In my analysis, there are three reasons.
- To make individual administrators accountable for their actions by creating an audit trail. If multiple individuals use the "Administrator" or "root" account, the source of errors is obscured.
- To implement the principle of "least privilege". Where possible, system access accounts will be assigned the least amount of privilege possible (e.g. put a name service administrator into the "DNS Admins" group instead of "Enterprise Admins"). This may limit the degree of damage caused when a particular privileged account is compromised, although it introduces communication complexity among system administrators and users.
- To limit the impact of accidents. By forcing administrators to use a non-privileged account for regular tasks, the chances of accidentally damaging the network or any shared resources are reduced.
An addiction is the "compulsive need for and use of a habit-forming substance (as heroin, nicotine, or alcohol) characterized by tolerance and by well-defined physiological symptoms upon withdrawal; broadly: persistent compulsive use of a substance known by the user to be harmful."
An obsession is "a persistent disturbing preoccupation with an often unreasonable idea or feeling; broadly: compelling motivation (e.g. an obsession with profits)."
Gaming to the detriment of one's grades, social life, or work is an obsession because there is no build-up of tolerance, nor are there withdrawal symptoms. Please note the difference. Thank you.
It is the history in which a couple of tens of thousands of Japanese die because of the primary and secondary effects of two atomic bombs.
It is the history in which researchers (cf. the Curies) and "volunteers" (cf. the recent DoE scandal) die because of an insufficient understanding of nuclear radiation, among other reasons.
It is the history in which a lot of people die, for a very long time, before anyone gets a clue that drinking from a river that doubles as a latrine will give you cholera, dysentery, and a whole host of other really nasty diseases.
I'm all for peer review. Lord knows there are plenty of misinformed people out there---how many people are comfortable calling it Nuclear Magnetic Resonance Imaging? However, scientists and doctors need a measure of humility, too. And the whole point of science is to make knowledge accessible to EVERYBODY, to uncover the "mysteries" and "secrets" used to chain a society to the service of a few, or one.
Sorry, rant mode off.
In CLOS, a GF supports multiple methods with fast dispatch times, and you can use them without having to go through the whole bondage-and-discipline routine forced on you by other "high level" programming languages like C++. And don't get me started on "before", "after", and "around" methods or garbage collection. Needless to say, GFs are pretty sweet.
Add spyware detection to Anti-Virus software? (on "Spy v. Spy", Score: 2)
If BackOrifice and Sub7 are considered malicious, I think we can make a pretty good case to the AV companies that spyware/adware should be detected and cleaned by their anti-virus engines.
I expect there will be lots of replies saying how unnecessary cellphones are (blabbermouths in cinemas, road accidents, etc.) to society.
Humans have survived for millions of years without cellphones. Humans have also survived for millions of years without public sanitation systems and medicine. Society isn't going to disintegrate just because you get a little annoyed with people who want to talk to their friends 24 hours a day from every point on the globe.
What is so wrong with doctors wanting to lessen the impact of their chosen profession on their personal lives? Sacrifice, in and of itself, is no virtue.
Ah, I understand. You are right. To be true, HURD daemons communicate with processes and each other via a message passing mechanism (facilitated by Mach), and message passing is how some OO systems are modelled/implemented. I still think "client-server" is a better mental framework for how things work, but whatever.
Mac OS X is merely a monolithic server running on a microkernel. If some portion of the kernel panics, the whole OS goes down.
Contrast that with the HURD, where what were once kernel subsystems are now user-space daemons (basically). So if the networking layer bugs out, you can just restart the process (just as you would restart a hung web server daemon). You can also be running two versions of the same daemon at the same time, which facilitates debugging. It's more complicated than the single server architecture found in Mac OS X and NEXTSTEP, plus, since the microkernel has to keep passing messages between processes, the theory is that microkernels are inefficient (although optimizations like zero-copy schemes and whatnot probably can alleviate some of the performance hit).
I have no idea where the OO comment came from. People who ask about object oriented paradigms and kernel programming usually don't know what they're talking about (e.g. newbies who want to re-write Linux in C++). I wouldn't call the HURD "OO", maybe "client-server" is a better characterization. Darwin is just a plain-jane BSD kernel, all C and assembler. Any OO in the kernel would have to be done by hand, because the C++ runtime system doesn't really exist at that low a level </handwave>.
Since everyone else is flaming about licenses, I figure I might as well jump into the fray, too. Yes, Darwin is source-available, even possibly DFSG-compliant, however, it is not free software in the same sense that the HURD or Linux or Net/Open/FreeBSD are. Either way, be very mindful of the licenses to which you agree before contributing time, effort, and code.
Actually, you compile GCC with itself twice. It is a three stage process:
- Build GCC with the platform's supplied C compiler.
- Rebuild GCC with the result of (1) above.
- Rebuild GCC with the result of (2) above.
One then compares the output of stages two and three. They should be identical. Any differences in the generated code indicate a compiler or runtime bug of some sort. At least, that's the way it was the last time I built GCC on my own (back in the golden age of GCC 2.7.2).
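The stage-two versus stage-three comparison described above, written out as an added Python example (it is not GCC's own compare script): point it at two build trees and it reports every object that differs byte-for-byte or was produced by only one stage. The `demo()` trees are constructed in a temporary directory, not a real GCC build.

```python
import filecmp
import tempfile
from pathlib import Path


def compare_stages(stage2, stage3, suffixes=(".o", ".a")):
    """Compare the object files of two bootstrap stages. Returns the sorted
    relative paths that differ byte-for-byte or exist in only one tree; an
    empty list means the compiler reproduced itself exactly."""
    stage2, stage3 = Path(stage2), Path(stage3)
    seen = {}
    for root in (stage2, stage3):
        for path in root.rglob("*"):
            if path.is_file() and path.suffix in suffixes:
                seen.setdefault(path.relative_to(root).as_posix(), []).append(root)
    mismatches = []
    for rel, roots in seen.items():
        if len(roots) != 2:
            mismatches.append(rel)  # produced by one stage only
        elif not filecmp.cmp(stage2 / rel, stage3 / rel, shallow=False):
            mismatches.append(rel)  # same name, different bytes
    return sorted(mismatches)


def demo():
    """Constructed stage trees (not a real GCC build): one object identical,
    one whose bytes differ between stages, one present in stage 2 only."""
    base = Path(tempfile.mkdtemp())
    s2, s3 = base / "stage2" / "gcc", base / "stage3" / "gcc"
    s2.mkdir(parents=True)
    s3.mkdir(parents=True)
    (s2 / "cc1.o").write_bytes(b"\x7fELF same")
    (s3 / "cc1.o").write_bytes(b"\x7fELF same")
    (s2 / "toplev.o").write_bytes(b"\x7fELF built by stage 1")
    (s3 / "toplev.o").write_bytes(b"\x7fELF built by stage 2")
    (s2 / "leftover.o").write_bytes(b"\x7fELF")
    return compare_stages(base / "stage2", base / "stage3")
```

A non-empty result is the signal the comment describes: the compiler did not reach a fixed point, so either a compiler bug or a runtime bug is changing the generated code between stages.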
This is the first time I've seen the unit used, and while I'm clever enough to figure out that "ly" means "light year", I'm having a hard time with "pc".
If access to Microsoft's software products is that important to you, an MSDN subscription is both cheap AND legal, up to a certain (small) number of seats. Otherwise, Linux and StarOffice 5.x are close enough as far as your typical small office goes.
I have several criticisms of the report.
- For each language, the report conflates the standard library with the language itself. Languages are grammar and semantics. Many specifications also describe aspects of the language run-time environment, but this is not part of the language proper.
- The paper makes little distinction among language/library implementations. This means that comparisons between Java and C++, especially when comparing performance, are not necessarily comparing apples to apples. Hand-waving implementational differences, especially between two different programming languages, is sloppy at best, especially when one may see vast differences in "performance" within a family of language implementations, e.g. in the Common Lisp world, the CLISP implementation (which compiles Lisp to byte codes running on a C-based VM) is said to have good bignum performance, but the CMUCL implementation (which compiles Lisp to assembly codes) is said to have superior fixnum and floating point performance.
Ok, so with all this talk of performance, there is this really neat paper called "Optimization: Your Worst Enemy". It has an eye-catching title but it's really worth a read.
As much as I like Levy, it's not really that great of an article. It's still propaganda and unfounded assumptions, the only difference is that we like what he has to say.
Windows 2000/XP's support for IPSEC is limited to transport mode. Tunnelling is handled by Cisco's Layer 2 Tunnelling Protocol (L2TP). Unless FreeS/WAN and KAME now support L2TP, IPSEC VPNs using Windows-native clients are limited to routable IP addresses all the way around.
Now NAT is evil---ask my friends, I rant about it all the time---but in the real world, one must be able to tunnel VPN traffic at least in one direction (into the company). Without support for L2TP in FreeS/WAN or commercial IPSEC clients in Windows, one cannot currently do this.
Please, I beg you, prove me wrong. I've been struggling to get Windows IPSEC working with KAME for some time now. And my copy of Cisco's Unity VPN client doesn't work on XP.
One of the things I find frustrating about living in the US is that so many people are cowards who won't defend their rights against Equifax.
I think this is largely because most people don't know what their rights are in the first place. I would love to get a clue. Do you have pointers to any resources, suggested courses of action, good lawyers to call, etc.?
This article makes me wonder how many of the port 80/tcp scans I see are spambots and not viruses.
That said, email filters are your friend. I create unique email addresses that use the "username+indicator" syntax, and filter accordingly. If someone is clever enough to strip the tag, the mail gets junked indefinitely. There are exceptions for messages sent by friends and family, and I'm thinking about adding controls for messages that are blind-copied, "From" and "Reply-To" checking, etc.
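The tag-based filter described above, as an added Python example (not the commenter's own filter): tagged addresses route by the tag they were issued with, a stripped or never-issued tag goes to junk, friends bypass the check unless Reply-To points elsewhere, and a blind copy is held. The account, allow-list, tags and sample messages are all constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed account, allow-list and issued tags; substitute your own.
MY_USER, MY_DOMAIN = "alice", "example.org"
FRIENDS = {"bob@example.net"}                           # bypass the tag rule
ISSUED_TAGS = {"slashdot": "lists", "bank": "finance"}  # tag -> folder


def my_recipient_tag(msg):
    """Look for my own address in To/Cc. Returns ("tagged", tag) for
    alice+tag@, ("bare", None) for a stripped tag, or ("absent", None)
    when I am not a visible recipient (i.e. I was blind-copied)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _, addr in getaddresses(headers):
        user, _, domain = addr.lower().rpartition("@")
        if domain != MY_DOMAIN:
            continue
        base, _, tag = user.partition("+")
        if base == MY_USER:
            return ("tagged", tag) if tag else ("bare", None)
    return ("absent", None)


def classify(raw_message):
    """Return the folder a raw RFC 822 message should land in."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # Friends and family skip the tag check, but only when nobody has
    # pointed Reply-To somewhere else (a cheap From/Reply-To sanity check).
    if sender in FRIENDS and reply_to in ("", sender):
        return "inbox"
    kind, tag = my_recipient_tag(msg)
    if kind == "tagged":
        return ISSUED_TAGS.get(tag, "junk")  # unknown tag: never handed out
    if kind == "bare":
        return "junk"        # tag stripped: the address was laundered
    return "quarantine"      # blind copy: hold for a look rather than deliver


# Constructed sample messages, not real mail.
SAMPLES = {
    "friend": "From: Bob <bob@example.net>\nTo: alice+bank@example.org\n\nhi",
    "newsletter": "From: news@example.com\nTo: alice+slashdot@example.org\n\n...",
    "stripped": "From: deals@example.com\nTo: alice@example.org\n\nbuy now",
    "unknown_tag": "From: deals@example.com\nTo: alice+xyz@example.org\n\n...",
    "bcc": "From: deals@example.com\nTo: list@example.com\n\n...",
    "forged": "From: bob@example.net\nReply-To: x@example.com\nTo: alice@example.org\n\n",
}


def demo():
    """Classify every constructed sample; returns {name: folder}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}
```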
Speaking of PVRs, which one should I buy? ;) I keep hearing good things about both, and I'm tired of futzing around with the 30-second commercial skip button on my VCR. Any suggestions?
Security (especially security by obscurity) must remain useful and not get too much in the way of doing one's job. Using that criterion, running the firewall on a halted OS is pretty stupid. One cannot use the firewall for an IPSEC endpoint (key negotiation happens in user space). One cannot log events (also in user space). One cannot remotely administer the firewall (all in user space). These things are all bad in much the same way that obscure naming conventions are bad---they get in the way of operating and trouble-shooting the network.
While we're on the subject, another tremendously bad idea is using an interior light timer to control a physical connection between two servers (e.g. a bastion host uploading data to an internal server). The only thing this does is limit the window of opportunity to a pre-set (and predictable) time, while increasing the chance of interrupting whatever the connection is there for. Physical security hacks like this should be the last thing one does (after locking down a box, setting up encryption, etc.), not the first.
My big problem is address space. I cannot convince Time Warner to give me my own routable subnet, so I have to use NAT (which is evil, evil, evil). This is unreasonable. There are plenty of IPv4 addresses around, and if ISPs are so concerned about scarcity, then maybe they should get off their butts and start rolling out IPv6. I don't know about the rest of you, but I can easily justify a /27 or a /28, and that's just counting the computers that still boot! ;)
As for bandwidth, I certainly want it fast and furious, but if ISDN was as cheap as cable (2-Mbps down, 384-Kbps up, business-class SLA), I'd think twice about ISDN so I could have real IPs.
The rule you describe (only allow S/SA and keep state) would indeed block a FIN or ACK scan.
For example, I have the following IPFILTER rule installed on my firewall:
pass in log first quick on fxp0 proto tcp from any to 10.63.1.1 port = 3389 flags S keep state keep frags group 132 # wtsrv
This allows the initial SYN packet in, and tracks state from there on out. The next packet it allows through the firewall must be a SYNACK, and the packets following that must be ACKs, RSTs, or FINs. Once it sees the terminating FIN or RST, it removes the connection from the dynamic state. If it doesn't complete the handshake (SYN, SYNACK, ACK), the dynamic rule times out pretty quickly. If it does complete the handshake, I think the default timeout is on the order of a few days.
Sorry about the flame bit. It's just that so many people misunderstand stateful firewall rules that I try to explain it to avoid people getting confused.
I'm not sure how you went from syncookies to OpenBSD, but you did mention stateful inspection, so flame on!
Stateful Inspection(tm), stateful inspection, and TCP flag checks are not all the same thing. The INSPECT engine included in FireWall-1 is a dynamically-programmable state machine, capable of semi-complicated connection state tracking over a variety of connection-oriented (e.g. TCP) and connectionless (e.g. UDP) protocols. INSPECT is, in some form or another, patented. IPFILTER's keep state clause (and IPFW's dynamic rules using the keep-state clause and the check state rule) also tracks connection state, but only for ICMP, UDP, and TCP, and it can only be changed by re-compiling the appropriate C code.
Here's the rant part: SIMPLY CHECKING TCP FLAGS IS NOT STATEFUL INSPECTION!! It's sometimes called stateless inspection and it means that a decision to pass or block a packet is decided on the characteristics of that packet alone. Allowing J. Random TCP packet to go through the firewall with a cursory check of the headers means I can do FIN or ACK scans through your firewall, and if you've got it set up to only log connection attempts, the scans won't even be logged. Suck!
As for stopping denial of service attacks (aside: I hope to God I'm not the only person who has to figure out whether a person means the operating system or the network attack every time he sees those three letters), the only way to do that is to implement proper ingress AND egress filters on the gateway firewall or router. Needless to say, this is complicated, so most people don't bother.
Only you can prevent forest fires and improperly configured firewalls.
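The distinction the two firewall comments above draw (the "flags S keep state" rule walking SYN, SYNACK, ACK through a dynamic entry, versus a flag-only check that lets a lone FIN or ACK through unlogged) as an added Python model; this is not IPFILTER code and not the commenter's own. The client address and the two timeout values are constructed, not IPFILTER's defaults; only the host:port comes from the quoted rule.

```python
from dataclasses import dataclass

# Constructed values for this toy model; they are not IPFILTER's real defaults.
SERVICE = "10.63.1.1:3389"       # the host:port from the rule quoted above
HALF_OPEN_TIMEOUT = 30           # seconds an unfinished handshake stays tracked
ESTABLISHED_TIMEOUT = 3 * 86400  # completed connections linger for days


@dataclass(frozen=True)
class Packet:
    src: str          # "ip:port"
    dst: str          # "ip:port"
    flags: frozenset  # subset of {"S", "A", "F", "R"}


def pkt(src, dst, *flags):
    return Packet(src, dst, frozenset(flags))


def stateless_decide(p):
    """Flag-only rule set: a bare SYN to SERVICE is passed and logged as a
    connection attempt; every other TCP packet gets a cursory header check
    and is waved through unlogged. Returns (passed, logged)."""
    if p.flags == frozenset("S"):
        return (p.dst == SERVICE, True)
    return (True, False)  # a lone FIN or ACK probe slips through, unlogged


class StatefulFirewall:
    """Toy "flags S keep state": only a bare SYN to SERVICE creates a dynamic
    entry, and every later packet must belong to a tracked flow and fit the
    next handshake step; a FIN or RST tears the entry down."""

    def __init__(self):
        self.table = {}  # (client, server) -> [state, expires_at]

    def decide(self, p, now=0):
        """Return (passed, logged) for one packet seen at time `now`."""
        self.table = {k: v for k, v in self.table.items() if v[1] > now}
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if fwd in self.table:
            key, from_client = fwd, True
        elif rev in self.table:
            key, from_client = rev, False
        elif p.flags == frozenset("S") and p.dst == SERVICE:
            # "log first": the opening SYN is the only packet that gets logged
            self.table[fwd] = ["SYN", now + HALF_OPEN_TIMEOUT]
            return (True, True)
        else:
            return (False, False)  # no tracked flow: FIN/ACK probes are dropped

        entry = self.table[key]
        state = entry[0]
        if state == "SYN" and from_client and p.flags == frozenset("S"):
            pass  # SYN retransmit while waiting for the server
        elif state == "SYN" and not from_client and p.flags == frozenset("SA"):
            entry[0] = "SYNACK"
        elif state == "SYNACK" and from_client and p.flags == frozenset("A"):
            entry[0], entry[1] = "ESTABLISHED", now + ESTABLISHED_TIMEOUT
        elif state == "ESTABLISHED" and "S" not in p.flags:
            if "F" in p.flags or "R" in p.flags:
                del self.table[key]  # terminating FIN/RST: forget the flow
            else:
                entry[1] = now + ESTABLISHED_TIMEOUT
        else:
            return (False, False)  # out-of-sequence packet for this flow
        return (True, False)


def demo():
    """Send a FIN probe and then a full handshake through both models."""
    client, fw = "192.0.2.10:40000", StatefulFirewall()  # constructed client
    probe = pkt(client, SERVICE, "F")
    handshake = [pkt(client, SERVICE, "S"), pkt(SERVICE, client, "S", "A"),
                 pkt(client, SERVICE, "A")]
    return {
        "probe_stateless": stateless_decide(probe),  # (True, False)
        "probe_stateful": fw.decide(probe, now=0),   # (False, False)
        "handshake": [fw.decide(p, now=i) for i, p in enumerate(handshake, 1)],
        "tracked_flows": len(fw.table),              # 1
    }
```

The same probe is passed and left unlogged by the flag-only check but dropped by the stateful one, which is the whole point of the rant above.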
Well, that's easy. The cockroach is the pretty one. *bah-dump-ching*
I don't know anything about BeOS. Sorry. :(
I keep trying to explain to the help desk why I can't wear a pager or cell phone, but they never listen. Maybe this article will help convince them!