Uncategorized29 Nov 2015 10:31 am

During breakfast today, my son and I were talking about the DOT com bust, and, it got me to thinking about the company I was working with at the time. They created a large number of DOT com businesses. With no rhyme or reason to them. They created an auction site, with all the overhead of a big company, so it cost them $87 dollars to list a hammer on their auction site. And like the rest of the DOT com nonsense, they were losing money hand over fist. So what does a big company do? It bundles all of their failed DOT com businesses into a holding company, call a team meeting together, and announce that they are firing everybody and shutting down the business. I was fortunate as a consultant at the time. I was working for the parent companies E-Commerce web site, which they pulled back into the parent company, before the armageddon date for the rest of the digital businesses. We were all in the same building at the time. It was absolute madness. People were shredding documents so fast that the clogged EVERY shredder in the building. People were walking out the door taking their computers, boxes of their stuff, fax machines, printers, anything not nailed down. And the company was so naive that they didn’t have security at the building. Just call an all hands meeting and FIRE everybody. It was one of the most bizarre days I will ever remember from my career. About 6 months later, an invoice from the web hosting company for the digital businesses that were shut down ended up on my desk. I looked it over, and it was not of the same format that I had been receiving in the past for my web hosting services. It looked like a odd maintenance fee. So I started to dig in a little further. It turned out that one of the digital businesses bought a 5 million dollar EMC Symmetric Disk Storage array system. And they shipped it to the web hosting company. It was a company asset. NOT a lease like the rest of the equipment at the hosting center. Typical for the group president of the failed DOT com business to piss away 5 million on a piece of hardware. And then, after they fired everybody in the business, it was FORGOTTEN. The web hosting company had turned off all the lease equipment. But, the 5 million dollar disk array was still sitting there. ME: Lets Bring it back and use it. This caused the parent company all manor of consternation because they could not figure out how to account for a 5 million dollar asset that was not on their books. I had weeks of arguments with them about accepting the asset. And, then I had to convince the hosting company that it was my asset. And we wanted it back. That also took weeks. Because they typically did not accept customer hardware. They simply leased equipment to the customer. That discussion took weeks. And was so bizarre that the first time I sent a truck to retrieve the hardware they turned away the truck. Finally I got the parent company to agree to accept it, and the hosting company to part with it, and it was returned. And i remember the parent company telling me that they used the EMC array for their first SAP implementation. It had terabytes of storage that worked perfectly for their SAP project. Funny to remember all of that after talking to Josh about the DOT com boom and bust.

IT Security17 Dec 2014 09:10 am
I already posted about this funny issue twice on Facebook, but, the issue continues to fascinate me, so it gets a blog entry as a learning and warning to others on the potential ills of text messaging.   I have had numerous discussions with my middle school and high school aged sons, regarding propriety in txt messages, tweets, and emails.  With cell phones having cameras I have had the “direct” conversation about not taking inappropriate pictures or videos and certainly never posting “sketchy” photos or videos on social media and DO Not send them via text to their friends.    This conversation started a few years ago and continues to this day, because I believe youngsters need reinforcement.  And, when sitting at the “breakfast” place on Saturday, when I reiterate a life lesson, I laugh to myself when Josh or Daniel complain that we already covered the issue over and over again.    The conversation started a few years ago, because one of Josh’s friends was walking home from school, when another kid who would be labeled “a jock” decided to give a beating to a kid that would be labeled a “computer nerd”.  Who knows why kid A decided to beat up kid B.  Josh was not friends with either of them, but did know one of the kids who was walking home, with a less then smart participant video taping the beating, quickly posting it to Facebook.   Josh showed me the video when I got home, and my first comment was “nothing good was going to come of it”.   The next day, the principal called kids into the office at the middle school, and asked a simple question, to the kids that where there, but, not the kid who gave the beating.  The question was “were you at the incident”.  One by one the kids he called into the office said “No”, the principal said, “I saw the video, you were there, your suspended for a week.”.  This occurred for everybody on the video.  Suspended, not because they participated in the beating, but, because they lied to the principal.  The kid who gave the beating was suspended, not allowed to participate in graduation but he did graduate form 8th grade and move on to High school.  H was lucky the issue was not escalated to the police department.  In the day of camera phones its remarkable that he didn’t have the common sense to not get into a fist fight, and the other Einstein who video taped also had no common sense.   I’m glad my sons were not involved but, it because a very good life lesson discussion on the evils of capturing inappropriate images or videos and then posting them on social media.  I laterally told them, if they are ever walking home and something like this happens, RUN the other way and come home.

Another discussion point down the same path is never get into txt message wars, do not send emails that contain anything negative, and never get into social media wars.  If its not nice, don’t post it.

In my current role, I hire consultants.     The skill setI need for a certain role is VERY specific.   Application Security manual testing, with knowledge of Java and J2EE, burp suite, and other manual testing tools.  Its a difficult skill set to find.    To determine if the candidate is worth having a discussion with, we have a test we send the potential candidates.  Its open book.  They do the answers at home.  And they can google to get the correct answers.     For candidates that really want to come work for me, they can even “mock up” the source code examples, compile them, and get the 100% correct answer.   But, unfortunately, application security is a hot market, and candidates can find lots of opportunities so they simply don’t take the time to answer the test questions.  So they don’t do well on the test, and we don’t have much interest in interviewing them.   Q.E.D.

I use a consulting company for these technical application security consultants.  We paid them about $300K this year, and we have committed to spending another $400K with them in 2015.   He presented a candidate that did poorly on the test.  But, meh, I thought we would interview him.  And its the holidays and its hard to get the right people on the interview, which I ultimately agreed to have the phone interview on a Tuesday and here is where the wheels came off the bus.  I did not schedule the interview on Tuesday fast enough for his liking, so, the recruiter had some type of FIT, and instead of texting whomever he wanted to text that I was trying to be a “douche bag” for dragging my feet setting up the interview for his less then qualified candidate, HE SENT THE TEXT to me.    Spend $300K with a vendor in 2014.  Lock in a spend of $400K with a vendor for 2015.  Get a Text message from the vendor calling me a “Douche Bag”.  PRICELESS.

The lesson learned?  Only send positive text messages, emails and social media posts.  I bet the executives at Sony are also wishing they are followed these guidelines when referring to the talent they work with in such a negative fashion.  If I were the talent that was based I would certainly not work with Sony again, based on the emails that the Sony Hackers have released from the Sony Executives.


Uncategorized02 Sep 2014 07:06 pm

At the office I have been a detractor of the “cloud”. There is a perception by “the business” that using the Cloud and Elastic Infrastructure the likes of Amazon will save money. My position has been simple. In the risk analysis of using the cloud, understand the classification of the data you wish to store there, and understand that if “they” want access to it in the cloud, “they” will get access. Insert who you want as “they”. Competitors. Bad Nation State actors. Hackers for profit. And include the cost to “the business” if a disclosure event were to occur in the analysis. “the business” does not like to hear this. They typically pucker up when I talk of disclosure events. Fine. Put your head in the sand. I go back to “Just smile and wave boys, Smile and wave.” Today, there are questions now if Apple, one of the most storied IT companies in the world, were at fault or a party to the latest round of celebrity pictures being posted on the Internet. I have a concept for a solution to the problem that I am noodling over. I am thinking about it as Digital Rights Management on Steroids. Rant done for tonight.

Uncategorized29 Jul 2014 04:42 pm

I logged on to the Sun box in my basement this evening, looking to test something on a Solaris box, and decided to look at the log files.  In the messages file I see a bunch of errors: “fatal: padding error: need 168 block 16 mod 8”

Yes, I am forwarding SSH from my Internet IP to the Sun box so I can SSH into the server from the Internet.  And apparently, somebody or multiple somebody’s are trying some type of brute force attack on SSH to get into my machine.

I checked the box, and nobody has managed to hack there way in using SSH, but, its amazing that a bad actor out there found the open SSH connection on my home comcast.net IP address, and they are going to town.

Interesting, to think that if they could get into the server, would that be a launch point to root kit that machine, and the MAC’s on my home network, looking for credit card numbers, account ID’s and passwords, PayPal, etc.

There are so many bad actors out there nowadays.  I’m very excited to be going to Black Hat and Def con next week and learning more about the state of cyber security.


Uncategorized20 Jul 2014 06:18 am

I was sitting in a meeting this week with agents from three different three letter agencies to discuss the state of hackers and malware and threats against systemic financial institutions.  There were about 20 members of the various agencies around this giant conference room, and I was sitting there trying to be a fly on the wall.

The agents at the meeting were discussing the various bad actors and the potential threats against our countries in structure when one of the agents asked if we traveled to China.  When somebody in the room said yes.  He then asked if when traveling you brought your technology, e.g. Laptops, iPads, iPods, iPhones, Android devices.  “Well we issue loaner laptops.”  He saws, “well good… when you get back to the states, do not connect your laptop to your company network, burn it, and throw it out.”

A lively discussion began where he explained that if you take your technology to China and use it, it will be compromised.  period.  And once it is compromised there is nothing you can do, including reformatting the device, or resting it to “factory” defaults that will make the unit safe again.  The malware that will be embedded in your machine is so sophisticated that it cannot be removed by any means.

They did have a good recommendation.  If you need to travel to China or Russia, and have an office there, have loaner technology available for you in country, use it while you are there, and leave it in country.  Never bring it back and never run the risk of allowing malware infested technology to get back on to your corporate network.

This will lead so some additional challenges next year as we are opening offices if China and expanding their functionality.  We know that they will not be connected back to our private company network and we have policies in place that only information with a Data Classification Policy label of “public” be allowed on computers in China.  I’m sure this is going to lead to some interesting IT security challenges for later this year.

When the meeting broke one of the agents sitting next to me notice my interest in the “burn the laptops” comment, and said it me… “The same warning holds true for Russia.”

I believe the person who made the initial statement on China was one of the “Agent’s in Charge”, so I respect the warning that was given.

Next month I am going to be out at Black Hat and Defcon.  I put in a request for a loaner laptop for my travels.  I am going to make sure that “bluetooth” is disabled on all of my devices, and WI-FI turned off on my iPhone.  How about my personal Mac?  I am NOT staying at the headquarters hotel for either event because they do have contests called “capture the flag” where they count the number of devices that they can compromise, and they project on the main conference hall a screen called the “wall of sheep” which broadcasts the passwords that they capture from the open access points they set up, and when a device automatically connects to the “free” internet, WHAM, they have compromised your device, installed a root kit on it, display all the passwords from your device, and add one to the count of devices that they have compromised.  I also do not connect to the hotels internet when I am in down for this convention, using my phones Internet for when I want to connect and check email, but, I have been reading that even cell phone Internet has the potential to being compromised.

What do you think about bringing my personal technology to Black Hat and Def Con?  Will it be at risk with the precautions I am taking?  Leave Facebook comments with your opinion.

Uncategorized25 Sep 2013 11:09 am

I have had the opportunity to lead the selection of a secure email delivery system for my client.  This level of technology raises the bar on securely delivering emails to recepients across the Internet.  For those of you not in the know, older legacy company email systems deliver emails across the internet in a non-secure fashion.  My cool project gave me the opportunity to look at some really cool email delivery systems.

As a aside of this project, i had the opprtunity to learn all about advanced persistent threats.

What is that you ask?

A hacker sending you what looks to be a legitimate email that instead has malware inside of it.  For example, one of the vendors that we spoke with recorded over 23 million SPAM emails that were preported to be from Walmart regarding a flat screen TV being delivered to your house.  Instead, there were 3 links in that email that when clicked on, would install a virus on your windows PC that would attempt to steal all your most personal information.

For anybody that does not have up to date anti-virus software on your PC, stop what you are doing immedaitely and update your anti-virus patterns to ensure that your personal PC is protected to the best extent possible from this scary threat vector.



Uncategorized12 Sep 2013 09:38 am

After watching the keynote from Apple on the new iPhone 5s I have decided that there is one compelling reason to get the iPhone 5s. Since I started using my iPhone, I have stopped carrying around a digital camera for taking pictures. My wife has a really nice 35MM digital with a high mega-pixal count for special occasions, but, all I carry around is my iPhone.

So, with the iPhone 5s, apple has significantly improved the picture taking ability of the 5S so I am in.

I also have a strange problem with my Son’s iPhone 4 hand me down. For the last few months his iPhone has used over 6GB of network traffic even though the phone is on the home wireless network and I can’t imagine him using that munch bandwidth during a month. I am going to call AT&T to complain today, not that I expect that to help, but, I will hand me down my iPhone 5 when I get the iPhone 5S in a few days.

technology04 Aug 2013 04:00 pm

When I was picking up my wife’s iMac computer from the Apple store in Woodfield Mall earlier this week, I noticed the Microsoft had opened a Microsoft store literally one floor below the Apple store.  When you walk to the apple store, you can see the Microsoft store.

Microsoft continues to play catchup to the Apple merchandising model.  The value proposition at the Apple store is quite clear.  They employee “genius” employees at the “genius bar” who appear to know everything about the technology that they are selling.  When I brought my son’s macbook pro into the shop to replace the monitor that got broken, i had them hook up my macbook pro to their diagnostics to check the machine out.  After upgrading to the latest version of MacOS, my macbook pro was getting a bit pokey and I wanted to upgrade the memory.  When I asked about Apple performing the upgrade, they refused.  They only provide like kind repairs to their hardware to ensure that changing the configuration will not introduce any level of incompatibility  that could impact the customer experience.  Thats a very smart move on the part of apple.  The “genius” recommend that I purchase the memory from Newegg, and install it if I wanted to do the upgrade, which I did, since I’m comfortable taking apart computers and understood the risk by doing so.  But, for mom and pop consumer, if they did foray down the path of upgrading their mac computer themselves, they could certainly not hold apple accountable for any type of negative experience associated with the upgrade.

Microsoft has a different issue at their stores.  Outside of the surface, there are all manor of hardware vendors that can provide platforms for the Microsoft operating system, so they will never have the granular level of control that Apple has over their desktops, laptops and servers.

The Microsoft store also has a large section devoted to the Xbox.  I was fascinated how Microsoft completely blew the announcement of the new Xbox that will be coming out by the end of the year.  When I asked my Son if he wanted the new Xbox, he told me no, he did not, because he and his friends did not like the way that Microsoft was setting up the new Xbox, requiring them to connect to the Internet every day, and not being able to buy used games at Gamestop.  You can really consider your product launch a public relations nightmare when a 14 year old and his friends believe that you screwed up your new product launch to the point that Microsoft revised their launch approach for the new Xbox.

Otherwise, the MIcrosoft store is snazzy.  Its a pretty amusing marketing touch to put the new Microsoft stores within spitting distance of the Apple store, which I expect is happening around the country as they build out their new stores.

I haven’t had the opportunity to speak with a Microsoft person at the Microsoft store as of yet, so I can’t comment on the level of expertise that the people working their posses.

family and home and infrastructure04 Aug 2013 08:21 am

This weekend, I got my wife an iMac desktop replacing her aging Windows Vista PC, which was getting long in the tooth and pokey.  This complete our migration from an all PC environment to a complete MAC world.

The process started when I replaced my laptop with a MacBook Pro.  I was typically going through a new PC laptop every 6 months.  I am hard on PC keyboards, since I learned to type on a TRS-80 which had a terrible keyboard bounce problem, so I learned to type by pressing the keys very hard.  So I would get a new Window PC laptop regularly.

Next I got my daughter a MacBook Pro when she graduated from 8th grade.  She was using one of my older PC laptops, but, wasn’t very happy with it, and asked for a Mac, so she got migrated.

My youngest son was not happy with his Windows PC. Even though he had anti-virus software on his PC, he continued to get viruses on his PC, so he asked if he could use my Macbook Air, which became his primary machine.  Even with Microsoft anti-virus installed, during his forays to Club Penguin he still managed to get virus and spyware regularly.  I have not gotten any viruses on my Mac’s as of yet which is a great plus.

My middle son asked for a MacBook Pro about in March before we went on vacation for spring break. Since he was graduating from 8th grade, his MacBook Pro became his graduation present.

So, all we had at the house was my Wife’s Vista PC, which was getting old and locking up.  During the time she was using it, I restored the machine to factory settings a few times because Windows gets pokey when things download and install from the Internet.

Before making the decision to migrate her to a iMac, I installed Windows 8 as a VM on my MacBook Pro using Parallel’s which lets you install VM’s including Windows, Limux, CentOS, etc.  I absolutely hate the Windows 8 interface.  The interface in my option has to be one of the most counter intuitive travesty’s ever created by a major software vendor. Its mind boggling how they could miss the mark so drastically.  I believe that the Windows 8 user interface was designed around their Surface tablet, but, clearly they should have had a refined user interface for PC’s versus the Surface.

I love the interface on my iPad.  Apple, with Steve Jobs as the design nazi really did an amazing job enforcing usability on all of their products.  I will be very interested to see how the interface changes with iOs 7.

So I picked up the iMac earlier in the week, unboxed it, and it literally took a few minutes to get the box configured and up and running including migrating all of my wife’s emails into Microsoft Office for the Mac.  I am still a big fan of Microsoft Office.

Conversely, I work every day with Windows 2008 servers.  While there is the issue of security vulnerabilities on Windows Servers, they still do a fine job every day supporting the IT security applications that I work with on a daily basis.  While I had the option to select the IT security software on Linux servers, running on Active Directory Domain connected servers has worked well for me over the last few years.

When my wife and daughter get back from east coast college visits this evening, she is going to be surprised to see the new ergonomic iMac sitting on her desk ready for her to start using it.

I also have a Sun workstation sitting headless in the Server room in the basement, which I have kept up and running whenever I wanted to geek out in a UNIX environment.  That is less of an issue now that I installed a VM of CentOS Linux on my Mac that I can use for the same purpose.

I think that my sentiments are very similar to others who are moving towards being dissatisfied with the Windows 8 operating system and look for alternatives.

Uncategorized12 Jun 2013 04:06 pm

I finally got my Macbook Pro upgraded to 8GB of memory.  My Macbook worked great with the previous version of MacOS but, when I upgraded the memory the mac started getting a bit pokey.  A colleague at work thought the hard disk might be going south, but, when I brought my Son’s Mac to the Genius bar, I had them plug mine into the diagnostics which confirmed that everything was working fine on the Mac.

Apple has an interesting policy to not upgrade equipment.  They will fix it if it breaks, but with like kind parts.  In retrospect that makes sense from an integration testing perspective.  Apple was always about quality.

So, I ordered memory from Newegg, and got the wrong kind and sent it back for a refund.

Then I ordered the correct memory but at the wrong speed.  I was surprised that the faster memory would not work.

Next I ordered the correct memory and speed on eBay, and got dead on arrival memory, which I also sent back.

Finally I ordered the correct memory at the correct speed from Newegg, ordering Kingston memory.  Fourth time was a charm.  The new memory is working perfectly, and the Macbook pro is once again screaming fast.

I would go through at least a Windows notebook a year sometimes two a year until I moved over to the Macbook pro.  I have had this same Macbook since 2010, and its still working great.  Apple macs amazing technology.

Next Page »