The security of open source software has been both idealized and made the subject of targeted disinformation.
Generally, two philosophies exist:
that open source is more secure because it is more rigorously reviewed;
and, that proprietary software is more secure because access to the source code is limited.
While seeming contradictory, both schools of thought have validity depending on circumstances. Open source philosophy states that open source software cannot rely on obscurity for security: because the source code is transparent, security must be implemented well at the source code level. Also, open collaboration is thought to result in the earlier discovery and correction of security flaws, an aspect of the thesis that "given enough eyeballs, all bugs are shallow."
If you treat it like a business problem and do a cost/benefit analysis, which is what Schneier is suggesting, it may turn out to be true in this case that the cost to fix the security hole is far too expensive to cover the risk. This is common for many large businesses, where they may treat the lives of people in their data center differently and hence put additional physical security controls there vs. someplace else as part of their Business Continuity / Disaster Recovery threat assessment process. It is always a tough thing to do when you ask the question of how you place a value on human life. The air force puts a value on the cost to replace a pilot vs. a plane, but how do you place something similar on a passenger?
Link to the actual Telstra social media policy itself and the blog post launching it.
This video is being hosted on the Discovery Channel, and they have two stories before the robotic foosball player:
http://watch.discoverychannel.ca/daily-planet/february-2009/daily-planet-february-3-2009/#clip136425
Navigator? Should use IE8
He was referring to the navigator of the sub and not Netscape Navigator.
Other than putting thousands of entries in my hosts file to block IP ranges, what options do I have to restrict access to locals only?
Instead of trying to blacklist entire IP ranges that can't access your web board, i.e. instead of a deny ruleset, put in an allow-only ruleset. For example, you could plug in only your university IP range in the allow list and issue redirects with a proper error message to anyone outside of the allowed range.
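As an added illustration of the allow-only approach described in the reply above (example code written for this page, not from the original comment): an IP allowlist check for a web board, with one caveat the comment does not spell out, namely that the client address has to be taken from the TCP peer, and from X-Forwarded-For only when a trusted proxy set it. The ranges, the proxy list and the error page path are constructed placeholders.

```python
import ipaddress
from typing import Iterable, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed allowlist: documentation prefixes standing in for a campus network.
# Substitute the ranges you actually own (an assumption, not taken from the comment).
ALLOWED_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
    ipaddress.ip_network("127.0.0.1/32"),
]

# Reverse proxies whose X-Forwarded-For header is believed (also constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Where visitors outside the allowed range are redirected (hypothetical path).
ERROR_PAGE = "/access-restricted.html"


def parse_ip(value: str) -> Optional[Address]:
    """Parse an address literal; None if it is not valid IPv4/IPv6."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def effective_client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> Optional[Address]:
    """Pick the address the allow rule is evaluated against.

    X-Forwarded-For is client-controlled unless our own proxy set it, so it is
    honoured only when the TCP peer is a trusted proxy, and then only its last
    entry (the address the proxy itself saw), never the first, client-supplied one.
    """
    peer = parse_ip(remote_addr)
    if peer is None:
        return None
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        hops = [h for h in x_forwarded_for.split(",") if h.strip()]
        if hops:
            return parse_ip(hops[-1])
    return peer


def is_allowed(addr: Optional[Address], allowed: Iterable = ALLOWED_RANGES) -> bool:
    """True only for an address inside one of the allowed networks; None fails closed."""
    return addr is not None and any(addr in net for net in allowed)


def decide(remote_addr: str, x_forwarded_for: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """Allow-only policy: 200 for allowed clients, otherwise a 302 to the error page.

    Unlike a deny list, anything not explicitly listed (new ranges, unparseable
    input, spoofed headers from untrusted peers) ends up on the restricted page.
    """
    addr = effective_client_ip(remote_addr, x_forwarded_for)
    if is_allowed(addr):
        return 200, None
    return 302, ERROR_PAGE
```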
One thing I can't figure out is why Apple needs to shut down their online store for updates. I would hope that they would treat it like any other rollout: create a test environment, make the necessary changes to your portal, update it with all the new toys and products, and then elevate it to a production environment with the old portal pointing to the newly elevated site.
They'll also suggest a whole bunch of other, probably not so helpful stuff.
Sometimes ideas by employees just work. I know of a company which saved a couple hundred thousand dollars through an employee suggestion to change the default laser print settings from high quality to normal quality. You would be surprised sometimes, in these economic conditions, how many dollars a simple employee suggestion could save. Those dollars saved probably saved some jobs.
Nice in theory. In practice that will just become like the US patent system: you will have people submitting tons of general ideas that will prevent other employees from submitting "derivative" ideas and/or could interfere with the company's already ongoing projects.
Not always true. Most companies retain all IP (in this case, ideas), whether on print or electronic media. So any upgraded "derivatives" can still be retained and put into concept.
When you don't need TrueCrypt or, for that matter, any whole disk encryption software
A crypto nerd's imagination:
Person1: His laptop's encrypted. Let's build a million-dollar cluster to crack it.
Person2: No good! It's 4096-bit RSA!
Person1: Blast! Our evil plan is foiled!
What would actually happen:
Person1: His laptop's encrypted. Drug him and hit him with this $5 wrench until he tells us the password.
Person2: Got it.
Source: http://xkcd.com/538/
Outside of Googlifying this with Gears, using IMAP with my Outlook or Thunderbird solved my offline Gmail problem. Connect back to the network, sync and good to go. Nothing new here.
Security awareness among the general user population has improved considerably. So, as a corporation which makes a living out of selling software, would it be outlandish to suggest that they intentionally post a malicious version of the software on torrent sites? If more of these situations happen, would at least the security-conscious people abandon downloading software and consider buying? Maybe.
A very interesting way to solve the case of a slow system, by Mark Russinovich:
http://blogs.technet.com/markrussinovich/archive/2008/09/24/3126858.aspx
In the good old days, security analysts could discover and analyze any malicious mobile code with relative ease. Also, malware functionality was easily visible. Hence, there was no need to perform an in-depth analysis of the malware.
Today, malware writers are aware of the various forensic techniques: they detect when they are running in a virtual machine, are aware when some tool is being used to unpack a piece of malware, conceal network traffic, leave a minimal footprint on the system they are trying to infect, provide remote access (backdoor/trojan), and even disable AV and bypass firewalls. All this at a time when malware code is increasingly designed to obstruct any form of security/forensic analysis.
Contests like this help document the steps taken during a typical malware investigation, make note of the results, and can help others evaluate or repeat the analysis.
Link to the winning papers of the malware challenge: http://www.malwarechallenge.info/results.html
This is where you have the campaign mode and the online mode. You get up to speed with the campaign mode, learn the levels (aka the maps) in the online mode, and when you think you are ready to play ball, welcome online. You will find that in a game like Halo 3 or COD4 you should not underestimate the concept of teamwork. If you are starting out, just follow someone and try to keep assisting them.
Interesting that the FBI uses Plone as their CMS and not WordPress, and that they have IE compatibility CSS code like the rest of the planet.
Clue: Is there a reason why they have the crypto code displayed as a Flash file and not a simple PNG or JPEG file?
The links in the article point to the FBI challenges in 2007 and the kids' challenge but do not point to the 2008 challenge.
Here is the FBI Cryptanalysis Challenge 2008: http://www.fbi.gov/page2/dec08/code_122908.html
Other helpful links for reference:
2007 challenge: http://www.fbi.gov/page2/nov07/code112107.html
Kids challenge: http://www.fbi.gov/kids/k5th/jobs9.htm
Agree on the Wii part. When people make the comparison that the Wii should not be compared with the 360 or PS3 because it is not a next-generation gaming console... OK, agreed, but at the end of the day, they are all fighting for the same $300 consumer dollars. So, it does affect Microsoft's bottom line.
LOL. True. But Business 2.0 made much more realistic projections, and my intent was to set a benchmark there.
None of these scenarios represents the future for Microsoft. A much better thought-out future was done by the now defunct Business 2.0 on Google: http://money.cnn.com/magazines/business2/business2_archive/2006/01/01/8368125/index.htm
1. Desktop Operating Systems: Granted, Microsoft's cash cow of desktop operating systems had better evolve. I don't agree with the statement on Office 12, which is much better than previous versions. The same can't be said of Windows Vista or Windows 7. They had better start working on IE 9, which should be open source and standards compatible for starters. The future of the desktop OS is the browser and technologies like Gears, Silverlight and AIR.
2. Server OS: Microsoft will probably retain the 50-50 ratio on the server side, and Server 2008 is excellent with AD. However, it may have to think long and hard about Hyper-V because virtualization is going to be the future on the server OS side.
3. Gaming: With the Xbox division, they will be making their $$ off Xbox Live and not by selling the console. Xbox Live is very stable and provides an excellent online gaming experience. Sony's Blu-ray victory won't last long because for movies and all, it's going to turn to a streaming model. So MS had better start putting TB drives in there or make them generic for the users to swap them out.
4. Application Dev: Eclipse is a good alternative, but MS Visual Studio is one of the best IDEs out there. It is not going to die anytime soon.
5. R&D: Microsoft's labs may not match Google currently, but they are coming out with some cool stuff. Photosynth comes to mind. With their "Surface" technology evolving it will be interesting. http://livelabs.com/projects/
O'Reilly calls out OpenOffice as primitive, and it seems like they need to use the proofing tools they recommend: "A more privimitve and less supported OpenOffice.org 2.0 version of the template is available at https://prod.oreilly.com/external/tools/temp lates/openoffice/ORA/trunk/ (username: guest, leave password blank)."
Port 445 has already been used by so many other attacks, including the Sasser and Nimda worms, that even if a new worm were to be created, it would probably not change things. The people who have 445 exposed, and therefore would be vulnerable to attack by last week's exploit, will likely already have been compromised by anything that's been going around for the last three years. People are desperate for something to happen in the security space because it has been so long (since a major attack).
If I were a cop, I would go get an iPhone, subscribe to this service, wait for a "vigilante" to report me, shift position, and profit from the next guy speeding away.
From the article: "Enabling Air Force servers to evade or dodge electronic attacks, somehow". Like they say... the most secure computer is the one that is unplugged.
I think we need to be prepared for a new generation of phishing. There can be an unlimited number of these going around. How about a registration for a patch, and someone gets a mail linking to http://www.ms08-067.microsoft.patch/ promoting it as the patch for the latest RPC exploit?