Slashdot Mirror

No, Snapgear is the best router you can get for under $500.00 - it is multihoming, supports ipsec, pptp. and a slew of other features, has an EXCELLENT NAT interface, and uptime is measured in months, not days. On top of that, like dd-wrt, snapgear runs Linux and is of course OSS. Oh, also, unlike dd-wrt, the GUI isn't asstastic -- and pptp actually works.

The WRT54GL is the best router you can get for under $180.00.

I think Boing Boing needs to get a lawyer and get to suing.

If they're going to sue, they need to start with those jokers at Smartfilter.

They use it at my workplace, and it blocks things completely at random. BoingBoing posted some critical articals on Smartfilter and instantly got on their shit list -- Boing Boing is now permanently blocked as "nudity", a blatantly false category designed to get people in trouble for even trying to view it.

If you report the inaccuracy, they claim to fix it, only to ignore it and keep them blocked.

I wouldn't be surprised at all if Boston was just using Smartfilter and this is just a symptom of a much larger problem. Smartfilter is, IIRC, the official filter of choice for the US and Iranian governments for blocking naughty content from their masses -- ever since the Republicans managed to con their way into forcing all library machines into being filtered ("Think of the Children" covering the fact that Libraries are poor people's only way to get on the net) Smartfilter has been a bit of a fun toy to play with.

In the middle of the 2006 elections, for example, out of the blue Liberal blogs and Political Canidate websites in Swing States suddenly found themselves blocked as being "curse words" or "mature" or "forums" or other similarly flimsy excuses. Pretty sneaky -- get a censorship filter installed where poor people (who typically vote Democratic) are going to be forced to go through it, then just start randomly blocking political "dissidents" that you don't like. And since Smartfilter has a very, very strict policy (now, anyway) about not REMOVING, only RECATEGORIZING websites... well, yeah.

Sidewinder from Secure Computing is the only commercially available sidewinder to never have a CERT. http://www.securecomputing.com/index.cfm?skey=20&l ang=en [securecomputing.com] You get anti-virus, anti-spam, and the strongest firewall in the world on a single appliance. Hook it into Secure Computing's TrustedSource solution and you will not only have an incredible firewall but you will also stop 99% of Spam (including image spam) from hitting your network.

ACK! Secure Computing Sidewinders suck! I know first-hand. I have two G2s (in an active/passive cluster) at work. I have a long list of problems that I've encountered with those beasts over the last year. They are going to be replaced soon by a very fast, very capable product from Juniper.

I am currently running Sidewinder G2 version 6. A few of my problems:

1. Slow. The Sidewinders (specifically the "proxy" part) are a significant bottleneck in our network.
2. Email. For a while, certain inbound email messages were being dropped due to "feature" in Sendmail. The only was to fix the problem was for me to get into the guts of the Sendmail config files and edit things by hand.
3. Traceroute. Is it too much to ask to be able to run a traceroute *through* a firewall? The Sidewinder G2s do not allow this to happen.
4. HA: Failover is slow and clumsy. There is no "state table" shared between the Sidewinders so any active TCP connections will get terminated when the failover happens.
5. Reboot: Certain operations require the firewalls to be rebooted. What???? My PIX or Juniper Netscreen firewalls never pop-up a message saying "That change will go into effect after the next reboot."
6. The whole "proxy" thing is a pain in the neck. I can't tell you how many IPtables-style rules I have had to create to get around problems caused by the Secure Computing "tcp proxies".
7. The admin GUI is really nothing to write home about.
8. Logging. Logging is really, really sucky. Compared to the syslog messages that come from a PIX, the difference between the Sidewinders and a PIX is like night and day.
9. "Application Defense". Yeah, had to disable that is most places because, believe it or not, every single website on the Internet is not RFC-compliant.
10. I ran into a situation recently where I wanted to create a tcp proxy for ports 2000-2010. I couldn't do that because earlier I had created a proxy for the single tcp port 2001. What's up with that? I left the tcp proxy in place and then opened tcp 2000-2010 using an IPTables rule.
That's enough for now. I do have more.

The Sidewinder G2s will be removed from our network and replaced by high performance firewalls from Juniper. I'm very familiar with ScreenOS and I've seen the Juniper Netscreen HA feature in action. The failover time between two firewalls in an active/passive NSRP cluster is amazing.

So, we are going to cease being a Secure Computing customer and the Sidewinders (which are really Dell servers running some flavor of BSD) will get turned into test servers (probably get Win2003 server loaded onto them). I will say this for Secure Computing, we have a LOT of RSA tokens and we are taking a very serious look at Secure Computing's Safeword tokens. S.C. has a very nice product in that market.

Sidewinder from Secure Computing is the only commercially available sidewinder to never have a CERT. http://www.securecomputing.com/index.cfm?skey=20&l ang=en You get anti-virus, anti-spam, and the strongest firewall in the world on a single appliance. Hook it into Secure Computing's TrustedSource solution and you will not only have an incredible firewall but you will also stop 99% of Spam (including image spam) from hitting your network.

Researchers in the Information Assurance Research Group of NSA worked with Secure Computing Corporation (SCC) to develop a strong, flexible mandatory access control architecture based on Type Enforcement, a mechanism first developed for the LOCK system. NSA and SCC developed two Mach-based prototypes of the architecture: DTMach and DTOS (http://www.cs.utah.edu/flux/dtos/). NSA and SCC then worked with the University of Utah's Flux research group to transfer the architecture to the Fluke research operating system. During this transfer, the architecture was enhanced to provide better support for dynamic security policies. This enhanced architecture was named Flask (http://www.cs.utah.edu/flux/flask/). NSA has now integrated the Flask architecture into the Linux operating system to transfer the technology to a larger developer and user community.

Boingboing has a guide to evading cesonsorware

Should be useful to Iranians, as the US firm Secure Computing is the company censoring Iran.

That's not what I get when I put those URLs in the form provided. Of course, it's possible someone in the military is customizing the filter. What I get:

URL1: HTTP://WWW.BILLOREILLY.COM
V4 - Entertainment/Recreation/Hobbies, Politics/Opinion
3.x Premier - Entertainment, Politics/Religion

URL2: HTTP://WWW.AIRAMERICARADIO.COM
V4 - General News
3.x Premier - Gen. News

URL3: HTTP://WWW.RUSHLIMBAUGH.COM
V4 - Politics/Opinion
3.x Premier - Politics/Religion

URL4: HTTP://WWW.ALFRANKENSHOW.COM
V4 - Not Categorized
3.x Premier - Not Categorized

URL5: HTTP://WWW.LIDDYSHOW.US
V4 - Provocative Attire, Politics/Opinion, Weapons
3.x Premier - Politics/Religion, Mature

URL1: HTTP://WWW.DONANDMIKEWEBSITE.COM
V4 - Entertainment/Recreation/Hobbies, Profanity
3.x Premier - Entertainment, Mature

To add... I'm in the Air National Guard, and am a network manager, which is why I'm posting as an AC. The above is mostly true, in that there's a contracted company, Secure Computing that categorizes sites and blocks all the categories selected. However, any site can be let through as an exception to the policy. Slashdot was blocked (as is games.slashdot still) for a while but somebody successfully asked for an exception and it was let through. What has obviously happened is that people with enough brass to be able to shrug off any questions have selectively asked to have their favorite unofficial sites unblocked. The reality is that if I, a lowly MSgt, were to submit paperwork to have Al Franken's site unblocked, people would crawl up my butt about "unofficial internet use" (which is absolutely rampant every place I've been to by the way), whereas when the bird colonel higher up in the food chain asked for his favorite baseball team's site to be unblocked, nobody even blinked. The poster above is mouthing the official party line, but I don't think he's considering the selective nature of what is blocked and what is not. I went through the links in the post, and for the ANG at least, all was exactly as wonkette described. It's sort of like when I designed our base's intranet site. Originally the "news links" section had a variety of military news, the local newspaper, CNN, Fox News, USA Today, MSNBC, ABC News, NBC News, BBC World News, CBS News, and NPR. Immediately after the site when online I was directed by my wing leadership to get rid of everything but the military news, the local paper, and (surprise surprise) Fox News. We stream exactly one channel. Fox News. This sort of de facto censorship-- "We block everything then unblock what we agree with," is indicative of the overwhelmingly politically conservative makeup of today's military. Especially since the Bush election, if you lean left, it's better to keep your mouth shut and hope for better days.

A brief Googling seems to indicate that they're using Secure Computing SmartFilter as the content filtering service.

The Secure Computing site lists "A United States Defense Agency" as one of its clients. Said agency also uses the Sidewinder product as a firewall.

Of course, this is all conjecture.

A brief Googling seems to indicate that they're using Secure Computing SmartFilter as the content filtering service.

The Secure Computing site lists "A United States Defense Agency" as one of its clients. Said agency also uses the Sidewinder product as a firewall.

Of course, this is all conjecture.

Their "statement of assurance" makes it kind of scary to try and do a commercial selinux distro of your own.

http://www.securecomputing.com/pdf/Statement_of_As surance.pdf

Secure Computing

If you read the full text of the article, it states and confirms "that it uses the commercial filtering package SmartFilter - made by the US-based company, Secure Computing - as the primary technical engine of its filtering system." The multilingual support allows them to filter Farsi. So the same company that stops you so many from visiting just about any site at work is proping up other restrictive regeimes.

If you read the full text of the article, it states and confirms "that it uses the commercial filtering package SmartFilter - made by the US-based company, Secure Computing - as the primary technical engine of its filtering system." The multilingual support allows them to filter Farsi. So the same company that stops you so many from visiting just about any site at work is proping up other restrictive regeimes.

No, he's probably talking about some retarded filtering policy. I get the same raw deal at my school.

It's like a bank machine gives you money because you HAVE your bank card and KNOW your pin.

See two-factor authentication devices from RSA SecurID, VASCO, or Secure Computing.

Microsoft has had a tight partnership with RSA for several years. Any word if MS will roll their own?

Sam

Secure Computing offers tokens that use that "best password schema" mentioned by the parent. They call 'em "SafeWord Tokens".

Secure Computing offers tokens that use that "best password schema" mentioned by the parent. They call 'em "SafeWord Tokens".

While I am mostly in agreement with you about Linux being crap compared to OpenBSD security wise, your statement regarding nothing beating OpenBSD as a firewall is pure bunk.

The Sidewinder G2 firewall implemented on top of "Secure OS" (a BSDi derived OS developed by the people who co developed the technology used by the NSA's "Security Enhanced Linux" has not yet been compromised, and has recently achieved full EAL4+Common Criteria (CC) certification. It is unlikely that OpenBSD will ever do that.

Had I the money, I would use nothing else myself, as Secure OS is *Hard Core* Military grade security built into a BSD OS.

http://www.securecomputing.com/news_display.cfm?ni d=466&lang=en

Read. Learn. Grow.

Here.

I looked at this awhile back. It was cheaper and seemed more robust than the SecureID stuff. Plus, it's event based, not time based. You don't have to wait a minute before logging into another device, you just hit the button and take the next code. If it gets out of sync, just enter the next 5 codes in, and it syncs back up, no calling the IT dept or messing around with timing.

Trusted Solaris from Sun and SecureOS from Secure Computing used in their Sidewinder firewall are just two off the top of my head.

It doesn't necessarily need to be commercial either since there's TrustedBSD for instance. I guess I shouldn't say "designed from scratch" since many of them build on original BSD or System V code as a starting point, but there are certainly MAC based systems built from scratch out there.. probably custom jobs unavailable to us outside the government, but they're out there.

Again, I'm not saying OpenBSD is insecure, far from it. OpenBSD is probably the most secure operating system you'll get without introducing complicated mandatory access controls (type enforcement, RBAC, whatever you want to call it), but we shouldn't kid ourselves by saying that it's as secure as other operating systems available.

Some of their exciting "Strikeback" tools referenced on the page: traceroute, finger, and dig.

You want these. Basically, you give one to each user who needs access to the site. They enter their username, and then to get their password, they enter their PIN into this credit card sized device, and it gives them a one time password. To further enhance security, you can make the password they have to enter a concatenation of a "permanent" password and the one time generated one. This pretty much ensures you are allowing the right person in. You can also implement paranoia features in the generators (we call them Enigmas where I work, as that used to be the name of the company). Such things include lockout from the physical password generator itself when the wrong PIN is entered N times or lockout from the authentication system after a number of incorrect tries.

I wonder how this will affect Sidewinder. It's tightly integrated around BSD/OS for it's type-enforcement technology. They're even quoted in a Wind River press release from last year. I guess people should just migrate to FreeBSD and be done with it. It's not going anywhere.

"Forbidden, this page (http://www.alpern.org/weblog/stories/2003/01/09/p rojectionKeyboards.html) is categorized as: Sex. "

(according to Smartfilter)

Since when slashdot links to pr0n pages ?

There are good certifications and bad certifications. Bad ones can be just bought (and addressed like: This product is secure, as tested by company X). But certifications like Common Criteria need a lot more work. If you are going to get e.g. Common Criteria level 4 (or above) certification you must provide the high-level and low-level design documents, tests, etc to certification body. They check all these and create also tests by themselves. Also if you go beyond level 4, another party may test your product (like NSA). You might also need to provide your source code (or part of it) to be inspected. In the case of NSA, they propably don't use script ciddies :-)

With Common Criteria one must also carefully check the Security Target of the evaluated product. The ST identifies what was actually tested. Some products are only partially certified. For example Checkpoint has only their engines certified and not the management system. Security Targets are publicly available documents.

I might say that you could rely more on products which are Common Criteria level 4+ certified than level 2 or plain 4. Although some people say that if a product is EAL4+ certified in UK it is same than EAL3 at USA...

according to CommonCriteria.org only two firewalls are now being under evaluation for EAL4+ in USA. Another one is Sidewinder, but I think they have some problems with their evaluation since it has been going on over a year now (See also their press release ). Another one is Stonegate. For this there was no exact information when the evaluation was started, but IIRC it wasn't listed until this summer, or so.

http://www.securecomputing.com/index.cfm?sKey=738

As it turns out, this is the problem child. SCC has a patent on this technology, and seems to have used it in SE Linux

I've got a better idea.

Go here and change the category from "Sex, Extreme" to "Art and Culture".

We must preserve The Goatse for future generations. I'm positive it will go down as the internet equivalent of the Mona Lisa. We cannot allow a few conservatives and their offended sensibilities to block this True Piece of Art and Culture.

Vote early, vote often!

I've got a better idea.

Go here and change the category from "Sex, Extreme" to "Art and Culture".

We must preserve The Goatse for future generations. I'm positive it will go down as the internet equivalent of the Mona Lisa. We cannot allow a few conservatives and their offended sensibilities to block this True Piece of Art and Culture.

Vote early, vote often!

Don't forget to click here and select "Extreme"!

Click here and change the category from "none" to "criminal skills". Don't let your children (or cow-orkers) visit a criminal orgainization!

use this link to request sourceforge removal directly

and

use this to list microsoft.com as hate speech site

use this link to request sourceforge removal directly

and

use this to list microsoft.com as hate speech site

What better time to demonstrate the allmighty power of the /. effect? I suggest pointing your browsers towards The Bastards and egaging the beast.

From their filter checker everyone is talking about after entering the SourceForge URL

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webadmin@securecomputing.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Perhaps your company's block list hasn't been updated. Or your firm doesn't block sites listed under 'mp3'. In any event, go to the search page on their site, and enter sourceforge. You will see that it is categorized as a 'bad' domain. Not only that, but it seems that all domains ending in .sourceforge.net are listed. For example, brewnix.sourceforge.net is listed, (for real. Used the search ~4:35 EDT) and there are no mp3 files or tools available.

It's less bogus than several /. stories of the past.

Here is where you can plug a URL in to see if it gets filtered or not. And indeed, sourceforge turns out to be a wicked MP3-peddler. Oddly enough, freshmeat is not in there yet.

They also have another interesting and potentially more controversial filtering category: "Anonymizer". Try plugging http://www.anonymizer.com into that box on the link above. Thin legal ice, if you ask me.

Or just click here. Thanks for the link. Just submitted my sourceforge.net project page.

Hmm... Why should sourceforge sue? They have maligned me via brewnix.sourceforge.net. I may have a case.

1. Go to the URL and enter "http://www.sourceforge.net" into the 'URL 1' field. Hit 'check URL'

2. The next page should say "http://www.sourceforge.net MP3" if it is still listed.

3. On the dropbox on the right, select 'remove from list' and hit 'send request'

We all know that's not easy enough, so click here, enter sourceforge.net and pick Remove From List from their choices.

His discussion of the legal risks of decrypting these blacklists is fascinating too, and (as he likes to say) "a topic in itself." He would like to open up the source to his SmartFilter-decryption tool but feels the legal risk is too high. How sad is that?

Here's Secure Computing's definition of the "extreme" category, and the examples they give ("Pixman's Vault of Porn Pix", "Bizarre & Maximum Perversion").

You can confirm Seth's findings using Secure Computing's own SmartFilterWhere.
It asks for your name and phone number; you have my permission to make some up. As of December 7, at 9:45 PM EST, that CGI operates with a Control List updated on December 5 and confirms all of Seth's results that I tried. By the time you read this, they may have quickly fixed all the errors he published, loaded in an up-to-the-minute Control List, and proudly announced that their software is now perfect.

His discussion of the legal risks of decrypting these blacklists is fascinating too, and (as he likes to say) "a topic in itself." He would like to open up the source to his SmartFilter-decryption tool but feels the legal risk is too high. How sad is that?

Here's Secure Computing's definition of the "extreme" category, and the examples they give ("Pixman's Vault of Porn Pix", "Bizarre & Maximum Perversion").

You can confirm Seth's findings using Secure Computing's own SmartFilterWhere.
It asks for your name and phone number; you have my permission to make some up. As of December 7, at 9:45 PM EST, that CGI operates with a Control List updated on December 5 and confirms all of Seth's results that I tried. By the time you read this, they may have quickly fixed all the errors he published, loaded in an up-to-the-minute Control List, and proudly announced that their software is now perfect.

Go here and enter the sourceforge URL. On the right, "Suggest a Change" and tell them that it should not be on their list. Make your voice heard!

Take a look at SafeWord:

http://www.securecomputing.com/index.cfm?skey=643

In a nutshell, you install the SafeWord server somewhere, then all your applications/servers/NASes/etc can authenticate against it via Radius, Tacacs, etc.
The one-time passwords are generated via small credit-card-sized tokens; you have to give one token to each user.

Hopefully Secure Computing will lose the contract next year. Apprently the people at Secure Computing feel that the Saudi people do not deserve to have the same freedoms which afford Secure Computing the luxury to do business in the first place. Not only is secure computing not doing anything to promote freedom of information, but Secure Computing has actually agreed to help take the Saudi peoples access to information away. I hope everyone takes the time to let Secure Computing know how you feel about their drive to squelch the free exchange of ideas.

Customer Service service@securecomputing.com

Federal Government Customers
Global: +1.703.761.2060
FAX: +1.703.761.2070
E-mail: govt@securecomputing.com

Hopefully Secure Computing will lose the contract next year. Apprently the people at Secure Computing feel that the Saudi people do not deserve to have the same freedoms which afford Secure Computing the luxury to do business in the first place. Not only is secure computing not doing anything to promote freedom of information, but Secure Computing has actually agreed to help take the Saudi peoples access to information away. I hope everyone takes the time to let Secure Computing know how you feel about their drive to squelch the free exchange of ideas.

Customer Service service@securecomputing.com

Federal Government Customers
Global: +1.703.761.2060
FAX: +1.703.761.2070
E-mail: govt@securecomputing.com

The basics of a censorware program are not complex. To oversimplify a bit, the core of censorware is just looking up a string (the URL) on the censorware's blacklist. That's not hard, from a programming point of view.

You should ignore the PR hype about magic "porn filters" and similar snake-oil. What the censorware companies sell is the (claimed) million-item blacklist, and the work that goes into putting sites on their blacklist.

I will note, however, that the most popular platform for censorware servers seems to be Microsoft ISA server ...

Sig: What Happened To The Censorware Project (censorware.org)

SmartFilterWhere Search Results

SmartFilterWhere(TM) for SmartFilter(TM) V301 confirms that the URL(s) you have entered are currently listed in the SmartFilter V301 Control List Categories shown below.

...

http://slashdot.org Entertainment,Gen. News

Sig: What Happened To The Censorware Project (censorware.org)

Maybe I just skimmed their site too quickly, but what exactly do they do that couldn't be implemented via open source software?

SmartFilter: Way Too Extreme

SmartFilter's Greatest Evils

(sigh, due to politics, I may never get an article in Slashdot again - but in the spirit of the holiday, I'll give thanks for what I had)

Anyway, the major work is not in the censorware program itself, but in compiling the HUGE blacklist.

Sig: What Happened To The Censorware Project (censorware.org)

Where we can make a start is nibbling round the edges - for example proxy server is not included, so we can use Linux and Squid. Except (SFAIK) Squid does not integrate with things like Websense which we need to block sites (nothing draconian - mainly web e-mail to stop viruses and web porn to stop lawsuits).

You may be invested in WebSense, but in case you have the ability to change, you might want to know about SmartFilter for Squid.

Cheers.