winter scripting games: events 5 and 6

This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won’t be upset if you skip this post. I’m posting only because this will mark my first exposure to PowerShell.

Beginner Event 5 can be done rather easily in vbscript. I needed to convert a string into a hexadecimal array and then back into a string. I was able to make the first conversion, but couldn’t work out how to go backwards. I actually couldn’t get from hex to ASCII code, but I could easily get the rest of the way back to a real string of readable characters. Oh well.

$r = “It was the best of times…you know the rest.”
$a = $r.ToCharArray()
$h = @()
$v = @()

for ($i=0;$i -le $a.length;$i++){
$x = [int][char]$a[$i]
$h += “{0:X}” -f $x
}
$h

for ($i=0;$i -le $h.length;$i++){

# $y = [byte]$h[$i]
# $y = “{0:D}” -f $h[$i]
# $y = [Convert]::ToString($h[$i],16)
#this is the last part $y = [char][int]$h[$i]
$y

}

Beginner Event 6 just wanted some key words to be filled into an incomplete script found at the link above. I think my answers were correct…and if not, the program did run as expected anyway.

1. -eq
2. }
3. foreach
4. continue (although this can just be left blank too)
5. While
6. Switch

Advanced Event 5 wanted an Access database opened, then some math computations made, namely the min, max, mode, median, and mean values. Now, this can be very easy in other languages, but for some reason either PowerShell does not have these helpers built in yet, or I wasn’t able to find how to do it properly. Either way, here it is. If you really delve into my code, you can see that by the time I did the median, I was using better techniques than I had been using earlier. If I wanted to, I could rewrite the max and min sections much smaller now, I think.

$adOpenStatic = 3
$adLockOptimistic = 3
$objConnection = New-Object -comobject ADODB.Connection
$objRecordset = New-Object -comobject ADODB.Recordset
$objConnection.Open(“Provider = Microsoft.Jet.OLEDB.4.0 ; Data Source =
/scores.mdb”)
$objRecordset.Open(“Select * from Results”,
$objConnection,$adOpenStatic,$adLockOptimistic)

####### START MEAN #######
$objRecordset.MoveFirst()
$i,$avg = 0

do {
$avg += $objRecordset.Fields.Item(“Score”).Value
$i++;$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

$avg = [math]::truncate($avg / $i)

####### START MIN #######
$objRecordset.MoveFirst()
$max = 0

do {
if ($objRecordset.Fields.Item(“Score”).Value -gt $max)
{ $max = $objRecordset.Fields.Item(“Score”).Value}
else { }
$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

####### START MAX #######
$objRecordset.MoveFirst()
$min = $max

do {
if ($objRecordset.Fields.Item(“Score”).Value -lt $min)
{ $min = $objRecordset.Fields.Item(“Score”).Value}
else { }
$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

####### START MODE #######
[int[]]$modearray = @()

for ($n=0;$n -le $max;$n++)
{$modearray += 0
}
$objRecordset.MoveFirst()

do {
$n = $objRecordset.Fields.Item(“Score”).Value
$modearray[$n] = $modearray[$n] + 1
$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

$modemax = 0

for ($n=0;$n -le $modearray.length;$n++)
{
if ($modearray[$n] -gt $modemax)
{ $mode = $n; $modemax = $modearray[$n]}
else { }
}

####### START MEDIAN #######
[int[]]$medianarray = @()

for ($n=0;$n -lt $i;$n++)
{$medianarray += 0}

$n = 0
$objRecordset.MoveFirst()

do {
$medianarray[$n] = $objRecordset.Fields.Item(“Score”).Value
$n++;$objRecordset.MoveNext()}
until ($objRecordset.EOF -eq $True)

$medianarray = $medianarray | sort
$median = $medianarray[$medianarray.length/2]

####### START OUTPUT #######
Write-host “Mean: $avg”
Write-host “Mode: $mode”
Write-host “Median: $median”
Write-Host “Highest score: $max”
Write-Host “Lowest score: $min”

$objRecordset.Close()
$objConnection.Close()

Advanced Event 6 wanted a nicely formatted 75-column block of text. I really didn’t know what to do here.

winter scripting games: events 3 and 4

This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won’t be upset if you skip this post. I’m posting only because this will mark my first exposure to PowerShell.

Beginner Event 3 was a pretty easy exercise in picking out what item in a series is not like the others. I’m sure this can be done in less code, but this made the quickest sense to me with the least effort.

$a1 = “monday”, “MONDAY”, “monday”
$a2 = “TUESDAY”, “tuesday”, “tuesday”
$a3 = “WEDNESDAY”, “wednesday”, “wednesday”
$a4 = “thursday”, “thursday”, “THURSDAY”
$a5 = “friday”, “FRIDAY”, “friday”

$x1a = [String]::Compare($a1[0],$a1[1],$False)
$x1b = [String]::Compare($a1[1],$a1[2],$False)
$x1c = [String]::Compare($a1[0],$a1[2],$False)
if ($x1a -eq 0){“a1: third”}
elseif ($x2b -eq 0){“a1: first”}
else{“a1: second”}

$x2a = [String]::Compare($a2[0],$a2[1],$False)
$x2b = [String]::Compare($a2[1],$a2[2],$False)
$x2c = [String]::Compare($a2[0],$a2[2],$False)
if ($x2a -eq 0){“a2: third”}
elseif ($x2b -eq 0){“a2: first”}
else{“a2: second”}

$x3a = [String]::Compare($a3[0],$a3[1],$False)
$x3b = [String]::Compare($a3[1],$a3[2],$False)
$x3c = [String]::Compare($a3[0],$a3[2],$False)
if ($x3a -eq 0){“a3: third”}
elseif ($x3b -eq 0){“a3: first”}
else{“a3: second”}

$x4a = [String]::Compare($a4[0],$a4[1],$False)
$x4b = [String]::Compare($a4[1],$a4[2],$False)
$x4c = [String]::Compare($a4[0],$a4[2],$False)
if ($x4a -eq 0){“a4: third”}
elseif ($x4b -eq 0){“a4: first”}
else{“a4: second”}

$x5a = [String]::Compare($a5[0],$a5[1],$False)
$x5b = [String]::Compare($a5[1],$a5[2],$False)
$x5c = [String]::Compare($a5[0],$a5[2],$False)
if ($x5a -eq 0){“a5: third”}
elseif ($x5b -eq 0){“a5: first”}
else{“a5: second”}

Beginner Event 4 just wanted a nicely formatted list of running services.

get-service | where-object {$_.status-eq “running”} | format-table
-property DisplayName, Status -auto

Advanced Event 3 involved a program to make change in various demoninations. Not too bad, and I was pretty happy with my initial formating of the input.

$a = Read-Host “Enter your dollars”
$a = $a -replace(“\$”,””)
$a = $a -replace(“\.”,””)
$a = 5000 – $a
$change = $a / 100
$change = “{0:N2}” -f $change

$tens = $a / 1000
$tens = [math]::truncate($tens)
$a = $a – $tens * 1000
$fives = $a / 500
$fives = [math]::truncate($fives)
$a = $a – $fives * 500
$ones = $a / 100
$ones = [math]::truncate($ones)
$a = $a – $ones * 100
$quarters = $a / 25
$quarters = [math]::truncate($quarters)
$a = $a – $quarters * 25
$dimes = $a / 10
$dimes = [math]::truncate($dimes)
$a = $a – $dimes * 10
$nickels = $a / 5
$nickels = [math]::truncate($nickels)
$a = $a – $nickels * 5
$pennies = $a / 1
$pennies = [math]::truncate($pennies)

Write-Host “Change returned: $change”
Write-Host “Tens: $tens”
Write-Host “Fives: $fives”
Write-Host “Ones: $ones”
Write-Host “Quarters: $quarters”
Write-Host “Dimes: $dimes”
Write-Host “Nickels: $nickels”
Write-Host “Pennies: $pennies”

Advanced Event 4 was also fairly easy and fun in attempting to map out the various chinese new year animals. I did it a slightly harder way than they gave in their answer.

$a = Read-Host “Enter your year”
$a = $a -1900
$b = $a / 12
$b = [math]::truncate($b)
$b = $b * 12
$a = $a – $b

switch($a)
{
“0”{$answer=”Rat”}
“1”{$answer=”Ox”}
“2”{$answer=”Tiger”}
“3”{$answer=”Rabbit”}
“4”{$answer=”Dragon”}
“5”{$answer=”Snake”}
“6”{$answer=”Horse”}
“7”{$answer=”Goat”}
“8”{$answer=”Monkey”}
“9”{$answer=”Rooster”}
“10”{$answer=”Dog”}
“11”{$answer=”Pig”}
}
Write-Host $answer

the problem with fuzzing as a security posture

Mike Rothman mentioned fuzzing today which prompted me to post a thought of my own. Fuzzing is not a security posture.

Fuzzing pretty much means throwing all sorts of “things” at an application either in input fields or network ports, and so on. This is something any dummy can run. But fuzzing results are an order of magnitude more difficult to determine if an issue is really a vulnerability. This isn’t the same as looking at an open port reported by Nessus or a missing patch reported by MBSA. Not only that, but fuzzing is not as fast as even an nmap scan on a network. The setup and execution are longer.

Once you get the results, oftimes you will need some memory management skills to determine if a bug will actually pop the stack properly, and then craft an exploit to prove the issue. Otherwise you might just have found some lame bug that closes the application (DoS), or less. If we raised the alarm on every issue a fuzzing found, we wouldn’t be having “Month of X Bugs,” but rather multiple “Years of X Bugs.” Check out the comments on some of those posts to see the contention some people make on whether a fuzzed result is truly exploitable or not.

Fuzzing is not terribly difficult. Interpreting the results takes an expert, unlike other scanning methods. Fuzzing won’t be a part of most IT shops or even developer circles for a long time until they start learning what happens in the OS/memory and not just doing their interpreted coding to do task A and move item B. Even QA will be hard-pressed to be given training and time to perform real fuzzing in all but the most critical and rich organizations.

comment spam

Of course it is only a matter of time, but I have slowly seen a few comment spam posts on my blog here. This is an itneresting way to see the growth of comment spam and make a few observations.

First, I’ve only seen comment spam on just a few of my posts, and typically over a week I’ll get about 10 comments on just those posts, no others. Odd, especially since two of them even pre-date this URL and site (posts ported over from my older site). I would almost think I am just getting collateral damage from a link to my site from somewhere else, but no one links to those posts that I can see. I might have to analyze my logs a bit deeper just out of curiosity. They are also almost all in chunks and only yesterday did they start getting past the junk comment filters in MovableType.

1/09 – 1/21 spam came to html in email from 12/2006
1/22 spam came to malware analysis: free video codec from 11/2006
1/31 – 2/07 spam came to illustrated guide to cryptography from 6/2006
2/02 – today spam came to remoteregistry issues from 8/2004
2/13 – today spam came to turn off ssdp and upnp from 8/2004

Second, I thought about changing their spam comments to something like, “My IP is blah and I tried to post comment spam.” But that itself is spammy and won’t scale. Or post regularly about my spammers, but again that is spammy itself and likely are just “innocent” bots.

I think I’ll just keep deleting them, but I am happy with MTs ability to score comments and hold them Unpublished if there is too much HTML in the comments. Also, there are limits to the length of certain fields which no legitimate poster should bump against, but spammers might hit. Still, some do get through, though. I also like that I can subscribe to an RSS comments feed which will show me published and unpublished comments readily and I can catch these things.

scripting games day 1 and 2: feet are wet

This post is just about my time with PowerShell for the 2007 Winter Scripting Games. If you have no interest, I certainly won’t be upset if you skip this post. I’m posting only because this will mark my first exposure to PowerShell.

The games have begun. Event 1 in the Beginner’s section basically wanted the creation of a message box (dialogue box, pop up box, et al) that changed a few attributes and did something based on the return behavior. My code looked like this:

[System.Reflection.Assembly]::LoadWithPartialName(“System.Windows.Forms”)
$answer = [System.Windows.Forms.MessageBox]::Show(“Do you want to continue?”, “Continue Processing”, “YesNo”, “Question”)
if ($answer -eq “yes”)
{echo “Yes – Processing will continue…”}
else
{echo “No – Processing stopped”}

Nothing really special there. The only bad part is that I wasn’t able to bring the pop up box to the front, although some Googling turned up that this is a known issue that can be solved with vbscript.

Beginner Event 2 was a series of questions, each scored independently. In one column were ten classes, and in a second column were ten properties. The question is to match the classes with their properties. Not so bad. While I could eyeball this list and likely get an easy 8 of 10 correct, a couple would have required guesses. However, there is an easier way to do this:

get-wmiobject [class] | get-member

Replace [class] with the class name and look through the list for the matching terms.

Now, because of my success in the Beginner Events, I thought I would try my hand at the Advanced Events, which are definitely more up my alley as long as they stay in the “logic” arena as opposed to knowing my way around all the various obscure commands and methods and objects in PowerShell that I don’t know yet.

Event A1 wanted to convert from Roman Numerals to regular numbers. This actually proved more interesting than I thought it would be, and my eventual program, while satisfying the requirements, would not hold up to invalid input, error checking, or additional roman numerals above M.

$r = Read-Host “Please enter a Roman numeral:”
$a1 = $r.ToCharArray()
$a2 = @()
$value = 0

for ($i=0;$i -le $a1.length;$i++){
Switch ($a1[$i]){
“M” {$a2 += 1000}
“D” {$a2 += 500}
“C” {$a2 += 100}
“L” {$a2 += 50}
“X” {$a2 += 10}
“V” {$a2 += 5}
“I” {$a2 += 1}
}
}

for ($i=0;$i -le $a2.length;$i++){
$v1 = $a2[$i-1]
$v2 = $a2[$i]
$v3 = $a2[$i+1]

if ($flip -eq 1){$value += ($v2 – $a2[$i-1]);$flip=0}
elseif ($v2 -ge $v3){$value += $v2}
else {$flip=1}
}

Write-Host $value

Event A2 was simpler even though I had more trouble finding the information I needed (syntax, really). Find the number that when multiplied by 3 would give the smallest answer that consists of nothing but 4s. The answer is 148, and while I could create a script to find this by iterating through every number by multiplying it by 3 and check if the answer is all 4s, or even start with 10 4s and divide them by 3 all the way down to the lowest, but I eventually decided I wanted to just build a string of growing 4s and check each one to see if it was evenly divisible. Sadly, when I submitted my entry I made the mistake and echoed out “444” instead of the needed “148.” D’oh! I was too excited about figuring this one out!

$a = @()
do {
$a += 4
$b = [String]::join(“”,$a)
$m = $b % 3
if ($m -eq 0){
$x = $b / 3
write-Host $x}
}
until ($m -eq 0)

Not too shabby there, I hope! So far, that is very encouraging and my goal has expanded to not just completing the Beginner section, but to complete at least half of the points from the Advanced.

things get lost? no way!

So, the FBI is still losing laptops with sensitive information. What I really hate about this sensationalist news is things have been lost or stolen for decades upon decades. We have laptops and mobile devices and they will get lost. That’s fact and that’s going to be absolute. This is a classic example of a security incident that will happen. That means the real story here is about damage mitigation, disk encryption, and data management.

winter scripting games have begun!

“Thus in war, I have heard tell of a foolish haste, but I have yet to see a case of cleverly dragging on the hostilities. -The Art of War, Chapter 2: On Waging Battle

I take this to mean, do. Don’t wait around and throw sticks at information security. Do things. Get to work. Perform some action.

They have begun! I started in on the Beginner challenges and finished the first two rather quickly. Just for my own benefit (ego) I’ll post my own answers here after the deadlines. If nothing else, it will be just for me to document my own code and dive into PowerShell.

Since I did the two first beginner events, I thought I’d try out the Advanced ones. These are a lot more complicated for me as a beginner, but at least I know the logic and can think through things like how to get from problem A to solution B. Now I just have to look up each little step like getting input into an array, any nuances with variable types (if any) that PowerShell may have, proper syntax for ForEach loops and Switches, and basically working with arrays. I also need to see how it performs with null values or the ends of arrays. Thankfully, the PowerShell syntax so far seems very familiar and standard. I think I might be fine with a couple of the Advanced problems.

being a guru with new things

Just a quick word of advice, both to anyone reading and myself as well. If you find yourself at a point in your career where you have some good experience/knowledge and some free time to spend either in your job or just at home when geeking out, keep your eyes open for new things and grab onto them with both hands. Look for something new, learn it, and become one of the early gurus. Things like PCI knowledge, PowerShell, wireless technologies, FDE, Python, AJAX, VMWare, and many other things I have had the chance to see kinda appear and grow in my time in IT. And those people who latched on early and became gurus definitely end up being go-to guys either in their own company, the community, and possibly beyond. People you know normally suddenly are the “first” to really offer good insight and knowledge get noticed for that.

Just a note to look for in the future as technologies, languages, and practices continue to move forward. This might not mean you can become a highly paid consultant or start your own business, but at least keeping the above in mind might really grow you professionally and get you noticed in the community.

why do I stay updated on black hat techniques?

“Therefore, the business of waging war lies in carefully studying the designs of the enemy.” -The Art of War, The Nine Kinds of Terrain

Carefully studying the enemy motivations and plans and mindset but also knowing their machinations, technology, techniques, and habits. Every now and then I hear about how evil it is to have “hacking” books that shouldn’t be teaching all the techniques and steps. I don’t buy that and think that we need knowledge and study not only of security, but of insecurity so that we can assess risk and protections properly.

Another aspect of this quote is carefully studying a war in progress so that you can move intelligently. If you have an attacker in your network doing something bad, carefully study them so you know what they want, what defenses they may have already dug in, and be best able to defeat them. Just like a chess game that has developed from the start game into one side moving into an offensive position. Play as many steps ahead as your time and brain allow.

microsoft scripting games 2007

I work in a Windows environment. I’ll likely work with Windows in some form or other for my entire career, unless I get completely sucked into networking. And yet I don’t know Windows scripting. Oh the travesty! Seriously, I like programming, but I’ve never freakin’ properly learned Windows scripting. I think I will be taking a good hard look at the Microsoft Scripting Games 2007 to see how things work and maybe tackle a few of the easier challenges and get my feet wet. Really, I don’t need to be some guru that uses scripting day in and day out. You can get by with things like maintenence scripting quite well with just occassionally challenging oneself to script a little bit.

And I like challenges like these Games. There are some ways to learn in this field of IT security, support, and networking. One way is troubleshooting fires that are burning. You can only learn so much theory from other people, books, and mentors. But you have to put it into practice to really get it in this area (hence my occassional disdain for analysts, IT journalists, and people who jus repeat “best practices” ad nauseum). I particularly love challenges, puzzles, and friendly competitions that run the gamut of amazingly fun to very competitive to real-life-mirroring scenarios.

In fact, in the sidebar menu way towards the bottom I have links to various “hacking” and other challenges mixed into the “cons/training” section. I have been putting off moving the actual challenge type items down to the new challenges section. I love those things, and even if I’m late to the party or don’t know the answers, reading the practical solutions offers some excellent insight.

Anyway, I’ll see how my schedule looks and give the Microsoft Scripting Games a try my hands at it.

Someday, I may actually post my answers to various challenges past and present on either this blog, or more likely on my wiki. I find that while reading is great theory, and hands-on is great experience, being able to regurgitate the steps and lessons on virtual paper for others to understand is the last step. When you can teach someone something, you reinforce your learning of it, even if the audience is non-existent and you’re just recording it down in a place no one else will look, or describing it to a loved one who really doesn’t care but is a willing sounding board.

Some *real* quick links from a Google search:
Windows PowerShell
Getting started (vbscript)
PowerShell blog and links
PowerShell FAQ

favorable conditions at work…and play

“By ‘strategic advance.’ I mean making the most of favorable conditions and tilting the scales in our favor.” – The Art of War, Chapter 1: On Assessments

Definitely useful to make the most of good situations when dealing with security. If you suddenly get a budget or have a chance to make an incident into a growing experience, do it. Likewise, be ready to make the most of bad conditions. Budgets or internal issues should not stop necessary security from being cobbled together.

The supreme accomplishment is to blur the line between work and play.” -Arnold Toynbee

Thankfully, when I am with a company I like, work and play are very blurred. Ahh, the geek lifestyle! This quote can be very easily twisted and might make some people very upset because they value separating work and play, but all of us are different, and it has been my mantra in 2006 and ongoing into this year to enjoy my work so much that it feels like play, since I play what I end up doing at work anyway for now. I just want to enjoy the way I spend 1/3 of my day (which you can extrapolate to being 1/3 of the rest of my working life). I want to thoroughly enjoy my job, company, and team, and I likely won’t be settled until I find that balance.

linux as main box part 9: the bad

Going on about 5 months using Ubuntu as my primary laptop and things are still relatively good; good enough to stick with it. I do have a companion laptop with Windows XP that I use to stay sharp on XP, try out new stuff, and do the few things that Linux won’t do yet (particularly run my favorite P2P program, SoulSeek).

However, there are some growing concerns, particularly in how robust Linux can be as a desktop machine.

Ubuntu is sluggish. I’ve long noticed this, but only lately is it really grinding on me. Ubuntu with Gnome is not nearly as crisp to respond as my tried and true Windows machines. Nautilus is even slower and clunky and will sometimes hang when transferring 70+ files over an SMB connection on my network. Firefox 1.5.x (the kind Ubuntu 6.06 supports) is crashing or just having problems loading some content. Firefox on Ubuntu is far slower than Firefox on Windows, even on worse hardware, both on load and in serving content.

I’m going to stick with Linux because I really want to learn it, but I will say I don’t think it is yet ready to displace other OSs on the typical desktop. It still can’t do many things out of the box and it just is not as swift as Windows (assuming Windows is relatively free of spyware/adware). Linux has a long history of being appropriate for geeks, but Windows has a long history of meeting the needs of a vast majority of common users…and that’s where the desktop market is.

I am going to see if I can get Kubuntu 6.10 up and running on another box and try it out before I think about replacing my Ubuntu 6.06 install. Perhaps KDE will be more to my liking and I’m totally willing to check it out.

the training devil’s advocate

An article in InformationWeek has sparked some comments through the various security bloggers. I’ve decided to play devil’s advocate for a moment when it comes to user training. Basically, I’m just making a point or two, so don’t lambaste me too hard for being wrong or pessimistic. 🙂

the vcr clock dilemma
How many people do you know have a VCR/DVD player/Oven/Microwave clock that continuously blinks or is set to the wrong time? Ever wonder why? Typically, people don’t really care to be bothered with setting it after a power outage. Some people may have faulty power and have interruptions regularly, but most people just don’t care enough or maybe even find it cumbersome to change the time.

Similarly in security, not everyone wants to care about the technical ins and outs of security. They don’t want to be bothered in their life with technical details. It just might not be their thing, or, if they are adults, they just don’t have the time to become an expert. It is easy for us geeks to live this sort of lifestyle and to wonder loudly why people don’t educate themselves about their computer, just like it is easy for them to wonder loudly why we don’t get out more. 🙂 Some people tune their own cars and motorcycles, others take it to a shop to get fixed, and still others just let it all go to hell. Are those people idiots for doing that? Maybe the latter, but what if maintaining the car costs more than just letting it go and getting another junker? Basically speaking, we can’t make people care about their computers and put in enough time to become experts in a way that mitigates their risk. We all have friends who fall into this category, I’m sure.

the trampoline illustration
Most of us have likely seen or played on a trampoline at one time. You tell your kids to watch out and stay in the middle of the trampoline so that they don’t smack something on the side rails or outright fly off onto the less forgiving ground. Do kids really listen? Perhaps, but they still make mistakes or just plain do not heed warnings. Users are the same way, and who can blame them every time? Eventually, padding appeared on the supports and even a mesh apparatus encircled the play area like a cage for monkeys (which it kinda was). Now, kids can make a mistake and not have to learn from a broken bone.

This is technology in action. Where good common sense and training and all the words in the world may not have prevented every issue, technology has vastly mitigated the risk of injury and worry to parents. (Of course, there is something that can be said about their lack of developing restraint as they bounce against the mesh cage wildly or not learning by falling…)

Training is excellent to tell someone that a stove is hot. But some people touch it anyway. If your company cannot afford to have someone test the stove or play around near the stove and misjudge a distance or handfall, then you need to isolate the heat or the stove from the curious hands (technology). Many companies and employees cannot afford a mistake that technology could have prevented.


Now, all of that aside, training is important and will help augment technology. Training lessens user outrage at changes and restrictions they do not understand (at least for some, others will refuse to get it no matter what and just want their way). Training will help in those instances where technology cannot make the decision in a situation, and employees need to make better common sense decisions. Training will allow willing learners to become educated about technology and security at work and home. And training is even more necessary when talking about implementors of technology. Can you have untrained security guards make confident decisions about letting a C-level exec into the building with contraband or without a pass? Can you have untrained network admins building your firewall rules? Training shouuld definitely be mandatory for those people who touch or work with the technological security measures. But for the typical worker bee (no offense intended) employees, the effect of their education is still arguable.

some rhetoricals
The mishandling of data is one of the biggest problems, especially when we’re talking regular employees and their security infractions. But how can technology safeguard that? How can education safeguard that? How can social engineering ever be wiped out?

instant messaging in the workplace

I need to watch the episode that Scott Wright references for this post. Instant Messaging is a technology that is still in flux when it comes to corporate use, and I’m always curious on the views people have of it, and how companies use it.

My last company had very little interest in controlling the IT environment. As such, people used Yahoo, AIM, and MSN as they wished. Sales used it regularly, especially those people outside the offices at home or on the road. It really was very useful, even if I wasn’t so happy about it. Eventually the company moved to get a centralized (kinda compliant) IM system. We set up a Jabber server, privatized registrations, and got most everyone on that product. Sadly, too often critical business issues were communicated via IM rather than accepted and more loggable avenues of communication such as a ticketing system, phone, or in person searching for someone to assist. Eventually our team went “invisible” on the system because of the abuse and poor “handing-off” of issues via unresponded-to IM messages (and people got pissed that we would always kindly ask for a trouble ticket so that the issue would properly get logged for metrics and reporting). Also, there was widespread fear that we were logging conversations, which drove people away from Jabber. (I never did understand what people were talking about that they were scared it might be logged…besides which we never did turn on logging since no one asked us to do so.) Unfortunately, no one ever supported removing the other IM programs, so eventually Jabber fell by the wayside and only our networking team used it extensively, albeit with a lot of invisibility (hell, our team was geographically split anyway). The user-base then “found” Skype and started installing and using it, despite network team objections. Management had little interest in curbing that, despite the compliancy holes. This is an example of the users pushing technology and process due to indifferent management.

My current company has banned IM use. Not only are many systems limited in user rights and installed software, but my IPS and possibly the web proxy will actively block known IM traffic. Needless to say, we don’t use IM, but there is talk about evaluating its use, especially as we do a lot of travel business which regularly sees employees in some exotic locations.

What is the proper answer? I don’t think there is a universal answer and it will depend on the company, the business needs, and compliance issues. I do think, however, that IM will eventually continue its push into business. Email is broken as a technology and will very, very slowly be replaced with more IM/SMS technologies. I also think that IM is such an integral tool in our culture and lives that business really cannot just completely preclude it forever. I’d rather properly implement it now rather than later, do it properly, and reap the business benefits. Many people will argue about lost productivity, but I don’t think that will necessarily be the case, especially in a private IM system. Besides, if someone is going to screw around, they will screw around whether it is via IM or not.