First of all, I wrote THE OLDEST/FIRST guides for NT-based OS online, back as far as 1998
Prove it. Don't just quote from or link to some web page. Prove that you wrote it.
Secondly - My guide DOES tell people how to "cut off" vulnerable services (by patching)
Oh. I get it. You write guides for clueless users. The stuff that I do is for folks who really know what they're doing and want to take their skills to the next level. My bad.
Also, you can't *secure* access controls in a Windows system. Access controls are an operating system level function
Man, you really DO NOT KNOW WHAT YOU'RE TALKING ABOUT...
I'm a programmer. You claim to be a sysadmin. I can see how you wouldn't understand what the phrase "securing access controls" would *really* mean. Imprecise language indicates the sloppy thinking of the speaker.
Heh, also isn't "grafted on" as a "kernel hooking" system
You have never looked at the way SeLinux or grsecurity actually function, have you? Check it out, you'd be amazed.
[My copypasta] seemed to shut you up on what "security hardening" is defined as though...
Heh. I can see that you are unable to comprehend any degree of subtlety. If I didn't know better, I'd say that you were illiterate and were speaking to me through an ESL intermediary.
I came by the parent comment via AlterSlash. This means that the comment you posted to was of sufficient quality to rise out of the background noise of the general/. commenting public.
Noone but me has replied to your comments. None of your comments here have been up-modded. What does this say about the quality of your advice?
Oh, hang on. You missed my previous post. Let me repeat it.
Oh wait... rather than repeating my previous post and duplicating a lot of effort and wasting loads of my time, let me provide you with a link to a centralized location on the web that is already hosting this information.
Here is a definition of "System Hardening" from a reputable source:
...Hardening systems is a defense strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls."
Mmmhmm. You're not patching security holes or removing vulnerable services in your "guide". You're -manually- enforcing "Least Privilege" for running services. That is something that third-party vendors should *already* be doing out of the box. (IMO, you should never purchase software from a vendor that makes its services run as the SYSTEM user.) Also, you can't *secure* access controls in a Windows system. Access controls are an operating system level function. The only way that you can secure them is to harden the OS itself. Projects like grsecurity and SELinux do just that. There are no such projects in the Windows world.
Here is yet another:
"...Generally anything that is done in the name of system hardening ensures the system is both secure and reliable."
Oh. Okay. I'll add a blackhole entry for doubleclick.net to my hosts file. Now my system is secure and reliable.
I'm glad to see that you're still dodging my question.
That's A DECADE OF SOLID UNINFECTED UPTIME HERE... have you even been USING COMPUTERS THAT LONG?
Yes, I have. I've been using computers since the Tandy 1000 TL. That one was produced in... 1986, 1987 or so.
I recommend that in my guide, but, I also tell others how it's done in other browsers AND I provide a HOSTS files that covers ALL/EVERY webbound program you have
Point me to a place in any of your forum postings where you say the equivalent of "See here for a hosts file that is not out of date.".
I severely doubt you've accomplished 1/10th of what I have in it over the past 16++ yrs.
You and I have already talked about your accomplishments. You've demonstrated none of the knowledge that you claim to have.
You can't answer my question, can you? What if I told you that not only have I not seen the "Windows is Getting Old" slow-down, I haven't had a malware infection, ever? [0] This is on a stock -fully patched- installation of Windows Server 2003 Enterprise. No fancy guides or tools are needed to achieve this result, it's attainable out of the box. Nothing more than plain-old user education is required.
t's NOT about speed (though you WILL see more online, if you follow all/each of its points)...
Heh. You you can install NoScript or use Google Chrome and immediately see more speed online. No fancy guide or tool required.
[0] I posit that much of the "Windows is Getting Old" effect is directly related to malware installed on the system.
I'll have to disagree with you: It absolutely is [hardening]
No. It's only recently that Vista SP2 got a single feature that's standard in real hardened systems. Go and see what Hardened Gentoo and Hardened Solaris do. (They do many, many, things that Windows can't match!) Your "hardening" guides are nothing of the sort. The bar was raised a long time ago, and it wasn't done by anything from Redmond.
That has NOTHING to do with an adbanner, bad adbanner, or bad website blocking custom HOSTS files!
...
Right... Spammers and advert hosts can't use DNS to change the hostname that they use to host their crap with a moment's notice.
(That was the main reason & purpose of noting them in my guide)...
E.G./I.E.-> HOSTS files that use 0, 0.0.0.0, or 127.0.0.1 (no DNS server broadcasts those, mind you)
Wait, what? You're telling me that IANA doesn't hand out IP addresses that are invalid or reserved for local use to Internet-facing hosts? You *don't* say!
to block out known bad adbanners, bad websites, etc. et al!
See my initial paragraph. Morever, you're doing the internet a disservice by spraying copypasta across the web. What happens when some spammer registers badnews.forumhost.com and starts spreading the worm du jour from it? How is some clueluess user going to find the very latest copy of the hosts file that you're distributing when you've put several hundred different revisions across several thousand different forums? Is he going to go on a vision quest to compare post dates to be sure that he has the very latest one? That's why I said this:
There's a reason why most IT professionals prefer centralized installation systems over manually walking to each of the systems that they manage and installing each piece of software a machine at a time.
I guess that I was too subtle for you. Would you recommend to your 3000-identical-Windows-machines-at-a-site clients that they install the latest.MSI of EnterpriseApp v4.0 by burning a disc, taking it to each computer -one at a time-, logging in with a root account, open Explorer, double click the.MSI, answer the installer's questions, wait for the installer to complete, and move on to the next machine? Your practice of distributing identical hosts files across dozens of forums is analogous to this inefficient system administration method. How do you plan to update all of those forum posts when a new advertising server starts up? Do you intend to leave stale copies of time-critical information up for clueless users to stumble across and use?
Why don't you emulate the practices that you claim to preach? Set up a web site. Post your advice and wares there. Link to it in forums. When the situation on the Internet changes, you can react to it immediately and be the saviour of the internet, rather than one of those who is leading clueless users astray with reams of out-of-date information.
Okay... I'd still like to see the stats for a fully patched stock system before I say "Oh, this isn't worth the effort."
But it still completely fails to protect the host against 15% of the *known attacks* in the wild?
Do you have a comprehensive list of those attacks? I know that I don't. How many of those attacks are software keyloggers? There's not a whole hell of a lot that you can do to protect against that. How many of them are hardware keyloggers? USB or FireWire DMA memory access sploits?
We need details before we can pass judgement. Until we have these details, this "report" is just some MS PR flack flapping his gums.
There's a reason why most IT professionals prefer centralized installation systems over manually walking to each of the systems that they manage and installing each piece of software a machine at a time. Distributing dynamic things such as hosts files through forum posts is generally a *really* bad plan. DNS changes *Very* quickly. Forum posts (especially identical ones spread throughout tens of forums) do not.
If you're going to be a saviour of the computer world, get a web page, post what you have to say there, link to it, and keep it up to date. If your advice is good, you'll gain pagerank faster than just spraying copypasta across the web.
Also, your guide? It's not hardening. Check out projects like Hardened Gentoo and Hardened Solaris. No amount of registry tweaking and software uninstallation can make Windows match up to the results from either of those projects.
Please explain to me why I've been running a stock (fully patched) Windows Server 2003 Enterprise installation for three years straight, have never reinstalled the OS, and have not experienced any of the dreaded "Windows is Getting Too Old" speed decreases?
No fancy guide is required to get this performance. It's attainable out of the box. All that's needed is -as you say- user education. Don't install crapware and you're done!
I'd have to know what percentage of the attacks were still successful on a stock, fully-patched system to know whether or not I have a problem with this.
A link-local address can allow a computer on a LAN to reach a router. That same link-local address (or another if the router needs to use another interface) can allow that router to reach a router that's Internet-facing and has its own globally-routable IP. Right?
WRT "site-local" vs. "unique-local": You should double-check the RFC that I linked to... I got the terminology confused, but nothing else. Also, I read this as saying that unique-local SHOULD NOT, but may be used to bridge multiple "private" networks. (Why else would site-local addresses have a low probability of collision?);)
Please... do a little bit of research into the claims behind a story before you post it. Keep slashdot beautiful. Don't give timothy or kdawson more shit-tastic stories to post on the front page.:(
RFC4193 gives us Site-Local (fc00::/7) IPV6 addresses. http://tools.ietf.org/html/rfc4193#section-3 These are addresses that you *may* choose to not route to the outside world.
but really high dpi, dots per inch, has yet to be available to budget PC users.
a) Higher DPI in the same physical space means a higher screen resolution. (Do the math! It's true!) b) The trend in mainstream LCD displays has been towards lower and lower DPI. (19" screen @ 1280X1024, anyone?)
I *really* wish that we'd see some 100->300 dpi consumer-level displays, but it would seem that the powers that be *really* love the profit margins on 72->96 dpi panels.:/
Right now, the ISPs are charging the same price to heavy users and light users. Heavy users cost the ISP more than light users. Therefore, their profit motive is to maximize light users and minimize heavy users.
There's an Elephant that you are ignoring. Comcast residential "promises" to move up to 250GB/month for a fee of $46/month. I can get 3TB/month of transit through 1&1 for $20/month. Hell, I can get 300GB/month through them for $4/month.
If you don't like 1&1, you can hop on over to godaddy.com. Their most expensive 300GB/month plan is $5/month. Their most expensive "wide open throttle" plan (which must be at least 1.5TB/month, seeing as how that's their next smallest plan [which is $7/month, at worst]) is $15/month.
Please tell me how these companies can move 20% more of my data than Comcast can for a tenth of what Comcast charges.
Oh balls. I mis-remembered. He only mentions that he's made a "teleportable" application. He never gets time to demo it. I hope that you didn't sit through that whole video.:(
Slashdot Mirror
...you surely showed your behind about ACL's...
You don't understand what the phrase "securing access controls" implies. See this post for my thoughts on the mis-understanding:
http://slashdot.org/comments.pl?sid=1219095&cid=27803057
Point me to a place in any of your forum postings where you say the equivalent of "See here for a hosts file that is not out of date."
[Oh, but I did say this in my original posting!]
Ah. You are correct.
You and I have already talked about your accomplishments
Yes, you have NOTHING like them
You've demonstrated none of the knowledge that you claim to have.
Funny, these say otherwise [Long list of links snippped]
My challenge to you to prove that you've done any of that is here:
http://slashdot.org/comments.pl?sid=1219095&cid=27803057
First of all, I wrote THE OLDEST/FIRST guides for NT-based OS online, back as far as 1998
Prove it. Don't just quote from or link to some web page. Prove that you wrote it.
Secondly - My guide DOES tell people how to "cut off" vulnerable services (by patching)
Oh. I get it. You write guides for clueless users. The stuff that I do is for folks who really know what they're doing and want to take their skills to the next level. My bad.
Also, you can't *secure* access controls in a Windows system. Access controls are an operating system level function
Man, you really DO NOT KNOW WHAT YOU'RE TALKING ABOUT...
I'm a programmer. You claim to be a sysadmin. I can see how you wouldn't understand what the phrase "securing access controls" would *really* mean. Imprecise language indicates the sloppy thinking of the speaker.
Heh, also isn't "grafted on" as a "kernel hooking" system
You have never looked at the way SeLinux or grsecurity actually function, have you? Check it out, you'd be amazed.
[My copypasta] seemed to shut you up on what "security hardening" is defined as though...
Heh. I can see that you are unable to comprehend any degree of subtlety. If I didn't know better, I'd say that you were illiterate and were speaking to me through an ESL intermediary.
Lemmy link you to what I wrote again, so you can re-read it and mull over what I said.
http://slashdot.org/comments.pl?sid=1219095&cid=27801155
Here's something for you to think about...
I came by the parent comment via AlterSlash. This means that the comment you posted to was of sufficient quality to rise out of the background noise of the general /. commenting public.
Noone but me has replied to your comments.
None of your comments here have been up-modded.
What does this say about the quality of your advice?
Oh, hang on. You missed my previous post. Let me repeat it.
Oh wait... rather than repeating my previous post and duplicating a lot of effort and wasting loads of my time, let me provide you with a link to a centralized location on the web that is already hosting this information.
http://slashdot.org/comments.pl?sid=1219095&cid=27799759
Here is a definition of "System Hardening" from a reputable source:
...Hardening systems is a defense strategy to protect against attacks by removing vulnerable and unnecessary services, patching security holes, and securing access controls."
Mmmhmm. You're not patching security holes or removing vulnerable services in your "guide". You're -manually- enforcing "Least Privilege" for running services. That is something that third-party vendors should *already* be doing out of the box. (IMO, you should never purchase software from a vendor that makes its services run as the SYSTEM user.)
Also, you can't *secure* access controls in a Windows system. Access controls are an operating system level function. The only way that you can secure them is to harden the OS itself. Projects like grsecurity and SELinux do just that. There are no such projects in the Windows world.
Here is yet another:
"...Generally anything that is done in the name of system hardening ensures the system is both secure and reliable."
Oh. Okay. I'll add a blackhole entry for doubleclick.net to my hosts file. Now my system is secure and reliable.
Your definitions suck.
I'm glad to see that you're still dodging my question.
That's A DECADE OF SOLID UNINFECTED UPTIME HERE... have you even been USING COMPUTERS THAT LONG?
Yes, I have. I've been using computers since the Tandy 1000 TL. That one was produced in... 1986, 1987 or so.
I recommend that in my guide, but, I also tell others how it's done in other browsers AND I provide a HOSTS files that covers ALL/EVERY webbound program you have
Point me to a place in any of your forum postings where you say the equivalent of "See here for a hosts file that is not out of date.".
I severely doubt you've accomplished 1/10th of what I have in it over the past 16++ yrs.
You and I have already talked about your accomplishments. You've demonstrated none of the knowledge that you claim to have.
You can't answer my question, can you?
What if I told you that not only have I not seen the "Windows is Getting Old" slow-down, I haven't had a malware infection, ever? [0]
This is on a stock -fully patched- installation of Windows Server 2003 Enterprise. No fancy guides or tools are needed to achieve this result, it's attainable out of the box. Nothing more than plain-old user education is required.
t's NOT about speed (though you WILL see more online, if you follow all/each of its points)...
Heh. You you can install NoScript or use Google Chrome and immediately see more speed online. No fancy guide or tool required.
[0] I posit that much of the "Windows is Getting Old" effect is directly related to malware installed on the system.
I'll have to disagree with you: It absolutely is [hardening]
No.
It's only recently that Vista SP2 got a single feature that's standard in real hardened systems. Go and see what Hardened Gentoo and Hardened Solaris do. (They do many, many, things that Windows can't match!) Your "hardening" guides are nothing of the sort. The bar was raised a long time ago, and it wasn't done by anything from Redmond.
" DNS changes *Very* quickly." -
That has NOTHING to do with an adbanner, bad adbanner, or bad website blocking custom HOSTS files!
...
Right... Spammers and advert hosts can't use DNS to change the hostname that they use to host their crap with a moment's notice.
(That was the main reason & purpose of noting them in my guide)...
E.G./I.E.-> HOSTS files that use 0, 0.0.0.0, or 127.0.0.1 (no DNS server broadcasts those, mind you)
Wait, what? You're telling me that IANA doesn't hand out IP addresses that are invalid or reserved for local use to Internet-facing hosts? You *don't* say!
to block out known bad adbanners, bad websites, etc. et al!
See my initial paragraph. Morever, you're doing the internet a disservice by spraying copypasta across the web. What happens when some spammer registers badnews.forumhost.com and starts spreading the worm du jour from it?
How is some clueluess user going to find the very latest copy of the hosts file that you're distributing when you've put several hundred different revisions across several thousand different forums? Is he going to go on a vision quest to compare post dates to be sure that he has the very latest one? That's why I said this:
There's a reason why most IT professionals prefer centralized installation systems over manually walking to each of the systems that they manage and installing each piece of software a machine at a time.
I guess that I was too subtle for you. Would you recommend to your 3000-identical-Windows-machines-at-a-site clients that they install the latest .MSI of EnterpriseApp v4.0 by burning a disc, taking it to each computer -one at a time-, logging in with a root account, open Explorer, double click the .MSI, answer the installer's questions, wait for the installer to complete, and move on to the next machine?
Your practice of distributing identical hosts files across dozens of forums is analogous to this inefficient system administration method. How do you plan to update all of those forum posts when a new advertising server starts up? Do you intend to leave stale copies of time-critical information up for clueless users to stumble across and use?
Why don't you emulate the practices that you claim to preach? Set up a web site. Post your advice and wares there. Link to it in forums. When the situation on the Internet changes, you can react to it immediately and be the saviour of the internet, rather than one of those who is leading clueless users astray with reams of out-of-date information.
This is way beyond a "stock" system...
Okay... I'd still like to see the stats for a fully patched stock system before I say "Oh, this isn't worth the effort."
But it still completely fails to protect the host against 15% of the *known attacks* in the wild?
Do you have a comprehensive list of those attacks? I know that I don't.
How many of those attacks are software keyloggers? There's not a whole hell of a lot that you can do to protect against that.
How many of them are hardware keyloggers?
USB or FireWire DMA memory access sploits?
We need details before we can pass judgement. Until we have these details, this "report" is just some MS PR flack flapping his gums.
There's a reason why most IT professionals prefer centralized installation systems over manually walking to each of the systems that they manage and installing each piece of software a machine at a time. Distributing dynamic things such as hosts files through forum posts is generally a *really* bad plan. DNS changes *Very* quickly. Forum posts (especially identical ones spread throughout tens of forums) do not.
If you're going to be a saviour of the computer world, get a web page, post what you have to say there, link to it, and keep it up to date. If your advice is good, you'll gain pagerank faster than just spraying copypasta across the web.
Also, your guide? It's not hardening.
Check out projects like Hardened Gentoo and Hardened Solaris. No amount of registry tweaking and software uninstallation can make Windows match up to the results from either of those projects.
Please explain to me why I've been running a stock (fully patched) Windows Server 2003 Enterprise installation for three years straight, have never reinstalled the OS, and have not experienced any of the dreaded "Windows is Getting Too Old" speed decreases?
No fancy guide is required to get this performance. It's attainable out of the box. All that's needed is -as you say- user education. Don't install crapware and you're done!
I'd have to know what percentage of the attacks were still successful on a stock, fully-patched system to know whether or not I have a problem with this.
Also check out the my conversation with paul248. He might be correcting some of the slightly inaccurate points of my post.
A link-local address can allow a computer on a LAN to reach a router. That same link-local address (or another if the router needs to use another interface) can allow that router to reach a router that's Internet-facing and has its own globally-routable IP. Right?
WRT "site-local" vs. "unique-local": ;)
You should double-check the RFC that I linked to... I got the terminology confused, but nothing else.
Also, I read this as saying that unique-local SHOULD NOT, but may be used to bridge multiple "private" networks. (Why else would site-local addresses have a low probability of collision?)
:/
Please... do a little bit of research into the claims behind a story before you post it. Keep slashdot beautiful. Don't give timothy or kdawson more shit-tastic stories to post on the front page. :(
Why not do what many folks do:
Download the ISO from the Web.
If you like the game, go and buy a legit copy.
If you don't like the game, uninstall it and delete the ISO.
PS: If your only argument against the practice is something along the lines of "I might get a virus/hacked!" don't bother replying. :)
It's about being able to actually *own* a game. You know. To do with it what you please.
You haven't looked at any EULAs in the past ten to fifteen years, have you?
WTF? Why don't they multi-thread so they shut down while the sound plays?
Probably 'cause it would break ObscureApp '95 by Crap-O Soft, Inc. :/
"IPv6 is a world without NAT". The hell it is. My internal routers don't get publicly routable IP addresses, even if I have to NAT back to IPv4.
Hi. You're ignorant. Let me educate you.
RFC3513 gives us Link-Local (fe80::/10) IPV6 addresses.
http://tools.ietf.org/html/rfc3513#section-2.5.6
These are addresses that *must not* be routed to the outside world.
RFC4193 gives us Site-Local (fc00::/7) IPV6 addresses.
http://tools.ietf.org/html/rfc4193#section-3
These are addresses that you *may* choose to not route to the outside world.
You don't need NAT. :)
but really high dpi, dots per inch, has yet to be available to budget PC users.
a) Higher DPI in the same physical space means a higher screen resolution. (Do the math! It's true!)
b) The trend in mainstream LCD displays has been towards lower and lower DPI. (19" screen @ 1280X1024, anyone?)
I *really* wish that we'd see some 100->300 dpi consumer-level displays, but it would seem that the powers that be *really* love the profit margins on 72->96 dpi panels. :/
TTTTRRRRROLLLLLL!!!!!
Right now, the ISPs are charging the same price to heavy users and light users. Heavy users cost the ISP more than light users. Therefore, their profit motive is to maximize light users and minimize heavy users.
There's an Elephant that you are ignoring.
Comcast residential "promises" to move up to 250GB/month for a fee of $46/month.
I can get 3TB/month of transit through 1&1 for $20/month. Hell, I can get 300GB/month through them for $4/month.
If you don't like 1&1, you can hop on over to godaddy.com. Their most expensive 300GB/month plan is $5/month. Their most expensive "wide open throttle" plan (which must be at least 1.5TB/month, seeing as how that's their next smallest plan [which is $7/month, at worst]) is $15/month.
Please tell me how these companies can move 20% more of my data than Comcast can for a tenth of what Comcast charges.
Oh balls. I mis-remembered. He only mentions that he's made a "teleportable" application. He never gets time to demo it. I hope that you didn't sit through that whole video. :(