** UnhandledExceptionEventHandler :: OFFICIAL LC / CHATTER THREAD **

12-15-2014 , 04:32 PM
There is always the option of notecards for diagrams (I love the pen, not the marker).
12-15-2014 , 06:03 PM
Tablet plus stylus ftw. I just use my note 4 though
12-15-2014 , 06:41 PM
Laminated cut out squares and rectangles and various other shapes. Felt tip pen. String.

You're welcome.
12-15-2014 , 09:19 PM
Quote:
Originally Posted by jjshabado
For me at least it's not at all the same.

For example, one of the common things I draw out are sequence diagrams* (http://en.wikipedia.org/wiki/Sequence_diagram). It's much easier to be able to keep modifying an existing diagram than it is to start from scratch each time on a new piece of paper or have tons of squiggles/crossed-out stuff on the page.

* But without the bull**** UML crap.
On the other hand, if you have to keep writing out the full diagram you're going to know it inside and out. For people who learn through rote memorization, good old-fashioned notebooks are the way to go.
12-15-2014 , 10:09 PM
In my day-to-day job I'm using the whiteboard to figure out how I should make things work, not to memorize something. I already know the major (and minor, for that matter) pieces of our architecture and definitely don't need to spend time writing them out multiple times.
12-15-2014 , 11:02 PM
Quote:
Originally Posted by Anais
Laminated cut out squares and rectangles and various other shapes. Felt tip pen. String.

You're welcome.
Something something Martha Stewart of IT.
12-16-2014 , 01:43 AM
You had me at "laminated".
12-16-2014 , 07:51 AM
Does anyone have much experience with ASP.NET Identity, or OAuth, or ideally both? I spent a frustrating 5 hours or so at work today trying to figure out how I needed to implement it. All the guides I found were either uber-Microsofty, where they hand-hold you through every step of setting up authentication in an MVC app and you end up with a pile of tightly-coupled, un-reusable garbage at the end, or else they were super technical and assumed I was already familiar with OAuth and knew what the jargon meant.

I couldn't even figure out exactly what I needed to implement, which would be a nice step one to getting it done. I'm trying to implement single sign-on for our company's products. What I want is this:

- Authentication against either our private database or via Facebook or Google
- On-demand sign out from external OAuth providers
- Single sign on across all our products, encompassing multiple domains
- Reusable code for authentication, applicable to both MVC apps and Web API
- The nice stuff in ASP.NET MVC, like just tagging controllers [Authorize] to enforce authentication

Stuff I'm not sure what to do with:

- I'm not sure whether I want to redirect to a common URL to sign in (which probably means implementing my own OAuth server?) or some common "web controls", for want of a better word, that can be dropped into apps where authentication is required. What I'm certain I don't want is implementing authentication views in MVC apps 15 separate times.
- Ideally I'd like to reuse some code for mobile apps to authenticate against as well, but I'm not sure how realistic that is given mobiles have to use onboard APIs to authenticate against OAuth providers.

Assistance appreciated. What I really want is some sort of road map for what I have to do. Right now I don't even know where to start.

Last edited by ChrisV; 12-16-2014 at 07:56 AM.
12-16-2014 , 08:17 AM
Just finished doing OAuth for Facebook and Twitter in .NET.

The FB auth was actually surprisingly easy, I just wrote it myself following these steps:
https://developers.facebook.com/docs...2?locale=en_GB

I find most instructions for this sort of thing to be horrible, but FB's here are actually very straightforward.

There's a gotcha: the redirect URL must end with a trailing slash IF there is no query string (stupid, I know, but I spent a good hour trying to figure that one out).

Here's my auth class:
http://pastebin.com/mGngQHhM

And here's the code-behind for a page that uses it. The page is a popup which takes a base64 image and posts it to your Facebook wall. You don't need to post anything to people's walls, but it shows you how to handle authorisation:
http://pastebin.com/fhadiN8m

Twitter auth was a lot more fiddly!

Quote:
What I really want is some sort of road map for what I have to do. Right now I don't even know where to start.
For each authorised user, you should store somehow:

- Facebook App ID
- Authorisation code
- Expiry date of authorisation

Once you have those stored, you'll be able to see how to integrate it as an option in your login flow.
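The login-flow pieces the reply above describes (the redirect URL trailing-slash gotcha, a per-user record of app ID, authorisation code and expiry), as an added example that is not code from the post or its pastebins. The authorize endpoint URL, the `example.test` redirect host and the one-hour lifetime are assumptions; the `state` value is there so the callback can be tied to the request that started it.

```python
import datetime as dt
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint; the real value comes from the provider's documentation.
AUTHORIZE_ENDPOINT = "https://provider.example.test/dialog/oauth"


def normalize_redirect_uri(uri: str) -> str:
    """The gotcha from the post: no query string means the path must end in '/'.
    The same normalisation must be applied everywhere the URI is sent, or the
    provider sees two different redirect URIs and rejects the callback."""
    parsed = urlparse(uri)
    if parsed.query or parsed.path.endswith("/"):
        return uri
    return uri + "/"


def build_authorize_url(app_id: str, redirect_uri: str, state: str, scope: str = "email") -> str:
    """First leg of the authorisation-code flow: send the browser to the provider."""
    params = {
        "client_id": app_id,
        "redirect_uri": normalize_redirect_uri(redirect_uri),
        "response_type": "code",
        "scope": scope,
        "state": state,  # unguessable per-request value, checked on the way back
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


@dataclass
class StoredAuthorization:
    """The three fields the post says to keep per authorised user."""
    app_id: str
    code: str
    expires_at: dt.datetime

    def is_valid(self, now: dt.datetime) -> bool:
        return now < self.expires_at


def handle_callback(callback_url: str, expected_state: str, app_id: str, now: dt.datetime,
                    lifetime: dt.timedelta = dt.timedelta(hours=1)) -> StoredAuthorization:
    """Second leg: the provider redirected back. Reject the callback unless the state
    matches the one we issued; only then store the code with an expiry (assumed lifetime)."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in qs:
        raise ValueError("provider returned error: " + qs["error"][0])
    return StoredAuthorization(app_id, qs["code"][0], now + lifetime)
```

`secrets.token_urlsafe()` is a suitable source for the `state` value; store it in the user's session before the redirect and pass it as `expected_state` when the callback arrives.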
12-16-2014 , 08:52 AM
What the ****? Kato never got back with us on how his first day went?

I guess that means the succubi in the dungeon got the better of him.
12-16-2014 , 09:42 AM
LOL. First day went pretty awesome. Everyone there is a huge geek, so I fit right in.

I spent pretty much the whole day just setting up my computer, and I still am not done. There are tons of things to get access to, and even more tools to set up!
12-16-2014 , 10:00 AM
And what of the succubi dungeon?
12-16-2014 , 10:18 AM
Protip: If the set-up documentation sucks or is wrong, fix it!
12-16-2014 , 02:03 PM
Quote:
Originally Posted by jjshabado
Protip: If the set-up documentation sucks or is wrong, fix it!
Pro-protip: If you need to follow documentation steps to set up the machine, then automate it.
12-16-2014 , 02:31 PM
I've been reading about this Sony Pictures hack. I get how the Destover virus was installed on a bunch of machines. But I'm wondering how the hackers got access to all those machines in the first place. I haven't really seen anywhere attempt to explain that.

It's a little spooky because a few of those corporate videos (which were made before the Sony hack) I had to watch were about security. Our head security guy said "nation state hackers" are what keeps him up at night. He said it's been estimated that they've penetrated and have free access to most if not all Fortune 100 companies' networks. Could they put the screws to pretty much any company they want at this point?

http://www.engadget.com/2014/12/10/s...e-whole-story/

http://securelist.com/blog/research/67985/destover/

Quote:
Just like DarkSeoul, the Destover wiper executables were compiled somewhere between 48 hours prior to the attack and the actual day of attack. It is highly unlikely that the attackers spear-phished their way into large numbers of users, and highly likely that they had gained unfettered access to the entire network prior to the attack.
12-16-2014 , 02:41 PM
Quote:
Originally Posted by Shoe Lace
Pro-protip: If you need to follow documentation steps to set up the machine, then automate it.
Disagree. Or at least partly disagree.

Some things need to be left to personal preference, some things aren't worth automating from a time-spent-automating vs. time-saved-once-automated standpoint, and some things are worth having a new employee do manually so they understand exactly what is happening.
12-16-2014 , 02:52 PM
suzz,

Not sure if we, the public, will ever know for sure. Could be a zero-day vulnerability, a man on the inside (doubtful), a simple password brute force; tons of entry points for a place that big.

Given the virus was unknown, is there really a way to figure out which PC had it first, aside from going through changed files on date x and thinking that was it? Sounds like it was a pretty complex piece of code that I would assume could cover its tracks.

It is an incredibly interesting story. One of the side notes I've read said something like 43% of all companies in the world have suffered some type of data security breach. Madness if true.
12-16-2014 , 02:55 PM
The virus is known. Read the second article. It's just not known how it was planted on the machines.
12-16-2014 , 03:07 PM
I didn't see that in the second article, but it was almost completely over my head, so that's probably why.
12-16-2014 , 03:16 PM
Quote:
Originally Posted by jjshabado
Protip: If the set-up documentation sucks or is wrong, fix it!
The documentation is great. There is just so much to do!
12-16-2014 , 04:05 PM
Quote:
Originally Posted by suzzer99
I've been reading about this Sony Pictures hack. I get how the Destover virus was installed on a bunch of machines. But I'm wondering how the hackers got access to all those machines in the first place. I haven't really seen anywhere attempt to explain that.

It's a little spooky because a few of those corporate videos (which were made before the Sony hack) I had to watch were about security. Our head security guy said "nation state hackers" are what keeps him up at night. He said it's been estimated that they've penetrated and have free access to most if not all Fortune 100 companies' networks. Could they put the screws to pretty much any company they want at this point?

http://www.engadget.com/2014/12/10/s...e-whole-story/

http://securelist.com/blog/research/67985/destover/

Who knows how they got in? But it's pretty interesting! Some of the quotes make it seem like social engineering/physical hacking, but who knows?

Quote:
"They don't do physical security anymore. Sony doesn't lock their doors, physically, so we worked with other staff with similar interests to get in."
I'm not sure about the North Korea speculation. All of the scary skeleton imagery and warnings seem kind of trollish, and I'm not sure a nation state would do that, unless they know it would appear unlikely for them to do that and they're playing mind games to deflect suspicion.

As far as nation states basically owning all of the top Fortune 100's networks, it's possible, but it doesn't take a nation state to own and take down a company. Just small groups of elite hackers could wreak havoc on probably any company they wanted to, if they were determined. Advanced persistent threats, you know? If a highly skilled small group of hackers hated a company so much they were willing to spend months, or even years, trying to own them, I don't think there's a lot that company could do to stop it, because they have to defend their entire structure/organization, and the hackers would just have to find one way in, and it might not even have to be a technical vulnerability. A company could spend tons of money on securing their networks, securing their servers, securing their web sites and web apps, and then be screwed because they had a dumb employee who didn't know not to plug in a stranger's flash drive.

Attackers definitely have the advantage.
12-16-2014 , 04:30 PM
I am installing two enterprise grade SSDs in my system right now. I'm not gonna lie I am really excited!
12-16-2014 , 05:05 PM
Sounds expensive!
12-16-2014 , 05:17 PM
Did you have SSDs before?

I can't remember a single upgrade that had a more noticeable improvement on my computer performance.
12-16-2014 , 05:48 PM
Quote:
Originally Posted by suzzer99
Our head security guy said "nation state hackers" are what keeps him up at night. He said it's been estimated that they've penetrated and have free access to most if not all Fortune 100 companies' networks. Could they put the screws to pretty much any company they want at this point?
We have a site that we built and we continue to maintain and support for a research group in DC that produces a lot of research on Chinese technological threats and state-sponsored hacking.

As soon as the site went live, IPs in China started making requests/scanning the site furiously, and when they apparently didn't find any vulnerabilities they DDoS'd it (which we fought as best we could by essentially playing whack-a-mole with IP ranges for a while).

After over a year now they haven't been able to get access to the site (as best we know), even though they still try quite often. Now we have upgraded their infrastructure, have them behind a CDN, and have a lot of active monitoring set up in case something goes bad.

One of the biggest factors in exposing a system is, like you are asking about, getting the virus into the system. Usually, this does not come down to actually penetrating the exterior wall of a system. While it is obviously theoretically possible to break most things if you have enough time and money, social engineering is usually a TON more efficient a way to go about it. Our client is good about how they manage access and who can do what on the website; as long as those people don't do something dumb, they are in decent shape.

All it takes is someone cold calling a secretary and being told that "Hi this is Julie...Sorry Jim is on a business trip, can I take a message", and then having someone call and say "Hey Julie, I'm supposed to send Jim something for his meeting this afternoon, all I have is his number, can I email you it and have you send it to him..."

It's my impression that in a lot of cases this type of social engineering is a huge part of how they get viruses into the systems to be compromised. Not sure how Stuxnet was delivered, but I imagine the Iranian engineers occasionally met with people for Siemens; all it takes is a flash drive with documentation, etc., and you are then into the network.