Slashdot Mirror


User: DangerTenor

DangerTenor's activity in the archive.

Stories: 0
Comments: 85

Comments · 85

  1. Well let's see... on Friendships in the IT Workplace? · · Score: 1

    If you don't know anything about your coworkers, or if you don't have any interaction with them outside of work, you have a PROBLEM! First of all, going out for a beer or going to a party at a coworker's house has advantages in your work relationship too! Geez. Every once in a while I think that I must not really be a geek because I'm not as completely socially incapable. It is IMPORTANT to interact with other human beings, OUTSIDE of q3 games. The continuation of our species is somewhat dependent upon it!

  2. Re:Hold on a minute... on Tracking A Thief Via The Sircam Virus? · · Score: 1

    Well the quote I was replying to was "If he was using linux, the thief couldn't have been able to even use the computer"

    No sh*t that he was using Windows, and that's the only thing that's giving him a chance to get the machine back. However, it's not like if he had stolen a Linux box it would have been a brick to him - he could still get root and do whatever he pleased with the computer.

  3. Re:Hold on a minute... on Tracking A Thief Via The Sircam Virus? · · Score: 1

    WRONG! You can't protect it if it's physically in the thief's hands. Even if you make it so the password can't be changed in single-user mode, they can just boot a floppy. Even if you put a password on the BIOS and disable the use of the floppy drive, they can still short the clear-BIOS jumper and dump the password. Physical security is paramount with PCs. No OS is safe.

  4. Hoax? Did you read the f*#*& article?!? on Is Carpal Tunnel Syndrome A Hoax? · · Score: 1

    Like many other folks here, I had problems with RSI such as carpal tunnel syndrome, and have had improvements to my keyboard/desk/mouse/etc which have improved my situation.

    The article said nothing about a hoax, but rather that it was real pain introduced by the brain but perhaps without physical cause. A hoax would have an entirely different meaning; in that people didn't feel pain and were claiming RSIs to "MAKE MONEY FAST". This isn't the case.

  5. I keep reading it wrong on NASA Wants To Invade Mars With Glowing JellyPlants · · Score: 2

    ...and I wonder where I can buy glowing jellypants.

  6. Re:All PKI suffers from this on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 1

    There are other ways to handle CRL checking than the use of CRL DPs. I agree that the CRL DP situation was poorly handled by Entrust (my company was bought by Entrust roughly one year ago) but I've personally been developing PKI software for five years now, and never required the presence of CRL DP. Of course, I usually had a default directory and/or OCSP responder I could rely on :) It would be tough to configure a few global internet directories... but at the same time, Microsoft could at least have defaulted to check Verisign's directory.

  7. Re:All PKI suffers from this on Don't Trust Code Signed by 'Microsoft Corporation' · · Score: 2

    All PKI does not suffer from this. All poorly implemented PKI does. Microsoft is in a very difficult situation here, and this is why:

    Verisign issued a certificate containing the Microsoft name, which it should not have. Most likely this is human error. This kind of thing happens all the time, from the innocuous (name misspelled) to the not-so-good (name of summer intern happens to be the same as the CEO). PKI has revocation options, including certificate revocation lists (CRLs) and online certificate status protocol (OCSP) to handle the case in which you want to stop trusting a certificate that you issued.

    So, Verisign issues the certificate, realizes that the dude doesn't work for Microsoft, and then revokes the certificate and calls Microsoft. Verisign has done their duty here, and although they get some of the blame for the initial certification, they have issued a revocation list containing these certificates. Verisign has now done its job.

    Unfortunately, Microsoft has crappy PKI capabilities in their products. It wasn't until Internet Explorer 5 that they could handle CRLs at all, and that's only in the case where the CRL is available over the web (HTTP:) and the certificate contains a pointer to its CRL (called a CRL distribution point or CDP).

    So, Microsoft's difficult situation is that they must now patch the client software on EVERY Microsoft client that uses Microsoft Crypto API (including IE, Office, and Win2K to name a few) in order to add this new CRL and be able to check it. If their PKI was able to check an OCSP responder at Verisign, or always knew that they could get Verisign CRLs from ldap://ldap.verisign.com, they wouldn't have to issue this press release and a patch at all.

    --Peter

    DISCLOSURE: I work for Entrust Technologies, a company which makes PKI software that does not suck.
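
The revocation lookup gap described in the comment above, as an added example that is not part of the original post or any vendor's code: a client that can only find a CRL through an http: CDP in the certificate is compared with one that also has a default CRL source configured per issuer. The CA name, URLs, serial numbers and the assumption that the revoked certificate carries no CDP are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    cdp: Optional[str] = None  # CRL distribution point URL, if the CA included one

# Constructed sample data: CRL location -> set of revoked serial numbers.
PUBLISHED_CRLS = {
    "http://crl.example-ca.test/ca.crl": {0x1001},
    "ldap://directory.example-ca.test/cn=Example CA": {0x1001, 0x2002},
}

# Hypothetical client configuration: issuer -> default CRL source.
DEFAULT_SOURCES = {"Example CA": "ldap://directory.example-ca.test/cn=Example CA"}

def fetch_crl(url):
    """Stand-in for a network fetch; returns revoked serials or None."""
    return PUBLISHED_CRLS.get(url)

def check_cdp_only(cert):
    """Client that can locate a CRL only via an http: CDP in the certificate."""
    if cert.cdp is None or not cert.cdp.startswith("http:"):
        return "unknown"  # no way to find the CRL, even though one exists
    crl = fetch_crl(cert.cdp)
    if crl is None:
        return "unknown"
    return "revoked" if cert.serial in crl else "good"

def check_with_defaults(cert, defaults=DEFAULT_SOURCES):
    """Client that tries the CDP first, then a default source for the issuer."""
    for url in filter(None, (cert.cdp, defaults.get(cert.issuer))):
        crl = fetch_crl(url)
        if crl is not None:
            return "revoked" if cert.serial in crl else "good"
    return "unknown"

def accept(status, fail_closed):
    """Trust decision: a soft-fail client treats 'unknown' as acceptable."""
    return status == "good" or (status == "unknown" and not fail_closed)

# Constructed certificate: revoked by the CA, but issued without a CDP.
MISISSUED = Cert(issuer="Example CA", serial=0x2002)

if __name__ == "__main__":
    print("CDP-only client:", check_cdp_only(MISISSUED))
    print("Client with default source:", check_with_defaults(MISISSUED))
```

A CDP-only client that soft-fails accepts the revoked certificate, which is why it needs a patch to learn about the revocation; the client with a default source rejects it from the CA's published CRL alone.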

  8. From a security evaluation laboratory... on Certifying Software As Secure? · · Score: 1

    The company I work for, CygnaCom Solutions, is in the business of performing security-related evaluations. We perform different evaluations, including:

    • TCSEC ("Orange Book"), a somewhat outdated U.S. Gov't standard for evaluating trusted systems to see how they comply with requirements along the lines of 4 general areas: security policy, accountability, assurance, and documentation.
    • Common Criteria, an internationally recognized grammar for stating security functionality and assurance requirements that is rapidly taking the TCSEC's place.
    • FIPS 140-1 and FIPS 140-2, a U.S. Gov't standard for testing cryptomodules (hardware and software) for a level of assurance.

    We could probably arrange some sort of more detailed discussion of what these standards are, how the testing is done, and what good it does, if there is sufficient interest.

  9. there are other bird and fog questions on Fiberless Optical Networks · · Score: 1

    like can your lasers take down a flock of birds...

  10. Use it to do things you cannot! on What Should One Look For in Colocation Services? · · Score: 1

    One advantage of some colocation services is that they provide services that you are prevented from providing due to either space, geographic, or financial constraints. Such things as redundant power supplies, hot-swappable servers, secure facilities, cooling systems, connections to multiple top tier ISPs, etc. If you're not getting at least some of those services, keep looking around.