
Comment Re:Were the users randomized? (Score 1) 509

Of course they had lots of issues still, they're *marketing*. Across all my years' experience in a few companies, I have never seen a group more technically inept than them, except perhaps for sales. Sure, there's an occasional bright light, but the field sure attracts the techno-peasants.

Comment Those that are still here? Maybe. (Score 1) 205

I'm in a company that was acquired by a competitor, where the resulting company was in turn acquired by a much larger, overseas firm. That latter firm knows little, I think, except the balance sheet, so things are really managed by the CEO of the first acquiring firm. He isn't at all from our field, says the right things, and much of it is bullshit. Most of the firm I came with is gone, on their own or when much of it got closed suddenly. So yeah, many of the employees he had would fire him, but it's probably 50-50 on those that are left.

Comment Re:Encrypt everything (Score 1) 94

Heartbleed was/is a critical issue, and easy to exploit, to be sure. On the other hand, you had to attack a server to try and find useful bits of information such as the private key for that server. Bad as it is, I'd far prefer that to *plaintext*, in which every knob-puller between you and the server is free to muck with it as much as they want, with no clue that it's going on. With all its warts, even the unpatched servers provide more help than hindrance, should it be used.

ASCII-based plaintext protocols are great for hand-bombing via a terminal, but really have no place in the modern world. Encrypt everything, all the time, and high muckety-mucks have to be specific about which needles they expect you to reveal.

Comment Encrypt everything (Score 1) 94

Services are increasingly moving towards HTTPS by default, which is awesome. Besides the obvious privacy implications, it prevents these ISP wankers from messing with your content, as it all becomes a sea of bytes (as it should be).

There have been hints of this sort of meddling in the past, when providers started injecting ad banners and other cruft into web responses.

Comment Ugh, need a clue-bat for commenters (Score 1) 120

What's with all the anonymous wankers beaking off about PHP vs Node, or JavaScript in general, when it's a server-side parsing of input that leads to the vulnerability? WebGoat was written as an on-purpose vulnerable web app for learning on, maybe some of you should download it and Burp or ZAP and do some self-education. OTOH, I'm sure someone would look at WebGoat, and respond with, "OMG, Java is teh suckz!"

Comment SANS is great content, if expensive (Score 2) 70

I've taken the intrusion detection and incident handling courses, with certs in both (still have the latter). When considering them, try to align with what you figure you'll be doing job-wise, if you know. The intrusion detection stuff was great for grubbing through packets to figure out what's going on, whereas the hacker tools and incident handling course gives you some hands-on playing and knowledge you'll want for incident response. I wasn't doing any network monitoring in my role though, so I didn't keep up the intrusion analyst cert, but I did love the course.

Comment Show them the risks (Score 4, Interesting) 158

I don't know your organization's level of risk tolerance, but getting them to pay for one of the following would be an eye-opener:
- A vulnerability assessment will show a sea of red for the unsupported platforms. Maybe that'll be sufficient to convince them that it's time to upgrade (and train up on new stuff).
- A penetration test will take those same vulnerabilities and combine them with attempts to use them, to see what they could get. The difference is in trying to use those issues, and turning them into "oh SHIT" screenshots in the report. It's the difference between "someone could theoretically do X" and "someone just did X, and documented it all for your edification."

On the latter engagements, especially with the dreadfully old stuff, it is quite enlightening to include those screenshots that show how I've added new users, logged in with them, and used them to poke yet more systems I couldn't reach from the starting point. The under-educated staff would only help things if social engineering were in scope too.
