2008-03-28

Superglueing USB/Firewire ports (LANL)

One of the latest security trends is being able to grab sensitive data from a machine with just a USB key. This got me thinking about one of the most harrumphed-about things from LANL employees.. the supergluing of the external ports of all lab computers and the lock-down of laptops.

Not that it's going to quiet down any, but a lot of people could not see any reason why you would want to do this and pooh-poohed the scenarios where someone could steal something from their computer (or use their computer for something bad). Well, it turns out that the scenarios were not too far fetched, and you can soon try it yourself with 'DaisyDukes', a memory sniffer that will read data from a 'locked' laptop or office computer.. whether it's running Linux or Windows.

And if you have any computer with Firewire (hi Macs!) you are even more hosed. The Firewire port has direct access to memory and can walk through all the protected parts. And depending on what USB hardware you have and what drivers it uses.. this can be the case also. While most of the published papers have been made public in the last couple of months.. a lot of this has been outlined in public research that is 2 or 3 years old.. [and supposedly older, but I can't read Chinese to confirm or deny.]

I am not saying to go out and superglue your computer's USB/Firewire/video-card ports (I am waiting for someone to figure out how to get into a computer through some of the latest video cards' memory access).. Just be aware that someone with casual physical access to your computer can get more out of it without needing to take it apart:
  1. Make sure you know who has access to your computer when it's on and off. The more sensitive the data you have on it, the more you need to control that access.
  2. Make sure you have a BIOS password and it's not 00000, 123456, etc.
  3. Make sure your computer does NOT boot from a plugged-in USB key, etc.
As with all things security related, you are trying to make yourself less of a casual target...
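Since the post's Firewire point is the one a Linux user can actually check from a shell, here is an added example (not code from the original post) that audits whether the DMA-capable 1394 drivers are loaded and, if not, whether they are blacklisted from auto-loading on hot-plug. The module names and the modprobe.d "blacklist" mitigation are assumptions, and the lsmod/modprobe.d contents are constructed samples rather than output from a real machine.

```sh
#!/bin/sh
# Added example: audit the Firewire DMA exposure described above on Linux.
# Assumed module names: ohci1394/sbp2 on older 2.6 kernels, firewire_ohci/
# firewire_sbp2 on the newer stack. A "blacklist <module>" line in
# modprobe.d is assumed to be the chosen mitigation.
FW_MODULES="ohci1394 sbp2 firewire_ohci firewire_sbp2"
FW_HOST_DRIVERS="ohci1394 firewire_ohci"

# loaded_fw_modules LSMOD_TEXT: print Firewire modules found in lsmod output.
loaded_fw_modules() {
    printf '%s\n' "$1" | awk -v want="$FW_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) set[w[i]] = 1 }
        ($1 in set) { print $1 }'
}

# blacklisted_fw_modules CONF_TEXT: print Firewire modules named in "blacklist" lines.
blacklisted_fw_modules() {
    printf '%s\n' "$1" | awk -v want="$FW_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) set[w[i]] = 1 }
        $1 == "blacklist" && ($2 in set) { print $2 }'
}

# firewire_dma_exposed LSMOD_TEXT CONF_TEXT: true (0) if a host driver is loaded
# now, or if either host driver could still be auto-loaded when a device is plugged in.
firewire_dma_exposed() {
    if [ -n "$(loaded_fw_modules "$1")" ]; then return 0; fi
    blocked=" $(blacklisted_fw_modules "$2" | tr '\n' ' ')"
    for m in $FW_HOST_DRIVERS; do
        case "$blocked" in *" $m "*) ;; *) return 0 ;; esac
    done
    return 1
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_LSMOD='Module                  Size  Used by
ohci1394               31012  0
ieee1394               84580  1 ohci1394
usbhid                 25920  0'
CLEAN_LSMOD='Module                  Size  Used by
usbhid                 25920  0'
CONF_NONE='# nothing blacklisted yet'
CONF_FIXED='# keep DMA-capable Firewire drivers from loading
blacklist ohci1394
blacklist firewire_ohci
blacklist sbp2'

firewire_dma_exposed "$SAMPLE_LSMOD" "$CONF_NONE" && echo "EXPOSED: Firewire host driver loaded"
firewire_dma_exposed "$CLEAN_LSMOD" "$CONF_NONE" && echo "EXPOSED: drivers not loaded but can auto-load"
firewire_dma_exposed "$CLEAN_LSMOD" "$CONF_FIXED" || echo "OK: drivers absent and blacklisted"
```

On a live host, feed it `"$(lsmod)"` and `"$(cat /etc/modprobe.d/*)"` instead of the samples; the check does not cover BIOS settings such as USB boot, which have to be verified by hand.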

2008-03-25

Red Hat IT plans..

Thank you for the post. I will say that this is a lot more open communication than many years ago (though that was because we were in constant firefighter mode).

As someone who has been going through various ITIL training lately.. I can say it does look good and can make a difference because it is stuff that most people do but forget because we are usually in firefighting mode. And when we forget.. we usually have to go back and do it again.

The main concern to deal with is when we get to the point we feel we have to have proper change/incident/problem management before we can make a pot of coffee in the morning (I have seen ISO projects go this way.. it becomes paperwork driven because too many people get in the wrong mindset... they can only see the swamp without alligators and other people can only see the alligators.)

The second issue is that a lot of us in the IT industry are used to being the Scotty: Under promise and over deliver. It sounds like customer service... but it can also cause dependency issues where people know that you will somehow deliver a miracle because you have always done things you said were impossible before.

ITIL is about promising exactly X and delivering exactly X and only charging for X, which allows you to then say you will do miracle Y but it will cost you Y. That makes sure that you don't overwork people.. but again you have to be careful of going too far along that way. IT people do not want to feel that they are working at McDonald's where everything is scripted down to how to lay out the fries.

As with any process change, it has to be watched closely because people have a tendency to go too far without some sort of external governance (just like an engine.. you have various governors to make sure it doesn't go too slow or too fast).

Anyway, thank you for being so open about this. I can point this out to other CIOs.

2008-03-14

Supposedly there was no inflation last month...

I have the feeling something is out of whack on the inflation numbers. According to the U.S. Federal Government, the core rate of inflation was flat last month. I don't know how they came up with those numbers.. but they sure didn't look at our house :). Prices on food have gone up in all the stores we go to in NM, and from talking to my sister in Tenn and my parents in SC it's gone up there too, and we have all had to cut back on things.

My feeling is that this is going to be one of those numbers that's going to be revised a couple of times (probably during days when there are other crises that will bury it on the back page.) I know it's a standard thing during election years to play with the economic numbers at first to make sure that things don't look that bad.

I mean we could say that the US unemployment is only 4.6%.. because we only now measure who is actively looking for employment. If you add in the people who have part-time employment and are wanting full-time.. that number shoots to over 8%. And if you count in the number of people who were looking and have given up because its been 2+ years since they were employed.. the number goes over 12%.. but well that would look like... France or somewhere.

[Addendum:] Duh.. the core inflation does not cover food and energy. Of course with the fact that we are spending a LOT more on those 2 items.. we can't buy anything else.. so those prices would not go up. Well, not until people ask for more raises to cover the fact that they can't buy clothes, washing machines, etc.. because food+energy is so much of the budget.

2008-03-02

Ketchup

So it's been a month.. what have I been doing? Not blogging is one thing.

  1. I have been reading the latest Wild Cards book: Inside Straight. I have also been going over what it would take to run an RPG campaign of the game. I have been enjoying the book pretty much... the Wild Cards series was very gritty and realistic about what people with super powers would be like.. and one thing is that a good many were not very likable. This one twists it in a new way: what if people really wanted to be heroes beyond just some reality TV? I found that moving and I look forward to the next books. I like being inspired again by 'superheroes'.. especially when I find most modern comics to be stuck in the "heroes aren't inspiring" mode.
  2. I got my book signed by the authors... that was really cool.
  3. I have not been playing Kingdom Hearts with my kid. We are currently taking a break while he reads me a lot of books. It's great to see him grow and find new worlds for himself to explore.
  4. I got a position on the EPEL steering committee, and started trying to help out on packages. I am looking to 'shepherd' about 8 or so packages so that rt3 can be produced. I have a wishlist of getting the normal network security apps over also.
  5. I got a promotion to being EPEL steering committee chairman. I am working on getting my life in order for that (being on time, etc).
  6. Since my life has not been in order, I am no longer the QA Lead for CentOS. Tim Verhoeven has been doing an excellent job of this.. so I am quite happy.
  7. I am dealing with my Passive Aggressive problems. I realize I have them, and I have inflicted them on a lot of people. Please call me on this if I inflict them on you.