.: January 2009 Archives
I've long enjoyed my 2-year-old Wi-Spy. I see they will be coming out with a Wi-Spy DBx "soon" for $799. If you sign up, I guess you get a coupon for $200 off when it is released.
Sadly, the price point moves this out of the "geek gadgets" realm and into an area meant for people who professionally test, monitor, or manage wireless networks. I actually do not manage a wireless network at my current job, so this gadget would really just be a for-fun deal. Even with the coupon, $500 is too high for a toy for me. But I wanted to mention it to remind me it is there, and give someone else the idea if they could use it and afford it.
by michael 01.02.09 at 11:12 AM in /general
Lee Hinman has a post on writequit.org about "De-gooling" himself, i.e. using tools other than those provided by Google. I commend this effort! Ever since Google went public I've trusted them far less (much like Yahoo) but have to grudgingly admit their tools are speedy and good for what I need. Unlike Lee, I'm not so open to accepting that Google has stuck to their "Do no evil" mission, but what can you expect when you suddenly have so many stakeholders holding your feet to the fire of profit? I completely share Lee's concerns over privacy with the Google-machine.
I've never heard of Scroogle as a search tool. I'm sold!
Note to self: Open a new account someday just as an RSS feed reader. Bonus points if I find a way to permanently proxy to it.
Read the rest of Lee's article for more ideas on replacing some Google tools.
by michael 01.02.09 at 1:56 PM in /general
I invariably seem to hear about the hacker challenge stories on the EthicalHacker site only after the deadlines have passed. I'm not sure if I'm the one who is behind or if it has anything to do with the headache-inducing site they have which looks like a freakish juxtaposition of a forum with news script software from 1998 (yet powered by Joomla!). Great books! Messy site!
At any rate, their latest challenge is up, and hopefully the chosen answer will be posted sometime soon!
by michael 01.02.09 at 4:11 PM in /general
Well played indeed. In my posts discussing the recent MD5 hack that led to a rogue CA, I neglected to give the utmost credit to the researchers involved. These guys did an amazing job to not only recognize and develop the attack, but to actually execute it, dodge the legal questions, and present their findings at CCC.
And you gotta wonder what it would feel like to have in your hands a rogue CA that can break the trust people have in the web. That definitely has to be an awesome feeling, and I think we all owe the guys a weekend a beer!
by michael 01.03.09 at 6:15 PM in /general
PacketLife.net has a January contest posted. From the packet capture given, determine the IOS version of one of the systems.
by michael 01.05.09 at 3:01 PM in /general
Blog post from Abe Getchell on creating a covert channel over SMTP by using the X-Spam-Report (and related) email headers to embed a message in what otherwise can look like spam messages. Adding value beyond just the issue itself, Abe drops a Snort rule to detect his example at the end of the post.
by michael 01.07.09 at 11:29 AM in /general
For future reference, SourceMap: "SourceMap is designed to scan to a port from multiple different source ports, to aid in finding weaknesses in firewall rule sets. It is possible to scan ports on a host from all 65535 source ports, something that nmap could not do. SourceMap is a multi-threaded perl wrapper around nmap."
by michael 01.07.09 at 4:28 PM in /general
What is the next "Web?" Well, probably immersive virtual environments, even though it seems a bit counter-intuitive on some levels. For instance, Sony's Home will be interesting to watch develop. On some levels virtual environments work, like online training experiences or meetings. On some levels I imagine it doesn't work: going to an arcade in Home just to play a game...why the extra lobby/step?
by michael 01.11.09 at 6:43 PM in /general
What is it about the Internet that has most changed our lives and society? Well, I would surmise that it is our ability to self-serve information-finding. In 1990, what did we depend upon for information? Today, I can self-serve by looking it up.
by michael 01.11.09 at 6:46 PM in /general
When posting a quick series on a blog, which number do you start with? Do you use "1" for anyone who gets updates and reads them immediately, or reads them from oldest to newest? Do you start with the last one, so it reads properly in a reader or on the blog itself? Do you make it all one post, which diminishes the stand-alone value of all points? (Kinda like mashing 4 ideas into one paragraph, the first and maybe last get special value and the rest are mushy potatoes in the middle.) Ultimately, blogs fail...but hey, we all have things to say, even if no one is listening.
by michael 01.11.09 at 6:48 PM in /general
A couple points I want to throw out for a Monday:
1. Security takes knowledge.
2. Security takes time.
3. Insecurity arises when shortcuts are taken. (Yes, you fall into this area, web developers!)
4. It is no surprise security permissions (in general) are lax, because they suck to manage.
5. We all started in a place where we didn't have expert knowledge.
6. Don't overinflate your abilities. This is where 'paper CISSPs' harm our field, not because they aren't experts yet, but because they profess to know more than they do.
In recent weeks, Snosoft's (Adriel Desautels) blog has delved into the topic of fraudulent security experts and how corporations can tell if they have a quality security expert (or vendor). I applaud the effort, even if he is preaching to the choir and may be tackling issues that are universal and have no absolute "oh-my-god-epiphany-that-will-change-the-world" answers. Those posts and a headache-inducing security permissions issue I tackled today prompted this post.
I had a longer essay presenting those 5 topics above, but I think I'll just let them sit alone. Anyone reading my blog can either outright agree, or think for themselves on how those points apply. Just one hint: "knowledge" can refer to both technical as well as business knowledge.
by michael 01.12.09 at 1:31 PM in /general
Linkage to The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (pdf). I clicked through thinking, "Wow, 25, did you leave enough out to make a 'Bottom 25'?" But as I skimmed through it, it seemed like a pretty logical listing and a decent read as well. If I had a suggestion, it would be to dump the cute analogies in the Discussion sections of each entry and replace it with a technical example or two.
And include, "economics" and "shortcuts" and "cheap coders" as dangerous errors too. :)
by michael 01.13.09 at 1:47 PM in /general
I'm finally getting around to reading the NetworkWorld article that cited Fortify Software Inc. co-founder Brian Chess as essentially saying that penetration testing as we know it today is dying/dead. The article further states, "Customers are clamoring more for preventative tools than tools that simply find the weaknesses that already exist, he said. They want to prevent holes from opening in the first place."
Talk about confusing!
I think the assertion is correct that customers want preventative tools. I want preventative tools wherever possible. But I think there are three incorrect assumptions here. First, that preventative tools can possibly prevent or even anticipate every potential hole (or even most of them!). Second, that preventative tools are something more than just a band-aid on other issues. Third, that companies know all their weaknesses already.
The article (and Mr. Chess) make it sound like the security buck stops at "preventative tools."
There is value in preventing issues, but there is no way penetration testing is going away or even beginning to die or dwindle for many years. Too many corporations still thirst for knowledge on their security stances and weaknesses, or for more leverage to higher-ups for budgets or project direction.
Prevention, detection, testing...these and more are all parts of a solid security posture. No one trumps the others, nor does one lag behind as dying or even changing.
Here are a couple statements on my view of pen-testing.
If you have little existing security, pen-testing helps give direction and information on where to make improvements.
If you have a security plan in place, pen-testing helps give third-party validation to the results, while also potentially exposing weaknesses that were overlooked (the more eyes that read this post, the more we can say all the typos were caught!).
by michael 01.13.09 at 2:12 PM in /general
Articles like this one on the IRS in NetworkWorld (channeling a GAO report) often leave me shaking my head in disgust. And no, it's not because the IRS has security issues (we all do!).
"The GAO said the IRS had mitigated 49 of the 115 information security weaknesses that the GAO reported in early 2008."
Fine, I agree we need to keep nipping at the heels of the people who should be securing digital assets.
But I disagree with the general tone of this article that implies three unhealthy things to me:
1. "Let's hire contractors to knock away these final 49 items, and that will be when we release them." - I don't like this because it implies what much of business thinks: Put in the time, and then it's done, game over, let the contractors all go. Yes, some things in security require time and then you're done for that technology cycle, but too much has to be ongoing. It is dangerous to put too much emphasis on a milestone like this. People and oversight and maintenance are probably more important than the initial implementation. There's really less breathing easy after you check those last 49 things.
2. "Man, just do those final 49 things. All it takes is to just flip that switch and turn those things on." - Security often takes time, especially in a large, critical entity that likely cannot absorb long downtimes or huge sweeping changes. Even in small companies, relatively "simple" things like permissions can result in dramatic business changes. They may be necessary, but they are not often quick.
3. "There are only 49 weaknesses left, and then we don't have to worry anymore." - This gets back to point 1, but with a subtle difference: it is not treating the checkmarks as a milestone, but rather assuming the checkmarks are all you ever need to do.
The article may mean well, but I find it implies a dangerous, unhealthy tone and attitude. It really is not just the article, but all checklist-driven security eventually reaches that tone when overemphasized.
by michael 01.14.09 at 2:09 PM in /general
To circle back around to an earlier link to a packetlife challenge/contest notice, the answers are now up. What did I learn? Well, I didn't know Wireshark could decode SNMPv3 data if I had the proper info. In fact, I couldn't even do it with my installed version of Wireshark. I had to update to get the features. Cool challenge. Simple, but not necessarily elementary.
by michael 01.15.09 at 1:04 PM in /general
If you want to get my feathers ruffled up a bit, bring up the topic of SSL and browsers. The whole situation is a mess, and I blame the browser makers (and partially our extended use of the web outpacing SSL updates) for muddying up the waters. Did we *really* need EV SSL and browsers throwing error messages on *everything* that wasn't EV SSL? It's just silly... Half the problems (sure, that's my scientific measure) with SSL arise because of the browsers and the "market" for PKI. Sure, for consumers, they should be on the lookout for self-signed certs. For geeks that manage network devices and internal sites, self-signed certs are a daily reality.
I need to stop on that rant before I look more foolish than normal!
A new site, SSLFail.com, by Marcin, illustrates the issues SSL and web browsers (and admin teams that try to manage them) have. Not only does the site present images of failures in SSL usage, but it also has informational posts if you want to learn more about SSL and the nuances involved with it. To be honest, if you manage any device that uses SSL (web, network, VPN...), I'd suggest checking the site out. Hell, even if you just like to sit back and laugh at the security failures (or admin issues) other people have, check it out, too!
by michael 01.15.09 at 1:41 PM in /general
Joel Spolsky recently posted his latest inc magazine article dealing with the topic of performance rewards. While I think he dropped the ball on the actual reward he offered, I feel he has good food for thought on the subject. Questions like:
How do you measure performance and contribution?
If you measure, how do you know you're measuring enough pieces to get a proper view of the employee?
How do you reward contribution without stepping all over your other employees?
How do you reward such that a competitor can't just match it and steal away the employee?
How do performance rewards influence the attitudes of the other employees?
Should you reward based on how their updated resume would look to someone else?
Do you want to run a socialist or capitalist company? (Ok, I'm stretching it there!)
I think Joel has a good approach when he talks about the intrinsic and extrinsic motivations. Money and peer recognition are cool, but ultimately geeks like me derive their motivation internally because we love what we do and want to do it well. Obviously, that is not for everyone or every company.
Why do I think Joel dropped the ball with his example? Because that intern walked away with absolutely zero reward from Joel; instead walking away with what amounts to a coupon for a store you may or may not want to shop at again. Granted, his real reward (especially as an intern) are the line items on his resume and knowing Joel was impressed. I'm also not a big fan of 'stock' in its various forms. I'm not a huge fan of only doing peer recognition (unless it winds up as a resume line item) because it really has little monetary value (the fundamental reason almost everyone works) and can become so unvalued in other ways over time and if mismanaged. And I can go both ways when it comes to performance-based rewards.
Obviously Joel does other little things beyond direct monetary compensation to make work enticing and fun for his programmers; making it a place they *want* to work. So maybe he doesn't truly need to think too hard about monetary performance-based reward schemes and instead keep doing what he does. Maybe give Noah an extra gift of some sort, but don't otherwise break the cooperative culture that he obviously values. Maybe the reward or lack of one should not be a reason his workforce remains present and motivated.
At the bottom of the article, click the link to go to the base page if you want to read other comments posted directly to the article.
by michael 01.19.09 at 10:44 AM in /general
A SANS Diarist (Daniel Wesemann) details going from a packet capture to binary recovery to malware investigation. I'm particularly keeping this for the packet cap to binary conversion. One of many ways to skin the cat (skin the cap?).
by michael 01.20.09 at 12:51 PM in /general
I sometimes skip posting about major events for a few reasons, two of which are that I hate sounding like I'm just repeating what everyone else says, and that anyone who reads my blog should be involved enough to not use my blog for breaking news.
Anyway, the Downadup/Conficker worm has arrived and made its way into the mainstream media. I posted some info to my team and boss about it this weekend. Here are some links to more information (the more the better, especially for the analysis since no one source seems to get it all).
Really, this whole worm occurrence begs the age old question, "Did you update when you were told? Did you even know this was brewing?"
For us, this is still a somewhat non-event, although the widespread reality of this worm raises my concern over incoming laptops and VPN connections from home users, but not enough to keep me up at night, yet.
by michael 01.20.09 at 1:28 PM in /general
I see Krebs has posted about an astoundingly large payment processor data breach at Heartland Payment Systems that may affect 100 million credit and debit card accounts. By the way, do as I do: use your credit cards only when you need to! I don't even use a debit card.
Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.
Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.
Some questions I have:
So, how did malicious code get installed and run unfettered for as long as it did?
What led to the suspicions that a breach had occurred? It sounds like the malicious code was found only *after* experts were called in. Why were they called in?
What breakdown led to all of this? I hate asking this question, since too often we get zero details on how these things truly happen, as companies, people, and legalese cover it all up leaving the rest of us unable to truly learn from their mistakes.
Was the firm PCI compliant? This is mostly a trivia question, but it will get asked so I might as well join in. PCI compliant or not, there *will* be incidents, even large ones. But it is useful to see if PCI or compliance in general is just not working as the means and end. PCI and any compliance should be an "oh yeah, we got this on the road towards being more secure," as opposed to being the driver or the goal.
What could have prevented or, better yet, detected this issue? This is part of the "let's learn from their mistake" that never gets truly answered. I imagine some egress monitoring should have helped...100 million transactions a month all going back out to one or a couple locations should have been spotted, right? And if you do *that* much business, you should have damned good monitoring on systems for processes and digital integrity, right?
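As a worked version of the egress point above, here is an added example of my own (not from the Krebs article and not Heartland's setup) that runs two checks over constructed flow records from a monitored segment: destinations outside an egress allow-list, and per-destination volumes far above the segment's median, plus a fan-in ranking so "everything going to one or two places" stands out. Networks, flows and the threshold factor are all constructed.

```python
"""Egress check over flow records: policy (destination not in the allow-list),
volume (per-destination bytes far above the segment median) and fan-in per
remote host. Added example; networks, flows and thresholds are constructed."""
import ipaddress
from collections import defaultdict
from statistics import median

MONITORED = [ipaddress.ip_network("10.20.1.0/24")]          # card-processing hosts
ALLOWED = [ipaddress.ip_network("10.0.0.0/8"),              # internal
           ipaddress.ip_network("198.51.100.0/24")]         # acquiring-bank VPN
POLICY = "destination outside egress allow-list"

# ts,src,dst,dport,bytes_out   (constructed flow export, not real traffic)
FLOWS = """\
1232470000,10.20.1.11,10.20.2.5,1433,48211
1232470010,10.20.1.11,198.51.100.7,443,90400
1232470020,10.20.1.12,10.20.2.5,1433,51990
1232470030,10.20.1.12,198.51.100.7,443,88120
1232470040,10.20.1.13,10.20.2.5,1433,47730
1232470050,10.20.1.13,198.51.100.8,443,91305
1232470060,10.20.1.14,10.20.2.5,1433,50018
1232470070,10.20.1.14,198.51.100.7,443,89940
1232470080,10.20.1.14,203.0.113.77,443,3145728
1232470090,10.20.1.14,203.0.113.77,443,2097152
1232470100,10.20.1.11,10.20.3.9,445,1200
1232470105,10.20.1.11,203.0.113.5,80,900
1232470110,10.20.1.12,203.0.113.77,443,2621440
"""


def parse_flows(text):
    """Parse the comma-separated export above into dicts with ip_address objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "dport": int(dport),
                      "bytes": int(nbytes)})
    return flows


def _in(addr, nets):
    return any(addr in net for net in nets)


def pair_totals(flows, monitored=MONITORED):
    """bytes_out per (src, dst) for sources inside the monitored segment."""
    totals = defaultdict(int)
    for f in flows:
        if _in(f["src"], monitored):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return totals


def egress_alerts(flows, monitored=MONITORED, allowed=ALLOWED, factor=10):
    """One alert per (src, dst) pair that breaks policy or exceeds factor x the
    segment's median per-destination volume; returns (src, dst, bytes, reasons)."""
    totals = pair_totals(flows, monitored)
    baseline = median(totals.values())
    alerts = []
    for (src, dst), total in sorted(totals.items()):
        reasons = []
        if not _in(dst, allowed):
            reasons.append(POLICY)
        if total > factor * baseline:
            reasons.append("volume %dx segment median" % int(total / baseline))
        if reasons:
            alerts.append((str(src), str(dst), total, reasons))
    return alerts


def fan_in(flows, monitored=MONITORED):
    """Remote destinations ranked by bytes received from the whole segment."""
    per_dst = defaultdict(int)
    for (_src, dst), total in pair_totals(flows, monitored).items():
        per_dst[str(dst)] += total
    return sorted(per_dst.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    data = parse_flows(FLOWS)
    for alert in egress_alerts(data):
        print(alert)
    print(fan_in(data)[:3])
```

The median baseline is deliberately computed from the same window it judges; on a real export you would keep a rolling baseline from quiet days so that a long-running leak does not raise its own threshold.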
by michael 01.20.09 at 1:46 PM in /general
I just want to post and save a link to a discussion/essay that RSnake has written. In it, he talks about increasing the penalties for digital crime, maybe to an exaggerated level. It is worth a good read along with the comments.
Like security, I'm of a mind that there is no "solving" of digital crime in general. It is a fact of life and we have to find a moral equilibrium, just like any law enforcement category.
Sadly, I think the only way RSnake's approach will work is if we remove one of the fundamental drivers of what makes many of us even use the Internet: the privacy. To achieve better punishments for more criminals, we absolutely must remove the anonymity, privacy, and transparent digital borders between nations.
This all goes back to what your "security religion" is. Are you a glass-half-empty kind of guy? Are you an "it's not secure unless it is absolutely secure" sort of guy? Or are you a glass-half-full person who sees value in partial security or incremental steps towards a goal that doesn't need to be absolutely attainable? This is not just fundamental to a consistent approach to security solutions, but also fundamental to our attitude in our careers.
by michael 01.20.09 at 2:32 PM in /general
The site SSLFail has rekindled my disdain for the "Extended Validation SSL" farce. It sounds lofty to have a CA validate that you are who you say you are, but all they really do is make sure you are a corporation or entity of some sort. After which (at least for the CA I use, which is one of the major 3), I can order as many EV SSL certs as I want and apply them to any domain that I can register. That includes domains that look like they might belong to someone else, i.e. their brand. I do this on a weekly basis for our clients. I'm not affiliated with company XYZ, but I sure can register a domain and purchase an EV SSL for it!
The first time my company acquired an EV SSL, it required some extra jumps through vague hoops. All I know is that it required a call to our main phone line (someone who claimed to be a receptionist) to then talk to one of the persons on our company charter (?) over the phone (someone who claimed to be the CFO). In our case, of course, these people were legit, but phone verification is ridiculous. I'm sure the CA looked up other things, but really the only information given was our incorporation date and entity type (corporation).
I imagine if I were a sole proprietor or LLC I'd still get approved, or at least an agent of mine would get it approved if they ran my web presence and I wanted EV SSL. Besides, like Blizzard not having real incentive to blacklist accounts or credit cards used to purchase exploitative accounts (read this book), what incentive is there for a CA to turn away my desire to purchase an EV SSL? Hah. Integrity and trust? Only if the process were totally transparent!
The point is, I'm less than impressed by the money-making scheme that EV SSLs are. And even less impressed by browsers forcing this adoption. It really is maybe the first time I think Firefox has failed me.
by michael 01.21.09 at 1:53 PM in /general
There's a comment over on Mogull's blog post for the Heartland Payment Systems incident that was announced the other day. I wanted to link to it quick and highlight it. I won't post the name or even copy the comment itself, but rather paraphrase (I'm just avoiding searches, especially if the comment gets removed later):
I have worked for the company for many years. They cut corners. They have big problems internally.
For the moment, let's assume this comment is truthful and legit. A couple points I will use this for:
1. You get the real story on security the farther down into the trenches you get.
Yes, you get far less actual risk management and ability to accept risk, but you get the real deal down with the techs who have their fingers on the pulse of the network and systems and processes. Any respectable security posture should include information-gathering from them.
2. Look behind the curtains of any company, and I would estimate that 99% cut corners, even up to making very huge mistakes or oversights.
This is why pen-testing is not going away or beginning to die. This is economics, really, and part of the superficial facade that a business can throw up to anyone looking too closely. A role-play exercise for a security posture should be to pretend your systems and processes are suddenly transparent. What would the experts point out? What would Mike Rothman do? (Along the lines of "What would Brian Boitano do?") This might throw eggs at "some security through obscurity," but assume that still gives value and can be only looked at lightly. Really, the role-play should expose the real problems.
3. Is it possible for PCI to improve a poor security posture that has been an active choice for that entity?
If a company is cutting corners, choosing to accept risk poorly, or simply incompetent, I would bet they will actively make sure PCI doesn't catch it, or outright lie, fudge, or (hah) cut corners with the Assessor.
*"Cutting Corners With Security" reminds me too much of the book series that might read, "How to Cheat at Securing Your Shit."
by michael 01.21.09 at 4:34 PM in /general
I don't get it, but I admit I've not tried all that hard.
I actually don't get "cloud computing." No, I know the basic principles, but I don't get why I need it, would ever want it, or ever care. Like "distributed computing" in an enterprise, it sounds economical in theory, but it seems otherwise impractical in the real world.
I understand that standard services can be outsourced/offloaded/clouded (depending on what era your marketing terms come from), like DNS or web acceleration or proxying. Or an Amazon storefront. Or CMS software. Or backup services from your data center. Whether I am Joe Blow or Susie Q, my needs will be pretty much the same thing and both of us can be serviced easily by the provider/outsourcer/clouder/offloader.
But I feel this only works when what you need is predictable by the vendor providing it, i.e. the more customized your needs are, the less you will ever be happy with what someone else builds. I see this quarterly in the pain levels of implementing third-party software and applications versus having in-house developers roll their own.
Fine, high-end number crunching may work, but I think those organizations with that need already invest a lot in the people designing such number crunching, and can probably fit into clouds better just by sheer numbers and mass. The people who still use mainframes, I guess. Maybe that's the problem, maybe I'm just not in the mainframe space...
Update: I use my ISP's DNS services. Is that cloud computing? I also use GoDaddy as my registrar, and I may someday move to shared hosting. Is that also cloud computing? See, I don't get it. :)
So it gets back to, why should I ever care about the cloud? I feel it sounds nice on paper, and for the few people who jump in with proper expectations it will be "just fine," but for everyone else I think it will be more difficult to wrap heads around than keeping the computing in-house.
by michael 01.22.09 at 8:42 AM in /general
This is one of the fundamental differences between IT security and IT operations (or a difference between haphazard IT operations and properly managed IT operations):
web dude: "I need you to give a development service account access to a staging environment system for me to get a project done."
sec dude: "Umm, no, you need to use a staging account in the staging environment."
web dude: "Are you saying no because you don't want to, or because you can't do it?"
sec dude: "I'm saying no because that's not how we manage and operate our environment."
web dude: "But it's possible, right?"
sec dude: *sigh*
It's one of those "always painful" parts of what we do... Yes, it's possible. It's also possible for me to clone my HID card and leave them scattered in the parking lot just in case someone gets stranded and needs a warm place to wait while help arrives. It's possible for me to open up the firewall to allow everything in and out. It's possible for me to give everyone admin rights to their machine, go home, unplug my phone, and ignore frantic calls for help when things break. Yes, it's possible, but it's illegal/prohibited/stupid.
Further conversation can go down the topics like the difference between the right and wrong of most crime versus the right and wrong of digital practices/security; or how layered protections that go beyond the level of knowledge by the web dude in the above example will succinctly quell his protests (he doesn't know I limit accounts to certain servers); or how policy is enforced, etc.
by michael 01.23.09 at 9:58 AM in /general
When I read these two lines from Andrew Storms over at the nCircle blog, I got a little pissed off. Then I read them again and said, "Oh, yeah!" The post subject is the Heartland Payment Systems data breach and how there is little excuse for the lack of detection:
Many well performing products are available on the market today to perform system integrity monitoring. A basic email alert to an IT systems administrator could have done much to dam the flow.
Of course, reading quickly I missed that he is talking about a small slice of a security posture, but one that is exceedingly important when it comes to malicious software installs on servers: system integrity monitoring (aka file integrity, digital integrity, etc).
Sadly, this is a slice that I don't think is present enough, especially in the Windows space. I believe Tripwire Linux is still free, as are possibly others, but pretty much anything for Windows beyond homegrown scripts is yet another budget cost. My last two companies have not had any digital integrity software in place beyond your normal AV/AM pieces. Of course, anything that already has an agent on the server should be putting this in as a feature, eh? Well, as long as they aren't one of the Big Boys who get disabled or thwarted as a first step in an attack...
This is yet again all part of a layered defense. Yes, people should not be doing much on servers such as browsing anything or installing much beyond what is needed. Yes, the network should have controls to limit access whether that be direct or pivoted (like Skoudis' latest hacking challenge answer from McGrew). Yes, there should be network monitoring to find anomalies in egress and ingress, let alone some sort of IDS presence (come on, all that pilfered data had to either be sent out or stored in some constantly growing file!). Yes, server roles should be limited as much as possible, if only to allow regular deletion and rebuilding nodes in a cluster when they become inconsistent or "weird" as we call it. Blah, blah, system monitoring, blah, change management, blah, blah...
Why is it difficult to get this integrity monitoring? I can only guess. Money for yet another tool? Someone to install it on all the servers and tune it to ignore all the normal things like Windows patches? Lack of trust that ninja-like malware will get in underneath and root down lower than these checks?* Someone to watch all the alerts that come in and check them out? Maybe a lack of technical knowledge in someone who is "just watching alerts?" Or lack of knowledge to look far enough to explain an alert rather than write it off as yet another "Windows just being Windows?" Who knows, but all of these reasons don't surprise me.
* Really, how often have we seen or heard of cutting edge techniques truly being used by people in the Crazy-Fu level of black hat criminal demigods? Maybe they don't get caught, but my guess is that everything else is still so easy that there is no need to bother!
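Since "homegrown scripts" is where most Windows shops end up, here is an added example of my own (not nCircle's code and not any product named above) of the minimum such a script needs: a hashed baseline of a tree, a comparison that classifies added/modified/removed files, an expected-change prefix so a patch drop does not bury the real alerts, and the text of the "basic email alert" itself. The scenario, host name and paths are constructed.

```python
"""Homegrown system integrity monitoring: baseline a directory tree with SHA-256
hashes, modes and sizes, compare a later snapshot, and keep expected changes
(a declared patch folder) out of the alert. Added example; constructed scenario."""
import hashlib
import json
import os
import stat
import tempfile


def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> {sha256, mode, size} for regular files under root (symlinks skipped)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": hash_file(full),
                         "mode": oct(stat.S_IMODE(st.st_mode)), "size": st.st_size}
    return snap


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current, expected_prefixes=()):
    """Classify every differing path as added/removed/modified; changes under an
    expected prefix (an approved patch drop, say) go to 'expected' instead of alerting."""
    report = {"added": [], "removed": [], "modified": [], "expected": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            kind = "added"
        elif path not in current:
            kind = "removed"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue
        if path.startswith(tuple(expected_prefixes)):
            report["expected"].append((kind, path))
        else:
            report[kind].append(path)
    return report


def alert_text(report, host="payproc-01"):
    """Body of the 'basic email alert' the post mentions; empty if nothing unexpected."""
    lines = ["%-9s %s" % (kind + ":", path) for kind in ("added", "modified", "removed")
             for path in report[kind]]
    if not lines:
        return ""
    return "Integrity alert on %s (%d unexpected change(s)):\n%s" % (
        host, len(lines), "\n".join(lines))


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline, then a replaced binary, a dropped DLL,
    a deleted config and one expected patch file; returns the comparison report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "bin/service.exe", b"legit build 1")
        _write(root, "conf/app.ini", b"debug=0")
        _write(root, "updates/kb1.msu", b"patch a")
        bl_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), bl_path)
        _write(root, "bin/service.exe", b"legit build 1, hooked")
        _write(root, "bin/sniff.dll", b"unknown code")
        _write(root, "updates/kb2.msu", b"patch b")
        os.remove(os.path.join(root, "conf", "app.ini"))
        return compare(load_baseline(bl_path), snapshot(root), expected_prefixes=("updates/",))


if __name__ == "__main__":
    print(alert_text(demo()))
```

Keep the baseline file and the script off the monitored host (or at least on read-only media), since anything that can replace a binary can also rewrite a baseline stored next to it.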
by michael 01.26.09 at 12:54 PM in /general
Anantasec has posted a review/comparison of three major web app security scanners: AppScan, WebInspect, and Acunetix. This is an excellent-looking report! Just to save time for anyone curious about the results, AppScan lagged behind the other two in detecting vulns. Acunetix certainly scores well when you get a chance to use the AcuSensor piece. I personally have only briefly used/seen WebInspect. Basically I've never had a budget to get real hands-on with them.
by michael 01.27.09 at 11:19 AM in /general
Warning: This isn't a normal geek/tech post. There must be something in the digital air that is promoting personal posts this week...
I don't typically read more than a few skimmed words in Rothman's first section on his regular posts (they're always more personal), but today I read a bit more. "I can only hope at least some of us have gotten past the greed of the past 20 years. I know that's being way too idealistic, but we can hope, no?"
Yeah, sadly, I'm not even that optimistic to even think that. :) Sometimes economic woes can be caused by natural issues (both nature and just natural economic cycles) or global influences. But, in my non-expert opinion, our current climate was caused by the confluence of just two* things: greed and affluence-addiction.
Greed. There's no real need to expound on this topic. Corporations are greedy, individuals in corporations are greedy, and individuals themselves are greedy. It just gets back to one of the insinuated tenets of capitalism: always increase profits. There is no plateau, no arrival at happiness or some financial equilibrium of bliss. Unless policy or corp culture/leadership provide hard stops, the risky decisions continue.
Affluence-addiction. Sure, this is my own term I made up today, but it's what I feel drives too-high mortgages/household budgets, gas-guzzling but "impresses the coworkers" SUV tanks and v8 cars, and exponential credit debt. Some odd need to always have better, perfect, impressive, and increasingly costly affluent luxuries. The drive that tells someone to go wash their car every 3 days so it looks pretty (especially on Saturday so it looks good in the Sunday church parking lot). I feel this every time I see a report on how some family is having budget issues as they send their kids to private school, drive two cars, and want their 250 channels of cable (or whatever it is people watch today, tivo?). Or what drives the decision for an automotive exec to fly in a private jet to beg for money, but then continue to avoid the dirty commercial airlines by driving themselves on their second try.
I like my affluence as much as anyone, and I have my costly hobbies and interests, but I don't like it being taken to non-practical excess.** I do have a little Emerson or Thoreau in me, and that's the part writing today. There has got to be something said about the slave-driver weight of debt being indirectly related to happiness...
* Yes, I'm sure there are more, especially the long-term issues like maybe a governmental administration or long-term 9/11 fallout or whathaveyou, but I consider those, ultimately, to be minor influences.
** If you want a popular movie that explores a very similar topic, watch American Beauty. And try to compare every character in the movie on a scale of superficial down towards "underlying value." A hint: stalker boy is one extreme, real estate wife is the other.
by michael 01.28.09 at 11:27 AM in /general
Over the years, one lesson I am learning is being able to spot which trends in IT and security are things to do sooner than later (disk encryption) and which things are too new, too infant, too complicated, or simply have too few threats to do now (virtualization security). Certainly allows time to focus on the important things and simply be aware of the future things...
by michael 01.28.09 at 1:19 PM in /general
posted this article of a Texas road sign that was changed to display warnings of "ZOMBIES AHEAD!" I really can't stop giggling about this, so I had to look up some more pics and info here.
I think this is hilarious! Yes, the signs are there for a reason, but if someone sees orange construction equipment ahead and flashing signs, they really should be exercising caution whether the sign is working, broken, or tampered with. If I saw this on the way to or from work, that would totally make my day.
It annoys me that people think someone "hacked" into this. Almost certainly the control box was not locked and was still using the default password. A bad move, but I'm not surprised considering the people who use these and deploy them state-wide. The last thing you want is to have your technician out on the road and unable to log into or unlock a construction sign. Fine, maybe someone did break a lock and maybe guess a password, but any non-hacker could do that. Next thing I know someone will break a window and rob a house and hackers will be blamed!
by michael 01.29.09 at 9:57 AM in /general