Well it seems that i am currently unemployed and looking for a job!  The economy of Cyprus is going downhill and the recent influx of 40 000 + working immigrants from Greece has contributed in a shortage of jobs in the Cyprus market.  No one can be blamed here but from the looks of it a lot of Cypriots will be migrating to other countries to seek employment in the months and years to come.

The government doesn’t seem to be doing much to help the situation either.  They were not prepared for the new reality.  Then again what can you say, the political scene in Cyprus is inherited and belongs to a few well known families, most of whom are backed with family money.  I guess this is the reality in most democratic countries anyway.  Makes me question the whole concept of our modern Capitalistic Democracy.  The lesser of all evils i guess.

Well not much else to say here, if any of you readers hear of anything job wise i would appreciate any help i can get.

are you unemployed? you want to get a job? Are you wondering why you cant get a job in Cyprus some times???? Simple, thank the government and the  HRDA http://www.hrdauth.org.cy/  for the ANAD (HRDA) sponsorship plan.

A plan aimed to help unemployed people get work! but what is really happening is this: companies only hire ANAD candidates!! result?? simple: unemployment rates remain the same as people who are looking for a job will remain unemployed till they become eligible for an ANAD (HRDA) sponsorship !! Thanks a lot dear government once again!!

So i plain simple English, i find myself debating as to whether traditional university education, and especially master’s degrees are worth anything.  I hear people in management positions telling me they don’t, and in rare occasions i find some who appreciate them.  And in the land of Academia, if good universities are worth more than some unknown or dodgy universities for that matter.

How can someone even consider a certification on a product to be of an equivalent value as a master’s degree.  This is simply beyond me.  I found myself at an interview some time back debating whether my master’s degree was of equal value or not with someone who had certifications in an equivalent field, security. Certifications that were not even backed up by experience.

I have met people in Cyprus with lots of certifications on their C.V. who are pretty much not adequate to be in a professional environment.  The reality is that since no one can even control the place in which exams are taking place (i.e. enough measures to prevent people from cheating – and yes i know people who were calling people from the outside while in a Microsoft certification exam asking for answers to be googled up), the results of the exams themselves can not be trusted.

The methods in which they are taught are not assessed by institutions that carry histories of decades and peer review, such as in the case of universities.  The material is not assessed or deemed valuable  and not product specific, by the same network of institutions that evaluate each other through the quality of their work.
In many cases the certification material  is even promoting company practices and standards of the vendor, that goes as far as to try and redefine standards and definitions, instead of even accepting widely accepted standards in the corresponding field.

Also, unlike a degree from a university, a certification has to be backed up by certain years of experience, as to prove that the certification was not taken by simply following a testkey guide for that exam.  But since the certification market is so big, no one even bothers.  Everyone just sees masses of people for them and they see revenue in their pockets.

So yes to certification, if they come with 3 to 5 years of provable experience applied to that specific field.  And yes if they are in a field of work you need. Don’t look for an information security professional and take into consideration I.T. Audit certifications.  They are a plus, but are mos likely to be irrelevant to what you need a security professional for.  Unless of course you want an Auditor in your team and you understand what you need them for.

But if not the certification should not carry much weight in my opinion.  And one can not come and ignore the value of academic degrees and especially Master’s degrees that come in specific fields and offered by good universities.

So think well before hiring, and think of how you are rewarding people in terms of salaries.  If management does not understand or is unable to evaluate candidates and their C.V.s in technical fields such as I.T. properly, then it is best to seek consultation and not simply get excited with certifications and titles.  Undermining the value of academic degrees (in technical fields at least and from universities that are internationally acknowledged for their contribution) shows ignorance in the technical nature of the field.

And as a final note, a reminder to those hiring once again, a person with a good degree is more likely to have an all around knowledge and will better cope with difficulties in anything outside of the scope technical expertise of someone without one.  This is true for most cases i have seen as universities tend to pass principles that apply to most IT related fields.  Principles not passed in certification classes or in forums and self learning.

There are exceptions to these rules of course and i am lucky to have met some.  But in most cases you won’t be likely to find one. So how lucky do you feel when hiring?

I have 2 days left before leaving the Cyprus Agricultural Payments Organization.  My stay here was an experience, and so was my departure.

I started here as an IT Officer with a 3 month contract that was renewed 2 more times covering a total of 6 months.  I was assigned programing duties on a dead end project which represents nothing more than a typical example of how governmental organizations waste the tax payer’s money.  The project was outsourced which meant i was pretty much doing donkey work for the people who already worked on the project.

The system here is such that you accept the phrase “less is more” as part of the natural daily life here.  Soon you find your self doing less and less and even getting stressed about not doing enough.

I actually went through panic modes as they kept me idle for most of the 6 months, occasionally giving me things to do such as reports.  I actually used my time here to read and expand my understanding on certain subjects such as technical skills, design, or politics.  Ebook reading became a daily ritual. Over all it was a good experience to understand first hand how the government engine works and how things get done.

My exit was also interesting,  my contract was simply not renewed.  Although i was renewed twice and was congratulated on good performance on both times my contract was renewed. My departure coincided with the visit of one of the 2 big political parties in Cyprus, a few weeks before election times.  One has to wonder but for those who know me, they by now know what happened.  It was nothing personal at the end of the day, people needed work, some people needed to go. Votes count and so do friendships. The excuses used were obviously excuses, and not much can be said or done.  Nor do i want to do anything about it.  People complained for things such as me annoying them asking for more work et cetera.

To be honest i am happy it happened as I was just wasting myself here, and actually started getting used to the system here.  I showed 0% growth professionally although i did pick up a lot of people skills (as well as office politics skills). The salary and hours were great don’t get me wrong, although waking up at 6 and driving through 1 hour of traffic to get here wasn’t.

On the plus side i made new friends here, one or 2 of them read my blog actually so thanks guys

Overall i am thankful to the people here, for their kind words,  for not letting me waste my time here and helping me actually get out and try and do something more with my life, even if it pays less at the beginning.

So I look forward to the new challenges i have ahead, starting on the 11th of April

Cleaning out your closet? well i had comments since back from 2007, so it was time to clean the wall up from comments from people no longer in my life (friends etc).  But the amount of posts and comments i had was rather big so i had to find a better way of cleaning it up.

The solution that worked for me: Firefox + Greasemonkey + Greasemonkey script

So in other words i used the script that deleted the comments on my wall that were visible.  I kept clicking the “show more” link for more comments and then kept deleting them.  Was done in less than 20 minutes (bad internet connection!).

The link for the script was found here:
http://blog.oneduality.com/2010/12/13/clear-your-facebook-wall-entirely-with-greasemonkey-and-firefox/
The actual script here:
http://userscripts.org/scripts/show/92664

Spam a la Grecque ?? coming right up!

I was going through my hotmail junk box this morning ( a good practice if you don’t trust Microsoft’s spam filters, or who ever else they are buying the service from).  To my surprise i came across a spam message claiming to be from a Greek bank!! So someone figured out i spoke Greek, probably cause some Greek talking forum i signed up to either sold the member email addresses to spammers, their database got dumbed or they decided to start spam phishing campaigns. I doubt that the Russian/Nigerian mafia decided to hit Greeks for the fun of it (i mean, the guys are broke, it isn’t worth the trouble!!).  (the Turkish mafia could be behind this as well but i again doubt it )

Anyway, enough with the conspiracy theories.  To cut to the chase have a look at the email i got:

As usual the link to read your “security” message takes you to compromised website, in this case of some rug cleaning company.

Have a look at the screen shot from the site (i don’t recommend visiting it if you don’t know what you are doing as the site might also be serving malware).

Greek Phishing Spam

Pay attention to the fact that they took screenshots and placed them on the page to make the user feel as if they were on the real site.  Not sure if they were too lazy to replicate the original or thought it was more fitting to the eyes of the unsuspected victims.

In any case this is my first greek phishing spam message and it got me all excited

If you are from Cyprus you probably know what ETEK is.  For the rest, it is the corresponding body of the British Engineering Council.  What has unfortunately happened in Cyprus though is that this body has managed to include people from the computer science discipline demanding that they are registered and pay an annual license for practicing their profession.  This is apparently mandatory by law.

Point 1: why would someone with a computer science background need to register as an engineer although they are not, in the traditional sense, engineers.  Why should they not be registered with a body such as the Cyprus Computer Society, whos corresponding British body seems to be responsible for evaluating, recognizing and registering degrees of relevant disciplines?

Point 2: The main drive behind someone wanting to register is that the biggest employer in Cyprus, the government, dictates that for someone to be able to compete for an A8 level position (pay-wise a starting salary of 2000 euro gross) they need to be registered with the body of ETEK.

Point 3: ETEK fails to recognize and provide levels of membership, thus either allowing someone to be registered or not, but does not offer registration and recognition of technicians, or even take into account the years of experience and thus allowing someone to be registered, if they for example graduated from a diploma awarding institution such as the late Higher Technological Institute in Cyprus. It has become a binary decision of yes or no, without even allowing for the government to tap to the potential and expertise of a lot of people out there whos degrees might not be adequate for registration.

point 4:  cynicism – If ETEK was aiming to make more money by simply registering Computer Science graduates then why not allow for levels of membership, more people registering = more money.  Also government positions will then be able to request for different levels of membership depending on the position.  Better yet why not allow another body such as the Cyprus Computer Society to evaluate degrees and eligibility for registration and the academic capabilities of the person at hand .

Cases:

1. Person graduates from HTI (ATI) as an engineer with years of experience working for a construction company such as J&P and still can not register with ETEK in Cyprus
2. Person graduates from a UK University with a degree whos title doesn’t match Computer Science or any other UCY title and as such can not register without an MSc.  Such a title could be computing studies.
3. Graduate with an Management Information Systems degree, not a pure science degree (again note the word science and not engineering.)

Conclusions are up to you to make, but i will quote the following from the official page of ETEK:

Cyprus Scientific and Technical Chamber (ΕΤΕΚ)

The Cyprus Scientific and Technical Chamber (ΕΤΕΚ) is the statutory Technical Advisor to the State and is the umbrella organisation for all Cypriot Engineers. It was established by Law 224/1990 and is a Public Law Body with an elected Governing Body. It has an office and a Service capable of promoting its objects.

Have a read through the rest of the page and see what you think.

The legislation and system itself, although aiming to protect professionals and their professions, has managed to impose a sort of monopoly and word play where people who could not for various reasons get a degree which would allow them to register with ETEK (reasons being that they could not afford to go to a University abroad during their time of studies), but do have the skills, are denied the opportunity to compete on equal terms with others for positions or have been denied the ability to exercise their profession.  They are denied this by a system which has not been designed and implemented correctly.

A group of people who currently can not register with ETEK and thus can not either practice their profession legally or be able to claim such, or higher ranked, government positions with their degrees (or diplomas) and gathering people who want to simply unregister from ETEK (yet another daunting task).

To find them or contact them simply go to
http://anti-etek.com/

To have a look at the official site of ETEK go to
http://www.etek.org.cy

You might also want to have a look at the following page: http://www.etek.org.cy/page.aspx?page_id=84

P.S.
In case you are wondering, yes i am registered with ETEK, and i do believe in the importance of such a body to exist as it will better control who can practice a profession.  But i also believe in fairness and equal opportunities and seeing injustices such as this, which can be fixed, leaves me hoping for change.

Adding the following:

I did not want to touch on this subject but seeing as it might help, i want to raise the issue of people who work in the field of IT (or other engineering subjects for that) but have no relevant degree or no degree at all.   Where do they stand in terms of the law.

My builders did not have a licence from ETEK, did they need someone supervising them with a mechanical engineering degree and an ETEK registration?

Some do have certifications but not all.  So what happens with them in terms of ETEK? or other such bodies, i wonder

Sophos blogger Chester Wisniewski blogs about Allegations made that FBI had planted backdoors in the cryptographic implementations of OpenBSD dating back as far as 2000. Quoting:

OpenBSD is the poster boy of secure operating systems, which is why it was an enormous surprise when allegations were leveled yesterday that the FBI had planted backdoors in the source code for OpenBSD as far back as 2000.

It makes you wonder where else the US and other governments have planted such back-doors using their “secret agent” developers (this sounds funny to me, but back to the point).  A lot of open source projects depend on the contributions of the community, but no one does background checks on the contributors.  Reputation is one key factor.  A lot of these open source projects are used by industry and government bodies world wide.

This of course does not leave out companies as  big as Microsoft where source code is not even available, where we blindly trust them, and where if the US government had asked them to plant such back doors, they would not be able to even admit it.

Some food for thought.

Read more here:
http://nakedsecurity.sophos.com/2010/12/16/allegations-suggest-openbsd-has-us-crypto-backdoor/

Linked.com was doing what i was about to blog about! amazing. Well i was about to comment on how easy it is to completely unregister from a site and whether or not they do unregister you.  I was also about to suggest that a monthly or bi monthly mandatory password reset should be enforced by sites.  Given the Gawker events that are taking place the last 2-3 days (if not longer) people like me who had forgotten that they had even registered on the website would have been saved from having to remember their passwords there by a few simple steps:

1. Remind the user that he has an account there and is inactive
2. Remove him if he doesn’t respond to an email asking them to confirm their existence within the next 2 weeks, for example
3. Mandatory password resets every 1-2 months
4. better encryption of passwords (use hashes please!!! and ones that are not known to be reverse-engineered! e.g. md5
5. Encrypt your backups!

I just received the following LinkedIn email

LinkedIn

Dear Beitis,

In order to ensure that you continue to have the best experience using LinkedIn, we are constantly monitoring our site to make sure your account information is safe.

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:

1. Go to the LinkedIn website
2. Click on “Sign In”
3. Click on “Forgot Password?” and follow the directions on the website

Thank you,
The LinkedIn Team

Now i ‘m guessing that either linked is taking measures to protect its people, or there have been security related incidents linking to Gawker. I need to actually download the dumb myself and find out what my password was (great, more fun…). I hope that its not because my password from Gawker was the same as the linkedin one (i hope not but tested it and it doesn’t seem to be the case).  Unless Gawker is forcing people to reset passwords without telling them, just by not accepting their current ones.

Interesting.  Well if you are running a web site, DO protect your fun base/users.  Also make sure you encrypt your backups!!!! they might stolen too!

Thanks LinkedIn.com !

Security Certifications for organizations verifying their secure infrastructure are needed. Gawker had horrible security. Something needs to be done about this.

And tip of the day: stop logging in to Gawker Sites, they might have planted code monitoring activity and new passwords

Gawker Media group has been associated with a major security breach.  I noticed news of this yesterday, but it was only today when i received an email from the group that carried out the attack, that i started becoming concerned.

A group managed to get hold of user details (including emails and passwords) of users registered with the Gawker group.  The group runs websites such as Gizmodo.com and lifehacker.com .  All very successful blog based sites with millions of funs world wide.

Please make note that the group managed to get access to Gawker systems weeks or months ago.  It was when the attack was carried out that they realized it although they had hints of this long before.

The attackers are a grouped called “Gnosis“, and are not related (according to what they say) with 4Chan group recently associated with the Wikileaks related attacks against payment sites who refused to receive money on behalf of Wikileaks.  Gawker provoked 4Chan in the recent past and has provoked groups making claims of its security. (read more in the links below).  Only foolish people make such claims. Gnosis released the dumb with around 200 000 unencrypted passwords in plain text.

A group, called Hint, decided to take advantage of the publicly available database dumb to market itself (no surprise there).  It actually sent me the following email this morning (not just me but all of the users who’s credentials they have compromised).

Hi there,

Hint wanted to let you know that your email address and password that you used to signup for Gawker (or one of its sites) were hacked. Forbes’ coverage is here

In situations like this, time is of the essence, which is why we were surprised & shocked to find that Gawker Media hadn’t taken the initiative to notify you of this privacy breach immediately. We HIGHLY recommend you change all of your online passwords as a precaution.

-The Team at Hint

What we should pay attention to here is this fact: Gawker WAS aware of the attack but instead of timely notifying its users it did nothing until the group that carried out the attack warned the users.

Also, one can’t help but wonder if part of the code base of the website was also compromised and if users trying to change their passwords (or even remembering them) are feeding them back to the group or someone else.

Gawker group: BAD BAD BAD.

This incident also made me wonder how many other websites i have registered to but forgot about it all together.  I couldn’t even remember what password i used here.  Do all of you remember what sites you are registered to with what passwords? or how they are managing your personal information and credentials? (if they are even encrypted or hashed somehow).  They might even be stored in plain text with not only attackers hoping to get them but even the admins themselves. You have no idea do you? Neither do I but it is time for some house keeping.

Issues of trust lurking here.  Gawker has gone into the not-so-trusted-in-terms-of-security group.

In their defense Gawker did send an email out, although delayed.  Quoting:

This weekend we discovered that Gawker Media's servers were compromised,
resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel,
io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name
and password associated with your comment account were released on the
internet. If you're a commenter on any of our sites, you probably have
several questions.

This Weekend? come on guys! on the bright side they are now maintaining a FAQ section trying to guide users to changing all their passwords.  You can find it here: http://lifehac.kr/eUBjVf.  Forbes also has the whole story here : http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/ .

I wonder how many of you use the same passwords in different websites (or all!).  Reading the forbes article, Gawker guys seem very arrogant indeed.  Hard to take them serious when they don’t seem to get security right (or at all, if you have a look at what their employees did) or even appreciate their own user base.

Disappointing.

Update:

Apparently uses of breached credentials have already taken place via a twitter spam attack: http://www.readwriteweb.com/archives/twitter_spam_attack_tied_to_gawker_security_breach.php . Sophos also blogs about what happened in 2 posts (and don’t worry, not Graham that does the investigation!!):
http://nakedsecurity.sophos.com/2010/12/13/gawker-gizmodo-lifehacker-password-change/
http://nakedsecurity.sophos.com/2010/12/13/acai-berry-spam-gawker-password-hack-twitter/
http://www.mediaite.com/online/exclusive-gawker-hacker-gnosis-explains-method-and-reasoning-behind-his-actions/
http://www.readwriteweb.com/archives/twitter_spam_attack_tied_to_gawker_security_breach.php

Hi Guys!!!

added a new link section called Jobs – Cyprus , and it lists recruitment sites in Cyprus.  If you are looking for a job in Cyprus then this is the place to start!!

Although not much of a book reader, as my attention span seems to be rather limited when it comes to reading stories, a friend (Stephanos) posted on Google buzz he was buying a new book called Life Without Limits: Inspiration for a Ridiculously Good Life .  Quoting from the Amazon website:

Glancing at this book’s cover, it takes a moment to register that the smiling young man staring back has neither arms nor legs. That’s fitting, since Vujicic’s story is about how, despite extreme disabilities, he wants to be seen as a normal person. Readers might find extraordinary a better word, as they learn how Vujicic, born limbless (but with a tiny foot), lives what he calls “a ridiculously good life.” By learning to be a help and resource to others, and choosing to dwell on the positives in his life, including a supportive family and friends, he has overcome the despondency natural to a young person in his predicament and become a source of inspiration for those he meets as a speaker and those who see his videos on YouTube. Although much of his account is straightforward biography, he also devotes considerable space to sharing his faith in God and offering practical suggestions for making one’s life happier and more productive. The underlying message is, “I’m happy; why aren’t you?” That’s a pretty good question, as readers will see after only a few pages. –Ilene Cooper

You will wonder why i posted this.  The answer is simple, we always complain about how bad we have it but never think that it’s actually not that bad and we should stop nagging about our lives. I will actually buy this book and read it.

Thumbs up for this guy for being so optimistic!!

Links:

http://press.lifewithoutlimbs.org/

I have been reading about RIAA actions over the last few years but i think it’s time i expressed an opinion about them by simply stating the obvious.  Don’t expect them to be coherent, they are just thoughts after all.

Fact one:  the movie and music industries make billions every year, a big portion of which is profits which get distributed to the few elite people in the industry.  The figures? Google them up, and we are not talking about a few million dollars or whatever.

Fact two: Generalizing, People who download things illegally weren’t going to buy them to begin with, they either can not afford to or simply didn’t think they were worthy of spending money on.  One thing i have to mention is the fact that people didn’t just decide to indulge themselves in piracy over the last decade.

The piracy of modern media dates back to vhs and audio tapes, and everyone just lived with it.  No RIAA back then.  And these are only ways i remember.  I am not that old.

Fact 3: Industries fuel from the so called art by selling more blank media, recorders (computers and other hardware), but the RIAA doesn’t seem to be targeting them as they would surely loose the battle. Stake holders in this industry, the same as those in the media industry.  See a pattern here already?

The media industries didn’t go bankrupt, they moved on to grow and prosper.   So this model of piracy that dates decades back seems to work for the media industries.

What happens in reality is that those down-loaders will actually be more willing to buy a product such as a dvd as they have seen and enjoyed it, and probably associated it with a positive feelings.  If they might want to give something as a gift, it will be a movie or a music cd, and it will not be a copy.  It will be an original branded dvd, cd or any other sort of legal product.  It looks nice.  It is only natural that they give it to a loved one, or simply want it in their dvd collection. I myself rarely buy gifts that aren’t DVDs or CDs.

Fact 4:  The RIAA is basically a banch of unemployed lawyers who managed to find a way to make money out of people who can’t even afford to pay money.  Instead of targeting on the people that mass produce illegal copies of dvds etc, they focus on the consumer.  Why? individuals are easier to target and attack.

Scare tactics or not the manage to take to court people who have done nothing more than help the media industry market promote its products.

The RIAA is probably a place of investment for the media lords, who see it as yet another way to milk the cow and make some more money.

But really, governments should see the RIAA for what it is, a bunch of unemployed lawyers trying to make money on the expense of the public and individuals but at the same time are incompetent in targeting the organized crime syndicates fueling the creating and distribution of illegal copies of copyrighted material. And they are not doing it over the INTERNET via bittorrent, there is no money to be made there!!

By all means, instead of spending so much effort trying to get money out of people who were not going to give it to you anyway, try and promote your products in such a way that people will want to buy more of those “illegally” downloaded films and music.

RIAA: if you really have what it takes, start targeting the organized crime units that sell copies of your products and stop hassling users.

Music Industry: adapt to the changing world around you.  Don’t target the users who are after all your clients.  They will always outsmart you if you force them to.

Legal systems and governments : please adapt to the changing world around you.  Understand what the internet is and new technolodgies.  Killing net neutrality, sacrificing the right to privacy (as you are doing in the name of national security), and penilizing users isn’t the way.  Stop listening to industries and the BS they feed you when they pay to elect your politicians.

Unemployed Lawyers: go do something useful like helping people, or simply go study something else.

Google Latitude is a very interesting tool.  It allows you to find out where your friends are located and alerts you if they are close to you (i ‘m guessing you must be using an android phone with a GPS tracker on it).  Sounds great right? or does it?

Privacy is an issue here, anyone who is a friend can see where you are at any time, people that might fool you into adding them as friends will see where you are, google and anyone it shares your location data with knows where you are, it is monitoring your every move, it will know your patterns of behaviour and might alert others on changes.  People might be accessing your location data without you knowing.  Even forgetting it on when you go and do something no-one should know about can get you into “trouble”

The list here is endless and it is something that should concern all of us.  After all, we don’t want our boss to know where we are at all times, who ever our boss might be (be it goverment – corrupt or not, the police, wifes, family etc)

Some food for thought

http://www.google.com/latitude

One of the servers i am running at work (a debian box running on a sparc sun machine) decided to stop responding, after months of running smoothly.  My first reaction was “F**K there goes my uptime!!).  I could not connect to the box in any way so we had to do a hard reboot.  When the machine started again, one of the mysql tables of RT (ticketing system running on it), was corrupted (the table was marked as crashed).

After googling i endedup with a mysql command to repair the table, which failed due to a “Not enough memory for blob”.  I ended up with the following link : http://maheshsworld.jokesplanet.com/?q=mysql_crash which basically allows you to increase the allowed blob size when using the myisamchk command.  For example myisamchk –max-record-length=1048576 -r -f <table_name> . This command needs to be ran in the same folder as the .MYI file of the table we are trying to fix.  In my case this was under /var/lib/mysql/<DB NAME>/ .

I hope this is useful.