Slashdot Mirror


User: SquadBoy

SquadBoy's activity in the archive.

Stories
0
Comments
1,754

Comments · 1,754

  1. Re:Thin Clients, Fat Pockets on The Current State of Ajax · · Score: 1

    apt-get install sense-of-humour

  2. Re:Thin Clients, Fat Pockets on The Current State of Ajax · · Score: 1

    Bah. Gmail takes a browser; talk about bloat. Mutt, now *there* is a thin client.

  3. Re:RFC4109 on New, Faster Attack against SHA-1 Revealed · · Score: 1

    Yes, it was somewhat badly worded. I meant "able to break in half the time."

  4. Re:RFC4109 on New, Faster Attack against SHA-1 Revealed · · Score: 4, Insightful

    It does have implications for IPsec but the main question you are starting from the wrong place. The first question you should be asking yourself is "Who is my enemy?". For the sake of this discussion let's assume the worst and go with the NSA.

    The next thing you should be asking yourself is "What am I protecting?" Since we are assuming that the NSA is your enemy let's go ahead and say that you want to blow up rather large and expensive things that the USian .gov would really rather you not blow up.

    And the last factor is "How long do I want to keep this secret?"

    For the sake of argument let's assume that the NSA can do twice as well as any known attack. Given all of that if the answer to the last question is "years" you have something to worry about. If it is months you very likely have something to worry about. If it is "weeks", "days", or "hours" you are very likely safe.

    So yes at some point in the future if you have a long planning horizon it could matter.

    What this all means is that you want to pay attention to all of this but there is no need to panic. At this point SHA1 is still better than MD5 for most things. So use it, pay attention to it, and most of all you might want to evaluate what traffic you are passing. I've *always* been against passing secrets over an IPSec tunnel with a lifetime of more than a few months. This is simply because, IMO, IPsec is too complex to ever be safe over a long planning horizon. I'm in pretty damn good company here.

    So pay attention and be ready to change when things change. And they *will* change. And I would not send anything that has a long lifetime over the wire.

    http://www.schneier.com/paper-ipsec.html

  5. Re:Several corrections... on Firefox Share Slipped in July for the First Time · · Score: 1

    Granted my IE knowledge is outdated. Before I pulled up the copy on my work desktop to look yesterday it had been *months* since I had last looked at it.

    So you think that Microsoft using their near-monopoly on the desktop to force more people to buy more MS servers and to increasingly use only their browser is a good thing?

    Name a "new technology" that MS has come up with that is cross-platform. Now name one that has come out of the OSS world that isn't. That would be my point.

    Has nothing to do with technology. Has to do with the fact that you can't seem to see that this is a power-grab and all about vendor lock in. So how is that a good thing?

  6. Re:Several corrections... on Firefox Share Slipped in July for the First Time · · Score: 1

    Version: 6.0.2800.1106.xpsp22.030422-1633CO
    Update Versions: SP1; Q330994; Q831167; q837009; Q832894

    "IE6 has a popup blocker as part of the browser, has for like a year now. So I don't know how old this cut and paste is, but it's seriously misinformed."

    It was written nearly 18 months ago. But looking at a current copy of IE6 I can't find such a thing. Point it out, please.

    Where is View Objects? Can't find it. OTOH in FF it is obvious where to do it. In Konq it is just a dream to be able to reject or accept on the fly. IE still seems to be behind in all these areas.

    Never said it was perfect. Just better than IE which, granted, isn't hard to do. But still.

    Yeah. For the same reason everybody else in the OSS community gives code away. Yes and all of those "new technologies" are going to require Windows on the desktop and more and more in the server room. This was my point.

    Yes it does matter but you'll never grok why.

  7. Re:Marketshare Stabilized on Firefox Share Slipped in July for the First Time · · Score: 3, Insightful

    Copy and pasted from a thing I wrote several months ago, can't be arsed to edit for /. but you'll get the idea.

    Browsers matter for a number of reasons. I'll start off with feature sets, then security, and end with why what browser you use or don't use matters to the future of the net.

    Microsoft has basically decided that they won the browser wars years ago and have since then pretty much paid no attention at all to adding real features to IE. Here is a short list of some of the things you are missing if you are still running a legacy browser.

    Popup blocking. Everybody hates popups but they are everywhere and are going to be with us for as far as we can see into the future. Now you could run IE and a popup blocker, that is just one more app taking up resources on your machine. Both Firefox and Mozilla provide popup blockers as part of the browser. This can make your surfing faster and provide for a better overall experience.

    Tabbed browsing. Almost every modern browser offers some version of tabbed browsing. This is a feature that lets you view more than one site in a tab within the browser. Besides the obvious advantage of conserving screen space it also uses fewer system resources.

    Cookie management. Proper management of cookies is critical to maintaining your privacy and security online. With IE it is *very* hard to do. But just about any modern browser gives you the ability to see who has placed a cookie on your machine, who has accessed the cookie and to manage who can access it and to easily delete them.

    There are so many security holes and ways for crackers to use IE to exploit your system and steal your data that I'm not going to take the time or place to list them here. In addition to the sheer numbers they change so often that any attempt to list them here would be outdated almost before I can publish it. So I'll just point you at the list maintained by Browsehappy. It contains links to the latest holes and also to a number of very good articles on why IE is not safe.

    The argument I often hear at this point is "I don't have anything worth stealing on my computer, why should I care?". The answer is that the analogy to an unsecured computer is not you leaving your front door open and someone stealing your TV. The more correct analogy is you leaving your front door open and a machinegun just inside of the door which is then stolen and used to commit crimes against others. An unsecured computer on the net is a weapon. This is why you should care. I will go further into this in a later post.

    It matters what browser you choose to care. Have you ever stopped to ask yourself why Microsoft has spent so much time and money on a product that they give away? Certainly not because they are good hearted people. Due to the fact that a huge number of people on the net use IE many websites and applications that use a browser are written to only work with IE. This helps to tighten the grip that Microsoft has both on the desktop and on the server. This leads to a lack of choice, a drop in quality, and increased insecurity for everyone. By simply using a different browser you can help fight this and help bring increased choice and quality to the net.

  8. Re:Hacking? on Infosec Career Hacking · · Score: 1

    Many fans of Alton Brown, to include myself, already use that term to refer to what we do. Simply put hacking is a term that describes, very well, a lot of what we all do. Thus the widespread use.

  9. Re:glamorous on Pentagon Wants Screenplays From Scientists · · Score: 1

    I'm late. But really that was *far* too easy.

  10. Re:I wonder about the success of this program... on Open Source Replacing Books in Kenyan Schools · · Score: 1

    Yes because clearly the intent is to have them pull all nighters.

    Many of these folks, just like our ancestors, are working from pre-dawn to after dark just to get by. I can see how an hour or two of light once it's too dark to work could be a great benefit.

  11. Re:Sounds UNimpressive to me... on Cell Phones Predict the Future · · Score: 1

    "I've heard it said, whether or not correctly I do not know, that if you simply predict that tomorrow's weather will be the same as today's, you will be accurate more often than the weather service."

    Not quite that simple but *very* close. Basically it's a big book of observations from the past and given a certain set of criteria a large chunk of the time it will come out to be the same.

  12. Re:Legal Liability on Orkut Linked To Drug Ring Bust · · Score: 1

    I've paid nothing but cash for my t-mobile account? What country are you in? Cause it ain't .us.

  13. Re:America on ESRB Revokes San Andreas Rating · · Score: 1

    It's really a very simple concept. At 18, a mostly arbitrary age, you are "of age". Before that you are not. There is a list of mostly arbitrary things you can see, buy, and do before you are of age and after you are of age. .ukia has the same thing but I think it's 16 for you guys, I could be wrong with the age. Basically there are many things that almost everyone agrees should be controlled by age; nobody can agree on what age or exactly what things, so over the years a list of arbitrary things/ages has been made in various places.

    So to answer your question it's an arbitrary legal restriction.

    Did I use the word arbitrary enough? I really hope I did.

  14. Re:The return of the Push Internet... on The Future of RSS is Not Blogs · · Score: 1

    The difference is that I have Snownews installed on my OpenBSD box. I am now able to, in a few minutes and in a format that I really like, get my news from just about anyplace on the planet.

    It makes getting news in 5 minutes at a kiosk in Narita or Changi dead easy and much faster than looking at the sites in question.

    That and last I looked you could not do fun things like this with the old push stuff either.

    So yeah it may be a similar idea but the big difference is that this time implementations don't suck.

  15. Re:Nice logic, but on Tear Down the Firewall · · Score: 2, Insightful

    Security is like ogres, onions, cake, and parfait.

    It's all about layers. Far too often people do perimeter security and call it a day and far too often people argue that if your hosts are hard that you don't need to worry about the perimeter. You need both.

    Now granted I didn't rtfa but the summary makes sense in some situations that we have where I work. I maintain 5 firewalls with up to 16 ports each. Most of those are internal and a great many of those firewalls/interfaces could be safely done away with using a model similar to this one. But you would be insane to rip out the perimeter. You would also be insane to ignore your middle. Far too many places do just that. So it's all about balance young grasshopper.

  16. Re:free oss? on OSS in One-Fifth of Japanese Businesses · · Score: 1

    It'll depend on the shop.

    Here OSS costs less. Mostly cause I'm here and can build OpenBSD and/or Debian boxes to do just about any job I need them to do and they just sit there and do their job. Contrast this with the attempts at doing anything with Checkpoint/Cisco that always seems to devolve into support calls.

    Clearly it's going to depend on the skillset of your people but I can almost promise that in the year of our lord 2000 and 5 that almost any IT shop is going to have at least one geek who already has the CDs in his bag and the skills to do the job. This is, IMO, because in contrast to closed source stuff that hacking on OSS systems is *fun*.

  17. Re:And guess where they probably won't end up on Britain to Pilot GPS Speed Governors · · Score: 1

    I think what he was talking about is best summed up by a thing I've seen many times. A cop car will approach a yellow light. One where you or I would have to stop. They will flip on their lights and sirens and go through only to turn it off on the other side.

    This privilege of theirs does get abused. Can't say that I've ever seen that kind of abuse from other emergency workers.

  18. Re:NAT on Federal Agencies Must Use IPv6 by 2008 · · Score: 1

    There is not a single major VPN implementation that can't do NAT traversal by default.

    Also I have yet to hear a *single* example of a NAT problem that doesn't stem from coders ignoring OSI. The simple fact of the matter is if coders would start doing their jobs right NAT has no problems. But they just can't seem to grok the idea that they need to stay in their layers. And/or are too lazy to figure out how to do stuff right so they break the model and then say that NAT causes problems.

    Granted I'm just a net admin but I *really* do not get it.

  19. Re:ESR on drugs on We Don't Need the GPL Anymore · · Score: 1

    With a uid that low I'd think you would recall the unpleasantness with BSD and AT&T back in 1992. But maybe I'd be wrong on that.

  20. Re:-1 Troll on Who Cares if Analog TV Goes Dark? · · Score: 1

    Not sure where you live. But here Comcast doesn't and in fact can't force you to bundle TV and Internet.

  21. Re:"Scathing" != "Untrue" on Linux For Losers According To De Raadt · · Score: 1

    Heh. You would think so. But no it turns into. "Somebody wrote the thing then *gave* it to me and now you are trying to help me for free and I don't want to think. You suck"

    OTOH a OSS consultant (and since every geek I know either does or wants side jobs that includes almost every geek in the world I think) and business matchmaking service with some of the I'll teach for free to get a rep thing does seem like a good idea.

  22. Re:Cut to the chase - $3.4 million on How to Become A Real-World Superhero · · Score: 2, Funny

    The mecha suit for when you have to beat the living shit out of Superman: $?

  23. Re:Professionally? on Google Maps Now Cover Whole World · · Score: 1

    Well not for the public. But you claim to work for the government.

  24. Re:Professionally? on Google Maps Now Cover Whole World · · Score: 1

    When I worked for the government we got all of our data for free from the source. After all it *is* owned by them. I call bullshit.

  25. Re:"Scathing" != "Untrue" on Linux For Losers According To De Raadt · · Score: 1

    Very nicely put.