Slashdot Mirror


User: -tji

-tji's activity in the archive.

Stories: 0
Comments: 392

Comments · 392

  1. Their initiatives on Cybersecurity Firms Form Industry Association · · Score: 2, Interesting

    From their web site, they say their initiatives are:
    # Coordinating with the Homeland Security Department to improve information sharing between business and government on cyber threats
    # Improving corporate governance of information security
    # Improving federal procurement practices and guidelines
    # Identifying gaps in cybersecurity research and development
    # Collaborating with U.S. and international standards development organizations to support emerging technology standards and specifications for cybersecurity
    # Supporting campaigns to improve awareness of cybersecurity
    # Supporting cybersecurity academic and workforce development programs
    # Pursuing Senate ratification of the Council of Europe's Convention on Cyber-Crime.

    They sound pretty reasonable to me..

    The one that might have some bad implications is the last one:

    # Pursuing Senate ratification of the Council of Europe's Convention on Cyber-Crime.

  2. This is just good marketing research. on BudNet Tracks Your Suds · · Score: 4, Informative

    This is not big brother trying to control your life.. This is a company trying to do the best job of marketing they can. They are putting together as much data as they can, to market and sell their product as efficiently as they can.

    They're not tying this to a record of an individual person. They are not providing the data to the "Office of Homeland Security" to determine who the terrorist / non-bud-drinkers are..

    They're just trying to see who is buying their beer.

    Then, they'll use that data to more effectively target the low-income urban minorities, to keep them under the yoke of "The Man".

  3. Re:The greatest threat to my liberty... on Viet Dinh Defends The Patriot Act · · Score: 1

    Come on, dude.. that myth was debunked after the last election.

    Sure, all the centrist crap they spout during the campaigns was very similar. But, once elected the radical Republicans closed the blinds on their presidency, took an extreme corporatist stance, and blurred the separation of church and state. After 9/11, it just got more extreme.

  4. Re:shouldn't ATM machines be designed better? on Visual Autopsy Of An ATM Card Skimmer · · Score: 1

    It seems like a lot of the banking system should be redesigned with modern security..

    Think of the security behind checks, or wire transfers in U.S. Banks.. They rely on bank routing numbers and account numbers printed on the checks. It seems to be a pretty weak web of trust. As far as I can see, the only security is the record of the transaction.

    But, I guess it's one of those things where it's cheaper to pay for the fraud than to re-implement securely.

  5. Re:550 Pounds of money?!?!?!? on Visual Autopsy Of An ATM Card Skimmer · · Score: 3, Funny

    That's actually true.. If you take your cash in nickels.

  6. IPSec working.. on Security Update 2004-02-23 Released · · Score: 4, Informative

    I am not sure what they changed in IPSec, but I installed the updates and my VPN connections are still working fine to a Check Point VPN-1 device.

    I looked through the man page for racoon.conf, and didn't see any functionality updates mentioned there. I was hoping they had added patches for NAT Traversal or xauth.

  7. This is not a future thing - AMD does it today on AMD Could Profit from Buffer-Overflow Protection · · Score: 1

    The Opterons and A64's have the ability to mark the stack as non-executable. This will stop common buffer overflow exploits, which run code off the stack to gain privileged execution.

    But, the OS needs to enable this, and I think it may only be available in 64 bit mode. The article mentions that the 64 bit XP will use it. Does anyone know if the x86-64 Linux kernels use this feature?

  8. Re:SUN's hand is revealed on ZDNet Examines SCO Indemnity Options · · Score: 4, Informative

    McNealy has been spewing FUD since SCO first announced their lawsuit. This guy's talk prior to the lawsuit would imply that Sun was not just responding opportunistically. They knew about it beforehand, and maybe even contributed to it.

    See this article for some McNealy FUD right after SCO started this. Such as:

    "We think open source is wonderful and good, but we also believe in copyright and the rule of law," McNealy said.

    "We paid a big, big bag of money a decade ago to get IP (intellectual property) rights to do what we wanted to do with Solaris," he said at a press conference announcing a new line of Intel-based servers on Monday. "We've got a free and clear SCO license. Your audit committee won't get a letter if you are using Solaris." said Sun chairman Scott McNealy.

    Compare that to HP's response at the same time:

    "HP is unaware of any intellectual property infringement within Linux. The complaint is focused on alleged inappropriate behavior by IBM, it is not about infringement by Linux itself of SCO's IP rights."

    and Larry Ellison was quick to point to Microsoft as one of the groups behind the scenes:
    "All Bill (Gates) says is, 'Give me the opportunity to innovate,' and once again Bill is innovating," Ellison said during a press conference announcing an alliance between Oracle and Sun to promote Sun's Intel-based servers. "You've seen advanced bundling and now you are seeing extreme litigation...They know a lot about extreme litigation."

  9. Good thing my razor is cordless on Electric Shavers Rot Your Brain · · Score: 2, Interesting

    Aren't most electric razors these days battery powered? Mine is. So, I'm not using that 60Hz AC wall power.

    But, I assume the electric motor emits an electric field. I wonder how that compares to the field in their study.

  10. Re:Checkpoint VPN help, anyone? on IPsec on Mac OS X Panther? · · Score: 1

    I don't know if the L2TP config will work.. I briefly tried it, but moved on to straight IPSec since that's what most security products use (L2TP/IPSec is more of a Microsoft thing).

    Check Point and Panther do work together, but there are some caveats which may require cooperation from the VPN admin to work out.

    See this page for more information.

  11. Re:IPSec VPN and CheckPoint on IPsec on Mac OS X Panther? · · Score: 1

    Panther does work with VPN-1.. I am using it.
    But, some of the default configurations might be getting in the way.

    - You must use either Certificates, or "Shared Secret" authentication. (Shared Secret is not the common way to configure users.)

    - If you use Shared Secrets, gateway must be set up to support "Aggressive Mode" IKE negotiations.

    See this page for more information on Check Point and Panther.

  12. I just went through the same thing... on IPsec on Mac OS X Panther? · · Score: 1

    I just picked up a new 15" Powerbook (what a great machine), and went through the process of getting it connected to my VPN.. Here are some things I learned along the way:

    - The VPN configurable via the network settings GUI is L2TP over IPSec.. This is the same thing that Windows 2K/XP clients support. But, most security devices (Check Point VPN-1, Netscreen) use straight IPSec. It sounds like Bluesocket wants IPSec.

    - MacOS X comes with IPSec from the KAME (Kah-May, Japanese for 'turtle') project. KAME is very common in *BSD platforms, and I believe it is integrated into Linux kernel 2.6. There is a ton of config/compatibility information available for KAME.

    - Several GUI tools are available to help with VPN setup/usage. VPNTracker, VaporSec, and IPSecuritas. Some VPN vendors, like Cisco and Check Point also have MacOS VPN clients (which are probably expensive)

    - I ended up using a set of Perl scripts I found here. This allows me to see exactly what is going on, and tweak as necessary. (I also posted a few more tips about IPSec setup at that forum)

    - I found the debugging of IPSec sessions to be rather difficult. Without help from the VPN administrator, it can be very difficult to determine what is failing..

    - I was able to get the VPN working when using a "shared secret" configuration for the user. Note that this is NOT the same thing as passwords. Using passwords, SecurID tokens, or other one-way authentication systems requires XAUTH or other proprietary mechanisms (like Check Point's Hybrid mode). KAME does not support this. A better option, which will be more secure, is to use certificates for authentication. I haven't gotten around to trying this yet, but I have seen other reports of success.

    - The VPN device had to be configured to enable "Aggressive Mode" in the IKE negotiations.

    - Some NAT gateways will not pass IPSec packets. IPSec uses a different IP protocol, not TCP/UDP. So, many gateways don't know how to NAT it. KAME does not support NAT Traversal (encapsulation of the IPSec packet in a UDP packet), so when setting this up make sure you're not behind a NAT gateway.

    - KAME's configuration requires you to enter your IP address. So, as you move to a new LAN or Wireless Access Point, you must reconfigure and restart the VPN. (This is one reason I used the Perl script I linked above. It determines your current IP address automatically.)

  13. For Sale on Rob Enderle Announces Death of Bluetooth · · Score: 1

    Damn.. Anyone want to buy my new 15" Powerbook with integrated Wifi-G & Bluetooth? I'll throw in my bluetooth keyboard, mouse, GPS, and cell phone..

    Also, someone should notify the car manufacturers that are adding bluetooth to integrate cell phones or other audio devices.

  14. Re:Gibson is a Luddite, thought everyone knew this on William Gibson on his Tech Life and Latest Novel · · Score: 4, Interesting


    In a previous interview with Gibson, he said he had no clue about computers when he wrote Neuromancer. He described his disappointment upon finally using a computer. He was expecting some magical star trek experience, instead he got slow, spinning floppy disks and cumbersome interfaces.

  15. Re:Blasphemy on William Gibson on his Tech Life and Latest Novel · · Score: 1

    Same effect for me.. I read it about ten years ago, before I read other books of the genre, and I was not that fond of it.

    I liked "Snow Crash" by Neal Stephenson much better.

    "Permutation City" by Greg Egan went in a different direction, but it was excellent.

  16. Re:IPSec tunnels the kitchen sink... on Evaluating SSL-Based VPNs? · · Score: 1

    It is inaccurate and misleading to say "IPSec tunnels the kitchen sink...". Any decent IPSec client turns OFF IP forwarding, so it's not going to tunnel anything from the "dirty LAN". Some VPN Clients also provide a client firewall, check the OS for security/integrity, and integrate with other apps like anti-virus. If all those security checks don't pass, they are not allowed to connect to the VPN. That's pretty hard to replicate with a "clientless SSL VPN".

    Also, on the VPN server that it connects to, the firewall/vpn device controls exactly what is allowed to pass. So, it's not like it opens up some big hole into a network, it only allows what the admin wants.

    The IPSec clients also have the advantage of using certificates for strong authentication. Using SecurID, like your company, is a wise precaution (though the security of SecurID vs certificates/smart cards could be debated). But, I have seen companies that provide very broad access to servers in their network based only on a password.. That's scary considering the weak passwords that Joe Average User often picks, or someone installing a key-logger on a public terminal.

    I think SSL VPN has its place, but the security policy, authentication methods, and decisions about what is allowable to access via SSL are extremely important.

  17. Re:Strength of encryption versus speed. on Evaluating SSL-Based VPNs? · · Score: 1

    You are confusing the key exchange with the data encryption.

    To set up an IPSec tunnel, IKE (Internet Key Exchange) happens first, to securely establish all the necessary session and keying information. This typically uses 1024 bit RSA, and most devices also support 1536 bits. As a result of the IKE process, both sides have agreed on all the IPSec session parameters and computed a session key.

    The session key is used by the negotiated encryption algorithm {DES, 3DES, AES-128, AES-256, RC4, etc.} to secure the communications. The performance will depend somewhat on which of these ciphers is used.. e.g. AES-128 will be faster than 3DES while offering similar security. But this symmetric encryption is MUCH faster than the Public Key crypto you referenced.

  18. Why does anyone listen to ESR??? on ESR's Open Letter to McNealy: Set Java Free! · · Score: 4, Interesting

    How can this yahoo keep getting press? Why does anyone think that having him as the self appointed mouthpiece for Open Source would be a good thing?

    All of his writings show a distinct lack of depth. He has a superficial understanding of most topics he writes on, and quickly exposes that fact. I'll give him the benefit of the doubt in Unix/Linux/Coding. But, beyond that he should STFU.

    As an example, check out the ill-advised, simplistic, racist ramblings from his blog: http://www.gnxp.com/MT2/archives/001393.html

    In the Java essay, he exposes the fact that he has no clue about business financials by comparing the share price of Sun & Red Hat. Anyone who has invested at all knows this is meaningless.. A company with 1M shares @ $100 is worth a lot less than a company with 1B shares @ $33.

    So please, ignore the troll and he'll go away.

  19. e-books are irrelevant on Doctorow: Ebooks Neither E Nor Books · · Score: 2, Interesting

    As someone who recently purchased his "Down and out in the Magic Kingdom", I would say the e-book had almost no influence on my purchase. I knew about it being available online, and it did give Cory "cool points" for being involved in the creative commons and other excellent projects. But, I never even looked at the online version.

    I purchased in the traditional way.. I browsed it on the shelves of my local small bookstore. I then checked if it was available at my local used bookstore. When it wasn't there, I returned to the small bookstore & purchased it there. (The two stores are next door to each other.. very handy.)

    As Cory acknowledges, no one is going to read a text of significant duration online. Until there is an e-book reader device that can better replicate the look/feel/portability/durability of paper and won't strain my eyes, then I'm sticking to paperbacks.

  20. Re:Seems like no discount on Own a Piece of An Apple-Based Supercomputer · · Score: 2, Insightful


    Maybe, but it seems like most people have a pretty flexible view of where the cutoff line is. For example, would you pay sales tax for inter-state purchases where it was not billed as part of the transaction? You are supposed to, but virtually no one does.

    Many people would consider paying for a product, but trying to get the best possible price, completely fine. Whether this means rebates, or any possible discount you can get.

    After all, it's just a company's arbitrary decision on who gets discounts for what. Why should that company's policy mean anything to people not involved with that company? As if a professor at a university, or an employee of the government (who also get Apple discounts) is more deserving of lower prices than Joe Average.

    This is also complicated by the fact that educational discounts are often used as a way to satisfy consumers while keeping corporate prices high. Do a google search for that with respect to Microsoft. They have educational pricing for Office, with no validation, which is aimed at keeping the price for Office sky high for those fat corporations, but still allowing home users to "get a great deal" on it. So, their plan is to encourage you to break their licensing agreement.

    When I bought my Powerbook, I instead found a local "gray market" dealer who has access to Apple hardware, but does not stick to their pricing policies. So, he sold it to me for $500 below the MSRP, well below the educational pricing. Where would that be on your moral compass?

  21. Re:Take it international on Nasa Says 'no' to Hubble Reprieve · · Score: 2, Insightful

    Okay great, the precedent is there.. The concept still stays the same. Ask the Europeans and Canadians to kick in more.. enough to cover the launch. Open it up to other countries for involvement, giving them access to the telescope in return.

    Do the Russians have a vehicle capable of this sort of rendezvous while carrying the necessary parts/supplies/tools/crew? Maybe they could provide a cheaper launch option.

    The Russians could provide their valuable experience from the Mir.. Their unique brand of duct tape engineering would do wonders for the Hubble. :)

  22. Take it international on Nasa Says 'no' to Hubble Reprieve · · Score: 3, Interesting


    The knowledge gained from the Hubble is certainly not a US-only thing.. Open it up to all nations to maintain it. I'm sure that among Japan and the various European countries they could get enough $$ to run a repair mission.

  23. Bush administration stats.. on Outsourcing As A Source Of U.S. Jobs · · Score: 1

    This must be based on the same logic that Bush gave today claiming that 2.6 Million jobs will be created this year, mostly as a result of his brilliant tax cuts.

    I can't believe he can say it with a straight face, after saying similar things last year. He claimed that last year's tax cuts would create 1.7 Million jobs. Instead, 53,000 jobs were lost.

    He meets skyrocketing deficits with more tax cuts. Then tries to distract the voters with an oil war in Iraq, and protecting us from the scourge of gay marriage. Toss some faith based initiatives in there and he'll have the all important moron vote locked up.

  24. Re:CRT Resolution? on Display Format Technologies Comparison · · Score: 1

    Yes, the true resolution is always debatable. But, it's certainly higher than 540p. I have hooked a PC to mine, and displayed 1280x768 with various patterns and it appeared to display it perfectly.

    Of course, my point was that the technology was capable of much more than they were saying. There are quite a few RPTV's with 9" CRT guns that can achieve very high resolutions. Even the cheap ones can do more than 540p.

  25. CRT Resolution? on Display Format Technologies Comparison · · Score: 1

    They list CRT's top resolution as:
    720x540p
    1080i

    Why would they be limited to 540p?? I have a CRT that natively displays 1080i, 720p, 1024x768p, and 1280x768p.

    There are many rear projection CRTs that display 720p and above (I hear some support 1080p, but I have not seen any).