Re: If it changes the Unix/Linux security model, fi (on Analyzing Palladium) · Score: 0, Offtopic
What the hell does local root access have to do with network security?
Especially since just about everything under Windows runs at or about what would be root level? Access control lists just dumb down the control panels. At least in Unix when I say that something is running in user space IT REALLY RUNS IN USER SPACE.
Hardware based security is bunk (on Analyzing Palladium) · Score: 2, Insightful
So how precisely are you supposed to know, across a network, that the signals you are receiving come from a chip or come from a piece of software emulating a chip?
And how do you patch hardware when you find, 6 months in, that there is a flaw? This is a giant step backward in technology, designed to make people go out and buy yet more useless crap for their computers.
And when was the last time you have heard of the FAA stringing Fiber-Optic cable between LA and NY? Dude they piggy back on the national TELCO carriers! These TELCO carriers also route internet traffic, sometimes across the same switches. (In fact, the reason why NY and NJ got telephone service back so fast is because the TELCOs routed a lot of voice traffic across the internet.)
As far as bringing down the root DNS servers, that is easier said than done. Can you remember the last time the DNS root servers were ever all down? One time? At all? Even accidentally? And even if they did, most critical stuff uses host tables or hard-coded IP addresses.
The internet has no single point of failure. Business keeps trying to insert one. Governments keep trying to insert one. They have been trying for 10 years, and they haven't found one.
Re: What about the Air Gap (on Cyber-Attacks?) · Score: 1
Yes, but in the same breath they utter "Why was that on the internet" they also say, "Oh but it is such an antiquated system!"
Like it or not, the internet is increasingly becoming the switching and interconnection system of choice. When properly designed, systems on the internet have many advantages over running, and maintaining, your own long-haul data transmission lines.
Even when you aren't going over the internet directly, have you ever heard of the Department of Long-Distance Telecommunications? They don't exist. To be able to get systems to talk to each other in different cities, every system ends up going through some telecommunications company's switching network.
And where the telco switches overlap the internet, that's where we have a problem.
The solution would cost more than you or I would be willing to pay for. Everyone forgets that every project is on a budget.
Actually, the Navy was so disturbed by the Kamikaze, modern warships still have weapons designed to thwart them.
Did you ever tour a Battleship or destroyer? Did you ever notice the Phalanx gatling gun that is mounted high up on both sides of the ship?
It's designed to hit an incoming target with so much kinetic energy that it will literally be pushed away from the ship, and disintegrated. It re-trains on the target every blink of an eye.
What really put the bee in the American bonnet was the stamp tax. The exact details escape me, but the parallels between the Stamp Act and the new Software Assurance program are startling.
Think about it, Parliament wanted to bill the colonists for every legal document, license, contract, pamphlet, and even playing card (MS Solitaire?). The Bill was passed without any feedback or representation of the customer.
You want to talk about history repeating itself, look no further.
In Philadelphia we have a Folk Festival that has been running for 40 years. Basically 40,000 people pile onto a farm for a long weekend. Since it's in the middle of po-dunk PA, a few thousand folks camp in the field next door. (Trailers and RVs are allowed.)
I mean, pop up the folk singers and toss up a few talking heads. Replace the smoothie stand with some ultra-caffeinated beverages, and throw up some wireless internet (oh wait, they already do that...) and you have something cheap and OH so scalable.
Special discount for folks who try to pass their hatchbacks off as "Heavy Camping".
Why bitch about the price of a hotel. Most major cities have a campground nearby. My wife and I love using that trick to stay in, say, Williamsburg for $10/day. Of course, you do need a tent, but you can pick up a decent one at Walmart for $40.
I run the network at the Franklin Institute Science Museum. One item we have to contend with is the rather destructive nature of computer users in a public access setting.
We are in the process of replacing Windows-based kiosks with Linux. We were finding it is far too easy to destroy a Windows installation, even when locked down to the point of being unusable. (We even went so far as to fabricate a plexiglas cover to block the control keys, F keys, and number pad.) We have not had a single problem with the Linux machines. We even had one set up as a survey kiosk, with a standard unprotected keyboard.
The main difference is that everything in Linux must be turned on, from Ctrl-Alt-Delete on up. Also, at least with RedHat, anything that requires mucking with the system through the X interface also requires the Root password.
If you are looking for some tips on how to set up a lab, and what sort of policies to enforce, the Unix System Administrator's Handbook is chock full of really nifty practical tips and anecdotes. I use my copy daily.
I run a 200-person Windows network and would trade it in a second for Linux. First and foremost: Windows is NOT all that easy to use. Our help desk has to do just about everything for our users, from setting up printers to bailing their asses out of locked programs. People do not know Windows nearly as well as the industry would have us believe. (Or MS Office, for that matter. If I get one more request for a manual I am going to scream.)
As far as programs they are going to want to use:
Mozilla makes a great Mail and Web client. Plus the interface is wonderful, consistent, and can be upgraded over an entire network with a shell script.
Office Applications. MS Office, while widely used, is not very well understood by the common user. As long as you can provide something that will read Office documents, print, and spell check, they will barely notice. I have all of 5 users who know how to do more than spell check in Word. 3 of them work for the Help Desk.
Beyond that are games and annoyances like Instant Messaging and (grrr) Bonzi Buddy. Do you really want people tying up workstations with that?
Nah, I say whatever does the job with the tools you know how to use. Rock on!
We just happened to use it to manage TCL scripts and config files for a cluster of Linux servers, kiosks, and a cute little intranet app for Windows. It just so happens that we use MySQL. Use whatever works in your environment.
It is far better to deliver quietly than to fail loudly. Just look how excited everyone is about Mozilla. It's here. It works. Everyone feels like they took part in it. All it has to do is work 9 times out of 10 and we will be pleased as punch.
I'm looking at the list of suspects, and none of them strike me as being capable of pulling it off.
Then again, if you asked me 10 years ago if I would be running my data center off of an operating system written by a grad student in his spare time, I would have said that was crazy too.
Here's hoping. Or Hyping. In any case, It's fun to have a ringside seat.
Since you are tracking binary files, CVS is the wrong tool. (It's great for ASCII so you can see the differences in source files.)
What you are looking for is something to just keep the different versions straight. A few shell scripts (Tcl/Tk works on Mac/PC/Unix) and an SQL database (MySQL also works on Mac/PC/Unix) are all that are required. Ok, a scripting language, an SQL database, and a central file store.
You add new files via a checkin script. The checkin script creates a simple naming convention. (I start at [thefilename].zero and work up.)
The [pick your] SQL database gives you a little more information than something file-based. For instance, say you yank a file, but don't want to extinguish it. You simply mark it as deprecated in your tables. Say you need a certain version of each file for a demo. You link them together into a "Release".
Again, this approach is primarily for binary data where you don't care about the differences between files, but you do care about keeping distinct versions.
Is the implementation involved: yes, but only slightly more than trying to adapt off-the-shelf tools.
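Here is an added example of the scheme the post describes (checkin script, numbered copies in a central store, a table that can mark a version deprecated or pin versions into a release); it is not the poster's own scripts. It assumes a directory as the file store, SQLite standing in for MySQL, version suffixes counted from 0 (the post's ".zero"), and adds a SHA-256 per version so a stored blob can later be checked for tampering.

```python
# Added example (not the poster's scripts): a small binary-file version store in
# the spirit of the post above. Assumes a directory as the central file store,
# SQLite in place of MySQL, versions numbered <name>.0, <name>.1, ... and a
# SHA-256 per version (my addition) so a stored blob can be checked for tampering.
import hashlib
import shutil
import sqlite3
from pathlib import Path

SCHEMA = """
CREATE TABLE IF NOT EXISTS versions (name TEXT, ver INTEGER, sha256 TEXT,
    deprecated INTEGER DEFAULT 0, PRIMARY KEY (name, ver));
CREATE TABLE IF NOT EXISTS release_items (release TEXT, name TEXT, ver INTEGER);
"""

class Store:
    def __init__(self, root, db_path=":memory:"):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.db = sqlite3.connect(db_path)
        self.db.executescript(SCHEMA)

    def checkin(self, src):
        """Copy src into the store as <name>.<n>, record its hash, return n."""
        name = Path(src).name
        top = self.db.execute("SELECT MAX(ver) FROM versions WHERE name=?",
                              (name,)).fetchone()[0]
        ver = 0 if top is None else top + 1
        dest = self.root / f"{name}.{ver}"
        shutil.copyfile(src, dest)
        digest = hashlib.sha256(dest.read_bytes()).hexdigest()
        with self.db:  # commits on success
            self.db.execute("INSERT INTO versions(name, ver, sha256) VALUES (?,?,?)",
                            (name, ver, digest))
        return ver

    def deprecate(self, name, ver):
        """Hide a version without deleting its blob (the post's 'yank' case)."""
        with self.db:
            self.db.execute("UPDATE versions SET deprecated=1 WHERE name=? AND ver=?",
                            (name, ver))

    def latest(self, name):
        """Newest non-deprecated version number, or None."""
        return self.db.execute("SELECT MAX(ver) FROM versions WHERE name=? "
                               "AND deprecated=0", (name,)).fetchone()[0]

    def make_release(self, tag, items):
        """Pin a set of (name, ver) pairs under one release tag."""
        with self.db:
            self.db.executemany("INSERT INTO release_items VALUES (?,?,?)",
                                [(tag, n, v) for n, v in items])

    def verify(self, name, ver):
        """Recompute the blob's SHA-256 and compare with the checkin record."""
        row = self.db.execute("SELECT sha256 FROM versions WHERE name=? AND ver=?",
                              (name, ver)).fetchone()
        blob = self.root / f"{name}.{ver}"
        return (row is not None and blob.exists()
                and hashlib.sha256(blob.read_bytes()).hexdigest() == row[0])
```

Pointing `Store` at a real directory and a MySQL-backed DB-API connection instead of `sqlite3` is the only change needed to match the post's setup.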
That means that the Linux developers are doing their job. God only knows how many bugs are under the hood in Microsoft products. And that is what is ultimately going to be their undoing.
The drop in security holes for Microsoft is a change in how they are counting and reporting them. Granted, they have gotten better about testing before release, but they have still let some doozies out.
I put my trust on code that has many eyeballs constantly reviewing and revising.
Microsoft's business model is suffering not because of open source, but because open source programs have the living snot beaten out of them before, during and after release.
If M$ would use the same million-monkeys technique, it too would have bulletproof stuff and nearly instantaneous responses to security goofs. Just what they would save on product testing and PR. Oh wait, that is their business model, isn't it?
I live in downtown Philadelphia. I was delighted to hear that my particular neighborhood was in Comcast country. (We lost our local ABC channels when Turner and Disney had their little pissing contest the year before.)
Suffice to say, after several (previously mentioned by fellow Slashdotters), after yakking with a few of the service guys at the local diner, I learned that it just wasn't happening.
Fortunately I live about a block from work, so I am in the process of rigging some 802.11 from to roof for broadband. There are times where it is good to be the admin.
We tried the alphabet soup arrangement. I hate it. I would much rather type in a quirky name than a bunch of numbers. Makes it harder to screw up a script too.
Our network powers the Franklin Institute Science Museum. Since we are best known for our planetarium, I picked something that brings out the legacy of our organization with lots of room to grow. There are 80 registered constellations, and I figure if we run out of those we can move on to other astronomical bodies. (Our finance department's workstations are already named after the planets.)
So far we have:
Andromeda
Boötes
Cetus
Draco
Eridanus
Fornax
Hercules
Indus
Cygnus
Perseus
Lyra
Vela
Our coop has been naming some non-IT computers after casinos. Again, the idea is to break up the lump of names into something meaningful.
Be nice if they announced this to the museums! (on .museum TLDs are Live) · Score: 0
I'm the admin for the Franklin Institute (www.fi.edu and now franklininstitute.science.museum). The funny part is, I have not received any instructions on how to use this new domain name!
What if you need to control a system that has interlocking pieces that span thousands of miles. Say a pipeline, or a train line.
What if you have to do it on a ridiculously small budget so your CEO can save face and/or Congress can give everybody a check worth a car payment?
Face it, IT has to do dumb things because we are always having to work on a budget.
Fast - Cheap - Right. Pick two. Usually Government and industry pick A and C.
Computers are connected to the internet.
My god, you can control things over the internet!
No wait, we actually have a few building control systems like that...
Doh! Well we were reviewing this stuff after the SNMP vulnerability issue came out. Damn proprietary systems.
Now, parking is another story...
Blue
Though, I personally would not need the trailer.
Muhahahahahah
(Somewhere on the Black Horse pike in New Jersey)
Say, do you want to get married...
(Screech)
(Did I mention she was driving...)