Instead of having to load and configure software manually, they tell N1 to set up a computer system for them--which, assuming it actually works, takes hours rather than weeks.
They're murmuring about a replacement which would cost about $15M less (than the $154M price tag) thanks to much of the engineering being done already.
Um, since it broke into three parts following a routine firing of the engines, shouldn't we double check that engineering?
It looks like there is some information here
It is interesting that Schneier says that. One of the regular features in his newsletters exposes charlatan security companies that claim to provide security without revealing their methods. At least with a FIPS validation, you can be sure that the program attempts to do what it claims to do. Hopefully labs won't pass a module that was completely bogus, because they would lose their accreditation from NIST and be out of business. (Think Arthur Andersen.) That is a valuable assurance for someone who can't read code.
Actually, a later post accurately refutes this.
You can also do the same thing with OpenSSL
It doesn't look like they're offering an RA or subordinate CA, unfortunately.
You didn't look hard enough. The RA comes bundled with the CA (Oops I mean Security Manager). The CA can be configured to be a subordinate with little trouble during installation.
The link is VERY interesting and thank you, but just to let others know, it only covers HTTP URL encoding. It does not cover setting up IDS on SSL via reverse proxies, nor does it cover avoiding IDS by using SSL. (but that should be somewhat obvious to anyone who cares to think about it a little.)
I don't want to belabor the point, but often it's not necessary to read a technical book from start to finish to review it. A good part of technical reviewing involves just reporting what the book does and doesn't have.
Sure you can report about some things that the book has before reading it entirely, but how do you know what the book doesn't have unless you've read the whole thing?
For nine years, the company has designated users with particular skills--usually seen by how often they intervene helpfully in newsgroups--as "most valued professionals". Currently there are about 1,200 MVPs, half of whom are in the United States.
Oh Great! So these will be people who have nothing better to do than post to newsgroups! Oh wait a minute...
Security should be layered:
So once you've made it hard for the hacker to get into the system, also make it pointless. If the data that resides on the system is also strongly encrypted, then obtaining valuable information is not only hard, it is a colossal pain, and beyond the capability of anyone except maybe NIST. BTW, SSL as implemented by Web servers and browsers can't maintain encryption of data through to the back end; you need a third party product for that (yes, they exist).
Any security mechanism should be designed in such a way that when it fails, it fails closed. That is to say, it should fail to a state that rejects all subsequent security requests rather than allows them.
This is one of my favorites. Most browsers fail SSL connections with a warning that allows the user to just "click through" if the certificate is expired, does not match the DNS name of the site, or is issued by an untrusted authority. Only the last of these should be a warning (since you may want to trust it anyway). The other two should be connection failures. I am glad they included this.
When asked to comment about the chips, a PETA spokesperson said, "I bet you can't eat just one!"
Well, well where to begin?
Is this like ghosting an existing configuration? If so I have never seen a ghost image take weeks.
How do you tell it what you want on the system? Set up an initial system and then copy it?
Who makes the configuration decisions that are normally made during a manual install?
What software takes weeks to install?
Why did I let this stupid, impractical, fact-lean marketing ploy make me late for dinner?
I thought it was invented by Al Gore? Oh no wait that was the internet...:-) Yes, Yes, I know, taken out of context blah, blah, blah. It's a joke! A very old joke! Laugh!
but whether anybody should trust Verisign's assurance that company X is legit
Good Question
I am glad to learn the obvious from a physicist
I think this sadly under moderated reader comment provides a fine rebuttal, if you were being serious. Physicists also like to describe other obvious things like how if you drop something it falls to the ground. I think that Newton guy said something like that.
Now if we could just get Peggy Whitson to flash us! Does anyone know whether the U.S. Naval Observatory Telescope is open on the morning of the 6th?
We already have glucose powered vehicles. They are called "horse and buggy".
Mod parent up! The reason that the recent IE certificate bug exists at all is that they don't follow the standard.
A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize.
IE does not process the critical basicConstraints extension (as well as others) and still accepts the certificate. Netscape (even back to version 4) will reject a critical extension that it does not recognize.
Ouch my side! I laughed so hard that my co-workers are looking at me funny.
human networks never dye... They just shade away.
Seriously, what a ridiculous statement. Of course human networks die. The Jim Jones - Kool-Aid cult comes to mind.
this reminds me of the Towers of Utopia by Mack Reynolds. A massive apartment building where layouts were completely configurable. It also had automatic room service that included alcohol!
From the article: RoamAD operates with a multitude of encryption protocols in conjunction with its proprietary authentication systems that provides a genuinely secure wireless connection
So we can't say that there is absolutely no security, but we also can't say that their security is any good either unless we get to look at it, which we probably can't since it's proprietary.
If you used acetone as a solvent it would.
Speaking of which, I'm not sure I trust this article:
"Acetone is an organic solution often used on the skin. "
Maybe in your sado-masochistic world-view, but acetone is a known defatting agent and will seriously dry up your skin. I think I'll stick with Bull Frog! Poor little mice.
The exclusions are printed below for your edification. Note that hardcore, and disguising the origin of content are specifically excluded. Sorry Slashdotters, you'll have to give this one a pass or *gasp* break the acceptable use terms!
Also, #9 excludes the service's use by the RIAA.
The Services must not be used:
1. For any unlawful purposes or activities.
2. To attempt to violate, compromise or in any way breach the security or integrity of other internet users systems, networks or data including, but not limited to, the transmission of viruses or other programs intended to interfere in any way with other internet users systems, networks or data.
3. upload, post, send or receive e-mail any content that is unlawful, harmful, threatening, abusive, threatening, harassing, tortious, defamatory, vulgar, obscene, libelous, invasive of another's privacy, hateful, or racially, ethnically or otherwise objectionable;
4. For the purposes of receiving, possessing, storing, distributing or publishing of any obscene or otherwise unlawful material including, but not limited to, any form of hardcore and/or child pornography or to harm minors in any way.
5. To cause a breach of copyright, intellectual property, data protection or other third party rights by downloading, uploading or the transmission of information, software or any other material covered by such rights.
6. impersonate any person or entity, falsely state or otherwise misrepresent your affiliation with a person or entity or disguise the origin of any content;
7. upload, post or e-mail any content that you do not have a right to transmit under any law or under contractual or fiduciary relationships;
8. upload, post or e-mail any unsolicited or unauthorised advertising, promotional materials, 'junk mail', 'spam', 'chain letters', or any other form of solicitation;
9. upload, post or e-mail any content that contains computer viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software, hardware or telecommunications equipment;
10. violate any applicable national or international laws or regulations.