And you don't see a problem with that? Thats why Windows is not considered a real OS by people that have used stable OSes for years. A real OS shouldn't require you to kill off your userland processes everynight and log back in the next day. A real OS should let you start up your useland processes and keep yourself logged in for months if you like, only locking the screen at night or lunch to walk away without a degradation in performance or stability problems - two things MS still has problems with, which is excusable in this day and age.
After reading this report, I'm left with the impression that the reporters that wrote it had unrealistic expectations for the products they deployed, and little knowledge about either how to configure, tune or properly setup the products they were testing. But then, they admit that everything they are complaining about isn't such a big deal and so on. In short, a totally sensationalized waste of time. Skip it if you haven't read it already.
To wit, we've used all of the products they complain endlessly about, and all I can say is RTFM. All of the problems they encounter are either configuration problems or worse, PEBKAC.
If you want to really learn about IDS, and you don't have the budget to buy a commercial IDS, download a copy of snort and learn for yourself. This report strikes as the type of complaing you get from an IT customer that wants to buy a product, turn it on, never configure it and expect it to magically work.
By now, readers with security expertise probably are asking why we didn't tune the IDSs to reduce the chatter and improve our chances of seeing real attacks. The short answer is that we did, or at least we tried to(emphasis added). Including setup time, this project stretched along three months; and during that period we worked on these systems almost every day.
Wow! What a revelation! You mean you have to know what you're doing and it actually takes time to configure these powerful tools?! In a word, DUH. IDS'es must be tuned. IT products must be configured properly. These things take time, sometimes a lot of time. The core of their complaints revolve around their inability to do either of these things well. Given that lots of people manage to do this effectively everyday and have been for years and years, we're left to conclude that these reporters were not up to the task. And here it is:
Don't expect IDSs to be plug-and-play devices.
These folks actually expected NIDS to be plug-and-play, and thats what they seem upset about. NIDS are powerful sniffers, they need to be tuned, they need to be configured and yes, this IS an ongoing process - but they are not plug-and-play devices.
Futhermore, all of IT is an ongoing process. A big, circular, ongoing process that requires competent personnel to manage, maintain, tune, test, patch, configure , deploy and yes, spend TIME on. Anyone that expects to be able to deploy close to a dozen different IDS products as plug and play devices into a production network in 90 days with questionable expertise is fooling themselves.
To be effective, they require a lot of tuning, and a fair amount of security expertise(emphasis added). They'll also require willingness to spend a lot of time sifting through reports, at least until the configuration is tuned properly. Even then, IDSs will require constant updating as new attacks appear. IDSs can be lifesavers and invaluable educational tools - but only for those with a lot of patience and a willingness to learn.
And then they say as much. Again, this report is total waste of time. Its overly sensationalized and stems from a lack of expertise on the products in question. Skip it, download snort or buy one of the commerical products, take a class, read a book and learn for yourself. You won't learn much from this report that common sense wouldn't have told you already.
Ok, I get it, so he's a ex-cop not a technologist or computer security expert. Perfect, thats JUST what the government needs. Another so-called "computer security/crime expert" with a 100% police office/federal agent mentality which equals = we need to prosecute more of those "hackers" to make the world a safe place. Because, as we all know, thats worked so well for the world so far and the federal government doesn't have any where near enough of those types.
I think what you have pointed out about Mr. Schmidt should worry people more, not less, regarding his credentials to provide any expertise on the issue of "cyber" security. Reactionists, such as cops, feds and other "prosecute em!" types are of no use to the computer security discipline. And, until proven otherwise, I see no reason not to assume that Mr. Schmidt is one of those types. Afterall, his entire background is on the reactionary side of the model. He has done nothing to contribute to the discipline of information security and assuramce. In short, he is a cop, at best, not a computer security expert by any means.
Instead of working on solutions to prevent intrusions and to manage risk, the White House appears to building up yet another totally ineffective effort at punishing wrong doers.
What the White House needs is real computer security experts at the helm, not another ex-cop. Not to bash Mr. Schmidt, but he just doesn't seem like a real addition to their team. I'm sure the Federal Government has plenty of law enforcement and ex-law enforcement types to guide their decision making, but not enough real experts on the infosec problem.
any adult who verbally beats the shit out of some lowlife who is cruising pr0n in a public library ought to be a hero who quickly gathers a cheering throng (that's throng you prevert).
Or, the ranting raving (almost ALWAYS American) lunatic ends up looking like an uptight fool that can't handle a little harmless sexual content and needs to resort to idle straw men arguements equating thong to throng... bah... silly puritantical unsupported nonsenses. The null hypothesis here is that sex is normal and that your argument (if you can call it that) is unsupported emotional clap trap. Prove your point that someone cruising sexual content is worthy of Ad Hominem retorts and you'll be making a point. Otherwise, you're just blowing hot air.
You know, in many countries, sex is actually considered a wonderfully healthy thing that people should be attracted to. I know it might now be the case where you live, but many people know it to be the case. Sex is not a bad thing.
What is it with nitwits that think sex is bad/immoral/evil/dirty/demeaning? Did those folks ever stop to consider that sex is normal and that people should be interested in it if not down right modivated by sex? (Where did we all come from without sex?) Its the uptight puritanical nitwits that should be made fun of. Those people have serious problems that they need to see a therapist about, and because of their emotional and psychological problems, they choose to make themselves feel better by attacking others (as you have suggested, for SHAME sir!).
Sex is part of the normal process of being alive. Bah... why bother trying to explain. If you honestly think sex is something bad, you need professional help anyway and there is no reasoning with you.
Yes, I'm quite aware of the fact that the electoral college elects presidents, but thats only splitting hairs. The majority did elect Al Gore. To claim otherwise is to argue about technicalities, and its those technicalities that are wrong, not the reality that the current president of the US of A was not elected by a majority. Furthermore, the Supreme Court just decided to stop counting in a close election. So, in this case, we'll frankly never know if the current president had a mandate from the people to be President, because the Supreme Court took that choice away from the people. All they had to do was say "Count em again". Python
I don't think you understand. It's not who elects them, it's who funds them.
People really need to get past this myth.
What myth? Have you ever worked for a congress-critter? It is the people that fund a candidate that get attention. Sure, the constituents get attention, and if a large number of constituents get upset about something, the congress-critter does the right thing or gets caned. But for the most part, the apathy of the public keeps the scales nicely tipped in the favor of the big donors.
Most people just don't care enough, no matter how much you or anyone else wants to lambast them for "believing in the myth". Its not a myth, this is the way the US Congress works. If you can't get enough constituents interested in a topic, you just write the congress-critter a check and you're guaranteed an audience with him/her.
You might as well stay home on Election Day too, since you are so powerless.
LOL! What an ironic statement. In the last elections the US had some of the highest voter turnouts in decades, for all the good it did. The Majority elected one candidate, and the Supreme Court selected the other candidate.
Yeah, some power the people had that day. Thanks for the pep talk, but the US has serious problems that will not be solved by pretending that the system works, and that all we have to do is turn out to vote and send letters to our congress-critters. Did you happen to see the police state in DC on the inauguration day? And you think anyone in their right mind should not be turned off by the whole process when its pretty clear that corruption is seeping into the entire process in a way that doesn't leave any avenue for redress? The US needs serious electoral and campaign finance reform before you can even have the gall to insult someone for be disgusted at the whole thing. Python
If the very influencial LEA and Intel agencies failed to convince the US legislature / ANSI using the Four Horsemen argument (e.g. that nuclear terrorists, child pornographers, money launderers, and drug dealers, would flourish if crypto
remained freely available) then what makes you think RIAA / MPAA can succeed by persuading congress with the argument that the latest movies are being copied illegaly?
Simple, the RIAA/MPAA and entertainment industry in general make compaign contributions, whereas LEAs and intel agencies do not. The RIAA/MPAA and entertainment industry get to call the shots, because the congress-critters have to beg them for money, whereas the LEAs and intel agencies have to beg congress for money. Python
He also drew an interesting parallel between weak crypto and regular mail: you trust that your letters will be private if you seal the envelopes. Sure, anyone can open them. But doing so is federal crime with heavy penalties. Hence criminalizing
the breaking of weak crypto.
Accept that its really a bad analogy. With a "ripped-open" envelope, you can tell its been opened and then you can, hopefully, use that law to try and find out who did it (assuming they left any useful physical evidence to trace them down). With crypto, you can't do this. Its always been possible to read poorly encrypted data without the owner being any the wiser (just look at the NSA, thats all they do). So how would you ever be able to enforce this law? Rhetorically, you can't, so its a big fat Red Herring. That law would be utterly useless. Its about the illusion of safety. The US Government would want you to think such a law would keep you safe. As if laws keep you safe now, which they don't. You have to be able to take action against a person that violates a law for it have any effect, and with crypto, its suprisingly hard to do that.
Equally, using his poor analogy, its also possible to open envelopes without leaving any traces that most people be able to detect. So, criminalizing the opening of someone elses mail is not really a good means for preventing it from being opened. It can be opened, quite easily, without the recipent or sender being any the wiser.
So even in the case of just envelopes, its a lowsy security model and of course anyone with common sense, the US government included, knows this. If you want to keep your secrets, you have to do more than just say its illegal to obtain it. This is really about the fact that the US government does not consider its citizens to have any legitimate need for protecting their privacy in any meaninful way (read: keep secrets). The US government thinks its the only ones that have "real" secrets to keep, so why would the silly little citizens of the US need real crypto? Just look at what the man is saying, basically that you and I don't need strong security models we just need weak laws that can't be enforced (read: weak security model). Envelopes and weaks laws should be good enough for us. Afterall, we don't have anything important to protect. (I could digress into the "what are you trying to hide" argument, but I doubt he's coming from there, I think he doesn't believe that)
The operative response to his analogy should have been something along the lines of "So why doesn't the US government send all of its Top Secret material via the USPS in plain old envelopes or on postcards"? And then follow that up with a "So, is the US Government the only organization with secrets that needs good protection for its secrets?" And then watch him try to equivocate his way out of that one or cave.
Bah... with the US Government, its all about double standards. They want to be able keep their secrets, even if its to the detriment of their own people, while the peasants^H^H^H^H^H^H^H^H citizens have to allow the government to go on fishing expeditions into their private lives. Thats why the US Government and its elected officials need to be continuously reminded that US citizens have inalienable rights to privacy. This isn't some privilige the government can take away at a whim. If they pass laws that require the stipping away of those rights, then its a BAD law. And they need to go back and try again. Its that fundamental set of misunderstandings on the part of US officials that has created the entire crypto/CDA/DMCA/next_stupid_rights_stipping_act_he re mess.
Ugh... this is the tired old "its cheaper to run Windows because you don't need to hire a sysadmin" argument. Its simply not true. The average user is not capable of running anything more than a desktop computer poorly. Once you start to add in things like mail servers, print servers, proxy servers, firewalls and so on, you have to hire some that knows what they are doing no matter which OS you are running. So in any small business where they have a couple of servers, they end up hiring someone to run the servers anyway.
And I'm sure someone will trot out the anecdotal example of someone that knows of a company where the users are so clueful that they can run the whole show without any of those pesky sysadmins. In everyone of those cases you still need at least one person with not only the technical skill to solve problems but the time to do this while still doing their real job. Once a company starts to scale, you simply can't afford to live without dedicated resources to delegate sysadmin tasks to.
In short, there is no TOC savings with Windows because even though its easy for users to use (not nearly as easy as a Mac though) its not easy for those users to do anything other than install the simplest of software, and follow very simple instructions from the help desk(s) they will always end up calling.
So, the tired old argument about needing a sysadmin for Linux vs. Windows is very very misleading. Its the rare business that doesn't have a sysadmin or someone to call on for this task already. Python
I suggest you check your history again and stop trying to be such a apologist for the FBI. FBI agents collected that information with tax dollars. You can try to split hairs on this all you want on this, but the FBI very much was doing these things. No one at the FBI tried to stop and alot of people knew about it. Thats doubly worse.
As if for one second it makes it any better that it was only J. Edgar Hoover that was committing these civil rights violations. A man that not only ran the FBI for decades but one for whom the FBI headquarters is named after! Bunch of scum bags the FBI is for not ripping the horrific name down off their headquarters. They wear it like a badge of honor. Python
Uh, the last time I checked, in the US anyway, you have a perfect right to disturb any public government conference you want to without fear of Government retribution and long as you don't break the law. Upsetting world leaders by protesting the FTA is just too bad for those leaders. They don't get to have their little meetings in peace and quiet.
And, as far as I can tell, IMC Seattle didn't break any law, and if they did break some censorship law governing "born secret" content, those laws have been ruled unconstitutional in the past (the H-Bomb article case) and they should be ruled unconstitutional in the future.
Doesn't it bother anyone that the FBI is purportedly asking for a "readers list" for a media outlet? This is akin to the FBI, if the allegations concerning what the FBI is after are true, walking into the NY Times and demanding a copy of their readership list.
Not to start down a slippery slope, but again, if the FBI is essentially building a list of all the IPs that connected to IMC Seattle over a period of days, and the documents those IPs accessed, how is this any different from any LEA walking into a library or a video rental store and demanding a list of all the books and videos check out over a period days and the persons that checked them out?
I'm sorry, but the burden of proof lies with the FBI to prove that this was not only absolutely necessary but that it also was the least invasive means of conducting this investigation - and finally to prove that the law(s) that gave them the imperative to conduct this investigation (witch-hunt?) are really good laws. Any law that requires the creation of a police state, or the functional equivalent to it, is not a good law.
Again, all of this is really dependent on what the FBI is really getting in its investigation. If the FBI is not asking for web server logs and list of all documents accessed over a period of days, and is instead asking for information about who gave them the document in question, then we are talking about apples and oranges here. But, its not like the Federal LEAs have a track record of overstepping their bounds and snatching up any and every piece of electronic information (and hardware in some cases) without any concern for the rights of the people involved. Some I think its only fair to assume that the FBI is asking for more than they are entitled to. Afterall, who is going to stop them from taking it? Its only after the fact in court that someone can that information thrown out, but that doesn't change the fact that the Federal Government now has it - and unfortunately the US government doesn't have a great track record with respecting the rights of its citizens, especially the FBI. Need I remind anyone of the massive collection of secret files the FBI used to keep on private citizens under J. Edgar Hoover?
The bottom line is that the FBI should have no right to ask for a list of IPs that accessed the document(s) that allegedly are illegal, and certainly has no right to demand a list of IPs that accessed the IMC Seattle website over a period of days. If they are not asking for this, then we must ensure that they don't get it - and that if a law does not exist specifically forbidding this, then we need to push for one - because sooner or later, some LEA will push for this sort of information. And that is a clear violation of the fourth amendment. The readers of IMC Seattle, or any news site, have committed no crime by reading that website, even if the website contains "illegal" content, and should not be treated to an unreasonable search (and cataloging) of their reading habits. Python
Can you provide references to the appropriate US law that requires you to keep logs of what your users do? I'm not aware of any such law and I'm pretty sure it doesn't exist, but I could be wrong.
Regardless, this is the first I've ever heard of it. Python
Why is this news? NAI Labs was one of the original contributors to the SELinux project. Just look at the FAQ on the SELinux website:
The Security-enhanced Linux prototype was developed in conjunction with research partners from NAI Labs, Secure Computing Corporation (SCC), and the MITRE Corporation.
This like annoucing that AOL/Netscape is joining up with the Mozilla project to produce Mozilla. Python
There are no legitimate reasons for doing any of these things
Then you know nothing about computer security or the trails and tribulations of working on a network like Intels. Cracking password files is something SAs should do often if their OS doesn't include something like libcrack to prevent users from picking clueless passwords. 5 years ago, one of the many ways to secure a box, and a very effective one to boot, was to crack its password file and fix all the bad passwords.
If there is any crime at all here, its that no one else apparently in Intel was bothering to do this and it speaks volumes about Intels supposed InfoSec policies and how poor Intels security was.
Python
She was a Wiccan, or at least curious about Wicca, and her tormenters were Christian Fundamentalists (though
they weren't acting according to the teachings of Christianity.)
Speaking as a Wiccan, I can tell you that I've had pleanty of Christians quote from the bible about why they would be morally right if they killed me. Something about Lividicous "Thou shalt not suffer a witch to live" sends chills down the spines of any Wiccan. There is the popularized WASP version of what it means to be a Christian, and then there is the fundamentalist and literal version of what it means to be a Christian. The latter is not nice at all.
I wonder how many Christians have actually read the entire bible and considered what it really has to say about other religions if taken literally.
Merry Meet, Merry Part and Merry Meet Again. Python
Go ahead, mod me down. I don't care. But this is one of the reasons the rest of the first worls looks upon America with bafflement and disbelief.
While begging America to solve all their military problems and provide their police and militaries with those iky weapons. Give me a break. When push comes to shove you sleep better at night knowing that there are big mean nasty people with guns protecting you. And most of the time, those are American guns held by Americans and even, every once in a while, by your own countrymen. So don't be all high and mighty. Some one has to do your dirty work to keep your country safe and provide your police and military with weapons. Its so convient for you to sit there in your nice safe little home in your nice safe little neighborhood, with your good police departments and presumption that your police are beyond corruption and tisk tisk us poor misguided Americans and our silly gun culture. Tell ya what, why don't you just disarm your entire country and see how far that gets in this big mean nasty world? Oh? Whats that? Guns are OK for some and not for others? You trust your government without question? Whats that you say? You're not a native American going toe-toe with the Canadian military because you won't leave your land? Bah. Take your santimonious crap somewhere else. You Candanians have your own dirty laundry and unclean hands too. Not to mention you hide behind the US to keep your country safe.
So you live in a society where people are nicer to each other and where you can trust your cops. Guess what, in America you can't trust the cops, they end up being crooks too often. Crooks with guns and badges and the courts on their side.
Americans cops are well known to be some of the more racist and corrupt in the world. Just look at the latest in a long and proud string of scandals involving abuse of police power in America with the DC police e-mail scandal. Opps! The cops got caught speaking candidly. Just a little insight into their racist and corrupt little worlds. Black cops talking about huntings "whities" and White cops talking about "niggers". Oh yeah, I REALLY wanna trust the police now.
But wait! Theres more! The glorious US history of using the police to oppress minority groups of all kinds! BE they political, racial, religious, it doesn't matter! If you can be tyrannized, we'll do it! How many first world countries do you see with the sorts of riots, lawsuits, beatings and even murders caused by of police corruption? When was the last time Canada had a race riot because your criminal justice system let off four corrupt racist cops that beat a black motorist almost to death? And you expect Americans to trust the police?!
Did it ever dawn on you that many Americans keep weapons because they are afraid of the very police you think everyone expects to protect them? Many Americans have really good and personally earned reasons to be afraid of the police. The police are the bad guys too often in thise country and they get away with it too often as well. I myself had the misfortune of being attacked and beaten by some corrupt cops because I wouldn't do what they wanted me to do, and was not legally or morally required to ask they commanded. They were just thugs with badges and they knew they could get away with it. So don't tell me about how I or anyone else that has felt the horror of that trust in the police evaporate in an instance, only to that horrific feeling get flogged over and over again as you desperately try to seek justice in the very system that is supposed to wield it only to find out that the system protects the corrupt and racist in the police force. Until you have seen it yourself, you can not expect someone that has to implicitly trust the police to be the only ones with weapons - and too many Americans have seen the ugly face of bad cops. Now do you understand why this country is so heavily armed? Why this country has some many militias and conspriacy nuts ranting about not trusting the government? Hell, how many of your leaders have been impeached? How many of your presidents have committed felonies to get themselves relected? Bah. Trust your own damn government, don't ask an American to trust theirs. Its too ugly a thought.
Again, perhaps you live in such an idealistic society that you can blindly trust your leaders to hold the power of life and death over your head, but its not like that in the US of A.
Bah. All this "the US is violent why can't you be like us civilized people" is such a load of crap. The world is a violent place and US is not unique in that regard - nor is it truse that the US is the most violent country, or that countries with lots of guns are violent (look at Switzerland, they have LOTS of guns, and not much crime). For example, I've heard to many British citizens wax eloquent about their gun-free and mostly non-violent culture, while the British military has been violently oppressing Northern Ireland for decades. No violence there. No sir. To blame violence exclusively on access to weapons is totally missing the point. Where there is violence, people will find access to virtually any weapon. Again, just look at Northern Ireland. Where did all those machine guns come from? They're not legal in Northen Ireland, yet there they were.
There had to be something there first to justify the need for the weapons and then their use. Communities aren't all peaches and roses until weapons show up. Weapons are tools. They get used in ways that illustrate the problems of that community. Take away the weapons, and more weapons will find their way into any violent community, no matter what you do.
And that, is the point. Guns are not allowed in schools and kids, even in America, and not allowe to have them, and somehow no matter what right thinking gun-grabbers do to ban guns, they find their way in there. Even in Canada. Python
You're missing the point. Having access to the source does not make it secure, and no one is making that argument. The argument is that access to the source provides you with the opportunity to make it secure. An opportunity you absolutely positively do not have with closed source. Thats the entireity of the argument.
Talk about letting the rhetoric begin. You build up this big straw man and expect people to kock it down. Well OK, "poof" your straw man is blown down.
The Open Source argument is about access. Its about giving everyone (yes, even the bad guys) access to the source code. In a closed source world, the bad guys may already have access to the source code, but you certainly do not. The opportunity to find and fix things, such as security vulnerabilities (and backdoors) exists.
If you can't grasp this, then you've missed them entire point behind the free (as in speech) software movement.
The "security thru obscurity does not work" argument refers to security that depends on obscurity to succeed. If your entire security model rests on the proposition that no one must even find out how it works, then your security model fails the moment that obscurity evaporates. Which is a bad security model. Plain and simple. Python
You have to give companies the ability to recoup their expenses in developing these things, or they are simply not going to spend the money to develop them.
You mean how Linux wasn't developed because it couldn't be patented? How about gnome? El Gamal? IP? Vorbis? The Browser? HTML? C? C++? Python? PERL?
Oh wait, all those things, and more, were developed and released without one single patent. Your argument assumes that the only economic model is to sell patented technology, and that simply is not the case. Lots of things are invented and not patented. Clearly the patent process does not need to exist to foster innovation.
No, penet was shut down because the cult of scientology sued Julf for the lists of his users. That is well documented. People tried and failed to shut down penet on the allegation that it was being used to send child pornography. There is an amazing dislike for anonymity by a small, vocal, visceral minority of extremeists that will make up anything to get someones anonymity stripped away from them.
Regardless, Julf shut penet down because he could no longer guarantee the privacy of his users and he was being sued by the cult of scientology. Furthermore, the Finish police admitted that there was no evidence that the remailer was involved in child porography. So that entire line of reasoning is a red herring, and is this digression you have thrown up to confuse the issue.
Anonymous bi-directional communication is happening now, via all manner of vectors, not the least of which are Type I, Type II and nym anonymous remailers. So, you are wrong that this sort of thing won't happen, which was your original argument. Its happening now and its being done in a way that does not leave the users identity open to attack as with penet model.
You're not very up on the times it would seem. Penet went down because its reply blocks were in the clear, and there was no ability to chain your replies thru other anonymous remailers cryptographically. Penet did not use any encryption at all. Thats why it went down. It was a giant risk to its users and as such, a nice big fat juicy target for the cult of scientology to sue (to try and get those reply blocks). The model was hopelessly flawed, but that does not mean that the idea of perfect forward secrecy, digital mixes and anonymous bi-drectional communication is flawed. Its not.
Modern remailers, such as Type I and Type II remailers, as well as nym remailers (which allow for anonymous bi-directional traffic, without reply blocks being in the clear, and with the ability to chain the replies thru N Type I or Type II remailers) which have been in use for years, solve all of the problems that brought penet.
You can have absolute privacy and absolute anonymity now. Just visit http://mixmaster.shinn.net or any of the other remailers websites for instructions. Heck, if you want ease of use, you can install ZKS' freedom software and abstract away all the work (at a little cost to security). Privacy is not that hard to do, and its really frustrating that people on slashdot have bought into the myth that privacy is not something you can have in this day and age. That is absolute bunk.
Slashdot Mirror
And you don't see a problem with that? Thats why Windows is not considered a real OS by people that have used stable OSes for years. A real OS shouldn't require you to kill off your userland processes everynight and log back in the next day. A real OS should let you start up your useland processes and keep yourself logged in for months if you like, only locking the screen at night or lunch to walk away without a degradation in performance or stability problems - two things MS still has problems with, which is excusable in this day and age.
To wit, we've used all of the products they complain endlessly about, and all I can say is RTFM. All of the problems they encounter are either configuration problems or worse, PEBKAC.
If you want to really learn about IDS, and you don't have the budget to buy a commercial IDS, download a copy of snort and learn for yourself. This report strikes as the type of complaing you get from an IT customer that wants to buy a product, turn it on, never configure it and expect it to magically work.
Wow! What a revelation! You mean you have to know what you're doing and it actually takes time to configure these powerful tools?! In a word, DUH. IDS'es must be tuned. IT products must be configured properly. These things take time, sometimes a lot of time. The core of their complaints revolve around their inability to do either of these things well. Given that lots of people manage to do this effectively everyday and have been for years and years, we're left to conclude that these reporters were not up to the task. And here it is:
These folks actually expected NIDS to be plug-and-play, and thats what they seem upset about. NIDS are powerful sniffers, they need to be tuned, they need to be configured and yes, this IS an ongoing process - but they are not plug-and-play devices.Futhermore, all of IT is an ongoing process. A big, circular, ongoing process that requires competent personnel to manage, maintain, tune, test, patch, configure , deploy and yes, spend TIME on. Anyone that expects to be able to deploy close to a dozen different IDS products as plug and play devices into a production network in 90 days with questionable expertise is fooling themselves.
And then they say as much. Again, this report is total waste of time. Its overly sensationalized and stems from a lack of expertise on the products in question. Skip it, download snort or buy one of the commerical products, take a class, read a book and learn for yourself. You won't learn much from this report that common sense wouldn't have told you already.You mean like how there are no anonymous remailers or proxy servers now run by volunteers?
I think what you have pointed out about Mr. Schmidt should worry people more, not less, regarding his credentials to provide any expertise on the issue of "cyber" security. Reactionists, such as cops, feds and other "prosecute em!" types are of no use to the computer security discipline. And, until proven otherwise, I see no reason not to assume that Mr. Schmidt is one of those types. Afterall, his entire background is on the reactionary side of the model. He has done nothing to contribute to the discipline of information security and assuramce. In short, he is a cop, at best, not a computer security expert by any means.
Instead of working on solutions to prevent intrusions and to manage risk, the White House appears to building up yet another totally ineffective effort at punishing wrong doers.
What the White House needs is real computer security experts at the helm, not another ex-cop. Not to bash Mr. Schmidt, but he just doesn't seem like a real addition to their team. I'm sure the Federal Government has plenty of law enforcement and ex-law enforcement types to guide their decision making, but not enough real experts on the infosec problem.
Or, the ranting raving (almost ALWAYS American) lunatic ends up looking like an uptight fool that can't handle a little harmless sexual content and needs to resort to idle straw men arguements equating thong to throng... bah... silly puritantical unsupported nonsenses. The null hypothesis here is that sex is normal and that your argument (if you can call it that) is unsupported emotional clap trap. Prove your point that someone cruising sexual content is worthy of Ad Hominem retorts and you'll be making a point. Otherwise, you're just blowing hot air.
You know, in many countries, sex is actually considered a wonderfully healthy thing that people should be attracted to. I know it might now be the case where you live, but many people know it to be the case. Sex is not a bad thing.
What is it with nitwits that think sex is bad/immoral/evil/dirty/demeaning? Did those folks ever stop to consider that sex is normal and that people should be interested in it if not down right modivated by sex? (Where did we all come from without sex?) Its the uptight puritanical nitwits that should be made fun of. Those people have serious problems that they need to see a therapist about, and because of their emotional and psychological problems, they choose to make themselves feel better by attacking others (as you have suggested, for SHAME sir!). Sex is part of the normal process of being alive. Bah... why bother trying to explain. If you honestly think sex is something bad, you need professional help anyway and there is no reasoning with you.
Python
Yes, I'm quite aware of the fact that the electoral college elects presidents, but thats only splitting hairs. The majority did elect Al Gore. To claim otherwise is to argue about technicalities, and its those technicalities that are wrong, not the reality that the current president of the US of A was not elected by a majority. Furthermore, the Supreme Court just decided to stop counting in a close election. So, in this case, we'll frankly never know if the current president had a mandate from the people to be President, because the Supreme Court took that choice away from the people. All they had to do was say "Count em again".
Python
What myth? Have you ever worked for a congress-critter? It is the people that fund a candidate that get attention. Sure, the constituents get attention, and if a large number of constituents get upset about something, the congress-critter does the right thing or gets caned. But for the most part, the apathy of the public keeps the scales nicely tipped in the favor of the big donors.
Most people just don't care enough, no matter how much you or anyone else wants to lambast them for "believing in the myth". Its not a myth, this is the way the US Congress works. If you can't get enough constituents interested in a topic, you just write the congress-critter a check and you're guaranteed an audience with him/her.
You might as well stay home on Election Day too, since you are so powerless.
LOL! What an ironic statement. In the last elections the US had some of the highest voter turnouts in decades, for all the good it did. The Majority elected one candidate, and the Supreme Court selected the other candidate.
Yeah, some power the people had that day. Thanks for the pep talk, but the US has serious problems that will not be solved by pretending that the system works, and that all we have to do is turn out to vote and send letters to our congress-critters. Did you happen to see the police state in DC on the inauguration day? And you think anyone in their right mind should not be turned off by the whole process when its pretty clear that corruption is seeping into the entire process in a way that doesn't leave any avenue for redress? The US needs serious electoral and campaign finance reform before you can even have the gall to insult someone for be disgusted at the whole thing.
Python
Simple, the RIAA/MPAA and entertainment industry in general make compaign contributions, whereas LEAs and intel agencies do not. The RIAA/MPAA and entertainment industry get to call the shots, because the congress-critters have to beg them for money, whereas the LEAs and intel agencies have to beg congress for money.
Python
Accept that its really a bad analogy. With a "ripped-open" envelope, you can tell its been opened and then you can, hopefully, use that law to try and find out who did it (assuming they left any useful physical evidence to trace them down). With crypto, you can't do this. Its always been possible to read poorly encrypted data without the owner being any the wiser (just look at the NSA, thats all they do). So how would you ever be able to enforce this law? Rhetorically, you can't, so its a big fat Red Herring. That law would be utterly useless. Its about the illusion of safety. The US Government would want you to think such a law would keep you safe. As if laws keep you safe now, which they don't. You have to be able to take action against a person that violates a law for it have any effect, and with crypto, its suprisingly hard to do that.
Equally, using his poor analogy, its also possible to open envelopes without leaving any traces that most people be able to detect. So, criminalizing the opening of someone elses mail is not really a good means for preventing it from being opened. It can be opened, quite easily, without the recipent or sender being any the wiser.
So even in the case of just envelopes, its a lowsy security model and of course anyone with common sense, the US government included, knows this. If you want to keep your secrets, you have to do more than just say its illegal to obtain it. This is really about the fact that the US government does not consider its citizens to have any legitimate need for protecting their privacy in any meaninful way (read: keep secrets). The US government thinks its the only ones that have "real" secrets to keep, so why would the silly little citizens of the US need real crypto? Just look at what the man is saying, basically that you and I don't need strong security models we just need weak laws that can't be enforced (read: weak security model). Envelopes and weaks laws should be good enough for us. Afterall, we don't have anything important to protect. (I could digress into the "what are you trying to hide" argument, but I doubt he's coming from there, I think he doesn't believe that)
The operative response to his analogy should have been something along the lines of "So why doesn't the US government send all of its Top Secret material via the USPS in plain old envelopes or on postcards"? And then follow that up with a "So, is the US Government the only organization with secrets that needs good protection for its secrets?" And then watch him try to equivocate his way out of that one or cave.
Bah... with the US Government, its all about double standards. They want to be able keep their secrets, even if its to the detriment of their own people, while the peasants^H^H^H^H^H^H^H^H citizens have to allow the government to go on fishing expeditions into their private lives. Thats why the US Government and its elected officials need to be continuously reminded that US citizens have inalienable rights to privacy. This isn't some privilige the government can take away at a whim. If they pass laws that require the stipping away of those rights, then its a BAD law. And they need to go back and try again. Its that fundamental set of misunderstandings on the part of US officials that has created the entire crypto/CDA/DMCA/next_stupid_rights_stipping_act_he re mess.
Python
And I'm sure someone will trot out the anecdotal example of someone that knows of a company where the users are so clueful that they can run the whole show without any of those pesky sysadmins. In everyone of those cases you still need at least one person with not only the technical skill to solve problems but the time to do this while still doing their real job. Once a company starts to scale, you simply can't afford to live without dedicated resources to delegate sysadmin tasks to.
In short, there is no TOC savings with Windows because even though its easy for users to use (not nearly as easy as a Mac though) its not easy for those users to do anything other than install the simplest of software, and follow very simple instructions from the help desk(s) they will always end up calling.
So, the tired old argument about needing a sysadmin for Linux vs. Windows is very very misleading. Its the rare business that doesn't have a sysadmin or someone to call on for this task already.
Python
As if for one second it makes it any better that it was only J. Edgar Hoover that was committing these civil rights violations. A man that not only ran the FBI for decades but one for whom the FBI headquarters is named after! Bunch of scum bags the FBI is for not ripping the horrific name down off their headquarters. They wear it like a badge of honor.
Python
And, as far as I can tell, IMC Seattle didn't break any law, and if they did break some censorship law governing "born secret" content, those laws have been ruled unconstitutional in the past (the H-Bomb article case) and they should be ruled unconstitutional in the future.
Doesn't it bother anyone that the FBI is purportedly asking for a "readers list" for a media outlet? This is akin to the FBI, if the allegations concerning what the FBI is after are true, walking into the NY Times and demanding a copy of their readership list.
Not to start down a slippery slope, but again, if the FBI is essentially building a list of all the IPs that connected to IMC Seattle over a period of days, and the documents those IPs accessed, how is this any different from any LEA walking into a library or a video rental store and demanding a list of all the books and videos check out over a period days and the persons that checked them out?
I'm sorry, but the burden of proof lies with the FBI to prove that this was not only absolutely necessary but that it also was the least invasive means of conducting this investigation - and finally to prove that the law(s) that gave them the imperative to conduct this investigation (witch-hunt?) are really good laws. Any law that requires the creation of a police state, or the functional equivalent to it, is not a good law.
Again, all of this is really dependent on what the FBI is really getting in its investigation. If the FBI is not asking for web server logs and list of all documents accessed over a period of days, and is instead asking for information about who gave them the document in question, then we are talking about apples and oranges here. But, its not like the Federal LEAs have a track record of overstepping their bounds and snatching up any and every piece of electronic information (and hardware in some cases) without any concern for the rights of the people involved. Some I think its only fair to assume that the FBI is asking for more than they are entitled to. Afterall, who is going to stop them from taking it? Its only after the fact in court that someone can that information thrown out, but that doesn't change the fact that the Federal Government now has it - and unfortunately the US government doesn't have a great track record with respecting the rights of its citizens, especially the FBI. Need I remind anyone of the massive collection of secret files the FBI used to keep on private citizens under J. Edgar Hoover?
The bottom line is that the FBI should have no right to ask for a list of IPs that accessed the document(s) that allegedly are illegal, and certainly has no right to demand a list of IPs that accessed the IMC Seattle website over a period of days. If they are not asking for this, then we must ensure that they don't get it - and that if a law does not exist specifically forbidding this, then we need to push for one - because sooner or later, some LEA will push for this sort of information. And that is a clear violation of the fourth amendment. The readers of IMC Seattle, or any news site, have committed no crime by reading that website, even if the website contains "illegal" content, and should not be treated to an unreasonable search (and cataloging) of their reading habits.
Python
Regardless, this is the first I've ever heard of it.
Python
http://lexx.shinn.net/extra/index.html
Python
The Security-enhanced Linux prototype was developed in conjunction with research partners from NAI Labs, Secure Computing Corporation (SCC), and the MITRE Corporation.
This like annoucing that AOL/Netscape is joining up with the Mozilla project to produce Mozilla.
Python
Then you know nothing about computer security or the trails and tribulations of working on a network like Intels. Cracking password files is something SAs should do often if their OS doesn't include something like libcrack to prevent users from picking clueless passwords. 5 years ago, one of the many ways to secure a box, and a very effective one to boot, was to crack its password file and fix all the bad passwords.
If there is any crime at all here, its that no one else apparently in Intel was bothering to do this and it speaks volumes about Intels supposed InfoSec policies and how poor Intels security was.
Python
So should you also be charged with three felonies and be forced to pay a huge fine for your crack?
Python
Speaking as a Wiccan, I can tell you that I've had pleanty of Christians quote from the bible about why they would be morally right if they killed me. Something about Lividicous "Thou shalt not suffer a witch to live" sends chills down the spines of any Wiccan. There is the popularized WASP version of what it means to be a Christian, and then there is the fundamentalist and literal version of what it means to be a Christian. The latter is not nice at all.
I wonder how many Christians have actually read the entire bible and considered what it really has to say about other religions if taken literally.
Merry Meet, Merry Part and Merry Meet Again.
Python
Because there are violent people there. DUH.
Python
While begging America to solve all their military problems and provide their police and militaries with those iky weapons. Give me a break. When push comes to shove you sleep better at night knowing that there are big mean nasty people with guns protecting you. And most of the time, those are American guns held by Americans and even, every once in a while, by your own countrymen. So don't be all high and mighty. Some one has to do your dirty work to keep your country safe and provide your police and military with weapons. Its so convient for you to sit there in your nice safe little home in your nice safe little neighborhood, with your good police departments and presumption that your police are beyond corruption and tisk tisk us poor misguided Americans and our silly gun culture. Tell ya what, why don't you just disarm your entire country and see how far that gets in this big mean nasty world? Oh? Whats that? Guns are OK for some and not for others? You trust your government without question? Whats that you say? You're not a native American going toe-toe with the Canadian military because you won't leave your land? Bah. Take your santimonious crap somewhere else. You Candanians have your own dirty laundry and unclean hands too. Not to mention you hide behind the US to keep your country safe.
So you live in a society where people are nicer to each other and where you can trust your cops. Guess what, in America you can't trust the cops, they end up being crooks too often. Crooks with guns and badges and the courts on their side.
Americans cops are well known to be some of the more racist and corrupt in the world. Just look at the latest in a long and proud string of scandals involving abuse of police power in America with the DC police e-mail scandal. Opps! The cops got caught speaking candidly. Just a little insight into their racist and corrupt little worlds. Black cops talking about huntings "whities" and White cops talking about "niggers". Oh yeah, I REALLY wanna trust the police now.
But wait! Theres more! The glorious US history of using the police to oppress minority groups of all kinds! BE they political, racial, religious, it doesn't matter! If you can be tyrannized, we'll do it! How many first world countries do you see with the sorts of riots, lawsuits, beatings and even murders caused by of police corruption? When was the last time Canada had a race riot because your criminal justice system let off four corrupt racist cops that beat a black motorist almost to death? And you expect Americans to trust the police?!
Did it ever dawn on you that many Americans keep weapons because they are afraid of the very police you think everyone expects to protect them? Many Americans have really good and personally earned reasons to be afraid of the police. The police are the bad guys too often in thise country and they get away with it too often as well. I myself had the misfortune of being attacked and beaten by some corrupt cops because I wouldn't do what they wanted me to do, and was not legally or morally required to ask they commanded. They were just thugs with badges and they knew they could get away with it. So don't tell me about how I or anyone else that has felt the horror of that trust in the police evaporate in an instance, only to that horrific feeling get flogged over and over again as you desperately try to seek justice in the very system that is supposed to wield it only to find out that the system protects the corrupt and racist in the police force. Until you have seen it yourself, you can not expect someone that has to implicitly trust the police to be the only ones with weapons - and too many Americans have seen the ugly face of bad cops. Now do you understand why this country is so heavily armed? Why this country has some many militias and conspriacy nuts ranting about not trusting the government? Hell, how many of your leaders have been impeached? How many of your presidents have committed felonies to get themselves relected? Bah. Trust your own damn government, don't ask an American to trust theirs. Its too ugly a thought.
Again, perhaps you live in such an idealistic society that you can blindly trust your leaders to hold the power of life and death over your head, but its not like that in the US of A.
Bah. All this "the US is violent why can't you be like us civilized people" is such a load of crap. The world is a violent place and US is not unique in that regard - nor is it truse that the US is the most violent country, or that countries with lots of guns are violent (look at Switzerland, they have LOTS of guns, and not much crime). For example, I've heard to many British citizens wax eloquent about their gun-free and mostly non-violent culture, while the British military has been violently oppressing Northern Ireland for decades. No violence there. No sir. To blame violence exclusively on access to weapons is totally missing the point. Where there is violence, people will find access to virtually any weapon. Again, just look at Northern Ireland. Where did all those machine guns come from? They're not legal in Northen Ireland, yet there they were.
There had to be something there first to justify the need for the weapons and then their use. Communities aren't all peaches and roses until weapons show up. Weapons are tools. They get used in ways that illustrate the problems of that community. Take away the weapons, and more weapons will find their way into any violent community, no matter what you do.
And that, is the point. Guns are not allowed in schools and kids, even in America, and not allowe to have them, and somehow no matter what right thinking gun-grabbers do to ban guns, they find their way in there. Even in Canada.
Python
No, religion doesn't ask anything, it simply tells and expects blind unwavering faith from the masses. There is no questioning the faith.
Python
Talk about letting the rhetoric begin. You build up this big straw man and expect people to kock it down. Well OK, "poof" your straw man is blown down.
The Open Source argument is about access. Its about giving everyone (yes, even the bad guys) access to the source code. In a closed source world, the bad guys may already have access to the source code, but you certainly do not. The opportunity to find and fix things, such as security vulnerabilities (and backdoors) exists.
If you can't grasp this, then you've missed them entire point behind the free (as in speech) software movement.
The "security thru obscurity does not work" argument refers to security that depends on obscurity to succeed. If your entire security model rests on the proposition that no one must even find out how it works, then your security model fails the moment that obscurity evaporates. Which is a bad security model. Plain and simple.
Python
You mean how Linux wasn't developed because it couldn't be patented? How about gnome? El Gamal? IP? Vorbis? The Browser? HTML? C? C++? Python? PERL?
Oh wait, all those things, and more, were developed and released without one single patent. Your argument assumes that the only economic model is to sell patented technology, and that simply is not the case. Lots of things are invented and not patented. Clearly the patent process does not need to exist to foster innovation.
Python
Regardless, Julf shut penet down because he could no longer guarantee the privacy of his users and he was being sued by the cult of scientology. Furthermore, the Finish police admitted that there was no evidence that the remailer was involved in child porography. So that entire line of reasoning is a red herring, and is this digression you have thrown up to confuse the issue.
Anonymous bi-directional communication is happening now, via all manner of vectors, not the least of which are Type I, Type II and nym anonymous remailers. So, you are wrong that this sort of thing won't happen, which was your original argument. Its happening now and its being done in a way that does not leave the users identity open to attack as with penet model.
Python
Modern remailers, such as Type I and Type II remailers, as well as nym remailers (which allow for anonymous bi-directional traffic, without reply blocks being in the clear, and with the ability to chain the replies thru N Type I or Type II remailers) which have been in use for years, solve all of the problems that brought penet.
You can have absolute privacy and absolute anonymity now. Just visit http://mixmaster.shinn.net or any of the other remailers websites for instructions. Heck, if you want ease of use, you can install ZKS' freedom software and abstract away all the work (at a little cost to security). Privacy is not that hard to do, and its really frustrating that people on slashdot have bought into the myth that privacy is not something you can have in this day and age. That is absolute bunk.
Python