Tuesday, November 22, 2011

The CFAA Must Go!

Go ahead and read this article, then come back. Go ahead.

I'll wait.

She's charged with violations of the Computer Fraud and Abuse Act for changing some students' grades.

To quote Bill and Ted, "Bogus!"

I will wager that this woman did not crack any computer systems. I don't know the details of the case, but from seeing this type of case before I'll tell you what most likely happened.

She logged in with her own ID and password, picked another teacher's class (which the system did not have adequate controls to say "you can only modify grades for your own classes"), and changed some grades. Sure, she abused her access privileges (which is wrong), but this should be an administrative issue not criminal. Period.

The nature of the act does not change based on the medium on which it is performed, and the act was that she changed some students' grades; that's it. If this had been a paper grade book that she altered with a pencil, she only would have been fired and her teaching certificate (possibly) revoked. No criminal charges would have been filed. Just because it's on a computer doesn't change the nature of the act - especially to a crime worthy of jail time.

The Computer Fraud and Abuse Act is over-broad and overreaching. It criminalizes actions that would not otherwise be crimes, simply because they're done with a computer. It's time for the CFAA to go, but lawmakers don't know enough about computers to realize it.

Monday, October 31, 2011

Test Web Filtering Without Porn

I know, how can you do anything without porn? Well, let me tell you it's possible (not fun, but possible).

I've been making some changes to Websense lately and have to test whether filtering is working appropriately. Since I have very few sites I'm guaranteed to be blocked from, it's sometimes difficult to think up a test on the fly. For this reason, I always use Porn.com. I know it should be blocked and it's easy to remember, but there's an issue. What if it's not?

With my luck, some VP would stop by my desk "just to see how things are going" right as I hit the site.

So, I came up with the idea of creating this blog post as a "this should be blocked" page.

Just add this URL (http://www.gruntingfrog.com/p/this-page-should-be-blocked.html) to a custom URL Category called "Test Filtering" (or whatever you want) and set it to "Block." You can use it for testing filtering anytime you make a change to Websense or think you may be having problems. Obviously, this could be done with any web filtering system; it's not limited to Websense.

Of course, you could add any site, but the good thing is that by adding a specific page of a little-read blog (trust me, nobody reads this), it's unlikely anybody will be affected by it.

Sure, Websense comes with tools such as WebsensePing that allow you to test whether filtering is working, but that has to be run off the server, and nothing's as quick as just clicking a bookmark in your browser.
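An added example (not from the original post): a small Python check that automates the bookmark test and tells a filter block apart from a plain connection failure, which a quick click cannot always do. The two marker strings are placeholder assumptions; replace them with text from your own filter's block page and from the real page.

```python
import urllib.error
import urllib.request

# URL from the post; it must already sit in a custom category set to "Block".
TEST_URL = "http://www.gruntingfrog.com/p/this-page-should-be-blocked.html"
# Assumption: text that appears on (or in the URL of) your filter's block page.
BLOCK_MARKERS = ("EXAMPLE-BLOCK-PAGE-MARKER",)
# Assumption: text found only on the real page. Do not use the page URL here,
# because a block page may echo the blocked URL in its body.
PAGE_MARKER = "EXAMPLE-REAL-PAGE-TEXT"


def classify(status, final_url, body,
             block_markers=BLOCK_MARKERS, page_marker=PAGE_MARKER):
    """Return BLOCKED, NOT_BLOCKED or INCONCLUSIVE for one fetch result."""
    if status is None:
        # No HTTP response at all: outage, DNS or proxy failure, not a block.
        return "INCONCLUSIVE"
    haystack = (final_url + "\n" + body).lower()
    if any(marker.lower() in haystack for marker in block_markers):
        return "BLOCKED"
    if status == 200 and page_marker.lower() in body.lower():
        return "NOT_BLOCKED"  # the real page came through: filtering failed
    return "INCONCLUSIVE"     # e.g. the blog is down or the page has changed


def fetch(url, timeout=10):
    """Fetch url using the system proxy settings; return (status, url, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, resp.geturl(), body
    except urllib.error.HTTPError as err:  # filter or site answered 4xx/5xx
        body = err.read(65536).decode("utf-8", "replace")
        return err.code, err.filename or url, body
    except OSError:  # URLError, timeouts and socket errors all derive from it
        return None, url, ""


def check_filter(url=TEST_URL):
    """Fetch the test page once and classify the result."""
    return classify(*fetch(url))


if __name__ == "__main__":
    print(check_filter())
```

Run it from a workstation behind the filter after each policy change; only a NOT_BLOCKED result means the test page actually got through.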

Wednesday, August 10, 2011

Why I'm Leaving Facebook

I've finally decided that I will not provide my personal information to a company that has repeatedly shown itself to be untrustworthy. I am closing my account.

Facebook has on several occasions changed privacy settings - without informing their users - while hiding those changes behind a facade of providing more "choice," "convenience," or the ability to "stay connected."

This is a lie.

It is an attempt to gather more of your personal information to sell without you knowing. And Mark Zuckerberg thinks you're too stupid to realize what's going on.

Facebook will not be able to hide behind the "it's in our Terms of Service" argument much longer; state and federal courts have held several times that Terms of Service and End User Licence Agreements are not necessarily binding to the user - especially if they are used to hide terms that would not be acceptable if put in plain text with an explicit agreement required.

I ask you all to consider what you are putting on Facebook; yours and your children's health and social problems, your gripes about your employers, your dreams and desires, your possibly controversial beliefs, your family's whereabouts. Are these things you would tell someone in real life who you know is not trustworthy?

Remember that you are not a customer of Facebook, you are an asset to be sold to their real customers.
I choose not to be that product anymore.

You can find me on Twitter as @thegruntingfrog where at least they are honest about the fact that your info is public.

Tuesday, April 12, 2011

The Value of Stepping Away

As much as I love technology, I think it's important to step away from it every once in a while - especially for those of us in the IT field. We're under constant assault from email, blogs, podcasts, text messages, Twitter, Facebook, TV, and radio. This can amount to an information overload that over the years can really start to break you down.

For those of us in IT, it's worse. Since our livelihood (and hopefully our passion) is entwined with constant communication and data processing, it can seem like we can never escape. In fact, just admitting that you need an escape is seen as a sign of weakness in the geek culture; but it's necessary. I'm not talking about throwing in the towel and getting a job as a lumberjack or construction worker; instead I'm calling for a more subtle and temporary escape. A weekend here, a week there - trust me, the world can do without us and we can do without the world.

I just took a much-needed break from technology with a couple of coworkers and friends who I will call Sasquatch (yes, he really is that hairy) and Brains since I didn't ask if I could use their real names. We packed into a car with some camping gear and headed out to the woods for the weekend.

A solemn pact was made.
  • No cell phones
  • No email
  • No blogs or social media
  • No radio, video games, or other electronic distractions
  • No technology discussions
  • And above all NO WORK

As technology-junkies and semi-workaholics, whatever would we do?

We hiked, watched wildlife, told jokes, played pranks on each other, discussed politics and religion around a campfire, and generally had a great time. At no point did we wonder what was going on in the outside world, let alone what the Twitterverse was up to.

It was amazing.

I wish it had been longer and we may have to schedule a week-long trip next time, but as short as the escape was, we all returned to work on Monday refreshed and ready to dive back into our passion for IT.

Let's hear it for the occasional escape. It's the best cure for burnout ever invented.

Thursday, January 20, 2011

Filtering iTunes Traffic - Allowing Software Updates Without the iTunes Store

As many people are probably doing right now, I've been investigating ways to incorporate the iPad or other tablets into our environment. It's no question why, either. They are really light, have astounding battery life, and Steve Jobs says that we should like them.

However, what happens if someone wants to use their personal iPad at work and asks for iTunes to be installed on their desktop to accompany it? Although this hasn't been tested in court as far as I know, it is the opinion of many a General Counsel that U.S. corporate entities must own a license for any copyrighted media stored on their computers, whether the user of that computer has a license for it or not. This is the main reason that we block MP3 download sites - including the iTunes store. Alternately, what if they are using their personal laptop and iPad at work (attached to our guest network, of course)? We still want to block those sites on our guest network (this time for bandwidth reasons), but someone may have the need to update their iStuff.

The problem is that iTunes is required for updating the OS on iPads and iPhones, but that network traffic is identified by Websense the same as if the user were downloading Justin Bieber's latest musical masterpiece.

This raises an important question.  How do we allow people to use iTunes to update their iPhones, iPads, and iTunes itself without granting access to the iTunes Store to download movies, music, or other media?

Saturday, January 8, 2011

User Awareness - Ur doin it rong.

It's heard throughout the security community that user awareness is an important part of a security program, but I think we technical people seem to miss the mark.

We often assume - although nobody actually says it - that if the user only knew the details of a computer system or had more information about how specific threats work, they would automatically become security-minded and less vulnerable to attack. The problem is that many of us don't know how to talk to normal people. Because of this limitation, we either give up immediately or, if we do get off our butts and put together a user awareness program, it tends to be the type of talk that we would enjoy but dumbed down for "the peasants."

Thursday, January 6, 2011

Come on Ride the Train

No, not this one:  

This one:

I started riding the train to work in December (thank you, DART) and I've learned a couple of things that I think are important for anyone who is making the decision to do the same. 

Rules for Riding the Train to Work:

1. Don't lose your ticket.  The transit police don't believe you when you say, "Really!  I bought one!" The citation isn't cheap, either.
2. The guy talking to himself is not on a Bluetooth headset.
3. Don't get so into your book that you miss your transfer station.
4. That is not soup spilled in the corner.

This is all I have so far.  I might add a few more as I come across them.

Sunday, January 2, 2011

Is RSS Dying? Short answer: I doubt it.

Kroc Camen of CamenDesign.com made a recent blog post about RSS dying (http://camendesign.com/blog/rss_is_dying).  Although I agree with some of the points he made, I disagree with the conclusion and some of the reasoning. 

The post first assumes that the client-side browser settings are the optimal location for RSS feed configuration.

On the contrary, I am an avid RSS user who finds the local browser a really poor choice for storing RSS selections. This is why I don't use the RSS button in Firefox. It simply doesn't travel to other computers without reconfiguring those as well. This is a useless choice for my needs. When I add an RSS feed to follow, I want that setting to automatically follow me from machine to machine - even those machines that I don't own.