You're right, but you don't continue with your tale. It would be the job of the manager to take those estimations and turn them into something useful, by adding the paperwork that the programmers often don't count. After all, resource and time planning is the damned job of a project manager, that's why they are in.
Instead, they pressure the programmers to deliver even lower estimations than the original already-too-low ones, to look good in their budget projections.
I do troubleshooting of projects, and I cannot count the occasions any more where I have seen that pattern.
In most companies, the whole project planning business is fucked up. Sound and down-to-earth advice exists, e.g., Tom DeMarco's book "Waltzing with Bears". But it is neither known nor respected.
The check was done by customs. Customs officers are allowed to open and check all stuff that comes in or out of a country, be it trade secret, unreleased copyright material, or not. If you try to bring customs officers to court for checking one of your packets that you received from abroad (or sent), you will be laughed at.
The Elements of Style by W. Strunk and E.B. White has been mentioned several times already.
I would throw in my hat for another book in a similar vein: On Writing Well, 30th Anniversary Edition: The Classic Guide to Writing Nonfiction, by William K. Zinsser, that is just about to be released again. (ISBN: 0060891548) It's an excellent guide that makes one think about the cluttered way one often writes.
No, the real hottie started in TOS with however-she-was-called-as-nurse (Christine something, Chapel or so) and continued in TNG and DS9 as Mama Lwaxana Troi. (Well, and of course as the computer's voice. After all, she was the inspiration for Sigourney Weaver's role in Galaxy Quest.) Well, and she's the only one who has been featured in all five ST series.
She is and remains the real hottie in the ST universe. Carry on, Majel Barrett-Roddenberry!
Think about it - did you tell your business users what was mission critical or did you ask them ?
I think your question implies one-way communication and decision. That would be very unprofessional. If I tell them, business requirements would not be well reflected; if they tell me, IT costs would not be taken into account.
SLAs are created via communication between business users and us. My experience shows that it is sensible for such negotiations to have categories in which systems are placed, and many factors determine that placement. Business uses/requirements, failure scenarios, associated business processes, outage costs (both in IT and in business), projected lost revenue, importance of the respective business department, and such. The categories serve to enable more standardized services and processes, to restrict and better plan IT costs, which is a business requirement in itself.
It is good to have labels for the categories, it helps to further the communication and negotiations where systems are placed. (Almost every business owner thinks that his systems belong in the top category, but doesn't want to pay the price for it.) "Mission-critical", "important", and other terms have proven to be good labels, that are well understood and interpreted both by business owners, business users, and IT staff alike.
I don't care if you call that backward. It works as a means of communication, and that's all that counts for me.
In fact, it isn't even relevant for my posting. The OP asked if somebody has precise definitions for this "buzzword", and I replied that I have them; even at several institutions, not just at a single one. He is an arrogant jerk who thinks that every technical term is well defined (hint: try to look up RTO) and that every business term is a buzzword. Reality ain't so trivial, but luckily most persons can use context to determine the meaning of terms.
Btw, please note that this ain't "my IT shop". Communication between business users and technical staff is something that I'm called in and paid for, that's the core of my business; I'm the CEO of a consulting company.
Mission-Critical
Buzzword. Use "Urgent" "Immediate attention" etc.
At those IT shops where I do consulting, the terms "mission-critical", "business important", or "business foundation" are defined very precisely in the Service Level Agreements, as categories of systems with defined availability demands, defined maximum outage times, and defined RTO/RPO for disaster recovery. The category "mission-critical" has often additional associated service level requirements, e.g., maximum answer times for end users.
And this is quite standard in most current SLA contracts that I have seen. So, while the OP and you think that these are buzzwords, in well-run IT shops they have very specific and very precise meaning.
I agree with you that Ingo's patch is not the solution. I don't agree with you that this ain't no business for the ssh server. Please take note that I don't argue for inclusion of Ingo's patch. I take exception to the arguments that (1) this is purely a firewall issue and (2) that defenses for DoS attacks and dictionary attacks are the same. IMNSHO, this is an ssh issue; and defenses must be different. How they are implemented is a different issue.
An interesting solution that I have seen is to use PAM and implement connection throttling for bad logins there. This might be a very good solution since it works for other login services as well. (Sorry, no URL at the moment. I think I read in LWN about that.)
Concerning
Another way would be to parse a logfile of your choice for violations of your choice and feed the resulting IPs to the firewalling ruleset of your choice. Requires a little script.
I have to say that this is not as easy as it sounds. Partly because there are no good log file watchers out there. (swatch is dead, xlogmaster is dead for all purposes, and logsurfer is frozen. Any other tool?) There are some scripts out there that try to do this, but they all fall down in practical environments. To give you an idea about the problems:
THE PROBLEM:
We need open ssh connections from the outside.
We can not turn off password authentication for all users; it must be possible to log in from a customer or a friend's system when one doesn't have one's private ssh key.
Lots of password attacks are run against open ssh ports. We want to defend against these attacks in a reasonable way.
THE REQUIREMENTS:
It would be best to react only on attacks, and not on arbitrary ssh connections. Alternatively, reacting on lots of ssh connections from the same IP address in a short time frame is possible and can be used as an approximation for an attack situation.
Manually maintained configuration files should not be changed permanently by automatic procedures. This makes those files hard to maintain and makes them differ from their committed version. (Most configuration files are under version control.) If the protection mechanism needs to keep state, it shall do so in its own file.
The ssh server is not necessarily run on the firewall. I.e., the firewall may forward ssh connections to a system in the DMZ.
The solution must be integrated into the operations environment. I.e., proper integration into boot procedures, monitoring, log rotation, and other operation processes is mandatory.
False positives may happen, i.e., categorization of ssh requests as attacks that aren't. It must be possible to manually correct false positives.
Observation has detected that attacks from the same IP address are rare for a longer duration. Using all IP addresses where any attack has ever happened for ssh request rejection is therefore overshoot. It reduces performance and is not good for manual inspection in case of connection problems or false positives. As a risk mitigation strategy, it is sufficient to keep connection reject lists for the duration of server uptime, i.e., the list can and should be discarded at boot time.
SOLUTION APPROACHES:
There are several scripts available that parse log files for failed password attempts and modify /etc/hosts.deny after an attack has been detected.
These scripts modify a manually maintained configuration file. The deny rules in this file grow without bounds, no purging is ever done. Integration in boot and log rotation processes does not exist. Therefore we have chosen to skip this approach.
The ipt_recent module for iptables allows specifying thresholds for the number of connections in a given time, specific for IP addresses and protocols.
That solution would be a very good choice -- if it would work. ipt_recent doesn't work corr
So because it is something 'you' want to do specifically it should be added to the source tree for openssh
I have never written that. Please don't put words in my mouth.
I have taken exception to the argument that reactions to ssh attacks are purely a firewall issue and have nothing to do with the ssh server framework itself. This is an ssh issue. Yes, it is open to the developers to tell that they don't want to implement it for other reasons, but no, deferral to perimeter defense (i.e., firewall) ain't no solution.
And if you look how often the issue of ssh attack protection comes up on regular user email lists of distributions, then it is an issue for many people. E.g., on the suse-linux-e list, it comes up at least every two months, and has long threads every time. Thus, it is a concern that is shared by many people.
Connection throttling to prevent DoS attacks or overload situations is something different than throttling or blocking of attacks. I want support for the latter and have said that the former is not sufficient as replacement. You may have a different opinion, that it is sufficient for you, but don't tell me what I want. For my case, the throttling values are completely different for both scenarios, and the rules when an IP address is allowed again are different, too.
No. I want rate limiting (or blocking) only for unsuccessful login tries, not for successful logins. That cannot be done with a firewall, since the firewall doesn't know about login success or not.
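The requirements in the thread above (react only to failed logins, keep state in the tool's own file rather than in hand-maintained configuration, allow manual correction of false positives, and discard the reject list at boot) can be met by a small log watcher. The following is an added example written for this page, not code from any poster or from OpenSSH; the log lines, host name, IP addresses, the syslog year and the threshold/window values are constructed. It counts "Failed password" lines per source IP in a sliding window, ignores an allowlist, forgets an IP's failures after an "Accepted" login, and only emits firewall rules for an operator or wrapper to apply, so it never edits /etc/hosts.deny or a committed ruleset itself.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# The two OpenSSH auth log lines this watcher reacts to. The "invalid user"
# prefix appears when the account does not exist on the system.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_syslog_time(line, year=2006):
    """Classic syslog lines carry no year; the caller supplies one (assumed here)."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


class FailedLoginTracker:
    """Sliding-window counter of failed sshd logins per source IP.

    Blocks only on repeated unsuccessful attempts (a firewall alone cannot
    tell those from successful logins), keeps its own state, and supports an
    allowlist plus manual unblocking for false positives.
    """

    def __init__(self, threshold=5, window_seconds=300, allowlist=()):
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.allowlist = set(allowlist)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> ISO time of the block decision

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a block."""
        m = FAILED_RE.search(line)
        if m:
            ip = m.group(2)
            if ip in self.allowlist or ip in self.blocked:
                return None
            ts = parse_syslog_time(line)
            recent = self.failures[ip]
            recent.append(ts)
            # Drop failures older than the window so old noise never accumulates;
            # the entry just appended is never older than itself, so the deque stays non-empty.
            while (ts - recent[0]).total_seconds() > self.window_seconds:
                recent.popleft()
            if len(recent) >= self.threshold:
                self.blocked[ip] = ts.isoformat()
                del self.failures[ip]
                return ip
            return None
        m = ACCEPTED_RE.search(line)
        if m:
            # A successful login is not an attack: forget that IP's failures.
            self.failures.pop(m.group(2), None)
        return None

    def unblock(self, ip):
        """Manual correction of a false positive; True if the IP was blocked."""
        return self.blocked.pop(ip, None) is not None

    def firewall_rules(self):
        """Rules for an operator or wrapper to apply (ssh port 22 assumed)."""
        return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"
                for ip in sorted(self.blocked)]

    def to_json(self):
        """State in the tool's own file, discarded at boot if the file lives on tmpfs."""
        return json.dumps({"blocked": self.blocked, "allowlist": sorted(self.allowlist)})

    @classmethod
    def from_json(cls, text, **kwargs):
        data = json.loads(text)
        tracker = cls(allowlist=data["allowlist"], **kwargs)
        tracker.blocked = dict(data["blocked"])
        return tracker


def scan(lines, tracker):
    """Feed every line; return the IPs blocked during this scan, in order."""
    return [ip for ip in (tracker.feed(line) for line in lines) if ip]


# Constructed sample: a dictionary attack from 192.0.2.10, one typo by a real
# user from 198.51.100.7, and one failure from an allowlisted 203.0.113.5.
SAMPLE_LOG = """
Mar 12 10:15:01 gw sshd[2301]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar 12 10:15:03 gw sshd[2301]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar 12 10:15:06 gw sshd[2304]: Failed password for root from 192.0.2.10 port 40130 ssh2
Mar 12 10:15:09 gw sshd[2306]: Failed password for root from 192.0.2.10 port 40131 ssh2
Mar 12 10:15:12 gw sshd[2308]: Failed password for invalid user test from 192.0.2.10 port 40135 ssh2
Mar 12 10:15:15 gw sshd[2310]: Failed password for invalid user guest from 192.0.2.10 port 40140 ssh2
Mar 12 10:16:00 gw sshd[2320]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 12 10:16:10 gw sshd[2320]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Mar 12 10:20:00 gw sshd[2330]: Failed password for bob from 203.0.113.5 port 52000 ssh2
""".strip().splitlines()

if __name__ == "__main__":
    tracker = FailedLoginTracker(threshold=5, window_seconds=300, allowlist={"203.0.113.5"})
    for ip in scan(SAMPLE_LOG, tracker):
        print("block", ip)
    for rule in tracker.firewall_rules():
        print(rule)
```

The window is what keeps the reject list from growing without bounds: an IP that fails once an hour never reaches the threshold, and the state file holds only the block decisions, not a history of every failure. Integration into boot, log rotation and monitoring still has to be done around it, as the thread points out.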
I don't think that a request to reiterate the main points of his research is a good start for a sensible discussion here. (Not that I expect many sensible discussions on /.) Especially not if some of these questions are answered on the homepage and the `About this project' page. Your claiming that the data is sent without user consent -- when the first paragraph on the home page tells that data is sent back -- and then slowly backpedalling is not a good start for a /. discussion either.
If you had concentrated on one issue (e.g., the relation to Dr. Watson and/or Mozilla's Talkback) you would have had a point, IMHO. Otherwise, it was simply an overbroad request that looked as if you're too lazy to inform yourself before posting.
asking us to read 170-odd pages of your dissertation is a little much.
Why? If you're really interested in that area, that's not much material and it's important research. I know that I'm going to read it just because it's interesting.
But if you're not deeply interested, you will be able to pick the most interesting bits by looking at the table of contents, won't you? Or is that too much effort, too? Besides, the project has a Web site that is even referenced in the /. blurb -- did you even bother to look there for an answer?
Please note: I'm not connected to the CBI project, don't use the software, and don't know Ben Liblit.
Secure, might be. But reliable? My syslog servers are very often HA clusters to catch outages. (After all, the logs might be from mission-critical servers.) Serial cable connections don't cut slack here, sorry. Proper planning of a syslog infrastructure must be targeted towards the situation at hand and the audit requirements. For firewalls, your approach might work. For an SAP database server, OTOH, I wouldn't use it. That said, syslog-ng is almost always better than classic Unix syslog for any data center scenario that I have encountered in the last years.
But what I wanted to tell the OP is: good implementation of system logging is one of the areas that look trivial at first and open up a whole can of worms if you look at them in detail. It was a badly chosen showcase for the supremacy of some sysadmin over another.
Existence and usage of CPAN -- one of the repositories with the widest reuse of library code -- contradicts your empirical evidence and points out another root cause for your case: That guy is simply incompetent.
Whereas, just configuring syslog is often not a solution either. One has to use syslog-ng to get reliable TCP connections and then still has no encryption.
Countered civil rights approaches? German supreme court decisions: Schäuble's shoot-planes legislation was stopped. The right of citizens about their own information (`informationelle Selbstbestimmung'). Schily is gone. (Well, the parliament-ignoring Zypries is still there. :( )
You're right that the last ten years were a set-back. We were stronger before. But this doesn't mean giving up. It means we have to try to get more (young) people into politics, into ATTAC city groups, into local community-based citizen organizations, into our own lobby organizations (FFI, FIFF, etc.), and into the parties [sic!]. It means to go into your local professional organization (like the GI) and change its politics because they are asked by politicians what to do -- even though one might despise the `old' men that are currently at the front. Let's replace them! That's the only way to get forward -- getting active, politically.
I have been doing so for more than 25 years. What are you doing?
Oh, I like manifestos. Especially if they lead citizens to discuss them, or bring them to action. Everything that brings more people into politics and starts to get them uncomfortable about the world they're living in.
Much better than a bunch of lobbyists taking over the US, breaking US laws, and getting away with it because nobody's interested.
But just for you, I have another quote, from Ice-T: ``When people talk about the system, then it's Rock 'n' Roll. When they talk about popcorn and ice-cream, then it's Pop.'' (I have better political ones, but they are in German. :( )
I don't think so, in particular in view of your signature. The French Revolution leaders explicitly referred to the US.
And I still think that the US has much to offer, both personally with its overflowing (sometimes naive) optimism, and with its political views and history. It's just sad that the current government gives a shit about that.
Freedoms? Right to a speedy trial. (There are still Muslim US citizens detained, without trials, in the USA.) Right to privacy in communication. Restriction of free movement (no-fly list et al.). Spying on US citizens without cause and without judicial oversight.
To counter means to fight against it. What else? Discuss it in Feuilletons? But I mean fight in a civilized sense.
If you really think that this fight needs firearms, I'm off and against your viewpoint. The end doesn't justify these means. We had this viewpoint already in the 70s and the 80s (RAF), and it does no good. (I don't know how old you are -- I lived through that time, and it was not nice. It put enough political ammunition in the hands of the conservatives to destroy Germany's left. Well, what was left of it.)
You are right that your military `adventures' have more bearing on the opinion on the US.
But you probably underestimate the interest in the PATRIOT act. For example, it is well covered in all major German newspapers; in content, the way the granted powers are used by US government agencies, and the security-related achievements that those reductions in civil liberties have. In other words, it's well publicized that you got a bad bargain.
After all, our government wants to follow your lead and reduce our civil liberties, too (though not as much as yours did) -- and the US situation gives ammunition to counter such proposals. So there is quite some interest in the PATRIOT act and other new laws (Healthy Forest Act etc.) abroad.
But then, you are also right that I often had to discover that interested Europeans know more about current US politics than some Americans. And they surely know more about the US than the typical American knows about Europe. (I lived for several months in the US, and that's my personal judgement.) Sad, it is.
I realize the difference -- I have quite some friends in the US, from my university times. That's why I wrote `US politics' and not `Americans'.
With all those US friends, and the contact to the local part of US politics, I was always the one who defended the USA in discussions on society and politics around here. But it gets harder and harder to do so. (Well, US politics cannot be defended any more; they are outrageous in their contempt for elementary human rights.)
As well as queries over tables in several databases.
Check out TinyCA, at http://tinyca.sm-zone.net/. It is a GUI to ease certificate creation and management.
Hey, if you're not a troll, I can really see why the US school system is so seriously fucked up. There must be more morons like you, there.
Witness the cases where GPL gets enforced legally, when embedded devices violate the copyright of the netfilter project.
'nuff said.
*PLONK*