I did? Where? I remember saying that most of the problems you could handle "on the wire" - that hardly sounds like me "rejecting" anything, now does it? Stay focused.
Your selective memory disorder is rearing its ugly head. You wrote: "this is just one of many possible strategies - it was offered as an example of a solution, not a solution by itself." That was your rejection of my assertion: "If a package that they use requires administrator privileges, put the system running it behind a firewall. Block all traffic other than that specifically needed to run the package. If it's a standalone package, then take the system off of the net completely. Enforce the policies at the MAC level."
So make up your mind: Do you accept the notion that such machines (machines where admin rights were granted to someone not qualified to use them responsibly) would be firewalled off or removed from the net with no exceptions? First I recommended it. Then you rejected it. Then you recommended it. Then I said that we were in agreement. Then you rejected it again, saying we were diametrically opposed and that it should not be done as a matter of course.
I tell you that security is about trade offs and you tell me I'm ignoring the shades of grey.
You wrote: "Security is all about flexibility: it's about the trade offs between brick walls and open doors." Something does not have to be either a brick wall or an open door. It can be something in-between.
I don't compromise network security for any reason whatsoever.
Earlier, you wrote: "The trail will lead to the PC of professor X. You have evidence that professor X didn't let you secure his pc - didn't let you do your job. He might be in trouble - or not, depending on his position, etc.. You certainly aren't." That is proof positive that you are willing to compromise network security and then try to cover your ass with a paper trail when something goes wrong. Another flip-flop. First you recommend caving (or "being flexible" as you put it) to political pressure and keeping a record for when/if there is a security breach. Then you claim that you never compromise network security for any reason whatsoever.
Are you telling me that the IT gnomes where you work are so weak that if a single user were able to get their hands on the administrator password to their local machine the whole place would come crashing to a halt?
No. I'm telling you that the users where I work have access to company-proprietary information as well as classified/restricted information and that malicious software that made it onto their computer while they were logged on as root could disseminate that information via e-mail, FTP, HTTP, HTTPS, or other protocols. I would have thought someone in network security would have recognized that. And for the record, we don't have "IT gnomes" at my work. We view, and treat, the people in IT/IS as computer professionals.
Let me get this straight: You don't work in security. I work in network administration (which enforces information security at my company) - and yet you are somehow qualified to tell me what "anyone who works in security" knows?
As to my qualifications, I design computer security policies and supervise people who enforce them. And I obviously do it at a firm that takes it a lot more seriously than the one at which you profess to be employed. I headed up a team at Cordant which received a C2 evaluation for a workstation and I designed, at the architectural level, a security coprocessor which took the OS out of the TCB. At my current job, I authored the security policy and procedures, and designed a network, which protected restricted (as in the government classification) and proprietary (my firm's and that of other vendors) simulation software and data in a private point-to-point network with a foreign entity. I should have said "any competent person who works in security." My bad.
OK, first of all: Hello? Mr Pot? This is Mr. Kettle.
Glad to meet you.
if you ask a doctor you'll see that they consider what they do a service: what they do - more than that, who they are - is about helping their patients.
Just as someone responsible for network security serves the company/organization that he works for.
We've already established that if someone "endangers others on the network" it means you're not doing your job.
And you can't do that job if you are being forced to turn over admin access to people who pose a security risk on the network. You rejected the notion that such machines would be firewalled off or removed from the net as a matter of policy. If you can't require that the machine be disconnected from the net or that it be firewalled to limit protocols and addresses to the bare minimum, how do you "do your job" to protect network security?
And as for "mid level IT gnomes" - well, I won't get into any "aspects of my widely varied responsibilities", but trust that I don't work in accounting (but I work with them).
I don't work in accounting, but I work with them when preparing the annual capital expenditure budget for my group. I am not, as you apparently assume, a network technician who works in the corporate IT/IS department. I work at an aerospace/defense firm in a fairly high-level technical/managerial role.
Security is all about flexibility: it's about the trade offs between brick walls and open doors.
You are ignoring the shades of gray. Network security is about designing a policy which complies with laws, regulations, and meets the needs of the organization. The laws and regulations may have to do with protecting classified data or they may have to do with protecting student privacy. You don't compromise network security just because someone finds it inconvenient. You work with them to try to find a way to minimize the inconvenience, but you do not give up and hand over the password because some well-connected professor doesn't like having to call someone to install software.
Identifying "needs" is important, too. Does Professor X need administrator access to do his job or does he just want it? Does he need port 25 (SMTP) open to the outside world or does he just prefer it? Does he need to be able to install software or does he just dislike putting in requests for someone to install the software?
Anybody who works in security will tell you that if you are too strict your users will just make an end run around you and you will wind up even worse off. If you don't give them admin access on their machine, they'll just bring in a laptop and use that (remember that we are discussing a university setting).
What is "too strict"? If I'm protecting your privacy as a student, how strict should I be with university's security policy? Should I give admin rights to computer-challenged professor X, even though he has your personal information (home address, phone number, private student-professor e-mails, grades, etc.) on his PC? What if you are a professor at another university who is working with professor X on a research project? Should I risk the confidentiality of your research by giving professor X admin rights?
If you make violations of the organizations network security policy grounds for termination, then people will not violate that policy. Network security should not be a technology war between those responsible for it and those who don't like it. If you continually violate the organization's policy on sexual harassment, you get fired. Why should the network security policy be any different?
Anyone who works in security will tell you that it is inconvenient and that many people resent limits being placed on them. They will also tell you that it is important to help people work within the network security policy. But they will not tell you that being "flexible" is the key to success, either professionally o
My doctor would like me to quit smoking and eat less red meat. His "superior understanding of medicine" notwithstanding, he understands that it's not 100% up to him. If he had attended the fmaxwell school of medecine[sic] his bedside manner might be "if you don't become a vegetarian and take up marathon training right now, I'm out of here mister! I can not work this way!"
You're trying to change the subject. It is 100% up to your doctor, the person with the expertise, as to whether you get morphine, Prozac, or Erythromycin. He decides. You don't. It doesn't matter how much "political clout" you have. You can make a limited set of decisions which affect only you -- just as an end-user on a network can.
And just for the record, this is not about status and prestige and getting ahead by kissing ass. This isn't some right wing rant about the use of influence.
Yes, it is, since you brought terms like "political clout," "prestige", and "revenue" into the discussion. And you are the one who referred to those responsible for network security with the disparaging term of "mid level IT gnomes." You have made it abundantly clear that you believe that someone with "political clout" should not have to abide by the same rules as everyone else -- even if it endangers others on the network.
As to what this discussion has to do with politicians being convicted of manslaughter, I have no idea.
It's yet another example of "exceptions" being made for those with "political clout", something you have espoused over and over. It's another example of being "flexible" for someone in a position of power.
This is about flexibility. If you can't be flexible, don't worry about walking out of your job, the decision will eventually be made for you and then you can work on your next four thousand slashdot comments.
No, this is not about flexibility. It is about network security, something that you cannot seem to grasp. And my expertise in computer security has helped to keep me employed. My employer isn't looking for me to be "flexible." They want me to author and enforce network security policies that protect their interests while abiding by agreements that they have made (that is just one aspect of my widely varied responsibilities).
It's funny how you think that the persons responsible for network security should be "flexible", applying rules only to those of lesser influence, but that professors should not have to be "flexible" enough to work within network security rules put in place to protect every user on the network.
Now that you have expressed your Luddite viewpoint of the world, I am proud to be on the other side.
You are a technocrat - you believe that your superior understanding of technology gives you the right to lord it over people who know less - people who may have political clout even if they don't know thing one about computers.
That is correct -- just like a doctor believes that his superior understanding of medicine gives him the right to decide whether or not you get access to morphine, Prozac, or Erythromycin. It doesn't matter how much "political clout" you have, the decision belongs with your doctor. And decisions about network security belong with those who have the technical expertise to make those decisions.
And you throw a fit whenever the world contradicts this perception.
You are the one throwing the fit because my +5 Insightful comment does not agree with your status-centric world view.
You don't object to the fact that there are exceptions to the security rules, and you don't see anything wrong with you, for example, having some extra privileges since you "know what you're doing" but the fact that a senior professor - someone who actually generates revenue or prestige for the university - is in a position to exert some pressure on mid level IT gnomes who are there to serve really seems to get your goat.
When the IT staff makes a decision about exceptions to security rules, that's fine and as it should be. They have the technical expertise to make that call. Just like a doctor can decide to put you on a ten-day regimen of antibiotic even if the standard rule is a seven-day regimen. The guy in charge of network security at a university is not a "mid level IT gnome." He's a professional who is probably the intellectual equal of many of the professors whose asses you think should be kissed.
You're the same type who thinks that star football players should not have the same academic standards as everyone else because they "generate revenue or prestige" for the university. "But Bubba is our star receiver and alumni donations are based on football! Bubba shouldn't have to be literate, attend classes, and be under the same academic rules as other students. While we are at it, we should make exceptions to those financial rules and go ahead and buy him that Lexus that he wants -- just to make sure that he doesn't go to some other school next year." Yep. That's your idea of how the world should work.
I've really had my fill of people like you. You're the ones who thought that it was fine when a politician used his influence to keep his son from serving in Vietnam -- even though it may have resulted in some other couple's son dying. You think that insurance companies should be able to pressure doctors into prematurely discharging patients from the hospital. You think that it's proper for a politician convicted of manslaughter to serve less time than the average shoplifter -- and then have the conviction removed from his record. You believe that anyone with political connections should get preferential treatment from cradle to grave. I am proud to disagree with you.
If we look at the different scenarios here for granting a professor "Administrator access on their local machines" there's very little trouble they could get into that you couldn't stop on the wire (unless they feel they need to send millions of emails as part of their study, of course. maybe they're sociologists or something).
"If a package that they use requires administrator privileges, put the system running it behind a firewall. Block all traffic other than that specifically needed to run the package. If it's a standalone package, then take the system off of the net completely. Enforce the policies at the MAC level."
We aren't diametrically opposed here. What I'm railing against is the scenario where someone in charge of network security is forced to give Professor X root access and a wide-open firewall just because Professor X finds security to be inconvenient. If you're in that situation, it's a no-win scenario.
it all boils down to the fact that you have to be flexible and that rules - even security rules - do have exceptions.
As long as the guy in charge of network security gets to decide where the exceptions are, that's fine (except when it comes to a SCIF).
To use an analogy, if a doctor decides that it's okay to discharge a surgery patient a day early, that's fine. But the decision for an early discharge should not be made by someone in accounting and passed down to the doctor as an edict. (I'm arguing how it should be, not how it is.)
And in all that time, can you honestly say that you've _never_had a root password that you "shouldn't have"?
Completely honest answer: I never got a "root" password except when someone in the IT/IS department voluntarily gave it to me. They gave it to me because they knew that I had the technical savvy and expertise to not be a security threat to their network. Whether they had the authority to give it to me, I cannot say.
But I can say that I never got it by demanding to management that I have it. I never got it by telling people how important I was or how important my work was. Exceptions weren't made for me because I played golf with the right people.
It's one thing for the IT folks to say 'this guy knows his stuff and can be trusted' and someone telling the IT staff that 'Person X is very important and you must give him root access to his PC.'
The trail will lead to the PC of professor X. You have evidence that professor X didn't let you secure his pc - didn't let you do your job. He might be in trouble - or not, depending on his position, etc.. You certainly aren't.
If you are known as the guy in charge of network security, you will be blamed for lapses in security. You may be able to convince your boss that it wasn't your fault, but everyone else will blame you for it.
I'm sorry, but you are being naive.
Bulls***. I'm in my mid-40s and have been a computer professional all of my working life. I may be jaundiced, but I am not naive.
It is a fact of life that there will always be someone who doesn't have to follow the rules - even the all-important security rules.
No, that is not a fact of life. I have worked at multiple firms where the computer security rules apply to everyone. The people with administrator access to the networked computers are the people in the IT department. Managers don't have admin rights. Developers don't have admin rights. Secretaries don't have admin rights. I did work for one company where a developer was fired (Not warned. Not chastised. Fired.) for tunneling through the firewall to access his personal system -- and not for nefarious purposes.
Professionalism is about flexibility. Tantrums are for children.
You're the one who seems to believe that it's appropriate for professors to throw tantrums when they are told that they can't have admin rights to networked computers. I don't. If the administration gives in when professors throw childish tantrums, then the professional thing to do is to find a job where they take security seriously and you can succeed in your role.
This begs the question of how we make voluntary sterilization an attractive option.
By offering higher welfare benefits to the long-term welfare recipients if they get sterilized. And by funding the sterilization at no cost to those undergoing it.
I think that this would actually be a good thing. People who can't afford food, clothing, shelter, and get medical care for themselves cannot afford to provide for the needs of a child. A young girl on welfare with a child has a tough road ahead of her. If she has another child, her chances of getting off of welfare are truly bleak.
On top of that, the taxpayer comes out ahead by keeping the total welfare costs down. Paying, say, 10% more for getting sterilized is a lot better than paying the additional welfare for multiple children for years to come. It also reduces the burden on the school system, as that would be fewer kids who start school needing remedial everything.
Spelled properly, it does. They have a web site at www.orbital.com. But I should stress that it is my ex-company. I am now at another firm and am not a representative of Orbital Sciences.
My credentials are that I am a Java programmer and am also studying accounting. Maybe this can't compare to you but I am sorry, I am trying hard.
You don't have to compete with me. Your areas of expertise are just different than mine. What torqued me was your hostile 'why should we believe you?' attitude.
You supply no references and expect us to believe you? Tell the name of the company and the straight guys you know.
Orbital Sciences Corporation. As to the names of specific employees there, I won't violate their privacy that way.
So what are your credentials and why should we believe you?
And Geiger counters have additional means for scaling as you well know.
Yes, I am well aware of that, but the use of lead shielding of varying thicknesses to scale Geiger counter readings shows that lead is not an impenetrable shield to radiation.
As the other poster said, "crashing into lead will cause high-energy cosmic rays to spew even more secondary particles."
I have the utmost respect for the initiative, intelligence, and generosity of the man who built this computer. That said, he didn't build a replica of an Apollo Guidance Computer (AGC). He did not use the same parts, constructing it with higher integration 74LS parts that gave about a 10-to-1 IC package reduction. The original AGC prototype used core memory and his uses static RAM and EPROM. There are countless other differences.
Again, he is deserving of high praise, but he did not replicate the original AGC I prototype. He created a working model which was very true to the original at the block diagram level.
well, you could do it without computers, would just be even harder, plus astronauts would have one sucky time flying the craft by hand to the moon. But it could be done, there is always a way without a computer.
Actually, there is not always a way without a computer. Some modern fighter jets are inherently unstable (in order to provide faster response) and no human being in the world could react quickly enough to keep those planes from wadding themselves into little silver balls. Their computers make multiple control surface adjustments per second.
That is complete nonsense, the parent poster was totally correct. And also Palm pilot is about $90 if you use Ebay.
I worked at a satellite company and used to believe that a lead box would work. I was set straight by the guys who know about that kind of thing. Lead is not impenetrable to radiation. In fact, early Geiger counters used lead shielding as a means of scaling the count.
If AOL users had their time and bandwidth wasted by the spam, then the users suffered damage, too. If some of the users (like the judge) had to cancel their AOL e-mail addresses because of the spam they received, that's certainly damage. Just think of the hassle of disseminating your new e-mail address to friends, colleagues, and family.
Even if so, I'm sure this is covered by the AOL service agreement, and besides, what steps would a reasonable person have taken that AOL didn't take? Someone has to have access to the user lists, after all.
I don't know what steps they took. Did they allow users to carry thumb drives and recordable optical media off of the premises? Did they do background checks on the people who had access to the user email addresses? Did they try to minimize how many people had access to the user list? Maybe they took all reasonable steps and maybe they did not.
The judge himself apparently cancelled his AOL subscription due to receiving too much spam. While he didn't like what Jason did, he wasn't convinced a crime had been committed under the CAN-SPAM law, which requires that a person be deceived.
If "Jason" isn't responsible, perhaps AOL is. If AOL was negligent in their security, then they can be held accountable for the damages that their users suffered. So by not putting the blame on Jason, AOL could be in the judge's sights. This might be a lot smarter move on the part of the judge than anyone realizes. Or I could be totally off-base.
Or maybe just keep a copy of any mails/memos you may have sent to the professor warning him of the possible consequences of not abiding by the security policy, and his replies, copies to management, etc., etc. Chances are the professor will be too ashamed to make much of a stink about the whole thing since he's the one who will wind up looking stupid, and if he does... go see the administration with a copy and ask them to look up "wrongful termination" in the dictionary.
It's not the professor with the unsecured PC who makes the stink. It's the students who found that their personal information was being e-mailed by a virus on the professor's unsecured PC. It's professor Y who received an e-mailed virus from professor X's unsecured PC. It's the ISP whose mail server got blasted by the unsecured PC. It's some random user on the Internet who got spam from some professor's zombie machine.
Calling someone a prima donna when the extent of your own advice seems to be screaming "I can not work this way! I'll be in my trailer!" is somewhat ironic.
I gave two pieces of advice:
1. "You limit their access and tell them that they have to live with it. Explain to them that security is inconvenient and that they have to be adults and accept it."
2. If you are being held responsible for securing a network but are not allowed to do so, then leave.
I don't believe in sitting around, wringing my hands, and saying "woe is me." If I am in charge of securing a network and people won't let me do my job, then I'm not going to spend my days waiting for failures and gathering evidence. If the all-powerful professors can stop you from taking away their administrator rights, then they can surely whip your butt in a political in-fight when it comes time to assign blame for a network security failure.
Another difference is that the bosses in academia are often professors -- they end up going to administration for a couple of years, serving their time, and going back to their research. Taking away anything from a researcher who raises hell won't happen.
Then leave if you are in charge of network security. You will be the scapegoat when some prima donna professor's unsecured PC gets infected with a virus that blasts the Internet and the rest of the campus with virus-infected e-mail.
Try telling the CFO that he can't use a Blackberry, especially if the CIO's his golf buddy.
Our security team here is perfectly happy to confiscate the Blackberry, cell phone, digital camera, or Bluetooth headset of anyone who tries to enter a secure area -- whether they are the President, CEO, CFO, or head of IT.
As far as I can tell, a significant portion of academia believes that nobody may dictate what they can and cannot do.
Then won't they be surprised when they find that they no longer have administrator access?
This group considers it a critical part of academic freedom, and in many cases rely on the insecurity for the way they work.
Then they may have to change the way that they work.
It doesn't matter if the president of the University decrees it; there are many professors that just won't care, and won't see the problem.
So what? I may not see a problem with my having access to Percocet, but it doesn't mean that the pharmacist is going to give it to me without a prescription. It's the system administrator's job to see that the network is secure, regardless of whether the professors understand, or care about, the need for network security.
Even something as simple as removing administrator-level access to the desktop is almost impossible.
No, it's not. You log in, change the permissions and/or passwords and it's gone.
Often, there are even valid reasons, like strange software that doesn't run without it but that is actually essential to their research, or the need to install and run extremely esoteric software that's not in general use. This isn't the corporate world where >90% of users are fine with {Outlook|Notes|etc.} and MS Office, and maybe a couple of custom apps that are widely deployed to a group of people. Each researcher often has unique requirements.
I'm in the corporate world and there are plenty of vertical market apps that you've never even heard of. We just purchased one license for a specialized modeling and simulation package and it's costing us about $40,000 for two years. The number of sites running that software can be counted on one hand. So let's lose the attitude about how special academia is.
If a package that they use requires administrator privileges, put the system running it behind a firewall. Block all traffic other than that specifically needed to run the package. If it's a standalone package, then take the system off of the net completely. Enforce the policies at the MAC level.
The bottom line is that there are prima donnas in industry, government, and academia -- and you can't just throw security out the window every time that one of them finds it inconvenient. If they have a specialized app that truly requires administrator access, wall off the system(s) on which it runs so that it (they) can't harm the rest of the network. You don't put the rest of the network at risk just because some professor finds security to be a hassle. What's next? Allowing unvaccinated kids to attend school because their parents find that taking the kids to the doctors is annoying?
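The isolation the post above describes, as an added example that is not part of the original thread: a POSIX shell script that emits a default-deny nftables ruleset for the one host that has to run a package needing local administrator rights. Only the destinations the package actually needs are reachable; every other new connection in either direction is logged and dropped, which also addresses the concern raised earlier in the thread about malware running as root shipping data out over SMTP, FTP or HTTP. The interface name eth0, the license server at 10.0.5.20 (tcp/27000, udp/27001) and the update mirror at 10.0.5.21 (tcp/443) are constructed placeholders, not anything from the thread; the script is IPv4-only.

```shell
#!/bin/sh
# Added example (editor's, not from the original thread): emit a default-deny
# nftables ruleset that isolates a single host which has to run a package
# needing local administrator rights. Only the listed destinations are
# reachable; every other new connection in either direction is dropped.
#
# Assumptions (placeholders, not from the thread): the host's uplink is eth0,
# the package needs a license server at 10.0.5.20 (tcp/27000, udp/27001) and
# an internal update mirror at 10.0.5.21 (tcp/443). IPv4 only.
set -e

# gen_ruleset IFACE "proto:addr:port [proto:addr:port ...]"
# Prints an nftables ruleset to stdout; apply it with: gen_ruleset ... | nft -f -
gen_ruleset() {
    iface=$1
    allow=$2
    printf 'table inet isolate {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n'
    printf '    ct state established,related accept\n'
    printf '    ct state invalid drop\n'
    printf '    iifname "%s" icmp type echo-request limit rate 5/second accept\n' "$iface"
    printf '  }\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy drop;\n'
    printf '    oif lo accept\n'
    printf '    ct state established,related accept\n'
    # Unquoted on purpose: split the allow-list on whitespace, one entry per rule.
    for entry in $allow; do
        proto=${entry%%:*}
        rest=${entry#*:}
        addr=${rest%%:*}
        port=${rest#*:}
        printf '    oifname "%s" ip daddr %s %s dport %s ct state new accept\n' \
            "$iface" "$addr" "$proto" "$port"
    done
    # Anything else leaving the box (SMTP, FTP, HTTP, DNS to random resolvers...)
    # is logged so the attempt shows up in syslog, then dropped.
    printf '    oifname "%s" log prefix "isolate-drop: " drop\n' "$iface"
    printf '  }\n'
    printf '}\n'
}

# ruleset_allows_port RULESET PORT -> exit 0 if RULESET accepts new outbound
# connections to PORT, 1 otherwise. A cheap regression check before loading.
ruleset_allows_port() {
    printf '%s\n' "$1" | grep -q "dport $2 ct state new accept"
}

# count_drop_policies RULESET -> prints how many chains default to drop (expect 2)
count_drop_policies() {
    printf '%s\n' "$1" | grep -c 'policy drop'
}

ALLOW="tcp:10.0.5.20:27000 udp:10.0.5.20:27001 tcp:10.0.5.21:443"
RULES=$(gen_ruleset eth0 "$ALLOW")
printf '%s\n' "$RULES"
```

Load it with `gen_ruleset eth0 "$ALLOW" | nft -f -` and then run `ruleset_allows_port "$RULES" 25` before deploying to confirm the box cannot originate mail; the only thing the package's own vendor can still reach is the license server and mirror you listed, everything else turns up as an `isolate-drop:` line in the log.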
Re:Multizilla and Googlbox make Mozilla my choice (on Mozilla 1.7.5 Released, Score: 1)
Wow! Great find on that link and he sums up my thoughts pretty well when he writes:
"It turns out to be mostly achievable if you download another hundred or so extensions from obscure corners of the Internet. Yes, I've successfully spent hours replicating something I already had in the name of running with the crowd..."
To some extent, Firefox looks more like a kiosk browser or something to put on Mom's PC rather than a browser built for serious computer geeks. It's nice, fast, small, and clean, but seems to be lacking when compared to Mozilla.
Re:Multizilla and Googlbox make Mozilla my choice (on Mozilla 1.7.5 Released, Score: 1)
Thanks for the recommendations. I looked over TBE, but was somewhat put off by its claim to being very buggy (on its home page). Googlebar looks pretty good. I guess to some extent, I know the Multizilla/Googlebox tools and am loath to change from them to something that seems, at least on the surface, to be somewhat less capable and more buggy. I'm holding out hope that there will be a Multizilla/Googlebar for Firefox. Then I'll probably change from Mozilla.
What the hell does that have to do with anything?
Because if the idea is sound, then it should have applied to the Bush/Gore Presidential race, too. You can't make up a rule when it suits you (e.g., if neither candidate has a substantial majority, have a new race with new candidates) and then say that it should only apply when it is to your liking.
Trolling is for kiddies.
So what grade are you in, little boy?
..they should have to pick two new candidates. Clearly neither of these two have sufficient support.
Funny, but I don't recall Bush supporters saying that after Bush narrowly defeated Gore in the electoral college vote while losing the popular vote.
I did? Where? I remember saying that most of the problems you could handle "on the wire" - that hardly sounds like me "rejecting" anything, now does it? Stay focused.
Your selective memory disorder is rearing its ugly head. You wrote: "this is just one of many possible strategies - it was offered as an example of a solution, not a solution by itself." That was your rejection of my assertion: "If a package that they use requires administrator privileges, put the system running it behind a firewall. Block all traffic other than that specifically needed to run the package. If it's a standalone package, then take the system off of the net completely. Enforce the policies at the MAC level."
So make up your mind: Do you accept the notion that such machines (machines where admin rights were granted to someone not qualified to use them responsibly) would be firewalled off or removed from the net with no exceptions? First I recommended it. Then you rejected it. Then you recommended it. Then I said that we were in agreement. Then you rejected it again, saying we were diametrically opposed and that it should not be done as a matter of course.
I tell you that security is about trade offs and you tell me I'm ignoring the shades of grey.
You wrote: "Security is all about flexibility: it's about the trade offs between brick walls and open doors." Something does not have to be either a brick wall or an open door. It can be something in-between.
I don't compromise network security for any reason whatsoever.
Earlier, you wrote: "The trail will lead to the PC of professor X. You have evidence that professor X didn't let you secure his pc - didn't let you do your job. He might be in trouble - or not, depending on his position, etc.. You certainly aren't." That is proof positive that you are willing to compromise network security and then try to cover your ass with a paper trail when something goes wrong. Another flip-flop. First you recommend caving (or "being flexible" as you put it) to political pressure and keeping a record for when/if there is a security breach. Then you claim that you never compromise network security for any reason whatsoever.
Are you telling me that the IT gnomes where you work are so weak that if a single user were able to get their hands on the administrator password to their local machine the whole place would come crashing to a halt?
No. I'm telling you that the users where I work have access to company-proprietary information as well as classified/restricted information and that malicious software that made it on to their computer while they were logged on as root could disseminate that information via e-mail, FTP, HTTP, HTTPS, or other protocols. I would have thought someone in network security would have recognized that. And for the record, we don't have "IT gnomes" at my work. We view, and treat, the people in IT/IS as computer professionals.
Let me get this straight: You don't work in security. I work in network administration (which enforces information security at my company) - and yet you are somehow qualified to tell me what "anyone who works in security" knows?
As to my qualifications, I design computer security policies and supervise people who enforce them. And I obviously do it at a firm that takes it a lot more seriously than the one at which you profess to be employed. I headed up a team at Cordant which received a C2 evaluation for a workstation and I designed, at the architectural level, a security coprocessor which took the OS out of the TCB. At my current job, I authored the security policy and procedures, and designed a network, which protected restricted (as in the government classification) and proprietary (my firm's and that of other vendors) simulation software and data in a private point-to-point network with a foreign entity. I should have said "any competent person who works in security." My bad.
Nostalgia is overrated
It didn't used to be back in the good old days.
OK, first of all: Hello? Mr. Pot? This is Mr. Kettle.
Glad to meet you.
If you ask a doctor you'll see that they consider what they do a service: what they do - more than that, who they are - is about helping their patients.
Just as someone responsible for network security serves the company/organization that he works for.
We've already established that if someone "endangers others on the network" it means you're not doing your job.
And you can't do that job if you are being forced to turn over admin access to people who pose a security risk on the network. You rejected the notion that such machines would be firewalled off or removed from the net as a matter of policy. If you can't require that the machine be disconnected from the net or that it be firewalled to limit protocols and addresses to the bare minimum, how do you "do your job" to protect network security?
And as for "mid level IT gnomes" - well, I won't get into any "aspects of my widely varied responsibilities", but trust that I don't work in accounting (but I work with them).
I don't work in accounting, but I work with them when preparing the annual capital expenditure budget for my group. I am not, as you apparently assume, a network technician who works in the corporate IT/IS department. I work at an aerospace/defense firm in a fairly high-level technical/managerial role.
Security is all about flexibility: it's about the trade offs between brick walls and open doors.
You are ignoring the shades of gray. Network security is about designing a policy which complies with laws, regulations, and meets the needs of the organization. The laws and regulations may have to do with protecting classified data or they may have to do with protecting student privacy. You don't compromise network security just because someone finds it inconvenient. You work with them to try to find a way to minimize the inconvenience, but you do not give up and hand over the password because some well-connected professor doesn't like having to call someone to install software.
Identifying "needs" is important, too. Does Professor X need administrator access to do his job or does he just want it? Does he need port 25 (SMTP) open to the outside world or does he just prefer it? Does he need to be able to install software or does he just dislike putting in requests for someone to install the software?
Anybody who works in security will tell you that if you are too strict your users will just make an end run around you and you will wind up even worse off. If you don't give them admin access on their machine, they'll just bring in a laptop and use that (remember that we are discussing a university setting).
What is "too strict"? If I'm protecting your privacy as a student, how strict should I be with the university's security policy? Should I give admin rights to computer-challenged professor X, even though he has your personal information (home address, phone number, private student-professor e-mails, grades, etc.) on his PC? What if you are a professor at another university who is working with professor X on a research project? Should I risk the confidentiality of your research by giving professor X admin rights?
If you make violations of the organizations network security policy grounds for termination, then people will not violate that policy. Network security should not be a technology war between those responsible for it and those who don't like it. If you continually violate the organization's policy on sexual harassment, you get fired. Why should the network security policy be any different?
Anyone who works in security will tell you that it is inconvenient and that many people resent limits being placed on them. They will also tell you that it is important to help people work within the network security policy. But they will not tell you that being "flexible" is the key to success, either professionally o
My doctor would like me to quit smoking and eat less red meat. His "superior understanding of medicine" notwithstanding, he understands that it's not 100% up to him. If he had attended the fmaxwell school of medecine[sic] his bedside manner might be "if you don't become a vegetarian and take up marathon training right now, I'm out of here mister! I can not work this way!"
You're trying to change the subject. It is 100% up to your doctor, the person with the expertise, as to whether you get morphine, Prozac, or Erythromycin. He decides. You don't. It doesn't matter how much "political clout" you have. You can make a limited set of decisions which affect only you -- just as an end-user on a network can.
And just for the record, this is not about status and prestige and getting ahead by kissing ass. This isn't some right wing rant about the use of influence.
Yes, it is, since you brought terms like "political clout," "prestige", and "revenue" into the discussion. And you are the one who referred to those responsible for network security with the disparaging term of "mid level IT gnomes." You have made it abundantly clear that you believe that someone with "political clout" should not have to abide by the same rules as everyone else -- even if it endangers others on the network.
As to what this discussion has to do with politicians being convicted of manslaughter, I have no idea.
It's yet another example of "exceptions" being made for those with "political clout", something you have espoused over and over. It's another example of being "flexible" for someone in a position of power.
This is about flexibility. If you can't be flexible, don't worry about walking out of your job, the decision will eventually be made for you and then you can work on your next four thousand Slashdot comments.
No, this is not about flexibility. It is about network security, something that you cannot seem to grasp. And my expertise in computer security has helped to keep me employed. My employer isn't looking for me to be "flexible." They want me to author and enforce network security policies that protect their interests while abiding by agreements that they have made (that is just one aspect of my widely varied responsibilities).
It's funny how you think that the persons responsible for network security should be "flexible", applying rules only to those of lesser influence, but that professors should not have to be "flexible" enough to work within network security rules put in place to protect every user on the network.
We could not be more diametrically opposed.
Now that you have expressed your Luddite viewpoint of the world, I am proud to be on the other side.
You are a technocrat - you believe that your superior understanding of technology gives you the right to lord it over people who know less - people who may have political clout even if they don't know thing one about computers.
That is correct -- just like a doctor believes that his superior understanding of medicine gives him the right to decide whether or not you get access to morphine, Prozac, or Erythromycin. It doesn't matter how much "political clout" you have, the decision belongs with your doctor. And decisions about network security belong with those who have the technical expertise to make those decisions.
And you throw a fit whenever the world contradicts this perception.
You are the one throwing the fit because my +5 Insightful comment does not agree with your status-centric world view.
You don't object to the fact that there are exceptions to the security rules, and you don't see anything wrong with you, for example, having some extra privileges since you "know what you're doing" but the fact that a senior professor - someone who actually generates revenue or prestige for the university - is in a position to exert some pressure on mid level IT gnomes who are there to serve really seems to get your goat.
When the IT staff makes a decision about exceptions to security rules, that's fine and as it should be. They have the technical expertise to make that call. Just like a doctor can decide to put you on a ten-day regimen of antibiotic even if the standard rule is a seven-day regimen. The guy in charge of network security at a university is not a "mid level IT gnome." He's a professional who is probably the intellectual equal of many of the professors whose asses you think should be kissed.
You're the same type who thinks that star football players should not have the same academic standards as everyone else because they "generate revenue or prestige" for the university. "But Bubba is our star receiver and alumni donations are based on football! Bubba shouldn't have to be literate, attend classes, and be under the same academic rules as other students. While we are at it, we should make exceptions to those financial rules and go ahead and buy him that Lexus that he wants -- just to make sure that he doesn't go to some other school next year." Yep. That's your idea of how the world should work.
I've really had my fill of people like you. You're the ones who thought that it was fine when a politician used his influence to keep his son from serving in Vietnam -- even though it may have resulted in some other couple's son dying. You think that insurance companies should be able to pressure doctors into prematurely discharging patients from the hospital. You think that it's proper for a politician convicted of manslaughter to serve less time than the average shoplifter -- and then have the conviction removed from his record. You believe that anyone with political connections should get preferential treatment from cradle to grave. I am proud to disagree with you.
As I wrote many messages ago: We aren't diametrically opposed here. What I'm railing against is the scenario where someone in charge of network security is forced to give Professor X root access and a wide-open firewall just because Professor X finds security to be inconvenient. If you're in that situation, it's a no-win scenario.
it all boils down to the fact that you have to be flexible and that rules - even security rules - do have exceptions.
As long as the guy in charge of network security gets to decide where the exceptions are, that's fine (except when it comes to a SCIF).
To use an analogy, if a doctor decides that it's okay to discharge a surgery patient a day early, that's fine. But the decision for an early discharge should not be made by someone in accounting and passed down to the doctor as an edict. (I'm arguing how it should be, not how it is.)
And in all that time, can you honestly say that you've _never_ had a root password that you "shouldn't have"?
Completely honest answer: I never got a "root" password except when someone in the IT/IS department voluntarily gave it to me. They gave it to me because they knew that I had the technical savvy and expertise to not be a security threat to their network. Whether they had the authority to give it to me, I cannot say.
But I can say that I never got it by demanding to management that I have it. I never got it by telling people how important I was or how important my work was. Exceptions weren't made for me because I played golf with the right people.
It's one thing for the IT folks to say 'this guy knows his stuff and can be trusted' and someone telling the IT staff that 'Person X is very important and you must give him root access to his PC.'
The trail will lead to the PC of professor X. You have evidence that professor X didn't let you secure his pc - didn't let you do your job. He might be in trouble - or not, depending on his position, etc. You certainly aren't.
If you are known as the guy in charge of network security, you will be blamed for lapses in security. You may be able to convince your boss that it wasn't your fault, but everyone else will blame you for it.
I'm sorry, but you are being naive.
Bulls***. I'm in my mid-40s and have been a computer professional all of my working life. I may be jaundiced, but I am not naive.
It is a fact of life that there will always be someone who doesn't have to follow the rules - even the all-important security rules.
No, that is not a fact of life. I have worked at multiple firms where the computer security rules apply to everyone. The people with administrator access to the networked computers are the people in the IT department. Managers don't have admin rights. Developers don't have admin rights. Secretaries don't have admin rights. I did work for one company where a developer was fired (Not warned. Not chastised. Fired.) for tunneling through the firewall to access his personal system -- and not for nefarious purposes.
Professionalism is about flexibility. Tantrums are for children.
You're the one who seems to believe that it's appropriate for professors to throw tantrums when they are told that they can't have admin rights to networked computers. I don't. If the administration gives in when professors throw childish tantrums, then the professional thing to do is to find a job where they take security seriously and you can succeed in your role.
I still think it's pretty amazing. I sure wouldn't have the lust and patience (contradiction?) to do a project like this.
I'm with you 100% and he deserves accolades. Any museum would be proud to have such a wonderful recreation.
This begs the question of how we make voluntary sterilization an attractive option.
By offering higher welfare benefits to the long-term welfare recipients if they get sterilized. And by funding the sterilization at no cost to those undergoing it.
I think that this would actually be a good thing. People who can't afford food, clothing, shelter, and get medical care for themselves cannot afford to provide for the needs of a child. A young girl on welfare with a child has a tough road ahead of her. If she has another child, her chances of getting off of welfare are truly bleak.
On top of that, the taxpayer comes out ahead by keeping the total welfare costs down. Paying, say, 10% more for getting sterilized is a lot better than paying the additional welfare for multiple children for years to come. It also reduces the burden on the school system, as that would be fewer kids who start school needing remedial everything.
Your company doesn't exist in Google.
Spelled properly, it does. They have a web site at www.orbital.com. But I should stress that it is my ex-company. I am now at another firm and am not a representative of Orbital Sciences.
My credentials are that I am a Java programmer and am also studying accounting. Maybe this can't compare to you but I am sorry, I am trying hard.
You don't have to compete with me. Your areas of expertise are just different than mine. What torqued me was your hostile 'why should we believe you?' attitude.
You supply no references and expect us to believe you? Tell the name of the company and the straight guys you know.
Orbital Sciences Corporation. As to the names of specific employees there, I won't violate their privacy that way.
So what are your credentials and why should we believe you?
And Geiger counters have additional means for scaling as you well know.
Yes, I am well aware of that, but the use of lead shielding of varying thicknesses to scale Geiger counter readings shows that lead is not an impenetrable shield to radiation.
As the other poster said, "crashing into lead will cause high-energy cosmic rays to spew even more secondary particles."
I have the utmost respect for the initiative, intelligence, and generosity of the man who built this computer. That said, he didn't build a replica of an Apollo Guidance Computer (AGC). He did not use the same parts, constructing it with higher integration 74LS parts that gave about a 10-to-1 IC package reduction. The original AGC prototype used core memory and his uses static RAM and EPROM. There are countless other differences.
Again, he is deserving of high praise, but he did not replicate the original AGC I prototype. He created a working model which was very true to the original at the block diagram level.
Well, you could do it without computers, it would just be even harder, plus astronauts would have one sucky time flying the craft by hand to the moon. But it could be done, there is always a way without a computer.
Actually, there is not always a way without a computer. Some modern fighter jets are inherently unstable (in order to provide faster response) and no human being in the world could react quickly enough to keep those planes from wadding themselves into little silver balls. Their computers make multiple control surface adjustments per second.
That is complete nonsense, the parent poster was totally correct. And also a Palm Pilot is about $90 if you use eBay.
I worked at a satellite company and used to believe that a lead box would work. I was set straight by the guys who know about that kind of thing. Lead is not impenetrable to radiation. In fact, early Geiger counters used lead shielding as a means of scaling the count.
Isn't AOL the one that suffered the damages?
If AOL users had their time and bandwidth wasted by the spam, then the users suffered damage, too. If some of the users (like the judge) had to cancel their AOL e-mail addresses because of the spam they received, that's certainly damage. Just think of the hassle of disseminating your new e-mail address to friends, colleagues, and family.
Even if so, I'm sure this is covered by the AOL service agreement, and besides, what steps would a reasonable person have taken that AOL didn't take? Someone has to have access to the user lists, after all.
I don't know what steps they took. Did they allow users to carry thumb drives and recordable optical media off of the premises? Did they do background checks on the people who had access to the user email addresses? Did they try to minimize how many people had access to the user list? Maybe they took all reasonable steps and maybe they did not.
The judge himself apparently cancelled his AOL subscription due to receiving too much spam. While he didn't like what Jason did, he wasn't convinced a crime had been committed under the CAN-SPAM law, which requires that a person be deceived.
If "Jason" isn't responsible, perhaps AOL is. If AOL was negligent in their security, then they can be held accountable for the damages that their users suffered. So by not putting the blame on Jason, AOL could be in the judge's sights. This might be a lot smarter move on the part of the judge than anyone realizes. Or I could be totally off-base.
Or maybe just keep a copy of any mails/memos you may have sent to the professor warning him of the possible consequences of not abiding by the security policy, and his replies, copies to management, etc. Chances are the professor will be too ashamed to make much of a stink about the whole thing since he's the one who will wind up looking stupid, and if he does... go see the administration with a copy and ask them to look up "wrongful termination" in the dictionary.
It's not the professor with the unsecured PC who makes the stink. It's the students who found that their personal information was being e-mailed by a virus on the professor's unsecured PC. It's professor Y who received an e-mailed virus from professor X's unsecured PC. It's the ISP whose mail server got blasted by the unsecured PC. It's some random user on the Internet who got spam from some professor's zombie machine.
Calling someone a prima donna when the extent of your own advice seems to be screaming "I can not work this way! I'll be in my trailer!" is somewhat ironic.
I gave two pieces of advice:
1. "You limit their access and tell them that they have to live with it. Explain to them that security is inconvenient and that they have to be adults and accept it."
2. If you are being held responsible for securing a network but are not allowed to do so, then leave.
I don't believe in sitting around, wringing my hands, and saying "woe is me." If I am in charge of securing a network and people won't let me do my job, then I'm not going to spend my days waiting for failures and gathering evidence. If the all-powerful professors can stop you from taking away their administrator rights, then they can surely whip your butt in a political in-fight when it comes time to assign blame for a network security failure.
Another difference is that the bosses in academia are often professors -- they end up going to administration for a couple of years, serving their time, and going back to their research. Taking away anything from a researcher who raises hell won't happen.
Then leave if you are in charge of network security. You will be the scapegoat when some prima donna professor's unsecured PC gets infected with a virus that blasts the Internet and the rest of the campus with virus-infected e-mail.
Try telling the CFO that he can't use a Blackberry, especially if the CIO's his golf buddy.
Our security team here is perfectly happy to confiscate the Blackberry, cell phone, digital camera, or Bluetooth headset of anyone who tries to enter a secure area -- whether they are the President, CEO, CFO, or head of IT.
As far as I can tell, a significant portion of academia believes that nobody may dictate what they can and cannot do.
Then won't they be surprised when they find that they no longer have administrator access?
This group considers it a critical part of academic freedom, and in many cases rely on the insecurity for the way they work.
Then they may have to change the way that they work.
It doesn't matter if the president of the University decrees it; there are many professors that just won't care, and won't see the problem.
So what? I may not see a problem with my having access to Percocet, but it doesn't mean that the pharmacist is going to give it to me without a prescription. It's the system administrator's job to see that the network is secure, regardless of whether the professors understand, or care about, the need for network security.
Even something as simple as removing administrator-level access to the desktop is almost impossible.
No, it's not. You log in, change the permissions and/or passwords and it's gone.
Often, there are even valid reasons, like strange software that doesn't run without it but that is actually essential to their research, or the need to install and run extremely esoteric software that's not in general use. This isn't the corporate world where >90% of users are fine with {Outlook|Notes|etc.} and MS Office, and maybe a couple of custom apps that are widely deployed to a group of people. Each researcher often has unique requirements.
I'm in the corporate world and there are plenty of vertical market apps that you've never even heard of. We just purchased one license for a specialized modeling and simulation package and it's costing us about $40,000 for two years. The number of sites running that software can be counted on one hand. So let's lose the attitude about how special academia is.
If a package that they use requires administrator privileges, put the system running it behind a firewall. Block all traffic other than that specifically needed to run the package. If it's a standalone package, then take the system off of the net completely. Enforce the policies at the MAC level.
The bottom line is that there are prima donnas in industry, government, and academia -- and you can't just throw security out the window every time that one of them finds it inconvenient. If they have a specialized app that truly requires administrator access, wall off the system(s) on which it runs so that it (they) can't harm the rest of the network. You don't put the rest of the network at risk just because some professor finds security to be a hassle. What's next? Allowing unvaccinated kids to attend school because their parents find that taking the kids to the doctors is annoying?
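As an added example (not from this thread or any of its posters), the shell function below writes a default-deny nftables ruleset for the walled-off host described in the comment above: it drops everything except the flows the package needs, so a compromised host cannot reach the rest of the network. The table name, addresses and ports are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: build a default-deny nftables ruleset for a
# single host that has to run a package with administrator privileges. Every flow not
# listed on the command line is dropped and logged. Hypothetical values: the package
# talks to an application server 192.0.2.10 on TCP 8443 and a license server
# 192.0.2.20 on TCP 27000.
#
# gen_ruleset "dst,proto,port" ...   prints the ruleset on stdout; returns 1 on bad input.
# dst may be an IPv4/IPv6 address or CIDR prefix; proto is tcp or udp.
gen_ruleset() {
    # Validate every flow before printing anything, so a typo cannot leave a
    # half-written ruleset (with a wildcard destination) behind.
    for flow in "$@"; do
        dst=${flow%%,*}; rest=${flow#*,}; proto=${rest%%,*}; port=${rest#*,}
        case "$proto" in
            tcp|udp) ;;
            *) echo "gen_ruleset: protocol must be tcp or udp: $flow" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port: $flow" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "gen_ruleset: bad port: $flow" >&2; return 1; }
        # Refuse "anywhere": the whole point is that the host reaches only named peers.
        [ -n "$dst" ] && [ "$dst" = "${dst#0.0.0.0}" ] && [ "$dst" != "::/0" ] \
            || { echo "gen_ruleset: destination must be specific: $flow" >&2; return 1; }
    done

    # Inbound: nothing unsolicited is accepted; replies to the host's own
    # connections come back through the conntrack rule. Add a management flow
    # (e.g. SSH from one admin station) here if remote administration is required.
    cat <<'EOF'
table inet pkg_lockdown {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    counter log prefix "pkg_lockdown in: " drop
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    ct state established,related accept
EOF
    # Outbound: exactly the package's dependencies, one rule per flow.
    # If the package resolves hostnames, its resolver must be listed too (udp 53).
    for flow in "$@"; do
        dst=${flow%%,*}; rest=${flow#*,}; proto=${rest%%,*}; port=${rest#*,}
        case "$dst" in
            *:*) fam=ip6 ;;   # IPv6 literal/prefix
            *)   fam=ip ;;    # IPv4 literal/prefix
        esac
        printf '    %s daddr %s %s dport %s accept\n' "$fam" "$dst" "$proto" "$port"
    done
    cat <<'EOF'
    counter log prefix "pkg_lockdown out: " drop
  }
}
EOF
}

# Demo with the hypothetical application and license servers named above.
gen_ruleset "192.0.2.10,tcp,8443" "192.0.2.20,tcp,27000"
```

Check the generated file with `nft -c -f` before loading it with `nft -f`; a dependency you forgot (a license server, the resolver) then shows up as logged drops instead of as an open door.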
Wow! Great find on that link and he sums up my thoughts pretty well when he writes:
"It turns out to be mostly achievable if you download another hundred or so extensions from obscure corners of the Internet. Yes, I've successfully spent hours replicating something I already had in the name of running with the crowd..."
To some extent, Firefox looks more like a kiosk browser or something to put on Mom's PC rather than a browser built for serious computer geeks. It's nice, fast, small, and clean, but seems to be lacking when compared to Mozilla.
Thanks for the recommendations. I looked over TBE, but was somewhat put off by its claim to being very buggy (on its home page). Googlebar looks pretty good. I guess to some extent, I know the Multizilla/Googlebox tools and am loath to change from them to something that seems, at least on the surface, to be somewhat less capable and more buggy. I'm holding out hope that there will be a Multizilla/Googlebar for Firefox. Then I'll probably change from Mozilla.