows 7 Enterprise offers BitLocker to go. That lets you encrypt removable media.

These are just a few of my favorite features in Windows 7. In the next few weeks I will have a post discussing Windows 8 rumors!

Bond…nerd Bond

2011-01-13T10:10:00.002-06:00

Well it is now official (http://news.yahoo.com/s/ap/us_military_cyber_oversight) we are using cyberspace for clandestine ops. These may be espionage, sabotage, or reconnaissance. Since we are now publically acknowledging this, it seems likely it has been occurring for quite some time. My personal take is that we absolutely should be doing this. Our nation is heavily dependent upon technology, and for some time we have been aware that government and quasi governmental entities have been attacking our systems.
For some time it has been known that we use cyberspace for espionage, and that is an obvious tactic. The goal of espionage is to get information, most of the really interesting information is on a computer somewhere. But this article reveals our using computer systems for attacks, not just espionage. This is simply a facet of our modern society. It is hard to imagine any modern conflict not having a cyber component.

We already have the cyber equivalent of James Bond...now it seems we will have the cyber equivalent of Navy Seals

My Initial Impressions of Visual Studio 2010

2010-12-29T21:53:00.001-06:00

Well I am neither a Microsoft apologist, nor Microsoft basher. I have worked with Java programming, MySQL and PostGres for database, and Linux for operating systems. But I also use Microsoft technologies. In my opinion their work on Visual Studio has been a steady progression of improvement. I first found Microsoft programming with Visual Basic 3.0, then VC++ 5.0 and VB 5.0. I have followed the progress of Visual Studio.net through its various incarnations, now culminating with Visual Studio 2010.

First it is backward compatible with VS 2008, and that is a critical item. You don’t have to scrap all you did before. Secondly they now include much more robust and flexible data access methods. Object oriented programming is now more fully ingrained in Visual Studio than ever before. They also have blurred the line between VB.Net and C# so much that is you take any of the VS 2010 certification tests, you pick which language you want the test done in, when you sit down to take the test!

For those of you just looking to wow your end users there is plenty for you. Silverlight is fully integrated into Visual Studio allowing you to put some incredible animation into your program. The use of WCF ans WWF has been expanded since VS 2008.

My recommendation is that if you are programming with Microsoft technologies, you should do yourself a favor and move up to VS 2010 as quickly as possible.

Ethernet over power

2010-12-17T19:02:00.000-06:00

I must confess, I had read about this and discussed with several people, but remained skeptical. Obviously data going down a CAT 6 cable is simply electrical impulses. And obviously ones home wireing carries electrical impulses. But was it really possible to get data over the house wiring?

Well it turns out I had to try it. My son has a computer and a desk that is about as far from our wireless router as it could possibly be. And he was having constant connectivity issues. So about a month ago we bought (about $99) the ethernet over power. I waited a month to observe performance, and here is what we have found:
1. The setup could not be easier. If you can plug in a toaster, you can set this up. You plug in one end near your wireless router, and then plug a short ethernet cable from the device to a port on the router (that cable is included by the way!). Then you plug a second device into a socket near the computer you wish to connect and run ethernet from that device to the NIC on the computer and that is it. You are connected.

2. Problems. Well not at all. We have broadband phone/internet/TV all in one. And frankly I was concerned this might interfere with the other signals. It did not. We have not had any problems at all.

3. Speed. Well my son is absolutely delighted. He is getting noticably better performance than he did over wireless.

My final word is yes, this beats wireless hands down. I am not going to recomend a specific vendor, but I can heartily recomend ethernet over power.

There is an app for that

2010-12-11T17:39:00.000-06:00

Just a listing of some of my favorite science/math/educational apps for iPod/iPad

Best Free Educational Apps (some for iPad some for iPhone/Ipod
Shakespeare- All of shakespear for free
Particle Zoo - This is just awesome!
Periodic Table of the elements - There are several free ones
New England Journal of Medicine this week - You can read it on your pad for free!
Physics World - You can read it on your pad for free!
Math Ref Free - lots of trig, calc, and physics formulus

Best Paid for Educational Apps (some for iPad some for iPhone/Ipod
Star Walk for iPad 4.99
Supernova .99
OnScreen DNA Lite"4.99

Software Engineering...really?

2010-12-06T14:12:00.000-06:00

Software Engineering, is it really engineering?

Much of my career has been in software development, so forgive me if I blast my own profession a bit. Yet another technological failure is due to programming flaws, a Russian rocket failure (http://news.yahoo.com/s/afp/20101206/wl_asia_afp/russiaspacescience). It is not hard to find instances where programming flaws doomed technological projects to failure. Why does this happen?

In my opinion it is because we have so few software engineers. By that I mean, people who actually engineer software. Just because you write code, and your job description says ‘engineer’ does not make you a software engineer. Think about any engineering discipline. There is extensive planning prior to development, then extensive testing prior to production. I rarely see anything approaching appropriate planning or testing in software. Usually testing means a few hours banging around on it, then maybe having a few users beta testing. Planning usually consists of some half hearted attempts at a few UML diagrams. And all too often change management is non existent.

If programmers wish to take on the mantle of ‘engineer’, then act like engineers. Planning and testing should occupy at least as much time as coding. And simply because something seems to function does not mean it is good. Does it function efficiently? Does the code have inherent weaknesses that may lead to problems later?

Besides the engineering aspects, you must also use proper coding. At a minimum this means effective use of algorithms, extensive error handing, and pervasive data validation. A user should not be able to enter data that crashes your program.

Until we programmers start acting like engineers, these problems will continue. And PLEASE do not call yourself a 'software engineer' unless you conduct your software development, like an engineer!

DONT FAKE IT

2010-11-23T09:18:00.000-06:00

Ok this is not strictly about technology or about science. It is a personal rant. Don't fake it
Fake Ph.D.
Look I will be the first to say there are certainly people without graduate degrees, who are incredibly knowledgeable, probably more so than some with graduate degrees. But if you want to be called 'Doctor' then earn it. A few famous fake Ph.D.s:
1. Laura Callahan: this is the most egregious. She held an IT management position with the Department of Homeland Security. And it turns out her Bachelors, Masters, and Ph.D. were all fake!http://reason.com/archives/2005/01/01/cut-rate-diplomas

2. Kent Hovind and Carl Baugh: Both well known 'creation scientists'. Both of whom have degrees from totally unaccredited degree mills. Both of whom claim the title 'doctor'.

The list goes on and on. People want recognition but are not willing to work for it. I will be the first to say that having a Ph.D. does not guarantee intelligence, or even expertise in a given field. And not having one certainly does not denote incompetence. But if you want one, do it right.

Fake authors

Being an author is not easy. You need to be prepared for many rejections. However some take the easy way out. They fake it. What do I mean? Well I am talking about 'self-publishing'. There are many companies out there that will print your book for a fee. Then it will get listed on Amazon.com. There are many problems with this process:
1. You will never even break even on your investment. A real publishing company only makes money if your book sells. So they work hard to market it. To get it in stores, to get pertinent people to review it, etc. Simply listing it on Amazon.com means a few of your close friends might buy it.

2. A real publishing company knows the industry. They know if your book is competitive. If they turn you down, there may be a good reason. It may be that there are too many similar books, or too small an audience for your book, or frankly that your book simply is not that good. If you are turned down, the right thing to do is to go back to your book and fix the problems.

Self publishing does NOT make one an author. Think of it this way, if I pay people to listen to my music, am I a real musician? If you pay people to hang out with you, are you really popular? Well if you pay someone to publish your book, you are not really an author.

In my opinion self publishing is like buying unaccredited degrees. It is trying to fake an accomplishment you have not actually achieved.

How to reclaim deleted files

2010-11-17T07:22:00.000-06:00

Having to restore deleted files is a common task. It may be that one is simply trying to get back the document that was mistakenly deleted. Or you may be involved in scanning a computer for evidence.

However there are many undelete utilities available. Some free, some not. Some are easier to use than others. Well I, and my Security+ class, reviewed and tested several tools. While we found many that worked well, one came out on top as being both very easy to use, and free.

Disk Digger http://diskdigger.org/purchase can be downloaded for free. There is a licensed version that is $14.95 for personal use and 49.95 for commercial use. Still very inexpensive.

It is a remarkably easy to use tool. Simply click a few buttons and you will be recovering previously deleted files. And once recovered you can view them and restore them very easily.

What is a Theory?

2010-11-13T08:52:00.003-06:00

Many words have a different meaning in specific situations than they do in normal, day to day conversation. For example the word bug usually refers to an insect, but in computer programming it refers to a flaw in a program. Even a simple and common word such as love means different things in different situations. For example you may love your favorite TV show, love your spouse, and love chocolate ice cream, but you probably don‘t mean the same thing in each case. The word love has a different meaning in different contexts. So when one is attempting to define a term it is important to consider the context one is using it in.

This is even more true when a word is being used in a specific technical or professional context. Various professions have very specific definitions for certain words. The legal community is a good example. Many words have very specific meanings within the law, meanings which might not exactly match their ordinary daily use.

It is also true that scientists have some very specific meanings for words they use. The term theory is such a word. This word has a very different meaning in a scientific context than it does in everyday language. In the day-to-day vernacular, a theory is often synonymous with a guess. For
example your favorite sports team is on a losing streak, you might have a 'theory' about why they are losing. And in this case, by theory you probably mean just a guess. You may or may not have a shred of data to support your theory. In fact it may be littler more than a gut feeling.
In science, however, a theory is not a guess or gut feeling, it is not even just an "educated guess". An educated and testable guess is called an hypothesis. The key part being that it is a testable guess. In fact a guess that is untestable has no place in science at all. When you have a testable, educated, guess, you then have an hypothesis. Once you have tested that hypothesis you have a fact. The fact may be that the test results confirm or reject your hypothesis. Usually you will repeat the test several times to make sure the results were not an error. But even an hypothesis is more than a wild guess or a hunch. It is an educated estimate that must be testable. If it is not testable it is not even an hypothesis.

For example, if you found a fossil in the ground you might hypothesize that it is a 1.5 million year old thigh bone of a Homo habilis. Now you must test that hypothesis. In fact you will need to perform several tests in order to confirm or reject your hypothesis. You will need to use dating techniques to determine how old it is, and then you will have to carefully examine the bone itself to see if it is consistent with Homo habilis anatomy. Assuming your tests confirm your hypothesis that this is a 1.5 million year old Homo habilis thigh bone, you now have a fact. It is a fact that this bone is 1.5 million years old, and it did not match modern humans or apes. Over time many scientists collect many facts. Eventually one has a body of facts that require some explanation. The explanation of those facts is called a theory. Or put another way ―A theory is an explanation of a set of related observations or events based upon proven hypotheses and verified multiple times by detached groups of researchers. In general, both a scientific theory and a scientific law are accepted to be true by the scientific community as a whole. Both are used to make predictions of events. Both are used to advance technology1
Now think about this definition for the word theory for just a moment. A theory is an explanation. That is the key part of this definition. After you have accumulated data, you must have some sort of explanation. A string of facts with no connection, no explanation is of little use. This is not only true in science, but in other fields as well. Think about how a detective works. Anyone can notice a string of facts. The detective's job is to put those facts together in a manner which is consistent with all the facts. This is very similar to what scientists do when trying to formulate a theory. Note that with both the scientist and the detective, the theory must match all the facts.
It is sometimes difficult for non-scientists to become accustomed to this use of the word theory.

People often make the mistake of simply consulting a standard dictionary for a definition. Yet even a basic dictionary usually has multiple definitions. For example the Merriam Webster online dictionary lists many alternative definitions for the word theory. Some of those definitions are synonymous with guess. However even this standard dictionary offers alternative definitions for the word theory. The ones applicable to sciences use of the word theory are:
―1 : the analysis of a set of facts in their relation to one another‖
―3 : the general or abstract principles of a body of fact, a science, or an art ‖
―5 : a plausible or scientifically acceptable general principle or body of principles offered to explain phenomena 2
As you can see these three definitions are not synonymous with guess or gut feeling. An even better explanation of this was given by the Scientific American Magazine:
―Many people learned in elementary school that a theory falls in the middle of a hierarchy of certainty--above a mere hypothesis but below a law. Scientists do not use the terms that way, however. According to the National Academy of Sciences (NAS), a scientific theory is "a well-substantiated explanation of some aspect of the natural world that can incorporate facts, laws, inferences, and tested hypotheses.‖ No amount of validation changes a theory into a law, which is a descriptive generalization about nature. So when scientists talk about the theory of evolution--or the atomic theory or the theory of relativity, for that matter--they are not expressing reservations about its truth3.‖

1. Scientific Laws, Hypothesis, and Theories, September 2003,
http://www.wilstar.net/theories.htm
2. Merriam Webster Dictionary, November 2003, http://www.m-w.com/cgi-bin/dictionary
3. Scientific American Online, July 2003, http://www.sciam.com/article.cfm?articleID=000D4FEC-7D5B-1D07-8E49809EC588EEDF

firesheep -what does it mean to you?

2010-10-30T08:05:00.002-05:00

How vulnerable are social networking sites?

We all know you can (and should) pay close attention to your privacy settings. However there is another issue. Something called ‘sidejacking’ Basically once you login, the web site stores a cookie letting it know that you have successfully logged in and have permission to use the site. If someone can get your cookie after you have logged in, then they can pretend to be you. But, you may say, this is not a problem as the cookie is on your machine and no one can get it without physically accessing your machine. This simply is not true. There is a tool called ‘firesheep’ that will actually sniff nearby wireless connections and snatch that login cookie for you, then you can access that social networking site as that user!

I am not sharing this to encourage you to hijack the facebook accounts of the person next to you at StarBucks, but rather to highlight the vulnerabilities not simply of social web sites, but also of cookies in general. Also the fact that network security is always changing. You have to keep up with the latest trends and changes.

Varying Key Encryption

2010-10-25T07:41:00.000-05:00

Microsoft Microsoft Point-to-Point Encryption (http://en.wikipedia.org/wiki/Microsoft_Point-to-Point_Encryption) from time to time varies the key it is using to encrypt transmissions. It works with 3 key sizes, all using the same cryptography algorithm.

What I am suggesting in this article, is a series of keys (n keys) each using a different algorithm. So each packet being sent was done with a different algorithm and different key. The collection of keys being used would be a 'super key'.

When any message is sent over a network, it is broken down into a number of packets. Any packet might be intercepted and might be read. Even an encrypted packet is of no use if the packet encryption is broken for one packet, all packets can be read. Each packet is encrypted with a separate key, and a seperate algorithm. So if ones message constitutes 12 packets, then 12 keys would be used, one for each packet. Even if one packet is intercepted and its encryption is cracked, this would not allow the intervening party to be able to read the other packets. The actual encryption method used to encrypt each packet, could be any secure symmetric key such as 3DES, AES, or Blowfish. And it would even be possible to use assymetric algorithms with htis.

Organizing the packets on the receiving end and determining which key should be used with which packet can be problematic. In one version of this technique you simply use the packet number to indicate what key is needed to decrypt that packet. In other words, in advance the two parties have a set of keys. Both parties have the keys stored in the same order.

In another version of the technique you have a separate key called the key management key. This key maps packet numbers to the cryptography key used for that packet number.

This requires both ends of the communication channel to retain a key vault that stores the necessary keys for sending messages. This can be of any size. If the vault contains fewer keys than there are packets being sent, then the keys begin to repeat. For example if the key vault contains only 10 keys, then every 10th packet would have the same key. Obviously the larger the key vault, the more secure the system. They key vault itself could be incorporated into software or the operating system, or stored on an external, removable device such as a USB drive.

Just food for thought on yet another way to make communications more secure.

Doubt is the key to knowledge

2010-10-14T08:18:00.001-05:00

I have discovered, in casual conversations with people, that most people do not understand how science works. It may surprise many readers to learn that doubt and dispute are keys to science. Let me explain with a hypothetical story.

Lets say you are a physicist. And you have discovered a new sub atomic particle. You would first write an article, in excruciating detail, explaining the exact steps you took to make this discovery. You would detail every measurement, every calculation. Then you would submit it to a scientific journal. The editor would take your article (sans your name) and send it a few (often 3) physicists to review. Each would not know you, nor each other. Each of the three would simply be asked to verify that your paper is valid. If a majority claim it is valid, then the editor may choose to publish it.

So before a finding is even published, it is reviewed by peers in your field. Then the next step is the post publication review by readers. The scientists reading your journal would be able to respond. Some might even try to duplicate your expiriment. They would then report that they either verified or failed to verify your discovery. If it is not possible to verify your discovery, then your discovery will be rejected by the scientific community.

People will doubt your discovery, they will challenge it. There will be vigorous debate over the issue. But ultimately truth will win out. Obviously science is done by humans and we humans make mistakes. But science is the only human endeavor that I am aware of that has a built in mechanism for correcting mistakes.

Changes to this blog...

2010-10-03T12:50:00.001-05:00

So far this blog has been exclusively about computer science. And that will remain its primary focus. However in coming months you can expect to see some posts on other areas of science including biology, chemistry, physics, and astronomy.

Is Training worth it?

2010-10-01T18:23:00.001-05:00

After our discussion of certifications and for profit colleges, it is probably a good idea to discuss training companies. Again I have some first-hand experience, with three different companies. They companies themselves will be unnamed. However all three had the same issues:
1. They charged exorbitant amounts for training. For example 1 week/40 hour training went for about 3K/student.
2. However the instructor gets paid anywhere from 40 to 80/ hour. So a 10 student class generates 30,000 dollars in a single week, the instructor gets anywhere from 1600 to 3200.
3. Most community colleges offer similar classes for as little as 1/10th to 1/8th the price
But the biggest problem I found is that in most cases the training company is really not interested in getting the best instructor. They are simply interested in getting a competent instructor. For example lets say a company wants someone to teach Windows 7. They pay the same whether the person just has certification in Windows 7 and is a Microsoft Trainer, or if the person has published a ½ dozen books on Windows, worked for Microsoft, and is a Microsoft MVP. Obviously if quality was an issue, this would not be the case.

So my advice is that before your company shells out thousands for training
1. Check with your local community college
2. Go online and advertise for a trainer. You can probably get a well qualified person to come to your site, cheaper than you can get a training company.

Private School?

2010-09-26T11:38:00.001-05:00

Following the last two blog entries on IT certifications, this entry is about formal education. Traditionally one would either attend a four year university or a community college. The term ‘private college’ implied a more expensive school with higher standards, such as Harvard, Southern Methodist University, Baylor, Yale, etc. However things have changed. Now ‘private college’ could mean ITT, Westwood, Remington, DeVry, Phoenix, etc. Are such schools a good option?

Lets start by discussing accreditation. In the United States the ONLY accreditation that matters is regional. If your college is not accredited by one of the regional accrediting bodies, your credits will not transfer and many employers will not recognize your degree. That means one of the following:
New England Association of Schools and Colleges (NEASC)
North Central Association Commission on Accreditation and School Improvement(NCA)
Middle States Association of Schools and Colleges (MSA)
Southern Association of Schools and Colleges (SACS)
Western Association of Schools and Colleges (WASC)
Northwest Association of Schools and Colleges (NWCCU)

Anything else, any claims of ‘national accreditation’ are essentially worthless. If you are looking for degrees in specific areas, they may need additional accreditation along with the regional. For example engineering programs need to be ABET accredited to be recognized.

So lets begin with the private schools that are regionally accredited. This includes Phoenix, DeVry, Capella, and several others. That means their credits will likely transfer to most schools, including state schools. In other words you could get a B.S. at DeVry then go get a Masters from your local state school. So whatever one’s opinion of these schools, they are real universities granting real degrees.

This takes us to the ITT, Westwood, Remington and similar schools. None of them are regionally accredited. Their degrees are not recognized by many employers and their credits will not transfer in most cases. In essence they are not ‘real degrees’. I also am ashamed to admit that many years ago, I taught at one of these schools for a brief time. I won’t name the school, but suffice it to say I am ashamed I ever taught there. There was extreme pressure on instructors to pass students, even low performers. The curriculum was watered down so that it was actually equivalent to a high school program, not a college program. Furthermore the faculty and staff I met were not qualified. Most could not teach at a real college. They had a department chair who had a bachelors degree and no experience. The ‘dean’ had a masters degree and his only experience had been teaching at a public school for a few years before being forced out. Neither of these would even get adjunct teaching jobs at a small community college. To make it worse, their associates degree at that time (remember it won’t actually transfer anywhere) was $33,000. The nearby community college (that would transfer) offered an associates for about $6,000 total cost. I cannot say strongly enough that no one should attend such institutions.

But ultimately one has to do some investigating before any educational program. What is your goal? What does the job market demand? Will you regret trying to take a short cut?

Certifications Continued

2010-09-15T19:26:00.003-05:00

In my last article I discussed the value of IT certifications. Now I will address which certifications are most important depending on what you wish to do.

Let’s begin with an entry level certifications, the CompTIA A+ technician certification. It was just revised in 2009 and includes two separate 100 question tests one must pass. It covers PC hardware, troubleshooting, basic networking, Windows, printers, and monitors. For years the A+ certification has been the benchmark for tech support and PC repair jobs. It is an excellent certification for someone in the tech support/network support field.

There are other CompTIA certifications that one may consider. The CompTIA network+ test is a general test covering all the fundamentals of computer networks. Often tech support personnel take this, or similar certifications, as they attempt to move into network administration. Along with this is the Security+ Certification. This has been called by some, the CISSP lite (more on CISSP it a bit). It is a general network security certification test that is relatively rigorous. It is getting more recognition in the industry and is a good place to start in the network security field. Some of the other CompTIA certifications such as Convergence+ and Linux+ simply have not gained wide recognition in the industry. They are valid tests, but simply are not in demand.

What about Microsoft Certifications? In general if you intend to work with a specific vendors products, getting certified by that vendor is a good move. Microsoft has recently revamped their certification process. Any one test in any product will make one a Microsoft Certified Technology Specialist (MCTS) in that product. Depending on the product an additional 1 to 2 tests can make one a Microsoft Certified IT Professional (MCITP) with that product. Then beyond that, one can pursue the Microsoft Master certifications which all require hands on tests as well as written tests. I think the new process is much more efficient. If you just need to demonstrate basic competence, the MCTS is for you. If you are specializing in a product the MCITP is a good choice. The master certifications are much more rigorous than anything Microsoft has done previously.

Cisco Certifications? Well if you wish to work with routers, getting at least CCNA is an excellent idea. There are a number of jobs that simply will not interview you without CCNA. And Cisco has done an excellent job of making their certifications challenging, and including hands on elements.

CISSP, is it worth it? The Certified Information Security Specialist is the oldest of the security certifications. They also require experience (4 to 5 years) before taking the test, as well as continuing education requirements to keep the certification. The problem is, frankly the test covers procedures, policies, and concepts. It is not a test of hands on security skills. However this certification has become so in demand by employers it is unlikely you will go far in network security without it. In essence my opinion is that the test, well reasonably good, is drastically over rated. But it is in such demand that your career would definitely benefit from it.

Should I get the CEH? The Certified Ethical Hacker is an interesting test. It actually tests you on your hacking skills. Presumably you will use your skills for penetration testing, not to commit crimes. It should also be noted that the CEH requires 2 years experience before you can take the test, and requires continuing education to keep the certification. I feel this is one of the top security certifications. It is also getting a lot of publicity this last year.

Are you certifiable?

2010-09-14T19:00:00.002-05:00

No, this is not meant to disparage your mental health. But rather as a segue into a discussion about the value if Information Technology Certifications. Some people in the industry swear by them, others deride them as worthless. However I think both extremes stem from a fundamental misunderstanding of what a certification is.

A certification simply means that the person with that certification has demonstrated a certain level of competence in a given area. It does not mean they are experts or masters. For example a person who is certified in Windows 2008 Active Directory would have shown that he or she has a certain level of competence in Windows Server 2008 Active Directory.

The problem arises from people who manage to pass a certification without actually having the requisite competence. This can be due to the person using questionable study aids (brain dumps) and simply memorizing key questions, or the person is simply very good at taking tests. There is no question that there are some incompetent people who manage to get IT certifications. But is that not true of any professional standard? Are there not incompetent medical doctors? Certainly, but I bet that when you get sick you call an M.D. trusting that most are quite competent. In general IT certifications are the same way. It is most likely that the person with A+ certification is competent at PC repair and support.

In short my view is that certifications are a positive factor in IT. And I think they do usually denote competence. But, as with any profession, some less competent individuals to slip through.

In my next article I will discuss which certifications are most important…

Encryption everywhere, but nary a cipher to use!

2010-09-07T08:02:00.003-05:00

Excuse the play on the old ‘water water everywhere, but nary a drop to drink’, but it seems appropriate. We are surrounded by easy to use, and sometimes free encryption tools that people are not using. In an earlier blog posting I talked about using bitlocker and syskey, both free Microsoft tools for securing your system. Beyond that most people should also be encrypting their wireless router/hub. However this is not the end of the free encryption.

SQL Server 2008 gives one the option of encrypting the database! There is a small performance hit, but it makes your database so much more secure http://msdn.microsoft.com/en-us/library/cc278098(SQL.100).aspx.

You can get PGP modules to encrypt your email http://www.pgp.com/products/desktop_email/

Microsoft Server (2003 or 2008) can be setup as a VPN server and any client that connects to it can utilize a VPN connection (complete instructions are on the teaching section of my website, at the bottom).

So we can use our existing tools to encrypt the password file (syskey), encrypt our entire hard drive (bitlocker), encrypt our database (SQL Server 2008), encrypt our email (pgp) and use VPN’s for connectivity (Server 2003/2008)…yet it is still common to find all of these items completely unencrypted. And not just on home computers. It is very common to find sensitive databases that are not encrypted and the hard drive is not encrypted….. My recommendation is that if you are using SQL Server, implement encryption.

Open Source is not a Panacea

2010-08-25T05:20:00.002-05:00

I have in past posts tried to ensure all readers are aware of open source alternatives. Items like Open Office, GIMP, and Linux can be excellent solutions for some problems. I even have released an open source electronic medical records product myself. However I think it is time for a note of caution. At least once a month I see a Craigslist ad from some small company begging for help with their Asterisk voice mail server. For those not familiar, Asterisk is an open source, Linux based voice mail server solution. In these cases some small business made a budgetary decision to go with the free/open source solution for their voicemail…then realized they have no IT infrastructure and cannot support it! Companies like that will usually go through a number of free lancers that will assist with various issues, and eventually either resign themselves to using a poorly configured product, or drop it and go to a commercial product.

So when is open source the right solution? Well it can be a perfect solution if you are in any of several situations. The first being that you have some one (or more than one) on your staff who has at least moderate skill with the open source product. Going to Asterisk (for example) when you have someone on your staff who knows Asterisk is an excellent idea. But if you are going to have to outsource 100% of your configuration, support, and administration tasks, it might not be the right solution. Open source can also be a good choice for situations where support is not critical. If you need a basic word processor, and you don’t necessarily need every bell and whistle in the latest version of MS Word, then Open Office is an excellent choice.

The point is I see two camps. I see people who are slavishly devoted to some particular vendor such as Microsoft or Apple. They seem to think anything other than their vendors product is inferior. On the other end of the spectrum I see the open source zealots who seem to resent any vendor that is not open source, and feel open source is the only solution to any IT problem. A more reasonable view is to look at each situation and determine if an open source, or a commercial solution is the better route to go.

There is an app for that....

2010-08-14T11:24:00.001-05:00

I have finally delved into the world of iPod/iPhone/iPad apps and resources. And I must confess I was amazed at the wealth of information available for free. On my iPod touch I now have access (for free) to NASA sattalite information, the New England Journal of Medicine, Physics World, vocubulary builders, cellular biology 3D demos, and more. Now waiting in an office can be a chance to catch up on the latest science, what is happening in the world, or to expand my educational horizons. Furthermore there is iTunesU, which consists of University lectures on audio, video, and sometimes with PowerPoints...most of which are free or at a minimal cost (less than $5). Now I can sit in a sauna and listen to a lecture on Virology from Columbia, or Ancient History from Yale, or perhaps Dark Matter from MIT. Most of it is free, or less than the cost of a coffee at Starbucks.

But alas, I have been amazed. When I enthusiastically share my new found resources with others who have an iPod/iPhone/iPad, I find that rarely have the availed themselves of these resources. At best most people use these technological wonders for fantasy football and amusing games. At worst, to share pornography. I must confess to being truly baffled. One can carry all of human knowledge in their hand....yet we use it for totally inane purposes.

My point is simple: Modern technology gives almost everyone access, to virtually any knowledge you may wish to acquire. I am not advocating you give up your passtimes, but what would happen if you spend 1 hour a week listening to a lecture on any topic that interests you? Or perhaps 30 minutes a week reading the latest scientific news? How much would you know 1 year from now?

Once again, I wish to impress upon readers that ignorance is a curable disease...and technology has the cure, but only if we will use it.

Safeguard your passwords

2010-08-12T22:26:00.000-05:00

For those readers familiar with basic hacking techniques, tools like OphCrack are nothing new. For the rest of you, allow me to explain how such tools work and how to subvert them.

Windows stores passwords in a hash. A hash is a one way function that generates a fixed length output from variable length input. In other words you enter your password, and regardless of length, a specific length output will be produced. And that output cannot be reversed. What Windows does when you login is to hash whatever password you type in, and compare that to what is in the pass word file (called a SAM file, and stored in the Windows System32 directory).

Well some time ago an enterprising fellow came up with the idea of rainbow tables. What rainbow tables are is actually relatively simple. You take a given hash algorithm (such as SHA 1 or MD5) and hash ever possible combination of 4 characters. Then every possible combination of 5 characters, six characters, etc. And you store those in tables. Then if you can get the SAM file from a Windows system, you simply take whatever hashed passwords are in that SAM file and do a search through your Rainbow table for a match. Once a match is found, you now know the password. Ophcrack is a tool that comes on a CD. You boot the target PC to the CD, it boots up to Linux, rather than Windows. Then grabs the SAM file and runs it through a series of rainbow tables. And it usually is fairly effective.

But there is a way to avoid this. First Microsoft makes a simple tool called SYSKEY. SYSKEY is a free tool that Microsoft provides that will encrypt the entire SAM file, making rainbow tables much less useful. http://support.microsoft.com/kb/310105

Another option you have is the new BitLocker drive encryption, available for free in Windows 7. It encryptes your entire drive. http://windows.microsoft.com/en-us/windows7/products/features/bitlocker

I hope these two tips help you make your systems far more secure.

Yes, in fact there is a free lunch...

2010-08-02T07:02:00.000-05:00

The web is replete with incredible utilities that can make your computer usage much easier. Downloadable tools and websites abound. However many of these can be vehicles for spyware, adware, or viruses. So it can be difficult for the average computer user (or even the seasoned computer pro) to find safe utilities on the web. Allow me to help with a few items I found useful:

The Everything Search Engine: This is a very fast search tool for your computer. It finds files in seconds. I highly recommend it http://www.voidtools.com/

The Microsoft Baseline Security Analyzer: This free tool will scan your system or network for vulnerabilities. It is very easy to use, even a novice should have no problem using it to identify security problems on their system, http://technet.microsoft.com/en-us/security/cc184924.aspx.

VM Lite: Need an easy to install, easy to use XP Virtual machine? Try VM Lite http://www.vmlite.com/

GIMP: Need a basic graphics program, but cannot afford Photoshop? Try GIMP, its free http://www.gimp.org/ .

HULU: Watch TV on the web...for free! http://www.hulu.com/

This is just the tip of the iceberg. There is much more free, for you on the web.

What's in that chip?

2010-07-24T04:00:00.002-05:00

This month’s Scientific American contained an article about hardware hacking. The main point of the article was that microchips are often developed by teams of engineers spread over multiple countries and it is not feasible for us to know exactly what a given chip contains. It would not be a particularly difficult matter for a party with interests adverse to the United States (or any nation) to introduce a flaw in a given chip that would subvert that chips normal function.

A few months, ago 60 minutes featured a story on hacking that included similar concerns about microchips. In one scenario a microchip might be pre programmed to fail on a given date, or to provide an outside party with access to control that chip. The difficulty arises due to the fact that such chips are ubiquitous. They are in game consoles, automobiles, airplanes, radar systems, missiles, etc.

What is the solution? While this may seem xenophobic to some readers, I would recommend that all chips that will be used in any critical systems (aircraft) or military systems be required to be manufactured in the United States by personal with security clearances. Companies can still use chips made abroad in devices like game consoles, TV remotes, calculators, etc. But items deemed critical should only utilize chips made within the United States. Furthermore we must re-examine the security at such manufacturing locations. Particularly the background checks of key engineers.

In a society increasingly dependent upon technologies, having key microchips manufactured overseas in conditions we cannot control, or even be fully cognizant of, is a serious threat to national security.

Wake up and smell the technology

2010-07-14T20:13:00.000-05:00

This past week has brought a flood of stories about Russian spy rings on the United States. Reporters breathlessly reported the amazing technology of Steganography….well amazing to those who don’t know tech. Steganography is a means for hiding text or images inside another image. There are permutations to hide data inside video and even radio transmissions. And this is not new technology, it has been around for a long time. In fact one can find free tools on the web that will assist you in using steganography. Just do a web search for ‘steganography software’.
So why did reporters treat this technology like it was some amazing discovery? Because for most people it is. I routinely find myself speaking to groups of IT professionals, including network admins, who don’t know about relevant technology and techniques (such as steganography, alternate data streams, and rainbow tables). It is amazing that as our society becomes ever more emeshed in technology, so few people seem to know much about it…including our technology professionals.
There are many wonderful technologies available. Some for security (hey novice Windows user, go download the free Microsoft Baseline Security Analyser, it will tell you what is wrong with your system and how to fix it), some for hacking (go search Metasploit…you will think you have found the holy grail), and many others for diverse purposes. The tools can be found on the internet, and in many cases you can find a YouTube video explaining how to use it.

It is time to wake up and smell the technology….

Fuggedaboutit...

2010-06-24T10:15:00.000-05:00

Security experts have been tracking the involvement of organized crime groups in computer crime for some time. These groups are involved in identity theft, prostitution, trafficking in stolen goods, and other illegal activities. I want to share with you a few thoughts, based on chapter 6 of my book "Computer Crime, Investigation, and the Law".

One example where traditional crime now has an online element is prostitution. The challenge for the criminal is to actively seek out customers for the illegal service. The internet has made this task easier. Erotic ads on websites such as craigslist allow prostitutes and pimps to advertise prostitution to a wide range of potential customers. As early as 2006, Seattle prostitution stings were showing as many as 3/4ths of the customers arrested had responded to erotic ads on Craigslist.

Online trafficking in stolen goods is also a growing concern. When one steals an item, the next step is to convert that item into cash. Traditionally thieves had to attempt to sell the item in their own general region. Often the movement of the stolen goods, helps lead to the capture of the thieves. This is particularly true in cases of organizes theft rings. These groups need to repeatedly move stolen goods, thus making it possible to catch them in the act. However online trafficking allows an individual or group in one location to sell their stolen goods across a diverse market space, making it difficult to track the merchandise back to the thief. EBay has been a frequent place for thieves to sell stolen good5. Online sales venues allow a thief, particularly one who is part of an organized effort to steal and sell of items, to access diverse markets.

Identity theft has become a popular money maker for many criminal organizations. It is a lucrative scheme with minimal risk.

In recent years authorities have seen Italian Mafia families, Russian Mafia, and other organized criminal groups augmenting their criminal enterprises with cyber components. The fact is that computer crime is no longer the exclusive perview of frustrated but intelligent young people. It is now the domain of serious, violent, career criminals.

I hate to say I told you so...but

2010-06-13T19:56:00.002-05:00

In 2005 I wrote two computer security books. In each I outlined potential cyber warfare and cyber terrorist scenarios. Most reviews found the books to be satisfactory. However one particular review (from a Mr. Robert M. Slade) went to great pains to give the "Computer Security Fundamentals" book a scathing review. Among his other negative comments he disagreed strongly with my view of potential cyber terrorism, stating 'Cyber terrorism and information warfare gets the usual
lurid (and inaccurate) treatment in chapter ten'. Well five years later tonight’s 60 minutes episode focused on cyber terrorism and information warfare. And it seems that all the 'lurid and inaccurate' predictions I made in 2005 have indeed come true.

It seems to be that anyone with even a cursory understanding of networks and network security could have foreseen the same things I did. And in fact many others did. I was not the only author predicting such nefarious attacks. Unfortunately there are always those who like to pretend the dangers are not real. I only hope that more people will come to realize the serious dangers we face from cyber terrorism, before some truly horrendous attack occurs

Ignorance is a curable disease.

2010-06-13T11:06:00.002-05:00

This week in South Carolina Alan Greene upset the incumbent to win the Democratic nomination for the United States Senate. That would not be news in and of itself, except that Mr. Greene never campaigned. He had no website, no bumper stickers, no pins, no signs, no ads, did not do any speeches, etc. Now political pundits are focusing on the possibility that Mr. Greene is a plant from the Republicans to help them win the general election. I will leave that subject to political pundits. I am far more concerned about what this says about 'we the people'. Think about it: enough people voted for this man that he won the primary...yet the voters had no idea who he is or what his platform is.

This is astounding in our information age. Anyone can Google anything. Many people have smart phones with them that would allow them to instantly research any topic they wish. Information on anything from politicians to particle physics is just a few clicks away....yet so many of us remain painfully ignorant of crucial information. In 2010 to vote in any election were you do not have a clear understanding of all candidates and the major issues is inexcusable.

But why, in this age of ubiquitous access to instant information, is ignorance still a problem? The answer seems to be ....us. Most of us do not use the internet primarily as a learning tool. We use it to play games on Face Book, tweet about our latest shopping trip, or watch people make fools of themselves on YouTube. This is appalling. Right now, at your keyboard, you have access to the combined total knowledge of the entire human race. It is right there in front of you. Do you want to learn to speak Swahili? It is free, right here http://learnswahili.net/. Are you baffled by science stories on string theory and would like a laymen's guide? Here is a free YouTube talk by renowned physicist Brian Greene http://www.youtube.com/watch?v=YtdE662eY_M . Or perhaps Ancient Egypt is of more interest to you? http://www.mnsu.edu/emuseum/prehistory/egypt/history/history.html will give it to you in quick simple terms.

There is NO subject you cannot learn about on the internet. Rather than waste a few hours aimlessly surfing nonsense, you could learn so much. But as long as we the people don't seek knowledge, no amount of technology will correct the problem. I urge all readers of this blog to pick just one topic each week and spend just one hour reading about it online. How much more will you know next year than you do now? Remember ignorance is a curable disease....

Should you hide your face?

2010-05-23T20:46:00.003-05:00

Various bloggers have been denouncing Facebook and MySpace over privacy concerns. Some even suggesting you delete your accounts on social networking sites. I have to wonder how much these people know about social networking sites? One can not only choose want to display, be even what to enter. For example nowhere in my Facebook page (even for friends) is my phone number or address displayed. After all if you are really my friend don’t you already have that information? In addition to that, my birthday, but not year is listed. These are just two examples of how you can protect your privacy on Facebook.

Another issue, of course, is the content you post. You should never post anything you don’t want the whole world to know, even if you restrict it to just friends. Facebook is not the appropriate forum for embarrassing but funny pics, or admitting to significant personal foibles.

If you just obey these few simple rules, Facebook is safe. And it is well worth the trouble. I have personally used Facebook to connect with people I have not seen in many years. So my advice is don’t hide your face…just be selective in what you show.

You know of course...this means WAR!

2010-05-10T13:20:00.001-05:00

A recent article Is there a cyber war brought up an intriguing question. Is there an ongoing cyber war? Clearly there are coordinated attacks against government websites and system. Just as clearly, at least some of those originate in countries who have negative relationships with the target countries. But does this mean we are in a 'cyber war'? I think not. I think not. At this point a full scale cyber war has never occurred.

So what are we seeing? We are seeing the emergence of a global cyber war. Countries, ideologically based organizations, and interested civilians can engage in cyber attacks, cyber espionage, and minor skirmishes. And this is what is happening now. Undoubtedly some of this is orchestrated by governments, much like the proxy gorilla conflicts of the cold war. My prediction is that this situation will continue to escalate. More and more groups will elect to use cyberspace to attack their enemies, and cyberspace will become ever more dangerous.

A book by any other name, is just as sweet

2010-05-05T16:39:00.001-05:00

Well Google is joining others in the eBook world. You can read books on Kindle or iPad, or simply on your PC. I must confess to having a certain affinity for holding a tome in my hands. The smell of books is as sweet to me as that of fresh flowers. However I do believe e-books are the wave of the future. The cost of publishing is enormous. Electronic publishing cuts those costs drastically. Schools, for example, could save an enormous amount of money by using e-textbooks.

And some people, like me, like to work on a few books at the same time. Having them all on an electronic device where I can switch back and forth at my whim is very convenient. So like it or not, I believe that traditional printed books will, someday, become a curiosity. However I believe that day is still many decades away. E-books will slowly take a greater portion of the publishing market over coming decades. I doubt they will supplant books entirely in my lifetime, but perhaps in my grandchildren’s lifetime

Is your head in the clouds?

2010-05-02T11:17:00.000-05:00

The latest IT buzzword is 'cloud computing'. One can hardly pick up a computer related magazine without seeing something about cloud computing. And pleny of CIO's are terribly excited that this will improve performance and reduce costs. Allow me to add a note of sober reality to the frenzy of excitement. Lets first look at a bit of IT history.
In the early 80's n-tier applications were the rage...while they were a great solution for some problems, they did not solve every problem. Then in the late 90's into the early 21st century all one heard was 'web based applications'. Everything on the web....while in some cases this was an excellent solution, in others it yielded sub par performance and security issues.
Now the prophets of IT are telling us cloud computing is the panacea for all corporate technology ills. Cloud computing, in simple terms, is having your data (and perhaps even your applications) on a hosted system that is accessed via the internet. The claim is that this reduces your need for local IT infrastructure and the hosting company has a dedicated staff so your data/apps are secure and stable. But what about internet connectivity issues? What about the financial stability of the hosting company? And if you think your corporate network has been a target for hackers, imagine a hosting company that has data and apps for dozens or even hundreds of companies...I can see black hat hackers everywhere simply salivating over such an opportunity.

Even if one assumes the hosting company is totally financially stable, much more secure than you could make your own network, and you have an excellent internet connection...what happens if the hosting company raises their rates? Does not wish to support something you want to implement?

My take on cloud computing is that it may be a perfect solution for some problems. If you have a small company that simply cannot afford to support extensive infrastructure, you may be best served by cloud computing. But it has its share of issues. You are essentially outsourcing your entire information infrastructure to a third party, your business is now completely dependent upon that company. This may simply be too big a risk for some companies.

You can't give it away!

2010-04-29T04:14:00.000-05:00

Hopefully most readers of this blog are familiar with open source software. If you are not let me give you a very brief introduction. Open source products are literally given away for free. There are some licensing nuances, but for the end user it basically means free software.

What can you get for free? Well lets start with something you can all use, Open Office (www.openoffice.org). It has a word processor, presentation software, spread sheet, and more. It is also compatible with Microsoft Office. You can make a presentation in PowerPoint and open it with Open Office, and visa versa. It is available for Windows or Linux. So why do so few people use it? Various surverys place between 9% and 15% of Windows users, using Open Office. For many people it is simply ignorance of what is available. You may simply not know that you can get a robust, fully functional, and free office suite. Now there are some advanced features that Open Office does not have, that Microsoft Office does. Things like Office Communicator come to mind. But, in my opinion, the biggest reason is people just don't know about it. And there are so many other things you can get that are open office:
Need a basic graphics tool? Try GIMP (http://www.gimp.org/), not as powerful as PhotoShop, but easy to use, and does what most average users need. Looking for Intrusion Detection for your network? Snort is very robust (www.snort.org). The list goes on. Free products. But since most average users are not well acquainted with open source, they literally have trouble giving away the software. Get educated, save yourself a LOT of money.

Now this brings us to the elephant in the room: Linux. It is an entirely free operating system. And modern versions are not realy any harder to use than Windows. You can download, for example, Ubuntu Linux for free. It has an easy to use GUI, much like Windows, and installs pretty easily. And will have Open Office on it! So why are more people not using Linux? Well in the case of an operating system, things are more complex than with an office product. There are two things holding back Linux. The first is hardware support. It is still common to find hardware that Linux simply won't support. The second is software. The average user wants to play games, run Turbo Tax or Quicken, etc. Many of the products they want are not available for Linux.

So for now Linux may not be ready for many home users...but many other open source products are. So save yourself some money, get comfortable with open source.

Mcafee attacks Windows?

2010-04-22T09:58:00.000-05:00

By now most of you have read the story about McAfee anti virus treating a Windows System file as a virus. What makes this worse is it only affected corporate clients. How much damage did this do? According to a spokesman for the hospital this computer problem forced about a third of the hospitals in Rhode Island to postpone elective surgeries and stop treating patients without traumas in emergency room.

It is hard to over emphasize just how significant this is. A major anti virus vendor, effectively shutdown corporate customers, including hospitals, with an update. You can read about this story anywhere, but there are two questions few news reports will address: why did this happen and how do you prevent it from happening to you?

This happened due to a problem I have long lamented, the rush to push out products. Most software vendors push products into market that simply are not ready. They do not adequately test. This is not limited to McAfee. Conventional wisdom in IT has long stated you never get a product until service pack 1 is released. In this case McAfee clearly did not adequately test before release. Until this issue is addressed, industry wide, we will continue to see problems like this.

However you can prevent it by doing one small thing. In any corporate network disable automatic updates for everything (Windows, anti virus, etc.). Instead setup one machine that you apply updates to. Once you are satisfied the update is working, then apply it across your network. This simple process would have saved thousands of computers from becoming inoperable due to this McAfee issue. Network admins cannot blithely assume that all patches are harmless. The admin must do due diligence.

A look at the iPad

2010-04-14T08:15:00.000-05:00

I am an operating system agnostic...I have a Windows 7 machine, a Mac notbook, and a Linux machine. I have no bias. So when the iPad came out I was not looking to bash it our sing its praises. But I have to say my first look is very favorable.

The screen is crisp and clear, and seems less susceptible to glare than my notebook computers. The touch interface works wonderfully. There are also many apps available for it as well as e-books. It also seems that one can write apps for it just like the iPhone. Furthermore, project Mono is intent on bringing C# programming to the iPad, and that will open up even more serious business applications.

My only complaint is the price. I think this would be awesome at $199, maybe even $299 but with a starting price of $499 (the high end model at $699) it is about the same price as a notebook computer but with less functionality. So my recomendation is to wait. If they drop the price down, then get one!

Lions, and Tigers, and Spy's...OH MY

2010-04-06T07:53:00.000-05:00

It seems researcher's have tracked a cyber espionage ring to China. I have to ask: is anyone surprised? In my 2005/2006 I wrote two security books and in both I warned of the growing danger from cyber espionage and cyber terrorism. One reviewer wrote 'Cyber terrorism and information warfare gets the usual
lurid (and inaccurate) treatment in chapter ten'. Many people have long thought that fears of internet based spying, or even terrorist attacks, were the stuff of fiction novels.

Each year we have more incidents of cyber spying, and even ideologically based hacking attacks. Now we have confirmation of a government involved in hacking into other countries networks. It is clear that the threat is real. And my prediction is that it will grow worse. With regards to cyber spying, the expansion of this technique is obvious. They purpose of spying is to gather information. Information is often on computers. Rather than use high risk, James Bond style missions, why not just break into the computer systems? I would suspect that most government engage in cyber espionage to one degree or another.

However I still stand by my prediction that we will also eventually see a major cyber terrorist attack. As our society becomes ever more dependent on computer systems, those systems become an increasingly attractive target. If someone really wants to hurt the United States, attacking our financial systems, power grid systems, etc. makes perfect sense. There have already been isolated incidents that some experts attributed to terrorism. It seems only a matter of time before there is a major cyber terrorist attack.

THE WHITE HAT HACKERS

2010-03-16T08:36:00.002-05:00

In the public mind, the term hacker tends to conjure up visions of someone late at night prowling the internet seeking a vulnerable computer network. Then pouncing on that vulnerable system like a cheetah pouncing on an antelope. And that sometimes is the case. However it is becoming more common for the good guys to learn hacking techniques in order to counter the computer criminals online.

The EC council has long sponsored the Certified Ethical Hacker certification. That certification is now required by the DoD for people working in cyber defense. And I just finished teaching a course in hacking techniques. Everyone in the class was an IT professional or law enforcement.

To put it simply, it is well past time that the good guys learned the techniques the bad guys are using. Until the defenders of networks have a similar skillset to the attacker, then the bad guys will always win. So if you are a network administrator, IT manager, or involved in computer crime investigation, I urge you to at least read a few books on hacking techniques. Take a course on it if possible.

Can you really learn online?

2010-01-14T19:28:00.003-06:00

There was a time when distance education meant degree mill. However that has changed. Texas A&M, University of Texas, University of Boston, in fact most traditional universities offer some degrees completely online. And there are also fully accredited Universities that are exclusively online. So it is clear that online education is now acceptable, but does it work?

In my opinion our approach to online education is completely backwards. There are more online bachelors degree programs than I can count, quite a few masters programs, but only a handful of legitmate fully accredited online doctoral degrees. This is completely backwards. The bachelors degree student is new to that field of study, they need the direct contact with an instructor and the interaction with peers. The further one goes in ones study the more one should be able to work independently. Not to mention the most significant part of the doctoral degree is the dissertation. In my opinion online bachelors degrees should be few and far between, but online doctoral degrees should be quite common. It is also the case that many doctoral students have worked in their chosen fields for years and have now returned to school to complete a doctorate (that is the case with me). That makes it even more likely that they have the requisite background to work with less direction and guidence. However the fact is there are few legitimate, accredited doctoral programs. I would hope that would change in time.

I would also stress that in order to succeed in an a legitimate online program, you need to be a self motivated and disciplined person. You have to be able to learn independently and keep on schedule. If you cannot, then an online education will be a failure for you. But for the busy adult trying to balance a hectic schedule, or the military person trying to accomodate an education along with deployments, online education might be the only option.

Does technology connect us more?

2009-12-12T10:32:00.003-06:00

For those of you over 25 years old, you remember in your childhood a world without widespread internet access, cell phones, face book, etc. In those days there was no email (at least not that most people had access to and used). You did not connect with friends online, and if you where away from your home or office phone, you where unreachable. Times have certainly changed. You can check your email, update your facebook page, and take a call, all from a smart phone while backpacking in a remote area. It is beyond question that we are better able to connect and communicate. It is also without question that these things have improved our lives. I cannot count the times that my wife and I have talked on the phone to arrange some picayune detail of our lives, but one which was made so much more convenient by the cell phone. And I truly love email (much more than phone conversations!).

It is also true that social networking allows people to stay connected and stay in touch. My Facebook page has allowed me to stay connected with former students, former colleages, and readers. This blog allows me to share my thoughts with whomever might be interested.

However I fear there is a real danger that the tool becomes more important to us than the object of the tool. Put another way: if technology (cell phone, facebook, email, etc.) help you to connect to other people, then they are wonderful tools. If you use email to coordinate a get together with friends, cell phones to have quick chats, and facebook to update friends, then they are wonderful tools that enhance our lives. However I have recently noticed a disturbing trend. I see people in a room (with other people) but everyone in the room is immersed in a text message, laptop, or some similar technological substitute for social connection. I won't give particulars (so as not to embaress the people involved), but I am thinking of a situation at a social gathering where the individuals all knew each other. But rather than connect with each other, most of the people present where engrossed in their own technologies.

We must remember to use our technological tools to enhance our social lives, not replace them. Human beings need other human beings.

Integrating technology

2009-11-27T14:54:00.002-06:00

That is the buzzword, and has been for some time. Everyone wants to have a single device that handles all communication and technology needs. A phone that allows them to surf the internet and watch TV, or a TV that allows one to surf the internet. I must confess, my natural inclination is always to embrace new technologies. However I have found some of these integrations less than satisfying.

For example most phones have too small a keyboard for effective internet usage. And I personally have no desire to watch my favorte TV show on such a tiny screen. It seems to me that some technologies are so varied in their intended usage that integrating them is difficult. I do find that integrating home computer networks with voice and video is very practical and useful. But I also think that there is a limit to what can effectively be put into a phone.

In the end I would encourage vendors to consider the practicality of any new integration prior to producing products.

Cyber Terrorism and Warfare

2009-11-01T09:08:00.002-06:00

An interesting news story this week discusses the United States government getting more active in cyber warfare defense. This is news I was happy to see. As I document in some of my books (including the new one coming out in 2010), cyber espionage and cyber warfare have been with us for over a decade. And cyber terrorism is following close behind. For too long our response has been fragmented and ad hoc. Each incident is treated like a standard security breach. It is past time for us to have an active cyber intel, counter intel, and warfare effort in this country. Most in the security community realize that China has been involved in such efforts for many years. And more recently attacks have been traced to North Korea.

Some will say we have had CERT for a long time, and that is true. But Cert is really just an information clearing house, albeit an outstanding one. It is not a group actively pursuing cyber intel, or countering cyber warfare. And while this may be controversial to some, I believe we also need to be planning and practicing how to conduct cyber attacks should the need arise in a conflict. Disruption of communications can be a powerful weapon, even with a low tech target such as a terrorist group.

So I for one am quite pleased to see the U.S. becoming more pro-active in this arena, and hope we see more of this.

CRIMINAL GENIUS?

2009-10-22T04:33:00.003-05:00

This morning brought another story of experts warning of an increase in cybercrime. While I certainly agree with that assessment, I disagree with the purported reasons for the increase in cybercrime. The article (and others) talk of increasingly sophisticated attacks. Frankly I have envisioned (and discussed with students in my classes) more sophisticated and heinous attacks than any I have seen occur in the real world. So I do not see any trend towards more skillful cyber criminals. As to more sophisticated attacks, the trends seem to indicate a simple evolutionary progression of attacks rather than some dramatic increase in sophistication.
So why will cyber crimes continue to increase? My experience tells me there are two reaons: The IT profession and Law Enforcement. Before you cry foul (particularly members of either profession), hear me out.
The IT profession still remains woefully under trained in security. Anytime I get a chance to talk to any group of IT professionals, even an informal gathering, I like to ask them how many feel they know security well enough. Invariably I get almost all answering in the affirmative. But then if I ask even 2 or 3 rather simple security questions, I find immediately that most in the room cannot answer them. Most IT people THINK they know security, and most are wrong. This can also be seen at any college or tech school. Security classes frequently have so little enrollment they don't always even make...whereas classes in the latest web development tool will fill up immediately. IT professionals MUST learn security. That includes network admins, tech support, web developers, and programmers. Hardly a month goes by without my encountering some IT professional, some company that is completely disregarding basic security, usually out of ignorance.
Even some of our IT Security certifications are of almost no practical value. For example most people are very familiar with the CISSP. This is often called the 'gold standard' in IT security certifications. But there is one problem; it does not test any practical hands on security knowledge. That may sound surprising to some readers. But it actually just tests knowledge of policies and standards. On the other hand the Certified Ethical Hacker test, which tests actual hacking skills, is far less well known and pursued. Yet the CEH is a treasure trove of hands on practical skils.
Next to law enforcement. The problem here is also lack of training. What most local law enforcement agencies do is to select an officer who has previously handled traditional crime (burglary, drugs, etc.) send them to a brief federal computer crime training course, and voila! They are now computer crime experts. This is frankly inadequate, and backwards. What law enforcement agencies need to do is to seek out skilled computer professionals (network admins, tech support, etc.) who already have a solid basis in IT and who have some interest in law enforcement, and train them to become detectives handling computer crimes. To put it another way, when you match a detective whose first taste of computer networking was two years ago at a brief federal class, against a criminal who may have been tinkering with computers and networks since he was 12 years old...the outcome is going to be rather obvious.

The bottom line is that we are not suddenly getting a new crop of criminal geniuses...we simply need the good guys to be better trained.

BIG MAC ATTACK!

2009-10-20T05:51:00.002-05:00

Well Apple's profits are up, but that is coming primarily from iPhone and iPod, not from the Macintosh. Lets take a look at the Mac. It has always had a sleeker design than the PC. It is remarkably easy to use (while I primarily use a Windows and Linux PC dual boot, I also have a G4 laptop). It is very stable. I have never had my G4 lock up or crash on me (unfortunately I cannot say the same for the PC I have!). And to say Mac users are delighted with their purchase would be an enormous understatement. They are in fact almost cult like in their devotion to Mac. Macs have also been prominently featured in popular TV programs such as 'Lie to Me'. So why is Mac still only capturing a miniscule share of the computer market for home and business?

One answer is programming. Microsoft has always made very easy to use programming tools. There are even free versions of their programming tools. Furthermore there is extensive, free, online help for Microsoft oriented programmers. If you wish to create an application for Windows, it is much easier than doing so for Mac (or Linux for that matter). Now some will point to Java as working on all platforms, but the user interface for Java is simply not as slick and appealing as writing apps for the platform itself.

Secondly Mac has never gone after the business user. Since many users purchase computers which would be compatable with their work environment, this undoubtably stifles Mac sales. Mac must begin to go after the small business market. I don't suggest Mac try to enter the server market, as they just don't have the track record for that. But appealing to mobile workers, making integrating with Microsoft and Unix servers easier, could all help penetrate the business market.

The final problem for Mac is price. Macs are always significantly more expensive than PC's. This is particularly problematic for the business customer. If one is purchasing 1000 computers for corporate use, and each Mac costs $400 more than the equivalent PC, there is no way to make a business case for purchasing Mac.

So while Apple has an impressive Mac advertising campaign, my prediction is that they won't be really penetrating the computer market and displacing Windows until they begin to court businesses and programmers and lower their price.

Why does bad software happen to good people?

2009-10-16T05:02:00.005-05:00

This weeks stunning story of Microsoft causing the loss of side kick data (see this story and this one ), may have some readers wondering how this happened? More to the point why is it so common to see large companies with large IT departments, churn out incredibly bug ridden software? Or put another way: why does bad software happen to good people?

Is it that most programmers are monumentally incompetent? Well like all professions, there certainly are some programmers whose technical acumen is less than impressive. However that is not the primary problem. The problem lies in how the software industry functions. Having worked with more than a few programming teams, I have some insight into this. The problem is that too many software teams simply don’t follow software development methodologies. Anyone who has ever taken a software analysis, software engineering, design, etc. course knows that there are a number of various approaches to software development. But all focus (in one fashion or another) on spending time on clearly defining specifications, planning and designing the project, development, then thorough testing. Often in the real world one or more of these items gets left to the side. What passes for planning in many companies is woefully inadequate. And Microsoft itself is renowned for releasing inadequately tested software. Many in the IT industry will tell you “never by Microsoft products until Service Pack 1. The initial release is really just advanced Beta”.

Why does this happen? Well in some cases it is pressure from management. In some cases it is the desire to get the product out there quicker. But it is also sometimes the case that programmers do a poor job of explaining why these phases are needed. It is incumbent upon the technology professionals to make a clear case to the business leaders for proper software development. I know many programmers will cry foul over this article, saying it is out of their hands. I ask you: do you not think electrical engineers, mechanical engineers, aerospace engineers, etc. all are under pressure to cut costs, cut project time, and produce fast? Yes of course they are. But they all, in unison, respond that there are certain aspects of engineering that simply cannot be shortcut. As I see programmers scramble for titles like ‘software engineer’ or ‘software architect’, I say before you pick up such a mantle, make sure you are truly doing engineering or architecture!

The public is still waiting on our profession to fullfill its many promises. All to often our technological wonders seem to introduce as many bugs, headaches, and issues as they solve

Disinformation in the information age

2009-10-15T21:57:00.003-05:00

We are all well aware that we live in the midst of the information age. At the click of your mouse you can access a deluge of information on any tope you choose. But can we rely on that information? In some case the answer is clearly yes, in others clearly no..but many others are hard for most people to determine.
What puzzles me most is that in this day of ready access to information, so many people are so clearly misinformed on so many topics. And the misinformation spreads. I am certain that you, like me, have received emails that circulate some rumor...only to find the rumor is absolutely false. We have entire websites devoted to debunking the urban legends circulating the internet (www.snopes.com, www.truthorfiction.com, etc.). Yet people still circulate rumors that can easily be disproven by taking two seconds to search an urban legend website. Why? Why in this age of ready information are so many people trafficking in disinformation? Well if we are discussing political pundits or ideological groups, the answer is simple: the desire to shape public opinion. But why do ordinary people do this?
The answer, sadly enough, is that so many people are intellectually lazy. It takes a bit of effort (albeit minimal) to ferret out the truth from the hoopla. It takes some effort to pursue the real data, and to cull out the biased nonsense. And most people won't take that time and effort. Instead anytime we hear something that resonates with our existing preconceptions, we simply repeat it as if it were fact.
I encourage everyone in this age, to use the internet for what it was meant for: to find and access information. Know what you are talking about. Don't forward something you have not verified.

Is your data secure? Why not?

2009-10-15T21:57:00.001-05:00

A recent story (http://tech.yahoo.com/news/pcworld/20090923/tc_pcw orld/pcisurveyfindssomemerchantsdontuseantivirusso ftware) showed that only 28 percent of smaller companies actually follow PCI (Payment Card Industry) standards on such items as having virus scanning. This should be concerning, but is not surprising. And furthermore it is not uncommong or limited to small businesses.
I frequently find myself talking to experienced IT professionals, and finding they are poorly informed on security matters. Though when asked, most IT professionals would state they are at least competent on IT security. Let me give you a few examples of what I have personally enountered, thought actual names won't be given.
a) A group of 5 hospital network administrators, all experienced. Not one had ever heard of a 'honey pot' and only one had heard of Intrusion Detection Systems. None had any experience with either.
b) A web application/hosting firm that thought load balancing meant spreading out pieces of a web application in a unorganized fashion across multiple servers. They seem not to have heard of having two identical servers with duplicate functionality for load balancing and fail over.
c) A shocking number of techies who do not realize Windows Remote Desktop, while very convenient, is NOT encrypted and is therefore NOT secure.
The list goes on. Security is one of those things that everyone thinks they understand, and few really do. I encourage all IT pros to take the time to actually learn basic security. Read a book, take a class, do something to get at least basic security skills. As long as so many in our profession persist in self delusion, the security situation will only deteriorate.

Stop the Hype!

2009-10-15T21:56:00.001-05:00

This morning I read yet another story wherein some pundit is beating the drum for broadband access for everyone in the United States http://tech.yahoo.com/news/ap/20091002/ap_on_hi_te /us_informing_citizens. Don't misunderstand me, I find the internet to be just an amazing source of information. Just this week I have read several news articles, looked up a book I was trying to find, read an interesting article on transporons, and found the answers to two different programming problems. I also know many people who use the internet for job searches, e-commerce, social connections, and online learning. However let us not delude ourselves. Yes the internet is an astounding resource for finding any information you may wish to find. However it is also the place where people spread misinformation and rumors, look for pornography, waste countless hours on mind numbingly vacuous surveys and 'humorous' stories, and people make complete fools of themselves on YouTube. And lets be more frank. The vast bulk of the population is far more familiar with Farm Town and Mafia Wars on Face Book, erotic ads on Craigslist, and ridiculous video's on YouTube than they are with brushing up on history, finding out what is new at NASA, or learning a new language online. Wider broadband will not necessarily mean a more educated or informed populace. As I have written before: the internet is a tool. A bright and curious person will use it to expand their knowledge. A less intellectually active person will use it to waste countless hours on content completely devoid of any informational content, or worse to inundate themselves and associates with disinformation.