The article states that the configurations where done using the typical, basic options that an adminisrator may do and not any kind of security wizard.
I would like to know how many companies are out there that would take their pimply faced intern and have him to a default installation for an internet server with databases on it. They may have found a valid point, but their premise is fucking retarded.
I have always given MSFT the benefit of the doubt that they would have the option to configure a server with the intention of meeting security requirements and similarly doing the same with Linux and then see who's the most secure. While Microsoft has made ground against the *NIXes of the world, I really don't believe that a reasonable attempt at security is any better on Windows than it is on Linux. Considering the damage they've been suffering, I would expect their default installations to be increasinbly severe.
I would equate this study to testing the security of a 4 foot high brick wall or a 3 foot high set of four horizontal wires. The wall is obviously more secure, until you turn on the high voltage supply to the electric fence...
My sexist statement is based on the explicit orientation of the spam that I receive. I have only once seen an advertisement directed towards women and that was months ago. No assumption there. You are incorrectly concluding that only men get spam versus spam is primarily directed towards men.
I don't know how well the show can do with out Shatner. But then I only watch the originals, even Picard with his socially engineered story lines got pretty boring after a while.
I think that the 4% who buy from spam, according to the article, should be castrated. Then they won't have any need to buy anything else. Unless they start selling strap-ons.
I am so glad that the government was able to protect the telemarketing firms freedom of speech.
Now we need a US civilians freedom of silence.
Unfortunately none of this will change through legislation. Our government is too heavily in bed with corporations and not enough concern exists for the individuals experiences. As you can see by the title of this article, it's the cost to business, not individuals, that is worth measuring and reporting on.
But if I'm representing myself as a non-US firm, who's really a front for a US firm, then I'm in the clear.
Don't believe me, see the recent news on Haliburton and GE deciding not to do any more business with Iran. Any more? It's been banned for years, but they used foreign fronts to do their work for them. Are they in trouble with the US Gov? No. They got away with it.
Firefox will launch it for you but not auto-magically. I don't believe in auto-magic applications anymore. They bloat, they crash, they generally aren't free.
First law of software, if it isn't free it's crap. There's nothing out there that I can't get for free and do what I NEED to do today. Nothing.
As far as the next Microsoft. It's dead. Not because of ingenuity, but because the business model is dead. No one will ever pay as much for software again.
I hire a company in some other country to manage my Marketing or at least a portion of it.
They hire a spam/telemarketing company that is also outside of the US.
Since I'm not my contractors subcontract keeper I'm in the clear. I have plausible deniability of the behaviour of the third company and as such, am not liable under the DNC rules
Not International. This outsourcing is just another way of getting around the rules. Just like CAN-SPAM act. You can't spam from within the US, but if you outsource to someone outside of US Law you can spam yourself blue in the face and nothing can stop short of WMDs
It's worse than that. Who is going to fund the cost of testing. Automotive companies pay for the road testing done by US DOT. It's not a free service. So if you license the developers you have to arrange for them to afford the certification tests.
Of course, you also have Consumer Report type organizations doing Vehicle testing of their own along with the government to indicate certain qualities like crash survival statistics, roll-over, Theft statistics and so on. If there was something similar to this on Operating Systems I think it would prove more valuable than doing some Government oversight like US DOT testing.
Can you cite any examples where people have had their vehicle license suspended because they pissed someone off? In a non-totalitarian country?
You are paranoid.
With your perspective, spammers are just being Free. After all, maybe they look at it as you just left your computer accessable and they took advantage of it. Just like using a Park.
I think people who do not know or are unwilling to learn how to correctly operate a machine that is capable of doing this much damage should not be allowed to operate on the internet.
I have certain restrictions on the condition of my automobile, how I choose to drive it, and how it impacts other people and the road I'm on. And for this I have to pay an average annual fee of $5 (actually $20/4 years) for that priviledge.
If computer internet operation required an annual $5 license for a compentency requirement I would happily pay for it.
And you should support the idea, because you can now run a business as a licensed operator, running firewall products/computers for people wo do not take security seriously. Kind of like a Taxi.
Linux and BSD's are changing fast and becoming useful. They are also installed with many better options than CDE.
The installation that came with Solaris 9 had no documentation sufficient to actually perform an installation unless you where already a Sun expert. This is one of the key points in what made Linux so popular in the beginning. Available documentation and free support from internet resources.
If RedHat and SuSE decide to start really laming down their mailing lists, I would expect them to lose some share. SuSE mailing list isn't that impressive in terms of knowledgable users when compared to gentoo or debian. I have no knowledge of RedHat. But a lot of the generic Linux installation processes can be guessed at from other resources.
But the solaris install had virtually nothing useful. So they pretty much made the statement that they are giving away the software but only the most familiar Solaris users will be able to actually do anything with it. I don't know if Sun will ever figure out how to actually sell their software.
Monitoring for viral activity is nice and all, but it's not as easy as you think. Consider, average traffic from the facility is 500Mbps, one customer (who has a 256 Kbps connection) catches a virus so that their traffic goes from 196Kbps to 240Kbps. It's lost in the noise. The network traffic varies far more on a moment to moment basis out of pure randomness.
You are looking for the wrong traffic signature.
Viruses are made to scan for other ports. So you watch the ports on a neighboring machine for Evil Bits from the colocated boxes. Think of a Canary in a Coal Mine.
I'm not sure if they have a clue or not. I think they are desperately trying to make a winning image for Wall Street.
However, they used to have a pretty nice server hardware. If they would just concentrate on that and skip the OS, they might have something worthwhile. But I'm no expert.
Now where did I mention people legitimately and responsibly running mail servers? If your ISP says its fine, and you're making sure that you're not a relay, then I have no complaint. However, some residential customer that has had his computer turned into a zombie should not be permitted to blast the Internet with thousands of attacks an hour.
I told my ISP I was running a mail server from my residential account. The person I told was my ISP's pony tailed sys admin in the back room. His response, considering my use of physical firewalls, linux, and other mechanisms, was that he wished there were more people like me on the network.
Blanket statements about ISPs should do this to all their customers or do that to all their customers is not the correct solution. AOL has managed to block a lot of spam from their network without blasting their own customer base. And I don't think AOL's customer base is the most internet savvy group.
So, RTFA and ask yourself this: Considering the technical range of users AOL has, and his mention that blocking spam is not as resource intensive as one would think, why not ask yourself what they might have done to block spam so effectively?
They did it by rigidly enforcing rules of proper email handling, blocking dynamic IP addresses and other RBL lists (not too aggressively either). That's obvious from anyone trying to send email to AOL. They've implimented a lot of typical UCE controls that most other ISPs simply don't do.
If everyone had a perfectly configured email server, there wouldn't be as much of a problem as their is today.
Actually, the more attention you pay to what your customers' customers are sending over your network, the more legally liable you might be held for anything that slips through. The phone company isn't held responsable if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).
Yes, but the phone company has a limit of 400 calls per month on a home account line with additional charges per call after that. It's a high limit and I've only once ever hit it. I don't even remember why.
But even they have a passive limit.
It might be more effective to simply block and monitor the subnets for viral activity more than anything else. Spammers run most of their spam through viral like proxies. These viruses are always banging on the network looking for more hosts, and that leaves a signature.
The ISPs could go a long ways by simply shutting down infected customers until they could get themselves cleaned up. And verify that with a 24 hour monitor of their network traffic to ensure it's not infected.
This doesn't deal with spam directly, but it deals with the most infectous vector of spam-bots.
I heard the same argument about why Dow Chemical needed to manufacture Agent Orange. Because if they didn't, someone else would. And given that inevitability, they were only missing the financial profits.
I'm surprised no one has tried that argument for rape.
Unfortunately as long as you are working on the Microsoft Operating System you are subject to the whims of the Microsoft corporation. If Evolution is released on Windows, how many weeks will it take before Microsoft releases security critical patches that also accidentally break Evolution? How many times has this same pattern happened already?
Novell is going to screw the pooch on this one. First they bought up SuSE, which got a lot of people hot and bothered about potentials for Linux Desktop becoming a reality. Then they kind of sat on their ass and starting talking about how great it will be when SuSE/Linux incorporates all the Novell technologies. Now they're looking at porting Linux applications to Windows.
Slashdot Mirror
The article states that the configurations where done using the typical, basic options that an adminisrator may do and not any kind of security wizard.
I would like to know how many companies are out there that would take their pimply faced intern and have him to a default installation for an internet server with databases on it. They may have found a valid point, but their premise is fucking retarded.
I have always given MSFT the benefit of the doubt that they would have the option to configure a server with the intention of meeting security requirements and similarly doing the same with Linux and then see who's the most secure. While Microsoft has made ground against the *NIXes of the world, I really don't believe that a reasonable attempt at security is any better on Windows than it is on Linux. Considering the damage they've been suffering, I would expect their default installations to be increasinbly severe.
I would equate this study to testing the security of a 4 foot high brick wall or a 3 foot high set of four horizontal wires. The wall is obviously more secure, until you turn on the high voltage supply to the electric fence...
My sexist statement is based on the explicit orientation of the spam that I receive. I have only once seen an advertisement directed towards women and that was months ago. No assumption there. You are incorrectly concluding that only men get spam versus spam is primarily directed towards men.
I don't know how well the show can do with out Shatner. But then I only watch the originals, even Picard with his socially engineered story lines got pretty boring after a while.
The attorney general has to find me first.... And how often to spammers change their names? Much faster than the A.G. can respond to anything.
I think that the 4% who buy from spam, according to the article, should be castrated. Then they won't have any need to buy anything else. Unless they start selling strap-ons.
I am so glad that the government was able to protect the telemarketing firms freedom of speech.
Now we need a US civilians freedom of silence.
Unfortunately none of this will change through legislation. Our government is too heavily in bed with corporations and not enough concern exists for the individuals experiences. As you can see by the title of this article, it's the cost to business, not individuals, that is worth measuring and reporting on.
But if I'm representing myself as a non-US firm, who's really a front for a US firm, then I'm in the clear.
Don't believe me, see the recent news on Haliburton and GE deciding not to do any more business with Iran. Any more? It's been banned for years, but they used foreign fronts to do their work for them. Are they in trouble with the US Gov? No. They got away with it.
Don't use a plug in. Use XPDF instead.
Firefox will launch it for you but not auto-magically. I don't believe in auto-magic applications anymore. They bloat, they crash, they generally aren't free.
First law of software, if it isn't free it's crap. There's nothing out there that I can't get for free and do what I NEED to do today. Nothing.
As far as the next Microsoft. It's dead. Not because of ingenuity, but because the business model is dead. No one will ever pay as much for software again.
I'm a company.
I hire a company in some other country to manage my Marketing or at least a portion of it.
They hire a spam/telemarketing company that is also outside of the US.
Since I'm not my contractors subcontract keeper I'm in the clear. I have plausible deniability of the behaviour of the third company and as such, am not liable under the DNC rules
Wake Up America!
First Word: National
Not International. This outsourcing is just another way of getting around the rules. Just like CAN-SPAM act. You can't spam from within the US, but if you outsource to someone outside of US Law you can spam yourself blue in the face and nothing can stop short of WMDs
Obviously these laws aren't working anymore.
It's worse than that. Who is going to fund the cost of testing. Automotive companies pay for the road testing done by US DOT. It's not a free service. So if you license the developers you have to arrange for them to afford the certification tests.
Of course, you also have Consumer Report type organizations doing Vehicle testing of their own along with the government to indicate certain qualities like crash survival statistics, roll-over, Theft statistics and so on. If there was something similar to this on Operating Systems I think it would prove more valuable than doing some Government oversight like US DOT testing.
Can you cite any examples where people have had their vehicle license suspended because they pissed someone off? In a non-totalitarian country?
You are paranoid.
With your perspective, spammers are just being Free. After all, maybe they look at it as you just left your computer accessable and they took advantage of it. Just like using a Park.
I love car analogies...
I think people who do not know or are unwilling to learn how to correctly operate a machine that is capable of doing this much damage should not be allowed to operate on the internet.
I have certain restrictions on the condition of my automobile, how I choose to drive it, and how it impacts other people and the road I'm on. And for this I have to pay an average annual fee of $5 (actually $20/4 years) for that priviledge.
If computer internet operation required an annual $5 license for a compentency requirement I would happily pay for it.
And you should support the idea, because you can now run a business as a licensed operator, running firewall products/computers for people wo do not take security seriously. Kind of like a Taxi.
Nope.
What I mean by the "figure out how to sell their software" means just that. As you pointed out, Sun has to sell "Solutions".
Their solutions are not cost effective for SOHO, small business, home users by any stretch.
And on the big server side of things, HP and IBM are still quite capable of spanking Sun whenever the challenge comes up.
Sun is in trouble. That's my point. They need to really change direction to stay alive. I don't think this is it.
Linux and BSD's are changing fast and becoming useful. They are also installed with many better options than CDE.
The installation that came with Solaris 9 had no documentation sufficient to actually perform an installation unless you where already a Sun expert. This is one of the key points in what made Linux so popular in the beginning. Available documentation and free support from internet resources.
If RedHat and SuSE decide to start really laming down their mailing lists, I would expect them to lose some share. SuSE mailing list isn't that impressive in terms of knowledgable users when compared to gentoo or debian. I have no knowledge of RedHat. But a lot of the generic Linux installation processes can be guessed at from other resources.
But the solaris install had virtually nothing useful. So they pretty much made the statement that they are giving away the software but only the most familiar Solaris users will be able to actually do anything with it. I don't know if Sun will ever figure out how to actually sell their software.
My parents got me addicted to food!
Oh God!!! I need protection from myself? And who the FUCK is going to decide what to protect me from? You?
Yes, but terrorism is more politically profitable.
Monitoring for viral activity is nice and all, but it's not as easy as you think. Consider, average traffic from the facility is 500Mbps, one customer (who has a 256 Kbps connection) catches a virus so that their traffic goes from 196Kbps to 240Kbps. It's lost in the noise. The network traffic varies far more on a moment to moment basis out of pure randomness.
You are looking for the wrong traffic signature.
Viruses are made to scan for other ports. So you watch the ports on a neighboring machine for Evil Bits from the colocated boxes. Think of a Canary in a Coal Mine.
I'm not sure if they have a clue or not. I think they are desperately trying to make a winning image for Wall Street.
However, they used to have a pretty nice server hardware. If they would just concentrate on that and skip the OS, they might have something worthwhile. But I'm no expert.
Now where did I mention people legitimately and responsibly running mail servers? If your ISP says its fine, and you're making sure that you're not a relay, then I have no complaint. However, some residential customer that has had his computer turned into a zombie should not be permitted to blast the Internet with thousands of attacks an hour.
I told my ISP I was running a mail server from my residential account. The person I told was my ISP's pony tailed sys admin in the back room. His response, considering my use of physical firewalls, linux, and other mechanisms, was that he wished there were more people like me on the network.
Blanket statements about ISPs should do this to all their customers or do that to all their customers is not the correct solution. AOL has managed to block a lot of spam from their network without blasting their own customer base. And I don't think AOL's customer base is the most internet savvy group.
So, RTFA and ask yourself this: Considering the technical range of users AOL has, and his mention that blocking spam is not as resource intensive as one would think, why not ask yourself what they might have done to block spam so effectively?
They did it by rigidly enforcing rules of proper email handling, blocking dynamic IP addresses and other RBL lists (not too aggressively either). That's obvious from anyone trying to send email to AOL. They've implimented a lot of typical UCE controls that most other ISPs simply don't do.
If everyone had a perfectly configured email server, there wouldn't be as much of a problem as their is today.
Actually, the more attention you pay to what your customers' customers are sending over your network, the more legally liable you might be held for anything that slips through. The phone company isn't held responsable if a bank robbery is planned over the phone only because they make no effort to control what is said. (In other words, because they are a common carrier).
Yes, but the phone company has a limit of 400 calls per month on a home account line with additional charges per call after that. It's a high limit and I've only once ever hit it. I don't even remember why.
But even they have a passive limit.
It might be more effective to simply block and monitor the subnets for viral activity more than anything else. Spammers run most of their spam through viral like proxies. These viruses are always banging on the network looking for more hosts, and that leaves a signature.
The ISPs could go a long ways by simply shutting down infected customers until they could get themselves cleaned up. And verify that with a 24 hour monitor of their network traffic to ensure it's not infected.
This doesn't deal with spam directly, but it deals with the most infectous vector of spam-bots.
I heard the same argument about why Dow Chemical needed to manufacture Agent Orange. Because if they didn't, someone else would. And given that inevitability, they were only missing the financial profits.
I'm surprised no one has tried that argument for rape.
Unfortunately as long as you are working on the Microsoft Operating System you are subject to the whims of the Microsoft corporation. If Evolution is released on Windows, how many weeks will it take before Microsoft releases security critical patches that also accidentally break Evolution? How many times has this same pattern happened already?
It's easy to yell that the sky is falling, even a little chicken can do that.
But it takes more than that to really know how much of a problem it is.
Just because I say the sky is falling doesn't actually mean that the whole sky is falling right now
Novell is going to screw the pooch on this one. First they bought up SuSE, which got a lot of people hot and bothered about potentials for Linux Desktop becoming a reality. Then they kind of sat on their ass and starting talking about how great it will be when SuSE/Linux incorporates all the Novell technologies. Now they're looking at porting Linux applications to Windows.
It's the wrong direction for Novell
It's the wrong direction for SuSE
It's the wrong direction for Linux