Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Rumors of my death are exaggerated.

I’m procrastinating at the moment, putting off some forensic work that always depresses me when I have to do it.  So let’s see what I can do to kill some time.

Investigations depress me.  I hate to have to look through someone’s files, see what I have no business seeing, and put together the List of Files With Bad Stuff in them to hand over to someone else.

Pentests, on the other hand, are fun.  Even when the point is to rule OUT any security problems, and you’re supposed to hope you don’t find any, it’s still disappointing if you don’t find something juicy.  You’re going for the opposing team’s soccer goal, after all.

“Yep, boys, I think we’ve got us some telnet!” 
“Aw, dang, it’s supposed to be there.  Okay, keep looking ...” 
“Oh, he’s found a DoS exploit ... he’s loading it into the proxy ... he’s kicking it off ... we’renotgettinganyresponsefromtheservercoulditbeyesitisPWWWWWWWWWWWWWWNNNN!!!!!!!”  (Goal dance ensues, flinging of jerseys, etc.)

I’ve got a copy of the Pragmatic CSO, but have no time to read it.  (“We’ve alrrready got one, it’s verrry nice.”)  Am I the only one who is appalled by the graphics?  Those have been turning me off ever since they showed up on Rothman’s website.  It looks like security meets the Sims, with a little bit of the Vienna Convention on Road Signs and Signals thrown in.  I know I shouldn’t be judging the book by its cover, but jeez. 

Does anyone have experience reverse-engineering a huge, complicated legacy application?  I’ve got a heavy metal monster app to fix and don’t even know where to start.  It talks to about 50 other apps (that we know of) in probably 50 different ways.  I could make a case for scrapping it and starting over, but I can’t use the justification of “let’s trash it because we’ll never figure it out,” and besides, about 100 developers and managers would come after me with torches and pitchforks.

Is ITIL dead?  I have a feeling we’re about to find out, because if there’s one thing humongous outsourcers love today, it’s the methodology du jour.  And why shouldn’t they?  By the time we get it into my organization, it may reek and be wrapped in old newspapers.  I’ll keep you posted. 

Oh, and while I’m complaining:  I hate playing mind-reading games with an auditor.  Is he gonna like this solution?  What are the secret woids to make him NOT write up a finding?  It would probably be very helpful to our developers and sysadmins if they just had a copy of whatever checklists the auditor was going to use so that they knew in advance what they would have to supply.

Well, enough foot-dragging.  Back to work.  Do you suppose “hotchickwantsyou” is a business-related screen name?  I didn’t think so either ...

 

Posted by shrdlu on Tuesday, January 30, 2007

Comments

LonerVamp United States on 01/30  at  02:30 PM:

I’ll do the investigation for you! smile
