I used to do the same. However, what you are doing doesn't scale. You can't remember all the passwords, and certainly not enough to really be secure. And if you need to change one? It's a pain in the arse. So... don't try and do something impossible. Use a password manager, so you can use fully random passwords of the strongest length available on each site, and reset them without having to reprogram your brain. Keepass is free and open source.
Most of the general public don't understand any of the other options. The idea of a password reset link via email is that you use this password TEMPORARILY to get access to the account only. So. Click password reset link, keep email program open, wait for email, log in and reset password. If someone is that sophisticated that they can sniff my email on the way through, recognise a forum login and log into it before I do whilst i'm sitting here waiting for the reset email, they can have it.
Presumably, they mean to change your password if you use the same one on other sites. The site itself is likely OFFLINE for forensic analysis. Install a password manager (I use both 1Password and Keepass - Keepass is open source, cross platform and free, so no excuse). Make all passwords 100% random and unique. Move on.
Removing a key from authorized_keys relies on the fact that you happen to KNOW it has been stolen. If you don't know, you're fucked. Password protect your keys!
As I understand it, generally the "4 wheel drive" types have either part time 4 wheel drive with lockable/freewheel front hubs (no center differential - on bitumen you need to disengage 4 wheel drive), or a center differential which can be locked. They also usually have a dual range gearbox. AWD typically have a non-lockable center differential and single range gearbox. Though trick stuff like the EVO and higher grade STi have electronically controlled center differentials these days which has blurred the line somewhat.
Hydroplane speed will depend very much on how much standing water you have vs. tread level. Also, air pressure. Improperly inflated tyres will hydroplane more.
"Ideal" depends on what you are trying to achieve. To go fast, yes mid/rear or mid/awd is the way to go.
But unfortunately, the vast majority of the population are muppets when it comes to driving and some degree of inbuilt understeer (so that when they panic brake or mash the throttle mid-corner the car is closer to neutral or slight understeer rather than snap oversteer if the car was properly balanced) is preferable. Which is why FF cars are popular.
Mid engined cars require either electronic aids or a driver who has some level of competency to stay facing the right way around in an emergency situation.
Yeah, rear wheel drive done properly is not the homicidal axe murderer type car that some people fear, and others (including myself) know and love.
Take a big beemer or merc for a drive and understand how rear wheel drive can and should behave. Yes if you're talking massive massive power (AMG or M5, etc) then it will demand respect, but power levels that would see a front wheel drive basically become un-drivable are no problem. I actually have to be quite a dick to get my 5 series to step out. Why? Good chassis balance, well sorted suspension and massive rubber on it.
Turning my desktop icons into a plasmoid in a separate window that can be turned off/turned on (somehow by accident within my first 5-10 minutes before deciding that KDE4 was a waste of space and a regression in usability from 3.x and even 2.x) was retarded for a start.
I'm sure there's some reason that you might want to do that (mobile perhaps?) but there's no good reason that I can see for a desktop user to lose their desktop icons...
Now I'm not saying I agree with everything gnome are doing either, but KDE 4 just gave me the shits in the first 5-10 minutes and prevented me from doing what I wanted to be doing. I've never had that happen with any other desktop environment.
ALSO - MAC addresses can be changed just as easily as an IP address. If you want to be more secure, you use IPSEC, which is more secure and far easier to manage anyway - the IP is all you see.
Password auth in SSH and password protected keys are two entirely different things - password auth on your key is a client side thing; to enforce key use you turn off password auth in SSH. Unfortunately, I'm not aware of a way to enforce password protection on private keys on the server end. So your options are to generate the private key with the user under supervision or via a script or such which forces them to supply a passphrase.
It is also why you also block access to networks you don't know and preferably secure via some other method (IPSEC/VPN/etc.) first. That way, even if someone steals the private key, and it has no passphrase, they still need to get onto one of your designated management networks/machines before they can even be allowed to hit the SSH port.
When securing your stuff - always try and assume "what if", e.g., "what if someone steals a private key from a compromised client?". You can't mitigate every single possible scenario, you can certainly make it a lot more difficult than just hitting the machine from the internet via a stolen/backdoor key or passphrase.
Anyone who has public/private key access should be informed that any suspected private key disclosure MUST be reported.
Does not surprise me in the slightest. Which is why black boxes like this should be on an entirely segregated and firewalled network, and have nothing on the device exposed directly to the internet (or any other not-fully-trusted network). If any devices or vendors "need" remote access or their device to have access to the internet, I demand to know which IPs/ports/protocols so they can be added to the firewall, specifically due to issues like this. If they are not supplied, they don't get access, and management are informed as to where the holdup is. Yes, I'm lucky to have a fairly small management team who "get it" and share my concerns regarding the security and integrity of our assets (so long as my paranoia is explained/justified, which thankfully I am able to convince them of).
I'm not talking about moving it to a different port. I'm talking about blocking port 22 inbound using your firewall or hosts.allow, except for a specific set of management IPs that are preferably on the end of an IPSEC tunnel or other VPN service. If not, at least reduce the IP space that is allowed to hit that port to a well defined set of IPs that you either own or at the bare minimum belong to the ISP you use. There is ZERO reason to be listening on port 22 for connections from say, China or Russia!
Having port 22 exposed to the internet (or whatever port you move SSH to which as you say is no real defense) is just completely fucking retarded, and inexcusable in a high value service (read: high value target) supposedly installed and maintained by professionals.
Given the asshattery displayed by the browser team as of late with regards to... well, everything since say, 2005, I suspect they'll probably pick up at least 40% of the Windows Phone 8 users.
Don't listen to port 22 on the internet from anywhere. Require VPN, IPSEC tunnel, at the bare minimum, hosts.allow from a specific management network, or some other method to secure the connection first. Security is layered, don't rely on a single authentication to give people the keys to the castle, or someone will fuck you.
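The two sshd controls the comments above keep coming back to (turning off password auth so keys are mandatory, and letting only a management network reach port 22 via hosts.allow/hosts.deny) can be audited offline. This is an added example, not code from the original comments; the config text, the 10.20.30.0/24 management network and the 192.0.2.7 VPN endpoint are constructed, and only a subset of hosts_access(5) pattern syntax is implemented. Note that OpenSSH dropped built-in TCP wrappers support in 6.7, so on a current box the same allow list belongs in the firewall or an sshd `Match Address` block.

```python
# Added example, not code from the original comments: an offline audit of the
# two sshd controls discussed - refusing password logins in sshd_config and
# limiting who may reach sshd at all via hosts.allow/hosts.deny.
# All config text and addresses below are constructed for the example.
import ipaddress


def password_auth_disabled(sshd_config: str) -> bool:
    """True only if the effective PasswordAuthentication is 'no'.

    sshd honours the FIRST occurrence of a keyword, so a later 'no' does not
    override an earlier 'yes'. Match blocks are ignored in this simple check.
    """
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].strip().lower() == "no"
    return False  # OpenSSH defaults to 'yes': a missing keyword means enabled


def _client_matches(pattern: str, ip: str) -> bool:
    """Subset of hosts_access(5) client patterns: ALL, CIDR or net/mask,
    a trailing-dot prefix such as '10.20.30.', or a single address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def _table_matches(table: str, daemon: str, ip: str) -> bool:
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # optional 3rd field (command) ignored
        if not any(d.strip() in ("ALL", daemon) for d in daemons.split(",")):
            continue
        if any(_client_matches(c, ip) for c in clients.split(",")):
            return True
    return False


def ssh_allowed(hosts_allow: str, hosts_deny: str, client_ip: str) -> bool:
    """hosts_access(5) order: a match in hosts.allow grants, then a match in
    hosts.deny refuses, and a client matching neither is GRANTED. That last
    rule is the trap: an allow list without 'sshd: ALL' in hosts.deny
    restricts nothing."""
    if _table_matches(hosts_allow, "sshd", client_ip):
        return True
    if _table_matches(hosts_deny, "sshd", client_ip):
        return False
    return True


# Constructed sample: management network plus one VPN endpoint may reach sshd.
HOSTS_ALLOW = "sshd: 10.20.30.0/24, 192.0.2.7\n"
HOSTS_DENY = "sshd: ALL\n"
SSHD_CONFIG = "Port 22\nPubkeyAuthentication yes\nPasswordAuthentication no\n"
```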
use multiple service accounts with least privilege access so compromise of one doesn't impact another
The fact that an emergency services network has been left in a state like this is bordering on.... no, IS criminal negligence.
As would I, but alas... time constraints. To further what I'm talking about above..... if GNUstep is a viable Linux desktop environment, then developers on OS X can more easily port to Linux and vice versa. Yes, there will obviously be a fair amount of re-writing going on, but if the development concepts are at least similar (e.g., GORM vs interface builder, common use of obj-c, a fairly large subset of the base *step frameworks source compatible, etc.) then I think things will be better for both platforms. Objective-C is IMHO also really nice to work with once you get your head around some of the fundamentals. It's certainly battle tested and proven to be pretty adaptable, which is more than can be said for the alternatives.
Fair enough - animations don't really bother me. Used to not having a terminal on the dock/taskbar from every other OS I've used in the past 10 years or so, and have been launching apps via spotlight or the windows start menu search for about 7 years. So the launcher didn't really faze me either.
Window management I didn't notice anything horribly broken, but I guess one of my favourite window managers is wm2/wmx.
All "window management" is pretty crap if you're doing more than about 3 things. I've really gelled with the multi-full screen thing OS X has going on, and the gestures for mission control. If you haven't played with a mac recently, it's actually pretty neat. 4 finger swipe up = all your windows tiled and desktop previews at the top, 3 finger swipe left/right = change full screen apps, etc. Needs a decent trackpad though, but once you get the hang of the gestures, running pretty much everything full screen most of the time seems to be the way to go, unless you're doing something like reading documentation and working at the same time. It's almost the way I worked back in the 90s with alt+tab I guess - unfortunately that became unusable with say 50 windows on screen...
Given I'm a mac user nowadays I guess I didn't have a major problem with it. One thing OS X definitely got right is cmd+q to close ANY application. Linux world? Hahaha....
2011-2015 = 8:11pm to 8:15pm.
Unless they changed it in the last couple of years, no you don't. I (still) don't have my number in Facebook.
Banks? Yes, this isn't good enough.
This is a feature, not a bug. See: Porsche, Ferrari, BMW, Mercedes, etc.
Yes, if you drive in snow you probably want ALL wheel drive.
So what you're saying is that basically - they're useless? I.e., it's a feature tickbox item that doesn't actually provide any meaningful benefit?
Because you don't see the originating machine's MAC address when it is over the WAN.
It's really not that hard.
Works fine until 3 seconds later your X display manager attempts to re-start and takes over the console again.
Probably. But I already have that with OS X (yes, the UI is different, it's the libraries and the way they work that I want).