First of all, this may not be the best forum in the world to ask such a question (just read some of the other lame "funny" replies) but since you asked, I'm assuming you're looking for an answer from someone who actually works with this things on a daily basis and will be able to provide some insight.
The hardware on the computer does have to meet certain requirements but they're not really "set in stone". At my work, we typically use off-the-shelf Dell computers and then do some modifications to support removable hard drives on the systems. Additionally, you'll probably need to lock down all writeable removable media drives (think floppy and zip drive locks) as well as disabling USB and any built-in network interfaces, at least in the BIOS but possibly also with some stickers or physical locking devices. You'll have to work with your DIS person who approves the final system configuration to really hammer out the details and get it set the way he/she wants it to be set.
That being said, the only service I've seen Dell offer is their "Custom Factory Integration" program where they will install the removable hard drive chassis for you. Depending on the number of systems you need to support, it may be cheaper to have them do it at the factory than to do it yourself. One issue I had which caused us to do the removable drive install ourselves was the fact that we have multiple drives per system and needed extra drive trays but couldn't get information from Dell regarding the actual manufacturer of the trays nor pricing on additional units. It was just less hassle for us to purchase the removable kits ourselves.
As far as software, I believe another poster already mentioned some of the basic configuration requirements. Yes, you'll need to make sure you're pretty good on locking down Windows (I'm assuming your running Windows since you mentioned SolidWorks - BTW, SW2006 sucks configuring it to run with a non-admin user account). Auditing on certain directories is most likely going to be a requirement as well as a documented review and archive process for the system event logs. Backups are another process that will need to be done on a regular basis. Be prepared for this to eat into alot of your time since all these tasks pretty much have to be done manually since you can't have network connectivity.
If you've got any more questions, feel free to drop me an e-mail and I'll try to help you work through any issues. And don't mind any of the other sarcastic bastards posting here... I've seen the level of documentation the government gives for setting up secure systems and most of it is pretty f'ing obtuse. Best to get advice from someone who's done it before (and obviously double-check with your FSO and DIS officer).
Perhaps Microsoft should include an option, like 'Prepare this computer for resale,' which utterly destroys all data."
Well, as soon as I see a Linux distribution that offers a similiar option (i.e. point, click, destroy all user home directories), then we can start throwing stones at MS.
Realistically, it's not necessarily a bad idea to keep everything in a standardized directory but to make sure that it is encrypted with a user-prompted password to prevent malicious software from randomly going through it without permissions/authorization/consent.
I'm a IT Manager for a Fortune 100 defense contractor and we do the same kind of rotation with our backups. However, e-mail server backups are on a different retention period - 30 days minimum, 60 days maximum. If the e-mail is considered a "business record" then it is to be exported to a different format or printed out as a hard copy.
From what I can tell, if MS is just following their own internal policy, then there is no wrongdoing here.
The main reason behind limited e-mail server backups is for exactly this reason. Why leave yourself vulnerable to some company suing you and having the court force you to go back years and years to get all old e-mails that may have been exchanged? There is no legal requirement to keep archives of e-mail communications (in most cases) so it's just an unnecessary business risk, IMO, to keep them longer than necessary.
It seems to me that Mr. Langa has a valid beef with his commercial Linux distribution vendor. To pay money for a product that claims to support his chipset but doesn't, well, that would not make anyone a happy camper.
So what do we do about this as a community? We can join the individuals on his discussion forum in calling him names and blaming the problem on everything other than the actual lack of Linux compatibility for this sound card. But how is bringing ourselves to that level helping anyone out?
I think the deeper message one can gain from this story is that Linux distributions are currently in a catch-22 (or chicken-and-the-egg, if you prefer) situation. There aren't enough development resources to go around and write drivers from scratch for every sound card, especially if the manufacturer is less than forthcoming with technical information about the hardware. So, the ideal situation (from the OSS community's standpoint) is to have the manufacturers write and include Linux drivers with their hardware. However, manufacturers aren't going to commit the resources (read: money) to develop those drivers unless there is a demonstrable benefit to their bottom-line. And while we may have demonstrated a benefit to _some_ manufacturers, obviously we haven't shown one to _all_ of them or else we wouldn't be having these problems.
I've had some experience with the Adaptec 1200A RAID controllers. I was planning on using them in about 5 workgroup file servers I support.
After I purchased them, I noticed that Adaptec's website says that Linux is not supported and they don't offer any drivers for this base-model card. However, if you investigate a little further, you find that the Adaptec cards use the Highpoint HPT372A chipset which IS supported under Linux. The drivers worked fine on a stock RH8 install and the GUI tools for RAID monitoring are exactly the same ones you get in Windows. You can download the drivers at Highpoint's website.
I emailed their support guys and told them they should at least provide a link to Highpoint's site so people that want Linux drivers for the card can be serviced. They replied and told me that Highpoint had provided them the stock Linux drivers for the chipset and they just haven't gotten around to actually customizing them, and that, in the mean time, they would just recommend people bump up to the next higher model RAID controller they sell.
Another caveat if you are planning on purchasing these cards is that they are only 5V PCI cards, not dual 3.3v and 5v or just 3.3v. Ergo, they don't work on some newer motherboards (like the Intel boards that come with the base-model Dell Poweredge 600SC server). I found this out the hard way and ended up going with 3Ware's Escalade cards which I've been happy with.
After reading the article and the discussions posted on the CounterPane site, everyone seems to be harping on the same issues over and over again.
First of all, people are using really bad analogies to try and prove their point but I think they're just missing what exactly Mr. Mullen is trying to say. Breaking into peoples houses, loud dogs barking, and slapping your neighbor's kid for mouthing off are just some examples of these (IMHO) "flawed" analogies.
I don't think you need an analogy to understand the situation. When is it ever LEGAL to be an unauthorized intruder in someone else's computer system? That's right, never. (If you have permission, it's not unauthorized. If you own it, it's not someone else's.)
The reasoning behind this proposal is to allow the "victims" of a "relentless attack on their network" the right to "neutralize a worm process running on the infected system". "Neutralize", in this context, can basically be read as "obtain unauthorized access to the infected system and terminate", presumably by exploiting some vulnerability in the system (since most modern OS's do not allow anonymous people to just terminate processes at will). However, in doing so, the "victim" here is assuming the role of an unauthorized intruder and thus breaking the law. And there's a damn good reason why things are set up like that (at least in the US).
Hell, even the police (supposedly), need a search warrant or permission to access your computer systems and read your data. Why would I want to give that ability to every "administrator" that hooks a system up to the internet just because they don't like the data that my computer is sending to theirs? If they don't like it, they have several available options including contacting my ISP to shut off my service, contacting their ISP to block my address at their upstream router, or (in the case of criminal actions) contacting the police. If what my computer is doing is not a criminal act, and neither my ISP nor theirs wants to act on it, maybe they need to find a new ISP or maybe what I'm doing is not a large enough nuisance for anyone except the "victim" to care.
Another problem with this proposal is what exactly constitutes a "relentless attack"? What about an attack that isn't relentless? What about unsolicitied commerical email (aka SPAM)? Who gets to say whether something is an "attack" or not? There is way too much "grey area" there for any sane person to just blindly give out ROOT LEVEL ACCESS to their systems based on such a statement (killing arbitrary processes is definately a root-level operation).
From his original paper, I found the following paragraph particularly troubling:
I say that we have the right to defend our systems from blatant worm attacks, and that we are within our rights to take measures to stop an attacking system from further infringing on our assets, consuming system resources and service availability, and from their ultimate attempt to compromise our systems.
He's talking about "Code Red" and "Nimda" specifically so I'll use those examples also. When you hook a web server up to the publically accessible internet, you are implicitly allowing other systems to send HTTP requests to you over port 80. How you can say that certain requests are "infringing on [y]our assets" is beyond me, but then again, I don't agree with much of the logic of Mr. Mullen's argument. And, yes, each request consumes system resources and if you get enough of them, it could affect the service availability of your web server. However, by putting up a web server, you are implicitly allowing such requests. As far as their "ultimate attempt to compromise our systems", that is a legal matter and should be tracked and referred to the police. You don't have the resources to do that? Well, how important is it for you that the "attacks" stop?
Sorry, Mr. Mullen, but I disagree with your proposal and your opinion that you should have the right to access my computer system without my authorization. Let's leave this up to the authorities and just worry about securing our own systems. Your "right" to defend your system/network from worms stops at my system/network.
I am the network administrator for a small R&D company with approximately 50 workstations.
I started almost one year ago and the way backups were done before was horrible. Someone from IT would go around with a tape drive and backup up EACH AND EVERY workstation manually. And they would backup EVERYTHING, which obviously includes a lot of redundant data (operating system files, program files, etc.).
Anyways, since everyone logs into an NT domain now (thanks to Samba), I can put pretty much whatever I want into their login scripts. I've set it up so that once a day when they log into their workstation, all the data that is in C:\DATA gets rsync'd to a personal backup share on the server. The directory on the backup share is of the format -, which takes into account the fact that I COULD log in from someone else's computer and I don't want a backup to be done unless I'm logging in from my primary workstation.
Basically, I have it set up in the login script generation script so that it looks for the existance of a directory with the above format in the/home/backups directory, and if it exists, it puts the instructions in the login script to do a rsync backup. Otherwise, it looks for a "flag" file that matches - in/home/backups/flags, and if it is there, it puts in the login script to connect to the root of the backups share and make a directory - and just do a straight XCOPY of the C:\DATA directory to the server. After the inital backup is completed, the next time they log in they will use rsync to synchronize the two.
It's actually not that difficult at all and was done completely with free software. All users have the ability to save documents to their local hard drives so they have quick access to their stuff, and if a hard drive dies, they lose AT MOST whatever they worked on that day. All the users have access to a personal 7-day rotating incremental backup (look on the rsync website for more info of how to do that) so if they accidently delete a file, they can get it back themselves without contacting me. If it's out of their rotating backup already, then I can pull it off the main server tapes (which gets a monthly full backup and daily incrementals).
I prefer this system rather than trying to teach all the users to save everything to the network. Especially with only 1 admin, if there was a problem with the network or the server, I don't want ALL the work in the entire company to grind to a halt. Of course, we're running FreeBSD so the uptime and stability of the server has been very commendable.
The biggest developments are around email prevention, experts say. Elaborate content filtering software, which can run upwards of $30,000 to install, can block all but the tamest incoming emails, and most attachments, said Trend Micro's Genes. ... But instituting these new security measures can be a costly and labor-intensive investment, experts say, likely discouraging firms with meager IT budgets from upgrading beyond the status quo. "It's a question of resources," said a spokeswoman at UK-based Sophos Anti-Virus. "If you have one or two guys implementing IT at your organization, it's not going to make much sense."
What a crock... I am a network administrator (and basically the ONLY IT employee) for a small company of about 50 people and using some procmail scripts on our FreeBSD mail server, have been able to accomplish this with probably about 3 hours total of set up time. For those interested, here's a URL to a FREE solution to blocking e-mail attachments based on extensions, filenames, and even content (it can scan for Office document macros). Procmail Security
Since I've been there, we've had absolutely ZERO e-mail based viruses/worms that penetrated the desktop through our mail server (One did get through but that was through an executive's AOL account...)
So far, most employees have been very cooperative towards the policy and are grateful that they don't have to be so worried when they read about e-mail viruses going around because the server automatically mangles or quarantines viruses that match the ruleset we implemented.
At my company, we've implemented a mail filtering system (with procmail) that automatically mangles certain "dangerous" extensions. This way, the user can't just open the attachment directly, but instead must save it someone on their hard drive, rename it, and THEN run it. These extra steps usually make them give pause to the fact that MAYBE they really shouldn't be opening this attachment if they don't know who's sending them it. Also, they get to see the whole name of it when they are opening it since alot of mail clients will cut off the extension and just show "..." at the end if the filename is too long. We've just implemented this about 3 weeks ago and although we were physically sent the Goner worm, no one actually ran it because e-mail alerts had already been issued and because of the filtering at the server level.
IMHO, this Napster "pay-per-month" subscription model has very little chance of commercial success for several reasons.
1) The user base has already migrated to better networks (i.e. Kazaa, Morpheus, etc). The content available through these networks is free (as in beer) so it really makes no sense why everyone would "jump" back on Napster to pay for this very same content.
2) The whole idea of community and sharing is what made Napster popular. You were (by default in the software) sharing your music files with others in exchange for getting music files from them. The users provide the bandwidth, the storage, and the content. What exactly Napster would be providing in this "new business model", besides a simple directory service, is beyond me. Is Napster going to host MP3's on fast, high-availability servers and actually shell out some cash for bandwidth and storage space? Or is this another "let's charge for stuff that other people are giving away for free" business model?
I really don't see why anyone would pay to share their music files especially when there are better alternatives and really Napster isn't providing anything in exchange for that $10 (or whatever it may be) monthly fee. Plus, in the mind of most of my peers (college students), Napster has "sold-out" to the music industry and is probably the LAST place anyone would go to get music on the 'net.
I know they certainly won't be getting a dime from me.
Slashdot Mirror
First of all, this may not be the best forum in the world to ask such a question (just read some of the other lame "funny" replies) but since you asked, I'm assuming you're looking for an answer from someone who actually works with this things on a daily basis and will be able to provide some insight.
The hardware on the computer does have to meet certain requirements but they're not really "set in stone". At my work, we typically use off-the-shelf Dell computers and then do some modifications to support removable hard drives on the systems. Additionally, you'll probably need to lock down all writeable removable media drives (think floppy and zip drive locks) as well as disabling USB and any built-in network interfaces, at least in the BIOS but possibly also with some stickers or physical locking devices. You'll have to work with your DIS person who approves the final system configuration to really hammer out the details and get it set the way he/she wants it to be set.
That being said, the only service I've seen Dell offer is their "Custom Factory Integration" program where they will install the removable hard drive chassis for you. Depending on the number of systems you need to support, it may be cheaper to have them do it at the factory than to do it yourself. One issue I had which caused us to do the removable drive install ourselves was the fact that we have multiple drives per system and needed extra drive trays but couldn't get information from Dell regarding the actual manufacturer of the trays nor pricing on additional units. It was just less hassle for us to purchase the removable kits ourselves.
As far as software, I believe another poster already mentioned some of the basic configuration requirements. Yes, you'll need to make sure you're pretty good on locking down Windows (I'm assuming your running Windows since you mentioned SolidWorks - BTW, SW2006 sucks configuring it to run with a non-admin user account). Auditing on certain directories is most likely going to be a requirement as well as a documented review and archive process for the system event logs. Backups are another process that will need to be done on a regular basis. Be prepared for this to eat into alot of your time since all these tasks pretty much have to be done manually since you can't have network connectivity.
If you've got any more questions, feel free to drop me an e-mail and I'll try to help you work through any issues. And don't mind any of the other sarcastic bastards posting here... I've seen the level of documentation the government gives for setting up secure systems and most of it is pretty f'ing obtuse. Best to get advice from someone who's done it before (and obviously double-check with your FSO and DIS officer).
Best of luck...
Perhaps Microsoft should include an option, like 'Prepare this computer for resale,' which utterly destroys all data."
Well, as soon as I see a Linux distribution that offers a similiar option (i.e. point, click, destroy all user home directories), then we can start throwing stones at MS.
Realistically, it's not necessarily a bad idea to keep everything in a standardized directory but to make sure that it is encrypted with a user-prompted password to prevent malicious software from randomly going through it without permissions/authorization/consent.
I'm a IT Manager for a Fortune 100 defense contractor and we do the same kind of rotation with our backups. However, e-mail server backups are on a different retention period - 30 days minimum, 60 days maximum. If the e-mail is considered a "business record" then it is to be exported to a different format or printed out as a hard copy.
From what I can tell, if MS is just following their own internal policy, then there is no wrongdoing here.
The main reason behind limited e-mail server backups is for exactly this reason. Why leave yourself vulnerable to some company suing you and having the court force you to go back years and years to get all old e-mails that may have been exchanged? There is no legal requirement to keep archives of e-mail communications (in most cases) so it's just an unnecessary business risk, IMO, to keep them longer than necessary.
It seems to me that Mr. Langa has a valid beef with his commercial Linux distribution vendor. To pay money for a product that claims to support his chipset but doesn't, well, that would not make anyone a happy camper.
So what do we do about this as a community? We can join the individuals on his discussion forum in calling him names and blaming the problem on everything other than the actual lack of Linux compatibility for this sound card. But how is bringing ourselves to that level helping anyone out?
I think the deeper message one can gain from this story is that Linux distributions are currently in a catch-22 (or chicken-and-the-egg, if you prefer) situation. There aren't enough development resources to go around and write drivers from scratch for every sound card, especially if the manufacturer is less than forthcoming with technical information about the hardware. So, the ideal situation (from the OSS community's standpoint) is to have the manufacturers write and include Linux drivers with their hardware. However, manufacturers aren't going to commit the resources (read: money) to develop those drivers unless there is a demonstrable benefit to their bottom-line. And while we may have demonstrated a benefit to _some_ manufacturers, obviously we haven't shown one to _all_ of them or else we wouldn't be having these problems.
I really don't have the answer to this...
I've had some experience with the Adaptec 1200A RAID controllers. I was planning on using them in about 5 workgroup file servers I support.
After I purchased them, I noticed that Adaptec's website says that Linux is not supported and they don't offer any drivers for this base-model card. However, if you investigate a little further, you find that the Adaptec cards use the Highpoint HPT372A chipset which IS supported under Linux. The drivers worked fine on a stock RH8 install and the GUI tools for RAID monitoring are exactly the same ones you get in Windows. You can download the drivers at Highpoint's website.
I emailed their support guys and told them they should at least provide a link to Highpoint's site so people that want Linux drivers for the card can be serviced. They replied and told me that Highpoint had provided them the stock Linux drivers for the chipset and they just haven't gotten around to actually customizing them, and that, in the mean time, they would just recommend people bump up to the next higher model RAID controller they sell.
Another caveat if you are planning on purchasing these cards is that they are only 5V PCI cards, not dual 3.3v and 5v or just 3.3v. Ergo, they don't work on some newer motherboards (like the Intel boards that come with the base-model Dell Poweredge 600SC server). I found this out the hard way and ended up going with 3Ware's Escalade cards which I've been happy with.
After reading the article and the discussions posted on the CounterPane site, everyone seems to be harping on the same issues over and over again.
First of all, people are using really bad analogies to try and prove their point but I think they're just missing what exactly Mr. Mullen is trying to say. Breaking into peoples houses, loud dogs barking, and slapping your neighbor's kid for mouthing off are just some examples of these (IMHO) "flawed" analogies.
I don't think you need an analogy to understand the situation. When is it ever LEGAL to be an unauthorized intruder in someone else's computer system? That's right, never. (If you have permission, it's not unauthorized. If you own it, it's not someone else's.)
The reasoning behind this proposal is to allow the "victims" of a "relentless attack on their network" the right to "neutralize a worm process running on the infected system". "Neutralize", in this context, can basically be read as "obtain unauthorized access to the infected system and terminate", presumably by exploiting some vulnerability in the system (since most modern OS's do not allow anonymous people to just terminate processes at will). However, in doing so, the "victim" here is assuming the role of an unauthorized intruder and thus breaking the law. And there's a damn good reason why things are set up like that (at least in the US).
Hell, even the police (supposedly), need a search warrant or permission to access your computer systems and read your data. Why would I want to give that ability to every "administrator" that hooks a system up to the internet just because they don't like the data that my computer is sending to theirs? If they don't like it, they have several available options including contacting my ISP to shut off my service, contacting their ISP to block my address at their upstream router, or (in the case of criminal actions) contacting the police. If what my computer is doing is not a criminal act, and neither my ISP nor theirs wants to act on it, maybe they need to find a new ISP or maybe what I'm doing is not a large enough nuisance for anyone except the "victim" to care.
Another problem with this proposal is what exactly constitutes a "relentless attack"? What about an attack that isn't relentless? What about unsolicitied commerical email (aka SPAM)? Who gets to say whether something is an "attack" or not? There is way too much "grey area" there for any sane person to just blindly give out ROOT LEVEL ACCESS to their systems based on such a statement (killing arbitrary processes is definately a root-level operation).
From his original paper, I found the following paragraph particularly troubling:
I say that we have the right to defend our systems from blatant worm attacks, and that we are within our rights to take measures to stop an attacking system from further infringing on our assets, consuming system resources and service availability, and from their ultimate attempt to compromise our systems.
He's talking about "Code Red" and "Nimda" specifically so I'll use those examples also. When you hook a web server up to the publically accessible internet, you are implicitly allowing other systems to send HTTP requests to you over port 80. How you can say that certain requests are "infringing on [y]our assets" is beyond me, but then again, I don't agree with much of the logic of Mr. Mullen's argument. And, yes, each request consumes system resources and if you get enough of them, it could affect the service availability of your web server. However, by putting up a web server, you are implicitly allowing such requests. As far as their "ultimate attempt to compromise our systems", that is a legal matter and should be tracked and referred to the police. You don't have the resources to do that? Well, how important is it for you that the "attacks" stop?
Sorry, Mr. Mullen, but I disagree with your proposal and your opinion that you should have the right to access my computer system without my authorization. Let's leave this up to the authorities and just worry about securing our own systems. Your "right" to defend your system/network from worms stops at my system/network.
I am the network administrator for a small R&D company with approximately 50 workstations.
/home/backups directory, and if it exists, it puts the instructions in the login script to do a rsync backup. Otherwise, it looks for a "flag" file that matches - in /home/backups/flags, and if it is there, it puts in the login script to connect to the root of the backups share and make a directory - and just do a straight XCOPY of the C:\DATA directory to the server. After the inital backup is completed, the next time they log in they will use rsync to synchronize the two.
I started almost one year ago and the way backups were done before was horrible. Someone from IT would go around with a tape drive and backup up EACH AND EVERY workstation manually. And they would backup EVERYTHING, which obviously includes a lot of redundant data (operating system files, program files, etc.).
Anyways, since everyone logs into an NT domain now (thanks to Samba), I can put pretty much whatever I want into their login scripts. I've set it up so that once a day when they log into their workstation, all the data that is in C:\DATA gets rsync'd to a personal backup share on the server. The directory on the backup share is of the format -, which takes into account the fact that I COULD log in from someone else's computer and I don't want a backup to be done unless I'm logging in from my primary workstation.
Basically, I have it set up in the login script generation script so that it looks for the existance of a directory with the above format in the
It's actually not that difficult at all and was done completely with free software. All users have the ability to save documents to their local hard drives so they have quick access to their stuff, and if a hard drive dies, they lose AT MOST whatever they worked on that day. All the users have access to a personal 7-day rotating incremental backup (look on the rsync website for more info of how to do that) so if they accidently delete a file, they can get it back themselves without contacting me. If it's out of their rotating backup already, then I can pull it off the main server tapes (which gets a monthly full backup and daily incrementals).
I prefer this system rather than trying to teach all the users to save everything to the network. Especially with only 1 admin, if there was a problem with the network or the server, I don't want ALL the work in the entire company to grind to a halt. Of course, we're running FreeBSD so the uptime and stability of the server has been very commendable.
From the article:
The biggest developments are around email prevention, experts say. Elaborate content filtering software, which can run upwards of $30,000 to install, can block all but the tamest incoming emails, and most attachments, said Trend Micro's Genes.
...
But instituting these new security measures can be a costly and labor-intensive investment, experts say, likely discouraging firms with meager IT budgets from upgrading beyond the status quo. "It's a question of resources," said a spokeswoman at UK-based Sophos Anti-Virus. "If you have one or two guys implementing IT at your organization, it's not going to make much sense."
What a crock... I am a network administrator (and basically the ONLY IT employee) for a small company of about 50 people and using some procmail scripts on our FreeBSD mail server, have been able to accomplish this with probably about 3 hours total of set up time. For those interested, here's a URL to a FREE solution to blocking e-mail attachments based on extensions, filenames, and even content (it can scan for Office document macros). Procmail Security
Since I've been there, we've had absolutely ZERO e-mail based viruses/worms that penetrated the desktop through our mail server (One did get through but that was through an executive's AOL account...)
So far, most employees have been very cooperative towards the policy and are grateful that they don't have to be so worried when they read about e-mail viruses going around because the server automatically mangles or quarantines viruses that match the ruleset we implemented.
At my company, we've implemented a mail filtering system (with procmail) that automatically mangles certain "dangerous" extensions. This way, the user can't just open the attachment directly, but instead must save it someone on their hard drive, rename it, and THEN run it. These extra steps usually make them give pause to the fact that MAYBE they really shouldn't be opening this attachment if they don't know who's sending them it. Also, they get to see the whole name of it when they are opening it since alot of mail clients will cut off the extension and just show "..." at the end if the filename is too long. We've just implemented this about 3 weeks ago and although we were physically sent the Goner worm, no one actually ran it because e-mail alerts had already been issued and because of the filtering at the server level.
IMHO, this Napster "pay-per-month" subscription model has very little chance of commercial success for several reasons.
1) The user base has already migrated to better networks (i.e. Kazaa, Morpheus, etc). The content available through these networks is free (as in beer) so it really makes no sense why everyone would "jump" back on Napster to pay for this very same content.
2) The whole idea of community and sharing is what made Napster popular. You were (by default in the software) sharing your music files with others in exchange for getting music files from them. The users provide the bandwidth, the storage, and the content. What exactly Napster would be providing in this "new business model", besides a simple directory service, is beyond me. Is Napster going to host MP3's on fast, high-availability servers and actually shell out some cash for bandwidth and storage space? Or is this another "let's charge for stuff that other people are giving away for free" business model?
I really don't see why anyone would pay to share their music files especially when there are better alternatives and really Napster isn't providing anything in exchange for that $10 (or whatever it may be) monthly fee. Plus, in the mind of most of my peers (college students), Napster has "sold-out" to the music industry and is probably the LAST place anyone would go to get music on the 'net.
I know they certainly won't be getting a dime from me.