Slashdot Mirror


User: J.J.

J.J.'s activity in the archive.

Stories
0
Comments
88

Comments · 88

  1. faith bolstered on Ask Slashdot: Best Certifications To Get? · · Score: 1

    wrook -- see my uid? I've been around a while. (you too, I see.)

    My enjoyment of slashdot diminished years ago -- it's long since fallen off my rss feeds and daily visits. I found your comment via a link on hacker news and you sir -- you have given me a new hope for slashdot.

    kudos on an insightful post.

    J.J.

  2. Python + ctypes on Where's the "IronPerl" Project? · · Score: 1

    Python + ctypes

    load the DLL yourself direct from python, get a pointer to the function and use it, from python, the same as any other windows programmer.

    zero reliance on frameworks and included in the main python distro for 2.5 and above.
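
The pattern the comment describes, as an added example (not code from the comment): load a native library by name, resolve an exported function, declare its prototype and call it. The C runtime is used here so the script also runs on Linux/macOS; on Windows the same calls apply to any DLL (`ctypes.WinDLL` for stdcall exports, `ctypes.CDLL` for cdecl), and the `msvcrt` branch is an assumption about the Windows host.

```python
"""Calling a native shared library directly from Python with ctypes.

Added example, not code from the original comment. The C runtime stands in
for "the DLL" so this runs on Linux/macOS too; the msvcrt branch assumes a
Windows host with msvcrt.dll available.
"""
import ctypes
import ctypes.util
import sys
from typing import Optional


def load_c_runtime() -> ctypes.CDLL:
    """Load the platform C runtime by name, the way one would load any DLL."""
    if sys.platform == "win32":
        return ctypes.CDLL("msvcrt")           # assumption: msvcrt.dll is present
    name = ctypes.util.find_library("c")       # e.g. "libc.so.6"
    # dlopen(NULL) exposes the libc symbols already linked into the interpreter,
    # which covers minimal containers where find_library() returns None.
    return ctypes.CDLL(name) if name else ctypes.CDLL(None)


_LIBC = load_c_runtime()


def function_address(name: str) -> int:
    """Raw address of an exported function: the 'pointer to the function'."""
    return ctypes.cast(getattr(_LIBC, name), ctypes.c_void_p).value


def c_strlen(s: bytes) -> int:
    fn = _LIBC.strlen
    # Declaring the prototype is what keeps the call memory-safe: without
    # argtypes, ctypes will pass a Python int where a char* is expected.
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_size_t
    return fn(s)


def c_strchr(s: bytes, ch: str) -> Optional[bytes]:
    fn = _LIBC.strchr
    fn.argtypes = [ctypes.c_char_p, ctypes.c_int]
    # restype matters on 64-bit: the default restype is c_int, which would
    # truncate the returned pointer to 32 bits before you could use it.
    fn.restype = ctypes.c_char_p
    return fn(s, ord(ch))    # returned char* becomes bytes; NULL becomes None


def strlen_via_pointer(s: bytes) -> int:
    """Same call made from a bare address plus an explicit prototype, which is
    how a pointer obtained elsewhere (e.g. from GetProcAddress) gets used."""
    proto = ctypes.CFUNCTYPE(ctypes.c_size_t, ctypes.c_char_p)
    fn = proto(function_address("strlen"))
    return fn(s)


if __name__ == "__main__":
    print(hex(function_address("strlen")), c_strlen(b"hello"), c_strchr(b"hello", "l"))
```

The two prototype declarations are the part worth copying: an undeclared `restype` on a pointer-returning function is a classic silent 64-bit truncation bug, and undeclared `argtypes` let a wrong Python type reach native code unchecked.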

  3. perspective on What Should We Do About Security Ethics? · · Score: 4, Insightful

    Take a few steps back and consider your perspective. Try reading about engineers vs. managers: http://www.fourmilab.ch/hackdiet/e4/eatwatch.html (scroll halfway down)

    Many computer guys tend to be alarmist and see the world in black and white. Many security firms rate problems only based on potential damage without consideration for existing mitigations elsewhere in the system or the reality of targeting from attackers. Consider your company's situation carefully.

    If, after much deliberation, you are certain legitimate problems exist that must be fixed (versus managed) then talk to the managers in their language: build a business case. You work for a company, the company's job is to make money. Security costs money. You must clearly articulate how the security improvements will make money or stop the company from losing money. It's all engineering, in the end. It's just engineering with words and numbers.

    Cheers.
    - jj

  4. The universe tends toward maximum irony. on Coppola Loses All His Data · · Score: 1

    The universe tends toward maximum irony. Don't push it. ...Do a backup onto [a third] drive...take that to your office and lock it in a desk. Every few months, bring it home, do a backup, and immediately take it away again. This is your "my house burned down" backup.

    - jwz on backups, 29 Sep 07.
    http://jwz.livejournal.com/801607.html

    I guess you could call that "my shit got stolen" backup, too. Maximum irony, indeed.

  5. hidden vulnerabilities on Password Complexity in the Enterprise? · · Score: 3, Informative

    1. Are you in a Windows domain?
      • if yes, is the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash set to 1?
      • if no, then your password is:
        • converted to uppercase,
        • truncated to 14 characters
        • stored in two seven-character halves that may be bruted independently -- single 2GHz system can brute the entire keyspace in about 90 days.

      • if NoLMHash is set to 1, then your password is stored as a relatively secure MD4 hash. resources to crack in a reasonable timeframe are significant.
      • either way, the complexity of your hash is actually irrelevant:
        • in any domain that still supports NTLM authentication (vice pure kerberos) you can use smbproxy to authenticate with the hash, vice the password. w00t.
        • the hash is stored in the domain SAM and the local SAM, and may be dumped with pwdump, given administrator credentials
        • the password hash is also stored in a user's logon struct, down in ... winlogon.exe (?) -- that whole "single sign-on" thing. has to be somewhere.

    2. not in a windows domain? I'm not qualified to answer.

    so basically, passwords are irrelevant, but are a tangible element to everyone. so when the boss asks for better security, the IT admin implements greater password complexity, the boss notices because he has to type the damn password every day, and the IT admin gets kudos. because of course, if user convenience decreased, security obviously increased. yay.

    what is the value of having a complex password? it should be complex enough an attacker can not guess it. everything else relates to an attacker's ability to *crack* passwords, which is irrelevant in the world of windows these days. in a few years, NTLM will have died and kerberos will rule the day. then things might be different.

  6. Culture change in Microsoft's approach to security on Ask Microsoft's Security VP · · Score: 1

    Fact: The computer will always be compromised -- ref the Dancing Bunnies theorem.

    Fact: Networks are chaotic places. In a network of any size (read: corporate) there will always exist vulnerabilities.

    Result: The network, as a whole, will always be insecure.

    Microsoft's traditional approach to security is very "box" focused: secure the OS. But the network is a collection of operating systems, and the dynamics of securing the network are very different from an individual system. Active Directory, and the ability to reliably apply consistent policies across a domain is the biggest step towards this goal to come out of Redmond, but that's as much a system administration feature as a security feature. There are gaping holes in the technologies available today to secure networks.

    The corporate answer I'd expect is something along the lines of providing "opportunities for third-party software vendors" -- but I really think that's a cop out. Your customers lay the blame squarely at the feet of Microsoft. After all, Microsoft provides all the technology necessary to build a corporate network, but not the technologies necessary to secure it.

    What is Microsoft's roadmap for providing security technologies that secure the network?

    Thanks!
    J.J.

  7. Not as good as Nextel... on Verizon Rolling Out Nextel-Like PTT Service · · Score: 1

    The Economist recently did an article on how all the major carriers are rolling out the "push to talk" features in the coming months.

    What Verizon doesn't tell you:

    And compared with Nextel's service, which connects users almost instantly, it can take two seconds to establish a PTT connection over a GSM network, and four to six seconds over CDMA, says Bob Plaschke of Sonim, a firm selling PTT upgrades to operators.

  8. Re: Cloning.. on LovSan Clone Let Loose · · Score: 4, Interesting

    In my opinion, you have three classes of people that are capable of writing a worm:

    The curious amateur

    This guy has a couple clever ideas, few scruples, and a lot of spare time. All the wide-spread (and well-covered) worms, to date, have come from this kind of guy.

    The white-hat professional

    These are your security researchers and other security professionals. These are the guys that get paid to work in this field every day. They're smart, they understand the details of the security business, and they're fully aware of the extreme vulnerability of the Internet. Like you, they know how bad a "real worm" could be.

    The black-hat professional

    These are your security researchers and security professionals. These are the guys whose job is security. They're smart, they understand the details of the security business, and they develop tools (including worms, trojans and viruses) to take advantage of these vulnerabilities. These tools are developed for a specific purpose: to further the objectives of their employer. You don't hear about them, because their tools are low-n-slow and their impact is very targeted and controlled.

    The difference between a white-hat and a black-hat is a matter of perspective. The world is a big place. Certain governments do not have the same morals as others. Read The Economist. The French intelligence services work very closely with French businesses. The Chinese have equally questionable practices.

    The future is not that bleak. The worms that are designed and released for wide-spread, global impact are the modern-day equivalent of graffiti on billboards. It's an ego trip, nothing more. The ones to worry about are the ones who don't have an ego, and have a specific purpose.

    Hope you're checking your logs, and I hope you notice when he hacks your systems.

    J.J.

  9. Friedman on Does Google = God? · · Score: 2, Insightful

    It's not remarkable that this made it to the NYT op/ed pages. Anything written by Thomas Friedman is going to make it. What's remarkable is that he chose to write about it.

    Friedman has written three books that generally focus on economics and globalization. He's won three Pulitzer prizes. A few of the other posts are knocking this article as fluff, or knocking Friedman in general. Whatever your personal views, people listen to him.

    What's striking to me is that he writes on large political-type issues - globalization, 9/11, Israel. He's not a tech writer. The fact that he took the trouble to go tour Google and then write a column about it is evidence of how entrenched Google is in his non-techie world.

    Yeah, the article is fluff. It's nothing but Friedman's impression and opinions. But it ran on the print version of the New York Times. If it ran on CNet, I'd blow it off. In NYT's op/ed, it's another story.

    JJ

  10. Not just in West Africa, but worldwide... on More Thoughts On How to Wire Senegal · · Score: 4, Informative

    I just returned from a three-week backpacking tour of Nicaragua, Costa Rica and Panama. In general, they're not in as bad of shape as Africa, but some parts still suffer the same difficulties with access and utility availability.

    I told folks I'd keep in touch via e-mail, but was careful to always caveat that with "as long as I can find internet access". Next time, I'll drop the caveat. Places with phones have an "internet cafe". And they're often full.

    In my constant pursuit of fluent spanish, I thought I'd have to find another bilingual computer professional to learn the spanish translation of computer-centric terms like e-mail, web, internet, scanner, mouse, instant messaging and the like. If you find yourself in the same situation, ask a kid on the bus. The older generations aren't there yet, but the kids have it down. I was amazed.

    The Economist did a good article recently on [somewhat] related issues of access, business and money. Instead of working to deliver telephones, they give an account of the beer man. It's a good read. Trucking in Cameroon

    Cheers,
    J.J.

  11. OT: Nanog-l on WorldCom CFO Accused of $3.6 Billion Fraud · · Score: 1

    Little gems like this are exactly why I read slashdot. Thank you! I've been in networking for two years now, and have been searching for an active news site/mailing list/community of intelligent people that are discussing networking specific issues.

    There are sites out there that are well-publicized and have a lot of advertisers, but they're all crap. All fluff, no content. Any 'networking news' site is just an aggregator that filters based on keywords, and is filled with the latest press releases from Microsoft. I don't want to hear about Microsoft - I get enough of that in the standard press.

    Thanks for mentioning the list!

    JJ

  12. Re:Are you sure? on The Story of "Nadine" · · Score: 2

    I don't use bogus addresses, just the work addresses of the guys I went to college with.

    And they wonder why the spammers seem to keep finding them every time they switch jobs...

  13. But Paypal makes it free! on Announcing Slashdot Subscriptions · · Score: 2

    At least, for the first 1000 pages. Remember, you get $5 free just for signing up at paypal.

  14. Listen to the clever people... on What Makes a Good Web Design? · · Score: 4, Insightful

    Listen to the clever people. Not me, but Joel Spolsky.

    From his book, User Interface Design for Programmers:

    Usability is not everything. If usability engineers designed a nightclub, it would be clean, quiet, brightly lit, with lots of places to sit down, plenty of bartenders, menus written in 18-point sans-serif, and easy-to-find bathrooms. But nobody would be there. They would all be down the street at Coyote Ugly pouring beer on each other.

    (he also said that on his site in Nov 2000.)

    Joel's a far more clever guy than I, and is always much more eloquent in expressing ideas. You should listen to him, too.

    J.J.

  15. Be sure to get the whole story... on Photoshop for OS X · · Score: 2

    Cautious readers will want to be sure to read the whole thread. Take the numbers above with a grain of salt.

    These results have not been seen across the board.

    J.J.

  16. Sun anyone? on Cringely: OS X on Intel · · Score: 2

    Sun had an Intel port of Solaris. Now, they're pulling support for it. New versions of Solaris will run only on Sun hardware.

    Cringely should really examine those parallels more closely.

    JJ

  17. See it in action on Google's Search Appliance · · Score: 2

    I noticed this last week when searching Cisco's site. The addition of the "powered by Google" snippet in the upper right hand corner of the search results threw me for a loop.

    I haven't noticed much of an improvement in their search results yet - perhaps it takes time to build the link relationships index?

    Cheers,
    J.J.

  18. Nope - glow stuff doesn't 'hold light' on Light Stopped, Held And Re-emitted By A Crystal · · Score: 2

    Uerm.. correct me if I'm wrong, but doesn't glow-in-the-dark stuff "stop and hold light to be later emitted"?

    Glow in the dark stuff is made up of phosphors - similar material as what's in your CRT monitor. Phosphors emit visible light when excited.

    The phosphors in your monitor are delicately excited by the electron gun in the back. The phosphors in glow in the dark stuff are excited en masse by normal light.

    See How Stuff Works for more details.

    J.J.

  19. Office on OS X v. X Windows on Perception of Linux Among IT Undergrads · · Score: 4, Insightful

    The fact that Redmond and Cupertino engineers have already ported (most of) the Office technology to Mac OS X indicates that a port to the X Window System would not be too difficult.

    He should add this to his 'clanger' section.

    The ease of porting Office to OS X has nothing to do with the ease of porting Office to X Windows. Microsoft has had a version of Office on Mac for years. The OS X environment has two sets of APIs for programmers: Carbon and Cocoa. Cocoa is the native OS X set of APIs. Carbon is a translation layer that maps the APIs from Mac OS 9 and below to the correct function calls on OS X.

    The ease of porting Office to OS X is due to the engineers at Apple who created OS X.

    Fight FUD with FUD!

    J.J.

  20. Re:Fabulous Idea! on Distributed Spam Detection · · Score: 1

    (Not to be too gushing: SPAM is a rich mans problem - I hope someone comes up with some cool technological solutions to some of humanities more basic problems.)

    No, spam is a rich man's problem. SPAM is a problem that most definitely spans class boundaries. The world would be a better place without them both.

    Cheers,
    JJ

  21. Yes, it does pass on the power. on 3Com's 10/100 Switching... Wallplate · · Score: 3, Interesting

    You should have read the article a bit closer. From Page 2:

    Although the NJ100 can be powered by a local AC adapter, the NJ100's "Power-Over-Ethernet" option is a feature that really provides additional value. The NJ100 supports IEEE 802.3af Power-Over-Ethernet standards, which allows you to power the NJ100s from wiring closets, rather than locally. 3Com also offers a Power-Over-Ethernet Midspan Solution, which can add Power-Over-Ethernet capabilities from one to twenty-four ports, using the IEEE 802.3af standard. Of course, this feature isn't included, but can be purchased at additional cost.

    J.J.

  22. Star Trek in real Life on Science Fiction into Science Fact? · · Score: 1

    The Physics of Star Trek, by Lawrence Krauss, a Physics professor at CWRU.

    Cheers,
    J.J.

  23. Unix - Windows Transition on Bush Wants an Unhackable Private Network · · Score: 3, Informative

    It's more like a DoD wide transition from Unix to WinNT/2k. It's all the DoD networks - not just the classified ones.

    I think it's a mistake personally, but I've never researched the reasoning behind the decision. The difficulty in finding unix admins shouldn't matter that much, since the military tends to grow their own anyhow.

  24. One question. on Linux Making Inroads, But Not At Windows' Expense · · Score: 1, Redundant

    One question: who do you trust more? cnet or wininformant?

    Cheers,
    JJ

  25. Re:Mechanic's lein on "Future Tech" vs KDE Developer · · Score: 0, Offtopic

    Cattle like you deserve the police state you'll get. Mooooooo

    The recent anti-terrorism bills that have been passed are the unfortunate result of patriotism. Folks the nation over are wishing to do whatever they can to help - everyone wants to do what they can to 'rebuild America'. Most Americans aren't in a position where they can do anything except wave the flag.

    Our Congressmen are no different - they wish to help, and to 'appear decisive and taking action to counter the threat of terrorism'. Unfortunately, they are in a position where they can do things - even when they shouldn't.

    Be patient - cooler heads will prevail, and things will return to a happy medium.