Slashdot Mirror


User: bored

bored's activity in the archive.

Stories: 0 · Comments: 1,324

Comments · 1,324

  1. Re:Antivirus? on AVG 2011 Update Causes Widespread Problems For 64-Bit Windows · Score: 2

    Well it isn't exactly hard to kill the majority of viruses' propagation vectors. I haven't run a "real-time" AV program on my Windows machine regularly since 2000 or so. I have caught 1 (detected) virus in that time, and that was from a USB fob a friend plugged into my PC. That actually failed because I was running under a restricted user account when it happened (Win2003) and the autorun on the fob simply started up and then didn't have permissions to write to the registry location it wanted. Caused some strange behavior and I said "that's weird" and promptly dug into it. Found it, and had it removed in about 10 mins.

    Before that I had autorun turned off, but failed to realize that it wasn't a binary on/off; instead there are further controls which needed to be set to disable it for USB mass storage, and other types of media (fsking M$).

    So, for a start...

    Plain text email.
    Restricted user account (can't modify the system settings).
    Updated browser with NoScript/Flashblock/Adblock/etc.
    VirusTotal (upload everything there before you install it).
    Autorun disabled on all devices.
    Restrictive firewall, traffic monitoring.
    etc...

    That said, I do periodically run some scanners, so it's not like I never check, but I don't like any of the run-all-the-time scanners.

    So while it's possible I have a virus, it doesn't seem to have done any harm yet, and none of the mainstream scanners I sometimes run against system images seem to be able to find anything.

  2. Re:Physical access == pwnage on Attack of the Trojan Printers · Score: 1

    How does locking a MAC to a particular port prevent someone from spoofing that printer's MAC on his laptop and plugging into the same switch port to gain the same network access that the printer had?

    It doesn't, but the way I understood it, you had the printers on the VLAN because they didn't support 802.1x anyway.

    I'm not aware of any mechanism to allow an endpoint to access another VLAN on a switch port set as an "access" port rather than a "trunk" port. I'm not using tagged VLANs for endpoints.

    Your switches are probably better than most (by definition, if you can run 802.1x); in many cases a device can negotiate "trunk" (aka another switch) status on any random port. Even on devices which can disable it for all but a specified set of ports, that oftentimes is an option that must be enabled. Plus VMware and other virtual adapter type applications cause real heartache in environments like yours (because even a non-switched endpoint can have multiple MACs and doesn't necessarily support 802.1x).

  3. Re:Physical access == pwnage on Attack of the Trojan Printers · Score: 1

    Network access control is just one layer in my security, and keeping non-802.1x-authenticated devices off of my main corporate network is trivial to implement and prevents someone from spoofing my printer's MAC address to give him full network access.

    Locking the MAC to a given switch port achieves the same functionality.

    I mean really, what possible harm could someone do if all they can do is send/receive traffic to any port on any of my internal hosts?

    My point is that unless you're very careful the VLAN probably isn't going to give you 100% protection in this regard. VLAN tagging tends to be more a "gentleman's agreement" type protocol. A device which talks MSTP could very well just change its VLAN tagging.

  4. Re:That old saying applies on Attack of the Trojan Printers · Score: 2

    With Cat6 I assume you are running GigE or better, which generally has auto MDI-X and may not even require a crossover. The problem is this crap often doesn't work as advertised, and disabling auto-negotiation often forces the speed to 100Mbit, or worse (because auto-negotiation is required for GigE per the spec). I've seen adapters that expect the remote side of the port to send NLP/FLP sequences before they wake up. Get two adapters like that, and they won't talk.

  5. Re:Physical access == pwnage on Attack of the Trojan Printers · Score: 1

    Really, even when it's a proprietary, or EDGE/WiMAX/etc type adapter? If it does then it must be getting enough false positives to cause you heartache... If someone is putting a wireless interface in a device for back-channel communications I would assume there are much better choices than a normal 802 wireless interface.

  6. Re:Physical access == pwnage on Attack of the Trojan Printers · Score: 1

    Yah, the ones with dedicated "monitor" modes tend to be more robust. 'Course those generally are layer 3, which also by itself tends to be more robust.

  7. Re:That old saying applies on Attack of the Trojan Printers · Score: 1

    port forward to the printer

    You don't need to even do that. Generally you can wire multiple devices to the same switch port and it actually works. I got a personal shock about 15 years ago when I saw it temporarily done to work around an out-of-switch-ports situation. Since then, I try it once in a while to see if it still works; it's like the crossover cable trick, doesn't work 100% of the time, but doesn't need to. The carrier sense and collision detection functions still work even at 1Gbit, so the two adapters will stay out of each other's way. Matching MACs or leaving one in a listen-only promiscuous mode allows you to monitor the traffic with very little hardware effort.

  8. Re:Physical access == pwnage on Attack of the Trojan Printers · Score: 1

    Well a lot of people fail to remember that the majority of the Ethernet switches being sold today only send packets to the specific port the endpoint is on, unless it's a broadcast/multicast packet. This means that plugging joe random promiscuous mode adapter into a switch won't give you visibility to the whole network.

    That said, unless the designer of the trojan is stupid there will only be a single MAC address exported to the network by the printer. Sure, no one is going to just plug a random printer in, but one of the printers on the VLAN could be compromised and you would never know. If the trojan were routing the information out over a hidden wireless interface you might never be able to detect that either, if it buffered everything up and burst it for a few seconds every couple days. Frankly, I'm not sure what extra security you might be gaining putting the printers on their own VLAN instead of on the regular network. As long as you control the MAC addresses, the amount of data any single port can see is going to be limited even if someone shows up and transparently monitors a given port. I guess an evil device could start responding to ARP requests and routing traffic through itself, but if you don't notice that you have other problems. For that matter, a truly evil device could probably preempt your switch management traffic. At that point the VLANs aren't going to protect you. Again this will probably be pretty obvious to anyone paying attention. This is the problem with VLANs, they tend to provide a false sense of security. There is a reason a lot of the really high end gear won't allow (or strongly suggests against) the management ports being on the same physical network as the rest of the switch.

  9. Re:Only 2T ? on SanDisk, Nikon and Sony Develop 500MB/sec 2TB Flash Card · Score: 1

    Or are HDs doing some special magic that I've forgotten about?

    You forgot about the fact that HDs are sector-based, so you address the sector, rather than the byte. So 512B*4GB=2TB.

    HDs generally have 512B sectors, but 2k and 4k block devices have been seen. As flash generally has even larger sector sizes (128k->1M) with a fancy controller to mimic 512B sectors, I wonder why for something like CF they don't just allow large sector sizes.

  10. Re:Nice, now why on Verizon Speeds Up FiOS To 150Mbps · Score: 1

    Uh huh... and why do you have a really fast CPU that sits idle or throttled back 99% of the time?

    Maybe it's because when you want to use something you don't want to wait for it. Instead of waiting 10 seconds to open Firefox it opens in 2 seconds; instead of it taking 30 minutes to get the latest openSUSE you get it in 1 minute...

  11. Re:just not compelling enough on Why Don't We Finish More Games? · Score: 1

    BTW: It also runs on Apple's i* hardware, so you don't need a "desktop".

  12. Re:Just remember on Best IT-infrastructure For a Small Company? · Score: 1

    I'd say trying it on the desktops of regular users is still pretty risky. Unless your users are geeks, you are going to incur training costs, user hostility, and serious issues with compatibility.

    Which means you probably should have at least 1 Windows server doing Active Directory and group policy management. Which then brings up the question of what a Linux machine can provide beyond a basic Windows server for 20 users. Especially given the bundles Microsoft offers for small business servers.

  13. Re:just not compelling enough on Why Don't We Finish More Games? · Score: 1

    Where did the games like "Tetris" or "Lemmings", with a simple, but fascinating idea, that keeps you countless hours playing, go?

    They are still there, you just won't find them at $large_retailer. Try searching the indie game sites.

    For example, I wasted hours of my life playing Osmos. Simple like Tetris and just as addictive. It can also be totally relaxing on the levels where you aren't racing against another organism.

    Plus, the levels are totally replayable.

  14. Re:Nothing new. on The World's Smallest Legible Font · Score: 1

    Which on my display is a shedload easier to read than the cited example.
    'Course I had an HP48...

  15. Re:A non-partisan no-brainer on National Opt-Out Day Against Virtual Strip Searches · Score: 1

    But going through security in Israel sucks even more

    I've flown in/out of Ben Gurion. Granted it was a long time ago (pre-9/11), but I don't remember it being especially annoying, and I sure don't remember an interview. Of course, I understand they use racial profiling, and I don't look like someone from the Middle East, so maybe I got off easy.

  16. Re:A non-partisan no-brainer on National Opt-Out Day Against Virtual Strip Searches · Score: 1

    high profile buildings all have barricades around them

    I'm fine with that, same as strengthening the cockpit doors. Cheap and easy while being pretty effective. A couple of bollards I have to walk around don't bother me nearly as much as getting strip searched.

  17. Re:A non-partisan no-brainer on National Opt-Out Day Against Virtual Strip Searches · Score: 1

    How about buildings? Even the 9/11 hijackings were about the buildings and not the planes. The planes were just a weapon to be used, same as a truck full of ANFO. Nearly every attack is against something like a hotel, market, restaurant, etc. Plus, the size of the airplane is important as well; there is a reason GA generally gets left alone with the security theater, and part of it has to do with the amount of damage you can do with a plane smaller than an automobile. Same thing for the planes: little 737s aren't going to be nearly as destructive as a larger jet, but you don't see them selecting a higher percentage of the passengers flying on a 747 for screening, do you?

    It's total BS, the 4th Amendment should either be enforced or removed.

  18. Seems self serving to me. on GE To Buy 25,000 EVs, Starting With the Chevy Volt · Score: 1

    Let's see, if electric vehicles take off, who will see a major spike in sales?

    Hmmm, maybe this might clarify things: "GE Energy is one of the world's leading suppliers of power generation and energy delivery technologies in all areas of the energy industry."

  19. Re:Alternatives? on The Coming War Over the Future of Java · Score: 5, Insightful

    Anyone who's developing thick-client GUIs in this day and age is a fool.

    Right, except when you want to do anything more advanced than basic text/form manipulation. If you go beyond that, it takes 10x as long fighting with JavaScript/DOM/CSS/etc wedging your UI into HTML than the effort it takes to port it to 20 different platforms. There is a reason HTML is adding a canvas tag. The problem with canvas is that it's the equivalent of giving a modern UI programmer an assembler.

  20. Re:Why not? on Should Being Competitive With Windows Matter For Linux? · Score: 1

    This illustrates the problem with Linux. The stuff programmers care about are not the same things end users care about. Linux is made for programmers.

    Chuckle. As someone who writes a lot of code, I've been running multi-head for nearly two decades using Windows; heck, I ran dual-head in DOS using a Herc card. About 10 years ago, I started rotating one of my heads because vertical real estate is king in my world. I've also been doing development in one flavor of Unix or another (the last 10 or so Linux). But every time, I end up going back to Windows with an X server because it's simply better. Last time I checked it's still impossible in Linux to have monitors with differing rotations. They can be rotated, but just rotating a subset of the total cannot be done. So I run an X server in Windows, even though I'm doing 100% Linux development. Funny enough, but I'm still using an 8-year-old install of Windows at work, while my coworkers end up regularly reinstalling their Linux machines for one reason or another. I'm the only one with more than 2 heads because the multiple card support in Xorg seems to be broken with Nvidia hardware. A few years ago, a couple of them had it working, but OS crashes or upgrades and days spent trying to get it working caused them all to give up.

  21. Re:Windows is the only place left for Linux to exp on Should Being Competitive With Windows Matter For Linux? · Score: 1

    The problem I have with comparing Linux to Windows on the desktop is that I think Windows stinks on the desktop. I may be in the minority, but I want an operating system that is lean and mean, with no zooming windows, special effects, cute audio cues, or glassy curved "kewl" surfaces. I want an operating system to run applications.

    Glad I'm not the only one. I think some part of M$ gets this, hence Server Core. On the other hand, I'm one of those XP/2003 guys because I cannot deal with the lag in Vista/7 due to the changes in the graphical model; moving GDI (the API that 99% of Windows applications use) higher up in the software stack and losing 3x-20x drawing performance drives me nuts.

    Plus, I want to run "apps", and strangely enough some of my apps are 10-15 years old. Of course some of them are brand new, but I don't always feel like keeping an old computer around just to use my old EEPROM burner.

    Oh, BTW, you sound like the kind of person who would have enjoyed MR BIOS in their day. Basically instant-on BIOS. Nowadays I just leave my machines in S3 all the time. My Windows machines are stable enough to never need rebooting, and handle S3 well enough that I have my desktops doing WOL and S3 standby on a 10 minute cycle. Solves the boot problem; of course with all the shit cut out the machine cold boots in ~10 seconds anyway.

  22. Re:i'm sick of this kind of whining on The Placebo Effect Not Just On Drugs · Score: 1

    The Tora Bora "fuck up" happened before the war drums started beating for Iraq

    But this doesn't mean it didn't have a large impact; our special forces are documented to have been in Iraq as early as July of '02. Numerous White House insiders have also made statements indicating that from day 1 Iraq was the focus, even after 9-11. Bush was trying to pin it on Saddam. So, rather than shifting focus and giving Afghanistan 100%, it appears to have been done mostly to placate public opinion until Iraq got underway. Numerous sources have stated dates, saying that hard planning for Iraq happened before Tora Bora, for example http://www.washingtonpost.com/wp-dyn/articles/A17347-2004Apr16.html. So, you really have to wonder how much planning was going on for Afghanistan at the same time. Especially given the views of Berntsen, Schroen or McNab.

  23. Re:Old news here on The Placebo Effect Not Just On Drugs · Score: 1

    You must have had one of the nice ones. The thermostats in the building I work in are more like slave devices. They get their marching orders from a central computer, but they are individually responsible for AC control. There isn't a back channel to tell the central computer if they are working. Turns out the ones on our floor are in the middle of the building's control loop. Which apparently is differential (and in our case someone T'ed off the loop and ran 200' to our section). So either end of the loop works fine, but the devices in the middle don't always get their marching orders. On a regular basis they would lose their minds and flip the heat on in the middle of the summer, or something equally evil. In the end, after the AC guys basically quoted the building mgmt a new system and wiring job, they just came up and installed a $30 programmable thermostat from Home Depot. Now our AC works fine, and it cycles at 7PM/7AM to conserve energy.

    Now if they would just do something about the single pane windows...

  24. Re:i'm sick of this kind of whining on The Placebo Effect Not Just On Drugs · Score: 2, Interesting

    With a straight face, yes Al Gore would have gone to war with Iraq in his first term.

    I don't buy that; you fail to account for two things. First, the Cheney factor. Secondly, the fact that Gore would have probably been busy in Afghanistan as retaliation for 9-11. It's possible he might have just sent in some special forces and concentrated on getting Bin Laden. Given the f**kup in Tora Bora, which probably can be blamed partially on the Iraq "strategy", it's possible we might actually have been out of the intervention before the '04 election because Bin Laden would have been caught. Instead we spent 700B busting a 3rd rate dictator that was effectively hemmed in. If Saddam had acted up, Gore probably would have just bombed him same as Clinton.

  25. Re:reality on Blekko Launches a Search Engine With Bias · Score: 1

    Lame, what about "apple"?

    I would suggest that Google should have a "clarification" page like the ones on Wikipedia.

    It should say something like "I'm sorry, you searched for 'apple'; that request is ambiguous, please select the category you are interested in: /electronics/food/etc"