Slashdot Mirror


User: sodell

sodell's activity in the archive.

Stories: 0
Comments: 5

Comments · 5

  1. Marketing is the focus on Why Have Movies Been So Bad Lately? · · Score: 1

    Hollywood has become very good at marketing movies. How to get movie-goers excited about a new movie has become a science. So long as a significant fraction of movie-goers can't see past marketing and go to see movies simply because a trailer made a movie "look really cool," the movies will be aimed at them, not at those critical of their quality.

  2. Homing Instinct on Ants Use Pedometers to Find Home · · Score: 2, Interesting

    What I find most interesting is how important it is to an ant colony to have inhabitants which wander and can navigate back to the nest. It seems so important, they've devised two different methods; one which depends on odor and this pedometer method. This specific need is so fundamental to their existence, it appears to drive their evolution.

  3. Basic Stuff on Overconfidence in SSH Protection · · Score: 5, Informative

    The article illustrated one very convoluted way to break your DMZ security, but failed to make the simple statement: don't trust anyone, not even root, on your DMZ hosts. Allow SSH logins into the DMZ, and allow the DMZ to pull files from private network patching servers, such as apt repositories, but don't allow anyone to SSH from the DMZ to the intranet. Assume the DMZ is cracked wide open and keystroke logging. No one is going to get past the DMZ by watching you type 'apt-get install squid' but they will by watching you type 'ssh root@creditcarddb.int' and then the root password.

    Anyone who tunnels from the DMZ to a trusted host which can execute commands on a sensitive server can't see the forest for the trees. You've learned how to use SSH and tunnel, but you're lacking some basic common sense.

    Also, I don't see what good a socket catching the authentication will do ... you can packet sniff the authentication process all day long and you won't get someone's private key.

    That whole article seemed a bit of voodoo itself. Many incongruous statements, like "If the hacker has root on Box D, he or she can point a private copy of the agent forwarding software to that socket file and thereby point the authentication process to the administrator's credentials--the ones kept on the "safe" intranet."

    What does that mean, exactly? You direct the authentication process to a socket file and point the process to the admin's credentials? If the socket is on the DMZ host, and the credentials are on the private network host, how can you point the authentication process to those credentials?

    Maybe I'm stupid, but the article didn't seem to make a lot of sense.

  4. Re:This isn't very elegant lb'ing MySQL cluster on How To Set Up A Load-Balanced MySQL Cluster · · Score: 1

    I agree about the hardware load-balancer being unnecessary. Round-robin balances just fine, and if you have keepalived on the nodes, all your interfaces will be available if one of the nodes drops out of the cluster for any reason, so none of the addresses in DNS will look "dead" to clients.

    Question: which process would replicate sessions?

  5. Parody on Google Violates Miro's Copyright? · · Score: 1

    I'm not a lawyer, but isn't Google's use of the style considered a parody, and aren't parodies of copyrighted works considered protected speech?