Fedora, Red Hat Enterprise Linux, and CentOS come with a reasonable Netfilter (iptables) configuration by default that allows the necessary operations. It can easily be configured to allow extra ports, trusted interfaces, etc. It often gets turned off because it's supposedly too hard.
Fedora, RHEL, and CentOS also come with SE Linux enabled by default; it gets turned off more often than Netfilter.
I find it difficult to believe that any significant portion of IT budget goes to security when I see so many people turning off things that are free and relatively easy to use.
Many local papers don't have original comment and will end up dying. But I believe that there is a need for quality local news sources (maybe a blog and a wiki could combine as a news source for a locality with volunteer journalists, a paid editor and Internet advertising).
There is a real need for local news. What do you want to know about, the horror crash in another city that killed 20 people or what the police were doing when they blocked off the street behind your house?
If I could syndicate RSS feeds of significant international news (about wars etc), moderately significant news for my country (including changes to tax laws and other things that affect me), interesting and useful news about my state (changes to public transport, information about local celebrities), and trivial stuff related to my locality (like the car that caught on fire at the end of my street) then my news requirements would be met. Put AdSense for feeds on all of that and there should be enough money to be made to pay for it.
They should adopt a capitalistic system and auction the tickets. If they sell tickets for $150 when fans want to pay $300 then it's natural that there will be a black-market in them.
Whenever you see a documentary about life in the Soviet Union it always shows long queues to buy goods and black market people selling them at the market price. It's exactly the same situation with concert tickets in first-world (supposedly capitalist) countries now.
Charge what the fans want to pay, sell the tickets at auction (I'm sure that eBay would be happy to create a special online store for them) and everyone will be happy. The performers get more revenue from higher ticket prices, the fans avoid queues and simply pay what they think tickets are worth (or miss out if other people value the concert more highly), and the middle-man only gets a few percent (as opposed to Ticketmaster getting 30% or more when fees are taken into account and scalpers adding another 100% mark-up).
http://en.wikipedia.org/wiki/NetTop
I'd like to see something like NetTop (see above URL) implemented in hardware. Imagine if you could have a Windows session running under VMWare (or similar) and, when (not if) it gets rooted, use Linux to recover it. NetTop allows doing this now (at moderate expense and some difficulty); if there was a cheap version of the same thing implemented in flash on the motherboard (so it didn't even add to the boot time) then it would significantly increase the security of the entire Internet.
It seems that the battle for desktop security has been lost by the company with the most market share. So the battle is now to contain the damage when a desktop machine is 0wned. Technology with features similar to NetTop allows having a full local firewall in front of a Windows VM controlling which network interfaces it accesses. For example you could have one Windows session with access to the Internet and one with access to the corporate Intranet and not allow them to talk to each other!
To summarise the NetTop project: it has a base OS of SE Linux with custom policy to prevent VMWare sessions from talking to each other (they can't access each other's block devices etc). To access a CD-ROM or other removable media you have to assign it to one session (which denies access to the other VMWare instances). Each VMWare session can have access to some subset of the network interfaces (which may be VPN interfaces, allowing a single Ethernet cable to carry data classified at multiple levels).
Aliasing to "-X" is a really bad idea. If one of the servers you administer gets cracked then the attacker can probably take over your session and crack the others (the -X vs -Y distinction doesn't seem to gain you anything with current implementations).
If you wanted that you could always set "ForwardX11 yes" in /etc/ssh/ssh_config.
The Port setting for the ssh client can also have a default value in /etc/ssh/ssh_config under the "Host *" section. This means that you could make the default be the non-standard port you usually use, but easily be able to add sections for the hosts you connect to which use the standard port (or a different non-standard port).
As for your FTP issue, why do you have to restart FTP? Why not just change the firewall?
You are correct that there are some situations such as routers that block ports. In those cases ports such as 53 or 443 can be used (depending on what your router blocks and what other legitimate traffic you have going through your network).
Using a different port saves network bandwidth and also human bandwidth when reading the log summaries. This means that more time can be devoted to analysing log data that is not a result of simple bot-based attacks.
Disabling password based login is a really good idea!
In the old days attackers would often make a machine their home as you describe, do you have any evidence that the serious criminals (the ones that the article is about) do this now? I suspect that only hobbyist criminals do such things nowadays.
If you use a CLI session then you either have a TCP connection leading back to where you are (a bad idea if you don't want to be caught) or you bounce the connection between multiple machines (giving serious problems of lag). An IRC (or similar server based) control interface is simply a better way to manage a number of remote machines when you don't want people to know that you are connected to them.
If you have a remote-control system in place based on IRC or a similar protocol (maybe a protocol you wrote yourself) then the benefits of Linux over Windows in terms of remote administration are dramatically reduced.
Run your sshd on a port other than 22. Most attackers only scan the well-known ports. Running your sshd on a different port removes a lot of the noise from your logs and allows you to concentrate on the real issues.
The "Host" sections in the /etc/ssh/ssh_config file allow you to specify which port to use for each host you connect to (so you don't need to type "-p 1234" every time you connect).
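The resolver below is an added example, not code from the original comments or from OpenSSH. It reimplements the rule ssh applies to Host sections in ssh_config (the first value obtained for a keyword wins, scanning top to bottom) over a constructed config, to show why the "Host *" block that carries the default Port has to come after the per-host sections rather than before them.

```python
import fnmatch
import re

# Constructed sample ssh_config (not the page's own file). Per-host blocks
# come first because ssh keeps the FIRST value it obtains for each keyword;
# the trailing "Host *" block only supplies defaults for what is still unset.
GOOD_CONFIG = """
Host legacy.example.com
    Port 22

Host jump
    HostName jump.example.com
    Port 4422

Host *
    Port 2222
    ForwardX11 no
"""

# Same settings with "Host *" placed first: every host now gets Port 2222,
# because the wildcard block has already set Port before the specific
# block for legacy.example.com is read.
BAD_CONFIG = """
Host *
    Port 2222
    ForwardX11 no

Host legacy.example.com
    Port 22
"""


def parse_ssh_config(text):
    """Return (patterns, {keyword: value}) blocks in file order. Keywords
    before any Host line apply to every host, so they go in a leading
    block whose pattern list is ['*']."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)      # first value in a block wins
    return blocks


def host_matches(host, patterns):
    """ssh semantics: a matching negated ('!') pattern vetoes the whole block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def effective_option(text, host, keyword, default=None):
    """Value ssh would use for `keyword` when connecting to `host`: the
    first value found in any matching block, scanning top to bottom."""
    keyword = keyword.lower()
    for patterns, options in parse_ssh_config(text):
        if host_matches(host, patterns) and keyword in options:
            return options[keyword]
    return default


def shadowed_options(text):
    """(host pattern, keyword) pairs that can never take effect because an
    earlier block matching every host ('*') already set that keyword."""
    seen_global, shadowed = set(), []
    for patterns, options in parse_ssh_config(text):
        if patterns != ["*"]:
            shadowed += [(" ".join(patterns), k) for k in options if k in seen_global]
        else:
            seen_global.update(options)
    return shadowed
```

Running shadowed_options over a real ssh_config is a quick way to catch a per-host Port that the "Host *" default silently overrides.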
Iftach Amit says "Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks". If you root-kit a machine then regardless of OS you can create whatever packets you want. Bypassing the IP protocol stack and sending raw data on the wire can't be particularly difficult if you are trying to conceal processes from the equivalent of "ps" and avoid other methods of detecting your code.
While I agree that Linux is a reliable OS, I doubt that is a reason for attackers to target it for running phishing web servers either. A good reason for targeting an OS is that you know it well and can easily write code for it. Given that many insecure machines can be obtained running any OS you please it makes sense that attackers will target their attack on machines that they know well. Maybe the criminals in question just enjoy Linux programming!
http://survey.netcraft.com/Reports/200708/
Then there's the issue of where servers are located; if you want reliable servers on the net then often the location of the server (in terms of a server room with UPS etc) is more important than the OS. What's the server market share for Linux? The above URL shows Apache leading the field for web servers and most Apache installations run on Linux...
It seems that if you want to own some web servers then aiming at Apache on Linux gives the largest number of potential targets - whether that gives the largest number of vulnerable targets is another matter.
The traditional operation of VMWare has been to simulate (in software) operations that are not permitted by hardware (for example requests to change virtual memory mappings). The default mode of operation of Xen is to have the Xen hypervisor expose an API for Xen enabled kernels to use to request such operations (it's basically a system call to change memory mappings etc).
I believe that recent versions of VMWare and Xen support the virtualisation features of the latest Intel and AMD CPUs so they can run unmodified OSs (without special Xen kernel support) at full speed (software emulation of protected-mode instructions is very slow - the fact that such instructions are not used often means that overall performance may not suffer much). But not owning a machine with such hardware I have not had a chance to test this.
The Dom0 in Xen provides the kernel and initrd to the Xen system for booting; the process which does this runs as root, and if it is compromised then you lose.
PyGrub expects that the root device is partitioned and searches on partition 1 for the GRUB configuration. This is bad because it requires you to have a partition table which makes things inconvenient if you want to resize the disk space provided to the virtual machine.
I run my Xen DomUs with a single virtual disk per filesystem and no partition tables (the DomU mounts /dev/vbda or /dev/hda etc), and I can easily resize any filesystem at any time by stopping the DomU, extending the LVM volume, and extending the filesystem.
This doesn't work with PyGrub. I could fix the bug but I haven't bothered - it's easier to just have the kernel and initrd stored outside the filesystem managed by the DomU.
This configuration makes it easier to manage (one kernel and initrd for multiple DomUs) and avoids security issues with PyGrub.
I wonder who tested the "gay bomb" for the US air force?
Sounds like a good excuse for some guys who were gay already "we're not gay, we're testing some new weapons". If they didn't ban gay men from joining the military this wouldn't be a problem.
Alexander the Great seemed to be successful in his military campaigns with a significant number of homosexuals in his army. Maybe the US military would be more effective if they used the "gay bomb" on their own guys.
The research that showed people eating more soup (without feeling more full) if the bowl was filled without them noticing is not interesting on its own. But if the opposite is true then it may be commercially successful.
What if you had a soup bowl that sucked soup out without the eater noticing? If they felt full after believing that they ate a large bowl of soup then it might make dieting a lot easier!
If the appearance of food size determines how much people eat then maybe different shaped bowls could affect how much people eat. Maybe a bowl that makes a serve of food look big would encourage people to eat less.
A small portion of what I learned during my B.Sc degree (majoring in Computer Science and Software Engineering) came from the actual course work. Most of what I learned came from being in an environment with many intelligent people who wanted to learn (which comprised a minority of staff and students), having access to a well-stocked library, and having access to good hardware resources (lots of expensive Unix systems with man pages online).
Now I have a choice of Linux distributions, three different BSD distributions, and OpenSolaris that run on hardware that I can find in a dumpster.
If you want to read in the library (not borrow books) then anyone can use a university library (they don't check ID when you enter).
So in regard to actually learning Computer Science the main thing that universities offer is an environment where the intelligent people who want to learn are in less of a minority than the general population.
I'm sure that CS is not the only area of study that could be completed without a university.
Of course if you want to get a job with high pay then university degrees still have something to offer. ;)
The discussion on this topic seems to confuse several issues. There is the issue of high assurance software which as the document [1] indicates can be done on free software (but generally isn't).
Then there is the issue of proving that a system has not been compromised before or after installation (how paranoid are you regarding where the source came from?). It's a pity that so many developers don't sign their source releases (that includes me, I'll have to do better for future releases).
There is the issue of whether users are at fault (the actual topic for the discussion) and the related issue of whether typical Windows users are given such a selection of bad options that it's not their fault for getting it wrong.
All of these are worthy issues, but it seems to me that trying to discuss them all on the one thread gives more heat than light.
[1] http://www.dwheeler.com/essays/high-assurance-floss.html
Let's assume that anyone who likes Ogg and is seriously into music will compress their music with both Ogg variants and use the best variant for each file.
Therefore we should also consider taking the best of the two results and comparing it to mp3.
From a quick look at the results it appears that Ogg will still be edged out by mp3 when analysed in such a fashion, but it's much closer.
Also a test on several bit rates would be useful.
All they have to do to revoke the statement is to create a new company (costs $1000 or less depending on where you are) and then assign the patent rights to the new company.
This is not binding on them at all.
Here's what Alan had to say on the matter:
The assurance simply says you cannot use it. Using it for authorization for applications, or services is excluded. That makes it useless
He seems to like it less than I do.
Oh well, it'll be good if this goes to court, having the NSA (represented by the Justice Department) defending the GPL would set a good precedent.