FWIW, I happen to be the organizer at York University, which is where it's being held. I'd be happy to answer any venue-related questions that anyone has. Just post them in a reply to this message.
Keep in mind that I don't know anything about the conference proper (nor do I use Debian). Joe Drew left his e-mail in the article and I'm sure he'd be happy to answer any questions about conference content, etc...
Perhaps this is a bit off-topic, but Debconf 2002 was also announced today. Will holding it in Canada make a difference crypto-wise? Probably not, but it should be a rockin' good time for participants anyway.
It's also been conveniently scheduled to coincide nicely with the Ottawa Linux Symposium. Other than that, more info will be forthcoming within the next couple of weeks.
This is probably more than a bit off-topic, but developerWorks has an article on writing vendor-independent JMS code. It's available here.
Unfortunately I've never really dealt with JMS, so I can't really answer the question in the post.
Quite right.
In fact, this stuff has been known about for quite some time now. A quick search of Bugtraq came up with this message. It basically says that FastTrack-based clients have a built-in HTTP server. Big deal.
This sounds more like a misconfiguration issue in the sense that people may be sharing entire hard drives. But until this is discussed and verified in some sort of forum like Bugtraq I wouldn't believe it.
Where did you get that from?
The issue that the OpenBSD guys had with IPF was that the license wasn't 100% BSD compatible as it stood when they decided to ditch it. I can't recall exactly what the issue was, but there are historical posts in the misc@openbsd.org mailing list. (Searching for Theo de Raadt and IPF should be enough - he's explained his position at least a half dozen times.) Afterwards, Darren decided to change the license so that the other BSDs wouldn't ditch IPF in favor of PF too.
All in all, one of the things I respect most about the OpenBSD guys is how they do stick to their principles, as they did in the IPF fiasco.
Big deal.
About five years ago at the Ottawa 2600 meetings that I frequented, there was a guy with a device just like that. Now, it was kind of impressive to look at (had a keyboard app which loaded at startup), but the specs were OK at best. If I remember correctly, it had at least
a 12" LCD touch-screen
a 386 or a 486
a built-in 14.4 modem
It would have been even more impressive, except that the batteries didn't work anymore - so the guy had to plug it in like a normal computer. Supposedly he'd gotten about a half hour of battery life off it just after he'd gotten it from another guy from some for-sale newsgroup. I wish I could remember the name of the company that made it, but I'm pretty sure it's long since dead.
In conclusion - stuff like this has been around for ages. Just because it's what MS is hyping hardly means it's new or revolutionary.
It would be nice to know that Guardent is contributing to the respective projects that are being implemented on this device (iptables, Snort, Nessus), but I haven't been able to find any acknowledgement of it on either Nessus's thanks page or in the credits for Snort.
Certainly they've got people working for them who have the know-how to add substantial features to the projects and it would be nice to know that they're not just free-riding on the software for the managed services platform that this device really is.
Philip Bond, the Commerce Department's under secretary for technological policy, said cyber-pirates steal an estimated $12 billion worth of technology and goods a year, according to the Business Software Alliance. American leadership in computers and software is "very much at stake" because of piracy, he said.
Is it just me, or does anyone else find statements like this incredibly misleading? Ever since I first got into computers (circa '93), warez has been pretty much a constant. Of course the BSA has also been making these kinds of unqualified statements for that long so it's not like anything has really changed.
It was also interesting to read how the NYT describes 'Warez' as a group of people ("Members of Warez..."). Don't they have any better writers in their technology section that they could have assigned this one to?
I know - I'm stupid, but if it makes any difference I was reading it just after I woke up. Didn't really register with me when I was reading the post.
Didn't expect it to be modded up, but it's not that big a deal.
(awaiting appropriate mod-down)
Is that they ported Pong to it.
Damn these guys are cool (in an ultra-geeky way).
No. It means that if there is a known exploit in the wild then it is legitimate to post information about the vulnerability that it pertains to.
Let's say for a second that I'm a network administrator (which I have been) or in a related position. Would I want to know about how someone will be able to break into my network or servers? You bet I would. What if it was possible to avoid being affected by the exploit by changing default settings or shutting down services temporarily? I think whatever inconvenience that might cause would be outweighed by keeping my network secure.
Obviously you haven't had to deal with this sort of stuff before. I'd suggest you do a quick search through the Bugtraq archives for informed discussions on vulnerability disclosure. In the information security world it's a topic which has (almost) been flogged to death.
A long time ago (mid 90's) I heard about a movie based on Doom in which you were to star. If this ever was in the works, what happened? It might not have been a classic of its time, but it would have rocked.
If not, please disregard =)
If Scottish politics isn't your thing, you might want to skip the first 22 and a half minutes (when the crypto stuff starts).
During the whole discussion of Eclipse the other day, I wrote about how it differs from NetBeans.
For me it meets pretty much all of my needs:
Open source
Decent interface (although some people disagree), which you can configure to appear as a single window or multiple windows (great for those multi-monitor setups)
Support for CVS
Ability to mount FTP directories as a filesystem so that I can store projects on the servers at school
Support for a whole whack of Java standards which I don't use at all - JINI, JSP, beans, etc...
Ant build scripts
Plenty of other stuff I won't bother to mention.
In fact the only real minus to it is that it is kind of a memory hog and takes a bit to load up (probably because it's written all in Java). Either way though, it's worth a look.
Maybe it's just me, but how does this project really differ from NetBeans (except for the whole Sun-IBM sponsorship thing)? I've been using it for a while now and it does pretty much everything you mentioned above. It's also been out for a while now (coming out with version 3.3 when Java 1.4 comes out next year) and IMHO is fairly mature.
I'm quite curious to know why I should consider switching.
This isn't where I worked. I'm in school in Toronto at the moment (as can be seen by my e-mail address), but worked and lived in Ottawa, where pretty much every federal agency has a presence.
Obviously my post was specific to my experience and doesn't reflect the Canadian government as a whole.
I am actually surprised how many problems people have protecting their server rooms...
An interesting little tidbit: At my university the main server room is only protected by one of those proximity swipe card things. While this in and of itself isn't that big of a problem, the fact that the registrar leaves their main server logged on (based on the 2-3 times I've been in there) is. The fact that it's an NT box doesn't help matters either...
Although this article definitely shouldn't come as any surprise to anyone with even a marginal interest in information or any other type of security. Back in the day (early nineties), I was able to read loads of textfiles on all the local hacking BBSs about social engineering.
Notwithstanding all of that though, it's kind of funny to see exactly how physical security is implemented these days. Back at my old job in the Canadian government (the department shall remain nameless), this stuff was nothing but a joke. Although you could certainly see that attempts were made at making things secure, like with the ID cards with the digital picture and magnetic swipe thing, it didn't really make much of a difference in the end. Firstly the only verification system that was used on these was to flash them at the rent-a-guards who sat all day long at the entrances. By this I mean that they would literally look at it for a split second - hardly enough time to even read the expiry date or even have a good look at the photo on the card. Case in point, after quitting, a friend of mine made a copy of his card on cardboard and was able to use that to get in without any trouble.
Another strange thing was the departmental library. It was actually located within the building that I worked in, on the second floor. Thus anyone (who knew about it) could walk up to the guards in the main lobby asking for access to it. They would then have to lend a piece of ID and write down their name, number, etc... and they'd get a library pass. This would essentially give them access to the entire building, as there wasn't any verification that they were sticking to the library. I ended up using this method of entry a few times to visit friends while I was at school in another part of the country.
Anyway, I could rant on about it all night, but in the end it just came down to the fact that the people implementing the physical security were subcontracting to a bunch of dumbasses. Other things like network/information security were dealt with by intelligent and capable people for the most part, but I won't get into the whole weakest link discussion.
I think that you would probably find that most (if not all) universities do offer these services, just not as classes. Where I go to school we have a Career Services department which does exactly the things you outlined. They have luncheons/breakfasts with potential employers and network, they have tutorials on what employers are looking for in resumes and interviews. In fact they even have a service where they set up mock interviews for you and give you feedback on your performance.
Notwithstanding that, there tend to be other things on campus (and off) as well. I'm heavily involved in the computer club at my school and we have speakers who talk about almost all the things you mention within the context of computers and IT. I'm also involved with the Canadian Undergraduate Technology Conference, which, assuming you're a Canuck and in a CS-like program, would be great for you too. On their schedule they have a job fair for attendees, they have seminars with people in industry where you can actually speak with them afterwards, and a bunch of other things. I highly recommend people in university check out these sorts of things. Thus far a bunch of my friends have scored jobs directly through that conference.
In the end, you really do have to do this stuff yourself.
So it would seem... guess I better start buying the good crack again. =)
Great, now I can run Linux, MacOS and Linux all at the same time. Is there anything greater?