Getting that first IT job
Are you graduating in the next year and don’t yet have an IT job lined up? It’s time to begin the work of making yourself attractive to prospective employers. Our career services folks can help by alerting you to job postings that come our way, and they have a whole list of things you can do to improve your chances of getting an IT job, but times are tough. I call for drastic measures. Here’s my checklist of drastic measures for you:
1. If you don’t have a job (any job) now–then get one. Employers are more interested in hiring people who have a record of showing up to work. Ideally this will be a part time or volunteer job that can be worked around your class schedule.
2. Clean yourself up. This one was hard for me so I understand if your reaction is “no way”. Change your mind and your language. Cut your hair. IT jobs and most entry level jobs you will apply for in (1) above require a certain amount of customer contact. Buy several pairs of Dockers and shirts with collars.
3. Quit World of Warcraft. Everyone played it, but no one wants to hire a WoW junkie. If you’re already too cool for WoW, quit whatever is your current addiction. Farmville? Smoking?
4. Make your boss happy. Now you should have a part time job (any job). Make your boss happy. Never be late. Never miss a day. Always cover shifts missed by others if you can. Learn and be an expert at your job. If asked, train others. This is a no-brainer that I have seen many young people not get. Imagine what she wants in a model employee and be that. The time will come when you are ready to move on and a letter of recommendation from your current boss is like a free ticket to your next job.
5. Be an excellent student. Not only does this have the obvious benefit of giving you the best return on investment in your time in school, but your instructors are like your current bosses. We can write letters of recommendation too. If you do well in a class, ask that instructor to write you one. Most instructors have done it before and if they think they can write you a strong recommendation, they will agree to do so.
6. Visit your campus career services department. Make an appointment and keep it. Bring your resume and portfolio. Be pleasant and professional. Follow their advice too.
The Road to a Network Security Emphasis at Globe/MSB
I went into registration for the Spring Quarter with mainly Information Technology electives remaining for my last quarter minus a 1 credit career development class. I saved most of my electives for the end of my program, because I believe my final classes will be the most interesting and useful for my career path. I started realizing a couple of quarters ago that I wanted to start emphasizing in network security courses, but have been having trouble getting into these courses because of unmet pre-requisites.
Thankfully I was able to finally get some of these pre-requisites taken care of so I could take the classes I needed to take to fit my desired emphasis. I recommend that if there are elective courses that you want and you don’t meet the requirements due to a prerequisite, either plan to take care of the prerequisite if you have time, or lobby to join the course anyways. I don’t see a problem with that unless the class is unreasonably out of your range, as you are paying for the classes it should be up to you. Core requirements will be much more strict as they are built into the program and much less flexible, but Globe/MSB has always been very reasonable with me when it has come to getting the electives I need.
While choosing my classes for the Spring Quarter, I was pleasantly surprised by how many courses I found to help me meet my emphasis of network security and was grateful that I was able to get into all of these great courses at Globe/MSB, and all online! If I would have figured out exactly what my emphasis was going to be sooner and I could have even taken a greater advantage on what our college offers. This is why I put together a little guide to help students who are more in the infancy of the program and are thinking about emphasizing in network security. Here are some courses that you can shoot for to maximize your specialization of Networking and Security at Globe/MSB in the Information Technology program -
Core
NT272 – Network Administration and Security
DB311 – Database Implementation
IT305 – Systems Analysis and Design
IT315 – Information Security
Electives
DB321 – Database Server Administration
IT333 – Network Application Services
IT425 – Network Security Services
IT432 – Computer Forensics – Especially excited about this one
NT322 – Network Implementation Technologies
For a security emphasis, I think that it is a great idea to get a good base in the database as this can be the most integral part of an information system. I didn’t know anything about databases before I started here, and now I am enrolled in the fourth and final course offered here. Globe/MSB has taught me database concepts from the ground up so I can personally recommend this process. Whatever your strong areas are, it is good to figure out what your exact interest is earlier so you can start planning on your future.
Games are motivators
This quarter I have been teaching Programming I. One thing I can confirm as a result of this experience is that games are great motivators for new programming students. They certainly are more relevant to the students than calculating interest rates or tax rates. The four programming examples that piqued my students interests more than any others included:
1. an implementation of the Caesar Cipher, which is a simple substitution cipher. Our text by D.S. Malik introduces reading and writing files early (in Chapter 3). The Caesar Cipher is a good way to get students to work with files. I introduced the cipher by giving the students a program, “DecoderRing.cpp” and three text files that contained these phrases:
message1.txt: “Tgcf{”kp”vjg”pqtvj0″
message2.txt:”Vjg”gcuv”ku”tgcf{0″
message3.txt:”Yg”ujcnn”cvvcem”cv”fcyp0″
Students were asked to run the DecoderRing.cpp program on each of these files and investigate the results. The program created three new files with these words:
Plain text 1: “Ready in the north.”
Plain text 2: “The east is ready.”
Plain text 3: “We shall attack at dawn.”
I was very pleased with the reaction of the students! This exercise demonstrated many important but tedious programming concepts: reading and writing files, integer arithmatic on character data types, and I think they got a glimpse of what power they would wield if they mastered programming.
2. An implementation of the XOR hashing algorithm. Granted, this required some time on my part to implement, but it provided my students with an example of a program that implements a very important error-detecting algorithm and gets them to think at the bit-level. Since the second quarter of programming will be going into objects, I figured this was my only chance to get them to look at integers as the 32 bits (on our machines) that they are. Students then used my program as a template to write their own hashing algorithm that has some of the features of the more cryptographically secure algorithms (like the MD5 checksum algorithm has). It will be my task (hopefully enjoyable!) to grade these this weekend.
3. An implementation of a tic-tac-toe game. I introduced this only after arrays and enumerated data types, but this was much more popular than either the XOR hash or the Caesar Cipher. Next time around, I think I can introduce tic-tac-toe even earlier–during the unit on functions. You don’t really need an array to represent nine squares on a board.
4. Rock-paper-scissors (lizard-Spock). This was a hoot. I provided the source code for the game Rock-Paper-Scissors (thank you D.S. Malik and Cengage Learning for this and other excellent programs with your text). Students were directed to modify it to accomodate Lizard and Spock as player actions (see these sites:http://www.samkass.com/theories/RPSSL.html and YouTube video of the Big Bang Theory). This was just a laboratory assignment this quarter. Next time, I will make it a homework assignment, and have the students add a computer player.
In summary, whenever possible I suggest that we design our programming examples and homework assignments around things that students may find interesting. Games top the list clearly in my experience–but be careful–many games and game features (such as an artificial intelligence) are very difficult to implement in code for first year programming students. I recommend that you try writing the game yourself before you recommend that your students attempt it.
More IT means less paper
Last week while at an event hosted by Pearson Publishing, I had the good fortune of listening to Allen H. Kupetz, who spoke about his vision for less, including less paper. He describes this and other visions for less in his book, “The Future of Less”.
Also last week, I sat in on a presentation of highly-charged publishing marketers who were describing to me their approach to this solution, a kind of electronic book. In this fantasy world, essentially print books are converted from *.pdf to a format that can be viewed in any recent version of the Internet Explorer browser only—won’t work in Safari, won’t work in Firefox, won’t work on your iPod, or on your iPad, and it won’t work with the Jaws reader, for those with visual impairments. Cost will go down, but not enough to pique my interest.
I envision less paper-based books for our IT program at some time in the future. But I also envision an improvement over paper-based books. This is my call to action for book publishers, instructors, and students. I ask publishers to change their business model:
Stop selling us heavy wasteful books we don’t want and start selling us web content made for the web. Hybrid solutions that rely on converting *.pdf to e-books don’t have all the advantages of the web that we demand.
Ideally, the revenues retained by publishers will increase to cover increases in web functionality and content I will describe below. Meanwhile, the costs to the student will decrease, as they no longer pay for paper, printing, or shipping. (Sorry Lumber, Pulp, Paper, Ink, and Shipping Barons—you’re out)
Student savings are an important part of this, since we would no longer be selling them a physical book. Students take the advantages of the web for granted and are used to it being free. Therefore, I suggest we pay publishers on a per-seat basis for each student and we would work the revenue into our course fees. The money GEN would save on the logistics of distributing books would also decrease costs.
For their part, publishers would need to change their business model significantly, rewording contracts with authors as new editions are published, and easing away from paper, printing, and shipping distribution models.
My vision is less paper, less cost, but more accessible quality content. If publishers wrote content specifically for the web rather than for books, we can see the following positive changes:
1. Begin a new era of providing instructional content to students over the web, without the need for books. Students are used to web browsers and they will read the content if it is there.
2. Teach green: These websites should specifically demonstrate to students that they need not print the entire website. Some critical chapter summary information should be printable on a single page or two, since the students may be anxious about losing access to the site eventually.
3. Leverage all the advantages of the text-based web. The time of converting *.pdf files to the web are at an end. That was just publisher-denial based upon old-school production models. New content should be written specifically for the web platform, not adapted from book *.pdf.
4. Increase the value of this content by making it viewable in a wide number of browsers on a wide number of platforms, including popular impairment compensation software such as the Jaws reader (http://www.freedomscientific.com/products/fs/jaws-product-page.asp) .
5. Web 2.0 features should also be realized. Students and instructors should be able to customize their view by adding and sharing notes, highlights, and so on.
6. Incorporate media related to the book such as learning games, self-check quizzes, images, diagrams, and short movies. (try to avoid Flash though since the Mac iPad won’t play Flash)
7. Decrease the cost to the students, by eliminating the cost of paper, printing, and shipping.
8. Increase the publisher’s financial performance by paying for each student who takes a course. No more used book market. I understand that building and maintaining web content require costs. These costs should be lower than paper, printing, and shipping books, however. I believe students would welcome quality web content, with the overall costs still below what a print book costs.
9. Organized content links to help our course developers integrate publisher content into our BlackBoard course shells in an efficient way. One way to do this is to have a secure log-in for developers to select and link to content, while making it difficult for hackers to find and make use of the content without paying for it.
10. Every rule has exceptions: Granted we should still have a book purchase option for those students who really want or need a book, since progress is not worth losing customers over. The book purchased need not be exactly the same as the content we offer on the web, though, but it could be.
I call upon publishers, instructors and students to consider this the beginning of a conversation. The time is near to think no longer of books, but think to the future of less books.
I sincerely hope that marketing executives of our publishing partners read this and find this approach to be a viable model. I hope that instructors and students likewise see the value and the potential of this approach. Please join the conversation, by posting a response here. I look forward to your responses.
Thank you Allen H. Kupetz and Pearson Publishing for an excellent keynote speech last weekend.
Science and Technology Fair coming up
The Minnesota State Science and Technology Fair will be held at the Crowne Plaza Hotel in St. Paul this year March 25 - 28. I have volunteered to judge junior high school student presentations in computer programming, artificial intelligence, algorithms and databases.
I would like to encourage other IT and science faculty to likewise volunteer if your schedule allows. You don’t have to be there all four days to be a judge. In fact, I’ll just be there just Friday because the Minnesota State Poker Tournament is held the same weekend and I have been invited to that tournament. Last year, I placed seventh at this state tournament. This year, I hope to make the final table again!
If you are interested in volunteering at the Minnesota State Science and Technology fair, you may do so here:
http://www.fair.mnas.org/sfHome.asp
Is it the methods or the targets that make a hacker unethical?
I recently ran into a very interesting discussion on a LinkedIn group that I belong to called the “Legal IT Network”. The question that starts the discussion is - “Is it the methods or the targets that make a hacker unethical?” The question has risen because of a “patriotic” hacker who has recently been attacking Jihadi recruiting websites. A Question and Answer session and an email correspondence reveals more about the motives and methods of the attacks by the one who self-proclaims his name “the Jester.” He basically reveals how he has been in combat, and is very passionate about what he is doing, even though he himself struggles about it being right. He targets Jihad recruiting groups who use the internet as their primary method of recruitment. As a conservative and a patriot myself, I can definitely say that I can see where he is coming from, and if he can justify what he is doing to himself, then all the power to him. However, it seems that many information security professionals don’t feel the same way and I also understand why.
L. Brent Hutson, CEO & Security Evangelist at MicroSolved, Inc, a leading provider of security assessments and penetration testing, shared some great thoughts on the subject in the LinkedIn discussion. He argues that it’s not a methodology or the target that account for ethics, but the intent – and here’s why.
“But, make no mistake, today “hacking” as it is often used in the media is just another word for criminal behavior. Criminal behavior, by its very definition, is outside of the ethical boundaries of a society.
“Hacktivism” is unethical, not because of its goals, but because of the intent of the attacker to compromise, modify or control the underlying system components that are in use. Basically, “messing around with things that don’t belong to you” is outside of the ethical boundaries of our society. Thus, in my definition, it is the intent behind the actions that make it unethical.” (L. Brent Hutson)
I very much agree with what Brent has to say, and I do think that even though I can understand where “the Jester” is coming from, his actions still cannot be deemed as “ethical”. Even though Americans have a very different beliefs than the Jihad, that doesn’t make this type of act justified. If everyone who had the ability started openly attacking every organization they don’t agree with, the internet wouldn’t be a safe place at all. I also have a hard time accepting “The Jester’s” choice to open himself up to the public, and you can even follow him on Twitter (th3j35t3r). In doing so, he is naturally open to the skepticism of desiring fame or credit for his actions. Here you watch a video showing the XerXes tool that is used and developed by “the Jester” to spring an attack on the targeted web sites.
One tangent subject that I had thought of while writing this blog post was, even though what “The Jester” is doing may not be viewed as ethical by some, would there be a difference if the U.S government was distributing these attacks? Surely it would increase national security, but at the same time may not be in good practice. It is something to think about, and up to you to decide.
An (in)Convenient Deal Between Google and the NSA
Most people interested in Information Security have heard about the attacks last month originating from China. A posting in the original Google Blog says “at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted.” There is also a long history between Google and China that has lead up to this attack. As reaction to this attack, Google lifted the censorship on select content it was filtering for their version of the search engine in China. I am glad that Google did this, and I don’t think they should have been filtering any content for them in the first place like they have been doing since January 2006, but that one is a separate issue. What this is really all about, is how it is leading to a partnership between Google and the NSA. Google is teaming up with the NSA to investigate into this attack, and I am having a hard time accepting their decision.
Until this deal has been wide out in the open about what is really going on, I am going to just assume that there is a lot of garbage going on under the table. Neither the NSA or Google really have much to say about the deal, and Google only says it needs aid from the expertise of the NSA to help them strengthen their network security. I don’t claim to be an economist, but the unemployment rate has skyrocketed over 10%, why doesn’t Google just buy out some established network security companies? I am sure these companies would love to be bought by Google, and it will help then strengthen their network security like they want. Surely they can find the expertise they are looking for in many many security companies out there. Their decision to seek the aid of a government agency means there could be other motives to this partnership.
The problem is that right now Google is just asking for the aid of the NSA, so what is in it for the NSA? The relationship wouldn’t be mutually beneficial the way it stands. All I want is to see an invoice from the NSA to Google for the work they will be doing together and I will be happy. If Google doesn’t have to pay for their services, there might be an exchange of personal information for the services, or the U.S citizens are paying for the time and resources used by the NSA to aid Google.
I am not denying that there are benefits to this partnership, because there definitely are. I do understand that the partnership will increase the overall national security we have as a country, but I also understand that I will only cautiously be using many Google services in the future because I can’t trust that Google’s databases haven’t become NSA data mines. The only way I can convince myself that this union will be beneficial is that there is much more to the attack then what Google is telling, and that this could be just a start to a high level national security problem.
Is My Computer a Zombie?
This is a post to guide users through finding out if their machine is acting as a “zombie” to engage in malicious botnet activity without even knowing it. This only applies to Windows users as Mac and Linux users are significantly less susceptible to being infected, if even at all. A great way you can monitor this type of activity is to set up an account at www.projecthoneypot.org and they will send you reports upon your request about suspicious activity occurring on your network. Some symptoms you might notice if you are a part of a botnet are:
1. Your computer is constantly using resources when you actually aren’t using any. Your RAM might be processing information even when idle, your computer is still high in temperature even when idle, or you can hear your hard drive working when idle. Also, don’t confuse these symptoms with just a simply out of date computer.
2. Your network connection is active even though you aren’t running any applications that are accessing the internet, or browsing the internet. An easy way to look for this is to simply go to your task manager and monitor your network performance while idle.
3. You remember falling for a phishing scheme of some sort, or have browsed the internet without
Here is a systematic approach that I have come up with to detect if you are a part of a botnet:
1. Update to the latest definitions and run a full scan of your favorite spyware and virus scanners in SAFE MODE.
I use Spybot Search and Destroy and Lavasoft Ad-Aware for spyware scanners. I also use both Avast! and Threat Fire anti-virus. These are all free products because I am a poor college student, you might have better luck if you actually spent some dough.
2. Restart your computer and don’t open any other applications besides the ones set to run at start up. Go to your command line, start >> run >> “cmd”. Run the command “netstat -n” and see what network connections are being established on your computer. The results are listed in the ip.address:port# format. If you see any unrecognized IP addresses, go to http://ip-lookup.net/ and do a look up on what your computer is actually connecting to. If you are connecting to a computer in Romania or some other foreign country, chances are it is something that you aren’t using for anything productive. On the IP lookup site, you can also see a host name of the suspicious IP and it might turn out to be associated with a legitimate application you are using. The Project Honey Pot site also has a place to lookup an IP address, where it would compare it to any other suspicious activity reported by that particular IP.
3. If you followed steps 1 and 2 and have found that your computer is indeed connecting to foreign sources without your consent, then your computer is infected with some sort of malicious entity and it is quite possible that your computer is a “zombie.” If you only found maybe 1 or 2 suspicious connections, I would encourage you to dig deeper to find an answer for what the connections are doing. You can go to www.projecthoneypot.org and they have lists of suspicious IP ranges for you to compare to along with oodles of information about spam.
4. If you decide that you are infected, I don’t recommend to manually remove any of the threats as re-infection would be likely. As much of a pain it might be for you, I would back up all of your personal files on a separate hard drive and re-image your computer completely.
I hope that this method works for someone who finds out they are indeed infected because as of a very recent study, 48% of machines are infected with some form of malware and you can bet that over 80% are running Windows. RECENT ARTICLE ON INFECTIONS
DDoS Follow-up and Behavioral Prevention
This is a post that is following up on a previous article I wrote last week called “My first DDoS Experience.” I wrote the post while the company I work for was still in the middle of a relentless SYN flood attack. A Cisco ASA 5510 firewall was installed running software version 7.1(2), and didn’t do much to fight off the attack. Now I wish I had hands on experience configuring such a firewall but I don’t, and wasn’t able to be present when it was configured. The impression was that the firewall had the capabilities to stop an attack like this, but it wasn’t able to do much for us after being put into place.
After the firewall didn’t do as much as hoped, we had to manually find out what domain was being targeted by the attacker and stop hosting it from our server. We did this by making many different IP’s on the server and distribute the domains across all the IP’s, then follow which IP the traffic was being funneled to. Eventually we narrowed it down to 5 domains and made an IP for each domain, and found the culprit and removed it. That was the end of it for us, but I learned a new technique for weeding out a targeted domain name (if I ever encounter such a thing again). What I am more interested in, is preventing such attacks, and a commenter on my original blog pointed me to a great resource for such.
If you are interested in DDoS prevention and network behavioral analysis, then you must check out the material on www.intruguard.com. They offer network behavioral analysis solutions for larger companies and go into great detail on how their products operate. For smaller companies, a solution like this might be overkill if you already have an intrusion detection system in place. I do realize that could be a bold statement though, because you really can never be too safe, and I know that botnets aren’t getting smaller at the moment. I have even heard of botnet armies being reported at up to 50,000 infected machines, wowsers. I think for medium/larger sized companies a network behavioral analysis appliance would be a must as they will be targeted much more. I imagine that very large companies get hit with multiple enormous DDoS attacks daily, and I can guarantee they are using units like the ones offered by IntruGuard. I am also a huge believer in behavioral detection systems of many varieties security wise. I have been using the behavioral anti-virus Threat Fire on my personal computer to supplement my virus definition scanning anti-virus, and have had superb success with it. I think that behavioral detection of many sorts just puts you one step ahead of the attacker.
Anti-Social Networking
As a “social media intern” for the Globe Education Network - Online community for my 3rd quarter, I have gotten a chance to dive into many aspects of social media that were foreign to me in the past. I have been on Facebook for sometime, but the two new platforms that I have joined that I am most impressed with are Twitter and LinkedIn. I am a HUGE fan of LinkedIn because it is a much more professional social media platform that you only want to connect with people who you have directly done work with in the past. On the other hand, even though I have been greatly impressed with the power of connecting to mass amounts of people on Twitter, I see it being constantly abused, and sometimes I question how it is affecting the younger users on the platform. As if all of the magazines and paparazzi that invade celebrities privacy aren’t enough, now we get a chance to follow the personal lives of these celebrities in an even more creepier way on Twitter. Certainly only the celebrities who want to be followed are on there, and they feed off this attention and actually want youth to feel a personal connection to them. I am truly afraid for the youth that religiously connect and follow people they will never become in contact with, and I think it is simply unhealthy. During your youth, you are supposed to be developing your personality and social skills. I think for some people who get to engrossed into these platforms it just a set back, and why not engage in real personal contact? This isn’t the only thing that bugs me about social media, I think that full grown adults abuse these systems as well.
I am bothered by some users who think they can get away with saying whatever they please even though they would never say it to somebody’s face in the real world. This is where the I like to use the term “anti-social networking.” This term I use to describe anyone who prefers to talk about sensitive topics via social media even though they have the chance to discuss them in person. I can’t express how much this bothers me, and how unhealthy I believe it is. I think that when people engage in these “anti-social networking” tendencies enough, it can severely downgrade how they handle real life situations. To me this says, “since I can’t handle myself in difficult social situations, I can deal with it later hiding behind my computer.” Am I saying that it isn’t ok to debate over various topics on these platforms? NO! That is one of the great things I love about social media, is that there is always someone out there who is going to have an opposing view. I am saying that don’t use it as your “go to” scapegoat of emotions that should be channeled in other areas.
So what is my point in all of this? I love to social network through Facebook, Twitter, and LinkedIn, but just like anything else in life needs to be handled in moderation. If I were a parent raising a child, I wouldn’t let them join social media until I know they can handle it (whatever age that might be). Call me conservative, but I want my children to develop REAL social skills before they join the virtual world. I am also a believer in building your own social community, but don’t let your social community overshadow your real life connections. The way I see it, if real friends come and go, your virtual friends will come and go even quicker. I am awaiting some comments by people who maybe disagree with what I have to say.