EH-Net
  Show Posts
16  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: the ten laws of geek on: August 07, 2006, 10:13:21 PM
Spock was good, but remember Kirk got them out of many jams by his unconventional thinking and actions. Spock is not very "out of the box"...he's too much by the book.

Spock would also not take to the term hacker very well; his eyebrow would go so high up regarding that term he'd injure it. Be careful...
17  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Hello on: August 07, 2006, 10:09:17 PM
I hope you've spent or plan to spend some time managing servers, applications, networks, and users first. A practical foundation is critical.
18  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: the ten laws of geek on: August 02, 2006, 01:57:18 PM
I haven't seen "Hackers," but it's on my list.

Regarding stealing music:
For some reason, some people feel it's okay to steal from the rich or people they dislike, but those same people would get livid if you stole from them or did like things to members of their family. I don't get it.

If there's no difference between downloading/listening to a song and playing it on your own guitar, my advice would be to record yourself playing it on your guitar and singing it and listen to that. Then you can avoid the issue altogether. If you don't want to do that, then you obviously DO understand the difference between the two.
19  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Don’t trust automated tools too much! on: August 02, 2006, 01:49:53 PM
I agree with you if your goal is to lock down every attack vector and you have limitless funds and resources. Most companies that I have worked for have had little of both, so you have to balance, I think, the risk/probability with the cost/effort. I would love to do what you suggest to the nth degree.

However, if most companies would at least run auto tools regularly and fix what they find (or knowingly accept the risk in some areas), we'd be better off. I wish more companies would do at least that.

I think if you can at least lock down the basics, you can successfully get the skiddie and others slightly above her to move on to an easier target. Automated tools help you get there, but as you said, they can't do it all.

Let me clarify: I'm speaking in terms of what I feel a security professional's goal is: maximize profits. That of course means you weigh cost/effort against the risk and only put in/recommend the security that is "needed" and cost beneficial for the company. The problem is in accurately determining (sometimes called guessing) what the probability a threat has--and that's different depending on the company and the industry.

It's not an exact science. I have seen simple vulnerabilities go untouched for years. Some things are just not found. They all give me pause, but I can't expect each industry to lock down like it's a financial institution. But at the same time, I can't expect companies to lock down things that won't lead to much of a loss, even if it is exploited; sometimes the cost is just too high and it's cheaper to clean up IF IT HAPPENS.

I know many of you will disagree, but that's what forums are all about: sharing perspectives and being stretched out of your comfort zone--and pondering what others advocate.

Kev, I enjoy your perspective. Keep it up. And congrats on your prize!
20  Resources / Tutorials / Re: VMware Player Hack on: August 02, 2006, 01:34:48 PM
I never saw sluggish even before I went from 512 MB to 1 GB RAM.
21  EH-Net / Calendar Of Events / Re: Information Security Decisions on: August 02, 2006, 01:32:26 PM
I'll be there. If there's a group, let's plan to hook up at a certain place and time. Post here if you'll be there (or Don, perhaps you want to modify my post and open another topic?)

It was good last year. Not as heavy as a SANS course or anything, but a lot of good perspectives. They did have a guy last year who was all geek but couldn't speak. Every other word was "uh" and boy he seemed nervous. I'm sure it's a tough crowd...I've spoken before to 800 people at once and I remember how that went....so I have some sympathy.

But overall, the topics, rooms, and food were good, and hey, that's where I met DON!
22  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Forget The MCSE, IT Architect Certification Might Be The Next Big Thing on: August 02, 2006, 01:28:14 PM
Hard to imagine this will last. Even SANS simplified their requirements. And MS changes their certs too much in my opinion.
23  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: LOA Samples on: August 02, 2006, 01:26:33 PM
Yes, let's have it. I'm sure we'll have some good feedback for you...
24  Features / Opinions / Re: The Future of Hacking on: July 31, 2006, 07:11:17 PM
Quote
Buffer overflows will become a thing of the past.

I think this is going to take a while. In 1999, one of the 10 largest banks was still settling federal reserve bank funds (overnight funds) with DOS 3.0. I know as I replaced that system.

Look how many Win95 boxes are still around, along with Win98. I know many businesses still running NT 4.0 in their DMZ (we don't need no stinkin' patches!)

And on the list goes.

Also, as long as there are users, I think there will be middle ground, as there will be middle users. Buffer overflows and other things like that will only stop when they are impossible to create...

Bruce Schneier says that security needs to be easier to use and built in before it really catches on (a very loose paraphrase); he doesn't think there's much of a future in security awareness training. I just don't think that we will be able to make security easy enough for the average user, at least not in my lifetime...technology changes too fast for us to bring it down to the naive user level....

How many people do you know that still don't use computers? Too many!
25  Features / Opinions / Re: What is the worst vulnerability out there? on: July 31, 2006, 07:04:13 PM
I agree, it's people. They're the only ones who can plug the holes and practice safe computing. Sure you can mandate and push updates and quarantine people off the network if they're not up-to-date, etc., but in the end, it's the uninformed/naive user that's the biggest threat, along with the trusted but untrustworthy insider.

IE is bad, too, along with other browsers, but again, users point and click the mouse...

KEV,
Thanks for spacing out your posts. Appreciated.
26  Features / Opinions / Re: The Future of Hacking on: July 29, 2006, 04:27:28 PM
Kev,
Interesting stuff. Could you please put a return between your paragraphs to help with readability? Thx.
27  Resources / News from the Outside World / Re: Microsoft Acquires Winternals / Sysinternals on: July 18, 2006, 04:15:59 PM
My first thought was GREAT, first Foundstone, now Sysinternals. Soon to be NOinternals. Then Nessus was closed.

But then Foundstone is still kicking and still free.

It's got to be tough to stay small and free. Can't say I blame them, but it gives pause for thought.
28  EH-Net / News Items and General Discussion About EH-Net / Re: Post #1000! on: July 05, 2006, 02:17:18 PM
I thought this was YOUR 1000th post. Hey, that's not far away either.

Great work, Don. I hope to drop by more often.
29  EH-Net / News Items and General Discussion About EH-Net / Re: Pen-Testing Reporting on: May 17, 2006, 09:23:09 PM
Here's the info that I find useful:

Risk: H/M/L
Severity: H/M/L
Probability: H/M/L
Remediation effort: H/M/L
Issue: (describe the problem: vulnerability, Host/IP, how it can be exploited)
Affected: (identify the affected devices: PIX firewall, PrintServer1, etc.)
Business impact: (like loss of operation services, theft of bandwidth, etc.)
Remediation: (how to fix it)

Of course you want an overall summary and a description of the methods used and the IPs/DIDs/etc. that were tested.
30  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Is a laptop necessary? on: April 26, 2006, 08:24:42 AM
Quote
Yeah, the thinkpads are built like tanks.

I didn't realize this until I dropped my T30 on a tiled floor. It hit on one of the front corners (it wasn't turned on) and the latch on one side that holds the lid shut popped completely out of the casing and the spring attached to it was hanging out.

I took it to my tech guys and they put it back together in minutes with no issues. That was a year ago.

The only problem I had was a key that broke off while closed, in my briefcase. I think one of my kids got to it. Since it was under warranty, they ordered me a new keyboard.

I still miss my big fat Dell that had a DVD bay and a floppy bay. I still miss my floppies. I have two thumbdrives, but my flops are hard to give up. Don't know why. Oh, the other reason I miss the Dell was because you only needed one hand to open the lid (only one latch). I hate the two latches on my IBM.
© 2013 The Ethical Hacker Network