Tips for IT Contracting

Contracting is not for everybody. But then, neither are jobs.

Do you find that no matter where you go, you have a knack for finding things that need to be done? Do you often find you can do them, too? In that case, you’re an immediate candidate for working as a contractor or consultant.

But that doesn’t make it easy. Getting through the initial transition can be tough, and living a lifestyle that lets you get through times of sparse work is mandatory. Fortunately, I’ve found that most of the year I’m swamped, and the majority of my colleagues agree. It’s much trickier learning which gigs you should turn down.

Computerworld has a very nice slideshow, “15 Tips for Surviving – and Thriving – as an IT Contractor”:

http://www.computerworld.com/slideshow/detail/148519/15-tips-for-surviving—-and-thriving—-as-an-IT-contractor

* * *

Gee: “Chinese hackers linked to breach of control systems used in electric grids”

Department of Don’t Take It From Me:

The ever-entertaining NakedSecurity.Sophos.com fulfilled its daily promise by making my neck prickle. So: Telvent, prominent maker of SCADA industrial control software, got penetrated, got slurped for important product information and got pwned with malware left behind.

So good. Now we can’t trust executables from Telvent until all Chinese malware is certifiably gone, and how are they going to prove that?

The criminals were identified by their fingerprints: the characteristic comments in their code, which have led to the group being called the Comment Group. And they’re part of the biggest transfer of intellectual property in human history, in which Chinese of various affiliations, including political, military and criminal, have hacked their way into, face it, ALL American companies.

What the general public hears about — stolen credit card numbers, somebody hacked LinkedIn (LNKD) — that’s the tip of the iceberg, the unclassified stuff. … I’ve been circling the iceberg in a submarine. This is the biggest vacuuming up of U.S. proprietary data that we’ve ever seen. It’s a machine.

Evidence indicates that at least 20 organizations have been harvested for data, many of whose secrets could give China a leg up on its path to becoming the world’s largest economy.

By all means proceed for further depressing details:

http://nakedsecurity.sophos.com/2012/09/27/chinese-hackers-linked-to-breach-of-control-systems-used-in-electric-grids/?utm_source=Naked+Security+-+Sophos+List&utm_medium=email&utm_campaign=b583018034-naked%252Bsecurity

A Quick Guide to PGP/GPG

One of the interesting barriers we’ve encountered during the rewrite of Hacker High School has been the trickiness of using email security. It’s pretty bad for us as professionals not to be versed in using PGP and S/MIME, even though both are painful. Here’s my response to one of the contributors asking how to choose and use a PGP/GPG product:

For all practical purposes, take your OS, add your mail client, search thoroughly and you’ll likely find your range of choices limited. On Mac/Thunderbird, it seems to be OpenPGP or Die. Notice the conflation of “Open” and “PGP”? Underneath it’s Enigmail regardless.

Then follow instructions everywhere for generating your key(s).

Then you’ll need the public key of anyone you want to send encrypted email to. Stir up thoroughly until recipient confusion eventually gets their key to you (coach them to pull down their GPG menu and check “sign this message” and “include my cert with the message”).

Once you’ve got the key of the person you want to email, you’ll need to follow the instructions found *nowhere* and *sign* that person’s key in order to be able to use it! I check the boxes “I have done casual checking” and “keep this signature locally only.” Fumble around until you achieve encryption, and voila! Elegant as scrambled eggs.
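The same dance on the command line, as an added example that is not part of the original post and not anything from Enigmail or Hacker High School: two throwaway GnuPG keyrings stand in for Alice’s and Bob’s machines, so nothing touches your real ~/.gnupg. It assumes GnuPG 2.1 or newer (for %no-protection and --quick-lsign-key), the made-up addresses alice@example.org and bob@example.org, and a constructed one-line plaintext. It shows the part the mail-client menus hide: after the key is imported, gpg in batch mode still refuses to encrypt to it until somebody certifies it, and a local, non-exportable signature (the CLI equivalent of “keep this signature locally only”) is what unlocks it.

```shell
#!/bin/sh
# Added example, not from the original post. Runs the export/import/local-sign/
# encrypt/decrypt sequence in two scratch keyrings. Needs GnuPG 2.1+.
set -eu

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"        # two pretend machines (assumption)
mkdir -m 700 "$ALICE" "$BOB"
MSG="$WORK/msg.txt"
printf 'the eagle has landed\n' > "$MSG"    # constructed sample plaintext

# g <homedir> <gpg args...>: run gpg non-interactively against one keyring.
g() { _home=$1; shift; gpg --homedir "$_home" --batch --no-tty --quiet "$@"; }

# Step 1: unattended key generation. %no-protection (no passphrase) is only so
# this script needs no pinentry; real keys should be passphrase-protected.
gen_key() {   # gen_key <homedir> <name> <email>
  g "$1" --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# fpr <homedir> <user-id>: the 40-hex-digit fingerprint of that key.
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ { print $10; exit }'; }

cleanup() {
  gpgconf --homedir "$ALICE" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$BOB"   --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}

demo() {
  gen_key "$ALICE" Alice alice@example.org || return 1
  gen_key "$BOB"   Bob   bob@example.org   || return 1

  # Step 2: Alice exports her public key (what "include my cert" attaches) and
  # Bob imports it.
  g "$ALICE" --armor --export alice@example.org > "$WORK/alice.asc" || return 1
  g "$BOB" --import "$WORK/alice.asc" || return 1

  # Step 3: importing alone is not enough. With nobody vouching for the key,
  # batch-mode gpg refuses to encrypt to it ("Unusable public key").
  if g "$BOB" --encrypt --recipient alice@example.org --output /dev/null "$MSG" 2>/dev/null; then
    echo "unexpected: gpg encrypted to an uncertified key" >&2; return 1
  fi

  # Step 4: the instruction found nowhere: Bob certifies Alice's key with a
  # local (non-exportable) signature. In real life, compare the fingerprint
  # with Alice over another channel before doing this.
  g "$BOB" --quick-lsign-key "$(fpr "$BOB" alice@example.org)" || return 1

  # Step 5: same exchange the other way so Alice can verify Bob's signature,
  # then Bob encrypts to Alice and signs as himself.
  g "$BOB" --armor --export bob@example.org > "$WORK/bob.asc" || return 1
  g "$ALICE" --import "$WORK/bob.asc" || return 1
  g "$ALICE" --quick-lsign-key "$(fpr "$ALICE" bob@example.org)" || return 1
  g "$BOB" --encrypt --sign --recipient alice@example.org --local-user bob@example.org \
      --output "$WORK/msg.gpg" "$MSG" || return 1

  # Step 6: Alice decrypts; --status-fd 1 gives a machine-readable GOODSIG line.
  g "$ALICE" --status-fd 1 --output "$WORK/out.txt" --decrypt "$WORK/msg.gpg" \
      | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  cmp -s "$MSG" "$WORK/out.txt" || return 1
  cat "$WORK/out.txt"
}

trap cleanup EXIT
if command -v gpg >/dev/null 2>&1; then
  if demo; then DEMO_STATUS=pass; else DEMO_STATUS=fail; fi
else
  DEMO_STATUS=skipped; echo "gpg not found; install GnuPG to run this" >&2
fi
echo "result: $DEMO_STATUS"
```

Save it as pgp-roundtrip.sh and run it with sh; it prints the decrypted line and “result: pass”. The refusal in step 3 is the command-line face of the “fumble around” stage: the key is there, but nothing in the keyring says it belongs to the person named on it until you sign it (or, less carefully, set ownertrust or --trust-model always).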

A Sweet Example of Using the OSSTMM

It’s a bit of a tangled web, but let me try to comb it out:

ISECOM is the parent organization for a whole cluster of projects, including the Monster that Ate My Summer, Hacker High School. One of their premier products is the Open Source Security Testing Methodology Manual (OSSTMM), a handbook for testing network and organizational security that brings an entirely different mindset to the practice of information security.

I’ve been reading and re-reading the OSSTMM and gradually coming to understand how to use it, so it’s been particularly useful to see an example. Pablo Endres, an HHS contributor, recently released a short, concise and very clear paper on a common security practice: putting a “reverse proxy” server between your web server farm and the Internet. This practice is so commonly accepted that I’ve never even seen a testing scenario that validates it. But Pablo put it to the test of the OSSTMM, and found that the answer to the question, “Is it effective?”, is “It depends.” Check out his blog here, where you can also download the PDF of Pablo’s paper.

The application of the OSSTMM is really simple and elegant. And it’s required reading for my security students now.

Amazing Mind-Reading Tricks Revealed

Working with the Hacker High School team has been a tremendous learning experience, because I’m honored to be Project Manager to a brilliant group of hackers, security consultants and the next generation of wildly talented young people.

Among them is Peter Houppermans, a long-time Swiss banking security expert and consultant to multiple royal families. He’s got an operation called the Privacy and Confidentiality Group (http://pncg.ch) that provides extremely high-end privacy services (and those of you in the security field know confidentiality is different from privacy). He’s been a gold mine of information like this:

http://www.youtube.com/watch?v=F7pYHN9iC9I

“It was funded by the national organization of Belgian banks, and it is ab-so-lu-te-ly awesome,” as Peter puts it.

Ten Thousand Cameras per Server

Many of us who are or have been sci-fi buffs have a deep inward cringe at things like the robot Cheetah that can outrun Usain Bolt:

http://www.wired.com/dangerroom/2012/09/darpa-robot-usain-bolt/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Top+Stories%29

Now the ever-watchful Herbbie makes me uncomfortable with news of Cisco’s grand new surveillance plan: a virtualized system in which each server can manage up to 10,000 cameras. Which makes me wonder: how many cameras are they getting ready to deploy? How can they be used or misused by their owner, and, even more, how could they be used or misused by anyone smart enough to hack into the system? Because there will be those, for dead certain.

Unfortunately, when I ponder this the word that comes to mind is Skynet.

http://www.echannelline.com/usa/story.cfm?item=27967

Joomla 1.5 to 2.5 Upgrade Complete!

Thanks to all of you who have endured a couple of weeks without the elixir of my constant posts. I know it’s hard to live without your usual dose of irascible white male geek, but I paused in my postings to make the painful, painful upgrade (not migration, oh no that would be too easy) from Joomla! (the exclamation point is unfortunately part of the name) 1.5.x to 2.5.x.

Was I a negligent fool to wait so long, for so many versions? Actually, Joomla (damn the bang) went slowly, slowly through the 1.5 versions, then jetted through 1.6 to 1.7. Then it leapfrogged itself to the 2.x series, which rapidly moved to maturity under the 2.5 moniker. So I let the madness run its course, the dust settle, and finally tried the migration using Jupgrade.

Ha. Fat chance.

Which meant doing a manual upgrade with the aid of a very nice commercial tool that was oh, so very worth the $35, from SP CYEND, called JUpgrade. This is such a prime example of small-business software development! I am an obsessive shopper and researcher (bet you haven’t noticed), and it took some serious convincing to get me to buy this component. But it is fantastic, and I’d recommend it to anybody. My stinkin’ time is worth far more than the cost of JUpgrade. Thanks, SP CYEND!