I don't quite understand the issue here. So Comcast put a transparent proxy on HTTP ports; are people upset because of the proxy itself affecting performance? Or is it the fact that the proxy "may" affect privacy?
It sounded to me to be the second point, which is ignorant. If Comcast wanted to "transparently" monitor its users' web usage or whatever data they want to sniff, they would not even have to set up a web proxy. Just an IP-less sniffer to listen in and software to log all web transactions (much more efficient, and you would never know).
I only hear this guy crying about a privacy issue without any real supporting points; maybe he's just paranoid?
An IDS taking actions is a very complex issue. Most IDSs nowadays are based on signature detection. It is not 100% accurate; it can produce false positives or can miss attacks that are not signature based (I actually wrote my SANS GCIA paper on one of these non-signature-based attacks).
IDS-triggered action is not safe at all; it could cause an unnecessary DoS to an unintended target if the IDS ever gets too smart.
The best solution with today's technology is still active alerting (even better in real time) and analysis by a human to determine whether there was actually an attack.
Remember, a lot of traffic is strange, but there might be a legitimate reason behind it. Anyone remember the faulty router at daemon.net?
I'd leave your troll alone, except for the upmodding it has received from some idiot.
I am sorry if I was trolling but that really wasn't my intention.
I understand that nothing is preventing people from using IPF on OpenBSD. I am sorry if my original statement was misleading. What I really meant was that since IPF was scrapped, they were already heading straight to PF; even if IPF changed its license to suit OpenBSD, they would never forget about PF and just take IPF back.
Please understand that I am not taking sides on this matter, just presenting my thoughts about open source. I do not know why you have your flame mode on, but if I offended you, sorry. I apologize.
I have taken a brief look at PF myself; like you said, there are features that would be great for all of us. We should always appreciate it when a new tool comes up.
For PF, I would wait till some more sites start using it, and then I will test it in my testing ground before taking it out to the field; I would stick with IPF for the time being. I really have nothing against using it once it matures.
I went back and read the mailing lists on both IPF and OpenBSD. There are some elements that are childish: one guy suddenly changed his mind about his work, and then another kept bashing and won't let IPF reunite with OpenBSD even after some modification to the license.
I guess the moral of the story is that all open source developers should bond more together and remember our real goal for open-sourcing. There may be slight differences in opinion, but we should get over the differences and try to produce the best software with minimal effort.
By writing a separate PF, the OpenBSD team has to spend extra time re-coding the new PF and going through the code audit, testing....
Being a security consultant, I will still recommend OpenBSD as a FW platform, but I would wait a bit before PF, simply because enough of a track record needs to be made. Let time prove this firewall, so to speak.
I think one of the major resistances that PDF has today is support from major word processors. MS Office and most major suites do not support saving as PDF "yet".
By the way, the easiest way to convert an MS Word doc to PDF without Acrobat would be Adobe's website; they offer 5 free online file conversions (supporting many source formats). Might be useful for some of you.
I know most readers here (myself included) are from the IT industry; let me also introduce some effects of PDF on the prepress industry. (Let's look at things from another perspective.)
In the old days, there were a lot of press approvals and proofs being sent via the ad agency to the end user for approval. With PDF, even the end user can fire up a PDF reader on their own computer and view the electronic proofs; it is not color accurate (looking at the screen), but for the most part (especially small cheap runs), it works well.
The same PDF sometimes also gets onto the RIP (Rasterized Image Processor) for output; this assures the same results as the electronic proofs. (Accuracy is very important in this industry.)
The major problem now is that sometimes a prepress shop gets one job done and sends it to another for output to film or CTP (to plate); if the PDF files do not have fonts embedded (PDF has this "feature"), then it becomes a hunt for the right fonts.
Prepress shops have mixed feelings about PDF; most that I talked to see it as a constructive technology.
Problem more serious in Business Computing (on "2.4, The Kernel of Pain")
I notice that a few people mention they don't have problems with 2.4. I find that true under certain conditions.
For home use, I really don't find a lot of problems with 2.4 except minor driver problems. But at work, things are very different. I run a few high-load critical servers at work that are still on 2.2; the lab attempt to upgrade to 2.4 (at an early stage) failed because of lockups and performance issues (yes, some due to the VM).
It was only recently, when I tried again with 2.4.16, that I started getting some reasonable results with the 2.4 series. For your information, performance is about the same on 2.4 with my application; I cannot confirm the high-load stability issue yet as I need more time to test. But initial results tell me 2.4.17 is reasonably stable, with only one lockup so far (in two weeks).
Right now, a lot of people are already complaining about expired domains with NSI being released in an untimely fashion. Domains are released anywhere from 9 to 15 weeks and without consistency. Think about the frustration of waiting for a domain to be released while knowing that it has already expired....
Would this be a way for them to "selectively" release expired domains earlier?
I used to have early symptoms of CT in my right wrist, I guess due to improper mouse usage posture. I immediately switched to a Logitech trackball; it helped a whole lot. Within 3 weeks, I got rid of the pain.
For those of you that have CT related to using the mouse, consider using a trackball.
A buffer overflow on a DB server isn't as deadly as on a web server or other offered public services.
If the perimeter defense is set up properly, the DB should never be directly accessible from the Internet (barring some abnormal setup). Just for information, for those web applications driven by a DB, I prefer to have a different subnet behind the web server using internal IP addresses, so the DB is only accessible through the web server (from the Internet). Any overflow attacker will have to go through the web server and then the DB server.
Having said that, there is still a risk of internal attack (not to mention that a lot of security risk comes from the inside). So a quick patch is still very necessary.
I have had a few sites that require business partners to directly access the DB through a VPN; I see this as a high threat and try my best to guard it, especially because you cannot have a proxy-type filter from another vendor to screen the content (as you can for e-mail and web). IDS and firewalls will not catch a lot of the direct attacks. So the best way to allow access to the DB is still via an indirect method (such as letting the business partner use a web interface to access the data).
Because it is a way of version management and control.
2.4 and 2.5 are maintained by different groups of people. 2.5 is basically a playground for the kernel hackers to test big changes, and it might take several revisions to get such big changes right.
On the other hand, in 2.4 the changes are much smaller, mostly fixes and very important, proven improvements.
Please understand that changes in 2.5 do not sync with 2.4; things that show up in 2.5 will not necessarily be in 2.4. This gives developers (or kernel hackers) more flexibility to play around with things.
To learn more about this, play around with some source version control software like CVS and start branching off different versions of your code; then you might understand the need for a branch purely for testing.
For those of you that think Chinese is hard to learn: the Chinese that is used nowadays is already considered easy to use.
In the early 1900s, there was a movement to simplify the sentence structure and grammar. That really made Chinese much easier to learn. This would be like the old style of English (Thou, Thy, Thee...) being converted to the English we use nowadays. From my experience, it should take about 10 years of constant practice to master the new style and another 10-15 to master the old style.
Another major change is much more recent: the Chinese government decided that it is too difficult to read and write Chinese characters, which are based on symbols, so they simplified a lot of the characters. This version of Chinese (usually under GB encoding on the web) is widely used in China. Most other Chinese-speaking places, like Hong Kong, Taiwan and Singapore, still use the normal non-simplified version of Chinese.
I disagree with your points on a long-term solution.
The Chinese language has such a long heritage (older than English) that it is difficult to introduce any changes to it. Even the Chinese government's effort into simplified Chinese, which should make Chinese easier to read and write, is just creating a lot of confusion (but it works); do we want to go through the trouble of inventing another language?
The Chinese language is much more concise, with many fewer characters needed to represent a meaningful sentence (one of the most concise languages). Most characters have MANY different meanings (depending on the context of usage), sort of like one character of Chinese representing a word in English.
If you are wondering how Chinese people can master such a difficult language: most Chinese parents are very proud of the language, and it is a shame not to let the child learn Chinese. Plus the fact that it is a Chinese tradition that the child has extreme respect for the parents. This all makes the forceful learning (or memorization of characters) much easier. Not to mention that punishment from parents (physical) is considered to be OK.
There is a considerable Chinese population here in North America (YES, I am part of it); I have seen a report saying that in a couple of years, there will be more Chinese speakers in Canada than French speakers (an official language).
The point is, the 10 billion mainland Chinese people are not the ONLY Chinese; there are MANY Chinese that have uncensored Internet out here, such as in Hong Kong, Taiwan....
Materials in different languages should co-exist on the web without any problem, just as they do in real life. Here in Toronto, there are two Chinese newspapers and countless Chinese signs all around the city, and it never seems to pose any problem. The web should work the same.
In fact, there are already tons of Chinese materials on the web; due to the lack of understanding of Chinese by most "westerners", most of these websites are not visited by "westerners" for obvious reasons, so it does not seem like a large community on the web.
I just finished my undergrad degree a year ago; from what I have seen, the university made a lot of effort to stay away from Windows and maintain a Solaris-only lab to promote Unix.
Too many times have I heard different professors mention Unix (or Linux) design being better in certain ways (especially in courses related to OS design). All of this should promote Unix usage in general.
After all, it would be pretty lame to get out of university and not have any exposure to both Windows and Unix platforms.
This article raised an interesting point that most computer manufacturers (or VARs) would bundle the Windows OS as well. There is really no benefit to opting out and refusing to accept Windows in the bundle.
Since most average new computer users would prefer to buy a brand-name computer that comes with Windows, even if they are willing to try another OS (Linux), if they get into the slightest problem they will reinstall Windows and get on with life. This may also come from the fear that they will somehow void the warranty (I have not seen any stickers that tell you installing another OS will not void the warranty, but too many times have I seen something about touching or tampering with something that will void my warranty).
This would be a huge resistance to pushing Linux forward as a major desktop OS. Unless enough manufacturers get upset with MS and start pushing Linux, the chances of Linux getting popular on the desktop are still remote.
Future of IDS (on "Future Of IDS")
In the article from Vnunet, what is "top performer" in terms of the ability to detect packets before dropping them (amount of traffic)?
I recently qualified as a SANS GCIA; in my opinion, there is a lot of room for improvement in IDS. Other than the points mentioned in the articles, I would like to bring up a point about invasion and evasion attacks on the NIDS; they are hard to deal with, and HIDS is the real solution to this problem. However, everyone knows the difficulty in implementing HIDS across the network...... It would be great if they could do something about it (i.e. the NIDS knowing the TCP/IP stack of the client machine).
Also, there are some attacks that will not be detected by a NIDS because of their nature; we are back to the old style of traffic analysis. On some occasions, it can be solved by implementing "state" in the detection engine, but this will make things EXTREMELY slow.
There were earlier comments about IPsec killing IDS; I think this only depends on how you implement your IDS. For network-to-network IPsec, you might have to put the IDS behind the gateway if you wanna do analysis. IDS still has value in the network.
I find most people think of IDS as a simple technology that should be easy to implement; it can be true if you only monitor a small network, but when you have a large network and lots of traffic, it can get very messy.
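The two IDS posts above (signature detection producing false positives and missing non-signature variants, and a NIDS not seeing a request the way the client's stack does) can be shown concretely. The following is an added example, not code from any of the posts: a toy signature matcher run over constructed web server log lines. The log lines, the signature strings and all function names are constructed for illustration. The naive matcher fires on a harmless documentation URL and misses a percent-encoded variant of the request it was written for; the normalized matcher decodes the path first, which is the "know what the endpoint will see" idea from the post, and the result is still only an alert queue for a human to review, not an automatic block.

```python
"""Signature detection over constructed web server log lines.

Added example. Shows a false positive and a false negative from a raw
substring signature, and how normalizing the request path before matching
changes both outcomes. Everything here (log lines, signatures, names) is
constructed for illustration and is not taken from any real IDS product.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines in a Common-Log-Format-like shape.
# Line 2: a traversal attempt.  Line 3: the same request, percent-encoded.
# Line 4: a legitimate documentation page whose path happens to contain
# the bytes "etc/passwd".
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2002:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [12/Jan/2002:10:01:07 +0000] "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0" 404 210
10.0.0.9 - - [12/Jan/2002:10:01:09 +0000] "GET /cgi-bin/view?file=..%2F..%2Fetc%2Fpasswd HTTP/1.0" 404 210
10.0.0.7 - - [12/Jan/2002:10:02:00 +0000] "GET /docs/unix/etc/passwd-format.html HTTP/1.0" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not fit the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


# Naive rule: a raw substring, the way an early signature IDS matched bytes.
NAIVE_SIGNATURE = "etc/passwd"


def naive_match(entries):
    """Return the request paths the raw substring signature fires on."""
    return [e["path"] for e in entries if NAIVE_SIGNATURE in e["path"]]


def normalize(path):
    """Decode percent-encoding (twice, to also catch double encoding) and
    collapse repeated slashes, so the signature sees roughly what the web
    server would see after it decodes the request."""
    decoded = unquote(unquote(path))
    return re.sub(r"/+", "/", decoded)


# Tighter rule: require at least one "../" before the file name, so a plain
# documentation URL containing "etc/passwd" does not trigger it.
TRAVERSAL_RE = re.compile(r"(?:\.\./)+etc/passwd")


def normalized_match(entries):
    """Return the request paths the traversal rule fires on after normalization."""
    return [e["path"] for e in entries if TRAVERSAL_RE.search(normalize(e["path"]))]


def alert_queue(entries):
    """Build alerts for an analyst to review. The IDS only reports; the
    decision that an attack actually happened is left to a human."""
    return [
        {"src": e["src"], "ts": e["ts"], "path": e["path"], "status": e["status"]}
        for e in entries
        if TRAVERSAL_RE.search(normalize(e["path"]))
    ]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("naive signature fired on:", naive_match(parsed))
    print("normalized rule fired on:", normalized_match(parsed))
    for alert in alert_queue(parsed):
        print("ALERT for review:", alert)
```

Running it shows the naive rule flagging the documentation page (a false positive that an automated response would have acted on) while missing the encoded request (a false negative), and the normalized rule flagging exactly the two traversal attempts. The normalization step is the cheap part; knowing how every monitored host's stack will actually decode a request, as the post points out, is the expensive part.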
Please understand that EVERYONE in Hong Kong needs to have an ID card and has to bring the card anywhere the person wants to go. This system was implemented many years ago as a countermeasure against illegal Chinese immigrants (which was/is a big problem).
Believe me, old people carry their ID too; at least all my grandparents do, and they understand the importance of bringing the ID.
This is going to move the technology status of Hong Kong a large step forward due to the fact that everyone HAS an ID card, and under the law of Hong Kong (HK is not under Chinese law), a citizen of Hong Kong has to carry his/her ID card wherever he/she goes. (The police force in HK carries out ID card checks.)
Using this as an auth. method can be secure and should be available to anyone in local trading.
I was told that the reason for changing the ID to a smartcard is not only about technology advancement but also about the fake ID cards that some illegal immigrants are carrying. (The ID cards before were very low tech.)
University is just different from what you are thinking of. When we say we study databases, we do not actually get to study a lot of real-world stuff, but the theory and concepts behind them, like normalization, crash recovery and concurrency control. When studying OS, we do not actually study how to use an OS or how to admin an OS, but the concepts and theory of how an OS in general works. CPU scheduling, deadlocks, memory management and concurrent processes are taught in my school (York University).
There are just no courses at my university that teach the usage or admin of an OS. This is not what university is for, but college.
For those of you that think coding is hard and that's why the girls are scared, this is not the right situation. In CS, we learn more about the concepts and theory of computation. There are only 3-4 courses where you have to code, but the focus is still on the concepts. To me, it seems that women think differently than men. I notice that during recent group studies, when it comes to definitions, girls are the best, but when it comes to the application of the computation theory, girls just stop there. And this is not from only one girl but from about 10 females I have met in my university career. In the first year, I could see the classroom with about 40% girls, but now, in third year, only about 25% are left. BTW, there are exceptions to every rule; I have also seen some girls that do REALLY well in CS.
Why -o tcp in iptables? Is your output network interface called "tcp"?
Please understand that Hong Kong is a Special Admin Region, and HK is not under the DIRECT rule of the Chinese government.