Oh look: I can post from anywhere. Whee.

I have to say it’s interesting writing a post
from my Blackberry to add to my blog. Particularly since the subway ride from Queens to Wall Street can take about 45 minutes and the majority of the ride is above ground.

It does highlight how having this is both a useful tool as well as a bane. And does make me wonder how much extra info we’re publishing, given the ease with which it can now be published? At one time public transit was a way to meet up with colleagues and talk about the game or kids from the night before. Today, in a car of over 200 people it is silent, save for the silent murmur of iPod-ish music and the occasional bleat from the conductor announcing the next stop.

Even though this has no security risk or sensitive information I keep my Blackberry close to my chest, to avoid the possibility of wandering eyes. My, how we’ve changed. What is yet to be determined is if this change is helping or hindering. What do you think the answer is?

Well..

Ok. So I figured out how to import everything although the formatting leaves a little to be desired. We’ll see how things go from here on in. Should be interesting to say the least.

Sigh..

Well.. I’m going to try to recover the files from the old version of the website. I’m presently in the process of migrating from my old blogging software, Serendipity, to the new one, WordPress. I figure with WordPress I’ll get more options, plug-ins and templates to muck about in. I wish there was an easier way to do the import than manually doing it. 🙁

Edited to add: Archives from the past

Donations???

So on a whim I decided to swallow my pride and try a donations button. I’m hoping that perhaps this might raise a bit of money to either pay off debt or fund top surgery. I figured even if it was a little, it’d be a little more than I had before. In some ways I feel really bad about doing this. I mean, it just highlights how gullible I can be about giving others money or spending a little too much on myself (recently, cigars). I’ve been trying to cut back on both these habits. My book spending is down since I found Paperbackswap.com. It’s a nice option where I can send my books that I won’t read again elsewhere and I can find other books of interest to me, without having to pay for them.

I had also joined Cigarpass.com in hopes of trading some of my cigars with others (so I could try different ones) but haven’t been too successful. I’m limiting myself to buying small packs (known as samplers — they consist of 5 cigars) and ideally, no more than 1-2 packs in a week (1 if there is a two-for-one deal). But I have been making an even bigger effort at paying down credit cards. If I could halve those in about 2 years, I’d be happy. Ideally, I want the cards paid off in 5 years (no later) so I can put that money into a house. I really want to get rid of my cards except for one or two that would be used for items I cannot pay in cash with. And then the cards paid off immediately (as I do with my US Credit card). I may be able to get my top surgery covered under benefits but I’d rather not depend on that. Who knows? Either way, better to ask now and get turned down than not ask at all, eh?
Oh.. and only make a donation if you truly can afford to. I really don’t want others to end up where I am.

Saying goodbye to Mittens

I can’t believe I’m doing this but today I’m booking an appointment to say goodbye to my namesake, Mittens (the appointment is this Tuesday). After 15 years of life, she developed cancer of the mouth. It’s gotten so bad recently that she’s not eating, not grooming and blood is coming out of her mouth. This has been the hardest decision I’ve ever had to make because sometimes one wonders whether it’s time. I do know it is because well, she’s not happy no matter how much she tries. It always amazes me as to how much animal companions give to us without asking much in return — and give it totally without judgement or much complaining.

But as hard as this decision is, I know it is the right decision for her. So I say goodbye to the kitten who was given to me to help me deal with my mom’s murder and asked nothing more of me than to be loved. Goodbye, little Mittens.

More updating

Well, I have finally moved to the US. It is a challenging process, particularly given the current climate of things and in some ways understandable. But at the same time I wonder if the over-indulgence of security by the US is more detrimental than helpful. Because of the extreme strictness that the US CIS agents take when applying for a visa, many legitimate individuals are rejected depending on the mood of the agent rather than on the legitimacy of the claim. As a result, many businesses are losing money because of this stance. I am very lucky to have a company that supports me and has helped me to obtain the necessary documentation to exist and work here legitimately. I have a few plans for the future as a result.

I am contemplating taking (online through DeVry) a bachelor's/master's degree in computer forensics, ideally seeing if I can tie it in with virtualization (there is little to no work on how the legal process will accept or not accept incidents on a virtualized platform). Additionally, once my "stuff" is moved down here (I'm in NYC now), I should be able to get back on my bike. I will be going back to working out and such probably come January (too many trips in Dec to justify getting the membership just yet at the local gym). With life being settled and returning to a routine I expect I'll be able to focus once again on security and cycling.

There's hope for me yet, eh? ;-)

The Update finally..

Well this update has been a long time in coming. Fair warning, it's probably more personal than some might like. You've been warned.

A lot of things have changed so perhaps it's finally time to do some explaining. To do this, I'll use a timeline:

October 2005: I get a job offer from a company in Burlington. I enjoy working for my company. Over the summer of 2005 I did a lot of thinking and came to the conclusion that my personal life wasn't going anywhere that was of benefit for either of us. I had also come to the conclusion that what I desired wasn't necessarily what I had. It was no reflection of my partner at the time but a reflection of myself and where I really needed to be. At the time we broke up I decided to pursue something I had considered but never did: women.

I did have a year long relationship with one woman and it was a hard — on me — breakup but it was for the best. At the least, I learned that I'm far happier with women than men. As a result, I've changed my sexual orientation. For all my life, I've considered myself bi but I have found more happiness with women than men recently and a greater connection.

November 2006: I met the woman I'm seeing now. While a long distance relationship is hard, there are advantages to it — notably the ability for me to look after myself and have a bit of freedom on the side. I feel comfortable enough to move in with her. Which brings us to the present.

May/June 2007: As I continue to explore who I am and where I'm going, I've discovered that some things just aren't as available in Canada as they are in the US. As such, I contemplated moving to one of two cities: San Francisco or New York. I found out, as of yesterday, that I will be formally accepted into another position within the company I'm with and am expected to be in NYC by Labour Day weekend. It's all been a rather exciting and interesting journey. I have been trying to continue my cycling and writing here but have been slacking off to write in my other blog (see links if you want to read — fair warning: I don't shy away from anything in it). I'm hoping that once this move is done at the end of the summer, that it will be the last move for a while. I don't know if the cats can handle too many more moves.

Anyways, I will try to continue this blog, maybe adding some insights into how best to manage a virtualized environment. ;-)

An update of sorts

Hrmm.. it has been a while since I've updated this page. I will probably be doing some updates soon as my life has changed considerably in the last 6 months, let alone the last year and a half. I have gone in a different direction in regards to my own personal endeavours, particularly in regards to my sexual orientation and gender orientation. And, as far as work is concerned, that may be changing soon, and with it — a change in venue. Once things have been firmed up and finalized, I will post here all the details necessary. I am still cycling albeit not as much as previous years. This year bodes to be hot so likely I will be on the road more to enjoy the heat (go figure, a Canuck who likes hotter weather).

So stay tuned for updates. :-)

Secure Desktops = Happy Networks

Last month I talked about some basic concepts that seem to be falling by the wayside, specifically <a href="http://www.enterpriseitplanet.com/security/features/article.php/3633461">performing backups and having a test environment</a> to ensure that updates, patches and other roll-outs are sufficiently vetted. This month I’d like to discuss two other basic concepts that seem to have fallen by the wayside of late: password strength and lockouts, as well as standardized desktops.

These aren’t new concepts and yet people still haven’t figured out how to best implement them. Lockouts are straightforward. After a certain number of attempts – usually 3 or 5 – lock the account from further attempts.

People have forgotten about things like wardialing. This activity doesn’t happen as often due to the lack of modems in use (although some still use them and are susceptible to this kind of attack). But variants of it, such as wardriving and account dictionary attacks, still occur on the physical networks of today.

<h4>Tough Nut to Crack</h4>

For Windows systems, this kind of attack can easily be prevented by enabling account lockouts. Active Directory can be used to enable this easily. The use of security policies through the security configuration editor (SCE) can enforce this across your whole domain with little fuss.

For many Linux and Unix systems, you can use PAM (pluggable authentication modules) to enforce lockout after too many attempts. Adding two lines like the following to /etc/pam.d/system-auth will lock out the account.

<code>auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root</code>

This line keeps track of each failed login and failed su attempt for each user. This information is normally stored in /var/log/faillog (unless you redirect it to a different location).

<code>account required /lib/security/$ISA/pam_tally.so per_user deny=5 no_magic_root reset</code>

This second line is the one that specifically locks out the account after 5 attempts. If the user successfully logs in before hitting the magic number 5, the counter resets. The per_user option helps avoid locking out system accounts after too many tries, because it tells PAM to ignore deny=n on accounts where the maximum number of login failures has been set specifically.

You can specify this for the GUI interface and system-specific accounts (e.g., FTP, mail, etc.) in addition to regular user accounts. Other areas that could be locked down specifically include /etc/pam.d/sshd or /etc/pam.d/login.

As a side note, $ISA is Instruction Set Architecture. This variable exists to allow both 32-bit and 64-bit applications to take advantage of PAM.
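To make the lockout rules concrete, here is an added example that models the per-user counter those two configuration lines set up. It is not pam_tally's code and is not from the article; it reproduces the effect of deny=N, reset on a successful login, the per_user override for accounts that carry their own limit, and no_magic_root (root's failures are tallied like everyone else's). The account names, uids and the sequence of attempts are constructed. Current Linux-PAM ships pam_faillock in place of pam_tally; the option names differ, but the counting idea is the same.

```python
"""Model of the per-user failure tally described above (added example).

This is NOT pam_tally's source; it reproduces the effect of the options used in
the article's two configuration lines so the rules can be traced on a
constructed sequence of login attempts:

  deny=N         refuse the account once N failures have been tallied
  reset          clear the tally on a successful login
  per_user       honour an account-specific limit (0 = never lock) instead of deny=N
  no_magic_root  tally root's failures like everyone else's (magic_root would skip them)
"""
from dataclasses import dataclass, field

ROOT_UID = 0


@dataclass
class Tally:
    deny: int = 5
    reset_on_success: bool = True
    per_user: bool = True
    no_magic_root: bool = True
    # Constructed stand-in for the per-user maximum stored in the faillog record.
    per_user_limits: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)

    def limit_for(self, user: str) -> int:
        """deny=N unless per_user is set and this account has its own maximum."""
        if self.per_user and user in self.per_user_limits:
            return self.per_user_limits[user]
        return self.deny

    def is_locked(self, user: str, uid: int) -> bool:
        """The 'account' phase: refuse if the tally has reached the limit."""
        if uid == ROOT_UID and not self.no_magic_root:
            return False  # magic_root: root is never counted, so never locked
        limit = self.limit_for(user)
        return limit > 0 and self.failures.get(user, 0) >= limit

    def attempt(self, user: str, uid: int, password_ok: bool) -> str:
        """One login attempt. Returns 'denied', 'ok' or 'failed'."""
        if self.is_locked(user, uid):
            return "denied"  # a locked account is refused even with the right password
        if password_ok:
            if self.reset_on_success:
                self.failures[user] = 0
            return "ok"
        if uid == ROOT_UID and not self.no_magic_root:
            return "failed"  # wrong password, but not tallied for root under magic_root
        self.failures[user] = self.failures.get(user, 0) + 1  # the 'auth' phase
        return "failed"


def replay(tally: Tally, attempts) -> list:
    """Run a sequence of (user, uid, password_ok) attempts and collect the outcomes."""
    return [tally.attempt(user, uid, ok) for user, uid, ok in attempts]


if __name__ == "__main__":
    # Constructed attempt log: alice guesses wrong five times, then gets it right.
    t = Tally(deny=5, per_user_limits={"ftp": 0})  # ftp carries its own limit of 0: never lock
    log = [("alice", 1000, False)] * 5 + [("alice", 1000, True)]
    print(replay(t, log))  # ['failed', 'failed', 'failed', 'failed', 'failed', 'denied']
    print(replay(t, [("ftp", 14, False)] * 7 + [("ftp", 14, True)])[-1])  # ok
```

The sixth attempt by alice is refused even though the password is right, which is exactly the behaviour that catches a dictionary attack: once the tally reaches deny=5 the account phase refuses before the password is ever compared. The ftp account shows what per_user buys you: a system account given its own limit of 0 in the faillog record is never locked, so an automated service cannot be knocked offline by someone hammering its login.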
<br />
In addition, the use of a minimum password length and a certain amount of complexity helps secure an account from attack. Some administrators are still under the delusion that 8 characters is sufficient strength for passwords.

It's not.

Let's start with the obvious: get rid of those dictionary passwords. That is, we still see basic words used to protect our important assets, namely user accounts on the network. Surveys of password usage have historically shown that “password,” “letmein” and blank remain the top picks for passwords. Perhaps attempting to perform regular “cracking” of company passwords — under company approval, of course — would help eliminate those.

Now the question becomes: how long should good passwords be?

Today's standard should be at least 12 different characters (i.e., lower and upper case characters, digits and special characters). The challenge remains how to get users to remember these. One idea that Microsoft put forward — yes, even they have good ideas now and again — was the use of whole phrases. A password of “The answer to security is 42!” is far stronger than “password”. We need regular reminders to users about how to create good passwords, that they should change their password regularly and that their password will be challenged regularly to verify strength.
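As an added example, not from the article, here is a small policy checker that applies the rules above as I read them: reject dictionary and blank passwords, require 12 or more characters and a mix of character classes, and estimate the brute-force search space so the two passwords the author compares can be put side by side. The wordlist is a constructed stand-in, and the three-of-four-classes threshold is my assumption about what "12 different characters (i.e., lower and upper case characters, digits and special characters)" asks for.

```python
"""Password policy check for the rules in the text (added example, not the article's code).

Policy as interpreted here (an assumption about the author's wording):
  * reject dictionary / well-known passwords, including a blank password
  * require at least 12 characters
  * require a mix of classes: at least three of lower, upper, digit, special
A brute-force size estimate is included to compare "password" with the
passphrase "The answer to security is 42!".
"""
import math
import string

# Constructed stand-in for a cracking wordlist; a real check would consult a
# full wordlist (cracklib's, for instance) rather than this handful of entries.
COMMON_PASSWORDS = {"", "password", "letmein", "123456", "qwerty", "welcome"}

MIN_LENGTH = 12
MIN_CLASSES = 3


def character_classes(pw: str) -> set:
    """Which of lower/upper/digit/special appear in the password."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")  # punctuation, space, anything else
    return classes


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("dictionary or blank password")
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        problems.append(f"only {len(classes)} character class(es), need {MIN_CLASSES}")
    return problems


def brute_force_bits(pw: str) -> float:
    """Naive search-space size in bits: length * log2(alphabet implied by the classes).

    This is an upper bound. A passphrase built from dictionary words has far
    less real entropy than this number suggests, but it still dwarfs an
    8-character lowercase word.
    """
    pool_sizes = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
    pool = sum(pool_sizes[c] for c in character_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for candidate in ["password", "", "Tr0ub4dor", "The answer to security is 42!"]:
        print(repr(candidate), check_password(candidate), round(brute_force_bits(candidate), 1))
```

"password" fails on all three counts, while the passphrase passes and sits at roughly 190 bits of naive search space against under 40 for the word. Treat the bit count as a comparison tool rather than a promise: a phrase assembled from common words is far weaker than a random 29-character string, which is why the dictionary check and the regular cracking runs the text recommends matter as much as the length rule.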
<br />
<h4>Conformity <u>Is</u> a Good Thing</h4>

The last basic of system security is to ensure that it is set up in accordance with company policy. This means that a user cannot install software, nor can they disable any software that has been installed on the system.

You can use some of the features of Active Directory’s security policy editor, but it would be far more effective to use something like Faronics Deep Freeze Enterprise or VMware’s ACE products. VMware’s ACE is a relatively new product but also provides a good opportunity to lock down the common platform of challenge, namely Windows.

Deep Freeze’s legacy, however, is in protecting school systems, and it has evolved into a robust and viable enterprise product. Given that they had to prevent curious young minds from compromising their software, it actually bodes well as to how secure the product is. What’s even more impressive is that it now supports OS X, and it appears that Faronics is looking toward Linux as its next platform.

Nonetheless, the importance of standardizing desktops seems to be lost on many. Remember, as long as everyone has the same desktop it’s easier to troubleshoot and sort out issues. This can help ensure faster ticket resolution should a problem crop up.

This is one of the reasons why many companies choose a specific vendor and purchase desktops, laptops and servers en masse. It’s easier to find problems when you know what and where to look for them. Additionally, using tools like ACE or Deep Freeze means that users are less able and less likely to install “malware” or other nasties on your network.

So save yourself some time and headaches by dealing with the basics. This will mean more opportunity to do the important things, like get in a game of Lego Star Wars II. May the force be with you.

<h4>Resources:</h4>

<h4>Get to know PAM</h4>

<a href="http://www.faqs.org/docs/Linux-HOWTO/User-Authentication-HOWTO.html">User Authentication HOW-TO</a>

<a href="http://www.puschitz.com/SecuringLinux.shtml">Linux Security and System Hardening</a>

<h4>Securing Desktops</h4>

<a href="http://www.faronics.com/html/deepfreeze.asp">Faronics Deep Freeze</a>

<a href="http://www.faronics.com/html/DFLinux.asp">Faronics Linux sign-up</a>

<a href="http://www.vmware.com/products/ace/">VMware ACE</a>

Oh.. couple of updates

I've decided to revert back to allowing comments again. We'll see how that goes. And I think I found a doctor. A new practice is opening down on my street and I'll be going for an "interview" to see if they will take me on as a patient. Interesting process to say the least. :-P