I don't care anymore. Conversation has gone on too long for me.
I find it amazing you don't see the difference in security here.
It's not that I don't see the difference and it's not as simple as black and white but the fact remains that if you have to delegate security down to the point at which it ends before you begin routing through the public network then you're already insecure to begin with. I mentioned that SSL is relatively secure and if the person is connecting to sites in which security is a must then SSL makes a VPN a moot point and it's ignorant to assume that he's all safe and sound if he just runs a VPN to his home or a VPS.
He needs to address security on the level where it's relevant to the type of data he needs to secure, and a VPN is not the place to do so in this case. SSL on the other hand ensures that the connection to his point of interest is relatively secure regardless of where he is connecting from. I am amazed that I have to defend this idea. He either needs to use SSL to connect to secure sites, in which case a VPN provides nothing for him, or if he does not use SSL then what security does a VPN provide for him anyway? To assume your home connection is secure is utter nonsense; maybe in your head it's more secure than a WiFi hotspot, but the point is it's not secure to begin with, so in that case who cares if it is more secure than a WiFi hotspot.
You can route the DNS through the VPN. To be fair, this may still be possible, but they're working on that -- I think the whole point of DNSSEC is to prevent it.
DNS spoofing can occur anywhere and DNSSEC is based on SSL. SSL is flawed for many reasons which cryptographer DJ Bernstein has pointed out (DJ Bernstein is also the person responsible for why cryptography is no longer on the US export prevention list). SSL is a trust mechanism with people you don't know and SSL is exploitable.
Please give an example of an SSL exploit that has been added at all recently -- even one which has been added within the past two years.
http://it.slashdot.org/story/09/11/16/2327230/SSL-Renegotiation-Attack-Becomes-Real?art_pos=2 Nov 16th, 2009 at 18:30 EST
Would you rather broadcast your password over the fucking air for anyone with AirSnort to hear? Or would you rather send it over the still suspect, but much more reliable switched networks of your ISP, the server's ISP, and the public Internet?
The issue is that they are both suspect connections. Unfortunately Slashdot does not provide SSL, but his banks and creditors will. Simply moving your connection from one suspect connection to another does not mitigate the risk; the risk is real, and all you change is where the vulnerability occurs.
Except at home, I use relatively secured Wifi, and mostly, physical ethernet cables.
... And that gives you a secure connection inside your LAN. Agreed! We are discussing someone who wants to connect to the Internet.
I agree completely but then again I would never expect a kiosk to be safe. Also regarding my previous posts, perhaps a lot of people will find me paranoid and I may be but I also work exclusively in security and I think it's important people weigh how secure they really are vs. how important the information being transmitted is. The poster mentions using a laptop (which excludes kiosks) but if he is connecting to banks and creditors then SSL is almost always guaranteed. SSL moots the point of a VPN to begin with. I wish people would stop posting so many comments that VPN is a security solution because in this instance it is not and I am amazed how many people seem to believe that a VPN will somehow protect the traveler when they know that data _WILL_ be traveling out of the VPN. What is it these people think a VPN is going to provide here?
Agreed. What I don't understand is everyone assuming their home connection is safe to begin with. Scroll up for my previous posts.
Just as a follow up to myself here. To assume your home/office/VPS/whatever is a secure connection to begin with is ignorant. A VPN from the WiFi to your home/office/VPS/whatever and then routing out over the internet like normal from your endpoint is simply moving the location where your data is at the most risk and doing nothing to mitigate that risk. Again, the VPN was not designed for this type of security nor does it provide it. Etch it into your heads, the VPN provides only a secure connection to the endpoint and once it leaves there then the VPN is in no way whatsoever protecting your data.
You missed my point: yes, you can route all your traffic through OpenVPN, but what does that accomplish? Yes, people on the wifi can no longer sniff your traffic, but it's an utter joke to think you have solved your security woes with that. What happens is you have an encrypted connection for all traffic from the wifi to your home/VPS/office/whatever, but every hop on the route beyond your endpoint is a spot where your traffic can be sniffed. If you don't appreciate the security concern here then you might as well not bother protecting yourself on the wifi in the first place. SSL will stop people at a wifi location just as well as it will stop people at your home/office/VPS/whatever, and if you are using SSL to connect to these locations then the VPN is pointless for security, and if you are not using SSL then the VPN is still pointless for security. As I already mentioned, "OpenVPN was not designed to provide a proxy service to secure all your connections to everything else in the world but only between locations that you own."
He has to trust his VPS though instead of WiFi hot spots. I use OpenVPN for home to office and it works great, but with WiFi you need to take the same measures you do at home, such as SSL. Honestly though, no matter where you go, there is no absolute security because there is no such thing as absolute authentication of a host in this world. DNS spoofing can occur and SSL is becoming weaker with more exploits by the month, and when you can't trust a host certificate to be valid then you can't trust that host to be who they say they are, so the best you can do is use SSL and hope for the best at home or abroad. Also, for those who recommended OpenVPN, yes it's an AES tunnel, but only to your endpoint. Where you connect to from your endpoint that isn't in the LAN that OpenVPN is connected to is the same as connecting from home or abroad. OpenVPN was not designed to provide a proxy service to secure all your connections to everything else in the world but only between locations that you own.
Coming up on celebrity death match we have Dan Kaminsky vs. Dan J. Bernstein. Let's stay tuned. In all honesty I tend to agree with the notion that SSL is a joke and hence DNS based on SSL is just as bad. SSL suffers from many flaws that most people either don't know about or choose to remain ignorant of, based on the popular notion that SSL is safe. SSL relies on you trusting a third party as being secure when it only takes one corrupt employee to violate the sanctity of a PKI private key. Verisign, the globally trusted "omnipotent" master of SSL, dropped the ball hard a year to 18 months ago when their subsidiary RapidSSL had their MD5 private key broken, this coming from an SSL provider who was (and probably will remain) globally trusted by all browsers. This means the broken key can be used to generate SSL certificates for any domain you choose, and knowing from my personal experience those certs were not revoked, and fresh and updated installs of FF3 and IE8 still accept them. Not only can an employee be corrupted and a trusted SSL provider fall prey to a cryptographic hash collision, but a certificate provider can still be compromised, and there are enough providers out there trusted by almost all common browsers that surely one of them must be vulnerable to being cracked and having the private key taken. Additionally, DJB pointed out ( http://cr.yp.to/djbdns/bugtraq/19991114052453-12962-qmail@cr-yp-to ) that by using a spoof and having it redirect to a similarly named http host with a proper valid certificate, the average user and even some of the more advanced users can likely be conned into trusting a site based on valid SSL certificates when the site is run by a hacker. So, credit to Dan Kaminsky where it's due, this was a brilliant discovery to say the least and I thought so when I read it a year ago, but DNSSEC is as much fool's gold as SSL always has been.
I have had to install AV for a company and part of my task was figuring out which one was the most effective. Take a look at http://www.av-comparatives.org/ which is an excellent comparison site for AV products. Avira enterprise always came out on top. They have an enterprise client with centralized management etc. etc. and it works well. Of course I personally dislike Windows a ton but it's part of the job. If you want a centrally managed AV solution, keep clamav on the mail server, install clam through squid for web access and disable the CD-ROM and USB disks in Windows. That's the best you can probably do since just about everything in the Windows world costs an arm and a leg.
as a free as beer alternative?
Depends what you mean by free beer alternative.
"Software supports up to 500,000 documents" -Omnifind.
Well it had me sold till I read that. I'm not looking for this software right now, although I thought it's good to know if our firm ends up needing it, but I don't want to get software for free and then have to pay to upgrade it to capable later. Just not my style. OTOH Solr from Apache looks worth checking out further.
I just logged into the DNS server at my office via SSH and enabled djbdns on a public port. I opened the firewall to allow me to access it. Then on my home Comcast account (consumer, not business) I ran host -t a comcast.com work.dns.com (fake name) and got back Comcast's proper DNS entries. I then changed DNS for comcast.com on the temp DNS at work so that comcast.com would return an A record of 127.0.0.1, and from my home account I ran the same command. Our work systems are on a private metro Ethernet provider who is not Comcast, but either way, my home computer on a residential Comcast account connecting to a remote DNS server not on Comcast and asking for the A record for comcast.com returned the address modified as I told it to, in a way that Comcast would never approve, and it all went through fine, so it seems Comcast is not redirecting DNS in Miami, Florida.
Well I was 13 at the time, a freshman in high school, but don't let that fool you since I was also taking my first programming classes. Anyway, I didn't like Windows 95, and now Windows 98 had just hit the market and it really didn't impress me. I knew I was born to be a hard core computer geek and heard about how Linux is used not just on the desktop but also on servers, and it drew me to that whole wild new concept of "Unix" that no one I knew had ever heard of. So I bought Linux for Dummies from my local Borders simply because it had the coolest sounding distro in the back. Installed Red Hat 5, which came with fvwm95, a pretty twisted window manager. I started using Linux more and more, and as hard as it seemed (keep in mind we are talking about Linux 11 years ago), by the time I was 14 it was the only OS I wanted to use, and by the time I was 15 or 16 I had gone through Linux From Scratch. Also at 17 I created an encrypted / partition before anyone had printed a how-to for it.
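The interception test the post above describes, as an added example (not the poster's own code): it hand-builds a DNS A query, sends it straight to a nameserver you control, parses the answer, and compares it with the record you deliberately planted there. The server address 192.0.2.53 is a placeholder for your own server, and the expected 127.0.0.1 mirrors the post's test record.

```python
"""Test whether an ISP transparently rewrites outbound DNS on port 53.

Added example, not code from the original post. Mirrors the test the post
describes: ask a nameserver you control for a record you deliberately set
to 127.0.0.1, then check whether that answer arrives unmodified. Standard
library only: the A query is built by hand and the reply parsed by hand,
so the check does not depend on the stub resolver an ISP might hijack.
"""
import random
import socket
import struct

# Placeholder values (assumptions, not from the post): a TEST-NET address
# standing in for your own nameserver, and the record the post planted.
SERVER = "192.0.2.53"
EXPECTED = ["127.0.0.1"]


def build_a_query(name, txid):
    """Return a raw DNS query for the A record of `name` (RD=1, one question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(pkt, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, but keep our end
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln


def parse_a_answers(pkt, expected_txid):
    """Return the IPv4 strings in the answer section; raise on id mismatch or error."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs


def answers_differ(answers, expected):
    """True when the answer set is not what the server you control was set to return."""
    return sorted(answers) != sorted(expected)


def query_a(name, server, timeout=3.0):
    """Send the query over UDP straight to `server` and return its A records."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_answers(data, txid)


if __name__ == "__main__":
    got = query_a("comcast.com", SERVER)
    print("answers:", got, "intercepted:", answers_differ(got, EXPECTED))
```

An answer that differs from what you planted, or a transaction id mismatch, means something between you and your server answered in its place.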
Yeah it's honestly been a while since I looked at it. Still don't like Spark though. ;)
ugh. Spark client sucks IMHO. Pidgin works much better.
Yeah, I did openfire + pidgin at our work too some time ago. When I have the time I am looking to move away from openfire; granted, it was easy to install, but it is not as feature rich in the free version and I haven't tried the commercial edition. Although openfire runs on a Debian system, we use Active Directory for our roster. Right now I think logging is imperative for the workplace, and I forget the name, but there is a popular GNU jabber/xmpp server that has logging as a plugin.
When I was a freshman (age 13) at Fort Lauderdale High School, second semester, so I think it was 1999, I took a C++ class or "Programming 1" (which went up through Programming 3 and then AP Programming, which if you passed counted as college credits at your university or college of choice). Anyway, I transferred schools back to my original home town the next year and they had no programming courses, so I only ever took the one; however, I can still program in C/C++ to this day and do on a regular basis, as well as other languages I know, all because of what I began to learn at age 13 in a class. If it's any help, I actually remember the publisher of the book we used, which was Lawrenceville Press, and although it included training includes which you won't find in any real programming environment, we studied everything from creating functions to Fibonacci to classes to you name it, and frankly it was the best course I took in high school.
Oh, and Avast and AVG didn't even come remotely close, they are failboat from the get go.
I had to evaluate a bunch of independent AV studies for our corporate e-mail solution and Avira came out on top. There were a couple with slightly higher ratings in certain components but averaging everything out we went with Avira. Turn the e-mail scan off as that has caused some issues and if the AV is running then scanning the e-mail is just doing the same thing twice. The whole office seems to love it and I have had no complaints however I am the only person in the office who doesn't run Windows and Ubuntu has yet to catch a virus ;)
The problem is FTP. It is an old, deprecated protocol that is inherently insecure, and even FTP w/ SSL is simply a workaround for a broken protocol. As long as you are using insecure FTP then you are officially screwed, and I seriously doubt any company is making a product when they know FTP has the SSL option (which is a workaround, but it works). The real answer to your problem is to use a secure protocol like SSH, which does everything you just asked for natively. Now, because I just posted two easy answers to your dilemma, tell me why my company would write and sell complex time stamping encrypting whatchyamacallit software for FTP transfers? This question was already answered a decade or two ago.
Yeah, this is one way to do it. The other option, and don't ask me for details because I have never set this up, but some 4 years ago when I was a security consultant auditing some bank in "end of mile" Kansas, I found that they had enabled an 802.11b link from one branch to another at a distance of just under 25 miles. I spoke to the wireless tech the bank had hired and he stated that he rigged the switch to use more power than what the FCC had allowed, but when I had to drive from one branch to another, a tractor was the closest thing I saw to life between the two, so I don't think anyone would notice.