Friday, August 30, 2013

Career prospects: going to grad school

I've recently been involved in several discussions about whether online schools are really helping their students.  In particular, do they prepare people for the job market?  I can't comment on how this works in other fields, although many are probably similar, but here are my thoughts on IT degrees:

The Oversell

I think that many schools oversell the value of their degrees.  A degree is useful and often required, but it's not a guaranteed ticket to your dream job.  Many schools report that X% of their graduates received a raise or promotion after graduating, but these are rarely automatic.  If you're considering going back to school, the burden is on you to figure out what a degree can do for you and how it fits into your career plan.

What is your narrative?

I've run into a few people who either have no work experience or who are in entry level jobs and have completed graduate degrees in IT.  I think education is a good thing and there's nothing inherently wrong with earning a graduate degree, but you have to think about how it fits into your personal narrative.

Attending an online for-profit school

A few years ago, I decided to go back to school to finish a bachelor's degree.  The school I ultimately chose was Capella University, an online for-profit college.  Online universities, and for-profits in particular, have a poor reputation, but I decided to attend anyway.  Here's my take on for-profit universities and why I plan to return to Capella to finish a master's degree.


I live in a small town.  When I started going back to school, there were no night-time or degree completion programs that I could take advantage of.  I would have loved to go back to school full-time and attend a well-regarded university, but I support a family and can't afford to relocate and quit work in order to go to school.  I needed a degree program that I could complete while working full-time.

Monday, August 12, 2013

Threat scenarios

When analyzing security features, we often look at them in black and white terms: either they can be broken or they can't.  DES is crackable but as far as we know AES is not so we recommend AES.  This is useful when we're making general recommendations because we don't know what threats everyone is going to be concerned about so it's safer to assume that we'll always need to protect against a skilled, well-funded attacker.  In many cases, however, that assumption is not true.

At Passwords 13, Steve Thomas, a.k.a. sc00bzT, gave a presentation about building a cheap hardware security module (HSM) to store and protect passwords.  During the talk, someone mentioned on IRC that what he developed wasn't a true HSM since the hardware was not tamper resistant.  While that is a valid concern, others correctly pointed out that it may not matter depending on your threat scenario.

Since it has no physical protection, Thomas's HSM is vulnerable to hardware tampering.  It should not be used in situations where that is a valid concern.  If you're worried about foreign governments bribing your employees or about a rogue employee (e.g. at a bank) being able to sell those credentials, then you should consider laying out the cash to get a tamper-resistant HSM.  But, if you're mostly worried about outsiders using SQL injection to dump your password hashes, this solution is perfect.  It's cheap and it solves the problem.

Tuesday, July 23, 2013

Passwords 13 - Next Week

I haven't posted anything lately, but I'm heading to Passwords '13 in Las Vegas next week and hope to come back with some new thoughts and ideas worth posting about.  In the mean time, here's a picture of my dog.

Tuesday, March 26, 2013

Basics: Avoiding SQL Injection

SQL injection is a pretty big deal.  The attack is easy to carry out, the vulnerabilities are prevalent and the payoff is potentially large.  Many of the password breaches reported over the last year or two are known or thought to have been carried out via SQL injection. 

SQL injection attacks allow attackers to execute arbitrary queries or commands against a database.  Developers introduce the vulnerabilities into their code when they concatenate or substitute user input into the elements of a SQL query.  In the following Python example, the program will accept any input as the "user_id" variable (returned as a part of login_data) and tack it onto the end of a string that is subsequently executed as a sql query:  

login_data = web.input()
query_string = "SELECT * FROM USERS WHERE ID = '%s'" %

Understanding Scope in Go

As per my New Year's resolution, I've been learning to program in Go and reading  The Go Programming Language .   On page 141 of the...