Information security is an enormous field: technical areas that change by the day, social engineering that is the hardest thing of all to defend against, the honest-looking good father and good colleague of a dozen years who walks off with the trade secrets and is never seen again. You need contingency plans for floods and fires, and you need to work out how the organization survives earthquakes and typhoons. The things already done are countless; the things still undone are more numerous still. Because every snowflake believes this avalanche has nothing to do with it, we have no choice but to walk ahead of every snowflake, spot the factors that could set off an avalanche, find ways to prevent it, and keep it from happening. And even if the snow really does come down, we have to keep ourselves and the company alive in the middle of the avalanche. In today's world, one of the world's five largest accounting firms can collapse in an instant, one energy company can manipulate electricity prices in California and even across the US, one hurricane can wipe out the paradise of jazz, not even twenty people can bring down the whole of the Twin Towers, one heavy rain can wipe out an entire village, and one earthquake can all but destroy eastern Japan. Over these past few years I have slowly come to accept that "the sky really can fall"...... Indeed, worrying can be a job too.

Monday, December 14, 2009

Guns N Roses still rocks!

On the afternoon of 12/11 the four of us took the Ho-Hsin bus to Banqiao railway station. With the 7:30 opening time approaching, we grabbed something to eat by the roadside and went to queue at the B1 area around 7.

I had been worried we wouldn't get in on time, but after finally getting in at 7:30 and finding our seats we waited and waited, a whole hour, and the two boys were almost asleep. The crowd this time was very mixed: it wasn't only people our age who knew Guns N Roses, and it wasn't only Taiwanese; black, white, yellow, every kind of person was there. Entry dragged on until 8, and after 8 we were still waiting. Everyone was about to go crazy.

But once the show started, everyone's annoyance was forgotten. Although time spares no one and the handsome skinny kid of back then is now a middle-aged man (someone said he looks like Bobby Chen in a bandana), Axl Rose's voice is still as powerful and raspy as ever, and the band's playing was almost as precise as the studio versions, with none of that sloppy, going-through-the-motions veteran routine. The lead guitar in particular has been taken over by a young guy called DJ Ashba, and he was very solid; stage presence, guitar technique and charisma were all first-rate. Even if Slash himself had come in person, it wouldn't necessarily have been any better.


Of course, when it comes to songwriting, that chemistry is still different from when Slash was there. But that is in the studio and in the creative process.

For us concert fans, that difference doesn't exist.

The older the song, the stronger the feeling. When November Rain came up, the boy happened to want to go to the toilet. I watched Axl Rose sit down at the piano and sensed something was up, and the fans stirred too. There are only a few songs he sings while playing himself, and Axl Rose added some variations to the intro to tease the fans: it sounded like it, and then it didn't. For the first fifty-odd seconds everyone was thinking, which song is this? Is it? Is it?

Then came the familiar November Rain keyboard line and it was like electricity through the whole body. The kid came sprinting out of the toilet and the two of us ran through the intro, back to our seats, just as the keyboard reached the end of a passage, the drums kicked in and the whole place cheered. Nobody could help standing up, jumping and swaying, completely forgetting we were in the stands, not the mosh pit. What's the point of rocking along with everyone?
Who cares, that kind of atmosphere comes once in a lifetime; I'm going to rock even if my bones fall apart.
When I look into your eyes, I can see a love restrained~

Almost the whole arena was singing along. So good.
Amazing that his voice is still at the level it was back then, with room to spare.

Damn, that's not a human voice, that's an instrument, like a guitar: as long as there's a fret position, any high note can be hit. Listen carefully to his last two lines and you'll understand. He just keeps pushing, pushing higher, until he forgot to end it and the guitarist and drummer had to pull him back.
I was also surprised that there seemed to be a lot of rock fans there; the people on both sides of me could sing along, in the original key!
 
The YouTube link above is from the stands, with clearer sound.
Here's a link from the mosh pit.
The sound is worse and the video quality isn't great either, but if you're a fan, it's nice to feel what it's like when everyone shouts and screams together. Listen to the crowd's reaction when the intro comes in, that instant burst of energy. And the rapture of a whole crowd singing along from beginning to end. You can even see the person filming unable to hold the phone steady at the most emotional moments, and how everyone approves when Axl Rose changes the lyrics. You'll wish you had been there.
 
That day, I was there.

Only one regret: personally I had hoped the concert would close with Patience, a song I myself have sung no fewer than a thousand times over the years; I wanted it to end on that "ah".

Saturday, November 21, 2009

The connection between the slave Harriet Tubman and CISSP

I saw this in a LinkedIn forum; the author is also a CISSP.
At first glance, what could a Black woman from a hundred years ago have to do with CISSP? (ISC)2 didn't even exist back then.
But reading on, this author writes very well.

We may not know much about Harriet Tubman, but most people have some impression that before the Civil War there was a secret route that could carry slaves from the South safely to the North without being discovered, and that also settled the escapees into a life and a job. That woman was Harriet Tubman. At first she escaped to the North herself; later, to rescue her family, she risked going back to the South and brought the whole family out. The escape method she designed came to be called the underground railway system.
The author compared the whole escape route Harriet Tubman built with the ten CISSP domains and came to a startling finding: a complete match!

For example:
Cryptography: Harriet turned the escape routes into spirituals so people could memorize them. The songs themselves seem meaningless, but to an escapee they were a guide;

BCP and DRP: the escape route was not a single route but many, each lined with friendly houses where people could stay, so an escapee would not be caught just because one route was destroyed;

Separation of duty and need to know: each helper only knew the part they carried out and knew nothing about anyone else's part, so even if one was caught, they couldn't give anything away.

Network security: the route was like today's internet; routing could be chosen freely, and when one route was cut, a longer path could be taken. And the messages passed along the way were entirely encrypted as spirituals.

There are many more points I can't write out in full. All I can say is that combining the two was a very creative approach, and, since the author is Black, the greatest possible tribute to his own forebears.

Next time I talk about information security I should do it the way this author does: "The 72 Martyrs of Huanghuagang and information security", "How Liao Tian-ding protects information security". Catchy titles, an exciting story, promoting security through storytelling: class won't be boring, the audience won't doze off, full house guaranteed.

Book notes: 電腦犯罪檔案 (揭開電腦駭客之驚人內幕) (Computer Crime Files: Revealing the Shocking Inside Story of Computer Hackers)

This guy is a pro! A guru! Anyone who's interested in white-hat hacking should read this book! When there are no rules, these gurus make the rules. Where there are no laws, they help modify the laws. Excellent, realistic stories that visualize the life of a computer forensic expert. I personally love chapter 5, because sometimes you just win the battle and lose the war. It's not a perfect world. Welcome to the jungle.




I found this book by accident; it wasn't filed under computer security but in the business section. For someone unfamiliar with computers, it's as much fun as reading a novel; for someone with a security and systems background, it's like a living teacher explaining the security and forensics process with real cases.

The author is a computer-security veteran who began working as a security consultant in an era when the law was far from complete (it still isn't). It's highly readable for the general reader, but even more so for anyone who has taken intrusion and computer-forensics courses, because he describes things in a way that non-specialists can understand without hiding any of the technical detail. So just by imagining it we can put ourselves on the scene and know which commands or tools he was running. These stories also show why some evidence-gathering rules are set the way they are: they were rewritten out of the painful experiences of his era.

It includes going to great lengths to prove a suspect wasn't the culprit, only to seemingly discover that he had walked into a trap himself; finally driving a villain out by every technical means, only to find the villain had regained the boss's trust and come back; and times when the technical side wasn't the problem, the problem was a gap in the law, in the law itself. In that situation what you defend isn't the interests of the victim or the perpetrator, but the law! Plus an intrusion carried out with nothing but a business card. Excellent, and a really unexpected find of a good book.

Friday, November 20, 2009

Is that a quilt you're sleeping under or a blackboard eraser: the great dust-mite battle

Some people say my blog is too technical, very techno, even cold-blooded, and hard to approach. I'd really like to tell them: don't joke, my real identity is...... but if they knew, would they instead think this guy is too ridiculous.... The dark side of the moon and the bright side of the moon are hard to balance. Anyway, never mind.

So let me record the result of this week's battle with the quilts at home. If you're absolutely sure the answer to the title "is that a quilt or a blackboard eraser" is "quilt", I'd like to remind you that the quilt you wrap yourself in every night, used for five years and sunned three or four times a year, is probably a "blackboard eraser", if yours is the traditional kind with a heavy cotton-stuffed batting inside. Because yesterday I hung the quilts up and beat them, beat them hard, and found they were blackboard erasers. That's right, every night you sleep with the enemy that most easily triggers allergies. You're sleeping with the enemy.

This year our eldest's allergies have gradually stabilized, but my wife's and the younger boy's have shot up since autumn, which puzzled me. Our current anti-mite measures are: duvet covers, sheets and pillowcases washed in 70-degree water every two weeks (heh, that's exactly why we bought the Swedish front-loader), wooden floors with no carpet, plush toys also into the front-loader at 70 degrees, plus a Honeywell air purifier. Yet the younger boy's nose blocks up the moment he lies on the bed and my wife's eyes itch. How is that possible?

This is when the problem-solving dad steps in. Dust mites die above 55 degrees, so all I needed was a laundry to quote me four hours in the dryer. I asked every laundry around: they only wash down and silk quilts, not cotton batting. Dead end.

Next I tried the method taught on Japanese TV: seal the batting in a black plastic bag and leave it out in strong sun so the inside reaches over fifty degrees. Taking advantage of the strong sun these days, after a day of sunning I started beating, and that's when the blackboard eraser appeared.

Folks, you really have to beat it to know whether you sleep on a quilt or an eraser. The first hit: unbelievable, it smokes (dust). Hit again, unbelievable, still smoking. Ten hits on the same spot, still smoking. No wonder my wife and kids have allergies. Is this batting? It's obviously a blackboard eraser.

When beating quilts please note: 1. wear a mask, or you'll breathe in plenty of dust; 2. a household clothes hanger will do, the thicker the plastic hanger the better; don't use the thin wire ones coated in plastic, they'll wear the skin off your hands.

That's as far as this round goes, the no-money method. In future I'll still have to spend money on a vacuum that can pick up dust mites, because 1. beating takes a long time: forty minutes for three quilts with the heart-rate monitor holding at 132 beats per minute is good exercise, but whether others see it that way I don't know; 2. once the batting is done, there's still the thing we lie on every day, the mattress we've slept on for five years; 3. ordinary laundries don't handle batting, though you might ask a self-service laundromat.

Whoever messes with my family, I'll fight to the end. Dust mites, don't run!

Wednesday, November 11, 2009

Fierce: quietly building a company's server inventory from DNS

A while ago I demoed pre-intrusion information gathering via DNS at a client (the one where people queue up every time prices go up), and to my surprise the client's DNS really did leak information about many important servers. They were embarrassed and I was surprised. Afterwards they moved quickly to fix the DNS configuration. At the time I did it by hand.
So I went on to try Fierce, a script written in Perl, on BackTrack. Sure enough, it had some ideas I hadn't thought of before.
First, Fierce saves you typing the commands to attempt a zone transfer:
perl fierce.pl -dns abcdef.com
does the whole procedure for you.

Next,
besides attempting a zone transfer, it takes the IPs it found and walks up and down from them, because many companies' machines sit on neighbouring IPs. That is, a whole class C, or a block of 128 or 64 IPs, all clustered together. So although only the MX (mail) record, the DNS record (unavoidable) and the IP of the WWW host are exposed on the internet, if you're in the same class C neighbourhood, finding the DNS, mail or WWW host is as good as finding every host.
This seems quite normal domestically. I saw that the two big job-bank sites both, coincidentally, have PAYMENT.XXX.COM.TW. All I can say is WOW, VALUABLE. Amazon also has a whole string of class C addresses, but you can't tell anything about what a server does from its name (the server name is just the IP, nice). By comparison, wow, PAYMENT; might as well rename it HACK ME IF YOU CAN (there was a film with Leonardo DiCaprio called CATCH ME IF YOU CAN).

Also, for more careful companies (the kind that request five IPs here and five IPs there), it provides a built-in wordlist to look up names, and once it finds one, repeats the previous step and looks for IPs in the same range. That handles IPs scattered all over the place. Impressive.

Of course, if you really do get internal IP data from a zone transfer, it can also search internal IPs such as 192.168.x. These advanced features you can look up at the link above when you need them; plain English.

As before, this is included in BackTrack.
Addendum: trying it against some domestic servers, in some situations the scan hangs. Then another package, dnsenum, is faster; its results are simpler and less comprehensive, so it's a second choice.
So, if a company wants to avoid this kind of problem, two things must be done.
1. Please don't put the server's role in its hostname, like dns1, dns2, ex2k, payment, imss, words an insider can certainly guess.
2. Keep IP ranges apart as much as possible (don't just request a single leased line), so that when one is found, the whole string isn't found. This has another benefit: if that line goes down, the whole company doesn't go down with it (too much risk, isn't it?)
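As an added check to go with the two points above (example code written for this post, not Fierce, dnsenum or the author's own tooling): a small Python audit that reads a zone export and flags hostnames that give away a role, hosts that cluster inside one /24, and private addresses published in a public zone. The zone text, hostnames and the role wordlist are constructed for the example.

```python
"""Audit a DNS zone export for the exposures described above.

Added example for this post; not Fierce, dnsenum or the author's code.
The zone text, hostnames and wordlist below are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Role-revealing words: the ones named in the post plus a few common
# ones (assumption). Trailing digits are stripped before matching, so
# dns1 and dns2 both match "dns".
ROLE_WORDS = {"dns", "ns", "mx", "mail", "ex2k", "exchange", "payment",
              "pay", "imss", "vpn", "db", "sql", "backup", "intranet"}

# RFC 1918 ranges that should never appear in a zone served to the internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone export in BIND style; only A records are audited.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@         IN SOA ns1.example.com. hostmaster.example.com. (1 1h 15m 1w 1h)
dns1      IN A   203.0.113.10
dns2      IN A   203.0.113.11
www       IN A   203.0.113.20
ex2k      IN A   203.0.113.21
payment   IN A   203.0.113.22
imss      IN A   203.0.113.23
intranet  IN A   192.168.10.5
s7k2q     IN A   198.51.100.7
"""

# name [ttl] [IN] A a.b.c.d
A_RECORD = re.compile(
    r"^\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.I)


def parse_a_records(zone_text):
    """Return (hostname, IPv4Address) pairs for every A record in the text."""
    records = []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line)
        if m:
            records.append((m.group(1).lower(), ipaddress.ip_address(m.group(2))))
    return records


def role_revealing(records, words=ROLE_WORDS):
    """Hostnames whose first label (minus trailing digits) is a role word."""
    hits = []
    for name, _ in records:
        stem = re.sub(r"\d+$", "", name.split(".")[0])
        if stem in words:
            hits.append(name)
    return hits


def clustered_ranges(records, prefix=24, min_hosts=3):
    """Networks of the given prefix length that hold at least min_hosts hosts.

    Finding one of these hosts (say the MX) points at the rest of the range,
    which is the walk-up-and-down behaviour the post describes.
    """
    by_net = defaultdict(list)
    for name, ip in records:
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(name)
    return {str(net): sorted(names)
            for net, names in by_net.items() if len(names) >= min_hosts}


def internal_addresses(records):
    """Hosts whose public zone publishes an RFC 1918 address."""
    return [name for name, ip in records if any(ip in net for net in RFC1918)]


def audit(zone_text):
    """Run all three checks and return their findings in one dict."""
    records = parse_a_records(zone_text)
    return {"role_names": role_revealing(records),
            "clusters": clustered_ranges(records),
            "internal": internal_addresses(records)}


if __name__ == "__main__":
    findings = audit(SAMPLE_ZONE)
    for name in findings["role_names"]:
        print(f"role in hostname: {name}")
    for net, names in findings["clusters"].items():
        print(f"{len(names)} hosts share {net}: {', '.join(names)}")
    for name in findings["internal"]:
        print(f"private address published for: {name}")
```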

Tuesday, October 27, 2009

Schoolchild bullied while the crossing-guard mom looks on coldly? It's not that we're indifferent! It's not that others only dare to watch! This can be prevented from happening to you or your children.

I saw this headline online; the article, from ETtoday, reads as follows:
Schoolchild bullied while the crossing-guard mom looks on coldly
Updated: 2009/10/26 20:12 Local news desk / comprehensive report
Near a school in Kaohsiung, two junior-high students bullied an elementary-school pupil on a busy street. When the pupil resisted, the junior-high students "taught him a lesson", not only snatching his school bag but shoving him. Passers-by turned a blind eye, and even the crossing-guard mother at the school gate, who witnessed the whole thing, was unwilling to reach out to the child.


As a parent, watching this news and even the footage, aren't you worried that the child being bullied could be yours? Do you feel people today are colder and colder, able to ignore something like this happening right beside them? If one day you have a stroke or a heart attack on a busy street in an unfamiliar city, would the picture be the same? Is all of this down to modern indifference, or to a few inexperienced judges' wrong precedents that make everyone prefer to look away?
No. Explained through psychology, as below, this needn't be read so darkly.

First, a cheer for the wrongly blamed crossing-guard mom: this reaction is normal.

When something like this happens near you,
if many people have no reaction and the victim doesn't know how to ask others for help,
blaming the passers-by is pointless.
According to psychological research, when there are many people around, your chance of getting help does not rise greatly; it actually drops from over 75% to under 35%, even to just 10%. From almost everyone helping, it becomes three people walking past and only one helping, or even a crowd watching or walking coldly by with nobody willing to step forward.
This standard reaction is called the bystander response.
If you're interested, see the read for joy blog, which explains it very clearly.

So don't assume that if you saw such a thing you would definitely step in.
Now a reporter has added narration explaining everything. If it were you walking by, your eyes would rest on them for a second while your mind was on the shopping list, the utility bills to pay and getting out your icash card; you wouldn't even be sure whether they were brothers playing.
The crossing-guard mom has responsibility without authority; trying to shift the matter onto these volunteers is unfair.

Next, the blog I mentioned (read for joy) has discussed something far worse than this pupil's bullying, where someone died and nobody reacted:
United Press International (UPI) in Chicago once issued a report on the strangling of a young female college student. The body was found naked, beaten before death, by a small boy in the bushes by the campus wall. Police said the killing took place in broad daylight with people coming and going, and the spot where the victim was attacked was one of the city's most popular tourist sites. When the killer dragged the victim into the bushes, many people must have passed the scene. Afterwards a member of the public told police he had heard screams around two in the afternoon but had not gone to look, because nobody seemed to be reacting to it. (《透視影響力:人類史上最詭譎、強大的武器總析解》, p. 213)   The reason this tragic news could happen is the bystander effect. That is, when many people are present, because of diffusion of responsibility, everyone thinks "if I don't help, someone else will", "someone must already have called the police or an ambulance, there's no need for me to call again", "nobody is doing anything, so someone must already be handling it, it's fine", and so failing to help becomes more likely.
Even with something this serious, nobody reacted. For the reasons above, that is normal.

One more classic case makes it even clearer. From page 175 of the book 《請你跟我這樣做》:
"In March 1964, Catherine Genovese was not killed quietly in a short time; before dying she went through a long, loud, painful ordeal witnessed by many. The killer chased her around the street, attacking three times over thirty-five minutes, until a blade finally ended Catherine's screams. What is baffling is that thirty-eight of Catherine's neighbours watched the attack from their windows, yet not one of them picked up the phone to call the police."
The assistant chief inspector in charge of police supervision in Queens, New York, said the case baffled him, not because it was a murder, but because so many good people, good neighbours, none of them called the police. This happened in New York, the largest city of the world's leading power. Queens in 1964 didn't have especially bad public order, yet such a tragedy happened.

On this case, people's typical reaction 40 years ago was the same as everyone's reaction now to this bullied child. Some blamed violent television (today we'd add computer games and virtual worlds), some blamed repressed personalities, and most blamed the dehumanization of big-city life. In short, humanity is hopeless and should be wiped out in 2012.

But page 178 of that book explains the problem perfectly clearly: this phenomenon isn't big-city indifference or humanity deserving to die; there's a logic behind it:
"Psychologists reasoned that, when other bystanders are present, there are at least two reasons a witness to an emergency would hold back from helping. The first is direct: the presence of others who could equally help reduces each person's sense of responsibility to act. 'Someone will help or call for help; maybe someone already has.' Everyone thinks this, and in the end nobody actually does it. The other reason involves a subtler psychological mechanism, likewise rooted in the principle of social proof, and relates to pluralistic ignorance. Emergencies are often not easy to recognize: someone lying in the street, how do you tell whether it's a heart attack or drunkenness? Shouting next door, is it an intruder? Should you call the police? What if you call and it turns out to be a couple's domestic quarrel, how embarrassing. So when the situation is unclear, we tend first to look at how the others present are reacting, for clues to judge whether what's in front of us is an emergency."

These are the causes. Not everyone living in a big city is heartless; the city isn't to blame, it's the logic of human thinking. We soak every day in too much information; the bystander effect above is how our brains keep from bursting, and the principle of social proof teaches us that if nobody present is reacting, I'd better do the same as everyone else so I don't embarrass myself. It's these two brain-simplifying principles that lead to the tragedies above.

So, if parents want to teach their children to prevent this situation of being bullied with no bystander helping, teach them:
First, shout for help loudly. Let people around quickly understand the situation; let them know the person hitting you is not family, not a friend, and not playing. This removes the bystanders' uncertainty.
Second, if you are able to speak, send an even clearer message so everyone knows you need help; say it clearly to whoever is closest: "Crossing-guard mom, they're bullying me because I won't give them money, please protect me."

That way the crossing-guard mom is given the role of rescuer; only now does she know the child in front of her needs rescuing, understand that she, not someone else, must help, and finally see what help she can give. Once she understands, she knows she must act quickly, and in that situation ordinary people don't hold back. The bullies won't get away with it. Look at how many people online are criticizing and discussing this appalling incident and you'll see people aren't coldly looking on; there are plenty of warm-hearted people. Humanity's hope isn't so small and the distance between people isn't so great, as long as you send out enough signal.

Having read this, you should know how to call to passers-by if one day, in an unfamiliar city abroad, the left side of your body goes numb and you can't move: look the person in the eye and tell him, sir, my left side is paralysed, I need help, call an ambulance. That gives the passer-by enough information to be sure you really need help, and what kind. Once sure, they will act. And once someone acts, the others present understand the situation better and can take even better action (say a doctor or nurse happens to pass and gives first aid early, saving you half a year of rehab......)

Having read the above, you should know the problem isn't people's indifference. People aren't that cold.

The crossing-guard mom, who reacted to nothing because she had no complete information, shouldn't be blamed like this. Anyone present would have the same psychology. I hope my former colleagues still working in the media keep learning and don't feed simplified versions of everything into the heads of Taiwan's entire audience; and we too shouldn't accept all the media's notions without thinking. They earn little, do too much and work long hours, and really have no way to raise their own level. Let the media be our eyes, but don't let them replace our brains.

Friday, October 9, 2009

ratproxy, Google's web security checking tool

Also built into BackTrack 4.
Usage:
  1. First set the proxy server in Firefox or another browser to port 8080 on this machine
  2. Start ratproxy: ./ratproxy -v /tmp/ratproxy -w ratproxy.log -d xxx.yyy.com -lextfscgjmXC (active) or ./ratproxy -v /tmp/ratproxy -w ratproxy.log -d xxx.yyy.com -lextifscgjm (passive)

Then browse the pages you want through this proxy; it only pays attention to the xxx.yyy.com part.
Then generate the report: ./ratproxy-report.sh ratproxy.log > xxx.yyy.com.html
Then open it in Firefox and that's it.

I find the report rather verbose; many entries are small things like "no charset declared", and the passive approach means browsing a lot of places, so unless you know where the problems are, lazy me is better suited to active searching. Anyway, that's the report done.
If you need to go further and adjust parameters, see the ratproxy doc.

Scanning web pages with Paros proxy

Recently I downloaded the VM version of BackTrack 4 beta to try out and play with the tools inside.
I found Paros proxy quite handy; similar in spirit to Google's ratproxy, it checks web page security. It's built into BT4, so no installation needed.
Usage:
  1. Open Paros proxy first, then open Firefox and set its proxy to localhost, port 8080
  2. The site you just opened appears under Sites. Right-click, choose Spider and press Start to let it run
  3. When it finishes, go to Analyse > Scan to scan the URLs it just found for security vulnerabilities
  4. When the scan is done, go to Report > Last Scan Report
  5. If no result appears, use Firefox to go to /root/paros/session and find the report you just generated
That simple.

Also, if ratproxy is installed too, best to keep the two proxies on different ports. Set it under Options > Connection > Proxy port.
And if you want other machines to help, set their proxy to this machine's IP and proxy port, and set this machine's proxy IP to its real/virtual IP; in any case it mustn't be localhost or 127.0.0.1.

But this automated approach has a downside: it runs.... so.... slow.... My environment, an Intel Core 2 Duo E6550 @ 2.33GHz with 2G RAM, isn't slow, yet running it in X mode inside VMware against a site with two years of history took a whole day. Wow, te......rri......fying......

Friday, October 2, 2009

A trojan quietly steals your bank account

I saw an article in the China Times, "New trojan: beware of becoming a hacker's ATM", about a trojan called URLZone that is quite sophisticated: once implanted it doesn't steal all your savings overnight; it steals slowly, in irregular amounts so nobody notices, and it even alters the figures you see on the web page, so a busy person won't notice for a while. Wow, scary. If you're one of the busy ones, here's the answer first: no need to worry. For now.

For those with time to read on, let me explain the content of the PDF from Finjan, the company that found the problem.
1. It targets German online banking
2. The company has already tracked and locked onto the trojan's behaviour, protecting $439,000 in deposits and 6,400 computers from loss.

Now let's see how URLZone does it.

1. It exploits vulnerabilities in IE 6/7/8, Firefox, Opera, Maxthon and MyIE, which are widespread on Windows systems.

2. It is published on a hacker site, or social tricks on other sites arouse your curiosity so you click. Then the LuckySploit hidden or shown on that site enters your browser via JavaScript; none of this is visible to you, all the conversation happens between the browser and the web server. LuckySploit collects your computer's information, generates a private key, and talks to the web server holding the public key; the server then sends encrypted exploits to your computer (chosen from the data just collected, such as system version, installed programs and plug-ins: whatever holes you have, those are the exploits sent). Because it is encrypted, the whole process gets past every network security device (it just looks like ordinary browsing).

3. LuckySploit is a trojan toolkit with a very friendly interface that an idiot could use. As long as you can get the trojan to others, they'll have trouble detecting you, and the interface is slick and pretty (see http://www.finjan.com/MCRCblog.aspx?EntryId=2213). So everyone who has used it praises it. There's money in it, so they write it properly.

4. After LuckySploit plants the trojan on your computer, it connects to the C&C server for instructions and carries out a series of fine-grained operations: find your online banking credentials, copy your online banking screens, start stealing money from your account (the stolen amount is masked; the page you see is a forgery it shows you. It doesn't take everything at once; it steals slowly to avoid suspicion from the bank's audit system), and it logs your Facebook, PayPal and Gmail activity.

5. The C&C server is in Ukraine; the stolen money goes through money mules, who take a commission, and then to the hacker himself.

6. German police have begun investigating and the trojan has stopped operating.


The significance of this trojan is that it is a step further than before. Earlier online-banking trojans only stole your credentials for the hacker to use later (still stealing your money, but by hand). What makes this one more advanced is that it is more automated: it steals your credentials and your money without any manual step. He goes to work as usual; it's your computer that moves your money to him. In a bad economy, earning money is hard and robbing is fastest. Companies that don't value computer security and casually fire programmers who have worked there a dozen years will inevitably produce this result. Those people are unemployed and all they know is writing programs. Programs that benefit themselves, naturally.

Some of the above comes from SC Magazine US and the Finjan website.

Wednesday, September 23, 2009

Passed the CEH exam!

July and August are the busy season: three main clients plus other secondary ones used up all five weekdays, riding the Ho-Hsin bus north and south every day for training, vulnerability scanning and document revision. As luck would have it, the CEH course I had signed up for earlier was scheduled for exactly this time, so I attended the CEH course at 學承, standing at the podium by day and sitting in the audience by night.

Honestly the CEH course isn't enough; just walking through everything in the course uses up all the time, and I was often late (taking the 16:50 Ho-Hsin bus from Kaohsiung gets you back to Taichung at seven at the earliest), so I missed quite a few sessions. Fortunately these are things I touch on a daily basis, so going over them and practising at home wasn't hard. CPC (中油) also happened to schedule a hacking attack-and-defence course in August, which I used to practise while writing the PowerPoint, and my proficiency improved a lot after teaching it.

Cramming before the exam, I spent a week of commuting time reading past questions and felt I wasn't making much progress. Instead, on the last morning, flipping through the textbook (yes, that ridiculously heavy textbook), I found that many of the past-question answers I didn't understand were in the book, so I spent the last hour flipping through it, looking at anything with a diagram. In the exam room I found I had done the right thing. The exam wasn't too hard; a lot of experience from recent years could be used to judge questions, though my score wasn't very high either. I got 83 and was second-to-last to hand in, using two and a half hours. Strange, why did everyone hand in so early? Giving up? Or too easy? The earliest handed in after just an hour and a half. Still puzzled.

Also a little surprising: quite a few university and even high-school students came to this course. Fifty thousand NT dollars! Ancestral luck really makes a difference; unlike us, who have to weigh every course and certification three times over. But without practical experience, taking this course seems a bit of a waste. Apparently it's the cool name that draws so many young people.

For full-time IT staff, this course is worthwhile. Taking my clients as an example: a simple DNS query lists every machine that shouldn't appear; a simple program query pulls out several blank passwords, or accounts whose password equals the username. Of course there's far more to learn. If you can read English, download the version 6 PDF: newer, stronger programs and more content. Well worth a look.

Sadly, domestically only government agencies still take security seriously. In this globalized, complicated, unequal world, future natural disasters, man-made disasters and wars will certainly have an information-security component, and then no egg survives the broken nest; the losses from neglecting information security will be beyond imagination.

Tuesday, September 8, 2009

Key points for installing VMware Player on Ubuntu 9.04

I've had some free time lately and downloaded BackTrack to learn penetration testing. Using it with VMware Player turned out to be very convenient: no installation, faster than the live CD.
Then I got ideas about my Eee PC: install BackTrack on it and be mobile (war-motorcycling?)
But the Eee PC has no optical drive,
so I tried making a USB boot instead. After two days, the BackTrack 3 and 4 live CDs still wouldn't boot into KDE in USB live mode on either the Eee PC or an HP laptop.
Only BackTrack 3 and 4 under VMware Player on the PC were alive and well.
So I went with VMware Player on the Eee PC too.
But.......
I downloaded the VMware Player rpm, and the install on the Eee PC failed miserably too......

Another day gone, and the answer was on the Ubuntu site after all.
It turns out......
I was still living in the old text-mode Linux era,
messing around forever with the .rpm file.
It turns out you download the bundle version, which naturally comes with a windowed installer:
1. sudo aptitude install build-essential linux-headers-`uname -r`
2. gksudo bash ./VMware-Player-2.5.2-156735.i386.bundle
(using version 2.5.2 as the example)
Four days wasted; this idiot records it here for posterity.

Sunday, June 28, 2009

The formal end of an era

Michael Jackson has died. Posting my thoughts from watching The Ultimate Collection in 2006 on the blog to remember him:

Back in the eighties there were three MICHAELs. All clones of God.

On the court, the flying MICHAEL was surnamed JORDAN. But he came back three times afterwards, and the volume of moved tears fell geometrically with each comeback.

Then there were two MICHAELs in music. One impossibly handsome, naturally good-looking with no need for polish, MICHAEL was GEORGE MICHAEL. When he appeared, every boy in Taiwan fell out of favour at once. Though they hated him in their hearts, to chase girls they all professed to admire George Michael. Only later did they discover that GEORGE MICHAEL rather admired them too.

The last MICHAEL was the brightest star on stage, even if he was entirely man-made. Admit it or not, a lot of boys back then would take out his video tape when their parents were out and secretly practise the moonwalk. It was also the first time the world learned that grabbing your crotch could be a dance move. Damn cool. Only later we found out that besides fairy tales he also liked child.......

That's just how it is! God has to differ from mortals somehow to be called God. So even if God's comebacks repeat three times like a stutter, even if God admires men, even if God loves children as well as the world, none of that shakes God's brilliant achievements in his profession.

Let's look at MICHAEL JACKSON.

This god was born one. His performance is all-round. His MVs turned the three letters MTV into a global fashion industry; his stage shows could drive a hundred thousand people wild, shaking the ground; his studio voice is unique too, that beautiful falsetto his unregistered trademark.

Recently he released THE ULTIMATE COLLECTION. Ruinously expensive, over a thousand NT. Released alongside the developments in his trial, it's the best proof that the sales department lives in another world: did this album have to come out just when everybody hated him most? Although it does include four CDs (MICHAEL JACKSON really has so many songs that it takes four CDs to hold them) and a DVD. Yes, a live-concert DVD. Exactly the same set list as the Taipei show a dozen years ago.

But the case took a sharp turn after I covered my eyes and carried the DVD home from the Carrefour shelf.

Once we started watching, we couldn't stop. Not just us, the kids too. Later the neighbours came to watch as well. Everyone stared at every segment. Especially when the moonwalk appeared, even the precocious fifth-grade girl's eyes widened. The third- and fourth-grade boys started imitating on the spot. It was a live concert, but only a DVD; I don't know why everyone stood up to watch.

This DVD was recorded at his peak, with every best live effect that only he was qualified to use. So his excellence was inevitable. All the passion was only natural. Audience members fainting, fainting again, carried out to rest in every kind of posture, all those assorted postures becoming tributes to God.

This DVD became a Sunday pleasure among the neighbours. We former little boys each showed off what we thought were the most correct moves, letting our wives see what their husbands were like before they met them, which can only be described as cute.

Of course, we former little boys absolutely did not look at God with cute eyes. We saw his originality. A white glove, anyone can wear. Only when he wore it was it that dazzling. A thong we often ask our wives to wear; only he thought of wearing one on stage. Arms raised high, with nothing but a big electric fan; black leather shoes, white socks: walk into an interview like that and you'd be shown the door. Tacky! Only God dressed like that looks that good. To see a star's stage charisma, look at MICHAEL. Others are taught by a director; God jams it out with the director. That's originality. That's what's interesting.

Since buying this DVD we've watched it no fewer than a hundred times. If you have kids I suggest you all buy it and watch, and then we can study together what exactly kids like about it. Because our two have now fallen in love with MICHAEL, and the other four CDs in this PACKAGE have since topped the chart of best music in our car. Why does MICHAEL have the same power as the Teletubbies and Patrick Star? What do they have in common? Somebody tell me.

This idol is enough to let the kids know that Daddy and Mommy's idol back then is no less than today's!

An idol like MICHAEL is worth enjoying for the slow songs as well as the fast ones. Take You Are Not Alone: hearing it then and hearing it now, the feeling is completely different. In the MV, after a long run of fast numbers, MICHAEL sets this song in his home, which is still a stage, but an empty one. The scene is still lavish, but the stage is empty. With his makeup still on, the first line already kills you: Another day is gone..... I'm still alone.... Sung so gently, so honestly, so pitiably.

Actually, when everyone felt he was singing their feelings and resonated with it, he alone in the world knew he was singing his own. Nobody in the world could help him face his own problems. I think he must often have thought about his fans: you keep calling my name, saying how much you love me, buying my posters, treasuring my CDs. But if you knew the real me, would you still love me tomorrow?

This song is dedicated to all the people in the world who shouldn't be lonely but still are.
You are not alone.
__________________

Friday, June 12, 2009

Security isn't about saying no

http://www.cio.com/article/494718/RSA_Chief_the_Job_of_Security_Guys_is_Not_to_Be_Doctor_No_
RSA Chief: the Job of Security Guys is Not to Be 'Doctor No'
IT security managers should enable cloud computing by learning how to manage risk, says RSA chief Art Coviello.
By Jaikumar Vijayan
This article reminds security people to manage risk, not to avoid it.

Wed, June 10, 2009 — Computerworld — Web 2.0 technologies and cloud computing are extending traditional enterprise network perimeters to the point that they are practically vanishing, says a report released this week by RSA, the security division of EMC Corp. The report further states that information security managers who understand the associated risks and learn how to manage them can help their companies adopt such technologies on their own terms.
RSA has written a report.

The report also includes recommendations from 10 members of RSA's Security for Business Innovation Council, including chief information security officers from J.P. Morgan Chase, Motorola, eBay, Time Warner and RSA.
The report includes the views of security people from JP Morgan, Motorola, eBay, Time Warner and RSA.

In this interview, RSA president Art Coviello talked about some of the report's key recommendations as well as other topics.
Why did RSA do this report? This report is about what we call the hyperextended enterprise, which is exactly what you think it would be. We are using the Internet as never before. There are more devices, there are far more Web applications and now with Web 2.0 and social networking, communication is instant and pretty constant.
Our dealings as businesspeople with customers, suppliers, partners, and even our own employees, has changed dramatically in just the last seven or eight years. The opportunity being created with technologies like virtualization and cloud computing is extending the perimeter out even more. It literally puts your IT infrastructure out of the company in many instances. So our research is on whether people have learned the lessons of the past, and if they are building security into the cloud computing environment. Unfortunately, we found out that they are not doing this as they should.
We use the network far more than before, with Web 2.0, social networking and so on; the area to defend is much larger than it used to be. But it seems IT people haven't learned from past experience how to deal with cloud computing and virtualization.

What are some of the recommendations from the Security for Business Innovation Council in terms of what companies should be doing to enable cloud computing? The first recommendation is that if you are thinking of outsourcing applications and information and infrastructure then you ought to rein in the protection environment. See if there is a way to lessen the cost of security. Look at the kind of security measures you have, check them for cost effectiveness and see if there are redundancies.
The first recommendation is to review whether existing tools are effective and whether the cost of security can be reduced.

[Another] recommendation is to proactively embrace new technologies on your own. The job of the security guy is not to be "Doctor No." It's not to say "you can't do stuff," but rather how you can embrace these technologies and how you can do it securely. You can never do security perfectly, but if you do it in the context of risk, you can minimize your exposure.
The second recommendation is to actively engage with new technology. Security people shouldn't be like the doctor who keeps telling the patient you can't do this, you can't do that. Security is endless and never perfect; you can only reduce the risk you're exposed to.

It also makes sense if you no longer have control of the physical infrastructure to shift from protecting the container to protecting the data. One would assume that the cloud provider is protecting the container and the physical infrastructure. Your job then is to shift from protecting the container to protecting the data and information itself. Once you go to a cloud environment, it really is about how you maximize the use of your applications and your information and how you ensure that the people who need it get access to it.
After moving to the cloud, you can no longer see the physical layer as before, so your responsibility shifts to protecting the data. The physical and infrastructure parts are protected by the cloud provider, and you concentrate on protecting the data itself. Once you move to the cloud, what matters is how you maximize the use of your applications and information and guarantee that the people who need it get what they need.

[Another recommendation] is really about protecting data with security techniques that allow you to monitor the flow of data in real time. Things like data-leak prevention technologies that are far more dynamic and are based more on content and behavior and looking for anomalies based on who is getting access, or who is using the data and how it is being used.
Another recommendation is to use behaviour- and content-based detection to manage how data is used.

What impact has the recession had on information security budgets? Have they been as immune from cuts as some had expected them to be? Every budget has been impacted. There's no question about that. Relative to others though, security budgets have been impacted less. In our case we are gaining market share.
Has the recession affected security budgets? Of course, but security budgets were affected less.

This year we had 10% year-over-year growth in Q1 and actually almost 11% from an order standpoint. Now that is down from last year, but it is still positive growth. I think a lot of high-technology companies would have been thrilled to report growth in Q1. If you were to look at our product lines, SecurID which is still a very significant portion of our business, is only flat to maybe slightly up and that would be expected because it is so employment dependent. We are not getting expansion inside existing accounts because people aren't adding lots of employees. Our security incident management business is growing at well over 30%, while our ID protection and verification suite is growing at about 40%, and our data leak prevention is growing at 80% or 90%.
This year our Q1 YoY growth was 10%; lower than last year's YoY but still solid growth, much better than many tech companies' quarterly reports. Of these, SecurID, which tracks headcount, was only flat; it's our main product. Our security incident management products grew over 30%; ID protection and verification grew 40%; data leak prevention grew 80% to 90%.

Two years ago you had said that standalone security vendors are headed for extinction because vendors such as Microsoft, EMC and Cisco Systems were integrating security functions into their own products. Do you still believe that will happen? I was wrong on time but not on direction. There really are only two significantly large independent companies that are totally security focused today, and that's McAfee and CheckPoint and they are anomalies.
Two years ago I predicted standalone security vendors would face extinction, because big vendors like Microsoft, EMC and Cisco would add security functions to their products. I was wrong on timing but not on direction. Now the only security vendors left are McAfee and CheckPoint, and they are anomalies.

Symantec now owns Veritas so they are as much an infrastructure company as they are a security company. And let's pick a category like data leak prevention. The three big players in that space - IronPort, Tablus and Vontu were all snapped up.
There continue to be innovative startups and lots of point products, but increasingly, especially in cloud environments, the ability [of customers] to absorb countless numbers of independent point products tends to be less and less. We see customers wanting to minimize the amount of vendors they have because the technology really needs to be baked in. It needs to be transparent and seamless in the environment. I'm not saying there won't be security products. But I am saying the infrastructure companies are going to need their own security products and technologies and will form partnerships as we are doing with the likes of Microsoft and Cisco.
What do you think about President Obama's plans to appoint a White House cybersecurity coordinator? I think it makes tremendous sense. I think the idea of having somebody coordinate policy and to lobby strongly on Capitol Hill for the requisite funding and changes to law is a good one and I think it is very necessary.
Symantec now owns Veritas, so it's no longer a single-product vendor. In another area, data leak prevention, the top three vendors were all bought up. In the cloud area, customers now want as few vendors as possible and as little disconnection between products as possible. High integration and transparency are essential. Vendors have to work together. Obama has also set up a cybersecurity czar in the White House, which makes good sense: someone to coordinate policy and the necessary funding.

The [National Security Agency] has a lot to offer, but people are suspicious of them because they don't have a domestic charter. Homeland Security needs to play a very heavy role and I'm sure they will. But somebody in the White House coordinating the effort and also working with civilian agencies that have a lot of personally identifiable information like the IRS and the Social Security Administration just makes tremendous sense.
The NSA can help a lot, but they have no domestic charter to act. Homeland Security plays a very important role, but having someone in the White House coordinating directly with the IRS and the Social Security Administration makes even more sense.

Tuesday, April 28, 2009

What to do when you forget the root password on Ubuntu

1. First, at the GRUB boot menu, press "e" to enter edit mode.
2. Move the highlight to the kernel entry and press "e" again to edit it: kernel /boot/vmlinuz-2.4.19 root=/dev/hda1 init=/bin/bash, then press Enter to confirm, then press b to boot and see!
3. Then, of course, use the passwd command to change the password.

Friday, March 20, 2009

Repost: Blog security, seen through the 黑澀會 girls' self-portrait photos

A very down-to-earth description of SQL injection, XSS, phishing and so on, plus other very common but very serious security problems.

Thursday, March 19, 2009

Tools for checking whether a website has had malicious links injected

https://safeweb.norton.com/
Norton's online version

http://www.unmaskparasites.com/security-report/
Used to test for injected malware; it uses Google's data, so it isn't strictly necessary (a Google search would do). But besides the site itself, it can also check for spam links.

http://www.trendmicro.com.tw/wtp/micro/index.asp
Trend Micro's web reputation service: free (for now), but needs to be downloaded and installed, and stays resident on the computer; aimed at ordinary users.

http://www.siteadvisor.com/
McAfee's ("the coffee seller"); a browser plug-in.

Monday, March 2, 2009

Remarks of President Barack Obama -- Address to Joint Session of Congress

(originally posted on white house press office)

Madame Speaker, Mr. Vice President, Members of Congress, and the First Lady of the United States:

I’ve come here tonight not only to address the distinguished men and women in this great chamber, but to speak frankly and directly to the men and women who sent us here.

I know that for many Americans watching right now, the state of our economy is a concern that rises above all others. And rightly so. If you haven’t been personally affected by this recession, you probably know someone who has – a friend; a neighbor; a member of your family. You don’t need to hear another list of statistics to know that our economy is in crisis, because you live it every day. It’s the worry you wake up with and the source of sleepless nights. It’s the job you thought you’d retire from but now have lost; the business you built your dreams upon that’s now hanging by a thread; the college acceptance letter your child had to put back in the envelope. The impact of this recession is real, and it is everywhere.

But while our economy may be weakened and our confidence shaken; though we are living through difficult and uncertain times, tonight I want every American to know this:

We will rebuild, we will recover, and the United States of America will emerge stronger than before.

The weight of this crisis will not determine the destiny of this nation. The answers to our problems don’t lie beyond our reach. They exist in our laboratories and universities; in our fields and our factories; in the imaginations of our entrepreneurs and the pride of the hardest-working people on Earth. Those qualities that have made America the greatest force of progress and prosperity in human history we still possess in ample measure. What is required now is for this country to pull together, confront boldly the challenges we face, and take responsibility for our future once more.

Now, if we’re honest with ourselves, we’ll admit that for too long, we have not always met these responsibilities – as a government or as a people. I say this not to lay blame or look backwards, but because it is only by understanding how we arrived at this moment that we’ll be able to lift ourselves out of this predicament.

The fact is, our economy did not fall into decline overnight. Nor did all of our problems begin when the housing market collapsed or the stock market sank. We have known for decades that our survival depends on finding new sources of energy. Yet we import more oil today than ever before. The cost of health care eats up more and more of our savings each year, yet we keep delaying reform. Our children will compete for jobs in a global economy that too many of our schools do not prepare them for. And though all these challenges went unsolved, we still managed to spend more money and pile up more debt, both as individuals and through our government, than ever before.

In other words, we have lived through an era where too often, short-term gains were prized over long-term prosperity; where we failed to look beyond the next payment, the next quarter, or the next election. A surplus became an excuse to transfer wealth to the wealthy instead of an opportunity to invest in our future. Regulations were gutted for the sake of a quick profit at the expense of a healthy market. People bought homes they knew they couldn’t afford from banks and lenders who pushed those bad loans anyway. And all the while, critical debates and difficult decisions were put off for some other time on some other day.

Well that day of reckoning has arrived, and the time to take charge of our future is here.

Now is the time to act boldly and wisely – to not only revive this economy, but to build a new foundation for lasting prosperity. Now is the time to jumpstart job creation, re-start lending, and invest in areas like energy, health care, and education that will grow our economy, even as we make hard choices to bring our deficit down. That is what my economic agenda is designed to do, and that’s what I’d like to talk to you about tonight.

It’s an agenda that begins with jobs.

As soon as I took office, I asked this Congress to send me a recovery plan by President’s Day that would put people back to work and put money in their pockets. Not because I believe in bigger government – I don’t. Not because I’m not mindful of the massive debt we’ve inherited – I am. I called for action because the failure to do so would have cost more jobs and caused more hardships. In fact, a failure to act would have worsened our long-term deficit by assuring weak economic growth for years. That’s why I pushed for quick action. And tonight, I am grateful that this Congress delivered, and pleased to say that the American Recovery and Reinvestment Act is now law.

Over the next two years, this plan will save or create 3.5 million jobs. More than 90% of these jobs will be in the private sector – jobs rebuilding our roads and bridges; constructing wind turbines and solar panels; laying broadband and expanding mass transit.

Because of this plan, there are teachers who can now keep their jobs and educate our kids. Health care professionals can continue caring for our sick. There are 57 police officers who are still on the streets of Minneapolis tonight because this plan prevented the layoffs their department was about to make.

Because of this plan, 95% of the working households in America will receive a tax cut – a tax cut that you will see in your paychecks beginning on April 1st.

Because of this plan, families who are struggling to pay tuition costs will receive a $2,500 tax credit for all four years of college. And Americans who have lost their jobs in this recession will be able to receive extended unemployment benefits and continued health care coverage to help them weather this storm.

I know there are some in this chamber and watching at home who are skeptical of whether this plan will work. I understand that skepticism. Here in Washington, we’ve all seen how quickly good intentions can turn into broken promises and wasteful spending. And with a plan of this scale comes enormous responsibility to get it right.

That is why I have asked Vice President Biden to lead a tough, unprecedented oversight effort – because nobody messes with Joe. I have told each member of my Cabinet as well as mayors and governors across the country that they will be held accountable by me and the American people for every dollar they spend. I have appointed a proven and aggressive Inspector General to ferret out any and all cases of waste and fraud. And we have created a new website called recovery.gov so that every American can find out how and where their money is being spent.

So the recovery plan we passed is the first step in getting our economy back on track. But it is just the first step. Because even if we manage this plan flawlessly, there will be no real recovery unless we clean up the credit crisis that has severely weakened our financial system.

I want to speak plainly and candidly about this issue tonight, because every American should know that it directly affects you and your family’s well-being. You should also know that the money you’ve deposited in banks across the country is safe; your insurance is secure; and you can rely on the continued operation of our financial system. That is not the source of concern.

The concern is that if we do not re-start lending in this country, our recovery will be choked off before it even begins.

You see, the flow of credit is the lifeblood of our economy. The ability to get a loan is how you finance the purchase of everything from a home to a car to a college education; how stores stock their shelves, farms buy equipment, and businesses make payroll.

But credit has stopped flowing the way it should. Too many bad loans from the housing crisis have made their way onto the books of too many banks. With so much debt and so little confidence, these banks are now fearful of lending out any more money to households, to businesses, or to each other. When there is no lending, families can’t afford to buy homes or cars. So businesses are forced to make layoffs. Our economy suffers even more, and credit dries up even further.

That is why this administration is moving swiftly and aggressively to break this destructive cycle, restore confidence, and re-start lending.

We will do so in several ways. First, we are creating a new lending fund that represents the largest effort ever to help provide auto loans, college loans, and small business loans to the consumers and entrepreneurs who keep this economy running.

Second, we have launched a housing plan that will help responsible families facing the threat of foreclosure lower their monthly payments and re-finance their mortgages. It’s a plan that won’t help speculators or that neighbor down the street who bought a house he could never hope to afford, but it will help millions of Americans who are struggling with declining home values – Americans who will now be able to take advantage of the lower interest rates that this plan has already helped bring about. In fact, the average family who re-finances today can save nearly $2000 per year on their mortgage.

Third, we will act with the full force of the federal government to ensure that the major banks that Americans depend on have enough confidence and enough money to lend even in more difficult times. And when we learn that a major bank has serious problems, we will hold accountable those responsible, force the necessary adjustments, provide the support to clean up their balance sheets, and assure the continuity of a strong, viable institution that can serve our people and our economy.

I understand that on any given day, Wall Street may be more comforted by an approach that gives banks bailouts with no strings attached, and that holds nobody accountable for their reckless decisions. But such an approach won’t solve the problem. And our goal is to quicken the day when we re-start lending to the American people and American business and end this crisis once and for all.

I intend to hold these banks fully accountable for the assistance they receive, and this time, they will have to clearly demonstrate how taxpayer dollars result in more lending for the American taxpayer. This time, CEOs won’t be able to use taxpayer money to pad their paychecks or buy fancy drapes or disappear on a private jet. Those days are over.

Still, this plan will require significant resources from the federal government – and yes, probably more than we’ve already set aside. But while the cost of action will be great, I can assure you that the cost of inaction will be far greater, for it could result in an economy that sputters along for not months or years, but perhaps a decade. That would be worse for our deficit, worse for business, worse for you, and worse for the next generation. And I refuse to let that happen.

I understand that when the last administration asked this Congress to provide assistance for struggling banks, Democrats and Republicans alike were infuriated by the mismanagement and results that followed. So were the American taxpayers. So was I.

So I know how unpopular it is to be seen as helping banks right now, especially when everyone is suffering in part from their bad decisions. I promise you – I get it.

But I also know that in a time of crisis, we cannot afford to govern out of anger, or yield to the politics of the moment. My job – our job – is to solve the problem. Our job is to govern with a sense of responsibility. I will not spend a single penny for the purpose of rewarding a single Wall Street executive, but I will do whatever it takes to help the small business that can’t pay its workers or the family that has saved and still can’t get a mortgage.

That’s what this is about. It’s not about helping banks – it’s about helping people. Because when credit is available again, that young family can finally buy a new home. And then some company will hire workers to build it. And then those workers will have money to spend, and if they can get a loan too, maybe they’ll finally buy that car, or open their own business. Investors will return to the market, and American families will see their retirement secured once more. Slowly, but surely, confidence will return, and our economy will recover.

So I ask this Congress to join me in doing whatever proves necessary. Because we cannot consign our nation to an open-ended recession. And to ensure that a crisis of this magnitude never happens again, I ask Congress to move quickly on legislation that will finally reform our outdated regulatory system. It is time to put in place tough, new common-sense rules of the road so that our financial market rewards drive and innovation, and punishes short-cuts and abuse.

The recovery plan and the financial stability plan are the immediate steps we’re taking to revive our economy in the short-term. But the only way to fully restore America’s economic strength is to make the long-term investments that will lead to new jobs, new industries, and a renewed ability to compete with the rest of the world. The only way this century will be another American century is if we confront at last the price of our dependence on oil and the high cost of health care; the schools that aren’t preparing our children and the mountain of debt they stand to inherit. That is our responsibility.

In the next few days, I will submit a budget to Congress. So often, we have come to view these documents as simply numbers on a page or laundry lists of programs. I see this document differently. I see it as a vision for America – as a blueprint for our future.

My budget does not attempt to solve every problem or address every issue. It reflects the stark reality of what we’ve inherited – a trillion dollar deficit, a financial crisis, and a costly recession.

Given these realities, everyone in this chamber – Democrats and Republicans – will have to sacrifice some worthy priorities for which there are no dollars. And that includes me.

But that does not mean we can afford to ignore our long-term challenges. I reject the view that says our problems will simply take care of themselves; that says government has no role in laying the foundation for our common prosperity.

For history tells a different story. History reminds us that at every moment of economic upheaval and transformation, this nation has responded with bold action and big ideas. In the midst of civil war, we laid railroad tracks from one coast to another that spurred commerce and industry. From the turmoil of the Industrial Revolution came a system of public high schools that prepared our citizens for a new age. In the wake of war and depression, the GI Bill sent a generation to college and created the largest middle-class in history. And a twilight struggle for freedom led to a nation of highways, an American on the moon, and an explosion of technology that still shapes our world.

In each case, government didn’t supplant private enterprise; it catalyzed private enterprise. It created the conditions for thousands of entrepreneurs and new businesses to adapt and to thrive.

We are a nation that has seen promise amid peril, and claimed opportunity from ordeal. Now we must be that nation again. That is why, even as it cuts back on the programs we don’t need, the budget I submit will invest in the three areas that are absolutely critical to our economic future: energy, health care, and education.

It begins with energy.

We know the country that harnesses the power of clean, renewable energy will lead the 21st century. And yet, it is China that has launched the largest effort in history to make their economy energy efficient. We invented solar technology, but we’ve fallen behind countries like Germany and Japan in producing it. New plug-in hybrids roll off our assembly lines, but they will run on batteries made in Korea.

Well I do not accept a future where the jobs and industries of tomorrow take root beyond our borders – and I know you don’t either. It is time for America to lead again.

Thanks to our recovery plan, we will double this nation’s supply of renewable energy in the next three years. We have also made the largest investment in basic research funding in American history – an investment that will spur not only new discoveries in energy, but breakthroughs in medicine, science, and technology.

We will soon lay down thousands of miles of power lines that can carry new energy to cities and towns across this country. And we will put Americans to work making our homes and buildings more efficient so that we can save billions of dollars on our energy bills.

But to truly transform our economy, protect our security, and save our planet from the ravages of climate change, we need to ultimately make clean, renewable energy the profitable kind of energy. So I ask this Congress to send me legislation that places a market-based cap on carbon pollution and drives the production of more renewable energy in America. And to support that innovation, we will invest fifteen billion dollars a year to develop technologies like wind power and solar power; advanced biofuels, clean coal, and more fuel-efficient cars and trucks built right here in America.

As for our auto industry, everyone recognizes that years of bad decision-making and a global recession have pushed our automakers to the brink. We should not, and will not, protect them from their own bad practices. But we are committed to the goal of a re-tooled, re-imagined auto industry that can compete and win. Millions of jobs depend on it. Scores of communities depend on it. And I believe the nation that invented the automobile cannot walk away from it.

None of this will come without cost, nor will it be easy. But this is America. We don’t do what’s easy. We do what is necessary to move this country forward.

For that same reason, we must also address the crushing cost of health care.

This is a cost that now causes a bankruptcy in America every thirty seconds. By the end of the year, it could cause 1.5 million Americans to lose their homes. In the last eight years, premiums have grown four times faster than wages. And in each of these years, one million more Americans have lost their health insurance. It is one of the major reasons why small businesses close their doors and corporations ship jobs overseas. And it’s one of the largest and fastest-growing parts of our budget.

Given these facts, we can no longer afford to put health care reform on hold.

Already, we have done more to advance the cause of health care reform in the last thirty days than we have in the last decade. When it was days old, this Congress passed a law to provide and protect health insurance for eleven million American children whose parents work full-time. Our recovery plan will invest in electronic health records and new technology that will reduce errors, bring down costs, ensure privacy, and save lives. It will launch a new effort to conquer a disease that has touched the life of nearly every American by seeking a cure for cancer in our time. And it makes the largest investment ever in preventive care, because that is one of the best ways to keep our people healthy and our costs under control.

This budget builds on these reforms. It includes an historic commitment to comprehensive health care reform – a down-payment on the principle that we must have quality, affordable health care for every American. It’s a commitment that’s paid for in part by efficiencies in our system that are long overdue. And it’s a step we must take if we hope to bring down our deficit in the years to come.

Now, there will be many different opinions and ideas about how to achieve reform, and that is why I’m bringing together businesses and workers, doctors and health care providers, Democrats and Republicans to begin work on this issue next week.

I suffer no illusions that this will be an easy process. It will be hard. But I also know that nearly a century after Teddy Roosevelt first called for reform, the cost of our health care has weighed down our economy and the conscience of our nation long enough. So let there be no doubt: health care reform cannot wait, it must not wait, and it will not wait another year.

The third challenge we must address is the urgent need to expand the promise of education in America.

In a global economy where the most valuable skill you can sell is your knowledge, a good education is no longer just a pathway to opportunity – it is a pre-requisite.

Right now, three-quarters of the fastest-growing occupations require more than a high school diploma. And yet, just over half of our citizens have that level of education. We have one of the highest high school dropout rates of any industrialized nation. And half of the students who begin college never finish.

This is a prescription for economic decline, because we know the countries that out-teach us today will out-compete us tomorrow. That is why it will be the goal of this administration to ensure that every child has access to a complete and competitive education – from the day they are born to the day they begin a career.

Already, we have made an historic investment in education through the economic recovery plan. We have dramatically expanded early childhood education and will continue to improve its quality, because we know that the most formative learning comes in those first years of life. We have made college affordable for nearly seven million more students. And we have provided the resources necessary to prevent painful cuts and teacher layoffs that would set back our children’s progress.

But we know that our schools don’t just need more resources. They need more reform. That is why this budget creates new incentives for teacher performance; pathways for advancement, and rewards for success. We’ll invest in innovative programs that are already helping schools meet high standards and close achievement gaps. And we will expand our commitment to charter schools.

It is our responsibility as lawmakers and educators to make this system work. But it is the responsibility of every citizen to participate in it. And so tonight, I ask every American to commit to at least one year or more of higher education or career training. This can be community college or a four-year school; vocational training or an apprenticeship. But whatever the training may be, every American will need to get more than a high school diploma. And dropping out of high school is no longer an option. It’s not just quitting on yourself, it’s quitting on your country – and this country needs and values the talents of every American. That is why we will provide the support necessary for you to complete college and meet a new goal: by 2020, America will once again have the highest proportion of college graduates in the world.

I know that the price of tuition is higher than ever, which is why if you are willing to volunteer in your neighborhood or give back to your community or serve your country, we will make sure that you can afford a higher education. And to encourage a renewed spirit of national service for this and future generations, I ask this Congress to send me the bipartisan legislation that bears the name of Senator Orrin Hatch as well as an American who has never stopped asking what he can do for his country – Senator Edward Kennedy.

These education policies will open the doors of opportunity for our children. But it is up to us to ensure they walk through them. In the end, there is no program or policy that can substitute for a mother or father who will attend those parent/teacher conferences, or help with homework after dinner, or turn off the TV, put away the video games, and read to their child. I speak to you not just as a President, but as a father when I say that responsibility for our children's education must begin at home.

There is, of course, another responsibility we have to our children. And that is the responsibility to ensure that we do not pass on to them a debt they cannot pay. With the deficit we inherited, the cost of the crisis we face, and the long-term challenges we must meet, it has never been more important to ensure that as our economy recovers, we do what it takes to bring this deficit down.

I’m proud that we passed the recovery plan free of earmarks, and I want to pass a budget next year that ensures that each dollar we spend reflects only our most important national priorities.

Yesterday, I held a fiscal summit where I pledged to cut the deficit in half by the end of my first term in office. My administration has also begun to go line by line through the federal budget in order to eliminate wasteful and ineffective programs. As you can imagine, this is a process that will take some time. But we’re starting with the biggest lines. We have already identified two trillion dollars in savings over the next decade.

In this budget, we will end education programs that don’t work and end direct payments to large agribusinesses that don’t need them. We’ll eliminate the no-bid contracts that have wasted billions in Iraq, and reform our defense budget so that we’re not paying for Cold War-era weapons systems we don’t use. We will root out the waste, fraud, and abuse in our Medicare program that doesn’t make our seniors any healthier, and we will restore a sense of fairness and balance to our tax code by finally ending the tax breaks for corporations that ship our jobs overseas.

In order to save our children from a future of debt, we will also end the tax breaks for the wealthiest 2% of Americans. But let me be perfectly clear, because I know you’ll hear the same old claims that rolling back these tax breaks means a massive tax increase on the American people: if your family earns less than $250,000 a year, you will not see your taxes increased a single dime. I repeat: not one single dime. In fact, the recovery plan provides a tax cut – that’s right, a tax cut – for 95% of working families. And these checks are on the way.

To preserve our long-term fiscal health, we must also address the growing costs in Medicare and Social Security. Comprehensive health care reform is the best way to strengthen Medicare for years to come. And we must also begin a conversation on how to do the same for Social Security, while creating tax-free universal savings accounts for all Americans.

Finally, because we’re also suffering from a deficit of trust, I am committed to restoring a sense of honesty and accountability to our budget. That is why this budget looks ahead ten years and accounts for spending that was left out under the old rules – and for the first time, that includes the full cost of fighting in Iraq and Afghanistan. For seven years, we have been a nation at war. No longer will we hide its price.

We are now carefully reviewing our policies in both wars, and I will soon announce a way forward in Iraq that leaves Iraq to its people and responsibly ends this war.

And with our friends and allies, we will forge a new and comprehensive strategy for Afghanistan and Pakistan to defeat al Qaeda and combat extremism. Because I will not allow terrorists to plot against the American people from safe havens half a world away.

As we meet here tonight, our men and women in uniform stand watch abroad and more are readying to deploy. To each and every one of them, and to the families who bear the quiet burden of their absence, Americans are united in sending one message: we honor your service, we are inspired by your sacrifice, and you have our unyielding support. To relieve the strain on our forces, my budget increases the number of our soldiers and Marines. And to keep our sacred trust with those who serve, we will raise their pay, and give our veterans the expanded health care and benefits that they have earned.

To overcome extremism, we must also be vigilant in upholding the values our troops defend – because there is no force in the world more powerful than the example of America. That is why I have ordered the closing of the detention center at Guantanamo Bay, and will seek swift and certain justice for captured terrorists – because living our values doesn’t make us weaker, it makes us safer and it makes us stronger. And that is why I can stand here tonight and say without exception or equivocation that the United States of America does not torture.

In words and deeds, we are showing the world that a new era of engagement has begun. For we know that America cannot meet the threats of this century alone, but the world cannot meet them without America. We cannot shun the negotiating table, nor ignore the foes or forces that could do us harm. We are instead called to move forward with the sense of confidence and candor that serious times demand.

To seek progress toward a secure and lasting peace between Israel and her neighbors, we have appointed an envoy to sustain our effort. To meet the challenges of the 21st century – from terrorism to nuclear proliferation; from pandemic disease to cyber threats to crushing poverty – we will strengthen old alliances, forge new ones, and use all elements of our national power.

And to respond to an economic crisis that is global in scope, we are working with the nations of the G-20 to restore confidence in our financial system, avoid the possibility of escalating protectionism, and spur demand for American goods in markets across the globe. For the world depends on us to have a strong economy, just as our economy depends on the strength of the world’s.

As we stand at this crossroads of history, the eyes of all people in all nations are once again upon us – watching to see what we do with this moment; waiting for us to lead.

Those of us gathered here tonight have been called to govern in extraordinary times. It is a tremendous burden, but also a great privilege – one that has been entrusted to few generations of Americans. For in our hands lies the ability to shape our world for good or for ill.

I know that it is easy to lose sight of this truth – to become cynical and doubtful; consumed with the petty and the trivial.

But in my life, I have also learned that hope is found in unlikely places; that inspiration often comes not from those with the most power or celebrity, but from the dreams and aspirations of Americans who are anything but ordinary.

I think about Leonard Abess, the bank president from Miami who reportedly cashed out of his company, took a $60 million bonus, and gave it out to all 399 people who worked for him, plus another 72 who used to work for him. He didn’t tell anyone, but when the local newspaper found out, he simply said, "I knew some of these people since I was 7 years old. I didn't feel right getting the money myself."

I think about Greensburg, Kansas, a town that was completely destroyed by a tornado, but is being rebuilt by its residents as a global example of how clean energy can power an entire community – how it can bring jobs and businesses to a place where piles of bricks and rubble once lay. "The tragedy was terrible," said one of the men who helped them rebuild. "But the folks here know that it also provided an incredible opportunity."

And I think about Ty’Sheoma Bethea, the young girl from that school I visited in Dillon, South Carolina – a place where the ceilings leak, the paint peels off the walls, and they have to stop teaching six times a day because the train barrels by their classroom. She has been told that her school is hopeless, but the other day after class she went to the public library and typed up a letter to the people sitting in this room. She even asked her principal for the money to buy a stamp. The letter asks us for help, and says, "We are just students trying to become lawyers, doctors, congressmen like yourself and one day president, so we can make a change to not just the state of South Carolina but also the world. We are not quitters."

We are not quitters.

These words and these stories tell us something about the spirit of the people who sent us here. They tell us that even in the most trying times, amid the most difficult circumstances, there is a generosity, a resilience, a decency, and a determination that perseveres; a willingness to take responsibility for our future and for posterity.

Their resolve must be our inspiration. Their concerns must be our cause. And we must show them and all our people that we are equal to the task before us.

I know that we haven’t agreed on every issue thus far, and there are surely times in the future when we will part ways. But I also know that every American who is sitting here tonight loves this country and wants it to succeed. That must be the starting point for every debate we have in the coming months, and where we return after those debates are done. That is the foundation on which the American people expect us to build common ground.

And if we do – if we come together and lift this nation from the depths of this crisis; if we put our people back to work and restart the engine of our prosperity; if we confront without fear the challenges of our time and summon that enduring spirit of an America that does not quit, then someday years from now our children can tell their children that this was the time when we performed, in the words that are carved into this very chamber, "something worthy to be remembered." Thank you, God Bless you, and may God Bless the United States of America.

Thoughts after listening to "Remarks of President Barack Obama -- Address to Joint Session of Congress"

These past few days, while exercising, I have been listening to Obama's address to Congress. It is very moving, and I want to record on my own blog the points that moved me.
Obama's speaking ability is uncanny; after taking six credits of public speaking courses, I think so even more.
The speech is easy to understand, clear and well structured, so that after hearing it you still remember his key points, and it even moves people to act.
A single speech that combines the qualities of both an informative and a persuasive speech: he is a true master. It is as hard as having the Heaven Sword and the Dragon Sabre appear in one person's hands at the same time, with that person happening to be a master of both sabre and sword, and also trained in Zhou Botong's two-handed dual-combat technique. What's more, in a speech this long he keeps everything under effortless control; even though he reads from a script, it looks as natural as speaking without one, with no pause when switching. Everyone present, seeing this, was won over. It's like when the boss doesn't go to the toilet, you don't dare go either: after one meeting with him, you know he is your leader. His grasp of the key points is stronger than yours, his stamina is better, his data is more complete, and he understands your data better than you understand yourself. All I can say is: respect.

Leadership.
He clearly simplifies what needs to be done and sets unambiguous goals: when to withdraw from Iraq, when the tax-cut checks will reach your hands. What is on the way, and what arrives when. Once the main threads are laid out, the rest is left to the people who execute. Under a boss like that, work is easy. A president like that readily gives people hope: hey, none of us know what to do, but this guy knows what he's doing, so let's try doing what he says. When everyone in a company understands the direction the company is taking, the chance that they will find a way to make money together rises greatly. When the people of an entire nation move in the same direction, that force is very powerful.

Lately the stock market has been whipsawing bulls and bears alike. At a time like this, if someone tells you which direction to take, and after you follow it he turns out to be right, so that you don't have to run around busy as a fool, you will naturally thank him for lightening your heavy load. Because he has made your world simpler, you have time to worry about your own affairs: what to cook, which cram school the kids should attend, how to encourage that staffer who has been underperforming lately.

Americans, or rather the middle class of the whole world, have been whipsawed by globalization for a decade. No matter what you do, your company's jobs keep draining overseas; no matter how you earn, the days when one man could support a family are long gone. Even if you are good at earning, you watch your superiors and bosses hand their investments to structured notes, principal-protected and profitable, so they can focus fully on their work every day, winning promotion after promotion while their savings climb; and you? Burning the candle at both ends, unable to move up at work, your standing at home plummeting; the moment you try to rouse yourself, you meet objections. You want to take a vacation to clear your head, but every place you can afford gets sneered at as cheap; you settle for less and just want some quiet, and get called selfish. So you earn money and hand it to the family; the kids complain, the wife nags. You finally muster the courage, take your savings, and throw yourself into the arms of a financial advisor; before long, you haven't embraced the pretty female advisor, and your money has been heavily discounted too. When there is profit, none of it is yours; when there is loss, even the taxes you paid cannot be used to build your children's future, but instead go to those fat cats to ransom the banks they hold hostage. It isn't only Taiwan's Mazu temple associations that get hijacked by local politicians; Americans are just as put-upon. At this moment Obama appears, says all these put-upon thoughts out loud, and attaches solutions; of course everyone welcomes him. And this welcoming mood will keep people from complaining for a good while.

What Obama talks about is not only your job, and his audience is not only adults. He brings up family education; he says nothing is more important than parents checking their kids' homework after dinner and reading to their children. From now on, turn off the TV and put away the game consoles. Education is the competitiveness of ten years from now; if America wants to rise again, education cannot lag the way it does today. America has the highest high-school dropout rate among industrialized nations, and of those who enter college, half never finish. With workforce quality like that, it cannot keep leading the world, nor stem the loss of jobs. So to those who give up on school: you are giving up not only on yourself but on your country. He will reform education, let students who want to learn keep learning until they graduate, encourage teachers who perform well, and give them room to grow. As for ordinary Americans, he also calls on everyone to pursue at least one to four years of further education.

He also planted setups: the people mentioned in the speech, such as the middle-school girl who wrote a letter asking for help, seemed to be present. And the banker who gave away his fortune, whom Obama used to mock the fat cats of the banking world, also seemed to be present. These are all punchlines. All I can say is that although the speech is long, it has plenty of punchlines, and applause pops up like popcorn. Counted the way a blockbuster comedy is counted, there is a laugh every minute and a big laugh every three minutes. This film could gross billions. Look at the woman behind Obama on the right (presumably the Speaker): at first she would politely wait for the deputy speaker beside her to stand and applaud together, so the picture looked more harmonious. Later she no longer cared; at a brilliant line she couldn't stay in her seat, forget it, she couldn't hold back, an irrepressible smile, applauding nonstop. As for me, although I am not American, I would be just as willing to head in the direction he points.

Having said so much about how great and moving Obama is, even the name of the act that passed, the ARRA (American Recovery and Reinvestment Act), is meaningful: he wants to turn the situation around.
But can he actually do it?
Here I will cite two books to prove that he can't. Yes, I am one of those so-called skeptical and cynical. The first book is "When Corporations Take Over the Nation" (當企業併購國家). This book explains in detail that in the United States, legislators get elected not by relying on voters but on the backing of their financiers. Although they have strict laws and public disclosure, that does not change one fact: in America, marketing is too important and too expensive. Too important for you to do without marketing or to avoid depending on it. Too expensive for you to raise enough campaign funds from voters' fifty- and hundred-dollar contributions; you must get large sums from the big shots, or you will run out of cash. A candidate who runs out of cash is a dog that can only bark. So, with every member of Congress depending on corporate money to get elected, behind every member stands the shadow of his financier. People reciprocate; otherwise there is no next time. We all assume that getting elected relies on the power of voters. Maybe. But in reality, he must rely on the power of the shadow before voters can even see him. So the shadows rule now, and the shadow's power is greater and longer-lasting than you imagine. Hence, "corporations take over the nation".

Among them, only Obama's campaign funds were built up slowly from fifty- and hundred-dollar donations, so Obama can say it easily; he has no baggage. For the others, being as free of baggage as he is would be difficult. Obama is an exception. Will such an exception be welcomed? For now. He is simply too classical: Americans don't torture, Americans don't give up easily, Americans don't do what's easy! Everyone wants to be like him. But Obama's other problem is that he has no connections. I quote page 44 of the second book, "Please Do As I Do" (請你跟我這樣做):
"The rule of reciprocity: if a congressman unexpectedly champions some bill or agenda, we can usually infer that he is repaying a favor to the bill's supporters. Early in President Johnson's term, so many of his programs got through Congress that even members of the opposing camp voted in favor. This was not due to Johnson's personal political shrewdness, but to the fact that, after many years in both chambers, he had done favors for many members. President Carter, although both chambers were then in Democratic hands, saw his bills stall again and again early in his term. Because Carter had little connection with Capitol Hill before entering the White House and ran as a non-Washington outsider, he carried no burden of favors, that is, nobody owed him one. Clinton, whose ties to Washington were not deep, ran into the same situation."

Before taking office, Obama had served only one term in the Senate; the rest of the time he was merely an Illinois state legislator. His situation is much like Carter's. I can imagine many members of Congress, no, rather many financiers, that is, the vested interests, now lying low, waiting until Obama's moment has passed and he makes a mistake, then sending out every senator and representative tied to their interests to hamstring him, no, rather to fight for their own enterprises' survival. This is inevitable.

Yes, we can.
But can we?
I believe Obama will not succeed.
But, actually, I hope he succeeds.

Friday, February 27, 2009

Prudential on the go

This story appeared on Network World at
http://www.networkworld.com/allstar/2007/112607-prudential-mobility.html

VoIP and enterprise mobility initiatives expected to benefit traders on the floor
By Jon Brodkin, Network World, 11/26/2007

When Prudential Financial of Newark, N.J., strategizes about enterprise mobility, nobody gets left out -- whether that person is a call-center agent or a trader on the floor.
Just about any of its 40,000 employees across the globe, the company reasons, should be able to work from home or on the road just as if they were sitting in an office chair. After all, they need "to be able to respond to customers, access information, get to critical data and communicate with people, and not necessarily from the fixed position they've always been sitting at," says Jim White, a Prudential vice president and IT project leader.

To meet the company's "anytime, anywhere, anyway" goals, IT over the past year upgraded IP PBX systems and deployed new IP phones, Power-over-Ethernet switches, wireless gear and software. Doing so necessitated only a slight increase to the $4 million Prudential's IT leaders had budgeted for a voice and data technology refresh to replace end-of-life products. The company wins a 2007 Enterprise All-Star Award for pushing the boundaries on convergence and mobilization for all employees.

The business units have been highly receptive, says Chuck Pagano, vice president of network design and engineering. "We're starting to integrate most of our businesses into the pilots." And, "from a recruiting and retention perspective, mobility has become a big plus in going after employees dispersed throughout the country," he says.

Increased mobility

A few thousand users across 14 U.S. sites and five international locations are benefiting from this year's upgrades, which will be rolled out across the company in three to five years. For example, since tests began in June 2006, more than 1,000 users have received IP softphones, one of the project's major components.

This lets them manage their office telephones remotely with the capabilities of a desk phone. They no longer must dial repeatedly into the system to retrieve voice mail or change voice mail greetings or pager settings because they've switched locations, for example.

Another 800 call center agents -- nearly one-third of the company's call-center operation -- use comparable agent software on their desktops. (Prudential executives wouldn't discuss which vendors they use, but IP softphone technology is available from Cisco and Avaya, among others.)

This year's work follows from Prudential's initial VoIP deployment in 2004. VoIP now extends to the company's 13 largest offices, representing most of its voice traffic. Prudential's savings, largely because of this year's PBX upgrades, have reached $60,000 per month over the cost of previous calling plans. That number is expected to grow, but it doesn't take into account other ROI factors, such as increased productivity because of rapid deployment of new customer service representatives, and cost avoidance from not having to build new call centers.

The impacts are being felt abroad, too. Prudential employees in Letterkenny, Ireland, log on to the Newark call center, letting agents make and receive calls over the IP infrastructure while controlling call-center phone features on their PCs. "All we had to do was make sure they had the appropriate software," says Dennis Marine, vice president of IS.

In addition to IP agent software and softphones, Prudential has extended IP telephony to 1,600 users and plans to expand that number to 3,000 by year-end. For example, the company has equipped its trading floors in the United States and abroad with IP trading turrets. Now traders have the flexibility of moving from one site to another. Upon logon, they get consistent functions at any floor.

Prudential also has installed 100 wireless access points for 2,000 users and is giving wireless Internet access to guests at Prudential buildings.

Beyond technology

All these technologies have been deployed at other companies. What makes the project distinctive to Prudential is the way it combined these products to give business users substantial benefits while making sure they received the training necessary for a smooth transition. Managers at Prudential weren't used to overseeing remote workers, so IT had to spend a lot of time on internal training and working with human resources departments to develop policies and procedures.

"From a technology perspective, I don't want to say it was easy, but it was simpler than the challenges that were presented when we tried to get management, as well as some of the associates, familiar with managing a virtual team," Pagano says. "That was a little intimidating for some of our managers because it's never been done before [here]."

If technology was the easy part, maybe that's why IT managers decided to give themselves a few extra challenges. Prudential made the strategic decision to make it as easy as possible for employees to use the new systems, and that meant letting users access Prudential networks with their own machines. "We were forced to support [Windows] Vista from a remote-access perspective before we were ready to support it in our enterprise," Pagano says. "That's kind of innovative. A lot of [companies] just do not allow it because of the time required for support."

Is the CISSP paper security?


I was originally looking for more sources of CPEs, but instead found a blog post
http://taosecurity.blogspot.com/2005/06/cissp-any-value-few-of-you-wrote-me.html
discussing whether the CISSP is "paper security".
The discussion there is quite good.
The blog's author is himself quite senior: one of the contributing authors of Hacking Exposed, and he has published other books as well.

His main point is that the CISSP should not be treated as a synonym for security, nor as the one and only certification. He also thinks (ISC)²'s certification process has problems: in 2002 a seventeen-year-old even obtained the CISSP (who endorsed him, and who audited it?).
In the replies, one commenter who described himself as a network manager said that he considers anyone who lists a CISSP on their résumé a rookie, since only rookies need a certification to win over the HR department.
What these people say is all true, but each is only part of the truth. The CISSP should not be over-inflated, but has it really become so bad that it is nothing but paper?

One commenter, Dana, put it this way: nobody can cover every technical topic, but a CISSP holder can at least find the right expert for a given area; he need not be that expert himself. Nobody stays expert in everything forever. You cannot call all CISSPs paper because one CISSP does not know one technical thing. You cannot write off a whole person over one thing, and you cannot write off everyone who has passed the CISSP over one person.


Of course, with any exam, someone will try to game it and spend as little effort as possible; even without much real experience, they will look for the cheapest way to pass. Here (ISC)² needs to tighten up: earn the money and push new certifications if you must, but do the audits as well.

My own impression from studying for the CISSP is that it is not just a technician's view; it is a leader's view, and sometimes even a business owner's view. I used to present our thinking to the business owner from a technician's mindset, so no wonder it was not convincing. Is the boss a technician?
For example, I used to tell the business owner: it is time to replace the server; the machine is old and parts may fail; the server has also been compromised and a sniffer installed on it; we must have a new machine to replace it.

The business owner would ask: is that serious?


Now I know that I was not speaking the business owner's language. I have to tell him how much risk the server carries and what that risk is worth in money; what one day of downtime costs, and what three days of downtime costs. Then, how many remedies there are, how much risk each one removes, and what that is worth in money. Because of the sniffer, the data of every customer playing our company's games has been stolen; if customers sue, which statutes work against us, and how much damage the company's reputation takes. Submitted for your review and approval.
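The "business owner's language" described above is quantitative risk analysis: single loss expectancy (SLE), annualized rate of occurrence (ARO), annualized loss expectancy (ALE), and the value of a safeguard as the ALE it removes minus what it costs. The following is an added example, not code from the original post; every figure in it (asset value, exposure factors, costs, daily revenue) is a constructed assumption for illustration, not a number from the post.

```python
"""Quantitative risk analysis for the compromised-server scenario in the post.

Added example, not from the original post. All monetary figures and rates
below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # money at stake if the asset is fully lost (assumed)
    exposure_factor: float  # fraction of asset_value lost per incident, 0..1
    aro: float              # annualized rate of occurrence, incidents per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: expected loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float       # purchase amortized plus operating cost per year
    aro_reduction: float     # fraction by which the ARO drops, 0..1
    ef_reduction: float = 0  # fraction by which the exposure factor drops, 0..1

    def residual(self, t: Threat) -> Threat:
        """The same threat after this safeguard is in place."""
        return Threat(t.name, t.asset_value,
                      t.exposure_factor * (1 - self.ef_reduction),
                      t.aro * (1 - self.aro_reduction))

    def net_value(self, t: Threat) -> float:
        """Value of the safeguard = ALE before - ALE after - annual cost.
        Negative means the safeguard costs more than the risk it removes."""
        return t.ale - self.residual(t).ale - self.annual_cost


def downtime_loss(revenue_per_day: float, recovery_cost_per_day: float,
                  days: int) -> float:
    """Cost of an outage of the given length (lost revenue plus recovery work)."""
    return (revenue_per_day + recovery_cost_per_day) * days


def rank_countermeasures(t: Threat, options: List[Countermeasure]) -> List[Countermeasure]:
    """Order safeguards by net value, best first; this is the list a decision
    maker can choose from in money terms."""
    return sorted(options, key=lambda c: c.net_value(t), reverse=True)


def example_threat() -> Threat:
    # Constructed: customer records of the company's game players exposed by a
    # sniffer on an aging, already compromised server.
    return Threat("customer data theft via sniffer on old server",
                  asset_value=2_000_000, exposure_factor=0.3, aro=0.5)


def example_options() -> List[Countermeasure]:
    # Constructed figures; the point is the comparison, not the numbers.
    return [
        Countermeasure("Replace server, rebuild from clean image",
                       annual_cost=15_000, aro_reduction=0.8),
        Countermeasure("Add network IDS only",
                       annual_cost=30_000, aro_reduction=0.4),
        Countermeasure("Encrypt customer traffic (TLS)",
                       annual_cost=8_000, aro_reduction=0.0, ef_reduction=0.9),
    ]


if __name__ == "__main__":
    t = example_threat()
    print(f"SLE {t.sle:,.0f}  ARO {t.aro}  ALE {t.ale:,.0f} per year")
    for days in (1, 3):
        print(f"{days} day(s) of downtime: {downtime_loss(40_000, 5_000, days):,.0f}")
    for c in rank_countermeasures(t, example_options()):
        print(f"{c.name:45s} residual ALE {c.residual(t).ale:>10,.0f}"
              f"  cost {c.annual_cost:>8,.0f}  net value {c.net_value(t):>10,.0f}")
```

Note how the ranking can surprise a technician: with these assumed figures, encrypting the traffic (so the sniffer captures nothing usable) has a higher net value than replacing the box, because it attacks the exposure factor rather than the frequency. That is the kind of comparison, in money, that a business owner can act on.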

Now I also know how important change management is. Before, I only knew from practice how much risk you take by making changes directly on a production machine. But not making them carries even more risk; you get cut either way, so better to make the cut early. Yet when people blamed you, you could not explain why. They could scold you for doing it, and they could scold you for knowing about the problem and not doing it; you ran yourself ragged, and with no central principle behind you, nothing you said was convincing. When someone struck your left cheek, all you could do was offer the right one and leave the rest to God. Studying for the CISSP brought out all the questions I had accumulated over the years and gave me a systematic overall picture; once you have a framework, the persuasiveness follows.