
Comment Where to start (Score 1) 158

You have an impossible task. Rejuvenate your CV, and find your next job.
Seriously though, start with a budget. Until you can secure funds you cannot do anything, and the budget will tend to direct what you can accomplish next. Once you have cash, find the oldest piece of hardware in operation and start with that one. You will have more failures based on hardware than you will based on unpatched OSes. Disks are your primary concern in this realm.
Second, after you've completed a few of the more horrendous back-end server migrations, the desktops are next. This is a political move. It will endear you to the user community and this will make additional funding possible. If you focus entirely on the back end, you will run out of support and therefore money long before you can complete the task. You may have to do this step by department, so make sure that your most supportive users get their upgrades first. As I said, this step is entirely political in nature. You will not be able to perform all the upgrades in this step, so be picky.
Third, address the network. Given the health of the server architecture you've described, I suspect that even gigabit Ethernet is foreign to your environment. Make sure you can build in redundancy along the lines of 802.3ad (LACP) etherchannel connections for all things. Redundancy is your top priority in a network refresh. Basically there are two (2) of every component, each of which is connected to two (2) others.
Fourth, take the remaining servers in order of business impact, most first. This will give you the opportunity to introduce the user community to the concept of "maintenance windows". It will also allow you to engage top management in the upgrade process, which should allow you to re-negotiate the budget, which will be woefully inadequate at first.
Assuming you've made it this far (doubtful) go back and finish the user PC upgrades.
Then prepare to do this entire process again in about three (3) years. Perhaps five (5) if you are lucky enough to get the funds needed to buy things which have significant life. Leasing is also a good thing here because it forces the refresh once the lease terms are fulfilled.

Comment I'm going to scream (Score 1) 616

THIS is exactly why we have so many exploits available in systems today. We have too many 'coders' who have no idea of how the underlying system functions. In the company where I am currently employed, there are individuals who are writing code for new services that don't know what a TCP 3-way handshake is.
IT is the only profession on the planet which does not have a governing body of any sort. There are no exams, no licensure requirements, no educational requirements. Nothing. Anyone who can convince a hiring manager, who themselves is unlikely to be versed in technology, that they "know what they are doing" can be hired into a position of impact. And we wonder why software written today is so bloated and filled with exploits.
What did you expect?

Comment Re:And so it begins (Score 1) 60

And you all missed the point. You focused on the story that occurred back in the late nineties when people used to plug their Win95 machines directly into the broadband modem.

THE POINT WAS that inoculation is a valid response to security threats. If the malware perpetrators can take control of a PC behind a corporate firewall, there is nothing stopping that from being less about exploitation and more about service. Furthermore until we in the profession of IT give up our dependence on reactive techniques to deal with security threats, and move in the direction of actively recapturing the BOTs being used against us, we will continue to have an unending list of major security breaches.

How long do you think it will go before the government steps in and begins the process of setting up regulation?

Comment And so it begins (Score 3, Interesting) 60

This is the first published report I've seen regarding a technique I've been promoting for a decade. Inoculation. If you find an infected machine, take control and fix it. Slashdot commenters universally reply to this technique with sarcasm, warnings of legal action or downright vitriol but the technique stands as the only way to move forward. The best defense after all is an offense and all current and future planned security activities are reactive in nature. As long as you wait for all the other machines to be patched and comply with security best practices, you will never stop waiting and your services will be under attack.
There was a small script I wrote a number of years back when I first got broadband access at my home. My firewall was being inundated by attacks from the metro loop so I wrote something that scanned the source IP for well-known exploits. If one was found, it used said exploit to take enough control to put a system level dialogue box up that said "Your machine has been infected by a virus - please fix this immediately", and then listed the virus it used to gain access. This ran for about a month until my provider called me and asked me to desist.

Comment Saw it coming (Score 1) 220

A decade ago I had a discussion with my then boss about how to respond to inbound attacks. It was clear then that the current methods of defense were wrong by any measure you care to use. They haven't gotten any better in a decade. They've only increased in cost and complexity. The basic failure can be demonstrated by the metaphor of feudal Europe, since I know all of you are aware of your western civ history. Our current defense methods are akin to various forms of dumping molten lead onto the Visigoths below our 'fortified' walls. The problem is that the Visigoths are already in our land, destroying things along their way to the castle. Of course the metaphor breaks down because these Visigoths replicate in place; they get stronger, faster and more sinister in their siege weapons with nothing more than the passage of time, and no matter how many we disable there are always more than there were a minute ago.

So what to do? Given that the attack is always through an intermediate entity, I propose using a biological analog to address it. Treat it as a diseased state and execute a vaccination. Since the intermediate system has already been compromised, as is demonstrated by the fact that it is currently an intermediate for an attack, it would be best to wrest control of it from its current commander. We can certainly discuss what that means or how to accomplish it, but that is the best solution. Remove the Visigoths from battle rather than attempting to thwart their attack on us. The other side of this equation, and the thing its success depends on, is automation. The takeover system must be able to respond to the attack within a few packets and wrest control a short time later. Otherwise you have accomplished nothing. Waiting until the entire village is infected with Ebola before you send in the inoculant will only result in more deaths. Waiting for a human being to respond is similarly inappropriate in this situation.

This is not an attack. It is a method of removing resources from an attacker. If the takeover were done correctly, say leaving the affected machine in a state where it was no longer vulnerable to the exploit the attacker used originally to take control, you have in fact helped the Internet overall. You have inoculated another machine and the pool of available resources to attackers has diminished. If you can do it fast enough you can wrest an entire farm from its nefarious controlling entity and put them back at square one. This method levels the playing field as every attack is therefore a chance to lose all your resources. It requires no coordination to execute, no notice since the machine is already infected, and there is no data breach involved.

The real question is can it be done?

Give me a minute.....

Comment Go ahead, take my stuff (Score 1) 453

My personal laptop is set up to wipe itself if you fail to give the correct credentials enough times. "No," you may not have my password, or better yet, "Password99". Try using that one a few times ;-)
Of course there are things like Google Docs, so there isn't anything on the machine itself. I can stop at a store on the way home from the airport, pick up a cheap replacement and be back in business in the time it takes to logon to a hotspot.
And I don't have anything to hide. This whole process was set up when I lost a machine a while back. The machine is now immaterial.
So go ahead and take my 'portal'. You'll get nothing, and I'll be in touch with my lawyer before you can even attempt a second login.

Submission H-1B visas are bad news for older workers->

hwstar writes: The H-1B visa reform contained in S744 will result in continued high unemployment of older experienced US citizens, and make it very difficult for older workers to remain in a technical field.

There is a cavalier attitude being propagated by high tech executives regarding older STEM workers:

The 29-year-old self-proclaimed social media phenom also quipped, “Young people are just smarter,” something he later apologized for. However, Zuckerberg also recognizes the profitability of hiring H-1B visa holders over American kids. Critics call it the immigration lottery, as most foreign students will work twice the hours for half the pay as their U.S. counterparts in order to gain legal status in America.

The industry uses younger STEM workers because they work longer hours for less pay, and then casts them aside:

"Oftentimes the result of the H-1B visa program is that 35+ and older workers are thrown away like yesterday’s newspaper. Nelson said the Senate’s comprehensive immigration reform bill S744 would be a disaster for Americans."

The article also describes that "dark money" is being used to lobby Congress for H1B reform:

With the help of political PACs, STEM employers use “dark money” (a term used by 501(c)(4)s and 501(c)(6)s donors who wish to remain anonymous), in a calculated effort to continue the flow of foreign workers.

Finally, salary parity between H-1B and domestic technical workers is a farce:

Rep. Zoe Lofgren told Computerworld that “the average wage for computer systems analysts in her district is $92,000, but the U.S. government prevailing wage rate for H-1B workers in the same job currently stands at $52,000, or $40,000 less. ‘Small wonder there's a problem here, we can't have people coming in and undercutting the American educated workforce.’”

Comment Re:Chilling (Score 1) 306

The implied objective noun (I intended) was of the NSA, not the records themselves.

IMHO I think the collection of data such as that which the NSA has gathered is in no way legal in any way. See 1st and 4th amendments. Given that, the possible utility of the data is by no means sufficient cause to allow it to continue to exist. We either are a society that follows the rule of law, or we are not. If our highest governmental agencies can't comply with our constitutionally guaranteed rights, how are we the people supposed to have any faith in our government? If they can ignore any law at any point for their convenience, how are we then protected from abuse?

Comment Chilling (Score 4, Interesting) 306

"Outside of our borders, the NSA's more aggressive. It's not constrained by laws"

Uhm, I guess the laws of foreign countries, and international law, don't apply to our spy organizations. I'm also sure the constraint of our laws (1st Amendment, 4th Amendment) can be ignored at will as well. After all, we are just trying to find all the terrorists, right?!? (You know, like the First Unitarian Church of Los Angeles -

As Ben Franklin put it, "They who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -

We need to simply shut down the NSA altogether, burn their records in effigy, and recall every elected official who ever voted in favor of their activities, or their funding.

Submission Suggested Poll

DFDumont writes: Given the various tones and range of opinions I find in Slashdot comments, I wonder if there's any correlation to geography or demography? Where are most Slashdot readers living? What areas are not represented well? How many of us are Americas-based, versus EMEA or APAC? Are we living on the coasts or in the interior? Cities or rural? Are we college educated? Are we mostly under 25 or over 40?
Just curious, although I think it would make an interesting study.

Comment Favoring nothing, how about blocking some (Score 1) 2

Irrespective of the business opportunities afforded ISPs and backbone providers by offering 'premium' transmission services, I'd like to see someone propose limiting or blocking nefarious traffic. For instance, anything that violates an established RFC (think ping of death) or port scanning. We have left the infancy stage of the Internet and can no longer trust all participants to "play by the rules". They aren't. The only facility in place to stop such traffic is the one with the registered BGP AS#, not your home or corporate firewall. We could reasonably block 80% of the attack traffic by simple firewall rules at every meet point between providers that filtered on 20% of well known attack vectors. (See Pareto Principle)
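As an added illustration of the two filter criteria the comment names (an RFC 791 violation such as the ping of death, and port scanning), here is a small classifier over constructed packet records of the kind a provider-edge filter might see; it is example code written for this page, not anything from the comment or from Slashdot, and the record field names and thresholds are assumptions.

```python
from collections import defaultdict

# RFC 791: a reassembled IPv4 datagram can be at most 65535 bytes.
MAX_IP_DATAGRAM = 65535

# Constructed sample packets (not real traffic). Assumed fields:
# src/dst addresses, proto, dport, frag_off in 8-byte units, payload length, ts in seconds.
SAMPLE = (
    # Oversized fragment: 8189*8 + 1500 = 67012 bytes > 65535 (classic "ping of death").
    [{"src": "198.51.100.7", "dst": "203.0.113.5", "proto": "icmp", "dport": 0,
      "frag_off": 8189, "length": 1500, "ts": 0.0},
     # Ordinary echo request, well within limits.
     {"src": "192.0.2.1", "dst": "203.0.113.5", "proto": "icmp", "dport": 0,
      "frag_off": 0, "length": 84, "ts": 0.1}]
    # One source touching 16 distinct ports on one host in under two seconds.
    + [{"src": "203.0.113.9", "dst": "203.0.113.5", "proto": "tcp", "dport": 20 + i,
        "frag_off": 0, "length": 60, "ts": 1.0 + i * 0.1} for i in range(16)]
    # A normal client repeatedly talking to a single port.
    + [{"src": "192.0.2.2", "dst": "203.0.113.5", "proto": "tcp", "dport": 443,
        "frag_off": 0, "length": 1200, "ts": 3.0 + i} for i in range(5)]
)

def is_ping_of_death(pkt):
    """A fragment whose offset plus payload would exceed the RFC 791 maximum is malformed."""
    return pkt["proto"] == "icmp" and pkt["frag_off"] * 8 + pkt["length"] > MAX_IP_DATAGRAM

def port_scanners(pkts, window=5.0, min_ports=10):
    """Sources that probe at least min_ports distinct ports on one host within window seconds."""
    by_src = defaultdict(list)
    for p in pkts:
        if p["proto"] == "tcp":
            by_src[p["src"]].append((p["ts"], p["dst"], p["dport"]))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, dst0, _) in enumerate(events):
            ports = {dp for t, d, dp in events[i:] if d == dst0 and t - t0 <= window}
            if len(ports) >= min_ports:
                flagged.add(src)
                break
    return flagged

def classify(pkts):
    """Map each source a meet-point filter would drop to the set of reasons for dropping it."""
    verdicts = defaultdict(set)
    for p in pkts:
        if is_ping_of_death(p):
            verdicts[p["src"]].add("rfc791-oversized-fragment")
    for src in port_scanners(pkts):
        verdicts[src].add("port-scan")
    return dict(verdicts)
```

Run against the constructed sample, only the oversized-fragment sender and the scanning source are flagged; the ordinary echo request and the repeat client on port 443 pass.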