Well, FreeVeracity does sound promising and it is possible that one day it might rival Tripwire.
However, I think the Tripwire of the future will be a better service overall, simply because it will be under GPL (to my knowledge). This new FreeVeracity licence plain stinks. If I'm a lowly University stuck with Irix, I really don't want to spend tons of money to get x86 boxes or buy this product. Free software should be free software, no matter what platform you're running on. And this sort of license really doesn't consider binary emulation either...
Also my other beef is with this Network Intrusion Detection (IDS) brand that they are putting on it. To me it sounds like a bunch of hype. Sure it's a network service and it can talk to a central machine but that's a far cry from the standard IDS methods I know of. When I think of IDS, I think of known attacks that firewalls recognize or specific IDS machines in promiscuous mode sniffing out the network. Sure it does help you quickly find out (like a standard IDS) whether you've been hacked or not, but it is a far cry from a standard IDS system.
I'd also be wary of installing this software and running it right away right now, especially for those who are concerned about security. This product hasn't been reviewed by the general public, the source code hasn't been fully audited. No one (except the company itself) has praised this product. I'd be really wary.
He does make some good points about the sheer amount of vulnerabilities on the Linux front. However, just because say wuftpd or lynx is vulnerable to some old exploits doesn't mean that Linux is more vulnerable than Microsoft's OS or any other for that matter. I think a better measure is the amount of break-ins in the wild, a good measure of this would be perhaps attrition's stats page.
Also another big factor would be the time the known exploit is out to the time the bugfix is released. Microsoft is improving in this department, so let's give credit where credit is due... but I would never ever ever ever trust a SMB NT machine out on the open internet.
In conclusion.. scared of your linux / windows nt machine? (shameless plug), try OpenBSD!
Anything going out with a source that's not in the IP range should be blocked, imho.
You're very right about this. However, most ISPs use Cisco routers and to configure this sort of thing on border routers is a hell of a lot of work. Imagine having 100 class Cs, with 400 T-1 and DSL accounts, you have customers quitting service and signing up all the time. Adding 4 lines of additional configuration every time and double checking your work all the time can be a pain in the ass. An excellently staffed ISP can do this, but most ISPs are understaffed and have system admins who have better things to do with their time.
The solution? Petition Cisco for a new command that auto-does this, so you don't have to keep on screwing with the configuration.
In a related article.... GTE, Pac Bell and other phone companies have now released a statement, "No Children under the age of 13 may use the Telephone." Every time you call you will now have to enter in your birthdate into the numeric pad.
It's plain silly for them only to release a Linux version, ESPECIALLY if it's under the GPL. In 6 months there will be a port for Tripwire for every platform under the sun....
Hmm... I thought the idea behind Linus Torvalds heading development was his lack of ego as far as good code is concerned. I guess he doesn't have any leadership over those *FS guys.
It looks like Yahoo is pushing around its snuff for a good cause.... Mmm.. SMP.. And the cool thing about *BSD, is when 1 BSD gets a really really cool feature, chances are all of them incorporate a bit of it.
What I meant by the procfs thing. A quick history... Procfs Exploit
OpenBSD did not have procfs installed by default whereas *BSD did. And from what I understand from my security junkie programming buddies, FBSD is still probably vulnerable to a procfs exploit (although it hasn't been written yet). OpenBSD worked really hard on this one and fixed the problem right.
Certainly, OpenBSD is still very relevant, mostly in terms of philosophy. I'll give you a few reasons why as well as a counter-argument against your OS of choice.
OpenBSD's philosophy has always been less is more. One way they do this is carefully monitoring the base installation, no lynx, etc (hey those are ports!). No install of procfs by default.. Most people don't use it anyways (except maybe those killall people;-).
Granted, you can do all of this in FreeBSD, however I'd rather not spend an extra hour of securing the box after the install. I'd rather just edit the rc.conf and inetd.conf files and be through with it.
I really wonder about your comments of FreeBSD tightening up the codebase. By checking out the amount of exploits for the -current release.. especially the one that is being merged with the BSDi code. Granted, that this is technically an "unreleased" version and is not deemed stable, this does explain a bit about the FreeBSD Philosophy.
I do agree that part of the advantage of OBSD over *BSDs has been eroded because of the export changes in the US. However, it is still the only Unix (that I know of) that is actively being shipped with SSH and SSL. I think that in itself is pretty amazing. I've heard of no plans for *BSD being shipped with either in the base install.
BTW, I think that OBSD was built for hard core BSD / Security Junkies and there are quite a few of those people around. For this reason OBSD will survive, and the fact it's come up from 2.0 -> 2.7 is definite proof of this. (Whereas with NetBSD how often do they release?)
The reason why OBSD costs so much is because of funding. They have little corporate backing. If you like any free project, don't you think you should contribute a little bit? That's kind of a lame argument not to spend the $ on something that you would be regularly using.
IPv6 is an ingenious protocol, dismissed by too many ISPs and backbone internet providers as an irrelevant frivolity.
Oof. Actually many ISPs do really really want to switch to IPv6. ISPs hate people who spoof IPs just like everyone else.
There are several things blocking the path to IPv6. One of the major things that is blocking the movement to IPv6 is lack of support in Switches and Routers. Hell, all of Cisco's releases of IOS that are IPv6 compliant are all Beta. Now would you like to sign up with an ISP whose uptime is far short of 99.99%?
IPv6 is coming and it is coming fast. I figure it'll be about 2 years before most top level providers start implementing it.
Nothing to worry about there. DSL in general is as secure as any other internet connection - it's less secure than a dialup line just because you're not connected all the time, but it's not much different than T1 or any other full-time connections in that regard.
Not true. DSL is not as secure as any other static connection. The way DSL works is often you are assigned a single IP address out of a huge subnet on a BVI; because of this everyone on the same subnet is pretty much treated as on the same LAN.
So you pretty much have to secure yourself from LAN attacks as well. Win95 users don't have that printer shared, :-)
Wait a second... Do you know who these guys are? They aren't Linux zealots. Their purpose in life is not to convert people over to unix (although they probably would prefer that people would use unixies rather than win95). They get their kicks from poking fun at Microsoft and their Windows products by poking holes in it, and screwing around with it.
This news is not new, Intel has been doing this for the past 3 or 4 years now. I'm not sure that these conspiracy theories for the Wintel monopoly are so true... Intel will only give advertising money for those products that solely use their Intel logo. Unless you can cut a deal with Intel, goodbye Microsoft Windows Compatible Logos.
Um... Punk rock has nothing to do with this. I'm a punk rocker and I hack code, but this is irrelevant. I know people who are code hackers but prefer to listen to the sweet sounds of funk. The one thing that hackers all have in common is their undying quest to figure things out and to make things work.
And I resent the fact that you associate punk rock with script kiddies.... That is not cool man.
Depends.... Their revenue may be dropping so fast that this doesn't matter.. Another factor to include is increased material fees (different offices, moving, etc). It could spell disaster for many employees.
Correct me if I'm wrong but Potatoe is the British Spelling of the word and is still valid... However it is still spelled "Potato" for title's sake if anything
This is probably true. From a hardware point of view this is somewhat of a risk for 3dfx, now people will know the internals of the drivers as well as how they work (if they are GPL'd). Fine by me, anyways.
Hey this post is more appropriate to a different thread or a newsgroup. It would be nice if you would respect other readers and post in a forum more suited to your needs.
As follows...
Chris Coleman chrisc@vmunix.com says: "I have registered bsdports.org. Now I will be taking applications to work on the project.
If you have CVS access to an existing BSD ports/pkg_src tree, it will be summarily granted.
If you wish to donate resources to the project, please contact me. I see this as a community effort."
Don't forget it also has elements of FreeBSD and Mach as an overlay for the BSD kernel. ;-)
Code junkies wanna check out the code? OBSD procfs patch
FBSD procfs patch
Try securityfocus.com & packetstorm.securify.net. Then you won't have to visit the crummy sites.
Yes the unix version (without pretty gui interface) was released shortly after the original release.
yeah... where'd it go?
Yeah we want screenshots, yes we do! We want screenshots, how bout you?
God, High School sucked. Anyways it would be nice if the developers were to add some screenshots... No pics suck
Buddy, the word "FUD" is actually an acronym for "Fear Uncertainty (and) Doubt". A campaign idea that was supposedly developed by Microsoft.