Don't use 3rd party auditing agencies. Buy a better scanner than Nessus for use in-house. There are plenty out there. With a higher-end commercial vulnerability scanner, you are not just buying the scanning engine, but the research that goes into the vulnerability descriptions and solutions. There is a big difference in the amount of time you waste dealing with false positives and "solutions" that just parrot the vendor's original advisory without telling you what you need to know (e.g. is this patch going to break compatibility, etc.).
All products can do more or less the same kind of scans, but once you have seen the better products you will realize that using Nessus is often a false economy. Not to say Nessus is useless, but the money you save will often be wasted chasing down all of the bogus information. Plus, telling people to fix vulns which are false positives will undermine your credibility in the organization. Which means in the future, people will be less willing to take your word on security when it really matters.
Plus, most auditors these days (I'm talking about the big names as well as the little guys) tend to buy and use 2 or 3 different tools and just copy and paste the reports together in Microsoft Word. There's seldom any real additional analysis being performed by the auditors. Certainly no analysis with any technical depth to it.
Well if it's legal, meaning the owners of the video purposely used this as advertising, then who cares? It's a good idea if you ask me. Should be 'Distributed' via file sharing networks, not leaked :)
If media companies are intentionally (clandestinely) leaking their products onto p2p networks, then it's hypocritical of them to beg the government to shut down p2p networks because they are hurting their business.
I wonder if the intentionally leaked material gets figured into the "total dollars lost to p2p piracy" figures that we keep reading.
Media companies don't want p2p networks to be shut down. What they really want is to OWN the p2p networks just as they own everything else.
Clearly you don't know what you're talking about. Exploitable software doesn't have to be setuid for someone to gain root. All the exploit has to do is modify your ~/.profile and modify your PATH to include a trojaned version of su or sudo or ssh or telnet that captures passwords. There's more to safe computing than simply choosing Linux and crowing about it.
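The comment above describes the attack from the attacker's side; the defender's counterpart is a quick audit of the same two things, a startup file that rewrites PATH and a PATH that lets a user-writable directory shadow su, sudo or ssh. The script below is an added example, not code from the original thread or from any project mentioned on the page. It is POSIX sh, and the list of trusted directories in is_system_dir is an assumption about a typical Unix layout that you would adjust for your own hosts.

```shell
#!/bin/sh
# Added example (not from the original comment thread): audit PATH and a
# shell startup file for the conditions that let a trojaned su/sudo/ssh
# get picked up ahead of the real one. POSIX sh; uses only find, dirname
# and grep. The directory list in is_system_dir is an assumption about a
# typical Unix layout; adjust it for your hosts.

# Print each suspicious PATH entry with a reason. Returns 1 if anything
# was flagged, 0 otherwise. Takes the PATH string as $1 so it can be run
# against a captured value as well as the live $PATH.
audit_path() {
    rest="$1:"          # trailing ':' so the last field is always consumed
    rc=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$entry" ]; then
            echo "EMPTY entry: the shell treats it as the current directory"
            rc=1
        elif [ "${entry#/}" = "$entry" ]; then
            echo "RELATIVE entry '$entry': meaning depends on the cwd"
            rc=1
        # -H follows a symlinked entry so the permission bits of the target
        # directory, not the link, are tested; -prune stops find descending.
        elif [ -d "$entry" ] && [ -n "$(find -H "$entry" -prune -perm -0002 2>/dev/null)" ]; then
            echo "WORLD-WRITABLE entry '$entry': any local user can drop a binary here"
            rc=1
        fi
    done
    return $rc
}

# Assumed list of directories where system binaries legitimately live.
is_system_dir() {
    case "$1" in
        /bin|/sbin|/usr/bin|/usr/sbin|/usr/local/bin|/usr/local/sbin) return 0 ;;
        *) return 1 ;;
    esac
}

# Show where a security-sensitive command currently resolves to and flag it
# unless that location is a system directory. A shell alias or function
# shadowing the command resolves to a bare name and is therefore flagged too.
check_tool_location() {
    resolved=$(command -v "$1" 2>/dev/null) || { echo "$1: not found in PATH"; return 0; }
    dir=$(dirname "$resolved")
    if is_system_dir "$dir"; then
        echo "$1 -> $resolved (ok)"
        return 0
    fi
    echo "$1 -> $resolved (NOT a system directory; verify this binary)"
    return 1
}

# Print, with line numbers, every line of a startup file that assigns or
# prepends to PATH, so an edit like the one described above is visible at a
# glance. Comment lines are skipped. Returns 1 if any such line exists.
profile_path_lines() {
    [ -r "$1" ] || return 0
    grep -n -E '^[[:space:]]*(export[[:space:]]+)?PATH=' "$1" && return 1
    return 0
}

# Stand-alone run: audit the live environment of the invoking user.
if [ "${AUDIT_PATH_NO_MAIN:-0}" = 0 ]; then
    audit_path "$PATH"
    for tool in su sudo ssh; do check_tool_location "$tool"; done
    profile_path_lines "$HOME/.profile"
fi
```

Run it as the ordinary user whose profile you are worried about, not as root: PATH and the startup files are per user, and the point is to see exactly what that user's shell would execute when they type su or sudo.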
Have they tested what happens if someone flies a Boeing 777 into a live pebble reactor? I'm not against nuclear power per se, but let's not forget that just because something is unlikely to accidentally melt down doesn't mean that an act of sabotage wouldn't render the surrounding countryside barren for millennia.
Designation: Commercial office buildings in the U.S. are often designated as "Class A", "Class B", or "Class C". Generally, if you can afford not to, you don't want to rent class C space. B is cheaper than A, but the differences between A and B can be subtle and the only way to tell what's right for you is to visit the space and ask lots of questions.
HVAC: Make sure you have adequate localized control over the heating/cooling environment. Many leased office spaces have too few thermostat circuits per floor (sometimes only one), which means that everyone either freezes or roasts. Remember that computers and people generate a lot of heat. This is something you want to discuss in detail with the building manager. Many buildings turn off the air conditioning system on nights and weekends to save money, but it can make the building uninhabitable if you have lots of heat sources.
Security: How secure is the building? How secure is your suite/floor within the building? Do you want security guards at the front desk 24/7? How about keys/access codes, etc. Make sure your suites lock separately. Ask if the cleaning crew and the delivery people have access to your suite. If there is a common mailbox area for all tenants, request to see it and make sure it's secure. Ask if any mailboxes or suites have been broken into within the last 6 months. Make sure your employees can have convenient after hours access without sacrificing security.
Parking is important.
Mass transit: Is the building close to mass transportation (bus or subway or commuter rail lines)? This is important to some companies.
Power: Ask about the power capacity of the office space. Realtors often tell you they don't know the answers ("All that amperage and voltage stuff is gibberish to me, I'm just a realtor."). If the realtor doesn't know, have them put you in touch with the plant maintenance folks. You really do want adequate power for your suite and specifically you want to look at the power circuit layout, so you know whether you can put a sufficient number of computers in without constantly tripping circuit breakers.
Physical network infrastructure: Most modern office spaces are pre-wired for at least 100mbit Ethernet. But you want to make sure you can wire each department into their own subnet, etc. Make sure you ask for detailed information on the physical network infrastructure (how easy will it be for you guys to set up your T1, do they use Cat5 cable or something better (or worse)).
Telephone infrastructure, unless you are using VoIP.
Furniture: Aeron chairs look cool but they are way overrated in terms of comfort. Look at Steelcase instead (they are not cheap). People tend to be very picky -- it's best if you can offer a choice of 3 different chairs to everyone.
Server room: Make sure you have an adequately sized, separately cooled, securable server room.
There are no free market countries that I know of. U.S. industries are so heavily protected and subsidized by taxpayers it's ridiculous to think we have anything approaching a free market. Our aerospace industry is subsidized to a stunning degree by taxpayers, as is the communications sector, agriculture, and the energy sector. The U.S. steel, auto, and tech sectors are receiving, or about to receive, huge anti-competitive protections that go against all free trade theories. People in the U.S. don't want free markets in the U.S. -- they want free markets elsewhere.
I don't have to fear the pan-handlers, insane and other strays because we actually have a social care system that works.
And don't even get me started about guns, bureaucrazy, corruption and the oppressive regime controlled by big business.
That's quite an attitude for someone who's begging for money. You'd better hope the Europeans and Australians have enough generosity to fund you. I can't see how you'll get many donations from the U.S.A. with such a chip on your shoulder.
BSD licensing lets vendors modify it without releasing the source of their version. So what's to stop FooNetCo. adding a backdoor to their version of OpenBSD and shipping that?
Nothing. But if someone really wants to look, they can analyze the binaries and find out. What's to stop FooNetCo. from adding a backdoor to their version of Linux and then releasing doctored source code? The same thing.
We looked at dozens of OSI licenses and failed to find one which met all of the requirements. The fork-ability and lack of credit requirements are biting many OSS security projects in the ass right now...
If you don't want to open source the database, that's your prerogative. But you should not have called your project the Open Source Vulnerability Database! That's my whole point.
...take Nessus for example, where thousands of companies rip off and rebrand their code, without telling their clients what their service is based on. The GPL license was unacceptable because it prevents the data from being used in closed-source applications; we WANT unencumbered commercial use, it will be a driving factor in the survivability of the project.
Nessus is GPL, so I don't see how anyone could be "ripping off the code", considering the code is free and much of it is written by unpaid volunteers in the first place. Furthermore, Renaud does make a lot of money by licensing those volunteers' efforts to commercial outfits, so who exactly is getting ripped off? If people are rebranding Nessus without crediting Nessus, that violates the GPL. The BSD license also contains a credit-due clause. It's not fair to blame the license if nobody enforces it.
Unfortunately, your objections to open source licensing models don't ring true. Here's what I suspect is going to happen. The OSVDB project is going to brand itself as a "community" and "open source" effort, harness the hard work of hundreds of volunteers, and then it's going to get "bought" by Digital Defense in a year or two, and they are going to start trying to squeeze revenue from it. Look what happened to Bugtraq after it was bought by SecurityFocus (and then later by Symantec). Why else would the company be bankrolling it? Out of the goodness of their hearts? Hell, even CERT started charging for advanced vulnerability notification last year.
You could go a long way towards dispelling these concerns (which have been voiced by others in other forums) by actually making the project open source (GPL, GFDL, or BSD), instead of just using the phrase "open source" as a marketing term.
Calling something "open source" doesn't make it open or free (as in freedom). There are three issues of concern here.
First, the licensing terms. Why didn't they license the OSVDB database under a free license, whether it be GPL, GFDL, or even the BSD license? If OSVDB and its sponsors (including primarily Digital Defense, Inc., a privately held computer security firm) retain complete ownership of the content, and nobody has the right to fork the database or create derivative works, I can't see why it's being spun as "open source".
Second, I was concerned when I read the OSVDB's statement of intent to comply with the DMCA. A non-free (read: non-forkable) database based in the United States might not be the best idea. One DMCA injunction could shut it down. Since, from my reading of the terms and conditions, nobody has the right to duplicate or fork this database, the work could not continue outside the US if a DMCA injunction shut it down.
Third, the issue of neutrality and bias. I don't believe that a non-free database sponsored by a private security consulting firm based in the United States will be able to remain neutral for long. Private companies are under no obligations to disclose their partnerships or agreements with vendors.
You know, there are non-trivial, free (GFDL) databases out there...the precedent exists for high quality, truly FREE content. I hope OSVDB considers licensing the content under the GFDL or BSD license.
However, as users of these services are rarely audited or asked to produce their business license, the purchaser can potentially conduct criminal background checks, Social Security number identification and other checks on anyone for a small fee.
This has been available for years. You can already do a combined credit check, criminal history check, and background check (including known aliases, current address, past addresses and cohabitors, marriages, divorces, etc.) for under $100 from sites like USSearch.com. All they ask for is your credit card number -- they don't care if you're a business owner, stalker, or what have you.
Java is already more ubiquitous than C# -- so what would Sun stand to gain from setting it free? For all intents and purposes, it's as free as I need it to be. I have full access to Sun's source code for the JVM and the Java classes. I can use the JVM for free in commercial applications. I have many different virtual machine implementations to choose from, on a wide variety of platforms. I'm afraid that setting Java "free" is going to lead to future revisions of the language being designed by committee -- we don't need another C++ thank you very much.
5 inches is actually an inch and a half shorter than what I was told the average was back in junior high. This came from supposedly authoritative information during sex ed.
I bet there's some fun conspiracy out there, some Illuminati-type group of small dicked educators who are trying to bolster their self image by reporting a lower average.
Nah, they probably just recently factored the Chinese population into the equation.
> All of a sudden, your lean & mean OpenBSD machine needs all the tools to compile an OS.
Errr, no...that's what staging servers are for. You build the stuff on the staging server, deploy it to a COUPLE of test machines, make sure it works, and then deploy it to all the other systems once you've tested it. On OpenBSD, man release for more information.
I like Wikipedia, so I sent $10 their way. I'm glad to see they raised over $20,000 in two days. I know I'm going to be marked off-topic for this, but while you're in the giving spirit, consider that tens of thousands of people were killed in Iran from Friday's earthquake, with many tens of thousands more people left without shelter, food, or water. Without blankets or clean water, lots of babies are going to die over the next two weeks from exposure and diarrhea.
I donated to Mercy Corps because they are working in Iran and they have a very high dollar efficiency rating, but you could donate to one of the dozen or so charities listed at the bottom left on this news story.
People have had good luck with the Soekris hardware for these types of applications. In particular, they make tiny x86 computers that you can mount on the wall, they are optimized for wireless applications (they run Linux, *BSD) and they have very low power consumption and no moving parts. TechTV ran an article on how to build a Linux-based WAP with the Soekris Net4521.
I've been using one of their older models, the Net4501, for over a year now as an OpenBSD firewall. It's nice to have a configurable firewall in my home office that makes zero noise whatsoever.
Lately they've been acting like racists and moral cowards. They proactively withdrew membership privileges and publishing rights for Iranian students and researchers. See also this article for an explanation.
Re:Rule Engine Frameworks (on Jess in Action)
Our NeXpose security scanner uses JESS to perform vulnerability assessments against remote systems. The expert system is a nice way to have NeXpose not only identify vulnerabilities, but also take advantage of the vulnerabilities to perform more tests. It can be done without an expert system, but it works very nicely using JESS.
Government censorship is certainly dangerous, but I think the self censorship practiced by the media (including the U.S. media) is more insidious.
Consider the story that the BBC ran in early 2001 about the theft of the U.S. presidential election. The BBC is not some indie rag, but the story was not picked up by ANY of the U.S. media until almost a year later (too late to do any good).
Whatever you think about Noam Chomsky, his theory on media self censorship is worth hearing: The media doesn't make money by selling news to audiences. It makes money by selling audiences to advertisers. In other words, advertisers must be kept happy at all times. The media chooses which stories will be reported on, but more subtly, it chooses how issues will be framed. The choice between the "right" and "left" viewpoints on issues that we are given in our media is often a false dichotomy. Whole ranges of opinions outside the liberal/conservative framework are ignored.
So pay attention. Don't rely on the news media to filter things for you. Get your news from multiple sources, including sources outside the U.S. Try out The Agonist and TerrorWatch and some other samizdat news sites. Don't always believe what you hear about Arab news networks. It is your responsibility to educate yourself.
In my post I specifically said "a DNS-like system". In your response you described a system that works nothing like DNS, so let me clue you in.
DNS works by using hierarchical mnemonic names with uniqueness enforced by a registry. It allows you to map these UNIQUE names to IP addresses. I don't know about you, but when I try to visit a website, I don't type into my browser "I'd like to visit the website of Bill's Soda Company in Wilmington", I type www.billsodaco.com. It works pretty well.
I agree with Bladerunner as the top pick, but I thought Brazil should have been in there (how can you pick Terminator over Brazil?). Oh well.
Yes, you are wrong.
Do a KaZaa or other P2P search for 'chomsky' and try out some of Noam Chomsky's speeches.
If you want pure entertainment, you can't beat the folks at ZBS Radio who make some great sci-fi shows (Ruby/Jack).
> Except for rap, everything else is better on the East coast. ;-)
You forgot basketball.
Yes, I'm interested in seeing some references. Post them here.