Re:Keep putting it off. Please !
on
Longhorn in 2006
·
· Score: 1
Ah, that's why sendmail and bind have had lifelong histories (has it been 20 year?) of major security vulnerabilities and yet they are included in most *nix distributions?
Just because you need a BS in CS to run a unix server doesn't make it good. Sometimes "best" means features, usability, time to configure.
Re:Keep putting it off. Please !
on
Longhorn in 2006
·
· Score: 1
Okay after a year of "trustworthy computing" there were 3 exploits.
If "trustworthy computing" hadn't been a focus, there probably would have been 60 exploits or more.
I believe that MS is working hard to fix the problems, and security is a 10/90 problem - 90% of the work is required to fix the last 10% of the problems.
"Things" may have changed, but most small businesses don't change that quickly.
One of my former clients is still using a MS Dos based quickbooks version 2 system that I set up for her over 6 years ago, and she had been renting the previous system running the same software for several years before I set up the system that she uses today.
Another former client was using a batch processing system that a college student wrote around 15 years ago...it was so old that it wasn't even an x86 based system.
I haven't consulted for small businesses in a few years, but when I was, I didn't find ANY linux, I couldn't even convince them to convert from SCO Xenix to linux.
If these numbers are accurate, it must be for a small microcosm where the VARs that set up systems for small businesses have switched to using linux in their deployments. Even then, small businesses tend to stick with what is working...even if it doesn't work perfectly.
I think they need to provide more details and some source information to back up their data.
If you can assume that all Apache sites are linux, from netcraft's numbers, it looks like about 0.6% of linux sites migrated from linux to Windows Server 2003 since July.
0.6% moving from a "free" operating system to Windows? Perhaps Windows has something that open source fanatics should take a look at. I wouldn't say that it is time to give up on your favorite operating system because it is out of favor...but with the growth in Windows Server 2003, if you haven't used windows since NT4, it would be prudent to start learning about Windows again.
Awesome idea. Next, you could vary the transmitted tones for "dot" and "dash" along harmonic musical notes and your communication "noise" turns into pleasant music!:)
Motorists everwhere failed to visit the dealer when the recall notices were sent out so that their brake pads wouldn't fail when vandals spray a special substance on the roads, and now the crash victims want to sue the motorists for not allowing the manufacturer to fix the known defects.
Is there any reason that thousands of us can use to file small claims court cases against RIAA, like perhaps theft of my tax money by abusing the court system, harassment, slander of music listening internet users, etc?
Sure, that would be one way to create a good user interface...but several nuclear reactor "accidents" happened because the control rooms initially did not have good user interfaces. Afterall, the operators were expects, why did it need to be simple?
Sure, and just because a Nuclear Reactor control room has the "Critical core temperature warning light" right next to the "Bathroom is out of toilet paper warning light" where the operators are likely to miss it also means that the meltdown is a human error!
Go read "Normal Accidents" and learn a little bit about usability before you blame all misconfigurations on the admin.
I wish this were so funny. The last two VARs that a business I know of has gotten accounting systems from have configured the systems so that all of the users did log in as root.
The point of security is to prevent people from doing things that they should not be able to do. If they shouldn't be able to deface a website, and they do, then there is a security failure somewhere in the system.
Now, the security failure might be due to the Admin, the OS, the user, or the scripts...but it is still a security failure.
If it is due to the Admin, then maybe the OS is too complicated to properly secure. If it is due to the OS, then it is definately an OS problem. If it is due to the user, then maybe the OS is too complicated and/or time consuming to secure. If it is due to the scripts, then perhaps the OS should include some security audited scripts.
I can see it now, Ellison arms a fleet of MIGs, Gates orders a fleet of Subs, and Jobs hires an army and they all battle it out....might be cheaper than all of the lawsuits...
For that matter, ask most tech companies why they seem to have a business model of trying to out-sue eachother!
Oracle, Real Audio, Sun, and Netscape were pushing for the anti-trust suit against Microsoft when they had the same business practices as everyone else...the only difference is that they were larger.
SCO sues everyone. IBM sues SCO. Sun sues Microsoft. Microsoft sues Sun....
There are so many lawsuits, I think that only people making money off of high-tech are the lawyers!
I am already seriously looking at migrating the server I run at home off of linux and onto BSD.
My linux box has just been attacked too much in the last couple years.
Speaking from experience - DON'T DO IT YOURSELF
on
Solving a Wiring Mess?
·
· Score: 2, Interesting
I think that everyone here is pretty much saying the same thing: "IT IS STUPID TO TRY TO DO THIS YOURSELF!"
I have been on the recieving end of a 220v shock because someone flipped a breaker on a circuit after someone else did a home-brew wiring job. Had I picked up the wire with two hands rather than one, I would be dead and decomposing nicely by now.
I have done my fair share of homebrew jobs and after a number of lessons learned the hard way. I now have a lot of respect for electricity and use a great deal of caution with any wiring job.
Wiring something from scratch is one thing, what you describe is a DEATH TRAP!!! DON'T EVEN THINK ABOUT IT!!
I suspect that even an experienced professional would be a bit gun-shy with the setup that you have.
[And yes, I have replaced contact swtiches in my microwave, serviced the non user-servicable parts in my TV, swapped parts in my computer's power supply, re-wired my car, and a lot of other dumb things. I have some idea of what I am doing, but I wouldn't even consider doing that wiring job for a nano-second! Even I am not that deranged.]
Saying that Unix Users don't run as root is funny.
I have seen a number of VAR configured systems (Just go find any system running Autologue, a POS accounting system used in auto parts stores, lumber yards, and some other businesses) where all users were logged in as ROOT, including the dial-in guests, and the root account had no password.
People in general want their computers to be easy to use and don't care about security until their system is trashed. Windows or Unix, it doesn't matter much when the users don't care about security.
Good idea, however, operating systems manage much more than just the number of processes and the amount of ram.
When I was doing my experiment, if I just forked, I could exhaust the number of processes allowed but root on another console was still functional (although unable to spawn more threads), however when I added the attempt to open a file into each thread, the whole system froze immediately.
When you consider network sockets, inter process communication, file handles, and everything else that the OS manages, I'm sure that there are still a dozen ways to tie an operating system in knots.
You don't even need that low-level access to be able to freeze the machine.
A few years ago I was playing with fork bombs (Allocate 10k memory, attempt to open a file for read, and then fork this thread 10 times) and was able to consistently freeze any linux box even when I only had a simple user account.
Kernel access is only one of many ways to kill an OS.
If, 50% of crashes are due to 3rd party code (say driver and apps together), how many of the crashes are due to hardware failures or user misconfigurations (no swap space) vs MS code.
Next question, how much of the time is the user running MS code vs non-MS code? If the office worker is using excel, outlook, powerpoint, access, XP, and IE 90% of the day and 3rd party apps for 10% of the day, even if MS software was responsible for 50% of the crashes they would have better code by a longshot....just a thought.
Yeah, I did that when I found a design flaw in the web portal software that the university that I attended switched to a few years ago.
I still don't know if they have fixed the flaw, but at least the IT group knows what fingerprints the exploit will leave in their logs.
I graduated a year after I found the flaw, and I don't really care that much anymore. I guess I was just lazy...I emailed the company, the IT group, and the faculty on the IT board, but I didn't actually go talk to anyone about it.
Today, if I was really concerned about it, I'd go knock on a few doors.
PS - The really funny thing was, in reviewing the company's literature, one of their "features" was an option for "Null-Crypto".
Slashdot Mirror
Ah, that's why sendmail and bind have had lifelong histories (has it been 20 year?) of major security vulnerabilities and yet they are included in most *nix distributions?
Just because you need a BS in CS to run a unix server doesn't make it good. Sometimes "best" means features, usability, time to configure.
Okay after a year of "trustworthy computing" there were 3 exploits.
If "trustworthy computing" hadn't been a focus, there probably would have been 60 exploits or more.
I believe that MS is working hard to fix the problems, and security is a 10/90 problem - 90% of the work is required to fix the last 10% of the problems.
"Things" may have changed, but most small businesses don't change that quickly.
One of my former clients is still using a MS Dos based quickbooks version 2 system that I set up for her over 6 years ago, and she had been renting the previous system running the same software for several years before I set up the system that she uses today.
Another former client was using a batch processing system that a college student wrote around 15 years ago...it was so old that it wasn't even an x86 based system.
I haven't consulted for small businesses in a few years, but when I was, I didn't find ANY linux, I couldn't even convince them to convert from SCO Xenix to linux.
If these numbers are accurate, it must be for a small microcosm where the VARs that set up systems for small businesses have switched to using linux in their deployments. Even then, small businesses tend to stick with what is working...even if it doesn't work perfectly.
I think they need to provide more details and some source information to back up their data.
True, it would help if we teach children how business works, but how do you teach them a strong work ethic?
If you can assume that all Apache sites are linux, from netcraft's numbers, it looks like about 0.6% of linux sites migrated from linux to Windows Server 2003 since July.
0.6% moving from a "free" operating system to Windows? Perhaps Windows has something that open source fanatics should take a look at. I wouldn't say that it is time to give up on your favorite operating system because it is out of favor...but with the growth in Windows Server 2003, if you haven't used windows since NT4, it would be prudent to start learning about Windows again.
Awesome idea. Next, you could vary the transmitted tones for "dot" and "dash" along harmonic musical notes and your communication "noise" turns into pleasant music! :)
I think a more accurate analogy would be:
Motorists everwhere failed to visit the dealer when the recall notices were sent out so that their brake pads wouldn't fail when vandals spray a special substance on the roads, and now the crash victims want to sue the motorists for not allowing the manufacturer to fix the known defects.
Is there any reason that thousands of us can use to file small claims court cases against RIAA, like perhaps theft of my tax money by abusing the court system, harassment, slander of music listening internet users, etc?
Sure, that would be one way to create a good user interface...but several nuclear reactor "accidents" happened because the control rooms initially did not have good user interfaces. Afterall, the operators were expects, why did it need to be simple?
Sure, and just because a Nuclear Reactor control room has the "Critical core temperature warning light" right next to the "Bathroom is out of toilet paper warning light" where the operators are likely to miss it also means that the meltdown is a human error!
Go read "Normal Accidents" and learn a little bit about usability before you blame all misconfigurations on the admin.
..sigh..
I wish this were so funny. The last two VARs that a business I know of has gotten accounting systems from have configured the systems so that all of the users did log in as root.
BTW, if your system is compromised, compiling may not help.
Reflections on Trusting Trust, Ken Thompson
I disagree.
The point of security is to prevent people from doing things that they should not be able to do.
If they shouldn't be able to deface a website, and they do, then there is a security failure somewhere in the system.
Now, the security failure might be due to the Admin, the OS, the user, or the scripts...but it is still a security failure.
If it is due to the Admin, then maybe the OS is too complicated to properly secure.
If it is due to the OS, then it is definately an OS problem.
If it is due to the user, then maybe the OS is too complicated and/or time consuming to secure.
If it is due to the scripts, then perhaps the OS should include some security audited scripts.
I can see it now, Ellison arms a fleet of MIGs, Gates orders a fleet of Subs, and Jobs hires an army and they all battle it out. ...might be cheaper than all of the lawsuits...
For that matter, ask most tech companies why they seem to have a business model of trying to out-sue eachother!
...
Oracle, Real Audio, Sun, and Netscape were pushing for the anti-trust suit against Microsoft when they had the same business practices as everyone else...the only difference is that they were larger.
SCO sues everyone.
IBM sues SCO.
Sun sues Microsoft.
Microsoft sues Sun.
There are so many lawsuits, I think that only people making money off of high-tech are the lawyers!
I am already seriously looking at migrating the server I run at home off of linux and onto BSD.
My linux box has just been attacked too much in the last couple years.
I think that everyone here is pretty much saying the same thing: "IT IS STUPID TO TRY TO DO THIS YOURSELF!"
I have been on the recieving end of a 220v shock because someone flipped a breaker on a circuit after someone else did a home-brew wiring job. Had I picked up the wire with two hands rather than one, I would be dead and decomposing nicely by now.
I have done my fair share of homebrew jobs and after a number of lessons learned the hard way. I now have a lot of respect for electricity and use a great deal of caution with any wiring job.
Wiring something from scratch is one thing, what you describe is a DEATH TRAP!!! DON'T EVEN THINK ABOUT IT!!
I suspect that even an experienced professional would be a bit gun-shy with the setup that you have.
[And yes, I have replaced contact swtiches in my microwave, serviced the non user-servicable parts in my TV, swapped parts in my computer's power supply, re-wired my car, and a lot of other dumb things. I have some idea of what I am doing, but I wouldn't even consider doing that wiring job for a nano-second! Even I am not that deranged.]
Saying that Unix Users don't run as root is funny.
I have seen a number of VAR configured systems (Just go find any system running Autologue, a POS accounting system used in auto parts stores, lumber yards, and some other businesses) where all users were logged in as ROOT, including the dial-in guests, and the root account had no password.
People in general want their computers to be easy to use and don't care about security until their system is trashed. Windows or Unix, it doesn't matter much when the users don't care about security.
So, is this the United States' way of showing Iraq that we aren't intentionally keeping them in the dark?
Good idea, however, operating systems manage much more than just the number of processes and the amount of ram.
When I was doing my experiment, if I just forked, I could exhaust the number of processes allowed but root on another console was still functional (although unable to spawn more threads), however when I added the attempt to open a file into each thread, the whole system froze immediately.
When you consider network sockets, inter process communication, file handles, and everything else that the OS manages, I'm sure that there are still a dozen ways to tie an operating system in knots.
I might give it a try sometime.
You don't even need that low-level access to be able to freeze the machine.
A few years ago I was playing with fork bombs (Allocate 10k memory, attempt to open a file for read, and then fork this thread 10 times) and was able to consistently freeze any linux box even when I only had a simple user account.
Kernel access is only one of many ways to kill an OS.
If, 50% of crashes are due to 3rd party code (say driver and apps together), how many of the crashes are due to hardware failures or user misconfigurations (no swap space) vs MS code.
...just a thought.
Next question, how much of the time is the user running MS code vs non-MS code? If the office worker is using excel, outlook, powerpoint, access, XP, and IE 90% of the day and 3rd party apps for 10% of the day, even if MS software was responsible for 50% of the crashes they would have better code by a longshot.
What about the software that tells the weapons where to go?
Yeah, I did that when I found a design flaw in the web portal software that the university that I attended switched to a few years ago.
I still don't know if they have fixed the flaw, but at least the IT group knows what fingerprints the exploit will leave in their logs.
I graduated a year after I found the flaw, and I don't really care that much anymore. I guess I was just lazy...I emailed the company, the IT group, and the faculty on the IT board, but I didn't actually go talk to anyone about it.
Today, if I was really concerned about it, I'd go knock on a few doors.
PS - The really funny thing was, in reviewing the company's literature, one of their "features" was an option for "Null-Crypto".