I agree with your logic but disagree with this application. The problem with Carly was her fundamental misunderstanding of the immediate and near-future forces in the marketplace. I attribute these solely to her having _only_ trained in Managing Technology and NOT in Building technology. She had no basis to understand what her customers would want.
She was, in effect, a classic example of when Heterosis goes wrong. IMHO as it does the majority of the time, I've worked with far more dead weight than homogeek-superior. Face facts, Carly is a "mule".
I'm actually taking a class right now at that University with a lecturer who was a senior during Gates' sojourn.
Leitner mentioned a number of weeks ago that Gates had written an Altair emulator that ran in 3k of RAM and left 1k for the user's environment. He wrote this on a PDP-10 with only the Altair specs for a reference. The true programming feat is that his subsequently developed code ran flawlessly on an actual Altair machine.
Calm down. Warning : RTFA : Developers at play : Roundtable discussion regurgitated as ruminant principles. This is standard bassackward engineering. Take sound tested principles and piss all over them in favour of the next big thing. Let's wander past engineering before we start the marketing engines.
Yes, I know. Silly me, it's not boring. It's New, Improved and with [Insert Trademark here]. Oh wow, you actually have a shipping product? Version 1.0? Nah, ProductX _is_ mature and the, eh, the flaws are readily apparent, eh, flaws, guys, u see this? Hold up! No worries, Version 2.0 is here! Yay!
No wait, DeveloperX just had a brainfart, let's go with the original plan. It's the bestest! Hmmm, unemployment is fun! I like feeding my family Ramen.
I suspect your complaint is primarily directed at the office dressing. The "I don't need to learn, I'm friends with the CEO" hordes. Right school, right background, right golf buddies. Blind to their own incompetence, the Peter Principle extended.
People have a reason to be arrogant. It's not necessarily based in reality. The functionally incompetent have a viable position in the marketplace. Investors hand people a lotta rope/a lotta risk and sometimes, just sometimes, the venture accomplishes amazing things no sensible businessman would even attempt. It's a proven business tactic and IMHO the primary fuel for the dotcom explosion (and implosion). The self-assured can't-fail/never-failed approach sometimes works (given sufficient guidance and willingness to participate). Unfortunately as you indicate, the so-afflicted are not pleasant to work with.
This is fun. Take comments out of context and attach immature snide remarks. Hold on, this is Slashdot!
"never sign anything without having a lawyer read it"?
Exactly, that's the whole point, the user's irresponsibility has legal implications. Indemnify yourself or educate the user to their predicament.
IT department shouldn't be responsible for IT?
An IT department is responsible for the components of the infrastructure over which it can exert control. That's the whole point. Trim the fat. It's called an SLA. Everything else that doesn't qualify for support gets pushed to the bottom of the pile if it gets addressed at all.
There is such a thing as a "standard box"? C'mon, no two people are even going to agree on the best text-editor (and do you want to be the one increasing everyones' costs by 20% for non-optimal tools?)
Pure comedy. You want to support every hardware and software and are going to mention costs? Sound financial practice encourages efficient economies of scale. Laissez faire technocracy applies wonderfully in theory however in practice it disregards the functionally clueless. Empowering the clueless leads to dramatic diminishing returns.
Ah I see. A bureaucracy. Can't have too many of those.
And your alternative is? Ah, I know, let's wait for better written software. That'll be along soon. In the interim, bureaucracy works.
Such a piece of paper will never be signed, by anybody. Think about it.
That's the fucking point. Since you're in the mood, here's a couple more related aphorisms "Speak softly and carry a big stick" and "The nail that sticks out gets hammered".
And when projects fail, the people involved will be telling everyone who listens that "they're still waiting for IT to install the necessary software"
Hold on, anyone who blames their tools or forgoes the work to facilitate those tools will blame anyone within finger-pointing distance. Sloppy work habits will kill a project irrespective of whatever wareztool asshat developer can't live without. No, I know - let's let them do whatever they want. I'm sure we'll all benefit from more badly written software or insecure desktops. I want more spam!
Don't blame the users, part of your complaint is poor user education(!). You know it's bad but your users don't. Build and document exactly why you want the user to be secure and why it is a good thing for EVERYONE.
The following suggested discussion points are in no particular priority:
Have the user sign a document assuming responsibility for any legal liability
Have the user sign a document absolving you/IT/Corporation of any responsibility
Have the user sign off that you're not going to give their non-standard box priority. Custom solutions require expertise and your best fit, economy of scale is to standardize on "bricks" AND not to shit them when Chief Asshat calls
Have the user technically justify their reasons for the request
Have the user sign off that they know and recognise what they are doing is against company policy
Research, document and educate people to the costs behind their actions - emphasise individual desktop customization/attention is prohibitively expensive. See other bullets for ammunition.
Scale the lockdown. Try Power User. Try stripping rights. Give them a gun with no bullets
Emphasize your expensive security efforts are concentrated at the network level and based on users not shooting themselves (or the company) in the foot
Emphasize that users are their own worst enemy, you're trying to protect them from themselves - the dumbed down modern spyware/viruses use user rights
"Encourage" users with administrative rights to attend a responsibility/learning class/session.
Use what you have put together to educate YOUR management. The pervasive executive buddy system is fiscally irresponsible and leads to spineless management
This is true... within reason. However, the original poster only wanted to implement a proxy. A good approach to a complex problem usually involves considering a hierarchy of potential solutions. At the very least, we can make the effort to intrude intensive enough to discourage the casual and intermediate hacker. The reality is that anyone with sufficient dedication will eventually surpass the most severe battery of defenses. It's not always the fault of the solution provider! Mitnick made a (criminal) career of proving the most complex security solution often falls to the dumpster dive/user disclosure/Social Engineering/OSI Layer 1.
A proxy is simply not enough. It's absurdly easy to tunnel whatever you want (with a bias towards TCP) through a proxy (or any unfiltered port). Here's a brief rundown. Beside a proxy, a firewall and a desktop/server lockdown, I'd suggest you add the Big Brother approach of trend analysis, metrics, pattern recognition and scare tactics i.e. an IDS, IPS! We can hope the effort to circumvent the measures will teach as well as hamper. The question is who you are teaching and hampering!
Network security was an engineering afterthought. It's ironic considering the military built the Internet. We live with the aftermath. Encapsulation and spoofing have practical uses beside the malicious!
Nope. It's not difficult to gain local admin rights on a windows box from the console. It's also not gonna stop them running firefox from a usb stick. Not gonna stop their IM. And on and on.
Proxies are too easy to get around. You'd end up having to lock down the desktops as well. At some point you'd probably want to extend the lockdown to IM, p2p etc.
Start clean and extensible. I advise you to follow jhealy's advice - start at the network layer. You're gonna lose the turn-key soho router in favour of a custom firewall/router. Network metering will be ip/mac specific/box specific but you can incorporate some authentication aspect.
Y'know all those weekly and biweekly glossy mags your CIO and Manager get? There actually is valid product overview and release information in them. The IT executive industry base is a PR flak's paradise. Read/scan and then scurry to the vendor's website for the White Paper/lowdown.
If you have the money, set up a test lab. Vendors are more wary to loan eval hw than they were in the dotcom era but a relationship with a good salesman can always finagle some product.
Have the suits do the talking if you are buzzword intolerant. Warning: suits talking will often lead to mutual masturbation, technical direction by fiat and the resulting stillborn initiative pandemic.
Obviously Steve also supports the OSIA in discounting the Windows piracy report recently released by Gartner otherwise as a fulltime resident in a Glass house he would not be throwing stones: http://linux.slashdot.org/article.pl?sid=04/10/02/1355234&tid=163&tid=1&tid=106
The Iraqi authorities actively discourage the release of the Iraqi wounded tally http://www.hrw.org/reports/2003/iraq1003/. The US authorities "don't do bodycounts".
The bodycounts are tallied by 3rd parties on sites like http://icasualties.org/oif/ or http://www.iraqbodycount.net/. A rough extrapolation from US casualties to wounded based on the nature of the casualties (predominantly due to coalition or faction bombs) the wounded figure could be 5-10 times the number of casualties i.e. 65/75 to 130/150 thousand.
Yes you are correct when considering the "reported" cost to date. Check http://costofwar.com/ for an updated ticker.
You are assuming of course that when someone refers to the Cost of the War in Iraq that they imply a "to-date" qualifier. This is not necessarily the case. Kerry's figures likely encompass the entire period leading up to the Iraqi National Elections and supposed hand-off of power i.e. when we are "done" and the UN starts to suck up the bulk of the cost.
I can only assume the negligible indicator is ironic. As negligible apparently as the national debt and deficit.
The sources for the cost of the war are based on data the government provides. This is the same government who trumpet victory when the jobless figures drop because the long term unemployed drop off the register. The same government who fight tooth and nail for their right to hide everything and anything they want from the people who pay for it. The Bush-camp distort/spin everything but yet we are to believe these figures are reasonable?
The true figures are likely much much worse. Even Kerry's figures are below the true cost. What's the cost of long term care for 10s of thousands of injured soldiers in the most expensive Healthcare system on the planet?
I'm confused, are you attempting to refine your security to the application level or looking to integrate your applications with a centralised security model? These are separate and distinct requirements!
You need to provide more info to help us determine the exact capabilities of the "ancient PC Programs" and the nature of the access you intend to provide. It may be as simple as facilitating the centralised OS security-authentication and applying group level access-control to the application folder.
The quote is taken out of its relevant context. Another way to rephrase the quote could be:
"In the present violent clime, democratic elections would not lead to a representational government"
Military gangwar is part and parcel of the current conflict. The feudal ganglords will not cede authority easily. Those with support (military and political) will bargain for power in the same manner as the Afghani process. Suspicious one-candidate boundaries will be drawn up and ad-hoc ministerial privileges doled out to unelected strongmen.
Besides his publishing and IETF work, Scott is also the chief security officer for Harvard. He also teaches.
I'm looking forward to taking the prep course which starts in a couple of weeks prior to taking Bradner's advanced class in the Spring. Bradner sometimes guest-lectures one of the Fall classes.
It cracks me up that all the "Pump and Dump" McBride rants to the media for nigh on 2 years are now evidence in the latest IBM filing.
Once the dust settles, I expect an SEC investigation into the conduct of the ambulance-chasing SCO executives.
Then again, we've been waiting 4 years for Enron to settle, admittedly under the Cheney vice-presidency. I guess I won't hold my breath for the SCO evisceration just yet.
Recent research supports the belief that one well chosen password will defeat most intruders and that enforced rotation leads to weak passwords.
Here in work I've implemented a reasonable level (read: what you get for free from MS) password policy on the GC/DC (it's an MS shop). Passwords:
* Vary between Upper and Lower case
* Contain at least 1 number
* Have a minimum of 8 characters (MacOS9 users are only allowed to use 8 unless they have the MSUAM)
* Forced change every 90 days
* Differ from the 3 passwords used previously
In addition we encourage users to pick strong passwords:
Good Passwords contain:
* Multiple small words (let me in now: LetM3In0w)
* Unusual keys (open at eight : 0pEn@Ate)
* Personal Acronyms (open now please : 0pN0Plez)
* Replace letters with numbers (close please : C7o53p7z)
* Misspelled or nonsense words (close please : klOz3PeaZ)
* Offset the Number/Word (to home sweet : H0m325we3t)
* Non-sequential words from songs/poems (home of the brave: 7hebRaFovH0m3)
* A combination of the above!
Bad Passwords contain:
* Countries or Place names
* Names (First or Last)
* Anything Workplace related
* Historical events and Dates
* Personal information: Phone numbers, Birthdays or Social Security numbers
* Dictionary (English and Foreign language) words
* Consecutive numbers
* Popular phrases separated by spaces, underscores or a hyphen
I recently conducted an audit using the excellent @stake LC5. I used the SAM agent import feature and not the sniff the wire capability. It cracked 26/196 passwords in less than 50 seconds with straight dictionary attacks tho' to be fair it was running checks against the weaker LM password. It finished the run with 96/196 successful cracks in around 11 hours using the dictionary, hybrid dictionary/brute force and straight brute force cracking.
It got many "strong passwords" chosen using the above methodology which is similar to the previous post. I am not too worried as ANY password is vulnerable to determined brute forcing. That's the reason you combine strong passwords and an x-attempt lockout policy.
The bonehead central office still enforces the password rotation despite the evidence that users are sabotaging the process. I sincerely believe this collision of function and security is a zero sum game: the users need to work meeting a complex security process irrespective of the necessity.
I am actively looking into 3rd party DC/GC extensions which perform the routine checks LC5 used so successfully and that have been in use on *nix systems for years. I'd love to hear from any1 in a similar situation. Please note I had reservations purchasing from @stake based on their abhorrent treatment of Dan Geer and evidently vindictive successive OSX disclosure campaign.
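As an added illustration (not code from the post, LC5 or any Microsoft policy), the checker below encodes the policy rules listed above and screens for the "bad password" patterns the post names; it also undoes the letter-to-digit substitutions the "good password" tips rely on, because that is exactly what the hybrid dictionary/brute-force run that recovered 96/196 hashes does. The wordlist, the `pw_hash` stand-in for the directory's stored hash and the username rule are constructed assumptions.

```python
import hashlib
import re

# Constructed mini-dictionary standing in for a real wordlist (the post's
# "Dictionary (English and Foreign language) words" rule).
DICTIONARY = {"password", "welcome", "summer", "london", "monday",
              "letmein", "close", "please", "home", "brave", "open"}

# Letter->digit/symbol swaps a hybrid dictionary attack simply undoes.
# Each key maps to one letter; ambiguous ones (1 -> l or i) pick one.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}

HISTORY_DEPTH = 3  # "Differ from the 3 passwords used previously"


def pw_hash(pw: str) -> str:
    """Stand-in for the directory's stored password hash (assumption).
    A real deployment compares against its own salted, slow hash."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def normalize(pw: str) -> str:
    """Lower-case and undo the common substitutions (0pEn -> open)."""
    return "".join(LEET.get(c, c) for c in pw.lower())


def strip_edge_digits(s: str) -> str:
    """Drop leading/trailing digit runs (Password1 -> Password)."""
    return re.sub(r"^\d+|\d+$", "", s)


def is_dictionary_based(pw: str) -> bool:
    """True if the password collapses to a wordlist entry once the
    substitutions and edge digits are undone, in either order."""
    candidates = {normalize(pw), normalize(strip_edge_digits(pw)),
                  strip_edge_digits(normalize(pw))}
    return any(c in DICTIONARY for c in candidates)


def has_consecutive_digits(pw: str, run: int = 3) -> bool:
    """True if `run` digits in a row ascend or descend by one (123, 987)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if not window.isdigit():
            continue
        steps = {int(b) - int(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, history_hashes: list, username: str) -> list:
    """Return the list of violated rules; an empty list means accepted.
    history_hashes: pw_hash() values of the user's previous passwords,
    most recent first. The username check stands in for the post's
    'names / workplace / personal information' rules."""
    failures = []
    if len(pw) < 8:
        failures.append("too_short")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        failures.append("no_mixed_case")
    if not any(c.isdigit() for c in pw):
        failures.append("no_digit")
    if pw_hash(pw) in history_hashes[:HISTORY_DEPTH]:
        failures.append("reused")
    if username and username.lower() in pw.lower():
        failures.append("contains_username")
    if has_consecutive_digits(pw):
        failures.append("consecutive_digits")
    if is_dictionary_based(pw):
        failures.append("dictionary_word")
    return failures


if __name__ == "__main__":
    # Constructed candidates: two from the post's own tips, two weak ones.
    for candidate in ("LetM3In0w", "0pEn@Ate", "Passw0rd1", "Abcdef123"):
        print(candidate, check_password(candidate, [], "jdoe") or "OK")
```

Note that "LetM3In0w" and "0pEn@Ate" pass every rule here and were still within reach of the 11-hour run described above, which is the post's point about pairing complexity rules with a lockout policy.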
I'll bite, right after the Fortune 1000.
Exactly how is this desktop application going to be managed? More GPO extensions? Can we use WUS/SUS to certify definition updates?
Try looking for something on Freshmeat or Google
"I was downloading mp3s in college in 1995"
"Bullshit, Napster wasn't founded until 1999"
"Gui'fied IRC DCC: in the beginning was the commandline"
{silence}
Think fantasy sports games.
All parties admit that the reasoning leading to the invasion of Iraq has been a $200 billion dollar mistake.
1000 soldiers have lost their lives. To what extent, if any, have cost-cutting measures been behind these deaths?
For free authentication look to LDAP or RADIUS.
Bottom line: It's not democracy.
The Republican Attack Machine would have pursued any inaccuracies through legal means.
There are no lawsuits.
Whats the question?
Here's the idea:
- Have your students do it
- Have someone else's students do it
- Have a subcontractor do it. Note: See pts 1 and 2
It's a private school. Have the students/parents/endowment pay for the privilege. It's good for the economy.
I submitted this on Friday?
Is it still breaking geek "news"?