Your claim of strawman is not based in any reasoned argument. Is this how they taught you to make an argument in "university"?
I supported my position.
And by simple logic... you can tell which is a subset of which.
Is all math logical?
Yes.
Is all logic math?
No.
Thus Math is a subset of applied logic using standardized symbols.
The argument presented above to which I responded expanded the definition of math so widely that it encompassed all language which would make any expression in any such language to be math. Nonsense obviously.
You can beat your chest all you like and say you studied one thing or another anywhere you like. It won't do you any good if you're actually wrong.
I'm sure you're educated and I'm sure you're smart. But that's like saying you have a tank and training... but someone naked with a rock can still come up behind you and cave your head in if you're not paying attention.
And that is what happened here. Your citation of education rather than bolstering your position merely shows that you really should know better than to make this argument.
Its unsurvivable.
Assuming you want to talk about "formal languages" versus "informal languages"... while programming languages are formal in the sense that they are literal with tightly defined fixed meanings it is a stretch to conflate this with the standard mathematical languages. They are properly logical instructions rather than mathematical representations.
One could find highly literal languages elsewhere that would be hard to cite as math. Certain aspects of the law for example are effectively formal languages in that they deal with VERY tightly defined meanings of words and terms that are manipulated to create contracts and laws.
now does that mean the judges or jury or legislators are competent to interpret these laws or that they were very well written in the first place? Saying the law isn't a formal language in this context for that reason is sort of like saying a given programming language isn't a programming language because its compiler is sloppy and operates unpredictably.
Something isn't a formal language merely because its practitioners or interpreters are not competent to read it. The other issue the law has is definition drift. A term can mean one thing 200 years ago when a law is written and the law appears to mean a new thing today because we have a new interpretation of that word. Which is akin to compiling an old program with modern libraries... chances are the fucking thing is going to bomb out because things change. To understand an old law you have to interpret it using the context of the time it was written so you understand what the law was actually doing. What you want it to now is another matter and you can change the law as you see fit to say whatever you want. But what is relevant with a law is what the law meant at signing into law.
There is an argument for storing a library of definitions for various legal terms with laws at the time of their signing. Though what legal scholars do in practice is read essays written at the time that discuss the intentions of the law at the time which tends to make clear any discrepancies.
This is a big problem in the US especially because we have one of the older legal codes in the world with some of our laws going back to 1791... not counting English common law which goes back quite a bit further.
Maybe I'm the guy that doesn't get the point of underwear... I don't know... I just look at those things and think... "why?"... notifications?... of what? Emails/texts/tweets? Meh.
On the issue of hostfiles I like the concept of security through DNS because it eliminates a huge number of threat vectors very cheaply and is very hard to bypass.
The virus would have to have to have its own DNS query system which would increase the complexity, code size, and detection surface of the malware.
I think DNS filtration should be a bigger aspect of firewall operation. Obviously a proper firewall has to expand that to IP filtration.
I'd like to see two way filtration based on DNS name where in if the DNS name is redirected to localhost that the firewall is also made aware of the correct IP for that hostname and also blocks any attempt for that IP to be accessed at the firewall level.
Managing all the fucking IPs I have to make available at the firewall is irritating. I passively block anything not on the allowed list on the high security network. Where as I use more of a blacklisting system for medium security networks. The low security ones only block pornography and known blackhat IPs.
Anyway, if you ever came along with something that made managing a really comprehensive blacklist for a large network easy... you could get yacht money. Just fyi for thee. We're currently still managing a lot of this stuff manually. There are tools that try to help but they generally are all for show and don't actually work when the barrel is against your temple and the hammer cocks back.
And in a high security network... that is PRECISELY when the fucking thing needs to work. We both see these nutty hack demos at the hacker conventions where things are just WIDE OPEN to attack. And I'm sure it baffles you as much as it baffles me.
i think to some extent it explains the shift to cloud services. The clouds for all their sins generally have "better" security. Good? Great?... perhaps not. But better than nothing.
Its good to know I'm not alone in this respect. Its always distressing for me to see people ragging on the guy when most of the people doing it are f'ing useless fuckwits.
If there's anything I decry in the modern era it is that the playing field has been leveled not just between the haves and have nots but also between the competent and incompetent.
APK is a man on a mission... and he's actually built something pretty cool. To get dog piled by witless nothings is an indignity.
It doesn't matter. I only get harassed by a couple AC trolls... I recognized one of them... and I've decided to call him "bingo the clowno"...:)
Oh and communists don't like me because whenever their failed ideology comes up I take some joy is rubbing their stupid faces in it.
Besides that... I generally get along with everyone.
APK, have you thought of making an application of your DNS hostfile thing ON a Raspberry pi? Like actually package it as an appliance image?
Because the Pi has more than enough brain power and bandwidth to handle a network DNS server. The pi costs about 30 USD.
My main issue with your program is that while it is applicable to ONE computer I'd like to try it on a wider network. Point the router DNS to the Pi and then have the Pi effectively filter the DNS results of the entire network.
Maybe I'm being dumb and there is already a superior product for this that you'd like to suggest. I do operate a lot of DNS servers in the few networks I manage but controlling these subscription based DNS lists is not practical.
Anyone able to add input on that? My information was that HPS was MORE energy efficient than LED if you went with the correct bulb and wattage... that is... bigger bulbs with the opposing leads.
I'm not an expert but that was my understanding. Naturally the HPS lights can't be near the plants. You ahve to back up. But they cover a much wider surface area.
I do a lot of it with control of DNS servers. If you're talking about blocking doubleclick.. I mean... that's an easy one.
The whitelisting isn't just for programs. Its for web domains as well. We have several different networks but for this discussion you just need to know there is an unlocked Wifi Network for people to facebook on and there is a HEAVILY locked down wired network is which what the machines I actually give a shit about are connected to...
Totally scalable. And in case you're curious... we have about a dozen external IPs though most of them are for specific servers. In so far as the users are concerned there are TWO IPs. The locked down wired network and the everything goes download horse porn network. And nether the twain shall they meet.
Look look look.
Here's the thing. Security is very very serious in my context. Enough that... well there are security guys with guns... and those guns have bullets in them.
So... Keep that in mind when you're saying something I'm saying isn't realistic. It isn't just realistic... its every fucking day. Its just high security.
How many of you guys operate managed air gapped networks? That's one of our layers of security for the archives amongst other things.
Is this reasonable for everyone? No. But its reasonable for more people than do it. A lot of these corporate and government breaches could have been stopped if they had been more serious about it. Sure, an Ed Snowden can nail you if one of your IT people goes rogue. But short of that, I don't see how you break a system like this... and even the Ed Snowden thing has a solution. The solution is drastic... but effective.
hmmm... I'm still seeing the presupposition that the program in question has the permissions. And you're still forgetting the firewalls.
I mean... fine... you might get by ONE defense by doing something like this but to actually be effective you need to get past them all. And I don't see that happening.
I mean, fine... you get some code into active memory... great... but what permissions does it have? Its going to inherit the permissions of the host program. So you're inheriting the permissions of what? Internet explorer/firefox/chrome/opera/whatever? Congrats. Its permissions are shit.
You're not thinking about this systematically. You're using magical logic and I can't go through the chain of logic when everything looks like a long string of unlinked and unassociated preconceptions. Its just a bunch of givens.
You're saying X=5 Y=2 R=94
etc
And there's no association or proof or causal chain in it anywhere that I can evaluate.
You say that if the code gets into a program with limited permission on a network with limited access to specific domains on the internet that someone is going to take over the whole fucking network when the whole thing is knitted up tightly at every fucking level?
I get along with APK just fine. I've had a few discussions with him. I like him.:-D
Unlike most of the people that diss him he actually knows something, has accomplished something, and has one of the few novel perspectives on stuff.
Does he go on and on about his host file thing? Yeah. The man is advertising to a certain extent. he hears all these problems and he's like "my program solves this" and everyone is like "fuck you you're stupid!"... think about how that would make you feel.
I hold the distinction so far as I know of being the only person on this site that has gotten along well with APK... to give you some idea of how crazy you probably think I am.
He's an interesting guy and unlike most of his detractors he's actually built something that actually works and he actually knows "something". He's abrasive, largely indifferent to the opinions of people he sees as knowing less than him, and some what robotic in his communication style.
That said... I empathize with that entire personality profile since it largely mirrors my own.
I don't believe in coddling retards. I'd prefer to piss them off and then slap the shit out of them until they learn their place. Its initially annoying but in the long run it is less work to maintain a functional social model if everyone is keenly aware of their place in the hierarchy. As to being indifferent to the opinions of ignorant people... sort of the same thing again. Dumb people have dumb opinions. As to a robotic communication style... I've been accused of that myself many times and i frankly don't see any shame in admitting it. I do have a "rules based" personality. I operate on a core logic. I don't make choices based on emotion. This baffles the humans but it is actually my nature. The reason in my own case is that I do not trust my own instincts or emotional compass to be a reliable guide for action. In my childhood it repeatedly let me down so I learned to think rationally simply as a survival strategy because my instincts are basically broken. As such when I see someone else operating under a rules based mental frame work... although a perhaps repetitive one from my perspective... I have some empathy for it.
The first time I encountered APK he tried to fight me. I kept refusing to get upset, responding rationally, being patient, and offering credit where credit was due. And he eventually started being nice to me. So, progress.
I have a long history of working with troubled geniuses. I grew up with a few and I work with a few on a regular basis. The world is full of a lot of really smart people that were sadly traumatized by their mentality because it disturbed their early childhood by isolating them.
A lot of them grow up to be odd people but they're frequently exceptionally productive members of society if you can put up with a little of that oddness and show them a little human compassion and understanding.
Just my own experience with such things. To each their own.
Yep... I keep hearing about these demon PDF files... poor Adobe. First flash and now PDF.
Two issues with this concept.
1. You're assuming I'm opening the PDF with adobe acrobat. Its a good assumption but it isn't necessarily valid. Lots of programs can open, edit, and write in PDF. I prefer actually to not use acrobat precisely for this reason. I avoid standard programs where convenient. No one cares about acrobat. You change excel or word and people lose their god damned minds. But change acrobat and most people don't even notice.
2. Any code operating from within acrobat would be using acrobat's own permissions to do whatever. If I restrict those to something tight enough that it can't really do anything then what are you going to do to me? If you can't access the internet to download a proper bit of malware. If you can't modify system settings. If you can't even change your own settings. Why do I care?
All these exploits rely on essentially shitty security. Its all "well after we sneak by the bank guard we'll just break into that cardboard box they store the money in and we'll be home free"...
There isn't one layer of defense. There are many layers and getting acrobat or excel to act crazy shouldn't be enough to actually threaten security.
My systems are locked down to such an extent that I can have a given endpoint entirely 100 percent infected and it still doesn't compromise the network.
As to subscriptions for signed modules... I think an open source list system will work just fine.
As to government hacks getting whitelisted... that's why it has to be open source.
That said, I think you're over estimating the difficulty here. The trick is to control ways code can be introduced into a system, properly identify that something is or is not code, and then run that code by the white list.
The trickiest thing is going to be some dumb hybrid file formats that contain executable code for dubious reasons. But that just means you need to control the permissions of those programs so they don't have the permissions to do anything that would be a problem to the system or themselves. And if they can't do anything harmful then the code even if it is going wild inside of excel or whatever is just going to fail to do anything harmful and then drop out of memory on program termination.
1. I try to use non-standard applications for such uses where I can get away with it. Acrobat reader for example is one I generally replace with a third party alternative. Your executable code will assume acrobat and it won't get passed anywhere via that little tweak all by itself.
2. The PDF readers etc have restricted permissions. The code in the file uses the application's own permissions to do things and it doesn't have the permissions to do anything that would threaten me. Is there a reason I need to give Excel Network or internet access? Any reason to give Excel access to system settings? What is it going to do?
The workstations are thin clients that connect to a terminal server. And the templates refresh on each login so even if you corrupted excel some how it would be clean again on the next load.
As to the IT industry being full of suckers... I would agree. They seem entirely incapable of grasping what it means to put on your game face... to go to war over the network. They don't take any of it seriously and frankly I think a lot of that attitude is why other aspects of business and government actually don't take IT seriously. It shows. You are serious or you're not taken seriously.
So they pay the price over and over again. They get treated like shit and their systems get raped by the first black hat that really tries. Fuckwits.
Is my system perfect? Its as close to perfect as I've been able to make it. its pretty fucking secure. There have been many attempts and... I believe no breaches ever. Can I know? Its possible. Its just not very likely. I don't just have firewalls but I also have a very robust logging and reporting regime. Lots of things are logged and a penetration should show up in the logs.
Why would I talk to double click? I don't even talk to double click on my personal machine at home? why would I let a protected system talk to doubleclick?
Access denied.
I'm generally a believer in not running code that I don't need to run. That extends to javascript.
I am currently blocking about 5~7 domains from serving javascript on this site alone... right now. And I've seen sites that were trying to push me to run 20+ javascript domains for a single page.
Its dumb.
I run script when it serves a purpose. And then I only run the script that I need to run to permit that purpose. And i do not permit domains I do not trust to run anything.
I've never seen anything where I "had" to run double click. I feel bad about it sometimes because the sites likely lose ad revenue. But I'm not running the code. I will happily display the image but the code... no.
As to embedding malware in a PNG file, my understanding is that you're not infecting anything with that file unless the image file is not merely displayed by run as an executable.
its less that some image files contain viruses than that you can write an executable so that it displays as an image if given the appropriate file extension. But so far as I know, the image file itself will not infect anything unless executed rather than being read as an image.
Correct me if I'm wrong. If that works then the webbrowsers are more incompetent than I had imagined.
Regardless, I don't run scripts or access domains that I don't need something from. I'm quite happy to give them nothing.
... and this was introduced to the computer... HOW?
did someone walk over to the machine and ejaculate it into the USB port? How did it get into the system?
I know what ROP is... I want to understand how you're introducing the infection to the system.
Lets say I have a clean system. Everything is from the factory. I put it together, I install from the DVD.
Okay... how are you infecting me? Lets say I connect this machine to my organziation's firewalled network. So... how are you infecting me. Where is your infected code coming from?
if you say something about block chains again... I will strangle you with your umbilical cord. The block chains are how the infection operates but it is not how the infection was introduced to the system.
I want to know how you're getting this in the machine in the first place. HOW are you infecting the machine.
Rhonda does what she's told or else she gets the hose again. You people keep ignoring the point about this being a secure system.
We're not talking about whatever jerk off network for idiots at the mustard factory you're running.
I even cited blocking domains. In secure systems you only permit communication to domains on an explicit basis. You don't let them talk to just fucking anything.
So for example, facebook is blocked. Why would anyone doing their job need to access facebook? I do permit an isolated wifi network to connect to anything. HOWEVER... that is a BYOD network that office systems will not connect to because not a fucking one of them has a wifi card. They're all wired. And here someone says "what if someone brings a laptop and connects it to the network!?"... then they won't even get an IP address... obviously.
And then someone says "what if they spoof a MAC address!?" Well, Rhonda isn't doing that. That's a deliberate attempt to breach the network's security which means any pretense of "oops that was just an honest mistake" goes completely out the window. And even then... while you'd get an IP address, you would not get access to servers and any system that connects to the network without doing certain things after it turns on will get flagged even if it has a known MAC address. Which means I'll get a text message within minutes of such a system connecting and then I'll go hunting for someone to mutilate.
And it goes without saying that you'd need to be INSIDE my network to even do that.
As to malvertising... I'm not sure what you think the threat is here. If they can't pass executable code to my systems then at best they're going to make someone's eye's bleed with penis enlargment ads or something. I don't really care about that. Beyond that, you're unlikely to be able to serve such ads if I restrict web access to domains that you have a "reason" to check and not just give you permissive access to the entire internet for no reason.
As to ROP, you're using good code only in part. What you're executing, the order of execution, and the object of execution are instructions you passed to the system. HOW are you introducing that code into the system? I'm having a hard time understanding the infection vector you're suggesting here. Because all the ROP infections I've seen have had very typical infection vectors. Once they were in the system they were a pain in the ass to deal with but you still had to play in the sewer drain to the infection in the first place.
Look, I don't even give my users a full workstation. Why would I? They use thin clients that link back to a terminal server. And the terminal does not retain changes to clients between boots. Every time they boot into their workstation it is tabula rasa. If they want to save something, they save it to the file server. Point is... even if you were able to infect an endpoint... the infection would be very short lived and wouldn't accomplish anything.
As to notifications quicker... notifications of what?
My phone beeps when it gets a text or something and I'll take it out if it isn't already in my pocket. Takes between two and five seconds depending on if I've had to charge it in my backpack. I do that about once a week.
As to the pebble being inferior... if notifications are the thing you care about, I would think the pebble has you covered there.
What does the iwatch do that the pebble doesn't?
I say this as someone that owns neither.
I think these things are toys and I don't take them seriously.
going through your video, the first thing I saw in there was "what happens if someone sends a link to bad executable code to your stupid employees through email?!"... well, a white listing system would not allow the executable code in the link to do anything. Also the fucking link itself might not even work because depending on the security of the network I might not permit any random computer to talk to your computer.
Why would I let an email client download and execute any random fucking code in an email? So right off the bat this video has me baffled.
Skipping past that he's talking burying weird instructions in PDFs etc. One thing I do to avoid that in particular is that I don't use standard programs to open files like that where possible. I use third party programs and one of the fun things about such programs is that while they have exploits their exploits are DIFFERENT. Getting a PDF file to execute X or Y using Adobe Acrobat Reader is a different kettle of fish to getting one of the third party programs to do the same thing.
Its not a perfect solution to the issue but it is marginally more secure.
Another thing that I do is that I control the permissions of every program so that it can and cannot do certain things. I'm not giving acrobat the ability to write to the registry or really do anything that it doesn't actually need to do.
That's really what all of this malware exploits. Overly permissive security settings.
You lock it down so that only the programs that are supposed to run have permission to run and even then you define what permissions it has while it is running. Can it access the local network? Can it access certain segments of the file system? Can it read or write to system files or the registry?
You just go through a long list of permissions.
And the reality is that most programs need very little to actually operate properly.
Take one of the more annoying applications... the web browser. It has to be able to access pretty much any address, downloads are often required which means we're letting this thing download ANYTHING to the workstation, then the fucking things have to allow HTML, Java, Javascript, cookies, flash, etc. How do you secure that?
My first step and again... this is a corporate/government secure network context... is that I don't permit you to access just anywhere on the internet. Someone in a context like that doesn't need to get to facebook. They can use a different system for that.
That alone reduces the threat dramatically.
The next thing is... sure... I'll let you download something and that something could be fucking awful but you can't "RUN" anything you downloaded. Nothing. Everything comes into the system with the presumption of being full of fucking snakes.
And if it is a document from a poorly designed file type that can include executable code in a data file... then you deal with that by limiting the permissions of the program itself so it can't really do anything.
And the firewalls are also going to stop whatever program or malware that got into the system from phoning home.
I really could go on and on and on. But the point I was making is that rather than trying to define bad code, the security community should be focusing on identifying GOOD code. Its much easier to know what should be allowed to run than not and only give the good code the freedom it needs rather than just give everything fucking root.
I made it very clear I wasn't trying to protect the home user.
My context is a secure and managed corporate or government network or data center.
You lower the bar to "that machine that guy over there is masturbating to" and the only way I can protect that system is to walled garden it so hard that it literally would have to have factory writelocked memory.
That's the whole security regime on these tablets and smartphones that everyone likes. So the home users are apparently okay with a big company telling everyone what they can and can't install on the machines.
Fine. That's your solution for the home user.
And here you might say "what if he downloads something or something is snuck into an app"...
in the case of downloading something... you don't permit executable code unless it went through your "market" or whatever you want to call these gate keepers. And as to something getting white listed that shouldn't have been whitelisted. The whole point is that you don't do that with a white listing system. So... if you're doing something that is antithetical to the entire design philosophy... I guess that would be a problem... sure.
Slashdot Mirror
Your claim of strawman is not based in any reasoned argument. Is this how they taught you to make an argument in "university"?
I supported my position.
And by simple logic... you can tell which is a subset of which.
Is all math logical?
Yes.
Is all logic math?
No.
Thus Math is a subset of applied logic using standardized symbols.
The argument presented above to which I responded expanded the definition of math so widely that it encompassed all language which would make any expression in any such language to be math. Nonsense obviously.
You can beat your chest all you like and say you studied one thing or another anywhere you like. It won't do you any good if you're actually wrong.
I'm sure you're educated and I'm sure you're smart. But that's like saying you have a tank and training... but someone naked with a rock can still come up behind you and cave your head in if you're not paying attention.
And that is what happened here. Your citation of education rather than bolstering your position merely shows that you really should know better than to make this argument.
Its unsurvivable.
Assuming you want to talk about "formal languages" versus "informal languages"... while programming languages are formal in the sense that they are literal with tightly defined fixed meanings it is a stretch to conflate this with the standard mathematical languages. They are properly logical instructions rather than mathematical representations.
One could find highly literal languages elsewhere that would be hard to cite as math. Certain aspects of the law for example are effectively formal languages in that they deal with VERY tightly defined meanings of words and terms that are manipulated to create contracts and laws.
now does that mean the judges or jury or legislators are competent to interpret these laws or that they were very well written in the first place? Saying the law isn't a formal language in this context for that reason is sort of like saying a given programming language isn't a programming language because its compiler is sloppy and operates unpredictably.
Something isn't a formal language merely because its practitioners or interpreters are not competent to read it. The other issue the law has is definition drift. A term can mean one thing 200 years ago when a law is written and the law appears to mean a new thing today because we have a new interpretation of that word. Which is akin to compiling an old program with modern libraries... chances are the fucking thing is going to bomb out because things change. To understand an old law you have to interpret it using the context of the time it was written so you understand what the law was actually doing. What you want it to now is another matter and you can change the law as you see fit to say whatever you want. But what is relevant with a law is what the law meant at signing into law.
There is an argument for storing a library of definitions for various legal terms with laws at the time of their signing. Though what legal scholars do in practice is read essays written at the time that discuss the intentions of the law at the time which tends to make clear any discrepancies.
This is a big problem in the US especially because we have one of the older legal codes in the world with some of our laws going back to 1791... not counting English common law which goes back quite a bit further.
I know, I was just saying I didn't get it.
Maybe I'm the guy that doesn't get the point of underwear... I don't know... I just look at those things and think... "why?"... notifications?... of what? Emails/texts/tweets? Meh.
On the issue of hostfiles I like the concept of security through DNS because it eliminates a huge number of threat vectors very cheaply and is very hard to bypass.
The virus would have to have to have its own DNS query system which would increase the complexity, code size, and detection surface of the malware.
I think DNS filtration should be a bigger aspect of firewall operation. Obviously a proper firewall has to expand that to IP filtration.
I'd like to see two way filtration based on DNS name where in if the DNS name is redirected to localhost that the firewall is also made aware of the correct IP for that hostname and also blocks any attempt for that IP to be accessed at the firewall level.
Managing all the fucking IPs I have to make available at the firewall is irritating. I passively block anything not on the allowed list on the high security network. Where as I use more of a blacklisting system for medium security networks. The low security ones only block pornography and known blackhat IPs.
Anyway, if you ever came along with something that made managing a really comprehensive blacklist for a large network easy... you could get yacht money. Just fyi for thee. We're currently still managing a lot of this stuff manually. There are tools that try to help but they generally are all for show and don't actually work when the barrel is against your temple and the hammer cocks back.
And in a high security network... that is PRECISELY when the fucking thing needs to work. We both see these nutty hack demos at the hacker conventions where things are just WIDE OPEN to attack. And I'm sure it baffles you as much as it baffles me.
i think to some extent it explains the shift to cloud services. The clouds for all their sins generally have "better" security. Good? Great?... perhaps not. But better than nothing.
I said *shhhh*, greasy stain. This is over. You're now modern art.
It is I that shall explain you over a glass of wine to friends pretentiously at parties. That is your fate hence forth.
Its good to know I'm not alone in this respect. Its always distressing for me to see people ragging on the guy when most of the people doing it are f'ing useless fuckwits.
If there's anything I decry in the modern era it is that the playing field has been leveled not just between the haves and have nots but also between the competent and incompetent.
APK is a man on a mission... and he's actually built something pretty cool. To get dog piled by witless nothings is an indignity.
It doesn't matter. I only get harassed by a couple AC trolls... I recognized one of them... and I've decided to call him "bingo the clowno"... :)
Oh and communists don't like me because whenever their failed ideology comes up I take some joy is rubbing their stupid faces in it.
Besides that... I generally get along with everyone.
APK, have you thought of making an application of your DNS hostfile thing ON a Raspberry pi? Like actually package it as an appliance image?
Because the Pi has more than enough brain power and bandwidth to handle a network DNS server. The pi costs about 30 USD.
My main issue with your program is that while it is applicable to ONE computer I'd like to try it on a wider network. Point the router DNS to the Pi and then have the Pi effectively filter the DNS results of the entire network.
Maybe I'm being dumb and there is already a superior product for this that you'd like to suggest. I do operate a lot of DNS servers in the few networks I manage but controlling these subscription based DNS lists is not practical.
Just an idea and all the best.
Anyone able to add input on that? My information was that HPS was MORE energy efficient than LED if you went with the correct bulb and wattage... that is... bigger bulbs with the opposing leads.
I'm not an expert but that was my understanding. Naturally the HPS lights can't be near the plants. You ahve to back up. But they cover a much wider surface area.
I do it on a large a very large network, dude.
I do a lot of it with control of DNS servers. If you're talking about blocking doubleclick.. I mean... that's an easy one.
The whitelisting isn't just for programs. Its for web domains as well. We have several different networks but for this discussion you just need to know there is an unlocked Wifi Network for people to facebook on and there is a HEAVILY locked down wired network is which what the machines I actually give a shit about are connected to...
Totally scalable. And in case you're curious... we have about a dozen external IPs though most of them are for specific servers. In so far as the users are concerned there are TWO IPs. The locked down wired network and the everything goes download horse porn network. And nether the twain shall they meet.
Look look look.
Here's the thing. Security is very very serious in my context. Enough that... well there are security guys with guns... and those guns have bullets in them.
So... Keep that in mind when you're saying something I'm saying isn't realistic. It isn't just realistic... its every fucking day. Its just high security.
How many of you guys operate managed air gapped networks? That's one of our layers of security for the archives amongst other things.
Is this reasonable for everyone? No. But its reasonable for more people than do it. A lot of these corporate and government breaches could have been stopped if they had been more serious about it. Sure, an Ed Snowden can nail you if one of your IT people goes rogue. But short of that, I don't see how you break a system like this... and even the Ed Snowden thing has a solution. The solution is drastic... but effective.
hmmm... I'm still seeing the presupposition that the program in question has the permissions. And you're still forgetting the firewalls.
I mean... fine... you might get by ONE defense by doing something like this but to actually be effective you need to get past them all. And I don't see that happening.
I mean, fine... you get some code into active memory... great... but what permissions does it have? Its going to inherit the permissions of the host program. So you're inheriting the permissions of what? Internet explorer/firefox/chrome/opera/whatever? Congrats. Its permissions are shit.
You're not thinking about this systematically. You're using magical logic and I can't go through the chain of logic when everything looks like a long string of unlinked and unassociated preconceptions. Its just a bunch of givens.
You're saying
X=5
Y=2
R=94
etc
And there's no association or proof or causal chain in it anywhere that I can evaluate.
You say that if the code gets into a program with limited permission on a network with limited access to specific domains on the internet that someone is going to take over the whole fucking network when the whole thing is knitted up tightly at every fucking level?
No, motherfucker. Absolutely not.
https://www.youtube.com/watch?...
I get along with APK just fine. I've had a few discussions with him. I like him. :-D
Unlike most of the people that diss him he actually knows something, has accomplished something, and has one of the few novel perspectives on stuff.
Does he go on and on about his host file thing? Yeah. The man is advertising to a certain extent. he hears all these problems and he's like "my program solves this" and everyone is like "fuck you you're stupid!"... think about how that would make you feel.
As I said, I get along with him just fine.
I hold the distinction so far as I know of being the only person on this site that has gotten along well with APK... to give you some idea of how crazy you probably think I am.
He's an interesting guy and unlike most of his detractors he's actually built something that actually works and he actually knows "something". He's abrasive, largely indifferent to the opinions of people he sees as knowing less than him, and some what robotic in his communication style.
That said... I empathize with that entire personality profile since it largely mirrors my own.
I don't believe in coddling retards. I'd prefer to piss them off and then slap the shit out of them until they learn their place. Its initially annoying but in the long run it is less work to maintain a functional social model if everyone is keenly aware of their place in the hierarchy. As to being indifferent to the opinions of ignorant people... sort of the same thing again. Dumb people have dumb opinions. As to a robotic communication style... I've been accused of that myself many times and i frankly don't see any shame in admitting it. I do have a "rules based" personality. I operate on a core logic. I don't make choices based on emotion. This baffles the humans but it is actually my nature. The reason in my own case is that I do not trust my own instincts or emotional compass to be a reliable guide for action. In my childhood it repeatedly let me down so I learned to think rationally simply as a survival strategy because my instincts are basically broken. As such when I see someone else operating under a rules based mental frame work... although a perhaps repetitive one from my perspective... I have some empathy for it.
The first time I encountered APK he tried to fight me. I kept refusing to get upset, responding rationally, being patient, and offering credit where credit was due. And he eventually started being nice to me. So, progress.
I have a long history of working with troubled geniuses. I grew up with a few and I work with a few on a regular basis. The world is full of a lot of really smart people that were sadly traumatized by their mentality because it disturbed their early childhood by isolating them.
A lot of them grow up to be odd people but they're frequently exceptionally productive members of society if you can put up with a little of that oddness and show them a little human compassion and understanding.
Just my own experience with such things. To each their own.
No, they're logical... math is a subset of logic.
https://en.wikipedia.org/wiki/...
Logic
---Mathematical logic
---Computational logic
---Philosophical logic
etc.
All math is logical but not all logic is math. That is how you know that math is a subset of logic and logic is not a subset of math.
You know this simply by thinking about the question itself LOGICALLY.
Go through the logic Actually think about it systematically.
... nah, by that logic all language is math and all communication is math.
You basically just defined MATH = Language.
Whatever.
By your logic... this is all math:
https://www.youtube.com/watch?...
Yep... I keep hearing about these demon PDF files... poor Adobe. First flash and now PDF.
Two issues with this concept.
1. You're assuming I'm opening the PDF with adobe acrobat. Its a good assumption but it isn't necessarily valid. Lots of programs can open, edit, and write in PDF. I prefer actually to not use acrobat precisely for this reason. I avoid standard programs where convenient. No one cares about acrobat. You change excel or word and people lose their god damned minds. But change acrobat and most people don't even notice.
2. Any code operating from within acrobat would be using acrobat's own permissions to do whatever. If I restrict those to something tight enough that it can't really do anything then what are you going to do to me? If you can't access the internet to download a proper bit of malware. If you can't modify system settings. If you can't even change your own settings. Why do I care?
All these exploits rely on essentially shitty security. Its all "well after we sneak by the bank guard we'll just break into that cardboard box they store the money in and we'll be home free"...
There isn't one layer of defense. There are many layers and getting acrobat or excel to act crazy shouldn't be enough to actually threaten security.
My systems are locked down to such an extent that I can have a given endpoint entirely 100 percent infected and it still doesn't compromise the network.
As to subscriptions for signed modules... I think an open source list system will work just fine.
As to government hacks getting whitelisted... that's why it has to be open source.
That said, I think you're over estimating the difficulty here. The trick is to control ways code can be introduced into a system, properly identify that something is or is not code, and then run that code by the white list.
The trickiest thing is going to be some dumb hybrid file formats that contain executable code for dubious reasons. But that just means you need to control the permissions of those programs so they don't have the permissions to do anything that would be a problem to the system or themselves. And if they can't do anything harmful then the code even if it is going wild inside of excel or whatever is just going to fail to do anything harmful and then drop out of memory on program termination.
As to PDFs... two things.
1. I try to use non-standard applications for such uses where I can get away with it. Acrobat reader for example is one I generally replace with a third party alternative. Your executable code will assume acrobat and it won't get passed anywhere via that little tweak all by itself.
2. The PDF readers etc have restricted permissions. The code in the file uses the application's own permissions to do things and it doesn't have the permissions to do anything that would threaten me. Is there a reason I need to give Excel Network or internet access? Any reason to give Excel access to system settings? What is it going to do?
The workstations are thin clients that connect to a terminal server. And the templates refresh on each login so even if you corrupted excel some how it would be clean again on the next load.
As to the IT industry being full of suckers... I would agree. They seem entirely incapable of grasping what it means to put on your game face... to go to war over the network. They don't take any of it seriously and frankly I think a lot of that attitude is why other aspects of business and government actually don't take IT seriously. It shows. You are serious or you're not taken seriously.
So they pay the price over and over again. They get treated like shit and their systems get raped by the first black hat that really tries. Fuckwits.
Is my system perfect? Its as close to perfect as I've been able to make it. its pretty fucking secure. There have been many attempts and... I believe no breaches ever. Can I know? Its possible. Its just not very likely. I don't just have firewalls but I also have a very robust logging and reporting regime. Lots of things are logged and a penetration should show up in the logs.
Why would I talk to double click? I don't even talk to double click on my personal machine at home? why would I let a protected system talk to doubleclick?
Access denied.
I'm generally a believer in not running code that I don't need to run. That extends to javascript.
I am currently blocking about 5~7 domains from serving javascript on this site alone... right now. And I've seen sites that were trying to push me to run 20+ javascript domains for a single page.
Its dumb.
I run script when it serves a purpose. And then I only run the script that I need to run to permit that purpose. And i do not permit domains I do not trust to run anything.
I've never seen anything where I "had" to run double click. I feel bad about it sometimes because the sites likely lose ad revenue. But I'm not running the code. I will happily display the image but the code... no.
As to embedding malware in a PNG file, my understanding is that you're not infecting anything with that file unless the image file is not merely displayed by run as an executable.
its less that some image files contain viruses than that you can write an executable so that it displays as an image if given the appropriate file extension. But so far as I know, the image file itself will not infect anything unless executed rather than being read as an image.
Correct me if I'm wrong. If that works then the webbrowsers are more incompetent than I had imagined.
Regardless, I don't run scripts or access domains that I don't need something from. I'm quite happy to give them nothing.
... and this was introduced to the computer... HOW?
did someone walk over to the machine and ejaculate it into the USB port? How did it get into the system?
I know what ROP is... I want to understand how you're introducing the infection to the system.
Lets say I have a clean system. Everything is from the factory. I put it together, I install from the DVD.
Okay... how are you infecting me? Lets say I connect this machine to my organziation's firewalled network. So... how are you infecting me. Where is your infected code coming from?
if you say something about block chains again... I will strangle you with your umbilical cord. The block chains are how the infection operates but it is not how the infection was introduced to the system.
I want to know how you're getting this in the machine in the first place. HOW are you infecting the machine.
I'll have to take your word for it. It looks like a toy to me still.
Wrong.
Rhonda does what she's told or else she gets the hose again. You people keep ignoring the point about this being a secure system.
We're not talking about whatever jerk off network for idiots at the mustard factory you're running.
I even cited blocking domains. In secure systems you only permit communication to domains on an explicit basis. You don't let them talk to just fucking anything.
So for example, facebook is blocked. Why would anyone doing their job need to access facebook? I do permit an isolated wifi network to connect to anything. HOWEVER... that is a BYOD network that office systems will not connect to because not a fucking one of them has a wifi card. They're all wired. And here someone says "what if someone brings a laptop and connects it to the network!?"... then they won't even get an IP address... obviously.
And then someone says "what if they spoof a MAC address!?" Well, Rhonda isn't doing that. That's a deliberate attempt to breach the network's security which means any pretense of "oops that was just an honest mistake" goes completely out the window. And even then... while you'd get an IP address, you would not get access to servers and any system that connects to the network without doing certain things after it turns on will get flagged even if it has a known MAC address. Which means I'll get a text message within minutes of such a system connecting and then I'll go hunting for someone to mutilate.
And it goes without saying that you'd need to be INSIDE my network to even do that.
As to malvertising... I'm not sure what you think the threat is here. If they can't pass executable code to my systems then at best they're going to make someone's eye's bleed with penis enlargment ads or something. I don't really care about that. Beyond that, you're unlikely to be able to serve such ads if I restrict web access to domains that you have a "reason" to check and not just give you permissive access to the entire internet for no reason.
As to ROP, you're using good code only in part. What you're executing, the order of execution, and the object of execution are instructions you passed to the system. HOW are you introducing that code into the system? I'm having a hard time understanding the infection vector you're suggesting here. Because all the ROP infections I've seen have had very typical infection vectors. Once they were in the system they were a pain in the ass to deal with but you still had to play in the sewer drain to the infection in the first place.
Look, I don't even give my users a full workstation. Why would I? They use thin clients that link back to a terminal server. And the terminal does not retain changes to clients between boots. Every time they boot into their workstation it is tabula rasa. If they want to save something, they save it to the file server. Point is... even if you were able to infect an endpoint... the infection would be very short lived and wouldn't accomplish anything.
As to notifications quicker... notifications of what?
My phone beeps when it gets a text or something and I'll take it out if it isn't already in my pocket. Takes between two and five seconds depending on if I've had to charge it in my backpack. I do that about once a week.
As to the pebble being inferior... if notifications are the thing you care about, I would think the pebble has you covered there.
What does the iwatch do that the pebble doesn't?
I say this as someone that owns neither.
I think these things are toys and I don't take them seriously.
you didn't answer my question. How are you introducing the malicious code?
Answer the question please.
going through your video, the first thing I saw in there was "what happens if someone sends a link to bad executable code to your stupid employees through email?!" ... well, a white listing system would not allow the executable code in the link to do anything. Also the fucking link itself might not even work because depending on the security of the network I might not permit any random computer to talk to your computer.
Why would I let an email client download and execute any random fucking code in an email? So right off the bat this video has me baffled.
Skipping past that he's talking burying weird instructions in PDFs etc. One thing I do to avoid that in particular is that I don't use standard programs to open files like that where possible. I use third party programs and one of the fun things about such programs is that while they have exploits their exploits are DIFFERENT. Getting a PDF file to execute X or Y using Adobe Acrobat Reader is a different kettle of fish to getting one of the third party programs to do the same thing.
Its not a perfect solution to the issue but it is marginally more secure.
Another thing that I do is that I control the permissions of every program so that it can and cannot do certain things. I'm not giving acrobat the ability to write to the registry or really do anything that it doesn't actually need to do.
That's really what all of this malware exploits. Overly permissive security settings.
You lock it down so that only the programs that are supposed to run have permission to run and even then you define what permissions it has while it is running. Can it access the local network? Can it access certain segments of the file system? Can it read or write to system files or the registry?
You just go through a long list of permissions.
And the reality is that most programs need very little to actually operate properly.
Take one of the more annoying applications... the web browser. It has to be able to access pretty much any address, downloads are often required which means we're letting this thing download ANYTHING to the workstation, then the fucking things have to allow HTML, Java, Javascript, cookies, flash, etc. How do you secure that?
My first step and again... this is a corporate/government secure network context... is that I don't permit you to access just anywhere on the internet. Someone in a context like that doesn't need to get to facebook. They can use a different system for that.
That alone reduces the threat dramatically.
The next thing is... sure... I'll let you download something and that something could be fucking awful but you can't "RUN" anything you downloaded. Nothing. Everything comes into the system with the presumption of being full of fucking snakes.
And if it is a document from a poorly designed file type that can include executable code in a data file... then you deal with that by limiting the permissions of the program itself so it can't really do anything.
And the firewalls are also going to stop whatever program or malware that got into the system from phoning home.
I really could go on and on and on. But the point I was making is that rather than trying to define bad code, the security community should be focusing on identifying GOOD code. Its much easier to know what should be allowed to run than not and only give the good code the freedom it needs rather than just give everything fucking root.
I made it very clear I wasn't trying to protect the home user.
My context is a secure and managed corporate or government network or data center.
You lower the bar to "that machine that guy over there is masturbating to" and the only way I can protect that system is to walled garden it so hard that it literally would have to have factory writelocked memory.
That's the whole security regime on these tablets and smartphones that everyone likes. So the home users are apparently okay with a big company telling everyone what they can and can't install on the machines.
Fine. That's your solution for the home user.
And here you might say "what if he downloads something or something is snuck into an app"...
in the case of downloading something... you don't permit executable code unless it went through your "market" or whatever you want to call these gate keepers. And as to something getting white listed that shouldn't have been whitelisted. The whole point is that you don't do that with a white listing system. So... if you're doing something that is antithetical to the entire design philosophy... I guess that would be a problem... sure.