There's not a whole lot new and interesting in terms of security on the network side of things. Lay out your network properly, use a DMZ, firewall (preferably Linux's iptables with stateful firewalling and something like shorewall to make it easy to use) and use IDS etc. Actually, one kinda new and interesting thing you can do on the network side of things is to use User Mode Linux to set up a fake network (all running on one box) of tempting-looking target machines simulating your production network and watch for people to poke at it. It serves as a good control subject to compare against your IDS results to reduce false positives. If anything is hitting your honeypot you know it's hostile.
But the real recent innovation in the host based security area is Mandatory Access Controls. ugo+rwx and unix uids are all part of discretionary access controls. Users can make their .rhosts world writeable and can often use suid binaries or buffer overflows in daemons running as root to elevate their privs. But if you have a kernel enforced mandatory access control system these things cannot happen. I have been playing with SE Linux for a while now and I really like it. I just created a security domain/role for the freenet daemon to run in. If someone exploits it and gets a root shell they will be trapped in Freenet's domain which is restricted to least privilege. Even if they get root they cannot hurt the system. Mandatory Access Controls take the fangs out of root. I have put up my freenet domain config file for your viewing pleasure here. Note that it is still a work in progress. SE Linux is very flexible and secures the entire machine from any root exploit I have seen used in recent years. It would have prevented my personal box from being rooted by that ssh bug that came out a couple years ago!
As they say, it is "Military grade security at Open Source prices!"
The Freenet developers have done a great deal of study. The enemy has to have control of or be able to monitor a great number of freenet nodes to accomplish this.
In what way does freenet lack publisher anonymity? Lots of people are publishing completely anonymously on freenet. That is one of its main selling points. It is not practically possible to tell who inserted any given piece of data into freenet.
I have to second the recommendation to try Freenet. I believe it is superior technology to mixmaster and is completely decentralized so nobody can censor it or take it down. Very slick. Undergoing some growing pains for sure but definitely moving along.
Every year or so I give taper another try and every time it segfaults on me. Even across different systems and tape drives. This has been going on since around 96 when I first tried it. I emailed the author and got a reply but he just couldn't reproduce it and I couldn't find anything in particular that caused it. I just have zero confidence that I will be able to restore a backup with it after all of the troubles. I currently use tar. I've heard good things about Mondo. Search freshmeat for it.
Freenet has much better data integrity and trust mechanisms. Someone could upload a bunch of crap files but you could download from SSKs of trusted sources and know they are good.
I have used lots of spam filters including SpamAssassin, junkfilter, homegrown scripts, etc. Nothing works nearly as well as the Bayesian filtering. I started with bayespam but found ESR's bogofilter better performing (it's in C as opposed to Perl so lower startup time) and it fits more easily into my mail architecture. No false positives and many hundreds of spams caught. I have a feeling this is going to be the best spam filtering technology for some time to come. Spammers won't be able to out-evolve it. I also like the fact that I don't have to periodically update rulesets or anything because it is self-maintaining.
If you haven't tried it, check it out! You won't regret it.
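The token-probability scoring the comment above is praising, as an added illustration (this is not bogofilter's or bayespam's code; it follows the "A Plan for Spam" style of scoring, and the training messages are constructed):

```python
"""Added example: Bayesian spam scoring over a small constructed corpus."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[A-Za-z$][A-Za-z0-9$'!-]*")

# Constructed sample corpus, labelled by hand (not real mail).
SPAM = [
    "FREE viagra cheap pills buy now click here",
    "lowest mortgage rates guaranteed click here now",
    "make money fast work from home free offer",
    "cheap pills online no prescription buy now",
]
HAM = [
    "meeting moved to thursday please update the calendar",
    "the kernel patch for the loopback device is attached",
    "can you review the iptables rules before friday",
    "flight lesson rescheduled weather looks bad thursday",
]

def tokens(text):
    """Case-folded set of tokens; each token counts once per message."""
    return set(t.lower() for t in TOKEN_RE.findall(text))

def train(spam, ham):
    """Per-token probability that a message containing it is spam."""
    spam_counts = Counter(t for m in spam for t in tokens(m))
    ham_counts = Counter(t for m in ham for t in tokens(m))
    nspam, nham = len(spam), len(ham)
    probs = {}
    for tok in set(spam_counts) | set(ham_counts):
        g = 2 * ham_counts[tok]   # ham counts doubled to bias against false positives
        b = spam_counts[tok]
        p = min(b / nspam, 1.0) / (min(g / nham, 1.0) + min(b / nspam, 1.0))
        probs[tok] = min(0.99, max(0.01, p))   # clamp so one token never decides
    return probs

def spam_probability(text, probs, unknown=0.4, top=15):
    """Combine the `top` tokens whose probability is farthest from 0.5."""
    ps = sorted((probs.get(t, unknown) for t in tokens(text)),
                key=lambda p: abs(p - 0.5), reverse=True)[:top]
    if not ps:
        return unknown
    prod = math.prod(ps)
    inv = math.prod(1 - p for p in ps)
    return prod / (prod + inv)

def is_spam(text, probs, threshold=0.9):
    return spam_probability(text, probs) > threshold

PROBS = train(SPAM, HAM)
```

Retraining is just calling `train()` again on the grown corpora, which is the "self-maintaining" property the comment refers to; the 0.99/0.01 clamp and the unknown-token value of 0.4 are the conventional choices, not tuned numbers.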
Because I pretty much run my life by computer I end up with all kinds of info on my computer. And it is for this reason that I use the Linux Crypto API (formerly the international kernel patch). I have an encrypted volume (a big file which gets mounted on loopback fs) on my machine where I keep any sensitive information including all of my email once it has been read. Every so often I mount it, copy the stuff in, and unmount it. It works great and is so easy to use that I actually use it. The only chance someone has of catching sensitive information is if they get it before I copy it into the encrypted volume (passwords, keys, company private data, etc. all go straight in) or if they can somehow recover it from the raw device from when it was written in cleartext. My disk has enough activity and accidentally fills up often enough that I'm not too worried. It's not like I'm protecting national secrets or anything.
Learning to fly is easy. It took me 12 lessons. And I've got the logbook signed by an FAA certified CFII to prove it.
Unfortunately, the majority of learning to fly is judgement. And that is the sort of incomputable problem we are not going to be teaching computers any time soon. Humans have enough trouble with it.
Had you been running SE Linux your files would not have been modified in the first place and a good audit trail would tell you what they attempted to modify.
Unfortunately, it is illegal for me to run anything other than 100LL fuel in my certified airplane without doing a bunch of paperwork, testing, and obtaining an STC (Supplemental Type Certificate) or paying someone else who has done all of that work. If I owned an experimental/homebuilt aircraft, that would be different. But those are not allowed to be used for any sort of commercial operation.
Also check out GNUnet which is similar to freenet but is searchable and written in C instead of Java. I think GNUnet has more long term potential than Freenet.
Crypto won't hide your IP address but relaying the information through a number of proxies sure will.
Have you ever seen a regular person install Windows?
Didn't think so. Of course the only "regular people" who use Linux have someone else set it up for them. The vast majority of Windows users don't install their own systems. You haven't really made much of a point.
Don't think for a second that I didn't consider this. As a pilot, you know that flying is all a matter of risk management. I normally control this risk by not flying this low over unlandable terrain and minimizing my time being away from landable terrain. But the fact is we were over highways the majority of the time, as the map shows.
Re:No really sir, we're just sniffing for APs... (on Warflying: San Diego; Score: 2, Informative)
I was in contact with controllers the entire time and explained to them that we were doing an aerial survey. It was no problem at all.
A few seconds connectivity? Let's say the range is a mile radius. That means flying directly over it I have 2 miles to work with. At 120kts (137mph) that gives me 53 seconds. Plenty of time to associate, DHCP an IP, check email, send queued outgoing mail, and scoot on to the next AP. Plus we could always circle and have as much time as we want.
Nonsense. 802.11b in a small plane is harmless. Probably harmless in an airliner also but I am less familiar with airliner systems. And FYI, I fly airplanes with CD players built into the instrument panel. Check this picture out. See that box with the slot in it above the right yoke? It's a CD player. I haven't flown this particular plane in a few months but it is the only one that I have flown with a CD player I can find a picture of online. And when I am flying a plane that doesn't have the CD player built in I am flying a plane with a 3.5mm jack for portable CD player audio input.
My opinion is that the airlines are scared to death of lawsuits. If a plane goes down and people were allowed to use 802.11 onboard they would get sued out of existence because "everybody knows that using portable electronics onboard aircraft is dangerous." There's not much proof of it, but "everybody knows it!"
A Grumman Tiger is a small single engine plane. You can rent one for $73 US per engine hour (not the best price in the world but everything is expensive in San Diego) here: Plus One Flying Club. I rent this one occasionally: 222WC Not really all that expensive for the amount of fun you can have and a far cry from a private jet.
I'm a pilot too. I have recently flown approximately 360 hours with a cell phone turned on in my pocket just a couple feet from the radio stack and have never noticed a problem. Cell phones operate on a different frequency range than the VHF communications and navigation equipment in an airplane. I am not aware of there having been any documented instances of a mobile phone interfering with avionics. If anyone has any references (not anecdotes) please email me.
IDS systems need to be tuned! Don't have any NT machines on that subnet? Turn off all of the NT related signatures! Get tons of false alarms on a particular alert which isn't applicable? Turn it off! It's a matter of risk assessment. Are you more likely to miss something important because of this alert which goes off all the time and has a low probability of being legitimately triggered? Turn it off! You won't catch everything this way but the goal is to at least catch SOMETHING that you would not have if you didn't have the IDS!
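The two IDS ideas in these comments, dropping signature families that cannot apply to a subnet (the NT example above) and using the UML honeypot as a control so that any source seen touching it is known hostile, applied together to constructed alert lines. This is an added example, not code from the commenter; the alert format only loosely follows Snort's one-line style, and the signature ids, addresses and honeypot hosts are made up.

```python
"""Added example: tune IDS alerts by subnet inventory, then confirm with honeypot hits."""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

Alert = namedtuple("Alert", "sid msg src dst")
ALERT_RE = re.compile(r"\[(?P<sid>[\d:]+)\] (?P<msg>.+?) \{\w+\} "
                      r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

# Constructed alerts (sids and addresses invented for the example).
IDS_ALERTS = [
    "[1:1002:5] WEB-IIS cmd.exe access {TCP} 203.0.113.7:3344 -> 192.168.1.10:80",
    "[1:1256:7] WEB-IIS CodeRed v2 root.exe access {TCP} 203.0.113.7:3350 -> 192.168.1.10:80",
    "[1:2003:4] MS-SQL Worm propagation attempt {UDP} 198.51.100.9:1434 -> 192.168.1.20:1434",
    "[1:1390:5] SHELLCODE x86 inc ebx NOOP {TCP} 203.0.113.7:3360 -> 192.168.1.10:80",
    "[1:1390:5] SHELLCODE x86 inc ebx NOOP {TCP} 192.168.1.30:4455 -> 192.168.1.10:80",
    "[1:1002:5] WEB-IIS cmd.exe access {TCP} 203.0.113.7:3370 -> 10.0.0.5:80",
]
# Constructed connection log from the honeypot boxes. Nothing legitimate ever
# talks to them, so every source address in this log is hostile by definition.
HONEYPOT_LOG = [
    "203.0.113.7 -> 192.168.1.200:80",
    "203.0.113.7 -> 192.168.1.201:21",
]

# Tuning rule from the comment: 192.168.1.0/24 has no NT hosts, so NT-only
# signature families firing against it are noise. 10.0.0.0/24 does have them.
NT_ONLY_PREFIXES = ("WEB-IIS", "MS-SQL", "NETBIOS")
NO_NT_SUBNETS = [ip_network("192.168.1.0/24")]

def parse_alert(line):
    m = ALERT_RE.search(line)
    return Alert(m["sid"], m["msg"], m["src"], m["dst"]) if m else None

def applicable(alert):
    """False when an NT-only signature targets a subnet that has no NT hosts."""
    dst = ip_address(alert.dst)
    nt_only = alert.msg.startswith(NT_ONLY_PREFIXES)
    return not (nt_only and any(dst in net for net in NO_NT_SUBNETS))

def hostile_sources(honeypot_log):
    """Every source that touched the honeypot, regardless of what the IDS said."""
    return {line.split(" -> ")[0] for line in honeypot_log}

def triage(alert_lines, honeypot_log):
    """Return (confirmed, unconfirmed): tuned alerts split by honeypot evidence."""
    hostile = hostile_sources(honeypot_log)
    confirmed, unconfirmed = [], []
    for line in alert_lines:
        a = parse_alert(line)
        if a is None or not applicable(a):
            continue   # suppressed: not applicable to that subnet
        (confirmed if a.src in hostile else unconfirmed).append(a)
    return confirmed, unconfirmed
```

Alerts left in `unconfirmed` are the ones worth a human look: the signature applies to the target, but the honeypot gives no corroboration either way.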
I wonder if these things could also be used to block radiation emitted from computers which can leak data? This sounds somewhat like building a faraday cage around the theater.
Freenetproject.org
One of the references is:
Bill Yerazunis. "Sparse Binary Polynomial Hash Message Filtering and The CRM114 Discriminator."
Anyone else recognize the reference to Dr Strangelove? I love that movie!
It should CLEARLY be the GNU/LNX-BBC!
Q: Does masturbation cause you to go blind?
A: Not as far as I can see.
Unless you run SE Linux. SE Linux will prevent the Apache/OpenSSL/WU-FTPd/Sendmail exploits from working.