Although your advice is good, I HAVE seen situations in which it was very helpful that root was allowed to do a remote SSH login.
In one of those situations, / and /home were on different disks on a machine at a colo. The disk containing /home was failing and locking up any attempt by regular users to log into the box (preventing a sysadmin from logging in and sudo'ing), but since / (the root disk) was OK and that's where root's homedir was stored, root was also able to log in and do a safe unmount of the disk remotely. The backup disk was then able to be mounted and operations continued smoothly without an hour drive to the colo facility.
Yes there are other creative ways to also try to get past the failing disk lockup issue -- just pointing out that not all situations are "OMG you should NEVER allow this!!" type situations.
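The usual middle ground between "root may never log in" and the commenter's "root saved the box" is to keep PermitRootLogin off globally and open it, key-only, from a management network via a Match block. The example below is added here and is not the commenter's configuration or OpenSSH's own code: it parses a constructed sshd_config and works out which PermitRootLogin value sshd would apply to a given connection, using the documented rule that a matching Match block overrides the global value and that, among matching blocks, the first value obtained wins. The addresses and the Match criteria it understands (User and Address only) are assumptions.

```python
"""Evaluate the effective PermitRootLogin for a given SSH connection.

Added example (not from the comment above): it models the OpenSSH rule that
keywords inside a Match block override the global value for connections the
block matches, and that when several Match blocks match, the first value
obtained wins. The config text and the addresses are constructed.
"""
import ipaddress

# Constructed sshd_config: root may log in only with a key and only from the
# management network 192.0.2.0/24; everyone else gets the global "no".
SAMPLE_SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no

Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password

Match User root
    PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: dict keyword -> first value seen (sshd keeps the first).
    match_blocks: list of (criteria, settings) in file order, where criteria
    is a dict such as {"address": ["192.0.2.0/24"], "user": ["root"]}.
    Assumes "Keyword value" lines separated by whitespace (no '=' form).
    """
    global_settings = {}
    match_blocks = []
    current = None  # settings dict of the Match block being read, or None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        keyword = keyword.lower()
        rest = rest.strip()
        if keyword == "match":
            tokens = rest.split()
            criteria = {}
            # Criteria come in pairs: "Address 192.0.2.0/24 User root"
            for crit, val in zip(tokens[0::2], tokens[1::2]):
                criteria[crit.lower()] = val.split(",")
            current = {}
            match_blocks.append((criteria, current))
            continue
        target = current if current is not None else global_settings
        target.setdefault(keyword, rest)  # first obtained value wins
    return global_settings, match_blocks


def block_matches(criteria, user, address):
    """True if every criterion of the Match block applies to this connection."""
    for crit, values in criteria.items():
        if crit == "user":
            if user not in values:
                return False
        elif crit == "address":
            ip = ipaddress.ip_address(address)
            if not any(ip in ipaddress.ip_network(v, strict=False) for v in values):
                return False
        else:
            # Criteria this example does not model (Host, Group, ...) are
            # treated as not matching, which is the conservative reading.
            return False
    return True


def effective_setting(config_text, keyword, user, address):
    """Effective value of `keyword` for a connection from `address` as `user`."""
    global_settings, match_blocks = parse_sshd_config(config_text)
    keyword = keyword.lower()
    for criteria, settings in match_blocks:
        if block_matches(criteria, user, address) and keyword in settings:
            return settings[keyword]
    return global_settings.get(keyword)


def root_login_allowed(config_text, address):
    """Whether root can authenticate at all from `address` (key or password)."""
    return effective_setting(config_text, "PermitRootLogin", "root", address) != "no"


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7"):
        print(addr, effective_setting(SAMPLE_SSHD_CONFIG, "PermitRootLogin", "root", addr))
```

The ordering in the sample matters: because the first matching block wins, the permissive management-network block has to come before the catch-all "Match User root" block, which is exactly the kind of detail worth checking before relying on root access as a recovery path.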
If you really want to tinker around with Linux as a home NAT/Firewall device, you would love the Soekris NET4801 or NET5501 boxes.
I have one (I have no financial relationship with them other than customer) and I really love it. Very low power, 4GB flash card (up to 8 now I think), 1GB of RAM, no fans, no noise and if I want to I can put a large USB external drive (or small laptop drive inside) to do NFS/SMB/ETC.
All that and the wonder of Linux IPTables, routing, NATting, OpenVPN, OpenSSH for around $300. I replaced an old P3 box I had been using as a router and my power bill thanks me every month. :)
Also, each unit ships with a free pudding!! (Warning: Pudding may be evil.)
Incorrect. There are other costs, such as my time (I don't work for free!), Facilities (server rooms, etc), Security staff, IT staff, IT Security, Software maintenance, Backups (what, you expect a world financial system to not be backed up?), Insurance (Even FDIC ain't free), Customer support, and on and on.
Even ignoring all the "Hidden" costs involved above, you're still making the mistake that the "Obviousness" of the magical .5% figure is self-evident. It's not. Provide some real data to back it up, or people are under no obligation to take it seriously.
I am failing to see in your post the logic which makes your conclusion (the real cost is less than half a percent thanks to technology) obvious to the reader.
Can you offer any evidence, studies, proof or explanation as to how you came to that conclusion, or are you considering your argument self-evident somehow?
>>Obviously the real cost is less than half a percent thanks to technology.
Not that I like the government regulating things, but your statement below seems to imply that you consider your elders basically children with no rights. You talk of not letting granny off her financial leash, but legally speaking she's an adult and there IS no financial leash. Should there be one? At what age should someone's control over their own money be taken away from them?
Have you ever had to take care of an ageing parent or grandparent? Tried to convince them not to spend money on something you don't think they should be spending it on? Some grannies can be pretty stubborn - and after the scammers have all her life savings, guess where she's coming to live!
>> then perhaps her family shouldn't have let granny so loose on the financial leash, should they?
I don't know which country you're in, but I have to point out that the bluff of calling out "I've got a gun and will use it" is probably more effective in countries/states where it's believable. So, in that case the fact that it's *likely to be true* is what protected the person, not the bluff itself.
In other words, if that person lived in a country where no one but criminals are permitted to own a weapon, the criminal may very well have decided to call their bluff instead of fleeing.
>> "shouting to the person that they had a gun and were calling the cops caused the person to forget about it and flee... (in that case they didn't even have a gun)"
jd: I have to comment on the "D- through F- on federal security audits..." portion of your comment. Having participated in a lot of these audits, the most common "failure" is a paperwork failure.
That is, a system (let's say a webserver) may have patch management, a firewall, hardened webserver, FACLs and chrooting to protect its software and content from attacks, but the system owner may have forgotten to write a document detailing one or more portions of this -- or simply may have forgotten to write down their disaster contingency plan.
When the auditor visits that system, it "Fails".
Yes, documentation is an important part of a system, but I think a lot of the time people assume the "D-" that an agency receives on an audit means they're simple to break into, or have horribly lax security. Sometimes that may be the case, but often enough it's a secure system with poor documentation.
I wouldn't automatically assume it's an argument against adopting Linux; There are probably a similar (if not greater, due to numbers) number of Windows "support" forums. Hell, even MSDN has forums where the users will help each other through obscure problems, no?
Have you considered a linux based router using a flash card for the storage, and the Soekris net4801 board? I have one for my home router (Debian, FYI) and it uses a very low amount of power. For me, generally on the order of 10 watts.
http://www.soekris.com/net4801.htm
There's a newer, higher powered 5501 board if I recall correctly but the 4801 performs routing, firewalling and OpenVPN for me quite nicely.
>> First, there'll be a lot of database servers that are "supposed" to be accessible from the net for various reasons (which is ridiculous, yes, but there you go - at least use a whitelist of good IP's or something).
Look, I love security as much as any good paranoid guy, but what's with all the absolutism going on around here with regards to security?
"You should always whitelist IPS!!!" "You should NEVER EVER connect without SSH tunneling everything!!" "You must VPN to your data source!"
Some of us have to support groups of people for whom "SSH Tunneling" is like speaking an alien language. Some of their data is NOT so critical as to be the end of the world even IF it were exposed. Some of their clients won't support a VPN and even if it did, they'd forget to run it and call us for support all the time.
Computer security is the act of obtaining a balance between the usability of the system, the criticality of the data, and the needs of the owner of the data. If you can run a system with the DB port open to the world and mitigate potential threats through other means (IDS, SSL, strong passwords, chrooting, automatic patching, read-only access to nonsensitive data) then by god you are not doing anything wrong.
Some days it looks like computer security people are getting as bad as all the other zealots. "Microsoft is always evil", "Apple is always right", "If you have nothing to hide you don't need privacy" and "There's no excuse for a DB port to be public" all have the same thing wrong with them. They're absolutist and have no thought put into them.
Absolutes are fun and all, but not practical. Sometimes you DO need your DB port exposed to the world. Sometimes SSH is not the answer, as much as I LOVE ssh.
For example, solve this problem using only SSH.
========
You are a volunteer for an animal rescue with, at most, 2 hours per week of spare time to support them.
The best free software currently available to support an animal rescue (http://sheltermanager.sourceforge.net) uses a MySQL (or Postgres) database to allow the Java client software to store data on animals, owners, surrenderers, finances and shelter operations like veterinary care.
There are 40 volunteers around the state doing data entry. They are not computer literate in any sense, but know how to use windows to double click the "Run my app" icon. Since they're working from their homes on their personal computers, they run versions of windows running from 98 to Vista. Also, some of them are on Macs. Since they're on Cable/DSL/Dial-up they will all have dynamic IPs. Some leave their software open for days at a time. They will stare at you blankly when you say things like "Run SSH first" and will constantly forget their "ssh" passwords. Some have wireless networks and laptops at home, and SSH timeouts become an issue when trying to SSH tunnel.
========
Now, I solved that problem by configuring the database client software to talk to a MySQL server with "REQUIRE SSL" for the database connection, and left the database port open to the world (GASP!!). However I keep the database patched frequently, I require SSL, I use strong DB passwords and have an IDS checking for brute force attempts. The root login is bound to localhost.
What's your practical, workable solution given the constraints above?
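One of the compensating controls the comment lists for a world-reachable MySQL port is "an IDS checking for brute force attempts". The example below is added here and is not the commenter's IDS or anything shipped with MySQL: it runs a sliding-window detector over constructed log lines modelled on MySQL's "Access denied for user 'u'@'host'" warning and flags a source host once it exceeds a threshold of failures within the window, while a single forgotten password from a volunteer stays below it. The threshold, window length, timestamp format and addresses are assumptions a real deployment would tune to its own error-log format.

```python
"""Flag brute-force login attempts against a MySQL server from its error log.

Added example (not the commenter's IDS): the log lines below are constructed,
modelled on MySQL's "Access denied for user 'u'@'host'" warning, and the
threshold/window values are assumptions a real deployment would tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source hammers several accounts in quick succession,
# one volunteer mistypes a password once, and nothing else is logged as denied.
SAMPLE_ERROR_LOG = """\
2007-01-15 10:15:01 [Warning] Access denied for user 'app'@'203.0.113.9' (using password: YES)
2007-01-15 10:15:02 [Warning] Access denied for user 'app'@'203.0.113.9' (using password: YES)
2007-01-15 10:15:03 [Warning] Access denied for user 'admin'@'203.0.113.9' (using password: YES)
2007-01-15 10:15:04 [Warning] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2007-01-15 10:15:05 [Warning] Access denied for user 'app'@'203.0.113.9' (using password: YES)
2007-01-15 10:16:30 [Warning] Access denied for user 'volunteer7'@'198.51.100.24' (using password: YES)
2007-01-15 10:25:00 [Warning] Access denied for user 'app'@'203.0.113.9' (using password: YES)
"""

# Assumed line shape: "<timestamp> [Warning] Access denied for user 'u'@'host' ..."
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denials(log_text):
    """Yield (timestamp, user, host) for every access-denied line, skipping others."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user"), m.group("host")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {host: time_first_flagged} for hosts with >= threshold denials
    inside any sliding window of the given length.

    A per-host deque keeps only denials inside the window, so a few failures
    spread over a day (a volunteer forgetting a password) never trip it, while
    a rapid run of failures against any mix of accounts does.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, host in parse_denials(log_text):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in flagged:
            flagged[host] = ts
    return flagged


def denial_counts(log_text):
    """Total denials per host, a quick sanity check of the parser."""
    counts = defaultdict(int)
    for _ts, _user, host in parse_denials(log_text):
        counts[host] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, when in detect_bruteforce(SAMPLE_ERROR_LOG).items():
        print(f"brute force suspected from {host} at {when}")
```

Keying the window on the source host rather than on the user name is deliberate: the constructed attacker rotates through 'app', 'admin' and 'root', so a per-account counter would see at most three failures and miss it. The flagged host is what a practitioner would feed to a firewall block or an alert, alongside the controls the comment already relies on (REQUIRE SSL, strong passwords, root bound to localhost, prompt patching).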
Actually recent research indicates that memories are not "stored" in the brain at all. Rather, your experience at a particular moment activates a sequence of proteins in the brain that "make" the experience. Then, each time you recall the event, you're actually recreating the event in your head to re-form the memory, rather than recalling a stored event.
It's really fascinating research and has huge implications for memory erasure/formation and treatments for PTSD.
More info here: http://www.livescience.com/health/060824_memories_erase.html
I haven't watched too much of this debate so far, but assuming you're being honest with your post (hey, I haven't background checked you!) I want to extend some sincere Kudos to you and her for having this kind of competition in the security industry, diametrically opposed, and NOT resorting to childish name-calling or logical fallacies.
I see a ton of research teams contradicting each other on a daily basis online and often they take things very personally. It brings me a rare bit of optimism to see two teams of professionals duking it out professionally and without malice.
>> it seems conceivable that someone could rise up from the media/infotainment realm into the political realm.
Don't Ronald Reagan and Arnold Schwarzenegger count?
No seriously, NASA is an acronym not a proper name. National Aviation and Space Administration.
Kindly get it right. Oh yeah, this is slashdot...
As long as we're bashing slashdot for not getting it right, it's National Aeronautics and Space Administration. A quick peek at their home page, www.nasa.gov, would have shown you that.
Interesting! I wanted to upmod this, but I wanted even more to reply since no one else has. I just noticed after reading your post that I, too, am guilty of "No problem" instead of "You're welcome", and will now start intentionally forcing myself back to the old standby.
Just figured you'd want to know that you reached at least one person. :)
Following your logic in this line, it is actually the victim of the sex offense, rather than the perpetrator, who should be placed on the permanent watch list and added to the "Probably will become a sex offender" public website.
>>People who are molested at an early age tend to do it to other people when they get older.
>>It's like CFCs for society.
Murderers don't cause their victims to murder, armed robbers don't cause their victims to rob.
Actually some folks (Vegetarians) do not eat any animals and some (Vegans) will not eat animal derived products of any kind including honey. If I knew that a candy bar contained dye that was manufactured by crushing animals to produce the dye, I would select a different product!
Hola; I tried to email you through the slashdot interface but it seems to not be an option. We did defeat prop 90 (yay!), so I just wanted you to know your sig was out of date.
>> Yeah, see, most people of color tend to prefer to spend that on, I don't know, diapers and baby formula.
Also, as someone planning on having a child and doing the research, I'm compelled to point out that for most people, diapers are the only necessary portion of that spending (and reusable ones are cheaper). Most women who become mothers have a natural limited supply of baby food that's FREE, and don't need to buy formula. In actuality formula is less healthy than breast milk anyway.
Also, some of the companies who make formula have been doing some pretty darn dishonest things.... The world would be a better place if fewer people assumed that having a child means paying for formula...
In general you're right that Sun systems are still bordering on "Overpriced"
BUT..
You have to take into consideration that the UltraSparc 4 processors in that 890 have 8 megs of L2 cache PER CORE, or 16MB of cache per chip. Compare that with the offerings from intel (Is it still 1MB for Itanium?) and it's easier to justify the insane price of the chips.
I've spec'd out plenty of Oracle database servers and mathematics processing machines, and I tend to recommend Sun based on the ability to handle massive amounts of IO without problems (for Oracle) and for them to handle an assload of computations.
Sure, for cracking passwords, the 3.6GHz Intel machines (or a G5 with AltiVec support) will outperform, but let 5 researchers run Matlab and an Oracle DB, and the PCs will typically struggle while the Suns keep going.
Not to mention that the $16 billion includes lots of "Earmarks". An Earmark is a clever way of putting lots of money into a budget to make an agency budget look larger, but demanding that the money be spent certain ways.
For a non-specific example, if the military awarded a $10 million grant to DARPA, but demanded that they spend $5 million on contracts only with Lockheed Martin, then the DARPA budget would look like it got a $10 million increase while, in practice, it got much less of an increase.
Take an entire agency budget of $15 billion, add a $1 billion raise and then tack on $5 billion in earmarks, and it actually amounts to a ~25% budget cut.
Speaking as someone who left college to take a job in their field of interest....
Finish college!
While my job has been excellent for me and I don't actually regret any of my actions, it is very difficult to get a degree taking night classes. It's tough, it takes a long time and if you have the good fortune of meeting someone and starting a family, it'll take even longer and be even more difficult.
The problem with your theory is that, inevitably, some friend of yours will either:
a) Send you an e-vite or online greeting card
b) Post your email on their blog, or
c) Otherwise leak your "private" email to the world.
At that point, spammers will pick it up and your one "known good" email address will get as much spam as the rest.
That said... What stops people now from rummaging through your garbage, finding your bank statements, and draining your bank accounts?
1) My paper shredder
2) My neighbors, who would tell me if someone rummaged through my garbage
3) My dogs