What’s Next in IT Jobs?

The year is ending and it’s time to re-evaluate one’s career and direction in the next five years.  Doing the nuts and bolts of systems administration may not be as relevant anymore.  An article in Computer World UK noted:

So what should today’s IT employee do to protect his or her career? “Look for the skills the company is going to need five years from now, not now, and start building them,” advises Forrester’s Schadler. “These include vendor contract management, integration with the cloud, analytics, rich lightweight Internet workforce applications, mobile applications — these are all skills for the next decade,” he says.

IT executives are considering cloud computing. That’s where the game is at.  It’s going to be a slow shift, but it will surely happen.  Better be prepared than sorry.

Problem Solving And Deciding On A Solution

Working in a team can be quite challenging. Deciding what to agree on for an outcome or goal is important for the success of a project. Some key actions to evaluate solutions and gain consensus on the decision to be implemented are:

  1. Describe the decision and how it will be made.
  2. Jointly establish decision-making guidelines.
  3. Jointly evaluate options against the guidelines.
  4. Gain agreement on the best alternative.

Keep it cool, civilized, and concise. Keep discussions on topic and on time. Most of all, communicate well!

How To Listen

Listening is an obvious skill everyone must have.  In business, it’s especially critical.  Companies must listen to their customers.  Supervisors must listen to their subordinates.  Peers must listen to each other.  The key is removing the emotions and focus on the following actions:

  1. Evaluate the need to listen.
  2. Manage internal and external noises.
  3. Demonstrate a curious and open mind.
  4. Manage the flow of conversation.

Effective listening is critical to sorting through and keeping up with the information needed to get results.

Samba and Windows 7

Windows 7 has upgraded security.  This will effectively cause trouble in making connections to legacy apps (ie. Windows XP supported).  One of them is Samba on Unix.

Fortunately, there’s a solution to this:

  1. Open Control Panel.
  2. Choose Administrative Tools.
  3. Click Local Security Policy.
  4. Under Local Policies and Security Options:
    1. Change Network security: LAN Manager Authentication Level to “Send LM & NTLM responses”
    2. Change Minimum Session Security for NTLM SSP to disable “Require 128-bit encryption” into “No Minimum Security”.

Illustrations below:

How To Build A Web App

ApprovedDeveloping a good web application is a tricky job.  Deploying one that gains people’s acceptance can be a big challenge.  The good ones that come into mind are Twitter, Pandora, and tumblr.

Is there a recipe for building a good web application?

I watched an excellent presentation by Fred Wilson, a venture capitalist who invested in several successful companies, that summarized the basic rules of building a great web app:

  1. Fast
  2. Instantly Useful
  3. Unique Style
  4. Less and simple
  5. Programmable (ie. APIs)
  6. Personal
  7. REST – REpresentational State Transfer (ie. Unique URL)
  8. SEO – Search Engine Optimization
  9. Clean Design
  10. Playful

These guidelines are definitely a good start for new companies.  They’re also useful for established companies who want to redefine their products.

Here’s the presentation by Fred Wilson on The 10 Golden Principles of Successful Web Apps:

Future of Mobile Data Networks

Selection of SmartphonesAnything can be communicated via the Internet.  It readily connects everyone to emails, web, television, and voice.  It is where mobile computing’s future lies. The mobile industry seems to be shifting focus to Everything-Over-IP.

Traditionally, a mobile phone is used to communicate voice conversations.   The question now is who needs mobile voice?  Texting has becoming a popular way of doing things in Asia and Europe.  North America is catching up.  Then there’s the popularity of Facebook and Twitter, where Internet connection is required for status updates.  It’s becoming more than just a 1-to-1 communication.  It’s a broadcast of information.

To make Internet capable mobile devices, first the portable technologies have to converge.  Laptops have to be small enough for maximum portability.  Cell phones must be powerful enough to run like computers.  There are plenty of companies like Apple, Toshiba, Dell, and Nokia who are trying to close that gap.

It’s no surprise Apple announced the iPad.  They’re touting it as a reading device, but people know it can be much more.  Its main communication devices are WiFi and 3G.  No voice capability.  However, Apple has also recently allowed VoIP over the 3G network, so apps like Fring or Skype can provide voice calling.  Similarly, AT&T now allows Slingbox, TV anywhere, to go over 3G network to iPhone users (eventually the iPad).  So Apple’s strategy is definitely IP based communication.  Other companies will (or have already) follow suit.

This may sound familiar.  In 1998, there was much hype for Voice-Over-IP (VoIP) in the Telecom industry.  Huge investments were made to lay down fiber optics infrastructure for faster data transfers.  It took a while for that investment to bear fruit, and it looks like the consumers are finally starting to see the benefits.

Interestingly enough, wireless Internet connectivity it not widely available.  But that’s changing, thanks to innovation in wireless technology, such as WiMax or LTE.  It will reach the rural areas where Internet access is scarce.  Also, the price needs to go down in order to make it economically feasible.  Maybe the government should step in?

The direction is to get everyone connected.  Mobile Internet can finally become an integral part of the way people do business and go about their personal lives.  It’s the future of communication – on everyone’s hand.

The Importance of Page Loading Time

run_blur

Customers are very fickle when checking out a company’s web site.  Unless they’re desperate, a person browsing a site tend to go quickly from one page to another.  Their attention span is short.  Their time is valuable.  They don’t want to spend too much time waiting for a web page to load.

Companies have spent a substantial amount of money to improve page loading times.  Improvements include upgrading internet connectivity, buying faster computers, reducing web applications RAM usage footprint, or investing on a content delivery network.

What other important reasons to improve web performance?

  • Increase in traffic due to natural business growth, or advertising campaigns.
  • Snappy response times are required when using the latest web browser tools, such as AJAX.
  • Google is planning to rank web pages by their load times.
  • Increase use of videos using embedded Flash, and future HTML5.

There is a cheaper way to improve web site performance: Optimize Content.  It means reducing the use of heavy graphics, Flash files, or client side Javascripts.  It also means reducing HTML and CSS file sizes.  It may seem contradictory, but ultimately, content dictates page loading times and can improve the web browsing experience.

Operating System and Web Apps Hacking

A lot can be learned from a hacker (albeit a convicted hacker).  Here are some of his thoughts on OS and web application security:

Securing a system:

I keep my services to a minimum, and I keep them updated. On my Linux box I use custom kernel hardening patches to make memory corruption bugs pretty hard to exploit. OpenSSH is firewalled and only accepts a connection from your ip if you visit a custom port-knocking page on my webserver. Basically the only service listening is apache, without PHP.

On my desktop and laptop I don’t have any services listening at all.

Public computers:

… I try to avoid public computers. If I really have to log in from an untrusted terminal I use otp authentication.

Modern website’s security:

Not very secure. SQL-injections are everywhere.

Discovering SQL injections vulnerabilities:

I don’t know of any specific papers, SQL injection is such a simple concept so you can pick it up in a matter of hours. The best method of finding them manually is to simply insert ‘ and ” union select(..” at random in parameters and see if things break.

Local source disclosure vulnerabilities:

Yes, sure. You can do a lot with config.php + phpMyAdmin.

What to do in a hacked machine:

1) Find a custom admin interface.

2) Get read access to a db from an SQL-injection.

3) Find tables corresponding to the custom admin interface.

4) Crack the admin password.

5) Log in and upload a new picture, containing PHP.

6) Exploit buggy custom cron-scripts that delete directories in /tmp once a day.

7) Wait for exploit to trigger..

8 ) Infect a binary on an NFS-share.

9) Wait for someone to use the binary..

10) Enjoy access to the main servers.

Something like that 😉

Operating System:

Personally I use Linux. I don’t consider Linux especially secure, just look at the number of local kernel root vulns found in the last year. I do however know that this is because there are so many people auditing Linux every day. I’d rather use an OS that has a few serious public vulns each year than one where the vulns are still there but aren’t found.

If you make a new operating system, how long it takes for someone to exploit vulnerabilities depend on how secure your code is and how much someone would want to exploit it. A local root vulnerability in QNX isn’t as “popular” as one in Linux, so more people are looking at Linux.

Tools used:

Exploits, network scanners, rootkits, google (perhaps the best network scanner).

And a voice recorder. They are essential when hacking banks.

More security holes:

Yes, I’ve written exploits for most types of bugs. Buffer overflows, format strings, int overflows. I have discovered some holes myself. Nowadays the most popular thing to audit is webapps. The age of remote root holes in popular ftpds is gone.

Government computers:

Personally I think that there are government agencies in the US, China, Russia etc. that have already backdoored each other to hell and back.

Stopping a hacker from coming in:

In short, if you have a network that is connected to the internet and someone wants to get in, they will eventually get in. If you are running the latest versions of all possible software you might think you are safe. But what if someone comes along with a 0day, or someone hacks the home computer of one of your administrators?

Tracing a hacker:

I got too comfortable with my setup and thought I was untraceable. It turns out that, given enough incentive, some people will analyze router logs from all over the world for months until they find you.

PHP:

Make sure whatever PHP software you are using is always up to date. PHP stuff has a tendency to be written very poorly. Install some custom hardening patches like Grsec.

… I’m a big fan of Python. It’s much easier to write insecure software in PHP than in Python.

Security Industry:

I think has become less about knowledge and innovation and more about hype. Extreme hype. Everyone wants to make money off their name. Bugs become a commodity that is sold to companies that charge subscription fees for advance notice, etc..

Personally I am a blackhat. I loathe the cesspool of inflated egos that is the computer security industry. Therefore, I would never ever advise them to become “whitehats”. As for a more rewarding way to use their skill and curiosity, I can’t think of a good answer. Hacking into computers is simply the most rewarding experience I have ever had. I don’t see it as a problem if you are hacking big companies or governments for the sake of adventure, you are not out to hurt people.

Just make sure not to make money from your hacking, be it selling out to the security industry or selling botnet-stuff to russians. Both will destroy your passion.

Sysadmins:

I understand that ultimately some admin will have to take care of cleaning up after the breach, but it’s a part of their job. If one of the main reasons not to hack is that some administrator, whose job it is to maintain the servers, has to do his job.. I just don’t see that as a very compelling reason not to hack.

Hacking:

The incentive was the thrill of breaking into something that could sometimes have taken over a month of preparation. Looking at information that you weren’t supposed to be looking at. I suppose it’s the same feeling you get when solving any complex problem. It’s better than sex. I mostly worked alone, and I was not hired for anything.

Operating System hacking preference:

I almost exclusively hacked *NIX machines. Mostly Linux and Solaris, but also a lot of IRIX/HP-(S)UX/AIX. I would however definitely say that it is easier to hack a Windows PC, given their history of remote “root” vulnerabilities in default services.

OpenBSD is not secure at all. At least they changed the text on their front page to “Only two remote holes in the default install, in a heck of a long time!”. There’s a reason Theo DeRaadt has been hacked a number of times, his ego is enormously inflated. OpenBSD is 10 years behind grsec for example.

The most important part is the anti-exploitation techniques like ASLR, PIE, etc. What I meant to say was that GRsec has always been in the forefront when it comes to those. GRSec, RBAC and SELinux also have MAC capabilities but these are extremely rarely used correctly and to their full extent, since they are so hard to configure right.

IE6 Still Lingering

W3CSchools has stats for IE6 usage at about 15%, as of May 2009.  IE6 in Enterprise environment is still being used,

It’s steadily dropping because of the wide acceptance of Firefox, and Corporations are proactively upgrading to IE7 or IE8.   This number will change dramatically when Enterprise favors Windows 7 as the new standard for productivity machines.

Some websites have already taken steps to prevent IE6 from loading their site.  I can only applaud their efforts.

IE6 Denial Image

IE6 Denial Image