http://twitter.com/joncanady/status/7528765047
I have spilled coffee in my awesome new keyboard. It is non-responsive. Not the best day for me.

Oops.

Step 1: Unplug it immediately and remove any batteries.
Step 2: Rinse it out well with lukewarm water. Yes, into the keyboard… liberally.
Step 3 – optional but highly recommended: Place keyboard face-down on the top rack of an empty dishwasher. Don’t add dishes or soap. Turn off heated dry (air dry only) and run a cycle.
Step 4: Place upside down on a towel for three days (or more). Flip it each day.
Step 5: Re-enjoy your new uber keyboard.

Good luck Jon.

Personally I think it’s perfectly paired with the flogiston a’la The Lawnmower Man.

Ta da! Pluses with no goofy routing rules (which won’t work, probably why you’re here). Since you’re probably wondering, I’m using TeleVantage for a couple enterprise class IVR systems.

Step 1: Create a virtual directory (if needed).
In IIS Manager expand the server name containing the target website, expand “Web Sites”, right-click on the target site and point to “New”, select “Virtual Directory…”

In the creation wizard choose “Next” and type your virtual directory as the alias…

For the path, browse to the web site directory and create a folder for the virtual directory, choose this folder…

Choose “Next”, give Read access to the directory, and complete the wizard.

Step 2: Setup the redirect.
In IIS Manager, right-click on the new virtual directory and choose “Properties”.

On the Virtual Directory tab, select the radio button for “A redirection to a URL” and check “The exact URL entered above” and “A permanent redirection for this resource”, enter the URL you want to redirect to into the “Redirect to:” box…

Choose OK and test your redirect! You’ll notice for my purposes I checked the “exact URL” box because I want greater control over the redirection through the variables $S$Q. These pass both the suffix and query string to the new URL. Here’s the Microsoft variable reference for IIS 6.0 and further Microsoft reading on redirecting.

The “A permanent redirection for this resource” box makes this a 301 redirect, popular for SEO reasons.

Easy, right? If you’re a mod_rewrite ninja maybe not so much, this is kinda backwards from what you’re used to. But hell, I didn’t find it searching, so here it is.

memory full 016-700

Truly perplexing, as these printers contain 128MB of memory, the offending document is only 115KB, and I could print other documents well over 5MB. The solution is to add an external memory module, these printers are clearly having memory addressing issues on certain documents. So, if your printer(s) is equipped with internal memory only, this is your solution. Read on to learn how I handle calling Dell to solve such a strange issue…

Working with Dell hardware support on an issue like this can be difficult because it’s not a clear hardware failure, which are easy to describe and be understood by the support person. This could be software on the client PC, the server hosting print services, a firmware or software setting on the printer itself, or a hardware problem in the printer. Navigating such a problem takes a little pre-call preparation, patience, and a little luck that you’ll get someone who can think beyond a flowchart (often you don’t, those calls are more fun ).

I prepare for the call by addressing possible points of failure and commonly requested steps starting at the client PC, such as:

• Print as administrative user.
• Print problem document from another PC, then from another location (example, if it’s on a network drive then copy to local hard drive).
• Print another document of the same type, from the same location and then a different location.
• Power-cycle the printer.
• Update all printer drivers/firmware.
• Print directly to the printer’s IP, bypassing server print services (if available).
• If you have other similar printers, especially the same model and configuration, repeat all steps to second or third printer.

These steps should help isolate your issue to the PC, server, or printer and maybe solve the issue in the process! Yes, some (such as power-cycling) are rudimentary, never overlook the simplest solutions because they’re often correct, and in the least quick to rule out. Easy steps performed now will either keep you from wasting time making a call or allow the call to be more efficient. In some cases you’ll show the tech they can trust your judgment and bypass other potentially unnecessary steps. Now gather information about the issue (settings and job reports from the printer, etc.) and call support armed with a list of your steps/outcomes and an idea of where you think the issue is. In this situation, I was sure the printers were the source but not sure if it was hardware or software.

The tech and I worked through usual first steps, building into several printer and driver configurations. At this point, the tech was at a loss and having worked through settings I was sure there was a hardware problem. The tech ordered new logic boards, I was skeptical but now could get a tech physically on site to see the issue with me and more importantly connect me with the internal Dell techs reserved for their field reps. Sweet.

I had parts and a tech the next day, showed him the problem, and he changed the logic board on one printer – problem remained as expected. We got in touch with the internal Dell tech, who consulted with Dell engineers and they didn’t know what to make of the issue. I centered around the printer requesting memory, possibly not addressing its internal memory correctly and suggested they send me an external memory module to try. After some push back the tech agreed to send me a memory module at no charge. As we know already, this resolved the issue. I called back and Dell gladly sent a second module for the other printer (again at no charge). I asked they pass the solution on to engineering so others can get this solved quickly, I hope they did and your call to Dell is efficient.

For what it’s worth, the external memory module appears to simply be standard laptop size 533MHz DDR2, you can see the specs in this image, but I would still call Dell for the correct type lest you have an issue later and they blame unsupported memory.

As of this writing, the website boasts 3,724,336 registered users and certainly a greater number of unregistered users, each one with their own private download/upload history and information to the depth of which one can only speculate. The risk of using this service was eased by the defiant and sometimes animated nature of the current owners, who earned trust with their users similar to what we’d share with good friends. They’re the good guys, fighting for our privacy and right to share information on the internet. They can be trusted.

Until they can’t anymore. The recent loss of a major lawsuit seems to be the catalyst for the sale, though the owners are attempting to portray that this sale had been coming for some time and they had intended to convert the service to a model that would compensate content providers and copyright owners. Doubtful at best. So now The Pirate Bay and all of it’s user data will be the property of a company that isn’t motivated by the thrill of file sharing in defiance of law and cannot be bought, but by a company who can (and probably will). And what of all that history of illegal uploads and downloads of it’s users? The new owner will be free to do whatever, and more importantly, give to whoever it chooses – if it chooses.

If you’re an avid user of The Pirate Bay, this should be scary. I’m not saying that they’re going to start turning over your data to whatever law enforcement agency, but they could. Recall when Naspter, the grandfather of peer-to-peer sharing, was sued and acquired in a similar fashion this technology was in it’s infancy and I’ll argue that a precedent wasn’t set at that time because no one really knew what to do with the data, and many believed the shuttering of Naspter as a free service would itself kill illegal content sharing. Clearly, that didn’t happen and now we’re observing the collapse of another very large sharing service. I believe this one will set a precedent because of the far greater sensitivity of illegal content sharing in this age. I can hear lawyers lip-smacking already to compel vast amount of user data for study and perhaps even limited retribution. All eyes will now be on the new owner and what pressure they receive to release information. In any case, all of that data in accountable hands is unnerving.

While discussing this subject on other mediums, two important points were brought up:

1) The Pirate Bay contends they save no user or identifiable information, and if they did it wouldn’t be transferred to the new owners.
- This simply cannot be trusted. While The Pirate Bay may indeed remove user information, what controls do they employ to ensure the safe and complete removal of the data? Are these controls to be trusted?
- How will they ensure any retained data will not be transferred to the new owners, and what happens after the sale if they weren’t able to ensure this? The new owner also now owns the data.

We cannot verify these statements and just cannot know what data The Pirate Bay possesses, we’re falling back upon blind trust that they’re the good guys and they’ll do the right thing.

2) The way law is currently being enforced, only seeders (people uploading/sharing) are being pursued and prosecuted.
- “currently being enforced” What will the future hold?

Simply, this is another lesson that your data in the hands of others cannot be trusted – ever. It’s impossible to predict what the future holds for a given organization, and in a moment your personal data and information can go from trusted hands into the unknown. Guard your online practices as you guard your real personal information. The internet is real, simply because you access it in the comfort of your home and personal privacy doesn’t mean the risks are smaller.

View 2009 ODOT CONSTRUCTION in a larger map (source)

I don’t travel this freeway on a daily basis, but I drive past it’s junction with I-670, our major east-west artery bypass. Within the last couple years, we’ve finally had large informational signs installed on all major freeways heading into town (like a real, big city!). About three weeks ago the sign on I-70(and 670) started displaying a message similar to the following:
"TRAFFIC PATTERN CHANGE - 315 AT 670 STARTING JUNE 15TH"
The wording leads one to believe “Hey, the traffic pattern is changing when they start work on 315.”

Today, the day work began, it said:
"ROADWORK - 315 AT 670 - WATCH FOR STOPPED TRAFFIC"
You might think “Oh yea, work starts today, I should be careful in that area.” Okay, actually, if you’re me it’s probably a series of expletives because I hate traffic, but I digress…

As you approach the junction for 315 there’s a freestanding sign on the right about 500 feet before the exit that says "315 NORTH RAMP CLOSED" Whhhhaaaaaaaaa? Then there was about 20 cars slamming on brakes as they panic and try and figure out how they’re getting to work, and the freeway slows to a crawl as everyone else panics.

What’s the point of these signs if the messages displayed are not intuitive, useful, and in this case borderline totally false? “Traffic pattern change” implies that traffic will still be able to flow. “Ramp closing” would have implied that the ramp is closing and people need to find another way to work. Exacerbating the situation with nearly no advance notice of the ramp closure turned the situation from annoying to dangerous.

How’s this relate to tech? I’ve mentioned before about how to express technology with our clients. I feel like ODOT chose these messages to put a “friendlier” face on a stressful situation, which of itself clearly isn’t a bad idea. The issue is, while it’s important not only to talk to your clients well, we need to understand the risks and stakes with our communications. The stakes, of course, are high here as ODOT’s failure to properly communicate endangers lives.

Let’s not forget, we’re being retained as an expert and a good expert knows when and how to elevate the urgency of a situation, even at the expense of a “feel good” message. It’s a fine line to walk, but occasionally we’ll have to balance the need to make our client feel good with keeping our client safe.

Our keynote to start the day was delivered by Raphael Perl, Head of the Action Against Terrorism Unit, Organization for Security and Co-operation in Europe (what’s with these titles? sheesh) who discussed global cybersecurity challenges for practitioners as well as the emerging threats and tactics of terrorism in cyberspace.

One of the items I thought most interesting was the explanation of overall approach on a political and military level. From a political perspective, it’s becoming understood and accepted that security is a global challenge requiring international information sharing. But the military is resisting, instead preferring to stay separate and secretive. As I pointed out on day 1, Philip Reitinger and others plainly state the biggest issue we face is hackers and other baddies becoming much more organized and globally sharing information at a rate the good guys can’t match. It would seem to me the military approach is destined for failure, and Raphael Perl made it clear he believes the same. Here’s a few other interesting points or facts from the discussion:

• Last June, 1 billion PC’s were in use worldwide. By 2012 this will double to 2 billion.
• 200 billion email messages are sent every day, Cisco estimates 90% of them are SPAM.
• There are currently 3-5000 active websites run by terrorists or are terrorist affiliated.
• In a non-scientific poll of sales at a major computer store, 10% of home users bought antivirus software with a new PC purchase. Business users bought it 90% of the time.

He devoted a lot of time to discussing the potential threat to cyberspace by terrorists. He believes terrorists are actively planning to disrupt the Internet, and will launch an attack in conjunction with a real attack or a major national disaster. The goal is interrupting services right when many need it most. He believes the information sharing and readily-available tools by hackers will help facilitate these attacks, as any cyberattack can be easily copied by terrorists. However, it was also made clear that not all experts agree with his opinion. Overall I found the discussion very intriguing and certainly worthy of deep future interest.

Day 2 tracks were Five Common Mistakes in Securing Web Applications, Are you Googling Your Privacy Away?, Are You Prepared for Data Loss, and PII (personally identifiable information): Taming the Beast (AKA how to discover and secure PII). Just like yesterday, they were all engaging and very well presented. The Google talk was particularly thrilling – yea I said thrilling. It’s incredible how much private information we *give* away to Google in exchange for their services. If you know me, you know I’m not afraid of talking about how much Google scares me. When it’s all laid out for you in a short presentation it’s even more resonating.

• Google is better than everyone else at screwing you and your privacy.
• Their cookies auto-renew every time you use any service.
• They’ve essentially built the best surveillance system ever created. You are a GUID (Google User ID), everything you do with them maps to this GUID, and it will follow you until you die. They aim to have a GUID for every person in the world.
• You readily give Google (and other social networking sites) vastly more information than the police can ask you.
• GMAIL really is email for life. According to the ECPA your data is only protected for 180 days, on day 181 Google can give it to law enforcement without a warrant, barely with a formal request. Our DOJ is working on depreciating the 180 day rule.
• Google has only indexed 20% of the internet.
• If you use Google Desktop with remote access, everything you have indexed is stored in the Googlesphere. You’re violating HIPAA, PCI, SOX, and most other compliance specifications (oops!).
• When using Chrome, Google knows every keystroke you type into the browser. Even fields you backspace/delete.
• They don’t have to ever delete anything you tell/ask them to. Google’s file system is designed not to delete.
• Does your phone run Andriod? They know everyone you talk to, where you are, where you’ve been.
• Goog411 is a slick, free 411 service, right? Actually, you’re training their voice recognition software.
• Google probably knows much more about you than any government agency.
• Remember that HIPAA, PCI, and SOX violation stuff? Hope you’re not using GMAIL since it’s stored (and indexed) in the Googlesphere.
• Google probably knows much more about you than any government agency.
• Yes, they can filter via your GUID and/or IP address and find all of your search terms.

I could go on, and the presentation was less than an hour. It’s freaking scary. Here’s the rest of my juicy tidbits from the day:

• 60% of top 100 websites had hosted or or were involved in malicious activity in 2008.
• Of all 2008 vulnerabilities, 58% were from web applications.
• From the 2008 total, 73% of those classed “easily exploitable” were web applications.
• Dear developers: Most hackers don’t use browsers to exploit web applications, client-side anything is fail.
• 80% of internet traffic crosses a Verizon network.
• In the vast majority of cases when a breach occurred due to a known software vulnerability, the patch was released for over a year.
• Top three types of malware are keyloggers, back doors, and capture-and-store programs.
• The majority of these are plain, un-customized and easily detectable by most antivirus programs.
• 49% of breaches go undiscovered for months.
• VerizonBusiness’ assessment of breach events over three years revealed 82% of organizations captured the attack(s) in logs, but the logs were either too complex or they lacked the tools to filter the data into a useful view.
• In this period, 69% of breaches were detected by a third party. 24% were detected internally passively (stumbling on), and 7% were detected actively.
• Over 260 million SSN’s have been leaked since 2005.
• There are a few open source tools for scanning/identifying PII.
• According to solution methodology, 89% of breaches could have been solved by data-at-rest protection (identification and removal or encryption, etc.)

I have 21 pages of notes and a large list of ideas/tasks taken over those two days. So let me say again what a fantastic event this conference was.

Chris

The morning began with welcoming remarks and an animated hacking demonstration themed around X-Men, which consisted of using a Linux distro to disable an NT password, Internet-mining to find information about an individual, and WireShark to sniff packets. Wasn’t exactly technically deep, but certainly not boring powerpoint stuff and if anything was pretty entertaining (Indian guy in a Wolverine wig, nice).

The keynote was delivered by Philip Reitinger, National Protection and Programs Directorate for the U.S. Department of Homeland Security (what a mouthful). Without powerpoint (bonus!), he discussed quite a bit on the 60-day Review(pdf) and where DHS is challenged with cybersecurity. He also candidly highlighted some of the largest challenges facing security professionals:

• Hackers getting better not just at hacking but with sharing information at a rate security professionals cannot match.
• Defenses not keeping pace with threats.
• Cybersecurity as an issue of national security (which the president recently accepted responsibility for, a great first step).
• Fostering public-private information sharing.
• Establishing reasonable metrics.

Overall a thoroughly interesting and engaging discussion. He also pushed pretty hard for good IT people, if you’re interested in moving into the Federal space, now might be a great time.

The three tracks I chose were Ensuring Network Protection While Meeting Compliance (PII, HIPAA, etc.), Computer Network Simulators, and Motivating People to Adopt Security Practices. You’d think these would be horribly boring, but I have to say how impressed I am not only with the conference organization but with the quality of the talks. Yes, really, I stayed engaged all day. Let me share a few tidbits of info I found particularly interesting throughout the day:

• Information Security Officers must be allowed a seat at the executive table and involved in business decisions. (there is a heavy push to remove the “wall” of security as a sub-position of IT or an afterthought)
• 35.7 million records potentially breached in 2008 *reported* – imagine what the actual number is. Dizzying.
• In 2008, missing or stolen equipment accounted for 42% of reported breach events – the second highest was employee negligence at 16%.
• Heathrow airport in England averages 900 unclaimed laptops per week – and after reasonable time unclaimed are auctioned off.
• 1 in 10 people click through SPAM and become infected with malware. On the surface, that’s not much. But think of an organization with 1000 or more people.
• There are 500,000 different variants of malware currently, 20,000 new ones are created every day.
• Personal observation: Most admins don’t have a clue how base32 encoded data looks (scary).
• People will not embrace security policies if they reduce their productivity, feel threatened, or are negatively reinforced.

Overall I’ve found the conference very well organized, technically awesome, and the people very welcoming. I also had a few great conversations with some of the sponsoring vendors. So far a great experience, and I’m looking forward to tomorrow. Until then, cheers from the Albany Pump House and my beer sampler.

P.S. I’ve been tweeting some of the conference, feel free to follow me.

Chris