Archive for the ‘School’ Category

Master of Science in Information Assurance

Tuesday, April 13th, 2010

So I’m finally finished with my MSIA degree – the thesis has been turned in and graded. Now all that’s left is to wait for May to walk down the aisle with my classmates. My goal at the beginning was to graduate with a 4.0 so that I may earn the “with distinction” title. Unfortunately, I didn’t quite make it as my GPA turned out to be 3.9. However, I learned that grades aren’t necessarily everything. Sometimes it’s the experiences and information you share with your classmates that prove to be invaluable in the long run.

Besides…it doesn’t seem to me that employers put a lot of emphasis on additional degree titles such as “with honors”, “with high honors”, or “with distinction”. Fortunately, most employers realize that schooling is merely a baseline of knowledge and doesn’t automatically make you prepared to jump right on a job. Employers also test your knowledge one way or another during the interview process to their specific requirements. No matter where you end up as far as employment goes, you will always need time to adjust to the job itself. And that is where fellow students and instructors are valuable by bringing real-life experiences into the course work.

To my fellow classmates, congratulations, good luck, and I look forward to seeing you in May.

Exempt vs Non-exempt

Wednesday, August 13th, 2008

If you ever decide to switch to exempt versus hourly, it’s your chance to negotiate your rate. Go back several years and calculate how much you made in overtime vs regular time. Do market research on your job function and find out the salary range in your area as well as nationally. Do an honest evaluation of how you stack up to your co-workers.

Or, if they will not negotiate, leave for a new job – that’s what I did and I’m much happier for it. Unless you like your present job SO much that you will take a pay cut, find another job. However, I make sure that if I do have to work, I require that I am paid hourly…and I get paid for all OT. I learned years ago, I do NOT work for free.

My time is much too valuable. I generally prefer time off to OT, but sometimes you gotta do it. Don’t get me wrong, when they really need me for emergency down time, a deadline is looming, I’m there as long as it takes to get things done. I just refuse to do it for free. If they have to pay you for every hour you are there, they will think twice before making requests that you do so, and only do it when it is required.

Something to think about. How valuable is your time?

“IT saves the day!”…or something

Saturday, March 1st, 2008

When it comes to fuckups, IT is usually the last guy to get the hot potato, and they’re expected to save the day.

Any time a user screws up, the IT department is EXPECTED to save the day by upper management. If they don’t, it is (rarely) the fault of the employee, it’s the fault of the IT department for not anticipating such a need, or not being available at a second’s notice, or simply not being able to save someone else’s bacon. Often times we’re asked to perform miracles.

It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, car bursts into flames. Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and failed to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man and expected to resurrect deleted and/or overwritten files.

Another example – it’s 4:55pm and Fedex comes at 5:00pm to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57pm. There’s something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn’t go out? Usually the IT department. “Why was the printer broken? Why couldn’t you fix it?”…not, “Bob, why did you wait until 5 minutes before your deadline?”

Then there are security breaches due to stupid people. Here’s a way to fix this:

Education and consequences.

Nobody takes security seriously because regular staff thinks that the IT guys are there to clean up the messes when they occur. What they don’t understand is that the IT department is not there to be a janitor or babysitter. The IT department is there to provide the information infrastructure to enable the company and to ensure the company’s information security. That doesn’t necessarily include end users.

My personal philosophy is that end-users should be punished severely for security breaches. Sure the IT department will fix the problem, but the person who clicked on the link (or opened the email) needs to pay a price for their behavior, otherwise they will continue to do it. Nearly every company has an IT AUP. Nearly every company says that you can be disciplined, including termination of employment, for violating the policy. Yet I have never worked at a company where day-to-day infractions (even those with security risks associated with them) were punished. Sure, every once in a while someone gets fired for surfing porn, or when their misuse of the system affects their ability to work (goofing off online for hours), but who gets fired for forwarding chain letters with flash animations in them? Nobody.

This absolutely has to change. If you had a receptionist who let random strangers in to wander the halls of your building she would be disciplined and probably canned. If you have a receptionist who forwards chain letters, clicks on suspicious links, downloads spyware and causes virus infections, the odds are nothing will happen to her.

Company officers think Information Security means securing the company with a firewall and looking out for hack attempts. They still don’t take Information Security seriously, and until they do, the rank-and-file won’t either.

Education alone is not going to do it. Education that is reinforced with consequences will.

Hackers: Nuisance or Necessity?

Friday, January 18th, 2008

Here’s a report I wrote back in 2002 for a Composition class. It’s kind of interesting to look back and read some of this stuff, so I thought I’d post it as well. Enjoy!

The word “hacker” brings several images to most people’s minds ranging from sweaty, pimple-faced kids with too much time on their hands, to malicious programmers who feel great satisfaction when defacing web pages and stealing credit card numbers. Near the middle of the 20th century, the word “communist”, to a lot of people, represented all the evil things in the world, and now at the beginning of the 21st century, hackers have been labeled the new age communists. For years, the media has helped to mislead the general public into thinking hackers stand for everything that is evil and unlawful on the internet.

Since the mid-1980s, media attention to technology has increased just as the industry of technology itself has increased. Media sources such as television, newspapers, and movies have used the word “hacker” in a negative way for as long as many individuals can remember. Media resources often have been the first time the vast majority of people had ever publicly heard the word “hacker” being used, which has been detrimental to how hackers are perceived. Unfortunately, many people feel there is a clear consensus that most of the stereotypes given to hackers are true. Only through the realization of what truly defines a hacker, examination of how hackers have contributed to the internet, and learning what hacking really is, can there be any chance of replenishing the soiled name that hackers have been given in the past.

It would appear to be pointless to attempt to change the minds of millions of people by skewing opinions to believe hackers are welcome users on the internet or hackers should be considered acceptable in today’s growing internet-influenced society. The US Department of Justice has created several laws regarding hacking on the internet including their own interpretation of what a hacker is. Newspaper articles are printed daily describing how hackers have illegally obtained credit card numbers, illicitly distributed copies of copyrighted proprietary software, and even obtained and used personal identities to perform unlawful acts in the internet community. In addition, according to Security Space, an internet security company, advertising networks such as Double Click, Link Exchange, and America Online benefit from “web bugs” placed on web sites to gather e-mail addresses and online purchasing habits.

Perhaps the most common misperception about hackers has been the word “hacker” itself. Popular, although negative, descriptions of hackers have included “a malicious meddler who tries to discover sensitive information by poking around”. The best choice for a negative description of the word “hacker” would be the word “cracker”. According to Eric Raymond, the President of the Open Source Initiative, a non-profit corporation that promotes and distributes free, open source software, the word cracker would be more fitting for the description of what most people envision a hacker to be “one who breaks security on a computer system or computer network”. The definition of hacking originated back in the 1950s as “a teenager who operates ham radios or tinkers with electronics” which pre-dated home computers by over 20 years. Presently, the correct definition of the word “hacker”, as supported by many long-time internet users, is “A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary”. One of the most appropriate ways to help reverse the stereotype that has shrouded hackers would include computer professors to start teaching the difference between “hackers” and “crackers” in public schools and universities. Discussion of hacking in a positive manner in a learning institution would help curb the trend of naming hackers as destructive internet users.

Countless internet users have been led to believe hackers have nothing to offer other than ways to steal credit cards and various methods to break into computers; on the contrary, hackers have always been an immeasurable asset to the internet community by creating software to aid in securing computers. By creating programs to check for vulnerabilities within networks and server computers, hackers have helped system administrators and network administrators find ways to more efficiently and effectively do their jobs. Notable creations by hackers are Linux, a free open-source operating system, and the Apache web server, a free open-source software. As of 1999, there were 12 million internet users using Linux as their primary operating system, and 63% of all web servers were Apache web servers. Linux and Apache have been tested several times against vulnerabilities and security, then directly compared to Microsoft’s operating systems and web server software, continually resulting in Linux and Apache being superior in comparison. Perhaps if more internet users and web site owners switched to using alternative operating systems and superior web server software such as Linux and Apache, the internet would be more secure against crackers.

Online privacy breaches, that have resulted from several credit card number databases being broken into by crackers, have also been a concern to many internet users. The ignorance of system and network administrators who are not imposing strict security measures on corporate and student databases has often resulted in even the most novice internet user accidentally stumbling into “protected” databases by typing a wrong character when entering a URL in a web browser. A disturbing fact associated with virtually unsafeguarded databases run by corporations is that most corporations sell personal data given to them in confidence by customers making online purchases, signing up for e-mail accounts, or running programs created by online businesses. In addition to the sale of personal information by corporations, personal information is also stolen via a “backdoor” in some programs built by large corporations often without a typical internet user knowing a program they’re using is stealing information from the internet user’s computer. If a typical internet user decided to create a program that steals information from another internet user, the program is then considered a virus by United States Cybercrime Laws. If hackers had not discovered the devious methods used by corporations to gather information, it is unknown what other illegal methods to gather information a corporation could have been presently using. In order to resolve the issue of corporations stealing information through “backdoored” programs, laws need to be enforced equally against corporations as much as the average internet user by the US Department of Justice and FBI.

Media sources such as television, newspapers, and movies continue to use the word “hacker” in a negative way and may not change their attitudes toward hackers unless people are more informed about what hackers are and what they have done for the internet community. The hacker community has lost much of the respect it has earned over time because of inaccurate journalism and unfair stereotypes; meanwhile, hackers have made the internet safer and more enjoyable for anyone who goes online. Unfortunately, persistent negativity being reflected on hackers and the hacker community continually tarnishes the way hackers are viewed by the general public.

In conclusion, educational institutions and media resources need to be persuaded to educate and inform individuals about what being a hacker means and what hackers have contributed to the internet. Over half of all web sites have relied on what hackers have freely given to the internet, so it could be said that the internet may not have grown into what it is today without the aid of hackers. Also, federal laws regarding “hacking” should be clarified by having computer experts help write laws, rather than rely on politicians who only know basic computing, and then rigorously enforced by law enforcement agencies such as the FBI and local police. Perhaps after professors and reporters have been familiarized with the word “cracker”, it may change their usage of the word “hacker” to include the various online definitions in which the word “hacker” had actually been intended, and hackers could finally command the respect they deserve.

IT Certifications – what are they really worth?

Monday, December 24th, 2007

I specifically avoid recommending them because I firmly believe their organization and the certificates they provide aren’t worth the paper they’re printed on (even if they provided PDF files). It’s also widely known amongst the technically literate which “schools” are little more than diploma factories (if you pay your $8 grand, hell, here’s your diploma! You’re now educated!) I’ve dealt with way too many “I have $CERT so I’m qualified to make six figures! Hire me or your company will wither and die!” types to mention.

A previous co-worker informed one of them that he should be a garbage man. Apparently, he was trying to string together an ethernet LAN without using a hub or switch (because that’s wrong or something) but instead by installing two network cards in each of the fifteen computers and cabling them one to the next to the next in a lovely bastardization of, I dunno, token ring with ethernet with thinnet with…?

What we need is a professional standards body that actually measures skills and mandates periodic skills reviews to maintain certification according to accepted industry guidelines. Practical examinations as well as an apprenticeship period would be preferable to ensure capability.

If I’m not mistaken, one can still go out and buy a CompTIA A+ certification book, schedule a time to take the test and be certified without ever actually opening the case on a computer, which was also the cause of the complete industry-wide invalidation of the MCSE certification when it came out. I’ve gone to school with people who have achieved an “A” in a PC hardware repair class, but couldn’t take apart a computer piece by piece, much less troubleshoot hardware issues.

Take for example Cisco certifications; the CCNA means nothing in a practical sense, but it does indicate that you have some grounding in networking fundamentals. Ok. So you can assist our network techs and troubleshoot problems at the LAN level. After a couple years experience you take the CCNP test. Now you’re able to move into the bigger office and assist our WAN techs and touch the real routers. A few years of this and you enroll in the CCIE program. Combine that with 10+ years in the trenches and suddenly four letters mean you can pretty much write your own ticket.

However if you somehow do manage to acquire even a CCIE but don’t have a decade’s worth of relevant experience you may as well have saved yourself the few grand and just taken your CCNA because, hey, you’re our new tape switcher.

Combine all this certification nonsense with HR people and management who don’t understand anything about the computer industry but who do recognize “industry recognized certification body” and associate it with “skilled professional” and make the leap to “qualified for this position” and you have a very large disconnect from reality, compound that a million fold and welcome to today.

I have already taken both of the CompTIA A+ certification tests (hardware side and software side) and passed them both on the first try. I couldn’t help walking away knowing that the questions were all based on what was read in a book and there was no hands-on part to the exam. I was honestly thinking about getting Linux+ certified, but what will it really mean to my current employer or a potential employer? So anyway, here I am preparing to take the Security+ exam through CompTIA. Not because I want to, but because that’s what is required of me when applying to move on to my University’s Masters in Science program. Couldn’t they just accept a $190.00 application fee or create a hands-on knowledge test?

Maybe someday they’ll change their outlook on it, but I don’t think that will happen any time soon.

The next generation and loans

Monday, December 3rd, 2007

I read an article somewhere a while back and it really frustrated me how the newer generation considers a loan “slavery”. As if they should be able to get a loan and never have to pay it back. This comes especially with educational loans, which I find to be quite amazing. It’s a strange twist in generation perception. No one says you have to buy a new car, when saving $200 for a tune-up on the old car will do just fine, or you fix it yourself. No one says you have to buy a new house, when the kids can double bunk in one room until more can be afforded later. And, no one says college is a right. Moreover, work full time, jump through the scholarship hoops, fill out those FAFSA forms, and reap the benefits of eventually earning your way through college, like I am.

At 0% to 7% on car to home loans, respectively, they’re complaining? No. The problem is they expect to have everything else everyone else has. Yes, the X and millennial generation kids never had it so good. It’s unfortunate they never realized just how hard it can be, financing your way through life by their own sweat and blood. You think student loans are your shackle and chains? If you take the time, you might see yourself in the mirror wielding the whip in your own hand.

Loan slavery? You’re a slave to your own devices. Apply to get some sort of governmental financial aid (FAFSA). Work harder to get better grades. After you’ve done that for a semester or two, do your research and apply for scholarships if you can’t afford school. The means are there so if you can’t do the little bit of work to get some sort of financial aid, then continue to get student loans and continue to call yourself a slave to your loan. Just don’t cry on my shoulder.

RIAA lawsuits – where do they come up with those numbers?

Wednesday, September 12th, 2007

If you steal a single apple from your neighbour, it’s not reasonable to argue that the risk of being convicted after having stolen a single apple from a neighbour is 1:1000000, so despite the apple being worth $0.20, you should be fined $200000. It’s an unconstitutional excess to put someone in debt for life for the crime of stealing a single apple.

A different problem is that when a huge part of the population is guilty of breaking a certain law, but the risk of being investigated is very low, and punishment very high, this has the effect of giving whoever decides who to investigate the power to essentially punish people at will.

Politicians should make law. Police should investigate. Courts should convict (or not). That’s the way it’s supposed to work. With filesharing and these RIAA lawsuits it works more similar to this:

Politicians make a law that a huge part of the population breaks regularly. Police essentially never investigate anyone for breaking it. Private companies are free to, according to their own criteria, decide who to investigate. Courts tend to convict (not surprising, since most people are guilty).

This puts a HUGE amount of power in the hands of those private companies. I’d guess in an average group of college students, that company is, currently, free to bankrupt for life anyone they choose to. Well, not EVERYONE but close enough. (certainly 90%)

Focusing on the real issues of vulnerability reporting

Thursday, April 5th, 2007

A lot of focus and time goes into how to report a flaw anonymously. But this is curing the symptom. The disease is the fact that you get to be a suspect if you report a bug – and might even be incriminated by it.

Many years ago some wise men in the air-traffic industry realized this. Often planes got into dangerous situations, but due to the risk of getting accused of being the wrongdoers and the risk of losing their jobs, no pilots would report these situations. The result was that the security of air-traffic was not improved. Sometimes these incidents caused people to get killed.

So they changed the rules. Today pilots can report all dangerous situations, without blame, even if they themselves caused the situation. Airports have such a briefing room where these reports are collected.

The reason for this is that human error in air traffic does happen. But by getting a clear picture of the situations you may be able to focus on helping them out. If pilots miss a sign on the runways, focus should not be on the pilot, but on the visibility of the sign. It doesn’t really matter if you say: Pilots should look out for signs or they should get fired. Next time an unlucky pilot misses the sign… bang.

Something similar could be done with IT security. Reporting a bug if you encounter it should be with the focus on fixing the bug. Not to blame the one who found it.

Remember the focus in this case is the flaw or bug, not the one who finds it. Unfortunately the case appears to be focusing on the man rather than the real issue. We do this in our daily life. It’s a part of human nature. But the bug never gets fixed… and then the really bad guy comes…

Choose your field wisely

Sunday, March 11th, 2007

There are those who are passionate about their choice of study in school and there are those that are not. I see the latter quite often in school and I’m not exactly certain as to why it is, but I have a few theories. People have been predicting a boom later on in the IT industry…right around 2010. My theory is that school counselors are pushing students in this direction because there haven’t been a lot of people actively seeking out a degree in IT. The reason behind the lack of interest varies, but there was, indeed, a lack of interest. Reasons include a lot of programming being outsourced overseas, a lot of companies that used to have an in-house IT staff deciding to start contracting that type of work out, and the dot-com bubble of 2000 popping, which left a lot of IT students looking for a new career outside of the IT field. New reasons for hiring IT staff include legislation such as HIPAA, SarbOx, and even some state laws that hold companies a little more liable for data loss/theft.

While it is good that people seem to be showing interest, there are those that are being pushed into an IT field that are only doing it because they were told it’s “going to get bigger” or a friend said they were talented because they could put up a web page “on teh intarweb”. At least in my geographic region, here are three good examples of why people who are not good at web design should not choose web design as a field of study. I have also met people who have an Associates in Computer Networking and couldn’t give me a brief description of how DHCP works or what 192.168.1.0/24 means. I have also met people who have an Associates in PC Systems and Support (repair) as well as A+ certified who do not know how to tear down a PC and put it back together again…because they’ve never done it. Sure you could google that stuff, but so can everyone else. A company does not hire someone for their googling abilities, they hire people because they are able to perform the job on their own.

Because of this, my fear is that the IT job market will be saturated with people who, well…just aren’t good at IT. If the market becomes saturated with those who shouldn’t be in the field, and just saturated in general, it will drive wages for the IT field down. Once again, this will cause a lull in the IT job market and we’ll be going through the IT hiring/reduction cycle once again.

My only hope for right now is that hiring managers will be able to wade through all of the potential IT hires and find those that really belong in the IT field. Unfortunately, knowing that I’ve seen ads in the paper looking for “someone with 10 years of xml and ruby programming experience”, “10 years of C sharp programming experience”, and “15 years of Linux experience”, I’m not so sure that’s going to happen. Either the hiring managers who posted those ads in the paper are absolutely clueless about their hiring criteria, or are completely unrealistic on their hiring criteria. Encourage your current IT staff to talk shop with potential new hires – make them part of the hiring process and have them ask questions that will allow them to learn about one’s technical abilities. This will keep non-tech people doing the hiring from falling into the buzzword trap. In return, this can help you in the long run to remove the potential for a lot of wasted time and effort in finding the right person for the job.

IT’s “gender gap”

Sunday, February 18th, 2007

This was a two-part article – here is part 1, and here is part 2 – a “solution”.

I think complaining there aren’t enough women in tech is disingenuous and a little condescending towards women. There has been a wide open door for women for years, self-taught, or otherwise. To claim otherwise ignores so many other attempts and programs.

The reason there aren’t more women in tech, self starters or otherwise is because they don’t want to be and aren’t interested! No program, encouragement, coercion or other methods will change that.

A reader writes: “Consider a telcom I worked for… In the mid-80s a memo was circulated admonishing IT for the “underutilized” women. An IT policy was thus implemented picking women from myriad other jobs (call centers, anywhere!). These women were given free training, often at universities and were given 6 weeks and more to be trained. Most of these women were looking at more than a doubling in salary, all they had to do was “participate”…Even with that policy, we could not even approach fifty percent of women in the IT work force.

As an aside, an unexpected (to management) side effect of this monumental effort was a flood of women (those that signed up), only a small fraction of whom had any interest at all in tech, and only a fraction of those hitting stride in any reasonable time join IT without even close to the skills necessary to contribute. We burned a lot of money to skew a population and saw productivity tank.”

It is no reflection of women’s abilities. But, as in the male population, many women are incompetent as are men. The difference isn’t in ability, it’s in the proportion choosing a field. For some reason more men choose computers, more women don’t.

Ultimately, if you build it (the program), they will come, but not in droves. Like it or not, there seems to be a difference in wiring between the sexes. And, as in any large population, there will always be exceptions. At least in my experience, IT welcomes women as much as men. In the meantime, these “special programs” only condescend to women who have chosen not to enter IT as a career choice. They do have the options today… they’re still not choosing it. Nudging them with these initiatives somehow implies their non-IT choices weren’t valid, or good.

These articles are as silly as wondering why more police officers don’t enter the tech fields or why more men aren’t choosing to be day care providers. They didn’t/don’t because they like being police officers better or aren’t interested in being day care providers.