TVA supplies power to eight states. Keeping something like that free of malware is important enough to invest in a second network. Having separate networks - one set of PCs connected to a mailserver and to the internet but not to any internal machines, another set that don't have access to the internet, but that you use to manage internal machines - is a totally reasonable precaution. Forget about SETI@Home for a minute. What about all the other stupid net tricks that your typical luser engages in; i.e. all the malware they bring into the network by sending each other email attachments, the unpatched web browsers with cross-site scripting holes that are ripe for abuse because the lusers won't turn off javascript. How much time do you think their admins have to spend cleaning up malware? What if that malware could never get to the important machines, no matter how virulent it is?
Don't you think that makes sense? The military does. That's why staff are supposed to use separate computers for SIPRnet and NIPRnet
--
"Weapons should be hardy rather than decorative" - Musashi
It's interesting to see Dick taking the strategy of cutting FBI funding to kill off carnivore so soon after the FBI went to the hill claiming that the reason NIPC was not effective at preventing computer crime is that they need more money.
--
"Weapons should be hardy rather than decorative" - Musashi
We already have electric cars with great performance. Cars like the tzero, and drag cars that can beat a viper off the line. You want performance? Russ Wilde is talking about building a street legal 1000 hp electric car!
The problem with current electric cars is that batteries don't have enough range. The new fuel cells (like the ones in this story) may be able to change that
--
"Weapons should be hardy rather than decorative" - Musashi
The Australians have used the JORN radar base at Alice Springs to track U.S. stealth aircraft since 1993
--
"Weapons should be hardy rather than decorative" - Musashi
Australia's JORN radar facility at Alice Springs has been using Jindalee radar systems to track US stealth aircraft since 1993. This was known in the USA before the recent "all aircraft must be stealth" attitude was adopted.
--
"Weapons should be hardy rather than decorative" - Musashi
I see port scanning as crawling around someone's house rattling doorknobs, windows, mailboxes, air ducts, rooftop hatches, basement doors, garage doors, electric panel doors, gas valves, water valves, sewer vent lines, outdoor outlets, chimney openings, stove vents. Trying all 256 codes on RF X-10 modules, using a frequency counter/scanner to check for and listen in on radio transmissions, ringing phone lines, ringing doorbells, seeing if you can turn on sprinklers/water faucets, etc.
Would you have no problem with someone doing all that? That's a port scan.
No, that is not at all like a port scan. Doing things like "Trying all 256 codes on RF X-10 modules, using a frequency counter/scanner to check for and listen in on radio transmissions" seems more like the meatspace version of a vulnerability scan (i.e. nessus).
In a similar vein:
Many people compare portscanning to "checking all the doors and windows to see if they are locked". That is hogwash. Portscanning (e.g. nmap) is like looking to see what doors and windows are on the building. Banner capture is like looking closely at the window and door locks to see what kind of lock they are (e.g. bindview's HackerShield[1]). You are not actually doing something equivalent to checking if the doors are locked until you try using the vulnerability (e.g. nessus[2]).
[1] Last year I used HackerShield to check one of my OpenBSD boxes. It reported that the box was vulnerable to the ancient sendmail "wiz" vulnerability. The reason it made that erroneous report was that I was running an old version of sendmail that the OpenBSD team has patched and audited to make secure, but HackerShield only checks the sendmail banner that is displayed when you telnet to port 25. It saw the old banner, and reported it as vulnerable.
[2] One of the nessus tests for cold fusion looks for vulnerable scripts (ones that are installed by default by cold fusion) by trying to use the script to remotely download your win.ini files. That clearly is like the meatspace act of trying to open a door in order to see if it is locked.
--
"Weapons should be hardy rather than decorative" - Musashi
I hope he doesn't use the excuse that leaving active content on by default provides "a richer experience for the user", because that is utter hogwash. I'm certain that the average user would much rather have static email without the risk of viruses, not to mention the annoyance of background pictures and advertisements.
I wonder why Microsoft doesn't just leave all that stuff turned off by default. If a user *must* have that stuff, they should have to turn it on themselves. I doubt those features would be popular if a user turning them on had to click on a warning stating that they were enabling the primary method of viruses to infect their box.
These miniature fuel cells would be a great source of hydrogen. That might let them avoid some of the difficulties of storing liquid hydrogen in the car. Also, an alcohol-powered fuel cell would allow for a cheap and easy fuel distribution system....just use the methods we use now to transport alcohol.
Spiegel claims that German security authorities suspect that the US National
Security Agency (NSA) has 'back door' access to Microsoft source code, and can therefore
easily read the Federal Republic's deepest secrets.
If Microsoft really is going to open their source code to a select few parties, they better make the German government one of those parties. I think the potential economic (and PR) impact here makes it obvious that the Germans need to feel comfortable with the code
I agree with your idea of focusing on the fundamentals instead of new, trendy languages, but I think it should go even one step further; we need to focus on using the fundamentals *correctly*. The vast majority of security problems are due to easily avoidable mistakes that fall into categories that have been familiar for years. Lyons was talking about race conditions back in 1983, and we still see them. I attended a security conference last year where the speaker said he had sat in on several different Boston schools' introductory programming classes, and they all taught students to use insecure techniques when they code. His recommended solution was to start a "visiting professor" program where people with real world security experience would come to a school for a few months to teach beginning coders how to do things safely.
Flabdabb Hubbard said: most CS courses seem to have a Unix bias. Now I am all in favor of unix (especially the free varieties), but I have to wonder if Unix is relevant for the vast majority of CS students who will end up writing applets or PHP or perl to run on W2K servers.
I disagree with this. Students should be taught basic skills that can be applied to any new situation or language. Trying to only teach what is "relevant" is a mistake, because it presumes that we know what will be useful in the future. Martin Vermeer has written a number of convincing reasons why everyone, not just CS majors, should learn unix. He says:
The basics to be taught -- presumably on the secondary school level -- would include: using vi
(probably the only modal editor anybody will ever see!), using the command line, file system directory
structure, mounting, finding and understanding configuration files, writing simple programs (such as
"hello world") in C, shell or perl, regular expressions, basic networking (ping, traceroute etc), ftp, email,
usenet, mark-up languages, overview of the way standards are created, e.g., in the Internet Engineering
Task Force, and other essentials.
You may notice that these are precisely the "tough" things you will never learn by just clicking around,
but which kids will pick up almost in play if made to -- after all, this is nothing but language learning.
Few people would ever learn Spanish or Russian if not in school! And some of these skills will be
immediately useful, like "regular expressions", that will immediately give a better basic understanding of
how to effectively use search engines on the World Wide Web. Or mark-up languages such as
HTML/XML, offering a glimpse of a better world in which documents can be freely transferred, without
risk of illegibility, to someone using an ever-so slightly different system -- or even to yourself, after a
system upgrade.
One argument must immediately be put to sleep: that because Windows is the dominant operating
system in the world today, one should teach that and not some esoteric alternative. The answer to this is
plain and simple. The task of education is to instill generalist abilities and not the skill of "operating" one
product. Someone who has acquired the skill of reading books will easily absorb also comic strips, but
the reverse is not true... similarly, someone versed in Unix will feel right at home in many other
environments including Windows. And for children, learning Unix is not that hard, as experience has
shown, due perhaps to its internal consistency and logic.
Larval mosquitos live underwater. Mosquito eggs are laid in floating rafts on standing water. When the eggs hatch, the larvae live underwater and hunt insects. It is common to use gambusia fish to eat the larvae so they don't grow up to be bloodsuckers.
Of course, this can present other problems, too.
This will only work on a small scale. As the article states: The world's supply of saltwater is virtually unlimited, but salt stifles conventional crops and spoils topsoil.
Using saltwater for irrigation will make the land impossible to use for other crops. Furthermore, it isn't necessary, since there are simple ways to remove the salt from the water.
There's also the question of Dr. Hodges' past experience. The article touts his 30 years of experience with shrimp farming in Mexico and Saudi Arabia. Despite this, it fails to note that even advocates of shrimp farming admit that the most economically viable shrimp farms have been environmental disasters, and that there are serious concerns about shrimp farming in Mexico.
Since when is it permissible for a school to dictate what a student can say outside of the school?
That's always been permitted. If you attend a private school, they can pass rules (e.g. regarding smoking or alcohol consumption) that govern your behavior both on and off campus. Many religiously affiliated colleges reserve the right to expel students who have been drinking at off campus parties.
As was mentioned in a thread further up the page, The first amendment limits the powers of the government. It does not limit the power of private institutions. This school was a private institution; i.e. it was not affiliated with the government.
I wonder how Dubya's school voucher program will affect rulings like this...it will be interesting to see if a private school taking federal money is subject to the first amendment.
what's all the hubbub? I just finished reading an article about SOAP. Sounded pretty neat.
Many security people, including Bruce Schneier, consider SOAP to be a horrible idea. Think about it. Your simple stateful packet filter (i.e. linux 2.4 kernel) will no longer be enough to build a firewall. If applications use XML over port 80 as an API, we will have to put application level proxies on things that used to be simple services. All firewalls will have to include an analytical engine as strong as that of an IDS for each service they want to run. That makes them much more expensive and complex.
Complex firewalls generally aren't as trusted as simple ones. Things are going to get ugly, and SOAP won't help.
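To illustrate the SOAP comment above, here is an added example (not part of the original comment) contrasting what a port-based filter can decide with what an application-level proxy has to parse. The operation names, host name and allowlist are hypothetical, and the sample requests are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ALLOWED_OPERATIONS = {"GetQuote"}  # hypothetical policy: the only call we expose


def packet_filter_allows(dst_port, proto="tcp"):
    """All a port-based rule can express: is this TCP traffic to port 80?"""
    return proto == "tcp" and dst_port == 80


def parse_http_request(raw):
    """Split a raw HTTP request into method, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 2)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def soap_operation(body):
    """Return the operation name inside the SOAP Body, or None if malformed."""
    # SOAP 1.1 forbids a DTD in messages, so refuse it before parsing.
    if b"<!DOCTYPE" in body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "{%s}Envelope" % SOAP_ENV:
        return None
    soap_body = root.find("{%s}Body" % SOAP_ENV)
    if soap_body is None or len(soap_body) != 1:
        return None
    # Strip the namespace: "{urn:example}GetQuote" -> "GetQuote"
    return soap_body[0].tag.rsplit("}", 1)[-1]


def proxy_allows(raw):
    """Application-level decision: parse HTTP, then XML, then apply policy."""
    method, headers, body = parse_http_request(raw)
    if method != "POST" or "xml" not in headers.get("content-type", ""):
        return False
    return soap_operation(body) in ALLOWED_OPERATIONS


def build_request(operation):
    """Constructed sample request carrying one SOAP call."""
    body = ('<soap:Envelope xmlns:soap="%s"><soap:Body>'
            '<m:%s xmlns:m="urn:example"/></soap:Body></soap:Envelope>'
            % (SOAP_ENV, operation)).encode()
    head = ("POST /api HTTP/1.1\r\nHost: app.example\r\n"
            "Content-Type: text/xml\r\n"
            "Content-Length: %d\r\n\r\n" % len(body)).encode()
    return head + body


if __name__ == "__main__":
    for op in ("GetQuote", "DeleteAccount"):
        print(op, "packet filter:", packet_filter_allows(80),
              "proxy:", proxy_allows(build_request(op)))
```

Both requests look identical to the port rule; only the code that parses HTTP and XML can tell them apart, which is the extra complexity the comment is pointing at.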
I took a look at it, and I'm still OK. Let's hope the brakes on my car don't give out on the way home.