How to do one-off patches without an Internet connection

If you need to patch a small number of Windows servers or desktop PCs and don’t want to download four gigabytes of updates, or, worse yet, can’t download updates, WSUS Offline Update is your buddy. Don’t let its name fool you–it doesn’t require a Microsoft WSUS server in order to operate. But if you have a local WSUS server, you can point it at that to download updates, which is faster than downloading from Microsoft.

It’s a script that can download all existing updates for a given operating system. You can then run it off a network drive or removable media on individual systems to install missing patches and service packs. It’s a reliable way to quickly patch a small number of systems. I’ve had to use it a few times in my career and it’s worked well for me.

Patching hundreds of systems with it isn’t something I recommend–if you have a lot of machines, you need to stand up an enterprise patching solution–but this tool definitely has its uses, especially in small environments, or even for one-offs in large environments.

I can think of another good use for it: If you have a development network that doesn’t have an Internet connection, this will let you download and apply updates to it so your development network matches production, which is critical for a properly-working environment.

In the bad old days I used to use batch files to apply updates. This is better, because it will apply only the missing updates, and it does a reasonably good job of applying the updates in the proper order. Using batch files, sometimes I would have to run the file, reboot, and repeat a half dozen times to end up with a clean system, which didn’t make the security team happy. When I started using the predecessor to this tool, my security team and boss were a lot happier.

Don’t run unknown executables for a dollar. And PLEASE don’t for a penny!

I can’t bribe my preschooler with a penny anymore, but, sadly, a consortium of Carnegie Mellon University, NIST and Penn State University found that 22% of respondents through Amazon’s Mechanical Turk were willing to run a dodgy unknown executable in return for a penny. Fifty-eight percent would do it for 50 cents, and 64 percent would do it for a dollar.

I’ve been telling people for 17 years not to take executable files from strangers. I know the percentage of people who will bend down to pick up a penny off the ground when they see one is less than 22%, so this saddens me.

What LinkedIn is good for

Alistair Dabbs posted a nice, curmudgeonly anti-social-media rant over at The Register. In part, he asked what LinkedIn is good for, noting it’s never netted him a job or a useful contact.

I found his piece entertaining, so I thought I’d talk about how I use LinkedIn, besides dodging recruiters who blindly type “cissp security clearance” or “security analyst st. louis” and message every single person who comes up.

The ultimate budget smartphone: The Moto E

I wanted to like the Moto E, for sentimental reasons. The Motorola who made this phone isn’t the same Motorola who made the MC68000 CPU in my Amiga, and it’s not the same Motorola that built the hulking briefcase-sized bag phone Dad toted around in the 1980s, but the logo is the same.

The stingy Scottish miser in me wanted to like the phone too, because it costs $129. A few short months ago, the only phones you could buy new for under $130 were cheaply made no-name phones like the Blu Advance with half a gig of RAM, a low-visibility screen, a low-end processor you didn’t want and an Android that was a few versions out of date, encased in lots of cheap plastic. Next to the Moto E, the Blu phones lose what little appeal they had.


Chasing dreams

Lifehacker says to follow your skills rather than chasing your dreams.

There’s something to this. Two years ago I had a job writing security documentation. The CISO where I work now didn’t want to hire me because he was sure I already had my dream job and I’d just go back. On paper, it should have been my dream job, but I was beyond miserable. I was writing and editing for an audience of three people, and the environment was toxic. I woke up literally every morning thinking, “I didn’t study all day every day for three months to pass a 250-question 6-hour test to do this.”

Today I manage Windows patches. On paper it’s the most boring job in the world. But I’m happier than I’ve ever been. I’m up for the mandatory midyear review, and though I’ve only been at the job for four months, I have to provide a six-month review. I can’t fit my four months of accomplishments on a single sheet of paper. I wake up every morning ready to seize the day and accomplish something.

What happens when you write a petabyte of data to an SSD

If you’re concerned about SSD reliability, Tech Report has good news for you: They attempted to write a petabyte of data to six SSDs, and three of them survived. Considering the drives were rated for a 200 TB life expectancy, that’s impressive. In fact, even the worst drives outlived their 200 TB life expectancy. And all started behaving oddly long before their demise, giving you ample warning to do something in advance–something you can’t say about evil nasty platters of spinning rust–perhaps better known as traditional hard drives.

The first drive to fail, if you’re wondering, was the Samsung 840, which uses cheaper TLC memory. But even the Samsung 840 outlived its projected life expectancy. Since other companies are undercutting the 840’s price even with MLC memory these days, I’m not sure what Samsung’s plans for the 840 are. For the time being, I doubt you’ll be buying one. One of the drives that’s still going after a petabyte of writes is a costlier Samsung MLC drive.


How to fix Firefox–really

I’ve been having problems with Firefox for a while now–crashes and other odd behavior. I’ve put up with it for a while, but I shouldn’t have to. It turns out the fix is very easy, but non-obvious.

Mozilla’s documentation is abysmal. When you move stuff around for no reason, change your docs to reflect the move, so people can find what you’re talking about. Or better yet, leave well enough alone.

If you actually want to fix the problem, don’t fiddle with the menus. Do this:

  • Type about:troubleshooting in the address bar
  • Click “Reset Firefox” in the upper right corner

A Comcastic-ally bad idea

If you haven’t heard about it, Comcast has plans to build a wifi network for its subscribers, on the back of its other subscribers’ routers. What’s worse is it’s an opt-out service. If you don’t hear about it and say something, you’re a hotspot for any other Comcast customer who happens to wander by.

I’m not a Comcast customer. I’m in Charter territory, and I’m not a Charter customer either. But I have so many problems with this it’s hard to know where to begin, so I sure hope other ISPs don’t copy this.