Expect your HP printer to get 0wnz0r3d shortly

Courtesy of Dan Bowman: You may have seen the brief writeup on Slashdot about how to set printers on fire by messing with the fuser, but in Germany next month there’s going to be a security engineer’s nightmare unleashed, courtesy of the HP printer that’s probably sitting a few feet outside your cubicle and mine.

And there’s a whole lot more to it than just messing with the fuser in hopes of killing a printer or (perhaps) starting a fire. There’s a lot more to a printer than toner and a fuser. As the link above says, a printer contains an embedded Linux or Vxworks system that’s trivially easy to install a rootkit on and that nobody’s paying attention to. Seriously, who watches traffic coming from the printer?

The possibilities are endless.
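The excerpt's closing question, who watches traffic coming from the printer, is answerable with a very small amount of detection logic. The following script is an added example, not code from the original post or from any HP product: it assumes you already know your printers' IP addresses (the `PRINTERS` set is a stand-in) and can export firewall or flow logs in a simple whitespace-separated format (the `SAMPLE_LOG` lines are constructed for the example, not real traffic). It flags any connection a printer initiates to an address outside RFC 1918 space or on a port a printer has no business opening on its own.

```python
"""Flag unexpected network traffic originating from office printers.

Added example, not from the original post. Assumes a known set of
printer IPs and flow log lines in the constructed format below:
    <timestamp> <src> <dst> <dport> <proto> <bytes>
Real firewall/flow exports differ; adapt parse_flow() accordingly.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical inventory of printer addresses (assumption for the example).
PRINTERS = {"10.1.5.201"}

# Ports a printer plausibly needs to *initiate* connections on: DNS, NTP,
# SNMP traps. Print jobs (9100, 631, 515) arrive inbound, so a printer
# opening those, or anything else, outbound is worth a look.
EXPECTED_OUTBOUND_PORTS = {53, 123, 162}

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log (not real traffic). Trailing '#' comments are stripped.
SAMPLE_LOG = """\
# ts src dst dport proto bytes
2011-11-30T09:12:01 10.1.5.23  10.1.5.201  9100 tcp 48213  # workstation -> printer: normal print job
2011-11-30T09:12:09 10.1.5.201 10.1.0.10   53   udp 88     # printer -> internal DNS: expected
2011-11-30T09:13:44 10.1.5.201 203.0.113.5 443  tcp 10240  # printer -> Internet over HTTPS: suspicious
2011-11-30T09:14:02 10.1.5.201 10.1.5.40   445  tcp 5120   # printer -> workstation SMB: suspicious
"""


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed-format log line into a Flow."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto, int(nbytes))


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    """True if the address falls inside one of the RFC 1918 ranges."""
    return any(ip in net for net in RFC1918)


def suspicious_printer_flows(lines, printers=PRINTERS):
    """Return (ts, src, dst, dport, reason) for each printer-initiated flow
    that leaves private address space or uses an unexpected port."""
    printer_ips = {ipaddress.ip_address(p) for p in printers}
    alerts = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        flow = parse_flow(line)
        if flow.src not in printer_ips:
            continue  # only traffic the printer itself initiates matters here
        reasons = []
        if not is_internal(flow.dst):
            reasons.append("destination outside RFC 1918 space")
        if flow.dport not in EXPECTED_OUTBOUND_PORTS:
            reasons.append(f"unexpected outbound port {flow.dport}")
        if reasons:
            alerts.append((flow.ts, str(flow.src), str(flow.dst),
                           flow.dport, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in suspicious_printer_flows(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample data the workstation-to-printer print job and the printer's DNS lookup pass silently, while the HTTPS connection to an outside address and the SMB connection to a workstation are each reported with the reason they tripped. The same rule set fits a SIEM or firewall policy: deny printer-initiated traffic by default, allow the handful of services it genuinely needs, and log the rest.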

In defense of college and 4-year degrees

College is a waste of time?

I disagree with Mr. Stephens’ statement that college is a waste of time. I don’t know what college he went to, or what he studied there, but I certainly didn’t spend four years at the University of Missouri copying my professors’ thoughts.


Do I believe the Enquirer story about Steve Jobs?

I don’t like gossip, and normally I wouldn’t stoop to the level of commenting on the National Enquirer’s claims that Steve Jobs has six weeks to live.

But it seems to me that a legitimate journalist’s opinion might interest someone. As someone who worked for a daily newspaper in 1996-97, I have a little bit of perspective on that.

How to use an IT recruiter to get a job

So what would you rather have: a steady, full-time job with benefits, or a year-to-year contract with minimal benefits?

Yeah, I thought so. But sometimes in IT, the first option isn’t immediately available. I’ve settled for the latter a couple of times and lived to tell about it. So I might as well tell.


Rogue IT people and how to avoid hiring them

Computerworld published a scare piece on rogue IT people.

Linuxplanet countered with a piece that was about equal parts substance and hand-waving. I found myself mostly agreeing with the Linuxplanet piece, but was disappointed it didn’t go deeper into the counter-arguments.

I’ve been on both sides of this.

The stunning fall of Mark Hurd

I didn’t believe it when the news broke late Friday that Mark Hurd, CEO of Hewlett-Packard, had suddenly resigned under fire.

Hurd wasn’t flamboyant or a quote machine like many technology CEOs. He just steadily turned HP around, increasing profits, passing Dell in sales of PCs and IBM in sales of servers, and buying companies like EDS and 3Com. He was exactly what investors liked.

In the following days, it turned out there was more to the story. Some people believe the infraction that HP cited for Hurd’s downfall was a cover, that HP wanted him out. The reasons make some sense. The one that resonates with me the most is the logic that Hurd increased profits by squeezing expenses to the bone, slashing the workforce to the minimum, then slashing salaries. Doing more with less, in other words–the mantra of IT during the entire previous decade.

The result? Record numbers of applications from HP employees at competitors. So far, no Steven Slater-style meltdowns, but demanding more and more while paying less isn’t a good long-term strategy. The Slater story brought attention to this problem and got people talking about it, and it looks like HP may have been a few days ahead of the curve on that.

Other accounts have said employees don’t like working for Hurd and that he’s unpleasant toward them. Which led to some defenders questioning when "being nice" became a job qualification for a CEO.

Well, five years ago I was consulting for a Fortune 500 company. I stepped onto an elevator, and the company CEO stepped on right after me. He extended his hand, introduced himself, and asked me my name, what department I worked in, and what I did there. It was a 30-second exchange.

He stepped off the elevator and literally never saw me again. I don’t know whether he forgot about me the moment I stepped off the elevator, or if he jotted down a note that if he needed a printer fixed he could call Dave Farquhar and filed it away. But unlike a certain very famous CEO, he gave me no reason to fear sharing an elevator ride with him.

And I do think an important qualification of being a CEO is knowing who to call when they need something done quickly and done right. Being friendly is conducive to that. Being ruthless at all times is not. Even Genghis Khan and Attila the Hun knew when to be kind.

Then there’s the question of the consultant. The consultant who had, among other duties, the questionable job duty of "keeping Mr. Hurd company on trips," but with whom Hurd didn’t have an affair (both deny any sexual element to the relationship), and whom Hurd didn’t sexually harass (HP said no harassment took place, and the two settled out of court and kept the terms private). The consultant with whom Hurd concealed $20,000 in expenses in order to hide the relationship.

To a CEO of a multibillion-dollar company, 20 grand isn’t much. Hurd could have paid that back, and he offered. The amount of money isn’t the question nearly so much as the motive. Why did he feel the need to conceal having dinner with one particular subordinate?

The sexual harassment claim gives weight to the claim of it not being a sexual affair. But the job duty of "keeping [any male in a position of power] company" is a common euphemism for something less innocent. I’ve also read speculation that some of this consultant’s past work–namely, acting roles in several R-rated films of the type that gave the cable TV channel Cinemax the nickname "Skinamax"–may have contributed to these expectations.

Some have said that’s blaming the victim. But no means no, and the definition is the same no matter what the person’s job description was for most of the 1990s.

If Mr. Hurd jumped to certain conclusions because his consultant once had a starring role in "Body of Evidence 2," that says more about him than it says about her.

If I remember one thing from my freshman orientation in college, it’s sitting in an auditorium and being told repeatedly that no means no. Regardless of how much she’s had to drink, or what she’s wearing, or what reputation she has for whatever reason.

Since the charge was harassment rather than something else, it sounds like perhaps someone thought a no on Monday might not be followed by a no on Tuesday. That’s better than thinking no means yes based on reputation, but it was still problematic enough to settle out of court rather than try to get it dismissed.

We’ll probably never know HP’s full motivation behind the dismissal. Mark Hurd left over what appears now to be a relatively minor matter of $20,000 worth of incorrect expense reports and a slightly inappropriate relationship with a subordinate, both things that would go completely unnoticed or be easily rectified if it was a different company, or, perhaps, a different person.

The key is to not leave something relatively minor lying around.

That’s David L. Farquhar, Security+ now

I got a few letters behind my name this afternoon. I passed the CompTIA Security+ exam with flying colors. And that means two things: I get to keep my job, and I was qualified to have the job in the first place, but now I have a certificate that says a third party agrees.

My personal opinion on the test: You have to approach it like any other test. Another coworker took the test at the same time I did. He was joking around with other people and talking up a storm beforehand. Meanwhile, I was pacing, counting on my fingers and not talking to anyone. I had five things I needed to remember until the clock on the test started and I could scribble them down, so I was focused solely on those five things.

My coworker said he was worried about me because I appeared to be nervous. But that’s just how I am before tests. I review a few things up until the time I’m supposed to walk in, and I take any aid the system provides. If I can carry in an index card, I do that. In the case of CompTIA tests, you can ask for a pencil and piece of paper and scribble down whatever you want on it after the test starts. So I did.

I probably would have passed without that, but I didn’t want to score a 765 on the test (passing is either 764 or 765 out of a possible 900). I wanted an 899. For what it’s worth, my score was a lot closer to 899 than 765.

My coworker and I also both believe the test is designed to frustrate you. The first 30 or so questions were pretty easy. Then my coworker missed 18 questions in a row. He knew he missed them, and there wasn’t anything he could do about it. I was pretty confident about my test, but most of my questionable questions came in bunches too. The real key is to not get bogged down in those rough stretches. It gets better.

Of the 100 questions on the test, only 85 count. The contents of the other 15 are anyone’s guess. Some are questions they’re considering adding to the test’s question pool, and based on how people answer them, they’ll decide if they’re fair or unfair. Some are just plain garbage. I had two questions, I think, that had no right answer out of the four options. I think those are control questions to thwart the companies who pay people to take the test and remember a few questions verbatim so they can build up a bank of test questions to sell. If, for example, you pay for some questions and see one asking where the password hashes are stored on a Linux system, and all four responses start with C:\, you’re going to lose confidence in that provider.

As for classes and books… CompTIA’s official class and book cover a lot of material, but there’s an awful lot of middle-management bull in the book and class that isn’t on the test. We had a manager take the test, and he knew the book forward and backward and paid attention in class, but he didn’t pass.

By the same token, every sysadmin who attended the same class and took the test has passed so far. Having lots of recent experience to draw on helps. I can harden Windows systems in my sleep because that’s been my job description for the last couple of years, and no week-long class can cover that kind of depth.

But the interesting thing is, I got very few questions about system hardening. I got a lot more questions about encryption and firewalls, where my knowledge is weaker. I don’t know if the test determines all of your questions at the start or if it uses the first few questions to figure out your weaker areas and then tries to concentrate on those, but I suspect it might be the latter.

But with Security+ out of the way, I’m thinking about other certifications. Network+ is supposed to be easy when Security+ is fresh in your mind. Given my hardware and operating systems background, A+ should be easy.