Obviously there will be bias. That's the whole point. Life is biased. Deal with it. Not everybody is equally likely to commit a crime; for example, 3-year-old girls are very unlikely to bomb skyscrapers. Is there anything wrong with not checking them?
The point is to find relations between people that commit crimes so they can be caught red-handed TRYING to hijack a Boeing, finding 20 armed policemen inside the plane instead of the innocent passengers they were expecting to kill.
If they're wrong? You cannot be sentenced without an independent review of the evidence. So what's the problem?
Let's take a stupid simple case. Say they find 45% of Muslim redheads kill people at round points; then what exactly is wrong with making sure a policeman is watching round points near the places they live?
Life is biased. In a thousand ways. One of them is that YOU are biased (against neo-cons, for example), so why whine about it?
This falls, imho, under the "you have the right to free expression" / "I have the right to not listen" combo.
Why? When was the last journalist killed in the US for writing his mind? China executed some just last month, and so did Iran.
Maybe (maybe) he's a moderate now (let's hope he has to be; it is certainly true that extremists have a tendency to become moderates when they come to power), but at least in his youth he was not. He denied, or at least trivialized, the Holocaust in his doctoral thesis.
Here's his Wikipedia bio:
Abbas was born in 1935 in Safed, then part of the British Mandate of Palestine. His family became refugees during the war of 1948 and settled in Syria. In Syria he taught school and graduated from the University of Damascus before going to Egypt where he studied law. Subsequently, Abbas entered graduate studies at the Peoples' Friendship University of Russia in Moscow, where he earned a Ph.D. in history. In 1982, Abbas wrote a doctoral dissertation, referring to so-called "Holocaust deniers", claiming secret ties between the Nazis and the Zionist movement. In 1984, a book based on Abbas' doctoral dissertation was published in Arabic by Dar Ibn Rushd publishers in Amman, Jordan. His doctoral thesis later became a book, The Other Side: the Secret Relationship Between Nazism and Zionism, which, following his appointment as Palestinian Prime Minister in 2003, was heavily criticized as an example of Holocaust denial, but corroborated by the Jewish German writer Hannah Arendt in her book "The Banality of Evil". In his book, Abbas raised doubts that gas chambers were used for the extermination of Jews, and suggested that the number of Jews killed in the Holocaust was "less than a million." In an interview with Haaretz in May 2003, he claimed merely to have been quoting the wide range of scholarly disagreement over the Holocaust, but no longer harbored any desire to argue with the generally accepted figures; he further affirmed his belief that "the Holocaust was a terrible, unforgivable crime against the Jewish nation, a crime against humanity that cannot be accepted by humankind". [2]
Another problem with reporters ... some (like China) just plainly lie. I was quite surprised to find this blog report.
What does one trust? It's a hard question these days.
Let's hope this makes people think twice about the truth value of news coming from dictatorships without a free press.
... etc ...
Not just China, unfortunately, but a long list:
China
North Korea
Iran
Afghanistan
Iraq
Palestine
Why do you want to use threats?
1) You take legal action -> perhaps you'll get what you want (most likely even)
2) You don't -> roll over
By doing what this guy is suggesting you're just adding to the frustration of an already very difficult job.
But if you find something like SMARTS or Netcool or HP Service Center for $50k, that will be equally impressive. Hiring the main developer of an open-source ticketing system may be a nice compromise.
So doing it your way (what you described above) is not going to happen, unless (see further)
Keep in mind, when you evaluate things like HP OpenView/SMARTS InCharge/... that
1) they cost > $50k up front for the software box alone
2) they require a lot of consultancy to get running (i.e. they're not going to be operational tomorrow, and it's going to cost you)
3) you can't save money on them, as that would mean leaving problems lying around unfixed
4) you become dependent on one partner (as there is a BIG cost associated with working in a new guy, no matter how smart he is, he won't understand your business)
So just hire someone to do this, and give him 3-4 beefy servers to work on. For $50k you can hire a good programmer for a year, and he should be able to get the system operational in a month at the latest. Any modifications can be done through this guy, and the system can be very specific to your business, integrate with everything you want, and it'll actually work. And you get a full-time (very) capable consultant (he wrote your system, how much more capable can someone get) for free for a year. If the system really takes off, you have a free analyst/programmer on your hands.
Think about it.
Apple is not a monopoly. MS is. Apple is allowed to do it. MS isn't.
Obviously it's the "strategic decision makers" that pull this kind of crap.
Just my 2c
Then why not replace that "bastion host" with a Zorp host and keep your current firewall?
This will, however, save seriously on complexity (e.g. try configuring passive FTP in different firewalls a few times; same type of issues for SIP etc.)
When have you EVER seen a layer change in the OSI model? Please give a web reference.
(There are multiple models, of course, but OSI layer 7 is quite an accurate description of something)
So it's closed software ... so is Windows ...
Lots of undocumented protocols right there in the default install. Also encrypted.
For real (tm) security, try a (true) layer-7 firewall (in case anyone knows a product that matches up to this: Cisco's PIX does NOT, pf does not, and Checkpoint does not either; they just have some checks that can be easily fucked up by playing with the TCP window size (setting it very low, for example)).
http://www.balabit.com/products/zorp/
Check it out.
The moving can be done now. Take a course in algebra and a simple one in encryption. There are multiple ways to achieve this, given communication with the server.
Move some file from A to B:
A -> Server: I give up on accessing encrypted file x, but I copy the encrypted data to B
Server -> A: noted, I will no longer send you the decryption key when you ask for it
Server -> B: you have data from A?
B -> Server: Yes, can I have the transformation? Here is my machine ID
Server -> B: I am not giving you the key, however here is the transformation needed to bind it to your machine ID
B -> Server: I need the key, my machine ID is
Server -> B: here it is, you have access
A system like this is extremely hard to hack, given basic precautions in the decryption routines (for example, you do "live decryption": at NO point in the program is more than, say, 5% decrypted in memory, and the routines to decrypt are themselves encrypted, which is quite possible to do).
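A runnable model of the hand-over above, added here as an example and not code from the post: the server tracks which machines may be served the key for file x, refuses A once A has sent its release message, answers B only after A announced B, and hands the key out wrapped under a pad bound to B's machine rather than in the clear. The pad construction (an HMAC over the file id under a per-machine enrolment secret) is an assumption standing in for the post's unspecified "transformation".

```python
import hashlib
import hmac
import secrets


def bind_pad(machine_secret: bytes, file_id: str) -> bytes:
    # Assumed construction: per-(machine, file) pad from a secret shared at enrolment.
    return hmac.new(machine_secret, b"bind|" + file_id.encode(), hashlib.sha256).digest()


class KeyServer:
    def __init__(self):
        self.machine_secrets = {}  # machine ID -> enrolment secret (assumed)
        self.file_keys = {}        # file id -> 32-byte content key, never sent in the clear
        self.holders = {}          # file id -> machine IDs the key may be served to
        self.announced = {}        # file id -> machine IDs A said it copied the data to

    def enroll(self, machine_id):
        self.machine_secrets[machine_id] = secrets.token_bytes(32)

    def register_file(self, file_id, owner):
        self.file_keys[file_id] = secrets.token_bytes(32)
        self.holders[file_id], self.announced[file_id] = {owner}, set()

    def release(self, file_id, a, b):
        """A -> Server: 'I give up on x, I copied the encrypted data to B'."""
        if a not in self.holders.get(file_id, set()):
            return False
        self.holders[file_id].discard(a)  # Server -> A: noted, no more key for you
        self.announced[file_id].add(b)
        return True

    def transformation(self, file_id, b):
        """B -> Server: 'I have data from A, here is my machine ID'. Pad, not key."""
        if b not in self.announced.get(file_id, set()) or b not in self.machine_secrets:
            return None
        self.announced[file_id].discard(b)
        self.holders[file_id].add(b)
        return bind_pad(self.machine_secrets[b], file_id)

    def request_key(self, file_id, machine_id):
        """B -> Server: 'I need the key, my machine ID is ...'. Holders only, wrapped."""
        if machine_id not in self.holders.get(file_id, set()):
            return None
        pad = bind_pad(self.machine_secrets[machine_id], file_id)
        return bytes(k ^ p for k, p in zip(self.file_keys[file_id], pad))


def unwrap(wrapped, pad):
    # Client side: recover the content key with the pad bound to this machine.
    return bytes(w ^ p for w, p in zip(wrapped, pad))


def handover_demo():
    srv = KeyServer()
    srv.enroll("A")
    srv.enroll("B")
    srv.register_file("x", "A")
    pad_a = bind_pad(srv.machine_secrets["A"], "x")
    a_before = unwrap(srv.request_key("x", "A"), pad_a) == srv.file_keys["x"]
    released = srv.release("x", "A", "B")
    b_early = srv.request_key("x", "B")  # B asks before the transformation step
    pad_b = srv.transformation("x", "B")
    b_after = unwrap(srv.request_key("x", "B"), pad_b) == srv.file_keys["x"]
    return {"a_before": a_before, "released": released, "a_after": srv.request_key("x", "A"),
            "b_early": b_early, "b_after": b_after, "stranger": srv.transformation("x", "A")}
```

The client never sees the file key on the wire; only a machine holding the matching enrolment secret can turn the wrapped value back into the key.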
There is NO serious comparison possible between Turbo Vision and curses. Curses can NOT do what TV can, and it never will.
Why not live in ignorance? In this case you'll die richer :-p
Jury?
These are not criminal trials, so there is no jury.
Therefore you buy yourself a piece of software that can virus-scan these files instead of blocking them! Oh, protocol xyz can be used to transfer files (name 1 protocol that cannot be used for this purpose? Even ping can be used to transfer files).
"There will always be one idiot who" -> perhaps, but why punish 1000 non-idiots instead of firing the idiot?
If IT security becomes synonymous with bullying (which it is in many companies), I can assure you nobody, absolutely nobody, will care about security, and then your job becomes impossible.
Just a thought.
Innocent until proven guilty only applies in Criminal Lawsuits. This is a Civil lawsuit, and they are only innocent till "sufficiently indicated" guilty :-p
IANALY (I am not a lawyer yet)
It may be possible to break into any system if you have physical access; it is however not possible without rebooting the machine. That means that there ARE security policies that will withstand physical access. E.g. in my security class the idea was launched to encrypt stuff in special ways, and to have a key deletion schedule that will allow you to
1) determine the smallest possible window of time when the system was broken
2) prevent an attacker from inserting messages into the system, even with root access to the system. If he reboots, the key will have been deleted, the system will not be able to read its own data, and will not be able to communicate with the rest of the network
3) if the encrypted data is accessible in any way, it can be made possible to check against forgeries, and still accept the data generated before the breach (the data might have been deleted of course)
Get someone who does this for a living. I am sure there are a few in your local Linux shop. Someone who works at an ISP should have experience with the problems you cite.
Step 2
Follow his/her recommendations (which will probably be splitting the network into more L3 domains): get a 6500, or a few 3750s, or if you really can't afford much a few 3550 switches (which will leave you out of luck when IPv6 starts getting used, but is otherwise a fine choice).
This is about having L3 switches closer to the end user than you have now; as far as I know there are no acceptable products that are cheaper.
(probably) You should split up the L2 network into a lot of separate L3 domains. Do not implement firewalling, and none of the students will mind. Get an IGP running between the L3 domains, and provide multiple, geographically separate uplinks (10 * ADSL exporting 0.0.0.0/0's in the IGP is a lot better than 1 E3 if you don't really know what you're doing).
In short, if you have to ask, you don't know how to fix this, no analysis tools can help you without a serious and deep understanding of the technology. If you don't want to pay someone for this, a lot of people will say they can fix it, but you'll need to be extremely lucky to actually find someone.
Perhaps if you decide to go the cheap route, go the old-fashioned way, trust someone with a CCNP and a CS degree more than a 17-year-old.
Clustering has a MAJOR problem going with it. Clustering requires applications to be written specifically to support clustering. All sorts of libraries have been written to "make this process easier", but one thing's for sure: it will require a recompile, and software that is not designed by people who know what ACID means for databases. It is very hard to keep a hand-written app in a consistent state on all machines, knowing that any one of them might fail completely (we only support complete failures; dysfunctional memory, for example, will not be reacted to) at any time.
They don't force you to use any client at all ...
So nobody forces you to use their web client. Data is available over IMAP/POP3 etc., so use whatever you like. Yes, IMAP doesn't support calendaring, so you can't use it for that. You'll actually need to think about what you do if you want to mix software nobody else is mixing.
Regards,
Christophe