So I'm reading over at Naked Security about Meetup.com suffering a DDoS over the past week, and a Meetup.com CEO post says:
The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated.
Amateurs with a sophisticated attack. Wait what? Dropping the S word gives me Sad face.
Anyway, this is a great chance for discussion on how a business would go about preventing DDoS and/or reacting to it at the moment it happens (assuming some or no prevention in the first place). DDoS is not *that* sophisticated of an attack, but prevention and reaction are often sophisticated. Oh, and expensive.
Having not actually worked at a company that suffered a DDoS attack, I'd only be guessing based on research and second-hand info, so I'll just sit around with some popcorn for the moment.
This is also a great opportunity for Meetup.com to show off what they *did* do for this sort of attack. Though I doubt they have a more technical blog, which is a shame.
by michael 03.05.14 at 7:55 AM in /general
Don't have things set up at home and need to probe an open port from inside a network? Try out portquiz.net, which listens on all TCP ports.
Need something to probe an external port (maybe because you can't hairpin to the external interface on your firewall)? Try out www.t1shopper.com/tools/port-scan/
I have no affiliation with these, nor do I attest to their legitimacy. Just tools available out on the web. I use these to test out logs/firewalls.
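The way I actually use a listen-on-everything host like portquiz.net is to check what my egress filtering lets out. Here is a small checker for that, added to this post as an example and not something from portquiz.net or t1shopper: it tries a TCP connect to a host on a list of ports, classifies each attempt as open, refused or dropped, and lists any port that connected although the (hypothetical, you supply it) egress policy says it should be blocked. The `open_local_listener` helper only exists so the classifier can be exercised offline.

```python
"""Outbound-port reachability check (added example, not from the original post).

Run from inside the network against a host that answers on every TCP port
(the post mentions portquiz.net) and compare the outcome per port with the
egress policy you believe you have. Every "open" port that policy says is
blocked is a gap in the firewall or in the policy, and both are worth a log line.

Assumptions: host name, port list and the allow-list are parameters you supply;
"portquiz.net" is only the default because the post mentions it.
"""
import socket
from typing import Dict, Iterable, List

OPEN, REFUSED, TIMEOUT, ERROR = "open", "refused", "timeout", "error"


def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        # An RST came back: the path is open, but nothing listens on that port.
        return REFUSED
    except socket.timeout:
        # Silently dropped, typical of an egress filter that DROPs rather than REJECTs.
        return TIMEOUT
    except OSError:
        # Name resolution failure, no route, host unreachable, and similar.
        return ERROR


def check_egress(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Probe each port in turn and return {port: outcome}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def unexpected_open(results: Dict[int, str], allowed: Iterable[int]) -> List[int]:
    """Ports that connected although the egress policy does not allow them."""
    allowed = set(allowed)
    return sorted(p for p, state in results.items() if state == OPEN and p not in allowed)


def open_local_listener() -> socket.socket:
    """Bind a throwaway listener on 127.0.0.1 so the checker can be tried offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Hypothetical policy: only web traffic may leave. Against portquiz.net every
    # port should come back "open" unless a filter in the path blocks it.
    policy_allows = {80, 443}
    res = check_egress("portquiz.net", [22, 25, 80, 443, 3389, 8080])
    for port, state in res.items():
        print(f"{port:5d} {state}")
    print("open but not in policy:", unexpected_open(res, policy_allows))
```

Read "timeout" as "probably filtered" rather than "blocked for certain": a slow path produces the same result, so bump the timeout before believing a drop.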
by michael 02.27.14 at 4:14 PM in /general
Just like Target, we're hopefully going to hear a lot more about the Neiman Marcus breach. Such as Sophos' Naked Security reporting on a Businessweek article: Neiman Marcus Hackers Set Off 60,000 Alerts While Bagging Credit Card Data. Quotes below will be from the Businessweek article.
...a spokeswoman for Neiman Marcus, says the hackers were sophisticated...
Has there ever been a newsworthy breach that was *not* described by the victim as "sophisticated?" Please, stop. Even if they were, please stop with the implied excuse that they were sophisticated and thus oh so hard to prevent so please sympathize with us. /fairmaidenindistressvoice
According to the report, Neiman Marcus was in compliance with standards meant to protect transaction data when the attack occurred.
Pray tell what data security requirements these were: internal? industry? PCI? And I require an explanation of why the requirements were met and yet an attack succeeded, not only in penetrating a network, but remaining in a network, planting code repeatedly on trusted devices, and exfiltrating card data. I'm not saying that security needs to be perfect or that requirements need to result in perfect security. But this is a gray line that needs to be spelled out. Otherwise I can make a shitty security policy, get hacked, and say the exact same line like it matters. "We were compliant with standards at the time the attack occurred." Something clearly broke down or was missed. I need to learn from that.
The company’s centralized security system, which logged activity on its network, flagged the anomalous behavior of a malicious software program—although it didn’t recognize the code itself as malicious, or expunge it, according to the report. The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.
This is always a security bugaboo just waiting to bite someone; and it *will* *always* bite someone. Either you turn this on and get things stopped that should be stopped...and almost certainly hamper maintenance or legitimate business and incur the wrath of business managers...or you let it run much looser and not get in the way of business and hope your eyeballs catch the bad things. This is always a tough proposition in anyone except the largest of companies. I do actually sympathize on this, while at the same time wishing they had done it correctly (which itself is a moving target).
“These 60,000 entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day,”
If there is an elephant in the room where we're talking about digital security, then there's a room outside the one we all look at, and inside *that* room is a larger elephant. And that elephant is alert tuning and watching. No product turns on and is correct out of the box. This means every organization has a different posture on those tools that throw alarms. This means every organization's alarm posture is dependent on their security staff. In addition, it is dependent on the security staff to sift through whatever alarms there are plus, when they can, sift through the false alarms just to make sure nothing weird is going on. All of this is hard, freakin' work; time-consuming work; and is never seen as a value-add to anyone except organizations whose security is core to their business. And if you think Neiman Marcus has it bad, visit any SMB in the country.
Should someone have noticed a nightly deletion of code off trusted devices? Maybe. I would kinda like to think so, but the realist in me is shaking his head in a not-positive fashion.
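The "1 percent of daily entries" framing is exactly why nobody eyeballing volume would see it. The thing a script can see that a tired analyst can't is cadence: the same host and rule firing once a night, every night. This is an added example (mine, not from the Businessweek article or the investigators' report) of that kind of pass over an endpoint-protection export: it parses constructed log lines, groups them by (host, rule), and flags pairs that recur on many distinct days while staying under a small share of the total. The log format, host names and rule names are made up for the example.

```python
"""Find the quiet, recurring alert buried in a noisy endpoint log (added example,
not from the original post or the breach report).

Volume-based review misses a pattern that is ~1% of the daily entries. Cadence
does not: a (host, rule) pair that fires on seven distinct nights at the same
hour is a strong signal regardless of its share of the total.

Assumptions: the 'ts host=... rule=... action=...' line format and every host
and rule name below are constructed; adapt parse_line() to the real export.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed sample: 700 one-off adware detections on 700 different workstations
# across a week, plus one register that has a binary "removed" at 02:10 every night.
SAMPLE_LOG = "\n".join(
    [f"2013-09-{d:02d} 10:{m // 60:02d}:{m % 60:02d} host=wks-{d * 100 + m:04d} "
     f"rule=adware_generic action=quarantined"
     for d in range(1, 8) for m in range(0, 100)]
    + [f"2013-09-{d:02d} 02:10:00 host=pos-0142 rule=unknown_exe_removed action=deleted"
       for d in range(1, 8)]
)


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Return (timestamp, host, rule) from one 'date time key=value ...' line."""
    date, clock, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, fields["host"], fields["rule"]


def persistent_low_volume(lines: Iterable[str], min_days: int = 5,
                          max_share: float = 0.01) -> List[Dict]:
    """Flag (host, rule) pairs that fire on >= min_days distinct days while staying
    at or under max_share of all entries; report how many days and the usual hour."""
    days_seen: Dict[Tuple[str, str], set] = defaultdict(set)
    hours_seen: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    total = 0
    for raw in lines:
        if not raw.strip():
            continue
        ts, host, rule = parse_line(raw)
        total += 1
        days_seen[(host, rule)].add(ts.date())
        hours_seen[(host, rule)][ts.hour] += 1
    findings = []
    for key, days in days_seen.items():
        count = sum(hours_seen[key].values())
        share = count / total
        if len(days) >= min_days and share <= max_share:
            findings.append({
                "host": key[0], "rule": key[1], "days": len(days),
                "share": round(share, 4),
                "usual_hour": hours_seen[key].most_common(1)[0][0],
            })
    return sorted(findings, key=lambda f: -f["days"])


if __name__ == "__main__":
    for finding in persistent_low_volume(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed data the 700 adware hits each touch a different host on a single day and drop out; the register shows up as seven days, about 0.99% of entries, usual hour 2. Whether a human then gets to the "why is code being deleted off a POS every night" question is the staffing problem the post is about.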
Sticking to the elephant in the room that contains the room; there is yet another one outside of even *that* room. And that room has a nastier elephant in it. This elephant does just one thing, he recites this litany: "If you staff a security team and they silently stop everything, the company will see them as unnecessary and cut back." Often, a business only "sees" IT when issues happen. If everything is smooth, then clearly their job is easy and they can absorb cutbacks. So you kinda want to be good, but not so good that everyone wonders if you're even doing anything. "I'm blocking attacks every day!" "Yeah, but *are* you really?" You gotta prove that to non-technical stakeholders.
“In an ideal world, your card-data network should be completely segmented from the general-purpose network,” said Robert Sadowski, director of technology solutions at RSA Security, a division of EMC (EMC). “Unfortunately, an ideal world is often different than reality.”
It's like we're on a safari, since that's another elephant in the corner! It's very easy to talk about segmentation and separation. It's easy to pad diagrams and plans and even sneak in talk about VLANs and traditional broadcast separation. But pull up those covers, and you'll see a long gray snout and sad black eyes looking up at you. True separation is difficult. It means a separate core, separate switches, separate virtualization hosts if you're a virtual shop, separate Internet links if you have many remote locations, or at least heavy separation with access control devices (ACLs or firewalls, pretty much) in place between the two. When you get strict about it, that shit gets expensive to a business very quickly.
Neiman Marcus was first notified of a potential problem on Dec. 17 by TSYS (TSS), a company that processes credit-card payments, according to the report. TSYS linked fraudulent card usage back to what’s called “a common point of purchase”—in this case, Neiman Marcus stores.
I always mention this as a way to say, "So, how was the breach noticed?" Kudos to the processors and banks and such for having fraud departments that investigate things like this. And those people who trawl carder sites for new caches of numbers and who try to identify where they come from and alert proper authorities. Clearly corporations are going to continue to need and rely upon this backwards alerting. "Oh crap, I'm glad someone was watching that pawn shop. I had no idea my house was broken into until someone said they saw my television in the pawn shop window." (Ok, that's not totally fair, since data isn't removed, rather copied...)
The Target hackers used a protocol known as FTP, for file transfer protocol, to extract the card data, Raff said. The Neiman Marcus hackers used custom hacking software and sent the data out through a virtual private network, or VPN, Raff said, based on facts from the report.
No. At this point I'm spent. I don't even want to go into how a VPN was set up on what I guess was the compromised central server that was in both protected and Internet-facing networks. (It's the former bit of that sentence that I don't like; not the latter; which is necessary.) However, kudos on the attackers for encrypting their exfiltrated data.
Nothing has been said about the initial breach into the network, but it's almost certainly that server that is internet-facing that was mentioned in the article. Here's hoping it's Windows running asp.net and not patched...
by michael 02.25.14 at 8:49 AM in /general
For the next year, we're going to hear a ton of speculation and details and suggestions and eventually facts on the recent Target data breach. Whee! It is, however, a personal pet peeve when expectations are made higher than they should be. Case in point follows!
So Target was breached, and Brian Krebs posted an article about how the attackers may have (read: probably) piggy-backed into the Target network by using the credentials of a third party vendor who apparently provided project management services (or HVAC services, the actual business relationship details are vague) to Target and thus had the ability to remotely connect to Target's network. Makes sense!
Sophos' Naked Security blog jumps in as well with Did the crooks who broke into Target tailgate the cleaners? and A hearty welcome to all Cyberoamers!
The combination of these articles triggers a few thoughts.
First, it's "easy" to require two-factor authentication for individual users. It's more difficult to require it for an entire vendor. Who at the vendor gets the other auth factors? Do they share them? Is it software-based? There are logistics questions going on here that make this an annoying task, especially when something like this is planned, requested, and completed more than likely without any oversight in many companies. This is because it's easier to just do it, and not involve cost centers like security.
Second, I don't want alarms on remote connections occurring at 2am. I'm sorry, a firm may not have any business connecting at that time (this is why you time-box accounts or the remote connection portal), but sometimes someone may be burning the midnight oil and I don't want to spend much time chasing these things down every morning when I check out my SIEM dashboard. Yes, you should log these. No, these aren't valid alarms that should have, on their own, scrambled the security teams.
Third, HVAC and/or physical equipment vendors do routinely require some sort of remote access. This isn't strange or rare, and is probably especially true when your business owns and operates, in full, building facilities in hundreds of locations.
Fourth, it's probably not uncommon that the same pipes that connect remote facilities vendors to your remote facilities also connect your payment and data communication to your remote facilities. It's annoying (not impossible, but highly annoying and costly) to get those truly separated. In other words, I think it would be, very strictly speaking, very annoying to truly segregate retail payment in-scope systems and networks from those that are not in-scope for PCI. This is because it's easier to just do it, and not involve cost centers like security and IT, which then have to solve the above headaches, and I can tell you it won't affect the retail business revenues in any positive way.
Now, I'll admit I'm nitpicking here. The major questions still remain, as the articles all ask: Why did this third party have access to not only, apparently, the full internal Target network, but access into every remote facility? (I know, it's easier to just make normal accounts than to take the time to lock them down or limit their scope with whatever remote access tools you're using.) Why are the payment systems not segregated? (Despite being annoying, this is *still* a valid question to keep on the table.) Where was the rest of the monitoring such as on POS systems, netflow traffic egress, and so on?
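To make the second and fourth points concrete, here is what "time-box the account, limit its scope, log the 2am login but don't page anyone for it" looks like as a triage rule. This is an added example of mine, not anything from Krebs, Sophos or Target: each vendor account carries a validity window, business hours and the list of segments it is allowed to reach; a login by a valid, in-scope account off hours goes to the log bucket, while a login outside the validity window (the account should already be disabled), a connection to a segment outside scope, or an unknown account goes to the alert bucket. The account table, segment names and events are constructed.

```python
"""Time-boxed, scoped vendor remote access with tiered alerting (added example,
not code from the original post or from any of the companies it discusses).

Tiers: "ok" needs no attention, "log" is kept for the morning review without
an alarm (the 2am-but-legitimate case), "alert" is the only bucket that pages.

Assumptions: the VendorAccount table, segment names and events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple

OK, LOG, ALERT = "ok", "log", "alert"


@dataclass
class VendorAccount:
    name: str
    valid_from: datetime                      # start of the engagement
    valid_to: datetime                        # account is disabled after this
    business_hours: Tuple[time, time] = (time(7, 0), time(19, 0))
    allowed_segments: Tuple[str, ...] = ()    # the scope this account was granted


def classify(event: Dict, accounts: Dict[str, VendorAccount]) -> Tuple[str, str]:
    """Return (tier, reason) for one remote-access event."""
    acct = accounts.get(event["user"])
    if acct is None:
        return ALERT, "unknown vendor account"
    ts = event["ts"]
    if not (acct.valid_from <= ts <= acct.valid_to):
        return ALERT, "login outside account validity window (should have been disabled)"
    if event["segment"] not in acct.allowed_segments:
        return ALERT, f"access to segment {event['segment']} outside granted scope"
    start, end = acct.business_hours
    if not (start <= ts.time() <= end):
        return LOG, "off-hours login by a valid, in-scope account"
    return OK, "in scope, in window, business hours"


def triage(events: List[Dict], accounts: Dict[str, VendorAccount]) -> Dict[str, List[Dict]]:
    """Bucket events by tier so the morning review reads only the alert bucket."""
    buckets: Dict[str, List[Dict]] = {OK: [], LOG: [], ALERT: []}
    for ev in events:
        tier, reason = classify(ev, accounts)
        buckets[tier].append({**ev, "reason": reason})
    return buckets


# Constructed data: one HVAC vendor account valid for Q1 2014, scoped to the
# building-systems segment only.
ACCOUNTS = {
    "hvac-vendor-svc": VendorAccount(
        "hvac-vendor-svc", datetime(2014, 1, 1), datetime(2014, 3, 31, 23, 59),
        allowed_segments=("bms-hvac",)),
}
EVENTS = [
    {"ts": datetime(2014, 1, 15, 10, 5), "user": "hvac-vendor-svc", "segment": "bms-hvac"},
    {"ts": datetime(2014, 1, 15, 2, 3), "user": "hvac-vendor-svc", "segment": "bms-hvac"},
    {"ts": datetime(2014, 1, 16, 2, 9), "user": "hvac-vendor-svc", "segment": "pos-store-0412"},
    {"ts": datetime(2014, 4, 2, 11, 0), "user": "hvac-vendor-svc", "segment": "bms-hvac"},
    {"ts": datetime(2014, 1, 16, 9, 0), "user": "mystery-acct", "segment": "bms-hvac"},
]

if __name__ == "__main__":
    for tier, items in triage(EVENTS, ACCOUNTS).items():
        print(tier.upper())
        for it in items:
            print("  ", it["ts"], it["user"], it["segment"], "-", it["reason"])
```

The scope check comes before the hours check on purpose: a 2am login to the HVAC segment is a log line, a 2am login to a POS segment from an HVAC account is an alert whatever the clock says. The "outside validity window" alert is really a control failure (the account was supposed to be disabled), which is worth its own follow-up.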
Damn, IT and security cost so much money! :)
by michael 02.10.14 at 2:33 PM in /general
I thought I would get one last post on this site before 2013 rolled over, but much like most of 2013, I didn't get anything out. There have been a few reasons for this, which I may as well throw out for posterity.
1. Not much new to say about security. Eventually, you do kinda get sick of the same old thing in security. Lots of people whine about this and say we're not innovating or doing security in some new way that will win the War. I think that's a lame way to look at it, and not correct at all. It's not like security/insecurity evolves on its own; both are functions of technology in general, and follow along behind. And there's no real win there; security will *always* be behind the curve. But still, it does get annoying when you have really nothing actually *new* to say.
2. Fucking Google killed Reader and fucking Twitter killed older API-using clients. My dearth of posts on this site corresponds to my lack of posts on Twitter. This is because, at nearly the same time, Google killed my preferred RSS feed reader of choice (and by preferred, I mean, preferred by a long shot) and Twitter shut off support for their older API, which killed my preferred Twitter client of choice, DestroyTwitter. I liked DestroyTwitter because it worked on both my Linux and Windows systems as a standalone client. I really have yet to *like* any others I've tried. I've sort of moved to Feedly for RSS feeds, but I just haven't made it a normal part of my day/week like Google Reader was. I have yet to adopt a new Twitter client. Both of these make me feel very disconnected.
3. Been a busy year in general for me, both personal and work. Work has been busy with lots of changes and...challenges. On the personal front, I've just kept my interests elsewhere for the most part. The older you get the more you realize you only have so much time in a day. Tinkering with security-related stuff sort of took a backseat for the year after Twitter and Google cut me off. I've hung out in the main lobby, but have not delved deeper into back rooms.
No really huge, big, crazy reasons. Just sort of a break, which I do every now and then since I've had a blog of some sort since 2001 or so.
by michael 01.03.14 at 9:56 AM in /general
Probably the worst thing about business-to-business (B2B) security questionnaires is that you know 90% of them are being required, but never really reviewed. You can sort of answer anything, and as long as you have a "yes" or check mark of any sort, the reviewer isn't smart enough to dig further. (Kinda like PCI QSAs!). Because of this situation where not-smart people are reviewing these answers, there are some questions I dread. Especially when someone gets a burr up their ass about better answering a question they don't understand. I.e. achieving that checkbox!
So, what is your least favorite question to read on B2B security questionnaires?
For me, it is any question that involves DDoS protection. I work for an SMB. Our DDoS protection is pretty much hitting the low items. 1) We monitor bandwidth and servers and services to know when any are saturated or having resource issues. 2) We will work with our upstream ISP in the event we need their help in limiting inbound traffic to us. 3) Our standard for systems and processes is to provide for both high availability and disaster recovery/BCP. (In fact, we're pretty nicely set up that way for an SMB of our size.) 4) As a bonus, we do have some capability to do some traffic threshold monitoring, shaping, and shunning with our firewall/IPS and web load balancer combo, but that is only after the traffic makes its way to us.
But if someone wants that answer to be better and more pro-active, you cause me to drink some more. Because what that really says is I should spend a good 100-250k on DDoS protection software (that won't itself promise anything anyway) and a staff member to hold its hand, so that our checkmark in that DDoS box is a little more heavily outlined (and yet still not necessarily truthful). And even with that spend, there are multiple other places where a DDoS may occur. Wireless access on our campus. Email blasts. Legitimate traffic that exceeds what anyone planned for that fills our bandwidth/drops our firewalls/keels over web servers/overwhelms database servers/etc. Most of the time people who think about DDoS are just thinking about junk traffic filling up their Internet bandwidth, or maybe one step further and looking for known, singular resource-gouging attacks like a ping of death or SlowLoris or something. But, what about poorly written code in your custom application that bogs down resources that no tool is going to drop into place and automatically detect because, well, it's custom code?
Anyway, coming in a close second to DDoS questions are Web App Firewall questions. Sure we have one, but is anyone actually making it useful to the custom apps it is protecting? Nope, not beyond the obvious like a 1000+ character URL (Apache issue from 10 years ago) or a GET for root.exe...
by michael 01.03.14 at 8:43 AM in /
If you collect annual security and threat reports like I sure do, you'll want to not miss the Sophos Security Threat Report 2014 like I did. If you follow the security news all year, nothing in here is particularly surprising, but a report like this is nice to whip out when a middle-manager wants to defend Android in the enterprise as being secure (da fuq?) or some other such nonsense. Happy reading!
by michael 01.03.14 at 8:36 AM in /general
Interesting story for those of us who administer IIS 7+ web servers: "The Curious Case of the Malicious IIS Module" from SpiderLabs. As sort of shown in the article, even an SSL-wrapped site isn't safe, since once you're inside IIS, you're actually behind the SSL encryption process which is handled in the OS starting with IIS 7/Win2008. Even in earlier versions, getting that far gives you unencrypted visibility, pretty much.
The up side is if someone has this level of access to drop a new IIS module on your web server, they likely have access to just flat out change your code. So other than particularly nefarious attackers or automated tools that just do it for them, I'd not expect to see rogue IIS modules. However, this is definitely something to look for in modern IIS web servers and something to inventory and poll and alarm on anything new appearing.
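Since the practical takeaway is "inventory the modules and alarm on anything new", here is one way to do that poll. It is an added example of mine, not code from the SpiderLabs article or from Microsoft: IIS 7+ lists native modules under `<globalModules>` and the modules enabled per site under `<modules>` in applicationHost.config (normally under `%windir%\System32\inetsrv\config`), so the script parses that XML, compares it with a known-good baseline, and reports modules that are new, whose image path changed, or whose DLL lives outside the inetsrv directory. The baseline and the sample config are constructed; only the XML layout is IIS's own.

```python
"""Inventory IIS native and managed modules and diff against a baseline
(added example, not code from the SpiderLabs article or Microsoft).

Assumptions: BASELINE and SAMPLE_CONFIG are constructed for the example.
On a real server, build the baseline from a freshly installed box and point
the script at %windir%\\System32\\inetsrv\\config\\applicationHost.config.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed known-good baseline: module name -> native image path or managed type.
BASELINE: Dict[str, str] = {
    "HttpLoggingModule": "%windir%\\System32\\inetsrv\\loghttp.dll",
    "StaticFileModule": "%windir%\\System32\\inetsrv\\static.dll",
    "DefaultDocumentModule": "%windir%\\System32\\inetsrv\\defdoc.dll",
    "FormsAuthentication": "System.Web.Security.FormsAuthenticationModule",
}
TRUSTED_DIR = "%windir%\\system32\\inetsrv\\"   # native images are expected under here

# Constructed applicationHost.config fragment with one module that is not in the baseline.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="UsageStatsModule" image="C:\ProgramData\stats\usage.dll" />
    </globalModules>
  </system.webServer>
  <location path="" overrideMode="Allow">
    <system.webServer>
      <modules>
        <add name="HttpLoggingModule" lockItem="true" />
        <add name="UsageStatsModule" />
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""


def load_modules(xml_text: str) -> Dict[str, Dict[str, object]]:
    """Return {name: {"image": str, "type": str, "enabled": bool}} from config XML."""
    root = ET.fromstring(xml_text)
    mods: Dict[str, Dict[str, object]] = {}
    for section in root.iter("globalModules"):           # native modules registered with IIS
        for el in section.findall("add"):
            mods[el.get("name")] = {"image": el.get("image", ""), "type": "", "enabled": False}
    for section in root.iter("modules"):                 # modules actually enabled (site/global)
        for el in section.findall("add"):
            entry = mods.setdefault(el.get("name"), {"image": "", "type": "", "enabled": False})
            entry["enabled"] = True
            if el.get("type"):
                entry["type"] = el.get("type")           # managed module: .NET type name
    return mods


def audit(modules: Dict[str, Dict[str, object]], baseline: Dict[str, str],
          trusted_dir: str = TRUSTED_DIR) -> List[str]:
    """Compare the inventory with the baseline and describe every deviation."""
    findings: List[str] = []
    for name, info in modules.items():
        image = str(info["image"])
        if name not in baseline:
            what = image or str(info["type"]) or "(no image/type)"
            findings.append(f"NEW module not in baseline: {name} -> {what}")
        elif image and image.lower() != baseline[name].lower():
            findings.append(f"CHANGED image for {name}: {image} (baseline {baseline[name]})")
        if image and not image.lower().startswith(trusted_dir.lower()):
            findings.append(f"native image outside inetsrv: {name} -> {image}")
    for name in baseline:
        if name not in modules:
            findings.append(f"MISSING baseline module: {name}")
    return findings


if __name__ == "__main__":
    # Usage: python iis_modules.py [path\to\applicationHost.config]
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for line in audit(load_modules(text), BASELINE):
        print(line)
```

Scheduling this and shipping the findings to whatever collects your logs covers the "poll and alarm" part; the baseline has to be refreshed when you legitimately add a module, which is a good forcing function for change control on web servers anyway.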
by michael 01.03.14 at 8:27 AM in /general
An article posted by eWeek titled, "10 Disruptive Online Services Enterprises Should Ban From the Network", is just ripe for looking at. And I'm not even going to start on the overly blatant buzzword forced into that title.
0. Just to start out, I dislike when "security" and "productivity" get thrown into the same discussion, especially in front of the IT folks. Security is an IT concern (and everyone's if you want to get picky), but productivity is a managerial (and corporate/HR) concern. Not an IT one. So we're already muddying the waters on this topic.
00. Oh, and I should also mention that more than likely many years ago, the phone was probably considered a time waster as well. How dare people have the chance to make personal phone calls during work time! For shame.
1. YouTube -
I agree that YouTube is a time-waster. And one can also make the case for it being a bandwidth drain. But keeping employees away from YouTube can be a bit of a forced disconnect with the rest of the world. Need to check out a song quickly and easily? YouTube. Need to check out a commercial or ad from the past? YouTube. Need to network with clients and their userbase? Need to watch a vendor video on how to implement a new appliance? Conference talk you missed on physical security? YouTube is a remarkable site with a multitude of personal and professional uses for almost every employee at some point during their tenure.
2. Facebook -
Again, I'll agree there are people who waste way too much time on this site. But, I'd say there are plenty of people who do network via Facebook, even so much as researching potential clients or contacts. Yes, this is still the realm of marketing and sales (and maybe anyone who touches clients/customers), but it's really silly when a company has a marketing team with a Facebook presence, but does not allow employee access to Facebook. I mean, really? Do you *really* value it, in that case? Would it not be helpful to have "free" Likes from your employees (without begging for it, of course)? I'd agree, though, that many people don't really have any work reason to be on Facebook other than personal reasons.
000. Back in the day, network admins got serious about security and started putting up firewalls. Eventually, enlightened users started tunneling the services they wanted. Later on, IT (and HR) started blocking personal sites as time wasters. So employees worked around it by riding the mobile and particularly cell device wave. There's a lesson in there...
3. Twitter -
Twitter is not for everyone, but I find more work-related value in Twitter than personal. There have been numerous times that I've heard about a breach or new 0-day or patch via the masses on Twitter. There have been times I've been really early in explaining some outage because the vendor/site/service had a Twitter feed I could check. This takes some personal energy to make it useful in a work sense, but it's ridiculous to block it these days.
4. Social gaming sites -
No argument here on this one. :) Why might a company not block these? Maybe because it costs money to block sites; costs time to administrate it; and the chosen vendor may not be all that great at blocking them all. There are technology reasons for lack of coverage. Just sayin'.
5. Adult-oriented sites -
6. Vine social video-sharing site -
I admit. My first reaction: "Vine what?" So I can't really say why this is good or bad, but the article didn't even begin to convince me this is bad.
7. Any shopping site with poor security and a worse reputation -
What? No really, what? This paragraph doesn't make sense. Anyway...this is still pretty dumb. No IT or security person wants to play ethics cop on sites, and then argue with users about it when they can't buy whatever just because the site looks like it was made in 1997. This is why we rely on categories and the people/algorithms behind the scenes at the vendors to make these decisions. And even then, unless a site has a clearly detailed infraction, a user won't understand the block and will raise a stink. It's just not worth the time, usually. (I'm sad the author didn't tap into the benefit of IT helping keep employees safe by not allowing them to put their personal financial data at risk with known bad sites, but whatever. It's a feel-good bit of theater to present it that way.)
8. Pandora -
We can again take the bandwidth angle here, but if you, as a company, want to take the stance of being anti-Pandora, you're really taking the stance of being anti-streaming music. And good luck blocking them all. The benefit of employees being able to just listen to what they want and do their work is probably worth it. I mean, how many employees spend *that* much time curating their music libraries?
9. Security software sites -
This bullet point pretty much tells me the author has not ever been a security or IT admin, or even desktop support for a decent company. The answer to this is not to chase down and block sites, but to restrict access on the endpoint system. And for those who do desktop support, it would really suck to have some big issues that needs cleaning while sitting at the user system, and not be able to get to a site for information or tools or updates. For users who are admins, this is where we talk about software inventory, policy, and auditing.
10. Anonymizer web tools -
This item does have merit. But at some point we're talking about wasting some poor admin's time chasing down these tools, rather than having managers do their job with managing employees and their productivity. Or auditing surfing habits and enforcing computer usage policies. And to block "online instructions?" You mean scour forums and block any that offer any proxy/VPN solutions to the common question of how to bypass work filters? If a web filter has this as a category, it probably can be turned on, but more than likely you want a web filter that inspects the data flows and drops unknown protocols/tunnels. Nonetheless, if an employee is actively making this sort of effort to bypass policies, that should be more than enough to involve HR/management.
0000. No Skype? No IM? No Dropbox? No Gmail? No gun sites? No hate sites? No known malware sites? What the fuck, man? That's not even WTF, that's "What the fuck?"
by michael 05.06.13 at 9:24 PM in /general
Curious about SSL Best Practices? Qualys has a regularly-updated "SSL/TLS Deployment Best Practices" file with some good information. I like that the best practices include mention of practical concerns in addition to security ones. For instance, not to use private keys larger than 2048 bits. I've forged forward on my own to use 4096-bit keys, and I can attest to significant performance issues due to it. Also, I'm glad for the very brief EV SSL mention; I'm not sold that it's useful enough to talk about. I personally recommend not spending the money on them unless your customers are asking for a green browser address bar...
The only thing I wish this doc contained would be more insight into common secure and insecure cipher suites. Now, I know SSL tools will do this and many systems rename ciphersuites into weird names for no real reason, but it would be nice to just get a dumped list. For a doc that is useful to slam down on a CIO or developer or sysadmin desk, it would be welcome. Props, though, to suggesting SSL eval tools, which will help a sysadmin do the same thing, just with a little bit of sweat and time expense.
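For the "just give me a dumped list" wish, the OpenSSL-backed `ssl` module in Python can enumerate the suites a context enables, and a few coarse name-based rules cover most of what the doc says to avoid. This is an added example of mine, not part of the Qualys document and not its rating logic: it lists the suites in Python's default client context with OpenSSL names, protocol and key strength, and grades each one (anonymous, NULL, export, RC4, DES/3DES and MD5 suites as weak; ECDHE/DHE and TLS 1.3 suites as providing forward secrecy). The grading rules are this example's own approximation.

```python
"""Dump and grade the cipher suites enabled in a TLS context (added example,
not part of the Qualys document; the grading rules are a coarse approximation
of its advice, not Qualys's rating logic).

Requires Python 3.6+ for SSLContext.get_ciphers().
"""
import ssl
from typing import Dict, List, Optional

# OpenSSL cipher-name tokens that mark a suite as one to drop.
WEAK_TOKENS = frozenset({"NULL", "ADH", "AECDH", "RC4", "DES", "MD5"})  # "DES" covers DES-CBC3 (3DES)
# Key-exchange tokens that give forward secrecy; TLS 1.3 suites (TLS_*) always do.
PFS_TOKENS = frozenset({"ECDHE", "DHE", "EDH"})


def grade_cipher(name: str) -> Dict[str, object]:
    """Grade one suite by its OpenSSL name."""
    upper = name.upper()
    tokens = upper.split("-")
    weak = bool(WEAK_TOKENS.intersection(tokens)) or any(t.startswith("EXP") for t in tokens)
    pfs = upper.startswith("TLS_") or bool(PFS_TOKENS.intersection(tokens))
    if weak:
        grade = "weak"
    elif not pfs:
        grade = "acceptable, no forward secrecy"
    else:
        grade = "good"
    return {"name": name, "weak": weak, "forward_secrecy": pfs, "grade": grade}


def audit_context(ctx: Optional[ssl.SSLContext] = None) -> List[Dict[str, object]]:
    """Grade every suite enabled in a context (default: Python's default client context)."""
    ctx = ctx or ssl.create_default_context()
    rows: List[Dict[str, object]] = []
    for info in ctx.get_ciphers():          # one dict per enabled suite, from OpenSSL
        row = grade_cipher(str(info["name"]))
        row["protocol"] = info["protocol"]
        row["bits"] = info["strength_bits"]
        rows.append(row)
    return rows


def weak_suites(rows: List[Dict[str, object]]) -> List[str]:
    """Names of the suites graded weak, for the summary line."""
    return [str(r["name"]) for r in rows if r["weak"]]


if __name__ == "__main__":
    table = audit_context()
    for r in table:
        print(f"{r['name']:40s} {r['protocol']:8s} {r['bits']:4d}  {r['grade']}")
    print("weak suites enabled:", weak_suites(table) or "none")
```

To check a server's configuration rather than the local client, build the context with `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` and call `set_ciphers()` with the server's configured cipher string before auditing; the grading is the same. Actual negotiation order and the server's preference still need one of the SSL eval tools the doc points to.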
by michael 04.24.13 at 7:40 PM in /general
I feel dirty linking to Wired these days, especially since the article isn't very informative beyond this blurb:
...Nosal never was accused of traditional hacking. Among other things, what the jury concluded was that he coaxed, sometimes through monetary payments, his former colleagues at Los Angeles-based executive search firm Korn/Ferry International to access the firm’s proprietary database and provide him with trade secrets to help him build a competing firm. Those associates cooperated with the government and were not charged.
by michael 04.24.13 at 7:34 PM in /general
A few weeks ago a new physical attack against Cisco phones was announced [YouTube clip]. A few days ago, this was detailed further in a 29C3 presentation by Ang Cui and Michael Costello [YouTube clip]. And even just today, this news has hit the mainstream news waves because of how cool it is to watch a phone be pwned and be turned into a silent eavesdropper, recording conversations without any indication the mic is engaged. And this, of course, means questions from non-technical people who sometimes are important enough to need some pragmatic answers quickly!
The 29C3 preso is excellent, but very technical. The shorter vid up above is nice, but doesn't quite give enough information for a proper risk assessment. (There are a scattering of other articles on this topic, but nothing that brings anything new beyond talking about the mic issues, and really not anything worth mentioning from any incident response/vuln announcement outlets... Cisco has an advisory or two, but I don't have the time at the moment to look that up.)
To me, there is one major issue, which then can be leveraged in 2 attack scenarios. There are actually more issues, but for anyone who is not a pen-tester or Cisco, there is really just one main one to look at. If the others are important to you, then you're going to be technical enough to digest them from the preso.
- The big issue: privilege escalation/kernel exploit where someone with access to the phone can become root and run whatever they want on the phone.
- Physical attack by plugging a device into the rear ethernet jack on the phone and then executing arbitrary code to own the phone, leveraging item #1.
- Local network ("remote") SSH authentication bypass by impersonating the TFTP server the phone interrogates for authorized SSH user keys, and then leveraging item #1. (skip to 38:00 in the preso.)
This distills down to a few talking points.
- The physical attack is neat, but has a few components to it. First, the attack tooling hasn't (to my knowledge) been made public yet, so many people know this is possible, but don't have the tools (yet) to do anything about it. Second, Cisco will certainly be working to patch the issue. Third, leveraging item #1 above requires some sort of access, either physical or local network, to a target phone.
- Even if the "eavesdropping mic" attack is successful and the attacker turns on the mic, the recorded data still needs to be sent somewhere for the attacker to listen to or retrieve. This is possible in many ways, but keep in mind the above presentations pretty much avoid that hurdle.
- These phones are basically little computers. If an attacker can take control of it, they can do the same things from it that they could by using a rogue or compromised system on a network. The "eavesdropping mic" is just one of many ways the compromised phone could be used.
- Physical security is still paramount, even for phones placed in semi-public locations.
- Keep unauthorized devices off your network so they aren't able to do things like impersonate TFTP servers or make SSH attempts to your phones. In addition, make sure your network monitoring is set up to let you know when even someone authorized tries to do suspicious things. This isn't new.
- It's up to Cisco to fix the privilege escalation and other various issues in their firmware.
- Always be vigilant and report any strange devices, electronics, dongles, or other things hanging off phones or systems, or plugged into jacks that aren't normally used or have not been sanctioned/installed by your local IT. And even then, question what things are in case an insider is planting devices.
The tough part of assuring security for phones like this is their closed nature. Do we have logs shuttled somewhere to watch for events like firmware replacements, for instance? How do we know firmware has been replaced? Or when the Flash/ROM has been tampered with? Or when audio data is going to a weird place on the network? Basically, similar questions we have of any device we can't properly manage quite as deeply as a server, or have our management abstracted out to someone else's centralized management that probably has not accounted for these sorts of questions.
And to throw what many non-technical people will claim is FUD (and is mentioned in the preso, kudos!), this issue has been present for 6 years. Go ahead and think about that one for a bit! :)
by michael 01.04.13 at 11:49 AM in /general
News has passed around about a BusinessWeek article talking about getting rid of the "Reply-All" button in email programs. I think this is an interesting discussion topic.
Is the problem a reply-all button, or the behavior of workers to pass along stupid information? Is that a failure of management to control it and teach employees? Should it even be a problem to worry about? Also, is there *any* value in the reply-to-all function? I know I use it for work-related stuff.
A user is mentioned in the article as being proud of having a verbal agreement not to use the reply-all button, but is that a passive-aggressive way to blame a human problem (passing on garbage) on a silly function? Shouldn't you have talked to your employees and made a gentleman's agreement not to abuse the email system with garbage? Be direct about the problem; don't sidestep it and blame the reply-all button. Be smart and look at your damn recipient list. There is plenty of time between when "reply-all" is pressed and the moment the email is completed and then sent.
You can probably fix a lot of it by reporting those emails and creating custom rules to deny certain key phrases, but that's a lot of custom work for your mail admin(s).
Is it a corporate culture thing? Would there be less spam if users knew that their managers could read their email?
Is the problem email in general? Email sometimes feels so outdated, but it's still a great "push" mechanism for information. Today's socially collaborative settings can vote down (or just not vote up) such unnecessary garbage, but then we get into all sorts of popularity issues with long-term usage. And this whole "like" but no "dislike" thing makes us all just too timid. (Or conversely, only leaves childish YouTube comments as the non-timid crowd.)
Anyway, it's an interesting discussion point. Automation, which is ultimately what "reply-all" is (makes it faster to input all the participants in an ongoing discussion), makes needed actions easier, but also makes boneheaded actions easier.
by michael 11.25.12 at 7:40 AM in /general
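An added example for the reply-all post above (example code, not from the original post): one way to turn the "custom rules to deny certain key phrases" idea into a filter a mail admin could run. The phrase list, the recipient threshold of 10, and the three sample messages are constructed assumptions. It denies only when a message is both widely addressed and carries a noise phrase, so a one-to-one "unsubscribe" note to a list owner, or a genuinely useful reply-all, still gets through.

```python
"""Flag reply-all noise by key phrase plus recipient count.

Added example for the "Reply-All" post; not code from the original post.
NOISE_PHRASES, RECIPIENT_THRESHOLD and the sample messages are assumptions.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Phrases that almost never belong in a message sent to a large list (assumed list).
NOISE_PHRASES = (
    "please remove me",
    "unsubscribe",
    "stop replying all",
    "stop hitting reply all",
    "me too",
)

# A message addressed to this many distinct people or more is a storm candidate (assumed).
RECIPIENT_THRESHOLD = 10


def recipient_count(msg: EmailMessage) -> int:
    """Count distinct addresses across the To and Cc headers."""
    addrs = set()
    for header in ("To", "Cc"):
        for hdr in msg.get_all(header, []):
            for a in hdr.addresses:
                addrs.add(a.addr_spec.lower())
    return len(addrs)


def noise_phrase(msg: EmailMessage) -> Optional[str]:
    """Return the first noise phrase found in the plain-text body, else None."""
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body is not None else "").lower()
    for phrase in NOISE_PHRASES:
        if phrase in text:
            return phrase
    return None


def classify(raw: str) -> dict:
    """Classify one raw RFC 822 message as "deny" or "allow".

    A key-phrase match alone is not enough: a one-to-one "unsubscribe"
    request to a list owner is legitimate, so both conditions (wide
    distribution and a noise phrase) must hold before we deny.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    count = recipient_count(msg)
    phrase = noise_phrase(msg)
    verdict = "deny" if (count >= RECIPIENT_THRESHOLD and phrase) else "allow"
    return {"verdict": verdict, "recipients": count, "phrase": phrase}


# Constructed sample messages (not real mail).
WIDE_TO = ("To: all-staff@example.com, bob@example.com, carol@example.com, "
           "dave@example.com, erin@example.com, frank@example.com\n"
           "Cc: grace@example.com, heidi@example.com, ivan@example.com, "
           "judy@example.com, mallory@example.com\n")

STORM_REPLY = (
    "From: alice@example.com\n" + WIDE_TO +
    "Subject: RE: RE: RE: Parking lot closure\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\n"
    "Please remove me from this list.\n"
)

LEGIT_UNSUBSCRIBE = (
    "From: alice@example.com\n"
    "To: list-owner@example.com\n"
    "Subject: unsubscribe\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\n"
    "Please remove me from this list.\n"
)

USEFUL_REPLY_ALL = (
    "From: bob@example.com\n" + WIDE_TO +
    "Subject: RE: Parking lot closure\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\n"
    "The north lot reopens Monday; use the south entrance until then.\n"
)

if __name__ == "__main__":
    for name, raw in (("storm", STORM_REPLY),
                      ("legit unsubscribe", LEGIT_UNSUBSCRIBE),
                      ("useful reply-all", USEFUL_REPLY_ALL)):
        print(name, classify(raw))
```

The two-condition rule is the design choice worth noting: denying on the phrase alone would block legitimate one-to-one mail, and denying on recipient count alone would block the useful reply-all the post says it uses for work.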
I sometimes post my thoughts on major games I've played recently, and I notice I hadn't said boo about WoW: Mists of Pandaria. I may as well say something!
I had taken quite a break from WoW last November when Skyrim, SWTOR, and D3 all hit in succession. And by break I mean, hadn't logged in at all. But I'm back with MoP and enjoying WoW for what it is: a well-polished and solid game/experience. I play plenty, but I long ago put the raiding behind me (pre-Wrath, in fact), so my time is just leisure time spent gaming. That said, I tend to just do fun things with my guild and other relatively autonomous things like running 5-man Heroics and such. I have 5 toons at 85-90 (Shaman and DK are 90), a Druid sitting at 60, and a Monk in his 40s. I prefer healing/tanking over DPS (my only true DPSer is a Warlock), but when solo-questing I'll of course offspec as DPS.
The Farmville/Cooking Timesink - I'm one of those players who *tends* to max professions when it is practical (primaries yes, cooking usually, fishing sometimes, archeology not a chance). So it is a bit annoying at how convoluted the whole MoP cooking progress is with its 89 dailies and such. Bleh. Thumbs down.
Mess of a Skill/Talent System - In short, the talent/skill system is a mess. You have spells in a spellbook, more stuff in a glyph system that feels more like a tumor than a valuable feature, and a talent system in another spot. This makes organizing what you do and who you are a mess. The old system was just fine where you spend points. The D3 system was brilliant because it made multiple builds viable rather than just one "acceptable" build. But the MoP system is still fraught with "if you're this class, you still need to pick things this way." For most classes, the playstyle has changed almost not at all since Cataclysm (which is good for some classes!), so the net change is just annoyance. Likewise, leveling a new character is not as satisfying when you don't get points to spend but for every 15 levels, and instead things are just handed to you on a platter. Boo to that. Like I said, I get the changes and what Blizz kinda wants to do (allow for multiple playstyles even if you play the same class as someone else), but the talents and glyphs usually don't allow it. For instance, all healer Shaman will basically pick the same talents, because the other choices are for PVP or for the other builds.
5-man Heroics are Too Easy - Last night my 85 Disc Priest healed an 87 Fury tank through the starter normal 5-man with no issues and me rusty as all get-out. These new 5-mans are quick and, dare I say it, easy. Cataclysm 5-mans had character; you needed to execute what you needed to do, usually needed Crowd-Control on trash, and the balance at the start between difficulty and gear was brilliant. MoP 5-man heroics are a joke. There's a few mechanics, but where a mistake in Cata would cost a death, in MoP it costs about 10% health, unless you are standing in something for 15 seconds. I get that there's now Challenge Modes for these, but those are way more difficult for a casual player like me, and you can't just queue for them with other random players. Honestly, Wrath heroics were more interesting and "harder" than MoP heroics, and that's saying something since Wrath heroics were also easy.
Really, even for a casual player like me, I find most of this game is pretty easy these days.
Loot Rolling Table - This table just plain sucks. And I swear I see more asshats rolling on things they shouldn't because of it. I just want to see the queued choices easily before I make my pick, and not in a window that keeps changing on me.
Female Pandas have Fox Tails - Not all of them, but the option is there. It's telling, though, that almost every single female panda in the starter zone has a normal panda nub of a tail. The fox tail is just stupid.
Grinding Dailies for Rep - Never been a fan of these; really loved when I could wear tabards in dungeons to earn rep automatically, since those are fun. MoP? Nope, I have to grind rep by doing endless dailies. Boring and annoying. (It's hard for me to get too down on it though, being from Classic I remember old school Timbermaw and Winterspring rep grinding and even Aldor/Scryer grinding in BC...)
Story Moments are a bit Sappy/Obvious - The underlying story and underlying evil of MoP is this bad spirit that awakens because the Alliance and Horde "find" Pandaria and, as they are wont to do, start fighting with each other. It's ham-fisted and obvious that the point of the expansion is to exaggerate the silly hostility between Alliance and Horde, point out how that bad karma fuels this underlying evil spirit (Sha), and how there should be middle ground, blah blah. A fundamental concept (and poignant in an election year) but it just feels a bit childish, ya know? Simple. And it's not even fully fleshed out yet in the game progress...
The Game - First of all, having played SWTOR and even some GW2 in the past year, I appreciate all the things Blizzard does right with WoW, which is really most everything. It's a solid piece of work and worth the money I pay for it. The game looks great, plays great, and so on. Also, the voice acting is excellent; not SWTOR-quality, but good.
LFG/LFR - The Looking For Raid tool came out just as I was taking my break from WoW, so I never got to use it. I still haven't used it since I'm skeered (ok, it's on the plan this weekend), but the idea that I can casually queue for a raid (as well as 5-mans) is absolutely awesome. It might not be as smooth and fair and awesome as a guild raid, but at least this is on MY time and not making me a SLAVE to someone else's time. Win. (This option is one of the 3 things that crippled SWTOR.)
Pandas are Cute but the Game Didn't Dumb Down - When pandas were announced for MoP, fans decried Blizzard for selling out to be more family-friendly. Yes, they're cuter, but I'm happy that I don't feel like I'm playing a game trying to attract kids. It has its dark moments and still has its dark humor, so I really *mostly* feel like I'm playing the same game I have been all this time. There are a few exceptions, but they're fleeting moments.
Transmog - I know, Transmog came out just before I took my break, but it's a game-changer to me. Transmogrification allows me to change any piece of gear I own to visually look like another piece of gear that I own. This means that armor set I earned 4 years ago raiding, while it is outdated and I can't wear it and be a viable player today, I can make my current gear LOOK exactly like it. I've always said since BC that our gear will always be replaced and improved; the happiness is just in how badass you look in the moment. And now my toon can look relatively unique compared to others. (Especially since my Priest still has Benediction, which is no longer attainable.) This means I can also casually spend my time...
Old Raids Are Easy - Many old raids and 5-mans (and achievements) are now soloable or duoable. In fact, most everything pre-Cata should be duoable. Last weekend I sent my 90 DK into Gruul, Mag, TK, Hyjal, and BT and solo'd every boss. This is great to gather up some gear to transmog and look cool. (Nope, didn't do SSC because it has some tricky parts and I only ever went through it a few times at level, so I don't really know it.)
Class Playstyles - Despite the messy skill/talent system, the classes still play solidly, though that is more due to changes in Cataclysm than in MoP, but it's to MoP's credit that many didn't change. My Shaman heals the same (though Telluric Currents returns less mana now). My Disc priest plays the same (though I miss the mana regen). My Blood DK mostly plays the same (less button-mashing). Prot Warrior plays the same. Warlock...ahh the warlock is my biggest changer and he's lost his long-time staple Shadow Bolt, but at least as Affliction there is no getting away from the DoT mania. I'll miss the SB but I appreciate that he's truly differentiated now. In fact, all three trees are tightened up a lot to play differently. Nice.
Pet Battles - Yeah, not everyone thinks these are worthwhile, but it's really fun and cool and interesting. Thumbs up to the throwback Warcraft 1 & 2 music. I've never played Pokemon, which is a bit of a travesty since I grew up with and loved and still love turn-based RPGs, so turn-based combat is a nice addition. I've not wasted much time in it (and make no mistake, it's a time-waster!), but it is nice to know I have that to do if I want.
Population Sharing - I didn't really think of it as a problem, but Blizzard implemented a way of getting players from different servers to be able to play in otherwise low-populated zones together. This means rather than leveling a character and being utterly lonely in Silithus, you probably will now run into plenty of other players leveling or hanging out in Silithus on other servers. That's kinda neat to help out or just to socialize. Like I said, didn't think it was an issue, but you do notice it now.
by michael 11.07.12 at 1:45 PM in /general
Tavis Ormandy and Sophos are being mentioned again in the same headlines, particularly for Tavis releasing a security report on Sophos Antivirus [pdf], a Sophos response, and a CSO.com posting dropping the, "says the product should be kept away from high value information systems."
Whew! There's never any winning in situations like this. Either a company patches too quickly and recklessly, or patches too slow, with "slow" being an entirely subjective term. Software has bugs and shouldn't be trusted as secure, yet all software has issues eventually. Response is the key, but again we dive into subjective terms.
Either way, consumers benefit from the knowledge being out there and progress being made, both from researchers poking at systems and companies improving because of it. I think it's a bit melodramatic to suggest for others to not use a product, but that's an opinion that can be weighed along with one's own risk judgement.
by michael 11.07.12 at 9:39 AM in /general
My lunch routine is pretty standard and well-known. I go to a Barnes & Noble and pick up a latte over lunch and read magazines that I don't purchase. I've literally done this for years. Clearly I'm a store member and carry a card which I swipe every day for 10% off.
A few weeks ago I took immediate note of the missing card swipe device on the counter and asked if someone had broken their swiper. I got the response that HQ had come in and pulled them all off. Being the savvy person that I am, bells went off, I tuned them down, and went about my business.
As I'm catching up with security news today, sure enough I see word that B&N suffered a POS security breach.
Every day that went by without the POS device at the store(s), was further indication that something bad went down and it wasn't just an upgrade/replacement or glitch.
(Of note, like a good security geek, I don't use credit cards willy-nilly, especially for tiny purchases like a latte; I'm all about cash for anything but huge purchases, so I wasn't even at high risk of this.)
These breaches always make me curious and I always have the same round of questions that will never be answered, because no one shares the information, not even in professional circles.
1. What did the attack consist of? Taking apart and adding something to the POS device? Skimmer over top? Code update?
2. Only 1 compromised device in each of 63 stores? Why only 1? Did the device/attack store up credit card info? Did it beam it out realtime via an Internet connection? Did it have access to penetrate the internal network/databases?
3. 63 stores affected in varied major metros. Sounds custom and targeted.
4. How did B&N find out about this? Someone else bring it to their attention? Monitoring? Why or why not?
These are questions not intended to cause legal issues or backpedaling or lay blame. They're more about learning from mistakes so that I can be better informed and do a better job in my own security endeavors. PCI Guru has a nice follow-up piece.
by michael 10.30.12 at 10:49 AM in /general
(Yes, the title makes me feel dirty as well, for using 'cyber...') I've been waiting on this case with PATCO Construction v Peoples United Bank to offer up some resolution for a while now, since I think it may set some important precedents. Alan Shimel weighed in earlier this month on it, particularly on the topic of individual accountability. (Disclaimer: I didn't listen to the audio accompaniment.)
Toward the end, I was struck by:
Perhaps having breach insurance is the prudent, responsible business way to handle this? Does your organization even have breach insurance? Breach insurance is one way of managing your risk, but all it can do is replace money lost. Some breaches are hard to put a price tag on.
I can understand the PATCO situation, or maybe even the bank's situation. But in the other example offered in the post, that of Wyndham Hotels and Resorts losing customer credit card information, how does insurance help those whose data is lost by a third party? Does it pay for credit monitoring (nearly useless)? Does it repay with gift cards that can be spent only with the negligent party (ridiculous)? I don't think having a safety net is necessarily a solution for all parties involved. In fact, insurance may allow business to take less responsibility since it'll just get a payout.
Ultimately, the idea of taking responsibility for security is a good one, but it cuts contrary to how the culture of America has evolved in the last 50 years to blame everyone else for anything that goes wrong.
by michael 10.30.12 at 10:30 AM in /general
The Chief Monkey (honestly, I never know how to address him) has a great post up, How Your #Naked Pictures Ended Up on the Internet. The post illustrates a few key things.
1) Security question weaknesses.
2) You *are* sharing your information with others.
3) You *are not* just keeping files secret on only your phone.
4) You can't trust other services/people, de facto. You have to put some thought into it.
5) What gets on the Internet and is tied to your name/identity, will haunt you.
6) Facebook is a great place to stalk people.
7) All of these weaknesses are borne out of making things easier for you, the user.
8) Staying safe and secure and yet still using all these technologies and services *requires* work.
As a warm-blooded guy who has internet access, I can attest to the uptick in porn sites featuring what are obviously pilfered personal pics from phones.
At some point, digital picture facial recognition is going to both help (to find out who people are to warn them) and explode (tie bad pics to your name forever) this problem.
by michael 10.17.12 at 2:34 PM in /general
Bopping through Lifehacker articles, I found a gem speaking to interview questions: "The Interview Question That's Always Asked and How to Nail it."
(Ironically, Lifehacker has so much noise in its rss feed, I really feel only 1 in 100 articles is worth clicking into...)
When I first looked for a job after college, I would really have nothing to say after being asked, "Do you have any questions for us?"
I usually didn't. I didn't know what I liked, what I wanted, what was out there, or what to even ask. I had such little experience, that I didn't know what I didn't know!
These days I know better and use that question to my benefit. It lets me fill in gaps in my knowledge of the company, open questions on why I should work there, whether I'd like the job/people, and demonstrate a bit of interest in the position without sounding like a jerk. Truly, I'm not usually looking to get in good with the interviewer and demonstrate that I'm a critical thinker or something, but really there are always questions about the job, company, manager, people, and expectations such that they should be asked before making such a big decision as a job opp.
The article itself has a few suggestions, two of which I've used regularly in the past: "What is the immediate need on your team that you are hoping to fill with this position?" and "How would you describe a typical day on this team?"
by michael 08.22.12 at 9:56 AM in /general
I only realized/found out today that World of Warcraft's next expansion, Mists of Pandaria (MoP), is set to be released in late September. That seems pretty quick. My gaming situation is a bit stagnant at the moment where I'm really only playing a few games, and not as much of them as even I'd like. I went from WoW casual to Skyrim when it released, and then Star Wars The Old Republic (SWTOR) when it released, and then Diablo 3 when it released. I've really not gone back to any of them since. I've only moonlighted in a few other games, and my XBox Live account has probably lapsed since I last logged in; I'm just not in front of my television at all (have not watched television in about 10 years, so it's just movies and gaming).
Diablo 3, unfortunately, is just not the same crack it used to be. I mentioned my thoughts previously, and I think the points all still stand. The one exception is that I just don't think the loot is quite the same for a variety of really small reasons that add up in the end. I have not had a single set piece drop. I've seen 3 uniques. The rares (yellows) are just random names with random stats, most of which I don't want so it's trash. None of the gear seems memorable enough, and doesn't drop quite enough to justify further grinds just for it. I think I might ultimately blame the Auction House (AH) for that. Also, after years of social FPS and MMO games, D3 just isn't that social and the attempts it has made just aren't that compelling. I don't know how you fix that, since D2 really was similar. As it is, I have a few toons, my Wizard is level 60 and basically bogged down near the end of Act 2 Inferno (I don't expect to have an easy time of it with the end boss, so I've just drifted away).
TL;DR: Diablo 3 isn't really beckoning me to play it unless it's with a few friends in coop.
SWTOR is a great game with great stories and I really like the gameplay. The problem is still twofold as I've mentioned from launch: underpopulated servers and lack of Looking For Group (LFG) tools. LFG is coming in the next major patch, but it's really freakin' late. I should get back to this game, but it would just to achieve the bragging rights of finishing my Smuggler's story arc and getting the last few levels to 50. The social part of SWTOR just never hooked me, though that's hard to do when you don't raid or care much for guild affiliations anymore.
WoW MoP will get me back to WoW, but I'm not sure if that will be lasting. The content doesn't much excite me, but the biggest draw of WoW has always been the guild/social factor, as well as catering to both hardcore players and casual players. I've been in both boats, and I have exceedingly fond memories of both, but I really love the idea of just wasting time with virtual friends in a casual manner.
Skyrim. It has its faults and it's strictly single player, but of all the games I've played in the last year, I think Skyrim is the one that beckons me the hardest to get back into. It's huge, long, varied, fun, and deep. I just feel a bit lonely when I play (single player), and sometimes you hit walls that are frustrating (killing a priest/dragon combo as a thief-type is maddening). But it's a beautiful game.
Hopefully MoP is fun and hopefully Elder Scrolls Online is Skyrim+social MMO, which would be amazing. SWTOR did most everything right, in my opinion, but two glaring issues really have held it back (and some smaller ones that were actually fixed in earlier patches).
by michael 08.04.12 at 12:13 PM in /general