IPv4 Final Countdown Begins

The number of U.S. IPv4 addresses is critically low. This means that you may no longer be able to get new IPv4 addresses. Jason Verge at Data Center Knowledge cites reports from the American Registry for Internet Numbers (ARIN). The keeper of U.S. IPv4 addresses is down to its final /8 (around 16 million addresses) and has moved into the final phase of its IPv4 countdown plan.

DCK explains that in Phase Four, ARIN will process all IPv4 requests on a “first-in-first-out” basis. Every request will undergo team review. Requests for a /15 or larger will require department director approval, which may mean a longer turnaround.

Strategies delayed the IPocalypse

Those in the know recognized that IPv4 had issues in the early 1990s. However, new strategies delayed the IPocalypse. Owen DeLong, ARIN advisory council member and director at Hurricane Electric, explained: “Network Address Translation (NAT) was developed, and Classless Inter-Domain Routing (CIDR) and some other technologies that allowed us to conserve addresses.”

While those changes slowed address consumption down, DCK reports they did not stop the need for IPv4 addresses. Mr. DeLong explains that every Regional Internet Registry (RIR) has developed an “austerity policy.” Europe is more than one year into its austerity plan (rb- which I noted here). For Asia Pacific it has been more than two years. The Latin America and Caribbean Network Information Centre (LACNIC) is close to triggering its plan.

IPv4 address brokers and auction houses

In response to the shortage (and profit), a new industry of IPv4 address brokers and auction houses has arisen. Many of the IPv4 addresses have been assigned, though not necessarily used. The IPv4 marketplaces list the number of IPv4 resources that are still available. The blog says a company called Hilco Streambank launched an auction marketplace that provides liquidity for IPv4 address sellers and connects them with buyers.

Broker IPv4 Market Group believes potential legal issues in this highly regulated space make such auctions infeasible. The article says an auction winner may end up not getting approval to receive the addresses they have won, which would leave both buyer and seller in limbo. Some bidders are illegitimate, and no contract terms are established other than pricing.

Hence, brokers are stepping in to lend end-to-end IPv4 address transaction expertise. They help with marketing, sales, the transfer process, and the financial aspects. IPv4 Market Group also provides legal and technical advice. (rb- I noted the rise of IP brokering here)

Prices of IPv4 addresses will skyrocket

Mr. Verge says auctions and brokerages are band-aids. The space will run out, potentially causing the prices of IPv4 addresses to skyrocket and making a fast-track transition to IPv6 ever more urgent.

Mr. DeLong is not a fan of either brokerages or auction houses. He told DCK, “I’m old-school in this regard … I feel that the whole idea of treating address resources as a resale commodity is distasteful at best. These are community resources that [were] handed out without charge on the basis of actual need for the addresses. It’s pretty clear to anyone who was around in the early days that if you had addresses you no longer needed, you were expected to return them to the community for use elsewhere. I regard these monetized transfers as being more of a necessary evil to bridge a (hopefully) short-term gap and not a desirable state of affairs.”

Hilco Streambank CEO Gabe Fried responded to DCK’s concerns. “Our policy is that if a buyer cannot close a transaction for any reason, we move on with the next highest bidder and prohibit that bidder from further participation … We’ve successfully completed numerous transactions that were initiated on our auction platform to the satisfaction of both buyer and seller. Additionally, the auction platform is designed only to automate the bid/ask portion of the transaction, and not to provide all of the post-closing transaction support. We still do that by hand, as we do with our traditional brokerage services.”

The ISOC provides some perspective on the urgency of getting your network off of IPv4. They calculate that one /8 of IPv4 address space is equivalent to about 65,000 /24s, and ARIN has delegated an average of 92,000 /24s per year for the past three years. When you factor in that some of ARIN’s last IPv4 space is reserved (a /16 for critical infrastructure and a /10 to aid IPv6 deployment), the math indicates that ARIN could hand out its last free IPv4 addresses by the end of 2014 … if not sooner.
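
The ISOC arithmetic above, carried through in Python as an added example (not code from the post, DCK or ISOC). It assumes the reservations are exactly one /16 and one /10 carved out of the /8, that the quoted 92,000 /24s-per-year rate holds, and it uses the exact 65,536 /24s in a /8 rather than the rounded 65,000:

```python
# Added example: reproduces the ISOC run-out estimate for ARIN's final /8
# using the figures quoted in the post. Assumptions: one /8 pool, a /16 and
# a /10 reserved out of it, and a constant delegation rate of 92,000 /24s/year.


def blocks_in(prefix_len: int, block_len: int) -> int:
    """Number of /block_len blocks contained in one /prefix_len prefix.

    A /8 holds 2**(24 - 8) = 65,536 /24s (ISOC rounds this to "about 65,000").
    """
    if not (0 <= prefix_len <= block_len <= 32):
        raise ValueError("need 0 <= prefix_len <= block_len <= 32")
    return 1 << (block_len - prefix_len)


def free_slash24s(pool_prefix_len: int = 8, reserved_prefix_lens=(16, 10)) -> int:
    """/24s left for ordinary requests once the reserved prefixes are set aside.

    The post cites a /16 held for critical infrastructure and a /10 to aid
    IPv6 deployment, both taken from ARIN's last /8.
    """
    total = blocks_in(pool_prefix_len, 24)
    reserved = sum(blocks_in(p, 24) for p in reserved_prefix_lens)
    if reserved > total:
        raise ValueError("reservations exceed the pool")
    return total - reserved


def years_to_exhaustion(free_24s: int, rate_24s_per_year: float) -> float:
    """Time until the free pool is gone at a constant delegation rate."""
    if rate_24s_per_year <= 0:
        raise ValueError("rate must be positive")
    return free_24s / rate_24s_per_year


def arin_runout_estimate(rate_24s_per_year: float = 92_000) -> dict:
    """Bundle the figures the ISOC paragraph walks through."""
    free = free_slash24s()
    years = years_to_exhaustion(free, rate_24s_per_year)
    return {
        "slash24s_per_slash8": blocks_in(8, 24),                     # 65,536
        "reserved_slash24s": blocks_in(16, 24) + blocks_in(10, 24),  # 256 + 16,384
        "free_slash24s": free,                                       # 48,896
        "years_at_quoted_rate": years,                               # about 0.53
        "months_at_quoted_rate": years * 12,                         # about 6.4
    }


if __name__ == "__main__":
    for key, value in arin_runout_estimate().items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value:,}")
```

At the quoted rate the reservations leave roughly half a year of ordinary allocations, which is why "by the end of 2014 … if not sooner" follows from the numbers in the paragraph.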

rb-

I have covered the IPocalypse since 2009, and it seems to finally be becoming a reality. IPv6 has been a non-issue for many of the engineers I have spoken with; .edu is flush with IPv4, but the rest of the world is not.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Security From the Heart

We have all heard the horror stories of password management. Users choose the same weak passwords everywhere and trade them for chocolate bars. They keep track of them on Post-it notes. Firms are negligent in managing weak passwords. Help Net Security wrote about the latest innovation in passwords from Canadian security start-up Bionym.

Bionym created Nymi, a bracelet/wristband containing an ECG (electrocardiogram) sensor that “reads” the unique heartbeat pattern of the wearer. The bracelet will use the ECG to authenticate the wearer to electronic devices: cars, computers, smartphones, TVs, etc.

“It was actually observed over 40 years ago that ECGs had unique characteristics,” Bionym CEO Karl Martin pointed out to Tech Hive. “What we do is ultimately look for the unique features in the shape of the wave that will also be permanent over time. The big breakthrough was a set of signal-processing and machine-learning algorithms that find those features reliably and turn them into a biometric template.”

“When you clasp the Nymi around your wrist it powers on. By placing a finger on the topside sensor while your wrist is in contact with the bottom sensor, you complete an electrical circuit. After you feel a vibration and see the LEDs illuminate, your Nymi knows you are you and your devices will too. You will stay authenticated until your Nymi is taken off,” it’s explained on the firm’s website.

3-factor security

The Nymi functions on a 3-factor security system. To take control of your identity you must have your Nymi, your unique heartbeat, and an Authorized Authentication Device (AAD). The AAD could be a smartphone or other device registered with Bionym’s app.

No details about the bracelet’s security have been shared on the site. Ars Technica’s Dan Goodin has pumped Martin for information and, so far, the news is good. Elliptic curve cryptography is used to ensure that data traveling between the bracelet and the device is not monitored or intercepted by attackers. ECC also protects the handshake performed between the bracelet and the devices being unlocked.

The Nymi also has motion sensing and proximity detection that “allows users to perform remote, gesture-specific commands, creating a dynamic and interactive environment,” it is explained. “A simple twist of the wrist can unlock your car door.”

When it arrives, Nymi will offer three-factor authentication: the wristband itself, your unique cardiac rhythm, and a mobile device, like a smartphone or tablet. The Nymi hardware acts as a secure token that ties into the biometric. The wristband will need to check in with your smartphone or tablet at the beginning of the day.

rb-

The thing that excites me most about Nymi is its potential to get rid of passwords. I think the password has a limited shelf life. Once wearable computing takes off and payment processing is integrated with biometrics on wearable devices, there will be no need for passwords.

Bionym’s Martin stated, “[Killing the password] is one of our goals,” noting that the Nymi will be compatible with the FIDO Alliance.

FIDO, which stands for Fast IDentity Online, was created by PayPal and Lenovo (LNVGY) and now counts Google (GOOG) and Microsoft (MSFT) among its members. The alliance has set out to create the next-generation standard for identity verification. 

 


Social Engineering Terms

Social engineering means manipulating a person to get access without authorization. Practically speaking, it’s a blanket term for non-technical hacking. FierceITSecurity gives the classic example: a hacker calls the target and pretends to be “from the IT department,” getting the target to divulge a password or other sensitive corporate information.

Derek C. Slater at FierceITSecurity discusses a short list of social engineering terms with Chris Hadnagy, author of the book “Unmasking the Social Engineer: The Human Element of Security.” The author explained that some of the terms below aren’t social engineering per se, but they are related to the same goal: gaining unauthorized access to information, systems, and facilities through deception and other non-technical means.

In his Social Engineering course, Mr. Hadnagy tells participants that one goal is that every target “will be glad to see them” because the social engineering methods covered seem friendly, not antagonistic. “It’s amazing how much information people will give you if you’re just nice to them,” he says. “Con men don’t look malicious–they’re the guys with the biggest smiles.”

Social Engineering terms

Confidence trick: The ‘con’ in “con man” refers to gaining the confidence of the target before attempting to exploit him. Examples: the movie The Grifters with John Cusack, and every Ponzi scheme from Charles Ponzi himself through Bernie Madoff and whoever’s doing it now. And somebody is doing it now, warns the article.

Amygdala hijacking: Your amygdala is the part of your brain that manages decision-making and emotional responses. “Amygdala hijacking” in the social engineering context means putting the target emotionally off-balance by causing stress, or contacting the person during an unusually stressful time, according to Hadnagy. That means the target is less rational and more vulnerable to exploitation.

Example: Friday at 4:30 pm, or the day before holiday vacation starts, many employees–not you or me, obviously–are anxious to get out of the office. That’s a perfect time for a pretexting call (see below) or a hacker-simulated crisis, putting the target further off-balance and making them more likely to do whatever is expedient–giving information over the phone or via email to make the “crisis” go away.

Elicitation: means getting information without asking for it directly.

Influencing:  Mr. Hadnagy says influencing means provoking a desired response from the target “while getting them to think it’s their idea.”

Manipulation: involves getting the target to perform the desired action, regardless of whose idea they think it is. Unlike influence, manipulation could involve a direct or implied threat, for example.

Pretexting: By Mr. Hadnagy’s definition, pretexting is equal to method acting. The social engineer doesn’t just say “I’m Bob”–he becomes Bob.

Example: Contracted to test one company’s defenses, Hadnagy gained access to various facilities by posing as Paul the Pest Inspector. “I had the uniform with the name patch, I had Paul’s business cards, and for a day before the event, my team was calling me ‘Paul’,” he says.

Phishing: the use of email as a conduit for social engineering attacks.

Example: Know those emails that start “I’m Prince Phillip and I need help transferring my royal fortune to an American bank”–the venerable so-called 419 or Nigerian scam? People still fall for those. It’s a phishing attack and an example of a confidence scam.

Spear-phishing: Spear-phishing is a more targeted form of phishing. Instead of blasting that “I’m a Prince” email to everyone with an email address, a spear-phishing attack is personalized to reach a small group or individual.

Example: A hacker identifies a target, Fred, and finds personal details, professional connections, and current project information via Fred’s LinkedIn profile. He then sends the target an email that is correctly addressed to Fred, appears to come from a real colleague, and references specific project details. Fred is much more likely to click on malicious links or open attachments in this email than he is likely to respond to Prince Phillip spam.

These next four terms don’t involve deception. However, they’re all important non-technical information attacks and can work in concert with social engineering efforts.

Harvesting – is using publicly available sources–particularly on social media, these days–to gather information about a target for later use in social engineering.

Dumpster diving – means what it sounds like: rooting through the trash to find discarded papers or items with valuable information. This is less glamorous than social engineering, but it’s also a useful form of harvesting and doesn’t need human interaction. (rb- I have covered the dangers of dumpster diving on Bach Seat since 2010.)

Shoulder surfing – means reading sensitive information on-screen and over the shoulder of a legitimate user.

Tailgating – is the ancient practice of going through a physical access point on the heels of someone who has an access card, key, or entry code. Catching the door before it shuts behind them, as it were.

rb-

Whether it is your home or corporate email account, social engineering is dangerous. Being educated about the risks of social engineering is critical. The next time someone reaches out via email or the phone, take a second and ask a few questions before you give away your digital identity, unless of course they also have a candy bar.


No More POTS!

A.G. Bell‘s question to Watson over a century ago may be relevant again. Tom Nolle at No Jitter explains how that can happen if the FCC expedites the transition to VoIP. Mr. Nolle, the founder of CIMI Corporation, does not think that the basic quality of voice service is at risk. He does believe there are some truly profound consequences to a decision to abandon TDM voice. Since he believes it will happen, it’s smart to think about the end of POTS as it relates to both opportunities and risks.

Telecommunications has long been more than analog voice and copper loops. The author points out that regulations have stayed in the “TDM” Dark Ages. Operators like AT&T (T) have demanded that the FCC modernize things. To deal with these issues, the FCC bundled its transitions (TDM-to-VoIP, fixed-to-mobile, copper-to-fiber) into a single Technology Transition Policy Task Force. The recommendations from that activity will hopefully launch experiments in promoting change while controlling the risk of unfavorable impacts. The recommendations of the TTPTF (quite the acronym!) are posted online (PDF), and he says they are a clarion call for change. So instead of talking about the process, let’s look at the impact.

Who still uses TDM

Mr. Nolle, the CIMI principal consultant, estimates that 40% of US households still have TDM voice. Businesses have a higher TDM commitment. The article says that nearly 70% of business voice is still TDM. Suppose we saw TDM voice go away completely; what would happen?

First, little besides voice requires TDM services and trunks, which he says means we would see all access lines and trunks transition to packet, almost certainly to Ethernet. The author says this could increase the number of Ethernet business connections by about 28%. It would also likely increase the access bandwidth commitments by branch offices and SMBs (using DSL, fiber, cable, etc.) by over 50%. Metro and access vendors would benefit from this almost immediately because it’s likely that operators would start to promote Ethernet access and IP voice more strongly as soon as the “experiments” showed signs of success.

Operators already like the notion of an “access-first” strategy where they supply a fat pipe to a customer and then build ad hoc services over it. Ethernet or packet access encourages that, so giving that to everyone would drive operators quickly to look for rapid service deployment tools so that they don’t lose all the new access-generated opportunities to the over-the-top players (OTTs). The author believes that operator interest in software defined networks (SDN) and network functions virtualization (NFV) is linked to this very thing. After all, it’s silly to talk about “improved service velocity” if you have to restring an access connection to upgrade service.

Impact on Internet policy

The second impact Mr. Nolle sees is on Internet policy. This voice transition raises the question of the difference between “packet” or “IP” and “the Internet.” You can do VoIP over any IP network, including private networking; in fact, a lot of IP voice is done that way today. Operators could in theory augment their services to customers by building IP services that bypass the Internet, but that would pose issues in linking the services to current devices in the home or in businesses. OTTs would surely want to get involved in any new service opportunity, and all that raises the triple-threat question of QoS, settlement, and Net Neutrality.

There’s no barrier to QoS in “private” IP networks, but on the Internet, the Net Neutrality order last year said that you could offer QoS only if the subscriber pays for it. Most practical Internet QoS opportunities arise because an OTT like Netflix (NFLX) could gain by offering QoS to customers. They’d pay the ISPs and either embed the cost or perhaps eat it to improve their differentiation. But the FCC said “No!” Now the new FCC Chairman, Tom Wheeler, says “Perhaps”–at least he did in a speech to a university audience. If that were to become policy, it would likely drive QoS for Internet services, and that would drive settlement among ISPs and content players.

Settlement has been a big issue for the Internet since the 1990s. Customers pay their own ISP, so if there’s no money flow from that ISP to others, QoS stops where the ISP hands off the traffic. That’s inhibited the value of the Internet for applications that need QoS, but it perhaps encouraged smaller players and startups who couldn’t pay like Google (GOOG) or Netflix could. Whether this small-player benefit is more for VCs who then have to raise less funding to get an OTT off the ground is an interesting question–but in any event, adding settlement and QoS to the Internet would almost certainly increase operator interest in providing service quality for a fee, which in turn would increase network investment, helping equipment vendors and carriers alike… In short, it would change the industry.

Mr. Nolle concludes that VoIP could be a back door to making the Internet a real network and not a service on top of carrier IP infrastructure. That could remake our experiences online, and the vendors’ fortunes in the marketplace. So watch the progress of this initiative; it could have huge impacts.

rb-

ATT has already made its move to get rid of POTS lines in Michigan. ATT has bribed gotten politicians in Lansing to introduce Senate Bill 636. Michigan SB 636 would amend the Michigan Telecommunications Act (PDF) to let ATT and their fellow travelers eliminate POTS lines in Michigan.

Melissa Seifert, associate state director for government affairs for AARP Michigan, says eliminating POTS lines in the Great Lakes State would impact many people. It would affect small-business owners who use fax machines and credit card verification systems, she said, as well as emergency services in parts of the state where cell phone access is unreliable. According to the Michigan Public Service Commission, roughly 3 million Michiganders subscribe to landline service. About 90 percent of households of people ages 65 and older still use landlines as “lifelines.”


Non-Compete Clauses Hurt Worker Productivity

Jeff John Roberts at GigaOM writes about research published in Harvard Business Review that says non-compete clauses, which limit workers’ ability to move from one firm to another, may do more harm than good. The research suggests that workers are less motivated and perform worse when subjected to terms that limit their job mobility.

The study paid online participants to search matrices for numbers that add up to ten. The article explains that in a sub-group of people subjected to a mock non-compete clause, 61 percent decided to drop out and forgo the money, compared to 41 percent in a control group. The non-compete group also performed much worse at the task, making mistakes at twice the rate of the others. According to the authors of the study:

We believe that limits on future employment not only dim workers’ external prospects but also decrease their perceived ownership of their jobs, sapping their desire to exert themselves and develop their skills. The resulting drop in performance may be more damaging to companies than the actual loss of the employees would be.

Mr. Roberts concludes that the findings could carry big implications for the American workforce, where more than half of engineers and 70 percent of executives are reportedly subject to non-compete clauses.

The study authors also say that existing research shows higher levels of innovation and productivity in regions that outlaw limits on worker mobility.

Silicon Valley and California stand out in this area. Courts there have explicitly banned non-compete clauses on public policy grounds, a situation that makes it easy for companies to poach each others’ employees.

rb-

I’m not a lawyer, so get your own legal counsel, but I can Google, and it seems that enforcing or challenging the enforceability of a non-compete agreement under Michigan law invariably boils down to four issues:

  1. Do the non-compete clauses protect a legitimate business interest?
  2. Is the duration reasonable?
  3. Is the geographical restriction reasonable?
  4. Is the type of employment or line of work restriction reasonable?