If you did that for me, I'd appreciate it... though I wouldn't be able to abuse my cable provider. (That, and I'm on the other side of the planet...thanks anyway!)
Agreed. Sometimes you have to do the wrong thing to do the right thing.
To add to that, I like to reduce the exposed interfaces to a minimum, use a router with a vlan (!) isolating it. The exposed interfaces (IP ports or API) should be few and well known.
In many cases, poorly designed server apps can be protected even when there are other known security holes. Still does not make me feel comfortable.
Sendmail corporation...I'll get back to them in a moment.
Sendmail has a plugin available which allows for Sender ID compliance. Which other GPL software will be modified by third parties? This is the joy of GPL software, of course, to maintain it separately from the core. This is also the Achilles' Heel. If Microsoft wanted to do so it could produce the necessary changes for all of these dissenting software packages itself -- and distribute them itself -- and achieve dominance through this method.
I'm not sure that Sendmail is licenced under the GPL. (I'm 80% against that being the case...can't verify it.)
As the Apache Foundation and Debian have pointed out, that would put a restriction above and beyond the current licence(s). Since the licences specifically deny that ability, Microsoft could be held liable and could be sued by the other copyright holders.
An exception: Any group that did hold copyright to the code could re-licence or dual licence it and add in the non-compliant parts to that branch or fork.
In the case of Sendmail -- I couldn't find the licence after a short bit of searching. 2 more minutes probably would have done it, though. I think it's similar to the BSD licence, so it is likely that the exception above doesn't even apply. If it's a GPL-style licence, they could be in violation -- depending on who owns the copyright to the code they ship commercially.
My Linux Scribus, KOffice, OpenOffice, etc. customers too but they have less problems with making a PDF file.
A PDF printer is included in KDE. OpenOffice and Scribus have direct support for PDF.
For programs that don't handle PDF or don't use the KDE kprinter print system, setting up a PDF "printer" isn't hard. In the worst case, they can add a Postscript printer and run ps2pdf on it...though that should not be necessary except in odd situations.
I think the main point here is that MS has tried to appeal to people by saying that it's easy to be a sysadmin, that anyone can set up a network and run it. Real sysadmins all over the place freaked out, with good reason. They were accused of being set in their ways, etc, etc.
True! It's a real PITA to secure Windows. It's as much work as securing a *nix system;
*nix - Less is running so security focuses on the application/service and account settings. Very methodical.
Windows - More is running so security focuses on the service level (first) with account setting second. (Applications and specialized services are another task that I dread doing wrong; no control!)
As a start on a new system, doing things the Microsoft-recommended way, I ran Microsoft's baseline security tool...and it said everything was A-OK. Checking the system myself so far, I have to strongly disagree.
One thing that bugs me is that I can't verify everything under Windows...stuff is hidden or enabled in different places. It is harder to strip out everything down to the bare necessities; the concept being "you don't need to know about that...so I won't tell you!" Grrr....
Most people don't feel compelled to do the work under Windows, though, because they think security is the entire responsibility of other companies and they have no control over it. The vendors reinforce this idea (to get sales), and the customers push it too (out of habit and ignorance).
The service is not enabled... it is in a state where applications that rely on it can start it if it's necessary, but that would be performed by the user. Having it not enabled is not a security risk....
OH, yes it is! :)
Having services available by default -- on demand or already running -- makes it easier to exploit a system.
If the attacker can rely on those services;
They will not have to take the extra steps needed to enable them...
They will not have to find alternate ways to provide those resources...
They can hide rogue processes by tagging along with the service as a sub-process...
Additionally, if you want to audit a system and have 30 things that may be on at any time vs., say, 10, your job just became that much harder.
Attackers like to hide. A low profile -- blending in with other expected processes -- is a good way of achieving that.
This is the main reason why I have this signature;
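One way to make the "30 things vs. 10 things" audit point concrete is to compare what is actually listening on a host against a short allow-list, so that both an extra service and an unexpected process sitting on an expected port stand out. The script below is an added example, not something from the original post; the baseline and the socket listing (shaped like `ss -ltnp` output) are constructed, and on a real host you would pipe the command's output in instead.

```shell
#!/bin/sh
# Added example (not from the original post): flag listening sockets that are
# not on a short allow-list of expected "port/process" pairs.

# Hypothetical baseline: the few, well-known services this host should expose.
BASELINE='22/sshd
25/sendmail
80/httpd'

# Constructed sample shaped like `ss -ltnp` (Linux iproute2) output.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 50 127.0.0.1:25 0.0.0.0:* users:(("sendmail",pid=990,fd=4))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1201,fd=4))
LISTEN 0 128 0.0.0.0:5900 0.0.0.0:* users:(("x11vnc",pid=2044,fd=5))
LISTEN 0 5 0.0.0.0:80 0.0.0.0:* users:(("nc",pid=3111,fd=3))'

# listeners: read ss-style lines on stdin, print one "port/process" per socket.
listeners() {
    awk '/^LISTEN/ {
        n = split($4, a, ":"); port = a[n]
        proc = "?"
        if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
        print port "/" proc
    }'
}

# unexpected_listeners: read ss-style lines on stdin, print every listener that
# is not in BASELINE. Returns 1 when at least one unexpected listener was found,
# so it can gate a cron job or an audit script.
unexpected_listeners() {
    found=0
    for pair in $(listeners); do
        if ! printf '%s\n' "$BASELINE" | grep -qx "$pair"; then
            echo "UNEXPECTED $pair"
            found=1
        fi
    done
    return $found
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | unexpected_listeners
```

Matching on the port/process pair rather than the port alone is what catches the second port-80 entry: a rogue process "tagging along" on a port the baseline already expects would pass a port-only check.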
...except that when spyware/trojan/virus software does run, it's most likely to spread on the local network as well as attempt to strike the rest of the net. Having needlessly open ports is a bad idea.
Boot up the system and go into an account with admin-level access.
Give that admin-level account a password of "password".
Leave the system alone till the screensaver kicks in or intentionally 'switch users'.
At the login screen, select the admin-level account. It will ask for a password now.
Enter in "password" for the password.
The login dialog reports that "password" is an incorrect password.
(Consider getting out that Knoppix linux boot CD and resetting the password to null. Skip that idea for now.)
Select one of the non-admin, not password protected, user accounts to switch to.
The non-admin account comes up fine.
From the non-admin account, switch users and select the admin-level account.
Enter in "password" for the password.
The login dialog accepts "password" and switches to the admin-level desktop.
This is odd. Now, repeat the steps again *after* switching the password from "password" to "test". The results? The login dialog does not report that "test" is an invalid password.
While I am not doing any more debugging of XP for Microsoft (a detail or two might not be 100% correct), what I have seen is enough to make me wince. Microsoft did not test this one well enough.
Note: It may be necessary to have a program running in the admin account to trip up this bug.
Seriously, what percentage of the apps on your Windows machine did you pay for, including the OS itself?
Currently? ^ 100%. Just because I don't think it is worth it doesn't mean that I feel justified in taking it.
That said, I do make one exception;
^ - If the program is something I might want, I have no problems getting a copy to try it out. Except for kicking the tires for a couple hours, I don't keep it.
I've had people give me audio CDs and DVDs too...I take them, not to insult the person, and toss them in the trash when I get home. (Typically, I've already told the couple people that have given me these things that I don't think it's right. They don't listen, so I don't press it.)
As for games, I have a whole stack of the commercial ones -- all paid for. Demos are usually good enough to judge if a game is worth having at all.
less(1) already does this! Check out the $LESSOPEN variable on your Linux system, it points to a shell script that detects what type of file you are viewing, and runs a filter on it to get plain text from it.
The only service I have heard of under 1mbit in recent memory is Qwest DSL here in Minnesota that is only 640k.
There are plenty. Check Broadband Reports and search by speed range. Last I heard, many of the regional Bell companies peg DSL at ~750k; if you want something faster, you have to use cable or buy DSL through another company.
If you don't have policies and procedures, you might want to start there and slip the Linux-specific stuff in as an implementation of them.
I don't mean creating and enforcing rigid doctrine, though.
Here's an example -- if you've never done this or need a refresher;
Backup procedure;
Log the status of all network-based backups in the book (paper journal).
Schedule backups so that they occur regularly including moving backups to an off-site location.
If a system is added/removed or fails to be backed up, note it in the book.
If a system can't be backed up over the network or does not require backup, note it somewhere.
The tool(s) used are up to the admin and training in them should be direct and simple. The people who are new to the tools should be given resources (books, notes, and someone experienced to talk to). That the tasks are being performed at all should be easily verifiable. Keep it simple as possible so that it actually gets done, though have it just formal enough that someone else can figure out what should be done -- not necessarily be told how they should do the job.
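The procedure above hinges on one thing being easy to verify: that backups actually happened. The script below is an added example, not part of the original post; it reads a journal of backup runs (here a constructed one, in the form "DATE HOST STATUS") plus a hypothetical inventory and exemption list, and reports which systems are current, stale, never backed up, or exempt. The dates are ISO strings, so they compare correctly as text without date arithmetic.

```shell
#!/bin/sh
# Added example (not from the original post): check a backup journal against
# the system inventory so that a missed backup is visible at a glance.

# Hypothetical inventory: every system the procedure says should be backed up.
INVENTORY='fileserver
mailhost
devbox
printserver
webhost'

# Systems noted as not requiring backup (the "note it somewhere" case).
EXEMPT='printserver'

# Constructed journal, one line per run: DATE HOST STATUS
JOURNAL='2004-05-01 fileserver ok
2004-05-01 mailhost ok
2004-05-02 fileserver ok
2004-05-02 mailhost FAILED
2004-05-03 fileserver ok
2004-05-03 mailhost FAILED
2004-05-01 devbox ok'

# backup_report CUTOFF: read the journal on stdin and print one line per
# inventory system: "OK host LAST", "STALE host LAST" (last success before
# CUTOFF), "NEVER host" (no successful run logged) or "EXEMPT host".
backup_report() {
    awk -v cutoff="$1" -v inv="$INVENTORY" -v ex="$EXEMPT" '
        # remember the newest successful run per host (ISO dates sort as text)
        $3 == "ok" && $1 > last[$2] { last[$2] = $1 }
        END {
            split(inv, hosts, "\n"); split(ex, exempt, "\n")
            for (i in exempt) isex[exempt[i]] = 1
            for (i = 1; i in hosts; i++) {
                h = hosts[i]
                if (h in isex)             print "EXEMPT " h
                else if (!(h in last))     print "NEVER " h
                else if (last[h] < cutoff) print "STALE " h " " last[h]
                else                       print "OK " h " " last[h]
            }
        }'
}

# Stand-alone run: anything last backed up before 2004-05-03 is stale.
printf '%s\n' "$JOURNAL" | backup_report 2004-05-03
```

Only successful runs update a host's last-backup date, so a host that keeps failing (mailhost above) shows up as stale rather than hiding behind the fact that a run was attempted.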
Some DVDs cost $25 or more no matter where you go.
That said, if these stores are in your area -- try Circuit City, Best Buy, Target, and/or Walmart -- give them a try. These large discount chains tend to have quite a few $6-10 DVDs with a large group for around $15. They also have very good prices for the initial release of popular movies -- often the lowest price for months.
To check a file manually, I should do the following;
Check the MD5sum against a known good source.
Check the GPG signature of that source.
Check the file size (might be harder to fake an MD5 for files of the same size?)
What I actually do most of the time is quite a bit different;
Check the first and last few characters in the MD5sum against what is posted on the web/FTP site.
To get a complete MD5 collision is currently something the NSA might be able to do (paranoia hat not on). To get a look-alike that matches part of the original MD5 (just the part I tend to check) should be possible.
(Forging the original MD5 is probably the easiest thing to do since the GPG signature is rarely provided and, if it is, it is probably rarely checked.)
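The difference between the "should" list and the shortcut above is easy to show in a few shell functions. This is an added example, not code from the original post: it compares the whole digest, looks the file up in an md5sum-style list, checks the detached GPG signature on that list, and also implements the first-and-last-four-characters shortcut purely to show what it accepts. File names and the look-alike digest are constructed (the look-alike is just a string that shares the ends of the real digest, not a real collision).

```shell
#!/bin/sh
# Added example (not from the original post): full-digest verification next to
# the ends-only shortcut, plus the signature check on the digest list.

# digest_of FILE: hex MD5 of FILE via md5sum, or openssl where coreutils is absent.
digest_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_full FILE EXPECTED: succeed only when every hex character matches.
verify_full() {
    [ "$(digest_of "$1")" = "$2" ]
}

# verify_partial FILE EXPECTED: the shortcut from the post, comparing only the
# first four and last four characters of a 32-character MD5. Kept here to show
# how little it actually pins down.
verify_partial() {
    actual=$(digest_of "$1")
    [ "$(printf '%s' "$actual" | cut -c1-4)" = "$(printf '%s' "$2" | cut -c1-4)" ] &&
    [ "$(printf '%s' "$actual" | cut -c29-32)" = "$(printf '%s' "$2" | cut -c29-32)" ]
}

# verify_from_list SUMFILE FILE: find FILE's basename in an md5sum-style list
# ("HEX  name") and run the full comparison against that entry.
verify_from_list() {
    expected=$(awk -v n="$(basename "$2")" '$2 == n { print $1; exit }' "$1")
    [ -n "$expected" ] && verify_full "$2" "$expected"
}

# verify_list_signature SIGFILE SUMFILE: the step the post says is rarely done,
# checking the detached GPG signature on the digest list itself. Needs the
# publisher's key in the local keyring; otherwise gpg reports failure.
verify_list_signature() {
    gpg --verify "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run on a constructed download (md5 of "hello\n" is well known).
tmp=$(mktemp -d)
printf 'hello\n' > "$tmp/pkg.tar.gz"
printf 'b1946ac92492d2347c6235b4d2611184  pkg.tar.gz\n' > "$tmp/MD5SUMS"
if verify_from_list "$tmp/MD5SUMS" "$tmp/pkg.tar.gz"; then echo "full digest: match"; fi
if verify_partial "$tmp/pkg.tar.gz" b1940000000000000000000000001184; then
    echo "ends-only check: accepted a look-alike"
fi
rm -rf "$tmp"
```

The order matters: verify the signature on the digest list first, then the full digest of the file against that list; a digest list on the same server as the download is only as trustworthy as the server, which is exactly why the signature step exists.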
And yet, if I went out to try and buy a mobile phone which runs Linux for the geek value, I wouldn't be able to find one. Maybe it's in the wrong embedded markets...
OTOH most of the mini routers for wireless/cable/DSL use are Linux based.
I'd expect that depending on what category of device you look at, there could be an entirely different embedded OS that is most popular if not just more popular than Linux.
Shhhhh! Be quiet you fool!
...37:59.45!
...37:59.30!
...37:59.15!
...37:59.00!!!!!
So close! I can't wait!
thanks
Unfortunately, I can see that;
Remember, Nessus is your friend.
Thanks! I just found it myself a couple minutes ago. There's a lot to discover in this program....
A question for those who know how to use it: Does anyone know how to resize an image in a frame?
The closest I've been able to come to is editing the image (spawns The Gimp), and changing the size there manually.
(I haven't dealt with news copy since college -- so maybe the answer is "If Scribus supported resizing the image, that would be a bad idea.".)
*blink*
(Spoing does a happy dance.)
OK, here's one for you... tab completion in Bash for commands.
An example;
It works for other commands also -- and it's programmable!
No more than non-sys admins. Some are quite evil, inept, and/or uncaring.
Looks good to me! To the point, and not mucked up. Over the span of a few days/weeks/... someone should come up with a more fleshed out summary.
Don't shop there?