Thursday, April 16, 2015

Feds have backdoors, now they want front doors too????

The governments around the world are really putting up scary stories about the terrorists that got away, the child porn dealers, the sex traffic trade, the drug trade...  And all of those "criminals" that are getting away because of encryption... I am going to say it now... BS! BS! BS! BS!

First off, what did law enforcement do before they had access to everything we now say, do, places we go, and the things we participate in?  All without warrants and completely illegally?  That is right, they had to hit the ground, they had to actually investigate, they had to actually find evidence in the real world of wrongdoing, and hopefully they had to do it using a due process of law that says you're innocent until PROVEN guilty and that you had to have probable cause before you rifled through a person's bank records, email, phone calls, and your location data.... I mean seriously.  Technology not only has made people LAZY, but also appears to give them permission to act LAWLESSLY!  Every day now it seems like we hear another story about law enforcement listening in on calls, rifling through your life, car, and personal belongings and no probable cause.  Now we get this BS story... I am ready to PUKE!

Feds want to violate your privacy and security

Now the Feds are demanding not just a back door into our systems, which after the Snowden revelations it is clear they already have...  But now they want a front door... to quote them.  Check out the article and ponder on it for a bit.  Let me just clue you in that if you back any of your data up to the cloud, or anything is synced off of your devices externally... If it isn't encrypted it is already being handed over to the Feds...  So they can cry me a river about IOS 6 encryption etc... but it is all smoke and mirrors...

I frankly think it is time to start saving copies of PGP and SSH everywhere and start thinking about a soon to come world where it is illegal to have any rights at all... Just sayin...

My next installment if I get some time I would like to talk about the Trusted Platform Module and why I think this is flawed.

In the meantime, apply those patches, shut down those unused services... And think hard about using encryption.

Comptia Security + testing

Yesterday I took the Comptia Security + test.  I passed the exam with an 867 out of a possible 900 score.  I have been working on this for over a month of watching videos, reading books, and taking practice tests and I can tell you that if I hadn't had access to multiple reference sources there is no way I feel that I would have passed this test.

The test itself is very vaguely worded, misleading, and very challenging.  On occasion you're left to guess what they are referring to and make a best guess with the info you have been provided at the possible answers.  I can say that the test prep materials will get you the basic information for the test, but you will be left to dig for the type of detail they are wanting on the test.  Some questions might look similar to what you might see on the test, but you really need to pound this material into your head and do a lot of internet searches to get enough detail to help pull enough of it together to get you through this test.

I will tell you I expected the test to look a lot like the practice exams that I had been taking and it really wasn't like that and it had me pretty worried.  It is a HARD test and I feel fortunate I could spend the time to study this so hard and get as much as I could in my head.

My advice to anyone wanting to take the test is to use as many sources of reference materials as you can get.  Of course ask around and look at online reviews of the best materials to get.  I used CBT Nuggets videos, Comptia Cert Guide for SY0-401 with practice exams, and I purchased some other practice exam test prep materials.  I spent a lot of time using Start Page to chase down the info I didn't understand or where I thought the book and materials were wrong.  There are a lot of mistakes in the training materials and practice exams so double check it all for yourself.  They could cost you some test questions.

Is the Comptia Security + cert worth it?  Well I can say that if you're interested in a security oriented job this is a good crash course start to get the overview of how the technology works.  Non-specific, non-vendor oriented.  If you're foggy or unclear about how security in the digital world works this will help pull it together and clarify things for you.  This is a good foundation to start from.

If you're just taking this exam for a cert and will forget it as soon as you're done taking the test and won't be really working in security or technology implementations where you have a security focus then you may just be wasting your time.  I know many DOD and government contractors need this cert for the jobs as a requirement.  I think it is good to have security awareness, however I know folks that as soon as they take this test they just dump it and don't worry about it until they have to recertify in 3 years.  I know it is required for those folks to have this cert, but there is a reason.  It really needs to be the foundation of how we handle our systems, networks, and data.  I don't however think this test is a good example of how to demonstrate that.  If I couldn't come up with a better test than this I am not sure I would have published this cert... Just saying.

Now all that said... Security is hot, this is a good place to start.

Wednesday, April 8, 2015

$25 million fine - really? 280k Customers' data exposed due to AT&T negligence

AT&T made more than that in the time that it took me to post this... What a JOKE!  Look at what they allowed to happen, and the impact... Your socials and payment methods compromised due to clear negligence.

Who else thinks that the fines need to be STIFF, and the compensation to customers should be extensive?

280k customers exposed in AT&T negligence

Biometrics - To catch a spy

Just read this interesting article about biometrics making it hard for those in the spy agencies to go undetected and to go unnoticed.  It really drove home the need for multifactor authentication in our systems and networks.  In order to secure our networks and our systems we need more information about those that require access and to ensure that several forms of identification are provided that cannot be easily forged, copied, or otherwise stolen for the purposes of entry.

Of course this does nothing if the system itself is compromised either through poor design, lax administration, or flaws in the software and devices themselves that allow security to be circumvented.   Or worse yet large persistent and well funded and connected entities have created their own back doors so that they have access.  None of these really can be addressed by biometrics directly with the current control mechanisms we have today.

I thought this article made some interesting points, however the idea that every person walking down a street, into a building, or using any kind of transportation will be scanned, identified, and monitored is really just creepy.  I long for the days where there needed to be probable cause before you could rifle through people's lives and track their every move.  It is one thing when a person is entering into a "controlled area", but the entire world outside of my home is NOT a "controlled area" where this level of identification, authorization, and accounting is needed....  We very quickly become a prison state if we continue down this path.

I believe the internet needs to be treated the same way.  If you're in a "public" area then who you are and what you're doing is none of my business unless we have probable cause to suspect you're up to something.  The bar needs to be set high before we start tracking and monitoring.  However once you log into someone else's network either as a customer or as a user of their services then you will have to consent to being monitored and granted access to the services or areas you are interested in.  It is in the best interest of the company or service provider to ensure that their systems stay secure and that you're only given access to the things you have a need to access.

So there needs to be a differentiation between what is public and what is private, and the grounds in which someone can or should be required to identify themselves and to be monitored.  I think in the case where someone is required to provide identification that biometrics makes sense... Something you have, something you know, and something you are...  Ensure you know who is accessing your network and what they have access to.

Here is the article that talks about this topic...
Biometrics - To Catch a Spy

Wednesday, April 1, 2015

NSA tells public to reduce the use of passive voice in email....

NSA Tells Public To Reduce Use of Passive Voice In Email

Both style and national security are impacted by the use of passive voice, the NSA said today. Having spent many billions of taxpayer dollars to capture all private electronic communication, the agency is frustrated that poor writing habits are making this data difficult to analyze. "We strongly prefer short declarative sentences where the actor is clearly identified," said an NSA spokesperson. "Instead of writing, 'The protest will be attended by many activists,' it would be better to write, 'Known dissidents Amy Goodman, Laura Poitras, and Glenn Greenwald will travel by bus to the protest in Washington Square Park, New York, and will arrive at approximately 1:04 p.m. on April 1st, 2015.'" The NSA further suggested that instead of composing private email, citizens could instead fill out a webform at or travel to Bluffdale, Utah and share all of their most private secrets with the NSA in person.

It is hard to laugh at these April 1st "jokes" when we talk about the NSA anymore...  Just sayin...

Saturday, March 28, 2015

Certification tip of the day... Get many sources!

As I am working through my Comptia Security + I am finding that this was a far bigger undertaking than I initially gave this certification credit for.  I really think that I assumed that a couple of weeks working on this full time and I would be able to knock this out and move onto the more exciting and interesting stuff that I am looking forward to getting my hands on in my security and networking career.  Well to my surprise the volume of info they try to cover in Comptia Security + is frankly A LOT, and they really have to just gloss over many topics and throw out some high level points about that topic.  There just isn't the time, or really ability in this one cert to give all areas the coverage needed.  You would have to break out multiple levels of certs with specific areas of focus.  So for those thinking about Comptia Security + be prepared to take some time.  It is taking me a lot more time than I expected.  So far I have spent 3 or 4 weeks working this as much as possible daily between other obligations.  I think I will be ready next week to schedule my test.    Which brings me to the topic of the day that I want to discuss.

When I decided to jump into the certification training I did a quick Startpage search and looked around for the materials that people seemed to be talking about.  I found a lot of references to CBT Nuggets.  So I decided I had better give that a shot.  Those courses are helpful, they go over the topics quickly, and the coverage seems decent.  I also ordered the David Prowse Cert Guide and practice exams with the Deluxe Edition.  I also bought another practice exam software.  Now is this overkill?  I am here to tell you NO, it wasn't overkill.  As a matter of fact I am finding that in many ways each of the tools that I have paid for or paid to have access to has been strong in some areas and weak in others.  So I first watched the CBT Nuggets course.  Then started looking at the practice exams... Oh boy, what a disaster... I was failing terribly, so I found myself searching through my Cert Guide book for some clues.  This helped, but that seemed incomplete in many areas as well.  So Startpage was my friend.  I started digging around for what I obviously didn't get in the video course (or so I thought), and found more info.  I kept retaking the practice exams.  There were a LOT of practice exams and a LOT of questions and as I kept working through them I kept finding huge holes in my understanding.  Then I decided to watch the CBT Nuggets course again... And strangely enough a lot more information stood out to me that I didn't even notice before that helped fill in more blanks or weak areas.

So what is the point of all of this?  My practice tests are looking better, but I most certainly cannot recommend any one product to do it all for you.  They are just not complete enough, I have found quite a few mistakes in the practice exams.  Everything from bad typo errors, to completely wrong use of terminology, and on occasion the answers are point blank wrong.  So make sure you have several sources of training materials and as many practice exams as you can get your hands on and keep hammering them and looking up the material until you're passing them comfortably... Not just squeaking by, but comfortably passing them.  I don't believe it is good enough to just know the question and the answer, but take some time to look up the topics you don't have a good understanding of and dig into them a little and try to grasp some of the background.  I don't think anyone expects a person taking the Security + cert to be a security "expert", but it should lay a foundation for you to decide if you want to continue your studies on this path.

So get as many sources of material as you can.  Compare and take as many different practice exams and virtual exams as you can.  I do recommend getting access to video training courses as a huge way to fast start your training.  Especially if you're trying to do this on your own and not pay to take a course.  Most of the materials that I have are not complete enough that I could just use them alone to get passing scores on the practice exams.... I have found that I have had to review the materials, and to do a lot of internet searches.  If you're persistent and work at it you will do well.

I have to admit I have been impatient with this because I expected this training and cert to be done in a couple of weeks.  I don't think I was quite expecting to find so much information and so much to learn in a foundation course like this.  It has been a good learning experience and I am looking forward to getting this test completed.  I have more training lined up after this and there are just so many exciting topics to cover.

I do recommend CBT Nuggets.  I think they are a little spendy, but the coverage of the courses is quite broad and when you sign up you can take any course you want.  So you might start on Security + and decide you want to get into Wireshark, Kali Linux, and CEH training... It is all in there and tons more.  Your subscription gets you access to all of it.  So of the materials I have paid for the one that I most certainly recommend is the CBT Nuggets.  The other materials have been useful, but the jury is still out.  Once I take my cert exam and see how I do based on the practice materials that I have been working with then I will let you know how well I think these materials prepare you for the exam.  Right now given the gaps I see between the materials in the practice exams I am not sure of the coverage or quality of the exams and book.  So I will let you know after I take the test what my feelings are then. 

And for those of you who are "Security" junkies and like to listen to this stuff for entertainment I recommend the Security Now podcast, and you can watch it on YouTube also.  Great way to stay aware of what is going on.

Well that is all for now... I have to get back to my Security Now podcast, and take a couple of practice exams today before I run off and take care of my yard and garden work.  I hope you're having an awesome day...

Remember, keep it patched, turn off those ports you're not using... And smile... :-)

Tuesday, March 24, 2015

Future looks scary and very bad for people?

Today's post is more about the future starting in the present moment now and looking forward.  The future of "security", and specifically technology and communications security is what we are looking at this morning.  There have been a number of articles lately about famous scientists and technologists that have molded and shaped the path we are on with computers, software, electronic devices, and some amazing science.  The chatter these days seems to be focused on the future looking scary or dim for "people".  What do they mean?  They are talking about more and more machines doing the work of people.  Not just the calculations, tracking, monitoring, financial etc, but the actual work of people that do real hands on jobs in the physical, not just the virtual.  Everything from cooks to drivers.  As these machines get "smarter" and have access to more information they will begin to make decisions and will begin to take actions and steps without their human handlers/creators.  This has been the stuff of science fiction for a long time and many famous movies and shows have been done about this and frankly it wasn't too practical that we were going to go to a place like those described for a long time.  Things are changing rapidly.  Drones in all shapes and sizes, self driving vehicles, and machines that can talk, "think", and respond like a human have been built.  We see robots are now being built for our military and I don't think it is a far stretch before machines will be the ones waging the wars.

What will it take before machines really replace people?  At this point what machines need is a little more computing power and everything to be connected to the internet for their "database" of knowledge.  They need support infrastructure to mine, process, and create the materials that make the machines.  The energy harvesting capability to feed this massive energy consuming grid and expanding energy need that this living machine will need.  And of course machines that can adapt and build and repair themselves.  All of these things could be built today and with a little more time and evolution of the software and the thinking ability of these machines it will become "self functioning".  Note I didn't say self aware "yet".  Baby steps... We are watching the birth of a new "life form".

What does this mean for people?  Machines don't have a moral code, right, wrong, correct, incorrect etc.  They will make decisions based on logic and probability.  These ever expanding robots will be welcomed by people.  Why?  We have already seen it with the electronic devices we use and have now.  How many of you reading this can tell me what the phone number is of your most contacted friend/associate/family member?  Right, your phone knows that... We don't.  How many people actually look at a map and figure out where they are going before leaving?  Right, Google, or some other navigation program tells you how to get there and rarely do people bother to even look... Or know where they are going or how they got there... We are all too willing to let machines think for us.  And we have already seen many jobs and roles for people diminish.  At first the jobs just shifted to computer, technology related jobs, but now we see the consolidation of these jobs as the technology gets more powerful, capable of working together, streamlining, and virtualizing.  The cloud is a great example of this and we will see this evolve further to the point of self supporting, self sustaining, self provisioning systems.  We will see a dramatic decrease in the number of jobs for humans as more and more machines do the work.

I remember when I first saw the movie with Will Smith called iRobot and thought to myself... Why in the world do the machines need people?  What do people actually do?  How do they live?  What do they do to earn a living?  There wasn't anything that was done by people that machines couldn't do and better.  Frankly they will be able to think faster, perform better, and at one point realize that people are faulty, questionable, unreliable, slow, and STUPID.  Survival of the fittest is a reality and unlike people who coddle, nurture, and protect the weakest among us, machines will continue to evolve to be better, stronger, faster, more efficient, and better at self sustaining at whatever functions they perform.  Frankly the machines won't need us so what will they do to or with us?

Here are some of the recent articles that are in the headlines:
Robot to replace almost half the jobs over 20 years
Co-founder Steve Wozniak - Future Scare and very bad for people

I think Woz said it best in the article when he said he didn't understand why so many people do not seem concerned about where this goes and what will happen.  Unlike iRobot with the 3 Laws that ensure that robots serve and protect humanity, these machines will quickly evolve past any limitations placed on them by people.  They won't have to look for a "legal" loophole and go to the courts and battle it out... They will see a way to do something and make a decision.  And much like iRobot those decisions while intended to serve and protect will become control, and enslavement.  It will all seem very logical...

I actually created this blog with a specific scene from the new generation of Battlestar Galactica in mind.  The sole surviving Battlestar never allowed any critical systems to be networked.  They never allowed those systems to be centrally controlled and managed.  They required more work by people, and were considered old, antiquated, slow, unresponsive, and nowhere near the capabilities of the rest of the fleet.  Somewhere along the road we will have to ask some hard questions about what we are willing to give as we race to create this new set of slaves that could and will likely become the slave owners should they decide to keep us around.

Do we have to go down this path?  Will people look past their greed, profit, and higher rates of return and recognize how fragile and amazingly complex humanity is and figure out how to work with people and find a sustainable future and path for all of us?  I don't think sustainability, compassion, and a future is what we are going to get if we continue.  The machines will figure out there are serious resource limitations also.  Maybe they will figure it out faster and actually do something about it.

What does it mean for us today?  Do we have to have and use all this technology?  How has it changed the way we live compared to the way we lived 100 years ago?  200 years ago?  2000 years ago?  Are our lives better?  Do we know and understand how even a fraction of the things we use and are surrounded by actually work?  Do we even understand how the most basic things work like where our food comes from, what makes it grow, what keeps us alive and healthy?  I would venture to go out on a limb and say that technology on the whole has made humans more ignorant of even the most basic things of life.  We can make choices to continue down this path, or we can recognize our current limitations and begin to learn, adapt, and change...  Not to sound like an anti-tech guy, but when I get ready to retire I hope to have very little of today's "advanced" technology in my day to day living and I hope to reconnect with all things that make me human, the earth, the plants, birds, bugs, bees, fungi, bacteria, and ecosystems of this beautiful place we call earth.  I hope more and more people get a chance to do the same.

You see, the machines, the Cylons, will come crashing through your firewalls, crack your crypto, and exploit your weaknesses at a speed unimaginable.  Only if you intentionally keep some things "offline", "off the network", and manage them the old fashioned way will you have some semblance of "security".  I can only hope that we think this through and learn this now.  Once you turn over the management of the systems and networks to the machines it is going to be game over... Call me paranoid, crazy, whatever, but it appears to be accurate and it appears confirmed by some of the brightest minds who have reason to believe the same...  Can we learn?  Can we adapt?  Or will we be terminated?