Jekson's blog

Lithium-ion Battery Care

2006-04-27T17:28:00.001+07:00

Since lithium-ion is different than nickel and cadmium-based batteries, how should we take care of lithium batteries?
Lithium Ion

Lithium-Ion (Li-Ion) has become the new standard for portable power in consumer devices. Li-Ion batteries produce the same energy as NiMH battery but weighs approximately 20%35% less. This is can make a noticeable difference in devices such as cellular phones, camcorders or notebook computers where the battery makes up a significant portion of the total weight. Another reason Li-Ion batteries have become so popular is that they do not suffer from the "memory effect" at all. They are also environmentally friendly because they don't contain toxic materials such as Cadmium or Mercury.

Charge often. Don't try to fully discharge the battery packs frequently. This only adds strain. Several partial discharges (regular use) with frequent recharges are better for lithium-ion than one total discharge.
Recharging a partially charged lithium-ion battery pack does not cause any harm because it has no "memory".
Avoid heat. Short battery life in model airplanes is more likely to be caused by heat rather than charge/discharge patterns. Keep the lithium-ion battery cool. Avoid a hot car, for example.
Don't charge up the battery pack just to store it away. When storing for long periods of time, keep the battery at a 40% charge level. Consider removing the battery from a laptop when running on fixed power. (Some laptop manufacturers are concerned about dust and moisture accumulating inside the battery casing.)
Use the right charger. By now you probably know that each kind of battery has its own technology, its own rate of charge and so on. Charging lithium packs correctly is one way to extend their life and to avoid damage. The NMP lithium-ion charger is designed specifically for charging the NMP lithium-ion battery pack safely, on the bench, in the field, or in the car.
Don't use old batteries. Avoid purchasing spare lithium-ion batteries for later use. While it makes perfect sense to have 2 or 3 extra battery packs, so that you always have a fresh one charged up and ready to go, it isn't a great idea to just buy up batteries and keep them around for years before using them.
Battery Storage - If you don't plan on using the battery for a month or more, store it in a clean, dry, cool place away from heat and metal objects. NiCad, NiMH and Li-Ion batteries will self-discharge during storage; remember to recharge the batteries before use.
Remove from the device and stored in a cool, dry, clean place if the battery will not be in use for a month or longer,
Recharge the battery after a storage period

Ada apa gerangan di KM 28-29 Tol Cikampek?

2006-03-09T08:32:00.000+07:00

Kita sering mendengar kecelakaan di Jalan Tol manapun dan yang namanya kecelakaan di Jalan Tol mengakibatkan kerugian yang besar baik nyawa maupun material. Berkendara di Jalan Tol memang mengasikkan apalagi pengendara mobil diberi kebebesan dalam memacu kendaraan dan biasanya dijadikan uji coba performance kendaraan, walaupun hal ini sebenarnya melanggar ketentuan lalu-lintas tetapi tetap saja banyak pengendara melakukannya di Jalan Tol dibandingkan sirkuit mobil seperti Sentul.

Ada beberapa ruas jalan tol yang menjadi momok bagi pengendara mobil, momok yang dimaksud adalah rawan kecelakaan. Diantaranya adalah ruas tol Cipularang km 68-69 yang dikenal angker dan banyak kendaraan mengalami kecelakaan atau nyaris celaka, secara ilmiah dikatakan bahwa tanah disekitar situ suka bergerak karena aktifitas didalam perut bumi.

Belakangan ini penulis mendengar beberapa kecelakaan terjadi di KM 28-29 Tol Cikampek baik dikarenakan ban pecah maupun sopir mengantuk. Ada beberapa sumber yang diperoleh penulis karena pada kilometer tsb adalah bekas kuburan jawara bekasi tempo dulu, apakah hal tsb benar adanya, saya tidak tahu.

Sales vs Marketing

2006-03-07T09:06:00.000+07:00

Dalam ilmu manajemen mengenal 5 konsep dalam pengelolaan usaha:
1. Konsep Produk, yaitu bila manajemen perusahaan dalam mengelola perusahaan berorientasi pada pengembangan produk. Fokus perhatian pengelolaan bisnis adalah pengembangan produk. Saya kira kebanyakan produsen handphone menggunakan konsep ini.
2. Konsep Produksi, yaitu bila fokus pengelolaan perusahaan pada bagaimana pengembangan fasilitas proses produksi. Perusahaan Jepang saya kira kebanyakan menggunakan konsep ini.
3. Konsep Penjualan, yaitu bila pengelolaan perusahaan dengan menekankan pada pengembangan cara-cara penjualan, terutama dalam situasi persaingan yang tajam seperti industri otomotif dewasa ini.
4. Konsep Penjualan, yaitu bila orientasi perusahaan dalam pengelolaan bisnis berfokus pada pemenuhan kebutuhan konsumen. Boleh jadi untuk konsep 1 s.d 3, berangkat dari kita bisa buat apa, bagaimana caranya dan mari kita jual sebanyak-banyaknya. Tetapi untuk konsep pemasaran, manajemen berpikir, mari kita memproduksi sesuatu yang dibutuhkan oleh masyarakat, jadi dimulai dari identifikasi kebutuhan konsumen.
5. Konsep pemasaran dengan berorientasi pada kelestarian lingkungan. Konsep ini pengembangan dari konsep pemasaran. Pada konsep pemasaran dikritik karena ada kecenderungan untuk dalam rangka memenuhi kebutuhan konsumen, tidak jarang mereka melakukan apa saja, termasuk mengabaikan masalah kelestarian lingkungan, sehingga menimbulkan banyak protes dari berbagai kalangan, terutama pecinta lingkungan hidup (spt Green Peace).

Maka untuk itu berkembang pemikiran bahwa supaya produk yang dihasilkan dapat diterima masyarakat, maka harus didasarkan pada prinsip memenuhi kebutuhan masyarakat dengan memperhatikan kelestarian lingkungan.
Dari beberapa konsep tersebut, kita bisa melihat perbedaan antara penjualan dan pemasaran dapat dilihat dari motivasinya. Penjualan didasari konsep apa yang bisa kita buat, mari kita jual sebanyak-banyaknya, sedangkan pemasaran, mari kita hasilkan apa yang bisa dijual di masyarakat. Penjualan berfokus pada bagaimana mengembangkan cara-cara penjualan, pemasaran berangkat dari identifikasi kebutuhan masyarakat.

Sembilan Hal yang Harus Dikuasai dalam Berbisnis

2006-02-27T08:57:00.000+07:00

Saya sangat suka dengan definisi Brad Sugars mengenai bisnis, yaitu: bisnis adalah suatu usaha komersial yang menguntungkan dan berjalan tanpa keterlibatan anda.

Untuk mencapai kondisi itu tentunya ada caranya. Ada ilmunya. Ada tahapannya. Menurut Brad Sugars, ada 6 tahap dalam membangun dan mengembangkan bisnis:
1. Mastery
2. Niche
3. Leverage
4. Niche
5. Result

Saya akan coba bahas mengenai tahap yang pertama. Mastery - adalah tahap awal dalam mengembangkan bisnis. Bagaimana bisnis itu bisa menghasilkan profit secara produktif berdasarkan informasi yang cukup untuk pengambilan keputusan.

Apa saja yang harus di-mastery (dikuasai)?
1. Uang, atau cashflow. Yaitu bagaimana kita menguasai data keuangan historis dan bagaimana dengan data itu kita bisa melakukan sesuatu di masa depan. Cashflow is king. Dengan cashflow itu kita mau buat apa? Jangan terpaku pada mengejar profit di kertas, tapi uangnya nggak ada di tangan. Anda harus kuasai ini. Ini adalah pondasi bisnis anda. Dengan cashflow yang kuat, apa pun bisa anda lakukan.

2. Target break even atau titik impas. Berapa banyak produk yang harus dijual, atau berapa banyak pelanggan, atau berapa rupiah penjualan per hari yang dibutuhkan untuk mencapai target titik impas itu. Kalau anda nggak tahu ini, bisa bahaya... Misalnya, sewa tempat, biaya, plus gaji karyawan per bulan adalah 3 juta, artinya biaya anda adalah 100 ribu per hari, berarti keuntungan yang harus diperoleh adalah minimal 100 ribu per hari. As simple as that.

3. Profit margin atau marjin keuntungan. Harus ditarget atau dibuat budgetnya, berapa profit margin yang harus didapat per hari untuk mencapai target yang diinginkan. Harus jelas berapa persentasenya atau nilai nominalnya. Mengutak-atik hitungan margin ini merupakan keasyikan tersendiri bagi saya. Inilah salah satu permainan bisnis yang menggairahkan.

4. Reporting atau pelaporan. Anda harus tahu angka-angka vital dalam bisnis anda per hari, per minggu, per bulan sehingga anda bisa membuat keputusan berdasarkan ini di masa depan. Berapa produk terjual hari ini, berapa marginnya, berapa jumlah transaksi hari ini, berapa prospek yang masuk ke dalam toko, dan sebagainya. Anda harus tahu ini.

5. Test and Measure atau uji ukur. Apa pun yang anda lakukan harus diuji dan diukur hasilnya. Jangan pernah melakukan sesuatu tanpa diukur tingkat keberhasilannya. Buat indikator kinerja kunci, yaitu apa saja indikator-indikator di bisnis anda yang merupakan kunci atau penentu vital. Harus anda identifikasi faktor-faktor ini. Misalnya anda buat brosur. Berapa biayanya? Bagaimana hasilnya? Untung atau rugi? Kalau untung, lanjutkan. Kalau rugi, diubah, diperbaiki atau dihentikan.

6. Delivery. Delivery juga saya artikan memberikan apa yang anda janjikan. Kalau anda sudah terima uangnya, ya anda harus berikan barangnya sesuai yang anda janjikan mencakup jumlah, kualitas dan waktu pengirimannya. Jangan berusaha menjanjikan yang hebat atau superior. Lebih baik yang biasa-biasa saja tapi konsisten. Berusahalah menutupi setiap lubang kelemahan yang ada. Sedikit demi sedikit.

7. Time. Kuasilah waktu. Produktivitas anda, bisnis anda, organisasi anda sangat tergantung kepada kemampuan anda menguasai waktu. Banyak teori mengenai penguasaan waktu ini, misalnya teori pareto (prinsip 80/20) atau the power of least effort.

8. Goal atau tujuan. Tujuan itu harus jelas dan disampaikan kepada organisasi kita. Tujuan itulah sebagai penunjuk arah bagi orang-orang yang mengikuti di belakang kita. Dari mana kita melangkah dan sampai di mana kita nanti, harus jelas dimengerti oleh mereka.

9. Self mastery. Menguasai diri sendiri, atau pengendalian diri. Ini menyangkut disiplin. Ini menyangkut fokus. Ini adalah harga yang harus anda bayar untuk mencapai kesuksesan.

Western Union

2006-02-23T15:41:00.000+07:00

Bank yang bekerjasama sudah banyak kok, setau saya BII, Bank Niaga, Bank Mandiri, BRI dll.

Sekalian sharing ke teman yg laen, dari situs:

http://www.pintunet.com/lihat_opini.php?pg=2003/06/24062003/15762&xref=/pintunet.php?vpid=7709

Menurut saya, Western Union layanan transfer uang yang paling cepat dalam hitungan menit bahkan detik transfer uang ke seluruh dunia. Dengan Western Union saya dapat mengirim dan menerima uang dari dan ke luar negeri dengan sangat cepat. Jangankan hari, sekarang dikirim sekarang juga dapat diambil, kalau lewat Bank kadang membutuhkan waktu berhari-hari.

Beberapa tips untuk mempermudah dalam menggunakan layanan Western Union:

Untuk pengirim:
1. Minta nama dan alamat si penerima yang lengkap dan jelas sesuai dengan kartu identitasnya yang masih berlaku. Bila si penerima tidak mempunyai Kartu Identitas yang berlaku buat pertanyaan test/Test Question (misalnya: sebutkan warna favorit ibu saya? jawaban: merah muda).
2. Untuk mengirim uang lebih dari Rp.1000.000 atau US$500, tanyakan juga warna mata, jenis kelamin, tinggi badan dan warna rambut si penerima.
3. Beritahukan nama dan alamat anda, jumlah uang yang akan dikirim, Test Question dan yang paling penting Nomor Transfer (Money Transfer Control Number). Nomor Transfer akan anda dapatkan ketika akan mengirim di kantor Western Union.

Untuk penerima:
1. Pastikan anda telah menerima Nomor Transfer yang benar dari si pengirim (bila nomor salah, anda tidak akan dapat mengambil uangnya)
2. Siapkan Kartu Identitas yang masih berlaku, jika tidak anda harus hapal Test Question.
3. Mengetahui nama dan alamat pengirim serta jumlah uang yang dikirim akan semakin memudahkan anda mengambil uang.

Untuk tarifnya, coba klik:
http://www.bii.co.id/p_r/charges/Western%20Union_i.asp

Encryption

2006-02-23T10:20:00.000+07:00

Choosing the encryption type

You will want to consider a number of encryption types.

File encryption: File encryption means that individual files are encrypted with a password. This type is appropriate when sending a confidential file over an open line, for example Internet Mail. This method works for small amounts of data, but becomes too unwieldy as the volume of data increases. Directory encryption: This encryption type is appropriate in networks to prevent access from users which have rights to read other users' data. It may also be useful for protecting data on diskettes or a local hard disk in the absence of other methods of security.

Master Boot encryption: This encryption type allows you to hide the partition data of the computer. This ensures that no-one can gain access to the hard disk after booting from diskette. The data itself, however, is unencrypted, and can be read using a low-level tool for reading sector by sector. Many system viruses can damage Master Boot encryption, making it necessary to partition and reformat the disk from scratch, depending on how the encryption is performed.

Full hard disk encryption: This encryption type encrypts every single sector on the entire disk. Even when a low-level tool is used from a startup diskette, no meaningful data can be read.

COM port encryption: This encryption type is designed to protect communication using a modem however, it has been superseded by hardware solutions built-in to firewalls or modems.

LPT port encryption : A combination of software and hardware will need to be used to encrypt data dent to the printer. Some solutions automatically encrypt print data, with hardware connected to the printer to ensure that what is printed makes sense. The possibility ofmonitoring the printer cable is the reason why some people need this solution.

Encryption keys.

There are a great many strong encryption algorithms, and a lot of effort has gone into cracking them. The most common method is called ?brute force?, and involves searching through all possible keys, of length 1 to ?x?. If the length of the key is known to be 8 bits, the number of possibilities is 28 (256). A PC needs less than 10 seconds to work through all possibilities. If the length of the key is increased to 40 bits, there are 240 possible keys, and it now takes several months to find the key. It is not impossible to find the key, but the expense involved probably exceeds the value of the protected data. It is self evident that a system is only as strong as its weakest part, and this applies equally to encryption algorithms. In theory, an RSA or RC4 (used in SSL) with a 40 bit encryption key is adequately secure for most purposes. The weak link in the encryption process is the generation of the key. The number of possible keys can be reduced if the hacker analyses the way in which the key is created. A weak key generation procedure can mean that it is possible to crack a strong encryption algorithm in a matter of minutes. This is what happened to SSL in 1995.

Encryption algorithms.

There are a large number of encryption algorithms. The most widely methods include :

DES - Data Encryption Standard was developed more than 15 years ago, and is one of the most respected algorithms. It has withstood most attempts to crack it, and currently exists in a number of versions.

CRYPT(3) - A version of DES for UNIX systems.

RC2 and RC4 - This algorithm has a variable key size. It was developed by Ron Rivest for RSA Data Security, Inc. RC is short for ?Ron?s Code?. The algorithm itself has never been made public.

IDEA - This encryption algorithm works on 64 bit blocks containing data previously divided into four sub-blocks. Encryption then takes place, and the blocks are combined in different ways.

RSA - Ron Rivest, Adi Shamir and Leonard Adleman introduced this algorithm in 1978, and it remains one of the strongest encryption algorithms in use. RSA uses shared and private keys for encryption/decryption. However, RSA is a slow algorithm - at it fastest it is 100 times slower than DES in software.

SNEFRU - This is a one-way hash algorithm designed by Ralp Merkle. Thehash function converts incoming data to 128 or 256 bit values.

MD2 - A one-way hash function designed by Ron Rivest.The function produces a 128 bit hash value from incoming data.

MD4 - A one-way hash function designed by Ron Rivest. MD meansMessage Digest, and creates a 128 bit hash value from incomingdata.

MD5 - MD5 is a further development of MD4, and also creates a 128 bithash.

SHA - Secure Hash Algorithm, developed by the National Institute ofStandards and Technology with the National Security Agency. SHAis very similar to MD4.

RIPE-MD - A version of MD4. It was developed by the EU's RAC project.

HAVAL - A one-way has function with variable length.

SKIPJACK - A top secret algorithm for Clipper and Capstone (encryption chips).

The code and algorithms are known only by highly cleared USGovernment and contractor personnel.

DFFIE-HELLMAN -

The first public key algorithm created.The algorithm can be used for distributing keys.

XOR - There are a large number of XOR encryption algorithms. They areamong the simplest, and a very fast.

BLOWFISH - A type of XOR encryption, but much stronger.

Security systems

KERBEROS -Tried and tested third party authentication product for UNIX

TCP/IP networks. Kerberos is based on symmetricalencryption. A secret key determines whether the user isallowed access. Kerberos is available in versions 4 and 5.

IBM SECRET-KEY MANAGEMENT PROTOCOL -Key administration system for communication and filesecurity in networks, -using symmetrical encryption. Thesystem was designed by IBM at the end of the '70s. The protocol has three main functions: Secure communication between servers and terminals, secure file transfers to the server, and secure communication between servers.

KRYPTOKNIGHT - Authentication system designed by IBM, with a secret protocol using DES or a modified version of MD5.

PEM - Private Enhanced Mail is an Internet standard for secure email over the Internet.

MSP - Message Security Protocol is the military's answer to PEM. It was developed by NSA at the end of the '80s. It is an X.400 compatible application protocol used to protect e-mail. This component of the NATO approved military message format is an integral part of the US Defense Department?s DMS (Defense Messaging System) project.

PGP - Pretty Good Privacy is a public domain encryption program designed by Philip Zimmerman. It uses IDEA for encrypting data, RSA for handling keys and MD5 for the one-way hash function. PGP can also compress files.

CLIPPER - Clipper is an electronic chip, designed by NSA, that uses the Skipjack encryption algorithm. Each chip has its own key.

Smartcard technology

There are two current card technologies that you should consider: Number generators (calculators) and smartcards. The number generator needs no additional hardware to work with a computer. It is therefore easy to implement. The technology provides a high level of security and is used for applications like cash transfers over the Internet. The lack of storage capacity, however, is a considerable drawback. It is not possible to obtain information like the username from the card. Smartcard technology needs a card reader installed in each computer. Card readers are available for desktop use, 3?? internal slots, or PCMCIA readers. The quality of the smartcard itself can vary, but some manufactures do supply cards of extremely high quality. The cards have a large storage capacity, their own operating and file systems, and a wide range of authentication methods. For example, a smart card can be installed so that it is the key required for access to the network. Without a smartcard and PIN code, a user is not allowed onto the network. One type of smart card reader, called B1, is manufactured by Siemens Nixdorf and SCM. Deutsche Telekom has developed a very powerful operating system for the smartcard itself. The system is called TCOS and has ITSEC E3 certification. One thing you should consider in connection with card readers is whether data is passed between the computer and the card in encrypted form. Many card readers are connected to the serial port, and if the data transport is not encrypted, a hacker has plenty of scope to crack the system in a short time. Some organizations use so-called ?Trust Center?. The purpose is to send the card's ?certificate? to the ?Trust Centers? to allow for near instantaneous revocation of their smart cards. The party reading the card sends its certificate to the ?Trust Center?, which checks that the card is still valid for use in the organization.

Smartcard operating systems

A smartcard has its own operating system, and communicates with it via a card reader. The smartcard also has its own file system, in which the operating system can protect files by means of encryption, passwords or PIN codes. Smartcards frequently have a set of keys suitable for use as digital signatures. The keys can also be used for encrypting data.

Access Control

2006-02-23T10:17:00.000+07:00

Why use access control?
We are used to insuring valuable property such as boats, houses, commercialproperties and cars. How can we insure ourselves against data getting into thewrong hans, or unauthorized users gaining access to the internal computernetwork? Who is responsible for any losses incurred?The value of data varies from one company to another. Even rumors can have serious effects if sensitive information goes astray. Companies are running a considerable risk with employees roaming the world, carrying important information on their portable computers. If a computer isstolen on a business trip, that important project could easily end up as reading matter on the Internet or in the Washington Post. Companies also have a moral obligation to protect personal information stored on computer, even if the loss of such data would not damage the company in financial terms. If an organization asks its employees to supply personal data, it also has a responsibility to store it safely. The safe way to store data is in encrypted form. It is difficult to judge how sensitive an organization is to the loss of data. Nevertheless, you should be able to answer the following questions:

1. What if internal data gets into the wrong hands?

2. What if unauthorized users make changes to data?

If the consequences of either of the above are negative, you could do a simple sum showing how much an access control product would cost, set against any possible losses. Note that the quality of access control products varies considerably. You should choose the product that meets your specific requirements.

Data security - a management responsibility

The management of a company always needs to take a position on data security before security measures can be introduced. It is the management that lays down guidelines for the security level. In most cases, the IT manager submits a recommendation based on his assessment of the risks. This can be a difficult job. The system or network administrator has a duty to inform his superiors if the measures relating to data security can be considered inadequate. Operating personnel alone do not have much scope for implementing data security in a company. The guidelines must come from management!

Standardization - a question of security

The successful implementation of a security project depends on the standardization of all hardware. The main purpose of standardization is tosimplify administration, but it is also important in creating a secure platform. Where users have permission to start any program they wish, they also have theability circumvent the installed security functions. If non standard drivers are used in DOS and Windows, there is no guarantee that these do not contain "back doors" that can be activated by particular key combinations. The DOS version, network drivers, Windows version and permitted drivers should all be standardized to make best use of the defined security. Large companies should have standardization as a useful objective, as it can provide considerable savings in support costs. The process is made easier if computers and network cards of the same brand are purchased, with peripherals like CD-ROMs and tape units from the same manufacturer.

Operating systems and security functions

Windows ?95 was launched in August 1995. Up to this time, tried and tested DOS and Windows security products were available that had met the varioussecurity requirements for this environment. The secrecy surrounding Windows '95 and the final version meant that producers of security products lost a great deal of time. They had to start from scratch, identifying the security weaknesses and learning new techniques, such as implement full hard disk encryption of a 32 bit operating system. The pressure created by Windows '95 was considerable, but it has taken time for the solutions started to appear. The entire process, from the launch of Windows '95 until the first access control products entered the market, took almost a whole year. This delay left many of those who chose to convert to Windows '95 exposed to major security problems. An IT manager can learn a lot from the circumstances surrounding the introduction of Windows '95. When changes are as significant as from DOS/Windows to Windows '95, the conversion should not take place for at least a year if security requirements are not covered by the operating system itself. Nevertheless, Windows '95 and Windows NT both include a number of security functions. These meet some of the needs of professional customers, but not all. The future demand for modular security programs will become even greater. To achieve an adequate level of security, we recommend a combination of the security features of the operating system with modules from an access control product. A Windows '95 access control product should perform at least the following functions:

1. Boot protection

2. Uninterrupted startup

3. Screen saver

4. Full hard disk encryption

5. Logon program

A Windows '95 computer switches from 16 bit to 32 bit disk access during startup, which complicates full hard disk encryption. Access control programs for Windows ?95 are using both pre-authentication and authentication methods.

Password theft

It is relatively simple to steal passwords from other users in a network if the computers are not secure. Passwords can be stolen in a number of ways. Monitoring the traffic on the network is an advanced but relatively easily accomplished technique.Theoretically, an unauthorized user can tap into the cable at any point along its length, and listen to all the passing network traffic. Encrypting all network traffic would protect against this threat. A variety of different types of packet may be sent along a network cable in the space of a second. Some of them can be read directly, while others are encrypted. Commercial programs exist to monitor to the packets. Many network cards are even supplied with a fault finding program that lets you monitor all the packets sent through the cables. This demonstrates the importance of physical security of the network cables. Avoid any points of contact outside the building. Another way of stealing passwords is to load a false logon program that stores passwords with user IDs. This is one reason why system administrators must never log onto a computer other than his own, which must, of course, be secure. There are also memory-resident programs that detect whenever logon programs are run. When they are started, the next 20 keystrokes are stored in a hidden file. These programs are widely available on the Internet.

Passwords

Passwords are easy to forget. Many users therefore choose simple passwords.Organizations today have an average of three logon systems, usually each with different password rules. From the user's point of view, this creates a great deal of confusion. We know, as do the hackers, that 30-50% of users choose passwords like the name of their spouse, child, pet or car, or telephone numbers and dates of birth of family members. An IT administrator frequently like to place complex requirements on the choice of passwords, but then pays the price of having to deal with users forgetting their passwords more easily. The graph above will not come as a surprise, but it is important to bear it in mind. Why do users forget passwords when there are limitations on their structure? This is largely because users do not realize how important passwords are for security. A good password consists of between six and eight characters. One easy way of creating a good password, that is easy to remember, is to group together two and two or three and three (lower security) letter/characters, for example ?BA SK 86 18?. This method is already used as a way of making telephone numbers easier to remember (grouping 2+2+2+2 or 3+5). The advantage of these passwords is that they remain strong even if the composition of only two characters is changed. The widely-used alternative is to place an extra character after a spouse's name: BILL, BILL1, BILL2, etc. It should be the responsibility of the system administrator to inform users of the rules governing passwords, and to ensure that the rules are followed. It is difficult for a logon system to detect every weak password. This needs to be compensated for by creating a positive general atmosphere surrounding passwords and data security.

Pre-authentication and authentication

Modern access control products generally use two techniques for authenticating users: Pre-authentication and authentication. Both have their advantages and disadvantages. The diagram below shows the startup procedure using a hard disk. The computer's MBS (master boot sector) is executed. This then attempts to start the SBS (system boot sector) which, in turn, launches the operating system. In the case of DOS, the operating system looks for the files config.sys and autoexec.bat and runs them.TA system based on pre-authentication replaces the MBS with its own logon program that prompts for a user ID and password. A system based on authentication inserts a command into the autoexec.bat that prompts for a user ID and password. A pre-authentication system provides a high level of security, because it does not depend on the operating system. However the system cannot be integrated with the user IDs and passwords used in the network, nor is it possible to perform updates from the server before the user is logged on. This means that maintaining systems based on pre-authentication is tedious. In the case of authentication, a logon program is started from the autoexec.bat, allowing the network drivers to be started and updates performed before the user is logged on. This allows integration between the network and the access control system.

Floppy boot protection.

?Floppy boot protection? prevents a computer from being started from a diskette, with subsequent access to the hard disk. It is one of the fundamental elements in a security system. If drive C: can be accessed after booting from a diskette, this represents a gaping hole in your security. One common misconception is that the BIOS can provide security. Most modern computers allow the user to configure the BIOS so that the computer cannot be started from drive A:. This feature only lasts as long as the computer's internal battery. If the power supply to the BIOS chip is interrupted, all your settings are lost, and the BIOS will use its default values the next time it starts. Furthermore, it remains possible simply to move the hard disk to another computer whose BIOS settings do allow drive A: booting. The master boot sector is made up of a program and data. FDISK stores a standard program, while the data varies according to how the hard disk is partitioned. Some users allocate all disk space to drive C:, while others subdivide the space into drives C: and D:. A program offering ?Floppy boot protection? must replace the Master Boot Program with its own program, and encrypt the partition data. This prevents access to the hard disk after an attempt is made to start the computer from a boot diskette. When a boot diskette is used, only the following message is displayed: Invalid drive C: A large number of programs read partition data directly from the Master Boot Sector. The programs must be able to continue doing this even with ?Floppy boot protection? installed. Most access control programs are able to handle this situation. A good floppy boot protection system should also provide a security function that prevents the hard disk from being moved to another computer.

Full hard disk encryption.

With full hard disk encryption, every sector of the hard disk is encrypted. Some access control products provide this feature. The following factors vary from one product to another:

1. Reduced performance

The more powerful the encryption algorithm, the poorer the performance of the computer. It is customary to choose a less powerful algorithm for full hard disk encryption so that performance does not suffer too much. For example, a test showed that full hard disk encryption using DES increased Windows startup time by 600-700%.

2. Encryption power

A compromise always has to be reached to ensure encryption does not unacceptably reduce computer performance. The most widely used algorithms - simple XOR, blowfish or proprietary algorithms (developed by individual companies) - maintain the best possible performance.

3. Handling 16 and 32 bit disk access

Many products have difficulties if 32 bit disk access is used in Windows. You should bear this in mind if individual applications require 32 bit disk access. There is a simple test that those uninitiated in the world of cryptography can use to determine the power of an encryption algorithm. Create a file containing nothing but the same character. It is a sign of weakness if the encrypted result also contains only a series of identical characters.

Poor encryption algorithm :

Unencrypted data : AAAAAAAAAAAAAAAAAAAAA

Encrypted data : BBBBBBBBBBBBBBBBBBBBB

Good encryption algorithm :

Unencrypted data : AAAAAAAAAAAAAAAAAA

Encrypted data : #sah&%8jJnOlp)D#g1Hu/

Access to DOS

Most users do not need to access DOS. The ability to use DOS usually complicates support, and skilled DOS users have plenty of opportunity to change parts of the configuration. Access to DOS, therefore, represents a reduction in the level of security. Many terminal emulators make it possible to access DOS by pressing a shortcut key, so we cannot be sure that users only authorized for a terminal emulator are not also using DOS. If the security level of an IT system requires that users are not prohibited from unrestricted use of DOS, the access control system must provide a corresponding function. A large number of access control products on the market provide a function preventing access to DOS from terminal emulators (including DOS emulators) and from within Windows.

Single point signon

Single point signon is a data security concept that if implemented, simplifies things for the user. It involves automatically sending the same password to all other applications that need user IDs and passwords when they are launched. However, single point signon is difficult to implement. One of the main reasons for this is the fast pace of change in the computer world. Today's solutions will already be outdated in a few months' time. In general, two different techniques are used for single point signon. The first is based on feeding the user ID and password, including the old password where necessary, into the keyboard buffer when an application is launched that requires them. The advantage of this method is that all the normal network loginscripts are run as normal. One disadvantage is that it easy to use up too much of the available memory in DOS. The other method uses API functions (Application Programming Interface) to authorize the user on the basis of his or her user ID and password. A disadvantage in networks is that any logon scripts, etc. are not run.

BIOS password.

The computer prompts for the BIOS password immediately after it is switched on. Most BIOS versions provide the password function. In many cases, the password provides satisfactory protection if you are prepared to accept the following risks:

1. The BIOS password is kept stored by the computer's internal battery. If the battery is removed for 10 seconds or more, the password function is removed.

2. The BIOS password only protects the computer and not the hard disk. If the hard disk is stolen, it is not protected.

BIOS passwords are a nuisance from the system administrator's point of view, too. They work when the owner of the computer is its only user. If more than one user needs to use the computer, they all need to know the same password. If there is no access control product installed on your system, BIOS password might be a temporary solution to achieve a limited level of protection.

BIOS protection of the Master Boot and System Boot Sectors.

Many BIOS versions offer partial virus protection of the Master Boot Sector. This creates problems when an access control product is installed that is designed to encrypt the master boot sector (the partition table is created). The computer's BIOS prohibits any writing to the Master Boot Sector, and so prevents the encryption process. If you know you are using this BIOS function, you must remember to disable it before installing an access control product.

Protecting important files

A number of methods are used to protect important files. By important files, we mean such files as config.sys, autoexec.bat and other central configuration files. If a configuration file is changed by an unauthorized user, the authorized user must be informed of this when he or she logs on. A checksum is used for this purpose. It should be possible to configure the feature so that only the system administrator is able to log on after changes are detected in the checksums of specified files. There are two methods in widespread use for protecting files. The first is to set the DOS attributes of the files (read - archive - write, etc.). This is effective if the access control product is able to ensure that the user cannot change the attributes. The second method is to keep critical files open in the mode required. Certain files can therefore have read access and write access, or be hidden with neither read nor write access.

Config.sys and Autoexec.bat

Most access control programs provide a function that make it impossible to interrupt the computer's boot process. This is one of the fundamental features of a security system, but the function can easily lock up the computer if you do not do things in the correct order. When updating autoexec.bat or config.sys, you should always should always check that the function is disabled before restarting the computer. The function is disabled in different ways depending on the system. The most common method is to insert 'REM' in front of the line ?switches /n /f? in config.sys. This allows you to use F5 or F8 in DOS 6.x to interrupt the boot process.

SWITCHES /N /F

Autoexec.bat and config.sys can be protected so that their execution is not interrupted. Versions of DOS after Version 6 include the option to interrupt the startup files, or to run through them line by line. The function keys F5 and F8 are used. The function can be disabled by inserting ?SWITCHES /N /F? as the first line in config.sys. Nevertheless, the function cannot prevent users from interrupting the startup files by pressing CTRL+BRK or CTRL+C. To protect from this possibility, you need a device driver, provided by most access control programs.

Access to the diskette drive or CD-ROM.

The unrestricted use of the diskette drive and CD-ROM represents a security risk. On the other hand, we need to avoid making life difficult for the users. Most access control products allow access to disks to be blocked. In principle, this is done in two ways. All access to the file system is controlled, and any attempt to access a blocked disk is prevented by an active program monitoring such activities. The second, alternative approach is remove disks entirely from the list of disks available to DOS. This means that the disk is not even shown in Windows File Manager. One disadvantage of this method is that is it often difficult to return the disk to the list of available resources. In many cases, this cannot be done without restarting the computer. A general policy for diskettes and CD-ROMS should be to allow them to be used to retrieve data, but not to start programs. Although it would be desirable to block access to all removable media, the disadvantages from the users' point of view would outweigh the security benefits. An alternative approach is to have a central CD-ROM drive to which all users have access. This means that you can control what is put into the drive. If direct access to the diskette drive is not permitted, a kind of lock gate system can be used instead. A number of companies currently use such a system. In a lock gate system, only specified file types are allowed to be moved directly from the diskette to the home directory on the server. A dedicated lock gate computer is used to perform the move. This computer checks that the files do not contain viruses, and that the file types and content are not barred from the network. Where access to the diskette drive is allowed, it is important to check files for viruses before they are allowed into the computer or network.

Controlling printer ports.

It is sometimes necessary to control printer ports if printouts are not allowed until a certain time. This might be the case in universities, for example, where the computer room is open in the evenings but where the administrators want to prevent long printouts being made, which use up printer toner and paper. Most access control programs provide some kind of LPT port blocking feature. In most cases, the real problem doesn?t involve controlling the printer ports themselves. The most difficult problem for most users is how to keep control of which users have access to which printers. Printer access in Windows is based on ini files. This should be one of the criteria you use when considering an access control product. These ini files can be used to control which printer, fonts, colors, etc. are available to each user.

Controlling COM ports.

It is necessary to control COM ports in order to prevent the unauthorized use of modems. The firewall is a device used to protect Internet connections. This leaves the user with the option of using his or her own modem for unrestricted use of the Internet. This reduces the security provided by a firewall. Many computers connect the pointing device (mouse) to one of the COM ports. If the COM port is disabled, it must be possible to check whether the connected device is a modem or pointing device. If it is pointing device, the COM port should not be disabled. COM port control exists at several levels. We know that many programs are written direct to hardware, so they do no use system calls to obtain access. Many access control programs are unable to prevent this. You should therefore find out whether the COM ports can be checked to see which communication software is in use.

Screen savers

A screen saver can protect the system as well as the data from unauthorized access if the computer is left unattended without the user logging off. An automatic function should be provided to activate the screen saver after a specified number of minutes, and it should also be possible to activate it using shortcut keys. A security system should provide screen savers for DOS and Windows. Two different technologies are used for screen savers in Windows. The first uses the internal Windows screen saver function, which is activated from the Control Panel. The second uses a special program that runs in the background in Windows. Both technologies have their advantages and disadvantages. DOS sessions have always presented particular problems for screen savers in Windows. If a DOS window has the focus, a Windows screen saver will not start. Many products apply the solution of using a VxD or DOS TSR with the screen saver in these circumstances. In Windows, the screen saver is controlled from the Control Panel, which inserts the following line in system.ini :

SCRNSAVE.EXE=BWINSAVE.SCR

Many people use the screen saver supplied with Windows. This is satisfactory if the computer is used by only one person. If a number of people use the computer, the standard Windows screen saver creates password problems. All users need to know the screen saver passwords of all the computers they use. This impairs security, and make administration difficult. A screen saver should therefore prompt for the password entered by the user when he or she logged on. That way, the user always types the same screen saver password regardless of the computer he or she is logged onto.

Protect file.

Easy File Protector is a very flexible password protected security utility that restricts access to your files and folders by a time schedule. You choose users, define restricted files & folders and time periods for them. Your system disables & enables your files automatically depending on current time and user. Protection is achieved by making files and folders undeletable, unrenamable, unreadable, unmodifiable, and unexecutable. With the wild cards feature, you can protect all files that have the same extension (such as EXE, DLL, DOC, etc.).

Network integration

Cumbersome administration is often a drawback when introducing security software. The system administrator frequently has to work through every computer on the site when a user forgets his or her password. This should be a thing of the past. Current solutions provide network integration, and it is the network that accepts or rejects the user. When a network contains more than 50 computers, network integration should be one of your requirements.

Protocol versus file based network installation

Many suppliers claim that their security systems are network based. This is often only partly true. The system frequently handles a central file system on a file server or some other location in the system. In order to store data at a central location, a user requires write access to a directory. To prevent separate directories being allocated to individual users, which would complicate network administration, the users must be given write access to a shared directory on the server. This turns the system into an open system, exposed to external viewing and manipulation. Protocol based systems normally use IPX or TCP/IP for communication. These systems provide a high level of security. The communication protocols send data between clients and servers, and software at both ends receives/sends data to/from a secure location to which no users have access. The only means of contact is by sending/receiving signed and encrypted data from locations not accessible to other users. A combination is also possible whereby some of the contact between the client and the server is protocol based, while other data exchange is file based, from write-protected directories on the server.

Boot Prom and encrypted hard disks

A large number of network cards include a ?Boot Prom?, which contacts a server when the computer is started and runs a ?Boot image? from the server. This is the same as booting from a diskette, and means that no access is ever possible to the hard disk if Master Boot encryption or full disk encryption are installed.

Time control

Time control is an effective barrier against potential hacking over weekends and other times when the system is left unattended. A hacker needs a period in which he or she can spend time quietly trying to break the passwords of users on the system. Time control is a good idea for a number of functions. In the first place, we can differentiate between the different computers within the organization. Some computers might only be used between 08:00 and 16:00. Once these computers are switched off at 16:00, it will not be possible to start them again until 08:00 the next morning. Users within an organization have different requirements. Some users require access to their computer between certain times, while others need 24 hour access. It should be possible to define this in the user registration component of the access control system. Time control may also be appropriate for applications. Some companies might want to introduce time control to define when it is possible to play computer games. Others might impose time restrictions on when specific applications can be started from the network. Many people are attracted to the idea of time control when they first hear about it. Experience shows, however, that the function limits the users' flexibility in their daily work. For example, imagine the situation where an employee is going on a business trip and realizes the evening before he leaves that he still needs some project files from the network. He will not be able to get the information he needs because the computer in the office is subject to time control and cannot be started until the morning. Be careful in applying time control, but even so, an access control product should provide the function, in order to guarantee flexibility for the future. A more effective form of time control is provided by checking when a user account starts, and when it expires. A user account could be granted for one week, after which the user will not be allowed to log on. It should also be possible to define a particular number of total logons to the system. This ensures that a user requesting a single access cannot log him/herself on more than once.

Controlling applications in Windows

Many current systems control the Windows Program Manager, implying that this approach controls the users, too. But what about all the functions in File Manager, and the many macro systems available? Controls based on Program Manager alone provide a false sense of security. File Manager can be used to create new icons in Program Manager using the ?drag and drop? technique, and applications can be started from the Run menu or by double-clicking. A number of applications are able to launch the DOS shell. Most modern access control programs include a function that blocks the facility to obtain the DOS shell. The macro systems in Word and Excel offer virtually unlimited opportunity to the expert. For example, the ?Connect? command allows the user to establish new network connections. It is obvious that unless we can prevent these commands being issued, we cannot control what the user will be able to access. A controlled version of File Manager that would be safe to use might have the following restrictions :

1. Applications cannot be started by double-clicking.

2. A series of menu options are removed, including the Run menu.

3. Program Manager is hidden when File Manager is active, to prevent ?dragging and dropping? files to create new icons.

4. Executable files are not shown.

All Windows applications send and receive messages. Menus, list boxes, etc. are displayed on the basis of these messages. A small number of access control products on the market are capable of controlling these messages.

What if unauthorized users make changes to data?

2006-02-23T10:04:00.000+07:00

Lost Passwords
People often find themselves locked out of their Windows 2000 or Windows NT systems as a result of a lost password for the Administrator account. Usually people consider the system a lost cause and start rebuilding it. However, you can use the following tip to work around this problem. When Win2K or NT boots, the OS usually displays the Ctrl+Alt+Del screen for approximately 20 minutes before the display changes and the logon box moves around the screen. When this happens, the machine has activated the screensaver logon.scr. If you replace this file with an alternative file (e.g., cmd.exe), the system will run this file under the system account instead of logon.scr. At this point, a user could issue a command such as Net User, usermgr.exe, or compmgmt.msc to reset the Administrator password.

How can I disable the "Save Password" option in dial-up networking?

When you connect via RAS you can cache the password. If you
feel this is a security problem then you can disable the option to enable the password to be saved.
Start the registry editor (regedit.exe)
Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters
From the Edit menu select New - DWORD value
Enter a name of DisableSavePassword and press ENTER
Double click the new value and set to 1
If you disable the "save password" make sure "redial on
link failure" is not activated as one redial attempts as it does not
save user information it will attempt to connect as Administrator which will not work (unless the ISP has very poor security :-) ).

With Windows XP, how do I set a password hint?

XP introduces the option to have a password hint, which is useful in a workgroup (this option isn't available in a domain). To set a password hint, perform the following steps:

Start the User Accounts Control Panel applet (Start, Control Panel, User Accounts).
Select the account for which you want to add a password hint.
Click Change the password.
Enter your password in the two locations; in the bottom area, type your password hint.

Click Change Password.
These hints are stored in the registry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\[user name]\(Default) key, and you can change them there as well.

In Windows XP, how do I use the password reset disk?

With XP, if you're in a workgroup, you have the option under your profile to create a password reset disk (Start, Control Panel, User Accounts, [account name], Create a Password Reset Disk, Create Disk) using a wizard:

When the wizard starts, click Next.
Select the drive that contains the media you want to create the information on (you can use a diskette or a Zip disk), and click Next.
Type your current password, and click Next.

Click Finish.
The password reset disk contains only one file, userkey.psw, which is an encrypted version of your password. If you change your password, the password reset disk is useless, you must repeat this procedure.
To use the password reset disk, at the logon screen, leave the password field blank and press Enter or click the right arrow. The system will display a dialog box that offers the "Click here to use your password reset disk" option.

When you select this option, a wizard starts:

Click Next.
Select the drive to read the password reset disk from, and click Next.
Enter a new password twice, and click Next.
Click Finish.
Type your new password to log on. Note that the password reset disk is now useless, and you must create a new one.

When I start the Recovery Console, why doesn't the system prompt me for a password?

Usually, when you start the Recovery Console (RC) the system prompts you for the password for the selected Windows 2000 installation. If the RC can't find a valid Win2K installation, it doesn't ask you for a password, and you can perform only basic functions?such as the fixmbr, fixboot, manage, and format partitions commands?but you can't access any folder other than the root of the hard disk.

How can I prevent users from changing their passwords except when Windows 2000 prompts them to?

You can configure your domain via a group policy so that users can change their passwords only when the system prompts them:
Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in (Start, Programs, Administrative Tools, Active Directory Users and Computers).
Right-click the container (site/domain or organizational unit?OU) you want to enforce the policy on, and select Properties.
Select the Group Policy tab.
Select the policy and click Edit.
Expand User Configuration, Administrative Templates, System, Logon/Logoff.
Double-click Disable Change Password, and on the Policy tab, select Enabled.
Click Apply, then OK.
Close all dialog boxes.
Refresh the policy with the following command:
C:\> secedit /refreshpolicy user_policy
You can also configure this feature on a per-user basis. Perform the following steps:
Start regedit.exe.
Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies.
If the System key exists, select it. Otherwise create it (Edit, New, Key, System).
Under System, create a new value of type DWORD (Edit, New, DWORD value).
Type a name of DisableChangePassword, and press Enter.
Double-click the new value, and set it to 1. Click OK.
Close regedit.
You don't need to log off; the change takes effect immediately.

Why doesn't my computer prompt me for a password when it returns from hibernation?

For your computer to prompt you for a password when it returns from hibernation, you must select the "Prompt for password when computer goes off standby" check box on the Power Options Advanced tab:

Start the Power Options Control Panel applet (Start, Settings, Control Panel, Power Options).
Select the Advanced tab.
Check the "Prompt for password when computer goes off standby" check box.
Click OK.

Quantum Key Distribution: The Future of Security?

For Microsoft, the past 2 weeks must seem like a nightmare come true: The company's network has been cracked two more times by a Dutch hacker. Last Friday, a man using the name "Dimitri" gained access to a Microsoft Web server using a known bug in IIS that Microsoft created a patch for in August but failed to apply to one of its exposed Web servers. After the initial break-in on Friday, Microsoft still failed to apply the patch to the affected server, and as a result, Dimitri cracked the system again on Tuesday.
During his activity on Microsoft's Web farm, Dimitri claims to have downloaded administrative usernames and passwords, which he could have used to further his reach into the network. Most likely, Dimitri downloaded a SAM database, and as you know, Microsoft uses the Data Encryption Standard (DES) algorithm to protect that information. But with tools such as L0phtCrack at your disposal, cracking the SAM is much simpler: DES encryption just isn't secure enough in many cases.
The US Government is adopting a new encryption standard called Advanced Encryption Standard (AES), which will eventually replace DES. On October 2, the National Institute of Standards and Technology (NIST) announced that it had chosen Rijndael (pronounced Rhine-doll) as the new standard's cipher formula. Detailed information about the Rijndael cipher is available here.
A press release on the NIST Web site states, "When approved, the AES will be a public algorithm designed to protect sensitive government information well into the 21st century." If that's true, what will we use after AES? Perhaps the answer resides in quantum mechanics.
I recently read an interesting article in Physics Today called "From Quantum Cheating to Quantum Security." The article offers a good view of the inherent risks in our current encryption technologies, such as DES and RSA, and relates how scientists could create quantum mechanics-based computers to both break encryption systems and to facilitate more secure encryption algorithms.
DES and RSA algorithms rely on computational assumptions for protection. For example, the fact that intruders need considerable processing power and time to crack keys helps keep those keys safe to some extent. But because a quantum-based computer can perform instructions so much faster than current computers, intruders can use such technology to reduce cracking time and render algorithms such as DES, RSA, and AES useless. Obviously, when quantum-based computers become reality, we'll need stronger algorithms to protect our information. Perhaps quantum encryption is the answer.
Quantum encryption uses photon state as the key for encoding information. According to the Heisenberg uncertainty principle, it's impossible to discover both the momentum and position of a particle at any given instant in time. Therefore, in theory, an intruder can't discover a cryptographic key based on particle state information; the intruder would need the actual particle to decipher any data encrypted with the key.
The idea is simple yet incredibly complex to implement. IBM scientists constructed the first working prototype of a quantum key distribution (QKD) system in 1989. Back then, they could transmit quantum signals only 32 centimeters through open air. Today, fiber optic cables can transmit the signal up to 31 miles, which isn't very far, but it's definitely good progress. And although we might not see QKD come to market for quite some time, the technology sounds incredibly promising and well worth the wait.
If you're interested in encryption technology, be sure to read the article in Physics Today. Until next time, have a great week.

I've entered a password for a Terminal Services Client Connection. Why does the system continue to prompt me?

By default, a Windows 2000 Server Terminal Services connection always prompts for a password, even if you've configured one in the connection logon information. To disable this option, perform the following steps:
Start the Microsoft Management Console (MMC) Terminal Services Configuration snap-in (Start, Programs, Administrative Tools, Terminal Services Configuration).
Right-click the configuration for which you want to disable the default password setting, and select Properties from the context menu.
Select the Logon Settings tab.
Clear the "Always prompt for password" check box. Click Apply, then click OK.
Close the dialog box. Future connections will no longer force a password entry, which will facilitate automatic logon.

How can I configure the system to let users change their passwords without logging on to the domain?

If you use a password policy in a Windows 2000 domain and you migrated some or all of the users to Active Directory (AD) with the AD Migration tool, users who attempt to change their passwords as soon as they receive the Password Change Notification message might receive the following error message:
You do not have permission to change your password.
However, users who choose not to change their passwords when the Password Change Notification message appears (by clicking No) are logged on with their old passwords and then can change their passwords.
This system behavior occurs when the Everyone group hasn't been granted the Change Password right on the user object. Users can't change their passwords over the null session connection (anonymous logon relies on the Everyone group to carry out this action) established between the workstation and a domain controller. Instead, an authenticated session is required to change a password (i.e., users must be logged on to change their passwords).
To change the permissions setting for the Everyone group, take the following steps:
Start the AD Users and Computers snap-in (Start, Programs, Administrative Tools, Active Directory Users and Computers).
Select the View menu and enable Advanced Features.
Right-click the container hosting the user object to which you want to grant the Change Password right (e.g., Users), then click Properties.
Select the Security tab. Ensure that the Everyone group is listed in the Name box. If it isn't, click Advanced, then add the Everyone group to the list from the Advanced Access Control Settings dialog box. If the Everyone group is listed, click Advanced.
Click the Everyone group in the list, then click View/Edit to edit the group's permissions. In the Apply Onto box, click User Objects. In the Permissions section, select the Allow check box for "Change Password."

Click OK to accept the changes.

How do I reset a machine account password?

Like user accounts, machine accounts in a domain have passwords that change automatically. The domain stores the previous and current passwords so that the previous password is accessible for authentication in case someone changes the current password but the domain controller hasn?t yet fully replicated the password.
If a password changes twice, the computers that use the password might be unable to communicate. In this case, you would receive an error message (e.g., the error message Access Denied when Active Directory?AD?replication occurs). Passwords can also be out of sync during replication between domain controllers in the same domain.
You can manually change a machine account password. You must use the Microsoft Windows 2000 Resource Kit?s Netdom tool rather than the Active Directory Users and Computers snap-in. Netdom is in Win2K?s Support\Tools folder. To reset a machine account password, enter
C:\>netdom resetpwd /server:<servername> /userd:<username>\Administrator /passwordd:*
After you enter the command, you?ll see the following.
Type the password associated with the domain user:
The machine account password for the local machine has been successfully reset.
The command completed successfully.
You need to run this Netdom command on the machine for which you want to change the password. The server must be a domain controller in the domain, and the user must have a domain account with administrative privileges over the machine account whose password you?re changing.
You need to restart the machine for the password change to take effect. Simultaneously resetting the password on the local machine and a domain controller ensures that the two computers involved in the operation are synchronized, and starts AD replication so that other domain controllers receive the change.

How can one protect against password hackers that use sniffers like l0pht?

Nowadays, NT administrators face a tough task in ensuring network security, because of password sniffers such as l0pht, which can sniff an NT password easily. To solve this, one can use a network sniffer that can detect such
password sniffers. The network sniffer could log a user running a password sniffer and also issue an alert. An example of such a network sniffer is
LANguard: http://www.languard.com.
The user password never leaves the local machine with Win2000 using Kerberos security. It is never exposed to the network so it should not be able to be
sniffed.

How can one detect that users have cracked a password?

To detect this, you would either have to review the security logs regularly or use a network sniffer to monitor users accessing shares in real time. A combination of the two would be the most prudent. Security logging can be switched on from the event viewer.
A network sniffer can be used to log IP's & Users accessing particular servers or shares. In real time an administrator would be able to see which users are accessing which shares. An example of such a sniffer is LANguard:
http://www.languard.com or Sessionwall: http://www.sessionwall.com

Are SQL Server userid's and passwords passed in clear on the network?

If you use multi-protocol net-lib with encryption then SQL standard security userids/passwords are encrypted along with the data.
When using an NT userid/trusted connection then passwords are not passed at all - the sids are used as in all NT credential checks.
If you are using SQL 7.0 client drivers talking to a 7.0 server then the SQL standard security userid/password is encrypted regardless of net-lib.
In any other case then the SQL standard security userid/password is sent in clear.

How can I disable trust password changes?

After a trust is established using a defined password it is changed automatically every seven days. If this password change is missed two cycles running then the trust is broken. This also applies to machines in a domain who have a secure channel with the domain controller and change their passwords every 7 days on NT 4.0 and for Windows 2000 every 30 days.
To disable the trust password changes perform the following change on the
domain controllers/workstations:
Start the registry editor (regedit.exe)
Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Double click on DisablePasswordChange
Set to 1
Click OK
Close the registry editor
Another option to stop the computer account password changes is to refuse the
change at the domain controller:
Start the registry editor (regedit.exe)
Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
From the Edit menu select New - DWORD value
Enter a name of RefusePasswordChange
Double click on the new value and set to 1
Click OK
Close the registry editor

How can I change the password change for computer/trust accounts?

The default interval for password changes for a computer/trust
account can be modified as follows:
Start the registry editor (regedit.exe)
Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
From the Edit menu select New - DWORD value
Enter a name of MaximumPasswordAge
Double click the new value and set to the number of days
Click OK
Close the registry editor
In NT 4.0 this value is only available for machines with Service Pack 4 and
for all versions of Windows 2000. Values can be in the range of 1 to 1,000,000

Password policies assigned to an OU/site GPO do not work.

Although the password policy branch is available for all Group
Policy Objects it is only implemented for GPO's at the domain level so even if you make settings for a GPO for an OU or a site it will have no effect. The only way to apply password settings is as follows:
Start the Active Directory Users and Computers MMC snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers)
Right click on the domain and select properties
Select the Group Policy tab
Select the domain group policy object and select Edit
Expand the 'Computer Configuration' branch - 'Windows Settings' -
'Security Settings' - 'Account Policies' - 'Password Policy'
You will now be able to set the relevant options
When complete close the Group Policy Editor

What does System Key actually protect my passwords from?

System key enables stronger encryption of account passwords stored in the registry in the SAM (Security Account Manager) database. With System key installed the passwords have enhanced encryption in the SAM. Note this is
only the passwords and not for example the user name.
When System Key encryption has been enabled backups of the SAM database will also be encrypted: For example on back up tapes, RDISK and %systemroot%\repair. Which are often used to crack passwords.
System Key is used to make the decrypting or cracking of your passwords from the SAM more difficult and time consuming. Crackers such as L0pht crack ,
John the Ripper, Crack 5 with NT Extensions are used often to break NT password hashes. These use dictionary and brute force types of techniques.
L0pht Crack is now using a form of intelligent brute forcing, which is the next generation of crackers.
- System Key prevents SAM dumping with the tool built into L0pht Crack 2.5.
- System Key prevents SAM dumping with the tool pwdump.
- System Key does not stop SAM dumping with the tool pwdump2 which uses DLL injection techniques different to pwdump.
- System Key does not prevent password cracking or decryption.
- System Key reuses the keystream used to perform some of the encryption.
This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it. Todd
Sabin from Bindview (www.bindview.com) and the author of pwdump2 discovered this exploit in December-1999.
- System Key still increases the time and complexity to crack password? hashes.
Note; Pwdump and pwdump2 require administrator access to be used.
System Key affects the following system components:
%systemroot%\system32\config\sam HKEY_LOCAL_MACHINE\SAM
%systemroot%\system32\config\security HKEY_LOCAL_MACHINE\Security
and three system security component files: Winlogon.exe, Samsrv.dll, Samlib.dll
Also see Q. How do I use the System Key functionality of Service Pack 3? for installing System Key.
For more information on System Key see Q143475 at http://support.microsoft.com/support/kb/articles/q143/4/75.asp
For information on the "System Key Keystream Reuse" Vulnerability and patch see http://www.microsoft.com/security/bulletins/ms99-056.asp
Contributed by Nathan House

How do I enable strong password filtering?

Windows NT 4.0 Service Pack 2 introduced a new password
filter, passfilt.dll, which implements the following new restrictions
Passwords must be at least 6 characters long
Passwords must meet at least 3 of the following criteria
- Uppercase letters A-Z
- Lowercase letters a-z
- Number(s) 0-9
- Non-alphanumeric character (e.g. !, etc.)
Password may not contain your user name or any part of your full name To enable this functionality perform the following on all PDC's (and stand alone's if used). You do not need to install this on BDC's, however you should in case the BDC is promoted to a PDC.
Start the registry editor (regedt32.exe, do not use
regedit.exe)
Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Double click on "Notification Packages"
Add PASSFILT on a new line (there may be a FPNWCLNT so you should add this after this value). Click OK
Close the registry editor
Reboot the machine
It should be noted you will still be able to set passwords in User
Manager that do not meet the criteria, this is by design as direct SAM updates are not filtered.

How can I check the security of my passwords?

If you want to test all your users's password's an excellent utility is l0phtcrack that will try and ascertain your passwords.
L0phtcrack allows NT Administrators & Information Security Engineers to quickly evaluate the security of users passwords. L0phtcrack supports traditional dictionary attacks, hybrid dictionary attacks, and fullblown exhaustive keyspace attacks (user definable).
L0phtcrack can gather NT password hashes through a number of ways, including the registry, SAM files, or even by monitoring SMB network activity.
L0phtcrack has recently won the InfoWorld Golden Guardian award and has been recommended by Microsoft.
Lophtcrack can be downloaded from http://www.l0pht.com/l0phtcrack/
and can be used for free for 15 days and is very simple to use once installed.
Once you start the utility you can either load in a Sam file (from the %systemroot%\system32\config directory) but not on your current installation as the files are locked or dump out passwords from the registry by selecting "Dump Passwords from Registry" from the Tools menu and select the computer, e.g. a domain controller or the local machine. If you want to dump
from the registry you must be an Administrator on the machine whose registry you are trying to dump.
After importing the information from a source you will have a list of usernames and the hash values of the passwords, selecting 'Run Crack' from the Tools menu will then start the attack on the passwords.

Notice the easy passwords were found quickly and it is
starting to guess the more complex ones, only a matter of time.
The idea of running this is to find people who are using weak passwords and force them to change it, a good start is to use the strong password filtering which will FORCE users to use complex passwords and always make sure to have a minimum password length of 8 characters (set in User Manager - Policies -
Account). This helps, but can give a person a false sense of security. For example, if the password requirement is just alphanumeric, a password like "N0ts3cur3" would be guessed rather quickly with a hybrid dictionary attack so you should still audit passwords regularly.
One reader of the FAQ has pointed out 8 characters is not the best number as an 8 character password consists of basically one 7 character passwords and a one letter password (the last character) which will be guessed almost instantly
and may give a clue to the first seven characters. Many times, we've guessed the first half of the password based off of the 8th, 9th, and 10th characters.
(i.e. ???????werty is either 123456qwerty or qwertyqwerty)
"When users are forced to use special characters, 9 out of 10 times, the user will put the special character at the end of the password. In an 8 character minimum password, the eight character becomes the symbol, and the first seven are letters and num! bers. The seven characters are cracked with
L0pht crack in 24 hours or less. Thus, an 8 character password (even with a special character at the end) may either be cracked in 24 hours, or give up enough info to guess the first half (yes - a lot of assumptions here - but this theory has held up over 30,000 times). I'd like us to reset the industry line of thought on NT passwords and suggest that the strongest password policies are
those that require seven characters (instead of 6 or 8). Also, the strongest passwords are those that are either 7 or 14 characters exactly, with at least one special character in each half (with very few exceptions - note Paul Ashtons 7 character or less pwd attack). Given that users will write down pwds that are 14 characters in length, 7 becomes the next best choice. I believe
Dave Leblanc, InfoWorld, and some folks at Microsoft will agree that exactly 7 characters is a recommended length."

How do I avoid having to enter the Key Management password?

If you have the Key Management Server installed each time you
start the KM service you have to either insert a disk with the password on or manually enter it depending on your configuration.
It is possible to configure the service to look on the hard disk although this is not recommended due to security reasons however on development systems this may be OK.
Create a directory on your local harddisk (or you could use an existing directory)
Copy the file kmserver.pwd from the floppy disk created to the local directory, e.g. d:\exchsrvr
Start the registry editor (regedit.exe)
Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\KMServer
Double click on MasterPasswordPath
Change from A:\ to the directory, e.g. d:\exchsrvr. Click OK
Close the registry editor
Next time the service is started it will look for the password file on the local harddisk and not prompt for a disk to be entered.

How do I enable plain text passwords with the telnet server in Windows 2000?

Windows 2000 uses NTLM to encrypt passwords sent from telnet
for security reasons but not all telnet clients are compatible so its possible to configure the telnet service to not require NTLM as follows:
E:\>tlntadmn
Microsoft (R) Windows 2000 (TM) (Build 2194)
Telnet Server Admin (Build 5.00.99201.1)
Select one of the following options:
0) Quit this application
1) List the current users
2) Terminate a user session ...
3) Display / change registry settings ...
4) Start the service
5) Stop the service
Type an option number [0 - 5] to select that option: 3
Select one of the following options:
0) Exit this menu
1) AllowTrustedDomain
2) AltKeyMapping
3) DefaultDomain
4) DefaultShell
5) LoginScript
6) MaxFailedLogins
7) NTLM
8) TelnetPort
Type an option number [0 - 8] to select that option: 7
Current value of NTLM = 2
Do you want to change this value ? [y/n]y
NTLM [ current value = 2; acceptable values 0, 1 or 2 ] :1
Are you sure you want to set NTLM to : 1 ? [y/n]y
setting will take effect only when Telnet Service is re-started
Select one of the following options:
0) Exit this menu
1) AllowTrustedDomain
2) AltKeyMapping
3) DefaultDomain
4) DefaultShell
5) LoginScript
6) MaxFailedLogins
7) NTLM
8) TelnetPort
Type an option number [0 - 8] to select that option: 0
Select one of the following options:
0) Quit this application
1) List the current users
2) Terminate a user session ...
3) Display / change registry settings ...
4) Start the service
5) Stop the service
Type an option number [0 - 5] to select that option: 0
E:\>net stop tlntsvr
The Telnet service is stopping.
The Telnet service was stopped successfully.
E:\>net start tlntsvr
The Telnet service is starting..
The Telnet service was started successfully.
Now the telnet service will not require NTLM authentication. You can also directly set registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\NTLM
to 1 for the same change.

I've forgotten the sa password for SQL Server - what can I do?

The easiest way around this is to logon to the actual SQL Server NT machine itself as administrator. Then connect to SQL Server using any of the tools and specify "." as the server name and ask for a trusted connection. As long as the admins group hasn't been explicitly removed from having sa rights then you should connect ok and be able to reset the password.
If you're in mixed-mode and you know the NT userid of someone with sa rights, then get their password reset and logon/connect as them.
Otherwise you can try and find a dba's machine who already has the server registered to SQL EM with sa and use that copy of SQL EM to connect.
If all these fail then you'll have to rebuild master and disk reinit (6.x) or re-attach (7.x) all the user databases.

How can I change the local Administrator passwords on machines without going to them?

As you may be aware it is possible to change your password from the command line using the net user command, and if you combine this with the at command you can run the command on different machines, e.g.
at \\<machine name> <time> cmd /c net user
Administrator anythingyouwant
e.g. at \\savilljohn 18:00 cmd /c net user Administrator password
The /c after cmd causes the command window to close after the command has been executed. An alternative to the at command
would be the soon command
soon \\<machine name> cmd /c net user Administrator
password
For this to work you will need to ensure the Scheduler (Task Scheduler) service is running on the destination machines.

How do I change my password?

Perform the following:
Press Ctrl-Alt-Delete
Click the "Change Password" button
Enter you old password and new password twice and click OK
To change your password from the command line use the net user command, e.g.
net user <username> <password> (/domain)
To change from a program use the NetUserChangePassword()? call.

How can I execute a batch file using WINAT with Administrator Permissions?

From the Services Control Panel Applet (Start - Settings - Control Panel) double click Scheduler. Change the account/password to that of a user in the Administrative group. It may be wise to create a new account just for this se which would require the
following attributes:
Non blank password
Non Expiring password
User Rights - Logon as service and Logon as batch job
After changing the Scheduler information you will need to stop and start the service.

How can I stop my Windows 9x clients having to enter a separate Windows password when logging onto a domain?

In the old Windows for Workgroups days the admincfg.exe
utility was used to disable password caching and a similar functionality exists in Windows 95 and Windows 98.
Start the registry editor (regedit.exe)
Move to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Network
From the Edit menu menu select New - DWORD Value
Enter a name of DisablePwdCaching and press Enter
Double click on the new value and set to 1. Click OK
Close the registry editor and reboot the machine
Upon reboot clients will no longer have to enter a local password, just the domain.
When clients use the Password control panel applet the "Change
Windows Password" button under "Windows password" will be
grayed out and only "Other passwords can be set". Clients would
then select "Microsoft Networking" as per normal

How do I recover a lost administrator password?

If there are no other accounts in the administrator group, and the machine is not part of a domain where the Domains Administrator account could be used to logon and change the local Administrator password (the domain's Administrator group is automatically made a member of the machines
Administrator group when the machine joins the domain) then the only way is to reinstall NT into a new directory (not the same, as it will upgrade and see the old password) and it will let you enter a new Admin password. Also if you have an old ERD that you knew the password at time of making, you could use this and
restore the SAM and security portions of the registry.
There is also a piece of software from http://www.winternals.com that can break into an NT system (LockSmith) that will change any password. The software is not free, and will cost around US$100. Their new product, ERD Professional can also change passwords and is available from the same site.
A similar piece of software is also available from
http://www.mirider.com that allows you to
boot off of a set of disks and change the Administrator password.

How can I disable the "Save Password" option in dial-up networking?

Preventive Maintenance HPUX 9000

2006-02-22T17:35:00.000+07:00

Hari ini tanggal 22 Feb 2006 dilakukan preventive maintenance terhadap server HPUX 9000-RP3410 dilakukan oleh pihak HPSI yaitu Jayadi. Ada beberapa tips berkenaan dengan administrasi HPUX yaitu sbb:

Membuat system recovery, ini dibutuhkan bila system kita crash baik karena hard disk rusak atau file OS rusak tidak bisa dijalankan. Untuk membuat recovery tape sbb:
# make_recovery -ACv
Lalu tape beri nama dengan ignite22-02-2006, ignite merupakan aplikasi yang harusnya sudah terinstall di OS. Hasil tape tsb disimpan untuk digunakan sewaktu-waktu sytem crash kita membutuhkannya.
Bila sampai crash yang harus kita lakukan adalah:

Pastikan apa yang membuat system crash, bila karena harddisk maka kita harus mengganti harddisk yang rusak tsb dengan harddisk baru.
Kemudian lakukan boot server melalui tape, caranya yaitu ketika server dinyalakan lakukan interupt (dengan memencet keyboard sehingga booting terinterupt) kurang dari 10 detik.
Akan muncul ISL > sea [enter]
meminta sequence dari tape untuk diisi
Ketikkan ISL > boot [space] p2 [enter]

Untuk menjalankan ini harus dipastikan lokasi boot dengan cara
# lvlnboot -v
Untuk melihat list harddisk yang terinstal
# strings /etc/lvmtab
# vgdisplay -v /dev/vg00 <- vg00 ini adalah nama harddisk

Melakukan extent space dari direktory yang telah kita mounting sebelumnya: (pastikan server sedang tidak menjalankan aktifitas apapun seperti database/aplikasi dll)

unmount terhadap directorynya
# unmount [space] [nama-file]
eq.: # unmount /mfgapp
Melakukan extend directory yang diinginkan dalam MB
# lvextend [space] -L [space] [Ukuran yg diinging dalam MB] [space] [lokasi harddisk]
eq.: # lvextend -L 3500 /dev/vg00/lvol9
Daftarkan
# extendfs [space] [lokasi harddisk dengan menambahkan prefix huruf r pada nama belakang]
eq.: # extendfs /dev/vg00/rlvol9
Mounting directory
# mount [space] [lokasi direktory] [space] [nama direktory]
eq.: # mount /dev/vg00/lvol9 /mfgapp

Sepuluh Unsur Kepribadian Billionaire

2006-02-20T15:50:00.000+07:00

Minggu lalu saya berada di New York City, tepatnya Manhattan, yang jaraknya kurang lebih 2500 mil dari kediaman saya di San Francisco Bay Area. Seorang "mogul" alias pengusaha kelas kakap yang berteman dekat dengan Donald Trump memanggil saya untuk membantunya dalam mendirikan divisi baru institusi pendidikannya yang sudah mendunia. Sebutlah namanya Mr. JC.

Sebagai seorang konsultan yang sering mendengar nama Mr. JC ini disebut-sebut, tentu saja saya sangat girang ketika dikontak oleh asistennya untuk mengunjungi Si Mogul ini untuk business meeting. Dengan harap-harap cemas saya mempersiapkan segala sesuatunya agar presentasi saya nanti tidak memalukan. Namanya saja berbisnis dengan seorang pengusaha kelas kakap. Siapalah saya ini di matanya.

Ternyata, di luar dugaan saya, Mr. JC sangat ramah dan informal. Kecerdasannya tampak jelas dari "being comfortable in his own skin." Ia sangat nyaman dengan dirinya sendiri, tidak ada unsur intimidasi maupun berusaha tampak lebih cerdik daripada lawan bicaranya. Sungguh saya sangat terkesan.

Selama kurang lebih 6 jam perjalanan pulang di pesawat, saya banyak merenungkan pertemuan ini, terutama mengenai kepribadian Mr. JC yang sangat menawan. Otak saya yang gemar melakukan studi komparasi kembali bekerja. Satu per satu wajah orang-orang sukses muncul di benak saya. Wah, ternyata banyak sekali kemiripan sifat dan perilaku mereka dengan Mr. JC, yang tampaknya sangat bertolak belakang dengan sifat-sifat dan perilaku mereka yang kurang berhasil.

Sepuluh unsur kepribadian seorang billionaire yang saya sarikan berdasarkan komunikasi dan pergaulan pribadi dengan para billionaies dan beberapa pengusaha sukses adalah sebagai berikut:

Satu, keberanian untuk berinisiatif.
Di sinilah letak keunikan utama pengusaha kelas kakap dunia. Mereka selalu punya ide-ide jenial. Sebagai contoh, lihat saja si Raja Real Estate, kebangkitannya dari bangkrut beberapa tahun yang lalu sekarang sudah membuahkan lebih dari sekedar kerajaan properti belaka. Adaboneka Donald, ada seri TV The Apprentice, ada online university TrumpUniversity.com, bahkan ada t-shirt "You're Fired" dan buku-buku best-sellernya. Semua berangkat dari inisiatif belaka, yang bisa kita pelajari dan tiru.

Dua, tepat waktu.
Selalu menepati janji dan tepat waktu karena ini adalah bukti kemampuan memanage sesuatu yang paling terbatas di dalam hidup kita, yaitu waktu. Kemampuan untuk hadir sesuai janji adalah kunci dari semua keberhasilan, terutama keberhasilan berbisnis. Respek terhadap waktu merupakan pencerminan dari respek terhadap diri sendiri dan partner bisnis.

Tiga, senang melayani dan memberi.
Seorang billionaire pasti mempunyai kepribadian sebagai pemimpin dan seorang pemimpin adalah pelayan dan pemberi. The more you give to others, the more respect you get in return. Syukur-syukur kalau ada karma baik sehingga mendapat kebaikan juga dari orang lain. Paling tidak dengan memberi dan melayani, kita sudah menunjukkan kepada dunia betapa berlimpahnya kita. Alam bawah sadar kita akan terus membentuk blue print sukses berdasarkan kemampuan memberi ini.

Empat, membuka diri terlebih dahulu.
Pernah Anda bertemu orang yang selalu mau bertanya soal hal-hal pribadi tentang orang lain namun tidak pernah mau membuka diri? Mereka biasanya hidup dalam ketakutan dan kecurigaan, yang pasti mereka akan sangat sulit untuk mencapai kesuksesan karena dua hal ini adalah lawan dari unsur-unsur yang membangun sukses. Rasa percaya dan kebesaran hati untuk membuka diri terhadap lawan bicara merupakan cermin bahwa kita nyaman dengan diri sendiri, lantas tidak ada yang perlu ditutupi, sesuatu yang dicari oleh para partner bisnis sejati. (Siapa yang mau bekerja sama dengan orang yang misterius?)

Lima, senang bekerja sama dan membina hubungan baik dengan para partner bisnis.
Teamwork jelas adalah salah satu kunci keberhasilan utama. Donald Trump dan Martha Stewart pun mempunyai tim-tim mereka yang sangat loyal sehingga mereka bisa mencapai sukses luar biasa. "No man is an island," kita semua perlu membangun network kerja yang baik, sehingga jalan menuju sukses semakin terbuka lebar.

Enam, senang mempelajari hal-hal baru.
Kembali kita mengambil contoh Pak Trump yang baru saja membuka online university. Apakah beliau adalah ahli pendidikan? Seorang profesor? Jelas tidak, namun dengan kegemarannya mencari hal-hal baru serta langsung mengaplikasikannya, maka dunia bisnis semakin terbuka luas baginya. Dunia bisnis baginya adalah tempat bermain yang luas dan tidak terbatas. Kuncinya hanya satu: senang belajar dan mencari hal-hal baru.

Tujuh, jarang mengeluh,
profesionalisme adalah yang paling utama. Lance Armstrong pernah berkata, "There are two kinds of days: good days and great days." Hanya ada dua macam hari: hari yang baik dan hari yang sangat baik. Jangan sekali-kali mengeluh di dalam bisnis, walaupun suatu hari mungkin Anda akan jatuh dan gagal. Mengapa? Karena setiap kali gagal adalah kesempatan untuk belajar mengatasi kegagalan itu sendiri sehingga tidak terulang lagi di kemudian hari. Hari di mana Anda gagal tetap adalah a good day (hari yang baik).

Delapan, berani menanggung resiko.
Jelas, tanpa ini tidak ada kesemp atan sama sekali untuk menuju sukses. Sebenarnya setiap hari kita menanggung resiko, walaupun tidak disadari penuh. Resiko hanyalah akan berakibat dua macam: be a good or a great day (lihat di atas). So, untuk apa takut? Kegagalan pun hanyalah kesempatan belajar untuk tidak mengulangi hal yang sama di kemudian hari kan?

Sembilan, tidak menunjukkan kekhawatiran(berpikir positif setiap saat). Berpikir positif adalah environment atau default state di mana keseluruhan eksistensi kita berada. Jika kita gunakan pikiran negatif sebagai default state, maka semua perbuatan kita akan berdasarkan ini (kekhawatiran atau cemas). Dengan pikiran positif, maka perbuatan kita akan didasarkan oleh getaran positif, sehingga hal positif akan semakin besar kemungkinannya.

Sepuluh, "comfortable in their own skin"alias nyaman dengan diri sendiri
tanpa perlu berusaha menutup-nutupi sesuatu maupun supaya tampak "lebih" dari lawan bicaranya. Pernah bertemu dengan billionaire yang rendah diri alias tidak nyaman
dengan diri mereka sendiri? Saya yakin tidak ada. Kenyamanan menjadi diri sendiri tidak perlu ditutup-tutupi supaya lawan bicara tidak tersinggung karena setiap orang mempunyai tempat tersendiri di dunia yang tidak bisa digantikan oleh orang lain.

Saya adalah saya, mereka adalah mereka. Dengan menjadi diri saya sendiri, saya tidak akan mengusik keberadaan mereka. Jika mereka merasa tidak nyaman, itu bukan karena kepribadian saya, namun karena mindset yang berbeda dan kekurangmampuan mereka dalam mencapai kenyamanan dengan diri sendiri.

Apakah Anda mempunyai kepribadian seorang billionaire? Hanya Anda yang bisa menjawab. Salam sukses, sampai bertemu di puncak gunung kesuksesan.

Sumber: Sepuluh Unsur Kepribadian Billionaire oleh Jennie S. Bev. Jennie
S. Bev adalah konsultan, entrepreneur, penulis dan edukator berbasis di San FranciscoBayArea. Baca perjuangan dan prestasinya di JennieSBev.com.

Mantra Pelet Orang

2006-02-20T08:46:00.000+07:00

Beberapa waktu lalu saya mendengar dari salah satu radio di Jakarta yang selalu memutar lagu-lagu Indonesia, yang menarik dari obrolan tersebut adalah membahas mengenai pelet-peletan, kebetulan pada saat itu sedang ramai-ramainya kasus gugatan antara Jackson Parangin-angin dengan Cut Memey yang disinyalir menggunakan pelet.
Ada yang menarik dari obrolan tersebut adalah mantra untuk memelet orang, mengenai keampuhan mantra tersebut saya meragukan, kebetulan saya tidak percaya dengan hal-hal yang berbau mistik, dukun dan pelet.
Salah satu mantra yang masih saya ingat adalah sebagai berikut

Dung-dung pret dung-dung pret
Anak kodok disangka kampret
Orang melirik pasti kepelet

Mantra ini hanyalah permainan saja, dan jangan dianggap beneran. Tetapi kalau anda mau coba menggunakan mantra tersebut saya persilahkan tetapi saya tidak bisa menjanjikan apakah ampuh atau tidak.

Cuti melahirkan

2004-03-29T09:33:00.000+07:00

Hari ini adalah hari pertama buat istri gue memasuki masa cuti hamil, sebenarnya saat seperti ini ia masih ingin bekerja tetapi karena peraturan perusahaan dimana masa cuti hamil adalah h - 30 sampai h + 60 sehingga mau nggak mau ia harus menjalankan 1 bulan penuh sebelum melahirkan tetap berada di rumah. Memang dengan adanya teknologi canggih seperti USG (Ultrasonographi) bisa memperkirakan kelahiran dan memonitor calon bayi, tetapi yang namanya buatan manusia tentu tidak terhindar dari kesempurnaan sehingga dengan alat itu bisa saja meleset dari perkiraan.

Melesetnya perkiraan ini pernah terjadi pada rekan kerjanya dimana perkiraan yang dibuat oleh dokter ternyata lebih cepat dari perkiraannya kira-kira 1 minggu lebih, karena peraturan perusahaan ia harus masuk h + 60 artinya 60 hari setelah tanggal kelahiran yang sebenarnya bukan tanggal perkiraan. Seharusnya wanita hamil akan mendapatkan hak cuti selama 3 bulan (estimasi 1 bulan = 30 hari) dengan melesetnya perhitungan tsb maka orang tersebut kehilangan waktu cutinya sebanyak 1 minggu lebih. Berbeda jika kelahiran yang terjadi lebih lama dari pada perkiraan semula maka yang menjadi patokan hari h nya adalah tanggal estimasi.

Berdasarkan peraturan pemerintah menyangkut ketenaga-kerjaan mengenai cuti melahirkan adalah h - 30 hingga h + 60, tetapi banyak juga perusahaan tidak menghitung h - 30 tetapi h + 90 dengan mengambil patokan 3 bulan cuti hamil. Tentunya perusahaan yang menggunakan sistem h + 90 lebih menguntungkan buat karyawatinya karena karyawati tersebut akan menghabiskan waktunya bagi bayinya lebih panjang sehingga waktu untuk memberikan ASI exlusive juga lebih panjang.

Berbeda dengan peraturan ketenagakerjaan di negara lain, mengenai nama negara saya tidak tahu pasti, dan saya mengetahui hal ini juga dari pembicaraan teman-teman. Mereka itu bila cuti melahirkan diberi waktu 6 bulan setelah melahirkan karena diyakini bahwa kwalitas ASI yang baik itu hingga 6 bulan, dengan aturan ini maka seorang ibu diberikan keleluasaan dalam memberikan ASI exclusive selama 6 bulan.

Pemberian ASI exclusive selama 6 bulan, bagi perusahaan akan mengalami kerugian dimana perusahaan harus tetap memberikan gaji 6 bulan penuh walaupun karyawatinya tidak masuk kerja. Tentunya dengan perlakuan seperti ini akan merugikan perusahaan.

Tetapi kalau kita tinjau manfaat dari ASI exclusive selama 6 bulan dalam bidang kesehatan tentu manfaatnya lebih besar dari pada hanya memberi ASI exclusive selama 2-3 bulan, dan pemberian ASI exclusive selama 6 bulan akan menaikkan standard kesehatan generasi kita yang nantinya akan memimpin bangsa ini.

Untuk pemerintahan mungkin harus menimbang kembali kebijakan mengenai cuti melahirkan, karena tujuannya adalah baik untuk generasi penerus bangsa ini.

Party line

2004-03-26T11:34:00.000+07:00

Hari ini saya nggak sengaja membaca salah satu surat kabar ibukota di tempat makan bersama teman-teman saya satu kantor. Dalam surat kabar tsb ada beberapa iklan party line dengan gambar yang seronok dan kata-kata yang rada-rada syur dan kocak. Diantara kata-kata tsb adalah:
- Buah janda butuh vitamin
- Ada nggak cowok yang malam ini pisangnya nganggur
- Lebat begini kok nggak kelihatan
- Sedotannya kuat goyangannya kencang pasti mainnya hebat
- Tolong masukin disini butuh donor sedang sakit DB (Demam Bercinta)

Heran iklan party line yang menggunakan premium call tersebut tambah gencar disertai dengan gambar gadis-gadis dengan pakaian yang minim bahan.

Apakah party-line ini masih digemari oleh peminat-peminatnya atau mencari mangsa baru yang belum kejebak dengan iklannya.

Saya pernah dengar cerita dari mantan pacar yang sekarang jadi istri, dimana kantor ia bekerja salah satu bank pemerintah yang gede, mendapat tagihan telepon yg harus dibayar oleh perusahaan tsb lebih besar dari biasanya, saat itu tagihannya sekitar Rp 50-an juta , setelah diteliti dengan meminta print nomor telepon keluar ternyata didapati cukup banyak penggunaan dengan nomor premium call dan kejadiannya cenderung malam hari kalaupun siang terjadi bila kantor libur, tentunya yang dicurigai adalah security, cleaning service dan karyawan yang sering lembur. Setelah diusut ternyata penggunanya adalah salah seorang cleaning service yang tergiur dengan iklan yang seronok tersebut. Dan sejak saat itu maka telepon yang ada dikantor dikunci agar tidak bisa digunakan oleh orang-orang yang tidak berkepentingan.

Maka hati-hatilah terhadap iklan yang mengobral janji-janji yang panas bisa-bisa kebablasan. Lebih baik jangan mencoba telpon nomor-nomor tersebut karena kita akan dibujuk untuk melakukan sesuatu sehingga kita bisa terbawa arus dengan semakin lamanya kita telpon maka semakin besar tagihan yang harus dibayar.

2004-03-26T09:06:00.000+07:00

Hey, kemaren gua di CID oleh boss gue. CID yg diadakan dikantor gue menggunakan tools yang sudah dibuat oleh kantor pusat di Norway dan tools tersebut jalan di Lotus Notes. Beberapa tools yang dipakai adalah:

1. 360 degree feedback, tool ini adalah meminta feedback kepada atasan, bawahan, rekan kerja dan saya sendiri. Feedback form sudah disediakan dalam tool tersebut sehingga orang yang kita minta feedback cukup memberikan nilai masing-masing kategori tentunya diberikan alasan yang tepat sehingga orang tersebut pantas mendapatkan nilai.

2. KPI, tool ini adalah kepanjangan dari Key Performance Indicator. Dengan adanya KPI, kerjaan kita bisa diukur sampai seberapa jauh achievement yang kita peroleh.

3. Job description, dalam job description ini isinya adalah apa saja yang kita kerjakan diperusahaan yang menggaji saya dan juga kualifikasi apa yang dibutuhkan pada saat ini sehingga jika karyawan resign begian HRD akan dengan mudah mencari pengganti dengan dasar job description yang telah dibuat.

4. CIS, kepanjangan dari Continuous Improvement Summary. Adalah summary dari bagian-bagian diatas yang isinya antara lain Performance kita atas dasar KPI, sukses yang telah kita dapatkan berdasarkan Feedback, kapabilitas kita berupa kekuatan dan bagian yang perlu dikembangkan berdasarkan feedback, Action yang akan kita tempuh untuk mendukung kemampuan kita action ini bisa berupa training yang akan kita tempuh, kemudian kemauan/visi kita sebagai karyawan mau jadi apa dilihat dari diri sendiri dan terakhir adalah comment karyawan mengenai CID yang baru saja dijalankan.

Dari CID yang telah saya jalankan dihasilkan bahwa saya masih harus mengembangkan kemampuan saya terutama pada administrasi pekerjaan, bagaimana mengatur skedul dari kerjaan dan keep inform semua kerjaan kepada atasan saya yang selama ini jarang saya lakukan. Dan juga diharapkan saya bisa menjadi sparing partner atasan saya terutama dalam hal development system IT di perusahaan saya

2004-03-26T08:55:00.000+07:00

Saya baru pertama kali tahu tentang blog dari tabloid PC-Plus edisi maret minggu keempat 2004, nah dalam tabloid itu menyarankan untuk yang newbie gunakan blogger.com, karena disamping blog ini paling mudah ngesetnya juga mendapatkan dukungan dari google rajanya search engine di jagat raya. Semoga dengan adanya blog ini saya bisa semakin rajin mengeluarkan ide/konsep yang berguna bagi saya pribadi dan rekan-rekan semua yang membacanya.

Cheer...