Archive for January, 2011

Are Security Efforts Misplaced?

January 11th, 2011 2 comments

Warning... this is a bit of a disjointed rant!

I won't reveal the person's name, but recently I chuckled when reading a Facebook status update from someone I knew in high school. His comment was along the lines of, "My boss asked me to label our switches with their IPs, so I asked if we should post the configs along with the usernames and passwords on the internet. My boss has a wonderful concept of 'security'".

This person is a graduate of a post-secondary computer program. Probably not unlike the program that I graduated from and now teach in. I want to know who, during his education, said "labels are insecure" and drove this idea into his head to the point that he would call out his boss on Facebook over it. I want to know who this professor is because I want to see them stripped of their right to teach.

However, if we ignore that someone is passing along incorrect information, this seems to be part of a larger issue. I noticed numerous comments on Facebook laughing at the status update, perhaps by people that know nothing about computers but, even worse, they might be people that work in IT. I have to ask myself as a security professional and as a security professor if all of my efforts are wasted. Do we really have people working for companies that feel proper security means not labelling equipment?

I then realized that this is likely part of a larger problem. We have people everywhere doing jobs that they aren't trained for and aren't prepared for. As we focus more and more on security, we are forcing developers, network admins and sys admins to focus on security, but we're never telling them what matters and what is involved in security. It's not unlike when I took my first job after I graduated and cried my first day. The previous sys admin had enabled WEP on their wifi ("for security") but had also put their Win 2K box acting as a DC and running Exchange 2K directly onto the internet. Not even a Linksys router in the way, just straight into the DSL modem.

So are we wasting our efforts? Is there any point in looking at security when there are so many SMBs that have a single IT person or an outside consultant who has no idea what to do? A lot of people dislike standards like PCI, but maybe this first step, a simple checklist, is exactly what we need. Maybe instead of user awareness training, we need to start talking about IT grunt training, because how do we have the users trained if their likely trainers don't know what's going on?

If I were told it was a security risk to write IPs on switches, I'd really have to ask why someone is able to get access to the switches in the first place. That would be the real security risk... who cares about the IP if someone has physical access.

Categories: IT, Security

2011: Time to Blog Again

January 7th, 2011 1 comment

Lately I seem to have overextended myself. I had multiple blogs on the go and on top of my full-time day job, I was developing curriculum, teaching and doing some book editing. Given my unnatural TV watching habits, that meant other things had to suffer. One of my many resolutions this year was to fix that. I have plenty of things I want to write about at any given time, I just never do... and everything I do leads me to more things I want to write about. So it's time to start writing again. My goal was to publish 365 blog posts this year, but since this is my first one and it's the 7th, that doesn't seem likely. I will, however, do my best to start blogging again on a regular basis.

One thing that kept me ridiculously busy this past year was my server. I had decided that a Linux box at home wasn't sufficient a couple years ago and purchased a hosted server for way too much money each month. In the end the maintenance and upkeep were draining me and I finally decided to abandon it. Primarily because I grew lax on maintaining it and it was hacked. I decided it just wasn't something I needed to have any more and that there were better ways to accomplish my goals. So now I'm in the middle of transition as I restore back-ups I'd pulled off the server and get myself up and running with various new services.

One way that I'm handling my lack of access to that shell is by increasing my usage of SDF. I've been an ARPA member of SDF since 2003, but I decided to upgrade to MetaARPA membership and take advantage of some of the additional services (more on this in the future). On top of this, I signed up for Amazon Web Services. I created myself a Micro-Linux instance that falls within the free tier for now, but I plan on playing with AWS and exploring some of the possibilities with it in the future.

I seem to have most things back up and running that I had previously; however, one missing piece is that SSLFail.com is still not back up. I am hoping to get that blog back up and running and open it up to be more user contributable... I'm just not sure how to do that yet. If you have any opinions, please let me know.

Categories: Site Related