[ale] Bobness and Jonathanness (and some PHP)

Jeff Hubbs hbbs at attbi.com
Wed Feb 12 23:06:12 EST 2003


"Bobness Johnson is right."

What Bob is describing is right on the money.  If computer/network
security is what you want to do, then it's going to take surgeon-level
skill to really be effective.  You have to know at least as much as the
attackers or at least the kiddie scripts that are run.

I've dealt hands-on and elbow-deep with computer and network security
since 1988, but there are depths to which I have not gone and I know
when it's time to hand the issues over to people who really, really know
what they're doing.

What I see in industry is that IT decision-makers throw a huge "Hail
Mary" and, instead of handing security issues down to a progressively
smarter series of people (I'm oversimplifying in saying that, I know),
they hand it straight to, oh, Cisco, Microsoft, Linksys, CheckPoint,
McAfee, etc. so that their products become the "experts."  

-Jeff


On Wed, 2003-02-12 at 19:58, Bob Toxen wrote:
> On Tue, Feb 04, 2003 at 05:29:28PM -0500, J.M. Taylor wrote:
> > So how does one pursue Bob- or Jonathanness? :)
> 
> Start by showing up at tomorrow night's Key Signing Party at Emory at
> 7:30, sponsored by ALE and hosted by Mike Warfield.  I'll be there,
> of course.  There will be a giveaway of a Linux mouse pad and several
> Linux stickers, suitable for laptops and desktops.
> 
> 
> Be careful what you wish for and understand your goals and reasons.  The
> glamour of computer security that the media portrays is fantasy.
> I consider computer security to be far closer to what a financial auditor
> does: balancing accounts, finding where that last penny is, etc.  Lots of
> grunt work.  The exciting world of patching weekly and debugging when they
> don't install or don't work.  9 to 5 job?  Forget it.
> 
> My pager goes off at all times of the night and weekend notifying me of
> attacks on my clients' networks.  My clients will call at any time too.
> Plan on it making a very large cut into your personal life for a long time.
> Remember that a firewall is a critical piece of infrastructure.  When it
> is down (or seems to be down), it's a "drop everything" emergency.  If
> Office A cannot get to Office B, "Better call Bob, it may be a firewall
> issue."  Most recently it was a Laptop with a flaky NIC that worked when
> it was sent back to the factory for repair.
> 
> Plan on balancing security against functionality and convenience.  Too
> little of the latter and your users will try to get you fired.  Allow
> too little security so that you get broken into and your boss will try
> to get you fired.
> 
> For Computer Security, plan on spending literally thousands of hours of
> your own time learning it.  Plan on becoming an EXPERT on networking
> and network protocols down to the bit level.  When data does not go
> through, everyone from the user to the SysAdmin to the nitwit at all of
> the ISP/telecom providers will blame the problems on you and
> your non-Cisco Firewall.  You will be guilty until proven innocent.
> Plan on knowing how to prove where the problem is.
> 
> 
> I suspect that Mike Warfield and Jonathan will tell similar stories.
> 
> 
> That said, read my book, practice the things discussed for hardening,
> install and learn to use GPG, SSH, Ethereal, tcpdump, arpwatch, set up
> a Linux-based Firewall.
> 
> > I've been a security focused admin and coder for a couple of
> > years...what's the next level?  Certification?  Education?  Annoying
> > questions lobbed at Bob and Jonathan for the rest of my career? ;)
> 
> I consider the certifications to be BS.  I would fail the tests because I
> don't know WinBloz System Administration.  What this has to do with being
> competent to set up Linux-based Firewalls, Virus&spam filters, Routers,
> etc. is beyond me.  (I DO know the M$ protocols, popular programs, and their
> ports and protocols so that I can tune firewall rules.)  Employers and large
> clients will care about certification, though.
> 
> Plan on paying LOTS of dues in terms of time spent.  Is it worth it?
> For money, probably not.  I love doing it and that's my reward.
> 
> Plan on going to KSU's security summit in a few weeks: Feb 24-26.  It's
> only $100 and is quite good.  I'll be there:
> 
>      http://www.southeastcybercrimesummit.com/
> 
> For financial security, learn WinBloz & UNIX SysAdmin.  Know some Perl,
> Bash & csh, and C.
> 
> > jenn
> 
> > >> I'm not a Bob Toxen or a Jonathan Rickman, but I'm working on it. :)
> 
> So am I.  The threats change from day-to-day.
> 
> The world is getting darker.  The Matrix is being re-loaded.
> 
> Bob Toxen
> bob at verysecurelinux.com               [Please use for email to me]
> http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
> http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
> Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
> 
> "Microsoft: Unsafe at any clock speed!"
>    -- Bob Toxen 10/03/2002


_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale