From the article
... as Bastille does more and more, it has to ask a lot more questions! ... but it annoys some users who just want a quick fix. ... we're making "One Shot" configurations, where they can choose a sample configuration that matches their own and deploy that. While they miss a crucial part of securing the system (Secure the Admin!) they still get a safer system...
Secure the Admin means to educate the Admin on the tradeoffs between security and ease of use. As Pen said in the original post, Security is inversely proportional to convenience. Bastille takes the next step, and tries to educate as it undoes what the distros have done. It's easy to make a machine very secure, but you end up with a box nobody can use. With an under-educated Admin, it can be very tough to know what to turn on or off and why and how.
First step to securing a system is to secure the admin.
Then go to work securing the system.
It's a motto I've been living by, but it can be very frustrating at times when all someone wants is a big security switch. I tell them it's the one marked [| O], the | means insecure, the O means Oversecure.
While peering at the dash, he pointed to the LCD monitors and asked "what are those hoochies?" I wish you could have seen the look on his face when we showed him the tiny color cameras. As we were about to drive off he asked us where we were from. I just looked at Chris, looked back at the man, smiled and said "We are from the future."
This would have had even more effect if they had been dressed strangely. Maybe they were. :-) It's the kind of stunts we played on an unsuspecting and gullible public back in university.
Ummmm, no.
As a non-American who has to work regularly in the US, I can tell you that if havenco starts breaking American laws, their American employees have two choices:
- get a good lawyer before setting foot in the US again
- never leave havenco until they die
The US also regularly prosecutes non-Americans for crimes committed outside of the US. Mostly it's drugs and tax dodging. Gambling will be a large enough issue to get included on the hot list.
Once they get their hands on you, expect a long stay at their expense.
Change it slightly. You are a Dutch coffee shop owner. You sell some marijuana to some Americans, and they get in trouble for it later, such as forgetting to empty their pockets before getting on the plane home. Now the FBI/DEA have a dossier on you as a drug dealer.
What you have done is legal in the Netherlands, and what the Americans did at the time was legal, lighting up in your coffee shop. What the Americans did later was stupid and illegal.
Next time you set foot in the US, you are facing 10 years or more in a US prison.
I type this because I know one person this has happened to; he gets released next year after the Dutch government brought pressure on the US. He'll have served 9 years in prison, even though he never sold drugs in the US. The idiots he sold to each got 25 years, and just got paroled after 10.
This should be a wakeup call for the hit and run web designer industry.
I've got a client whose websites are all hacked up e-commerce packages. It's really funny trying to navigate some of their internal sites. Everything has a shopping basket, and after you perform each action you proceed to the checkout stand. This includes a website for inventory management and some basic groupware functions. To sign up for a meeting, you place it in your basket and check out. To retrieve your group's weekly work plan, you place the request in your basket and proceed to the check out function. To submit a helpdesk trouble ticket for a network problem, into the basket. When I have to find the list of open problems I cover, I have to add them to my basket before I can view them.
Despite a ton of complaints, most of the management think this is the only way the web can work. And the web developers skip out with a ton of money after a very short development cycle.
There are thousands of horror stories out there, it's about time a company struck back at an incompetent group of web monkeys. With some legal prosecution of a few bad apples, the market will shake out the worst and web site design will become a little more sane.
The States could never have remained an integrated political and cultural whole without advances such as telegraphy and the railroads ... ancient empires of comparable size were considerably less stable and considerably more decentralized.
The US did not remain integrated. There was a big and bloody civil war which started because communication between the seat of power in the north and the southern states was so limited. The south, rightly, claimed the north was ignoring its needs on many issues.
By the end of the war, telegraphy was starting to become widespread. The telegraph and introduction of a standard railroad gauge in the US did more to heal the rift between the north and south than any politician's hollow promises.
The same holds true for the British Empire. It achieved its glory days before there was sufficient communication to sustain it. So it collapsed because the needs of each far-off colonial outpost couldn't be met in a timely manner by England. Much of the blame for lack of communication, navigation, economics and other things rests squarely on the shoulders of a very corrupt societal structure. There was a good movie on the search for longitude which highlighted this recently.
Is that off topic enough for a friday night?
Secondly, how does one get a bank of IP addresses these days?
Nobody owns their IP addresses. You rent them from an internet provider. Each provider rents from a provider further up the hierarchy.
At the top of the pile is the Internet Assigned Numbers Authority who have diced and sliced the existing IP address range into pieces, and given authority over those pieces to a handful of regional authorities. This keeps the inter-regional routing simple.
The ICANN exists just to make the internet a confusing place. In confusion, there is profit!
To quote from the article
Goodlatte's bill would make it a federal crime -- punishable by up to four years in prison and fines of $20,000 or more -- to operate a Web site that accepts wagers from Americans.
So Havenco's American backers could all find themselves outlaws if they start to host online gambling that doesn't discriminate against sucker^H^H^H^H^Hpatrons in the US.
The article makes it clear, the bill has been written in a determinedly confusing way to allow for selective enforcement, and selective non-enforcement in the case of large campaign contributors. Politics as usual.
There was a band devolved from Billy Idol's Gen-X called Sigue Sigue Sputnik, had a few dance hit songs in about 1984.
Their tapes and albums had short ~10 second advertising blurbs between each track. The only ones I remember were for l'Oreal hair treatment, and there was one about a men's magazine which was out of business after about issue 3. If you know the band, you'll understand why they have hair care ads :-)
I've heard some other bands do this too, as a way to suck more money out of their short lived careers. Some of the European teen pop one hit wonder bands recently have product placement all through their music and cover artwork. But I don't buy those albums.
It works quite well apparently.
Apparently, you haven't been stuck on the M25.
Theory has it the variable speed limits are more for regulating the flow heading towards the main spoke roads like the M1 and M4. Practice has it the rapidly changing speed limits are for revenue generation. When you see the limit change, you will see a dozen cops sitting on the side of the road after the next exit. Worse than those damnable cameras.
But it's much easier to publish a policy saying you don't keep any log files more than 24 hours. Even if you don't bother deleting them except once a month or worse. But when that lawsuit comes your way, suddenly you come into compliance with the judge and show them the last 6 hours worth of logs only. "Sorry judge, we automatically purge our logs every few hours, and we have never kept a backup".
I don't have a vat of molten metal lying around in case law enforcement shows up at my door. Maybe next budget cycle :-)
If a company were looking just for leads back to someone who had posted an annoying comment, an IP address and some other logged info would be a good starting point. No need to have it stand up in court, just enough to target the investigation on an individual. Other supporting evidence could then be collected, stuff that could stand up in court.
By posting a privacy policy on the web site, the company has entered into a legally binding contract with anyone who uses the site. It is the same with a bricks and mortar food shop putting up "sale" signs in their windows or in adverts in the paper. If they publish a price, they are bound to honor it. Only the occasional misprint is allowed, and most shops will honor misprints rather than risk their business license.
So glad to hear some sane news coming from out of America for a change.
The dispute will more likely center on the "X millions of dollars" part. Does this cover salaries for fixing the system? Revenue lost because of downtime? Upgrading software to more secure versions?
When an insurance policy is granted, the company will have in place a well written procedure detailing exactly how each system will be fixed in case of a cracking incident. That will include an estimate of hours to reload the OS from scratch, and then recover the system configuration and data from backup tapes. The policy will specify how much will be paid for recovering a system after a crack, what the losses per hour for the loss of functionality, and whether a consultant can be paid to further secure the machine after the attack.
If a system is critical to a company's well-being, then it becomes cheaper to buy some hot standby systems ready to be switched in almost immediately. Of course, this increases the cost of a system by 4x to 10x or more. Somebody does the math, and figures out which will be cheaper, a second system, or a few hours downtime of the system.
Va/handover/slashdot would immediately comply with a court order. They are a publicly held company. To do otherwise would open them up to being held in contempt of court, or under the new DMCA laws, held equally responsible for any criminal or civil charges brought against the anonymous coward once identified.
That is why I never post anything objectionable, even using an alias pointing to a throwaway mail service. All along the way, websites are tracking everything they can about me: IP address, machine name, OS type, browser type, cookies. As a network guru, it is child's play to trace people on the net when they piss me off.
Truly anonymising TCP connections is very difficult, so I save that for the really important rants.
I'd like to see /. post a much clearer policy on how they purge web logs every day or so, and never make backups of the web log directories. This would make lawyers think twice about trying to subpoena the info if it is clearly stated it is deleted at the end of every day. As it stands, they are certainly collecting all the info they can on users, even anonCowards, to sell to their marketing masters.
Almost exactly how this works! :-)
This insurance has been available for several years, usually tacked onto an existing data center loss prevention policy. This is a press release to show how our beloved Bruce Schneier has become a partner with a big insurance house.
The insurance company will require at least two audits, the first to determine the policies and attitudes of the management, and to locate holes in enforcement of a good security policy. After the fixes have been made, the second audit will show whether the management can accommodate the change necessary to implement a proper security policy. It's more about attitude than open ports :-)
There are several parts to the audit. The hack/crack part does all the usual stuff, such as wardialing the whole company looking for unauthorised modems, running customised exploit scripts and custom versions of ISS and nmap. They also make sure every system connected to the network is documented, and they log on every server and check the security from inside as well.
There's a bunch of naff stuff going on at the same time like policy audits and background checks on all the IT staff and secretaries. In the end there is a big report, which, based on a security score, determines your policy rate.
The policy holder sometimes puts a security consultant on the site for a while, to monitor the state of the network and how well the IT idiots follow the required security policy.
The whole exercise is to raise the bar against script k1dd13s, and give the shareholders a warm and fuzzy feeling. It also gives the lawyers a defence if a cracker does damage and the company gets sued.
What Counterpane is probably doing is either renting out some tiger teams or training up some in-house teams to use their custom made tools.
I regularly monitor OC-3,12&48 traffic. Not all of it, but the parts causing trouble. Sometimes the streams are ATM carrying internet traffic, sometimes the streams are DS0s carrying voice. If I were to switch a copy of a DS0 PVC to a voice card, I can listen to someone's conversation. When I copy an ATM stream to a separate port, I can monitor all that data traffic without any interruption.
But this capability exists only at a few critical junctions, where we need to debug our streams. It doesn't exist at all points in the network, that would be too expensive to implement.
The CALEA (US) and RIP (UK) laws are trying to force service providers and telephone companies to install additional switches at key points, which only law enforcement could control. This would allow them to monitor any traffic they wanted to, without having to bother us technical people to take a few minutes to copy a stream to a monitoring port for them. We might ask to see a valid court order or something:-)
The problem from my point of view is that we have a hard enough time keeping the whole system running without having law enforcement controlling one link in the chain. We have problems on a daily basis, and we can do anything necessary to any piece of equipment to restore service. If we had to coordinate with an FBI/MI5 agent before tracing a faulty circuit, outages would go from a few minutes to a few days. Finger pointing would become commonplace.
These programmers are building an entire computing environment (XML in a browser) which runs inside of another computing environment (classic OS), and then re-writing a game to show how they can now work entirely inside of Mozilla and never have to leave the browser environment.
This is yet another example of how the computer, the OS, the applications, and the network are all starting to become interchangeable. It goes one step closer to Bill Gates' assertion that the browser belongs inside the OS, but it also shows that a sufficiently bloated browser can replace the OS.
Now they just have to write some compilers and libraries in XML, and we'll never have to leave our browser environments again. Ooops, that's emacs. Sorry.:-)
Last night on the news there was a NASA interview, mostly about some other things, but they also asked the guy about the breakins.
His response, paraphrased, was "That was completely outside of NASA, the data was being sent from internal machines out to some medical researchers. It was their machine which had the problem, not NASA. The shuttle ground control computers are not hooked to the internet in any way."
Since this wasn't a spokesdroid, I'd give it a shred of credibility. I know NASA has been employing tiger teams to probe their security, and they've been shopping around for security firms to independently audit their review of internal security. Sounds like they want to make sure they have an airgap around their life critical systems, so they can clearly dispute such panic mongering headlines as these.
All Intel has to do is cut prices to squeeze Transmeta out of the market
You beat me to it. This is true, except for the fact that Intel would become the DoJ's next illegal monopoly target. It doesn't matter if there are a few other competitors such as AMD. If Intel were to slash prices until Transmeta died, and then raised prices very high, the DoJ would be all over them.
I like the idea the DoJ is starting to investigate many large US corporations for aggressive tactics to hurt their competition. Certainly Intel has been under investigation several times in the last few years, and each time they have promised to change their ways. And they've sincerely changed enough after getting their hand slapped. They don't want to get hauled to court and get engaged in a fight to the death like micros~1 is doing.
Also, the knowledge Transmeta has collected would not instantly cease to exist. The knowledge would resurface inside another Intel competitor, better funded and ready to do battle. So it is not in Intel's best interests to obliterate small competitors like Transmeta, just try to corral them.
This is not so hypothetical as it sounds. The US is well known for extending its laws over the entire world. It regularly makes deals with other countries for "expedited extradition" in picking up suspected criminals. After the bombings of some US embassies in Africa a few years ago, every suspect arrested in African countries was taken by local police to the airport and placed on waiting US military planes, and they awoke in a jail in the US. No local hearings, due process, or even the ability to contact a lawyer locally.
I wish I had had the time to pose some well thought out questions when this topic first appeared. I don't doubt their physical security, but I am worried about what happens if the US or Britain decide to issue arrest warrants. If Britain decides that havenco is storing some data on IRA paramilitaries who don't agree with the peace process, the ex-militaries guarding the tower are not going to stand in the way of a Special Branch/SAS team dropping onto their flight deck.
What happens to Ryan and his American friends if a US judge rules them in contempt of court for refusing to pull a dangerous web site? Do they spend the rest of their days on a tiny platform in the North Sea, knowing the moment they set foot in the UK or Holland they will be arrested and extradited? Do they have legal counsel in both the US and the UK standing by to defend them in their home countries, where they are still bound to obey the law, despite havenco's vague declaration of sovereignty?
Once they break some American laws and get a judge upset at them, it will get nasty. When their assets get frozen, then it's all over for all their clients. But it should be fun while it lasts.
Those were some of the questions I would have liked to see answered, but mostly I want to know about their peering arrangements and their cool routing infrastructure.
I was wondering about the funny score as well. But since I'm a serious karma whore, I'll take what I can get.
Yup, this article didn't deserve a precious post on slashdot. By posting this worthless troll, a jon katz article may have been rejected. What a shame:-)
I've lived all over the place searching out hi tech jobs. For outside the US, here is my list in order of techiness, not in order of livability:
London and M4 corridor: without a doubt the hi-tech consumption leader outside the US. London has the city, with its outrageous salaries and rents to match. All the tech companies stretch out towards the west, following the M4 motorway. Best nightlife in Europe, and traffic sucks.
Dublin: Lots of development following the dual carriageways north, south, and west from the city. The nightlife is friendly but muted and it ends too early for my tastes. Home of Guinness.
Netherlands: Several areas around the Netherlands are good for technology. Utrecht is a university town, so the tech is good but the salaries are bad. Cable and DSL are appearing all over the place. Amsterdam has good tech, and Rotterdam is starting to take off despite it being a big ugly port city.
France: The frenchies are starting to pull their heads out of their asses, and technology is starting to become cool. Paris now has a few startup centres where the hyper-cool hang out, with a level of pretentiousness that puts San Francisco dot-commies to shame. There are a few other tech centres, but they don't have that entrepreneurial spirit. Grenoble has tons of hi tech, but is too distant and not wired. Sophia poses as hi tech, but the Riviera is still rural French work ethos meets tourist ripoff. You will have to learn fluent French, but your English will make you very valuable.
Belgium: There is a lot of hi tech starting up here. Cable and DSL are spreading around Brussels and east to Leuven, and a few other big cities. Brussels can be a fun place, it's home to the Commission, and employs many young, single women. The nightlife revolves around drinking, and most everyone speaks English.
Torino: Turin is becoming home to many hi tech companies as the automotive industries evolve. Italian is a must, though. But it is centrally located to the Alps and the Riviera.
Singapore: Tech heaven. Life is hell.
South Africa: Cape Town is the nicest, but Jo-burg has the connectivity.
Trinidad: will soon be getting more bandwidth, upgrades to the voice and datacomms infrastructure. The recent "awakening" by the government is boosting things right along. Standard disclaimer, you didn't hear that from me :-)
But the backwards nature of the island means your hacking skills will be put to the test. You get a huge ego boost when you get your comms up and running on the island. The locals are fairly well educated and willing to jump at any opportunity to work on an internet project, if it gives them the skills to get off the island for a few years.
On the down side, the ingrained corruption will slow you down and wear you down and teach you more about human interaction than you ever wanted to know.
From the article
... as Bastille does more and more, it has to ask a lot more questions! ... but it annoys some users who just want a quick fix. ... we're making "One Shot" configurations, where they can choose a sample configuration that matches their own and deploy that. While they miss a crucial part of securing the system (Secure the Admin!) they still get a safer system...
Secure the Admin means to educate the Admin on the tradeoffs between security and ease of use. As Pen said in the original post, Security is inversely proportional to convenience. Bastille takes the next step, and tries to educate as it undoes what the distros have done. Its easy to make a machine very secure, but you end up with a box nobody can use. With an under-educated Admin, it can be very tough to know what to turn on or off and why and how.
the AC
First step to securing a system is to secure the admin.
Then go to work securing the system.
Its a motto I've been living by, but it can be very frustrating at times when all someone wants is a big security switch. I tell them its the one marked [| O], the | means insecure, the O means Oversecure.
the AC
While peering at the dash, he pointed to the LCD monitors and asked "what are those hoochies?" I wish you could have seen the look on his face when we showed him the tiny color cameras. As we were about to drive off he asked us where we were from. I just looked Chris, looked back at the man, smiled and said "We are from the future."
:-) Its the kind of stunts we played on an unsuspecting and gullible public back in university.
This would have had even more effect if they had been dressed strangely. Maybe they were.
the AC
Ummmm, no.
As a non-american who has to work regularly in the US, I can tell you that if havenco starts breaking american laws, their american employees have two choices:
- get a good lawyer before setting foot in the US again
- never leave havenco until they die
The US also regularly prosecutes non-americans for crimes committed outside of the US. Mostly its drugs and tax dodging. Gambling will be a large enough issue to get included on the hot list.
Once they get their hands on you, expect a long stay at their expense.
the AC
Change it slightly. You are a dutch coffee shop owner. You sell some marijuana to some americans, and they get in trouble for it later, such as forgetting to empty their pockets before getting on the plane home. Now the FBI/DEA now have a dossier on you as a drug dealer.
What you have done is legal in the Netherlands, and what the americans did at the time was legal, lighting up in your coffee shop. What the americans did later was stupid and illegal.
Next time you set foot in the US, you are facing 10 years or more in a US prison.
I type this because I know one person this has happened, he gets released next year after the Dutch government brought pressure on the US. He'll have served 9 years in prison, even though he never sold drugs in the US. The idiots he sold to each got 25 years, and just got paroled after 10.
the AC
This should be a wakeup call for the hit and run web designer industry.
I've got a client whose websites are all hacked up e-commerce packages. Its really funny trying to navigate some of their internal sites. Everything has a shopping basket, and after you perform each action you procede to the checkout stand. This includes a website for inventory management and some basic groupware functions. To sign up for a meeting, you place it in your basket and check out. To retrieve your group's weekly work plan, you place the request in your basket and proceed to the check out function. To submit a helpdesk trouble ticket for a network problem, into the basket. When I have to find the list of open problems I cover, I have to add them to my basket before I can view them.
Despite a ton of complaints, most of the mangement think this is the only way the web can work. And the web developers skip out with a ton of money after a very short development cycle.
There are thousands of horror stories out there, its about time a company struck back at an incompetent group of web monkeys. With some legal prosecution of a few bad apples, the market will shake out the worst and web site design will become a little more sane.
the AC
The States could never have remained an integrated political and culture whole without advances such as telegraphy and the railroads ... ancient empires of comparable size were considerably less stable and considerably more decentralized.
The US did not remain integrated. There was a big and bloody civil war which started because communication between the seat of power in the north and the southern states was so limited. The south, rightly, claimed the north was ignoring its needs on many issues.
By the end of the war, telegraphy was starting to become widespread. The telegraph and introduction of a standard railroad guage in the US did more to heal the rift between the north and south than any politician's hollow promises.
The same holds true for the British Empire. It achieved its glory days before there was sufficient communication to sustain it. So it collapsed because the needs of each far-off colonial outpost couldn't be met in a timely manner by England. Much of the blame for lack of communication, navigation, economics and other things rests squarely on the shoulders of a very corrupt societal structure. There was a good movie on the search for longitude which highlighted this recently.
Is that off topic enough for a friday night?
the AC
Secondly, how does one get a bank of IP addresses these days?
Nobody owns their IP addresses. You rent them from an internet provider. Each provider rents from a provider further up the hierarchy.
At the top of the pile is the Internet Assigned Numbers Authority who have diced and sliced the existing IP address range into pieces, and given authority over those pieces to a handful of regional authorities. This keeps the inter-regional routing simple.
See this link for a description of the process.
The ICANN exists just to make the internet a confusing place. In confusion, there is profit!
the AC
To quote from the article
Goodlatte's bill would make it a federal crime -- punishable by up to four years in prison and fines of $20,000 or more -- to operate a Web site that accepts wagers from Americans.
So Havenco's american backers could all find themselves outlaws if they start to host online gambling that doesn't discriminate against sucker^H^H^H^H^Hpatrons in the US.
The article makes it clear, the bill has been written in a determinedly confusing way to allow for selective enforcement, and selective non-enforcement in the case of large campaign contributors. Politics as usual.
the AC
There was a band devolved from Billy Idol's Gen-X called Sigue Sigue Sputnik, had a few dance hit songs in about 1984.
:-)
Their tapes and albums had short ~10 second advertising blurbs between each track. The only ones I remember was for l'Oreal hair treatment, and there was one about a mens magazine which was out of business after about issue 3. If you know the band, you'll understand why they have hair care ads
I've heard some other bands do this too, as a way to suck more money out of their short lived careers. Some of the european teen pop one hit wonder bands recently have product placement all through their music and cover artwork. But I don't buy those albums.
the AC
It works quite well apparently.
Apparently, you haven't been stuck on the M25.
Theory has it the variable speed limits are more for regulating the flow heading towards the main spoke roads like the M1 and M4. Practice has it the rapidly changing speed limits are for revenue generation. When you see the limit change, you will see a dozen cops sitting on the side of the road after the next exit. Worse than those damnable cameras.
the AC
But its much easier to publish a policy saying you don't keep any log files more than 24 hours. Even if you don't bother deleting them except once a month or worse. But when that lawsuit comes your way, suddenly you come into compliance with the judge and show them the last 6 hours worth of logs only. "sorry judge, we automatically purge our logs ever few hours, and we have never kept a backup".
:-)
I don't have a vat of molten metal lying around in case law enforcement shows up at my door. Maybe next budget cycle
the AC
If a company were looking just for leads back to someone who had posted an annoying comment, an IP address and some other logged info would be a good starting point. No need to have it stand up in court, just enough to target the investigation on an individual. Other supporting evidence could then be collected, stuff that could stand up in court.
the AC
By posting a privacy policy on the web site, the company has entered into a legally binding contract with anyone who uses the site. It is the same with a bricks and mortar food shop putting up "sale" signs in their windows or in adverts in the paper. If they publish a price, they are bound to honor it. Only the occasional misprint is allowed, and most shops will honor misprints rather than risk their business license.
So glad to hear some sane news coming from out of America for a change.
the AC
The dispute will more likely center on the "X millions of dollars" part. Does this cover salaries for fixing the system? Revenue lost because of downtime? Upgrading software to more secure versions?
When an insurance policy is granted, the company will have in place a well written procedure detailing exactly how each system will be fixed in case of a cracking incident. That will include an estimate of hours to reload the OS from scratch, and then recover the system configuration and data from backup tapes. The policy will specify how much will be paid for recovering a system after a crack, what the losses per hour for the loss of functionality, and whether a consultant can be paid to further secure the machine after the attack.
If a system is critical to a company's well-being, then it becomes cheaper to buy some hot standby systems ready to be switched in almost immediately. Of course, this increases the cost of a system by 4x to 10x or more. Somebody does the math, and figures out which will be cheaper, a second system, or a few hours downtime of the system.
the AC
Va/handover/slashdot would immediately comply with a court order. They are a publicly held company. To do otherwise would open them up to being held in contempt of court, or under the new DMCA laws, held equally responsible for any criminal or civil charges brought against the anonymous coward once identified.
/. post a much clearer policy on how they purge web logs every day or so, and never make backups of the web log directories. This would make lawyers think twice about trying to subpoena the info if it is clearly stated it is deleted at the end of every day. As it stands, they are certainly collecting all the info they can on users, even anonCowards, to sell to their marketing masters.
That is why I never post anything objectionable, even using an alias pointing to a throwaway mail service. All along the way, websites are tracking everything they can about me: IP address, machine name, OS type, browser type, cookies. As a network guru, it is child's play to trace people on the net when they piss me off.
Truly anonymising TCP connections is very difficult, so I save that for the really important rants.
I'd like to see
the AC
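The two points the poster makes above (a site logs IP address, browser, OS and cookies on every hit, and a short, stated retention period is what limits what a subpoena can reach) can be shown concretely. The following is an added example written for this page, not code from the poster or from Slashdot: it parses a constructed Apache-style combined log with a trailing Cookie field (an assumed layout), extracts the identifying fields a tracker would keep, and applies a purge-after-N-days retention rule. The sample lines, the IP addresses and the user-agent strings are all made up for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed log layout: Apache "combined" format with the request's Cookie header
# appended as a final quoted field. Constructed for this example only.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines (RFC 5737 documentation addresses, invented cookies).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2000:10:15:32 +0000] "POST /comments.pl HTTP/1.0" 200 512 "http://slashdot.org/article.pl?sid=1" "Mozilla/4.72 [en] (X11; U; Linux 2.2.14 i686)" "user=anon; session=abc123"
198.51.100.22 - - [06/Jun/2000:23:59:59 +0000] "GET /index.pl HTTP/1.1" 200 20480 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" "-"
"""

# Fixed "current time" so the retention demo is reproducible (assumption).
NOW = datetime(2000, 6, 7, tzinfo=timezone.utc)


def _parse_cookie(raw: str) -> dict:
    """Turn 'a=1; b=2' into a dict; '-' (no Cookie header) becomes {}."""
    if raw == "-":
        return {}
    return dict(part.strip().split("=", 1) for part in raw.split(";") if "=" in part)


def _guess_platform(ua: str) -> tuple:
    """Crude OS/browser fingerprint from the User-Agent string.

    Order matters: IE identifies itself as 'Mozilla/4.0 (compatible; MSIE ...)',
    so the MSIE check has to come before the generic Mozilla check.
    """
    if "Linux" in ua:
        os_name = "Linux"
    elif "Windows" in ua:
        os_name = "Windows"
    elif "Mac" in ua:
        os_name = "Mac OS"
    else:
        os_name = "unknown"
    if "MSIE" in ua:
        browser = "Internet Explorer"
    elif ua.startswith("Mozilla/"):
        browser = "Netscape/Mozilla"
    else:
        browser = "unknown"
    return os_name, browser


def parse_line(line: str) -> dict:
    """Extract the fields a site operator would hand over: who, when, from what."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    os_name, browser = _guess_platform(m.group("ua"))
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "request": m.group("req"),
        "ua": m.group("ua"),
        "os": os_name,
        "browser": browser,
        "cookie": _parse_cookie(m.group("cookie")),
    }


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log file body."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def purge_older_than(records: list, now: datetime, retain_days: int) -> list:
    """Retention rule: keep only records newer than now - retain_days.

    Anything returned is what a subpoena served today could still obtain;
    anything dropped is gone (assuming, as the poster asks, no backups).
    """
    cutoff = now - timedelta(days=retain_days)
    return [r for r in records if r["ts"] >= cutoff]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["ip"], r["ts"].isoformat(), r["os"], r["browser"], r["cookie"])
    kept = purge_older_than(recs, NOW, 1)
    print("retained after 1-day purge:", [r["ip"] for r in kept])
```

With a one-day retention the 5 June hit is gone by 7 June while the 6 June hit is still on disk, which is exactly the distinction a clearly published purge schedule would make visible to anyone considering a subpoena.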
Almost exactly how this works!
:-)
This insurance has been available for several years, usually tacked onto an existing data center loss prevention policy. This is a press release to show how our beloved Bruce Schneier has become a partner with a big insurance house.
The insurance company will require at least two audits, the first to determine the policies and attitudes of the management, and to locate holes in enforcement of a good security policy. After the fixes have been made, the second audit will show whether the management can accommodate the change necessary to implement a proper security policy. It's more about attitude than open ports.
There are several parts to the audit. The hack/crack part does all the usual stuff, such as wardialing the whole company looking for unauthorised modems, running customised exploit scripts and custom versions of ISS and nmap. They also make sure every system connected to the network is documented, and they log on to every server and check the security from inside as well.
There's a bunch of naff stuff going on at the same time like policy audits and background checks on all the IT staff and secretaries. In the end there is a big report, and a security score based on it determines your policy rate.
The policy holder sometimes puts a security consultant on the site for a while, to monitor the state of the network and how well the IT idiots follow the required security policy.
The whole exercise is to raise the bar against script k1dd13s, and give the shareholders a warm and fuzzy feeling. It also gives the lawyers a defence if a cracker does damage and the company gets sued.
What Counterpane is probably doing is either renting out some tiger teams or training up some in-house teams to use their custom made tools.
the AC
I regularly monitor OC-3, 12 & 48 traffic. Not all of it, but the parts causing trouble. Sometimes the streams are ATM carrying internet traffic, sometimes the streams are DS0s carrying voice. If I were to switch a copy of a DS0 PVC to a voice card, I could listen to someone's conversation. When I copy an ATM stream to a separate port, I can monitor all that data traffic without any interruption.
:-)
But this capability exists only at a few critical junctions, where we need to debug our streams. It doesn't exist at all points in the network, that would be too expensive to implement.
The CALEA (US) and RIP (UK) laws are trying to force service providers and telephone companies to install additional switches at key points, which only law enforcement could control. This would allow them to monitor any traffic they wanted to, without having to bother us technical people to take a few minutes to copy a stream to a monitoring port for them. We might ask to see a valid court order or something.
The problem from my point of view is that we have a hard enough time keeping the whole system running without having law enforcement controlling one link in the chain. We have problems on a daily basis, and we can do anything necessary to any piece of equipment to restore service. If we had to coordinate with an FBI/MI5 agent before tracing a faulty circuit, outages would go from a few minutes to a few days. Finger pointing would become commonplace.
the AC
This is cool. Bloatware for the hellofit.
:-)
These programmers are building an entire computing environment (XML in a browser) which runs inside of another computing environment (classic OS), and then re-writing a game to show how they can now work entirely inside of Mozilla and never have to leave the browser environment.
This is yet another example of how the computer, the OS, the applications, and the network are all starting to become interchangeable. It goes one step closer to Bill Gates's assertion that the browser belongs inside the OS, but it also shows that a sufficiently bloated browser can replace the OS.
Now they just have to write some compilers and libraries in XML, and we'll never have to leave our browser environments again. Ooops, that's emacs. Sorry.
the AC
Last night on the news there was a NASA interview, mostly about some other things, but they also asked the guy about the breakins.
His response, paraphrased, was "That was completely outside of NASA, the data was being sent from internal machines out to some medical researchers. It was their machine which had the problem, not NASA. The shuttle ground control computers are not hooked to the internet in any way."
Since this wasn't a spokesdroid, I'd give it a shred of credibility. I know NASA has been employing tiger teams to probe their security, and they've been shopping around for security firms to independently audit their review of internal security. Sounds like they want to make sure they have an air gap around their life critical systems, so they can clearly dispute such panic mongering headlines as these.
the AC
All Intel has to do is cut prices to squeeze transmeta out of the market
You beat me to it. This is true, except for the fact that Intel would become the DoJ's next illegal monopoly target. It doesn't matter if there are a few other competitors such as AMD. If Intel were to slash prices until transmeta died, and then raised prices very high, the DoJ would be all over them.
I like the idea the DoJ is starting to investigate many large US corporations for aggressive tactics to hurt their competition. Certainly Intel has been under investigation several times in the last few years, and each time they have promised to change their ways. And they've sincerely changed enough after getting their hand slapped. They don't want to get hauled to court and get engaged in a fight to the death like micros~1 is doing.
Also, the knowledge transmeta has collected would not instantly cease to exist. The knowledge would resurface inside another Intel competitor, better funded and ready to do battle. So it is not in Intel's best interests to obliterate small competitors like transmeta, just try to corral them.
the AC
This is not so hypothetical as it sounds. The US is well known for extending its laws over the entire world. It regularly makes deals with other countries for "expedited extradition" in picking up suspected criminals. After the bombings of some US embassies in Africa a few years ago, every suspect arrested in African countries was taken by local police to the airport and placed on waiting US military planes, and they awoke in a jail in the US. No local hearings, due process, or even the ability to contact a lawyer locally.
I wish I had had the time to pose some well thought out questions when this topic first appeared. I don't doubt their physical security, but I am worried about what happens if the US or Britain decide to issue arrest warrants. If Britain decides that HavenCo is storing some data on IRA paramilitaries who don't agree with the peace process, the ex-militaries guarding the tower are not going to stand in the way of a Special Branch/SAS team dropping onto their flight deck.
What happens to Ryan and his American friends if a US judge rules them in contempt of court for refusing to pull a dangerous web site? Do they spend the rest of their days on a tiny platform in the North Sea, knowing the moment they set foot in the UK or Holland they will be arrested and extradited? Do they have legal counsel in both the US and the UK standing by to defend them in their home countries, where they are still bound to obey the law, despite HavenCo's vague declaration of sovereignty?
Once they break some American laws and get a judge upset at them, it will get nasty. When their assets get frozen, then it's all over for all their clients. But it should be fun while it lasts.
Those were some of the questions I would have liked to see answered, but mostly I want to know about their peering arrangements and their cool routing infrastructure.
the AC
I was wondering about the funny score as well. But since I'm a serious karma whore, I'll take what I can get.
:-)
Yup, this article didn't deserve a precious post on Slashdot. By posting this worthless troll, a Jon Katz article may have been rejected. What a shame.
the funny AC
I've lived all over the place searching out hi tech jobs. For outside the US, here is my list in order of techiness, not in order of livability.
London and M4 corridor: Without a doubt the hi-tech consumption leader outside the US. London has the City, with its outrageous salaries and rents to match. All the tech companies stretch out towards the west, following the M4 motorway. Best nightlife in Europe, and traffic sucks.
Dublin: Lots of development following the dual carriageways north, south, and west from the city. The nightlife is friendly but muted and it ends too early for my tastes. Home of Guinness.
Netherlands: Several areas around the Netherlands are good for technology. Utrecht is a university town, so the tech is good but the salaries are bad. Cable and DSL are appearing all over the place. Amsterdam has good tech, and Rotterdam is starting to take off despite it being a big ugly port city.
France: The Frenchies are starting to pull their heads out of their asses, and technology is starting to become cool. Paris now has a few startup centres where the hyper-cool hang out, with a level of pretentiousness that puts San Francisco dot-commies to shame. There are a few other tech centres, but they don't have that entrepreneurial spirit. Grenoble has tons of hi tech, but is too distant and not wired. Sophia poses as hi tech, but the Riviera is still rural French work ethos meets tourist ripoff. You will have to learn fluent French, but your English will make you very valuable.
Belgium: There is a lot of hi tech starting up here. Cable and DSL are spreading around Brussels and east to Leuven, and a few other big cities. Brussels can be a fun place, it's home to the Commission, and employs many young, single women. The nightlife revolves around drinking, and most everyone speaks English.
Torino: Turin is becoming home to many hi tech companies as the automotive industries evolve. Italian is a must, though. But it is centrally located to the Alps and the Riviera.
Singapore: Tech heaven. Life is hell.
South Africa: Cape Town is the nicest, but Jo'burg has the connectivity.
the AC
Trinidad will soon be getting more bandwidth, upgrades to the voice and datacomms infrastructure. The recent "awakening" by the government is boosting things right along. Standard disclaimer, you didn't hear that from me :-)
But the backwards nature of the island means your hacking skills will be put to the test. You get a huge ego boost when you get your comms up and running on the island. The locals are fairly well educated and willing to jump at any opportunity to work on an internet project, if it gives them the skills to get off the island for a few years.
On the down side, the ingrained corruption will slow you down and wear you down and teach you more about human interaction than you ever wanted to know.
the AC