Slashdot Mirror


User: viralMeme

viralMeme's activity in the archive.

Stories: 0 · Comments: 483

Comments · 483

  1. reasonable steps to protect these websites on Website Security Without Breaking the Bank? · · Score: 1

    Run the web-facing site from a ROM and have it communicate with the backend through SSL. Have all activity written to log files on a write-only archive running on a second system. Run intrusion detection software on a third system. At worst you only have to deal with in-memory hacks, and you can use the archive and intrusion detection system to detect any attempted breaches.

  2. PCI certified .. on Website Security Without Breaking the Bank? · · Score: 2, Interesting

    "the PCI DSS is a security standard for payment card industries. Their documents go into detail on the specific vulnerabilities that need to be addressed to be certified. For example they mention specific flaws (say cross-site scripting), and also measures to protect data if an attack succeeds"

    All the PCI standard does is set down a number of criteria to be PCI certified. In the real world this provides no defense against getting hacked, as Heartland Payment Systems learned to their regret.

    "This document lists specific flaws that are known to be a problem, and had better be comprehensive since these are the standards banks are measured against. "Comprehensive" is perhaps a gross understatement, but it will give you an idea of the aspects to watch out for"

    If you need this PCI standard to tell you how to secure your network, then perhaps you shouldn't be in the security industry. Let's see what the 'document' has to teach us that we don't already know:

    .. install a firewall, don't use default passwords, encrypt the transmission data, assign a unique ID to each user, restrict physical access to cardholder data, track all access to network resources and ..

    WOW, I would never have thought of that. But how does one go about getting PCI certified? Well, there is self assessment or an 'on-site data security assessment' by a suitably qualified security assessor (QSA). How do you get QSA qualified? By filling in a bunch of forms .. :)

  3. Re:fud injection à deux .. on OpenDNS To Block and Monitor Conficker Worm · · Score: 1

    "Specifically, hijacking SSL sessions .. Several of my customers have had problems with their domain names not resolving .. two of them had pop up warnings .. about a security certificate not matching the domain name"

    Well, if you're happy with your DNS server redirecting without telling you, then it isn't a problem. By the way, why would your customers phone you if they have problems with OpenDNS? Wouldn't they just add an entry to their Never Block list?

  4. fud injection à deux .. on OpenDNS To Block and Monitor Conficker Worm · · Score: 1

    "I have at this point just simply refused to help any of my clients until they switch back to their regular ISP's DNS"

    What's the name of your company? And please enumerate the problems your clients experienced.

    "This is without really considering the massive privacy problems with using it"

    What privacy problems would those be in comparison to other DNS providers?

  5. what about games ..... on Is It Windows 7, Or KDE 4? · · Score: 1

    "Pop in your latest game you just purchased at Best Buy. What do you mean it won't install??"

    Personally, if I want to play games I would buy a Playstation, else use something like this or this ..

  6. unrefined Linux .. on Is It Windows 7, Or KDE 4? · · Score: 1

    "Linux is still not refined enough for most home users, nor does it have all the software. If all someone does is surf the internet and write letters it would be good, provided someone set it up for them. But unlike windows it's not as easy as say, buy printer -> Put in Disk -> click install"

    All I can say is that your experience isn't the same as my experience. What equivalent software isn't available on Linux that the average home user would need? Installing printers under Linux is as you described, except you don't need to 'put-in-disk' or click install, it picks it up automatically.

    "For Linux you have to start by downloading the correct package and work from there. It is a lot more of a pain in the ass"

    For a network engineer who built Beowulf and Rocks clusters you do seem to be most ignorant of the current distros. Just get hold of any current liveCD, insert it and boot the machine, and that's it. With Ubuntu you then have an option to do a full installation, and most/all the software the average home user would need comes on the DVD and doesn't need to be bought in as extras ..

  7. video garbled for half a second .. on Is It Windows 7, Or KDE 4? · · Score: 1

    "The picture not only opens slow, but first appears scrambled, then finally looks like it's supposed to .. Linux is very weak in the graphics department .. most of the Australians I've met seem to harbor a large amount of contempt for anything related to the United States"

    You can tell all this from a half-second video glitch .. :)

  8. required Linux tools .. on Jumping To Ubuntu At Work For Non-Linux Geeks · · Score: 1

    A pretty impressive set of tools, now you only left out this one

    --

    click on reply, nothing happens, fire up textpad and type in what you were going to say, before you forget, back to slashdot as the page has finally loaded .. :)