If theyre targetting you specifically, they will do such a slow scan, and be changing IPs. Changing the port is enough to lower your profile and make you less conspicuous, but its not a serious safeguard.
It is already possible to do something like "after 10 failed attempts in 2 minutes, lock account for 5 minutes". Very unlikely to be an inconvenience, but good luck bruteforcing @ 1 attempt every 12 seconds.
It does raise the potential for a type of administrative DDOS, of course, but presumably knowing that there is an attack is better than not knowing.
You could also simply do a static port mapping, if your firewall/router supports it, to change which external port is natted to your server. Tends to be a lot easier than trying to keep track of scads of servers and which port is which pc.
But generally, if im allowing straight up RDP access to the server, there is a strong password in place; changing the port wont stop a detailed scan, which would pick up "RDP" pretty quick. Theres not much substitute for a good password, port changing just stops simple worm attacks.
Having access to the commandline =/= privilege esclaation.
Care to explain how you can go from "domain user" or "Remote user" to "domain administrator", with commandline access, on server 2003 or server 2008? Im sure a LOT of people would be interested to hear this.
Being infected doesnt mean that it happened because of an opened port 3389. I have never heard of an exploit that can run arbitrary code simply due to an open RDP listener. I would imagine such a thing to be possible on VNC far before RDP, given the attention to security that RDP has gotten over the last 10 years.
The security model of the browser and related plugins are generally more in charge of whether or not your machine gets infected, than the security of the OS itself. Once arbitrary code is running on your machine, uncontrolled, its kind of a moot point anyways. The browser is in charge of making sure that HTML and JS cant DO arbitrary things.
It should be noted that that principle in no way empowers legislators to gag free speech; it only empowers schools and institutions to set rules for the kids.
Sorry for double post-- even minors have all the protections in the first amendment; there have been court battles over it and the one exception I am aware of (other than "imminent danger") is that children WHILE THEY ARE AT SCHOOL are assumed to be under the "parental supervision" of the school-- the teachers receive some degree of the authority that the parent has, including the right to ask students to be silent.
However, I do not believe the courts have EVER allowed a law that silences "free speech" of students extracurricularly.
Um, the first amendment is directed explicitly at legislatures, NOT a parent with their child. The child is not GRANTED rights in the Bill of Rights; simply given protections that Congress (and state legislatures) will not violate assumed rights.
There is nothing in the BoR or Constitution that says that a store-owner may not impose a "no talking" restriction on its patrons, or that you may not control who may talk to your daughter.
Its a common misconception that the 1st amendment means "you can say what you want". It only says "neither congress (nor state legislatures) may prevent you from saying what you want"; the two are very different. In this case, a state legislature WAS attempting to control who could say what, and on "former students" after they had become "of age" to boot. This is the parent's responsibility, and the state has no authority to do such a thing.
Every product you buy is in general cheaper to begin with because of the system we have, and you have more money because of it. Look at 90% of the systems that other countries have, and how much buying power their average person has, and then try to tell me how awful we have it here.
A government which doesn't give bailouts probably has to be one which doesn't allow bailouts to become necessary
Thats a lot easier to do when it never considers "bailing out a failing, faulty company" an option. All a bailout did was validate a bad model as workable.
Whatever pain it may have caused-- and Im not sure the full extent of how bad it could have been-- part of me still thinks we should have let all the big companies fall, and let that be a lesson about "bad practices" to the companies remaining. That is of course only half-serious, as I dont really understand what the implications would have been.
What the heck is Mozilla syndrome? What does Mozillas new software development model even have to do with a decision in Linux not to support ancient hardware?
Just avoid the 'Windows Tailpipe Fume Chasing' options that insist that configuration has to be done using X11.
Generally I agree with the idea that bash is better (I wince when IBM devs tell me I need to fire up the AIX GUI to run configuration; I'll take smitty, thanks); but there ARE things that are done far better through a GUI, or are much easier at 2 in the morning when you just for example want to create a new user in Active directory and you dont want to have to type out the full AD path to the OU where you want the user.
Whats that old saying about hammers and seeing everything as a nail?
In today's networked world there unfortunately isn't much choice but to stay on the software upgrade treadmill/quote? Explain to me why Win2k with Opera 10.5 would be insufficient to browse the web?
Peppermint or Puppy would also have been good choices. They aim (especially Puppy) to be a simple, but very lightweight distros. Puppy feels a little foreign because of the WM it uses, but Peppermint feels natural to this Gnome user even tho its not using Gnome. Everything feels intuitive, and very fast.
For REALLY old machines (2003 and prior), Puppy linux works wonders. Entire distro is under 100m, and the OS boots entirely to RAM even on a machine with under 100MB of ram.
Someone tasked me with getting a 98-2000 (i think) laptop set up and useable, so I put puppy on there and installed Opera browser (with is also wonderful for such old, crappy machines). The thing worked pretty darn good for 96MB of ram and a Pentium 2 (or whever awful processor it had). The alternative, of course-- Windows ME (what it was licensed for)-- really wasnt something I would put anyone through.
Generally, if theyve lost, theyre not big CEOs, and their company fails. If Tesla Motors doesnt deliver and fails to have a workable business plan, the entire design of capitalism dictates that they will either be a gigantic drain on some investor's wallet (and Im sure the economy thanks them for their donation), or the company will crumble and Musk will be out of work.
Someone has to lose, and right now that is the rest of us.
If youre worried about encrypting the contents of RAM, youre trying to protect against an attack which needs far more physical access than booting off of a CD and loading a malicious MBR onto the drive.
The massive, gigantic problem with all of this is that "weakest link" applies here. Theyre not going to wait for you to turn off your compter and walk away so they can do a RAM dump, theyre simply going to modify your bios or bootloader or insert a keylogger inbetween the keyboard and motherboard, and find out your passphrase.
So at the end of the day TRESOR and all the rest is wonderful, but it doesnt prevent the hardware from being tampered with except in the most theoretical and irrelevant manner.
Question: Wouldnt sticking the RAM into another computer be a MASSIVE risk, given the POST ram checks etc, and the fact that you really dont know what parts of RAM the boot CD will overwrite?
It is a theoretical possibility and has been shown to be possible.
If he is referring to "putting the RAM into another PC" and "booting from the ram", hes full of crap and isnt qualified to defend against these attacks. Every theoretical attack I have heard of relies on specialized hardware to read the RAM without altering it.
If theyre targetting you specifically, they will do such a slow scan, and be changing IPs. Changing the port is enough to lower your profile and make you less conspicuous, but its not a serious safeguard.
It is already possible to do something like "after 10 failed attempts in 2 minutes, lock account for 5 minutes". Very unlikely to be an inconvenience, but good luck bruteforcing @ 1 attempt every 12 seconds.
It does raise the potential for a type of administrative DDOS, of course, but presumably knowing that there is an attack is better than not knowing.
You could also simply do a static port mapping, if your firewall/router supports it, to change which external port is natted to your server. Tends to be a lot easier than trying to keep track of scads of servers and which port is which pc.
But generally, if im allowing straight up RDP access to the server, there is a strong password in place; changing the port wont stop a detailed scan, which would pick up "RDP" pretty quick. Theres not much substitute for a good password, port changing just stops simple worm attacks.
Having access to the commandline =/= privilege esclaation.
Care to explain how you can go from "domain user" or "Remote user" to "domain administrator", with commandline access, on server 2003 or server 2008? Im sure a LOT of people would be interested to hear this.
Being infected doesnt mean that it happened because of an opened port 3389. I have never heard of an exploit that can run arbitrary code simply due to an open RDP listener. I would imagine such a thing to be possible on VNC far before RDP, given the attention to security that RDP has gotten over the last 10 years.
Youre reading vast statements into my post that were never made.
The security model of the browser and related plugins are generally more in charge of whether or not your machine gets infected, than the security of the OS itself. Once arbitrary code is running on your machine, uncontrolled, its kind of a moot point anyways. The browser is in charge of making sure that HTML and JS cant DO arbitrary things.
THank you, that is what I was looking for.
It should be noted that that principle in no way empowers legislators to gag free speech; it only empowers schools and institutions to set rules for the kids.
Um, that IS what 4pm means.
Sorry for double post-- even minors have all the protections in the first amendment; there have been court battles over it and the one exception I am aware of (other than "imminent danger") is that children WHILE THEY ARE AT SCHOOL are assumed to be under the "parental supervision" of the school-- the teachers receive some degree of the authority that the parent has, including the right to ask students to be silent.
However, I do not believe the courts have EVER allowed a law that silences "free speech" of students extracurricularly.
Um, the first amendment is directed explicitly at legislatures, NOT a parent with their child. The child is not GRANTED rights in the Bill of Rights; simply given protections that Congress (and state legislatures) will not violate assumed rights.
There is nothing in the BoR or Constitution that says that a store-owner may not impose a "no talking" restriction on its patrons, or that you may not control who may talk to your daughter.
Its a common misconception that the 1st amendment means "you can say what you want". It only says "neither congress (nor state legislatures) may prevent you from saying what you want"; the two are very different. In this case, a state legislature WAS attempting to control who could say what, and on "former students" after they had become "of age" to boot. This is the parent's responsibility, and the state has no authority to do such a thing.
Every product you buy is in general cheaper to begin with because of the system we have, and you have more money because of it. Look at 90% of the systems that other countries have, and how much buying power their average person has, and then try to tell me how awful we have it here.
But it would have been terrible for the US.
Propping up a bad, unable-to-hold-its-own company is better?
A government which doesn't give bailouts probably has to be one which doesn't allow bailouts to become necessary
Thats a lot easier to do when it never considers "bailing out a failing, faulty company" an option. All a bailout did was validate a bad model as workable.
Whatever pain it may have caused-- and Im not sure the full extent of how bad it could have been-- part of me still thinks we should have let all the big companies fall, and let that be a lesson about "bad practices" to the companies remaining. That is of course only half-serious, as I dont really understand what the implications would have been.
What the heck is Mozilla syndrome? What does Mozillas new software development model even have to do with a decision in Linux not to support ancient hardware?
Just avoid the 'Windows Tailpipe Fume Chasing' options that insist that configuration has to be done using X11.
Generally I agree with the idea that bash is better (I wince when IBM devs tell me I need to fire up the AIX GUI to run configuration; I'll take smitty, thanks); but there ARE things that are done far better through a GUI, or are much easier at 2 in the morning when you just for example want to create a new user in Active directory and you dont want to have to type out the full AD path to the OU where you want the user.
Whats that old saying about hammers and seeing everything as a nail?
In today's networked world there unfortunately isn't much choice but to stay on the software upgrade treadmill/quote?
Explain to me why Win2k with Opera 10.5 would be insufficient to browse the web?
Peppermint or Puppy would also have been good choices. They aim (especially Puppy) to be a simple, but very lightweight distros. Puppy feels a little foreign because of the WM it uses, but Peppermint feels natural to this Gnome user even tho its not using Gnome. Everything feels intuitive, and very fast.
For REALLY old machines (2003 and prior), Puppy linux works wonders. Entire distro is under 100m, and the OS boots entirely to RAM even on a machine with under 100MB of ram.
Someone tasked me with getting a 98-2000 (i think) laptop set up and useable, so I put puppy on there and installed Opera browser (with is also wonderful for such old, crappy machines). The thing worked pretty darn good for 96MB of ram and a Pentium 2 (or whever awful processor it had). The alternative, of course-- Windows ME (what it was licensed for)-- really wasnt something I would put anyone through.
win, lose or draw
Generally, if theyve lost, theyre not big CEOs, and their company fails. If Tesla Motors doesnt deliver and fails to have a workable business plan, the entire design of capitalism dictates that they will either be a gigantic drain on some investor's wallet (and Im sure the economy thanks them for their donation), or the company will crumble and Musk will be out of work.
Someone has to lose, and right now that is the rest of us.
Im not clear, how are they taking my money?
If youre worried about encrypting the contents of RAM, youre trying to protect against an attack which needs far more physical access than booting off of a CD and loading a malicious MBR onto the drive.
The massive, gigantic problem with all of this is that "weakest link" applies here. Theyre not going to wait for you to turn off your compter and walk away so they can do a RAM dump, theyre simply going to modify your bios or bootloader or insert a keylogger inbetween the keyboard and motherboard, and find out your passphrase.
So at the end of the day TRESOR and all the rest is wonderful, but it doesnt prevent the hardware from being tampered with except in the most theoretical and irrelevant manner.
Those people arent using Ubuntu, though, thats the really absurd thing.
Question: Wouldnt sticking the RAM into another computer be a MASSIVE risk, given the POST ram checks etc, and the fact that you really dont know what parts of RAM the boot CD will overwrite?
It is a theoretical possibility and has been shown to be possible.
If he is referring to "putting the RAM into another PC" and "booting from the ram", hes full of crap and isnt qualified to defend against these attacks. Every theoretical attack I have heard of relies on specialized hardware to read the RAM without altering it.