Merry Christmas (eve) to everyone, Santa's on his way. I hope you have a great time, I know I am. Christmas is turning out to be a four day party.
- Andrew's Birthday
- My Mother's Birthday
- Christ's Birthday
- Boxing Day
Here's a story for the poor bastards patching their Oracle and IBM boxes.
One of internet explorer's advantages over Firefox is that it can be controlled via Group Policy.
Group Policy is how an administrator ensures certain configurations of windows machines in an Active Directory domain. Group policy can also be manipulated locally by editing the local Group Policy object or the registry directly (as the policy object manipulates certain values in the registry).
In-Cider Knowledge has made a go of adding this functionality for Firefox.
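To show the registry side of this in practice, here is an added example (my own, not code from the post or from In-Cider Knowledge): a PowerShell function that lists the values Group Policy has written under the Internet Explorer policy keys for both the machine and the user scope. It assumes the standard `Software\Policies\Microsoft\Internet Explorer` paths; which value names come back depends entirely on which policies an administrator has applied.

```powershell
# Added example, not from the original post. Lists the registry values that
# Group Policy (or someone writing to the registry directly) has placed under
# the Internet Explorer policy keys. The two root paths are an assumption
# about where IE's administrative templates store their settings.
function Get-IePolicyValues {
    param(
        [string[]]$PolicyRoots = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
        )
    )

    foreach ($root in $PolicyRoots) {
        # No key at all means no IE policy has been applied in this scope
        if (-not (Test-Path -Path $root)) { continue }

        # The root key itself plus every subkey beneath it
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Scope = ($root -split ':')[0]   # HKLM (machine) or HKCU (user)
                    Key   = $key.Name
                    Name  = $name
                    Value = $key.GetValue($name)
                }
            }
        }
    }
}

# Usage: print everything policy has pinned down for IE on this box
Get-IePolicyValues | Format-Table -AutoSize
```

A value under the Policies hive is enforced regardless of what the user picks in the browser's options dialog, so this is a quick way to audit what is locked down. The caveat the post hints at cuts both ways: because the policy object is just registry values, anyone with write access to these keys can add or remove a "policy" without touching Active Directory, so the output should be compared against the GPOs that are actually supposed to apply (for example via gpresult) rather than trusted on its own.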
Today I went with a friend to an upmarket grocery store, Thrupps. He has an account there, and so did the lady in the line behind us. To use the account you fill out your 4-digit account number on a piece of paper and scribble your signature. About 5 minutes in the store will get you at least one account number. I got two in less than that. I don't know if this counts as authentication; it is rather arbitrary identification. A simple token would make a big difference. I would be interested to see how much they lose this way, as there are other factors to take into account.
- There is a security guard at the centre keeping the 'riff-raff' out.
- The patrons are mostly upper-class and might not pay as much attention to their bills.
- In some cases the patrons are known by face, but this does not seem to be the norm.
Vodacom and Vodafone have teamed up to bring 3G to South Africa. They are offering a bunch of 3G-enabled phones and a PCMCIA card for your laptop. The price is about R600 a month. They also claim it will provide 7x56K dialup speeds (so 392K). Looks interesting, but still a bit expensive.
The F-Secure blog has an excellent write-up of this year's malware scene and some other happenings. This has been a very busy year indeed.
Well, I just got off the phone. I have tons of nervous energy I need to work off. The interview went well on the whole, but I am a little disappointed. They are looking for a software engineer but my passion is security.
I have another interview on Jan 11th at 9:30pm (10:30am PST), which is a bit late, but it's Google! I am going to be asked about algorithms and code. I feel I am a fairly competent coder but I shudder to think of the kind of questions I will be asked. "Given a tree structure of zoo animals, what algorithm would sort them into their kingdoms the fastest?" I am a bit worried about this. I am going to rework my CV to make it more security oriented and send it off. Hopefully this will be a foot in the door, and I will see where it leads. I have done a lot of reading about working at Google and it looks amazing: the way they treat their employees, their development philosophies, their ethics and social commitment, and their really cool stuff.
The first question I was asked was how many lines of code my largest project was. I guessed 8-10 thousand. I was also asked which of Google's products interested me most. What do you choose? There are hundreds; check out the labs page. I went for the searching (boring, eh?), but I imagine they have some hardcore code for PageRank. I was also asked where I would like to work: Mountain View (HQ) or New York. I went for the HQ, as being in the centre of things is always better. I was also asked what my favourite programming language is. I proudly mentioned REBOL, then Perl and other scripting languages. I am better at Java but I prefer C++; I just don't know all the tricks (that shotgun is dangerous).
It turns out that my CV (or resume, as I discovered Americans call it) was submitted and a team of engineers decided I would be best at software engineering. I really have absolutely no recollection of submitting a CV. Someone out there must have done it for me; whoever you are: thanks.
Bruce Schneier has a nice checklist of how the average user can keep themselves secure (or maintain computer hygiene). The Chief has some updates. Very nice; now it just needs a step-by-step guide to achieving some of the steps.
No, I'm not taking a turn for the pornographic (hoho).
I just bought myself a Powerball. It is a nice geek toy, a hand-held gyroscope. So far it has been tons of fun that left me with a blister on my right-hand pinkie after two hours. This should be great for preventing my sore wrists, not so sure about the lesser digits though.
Sorry about my lack of technical news at the moment, but I don't have the bandwidth to do much surfing while at home.
On the lighter side, patch management humor:
Microsoft ... could ship a brown paper bag called Microsoft Brown Paper Bag 1.0 and hundreds of thousands of people would buy it. Or at least try it.
[snip...]
Here's the first service pack for MS BPB 1.0:
(it's all about the patch management...)
I know this argument has been going on for years and years, but the debate about God's existence has been going on for longer. Security has a while to go before people worship in our churches.
I would love to see if I am going completely wrong. This time the staging ground is Susan Bradley's blog. A quick summary is that Susan is arguing that disclosure of an exploit (or technical details) at the same time as the patch release doesn't give administrators time to patch and is therefore irresponsible. My counter is that the patch can be used to reverse engineer an exploit, and that the technical details/exploit are useful for other tools such as Snort, Nessus, OVAL or virus signatures, which are often the front line during patching.
I have heard many good things about the CISSP certification and plan to get myself certified next year after my write-up is done. Here is some free training.
Yesterday I got an e-mail from Google asking for a good time to phone me next week to 'discuss Google career opportunities and your qualifications'. At first I thought it was a hoax, but on a closer inspection of the mail headers it appeared to be legitimate.
I am pretty damn excited. Google looks to be an awesome place to work with their junior to intermediate systems security engineer pretty much exactly what I am looking for. Well as 'exactly' as a 22 year old grad student can muster.
The only thing bugging me is that the e-mail seems to be a reply. This is from the first line, which states 'Thank you for your interest in Google.' Now the name of the person who e-mailed me seems very familiar, and I have a vague recollection of e-mailing Google after reading about how they were looking for MSc and up students. After some extensive grep'ing of my sent mail I have turned up nothing, however. The stress from this year has messed my memory up quite badly.
UPDATE: It is a non-technical, screening interview and I am expecting a call at 6:30pm SAST on Thursday the 16th. It has also been suggested that I filled out an online form. I have decided after further research to apply to the lunar station.
eWeek has an article on how Microsoft's regular patch cycle is doing a year later. The upsides are that Microsoft now has better security notification and fewer dodgy patches. Also, more people appear to be patching. The downside is that this is mostly a perceived increase in security, as the Bofra worm demonstrates.
When I got off the bus yesterday I was flashed some ID by two guys claiming to work for the South African Police Services. They had a small machine and asked if they could check my fingerprint to see if I was a wanted criminal. I thought it was a bit strange and had just woken up after a long bus drive and wasn't thinking. They checked my right index finger then my left. The machine said 'No Record'.
Then I woke up, and so did my father, who was there to pick me up. I would love to say my security training kicked in and I did some digging, but my father got there first. They said they don't work in uniform. My father was given the sergeant's name and a number in Cape Town to phone, as he had just transferred. Will phone tomorrow.
Now I have no idea if this is a scam or not. My index fingerprint isn't used for anything that I know of. Our driver's licences use thumbprints. I would check our news services and do some google-fu, but this connection is too expensive and too slow. Anyone have any ideas?
If it is legit, apart from their approach, it is an interesting idea. However, they checked 3 people who got off a bus of about 50, and they then got an earful from one unhappy lady and my father; not very effective.
UPDATE: It appears the SAPS have been doing random finger printing. I am still not sure if these guys were legit however. My father claims to have phoned but I haven't had a chance to speak to him yet.