evilrouters.net

the toronto star tells the story of chris avenir, a first-year student facing academic expulsion “for helping run an online chemistry study group via facebook“.

“so we each would be given chemistry questions and if we were having trouble, we’d post the question and say: ‘does anyone get how to do this one? i didn’t get it right and i don’t know what i’m doing wrong.’ exactly what we would say to each other if we were sitting in the dungeon.”

as an educator, i think ryerson university is taking this way too far (based on what i know). if there was blatant cheating going on, then by all means punish those involved. if this is, as the article says, the students were simply using the forum to “brainstorm” in groups then it is completely absurd.

i *encourage* my students to work together in groups. working together in groups in something that higher education should teach you. every one of these students will have to work together in teams once they get out into the “real world” and will have to collaborate with their peers. it should also be common knowledge that having multiple people in your group who can provide their own insights is an asset, and makes the team greater than the sum of its parts.

again, blatant academic dishonesty should be punished. from what i’ve read, however, that is not the case here.

best of luck to you, chris avenir.

i just applied for the iphone enterprise beta program for my .edu:

“announcing the iphone enterprise beta program: a unique opportunity for it departments to try iphone 2.0 software before general release. if your company is selected to participate, you’ll test new iphone enterprise features within your corporate environment, then provide apple with valuable feedback. interested? click below to apply.”

*click*

“we appreciate your interest in the iphone enterprise beta program.”

cool!

jeremy works at a post-secondary educational institution. his job duties include managing high-speed fiber optic networks, administering win2k/win2k3, debian, gentoo, and rhel servers, database administration, security, and occasionally hacking on some perl or php.

he also serves as an adjunct faculty member, teaching network security courses. he is a staunch advocate of foss, is currently working towards a bachelor’s degree in information technology, and also owns a consulting company.

jeremy has been a technological swiss army knife since the oregon trail was text only. his favorite color is sushi. he has never been to the moon.

this is a list of some of my “life goals” — things that i want to do at some point in my life. i usually track my short-term goals elsewhere (such as vitalist, my gtd system of choice), but it never hurts to make a list of things you want to do “someday” and refer to it often to keep you on track. a lot of these i will never get around to, for various reasons, and i’m fine with that.

with that, i present to you my list of “life goals”. it will be revised often and the list is not in any particular order.

• continue my education and finish a bachelor’s degree
• put away $10k in my savings account
• uspa skydiving license
• become a licensed private pilot
• red hat certified engineer (rhce)
• microsoft certified system administrator (mcsa)
• systems security certified practitioner (sscp)
• certified information systems security professional (cissp)
• visit italy
• visit australia
• get married
• fork() a child process
• buy a house
• buy a new car with cash
• pay off student loans

Recently, I have been — often without realizing it at the time — doing a lot of reflection and reassessment about myself. Only during the last few days have I realized what I was doing. I am now officially committing myself to do some of the things I’ve been meaning to for quite a while as well as “getting my priorities straight”.

Getting organized is at the top of my list. For as long as I can remember, I have always been one to write things down and/or “make lists”. I usually have so many things going on in both my private and work lives that I have to — if I don’t, I’ll forget things. I’m also guilty of using my Inbox as a task list, which is a bad thing. For the past year and a half or so, I have gotten fairly involved with “Getting Things Done“. “GTD rests on the principle that a person needs to move tasks out of the mind by recording them somewhere. That way, the mind is freed from the job of remembering everything that needs to be done, and can concentrate on actually performing those tasks. What distinguishes GTD from other time- or action-management systems is the idea of grouping tasks by the context (defined as a place or set of available resources) in which they are to be performed.” (–Wikipedia).

About the same time I started getting involved with the GTD methodology, I picked up a copy of “Time Management for System Administrators” by Thomas A. Limoncelli. I was able to relate tremendously to the book — I’m a system administrator as was Mr. Limoncelli. The book outlined the unique aspects of a sysadmin’s daily work life and ways for a syadmin to become better organized. “Time Management for System Administrators” was the first book I’ve read cover-to-cover in a number of years. The things it talked about really hit home and I was determined to put them into practice. And I did. For a while. Then I quit.

It wasn’t a conscious decision to stop, it just happened slowly over time. Over the last week I’ve really been devoting myself to becoming better organized and most of that centers around GTD. I’ve spent countless hours trying out and evaluating a number of online, web-based systems that are designed around GTD: Vitalist (I have a premium account), Toodledo, and Remember the Milk (RTM). I also took the time to install Tracks on a test box at work, but wasn’t all that happy with it. I think I’ve finally decided on RTM — both for its features and because it has a nice API. I currently have 42 tasks entered into RTM, 30 of which are active (i.e. “uncompleted”). I currently have RTM set up to send me a once-per-day reminder e-mail of all my tasks due that day, and I get notifications via Twitter as well. If I can just stick with it, I think it’ll help tremendously.

Continuing my education is the next thing on my list. I currently have somewhere around 69 credit hours completed and have decided I want to continue my education. I’ve decided on pursuing a Bachelor of Science in Information Technology from Franklin University in Columbus, Ohio (home of the Ohio Linuxfest). I’ve spoken to the folks there and every one of my 69 credits will transfer, which is awesome! For the classes I have to complete, a number of them can be taken at my local Community College and Franklin will give me credit towards the B.S. The remainder have to be completed through Franklin, of course. I know firsthand that working full-time and attending school part-time is not the easiest thing in the world to do — especially when I also teach and volunteer for some non-profits in my “spare” time. It will simply come down to being able to effectively managing my time, which goes back to GTD (above). It might be a little on the optimistic side, but I’m confident that I can complete the B.S. in three years. I’ve reviewed the requirements, completed all the necessary paperwork, and have a telephone appointment with a “Student Services Associate” at 2pm on Tuesday to finish things up. At that time, I’ll get signed up for the first course, PF321, “Learning Strategies”. I’ll begin in January.

Obviously, my job is still a priority of mine as well. I don’t spend every waking moment of my “free time” VPN’d in and working on things like I used to, but I still love my job and (a majority of) the people I work with. Building on my skillset is something that I want to continue doing as well, to benefit both myself and my employer. In that regard, I have plans to also add to the list of certifications that I have and will probably start by completing the requirements of the MCSA (I’m already an MCP).

I’ve also made a conscious decision to pay off some of my debt. I don’t have a lot of it, but I usually look at my bills, see what the minimum payment is, double it and round off. I could pay things off a lot faster than I have been — it’s just a matter of doing it, which hasn’t really been a priority for me. That said, I’ve decided to cut down on some of “leisure activities” and put the money towards the debt. Tuition at Franklin will be much higher than at the local Community College (where my tuition is paid for), so that’s another bill I’ll have that I don’t have now. I put together a “Net Worth Worksheet” and have set some pretty realistic goals with regard to my finances. Christmas is getting close, though, and I always blow lots of money this time of the year… maybe I’ll wait until January to start on this. =)

Oh, and I sold my motorcycle too. I’ll miss it, but to be quite honest, I’d probably just end up getting killed on the damn thing. That wouldn’t really be good.

Aside from all of this, I have took the time to take some goals that I’ve had (many of them for years) and put them down on paper where I can review it often. Keeping those sorts of things fresh in my mind is the only way to keep myself motivated towards completing them. The months ahead will definitely be interesting, that’s for sure…

I teach a course entitled “Linux Networking/Security”. A few weeks ago we covered chapter seven, “Security, Ethics, and Privacy”. The homework for that class was a three-part assignment in which the student plays the role of system administrator for a fictional financial services company named Safety First Financial Services, Inc.

The last part of the assignment read as follows:

You came in to work at Safety First this morning and reviewed your system logs, only to discover that a cracker had broken into the retirement calculator Web site during the night and downloaded the registration details and retirement plan summaries of about 400 customers. What will you do today?

I got some good answers to that question, which we discussed in class. Responses included things like contacting HR and Legal, removing the server from the network, attempting to find the exploited vulnerability, etc. The best response I received came from a student who broke down her day into steps:

I decided to put this one into steps. Some steps will be going on at the same time and these are not truly in a specific order.

1. Really loudly say “AAH FUCK!”
2. …

I laughed when I first read that, then thought for a moment and decided to give her extra points for that. Honestly, it’s the first thing I’d do too. =)

On June 1st, Max Spevack, Fedora Project Leader, sent a message to the fedora-announce-list entitled “Discounts on Red Hat training for Fedora folks”.

You can read the message for yourself, but Red Hat is offering discounts (in some cases, up to 25%) off of Red Hat Training for users of and contributors to the Fedora Project. This was good news to me, since I’ve recently been thinking about taking the RH300: RHCE Rapid Track Course, which normally goes for $2,798 (including the RHCE exam).

As an employee at a .edu, I’m eligible for a 12% discount from Red Hat already. I was hoping I could get the 20% stacked on top of the 12%, but Max Spevack let me know that wasn’t gonna happen. =) With the 20% discount, the cost would be right around $2,238. The RH300: RHCE Rapid Track Course is being held in Indianapolis starting October 1st — that’s close enough for me to drive back and forth everyday, avoiding additional costs for airfare, hotel accomodations, etc. I haven’t asked yet, but I’m really hoping I could get $work to spring for this.

We actually run way more stuff on Microsoft Windows than we do Red Hat Enterprise Linux and I know that $boss would be much happier if I were to get some more Microsoft certifications. I’m already a Microsoft Certified Professional, but my reasoning is that if I knock out the rest of the exams for the MCSA by myself, I’m much more likely to get $work to pay for the RH300. I’m not sure if that’s logical reasoning or not, but it seems like it might be a “reward” for me or something (I’d much rather have the RHCE than the MCSA/MCSE).

We shall see… =)

A week or so ago I came across an article entitled “A Student-Hacker Showdown at the Collegiate Cyber Defense Competition”. I heard never heard of this particular event before, but it definitely sounds cool. I would love to get a team together at the school where I work and try to compete in this next time around. I’d also love to hear from anyone who’s been involved in it in any fashion. For those who don’t know, I work at a post-secondary institution in Bloomington, Indiana, and do various sysadmin/netadmin/infosec chores there. I’ve thought about trying to organize some sort of “capture the flag” game, but it’s never moved past the “hey, that’s a cool idea” phase in my head. =)

Here’s another open position, this time it’s a “Lead Security Engineer” at Indiana University:

The following position reporting to Tom Davis, IT Security Officer, Office of the Vice President for Research & IT, at IUB is being posted internally and externally. If interested, you must apply online at http://www.indiana.edu/~hrm/employment/ola.html. Refer to position number #00016490.

Lead Security Engineer - PA 14

Generally, assists the staff and management of departments within OVPIT and UITS as well as senior technical managers in various University departments in examining their environments for system and information security exposures. Provides high level technical and practical expertise/consulting. Must gain, maintain, and apply a significant depth of knowledge in many widely varied technology areas, including computing, data and voice networking, and complex security systems and software.

Responds to requests for security analysis and input to technology projects. Designs, develops and implements complex security software. Evaluates, recommends, and implements vended security software. Responds to requests for security analysis and reviews. Analyzes develops, implements and maintains network and system security analysis and other tools. Collects, analyzes, and distills information regarding current known system vulnerabilities and solutions. Collects, analyzes, and disseminates information regarding current intrusion methods and protections. Collects and disseminates or applies information regarding current best practices. Responds to incidents of breaches in computer security and provides advice to and/or participates in the collection of technical evidence. Recommends security policies and procedures. Develops and maintains automated reporting and other mechanisms. Produces reports, papers or other products.

Qualifications: Bachelor’s degree (Computer Science desirable) is required, and at least three to four years related experience, or equivalent combination of education and experience. Advanced systems analysis, programming, and systems administration experience is required (UNIX preferred, Windows and others very helpful). Working knowledge of computer networking configurations, general data networking, associated protocol suites (e.g., TCP/UDP, IP, etc.) and related issues is required. Solid technical background, with the capacity to subsequently learn and apply security and audit principles and practices is required as is demonstrated excellent oral/written communication skills, and interpersonal skills.

Working knowledge of voice communications, associated protocols, and related issues is desirable. Other desirable technical experiences include C and PERL programming, and relational database management systems.

Limited Criminal Histories (LCH) checks will be required for all external finalists and for internal finalists with less than 1 year on staff.

I’ve been on what seems like a virtual scavenger hunt today. For some reason, I feel like going to some more conferences. A few months ago, I went to the Security 505: Securing Windows course put on by SANS (yes, I passed the exams).

I’d like to take the SSCP exam sometime within the next few months. It’s actually being offered in Indianapolis and Louisville in May, so I may try to do that. For less than $400, the price isn’t bad and should be an asset, until I meet the experience requirement for the CISSP.

A number of universities host the SANS courses, often at great discounts to employees of the government and educational institutions. Since I fall into the latter category, I can get excellent discounts on them. For instance, the SEC 505 course I went to cost $750 for .gov and .edu employees, and nearly $3,000 for everyone else. Virginia Tech is hosting the SEC 504: Hacker Techniques, Exploits, and Incident Handling course in a couple of weeks. The course is $600 and the exams are $300, so that’s only $900. Since I know $boss can’t really spare the $900 out of our budget (which is sad), I’d just about pay that out-of-pocket. I’m not sure I can get the “okay” to go on such short notice, though.

Oh, I’m going to be speaking at Notacon 2006, can’t remember if I’ve mentioned that before or not. That’s four days or so that I’ll be out of town. I’ll be speaking about Patch Management in a Windows environment. Nothing spectacular, will just demo deploying Service Packs through GPOs and managing Windows Server Update Services in large(r) environments. Anyways, it gets me in free.

I came across the Defcon web site as well. Though I’ve wanted to go to Defcon for years, I’ve never managed to make it. This year it’s August 4-6th (in Las Vegas, of course), and I’m definitely going to try to get out there for that. Never been to Vegas, so that should definitely be fun. I suddenly have this feeling I’ll be broke when I get back, though. Hmm.

About two weeks ago I was in Muncie, Indiana for the “Cooperative Computer Incident Response” conference put on by CERIAS of Purdue University. It was pretty interesting and we got to hang out and exchange info with a number of law enforcement guys (Indiana State Police and FBI guys). Oh, that one guy from the ISP didn’t wash his hands after taking a leak, but I can’t remember his name…

Anyways, I’m always on the lookout for good security conferences to go to. Let me know if there are any good ones coming up that I’m missing out on. Bonus points if they’re in the State of Indiana.