Friday, 19 September 2008

Questions, all your many questions

I like questions. I like ones that can’t be immediately answered quite a lot because research is always interesting. It seems that a lot of people struggle to find things out. Sometimes there is too little information available and you have to dig and delve and extrapolate. Sometimes the key facts are buried in a blizzard of information that makes finding a needle in a haystack seem like a trivial operation. I like research all the same.

However, the sort of questions that I have had recently have been a bit different. They have been very business focussed. They have come from some places that I wouldn’t have expected them to come from as well. One from New Zealand, another from Hungary, a couple from the US and so on. I have answered each of the people who asked individually but I will also answer here because if one person has a question, it is likely that there are others who want to know but who haven’t asked.

So, to the questions:

Q1. Can you teach me to hack and do you know of any vulnerabilities in X software?
A1. Can I? Yes. Am I going to? Uh, no. I can point you to resources such as CEH (Certified Ethical Hacker) training and I am happy to explain any points that are unclear but I don’t have a stock training program for this and I would have to tread a little carefully there because of ethical and legal considerations. If I did know of any vulnerabilities, I certainly wouldn’t be mentioning them to anyone until they were public and preferably fixed.

Q2. Can you make my system totally secure?
A2. Absolutely. Just remove the power cable and weld bars across the door. If it has to be online and doing something then I can certainly make it a good deal safer for you. The risk will never be zero but I can and have in the past made systems much less vulnerable to attack. If your system is not an easy target, it is likely that attackers will move on to an easier target.

Q3: Can you teach me to debug?
A3: I don’t have specific training although given the number of requests, I may consider creating some. I can certainly show you the tricks that I know.

Q4: Will you break into such and such a system?
A4: What an interesting request. If you give me your name and address and a time when you will be home, some friends of mine will be happy to call and discuss this with you. Pay no attention to the flashing blue lights on their cars.

Q5: My system has an intermittent problem. Can you help us to troubleshoot it?
A5: Sure can. It might take a while but I there is no charge for waiting for something to happen, only for when I have to do stuff.

Q6: Why is onsite work more expensive?
A6: Because it is harder to juggle other commitments around work on your site. Work done remotely can be done at odd times of the day and night. However, I know that it is desirable to have someone onsite for political reasons and for face to face discussions. Typically, a short onsite visit to gather data and discuss a plan of action is useful and the rest of the work can be done remotely saving you money.

Q7: What geographic area do you cover?
A7: If planes fly there or there is a network link of some description and we have a language in common, I can help. I am happy to do remote work to anywhere in the world. If you want me to book the travel, it will be business class. If you book the travel, you get to choose.

Q8. Can I hire you or another consultant to help us find a particular bug?
A8: If it is legal and ethical, you can hire us to do pretty much anything you want. As for finding a specific problem, it often turns out that a symptom has multiple causes. A classic example of this is performance issues where removing one bottleneck means that you hit another one. In this sort of case, fixing the problem is an iterative process. That is why we quote some problems just with an hourly rate.

Q9: What is the limitation on what we can do with the free 2 hours?
A9: You can use them just like paid for time. Each new client gets 2 hours per gratis. That doesn’t mean that you get 2 hours free when you buy 10 hours. It is 2 free hours and there are no conditions on that. You can even have them onsite if you are willing to pay travel costs and the flight times are not silly. If the job takes less than 2 hours, you get it for nothing. Think of it as a try before you buy. The only possible drawback is that free work doesn’t get priority over other paid work so you might have to wait a bit.


Q10. I want something that isn’t listed on the site. Can you do that?
A10: Like it says, if it is legal and ethical and we can do it for you, yes, sure, anything that you want.

Next blog, back to technical stuff. I might talk about the anatomy of some of the more interesting hacks that I have seen in the past few months.

Signing off,

Mark Long, Digital Looking Glass Ltd

No comments: