b) Some of the articles are not very realistic. Like I said, try walking into a major financial institution, deploying a security service under tight time-lines where you had to Q/A the big things and hope for the best and telling the client that their major financial services that make them money might experience some issues till the security is figured out and they will just have to deal with it. Doesn’t work. Security is a risk assessment, like crossing the street or buying stocks. If opening port xxx/udp allows a major service to function, there are no known serious vulnerabilities, do you just block it because someone might attack it in someway? Try and sell that to the executives. I have never seen it work successfully and it only damages your reputation as a consultant.

When I was in highschool… we had a print ballance system. The printers were shared on a Novel server which enforced how many printouts it issued. All the printers / servers were fully routeable and I discovered you could print directly to the printers print server and bypass the queues. Effort was spent on preventing the mis-use of the printers when used as expected, but no effort was given to the un-expected use.

In order to work and be in school, I had to be able to administer machines remotely from the school network. What I did was run an SSH server on port 443 on my home network. I would use the mindterm java ssh applet to allow me to tunnel VNC and RDP to whatever I needed access to. Once I even used a reverse tunnel to connect the a local socket on my SSH server to the school printers queue so that I could print my homework from my home machine to the local printer.

What the school needed was a tough writen security policy, a log of all un-expected events and an administrator who looked at the logs and was able to give me hell when he caught me doing things I was not supposed to. They may not have been able to catch my tunneling but they could have tracked my printer misuse and found out the other. I never did anything disruptive… but the only thing that stopped me was my character.

The other day I had a co-worker complain he was not getting my emails… but it was his junk email filter in outlook. Every single email in there (and there were many) were false positives marked as spam.

I just follow up all my emails with a phone call.

What I did in the past when I wanted to confirm read was embed an external image and parse my web server’s logs. I even took it one step further by actually making the external image a server side script (to notify me back). Using mod_rewrite on my server, the regular user just saw a standard looking path to an image in the email’s src. The image I returned would be as simple as a “please dont print this” watermark or something like that. Worked better back in the day… but still works usually now.

The point I was trying to get across in the post was that typically now a days people immediately jump to conclusions when suspect data is found. The person is charged, systems are confiscated for examination. While I understand why this happens, I believe it opens the possibility up if I was a bad guy to frame someone by planting evidence on their computer. Even if law enforcement determines it is not the suspect that is at fault, they still face the ridicule, social stigma, potential loss of employment and stigma around getting new employment regardless of the outcome.

Here is one example http://www.msnbc.msn.com/id/33778733, and there are others.