Slashdot Mirror


User: Spoing

Spoing's activity in the archive.

Stories: 0
Comments: 2,367

Comments · 2,367

  1. Funniest thing I've heard today on Online Dating Advice? · · Score: 5, Insightful
    1. I plan on staying single for a while into the future, but I am considering online dating in addition to other methods of meeting local women for casual dating.

    What-r-u-nuts? Get married NOW. That way, you can get that much closer to your second marriage; the one that you will be happy with. (Just don't have kids in the first one.)

    (Go ahead...mod this as funny. The old guys know I'm not joking.)

  2. Re:Dear Windows... on Dear Microsoft Windows ... · · Score: 1
    1. No, it's ease of use. Turn on the workstation, it boots. Double-click MS Word. Type. I can explain that to a traditional editor who has never used a computer before.

    Then, how does that differ from Linux (KDE or Gnome + OpenOffice.org / Crossover Office + MS Word) or Mac OS/OS X (OOo or MS Word)?

    If the person has never used a computer before (?), they will find the task you outlined as easy or befuddling on any of these systems. (An argument could be made for other tasks being easier/harder on specific systems -- though that's not your claim as I understand it.)

  3. Re:Millions and Millions on MS To Offer Windows Sans WMP, If EU So Orders · · Score: 1
    1. It hasn't crossed your mind that the amount of QA required for testing such a change (removal of a major OS component) on a whole shitload of configurations that Windows is normally expected to run on is mind-numbing?

    What's the problem? Track the dependencies, and when you yank a library anything dependent on it will break in one way or another.

    This works well under Linux.

  4. Re:Perspective of a DSLR user. What are your goals on Canon's new 16.7MP Digital SLR, with WiFi · · Score: 1
    1. For 98% of the slashdot crowd, I'll assure you that 6 megapixels is enough.

    I'd say 3 is probably good enough for 95%. I have a Nikon Coolpix 3100. It's not a photo geek's dream, though I as a regular geek have taken some stunning photos with it -- enough for people to question that I even took some of them.

    My only wishes;

    The improvements introduced in the 3200 -- plus...

    Better low light support (if the camera doesn't get too bulky).

    Raw image support.

    From what I've read, Canon rules if you want to control every aspect of your shot. The Nikons are point and shoot with many pre-programmed modes -- so if you already have your hands full with other tech, it's the way to go. (Something that came to mind as I wrote this.)

  5. Re:My vote goes to... on Gates, Jobs, Torvalds: Who is Most Important? · · Score: 1
    1. The guy who first posted porn to the internet.

    You're welcome!

    Awww...for old times, here it is again;

    1. 0O
  6. Credit? Please! on Microsoft Releases FlexWiki as Open Source · · Score: 1
    1. You know, Microsoft has done an incredible number of crappy things, and they deserve most of the flak they get, but I don't understand why we can't just once acknowledge them for taking a positive step without making some cheap jab like this.

    I don't think it's a cheap jab. Other articles about non-Microsoft projects/products offer comparisons to other non-Microsoft projects/products. (Example: Anything about the latest MP3 players.)

    That said, Microsoft is fundamentally untrustworthy. The list of sneaky tricks they've pulled over the years does not make me want to jump at what they offer without looking very closely for yet another trap. (I have first hand experience as an OEM rep with Microsoft and OEM purchases.)

    As for source code, unless they follow their own advice and put the code under a BSD licence, why would I want to look at it?

    1. "Microsoft released something as open source -- but let's all assume that a non-MS alternative is better even though we haven't made an actual comparison!" How immature can you get?

    Better or not has little to do with it. That said, there are quite a few open Wikis and CMS programs out there already -- and similar programs you might be familiar with already.

    What makes Microsoft's offering worth examining at all? There are so many others that have been out for years and cover just about every spot from small/light/easy through to complex/flexible/corporate. Does Microsoft offer support for the new open source Wiki like other companies do, or are they looking for someone else to do the enhancements and fix the bugs?

  7. Re:Cygwin! on Evolution 2.0 Released, Screenshots · · Score: 2, Interesting
    I don't believe it. Every 6 months I get excited when someone mentions Evolution for Windows being used somewhere...but when I look I'm disappointed.

    Just now, I've searched the web for 2 hours and have come up with no other references except for a few comments on cobbled together copies a few people have been able to compile for themselves. None seem to be used for anything practical at this time, though.

    In my searching, I found no packages for the X or Gnome-specific branches of Cygwin. No stand-alone ports. Nothing in the main Cygwin package repositories. No binaries of any sort. No directions for compiling it from scratch or in part let alone 'just compile it from source after installing Cygwin'. Not even a short 'it works, but you have to build, configure, and install A, B, and C versions 1, 2, and 3'. Nothing. Silence.

    The only thing that looks remotely promising is Evolution for Windows -- and that project started three days ago.

  8. Re:Examples are rubbish. on EWeek Details Linux to Windows Migration · · Score: 1
    1. What function of Oracle made it more useful than MySQL in this case? It's certainly a valid DB for Web Applications - even if Oracle might scale better.

    What also puzzles me is that if Oracle on Linux was the only option (let's say it was for whatever reason) what does this have to do with the web app? The web app just needs database access. The db itself usually will be on another system anyway. That other box can run whatever OS is needed to make it happy.

  9. Re:er, on GDI Vulnerabilities: An Open Letter to Microsoft · · Score: 2, Interesting
    [rubs eyes, shakes head]

    1. And MS had notified all the vendors about the error in the original code. MS however, has ZERO idea how the vendor modified the code, or how the rest of their app interacts with it, and if it is a security risk or not. The vendors DO know. They are the ones that should patch their own app.

    Did the vendors have the ability to change these DLLs or were they given binaries or restrictions on what changes (if any) were allowed?

    1. This is like saying that since some Linux code may have been used in some 3rd party app like the Gimp (of course following the strictures that the code was correctly licensed according to the GPL) Linux should be responsible for checking the Gimp and any of a million and one other 3rd party apps, for any problematic code. Even tho he has no idea how the code was modified for that specific app.

    You're talking about source code modifications. Is that the case here? (Why would there have to be source modifications on a shared library? It makes no sense!)

    The analogy you use is also not the way that things are typically done on *nix systems (Linux or not).

    A more similar analogy would be if two applications that were similar but from the same code base -- say Sodipodi and Inkscape -- used a PNG manipulation routine that was defective. In that case under Linux (and *BSD and likely all other *nix) would not have any security issues -- though libPNG would! Fix libPNG, and the issue goes away for Sodipodi, Inkscape, and all other applications that use libPNG.

  10. Re:er, on GDI Vulnerabilities: An Open Letter to Microsoft · · Score: 4, Informative
    1. Sooooo, how exactly is MS responsible for all 3rd party DLLs?

    While Microsoft isn't responsible for 3rd party DLLs, this is a different situation. They are partially responsible, and if they were interested in making the client systems secure they would handle things differently for what is really a simple file update.

    Reasons: They designed a system that requires 3rd parties to distribute DLLs that Microsoft created. If the DLLs were set in a well organized location, the updates of the system DLLs would automatically 'fix' the other programs. Versioning -- something that Windows DLLs support and programs can take advantage of -- would handle compatibility issues that are not directly incompatible with this fix.

  11. Re:Why would this lure them away? on Star/OpenOffice XML Format To Become ISO Standard? · · Score: 3, Insightful
    1. There's absolutely no substitute for learning how to do it yourself, by simply reading a lot.

    The best 'trick' I can pass along:

    1. If you write something that is important,
    2. read it aloud. Correct anything that sounds wrong.
  12. Re:-1 Wrong on Star/OpenOffice XML Format To Become ISO Standard? · · Score: 1
    1. Actually it's a .zip not a .tar.gz. Other than that, you're correct.

    Early on OO did use .tar.gz. It's been quite a while, though!

  13. Re: OOo Reader App! on Star/OpenOffice XML Format To Become ISO Standard? · · Score: 1
    1. Isn't that a liability waiting to happen? With Sun's agreement with Microsoft paving the way for litigation?

    I don't understand. What does that have to do with an OOo document reader/viewer program? I don't see the connection.

  14. Re:It won't lure anyone from Office on Star/OpenOffice XML Format To Become ISO Standard? · · Score: 3, Informative
    1. not true. I rarely see a .DOC file in the company for ANY business documents, including files from outside the company.

    Not true ... for you. For me, it is quite different. I see MS Word .DOC files constantly...even for trivial memos that would be better done as normal text.

    PDFs mainly appear for external documents. Even policy manuals tend to be both created in MS Word and passed around as MS Word .DOC files.

    I've gotten no complaints from using OOo to create and save documents in MS Word .DOC format, though changing existing .DOC files in OOo has caused problems in the past -- usually with indented bullets. MS Word is supposedly to blame for mangling bullets, though I don't have evidence either way.

    1. [...] Granted, some silly people in Marketing, specifically the new ones, try to use .PPT files as their preferred communication style and document. but they get flamed to crispy death by most of sales and the entire IT department when they do.

    I typically get "Can you give me that as a .DOC. I need to edit it." Editing usually consists of a logo change and having the person change or modify the attribution.

  15. Re:Kernel Recompile on Solaris vs Linux Continues · · Score: 1
    1. But what if a vulnerability pops up and you can't wait for your distro to update the kernel. I think knowing how to download the sources, patch them, and recompile your kernel is important for running a solid system.

    If your systems are locked down already, an exploit won't matter much. If the thing that can be exploited can't be reached by a bad actor, it is not a risk. Besides, kernel level exploits are rare compared to system tool exploits let alone application or user library exploits.

    That said, I quickly patch these 'impossible' vulnerabilities even if I've blocked the routes that could be used to activate them.

  16. Linaris...Solix...Laris...Soinux...? on Solaris vs Linux Continues · · Score: 1
    In the long term, it might not matter. Much of the tech in the *open source* version of Solaris will possibly move to Linux and vice versa. *BSD might even benefit. The gotcha is the licence(s) Sun will choose and are they compatible with the mostly GPLed Linux kernel code.

    A few links here.

    Audio interview here.

  17. Re:It's easy to blame the users... on Curing a Corporate Virus Infection · · Score: 1
    I'll go through your reply point by point. If I miss something, let me know...though keep in mind that I approach this from a specific POV that you may not share;
    1. Simplify, simplify, simplify; if it is too complex to understand you can't be assured that you can detect intentional or unintentional damage. Constantly remove cruft.
    2. All machines are suspect and potential platforms for abuse to be spread around; clients, servers, and networking gear.
    3. Unless a system is booted using a known good image of an OS and all data on all media are compared against a known good list of files, the machine should be considered untrustworthy; 'I guess it is OK' or 'Norton didn't find any problems' aren't good enough.
    4. With that in mind, isolate all systems at the network level (vlan...) as well as reduce all services to a minimum.
    5. Move services to the servers.
    6. Move data to the servers.
    7. Server hardware should be single function unless securely segmented; the database should not be a file, print, web, and login server.
    1. That won't work because most of the "really good" worms bring their own services nowadays... Look at how Klex [or was that blaster?] that spread with its own SMTP server. You can block the ports, but that doesn't work in a corporate environment where people expect to use "file sharing" between user machines on the lan, or all the custom software that freaks out with non-standard windows installs.

    Answers;

    No, don't block ports (see my sig). Remove the services entirely and know what is running or you can't be in control.

    Any available service is a target. Turn them off or secure them (not trivial), and they aren't targets. (This keeps the client and servers clean in the first place.)

    Nessus and nmap scan for ports. If the port is open, it can be discovered.

    Many pieces of malware want to be discovered thus they will leave open ports. Scanning for the ports and turning them off shows you if anything else is hiding there; if the service for that port is off, and you've removed the service...it has to be something you don't know about (malware or otherwise).

    Yes, people expect client to client corporate network services. Doesn't make them a good idea! Hostile environments -- and client systems are to be considered hostile -- should not be on the inside of the corporate network. The dedicated servers can provide the same services even if set up as a proxy for what is really peer-to-peer style communications (ex: corporate IM).

    1. Eventually, you get the user that knowingly breaks ALL the rules. While SP2 looks to address some of the issues with runaway user clients, once something is inside a corporate network it's really hard to stop. After all, not all machines can run XP with SP2... you may have hardware tied to older versions of Win98, NT, or 2K... that doesn't have all the update features that XP does.

    Consider laptops. They are entirely outside the control of the admins...so treat them like hostile systems; limit the damage they can perform. Peer to peer services are off, and the routers control what the laptop sees on the network.

    Good idea for laptops? Yep. Good idea for all systems -- including servers.

    That the systems run one OS revision or another means less once you have the network properly configured. Each can be scanned for problems. Each that you do control can be made more secure even before updates and patches are applied.

    1. Speaking of update features, the most secure thing to do is NOT let user machines hit the internet directly. My shop has all the machines locked down with no users as administrator. Internet is HEAVILY filtered...even slashdot .ico files don't come thru!!! and all incoming ports other than 80 and its dependents are rigidly blocked. Unauthenticated machines can't get on the internet [i.e. no Knoppix CD for you!] and all SMTP traffic is blocked or
  18. Re:It's easy to blame the users... on Curing a Corporate Virus Infection · · Score: 1
    1. That's just plain wrong.

    You're right. I noted that here.

    1. But never mind, sound like you have a clue and be part of the problem, in the long run it actually helps people get into the mood to ditch Windows.

    Thanks & agreed.

  19. Re:It's easy to blame the users... on Curing a Corporate Virus Infection · · Score: 3, Insightful
    1. So you think it is an exploit in some service that XP is running that allows it to wedge the DLL in there?

    It has to be some service, otherwise there would be no way to have the files inserted on the machine.^ Put it this way; the trojan/malware/virus/... can't inject itself onto another computer. It needs to request that the target machine do something -- allowing the program/library/registry entry/... to be installed.

    (The service being exploited might even be the admin drive share, though it's more likely some of the other less obvious ones.)

    Bring up the services list to get a general idea of what is running or can be run (on demand). Keep in mind that the list is incomplete and disabling a service there might not really turn it off; verify that it is really off by running nmap and nessus against the target system.

    Caution: Disabling a service does not mean your systems are more secure. Many services are only local and are not exposed to the rest of the network at all. While I suggest turning most of these off, the urgency is not as high and some of them are really necessary. Most of them are crap, though. This will be a lot of work, so take notes and look for things that break.

    Another gotcha: When installing updates, the services you turned off before may be turned on again without warning. (Bet on it!)

    1. ^. OK, it could be an application exploit (IE/Outlook/...) though for the network wide plagues these are not as effective since they nearly always require people to do something to cause the exploit to be active. Only 1 machine with the exploit loaded needs to be on a network with access to others with the service enabled; no human interaction needed.
  20. Re:vlans and other isolation tools are your friend on Curing a Corporate Virus Infection · · Score: 3, Insightful
    1. It's simple enough to say - but what about when you are responsible for a corporate network of 400 users, and a remote WAN of over 30 sites, and 1000 users? And your Network operations department is comprised of you and a monkey sitting under your desk?

    It's even more important. Do you want to chase problems every 5 minutes and waste your weekend? I don't!

    1. With the massive number of companies 'downsizing' lately, I find it hilarious how so many of you recommend doing all this rearchitecture, when most of us in the Ops/IT field are already spending 70+ hours a week fighting fires.

    Exactly my point!

    Take one thing at a time, starting with your most troublesome group or servers. Don't grab the 300 client system nightmare first; look at one server and see what it depends on. Are there 10 applications running on it? Is there a way to move one or a set of them off and isolate that?

    If you're getting pecked to death by ducks, start by killing one duck at a time! (Or find a smaller group of ducks to kill at a new job.)

    Don't let upper management know that you are succeeding, though. They may want to get rid of the monkey.

  21. Re:It's easy to blame the users... on Curing a Corporate Virus Infection · · Score: 5, Informative
    1. We've had a number of keylogger viruses and such pop up on local machines, even from machines with restricted permissions (i.e. can't even write to C:). I don't know what's wrong with XP, but this looks to be a pretty big flaw.

    If the services that the viruses are using aren't enabled, they can't be exploited.

    Here's one way to deal with this...

    Isolate the client; vlan/router or yank the system and put it in an isolated environment (test lab, 2 system LAN, ...). Turn off the client XP firewall (if any), run Nessus on another system and point it at the client, go back to the client system and disable all services that Nessus reports -- even the ones that are not considered problems! Do any security hardening Nessus suggests. If you really need the detected services, write down what you would lose by disabling the service, what it would take to secure the service, and if there are any automated tools that can be run client side to clean up or better block hostile attacks.

    Document what you needed to do, do the same to a few more systems, and then automate the process (registry files, boot scripts, policies, ...).

  22. Re:It's easy to blame the users... on Curing a Corporate Virus Infection · · Score: 1
    1. Just go back to the classic-server rule of thumb.

      1.) Desktop machines can use windows

      2.) Servers must be unix based.

      The user can corrupt the hell out of their hard disk, and they have only themselves to blame.

    While I agree that this provides a very good level of isolation between clients and servers, it doesn't take care of maintaining the client systems and it doesn't take care of every issue. Maintaining client systems is a PITA. A well run server should be little trouble.

    Isolation between client systems is really needed; disallow peer to peer, focus on using the network as storage, and backup everything. Sweeping through the client machines on a regular basis to see what data people have left there -- and making it easy to use the network instead -- is a good idea.

    Also, by switching the servers to *nix you do not eliminate abuse you only eliminate malware that the users run getting on the servers. Anyone with just enough knowledge to be dangerous -- either by mistake or intentionally -- can still cause hard to impossible to find damage (ex: database access and changing a field property or correcting one piece of data that has dependencies elsewhere).

  23. vlans and other isolation tools are your friends on Curing a Corporate Virus Infection · · Score: 2, Interesting
    I get very annoyed when hearing about whole networks being knocked out by a virus/trojan. It should never happen; any damage should be isolated.

    Limit access to the application/web server level at the router. Isolate workstations so that they can each see the file servers but not all other systems. If someone needs direct access to servers, they should have a real good reason (or it should be obvious; admins, developers.).

    Keep in mind that I'm not suggesting that the limits be so strict that people are annoyed and attempt to break or ignore security. They should be well organized, though, and monitored. Reasonable exceptions should be made immediately, and unreasonable exceptions should be granted quickly with an eye to isolating the damage of that exception as much as possible.

  24. Nifty for a few minutes... on Impress Your Friends With A 3D Desktop Pager · · Score: 1

    This is really a page flip program with a 3D effect. While the desktops are updated, the updates aren't dynamic; don't expect to run programs in different windows and see the current status in one of the windows. You will see a slightly dated view on the other desktops.

  25. Re:So... on Experiment Cuts Off Online Junkies from Internet · · Score: 1

    We will have to disagree.