Spamhaus’ recent continuing issues help convince me that spam blacklisting on a global or huge scale is just not worth it. Right now there are lots of firms doing a million little workarounds and hacks to offer up services for safe email, secure email, spam-free email, etc. All of these are built on an insecure protocol and are almost all really bad approaches that will work for a few years and for a decent scale, but are not the approach that will last.
Spamhaus was forced to take a company off their blacklist and pay millions of dollars in compensation to a mass-mailing company that won a suit again them (so I read). I’ve seen the cost, firsthand, to a company that gets wrongfully blacklisted (or rightfully blacklisted), and it is just not pretty.
Instead of the workarounds and hacks, someone needs to make a better protocol or force more use of the secure versions of those protocols. Let’s face it, eventually all traffic is going to be encrypted or obfuscated in some fashion, even if it takes 50 years.
Better yet, adopt something new, like instant messaging over P2P or something similar. Email is surprisingly hanging on despite IM and texting and cell phone use. Will it really still be around in 15 years? I’m skeptical…

This article got me thinking about how Microsoft is packaging some things into Vista that will put some current software makers into a real bind, such as free antivirus protection and free pdf creation/reading programs, and no doubt more.
Immediately I bristle at the notion that Microsoft can make these things better than those who specialize in it. I immediately think about all the monopoly issues that may arise, especially if Microsoft toes the line too far (particularly in Europe) and prevents competing products from being installed.
But the more I think about it, the more I truly think they have a good approach. The average consumer couldn’t give two rat asses about needing third-party antivirus, firewalls, email spam blockers, a secure web browser with pop-up blocker and decent enough features for your average middle-aged worker or teenage myspace rat (now displacing mall rats). When I buy a car, I might add on little package deals like ABS and Airbags, but I certainly don’t have to shop at Sears and pick from multitudes of vendors and pray I pick something compatible that does that job I want.
Consumers just want things to work with as much security as can be put in without getting too anal about it. This is the niche the Mac has enjoyed for quite some time: elegant simplicity and usability. Microsoft needs security in their OS, and they really cannot get away with just letting third-party software makers do the hard work they should be doing. Not only is it a bad long-term approach, but it also stymies the average consumer who doesn’t want to constantly tinker with firewall settings and spyware scans and keeping up to date with 6 different programs and pay for those upgrades every other year…they just want it to work.
We just want it to work, not overpower out lives with complexity (like the VCR clock), and not be a completely leaky hole. Security holes will always exist, especially in the market leader, but let’s get serious about what the future is. So far, that future still has Microsoft on the forefront, even if I think Vista is going to be ugly, complex, large, buggy, and still clinging to that old underlying architecture and assumptions that made Windows 98 and XP bad. But hey, they’re moving in the right direction and once that big ship gets turned the right way and starts plowing along, they’ll do some more great things.
In the meantime, I’ll stick to older Windows OS and Linux and pine for a Macbook in the near future.

I’ve reformatted my new laptop harddrive, installed Windows, carved up the partitions to give Windows roughly 20GB, Ubuntu 30 GB, and the other 50GB for eventualy virtual machines.
I did this because originally Ubuntu just decided to take the whole disk, and I’ve had experience with Windows just not playing nice with Grub if it isn’t loaded first. So now my system is in a moreorless state of completion to move forward again.
This also means I’ve spent a bit more time in Windows again, getting the new install configured up and things back to normal with email and such. Thankfully, since I build systems so much at work and home I’ve learned not to get fancy. Back in the day I worked with such things as WindowBlinds to make my Windows all fancy and neat and pretty and slick. But I quickly realized I don’t want to spend a week redoing all that fancy crap every time I format.
Anyway, now that Windows is situated and my old drive is mounted in a USB enclosure fitted for laptop drives, I am now back into Ubuntu and moving forward with getting things installed and using it for more every day use. Next step this week sometime: get my email ported over from Thunderbird to…Thunderbird! Piece of cake!

Go figure. Just this morning read an internal IT newsletter about this same subject. All of this information is second-hand, but I may just check out this book soon. The book “The Geek Gap: Why Business and Technology Professionals Don’t Understand Each Other and Why They Need Each Other to Survive,” by Pfleging and Minda Zetlin, claims that the “geek-suit” divide is inevitable. Here are some bullets points as to why:
• The tech worker, “the geek”, is a problem solver; the business person, “the suit”, is a people influencer. The geek likes to fix things, the suit relies more on people skills. Geeks and suits also interact with technology differently; the former are more interested in process while the latter are more consumed with use.
• To geeks, a piece of technology is a thing of beauty in its own right, a wonderfully fascinating puzzle. To suits, it’s a tool that is only worthwhile if it helps them accomplish their objectives.
• The moment geeks are likeliest to lose interest in a project is when it’s running perfectly (‘Hooray! Now I can stop working on it!’). That’s the moment suits are likeliest to start taking interest in the same project (‘Hooray! Now I can start working with it!’).
• Technology and business people differ in terms of career aspirations and lifelong goals, and relate differently to their workplaces. Tech people typically do not identify themselves by where they work but by what they do. It’s more important to them that they are in the ‘community’ of, say, .Net programmers or database administrators rather than at the company where they work. Business people are much more about climbing their company’s ladder.
The authors do go on to give points about how IT and business can help bridge that nearly inevitable gap, including cross-functional teams, intermingling, job exchanges, and business people doing what IT people now are doing: learning about how the other side works.
Since I spend most of my lunch periods nursing a latte at a nearby Barnes & Noble and recouping the cost by reading magazines and books, I may skim this to see if it is worthwhile to fully read and have on my shelf.

There has been a lot of articles and posts lately about users and the user experience and how IT interacts with users.
My “first” read on this came a few months ago in Network World, What users hate about IT pros, to which I rough-drafted a response essay I never did post on here on exactly the opposite topic, What IT pros hate about users. In the past few weeks, even more posts:
the snide IT attitude | counterproductive approaches to IT | dan morrill #1 | locutus | dan morrill #2
So who is right and who is not? Honestly, they are all right, to an extent.
There are problems with IT staff and “normal” users meeting together to work effectively and create proper solutions for a business. But the subject is far more complicated than so many writers are trying to make it out to be. In order to really look at a solution that works for a given business, the IT roles need to be better defined, the corporate culture needs to be evaluated, and then the exceptions need to be acknowledged.
IT should be sliced into smaller chunks as there are vastly different roles in an organization. What is important to, and how that employee relates to such things like users, differs even in our own field. Internal application developers will be different from those that develop applications sold to external users. IT shops that host services for external clients differ to those that just host internal infrastructure. A networker is different from a help desk jockey is different from a CIO. In fact, in each of those areas there are even still different roles that the workers and managers each fit. A help desk jockey is different from a help desk manager.
Does a backend networker need to be attentive and aligned with business needs as much as his or her manager? Or perhaps the user-facing help desk jockey? What about an application developer creating a standard application that will be used by 100,000 customers versus the internal application developer creating a system to be used by 10 people all located inside the company?
Once those chunks are defined, one can then look at a target corporate culture and managerial paradigm. Only then can real statements about IT, users, and the relationship of them be effectively made. Are the users technical in nature or not? Does the corporate culture encourage worker to worker interaction across boundaries, or does all of that occur only through manager levels? Can a beer be involved? Is it important to a business to have a customized service or a standardized product?
Lastly, look for the exceptions. It is true, sometimes customers make unrealistic demands that are a detriment to IT or even the business. When a customer gets on a metro rail system, do they expect to be allowed to guide the train and stop it at exactly where they want to get off? No, and to demand such when getting on the train is unrealistic. Likewise, users getting on the IT train need to plan and make requests properly as well, or at least be open to the possibility that their (and every other user) request may not be met. While the metro rail customer may be able to appeal to the train boards to add a new stop that happens to be closer to their home, what if every user made that request no matter what part of the city they were in and are not satisfied until the train stops within a block of their house? In that case, many someones will be disappointed in their request.
There is something to be said about being a good IT provider, but also about being a good IT customer.
But what if there are to be general, blanket comments and attitudes made? Is there some credo that all IT people can live by to do their work effectively and prosperously in the business world?
Perhaps. In the end, it is not about making a better widget, improving uptime, or meeting every customer demand both internal and external. It all gets back to the things that matter in life, the soft skills of working well with people and users and IT pros. Be respectful, professional, and honest. Work together to make great things happen in a company.
To bring this back to information security, Dan Morrill says something I think is important and cannot be said enough. If we end up being roadblocks to users, users will adapt and do things some other way which may introduce security and audit issues, widen the gulf between them and IT, and cost the business money.
The real bugbear is trying to figure out how to best work with the users in a given role with a given corporate culture and with the exceptions that will occur.

Having started a new job this past spring, I’ve had some firsthand experience in starting out in a new IT (networking/sysadmin) role. And I have since become pretty sensitive about what I think is one of the most important things with new IT hires.
Recently, more talk has surfaced about IT hiring the right people and then training them for their job, as opposed to hiring only people trained for the job and hoping they have the ethics and soft skills needed to do a quality and loyal job.
One of the biggest challenges, and in my mind, mistakes, in managing my new employment has been lack of real training when starting the job.
Let’s face it, even in the midst of regulations and standards flying around about how IT should secure and run their operations, there are no two shops that do something even as simple as track and allocate IP addresses the same, let alone all the other little stuff and multitude of settings in servers and devices (one of the reasons I really do not enjoy Windows Sysadmin work as much as networking). This means that any new people are either going to sit back and wait to be shown what to do, or will attempt to dive right in and possibly screw something big up either right away or maybe not even detectable for months or years. While I do believe in just getting things done, I’ve seen what happens to people (especially in my last job) when they make a simple mistake or move forward too quickly and how that will paint them in the eyes of the people who matter and write the checks, even if those same people were the ones who put the pressure on getting things done quickly.
So I feel that job training early on is paramount, especially for any Windows Sysadmin type of support work that is not very finite or narrow.
Training will also acclimate new employees with existing employees to gain some team cameraderie, which will more quickly open the avenues of discussion, collaboration, and comfort in asking for help when needed.
I think the best form of training is not necessarily documentation, although that is highly important, but actually just doing some shadowing of coworkers for not just a half day or even a day, but for a few weeks, to get used to the tasks, load, culture, and attitudes of the job role and team. In this way, also, the new employee made confide their own comforts, interests, and desires to their colleagues more than a manager, and thus their niche in the team may more quickly develop. This might bog down the existing employee who is being shadowed and sharing some of his workload with the new person, but in the long run, this is far better and I think will lead to a happier worker.
I feel that very, very few IT sysadmins and networking people can step into a job and do an effective job without lots of experience or in a contractual role that is narrow by definition.
Unfortunately, with my current job I had about a week and a half of corporate training with HR, phone systems, and other general stuff like benefits and customer service. This is all good and fine, but I had maybe a half day with the most senior analyst that I work with, and got shown the physical data center and where some things are. That was about it, for the most part…which has left me, 6 months later, still feeling disengaged and not entirely happy or comfortable with the job and network I work in. It is definitely an uphill battle that I am having to slowly tackle as the tasks slowly mount.

A little closer to home, it seems University of Iowa has had to notify 14,500 persons that their data might have been disclosed. I like that the announcement qualified that the likelihood of disclosure was low. In other words, an attack was detected, but the extent of the breach was unknown, but this data was accessible on the system.
This makes me shake my head and wonder when this disclosure storm will end. Disclosing possible data thefts and leaks is just not a scalable or long term solution. It is not even a short term solution. Very quickly we will all become numb to this activity, not care, and even if we understand what to do by reading the letters and FAQs, we still won’t do much more or change our behavior as users and consumers.
But there are other reasons why this is a poor decision. For instance, there is this huge grey area on defining what is a disclosure. What if a system was broken into, but all indications point to the system being used to house pirated movies, but *may* have had data disclosed? Do you have to disclose it if there is a reasonable expectation? What about a networked system that is not fully patched and is noticed to be out of date? Theoretically, it could have been attacked. What if the hosting company would not have detected such an attack? Is it reasonable to assume that system was never accessed fraudulently? And just where to 0day attacks fall into this picture? What if there may be the potential for disclosure in the future, which is not all that unlikely given a Windows architecture and the mishmash inner organization of most IT infrastructure from the perspective of the malicious insider. Should we disclose when information is just simply being stored in a non-optimal way?
And that is not even to begin to get into the grey areas within organizations on disclosure and reasonable expectations. Who is held accountable for hardening systems, detecting problems, escalating them to those that need to know, and then disclosing them? How much grey area or liberty will be taken with interpreting the regulations and expectations?
No matter the answers, the current practice of forcing disclosure of possible data thefts and possible identity theft are not very good procedures and may do more harm in the long run than good. But at least it drives home to C-levels the need to pay attention to this stuff, and not just treat IT like some arcane entity working behind a large screen. The handling of information and data access is only going to become more and more important over the next 10 years (and anyone having tried to track access to data and permissions in anything but small corporations will be able to relate exactly how difficult this may be).
And yes, at least this is the start and it is something, as opposed to diving straight into analysis paralysis and doing nothing.

The weirdness of this whole debacle between Maynor/Cache and Apple involving possible Apple wireless driver exploits continues. There are some fishy things going on here, and Apple is being very shifty in their dealings.
I previously likened the weight and importance of this situation to what Michael Lynn went through with ISS and Cisco last year, and the similarities continue to grow. David Maynor has been forced to pull out of his revelatory Toorcon presentation which was probably going to finally pull the veil back on this situation.
Now, SecureWorks and Apple are working through a third party, CERT, on security issues. Sadly, there is the possibility that Applie may stiff-arm CERT as well, which kinda digs at a suggestion I read and agreed with that perhaps security issues need to be verified by a third party so that full disclosure and corporate protections can coexist.
Unfortunately, the integrity of a third party is then in question, as are the rules of engagement for that third party. As Brian Krebs’ mentions, what if CERT decides to just never authorize the release of information? We’re back to having no real solution for the full disclosure debate.
If this keeps up, full disclosure will just plain happen, and corporations affected will simply be alienated from the research communities. Also, complete non-disclosure will happen by those who can’t afford to fully disclose and possibly be attacked legally, which threatens the health of our systems and networks when corporations just stifle any problems with their products. In that case, one may as well sell the exploit to someone else.
Not only that, but just look at Brian Krebs’ comments to see exactly how enflamed and impassioned even the security industry can be, on both sides of the issue.

These security and networking posters might be worth the money someday. Kinda spendy, though…

Companies and home users are definitely different entities with different approaches to computer security. Not only are some of the items different, but the solutions as well. What is important to a business may not be important at all to a home user, and the reverse is true as well. Home users value system performance, ease of use, stability, security of their personal data, and security with their identities. Home users can both be the hardest to break into and the easiest to break into, from a security standpoint.
Not every home user is technically inclined or even wants to learn to use new programs and such for being secure. For this reason, many of the best pieces of advice for home users is behavioral. Rather than “learn Linux and implement a highly guarded firewall” most users will read that and not even try. That’s just too much effort to ask of most people.
You can also go crazy trying to keep up with the latest security news, updates, vulnerabilities, and patches. But why bother? Unless you’re a geek or an IT professional, there is no reason to spend personal time being paranoid. Instead, home users can benefit from education and careful habits when working or playing on their computers.
For homes user, I assume the user is just operating one or a couple systems for the primary purpose of surfing the web, gaming, entertainment, and personal uses. No servers, web servers, mail servers, etc, are assumed. Once you get real servers with open services, the game changes quite a bit, and most home users do not do those things anyway.
1. Backups. Always back up important data to a second hard drive or system. If possible, do it twice and keep one set offsite somewhere. Windows has built-in mechanisms for automatic backups, but if you don’t mind doing it, at least just drag-n-drop all the important stuff over. Imagine if your hard drive dies in the next hour and no data is recoverable. What is your pain? What will you miss? What cannot be recreated? Back that up. USB or Firewire drives are cheap and easy to get. Buy a spacious one and use it for backing up data regularly. If you can back your data up to a drive stored offsite or in a fireproof safe, that is even better.
2. Firewall or NAT the Internet link. Actually, it is much easier and more common for home users to simply operate behind a NAT device such as a typical cable router or wireless router from Best Buy. That is typically enough, but if the opportunity is there, run behind a Linux firewall, either iptables or SmoothWall/IPCop or something. This one step is enough to stop any curious Internet-side parties from getting into your systems. If you’re not sure if you are protected by a NAT device, ask someone you know to check, or call your ISP and ask their support if they know. Be ready to let them know what your cable modem or DSL router model is. If you are not behind a NAT device, ask about how you can implement one. Most ISPs have recommendations and instructions on this.
3. Turn on Windows Automatic Updates. Every now and then perform a manual Windows Update, but otherwise just turn on Automatic Updates to automatically download and install on at least a weekly basis at a time when the computer will be on (like 8pm or something). Not only will this apply necessary patches, but can enhance or fix features like wireless options.
4. Practice safe computing. Do some common sense things to stay safer online. First, don’t install every new and neat free program that tells you to install something or that you need something. Chances are, there is a reason it is free and enticing. Treat it like you would any advertising on television or radio and just be wary. Second, do not open any email attachments that are not sent from known people and are expected. Just delete those emails. Likewise, do not click on any links in emails unless from known people and the email is expected. when in doubt, just delete the message or type in the address to your web browser as opposed to copying it or clicking it. Third, do not frequent questionable sites, especially when using IE. If you are visiting a site you wouldn’t want your parents or kids to know you were visiting, chances are you shouldn’t be there. Avoid that darker and more dangerous side of the web. Fourth, always close pop-up windows. Never click inside them or respond to ads on sites. Just never do it. Fifth, if possible, use only one credit card for online purchases, keep the credit limit as low as you can while allowing you to do what you need, and always go over the monthly statements.
5. Protect your passwords. Write down all your passwords and put them someplace safe, but easy to get to while at your computer. I know, many security people will look aghast at this suggestion, but when it comes to home users, there is little real reason to trouble people with anything more complicated. Get an envelope and write down your passwords on paper inside it, and keep it tucked safely into a drawer or even inside a book. I suggest making two copies of this and storing it somewhere offsite, especially if you do lots of banking and other monetary things online. You don’t want to lose your accounts because you lost your passwords in a fire or something. I do suggest not sharing passwords amongst spouses, roommates, or even your kids. Don’t let them find or use those logins. Also, do not use the same password for everything. I find it best to have 3-7 different passwords. For anything you don’t care about, use your first password. For more sensitive things, use other passwords. You can use multiple, but just think if one password is swiped by a hacker and is linked to your email account which has the same password. You can’t usually protect yourself from lost accounts on various websites or even forums. They may be run be unethical people or they may be victims themselves of a break-in that divulges your personal information. More technically inclined users can look into using a program like PasswordSafe to store their passwords securely on their computer. Be sure to make a backup of the storage file.
6. Don’t use Outlook or IE. Yes, IE and Outlook are easy to use and everyone uses them, making getting informal support painless. But just like ease of use is high for users, ease of use for malware is even higher. IE has had holes for years, unpatched, deep holes, and will continue to have them because it is so deeply married into Windows itself. Ask any IT pro to uninstall IE for you, and you will get the wide-eyed response that they can’t. To make an analogy, IE is so deeply rooted into Windows, you cannot separate it out. That’s dangerous, and Outlook is no better. Instead, use something less mainstream and exploitable. I recommend Firefox as default web browser and Thunderbird as an email client. Both are free, easy to use once someone opens their mind up and accepts a little bit of change, and suffice for 98% of everything users do with email and web surfing. This software switch will nearly eliminate the risk from email worms (although will not stop spam or malware attachments designed for the user to execute as opposed to running from a preview pane or through Outlook’s tools) and drastically lower adware and spyware infections from web surfing.
7. Run antivirus software. Many new computers for most users come with antivirus software. Be sure it is set to update automatically, and pay for the protection if required. For somewhat technically inclined home users that practice safe common sense computing, this software may not be entirely necessary, but I suggest it for decent protection, detection of most malware, and peace of mind. I suggest F-Secure or Kaspersky as opposed to Norton or McAfee, but chances are the latter two came with the new PC. If so, stick with what is pre-installed. And yes, make sure it downloads new updates or signatures on a daily basis.
8. For wireless at home: secure your wireless. If you run wireless at home, be sure it is secured by at least WEP encryption. If available, use WPA encryption. This will prevent a huge majority of neighbors from hopping onto your wireless connection. Not only can they use your Internet link for their own traffic (legal or illega), but they can also probe at your network and computers and sniff your traffic if they get on. And yes, trust me, young adults and kids are curious creatures and will try these things if they have that sort of knowledge. Turning on encryption will prevent any but the most determined attackers.
9. For laptop users: be paranoid when at hotspots. Lots of people get fancy with recommending Tor even SSH proxying for secure access at wireless hotspots. But lets face it, only the technically inclined bother with such things. For all other users, just assume the wireless hotspot is not a safe network. Do not stay on wireless hotspot networks for too long. Do not log into email through Outlook or Thunderbird when at a hotspot. Do not log into a website that is not SSL-enabled. If you use IM, assume your conversations are being read by someone sitting near you, and, in some cases, assume they now have your login account and password. If you do not go to hotspots very often or you had to chat in IM or check email, once you get home immediately change your passwords for those systems. Hotspots are fun places for geeks like me who are curious about other people, and for people who would love to do you harm or mischief. Be safe when not at home. Now, what counts as a wireless hotspot? Any wireless network that is not your home network.
10. Get help. Like mentioned for small businesses, home users will benefit the most by befriending technically inclined friends and family, or even paying for the service of a home consultant or contractor to help you out. Always be nice to your experts, though, as we do tend to get tired of high maintenance users, especially if we’re not being compensated for our time. I strongly suggest just asking your technical friends questions as opposed to asking them to actually do things for you. You can get really good return, though, for paying someone a little bit of money to spend an evening or some hours tuning your system and giving you some education on what the best things to do are. All the steps above are either behavioral (education), one-time deals where you set it up and that is it, or a few that require some additional changes or on-going action. Spend some money, hire up someone on the side that knows their stuff. If nothing else, befriend them and make a night of it with pizza, beer, and maybe hang out for a movie or something while they do their wizardry.
PS: I added a “1/2” extra step in a later post on getting to know how to reinstall your operating system.