Tuesday, August 28, 2007

Linux felon forced to install Windows - or - "For the love of God, enough is enough!"

Prison, home confinement, and now Windows???? The torture just keeps going and going. Just like that little battery bunny.

Not that I condone what this guy did, but wouldn't you think that the "Smart" government would have come up with a *nix app for monitoring criminals by now? Anyway, read on and you'll see why I had to throw in my two pence worth today.

A Linux user who was jailed for uploading a film onto a peer-to-peer service has been told he will have to switch to Windows if he wants to use a computer again.

Scott McCausland, who used to be an administrator of the EliteTorrents BitTorrent server before it was shut down by the FBI, pleaded guilty in 2006 to two copyright-related charges over the uploading of Star Wars: Episode III to the Internet. As a result, he was sentenced to five months in jail and five months' home confinement.

McCausland--who also goes by the name "sk0t"--has since been released from jail, but on Tuesday he reported on his blog that the terms of his sentence meant he would have to install Windows if he wanted to use a computer during his probation. "I had a meeting with my probation officer today, and he told me that he has to install monitoring software onto my PC," wrote McCausland. "No big deal to me...that is part of my sentence."

"However, their software doesn't support GNU/Linux (which is what I use)," continued McCausland. "So, he told me that if I want to use a computer, I would have to use an OS that the software can be installed on. Which basically means: Microsoft and monitoring software or no computer. I use Ubuntu 7.04 now, and they are trying to force me to switch. First they give me two felonies, then they throw me in prison, and now this."

According to the Web site TorrentFreak, McCausland and his attorney will fight the situation. "It isn't the fact that I have to be monitored that bothers me, it is the fact that I have (to) restructure my life (different OS, different software on that OS) and that they would require (force) me to purchase software while I am currently unemployed and relatively unemployable with the two felonies that they gave me," McCausland said. "It is just a ridiculous situation."

Friday, August 24, 2007

Sonicwall, Watchguard, or Untangle?

Sonicwall, Watchguard, or Untangle? by ZDNet's Christopher Dawson -- I was in the process of spiffing up our Sonicwall firewall and came across an open source alternative, called Untangle. According to the company’s website, Untangle is "The Open Source Network Gateway. The best open source projects, integrated and made easier for spam blocking, web filtering, remote access and more. * Commercial-grade open [...]"

Wednesday, August 22, 2007

12 IT skills that employers can't say no to

By Mary Brandel, Computerworld, 07/11/07

Have you spoken with a high-tech recruiter or professor of computer science lately? According to observers across the country, the technology skills shortage that pundits were talking about a year ago is real.

"Everything I see in Silicon Valley is completely contrary to the assumption that programmers are a dying breed and being offshored," says Kevin Scott, senior engineering manager at Google and a founding member of the professions and education boards at the Association for Computing Machinery. "From big companies to start-ups, companies are hiring as aggressively as possible."

Many recruiters say there are more open positions than they can fill, and according to Kate Kaiser, associate professor of IT at Marquette University in Milwaukee, students are getting snapped up before they graduate. In January, Kaiser asked the 34 students in the systems analysis and design class she was teaching how many had already accepted offers to begin work after graduating in May. Twenty-four students raised their hands. "I feel sure the other 10 who didn't have offers at that time have all been given an offer by now," she says.

Suffice it to say, the market for IT talent is hot, but only if you have the right skills. If you want to be part of the wave, take a look at what eight experts -- including recruiters, curriculum developers, computer science professors and other industry observers -- say are the hottest skills of the near future.

1) Machine learning

As companies work to build software such as collaborative filtering, spam filtering and fraud-detection applications that seek patterns in jumbo-size data sets, some observers are seeing a rapid increase in the need for people with machine-learning knowledge, or the ability to design and develop algorithms and techniques to improve computers' performance, Scott says.

"It's not just the case for Google," he says. "There are lots of applications that have big, big, big data sizes, which creates a fundamental problem of how you organize the data and present it to users."

Demand for these applications is expanding the need for data mining, statistical modeling and data structure skills, among others, Scott says. "You can't just wave your hand at some of these problems -- there are subtle differences in how the data structures or algorithms you choose impact whether you get a reasonable solution or not," he explains.

You can acquire machine-learning knowledge either through job experience or advanced undergraduate or graduate coursework, Scott says. But no matter how you do it, "companies are snapping up these skills as fast as they can grab them," he says.

2) Mobilizing applications

The race to deliver content over mobile devices is akin to the wild days of the Internet during the '90s, says Sean Ebner, vice president of professional services at Spherion Pacific Enterprises, a recruiter in Fort Lauderdale, Fla. And with devices like BlackBerries and Treos becoming more important as business tools, he says, companies will need people who are adept at extending applications such as ERP, procurement and expense approval to these devices. "They need people who can push applications onto mobile devices," he says.

3) Wireless networking

With the proliferation of de facto wireless standards such as Wi-Fi, WiMax and Bluetooth, securing wireless transmissions is top-of-mind for employers seeking technology talent, says Neill Hopkins, vice president of skills development for the Computing Technology Industry Association (CompTIA). "There's lots of wireless technologies taking hold, and companies are concerned about how do these all fit together, and what are the security risks, which are much bigger than on wired networks," he says.

"If I were to hire a wireless specialist, I'd also want them to understand the security implications of that and build in controls from the front end," agrees Howard Schmidt, president of the Information Systems Security Association and former chief information security officer and chief security strategist at eBay Inc.

But don't venture into the marketplace with only a wireless certification, Hopkins warns. "No one gets hired as a wireless technician -- you have to be a network administrator with a specialization in wireless so you know how wireless plays with the network," he says.

4) Human-computer interface

Another area that will see growing demand is human-computer interaction or user interface design, Scott says, which is the design of user interfaces for the Web or desktop applications. "There's been more recognition over time that it's not OK for an engineer to throw together a crappy interface," he says. Thanks to companies like Apple Inc., he continues, "consumers are increasingly seeing well-designed products, so why shouldn't they demand that in every piece of software they use?"

5) Project management

Project managers have always been in high demand, but with growing intolerance for over-budget or failed projects, the ones who can prove that they know what they're doing are very much in demand, says Grant Gordon, managing director at Kansas City-based staffing firm Intronic Solutions Group. "Job reqs are coming in for 'true project managers,' not just people who have that denotation on their title," Gordon says. "Employers want people who can ride herd, make sense of the project life cycle and truly project-manage."

That's a big change from a year ago, he says, when it was easy to fill project management slots. But now, with employers demanding in-the-trenches experience, "the interview process has become much tougher," Gordon says. "The right candidates are fewer and farther between, and those that are there can be more picky on salaries and perks."

The way Gordon screens candidates is by having on-staff subject-matter experts conduct interviews that glean how the candidate has handled various situations in the past, such as conflicting team responsibilities or problem resolution. "It's easy to regurgitate what you heard from PMBOK [the Project Management Institute's Project Management Body of Knowledge], but when it comes to things like conflict management, you start seeing whether they know what they're doing."

In one case, Gordon asked a candidate to describe how he'd go about designing a golf ball that goes farther by changing the dimples on the ball. "No one has the answer to questions like that, but it shows how they think on their feet and how they can break down a problem that's pretty ambiguous into smaller segments," he says.

6) General networking skills

No matter where you work in IT, you can no longer escape the network, and that has made it crucial for non-networking professionals, such as software engineers, to have some basic understanding of networking concepts, Scott says. At the very least, they should brush up on networking basics, such as TCP/IP, Ethernet and fiber optics, he says, and have a working knowledge of distributed and networked computing.

"There's an acute need for people writing applications deployed in data centers to be aware of how their applications are using the network," Scott says. "They need to understand how to take advantage of the network in their application design." For instance, to split three-tier applications among multiple machines, developers need to know how to build and coordinate that network. "People who understand basic distributed systems principles are very valuable," Scott says.

7) Network convergence technicians

With more companies implementing voice over IP, there's a growing demand for network administrators who understand all sorts of networks -- LANs, WANs, voice, the Internet -- and how they all converge together, according to Hopkins.

"When something needs to be fixed, companies don't want the network administrator to say, 'Oh, that's a phone problem,' and the phone guy to say, 'Call the networking guy,'" Hopkins says. "Our research has validated that there's a huge demand for people who've been in the phone world and understand what the IT network is, or someone managing the IT network who understands the voice network and how it converges."

8) Open-source programming

There's been an uptick in employers interested in hiring open-source talent, Ebner says. "Some people thought the sun was setting on open source, but it's coming back in a big way, both at the operating system level and in application development," he says. People with experience in Linux, Apache, MySQL and PHP, collectively referred to as LAMP, will find themselves in high demand, he says.

Scott Saunders, dean of career services at DeVry University in Southern California, is seeing the same trend. "Customer dissatisfaction and security concerns are driving this phenomenon, especially in the operating system and database markets," he says.

9) Business intelligence systems

Momentum is also building around business intelligence, Ebner says, creating demand for people who are skilled in BI technologies such as Cognos, Business Objects and Hyperion, and who can apply those to the business.

"Clients are making significant investments in business intelligence," Ebner says. "But they don't need pure technicians creating scripts and queries. To be a skilled data miner, you need hard-core functional knowledge of the business you're trying to dissect." People who can do both "are some of the hottest talent in the country right now," he says.

10) Embedded security

Security professionals have been in high demand in recent years, but today, according to Schmidt, there's a surge in employers looking for security skills and certifications in all their job applicants, not just the ones for security positions.

"In virtually every job description I've seen in the last six months, there's been some use of the word security in there," he says. "Employers are asking for the ability to create a secure environment, whether the person is running the e-mail server or doing software development. It's becoming part of the job description."

This, Schmidt says, mirrors the trend toward integrating security into companies' day-to-day operations rather than considering it an add-on role performed by a specialist. Companies will still need security specialists and subject-matter experts, Schmidt says, but more and more, every IT person a company hires will have to have an understanding of the security ramifications of his area.

Hopkins echoes that sentiment. "Every single certification we do now has an element of security built in," he says. "We keep getting feedback from the market researchers that security touches everything and everyone. Even an entry-level technician better understand security."

Saunders says DeVry University has responded to this demand by adding a security curriculum to some of its campuses throughout the U.S. "Companies are increasingly interested in protecting their assets against cyberterrorism and internal threats," he says.

11) Digital home technology integration

Homes are increasingly becoming high-tech havens, and there has been enormous growth in the home video and audio markets, and in home security and automated lighting systems. But who installs these systems, and who fixes them when something goes wrong?

To answer that question, CompTIA developed a certification in cooperation with the Consumer Electronics Association, called Digital Home Technology Integrator. "It's the hottest and most vibrant market we've seen in a long time," Hopkins says.

12) .Net, C#, C++, Java -- with an edge

Recruiters and curriculum developers are seeing job orders come in for a range of application frameworks and languages, including ASP.Net, VB.net, XML, PHP, Java, C#, and C++, but according to Gordon, employers want more than just a coder. "Rarely do they want people buried behind the computer who aren't part of a team," he says. "They want someone with Java who can also be a team lead or a project coordinator."

Thursday, August 16, 2007

Broadband over powerlines gets a boost

Broadband over powerlines gets a boost by ZDNet's Larry Dignan -- Broadband over powerlines (BPL) may get a much-needed boost from a deal between Current Group and DirecTV. On Wednesday, Current and DirecTV announced a distribution agreement (see Techmeme roundup) that will allow the satellite TV giant to distribute Current’s broadband and VOIP services by the end of 2007 and 2008. The gallery at right details [...]

Ubuntu servers hacked to attack others

Ubuntu servers hacked to attack others by ZDNet's Ryan Naraine -- According to a notice in the Ubuntu weekly newsletter, 5 of the 8 servers that are LoCo-hosted had to be shut down after an investigation showed a variety of security problems.

Dissecting Firefox’s retention woes

Dissecting Firefox’s retention woes by ZDNet's Larry Dignan -- Mozilla says 50 percent of the people that download Firefox actually try it. And half of that group actually uses it actively. That’s a major issue–and a surprising admission since the confession renders millions of downloads moot. As a loyal Firefox user that retention rate is just shocking. Let’s examine some of the reasons why: Bundles [...]

Anti-virals get beat up at Untangle Fight Club

Anti-virals get beat up at Untangle Fight Club by ZDNet's Dana Blankenhorn -- Some well known virus signatures were run against the programs to test their engines. Some, like open source ClamAV (above), found them all. Others, like Watchguard, missed nearly all of them.

Monday, August 06, 2007

Something uncomfortable about DEFCON’s treatment of Dateline NBC reporter

This is the first time I have to disagree with one of the bloggers from over at ZDNet.

I feel if the press cannot abide by the rules (No matter what the "sub culture" is about) then they don't need to be there. The press doesn't need to be allowed to cover the event. It could all happen behind closed doors for all you drones to wonder what's going on in there.

Anyway, read the article Ryan Naraine wrote. You'll see his failed attempt in trying to use logic. He just lost a little credibility from my point of view.

Something uncomfortable about DEFCON’s treatment of Dateline NBC reporter by ZDNet's Ryan Naraine -- I don't know about you but after watching the video and reading the reports about DefCon's outing of Dateline NBC producer Michelle Madigan, I came away with an uncomfortable feeling that it was rather childish, over-the-top and unnecessary.

IRS employees successfully social engineered

In an audit of IRS security rules by the Treasury Inspector General for Tax Administration, it appears that the auditors were able to successfully social engineer IRS employees into improperly disclosing their user names and passwords — a staggering 61% of the time.

According to the report, a caller posed as a technical support person and contacted 102 employees. On the pretext of solving a computer problem, he attempted to persuade them to temporarily change their passwords to one he suggested.

Excerpt from SignOnDiego.com:

Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request… Only eight of the 102 employees contacted either the inspector general’s office or IRS security offices to validate the legitimacy of the caller.

The IRS agreed with recommendations from the inspector general that it should take steps to make employees more aware of hacker tactics such as posing as an internal employee and to remind people to report such incidents to security officials.

The especially disturbing part here is the revelation that the IRS actually took many measures to improve its security awareness after two similar test telephone calls in 2001 and 2004.

The report sums up the efforts: “… the corrective actions have not been effective.”

Needless to say, the employees were putting the IRS at risk of giving unauthorized people access to taxpayer data. Still, is this case simply a sign of the impossibility of educating end users, especially in a large corporation or organization spanning multiple locations, or is it due to the lack of a proper system?

Saturday, August 04, 2007

NBC Dateline Reporter flees Defcon 15

Next time I think she will get a press pass. Some drones make me laugh when they try stupid crap like this.

Friday, August 03, 2007

Hamster plus Hotspot equals Web 2.0 meltdown!

This article is a prime example of why personal responsibility is a key factor when roaming away from home and out onto strange WiFi networks. You never know what is lurking out there just waiting to take your information.

Hamster plus Hotspot equals Web 2.0 meltdown! by ZDNet's George Ou -- Robert Graham (CEO Errata Security) gave his Web 2.0 hijacking presentation to a packed audience at Black Hat 2007 today. The audience erupted with applause and laughter when Graham used his tools to hijack someone’s Gmail account during an unscripted demo. The victim in this case was using a typical unprotected Wi-Fi Hotspot [...]

Wednesday, August 01, 2007

Black Hat 'supersizes' in Las Vegas

LAS VEGAS-- The 11th annual Black Hat security conference will occupy more space at Caesar's Palace this year in order to accommodate more people, more topics, and, of course, more controversy.

The conference kicked off over the weekend, starting with four days of topic-specific training, before concluding Wednesday and Thursday with two days of public sessions.

If past conferences are any guide, expect the overall total attendance to be more than last year. With that in mind, Black Hat is expanding its footprint within the Caesar's Palace resort here.

But count out at least one prospective attendee. On Sunday, Thomas Dullien, CEO of the German company Sabre Security, reported in his personal blog that he had been denied entry to the U.S. for reasons having to do with H-1B visa regulations. He says that U.S. Customs officials detained him over material he was carrying to Black Hat in order to teach what was billed as an "intense course encompassing binary analysis, reverse engineering and bug finding."

A larger conference means not one but two keynote addresses. One is from Richard Clarke, President Bush's former special adviser on cyberspace security. Clarke, whose 2002 Black Hat keynote speech stated that software vendors and Internet providers must share the blame for malicious software, is now with Good Harbor Security. This year, he will talk about those "who seek truth through science, even when the powerful try to suppress it." The other keynote speaker will be Tony Sager, vulnerability chief of the National Security Agency, who will talk about creating government security standards while working with commercial vendors.

Unlike last year, when Microsoft hosted an entire series of sessions focusing on the yet-to-be released Windows Vista platform, there will be no similar tracks offered this year. Returning tracks include sessions on voice services security, forensics, hardware, zero-day attacks and zero-day defenses. New tracks include operating system kernels, application security, reverse engineering, fuzzing and the testing of application security.

But it's the individual sessions that could get heated.

Several presenters are familiar to Black Hat attendees and not without controversy. Neal Krawetz is returning to tackle image forensics, showing how to peel back the layers to find less-than-obvious manipulation; Dan Kaminsky is presenting his annual Black Ops survey; and Phil Zimmermann is returning to talk once again about his vision of a secure telephone for the Internet, called the Z Phone.

Meanwhile, Jeremiah Grossman will talk more about "Hacking Intranet Websites from the Outside (Take 2)--Fun with and without JavaScript malware", and Billy Hoffman will team with Bryan Sullivan to discuss "Ajax-ulation," a talk about building a secure Ajax-laden travel Web site.

The talk "Breaking Forensics" is already controversial. iSec researchers Chris Palmer, Tim Newsham and Alex Stamos have stated they've found up to six vulnerabilities within Guidance Software EnCase, a digital forensics program used primarily by government and law enforcement, prompting swift denials from the company.

Also controversial is Joanna Rutkowska, whose presentation last year drew a standing ovation from the crowd. This time, Rutkowska is appearing alongside Alexander Tereshkin to talk about methods for compromising the Vista x64 kernel. Luis Miras will reprise a talk he gave this past spring at CanSecWest on hacking peripheral devices such as mice and pointers.

In the evening, there will be a mock hacker trial presided over by a real judge, and a talk by security researcher Johnny Long titled "No-tech Hacking"--and that's all just within the first day.

On Thursday, there will be only one keynote speaker, Bruce Schneier, who will talk about the psychology of security. Then David Maynor, who last year presented an Apple wireless flaw, will return with "tips your security vendor doesn't want you to know." Mozilla's Window Snyder and Mike Shaver will introduce new tools to fuzz browsers as well as talk about the security features expected in Firefox 3 due later this fall.

Also, Hoffman will give a second talk along with John Terrill on the possibility of a Web-based Ajax-enabled worm and how antivirus companies might cope with it; Greg Hoglund will give a talk about reverse engineering; Adam Laurie will talk about RFID vulnerabilities; Gadi Evron will discuss the supposed cyberwar in Estonia; and retired Special Agent Jim Christy will host a regular feature called "Meet the Feds."

At the end of the second day, F-Secure's Mikko Hypponen will talk about mobile phone vulnerabilities. Meanwhile, Brian Chess and Jacob West will have some fun with something they're calling "Iron Chef Black Hat," a session where two different methods of vulnerability testing will be used to try to discover the "secret ingredient" nestled within an open-source application.

All Black Hat events are being held here at Caesar's Palace. A sister conference, DefCon 15, will run Friday through Sunday at the Riviera Hotel, also in Las Vegas.

Google hires browser hacking guru

Google hires browser hacking guru by ZDNet's Ryan Naraine -- Google has snapped up one of the sharpest minds in the hacker community, luring Michal Zalewski to help lock down its long list of Internet facing products.