Slashdot Mirror


User: macdaddy

macdaddy's activity in the archive.

Stories: 0
Comments: 2,490

Comments · 2,490

  1. Linux and AIX on Ask IBM's Linux Marketing Director · Score: 4
    With IBM's support of Linux, what do you see happening with AIX? Will that continue? Will one gain from the other? Or will one ultimately be replaced by the other?

    --

  2. Sounds interesting BUT... on Australians to Build Spaceport on Christmas Island · Score: 2
    I'm left wondering what their plans are for the natural inhabitants on the island. Christmas Island is 63% national park and 100% beautiful. IIRC, it's the peak of a large underwater mountain. It has a great tourist business as well. The red crab population is a big boomer there as well (it's on Discovery regularly). Simply walking through the forests on the island is difficult due to the large number of crabs on the forest floor. The island isn't that big either. It's only like 52^2 miles. I wonder if they've addressed these issues yet.

    --

  3. Firestone on Hyperion Robot Follows the Sun · Score: 4
    Let's just hope they aren't Firestone tires...

    --

  4. College papers? on Supreme Court Sides With Freelancers On Net Copyright · Score: 2
    Does anyone know if this will affect a student's thesis in college? Can a simple policy or even an IP contract still keep these simple rights away from a starving college grad?

    --

  5. Judge Judy on Judge Sues ISP for Poor Service · Score: 2
    Does anyone else think this sounds like something Judge Judy would pull?

    --

  6. Troll? on Ashcroft Pledges To Fight Online Obscenity · Score: 2
    How did this get a troll rating? It's not trolling. It's factual. Did that bastard AC mod me down and then post his rant as an AC? If so then that sucks. How are all the trolls getting mod points all of a sudden? That person's post would correspond to when my karma dropped a point. Damned trolls....

    --

  7. Re:Wrong!!! on Ashcroft Pledges To Fight Online Obscenity · Score: 2
    I don't think so. I live 3 miles (count them 1 2 3) from the Kansas Missouri border. The majority of the people I work with live in Missouri and commute. They hate Ashcroft with a passion. They hated him more than they hated the former (dead) governor. It wasn't out of grief that they voted for the dead guy. It was a statement, a statement of hate for Ashcroft. Get *your* facts straight before countering with bullshit.

    --

  8. Michael, are you nuts? on Total Solar Eclipse · Score: 2
    "turn off the computer, go outside, get a tan."

    Are you kidding? That's what we have wireless laptops for! :-)

    --

  9. Re:Buy? on Red Hat In The Black · Score: 2
    That's good to know. I've been thinking about sinking a few $k in the stock market. I need to find a good HOWTO on the subject because I don't really know squat about investing. Maybe I should seek some professional help before I lose too much.

    --

  10. Buy? on Red Hat In The Black · Score: 2
    So would people recommend buying RH stock now?

    --

  11. Re:University != company Re:I can see it now on SETI@Home A Security Threat, Says TVA · Score: 2
    Each environment has its needs

    Couldn't be said better. I contract admin for an ISP as well and different needs apply there. I can filter more in some respects and less in others. Since it is a very rural ISP I can filter more. Since it's an ISP, I really can only filter less than here at the university. Different places have different needs. I'm writing a modular ipchains-based firewall system. The default settings are extremely anal. All privileged ports are blocked by default. You have to explicitly open the ones you want to allow access to. It's like an ALL: ALL TCP wrapper statement in your hosts.deny. Then you explicitly open which services you want to be accessed and from where. Banks and large corporations all have their needs as well. No one department in a large corporation will have the same needs as another corporation. No matter what way it boils down to, each department should be its own little entity and have its own set of ACLs, possibly even a dedicated firewall (see the other comments I posted in this thread about that).

    99 times out of 100 management is much more ignorant than the users they are supposed to be thinking of. Sometimes it's technical incompetence. Other times they try to make it political when it doesn't have to be. Still other times they want to slap a pretty PR face on something and delay or bump up schedules on it to fit their PR whims. Poor management causes that. Management that doesn't listen to their own employees causes that. Management that is only looking for self advancement causes that. This isn't to say that all management is bad. I've been fortunate enough to have a couple good managers in my time. Usually my super is quite good as well. I can only think of one place where the top of the stack was a knowledgeable, technically competent person. What would be ideal is if management could be grown from within. Take a senior sysadmin/netadmin that everyone likes to work with and give them management training. Then give them a shot at the top. Other times the department is already so screwed up that the ultimate top of the heap of the entire business or university would have to be on crack to hire from within. I've seen that as well.

    --

  12. Re:I can see it now on SETI@Home A Security Threat, Says TVA · Score: 3
    Thanks. I try to write the most productive responses I can. I think that in the larger campuses (even most smaller ones) you can segment users and user types by the building they come from. For example, I know that the only non-dormite user in my dorms is the Residents Hall Director. The front desk is dormites as are all the other users. The basement labs in the dorms are again dormites. The Res Hall Dir wouldn't lose much of anything from being treated like a dormy. Give dorm drops private IPs for security reasons. This greatly inhibits the amount of damage a single student can do with a warez server. It also keeps a passive DDoS client at bay because the master can't contact the slave if it has a non-routed address. It won't do much for active DDoS clients that actively report in and listen for commands from the master, such as one using IRC to communicate. Now mind you, I would have been really upset if this had been done to me when I was in the dorms. After some reflection though I quickly realized how easy of a target my systems were at that time and how much I could have compromised security. A private IP (routed across the campus but nowhere else) could have prevented anything but a local sploit. This private IP business is part of that "trust level" thing you were talking about. Time and time again a few dorm residents prove that they can't be trusted. It's not all of them but you can't treat just one or two of them. You have to treat them as a whole for whatever reason (usually political). Private IPs will still easily meet the education goals of our charter while increasing MTBF and MTBH's (or MTBCS). Private IPs for printers is also a very very good thing. Printer manufacturers are very bad about embedding an *nix OS to control their printers while not actively taking a role in securing them in the present or future.

    A DMZ is also a must. The larger the network the more grand it becomes. DMZ != demilitarized either. If anything it's just as secure as your local server farm, if not more secure. You just allow services from the outside to that subnet that you don't want to allow elsewhere. Once you separate your public services (DNS, SMTP relay, www) from your local services (LDAP, RADIUS, HEC machines, etc..) you can then isolate the local services and beef up security even more internally. I wouldn't say to separate the desktop and server networks although that's really what you are doing in a way. In my ideal network, each building is 3 subnets, 1 public and 2 private. The public is general use for all faculty/staff. One of the private ones is for our networking hardware (non-packet rewriting things like switches, wireless access points, and repeaters). The other private is broken down more for printers, labs, special machines that only need local access, etc.. Each building is an entity. Each entity is multiple subnets. Each entity is also an interface on a core router (or trunked interfaces if need be). The server farm is also an entity independent of the building it resides in. The same goes for the administrative workstations. That's an entity as well. Each entity becomes a subnet or more and an interface on the/a core router(s). Firewalling from that point on is a breeze because of the ease with which nodes on a subnet can now be identified. The entire subnet is DMZ. This subnet is dorms. This subnet is administrative workstations/personal servers. This subnet is all server farm. Breaking it down from there and applying rules just got a lot easier. :-) Now you can identify users and types of users by subnets and actual physical interfaces (even VLANs if you want to get even more fine grained). The physical distinction makes it a breeze to place the dorms behind a Packeteer or the like.

    I also contract admin at my old ISP. At that place I get very anal about my host-based security. In fact all of my machines at all my places of employment and home utilize host-based packet filtering on top of heavily TCP wrapped services. Everything is up-to-date and everything is configured with security in each daemon's config file. The TCP wrappers are basically a backup for my ipchains filtering. Redundancy never hurt anyone. Beyond my server farms sits a Linux Router/Firewall. That box provides even more protection. Box A is our web server and does nothing but HTTP, FTP, and SSH, so that's all you can connect to. Box B provides no external services so you can't see squat on it. Host C is a RADIUS machine. Only local subnets have access to it and more specifically only terminal servers. Being very anal about security can be a good and bad thing. Some people are so anal that they won't allow you to SSH in to your desktop machine from home. That's unreasonably anal. I'm anal enough to prohibit RPC, Netbios, direct SMTP (as in a server running on a desktop machine), and DNS from home to a work machine. That's much more reasonable. The anal retentive firewalling has gotten me one very good thing. I've never been hacked. Not yet anyhow. It will happen; that's guaranteed. It just hasn't happened yet. I like to think that some of my measures have helped. If they haven't, it's sure been fun learning how to do what I do. Cheers

    PS==> Switching switching switching....

    --
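    The policy that comments 11 and 12 above describe (privileged ports closed by default, services opened one at a time and only from named source networks, private dorm space that off-campus hosts cannot reach, and a DMZ as the only subnet exposed to the outside) can be written down as a small decision function and exercised against sample traffic. The block below is an added example for this archive, not the commenter's own ipchains tool or any code from the thread; the subnet prefixes, the host addresses for "Box A" and "Host C", the entity names and the sample packets are all constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed subnet plan in the spirit of comments 11 and 12: every "entity"
# (DMZ, server farm, terminal servers, dorms) is its own subnet. The prefixes
# are hypothetical, chosen for this example only.
ENTITIES = {
    "dmz": ip_network("203.0.113.0/24"),          # public services: DNS, SMTP relay, www
    "serverfarm": ip_network("10.10.0.0/24"),     # local services: LDAP, RADIUS, ...
    "termservers": ip_network("10.10.1.0/24"),    # the only clients RADIUS should hear from
    "dorms": ip_network("10.20.0.0/16"),          # private space, routed on campus only
}

# Explicitly opened services, the equivalent of poking holes after an
# "ALL: ALL" deny: (destination host, protocol, port, source networks allowed).
# "Box A" and "Host C" follow the comment; the addresses are made up.
ALLOW = [
    ("203.0.113.10", "tcp", 80, ["0.0.0.0/0"]),    # Box A: HTTP from anywhere
    ("203.0.113.10", "tcp", 21, ["0.0.0.0/0"]),    # Box A: FTP from anywhere
    ("203.0.113.10", "tcp", 22, ["0.0.0.0/0"]),    # Box A: SSH from anywhere
    ("10.10.0.5", "udp", 1812, ["10.10.1.0/24"]),  # Host C: RADIUS, terminal servers only
]

PRIVILEGED_PORT_LIMIT = 1024  # ports below this are closed unless listed in ALLOW


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def on_campus(addr) -> bool:
    """True if the address lies inside any campus entity subnet."""
    return any(addr in net for net in ENTITIES.values())


def evaluate(pkt: Packet) -> tuple:
    """Return (verdict, reason) for one inbound connection attempt."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)

    # 1. Only the DMZ is reachable from off campus. Private dorm addresses in
    #    particular are routed nowhere else, so an outside controller cannot
    #    initiate a connection to a dorm machine.
    if not on_campus(src) and dst not in ENTITIES["dmz"]:
        return "DENY", "only the DMZ accepts connections from off campus"

    # 2. A service that was explicitly opened also says who may use it.
    for host, proto, port, nets in ALLOW:
        if str(dst) == host and pkt.proto == proto and pkt.dport == port:
            if any(src in ip_network(n) for n in nets):
                return "ACCEPT", "explicitly opened service"
            return "DENY", "service is open, but not from this source"

    # 3. Anything else on a privileged port is closed by default.
    if pkt.dport < PRIVILEGED_PORT_LIMIT:
        return "DENY", "privileged port closed by default"
    return "ACCEPT", "unprivileged port with no rule"


# Constructed sample traffic: an outside client, a dorm machine, a terminal server.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 80),    # web request to Box A
    Packet("198.51.100.7", "203.0.113.10", "tcp", 25),    # SMTP to Box A (not opened)
    Packet("198.51.100.7", "10.20.3.4", "tcp", 6667),     # outside host to a dorm address
    Packet("10.10.1.9", "10.10.0.5", "udp", 1812),        # terminal server to RADIUS
    Packet("10.20.3.4", "10.10.0.5", "udp", 1812),        # dorm machine to RADIUS
    Packet("10.20.3.4", "203.0.113.10", "tcp", 22),       # dorm machine to Box A via SSH
]


def run_samples():
    """Evaluate every sample packet; returns a list of (packet, (verdict, reason))."""
    return [(p, evaluate(p)) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for p, (verdict, reason) in run_samples():
        print(f"{p.src:>14} -> {p.dst}:{p.dport}/{p.proto:<3} {verdict:<6} ({reason})")
```

    The ordering matters: the off-campus check runs before the allow list, so a service opened "from anywhere" is still only reachable on a DMZ host, and the allow list runs before the default-deny so an opened service on a privileged port (SSH, HTTP) is answered while everything else below 1024 on the same box stays closed.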

  13. Re:I can see it now on SETI@Home A Security Threat, Says TVA · Score: 3
    It may seem odd to those who have never had to administrate a network...

    Odd you mention that because that's exactly what I do. I'm the Network & Systems Manager at one of the 6 Regents universities here in the State of Kansas, which will remain nameless. I also recommend distributed.net and SETI to the users of this university and have a lab cracking on the RC5 challenge. Source? What do we care about source? Better put, are we allowed to care about the security problems found in the source of the software our users download? No. We're a university. We don't have that luxury. If we as a 4-year university could say what you can and can't install for security reasons, the first things to go would be Outlook, IE, Irix, and Windows. Do we trust MSN Messenger? AIM? ICQ? What about all the various IRC clients? MUDs? Local sploits should always be a concern. Can we say what our users can and can't install? Not a chance in hell. As a net & sysadmin you have to remember one thing. Never trust your own network. Period.

    Given my placement in the arena you think I'm not in, I can very easily and with great authority comment on "employers not understanding" small parts of the big picture.

    --

  14. Bases on Can University Students GPL Their Submitted Works? · Score: 2
    All you homework are belong to us!

    Seriously I don't think any ugrad-level work should be owned by the university. I don't think the general grad stuff should be either unless they are working on a big project which the university is sponsoring in some way. Simply using a basic lab machine doesn't qualify in my book. My lab and engineering fees are supposed to cover those resources. Now if I was on some bigass SGI doing DNA simulations or something of the like, for which the university had to purchase something or had to give me control of a large lab for an extended period of time, then yes I do think that they should have part of my work. Otherwise people would go to school forever to use up the unv's resources and then sell their work to the top bidder.

    --

  15. I can see it now on SETI@Home A Security Threat, Says TVA · Score: 2
    "Notepad compromised our security." It all comes down to employers simply not understanding what the application is for and using it as a scapegoat for any problem that comes. It happens at my university. Every time something goes wrong the network is blamed. I can't check my email. The network must be down. I can't stream my local radio station. The network is "full". I can't play my Flash games. The network in my building sucks. We're out of coffee. The network needs to be replaced; we need a router in every building. Literally. I hear that shit all day long, not just from users but from co-workers within our IT department! ARGH! The agony.....

    --

  16. Re:My last 2am rant at Darren Reed. on IPFilter Clarification · Score: 2
    So does that mean he now owns all the work that other developers did to the source over the last 8 years? I think not.

    --

  17. The stolen 63" on NEC Announces 61-inch Monitor · Score: 2
    You know, it would be hilarious if the thieves of that stolen 63" monitor called Samsung tech support to ask about drivers for their newly acquired monitor. ;-)

    --

  18. Missouri Election Outcome on Ashcroft Pledges To Fight Online Obscenity · Score: 1
    You know, something that I found absolutely hilarious about Ashcroft was the outcome of the Missouri Election. For those that don't know, shortly before election day the existing governor of Missouri died in a plane crash. He and Ashcroft were the only potentials for the big house. On election day everyone got quite a shock. The people of Missouri hated Ashcroft so much that they voted in the dead governor for another term of office. That's right. The stiff was appointed to another term of office. I'm not really sure what the outcome was. His wife accepted it for him and I believe she said she was going to assume the office and continue what her husband started. I also remember somebody (official) saying that he would offer her a senate or congressional seat instead of the governor's seat. Since Ashcroft went to the really big house, she must have decided to stay in Missouri. Otherwise he would have been the next up. IIRC the people of Missouri didn't really like the stiff, but they hated Ashcroft. Honestly I think he and Bush make a good couple. Tell me, can anyone else think of the last time we had such an incompetent administration? Perhaps George Sr's. Other than that I can't think of any other one. They'll probably drop the DOJ vs. M$ thing, outlaw pron, legalize Carnivore, and much much more. Big Gay Al would have been much better I think even if he is a dumbass. My $.02.

    --

  19. E-mail viruses on University IT Departments and Viruses? · Score: 2
    You really really need to look into a good email-based virus scanner. Honestly that's where 95% of the threat can be stopped. When was the last time you received an infected CD or floppy? Ok, now when was the last time you received a variant of Hybris via email? You should look into John Hardin's E-mail Sanitizer. The information there about threats is an excellent read. The next step is stopping mail clients (or configurations) that allow ease of spreading. People may like the way Outlook works but in all honesty it has been the best thing for viri since the invention of Windows. It can be secured but someone has to actually do that. Promoting Webmail can be an alternative. Make it incredibly user friendly and feature rich and the average user will choose it over something that they can only use from home. Hopefully this will help you.

    --

  20. Re:I love this part on Cal-ISO Breach Revealed · Score: 2
    Excuse me? Buddy you 1) weren't there, 2) obviously don't know the people involved, and 3) apparently don't know the policies set forth by the company I worked for. HR would have had a field day over this because it violated numerous company privacy policies for employees as well as procedural policies within my department and my super and boss both knew it. That would probably be why my super was assigned to other duties (read: shit work) and was no longer my super. If there are a number of possible variables that you don't know, either a) ask for them or b) save some electrons and don't say jack.

    --

  21. I love this part on Cal-ISO Breach Revealed · Score: 2
    "That's really amazing on two counts: that there were computers not behind a firewall and it took 17 days to discover," said state Sen. Debra Bowen (D-Marina del Rey), who chairs her chamber's Energy Committee. Bowen, who was informed of the breach by The Times, called it a "serious matter" and said she was "very concerned to learn about this from the L.A. Times, rather than from the ISO itself." The lack of official notification, she said, adds to her skepticism about whether the agency has been forthcoming. "It is embarrassing, so I can understand they would not want to talk about it," Bowen said. "We're going to ask some questions."

    I love that quote. What, does she think that she needs to know every little common thing that goes on in a place like that? Does she think that compromises aren't a daily thing in this electronic world? If that same place had a stapler get stolen from the supply closet or hell a company car from the dealer that was working on it, would she have to have "official notification"? Would she expect for someone to realize a stapler was missing right away? People like that make me sick. She reminds me of a super I used to have that was always on my case wanting to know exactly what I was doing every minute of the day. Finally I got so fed up I literally wrote down everything I did for the entire day, minute by minute with notes. Some example entries would be:

    8:15AM Blew nose.
    9:30AM Left to take a bathroom break.
    9:33AM Arrived at bathroom. Took morning shit. Bad case of diarrhea. Took 9 wipes and 4 dabs and a lot of air freshener. Note to self: bring Peptobismal to work for desk drawer.
    9:47AM Returned from bathroom.
    10:12AM Picked nose.
    10:43AM Did super's job for him because he was too busy planning his next vacation.
    11:01AM Opened 3rd can of Mountain Dew.
    11:05AM Took a Pepcid AC to combat bad acid reflux.
    11:47AM Scratched myself.
    1:00AM Went to worthless meeting of which I shouldn't be in because I have no part in anything discussed and nothing in it directly or indirectly affects me.

    I documented the entire day like that but worse with even more vivid descriptions. I spent more time writing shit in my list than I did actually working that day. At the end of the day I sent it to my super and _the_ boss. Needless to say my super never asked what I was doing ever again. :-)

    --

  22. LAN Party on Giant Airships to Deploy Buildings by 2003 · Score: 2
    Can you say Instant LAN Party? :)

    --

  23. I can't resist on PGP Is 10 Years Old · Score: 2
    I just can't resist reminding people that Phil Zimmermann, the author of PGP, is a Macintosh user and wrote PGP using a Mac. I just can't resist it. :-) Now I wish there was a very simple, very concise "Idiots" guide to using PGP with an email client. That would make things so much simpler. It is really hard to explain to a newbie how PGP works. Hell I don't even understand it sometimes. If someone knows of a good resource, I'd love to hear about it. Thanks

    --

  24. LinuxPPC on TiVo? on TiVo Upgrade Isn't · Score: 2
    Maybe I'm mistaken but I thought what was running on TiVo was LinuxPPC, or at least a variant of LinuxPPC. Wouldn't it be fairly simple to hack around this problem, write a replacement package to replace these missing features, or downgrade to the older version of code? I don't own a TiVo myself but I'd love to get one. Someday...

    --

  25. Burn up? on Panel Recommends Mars Samples Be Quarantined · Score: 2
    I can't say for sure but I would think that most forms of life would be burnt up upon entering our atmosphere (meteor showers). Maybe at the very least the intense heat would kill off most of the microscopic forms of life and the rest would die because of the environmental differences between our planets or something. That makes sense to me anyhow. I'm all for quarantining the Martian goods. An even better means of quarantining us might be to analyze the Martian goods on a space station, quarantined there as well. Then we can go through a long isolation phase with the people that had to work with it to make sure they don't bring any little friends home with them. That way no Martian stuff touches Earth's soil until we are certain it's safe. That's my $.02 in wheat pennies.

    --