"Criminal: A person with predatory instincts who has not sufficient capital to form a corporation." - Howard Scott
***
Someone: *** related a story about why you can't kayak near the merlion
a bunch of trainers organised a trip to marina bay
they were playing at the merlion spout
then this security guard comes over and tells them to "go away! go away! merlion only for tourists!"
Me: wonderful
2nd class citizens
Someone else: i HATE how guys turn so much colder when they find out im attached
maybe i should purport to be single just to make use of them
maybe it is a type of feminism too
Me: yeah you've said that before
how do you want to make use of them
Someone else: for whatever lah
carry my bags
give me tips
things that men do just to get pussy
Me: ...
dont you feel that is exploiting them
and that you are equally reprehensible
Someone else: they do that for me anyway, BEFORE they find out im attached
all im doing is taking my time to let them know i am
Me: ...
Someone else: it's like going for free drinks on ladies night lah
lol
Someone: from an old post: "I talked to someone who'd studied in Japan for 9 months, and he said when you first meet Jap girls they talk in a high voice, but later when you know them better and you're at the bar they will talk in their natural voice." this is so true!
actually, it's high and sort of breathless
someone i know does this.. totally irritates me
esp when she suddenly switches to her natural voice
Someone else: studying in an all-girls' school taught me a few things
1) when girls talk among themselves they talk dirtier than guys do
2) some girls are not shy about teaching one another how to use tampons
Me: was it CHIJ
if so it's a biased sample
Someone else: no no no
no i came from ***
i believe such observations can be made in any girls' school lah
Someone: wah i din noe u r into law as well
Me: I'm a man of many talents and interests
Someone else on sending me a file on YouSendIt: i'm gg to encrypt it with a password
Me: ... why're you so paranoid
at the most they will delete it tomorrow
Someone else: sorry i'm in the bizness
heh
Me: this is called paranoia
since you're in the business are you scared of DNS poisoning
I can destroy your modem for you
do you check keyboards for hardware keyloggers
do you know that people can detect your password by the sound of your typing?
or there're keyloggers that can detect onscreen keyboards also
rootkits that you will never detect
so you should never use an unsecured computer
do you use bitlocker on your laptop
Someone else: i noe all of this
duhz
Me: yes
so do you do all those things
Someone else: i'm pretty lax already
u shld see my friend
Me: they have better things to do than trace the IPs of people who upload vaguely naughty videos
and report them to their ISPs for copyright infringement
when the copyright holder is some chinese company they have never even heard of
Someone else: he runs all his programs in a vm
and resets e image everyday
Me: this reminds me of audiophiles
Someone else: sorry lar
u cant blame us
we're in this line
so we noe
Me: you know all the possible things that can go wrong
you don't know a reasonable way to calibrate what you do
remember to physically destroy hard disks after you use them
otherwise people can read the data
even if you write the bits 255 times
or cut up the platters
Someone else: yes physical destruction is e only way to be absolutely safe
Me: doesn't mean everyone should do that
Someone else: most pple dun
Me: most people shouldn't
it's not worth the bother
so what do you think will happen if you don't encrypt the file with a password
the only reason people normally do that is so the file isn't detected as illegal and deleted
e.g. when you're sharing warez
however in this case it's a one-time send to me
and I won't download it again
Someone else: its a public server
after all
i dun want the admins to probe it
Me: so what if they probe it
Someone else: nah i'm just not comfortable with it
anyway it isnt very troublesome
to just encrypt it with a password
no computer is totally secure
but trying to minimize e potential areas of attack
my browser is encapsulated inside a sandbox
so there's no way web exploits can jump out of e sandbox
Me: using google chrome?
Someone else: firefox
Me: what if no browser has that function
would you set up a VM just to browse?
Someone else: YES
Me: can you cut and paste to/from VMs?
the clipboard should be secured to prevent clipboard exploits right
Someone else: not saying using a VM is 100% safe
but if e attacker is able to jump out of e VM, he's probably so highly skilled
tt its a targeted attack
and dun bother to defend it in tt case then
Me: see
this is where you are using some form of discretion
I bet there're ways to make it even more secure than a VM
Someone else: but it shld keep 99% of e attacks out
Me: do you bother to use other terminals
since you can't be sure if there're keyloggers on them
when you go overseas do you check your email
Someone else: we always change our passwords
when we go overseas
for msn, emails
and then change back
when we get back
and no, we dun use public terminals to check mail
Me: yes you can change your password
but they can hack in before you return home
and your account will be gone
Someone else: NEVER
if i have to check mail
Me: so you always bring your laptop overseas
Someone else: yes
Me: right
so if you have no laptop
or it spoils
will you check your mail
Someone else: u will nv find me logging in a public terminal to check my email
i wun
Me: ok
Someone else: ok lar i noe this sounds a bit extreme to u
trust me
u haven seen e really extreme ones in my office
Me: no
not checking email on public pcs is not that extreme
err
if people cut off their arms it doesn't mean cutting off your hand is ok
Someone else: another way
is to relay forward all ur email
received
to a temporary email account
while overseas
and check from tt account
and delete e mails after viewing
if u for some reason decides to join IT security one day
perhaps u'll understand better why IT security r so paranoid
Me: it's because they are not able to calibrate the cost-benefit matrix
Someone else: not true
*** configures some hot keys
to disable his network adapter
whenever he's not at his pc physically
THAT extreme
Me: so do you think companies are justified in blocking MSN, gchat, gmail, twitter, facebook etc
Someone else: tt's from a biz perspective
its rather to restrain colleagues from wasting time on these
rather than for security
Me: it's also called paranoia
the official justification is to prevent the leaking of business secrets also
Someone else: rubbish lar
do u see me being blocked from ms, etc
Me: that's because they're not being dumb about it
how about the SAF
are they justified in banning CD-Rs for 'security'?
Someone else: e company is just lazy to do a proper audit
if it blocks all e msn etc
RW YES
justified
R...no
Me: I said CD-R
Someone else: i think they no longer ban cd-r
Me: they do
Someone else: but yah its SAF
they r well known for being a f**ked up org
Me: so if someone from the SAF talked to you about "security"
and justified all those measures
what would you say
Someone else: we as the solution providers provide recommendations
the clients , whether they want to follow
is their own business
Monday, August 02, 2010