I have FC2 installed on two machines, an Athlon XP 2500+ with a WDC WD800JB, and a K62 500 with an older Hitachi. Both worked great dual booting, one with WinXP/FC2 the other with FreeBSD 5.2.1/FC2.
The only problem I had has been mentioned before, and that is with the X drivers for the Radeon 9600SE...but ATI's proprietary ones fixed that.
They state proximity RFIDs...just how far does this proximity go? I have no problems keeping track of who opens what doors inside a building, etc. for security reasons if they're doing classified or confidential work. However, an RFID is a little more invasive.
So, what does MIT do with the data they could collect on how many trips to the watercooler I made?
I've seen several "corporate" XP cds floating around, as well as some beta versions which contain all XP functionality once patched through Windows Update.
Microsoft disables some CD keys already which are known to be pirated, but I wonder how many valid corporate group cd key installations there are which have been pirated. In that case, it really wouldn't be feasible for MS to disable that cd key, as it would disable that entire company, etc.
The use of port knocking should be as a deception device, not necessarily as an active defense.
You are hiding the fact that you have something to hide, ala steganography. Once that something is found (the knock sequence), it is open to attack just like anything else.
Stego + encryption is the way to go. Not necessarily for this application (port knocking), but it could have some great security uses.
So with port knocking, you still want that encrypted channel to be required (SSH, etc.) on the port that you successfully knock to.
You are correct that if you have a static knock sequence, that's not that good. However, if you have ever-changing sequences that combine time windows with other external factors, then unless you knew the sequence beforehand (since it changes every time), you would have no way to guess what it was besides running a brute force attack, which is outside the scope of this sort of defense, since it brings into account lots of other issues like using spoofed packets to DOS IDS/IPS etc.
I remember talking about port knocking and its inherent sniffing vulnerability previously.
Basically, if someone can sniff the sequence of packets, they can get your static knock sequence.
However, if you base it on their IP perhaps, or add in a timestamp (i.e., on this date, at this time, you must do this sequence) then it would make port knocking a much more effective method of deceiving attackers.
You could also do something where the knock sequence would be a form of one time password. So you would have a list of valid knocks that could only be used in order. Each person could be given a "block" of these one time passes, or the sequences could be generated on the fly as other current implementations of one time keys are.
There are lots of great possibilities, if only I were smart enough to think of them ;) I'm currently implementing a C++ networking class for a project with port-knocking built in, and it uses the timestamp method. (Of course, they all have to compute the timestamp for one zone, GMT or wherever.)
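Added example, not part of the original comments and not the commenter's C++ class: one way to derive a knock sequence from the client IP and a time window and to accept it only once, combining the three ideas above. The HMAC-SHA256 derivation, the 30-second window, the port range and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

WINDOW_SECONDS = 30                # assumed length of one time window
PORT_MIN, PORT_MAX = 20000, 60000  # assumed range of knock ports
KNOCKS = 4                         # assumed number of ports per sequence


def current_window(unix_time):
    """Unix time counts from the UTC epoch, so all hosts share one zone."""
    return int(unix_time) // WINDOW_SECONDS


def knock_sequence(secret, client_ip, window):
    """Derive the knock ports for one client IP in one time window."""
    msg = ipaddress.ip_address(client_ip).packed + struct.pack(">Q", window)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_MAX - PORT_MIN + 1
    return [PORT_MIN + int.from_bytes(digest[4 * i:4 * i + 4], "big") % span
            for i in range(KNOCKS)]


class KnockVerifier:
    """Server side: accepts a sequence once per (client IP, window)."""

    def __init__(self, secret, skew_windows=1):
        self.secret = secret
        self.skew = skew_windows   # tolerated clock drift, in windows
        self.used = set()          # (ip, window) pairs already accepted

    def verify(self, client_ip, observed, unix_time):
        if len(observed) != KNOCKS or not all(0 <= p <= 65535 for p in observed):
            return False
        now = current_window(unix_time)
        # Forget windows that can no longer match.
        self.used = {(ip, w) for ip, w in self.used if w >= now - self.skew}
        got = struct.pack(f">{KNOCKS}H", *observed)
        for w in range(now - self.skew, now + self.skew + 1):
            ports = knock_sequence(self.secret, client_ip, w)
            want = struct.pack(f">{KNOCKS}H", *ports)
            if hmac.compare_digest(got, want):
                if (client_ip, w) in self.used:
                    return False   # sniffed sequence replayed in its window
                self.used.add((client_ip, w))
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    t0 = 1_700_000_000                    # constructed sample time
    seq = knock_sequence(secret, "192.0.2.10", current_window(t0))
    server = KnockVerifier(secret)
    print(seq, server.verify("192.0.2.10", seq, t0),
          server.verify("192.0.2.10", seq, t0))
```

A sequence captured on the wire is useless from another address, after the window has passed, or a second time inside the same window; the service behind the knocked port still needs its own authentication.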
I wonder how widespread this guide will be. Just a note, the folks who are putting this out are a private group and not the US government itself.
The National Labs already use a lot of open source software, so it would be great to see more inclusion in other government sectors, maybe saving some tax $$. (Or it will cost more, you can never say ;)
My housemates and I had several issues with a DirecPC system. (We had both upload and download via the dish, they also have upload via modem, which might be better.)
1. Latency was usually around 600ms. While this might not be bad for downloading, since the actual speed once the download started was great, it did make for a very annoying web experience. Often times we could dial up to a local provider at a 33.6kbps connection and connect to websites faster. I think this was because every request takes 600ms at least, and some webpages require many requests, etc. The upload via modem might fix this issue.
2. We had problems with the USB interface. It was the only one available to the system at that time. It would often just drop off and we would have to reboot to continue. (We were running it on a Windows box because they did not have any BSD/Linux drivers.)
3. Our service was down many times over the course of the six month period we had it. Several times this was for periods of a couple of weeks at a time. I found this to be unacceptable.
I'd try the uploading via modem if you have that option.
...that he decided to list his company affiliation in the list of authors. Most companies require any paper that goes external to go through a review and approval process, which would catch any differences in opinion between the author and the entity which that author represents in title.
I personally agree with the paper, too bad @Stake lost such a valuable employee. OS diversity can be a great asset in system security, as it keeps an attacker on their toes. However, administration becomes that much more complicated of course : |
One thing that you get with the licenses is centralized updating from redhat's servers. I find that on my networks, it's easier to set up your own server and do it yourself. That way you don't have to pay RedHat and depend on each of your servers getting it from an outside source, you just need to have your update server grab it and share.
Of course, companies like redhat are good for businesses as well, because a lot of companies don't have the time to do a lot of their own support (or the technical savvy/staff), so having that option out there is a definite plus.
a) How long does it take one of these micro blackholes to decay? and...
b) Are they positive that a blackhole will just decay nicely. The big bang only took one particle supposedly, so...what happens when a blackhole pulls in upon itself? Boom?
Haha, interesting point. Gotta watch out for those R-Boxes they will create to do this! (blatant spin on S-Boxes for DES..oh wait, they cracked that one already)
I agree that nothing is secure. And I was pretty stupid and didn't think of the whole "they have to transmit stuff for the police to get it" thing ;) However, on your local LAN, there is a measurable way to include physical security so that no one can attach to your network. Once it's at the router level however, that means they can connect through methods which never touch your physical LAN, and that's not acceptable for something that is "non-detectable". I'm fine with getting a subpoena and having to install a sniffer on my network if someone has committed a crime. I'm not fine with installing something that I can't tell is on or off, or even installed. Hopefully Cisco will come up with a method to do this in as secure a manner as possible, while allowing the administrators of the router to see what is going on as well.
"multiple police agencies conducting simultaneous wiretaps must not learn of one another" -- If the police cannot determine if a wiretap is running on the router, then what is to stop a malicious party from running one there without administrative knowledge?
It always bothers me when a movie gets a review that it is not true to life, or the actors would not feel that way in real life, etc.
When watching a movie, my main purpose is to be entertained. If I want to learn something about life, I will go to real people, not some fabricated actors in a scripted universe.
Not to say that movies can't be educating about social and other issues, but I think their best tool is entertainment.
With that goal in mind, HP2 did a great job.
Just an interesting fact I've observed. Having worked for the past 5 months at a DOE national laboratory, I've noticed that (very generalized), the physicists use macs more, the engineers use sun/linux, and general work is done using windows (access to office without emulation). Also, many use windows on a separate desktop, though I haven't seen anyone using all three.
I wonder if this is due to the software, reliability issues, or other matters. I know of many people who use their old computers (mac, windows, linux, whatever), and will not upgrade to new versions or other OSs just because they are complacent with what their current machines can do, they don't want to lose their desktop settings, etc. Others cannot switch, because they use applications which are critical to their work area, and only work on a specific OS.
On another tangent, a project is currently being undertaken at our lab to replace large, expensive sun workstations, with quieter, faster linux workstations.
One of the main issues here is whether ORBZ should be punished for checking a domain for SPAMing with authorization from that domain. There are several pros/cons for doing it this way:
PROS:
-SPAMing domain administrators aren't likely to respond to an email asking if they can be
-Incompetent administrators who will refuse and/or just not know what the check is so not want it to be done.
-Some administrators will simply delete it by mistake, not ever finding out they have an open relay.
-Also more reasons which I haven't thought of because I'm dead tired.
CONS:
-Lotus Domino and other servers with problems might either crash, or report false positives. This is a big problem for companies, but...they should really upgrade anyway.
-Probably some that I haven't thought of here too.
I think the positives far outweigh the
We were using their service for about 12,000 customers, and it worked quite well. Ah well.
---
It's my personal opinion that if someone sends one of these emails and it crashes your server, yes, it is your fault. Better to find out now, when you can fix it, before you lose more productivity later on when it is combined with all of the other
Maybe it will act as a reality check for all those managements out there who think security isn't a big issue. It is.
Refer to my original post.
Port knocking is not designed to act as a single layer security scheme. (At least it shouldn't...)
:) ...if the slow is silent.
The port knocking should be an added layer to slow down/deceive/deter attackers.
So, you would still have authentication as normal on the ssh port or whatever with one time passwords.
A 'Triple D Threat'