Security Balance » Uncategorized

Helpdesk, a very good start to shape your mindset

apbarros — Tue, 19 May 2009 15:22:55 +0000

Should the Helpdesk be a Mandatory Start for an IT Career?

For
anyone who has worked in a “front line” customer facing telephone
support role, the answer is almost always am emphatic “YES”. I tend to
agree with my colleagues for one simple reason – embitterment helps you succeed.

Why do I think IT folks need to have a sprinkle of bitterness be in
this field? The fact is that IT, like roadkill removal, is truly a
thankless job. Sure, guidance counselors, parents, and the media will
all tell you that “Computers are the way to go” for a good salary,
benefits, and career advancement. The problem with that mentality is
that it’s not the mid-1980’s anymore. More and more jobs are being
moved to parts of the world where wages are lower and, to be perfectly
frank, people are willing to do the crappy jobs that North Americans
think are beneath them.

To be clear, I’m not saying that working in IT is the hardest, or
worst, job around. IT workers are taken for granted, much like the
aforementioned roadkill removal worker. Most people enjoy driving to
work on a road free from dead animals. When an animal gets run over and
left for dead, the roadkill removal person is dispatched to “dispose”
of the remains. When was the last time you sent a “thank you” card to
your roadkill removal person? To that end, when was the last time you
sent a “thank you” card to a member of your IT department? Show of
hands?

Now let’s jump back to my original topic with a metaphor: an IT
career is like a human body and, in order for your career to live a
long and healthy life, you need a nice thick layer of skin to protect
you from infection. The “infection” in this metaphor referrers to the
emotional challenges that every IT professional experiences during
their career. In order for IT personnel to adequately quote with the
critical thinking required to overcome most IT related challenges, a
“thick skin” is a requirement — one that I believe should show up on
most job postings.

Working on the front lines of an IT organization let’s you
experience what it’s like to sympathize, and empathize, with those who
are having the problems. It lets you develop valuable customer service
and communications skills while you work towards making the customer
happy. Along the way you’ll have numerous bad experiences which will
serve as lessons that you can use to make yourself a better person.

No matter what role you hold within an organization, you have
customers to answer to. This is something that working the front lines
forces you to remember. Good or bad, working in the trenches teaches
you valuable life lessons that will only help you grow as an IT
professional.

The help desk is the best place to see how those incredibly nice projects fail, cause problems or are twisted to be used for different purposes (and bringing different risks). Working there for some time will help to create that “wait a minute, this will cause issues” mindset that is so valuable for the security professional.

RSA so far

apbarros — Wed, 22 Apr 2009 20:04:01 +0000

So, trying to do a quick review of the first day:

Nothing really special from the keynotes. Funny to see that some people complained about Scott Charney, from Microsoft, doing a “vendor presentation”. Actually I found his presentation better than the others (RSA, Symantec), as he didn’t try to hide the fact he was talking about the roadmap of his products. I really don’t like those vendor presentations where they show the current challenges exactly in the way that their last product is the perfect fit. Charney at least was honest about what he was showing.

The best session, as usual, was the Cryptographers panel. I was happy to hear their concerns about “Black Swans”. Bruce Schneier also mentioned his studies on Security Psychology. What I’d want to see now is how these things affect our current risk management methodologies.

After that, I watched some technical presentations, one of those about the new edition of “Hacking Exposed”. Nothing really new there.

Stephan Chenette, from Websense, talked about script fragmentation attacks. Basically, javascript code being transfered in very small chunks through AJAX to evade detection, mostly by Web filters. The attack relies on code that will pull those small chunks and reassembly the exploit in order to execute it, what he called the “decoder”. I think that one of the challenges of this attack is to avoid the detection of the decoder. Even if code from “non-malicious” libraries is used, I think there’s still room for detection based on “decoder behaviour”. An interesting part was when he mentioned cross-domain transfers to get the exploit, there are endless possibilities to explore in that direction. Decored could find (and grab) the exploit pieces through Google searches, and those pieces could be inserted in apparently innocent comments on blogs and social networks. A lot of room to explore here.

After that I went to see some of my favorite security bloggers on the “security groundhog day panel”, hosted by Mike Rothman. Some good discussions about PCI, cloud computing and compliance. It gave some ideas to write about these subjects, I’ll try do it after the conference. Best quote from the conference until now was from Rich Mogull, “you need to know your own business”. Dead right.

After that, Jeremiah Grossman presenting the “top 10″ attacks. Nice, but I could have just read the paper and used that slot for another presentation.

And day one was over. To be honest, nothing really special until now. Let’s see if I can see something nice on the expo booths.

RSA

apbarros — Tue, 21 Apr 2009 14:29:55 +0000

OK, a bit late, but here I am. I’ve just found time to write about RSA now, 40 minutes before the first keynote. I’m really curious about how the conference will look like after all this economic rollercoaster we’ve been through.

It’s also my first time as “press”. That makes me feel a little more obligated to blog about it, so I’ll try to put my impressions about the sessions I attend. Let the show begin!

(and hey, if you are here and want to meet, just drop me a line on my email (augusto at -blog-url) or Twitter (@apbarros).

April Fools stories

apbarros — Wed, 01 Apr 2009 16:14:33 +0000

Some are coming, some good, some not that much. Isn’t it a funny day?

CADIE – Cognitive Autoheuristic Distributed-Intelligence Entity

Conficket doomsday

Lynx is coming back!

The Guardian switching to Twitter

ASS certification

Mastering “cat”

more to come

About Sao Paulo

apbarros — Thu, 26 Feb 2009 20:41:19 +0000

This is a security blog, and I rarely go off-topic here, as I maintain an “other stuff blog” too. However, I wrote the stuff below to someone who is in Sao Paulo (Brazil, for those who failed in Geography and are not aware of an almost 20 million people city in South America) and asked about what to do in the city. As this is the “English” blog I think it may be more useful to this audience that the audience of the other blog, so, here it is.

[About the fences and electrified wires around fancy houses] You see, when you start to think that all those fences, armed guards and armored cars are something normal, you’re definitely not in the right place! Not only that, but you’ll notice that’s too much traffic, too much noise and too much dirty. Having said that, I don’t know a better place in the world to eat!

Sao Paulo has three areas that can be compared to Toronto Bay Street. There is the “old” one, Avenida Paulista, that is maybe the most known landscape of the city. But most of the big companies now are in two new areas close to the Pinheiros river, Avenida Faria Lima (the “fancy part of the city”) and Avenida Berrini (mostly technology companies, Microsoft, HP, etc). There is a new cable sustained bridge (“ponte estaiada”) at this region that is the newest landmark of the city.

I really love the Ibirapuera park, I used to live very close. It’s a nice place to walk around in a Saturday morning. Avoid the Sunday as it’s usually too crowded. I miss early morning running there.

I like the old city centre. There are some (not very well maintained) nice old buildings, like the old city theatre. There is the place were the city was founded, a small jesuit church, the Vale do Anhangabau place (nice, but not very clean too) and the Sao Bento church (Gothic style, I really like this one).

As I said, SP is the food paradise for me. You should try the pizza, I don’t know a better one. Some places to go:

- Mercado Municipal – The equivalent of St. Lawrence market. Try the Mortadela sandwich.

- Pizza – “Quintal do Braz” or just “Braz” – Quintal do Braz is a very fancy pizza restaurant, don’t try it on Sundays, the waiting line is above an hour.

- Italian food – Sao Paulo received lots of Italian immigrants on the 19th century. I think SP Italian food is better than Italy, but you need to go to the smaller restaurants. I suggest:

- Café Toscano – Av. Moema, 444 – Moema neighbourhood (good call after a walk in Ibirapuera park)

- La Trattoria – Rua. Antonio Bicudo, 50 – Pinheiros neighbourhood (after lunch there you can stop on Vila Madalena bars, nice place for “people watching”)

- Innominato Osteria – Rua Joinville, 861 – Vila Mariana neighbourhood (I used to have dinner there on Fridays, I lived two blocks away there)

- Barbecue (Churrasco): Has anybody introduced you to Brazilian churrascarias? You will find the best there! For the best, go to “Fogo de Chão” (expensive – around 50 dollars). There are others that are almost as good as that, like “Montana Grill” (Av. Juscelino Kubitschek, 817), that are not as expensive. That can be considered “Brazilian food”.

- Feijoada (black beans): The most famous Brazilian food, you can find in lots of restaurants for Saturday lunch. There’s a place close to where I used to live (Vila Mariana) that has a very good feijoada, some old school SP samba (called “chorinho”, ten thousand times better than current samba music) and very good “chopp” (draft beer). Only on Saturday lunch time, the place is called Genuino (Rua. Joaquim Tavora, 1217).

There is also ”Terraço Itália”. It’s something like 360 at the CN Tower, as it is on the top of one of the highest buildings in the city, and right on the city centre. I like it as it gives you a very good perspective of the size of the city.

I wouldn’t be a real paulista (people from SP) without suggesting you to go to some of the Shopping malls People from Rio say that malls are the paulista’s beaches. The most famous one is the “Iguatemi Shopping”, but I also like the “Morumbi Shopping” (good restaurants in the lower floor) and there is a new one that I don’t know yet that seems to be quite fancy, “Shopping Cidade Jardim”.

Well, probably enough for a whole month. Enjoy!

Security videos

apbarros — Wed, 11 Feb 2009 04:36:51 +0000

Today I want to mention the security videos made by Stiennon and company. They shot these four nice pieces below:

I’m extremely late on this and I also believe that most of the readers of this blog also follow the blogs of the participants, but as they are veyr valuable for those that are working with those technologies I thought it would be nice to post the links to them here too. Enjoy!

Best Practices – Even Dilbert know what they mean

Augusto — Wed, 03 Sep 2008 16:09:20 +0000

You can see it here.

So what are the quick wins you can do on security to go beyond best practices? Feedback would be nice.