I've been talking to the BFI, the German govt's IT security office, about certifying components of our company's infrastructure as "secure", whatever that means.
Basically, for us it's a selling point both to customers and investors, that an office that's generally pretty respected has decided that we've taken all the common-sense measures within our power (no, you'll never be able to defend your network against H@x0r1ng by the aliens from Mars) to protect ourselves from intrusion. "Technical due diligence" is the key term in this situation.
Our problem was to try and certify portions of our entire network (working together) as being "secure", as opposed to just single products.
I've found that so far, the BFI guys were pretty helpful and technically clued. What they will do for you is to let you define "protection profiles" ("Schutzprofile") based on the Common Criteria for security, for parts of your infrastructure. They then check whether (a) your criteria and profiles make sense, and (b) whether they comply with their idea of CC.
One of the really cool parts of this is that assuming they decide that you're kosher security-wise, you can decide to release the profiles you developed for general use, and they will then certify other companies against those same standards. Likewise, you can just get some pre-defined off-the-shelf requirements that sound usable, and have yourself judged by them...
I'm in a similar position, except without as much technical experience (4+ years).
I've been offered a job as the head of technology stuff at a new startup consisting mainly of business- and money-type guys, but relying 100% on technology. My job is to scope out all of our tech and to get it up and running. It's a really heavy-duty project, so I will have to end up hiring and "managing" a tech team, as well as being the management consultant for all things technological.
I'm kind of fascinated by it, because even though it means I have to do a ton of presentations and budgets and whatnot, it gives me a chance to take a poke at what I always bitched about with _my_ bosses. Also, I don't intend to relinquish my technical involvement if at all possible, since this will always give me a ticket out.
Lastly, this sort of thing may give me exposure to all the politicking and similar B.S. I would need to know about if I intend to start my own company. No matter what happens, I don't think it's a waste of time.
Frankly though, I would never ever ever dream of taking a similar position in a large, established company's hierarchy.
Problem is, I can't really restrict access to the data.
The sales guys need access to the customer data. The logistics people have to be able to get at our order database via SAP. The accountants need access to the billing database. Tech guys have to be able to read network diagrams and many of us will have to be able to read internal proprietary strategy documents...
This is pretty much up my alley. Are you aware of any non-format-specific methods of inserting binary strings in non-ascii files (Oracle DB files, visio datagrams, etc.)?
I posted this question and I appreciate the responses, but I think a lot of people didn't catch the gist of what I was asking.
It's a comparatively easy task to secure my network from external threats; that is a combination of good product choice, intelligent design, clued configuration, and conscientious administration and monitoring.
I also know that I don't have a hope in hell of technically leak-proofing my network from the inside-out. That problem indeed is not a technical one. That's why I'm not sniffing general network traffic; our usage policy is something like "don't be an asshole." If people are abusing resources, we indeed have other problems.
What I'm trying to do is to address a specific eventuality as required by some of the compliance laws here. Assume a guy is pissed off or leaving for a competitor. He wants to mail/ftp/netcat/ whatever out a customer database or internal documents. We have watermarked our files; he knows this, but doesn't know exactly how, so he will need to encrypt the data, print it out, put it on a tape, write it on his hand, whatever.
The point is to force him to consciously, wilfully take that extra malicious step. That way, under compliance laws, we can say that we exercised due diligence to the best extent possible without impacting our productivity by doing all kinds of crazy paranoid stuff like keystroke logging or chaining people to their desks.
So once again, the question is: is there some mechanism by which we can automatically embed some sort of watermark in any non-ascii file (database, ms word doc, etc.), send all outgoing traffic through a layer 5-7 proxy, and just sniff for that single watermark string?
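The proxy-side half of this scheme, as an added example that is not part of the original post: a streaming scanner that assumes a fixed secret byte sequence (the constructed WATERMARK) is already embedded in the protected files, watches the outbound payload in whatever chunks the layer 5-7 proxy delivers, and also catches the marker after a mail client has base64-encoded and line-wrapped it. The scrambled case shows what the post expects: once the insider encrypts the data, a literal match finds nothing.

```python
"""Proxy-side detector for a watermark string in outbound traffic (added example,
not code from the original post). Assumes the protected files already carry a
fixed secret byte sequence (WATERMARK is a constructed value) and that the layer
5-7 proxy hands the outbound payload to feed() in arbitrary chunks. Looks for
the raw marker and for its base64 encodings at all three byte alignments (mail
attachments), carrying a tail across chunks so a split marker is still caught."""
import base64

WATERMARK = b"WM{e4b1-7f3a-9c2d}"  # constructed; use a random secret in practice

def base64_variants(marker: bytes) -> list[bytes]:
    """Base64 text present whenever `marker` is encoded at byte alignment 0, 1
    or 2 inside a larger file; chars that also depend on neighbours are trimmed."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + marker).rstrip(b"=")
        lead = (shift * 8 + 5) // 6                   # chars tainted by the prefix
        tail = 1 if (shift + len(marker)) % 3 else 0  # char tainted by what follows
        variants.append(enc[lead:len(enc) - tail])
    return variants

def _count_new(buf: bytes, pattern: bytes, old_len: int) -> int:
    """Count matches ending in the newly appended part of buf (offset >= old_len),
    so a match already inside the carried tail is never counted twice."""
    hits, i = 0, buf.find(pattern, max(0, old_len - len(pattern) + 1))
    while i != -1:
        hits, i = hits + 1, buf.find(pattern, i + 1)
    return hits

class WatermarkDetector:
    def __init__(self, marker: bytes):
        self.marker = marker
        self.b64_patterns = base64_variants(marker)
        self.keep = max(len(p) for p in self.b64_patterns) - 1
        self.raw_tail = b""  # last len(marker)-1 raw bytes seen
        self.b64_tail = b""  # last self.keep bytes of the line-break-free stream
        self.hits = 0

    def feed(self, chunk: bytes) -> int:
        """Scan one chunk; return how many marker occurrences it completes."""
        raw = self.raw_tail + chunk
        found = _count_new(raw, self.marker, len(self.raw_tail))
        self.raw_tail = raw[max(0, len(raw) - len(self.marker) + 1):]
        # MIME wraps base64 at 76 columns, so match on a copy without line breaks
        b64 = self.b64_tail + chunk.replace(b"\r", b"").replace(b"\n", b"")
        for p in self.b64_patterns:
            found += _count_new(b64, p, len(self.b64_tail))
        self.b64_tail = b64[max(0, len(b64) - self.keep):]
        self.hits += found
        return found

def scan(marker: bytes, stream: bytes, chunk_size: int) -> int:
    """Run the detector over `stream` delivered in chunk_size pieces."""
    det = WatermarkDetector(marker)
    for i in range(0, len(stream), chunk_size):
        det.feed(stream[i:i + chunk_size])
    return det.hits

def scramble(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for the insider's deliberate extra step (encryption): any
    byte transformation defeats a literal-string match, as the post expects."""
    return bytes(b ^ key for b in data)

# Constructed sample "customer list"; the marker sits mid-file and, once base64
# encoded, straddles the 76-column MIME line break.
SAMPLE_DOC = (b"Customer list v3 (internal only) exported 2000-05-12 "
              + WATERMARK + b" Alice,Bob,Carol\n")

def demo() -> dict:
    return {"raw": scan(WATERMARK, SAMPLE_DOC, 5),                        # 1
            "mime": scan(WATERMARK, base64.encodebytes(SAMPLE_DOC), 7),   # 1
            "scrambled": scan(WATERMARK, scramble(SAMPLE_DOC), 5)}        # 0
```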
I've actually found that ipfw's stateful filtering acts, well, "goofy". I've got a bit of a unique environment, to be sure--I'm running a firewall on the rear box of a dual NAT setup.
Basically, I found that ipfw wasn't able to reliably keep state on a lot of traffic which it had to pass out a NAT _after_ passing the natd running on the ipfw machine.
It also had problems with ftp connections -- maybe I just didn't find the corresponding facility in ipfw/natd, but ipf has an excellent ftp 'proxying' mechanism which will not just keep state on two-way tcp/udp connections, but also keep track of the return ftp data connections.
I'm running ipf on FreeBSD 4.0-R. I've found it to be super-stable, and the configuration isn't particularly difficult. It does NAT well, and I like its logging. This is especially important, as I'm installing it for clients who have some UNIX know-how, but aren't necessarily super-clued.
Do providers fall under common carrier status? AOL has control over the data it carries the same way the post office or the phone company do. They could filter every single tidbit of information, but (a) who says what's objectionable, and (b) there's just too much information to bother with.
If they're told about specific incidents, that's another issue.
Somehow I had a feeling my comment was going to get someone's national panties in a bunch.
It's not a question of pride. I am not proud to be an American citizen, as I wouldn't be proud of having a Senegalese passport, or of being a white male. It's an accident of birth, and I'm quite willing to point out flaws in the political setup of any country I "belong" to, just as I will highlight the good bits.
The beef I have with CCTV is that it violates what I believe to be an unwritten right to privacy and anonymity, especially in public areas. I do not trust a government or any organization to responsibly handle information it has about me, thus by extension, the less they know about me, the better.
Concerning a Bill of Rights and a Constitution, they're great ideas. If you have them. If you follow them. I don't recall the precise details, but a while ago someone did a survey with provocatively worded questions; some absurdly high percentage of Americans polled readily rejected the fundamental rights due them by law. I'm no great follower of the idea that the peasants must be beaten into accepting what's good for them, but that's just scary. Paranoid and extreme as it sounds, that's exactly why I don't want to be prosecuted for owning guns, saying what I want about the government, acting provocatively in public, refusing to quarter troops in my house, not paying oppressive taxes, burning flags, etc. etc. etc.
However, I think you'll readily agree with me that guaranteed and respected freedoms, such as those laid down in a code of rights, prevent the unwashed masses you and I tend to elect to political office from passing laws that say "yeah, you can be free and say what you want unlessit'ssomethingIdon'tlike!"
In an ideal world, I live in a country with a government that collects no information about me (CCTV, profiling, whatnot), and which has strong data protection laws, alias UK, Germany, Switzerland; national pride has nothing to do with it. Alas.
Eh, I'll grant you that US lawmakers are happily stumbling over each other to see who can abrogate more of the Bill of Rights faster.
However, I don't think it'd be correct to hold up the UK as a paradigm of individual liberties. There's no constitution. The UK has something like the highest density (or one of) of CCTV surveillance cameras per person of any country I know. And as I recall, there are a number of acts in place which not only do away with any vestige of habeas corpus an accused "criminal" might have, but vastly extend the powers of police to detain individuals far beyond anything you or I would find sane.
Data protection laws are a good thing; we have one in place in Switzerland, and Germany's is a pretty good example as well. However, their implementation tends to go in the direction of "we will prevent your information from being used against you. But trust us to know what's best with that information; we're the Government."
Castigating the US (or any country) for stomping on your liberty is definitely the right idea; as an American citizen, I am ashamed of and alarmed at the continuous inroads made into what I consider to be my inviolable set of personal rights. However, I do wish you'd pick a better example to hold up high than Great Britain...
Given all the copyright/trademark infringement lawsuits we've seen targeting people who've managed to peek into proprietary broken software (broken source! new term!), I don't suppose it's likely that someone has put up a convenient on-line test version of this -- sort of a bad-boy purity test type of thing?
I, for one, would love to see how I'd score on the high school Junior Gangsters of America exam.
Possibly a very stupid question, but what happens if you sell the machine to a third party?
I mean, you can prove you no longer use the service, or even own the box, and thus aren't subject to use charges, even implicit ones. I don't think that's legal (yet). And as you're not an "authorized reseller", assuming such a thing exists, I wouldn't imagine that you could be held responsible for use charges incurred by a third party (otherwise CompUSA would have to collect their fees for them, and would have to pay usage fees on unsold boxes in stock...)
The person buying from you never signed an agreement that they'd be held liable for use charges, they're just buying the box.
I bought the disk and the player, and if I want to paint it pink, I will paint it pink. If I want to nail the DVD to my wall and make a really pretty and expensive wallpaper out of it, I will do that.
Am I the only one whom it strikes as vaguely amusing that years and years were spent pushing the idea that I can do pretty much anything I want sexually (unless it's under 18, or involuntary) in the privacy of my own home, but I'm legally restricted from taking a screwdriver to electronic equipment I actually own?
A while ago, I saw a Brazilian professor and his group visiting an art exhibition here in Switzerland; I believe they were from the University of Campinas. They had a pretty nifty project they displayed called Roboser (Robot Composer), which took movement patterns such as people moving around a room, and turned them into music.
The guy's desktop was obviously KDE, and when I approached him about it he said that he'd used it because it was free. The Linux box controlled a large array of electronic music equipment, which was pretty impressive in itself.
> I challenge any of you to do useful work in securing the client/server AND keep the source open. Nettrek has some good things, as does DNet, but I have yet to see any progress other than the bletcherously horrible speed cheat checker.
You're thinking of Netrek. Some Quake players came into the Netrek Newsgroup asking nicely for help on how to secure the game.
I don't know where this led, but I'm sure all the trek players would be curious to see if there was ever any success.
Netrek uses RSA client authentication -- the source for the client and the server is completely open, so anyone can write custom hacks into them. However, most of the public servers have a list of "blessed" client keys. So if you want to play on one of these servers (there are some non-authenticating ones), you need to (a) obtain the source to generate an RSA key -- this is currently just to comply with export restrictions -- and (b) submit the key to a volunteer key maintainer.
The cool thing is that most of the discussion about what's "borgish" (non-kosher robot features) and what isn't is public; there is no central governing body which decides what goes and what doesn't, it's all done through public scrutiny.
From what I know of UK tax rates, he already is laying out more than a bit of cash for the service.
"What, don't like having to sign a form and comply with restrictive rules to read the NYT? Go to a news stand and spend some money!"
All replies are appreciated.
I registered at Hole's Website to show some support.
http://www.help.com/cgi-perl/question/5/224/504?sidx=1415190&from=http://www.help.com&tag=st.cn.sr.hp.1
There are other auction services out there, you know.
http://ee.lbl.gov/vat
...either a Klingon warrior, or a condom brand
Do we really _want_ spammers to be regulated, or to even have spam outlawed?
Remember, this would be done by the same people who brought you the DMCA.
It occurs to me that projects like the Real Time Blackhole List or Sendmail's anti-spam configuration options serve the cause a lot better than blanket laws passed by technologically less-than-aware legislators?
It's quite possible that lobbying organizations like DMA actually help the idea of keeping the net free of legislative overkill in the long run...
Comments?
Not much character development going on there.
And as for the weird indy music bits, there was more depth in the Berkeley college punk scene, which isn't saying a lot.
You can substitute anonymity for privacy if you're going to be pedantic about it.
Better? :-)
Yes, I understand that, and I also understand that in some places it's illegal for it to rain, etc. etc. etc. I stand by my original point :-)
Any ideas?
I don't care.
Go figure, I think that's pretty funny.