Comment: Sysadmin Day Events and Discounts (Score 2) 200

by WHiTe VaMPiRe (#44391343) Attached to: How Are You Celebrating National Sysadmin Day?

We're celebrating in Columbus, OH this evening at the Three Legged Mare...

http://eevent.com/lopsa-columbus/2013sysadminday

Events all over the place, more listed here...

https://lopsa.org/content/sysadmin-day-events

LOPSA has a significant discount for renewing members and new members until Sunday...

https://lopsa.org/content/sys%C2%A0admin-day-discount-until-728

Happy System Administrator's Day!

IT

Searching for Backdoors from Rogue IT Staff

Submitted by WHiTe VaMPiRe
WHiTe VaMPiRe (87507) writes "When IT staff are terminated under duress, there is often justification for a complete infrastructure audit to reduce future risk to a company. sysadmin1138 recently answered a question on Server Fault that provides a thorough exploration of the steps necessary to maintain security. Read more at How do you search for back doors from previous IT?"

Comment: Re:Who is PCI compliant? (Score 1) 157

by WHiTe VaMPiRe (#29095425) Attached to: Amazon Confirms EC2/S3 Not PCI Level 1 Compliant

Was this supposed to be moderated Funny?

If you focus on the high-level requirements, it is certainly easy to take them out of context.

Quoted from the PCI document [1], "Malicious software, commonly referred to as "malware"—including viruses, worms, and Trojans—enters the network during many business approved activities including employees' e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats."

Is Linux commonly affected by malware? No auditor is going to expect UNIX servers to have anti-virus software installed.

Item 6, "Ha!" ... never mind the multiple detailed requirements under the high level bullet.

PCI is fantastic. It gives IT departments leverage to implement sometimes costly best practices that companies prefer to consider cost centers.

I'm still hoping you're just trying to be funny.

[1] https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

Comment: Re:A few notes... (Score 1) 530

by WHiTe VaMPiRe (#24668399) Attached to: A Good Reason To Go Full-Time SSL For Gmail

Mike Perry did a great public service by making this tool and making it available.

WTF? No he didn't. Pointing out the vulnerability is a public service, yes. Giving a talk where he outlines the problem? Also a public service. Distributing the means for anyone to make use of this vulnerability (ESPECIALLY when so many major vendors aren't prepared for it yet) is not a public service anymore. It's just arming script kiddies. Ralph Nader was able to do plenty of good without going around ramming into Chevy Corvairs to somehow "drive home" the need for a fix.

Security through obscurity is not security.

Full disclosure is a good thing. Unfortunately, the commercial focus of the Internet allows people to forget.

Not fully disclosing the nature of the vulnerability only minimizes one's ability to completely assess the circumstance.

Using irrelevant and inapplicable metaphors does not further your point.

Although RFP's policy [1] does not particularly address vulnerability assessment methodology, it is what I often like to reference when this comes up.

[1] http://www.wiretrip.net/rfp/policy.html
