Your non-existent knowledge about existing terrorism all over the world is scary. You happen to be from the US or from Israel, by chance? It would explain your restricted world view. For sure, you're neither from Europe nor from Asia or South America.
Just for the record: An end user is not a "stupid know-nothing". I'm the CEO of a consulting company, and I have to care every day for end users -- and they're very smart. UI design is actually part of my education; I did my Ph.D. thesis in the area of user-centered design.
With the term power user I classified users (a) whose main task is computer work and not different work and for whom small rises in efficiency pay off, much more than for people who don't use computers several hours a day; and (b) developers who are more of the abstraction-first and not the manipulate-first kind. (Read `Tog on Interfaces' for that distinction.) Mozilla is by developers for developers, just like Unix is - or was, once. And just as plain Unix (i.e., CLI interfaces) is not to the heart of everybody, Mozilla isn't. That's not bad, that's software for minorities; and that's fine.
As I wrote previously, I take exception with your viewpoint that Firefox is the follow-up to Mozilla. It isn't; it's a complementary development with a different target audience. What's so bad about that? Why do some Firefox supporters want to make Mozilla developers abandon their project? They should go on and find additional ones for their project part and both can live happily within MoFo.
Maybe that's because you like Firefox and don't use Mozilla?
Firefox is mom-and-pop-software and it's good at that. To achieve that goal, several design decisions were taken -- among them to remove much of the Preferences dialog that is confusing to end users. For us power users, it's not confusing, it's nice.
In addition, the last time I looked at Firefox (the 1.0 release) it did not have a password management facility that was as good as that of Mozilla. E.g., it wasn't able to remember proxy passwords. And it wasn't adaptable enough to use arbitrary mail clients; it wanted to use Evolution, or insisted on GNOME being installed, etc. (Neither of which is configured on my system.)
That observation made for a quick decision: While I install Firefox on my parents' Windows system, I'll continue to use Mozilla on my Linux system until Firefox has improved for power users.
I've done quite a few CM introductions at customers, both CVS/SVN style (version-oriented, central server) and CC/arch style (change-set-oriented, distributed).
In both cases, it boils down to:
If two people have conflicts, it is either an emergency bug fix, and they need to communicate about it anyhow. Then the bug fixer goes ahead and the module maintainer has to incorporate his bug fix.
Or it's that really both want to change the module at the same place. Then it's an organizational problem -- distribution and allocation of work should avoid this happening. If it doesn't, one has other -- more basic -- problems than conflicts in the code.
There is just one minor problem: Due to radiation and us having no shields against it, they will be so ill by the time they arrive on Mars that they will have problems walking...
This is not Star Trek; this is reality. First, we need better radiation shields. Then, we can talk about multi-month missions outside the Earth's magnetosphere.
He seems to be using several banks, as other posters have said as well. My first cheque is from 1983, and my last one from 2001. All were from Wells Fargo.
I'm basing that on the five cheques that I got for TeX-related errors, the one cheque that I got for an error in TACP in Vol.2, and on the 20+ cheques that Frank Mittelbach got as well. Frank is the only person I know who actually cashed some of his cheques. (Btw, I'm a member of the LaTeX core team.)
Knuth, who is the most humble person that I ever met, doesn't consider himself God either. He doesn't even consider TACP as his big contribution to CS.
According to him, attributed grammars are his big discovery. And since I still see PhDs spawned by his original article, he may be right in that. But it may also be his contributions to early programming languages, or other papers. Hell, he authored literally hundreds of papers (himself, btw; he's not the person to put his name on papers where he wasn't involved in writing.) His scientific account is not centered on TACP, but on other research. You're repeating folklore here.
Of course, as you can read, I'm biased; having had the honor to work with him.
Because they own it. If you got the retail version, you can readily transport it. If you got the cheap OEM version, you can't. Oh -- you want to rip off MS for their work? Too bad. Really, it's as simple as that -- and I don't think it's a problem.
Those who need MS software for business can afford to pay the license. If not, they're screwed anyhow, they will go bankrupt soon. Compared to other business expenses, MS licenses are negligible.
The rest really don't need it, they use it for convenience. So what? They have alternatives -- Linux, OpenOffice and other OSS or cheap software are ready to use. Don't use MS software if you cannot afford it. You have other alternatives.
(Btw, This has been typed on a Linux desktop. I need to work with MS software in my business line of work, and I would never pirate them or anybody else. I don't want anybody to pirate my own proprietary software either. I share my Open Source work, that's OK, but it's my decision what to share, as is MS's.)
But this subscription is worth every cent of its money. If you don't need to use MS products, don't pirate them; it's as simple as that. If you're an IT shop and need to try out MS products, this is a great service of MS.
We're a Sun PS partner, an IBM GS partner, and a MS partner. MS had to beat us to it, since we're all Unix guys. But I get the best product information and also marketing or sales material from MS -- whereas I get none from Sun or IBM. Looking from a business perspective, you have to be really convinced of Unix to stay with it: MS has more bang for the buck, though they are technically inferior.
I think we're not too far apart. You present solutions, but sadly not the ones that I need. (I knew them already and have systems deployed like you describe.) Since you made the effort of writing a sensible answer, I want to reply with some information about our case, maybe it's of interest to you.
Please note that I wrote: tunneling over HTTPS, not HTTP. I.e., over TCP/443, encrypted by SSL. Actually, in our case users most often use proxies; i.e., they tunnel over CONNECT requests. Snort signatures don't help a bit here, neither does "censorware".
Since the proxy typically terminates connections quite quickly, traffic analysis doesn't bring a lot -- there are no long-living connections. But some employees have quite intelligent setups and do regular re-connects. Due to heavy `normal' usage of the proxy and due to heavy SOAP usage over SSL, it's not easy to distinguish these frequent requests from the problematic ones.
The context: We're talking about companies with either >50,000 employees, or with IT staff >3,000. No ISP, large global company networks, connected to many suppliers and vendors. No ADSLs, no cablemodems visible, internally there are just VLANs that may be arranged as the network guys want. (And the LAN guys don't really talk to the security guys -- two separate departments, not even in the same org branch...) Dynamic blocks (i.e., DHCP) are used by all workstations, only servers have fixed IP addresses. This is a fairly common situation that occurs at several of my large customers.
Traffic analysis works for specific high-risk departments or for special business branches, and we do it there; but not `with minimal effort' for the general case. And this minimal effort was what I was questioning. Yes, it is doable, but the effort is not minimal and thus there must be a business case for it first. For our customers in the finance world, the business case is easy to make and we create solutions for them. But they involve manual work -- as you have written yourself. For our customers in the margin-sensitive automotive industry, it's a much harder issue. Fixed infrastructure costs have to be cut by 60%, to free money for new development. New deployments must not introduce additional regular manual work without lots of approvals. Welcome to the new world of autonomous computing where systems are supposed to `heal' themselves. ;-)
For the record: I'm not interested in catching people because they `skipped work' or whatever they are doing outside. IMO, this is a matter for their supervisor -- any supervisor who doesn't recognize that his staff isn't working on their assignments isn't worth his salary anyhow and will be cheated on. Neither am I interested in outbound connections -- there are lots of possibilities to get data out of house. I'm really worried about reverse tunneling, where people connect from the outside back into the Intranet, bypassing all security checks.
An example case: I had the case of a sysadmin who automatically connected every 15 minutes to his home machine, enabling himself to log in back to his work system via reverse tunneling. It was `to be able to check for problems'. He didn't want to use the available VPN solution (CP SecureClient) because we forbid routing on the VPN client side and he wanted arbitrary routing into his home network. (And thus with two hops from the Internet into the company backbone...) If it hadn't been for the regularity -- i.e., if he had used a more irregular connection pattern -- and if it hadn't been a separately protected and checked department network, we wouldn't have recognized him for a long time.
(1) Almost no session lasts as long, they're interrupted before. (2) Besides, there are a lot of valid long-running HTTPS connections (most of them are Web Service connections) and ssh connections. Even if I'm checking `just' the multi-hour connections, it's still several thousand per day. (I don't talk about solutions for small or mid-sized companies. This should have been clear from my OP already.) (3) And in the global networks of our clients, 8 to 5 does not cut it either -- which timezone? Matching internal IPs to timezones is almost impossible (read: not cost effective).
Minimal effort means automatically; since no manual check of outbound communication in any realistic setting can be done. I.e., one needs to detect timing patterns in communication that's different from normal traffic: If one has thousands of https connections, one can't check them all, to see which ones carry an ssh connection that has itself tunnels and which ones don't. One needs monitoring tools for this. Signature-based IDSs like snort or ISS RealSecure don't cut it for that task: too many false positives since timing-based signatures are notoriously difficult to create; been there, done that.
Therefore: I'm looking for such monitoring tools to detect tunneling automatically. Specifically, tunnelling over ssh port forwarding and tunnelling over stunnel (HTTPS proxy forwarder). I would also like to know if that tool prefers false negatives or false positives.
Since you present yourself as knowledgeable and are surely `worth your salt', you hopefully can enlighten me with pointers to such tools. Even though I've been working for 15 years as a security consultant, I've yet to see something that allows such a discovery task to be done with `minimal effort'. (Of course, I know that the task can be done, but the effort is seldom worth the result.)
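The one signal the posts above say did stand out was the regularity of the reconnects (the sysadmin who dialled home every 15 minutes). The following is an added example, not a tool from this thread and not anything the poster or his customers ran: it reads proxy access-log lines, keeps only CONNECT requests, and scores each (client, destination) pair on how regular its inter-arrival times are. Going one step beyond the posts, it also counts how many distinct internal clients use the same destination, since a personal home box is contacted by one workstation while a partner's SOAP endpoint is contacted by many. The Squid-style log lines are constructed for the example, and the thresholds are assumptions for illustration, not tuned values.

```python
"""Score proxy CONNECT requests for cron-like regularity.

Added example for this thread; not a tool the poster or his customers
used. Input is a constructed, Squid-style native access log (epoch
seconds, elapsed ms, client IP, result/status, bytes, method, URL, ...).
For every (client, destination) pair it computes

  * regularity: coefficient of variation (CV) of the inter-arrival
    times of its CONNECTs. A reconnect fired every 15 minutes by a
    script has a CV near 0; browsing and SOAP calls do not.
  * exclusivity: number of distinct internal clients that CONNECT to
    the same destination. A home box is used by one workstation, a
    partner's web service by many.

Thresholds are assumptions for illustration, not tuned values.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_REQUESTS = 4     # assumption: fewer CONNECTs give no usable interval statistics
MAX_CV = 0.15        # assumption: inter-arrival CV at or below this counts as periodic
MAX_CLIENTS = 1      # assumption: a destination shared by more clients is not personal


def parse_connects(lines):
    """Yield (timestamp, client_ip, destination) for each CONNECT line."""
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue
        yield float(fields[0]), fields[2], fields[6]


def interarrival_stats(timestamps):
    """Return (mean gap in seconds, CV) of the gaps between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if not gaps:
        return 0.0, float("inf")
    period = mean(gaps)
    cv = pstdev(gaps) / period if period > 0 else float("inf")
    return period, cv


def find_periodic_tunnels(lines, min_requests=MIN_REQUESTS, max_cv=MAX_CV,
                          max_clients=MAX_CLIENTS):
    """Return (client, destination) pairs whose CONNECTs are periodic and private."""
    by_pair = defaultdict(list)
    clients_per_dest = defaultdict(set)
    for ts, client, dest in parse_connects(lines):
        by_pair[(client, dest)].append(ts)
        clients_per_dest[dest].add(client)

    hits = []
    for (client, dest), ts in by_pair.items():
        if len(ts) < min_requests:
            continue
        period, cv = interarrival_stats(ts)
        if cv <= max_cv and len(clients_per_dest[dest]) <= max_clients:
            hits.append({"client": client, "dest": dest, "count": len(ts),
                         "period_s": round(period), "cv": round(cv, 4)})
    return sorted(hits, key=lambda h: h["cv"])


# Constructed sample: one workstation re-tunnelling home every 900 s, the
# same workstation making irregular SOAP calls, and a partner status
# endpoint polled every 300 s but from several different clients.
SAMPLE_LOG = """\
1131000000.512    120 10.1.2.3 TCP_TUNNEL/200 3120 CONNECT home.example.net:443 - DIRECT/203.0.113.10 -
1131000900.498    131 10.1.2.3 TCP_TUNNEL/200 3088 CONNECT home.example.net:443 - DIRECT/203.0.113.10 -
1131001800.505    118 10.1.2.3 TCP_TUNNEL/200 3140 CONNECT home.example.net:443 - DIRECT/203.0.113.10 -
1131002700.521    125 10.1.2.3 TCP_TUNNEL/200 3101 CONNECT home.example.net:443 - DIRECT/203.0.113.10 -
1131003600.509    129 10.1.2.3 TCP_TUNNEL/200 3095 CONNECT home.example.net:443 - DIRECT/203.0.113.10 -
1131000010.000     45 10.1.2.3 TCP_MISS/200 8812 GET http://intranet.example.com/ - DIRECT/10.1.0.5 text/html
1131000033.100   2100 10.1.2.3 TCP_TUNNEL/200 51234 CONNECT soap.vendor.example:443 - DIRECT/198.51.100.7 -
1131000790.300   1900 10.1.2.3 TCP_TUNNEL/200 49876 CONNECT soap.vendor.example:443 - DIRECT/198.51.100.7 -
1131002311.700   2300 10.1.2.3 TCP_TUNNEL/200 50211 CONNECT soap.vendor.example:443 - DIRECT/198.51.100.7 -
1131002400.900   2050 10.1.2.3 TCP_TUNNEL/200 50007 CONNECT soap.vendor.example:443 - DIRECT/198.51.100.7 -
1131000300.000    400 10.1.9.9 TCP_TUNNEL/200 2048 CONNECT status.partner.example:443 - DIRECT/192.0.2.44 -
1131000600.000    410 10.1.9.9 TCP_TUNNEL/200 2048 CONNECT status.partner.example:443 - DIRECT/192.0.2.44 -
1131000900.000    395 10.1.9.9 TCP_TUNNEL/200 2048 CONNECT status.partner.example:443 - DIRECT/192.0.2.44 -
1131001200.000    402 10.1.9.9 TCP_TUNNEL/200 2048 CONNECT status.partner.example:443 - DIRECT/192.0.2.44 -
1131000450.000    380 10.1.9.10 TCP_TUNNEL/200 2048 CONNECT status.partner.example:443 - DIRECT/192.0.2.44 -
1131000470.000    390 10.1.9.11 TCP_TUNNEL/200 2048 CONNECT status.partner.example:443 - DIRECT/192.0.2.44 -
"""

if __name__ == "__main__":
    for hit in find_periodic_tunnels(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample, only the 900-second reconnect to the home box is reported; the 300-second poll of the partner endpoint has the same CV of zero but is shared by three clients and is dropped, and the SOAP calls fail the CV test. With the thresholds as set the check prefers false negatives: a reconnect with a randomised interval, or a home box reached through a hosting provider that many workstations also use, will slip through, and connection duration is deliberately not considered because the proxy cuts long sessions anyway.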
They both sucked, IMNSHO. If you want a great series where a ship is lost in space, aliens need to be evaded (together with aliens on board), and the hero is trying to get back to earth -- how about Farscape? It kicks the shit back out of both Voyager and BG.
Disclaimer: I'm old enough to have seen both TOS and BG when they appeared on TV first. I was young enough (then) to not turn off BG.
The Rules of Law, no one [not even [...] Bush] are above the law.
You mean, like, jailing US citizens without proper trial, and without access to their lawyer? Or, like, ignoring the SCOTUS decision that this is even illegal for foreign detainees?
The current government of the USA has a blatant disregard for law, both national and international. And half of the voting US citizens thinks that's OK because `morality' and `faith' are more important than this old gimmick called `law' and `rights'. Gimme a break.
Nah, one just has to combine it with other measures. E.g., my setup: Connect the AP to a special NIC; use iptables to block everything on that NIC except IPsec, set up a road-warrior VPN. (My notebook is also running firewalls both natively and in all VMwares.) No WEP, no WPA. SSID is broadcast, it doesn't matter.
If somebody compromises my network, it will probably not be over my no-WEP/no-WPA Wifi setup. You can connect to my AP as long as you like; but you won't get any further.
Because you worked for a company that cheated on its customers doesn't mean that the Y2K problem wasn't real in other areas. I know that the errors in the bank systems that I fixed in 98 and 99 would have cost hundreds of millions and would have most likely cost employees their jobs. (Even a bank cannot endure such losses without counter actions.)
This might not be relevant to you, but then, you worked for a company that made a scam their business principle. Not someone I would buy anything from.
I was there at the time, I know the history of the Lucid Emacs/FSF Emacs split. (I'm an old fart in the free software area.)
Disclaimer: I had my clashes with RMS as well; I know how stubborn he can be. But that is exactly my point: RMS insists that he is the one (or better: that the FSF is the one) to define the meaning of "free software", as opposed to "open source". This meaning has its agenda, and he openly acknowledges that agenda. The OP implied that the agenda is user centric, and I differ. It's very much focused on the projects, both the technical projects and the meta-project `make software free where we define the technicalities of free'. E.g., the dreaded `assign your copyright to us' issue.
If you think so, check out the archives of emacs-devel@gnu.org, the recent thread "Permission to use portions of the recent GNU Emacs Manual" where the XEmacs developers ask to be able to use updates of the GNU Emacs manual.
The GNU Emacs manual has recently changed its license to the GFDL.
Their request was denied by RMS. RMS explicitly expressed that this denial was done to inconvenience XEmacs developers and their users. The thread is interesting -- it shows that the FSF is clearly not user centric, but project centric; and they define what Free Software is, in the end.
Re:In the hope someone important at Sun reads this (on Sun-isms Debunked)
Well, how about -- using the less that comes with Solaris and is installed by default?
Concerning the GNU tools, they're on the Companion CD, which many admins choose not to install. (Don't know why.)
Or a non-native English speaker.
The micropayment solution is simple: They tend not to get cashed, usually. E.g., I have a few of them on my office wall... :-)
Enough rambling, have to get back to work now.
The case was good, but the amount of money was insane.
Tip: In such cases, ask Google with define: IMNSHO. It's also in the Jargon File, though obscured as it's only mentioned in the IMHO entry.
Btw, I agree with you on Voyager.
Are you a troll, or are you a jerk?
You're right with vi.