Slashdot Mirror


User: magamiako1

magamiako1's activity in the archive.

Stories: 0
Comments: 616

Comments · 616

  1. Re:UltraDefrag (fail) on Essential Open Source Tools For Windows Admins · · Score: 2

    Windows 7 and Vista automatically defragment without user interaction.

    Bonus points: the 7 defragmenter will disable itself on SSDs automatically as well.

  2. Re:UltraDefrag (fail) on Essential Open Source Tools For Windows Admins · · Score: 1

    Yes, free space consolidation is a part of the Vista and 7 defragmenter.

  3. Re:My Picks on Essential Open Source Tools For Windows Admins · · Score: 1

    If you run a business with Windows you should be using Windows 7 Enterprise for any nominal amount of computers. Once you move to Enterprise, you can use Bitlocker, which has FIPS-validated AES256 encryption, integrated into Active Directory, and you have recovery agents available.

  4. Not all of these tools are that useful... on Essential Open Source Tools For Windows Admins · · Score: 1

    Tools I agree with:
    -Wireshark
    -NMAP

    Tools I disagree with:
    -UltraDefrag: Windows Vista and Windows 7 include built-in, very capable, automatic defragmentation tools

    Everything else is on a situational basis and depends largely on your environment. If you've got a massively virtualized system, Virtualbox is not necessary.

  5. Re:Dear Pirate Party: on Pirate Party Wins Seat In Berlin · · Score: 0

    The purpose of a patent is to prevent others from profiting off of your invention, or method of doing something for a finite period of time.
    The purpose of trademark is to ensure that someone cannot mimic your branding, products, or company in an attempt to profit off of people who don't know any better.
    The purpose of copyright is to ensure that others cannot profit off of your work for a finite amount of time.

    The purpose of these 3 things is not to force others to purchase your work if they do not wish to give you money for it.

  6. Thanks to Ressy on Freenode on CRTC Tells Rogers To Stop Throttling Online Gamers · · Score: 2

    If you wish to thank anyone for this, Ressy on Freenode has been spearheading this movement for nearly a year now, having worked closely with Blizzard support staff to uncover the throttling being used as well as worked closely with end users affected by the issue.

  7. Re:Certificate revocation on Apple Criticized For Not Blocking Stolen Certs · · Score: 1

    http://digitaloffense.net/tools/debian-openssl/

    Just saying...

  8. The problem isn't Sony on Sony Hires Former Homeland Security Infrastructure Protection Chief · · Score: 1

    So this brings up an interesting point since it's something I had discussed with a person from the hacking community trying to join ISC2 (@wimremes) and bring more technical aspects to the "Infosec" industry.

    As of right now the "Infosec" industry is dominated by corporate and military pencil pushers and not much else. I'm not exactly sure how they got into that field other than the fact that they got direct training from the US Military security practices (this is also a big reason why the Infosec community is very heavily US dominated).

    But the core reality is that these people, for all intents and purposes, are not technical in nature and have no idea what they're getting into as far as the civilian "wild wild west" internet mentality.

    On the other side of the fence is the far less professional, less formal group of "hackers". These guys aren't really taken seriously by the professional community, but in general are the source of the kinds of things that Lulzsec and Anonymous do.

    I know Wim had talked about wanting to try and come up with a solution to help bring both communities together not only at a professional level but a certification level. I'd recommend any ISC2-certified individuals to nominate him so we can try to bridge the gap.

  9. Re:Infecting Windows -- Too Easy on New Worm Morto Using RDP To Infect Windows PCs · · Score: 1

    You can configure smart card authentication for Windows RDP.

  10. Re:Poor Passwords are the problem on New Worm Morto Using RDP To Infect Windows PCs · · Score: 1

    Again, re-read a previous post of mine:

    Account Lockout policies. Same difference using "fail2ban" with SSH that so many people use to "secure" their Linux boxes.

    What we're down to isn't an argument against RDP, we're arguing over password vs key-based authentication and data integrity.

  11. Re:Poor Passwords are the problem on New Worm Morto Using RDP To Infect Windows PCs · · Score: 1

    I've known a ton of small businesses that leave RDP exposed. Many leave VNC exposed as well (which can be even more dangerous if you don't understand encryption and authentication).

    I've argued with people on IRC that leave entire POS systems exposed via VNC to the internet.

    It's deplorable, but fairly common. And there's nothing particularly wrong with leaving it exposed if you configure it properly. A VPN provides more peace of mind, of course, since you get all the benefits that come with private keys, etc. Not to mention you can encrypt your channel with AES versus RC4 (in FIPS mode you get 3DES).

  12. Re:Infecting Windows -- Too Easy on New Worm Morto Using RDP To Infect Windows PCs · · Score: 5, Informative

    This has nothing to do with "hacking windows". This has everything to do with brute forcing passwords.

    This same thing can happen with SSH, FTP, and any other service that uses password authentication.

    In Linux, you install "fail2ban" to slow down brute force attempts.

    In Windows, you use secpol.msc > Account Policies > Account Lockout Policy to accomplish the same task.

    In all systems, you use more complex passwords or two-factor authentication to avoid this.

    PS: This is only affecting idiots.

  13. Re:Poor Passwords are the problem on New Worm Morto Using RDP To Infect Windows PCs · · Score: 1

    A lot of people leave these services open, particularly for managed IT for small businesses (small practices, etc.)

    RDP itself is encrypted with RC4 by default, and gets AES if you use FIPS mode.

  14. To all the "the shuttle program sucked!" on Russian Resupply Crash Could Mean Leaving ISS Empty · · Score: 1

    Space X has yet to put a man into space. Period.

    Keep that in mind before saying how "useless" "overfunded" "wasteful" the NASA Shuttle and Constellation programs were.

  15. Re:Correct me if I'm wrong on Serious Crypto Bug Found In PHP 5.3.7 · · Score: 1

    TLDR: "In this case, the salt generation prevents the generation of usable rainbow tables."

  16. Correct me if I'm wrong on Serious Crypto Bug Found In PHP 5.3.7 · · Score: 1

    I've seen a few people here note the fact that "salts" are used to add complexity to a password where no complexity exists. I believe this is incorrect, or at the very least not entirely the truth.

    Many are assuming that the salt is something that wouldn't be compromised, i.e.

    $SITE_SALT = 'LULZYOUCANTGUESSTHIS';
    // "." concatenates strings in PHP; "+" is numeric addition
    $HASH = MD5($SITE_SALT . $PASSWORD);

    I think this is a bit of a misunderstanding. The salt is not necessarily intended to be a secret value unless you can ensure the security of that value, that is the salt is never revealed unless fully guarded (you have a hidden, ultra secure password hashing mechanism that keeps the salt out of the hands of the system).

    In this case, I use mcrypt_create_iv() to generate from /dev/urandom (VPS machine...) and then MD5 that to get a usable salt, then use CRYPT() with its default of 5000 rounds to hash the password via SHA512.

    In this case, the salt generation prevents the generation of usable rainbow tables. This does not stop dictionary attacks, but the added rounds of hashing increase the complexity for brute force attacks.

    TLDR: ENFORCE PASSWORD COMPLEXITY, USE ENCRYPTION OR MANY ROUNDS OF HASHING, AND USE A UNIQUE SALT PER PASSWORD.
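
The contrast drawn in comment 16, as an added example that is not part of the original comment or the commenter's code: a single site-wide salt with one MD5 pass beside a fresh random salt per password fed to SHA-512 `crypt()` with an explicit rounds count. The function names and sample accounts are constructed, and `random_bytes()` (PHP 7+) is swapped in for the `mcrypt_create_iv()` call the comment mentions.

```php
<?php
// Added illustration; function names and sample data are constructed.

// Pattern the comment argues against: one site-wide salt, one fast hash.
function site_salt_hash(string $password): string {
    $siteSalt = 'LULZYOUCANTGUESSTHIS';      // value quoted in the comment
    return md5($siteSalt . $password);
}

// Pattern the comment recommends: unique random salt per password,
// SHA-512 crypt ($6$) with the rounds count stated explicitly.
function per_user_hash(string $password, int $rounds = 5000): string {
    // 8 random bytes -> 16 hex characters, the maximum salt length for $6$.
    $salt = bin2hex(random_bytes(8));
    return crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt));
}

// crypt() re-reads algorithm, rounds and salt from the stored string, so the
// salt is stored in the clear next to the hash and needs no secrecy.
function verify_password(string $password, string $stored): bool {
    return hash_equals($stored, crypt($password, $stored));
}

// Constructed sample: two accounts that happen to share a password.
$users = ['alice' => 'Summer2011', 'bob' => 'Summer2011'];

$siteWide = array_map('site_salt_hash', $users);
$perUser  = array_map('per_user_hash', $users);

// Site-wide salt: identical passwords give identical hashes, so one table
// computed against the leaked salt covers every account at once.
var_dump($siteWide['alice'] === $siteWide['bob']);            // bool(true)

// Per-password salt: the same password hashes differently per account, so
// any precomputation has to be redone for each stored salt.
var_dump($perUser['alice'] === $perUser['bob']);              // bool(false)

// Verification still works because the salt travels with the hash.
var_dump(verify_password('Summer2011', $perUser['alice']));   // bool(true)
var_dump(verify_password('Winter2011', $perUser['alice']));   // bool(false)

// The stored value shows what an attacker with the database sees:
// $6$rounds=5000$<16-char salt>$<86-char digest>
echo $perUser['alice'], PHP_EOL;
```
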

  17. Re:Tragic... on Former Wikileaks Spokesman Destroyed Documents · · Score: 1

    A modern day libertarian in my book is extremely conservative. Technically, they're not anarchist as they do want a form of government, just *their* form of government.

  18. Re:One-sided propaganda on Verizon Employees End Strike · · Score: 1

    Like many of the people in these comments, apparently.

  19. Re:And the others..? on Verizon Employees End Strike · · Score: 4, Insightful

    It's amazing, isn't it? The reason is that they've successfully taught people that they too can be millionaires. Little do they know that class jumping is NEARLY impossible.

  20. Re:Pack of LIES on S&P's $2 Trillion Math Mistake · · Score: 1

    Truer words probably won't be seen in any other section on this thread.

  21. Re:It speaks volumes that we all believed it on AptiQuant Browser/IQ Study Was Likely a Hoax · · Score: 1

    Was the average IQ on the report really at 80? That's quite a bit low for any sort of real "study", lol. There are people with high IQs that don't know jack shit about computers and may be using IE for the simple fact of internal business use, and nothing more.

  22. Re:It speaks volumes that we all believed it on AptiQuant Browser/IQ Study Was Likely a Hoax · · Score: 1

    Just me and my action figures, unfortunately.

  23. Re:It speaks volumes that we all believed it on AptiQuant Browser/IQ Study Was Likely a Hoax · · Score: 1

    You act as if a simple, one-line statement made on a comment forum is the best representation of my personal character. It was obviously more of a generalization. I make no claims as to how much or how little knowledge I have or don't have in the grand scheme of things. Just that, for all intents and purposes, amongst the circles that I have, it's generally pretty solid, or at the very least a bit more developed in certain areas.

    I take it all in stride.

  24. Re:It speaks volumes that we all believed it on AptiQuant Browser/IQ Study Was Likely a Hoax · · Score: 0

    I use IE. I'm one of the smartest IT people in my circles, and when I speak, people listen. I'm fairly humble about what I'm capable of for the most part and almost never flaunt this. You will almost never hear me say one OS is better than the other, the most you will hear me say is "I like the way they do this particular feature more than it's done in other operating systems."

    I'm posting this from IE9 right now, on a Windows laptop.

    *USERS* in general are stupid. You could put Firefox or Chrome in front of them all the same and that doesn't make them more or less intelligent than if they used IE.

    More importantly, the zealots out there are even more dumb. I can take dumb users who don't know what they're doing. It's not their job to know how computers work. I've learned to deal with them. It's the people who act like they know better, and in some cases, should know better, that I have a problem with.

  25. Re:Wireless = National, Wired = Local on Senators Taking Sides In AT&T/T Mobile Merger · · Score: 4, Informative

    There's still comparatively heavy competition in most markets for wired communications services.

    ^What? There is *no* competition in "most markets" for wired communication. None. Zero. Nada. There's so much conspiring to work against it that it's sickening. MOST wired "competition" is merely reselling connections from the larger providers in a way to lower the cost through the purchase of bulk bandwidth. As an example in Canada, Rogers and Teksavvy.

    AT&T and Verizon are known to do this in the US as well with small providers.